diff options
| author | Claudio Jeker <claudio@cvs.openbsd.org> | 2022-01-18 16:36:50 +0000 |
|---|---|---|
| committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2022-01-18 16:36:50 +0000 |
| commit | 16eb5589ee06fb1f70da1aa466b8b560a12d7a8c (patch) | |
| tree | 8ebc5ca2304080268af2ce70b723b8d5f13a1784 /usr.sbin/rpki-client | |
| parent | 6a35a5b99d96ea759e4408a025af1976c48f90f1 (diff) | |
Change cert_parse() and ta_parse() to no longer take a x509 handle as
argument. The x509 cert is also inside struct cert and easy to access.
Also switch auth_insert() to a void function since it can't fail.
OK tb@
Diffstat (limited to 'usr.sbin/rpki-client')
| -rw-r--r-- | usr.sbin/rpki-client/cert.c | 30 | ||||
| -rw-r--r-- | usr.sbin/rpki-client/extern.h | 9 | ||||
| -rw-r--r-- | usr.sbin/rpki-client/parser.c | 28 |
3 files changed, 21 insertions, 46 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 074a701e5d3..9c3cbca1d62 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.50 2022/01/18 13:06:43 claudio Exp $ */ +/* $OpenBSD: cert.c,v 1.51 2022/01/18 16:36:49 claudio Exp $ */ /* * Copyright (c) 2021 Job Snijders <job@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -978,8 +978,7 @@ out: * is also dereferenced. */ static struct cert * -cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der, - size_t len, int ta) +cert_parse_inner(const char *fn, const unsigned char *der, size_t len, int ta) { int rc = 0, extsz, c; int sia_present = 0; @@ -989,8 +988,6 @@ cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der, ASN1_OBJECT *obj; struct parse p; - *xp = NULL; - /* just fail for empty buffers, the warning was printed elsewhere */ if (der == NULL) return NULL; @@ -1000,7 +997,7 @@ cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der, if ((p.res = calloc(1, sizeof(struct cert))) == NULL) err(1, NULL); - if ((x = *xp = d2i_X509(NULL, &der, len)) == NULL) { + if ((x = d2i_X509(NULL, &der, len)) == NULL) { cryptowarnx("%s: d2i_X509_bio", p.fn); goto out; } @@ -1139,9 +1136,6 @@ cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der, goto out; } - if (X509_up_ref(x) == 0) - errx(1, "%s: X509_up_ref failed", __func__); - p.res->x509 = x; rc = 1; @@ -1149,34 +1143,32 @@ out: if (rc == 0) { cert_free(p.res); X509_free(x); - *xp = NULL; } return (rc == 0) ? NULL : p.res; } struct cert * -cert_parse(X509 **xp, const char *fn, const unsigned char *der, size_t len) +cert_parse(const char *fn, const unsigned char *der, size_t len) { - return cert_parse_inner(xp, fn, der, len, 0); + return cert_parse_inner(fn, der, len, 0); } struct cert * -ta_parse(X509 **xp, const char *fn, const unsigned char *der, size_t len, +ta_parse(const char *fn, const unsigned char *der, size_t len, const unsigned char *pkey, size_t pkeysz) { EVP_PKEY *pk = NULL, *opk = NULL; struct cert *p; int rc = 0; - if ((p = cert_parse_inner(xp, fn, der, len, 1)) == NULL) + if ((p = cert_parse_inner(fn, der, len, 1)) == NULL) return NULL; if (pkey != NULL) { - assert(*xp != NULL); pk = d2i_PUBKEY(NULL, &pkey, pkeysz); assert(pk != NULL); - if ((opk = X509_get_pubkey(*xp)) == NULL) + if ((opk = X509_get_pubkey(p->x509)) == NULL) cryptowarnx("%s: RFC 6487 (trust anchor): " "missing pubkey", fn); else if (EVP_PKEY_cmp(pk, opk) != 1) @@ -1192,8 +1184,6 @@ ta_parse(X509 **xp, const char *fn, const unsigned char *der, size_t len, if (rc == 0) { cert_free(p); p = NULL; - X509_free(*xp); - *xp = NULL; } return p; @@ -1305,7 +1295,7 @@ auth_find(struct auth_tree *auths, const char *aki) return RB_FIND(auth_tree, auths, &a); } -int +void auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent) { struct auth *na; @@ -1319,8 +1309,6 @@ auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent) if (RB_INSERT(auth_tree, auths, na) != NULL) err(1, "auth tree corrupted"); - - return 1; } static inline int diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 42bb0fc3af7..b3bcd4050ac 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.107 2022/01/18 16:24:55 claudio Exp $ */ +/* $OpenBSD: extern.h,v 1.108 2022/01/18 16:36:49 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -279,7 +279,7 @@ RB_HEAD(auth_tree, auth); RB_PROTOTYPE(auth_tree, auth, entry, authcmp); struct auth *auth_find(struct auth_tree *, const char *); -int auth_insert(struct auth_tree *, struct cert *, struct auth *); +void auth_insert(struct auth_tree *, struct cert *, struct auth *); /* * Resource types specified by the RPKI profiles. @@ -407,9 +407,8 @@ struct tal *tal_read(struct ibuf *); void cert_buffer(struct ibuf *, const struct cert *); void cert_free(struct cert *); -struct cert *cert_parse(X509 **, const char *, const unsigned char *, - size_t); -struct cert *ta_parse(X509 **, const char *, const unsigned char *, size_t, +struct cert *cert_parse(const char *, const unsigned char *, size_t); +struct cert *ta_parse(const char *, const unsigned char *, size_t, const unsigned char *, size_t); struct cert *cert_read(struct ibuf *); void cert_insert_brks(struct brk_tree *, struct cert *); diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c index 9f5d6a32979..cdb8e6100e4 100644 --- a/usr.sbin/rpki-client/parser.c +++ b/usr.sbin/rpki-client/parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parser.c,v 1.42 2022/01/18 16:29:06 claudio Exp $ */ +/* $OpenBSD: parser.c,v 1.43 2022/01/18 16:36:49 claudio Exp $ */ /* * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> @@ -393,25 +393,22 @@ static struct cert * proc_parser_cert(char *file, const unsigned char *der, size_t len) { struct cert *cert; - X509 *x509; struct auth *a; struct crl *crl; /* Extract certificate data and X509. */ - cert = cert_parse(&x509, file, der, len); + cert = cert_parse(file, der, len); if (cert == NULL) return NULL; a = valid_ski_aki(file, &auths, cert->ski, cert->aki); crl = get_crl(a); - if (!valid_x509(file, x509, a, crl)) { + if (!valid_x509(file, cert->x509, a, crl)) { cert_free(cert); - X509_free(x509); return NULL; } - X509_free(x509); cert->talid = a->cert->talid; @@ -424,12 +421,8 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len) /* * Add validated CA certs to the RPKI auth tree. */ - if (cert->purpose == CERT_PURPOSE_CA) { - if (!auth_insert(&auths, cert, a)) { - cert_free(cert); - return NULL; - } - } + if (cert->purpose == CERT_PURPOSE_CA) + auth_insert(&auths, cert, a); return cert; } @@ -455,10 +448,11 @@ proc_parser_root_cert(char *file, const unsigned char *der, size_t len, /* Extract certificate data and X509. */ - cert = ta_parse(&x509, file, der, len, pkey, pkeysz); + cert = ta_parse(file, der, len, pkey, pkeysz); if (cert == NULL) return NULL; + x509 = cert->x509; if ((name = X509_get_subject_name(x509)) == NULL) { warnx("%s Unable to get certificate subject", file); goto badcert; @@ -493,22 +487,16 @@ proc_parser_root_cert(char *file, const unsigned char *der, size_t len, goto badcert; } - X509_free(x509); - cert->talid = talid; /* * Add valid roots to the RPKI auth tree. */ - if (!auth_insert(&auths, cert, NULL)) { - cert_free(cert); - return NULL; - } + auth_insert(&auths, cert, NULL); return cert; badcert: - X509_free(x509); cert_free(cert); return NULL; } |