authorTheo Buehler <tb@cvs.openbsd.org>2023-12-27 07:15:56 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-12-27 07:15:56 +0000
commit8770c2510b50b0bc36f094afe00244215e224e49 (patch)
treece07dd7dca8e1109b1d171e18e7b14a1a70d27de /usr.sbin/rpki-client
parentd8797478692abbff0fd36f003184702f8fbf4c2a (diff)
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages. ok claudio job
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/as.c14
-rw-r--r--usr.sbin/rpki-client/constraints.c7
-rw-r--r--usr.sbin/rpki-client/extern.h8
-rw-r--r--usr.sbin/rpki-client/ip.c37
-rw-r--r--usr.sbin/rpki-client/validate.c65
5 files changed, 42 insertions, 89 deletions
diff --git a/usr.sbin/rpki-client/as.c b/usr.sbin/rpki-client/as.c
index 6f64a73b8d4..4812d9314f0 100644
--- a/usr.sbin/rpki-client/as.c
+++ b/usr.sbin/rpki-client/as.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: as.c,v 1.15 2023/10/18 07:10:24 tb Exp $ */
+/* $OpenBSD: as.c,v 1.16 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -137,18 +137,18 @@ as_check_covered(uint32_t min, uint32_t max,
}
void
-as_warn(const char *fn, const struct cert_as *cert, const char *msg)
+as_warn(const char *fn, const char *msg, const struct cert_as *as)
{
- switch (cert->type) {
+ switch (as->type) {
case CERT_AS_ID:
- warnx("%s: AS %u: %s", fn, cert->id, msg);
+ warnx("%s: %s: AS %u", fn, msg, as->id);
break;
case CERT_AS_RANGE:
- warnx("%s: AS range %u--%u: %s", fn, cert->range.min,
- cert->range.max, msg);
+ warnx("%s: %s: AS range %u--%u", fn, msg, as->range.min,
+ as->range.max);
break;
case CERT_AS_INHERIT:
- warnx("%s: AS (inherit): %s", fn, msg);
+ warnx("%s: %s: AS (inherit)", fn, msg);
break;
default:
warnx("%s: corrupt cert", fn);
diff --git a/usr.sbin/rpki-client/constraints.c b/usr.sbin/rpki-client/constraints.c
index 226e249b3f9..bd75e962eb4 100644
--- a/usr.sbin/rpki-client/constraints.c
+++ b/usr.sbin/rpki-client/constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraints.c,v 1.1 2023/10/13 12:06:49 job Exp $ */
+/* $OpenBSD: constraints.c,v 1.2 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2023 Job Snijders <job@openbsd.org>
* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
@@ -578,7 +578,7 @@ constraints_validate(const char *fn, const struct cert *cert)
deny_as, deny_asz))
continue;
- as_warn(fn, &cert->as[i], "violates trust anchor constraints");
+ as_warn(fn, "trust anchor constraints violation", &cert->as[i]);
return 0;
}
@@ -592,7 +592,8 @@ constraints_validate(const char *fn, const struct cert *cert)
allow_ipsz, deny_ips, deny_ipsz))
continue;
- ip_warn(fn, &cert->ips[i], "violates trust anchor constraints");
+ ip_warn(fn, "trust anchor constraints violation",
+ &cert->ips[i]);
return 0;
}
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 9bb95edb208..808ced811f3 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.196 2023/12/11 19:05:20 job Exp $ */
+/* $OpenBSD: extern.h,v 1.197 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -710,8 +710,6 @@ int ip_addr_parse(const ASN1_BIT_STRING *,
enum afi, const char *, struct ip_addr *);
void ip_addr_print(const struct ip_addr *, enum afi, char *,
size_t);
-void ip_addr_range_print(const struct ip_addr_range *, enum afi,
- char *, size_t);
int ip_addr_cmp(const struct ip_addr *, const struct ip_addr *);
int ip_addr_check_overlap(const struct cert_ip *,
const char *, const struct cert_ip *, size_t, int);
@@ -719,7 +717,7 @@ int ip_addr_check_covered(enum afi, const unsigned char *,
const unsigned char *, const struct cert_ip *, size_t);
int ip_cert_compose_ranges(struct cert_ip *);
void ip_roa_compose_ranges(struct roa_ip *);
-void ip_warn(const char *, const struct cert_ip *, const char *);
+void ip_warn(const char *, const char *, const struct cert_ip *);
int sbgp_addr(const char *, struct cert_ip *, size_t *,
enum afi, const ASN1_BIT_STRING *);
@@ -736,7 +734,7 @@ int as_check_overlap(const struct cert_as *, const char *,
const struct cert_as *, size_t, int);
int as_check_covered(uint32_t, uint32_t,
const struct cert_as *, size_t);
-void as_warn(const char *, const struct cert_as *, const char *);
+void as_warn(const char *, const char *, const struct cert_as *);
int sbgp_as_id(const char *, struct cert_as *, size_t *,
const ASN1_INTEGER *);
diff --git a/usr.sbin/rpki-client/ip.c b/usr.sbin/rpki-client/ip.c
index a7541723a51..8cd936a753f 100644
--- a/usr.sbin/rpki-client/ip.c
+++ b/usr.sbin/rpki-client/ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip.c,v 1.31 2023/10/18 07:10:24 tb Exp $ */
+/* $OpenBSD: ip.c,v 1.32 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -154,8 +154,8 @@ ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
if (!quiet) {
warnx("%s: RFC 3779 section 2.2.3.5: "
"cannot have overlapping IP addresses", fn);
- ip_warn(fn, ip, "certificate IP");
- ip_warn(fn, &ips[i], "offending IP");
+ ip_warn(fn, "certificate IP", ip);
+ ip_warn(fn, "offending IP", &ips[i]);
}
return 0;
}
@@ -246,10 +246,11 @@ ip_addr_print(const struct ip_addr *addr,
* Convert a ip_addr into a NUL-terminated range notation string.
* The size of the buffer must be at least 95 (inclusive).
*/
-void
+static void
ip_addr_range_print(const struct ip_addr_range *range,
enum afi afi, char *buf, size_t bufsz)
{
+ struct cert_ip ip;
char min[INET6_ADDRSTRLEN], max[INET6_ADDRSTRLEN];
int ret, af;
@@ -264,9 +265,17 @@ ip_addr_range_print(const struct ip_addr_range *range,
errx(1, "unsupported address family identifier");
}
- if (inet_ntop(af, &range->min, min, sizeof(min)) == NULL)
+ memset(&ip, 0, sizeof(ip));
+
+ ip.afi = afi;
+ ip.type = CERT_IP_RANGE;
+ ip.range = *range;
+ if (!ip_cert_compose_ranges(&ip))
+ errx(1, "failed to compose ranges");
+
+ if (inet_ntop(af, ip.min, min, sizeof(min)) == NULL)
err(1, "inet_ntop");
- if (inet_ntop(af, &range->max, max, sizeof(max)) == NULL)
+ if (inet_ntop(af, ip.max, max, sizeof(max)) == NULL)
err(1, "inet_ntop");
ret = snprintf(buf, bufsz, "%s--%s", min, max);
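Review bot: The new `errx(1, "failed to compose ranges")` makes a diagnostic printer terminate the process: ip_cert_compose_ranges() returns 0 when the composed minimum sorts above the maximum (the `memcmp(p->min, p->max, sz) <= 0` at the tail of the next hunk), so an inverted range reaching ip_addr_range_print() is fatal instead of being described in the warning it was asked to produce. If such ranges are rejected when the object is parsed this branch is unreachable, but that is not visible here and the helper is now reached from every ip_warn() caller, including the trust-anchor-constraints and RSC paths. A comment stating the assumption, e.g. `/* range was accepted at parse time, so composing it cannot fail */`, would make the intent clear; otherwise a `warnx` that still prints the composed bounds would keep a warning path from aborting. ip_addr_range_print() starts in the previous hunk.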
@@ -311,7 +320,7 @@ ip_cert_compose_ranges(struct cert_ip *p)
return 1;
}
- sz = AFI_IPV4 == p->afi ? 4 : 16;
+ sz = p->afi == AFI_IPV4 ? 4 : 16;
return memcmp(p->min, p->max, sz) <= 0;
}
@@ -333,21 +342,21 @@ ip_roa_compose_ranges(struct roa_ip *p)
}
void
-ip_warn(const char *fn, const struct cert_ip *cert, const char *msg)
+ip_warn(const char *fn, const char *msg, const struct cert_ip *ip)
{
char buf[128];
- switch (cert->type) {
+ switch (ip->type) {
case CERT_IP_ADDR:
- ip_addr_print(&cert->ip, cert->afi, buf, sizeof(buf));
- warnx("%s: %s: %s", fn, buf, msg);
+ ip_addr_print(&ip->ip, ip->afi, buf, sizeof(buf));
+ warnx("%s: %s: %s", fn, msg, buf);
break;
case CERT_IP_RANGE:
- ip_addr_range_print(&cert->range, cert->afi, buf, sizeof(buf));
- warnx("%s: %s: %s", fn, buf, msg);
+ ip_addr_range_print(&ip->range, ip->afi, buf, sizeof(buf));
+ warnx("%s: %s: %s", fn, msg, buf);
break;
case CERT_IP_INHERIT:
- warnx("%s: (inherit): %s", fn, msg);
+ warnx("%s: %s: IP (inherit)", fn, msg);
break;
default:
warnx("%s: corrupt cert", fn);
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 8e3a08793a0..7386d109fbf 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.68 2023/10/19 17:05:55 job Exp $ */
+/* $OpenBSD: validate.c,v 1.69 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -135,7 +135,6 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
{
size_t i;
uint32_t min, max;
- char buf[128];
for (i = 0; i < cert->asz; i++) {
if (cert->as[i].type == CERT_AS_INHERIT)
@@ -152,19 +151,7 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
if (valid_as(a, min, max))
continue;
- switch (cert->as[i].type) {
- case CERT_AS_ID:
- warnx("%s: RFC 6487: uncovered AS: %u", fn, min);
- break;
- case CERT_AS_RANGE:
- warnx("%s: RFC 6487: uncovered AS: %u--%u", fn,
- min, max);
- break;
- case CERT_AS_INHERIT:
- warnx("%s: RFC 6487: uncovered AS: (inherit)", fn);
- break;
- }
-
+ as_warn(fn, "RFC 6487: uncovered resource", &cert->as[i]);
return 0;
}
@@ -176,22 +163,7 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
cert->ips[i].max))
continue;
- switch (cert->ips[i].type) {
- case CERT_IP_ADDR:
- ip_addr_print(&cert->ips[i].ip,
- cert->ips[i].afi, buf, sizeof(buf));
- warnx("%s: RFC 6487: uncovered IP: %s", fn, buf);
- break;
- case CERT_IP_RANGE:
- ip_addr_range_print(&cert->ips[i].range,
- cert->ips[i].afi, buf, sizeof(buf));
- warnx("%s: RFC 6487: uncovered IP: %s", fn, buf);
- break;
- case CERT_IP_INHERIT:
- warnx("%s: RFC 6487: uncovered IP: (inherit)", fn);
- break;
- }
-
+ ip_warn(fn, "RFC 6487: uncovered resource", &cert->ips[i]);
return 0;
}
@@ -473,7 +445,6 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
{
size_t i;
uint32_t min, max;
- char buf[128];
for (i = 0; i < rsc->asz; i++) {
if (rsc->as[i].type == CERT_AS_ID) {
@@ -487,18 +458,7 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
if (as_check_covered(min, max, cert->as, cert->asz) > 0)
continue;
- switch (rsc->as[i].type) {
- case CERT_AS_ID:
- warnx("%s: RSC resourceBlock: uncovered AS: %u", fn,
- min);
- break;
- case CERT_AS_RANGE:
- warnx("%s: RSC resourceBlock: uncovered AS: %u--%u",
- fn, min, max);
- break;
- default:
- break;
- }
+ as_warn(fn, "RSC ResourceBlock uncovered", &rsc->as[i]);
return 0;
}
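Review bot: The new message `RSC ResourceBlock uncovered` (here and in the ip_warn() call of the next hunk) yields output of the shape `RSC ResourceBlock uncovered: AS <n>` once the helper appends the resource, which is less regular than the `RFC 6487: uncovered resource` wording introduced in valid_cert() above; `as_warn(fn, "RSC ResourceBlock: uncovered resource", &rsc->as[i]);` and the same string for the IP call would keep the two validators parallel. A second effect of routing RSC entries through the shared helpers is that their `default:` branch reports `corrupt cert` (visible in the as.c hunk), so an RSC entry of an unexpected type is now reported as a corrupt certificate where the removed switch stayed silent; if that type cannot occur after parsing, a short comment saying so would help. valid_rsc() continues past the end of this hunk.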
@@ -507,22 +467,7 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
rsc->ips[i].max, cert->ips, cert->ipsz) > 0)
continue;
- switch (rsc->ips[i].type) {
- case CERT_IP_ADDR:
- ip_addr_print(&rsc->ips[i].ip, rsc->ips[i].afi, buf,
- sizeof(buf));
- warnx("%s: RSC ResourceBlock: uncovered IP: %s", fn,
- buf);
- break;
- case CERT_IP_RANGE:
- ip_addr_range_print(&rsc->ips[i].range, rsc->ips[i].afi,
- buf, sizeof(buf));
- warnx("%s: RSC ResourceBlock: uncovered IP: %s", fn,
- buf);
- break;
- default:
- break;
- }
+ ip_warn(fn, "RSC ResourceBlock uncovered", &rsc->ips[i]);
return 0;
}