authorClaudio Jeker <claudio@cvs.openbsd.org>2021-09-09 14:15:50 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2021-09-09 14:15:50 +0000
commit2ebc860a9612c71bc9c680d40ac0438017c10109 (patch)
treed4c29746823c8b72f813d317fa56da0065fab57c /usr.sbin/rpki-client
parentf06d76807a657383a49593a241872b9e9ea60cae (diff)
Rework how various OIDs are compared in the code.
Instead of converting the ASN1_OBJECT into a string and comparing the strings, convert the string into an ASN1_OBJECT once and then compare these objects with OBJ_cmp(). Makes the code a bit easier to read and removes some repetitive conversions. With input and OK tb@
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/cert.c37
-rw-r--r--usr.sbin/rpki-client/cms.c27
-rw-r--r--usr.sbin/rpki-client/extern.h6
-rw-r--r--usr.sbin/rpki-client/gbr.c13
-rw-r--r--usr.sbin/rpki-client/mft.c14
-rw-r--r--usr.sbin/rpki-client/roa.c13
6 files changed, 72 insertions, 38 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index a8908b31783..3ac117f437a 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.31 2021/07/13 18:39:39 job Exp $ */
+/* $OpenBSD: cert.c,v 1.32 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -46,6 +46,21 @@ struct parse {
const char *fn; /* currently-parsed file */
};
+static ASN1_OBJECT *carepo_oid; /* 1.3.6.1.5.5.7.48.5 (caRepository) */
+static ASN1_OBJECT *mft_oid; /* 1.3.6.1.5.5.7.48.10 (rpkiManifest) */
+static ASN1_OBJECT *notify_oid; /* 1.3.6.1.5.5.7.48.13 (rpkiNotify) */
+
+static void
+cert_init_oid(void)
+{
+ if ((carepo_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.5", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.5");
+ if ((mft_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.10", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.10");
+ if ((notify_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.13", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.13");
+}
+
/*
* Append an IP address structure to our list of results.
* This will also constrain us to having at most one inheritence
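Review bot: Each OID in cert_init_oid() is spelled twice, once in the OBJ_txt2obj() call and once in the errx() format argument, so the two copies can drift apart and a failed parse would then be reported under the wrong OID. A small table keyed by the target pointer lets one loop report exactly the string it tried to parse and keeps the three commented declarations at the top of the hunk as the only place the OIDs are listed. The objects also appear to be created once per process and never released; a one-line comment on the statics saying that is deliberate, e.g. `/* parsed once on first use, kept for the life of the process */`, would spare the next reader a leak hunt.

```c
static void
cert_init_oid(void)
{
	static const struct {
		ASN1_OBJECT	**obj;
		const char	*txt;
	} oids[] = {
		{ &carepo_oid, "1.3.6.1.5.5.7.48.5" },
		{ &mft_oid, "1.3.6.1.5.5.7.48.10" },
		{ &notify_oid, "1.3.6.1.5.5.7.48.13" },
	};
	size_t i;

	for (i = 0; i < sizeof(oids) / sizeof(oids[0]); i++)
		if ((*oids[i].obj = OBJ_txt2obj(oids[i].txt, 1)) == NULL)
			errx(1, "OBJ_txt2obj for %s failed", oids[i].txt);
}
```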
@@ -207,9 +222,9 @@ sbgp_sia_resource_entry(struct parse *p,
const unsigned char *d, size_t dsz)
{
ASN1_SEQUENCE_ANY *seq;
+ ASN1_OBJECT *oid;
const ASN1_TYPE *t;
int rc = 0, ptag;
- char buf[128];
long plen;
if ((seq = d2i_ASN1_SEQUENCE_ANY(NULL, &d, dsz)) == NULL) {
@@ -233,7 +248,7 @@ sbgp_sia_resource_entry(struct parse *p,
p->fn, ASN1_tag2str(t->type), t->type);
goto out;
}
- OBJ_obj2txt(buf, sizeof(buf), t->value.object, 1);
+ oid = t->value.object;
t = sk_ASN1_TYPE_value(seq, 1);
if (t->type != V_ASN1_OTHER) {
@@ -250,18 +265,14 @@ sbgp_sia_resource_entry(struct parse *p,
if (!ASN1_frame(p->fn, dsz, &d, &plen, &ptag))
goto out;
- /*
- * Ignore all but manifest and RRDP notify URL.
- * Things we may see:
- * - 1.3.6.1.5.5.7.48.5 (caRepository)
- * - 1.3.6.1.5.5.7.48.10 (rpkiManifest)
- * - 1.3.6.1.5.5.7.48.13 (rpkiNotify)
- */
- if (strcmp(buf, "1.3.6.1.5.5.7.48.5") == 0)
+ if (carepo_oid == NULL)
+ cert_init_oid();
+
+ if (OBJ_cmp(oid, carepo_oid) == 0)
rc = sbgp_sia_resource_carepo(p, d, plen);
- else if (strcmp(buf, "1.3.6.1.5.5.7.48.10") == 0)
+ else if (OBJ_cmp(oid, mft_oid) == 0)
rc = sbgp_sia_resource_mft(p, d, plen);
- else if (strcmp(buf, "1.3.6.1.5.5.7.48.13") == 0)
+ else if (OBJ_cmp(oid, notify_oid) == 0)
rc = sbgp_sia_resource_notify(p, d, plen);
else
rc = 1; /* silently ignore */
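Review bot: The guard `if (carepo_oid == NULL) cert_init_oid();` tests only one of the three statics, which is correct solely because cert_init_oid() either sets all three or exits the process; that coupling is invisible at the call site and deserves a comment, e.g. `/* cert_init_oid() sets all three OIDs or exits, so one check suffices */`. Separately, `oid` is a borrowed pointer into `seq` (assigned from `t->value.object` earlier in this function), so if the `out:` path frees `seq` the pointer is dangling from then on; it is only dereferenced before that here, but a note at the assignment would keep a later refactor from moving the OBJ_cmp() calls past the cleanup. The enclosing sbgp_sia_resource_entry() begins and ends outside this hunk.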
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 3f617bb8c4c..4a606039aca 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.9 2021/07/13 18:39:39 job Exp $ */
+/* $OpenBSD: cms.c,v 1.10 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -35,16 +35,15 @@
* Return the eContent as a string and set "rsz" to be its length.
*/
unsigned char *
-cms_parse_validate(X509 **xp, const char *fn,
- const char *oid, size_t *rsz)
+cms_parse_validate(X509 **xp, const char *fn, const ASN1_OBJECT *oid,
+ size_t *rsz)
{
const ASN1_OBJECT *obj;
ASN1_OCTET_STRING **os = NULL;
BIO *bio = NULL;
CMS_ContentInfo *cms;
FILE *f;
- char buf[128];
- int rc = 0, sz;
+ int rc = 0;
STACK_OF(X509) *certs = NULL;
unsigned char *res = NULL;
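Review bot: The header comment above cms_parse_validate() still describes only the return value and "rsz", so the new `const ASN1_OBJECT *oid` parameter is undocumented. I would add a line such as ` * "oid" is the expected eContentType; it is only compared against, never retained, so the caller keeps ownership.`, since the visible code only passes it to OBJ_cmp() and OBJ_obj2txt(). It would also help to state what a mismatch produces (a warnx() and a NULL return, if that is what the `out:` label does; the body continues past this hunk).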
@@ -84,16 +83,18 @@ cms_parse_validate(X509 **xp, const char *fn,
/* RFC 6488 section 2.1.3.1: check the object's eContentType. */
obj = CMS_get0_eContentType(cms);
- if ((sz = OBJ_obj2txt(buf, sizeof(buf), obj, 1)) < 0)
- cryptoerrx("OBJ_obj2txt");
-
- if ((size_t)sz >= sizeof(buf)) {
- warnx("%s: RFC 6488 section 2.1.3.1: "
- "eContentType: OID too long", fn);
+ if (obj == NULL) {
+ warnx("%s: RFC 6488 section 2.1.3.1: eContentType: "
+ "OID object is NULL", fn);
goto out;
- } else if (strcmp(buf, oid)) {
+ }
+ if (OBJ_cmp(obj, oid) != 0) {
+ char buf[128], obuf[128];
+
+ OBJ_obj2txt(buf, sizeof(buf), obj, 1);
+ OBJ_obj2txt(obuf, sizeof(obuf), oid, 1);
warnx("%s: RFC 6488 section 2.1.3.1: eContentType: "
- "unknown OID: %s, want %s", fn, buf, oid);
+ "unknown OID: %s, want %s", fn, buf, obuf);
goto out;
}
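Review bot: The two OBJ_obj2txt() calls in the mismatch branch ignore their return value, so an eContentType longer than 127 characters from the fetched object is silently truncated in the warning; that is memory-safe (OBJ_obj2txt() NUL-terminates whenever the buffer length is non-zero, per the OpenSSL/LibreSSL manual) but the log then shows a cut-off OID with no indication. A short comment, e.g. `/* diagnostic only: an overlong OID is truncated, OBJ_obj2txt() NUL-terminates */`, or a `>= sizeof(buf)` check that appends "(truncated)", would make that explicit. The explicit "OID too long" rejection this commit drops is still covered, since an overlong OID can never OBJ_cmp() equal to the fixed expected one; given that, "unknown OID" in the message would read better as "unexpected OID", because it is a mismatch rather than an unrecognised name.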
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index b3e14515d9e..d0fd3d1a4d7 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.66 2021/09/01 08:09:41 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.67 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -410,9 +410,9 @@ int valid_uri(const char *, size_t, const char *);
/* Working with CMS. */
unsigned char *cms_parse_validate(X509 **, const char *,
- const char *, size_t *);
+ const ASN1_OBJECT *, size_t *);
int cms_econtent_version(const char *, const unsigned char **,
- size_t, long *);
+ size_t, long *);
/* Helper for ASN1 parsing */
int ASN1_frame(const char *, size_t,
const unsigned char **, long *, int *);
diff --git a/usr.sbin/rpki-client/gbr.c b/usr.sbin/rpki-client/gbr.c
index 43f2915224d..5e5fcd4c96d 100644
--- a/usr.sbin/rpki-client/gbr.c
+++ b/usr.sbin/rpki-client/gbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gbr.c,v 1.9 2021/03/29 06:50:44 tb Exp $ */
+/* $OpenBSD: gbr.c,v 1.10 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
*
@@ -36,6 +36,8 @@ struct parse {
struct gbr *res; /* results */
};
+static ASN1_OBJECT *gbr_oid;
+
/*
* Parse a full RFC 6493 file and signed by the certificate "cacert"
* (the latter is optional and may be passed as NULL to disable).
@@ -52,9 +54,14 @@ gbr_parse(X509 **x509, const char *fn)
p.fn = fn;
/* OID from section 9.1, RFC 6493. */
+ if (gbr_oid == NULL) {
+ gbr_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.35", 1);
+ if (gbr_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.35");
+ }
- cms = cms_parse_validate(x509, fn,
- "1.2.840.113549.1.9.16.1.35", &cmsz);
+ cms = cms_parse_validate(x509, fn, gbr_oid, &cmsz);
if (cms == NULL)
return NULL;
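Review bot: The lazy-initialisation block `if (gbr_oid == NULL) { gbr_oid = OBJ_txt2obj(...); if (gbr_oid == NULL) errx(...); }` is the same shape that mft.c and roa.c now carry and that cert.c wraps in cert_init_oid(), so the OBJ_txt2obj()/errx() pair exists in four places, each repeating its OID literal in the error message. A tiny shared helper, e.g. `ASN1_OBJECT *oid_init(const char *txt)` that does that pair, would reduce this to `gbr_oid = oid_init("1.2.840.113549.1.9.16.1.35");` and keep the failure path uniform if it ever changes. The static declaration above would also benefit from the kind of comment cert.c's have, naming the OID and RFC 6493 section 9.1 next to it rather than only at the use site; gbr_parse() continues past this hunk.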
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 782db412863..f80d2321eb2 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.37 2021/09/08 16:37:20 claudio Exp $ */
+/* $OpenBSD: mft.c,v 1.38 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -40,6 +40,8 @@ struct parse {
struct mft *res; /* result object */
};
+static ASN1_OBJECT *mft_oid;
+
static const char *
gentime2str(const ASN1_GENERALIZEDTIME *time)
{
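Review bot: `mft_oid` here names the CMS content-type OID 1.2.840.113549.1.9.16.1.26, while cert.c in the same commit uses the identical identifier `mft_oid` for the SIA accessMethod 1.3.6.1.5.5.7.48.10; both are file-static so it links, but one name for two different OIDs in one program invites confusion when grepping or if either is later moved into a shared header. Renaming one of them (e.g. `mft_ct_oid` here or `sia_mft_oid` in cert.c) would settle it. The declaration also lacks the comment cert.c's statics carry; `static ASN1_OBJECT *mft_oid; /* 1.2.840.113549.1.9.16.1.26 (id-ct-rpkiManifest, RFC 6486) */` states what is being compared without having to read down to mft_parse().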
@@ -417,8 +419,14 @@ mft_parse(X509 **x509, const char *fn)
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
- cms = cms_parse_validate(x509, fn, "1.2.840.113549.1.9.16.1.26",
- &cmsz);
+ if (mft_oid == NULL) {
+ mft_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.26", 1);
+ if (mft_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.26");
+ }
+
+ cms = cms_parse_validate(x509, fn, mft_oid, &cmsz);
if (cms == NULL)
return NULL;
assert(*x509 != NULL);
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index 3d433ecb161..4fdd7b2722c 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.24 2021/09/08 16:37:20 claudio Exp $ */
+/* $OpenBSD: roa.c,v 1.25 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -36,6 +36,8 @@ struct parse {
struct roa *res; /* results */
};
+static ASN1_OBJECT *roa_oid;
+
/*
* Parse IP address (ROAIPAddress), RFC 6482, section 3.3.
* Returns zero on failure, non-zero on success.
@@ -339,9 +341,14 @@ roa_parse(X509 **x509, const char *fn)
p.fn = fn;
/* OID from section 2, RFC 6482. */
+ if (roa_oid == NULL) {
+ roa_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.24", 1);
+ if (roa_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.24");
+ }
- cms = cms_parse_validate(x509, fn,
- "1.2.840.113549.1.9.16.1.24", &cmsz);
+ cms = cms_parse_validate(x509, fn, roa_oid, &cmsz);
if (cms == NULL)
return NULL;