src - OpenBSD base system

diff options


context:
space:
mode:

author	Theo Buehler <tb@cvs.openbsd.org>	2022-04-12 09:32:24 +0000
committer	Theo Buehler <tb@cvs.openbsd.org>	2022-04-12 09:32:24 +0000
commit	cb448209f4c022b101a0e526f2eaffe1b02ce8fd (patch)
tree	58d59ae65f27accfee49bb723d82a04ea8dfbe78 /usr.sbin/rpki-client
parent	2ea3221771235cbd994a7a73a013eefde93f170c (diff)

Shuffle sbgp_sia() a bit down to a place where it makes more sense

ok claudio

Diffstat (limited to 'usr.sbin/rpki-client')

-rw-r--r--

usr.sbin/rpki-client/cert.c

140

1 files changed, 70 insertions, 70 deletions

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 2eb1601fb25..8e75c620ce5 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: cert.c,v 1.67 2022/04/12 08:45:34 tb Exp $ */

+/* $OpenBSD: cert.c,v 1.68 2022/04/12 09:32:23 tb Exp $ */

@@ -125,75 +125,6 @@ sbgp_addr(struct parse *p,

}

- * Parse "Subject Information Access" extension, RFC 6487 4.8.8.

- * Returns zero on failure, non-zero on success.

- */

-static int

-sbgp_sia(struct parse *p, X509_EXTENSION *ext)

- AUTHORITY_INFO_ACCESS *sia = NULL;

- ACCESS_DESCRIPTION *ad;

- ASN1_OBJECT *oid;

- int i, rc = 0;

- if (X509_EXTENSION_get_critical(ext)) {

- warnx("%s: RFC 6487 section 4.8.8: SIA: "

- "extension not non-critical", p->fn);

- goto out;

- }

- if ((sia = X509V3_EXT_d2i(ext)) == NULL) {

- cryptowarnx("%s: RFC 6487 section 4.8.8: SIA: "

- "failed extension parse", p->fn);

- goto out;

- }

- for (i = 0; i < sk_ACCESS_DESCRIPTION_num(sia); i++) {

- ad = sk_ACCESS_DESCRIPTION_value(sia, i);

- oid = ad->method;

- if (OBJ_cmp(oid, carepo_oid) == 0) {

- if (!x509_location(p->fn, "SIA: caRepository",

- "rsync://", ad->location, &p->res->repo))

- goto out;

- } else if (OBJ_cmp(oid, manifest_oid) == 0) {

- if (!x509_location(p->fn, "SIA: rpkiManifest",

- "rsync://", ad->location, &p->res->mft))

- goto out;

- } else if (OBJ_cmp(oid, notify_oid) == 0) {

- if (!x509_location(p->fn, "SIA: rpkiNotify",

- "https://", ad->location, &p->res->notify))

- goto out;

- }

- if (p->res->mft == NULL || p->res->repo == NULL) {

- warnx("%s: RFC 6487 section 4.8.8: SIA missing caRepository "

- "or rpkiManifest", p->fn);

- goto out;

- }

- if (strstr(p->res->mft, p->res->repo) != p->res->mft) {

- warnx("%s: RFC 6487 section 4.8.8: SIA: "

- "conflicting URIs for caRepository and rpkiManifest",

- p->fn);

- goto out;

- }

- if (rtype_from_file_extension(p->res->mft) != RTYPE_MFT) {

- warnx("%s: RFC 6487 section 4.8.8: SIA: "

- "not an MFT file", p->fn);

- goto out;

- }

- rc = 1;

- out:

- AUTHORITY_INFO_ACCESS_free(sia);

- return rc;

-/*

* Parse a range of addresses as in 3.2.3.8.

* Returns zero on failure, non-zero on success.

@@ -777,6 +708,75 @@ out:

}

+ * Parse "Subject Information Access" extension, RFC 6487 4.8.8.

+ * Returns zero on failure, non-zero on success.

+ */

+static int

+sbgp_sia(struct parse *p, X509_EXTENSION *ext)

+ AUTHORITY_INFO_ACCESS *sia = NULL;

+ ACCESS_DESCRIPTION *ad;

+ ASN1_OBJECT *oid;

+ int i, rc = 0;

+ if (X509_EXTENSION_get_critical(ext)) {

+ warnx("%s: RFC 6487 section 4.8.8: SIA: "

+ "extension not non-critical", p->fn);

+ goto out;

+ }

+ if ((sia = X509V3_EXT_d2i(ext)) == NULL) {

+ cryptowarnx("%s: RFC 6487 section 4.8.8: SIA: "

+ "failed extension parse", p->fn);

+ goto out;

+ }

+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(sia); i++) {

+ ad = sk_ACCESS_DESCRIPTION_value(sia, i);

+ oid = ad->method;

+ if (OBJ_cmp(oid, carepo_oid) == 0) {

+ if (!x509_location(p->fn, "SIA: caRepository",

+ "rsync://", ad->location, &p->res->repo))

+ goto out;

+ } else if (OBJ_cmp(oid, manifest_oid) == 0) {

+ if (!x509_location(p->fn, "SIA: rpkiManifest",

+ "rsync://", ad->location, &p->res->mft))

+ goto out;

+ } else if (OBJ_cmp(oid, notify_oid) == 0) {

+ if (!x509_location(p->fn, "SIA: rpkiNotify",

+ "https://", ad->location, &p->res->notify))

+ goto out;

+ }

+ if (p->res->mft == NULL || p->res->repo == NULL) {

+ warnx("%s: RFC 6487 section 4.8.8: SIA missing caRepository "

+ "or rpkiManifest", p->fn);

+ goto out;

+ }

+ if (strstr(p->res->mft, p->res->repo) != p->res->mft) {

+ warnx("%s: RFC 6487 section 4.8.8: SIA: "

+ "conflicting URIs for caRepository and rpkiManifest",

+ p->fn);

+ goto out;

+ }

+ if (rtype_from_file_extension(p->res->mft) != RTYPE_MFT) {

+ warnx("%s: RFC 6487 section 4.8.8: SIA: "

+ "not an MFT file", p->fn);

+ goto out;

+ }

+ rc = 1;

+ out:

+ AUTHORITY_INFO_ACCESS_free(sia);

+ return rc;

+/*

* Parse the certificate policies extension and check that it follows RFC 7318.

* Returns zero on failure, non-zero on success.