authorClaudio Jeker <claudio@cvs.openbsd.org>2021-11-01 17:00:35 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2021-11-01 17:00:35 +0000
commit02789f46b451cb3ad87d7e85952b65a16da6bb8b (patch)
treee0adc9c55cf27837cc7f292dd2bb654457492bd3 /usr.sbin
parentb9cd79b55c96390802783adcf4ab176ad1a66bfc (diff)
Further simplify cert and auth handling. Move common code into auth_insert
and skip this distinction between invalid and failed certificates. The difference between the two is getting more and more blurry. OK tb@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpki-client/cert.c22
-rw-r--r--usr.sbin/rpki-client/extern.h10
-rw-r--r--usr.sbin/rpki-client/main.c35
-rw-r--r--usr.sbin/rpki-client/output-json.c7
-rw-r--r--usr.sbin/rpki-client/output.c9
-rw-r--r--usr.sbin/rpki-client/parser.c53
6 files changed, 65 insertions, 71 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index c78f067563e..f6b862dc84d 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.43 2021/10/28 09:02:19 beck Exp $ */
+/* $OpenBSD: cert.c,v 1.44 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -1256,7 +1256,6 @@ cert_buffer(struct ibuf *b, const struct cert *p)
{
size_t i;
- io_simple_buffer(b, &p->valid, sizeof(int));
io_simple_buffer(b, &p->expires, sizeof(time_t));
io_simple_buffer(b, &p->purpose, sizeof(enum cert_purpose));
io_simple_buffer(b, &p->ipsz, sizeof(size_t));
@@ -1319,7 +1318,6 @@ cert_read(struct ibuf *b)
if ((p = calloc(1, sizeof(struct cert))) == NULL)
err(1, NULL);
- io_read_buf(b, &p->valid, sizeof(int));
io_read_buf(b, &p->expires, sizeof(time_t));
io_read_buf(b, &p->purpose, sizeof(enum cert_purpose));
io_read_buf(b, &p->ipsz, sizeof(size_t));
@@ -1365,6 +1363,24 @@ auth_find(struct auth_tree *auths, const char *aki)
return RB_FIND(auth_tree, auths, &a);
}
+int
+auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent)
+{
+ struct auth *na;
+
+ na = malloc(sizeof(*na));
+ if (na == NULL)
+ err(1, NULL);
+
+ na->parent = parent;
+ na->cert = cert;
+
+ if (RB_INSERT(auth_tree, auths, na) != NULL)
+ err(1, "auth tree corrupted");
+
+ return 1;
+}
+
static inline int
authcmp(struct auth *a, struct auth *b)
{
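Review bot: auth_insert cannot return 0 — both failure modes on lines 55-62 terminate through err(3) — so the `int` return type and `return 1` promise a failure path that callers then handle with cleanup code that never runs. Either make the function `void`, or state in a header comment that the result is always 1 and that the tree node takes ownership of `cert` (only the pointer is stored; nothing here copies it). Something like `/* Link cert into the auth tree below parent (NULL for a trust anchor). Takes ownership of cert; allocation failure and duplicate keys are fatal. */` above the function would make that contract explicit. authcmp, whose opening line closes the hunk, continues outside the visible lines.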
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 43858a5722c..70d5c7d9b4c 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.87 2021/11/01 09:12:18 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.88 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -128,7 +128,6 @@ struct cert {
char *tal; /* basename of TAL for this cert */
enum cert_purpose purpose; /* Certificate Purpose (BGPSec or CA) */
char *pubkey; /* Subject Public Key Info */
- int valid; /* validated resources */
X509 *x509; /* the cert */
time_t expires; /* do not use after */
};
@@ -277,7 +276,8 @@ struct auth {
RB_HEAD(auth_tree, auth);
RB_PROTOTYPE(auth_tree, auth, entry, authcmp);
-struct auth *auth_find(struct auth_tree *, const char *);
+struct auth *auth_find(struct auth_tree *, const char *);
+int auth_insert(struct auth_tree *, struct cert *, struct auth *);
/*
* Resource types specified by the RPKI profiles.
@@ -359,8 +359,7 @@ struct stats {
size_t mfts_fail; /* failing syntactic parse */
size_t mfts_stale; /* stale manifests */
size_t certs; /* certificates */
- size_t certs_fail; /* failing syntactic parse */
- size_t certs_invalid; /* invalid resources */
+ size_t certs_fail; /* invalid certificate */
size_t roas; /* route origin authorizations */
size_t roas_fail; /* failing syntactic parse */
size_t roas_invalid; /* invalid resources */
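Review bot: The comment on the surviving `certs_fail` counter says `/* invalid certificate */`, but with `certs_invalid` folded into it the field now covers both syntactic parse failures and certificates rejected by resource validation, while the ROA counters right below still keep the two apart. Suggest `size_t certs_fail; /* failed parse or invalid resources */` so a reader does not assume the split still exists for certificates. struct stats continues outside the hunk.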
@@ -378,7 +377,6 @@ struct stats {
size_t del_files; /* number of files removed in cleanup */
size_t del_dirs; /* number of directories removed in cleanup */
size_t brks; /* number of BGPsec Router Key (BRK) certificates */
- size_t brks_invalids; /* invalid BGPsec certs */
char *talnames;
struct timeval elapsed_time;
struct timeval user_time;
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index 33f9b0fb4d3..f05a4d01e3f 100644
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.159 2021/10/31 16:00:14 claudio Exp $ */
+/* $OpenBSD: main.c,v 1.160 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -497,24 +497,18 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree,
}
cert = cert_read(b);
if (cert->purpose == CERT_PURPOSE_CA) {
- if (cert->valid) {
- /*
- * Process the revocation list from the
- * certificate *first*, since it might mark that
- * we're revoked and then we don't want to
- * process the MFT.
- */
- queue_add_from_cert(cert);
- } else
- st->certs_invalid++;
+ /*
+ * Process the revocation list from the
+ * certificate *first*, since it might mark that
+ * we're revoked and then we don't want to
+ * process the MFT.
+ */
+ queue_add_from_cert(cert);
} else if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
- if (cert->valid) {
- cert_insert_brks(brktree, cert);
- st->brks++;
- } else
- st->brks_invalids++;
+ cert_insert_brks(brktree, cert);
+ st->brks++;
} else
- st->certs_invalid++;
+ st->certs_fail++;
cert_free(cert);
break;
case RTYPE_MFT:
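Review bot: queue_add_from_cert on line 144 and cert_insert_brks on line 151 now run for every certificate that arrives, so this process no longer checks anything itself; the guarantee that only certificates that passed valid_cert and were added to the auth tree are ever serialised presumably lives entirely in the parser process now. That is worth stating where the check used to be, e.g. `/* The parser only forwards certs that passed valid_cert() and were inserted into its auth tree; anything read here is trusted. */`. The final `else` on line 155 now bumps `certs_fail` for a cert whose purpose is neither CA nor BGPsec router, so that counter mixes parse failures with unexpected purposes; a one-line comment there would avoid misreading the statistic. entity_process starts and ends outside the hunk.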
@@ -1184,10 +1178,9 @@ main(int argc, char *argv[])
(long long)stats.system_time.tv_sec);
logx("Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)",
stats.roas, stats.roas_fail, stats.roas_invalid);
- logx("BGPsec Router Certificates: %zu (%zu invalid)",
- stats.brks, stats.brks_invalids);
- logx("Certificates: %zu (%zu failed parse, %zu invalid)",
- stats.certs, stats.certs_fail, stats.certs_invalid);
+ logx("BGPsec Router Certificates: %zu", stats.brks);
+ logx("Certificates: %zu (%zu invalid)",
+ stats.certs, stats.certs_fail);
logx("Trust Anchor Locators: %zu", stats.tals);
logx("Manifests: %zu (%zu failed parse, %zu stale)",
stats.mfts, stats.mfts_fail, stats.mfts_stale);
diff --git a/usr.sbin/rpki-client/output-json.c b/usr.sbin/rpki-client/output-json.c
index 38c5422c22f..d390179112f 100644
--- a/usr.sbin/rpki-client/output-json.c
+++ b/usr.sbin/rpki-client/output-json.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output-json.c,v 1.20 2021/10/15 08:48:18 job Exp $ */
+/* $OpenBSD: output-json.c,v 1.21 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
*
@@ -47,9 +47,7 @@ outputheader_json(FILE *out, struct stats *st)
"\t\t\"failedroas\": %zu,\n"
"\t\t\"invalidroas\": %zu,\n"
"\t\t\"bgpsec_pubkeys\": %zu,\n"
- "\t\t\"invalidbgpsec_pubkeys\": %zu,\n"
"\t\t\"certificates\": %zu,\n"
- "\t\t\"failcertificates\": %zu,\n"
"\t\t\"invalidcertificates\": %zu,\n"
"\t\t\"tals\": %zu,\n"
"\t\t\"talfiles\": \"%s\",\n"
@@ -67,8 +65,7 @@ outputheader_json(FILE *out, struct stats *st)
hn, tbuf, (long long)st->elapsed_time.tv_sec,
(long long)st->user_time.tv_sec, (long long)st->system_time.tv_sec,
st->roas, st->roas_fail, st->roas_invalid,
- st->brks, st->brks_invalids,
- st->certs, st->certs_fail, st->certs_invalid,
+ st->brks, st->certs, st->certs_fail,
st->tals, st->talnames,
st->mfts, st->mfts_fail, st->mfts_stale,
st->crls,
diff --git a/usr.sbin/rpki-client/output.c b/usr.sbin/rpki-client/output.c
index 5e4c64d04ab..7578e04d50d 100644
--- a/usr.sbin/rpki-client/output.c
+++ b/usr.sbin/rpki-client/output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output.c,v 1.22 2021/10/11 16:50:03 job Exp $ */
+/* $OpenBSD: output.c,v 1.23 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Theo de Raadt <deraadt@openbsd.org>
*
@@ -213,8 +213,8 @@ outputheader(FILE *out, struct stats *st)
"# Generated on host %s at %s\n"
"# Processing time %lld seconds (%lld seconds user, %lld seconds system)\n"
"# Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)\n"
- "# BGPsec Router Certificates: %zu (%zu invalid)\n"
- "# Certificates: %zu (%zu failed parse, %zu invalid)\n"
+ "# BGPsec Router Certificates: %zu\n"
+ "# Certificates: %zu (%zu invalid)\n"
"# Trust Anchor Locators: %zu (%s)\n"
"# Manifests: %zu (%zu failed parse, %zu stale)\n"
"# Certificate revocation lists: %zu\n"
@@ -224,8 +224,7 @@ outputheader(FILE *out, struct stats *st)
hn, tbuf, (long long)st->elapsed_time.tv_sec,
(long long)st->user_time.tv_sec, (long long)st->system_time.tv_sec,
st->roas, st->roas_fail, st->roas_invalid,
- st->brks, st->brks_invalids,
- st->certs, st->certs_fail, st->certs_invalid,
+ st->brks, st->certs, st->certs_fail,
st->tals, st->talnames,
st->mfts, st->mfts_fail, st->mfts_stale,
st->crls,
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 4818354f3bc..3b0b300ebcd 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.22 2021/11/01 09:12:18 claudio Exp $ */
+/* $OpenBSD: parser.c,v 1.23 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -195,7 +195,7 @@ proc_parser_cert(const struct entity *entp, const unsigned char *der,
struct cert *cert;
X509 *x509;
int c;
- struct auth *a = NULL, *na;
+ struct auth *a = NULL;
STACK_OF(X509) *chain;
STACK_OF(X509_CRL) *crls;
@@ -237,28 +237,24 @@ proc_parser_cert(const struct entity *entp, const unsigned char *der,
sk_X509_free(chain);
sk_X509_CRL_free(crls);
+ if ((cert->tal = strdup(a->cert->tal)) == NULL)
+ err(1, NULL);
+
/* Validate the cert to get the parent */
if (!valid_cert(entp->file, &auths, cert)) {
X509_free(x509); // needed? XXX
- return cert;
+ cert_free(cert);
+ return NULL;
}
/*
* Add validated certs to the RPKI auth tree.
*/
-
- cert->valid = 1;
- if ((cert->tal = strdup(a->cert->tal)) == NULL)
- err(1, NULL);
-
- na = malloc(sizeof(*na));
- if (na == NULL)
- err(1, NULL);
- na->parent = a;
- na->cert = cert;
-
- if (RB_INSERT(auth_tree, &auths, na) != NULL)
- err(1, "auth tree corrupted");
+ if (!auth_insert(&auths, cert, a)) {
+ X509_free(x509); // needed? XXX
+ cert_free(cert);
+ return NULL;
+ }
return cert;
}
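Review bot: The new `if (!auth_insert(...))` cleanup on lines 281-285 is unreachable, since auth_insert err()s on both of its failure modes and otherwise returns 1, and like the valid_cert path above it pairs `X509_free(x509)` with `cert_free(cert)`. If `cert->x509` (the field declared in struct cert) aliases the `x509` that cert_parse handed back and cert_free releases it, the second free is a double free on every rejected certificate; the surviving `// needed? XXX` comments suggest this has not been settled, and it should be before more such paths are added. I would drop the dead branch (or make auth_insert void) and keep a single release of the X509 object, e.g. `auth_insert(&auths, cert, a); return cert;`. Note also that `a->cert->tal` is now dereferenced before valid_cert, so `a` being non-NULL here must be guaranteed earlier, outside the hunk, where proc_parser_cert begins.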
@@ -282,7 +278,6 @@ proc_parser_root_cert(const struct entity *entp, const unsigned char *der,
X509_NAME *name;
struct cert *cert;
X509 *x509;
- struct auth *na;
assert(entp->has_data);
@@ -327,27 +322,23 @@ proc_parser_root_cert(const struct entity *entp, const unsigned char *der,
goto badcert;
}
- /*
- * Add valid roots to the RPKI auth tree.
- */
-
- cert->valid = 1;
if ((cert->tal = strdup(entp->descr)) == NULL)
err(1, NULL);
- na = malloc(sizeof(*na));
- if (na == NULL)
- err(1, NULL);
- na->parent = NULL;
- na->cert = cert;
-
- if (RB_INSERT(auth_tree, &auths, na) != NULL)
- err(1, "auth tree corrupted");
+ /*
+ * Add valid roots to the RPKI auth tree.
+ */
+ if (!auth_insert(&auths, cert, NULL)) {
+ X509_free(x509); // needed? XXX
+ cert_free(cert);
+ return NULL;
+ }
return cert;
badcert:
X509_free(x509); // needed? XXX
- return cert;
+ cert_free(cert);
+ return NULL;
}
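Review bot: The `!auth_insert` branch on lines 315-319 duplicates the `badcert` epilogue three lines below it and can never run, because auth_insert terminates with err(3) instead of returning 0. Routing it through the existing label keeps one cleanup path, `if (!auth_insert(&auths, cert, NULL)) goto badcert;`, or the check can go entirely once auth_insert is made void. Freeing `x509` and then `cert` at `badcert` is only safe if `cert->x509` does not alias `x509`, which the `// needed? XXX` comment leaves open. proc_parser_root_cert begins before this hunk.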
/*