authorTheo Buehler <tb@cvs.openbsd.org>2022-06-10 10:36:44 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-06-10 10:36:44 +0000
commit9fd9d709995ce62e2d48bb7b44f10f404d887756 (patch)
tree26fa1c223275fb224c846436a4929ca4bf337838 /usr.sbin
parentd8e4dfd27f23fc7cbb43cfe43d8882323e4224c2 (diff)
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code. ok claudio
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpki-client/extern.h3
-rw-r--r--usr.sbin/rpki-client/mft.c23
-rw-r--r--usr.sbin/rpki-client/roa.c23
-rw-r--r--usr.sbin/rpki-client/rsc.c23
-rw-r--r--usr.sbin/rpki-client/validate.c25
5 files changed, 35 insertions, 62 deletions
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 5536919e241..81e76f898e6 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.141 2022/06/01 10:59:21 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.142 2022/06/10 10:36:43 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -508,6 +508,7 @@ int valid_origin(const char *, const char *);
int valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *,
struct crl *, int);
int valid_rsc(const char *, struct auth *, struct rsc *);
+int valid_econtent_version(const char *, const ASN1_INTEGER *);
/* Working with CMS. */
unsigned char *cms_parse_validate(X509 **, const char *,
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 289e35cc44d..4dfb08050ed 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.70 2022/06/01 10:58:34 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.71 2022/06/10 10:36:43 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -270,7 +270,6 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
{
Manifest *mft;
FileAndHash *fh;
- long mft_version;
int i, rc = 0;
if ((mft = d2i_Manifest(NULL, &d, dsz)) == NULL) {
@@ -279,24 +278,8 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
goto out;
}
- /* Validate the optional version field */
- if (mft->version != NULL) {
- mft_version = ASN1_INTEGER_get(mft->version);
- if (mft_version < 0) {
- cryptowarnx("%s: ASN1_INTEGER_get failed", p->fn);
- goto out;
- }
-
- switch (mft_version) {
- case 0:
- warnx("%s: incorrect encoding for version 0", p->fn);
- goto out;
- default:
- warnx("%s: version %ld not supported (yet)", p->fn,
- mft_version);
- goto out;
- }
- }
+ if (!valid_econtent_version(p->fn, mft->version))
+ goto out;
p->res->seqnum = x509_convert_seqnum(p->fn, mft->manifestNumber);
if (p->res->seqnum == NULL)
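Review bot: The replacement at `if (!valid_econtent_version(p->fn, mft->version))` moves the failure report from `cryptowarnx` (which the removed lines used) to the plain `warnx` inside the shared helper, so if ASN1_INTEGER_get leaves an entry on the libcrypto error queue on failure, that entry is no longer printed and stays queued until some later cryptowarnx call reports it against an unrelated file. The same applies to the rsc.c hunk, which also used cryptowarnx before; roa.c already used warnx, so it is unaffected. Whether ASN1_INTEGER_get pushes an error depends on the libcrypto in tree, so this is worth confirming; if it can, either have the helper report via cryptowarnx or drop the stale state with `ERR_clear_error();` after the failed call. mft_parse_econtent begins outside the hunk.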
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index 281cb0c2eb3..0b5ff2832f7 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.46 2022/05/31 18:51:35 tb Exp $ */
+/* $OpenBSD: roa.c,v 1.47 2022/06/10 10:36:43 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -103,7 +103,6 @@ static int
roa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
{
RouteOriginAttestation *roa;
- long roa_version;
const ROAIPAddressFamily *addrfam;
const STACK_OF(ROAIPAddress) *addrs;
int addrsz;
@@ -120,24 +119,8 @@ roa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
goto out;
}
- /* Validate the optional version field */
- if (roa->version != NULL) {
- roa_version = ASN1_INTEGER_get(roa->version);
- if (roa_version < 0) {
- warnx("%s: ASN1_INTEGER_get failed", p->fn);
- goto out;
- }
-
- switch (roa_version) {
- case 0:
- warnx("%s: incorrect encoding for version 0", p->fn);
- goto out;
- default:
- warnx("%s: version %ld not supported (yet)", p->fn,
- roa_version);
- goto out;
- }
- }
+ if (!valid_econtent_version(p->fn, roa->version))
+ goto out;
if (!as_id_parse(roa->asid, &p->res->asid)) {
warnx("%s: RFC 6482 section 3.2: asID: "
diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index 1aac0659ddb..5009aae9864 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.10 2022/06/05 13:31:35 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.11 2022/06/10 10:36:43 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2022 Job Snijders <job@fastly.com>
@@ -327,7 +327,6 @@ rsc_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
{
RpkiSignedChecklist *rsc;
ResourceBlock *resources;
- long rsc_version;
int rc = 0;
/*
@@ -339,24 +338,8 @@ rsc_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
goto out;
}
- /* Validate the optional version field */
- if (rsc->version != NULL) {
- rsc_version = ASN1_INTEGER_get(rsc->version);
- if (rsc_version < 0) {
- cryptowarnx("%s: RSC: ASN1_INTEGER_get failed", p->fn);
- goto out;
- }
-
- switch (rsc_version) {
- case 0:
- warnx("%s: RSC: incorrect version encoding", p->fn);
- goto out;
- default:
- warnx("%s: RSC: version %ld not supported (yet)", p->fn,
- rsc_version);
- goto out;
- }
- }
+ if (!valid_econtent_version(p->fn, rsc->version))
+ goto out;
resources = rsc->resources;
if (resources->asID == NULL && resources->ipAddrBlocks == NULL) {
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 4d65f9de61d..5c3fcd87acd 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.39 2022/06/07 08:50:07 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.40 2022/06/10 10:36:43 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -510,3 +510,26 @@ valid_rsc(const char *fn, struct auth *a, struct rsc *rsc)
return 1;
}
+
+int
+valid_econtent_version(const char *fn, const ASN1_INTEGER *aint)
+{
+ long version;
+
+ if (aint == NULL)
+ return 1;
+
+ if ((version = ASN1_INTEGER_get(aint)) < 0) {
+ warnx("%s: ASN1_INTEGER_get failed", fn);
+ return 0;
+ }
+
+ switch (version) {
+ case 0:
+ warnx("%s: incorrect encoding for version 0", fn);
+ return 0;
+ default:
+ warnx("%s: version %ld not supported (yet)", fn, version);
+ return 0;
+ }
+}
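Review bot: valid_econtent_version has no header comment, and its contract is not obvious from the body: an absent version (the DER default 0) is accepted, while every explicitly encoded value, including 0, is rejected, so the function can only return 1 when `aint == NULL`. I would put above the definition `/* Validate the optional econtent version of an RPKI signed object. Absent means the default 0 and is accepted; an explicit 0 is a DER encoding error and anything else is unsupported. Returns 1 if valid, 0 with a warning otherwise. */`. The test at `if ((version = ASN1_INTEGER_get(aint)) < 0)` also catches a legitimately encoded negative integer, for which ASN1_INTEGER_get returns the value itself rather than the -1 error sentinel; rejecting it is right, but the "ASN1_INTEGER_get failed" message is misleading in that case, and `warnx("%s: econtent version negative or too large", fn);` would describe both outcomes accurately.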