author | Job Snijders <job@cvs.openbsd.org> | 2022-05-11 14:42:02 +0000 |
---|---|---|
committer | Job Snijders <job@cvs.openbsd.org> | 2022-05-11 14:42:02 +0000 |
commit | a9ab456066a9d5d377eddc5311deafe22ee27e04 (patch) | |
tree | c93c3819026ea707a954177dbf9c620a2479bc9a /usr.sbin | |
parent | 019bc825343fa08a855d81b6769088fe592ab5d1 (diff) |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/rpki-client/extern.h | 3 | ||||
-rw-r--r-- | usr.sbin/rpki-client/filemode.c | 11 | ||||
-rw-r--r-- | usr.sbin/rpki-client/validate.c | 77 |
3 files changed, 87 insertions, 4 deletions
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 843927bce40..3e1c3e4894a 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.135 2022/05/10 07:41:37 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.136 2022/05/11 14:42:01 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -507,6 +507,7 @@ int valid_uri(const char *, size_t, const char *);
 int valid_origin(const char *, const char *);
 int valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *,
 struct crl *, int);
+int valid_rsc(const char *, struct auth *, struct rsc *);
 
 /* Working with CMS. */
 unsigned char *cms_parse_validate(X509 **, const char *,
diff --git a/usr.sbin/rpki-client/filemode.c b/usr.sbin/rpki-client/filemode.c
index 5ab2906d44c..f43a2fa5565 100644
--- a/usr.sbin/rpki-client/filemode.c
+++ b/usr.sbin/rpki-client/filemode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filemode.c,v 1.6 2022/05/09 17:02:34 job Exp $ */
+/* $OpenBSD: filemode.c,v 1.7 2022/05/11 14:42:01 job Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -380,6 +380,7 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
 struct auth *a;
 struct crl *c;
 char *crl_uri;
+ int status;
 
 x509_get_crl(x509, file, &crl_uri);
 parse_load_crl(crl_uri);
@@ -389,7 +390,13 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
 a = auth_find(&auths, aki);
 c = crl_get(&crlt, a);
 
- if (valid_x509(file, ctx, x509, a, c, 0))
+ if ((status = valid_x509(file, ctx, x509, a, c, 0))) {
+ if (type == RTYPE_ROA)
+ status = valid_roa(file, a, roa);
+ else if (type == RTYPE_RSC)
+ status = valid_rsc(file, a, rsc);
+ }
+ if (status)
 printf("OK");
 else
 printf("Failed");
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index ca0312692d9..187190db034 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.32 2022/05/10 07:41:37 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.33 2022/05/11 14:42:01 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -502,3 +502,78 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
 sk_X509_CRL_free(crls);
 return 1;
 }
+
+/*
+ * Validate our RSC: check that all items in the ResourceBlock are contained.
+ * Returns 1 if valid, 0 otherwise.
+ */
+int
+valid_rsc(const char *fn, struct auth *a, struct rsc *rsc)
+{
+ size_t i;
+ uint32_t min, max;
+ char buf1[64], buf2[64];
+
+ for (i = 0; i < rsc->asz; i++) {
+ if (rsc->as[i].type == CERT_AS_INHERIT) {
+ warnx("%s: RSC ResourceBlock: illegal inherit", fn);
+ return 0;
+ }
+
+ min = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.min
+ : rsc->as[i].id;
+ max = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.max
+ : rsc->as[i].id;
+
+ if (valid_as(a, min, max))
+ continue;
+
+ switch (rsc->as[i].type) {
+ case CERT_AS_ID:
+ warnx("%s: RSC resourceBlock: uncovered AS Identifier: "
+ "%u", fn, rsc->as[i].id);
+ break;
+ case CERT_AS_RANGE:
+ continue;
+ warnx("%s: RSC resourceBlock: uncovered AS Range: "
+ "%u--%u", fn, min, max);
+ break;
+ default:
+ break;
+ }
+ return 0;
+ }
+
+ for (i = 0; i < rsc->ipsz; i++) {
+ if (rsc->ips[i].type == CERT_IP_INHERIT) {
+ warnx("%s: RSC ResourceBlock: illegal inherit", fn);
+ return 0;
+ }
+
+ if (valid_ip(a, rsc->ips[i].afi, rsc->ips[i].min,
+ rsc->ips[i].max))
+ continue;
+
+ switch (rsc->ips[i].type) {
+ case CERT_IP_RANGE:
+ ip_addr_print(&rsc->ips[i].range.min,
+ rsc->ips[i].afi, buf1, sizeof(buf1));
+ ip_addr_print(&rsc->ips[i].range.max,
+ rsc->ips[i].afi, buf2, sizeof(buf2));
+ warnx("%s: RSC ResourceBlock: uncovered IP Range: "
+ "%s--%s", fn, buf1, buf2);
+ break;
+ case CERT_IP_ADDR:
+ ip_addr_print(&rsc->ips[i].ip,
+ rsc->ips[i].afi, buf1, sizeof(buf1));
+ warnx("%s: RSC ResourceBlock: uncovered IP: "
+ "%s", fn, buf1);
+ break;
+ default:
+ break;
+ }
+ return 0;
+ }
+
+ return 1;
+} |
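Review bot: The `continue;` placed directly under `case CERT_AS_RANGE:` in valid_rsc defeats the check it sits in: it makes the following `warnx(...)` unreachable and, because it jumps to the next loop iteration, it also skips the `return 0;` after the switch, so an AS range that valid_as() has just rejected is accepted silently while an uncovered single AS identifier is correctly refused. Since this function is what filemode relies on to decide that RSC resources are "properly contained", the stray statement turns a containment failure into an OK verdict for ranges; removing the `continue;` line lets the range case warn and fall through to `return 0` like the CERT_AS_ID case. As a minor portability point, `min` and `max` are `uint32_t` but are printed with `%u`; `"%" PRIu32` from <inttypes.h> would match the type exactly, though on this platform the two coincide.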