-rw-r--r--usr.sbin/rpki-client/as.c52
-rw-r--r--usr.sbin/rpki-client/cert.c137
-rw-r--r--usr.sbin/rpki-client/constraints.c94
-rw-r--r--usr.sbin/rpki-client/extern.h24
-rw-r--r--usr.sbin/rpki-client/geofeed.c12
-rw-r--r--usr.sbin/rpki-client/ip.c12
-rw-r--r--usr.sbin/rpki-client/print.c45
-rw-r--r--usr.sbin/rpki-client/roa.c28
-rw-r--r--usr.sbin/rpki-client/rsc.c32
-rw-r--r--usr.sbin/rpki-client/spl.c6
-rw-r--r--usr.sbin/rpki-client/validate.c58
11 files changed, 252 insertions, 248 deletions
diff --git a/usr.sbin/rpki-client/as.c b/usr.sbin/rpki-client/as.c
index 4812d9314f0..471e172bed4 100644
--- a/usr.sbin/rpki-client/as.c
+++ b/usr.sbin/rpki-client/as.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: as.c,v 1.16 2023/12/27 07:15:55 tb Exp $ */
+/* $OpenBSD: as.c,v 1.17 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -38,21 +38,21 @@ as_id_parse(const ASN1_INTEGER *v, uint32_t *out)
}
/*
- * Given a newly-parsed AS number or range "a", make sure that "a" does
- * not overlap with any other numbers or ranges in the "as" array.
+ * Given a newly-parsed AS number or range "as", make sure that "as" does
+ * not overlap with any other numbers or ranges in the "ases" array.
* This is defined by RFC 3779 section 3.2.3.4.
* Returns zero on failure, non-zero on success.
*/
int
-as_check_overlap(const struct cert_as *a, const char *fn,
- const struct cert_as *as, size_t asz, int quiet)
+as_check_overlap(const struct cert_as *as, const char *fn,
+ const struct cert_as *ases, size_t num_ases, int quiet)
{
size_t i;
/* We can have only one inheritance statement. */
- if (asz &&
- (a->type == CERT_AS_INHERIT || as[0].type == CERT_AS_INHERIT)) {
+ if (num_ases &&
+ (as->type == CERT_AS_INHERIT || ases[0].type == CERT_AS_INHERIT)) {
if (!quiet) {
warnx("%s: RFC 3779 section 3.2.3.3: "
"cannot have inheritance and multiple ASnum or "
@@ -63,17 +63,17 @@ as_check_overlap(const struct cert_as *a, const char *fn,
/* Now check for overlaps between singletons/ranges. */
- for (i = 0; i < asz; i++) {
- switch (as[i].type) {
+ for (i = 0; i < num_ases; i++) {
+ switch (ases[i].type) {
case CERT_AS_ID:
- switch (a->type) {
+ switch (as->type) {
case CERT_AS_ID:
- if (a->id != as[i].id)
+ if (as->id != ases[i].id)
continue;
break;
case CERT_AS_RANGE:
- if (as->range.min > as[i].id ||
- as->range.max < as[i].id)
+ if (ases->range.min > ases[i].id ||
+ ases->range.max < ases[i].id)
continue;
break;
default:
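Review bot: In the CERT_AS_ID/CERT_AS_RANGE case the comparison still reads `ases->range.min` and `ases->range.max`, i.e. the first element of the existing array, rather than the range being checked; the rename carried the pre-existing `as`-vs-array confusion forward, while the mirror branch in the next hunk correctly uses `as->`. The two lines should read `if (as->range.min > ases[i].id || as->range.max < ases[i].id)`. As written, whether a newly parsed range is reported as overlapping an existing singleton depends on the contents of `ases[0]` (which may not even be a range, so `.range` presumably reads whatever shares its storage), so a certificate with overlapping AS resources can be accepted or a conforming one rejected in an RFC 3779 check that the validator relies on. as_check_overlap's body continues in the following hunks.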
@@ -81,15 +81,15 @@ as_check_overlap(const struct cert_as *a, const char *fn,
}
break;
case CERT_AS_RANGE:
- switch (a->type) {
+ switch (as->type) {
case CERT_AS_ID:
- if (as[i].range.min > a->id ||
- as[i].range.max < a->id)
+ if (ases[i].range.min > as->id ||
+ ases[i].range.max < as->id)
continue;
break;
case CERT_AS_RANGE:
- if (a->range.max < as[i].range.min ||
- a->range.min > as[i].range.max)
+ if (as->range.max < ases[i].range.min ||
+ as->range.min > ases[i].range.max)
continue;
break;
default:
@@ -112,23 +112,23 @@ as_check_overlap(const struct cert_as *a, const char *fn,
/*
* See if a given AS range (which may be the same number, in the case of
* singleton AS identifiers) is covered by the AS numbers or ranges
- * specified in the "as" array.
+ * specified in the "ases" array.
* Return <0 if there is no cover, 0 if we're inheriting, >0 if there is.
*/
int
as_check_covered(uint32_t min, uint32_t max,
- const struct cert_as *as, size_t asz)
+ const struct cert_as *ases, size_t num_ases)
{
size_t i;
uint32_t amin, amax;
- for (i = 0; i < asz; i++) {
- if (as[i].type == CERT_AS_INHERIT)
+ for (i = 0; i < num_ases; i++) {
+ if (ases[i].type == CERT_AS_INHERIT)
return 0;
- amin = as[i].type == CERT_AS_RANGE ?
- as[i].range.min : as[i].id;
- amax = as[i].type == CERT_AS_RANGE ?
- as[i].range.max : as[i].id;
+ amin = ases[i].type == CERT_AS_RANGE ?
+ ases[i].range.min : ases[i].id;
+ amax = ases[i].type == CERT_AS_RANGE ?
+ ases[i].range.max : ases[i].id;
if (min >= amin && max <= amax)
return 1;
}
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 020605ea809..2675a41603f 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.152 2024/11/05 18:09:16 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.153 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -48,12 +48,12 @@ int certid = TALSZ_MAX;
* Returns zero on failure (IP overlap) non-zero on success.
*/
static int
-append_ip(const char *fn, struct cert_ip *ips, size_t *ipsz,
+append_ip(const char *fn, struct cert_ip *ips, size_t *num_ips,
const struct cert_ip *ip)
{
- if (!ip_addr_check_overlap(ip, fn, ips, *ipsz, 0))
+ if (!ip_addr_check_overlap(ip, fn, ips, *num_ips, 0))
return 0;
- ips[(*ipsz)++] = *ip;
+ ips[(*num_ips)++] = *ip;
return 1;
}
@@ -63,12 +63,12 @@ append_ip(const char *fn, struct cert_ip *ips, size_t *ipsz,
* as defined by RFC 3779 section 3.3.
*/
static int
-append_as(const char *fn, struct cert_as *ases, size_t *asz,
+append_as(const char *fn, struct cert_as *ases, size_t *num_ases,
const struct cert_as *as)
{
- if (!as_check_overlap(as, fn, ases, *asz, 0))
+ if (!as_check_overlap(as, fn, ases, *num_ases, 0))
return 0;
- ases[(*asz)++] = *as;
+ ases[(*num_ases)++] = *as;
return 1;
}
@@ -77,7 +77,7 @@ append_as(const char *fn, struct cert_as *ases, size_t *asz,
* Returns zero on failure, non-zero on success.
*/
int
-sbgp_as_range(const char *fn, struct cert_as *ases, size_t *asz,
+sbgp_as_range(const char *fn, struct cert_as *ases, size_t *num_ases,
const ASRange *range)
{
struct cert_as as;
@@ -107,14 +107,14 @@ sbgp_as_range(const char *fn, struct cert_as *ases, size_t *asz,
return 0;
}
- return append_as(fn, ases, asz, &as);
+ return append_as(fn, ases, num_ases, &as);
}
/*
* Parse an entire 3.2.3.10 integer type.
*/
int
-sbgp_as_id(const char *fn, struct cert_as *ases, size_t *asz,
+sbgp_as_id(const char *fn, struct cert_as *ases, size_t *num_ases,
const ASN1_INTEGER *i)
{
struct cert_as as;
@@ -133,30 +133,30 @@ sbgp_as_id(const char *fn, struct cert_as *ases, size_t *asz,
return 0;
}
- return append_as(fn, ases, asz, &as);
+ return append_as(fn, ases, num_ases, &as);
}
static int
-sbgp_as_inherit(const char *fn, struct cert_as *ases, size_t *asz)
+sbgp_as_inherit(const char *fn, struct cert_as *ases, size_t *num_ases)
{
struct cert_as as;
memset(&as, 0, sizeof(struct cert_as));
as.type = CERT_AS_INHERIT;
- return append_as(fn, ases, asz, &as);
+ return append_as(fn, ases, num_ases, &as);
}
int
sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers,
- struct cert_as **out_as, size_t *out_asz)
+ struct cert_as **out_as, size_t *out_num_ases)
{
const ASIdOrRanges *aors = NULL;
struct cert_as *as = NULL;
- size_t asz = 0, sz;
+ size_t num_ases = 0, num;
int i;
- assert(*out_as == NULL && *out_asz == 0);
+ assert(*out_as == NULL && *out_num_ases == 0);
if (asidentifiers->rdi != NULL) {
warnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: "
@@ -172,11 +172,11 @@ sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers,
switch (asidentifiers->asnum->type) {
case ASIdentifierChoice_inherit:
- sz = 1;
+ num = 1;
break;
case ASIdentifierChoice_asIdsOrRanges:
aors = asidentifiers->asnum->u.asIdsOrRanges;
- sz = sk_ASIdOrRange_num(aors);
+ num = sk_ASIdOrRange_num(aors);
break;
default:
warnx("%s: RFC 3779 section 3.2.3.2: ASIdentifierChoice: "
@@ -184,21 +184,21 @@ sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers,
goto out;
}
- if (sz == 0) {
+ if (num == 0) {
warnx("%s: RFC 6487 section 4.8.11: empty asIdsOrRanges", fn);
goto out;
}
- if (sz >= MAX_AS_SIZE) {
+ if (num >= MAX_AS_SIZE) {
warnx("%s: too many AS number entries: limit %d",
fn, MAX_AS_SIZE);
goto out;
}
- as = calloc(sz, sizeof(struct cert_as));
+ as = calloc(num, sizeof(struct cert_as));
if (as == NULL)
err(1, NULL);
if (aors == NULL) {
- if (!sbgp_as_inherit(fn, as, &asz))
+ if (!sbgp_as_inherit(fn, as, &num_ases))
goto out;
}
@@ -208,11 +208,11 @@ sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers,
aor = sk_ASIdOrRange_value(aors, i);
switch (aor->type) {
case ASIdOrRange_id:
- if (!sbgp_as_id(fn, as, &asz, aor->u.id))
+ if (!sbgp_as_id(fn, as, &num_ases, aor->u.id))
goto out;
break;
case ASIdOrRange_range:
- if (!sbgp_as_range(fn, as, &asz, aor->u.range))
+ if (!sbgp_as_range(fn, as, &num_ases, aor->u.range))
goto out;
break;
default:
@@ -223,7 +223,7 @@ sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers,
}
*out_as = as;
- *out_asz = asz;
+ *out_num_ases = num_ases;
return 1;
@@ -256,7 +256,8 @@ sbgp_assysnum(const char *fn, struct cert *cert, X509_EXTENSION *ext)
goto out;
}
- if (!sbgp_parse_assysnum(fn, asidentifiers, &cert->as, &cert->asz))
+ if (!sbgp_parse_assysnum(fn, asidentifiers, &cert->ases,
+ &cert->num_ases))
goto out;
rc = 1;
@@ -270,7 +271,7 @@ sbgp_assysnum(const char *fn, struct cert *cert, X509_EXTENSION *ext)
* Returns zero on failure, non-zero on success.
*/
int
-sbgp_addr(const char *fn, struct cert_ip *ips, size_t *ipsz, enum afi afi,
+sbgp_addr(const char *fn, struct cert_ip *ips, size_t *num_ips, enum afi afi,
const ASN1_BIT_STRING *bs)
{
struct cert_ip ip;
@@ -292,7 +293,7 @@ sbgp_addr(const char *fn, struct cert_ip *ips, size_t *ipsz, enum afi afi,
return 0;
}
- return append_ip(fn, ips, ipsz, &ip);
+ return append_ip(fn, ips, num_ips, &ip);
}
/*
@@ -300,7 +301,7 @@ sbgp_addr(const char *fn, struct cert_ip *ips, size_t *ipsz, enum afi afi,
* Returns zero on failure, non-zero on success.
*/
int
-sbgp_addr_range(const char *fn, struct cert_ip *ips, size_t *ipsz,
+sbgp_addr_range(const char *fn, struct cert_ip *ips, size_t *num_ips,
enum afi afi, const IPAddressRange *range)
{
struct cert_ip ip;
@@ -328,11 +329,11 @@ sbgp_addr_range(const char *fn, struct cert_ip *ips, size_t *ipsz,
return 0;
}
- return append_ip(fn, ips, ipsz, &ip);
+ return append_ip(fn, ips, num_ips, &ip);
}
static int
-sbgp_addr_inherit(const char *fn, struct cert_ip *ips, size_t *ipsz,
+sbgp_addr_inherit(const char *fn, struct cert_ip *ips, size_t *num_ips,
enum afi afi)
{
struct cert_ip ip;
@@ -342,23 +343,23 @@ sbgp_addr_inherit(const char *fn, struct cert_ip *ips, size_t *ipsz,
ip.afi = afi;
ip.type = CERT_IP_INHERIT;
- return append_ip(fn, ips, ipsz, &ip);
+ return append_ip(fn, ips, num_ips, &ip);
}
int
sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk,
- struct cert_ip **out_ips, size_t *out_ipsz)
+ struct cert_ip **out_ips, size_t *out_num_ips)
{
const IPAddressFamily *af;
const IPAddressOrRanges *aors;
const IPAddressOrRange *aor;
enum afi afi;
struct cert_ip *ips = NULL;
- size_t ipsz = 0, sz;
+ size_t num_ips = 0, num;
int ipv4_seen = 0, ipv6_seen = 0;
int i, j, ipaddrblocksz;
- assert(*out_ips == NULL && *out_ipsz == 0);
+ assert(*out_ips == NULL && *out_num_ips == 0);
ipaddrblocksz = sk_IPAddressFamily_num(addrblk);
if (ipaddrblocksz != 1 && ipaddrblocksz != 2) {
@@ -374,26 +375,26 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk,
switch (af->ipAddressChoice->type) {
case IPAddressChoice_inherit:
aors = NULL;
- sz = ipsz + 1;
+ num = num_ips + 1;
break;
case IPAddressChoice_addressesOrRanges:
aors = af->ipAddressChoice->u.addressesOrRanges;
- sz = ipsz + sk_IPAddressOrRange_num(aors);
+ num = num_ips + sk_IPAddressOrRange_num(aors);
break;
default:
warnx("%s: RFC 3779: IPAddressChoice: unknown type %d",
fn, af->ipAddressChoice->type);
goto out;
}
- if (sz == ipsz) {
+ if (num == num_ips) {
warnx("%s: RFC 6487 section 4.8.10: "
"empty ipAddressesOrRanges", fn);
goto out;
}
- if (sz >= MAX_IP_SIZE)
+ if (num >= MAX_IP_SIZE)
goto out;
- ips = recallocarray(ips, ipsz, sz, sizeof(struct cert_ip));
+ ips = recallocarray(ips, num_ips, num, sizeof(struct cert_ip));
if (ips == NULL)
err(1, NULL);
@@ -420,7 +421,7 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk,
}
if (aors == NULL) {
- if (!sbgp_addr_inherit(fn, ips, &ipsz, afi))
+ if (!sbgp_addr_inherit(fn, ips, &num_ips, afi))
goto out;
continue;
}
@@ -429,12 +430,12 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk,
aor = sk_IPAddressOrRange_value(aors, j);
switch (aor->type) {
case IPAddressOrRange_addressPrefix:
- if (!sbgp_addr(fn, ips, &ipsz, afi,
+ if (!sbgp_addr(fn, ips, &num_ips, afi,
aor->u.addressPrefix))
goto out;
break;
case IPAddressOrRange_addressRange:
- if (!sbgp_addr_range(fn, ips, &ipsz, afi,
+ if (!sbgp_addr_range(fn, ips, &num_ips, afi,
aor->u.addressRange))
goto out;
break;
@@ -447,7 +448,7 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk,
}
*out_ips = ips;
- *out_ipsz = ipsz;
+ *out_num_ips = num_ips;
return 1;
@@ -480,10 +481,10 @@ sbgp_ipaddrblk(const char *fn, struct cert *cert, X509_EXTENSION *ext)
goto out;
}
- if (!sbgp_parse_ipaddrblk(fn, addrblk, &cert->ips, &cert->ipsz))
+ if (!sbgp_parse_ipaddrblk(fn, addrblk, &cert->ips, &cert->num_ips))
goto out;
- if (cert->ipsz == 0) {
+ if (cert->num_ips == 0) {
warnx("%s: RFC 6487 section 4.8.10: empty ipAddrBlock", fn);
goto out;
}
@@ -975,7 +976,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
warnx("%s: RFC 6487 section 4.8.8: missing SIA", fn);
goto out;
}
- if (cert->asz == 0 && cert->ipsz == 0) {
+ if (cert->num_ases == 0 && cert->num_ips == 0) {
warnx("%s: missing IP or AS resources", fn);
goto out;
}
@@ -986,12 +987,12 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
warnx("%s: x509_get_pubkey failed", fn);
goto out;
}
- if (cert->ipsz > 0) {
+ if (cert->num_ips > 0) {
warnx("%s: unexpected IP resources in BGPsec cert", fn);
goto out;
}
- for (j = 0; j < cert->asz; j++) {
- if (cert->as[j].type == CERT_AS_INHERIT) {
+ for (j = 0; j < cert->num_ases; j++) {
+ if (cert->ases[j].type == CERT_AS_INHERIT) {
warnx("%s: inherit elements not allowed in EE"
" cert", fn);
goto out;
@@ -1150,7 +1151,7 @@ cert_free(struct cert *p)
free(p->mft);
free(p->notify);
free(p->ips);
- free(p->as);
+ free(p->ases);
free(p->aia);
free(p->aki);
free(p->ski);
@@ -1171,11 +1172,11 @@ cert_buffer(struct ibuf *b, const struct cert *p)
io_simple_buffer(b, &p->talid, sizeof(p->talid));
io_simple_buffer(b, &p->certid, sizeof(p->certid));
io_simple_buffer(b, &p->repoid, sizeof(p->repoid));
- io_simple_buffer(b, &p->ipsz, sizeof(p->ipsz));
- io_simple_buffer(b, &p->asz, sizeof(p->asz));
+ io_simple_buffer(b, &p->num_ips, sizeof(p->num_ips));
+ io_simple_buffer(b, &p->num_ases, sizeof(p->num_ases));
- io_simple_buffer(b, p->ips, p->ipsz * sizeof(p->ips[0]));
- io_simple_buffer(b, p->as, p->asz * sizeof(p->as[0]));
+ io_simple_buffer(b, p->ips, p->num_ips * sizeof(p->ips[0]));
+ io_simple_buffer(b, p->ases, p->num_ases * sizeof(p->ases[0]));
io_str_buffer(b, p->mft);
io_str_buffer(b, p->notify);
@@ -1205,19 +1206,19 @@ cert_read(struct ibuf *b)
io_read_buf(b, &p->talid, sizeof(p->talid));
io_read_buf(b, &p->certid, sizeof(p->certid));
io_read_buf(b, &p->repoid, sizeof(p->repoid));
- io_read_buf(b, &p->ipsz, sizeof(p->ipsz));
- io_read_buf(b, &p->asz, sizeof(p->asz));
+ io_read_buf(b, &p->num_ips, sizeof(p->num_ips));
+ io_read_buf(b, &p->num_ases, sizeof(p->num_ases));
- if (p->ipsz > 0) {
- if ((p->ips = calloc(p->ipsz, sizeof(p->ips[0]))) == NULL)
+ if (p->num_ips > 0) {
+ if ((p->ips = calloc(p->num_ips, sizeof(p->ips[0]))) == NULL)
err(1, NULL);
- io_read_buf(b, p->ips, p->ipsz * sizeof(p->ips[0]));
+ io_read_buf(b, p->ips, p->num_ips * sizeof(p->ips[0]));
}
- if (p->asz > 0) {
- if ((p->as = calloc(p->asz, sizeof(p->as[0]))) == NULL)
+ if (p->num_ases > 0) {
+ if ((p->ases = calloc(p->num_ases, sizeof(p->ases[0]))) == NULL)
err(1, NULL);
- io_read_buf(b, p->as, p->asz * sizeof(p->as[0]));
+ io_read_buf(b, p->ases, p->num_ases * sizeof(p->ases[0]));
}
io_read_str(b, &p->mft);
@@ -1348,14 +1349,14 @@ cert_insert_brks(struct brk_tree *tree, struct cert *cert)
{
size_t i, asid;
- for (i = 0; i < cert->asz; i++) {
- switch (cert->as[i].type) {
+ for (i = 0; i < cert->num_ases; i++) {
+ switch (cert->ases[i].type) {
case CERT_AS_ID:
- insert_brk(tree, cert, cert->as[i].id);
+ insert_brk(tree, cert, cert->ases[i].id);
break;
case CERT_AS_RANGE:
- for (asid = cert->as[i].range.min;
- asid <= cert->as[i].range.max; asid++)
+ for (asid = cert->ases[i].range.min;
+ asid <= cert->ases[i].range.max; asid++)
insert_brk(tree, cert, asid);
break;
default:
diff --git a/usr.sbin/rpki-client/constraints.c b/usr.sbin/rpki-client/constraints.c
index 1c08427bfdd..37a95b952ee 100644
--- a/usr.sbin/rpki-client/constraints.c
+++ b/usr.sbin/rpki-client/constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraints.c,v 1.4 2024/03/15 05:14:16 tb Exp $ */
+/* $OpenBSD: constraints.c,v 1.5 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2023 Job Snijders <job@openbsd.org>
* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
@@ -41,13 +41,13 @@ struct tal_constraints {
char *fn; /* constraints filename */
char *warn; /* warning msg used for violations */
struct cert_ip *allow_ips; /* list of allowed IP address ranges */
- size_t allow_ipsz; /* length of "allow_ips" */
- struct cert_as *allow_as; /* allowed AS numbers and ranges */
- size_t allow_asz; /* length of "allow_as" */
+ size_t num_allow_ips;
+ struct cert_as *allow_ases; /* allowed AS numbers and ranges */
+ size_t num_allow_ases;
struct cert_ip *deny_ips; /* forbidden IP address ranges */
- size_t deny_ipsz; /* length of "deny_ips" */
- struct cert_as *deny_as; /* forbidden AS numbers and ranges */
- size_t deny_asz; /* length of "deny_as" */
+ size_t num_deny_ips;
+ struct cert_as *deny_ases; /* forbidden AS numbers and ranges */
+ size_t num_deny_ases;
} tal_constraints[TALSZ_MAX];
/*
@@ -334,10 +334,10 @@ constraints_parse_talid(int talid)
ASIdentifiers *allow_asids, *deny_asids;
FILE *f;
char *fn, *p, *pp;
- struct cert_as *allow_as = NULL, *deny_as = NULL;
+ struct cert_as *allow_ases = NULL, *deny_ases = NULL;
struct cert_ip *allow_ips = NULL, *deny_ips = NULL;
- size_t allow_asz = 0, allow_ipsz = 0,
- deny_asz = 0, deny_ipsz = 0;
+ size_t num_allow_ases = 0, num_allow_ips = 0,
+ num_deny_as = 0, num_deny_ips = 0;
char *line = NULL;
size_t len = 0;
ssize_t n;
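Review bot: The local deny-list counter is declared as `num_deny_as` while every other count introduced by this change, including the struct field it is later stored into (`num_deny_ases`), uses the `num_..._ases` form; the odd name is then threaded through the sbgp_parse_assysnum call and the assignment in later hunks. Declaring it as `num_deny_ases = 0` keeps the naming uniform and avoids reintroducing the as/ases ambiguity this commit is removing. constraints_parse_talid's body extends well beyond this hunk.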
@@ -452,14 +452,14 @@ constraints_parse_talid(int talid)
errx(1, "%s: failed to canonize AS numbers denylist", fn);
if (have_allow_as) {
- if (!sbgp_parse_assysnum(fn, allow_asids, &allow_as,
- &allow_asz))
+ if (!sbgp_parse_assysnum(fn, allow_asids, &allow_ases,
+ &num_allow_ases))
errx(1, "%s: failed to parse AS identifiers allowlist",
fn);
}
if (have_deny_as) {
- if (!sbgp_parse_assysnum(fn, deny_asids, &deny_as,
- &deny_asz))
+ if (!sbgp_parse_assysnum(fn, deny_asids, &deny_ases,
+ &num_deny_as))
errx(1, "%s: failed to parse AS identifiers denylist",
fn);
}
@@ -467,7 +467,7 @@ constraints_parse_talid(int talid)
constraints_normalize_ip_addrblocks(fn, &allow_addrs);
if (!sbgp_parse_ipaddrblk(fn, allow_addrs, &allow_ips,
- &allow_ipsz))
+ &num_allow_ips))
errx(1, "%s: failed to parse IP addresses allowlist",
fn);
}
@@ -475,19 +475,19 @@ constraints_parse_talid(int talid)
constraints_normalize_ip_addrblocks(fn, &deny_addrs);
if (!sbgp_parse_ipaddrblk(fn, deny_addrs, &deny_ips,
- &deny_ipsz))
+ &num_deny_ips))
errx(1, "%s: failed to parse IP addresses denylist",
fn);
}
- tal_constraints[talid].allow_as = allow_as;
- tal_constraints[talid].allow_asz = allow_asz;
+ tal_constraints[talid].allow_ases = allow_ases;
+ tal_constraints[talid].num_allow_ases = num_allow_ases;
tal_constraints[talid].allow_ips = allow_ips;
- tal_constraints[talid].allow_ipsz = allow_ipsz;
- tal_constraints[talid].deny_as = deny_as;
- tal_constraints[talid].deny_asz = deny_asz;
+ tal_constraints[talid].num_allow_ips = num_allow_ips;
+ tal_constraints[talid].deny_ases = deny_ases;
+ tal_constraints[talid].num_deny_ases = num_deny_as;
tal_constraints[talid].deny_ips = deny_ips;
- tal_constraints[talid].deny_ipsz = deny_ipsz;
+ tal_constraints[talid].num_deny_ips = num_deny_ips;
IPAddrBlocks_free(allow_addrs);
IPAddrBlocks_free(deny_addrs);
@@ -511,8 +511,8 @@ constraints_parse(void)
static int
constraints_check_as(const char *fn, struct cert_as *cert,
- const struct cert_as *allow_as, size_t allow_asz,
- const struct cert_as *deny_as, size_t deny_asz)
+ const struct cert_as *allow_ases, size_t num_allow_ases,
+ const struct cert_as *deny_ases, size_t num_deny_ases)
{
uint32_t min, max;
@@ -528,12 +528,12 @@ constraints_check_as(const char *fn, struct cert_as *cert,
max = cert->range.max;
}
- if (deny_as != NULL) {
- if (!as_check_overlap(cert, fn, deny_as, deny_asz, 1))
+ if (deny_ases != NULL) {
+ if (!as_check_overlap(cert, fn, deny_ases, num_deny_ases, 1))
return 0;
}
- if (allow_as != NULL) {
- if (as_check_covered(min, max, allow_as, allow_asz) <= 0)
+ if (allow_ases != NULL) {
+ if (as_check_covered(min, max, allow_ases, num_allow_ases) <= 0)
return 0;
}
return 1;
@@ -541,20 +541,20 @@ constraints_check_as(const char *fn, struct cert_as *cert,
static int
constraints_check_ips(const char *fn, struct cert_ip *cert,
- const struct cert_ip *allow_ips, size_t allow_ipsz,
- const struct cert_ip *deny_ips, size_t deny_ipsz)
+ const struct cert_ip *allow_ips, size_t num_allow_ips,
+ const struct cert_ip *deny_ips, size_t num_deny_ips)
{
/* Inheriting EE resources are not to be constrained. */
if (cert->type == CERT_IP_INHERIT)
return 1;
if (deny_ips != NULL) {
- if (!ip_addr_check_overlap(cert, fn, deny_ips, deny_ipsz, 1))
+ if (!ip_addr_check_overlap(cert, fn, deny_ips, num_deny_ips, 1))
return 0;
}
if (allow_ips != NULL) {
if (ip_addr_check_covered(cert->afi, cert->min, cert->max,
- allow_ips, allow_ipsz) <= 0)
+ allow_ips, num_allow_ips) <= 0)
return 0;
}
return 1;
@@ -569,9 +569,11 @@ int
constraints_validate(const char *fn, const struct cert *cert)
{
int talid = cert->talid;
- struct cert_as *allow_as, *deny_as;
+ struct cert_as *allow_ases, *deny_ases;
struct cert_ip *allow_ips, *deny_ips;
- size_t i, allow_asz, allow_ipsz, deny_asz, deny_ipsz;
+ size_t num_allow_ases, num_allow_ips;
+ size_t num_deny_ases, num_deny_ips;
+ size_t i;
/* Accept negative talid to bypass validation. */
if (talid < 0)
@@ -579,28 +581,28 @@ constraints_validate(const char *fn, const struct cert *cert)
if (talid >= talsz)
errx(1, "%s: talid out of range %d", fn, talid);
- allow_as = tal_constraints[talid].allow_as;
- allow_asz = tal_constraints[talid].allow_asz;
- deny_as = tal_constraints[talid].deny_as;
- deny_asz = tal_constraints[talid].deny_asz;
+ allow_ases = tal_constraints[talid].allow_ases;
+ num_allow_ases = tal_constraints[talid].num_allow_ases;
+ deny_ases = tal_constraints[talid].deny_ases;
+ num_deny_ases = tal_constraints[talid].num_deny_ases;
- for (i = 0; i < cert->asz; i++) {
- if (constraints_check_as(fn, &cert->as[i], allow_as, allow_asz,
- deny_as, deny_asz))
+ for (i = 0; i < cert->num_ases; i++) {
+ if (constraints_check_as(fn, &cert->ases[i],
+ allow_ases, num_allow_ases, deny_ases, num_deny_ases))
continue;
- as_warn(fn, tal_constraints[talid].warn, &cert->as[i]);
+ as_warn(fn, tal_constraints[talid].warn, &cert->ases[i]);
return 0;
}
allow_ips = tal_constraints[talid].allow_ips;
- allow_ipsz = tal_constraints[talid].allow_ipsz;
+ num_allow_ips = tal_constraints[talid].num_allow_ips;
deny_ips = tal_constraints[talid].deny_ips;
- deny_ipsz = tal_constraints[talid].deny_ipsz;
+ num_deny_ips = tal_constraints[talid].num_deny_ips;
- for (i = 0; i < cert->ipsz; i++) {
+ for (i = 0; i < cert->num_ips; i++) {
if (constraints_check_ips(fn, &cert->ips[i], allow_ips,
- allow_ipsz, deny_ips, deny_ipsz))
+ num_allow_ips, deny_ips, num_deny_ips))
continue;
ip_warn(fn, tal_constraints[talid].warn, &cert->ips[i]);
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 243f7a283fe..56637881514 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.229 2024/11/02 12:30:28 job Exp $ */
+/* $OpenBSD: extern.h,v 1.230 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -120,10 +120,10 @@ enum cert_purpose {
* inheriting.
*/
struct cert {
- struct cert_ip *ips; /* list of IP address ranges */
- size_t ipsz; /* length of "ips" */
- struct cert_as *as; /* list of AS numbers and ranges */
- size_t asz; /* length of "asz" */
+ struct cert_ip *ips; /* list of IP address ranges */
+ size_t num_ips;
+ struct cert_as *ases; /* list of AS numbers and ranges */
+ size_t num_ases;
int talid; /* cert is covered by which TAL */
int certid;
unsigned int repoid; /* repository of this cert file */
@@ -241,8 +241,8 @@ struct roa_ip {
*/
struct roa {
uint32_t asid; /* asID of ROA (if 0, RFC 6483 sec 4) */
- struct roa_ip *ips; /* IP prefixes */
- size_t ipsz; /* number of IP prefixes */
+ struct roa_ip *ips; /* IP prefixes */
+ size_t num_ips;
int talid; /* ROAs are covered by which TAL */
int valid; /* validated resources */
char *aia; /* AIA */
@@ -266,10 +266,10 @@ struct rscfile {
struct rsc {
int talid; /* RSC covered by what TAL */
int valid; /* eContent resources covered by EE's 3779? */
- struct cert_ip *ips; /* IP prefixes */
- size_t ipsz; /* number of IP prefixes */
- struct cert_as *as; /* AS resources */
- size_t asz; /* number of AS resources */
+ struct cert_ip *ips; /* IP prefixes */
+ size_t num_ips;
+ struct cert_as *ases; /* AS resources */
+ size_t num_ases;
struct rscfile *files; /* FileAndHashes in the RSC */
size_t filesz; /* number of FileAndHashes */
char *aia; /* AIA */
@@ -353,7 +353,7 @@ struct geoip {
*/
struct geofeed {
struct geoip *geoips; /* Prefix + location entry in the CSV */
- size_t geoipsz; /* number of IPs */
+ size_t num_geoips;
char *aia; /* AIA */
char *aki; /* AKI */
char *ski; /* SKI */
diff --git a/usr.sbin/rpki-client/geofeed.c b/usr.sbin/rpki-client/geofeed.c
index f7d321fa35f..0c89143250f 100644
--- a/usr.sbin/rpki-client/geofeed.c
+++ b/usr.sbin/rpki-client/geofeed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: geofeed.c,v 1.16 2024/02/21 09:17:06 tb Exp $ */
+/* $OpenBSD: geofeed.c,v 1.17 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -68,11 +68,11 @@ geofeed_parse_geoip(struct geofeed *geofeed, char *cidr, char *loc)
ipaddr->prefixlen = plen;
- geofeed->geoips = recallocarray(geofeed->geoips, geofeed->geoipsz,
- geofeed->geoipsz + 1, sizeof(struct geoip));
+ geofeed->geoips = recallocarray(geofeed->geoips, geofeed->num_geoips,
+ geofeed->num_geoips + 1, sizeof(struct geoip));
if (geofeed->geoips == NULL)
err(1, NULL);
- geoip = &geofeed->geoips[geofeed->geoipsz++];
+ geoip = &geofeed->geoips[geofeed->num_geoips++];
if ((geoip->ip = calloc(1, sizeof(struct cert_ip))) == NULL)
err(1, NULL);
@@ -253,7 +253,7 @@ geofeed_parse(X509 **x509, const char *fn, int talid, char *buf, size_t len)
goto out;
}
- if (cert->asz > 0) {
+ if (cert->num_ases > 0) {
warnx("%s: superfluous AS Resources extension present", fn);
goto out;
}
@@ -288,7 +288,7 @@ geofeed_free(struct geofeed *p)
if (p == NULL)
return;
- for (i = 0; i < p->geoipsz; i++) {
+ for (i = 0; i < p->num_geoips; i++) {
free(p->geoips[i].ip);
free(p->geoips[i].loc);
}
diff --git a/usr.sbin/rpki-client/ip.c b/usr.sbin/rpki-client/ip.c
index 3e021f08aa6..01bcd7c2133 100644
--- a/usr.sbin/rpki-client/ip.c
+++ b/usr.sbin/rpki-client/ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip.c,v 1.33 2024/03/19 05:04:13 tb Exp $ */
+/* $OpenBSD: ip.c,v 1.34 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -78,11 +78,11 @@ ip_addr_afi_parse(const char *fn, const ASN1_OCTET_STRING *p, enum afi *afi)
int
ip_addr_check_covered(enum afi afi,
const unsigned char *min, const unsigned char *max,
- const struct cert_ip *ips, size_t ipsz)
+ const struct cert_ip *ips, size_t num_ips)
{
size_t i, sz = AFI_IPV4 == afi ? 4 : 16;
- for (i = 0; i < ipsz; i++) {
+ for (i = 0; i < num_ips; i++) {
if (ips[i].afi != afi)
continue;
if (ips[i].type == CERT_IP_INHERIT)
@@ -103,7 +103,7 @@ ip_addr_check_covered(enum afi afi,
*/
int
ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
- const struct cert_ip *ips, size_t ipsz, int quiet)
+ const struct cert_ip *ips, size_t num_ips, int quiet)
{
size_t i, sz = ip->afi == AFI_IPV4 ? 4 : 16;
int inherit_v4 = 0, inherit_v6 = 0;
@@ -114,7 +114,7 @@ ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
* going to need to do a lot of scanning for big allocations.
*/
- for (i = 0; i < ipsz; i++)
+ for (i = 0; i < num_ips; i++)
if (ips[i].type == CERT_IP_INHERIT) {
if (ips[i].afi == AFI_IPV4)
inherit_v4 = 1;
@@ -145,7 +145,7 @@ ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
/* Check our ranges. */
- for (i = 0; i < ipsz; i++) {
+ for (i = 0; i < num_ips; i++) {
if (ips[i].afi != ip->afi)
continue;
if (memcmp(ips[i].max, ip->min, sz) <= 0 ||
diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c
index d69dad299a3..9ce73d081aa 100644
--- a/usr.sbin/rpki-client/print.c
+++ b/usr.sbin/rpki-client/print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print.c,v 1.56 2024/09/12 10:33:25 tb Exp $ */
+/* $OpenBSD: print.c,v 1.57 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -177,21 +177,21 @@ x509_print(const X509 *x)
}
static void
-as_resources_print(struct cert_as *as, size_t asz)
+as_resources_print(struct cert_as *ases, size_t num_ases)
{
size_t i;
- for (i = 0; i < asz; i++) {
+ for (i = 0; i < num_ases; i++) {
if (outformats & FORMAT_JSON)
json_do_object("resource", 1);
- switch (as[i].type) {
+ switch (ases[i].type) {
case CERT_AS_ID:
if (outformats & FORMAT_JSON) {
- json_do_uint("asid", as[i].id);
+ json_do_uint("asid", ases[i].id);
} else {
if (i > 0)
printf("%26s", "");
- printf("AS: %u", as[i].id);
+ printf("AS: %u", ases[i].id);
}
break;
case CERT_AS_INHERIT:
@@ -206,14 +206,14 @@ as_resources_print(struct cert_as *as, size_t asz)
case CERT_AS_RANGE:
if (outformats & FORMAT_JSON) {
json_do_object("asrange", 1);
- json_do_uint("min", as[i].range.min);
- json_do_uint("max", as[i].range.max);
+ json_do_uint("min", ases[i].range.min);
+ json_do_uint("max", ases[i].range.max);
json_do_end();
} else {
if (i > 0)
printf("%26s", "");
- printf("AS: %u -- %u", as[i].range.min,
- as[i].range.max);
+ printf("AS: %u -- %u", ases[i].range.min,
+ ases[i].range.max);
}
break;
}
@@ -225,13 +225,13 @@ as_resources_print(struct cert_as *as, size_t asz)
}
static void
-ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz)
+ip_resources_print(struct cert_ip *ips, size_t num_ips, size_t num_ases)
{
char buf1[64], buf2[64];
size_t i;
int sockt;
- for (i = 0; i < ipsz; i++) {
+ for (i = 0; i < num_ips; i++) {
if (outformats & FORMAT_JSON)
json_do_object("resource", 1);
switch (ips[i].type) {
@@ -239,7 +239,7 @@ ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz)
if (outformats & FORMAT_JSON) {
json_do_bool("ip_inherit", 1);
} else {
- if (i > 0 || asz > 0)
+ if (i > 0 || num_ases > 0)
printf("%26s", "");
printf("IP: inherit");
}
@@ -250,7 +250,7 @@ ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz)
if (outformats & FORMAT_JSON) {
json_do_string("ip_prefix", buf1);
} else {
- if (i > 0 || asz > 0)
+ if (i > 0 || num_ases > 0)
printf("%26s", "");
printf("IP: %s", buf1);
}
@@ -266,7 +266,7 @@ ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz)
json_do_string("max", buf2);
json_do_end();
} else {
- if (i > 0 || asz > 0)
+ if (i > 0 || num_ases > 0)
printf("%26s", "");
printf("IP: %s -- %s", buf1, buf2);
}
@@ -336,8 +336,8 @@ cert_print(const struct cert *p)
printf("Subordinate resources: ");
}
- as_resources_print(p->as, p->asz);
- ip_resources_print(p->ips, p->ipsz, p->asz);
+ as_resources_print(p->ases, p->num_ases);
+ ip_resources_print(p->ips, p->num_ips, p->num_ases);
if (outformats & FORMAT_JSON)
json_do_end();
@@ -543,9 +543,8 @@ roa_print(const X509 *x, const struct roa *p)
if (outformats & FORMAT_JSON)
json_do_array("vrps");
- for (i = 0; i < p->ipsz; i++) {
- ip_addr_print(&p->ips[i].addr,
- p->ips[i].afi, buf, sizeof(buf));
+ for (i = 0; i < p->num_ips; i++) {
+ ip_addr_print(&p->ips[i].addr, p->ips[i].afi, buf, sizeof(buf));
if (outformats & FORMAT_JSON) {
json_do_object("vrp", 1);
@@ -683,8 +682,8 @@ rsc_print(const X509 *x, const struct rsc *p)
printf("Signed with resources: ");
}
- as_resources_print(p->as, p->asz);
- ip_resources_print(p->ips, p->ipsz, p->asz);
+ as_resources_print(p->ases, p->num_ases);
+ ip_resources_print(p->ips, p->num_ips, p->num_ases);
if (outformats & FORMAT_JSON) {
json_do_end();
@@ -886,7 +885,7 @@ geofeed_print(const X509 *x, const struct geofeed *p)
printf("Geofeed CSV records: ");
}
- for (i = 0; i < p->geoipsz; i++) {
+ for (i = 0; i < p->num_geoips; i++) {
if (p->geoips[i].ip->type != CERT_IP_ADDR)
continue;
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index cff8115922c..4ca22af4f71 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.79 2024/11/05 18:09:16 tb Exp $ */
+/* $OpenBSD: roa.c,v 1.80 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -174,13 +174,13 @@ roa_parse_econtent(const char *fn, struct roa *roa, const unsigned char *d,
goto out;
}
- if (roa->ipsz + addrsz >= MAX_IP_SIZE) {
+ if (roa->num_ips + addrsz >= MAX_IP_SIZE) {
warnx("%s: too many ROAIPAddress entries: limit %d",
fn, MAX_IP_SIZE);
goto out;
}
- roa->ips = recallocarray(roa->ips, roa->ipsz,
- roa->ipsz + addrsz, sizeof(struct roa_ip));
+ roa->ips = recallocarray(roa->ips, roa->num_ips,
+ roa->num_ips + addrsz, sizeof(struct roa_ip));
if (roa->ips == NULL)
err(1, NULL);
@@ -216,7 +216,7 @@ roa_parse_econtent(const char *fn, struct roa *roa, const unsigned char *d,
}
}
- res = &roa->ips[roa->ipsz++];
+ res = &roa->ips[roa->num_ips++];
res->addr = ipaddr;
res->afi = afi;
res->maxlength = maxlen;
@@ -284,12 +284,12 @@ roa_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
- if (cert->asz > 0) {
+ if (cert->num_ases > 0) {
warnx("%s: superfluous AS Resources extension present", fn);
goto out;
}
- if (cert->ipsz == 0) {
+ if (cert->num_ips == 0) {
warnx("%s: no IP address present", fn);
goto out;
}
@@ -341,10 +341,10 @@ roa_buffer(struct ibuf *b, const struct roa *p)
io_simple_buffer(b, &p->valid, sizeof(p->valid));
io_simple_buffer(b, &p->asid, sizeof(p->asid));
io_simple_buffer(b, &p->talid, sizeof(p->talid));
- io_simple_buffer(b, &p->ipsz, sizeof(p->ipsz));
+ io_simple_buffer(b, &p->num_ips, sizeof(p->num_ips));
io_simple_buffer(b, &p->expires, sizeof(p->expires));
- io_simple_buffer(b, p->ips, p->ipsz * sizeof(p->ips[0]));
+ io_simple_buffer(b, p->ips, p->num_ips * sizeof(p->ips[0]));
io_str_buffer(b, p->aia);
io_str_buffer(b, p->aki);
@@ -367,13 +367,13 @@ roa_read(struct ibuf *b)
io_read_buf(b, &p->valid, sizeof(p->valid));
io_read_buf(b, &p->asid, sizeof(p->asid));
io_read_buf(b, &p->talid, sizeof(p->talid));
- io_read_buf(b, &p->ipsz, sizeof(p->ipsz));
+ io_read_buf(b, &p->num_ips, sizeof(p->num_ips));
io_read_buf(b, &p->expires, sizeof(p->expires));
- if (p->ipsz > 0) {
- if ((p->ips = calloc(p->ipsz, sizeof(p->ips[0]))) == NULL)
+ if (p->num_ips > 0) {
+ if ((p->ips = calloc(p->num_ips, sizeof(p->ips[0]))) == NULL)
err(1, NULL);
- io_read_buf(b, p->ips, p->ipsz * sizeof(p->ips[0]));
+ io_read_buf(b, p->ips, p->num_ips * sizeof(p->ips[0]));
}
io_read_str(b, &p->aia);
@@ -395,7 +395,7 @@ roa_insert_vrps(struct vrp_tree *tree, struct roa *roa, struct repo *rp)
struct vrp *v, *found;
size_t i;
- for (i = 0; i < roa->ipsz; i++) {
+ for (i = 0; i < roa->num_ips; i++) {
if ((v = malloc(sizeof(*v))) == NULL)
err(1, NULL);
v->afi = roa->ips[i].afi;
diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index 4a849a18892..246a3bcfb75 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.35 2024/06/11 10:38:40 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.36 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2022 Job Snijders <job@fastly.com>
@@ -130,38 +130,38 @@ static int
rsc_parse_aslist(const char *fn, struct rsc *rsc,
const ConstrainedASIdentifiers *asids)
{
- int i, asz;
+ int i, num_ases;
if (asids == NULL)
return 1;
- if ((asz = sk_ASIdOrRange_num(asids->asnum)) == 0) {
+ if ((num_ases = sk_ASIdOrRange_num(asids->asnum)) == 0) {
warnx("%s: RSC asID empty", fn);
return 0;
}
- if (asz >= MAX_AS_SIZE) {
+ if (num_ases >= MAX_AS_SIZE) {
warnx("%s: too many AS number entries: limit %d",
fn, MAX_AS_SIZE);
return 0;
}
- rsc->as = calloc(asz, sizeof(struct cert_as));
- if (rsc->as == NULL)
+ if ((rsc->ases = calloc(num_ases, sizeof(struct cert_as))) == NULL)
err(1, NULL);
- for (i = 0; i < asz; i++) {
+ for (i = 0; i < num_ases; i++) {
const ASIdOrRange *aor;
aor = sk_ASIdOrRange_value(asids->asnum, i);
switch (aor->type) {
case ASIdOrRange_id:
- if (!sbgp_as_id(fn, rsc->as, &rsc->asz, aor->u.id))
+ if (!sbgp_as_id(fn, rsc->ases, &rsc->num_ases,
+ aor->u.id))
return 0;
break;
case ASIdOrRange_range:
- if (!sbgp_as_range(fn, rsc->as, &rsc->asz,
+ if (!sbgp_as_range(fn, rsc->ases, &rsc->num_ases,
aor->u.range))
return 0;
break;
@@ -181,7 +181,7 @@ rsc_parse_iplist(const char *fn, struct rsc *rsc,
const ConstrainedIPAddressFamily *af;
const IPAddressOrRanges *aors;
const IPAddressOrRange *aor;
- size_t ipsz;
+ size_t num_ips;
enum afi afi;
int i, j;
@@ -197,14 +197,14 @@ rsc_parse_iplist(const char *fn, struct rsc *rsc,
af = sk_ConstrainedIPAddressFamily_value(ipAddrBlocks, i);
aors = af->addressesOrRanges;
- ipsz = rsc->ipsz + sk_IPAddressOrRange_num(aors);
- if (ipsz >= MAX_IP_SIZE) {
+ num_ips = rsc->num_ips + sk_IPAddressOrRange_num(aors);
+ if (num_ips >= MAX_IP_SIZE) {
warnx("%s: too many IP address entries: limit %d",
fn, MAX_IP_SIZE);
return 0;
}
- rsc->ips = recallocarray(rsc->ips, rsc->ipsz, ipsz,
+ rsc->ips = recallocarray(rsc->ips, rsc->num_ips, num_ips,
sizeof(struct cert_ip));
if (rsc->ips == NULL)
err(1, NULL);
@@ -219,12 +219,12 @@ rsc_parse_iplist(const char *fn, struct rsc *rsc,
switch (aor->type) {
case IPAddressOrRange_addressPrefix:
if (!sbgp_addr(fn, rsc->ips,
- &rsc->ipsz, afi, aor->u.addressPrefix))
+ &rsc->num_ips, afi, aor->u.addressPrefix))
return 0;
break;
case IPAddressOrRange_addressRange:
if (!sbgp_addr_range(fn, rsc->ips,
- &rsc->ipsz, afi, aor->u.addressRange))
+ &rsc->num_ips, afi, aor->u.addressRange))
return 0;
break;
default:
@@ -465,7 +465,7 @@ rsc_free(struct rsc *p)
free(p->aki);
free(p->ski);
free(p->ips);
- free(p->as);
+ free(p->ases);
free(p->files);
free(p);
}
diff --git a/usr.sbin/rpki-client/spl.c b/usr.sbin/rpki-client/spl.c
index 93c2b5abc24..d9642b353e8 100644
--- a/usr.sbin/rpki-client/spl.c
+++ b/usr.sbin/rpki-client/spl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spl.c,v 1.5 2024/11/05 18:58:35 lucas Exp $ */
+/* $OpenBSD: spl.c,v 1.6 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2024 Job Snijders <job@fastly.com>
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -291,12 +291,12 @@ spl_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
goto out;
- if (cert->asz == 0) {
+ if (cert->num_ases == 0) {
warnx("%s: AS Resources extension missing", fn);
goto out;
}
- if (cert->ipsz > 0) {
+ if (cert->num_ips > 0) {
warnx("%s: superfluous IP Resources extension present", fn);
goto out;
}
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 56b3fe5f4d7..a17eb921876 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.77 2024/10/16 06:09:45 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.78 2024/11/12 09:23:07 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -43,7 +43,7 @@ valid_as(struct auth *a, uint32_t min, uint32_t max)
return 0;
/* Does this certificate cover our AS number? */
- c = as_check_covered(min, max, a->cert->as, a->cert->asz);
+ c = as_check_covered(min, max, a->cert->ases, a->cert->num_ases);
if (c > 0)
return 1;
else if (c < 0)
@@ -69,7 +69,8 @@ valid_ip(struct auth *a, enum afi afi,
return 0;
/* Does this certificate cover our IP prefix? */
- c = ip_addr_check_covered(afi, min, max, a->cert->ips, a->cert->ipsz);
+ c = ip_addr_check_covered(afi, min, max, a->cert->ips,
+ a->cert->num_ips);
if (c > 0)
return 1;
else if (c < 0)
@@ -90,26 +91,26 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
size_t i;
uint32_t min, max;
- for (i = 0; i < cert->asz; i++) {
- if (cert->as[i].type == CERT_AS_INHERIT)
+ for (i = 0; i < cert->num_ases; i++) {
+ if (cert->ases[i].type == CERT_AS_INHERIT)
continue;
- if (cert->as[i].type == CERT_AS_ID) {
- min = cert->as[i].id;
- max = cert->as[i].id;
+ if (cert->ases[i].type == CERT_AS_ID) {
+ min = cert->ases[i].id;
+ max = cert->ases[i].id;
} else {
- min = cert->as[i].range.min;
- max = cert->as[i].range.max;
+ min = cert->ases[i].range.min;
+ max = cert->ases[i].range.max;
}
if (valid_as(a, min, max))
continue;
- as_warn(fn, "RFC 6487: uncovered resource", &cert->as[i]);
+ as_warn(fn, "RFC 6487: uncovered resource", &cert->ases[i]);
return 0;
}
- for (i = 0; i < cert->ipsz; i++) {
+ for (i = 0; i < cert->num_ips; i++) {
if (cert->ips[i].type == CERT_IP_INHERIT)
continue;
@@ -134,9 +135,9 @@ valid_roa(const char *fn, struct cert *cert, struct roa *roa)
size_t i;
char buf[64];
- for (i = 0; i < roa->ipsz; i++) {
+ for (i = 0; i < roa->num_ips; i++) {
if (ip_addr_check_covered(roa->ips[i].afi, roa->ips[i].min,
- roa->ips[i].max, cert->ips, cert->ipsz) > 0)
+ roa->ips[i].max, cert->ips, cert->num_ips) > 0)
continue;
ip_addr_print(&roa->ips[i].addr, roa->ips[i].afi, buf,
@@ -156,7 +157,8 @@ valid_roa(const char *fn, struct cert *cert, struct roa *roa)
int
valid_spl(const char *fn, struct cert *cert, struct spl *spl)
{
- if (as_check_covered(spl->asid, spl->asid, cert->as, cert->asz) > 0)
+ if (as_check_covered(spl->asid, spl->asid, cert->ases,
+ cert->num_ases) > 0)
return 1;
warnx("%s: SPL: uncovered ASID: %u", fn, spl->asid);
@@ -442,25 +444,25 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
size_t i;
uint32_t min, max;
- for (i = 0; i < rsc->asz; i++) {
- if (rsc->as[i].type == CERT_AS_ID) {
- min = rsc->as[i].id;
- max = rsc->as[i].id;
+ for (i = 0; i < rsc->num_ases; i++) {
+ if (rsc->ases[i].type == CERT_AS_ID) {
+ min = rsc->ases[i].id;
+ max = rsc->ases[i].id;
} else {
- min = rsc->as[i].range.min;
- max = rsc->as[i].range.max;
+ min = rsc->ases[i].range.min;
+ max = rsc->ases[i].range.max;
}
- if (as_check_covered(min, max, cert->as, cert->asz) > 0)
+ if (as_check_covered(min, max, cert->ases, cert->num_ases) > 0)
continue;
- as_warn(fn, "RSC ResourceBlock uncovered", &rsc->as[i]);
+ as_warn(fn, "RSC ResourceBlock uncovered", &rsc->ases[i]);
return 0;
}
- for (i = 0; i < rsc->ipsz; i++) {
+ for (i = 0; i < rsc->num_ips; i++) {
if (ip_addr_check_covered(rsc->ips[i].afi, rsc->ips[i].min,
- rsc->ips[i].max, cert->ips, cert->ipsz) > 0)
+ rsc->ips[i].max, cert->ips, cert->num_ips) > 0)
continue;
ip_warn(fn, "RSC ResourceBlock uncovered", &rsc->ips[i]);
@@ -511,7 +513,7 @@ valid_aspa(const char *fn, struct cert *cert, struct aspa *aspa)
{
if (as_check_covered(aspa->custasid, aspa->custasid,
- cert->as, cert->asz) > 0)
+ cert->ases, cert->num_ases) > 0)
return 1;
warnx("%s: ASPA: uncovered Customer ASID: %u", fn, aspa->custasid);
@@ -529,10 +531,10 @@ valid_geofeed(const char *fn, struct cert *cert, struct geofeed *g)
size_t i;
char buf[64];
- for (i = 0; i < g->geoipsz; i++) {
+ for (i = 0; i < g->num_geoips; i++) {
if (ip_addr_check_covered(g->geoips[i].ip->afi,
g->geoips[i].ip->min, g->geoips[i].ip->max, cert->ips,
- cert->ipsz) > 0)
+ cert->num_ips) > 0)
continue;
ip_addr_print(&g->geoips[i].ip->ip, g->geoips[i].ip->afi, buf,