From d9ccba3f05a1bc7c5fc3d9b7d70dd24849bc38b7 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Tue, 12 Nov 2024 09:23:08 +0000 Subject: Rename ips/as and ipsz/asz to ips/ases, num_ips/num_ases Having a single letter to distinguish a length from a pointer is error prone. This results in binary change only in validate.c and cert.c due to a line wrap resulting in line number changes and in cert.c there's in addition two asserts that change. checked with/ok job --- usr.sbin/rpki-client/as.c | 52 +++++++------- usr.sbin/rpki-client/cert.c | 137 +++++++++++++++++++------------------ usr.sbin/rpki-client/constraints.c | 94 ++++++++++++------------- usr.sbin/rpki-client/extern.h | 24 +++---- usr.sbin/rpki-client/geofeed.c | 12 ++-- usr.sbin/rpki-client/ip.c | 12 ++-- usr.sbin/rpki-client/print.c | 45 ++++++------ usr.sbin/rpki-client/roa.c | 28 ++++---- usr.sbin/rpki-client/rsc.c | 32 ++++----- usr.sbin/rpki-client/spl.c | 6 +- usr.sbin/rpki-client/validate.c | 58 ++++++++-------- 11 files changed, 252 insertions(+), 248 deletions(-) (limited to 'usr.sbin') diff --git a/usr.sbin/rpki-client/as.c b/usr.sbin/rpki-client/as.c index 4812d9314f0..471e172bed4 100644 --- a/usr.sbin/rpki-client/as.c +++ b/usr.sbin/rpki-client/as.c @@ -1,4 +1,4 @@ -/* $OpenBSD: as.c,v 1.16 2023/12/27 07:15:55 tb Exp $ */ +/* $OpenBSD: as.c,v 1.17 2024/11/12 09:23:07 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * 
@@ -38,21 +38,21 @@ as_id_parse(const ASN1_INTEGER *v, uint32_t *out) } /* - * Given a newly-parsed AS number or range "a", make sure that "a" does - * not overlap with any other numbers or ranges in the "as" array. + * Given a newly-parsed AS number or range "as", make sure that "as" does + * not overlap with any other numbers or ranges in the "ases" array. * This is defined by RFC 3779 section 3.2.3.4. * Returns zero on failure, non-zero on success. */ int -as_check_overlap(const struct cert_as *a, const char *fn, - const struct cert_as *as, size_t asz, int quiet) +as_check_overlap(const struct cert_as *as, const char *fn, + const struct cert_as *ases, size_t num_ases, int quiet) { size_t i; /* We can have only one inheritance statement. */ - if (asz && - (a->type == CERT_AS_INHERIT || as[0].type == CERT_AS_INHERIT)) { + if (num_ases && + (as->type == CERT_AS_INHERIT || ases[0].type == CERT_AS_INHERIT)) { if (!quiet) { warnx("%s: RFC 3779 section 3.2.3.3: " "cannot have inheritance and multiple ASnum or " @@ -63,17 +63,17 @@ as_check_overlap(const struct cert_as *a, const char *fn, /* Now check for overlaps between singletons/ranges. */ - for (i = 0; i < asz; i++) { - switch (as[i].type) { + for (i = 0; i < num_ases; i++) { + switch (ases[i].type) { case CERT_AS_ID: - switch (a->type) { + switch (as->type) { case CERT_AS_ID: - if (a->id != as[i].id) + if (as->id != ases[i].id) continue; break; case CERT_AS_RANGE: - if (as->range.min > as[i].id || - as->range.max < as[i].id) + if (ases->range.min > ases[i].id || + ases->range.max < ases[i].id) continue; break; default: 
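Review bot: In the CERT_AS_ID / CERT_AS_RANGE branch of the second hunk the new code still reads `ases->range.min` and `ases->range.max`, i.e. the first element of the existing array, while every sibling branch compares the newly parsed entry `as`; this looks like the old `as`/`a` mix-up the rename was meant to expose, carried over by the mechanical `as` → `ases` substitution. The range compared against `ases[i].id` should be the candidate's: `if (as->range.min > ases[i].id || as->range.max < ases[i].id)`. As written, whether a new range overlaps an existing singleton is decided by `ases[0]`, which need not itself be a range, so a genuine overlap can slip past the RFC 3779 section 3.2.3.4 check. as_check_overlap begins in the preceding hunk and its body continues past this one.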
@@ -81,15 +81,15 @@ as_check_overlap(const struct cert_as *a, const char *fn, } break; case CERT_AS_RANGE: - switch (a->type) { + switch (as->type) { case CERT_AS_ID: - if (as[i].range.min > a->id || - as[i].range.max < a->id) + if (ases[i].range.min > as->id || + ases[i].range.max < as->id) continue; break; case CERT_AS_RANGE: - if (a->range.max < as[i].range.min || - a->range.min > as[i].range.max) + if (as->range.max < ases[i].range.min || + as->range.min > ases[i].range.max) continue; break; default: @@ -112,23 +112,23 @@ as_check_overlap(const struct cert_as *a, const char *fn, /* * See if a given AS range (which may be the same number, in the case of * singleton AS identifiers) is covered by the AS numbers or ranges - * specified in the "as" array. + * specified in the "ases" array. * Return <0 if there is no cover, 0 if we're inheriting, >0 if there is. */ int as_check_covered(uint32_t min, uint32_t max, - const struct cert_as *as, size_t asz) + const struct cert_as *ases, size_t num_ases) { size_t i; uint32_t amin, amax; - for (i = 0; i < asz; i++) { - if (as[i].type == CERT_AS_INHERIT) + for (i = 0; i < num_ases; i++) { + if (ases[i].type == CERT_AS_INHERIT) return 0; - amin = as[i].type == CERT_AS_RANGE ? - as[i].range.min : as[i].id; - amax = as[i].type == CERT_AS_RANGE ? - as[i].range.max : as[i].id; + amin = ases[i].type == CERT_AS_RANGE ? + ases[i].range.min : ases[i].id; + amax = ases[i].type == CERT_AS_RANGE ? + ases[i].range.max : ases[i].id; if (min >= amin && max <= amax) return 1; } diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c index 020605ea809..2675a41603f 100644 --- a/usr.sbin/rpki-client/cert.c +++ b/usr.sbin/rpki-client/cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cert.c,v 1.152 2024/11/05 18:09:16 tb Exp $ */ +/* $OpenBSD: cert.c,v 1.153 2024/11/12 09:23:07 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Job Snijders 
@@ -48,12 +48,12 @@ int certid = TALSZ_MAX; * Returns zero on failure (IP overlap) non-zero on success. */ static int -append_ip(const char *fn, struct cert_ip *ips, size_t *ipsz, +append_ip(const char *fn, struct cert_ip *ips, size_t *num_ips, const struct cert_ip *ip) { - if (!ip_addr_check_overlap(ip, fn, ips, *ipsz, 0)) + if (!ip_addr_check_overlap(ip, fn, ips, *num_ips, 0)) return 0; - ips[(*ipsz)++] = *ip; + ips[(*num_ips)++] = *ip; return 1; } @@ -63,12 +63,12 @@ append_ip(const char *fn, struct cert_ip *ips, size_t *ipsz, * as defined by RFC 3779 section 3.3. */ static int -append_as(const char *fn, struct cert_as *ases, size_t *asz, +append_as(const char *fn, struct cert_as *ases, size_t *num_ases, const struct cert_as *as) { - if (!as_check_overlap(as, fn, ases, *asz, 0)) + if (!as_check_overlap(as, fn, ases, *num_ases, 0)) return 0; - ases[(*asz)++] = *as; + ases[(*num_ases)++] = *as; return 1; } @@ -77,7 +77,7 @@ append_as(const char *fn, struct cert_as *ases, size_t *asz, * Returns zero on failure, non-zero on success. */ int -sbgp_as_range(const char *fn, struct cert_as *ases, size_t *asz, +sbgp_as_range(const char *fn, struct cert_as *ases, size_t *num_ases, const ASRange *range) { struct cert_as as; @@ -107,14 +107,14 @@ sbgp_as_range(const char *fn, struct cert_as *ases, size_t *asz, return 0; } - return append_as(fn, ases, asz, &as); + return append_as(fn, ases, num_ases, &as); } /* * Parse an entire 3.2.3.10 integer type. */ int -sbgp_as_id(const char *fn, struct cert_as *ases, size_t *asz, +sbgp_as_id(const char *fn, struct cert_as *ases, size_t *num_ases, const ASN1_INTEGER *i) { struct cert_as as; 
@@ -133,30 +133,30 @@ sbgp_as_id(const char *fn, struct cert_as *ases, size_t *asz, return 0; } - return append_as(fn, ases, asz, &as); + return append_as(fn, ases, num_ases, &as); } static int -sbgp_as_inherit(const char *fn, struct cert_as *ases, size_t *asz) +sbgp_as_inherit(const char *fn, struct cert_as *ases, size_t *num_ases) { struct cert_as as; memset(&as, 0, sizeof(struct cert_as)); as.type = CERT_AS_INHERIT; - return append_as(fn, ases, asz, &as); + return append_as(fn, ases, num_ases, &as); } int sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers, - struct cert_as **out_as, size_t *out_asz) + struct cert_as **out_as, size_t *out_num_ases) { const ASIdOrRanges *aors = NULL; struct cert_as *as = NULL; - size_t asz = 0, sz; + size_t num_ases = 0, num; int i; - assert(*out_as == NULL && *out_asz == 0); + assert(*out_as == NULL && *out_num_ases == 0); if (asidentifiers->rdi != NULL) { warnx("%s: RFC 6487 section 4.8.11: autonomousSysNum: " @@ -172,11 +172,11 @@ sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers, switch (asidentifiers->asnum->type) { case ASIdentifierChoice_inherit: - sz = 1; + num = 1; break; case ASIdentifierChoice_asIdsOrRanges: aors = asidentifiers->asnum->u.asIdsOrRanges; - sz = sk_ASIdOrRange_num(aors); + num = sk_ASIdOrRange_num(aors); break; default: warnx("%s: RFC 3779 section 3.2.3.2: ASIdentifierChoice: " @@ -184,21 +184,21 @@ sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers, goto out; } - if (sz == 0) { + if (num == 0) { warnx("%s: RFC 6487 section 4.8.11: empty asIdsOrRanges", fn); goto out; } - if (sz >= MAX_AS_SIZE) { + if (num >= MAX_AS_SIZE) { warnx("%s: too many AS number entries: limit %d", fn, MAX_AS_SIZE); goto out; } - as = calloc(sz, sizeof(struct cert_as)); + as = calloc(num, sizeof(struct cert_as)); if (as == NULL) err(1, NULL); if (aors == NULL) { - if (!sbgp_as_inherit(fn, as, &asz)) + if (!sbgp_as_inherit(fn, as, &num_ases)) goto out; } 
@@ -208,11 +208,11 @@ sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers, aor = sk_ASIdOrRange_value(aors, i); switch (aor->type) { case ASIdOrRange_id: - if (!sbgp_as_id(fn, as, &asz, aor->u.id)) + if (!sbgp_as_id(fn, as, &num_ases, aor->u.id)) goto out; break; case ASIdOrRange_range: - if (!sbgp_as_range(fn, as, &asz, aor->u.range)) + if (!sbgp_as_range(fn, as, &num_ases, aor->u.range)) goto out; break; default: @@ -223,7 +223,7 @@ sbgp_parse_assysnum(const char *fn, const ASIdentifiers *asidentifiers, } *out_as = as; - *out_asz = asz; + *out_num_ases = num_ases; return 1; @@ -256,7 +256,8 @@ sbgp_assysnum(const char *fn, struct cert *cert, X509_EXTENSION *ext) goto out; } - if (!sbgp_parse_assysnum(fn, asidentifiers, &cert->as, &cert->asz)) + if (!sbgp_parse_assysnum(fn, asidentifiers, &cert->ases, + &cert->num_ases)) goto out; rc = 1; @@ -270,7 +271,7 @@ sbgp_assysnum(const char *fn, struct cert *cert, X509_EXTENSION *ext) * Returns zero on failure, non-zero on success. */ int -sbgp_addr(const char *fn, struct cert_ip *ips, size_t *ipsz, enum afi afi, +sbgp_addr(const char *fn, struct cert_ip *ips, size_t *num_ips, enum afi afi, const ASN1_BIT_STRING *bs) { struct cert_ip ip; @@ -292,7 +293,7 @@ sbgp_addr(const char *fn, struct cert_ip *ips, size_t *ipsz, enum afi afi, return 0; } - return append_ip(fn, ips, ipsz, &ip); + return append_ip(fn, ips, num_ips, &ip); } /* @@ -300,7 +301,7 @@ sbgp_addr(const char *fn, struct cert_ip *ips, size_t *ipsz, enum afi afi, * Returns zero on failure, non-zero on success. */ int -sbgp_addr_range(const char *fn, struct cert_ip *ips, size_t *ipsz, +sbgp_addr_range(const char *fn, struct cert_ip *ips, size_t *num_ips, enum afi afi, const IPAddressRange *range) { struct cert_ip ip; 
@@ -328,11 +329,11 @@ sbgp_addr_range(const char *fn, struct cert_ip *ips, size_t *ipsz, return 0; } - return append_ip(fn, ips, ipsz, &ip); + return append_ip(fn, ips, num_ips, &ip); } static int -sbgp_addr_inherit(const char *fn, struct cert_ip *ips, size_t *ipsz, +sbgp_addr_inherit(const char *fn, struct cert_ip *ips, size_t *num_ips, enum afi afi) { struct cert_ip ip; @@ -342,23 +343,23 @@ sbgp_addr_inherit(const char *fn, struct cert_ip *ips, size_t *ipsz, ip.afi = afi; ip.type = CERT_IP_INHERIT; - return append_ip(fn, ips, ipsz, &ip); + return append_ip(fn, ips, num_ips, &ip); } int sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk, - struct cert_ip **out_ips, size_t *out_ipsz) + struct cert_ip **out_ips, size_t *out_num_ips) { const IPAddressFamily *af; const IPAddressOrRanges *aors; const IPAddressOrRange *aor; enum afi afi; struct cert_ip *ips = NULL; - size_t ipsz = 0, sz; + size_t num_ips = 0, num; int ipv4_seen = 0, ipv6_seen = 0; int i, j, ipaddrblocksz; - assert(*out_ips == NULL && *out_ipsz == 0); + assert(*out_ips == NULL && *out_num_ips == 0); ipaddrblocksz = sk_IPAddressFamily_num(addrblk); if (ipaddrblocksz != 1 && ipaddrblocksz != 2) { 
@@ -374,26 +375,26 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk, switch (af->ipAddressChoice->type) { case IPAddressChoice_inherit: aors = NULL; - sz = ipsz + 1; + num = num_ips + 1; break; case IPAddressChoice_addressesOrRanges: aors = af->ipAddressChoice->u.addressesOrRanges; - sz = ipsz + sk_IPAddressOrRange_num(aors); + num = num_ips + sk_IPAddressOrRange_num(aors); break; default: warnx("%s: RFC 3779: IPAddressChoice: unknown type %d", fn, af->ipAddressChoice->type); goto out; } - if (sz == ipsz) { + if (num == num_ips) { warnx("%s: RFC 6487 section 4.8.10: " "empty ipAddressesOrRanges", fn); goto out; } - if (sz >= MAX_IP_SIZE) + if (num >= MAX_IP_SIZE) goto out; - ips = recallocarray(ips, ipsz, sz, sizeof(struct cert_ip)); + ips = recallocarray(ips, num_ips, num, sizeof(struct cert_ip)); if (ips == NULL) err(1, NULL); @@ -420,7 +421,7 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk, } if (aors == NULL) { - if (!sbgp_addr_inherit(fn, ips, &ipsz, afi)) + if (!sbgp_addr_inherit(fn, ips, &num_ips, afi)) goto out; continue; } @@ -429,12 +430,12 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk, aor = sk_IPAddressOrRange_value(aors, j); switch (aor->type) { case IPAddressOrRange_addressPrefix: - if (!sbgp_addr(fn, ips, &ipsz, afi, + if (!sbgp_addr(fn, ips, &num_ips, afi, aor->u.addressPrefix)) goto out; break; case IPAddressOrRange_addressRange: - if (!sbgp_addr_range(fn, ips, &ipsz, afi, + if (!sbgp_addr_range(fn, ips, &num_ips, afi, aor->u.addressRange)) goto out; break; @@ -447,7 +448,7 @@ sbgp_parse_ipaddrblk(const char *fn, const IPAddrBlocks *addrblk, } *out_ips = ips; - *out_ipsz = ipsz; + *out_num_ips = num_ips; return 1; 
@@ -480,10 +481,10 @@ sbgp_ipaddrblk(const char *fn, struct cert *cert, X509_EXTENSION *ext) goto out; } - if (!sbgp_parse_ipaddrblk(fn, addrblk, &cert->ips, &cert->ipsz)) + if (!sbgp_parse_ipaddrblk(fn, addrblk, &cert->ips, &cert->num_ips)) goto out; - if (cert->ipsz == 0) { + if (cert->num_ips == 0) { warnx("%s: RFC 6487 section 4.8.10: empty ipAddrBlock", fn); goto out; } @@ -975,7 +976,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len) warnx("%s: RFC 6487 section 4.8.8: missing SIA", fn); goto out; } - if (cert->asz == 0 && cert->ipsz == 0) { + if (cert->num_ases == 0 && cert->num_ips == 0) { warnx("%s: missing IP or AS resources", fn); goto out; } @@ -986,12 +987,12 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len) warnx("%s: x509_get_pubkey failed", fn); goto out; } - if (cert->ipsz > 0) { + if (cert->num_ips > 0) { warnx("%s: unexpected IP resources in BGPsec cert", fn); goto out; } - for (j = 0; j < cert->asz; j++) { - if (cert->as[j].type == CERT_AS_INHERIT) { + for (j = 0; j < cert->num_ases; j++) { + if (cert->ases[j].type == CERT_AS_INHERIT) { warnx("%s: inherit elements not allowed in EE" " cert", fn); goto out; @@ -1150,7 +1151,7 @@ cert_free(struct cert *p) free(p->mft); free(p->notify); free(p->ips); - free(p->as); + free(p->ases); free(p->aia); free(p->aki); free(p->ski); 
@@ -1171,11 +1172,11 @@ cert_buffer(struct ibuf *b, const struct cert *p) io_simple_buffer(b, &p->talid, sizeof(p->talid)); io_simple_buffer(b, &p->certid, sizeof(p->certid)); io_simple_buffer(b, &p->repoid, sizeof(p->repoid)); - io_simple_buffer(b, &p->ipsz, sizeof(p->ipsz)); - io_simple_buffer(b, &p->asz, sizeof(p->asz)); + io_simple_buffer(b, &p->num_ips, sizeof(p->num_ips)); + io_simple_buffer(b, &p->num_ases, sizeof(p->num_ases)); - io_simple_buffer(b, p->ips, p->ipsz * sizeof(p->ips[0])); - io_simple_buffer(b, p->as, p->asz * sizeof(p->as[0])); + io_simple_buffer(b, p->ips, p->num_ips * sizeof(p->ips[0])); + io_simple_buffer(b, p->ases, p->num_ases * sizeof(p->ases[0])); io_str_buffer(b, p->mft); io_str_buffer(b, p->notify); @@ -1205,19 +1206,19 @@ cert_read(struct ibuf *b) io_read_buf(b, &p->talid, sizeof(p->talid)); io_read_buf(b, &p->certid, sizeof(p->certid)); io_read_buf(b, &p->repoid, sizeof(p->repoid)); - io_read_buf(b, &p->ipsz, sizeof(p->ipsz)); - io_read_buf(b, &p->asz, sizeof(p->asz)); + io_read_buf(b, &p->num_ips, sizeof(p->num_ips)); + io_read_buf(b, &p->num_ases, sizeof(p->num_ases)); - if (p->ipsz > 0) { - if ((p->ips = calloc(p->ipsz, sizeof(p->ips[0]))) == NULL) + if (p->num_ips > 0) { + if ((p->ips = calloc(p->num_ips, sizeof(p->ips[0]))) == NULL) err(1, NULL); - io_read_buf(b, p->ips, p->ipsz * sizeof(p->ips[0])); + io_read_buf(b, p->ips, p->num_ips * sizeof(p->ips[0])); } - if (p->asz > 0) { - if ((p->as = calloc(p->asz, sizeof(p->as[0]))) == NULL) + if (p->num_ases > 0) { + if ((p->ases = calloc(p->num_ases, sizeof(p->ases[0]))) == NULL) err(1, NULL); - io_read_buf(b, p->as, p->asz * sizeof(p->as[0])); + io_read_buf(b, p->ases, p->num_ases * sizeof(p->ases[0])); } io_read_str(b, &p->mft); 
@@ -1348,14 +1349,14 @@ cert_insert_brks(struct brk_tree *tree, struct cert *cert) { size_t i, asid; - for (i = 0; i < cert->asz; i++) { - switch (cert->as[i].type) { + for (i = 0; i < cert->num_ases; i++) { + switch (cert->ases[i].type) { case CERT_AS_ID: - insert_brk(tree, cert, cert->as[i].id); + insert_brk(tree, cert, cert->ases[i].id); break; case CERT_AS_RANGE: - for (asid = cert->as[i].range.min; - asid <= cert->as[i].range.max; asid++) + for (asid = cert->ases[i].range.min; + asid <= cert->ases[i].range.max; asid++) insert_brk(tree, cert, asid); break; default: diff --git a/usr.sbin/rpki-client/constraints.c b/usr.sbin/rpki-client/constraints.c index 1c08427bfdd..37a95b952ee 100644 --- a/usr.sbin/rpki-client/constraints.c +++ b/usr.sbin/rpki-client/constraints.c @@ -1,4 +1,4 @@ -/* $OpenBSD: constraints.c,v 1.4 2024/03/15 05:14:16 tb Exp $ */ +/* $OpenBSD: constraints.c,v 1.5 2024/11/12 09:23:07 tb Exp $ */ /* * Copyright (c) 2023 Job Snijders * Copyright (c) 2023 Theo Buehler @@ -41,13 +41,13 @@ struct tal_constraints { char *fn; /* constraints filename */ char *warn; /* warning msg used for violations */ struct cert_ip *allow_ips; /* list of allowed IP address ranges */ - size_t allow_ipsz; /* length of "allow_ips" */ - struct cert_as *allow_as; /* allowed AS numbers and ranges */ - size_t allow_asz; /* length of "allow_as" */ + size_t num_allow_ips; + struct cert_as *allow_ases; /* allowed AS numbers and ranges */ + size_t num_allow_ases; struct cert_ip *deny_ips; /* forbidden IP address ranges */ - size_t deny_ipsz; /* length of "deny_ips" */ - struct cert_as *deny_as; /* forbidden AS numbers and ranges */ - size_t deny_asz; /* length of "deny_as" */ + size_t num_deny_ips; + struct cert_as *deny_ases; /* forbidden AS numbers and ranges */ + size_t num_deny_ases; } tal_constraints[TALSZ_MAX]; /* 
@@ -334,10 +334,10 @@ constraints_parse_talid(int talid) ASIdentifiers *allow_asids, *deny_asids; FILE *f; char *fn, *p, *pp; - struct cert_as *allow_as = NULL, *deny_as = NULL; + struct cert_as *allow_ases = NULL, *deny_ases = NULL; struct cert_ip *allow_ips = NULL, *deny_ips = NULL; - size_t allow_asz = 0, allow_ipsz = 0, - deny_asz = 0, deny_ipsz = 0; + size_t num_allow_ases = 0, num_allow_ips = 0, + num_deny_as = 0, num_deny_ips = 0; char *line = NULL; size_t len = 0; ssize_t n; @@ -452,14 +452,14 @@ constraints_parse_talid(int talid) errx(1, "%s: failed to canonize AS numbers denylist", fn); if (have_allow_as) { - if (!sbgp_parse_assysnum(fn, allow_asids, &allow_as, - &allow_asz)) + if (!sbgp_parse_assysnum(fn, allow_asids, &allow_ases, + &num_allow_ases)) errx(1, "%s: failed to parse AS identifiers allowlist", fn); } if (have_deny_as) { - if (!sbgp_parse_assysnum(fn, deny_asids, &deny_as, - &deny_asz)) + if (!sbgp_parse_assysnum(fn, deny_asids, &deny_ases, + &num_deny_as)) errx(1, "%s: failed to parse AS identifiers denylist", fn); } @@ -467,7 +467,7 @@ constraints_parse_talid(int talid) constraints_normalize_ip_addrblocks(fn, &allow_addrs); if (!sbgp_parse_ipaddrblk(fn, allow_addrs, &allow_ips, - &allow_ipsz)) + &num_allow_ips)) errx(1, "%s: failed to parse IP addresses allowlist", fn); } 
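Review bot: The local in constraints_parse_talid is introduced as `num_deny_as` while its three siblings and the struct field it is stored into are spelled `num_*_ases`, so the commit's own naming scheme is broken in this one variable. It should be declared as `num_deny_as = 0, num_deny_ips = 0;` → `num_deny_ases = 0, num_deny_ips = 0;`, passed as `&num_deny_ases)` in the `@@ -452` hunk, and assigned as `tal_constraints[talid].num_deny_ases = num_deny_ases;` in the `@@ -475` hunk. The function's body extends beyond the hunks shown here.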
@@ -475,19 +475,19 @@ constraints_parse_talid(int talid) constraints_normalize_ip_addrblocks(fn, &deny_addrs); if (!sbgp_parse_ipaddrblk(fn, deny_addrs, &deny_ips, - &deny_ipsz)) + &num_deny_ips)) errx(1, "%s: failed to parse IP addresses denylist", fn); } - tal_constraints[talid].allow_as = allow_as; - tal_constraints[talid].allow_asz = allow_asz; + tal_constraints[talid].allow_ases = allow_ases; + tal_constraints[talid].num_allow_ases = num_allow_ases; tal_constraints[talid].allow_ips = allow_ips; - tal_constraints[talid].allow_ipsz = allow_ipsz; - tal_constraints[talid].deny_as = deny_as; - tal_constraints[talid].deny_asz = deny_asz; + tal_constraints[talid].num_allow_ips = num_allow_ips; + tal_constraints[talid].deny_ases = deny_ases; + tal_constraints[talid].num_deny_ases = num_deny_as; tal_constraints[talid].deny_ips = deny_ips; - tal_constraints[talid].deny_ipsz = deny_ipsz; + tal_constraints[talid].num_deny_ips = num_deny_ips; IPAddrBlocks_free(allow_addrs); IPAddrBlocks_free(deny_addrs); @@ -511,8 +511,8 @@ constraints_parse(void) static int constraints_check_as(const char *fn, struct cert_as *cert, - const struct cert_as *allow_as, size_t allow_asz, - const struct cert_as *deny_as, size_t deny_asz) + const struct cert_as *allow_ases, size_t num_allow_ases, + const struct cert_as *deny_ases, size_t num_deny_ases) { uint32_t min, max; @@ -528,12 +528,12 @@ constraints_check_as(const char *fn, struct cert_as *cert, max = cert->range.max; } - if (deny_as != NULL) { - if (!as_check_overlap(cert, fn, deny_as, deny_asz, 1)) + if (deny_ases != NULL) { + if (!as_check_overlap(cert, fn, deny_ases, num_deny_ases, 1)) return 0; } - if (allow_as != NULL) { - if (as_check_covered(min, max, allow_as, allow_asz) <= 0) + if (allow_ases != NULL) { + if (as_check_covered(min, max, allow_ases, num_allow_ases) <= 0) return 0; } return 1; 
@@ -541,20 +541,20 @@ constraints_check_as(const char *fn, struct cert_as *cert, static int constraints_check_ips(const char *fn, struct cert_ip *cert, - const struct cert_ip *allow_ips, size_t allow_ipsz, - const struct cert_ip *deny_ips, size_t deny_ipsz) + const struct cert_ip *allow_ips, size_t num_allow_ips, + const struct cert_ip *deny_ips, size_t num_deny_ips) { /* Inheriting EE resources are not to be constrained. */ if (cert->type == CERT_IP_INHERIT) return 1; if (deny_ips != NULL) { - if (!ip_addr_check_overlap(cert, fn, deny_ips, deny_ipsz, 1)) + if (!ip_addr_check_overlap(cert, fn, deny_ips, num_deny_ips, 1)) return 0; } if (allow_ips != NULL) { if (ip_addr_check_covered(cert->afi, cert->min, cert->max, - allow_ips, allow_ipsz) <= 0) + allow_ips, num_allow_ips) <= 0) return 0; } return 1; @@ -569,9 +569,11 @@ int constraints_validate(const char *fn, const struct cert *cert) { int talid = cert->talid; - struct cert_as *allow_as, *deny_as; + struct cert_as *allow_ases, *deny_ases; struct cert_ip *allow_ips, *deny_ips; - size_t i, allow_asz, allow_ipsz, deny_asz, deny_ipsz; + size_t num_allow_ases, num_allow_ips; + size_t num_deny_ases, num_deny_ips; + size_t i; /* Accept negative talid to bypass validation. */ if (talid < 0) 
@@ -579,28 +581,28 @@ constraints_validate(const char *fn, const struct cert *cert) if (talid >= talsz) errx(1, "%s: talid out of range %d", fn, talid); - allow_as = tal_constraints[talid].allow_as; - allow_asz = tal_constraints[talid].allow_asz; - deny_as = tal_constraints[talid].deny_as; - deny_asz = tal_constraints[talid].deny_asz; + allow_ases = tal_constraints[talid].allow_ases; + num_allow_ases = tal_constraints[talid].num_allow_ases; + deny_ases = tal_constraints[talid].deny_ases; + num_deny_ases = tal_constraints[talid].num_deny_ases; - for (i = 0; i < cert->asz; i++) { - if (constraints_check_as(fn, &cert->as[i], allow_as, allow_asz, - deny_as, deny_asz)) + for (i = 0; i < cert->num_ases; i++) { + if (constraints_check_as(fn, &cert->ases[i], + allow_ases, num_allow_ases, deny_ases, num_deny_ases)) continue; - as_warn(fn, tal_constraints[talid].warn, &cert->as[i]); + as_warn(fn, tal_constraints[talid].warn, &cert->ases[i]); return 0; } allow_ips = tal_constraints[talid].allow_ips; - allow_ipsz = tal_constraints[talid].allow_ipsz; + num_allow_ips = tal_constraints[talid].num_allow_ips; deny_ips = tal_constraints[talid].deny_ips; - deny_ipsz = tal_constraints[talid].deny_ipsz; + num_deny_ips = tal_constraints[talid].num_deny_ips; - for (i = 0; i < cert->ipsz; i++) { + for (i = 0; i < cert->num_ips; i++) { if (constraints_check_ips(fn, &cert->ips[i], allow_ips, - allow_ipsz, deny_ips, deny_ipsz)) + num_allow_ips, deny_ips, num_deny_ips)) continue; ip_warn(fn, tal_constraints[talid].warn, &cert->ips[i]); diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 243f7a283fe..56637881514 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.229 2024/11/02 12:30:28 job Exp $ */ +/* $OpenBSD: extern.h,v 1.230 2024/11/12 09:23:07 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * 
@@ -120,10 +120,10 @@ enum cert_purpose { * inheriting. */ struct cert { - struct cert_ip *ips; /* list of IP address ranges */ - size_t ipsz; /* length of "ips" */ - struct cert_as *as; /* list of AS numbers and ranges */ - size_t asz; /* length of "asz" */ + struct cert_ip *ips; /* list of IP address ranges */ + size_t num_ips; + struct cert_as *ases; /* list of AS numbers and ranges */ + size_t num_ases; int talid; /* cert is covered by which TAL */ int certid; unsigned int repoid; /* repository of this cert file */ @@ -241,8 +241,8 @@ struct roa_ip { */ struct roa { uint32_t asid; /* asID of ROA (if 0, RFC 6483 sec 4) */ - struct roa_ip *ips; /* IP prefixes */ - size_t ipsz; /* number of IP prefixes */ + struct roa_ip *ips; /* IP prefixes */ + size_t num_ips; int talid; /* ROAs are covered by which TAL */ int valid; /* validated resources */ char *aia; /* AIA */ @@ -266,10 +266,10 @@ struct rscfile { struct rsc { int talid; /* RSC covered by what TAL */ int valid; /* eContent resources covered by EE's 3779? */ - struct cert_ip *ips; /* IP prefixes */ - size_t ipsz; /* number of IP prefixes */ - struct cert_as *as; /* AS resources */ - size_t asz; /* number of AS resources */ + struct cert_ip *ips; /* IP prefixes */ + size_t num_ips; + struct cert_as *ases; /* AS resources */ + size_t num_ases; struct rscfile *files; /* FileAndHashes in the RSC */ size_t filesz; /* number of FileAndHashes */ char *aia; /* AIA */ @@ -353,7 +353,7 @@ struct geoip { */ struct geofeed { struct geoip *geoips; /* Prefix + location entry in the CSV */ - size_t geoipsz; /* number of IPs */ + size_t num_geoips; char *aia; /* AIA */ char *aki; /* AKI */ char *ski; /* SKI */ diff --git a/usr.sbin/rpki-client/geofeed.c b/usr.sbin/rpki-client/geofeed.c index f7d321fa35f..0c89143250f 100644 --- a/usr.sbin/rpki-client/geofeed.c +++ b/usr.sbin/rpki-client/geofeed.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: geofeed.c,v 1.16 2024/02/21 09:17:06 tb Exp $ */ +/* $OpenBSD: geofeed.c,v 1.17 2024/11/12 09:23:07 tb Exp $ */ /* * Copyright (c) 2022 Job Snijders * Copyright (c) 2019 Kristaps Dzonsons @@ -68,11 +68,11 @@ geofeed_parse_geoip(struct geofeed *geofeed, char *cidr, char *loc) ipaddr->prefixlen = plen; - geofeed->geoips = recallocarray(geofeed->geoips, geofeed->geoipsz, - geofeed->geoipsz + 1, sizeof(struct geoip)); + geofeed->geoips = recallocarray(geofeed->geoips, geofeed->num_geoips, + geofeed->num_geoips + 1, sizeof(struct geoip)); if (geofeed->geoips == NULL) err(1, NULL); - geoip = &geofeed->geoips[geofeed->geoipsz++]; + geoip = &geofeed->geoips[geofeed->num_geoips++]; if ((geoip->ip = calloc(1, sizeof(struct cert_ip))) == NULL) err(1, NULL); @@ -253,7 +253,7 @@ geofeed_parse(X509 **x509, const char *fn, int talid, char *buf, size_t len) goto out; } - if (cert->asz > 0) { + if (cert->num_ases > 0) { warnx("%s: superfluous AS Resources extension present", fn); goto out; } @@ -288,7 +288,7 @@ geofeed_free(struct geofeed *p) if (p == NULL) return; - for (i = 0; i < p->geoipsz; i++) { + for (i = 0; i < p->num_geoips; i++) { free(p->geoips[i].ip); free(p->geoips[i].loc); } diff --git a/usr.sbin/rpki-client/ip.c b/usr.sbin/rpki-client/ip.c index 3e021f08aa6..01bcd7c2133 100644 --- a/usr.sbin/rpki-client/ip.c +++ b/usr.sbin/rpki-client/ip.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip.c,v 1.33 2024/03/19 05:04:13 tb Exp $ */ +/* $OpenBSD: ip.c,v 1.34 2024/11/12 09:23:07 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * 
@@ -78,11 +78,11 @@ ip_addr_afi_parse(const char *fn, const ASN1_OCTET_STRING *p, enum afi *afi) int ip_addr_check_covered(enum afi afi, const unsigned char *min, const unsigned char *max, - const struct cert_ip *ips, size_t ipsz) + const struct cert_ip *ips, size_t num_ips) { size_t i, sz = AFI_IPV4 == afi ? 4 : 16; - for (i = 0; i < ipsz; i++) { + for (i = 0; i < num_ips; i++) { if (ips[i].afi != afi) continue; if (ips[i].type == CERT_IP_INHERIT) @@ -103,7 +103,7 @@ ip_addr_check_covered(enum afi afi, */ int ip_addr_check_overlap(const struct cert_ip *ip, const char *fn, - const struct cert_ip *ips, size_t ipsz, int quiet) + const struct cert_ip *ips, size_t num_ips, int quiet) { size_t i, sz = ip->afi == AFI_IPV4 ? 4 : 16; int inherit_v4 = 0, inherit_v6 = 0; @@ -114,7 +114,7 @@ ip_addr_check_overlap(const struct cert_ip *ip, const char *fn, * going to need to do a lot of scanning for big allocations. */ - for (i = 0; i < ipsz; i++) + for (i = 0; i < num_ips; i++) if (ips[i].type == CERT_IP_INHERIT) { if (ips[i].afi == AFI_IPV4) inherit_v4 = 1; @@ -145,7 +145,7 @@ ip_addr_check_overlap(const struct cert_ip *ip, const char *fn, /* Check our ranges. */ - for (i = 0; i < ipsz; i++) { + for (i = 0; i < num_ips; i++) { if (ips[i].afi != ip->afi) continue; if (memcmp(ips[i].max, ip->min, sz) <= 0 || diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c index d69dad299a3..9ce73d081aa 100644 --- a/usr.sbin/rpki-client/print.c +++ b/usr.sbin/rpki-client/print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print.c,v 1.56 2024/09/12 10:33:25 tb Exp $ */ +/* $OpenBSD: print.c,v 1.57 2024/11/12 09:23:07 tb Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons 
@@ -177,21 +177,21 @@ x509_print(const X509 *x) } static void -as_resources_print(struct cert_as *as, size_t asz) +as_resources_print(struct cert_as *ases, size_t num_ases) { size_t i; - for (i = 0; i < asz; i++) { + for (i = 0; i < num_ases; i++) { if (outformats & FORMAT_JSON) json_do_object("resource", 1); - switch (as[i].type) { + switch (ases[i].type) { case CERT_AS_ID: if (outformats & FORMAT_JSON) { - json_do_uint("asid", as[i].id); + json_do_uint("asid", ases[i].id); } else { if (i > 0) printf("%26s", ""); - printf("AS: %u", as[i].id); + printf("AS: %u", ases[i].id); } break; case CERT_AS_INHERIT: @@ -206,14 +206,14 @@ as_resources_print(struct cert_as *as, size_t asz) case CERT_AS_RANGE: if (outformats & FORMAT_JSON) { json_do_object("asrange", 1); - json_do_uint("min", as[i].range.min); - json_do_uint("max", as[i].range.max); + json_do_uint("min", ases[i].range.min); + json_do_uint("max", ases[i].range.max); json_do_end(); } else { if (i > 0) printf("%26s", ""); - printf("AS: %u -- %u", as[i].range.min, - as[i].range.max); + printf("AS: %u -- %u", ases[i].range.min, + ases[i].range.max); } break; } @@ -225,13 +225,13 @@ as_resources_print(struct cert_as *as, size_t asz) } static void -ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz) +ip_resources_print(struct cert_ip *ips, size_t num_ips, size_t num_ases) { char buf1[64], buf2[64]; size_t i; int sockt; - for (i = 0; i < ipsz; i++) { + for (i = 0; i < num_ips; i++) { if (outformats & FORMAT_JSON) json_do_object("resource", 1); switch (ips[i].type) { @@ -239,7 +239,7 @@ ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz) if (outformats & FORMAT_JSON) { json_do_bool("ip_inherit", 1); } else { - if (i > 0 || asz > 0) + if (i > 0 || num_ases > 0) printf("%26s", ""); printf("IP: inherit"); } 
@@ -250,7 +250,7 @@ ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz) if (outformats & FORMAT_JSON) { json_do_string("ip_prefix", buf1); } else { - if (i > 0 || asz > 0) + if (i > 0 || num_ases > 0) printf("%26s", ""); printf("IP: %s", buf1); } @@ -266,7 +266,7 @@ ip_resources_print(struct cert_ip *ips, size_t ipsz, size_t asz) json_do_string("max", buf2); json_do_end(); } else { - if (i > 0 || asz > 0) + if (i > 0 || num_ases > 0) printf("%26s", ""); printf("IP: %s -- %s", buf1, buf2); } @@ -336,8 +336,8 @@ cert_print(const struct cert *p) printf("Subordinate resources: "); } - as_resources_print(p->as, p->asz); - ip_resources_print(p->ips, p->ipsz, p->asz); + as_resources_print(p->ases, p->num_ases); + ip_resources_print(p->ips, p->num_ips, p->num_ases); if (outformats & FORMAT_JSON) json_do_end(); @@ -543,9 +543,8 @@ roa_print(const X509 *x, const struct roa *p) if (outformats & FORMAT_JSON) json_do_array("vrps"); - for (i = 0; i < p->ipsz; i++) { - ip_addr_print(&p->ips[i].addr, - p->ips[i].afi, buf, sizeof(buf)); + for (i = 0; i < p->num_ips; i++) { + ip_addr_print(&p->ips[i].addr, p->ips[i].afi, buf, sizeof(buf)); if (outformats & FORMAT_JSON) { json_do_object("vrp", 1); @@ -683,8 +682,8 @@ rsc_print(const X509 *x, const struct rsc *p) printf("Signed with resources: "); } - as_resources_print(p->as, p->asz); - ip_resources_print(p->ips, p->ipsz, p->asz); + as_resources_print(p->ases, p->num_ases); + ip_resources_print(p->ips, p->num_ips, p->num_ases); if (outformats & FORMAT_JSON) { json_do_end(); @@ -886,7 +885,7 @@ geofeed_print(const X509 *x, const struct geofeed *p) printf("Geofeed CSV records: "); } - for (i = 0; i < p->geoipsz; i++) { + for (i = 0; i < p->num_geoips; i++) { if (p->geoips[i].ip->type != CERT_IP_ADDR) continue; diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c index cff8115922c..4ca22af4f71 100644 --- a/usr.sbin/rpki-client/roa.c +++ b/usr.sbin/rpki-client/roa.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.79 2024/11/05 18:09:16 tb Exp $ */
+/* $OpenBSD: roa.c,v 1.80 2024/11/12 09:23:07 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -174,13 +174,13 @@ roa_parse_econtent(const char *fn, struct roa *roa, const unsigned char *d,
 goto out;
 }
 
- if (roa->ipsz + addrsz >= MAX_IP_SIZE) {
+ if (roa->num_ips + addrsz >= MAX_IP_SIZE) {
 warnx("%s: too many ROAIPAddress entries: limit %d",
 fn, MAX_IP_SIZE);
 goto out;
 }
- roa->ips = recallocarray(roa->ips, roa->ipsz,
- roa->ipsz + addrsz, sizeof(struct roa_ip));
+ roa->ips = recallocarray(roa->ips, roa->num_ips,
+ roa->num_ips + addrsz, sizeof(struct roa_ip));
 if (roa->ips == NULL)
 err(1, NULL);
 
@@ -216,7 +216,7 @@ roa_parse_econtent(const char *fn, struct roa *roa, const unsigned char *d,
 }
 }
 
- res = &roa->ips[roa->ipsz++];
+ res = &roa->ips[roa->num_ips++];
 res->addr = ipaddr;
 res->afi = afi;
 res->maxlength = maxlen;
@@ -284,12 +284,12 @@ roa_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
 if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
 goto out;
 
- if (cert->asz > 0) {
+ if (cert->num_ases > 0) {
 warnx("%s: superfluous AS Resources extension present", fn);
 goto out;
 }
 
- if (cert->ipsz == 0) {
+ if (cert->num_ips == 0) {
 warnx("%s: no IP address present", fn);
 goto out;
 }
@@ -341,10 +341,10 @@ roa_buffer(struct ibuf *b, const struct roa *p)
 io_simple_buffer(b, &p->valid, sizeof(p->valid));
 io_simple_buffer(b, &p->asid, sizeof(p->asid));
 io_simple_buffer(b, &p->talid, sizeof(p->talid));
- io_simple_buffer(b, &p->ipsz, sizeof(p->ipsz));
+ io_simple_buffer(b, &p->num_ips, sizeof(p->num_ips));
 io_simple_buffer(b, &p->expires, sizeof(p->expires));
 
- io_simple_buffer(b, p->ips, p->ipsz * sizeof(p->ips[0]));
+ io_simple_buffer(b, p->ips, p->num_ips * sizeof(p->ips[0]));
 
 io_str_buffer(b, p->aia);
 io_str_buffer(b, p->aki);
@@ -367,13 +367,13 @@ roa_read(struct ibuf *b)
 io_read_buf(b, &p->valid, sizeof(p->valid));
 io_read_buf(b, &p->asid, sizeof(p->asid));
 io_read_buf(b, &p->talid, sizeof(p->talid));
- io_read_buf(b, &p->ipsz, sizeof(p->ipsz));
+ io_read_buf(b, &p->num_ips, sizeof(p->num_ips));
 io_read_buf(b, &p->expires, sizeof(p->expires));
 
- if (p->ipsz > 0) {
- if ((p->ips = calloc(p->ipsz, sizeof(p->ips[0]))) == NULL)
+ if (p->num_ips > 0) {
+ if ((p->ips = calloc(p->num_ips, sizeof(p->ips[0]))) == NULL)
 err(1, NULL);
- io_read_buf(b, p->ips, p->ipsz * sizeof(p->ips[0]));
+ io_read_buf(b, p->ips, p->num_ips * sizeof(p->ips[0]));
 }
 
 io_read_str(b, &p->aia);
@@ -395,7 +395,7 @@ roa_insert_vrps(struct vrp_tree *tree, struct roa *roa, struct repo *rp)
 struct vrp *v, *found;
 size_t i;
 
- for (i = 0; i < roa->ipsz; i++) {
+ for (i = 0; i < roa->num_ips; i++) {
 if ((v = malloc(sizeof(*v))) == NULL)
 err(1, NULL);
 v->afi = roa->ips[i].afi;
diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index 4a849a18892..246a3bcfb75 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.35 2024/06/11 10:38:40 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.36 2024/11/12 09:23:07 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2022 Job Snijders
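Review bot: In roa_read, `p->num_ips` is taken from the ibuf and handed straight to `calloc()` and `io_read_buf()` with no upper bound, whereas the writer side in roa_parse_econtent refuses anything at or above `MAX_IP_SIZE`; a corrupted or version-mismatched message is therefore only caught when the allocation or the read fails, with a generic `err(1, NULL)`. If the ibuf only ever originates from the project's own parser process this is an internal boundary, but mirroring the writer's invariant costs one line after the read, e.g. `if (p->num_ips >= MAX_IP_SIZE) errx(1, "roa_read: too many ROAIPAddress entries");`, and gives a diagnostic that names the field. roa_read's signature and its return are outside the hunk.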
@@ -130,38 +130,38 @@ static int
 rsc_parse_aslist(const char *fn, struct rsc *rsc,
 const ConstrainedASIdentifiers *asids)
 {
- int i, asz;
+ int i, num_ases;
 
 if (asids == NULL)
 return 1;
 
- if ((asz = sk_ASIdOrRange_num(asids->asnum)) == 0) {
+ if ((num_ases = sk_ASIdOrRange_num(asids->asnum)) == 0) {
 warnx("%s: RSC asID empty", fn);
 return 0;
 }
 
- if (asz >= MAX_AS_SIZE) {
+ if (num_ases >= MAX_AS_SIZE) {
 warnx("%s: too many AS number entries: limit %d", fn,
 MAX_AS_SIZE);
 return 0;
 }
 
- rsc->as = calloc(asz, sizeof(struct cert_as));
- if (rsc->as == NULL)
+ if ((rsc->ases = calloc(num_ases, sizeof(struct cert_as))) == NULL)
 err(1, NULL);
 
- for (i = 0; i < asz; i++) {
+ for (i = 0; i < num_ases; i++) {
 const ASIdOrRange *aor;
 
 aor = sk_ASIdOrRange_value(asids->asnum, i);
 
 switch (aor->type) {
 case ASIdOrRange_id:
- if (!sbgp_as_id(fn, rsc->as, &rsc->asz, aor->u.id))
+ if (!sbgp_as_id(fn, rsc->ases, &rsc->num_ases,
+ aor->u.id))
 return 0;
 break;
 case ASIdOrRange_range:
- if (!sbgp_as_range(fn, rsc->as, &rsc->asz,
+ if (!sbgp_as_range(fn, rsc->ases, &rsc->num_ases,
 aor->u.range))
 return 0;
 break;
@@ -181,7 +181,7 @@ rsc_parse_iplist(const char *fn, struct rsc *rsc,
 const ConstrainedIPAddressFamily *af;
 const IPAddressOrRanges *aors;
 const IPAddressOrRange *aor;
- size_t ipsz;
+ size_t num_ips;
 enum afi afi;
 int i, j;
 
@@ -197,14 +197,14 @@ rsc_parse_iplist(const char *fn, struct rsc *rsc,
 af = sk_ConstrainedIPAddressFamily_value(ipAddrBlocks, i);
 aors = af->addressesOrRanges;
 
- ipsz = rsc->ipsz + sk_IPAddressOrRange_num(aors);
- if (ipsz >= MAX_IP_SIZE) {
+ num_ips = rsc->num_ips + sk_IPAddressOrRange_num(aors);
+ if (num_ips >= MAX_IP_SIZE) {
 warnx("%s: too many IP address entries: limit %d",
 fn, MAX_IP_SIZE);
 return 0;
 }
 
- rsc->ips = recallocarray(rsc->ips, rsc->ipsz, ipsz,
+ rsc->ips = recallocarray(rsc->ips, rsc->num_ips, num_ips,
 sizeof(struct cert_ip));
 if (rsc->ips == NULL)
 err(1, NULL);
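Review bot: The local `num_ases` in rsc_parse_aslist stays an `int` whose only emptiness test is `== 0`, so a negative return from `sk_ASIdOrRange_num()` (what the stack API yields for a NULL stack; whether `asids->asnum` can be absent depends on the ASN.1 template, which is outside this hunk) would pass both that test and the `>= MAX_AS_SIZE` bound and reach `calloc(num_ases, ...)` with a negative count converted to `size_t`. Since the commit's stated aim is to keep counts from being confused with pointers, tightening the guard to `if ((num_ases = sk_ASIdOrRange_num(asids->asnum)) <= 0) {` closes that path without changing the message reported. rsc_parse_iplist in the same hunk adds the `int` result of `sk_IPAddressOrRange_num(aors)` to the `size_t` `rsc->num_ips`, where a negative value is converted to `size_t` before the addition and so is not caught reliably by the `>= MAX_IP_SIZE` comparison; the same `<= 0` check before the addition would cover it. Both functions continue past the end of the hunk.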
@@ -219,12 +219,12 @@ rsc_parse_iplist(const char *fn, struct rsc *rsc,
 switch (aor->type) {
 case IPAddressOrRange_addressPrefix:
 if (!sbgp_addr(fn, rsc->ips,
- &rsc->ipsz, afi, aor->u.addressPrefix))
+ &rsc->num_ips, afi, aor->u.addressPrefix))
 return 0;
 break;
 case IPAddressOrRange_addressRange:
 if (!sbgp_addr_range(fn, rsc->ips,
- &rsc->ipsz, afi, aor->u.addressRange))
+ &rsc->num_ips, afi, aor->u.addressRange))
 return 0;
 break;
 default:
@@ -465,7 +465,7 @@ rsc_free(struct rsc *p)
 free(p->aki);
 free(p->ski);
 free(p->ips);
- free(p->as);
+ free(p->ases);
 free(p->files);
 free(p);
 }
diff --git a/usr.sbin/rpki-client/spl.c b/usr.sbin/rpki-client/spl.c
index 93c2b5abc24..d9642b353e8 100644
--- a/usr.sbin/rpki-client/spl.c
+++ b/usr.sbin/rpki-client/spl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spl.c,v 1.5 2024/11/05 18:58:35 lucas Exp $ */
+/* $OpenBSD: spl.c,v 1.6 2024/11/12 09:23:07 tb Exp $ */
 /*
 * Copyright (c) 2024 Job Snijders
 * Copyright (c) 2022 Theo Buehler
@@ -291,12 +291,12 @@ spl_parse(X509 **x509, const char *fn, int talid, const unsigned char *der,
 if ((cert = cert_parse_ee_cert(fn, talid, *x509)) == NULL)
 goto out;
 
- if (cert->asz == 0) {
+ if (cert->num_ases == 0) {
 warnx("%s: AS Resources extension missing", fn);
 goto out;
 }
 
- if (cert->ipsz > 0) {
+ if (cert->num_ips > 0) {
 warnx("%s: superfluous IP Resources extension present", fn);
 goto out;
 }
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 56b3fe5f4d7..a17eb921876 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.77 2024/10/16 06:09:45 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.78 2024/11/12 09:23:07 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -43,7 +43,7 @@ valid_as(struct auth *a, uint32_t min, uint32_t max)
 return 0;
 
 /* Does this certificate cover our AS number? */
- c = as_check_covered(min, max, a->cert->as, a->cert->asz);
+ c = as_check_covered(min, max, a->cert->ases, a->cert->num_ases);
 if (c > 0)
 return 1;
 else if (c < 0)
@@ -69,7 +69,8 @@ valid_ip(struct auth *a, enum afi afi,
 return 0;
 
 /* Does this certificate cover our IP prefix? */
- c = ip_addr_check_covered(afi, min, max, a->cert->ips, a->cert->ipsz);
+ c = ip_addr_check_covered(afi, min, max, a->cert->ips,
+ a->cert->num_ips);
 if (c > 0)
 return 1;
 else if (c < 0)
@@ -90,26 +91,26 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
 size_t i;
 uint32_t min, max;
 
- for (i = 0; i < cert->asz; i++) {
- if (cert->as[i].type == CERT_AS_INHERIT)
+ for (i = 0; i < cert->num_ases; i++) {
+ if (cert->ases[i].type == CERT_AS_INHERIT)
 continue;
 
- if (cert->as[i].type == CERT_AS_ID) {
- min = cert->as[i].id;
- max = cert->as[i].id;
+ if (cert->ases[i].type == CERT_AS_ID) {
+ min = cert->ases[i].id;
+ max = cert->ases[i].id;
 } else {
- min = cert->as[i].range.min;
- max = cert->as[i].range.max;
+ min = cert->ases[i].range.min;
+ max = cert->ases[i].range.max;
 }
 
 if (valid_as(a, min, max))
 continue;
 
- as_warn(fn, "RFC 6487: uncovered resource", &cert->as[i]);
+ as_warn(fn, "RFC 6487: uncovered resource", &cert->ases[i]);
 return 0;
 }
 
- for (i = 0; i < cert->ipsz; i++) {
+ for (i = 0; i < cert->num_ips; i++) {
 if (cert->ips[i].type == CERT_IP_INHERIT)
 continue;
 
@@ -134,9 +135,9 @@ valid_roa(const char *fn, struct cert *cert, struct roa *roa)
 size_t i;
 char buf[64];
 
- for (i = 0; i < roa->ipsz; i++) {
+ for (i = 0; i < roa->num_ips; i++) {
 if (ip_addr_check_covered(roa->ips[i].afi, roa->ips[i].min,
- roa->ips[i].max, cert->ips, cert->ipsz) > 0)
+ roa->ips[i].max, cert->ips, cert->num_ips) > 0)
 continue;
 
 ip_addr_print(&roa->ips[i].addr, roa->ips[i].afi, buf,
@@ -156,7 +157,8 @@ valid_roa(const char *fn, struct cert *cert, struct roa *roa)
 int
 valid_spl(const char *fn, struct cert *cert, struct spl *spl)
 {
- if (as_check_covered(spl->asid, spl->asid, cert->as, cert->asz) > 0)
+ if (as_check_covered(spl->asid, spl->asid, cert->ases,
+ cert->num_ases) > 0)
 return 1;
 
 warnx("%s: SPL: uncovered ASID: %u", fn, spl->asid);
@@ -442,25 +444,25 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
 size_t i;
 uint32_t min, max;
 
- for (i = 0; i < rsc->asz; i++) {
- if (rsc->as[i].type == CERT_AS_ID) {
- min = rsc->as[i].id;
- max = rsc->as[i].id;
+ for (i = 0; i < rsc->num_ases; i++) {
+ if (rsc->ases[i].type == CERT_AS_ID) {
+ min = rsc->ases[i].id;
+ max = rsc->ases[i].id;
 } else {
- min = rsc->as[i].range.min;
- max = rsc->as[i].range.max;
+ min = rsc->ases[i].range.min;
+ max = rsc->ases[i].range.max;
 }
 
- if (as_check_covered(min, max, cert->as, cert->asz) > 0)
+ if (as_check_covered(min, max, cert->ases, cert->num_ases) > 0)
 continue;
 
- as_warn(fn, "RSC ResourceBlock uncovered", &rsc->as[i]);
+ as_warn(fn, "RSC ResourceBlock uncovered", &rsc->ases[i]);
 return 0;
 }
 
- for (i = 0; i < rsc->ipsz; i++) {
+ for (i = 0; i < rsc->num_ips; i++) {
 if (ip_addr_check_covered(rsc->ips[i].afi, rsc->ips[i].min,
- rsc->ips[i].max, cert->ips, cert->ipsz) > 0)
+ rsc->ips[i].max, cert->ips, cert->num_ips) > 0)
 continue;
 
 ip_warn(fn, "RSC ResourceBlock uncovered", &rsc->ips[i]);
@@ -511,7 +513,7 @@ valid_aspa(const char *fn, struct cert *cert, struct aspa *aspa)
 {
 
 if (as_check_covered(aspa->custasid, aspa->custasid,
- cert->as, cert->asz) > 0)
+ cert->ases, cert->num_ases) > 0)
 return 1;
 
 warnx("%s: ASPA: uncovered Customer ASID: %u", fn, aspa->custasid);
@@ -529,10 +531,10 @@ valid_geofeed(const char *fn, struct cert *cert, struct geofeed *g)
 size_t i;
 char buf[64];
 
- for (i = 0; i < g->geoipsz; i++) {
+ for (i = 0; i < g->num_geoips; i++) {
 if (ip_addr_check_covered(g->geoips[i].ip->afi,
 g->geoips[i].ip->min, g->geoips[i].ip->max, cert->ips,
- cert->ipsz) > 0)
+ cert->num_ips) > 0)
 continue;
 
 ip_addr_print(&g->geoips[i].ip->ip, g->geoips[i].ip->afi, buf,
-- 
cgit v1.2.3