
From:
Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject:
Re: rpki-client: drop proto argument from x509_location()
To:
Theo Buehler <tb@theobuehler.org>
Cc:
tech@openbsd.org
Date:
Mon, 3 Jun 2024 17:08:22 +0200


On Mon, Jun 03, 2024 at 04:50:14PM +0200, Theo Buehler wrote:
> As mentioned previously, there's only one caller that uses this, all
> others can't.

OK claudio@
 
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.133 cert.c
> --- cert.c	3 Jun 2024 12:58:39 -0000	1.133
> +++ cert.c	3 Jun 2024 14:48:56 -0000
> @@ -529,7 +529,7 @@ sbgp_sia(const char *fn, struct cert *ce
>  		oid = ad->method;
>  
>  		if (OBJ_cmp(oid, carepo_oid) == 0) {
> -			if (!x509_location(fn, "SIA: caRepository", NULL,
> +			if (!x509_location(fn, "SIA: caRepository",
>  			    ad->location, &carepo))
>  				goto out;
>  			if (cert->repo == NULL && strncasecmp(carepo,
> @@ -544,7 +544,7 @@ sbgp_sia(const char *fn, struct cert *ce
>  			free(carepo);
>  			carepo = NULL;
>  		} else if (OBJ_cmp(oid, manifest_oid) == 0) {
> -			if (!x509_location(fn, "SIA: rpkiManifest", NULL,
> +			if (!x509_location(fn, "SIA: rpkiManifest",
>  			    ad->location, &rpkimft))
>  				goto out;
>  			if (cert->mft == NULL && strncasecmp(rpkimft,
> @@ -560,8 +560,14 @@ sbgp_sia(const char *fn, struct cert *ce
>  			rpkimft = NULL;
>  		} else if (OBJ_cmp(oid, notify_oid) == 0) {
>  			if (!x509_location(fn, "SIA: rpkiNotify",
> -			    HTTPS_PROTO, ad->location, &cert->notify))
> +			    ad->location, &cert->notify))
>  				goto out;
> +			if (strncasecmp(cert->notify, HTTPS_PROTO,
> +			    HTTPS_PROTO_LEN) != 0) {
> +				warnx("%s: non-https uri in rpkiNotify: %s",
> +				    fn, cert->notify);
> +				goto out;
> +			}
>  		}
>  	}
>  
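Review bot: The new strncasecmp() guard on the rpkiNotify branch jumps to out while cert->notify still points at the string x509_location() just stored; if the out label of sbgp_sia only releases carepo and rpkimft and the caller does not free the partially filled cert on failure, that string leaks — worth confirming, since both the start and the end of sbgp_sia lie outside this hunk. Before this change the https requirement was enforced inside x509_location() through the HTTPS_PROTO argument, so this comparison is now the only place the rpkiNotify scheme is verified, and a reader of cert.c has no hint of that. A one-line comment above the check would record it: `/* rpkiNotify must be https; x509_location() no longer checks the scheme. */`.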
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.220 extern.h
> --- extern.h	31 May 2024 02:45:15 -0000	1.220
> +++ extern.h	3 Jun 2024 13:02:03 -0000
> @@ -913,8 +913,8 @@ char		*x509_pubkey_get_ski(X509_PUBKEY *
>  enum cert_purpose	 x509_get_purpose(X509 *, const char *);
>  int		 x509_get_time(const ASN1_TIME *, time_t *);
>  char		*x509_convert_seqnum(const char *, const ASN1_INTEGER *);
> -int		 x509_location(const char *, const char *, const char *,
> -		    GENERAL_NAME *, char **);
> +int		 x509_location(const char *, const char *, GENERAL_NAME *,
> +		    char **);
>  int		 x509_inherits(X509 *);
>  int		 x509_any_inherits(X509 *);
>  int		 x509_valid_name(const char *, const char *, const X509_NAME *);
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
> diff -u -p -r1.91 x509.c
> --- x509.c	3 Jun 2024 12:58:39 -0000	1.91
> +++ x509.c	3 Jun 2024 14:47:48 -0000
> @@ -456,7 +456,7 @@ x509_get_aia(X509 *x, const char *fn, ch
>  		goto out;
>  	}
>  
> -	if (!x509_location(fn, "AIA: caIssuers", NULL, ad->location, aia))
> +	if (!x509_location(fn, "AIA: caIssuers", ad->location, aia))
>  		goto out;
>  
>  	rc = 1;
> @@ -522,9 +522,7 @@ x509_get_sia(X509 *x, const char *fn, ch
>  			goto out;
>  		}
>  
> -		/* Don't fail on non-rsync URI, so check this afterward. */
> -		if (!x509_location(fn, "SIA: signedObject", NULL, ad->location,
> -		    sia))
> +		if (!x509_location(fn, "SIA: signedObject", ad->location, sia))
>  			goto out;
>  
>  		if (rsync_found)
> @@ -764,9 +762,7 @@ x509_get_crl(X509 *x, const char *fn, ch
>  	for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
>  		name = sk_GENERAL_NAME_value(names, i);
>  
> -		/* Don't fail on non-rsync URI, so check this afterward. */
> -		if (!x509_location(fn, "CRL distribution point", NULL, name,
> -		    crl))
> +		if (!x509_location(fn, "CRL distribution point", name, crl))
>  			goto out;
>  
>  		if (strncasecmp(*crl, RSYNC_PROTO, RSYNC_PROTO_LEN) == 0) {
> @@ -812,8 +808,8 @@ x509_get_time(const ASN1_TIME *at, time_
>   * Returns 0 on failure and 1 on success.
>   */
>  int
> -x509_location(const char *fn, const char *descr, const char *proto,
> -    GENERAL_NAME *location, char **out)
> +x509_location(const char *fn, const char *descr, GENERAL_NAME *location,
> +    char **out)
>  {
>  	ASN1_IA5STRING	*uri;
>  
> @@ -824,7 +820,7 @@ x509_location(const char *fn, const char
>  
>  	uri = location->d.uniformResourceIdentifier;
>  
> -	if (!valid_uri(uri->data, uri->length, proto)) {
> +	if (!valid_uri(uri->data, uri->length, NULL)) {
>  		warnx("%s: RFC 6487 section 4.8: %s bad location", fn, descr);
>  		return 0;
>  	}
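Review bot: With the proto argument replaced by a fixed NULL in the valid_uri() call, x509_location() no longer rejects any URI scheme, so every caller is now responsible for its own rsync or https prefix check (cert.c does this for rpkiNotify, x509_get_sia and x509_get_crl for rsync); the function header comment, which begins above the previous hunk and of which only `Returns 0 on failure and 1 on success.` is visible, should state this if it still describes the former proto parameter. The previous hunks in x509_get_sia and x509_get_crl also drop the `Don't fail on non-rsync URI` comments that explained why the scheme test comes afterward, so this is the natural place to keep that rationale. Suggest adding above the valid_uri() call: `/* The scheme is deliberately not checked here; callers verify rsync/https as required. */`.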
> 

-- 
:wq Claudio