rpki-client: updates for roas (RFC 9582)
This shuffles the ASN.1 templates into an order better matching the
ASN.1 in RFC 9582 and makes the warnings point at the correct section
in there, which I think we can do since the next release is massive.
Fix a copy-paste error in spl.c. With this no references to RFC 6482
remain.
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.258 extern.h
--- extern.h 23 Aug 2025 09:13:14 -0000 1.258
+++ extern.h 24 Aug 2025 07:20:56 -0000
@@ -260,7 +260,7 @@ struct roa_ip {
};
/*
- * An ROA, RFC 6482.
+ * An ROA, RFC 9582.
* This consists of the concerned ASID and its IP prefixes.
*/
struct roa {
Index: roa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
diff -u -p -r1.85 roa.c
--- roa.c 19 Aug 2025 11:30:20 -0000 1.85
+++ roa.c 24 Aug 2025 07:20:23 -0000
@@ -36,19 +36,9 @@
* ROA eContent definition in RFC 9582, section 4.
*/
-ASN1_ITEM_EXP ROAIPAddress_it;
-ASN1_ITEM_EXP ROAIPAddressFamily_it;
ASN1_ITEM_EXP RouteOriginAttestation_it;
-
-ASN1_SEQUENCE(ROAIPAddress) = {
- ASN1_SIMPLE(ROAIPAddress, address, ASN1_BIT_STRING),
- ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER),
-} ASN1_SEQUENCE_END(ROAIPAddress);
-
-ASN1_SEQUENCE(ROAIPAddressFamily) = {
- ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
- ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress),
-} ASN1_SEQUENCE_END(ROAIPAddressFamily);
+ASN1_ITEM_EXP ROAIPAddressFamily_it;
+ASN1_ITEM_EXP ROAIPAddress_it;
ASN1_SEQUENCE(RouteOriginAttestation) = {
ASN1_EXP_OPT(RouteOriginAttestation, version, ASN1_INTEGER, 0),
@@ -59,9 +49,18 @@ ASN1_SEQUENCE(RouteOriginAttestation) =
IMPLEMENT_ASN1_FUNCTIONS(RouteOriginAttestation);
+ASN1_SEQUENCE(ROAIPAddressFamily) = {
+ ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
+ ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress),
+} ASN1_SEQUENCE_END(ROAIPAddressFamily);
+
+ASN1_SEQUENCE(ROAIPAddress) = {
+ ASN1_SIMPLE(ROAIPAddress, address, ASN1_BIT_STRING),
+ ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER),
+} ASN1_SEQUENCE_END(ROAIPAddress);
/*
- * Parses the eContent section of an ROA file, RFC 6482, section 3.
+ * Parses the eContent section of an ROA file, RFC 9582, section 4.
* Returns zero on failure, non-zero on success.
*/
static int
@@ -83,7 +82,7 @@ roa_parse_econtent(const char *fn, struc
oder = d;
if ((roa_asn1 = d2i_RouteOriginAttestation(NULL, &d, dsz)) == NULL) {
- warnx("%s: RFC 6482 section 3: failed to parse "
+ warnx("%s: RFC 9582 section 4: failed to parse "
"RouteOriginAttestation", fn);
goto out;
}
@@ -97,7 +96,7 @@ roa_parse_econtent(const char *fn, struc
goto out;
if (!as_id_parse(roa_asn1->asid, &roa->asid)) {
- warnx("%s: RFC 6482 section 3.2: asID: "
+ warnx("%s: RFC 9582 section 4.2: asID: "
"malformed AS identifier", fn);
goto out;
}
@@ -116,7 +115,7 @@ roa_parse_econtent(const char *fn, struc
addrsz = sk_ROAIPAddress_num(addrs);
if (!ip_addr_afi_parse(fn, addrfam->addressFamily, &afi)) {
- warnx("%s: RFC 6482 section 3.3: addressFamily: "
+ warnx("%s: RFC 9582 section 4.3: addressFamily: "
"invalid", fn);
goto out;
}
@@ -124,14 +123,14 @@ roa_parse_econtent(const char *fn, struc
switch (afi) {
case AFI_IPV4:
if (ipv4_seen++ > 0) {
- warnx("%s: RFC 9582 section 4.3.2: "
+ warnx("%s: RFC 9582 section 4.3.1: "
"IPv4 appears twice", fn);
goto out;
}
break;
case AFI_IPV6:
if (ipv6_seen++ > 0) {
- warnx("%s: RFC 9582 section 4.3.2: "
+ warnx("%s: RFC 9582 section 4.3.1: "
"IPv6 appears twice", fn);
goto out;
}
@@ -139,7 +138,7 @@ roa_parse_econtent(const char *fn, struc
}
if (addrsz == 0) {
- warnx("%s: RFC 9582, section 4.3.2: "
+ warnx("%s: RFC 9582, section 4.3.1: "
"empty ROAIPAddressFamily", fn);
goto out;
}
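Review bot: The rewritten warnx string on the `+` line reads `RFC 9582, section 4.3.1` with a comma, while the two messages in the preceding hunk that cite the same section (`IPv4 appears twice`, `IPv6 appears twice`) and every other warning in roa_parse_econtent use `RFC 9582 section ...` without one. The comma predates this commit, but since the line is being rewritten anyway it would be the natural moment to make the citation format uniform, which also helps anyone grepping logs for these messages: `warnx("%s: RFC 9582 section 4.3.1: "`. roa_parse_econtent's body begins and ends outside this hunk.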
@@ -158,7 +157,7 @@ roa_parse_econtent(const char *fn, struc
addr = sk_ROAIPAddress_value(addrs, j);
if (!ip_addr_parse(addr->address, afi, fn, &ipaddr)) {
- warnx("%s: RFC 6482 section 3.3: address: "
+ warnx("%s: RFC 9582 section 4.3.2.1: address: "
"invalid IP address", fn);
goto out;
}
@@ -167,7 +166,7 @@ roa_parse_econtent(const char *fn, struc
if (addr->maxLength != NULL) {
if (!ASN1_INTEGER_get_uint64(&maxlen,
addr->maxLength)) {
- warnx("%s: RFC 6482 section 3.2: "
+ warnx("%s: RFC 9582 section 4.3.2.2: "
"ASN1_INTEGER_get_uint64 failed",
fn);
goto out;
@@ -201,7 +200,7 @@ roa_parse_econtent(const char *fn, struc
}
/*
- * Parse a full RFC 6482 file.
+ * Parse a full RFC 9582 file.
* Returns the ROA or NULL if the document was malformed.
*/
struct roa *
Index: spl.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/spl.c,v
diff -u -p -r1.14 spl.c
--- spl.c 19 Aug 2025 11:30:20 -0000 1.14
+++ spl.c 24 Aug 2025 07:21:32 -0000
@@ -116,8 +116,7 @@ spl_parse_econtent(const char *fn, struc
oder = d;
if ((spl_asn1 = d2i_SignedPrefixList(NULL, &d, dsz)) == NULL) {
- warnx("%s: RFC 6482 section 3: failed to parse "
- "SignedPrefixList", fn);
+ warnx("%s: failed to parse SignedPrefixList", fn);
goto out;
}
if (d != oder + dsz) {
Index: validate.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
diff -u -p -r1.80 validate.c
--- validate.c 1 Aug 2025 14:57:15 -0000 1.80
+++ validate.c 24 Aug 2025 07:21:48 -0000
@@ -140,7 +140,7 @@ valid_roa(const char *fn, struct cert *c
ip_addr_print(&roa->ips[i].addr, roa->ips[i].afi, buf,
sizeof(buf));
- warnx("%s: RFC 6482: uncovered IP: %s", fn, buf);
+ warnx("%s: RFC 6582: uncovered IP: %s", fn, buf);
return 0;
}
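Review bot: The new warnx line cites `RFC 6582`, which matches neither the `RFC 9582` used throughout the rest of this commit nor the RFC 6482 it replaces, so this looks like a transposed digit rather than an intentional reference. As written, the commit would leave no RFC 6482 references, as its message says, but at the cost of pointing operators at an unrelated document from a user-facing warning. Suggest `warnx("%s: RFC 9582: uncovered IP: %s", fn, buf);`. valid_roa's body starts before this hunk.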