From: Theo Buehler <tb@theobuehler.org>
Subject: Re: rpki-client: disallow superfluous encoding of AS0 in providers
To: Job Snijders <job@bsd.nl>
Cc: tech@openbsd.org
Date: Sat, 7 Feb 2026 13:49:10 +0100

On Sat, Feb 07, 2026 at 12:12:53PM +0000, Job Snijders wrote:
> Implement this check:
> 
> https://author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-aspa-profile-21&url2=draft-ietf-sidrops-aspa-profile-22&difftype=--html

I think making me watch a video where you type out the three lines of
interest would be even more convenient :)

>
> OK?

Your check doesn't implement "this check".

>
> Index: aspa.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/aspa.c,v
> diff -u -p -r1.41 aspa.c
> --- aspa.c	14 Nov 2025 08:30:22 -0000	1.41
> +++ aspa.c	7 Feb 2026 12:07:24 -0000
> @@ -90,6 +90,11 @@ aspa_parse_providers(const char *fn, str
>  		}
>  
>  		if (i > 0) {
> +			if (provider == 0) {

If provider == 0, you necessarily hit one of the other two checks in
here.

			if (providers[i - 1] == 0) {

would work. Or, probably better, after the for loop:

	if (aspa->num_providers > 1 && aspa->providers[0] == 0) {
		warnx(...);
		return 0;
	}

> +				warnx("%s: ASPA: invalid mixed AS 0 Provider",

I would have no clue what this warning is trying to tell me if I didn't
already know.

> +				    fn);
> +				return 0;
> +			}
>  			if (aspa->providers[i - 1] > provider) {
>  				warnx("%s: ASPA: invalid ProviderASSet order",
>  				    fn);
>
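
Review bot: the added `if (provider == 0)` branch inside `if (i > 0)` tests the current element, so it cannot catch the case its warning names. Given the ascending-order check that follows it (`aspa->providers[i - 1] > provider`), a set that mixes AS 0 with other providers has 0 at index 0 and non-zero values after it, and for that input `provider` is never 0 at i > 0. Test the first entry instead, for example after the loop with `aspa->num_providers > 1 && aspa->providers[0] == 0`, and reword the warnx() text so it says what is wrong with the object, for instance that AS 0 appears alongside other providers.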
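
The reasoning in the reply above, as an added example that is not rpki-client code and not from either author: a stand-alone C model of the provider loop comparing the patch's condition with the after-loop check suggested in the reply. The function name, the mode enum, the sample arrays and the duplicate check are assumptions; only the ordering check is visible in the hunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Where the AS 0 check sits; names are hypothetical, for this example only. */
enum as0_check { AS0_NONE, AS0_PATCH, AS0_AFTER_LOOP };

/* Constructed provider sets (private-use AS numbers). */
const uint32_t as0_only[] = { 0 };
const uint32_t as0_mixed[] = { 0, 64512, 64513 };
const uint32_t as0_last[] = { 64512, 0 };
const uint32_t no_as0[] = { 64512, 64513 };

/* Returns 1 if the set is accepted, 0 if rejected. */
int
validate_providers(const uint32_t *p, size_t n, enum as0_check mode)
{
	size_t i;

	for (i = 1; i < n; i++) {
		/* Condition from the patch: looks at the current element. */
		if (mode == AS0_PATCH && p[i] == 0)
			return 0;
		/* Ordering check, visible in the hunk's context lines. */
		if (p[i - 1] > p[i])
			return 0;
		/* Assumed: duplicates are rejected too (not shown on the page). */
		if (p[i - 1] == p[i])
			return 0;
	}
	/* Check after the loop, as suggested in the reply. */
	if (mode == AS0_AFTER_LOOP && n > 1 && p[0] == 0)
		return 0;
	return 1;
}

int
main(void)
{
	printf("mixed {0,64512,64513}: none=%d patch=%d after=%d\n",
	    validate_providers(as0_mixed, 3, AS0_NONE),
	    validate_providers(as0_mixed, 3, AS0_PATCH),
	    validate_providers(as0_mixed, 3, AS0_AFTER_LOOP));
	return 0;
}
```

With AS0_PATCH the result matches AS0_NONE on every sample set, while AS0_AFTER_LOOP is the only mode that rejects the mixed set and still accepts a lone AS 0.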