From: Claudio Jeker Subject: Re: rpki-client: drop proto argument from x509_location() To: Theo Buehler Cc: tech@openbsd.org Date: Mon, 3 Jun 2024 17:08:22 +0200 On Mon, Jun 03, 2024 at 04:50:14PM +0200, Theo Buehler wrote: > As mentioned previously, there's only one caller that uses this, all > others can't. OK claudio@ > Index: cert.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v > diff -u -p -r1.133 cert.c > --- cert.c 3 Jun 2024 12:58:39 -0000 1.133 > +++ cert.c 3 Jun 2024 14:48:56 -0000 > @@ -529,7 +529,7 @@ sbgp_sia(const char *fn, struct cert *ce > oid = ad->method; > > if (OBJ_cmp(oid, carepo_oid) == 0) { > - if (!x509_location(fn, "SIA: caRepository", NULL, > + if (!x509_location(fn, "SIA: caRepository", > ad->location, &carepo)) > goto out; > if (cert->repo == NULL && strncasecmp(carepo, > @@ -544,7 +544,7 @@ sbgp_sia(const char *fn, struct cert *ce > free(carepo); > carepo = NULL; > } else if (OBJ_cmp(oid, manifest_oid) == 0) { > - if (!x509_location(fn, "SIA: rpkiManifest", NULL, > + if (!x509_location(fn, "SIA: rpkiManifest", > ad->location, &rpkimft)) > goto out; > if (cert->mft == NULL && strncasecmp(rpkimft, > @@ -560,8 +560,14 @@ sbgp_sia(const char *fn, struct cert *ce > rpkimft = NULL; > } else if (OBJ_cmp(oid, notify_oid) == 0) { > if (!x509_location(fn, "SIA: rpkiNotify", > - HTTPS_PROTO, ad->location, &cert->notify)) > + ad->location, &cert->notify)) > goto out; > + if (strncasecmp(cert->notify, HTTPS_PROTO, > + HTTPS_PROTO_LEN) != 0) { > + warnx("%s: non-https uri in rpkiNotify: %s", > + fn, cert->notify); > + goto out; > + } > } > } > > Index: extern.h > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v > diff -u -p -r1.220 extern.h > --- extern.h 31 May 2024 02:45:15 -0000 1.220 > +++ extern.h 3 Jun 2024 13:02:03 -0000 > @@ -913,8 +913,8 @@ char *x509_pubkey_get_ski(X509_PUBKEY * > enum cert_purpose x509_get_purpose(X509 *, const char *); > int x509_get_time(const ASN1_TIME *, time_t *); > char *x509_convert_seqnum(const char *, const ASN1_INTEGER *); > -int x509_location(const char *, const char *, const char *, > - GENERAL_NAME *, char **); > +int x509_location(const char *, const char *, GENERAL_NAME *, > + char **); > int x509_inherits(X509 *); > int x509_any_inherits(X509 *); > int x509_valid_name(const char *, const char *, const X509_NAME *); > Index: x509.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v > diff -u -p -r1.91 x509.c > --- x509.c 3 Jun 2024 12:58:39 -0000 1.91 > +++ x509.c 3 Jun 2024 14:47:48 -0000 > @@ -456,7 +456,7 @@ x509_get_aia(X509 *x, const char *fn, ch > goto out; > } > > - if (!x509_location(fn, "AIA: caIssuers", NULL, ad->location, aia)) > + if (!x509_location(fn, "AIA: caIssuers", ad->location, aia)) > goto out; > > rc = 1; > @@ -522,9 +522,7 @@ x509_get_sia(X509 *x, const char *fn, ch > goto out; > } > > - /* Don't fail on non-rsync URI, so check this afterward. */ > - if (!x509_location(fn, "SIA: signedObject", NULL, ad->location, > - sia)) > + if (!x509_location(fn, "SIA: signedObject", ad->location, sia)) > goto out; > > if (rsync_found) > @@ -764,9 +762,7 @@ x509_get_crl(X509 *x, const char *fn, ch > for (i = 0; i < sk_GENERAL_NAME_num(names); i++) { > name = sk_GENERAL_NAME_value(names, i); > > - /* Don't fail on non-rsync URI, so check this afterward. */ > - if (!x509_location(fn, "CRL distribution point", NULL, name, > - crl)) > + if (!x509_location(fn, "CRL distribution point", name, crl)) > goto out; > > if (strncasecmp(*crl, RSYNC_PROTO, RSYNC_PROTO_LEN) == 0) { > @@ -812,8 +808,8 @@ x509_get_time(const ASN1_TIME *at, time_ > * Returns 0 on failure and 1 on success. > */ > int > -x509_location(const char *fn, const char *descr, const char *proto, > - GENERAL_NAME *location, char **out) > +x509_location(const char *fn, const char *descr, GENERAL_NAME *location, > + char **out) > { > ASN1_IA5STRING *uri; > > @@ -824,7 +820,7 @@ x509_location(const char *fn, const char > > uri = location->d.uniformResourceIdentifier; > > - if (!valid_uri(uri->data, uri->length, proto)) { > + if (!valid_uri(uri->data, uri->length, NULL)) { > warnx("%s: RFC 6487 section 4.8: %s bad location", fn, descr); > return 0; > } > -- :wq Claudio