From: Theo Buehler
Subject: rpki-client: updates for roas (RFC 9582)
To: tech@openbsd.org
Date: Sun, 24 Aug 2025 09:24:43 +0200

This shuffles the ASN.1 templates into an order better matching the ASN.1 in RFC 9582 and makes the warnings point at the correct section in there, which I think we can do since the next release is massive.

Fix a copy-paste error in spl.c.

With this no references to RFC 6482 remain.

Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.258 extern.h
--- extern.h 23 Aug 2025 09:13:14 -0000 1.258
+++ extern.h 24 Aug 2025 07:20:56 -0000
@@ -260,7 +260,7 @@ struct roa_ip {
 };
 
 /*
- * An ROA, RFC 6482.
+ * An ROA, RFC 9582.
 * This consists of the concerned ASID and its IP prefixes.
 */
 struct roa {
Index: roa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
diff -u -p -r1.85 roa.c
--- roa.c 19 Aug 2025 11:30:20 -0000 1.85
+++ roa.c 24 Aug 2025 07:20:23 -0000
@@ -36,19 +36,9 @@
 * ROA eContent definition in RFC 9582, section 4.
 */
 
-ASN1_ITEM_EXP ROAIPAddress_it;
-ASN1_ITEM_EXP ROAIPAddressFamily_it;
 ASN1_ITEM_EXP RouteOriginAttestation_it;
-
-ASN1_SEQUENCE(ROAIPAddress) = {
- ASN1_SIMPLE(ROAIPAddress, address, ASN1_BIT_STRING),
- ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER),
-} ASN1_SEQUENCE_END(ROAIPAddress);
-
-ASN1_SEQUENCE(ROAIPAddressFamily) = {
- ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
- ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress),
-} ASN1_SEQUENCE_END(ROAIPAddressFamily);
+ASN1_ITEM_EXP ROAIPAddressFamily_it;
+ASN1_ITEM_EXP ROAIPAddress_it;
 
 ASN1_SEQUENCE(RouteOriginAttestation) = {
 ASN1_EXP_OPT(RouteOriginAttestation, version, ASN1_INTEGER, 0),
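Review bot: After the shuffle the three ASN1_ITEM_EXP declarations are what presumably let the ROAIPAddressFamily template refer to ROAIPAddress before that template is defined (the templates now run top-down as in RFC 9582), but nothing in the file says why they exist or why their order now mirrors the definitions below. A one-line comment above them would save the next reader from re-deriving it, e.g. `/* Forward declarations: templates follow RFC 9582 top-down, so outer ones reference inner ones defined further below. */`, wrapped to the file's line width. The RouteOriginAttestation template continues outside the hunk.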
@@ -59,9 +49,18 @@ ASN1_SEQUENCE(RouteOriginAttestation) =
 IMPLEMENT_ASN1_FUNCTIONS(RouteOriginAttestation);
 
+ASN1_SEQUENCE(ROAIPAddressFamily) = {
+ ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
+ ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress),
+} ASN1_SEQUENCE_END(ROAIPAddressFamily);
+
+ASN1_SEQUENCE(ROAIPAddress) = {
+ ASN1_SIMPLE(ROAIPAddress, address, ASN1_BIT_STRING),
+ ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER),
+} ASN1_SEQUENCE_END(ROAIPAddress);
 
 /*
- * Parses the eContent section of an ROA file, RFC 6482, section 3.
+ * Parses the eContent section of an ROA file, RFC 9582, section 4.
 * Returns zero on failure, non-zero on success.
 */
 static int
@@ -83,7 +82,7 @@ roa_parse_econtent(const char *fn, struc
 
 oder = d;
 if ((roa_asn1 = d2i_RouteOriginAttestation(NULL, &d, dsz)) == NULL) {
- warnx("%s: RFC 6482 section 3: failed to parse "
+ warnx("%s: RFC 9582 section 4: failed to parse "
 "RouteOriginAttestation", fn);
 goto out;
 }
@@ -97,7 +96,7 @@ roa_parse_econtent(const char *fn, struc
 goto out;
 
 if (!as_id_parse(roa_asn1->asid, &roa->asid)) {
- warnx("%s: RFC 6482 section 3.2: asID: "
+ warnx("%s: RFC 9582 section 4.2: asID: "
 "malformed AS identifier", fn);
 goto out;
 }
@@ -116,7 +115,7 @@ roa_parse_econtent(const char *fn, struc
 addrsz = sk_ROAIPAddress_num(addrs);
 
 if (!ip_addr_afi_parse(fn, addrfam->addressFamily, &afi)) {
- warnx("%s: RFC 6482 section 3.3: addressFamily: "
+ warnx("%s: RFC 9582 section 4.3: addressFamily: "
 "invalid", fn);
 goto out;
 }
@@ -124,14 +123,14 @@ roa_parse_econtent(const char *fn, struc
 switch (afi) {
 case AFI_IPV4:
 if (ipv4_seen++ > 0) {
- warnx("%s: RFC 9582 section 4.3.2: "
+ warnx("%s: RFC 9582 section 4.3.1: "
 "IPv4 appears twice", fn);
 goto out;
 }
 break;
 case AFI_IPV6:
 if (ipv6_seen++ > 0) {
- warnx("%s: RFC 9582 section 4.3.2: "
+ warnx("%s: RFC 9582 section 4.3.1: "
 "IPv6 appears twice", fn);
 goto out;
 }
@@ -139,7 +138,7 @@ roa_parse_econtent(const char *fn, struc
 }
 
 if (addrsz == 0) {
- warnx("%s: RFC 9582, section 4.3.2: "
+ warnx("%s: RFC 9582, section 4.3.1: "
 "empty ROAIPAddressFamily", fn);
 goto out;
 }
@@ -158,7 +157,7 @@ roa_parse_econtent(const char *fn, struc
 addr = sk_ROAIPAddress_value(addrs, j);
 
 if (!ip_addr_parse(addr->address, afi, fn, &ipaddr)) {
- warnx("%s: RFC 6482 section 3.3: address: "
+ warnx("%s: RFC 9582 section 4.3.2.1: address: "
 "invalid IP address", fn);
 goto out;
 }
@@ -167,7 +166,7 @@ roa_parse_econtent(const char *fn, struc
 if (addr->maxLength != NULL) {
 if (!ASN1_INTEGER_get_uint64(&maxlen,
 addr->maxLength)) {
- warnx("%s: RFC 6482 section 3.2: "
+ warnx("%s: RFC 9582 section 4.3.2.2: "
 "ASN1_INTEGER_get_uint64 failed",
 fn);
 goto out;
@@ -201,7 +200,7 @@ roa_parse_econtent(const char *fn, struc
 }
 
 /*
- * Parse a full RFC 6482 file.
+ * Parse a full RFC 9582 file.
 * Returns the ROA or NULL if the document was malformed.
 */
 struct roa *
Index: spl.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/spl.c,v
diff -u -p -r1.14 spl.c
--- spl.c 19 Aug 2025 11:30:20 -0000 1.14
+++ spl.c 24 Aug 2025 07:21:32 -0000
@@ -116,8 +116,7 @@ spl_parse_econtent(const char *fn, struc
 
 oder = d;
 if ((spl_asn1 = d2i_SignedPrefixList(NULL, &d, dsz)) == NULL) {
- warnx("%s: RFC 6482 section 3: failed to parse "
- "SignedPrefixList", fn);
+ warnx("%s: failed to parse SignedPrefixList", fn);
 goto out;
 }
 if (d != oder + dsz) {
Index: validate.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
diff -u -p -r1.80 validate.c
--- validate.c 1 Aug 2025 14:57:15 -0000 1.80
+++ validate.c 24 Aug 2025 07:21:48 -0000
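Review bot: The rewritten warnx in spl_parse_econtent drops the profile citation entirely rather than replacing it, so this parse failure is the one message in the commit with no document reference, while the equivalent d2i failure in roa.c's hunk at line 82 now cites RFC 9582 section 4. If the SPL profile this file follows is already cited in other spl.c messages (not visible in the hunk), the same form here would keep the messages greppable, e.g. `warnx("%s: <SPL-PROFILE> section <N>: failed to parse SignedPrefixList", fn);` with the placeholders filled in; if no final document exists yet, the plain message is the right call and a short comment saying so would stop the next reader from re-adding a wrong one. spl_parse_econtent begins and ends outside the hunk.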
@@ -140,7 +140,7 @@ valid_roa(const char *fn, struct cert *c
 
 ip_addr_print(&roa->ips[i].addr, roa->ips[i].afi,
 buf, sizeof(buf));
- warnx("%s: RFC 6482: uncovered IP: %s", fn, buf);
+ warnx("%s: RFC 6582: uncovered IP: %s", fn, buf);
 return 0;
 }
 
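Review bot: The new warnx line cites RFC 6582, which is not an RPKI document, so the one validation-time ROA warning now points readers at the wrong RFC; given the commit's stated aim of moving every reference to RFC 9582, this looks like a transposed digit rather than an intended citation. Change it to `warnx("%s: RFC 9582: uncovered IP: %s", fn, buf);`, and if the rest of this commit's convention of naming the section is wanted, add the number of RFC 9582's ROA validation section once confirmed. Worth a grep for "6582" before commit, since the description claims no stale references remain. valid_roa's body begins and ends outside the hunk.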