From: Claudio Jeker
Subject: Re: rpki-client: updates for roas (RFC 9582)
To: Theo Buehler
Cc: tech@openbsd.org
Date: Sun, 24 Aug 2025 13:26:08 +0200

On Sun, Aug 24, 2025 at 09:24:43AM +0200, Theo Buehler wrote:
> This shuffles the ASN.1 templates into an order better matching the
> ASN.1 in RFC 9582 and makes the warnings point at the correct section
> in there, which I think we can do since the next release is massive.
>
> Fix a copy-paste error in spl.c. With this no references to RFC 6482
> remain.

One comment below.

> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.258 extern.h
> --- extern.h 23 Aug 2025 09:13:14 -0000 1.258
> +++ extern.h 24 Aug 2025 07:20:56 -0000
> @@ -260,7 +260,7 @@ struct roa_ip {
> };
>
> /*
> - * An ROA, RFC 6482.
> + * An ROA, RFC 9582.
> * This consists of the concerned ASID and its IP prefixes.
> */
> struct roa {
> Index: roa.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
> diff -u -p -r1.85 roa.c
> --- roa.c 19 Aug 2025 11:30:20 -0000 1.85
> +++ roa.c 24 Aug 2025 07:20:23 -0000
> @@ -36,19 +36,9 @@
> * ROA eContent definition in RFC 9582, section 4.
> */
>
> -ASN1_ITEM_EXP ROAIPAddress_it;
> -ASN1_ITEM_EXP ROAIPAddressFamily_it;
> ASN1_ITEM_EXP RouteOriginAttestation_it;
> -
> -ASN1_SEQUENCE(ROAIPAddress) = {
> - ASN1_SIMPLE(ROAIPAddress, address, ASN1_BIT_STRING),
> - ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER),
> -} ASN1_SEQUENCE_END(ROAIPAddress);
> -
> -ASN1_SEQUENCE(ROAIPAddressFamily) = {
> - ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
> - ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress),
> -} ASN1_SEQUENCE_END(ROAIPAddressFamily);
> +ASN1_ITEM_EXP ROAIPAddressFamily_it;
> +ASN1_ITEM_EXP ROAIPAddress_it;
>
> ASN1_SEQUENCE(RouteOriginAttestation) = {
> ASN1_EXP_OPT(RouteOriginAttestation, version, ASN1_INTEGER, 0),
> @@ -59,9 +49,18 @@ ASN1_SEQUENCE(RouteOriginAttestation) =
>
> IMPLEMENT_ASN1_FUNCTIONS(RouteOriginAttestation);
>
> +ASN1_SEQUENCE(ROAIPAddressFamily) = {
> + ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
> + ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress),
> +} ASN1_SEQUENCE_END(ROAIPAddressFamily);
> +
> +ASN1_SEQUENCE(ROAIPAddress) = {
> + ASN1_SIMPLE(ROAIPAddress, address, ASN1_BIT_STRING),
> + ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER),
> +} ASN1_SEQUENCE_END(ROAIPAddress);
>
> /*
> - * Parses the eContent section of an ROA file, RFC 6482, section 3.
> + * Parses the eContent section of an ROA file, RFC 9582, section 4.
> * Returns zero on failure, non-zero on success.
> */
> static int
> @@ -83,7 +82,7 @@ roa_parse_econtent(const char *fn, struc
>
> oder = d;
> if ((roa_asn1 = d2i_RouteOriginAttestation(NULL, &d, dsz)) == NULL) {
> - warnx("%s: RFC 6482 section 3: failed to parse "
> + warnx("%s: RFC 9582 section 4: failed to parse "
> "RouteOriginAttestation", fn);
> goto out;
> }
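Review bot: The two forward declarations kept at the top of the first hunk, `ASN1_ITEM_EXP ROAIPAddressFamily_it;` and `ASN1_ITEM_EXP ROAIPAddress_it;`, become load-bearing with this reorder: `RouteOriginAttestation` references `ROAIPAddressFamily` and `ROAIPAddressFamily` references `ROAIPAddress` (via `ASN1_SEQUENCE_OF`) before either template is defined, so someone tidying later could mistake them for leftovers and break the build. A one-line comment above them would make the intent explicit, e.g. `/* Forward declarations: the templates below follow RFC 9582 order, so outer sequences refer to inner ones before they are defined. */`. Presumably the `ASN1_SEQUENCE_OF`/`ASN1_EXP_SEQUENCE_OF` macros take the item's address, which is why the declarations rather than the definitions are what matters here; confirm against the LibreSSL template macros. The `ASN1_SEQUENCE(RouteOriginAttestation)` template starts in the first hunk and ends outside it, in the context of the second.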
> @@ -97,7 +96,7 @@ roa_parse_econtent(const char *fn, struc
> goto out;
>
> if (!as_id_parse(roa_asn1->asid, &roa->asid)) {
> - warnx("%s: RFC 6482 section 3.2: asID: "
> + warnx("%s: RFC 9582 section 4.2: asID: "
> "malformed AS identifier", fn);
> goto out;
> }
> @@ -116,7 +115,7 @@ roa_parse_econtent(const char *fn, struc
> addrsz = sk_ROAIPAddress_num(addrs);
>
> if (!ip_addr_afi_parse(fn, addrfam->addressFamily, &afi)) {
> - warnx("%s: RFC 6482 section 3.3: addressFamily: "
> + warnx("%s: RFC 9582 section 4.3: addressFamily: "
> "invalid", fn);
> goto out;
> }
> @@ -124,14 +123,14 @@ roa_parse_econtent(const char *fn, struc
> switch (afi) {
> case AFI_IPV4:
> if (ipv4_seen++ > 0) {
> - warnx("%s: RFC 9582 section 4.3.2: "
> + warnx("%s: RFC 9582 section 4.3.1: "
> "IPv4 appears twice", fn);
> goto out;
> }
> break;
> case AFI_IPV6:
> if (ipv6_seen++ > 0) {
> - warnx("%s: RFC 9582 section 4.3.2: "
> + warnx("%s: RFC 9582 section 4.3.1: "
> "IPv6 appears twice", fn);
> goto out;
> }
> @@ -139,7 +138,7 @@ roa_parse_econtent(const char *fn, struc
> }
>
> if (addrsz == 0) {
> - warnx("%s: RFC 9582, section 4.3.2: "
> + warnx("%s: RFC 9582, section 4.3.1: "
> "empty ROAIPAddressFamily", fn);
> goto out;
> }
> @@ -158,7 +157,7 @@ roa_parse_econtent(const char *fn, struc
> addr = sk_ROAIPAddress_value(addrs, j);
>
> if (!ip_addr_parse(addr->address, afi, fn, &ipaddr)) {
> - warnx("%s: RFC 6482 section 3.3: address: "
> + warnx("%s: RFC 9582 section 4.3.2.1: address: "
> "invalid IP address", fn);
> goto out;
> }
> @@ -167,7 +166,7 @@ roa_parse_econtent(const char *fn, struc
> if (addr->maxLength != NULL) {
> if (!ASN1_INTEGER_get_uint64(&maxlen,
> addr->maxLength)) {
> - warnx("%s: RFC 6482 section 3.2: "
> + warnx("%s: RFC 9582 section 4.3.2.2: "
> "ASN1_INTEGER_get_uint64 failed",
> fn);
> goto out;
> @@ -201,7 +200,7 @@ roa_parse_econtent(const char *fn, struc
> }
>
> /*
> - * Parse a full RFC 6482 file.
> + * Parse a full RFC 9582 file.
> * Returns the ROA or NULL if the document was malformed.
> */
> struct roa *
> Index: spl.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/spl.c,v
> diff -u -p -r1.14 spl.c
> --- spl.c 19 Aug 2025 11:30:20 -0000 1.14
> +++ spl.c 24 Aug 2025 07:21:32 -0000
> @@ -116,8 +116,7 @@ spl_parse_econtent(const char *fn, struc
>
> oder = d;
> if ((spl_asn1 = d2i_SignedPrefixList(NULL, &d, dsz)) == NULL) {
> - warnx("%s: RFC 6482 section 3: failed to parse "
> - "SignedPrefixList", fn);
> + warnx("%s: failed to parse SignedPrefixList", fn);
> goto out;
> }
> if (d != oder + dsz) {
> Index: validate.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
> diff -u -p -r1.80 validate.c
> --- validate.c 1 Aug 2025 14:57:15 -0000 1.80
> +++ validate.c 24 Aug 2025 07:21:48 -0000
> @@ -140,7 +140,7 @@ valid_roa(const char *fn, struct cert *c
>
> ip_addr_print(&roa->ips[i].addr, roa->ips[i].afi, buf,
> sizeof(buf));
> - warnx("%s: RFC 6482: uncovered IP: %s", fn, buf);
> + warnx("%s: RFC 6582: uncovered IP: %s", fn, buf);

Typo here. This should be RFC 9582 not 6582 (The NewReno Modification to TCP's Fast Recovery Algorithm).

> return 0;
> }
>

Apart from that OK claudio@

--
:wq Claudio