From: Theo Buehler <tb@theobuehler.org>
Subject: rpki-client: convert most of ip.c to opaque ASN1_STRING
To: tech@openbsd.org
Date: Wed, 3 Dec 2025 11:39:13 +0100

This removes all but two direct accesss into ASN1_STRING in ip.c.
To handle the abs->flags reads, we will need new libcrypto API and a
compat shim for portable.

This is in the works: https://github.com/openssl/openssl/issues/29184

Index: ip.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/ip.c,v
diff -u -p -r1.35 ip.c
--- ip.c	3 Dec 2025 10:26:52 -0000	1.35
+++ ip.c	3 Dec 2025 10:29:36 -0000
@@ -170,17 +170,19 @@ ip_addr_check_overlap(const struct cert_
  * Return zero on failure, non-zero on success.
  */
 int
-ip_addr_parse(const ASN1_BIT_STRING *p,
+ip_addr_parse(const ASN1_BIT_STRING *abs,
     enum afi afi, const char *fn, struct ip_addr *addr)
 {
-	long	 unused = 0;
+	const unsigned char *data;
+	int length, unused = 0;
 
-	/* Weird OpenSSL-ism to get unused bit count. */
+	data = ASN1_STRING_get0_data(abs);
+	length = ASN1_STRING_length(abs);
 
-	if ((p->flags & ASN1_STRING_FLAG_BITS_LEFT))
-		unused = p->flags & 0x07;
+	if ((abs->flags & ASN1_STRING_FLAG_BITS_LEFT))
+		unused = abs->flags & 0x07;
 
-	if (p->length == 0 && unused != 0) {
+	if (length == 0 && unused != 0) {
 		warnx("%s: RFC 3779 section 2.2.3.8: "
 		    "unused bit count must be zero if length is zero", fn);
 		return 0;
@@ -192,8 +194,7 @@ ip_addr_parse(const ASN1_BIT_STRING *p,
 	 * of the [minimum] address ranges.
 	 */
 
-	if (p->length != 0 &&
-	    (p->data[p->length - 1] & ((1 << unused) - 1))) {
+	if (length != 0 && (data[length - 1] & ((1 << unused) - 1))) {
 		warnx("%s: RFC 3779 section 2.2.3.8: "
 		    "unused bits must be set to zero", fn);
 		return 0;
@@ -201,16 +202,16 @@ ip_addr_parse(const ASN1_BIT_STRING *p,
 
 	/* Limit possible sizes of addresses. */
 
-	if ((afi == AFI_IPV4 && p->length > 4) ||
-	    (afi == AFI_IPV6 && p->length > 16)) {
+	if ((afi == AFI_IPV4 && length > 4) ||
+	    (afi == AFI_IPV6 && length > 16)) {
 		warnx("%s: RFC 3779 section 2.2.3.8: "
 		    "IP address too long", fn);
 		return 0;
 	}
 
 	memset(addr, 0, sizeof(struct ip_addr));
-	addr->prefixlen = p->length * 8 - unused;
-	memcpy(addr->addr, p->data, p->length);
+	addr->prefixlen = length * 8 - unused;
+	memcpy(addr->addr, data, length);
 	return 1;
 }