-/* $OpenBSD: extern.h,v 1.112 2022/01/22 09:18:48 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.113 2022/01/23 05:59:35 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
const char *, const char *);
int valid_ta(const char *, struct auth_tree *,
const struct cert *);
-int valid_cert(const char *, struct auth_tree *,
- const struct cert *);
-int valid_roa(const char *, struct auth_tree *, struct roa *);
+int valid_cert(const char *, struct auth *, const struct cert *);
+int valid_roa(const char *, struct auth *, struct roa *);
int valid_filehash(int, const char *, size_t);
int valid_uri(const char *, size_t, const char *);
int valid_origin(const char *, const char *);
-/* $OpenBSD: parser.c,v 1.50 2022/01/22 09:18:48 tb Exp $ */
+/* $OpenBSD: parser.c,v 1.51 2022/01/23 05:59:35 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
}
X509_free(x509);
+ roa->talid = a->cert->talid;
+
+ /*
+ * If the ROA isn't valid, we accept it anyway and depend upon
+ * the code around roa_read() to check the "valid" field itself.
+ */
+
+ if (valid_roa(file, a, roa))
+ roa->valid = 1;
+
/*
* Check CRL to figure out the soonest transitive expiry moment
*/
roa->expires = a->cert->expires;
}
- /*
- * If the ROA isn't valid, we accept it anyway and depend upon
- * the code around roa_read() to check the "valid" field itself.
- */
-
- if (valid_roa(file, &auths, roa))
- roa->valid = 1;
-
return roa;
}
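Review bot: The blank line between the moved comment block and the `if (valid_roa(file, a, roa))` it describes detaches the comment from the statement it explains; dropping that blank line (and the one right after `roa->talid = a->cert->talid;`) keeps the comment attached and the block tighter. With this move the caller now owns the guarantee that `a` is non-NULL: the new lines dereference `a->cert->talid` before valid_roa() runs, whereas the removed valid_ski_aki() lookup inside valid_roa() used to return 0 when no auth was found. The context line `roa->expires = a->cert->expires;` already dereferenced `a` in this block, so this is not a new assumption, but the head of the enclosing function, where that guarantee is presumably established, starts outside the hunk and cannot be confirmed here.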
cert->talid = a->cert->talid;
- /* Validate the cert to get the parent */
- if (!valid_cert(file, &auths, cert)) {
+ /* Validate the cert */
+ if (!valid_cert(file, a, cert)) {
cert_free(cert);
return NULL;
}
-/* $OpenBSD: validate.c,v 1.26 2022/01/22 09:18:48 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.27 2022/01/23 05:59:35 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
* Returns 1 if valid, 0 otherwise.
*/
int
-valid_cert(const char *fn, struct auth_tree *auths, const struct cert *cert)
+valid_cert(const char *fn, struct auth *a, const struct cert *cert)
{
- struct auth *a;
size_t i;
uint32_t min, max;
char buf1[64], buf2[64];
- a = valid_ski_aki(fn, auths, cert->ski, cert->aki);
- if (a == NULL)
- return 0;
-
for (i = 0; i < cert->asz; i++) {
if (cert->as[i].type == CERT_AS_INHERIT) {
if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER)
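Review bot: The header comment above `valid_cert()`, which still reads only `Returns 1 if valid, 0 otherwise.`, should now state the precondition the removed lines used to enforce: `a` must be a non-NULL auth already resolved by the caller via valid_ski_aki(), since the `if (a == NULL) return 0;` guard is gone and the function no longer performs the lookup itself. A line such as ` * "a" must be the non-NULL auth the caller resolved for cert->ski/cert->aki.` above the Returns line would record where that check now lives. The same applies to the header comment of valid_roa() in the next hunk, where the NULL guard and the `roa->talid` assignment were likewise removed in favour of the caller. The body of valid_cert continues past the end of this hunk.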
* Returns 1 if valid, 0 otherwise.
*/
int
-valid_roa(const char *fn, struct auth_tree *auths, struct roa *roa)
+valid_roa(const char *fn, struct auth *a, struct roa *roa)
{
- struct auth *a;
size_t i;
char buf[64];
- a = valid_ski_aki(fn, auths, roa->ski, roa->aki);
- if (a == NULL)
- return 0;
-
- roa->talid = a->cert->talid;
for (i = 0; i < roa->ipsz; i++) {
if (valid_ip(a, roa->ips[i].afi, roa->ips[i].min,