-/* $OpenBSD: cert.c,v 1.133 2024/06/03 12:58:39 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.134 2024/06/04 04:17:18 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
oid = ad->method;
if (OBJ_cmp(oid, carepo_oid) == 0) {
- if (!x509_location(fn, "SIA: caRepository", NULL,
+ if (!x509_location(fn, "SIA: caRepository",
ad->location, &carepo))
goto out;
if (cert->repo == NULL && strncasecmp(carepo,
free(carepo);
carepo = NULL;
} else if (OBJ_cmp(oid, manifest_oid) == 0) {
- if (!x509_location(fn, "SIA: rpkiManifest", NULL,
+ if (!x509_location(fn, "SIA: rpkiManifest",
ad->location, &rpkimft))
goto out;
if (cert->mft == NULL && strncasecmp(rpkimft,
rpkimft = NULL;
} else if (OBJ_cmp(oid, notify_oid) == 0) {
if (!x509_location(fn, "SIA: rpkiNotify",
- HTTPS_PROTO, ad->location, &cert->notify))
+ ad->location, &cert->notify))
goto out;
+ if (strncasecmp(cert->notify, HTTPS_PROTO,
+ HTTPS_PROTO_LEN) != 0) {
+ warnx("%s: non-https uri in rpkiNotify: %s",
+ fn, cert->notify);
+ goto out;
+ }
}
}
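Review bot: The rejected URI is left in `cert->notify` when the new check jumps to `out` (L27-L32), which is only fine if the `out` path frees the whole cert rather than returning it; the enclosing function and its cleanup label are outside this hunk, so confirm that. The prefix test itself is consistent with the rsync checks on the caRepository and rpkiManifest branches (case-insensitive, bounded by the protocol length), but it carries no why-comment; I would add `/* RRDP notification URIs must be https (RFC 8182); reject rather than ignore. */` above the `strncasecmp`. Note the asymmetry this introduces: a non-rsync caRepository or rpkiManifest location is skipped and the loop keeps looking, whereas a single non-https rpkiNotify fails the whole certificate; if that is deliberate, the comment should say so, and if an SIA can legitimately carry more than one rpkiNotify entry it is worth checking that an earlier `cert->notify` is not leaked or silently overwritten by a later one.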
-/* $OpenBSD: extern.h,v 1.220 2024/05/31 02:45:15 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.221 2024/06/04 04:17:18 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
enum cert_purpose x509_get_purpose(X509 *, const char *);
int x509_get_time(const ASN1_TIME *, time_t *);
char *x509_convert_seqnum(const char *, const ASN1_INTEGER *);
-int x509_location(const char *, const char *, const char *,
- GENERAL_NAME *, char **);
+int x509_location(const char *, const char *, GENERAL_NAME *,
+ char **);
int x509_inherits(X509 *);
int x509_any_inherits(X509 *);
int x509_valid_name(const char *, const char *, const X509_NAME *);
-/* $OpenBSD: x509.c,v 1.91 2024/06/03 12:58:39 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.92 2024/06/04 04:17:18 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
goto out;
}
- if (!x509_location(fn, "AIA: caIssuers", NULL, ad->location, aia))
+ if (!x509_location(fn, "AIA: caIssuers", ad->location, aia))
goto out;
rc = 1;
goto out;
}
- /* Don't fail on non-rsync URI, so check this afterward. */
- if (!x509_location(fn, "SIA: signedObject", NULL, ad->location,
- sia))
+ if (!x509_location(fn, "SIA: signedObject", ad->location, sia))
goto out;
if (rsync_found)
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
name = sk_GENERAL_NAME_value(names, i);
- /* Don't fail on non-rsync URI, so check this afterward. */
- if (!x509_location(fn, "CRL distribution point", NULL, name,
- crl))
+ if (!x509_location(fn, "CRL distribution point", name, crl))
goto out;
if (strncasecmp(*crl, RSYNC_PROTO, RSYNC_PROTO_LEN) == 0) {
* Returns 0 on failure and 1 on success.
*/
int
-x509_location(const char *fn, const char *descr, const char *proto,
- GENERAL_NAME *location, char **out)
+x509_location(const char *fn, const char *descr, GENERAL_NAME *location,
+ char **out)
{
ASN1_IA5STRING *uri;
uri = location->d.uniformResourceIdentifier;
- if (!valid_uri(uri->data, uri->length, proto)) {
+ if (!valid_uri(uri->data, uri->length, NULL)) {
warnx("%s: RFC 6487 section 4.8: %s bad location", fn, descr);
return 0;
}
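Review bot: `x509_location` now never validates the URI scheme (`valid_uri(uri->data, uri->length, NULL)` at L88), but the function comment ending at L77 only states the return convention, so a new caller has no hint that the rsync:// or https:// check is now its own job; add a sentence such as `Only checks that the location is a well-formed uniformResourceIdentifier; the scheme is not validated, so callers that require rsync:// or https:// must check the prefix of *out themselves.` Every call site visible in this diff passes NULL, which makes `valid_uri`'s `proto` parameter look dead; if no remaining caller passes a non-NULL scheme, consider dropping the parameter so nobody later relies on a check that is no longer performed. `valid_uri`'s definition is not in the hunk, so verify before removing it. The body of `x509_location` continues past the end of the hunk.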