-/* $OpenBSD: as.c,v 1.15 2023/10/18 07:10:24 tb Exp $ */
+/* $OpenBSD: as.c,v 1.16 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
}
void
-as_warn(const char *fn, const struct cert_as *cert, const char *msg)
+as_warn(const char *fn, const char *msg, const struct cert_as *as)
{
- switch (cert->type) {
+ switch (as->type) {
case CERT_AS_ID:
- warnx("%s: AS %u: %s", fn, cert->id, msg);
+ warnx("%s: %s: AS %u", fn, msg, as->id);
break;
case CERT_AS_RANGE:
- warnx("%s: AS range %u--%u: %s", fn, cert->range.min,
- cert->range.max, msg);
+ warnx("%s: %s: AS range %u--%u", fn, msg, as->range.min,
+ as->range.max);
break;
case CERT_AS_INHERIT:
- warnx("%s: AS (inherit): %s", fn, msg);
+ warnx("%s: %s: AS (inherit)", fn, msg);
break;
default:
warnx("%s: corrupt cert", fn);
-/* $OpenBSD: constraints.c,v 1.1 2023/10/13 12:06:49 job Exp $ */
+/* $OpenBSD: constraints.c,v 1.2 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2023 Job Snijders <job@openbsd.org>
* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
deny_as, deny_asz))
continue;
- as_warn(fn, &cert->as[i], "violates trust anchor constraints");
+ as_warn(fn, "trust anchor constraints violation", &cert->as[i]);
return 0;
}
allow_ipsz, deny_ips, deny_ipsz))
continue;
- ip_warn(fn, &cert->ips[i], "violates trust anchor constraints");
+ ip_warn(fn, "trust anchor constraints violation",
+ &cert->ips[i]);
return 0;
}
-/* $OpenBSD: extern.h,v 1.196 2023/12/11 19:05:20 job Exp $ */
+/* $OpenBSD: extern.h,v 1.197 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
enum afi, const char *, struct ip_addr *);
void ip_addr_print(const struct ip_addr *, enum afi, char *,
size_t);
-void ip_addr_range_print(const struct ip_addr_range *, enum afi,
- char *, size_t);
int ip_addr_cmp(const struct ip_addr *, const struct ip_addr *);
int ip_addr_check_overlap(const struct cert_ip *,
const char *, const struct cert_ip *, size_t, int);
const unsigned char *, const struct cert_ip *, size_t);
int ip_cert_compose_ranges(struct cert_ip *);
void ip_roa_compose_ranges(struct roa_ip *);
-void ip_warn(const char *, const struct cert_ip *, const char *);
+void ip_warn(const char *, const char *, const struct cert_ip *);
int sbgp_addr(const char *, struct cert_ip *, size_t *,
enum afi, const ASN1_BIT_STRING *);
const struct cert_as *, size_t, int);
int as_check_covered(uint32_t, uint32_t,
const struct cert_as *, size_t);
-void as_warn(const char *, const struct cert_as *, const char *);
+void as_warn(const char *, const char *, const struct cert_as *);
int sbgp_as_id(const char *, struct cert_as *, size_t *,
const ASN1_INTEGER *);
-/* $OpenBSD: ip.c,v 1.31 2023/10/18 07:10:24 tb Exp $ */
+/* $OpenBSD: ip.c,v 1.32 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
if (!quiet) {
warnx("%s: RFC 3779 section 2.2.3.5: "
"cannot have overlapping IP addresses", fn);
- ip_warn(fn, ip, "certificate IP");
- ip_warn(fn, &ips[i], "offending IP");
+ ip_warn(fn, "certificate IP", ip);
+ ip_warn(fn, "offending IP", &ips[i]);
}
return 0;
}
* Convert a ip_addr into a NUL-terminated range notation string.
* The size of the buffer must be at least 95 (inclusive).
*/
-void
+static void
ip_addr_range_print(const struct ip_addr_range *range,
enum afi afi, char *buf, size_t bufsz)
{
+ struct cert_ip ip;
char min[INET6_ADDRSTRLEN], max[INET6_ADDRSTRLEN];
int ret, af;
errx(1, "unsupported address family identifier");
}
- if (inet_ntop(af, &range->min, min, sizeof(min)) == NULL)
+ memset(&ip, 0, sizeof(ip));
+
+ ip.afi = afi;
+ ip.type = CERT_IP_RANGE;
+ ip.range = *range;
+ if (!ip_cert_compose_ranges(&ip))
+ errx(1, "failed to compose ranges");
+
+ if (inet_ntop(af, ip.min, min, sizeof(min)) == NULL)
err(1, "inet_ntop");
- if (inet_ntop(af, &range->max, max, sizeof(max)) == NULL)
+ if (inet_ntop(af, ip.max, max, sizeof(max)) == NULL)
err(1, "inet_ntop");
ret = snprintf(buf, bufsz, "%s--%s", min, max);
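Review bot: The new `if (!ip_cert_compose_ranges(&ip)) errx(1, "failed to compose ranges");` makes a warning helper fatal: ip_addr_range_print exists only to format a range for a diagnostic, and from the tail of ip_cert_compose_ranges visible further down (`return memcmp(p->min, p->max, sz) <= 0;`) the compose step appears to fail precisely when min > max, i.e. on the kind of malformed range a warning path may be asked to describe. If every caller only reaches this with a range that already passed ip_cert_compose_ranges at parse time the branch is unreachable, but that invariant is not stated or enforced here, and a diagnostic that aborts the whole run is an easy denial-of-service footgun if the assumption ever breaks. Consider degrading instead, e.g. `if (!ip_cert_compose_ranges(&ip)) { snprintf(buf, bufsz, "(invalid range)"); return; }`, or at minimum a comment above the check recording that the range is expected to be pre-validated. The enclosing function starts and ends outside this hunk.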
return 1;
}
- sz = AFI_IPV4 == p->afi ? 4 : 16;
+ sz = p->afi == AFI_IPV4 ? 4 : 16;
return memcmp(p->min, p->max, sz) <= 0;
}
}
void
-ip_warn(const char *fn, const struct cert_ip *cert, const char *msg)
+ip_warn(const char *fn, const char *msg, const struct cert_ip *ip)
{
char buf[128];
- switch (cert->type) {
+ switch (ip->type) {
case CERT_IP_ADDR:
- ip_addr_print(&cert->ip, cert->afi, buf, sizeof(buf));
- warnx("%s: %s: %s", fn, buf, msg);
+ ip_addr_print(&ip->ip, ip->afi, buf, sizeof(buf));
+ warnx("%s: %s: %s", fn, msg, buf);
break;
case CERT_IP_RANGE:
- ip_addr_range_print(&cert->range, cert->afi, buf, sizeof(buf));
- warnx("%s: %s: %s", fn, buf, msg);
+ ip_addr_range_print(&ip->range, ip->afi, buf, sizeof(buf));
+ warnx("%s: %s: %s", fn, msg, buf);
break;
case CERT_IP_INHERIT:
- warnx("%s: (inherit): %s", fn, msg);
+ warnx("%s: %s: IP (inherit)", fn, msg);
break;
default:
warnx("%s: corrupt cert", fn);
-/* $OpenBSD: validate.c,v 1.68 2023/10/19 17:05:55 job Exp $ */
+/* $OpenBSD: validate.c,v 1.69 2023/12/27 07:15:55 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
{
size_t i;
uint32_t min, max;
- char buf[128];
for (i = 0; i < cert->asz; i++) {
if (cert->as[i].type == CERT_AS_INHERIT)
if (valid_as(a, min, max))
continue;
- switch (cert->as[i].type) {
- case CERT_AS_ID:
- warnx("%s: RFC 6487: uncovered AS: %u", fn, min);
- break;
- case CERT_AS_RANGE:
- warnx("%s: RFC 6487: uncovered AS: %u--%u", fn,
- min, max);
- break;
- case CERT_AS_INHERIT:
- warnx("%s: RFC 6487: uncovered AS: (inherit)", fn);
- break;
- }
-
+ as_warn(fn, "RFC 6487: uncovered resource", &cert->as[i]);
return 0;
}
cert->ips[i].max))
continue;
- switch (cert->ips[i].type) {
- case CERT_IP_ADDR:
- ip_addr_print(&cert->ips[i].ip,
- cert->ips[i].afi, buf, sizeof(buf));
- warnx("%s: RFC 6487: uncovered IP: %s", fn, buf);
- break;
- case CERT_IP_RANGE:
- ip_addr_range_print(&cert->ips[i].range,
- cert->ips[i].afi, buf, sizeof(buf));
- warnx("%s: RFC 6487: uncovered IP: %s", fn, buf);
- break;
- case CERT_IP_INHERIT:
- warnx("%s: RFC 6487: uncovered IP: (inherit)", fn);
- break;
- }
-
+ ip_warn(fn, "RFC 6487: uncovered resource", &cert->ips[i]);
return 0;
}
{
size_t i;
uint32_t min, max;
- char buf[128];
for (i = 0; i < rsc->asz; i++) {
if (rsc->as[i].type == CERT_AS_ID) {
if (as_check_covered(min, max, cert->as, cert->asz) > 0)
continue;
- switch (rsc->as[i].type) {
- case CERT_AS_ID:
- warnx("%s: RSC resourceBlock: uncovered AS: %u", fn,
- min);
- break;
- case CERT_AS_RANGE:
- warnx("%s: RSC resourceBlock: uncovered AS: %u--%u",
- fn, min, max);
- break;
- default:
- break;
- }
+ as_warn(fn, "RSC ResourceBlock uncovered", &rsc->as[i]);
return 0;
}
rsc->ips[i].max, cert->ips, cert->ipsz) > 0)
continue;
- switch (rsc->ips[i].type) {
- case CERT_IP_ADDR:
- ip_addr_print(&rsc->ips[i].ip, rsc->ips[i].afi, buf,
- sizeof(buf));
- warnx("%s: RSC ResourceBlock: uncovered IP: %s", fn,
- buf);
- break;
- case CERT_IP_RANGE:
- ip_addr_range_print(&rsc->ips[i].range, rsc->ips[i].afi,
- buf, sizeof(buf));
- warnx("%s: RSC ResourceBlock: uncovered IP: %s", fn,
- buf);
- break;
- default:
- break;
- }
+ ip_warn(fn, "RSC ResourceBlock uncovered", &rsc->ips[i]);
return 0;
}