In filemode check whether ROA & RSC resources are properly contained
authorjob <job@openbsd.org>
Wed, 11 May 2022 14:42:01 +0000 (14:42 +0000)
committerjob <job@openbsd.org>
Wed, 11 May 2022 14:42:01 +0000 (14:42 +0000)
with and OK tb@ claudio@

usr.sbin/rpki-client/extern.h
usr.sbin/rpki-client/filemode.c
usr.sbin/rpki-client/validate.c

index 843927b..3e1c3e4 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: extern.h,v 1.135 2022/05/10 07:41:37 tb Exp $ */
+/*     $OpenBSD: extern.h,v 1.136 2022/05/11 14:42:01 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -507,6 +507,7 @@ int          valid_uri(const char *, size_t, const char *);
 int             valid_origin(const char *, const char *);
 int             valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *,
                    struct crl *, int);
+int             valid_rsc(const char *, struct auth *, struct rsc *);
 
 /* Working with CMS. */
 unsigned char  *cms_parse_validate(X509 **, const char *,
index 5ab2906..f43a2fa 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: filemode.c,v 1.6 2022/05/09 17:02:34 job Exp $ */
+/*     $OpenBSD: filemode.c,v 1.7 2022/05/11 14:42:01 job Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -380,6 +380,7 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
                struct auth *a;
                struct crl *c;
                char *crl_uri;
+               int status;
 
                x509_get_crl(x509, file, &crl_uri);
                parse_load_crl(crl_uri);
@@ -389,7 +390,13 @@ proc_parser_file(char *file, unsigned char *buf, size_t len)
                a = auth_find(&auths, aki);
                c = crl_get(&crlt, a);
 
-               if (valid_x509(file, ctx, x509, a, c, 0))
+               if ((status = valid_x509(file, ctx, x509, a, c, 0))) {
+                       if (type == RTYPE_ROA)
+                               status = valid_roa(file, a, roa);
+                       else if (type == RTYPE_RSC)
+                               status = valid_rsc(file, a, rsc);
+               }
+               if (status)
                        printf("OK");
                else
                        printf("Failed");
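Review bot: The new dispatch on `type` after the successful `valid_x509()` call has no comment explaining why the X.509 result alone is not the verdict for ROA and RSC objects; a one-liner such as `/* chain is valid; ROA/RSC payload resources must also be covered by the issuer */` above the `if (type == RTYPE_ROA)` line would make the two-stage check obvious. Both `valid_roa()` and `valid_rsc()` receive `a` straight from `auth_find()`, which may return NULL; presumably `valid_x509()` returns 0 in that case so the inner calls are never reached with a NULL auth, but that guarantee is not visible in this hunk and is worth stating in the same comment. The `roa` and `rsc` objects passed in are declared outside the hunk, as is the rest of `proc_parser_file()`, which starts and ends outside it.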
index ca03126..187190d 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: validate.c,v 1.32 2022/05/10 07:41:37 tb Exp $ */
+/*     $OpenBSD: validate.c,v 1.33 2022/05/11 14:42:01 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -502,3 +502,78 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
        sk_X509_CRL_free(crls);
        return 1;
 }
+
+/*
+ * Validate our RSC: check that all items in the ResourceBlock are contained.
+ * Returns 1 if valid, 0 otherwise.
+ */
+int
+valid_rsc(const char *fn, struct auth *a, struct rsc *rsc)
+{
+       size_t          i;
+       uint32_t        min, max;
+       char            buf1[64], buf2[64];
+
+       for (i = 0; i < rsc->asz; i++) {
+               if (rsc->as[i].type == CERT_AS_INHERIT) {
+                       warnx("%s: RSC ResourceBlock: illegal inherit", fn);
+                       return 0;
+               }
+
+               min = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.min
+                   : rsc->as[i].id;
+               max = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.max
+                   : rsc->as[i].id;
+               
+               if (valid_as(a, min, max))
+                       continue;
+
+               switch (rsc->as[i].type) {
+               case CERT_AS_ID:
+                       warnx("%s: RSC resourceBlock: uncovered AS Identifier: "
+                           "%u", fn, rsc->as[i].id);
+                       break;
+               case CERT_AS_RANGE:
+                               continue;
+                       warnx("%s: RSC resourceBlock: uncovered AS Range: "
+                           "%u--%u", fn, min, max);
+                       break;
+               default:
+                       break;
+               }
+               return 0;
+       }
+
+       for (i = 0; i < rsc->ipsz; i++) {
+               if (rsc->ips[i].type == CERT_IP_INHERIT) {
+                       warnx("%s: RSC ResourceBlock: illegal inherit", fn);
+                       return 0;
+               }
+
+               if (valid_ip(a, rsc->ips[i].afi, rsc->ips[i].min,
+                   rsc->ips[i].max))
+                       continue;
+
+               switch (rsc->ips[i].type) {
+               case CERT_IP_RANGE:
+                       ip_addr_print(&rsc->ips[i].range.min,
+                          rsc->ips[i].afi, buf1, sizeof(buf1));
+                       ip_addr_print(&rsc->ips[i].range.max,
+                          rsc->ips[i].afi, buf2, sizeof(buf2));
+                       warnx("%s: RSC ResourceBlock: uncovered IP Range: "
+                          "%s--%s", fn, buf1, buf2);
+                       break;
+               case CERT_IP_ADDR:
+                       ip_addr_print(&rsc->ips[i].ip,
+                          rsc->ips[i].afi, buf1, sizeof(buf1));
+                       warnx("%s: RSC ResourceBlock: uncovered IP: "
+                          "%s", fn, buf1);
+                       break;
+               default:
+                       break;
+               }
+               return 0;
+       }
+
+       return 1;
+}
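Review bot: The stray `continue;` under `case CERT_AS_RANGE:` in the AS loop of `valid_rsc()` is reached only after `valid_as()` has already failed, and it jumps back to the loop head before both the `warnx()` and the trailing `return 0;`, so an RSC whose AS range is not covered by the issuer's resources is silently accepted as valid (the "uncovered AS Range" diagnostic is unreachable). The fix is to delete that one line so the case falls through to its `warnx()` and the function returns 0 like the CERT_AS_ID case does. The IP loop below does not have this problem. Separately, the blank line after the `max =` assignment carries trailing whitespace.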