From: claudio
Date: Thu, 9 Sep 2021 14:15:49 +0000 (+0000)
Subject: Rework how various OIDs are compared in the code.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d2e465bb280e6135e858181ab3cb4a0a53336e09;p=openbsd
Rework how various OIDs are compared in the code. Instead of converting the ASN1_OBJECT into a string and comparing the strings, convert the string into an ASN1_OBJECT once and then compare these objects with OBJ_cmp(). Makes the code a bit easier to read and removes some repetitive conversions. With input and OK tb@
---
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index a8908b31783..3ac117f437a 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.31 2021/07/13 18:39:39 job Exp $ */
+/* $OpenBSD: cert.c,v 1.32 2021/09/09 14:15:49 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -46,6 +46,21 @@ struct parse {
 const char *fn; /* currently-parsed file */
 };
+static ASN1_OBJECT *carepo_oid; /* 1.3.6.1.5.5.7.48.5 (caRepository) */
+static ASN1_OBJECT *mft_oid; /* 1.3.6.1.5.5.7.48.10 (rpkiManifest) */
+static ASN1_OBJECT *notify_oid; /* 1.3.6.1.5.5.7.48.13 (rpkiNotify) */
+
+static void
+cert_init_oid(void)
+{
+ if ((carepo_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.5", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.5");
+ if ((mft_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.10", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.10");
+ if ((notify_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.13", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.13");
+}
+
 /*
 * Append an IP address structure to our list of results.
 * This will also constrain us to having at most one inheritence
@@ -207,9 +222,9 @@ sbgp_sia_resource_entry(struct parse *p,
 const unsigned char *d, size_t dsz)
 {
 ASN1_SEQUENCE_ANY *seq;
+ ASN1_OBJECT *oid;
 const ASN1_TYPE *t;
 int rc = 0, ptag;
- char buf[128];
 long plen;
 if ((seq = d2i_ASN1_SEQUENCE_ANY(NULL, &d, dsz)) == NULL) {
@@ -233,7 +248,7 @@ sbgp_sia_resource_entry(struct parse *p,
 p->fn, ASN1_tag2str(t->type), t->type);
 goto out;
 }
- OBJ_obj2txt(buf, sizeof(buf), t->value.object, 1);
+ oid = t->value.object;
 t = sk_ASN1_TYPE_value(seq, 1);
 if (t->type != V_ASN1_OTHER) {
@@ -250,18 +265,14 @@ sbgp_sia_resource_entry(struct parse *p,
 if (!ASN1_frame(p->fn, dsz, &d, &plen, &ptag))
 goto out;
- /*
- * Ignore all but manifest and RRDP notify URL.
- * Things we may see:
- * - 1.3.6.1.5.5.7.48.5 (caRepository)
- * - 1.3.6.1.5.5.7.48.10 (rpkiManifest)
- * - 1.3.6.1.5.5.7.48.13 (rpkiNotify)
- */
- if (strcmp(buf, "1.3.6.1.5.5.7.48.5") == 0)
+ if (carepo_oid == NULL)
+ cert_init_oid();
+
+ if (OBJ_cmp(oid, carepo_oid) == 0)
 rc = sbgp_sia_resource_carepo(p, d, plen);
- else if (strcmp(buf, "1.3.6.1.5.5.7.48.10") == 0)
+ else if (OBJ_cmp(oid, mft_oid) == 0)
 rc = sbgp_sia_resource_mft(p, d, plen);
- else if (strcmp(buf, "1.3.6.1.5.5.7.48.13") == 0)
+ else if (OBJ_cmp(oid, notify_oid) == 0)
 rc = sbgp_sia_resource_notify(p, d, plen);
 else
 rc = 1; /* silently ignore */
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 3f617bb8c4c..4a606039aca 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.9 2021/07/13 18:39:39 job Exp $ */
+/* $OpenBSD: cms.c,v 1.10 2021/09/09 14:15:49 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
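Review bot: The removed block comment was the only place that said other SIA accessMethods are deliberately skipped, and the new OBJ_cmp() chain keeps the `rc = 1; /* silently ignore */` fallback without that context; a one-line comment above `if (OBJ_cmp(oid, carepo_oid) == 0)`, such as `/* Only caRepository, rpkiManifest and rpkiNotify are handled; any other accessMethod is ignored. */`, would preserve it. Since `oid` is only read here and passed to OBJ_cmp(), which takes const pointers, the declaration added in the earlier hunk could be `const ASN1_OBJECT *oid;`. The pointer is borrowed from the ASN1_TYPE inside `seq`, so it presumably stays valid only until the sequence is freed at `out`, which is outside this hunk, as is the end of sbgp_sia_resource_entry.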
@@ -35,16 +35,15 @@
 * Return the eContent as a string and set "rsz" to be its length.
 */
 unsigned char *
-cms_parse_validate(X509 **xp, const char *fn,
- const char *oid, size_t *rsz)
+cms_parse_validate(X509 **xp, const char *fn, const ASN1_OBJECT *oid,
+ size_t *rsz)
 {
 const ASN1_OBJECT *obj;
 ASN1_OCTET_STRING **os = NULL;
 BIO *bio = NULL;
 CMS_ContentInfo *cms;
 FILE *f;
- char buf[128];
- int rc = 0, sz;
+ int rc = 0;
 STACK_OF(X509) *certs = NULL;
 unsigned char *res = NULL;
@@ -84,16 +83,18 @@ cms_parse_validate(X509 **xp, const char *fn,
 /* RFC 6488 section 2.1.3.1: check the object's eContentType. */
 obj = CMS_get0_eContentType(cms);
- if ((sz = OBJ_obj2txt(buf, sizeof(buf), obj, 1)) < 0)
- cryptoerrx("OBJ_obj2txt");
-
- if ((size_t)sz >= sizeof(buf)) {
- warnx("%s: RFC 6488 section 2.1.3.1: "
- "eContentType: OID too long", fn);
+ if (obj == NULL) {
+ warnx("%s: RFC 6488 section 2.1.3.1: eContentType: "
+ "OID object is NULL", fn);
 goto out;
- } else if (strcmp(buf, oid)) {
+ }
+ if (OBJ_cmp(obj, oid) != 0) {
+ char buf[128], obuf[128];
+
+ OBJ_obj2txt(buf, sizeof(buf), obj, 1);
+ OBJ_obj2txt(obuf, sizeof(obuf), oid, 1);
 warnx("%s: RFC 6488 section 2.1.3.1: eContentType: "
- "unknown OID: %s, want %s", fn, buf, oid);
+ "unknown OID: %s, want %s", fn, buf, obuf);
 goto out;
 }
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index b3e14515d9e..d0fd3d1a4d7 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.66 2021/09/01 08:09:41 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.67 2021/09/09 14:15:49 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
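Review bot: The two OBJ_obj2txt() calls in the mismatch branch discard their return value, so an eContentType longer than the 128-byte `buf` is now reported truncated instead of being rejected by the removed "OID too long" check; that is harmless for the decision itself, because OBJ_cmp() already compared the encoded OIDs, but the buffers deserve a comment saying so, e.g. `/* Diagnostic only: the comparison above used the encoded form. */`, so nobody later reintroduces a string comparison on `buf`. If the warning should stay exact, check both return values and print a placeholder when the text does not fit. The added NULL check on `obj` is welcome, though "OID object is NULL" reads as an internal detail where "missing eContentType" would tell the operator what the file lacks. cms_parse_validate continues beyond this hunk.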
@@ -410,9 +410,9 @@ int valid_uri(const char *, size_t, const char *);
 /* Working with CMS. */
 unsigned char *cms_parse_validate(X509 **, const char *,
- const char *, size_t *);
+ const ASN1_OBJECT *, size_t *);
 int cms_econtent_version(const char *, const unsigned char **,
- size_t, long *);
+ size_t, long *);
 /* Helper for ASN1 parsing */
 int ASN1_frame(const char *, size_t, const unsigned char **, long *, int *);
diff --git a/usr.sbin/rpki-client/gbr.c b/usr.sbin/rpki-client/gbr.c
index 43f2915224d..5e5fcd4c96d 100644
--- a/usr.sbin/rpki-client/gbr.c
+++ b/usr.sbin/rpki-client/gbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gbr.c,v 1.9 2021/03/29 06:50:44 tb Exp $ */
+/* $OpenBSD: gbr.c,v 1.10 2021/09/09 14:15:49 claudio Exp $ */
 /*
 * Copyright (c) 2020 Claudio Jeker
 *
@@ -36,6 +36,8 @@ struct parse {
 struct gbr *res; /* results */
 };
+static ASN1_OBJECT *gbr_oid;
+
 /*
 * Parse a full RFC 6493 file and signed by the certificate "cacert"
 * (the latter is optional and may be passed as NULL to disable).
@@ -52,9 +54,14 @@ gbr_parse(X509 **x509, const char *fn)
 p.fn = fn;
 /* OID from section 9.1, RFC 6493. */
+ if (gbr_oid == NULL) {
+ gbr_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.35", 1);
+ if (gbr_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.35");
+ }
- cms = cms_parse_validate(x509, fn,
- "1.2.840.113549.1.9.16.1.35", &cmsz);
+ cms = cms_parse_validate(x509, fn, gbr_oid, &cmsz);
 if (cms == NULL)
 return NULL;
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 782db412863..f80d2321eb2 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.37 2021/09/08 16:37:20 claudio Exp $ */
+/* $OpenBSD: mft.c,v 1.38 2021/09/09 14:15:49 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -40,6 +40,8 @@ struct parse {
 struct mft *res; /* result object */
 };
+static ASN1_OBJECT *mft_oid;
+
 static const char *
 gentime2str(const ASN1_GENERALIZEDTIME *time)
 {
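Review bot: The lazy-initialisation block added before cms_parse_validate() in gbr_parse is repeated verbatim for `mft_oid` in mft.c and `roa_oid` in roa.c, each copy spelling the OID literal twice (once for OBJ_txt2obj() and once for the errx() message), while cert.c got a `cert_init_oid()` helper for the same job. A small shared helper next to cms_parse_validate(), say `ASN1_OBJECT *oid_from_txt(const char *);` that does the conversion and the errx(), would reduce each caller to `if (gbr_oid == NULL) gbr_oid = oid_from_txt("1.2.840.113549.1.9.16.1.35");` and keep the literal in one place. The objects are never freed, which looks intentional for process-lifetime constants; a comment on the static saying so would stop someone adding an ASN1_OBJECT_free() later, since whether OBJ_txt2obj() hands back a table-owned or a heap object is a library detail this code does not control. gbr_parse continues past the end of the hunk.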
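Review bot: `static ASN1_OBJECT *mft_oid;` here holds the manifest eContentType OID (1.2.840.113549.1.9.16.1.26, assigned in the next hunk of this file), while cert.c in this same commit also names its rpkiManifest SIA accessMethod OID (1.3.6.1.5.5.7.48.10) `mft_oid`; both are file-static so they do not clash at link time, but one name for two different OIDs in one program invites confusion when reading or grepping. Either give this one a distinct name such as `mft_ct_oid`, or at least annotate it the way the cert.c declarations are: `static ASN1_OBJECT *mft_oid; /* 1.2.840.113549.1.9.16.1.26 (manifest eContentType) */`. The same bare declaration style is used for `gbr_oid` and `roa_oid`.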
@@ -417,8 +419,14 @@ mft_parse(X509 **x509, const char *fn)
 memset(&p, 0, sizeof(struct parse));
 p.fn = fn;
- cms = cms_parse_validate(x509, fn, "1.2.840.113549.1.9.16.1.26",
- &cmsz);
+ if (mft_oid == NULL) {
+ mft_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.26", 1);
+ if (mft_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.26");
+ }
+
+ cms = cms_parse_validate(x509, fn, mft_oid, &cmsz);
 if (cms == NULL)
 return NULL;
 assert(*x509 != NULL);
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index 3d433ecb161..4fdd7b2722c 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.24 2021/09/08 16:37:20 claudio Exp $ */
+/* $OpenBSD: roa.c,v 1.25 2021/09/09 14:15:49 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -36,6 +36,8 @@ struct parse {
 struct roa *res; /* results */
 };
+static ASN1_OBJECT *roa_oid;
+
 /*
 * Parse IP address (ROAIPAddress), RFC 6482, section 3.3.
 * Returns zero on failure, non-zero on success.
@@ -339,9 +341,14 @@ roa_parse(X509 **x509, const char *fn)
 p.fn = fn;
 /* OID from section 2, RFC 6482. */
+ if (roa_oid == NULL) {
+ roa_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.24", 1);
+ if (roa_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.24");
+ }
- cms = cms_parse_validate(x509, fn,
- "1.2.840.113549.1.9.16.1.24", &cmsz);
+ cms = cms_parse_validate(x509, fn, roa_oid, &cmsz);
 if (cms == NULL)
 return NULL;