From 24069af1d090231bd09ccc5376fe36cde649907a Mon Sep 17 00:00:00 2001
From: claudio
Date: Sun, 23 Jan 2022 05:59:35 +0000
Subject: [PATCH] Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
---
 usr.sbin/rpki-client/extern.h | 7 +++----
 usr.sbin/rpki-client/parser.c | 24 +++++++++++++-----------
 usr.sbin/rpki-client/validate.c | 17 +++-------------
 3 files changed, 19 insertions(+), 29 deletions(-)

diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 8fb008fa7fe..44585adc15c 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.112 2022/01/22 09:18:48 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.113 2022/01/23 05:59:35 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -446,9 +446,8 @@ struct auth *valid_ski_aki(const char *, struct auth_tree *,
 const char *, const char *);
 int valid_ta(const char *, struct auth_tree *, const struct cert *);
-int valid_cert(const char *, struct auth_tree *,
- const struct cert *);
-int valid_roa(const char *, struct auth_tree *, struct roa *);
+int valid_cert(const char *, struct auth *, const struct cert *);
+int valid_roa(const char *, struct auth *, struct roa *);
 int valid_filehash(int, const char *, size_t);
 int valid_uri(const char *, size_t, const char *);
 int valid_origin(const char *, const char *);
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 64ccfd6c2a0..7b4724a21ea 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.50 2022/01/22 09:18:48 tb Exp $ */
+/* $OpenBSD: parser.c,v 1.51 2022/01/23 05:59:35 claudio Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -268,6 +268,16 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len)
 }
 X509_free(x509);

+ roa->talid = a->cert->talid;
+
+ /*
+ * If the ROA isn't valid, we accept it anyway and depend upon
+ * the code around roa_read() to check the "valid" field itself.
+ */
+
+ if (valid_roa(file, a, roa))
+ roa->valid = 1;
+
 /*
 * Check CRL to figure out the soonest transitive expiry moment
 */
@@ -283,14 +293,6 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len)
 roa->expires = a->cert->expires;
 }

- /*
- * If the ROA isn't valid, we accept it anyway and depend upon
- * the code around roa_read() to check the "valid" field itself.
- */
-
- if (valid_roa(file, &auths, roa))
- roa->valid = 1;
-
 return roa;
 }

@@ -401,8 +403,8 @@ proc_parser_cert_validate(char *file, struct cert *cert)

 cert->talid = a->cert->talid;

- /* Validate the cert to get the parent */
- if (!valid_cert(file, &auths, cert)) {
+ /* Validate the cert */
+ if (!valid_cert(file, a, cert)) {
 cert_free(cert);
 return NULL;
 }
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index f3b6646672e..9959211a0e0 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.26 2022/01/22 09:18:48 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.27 2022/01/23 05:59:35 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -143,17 +143,12 @@ valid_ta(const char *fn, struct auth_tree *auths, const struct cert *cert)
  * Returns 1 if valid, 0 otherwise.
  */
 int
-valid_cert(const char *fn, struct auth_tree *auths, const struct cert *cert)
+valid_cert(const char *fn, struct auth *a, const struct cert *cert)
 {
- struct auth *a;
 size_t i;
 uint32_t min, max;
 char buf1[64], buf2[64];

- a = valid_ski_aki(fn, auths, cert->ski, cert->aki);
- if (a == NULL)
- return 0;
-
 for (i = 0; i < cert->asz; i++) {
 if (cert->as[i].type == CERT_AS_INHERIT) {
 if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER)
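Review bot: The new lines `roa->talid = a->cert->talid;` and `valid_roa(file, a, roa)` dereference and hand out `a` with no NULL check, whereas the lookup this commit deletes from valid_roa() returned 0 on a NULL auth, so the guard has silently moved to the caller. The assignment of `a` lies above this hunk (proc_parser_roa() starts outside it), so nothing visible here shows that `a` is non-NULL at this point; presumably the X509 chain verification that precedes `X509_free(x509)` cannot succeed without a resolved issuer, but that precondition is now implicit. A one-line note at the new assignment would record it, e.g. `/* a is the issuing cert's auth, resolved and verified above; must not be NULL here */`. If that guarantee does not hold on every path that reaches `X509_free(x509)`, a NULL check before the assignment is needed.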
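Review bot: The function comment above the new `valid_cert(const char *fn, struct auth *a, const struct cert *cert)` still says only `Returns 1 if valid, 0 otherwise.` and does not describe the new `a` parameter, whose NULL guard (`if (a == NULL) return 0;`) this hunk deletes; the rest of the body that uses `a` continues below the hunk, starting with the `for (i = 0; i < cert->asz; i++)` loop. Since callers now own that precondition, state it where the function is documented, e.g. ` * 'a' is the auth entry of the issuing certificate, as returned by valid_ski_aki(), and must not be NULL.` That keeps the contract visible to the next caller that passes something other than a freshly looked-up auth.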
@@ -207,17 +202,11 @@ valid_cert(const char *fn, struct auth_tree *auths, const struct cert *cert)
  * Returns 1 if valid, 0 otherwise.
  */
 int
-valid_roa(const char *fn, struct auth_tree *auths, struct roa *roa)
+valid_roa(const char *fn, struct auth *a, struct roa *roa)
 {
- struct auth *a;
 size_t i;
 char buf[64];

- a = valid_ski_aki(fn, auths, roa->ski, roa->aki);
- if (a == NULL)
- return 0;
-
- roa->talid = a->cert->talid;

 for (i = 0; i < roa->ipsz; i++) {
 if (valid_ip(a, roa->ips[i].afi, roa->ips[i].min,
--
2.20.1
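Review bot: The hunk's line counts (17 old, 11 new) suggest the new valid_roa() body keeps two consecutive blank lines between `char buf[64];` and the `for` loop, because both the blank after the declarations and the blank after the removed `roa->talid = a->cert->talid;` survive as context; one of them should be dropped to match the rest of the file. As with valid_cert(), deleting `if (a == NULL) return 0;` means `valid_ip(a, ...)` now relies on the caller for a non-NULL auth, and the `Returns 1 if valid, 0 otherwise.` comment does not mention it; adding ` * 'a' must be the non-NULL auth of the issuing cert from valid_ski_aki().` there would close that gap. The function's body continues below the hunk.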