From 4032f119c8feecd08b37d707cab08371c68de82b Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 27 Dec 2023 07:15:55 +0000
Subject: [PATCH] Rework the warnings on internet resources

Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.

ok claudio job
---
 usr.sbin/rpki-client/as.c | 14 +++---
 usr.sbin/rpki-client/constraints.c | 7 ++--
 usr.sbin/rpki-client/extern.h | 8 ++--
 usr.sbin/rpki-client/ip.c | 37 ++++++++++-------
 usr.sbin/rpki-client/validate.c | 65 +++---------------------------
 5 files changed, 42 insertions(+), 89 deletions(-)

diff --git a/usr.sbin/rpki-client/as.c b/usr.sbin/rpki-client/as.c
index 6f64a73b8d4..4812d9314f0 100644
--- a/usr.sbin/rpki-client/as.c
+++ b/usr.sbin/rpki-client/as.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: as.c,v 1.15 2023/10/18 07:10:24 tb Exp $ */
+/* $OpenBSD: as.c,v 1.16 2023/12/27 07:15:55 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -137,18 +137,18 @@ as_check_covered(uint32_t min, uint32_t max,
 }
 
 void
-as_warn(const char *fn, const struct cert_as *cert, const char *msg)
+as_warn(const char *fn, const char *msg, const struct cert_as *as)
 {
-	switch (cert->type) {
+	switch (as->type) {
 	case CERT_AS_ID:
-		warnx("%s: AS %u: %s", fn, cert->id, msg);
+		warnx("%s: %s: AS %u", fn, msg, as->id);
 		break;
 	case CERT_AS_RANGE:
-		warnx("%s: AS range %u--%u: %s", fn, cert->range.min,
-		    cert->range.max, msg);
+		warnx("%s: %s: AS range %u--%u", fn, msg, as->range.min,
+		    as->range.max);
 		break;
 	case CERT_AS_INHERIT:
-		warnx("%s: AS (inherit): %s", fn, msg);
+		warnx("%s: %s: AS (inherit)", fn, msg);
 		break;
 	default:
 		warnx("%s: corrupt cert", fn);
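Review bot: as_warn carries no comment stating its output format, and now that the argument order has been swapped a caller in validate.c or constraints.c has to read the switch to learn that the message comes out as `fn: msg: AS …`. A one-line comment above the definition, `/* Print "fn: msg: <AS id | AS range | AS (inherit)>" via warnx(). */`, would pin that contract for the call sites this commit rewrites. The `%u` for as->id and the range bounds relies on uint32_t being unsigned int, which holds on the platforms this tree targets; `PRIu32` from <inttypes.h> would state that explicitly if the bounds are uint32_t as the min/max in valid_cert suggest. The default branch's `warnx("%s: corrupt cert", fn)` is now also reached for RSC files through valid_rsc, where "cert" is a slightly misleading word. The closing of as_warn lies outside the hunk.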
diff --git a/usr.sbin/rpki-client/constraints.c b/usr.sbin/rpki-client/constraints.c
index 226e249b3f9..bd75e962eb4 100644
--- a/usr.sbin/rpki-client/constraints.c
+++ b/usr.sbin/rpki-client/constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraints.c,v 1.1 2023/10/13 12:06:49 job Exp $ */
+/* $OpenBSD: constraints.c,v 1.2 2023/12/27 07:15:55 tb Exp $ */
 /*
  * Copyright (c) 2023 Job Snijders
  * Copyright (c) 2023 Theo Buehler
@@ -578,7 +578,7 @@ constraints_validate(const char *fn, const struct cert *cert)
 		    deny_as, deny_asz))
 			continue;
 
-		as_warn(fn, &cert->as[i], "violates trust anchor constraints");
+		as_warn(fn, "trust anchor constraints violation", &cert->as[i]);
 		return 0;
 	}
 
@@ -592,7 +592,8 @@ constraints_validate(const char *fn, const struct cert *cert)
 		    allow_ipsz, deny_ips, deny_ipsz))
 			continue;
 
-		ip_warn(fn, &cert->ips[i], "violates trust anchor constraints");
+		ip_warn(fn, "trust anchor constraints violation",
+		    &cert->ips[i]);
 		return 0;
 	}
 
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 9bb95edb208..808ced811f3 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.196 2023/12/11 19:05:20 job Exp $ */
+/* $OpenBSD: extern.h,v 1.197 2023/12/27 07:15:55 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -710,8 +710,6 @@ int		 ip_addr_parse(const ASN1_BIT_STRING *, enum afi, const char *,
 		    struct ip_addr *);
 void		 ip_addr_print(const struct ip_addr *, enum afi, char *,
 		    size_t);
-void		 ip_addr_range_print(const struct ip_addr_range *, enum afi,
-		    char *, size_t);
 int		 ip_addr_cmp(const struct ip_addr *, const struct ip_addr *);
 int		 ip_addr_check_overlap(const struct cert_ip *, const char *,
 		    const struct cert_ip *, size_t, int);
@@ -719,7 +717,7 @@ int		 ip_addr_check_covered(enum afi, const unsigned char *,
 		    const unsigned char *, const struct cert_ip *, size_t);
 int		 ip_cert_compose_ranges(struct cert_ip *);
 void		 ip_roa_compose_ranges(struct roa_ip *);
-void		 ip_warn(const char *, const struct cert_ip *, const char *);
+void		 ip_warn(const char *, const char *, const struct cert_ip *);
 
 int		 sbgp_addr(const char *, struct cert_ip *, size_t *, enum afi,
 		    const ASN1_BIT_STRING *);
@@ -736,7 +734,7 @@ int		 as_check_overlap(const struct cert_as *, const char *,
 		    const struct cert_as *, size_t, int);
 int		 as_check_covered(uint32_t, uint32_t,
 		    const struct cert_as *, size_t);
-void		 as_warn(const char *, const struct cert_as *, const char *);
+void		 as_warn(const char *, const char *, const struct cert_as *);
 
 int		 sbgp_as_id(const char *, struct cert_as *, size_t *,
 		    const ASN1_INTEGER *);
diff --git a/usr.sbin/rpki-client/ip.c b/usr.sbin/rpki-client/ip.c
index a7541723a51..8cd936a753f 100644
--- a/usr.sbin/rpki-client/ip.c
+++ b/usr.sbin/rpki-client/ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip.c,v 1.31 2023/10/18 07:10:24 tb Exp $ */
+/* $OpenBSD: ip.c,v 1.32 2023/12/27 07:15:55 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -154,8 +154,8 @@ ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
 		if (!quiet) {
 			warnx("%s: RFC 3779 section 2.2.3.5: "
 			    "cannot have overlapping IP addresses", fn);
-			ip_warn(fn, ip, "certificate IP");
-			ip_warn(fn, &ips[i], "offending IP");
+			ip_warn(fn, "certificate IP", ip);
+			ip_warn(fn, "offending IP", &ips[i]);
 		}
 		return 0;
 	}
@@ -246,10 +246,11 @@ ip_addr_print(const struct ip_addr *addr,
  * Convert a ip_addr into a NUL-terminated range notation string.
  * The size of the buffer must be at least 95 (inclusive).
  */
-void
+static void
 ip_addr_range_print(const struct ip_addr_range *range, enum afi afi,
     char *buf, size_t bufsz)
 {
+	struct cert_ip ip;
 	char min[INET6_ADDRSTRLEN], max[INET6_ADDRSTRLEN];
 	int ret, af;
 
@@ -264,9 +265,17 @@ ip_addr_range_print(const struct ip_addr_range *range,
 		errx(1, "unsupported address family identifier");
 	}
 
-	if (inet_ntop(af, &range->min, min, sizeof(min)) == NULL)
+	memset(&ip, 0, sizeof(ip));
+
+	ip.afi = afi;
+	ip.type = CERT_IP_RANGE;
+	ip.range = *range;
+	if (!ip_cert_compose_ranges(&ip))
+		errx(1, "failed to compose ranges");
+
+	if (inet_ntop(af, ip.min, min, sizeof(min)) == NULL)
 		err(1, "inet_ntop");
-	if (inet_ntop(af, &range->max, max, sizeof(max)) == NULL)
+	if (inet_ntop(af, ip.max, max, sizeof(max)) == NULL)
 		err(1, "inet_ntop");
 
 	ret = snprintf(buf, bufsz, "%s--%s", min, max);
@@ -311,7 +320,7 @@ ip_cert_compose_ranges(struct cert_ip *p)
 		return 1;
 	}
 
-	sz = AFI_IPV4 == p->afi ? 4 : 16;
+	sz = p->afi == AFI_IPV4 ? 4 : 16;
 	return memcmp(p->min, p->max, sz) <= 0;
 }
 
@@ -333,21 +342,21 @@ ip_roa_compose_ranges(struct roa_ip *p)
 }
 
 void
-ip_warn(const char *fn, const struct cert_ip *cert, const char *msg)
+ip_warn(const char *fn, const char *msg, const struct cert_ip *ip)
 {
 	char buf[128];
 
-	switch (cert->type) {
+	switch (ip->type) {
 	case CERT_IP_ADDR:
-		ip_addr_print(&cert->ip, cert->afi, buf, sizeof(buf));
-		warnx("%s: %s: %s", fn, buf, msg);
+		ip_addr_print(&ip->ip, ip->afi, buf, sizeof(buf));
+		warnx("%s: %s: %s", fn, msg, buf);
 		break;
 	case CERT_IP_RANGE:
-		ip_addr_range_print(&cert->range, cert->afi, buf, sizeof(buf));
-		warnx("%s: %s: %s", fn, buf, msg);
+		ip_addr_range_print(&ip->range, ip->afi, buf, sizeof(buf));
+		warnx("%s: %s: %s", fn, msg, buf);
 		break;
 	case CERT_IP_INHERIT:
-		warnx("%s: (inherit): %s", fn, msg);
+		warnx("%s: %s: IP (inherit)", fn, msg);
 		break;
 	default:
 		warnx("%s: corrupt cert", fn);
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 8e3a08793a0..7386d109fbf 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
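Review bot: `errx(1, "failed to compose ranges")` turns a diagnostic helper into a fatal exit: ip_addr_range_print is reached from ip_warn while a problem with a certificate is being reported, and a range whose composed min sorts above its max (ip_cert_compose_ranges returns the memcmp result in the -311 hunk below) would abort the whole run instead of emitting the warning. If every struct cert_ip that reaches this point was already validated by ip_cert_compose_ranges when it was parsed, a comment such as `/* cannot fail: min <= max was checked when the range was parsed */` would justify the errx; otherwise writing a fixed marker into buf and returning would keep the failure local to the one warning. The commit message refers to inet_pton(), but the calls being corrected here are inet_ntop(). ip_addr_range_print's signature and the af switch sit in the preceding hunk, outside this one.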
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.68 2023/10/19 17:05:55 job Exp $ */
+/* $OpenBSD: validate.c,v 1.69 2023/12/27 07:15:55 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -135,7 +135,6 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
 {
 	size_t		 i;
 	uint32_t	 min, max;
-	char		 buf[128];
 
 	for (i = 0; i < cert->asz; i++) {
 		if (cert->as[i].type == CERT_AS_INHERIT)
@@ -152,19 +151,7 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
 		if (valid_as(a, min, max))
 			continue;
 
-		switch (cert->as[i].type) {
-		case CERT_AS_ID:
-			warnx("%s: RFC 6487: uncovered AS: %u", fn, min);
-			break;
-		case CERT_AS_RANGE:
-			warnx("%s: RFC 6487: uncovered AS: %u--%u", fn,
-			    min, max);
-			break;
-		case CERT_AS_INHERIT:
-			warnx("%s: RFC 6487: uncovered AS: (inherit)", fn);
-			break;
-		}
-
+		as_warn(fn, "RFC 6487: uncovered resource", &cert->as[i]);
 		return 0;
 	}
 
@@ -176,22 +163,7 @@ valid_cert(const char *fn, struct auth *a, const struct cert *cert)
 		    cert->ips[i].max))
 			continue;
 
-		switch (cert->ips[i].type) {
-		case CERT_IP_ADDR:
-			ip_addr_print(&cert->ips[i].ip,
-			    cert->ips[i].afi, buf, sizeof(buf));
-			warnx("%s: RFC 6487: uncovered IP: %s", fn, buf);
-			break;
-		case CERT_IP_RANGE:
-			ip_addr_range_print(&cert->ips[i].range,
-			    cert->ips[i].afi, buf, sizeof(buf));
-			warnx("%s: RFC 6487: uncovered IP: %s", fn, buf);
-			break;
-		case CERT_IP_INHERIT:
-			warnx("%s: RFC 6487: uncovered IP: (inherit)", fn);
-			break;
-		}
-
+		ip_warn(fn, "RFC 6487: uncovered resource", &cert->ips[i]);
 		return 0;
 	}
 
@@ -473,7 +445,6 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
 {
 	size_t		 i;
 	uint32_t	 min, max;
-	char		 buf[128];
 
 	for (i = 0; i < rsc->asz; i++) {
 		if (rsc->as[i].type == CERT_AS_ID) {
@@ -487,18 +458,7 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
 		if (as_check_covered(min, max, cert->as, cert->asz) > 0)
 			continue;
 
-		switch (rsc->as[i].type) {
-		case CERT_AS_ID:
-			warnx("%s: RSC resourceBlock: uncovered AS: %u", fn,
-			    min);
-			break;
-		case CERT_AS_RANGE:
-			warnx("%s: RSC resourceBlock: uncovered AS: %u--%u",
-			    fn, min, max);
-			break;
-		default:
-			break;
-		}
+		as_warn(fn, "RSC ResourceBlock uncovered", &rsc->as[i]);
 		return 0;
 	}
 
@@ -507,22 +467,7 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
 		    rsc->ips[i].max, cert->ips, cert->ipsz) > 0)
 			continue;
 
-		switch (rsc->ips[i].type) {
-		case CERT_IP_ADDR:
-			ip_addr_print(&rsc->ips[i].ip, rsc->ips[i].afi, buf,
-			    sizeof(buf));
-			warnx("%s: RSC ResourceBlock: uncovered IP: %s", fn,
-			    buf);
-			break;
-		case CERT_IP_RANGE:
-			ip_addr_range_print(&rsc->ips[i].range, rsc->ips[i].afi,
-			    buf, sizeof(buf));
-			warnx("%s: RSC ResourceBlock: uncovered IP: %s", fn,
-			    buf);
-			break;
-		default:
-			break;
-		}
+		ip_warn(fn, "RSC ResourceBlock uncovered", &rsc->ips[i]);
 		return 0;
 	}
 
-- 
2.20.1
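Review bot: The replaced switch ended in a silent `default: break;`, whereas as_warn and ip_warn fall through to `warnx("%s: corrupt cert", fn)` for any type other than id/range (or addr/range), so an RSC with an unexpected resource type is now reported as a corrupt "cert"; if the RSC parser guarantees only those types reach valid_rsc, a short comment at the call site saying so would make the reliance explicit, and the same applies to the ip_warn call in the second hunk of this file. The message text `"RSC ResourceBlock uncovered"` also reads differently from the `"RFC 6487: uncovered resource"` used in valid_cert, yielding `fn: RSC ResourceBlock uncovered: AS …`; `"RSC ResourceBlock: uncovered resource"` would keep the two diagnostics parallel. Both hunks are inside valid_rsc, whose start and end lie outside the hunks.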