From 81a06611ad25def9476a5b5a4d6ed42bbdf29802 Mon Sep 17 00:00:00 2001
From: claudio
Date: Sun, 21 Apr 2024 19:27:44 +0000
Subject: [PATCH] P-256 support is experimental so require -x to enable it. Also clean up the externs a little bit by moving experimental and noop to extern.h. Reminded by and OK tb@
---
 usr.sbin/rpki-client/cert.c | 4 ++--
 usr.sbin/rpki-client/cms.c | 4 ++--
 usr.sbin/rpki-client/crl.c | 4 ++--
 usr.sbin/rpki-client/extern.h | 4 +++-
 usr.sbin/rpki-client/filemode.c | 4 +---
 usr.sbin/rpki-client/output-json.c | 4 +---
 usr.sbin/rpki-client/parser.c | 6 +-----
 usr.sbin/rpki-client/repo.c | 3 +--
 8 files changed, 13 insertions(+), 20 deletions(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index b5fbf3d56fc..c4f347f2225 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.129 2024/03/22 03:38:12 job Exp $ */
+/* $OpenBSD: cert.c,v 1.130 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -773,7 +773,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 }
 X509_ALGOR_get0(&cobj, NULL, NULL, palg);
 nid = OBJ_obj2nid(cobj);
- if (nid == NID_ecdsa_with_SHA256) {
+ if (experimental && nid == NID_ecdsa_with_SHA256) {
 if (verbose)
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_sha256WithRSAEncryption) {
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 40cf8e1785a..c9d8ae5b42f 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.43 2024/04/21 09:03:22 job Exp $ */
+/* $OpenBSD: cms.c,v 1.44 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
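Review bot: The `experimental &&` guard in cert_parse_pre turns the signature-algorithm test into a policy gate, but nothing at the site says so. With -x unset, an ECDSA-signed certificate now reaches the `else if (nid != NID_sha256WithRSAEncryption)` arm, whose body lies outside the hunk and presumably rejects it as a wrong algorithm. A one-line comment above the test would record the intent, e.g. `/* P-256 is only accepted with -x; otherwise fall through and reject */`. The same applies to the matching tests in cms_parse_validate_internal (cms.c) and crl_parse (crl.c). Since the visible check in cert.c and crl.c is identical, a small shared helper would keep the accepted-algorithm list from drifting between parsers.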
@@ -257,7 +257,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 X509_ALGOR_get0(&obj, NULL, NULL, psig);
 nid = OBJ_obj2nid(obj);
 /* RFC7935 last paragraph of section 2 specifies the allowed psig */
- if (nid == NID_ecdsa_with_SHA256) {
+ if (experimental && nid == NID_ecdsa_with_SHA256) {
 if (verbose)
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_rsaEncryption &&
diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index c6ad99d2854..1f65073763c 100644
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.33 2024/04/15 13:57:45 job Exp $ */
+/* $OpenBSD: crl.c,v 1.34 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -63,7 +63,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 }
 X509_ALGOR_get0(&cobj, NULL, NULL, palg);
 nid = OBJ_obj2nid(cobj);
- if (nid == NID_ecdsa_with_SHA256) {
+ if (experimental && nid == NID_ecdsa_with_SHA256) {
 if (verbose)
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_sha256WithRSAEncryption) {
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index f72b383721b..9dd6997176d 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.216 2024/04/15 13:57:45 job Exp $ */
+/* $OpenBSD: extern.h,v 1.217 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -645,8 +645,10 @@ struct msgbuf;
 /* global variables */
 extern int verbose;
+extern int noop;
 extern int filemode;
 extern int excludeaspa;
+extern int experimental;
 extern const char *tals[];
 extern const char *taldescs[];
 extern unsigned int talrepocnt[];
diff --git a/usr.sbin/rpki-client/filemode.c b/usr.sbin/rpki-client/filemode.c
index cd4baade192..5590079a288 100644
--- a/usr.sbin/rpki-client/filemode.c
+++ b/usr.sbin/rpki-client/filemode.c
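Review bot: The context comment `/* RFC7935 last paragraph of section 2 specifies the allowed psig */` in cms_parse_validate_internal sits directly above the P-256 test, so it reads as if RFC 7935 allowed ECDSA. As far as I know that profile covers RSA only, and the check it describes is the `else if (nid != NID_rsaEncryption &&` arm, which continues past the end of the hunk. I would reword the comment to cover both arms, e.g. `/* RFC 7935 section 2 lists the allowed psig; P-256 is an experimental extension behind -x */`.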
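Review bot: `extern int experimental;` is added to extern.h without a comment, although with this commit it decides whether cert.c, cms.c and crl.c accept ECDSA signatures. A trailing comment on the declaration would make that visible to anyone adding another use, e.g. `/* set by -x: accept experimental features such as P-256 signatures */`. The link between -x and this variable is taken from the commit message, since the option parsing is not part of the diff.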
@@ -1,4 +1,4 @@
-/* $OpenBSD: filemode.c,v 1.40 2024/03/22 03:38:12 job Exp $ */
+/* $OpenBSD: filemode.c,v 1.41 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -41,8 +41,6 @@
 #include "extern.h"
 #include "json.h"
-extern int verbose;
-
 static X509_STORE_CTX *ctx;
 static struct auth_tree auths = RB_INITIALIZER(&auths);
 static struct crl_tree crlt = RB_INITIALIZER(&crlt);
diff --git a/usr.sbin/rpki-client/output-json.c b/usr.sbin/rpki-client/output-json.c
index afea19f3f28..bc0695ef89f 100644
--- a/usr.sbin/rpki-client/output-json.c
+++ b/usr.sbin/rpki-client/output-json.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output-json.c,v 1.48 2024/04/08 14:02:13 tb Exp $ */
+/* $OpenBSD: output-json.c,v 1.49 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 *
@@ -23,8 +23,6 @@
 #include "extern.h"
 #include "json.h"
-extern int experimental;
-
 static void
 outputheader_json(struct stats *st)
 {
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index d26d9c77d49..f482d67687c 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.134 2024/04/17 15:03:22 tb Exp $ */
+/* $OpenBSD: parser.c,v 1.135 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -38,10 +38,6 @@
 #include "extern.h"
-extern int noop;
-extern int experimental;
-extern int verbose;
-
 static X509_STORE_CTX *ctx;
 static struct auth_tree auths = RB_INITIALIZER(&auths);
 static struct crl_tree crlt = RB_INITIALIZER(&crlt);
diff --git a/usr.sbin/rpki-client/repo.c b/usr.sbin/rpki-client/repo.c
index 7290dcfe4bb..14ea81dea68 100644
--- a/usr.sbin/rpki-client/repo.c
+++ b/usr.sbin/rpki-client/repo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: repo.c,v 1.56 2024/04/08 14:02:13 tb Exp $ */
+/* $OpenBSD: repo.c,v 1.57 2024/04/21 19:27:44 claudio Exp $ */
 /*
 * Copyright (c) 2021 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -38,7 +38,6 @@
 #include "extern.h"
 extern struct stats stats;
-extern int noop;
 extern int rrdpon;
 extern int repo_timeout;
 extern time_t deadline;
-- 
2.20.1