From 8e5b983981e1c395e2fcdd6322e60eedde714623 Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 10 Jun 2022 10:36:43 +0000
Subject: [PATCH] Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.

ok claudio
---
 usr.sbin/rpki-client/extern.h | 3 ++-
 usr.sbin/rpki-client/mft.c | 23 +++-------------------
 usr.sbin/rpki-client/roa.c | 23 +++-------------------
 usr.sbin/rpki-client/rsc.c | 23 +++-------------------
 usr.sbin/rpki-client/validate.c | 25 ++++++++++++++++++++++++-
 5 files changed, 35 insertions(+), 62 deletions(-)

diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 5536919e241..81e76f898e6 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.141 2022/06/01 10:59:21 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.142 2022/06/10 10:36:43 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -508,6 +508,7 @@ int valid_origin(const char *, const char *);
 int valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *,
     struct crl *, int);
 int valid_rsc(const char *, struct auth *, struct rsc *);
+int valid_econtent_version(const char *, const ASN1_INTEGER *);
 
 /* Working with CMS. */
 unsigned char *cms_parse_validate(X509 **, const char *,
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 289e35cc44d..4dfb08050ed 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.70 2022/06/01 10:58:34 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.71 2022/06/10 10:36:43 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -270,7 +270,6 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 {
 	Manifest *mft;
 	FileAndHash *fh;
-	long mft_version;
 	int i, rc = 0;
 
 	if ((mft = d2i_Manifest(NULL, &d, dsz)) == NULL) {
@@ -279,24 +278,8 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 		goto out;
 	}
 
-	/* Validate the optional version field */
-	if (mft->version != NULL) {
-		mft_version = ASN1_INTEGER_get(mft->version);
-		if (mft_version < 0) {
-			cryptowarnx("%s: ASN1_INTEGER_get failed", p->fn);
-			goto out;
-		}
-
-		switch (mft_version) {
-		case 0:
-			warnx("%s: incorrect encoding for version 0", p->fn);
-			goto out;
-		default:
-			warnx("%s: version %ld not supported (yet)", p->fn,
-			    mft_version);
-			goto out;
-		}
-	}
+	if (!valid_econtent_version(p->fn, mft->version))
+		goto out;
 
 	p->res->seqnum = x509_convert_seqnum(p->fn, mft->manifestNumber);
 	if (p->res->seqnum == NULL)
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index 281cb0c2eb3..0b5ff2832f7 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.46 2022/05/31 18:51:35 tb Exp $ */
+/* $OpenBSD: roa.c,v 1.47 2022/06/10 10:36:43 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -103,7 +103,6 @@ static int
 roa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 {
 	RouteOriginAttestation *roa;
-	long roa_version;
 	const ROAIPAddressFamily *addrfam;
 	const STACK_OF(ROAIPAddress) *addrs;
 	int addrsz;
@@ -120,24 +119,8 @@ roa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 		goto out;
 	}
 
-	/* Validate the optional version field */
-	if (roa->version != NULL) {
-		roa_version = ASN1_INTEGER_get(roa->version);
-		if (roa_version < 0) {
-			warnx("%s: ASN1_INTEGER_get failed", p->fn);
-			goto out;
-		}
-
-		switch (roa_version) {
-		case 0:
-			warnx("%s: incorrect encoding for version 0", p->fn);
-			goto out;
-		default:
-			warnx("%s: version %ld not supported (yet)", p->fn,
-			    roa_version);
-			goto out;
-		}
-	}
+	if (!valid_econtent_version(p->fn, roa->version))
+		goto out;
 
 	if (!as_id_parse(roa->asid, &p->res->asid)) {
 		warnx("%s: RFC 6482 section 3.2: asID: "
diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index 1aac0659ddb..5009aae9864 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.10 2022/06/05 13:31:35 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.11 2022/06/10 10:36:43 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2022 Job Snijders
@@ -327,7 +327,6 @@ rsc_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 {
 	RpkiSignedChecklist *rsc;
 	ResourceBlock *resources;
-	long rsc_version;
 	int rc = 0;
 
 	/*
@@ -339,24 +338,8 @@ rsc_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 		goto out;
 	}
 
-	/* Validate the optional version field */
-	if (rsc->version != NULL) {
-		rsc_version = ASN1_INTEGER_get(rsc->version);
-		if (rsc_version < 0) {
-			cryptowarnx("%s: RSC: ASN1_INTEGER_get failed", p->fn);
-			goto out;
-		}
-
-		switch (rsc_version) {
-		case 0:
-			warnx("%s: RSC: incorrect version encoding", p->fn);
-			goto out;
-		default:
-			warnx("%s: RSC: version %ld not supported (yet)", p->fn,
-			    rsc_version);
-			goto out;
-		}
-	}
+	if (!valid_econtent_version(p->fn, rsc->version))
+		goto out;
 
 	resources = rsc->resources;
 	if (resources->asID == NULL && resources->ipAddrBlocks == NULL) {
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 4d65f9de61d..5c3fcd87acd 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.39 2022/06/07 08:50:07 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.40 2022/06/10 10:36:43 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -510,3 +510,26 @@ valid_rsc(const char *fn, struct auth *a, struct rsc *rsc)
 
 	return 1;
 }
+
+int
+valid_econtent_version(const char *fn, const ASN1_INTEGER *aint)
+{
+	long version;
+
+	if (aint == NULL)
+		return 1;
+
+	if ((version = ASN1_INTEGER_get(aint)) < 0) {
+		warnx("%s: ASN1_INTEGER_get failed", fn);
+		return 0;
+	}
+
+	switch (version) {
+	case 0:
+		warnx("%s: incorrect encoding for version 0", fn);
+		return 0;
+	default:
+		warnx("%s: version %ld not supported (yet)", fn, version);
+		return 0;
+	}
+}
-- 
2.20.1
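Review bot: The new valid_econtent_version has no header comment, and the reason an explicitly encoded version 0 is rejected (the field is DEFAULT 0, and DER requires DEFAULT values to be omitted, which is what "incorrect encoding for version 0" alludes to) is now stated nowhere near the three call sites; a four-line comment above the definition saying that an absent version is accepted, that any encoded version including 0 is rejected because DER forbids encoding a DEFAULT value, and that the function returns 1 for acceptable and 0 for rejected would make the shared helper self-explanatory. Separately, ASN1_INTEGER_get returns -1 both when the value does not fit in a long and for a genuine value of -1, and any negatively encoded version also lands in the `< 0` branch, so such objects are reported as "ASN1_INTEGER_get failed" rather than as an unsupported version; the object is rejected either way, so this only affects the diagnostic, but a short comment on that line such as `/* also rejects negative versions, which are reported as a get failure */` would save the next reader the lookup. The mft.c and rsc.c copies printed this failure with cryptowarnx, while the unified helper follows roa.c and uses warnx, so any libcrypto error reason that ASN1_INTEGER_get may push on overflow is no longer displayed — presumably acceptable, but worth noting in the commit message.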