From e1686bd76c741fd8c56992edb3d4bfbecc5cfa13 Mon Sep 17 00:00:00 2001
From: job
Date: Wed, 7 Jun 2023 10:46:34 +0000
Subject: [PATCH] In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions. OK tb@
---
 usr.sbin/rpki-client/aspa.c | 4 ++--
 usr.sbin/rpki-client/extern.h | 5 +++--
 usr.sbin/rpki-client/mft.c | 4 ++--
 usr.sbin/rpki-client/roa.c | 4 ++--
 usr.sbin/rpki-client/rsc.c | 4 ++--
 usr.sbin/rpki-client/tak.c | 4 ++--
 usr.sbin/rpki-client/validate.c | 20 ++++++++++++--------
 7 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/usr.sbin/rpki-client/aspa.c b/usr.sbin/rpki-client/aspa.c
index 9f56abd26ec..1fdd3cb8484 100644
--- a/usr.sbin/rpki-client/aspa.c
+++ b/usr.sbin/rpki-client/aspa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aspa.c,v 1.17 2023/04/26 16:32:41 claudio Exp $ */
+/* $OpenBSD: aspa.c,v 1.18 2023/06/07 10:46:34 job Exp $ */
 /*
 * Copyright (c) 2022 Job Snijders
 * Copyright (c) 2022 Theo Buehler
@@ -161,7 +161,7 @@ aspa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 goto out;
 }

- if (!valid_econtent_version(p->fn, aspa->version))
+ if (!valid_econtent_version(p->fn, aspa->version, 0))
 goto out;

 if (!as_id_parse(aspa->customerASID, &p->res->custasid)) {
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index c3e3be89ce6..ec6c257e9b4 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.183 2023/05/30 16:02:28 job Exp $ */
+/* $OpenBSD: extern.h,v 1.184 2023/06/07 10:46:34 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -690,7 +690,8 @@ int valid_origin(const char *, const char *);
 int valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *, struct crl *, const char **);
 int valid_rsc(const char *, struct cert *, struct rsc *);
-int valid_econtent_version(const char *, const ASN1_INTEGER *);
+int valid_econtent_version(const char *, const ASN1_INTEGER *,
+ uint64_t);
 int valid_aspa(const char *, struct cert *, struct aspa *);
 int valid_geofeed(const char *, struct cert *, struct geofeed *);
 int valid_uuid(const char *);
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index c7c27ba5b23..75ad639d8d3 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.93 2023/05/22 15:15:25 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.94 2023/06/07 10:46:34 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -286,7 +286,7 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 goto out;
 }

- if (!valid_econtent_version(p->fn, mft->version))
+ if (!valid_econtent_version(p->fn, mft->version, 0))
 goto out;

 p->res->seqnum = x509_convert_seqnum(p->fn, mft->manifestNumber);
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index 206cd011932..0097b514fa3 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.67 2023/05/23 06:42:08 tb Exp $ */
+/* $OpenBSD: roa.c,v 1.68 2023/06/07 10:46:34 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -119,7 +119,7 @@ roa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 goto out;
 }

- if (!valid_econtent_version(p->fn, roa->version))
+ if (!valid_econtent_version(p->fn, roa->version, 0))
 goto out;

 if (!as_id_parse(roa->asid, &p->res->asid)) {
diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index ef88470b7e0..4e9f491ca88 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.25 2023/03/12 13:31:39 tb Exp $ */
+/* $OpenBSD: rsc.c,v 1.26 2023/06/07 10:46:34 job Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2022 Job Snijders
@@ -339,7 +339,7 @@ rsc_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 goto out;
 }

- if (!valid_econtent_version(p->fn, rsc->version))
+ if (!valid_econtent_version(p->fn, rsc->version, 0))
 goto out;

 resources = rsc->resources;
diff --git a/usr.sbin/rpki-client/tak.c b/usr.sbin/rpki-client/tak.c
index 85613ed7de1..4805fa0edd1 100644
--- a/usr.sbin/rpki-client/tak.c
+++ b/usr.sbin/rpki-client/tak.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tak.c,v 1.8 2023/03/12 11:46:35 tb Exp $ */
+/* $OpenBSD: tak.c,v 1.9 2023/06/07 10:46:34 job Exp $ */
 /*
 * Copyright (c) 2022 Job Snijders
 * Copyright (c) 2022 Theo Buehler
@@ -195,7 +195,7 @@ tak_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
 goto out;
 }

- if (!valid_econtent_version(fn, tak->version))
+ if (!valid_econtent_version(fn, tak->version, 0))
 goto out;

 p->res->current = parse_takey(fn, tak->current);
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 69612a83900..3ed0f0372d8 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.63 2023/05/30 12:14:48 claudio Exp $ */
+/* $OpenBSD: validate.c,v 1.64 2023/06/07 10:46:34 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -514,11 +514,12 @@ valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc)
 }

 int
-valid_econtent_version(const char *fn, const ASN1_INTEGER *aint)
+valid_econtent_version(const char *fn, const ASN1_INTEGER *aint,
+ uint64_t expected)
 {
 uint64_t version;

- if (aint == NULL)
+ if (expected == 0 && aint == NULL)
 return 1;

 if (!ASN1_INTEGER_get_uint64(&version, aint)) {
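Review bot: In the validate.c hunk at -514, once `expected` is non-zero a NULL `aint` (version field absent) is no longer stopped by the guard `if (expected == 0 && aint == NULL)` and reaches `ASN1_INTEGER_get_uint64(&version, aint)`. The function then depends on the library rejecting a NULL argument, and the log would presumably show a conversion failure rather than a missing version; that warning lies between the two hunks, so its wording is inferred. Because the version field is parsed from untrusted signed-object content, I would make the absent case explicit right after the guard: an `if (aint == NULL)` branch that warns the version field is absent, prints `(unsigned long long)expected`, and ends in `return 0;`. The body of valid_econtent_version continues in the next hunk.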
@@ -526,15 +527,18 @@ valid_econtent_version(const char *fn, const ASN1_INTEGER *aint)
 return 0;
 }

- switch (version) {
- case 0:
+ if (version == 0) {
 warnx("%s: incorrect encoding for version 0", fn);
 return 0;
- default:
- warnx("%s: version %llu not supported (yet)", fn,
- (unsigned long long)version);
+ }
+
+ if (version != expected) {
+ warnx("%s: unexpected version (expected %llu, got %llu)", fn,
+ (unsigned long long)expected, (unsigned long long)version);
 return 0;
 }
+
+ return 1;
 }

 /*
-- 2.20.1
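Review bot: valid_econtent_version() has no comment stating its contract, and the order of the checks in this hunk is what defines it: an explicitly encoded 0 is rejected by `if (version == 0)` whatever `expected` is, and only then is `version != expected` compared. I would add a block comment above the function, for example `/* Version 0 must be signalled by omitting the field; an explicit 0 is an encoding error. Any other version must be present and equal to expected. */`. That lets a reader of the aspa.c, mft.c, roa.c, rsc.c and tak.c call sites, which all pass a literal `0`, see what the argument means without opening validate.c. The function starts in the previous hunk.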