On Fri, Jun 10, 2022 at 11:38:53AM +0200, Theo Buehler wrote:
> On Fri, Jun 10, 2022 at 11:31:42AM +0200, Theo Buehler wrote:
> > This is a leftover of the conversion to ASN.1 templates. The diff
> > reinstates a simplified variant of the removed cms_econtent_version(). 
> > 
> > None of the filetypes currently have a version other than the default,
> > which means that the ->version should always be NULL. This in turn means
> > that this is a bunch of mostly dead copy-pasted code.
> > 
> > Obviously, we will need to rethink this once we want to support a future
> > version of any of these, but that will necessarily come with other
> > changes. For now we're better off with one copy instead of three.
> 
> I sent an older version of the diff. This pure validation makes more
> sense to me:

Once, in the far future, one of the versions changes, this will need to be
reconsidered and the API adapted. Until then this is perfectly OK.

OK claudio@
 
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> retrieving revision 1.141
> diff -u -p -r1.141 extern.h
> --- extern.h  1 Jun 2022 10:59:21 -0000       1.141
> +++ extern.h  10 Jun 2022 09:36:47 -0000
> @@ -508,6 +508,7 @@ int                valid_origin(const char *, const c
>  int           valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *,
>                   struct crl *, int);
>  int           valid_rsc(const char *, struct auth *, struct rsc *);
> +int           valid_econtent_version(const char *, const ASN1_INTEGER *);
>  
>  /* Working with CMS. */
>  unsigned char        *cms_parse_validate(X509 **, const char *,
> Index: mft.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
> retrieving revision 1.70
> diff -u -p -r1.70 mft.c
> --- mft.c     1 Jun 2022 10:58:34 -0000       1.70
> +++ mft.c     10 Jun 2022 09:36:13 -0000
> @@ -270,7 +270,6 @@ mft_parse_econtent(const unsigned char *
>  {
>       Manifest                *mft;
>       FileAndHash             *fh;
> -     long                     mft_version;
>       int                      i, rc = 0;
>  
>       if ((mft = d2i_Manifest(NULL, &d, dsz)) == NULL) {
> @@ -279,24 +278,8 @@ mft_parse_econtent(const unsigned char *
>               goto out;
>       }
>  
> -     /* Validate the optional version field */
> -     if (mft->version != NULL) {
> -             mft_version = ASN1_INTEGER_get(mft->version);
> -             if (mft_version < 0) {
> -                     cryptowarnx("%s: ASN1_INTEGER_get failed", p->fn);
> -                     goto out;
> -             }
> -
> -             switch (mft_version) {
> -             case 0:
> -                     warnx("%s: incorrect encoding for version 0", p->fn);
> -                     goto out;
> -             default:
> -                     warnx("%s: version %ld not supported (yet)", p->fn,
> -                         mft_version);
> -                     goto out;
> -             }
> -     }
> +     if (!valid_econtent_version(p->fn, mft->version))
> +             goto out;
>  
>       p->res->seqnum = x509_convert_seqnum(p->fn, mft->manifestNumber);
>       if (p->res->seqnum == NULL)
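Review bot: The removed code reported an ASN1_INTEGER_get failure with cryptowarnx(), while the replacement valid_econtent_version() (added in validate.c in this diff) reports it with warnx(), so any libcrypto error-queue entry that ASN1_INTEGER_get may have pushed is no longer drained here and could surface in an unrelated later cryptowarnx() call. Whether ASN1_INTEGER_get actually pushes an error on overflow depends on the libcrypto in use, so this is worth a quick check rather than a certain bug. If it does, the consolidated helper should use `cryptowarnx("%s: ASN1_INTEGER_get failed", fn);` to match the previous mft/rsc behaviour. mft_parse_econtent continues outside this hunk.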
> Index: roa.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
> retrieving revision 1.46
> diff -u -p -r1.46 roa.c
> --- roa.c     31 May 2022 18:51:35 -0000      1.46
> +++ roa.c     10 Jun 2022 09:36:22 -0000
> @@ -103,7 +103,6 @@ static int
>  roa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
>  {
>       RouteOriginAttestation          *roa;
> -     long                             roa_version;
>       const ROAIPAddressFamily        *addrfam;
>       const STACK_OF(ROAIPAddress)    *addrs;
>       int                              addrsz;
> @@ -120,24 +119,8 @@ roa_parse_econtent(const unsigned char *
>               goto out;
>       }
>  
> -     /* Validate the optional version field */
> -     if (roa->version != NULL) {
> -             roa_version = ASN1_INTEGER_get(roa->version);
> -             if (roa_version < 0) {
> -                     warnx("%s: ASN1_INTEGER_get failed", p->fn);
> -                     goto out;
> -             }
> -
> -             switch (roa_version) {
> -             case 0:
> -                     warnx("%s: incorrect encoding for version 0", p->fn);
> -                     goto out;
> -             default:
> -                     warnx("%s: version %ld not supported (yet)", p->fn,
> -                         roa_version);
> -                     goto out;
> -             }
> -     }
> +     if (!valid_econtent_version(p->fn, roa->version))
> +             goto out;
>  
>       if (!as_id_parse(roa->asid, &p->res->asid)) {
>               warnx("%s: RFC 6482 section 3.2: asID: "
> Index: rsc.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 rsc.c
> --- rsc.c     5 Jun 2022 13:31:35 -0000       1.10
> +++ rsc.c     10 Jun 2022 09:36:31 -0000
> @@ -327,7 +327,6 @@ rsc_parse_econtent(const unsigned char *
>  {
>       RpkiSignedChecklist     *rsc;
>       ResourceBlock           *resources;
> -     long                     rsc_version;
>       int                      rc = 0;
>  
>       /*
> @@ -339,24 +338,8 @@ rsc_parse_econtent(const unsigned char *
>               goto out;
>       }
>  
> -     /* Validate the optional version field */
> -     if (rsc->version != NULL) {
> -             rsc_version = ASN1_INTEGER_get(rsc->version);
> -             if (rsc_version < 0) {
> -                     cryptowarnx("%s: RSC: ASN1_INTEGER_get failed", p->fn);
> -                     goto out;
> -             }
> -
> -             switch (rsc_version) {
> -             case 0:
> -                     warnx("%s: RSC: incorrect version encoding", p->fn);
> -                     goto out;
> -             default:
> -                     warnx("%s: RSC: version %ld not supported (yet)", p->fn,
> -                         rsc_version);
> -                     goto out;
> -             }
> -     }
> +     if (!valid_econtent_version(p->fn, rsc->version))
> +             goto out;
>  
>       resources = rsc->resources;
>       if (resources->asID == NULL && resources->ipAddrBlocks == NULL) {
> Index: validate.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 validate.c
> --- validate.c        7 Jun 2022 08:50:07 -0000       1.39
> +++ validate.c        10 Jun 2022 09:35:58 -0000
> @@ -510,3 +510,26 @@ valid_rsc(const char *fn, struct auth *a
>  
>       return 1;
>  }
> +
> +int
> +valid_econtent_version(const char *fn, const ASN1_INTEGER *aint)
> +{
> +     long version;
> +
> +     if (aint == NULL)
> +             return 1;
> +
> +     if ((version = ASN1_INTEGER_get(aint)) < 0) {
> +             warnx("%s: ASN1_INTEGER_get failed", fn);
> +             return 0;
> +     }
> +
> +     switch (version) {
> +     case 0:
> +             warnx("%s: incorrect encoding for version 0", fn);
> +             return 0;
> +     default:
> +             warnx("%s: version %ld not supported (yet)", fn, version);
> +             return 0;
> +     }
> +}
> 

-- 
:wq Claudio
