author | 2019-10-08 10:04:36 +0000 | |
---|---|---|
committer | 2019-10-08 10:04:36 +0000 | |
commit | a382efa29822019cb5674a891919ebb39bcffd1c (patch) | |
tree | 2e161e686c14652e1c4f21ef4939ec97698fa6d5 | |
parent | Free the "e" element in ber_printf_elements if it fails, since there's no (diff) | |
Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@
-rw-r--r-- | usr.sbin/rpki-client/Makefile | 4 | ||||
-rw-r--r-- | usr.sbin/rpki-client/extern.h | 31 | ||||
-rw-r--r-- | usr.sbin/rpki-client/main.c | 83 | ||||
-rw-r--r-- | usr.sbin/rpki-client/output-bgpd.c | 60 | ||||
-rw-r--r-- | usr.sbin/rpki-client/output-json.c | 51 | ||||
-rw-r--r-- | usr.sbin/rpki-client/roa.c | 70 | ||||
-rw-r--r-- | usr.sbin/rpki-client/tal.c | 22 | ||||
-rw-r--r-- | usr.sbin/rpki-client/validate.c | 10 |
8 files changed, 243 insertions, 88 deletions
diff --git a/usr.sbin/rpki-client/Makefile b/usr.sbin/rpki-client/Makefile index 5f78ecb5cab..21f252a6494 100644 --- a/usr.sbin/rpki-client/Makefile +++ b/usr.sbin/rpki-client/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.7 2019/08/12 18:03:17 jsing Exp $ +# $OpenBSD: Makefile,v 1.8 2019/10/08 10:04:36 claudio Exp $ PROG= rpki-client SRCS= as.c cert.c cms.c crl.c io.c ip.c log.c main.c mft.c \ - output-bgpd.c roa.c rsync.c tal.c validate.c x509.c + output-bgpd.c output-json.c roa.c rsync.c tal.c validate.c x509.c MAN= rpki-client.8 LDADD= /usr/local/lib/eopenssl/libcrypto.a diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index b9143c9f4f8..01675bc339e 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.7 2019/08/20 16:01:52 claudio Exp $ */ +/* $OpenBSD: extern.h,v 1.8 2019/10/08 10:04:36 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -17,6 +17,8 @@ #ifndef EXTERN_H #define EXTERN_H +#include <sys/tree.h> + enum cert_as_type { CERT_AS_ID, /* single identifier */ CERT_AS_INHERIT, /* inherit from parent */ @@ -125,6 +127,7 @@ struct tal { size_t urisz; /* number of URIs */ unsigned char *pkey; /* DER-encoded public key */ size_t pkeysz; /* length of pkey */ + char *descr; /* basename of tal file */ }; /* 
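Review bot: The new `descr` member of `struct tal` in the extern.h hunk is documented only as "basename of tal file", but tal.c in this same commit strips a trailing `.tal` and tal_free() owns the string, and neither fact is visible from the header. Readers of the struct will assume the full basename. I would make the comment `char *descr; /* basename of tal file, ".tal" suffix stripped; owned, freed by tal_free */`.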
@@ -173,9 +176,27 @@ struct roa { int valid; /* validated resources */ char *ski; /* SKI */ char *aki; /* AKI */ + char *tal; /* basename of TAL for this cert */ }; /* + * A single VRP element (including ASID) + */ +struct vrp { + RB_ENTRY(vrp) entry; + struct ip_addr addr; + uint32_t asid; + char *tal; /* basename of TAL for this cert */ + enum afi afi; + unsigned char maxlength; +}; +/* + * Tree of VRP sorted by afi, addr, maxlength and asid + */ +RB_HEAD(vrp_tree, vrp); +RB_PROTOTYPE(vrp_tree, vrp, entry, vrpcmp); + +/* * An authentication tuple. * This specifies a public key and a subject key identifier used to * verify children nodes in the tree of entities. @@ -184,6 +205,7 @@ struct auth { struct cert *cert; /* owner information */ size_t id; /* self-index */ size_t parent; /* index of parent pair (or self) */ + char *tal; /* basename of TAL for this cert */ char *fn; /* FIXME: debugging */ }; @@ -225,13 +247,14 @@ void roa_buffer(char **, size_t *, size_t *, const struct roa *); void roa_free(struct roa *); struct roa *roa_parse(X509 **, const char *, const unsigned char *); struct roa *roa_read(int); +void roa_insert_vrps(struct vrp_tree *, struct roa *, size_t *, size_t *); X509_CRL *crl_parse(const char *, const unsigned char *); /* Validation of our objects. */ ssize_t valid_cert(const char *, const struct auth *, size_t, const struct cert *); -int valid_roa(const char *, const struct auth *, size_t, const struct roa *); +ssize_t valid_roa(const char *, const struct auth *, size_t, const struct roa *); ssize_t valid_ta(const char *, const struct auth *, size_t, const struct cert *); /* Working with CMS files. */ @@ -301,7 +324,7 @@ int x509_get_ski_aki(X509 *, const char *, char **, char **); /* Output! */ -void output_bgpd(FILE *, const struct roa **, size_t, - size_t *, size_t *); +void output_bgpd(FILE *, struct vrp_tree *); +void output_json(FILE *, struct vrp_tree *); #endif /* ! EXTERN_H */ 
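Review bot: The `tal` fields added to `struct roa`, `struct vrp` and `struct auth` carry the identical comment "basename of TAL for this cert" but have three different ownership rules, and the header says nothing about them: roa.c frees `roa->tal`, roa_insert_vrps() strdup()s it into each `vrp`, while main.c only frees `auth.tal` when `parent == id` and lets child entries alias the parent's pointer. That aliasing is the kind of thing a later cleanup patch turns into a double free, so it belongs in the struct comment; for `struct auth` I would write `char *tal; /* TAL basename; owned by the TA entry (parent == id), aliased by its descendants */`, and for `struct roa` note that it stays NULL when `valid` is 0. Separately, `maxlength` becomes `unsigned char` here while the old output code printed the ROA's maxlength with `%zu`, so the copy in roa_insert_vrps() narrows silently; this is fine if roa_parse() bounds it to 128 (not visible here), and a comment `/* <= 128, bounded at parse time */` would record that assumption. The tree comment "sorted by afi, addr, maxlength and asid" also omits prefixlen, which vrpcmp() compares before maxlength.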
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c index 8601669a98d..c35facdbc5e 100644 --- a/usr.sbin/rpki-client/main.c +++ b/usr.sbin/rpki-client/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.17 2019/09/26 17:07:30 claudio Exp $ */ +/* $OpenBSD: main.c,v 1.18 2019/10/08 10:04:36 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -62,6 +62,8 @@ struct stats { size_t roas_invalid; /* invalid resources */ size_t repos; /* repositories */ size_t crls; /* revocation lists */ + size_t vrps; /* total number of vrps */ + size_t uniqs; /* number of unique vrps */ }; /* @@ -107,6 +109,8 @@ struct entity { int has_pkey; /* whether pkey/sz is specified */ unsigned char *pkey; /* public key (optional) */ size_t pkeysz; /* public key length (optional) */ + int has_descr; /* whether descr is specified */ + char *descr; /* tal description */ TAILQ_ENTRY(entity) entries; }; @@ -162,6 +166,7 @@ entity_free(struct entity *ent) free(ent->pkey); free(ent->uri); + free(ent->descr); free(ent); } @@ -183,6 +188,9 @@ entity_read_req(int fd, struct entity *ent) io_simple_read(fd, &ent->has_pkey, sizeof(int)); if (ent->has_pkey) io_buf_read_alloc(fd, (void **)&ent->pkey, &ent->pkeysz); + io_simple_read(fd, &ent->has_descr, sizeof(int)); + if (ent->has_descr) + io_str_read(fd, &ent->descr); } /* @@ -283,6 +291,9 @@ entity_buffer_req(char **b, size_t *bsz, size_t *bmax, io_simple_buffer(b, bsz, bmax, &ent->has_pkey, sizeof(int)); if (ent->has_pkey) io_buf_buffer(b, bsz, bmax, ent->pkey, ent->pkeysz); + io_simple_buffer(b, bsz, bmax, &ent->has_descr, sizeof(int)); + if (ent->has_descr) + io_str_buffer(b, bsz, bmax, ent->descr); } /* 
@@ -322,7 +333,7 @@ entityq_flush(int fd, struct entityq *q, const struct repo *repo) static void entityq_add(int fd, struct entityq *q, char *file, enum rtype type, const struct repo *rp, const unsigned char *dgst, - const unsigned char *pkey, size_t pkeysz, size_t *eid) + const unsigned char *pkey, size_t pkeysz, char *descr, size_t *eid) { struct entity *p; @@ -335,6 +346,7 @@ entityq_add(int fd, struct entityq *q, char *file, enum rtype type, p->repo = (rp != NULL) ? (ssize_t)rp->id : -1; p->has_dgst = dgst != NULL; p->has_pkey = pkey != NULL; + p->has_descr = descr != NULL; if (p->has_dgst) memcpy(p->dgst, dgst, sizeof(p->dgst)); if (p->has_pkey) { @@ -343,6 +355,10 @@ entityq_add(int fd, struct entityq *q, char *file, enum rtype type, err(EXIT_FAILURE, "malloc"); memcpy(p->pkey, pkey, pkeysz); } + if (p->has_descr) + if ((p->descr = strdup(descr)) == NULL) + err(EXIT_FAILURE, "strdup"); + TAILQ_INSERT_TAIL(q, p, entries); /* @@ -387,7 +403,7 @@ queue_add_from_mft(int fd, struct entityq *q, const char *mft, * that the repository has already been loaded. */ - entityq_add(fd, q, nfile, type, NULL, file->hash, NULL, 0, eid); + entityq_add(fd, q, nfile, type, NULL, file->hash, NULL, 0, NULL, eid); } /* @@ -446,7 +462,7 @@ queue_add_tal(int fd, struct entityq *q, const char *file, size_t *eid) /* Not in a repository, so directly add to queue. */ - entityq_add(fd, q, nfile, RTYPE_TAL, NULL, NULL, NULL, 0, eid); + entityq_add(fd, q, nfile, RTYPE_TAL, NULL, NULL, NULL, 0, NULL, eid); } /* @@ -475,7 +491,7 @@ queue_add_from_tal(int proc, int rsync, struct entityq *q, err(EXIT_FAILURE, "asprintf"); entityq_add(proc, q, nfile, RTYPE_CER, repo, NULL, tal->pkey, - tal->pkeysz, eid); + tal->pkeysz, tal->descr, eid); } /* 
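Review bot: The new `descr` parameter of entityq_add() is declared `char *` although the function only reads it through strdup(), and its only non-NULL caller passes `tal->descr` from a `const struct tal`-style context. Declaring it `const char *descr` in the signature and prototype matches the neighbouring `const unsigned char *pkey` parameter and stops the compiler from accepting an accidental write to the TAL's string later. Nothing else in the hunk needs to change.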
@@ -503,7 +519,7 @@ queue_add_from_cert(int proc, int rsync, struct entityq *q, BASE_DIR, repo->host, repo->module, uri) == -1) err(EXIT_FAILURE, "asprintf"); - entityq_add(proc, q, nfile, type, repo, NULL, NULL, 0, eid); + entityq_add(proc, q, nfile, type, repo, NULL, NULL, 0, NULL, eid); } static void @@ -749,6 +765,7 @@ proc_parser_roa(struct entity *entp, int norev, int c; X509_VERIFY_PARAM *param; unsigned int fl, nfl; + ssize_t aidx; assert(entp->has_dgst); if ((roa = roa_parse(&x509, entp->uri, entp->dgst)) == NULL) @@ -785,7 +802,12 @@ proc_parser_roa(struct entity *entp, int norev, * the code around roa_read() to check the "valid" field itself. */ - roa->valid = valid_roa(entp->uri, auths, authsz, roa); + aidx = valid_roa(entp->uri, auths, authsz, roa); + if (aidx != -1) { + roa->valid = 1; + if ((roa->tal = strdup(auths[aidx].tal)) == NULL) + err(EXIT_FAILURE, NULL); + } return roa; } @@ -856,6 +878,7 @@ proc_parser_cert(const struct entity *entp, int norev, X509_VERIFY_PARAM *param; unsigned int fl, nfl; ssize_t id; + char *tal; assert(!entp->has_dgst != !entp->has_pkey); @@ -922,10 +945,16 @@ proc_parser_cert(const struct entity *entp, int norev, *auths = reallocarray(*auths, *authsz + 1, sizeof(struct auth)); if (*auths == NULL) err(EXIT_FAILURE, NULL); + if (entp->has_pkey) { + if ((tal = strdup(entp->descr)) == NULL) + err(EXIT_FAILURE, NULL); + } else + tal = (*auths)[id].tal; (*auths)[*authsz].id = *authsz; (*auths)[*authsz].parent = id; (*auths)[*authsz].cert = cert; + (*auths)[*authsz].tal = tal; (*auths)[*authsz].fn = strdup(entp->uri); if ((*auths)[*authsz].fn == NULL) err(EXIT_FAILURE, NULL); @@ -1148,6 +1177,8 @@ out: for (i = 0; i < authsz; i++) { free(auths[i].fn); + if (i == auths[i].parent) + free(auths[i].tal); cert_free(auths[i].cert); } 
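Review bot: In proc_parser_cert() the new code calls `strdup(entp->descr)` whenever `entp->has_pkey` is set, but `descr` is an independent optional field (`has_descr`) and strdup(NULL) would crash the parser process; today the only pkey-bearing request comes from queue_add_from_tal(), which always supplies `tal->descr`, so the coupling is real but undocumented. I would add `assert(entp->has_descr);` before the strdup, mirroring the existing `assert(!entp->has_dgst != !entp->has_pkey)` at the top of the function. The else branch `tal = (*auths)[id].tal;` deliberately aliases the parent's string and the cleanup hunk later frees it only when `i == auths[i].parent`; that relies on TA entries having `parent == id`, which is set outside this hunk, so a one-line comment `/* aliases the TA's string; freed once at cleanup via parent == id */` at the assignment would keep a future refactor from freeing it per entry. The enclosing functions start and end outside the hunks shown.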
@@ -1174,7 +1205,7 @@ out: static void entity_process(int proc, int rsync, struct stats *st, struct entityq *q, const struct entity *ent, struct repotab *rt, - size_t *eid, struct roa ***out, size_t *outsz) + size_t *eid, struct vrp_tree *tree) { struct tal *tal; struct cert *cert; @@ -1245,18 +1276,11 @@ entity_process(int proc, int rsync, struct stats *st, break; } roa = roa_read(proc); - if (roa->valid) { - *out = reallocarray(*out, - *outsz + 1, sizeof(struct roa *)); - if (*out == NULL) - err(EXIT_FAILURE, "reallocarray"); - (*out)[*outsz] = roa; - (*outsz)++; - /* We roa_free() on exit. */ - } else { + if (roa->valid) + roa_insert_vrps(tree, roa, &st->vrps, &st->uniqs); + else st->roas_invalid++; - roa_free(roa); - } + roa_free(roa); break; default: abort(); @@ -1296,8 +1320,8 @@ main(int argc, char *argv[]) { int rc = 0, c, proc, st, rsync, fl = SOCK_STREAM | SOCK_CLOEXEC, noop = 0, - force = 0, norev = 0; - size_t i, j, eid = 1, outsz = 0, talsz = 0, vrps, uniqs; + force = 0, norev = 0, jsonout = 0; + size_t i, j, eid = 1, outsz = 0, talsz = 0; pid_t procpid, rsyncpid; int fd[2]; struct entityq q; @@ -1310,11 +1334,12 @@ main(int argc, char *argv[]) const char *bind_addr = NULL; const char *tals[TALSZ_MAX]; FILE *output = NULL; + struct vrp_tree v = RB_INITIALIZER(&v); if (pledge("stdio rpath wpath cpath proc exec unveil", NULL) == -1) err(EXIT_FAILURE, "pledge"); - while ((c = getopt(argc, argv, "b:e:fnrt:v")) != -1) + while ((c = getopt(argc, argv, "b:e:fjnrt:v")) != -1) switch (c) { case 'b': bind_addr = optarg; @@ -1325,6 +1350,9 @@ main(int argc, char *argv[]) case 'f': force = 1; break; + case 'j': + jsonout = 1; + break; case 'n': noop = 1; break; @@ -1487,7 +1515,7 @@ main(int argc, char *argv[]) if ((pfd[1].revents & POLLIN)) { ent = entityq_next(proc, &q); entity_process(proc, rsync, &stats, - &q, ent, &rt, &eid, &out, &outsz); + &q, ent, &rt, &eid, &v); if (verbose > 1) fprintf(stderr, "%s\n", ent->uri); entity_free(ent); 
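Review bot: The getopt hunk adds the `-j` flag, but the diffstat lists no change to rpki-client.8 and the usage() text is not touched in any hunk here, so the new JSON mode is undiscoverable from the manual and from `rpki-client -h`. The commit message also promises compatibility with the RIPE validator's JSON, which is exactly the kind of format contract the man page should state (field names `asn`, `prefix`, `maxLength`, `ta`). I would add a `-j` entry to the options list of rpki-client.8 and extend the usage string in the same commit. The declaration hunk keeps `outsz = 0` even though the `out` array it sized is no longer filled by entity_process(); if no remaining use exists outside this view it should be dropped to avoid an unused-variable warning.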
@@ -1520,10 +1548,11 @@ main(int argc, char *argv[]) rc = 0; } - /* Output and statistics. */ + if (jsonout) + output_json(output, &v); + else + output_bgpd(output, &v); - output_bgpd(output, (const struct roa **)out, - outsz, &vrps, &uniqs); logx("Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)", stats.roas, stats.roas_fail, stats.roas_invalid); logx("Certificates: %zu (%zu failed parse, %zu invalid)", @@ -1533,7 +1562,7 @@ main(int argc, char *argv[]) stats.mfts, stats.mfts_fail, stats.mfts_stale); logx("Certificate revocation lists: %zu", stats.crls); logx("Repositories: %zu", stats.repos); - logx("VRP Entries: %zu (%zu unique)", vrps, uniqs); + logx("VRP Entries: %zu (%zu unique)", stats.vrps, stats.uniqs); /* Memory cleanup. */ diff --git a/usr.sbin/rpki-client/output-bgpd.c b/usr.sbin/rpki-client/output-bgpd.c index 7dfe65ae672..3f4412049f0 100644 --- a/usr.sbin/rpki-client/output-bgpd.c +++ b/usr.sbin/rpki-client/output-bgpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: output-bgpd.c,v 1.10 2019/08/20 16:01:52 claudio Exp $ */ +/* $OpenBSD: output-bgpd.c,v 1.11 2019/10/08 10:04:36 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * 
@@ -25,57 +25,23 @@ #include "extern.h" -static int -cmp(const void *p1, const void *p2) -{ - const char *a1 = *(const char **)p1, *a2 = *(const char **)p2; - - return strcmp(a1, a2); -} - void -output_bgpd(FILE *out, const struct roa **roas, size_t roasz, - size_t *vrps, size_t *unique) +output_bgpd(FILE *out, struct vrp_tree *vrps) { char buf1[64], buf2[32]; - char **lines = NULL; - size_t i, j, k; - - *vrps = *unique = 0; + struct vrp *v; - for (i = 0; i < roasz; i++) - *vrps += roas[i]->ipsz; - - if ((lines = calloc(*vrps, sizeof(char *))) == NULL) - err(EXIT_FAILURE, NULL); - - for (i = k = 0; i < roasz; i++) - for (j = 0; j < roas[i]->ipsz; j++) { - ip_addr_print(&roas[i]->ips[j].addr, - roas[i]->ips[j].afi, buf1, sizeof(buf1)); - if (roas[i]->ips[j].maxlength > - roas[i]->ips[j].addr.prefixlen) - snprintf(buf2, sizeof(buf2), "maxlen %zu ", - roas[i]->ips[j].maxlength); - else - buf2[0] = '\0'; - if (asprintf(&lines[k++], "%s %ssource-as %u", - buf1, buf2, roas[i]->asid) == -1) - err(EXIT_FAILURE, NULL); - } + fprintf(out, "roa-set {\n"); - assert(k == *vrps); - qsort(lines, *vrps, sizeof(char *), cmp); + RB_FOREACH(v, vrp_tree, vrps) { + ip_addr_print(&v->addr, v->afi, buf1, sizeof(buf1)); + if (v->maxlength > v->addr.prefixlen) + snprintf(buf2, sizeof(buf2), "maxlen %u ", + v->maxlength); + else + buf2[0] = '\0'; + fprintf(out, "\t%s %ssource-as %u\n", buf1, buf2, v->asid); + } - fprintf(out, "roa-set {\n"); - for (i = 0; i < *vrps; i++) - if (i == 0 || strcmp(lines[i], lines[i - 1])) { - fprintf(out, "\t%s\n", lines[i]); - (*unique)++; - } fprintf(out, "}\n"); - - for (i = 0; i < *vrps; i++) - free(lines[i]); - free(lines); } diff --git a/usr.sbin/rpki-client/output-json.c b/usr.sbin/rpki-client/output-json.c new file mode 100644 index 00000000000..1c94f59eb08 --- /dev/null +++ b/usr.sbin/rpki-client/output-json.c 
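Review bot: The rewritten output_bgpd() never checks the result of its fprintf() calls, so a write error on `out` (for example ENOSPC on the file handed to bgpd) leaves a truncated `roa-set { ... }` while the process goes on to print statistics and exit normally, unless the fclose() in main(), outside this hunk, checks `ferror`. Since the consumer of this file makes routing-security decisions on it, the function should fail loudly: after the closing `fprintf(out, "}\n");` add `if (ferror(out)) err(EXIT_FAILURE, "write error on output");` (or propagate a return value and let main() decide). The same applies to output_json() in the following file.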
@@ -0,0 +1,51 @@
+/* $OpenBSD: output-json.c,v 1.1 2019/10/08 10:04:36 claudio Exp $ */
+/*
+ * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <err.h>
+#include <inttypes.h>
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include <openssl/ssl.h>
+
+#include "extern.h"
+
+void
+output_json(FILE *out, struct vrp_tree *vrps)
+{
+ char buf[64];
+ struct vrp *v;
+ int first = 1;
+
+ fprintf(out, "{\n\t\"roas\": [\n");
+
+ RB_FOREACH(v, vrp_tree, vrps) {
+ if (first)
+ first = 0;
+ else
+ fprintf(out, ",\n");
+
+ ip_addr_print(&v->addr, v->afi, buf, sizeof(buf));
+
+ fprintf(out, "\t\t{ \"asn\": \"AS%u\", \"prefix\": \"%s\", "
+ "\"maxLength\": %u, \"ta\": \"%s\" }",
+ v->asid, buf, v->maxlength, v->tal);
+ }
+
+ fprintf(out, "\n\t]\n}\n");
+}
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index 8e6ada409b2..1be4e810b49 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.4 2019/06/19 16:30:37 deraadt Exp $ */
+/* $OpenBSD: roa.c,v 1.5 2019/10/08 10:04:36 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
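Review bot: output_json() interpolates `v->tal` into a JSON string with a bare `%s` and no escaping; the value is the basename of the TAL file as computed in tal.c, so a TAL named with a `"`, `\` or control character yields a file that JSON parsers reject. The name is operator-controlled, so this is a robustness rather than an injection issue, but a consumer that auto-loads this output will simply fail. Either reject such characters when the description is built in tal_parse() or add a small `json_escape()` helper here before printing. Minor: `<assert.h>`, `<inttypes.h>` and `<stdarg.h>` are not used in this file, and `FILE` is only reachable through `<openssl/ssl.h>`; include `<stdio.h>` directly and drop the unused headers.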
@@ -380,6 +380,7 @@ roa_free(struct roa *p) free(p->aki); free(p->ski); free(p->ips); + free(p->tal); free(p); } @@ -410,6 +411,7 @@ roa_buffer(char **b, size_t *bsz, size_t *bmax, const struct roa *p) io_str_buffer(b, bsz, bmax, p->aki); io_str_buffer(b, bsz, bmax, p->ski); + io_str_buffer(b, bsz, bmax, p->tal); } /* @@ -443,5 +445,71 @@ roa_read(int fd) io_str_read(fd, &p->aki); io_str_read(fd, &p->ski); + io_str_read(fd, &p->tal); return p; } + +void +roa_insert_vrps(struct vrp_tree *tree, struct roa *roa, size_t *vrps, + size_t *uniqs) +{ + struct vrp *v; + size_t i; + + for (i = 0; i < roa->ipsz; i++) { + if ((v = malloc(sizeof(*v))) == NULL) + err(EXIT_FAILURE, NULL); + v->afi = roa->ips[i].afi; + v->addr = roa->ips[i].addr; + v->maxlength = roa->ips[i].maxlength; + v->asid = roa->asid; + if ((v->tal = strdup(roa->tal)) == NULL) + err(EXIT_FAILURE, NULL); + if (RB_INSERT(vrp_tree, tree, v) == NULL) + (*uniqs)++; + else /* already exists */ + free(v); + (*vrps)++; + } +} + +static inline int +vrpcmp(struct vrp *a, struct vrp *b) +{ + int rv; + + if (a->afi > b->afi) + return 1; + if (a->afi < b->afi) + return -1; + switch (a->afi) { + case AFI_IPV4: + rv = memcmp(&a->addr.addr, &b->addr.addr, 4); + if (rv) + return rv; + break; + case AFI_IPV6: + rv = memcmp(&a->addr.addr, &b->addr.addr, 16); + if (rv) + return rv; + break; + } + /* a smaller prefixlen is considered bigger, e.g. /8 vs /10 */ + if (a->addr.prefixlen < b->addr.prefixlen) + return 1; + if (a->addr.prefixlen > b->addr.prefixlen) + return -1; + if (a->maxlength < b->maxlength) + return 1; + if (a->maxlength > b->maxlength) + return -1; + + if (a->asid > b->asid) + return 1; + if (a->asid < b->asid) + return -1; + + return 0; +} + +RB_GENERATE(vrp_tree, vrp, entry, vrpcmp); diff --git a/usr.sbin/rpki-client/tal.c b/usr.sbin/rpki-client/tal.c index 6998653b8b4..d8d86f7dae9 100644 --- a/usr.sbin/rpki-client/tal.c +++ b/usr.sbin/rpki-client/tal.c 
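Review bot: roa_insert_vrps() leaks the strdup()ed `v->tal` on every duplicate VRP, because the `else` branch after RB_INSERT() frees only the node: it should read `free(v->tal); free(v);`. Duplicates are common in the real RPKI (the same prefix/ASN/maxlength published under several certificates), so this grows with every run; the statistic `*uniqs` shows the commit expects them. Note also that when the same VRP is issued under two different TAs the first one inserted wins and the later TA name is dropped, which the JSON `ta` attribute silently reflects; a comment on the duplicate branch, `/* already present, possibly under another TAL; keep the first */`, would make that choice explicit. The `v->maxlength = roa->ips[i].maxlength;` copy narrows from the ROA's wider type to `unsigned char`, which is safe only if roa_parse() bounds maxlength (not visible here); `vrpcmp()` also memcmp()s the full address bytes, so deduplication assumes host bits beyond prefixlen are zero at parse time.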
@@ -1,4 +1,4 @@ -/* $OpenBSD: tal.c,v 1.6 2019/06/20 15:26:49 claudio Exp $ */ +/* $OpenBSD: tal.c,v 1.7 2019/10/08 10:04:36 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -18,6 +18,7 @@ #include <netinet/in.h> #include <assert.h> #include <err.h> +#include <libgen.h> #include <resolv.h> #include <stdio.h> #include <stdlib.h> @@ -183,12 +184,27 @@ tal_parse(const char *fn) { FILE *f; struct tal *p; + char *d; + size_t dlen; if ((f = fopen(fn, "r")) == NULL) err(EXIT_FAILURE, "%s: open", fn); p = tal_parse_stream(fn, f); fclose(f); + + /* extract the TAL basename (without .tal suffix) */ + d = basename(fn); + if (d == NULL) + err(EXIT_FAILURE, "%s: basename", fn); + dlen = strlen(d); + if (strcasecmp(d + dlen - 4, ".tal") == 0) + dlen -= 4; + if ((p->descr = malloc(dlen + 1)) == NULL) + err(EXIT_FAILURE, NULL); + memcpy(p->descr, d, dlen); + p->descr[dlen] = 0; + return p; } @@ -210,6 +226,7 @@ tal_free(struct tal *p) free(p->pkey); free(p->uri); + free(p->descr); free(p); } @@ -223,6 +240,7 @@ tal_buffer(char **b, size_t *bsz, size_t *bmax, const struct tal *p) size_t i; io_buf_buffer(b, bsz, bmax, p->pkey, p->pkeysz); + io_str_buffer(b, bsz, bmax, p->descr); io_simple_buffer(b, bsz, bmax, &p->urisz, sizeof(size_t)); for (i = 0; i < p->urisz; i++) @@ -245,6 +263,7 @@ tal_read(int fd) io_buf_read_alloc(fd, (void **)&p->pkey, &p->pkeysz); assert(p->pkeysz > 0); + io_str_read(fd, &p->descr); io_simple_read(fd, &p->urisz, sizeof(size_t)); assert(p->urisz > 0); @@ -256,4 +275,3 @@ tal_read(int fd) return p; } - diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c index 02ecf8de9c6..6c8fd709f6e 100644 --- a/usr.sbin/rpki-client/validate.c +++ b/usr.sbin/rpki-client/validate.c @@ -1,4 +1,4 @@ -/* $OpenBSD: validate.c,v 1.4 2019/06/19 16:30:37 deraadt Exp $ */ +/* $OpenBSD: validate.c,v 1.5 2019/10/08 10:04:36 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> * 
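Review bot: In tal_parse() the suffix test `strcasecmp(d + dlen - 4, ".tal")` computes a pointer before the start of the string when the basename is shorter than four characters, which is undefined behaviour and an out-of-bounds read on a path the operator controls (`rpki-client -t x`). Guard the length first: `if (dlen >= 4 && strcasecmp(d + dlen - 4, ".tal") == 0)`. A file named exactly `.tal` would also end up with an empty description that then appears as `"ta": ""` in the JSON output; treating that case as "keep the full name" avoids an empty identifier. On OpenBSD basename() returns a pointer into static storage, which is fine here because the bytes are copied immediately, but a comment saying so would save the next porter a surprise.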
@@ -234,7 +234,7 @@ valid_cert(const char *fn, const struct auth *auths, * the IP prefix is also contained. * Returns zero if not valid, non-zero if valid. */ -int +ssize_t valid_roa(const char *fn, const struct auth *auths, size_t authsz, const struct roa *roa) { @@ -244,7 +244,7 @@ valid_roa(const char *fn, const struct auth *auths, c = valid_ski_aki(fn, auths, authsz, roa->ski, roa->aki); if (c < 0) - return 0; + return -1; for (i = 0; i < roa->ipsz; i++) { pp = valid_ip(c, roa->ips[i].afi, roa->ips[i].min, @@ -256,8 +256,8 @@ valid_roa(const char *fn, const struct auth *auths, warnx("%s: RFC 6482: uncovered IP: " "%s", fn, buf); tracewarn(c, auths, authsz); - return 0; + return -1; } - return 1; + return c; } |
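Review bot: The comment immediately above valid_roa() still says "Returns zero if not valid, non-zero if valid", but the function now returns `ssize_t` with `-1` for invalid and the index into `auths` of the issuing authority for valid, and proc_parser_roa() relies on that index to look up the TAL name. A caller who trusts the old comment and tests the result as a boolean would treat index 0 (the first trust anchor) as invalid. Replace it with ` * Returns the index into "auths" of the certificate that validates the ROA, or -1 if not valid.` so the contract matches valid_cert() and valid_ta() beside it.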