mirror of https://github.com/openbsd/src.git synced 2025-01-10 06:47:55 -08:00

Further simplify cert and auth handling. Move common code into auth_insert

and skip this distinction between invalid and failed certificates.
The difference between the two is getting more and more blurry.
OK tb@
This commit is contained in:
claudio 2021-11-01 17:00:34 +00:00
parent 6af37010bb
commit 198a05209c
6 changed files with 65 additions and 71 deletions


@ -1,4 +1,4 @@
/* $OpenBSD: cert.c,v 1.43 2021/10/28 09:02:19 beck Exp $ */
/* $OpenBSD: cert.c,v 1.44 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -1256,7 +1256,6 @@ cert_buffer(struct ibuf *b, const struct cert *p)
{
size_t i;
io_simple_buffer(b, &p->valid, sizeof(int));
io_simple_buffer(b, &p->expires, sizeof(time_t));
io_simple_buffer(b, &p->purpose, sizeof(enum cert_purpose));
io_simple_buffer(b, &p->ipsz, sizeof(size_t));
@ -1319,7 +1318,6 @@ cert_read(struct ibuf *b)
if ((p = calloc(1, sizeof(struct cert))) == NULL)
err(1, NULL);
io_read_buf(b, &p->valid, sizeof(int));
io_read_buf(b, &p->expires, sizeof(time_t));
io_read_buf(b, &p->purpose, sizeof(enum cert_purpose));
io_read_buf(b, &p->ipsz, sizeof(size_t));
@ -1365,6 +1363,24 @@ auth_find(struct auth_tree *auths, const char *aki)
return RB_FIND(auth_tree, auths, &a);
}
int
auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent)
{
struct auth *na;
na = malloc(sizeof(*na));
if (na == NULL)
err(1, NULL);
na->parent = parent;
na->cert = cert;
if (RB_INSERT(auth_tree, auths, na) != NULL)
err(1, "auth tree corrupted");
return 1;
}
static inline int
authcmp(struct auth *a, struct auth *b)
{
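Review bot: auth_insert, new in this hunk, has no header comment, and its only non-fatal outcome is `return 1`, so the int return advertises a failure convention that is never exercised; the caller-side `if (!auth_insert(...))` branches in parser.c are therefore unreachable. Suggest a comment above the definition such as `/* Link cert into the auth tree under parent; the tree stores the cert pointer, so cert must outlive the entry. Always returns 1: allocation failure and a duplicate key both terminate via err(). */`. Note that the duplicate-key case aborts the whole process rather than treating the second certificate as invalid; whether two validated certificates can ever collide depends on authcmp, whose body is cut off at the end of the hunk, so it is worth confirming this is the intended outcome for repository-supplied data.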


@ -1,4 +1,4 @@
/* $OpenBSD: extern.h,v 1.87 2021/11/01 09:12:18 claudio Exp $ */
/* $OpenBSD: extern.h,v 1.88 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@ -128,7 +128,6 @@ struct cert {
char *tal; /* basename of TAL for this cert */
enum cert_purpose purpose; /* Certificate Purpose (BGPSec or CA) */
char *pubkey; /* Subject Public Key Info */
int valid; /* validated resources */
X509 *x509; /* the cert */
time_t expires; /* do not use after */
};
@ -277,7 +276,8 @@ struct auth {
RB_HEAD(auth_tree, auth);
RB_PROTOTYPE(auth_tree, auth, entry, authcmp);
struct auth *auth_find(struct auth_tree *, const char *);
struct auth *auth_find(struct auth_tree *, const char *);
int auth_insert(struct auth_tree *, struct cert *, struct auth *);
/*
* Resource types specified by the RPKI profiles.
@ -359,8 +359,7 @@ struct stats {
size_t mfts_fail; /* failing syntactic parse */
size_t mfts_stale; /* stale manifests */
size_t certs; /* certificates */
size_t certs_fail; /* failing syntactic parse */
size_t certs_invalid; /* invalid resources */
size_t certs_fail; /* invalid certificate */
size_t roas; /* route origin authorizations */
size_t roas_fail; /* failing syntactic parse */
size_t roas_invalid; /* invalid resources */
@ -378,7 +377,6 @@ struct stats {
size_t del_files; /* number of files removed in cleanup */
size_t del_dirs; /* number of directories removed in cleanup */
size_t brks; /* number of BGPsec Router Key (BRK) certificates */
size_t brks_invalids; /* invalid BGPsec certs */
char *talnames;
struct timeval elapsed_time;
struct timeval user_time;
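Review bot: The new comment on certs_fail, `/* invalid certificate */`, is narrower than what the counter now holds: per the commit message the parse-failure and invalid cases are merged, and main.c also bumps it for an unrecognised purpose. Suggest `size_t certs_fail; /* failed parse or invalid */` so the field reads consistently next to the roas_fail/roas_invalid pair directly below it, which keeps the distinction. Both struct stats hunks in this section start and end inside the struct.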


@ -1,4 +1,4 @@
/* $OpenBSD: main.c,v 1.159 2021/10/31 16:00:14 claudio Exp $ */
/* $OpenBSD: main.c,v 1.160 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -497,24 +497,18 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree,
}
cert = cert_read(b);
if (cert->purpose == CERT_PURPOSE_CA) {
if (cert->valid) {
/*
* Process the revocation list from the
* certificate *first*, since it might mark that
* we're revoked and then we don't want to
* process the MFT.
*/
queue_add_from_cert(cert);
} else
st->certs_invalid++;
/*
* Process the revocation list from the
* certificate *first*, since it might mark that
* we're revoked and then we don't want to
* process the MFT.
*/
queue_add_from_cert(cert);
} else if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
if (cert->valid) {
cert_insert_brks(brktree, cert);
st->brks++;
} else
st->brks_invalids++;
cert_insert_brks(brktree, cert);
st->brks++;
} else
st->certs_invalid++;
st->certs_fail++;
cert_free(cert);
break;
case RTYPE_MFT:
@ -1184,10 +1178,9 @@ main(int argc, char *argv[])
(long long)stats.system_time.tv_sec);
logx("Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)",
stats.roas, stats.roas_fail, stats.roas_invalid);
logx("BGPsec Router Certificates: %zu (%zu invalid)",
stats.brks, stats.brks_invalids);
logx("Certificates: %zu (%zu failed parse, %zu invalid)",
stats.certs, stats.certs_fail, stats.certs_invalid);
logx("BGPsec Router Certificates: %zu", stats.brks);
logx("Certificates: %zu (%zu invalid)",
stats.certs, stats.certs_fail);
logx("Trust Anchor Locators: %zu", stats.tals);
logx("Manifests: %zu (%zu failed parse, %zu stale)",
stats.mfts, stats.mfts_fail, stats.mfts_stale);
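Review bot: With cert->valid gone, entity_process at the `cert = cert_read(b)` line can no longer tell a validated certificate from any other struct cert the parser hands back; the main process now relies entirely on proc_parser_cert returning NULL for anything that fails valid_cert(). That contract is only implied by the code, so a comment at the CA branch would help the next reader: `/* the parser only sends back certificates that passed valid_cert() */`. The unbraced `} else st->certs_fail++;` following two multi-line arms is also easy to misread; bracing all three arms is cheap. entity_process itself begins before this hunk.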


@ -1,4 +1,4 @@
/* $OpenBSD: output-json.c,v 1.20 2021/10/15 08:48:18 job Exp $ */
/* $OpenBSD: output-json.c,v 1.21 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
*
@ -47,9 +47,7 @@ outputheader_json(FILE *out, struct stats *st)
"\t\t\"failedroas\": %zu,\n"
"\t\t\"invalidroas\": %zu,\n"
"\t\t\"bgpsec_pubkeys\": %zu,\n"
"\t\t\"invalidbgpsec_pubkeys\": %zu,\n"
"\t\t\"certificates\": %zu,\n"
"\t\t\"failcertificates\": %zu,\n"
"\t\t\"invalidcertificates\": %zu,\n"
"\t\t\"tals\": %zu,\n"
"\t\t\"talfiles\": \"%s\",\n"
@ -67,8 +65,7 @@ outputheader_json(FILE *out, struct stats *st)
hn, tbuf, (long long)st->elapsed_time.tv_sec,
(long long)st->user_time.tv_sec, (long long)st->system_time.tv_sec,
st->roas, st->roas_fail, st->roas_invalid,
st->brks, st->brks_invalids,
st->certs, st->certs_fail, st->certs_invalid,
st->brks, st->certs, st->certs_fail,
st->tals, st->talnames,
st->mfts, st->mfts_fail, st->mfts_stale,
st->crls,
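Review bot: Removing the `invalidbgpsec_pubkeys` and `invalidcertificates` keys while keeping `failcertificates` for the merged counter is a silent compatibility break for anyone consuming this JSON; a consumer that summed the two certificate counters now gets the merged value under the old "failed parse" name. If the key is meant to stay, a comment at the format string such as `/* failcertificates: failed parse or invalid, no longer distinguished */` would at least record the change; otherwise renaming the key to match its new meaning is worth considering. The same loss of fields applies to the text header in output.c, where `(%zu invalid)` now covers parse failures too. The trailing arguments `st->brks, st->certs, st->certs_fail` do line up with the remaining %zu specifiers in this hunk.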


@ -1,4 +1,4 @@
/* $OpenBSD: output.c,v 1.22 2021/10/11 16:50:03 job Exp $ */
/* $OpenBSD: output.c,v 1.23 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Theo de Raadt <deraadt@openbsd.org>
*
@ -213,8 +213,8 @@ outputheader(FILE *out, struct stats *st)
"# Generated on host %s at %s\n"
"# Processing time %lld seconds (%lld seconds user, %lld seconds system)\n"
"# Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)\n"
"# BGPsec Router Certificates: %zu (%zu invalid)\n"
"# Certificates: %zu (%zu failed parse, %zu invalid)\n"
"# BGPsec Router Certificates: %zu\n"
"# Certificates: %zu (%zu invalid)\n"
"# Trust Anchor Locators: %zu (%s)\n"
"# Manifests: %zu (%zu failed parse, %zu stale)\n"
"# Certificate revocation lists: %zu\n"
@ -224,8 +224,7 @@ outputheader(FILE *out, struct stats *st)
hn, tbuf, (long long)st->elapsed_time.tv_sec,
(long long)st->user_time.tv_sec, (long long)st->system_time.tv_sec,
st->roas, st->roas_fail, st->roas_invalid,
st->brks, st->brks_invalids,
st->certs, st->certs_fail, st->certs_invalid,
st->brks, st->certs, st->certs_fail,
st->tals, st->talnames,
st->mfts, st->mfts_fail, st->mfts_stale,
st->crls,


@ -1,4 +1,4 @@
/* $OpenBSD: parser.c,v 1.22 2021/11/01 09:12:18 claudio Exp $ */
/* $OpenBSD: parser.c,v 1.23 2021/11/01 17:00:34 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -195,7 +195,7 @@ proc_parser_cert(const struct entity *entp, const unsigned char *der,
struct cert *cert;
X509 *x509;
int c;
struct auth *a = NULL, *na;
struct auth *a = NULL;
STACK_OF(X509) *chain;
STACK_OF(X509_CRL) *crls;
@ -237,28 +237,24 @@ proc_parser_cert(const struct entity *entp, const unsigned char *der,
sk_X509_free(chain);
sk_X509_CRL_free(crls);
if ((cert->tal = strdup(a->cert->tal)) == NULL)
err(1, NULL);
/* Validate the cert to get the parent */
if (!valid_cert(entp->file, &auths, cert)) {
X509_free(x509); // needed? XXX
return cert;
cert_free(cert);
return NULL;
}
/*
* Add validated certs to the RPKI auth tree.
*/
cert->valid = 1;
if ((cert->tal = strdup(a->cert->tal)) == NULL)
err(1, NULL);
na = malloc(sizeof(*na));
if (na == NULL)
err(1, NULL);
na->parent = a;
na->cert = cert;
if (RB_INSERT(auth_tree, &auths, na) != NULL)
err(1, "auth tree corrupted");
if (!auth_insert(&auths, cert, a)) {
X509_free(x509); // needed? XXX
cert_free(cert);
return NULL;
}
return cert;
}
@ -282,7 +278,6 @@ proc_parser_root_cert(const struct entity *entp, const unsigned char *der,
X509_NAME *name;
struct cert *cert;
X509 *x509;
struct auth *na;
assert(entp->has_data);
@ -327,27 +322,23 @@ proc_parser_root_cert(const struct entity *entp, const unsigned char *der,
goto badcert;
}
/*
* Add valid roots to the RPKI auth tree.
*/
cert->valid = 1;
if ((cert->tal = strdup(entp->descr)) == NULL)
err(1, NULL);
na = malloc(sizeof(*na));
if (na == NULL)
err(1, NULL);
na->parent = NULL;
na->cert = cert;
if (RB_INSERT(auth_tree, &auths, na) != NULL)
err(1, "auth tree corrupted");
/*
* Add valid roots to the RPKI auth tree.
*/
if (!auth_insert(&auths, cert, NULL)) {
X509_free(x509); // needed? XXX
cert_free(cert);
return NULL;
}
return cert;
badcert:
X509_free(x509); // needed? XXX
return cert;
cert_free(cert);
return NULL;
}
/*
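Review bot: The new `if (!auth_insert(&auths, cert, a))` failure paths in proc_parser_cert and proc_parser_root_cert are unreachable, because auth_insert as added in cert.c in this commit either returns 1 or exits through err(). Each of those paths also pairs `X509_free(x509); // needed? XXX` with `cert_free(cert)`, and struct cert carries an `X509 *x509` member; if cert_free releases that member and it is the same object as the local x509, the invalid-certificate path — exactly where untrusted input ends up — would free it twice, so the XXX deserves resolving rather than being copied into two more places. Suggested minimal change: drop the dead branches and replace each with a plain call and a comment, e.g. `auth_insert(&auths, cert, a); /* cannot fail: err()s on OOM or duplicate key */`. Both functions start before their hunks.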