From: pcarana Date: Mon, 22 Jul 2019 19:49:28 +0000 (-0500) Subject: Use SPKI length constant (in BGPsec certs is always 91 bytes long) X-Git-Tag: v1.1.0~1^2~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9029dd6b1fc3dfca072f2ca67e0d15fc4061b134;p=thirdparty%2FFORT-validator.git Use SPKI length constant (in BGPsec certs is always 91 bytes long) --- diff --git a/src/object/bgpsec.c b/src/object/bgpsec.c index d2ef8ad1..f3dd84c2 100644 --- a/src/object/bgpsec.c +++ b/src/object/bgpsec.c @@ -6,7 +6,6 @@ struct resource_params { unsigned char const *ski; unsigned char const *spk; - size_t spk_len; struct resources *resources; }; @@ -19,8 +18,7 @@ asn_cb(unsigned long asn, void *arg) return pr_err("BGPsec certificate is not allowed for ASN %lu.", asn); - return vhandler_handle_bgpsec(params->ski, asn, params->spk, - params->spk_len); + return vhandler_handle_bgpsec(params->ski, asn, params->spk); } int @@ -28,7 +26,7 @@ handle_bgpsec(X509 *cert, unsigned char const *ski, struct resources *resources) { struct resource_params res_params; X509_PUBKEY *pub_key; - unsigned char const *cert_spk; + unsigned char *cert_spk, *tmp; int cert_spk_len; int ok; @@ -36,17 +34,21 @@ handle_bgpsec(X509 *cert, unsigned char const *ski, struct resources *resources) if (pub_key == NULL) return crypto_err("X509_get_X509_PUBKEY() returned NULL at BGPsec"); - ok = X509_PUBKEY_get0_param(NULL, &cert_spk, &cert_spk_len, NULL, - pub_key); - if (!ok) - return crypto_err("X509_PUBKEY_get0_param() returned %d at BGPsec", - ok); + cert_spk = malloc(RK_SPKI_LEN); + if (cert_spk == NULL) + return pr_enomem(); + + /* Use a temporal pointer, since i2d_X509_PUBKEY moves it */ + tmp = cert_spk; + cert_spk_len = i2d_X509_PUBKEY(pub_key, &tmp); + if(cert_spk_len < 0) + return crypto_err("i2d_X509_PUBKEY() returned error"); res_params.spk = cert_spk; - res_params.spk_len = cert_spk_len; res_params.ski = ski; res_params.resources = resources; ok = resources_foreach_asn(resources, asn_cb, &res_params); + free(cert_spk); return ok; } diff --git a/src/object/router_key.c b/src/object/router_key.c index 81ca8102..1664e50b 100644 --- a/src/object/router_key.c +++ b/src/object/router_key.c @@ -5,9 +5,8 @@ struct sk_info { unsigned char *ski; - /* SKI length its constant (see RK_SKI_LEN) */ + /* Lengths are constant (see RK_SKI_LEN, RK_SPKI_LEN) */ unsigned char *spk; - size_t spk_len; unsigned int references; }; @@ -26,7 +25,7 @@ uchar_create(unsigned char **result, size_t size) int router_key_init(struct router_key *key, unsigned char const *ski, - uint32_t as, unsigned char const *spk, size_t spk_len) + uint32_t as, unsigned char const *spk) { struct sk_info *sk; int error; @@ -41,7 +40,7 @@ router_key_init(struct router_key *key, unsigned char const *ski, return pr_enomem(); } - error = uchar_create(&sk->spk, spk_len); + error = uchar_create(&sk->spk, RK_SPKI_LEN); if (error) { free(sk->ski); free(sk); @@ -50,9 +49,8 @@ router_key_init(struct router_key *key, unsigned char const *ski, memcpy(sk->ski, ski, RK_SKI_LEN); sk->ski[RK_SKI_LEN] = '\0'; - memcpy(sk->spk, spk, spk_len); - sk->spk[spk_len] = '\0'; - sk->spk_len = spk_len; + memcpy(sk->spk, spk, RK_SPKI_LEN); + sk->spk[RK_SPKI_LEN] = '\0'; sk->references = 1; key->as = as; @@ -95,9 +93,3 @@ sk_info_get_spk(struct sk_info *sk) { return sk->spk; } - -size_t -sk_info_get_spk_len(struct sk_info *sk) -{ - return sk->spk_len; -} diff --git a/src/object/router_key.h b/src/object/router_key.h index a6b612da..e070f142 100644 --- a/src/object/router_key.h +++ b/src/object/router_key.h @@ -10,6 +10,16 @@ */ #define RK_SKI_LEN 20 +/* + * SPKI (subjectPublicKeyInfo) is 91 bytes long (considering TLVs): + * SEQUENCE subjectPublicKeyInfo: 2 (Tag & Length) + 89 (Value) + * Public key: 2 (TL) + 65 (V) + * SEQUENCE Algorithm: 2 (TL) + 19 (V) + * Algorithm OID: 2 (TL) + 7 (V) [oid: 1.2.840.10045.2.1] + * Algorithm param: 2 (TL) + 8 (V) [oid: 1.2.840.10045.3.1.7] + */ +#define RK_SPKI_LEN 91 + /* * Subject key info with ref counter, use getters to fetch its data */ @@ -24,7 +34,7 @@ struct router_key { }; int router_key_init(struct router_key *, unsigned char const *, uint32_t, - unsigned char const *, size_t); + unsigned char const *); void router_key_cleanup(struct router_key *); void sk_info_refget(struct sk_info *); @@ -32,6 +42,5 @@ void sk_info_refput(struct sk_info *); unsigned char *sk_info_get_ski(struct sk_info *); unsigned char *sk_info_get_spk(struct sk_info *); -size_t sk_info_get_spk_len(struct sk_info *); #endif /* SRC_OBJECT_ROUTER_KEY_H_ */ diff --git a/src/output_printer.c b/src/output_printer.c index dd327297..aa460dbb 100644 --- a/src/output_printer.c +++ b/src/output_printer.c @@ -111,8 +111,7 @@ print_router_key(struct router_key const *key, void *arg) error = print_to_hex(sk_info_get_ski(key->sk), RK_SKI_LEN, &buf1); if (error) return error; - error = print_to_hex(sk_info_get_spk(key->sk), - sk_info_get_spk_len(key->sk), &buf2); + error = print_to_hex(sk_info_get_spk(key->sk),RK_SPKI_LEN, &buf2); if (error) return error; fprintf(out, "AS%u,%s,%s\n", key->as, buf1, buf2); diff --git a/src/rtr/db/db_table.c b/src/rtr/db/db_table.c index 7c8438f4..f2cca92f 100644 --- a/src/rtr/db/db_table.c +++ b/src/rtr/db/db_table.c @@ -165,7 +165,7 @@ duplicate_key(struct db_table *dst, struct hashable_key *new) struct sk_info *sk = new->data.sk; return rtrhandler_handle_router_key(dst, sk_info_get_ski(sk), - new->data.as, sk_info_get_spk(sk), sk_info_get_spk_len(sk)); + new->data.as, sk_info_get_spk(sk)); } #define MERGE_ITER(table_prop, name, err_var) \ @@ -279,8 +279,7 @@ rtrhandler_handle_roa_v6(struct db_table *table, uint32_t asn, int rtrhandler_handle_router_key(struct db_table *table, - unsigned char const *ski, uint32_t as, unsigned char const *spk, - size_t spk_len) + unsigned char const *ski, uint32_t as, unsigned char const *spk) { struct hashable_key *key; int error; @@ -291,7 +290,7 @@ rtrhandler_handle_router_key(struct db_table *table, /* Needed by uthash */ memset(key, 0, sizeof(struct hashable_key)); - error = router_key_init(&key->data, ski, as, spk, spk_len); + error = router_key_init(&key->data, ski, as, spk); if (error) { free(key); return error; diff --git a/src/rtr/db/db_table.h b/src/rtr/db/db_table.h index 178bc668..0a475aa5 100644 --- a/src/rtr/db/db_table.h +++ b/src/rtr/db/db_table.h @@ -22,7 +22,7 @@ int rtrhandler_handle_roa_v4(struct db_table *, uint32_t, int rtrhandler_handle_roa_v6(struct db_table *, uint32_t, struct ipv6_prefix const *, uint8_t); int rtrhandler_handle_router_key(struct db_table *, unsigned char const *, - uint32_t, unsigned char const *, size_t); + uint32_t, unsigned char const *); int compute_deltas(struct db_table *, struct db_table *, struct deltas **); #endif /* SRC_RTR_DB_DB_TABLE_H_ */ diff --git a/src/rtr/db/vrps.c b/src/rtr/db/vrps.c index b8a03bd5..3161e459 100644 --- a/src/rtr/db/vrps.c +++ b/src/rtr/db/vrps.c @@ -115,9 +115,9 @@ __handle_roa_v6(uint32_t as, struct ipv6_prefix const * prefix, int __handle_bgpsec(unsigned char const *ski, uint32_t as, unsigned char const *spk, - size_t spk_len, void *arg) + void *arg) { - return rtrhandler_handle_router_key(arg, ski, as, spk, spk_len); + return rtrhandler_handle_router_key(arg, ski, as, spk); } static int diff --git a/src/rtr/pdu_sender.c b/src/rtr/pdu_sender.c index 3d2ff749..9bda1c6e 100644 --- a/src/rtr/pdu_sender.c +++ b/src/rtr/pdu_sender.c @@ -179,11 +179,11 @@ send_router_key_pdu(int fd, uint8_t version, pdu.ski_len = RK_SKI_LEN; pdu.asn = router_key->as; pdu.spki = sk_info_get_spk(router_key->sk); - pdu.spki_len = sk_info_get_spk_len(router_key->sk); + pdu.spki_len = RK_SPKI_LEN; pdu.header.length = RTRPDU_HDR_LEN + RK_SKI_LEN + sizeof(router_key->as) - + pdu.spki_len; + + RK_SPKI_LEN; sk_info_refget(router_key->sk); data = malloc(pdu.header.length); diff --git a/src/validation_handler.c b/src/validation_handler.c index c9cc3bf6..2c8410b4 100644 --- a/src/validation_handler.c +++ b/src/validation_handler.c @@ -55,7 +55,7 @@ vhandler_handle_roa_v6(uint32_t as, struct ipv6_prefix const *prefix, int vhandler_handle_bgpsec(unsigned char const *ski, uint32_t as, - unsigned char const *spk, size_t spk_len) + unsigned char const *spk) { struct validation_handler const *handler; int error; @@ -65,6 +65,6 @@ vhandler_handle_bgpsec(unsigned char const *ski, uint32_t as, return error; return (handler->handle_bgpsec != NULL) - ? handler->handle_bgpsec(ski, as, spk, spk_len, handler->arg) + ? handler->handle_bgpsec(ski, as, spk, handler->arg) : 0; } diff --git a/src/validation_handler.h b/src/validation_handler.h index 91651220..3feac996 100644 --- a/src/validation_handler.h +++ b/src/validation_handler.h @@ -31,7 +31,7 @@ struct validation_handler { void *); /** Called every time Fort has successfully validated a BGPsec cert */ int (*handle_bgpsec)(unsigned char const *, uint32_t, - unsigned char const *, size_t, void *); + unsigned char const *, void *); /** Generic user-defined argument for the functions above. */ void *arg; }; @@ -39,6 +39,6 @@ struct validation_handler { int vhandler_handle_roa_v4(uint32_t, struct ipv4_prefix const *, uint8_t); int vhandler_handle_roa_v6(uint32_t, struct ipv6_prefix const *, uint8_t); int vhandler_handle_bgpsec(unsigned char const *, uint32_t, - unsigned char const *, size_t); + unsigned char const *); #endif /* SRC_VALIDATION_HANDLER_H_ */