/*	$OpenBSD: extern.h,v 1.236 2025/01/03 10:14:32 job Exp $ */
/*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#ifndef EXTERN_H
#define EXTERN_H

#include <sys/queue.h>
#include <sys/tree.h>
#include <sys/time.h>

#include <openssl/x509.h>
#include <openssl/x509v3.h>

/*
 * Compile-time assertion.  When x is false the declared array has size
 * -1, which the compiler rejects; when x is true the (unused) extern
 * declaration is harmless.
 */
#define CTASSERT(x) extern char  _ctassert[(x) ? 1 : -1 ] \
	    __attribute__((__unused__))

/*
 * Size limit, in bytes, for a single message; presumably enforced by the
 * io_* routines declared later in this header — confirm there.
 */
#define MAX_MSG_SIZE (50 * 1024 * 1024)

enum cert_as_type {
	CERT_AS_ID,	/* single identifier */
	CERT_AS_INHERIT,	/* inherit from issuer */
	CERT_AS_RANGE,	/* range of identifiers */
};

/*
 * An AS identifier range.
 * The maximum AS identifier is an unsigned 32 bit integer (RFC 6793).
 */
struct cert_as_range {
	uint32_t	 min;	/* minimum non-zero */
	uint32_t	 max;	/* maximum */
};

/*
 * An autonomous system (AS) object.
 * AS identifiers are unsigned 32 bit integers (RFC 6793).
 * Which union member is meaningful is selected by type: id for
 * CERT_AS_ID, range for CERT_AS_RANGE.  CERT_AS_INHERIT presumably uses
 * neither — confirm in the parser.
 */
struct cert_as {
	enum cert_as_type type;	/* type of AS specification */
	union {
		uint32_t id;	/* singular identifier */
		struct cert_as_range range;	/* range */
	};
};

/*
 * AFI values are assigned by IANA.
 * In rpki-client, we only accept the IPV4 and IPV6 AFI values.
 */
enum afi {
	AFI_IPV4 = 1,
	AFI_IPV6 = 2
};

/*
 * An IP address as parsed from RFC 3779, section 2.2.3.8.
 * This is either in a certificate or an ROA.
 * It may either be IPv4 or IPv6.
 * The 16-byte buffer accommodates both families; only the first
 * prefixlen bits are significant.  NOTE(review): whether the trailing
 * unused bits are guaranteed zero is not visible here — confirm in
 * ip_addr_parse().
 */
struct ip_addr {
	unsigned char	 addr[16];	/* binary address prefix */
	unsigned char	 prefixlen;	/* number of valid bits in address */
};

/*
 * An IP address (IPv4 or IPv6) range starting at the minimum and making
 * its way to the maximum.
 */
struct ip_addr_range {
	struct ip_addr	 min;	/* minimum ip */
	struct ip_addr	 max;	/* maximum ip */
};

enum cert_ip_type {
	CERT_IP_ADDR,	/* IP address range w/shared prefix */
	CERT_IP_INHERIT,	/* inherited IP address */
	CERT_IP_RANGE	/* range of IP addresses */
};

/*
 * A single IP address family (AFI, address or range) as defined in RFC
 * 3779, 2.2.3.2.
 * The RFC specifies multiple address or ranges per AFI; this structure
 * encodes both the AFI and a single address or range.
 * The union member in use is selected by type (ip for CERT_IP_ADDR,
 * range for CERT_IP_RANGE).  min/max carry the expanded bounds of either
 * form; presumably filled in by ip_cert_compose_ranges() declared later
 * in this header — confirm there.
 */
struct cert_ip {
	enum afi	 afi;	/* AFI value */
	enum cert_ip_type type;	/* type of IP entry */
	unsigned char	 min[16];	/* full range minimum */
	unsigned char	 max[16];	/* full range maximum */
	union {
		struct ip_addr ip;	/* singular address */
		struct ip_addr_range range;	/* range */
	};
};

/*
 * Role a certificate is allowed to play; produced by x509_get_purpose()
 * and rendered by purpose2str(), both declared later in this header.
 * CERT_PURPOSE_INVALID is presumably the "none of the below" value.
 */
enum cert_purpose {
	CERT_PURPOSE_INVALID,
	CERT_PURPOSE_TA,
	CERT_PURPOSE_CA,
	CERT_PURPOSE_EE,
	CERT_PURPOSE_BGPSEC_ROUTER,
};

/*
 * Parsed components of a validated X509 certificate stipulated by RFC
 * 6847 and further (within) by RFC 3779.
 * All AS numbers are guaranteed to be non-overlapping and properly
 * inheriting.
 * Heap-allocated; presumably released as a whole with cert_free()
 * (declared later in this header) — confirm there.
 */
struct cert {
	struct cert_ip	*ips;	/* list of IP address ranges */
	size_t		 num_ips;	/* number of entries in ips */
	struct cert_as	*ases;	/* list of AS numbers and ranges */
	size_t		 num_ases;	/* number of entries in ases */
	int		 talid;	/* cert is covered by which TAL */
	int		 certid;	/* certificate id; see CERTID_MAX below */
	unsigned int	 repoid;	/* repository of this cert file */
	char		*repo;	/* CA repository (rsync:// uri) */
	char		*mft;	/* manifest (rsync:// uri) */
	char		*notify;	/* RRDP notify (https:// uri) */
	char		*crl;	/* CRL location (rsync:// or NULL) */
	char		*aia;	/* AIA (or NULL, for trust anchor) */
	char		*aki;	/* AKI (or NULL, for trust anchor) */
	char		*ski;	/* SKI */
	enum cert_purpose purpose;	/* BGPSec or CA */
	char		*pubkey;	/* Subject Public Key Info */
	X509		*x509;	/* the cert */
	time_t		 notbefore;	/* cert's Not Before */
	time_t		 notafter;	/* cert's Not After */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * The TAL file conforms to RFC 7730.
 * It is the top-level structure of RPKI and defines where we can find
 * certificates for TAs (trust anchors).
 * It also includes the public key for verifying those trust anchor
 * certificates.
 */
struct tal {
	char		**uri;	/* well-formed rsync URIs */
	size_t		 num_uris;	/* number of entries in uri */
	unsigned char	*pkey;	/* DER-encoded public key */
	size_t		 pkeysz;	/* length of pkey */
	char		*descr;	/* basename of tal file */
	int		 id;	/* ID of this TAL */
};

/*
 * Resource types specified by the RPKI profiles.
 * There might be others we don't consider.
 * RTYPE_INVALID is presumably what rtype_from_file_extension() (declared
 * later in this header) yields for an unrecognised extension.
 */
enum rtype {
	RTYPE_INVALID,
	RTYPE_TAL,
	RTYPE_MFT,
	RTYPE_ROA,
	RTYPE_CER,
	RTYPE_CRL,
	RTYPE_GBR,
	RTYPE_REPO,
	RTYPE_FILE,
	RTYPE_RSC,
	RTYPE_ASPA,
	RTYPE_TAK,
	RTYPE_GEOFEED,
	RTYPE_SPL,
};

/*
 * Which on-disk directory a file currently lives in; see struct entity
 * and struct mftfile below.
 */
enum location {
	DIR_UNKNOWN,
	DIR_TEMP,
	DIR_VALID,
};

/*
 * Files specified in an MFT have their bodies hashed with SHA256.
 */
struct mftfile {
	char		*file;	/* filename (CER/ROA/CRL, no path) */
	enum rtype	 type;	/* file type as determined by extension */
	enum location	 location;	/* temporary or valid directory */
	unsigned char	 hash[SHA256_DIGEST_LENGTH];	/* sha256 of body (binary) */
};

/*
 * A manifest, RFC 6486.
 * This consists of a bunch of files found in the same directory as the
 * manifest file.
 */
struct mft {
	char		*path;	/* relative path to directory of the MFT */
	struct mftfile	*files;	/* file and hash */
	char		*seqnum;	/* manifestNumber, as text (see x509_convert_seqnum()) */
	char		*aia;	/* AIA */
	char		*aki;	/* AKI */
	char		*sia;	/* SIA signedObject */
	char		*ski;	/* SKI */
	char		*crl;	/* CRL file name */
	unsigned char	 mfthash[SHA256_DIGEST_LENGTH];	/* binary sha256, presumably of this MFT file */
	unsigned char	 crlhash[SHA256_DIGEST_LENGTH];	/* binary sha256, presumably of the file named in crl */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 thisupdate;	/* from the eContent */
	time_t		 nextupdate;	/* from the eContent */
	time_t		 expires;	/* when the signature path expires */
	size_t		 filesz;	/* number of filenames */
	unsigned int	 repoid;	/* repository of this MFT */
	int		 talid;	/* MFT is covered by which TAL */
	int		 certid;
	int		 seqnum_gap;	/* was there a gap compared to prev mft? */
};

/*
 * An IP address prefix for a given ROA.
 * This encodes the maximum length, AFI (v6/v4), and address.
 * FIXME: are the min/max necessary or just used in one place?
 */
struct roa_ip {
	enum afi	 afi;	/* AFI value */
	struct ip_addr	 addr;	/* the address prefix itself */
	unsigned char	 min[16];	/* full range minimum */
	unsigned char	 max[16];	/* full range maximum */
	unsigned char	 maxlength;	/* max length or zero */
};

/*
 * An ROA, RFC 6482.
 * This consists of the concerned ASID and its IP prefixes.
 */
struct roa {
	uint32_t	 asid;	/* asID of ROA (if 0, RFC 6483 sec 4) */
	struct roa_ip	*ips;	/* IP prefixes */
	size_t		 num_ips;	/* number of entries in ips */
	int		 talid;	/* ROAs are covered by which TAL */
	int		 valid;	/* validated resources */
	char		*aia;	/* AIA */
	char		*aki;	/* AKI */
	char		*sia;	/* SIA signedObject */
	char		*ski;	/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* EE cert's Not After */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * One FileNameAndHash entry of an RSC; see MAX_CHECKLIST_ENTRIES below.
 */
struct rscfile {
	char		*filename;	/* an optional filename on the checklist */
	unsigned char	 hash[SHA256_DIGEST_LENGTH];	/* the digest */
};

/*
 * A Signed Checklist (RSC)
 */
struct rsc {
	int		 talid;	/* RSC covered by what TAL */
	int		 valid;	/* eContent resources covered by EE's 3779? */
	struct cert_ip	*ips;	/* IP prefixes */
	size_t		 num_ips;	/* number of entries in ips */
	struct cert_as	*ases;	/* AS resources */
	size_t		 num_ases;	/* number of entries in ases */
	struct rscfile	*files;	/* FileAndHashes in the RSC */
	size_t		 num_files;	/* number of entries in files */
	char		*aia;	/* AIA */
	char		*aki;	/* AKI */
	char		*ski;	/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* Not After of the RSC EE */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * An IP address prefix in a given SignedPrefixList.
 */
struct spl_pfx {
	enum afi	 afi;	/* AFI value */
	struct ip_addr	 prefix;	/* the prefix itself */
};

/*
 * An SPL, draft-ietf-sidrops-rpki-prefixlist
 * This consists of an ASID and its IP prefixes.
 */
struct spl {
	uint32_t	 asid;	/* asID of the SPL */
	struct spl_pfx	*prefixes;	/* IP prefixes */
	size_t		 num_prefixes;	/* number of entries in prefixes */
	int		 talid;	/* SPL is covered by which TAL */
	char		*aia;	/* AIA */
	char		*aki;	/* AKI */
	char		*sia;	/* SIA signedObject */
	char		*ski;	/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* EE cert's Not After */
	time_t		 expires;	/* when the certification path expires */
	int		 valid;	/* validated resources (cf. struct roa) */
};

/*
 * Datastructure representing the TAKey sequence inside TAKs.
 */
struct takey {
	char		**comments;	/* Comments */
	size_t		 num_comments;	/* number of entries in comments */
	char		**uris;	/* CertificateURI */
	size_t		 num_uris;	/* number of entries in uris */
	unsigned char	*pubkey;	/* DER encoded SubjectPublicKeyInfo */
	size_t		 pubkeysz;	/* length of pubkey */
	char		*ski;	/* hex encoded SubjectKeyIdentifier of pubkey */
};

/*
 * A Signed TAL (TAK) draft-ietf-sidrops-signed-tal-12
 * predecessor/successor are pointers and so may be NULL when absent —
 * presumably; confirm in tak_parse().
 */
struct tak {
	int		 talid;	/* TAK covered by what TAL */
	struct takey	*current;
	struct takey	*predecessor;
	struct takey	*successor;
	char		*aia;	/* AIA */
	char		*aki;	/* AKI */
	char		*sia;	/* SIA signed Object */
	char		*ski;	/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* Not After of the TAK EE */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * A single geofeed record
 */
struct geoip {
	struct cert_ip	*ip;	/* prefix of the record */
	char		*loc;	/* location text of the record */
};

/*
 * A geofeed file
 */
struct geofeed {
	struct geoip	*geoips;	/* Prefix + location entry in the CSV */
	size_t		 num_geoips;	/* number of entries in geoips */
	char		*aia;	/* AIA */
	char		*aki;	/* AKI */
	char		*ski;	/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* Not After of the Geofeed EE */
	time_t		 expires;	/* when the signature path expires */
	int		 valid;	/* all resources covered */
};

/*
 * A single Ghostbuster record
 */
struct gbr {
	char		*vcard;	/* the record payload; presumably vCard text */
	char		*aia;	/* AIA */
	char		*aki;	/* AKI */
	char		*sia;	/* SIA signedObject */
	char		*ski;	/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* Not After of the GBR EE */
	time_t		 expires;	/* when the signature path expires */
	int		 talid;	/* TAL the GBR is chained up to */
};

/*
 * A single ASPA record
 */
struct aspa {
	int		 valid;	/* contained in issuer auth */
	int		 talid;	/* TAL the ASPA is chained up to */
	char		*aia;	/* AIA */
	char		*aki;	/* AKI */
	char		*sia;	/* SIA signedObject */
	char		*ski;	/* SKI */
	uint32_t	 custasid;	/* the customerASID */
	uint32_t	*providers;	/* the providers */
	size_t		 num_providers;	/* number of entries in providers; see MAX_ASPA_PROVIDERS */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* notAfter of the ASPA EE cert */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * A Validated ASPA Payload (VAP) tree element.
 * To ease transformation, this struct mimics ASPA RTR PDU structure.
 */
struct vap {
	RB_ENTRY(vap)	 entry;
	uint32_t	 custasid;	/* the customerASID */
	uint32_t	*providers;	/* the providers */
	size_t		 num_providers;	/* number of entries in providers */
	time_t		 expires;	/* transitive expiry moment */
	int		 talid;	/* covered by which TAL */
	unsigned int	 repoid;
	int		 overflowed;	/* too many providers; counted in repotalstats.vaps_overflowed */
};

/*
 * Tree of VAPs sorted by afi, custasid, and provideras.
 * NOTE(review): struct vap has no afi member, so the key named here does
 * not match the struct — confirm against vapcmp().
 */
RB_HEAD(vap_tree, vap);
RB_PROTOTYPE(vap_tree, vap, entry, vapcmp);

/*
 * A single VRP element (including ASID)
 */
struct vrp {
	RB_ENTRY(vrp)	 entry;
	struct ip_addr	 addr;	/* the prefix */
	uint32_t	 asid;	/* the origin AS */
	enum afi	 afi;	/* AFI value */
	unsigned char	 maxlength;	/* max length (cf. struct roa_ip) */
	time_t		 expires;	/* transitive expiry moment */
	int		 talid;	/* covered by which TAL */
	unsigned int	 repoid;
};
/*
 * Tree of VRP sorted by afi, addr, maxlength and asid
 */
RB_HEAD(vrp_tree, vrp);
RB_PROTOTYPE(vrp_tree, vrp, entry, vrpcmp);

/*
 * Validated SignedPrefixList Payload
 * A single VSP element (including ASID)
 * draft-ietf-sidrops-rpki-prefixlist
 */
struct vsp {
	RB_ENTRY(vsp)	 entry;
	uint32_t	 asid;	/* asID of the SPL */
	struct spl_pfx	*prefixes;	/* IP prefixes */
	size_t		 num_prefixes;	/* number of entries in prefixes */
	time_t		 expires;	/* transitive expiry moment */
	int		 talid;	/* covered by which TAL */
	unsigned int	 repoid;
};
/*
 * Tree of VSP sorted by asid
 */
RB_HEAD(vsp_tree, vsp);
RB_PROTOTYPE(vsp_tree, vsp, entry, vspcmp);

/*
 * A single BGPsec Router Key (including ASID)
 */
struct brk {
	RB_ENTRY(brk)	 entry;
	uint32_t	 asid;
	int		 talid;	/* covered by which TAL */
	char		*ski;	/* Subject Key Identifier */
	char		*pubkey;	/* Subject Public Key Info */
	time_t		 expires;	/* transitive expiry moment */
};
/*
 * Tree of BRK sorted by asid
 */
RB_HEAD(brk_tree, brk);
RB_PROTOTYPE(brk_tree, brk, entry, brkcmp);

/*
 * A single CRL
 */
struct crl {
	RB_ENTRY(crl)	 entry;
	char		*aki;	/* AKI */
	char		*mftpath;	/* path of the MFT naming this CRL — presumably */
	X509_CRL	*x509_crl;	/* the parsed CRL */
	time_t		 thisupdate;	/* do not use before */
	time_t		 nextupdate;	/* do not use after */
};
/*
 * Tree of CRLs sorted by uri
 * NOTE(review): struct crl has no uri member; the comparator is not
 * prototyped here — confirm the actual key in crl.c.
 */
RB_HEAD(crl_tree, crl);

/*
 * An authentication tuple.
 * This specifies a public key and a subject key identifier used to
 * verify children nodes in the tree of entities.
 */
struct auth {
	RB_ENTRY(auth)	 entry;
	struct cert	*cert;	/* owner information */
	struct auth	*issuer;	/* pointer to issuer or NULL for TA cert */
	int		 any_inherits;	/* cf. x509_any_inherits() below */
	int		 depth;	/* distance from the TA; presumably bounded by MAX_CERT_DEPTH */
};
/*
 * Tree of auth sorted by ski
 * (presumably cert->ski, as struct auth itself has no ski member)
 */
RB_HEAD(auth_tree, auth);

/*
 * NOTE(review): the int argument of auth_find() and the const char *
 * argument of auth_insert() are not named; confirm their meaning in
 * the implementation before relying on them.
 */
struct auth	*auth_find(struct auth_tree *, int);
struct auth	*auth_insert(const char *, struct auth_tree *, struct cert *,
		    struct auth *);

enum http_result {
	HTTP_FAILED,	/* anything else */
	HTTP_OK,	/* 200 OK */
	HTTP_NOT_MOD,	/* 304 Not Modified */
};

/*
 * Message types for communication with RRDP process.
 */
enum rrdp_msg {
	RRDP_START,
	RRDP_SESSION,
	RRDP_FILE,
	RRDP_CLEAR,
	RRDP_END,
	RRDP_HTTP_REQ,
	RRDP_HTTP_INI,
	RRDP_HTTP_FIN,
	RRDP_ABORT,
};

/* Maximum number of delta files per RRDP notification file. */
#define MAX_RRDP_DELTAS 300

/*
 * RRDP session state, needed to pickup at the right spot on next run.
 * deltas is a fixed-size array of MAX_RRDP_DELTAS pointers; unused
 * slots are presumably NULL — confirm in rrdp_session_read().
 */
struct rrdp_session {
	char		*last_mod;
	char		*session_id;
	long long	 serial;
	char		*deltas[MAX_RRDP_DELTAS];
};

/*
 * File types used in RRDP_FILE messages.
 */
enum publish_type {
	PUB_ADD,
	PUB_UPD,
	PUB_DEL,
};

/*
 * An entity (MFT, ROA, certificate, etc.) that needs to be downloaded
 * and parsed.
 */
struct entity {
	TAILQ_ENTRY(entity) entries;
	char		*path;	/* path relative to repository */
	char		*file;	/* filename or valid repo path */
	char		*mftaki;	/* expected AKI (taken from Manifest) */
	unsigned char	*data;	/* optional data blob */
	size_t		 datasz;	/* length of optional data blob */
	unsigned int	 repoid;	/* repository identifier */
	int		 talid;	/* tal identifier */
	int		 certid;
	enum rtype	 type;	/* type of entity (not RTYPE_EOF) */
	enum location	 location;	/* which directory the file lives in */
};
TAILQ_HEAD(entityq, entity);

/*
 * Statistic counters selectable through repo_stat_inc() below.
 */
enum stype {
	STYPE_OK,
	STYPE_FAIL,
	STYPE_INVALID,
	STYPE_BGPSEC,
	STYPE_TOTAL,
	STYPE_UNIQUE,
	STYPE_DEC_UNIQUE,
	STYPE_PROVIDERS,
	STYPE_OVERFLOW,
	STYPE_SEQNUM_GAP,
};

/*
 * Opaque to the rest of the program: only ever handled through pointers
 * and the repo_*/filepath_* functions declared later in this header.
 */
struct repo;
struct filepath;
RB_HEAD(filepath_tree, filepath);


/*
 * Statistics collected during run-time.
 */
struct repotalstats {
	uint32_t	 certs;	/* certificates */
	uint32_t	 certs_fail;	/* invalid certificate */
	uint32_t	 mfts;	/* total number of manifests */
	uint32_t	 mfts_gap;	/* manifests with sequence gaps */
	uint32_t	 mfts_fail;	/* failing syntactic parse */
	uint32_t	 roas;	/* route origin authorizations */
	uint32_t	 roas_fail;	/* failing syntactic parse */
	uint32_t	 roas_invalid;	/* invalid resources */
	uint32_t	 aspas;	/* ASPA objects */
	uint32_t	 aspas_fail;	/* ASPA objects failing syntactic parse */
	uint32_t	 aspas_invalid;	/* ASPAs with invalid customerASID */
	uint32_t	 brks;	/* number of BGPsec Router Key (BRK) certs */
	uint32_t	 crls;	/* revocation lists */
	uint32_t	 gbrs;	/* ghostbuster records */
	uint32_t	 taks;	/* signed TAL objects */
	uint32_t	 vaps;	/* total number of Validated ASPA Payloads */
	uint32_t	 vaps_uniqs;	/* total number of unique VAPs */
	uint32_t	 vaps_pas;	/* total number of providers */
	uint32_t	 vaps_overflowed;	/* VAPs with too many providers */
	uint32_t	 vrps;	/* total number of Validated ROA Payloads */
	uint32_t	 vrps_uniqs;	/* number of unique vrps */
	uint32_t	 spls;	/* signed prefix list */
	uint32_t	 spls_fail;	/* failing syntactic parse */
	uint32_t	 spls_invalid;	/* invalid spls */
	uint32_t	 vsps;	/* total number of Validated SPL Payloads */
	uint32_t	 vsps_uniqs;	/* number of unique vsps */
};

struct repostats {
	uint32_t	 del_files;	/* number of files removed in cleanup */
	uint32_t	 extra_files;	/* number of superfluous files */
	uint32_t	 del_extra_files;/* number of removed extra files */
	uint32_t	 del_dirs;	/* number of dirs removed in cleanup */
	uint32_t	 new_files;	/* moved from DIR_TEMP to DIR_VALID */
	struct timespec	 sync_time;	/* time to sync repo */
};

struct stats {
	uint32_t	 tals;	/* total number of locators */
	uint32_t	 repos;	/* repositories */
	uint32_t	 rsync_repos;	/* synced rsync repositories */
	uint32_t	 rsync_fails;	/* failed rsync repositories */
	uint32_t	 http_repos;	/* synced http repositories */
	uint32_t	 http_fails;	/* failed http repositories */
	uint32_t	 rrdp_repos;	/* synced rrdp repositories */
	uint32_t	 rrdp_fails;	/* failed rrdp repositories */
	uint32_t	 skiplistentries;	/* number of skiplist entries */

	struct repotalstats	repo_tal_stats;	/* summed over all TALs */
	struct repostats	repo_stats;	/* summed over all repositories */
	struct timespec		elapsed_time;
	struct timespec		user_time;
	struct timespec		system_time;
};

/* Only referenced through pointers here; defined elsewhere (imsg/msgbuf). */
struct ibuf;
struct msgbuf;

/*
 * global variables
 * The tals/taldescs/talrepocnt/talstats arrays are indexed by TAL id and
 * presumably sized TALSZ_MAX (defined below); talsz is the number in use.
 */
extern int verbose;
extern int noop;
extern int filemode;
extern int excludeaspa;
extern int experimental;
extern int excludeas0;
extern const char *tals[];
extern const char *taldescs[];
extern unsigned int talrepocnt[];
extern struct repotalstats talstats[];
extern int talsz;

/* Routines for RPKI entities.
 *
 * Naming convention visible in these prototypes: *_parse builds an
 * object from raw input, *_buffer serialises one into an ibuf, *_read
 * deserialises one from an ibuf, and *_free releases one.  The parsed
 * object is presumably owned by the caller until *_free — confirm in
 * the respective .c files.  The leading const char * of the *_parse
 * routines is presumably the file name used in diagnostics.
 */

void		 tal_buffer(struct ibuf *, const struct tal *);
void		 tal_free(struct tal *);
struct tal	*tal_parse(const char *, char *, size_t);
struct tal	*tal_read(struct ibuf *);

void		 cert_buffer(struct ibuf *, const struct cert *);
void		 cert_free(struct cert *);
void		 auth_tree_free(struct auth_tree *);
struct cert	*cert_parse_ee_cert(const char *, int, X509 *);
struct cert	*cert_parse_pre(const char *, const unsigned char *, size_t);
struct cert	*cert_parse(const char *, struct cert *);
struct cert	*ta_parse(const char *, struct cert *, const unsigned char *,
		    size_t);
struct cert	*cert_read(struct ibuf *);
void		 cert_insert_brks(struct brk_tree *, struct cert *);

enum rtype	 rtype_from_file_extension(const char *);
void		 mft_buffer(struct ibuf *, const struct mft *);
void		 mft_free(struct mft *);
struct mft	*mft_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);
struct mft	*mft_read(struct ibuf *);
/* Comparators over two manifests; see struct mft.seqnum_gap. */
int		 mft_compare_issued(const struct mft *, const struct mft *);
int		 mft_compare_seqnum(const struct mft *, const struct mft *);
int		 mft_seqnum_gap_present(const struct mft *, const struct mft *);

void		 roa_buffer(struct ibuf *, const struct roa *);
void		 roa_free(struct roa *);
struct roa	*roa_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);
struct roa	*roa_read(struct ibuf *);
void		 roa_insert_vrps(struct vrp_tree *, struct roa *,
		    struct repo *);

void		 spl_buffer(struct ibuf *, const struct spl *);
void		 spl_free(struct spl *);
struct spl	*spl_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);
struct spl	*spl_read(struct ibuf *);
void		 spl_insert_vsps(struct vsp_tree *, struct spl *,
		    struct repo *);

void		 gbr_free(struct gbr *);
struct gbr	*gbr_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);

void		 geofeed_free(struct geofeed *);
/* NOTE(review): unlike the other *_parse routines the input here is a
 * non-const char *, so the buffer may be modified in place — confirm. */
struct geofeed	*geofeed_parse(X509 **, const char *, int, char *, size_t);

void		 rsc_free(struct rsc *);
struct rsc	*rsc_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);

void		 takey_free(struct takey *);
void		 tak_free(struct tak *);
struct tak	*tak_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);

void		 aspa_buffer(struct ibuf *, const struct aspa *);
void		 aspa_free(struct aspa *);
void		 aspa_insert_vaps(char *, struct vap_tree *, struct aspa *,
		    struct repo *);
struct aspa	*aspa_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);
struct aspa	*aspa_read(struct ibuf *);

/* crl.c */
struct crl	*crl_parse(const char *, const unsigned char *, size_t);
struct crl	*crl_get(struct crl_tree *, const struct auth *);
int		 crl_insert(struct crl_tree *, struct crl *);
void		 crl_free(struct crl *);
void		 crl_tree_free(struct crl_tree *);

/*
 * Validation of our objects.
 * All return int; presumably non-zero on success — confirm per routine,
 * since the exact convention is not visible from these prototypes.
 */

int		 valid_cert(const char *, struct auth *, const struct cert *);
int		 valid_roa(const char *, struct cert *, struct roa *);
int		 valid_filehash(int, const char *, size_t);
int		 valid_hash(unsigned char *, size_t, const char *, size_t);
int		 valid_filename(const char *, size_t);
int		 valid_uri(const char *, size_t, const char *);
int		 valid_origin(const char *, const char *);
int		 valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *,
		    struct crl *, const char **);
int		 valid_rsc(const char *, struct cert *, struct rsc *);
int		 valid_econtent_version(const char *, const ASN1_INTEGER *,
		    uint64_t);
int		 valid_aspa(const char *, struct cert *, struct aspa *);
int		 valid_geofeed(const char *, struct cert *, struct geofeed *);
int		 valid_uuid(const char *);
int		 valid_ca_pkey(const char *, EVP_PKEY *);
int		 valid_spl(const char *, struct cert *, struct spl *);

/* Working with CMS.
 *
 * cms_parse_validate() returns the eContent as a new buffer whose length
 * goes through the size_t * argument, with the signing time through the
 * time_t *; the X509 ** presumably receives the EE certificate.  The
 * detached variant takes the content through a BIO instead.  Confirm
 * ownership of the returned buffer and certificate in the implementation.
 */
unsigned char	*cms_parse_validate(X509 **, const char *,
		    const unsigned char *, size_t,
		    const ASN1_OBJECT *, size_t *, time_t *);
int		 cms_parse_validate_detached(X509 **, const char *,
		    const unsigned char *, size_t,
		    const ASN1_OBJECT *, BIO *, time_t *);

/* Work with RFC 3779 IP addresses, prefixes, ranges. */

int		 ip_addr_afi_parse(const char *, const ASN1_OCTET_STRING *,
		    enum afi *);
int		 ip_addr_parse(const ASN1_BIT_STRING *,
		    enum afi, const char *, struct ip_addr *);
/* Formats an address into the caller-supplied buffer of the given size. */
void		 ip_addr_print(const struct ip_addr *, enum afi, char *,
		    size_t);
int		 ip_addr_check_overlap(const struct cert_ip *,
		    const char *, const struct cert_ip *, size_t, int);
int		 ip_addr_check_covered(enum afi, const unsigned char *,
		    const unsigned char *, const struct cert_ip *, size_t);
/* Fill in the min/max members of struct cert_ip / struct roa_ip. */
int		 ip_cert_compose_ranges(struct cert_ip *);
void		 ip_roa_compose_ranges(struct roa_ip *);
void		 ip_warn(const char *, const char *, const struct cert_ip *);

/*
 * The struct cert_ip * / size_t * pairs are presumably an array and its
 * element count that these routines append to — confirm; see
 * MAX_IP_SIZE below for the expected bound.
 */
int		 sbgp_addr(const char *, struct cert_ip *, size_t *,
		    enum afi, const ASN1_BIT_STRING *);
int		 sbgp_addr_range(const char *, struct cert_ip *, size_t *,
		    enum afi, const IPAddressRange *);

int		 sbgp_parse_ipaddrblk(const char *, const IPAddrBlocks *,
		    struct cert_ip **, size_t *);

/* Work with RFC 3779 AS numbers, ranges.
 */

/* Converts an ASN1_INTEGER into a uint32_t AS id (RFC 6793 range). */
int		 as_id_parse(const ASN1_INTEGER *, uint32_t *);
int		 as_check_overlap(const struct cert_as *, const char *,
		    const struct cert_as *, size_t, int);
int		 as_check_covered(uint32_t, uint32_t,
		    const struct cert_as *, size_t);
void		 as_warn(const char *, const char *, const struct cert_as *);

/*
 * As with the sbgp_addr*() routines, the struct cert_as * / size_t * pair
 * is presumably an array and its element count; see MAX_AS_SIZE below.
 */
int		 sbgp_as_id(const char *, struct cert_as *, size_t *,
		    const ASN1_INTEGER *);
int		 sbgp_as_range(const char *, struct cert_as *, size_t *,
		    const ASRange *);

int		 sbgp_parse_assysnum(const char *, const ASIdentifiers *,
		    struct cert_as **, size_t *);

/* Constraints-specific */
void		 constraints_load(void);
void		 constraints_unload(void);
void		 constraints_parse(void);
int		 constraints_validate(const char *, const struct cert *);

/* Parser-specific */
void		 entity_free(struct entity *);
void		 entity_read_req(struct ibuf *, struct entity *);
void		 entityq_flush(struct entityq *, struct repo *);
/* Process entry points: they never return to the caller. */
void		 proc_parser(int) __attribute__((noreturn));
void		 proc_filemode(int) __attribute__((noreturn));

/* Rsync-specific. */

char		*rsync_base_uri(const char *);
void		 proc_rsync(char *, char *, int) __attribute__((noreturn));

/* HTTP and RRDP processes.
 */

/* Process entry points: they never return to the caller. */
void		 proc_http(char *, int) __attribute__((noreturn));
void		 proc_rrdp(int) __attribute__((noreturn));

/*
 * Repository handling
 * The unsigned int argument shared by the rrdp_*, rsync_* and http_*
 * routines below is presumably a repository id (cf. repo_id()) —
 * confirm in the implementation.
 */
int		 filepath_add(struct filepath_tree *, char *, int, time_t, int);
int		 filepath_valid(struct filepath_tree *, char *, int);
void		 rrdp_clear(unsigned int);
void		 rrdp_session_save(unsigned int, struct rrdp_session *);
void		 rrdp_session_free(struct rrdp_session *);
void		 rrdp_session_buffer(struct ibuf *,
		    const struct rrdp_session *);
struct rrdp_session	*rrdp_session_read(struct ibuf *);
int		 rrdp_handle_file(unsigned int, enum publish_type, char *,
		    char *, size_t, char *, size_t);
char		*repo_basedir(const struct repo *, int);
unsigned int	 repo_id(const struct repo *);
const char	*repo_uri(const struct repo *);
void		 repo_fetch_uris(const struct repo *, const char **,
		    const char **);
int		 repo_synced(const struct repo *);
const char	*repo_proto(const struct repo *);
int		 repo_talid(const struct repo *);
struct repo	*ta_lookup(int, struct tal *);
struct repo	*repo_lookup(int, const char *, const char *);
struct repo	*repo_byid(unsigned int);
int		 repo_queued(struct repo *, struct entity *);
void		 repo_cleanup(struct filepath_tree *, int);
int		 repo_check_timeout(int);
void		 repostats_new_files_inc(struct repo *, const char *);
void		 repo_stat_inc(struct repo *, int, enum rtype, enum stype);
/* Visitors: the callback is invoked per repo with the trailing void * as context. */
void		 repo_tal_stats_collect(void (*)(const struct repo *,
		    const struct repotalstats *, void *), int, void *);
void		 repo_stats_collect(void (*)(const struct repo *,
		    const struct repostats *, void *), void *);
void		 repo_free(void);

void		 rsync_finish(unsigned int, int);
void		 http_finish(unsigned int, enum http_result, const char *);
void		 rrdp_finish(unsigned int, int);

void		 rsync_fetch(unsigned int, const char *, const char *,
		    const char *);
void		 rsync_abort(unsigned int);
void		 http_fetch(unsigned int, const char *, const char *, int);
void		 rrdp_fetch(unsigned int, const char *, const char *,
		    struct rrdp_session *);
void		 rrdp_abort(unsigned int);
void		 rrdp_http_done(unsigned int, enum http_result, const char *);

/*
 * Encoding functions for hex and base64.
 * The *_len routines compute the output size for a given input size and
 * return int, so presumably they can fail (overflow) — check the result.
 * base64_decode()/base64_encode() allocate their output; hex_encode()
 * returns a new string; hex_decode() writes into a caller buffer of the
 * given size.  Confirm ownership/NUL-termination in the implementation.
 */

unsigned char	*load_file(const char *, size_t *);
int		 base64_decode_len(size_t, size_t *);
int		 base64_decode(const unsigned char *, size_t,
		    unsigned char **, size_t *);
int		 base64_encode_len(size_t, size_t *);
int		 base64_encode(const unsigned char *, size_t, char **);
char		*hex_encode(const unsigned char *, size_t);
int		 hex_decode(const char *, char *, size_t);


/*
 * Functions for moving data between processes.
 * io_*_buffer append to an ibuf; io_read_* consume from one.
 * io_read_str() and io_read_buf_alloc() hand back newly allocated
 * storage through their out-pointer — presumably owned by the caller.
 * MAX_MSG_SIZE (top of this header) is presumably the size cap — confirm.
 */

struct ibuf	*io_new_buffer(void);
void		 io_simple_buffer(struct ibuf *, const void *, size_t);
void		 io_buf_buffer(struct ibuf *, const void *, size_t);
void		 io_str_buffer(struct ibuf *, const char *);
void		 io_close_buffer(struct msgbuf *, struct ibuf *);
void		 io_read_buf(struct ibuf *, void *, size_t);
void		 io_read_str(struct ibuf *, char **);
void		 io_read_buf_alloc(struct ibuf *, void **, size_t *);
struct ibuf	*io_parse_hdr(struct ibuf *, void *, int *);
struct ibuf	*io_buf_get(struct msgbuf *);

/* X509 helpers.
 *
 * The x509_get_*() accessors take the certificate, a const char * that
 * is presumably the file name for diagnostics, and an out-pointer; they
 * return int, presumably non-zero on success.  The char ** outputs are
 * presumably newly allocated strings owned by the caller — confirm.
 */

void		 x509_init_oid(void);
int		 x509_cache_extensions(X509 *, const char *);
int		 x509_get_aia(X509 *, const char *, char **);
int		 x509_get_aki(X509 *, const char *, char **);
int		 x509_get_sia(X509 *, const char *, char **);
int		 x509_get_ski(X509 *, const char *, char **);
int		 x509_get_notbefore(X509 *, const char *, time_t *);
int		 x509_get_notafter(X509 *, const char *, time_t *);
int		 x509_get_crl(X509 *, const char *, char **);
char		*x509_get_pubkey(X509 *, const char *);
char		*x509_pubkey_get_ski(X509_PUBKEY *, const char *);
enum cert_purpose x509_get_purpose(X509 *, const char *);
int		 x509_get_time(const ASN1_TIME *, time_t *);
/* Textual form of a manifestNumber (struct mft.seqnum). */
char		*x509_convert_seqnum(const char *, const char *,
		    const ASN1_INTEGER *);
int		 x509_valid_seqnum(const char *, const char *,
		    const ASN1_INTEGER *);
int		 x509_location(const char *, const char *, GENERAL_NAME *,
		    char **);
int		 x509_inherits(X509 *);
int		 x509_any_inherits(X509 *);
int		 x509_valid_name(const char *, const char *, const X509_NAME *);
time_t		 x509_find_expires(time_t, struct auth *, struct crl_tree *);

/*
 * printers
 * nid2str() and time2str() return char * (presumably allocated, caller
 * frees); purpose2str() returns a const string.  The *_print() routines
 * take the EE certificate alongside the parsed object.
 */
char		*nid2str(int);
const char	*purpose2str(enum cert_purpose);
char		*time2str(time_t);
void		 x509_print(const X509 *);
void		 tal_print(const struct tal *);
void		 cert_print(const struct cert *);
void		 crl_print(const struct crl *);
void		 mft_print(const X509 *, const struct mft *);
void		 roa_print(const X509 *, const struct roa *);
void		 gbr_print(const X509 *, const struct gbr *);
void		 rsc_print(const X509 *, const struct rsc *);
void		 aspa_print(const X509 *, const struct aspa *);
void		 tak_print(const X509 *, const struct tak *);
void		 geofeed_print(const X509 *, const struct geofeed *);
void		 spl_print(const X509 *, const struct spl *);

/* Missing RFC 3779 API */
IPAddrBlocks	*IPAddrBlocks_new(void);
void		 IPAddrBlocks_free(IPAddrBlocks *);

/* Output! */

/*
 * Bit flags (each a distinct power of two) selecting the output formats;
 * presumably OR'd together into outformats — confirm in the option parser.
 */
extern int		 outformats;
#define FORMAT_OPENBGPD	0x01
#define FORMAT_BIRD	0x02
#define FORMAT_CSV	0x04
#define FORMAT_JSON	0x08
#define FORMAT_OMETRIC	0x10

/*
 * NOTE(review): outputfiles() names its first two parameters (v, b) while
 * every other prototype in this header leaves parameters unnamed; the
 * names carry no meaning here and could be dropped for consistency.
 */
int		 outputfiles(struct vrp_tree *v, struct brk_tree *b,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 outputheader(FILE *, struct stats *);
int		 output_bgpd(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_bird(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_csv(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_json(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_ometric(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);

/* printf-style logger; the format attribute lets the compiler check args. */
void		 logx(const char *fmt, ...)
		    __attribute__((format(printf, 1, 2)));
time_t		 getmonotime(void);
time_t		 get_current_time(void);

/* Create a directory path (and parents); mkpathat() is relative to an fd. */
int		 mkpath(const char *);
int		 mkpathat(int, const char *);

#define RPKI_PATH_OUT_DIR	"/var/db/rpki-client"
#define RPKI_PATH_BASE_DIR	"/var/cache/rpki-client"

#define DEFAULT_SKIPLIST_FILE	"/etc/rpki/skiplist"

/* Interval in which random reinitialization to an RRDP snapshot happens. */
#define RRDP_RANDOM_REINIT_MAX	12	/* weeks */

/* Maximum number of TAL files we'll load. */
#define TALSZ_MAX	8
#define CERTID_MAX	1000000

/*
 * Maximum number of elements in the sbgp-ipAddrBlock (IP) and
 * sbgp-autonomousSysNum (AS) X.509v3 extension of CA/EE certificates.
 *
 * The limits below cap what is accepted from remote repositories.  Where
 * each is enforced is not visible from this header; confirm before
 * changing a value, since raising one widens the resource budget an
 * untrusted repository can consume.
 */
#define MAX_IP_SIZE		200000
#define MAX_AS_SIZE		200000

/* Maximum acceptable URI length */
#define MAX_URI_LENGTH		2048

/* Min/Max acceptable file size */
#define MIN_FILE_SIZE		100
#define MAX_FILE_SIZE		8000000

/* Maximum number of FileNameAndHash entries per RSC checklist. */
#define MAX_CHECKLIST_ENTRIES	100000

/* Maximum number of FileAndHash entries per manifest. */
#define MAX_MANIFEST_ENTRIES	100000

/* Maximum number of Providers per ASPA object. */
#define MAX_ASPA_PROVIDERS	10000

/* Maximum depth of the RPKI tree. */
#define MAX_CERT_DEPTH		12

/* Maximum number of concurrent http and rsync requests. */
#define MAX_HTTP_REQUESTS	64
#define MAX_RSYNC_REQUESTS	16

/* How many seconds to wait for a connection to succeed. */
#define MAX_CONN_TIMEOUT	15

/* How many seconds to wait for IO from a remote server. */
#define MAX_IO_TIMEOUT		30

/* Maximum number of delegated hosting locations (repositories) for each TAL. */
#define MAX_REPO_PER_TAL	1000

/* URI scheme prefixes; the _LEN forms exclude the terminating NUL. */
#define HTTP_PROTO		"http://"
#define HTTP_PROTO_LEN		(sizeof(HTTP_PROTO) - 1)
#define HTTPS_PROTO		"https://"
#define HTTPS_PROTO_LEN		(sizeof(HTTPS_PROTO) - 1)
#define RSYNC_PROTO		"rsync://"
#define RSYNC_PROTO_LEN		(sizeof(RSYNC_PROTO) - 1)

#endif /* ! EXTERN_H */