/* $OpenBSD: extern.h,v 1.217 2024/04/21 19:27:44 claudio Exp $ */
/*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#ifndef EXTERN_H
#define EXTERN_H

#include <sys/queue.h>
#include <sys/tree.h>
#include <sys/time.h>

#include <openssl/x509.h>
#include <openssl/x509v3.h>

/*
 * How an AS resource entry in a certificate is expressed (RFC 3779).
 */
enum cert_as_type {
	CERT_AS_ID,		/* single identifier */
	CERT_AS_INHERIT,	/* inherit from issuer */
	CERT_AS_RANGE,		/* range of identifiers */
};

/*
 * An AS identifier range.
 * The maximum AS identifier is an unsigned 32 bit integer (RFC 6793).
 */
struct cert_as_range {
	uint32_t	 min;		/* minimum non-zero */
	uint32_t	 max;		/* maximum */
};

/*
 * An autonomous system (AS) object.
 * AS identifiers are unsigned 32 bit integers (RFC 6793).
 * Which union member is live is selected by "type".
 */
struct cert_as {
	enum cert_as_type type;		/* type of AS specification */
	union {
		uint32_t	 id;	/* singular identifier (CERT_AS_ID) */
		struct cert_as_range range; /* range (CERT_AS_RANGE) */
	};
};

/*
 * AFI values are assigned by IANA.
 * In rpki-client, we only accept the IPV4 and IPV6 AFI values.
 */
enum afi {
	AFI_IPV4 = 1,
	AFI_IPV6 = 2
};

/*
 * An IP address as parsed from RFC 3779, section 2.2.3.8.
 * This is either in a certificate or an ROA.
 * It may either be IPv4 or IPv6.
 */
struct ip_addr {
	unsigned char	 addr[16];	/* binary address prefix */
	unsigned char	 prefixlen;	/* number of valid bits in address */
};

/*
 * An IP address (IPv4 or IPv6) range starting at the minimum and making
 * its way to the maximum.
 */
struct ip_addr_range {
	struct ip_addr	 min;		/* minimum ip */
	struct ip_addr	 max;		/* maximum ip */
};

/*
 * How an IP resource entry in a certificate is expressed (RFC 3779).
 */
enum cert_ip_type {
	CERT_IP_ADDR,		/* IP address range w/shared prefix */
	CERT_IP_INHERIT,	/* inherited IP address */
	CERT_IP_RANGE		/* range of IP addresses */
};

/*
 * A single IP address family (AFI, address or range) as defined in RFC
 * 3779, 2.2.3.2.
 * The RFC specifies multiple address or ranges per AFI; this structure
 * encodes both the AFI and a single address or range.
 * Which union member is live is selected by "type"; min/max hold the
 * same entry expanded to its full range (see ip_cert_compose_ranges()).
 */
struct cert_ip {
	enum afi		 afi;		/* AFI value */
	enum cert_ip_type	 type;		/* type of IP entry */
	unsigned char		 min[16];	/* full range minimum */
	unsigned char		 max[16];	/* full range maximum */
	union {
		struct ip_addr	 ip;		/* singular address */
		struct ip_addr_range range;	/* range */
	};
};

/*
 * What a certificate is allowed to be used for, as derived from its
 * extensions (see x509_get_purpose()).
 */
enum cert_purpose {
	CERT_PURPOSE_INVALID,
	CERT_PURPOSE_CA,
	CERT_PURPOSE_BGPSEC_ROUTER
};

/*
 * Parsed components of a validated X509 certificate stipulated by RFC
 * 6847 (sic; presumably RFC 6487, the RPKI certificate profile — verify)
 * and further (within) by RFC 3779.
 * All AS numbers are guaranteed to be non-overlapping and properly
 * inheriting.
 */
struct cert {
	struct cert_ip	*ips;		/* list of IP address ranges */
	size_t		 ipsz;		/* length of "ips" */
	struct cert_as	*as;		/* list of AS numbers and ranges */
	size_t		 asz;		/* length of "as" */
	int		 talid;		/* cert is covered by which TAL */
	unsigned int	 repoid;	/* repository of this cert file */
	char		*repo;		/* CA repository (rsync:// uri) */
	char		*mft;		/* manifest (rsync:// uri) */
	char		*notify;	/* RRDP notify (https:// uri) */
	char		*crl;		/* CRL location (rsync:// or NULL) */
	char		*aia;		/* AIA (or NULL, for trust anchor) */
	char		*aki;		/* AKI (or NULL, for trust anchor) */
	char		*ski;		/* SKI */
	enum cert_purpose purpose;	/* BGPSec or CA */
	char		*pubkey;	/* Subject Public Key Info */
	X509		*x509;		/* the cert */
	time_t		 notbefore;	/* cert's Not Before */
	time_t		 notafter;	/* cert's Not After */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * The TAL file conforms to RFC 7730.
 * It is the top-level structure of RPKI and defines where we can find
 * certificates for TAs (trust anchors).
 * It also includes the public key for verifying those trust anchor
 * certificates.
 */
struct tal {
	char		**uri;		/* well-formed rsync URIs */
	size_t		  urisz;	/* number of URIs */
	unsigned char	 *pkey;		/* DER-encoded public key */
	size_t		  pkeysz;	/* length of pkey */
	char		 *descr;	/* basename of tal file */
	int		  id;		/* ID of this TAL */
};

/*
 * Resource types specified by the RPKI profiles.
 * There might be others we don't consider.
 * See rtype_from_file_extension() for how a file is classified.
 */
enum rtype {
	RTYPE_INVALID,
	RTYPE_TAL,
	RTYPE_MFT,
	RTYPE_ROA,
	RTYPE_CER,
	RTYPE_CRL,
	RTYPE_GBR,
	RTYPE_REPO,
	RTYPE_FILE,
	RTYPE_RSC,
	RTYPE_ASPA,
	RTYPE_TAK,
	RTYPE_GEOFEED,
	RTYPE_SPL,
};

/*
 * Which on-disk directory a fetched file currently lives in.
 */
enum location {
	DIR_UNKNOWN,
	DIR_TEMP,
	DIR_VALID,
};

/*
 * Files specified in an MFT have their bodies hashed with SHA256.
 * SHA256_DIGEST_LENGTH is expected to come in through the OpenSSL
 * headers included above (not included directly here).
 */
struct mftfile {
	char		*file;		/* filename (CER/ROA/CRL, no path) */
	enum rtype	 type;		/* file type as determined by extension */
	enum location	 location;	/* temporary or valid directory */
	unsigned char	 hash[SHA256_DIGEST_LENGTH]; /* sha256 of body */
};

/*
 * A manifest, RFC 6486.
 * This consists of a bunch of files found in the same directory as the
 * manifest file.
 */
struct mft {
	char		*path;		/* relative path to directory of the MFT */
	struct mftfile	*files;		/* file and hash */
	char		*seqnum;	/* manifestNumber */
	char		*aia;		/* AIA */
	char		*aki;		/* AKI */
	char		*sia;		/* SIA signedObject */
	char		*ski;		/* SKI */
	char		*crl;		/* CRL file name */
	unsigned char	 mfthash[SHA256_DIGEST_LENGTH]; /* sha256; presumably of the MFT file — verify in mft.c */
	unsigned char	 crlhash[SHA256_DIGEST_LENGTH]; /* sha256; presumably of "crl" as listed in the MFT — verify */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 thisupdate;	/* from the eContent */
	time_t		 nextupdate;	/* from the eContent */
	time_t		 expires;	/* when the signature path expires */
	size_t		 filesz;	/* number of filenames */
	unsigned int	 repoid;	/* repository of this MFT file */
	int		 talid;		/* MFT is covered by which TAL */
};

/*
 * An IP address prefix for a given ROA.
 * This encodes the maximum length, AFI (v6/v4), and address.
 * FIXME: are the min/max necessary or just used in one place?
 */
struct roa_ip {
	enum afi	 afi;		/* AFI value */
	struct ip_addr	 addr;		/* the address prefix itself */
	unsigned char	 min[16];	/* full range minimum */
	unsigned char	 max[16];	/* full range maximum */
	unsigned char	 maxlength;	/* max length or zero */
};

/*
 * An ROA, RFC 6482.
 * This consists of the concerned ASID and its IP prefixes.
 */
struct roa {
	uint32_t	 asid;		/* asID of ROA (if 0, RFC 6483 sec 4) */
	struct roa_ip	*ips;		/* IP prefixes */
	size_t		 ipsz;		/* number of IP prefixes */
	int		 talid;		/* ROAs are covered by which TAL */
	int		 valid;		/* validated resources */
	char		*aia;		/* AIA */
	char		*aki;		/* AKI */
	char		*sia;		/* SIA signedObject */
	char		*ski;		/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* EE cert's Not After */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * One FileNameAndHash entry of an RSC checklist.
 */
struct rscfile {
	char		*filename;	/* an optional filename on the checklist */
	unsigned char	 hash[SHA256_DIGEST_LENGTH]; /* the digest */
};

/*
 * A Signed Checklist (RSC)
 */
struct rsc {
	int		 talid;		/* RSC covered by what TAL */
	int		 valid;		/* eContent resources covered by EE's 3779? */
	struct cert_ip	*ips;		/* IP prefixes */
	size_t		 ipsz;		/* number of IP prefixes */
	struct cert_as	*as;		/* AS resources */
	size_t		 asz;		/* number of AS resources */
	struct rscfile	*files;		/* FileAndHashes in the RSC */
	size_t		 filesz;	/* number of FileAndHashes */
	char		*aia;		/* AIA */
	char		*aki;		/* AKI */
	char		*ski;		/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* Not After of the RSC EE */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * An IP address prefix in a given SignedPrefixList.
 */
struct spl_pfx {
	enum afi	 afi;		/* AFI value */
	struct ip_addr	 prefix;	/* the address prefix itself */
};

/*
 * An SPL, draft-ietf-sidrops-rpki-prefixlist
 * This consists of an ASID and its IP prefixes.
 */
struct spl {
	uint32_t	 asid;		/* asID of the SPL */
	struct spl_pfx	*pfxs;		/* IP prefixes */
	size_t		 pfxsz;		/* number of IP prefixes */
	int		 talid;		/* SPL is covered by which TAL */
	char		*aia;		/* AIA */
	char		*aki;		/* AKI */
	char		*sia;		/* SIA signedObject */
	char		*ski;		/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* EE cert's Not After */
	time_t		 expires;	/* when the certification path expires */
	int		 valid;		/* validated resources (see valid_spl()) */
};

/*
 * Datastructure representing the TAKey sequence inside TAKs.
 */
struct takey {
	char		**comments;	/* Comments */
	size_t		  commentsz;	/* number of Comments */
	char		**uris;		/* CertificateURI */
	size_t		  urisz;	/* number of CertificateURIs */
	unsigned char	 *pubkey;	/* DER encoded SubjectPublicKeyInfo */
	size_t		  pubkeysz;	/* length of pubkey */
	char		 *ski;		/* hex encoded SubjectKeyIdentifier of pubkey */
};

/*
 * A Signed TAL (TAK) draft-ietf-sidrops-signed-tal-12
 */
struct tak {
	int		 talid;		/* TAK covered by what TAL */
	struct takey	*current;	/* current TAKey */
	struct takey	*predecessor;	/* predecessor TAKey */
	struct takey	*successor;	/* successor TAKey */
	char		*aia;		/* AIA */
	char		*aki;		/* AKI */
	char		*sia;		/* SIA signed Object */
	char		*ski;		/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* Not After of the TAK EE */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * A single geofeed record
 */
struct geoip {
	struct cert_ip	*ip;		/* the prefix */
	char		*loc;		/* the location string */
};

/*
 * A geofeed file
 */
struct geofeed {
	struct geoip	*geoips;	/* Prefix + location entry in the CSV */
	size_t		 geoipsz;	/* number of IPs */
	char		*aia;		/* AIA */
	char		*aki;		/* AKI */
	char		*ski;		/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* Not After of the Geofeed EE */
	time_t		 expires;	/* when the signature path expires */
	int		 valid;		/* all resources covered */
};

/*
 * A single Ghostbuster record
 */
struct gbr {
	char		*vcard;		/* the vCard payload */
	char		*aia;		/* AIA */
	char		*aki;		/* AKI */
	char		*sia;		/* SIA signedObject */
	char		*ski;		/* SKI */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* Not After of the GBR EE */
	time_t		 expires;	/* when the signature path expires */
	int		 talid;		/* TAL the GBR is chained up to */
};

/*
 * A single ASPA record
 */
struct aspa {
	int		 valid;		/* contained in issuer auth */
	int		 talid;		/* TAL the ASPA is chained up to */
	char		*aia;		/* AIA */
	char		*aki;		/* AKI */
	char		*sia;		/* SIA signedObject */
	char		*ski;		/* SKI */
	uint32_t	 custasid;	/* the customerASID */
	uint32_t	*providers;	/* the providers */
	size_t		 providersz;	/* number of providers */
	time_t		 signtime;	/* CMS signing-time attribute */
	time_t		 notbefore;	/* EE cert's Not Before */
	time_t		 notafter;	/* notAfter of the ASPA EE cert */
	time_t		 expires;	/* when the signature path expires */
};

/*
 * A Validated ASPA Payload (VAP) tree element.
 * To ease transformation, this struct mimics ASPA RTR PDU structure.
 */
struct vap {
	RB_ENTRY(vap)	 entry;
	uint32_t	 custasid;	/* the customerASID */
	uint32_t	*providers;	/* the providers */
	size_t		 providersz;	/* number of providers */
	time_t		 expires;	/* transitive expiry moment */
	int		 talid;		/* covered by which TAL */
	unsigned int	 repoid;	/* repository identifier */
	int		 overflowed;	/* too many providers; presumably what vaps_overflowed counts — confirm */
};

/*
 * Tree of VAPs sorted by afi, custasid, and provideras.
 */
RB_HEAD(vap_tree, vap);
RB_PROTOTYPE(vap_tree, vap, entry, vapcmp);

/*
 * A single VRP element (including ASID)
 */
struct vrp {
	RB_ENTRY(vrp)	 entry;
	struct ip_addr	 addr;		/* the prefix */
	uint32_t	 asid;		/* the origin AS */
	enum afi	 afi;		/* AFI value */
	unsigned char	 maxlength;	/* max length or zero */
	time_t		 expires;	/* transitive expiry moment */
	int		 talid;		/* covered by which TAL */
	unsigned int	 repoid;	/* repository identifier */
};
/*
 * Tree of VRP sorted by afi, addr, maxlength and asid
 */
RB_HEAD(vrp_tree, vrp);
RB_PROTOTYPE(vrp_tree, vrp, entry, vrpcmp);

/*
 * Validated SignedPrefixList Payload
 * A single VSP element (including ASID)
 * draft-ietf-sidrops-rpki-prefixlist
 */
struct vsp {
	RB_ENTRY(vsp)	 entry;
	uint32_t	 asid;		/* the AS the prefixes belong to */
	struct spl_pfx	*prefixes;	/* the prefixes */
	size_t		 prefixesz;	/* number of prefixes */
	time_t		 expires;	/* transitive expiry moment */
	int		 talid;		/* covered by which TAL */
	unsigned int	 repoid;	/* repository identifier */
};
/*
 * Tree of VSP sorted by asid
 */
RB_HEAD(vsp_tree, vsp);
RB_PROTOTYPE(vsp_tree, vsp, entry, vspcmp);

/*
 * A single BGPsec Router Key (including ASID)
 */
struct brk {
	RB_ENTRY(brk)	 entry;
	uint32_t	 asid;		/* the router's AS */
	int		 talid;		/* covered by which TAL */
	char		*ski;		/* Subject Key Identifier */
	char		*pubkey;	/* Subject Public Key Info */
	time_t		 expires;	/* transitive expiry moment */
};
/*
 * Tree of BRK sorted by asid
 */
RB_HEAD(brk_tree, brk);
RB_PROTOTYPE(brk_tree, brk, entry, brkcmp);

/*
 * A single CRL
 */
struct crl {
	RB_ENTRY(crl)	 entry;
	char		*aki;		/* AKI (see x509_crl_get_aki()) */
	char		*mftpath;	/* presumably the MFT path this CRL belongs to — confirm in crl.c */
	char		*number;	/* CRL number (see x509_crl_get_number()) */
	X509_CRL	*x509_crl;	/* the CRL */
	time_t		 thisupdate;	/* do not use before */
	time_t		 nextupdate;	/* do not use after */
};
/*
 * Tree of CRLs sorted by uri
 * (no RB_PROTOTYPE here: the comparator is private to crl.c)
 */
RB_HEAD(crl_tree, crl);

/*
 * An authentication tuple.
 * This specifies a public key and a subject key identifier used to
 * verify children nodes in the tree of entities.
 */
struct auth {
	RB_ENTRY(auth)	 entry;
	struct cert	*cert;		/* owner information */
	struct auth	*issuer;	/* pointer to issuer or NULL for TA cert */
	int		 any_inherits;	/* presumably from x509_any_inherits() — confirm */
};
/*
 * Tree of auth sorted by ski
 */
RB_HEAD(auth_tree, auth);

struct auth	*auth_find(struct auth_tree *, const char *);
struct auth	*auth_insert(struct auth_tree *, struct cert *, struct auth *);

/*
 * Outcome of an HTTP fetch as reported by http_finish()/rrdp_http_done().
 */
enum http_result {
	HTTP_FAILED,		/* anything else */
	HTTP_OK,		/* 200 OK */
	HTTP_NOT_MOD,		/* 304 Not Modified */
};

/*
 * Message types for communication with RRDP process.
 */
enum rrdp_msg {
	RRDP_START,
	RRDP_SESSION,
	RRDP_FILE,
	RRDP_CLEAR,
	RRDP_END,
	RRDP_HTTP_REQ,
	RRDP_HTTP_INI,
	RRDP_HTTP_FIN,
	RRDP_ABORT,
};

/* Maximum number of delta files per RRDP notification file. */
#define MAX_RRDP_DELTAS		300

/*
 * RRDP session state, needed to pickup at the right spot on next run.
 */
struct rrdp_session {
	char		*last_mod;	/* presumably the HTTP Last-Modified value (cf. HTTP_NOT_MOD) — confirm */
	char		*session_id;	/* RRDP session_id */
	long long	 serial;	/* RRDP serial */
	char		*deltas[MAX_RRDP_DELTAS]; /* fixed-size: at most MAX_RRDP_DELTAS delta entries are kept */
};

/*
 * File types used in RRDP_FILE messages.
 */
enum publish_type {
	PUB_ADD,
	PUB_UPD,
	PUB_DEL,
};

/*
 * An entity (MFT, ROA, certificate, etc.) that needs to be downloaded
 * and parsed.
 */
struct entity {
	TAILQ_ENTRY(entity) entries;
	char		*path;		/* path relative to repository */
	char		*file;		/* filename or valid repo path */
	char		*mftaki;	/* expected AKI (taken from Manifest) */
	unsigned char	*data;		/* optional data blob */
	size_t		 datasz;	/* length of optional data blob */
	unsigned int	 repoid;	/* repository identifier */
	int		 talid;		/* tal identifier */
	enum rtype	 type;		/* type of entity (not RTYPE_EOF) */
	enum location	 location;	/* which directory the file lives in */
};
TAILQ_HEAD(entityq, entity);

/*
 * Which per-type statistic counter to bump; see repo_stat_inc().
 */
enum stype {
	STYPE_OK,
	STYPE_FAIL,
	STYPE_INVALID,
	STYPE_BGPSEC,
	STYPE_TOTAL,
	STYPE_UNIQUE,
	STYPE_DEC_UNIQUE,
	STYPE_PROVIDERS,
	STYPE_OVERFLOW,
};

/* Opaque to everything but repo.c; only handled through pointers here. */
struct repo;
struct filepath;
RB_HEAD(filepath_tree, filepath);


/*
 * Statistics collected during run-time.
 */
struct repotalstats {
	uint32_t	 certs;		/* certificates */
	uint32_t	 certs_fail;	/* invalid certificate */
	uint32_t	 mfts;		/* total number of manifests */
	uint32_t	 mfts_fail;	/* failing syntactic parse */
	uint32_t	 roas;		/* route origin authorizations */
	uint32_t	 roas_fail;	/* failing syntactic parse */
	uint32_t	 roas_invalid;	/* invalid resources */
	uint32_t	 aspas;		/* ASPA objects */
	uint32_t	 aspas_fail;	/* ASPA objects failing syntactic parse */
	uint32_t	 aspas_invalid;	/* ASPAs with invalid customerASID */
	uint32_t	 brks;		/* number of BGPsec Router Key (BRK) certs */
	uint32_t	 crls;		/* revocation lists */
	uint32_t	 gbrs;		/* ghostbuster records */
	uint32_t	 taks;		/* signed TAL objects */
	uint32_t	 vaps;		/* total number of Validated ASPA Payloads */
	uint32_t	 vaps_uniqs;	/* total number of unique VAPs */
	uint32_t	 vaps_pas;	/* total number of providers */
	uint32_t	 vaps_overflowed; /* VAPs with too many providers */
	uint32_t	 vrps;		/* total number of Validated ROA Payloads */
	uint32_t	 vrps_uniqs;	/* number of unique vrps */
	uint32_t	 spls;		/* signed prefix list */
	uint32_t	 spls_fail;	/* failing syntactic parse */
	uint32_t	 spls_invalid;	/* invalid spls */
	uint32_t	 vsps;		/* total number of Validated SPL Payloads */
	uint32_t	 vsps_uniqs;	/* number of unique vsps */
};

/*
 * Per-repository file-system statistics.
 */
struct repostats {
	uint32_t	 del_files;	/* number of files removed in cleanup */
	uint32_t	 extra_files;	/* number of superfluous files */
	uint32_t	 del_extra_files;/* number of removed extra files */
	uint32_t	 del_dirs;	/* number of dirs removed in cleanup */
	uint32_t	 new_files;	/* moved from DIR_TEMP to DIR_VALID */
	struct timespec	 sync_time;	/* time to sync repo */
};

/*
 * Whole-run statistics, aggregating the per-TAL and per-repo counters.
 */
struct stats {
	uint32_t	 tals;		/* total number of locators */
	uint32_t	 repos;		/* repositories */
	uint32_t	 rsync_repos;	/* synced rsync repositories */
	uint32_t	 rsync_fails;	/* failed rsync repositories */
	uint32_t	 http_repos;	/* synced http repositories */
	uint32_t	 http_fails;	/* failed http repositories */
	uint32_t	 rrdp_repos;	/* synced rrdp repositories */
	uint32_t	 rrdp_fails;	/* failed rrdp repositories */
	uint32_t	 skiplistentries; /* number of skiplist entries */

	struct repotalstats	repo_tal_stats;
	struct repostats	repo_stats;
	struct timespec		elapsed_time;
	struct timespec		user_time;
	struct timespec		system_time;
};

struct ibuf;
struct msgbuf;

/* global variables */
extern int verbose;
extern int noop;
extern int filemode;
extern int excludeaspa;
extern int experimental;
extern const char *tals[];		/* indexed by TAL id; see TALSZ_MAX */
extern const char *taldescs[];
extern unsigned int talrepocnt[];
extern struct repotalstats talstats[];
extern int talsz;			/* number of entries used in the arrays above */

/* Routines for RPKI entities.
 */

void		 tal_buffer(struct ibuf *, const struct tal *);
void		 tal_free(struct tal *);
struct tal	*tal_parse(const char *, char *, size_t);
struct tal	*tal_read(struct ibuf *);

void		 cert_buffer(struct ibuf *, const struct cert *);
void		 cert_free(struct cert *);
void		 auth_tree_free(struct auth_tree *);
struct cert	*cert_parse_ee_cert(const char *, int, X509 *);
struct cert	*cert_parse_pre(const char *, const unsigned char *, size_t);
struct cert	*cert_parse(const char *, struct cert *);
struct cert	*ta_parse(const char *, struct cert *, const unsigned char *,
		    size_t);
struct cert	*cert_read(struct ibuf *);
void		 cert_insert_brks(struct brk_tree *, struct cert *);

enum rtype	 rtype_from_file_extension(const char *);
void		 mft_buffer(struct ibuf *, const struct mft *);
void		 mft_free(struct mft *);
struct mft	*mft_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);
struct mft	*mft_read(struct ibuf *);
int		 mft_compare_issued(const struct mft *, const struct mft *);
int		 mft_compare_seqnum(const struct mft *, const struct mft *);

void		 roa_buffer(struct ibuf *, const struct roa *);
void		 roa_free(struct roa *);
struct roa	*roa_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);
struct roa	*roa_read(struct ibuf *);
void		 roa_insert_vrps(struct vrp_tree *, struct roa *,
		    struct repo *);

void		 spl_buffer(struct ibuf *, const struct spl *);
void		 spl_free(struct spl *);
struct spl	*spl_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);
struct spl	*spl_read(struct ibuf *);
void		 spl_insert_vsps(struct vsp_tree *, struct spl *,
		    struct repo *);

void		 gbr_free(struct gbr *);
struct gbr	*gbr_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);

void		 geofeed_free(struct geofeed *);
/* NOTE: unlike the other *_parse() routines this one takes a non-const
 * buffer (char *), so the caller should expect it may be modified. */
struct geofeed	*geofeed_parse(X509 **, const char *, int, char *,
		    size_t);

void		 rsc_free(struct rsc *);
struct rsc	*rsc_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);

void		 takey_free(struct takey *);
void		 tak_free(struct tak *);
struct tak	*tak_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);

void		 aspa_buffer(struct ibuf *, const struct aspa *);
void		 aspa_free(struct aspa *);
void		 aspa_insert_vaps(char *, struct vap_tree *, struct aspa *,
		    struct repo *);
struct aspa	*aspa_parse(X509 **, const char *, int, const unsigned char *,
		    size_t);
struct aspa	*aspa_read(struct ibuf *);

/* crl.c */
struct crl	*crl_parse(const char *, const unsigned char *, size_t);
struct crl	*crl_get(struct crl_tree *, const struct auth *);
int		 crl_insert(struct crl_tree *, struct crl *);
void		 crl_free(struct crl *);
void		 crl_tree_free(struct crl_tree *);

/*
 * Validation of our objects.
 * The first argument of most of these is the file name, used for
 * diagnostics; the int return is a validity flag (presumably non-zero
 * on success — confirm against validate.c).
 */

struct auth	*valid_ski_aki(const char *, struct auth_tree *,
		    const char *, const char *, const char *);
int		 valid_ta(const char *, struct auth_tree *,
		    const struct cert *);
int		 valid_cert(const char *, struct auth *, const struct cert *);
int		 valid_roa(const char *, struct cert *, struct roa *);
int		 valid_filehash(int, const char *, size_t);
int		 valid_hash(unsigned char *, size_t, const char *, size_t);
int		 valid_filename(const char *, size_t);
int		 valid_uri(const char *, size_t, const char *);
int		 valid_origin(const char *, const char *);
int		 valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *,
		    struct crl *, const char **);
int		 valid_rsc(const char *, struct cert *, struct rsc *);
int		 valid_econtent_version(const char *, const ASN1_INTEGER *,
		    uint64_t);
int		 valid_aspa(const char *, struct cert *, struct aspa *);
int		 valid_geofeed(const char *, struct cert *, struct geofeed *);
int		 valid_uuid(const char *);
int		 valid_ca_pkey(const char *, EVP_PKEY *);
int		 valid_spl(const char *, struct cert *, struct spl *);

/* Working with CMS. */
unsigned char	*cms_parse_validate(X509 **, const char *,
		    const unsigned char *, size_t,
		    const ASN1_OBJECT *, size_t *, time_t *);
int		 cms_parse_validate_detached(X509 **, const char *,
		    const unsigned char *, size_t,
		    const ASN1_OBJECT *, BIO *, time_t *);

/* Work with RFC 3779 IP addresses, prefixes, ranges. */

int		 ip_addr_afi_parse(const char *, const ASN1_OCTET_STRING *,
		    enum afi *);
int		 ip_addr_parse(const ASN1_BIT_STRING *,
		    enum afi, const char *, struct ip_addr *);
void		 ip_addr_print(const struct ip_addr *, enum afi, char *,
		    size_t);
int		 ip_addr_check_overlap(const struct cert_ip *,
		    const char *, const struct cert_ip *, size_t, int);
int		 ip_addr_check_covered(enum afi, const unsigned char *,
		    const unsigned char *, const struct cert_ip *, size_t);
int		 ip_cert_compose_ranges(struct cert_ip *);
void		 ip_roa_compose_ranges(struct roa_ip *);
void		 ip_warn(const char *, const char *, const struct cert_ip *);

int		 sbgp_addr(const char *, struct cert_ip *, size_t *,
		    enum afi, const ASN1_BIT_STRING *);
int		 sbgp_addr_range(const char *, struct cert_ip *, size_t *,
		    enum afi, const IPAddressRange *);

int		 sbgp_parse_ipaddrblk(const char *, const IPAddrBlocks *,
		    struct cert_ip **, size_t *);

/* Work with RFC 3779 AS numbers, ranges.
 */

int		 as_id_parse(const ASN1_INTEGER *, uint32_t *);
int		 as_check_overlap(const struct cert_as *, const char *,
		    const struct cert_as *, size_t, int);
int		 as_check_covered(uint32_t, uint32_t,
		    const struct cert_as *, size_t);
void		 as_warn(const char *, const char *, const struct cert_as *);

int		 sbgp_as_id(const char *, struct cert_as *, size_t *,
		    const ASN1_INTEGER *);
int		 sbgp_as_range(const char *, struct cert_as *, size_t *,
		    const ASRange *);

int		 sbgp_parse_assysnum(const char *, const ASIdentifiers *,
		    struct cert_as **, size_t *);

/* Constraints-specific */
void		 constraints_load(void);
void		 constraints_unload(void);
void		 constraints_parse(void);
int		 constraints_validate(const char *, const struct cert *);

/* Parser-specific */
void		 entity_free(struct entity *);
void		 entity_read_req(struct ibuf *, struct entity *);
void		 entityq_flush(struct entityq *, struct repo *);
/* proc_*() are per-process entry points; they never return to the caller. */
void		 proc_parser(int) __attribute__((noreturn));
void		 proc_filemode(int) __attribute__((noreturn));

/* Rsync-specific. */

char		*rsync_base_uri(const char *);
void		 proc_rsync(char *, char *, int) __attribute__((noreturn));

/* HTTP and RRDP processes.
 */

void		 proc_http(char *, int) __attribute__((noreturn));
void		 proc_rrdp(int) __attribute__((noreturn));

/* Repository handling */
int		 filepath_add(struct filepath_tree *, char *, time_t);
void		 rrdp_clear(unsigned int);
void		 rrdp_session_save(unsigned int, struct rrdp_session *);
void		 rrdp_session_free(struct rrdp_session *);
void		 rrdp_session_buffer(struct ibuf *,
		    const struct rrdp_session *);
struct rrdp_session	*rrdp_session_read(struct ibuf *);
int		 rrdp_handle_file(unsigned int, enum publish_type, char *,
		    char *, size_t, char *, size_t);
char		*repo_basedir(const struct repo *, int);
unsigned int	 repo_id(const struct repo *);
const char	*repo_uri(const struct repo *);
void		 repo_fetch_uris(const struct repo *, const char **,
		    const char **);
int		 repo_synced(const struct repo *);
const char	*repo_proto(const struct repo *);
int		 repo_talid(const struct repo *);
struct repo	*ta_lookup(int, struct tal *);
struct repo	*repo_lookup(int, const char *, const char *);
struct repo	*repo_byid(unsigned int);
int		 repo_queued(struct repo *, struct entity *);
void		 repo_cleanup(struct filepath_tree *, int);
int		 repo_check_timeout(int);
void		 repostats_new_files_inc(struct repo *, const char *);
void		 repo_stat_inc(struct repo *, int, enum rtype, enum stype);
/* The collect routines call back once per repo with the given stats and
 * the opaque void * argument. */
void		 repo_tal_stats_collect(void (*)(const struct repo *,
		    const struct repotalstats *, void *), int, void *);
void		 repo_stats_collect(void (*)(const struct repo *,
		    const struct repostats *, void *), void *);
void		 repo_free(void);

/* Completion callbacks for the transport processes. */
void		 rsync_finish(unsigned int, int);
void		 http_finish(unsigned int, enum http_result, const char *);
void		 rrdp_finish(unsigned int, int);

/* Requests to the transport processes; the unsigned int is the repo id. */
void		 rsync_fetch(unsigned int, const char *, const char *,
		    const char *);
void		 rsync_abort(unsigned int);
void		 http_fetch(unsigned int, const char *, const char *, int);
void		 rrdp_fetch(unsigned int, const char *, const char *,
		    struct rrdp_session *);
void		 rrdp_abort(unsigned int);
void		 rrdp_http_done(unsigned int, enum http_result, const char *);

/* Encoding functions for hex and base64. */

unsigned char	*load_file(const char *, size_t *);
/* The *_len() helpers compute the output size for a given input size;
 * their int return presumably flags overflow/invalid length — confirm. */
int		 base64_decode_len(size_t, size_t *);
int		 base64_decode(const unsigned char *, size_t,
		    unsigned char **, size_t *);
int		 base64_encode_len(size_t, size_t *);
int		 base64_encode(const unsigned char *, size_t, char **);
char		*hex_encode(const unsigned char *, size_t);
int		 hex_decode(const char *, char *, size_t);


/* Functions for moving data between processes. */

struct ibuf	*io_new_buffer(void);
void		 io_simple_buffer(struct ibuf *, const void *, size_t);
void		 io_buf_buffer(struct ibuf *, const void *, size_t);
void		 io_str_buffer(struct ibuf *, const char *);
void		 io_close_buffer(struct msgbuf *, struct ibuf *);
void		 io_read_buf(struct ibuf *, void *, size_t);
void		 io_read_str(struct ibuf *, char **);
void		 io_read_buf_alloc(struct ibuf *, void **, size_t *);
struct ibuf	*io_buf_read(int, struct ibuf **);
struct ibuf	*io_buf_recvfd(int, struct ibuf **);

/* X509 helpers.
 */

void		 x509_init_oid(void);
/* The x509_get_*() accessors take the file name (for diagnostics) and
 * return the extracted value through the out pointer. */
int		 x509_get_aia(X509 *, const char *, char **);
int		 x509_get_aki(X509 *, const char *, char **);
int		 x509_get_sia(X509 *, const char *, char **);
int		 x509_get_ski(X509 *, const char *, char **);
int		 x509_get_notbefore(X509 *, const char *, time_t *);
int		 x509_get_notafter(X509 *, const char *, time_t *);
int		 x509_get_crl(X509 *, const char *, char **);
char		*x509_crl_get_aki(X509_CRL *, const char *);
char		*x509_crl_get_number(X509_CRL *, const char *);
char		*x509_get_pubkey(X509 *, const char *);
char		*x509_pubkey_get_ski(X509_PUBKEY *, const char *);
enum cert_purpose x509_get_purpose(X509 *, const char *);
int		 x509_get_time(const ASN1_TIME *, time_t *);
char		*x509_convert_seqnum(const char *, const ASN1_INTEGER *);
int		 x509_location(const char *, const char *, const char *,
		    GENERAL_NAME *, char **);
int		 x509_inherits(X509 *);
int		 x509_any_inherits(X509 *);
int		 x509_valid_subject(const char *, const X509 *);
time_t		 x509_find_expires(time_t, struct auth *, struct crl_tree *);

/* printers */
char		*nid2str(int);
char		*time2str(time_t);
void		 x509_print(const X509 *);
void		 tal_print(const struct tal *);
void		 cert_print(const struct cert *);
void		 crl_print(const struct crl *);
void		 mft_print(const X509 *, const struct mft *);
void		 roa_print(const X509 *, const struct roa *);
void		 gbr_print(const X509 *, const struct gbr *);
void		 rsc_print(const X509 *, const struct rsc *);
void		 aspa_print(const X509 *, const struct aspa *);
void		 tak_print(const X509 *, const struct tak *);
void		 geofeed_print(const X509 *, const struct geofeed *);
void		 spl_print(const X509 *, const struct spl *);

/* Missing RFC 3779 API */
IPAddrBlocks	*IPAddrBlocks_new(void);
void		 IPAddrBlocks_free(IPAddrBlocks *);

/* Output!
 */

extern int	 outformats;
/* Bit flags; presumably OR'd together into outformats. */
#define FORMAT_OPENBGPD	0x01
#define FORMAT_BIRD	0x02
#define FORMAT_CSV	0x04
#define FORMAT_JSON	0x08
#define FORMAT_OMETRIC	0x10

int		 outputfiles(struct vrp_tree *v, struct brk_tree *b,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 outputheader(FILE *, struct stats *);
int		 output_bgpd(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_bird1v4(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_bird1v6(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_bird2(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_csv(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_json(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);
int		 output_ometric(FILE *, struct vrp_tree *, struct brk_tree *,
		    struct vap_tree *, struct vsp_tree *, struct stats *);

/* The format attribute lets the compiler type-check callers' format
 * strings and arguments (-Wformat); keep it when adding log wrappers. */
void		 logx(const char *fmt, ...)
		    __attribute__((format(printf, 1, 2)));
time_t		 getmonotime(void);
time_t		 get_current_time(void);

int		 mkpath(const char *);
int		 mkpathat(int, const char *);

#define RPKI_PATH_OUT_DIR	"/var/db/rpki-client"
#define RPKI_PATH_BASE_DIR	"/var/cache/rpki-client"

#define DEFAULT_SKIPLIST_FILE	"/etc/rpki/skiplist"

/* Maximum number of TAL files we'll load. */
#define TALSZ_MAX		8

/*
 * Maximum number of elements in the sbgp-ipAddrBlock (IP) and
 * sbgp-autonomousSysNum (AS) X.509v3 extension of CA/EE certificates.
 *
 * NOTE(review): the MAX_* caps below are the limits placed on content
 * that arrives from remote repositories; a new object type that carries
 * a list should get a cap of its own alongside these.
 */
#define MAX_IP_SIZE		200000
#define MAX_AS_SIZE		200000

/* Maximum acceptable URI length */
#define MAX_URI_LENGTH		2048

/* Min/Max acceptable file size */
#define MIN_FILE_SIZE		100
#define MAX_FILE_SIZE		4000000

/* Maximum number of FileNameAndHash entries per RSC checklist. */
#define MAX_CHECKLIST_ENTRIES	100000

/* Maximum number of FileAndHash entries per manifest. */
#define MAX_MANIFEST_ENTRIES	100000

/* Maximum number of Providers per ASPA object. */
#define MAX_ASPA_PROVIDERS	10000

/* Maximum depth of the RPKI tree. */
#define MAX_CERT_DEPTH		12

/* Maximum number of concurrent http and rsync requests. */
#define MAX_HTTP_REQUESTS	64
#define MAX_RSYNC_REQUESTS	16

/* How many seconds to wait for a connection to succeed. */
#define MAX_CONN_TIMEOUT	15

/* How many seconds to wait for IO from a remote server. */
#define MAX_IO_TIMEOUT		30

/* Maximum number of delegated hosting locations (repositories) for each TAL. */
#define MAX_REPO_PER_TAL	1000

/* Scheme prefixes; the *_LEN values exclude the terminating NUL. */
#define HTTP_PROTO		"http://"
#define HTTP_PROTO_LEN		(sizeof(HTTP_PROTO) - 1)
#define HTTPS_PROTO		"https://"
#define HTTPS_PROTO_LEN		(sizeof(HTTPS_PROTO) - 1)
#define RSYNC_PROTO		"rsync://"
#define RSYNC_PROTO_LEN		(sizeof(RSYNC_PROTO) - 1)

#endif /* ! EXTERN_H */