1 /* $OpenBSD: extern.h,v 1.221 2024/06/04 04:17:18 tb Exp $ */ 2 /* 3 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 #ifndef EXTERN_H 18 #define EXTERN_H 19 20 #include <sys/queue.h> 21 #include <sys/tree.h> 22 #include <sys/time.h> 23 24 #include <openssl/x509.h> 25 #include <openssl/x509v3.h> 26 27 #define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \ 28 __attribute__((__unused__)) 29 30 enum cert_as_type { 31 CERT_AS_ID, /* single identifier */ 32 CERT_AS_INHERIT, /* inherit from issuer */ 33 CERT_AS_RANGE, /* range of identifiers */ 34 }; 35 36 /* 37 * An AS identifier range. 38 * The maximum AS identifier is an unsigned 32 bit integer (RFC 6793). 39 */ 40 struct cert_as_range { 41 uint32_t min; /* minimum non-zero */ 42 uint32_t max; /* maximum */ 43 }; 44 45 /* 46 * An autonomous system (AS) object. 47 * AS identifiers are unsigned 32 bit integers (RFC 6793). 48 */ 49 struct cert_as { 50 enum cert_as_type type; /* type of AS specification */ 51 union { 52 uint32_t id; /* singular identifier */ 53 struct cert_as_range range; /* range */ 54 }; 55 }; 56 57 /* 58 * AFI values are assigned by IANA. 59 * In rpki-client, we only accept the IPV4 and IPV6 AFI values. 60 */ 61 enum afi { 62 AFI_IPV4 = 1, 63 AFI_IPV6 = 2 64 }; 65 66 /* 67 * An IP address as parsed from RFC 3779, section 2.2.3.8. 68 * This is either in a certificate or an ROA. 69 * It may either be IPv4 or IPv6. 70 */ 71 struct ip_addr { 72 unsigned char addr[16]; /* binary address prefix */ 73 unsigned char prefixlen; /* number of valid bits in address */ 74 }; 75 76 /* 77 * An IP address (IPv4 or IPv6) range starting at the minimum and making 78 * its way to the maximum. 79 */ 80 struct ip_addr_range { 81 struct ip_addr min; /* minimum ip */ 82 struct ip_addr max; /* maximum ip */ 83 }; 84 85 enum cert_ip_type { 86 CERT_IP_ADDR, /* IP address range w/shared prefix */ 87 CERT_IP_INHERIT, /* inherited IP address */ 88 CERT_IP_RANGE /* range of IP addresses */ 89 }; 90 91 /* 92 * A single IP address family (AFI, address or range) as defined in RFC 93 * 3779, 2.2.3.2. 94 * The RFC specifies multiple address or ranges per AFI; this structure 95 * encodes both the AFI and a single address or range. 96 */ 97 struct cert_ip { 98 enum afi afi; /* AFI value */ 99 enum cert_ip_type type; /* type of IP entry */ 100 unsigned char min[16]; /* full range minimum */ 101 unsigned char max[16]; /* full range maximum */ 102 union { 103 struct ip_addr ip; /* singular address */ 104 struct ip_addr_range range; /* range */ 105 }; 106 }; 107 108 enum cert_purpose { 109 CERT_PURPOSE_INVALID, 110 CERT_PURPOSE_CA, 111 CERT_PURPOSE_BGPSEC_ROUTER 112 }; 113 114 /* 115 * Parsed components of a validated X509 certificate stipulated by RFC 116 * 6847 and further (within) by RFC 3779. 117 * All AS numbers are guaranteed to be non-overlapping and properly 118 * inheriting. 119 */ 120 struct cert { 121 struct cert_ip *ips; /* list of IP address ranges */ 122 size_t ipsz; /* length of "ips" */ 123 struct cert_as *as; /* list of AS numbers and ranges */ 124 size_t asz; /* length of "asz" */ 125 int talid; /* cert is covered by which TAL */ 126 int certid; 127 unsigned int repoid; /* repository of this cert file */ 128 char *repo; /* CA repository (rsync:// uri) */ 129 char *mft; /* manifest (rsync:// uri) */ 130 char *notify; /* RRDP notify (https:// uri) */ 131 char *crl; /* CRL location (rsync:// or NULL) */ 132 char *aia; /* AIA (or NULL, for trust anchor) */ 133 char *aki; /* AKI (or NULL, for trust anchor) */ 134 char *ski; /* SKI */ 135 enum cert_purpose purpose; /* BGPSec or CA */ 136 char *pubkey; /* Subject Public Key Info */ 137 X509 *x509; /* the cert */ 138 time_t notbefore; /* cert's Not Before */ 139 time_t notafter; /* cert's Not After */ 140 time_t expires; /* when the signature path expires */ 141 }; 142 143 /* 144 * The TAL file conforms to RFC 7730. 145 * It is the top-level structure of RPKI and defines where we can find 146 * certificates for TAs (trust anchors). 147 * It also includes the public key for verifying those trust anchor 148 * certificates. 149 */ 150 struct tal { 151 char **uri; /* well-formed rsync URIs */ 152 size_t urisz; /* number of URIs */ 153 unsigned char *pkey; /* DER-encoded public key */ 154 size_t pkeysz; /* length of pkey */ 155 char *descr; /* basename of tal file */ 156 int id; /* ID of this TAL */ 157 }; 158 159 /* 160 * Resource types specified by the RPKI profiles. 161 * There might be others we don't consider. 162 */ 163 enum rtype { 164 RTYPE_INVALID, 165 RTYPE_TAL, 166 RTYPE_MFT, 167 RTYPE_ROA, 168 RTYPE_CER, 169 RTYPE_CRL, 170 RTYPE_GBR, 171 RTYPE_REPO, 172 RTYPE_FILE, 173 RTYPE_RSC, 174 RTYPE_ASPA, 175 RTYPE_TAK, 176 RTYPE_GEOFEED, 177 RTYPE_SPL, 178 }; 179 180 enum location { 181 DIR_UNKNOWN, 182 DIR_TEMP, 183 DIR_VALID, 184 }; 185 186 /* 187 * Files specified in an MFT have their bodies hashed with SHA256. 188 */ 189 struct mftfile { 190 char *file; /* filename (CER/ROA/CRL, no path) */ 191 enum rtype type; /* file type as determined by extension */ 192 enum location location; /* temporary or valid directory */ 193 unsigned char hash[SHA256_DIGEST_LENGTH]; /* sha256 of body */ 194 }; 195 196 /* 197 * A manifest, RFC 6486. 198 * This consists of a bunch of files found in the same directory as the 199 * manifest file. 200 */ 201 struct mft { 202 char *path; /* relative path to directory of the MFT */ 203 struct mftfile *files; /* file and hash */ 204 char *seqnum; /* manifestNumber */ 205 char *aia; /* AIA */ 206 char *aki; /* AKI */ 207 char *sia; /* SIA signedObject */ 208 char *ski; /* SKI */ 209 char *crl; /* CRL file name */ 210 unsigned char mfthash[SHA256_DIGEST_LENGTH]; 211 unsigned char crlhash[SHA256_DIGEST_LENGTH]; 212 time_t signtime; /* CMS signing-time attribute */ 213 time_t thisupdate; /* from the eContent */ 214 time_t nextupdate; /* from the eContent */ 215 time_t expires; /* when the signature path expires */ 216 size_t filesz; /* number of filenames */ 217 unsigned int repoid; 218 int talid; 219 int certid; 220 }; 221 222 /* 223 * An IP address prefix for a given ROA. 224 * This encodes the maximum length, AFI (v6/v4), and address. 225 * FIXME: are the min/max necessary or just used in one place? 226 */ 227 struct roa_ip { 228 enum afi afi; /* AFI value */ 229 struct ip_addr addr; /* the address prefix itself */ 230 unsigned char min[16]; /* full range minimum */ 231 unsigned char max[16]; /* full range maximum */ 232 unsigned char maxlength; /* max length or zero */ 233 }; 234 235 /* 236 * An ROA, RFC 6482. 237 * This consists of the concerned ASID and its IP prefixes. 238 */ 239 struct roa { 240 uint32_t asid; /* asID of ROA (if 0, RFC 6483 sec 4) */ 241 struct roa_ip *ips; /* IP prefixes */ 242 size_t ipsz; /* number of IP prefixes */ 243 int talid; /* ROAs are covered by which TAL */ 244 int valid; /* validated resources */ 245 char *aia; /* AIA */ 246 char *aki; /* AKI */ 247 char *sia; /* SIA signedObject */ 248 char *ski; /* SKI */ 249 time_t signtime; /* CMS signing-time attribute */ 250 time_t notbefore; /* EE cert's Not Before */ 251 time_t notafter; /* EE cert's Not After */ 252 time_t expires; /* when the signature path expires */ 253 }; 254 255 struct rscfile { 256 char *filename; /* an optional filename on the checklist */ 257 unsigned char hash[SHA256_DIGEST_LENGTH]; /* the digest */ 258 }; 259 260 /* 261 * A Signed Checklist (RSC) 262 */ 263 struct rsc { 264 int talid; /* RSC covered by what TAL */ 265 int valid; /* eContent resources covered by EE's 3779? */ 266 struct cert_ip *ips; /* IP prefixes */ 267 size_t ipsz; /* number of IP prefixes */ 268 struct cert_as *as; /* AS resources */ 269 size_t asz; /* number of AS resources */ 270 struct rscfile *files; /* FileAndHashes in the RSC */ 271 size_t filesz; /* number of FileAndHashes */ 272 char *aia; /* AIA */ 273 char *aki; /* AKI */ 274 char *ski; /* SKI */ 275 time_t signtime; /* CMS signing-time attribute */ 276 time_t notbefore; /* EE cert's Not Before */ 277 time_t notafter; /* Not After of the RSC EE */ 278 time_t expires; /* when the signature path expires */ 279 }; 280 281 /* 282 * An IP address prefix in a given SignedPrefixList. 283 */ 284 struct spl_pfx { 285 enum afi afi; 286 struct ip_addr prefix; 287 }; 288 289 /* 290 * An SPL, draft-ietf-sidrops-rpki-prefixlist 291 * This consists of an ASID and its IP prefixes. 292 */ 293 struct spl { 294 uint32_t asid; 295 struct spl_pfx *pfxs; 296 size_t pfxsz; 297 int talid; 298 char *aia; 299 char *aki; 300 char *sia; 301 char *ski; 302 time_t signtime; /* CMS signing-time attribute */ 303 time_t notbefore; /* EE cert's Not Before */ 304 time_t notafter; /* EE cert's Not After */ 305 time_t expires; /* when the certification path expires */ 306 int valid; 307 }; 308 309 /* 310 * Datastructure representing the TAKey sequence inside TAKs. 311 */ 312 struct takey { 313 char **comments; /* Comments */ 314 size_t commentsz; /* number of Comments */ 315 char **uris; /* CertificateURI */ 316 size_t urisz; /* number of CertificateURIs */ 317 unsigned char *pubkey; /* DER encoded SubjectPublicKeyInfo */ 318 size_t pubkeysz; 319 char *ski; /* hex encoded SubjectKeyIdentifier of pubkey */ 320 }; 321 322 /* 323 * A Signed TAL (TAK) draft-ietf-sidrops-signed-tal-12 324 */ 325 struct tak { 326 int talid; /* TAK covered by what TAL */ 327 struct takey *current; 328 struct takey *predecessor; 329 struct takey *successor; 330 char *aia; /* AIA */ 331 char *aki; /* AKI */ 332 char *sia; /* SIA signed Object */ 333 char *ski; /* SKI */ 334 time_t signtime; /* CMS signing-time attribute */ 335 time_t notbefore; /* EE cert's Not Before */ 336 time_t notafter; /* Not After of the TAK EE */ 337 time_t expires; /* when the signature path expires */ 338 }; 339 340 /* 341 * A single geofeed record 342 */ 343 struct geoip { 344 struct cert_ip *ip; 345 char *loc; 346 }; 347 348 /* 349 * A geofeed file 350 */ 351 struct geofeed { 352 struct geoip *geoips; /* Prefix + location entry in the CSV */ 353 size_t geoipsz; /* number of IPs */ 354 char *aia; /* AIA */ 355 char *aki; /* AKI */ 356 char *ski; /* SKI */ 357 time_t signtime; /* CMS signing-time attribute */ 358 time_t notbefore; /* EE cert's Not Before */ 359 time_t notafter; /* Not After of the Geofeed EE */ 360 time_t expires; /* when the signature path expires */ 361 int valid; /* all resources covered */ 362 }; 363 364 /* 365 * A single Ghostbuster record 366 */ 367 struct gbr { 368 char *vcard; 369 char *aia; /* AIA */ 370 char *aki; /* AKI */ 371 char *sia; /* SIA signedObject */ 372 char *ski; /* SKI */ 373 time_t signtime; /* CMS signing-time attribute */ 374 time_t notbefore; /* EE cert's Not Before */ 375 time_t notafter; /* Not After of the GBR EE */ 376 time_t expires; /* when the signature path expires */ 377 int talid; /* TAL the GBR is chained up to */ 378 }; 379 380 /* 381 * A single ASPA record 382 */ 383 struct aspa { 384 int valid; /* contained in issuer auth */ 385 int talid; /* TAL the ASPA is chained up to */ 386 char *aia; /* AIA */ 387 char *aki; /* AKI */ 388 char *sia; /* SIA signedObject */ 389 char *ski; /* SKI */ 390 uint32_t custasid; /* the customerASID */ 391 uint32_t *providers; /* the providers */ 392 size_t providersz; /* number of providers */ 393 time_t signtime; /* CMS signing-time attribute */ 394 time_t notbefore; /* EE cert's Not Before */ 395 time_t notafter; /* notAfter of the ASPA EE cert */ 396 time_t expires; /* when the signature path expires */ 397 }; 398 399 /* 400 * A Validated ASPA Payload (VAP) tree element. 401 * To ease transformation, this struct mimics ASPA RTR PDU structure. 402 */ 403 struct vap { 404 RB_ENTRY(vap) entry; 405 uint32_t custasid; 406 uint32_t *providers; 407 size_t providersz; 408 time_t expires; 409 int talid; 410 unsigned int repoid; 411 int overflowed; 412 }; 413 414 /* 415 * Tree of VAPs sorted by afi, custasid, and provideras. 416 */ 417 RB_HEAD(vap_tree, vap); 418 RB_PROTOTYPE(vap_tree, vap, entry, vapcmp); 419 420 /* 421 * A single VRP element (including ASID) 422 */ 423 struct vrp { 424 RB_ENTRY(vrp) entry; 425 struct ip_addr addr; 426 uint32_t asid; 427 enum afi afi; 428 unsigned char maxlength; 429 time_t expires; /* transitive expiry moment */ 430 int talid; /* covered by which TAL */ 431 unsigned int repoid; 432 }; 433 /* 434 * Tree of VRP sorted by afi, addr, maxlength and asid 435 */ 436 RB_HEAD(vrp_tree, vrp); 437 RB_PROTOTYPE(vrp_tree, vrp, entry, vrpcmp); 438 439 /* 440 * Validated SignedPrefixList Payload 441 * A single VSP element (including ASID) 442 * draft-ietf-sidrops-rpki-prefixlist 443 */ 444 struct vsp { 445 RB_ENTRY(vsp) entry; 446 uint32_t asid; 447 struct spl_pfx *prefixes; 448 size_t prefixesz; 449 time_t expires; 450 int talid; 451 unsigned int repoid; 452 }; 453 /* 454 * Tree of VSP sorted by asid 455 */ 456 RB_HEAD(vsp_tree, vsp); 457 RB_PROTOTYPE(vsp_tree, vsp, entry, vspcmp); 458 459 /* 460 * A single BGPsec Router Key (including ASID) 461 */ 462 struct brk { 463 RB_ENTRY(brk) entry; 464 uint32_t asid; 465 int talid; /* covered by which TAL */ 466 char *ski; /* Subject Key Identifier */ 467 char *pubkey; /* Subject Public Key Info */ 468 time_t expires; /* transitive expiry moment */ 469 }; 470 /* 471 * Tree of BRK sorted by asid 472 */ 473 RB_HEAD(brk_tree, brk); 474 RB_PROTOTYPE(brk_tree, brk, entry, brkcmp); 475 476 /* 477 * A single CRL 478 */ 479 struct crl { 480 RB_ENTRY(crl) entry; 481 char *aki; 482 char *mftpath; 483 X509_CRL *x509_crl; 484 time_t thisupdate; /* do not use before */ 485 time_t nextupdate; /* do not use after */ 486 }; 487 /* 488 * Tree of CRLs sorted by uri 489 */ 490 RB_HEAD(crl_tree, crl); 491 492 /* 493 * An authentication tuple. 494 * This specifies a public key and a subject key identifier used to 495 * verify children nodes in the tree of entities. 496 */ 497 struct auth { 498 RB_ENTRY(auth) entry; 499 struct cert *cert; /* owner information */ 500 struct auth *issuer; /* pointer to issuer or NULL for TA cert */ 501 int any_inherits; 502 int depth; 503 }; 504 /* 505 * Tree of auth sorted by ski 506 */ 507 RB_HEAD(auth_tree, auth); 508 509 struct auth *auth_find(struct auth_tree *, int); 510 struct auth *auth_insert(const char *, struct auth_tree *, struct cert *, 511 struct auth *); 512 513 enum http_result { 514 HTTP_FAILED, /* anything else */ 515 HTTP_OK, /* 200 OK */ 516 HTTP_NOT_MOD, /* 304 Not Modified */ 517 }; 518 519 /* 520 * Message types for communication with RRDP process. 521 */ 522 enum rrdp_msg { 523 RRDP_START, 524 RRDP_SESSION, 525 RRDP_FILE, 526 RRDP_CLEAR, 527 RRDP_END, 528 RRDP_HTTP_REQ, 529 RRDP_HTTP_INI, 530 RRDP_HTTP_FIN, 531 RRDP_ABORT, 532 }; 533 534 /* Maximum number of delta files per RRDP notification file. */ 535 #define MAX_RRDP_DELTAS 300 536 537 /* 538 * RRDP session state, needed to pickup at the right spot on next run. 539 */ 540 struct rrdp_session { 541 char *last_mod; 542 char *session_id; 543 long long serial; 544 char *deltas[MAX_RRDP_DELTAS]; 545 }; 546 547 /* 548 * File types used in RRDP_FILE messages. 549 */ 550 enum publish_type { 551 PUB_ADD, 552 PUB_UPD, 553 PUB_DEL, 554 }; 555 556 /* 557 * An entity (MFT, ROA, certificate, etc.) that needs to be downloaded 558 * and parsed. 559 */ 560 struct entity { 561 TAILQ_ENTRY(entity) entries; 562 char *path; /* path relative to repository */ 563 char *file; /* filename or valid repo path */ 564 char *mftaki; /* expected AKI (taken from Manifest) */ 565 unsigned char *data; /* optional data blob */ 566 size_t datasz; /* length of optional data blob */ 567 unsigned int repoid; /* repository identifier */ 568 int talid; /* tal identifier */ 569 int certid; 570 enum rtype type; /* type of entity (not RTYPE_EOF) */ 571 enum location location; /* which directory the file lives in */ 572 }; 573 TAILQ_HEAD(entityq, entity); 574 575 enum stype { 576 STYPE_OK, 577 STYPE_FAIL, 578 STYPE_INVALID, 579 STYPE_BGPSEC, 580 STYPE_TOTAL, 581 STYPE_UNIQUE, 582 STYPE_DEC_UNIQUE, 583 STYPE_PROVIDERS, 584 STYPE_OVERFLOW, 585 }; 586 587 struct repo; 588 struct filepath; 589 RB_HEAD(filepath_tree, filepath); 590 591 592 /* 593 * Statistics collected during run-time. 594 */ 595 struct repotalstats { 596 uint32_t certs; /* certificates */ 597 uint32_t certs_fail; /* invalid certificate */ 598 uint32_t mfts; /* total number of manifests */ 599 uint32_t mfts_fail; /* failing syntactic parse */ 600 uint32_t roas; /* route origin authorizations */ 601 uint32_t roas_fail; /* failing syntactic parse */ 602 uint32_t roas_invalid; /* invalid resources */ 603 uint32_t aspas; /* ASPA objects */ 604 uint32_t aspas_fail; /* ASPA objects failing syntactic parse */ 605 uint32_t aspas_invalid; /* ASPAs with invalid customerASID */ 606 uint32_t brks; /* number of BGPsec Router Key (BRK) certs */ 607 uint32_t crls; /* revocation lists */ 608 uint32_t gbrs; /* ghostbuster records */ 609 uint32_t taks; /* signed TAL objects */ 610 uint32_t vaps; /* total number of Validated ASPA Payloads */ 611 uint32_t vaps_uniqs; /* total number of unique VAPs */ 612 uint32_t vaps_pas; /* total number of providers */ 613 uint32_t vaps_overflowed; /* VAPs with too many providers */ 614 uint32_t vrps; /* total number of Validated ROA Payloads */ 615 uint32_t vrps_uniqs; /* number of unique vrps */ 616 uint32_t spls; /* signed prefix list */ 617 uint32_t spls_fail; /* failing syntactic parse */ 618 uint32_t spls_invalid; /* invalid spls */ 619 uint32_t vsps; /* total number of Validated SPL Payloads */ 620 uint32_t vsps_uniqs; /* number of unique vsps */ 621 }; 622 623 struct repostats { 624 uint32_t del_files; /* number of files removed in cleanup */ 625 uint32_t extra_files; /* number of superfluous files */ 626 uint32_t del_extra_files;/* number of removed extra files */ 627 uint32_t del_dirs; /* number of dirs removed in cleanup */ 628 uint32_t new_files; /* moved from DIR_TEMP to DIR_VALID */ 629 struct timespec sync_time; /* time to sync repo */ 630 }; 631 632 struct stats { 633 uint32_t tals; /* total number of locators */ 634 uint32_t repos; /* repositories */ 635 uint32_t rsync_repos; /* synced rsync repositories */ 636 uint32_t rsync_fails; /* failed rsync repositories */ 637 uint32_t http_repos; /* synced http repositories */ 638 uint32_t http_fails; /* failed http repositories */ 639 uint32_t rrdp_repos; /* synced rrdp repositories */ 640 uint32_t rrdp_fails; /* failed rrdp repositories */ 641 uint32_t skiplistentries; /* number of skiplist entries */ 642 643 struct repotalstats repo_tal_stats; 644 struct repostats repo_stats; 645 struct timespec elapsed_time; 646 struct timespec user_time; 647 struct timespec system_time; 648 }; 649 650 struct ibuf; 651 struct msgbuf; 652 653 /* global variables */ 654 extern int verbose; 655 extern int noop; 656 extern int filemode; 657 extern int excludeaspa; 658 extern int experimental; 659 extern const char *tals[]; 660 extern const char *taldescs[]; 661 extern unsigned int talrepocnt[]; 662 extern struct repotalstats talstats[]; 663 extern int talsz; 664 665 /* Routines for RPKI entities. */ 666 667 void tal_buffer(struct ibuf *, const struct tal *); 668 void tal_free(struct tal *); 669 struct tal *tal_parse(const char *, char *, size_t); 670 struct tal *tal_read(struct ibuf *); 671 672 void cert_buffer(struct ibuf *, const struct cert *); 673 void cert_free(struct cert *); 674 void auth_tree_free(struct auth_tree *); 675 struct cert *cert_parse_ee_cert(const char *, int, X509 *); 676 struct cert *cert_parse_pre(const char *, const unsigned char *, size_t); 677 struct cert *cert_parse(const char *, struct cert *); 678 struct cert *ta_parse(const char *, struct cert *, const unsigned char *, 679 size_t); 680 struct cert *cert_read(struct ibuf *); 681 void cert_insert_brks(struct brk_tree *, struct cert *); 682 683 enum rtype rtype_from_file_extension(const char *); 684 void mft_buffer(struct ibuf *, const struct mft *); 685 void mft_free(struct mft *); 686 struct mft *mft_parse(X509 **, const char *, int, const unsigned char *, 687 size_t); 688 struct mft *mft_read(struct ibuf *); 689 int mft_compare_issued(const struct mft *, const struct mft *); 690 int mft_compare_seqnum(const struct mft *, const struct mft *); 691 692 void roa_buffer(struct ibuf *, const struct roa *); 693 void roa_free(struct roa *); 694 struct roa *roa_parse(X509 **, const char *, int, const unsigned char *, 695 size_t); 696 struct roa *roa_read(struct ibuf *); 697 void roa_insert_vrps(struct vrp_tree *, struct roa *, 698 struct repo *); 699 700 void spl_buffer(struct ibuf *, const struct spl *); 701 void spl_free(struct spl *); 702 struct spl *spl_parse(X509 **, const char *, int, const unsigned char *, 703 size_t); 704 struct spl *spl_read(struct ibuf *); 705 void spl_insert_vsps(struct vsp_tree *, struct spl *, 706 struct repo *); 707 708 void gbr_free(struct gbr *); 709 struct gbr *gbr_parse(X509 **, const char *, int, const unsigned char *, 710 size_t); 711 712 void geofeed_free(struct geofeed *); 713 struct geofeed *geofeed_parse(X509 **, const char *, int, char *, size_t); 714 715 void rsc_free(struct rsc *); 716 struct rsc *rsc_parse(X509 **, const char *, int, const unsigned char *, 717 size_t); 718 719 void takey_free(struct takey *); 720 void tak_free(struct tak *); 721 struct tak *tak_parse(X509 **, const char *, int, const unsigned char *, 722 size_t); 723 724 void aspa_buffer(struct ibuf *, const struct aspa *); 725 void aspa_free(struct aspa *); 726 void aspa_insert_vaps(char *, struct vap_tree *, struct aspa *, 727 struct repo *); 728 struct aspa *aspa_parse(X509 **, const char *, int, const unsigned char *, 729 size_t); 730 struct aspa *aspa_read(struct ibuf *); 731 732 /* crl.c */ 733 struct crl *crl_parse(const char *, const unsigned char *, size_t); 734 struct crl *crl_get(struct crl_tree *, const struct auth *); 735 int crl_insert(struct crl_tree *, struct crl *); 736 void crl_free(struct crl *); 737 void crl_tree_free(struct crl_tree *); 738 739 /* Validation of our objects. */ 740 741 int valid_cert(const char *, struct auth *, const struct cert *); 742 int valid_roa(const char *, struct cert *, struct roa *); 743 int valid_filehash(int, const char *, size_t); 744 int valid_hash(unsigned char *, size_t, const char *, size_t); 745 int valid_filename(const char *, size_t); 746 int valid_uri(const char *, size_t, const char *); 747 int valid_origin(const char *, const char *); 748 int valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *, 749 struct crl *, const char **); 750 int valid_rsc(const char *, struct cert *, struct rsc *); 751 int valid_econtent_version(const char *, const ASN1_INTEGER *, 752 uint64_t); 753 int valid_aspa(const char *, struct cert *, struct aspa *); 754 int valid_geofeed(const char *, struct cert *, struct geofeed *); 755 int valid_uuid(const char *); 756 int valid_ca_pkey(const char *, EVP_PKEY *); 757 int valid_spl(const char *, struct cert *, struct spl *); 758 759 /* Working with CMS. */ 760 unsigned char *cms_parse_validate(X509 **, const char *, 761 const unsigned char *, size_t, 762 const ASN1_OBJECT *, size_t *, time_t *); 763 int cms_parse_validate_detached(X509 **, const char *, 764 const unsigned char *, size_t, 765 const ASN1_OBJECT *, BIO *, time_t *); 766 767 /* Work with RFC 3779 IP addresses, prefixes, ranges. */ 768 769 int ip_addr_afi_parse(const char *, const ASN1_OCTET_STRING *, 770 enum afi *); 771 int ip_addr_parse(const ASN1_BIT_STRING *, 772 enum afi, const char *, struct ip_addr *); 773 void ip_addr_print(const struct ip_addr *, enum afi, char *, 774 size_t); 775 int ip_addr_check_overlap(const struct cert_ip *, 776 const char *, const struct cert_ip *, size_t, int); 777 int ip_addr_check_covered(enum afi, const unsigned char *, 778 const unsigned char *, const struct cert_ip *, size_t); 779 int ip_cert_compose_ranges(struct cert_ip *); 780 void ip_roa_compose_ranges(struct roa_ip *); 781 void ip_warn(const char *, const char *, const struct cert_ip *); 782 783 int sbgp_addr(const char *, struct cert_ip *, size_t *, 784 enum afi, const ASN1_BIT_STRING *); 785 int sbgp_addr_range(const char *, struct cert_ip *, size_t *, 786 enum afi, const IPAddressRange *); 787 788 int sbgp_parse_ipaddrblk(const char *, const IPAddrBlocks *, 789 struct cert_ip **, size_t *); 790 791 /* Work with RFC 3779 AS numbers, ranges. */ 792 793 int as_id_parse(const ASN1_INTEGER *, uint32_t *); 794 int as_check_overlap(const struct cert_as *, const char *, 795 const struct cert_as *, size_t, int); 796 int as_check_covered(uint32_t, uint32_t, 797 const struct cert_as *, size_t); 798 void as_warn(const char *, const char *, const struct cert_as *); 799 800 int sbgp_as_id(const char *, struct cert_as *, size_t *, 801 const ASN1_INTEGER *); 802 int sbgp_as_range(const char *, struct cert_as *, size_t *, 803 const ASRange *); 804 805 int sbgp_parse_assysnum(const char *, const ASIdentifiers *, 806 struct cert_as **, size_t *); 807 808 /* Constraints-specific */ 809 void constraints_load(void); 810 void constraints_unload(void); 811 void constraints_parse(void); 812 int constraints_validate(const char *, const struct cert *); 813 814 /* Parser-specific */ 815 void entity_free(struct entity *); 816 void entity_read_req(struct ibuf *, struct entity *); 817 void entityq_flush(struct entityq *, struct repo *); 818 void proc_parser(int) __attribute__((noreturn)); 819 void proc_filemode(int) __attribute__((noreturn)); 820 821 /* Rsync-specific. */ 822 823 char *rsync_base_uri(const char *); 824 void proc_rsync(char *, char *, int) __attribute__((noreturn)); 825 826 /* HTTP and RRDP processes. */ 827 828 void proc_http(char *, int) __attribute__((noreturn)); 829 void proc_rrdp(int) __attribute__((noreturn)); 830 831 /* Repository handling */ 832 int filepath_add(struct filepath_tree *, char *, int, time_t); 833 void rrdp_clear(unsigned int); 834 void rrdp_session_save(unsigned int, struct rrdp_session *); 835 void rrdp_session_free(struct rrdp_session *); 836 void rrdp_session_buffer(struct ibuf *, 837 const struct rrdp_session *); 838 struct rrdp_session *rrdp_session_read(struct ibuf *); 839 int rrdp_handle_file(unsigned int, enum publish_type, char *, 840 char *, size_t, char *, size_t); 841 char *repo_basedir(const struct repo *, int); 842 unsigned int repo_id(const struct repo *); 843 const char *repo_uri(const struct repo *); 844 void repo_fetch_uris(const struct repo *, const char **, 845 const char **); 846 int repo_synced(const struct repo *); 847 const char *repo_proto(const struct repo *); 848 int repo_talid(const struct repo *); 849 struct repo *ta_lookup(int, struct tal *); 850 struct repo *repo_lookup(int, const char *, const char *); 851 struct repo *repo_byid(unsigned int); 852 int repo_queued(struct repo *, struct entity *); 853 void repo_cleanup(struct filepath_tree *, int); 854 int repo_check_timeout(int); 855 void repostats_new_files_inc(struct repo *, const char *); 856 void repo_stat_inc(struct repo *, int, enum rtype, enum stype); 857 void repo_tal_stats_collect(void (*)(const struct repo *, 858 const struct repotalstats *, void *), int, void *); 859 void repo_stats_collect(void (*)(const struct repo *, 860 const struct repostats *, void *), void *); 861 void repo_free(void); 862 863 void rsync_finish(unsigned int, int); 864 void http_finish(unsigned int, enum http_result, const char *); 865 void rrdp_finish(unsigned int, int); 866 867 void rsync_fetch(unsigned int, const char *, const char *, 868 const char *); 869 void rsync_abort(unsigned int); 870 void http_fetch(unsigned int, const char *, const char *, int); 871 void rrdp_fetch(unsigned int, const char *, const char *, 872 struct rrdp_session *); 873 void rrdp_abort(unsigned int); 874 void rrdp_http_done(unsigned int, enum http_result, const char *); 875 876 /* Encoding functions for hex and base64. */ 877 878 unsigned char *load_file(const char *, size_t *); 879 int base64_decode_len(size_t, size_t *); 880 int base64_decode(const unsigned char *, size_t, 881 unsigned char **, size_t *); 882 int base64_encode_len(size_t, size_t *); 883 int base64_encode(const unsigned char *, size_t, char **); 884 char *hex_encode(const unsigned char *, size_t); 885 int hex_decode(const char *, char *, size_t); 886 887 888 /* Functions for moving data between processes. */ 889 890 struct ibuf *io_new_buffer(void); 891 void io_simple_buffer(struct ibuf *, const void *, size_t); 892 void io_buf_buffer(struct ibuf *, const void *, size_t); 893 void io_str_buffer(struct ibuf *, const char *); 894 void io_close_buffer(struct msgbuf *, struct ibuf *); 895 void io_read_buf(struct ibuf *, void *, size_t); 896 void io_read_str(struct ibuf *, char **); 897 void io_read_buf_alloc(struct ibuf *, void **, size_t *); 898 struct ibuf *io_buf_read(int, struct ibuf **); 899 struct ibuf *io_buf_recvfd(int, struct ibuf **); 900 901 /* X509 helpers. */ 902 903 void x509_init_oid(void); 904 int x509_get_aia(X509 *, const char *, char **); 905 int x509_get_aki(X509 *, const char *, char **); 906 int x509_get_sia(X509 *, const char *, char **); 907 int x509_get_ski(X509 *, const char *, char **); 908 int x509_get_notbefore(X509 *, const char *, time_t *); 909 int x509_get_notafter(X509 *, const char *, time_t *); 910 int x509_get_crl(X509 *, const char *, char **); 911 char *x509_get_pubkey(X509 *, const char *); 912 char *x509_pubkey_get_ski(X509_PUBKEY *, const char *); 913 enum cert_purpose x509_get_purpose(X509 *, const char *); 914 int x509_get_time(const ASN1_TIME *, time_t *); 915 char *x509_convert_seqnum(const char *, const ASN1_INTEGER *); 916 int x509_location(const char *, const char *, GENERAL_NAME *, 917 char **); 918 int x509_inherits(X509 *); 919 int x509_any_inherits(X509 *); 920 int x509_valid_name(const char *, const char *, const X509_NAME *); 921 time_t x509_find_expires(time_t, struct auth *, struct crl_tree *); 922 923 /* printers */ 924 char *nid2str(int); 925 char *time2str(time_t); 926 void x509_print(const X509 *); 927 void tal_print(const struct tal *); 928 void cert_print(const struct cert *); 929 void crl_print(const struct crl *); 930 void mft_print(const X509 *, const struct mft *); 931 void roa_print(const X509 *, const struct roa *); 932 void gbr_print(const X509 *, const struct gbr *); 933 void rsc_print(const X509 *, const struct rsc *); 934 void aspa_print(const X509 *, const struct aspa *); 935 void tak_print(const X509 *, const struct tak *); 936 void geofeed_print(const X509 *, const struct geofeed *); 937 void spl_print(const X509 *, const struct spl *); 938 939 /* Missing RFC 3779 API */ 940 IPAddrBlocks *IPAddrBlocks_new(void); 941 void IPAddrBlocks_free(IPAddrBlocks *); 942 943 /* Output! */ 944 945 extern int outformats; 946 #define FORMAT_OPENBGPD 0x01 947 #define FORMAT_BIRD 0x02 948 #define FORMAT_CSV 0x04 949 #define FORMAT_JSON 0x08 950 #define FORMAT_OMETRIC 0x10 951 952 int outputfiles(struct vrp_tree *v, struct brk_tree *b, 953 struct vap_tree *, struct vsp_tree *, struct stats *); 954 int outputheader(FILE *, struct stats *); 955 int output_bgpd(FILE *, struct vrp_tree *, struct brk_tree *, 956 struct vap_tree *, struct vsp_tree *, struct stats *); 957 int output_bird1v4(FILE *, struct vrp_tree *, struct brk_tree *, 958 struct vap_tree *, struct vsp_tree *, struct stats *); 959 int output_bird1v6(FILE *, struct vrp_tree *, struct brk_tree *, 960 struct vap_tree *, struct vsp_tree *, struct stats *); 961 int output_bird2(FILE *, struct vrp_tree *, struct brk_tree *, 962 struct vap_tree *, struct vsp_tree *, struct stats *); 963 int output_csv(FILE *, struct vrp_tree *, struct brk_tree *, 964 struct vap_tree *, struct vsp_tree *, struct stats *); 965 int output_json(FILE *, struct vrp_tree *, struct brk_tree *, 966 struct vap_tree *, struct vsp_tree *, struct stats *); 967 int output_ometric(FILE *, struct vrp_tree *, struct brk_tree *, 968 struct vap_tree *, struct vsp_tree *, struct stats *); 969 970 void logx(const char *fmt, ...) 971 __attribute__((format(printf, 1, 2))); 972 time_t getmonotime(void); 973 time_t get_current_time(void); 974 975 int mkpath(const char *); 976 int mkpathat(int, const char *); 977 978 #define RPKI_PATH_OUT_DIR "/var/db/rpki-client" 979 #define RPKI_PATH_BASE_DIR "/var/cache/rpki-client" 980 981 #define DEFAULT_SKIPLIST_FILE "/etc/rpki/skiplist" 982 983 /* Maximum number of TAL files we'll load. */ 984 #define TALSZ_MAX 8 985 #define CERTID_MAX 1000000 986 987 /* 988 * Maximum number of elements in the sbgp-ipAddrBlock (IP) and 989 * sbgp-autonomousSysNum (AS) X.509v3 extension of CA/EE certificates. 990 */ 991 #define MAX_IP_SIZE 200000 992 #define MAX_AS_SIZE 200000 993 994 /* Maximum acceptable URI length */ 995 #define MAX_URI_LENGTH 2048 996 997 /* Min/Max acceptable file size */ 998 #define MIN_FILE_SIZE 100 999 #define MAX_FILE_SIZE 4000000 1000 1001 /* Maximum number of FileNameAndHash entries per RSC checklist. */ 1002 #define MAX_CHECKLIST_ENTRIES 100000 1003 1004 /* Maximum number of FileAndHash entries per manifest. */ 1005 #define MAX_MANIFEST_ENTRIES 100000 1006 1007 /* Maximum number of Providers per ASPA object. */ 1008 #define MAX_ASPA_PROVIDERS 10000 1009 1010 /* Maximum depth of the RPKI tree. */ 1011 #define MAX_CERT_DEPTH 12 1012 1013 /* Maximum number of concurrent http and rsync requests. */ 1014 #define MAX_HTTP_REQUESTS 64 1015 #define MAX_RSYNC_REQUESTS 16 1016 1017 /* How many seconds to wait for a connection to succeed. */ 1018 #define MAX_CONN_TIMEOUT 15 1019 1020 /* How many seconds to wait for IO from a remote server. */ 1021 #define MAX_IO_TIMEOUT 30 1022 1023 /* Maximum number of delegated hosting locations (repositories) for each TAL. */ 1024 #define MAX_REPO_PER_TAL 1000 1025 1026 #define HTTP_PROTO "http://" 1027 #define HTTP_PROTO_LEN (sizeof(HTTP_PROTO) - 1) 1028 #define HTTPS_PROTO "https://" 1029 #define HTTPS_PROTO_LEN (sizeof(HTTPS_PROTO) - 1) 1030 #define RSYNC_PROTO "rsync://" 1031 #define RSYNC_PROTO_LEN (sizeof(RSYNC_PROTO) - 1) 1032 1033 #endif /* ! EXTERN_H */ 1034