/*	$OpenBSD: extern.h,v 1.230 2024/11/12 09:23:07 tb Exp $ */
/*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#ifndef EXTERN_H
#define EXTERN_H

#include <sys/queue.h>
#include <sys/tree.h>
#include <sys/time.h>

/*
 * NOTE(review): SHA256_DIGEST_LENGTH (used by the mft/rsc structures
 * below) lives in <openssl/sha.h>, which is reached only transitively
 * through <openssl/x509.h>.
 */
#include <openssl/x509.h>
#include <openssl/x509v3.h>

/*
 * Compile-time assertion: when x is false the array size becomes -1,
 * which is a compile error. The extern declaration is never used.
 */
#define CTASSERT(x) extern char  _ctassert[(x) ? 1 : -1 ] \
	    __attribute__((__unused__))

/* How an AS resource entry of a certificate is expressed (RFC 3779). */
enum cert_as_type {
	CERT_AS_ID, /* single identifier */
	CERT_AS_INHERIT, /* inherit from issuer */
	CERT_AS_RANGE, /* range of identifiers */
};

/*
 * An AS identifier range.
 * The maximum AS identifier is an unsigned 32 bit integer (RFC 6793).
 */
struct cert_as_range {
	uint32_t min; /* minimum non-zero */
	uint32_t max; /* maximum */
};

/*
 * An autonomous system (AS) object.
 * AS identifiers are unsigned 32 bit integers (RFC 6793).
 * Only the union member selected by "type" (if any) is meaningful;
 * CERT_AS_INHERIT carries no value of its own.
 */
struct cert_as {
	enum cert_as_type type; /* type of AS specification */
	union {
		uint32_t id; /* singular identifier */
		struct cert_as_range range; /* range */
	};
};

/*
 * AFI values are assigned by IANA.
 * In rpki-client, we only accept the IPV4 and IPV6 AFI values.
 */
enum afi {
	AFI_IPV4 = 1,
	AFI_IPV6 = 2
};

/*
 * An IP address as parsed from RFC 3779, section 2.2.3.8.
 * This is either in a certificate or an ROA.
 * It may either be IPv4 or IPv6.
 * The address family is not stored here; every structure embedding an
 * ip_addr below carries its own "afi" member. addr holds 16 bytes, so
 * prefixlen can never exceed 128.
 */
struct ip_addr {
	unsigned char addr[16]; /* binary address prefix */
	unsigned char prefixlen; /* number of valid bits in address */
};

/*
 * An IP address (IPv4 or IPv6) range starting at the minimum and making
 * its way to the maximum.
 */
struct ip_addr_range {
	struct ip_addr min; /* minimum ip */
	struct ip_addr max; /* maximum ip */
};

/* How an IP resource entry of a certificate is expressed (RFC 3779). */
enum cert_ip_type {
	CERT_IP_ADDR, /* IP address range w/shared prefix */
	CERT_IP_INHERIT, /* inherited IP address */
	CERT_IP_RANGE /* range of IP addresses */
};

/*
 * A single IP address family (AFI, address or range) as defined in RFC
 * 3779, 2.2.3.2.
 * The RFC specifies multiple address or ranges per AFI; this structure
 * encodes both the AFI and a single address or range.
 * Only the union member selected by "type" is meaningful. min/max are
 * the expanded first/last address of the entry (presumably filled in by
 * ip_cert_compose_ranges(), declared below -- confirm in ip.c).
 */
struct cert_ip {
	enum afi afi; /* AFI value */
	enum cert_ip_type type; /* type of IP entry */
	unsigned char min[16]; /* full range minimum */
	unsigned char max[16]; /* full range maximum */
	union {
		struct ip_addr ip; /* singular address */
		struct ip_addr_range range; /* range */
	};
};

/*
 * What a certificate is allowed to be used for, as determined by
 * x509_get_purpose(). CERT_PURPOSE_INVALID is deliberately value 0.
 */
enum cert_purpose {
	CERT_PURPOSE_INVALID,
	CERT_PURPOSE_TA,
	CERT_PURPOSE_CA,
	CERT_PURPOSE_EE,
	CERT_PURPOSE_BGPSEC_ROUTER,
};

/*
 * Parsed components of a validated X509 certificate stipulated by RFC
 * 6487 and further (within) by RFC 3779.
 * All AS numbers are guaranteed to be non-overlapping and properly
 * inheriting.
 * The string members are heap-allocated and released by cert_free().
 */
struct cert {
	struct cert_ip *ips; /* list of IP address ranges */
	size_t num_ips;
	struct cert_as *ases; /* list of AS numbers and ranges */
	size_t num_ases;
	int talid; /* cert is covered by which TAL */
	int certid; /* NOTE(review): presumably bounded by CERTID_MAX -- confirm */
	unsigned int repoid; /* repository of this cert file */
	char *repo; /* CA repository (rsync:// uri) */
	char *mft; /* manifest (rsync:// uri) */
	char *notify; /* RRDP notify (https:// uri) */
	char *crl; /* CRL location (rsync:// or NULL) */
	char *aia; /* AIA (or NULL, for trust anchor) */
	char *aki; /* AKI (or NULL, for trust anchor) */
	char *ski; /* SKI */
	enum cert_purpose purpose; /* TA, CA, EE or BGPsec router */
	char *pubkey; /* Subject Public Key Info */
	X509 *x509; /* the cert */
	time_t notbefore; /* cert's Not Before */
	time_t notafter; /* cert's Not After */
	time_t expires; /* when the signature path expires */
};

/*
 * The TAL file conforms to RFC 7730.
 * It is the top-level structure of RPKI and defines where we can find
 * certificates for TAs (trust anchors).
 * It also includes the public key for verifying those trust anchor
 * certificates.
 */
struct tal {
	char **uri; /* well-formed rsync URIs */
	size_t urisz; /* number of URIs */
	unsigned char *pkey; /* DER-encoded public key */
	size_t pkeysz; /* length of pkey */
	char *descr; /* basename of tal file */
	int id; /* ID of this TAL */
};

/*
 * Resource types specified by the RPKI profiles.
 * There might be others we don't consider.
 * RTYPE_INVALID is deliberately value 0. File types are derived from
 * the file name by rtype_from_file_extension(); RTYPE_REPO and
 * RTYPE_FILE presumably mark non-object entities (confirm in callers).
 */
enum rtype {
	RTYPE_INVALID,
	RTYPE_TAL,
	RTYPE_MFT,
	RTYPE_ROA,
	RTYPE_CER,
	RTYPE_CRL,
	RTYPE_GBR,
	RTYPE_REPO,
	RTYPE_FILE,
	RTYPE_RSC,
	RTYPE_ASPA,
	RTYPE_TAK,
	RTYPE_GEOFEED,
	RTYPE_SPL,
};

/*
 * Which on-disk directory a file lives in. Freshly fetched files are in
 * DIR_TEMP and are moved to DIR_VALID (see repostats.new_files).
 */
enum location {
	DIR_UNKNOWN,
	DIR_TEMP,
	DIR_VALID,
};

/*
 * Files specified in an MFT have their bodies hashed with SHA256.
 */
struct mftfile {
	char *file; /* filename (CER/ROA/CRL, no path) */
	enum rtype type; /* file type as determined by extension */
	enum location location; /* temporary or valid directory */
	unsigned char hash[SHA256_DIGEST_LENGTH]; /* sha256 of body */
};

/*
 * A manifest, RFC 6486 (now RFC 9286).
 * This consists of a bunch of files found in the same directory as the
 * manifest file.
 */
struct mft {
	char *path; /* relative path to directory of the MFT */
	struct mftfile *files; /* file and hash */
	char *seqnum; /* manifestNumber */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *sia; /* SIA signedObject */
	char *ski; /* SKI */
	char *crl; /* CRL file name */
	unsigned char mfthash[SHA256_DIGEST_LENGTH]; /* NOTE(review): presumably sha256 of the manifest file itself -- confirm */
	unsigned char crlhash[SHA256_DIGEST_LENGTH]; /* NOTE(review): presumably sha256 of the CRL named by "crl" -- confirm */
	time_t signtime; /* CMS signing-time attribute */
	time_t thisupdate; /* from the eContent */
	time_t nextupdate; /* from the eContent */
	time_t expires; /* when the signature path expires */
	size_t filesz; /* number of filenames */
	unsigned int repoid;
	int talid;
	int certid;
	int seqnum_gap; /* was there a gap compared to prev mft? */
};

/*
 * An IP address prefix for a given ROA.
 * This encodes the maximum length, AFI (v6/v4), and address.
 * FIXME: are the min/max necessary or just used in one place?
 */
struct roa_ip {
	enum afi afi; /* AFI value */
	struct ip_addr addr; /* the address prefix itself */
	unsigned char min[16]; /* full range minimum */
	unsigned char max[16]; /* full range maximum */
	unsigned char maxlength; /* max length or zero */
};

/*
 * An ROA, RFC 6482 (now RFC 9582).
 * This consists of the concerned ASID and its IP prefixes.
 */
struct roa {
	uint32_t asid; /* asID of ROA (if 0, RFC 6483 sec 4) */
	struct roa_ip *ips; /* IP prefixes */
	size_t num_ips;
	int talid; /* ROAs are covered by which TAL */
	int valid; /* validated resources */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *sia; /* SIA signedObject */
	char *ski; /* SKI */
	time_t signtime; /* CMS signing-time attribute */
	time_t notbefore; /* EE cert's Not Before */
	time_t notafter; /* EE cert's Not After */
	time_t expires; /* when the signature path expires */
};

/* One FileNameAndHash entry of an RSC checklist. */
struct rscfile {
	char *filename; /* an optional filename on the checklist */
	unsigned char hash[SHA256_DIGEST_LENGTH]; /* the digest */
};

/*
 * A Signed Checklist (RSC)
 */
struct rsc {
	int talid; /* RSC covered by what TAL */
	int valid; /* eContent resources covered by EE's 3779? */
	struct cert_ip *ips; /* IP prefixes */
	size_t num_ips;
	struct cert_as *ases; /* AS resources */
	size_t num_ases;
	struct rscfile *files; /* FileAndHashes in the RSC */
	size_t filesz; /* number of FileAndHashes */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *ski; /* SKI */
	time_t signtime; /* CMS signing-time attribute */
	time_t notbefore; /* EE cert's Not Before */
	time_t notafter; /* Not After of the RSC EE */
	time_t expires; /* when the signature path expires */
};

/*
 * An IP address prefix in a given SignedPrefixList.
 */
struct spl_pfx {
	enum afi afi; /* AFI value */
	struct ip_addr prefix; /* the prefix itself */
};

/*
 * An SPL, draft-ietf-sidrops-rpki-prefixlist
 * This consists of an ASID and its IP prefixes.
 */
struct spl {
	uint32_t asid; /* asID of the SPL */
	struct spl_pfx *pfxs; /* IP prefixes */
	size_t pfxsz; /* number of prefixes */
	int talid; /* SPL covered by what TAL */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *sia; /* SIA signedObject */
	char *ski; /* SKI */
	time_t signtime; /* CMS signing-time attribute */
	time_t notbefore; /* EE cert's Not Before */
	time_t notafter; /* EE cert's Not After */
	time_t expires; /* when the certification path expires */
	int valid; /* resources covered by EE cert (see valid_spl()) */
};

/*
 * Datastructure representing the TAKey sequence inside TAKs.
 */
struct takey {
	char **comments; /* Comments */
	size_t commentsz; /* number of Comments */
	char **uris; /* CertificateURI */
	size_t urisz; /* number of CertificateURIs */
	unsigned char *pubkey; /* DER encoded SubjectPublicKeyInfo */
	size_t pubkeysz;
	char *ski; /* hex encoded SubjectKeyIdentifier of pubkey */
};

/*
 * A Signed TAL (TAK) draft-ietf-sidrops-signed-tal-12
 * predecessor and successor are optional in the draft; treat them as
 * possibly NULL.
 */
struct tak {
	int talid; /* TAK covered by what TAL */
	struct takey *current;
	struct takey *predecessor;
	struct takey *successor;
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *sia; /* SIA signed Object */
	char *ski; /* SKI */
	time_t signtime; /* CMS signing-time attribute */
	time_t notbefore; /* EE cert's Not Before */
	time_t notafter; /* Not After of the TAK EE */
	time_t expires; /* when the signature path expires */
};

/*
 * A single geofeed record
 */
struct geoip {
	struct cert_ip *ip; /* the prefix of this CSV line */
	char *loc; /* the location string of this CSV line */
};

/*
 * A geofeed file
 */
struct geofeed {
	struct geoip *geoips; /* Prefix + location entry in the CSV */
	size_t num_geoips;
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *ski; /* SKI */
	time_t signtime; /* CMS signing-time attribute */
	time_t notbefore; /* EE cert's Not Before */
	time_t notafter; /* Not After of the Geofeed EE */
	time_t expires; /* when the signature path expires */
	int valid; /* all resources covered */
};

/*
 * A single Ghostbuster record
 */
struct gbr {
	char *vcard; /* the vCard payload */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *sia; /* SIA signedObject */
	char *ski; /* SKI */
	time_t signtime; /* CMS signing-time attribute */
	time_t notbefore; /* EE cert's Not Before */
	time_t notafter; /* Not After of the GBR EE */
	time_t expires; /* when the signature path expires */
	int talid; /* TAL the GBR is chained up to */
};

/*
 * A single ASPA record
 */
struct aspa {
	int valid; /* contained in issuer auth */
	int talid; /* TAL the ASPA is chained up to */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *sia; /* SIA signedObject */
	char *ski; /* SKI */
	uint32_t custasid; /* the customerASID */
	uint32_t *providers; /* the providers */
	size_t providersz; /* number of providers */
	time_t signtime; /* CMS signing-time attribute */
	time_t notbefore; /* EE cert's Not Before */
	time_t notafter; /* notAfter of the ASPA EE cert */
	time_t expires; /* when the signature path expires */
};

/*
 * A Validated ASPA Payload (VAP) tree element.
 * To ease transformation, this struct mimics ASPA RTR PDU structure.
 */
struct vap {
	RB_ENTRY(vap) entry;
	uint32_t custasid;
	uint32_t *providers;
	size_t providersz;
	time_t expires;
	int talid;
	unsigned int repoid;
	int overflowed; /* too many providers (cf. repotalstats.vaps_overflowed) */
};

/*
 * Tree of VAPs sorted by afi, custasid, and provideras.
 * NOTE(review): struct vap has no afi member; the sort-key description
 * may be stale -- confirm against vapcmp().
 */
RB_HEAD(vap_tree, vap);
RB_PROTOTYPE(vap_tree, vap, entry, vapcmp);

/*
 * A single VRP element (including ASID)
 */
struct vrp {
	RB_ENTRY(vrp) entry;
	struct ip_addr addr;
	uint32_t asid;
	enum afi afi;
	unsigned char maxlength;
	time_t expires; /* transitive expiry moment */
	int talid; /* covered by which TAL */
	unsigned int repoid;
};
/*
 * Tree of VRP sorted by afi, addr, maxlength and asid
 */
RB_HEAD(vrp_tree, vrp);
RB_PROTOTYPE(vrp_tree, vrp, entry, vrpcmp);

/*
 * Validated SignedPrefixList Payload
 * A single VSP element (including ASID)
 * draft-ietf-sidrops-rpki-prefixlist
 */
struct vsp {
	RB_ENTRY(vsp) entry;
	uint32_t asid;
	struct spl_pfx *prefixes;
	size_t prefixesz;
	time_t expires;
	int talid;
	unsigned int repoid;
};
/*
 * Tree of VSP sorted by asid
 */
RB_HEAD(vsp_tree, vsp);
RB_PROTOTYPE(vsp_tree, vsp, entry, vspcmp);

/*
 * A single BGPsec Router Key (including ASID)
 */
struct brk {
	RB_ENTRY(brk) entry;
	uint32_t asid;
	int talid; /* covered by which TAL */
	char *ski; /* Subject Key Identifier */
	char *pubkey; /* Subject Public Key Info */
	time_t expires; /* transitive expiry moment */
};
/*
 * Tree of BRK sorted by asid
 */
RB_HEAD(brk_tree, brk);
RB_PROTOTYPE(brk_tree, brk, entry, brkcmp);

/*
 * A single CRL
 */
struct crl {
	RB_ENTRY(crl) entry;
	char *aki; /* AKI of the CRL */
	char *mftpath; /* path of the manifest that listed it */
	X509_CRL *x509_crl;
	time_t thisupdate; /* do not use before */
	time_t nextupdate; /* do not use after */
};
/*
 * Tree of CRLs sorted by uri
 * NOTE(review): struct crl has no uri member (only aki and mftpath), and
 * crl_get() looks a CRL up by its issuer's struct auth; the sort-key
 * description may be stale -- confirm against crl.c.
 */
RB_HEAD(crl_tree, crl);

/*
 * An authentication tuple.
 * This specifies a public key and a subject key identifier used to
 * verify children nodes in the tree of entities.
 */
struct auth {
	RB_ENTRY(auth) entry;
	struct cert *cert; /* owner information */
	struct auth *issuer; /* pointer to issuer or NULL for TA cert */
	int any_inherits; /* cf. x509_any_inherits() */
	int depth; /* distance from the TA; cf. MAX_CERT_DEPTH */
};
/*
 * Tree of auth sorted by ski
 * NOTE(review): auth_find() takes an int key rather than an SKI string;
 * confirm which key the tree is actually sorted on.
 */
RB_HEAD(auth_tree, auth);

struct auth *auth_find(struct auth_tree *, int);
struct auth *auth_insert(const char *, struct auth_tree *, struct cert *,
    struct auth *);

/* Outcome of an HTTP transfer as reported by http_finish(). */
enum http_result {
	HTTP_FAILED, /* anything else */
	HTTP_OK, /* 200 OK */
	HTTP_NOT_MOD, /* 304 Not Modified */
};

/*
 * Message types for communication with RRDP process.
 */
enum rrdp_msg {
	RRDP_START,
	RRDP_SESSION,
	RRDP_FILE,
	RRDP_CLEAR,
	RRDP_END,
	RRDP_HTTP_REQ,
	RRDP_HTTP_INI,
	RRDP_HTTP_FIN,
	RRDP_ABORT,
};

/* Maximum number of delta files per RRDP notification file. */
#define MAX_RRDP_DELTAS 300

/*
 * RRDP session state, needed to pickup at the right spot on next run.
 * The deltas array is bounded by MAX_RRDP_DELTAS, so a notification file
 * can not make this structure grow without limit.
 */
struct rrdp_session {
	char *last_mod; /* HTTP Last-Modified of the notification file */
	char *session_id; /* RRDP session_id */
	long long serial; /* RRDP serial */
	char *deltas[MAX_RRDP_DELTAS]; /* delta file hashes or URIs, presumably -- confirm in rrdp.c */
};

/*
 * File types used in RRDP_FILE messages.
 */
enum publish_type {
	PUB_ADD,
	PUB_UPD,
	PUB_DEL,
};

/*
 * An entity (MFT, ROA, certificate, etc.) that needs to be downloaded
 * and parsed.
 */
struct entity {
	TAILQ_ENTRY(entity) entries;
	char *path; /* path relative to repository */
	char *file; /* filename or valid repo path */
	char *mftaki; /* expected AKI (taken from Manifest) */
	unsigned char *data; /* optional data blob */
	size_t datasz; /* length of optional data blob */
	unsigned int repoid; /* repository identifier */
	int talid; /* tal identifier */
	int certid;
	enum rtype type; /* type of entity (not RTYPE_EOF) */
	/* NOTE(review): RTYPE_EOF is not a member of enum rtype in this header. */
	enum location location; /* which directory the file lives in */
};
TAILQ_HEAD(entityq, entity);

/*
 * Statistics counter selectors, passed to repo_stat_inc() together with
 * the rtype the counter applies to.
 */
enum stype {
	STYPE_OK,
	STYPE_FAIL,
	STYPE_INVALID,
	STYPE_BGPSEC,
	STYPE_TOTAL,
	STYPE_UNIQUE,
	STYPE_DEC_UNIQUE,
	STYPE_PROVIDERS,
	STYPE_OVERFLOW,
	STYPE_SEQNUM_GAP,
};

struct repo;
struct filepath;
RB_HEAD(filepath_tree, filepath);


/*
 * Statistics collected during run-time.
 */
struct repotalstats {
	uint32_t certs; /* certificates */
	uint32_t certs_fail; /* invalid certificate */
	uint32_t mfts; /* total number of manifests */
	uint32_t mfts_gap; /* manifests with sequence gaps */
	uint32_t mfts_fail; /* failing syntactic parse */
	uint32_t roas; /* route origin authorizations */
	uint32_t roas_fail; /* failing syntactic parse */
	uint32_t roas_invalid; /* invalid resources */
	uint32_t aspas; /* ASPA objects */
	uint32_t aspas_fail; /* ASPA objects failing syntactic parse */
	uint32_t aspas_invalid; /* ASPAs with invalid customerASID */
	uint32_t brks; /* number of BGPsec Router Key (BRK) certs */
	uint32_t crls; /* revocation lists */
	uint32_t gbrs; /* ghostbuster records */
	uint32_t taks; /* signed TAL objects */
	uint32_t vaps; /* total number of Validated ASPA Payloads */
	uint32_t vaps_uniqs; /* total number of unique VAPs */
	uint32_t vaps_pas; /* total number of providers */
	uint32_t vaps_overflowed; /* VAPs with too many providers */
	uint32_t vrps; /* total number of Validated ROA Payloads */
	uint32_t vrps_uniqs; /* number of unique vrps */
	uint32_t spls; /* signed prefix list */
	uint32_t spls_fail; /* failing syntactic parse */
	uint32_t spls_invalid; /* invalid spls */
	uint32_t vsps; /* total number of Validated SPL Payloads */
	uint32_t vsps_uniqs; /* number of unique vsps */
};

/* Per-repository file-system statistics. */
struct repostats {
	uint32_t del_files; /* number of files removed in cleanup */
	uint32_t extra_files; /* number of superfluous files */
	uint32_t del_extra_files;/* number of removed extra files */
	uint32_t del_dirs; /* number of dirs removed in cleanup */
	uint32_t new_files; /* moved from DIR_TEMP to DIR_VALID */
	struct timespec sync_time; /* time to sync repo */
};

/* Global run statistics, written to the output header. */
struct stats {
	uint32_t tals; /* total number of locators */
	uint32_t repos; /* repositories */
	uint32_t rsync_repos; /* synced rsync repositories */
	uint32_t rsync_fails; /* failed rsync repositories */
	uint32_t http_repos; /* synced http repositories */
	uint32_t http_fails; /* failed http repositories */
	uint32_t rrdp_repos; /* synced rrdp repositories */
	uint32_t rrdp_fails; /* failed rrdp repositories */
	uint32_t skiplistentries; /* number of skiplist entries */

	struct repotalstats repo_tal_stats;
	struct repostats repo_stats;
	struct timespec elapsed_time;
	struct timespec user_time;
	struct timespec system_time;
};

struct ibuf;
struct msgbuf;

/* global variables */
extern int verbose;
extern int noop;
extern int filemode;
extern int excludeaspa;
extern int experimental;
/*
 * Per-TAL arrays; presumably indexed by TAL id and bounded by TALSZ_MAX
 * (defined at the end of this header) -- confirm in main.c.
 */
extern const char *tals[];
extern const char *taldescs[];
extern unsigned int talrepocnt[];
extern struct repotalstats talstats[];
extern int talsz;

/*
 * Routines for RPKI entities.
 * The *_parse() functions take the file name (presumably used only for
 * diagnostics -- confirm) and a DER buffer; the *_buffer()/*_read() pairs
 * serialise an object into / out of an ibuf for the sibling processes.
 */

void tal_buffer(struct ibuf *, const struct tal *);
void tal_free(struct tal *);
struct tal *tal_parse(const char *, char *, size_t);
struct tal *tal_read(struct ibuf *);

void cert_buffer(struct ibuf *, const struct cert *);
void cert_free(struct cert *);
void auth_tree_free(struct auth_tree *);
struct cert *cert_parse_ee_cert(const char *, int, X509 *);
struct cert *cert_parse_pre(const char *, const unsigned char *, size_t);
struct cert *cert_parse(const char *, struct cert *);
struct cert *ta_parse(const char *, struct cert *, const unsigned char *,
    size_t);
struct cert *cert_read(struct ibuf *);
void cert_insert_brks(struct brk_tree *, struct cert *);

enum rtype rtype_from_file_extension(const char *);
void mft_buffer(struct ibuf *, const struct mft *);
void mft_free(struct mft *);
struct mft *mft_parse(X509 **, const char *, int, const unsigned char *,
    size_t);
struct mft *mft_read(struct ibuf *);
int mft_compare_issued(const struct mft *, const struct mft *);
int mft_compare_seqnum(const struct mft *, const struct mft *);
int mft_seqnum_gap_present(const struct mft *, const struct mft *);

void roa_buffer(struct ibuf *, const struct roa *);
void roa_free(struct roa *);
struct roa *roa_parse(X509 **, const char *, int, const unsigned char *,
    size_t);
struct roa *roa_read(struct ibuf *);
void roa_insert_vrps(struct vrp_tree *, struct roa *,
    struct repo *);

void spl_buffer(struct ibuf *, const struct spl *);
void spl_free(struct spl *);
struct spl *spl_parse(X509 **, const char *, int, const unsigned char *,
    size_t);
struct spl *spl_read(struct ibuf *);
void spl_insert_vsps(struct vsp_tree *, struct spl *,
    struct repo *);

void gbr_free(struct gbr *);
struct gbr *gbr_parse(X509 **, const char *, int, const unsigned char *,
    size_t);

void geofeed_free(struct geofeed *);
/*
 * Unlike the other *_parse() functions, geofeed_parse() takes a writable
 * buffer (presumably because the CSV is parsed in place -- confirm).
 */
struct geofeed *geofeed_parse(X509 **, const char *, int, char *, size_t);

void rsc_free(struct rsc *);
struct rsc *rsc_parse(X509 **, const char *, int, const unsigned char *,
    size_t);

void takey_free(struct takey *);
void tak_free(struct tak *);
struct tak *tak_parse(X509 **, const char *, int, const unsigned char *,
    size_t);

void aspa_buffer(struct ibuf *, const struct aspa *);
void aspa_free(struct aspa *);
void aspa_insert_vaps(char *, struct vap_tree *, struct aspa *,
    struct repo *);
struct aspa *aspa_parse(X509 **, const char *, int, const unsigned char *,
    size_t);
struct aspa *aspa_read(struct ibuf *);

/* crl.c */
struct crl *crl_parse(const char *, const unsigned char *, size_t);
struct crl *crl_get(struct crl_tree *, const struct auth *);
int crl_insert(struct crl_tree *, struct crl *);
void crl_free(struct crl *);
void crl_tree_free(struct crl_tree *);

/*
 * Validation of our objects.
 * These operate on already-parsed, attacker-supplied repository content;
 * the valid_filename()/valid_uri()/valid_uuid() helpers are the input
 * sanitisers for names and locators coming out of manifests and
 * certificates.
 */

int valid_cert(const char *, struct auth *, const struct cert *);
int valid_roa(const char *, struct cert *, struct roa *);
int valid_filehash(int, const char *, size_t);
int valid_hash(unsigned char *, size_t, const char *, size_t);
int valid_filename(const char *, size_t);
int valid_uri(const char *, size_t, const char *);
int valid_origin(const char *, const char *);
int valid_x509(char *, X509_STORE_CTX *, X509 *, struct auth *,
    struct crl *, const char **);
int valid_rsc(const char *, struct cert *, struct rsc *);
int valid_econtent_version(const char *, const ASN1_INTEGER *,
    uint64_t);
int valid_aspa(const char *, struct cert *, struct aspa *);
int valid_geofeed(const char *, struct cert *, struct geofeed *);
int valid_uuid(const char *);
int valid_ca_pkey(const char *, EVP_PKEY *);
int valid_spl(const char *, struct cert *, struct spl *);

/*
 * Working with CMS.
 * cms_parse_validate() returns the eContent (length via the size_t *)
 * of a signed object whose content type matches the given OID and
 * hands back the embedded EE certificate through the X509 **; the
 * trailing time_t * presumably receives the CMS signing-time (the
 * "signtime" member of the object structures above -- confirm).
 * The _detached variant verifies content supplied through the BIO.
 */
unsigned char *cms_parse_validate(X509 **, const char *,
    const unsigned char *, size_t,
    const ASN1_OBJECT *, size_t *, time_t *);
int cms_parse_validate_detached(X509 **, const char *,
    const unsigned char *, size_t,
    const ASN1_OBJECT *, BIO *, time_t *);

/* Work with RFC 3779 IP addresses, prefixes, ranges. */

int ip_addr_afi_parse(const char *, const ASN1_OCTET_STRING *,
    enum afi *);
int ip_addr_parse(const ASN1_BIT_STRING *,
    enum afi, const char *, struct ip_addr *);
void ip_addr_print(const struct ip_addr *, enum afi, char *,
    size_t);
int ip_addr_check_overlap(const struct cert_ip *,
    const char *, const struct cert_ip *, size_t, int);
int ip_addr_check_covered(enum afi, const unsigned char *,
    const unsigned char *, const struct cert_ip *, size_t);
int ip_cert_compose_ranges(struct cert_ip *);
void ip_roa_compose_ranges(struct roa_ip *);
void ip_warn(const char *, const char *, const struct cert_ip *);

int sbgp_addr(const char *, struct cert_ip *, size_t *,
    enum afi, const ASN1_BIT_STRING *);
int sbgp_addr_range(const char *, struct cert_ip *, size_t *,
    enum afi, const IPAddressRange *);

int sbgp_parse_ipaddrblk(const char *, const IPAddrBlocks *,
    struct cert_ip **, size_t *);

/* Work with RFC 3779 AS numbers, ranges. */

int as_id_parse(const ASN1_INTEGER *, uint32_t *);
int as_check_overlap(const struct cert_as *, const char *,
    const struct cert_as *, size_t, int);
int as_check_covered(uint32_t, uint32_t,
    const struct cert_as *, size_t);
void as_warn(const char *, const char *, const struct cert_as *);

int sbgp_as_id(const char *, struct cert_as *, size_t *,
    const ASN1_INTEGER *);
int sbgp_as_range(const char *, struct cert_as *, size_t *,
    const ASRange *);

int sbgp_parse_assysnum(const char *, const ASIdentifiers *,
    struct cert_as **, size_t *);

/* Constraints-specific */
void constraints_load(void);
void constraints_unload(void);
void constraints_parse(void);
int constraints_validate(const char *, const struct cert *);

/* Parser-specific */
void entity_free(struct entity *);
void entity_read_req(struct ibuf *, struct entity *);
void entityq_flush(struct entityq *, struct repo *);
void proc_parser(int) __attribute__((noreturn));
void proc_filemode(int) __attribute__((noreturn));

/* Rsync-specific. */

char *rsync_base_uri(const char *);
void proc_rsync(char *, char *, int) __attribute__((noreturn));

/* HTTP and RRDP processes. */

void proc_http(char *, int) __attribute__((noreturn));
void proc_rrdp(int) __attribute__((noreturn));

/* Repository handling */
int filepath_add(struct filepath_tree *, char *, int, time_t, int);
int filepath_valid(struct filepath_tree *, char *, int);
void rrdp_clear(unsigned int);
void rrdp_session_save(unsigned int, struct rrdp_session *);
void rrdp_session_free(struct rrdp_session *);
void rrdp_session_buffer(struct ibuf *,
    const struct rrdp_session *);
struct rrdp_session *rrdp_session_read(struct ibuf *);
int rrdp_handle_file(unsigned int, enum publish_type, char *,
    char *, size_t, char *, size_t);
char *repo_basedir(const struct repo *, int);
unsigned int repo_id(const struct repo *);
const char *repo_uri(const struct repo *);
void repo_fetch_uris(const struct repo *, const char **,
    const char **);
int repo_synced(const struct repo *);
const char *repo_proto(const struct repo *);
int repo_talid(const struct repo *);
struct repo *ta_lookup(int, struct tal *);
struct repo *repo_lookup(int, const char *, const char *);
struct repo *repo_byid(unsigned int);
int repo_queued(struct repo *, struct entity *);
void repo_cleanup(struct filepath_tree *, int);
int repo_check_timeout(int);
void repostats_new_files_inc(struct repo *, const char *);
void repo_stat_inc(struct repo *, int, enum rtype, enum stype);
void repo_tal_stats_collect(void (*)(const struct repo *,
    const struct repotalstats *, void *), int, void *);
void repo_stats_collect(void (*)(const struct repo *,
    const struct repostats *, void *), void *);
void repo_free(void);

/* Completion callbacks, keyed by the repository id (unsigned int). */
void rsync_finish(unsigned int, int);
void http_finish(unsigned int, enum http_result, const char *);
void rrdp_finish(unsigned int, int);

void rsync_fetch(unsigned int, const char *, const char *,
    const char *);
void rsync_abort(unsigned int);
void http_fetch(unsigned int, const char *, const char *, int);
void rrdp_fetch(unsigned int, const char *, const char *,
    struct rrdp_session *);
void rrdp_abort(unsigned int);
void rrdp_http_done(unsigned int, enum http_result, const char *);

/*
 * Encoding functions for hex and base64.
 * The *_len() helpers compute the output size first so callers can
 * allocate before decoding/encoding; they return non-zero on overflow
 * or bad input, presumably -- confirm in encoding.c.
 */

unsigned char *load_file(const char *, size_t *);
int base64_decode_len(size_t, size_t *);
int base64_decode(const unsigned char *, size_t,
    unsigned char **, size_t *);
int base64_encode_len(size_t, size_t *);
int base64_encode(const unsigned char *, size_t, char **);
char *hex_encode(const unsigned char *, size_t);
int hex_decode(const char *, char *, size_t);


/*
 * Functions for moving data between processes.
 * The io_read_*() functions consume ibufs received from a sibling
 * process; io_read_buf_alloc() allocates the output buffer itself.
 */

struct ibuf *io_new_buffer(void);
void io_simple_buffer(struct ibuf *, const void *, size_t);
void io_buf_buffer(struct ibuf *, const void *, size_t);
void io_str_buffer(struct ibuf *, const char *);
void io_close_buffer(struct msgbuf *, struct ibuf *);
void io_read_buf(struct ibuf *, void *, size_t);
void io_read_str(struct ibuf *, char **);
void io_read_buf_alloc(struct ibuf *, void **, size_t *);
struct ibuf *io_buf_read(int, struct ibuf **);
struct ibuf *io_buf_recvfd(int, struct ibuf **);

/*
 * X509 helpers.
 * The x509_get_*() accessors take the file name for diagnostics and
 * return the extracted value through the trailing out-parameter; the
 * int-returning ones signal success/failure.
 */

void x509_init_oid(void);
int x509_cache_extensions(X509 *, const char *);
int x509_get_aia(X509 *, const char *, char **);
int x509_get_aki(X509 *, const char *, char **);
int x509_get_sia(X509 *, const char *, char **);
int x509_get_ski(X509 *, const char *, char **);
int x509_get_notbefore(X509 *, const char *, time_t *);
int x509_get_notafter(X509 *, const char *, time_t *);
int x509_get_crl(X509 *, const char *, char **);
char *x509_get_pubkey(X509 *, const char *);
char *x509_pubkey_get_ski(X509_PUBKEY *, const char *);
enum cert_purpose x509_get_purpose(X509 *, const char *);
int x509_get_time(const ASN1_TIME *, time_t *);
char *x509_convert_seqnum(const char *, const char *,
    const ASN1_INTEGER *);
int x509_valid_seqnum(const char *, const char *,
    const ASN1_INTEGER *);
int x509_location(const char *, const char *, GENERAL_NAME *,
    char **);
int x509_inherits(X509 *);
int x509_any_inherits(X509 *);
int x509_valid_name(const char *, const char *, const X509_NAME *);
time_t x509_find_expires(time_t, struct auth *, struct crl_tree *);

/* printers */
char *nid2str(int);
const char *purpose2str(enum cert_purpose);
char *time2str(time_t);
void x509_print(const X509 *);
void tal_print(const struct tal *);
void cert_print(const struct cert *);
void crl_print(const struct crl *);
void mft_print(const X509 *, const struct mft *);
void roa_print(const X509 *, const struct roa *);
void gbr_print(const X509 *, const struct gbr *);
void rsc_print(const X509 *, const struct rsc *);
void aspa_print(const X509 *, const struct aspa *);
void tak_print(const X509 *, const struct tak *);
void geofeed_print(const X509 *, const struct geofeed *);
void spl_print(const X509 *, const struct spl *);

/* Missing RFC 3779 API */
IPAddrBlocks *IPAddrBlocks_new(void);
void IPAddrBlocks_free(IPAddrBlocks *);

/* Output! */

/* Set of FORMAT_* flags selecting the output files to write. */
extern int outformats;
#define FORMAT_OPENBGPD 0x01
#define FORMAT_BIRD 0x02
#define FORMAT_CSV 0x04
#define FORMAT_JSON 0x08
#define FORMAT_OMETRIC 0x10

int outputfiles(struct vrp_tree *v, struct brk_tree *b,
    struct vap_tree *, struct vsp_tree *, struct stats *);
int outputheader(FILE *, struct stats *);
int output_bgpd(FILE *, struct vrp_tree *, struct brk_tree *,
    struct vap_tree *, struct vsp_tree *, struct stats *);
int output_bird1v4(FILE *, struct vrp_tree *, struct brk_tree *,
    struct vap_tree *, struct vsp_tree *, struct stats *);
int output_bird1v6(FILE *, struct vrp_tree *, struct brk_tree *,
    struct vap_tree *, struct vsp_tree *, struct stats *);
int output_bird2(FILE *, struct vrp_tree *, struct brk_tree *,
    struct vap_tree *, struct vsp_tree *, struct stats *);
int output_csv(FILE *, struct vrp_tree *, struct brk_tree *,
    struct vap_tree *, struct vsp_tree *, struct stats *);
int output_json(FILE *, struct vrp_tree *, struct brk_tree *,
    struct vap_tree *, struct vsp_tree *, struct stats *);
int output_ometric(FILE *, struct vrp_tree *, struct brk_tree *,
    struct vap_tree *, struct vsp_tree *, struct stats *);

/* printf-style logger; the format attribute lets the compiler type-check callers. */
void logx(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));
time_t getmonotime(void);
time_t get_current_time(void);

int mkpath(const char *);
int mkpathat(int, const char *);

#define RPKI_PATH_OUT_DIR "/var/db/rpki-client"
#define RPKI_PATH_BASE_DIR "/var/cache/rpki-client"

#define DEFAULT_SKIPLIST_FILE "/etc/rpki/skiplist"

/* Interval in which random reinitialization to an RRDP snapshot happens. */
#define RRDP_RANDOM_REINIT_MAX 12 /* weeks */

/* Maximum number of TAL files we'll load. */
#define TALSZ_MAX 8
#define CERTID_MAX 1000000

/*
 * Resource limits on repository-supplied content.
 * Everything below caps how much a (possibly hostile) repository can make
 * the parser allocate or iterate; the enforcement itself lives in the
 * parsers, not in this header.
 */

/*
 * Maximum number of elements in the sbgp-ipAddrBlock (IP) and
 * sbgp-autonomousSysNum (AS) X.509v3 extension of CA/EE certificates.
 */
#define MAX_IP_SIZE 200000
#define MAX_AS_SIZE 200000

/* Maximum acceptable URI length */
#define MAX_URI_LENGTH 2048

/* Min/Max acceptable file size */
#define MIN_FILE_SIZE 100
#define MAX_FILE_SIZE 8000000

/* Maximum number of FileNameAndHash entries per RSC checklist. */
#define MAX_CHECKLIST_ENTRIES 100000

/* Maximum number of FileAndHash entries per manifest. */
#define MAX_MANIFEST_ENTRIES 100000

/* Maximum number of Providers per ASPA object. */
#define MAX_ASPA_PROVIDERS 10000

/* Maximum depth of the RPKI tree. */
#define MAX_CERT_DEPTH 12

/* Maximum number of concurrent http and rsync requests. */
#define MAX_HTTP_REQUESTS 64
#define MAX_RSYNC_REQUESTS 16

/* How many seconds to wait for a connection to succeed. */
#define MAX_CONN_TIMEOUT 15

/* How many seconds to wait for IO from a remote server. */
#define MAX_IO_TIMEOUT 30

/* Maximum number of delegated hosting locations (repositories) for each TAL. */
#define MAX_REPO_PER_TAL 1000

/* URI scheme prefixes; the _LEN forms exclude the terminating NUL. */
#define HTTP_PROTO "http://"
#define HTTP_PROTO_LEN (sizeof(HTTP_PROTO) - 1)
#define HTTPS_PROTO "https://"
#define HTTPS_PROTO_LEN (sizeof(HTTPS_PROTO) - 1)
#define RSYNC_PROTO "rsync://"
#define RSYNC_PROTO_LEN (sizeof(RSYNC_PROTO) - 1)

#endif /* ! EXTERN_H */