/*	$OpenBSD: extern.h,v 1.32 2020/07/28 07:35:04 claudio Exp $ */
/*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#ifndef EXTERN_H
#define EXTERN_H

/*
 * Shared declarations for rpki-client: the parsed RPKI object model
 * (TAL, certificate, manifest, ROA, CRL, VRP) and the prototypes of the
 * routines that parse, validate, serialise and output those objects.
 *
 * NOTE(review): this header is deliberately not self-contained.  It uses
 * uint32_t/size_t, FILE, SHA256_DIGEST_LENGTH and the OpenSSL types X509,
 * X509_CRL, X509_EXTENSION, ASN1_OCTET_STRING, ASN1_BIT_STRING and
 * ASN1_INTEGER without including their headers, so the including .c file
 * must pull in <stdint.h>, <stdio.h> and the relevant <openssl/*.h>
 * headers first.
 */
#include <sys/tree.h>
#include <sys/time.h>

/*
 * How an AS resource is specified in a certificate (RFC 3779, 3.2.3).
 */
enum cert_as_type {
	CERT_AS_ID, /* single identifier */
	CERT_AS_INHERIT, /* inherit from parent */
	CERT_AS_RANGE, /* range of identifiers */
};

/*
 * An AS identifier range.
 * The maximum AS identifier is an unsigned 32 bit integer (RFC 6793).
 */
struct cert_as_range {
	uint32_t min; /* minimum non-zero */
	uint32_t max; /* maximum */
};

/*
 * An autonomous system (AS) object.
 * AS identifiers are unsigned 32 bit integers (RFC 6793).
 * Which union member is meaningful is selected by "type"; for
 * CERT_AS_INHERIT neither member carries data.
 */
struct cert_as {
	enum cert_as_type type; /* type of AS specification */
	union {
		uint32_t id; /* singular identifier (CERT_AS_ID) */
		struct cert_as_range range; /* range (CERT_AS_RANGE) */
	};
};

/*
 * AFI values are assigned by IANA.
 * In rpki-client, we only accept the IPV4 and IPV6 AFI values.
 */
enum afi {
	AFI_IPV4 = 1,
	AFI_IPV6 = 2
};

/*
 * An IP address as parsed from RFC 3779, section 2.2.3.8.
 * This is either in a certificate or an ROA.
 * It may either be IPv4 or IPv6; the AFI is carried by the enclosing
 * structure, not here.
 */
struct ip_addr {
	unsigned char addr[16]; /* binary address prefix */
	unsigned char prefixlen; /* number of valid bits in address */
};

/*
 * An IP address (IPv4 or IPv6) range starting at the minimum and making
 * its way to the maximum.
 */
struct ip_addr_range {
	struct ip_addr min; /* minimum ip */
	struct ip_addr max; /* maximum ip */
};

/*
 * How an IP resource is specified in a certificate (RFC 3779, 2.2.3).
 */
enum cert_ip_type {
	CERT_IP_ADDR, /* IP address range w/shared prefix */
	CERT_IP_INHERIT, /* inherited IP address */
	CERT_IP_RANGE /* range of IP addresses */
};

/*
 * A single IP address family (AFI, address or range) as defined in RFC
 * 3779, 2.2.3.2.
 * The RFC specifies multiple address or ranges per AFI; this structure
 * encodes both the AFI and a single address or range.
 * Which union member is meaningful is selected by "type".
 */
struct cert_ip {
	enum afi afi; /* AFI value */
	enum cert_ip_type type; /* type of IP entry */
	/*
	 * Expanded [min, max] bounds of the entry as full 128-bit values.
	 * NOTE(review): presumably filled in by ip_cert_compose_ranges()
	 * from the union below -- confirm in ip.c.
	 */
	unsigned char min[16]; /* full range minimum */
	unsigned char max[16]; /* full range maximum */
	union {
		struct ip_addr ip; /* singular address (CERT_IP_ADDR) */
		struct ip_addr_range range; /* range (CERT_IP_RANGE) */
	};
};

/*
 * Parsed components of a validated X509 certificate stipulated by RFC
 * 6487 and further (within) by RFC 3779.
 * All AS numbers are guaranteed to be non-overlapping and properly
 * inheriting.
 * Ownership: the arrays and strings below are released by cert_free().
 */
struct cert {
	struct cert_ip *ips; /* list of IP address ranges */
	size_t ipsz; /* length of "ips" */
	struct cert_as *as; /* list of AS numbers and ranges */
	size_t asz; /* length of "as" */
	char *mft; /* manifest (rsync:// uri) */
	char *notify; /* RRDP notify (https:// uri) */
	char *crl; /* CRL location (rsync:// or NULL) */
	char *aki; /* AKI (or NULL, for trust anchor) */
	char *ski; /* SKI */
	int valid; /* validated resources */
	X509 *x509; /* the cert */
};

/*
 * The TAL file conforms to RFC 7730.
 * It is the top-level structure of RPKI and defines where we can find
 * certificates for TAs (trust anchors).
 * It also includes the public key for verifying those trust anchor
 * certificates.
 * Ownership: released by tal_free().
 */
struct tal {
	char **uri; /* well-formed rsync URIs */
	size_t urisz; /* number of URIs */
	unsigned char *pkey; /* DER-encoded public key */
	size_t pkeysz; /* length of pkey */
	char *descr; /* basename of tal file */
};

/*
 * Files specified in an MFT have their bodies hashed with SHA256.
 * The hash is what mft_check() compares against the on-disk file.
 */
struct mftfile {
	char *file; /* filename (CER/ROA/CRL, no path) */
	unsigned char hash[SHA256_DIGEST_LENGTH]; /* sha256 of body */
};

/*
 * A manifest, RFC 6486.
 * This consists of a bunch of files found in the same directory as the
 * manifest file.
 * Ownership: released by mft_free().
 */
struct mft {
	char *file; /* full path of MFT file */
	struct mftfile *files; /* file and hash */
	size_t filesz; /* number of filenames */
	int stale; /* if a stale manifest */
	char *ski; /* SKI */
	char *aki; /* AKI */
};

/*
 * An IP address prefix for a given ROA.
 * This encodes the maximum length, AFI (v6/v4), and address.
 * FIXME: are the min/max necessary or just used in one place?
 */
struct roa_ip {
	enum afi afi; /* AFI value */
	size_t maxlength; /* max length or zero */
	/* expanded bounds; NOTE(review): presumably set by ip_roa_compose_ranges() */
	unsigned char min[16]; /* full range minimum */
	unsigned char max[16]; /* full range maximum */
	struct ip_addr addr; /* the address prefix itself */
};

/*
 * An ROA, RFC 6482.
 * This consists of the concerned ASID and its IP prefixes.
 * Ownership: released by roa_free().
 */
struct roa {
	uint32_t asid; /* asID of ROA (if 0, RFC 6483 sec 4) */
	struct roa_ip *ips; /* IP prefixes */
	size_t ipsz; /* number of IP prefixes */
	int valid; /* validated resources */
	char *ski; /* SKI */
	char *aki; /* AKI */
	char *tal; /* basename of TAL for this cert */
};

/*
 * A single VRP element (including ASID).
 * These are the output records; they are produced from validated ROAs
 * by roa_insert_vrps() and consumed by the output_*() routines.
 */
struct vrp {
	RB_ENTRY(vrp) entry; /* tree linkage */
	struct ip_addr addr; /* the prefix */
	uint32_t asid; /* authorised origin AS */
	char *tal; /* basename of TAL for this cert */
	enum afi afi; /* AFI of "addr" */
	unsigned char maxlength; /* prefix maxLength (cf. roa_ip.maxlength) */
};
/*
 * Tree of VRP sorted by afi, addr, maxlength and asid
 */
RB_HEAD(vrp_tree, vrp);
RB_PROTOTYPE(vrp_tree, vrp, entry, vrpcmp);

/*
 * A single CRL.
 * Ownership: released by free_crl().
 */
struct crl {
	RB_ENTRY(crl) entry; /* tree linkage */
	char *aki; /* AKI of the issuing certificate */
	X509_CRL *x509_crl; /* the parsed CRL */
};
/*
 * Tree of CRLs, ordered by crlcmp().
 * NOTE(review): the original comment said "sorted by uri", but struct crl
 * has no URI member -- the key is presumably "aki"; confirm in crl.c.
 */
RB_HEAD(crl_tree, crl);
RB_PROTOTYPE(crl_tree, crl, entry, crlcmp);

/*
 * An authentication tuple.
 * This specifies a public key and a subject key identifier used to
 * verify children nodes in the tree of entities.
 */
struct auth {
	RB_ENTRY(auth) entry; /* tree linkage */
	struct cert *cert; /* owner information */
	struct auth *parent; /* pointer to parent or NULL for TA cert */
	char *tal; /* basename of TAL for this cert */
	char *fn; /* FIXME: debugging */
};
/*
 * Tree of auth sorted by ski
 */
RB_HEAD(auth_tree, auth);
RB_PROTOTYPE(auth_tree, auth, entry, authcmp);

/* Look up the auth entry for an SKI; NULL when not present (presumably). */
struct auth *auth_find(struct auth_tree *, const char *);

/*
 * Resource types specified by the RPKI profiles.
 * There are others (e.g., gbr) that we don't consider.
 */
enum rtype {
	RTYPE_EOF = 0, /* end-of-stream marker, not a real object type */
	RTYPE_TAL,
	RTYPE_MFT,
	RTYPE_ROA,
	RTYPE_CER,
	RTYPE_CRL
};

/*
 * Statistics collected during run-time.
 * The *_fail counters are syntactic parse failures; the *_invalid
 * counters are well-formed objects whose resources failed validation.
 */
struct stats {
	size_t tals; /* total number of locators */
	size_t mfts; /* total number of manifests */
	size_t mfts_fail; /* failing syntactic parse */
	size_t mfts_stale; /* stale manifests */
	size_t certs; /* certificates */
	size_t certs_fail; /* failing syntactic parse */
	size_t certs_invalid; /* invalid resources */
	size_t roas; /* route origin authorizations */
	size_t roas_fail; /* failing syntactic parse */
	size_t roas_invalid; /* invalid resources */
	size_t repos; /* repositories */
	size_t crls; /* revocation lists */
	size_t vrps; /* total number of vrps */
	size_t uniqs; /* number of unique vrps */
	size_t del_files; /* number of files removed in cleanup */
	char *talnames; /* NOTE(review): presumably the TAL names for output headers -- confirm */
	struct timeval elapsed_time; /* wall-clock run time */
	struct timeval user_time; /* user CPU time */
	struct timeval system_time; /* system CPU time */
};

/* global variables */
extern int verbose;

/*
 * Routines for RPKI entities.
 *
 * Each entity follows the same pattern: *_parse() builds the object from
 * a file (the "const char *" is the filename used in diagnostics),
 * *_buffer() appends a serialised copy to a growable buffer
 * (buf, size, capacity -- see io_simple_buffer()), *_read() rebuilds the
 * object from a descriptor on the receiving side, and *_free() releases
 * it.  Objects returned by *_parse()/*_read() are owned by the caller.
 */

void tal_buffer(char **, size_t *, size_t *, const struct tal *);
void tal_free(struct tal *);
struct tal *tal_parse(const char *, char *);
char *tal_read_file(const char *);
struct tal *tal_read(int);

void cert_buffer(char **, size_t *, size_t *, const struct cert *);
void cert_free(struct cert *);
struct cert *cert_parse(X509 **, const char *, const unsigned char *);
/* Trust-anchor variant: also takes the TAL public key (DER) and its length. */
struct cert *ta_parse(X509 **, const char *, const unsigned char *, size_t);
struct cert *cert_read(int);

void mft_buffer(char **, size_t *, size_t *, const struct mft *);
void mft_free(struct mft *);
struct mft *mft_parse(X509 **, const char *);
/* Verify the listed files' SHA256 hashes against disk; non-zero on success (presumably). */
int mft_check(const char *, struct mft *);
struct mft *mft_read(int);

void roa_buffer(char **, size_t *, size_t *, const struct roa *);
void roa_free(struct roa *);
struct roa *roa_parse(X509 **, const char *, const unsigned char *);
struct roa *roa_read(int);
/* Insert the ROA's prefixes into the VRP tree, updating the two counters. */
void roa_insert_vrps(struct vrp_tree *, struct roa *, size_t *, size_t *);

/* crl.c */
X509_CRL *crl_parse(const char *, const unsigned char *);
void free_crl(struct crl *);

/*
 * Validation of our objects.
 * These check an object's SKI/AKI chain against the auth tree and, for
 * certificates and ROAs, that its resources are covered by the issuer.
 */

struct auth *valid_ski_aki(const char *, struct auth_tree *,
    const char *, const char *);
int valid_ta(const char *, struct auth_tree *,
    const struct cert *);
int valid_cert(const char *, struct auth_tree *,
    const struct cert *);
int valid_roa(const char *, struct auth_tree *, struct roa *);

/*
 * Working with CMS files.
 * NOTE(review): returns the CMS payload (length via the size_t *) after
 * signature validation, and hands back the embedded signer certificate
 * through the X509 ** -- confirm against cms.c.
 */

unsigned char *cms_parse_validate(X509 **, const char *,
    const char *, const unsigned char *, size_t *);

/* Work with RFC 3779 IP addresses, prefixes, ranges. */

int ip_addr_afi_parse(const char *, const ASN1_OCTET_STRING *,
    enum afi *);
int ip_addr_parse(const ASN1_BIT_STRING *,
    enum afi, const char *, struct ip_addr *);
/* Format an address as text into the caller's buffer of the given size. */
void ip_addr_print(const struct ip_addr *, enum afi, char *,
    size_t);
void ip_addr_buffer(char **, size_t *, size_t *,
    const struct ip_addr *);
void ip_addr_range_buffer(char **, size_t *, size_t *,
    const struct ip_addr_range *);
void ip_addr_read(int, struct ip_addr *);
void ip_addr_range_read(int, struct ip_addr_range *);
int ip_addr_cmp(const struct ip_addr *, const struct ip_addr *);
/* Overlap/coverage checks over an array of "size_t" cert_ip entries. */
int ip_addr_check_overlap(const struct cert_ip *,
    const char *, const struct cert_ip *, size_t);
int ip_addr_check_covered(enum afi, const unsigned char *,
    const unsigned char *, const struct cert_ip *, size_t);
int ip_cert_compose_ranges(struct cert_ip *);
void ip_roa_compose_ranges(struct roa_ip *);

/* Work with RFC 3779 AS numbers, ranges. */

int as_id_parse(const ASN1_INTEGER *, uint32_t *);
/* Overlap/coverage checks over an array of "size_t" cert_as entries. */
int as_check_overlap(const struct cert_as *, const char *,
    const struct cert_as *, size_t);
int as_check_covered(uint32_t, uint32_t,
    const struct cert_as *, size_t);

/* Rsync-specific. */

int rsync_uri_parse(const char **, size_t *,
    const char **, size_t *, const char **, size_t *,
    enum rtype *, const char *);

/*
 * Logging (though really used for OpenSSL errors).
 * Both take a printf-style format; cryptoerrx() does not return.
 */

void cryptowarnx(const char *, ...)
    __attribute__((format(printf, 1, 2)));
void cryptoerrx(const char *, ...)
    __attribute__((format(printf, 1, 2)))
    __attribute__((noreturn));

/*
 * Functions for moving data between processes.
 * The *_buffer() forms append to a growable (buf, size, capacity) buffer;
 * the *_read()/*_write() forms operate directly on a descriptor.
 * NOTE(review): all of these return void, so an I/O error or short
 * read/write cannot be reported to the caller -- they must handle it
 * internally (presumably by exiting); confirm in io.c.
 */

void io_socket_blocking(int);
void io_socket_nonblocking(int);
void io_simple_buffer(char **, size_t *, size_t *, const void *,
    size_t);
void io_simple_read(int, void *, size_t);
void io_simple_write(int, const void *, size_t);
void io_buf_buffer(char **, size_t *, size_t *, const void *,
    size_t);
/* Reads a length-prefixed buffer; allocates the result, caller frees. */
void io_buf_read_alloc(int, void **, size_t *);
void io_buf_write(int, const void *, size_t);
void io_str_buffer(char **, size_t *, size_t *, const char *);
/* Reads a string; allocates the result, caller frees. */
void io_str_read(int, char **);
void io_str_write(int, const char *);

/*
 * X509 helpers.
 * The returned strings are allocated; the caller owns and frees them.
 */

char *x509_get_aki_ext(X509_EXTENSION *, const char *);
char *x509_get_ski_ext(X509_EXTENSION *, const char *);
int x509_get_ski_aki(X509 *, const char *, char **, char **);
char *x509_get_crl(X509 *, const char *);
char *x509_crl_get_aki(X509_CRL *);

/* Output! */

/* Bit mask of the output formats requested on the command line. */
extern int outformats;
#define FORMAT_OPENBGPD 0x01
#define FORMAT_BIRD 0x02
#define FORMAT_CSV 0x04
#define FORMAT_JSON 0x08
extern char* outputdir;

/* Write every selected format into outputdir; the others each emit one format to the given stream. */
int outputfiles(struct vrp_tree *v, struct stats *);
int outputheader(FILE *, struct stats *);
int output_bgpd(FILE *, struct vrp_tree *, struct stats *);
int output_bird1v4(FILE *, struct vrp_tree *, struct stats *);
int output_bird1v6(FILE *, struct vrp_tree *, struct stats *);
int output_bird2(FILE *, struct vrp_tree *, struct stats *);
int output_csv(FILE *, struct vrp_tree *, struct stats *);
int output_json(FILE *, struct vrp_tree *, struct stats *);

/* printf-style diagnostic logging. */
void logx(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));

/* Default output and cache directories. */
#define RPKI_PATH_OUT_DIR "/var/db/rpki-client"
#define RPKI_PATH_BASE_DIR "/var/cache/rpki-client"

#endif /* ! EXTERN_H */