1 /*	$OpenBSD: extern.h,v 1.63 2021/04/14 18:05:47 benno Exp $ */
2 /*
3  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 #ifndef EXTERN_H
18 #define EXTERN_H
19 
20 #include <sys/queue.h>
21 #include <sys/tree.h>
22 #include <sys/time.h>
23 
24 #include <openssl/x509.h>
25 
/*
 * How an AS entry in a certificate is specified (RFC 3779 section 3).
 * The tag selects which member of the union in struct cert_as is live.
 */
enum cert_as_type {
	CERT_AS_ID, /* single identifier (cert_as.id) */
	CERT_AS_INHERIT, /* inherit from parent (no union member used) */
	CERT_AS_RANGE, /* range of identifiers (cert_as.range) */
};
31 
/*
 * An AS identifier range, inclusive at both ends.
 * The maximum AS identifier is an unsigned 32 bit integer (RFC 6793).
 */
struct cert_as_range {
	uint32_t	 min; /* minimum, non-zero */
	uint32_t	 max; /* maximum (>= min, presumably enforced at parse time) */
};
40 
/*
 * An autonomous system (AS) object.
 * AS identifiers are unsigned 32 bit integers (RFC 6793).
 * Readers must check "type" before touching the anonymous union:
 * only one member is meaningful for a given entry.
 */
struct cert_as {
	enum cert_as_type type; /* type of AS specification */
	union {
		uint32_t id; /* singular identifier (CERT_AS_ID) */
		struct cert_as_range range; /* range (CERT_AS_RANGE) */
	};
};
52 
/*
 * AFI values are assigned by IANA.
 * In rpki-client, we only accept the IPV4 and IPV6 AFI values;
 * the numeric values match the IANA address-family registry.
 */
enum afi {
	AFI_IPV4 = 1,
	AFI_IPV6 = 2
};
61 
/*
 * An IP address as parsed from RFC 3779, section 2.2.3.8.
 * This is either in a certificate or an ROA.
 * It may either be IPv4 or IPv6; the family is not stored here but
 * carried alongside (see enum afi in struct cert_ip / struct roa_ip).
 */
struct ip_addr {
	unsigned char	 addr[16]; /* binary address prefix; 16 bytes is enough for either family */
	unsigned char	 prefixlen; /* number of valid bits in addr (at most 128 given the 16-byte buffer; presumably 32 for IPv4, checked by ip_addr_parse) */
};
71 
/*
 * An IP address (IPv4 or IPv6) range starting at the minimum and making
 * its way to the maximum. Both endpoints belong to the same family.
 */
struct ip_addr_range {
	struct ip_addr min; /* minimum ip (inclusive) */
	struct ip_addr max; /* maximum ip (inclusive) */
};
80 
/*
 * How an IP entry in a certificate is specified (RFC 3779 section 2).
 * The tag selects which member of the union in struct cert_ip is live.
 */
enum cert_ip_type {
	CERT_IP_ADDR, /* IP address range w/shared prefix (cert_ip.ip) */
	CERT_IP_INHERIT, /* inherited IP address (no union member used) */
	CERT_IP_RANGE /* range of IP addresses (cert_ip.range) */
};
86 
/*
 * A single IP address family (AFI, address or range) as defined in RFC
 * 3779, 2.2.3.2.
 * The RFC specifies multiple address or ranges per AFI; this structure
 * encodes both the AFI and a single address or range.
 * "min"/"max" hold the entry expanded to its full numeric bounds so
 * that overlap/coverage checks can compare entries uniformly
 * (presumably filled in by ip_cert_compose_ranges).
 */
struct cert_ip {
	enum afi		afi; /* AFI value */
	enum cert_ip_type	type; /* type of IP entry */
	unsigned char		min[16]; /* full range minimum */
	unsigned char		max[16]; /* full range maximum */
	union {
		struct ip_addr ip; /* singular address (CERT_IP_ADDR) */
		struct ip_addr_range range; /* range (CERT_IP_RANGE) */
	};
};
103 
/*
 * Parsed components of a validated X509 certificate stipulated by RFC
 * 6487 and further (within) by RFC 3779.
 * All AS numbers are guaranteed to be non-overlapping and properly
 * inheriting.
 * The string members are heap-allocated; cert_free() is expected to
 * release them together with the X509 object (verify in cert.c).
 */
struct cert {
	struct cert_ip	*ips; /* list of IP address ranges */
	size_t		 ipsz; /* length of "ips" */
	struct cert_as	*as; /* list of AS numbers and ranges */
	size_t		 asz; /* length of "as" */
	char		*repo; /* CA repository (rsync:// uri) */
	char		*mft; /* manifest (rsync:// uri) */
	char		*notify; /* RRDP notify (https:// uri) */
	char		*crl; /* CRL location (rsync:// or NULL) */
	char		*aia; /* AIA (or NULL, for trust anchor) */
	char		*aki; /* AKI (or NULL, for trust anchor) */
	char		*ski; /* SKI */
	int		 valid; /* validated resources (set by valid_cert/valid_ta, presumably) */
	X509		*x509; /* the cert */
};
125 
/*
 * The TAL file conforms to RFC 7730.
 * It is the top-level structure of RPKI and defines where we can find
 * certificates for TAs (trust anchors).
 * It also includes the public key for verifying those trust anchor
 * certificates; the TA certificate fetched from "uri" is only trusted
 * if it matches this key (see ta_parse, which takes the DER key).
 */
struct tal {
	char		**uri; /* well-formed rsync URIs */
	size_t		 urisz; /* number of URIs */
	unsigned char	*pkey; /* DER-encoded public key (subjectPublicKeyInfo) */
	size_t		 pkeysz; /* length of pkey */
	char		*descr; /* basename of tal file */
};
140 
/*
 * Files specified in an MFT have their bodies hashed with SHA256.
 * The manifest is the only authority for which files in a
 * repository directory are current, so the hash here is what
 * valid_filehash() is expected to compare against.
 */
struct mftfile {
	char		*file; /* filename (CER/ROA/CRL, no path) — NOTE(review): confirm mft_parse rejects names containing '/' */
	unsigned char	 hash[SHA256_DIGEST_LENGTH]; /* sha256 of body, raw digest bytes (not hex) */
};
148 
/*
 * A manifest, RFC 6486.
 * This consists of a bunch of files found in the same directory as the
 * manifest file.
 */
struct mft {
	char		*file; /* full path of MFT file */
	struct mftfile	*files; /* file and hash */
	size_t		 filesz; /* number of filenames */
	int		 stale; /* if a stale manifest (non-zero when stale; presumably nextUpdate has passed) */
	char		*seqnum; /* manifestNumber, as a string */
	char		*aia; /* AIA */
	char		*aki; /* AKI */
	char		*ski; /* SKI */
};
164 
/*
 * An IP address prefix for a given ROA.
 * This encodes the maximum length, AFI (v6/v4), and address.
 * "min"/"max" are the prefix expanded to numeric bounds (presumably
 * filled in by ip_roa_compose_ranges) for coverage checks.
 * FIXME: are the min/max necessary or just used in one place?
 */
struct roa_ip {
	enum afi	 afi; /* AFI value */
	size_t		 maxlength; /* max length or zero (zero: maxLength absent) */
	unsigned char	 min[16]; /* full range minimum */
	unsigned char	 max[16]; /* full range maximum */
	struct ip_addr	 addr; /* the address prefix itself */
};
177 
/*
 * An ROA, RFC 6482.
 * This consists of the concerned ASID and its IP prefixes.
 */
struct roa {
	uint32_t	 asid; /* asID of ROA (if 0, RFC 6483 sec 4) */
	struct roa_ip	*ips; /* IP prefixes */
	size_t		 ipsz; /* number of IP prefixes */
	int		 valid; /* validated resources (set by valid_roa, presumably) */
	char		*aia; /* AIA */
	char		*aki; /* AKI */
	char		*ski; /* SKI */
	char		*tal; /* basename of TAL for this cert */
};
192 
/*
 * A single Ghostbuster record
 */
struct gbr {
	char		*vcard; /* the vCard payload, as text */
	char		*aia; /* AIA */
	char		*aki; /* AKI */
	char		*ski; /* SKI */
};
202 
/*
 * A single VRP element (including ASID): a validated
 * (prefix, maxlength, ASID) tuple, presumably produced from a ROA
 * by roa_insert_vrps().
 */
struct vrp {
	RB_ENTRY(vrp)	entry; /* vrp_tree linkage */
	struct ip_addr	addr; /* the prefix */
	uint32_t	asid; /* origin AS */
	char		*tal; /* basename of TAL for this cert */
	enum afi	afi; /* address family of addr */
	unsigned char	maxlength; /* maximum prefix length */
};
/*
 * Tree of VRP sorted by afi, addr, maxlength and asid
 * (comparison routine vrpcmp is defined elsewhere).
 */
RB_HEAD(vrp_tree, vrp);
RB_PROTOTYPE(vrp_tree, vrp, entry, vrpcmp);
219 
/*
 * A single CRL
 */
struct crl {
	RB_ENTRY(crl)	 entry; /* crl_tree linkage */
	char		*aki; /* AKI (x509_crl_get_aki), i.e. the issuer it belongs to */
	X509_CRL	*x509_crl; /* the parsed CRL */
};
/*
 * Tree of CRLs sorted by uri
 * (comparison routine crlcmp is defined elsewhere).
 */
RB_HEAD(crl_tree, crl);
RB_PROTOTYPE(crl_tree, crl, entry, crlcmp);
233 
/*
 * An authentication tuple.
 * This specifies a public key and a subject key identifier used to
 * verify children nodes in the tree of entities.
 * "parent" links the chain back to the trust anchor, so walking it
 * from any auth reaches a node with parent == NULL.
 */
struct auth {
	RB_ENTRY(auth)	 entry; /* auth_tree linkage */
	struct cert	*cert; /* owner information */
	struct auth	*parent; /* pointer to parent or NULL for TA cert */
	char		*tal; /* basename of TAL for this cert */
	char		*fn; /* FIXME: debugging */
};
/*
 * Tree of auth sorted by ski
 * (comparison routine authcmp is defined elsewhere).
 */
RB_HEAD(auth_tree, auth);
RB_PROTOTYPE(auth_tree, auth, entry, authcmp);

/* Look up an auth by SKI; returns NULL when absent, presumably. */
struct auth *auth_find(struct auth_tree *, const char *);
253 
/*
 * Resource types specified by the RPKI profiles.
 * There might be others we don't consider.
 * RTYPE_EOF is zero so that a zeroed message reads as "no entity".
 */
enum rtype {
	RTYPE_EOF = 0, /* end of stream, never a real entity */
	RTYPE_TAL, /* trust anchor locator (struct tal) */
	RTYPE_MFT, /* manifest (struct mft) */
	RTYPE_ROA, /* route origin authorisation (struct roa) */
	RTYPE_CER, /* certificate (struct cert) */
	RTYPE_CRL, /* revocation list (struct crl) */
	RTYPE_GBR, /* ghostbuster record (struct gbr) */
};
267 
/*
 * Outcome of an HTTP fetch as reported back by the http process
 * (see http_finish / rrdp_http_done).
 */
enum http_result {
	HTTP_FAILED,	/* anything else */
	HTTP_OK,	/* 200 OK */
	HTTP_NOT_MOD,	/* 304 Not Modified */
};
273 
/*
 * Message types for communication with RRDP process.
 * The exact payload of each message is defined by the sender/receiver
 * pairs in rrdp.c and main.c — not visible here.
 */
enum rrdp_msg {
	RRDP_START, /* begin a fetch for a repository */
	RRDP_SESSION, /* session state (struct rrdp_session) */
	RRDP_FILE, /* a published/withdrawn file (enum publish_type) */
	RRDP_END, /* fetch finished */
	RRDP_HTTP_REQ, /* request an HTTP transfer */
	RRDP_HTTP_INI, /* HTTP transfer started */
	RRDP_HTTP_FIN /* HTTP transfer finished (enum http_result) */
};
286 
/*
 * RRDP session state, needed to pickup at the right spot on next run.
 * Persisted by rrdp_save_state() and handed back via rrdp_fetch().
 */
struct rrdp_session {
	char			*last_mod; /* Last-Modified value of the notification file, presumably */
	char			*session_id; /* RRDP session_id from the notification file */
	long long		 serial; /* last serial seen for that session */
};
295 
/*
 * File types used in RRDP_FILE messages.
 */
enum publish_type {
	PUB_ADD, /* new file */
	PUB_UPD, /* replace an existing file */
	PUB_DEL, /* withdraw (remove) a file */
};
304 
/*
 * An entity (MFT, ROA, certificate, etc.) that needs to be downloaded
 * and parsed.
 * Instances are queued on an entityq and handed to the parser process
 * (see entity_read_req / entityq_flush).
 */
struct	entity {
	enum rtype	 type; /* type of entity (not RTYPE_EOF) */
	char		*file; /* local path to file */
	int		 has_pkey; /* whether pkey/sz is specified */
	unsigned char	*pkey; /* public key (optional) */
	size_t		 pkeysz; /* public key length (optional) */
	char		*descr; /* tal description */
	TAILQ_ENTRY(entity) entries; /* entityq linkage */
};
TAILQ_HEAD(entityq, entity);
319 
/* Opaque handles; the definitions live in other compilation units. */
struct repo;
struct filepath;
RB_HEAD(filepath_tree, filepath); /* set of local file paths (see filepath_add / repo_cleanup) */
323 
324 
/*
 * Statistics collected during run-time.
 * Purely informational; reported by outputheader() and friends.
 */
struct	stats {
	size_t	 tals; /* total number of locators */
	size_t	 mfts; /* total number of manifests */
	size_t	 mfts_fail; /* failing syntactic parse */
	size_t	 mfts_stale; /* stale manifests */
	size_t	 certs; /* certificates */
	size_t	 certs_fail; /* failing syntactic parse */
	size_t	 certs_invalid; /* invalid resources */
	size_t	 roas; /* route origin authorizations */
	size_t	 roas_fail; /* failing syntactic parse */
	size_t	 roas_invalid; /* invalid resources */
	size_t	 repos; /* repositories */
	size_t	 rsync_repos; /* synced rsync repositories */
	size_t	 rsync_fails; /* failed rsync repositories */
	size_t	 http_repos; /* synced http repositories */
	size_t	 http_fails; /* failed http repositories */
	size_t	 rrdp_repos; /* synced rrdp repositories */
	size_t	 rrdp_fails; /* failed rrdp repositories */
	size_t	 crls; /* revocation lists */
	size_t	 gbrs; /* ghostbuster records */
	size_t	 vrps; /* total number of vrps */
	size_t	 uniqs; /* number of unique vrps */
	size_t	 del_files; /* number of files removed in cleanup */
	size_t	 del_dirs; /* number of directories removed in cleanup */
	char	*talnames; /* names of the TALs processed, presumably joined into one string */
	struct timeval	elapsed_time; /* wall-clock run time */
	struct timeval	user_time; /* user CPU time (presumably from getrusage) */
	struct timeval	system_time; /* system CPU time (presumably from getrusage) */
};
357 
struct ibuf; /* opaque output buffer used by the *_buffer() routines below */

/* global variables */
extern int verbose; /* verbosity level; presumably non-zero enables extra logging */
362 
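/*
 * Routines for RPKI entities.
 * Naming pattern (inferred from the signatures; confirm in the .c files):
 *   *_parse(X509 **, const char *file) parse a file into the entity,
 *   *_buffer(struct ibuf *, const T *)  serialise it for another process,
 *   *_read(int fd)                      deserialise it from a descriptor,
 *   *_free(T *)                         release it.
 * base64_decode() belongs to the encoding section further down, where
 * it is declared; the duplicate declaration that used to sit here is gone.
 */

/* TAL (RFC 7730); see struct tal. */
void		 tal_buffer(struct ibuf *, const struct tal *);
void		 tal_free(struct tal *);
struct tal	*tal_parse(const char *, char *);
char		*tal_read_file(const char *);
struct tal	*tal_read(int);

/* Certificates (RFC 6487 / RFC 3779 resources); see struct cert.
 * ta_parse() additionally takes the DER public key from the TAL. */
void		 cert_buffer(struct ibuf *, const struct cert *);
void		 cert_free(struct cert *);
struct cert	*cert_parse(X509 **, const char *);
struct cert	*ta_parse(X509 **, const char *, const unsigned char *, size_t);
struct cert	*cert_read(int);

/* Manifests (RFC 6486); see struct mft. */
void		 mft_buffer(struct ibuf *, const struct mft *);
void		 mft_free(struct mft *);
struct mft	*mft_parse(X509 **, const char *);
int		 mft_check(const char *, struct mft *);
struct mft	*mft_read(int);

/* ROAs (RFC 6482); see struct roa. roa_insert_vrps() feeds a vrp_tree. */
void		 roa_buffer(struct ibuf *, const struct roa *);
void		 roa_free(struct roa *);
struct roa	*roa_parse(X509 **, const char *);
struct roa	*roa_read(int);
void		 roa_insert_vrps(struct vrp_tree *, struct roa *, size_t *,
		    size_t *);

/* Ghostbuster records; see struct gbr. */
void		 gbr_free(struct gbr *);
struct gbr	*gbr_parse(X509 **, const char *);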
394 
/* crl.c */
X509_CRL	*crl_parse(const char *); /* parse a CRL file; NULL on failure, presumably */
void		 free_crl(struct crl *); /* release a struct crl and its X509_CRL, presumably */
398 
/*
 * Validation of our objects.
 * These check an object against the auth_tree built from already
 * validated certificates (the path back to a trust anchor) and, for
 * file-backed objects, against the hash recorded in the manifest.
 * The int-returning routines use the usual non-zero-on-success
 * convention, presumably — confirm in validate.c.
 */

struct auth	*valid_ski_aki(const char *, struct auth_tree *,
		    const char *, const char *);
int		 valid_ta(const char *, struct auth_tree *,
		    const struct cert *);
int		 valid_cert(const char *, struct auth_tree *,
		    const struct cert *);
int		 valid_roa(const char *, struct auth_tree *, struct roa *);
int		 valid_filehash(const char *, const char *, size_t); /* file vs. expected digest of the given length */
int		 valid_uri(const char *, size_t, const char *); /* bounded URI check against a required prefix/scheme, presumably */
410 
/*
 * Working with CMS files.
 * Returns the eContent payload (caller frees) and its length through
 * the size_t pointer, with the embedded signer certificate through
 * the X509 pointer — inferred from the signature; confirm in cms.c.
 */

unsigned char	*cms_parse_validate(X509 **, const char *,
			const char *, size_t *);
415 
/*
 * Work with RFC 3779 IP addresses, prefixes, ranges.
 * The *_parse() routines take ASN.1 objects straight from the
 * certificate, so they are the first line of input validation for
 * address data; the overlap/covered checks operate on the
 * already-decoded cert_ip arrays.
 */

int		 ip_addr_afi_parse(const char *, const ASN1_OCTET_STRING *,
			enum afi *);
int		 ip_addr_parse(const ASN1_BIT_STRING *,
			enum afi, const char *, struct ip_addr *);
void		 ip_addr_print(const struct ip_addr *, enum afi, char *,
			size_t); /* formats into a caller-supplied, size-bounded buffer */
void		 ip_addr_buffer(struct ibuf *, const struct ip_addr *);
void		 ip_addr_range_buffer(struct ibuf *,
			const struct ip_addr_range *);
void		 ip_addr_read(int, struct ip_addr *);
void		 ip_addr_range_read(int, struct ip_addr_range *);
int		 ip_addr_cmp(const struct ip_addr *, const struct ip_addr *); /* three-way compare, presumably */
int		 ip_addr_check_overlap(const struct cert_ip *,
			const char *, const struct cert_ip *, size_t);
int		 ip_addr_check_covered(enum afi, const unsigned char *,
			const unsigned char *, const struct cert_ip *, size_t);
int		 ip_cert_compose_ranges(struct cert_ip *); /* fill cert_ip.min/max */
void		 ip_roa_compose_ranges(struct roa_ip *); /* fill roa_ip.min/max */
436 
/*
 * Work with RFC 3779 AS numbers, ranges.
 * as_id_parse() decodes an ASN1_INTEGER into a uint32_t, which is
 * where out-of-range values (RFC 6793 allows at most 32 bits) must be
 * rejected.
 */

int		 as_id_parse(const ASN1_INTEGER *, uint32_t *);
int		 as_check_overlap(const struct cert_as *, const char *,
			const struct cert_as *, size_t);
int		 as_check_covered(uint32_t, uint32_t,
			const struct cert_as *, size_t); /* is [min,max] covered by the given cert_as array? */
444 
/* Parser-specific */
void		 entity_free(struct entity *);
void		 entity_read_req(int fd, struct entity *); /* read one entity request from fd */
void		 entityq_flush(struct entityq *, struct repo *);
void		 proc_parser(int) __attribute__((noreturn)); /* parser process main loop; never returns */
450 
/* Rsync-specific. */

char		*rsync_base_uri(const char *); /* allocated base (module/host) part of an rsync:// URI, presumably */
void		 proc_rsync(char *, char *, int) __attribute__((noreturn)); /* rsync process main loop; never returns */
455 
/* HTTP and RRDP processes. Entry points of the respective child processes. */

void		 proc_http(char *, int);
void		 proc_rrdp(int);
460 
/*
 * Repository handling
 * The size_t first argument of the *_finish/*_fetch/rrdp_* routines is
 * a repository id correlating requests with replies across processes,
 * presumably — confirm in repo.c.
 */
int		 filepath_add(struct filepath_tree *, char *);
void		 rrdp_save_state(size_t, struct rrdp_session *);
int		 rrdp_handle_file(size_t, enum publish_type, char *,
		    char *, size_t, char *, size_t); /* file path plus (hash, len) and (data, len) pairs — order to be confirmed in repo.c */
char		*repo_filename(const struct repo *, const char *); /* allocated local path for a URI within the repo, presumably */
struct repo	*ta_lookup(struct tal *);
struct repo	*repo_lookup(const char *, const char *);
int		 repo_queued(struct repo *, struct entity *);
void		 repo_cleanup(struct filepath_tree *); /* remove files not in the tree (stats.del_files/del_dirs) */
void		 repo_free(void);

/* Completion callbacks from the fetcher processes. */
void		 rsync_finish(size_t, int);
void		 http_finish(size_t, enum http_result, const char *);
void		 rrdp_finish(size_t, int);

/* Requests to the fetcher processes. */
void		 rsync_fetch(size_t, const char *, const char *);
void		 http_fetch(size_t, const char *, const char *, int);
void		 rrdp_fetch(size_t, const char *, const char *,
		    struct rrdp_session *);
void		 rrdp_http_done(size_t, enum http_result, const char *);
482 
483 
484 /* Logging (though really used for OpenSSL errors). */
485 
486 void		 cryptowarnx(const char *, ...)
487 			__attribute__((format(printf, 1, 2)));
488 void		 cryptoerrx(const char *, ...)
489 			__attribute__((format(printf, 1, 2)))
490 			__attribute__((noreturn));
491 
/*
 * Encoding functions for hex and base64.
 * base64_decode() allocates the output buffer and returns its length
 * through the size_t pointer (caller frees), presumably.
 * hex_encode() returns an allocated string (caller frees), presumably.
 */

int		 base64_decode(const unsigned char *, unsigned char **,
		    size_t *);
char		*hex_encode(const unsigned char *, size_t);
497 
498 
/*
 * Functions for moving data between processes.
 * The *_buffer() side appends to an ibuf, the *_read() side consumes
 * from a descriptor; the data crosses the privsep boundary, so the
 * reading side must treat lengths received from the peer as untrusted
 * input — NOTE(review): verify io_buf_read_alloc bounds the size
 * before allocating.
 */

void		 io_socket_blocking(int);
void		 io_socket_nonblocking(int);
void		 io_simple_buffer(struct ibuf *, const void *, size_t); /* raw bytes */
void		 io_buf_buffer(struct ibuf *, const void *, size_t); /* length-prefixed bytes, presumably */
void		 io_str_buffer(struct ibuf *, const char *); /* NUL-terminated string */
void		 io_simple_read(int, void *, size_t); /* exactly size bytes into caller buffer */
void		 io_buf_read_alloc(int, void **, size_t *); /* allocates for a length-prefixed blob */
void		 io_str_read(int, char **); /* allocates a string */
int		 io_recvfd(int, void *, size_t); /* receive a descriptor over the socket plus data */
510 
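/*
 * X509 helpers.
 * Each returns an allocated string for the named extension, or NULL
 * when absent/malformed (caller frees), presumably; the const char *
 * is the file name used in diagnostics. hex_encode() is declared with
 * the other encoding functions above — the duplicate here was dropped.
 */

char		*x509_get_aia(X509 *, const char *);
char		*x509_get_aki(X509 *, int, const char *);
char		*x509_get_ski(X509 *, const char *);
char		*x509_get_crl(X509 *, const char *);
char		*x509_crl_get_aki(X509_CRL *, const char *);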
519 
/* Output! */

extern int	 outformats; /* bit-set of the FORMAT_* flags below */
#define FORMAT_OPENBGPD	0x01 /* output_bgpd */
#define FORMAT_BIRD	0x02 /* output_bird1v4 / output_bird1v6 / output_bird2 */
#define FORMAT_CSV	0x04 /* output_csv */
#define FORMAT_JSON	0x08 /* output_json */

/* Write every selected format under the output directory. */
int		 outputfiles(struct vrp_tree *v, struct stats *);
/* Per-format writers: emit the VRP tree to an already-open stream. */
int		 outputheader(FILE *, struct stats *);
int		 output_bgpd(FILE *, struct vrp_tree *, struct stats *);
int		 output_bird1v4(FILE *, struct vrp_tree *, struct stats *);
int		 output_bird1v6(FILE *, struct vrp_tree *, struct stats *);
int		 output_bird2(FILE *, struct vrp_tree *, struct stats *);
int		 output_csv(FILE *, struct vrp_tree *, struct stats *);
int		 output_json(FILE *, struct vrp_tree *, struct stats *);
536 
/* printf-style logging; the format is attribute-checked, so pass user text via "%s". */
void	logx(const char *fmt, ...)
		    __attribute__((format(printf, 1, 2)));

/* Create a directory path, including missing parents (like mkdir -p), presumably. */
int	mkpath(const char *);
541 
/* Default locations: generated output files and the local repository cache. */
#define		RPKI_PATH_OUT_DIR	"/var/db/rpki-client"
#define		RPKI_PATH_BASE_DIR	"/var/cache/rpki-client"
544 
545 #endif /* ! EXTERN_H */