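/*	$OpenBSD: extern.h,v 1.66 2021/09/01 08:09:41 claudio Exp $ */
/*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
#ifndef EXTERN_H
#define EXTERN_H

/*
 * Shared declarations for rpki-client: the in-memory forms of the parsed
 * RPKI objects (TAL, certificate, manifest, ROA, CRL, ghostbuster record),
 * the VRP/CRL/auth trees built from them, the message types exchanged
 * between the helper processes, and the prototypes of every routine that
 * is shared across translation units.
 */

#include <sys/queue.h>
#include <sys/tree.h>
#include <sys/time.h>

#include <stdint.h>	/* uint32_t, made explicit rather than transitive */
#include <stdio.h>	/* FILE, used by the output_* prototypes below */

#include <openssl/x509.h>

enum cert_as_type {
	CERT_AS_ID, /* single identifier */
	CERT_AS_INHERIT, /* inherit from parent */
	CERT_AS_RANGE, /* range of identifiers */
};

/*
 * An AS identifier range.
 * The maximum AS identifier is an unsigned 32 bit integer (RFC 6793).
 */
struct cert_as_range {
	uint32_t min; /* minimum non-zero */
	uint32_t max; /* maximum */
};

/*
 * An autonomous system (AS) object.
 * AS identifiers are unsigned 32 bit integers (RFC 6793).
 * Which union member is valid is selected by "type".
 */
struct cert_as {
	enum cert_as_type type; /* type of AS specification */
	union {
		uint32_t id; /* singular identifier (CERT_AS_ID) */
		struct cert_as_range range; /* range (CERT_AS_RANGE) */
	};
};

/*
 * AFI values are assigned by IANA.
 * In rpki-client, we only accept the IPV4 and IPV6 AFI values.
 */
enum afi {
	AFI_IPV4 = 1,
	AFI_IPV6 = 2
};

/*
 * An IP address as parsed from RFC 3779, section 2.2.3.8.
 * This is either in a certificate or an ROA.
 * It may either be IPv4 or IPv6; the AFI is carried by the enclosing
 * structure, not here.
 */
struct ip_addr {
	unsigned char addr[16]; /* binary address prefix */
	unsigned char prefixlen; /* number of valid bits in address */
};

/*
 * An IP address (IPv4 or IPv6) range starting at the minimum and making
 * its way to the maximum.
 */
struct ip_addr_range {
	struct ip_addr min; /* minimum ip */
	struct ip_addr max; /* maximum ip */
};

enum cert_ip_type {
	CERT_IP_ADDR, /* IP address range w/shared prefix */
	CERT_IP_INHERIT, /* inherited IP address */
	CERT_IP_RANGE /* range of IP addresses */
};

/*
 * A single IP address family (AFI, address or range) as defined in RFC
 * 3779, 2.2.3.2.
 * The RFC specifies multiple address or ranges per AFI; this structure
 * encodes both the AFI and a single address or range.
 * Which union member is valid is selected by "type".
 */
struct cert_ip {
	enum afi afi; /* AFI value */
	enum cert_ip_type type; /* type of IP entry */
	unsigned char min[16]; /* full range minimum */
	unsigned char max[16]; /* full range maximum */
	union {
		struct ip_addr ip; /* singular address (CERT_IP_ADDR) */
		struct ip_addr_range range; /* range (CERT_IP_RANGE) */
	};
};

/*
 * Parsed components of a validated X509 certificate stipulated by RFC
 * 6847 and further (within) by RFC 3779.
 * All AS numbers are guaranteed to be non-overlapping and properly
 * inheriting.
 */
struct cert {
	struct cert_ip *ips; /* list of IP address ranges */
	size_t ipsz; /* length of "ips" */
	struct cert_as *as; /* list of AS numbers and ranges */
	size_t asz; /* length of "as" */
	char *repo; /* CA repository (rsync:// uri) */
	char *mft; /* manifest (rsync:// uri) */
	char *notify; /* RRDP notify (https:// uri) */
	char *crl; /* CRL location (rsync:// or NULL) */
	char *aia; /* AIA (or NULL, for trust anchor) */
	char *aki; /* AKI (or NULL, for trust anchor) */
	char *ski; /* SKI */
	int valid; /* validated resources */
	X509 *x509; /* the cert */
};

/*
 * The TAL file conforms to RFC 7730.
 * It is the top-level structure of RPKI and defines where we can find
 * certificates for TAs (trust anchors).
 * It also includes the public key for verifying those trust anchor
 * certificates.
 */
struct tal {
	char **uri; /* well-formed rsync URIs */
	size_t urisz; /* number of URIs */
	unsigned char *pkey; /* DER-encoded public key */
	size_t pkeysz; /* length of pkey */
	char *descr; /* basename of tal file */
};

/*
 * Files specified in an MFT have their bodies hashed with SHA256.
 */
struct mftfile {
	char *file; /* filename (CER/ROA/CRL, no path) */
	unsigned char hash[SHA256_DIGEST_LENGTH]; /* sha256 of body */
};

/*
 * A manifest, RFC 6486.
 * This consists of a bunch of files found in the same directory as the
 * manifest file.
 */
struct mft {
	char *file; /* full path of MFT file */
	struct mftfile *files; /* file and hash */
	size_t filesz; /* number of filenames */
	int stale; /* if a stale manifest */
	char *seqnum; /* manifestNumber */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *ski; /* SKI */
};

/*
 * An IP address prefix for a given ROA.
 * This encodes the maximum length, AFI (v6/v4), and address.
 * FIXME: are the min/max necessary or just used in one place?
 */
struct roa_ip {
	enum afi afi; /* AFI value */
	size_t maxlength; /* max length or zero */
	unsigned char min[16]; /* full range minimum */
	unsigned char max[16]; /* full range maximum */
	struct ip_addr addr; /* the address prefix itself */
};

/*
 * An ROA, RFC 6482.
 * This consists of the concerned ASID and its IP prefixes.
 */
struct roa {
	uint32_t asid; /* asID of ROA (if 0, RFC 6483 sec 4) */
	struct roa_ip *ips; /* IP prefixes */
	size_t ipsz; /* number of IP prefixes */
	int valid; /* validated resources */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *ski; /* SKI */
	char *tal; /* basename of TAL for this cert */
	time_t expires; /* do not use after */
};

/*
 * A single Ghostbuster record
 */
struct gbr {
	char *vcard; /* vCard contents of the record */
	char *aia; /* AIA */
	char *aki; /* AKI */
	char *ski; /* SKI */
};

/*
 * A single VRP element (including ASID)
 */
struct vrp {
	RB_ENTRY(vrp) entry;
	struct ip_addr addr;
	uint32_t asid;
	char *tal; /* basename of TAL for this cert */
	enum afi afi;
	unsigned char maxlength; /* narrower than roa_ip.maxlength (size_t);
				  * the conversion site must range-check
				  * — TODO confirm in roa_insert_vrps() */
	time_t expires; /* transitive expiry moment */
};
/*
 * Tree of VRP sorted by afi, addr, maxlength and asid
 */
RB_HEAD(vrp_tree, vrp);
RB_PROTOTYPE(vrp_tree, vrp, entry, vrpcmp);

/*
 * A single CRL
 */
struct crl {
	RB_ENTRY(crl) entry;
	char *aki;
	X509_CRL *x509_crl;
};
/*
 * Tree of CRLs sorted by uri
 */
RB_HEAD(crl_tree, crl);
RB_PROTOTYPE(crl_tree, crl, entry, crlcmp);

/*
 * An authentication tuple.
 * This specifies a public key and a subject key identifier used to
 * verify children nodes in the tree of entities.
 */
struct auth {
	RB_ENTRY(auth) entry;
	struct cert *cert; /* owner information */
	struct auth *parent; /* pointer to parent or NULL for TA cert */
	char *tal; /* basename of TAL for this cert */
	char *fn; /* FIXME: debugging */
};
/*
 * Tree of auth sorted by ski
 */
RB_HEAD(auth_tree, auth);
RB_PROTOTYPE(auth_tree, auth, entry, authcmp);

struct auth *auth_find(struct auth_tree *, const char *);

/*
 * Resource types specified by the RPKI profiles.
 * There might be others we don't consider.
 */
enum rtype {
	RTYPE_EOF = 0,
	RTYPE_TAL,
	RTYPE_MFT,
	RTYPE_ROA,
	RTYPE_CER,
	RTYPE_CRL,
	RTYPE_GBR,
};

enum http_result {
	HTTP_FAILED, /* anything else */
	HTTP_OK, /* 200 OK */
	HTTP_NOT_MOD, /* 304 Not Modified */
};

/*
 * Message types for communication with RRDP process.
 */
enum rrdp_msg {
	RRDP_START,
	RRDP_SESSION,
	RRDP_FILE,
	RRDP_END,
	RRDP_HTTP_REQ,
	RRDP_HTTP_INI,
	RRDP_HTTP_FIN
};

/*
 * RRDP session state, needed to pickup at the right spot on next run.
 */
struct rrdp_session {
	char *last_mod;
	char *session_id;
	long long serial;
};

/*
 * File types used in RRDP_FILE messages.
 */
enum publish_type {
	PUB_ADD,
	PUB_UPD,
	PUB_DEL,
};

/*
 * An entity (MFT, ROA, certificate, etc.) that needs to be downloaded
 * and parsed.
 */
struct entity {
	enum rtype type; /* type of entity (not RTYPE_EOF) */
	char *file; /* local path to file */
	int has_pkey; /* whether pkey/sz is specified */
	unsigned char *pkey; /* public key (optional) */
	size_t pkeysz; /* public key length (optional) */
	char *descr; /* tal description */
	TAILQ_ENTRY(entity) entries;
};
TAILQ_HEAD(entityq, entity);

/* Opaque to everything but the repository code. */
struct repo;
struct filepath;
RB_HEAD(filepath_tree, filepath);


/*
 * Statistics collected during run-time.
 */
struct stats {
	size_t tals; /* total number of locators */
	size_t mfts; /* total number of manifests */
	size_t mfts_fail; /* failing syntactic parse */
	size_t mfts_stale; /* stale manifests */
	size_t certs; /* certificates */
	size_t certs_fail; /* failing syntactic parse */
	size_t certs_invalid; /* invalid resources */
	size_t roas; /* route origin authorizations */
	size_t roas_fail; /* failing syntactic parse */
	size_t roas_invalid; /* invalid resources */
	size_t repos; /* repositories */
	size_t rsync_repos; /* synced rsync repositories */
	size_t rsync_fails; /* failed rsync repositories */
	size_t http_repos; /* synced http repositories */
	size_t http_fails; /* failed http repositories */
	size_t rrdp_repos; /* synced rrdp repositories */
	size_t rrdp_fails; /* failed rrdp repositories */
	size_t crls; /* revocation lists */
	size_t gbrs; /* ghostbuster records */
	size_t vrps; /* total number of vrps */
	size_t uniqs; /* number of unique vrps */
	size_t del_files; /* number of files removed in cleanup */
	size_t del_dirs; /* number of directories removed in cleanup */
	char *talnames; /* TAL names (presumably for the output header) */
	struct timeval elapsed_time;
	struct timeval user_time;
	struct timeval system_time;
};

struct ibuf;

/* global variables */
extern int verbose;

/*
 * Routines for RPKI entities.
 * By signature, each entity type follows the same pattern: *_buffer
 * serialises into an ibuf, *_read reconstructs from a descriptor,
 * *_parse takes an X509 ** and a path, and *_free releases the object.
 */

void tal_buffer(struct ibuf *, const struct tal *);
void tal_free(struct tal *);
struct tal *tal_parse(const char *, char *);
char *tal_read_file(const char *);
struct tal *tal_read(int);

void cert_buffer(struct ibuf *, const struct cert *);
void cert_free(struct cert *);
struct cert *cert_parse(X509 **, const char *);
struct cert *ta_parse(X509 **, const char *, const unsigned char *, size_t);
struct cert *cert_read(int);

void mft_buffer(struct ibuf *, const struct mft *);
void mft_free(struct mft *);
struct mft *mft_parse(X509 **, const char *);
int mft_check(const char *, struct mft *);
struct mft *mft_read(int);

void roa_buffer(struct ibuf *, const struct roa *);
void roa_free(struct roa *);
struct roa *roa_parse(X509 **, const char *);
struct roa *roa_read(int);
void roa_insert_vrps(struct vrp_tree *, struct roa *, size_t *,
    size_t *);

void gbr_free(struct gbr *);
struct gbr *gbr_parse(X509 **, const char *);

/* crl.c */
X509_CRL *crl_parse(const char *);
void free_crl(struct crl *);

/* Validation of our objects. */

struct auth *valid_ski_aki(const char *, struct auth_tree *,
    const char *, const char *);
int valid_ta(const char *, struct auth_tree *,
    const struct cert *);
int valid_cert(const char *, struct auth_tree *,
    const struct cert *);
int valid_roa(const char *, struct auth_tree *, struct roa *);
int valid_filehash(const char *, const char *, size_t);
int valid_uri(const char *, size_t, const char *);

/* Working with CMS. */
unsigned char *cms_parse_validate(X509 **, const char *,
    const char *, size_t *);
int cms_econtent_version(const char *, const unsigned char **,
    size_t, long *);
/* Helper for ASN1 parsing */
int ASN1_frame(const char *, size_t,
    const unsigned char **, long *, int *);

/* Work with RFC 3779 IP addresses, prefixes, ranges. */

int ip_addr_afi_parse(const char *, const ASN1_OCTET_STRING *,
    enum afi *);
int ip_addr_parse(const ASN1_BIT_STRING *,
    enum afi, const char *, struct ip_addr *);
void ip_addr_print(const struct ip_addr *, enum afi, char *,
    size_t);
void ip_addr_buffer(struct ibuf *, const struct ip_addr *);
void ip_addr_range_buffer(struct ibuf *,
    const struct ip_addr_range *);
void ip_addr_read(int, struct ip_addr *);
void ip_addr_range_read(int, struct ip_addr_range *);
int ip_addr_cmp(const struct ip_addr *, const struct ip_addr *);
int ip_addr_check_overlap(const struct cert_ip *,
    const char *, const struct cert_ip *, size_t);
int ip_addr_check_covered(enum afi, const unsigned char *,
    const unsigned char *, const struct cert_ip *, size_t);
int ip_cert_compose_ranges(struct cert_ip *);
void ip_roa_compose_ranges(struct roa_ip *);

/* Work with RFC 3779 AS numbers, ranges. */

int as_id_parse(const ASN1_INTEGER *, uint32_t *);
int as_check_overlap(const struct cert_as *, const char *,
    const struct cert_as *, size_t);
int as_check_covered(uint32_t, uint32_t,
    const struct cert_as *, size_t);

/* Parser-specific */
void entity_free(struct entity *);
void entity_read_req(int fd, struct entity *);
void entityq_flush(struct entityq *, struct repo *);
void proc_parser(int) __attribute__((noreturn));

/* Rsync-specific. */

char *rsync_base_uri(const char *);
void proc_rsync(char *, char *, int) __attribute__((noreturn));

/* HTTP and RRDP processes. */

void proc_http(char *, int);
void proc_rrdp(int);

/* Repository handling */
int filepath_add(struct filepath_tree *, char *);
void rrdp_save_state(size_t, struct rrdp_session *);
int rrdp_handle_file(size_t, enum publish_type, char *,
    char *, size_t, char *, size_t);
char *repo_filename(const struct repo *, const char *);
struct repo *ta_lookup(struct tal *);
struct repo *repo_lookup(const char *, const char *);
int repo_queued(struct repo *, struct entity *);
void repo_cleanup(struct filepath_tree *);
void repo_free(void);

void rsync_finish(size_t, int);
void http_finish(size_t, enum http_result, const char *);
void rrdp_finish(size_t, int);

void rsync_fetch(size_t, const char *, const char *);
void http_fetch(size_t, const char *, const char *, int);
void rrdp_fetch(size_t, const char *, const char *,
    struct rrdp_session *);
void rrdp_http_done(size_t, enum http_result, const char *);


/* Logging (though really used for OpenSSL errors). */

void cryptowarnx(const char *, ...)
    __attribute__((format(printf, 1, 2)));
void cryptoerrx(const char *, ...)
    __attribute__((format(printf, 1, 2)))
    __attribute__((noreturn));

/* Encoding functions for hex and base64. */

int base64_decode(const unsigned char *, unsigned char **,
    size_t *);
int base64_encode(const unsigned char *, size_t, char **);
char *hex_encode(const unsigned char *, size_t);


/* Functions for moving data between processes. */

void io_socket_blocking(int);
void io_socket_nonblocking(int);
void io_simple_buffer(struct ibuf *, const void *, size_t);
void io_buf_buffer(struct ibuf *, const void *, size_t);
void io_str_buffer(struct ibuf *, const char *);
void io_simple_read(int, void *, size_t);
void io_buf_read_alloc(int, void **, size_t *);
void io_str_read(int, char **);
int io_recvfd(int, void *, size_t);

/* X509 helpers.  (hex_encode() is declared with the encoding functions.) */

char *x509_get_aia(X509 *, const char *);
char *x509_get_aki(X509 *, int, const char *);
char *x509_get_ski(X509 *, const char *);
char *x509_get_crl(X509 *, const char *);
char *x509_crl_get_aki(X509_CRL *, const char *);

/* Output! */

extern int outformats; /* bitmask of the FORMAT_* flags below */
#define FORMAT_OPENBGPD 0x01
#define FORMAT_BIRD 0x02
#define FORMAT_CSV 0x04
#define FORMAT_JSON 0x08

int outputfiles(struct vrp_tree *v, struct stats *);
int outputheader(FILE *, struct stats *);
int output_bgpd(FILE *, struct vrp_tree *, struct stats *);
int output_bird1v4(FILE *, struct vrp_tree *, struct stats *);
int output_bird1v6(FILE *, struct vrp_tree *, struct stats *);
int output_bird2(FILE *, struct vrp_tree *, struct stats *);
int output_csv(FILE *, struct vrp_tree *, struct stats *);
int output_json(FILE *, struct vrp_tree *, struct stats *);

void logx(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));

int mkpath(const char *);

#define RPKI_PATH_OUT_DIR "/var/db/rpki-client"
#define RPKI_PATH_BASE_DIR "/var/cache/rpki-client"

#endif /* ! EXTERN_H */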