1 /* $OpenBSD: validate.c,v 1.60 2023/05/09 10:34:32 tb Exp $ */ 2 /* 3 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <arpa/inet.h> 19 #include <assert.h> 20 #include <ctype.h> 21 #include <err.h> 22 #include <fcntl.h> 23 #include <inttypes.h> 24 #include <stdlib.h> 25 #include <string.h> 26 #include <unistd.h> 27 28 #include "extern.h" 29 30 extern ASN1_OBJECT *certpol_oid; 31 32 /* 33 * Walk up the chain of certificates trying to match our AS number to 34 * one of the allocations in that chain. 35 * Returns 1 if covered or 0 if not. 36 */ 37 static int 38 valid_as(struct auth *a, uint32_t min, uint32_t max) 39 { 40 int c; 41 42 if (a == NULL) 43 return 0; 44 45 /* Does this certificate cover our AS number? */ 46 c = as_check_covered(min, max, a->cert->as, a->cert->asz); 47 if (c > 0) 48 return 1; 49 else if (c < 0) 50 return 0; 51 52 /* If it inherits, walk up the chain. */ 53 return valid_as(a->parent, min, max); 54 } 55 56 /* 57 * Walk up the chain of certificates (really just the last one, but in 58 * the case of inheritance, the ones before) making sure that our IP 59 * prefix is covered in the first non-inheriting specification. 60 * Returns 1 if covered or 0 if not. 61 */ 62 static int 63 valid_ip(struct auth *a, enum afi afi, 64 const unsigned char *min, const unsigned char *max) 65 { 66 int c; 67 68 if (a == NULL) 69 return 0; 70 71 /* Does this certificate cover our IP prefix? */ 72 c = ip_addr_check_covered(afi, min, max, a->cert->ips, a->cert->ipsz); 73 if (c > 0) 74 return 1; 75 else if (c < 0) 76 return 0; 77 78 /* If it inherits, walk up the chain. */ 79 return valid_ip(a->parent, afi, min, max); 80 } 81 82 /* 83 * Make sure the AKI is the same as the AKI listed on the Manifest, 84 * and that the SKI doesn't already exist. 85 * Return the parent by its AKI, or NULL on failure. 86 */ 87 struct auth * 88 valid_ski_aki(const char *fn, struct auth_tree *auths, 89 const char *ski, const char *aki, const char *mftaki) 90 { 91 struct auth *a; 92 93 if (mftaki != NULL) { 94 if (strcmp(aki, mftaki) != 0) { 95 warnx("%s: AKI doesn't match Manifest AKI", fn); 96 return NULL; 97 } 98 } 99 100 if (auth_find(auths, ski) != NULL) { 101 warnx("%s: RFC 6487: duplicate SKI", fn); 102 return NULL; 103 } 104 105 a = auth_find(auths, aki); 106 if (a == NULL) 107 warnx("%s: RFC 6487: unknown AKI", fn); 108 109 return a; 110 } 111 112 /* 113 * Validate a trust anchor by making sure that the SKI is unique. 114 * Returns 1 if valid, 0 otherwise. 115 */ 116 int 117 valid_ta(const char *fn, struct auth_tree *auths, const struct cert *cert) 118 { 119 /* SKI must not be a dupe. */ 120 if (auth_find(auths, cert->ski) != NULL) { 121 warnx("%s: RFC 6487: duplicate SKI", fn); 122 return 0; 123 } 124 125 return 1; 126 } 127 128 /* 129 * Validate a non-TA certificate: make sure its IP and AS resources are 130 * fully covered by those in the authority key (which must exist). 131 * Returns 1 if valid, 0 otherwise. 132 */ 133 int 134 valid_cert(const char *fn, struct auth *a, const struct cert *cert) 135 { 136 size_t i; 137 uint32_t min, max; 138 char buf1[64], buf2[64]; 139 140 for (i = 0; i < cert->asz; i++) { 141 if (cert->as[i].type == CERT_AS_INHERIT) 142 continue; 143 min = cert->as[i].type == CERT_AS_ID ? 144 cert->as[i].id : cert->as[i].range.min; 145 max = cert->as[i].type == CERT_AS_ID ? 146 cert->as[i].id : cert->as[i].range.max; 147 if (valid_as(a, min, max)) 148 continue; 149 warnx("%s: RFC 6487: uncovered AS: " 150 "%u--%u", fn, min, max); 151 return 0; 152 } 153 154 for (i = 0; i < cert->ipsz; i++) { 155 if (valid_ip(a, cert->ips[i].afi, cert->ips[i].min, 156 cert->ips[i].max)) 157 continue; 158 switch (cert->ips[i].type) { 159 case CERT_IP_RANGE: 160 ip_addr_print(&cert->ips[i].range.min, 161 cert->ips[i].afi, buf1, sizeof(buf1)); 162 ip_addr_print(&cert->ips[i].range.max, 163 cert->ips[i].afi, buf2, sizeof(buf2)); 164 warnx("%s: RFC 6487: uncovered IP: " 165 "%s--%s", fn, buf1, buf2); 166 break; 167 case CERT_IP_ADDR: 168 ip_addr_print(&cert->ips[i].ip, 169 cert->ips[i].afi, buf1, sizeof(buf1)); 170 warnx("%s: RFC 6487: uncovered IP: " 171 "%s", fn, buf1); 172 break; 173 case CERT_IP_INHERIT: 174 warnx("%s: RFC 6487: uncovered IP: " 175 "(inherit)", fn); 176 break; 177 } 178 return 0; 179 } 180 181 return 1; 182 } 183 184 /* 185 * Validate our ROA: check that the prefixes (ipAddrBlocks) are contained. 186 * Returns 1 if valid, 0 otherwise. 187 */ 188 int 189 valid_roa(const char *fn, struct cert *cert, struct roa *roa) 190 { 191 size_t i; 192 char buf[64]; 193 194 for (i = 0; i < roa->ipsz; i++) { 195 if (ip_addr_check_covered(roa->ips[i].afi, roa->ips[i].min, 196 roa->ips[i].max, cert->ips, cert->ipsz) > 0) 197 continue; 198 199 ip_addr_print(&roa->ips[i].addr, roa->ips[i].afi, buf, 200 sizeof(buf)); 201 warnx("%s: RFC 6482: uncovered IP: %s", fn, buf); 202 return 0; 203 } 204 205 return 1; 206 } 207 208 /* 209 * Validate a file by verifying the SHA256 hash of that file. 210 * The file to check is passed as a file descriptor. 211 * Returns 1 if hash matched, 0 otherwise. Closes fd when done. 212 */ 213 int 214 valid_filehash(int fd, const char *hash, size_t hlen) 215 { 216 SHA256_CTX ctx; 217 char filehash[SHA256_DIGEST_LENGTH]; 218 char buffer[8192]; 219 ssize_t nr; 220 221 if (hlen != sizeof(filehash)) 222 errx(1, "bad hash size"); 223 224 if (fd == -1) 225 return 0; 226 227 SHA256_Init(&ctx); 228 while ((nr = read(fd, buffer, sizeof(buffer))) > 0) 229 SHA256_Update(&ctx, buffer, nr); 230 close(fd); 231 SHA256_Final(filehash, &ctx); 232 233 if (memcmp(hash, filehash, sizeof(filehash)) != 0) 234 return 0; 235 return 1; 236 } 237 238 /* 239 * Same as above but with a buffer instead of a fd. 240 */ 241 int 242 valid_hash(unsigned char *buf, size_t len, const char *hash, size_t hlen) 243 { 244 char filehash[SHA256_DIGEST_LENGTH]; 245 246 if (hlen != sizeof(filehash)) 247 errx(1, "bad hash size"); 248 249 if (buf == NULL || len == 0) 250 return 0; 251 252 if (!EVP_Digest(buf, len, filehash, NULL, EVP_sha256(), NULL)) 253 errx(1, "EVP_Digest failed"); 254 255 if (memcmp(hash, filehash, sizeof(filehash)) != 0) 256 return 0; 257 return 1; 258 } 259 260 /* 261 * Validate that a filename only contains characters from the POSIX portable 262 * filename character set [A-Za-z0-9._-], see IEEE Std 1003.1-2013, 3.278. 263 */ 264 int 265 valid_filename(const char *fn, size_t len) 266 { 267 const unsigned char *c; 268 size_t i; 269 270 for (c = fn, i = 0; i < len; i++, c++) 271 if (!isalnum(*c) && *c != '-' && *c != '_' && *c != '.') 272 return 0; 273 return 1; 274 } 275 276 /* 277 * Validate a URI to make sure it is pure ASCII and does not point backwards 278 * or doing some other silly tricks. To enforce the protocol pass either 279 * https:// or rsync:// as proto, if NULL is passed no protocol is enforced. 280 * Returns 1 if valid, 0 otherwise. 281 */ 282 int 283 valid_uri(const char *uri, size_t usz, const char *proto) 284 { 285 size_t s; 286 287 if (usz > MAX_URI_LENGTH) 288 return 0; 289 290 for (s = 0; s < usz; s++) 291 if (!isalnum((unsigned char)uri[s]) && 292 !ispunct((unsigned char)uri[s])) 293 return 0; 294 295 if (proto != NULL) { 296 s = strlen(proto); 297 if (s >= usz) 298 return 0; 299 if (strncasecmp(uri, proto, s) != 0) 300 return 0; 301 } 302 303 /* do not allow files or directories to start with a '.' */ 304 if (strstr(uri, "/.") != NULL) 305 return 0; 306 307 return 1; 308 } 309 310 /* 311 * Validate that a URI has the same host as the URI passed in proto. 312 * Returns 1 if valid, 0 otherwise. 313 */ 314 int 315 valid_origin(const char *uri, const char *proto) 316 { 317 const char *to; 318 319 /* extract end of host from proto URI */ 320 to = strstr(proto, "://"); 321 if (to == NULL) 322 return 0; 323 to += strlen("://"); 324 if ((to = strchr(to, '/')) == NULL) 325 return 0; 326 327 /* compare hosts including the / for the start of the path section */ 328 if (strncasecmp(uri, proto, to - proto + 1) != 0) 329 return 0; 330 331 return 1; 332 } 333 334 /* 335 * Walk the tree of known valid CA certificates until we find a certificate that 336 * doesn't inherit. Build a chain of intermediates and use the non-inheriting 337 * certificate as a trusted root by virtue of X509_V_FLAG_PARTIAL_CHAIN. The 338 * RFC 3779 path validation needs a non-inheriting trust root to ensure that 339 * all delegated resources are covered. 340 */ 341 static void 342 build_chain(const struct auth *a, STACK_OF(X509) **intermediates, 343 STACK_OF(X509) **root) 344 { 345 *intermediates = NULL; 346 *root = NULL; 347 348 if (a == NULL) 349 return; 350 351 if ((*intermediates = sk_X509_new_null()) == NULL) 352 err(1, "sk_X509_new_null"); 353 if ((*root = sk_X509_new_null()) == NULL) 354 err(1, "sk_X509_new_null"); 355 for (; a != NULL; a = a->parent) { 356 assert(a->cert->x509 != NULL); 357 if (!a->any_inherits) { 358 if (!sk_X509_push(*root, a->cert->x509)) 359 errx(1, "sk_X509_push"); 360 break; 361 } 362 if (!sk_X509_push(*intermediates, a->cert->x509)) 363 errx(1, "sk_X509_push"); 364 } 365 assert(sk_X509_num(*root) == 1); 366 } 367 368 /* 369 * Add the CRL based on the certs SKI value. 370 * No need to insert any other CRL since those were already checked. 371 */ 372 static void 373 build_crls(const struct crl *crl, STACK_OF(X509_CRL) **crls) 374 { 375 *crls = NULL; 376 377 if (crl == NULL) 378 return; 379 if ((*crls = sk_X509_CRL_new_null()) == NULL) 380 errx(1, "sk_X509_CRL_new_null"); 381 if (!sk_X509_CRL_push(*crls, crl->x509_crl)) 382 err(1, "sk_X509_CRL_push"); 383 } 384 385 /* 386 * Validate the X509 certificate. Returns 1 for valid certificates, 387 * returns 0 if there is a verify error and sets *errstr to the error 388 * returned by X509_verify_cert_error_string(). 389 */ 390 int 391 valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a, 392 struct crl *crl, const char **errstr) 393 { 394 X509_VERIFY_PARAM *params; 395 ASN1_OBJECT *cp_oid; 396 STACK_OF(X509) *intermediates, *root; 397 STACK_OF(X509_CRL) *crls = NULL; 398 unsigned long flags; 399 int error; 400 401 *errstr = NULL; 402 build_chain(a, &intermediates, &root); 403 build_crls(crl, &crls); 404 405 assert(store_ctx != NULL); 406 assert(x509 != NULL); 407 if (!X509_STORE_CTX_init(store_ctx, NULL, x509, NULL)) 408 cryptoerrx("X509_STORE_CTX_init"); 409 410 if ((params = X509_STORE_CTX_get0_param(store_ctx)) == NULL) 411 cryptoerrx("X509_STORE_CTX_get0_param"); 412 if ((cp_oid = OBJ_dup(certpol_oid)) == NULL) 413 cryptoerrx("OBJ_dup"); 414 if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid)) 415 cryptoerrx("X509_VERIFY_PARAM_add0_policy"); 416 X509_VERIFY_PARAM_set_time(params, evaluation_time); 417 418 flags = X509_V_FLAG_CRL_CHECK; 419 flags |= X509_V_FLAG_PARTIAL_CHAIN; 420 flags |= X509_V_FLAG_POLICY_CHECK; 421 flags |= X509_V_FLAG_EXPLICIT_POLICY; 422 flags |= X509_V_FLAG_INHIBIT_MAP; 423 X509_STORE_CTX_set_flags(store_ctx, flags); 424 X509_STORE_CTX_set_depth(store_ctx, MAX_CERT_DEPTH); 425 /* 426 * See the comment above build_chain() for details on what's happening 427 * here. The nomenclature in this API is dubious and poorly documented. 428 */ 429 X509_STORE_CTX_set0_untrusted(store_ctx, intermediates); 430 X509_STORE_CTX_set0_trusted_stack(store_ctx, root); 431 X509_STORE_CTX_set0_crls(store_ctx, crls); 432 433 if (X509_verify_cert(store_ctx) <= 0) { 434 error = X509_STORE_CTX_get_error(store_ctx); 435 *errstr = X509_verify_cert_error_string(error); 436 X509_STORE_CTX_cleanup(store_ctx); 437 sk_X509_free(intermediates); 438 sk_X509_free(root); 439 sk_X509_CRL_free(crls); 440 return 0; 441 } 442 443 X509_STORE_CTX_cleanup(store_ctx); 444 sk_X509_free(intermediates); 445 sk_X509_free(root); 446 sk_X509_CRL_free(crls); 447 return 1; 448 } 449 450 /* 451 * Validate our RSC: check that all items in the ResourceBlock are contained. 452 * Returns 1 if valid, 0 otherwise. 453 */ 454 int 455 valid_rsc(const char *fn, struct cert *cert, struct rsc *rsc) 456 { 457 size_t i; 458 uint32_t min, max; 459 char buf1[64], buf2[64]; 460 461 for (i = 0; i < rsc->asz; i++) { 462 min = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.min 463 : rsc->as[i].id; 464 max = rsc->as[i].type == CERT_AS_RANGE ? rsc->as[i].range.max 465 : rsc->as[i].id; 466 467 if (as_check_covered(min, max, cert->as, cert->asz) > 0) 468 continue; 469 470 switch (rsc->as[i].type) { 471 case CERT_AS_ID: 472 warnx("%s: RSC resourceBlock: uncovered AS Identifier: " 473 "%u", fn, rsc->as[i].id); 474 break; 475 case CERT_AS_RANGE: 476 warnx("%s: RSC resourceBlock: uncovered AS Range: " 477 "%u--%u", fn, min, max); 478 break; 479 default: 480 break; 481 } 482 return 0; 483 } 484 485 for (i = 0; i < rsc->ipsz; i++) { 486 if (ip_addr_check_covered(rsc->ips[i].afi, rsc->ips[i].min, 487 rsc->ips[i].max, cert->ips, cert->ipsz) > 0) 488 continue; 489 490 switch (rsc->ips[i].type) { 491 case CERT_IP_RANGE: 492 ip_addr_print(&rsc->ips[i].range.min, 493 rsc->ips[i].afi, buf1, sizeof(buf1)); 494 ip_addr_print(&rsc->ips[i].range.max, 495 rsc->ips[i].afi, buf2, sizeof(buf2)); 496 warnx("%s: RSC ResourceBlock: uncovered IP Range: " 497 "%s--%s", fn, buf1, buf2); 498 break; 499 case CERT_IP_ADDR: 500 ip_addr_print(&rsc->ips[i].ip, 501 rsc->ips[i].afi, buf1, sizeof(buf1)); 502 warnx("%s: RSC ResourceBlock: uncovered IP: " 503 "%s", fn, buf1); 504 break; 505 default: 506 break; 507 } 508 return 0; 509 } 510 511 return 1; 512 } 513 514 int 515 valid_econtent_version(const char *fn, const ASN1_INTEGER *aint) 516 { 517 long version; 518 519 if (aint == NULL) 520 return 1; 521 522 if ((version = ASN1_INTEGER_get(aint)) < 0) { 523 warnx("%s: ASN1_INTEGER_get failed", fn); 524 return 0; 525 } 526 527 switch (version) { 528 case 0: 529 warnx("%s: incorrect encoding for version 0", fn); 530 return 0; 531 default: 532 warnx("%s: version %ld not supported (yet)", fn, version); 533 return 0; 534 } 535 } 536 537 /* 538 * Validate the ASPA: check that the customerASID is contained. 539 * Returns 1 if valid, 0 otherwise. 540 */ 541 int 542 valid_aspa(const char *fn, struct cert *cert, struct aspa *aspa) 543 { 544 545 if (as_check_covered(aspa->custasid, aspa->custasid, 546 cert->as, cert->asz) > 0) 547 return 1; 548 549 warnx("%s: ASPA: uncovered Customer ASID: %u", fn, aspa->custasid); 550 551 return 0; 552 } 553 554 /* 555 * Validate Geofeed prefixes: check that the prefixes are contained. 556 * Returns 1 if valid, 0 otherwise. 557 */ 558 int 559 valid_geofeed(const char *fn, struct cert *cert, struct geofeed *g) 560 { 561 size_t i; 562 char buf[64]; 563 564 for (i = 0; i < g->geoipsz; i++) { 565 if (ip_addr_check_covered(g->geoips[i].ip->afi, 566 g->geoips[i].ip->min, g->geoips[i].ip->max, cert->ips, 567 cert->ipsz) > 0) 568 continue; 569 570 ip_addr_print(&g->geoips[i].ip->ip, g->geoips[i].ip->afi, buf, 571 sizeof(buf)); 572 warnx("%s: Geofeed: uncovered IP: %s", fn, buf); 573 return 0; 574 } 575 576 return 1; 577 } 578 579 /* 580 * Validate whether a given string is a valid UUID. 581 * Returns 1 if valid, 0 otherwise. 582 */ 583 int 584 valid_uuid(const char *s) 585 { 586 int n = 0; 587 588 while (1) { 589 switch (n) { 590 case 8: 591 case 13: 592 case 18: 593 case 23: 594 if (s[n] != '-') 595 return 0; 596 break; 597 /* Check UUID is version 4 */ 598 case 14: 599 if (s[n] != '4') 600 return 0; 601 break; 602 /* Check UUID variant is 1 */ 603 case 19: 604 if (s[n] != '8' && s[n] != '9' && s[n] != 'a' && 605 s[n] != 'A' && s[n] != 'b' && s[n] != 'B') 606 return 0; 607 break; 608 case 36: 609 return s[n] == '\0'; 610 default: 611 if (!isxdigit((unsigned char)s[n])) 612 return 0; 613 break; 614 } 615 n++; 616 } 617 } 618 619 int 620 valid_ca_pkey(const char *fn, EVP_PKEY *pkey) 621 { 622 RSA *rsa; 623 const BIGNUM *rsa_e; 624 int key_bits; 625 626 if (pkey == NULL) { 627 warnx("%s: failure, pkey is NULL", fn); 628 return 0; 629 } 630 631 if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) { 632 warnx("%s: Expected EVP_PKEY_RSA, got %d", fn, 633 EVP_PKEY_base_id(pkey)); 634 return 0; 635 } 636 637 if ((key_bits = EVP_PKEY_bits(pkey)) != 2048) { 638 warnx("%s: RFC 7935: expected 2048-bit modulus, got %d bits", 639 fn, key_bits); 640 return 0; 641 } 642 643 if ((rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) { 644 warnx("%s: failed to extract RSA public key", fn); 645 return 0; 646 } 647 648 if ((rsa_e = RSA_get0_e(rsa)) == NULL) { 649 warnx("%s: failed to get RSA exponent", fn); 650 return 0; 651 } 652 653 if (!BN_is_word(rsa_e, 65537)) { 654 warnx("%s: incorrect exponent (e) in RSA public key", fn); 655 return 0; 656 } 657 658 return 1; 659 } 660