# include <endian.h>
#endif
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
#include <loc/libloc.h>
#include <loc/as.h>
#include <loc/compat.h>
struct loc_ctx* ctx;
int refcount;
+ FILE* f;
+
unsigned int version;
time_t created_at;
off_t vendor;
off_t description;
off_t license;
+ char* signature;
+ size_t signature_length;
+
// ASes in the database
struct loc_database_as_v0* as_v0;
size_t as_count;
char country_code[3];
uint32_t asn;
enum loc_network_flags flags;
+ int family;
// Index of the AS we are looking at
unsigned int as_index;
unsigned int* networks_visited;
};
-static int loc_database_read_magic(struct loc_database* db, FILE* f) {
+static int loc_database_read_magic(struct loc_database* db) {
struct loc_database_magic magic;
// Read from file
- size_t bytes_read = fread(&magic, 1, sizeof(magic), f);
+ size_t bytes_read = fread(&magic, 1, sizeof(magic), db->f);
// Check if we have been able to read enough data
if (bytes_read < sizeof(magic)) {
}
static int loc_database_read_as_section_v0(struct loc_database* db,
- FILE* f, const struct loc_database_header_v0* header) {
+ const struct loc_database_header_v0* header) {
off_t as_offset = be32toh(header->as_offset);
size_t as_length = be32toh(header->as_length);
if (as_length > 0) {
db->as_v0 = mmap(NULL, as_length, PROT_READ,
- MAP_SHARED, fileno(f), as_offset);
+ MAP_SHARED, fileno(db->f), as_offset);
if (db->as_v0 == MAP_FAILED)
return -errno;
}
static int loc_database_read_network_nodes_section_v0(struct loc_database* db,
- FILE* f, const struct loc_database_header_v0* header) {
+ const struct loc_database_header_v0* header) {
off_t network_nodes_offset = be32toh(header->network_tree_offset);
size_t network_nodes_length = be32toh(header->network_tree_length);
if (network_nodes_length > 0) {
db->network_nodes_v0 = mmap(NULL, network_nodes_length, PROT_READ,
- MAP_SHARED, fileno(f), network_nodes_offset);
+ MAP_SHARED, fileno(db->f), network_nodes_offset);
if (db->network_nodes_v0 == MAP_FAILED)
return -errno;
}
static int loc_database_read_networks_section_v0(struct loc_database* db,
- FILE* f, const struct loc_database_header_v0* header) {
+ const struct loc_database_header_v0* header) {
off_t networks_offset = be32toh(header->network_data_offset);
size_t networks_length = be32toh(header->network_data_length);
if (networks_length > 0) {
db->networks_v0 = mmap(NULL, networks_length, PROT_READ,
- MAP_SHARED, fileno(f), networks_offset);
+ MAP_SHARED, fileno(db->f), networks_offset);
if (db->networks_v0 == MAP_FAILED)
return -errno;
}
static int loc_database_read_countries_section_v0(struct loc_database* db,
- FILE* f, const struct loc_database_header_v0* header) {
+ const struct loc_database_header_v0* header) {
off_t countries_offset = be32toh(header->countries_offset);
size_t countries_length = be32toh(header->countries_length);
DEBUG(db->ctx, "Reading countries section from %jd (%zu bytes)\n",
- countries_offset, countries_length);
+ (intmax_t)countries_offset, countries_length);
if (countries_length > 0) {
db->countries_v0 = mmap(NULL, countries_length, PROT_READ,
- MAP_SHARED, fileno(f), countries_offset);
+ MAP_SHARED, fileno(db->f), countries_offset);
if (db->countries_v0 == MAP_FAILED)
return -errno;
return 0;
}
-static int loc_database_read_header_v0(struct loc_database* db, FILE* f) {
+static int loc_database_read_header_v0(struct loc_database* db) {
struct loc_database_header_v0 header;
// Read from file
- size_t size = fread(&header, 1, sizeof(header), f);
+ size_t size = fread(&header, 1, sizeof(header), db->f);
if (size < sizeof(header)) {
ERROR(db->ctx, "Could not read enough data for header\n");
db->description = be32toh(header.description);
db->license = be32toh(header.license);
+ // Read signature
+ db->signature_length = be32toh(header.signature_length);
+ if (db->signature_length) {
+ // Check for a plausible signature length
+ if (db->signature_length > LOC_SIGNATURE_MAX_LENGTH) {
+ ERROR(db->ctx, "Signature too long: %ld\n", db->signature_length);
+ return -EINVAL;
+ }
+
+ DEBUG(db->ctx, "Reading signature of %ld bytes\n",
+ db->signature_length);
+
+ db->signature = malloc(db->signature_length);
+ for (unsigned int i = 0; i < db->signature_length; i++)
+ db->signature[i] = header.signature[i];
+ }
+
// Open pool
off_t pool_offset = be32toh(header.pool_offset);
size_t pool_length = be32toh(header.pool_length);
int r = loc_stringpool_open(db->ctx, &db->pool,
- f, pool_length, pool_offset);
+ db->f, pool_length, pool_offset);
if (r)
return r;
// AS section
- r = loc_database_read_as_section_v0(db, f, &header);
+ r = loc_database_read_as_section_v0(db, &header);
if (r)
return r;
// Network Nodes
- r = loc_database_read_network_nodes_section_v0(db, f, &header);
+ r = loc_database_read_network_nodes_section_v0(db, &header);
if (r)
return r;
// Networks
- r = loc_database_read_networks_section_v0(db, f, &header);
+ r = loc_database_read_networks_section_v0(db, &header);
if (r)
return r;
// countries
- r = loc_database_read_countries_section_v0(db, f, &header);
+ r = loc_database_read_countries_section_v0(db, &header);
if (r)
return r;
return 0;
}
-static int loc_database_read_header(struct loc_database* db, FILE* f) {
+static int loc_database_read_header(struct loc_database* db) {
switch (db->version) {
case 0:
- return loc_database_read_header_v0(db, f);
+ return loc_database_read_header_v0(db);
default:
ERROR(db->ctx, "Incompatible database version: %u\n", db->version);
static int loc_database_read(struct loc_database* db, FILE* f) {
clock_t start = clock();
+ int fd = fileno(f);
+
+ // Clone file descriptor
+ fd = dup(fd);
+ if (!fd) {
+ ERROR(db->ctx, "Could not duplicate file descriptor\n");
+ return -1;
+ }
+
+ // Reopen the file so that we can keep our own file handle
+ db->f = fdopen(fd, "r");
+ if (!db->f) {
+ ERROR(db->ctx, "Could not re-open database file\n");
+ return -1;
+ }
+
+ // Rewind to the start of the file
+ rewind(db->f);
+
// Read magic bytes
- int r = loc_database_read_magic(db, f);
+ int r = loc_database_read_magic(db);
if (r)
return r;
// Read the header
- r = loc_database_read_header(db, f);
+ r = loc_database_read_header(db);
if (r)
return r;
loc_stringpool_unref(db->pool);
+ // Free signature
+ if (db->signature)
+ free(db->signature);
+
+ // Close database file
+ if (db->f)
+ fclose(db->f);
+
loc_unref(db->ctx);
free(db);
}
return NULL;
}
+LOC_EXPORT int loc_database_verify(struct loc_database* db, FILE* f) {
+ // Cannot do this when no signature is available
+ if (!db->signature) {
+ DEBUG(db->ctx, "No signature available to verify\n");
+ return 1;
+ }
+
+ // Start the stopwatch
+ clock_t start = clock();
+
+ // Load public key
+ EVP_PKEY* pkey = PEM_read_PUBKEY(f, NULL, NULL, NULL);
+ if (!pkey) {
+ char* error = ERR_error_string(ERR_get_error(), NULL);
+ ERROR(db->ctx, "Could not parse public key: %s\n", error);
+
+ return -1;
+ }
+
+ int r = 0;
+
+ EVP_MD_CTX* mdctx = EVP_MD_CTX_new();
+
+ // Initialise hash function
+ r = EVP_DigestVerifyInit(mdctx, NULL, NULL, NULL, pkey);
+ if (r != 1) {
+ ERROR(db->ctx, "Error initializing signature validation: %s\n",
+ ERR_error_string(ERR_get_error(), NULL));
+ r = 1;
+
+ goto CLEANUP;
+ }
+
+ // Reset file to start
+ rewind(db->f);
+
+ // Read magic
+ struct loc_database_magic magic;
+ fread(&magic, 1, sizeof(magic), db->f);
+
+ hexdump(db->ctx, &magic, sizeof(magic));
+
+ // Feed magic into the hash
+ r = EVP_DigestVerifyUpdate(mdctx, &magic, sizeof(magic));
+ if (r != 1) {
+ ERROR(db->ctx, "%s\n", ERR_error_string(ERR_get_error(), NULL));
+ r = 1;
+
+ goto CLEANUP;
+ }
+
+ // Read the header
+ struct loc_database_header_v0 header_v0;
+
+ switch (db->version) {
+ case 0:
+ fread(&header_v0, 1, sizeof(header_v0), db->f);
+
+ // Clear signature
+ for (unsigned int i = 0; i < sizeof(header_v0.signature); i++) {
+ header_v0.signature[i] = '\0';
+ }
+
+ hexdump(db->ctx, &header_v0, sizeof(header_v0));
+
+ // Feed header into the hash
+ r = EVP_DigestVerifyUpdate(mdctx, &header_v0, sizeof(header_v0));
+ if (r != 1) {
+ ERROR(db->ctx, "%s\n", ERR_error_string(ERR_get_error(), NULL));
+ r = 1;
+
+ goto CLEANUP;
+ }
+ break;
+
+ default:
+ ERROR(db->ctx, "Cannot compute hash for database with format %d\n",
+ db->version);
+ r = -EINVAL;
+ goto CLEANUP;
+ }
+
+ // Walk through the file in chunks of 64kB
+ char buffer[64 * 1024];
+
+ while (!feof(db->f)) {
+ size_t bytes_read = fread(buffer, 1, sizeof(buffer), db->f);
+
+ hexdump(db->ctx, buffer, bytes_read);
+
+ r = EVP_DigestVerifyUpdate(mdctx, buffer, bytes_read);
+ if (r != 1) {
+ ERROR(db->ctx, "%s\n", ERR_error_string(ERR_get_error(), NULL));
+ r = 1;
+
+ goto CLEANUP;
+ }
+ }
+
+ // Finish
+ r = EVP_DigestVerifyFinal(mdctx,
+ (unsigned char*)db->signature, db->signature_length);
+
+ if (r == 0) {
+ DEBUG(db->ctx, "The signature is invalid\n");
+ r = 1;
+ } else if (r == 1) {
+ DEBUG(db->ctx, "The signature is valid\n");
+ r = 0;
+ } else {
+ ERROR(db->ctx, "Error verifying the signature: %s\n",
+ ERR_error_string(ERR_get_error(), NULL));
+ r = 1;
+ }
+
+ // Dump signature
+ hexdump(db->ctx, db->signature, db->signature_length);
+
+ clock_t end = clock();
+ DEBUG(db->ctx, "Signature checked in %.4fms\n",
+ (double)(end - start) / CLOCKS_PER_SEC * 1000);
+
+CLEANUP:
+ // Cleanup
+ EVP_MD_CTX_free(mdctx);
+ EVP_PKEY_free(pkey);
+
+ return r;
+}
+
LOC_EXPORT time_t loc_database_created_at(struct loc_database* db) {
return db->created_at;
}
// Returns the network at position pos
static int loc_database_fetch_network(struct loc_database* db, struct loc_network** network,
struct in6_addr* address, unsigned int prefix, off_t pos) {
- if ((size_t)pos >= db->networks_count)
+ if ((size_t)pos >= db->networks_count) {
+ DEBUG(db->ctx, "Network ID out of range: %jd/%jd\n",
+ (intmax_t)pos, (intmax_t)db->networks_count);
return -EINVAL;
+ }
+
DEBUG(db->ctx, "Fetching network at position %jd\n", (intmax_t)pos);
if ((size_t)pos >= db->countries_count)
return -EINVAL;
- DEBUG(db->ctx, "Fetching country at position %jd\n", pos);
+ DEBUG(db->ctx, "Fetching country at position %jd\n", (intmax_t)pos);
int r;
switch (db->version) {
// adjust our search pointers
loc_country_unref(*country);
- if (result < 0) {
+ if (result > 0) {
lo = i + 1;
} else
hi = i - 1;
return 0;
}
+LOC_EXPORT int loc_database_enumerator_set_family(
+ struct loc_database_enumerator* enumerator, int family) {
+ enumerator->family = family;
+
+ return 0;
+}
+
LOC_EXPORT int loc_database_enumerator_next_as(
struct loc_database_enumerator* enumerator, struct loc_as** as) {
*as = NULL;
// Increase stack size
int s = ++e->network_stack_depth;
- DEBUG(e->ctx, "Added node %jd to stack (%d)\n", offset, depth);
+ DEBUG(e->ctx, "Added node %jd to stack (%d)\n", (intmax_t)offset, depth);
e->network_stack[s].offset = offset;
e->network_stack[s].i = i;
in6_addr_set_bit(&enumerator->network_address,
(node->depth > 0) ? node->depth - 1 : 0, node->i);
- DEBUG(enumerator->ctx, "Looking at node %jd\n", node->offset);
+ DEBUG(enumerator->ctx, "Looking at node %jd\n", (intmax_t)node->offset);
enumerator->networks_visited[node->offset]++;
// Pop node from top of the stack
if (__loc_database_node_is_leaf(n)) {
off_t network_index = be32toh(n->network);
- DEBUG(enumerator->ctx, "Node has a network at %jd\n", network_index);
+ DEBUG(enumerator->ctx, "Node has a network at %jd\n", (intmax_t)network_index);
// Fetch the network object
r = loc_database_fetch_network(enumerator->db, network,
// Check if we are interested in this network
+ // Skip if the family does not match
+ if (enumerator->family && loc_network_address_family(*network) != enumerator->family) {
+ loc_network_unref(*network);
+ *network = NULL;
+
+ continue;
+ }
+
// Skip if the country code does not match
- if (enumerator->country_code &&
+ if (*enumerator->country_code &&
!loc_network_match_country_code(*network, enumerator->country_code)) {
loc_network_unref(*network);
*network = NULL;
projects / location / libloc.git / blobdiff