]> git.ipfire.org Git - thirdparty/FORT-validator.git/commitdiff
Merge branch 'main' into aspa
authorAlberto Leiva Popper <ydahhrk@gmail.com>
Tue, 14 Jul 2026 21:32:59 +0000 (15:32 -0600)
committerAlberto Leiva Popper <ydahhrk@gmail.com>
Tue, 14 Jul 2026 21:32:59 +0000 (15:32 -0600)
1  2 
src/config.c
src/config.h
src/main.c
src/object/bgpsec.c
src/object/certificate.c
src/rrdp.c
src/rtr/pdu.h
src/rtr/pdu_stream.h
src/rtr/rtr.c

diff --cc src/config.c
index 1bd8b5f975fbcb99b13d835c6adb14551ca506b1,a2afb7791cac0b42167accece58b607931477c38..675fff6c5540601afcf5b2de36ae69a0aede67d1
@@@ -990,9 -948,10 +990,10 @@@ set_default_values(void
  
                "--contimeout=20", "--max-size=20MB", "--timeout=15",
  
 -              "--include=*/", "--include=*.cer", "--include=*.crl",
 -              "--include=*.gbr", "--include=*.mft", "--include=*.roa",
 -              "--exclude=*",
+               "--exclude=.*",
 +              "--include=*/", "--include=*.cer", "--include=*.roa",
 +              "--include=*.asa", "--include=*.mft", "--include=*.crl",
 +              "--include=*.gbr", "--exclude=*",
  
                "$REMOTE", "$LOCAL",
        };
diff --cc src/config.h
Simple merge
diff --cc src/main.c
index d05a2eef263c2e7b1998ec39a54cacca58f08772,e4f458c3426129f70ed162b36a79ff826b971171..a8bd1a06e5113e6a488af5d97016dc3f90efab0a
@@@ -62,8 -62,8 +62,8 @@@ fort_server(void
                        goto end;
                pr_op_info("Main loop: Time to work!");
  
 -              error = vrps_update(&changed);
 +              error = vrps_update(&rtr);
-               if (fort_end)
+               if (fort_end || error == -EINTR)
                        break;
                if (error) {
                        pr_op_debug("Main loop: Error %d (%s)", error,
Simple merge
index e71613dcffbc1797a42c01d9caa26fe57dca27e6,53a07ba9750fe630632f933d97383f86719a91e4..a3429341bad3489e9acc7c74796f13a0c5a8e6a5
@@@ -1131,19 -1131,23 +1131,26 @@@ abort
  }
  
  static int
- handle_ip_extension(X509_EXTENSION *ext, struct resources *resources, int flags)
+ handle_ip_extension(
+ #if OPENSSL_VERSION_MAJOR >= 4
+     X509_EXTENSION const *ext,
+ #else
+     X509_EXTENSION *ext,
+ #endif
 -    struct resources *resources)
++    struct resources *resources, int flags)
  {
-       ASN1_OCTET_STRING *string;
+       ASN1_OCTET_STRING const *string;
        struct IPAddrBlocks *blocks;
        OCTET_STRING_t *family;
        int i;
        int error;
  
 +      if (!X509_EXTENSION_get_critical(ext))
 +              return pr_val_err("IP extension is not marked critical.");
 +
        string = X509_EXTENSION_get_data(ext);
-       error = asn1_decode(string->data, string->length, &asn_DEF_IPAddrBlocks,
+       error = asn1_decode(ASN1_STRING_get0_data(string),
+           ASN1_STRING_length(string), &asn_DEF_IPAddrBlocks,
            (void **) &blocks, true);
        if (error)
                return error;
  }
  
  static int
- handle_asn_extension(X509_EXTENSION *ext, struct resources *resources,
-     int flags)
+ handle_asn_extension(
+ #if OPENSSL_VERSION_MAJOR >= 4
+     X509_EXTENSION const *ext,
+ #else
+     X509_EXTENSION *ext,
+ #endif
 -    struct resources *resources, bool allow_inherit)
++    struct resources *resources, int flags)
  {
-       ASN1_OCTET_STRING *string;
+       ASN1_OCTET_STRING const *string;
        struct ASIdentifiers *ids;
        int error;
  
        return error;
  }
  
 -static int
 -__certificate_get_resources(X509 *cert, struct resources *resources,
 -    int addr_nid, int asn_nid, int bad_addr_nid, int bad_asn_nid,
 -    char const *policy_rfc, char const *bad_ext_rfc, bool allow_asn_inherit)
 +/**
 + * Copies the resources from @cert to @resources.
 + */
 +int
 +certificate_get_resources(X509 *cert, struct resources *resources,
 +    enum cert_type type, enum ee_type eet)
  {
 +      int allowed_ip_nid = NID_undef;
 +      int allowed_as_nid = NID_undef;
 +      int flags = RF_ALLOW_ALL;
 +
 +      int nid_ip1 = NID_sbgp_ipAddrBlock;
 +      int nid_ip2 = nid_ipAddrBlocksv2();
 +      int nid_as1 = NID_sbgp_autonomousSysNum;
 +      int nid_as2 = nid_autonomousSysIdsv2();
 +
+ #if OPENSSL_VERSION_MAJOR >= 4
+       X509_EXTENSION const *ext;
+ #else
        X509_EXTENSION *ext;
 -      int nid;
 -      int i;
+ #endif
 +      int extnid;
 +      int e;
        int error;
 -      bool ip_ext_found = false;
 -      bool asn_ext_found = false;
 -
 -      /* Reference: X509_get_ext_d2i */
 -      /* rfc6487#section-2 */
  
 -      for (i = 0; i < X509_get_ext_count(cert); i++) {
 -              ext = X509_get_ext(cert, i);
 -              nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
 +      switch (type) {
 +      case CERTYPE_TA:
 +      case CERTYPE_CA:
 +      case CERTYPE_BGPSEC:
 +              switch (resources_get_policy(resources)) {
 +              case RPKI_POLICY_RFC6484:
 +                      allowed_ip_nid = nid_ip1;
 +                      allowed_as_nid = nid_as1;
 +                      break;
 +              case RPKI_POLICY_RFC8360:
 +                      allowed_ip_nid = nid_ip2;
 +                      allowed_as_nid = nid_as2;
 +              }
 +              break;
 +      case CERTYPE_EE:
 +              switch (eet) {
 +              case EET_ROA:
 +                      switch (resources_get_policy(resources)) {
 +                      case RPKI_POLICY_RFC6484:
 +                              allowed_ip_nid = nid_ip1; break;
 +                      case RPKI_POLICY_RFC8360:
 +                              allowed_ip_nid = nid_ip2;
 +                      }
 +                      flags &= ~RF_ALLOW_INHERIT;
 +                      break;
 +              case EET_ASPA:
 +                      switch (resources_get_policy(resources)) {
 +                      case RPKI_POLICY_RFC6484:
 +                              allowed_as_nid = nid_as1; break;
 +                      case RPKI_POLICY_RFC8360:
 +                              allowed_as_nid = nid_as2;
 +                      }
 +                      flags = 0;
 +                      break;
 +              case EET_MFT:
 +              case EET_GBR:
 +                      /*
 +                       * RFC6487:
 +                       *
 +                       * > Either the IP Resources extension, or the AS
 +                       * > Resources extension, or both, MUST be present in
 +                       * > all RPKI certificates
 +                       *
 +                       * This requirement seems counterproductive,
 +                       * but I guess it's too late to fix it.
 +                       */
 +                      switch (resources_get_policy(resources)) {
 +                      case RPKI_POLICY_RFC6484:
 +                              allowed_ip_nid = nid_ip1;
 +                              allowed_as_nid = nid_as1;
 +                              break;
 +                      case RPKI_POLICY_RFC8360:
 +                              allowed_ip_nid = nid_ip2;
 +                              allowed_as_nid = nid_as2;
 +                      }
 +                      break;
 +              }
 +              break;
 +      }
  
 -              if (nid == addr_nid) {
 -                      if (ip_ext_found)
 -                              return pr_val_err("Multiple IP extensions found.");
 -                      if (!X509_EXTENSION_get_critical(ext))
 -                              return pr_val_err("The IP extension is not marked as critical.");
 +      for (e = 0; e < X509_get_ext_count(cert); e++) {
 +              ext = X509_get_ext(cert, e);
 +              extnid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
  
 -                      pr_val_debug("IP {");
 -                      error = handle_ip_extension(ext, resources);
 -                      pr_val_debug("}");
 -                      ip_ext_found = true;
 +              if (extnid == nid_ip1 || extnid == nid_ip2) {
 +                      if (extnid != allowed_ip_nid)
 +                              return pr_val_err("Found an unexpected IP Resources extension.");
  
 +                      error = handle_ip_extension(ext, resources, flags);
                        if (error)
                                return error;
 +                      allowed_ip_nid = NID_undef;
  
 -              } else if (nid == asn_nid) {
 -                      if (asn_ext_found)
 -                              return pr_val_err("Multiple AS extensions found.");
 -                      if (!X509_EXTENSION_get_critical(ext))
 -                              return pr_val_err("The AS extension is not marked as critical.");
 -
 -                      pr_val_debug("ASN {");
 -                      error = handle_asn_extension(ext, resources,
 -                          allow_asn_inherit);
 -                      pr_val_debug("}");
 -                      asn_ext_found = true;
 +              } else if (extnid == nid_as1 || extnid == nid_as2) {
 +                      if (extnid != allowed_as_nid)
 +                              return pr_val_err("Found an unexpected AS Resources extension.");
  
 +                      error = handle_asn_extension(ext, resources, flags);
                        if (error)
                                return error;
 -
 -              } else if (nid == bad_addr_nid) {
 -                      return pr_val_err("Certificate has an RFC%s policy, but contains an RFC%s IP extension.",
 -                          policy_rfc, bad_ext_rfc);
 -              } else if (nid == bad_asn_nid) {
 -                      return pr_val_err("Certificate has an RFC%s policy, but contains an RFC%s ASN extension.",
 -                          policy_rfc, bad_ext_rfc);
 +                      allowed_as_nid = NID_undef;
                }
        }
  
diff --cc src/rrdp.c
Simple merge
diff --cc src/rtr/pdu.h
Simple merge
index 56d37eb060773509cb99deab1c78054c32745f66,d8677a0ac15a3f3026466ff6efd2197d6a7db5dd..1ddf13af55d5e225f129435d22c0195f8dd5ec94
@@@ -1,7 -1,8 +1,9 @@@
  #ifndef SRC_RTR_PDU_STREAM_H_
  #define SRC_RTR_PDU_STREAM_H_
  
+ #include <arpa/inet.h>
+ #include <netinet/in.h>
 +#include <sys/queue.h>
  #include <stdbool.h>
  
  #include "rtr/pdu.h"
diff --cc src/rtr/rtr.c
index ddd83034ae191ab6cbd8dba7c7745f4e34a60c5a,79466850fcc23f62442831f1ebba2f80d139c90d..fc180a5c5b5d9405dfb9cc1ce8964b92d8d85965
@@@ -2,9 -2,9 +2,12 @@@
  
  #include <errno.h>
  #include <fcntl.h>
+ #include <netdb.h>
  #include <poll.h>
  #include <string.h>
++#include <sys/types.h>
++#include <sys/socket.h>
 +#include <unistd.h>
  
  #include "common.h"
  #include "config.h"