From: Alberto Leiva Popper Date: Tue, 14 Jul 2026 21:32:59 +0000 (-0600) Subject: Merge branch 'main' into aspa X-Git-Tag: 1.7.0.experimental~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8d398799e4c425cee5eaf0e3b757bc1b35827399;p=thirdparty%2FFORT-validator.git Merge branch 'main' into aspa --- 8d398799e4c425cee5eaf0e3b757bc1b35827399 diff --cc src/config.c index 1bd8b5f9,a2afb779..675fff6c --- a/src/config.c +++ b/src/config.c @@@ -990,9 -948,10 +990,10 @@@ set_default_values(void "--contimeout=20", "--max-size=20MB", "--timeout=15", + "--exclude=.*", - "--include=*/", "--include=*.cer", "--include=*.crl", - "--include=*.gbr", "--include=*.mft", "--include=*.roa", - "--exclude=*", + "--include=*/", "--include=*.cer", "--include=*.roa", + "--include=*.asa", "--include=*.mft", "--include=*.crl", + "--include=*.gbr", "--exclude=*", "$REMOTE", "$LOCAL", }; diff --cc src/main.c index d05a2eef,e4f458c3..a8bd1a06 --- a/src/main.c +++ b/src/main.c @@@ -62,8 -62,8 +62,8 @@@ fort_server(void goto end; pr_op_info("Main loop: Time to work!"); - error = vrps_update(&changed); + error = vrps_update(&rtr); - if (fort_end) + if (fort_end || error == -EINTR) break; if (error) { pr_op_debug("Main loop: Error %d (%s)", error, diff --cc src/object/certificate.c index e71613dc,53a07ba9..a3429341 --- a/src/object/certificate.c +++ b/src/object/certificate.c @@@ -1131,19 -1131,23 +1131,26 @@@ abort } static int - handle_ip_extension(X509_EXTENSION *ext, struct resources *resources, int flags) + handle_ip_extension( + #if OPENSSL_VERSION_MAJOR >= 4 + X509_EXTENSION const *ext, + #else + X509_EXTENSION *ext, + #endif - struct resources *resources) ++ struct resources *resources, int flags) { - ASN1_OCTET_STRING *string; + ASN1_OCTET_STRING const *string; struct IPAddrBlocks *blocks; OCTET_STRING_t *family; int i; int error; + if (!X509_EXTENSION_get_critical(ext)) + return pr_val_err("IP extension is not marked critical."); + string = X509_EXTENSION_get_data(ext); - error = asn1_decode(string->data, string->length, &asn_DEF_IPAddrBlocks, + error = asn1_decode(ASN1_STRING_get0_data(string), + ASN1_STRING_length(string), &asn_DEF_IPAddrBlocks, (void **) &blocks, true); if (error) return error; @@@ -1183,10 -1187,15 +1190,15 @@@ end } static int - handle_asn_extension(X509_EXTENSION *ext, struct resources *resources, - int flags) + handle_asn_extension( + #if OPENSSL_VERSION_MAJOR >= 4 + X509_EXTENSION const *ext, + #else + X509_EXTENSION *ext, + #endif - struct resources *resources, bool allow_inherit) ++ struct resources *resources, int flags) { - ASN1_OCTET_STRING *string; + ASN1_OCTET_STRING const *string; struct ASIdentifiers *ids; int error; @@@ -1202,108 -1212,64 +1215,112 @@@ return error; } -static int -__certificate_get_resources(X509 *cert, struct resources *resources, - int addr_nid, int asn_nid, int bad_addr_nid, int bad_asn_nid, - char const *policy_rfc, char const *bad_ext_rfc, bool allow_asn_inherit) +/** + * Copies the resources from @cert to @resources. + */ +int +certificate_get_resources(X509 *cert, struct resources *resources, + enum cert_type type, enum ee_type eet) { + int allowed_ip_nid = NID_undef; + int allowed_as_nid = NID_undef; + int flags = RF_ALLOW_ALL; + + int nid_ip1 = NID_sbgp_ipAddrBlock; + int nid_ip2 = nid_ipAddrBlocksv2(); + int nid_as1 = NID_sbgp_autonomousSysNum; + int nid_as2 = nid_autonomousSysIdsv2(); + + #if OPENSSL_VERSION_MAJOR >= 4 + X509_EXTENSION const *ext; + #else X509_EXTENSION *ext; + #endif - int nid; - int i; + int extnid; + int e; int error; - bool ip_ext_found = false; - bool asn_ext_found = false; - - /* Reference: X509_get_ext_d2i */ - /* rfc6487#section-2 */ - for (i = 0; i < X509_get_ext_count(cert); i++) { - ext = X509_get_ext(cert, i); - nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); + switch (type) { + case CERTYPE_TA: + case CERTYPE_CA: + case CERTYPE_BGPSEC: + switch (resources_get_policy(resources)) { + case RPKI_POLICY_RFC6484: + allowed_ip_nid = nid_ip1; + allowed_as_nid = nid_as1; + break; + case RPKI_POLICY_RFC8360: + allowed_ip_nid = nid_ip2; + allowed_as_nid = nid_as2; + } + break; + case CERTYPE_EE: + switch (eet) { + case EET_ROA: + switch (resources_get_policy(resources)) { + case RPKI_POLICY_RFC6484: + allowed_ip_nid = nid_ip1; break; + case RPKI_POLICY_RFC8360: + allowed_ip_nid = nid_ip2; + } + flags &= ~RF_ALLOW_INHERIT; + break; + case EET_ASPA: + switch (resources_get_policy(resources)) { + case RPKI_POLICY_RFC6484: + allowed_as_nid = nid_as1; break; + case RPKI_POLICY_RFC8360: + allowed_as_nid = nid_as2; + } + flags = 0; + break; + case EET_MFT: + case EET_GBR: + /* + * RFC6487: + * + * > Either the IP Resources extension, or the AS + * > Resources extension, or both, MUST be present in + * > all RPKI certificates + * + * This requirement seems counterproductive, + * but I guess it's too late to fix it. + */ + switch (resources_get_policy(resources)) { + case RPKI_POLICY_RFC6484: + allowed_ip_nid = nid_ip1; + allowed_as_nid = nid_as1; + break; + case RPKI_POLICY_RFC8360: + allowed_ip_nid = nid_ip2; + allowed_as_nid = nid_as2; + } + break; + } + break; + } - if (nid == addr_nid) { - if (ip_ext_found) - return pr_val_err("Multiple IP extensions found."); - if (!X509_EXTENSION_get_critical(ext)) - return pr_val_err("The IP extension is not marked as critical."); + for (e = 0; e < X509_get_ext_count(cert); e++) { + ext = X509_get_ext(cert, e); + extnid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); - pr_val_debug("IP {"); - error = handle_ip_extension(ext, resources); - pr_val_debug("}"); - ip_ext_found = true; + if (extnid == nid_ip1 || extnid == nid_ip2) { + if (extnid != allowed_ip_nid) + return pr_val_err("Found an unexpected IP Resources extension."); + error = handle_ip_extension(ext, resources, flags); if (error) return error; + allowed_ip_nid = NID_undef; - } else if (nid == asn_nid) { - if (asn_ext_found) - return pr_val_err("Multiple AS extensions found."); - if (!X509_EXTENSION_get_critical(ext)) - return pr_val_err("The AS extension is not marked as critical."); - - pr_val_debug("ASN {"); - error = handle_asn_extension(ext, resources, - allow_asn_inherit); - pr_val_debug("}"); - asn_ext_found = true; + } else if (extnid == nid_as1 || extnid == nid_as2) { + if (extnid != allowed_as_nid) + return pr_val_err("Found an unexpected AS Resources extension."); + error = handle_asn_extension(ext, resources, flags); if (error) return error; - - } else if (nid == bad_addr_nid) { - return pr_val_err("Certificate has an RFC%s policy, but contains an RFC%s IP extension.", - policy_rfc, bad_ext_rfc); - } else if (nid == bad_asn_nid) { - return pr_val_err("Certificate has an RFC%s policy, but contains an RFC%s ASN extension.", - policy_rfc, bad_ext_rfc); + allowed_as_nid = NID_undef; } } diff --cc src/rtr/pdu_stream.h index 56d37eb0,d8677a0a..1ddf13af --- a/src/rtr/pdu_stream.h +++ b/src/rtr/pdu_stream.h @@@ -1,7 -1,8 +1,9 @@@ #ifndef SRC_RTR_PDU_STREAM_H_ #define SRC_RTR_PDU_STREAM_H_ + #include + #include +#include #include #include "rtr/pdu.h" diff --cc src/rtr/rtr.c index ddd83034,79466850..fc180a5c --- a/src/rtr/rtr.c +++ b/src/rtr/rtr.c @@@ -2,9 -2,9 +2,12 @@@ #include #include + #include #include #include ++#include ++#include +#include #include "common.h" #include "config.h"