pcarana [Wed, 13 Nov 2019 23:47:58 +0000 (17:47 -0600)]
Support RFC8630, TALs can have comments and HTTPS URIs.
-Remove all references to RFC 7730 (docs and source comments), now obsolete.
-Indicate full RFC 8630 compliance at docs.
-Implement full validation of AIA (RFC 6487 section 4.8.7), since HTTPS URIs loaded from a TAL can cause the current validation to fail.
-The AIA validation function is now exposed, so that CAs and EEs can do it when the current certificate is being validated (and already loaded at heap).
-Allow to create uris that start with 'https://', let uri.c ready to validate https and/or rsync uris.
-Parse comments and https URIs from a tal file, comments are ignored. Whenever and https URI is found and utilized, the file is downloaded using the previously commited HTTP module.
pcarana [Tue, 12 Nov 2019 23:42:29 +0000 (17:42 -0600)]
Add module to support HTTPS requests.
-New program arguments to configure http requests:
+http.user-agent
+http.connect-timeout
+http.transfer-timeout
+http.ca-path
-Relocate functions that create a local directory structure from a local URI, so that can be utilized by rsync.c and http.c.
-Expose a function to download a file from an HTTPS URL, the function is expected to write the bytes from the response into a file using a callback (defined by the caller).
-Add libcurl dependency at makefile and docs (still needs an update for the distinct OSs installation).
-Add unit test for the http module.
-Update man and docs with new configuration properties.
-Update configuration example with new configuration properties.
pcarana [Tue, 29 Oct 2019 20:57:41 +0000 (14:57 -0600)]
Fix unit tests, create common function to print IP addresses.
-Add missing getters at configuration impersonator.
-Create a common function to print IPv4 and IPv6 addresses, the function already existed but it was created multiple times at distinct sources.
pcarana [Thu, 24 Oct 2019 15:46:26 +0000 (10:46 -0500)]
Validate SignedObject DER encoding using incidences schema.
-asn1c doesn't have a DER decoder, but it has DER encoders. Once the data is BER decoded, encode it again as DER and compare against the original data, the difference (if there's one) will be at ASN1 TLVs.
-Create new incidence 'incid-obj-not-der-encoded' to handle such error.
-Update docs: RFC 6488 100% compliance, new incidence description.
-Add new incidence to configuration example (examples/config.json).
pcarana [Fri, 18 Oct 2019 19:39:34 +0000 (14:39 -0500)]
Create setup script, add examples directory (includes tal dir).
-The script invites to agree ARIN RPA and downloads ARIN's TAL. Additionally, downloads the rest of the TALS, creates a local repository directory, and an example configuration file.
-Create 'examples' directory to include examples of: configuration file, SLURM, TALs.
-Move 'tal' directory to 'examples/tal'.
-Update docs, add the usage of the setup script at Installation module.
pcarana [Tue, 15 Oct 2019 20:04:32 +0000 (15:04 -0500)]
Log additional information on start/end of validation cycle.
+The information is printed at INFO level:
- When a client starts/ends a connection, or when the connection is killed (print its address and an internal ID).
- When a new validation cycle is started and finished (includes number of valid ROAs and Router Keys, current/new serial number, and real execution time).
+Update function 'log_debug_enabled' and add 'log_info_enabled' function.
+Add functions to get total ROAs and Router Keys from db_table struct.
pcarana [Fri, 11 Oct 2019 22:30:12 +0000 (17:30 -0500)]
Remember last valid SLURM in case of syntax error with newer SLURM(s).
-Remove 'comment' member from slurm structs, there's no need to store its value.
-Rename 'slurm/slurm_db.*' to 'slurm/db_slurm.*'.
-Allocate SLURM data, so that the last valid SLURM can be used if needed; so, now the SLURM lives on the heap and is 'remembered' as part of the VRPs state. Also remember the date and time when the last valid SLURM was loaded.
-Move 'slurm_bgpsec' and 'slurm_prefix' structs, and SLURM data flags to 'db_slurm.h'.
-Update 'slurm_parser' to return a specific error in case of a syntax error, so that further actions can be taken (ignore slurm, use last valid version, or store as the last valid version).
-In case a previous valid version of SLURM is utilized, log a WARNING indicating that such action is being taken, and log SLURM content at INFO level.
-Fix bug at common function 'process_file', there was an issue before releasing temporal pointers.
Update docs structure and content, merge with master.
-Bring the last updates from master (from commit 298c8f9ab0147159e70e47fb7f0766a5bc1b8b31).
-Fix background of some images (use white instead of none).
-Remove the 'doc' dir and move all its content to root folder, so that the whole documentation can be consulted from the root directory.
-Update the documentation index.
-Update docs layout references to match the new directory structure.
Fix bug, complete some unit tests, downgrade NID info logging.
-Bug fixed: Router Key PDUs overriding each others weren't removed due to a bad 'memcmp' use.
-Complete unit tests where Router Keys data can be tested.
-Downgrade NID registering log from info to debug on initialization.
+Each TAL will validate its own repositories without waiting for the others to terminate.
+Remove a TODO on configure.ac
+Update unit tests.
+Fix warning at base64 sanitizer, replace the function 'strchr' with a local one since the read buffer isn't necessarily a string.
pcarana [Wed, 21 Aug 2019 17:24:49 +0000 (12:24 -0500)]
Fix SLURM issues, and compile warning.
-SLURM filters weren't correctly applied when the filter had a prefix and an asn, only the asn was taken into account.
-Another error at filters, if a prefix X covered ROA prefix Y, the ROA prefix wasn't filtered; so apply the filter as specified in RFC 8416.
-Remove compile warning '_BSD_SOURCE and _SVID_SOURCE are deprecated', and set '_DEFAULT_SOURCE' at generated code by asn1c 'GeneralizedTime.c'.
pcarana [Wed, 14 Aug 2019 22:10:25 +0000 (17:10 -0500)]
Fix #14, remove SIGINT handler and adequate rsync return status.
-The SIGINT handler wasn't terminating the process as it should be, so let the signal be handled as default (like SIGTERM).
-Update the rsync (do_rsync) function to read the returned pid status and know how did the process was terminated; in case of interruption, use the returned value to terminate the validation cycle as well.
pcarana [Tue, 6 Aug 2019 16:28:24 +0000 (11:28 -0500)]
Assign ID to incidence, validate RTR port, fix slurm bug.
-Use an ID for the registered incidence.
-When loading multiple SLURM files, the validation from RFC 8416 section 4.2 wasn't considered. A context is used to perform such validation, since every prefix or asn (for bgpsec) must be validated according to its own context/file.
-Remove dead code (structs) from SLURM.
-Validate RTR port range since this isn't validated by getaddrinfo.
pcarana [Fri, 2 Aug 2019 16:51:11 +0000 (11:51 -0500)]
Fix minor issues and add some enhancements.
-Display a warning when a directory doesn't have files with the desired extension (used at TAL and SLURM configuration).
-Set the minimum allowed value of 'maximum-certificate-depth' to 5 to allow a normal operation.
-Validate ROA output file path at initialization instead of doing it when the whole validation process has terminated.
-Add a note to indicate 64-bit OS support.
-Print the real address where the RTR server will be bounded to.
-If there's an error loading the SLURM data, show the element that has the error.
-Fix X509_VERIFY_PARAM memory leak.
-Update doc reference to UINT_MAX definition.
-Fix bug: when a TAL couldn't be loaded its references where trying to be released, but such references didn't existed.
I was uncomfortable with the previous solution for two reasons:
- It wasn't deferring certificate revocation validation to libcrypto.
I am not sure if our implementation of it was sufficient, but
regardless, this operation should not be performed by Fort itself.
- It induced redundant CRL loading, which was a little unnecessarily
slow.
The root of the problem was that Fort was (originally) trying to
validate manifests' certificates using their grandparents' CRL (rather
than the parents'), which was incorrect and now fixed.
Fix some BGPsec issues and complete output printing.
-The SLURM BGPsec arrays were loading only 1 element, and the AS wasn't set when filtering router keys (programmer errors ¬¬).
-Validate SLURM routerPublicKey as a SubjectPublicKeyInfo struct, including the expected algorithms for BGPsec certificates.
-Print router key info as base64url encoded strings, and update headers.
Rename *bgpsec to *router_key, change SK data types, fix ERROR_PDU bug
-Use 'router_key' naming instead of bgpsec once the certificates had been validated and are stored at base or deltas.
-Use char arrays instead of pointers at SK (subject key) info, the DB hash table was detecting every validation run as an update for BGPsec certificates (pointers to sk_info's were always distinct).
-Remove structure 'sk_info' and its related functions, now its data is set at 'router_key' struct.
-Allow to receive larger error pdu messages. The maximum allowed length for PDUs received is 512 bytes, but the error messages couldn't be larger than 40 bytes (aprox).
-Add Router Key PDU constant length.
-Avoid needless comparisons at SLURM filters.
-Add functions to apply SLURM BGPsec filters and assertions.
-Remove length variables of SKI and SPKI on SLURM BGPsec structs.
-Send Router Key PDUs of base data (only PDUs from deltas were sent).
-Update outdated unit tests (bad calls, missing calls, impersonate functions).
-Complete filtering functions for BGPsec data.
Store BGPsec certs info, print at configured output
-Use struct 'router_key' to represent BGPsec certificates.
-Use reference count of Subject Key data (ID and public key) with 'sk_info' struct.
-Add router certificates info to local DB, as part of the refactor 'roa_table' was renamed to 'db_table'.
-Add configuration parameter 'output.bgpsec', the information is printed in hexadecimal representation (there's a TODO here: maybe encode and print as base64).
-Consider BGPsec keys in deltas.
-Use a constant for SKI length, since always is the same (20 bytes/octets).
Fix 11: validate certificates against its corresponding CRL.
The OpenSSL function 'X509_STORE_CTX_set0_crls' wasn't taking into consideration the CRL stack; the simple way to check revocation was doing it manually.
Pay special attention to manifests, the CRL stack that's received when its EE is validated, is grandparent's CRL; so, in this case, validate manifests on its own CRLDP.
-Prepare structs and functions to send RTRv1 router key PDUs.
-Basic preparation to store router keys, still needs more work.
-Validate BGPsec certificates based on RFCs 8209 and 8608.
-Configure RTRv1 intervals (refresh, retry, expire), more validations and logic are pending.
-Update sorted array to allow iterations on its elements.
libcmscodec's generated code is now git tracked by this repository. This
prevents lots of autotools and Debian package headaches, as well as
allowing us to prune large chunks of steps from the installation
recipes.
One of the reasons why we had the previous arrangement was because we
used to consider asn1c's output generated code, which meant we weren't
supposed to track it. However, the fact of the matter is that we'll
eventually need to tweak it manually, because we need to implement DER
parsing and better error message reporting, as well as improve the
quality of asn1c's code.
projects / thirdparty / FORT-validator.git / log
