1
0
mirror of https://github.com/openbsd/src.git synced 2024-12-22 16:42:56 -08:00
Commit Graph

234 Commits

Author SHA1 Message Date
job
bf5a499ba8 If AS0 TALs are provided, by default omit VRPs derived from such AS0 TALs
AS0 TALs represent unmitigated operational risks: what if the RIR by
accident marks some IP space as 'unassigned'?

APNIC notes in their limitation of liability statement:

    """
    Depending on router configuration, errors in the AS0 ROA could
    cause unintended interruption to routing with other networks.
    For this reason, it is strongly recommended that the AS0 ROA is
    used for advisory and/ or alerting purposes only, and not for
    automatic filtering of BGP routes.
    """
    https://www.apnic.net/community/security/resource-certification/apnic-limitations-of-liability-for-rpki-2/

Guard usage of AS0 TALs behind new '-0' option

OK deraadt@ tb@
2024-12-02 14:55:02 +00:00
claudio
929d2bb2d4 Adapt the rpki-client message reader to the new msgbuf_new_reader callback.
This is mostly stolen from the imsg handler and should probably be cleaned up
further.

OK tb@
2024-11-26 13:59:09 +00:00
claudio
b5fa5d51bd Rewrite the rpki-client io read handling using the new ibuf_read API.
OK tb@
2024-11-21 13:32:27 +00:00
tb
30a085025d Second sweep of foosz -> num_foos and friends
Binary change in main.o and tal.o due to an assertion change and in spl.o
due to line number changes

looks good to claudio, ok clang + sha256
2024-11-13 12:51:03 +00:00
tb
381ee59950 Rename ips/as and ipsz/asz to ips/ases, num_ips/num_ases
Having a single letter to distinguish a length from a pointer is error
prone. This results in binary change only in validate.c and cert.c due
to a line wrap resulting in line number changes and in cert.c there's in
addition two asserts that change.

checked with/ok job
2024-11-12 09:23:07 +00:00
job
318f05722c Improve detection of gaps in Manifestissuance
It is helpful for network operators, publication point operators, and CA
operators to have more insight into whether the RP noticed an issuance
gap between two versions of a given manifest.

* high number of gaps all the time might be an indication the RP is not
  refreshing often enough
* the CA is trying to issue manifests more than once a second
* the RFC 8181 publication server's ingress API endpoint has issues
* the RFC 8181 publication client has trouble reaching the server
* the CA's private keys (RPKI + BPKI) are used on a second (cloned) system
* the CA's issuance database is broken

Correlation opportunity: detection of a gap means some of the CA's
intermediate states were occluded from the RP; the RP operator might
want to correlate this to traffic shifts in BGP or publication point
reachability issues.

Going forward, emit a warning per manifest, adds metrics to the
openmetrics output, and displays a summary at the end of the run about
issuance gaps.

OK tb@
2024-11-02 12:30:28 +00:00
tb
904d9c60a4 Reintroduce check that CRL Number is in range
The CRL number draft clarified what ignoring means and it includes checking
that the CRL number is well-formed again. So do this but continue to ignore
the value for any other purpose. This refactors x509_convert_seqnum() into
a couple of helpers. There's some duplication between crl_check_crl_number()
and crl_parse_crl_number() which could be removed if anyone cares.

tweaks/ok job
2024-09-12 10:33:25 +00:00
job
d0a27ef8be Periodically reinitialize RRDP sessions to snapshot at random intervals
It is technically possible for a series of RRDP deltas and a snapshot
to diverge. An RRDP server could distribute files via Deltas and then
forget about those files, causing copies to remain stuck in the caches
of RRDP clients. Resetting RRDP sessions once every few weeks helps with
garbage collection.

In week 0 the probability of triggering re-initialization is ~0.025% and
doubles every week, in week 11 its 50% and always after week 12. Thus,
RPs will reinitialize at least once every 3 months.

OK tb@ claudio@
2024-08-29 09:53:04 +00:00
job
2b6cb12d02 Increase maximum Signed Object size to 8MB
OK tb@ claudio@
2024-08-21 19:35:31 +00:00
claudio
9236071340 Improve duplicate detection and repo_move_valid
Only trigger a duplicate error if a valid filepath is revisted. It is
possible that a bad CA references somebody else's files and if that
happens first it would block the valid access.

To make this work, pass the ok flag to filepath_add() and only set the
talmask bit if the file was ok. Since we need to do the duplicate check
before processing the entity introduce filepath_valid() which checks
if the path is in the tree and has its talmask bit set.

In repo_move_valid() handle conflicts more gracefully. When both a valid
and temporary file are present assume that one of the files was never ok
(talmask == 0) and silently remove that file from the filepath tree.

OK tb@
2024-07-12 09:27:32 +00:00
tb
3e8d4b7d11 Helper to convert purpose into a printable string
ok job
2024-06-08 13:30:35 +00:00
tb
6468d23573 Extend the cert_purpose enum
This adds a TA and an EE purpose to be used in upcoming commits.

ok job
2024-06-08 13:29:54 +00:00
tb
e891962d45 Add a x509_cache_extensions() helper
This is a simple wrapper around X509_check_policy(cert, -1, 0) that
doesn't need an explanatory comment in the caller.

The reason for having to do this is that various OpenSSL API calls rely
on having extension information cached. As an unsurprising consequence of
OpenSSL's characteristic API misdesign these calls can't report errors,
so they call the extension caching without error checking and the result
is that they may report nonsense.

To work around this, cache the extensions up front so a second call can't
fail and thus API calls such as X509_check_ca(), X509_get_key_usage() and
X509_cmp() work reliably.

ok job
2024-06-08 13:28:35 +00:00
tb
2b872fe6fa rpki-client: remove proto argument from x509_location()
After recent changes, the rpkiNotify access description became the last
user of it, so this is now a pointless complication.

ok claudio
2024-06-04 04:17:18 +00:00
tb
0466b83f31 rpki-client: check issuer for certs and CRLs
Per RFC 6487, the subject and issuer fields of a certificate and the issuer
field of a CRL are subject to the same restrictions: only a commonName and
an optional serialNumber may be present and the commonName must be an ASN.1
printable string.

So far we've only checked the subject of certificates, which covers almost
everything by relying on the verifier to check that the issuer's subject is
identical to the subject's issuer, also for CRLs per X509_V_FLAG_CRL_CHECK.
The only thing missing this way is the TA's issuer.

Since the check is cheap and simple, we're better off doing it ourselves:
Refactor the x509_vaild_subject() helper to take an X509_NAME (which is of
course the appropriate name for a type representing an X.501 distinguished
name). This checks the details of RFC 6487, section 4.4, except that we
still can't check for a printable string since afrinic has ~3000 EE certs
that don't follow the spec, which would knock out ~45% of their ROAs. We're
told that this is going to be fixed this year.

looks good to claudio
ok job
2024-05-31 02:45:15 +00:00
tb
09383acc57 rpki-client: rework CRL handling
There is no benefit in parsing the CRLNumber in the RPKI. It is redundant
with other mechanisms, notably the requirements on manifests. rpki-client
never did anything with the CRL number anyway so stop parsing it in the
main process.

Move CRL AKI and CRL number handling from x509.c to crl.c, slightly improve
error checking for X509_CRL_get_ext_d2i() and only check well-formedness of
the CRL number: check it's there and non-critical. Avoid double warnings.

Add some checks for the well-formedness of the list of revoked certs.
Due to bugs in rpki-rs and Krill we can't reject empty lists (because
~15% of CRL's have this). And some people still use CRLs revoking certs
at the time they expire. This latter point might change mid-2025.

Add a hook for printing CRL numbers in file mode and warn about ill-formed
numbers (negative and overlong ones).

ok claudio job
2024-05-29 13:26:24 +00:00
claudio
0bc420b98d Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can lookup the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer lookup by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.

The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.

In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.

Done together with tb@
OK tb@ job@
2024-05-20 15:51:43 +00:00
claudio
81a06611ad P-256 support is experimental so require -x to enable it.
Also clean up the externs a little bit by moving experimental and noop
to extern.h.
Reminded by and OK tb@
2024-04-21 19:27:44 +00:00
job
c207abadaf Use the manifest location as additional differentiator when comparing CRLs
OK tb@
2024-04-15 13:57:45 +00:00
tb
7e284d508f Fix capping of VAPs
The previous approach introduced a cap, but it might not always be hit as
intended (I missed this on review). Fix this to check the cap after merging
an ASPA into an already existing VAP. Also free the list of providers since
nothing should be looking at it anymore.

Count VAPs that hit the limit with a new overflowed counter. There are
still a few aspects of the accounting that probably aren't entirely right.
This will be fixed at another point. It's just statistics after all.

with/ok claudio, ok job
2024-04-08 14:02:13 +00:00
job
cd55b6bd00 Don't emit Validated ASPAs for Customer ASIDs with more than MAX_ASPA_PROVIDERS
The number of providers in a single ASPA object already was limited to
MAX_ASPA_PROVIDERS, now also impose a limit on the total number of providers
across multiple ASPA objects. If the MAX_ASPA_PROVIDERS limit is hit, omit
the Customer ASID's entry from OpenBGPD and JSON output.

OK tb@
2024-04-05 16:05:15 +00:00
job
0610060da8 Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@
2024-03-22 03:38:12 +00:00
tb
335482ab79 Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is
a mechanical diff. The only remaining uses of 'parent' in this code
base now mean 'parent process'.

discussed with beck and job
ok job
2024-03-19 05:04:13 +00:00
tb
d108608d83 Remove unused enum rsc_resourceblock_tag
This was used in rsc.c prior to the switch to ASN.1 templates.

ok job
2024-03-17 01:44:59 +00:00
job
a5f50487b5 Track the number of new files moving from 'staging' to 'validated cache'
The OpenMetrics output shows per-repository counters for new files
added, the main process and JSON output emit the sum of all new files.

OK claudio@
2024-02-26 15:40:33 +00:00
tb
c59859a5f2 Fix copy-paste error in comment 2024-02-22 21:00:26 +00:00
job
d4be4cde0c Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@
2024-02-22 12:49:42 +00:00
tb
d3c630ad8f Group logx() getmonotime() and get_current_time() together
Fix their indent in extern.h, move the X509_TIME_* macros to main.c since
they aren't (and can't really be) used elsewhere, document the meaning of
the magic numbers. Also move get_current_time() out of the middle of entity
handlers.

ok claudio job
2024-02-21 12:48:25 +00:00
tb
7ba95c00fa Fix secondary indent of various ip_* and as_* prototypes 2024-02-21 12:38:10 +00:00
tb
b79da5170a Remove prototypes for tak_read() and ip_addr_cmp()
These functions never existed.

ok claudio job
2024-02-21 12:35:36 +00:00
tb
23c6f3a227 Factor SKI calculation into a helper
This is a straightforward deduplication and simplification made more
obvious by prior refactoring by job.

"sure" claudio
2024-02-16 05:18:29 +00:00
job
c6be5ad7f4 Refactor handling of stale manifests
No need to hoist a staleness indicator through the whole process and
count it explicitly.

OK tb@
2024-02-03 14:30:47 +00:00
tb
78de357736 Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt
database doesn't specify a long or a short name. So try the long name
first, fall back to the short name, and if both fail, use "unknown".
Always include the nid as a decimal.

ok claudio
2024-02-01 15:11:38 +00:00
tb
1039ba604a Introduce and use mft_compare_issued()
Newly issued manifests should not only have a higher manifestNumber,
their issuance time should also be later. Add corresponding checks
and warnings when comparing a newly fetched manifest to a manifest
from the cache.

ok job (who noticed that such a check was missing)
2024-01-31 06:57:21 +00:00
tb
e73085f88b Rename mft_compare() to mft_compare_seqnum()
This makes it clearer what exactly this function compares. Also drop some
NULL checks that made the semantics of this function tricky.

ok job
2024-01-31 06:54:43 +00:00
job
c527cc7aac The CRL's purported signing time actually is called thisUpdate, not lastUpdate
OK tb@ claudio@
2024-01-18 14:34:26 +00:00
tb
3db25975d7 rpki-client: zap a stray space 2024-01-07 09:48:29 +00:00
tb
4032f119c8 Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to
use a call to as_warn() and ip_warn(). Fix a bug in the latter where the
upper bound of an IP range didn't take the RFC 3779 encoding into account
and passed the address directly to inet_pton() rather than filling the
missing bits with 1. Switch the argument order to match the warnings and
tweak some warning messages.

ok claudio job
2023-12-27 07:15:55 +00:00
job
c5b5cf9aac Warn when the same manifestNumber is recycled across multiple issuances of that manifest
OK tb@
2023-12-11 19:05:20 +00:00
job
aed5e91bb4 Require files to be of a minimum size in the RRDP & RSYNC transports
Picked 100 bytes as a minimum, to accommodate future signature schemes
(such as the smaller P-256) and small files like empty CRLs.

With and OK claudio@ tb@
2023-11-24 14:05:47 +00:00
tb
7793203b0d Add a helper to extrct the CRL Number from a crl
ok claudio
2023-11-16 11:10:59 +00:00
job
891d6bce9c Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@
2023-10-13 12:06:49 +00:00
tb
18c42b3002 rpki-client: Refactor sbgp_assysnum() and sbgp_addrblk()
An upcoming diff requires the ability to convert ASIdentifiers and
IpAddrBlocks into rpki-client's internal structures.  Accordingly,
split already existing code into dedicated parsing functions . The
original functions now only extract the extension-specific data from
the X509_EXTENSION.

input/ok claudio
2023-09-25 14:56:20 +00:00
tb
0636c4d090 Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.

ok claudio job
2023-09-25 11:08:45 +00:00
job
782a58ffc8 Introduce ip_addr_range_print() to avoid code repetition
OK tb@
2023-09-25 08:48:14 +00:00
job
7cc1142d2a Ensure the X.509 Subject only contains commonName and optionally serialNumber
OK tb@
2023-09-12 09:33:30 +00:00
tb
74a82ef428 rpki-client: fix vap_pas stats
A small mistake in a diff broke the counters. Make them AFI agnostic and
adjust ometric output.

guidance & ok claudio
2023-06-29 14:33:35 +00:00
tb
c05289013d Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job
2023-06-29 10:28:25 +00:00
job
4b5fc138be Decode and validate ASPA objects following the v1 syntax
Through draft-ietf-sidrops-aspa-profile-15, the ASPA profile was
made AFI-agnostic. This represents a simplification for both operators
and implementers in both the RPKI and BGP layers of the stack.

This update changes the JSON structure.

No effort was made to simultaneously support ASPA v0 and v1 objects.

OK tb@ claudio@
2023-06-26 18:39:53 +00:00
claudio
b268327a38 Improve detection of RRDP session desynchronization
According to RFC 8182, a given session_id and serial number represent an
immutable record of the state of the Repository Server at a certain
point in time.

Add a check to the RRDP notification file processing to compare whether
the delta hashes associated to previously seen serials are different in
newly fetched notification files. Fall back to a snapshot if a difference
is detected, because such a mutation is a strong desynchronization
indicator.

Idea from Ties de Kock (RIPE NCC).
Based on a diff by job@
With and OK job@ tb@
2023-06-23 11:36:24 +00:00