Showing
38 changed files
with
451 additions
and
254 deletions.
@@ -114,5 +114,5 @@ | |
"max": 5 | ||
} | ||
}, | ||
"asn1-decode-max-stack": 4096, | ||
"asn1-decode-max-stack": 4096 | ||
} |
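--- /dev/null
+++ b/src/as_number.h
@@ -0,0 +1,11 @@
+#ifndef SRC_AS_NUMBER_H_
+#define SRC_AS_NUMBER_H_
+
+#include <stdint.h>
+
+struct asn_range {
+uint32_t min;
+uint32_t max;
+};
+
+#endif /* SRC_AS_NUMBER_H_ */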
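Review bot: `struct asn_range` is a new public type and carries no comment on its contract: whether `max` is inclusive, and whether `min <= max` is an invariant the producer guarantees or something consumers must re-check. The `%u-%u` log line in object/bgpsec.c in this same commit reads as an inclusive range, but that is an inference, so the header should state it explicitly. I would put above the struct: `/* Range of 32-bit AS numbers, min..max inclusive (confirm). Nothing in this header enforces min <= max; whoever builds the range is responsible for that. */`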
@@ -1,53 +1,83 @@ | ||
#include "bgpsec.h" | ||
#include "object/bgpsec.h" | ||
|
||
#include "alloc.h" | ||
#include "log.h" | ||
#include "validation_handler.h" | ||
#include "object/certificate.h" | ||
|
||
struct resource_params { | ||
unsigned char const *ski; | ||
unsigned char const *spk; | ||
struct resources *resources; | ||
unsigned char const *ski; | ||
unsigned char const *spk; | ||
struct resources *parent_resources; | ||
}; | ||
|
||
static int | ||
asn_cb(unsigned long asn, void *arg) | ||
asn_cb(struct asn_range const *range, void *arg) | ||
{ | ||
struct resource_params *params = arg; | ||
|
||
if (!resources_contains_asn(params->resources, asn)) | ||
return pr_val_err("BGPsec certificate is not allowed for ASN %lu.", | ||
asn); | ||
if (!resources_contains_asns(params->parent_resources, range)) | ||
return pr_val_err("BGPsec certificate is not allowed to contain ASN range %u-%u.", | ||
range->min, range->max); | ||
|
||
return vhandler_handle_router_key(params->ski, asn, params->spk); | ||
return vhandler_handle_router_key(params->ski, range, params->spk); | ||
} | ||
|
||
int | ||
handle_bgpsec(X509 *cert, unsigned char const *ski, struct resources *resources) | ||
handle_bgpsec(X509 *cert, struct resources *parent_resources, struct rpp *pp) | ||
{ | ||
struct resource_params res_params; | ||
unsigned char *ski; | ||
enum rpki_policy policy; | ||
struct resources *resources; | ||
X509_PUBKEY *pub_key; | ||
unsigned char *cert_spk, *tmp; | ||
int cert_spk_len; | ||
int ok; | ||
struct resource_params res_params; | ||
int error; | ||
|
||
error = certificate_validate_rfc6487(cert, CERTYPE_BGPSEC); | ||
if (error) | ||
return error; | ||
error = certificate_validate_extensions_bgpsec(cert, &ski, &policy, pp); | ||
if (error) | ||
return error; | ||
|
||
resources = resources_create(policy, false); | ||
if (resources == NULL) | ||
goto revert_ski; | ||
error = certificate_get_resources(cert, resources, CERTYPE_BGPSEC); | ||
if (error) | ||
goto revert_resources; | ||
|
||
pub_key = X509_get_X509_PUBKEY(cert); | ||
if (pub_key == NULL) | ||
return val_crypto_err("X509_get_X509_PUBKEY() returned NULL at BGPsec"); | ||
if (pub_key == NULL) { | ||
error = val_crypto_err("X509_get_X509_PUBKEY() returned NULL at BGPsec"); | ||
goto revert_resources; | ||
} | ||
|
||
cert_spk = pmalloc(RK_SPKI_LEN); | ||
|
||
/* Use a temporal pointer, since i2d_X509_PUBKEY moves it */ | ||
tmp = cert_spk; | ||
cert_spk_len = i2d_X509_PUBKEY(pub_key, &tmp); | ||
if(cert_spk_len < 0) | ||
return val_crypto_err("i2d_X509_PUBKEY() returned error"); | ||
if (cert_spk_len != RK_SPKI_LEN) { | ||
error = val_crypto_err("i2d_X509_PUBKEY() returned %d", | ||
cert_spk_len); | ||
goto revert_spk; | ||
} | ||
|
||
res_params.spk = cert_spk; | ||
res_params.ski = ski; | ||
res_params.resources = resources; | ||
res_params.parent_resources = resources; | ||
|
||
error = resources_foreach_asn(resources, asn_cb, &res_params); | ||
/* Fall through */ | ||
|
||
ok = resources_foreach_asn(resources, asn_cb, &res_params); | ||
revert_spk: | ||
free(cert_spk); | ||
return ok; | ||
revert_resources: | ||
resources_destroy(resources); | ||
revert_ski: | ||
free(ski); | ||
return error; | ||
} |
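Review bot: `res_params.parent_resources = resources;` near the end of handle_bgpsec hands asn_cb the certificate's own resource set, which is the same set `resources_foreach_asn(resources, ...)` walks, so `resources_contains_asns(params->parent_resources, range)` compares each range against itself and the "not allowed to contain ASN range" rejection can never fire; the new `parent_resources` parameter of handle_bgpsec is otherwise unused. Unless certificate_get_resources() already checks coverage against the issuer (not visible here), this is a lost containment check and the line should read `res_params.parent_resources = parent_resources;`. Separately, `i2d_X509_PUBKEY(pub_key, &tmp)` writes the full DER encoding into the RK_SPKI_LEN-byte pmalloc buffer before the `!= RK_SPKI_LEN` check runs, so a certificate whose SubjectPublicKeyInfo encodes longer than RK_SPKI_LEN overflows the heap buffer unless an earlier validation step already pins the key type; measuring with a NULL output pointer first, as below, makes the length check happen before any write. Finally, the `resources == NULL` branch jumps to revert_ski with `error` still 0 from the preceding successful call, so if resources_create() can fail the function reports success for a certificate it never validated; set a non-zero error before that goto.
```c
	/* Measure first: encoding straight into a fixed-size buffer would overflow it. */
	cert_spk_len = i2d_X509_PUBKEY(pub_key, NULL);
	if (cert_spk_len != RK_SPKI_LEN) {
		error = val_crypto_err("i2d_X509_PUBKEY() returned %d",
		    cert_spk_len);
		goto revert_resources;
	}
	cert_spk = pmalloc(RK_SPKI_LEN);
	tmp = cert_spk;
	cert_spk_len = i2d_X509_PUBKEY(pub_key, &tmp);
	/* … unchanged: res_params setup, resources_foreach_asn(), cleanup labels … */
```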