Merge branch 'main' into issue76

Makefile.am

@@ -18,6 +18,7 @@ EXTRA_DIST += LICENSE
 EXTRA_DIST += src/asn1/asn1c/LICENSE
 EXTRA_DIST += examples/tal/afrinic.tal
 EXTRA_DIST += examples/tal/apnic.tal
+EXTRA_DIST += examples/tal/arin.tal
 EXTRA_DIST += examples/tal/lacnic.tal
 EXTRA_DIST += examples/tal/ripe-ncc.tal
 EXTRA_DIST += examples/config.json

README.md

@@ -2,12 +2,6 @@
 
 An RPKI Validator and RTR Server, part of the [FORT project](https://www.fortproject.net).
 
-## Status
-
-Due to a temporary resource shortage, the project's development has slowed down to essential maintenance. No new features are expected to be developed during the first half of 2023, but bugfixing and support will remain active.
-
-Development will resume in full during the second half of 2023.
-
 ## Documentation
 
 FORT Validator's documentation (installation, usage, etc.) can be found at [https://nicmx.github.io/FORT-validator/](https://nicmx.github.io/FORT-validator/).

examples/config.json

@@ -114,5 +114,5 @@
       "max": 5
     }
   },
-  "asn1-decode-max-stack": 4096,
+  "asn1-decode-max-stack": 4096
 }

src/Makefile.am

@@ -6,6 +6,7 @@ bin_PROGRAMS = fort
 
 fort_SOURCES  = main.c
 
+fort_SOURCES += as_number.h
 fort_SOURCES += algorithm.h algorithm.c
 fort_SOURCES += alloc.h alloc.c
 fort_SOURCES += certificate_refs.h certificate_refs.c
@@ -66,7 +67,6 @@ fort_SOURCES += crypto/hash.h crypto/hash.c
 fort_SOURCES += data_structure/array_list.h
 fort_SOURCES += data_structure/common.h
 fort_SOURCES += data_structure/uthash.h
-fort_SOURCES += data_structure/uthash_nonfatal.h
 
 fort_SOURCES += http/http.h http/http.c
 

src/as_number.h

@@ -0,0 +1,11 @@
+#ifndef SRC_AS_NUMBER_H_
+#define SRC_AS_NUMBER_H_
+
+#include <stdint.h>
+
+struct asn_range {
+	uint32_t min;
+	uint32_t max;
+};
+
+#endif /* SRC_AS_NUMBER_H_ */

src/asn1/signed_data.c

@@ -27,10 +27,7 @@ signed_object_args_init(struct signed_object_args *args,
     STACK_OF(X509_CRL) *crls,
     bool force_inherit)
 {
-	args->res = resources_create(force_inherit);
-	if (args->res == NULL)
-		enomem_panic();
-
+	args->res = resources_create(RPKI_POLICY_RFC6484, force_inherit);
 	args->uri = uri;
 	args->crls = crls;
 	memset(&args->refs, 0, sizeof(args->refs));
@@ -95,7 +92,7 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 	error = certificate_validate_chain(cert, args->crls);
 	if (error)
 		goto end2;
-	error = certificate_validate_rfc6487(cert, EE);
+	error = certificate_validate_rfc6487(cert, CERTYPE_EE);
 	if (error)
 		goto end2;
 	error = certificate_validate_extensions_ee(cert, sid, &args->refs,
@@ -110,7 +107,7 @@ handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
 		goto end2;
 
 	resources_set_policy(args->res, policy);
-	error = certificate_get_resources(cert, args->res, EE);
+	error = certificate_get_resources(cert, args->res, CERTYPE_EE);
 	if (error)
 		goto end2;
 

src/cert_stack.c

@@ -248,11 +248,8 @@ init_resources(X509 *x509, enum rpki_policy policy, enum cert_type type,
 	struct resources *result;
 	int error;
 
-	result = resources_create(false);
-	if (result == NULL)
-		enomem_panic();
+	result = resources_create(policy, false);
 
-	resources_set_policy(result, policy);
 	error = certificate_get_resources(x509, result, type);
 	if (error)
 		goto fail;
@@ -264,7 +261,7 @@ init_resources(X509 *x509, enum rpki_policy policy, enum cert_type type,
 	 * The "It MUST NOT use the "inherit" form of the INR extension(s)"
 	 * part is already handled in certificate_get_resources().
 	 */
-	if (type == TA && resources_empty(result)) {
+	if (type == CERTYPE_TA && resources_empty(result)) {
 		error = pr_val_err("Trust Anchor certificate does not define any number resources.");
 		goto fail;
 	}

src/certificate_refs.c

@@ -58,7 +58,7 @@ validate_signedObject(struct certificate_refs *refs,
 
 /**
  * Ensures the @refs URIs match the parent Manifest's URIs. Assumes @refs came
- * from a CA certificate.
+ * from a (non-TA) CA certificate.
  *
  * @refs: References you want validated.
  * @pp: Repository Publication Point, as described by the parent Manifest.
@@ -68,9 +68,6 @@ refs_validate_ca(struct certificate_refs *refs, struct rpp const *pp)
 {
 	int error;
 
-	if (pp == NULL)
-		return 0; /* This CA is the TA, and therefore lacks a parent. */
-
 	error = validate_cdp(refs, pp);
 	if (error)
 		return error;

src/internal_pool.c

@@ -12,7 +12,7 @@
 
 #define INTERNAL_POOL_MAX 10
 
-struct thread_pool *pool;
+static struct thread_pool *pool;
 
 int
 internal_pool_init(void)

src/log.c

@@ -66,7 +66,7 @@ static pthread_mutex_t logck;
  * aware that pthread_mutex_lock() can return error codes, which shouldn't
  * prevent critical stack traces from printing.)
  */
-void
+static void
 print_stack_trace(char const *title)
 {
 #ifdef BACKTRACE_ENABLED
@@ -409,7 +409,7 @@ __vfprintf(int level, struct log_config *cfg, char const *format, va_list args)
 	if (cfg->color)
 		fprintf(lvl->stream, "%s", lvl->color);
 
-	now = time(0);
+	now = time(NULL);
 	if (now != ((time_t) -1)) {
 		localtime_r(&now, &stm_buff);
 		strftime(time_buff, sizeof(time_buff), "%b %e %T", &stm_buff);

src/object/bgpsec.c

@@ -1,53 +1,83 @@
-#include "bgpsec.h"
+#include "object/bgpsec.h"
 
 #include "alloc.h"
 #include "log.h"
 #include "validation_handler.h"
+#include "object/certificate.h"
 
 struct resource_params {
-	unsigned char const	*ski;
-	unsigned char const	*spk;
-	struct resources	*resources;
+	unsigned char const *ski;
+	unsigned char const *spk;
+	struct resources *parent_resources;
 };
 
 static int
-asn_cb(unsigned long asn, void *arg)
+asn_cb(struct asn_range const *range, void *arg)
 {
 	struct resource_params *params = arg;
 
-	if (!resources_contains_asn(params->resources, asn))
-		return pr_val_err("BGPsec certificate is not allowed for ASN %lu.",
-		    asn);
+	if (!resources_contains_asns(params->parent_resources, range))
+		return pr_val_err("BGPsec certificate is not allowed to contain ASN range %u-%u.",
+		    range->min, range->max);
 
-	return vhandler_handle_router_key(params->ski, asn, params->spk);
+	return vhandler_handle_router_key(params->ski, range, params->spk);
 }
 
 int
-handle_bgpsec(X509 *cert, unsigned char const *ski, struct resources *resources)
+handle_bgpsec(X509 *cert, struct resources *parent_resources, struct rpp *pp)
 {
-	struct resource_params res_params;
+	unsigned char *ski;
+	enum rpki_policy policy;
+	struct resources *resources;
 	X509_PUBKEY *pub_key;
 	unsigned char *cert_spk, *tmp;
 	int cert_spk_len;
-	int ok;
+	struct resource_params res_params;
+	int error;
+
+	error = certificate_validate_rfc6487(cert, CERTYPE_BGPSEC);
+	if (error)
+		return error;
+	error = certificate_validate_extensions_bgpsec(cert, &ski, &policy, pp);
+	if (error)
+		return error;
+
+	resources = resources_create(policy, false);
+	if (resources == NULL)
+		goto revert_ski;
+	error = certificate_get_resources(cert, resources, CERTYPE_BGPSEC);
+	if (error)
+		goto revert_resources;
 
 	pub_key = X509_get_X509_PUBKEY(cert);
-	if (pub_key == NULL)
-		return val_crypto_err("X509_get_X509_PUBKEY() returned NULL at BGPsec");
+	if (pub_key == NULL) {
+		error = val_crypto_err("X509_get_X509_PUBKEY() returned NULL at BGPsec");
+		goto revert_resources;
+	}
 
 	cert_spk = pmalloc(RK_SPKI_LEN);
 
 	/* Use a temporal pointer, since i2d_X509_PUBKEY moves it */
 	tmp = cert_spk;
 	cert_spk_len = i2d_X509_PUBKEY(pub_key, &tmp);
-	if(cert_spk_len < 0)
-		return val_crypto_err("i2d_X509_PUBKEY() returned error");
+	if (cert_spk_len != RK_SPKI_LEN) {
+		error = val_crypto_err("i2d_X509_PUBKEY() returned %d",
+		    cert_spk_len);
+		goto revert_spk;
+	}
 
 	res_params.spk = cert_spk;
 	res_params.ski = ski;
-	res_params.resources = resources;
+	res_params.parent_resources = resources;
+
+	error = resources_foreach_asn(resources, asn_cb, &res_params);
+	/* Fall through */
 
-	ok = resources_foreach_asn(resources, asn_cb, &res_params);
+revert_spk:
 	free(cert_spk);
-	return ok;
+revert_resources:
+	resources_destroy(resources);
+revert_ski:
+	free(ski);
+	return error;
 }

src/object/bgpsec.h

@@ -3,7 +3,8 @@
 
 #include <openssl/x509.h>
 #include "resource.h"
+#include "rpp.h"
 
-int handle_bgpsec(X509 *, unsigned char const *, struct resources *);
+int handle_bgpsec(X509 *, struct resources *, struct rpp *);
 
 #endif /* SRC_OBJECT_BGPSEC_H_ */