Default branch: MAIN
Revision 1.34, Thu Feb 22 12:49:42 2024 UTC (3 months, 1 week ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.33: +2 -2 lines
Add support for RPKI Signed Prefix Lists

Signed Prefix Lists are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@
Revision 1.33, Fri Oct 13 12:06:49 2023 UTC (7 months, 2 weeks ago) by job
Branch: MAIN
Changes since 1.32: +7 -7 lines
Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@
Revision 1.32, Thu Jun 29 10:28:25 2023 UTC (11 months ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.31: +2 -2 lines
Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.

suggested by claudio
ok job
Revision 1.31, Mon Jun 12 14:56:38 2023 UTC (11 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.30: +3 -3 lines
Add content-encoding compression support (just gzip and deflate). This will allow servers to send compressed XML which saves around 50%. The uncompressed output is limited to MAX_CONTENTLEN bytes so the impact of decompression bombs is limited. With and OK job@ tb@
Revision 1.30, Thu Apr 27 07:57:25 2023 UTC (13 months ago) by claudio
Branch: MAIN
Changes since 1.29: +2 -2 lines
Reimplement output-json.c using json.c from bgpctl. Much rejoice from tb@ and job@ OK tb@
Revision 1.29, Thu Dec 15 12:02:29 2022 UTC (17 months, 2 weeks ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.28: +6 -5 lines
Rework statistic collection to be per repository and add metric output option

Many statistic values are now accounted by repository via repo_stat_inc(). At end of the run sum_stats() accumulates these stats per TAL and globally. The new output file metrics is written when the -m output flag is specified. The metrics file is written in OpenMetrics format (with a few tweaks to allow node_exporter to parse the file as well). The ometric code is a copy from bgpctl(8) and should be kept in sync.

OK tb@
Revision 1.28, Sat Nov 26 12:02:36 2022 UTC (18 months ago) by job
Branch: MAIN
Changes since 1.27: +6 -6 lines
Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.

with and OK tb@
Revision 1.27, Wed Nov 2 12:43:02 2022 UTC (18 months, 4 weeks ago) by job
Branch: MAIN
Changes since 1.26: +2 -2 lines
Add support for draft-ietf-sidrops-signed-tal-12

Add support for validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand.

OK tb@
Revision 1.26, Tue Aug 30 18:56:49 2022 UTC (21 months ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.25: +3 -3 lines
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).

With feedback from tb@
OK claudio@ tb@
Revision 1.25, Mon May 9 17:02:34 2022 UTC (2 years ago) by job
Branch: MAIN
Changes since 1.24: +2 -2 lines
Add preliminary support for decoding RSC objects in filemode

This implements decoding support for draft-ietf-sidrops-rpki-rsc-06

There are three major outstanding issues:

* The wire image might still change to conform to the more widely deployed 3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX

OK tb@
Revision 1.24, Thu Apr 21 09:53:07 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.23: +3 -3 lines
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now. The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows removing the errx() after them.

OK tb@
Revision 1.23, Wed Nov 24 15:24:16 2021 UTC (2 years, 6 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.22: +3 -3 lines
Move some functions from rrdp.c to rrdp_util.c and hex_decode to encoding.c. This will make it easier to write a RRDP regress test. OK job@ deraadt@
Revision 1.21.2.1, Tue Nov 9 13:41:19 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_6_9
Changes since 1.21: +4 -4 lines
rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40 2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/6.9/common/021_rpki.patch.sig
Revision 1.21.6.1, Tue Nov 9 13:40:32 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_7_0
Changes since 1.21: +4 -4 lines
rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40 2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/7.0/common/004_rpki.patch.sig
Revision 1.22, Mon Oct 25 14:08:34 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.21: +4 -4 lines
Hook up the print.c functions in rpki-client
Revision 1.21, Thu Apr 1 16:04:48 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_6_9_BASE
Branch point for: OPENBSD_7_0, OPENBSD_6_9
Changes since 1.20: +5 -4 lines
Initial commit of RRDP (The RPKI Repository Delta Protocol - RFC8182) support in rpki-client. For now it is off by default.

All XML processing is done in its own process with minimal pledge rights. It uses the already present https process to fetch the xml files and uses the master process to handle the file IO into the repositories. RRDP data is stored in the cache under ./rrdp/ and the first directory is the SHA256 hash of the notify URI. Fetching snapshots and deltas works to bring the cache up to date. If something goes wrong rpki-client will fall back to rsync.

RRDP was implemented by Nils Fisher and integrated into rpki-client by myself.

"Time to get it in" deraadt@
Revision 1.20, Thu Apr 1 06:43:23 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.19: +5 -4 lines
Move base64 and hex encoding functions into their own place. OK tb@
Revision 1.19, Thu Mar 4 13:01:41 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.18: +6 -6 lines
Implement a https client as a sub-process for rpki-client. This code will be used to fetch TA certs and later on for RRDP. Kind of unreached for now since the default TAL files don't include https URI. The http client is fully asynchronous and can handle multiple downloads at the same time. This code was based on the http client in ftp(1). OK tb@, job@
Revision 1.18, Thu Feb 4 08:10:24 2021 UTC (3 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.17: +2 -2 lines
Shuffle code around, move all the bits of proc_parser into parser.c. OK tb@
Revision 1.17, Tue Feb 2 18:33:11 2021 UTC (3 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.16: +3 -3 lines
Add a mkpath() helper function to rpki-client to recursively create directories. OK deraadt@
Revision 1.16, Fri Jan 8 08:09:07 2021 UTC (3 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.15: +3 -3 lines
Start using the ibuf API (ibuf_dynamic, ibuf_add, ibuf_close) for writing data between processes. This completely decouples the write side. rpki-client can't really use the imsg framework but it can use the ibuf bits which imsg is built on.

OK benno@ job@
Revision 1.15, Wed Dec 9 11:29:04 2020 UTC (3 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.14: +2 -2 lines
Validate ghostbuster records (RFC 6493) but for now do nothing with the provided vcard payload. This change verifies the certificate of the .gbr file and makes sure it is valid (like we do for e.g. .roa files). OK job@
Revision 1.14, Wed Dec 4 12:40:17 2019 UTC (4 years, 5 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.13: +2 -2 lines
split output management code into separate file. iterate over output methods using a table. detect output truncation (for instance filesystem full) and don't overwrite previous output
ok claudio
Revision 1.13, Thu Nov 28 21:12:00 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.12: +5 -4 lines
enable more warning flags and fix a few issues noticed. ok claudio@ deraadt@
Revision 1.12, Thu Nov 28 19:25:52 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.11: +2 -2 lines
add missing prototype
Revision 1.11, Thu Nov 28 17:39:54 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.10: +7 -1 lines
build with -Wall, more -W coming, ok claudio@
Revision 1.10, Sat Nov 2 13:38:33 2019 UTC (4 years, 7 months ago) by jsing
Branch: MAIN
Changes since 1.9: +3 -3 lines
Build rpki-client with LibreSSL.
Revision 1.9, Wed Oct 16 17:43:29 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.8: +3 -2 lines
Add an output format for bird and one doing CSV. Also update the manpage to include all the changes.
Revision 1.8, Tue Oct 8 10:04:36 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.7: +2 -2 lines
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical.

Agreed by job@ deraadt@
Revision 1.7, Mon Aug 12 18:03:17 2019 UTC (4 years, 9 months ago) by jsing
Branch: MAIN
Changes since 1.6: +2 -2 lines
Stop pulling libssl into rpki-client. None of this code actually does TLS, hence libssl is not needed. Instead, pull in the correct headers and call the appropriate libcrypto initialisation functions (even this is only necessary to support OpenSSL prior to 1.1). While here also remove libssl/libcrypto initialisation/uninitialisation from main() - it should only be necessary in proc_parser(). ok deraadt@ job@
Revision 1.6, Tue Jun 18 06:15:54 2019 UTC (4 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.5: +2 -2 lines
There is no need to -I${.OBJDIR}
Revision 1.5, Mon Jun 17 16:40:06 2019 UTC (4 years, 11 months ago) by job
Branch: MAIN
Changes since 1.4: +2 -2 lines
Fix Makefile
Revision 1.4, Mon Jun 17 15:36:56 2019 UTC (4 years, 11 months ago) by jsg
Branch: MAIN
Changes since 1.3: +2 -2 lines
rpk-client.8 -> rpki-client.8
Revision 1.3, Mon Jun 17 15:11:12 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +2 -2 lines
whitespace
Revision 1.2, Mon Jun 17 15:05:42 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +8 -70 lines
Use bsd.prog.mk style for building
Revision 1.1.1.1 (vendor branch), Mon Jun 17 14:31:30 2019 UTC (4 years, 11 months ago) by job
Branch: job
CVS Tags: job_20190617
Changes since 1.1: +0 -0 lines
Import Kristaps Dzonsons' RPKI validator into the tree

rpki-client(1) is an implementation of the Resource Public Key Infrastructure (RPKI), specified by RFC 6480. The client is responsible for downloading, validating and converting Route Origin Authorisations (ROAs) into Validated ROA Payloads (VRPs). The client's output (VRPs) can be used by bgpd(8) to perform BGP Origin Validation (RFC 6811).

The current rpki-client(1) version depends on the CMS functions in OpenSSL, this of course needs to be addressed urgently.

Thanks to NetNod, IIS.SE, SUNET & 6connect for supporting this effort!

OK deraadt@
Revision 1.1, Mon Jun 17 14:31:30 2019 UTC (4 years, 11 months ago) by job
Branch: MAIN
Initial revision