Up to [local] / src / usr.sbin / rpki-client
Default branch: MAIN
Revision 1.45, Fri May 24 12:57:20 2024 UTC (2 weeks, 1 day ago) by tb
Branch: MAIN
CVS Tags: HEAD
Changes since 1.44: +3 -2 lines
Update references to new and not quite so new RFCs
Four warnings now contain "RFC 9582" rather than "RFC 6482bis". Also update some references to I-Ds.
ok claudio
Revision 1.44, Sun Apr 21 19:27:44 2024 UTC (6 weeks, 5 days ago) by claudio
Branch: MAIN
Changes since 1.43: +2 -2 lines
P-256 support is experimental so require -x to enable it.
Also clean up the externs a little bit by moving experimental and noop to extern.h.
Reminded by and OK tb@
Revision 1.43, Sun Apr 21 09:03:22 2024 UTC (6 weeks, 6 days ago) by job
Branch: MAIN
Changes since 1.42: +6 -14 lines
Mandate presence of CMS signing-time and disallow binary-signing-time
RFC-to-be draft-ietf-sidrops-cms-signing-time updates RFC 6488 by mandating the presence of the CMS signing-time attribute and disallowing the use of the CMS binary-signing-time attribute in RPKI Signed Objects. The ecosystem has behaved this way for a number of years now. Flip from warning to erroring for non-compliant objects.
OK tb@
Revision 1.42, Thu Feb 1 15:11:38 2024 UTC (4 months ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.41: +3 -3 lines
Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt database doesn't specify a long or a short name. So try the long name first, fall back to the short name, and if both fail, use "unknown". Always include the nid as a decimal.
ok claudio
Revision 1.41, Sun Dec 10 14:18:23 2023 UTC (5 months, 4 weeks ago) by job
Branch: MAIN
Changes since 1.40: +2 -2 lines
Since errno isn't used here, use warnx() instead of warn()
OK tb@
Revision 1.40, Thu Oct 19 17:05:54 2023 UTC (7 months, 2 weeks ago) by job
Branch: MAIN
Changes since 1.39: +6 -2 lines
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paving the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@
Revision 1.39, Mon Aug 14 08:25:26 2023 UTC (9 months, 3 weeks ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.38: +19 -2 lines
Check SignedData and SignerInfo versions to be 3
This adds two missing checks required by RFC 6488, section 3.
ok job
Revision 1.38, Thu Jun 29 10:28:25 2023 UTC (11 months, 1 week ago) by tb
Branch: MAIN
Changes since 1.37: +17 -17 lines
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio
ok job
Revision 1.37, Tue Jun 20 02:46:18 2023 UTC (11 months, 2 weeks ago) by job
Branch: MAIN
Changes since 1.36: +2 -2 lines
Fix diagnostic values emitted in warnx
OK tb@
Revision 1.36, Sat Jun 17 04:46:11 2023 UTC (11 months, 3 weeks ago) by job
Branch: MAIN
Changes since 1.35: +4 -1 lines
Warn when CMS signing-time attribute is missing
OK tb@
Revision 1.35, Mon Jun 12 18:22:02 2023 UTC (11 months, 3 weeks ago) by job
Branch: MAIN
Changes since 1.34: +2 -4 lines
Downgrade CMS signing-time being after notAfter to a warning
Feedback from Ties, Ben
OK tb@
Revision 1.34, Tue May 30 11:09:08 2023 UTC (12 months, 1 week ago) by tb
Branch: MAIN
Changes since 1.33: +12 -3 lines
Use error check to ensure we have SignedData in CMS
CMS_get0_SignerInfos() only returns a non-NULL pointer if the CMS object contains SignedData. The subsequent assert can trigger if we parse an object that is not of this type. Nothing ensures this up to this point, so we have no way of knowing that the assertion is actually true. If we get a CMS object without SignedData, we should ignore it, not abort the rpki-client run.
With this check in place it is also clear that we actually check point 1a of the list of things to check in RFC 6488, section 3.
ok claudio job
Revision 1.33, Mon Mar 13 19:46:55 2023 UTC (14 months, 3 weeks ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.32: +10 -1 lines
Check that the CMS signing-time isn't after the X.509 notAfter
The CMS signing-time is the purported 'now' from the perspective of the issuer. It doesn't make sense for an issuer to sign objects that have a validity window that falls entirely in the past (from the perspective of the signer). Although CMS signing-time is not a trusted timestamp, it should never be after X.509 notAfter.
OK tb@
Revision 1.32, Sun Mar 12 11:45:52 2023 UTC (14 months, 4 weeks ago) by tb
Branch: MAIN
Changes since 1.31: +3 -1 lines
Invalidate the signtime output parameter in cms_parse_validate_internal() and in cms_get_signtime().
ok job
Revision 1.31, Thu Mar 9 18:53:24 2023 UTC (15 months ago) by tb
Branch: MAIN
Changes since 1.30: +2 -2 lines
Unwrap a few lines and zap a tab
Revision 1.30, Thu Mar 9 09:46:21 2023 UTC (15 months ago) by job
Branch: MAIN
Changes since 1.29: +40 -6 lines
Show CMS signing-time signed attribute in filemode
OK tb@
Revision 1.29, Mon Mar 6 16:04:52 2023 UTC (15 months ago) by job
Branch: MAIN
Changes since 1.28: +7 -3 lines
Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
Revision 1.28, Mon Mar 6 09:14:29 2023 UTC (15 months ago) by job
Branch: MAIN
Changes since 1.27: +2 -2 lines
Fix comment
Revision 1.27, Tue Feb 21 10:18:47 2023 UTC (15 months, 2 weeks ago) by tb
Branch: MAIN
Changes since 1.26: +9 -3 lines
rpki-client: ensure there is no trailing garbage in signed objects
The d2i functions are designed in such a way that the caller is responsible to check if the entire buffer was consumed. Add checks on deserializing a signed object to ensure the entire file has been consumed. Reject the file if it has trailing garbage.
found by & ok job, ok claudio
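
The caller-side check described in the revision 1.27 log message, as an added example that is not rpki-client's code. `toy_d2i()` is a hypothetical stand-in for a libcrypto d2i function (single-byte tags only, no minimal-length enforcement), and the byte strings are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: SEQUENCE { INTEGER 5 }, clean and with 2 extra bytes. */
static const unsigned char clean[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char padded[] = { 0x30, 0x03, 0x02, 0x01, 0x05, 0xde, 0xad };

/*
 * toy_d2i() is a hypothetical stand-in for a libcrypto d2i_*() function.
 * It reads one DER element from *pp, looking at no more than len bytes,
 * advances *pp past it and returns 1; returns 0 if malformed or truncated.
 */
static int toy_d2i(const unsigned char **pp, size_t len)
{
	const unsigned char *p = *pp;
	size_t clen = 0, hdr = 2, i, nbytes;

	if (len < 2 || (p[0] & 0x1f) == 0x1f)	/* multi-byte tags unsupported */
		return 0;
	if (p[1] < 0x80) {
		clen = p[1];			/* short form length */
	} else {
		nbytes = p[1] & 0x7f;		/* long form length */
		if (nbytes == 0 || nbytes > sizeof(size_t) || len - 2 < nbytes)
			return 0;		/* indefinite length or overrun */
		for (i = 0; i < nbytes; i++)
			clen = (clen << 8) | p[2 + i];
		hdr += nbytes;
	}
	if (clen > len - hdr)			/* content runs past the buffer */
		return 0;
	*pp = p + hdr + clen;			/* like d2i: point past the object */
	return 1;
}

/* Caller that trusts the parser's return value alone. */
int parse_lenient(const unsigned char *buf, size_t len)
{
	const unsigned char *p = buf;
	return toy_d2i(&p, len);
}

/* Caller that also requires the whole buffer to have been consumed. */
int parse_strict(const unsigned char *buf, size_t len)
{
	const unsigned char *p = buf;
	if (!toy_d2i(&p, len))
		return 0;
	return p == buf + len;			/* reject trailing garbage */
}

int main(void)
{
	printf("clean:  lenient=%d strict=%d\n",
	    parse_lenient(clean, sizeof(clean)), parse_strict(clean, sizeof(clean)));
	printf("padded: lenient=%d strict=%d\n",
	    parse_lenient(padded, sizeof(padded)), parse_strict(padded, sizeof(padded)));
	return 0;
}
```

The padded sample parses successfully in both callers' parser step; only the pointer comparison against the end of the buffer distinguishes it from the clean one.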
Revision 1.26, Wed Dec 28 21:30:18 2022 UTC (17 months, 1 week ago) by jmc
Branch: MAIN
Changes since 1.25: +2 -2 lines
spelling fixes; from paul tagliamonte
any parts of his diff not taken are noted on tech
Revision 1.25, Tue Nov 29 20:41:32 2022 UTC (18 months, 1 week ago) by job
Branch: MAIN
Changes since 1.24: +1 -2 lines
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
Revision 1.24, Mon Nov 28 18:33:56 2022 UTC (18 months, 1 week ago) by tb
Branch: MAIN
Changes since 1.23: +2 -2 lines
Fix indent
Revision 1.23, Sat Nov 26 12:36:19 2022 UTC (18 months, 1 week ago) by tb
Branch: MAIN
Changes since 1.22: +33 -26 lines
Split eContent extraction into a small helper
job didn't like jumping over a bunch of code, so handle this via a small helper. It's not as if cms_parse_validate_internal() could not do with a bit of splitting in general.
ok job
Revision 1.22, Sat Nov 26 12:02:36 2022 UTC (18 months, 1 week ago) by job
Branch: MAIN
Changes since 1.21: +56 -26 lines
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
Revision 1.21, Fri Aug 12 13:19:02 2022 UTC (21 months, 3 weeks ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.20: +6 -2 lines
No need to make a deep copy of the EE cert
The EE Cert has just been allocated as part of deserializing the cms. There is no need for an expensive copy, we can just keep a reference.
ok job
Revision 1.20, Tue May 31 18:41:43 2022 UTC (2 years ago) by tb
Branch: MAIN
Changes since 1.19: +1 -59 lines
Remove now unused ASN1_frame() and cms_econtent_version()
ok claudio job
Revision 1.19, Sun May 15 16:43:34 2022 UTC (2 years ago) by tb
Branch: MAIN
Changes since 1.18: +3 -3 lines
More KNF and whitespace fixes.
Revision 1.18, Sun May 15 15:00:53 2022 UTC (2 years ago) by deraadt
Branch: MAIN
Changes since 1.17: +5 -5 lines
whitespace spotted during read-thru
Revision 1.17, Wed May 11 16:13:05 2022 UTC (2 years ago) by tb
Branch: MAIN
Changes since 1.16: +7 -1 lines
Cache X509v3 extensions as soon as we have a cert
X509 API functions such as X509_check_ca() or X509_get_extension_flags() can't be used reliably unless we know that X509v3 extensions are cached. Otherwise they try to cache the extensions themselves but can't report possible errors sensibly. They carry on and may return nonsense.
An old trick is to call X509_check_purpose() with a purpose of -1 which is a wrapper around the internal x509v3_cache_extensions() that allows error checking. Do this when we have a new cert. This way the API functions affected by this can be relied upon. Another nice side effect of doing this is that with LibreSSL we then know that the RFC 3779 extensions are in canonical form.
ok beck claudio
Revision 1.16, Mon Mar 28 13:04:01 2022 UTC (2 years, 2 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.15: +12 -2 lines
Compare the SKI of the embedded EE certificate of the CMS message with the SID of the Signer Info structure. RFC6488 mandates this.
OK job@ tb@
Revision 1.15, Mon Mar 28 08:19:15 2022 UTC (2 years, 2 months ago) by tb
Branch: MAIN
Changes since 1.14: +2 -2 lines
Fix error check of CMS_unsigned_get_addr_count()
According to RFC 5652, unsignedAttrs are a SET OF at least one member, however the CMS code doesn't actually check for this. Since SET OF may contain zero members in general, an empty set of unsignedAttrs would be accepted. Catch this by explicitly checking for a -1 return value.
ok claudio
Revision 1.14, Fri Mar 25 08:19:04 2022 UTC (2 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.13: +133 -9 lines
Implement most of the CMS related checks required by RFC 6488 section 3
Verify that SignerInfo and Signed Attributes are set according to the RFC. Especially enforce that the right attributes are signed. Check that there are no unsigned attributes, no CRL and that the correct content-type, digest and signature algorithm are used.
The OpenSSL API makes it impossible to verify the versions and some other more subtle differences like detecting single attributes vs a SET OF one. Similarly OpenSSL accepts both DER and BER encoding in the payload. These smaller differences to the RFC are not optimal but not a risk.
Lots of feedback and OK tb@
Revision 1.13, Tue Jan 18 16:24:55 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.12: +1 -11 lines
Revert all the files that should have not been committed in last commit.
Revision 1.12, Tue Jan 18 16:18:22 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.11: +12 -2 lines
Kill extra newline
Revision 1.8.2.1, Tue Nov 9 13:41:19 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_6_9
Changes since 1.8: +77 -31 lines
rpki-client(8) should handle CA misbehaviours as soft-errors.
This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40 2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:
* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.
This is patches/6.9/common/021_rpki.patch.sig
Revision 1.10.4.1, Tue Nov 9 13:40:32 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_7_0
Changes since 1.10: +8 -21 lines
rpki-client(8) should handle CA misbehaviours as soft-errors.
This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40 2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:
* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.
This is patches/7.0/common/004_rpki.patch.sig
Revision 1.11, Tue Oct 26 10:52:49 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.10: +8 -21 lines
Change CMS and CRL d2i functions from their BIO version to passing the der buffer instead. The files are loaded early in the entity processing loop.
OK tb@
Revision 1.10, Thu Sep 9 14:15:49 2021 UTC (2 years, 8 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE
Branch point for: OPENBSD_7_0
Changes since 1.9: +14 -13 lines
Rework how various OIDs are compared in the code. Instead of converting the ASN1_OBJECT into a string and comparing the strings, convert the string into an ASN1_OBJECT once and then compare these objects with OBJ_cmp(). Makes the code a bit easier to read and removes some repetitive conversions.
With input and OK tb@
Revision 1.9, Tue Jul 13 18:39:39 2021 UTC (2 years, 10 months ago) by job
Branch: MAIN
Changes since 1.8: +59 -1 lines
Add more checks for eContent 'version' fields.
Input from deraadt@, tb@, claudio@
OK deraadt@ claudio@ tb@
Revision 1.8, Fri Jan 29 10:13:16 2021 UTC (3 years, 4 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE
Branch point for: OPENBSD_6_9
Changes since 1.7: +4 -42 lines
A while ago rpki-client was changed to validate the sha256 hashes of files referenced in MFT files during the validation of the MFT file. An MFT is only valid if all files are present and their hashes are valid. Because of this there is no longer the need to check the hash when these files are parsed later on. Remove these checks for CRT, ROA and CRL files. Use the presence of the pkey when parsing cert files to decide if it is a root cert or not.
OK tb@
Revision 1.7, Thu Apr 2 09:16:43 2020 UTC (4 years, 2 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.6: +8 -4 lines
Use fopen() and BIO_new_fd() instead of BIO_new_file so that a possible open error can be better logged to the operator. The cryptowarnx function logs warnings in a less optimal way (mainly because of OpenSSL error stacks).
OK benno@ deraadt@
Revision 1.6, Fri Nov 29 05:14:11 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.5: +2 -2 lines
not a backout commit
s/EXIT_FAILURE/1/
ok claudio@
Revision 1.5, Tue Aug 13 13:27:26 2019 UTC (4 years, 9 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.4: +3 -2 lines
Show the most common warnings only if verbose is set. Most of these warnings were shown because of an inconsistent rpki database and is no real problem.
OK florian@
Revision 1.4, Wed Jun 19 16:30:36 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +1 -1 lines
use $OpenBSD$ headers
Revision 1.3, Wed Jun 19 04:21:43 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +16 -16 lines
indentation adjustments, in particular near warn statements
ok claudio
Revision 1.2, Mon Jun 17 15:04:59 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +1 -2 lines
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
Revision 1.1.1.1 (vendor branch), Mon Jun 17 14:31:30 2019 UTC (4 years, 11 months ago) by job
Branch: job
CVS Tags: job_20190617
Changes since 1.1: +0 -0 lines
Import Kristaps Dzonsons' RPKI validator into the tree
rpki-client(1) is an implementation of the Resource Public Key Infrastructure (RPKI), specified by RFC 6480. The client is responsible for downloading, validating and converting Route Origin Authorisations (ROAs) into Validated ROA Payloads (VRPs). The client's output (VRPs) can be used by bgpd(8) to perform BGP Origin Validation (RFC 6811).
The current rpki-client(1) version depends on the CMS functions in OpenSSL, this of course needs to be addressed urgently.
Thanks to NetNod, IIS.SE, SUNET & 6connect for supporting this effort!
OK deraadt@
Revision 1.1, Mon Jun 17 14:31:30 2019 UTC (4 years, 11 months ago) by job
Branch: MAIN
Initial revision