OpenBSD CVS

CVS log for src/usr.sbin/rpki-client/mft.c

Default branch: MAIN


Revision 1.116, Fri May 24 12:57:20 2024 UTC, by tb
Branch: MAIN
CVS Tags: HEAD
Changes since 1.115: +2 -2 lines

Update references to new and not quite so new RFCs

Four warnings now contain "RFC 9582" rather than "RFC 6482bis".
Also update some references to I-Ds.

ok claudio

Revision 1.115, Mon May 20 15:51:43 2024 UTC, by claudio
Branch: MAIN
Changes since 1.114: +3 -1 lines

Instead of tracking certificates by SKI track them by an internal identifier.

The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can lookup the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer lookup by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.

The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.

In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.

Done together with tb@
OK tb@ job@

Revision 1.114, Wed May 15 09:19:48 2024 UTC, by tb
Branch: MAIN
Changes since 1.113: +7 -7 lines

rpki-client: plug leak of the crl path

also, drop an unnecessary NULL check and make freeing have the same order
as the struct field so auditing for leaks is easier.

ok claudio

Revision 1.113, Sat Apr 20 15:45:41 2024 UTC, by job
Branch: MAIN
Changes since 1.112: +12 -3 lines

Display distinct errors for various problematic CRL/MFT situationships

RFC 6487 section 8 specifies only a single CRL is issued at a time, so
error when multiple .crl files are listed in a Manifest's FileList.

The CRLDP extension identifies the location of the CRL, so the CRL's
filename must match the CA's CRLDP's 'rsync://' entry, error if that
isn't the case. (RFC 6486 section 4.8.6)

with & OK tb@

Revision 1.112, Thu Feb 22 12:49:42 2024 UTC, by job
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.111: +4 -1 lines

Add support for RPKI Signed Prefix Lists

Signed Prefix Lists are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@

Revision 1.111, Wed Feb 21 09:17:06 2024 UTC, by tb
Branch: MAIN
Changes since 1.110: +52 -63 lines

rpki-client: remove the remaining struct parse

With the exception of mft.c where there is an additional boolean, this
struct carries a file name and a result. This means functions having
struct parse in the signature can't be shared between files, which has
been annoying. Simply pass file name and necessary info directly as a
function parameter and add a small dance to handle the boolean in mft.c.

ok job

Revision 1.110, Fri Feb 16 15:18:08 2024 UTC, by tb
Branch: MAIN
Changes since 1.109: +9 -9 lines

Rename fn into file to avoid clash in upcoming diff

ok job

Revision 1.109, Fri Feb 16 15:13:49 2024 UTC, by tb
Branch: MAIN
Changes since 1.108: +20 -19 lines

Use _asn1 suffix for some aspa/mft/roa/rsc/tak

This would otherwise clash with an upcoming replacement of struct parse.

ok job

Revision 1.108, Thu Feb 15 07:01:33 2024 UTC, by tb
Branch: MAIN
Changes since 1.107: +79 -1 lines

Ensure that the FileAndHashes list in a mft has no duplicates

ok job
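
The checks described in the 1.113 and 1.108 entries above (at most one .crl per FileList, the CRL name matching the CA certificate's rsync:// CRLDP, and no duplicate FileAndHash entries), plus the per-entry hash comparison that every listed file must pass, as an added example in Python. This is not rpki-client code: the FileAndHash record, the error texts and the constructed sample data are assumptions made for the example.

```python
"""Consistency checks on a Manifest's FileList (added example, not
rpki-client's mft.c; data structures and messages are assumptions)."""
import hashlib
from typing import NamedTuple


class FileAndHash(NamedTuple):
    file: str      # fileList entry name as carried in the manifest
    hash: bytes    # SHA-256 digest carried in the manifest


class MftError(Exception):
    pass


def check_filelist(entries, crldp_uri):
    """Return the name of the manifest's CRL, or raise MftError.

    Enforces: no duplicate file names (rev 1.108); exactly one .crl entry
    (rev 1.113, RFC 6487 section 8); and that the .crl entry equals the
    basename of the CA's rsync:// CRLDP (rev 1.113, RFC 6486 section 4.8.6).
    """
    seen = set()
    crls = []
    for e in entries:
        if e.file in seen:
            raise MftError(f"duplicate fileList entry: {e.file}")
        seen.add(e.file)
        if e.file.endswith(".crl"):
            crls.append(e.file)
    if len(crls) == 0:
        raise MftError("no CRL listed in fileList")
    if len(crls) > 1:
        raise MftError(f"multiple CRLs listed in fileList: {crls}")
    if not crldp_uri.startswith("rsync://"):
        raise MftError(f"CRLDP is not an rsync:// URI: {crldp_uri}")
    crldp_name = crldp_uri.rsplit("/", 1)[-1]
    if crls[0] != crldp_name:
        raise MftError(f"CRL {crls[0]!r} does not match CRLDP {crldp_name!r}")
    return crls[0]


def verify_hashes(entries, contents):
    """Compare each listed file's SHA-256 with the manifest's hash.
    `contents` maps file name -> bytes as fetched from the repository.
    Returns the names that are missing or do not match (empty = all good)."""
    bad = []
    for e in entries:
        data = contents.get(e.file)
        if data is None or hashlib.sha256(data).digest() != e.hash:
            bad.append(e.file)
    return bad


# Constructed sample data (not real RPKI objects).
CRL_BYTES = b"constructed crl"
ROA_BYTES = b"constructed roa"
SAMPLE_CRLDP = "rsync://rpki.example.net/repo/ca.crl"
SAMPLE_GOOD = [
    FileAndHash("ca.crl", hashlib.sha256(CRL_BYTES).digest()),
    FileAndHash("a.roa", hashlib.sha256(ROA_BYTES).digest()),
]
SAMPLE_TWO_CRLS = SAMPLE_GOOD + [FileAndHash("old.crl", b"\0" * 32)]
SAMPLE_DUP = SAMPLE_GOOD + [FileAndHash("a.roa", b"\0" * 32)]
SAMPLE_WRONG_CRL = [FileAndHash("other.crl", b"\0" * 32)] + SAMPLE_GOOD[1:]


def demo():
    """Run check_filelist over the samples; map name -> CRL name or error text."""
    results = {}
    for name, entries in [("good", SAMPLE_GOOD), ("two_crls", SAMPLE_TWO_CRLS),
                          ("dup", SAMPLE_DUP), ("wrong_crl", SAMPLE_WRONG_CRL)]:
        try:
            results[name] = check_filelist(entries, SAMPLE_CRLDP)
        except MftError as err:
            results[name] = f"error: {err}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
    print("bad hashes:", verify_hashes(SAMPLE_GOOD,
                                       {"ca.crl": CRL_BYTES, "a.roa": b"tampered"}))
```

The duplicate check runs before the CRL checks on purpose: a manifest listing the same name twice is rejected outright, so the question of which of the two hashes applies never arises.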

Revision 1.107, Tue Feb 13 22:44:21 2024 UTC, by job
Branch: MAIN
Changes since 1.106: +4 -1 lines

Add explicit ASN1_ITEM_EXP prototypes

In LibreSSL *_it are variables, in other implementations they might
be a function. This helps squash compiler warnings in -portable.

Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93

OK tb@

Revision 1.106, Mon Feb 5 19:23:58 2024 UTC, by job
Branch: MAIN
Changes since 1.105: +8 -1 lines

Check whether all data in eContent has been consumed

It is possible that a given ASN.1 template generated d2i_*() function
didn't consume all data, so there is a potential for malleability.
The econtent is a sequence (which means it could be the concatenation
of several DER "blobs"). d2i_*() would only deserialize the first one
and not notice blobs following it.

OK tb@

Revision 1.105, Sun Feb 4 00:53:27 2024 UTC, by job
Branch: MAIN
Changes since 1.104: +26 -54 lines

Use x509_get_time() to get the Manifest thisUpdate / nextUpdate

From the moment d2i_Manifest() was introduced, it was automatically
checked whether the thisUpdate/nextUpdate are ASN1_GENERALIZEDTIME.

Unfortunately, an additional check is needed, because OpenSSL doesn't
require RFC 5280 conformance for GeneralizedTime DER encoding.

OK tb@

Revision 1.104, Sat Feb 3 14:30:47 2024 UTC, by job
Branch: MAIN
Changes since 1.103: +2 -7 lines

Refactor handling of stale manifests

No need to hoist a staleness indicator through the whole process and
count it explicitly.

OK tb@

Revision 1.103, Fri Feb 2 19:26:49 2024 UTC, by job
Branch: MAIN
Changes since 1.102: +1 -11 lines

Remove old comment

OK tb@

Revision 1.102, Wed Jan 31 06:57:21 2024 UTC, by tb
Branch: MAIN
Changes since 1.101: +14 -1 lines

Introduce and use mft_compare_issued()

Newly issued manifests should not only have a higher manifestNumber,
their issuance time should also be later. Add corresponding checks
and warnings when comparing a newly fetched manifest to a manifest
from the cache.

ok job (who noticed that such a check was missing)

Revision 1.101, Wed Jan 31 06:54:43 2024 UTC, by tb
Branch: MAIN
Changes since 1.100: +3 -10 lines

Rename mft_compare() to mft_compare_seqnum()

This makes it clearer what exactly this function compares. Also drop some
NULL checks that made the semantics of this function tricky.

ok job

Revision 1.100, Mon Dec 11 15:50:23 2023 UTC, by job
Branch: MAIN
Changes since 1.99: +9 -5 lines

Log a warning when a manifest replay is detected

OK tb@ claudio@

Revision 1.99, Fri Oct 13 12:06:49 2023 UTC, by job
Branch: MAIN
Changes since 1.98: +2 -2 lines

Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@

Revision 1.98, Mon Sep 25 11:08:45 2023 UTC, by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.97: +3 -2 lines

Pass the talid to various parse functions

This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.

ok claudio job

Revision 1.97, Sun Sep 3 10:48:50 2023 UTC, by job
Branch: MAIN
Changes since 1.96: +11 -3 lines

Shuffle the order in which Manifest entries are processed

Previously work items were enqueued in the order the CA intended them
to appear on a Manifest. However, there is no obvious benefit to letting
third parties decide the order in which things are processed.

Instead, randomize: ordering has no meaning anyway, and the number of
concurrent repository synchronization operations is limited & timeboxed.
As they say, a fox is not taken twice in the same snare.

OK tb@

Revision 1.96, Thu Jun 29 10:28:25 2023 UTC, by tb
Branch: MAIN
Changes since 1.95: +2 -2 lines

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job

Revision 1.95, Tue Jun 20 12:39:50 2023 UTC, by job
Branch: MAIN
Changes since 1.94: +6 -1 lines

Add compliance checks for the version, KU, and EKU of TAK/MFT/GBR EE certs

OK tb@

Revision 1.94, Wed Jun 7 10:46:34 2023 UTC, by job
Branch: MAIN
Changes since 1.93: +2 -2 lines

In anticipation of a bump of the ASPA eContent profile version, update
valid_econtent_version() to allow for non-zero versions.

OK tb@

Revision 1.93, Mon May 22 15:15:25 2023 UTC, by tb
Branch: MAIN
Changes since 1.92: +13 -8 lines

Convert generalizedtime_to_tm() to ASN1_TIME_to_tm()

Second step of moving away from ASN1_time_parse(). Being an OpenSSL API,
ASN1_TIME_to_tm() supports a variety of things. In this specific case we
don't really want it to parse anything but a GeneralizedTime expressed in
Zulu time. Unfortunately, OpenSSL makes this annoying. So punt on this and
only do checks for the correct type and length. LibreSSL only accepts Zulu
time, so there is no change of behavior.

ok claudio job

Revision 1.92, Mon May 22 14:56:00 2023 UTC, by tb
Branch: MAIN
Changes since 1.91: +6 -7 lines

Avoid use of LibreSSL-specific ASN1_time_tm_cmp() API

We convert these struct tm into time_t in the next few lines, so we can
simply use > instead.

ok claudio job

Revision 1.91, Wed Apr 26 16:32:41 2023 UTC, by claudio
Branch: MAIN
Changes since 1.90: +3 -1 lines

Improve accounting by tracking things by repo and tal.
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric label output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@

Revision 1.90, Mon Apr 24 17:11:33 2023 UTC, by claudio
Branch: MAIN
Changes since 1.89: +2 -2 lines

If the two mfts in mft_compare() are the same do not prefer the
first (DIR_VALID) but prefer the 2nd (DIR_TEMP) since this allows
rpki-client to move the equal files from .rrdp back into the valid
repo tree and so there are fewer unaccounted-for files.
Problem noticed by and OK job@

Revision 1.89, Mon Mar 13 19:54:36 2023 UTC, by job
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.88: +7 -1 lines

Check that the CMS signing-time is not after the MFT's nextUpdate

Issuing manifests whose validity window is entirely in the past, as
observed from the purported CMS signing-time would be a form of backdating.

OK tb@

Revision 1.88, Mon Mar 13 10:39:03 2023 UTC, by tb
Branch: MAIN
Changes since 1.87: +2 -2 lines

Revert accidental change from explicit to implicit tagging in r1.86.

ok job

Revision 1.87, Mon Mar 13 09:24:37 2023 UTC, by job
Branch: MAIN
Changes since 1.86: +3 -3 lines

Rename some data fields to closer match their provenance

OK tb@

Revision 1.86, Sun Mar 12 11:54:56 2023 UTC, by job
Branch: MAIN
Changes since 1.85: +2 -2 lines

Refactor expiration calculation

Unify common code paths which find the exact expiry moment into a new
helper function. Additionally, the new helper offers more accuracy by
checking more applicable CRLs whether their 'nextupdate' is 'sooner'.

tb@ noted: The helper adds a multiplier of log(#crls), but that's
certainly acceptable as it is still very cheap.

OK tb@

Revision 1.85, Sun Mar 12 11:46:35 2023 UTC, by tb
Branch: MAIN
Changes since 1.84: +2 -2 lines

Initialize the local signtime variable in the individual *_parse()
functions

ok job

Revision 1.84, Thu Mar 9 18:53:24 2023 UTC, by tb
Branch: MAIN
Changes since 1.83: +2 -3 lines

Unwrap a few lines and zap a tab

Revision 1.83, Thu Mar 9 09:46:21 2023 UTC, by job
Branch: MAIN
Changes since 1.82: +5 -2 lines

Show CMS signing-time signed attribute in filemode

OK tb@

Revision 1.82, Thu Dec 1 10:24:28 2022 UTC, by claudio
Branch: MAIN
Changes since 1.81: +4 -3 lines

Adjust comment for rtype_from_mftfile(). It is important that RTYPE_INVALID
is not an error. It marks files as not handled by rpki-client and they will
be ignored after checking that the provided hash matches.
New file types should only be added once the needed code in parse_entity() is
available.
OK tb@ job@

Revision 1.81, Wed Nov 30 08:16:10 2022 UTC, by job
Branch: MAIN
Changes since 1.80: +1 -2 lines

Remove unused ctype.h include

OK tb@

Revision 1.80, Tue Nov 29 20:41:32 2022 UTC, by job
Branch: MAIN
Changes since 1.79: +1 -2 lines

Only include stdarg.h, if we call any of va_{start,end}()

OK tb@

Revision 1.79, Sat Nov 26 12:02:37 2022 UTC, by job
Branch: MAIN
Changes since 1.78: +3 -1 lines

Add support for authenticating geofeed data CSV files in filemode

RFC 9092 describes a scheme in which an authenticator is appended to a
geofeed (RFC 8805) file. It is a digest of the main body of the file
signed by the private key of the relevant RPKI certificate for a covering
address range. The authenticator is a detached CMS signature.

with and OK tb@

Revision 1.78, Mon Nov 7 16:23:32 2022 UTC, by job
Branch: MAIN
Changes since 1.77: +11 -5 lines

Simplify use of strrchr()

with and OK tb@

Revision 1.77, Fri Nov 4 09:43:13 2022 UTC, by job
Branch: MAIN
Changes since 1.76: +7 -3 lines

Check the SIA signedObject in ROA/MFT/ASPA/TAK/GBR EE certificates

Unfortunately we can't yet error out when accessMethods other than
signedObject are encountered in the SubjectInformationAccess extension
because there is pollution in the ecosystem.

OK tb@

Revision 1.76, Wed Nov 2 12:43:02 2022 UTC, by job
Branch: MAIN
Changes since 1.75: +3 -0 lines

Add support for draft-ietf-sidrops-signed-tal-12

Add support for validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.

OK tb@

Revision 1.75, Thu Oct 13 04:43:32 2022 UTC, by job
Branch: MAIN
Changes since 1.74: +2 -2 lines

All of ROA, MFT, ASPA, and RSC define their respective 'version' field
in ASN.1 as following: "version [0] INTEGER DEFAULT 0,". Each object
profile preamble contains "DEFINITIONS EXPLICIT TAGS ::=".

We didn't bump into any issue yet, because all Signed Objects are at
version 0, which means the field is entirely omitted (including the tag,
be it implicit or explicit). (From X.690 section 11.5: "The encoding of
a set value or a sequence value shall not include an encoding for any
component value which is equal to its default value.")

OK tb@
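
The two DER points raised in the 1.106 entry (a d2i_*() call returns after the first SEQUENCE, so the caller has to verify that the whole eContent was consumed) and in the 1.75 entry just above (a "version [0] INTEGER DEFAULT 0" with EXPLICIT tagging must be omitted when it is 0, per X.690 11.5), as an added example in Python. This is not rpki-client's ASN.1 template code; it is a minimal DER reader written for the example. Only the version and manifestNumber fields are decoded, what follows them in a real Manifest is not examined, and the sample buffers are constructed, not real objects.

```python
"""Walking the outer Manifest eContent with a minimal DER reader (added
example, not rpki-client code; only version and manifestNumber decoded)."""


class DerError(Exception):
    pass


def read_tlv(buf: bytes, off: int):
    """Parse one DER TLV at buf[off:]; return (tag, value, offset after it).
    Single-byte tags and definite, minimally encoded lengths only."""
    if off + 2 > len(buf):
        raise DerError("truncated: tag or length missing")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first == 0x80:
        raise DerError("indefinite length is not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
        if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
            raise DerError("non-minimal length encoding")
    if off + length > len(buf):
        raise DerError("truncated value")
    return tag, buf[off:off + length], off + length


def der_integer(value: bytes) -> int:
    """Decode DER INTEGER content octets, rejecting redundant leading bytes."""
    if not value:
        raise DerError("empty INTEGER")
    if len(value) > 1 and ((value[0] == 0x00 and not value[1] & 0x80) or
                           (value[0] == 0xFF and value[1] & 0x80)):
        raise DerError("non-minimal INTEGER")
    return int.from_bytes(value, "big", signed=True)


def parse_manifest_econtent(econtent: bytes):
    """Return (version, manifestNumber) or raise DerError."""
    tag, body, end = read_tlv(econtent, 0)
    if tag != 0x30:
        raise DerError("eContent is not a SEQUENCE")
    if end != len(econtent):
        # This is the rev 1.106 check: a d2i_*() call stops after the first
        # SEQUENCE and never sees the bytes that follow it.
        raise DerError(f"{len(econtent) - end} trailing byte(s) after eContent")
    version = 0
    tag, val, off = read_tlv(body, 0)
    if tag == 0xA0:  # [0] EXPLICIT wrapper around the version INTEGER
        itag, ival, iend = read_tlv(val, 0)
        if itag != 0x02 or iend != len(val):
            raise DerError("malformed explicit version")
        version = der_integer(ival)
        if version == 0:
            # Rev 1.75 / X.690 11.5: the DEFAULT value must not be encoded.
            raise DerError("version 0 encoded although it is the DEFAULT")
        tag, val, off = read_tlv(body, off)
    if tag != 0x02:
        raise DerError("expected manifestNumber INTEGER")
    manifest_number = der_integer(val)
    if manifest_number < 0:
        raise DerError("negative manifestNumber")
    return version, manifest_number


def classify(econtent: bytes) -> str:
    try:
        v, n = parse_manifest_econtent(econtent)
        return f"ok: version={v} manifestNumber={n}"
    except DerError as err:
        return f"error: {err}"


# Constructed eContent prefixes (not real manifests).
GOOD = bytes([0x30, 0x03, 0x02, 0x01, 0x07])                     # SEQ { INTEGER 7 }
TRAILING = GOOD + bytes([0x30, 0x00])                             # plus a second blob
ENCODED_DEFAULT = bytes([0x30, 0x08, 0xA0, 0x03, 0x02, 0x01, 0x00, 0x02, 0x01, 0x07])
VERSION_ONE = bytes([0x30, 0x08, 0xA0, 0x03, 0x02, 0x01, 0x01, 0x02, 0x01, 0x07])
LONG_FORM_BAD = bytes([0x30, 0x81, 0x03, 0x02, 0x01, 0x07])       # length 3 in long form

if __name__ == "__main__":
    for name, buf in [("good", GOOD), ("trailing", TRAILING),
                      ("encoded_default", ENCODED_DEFAULT),
                      ("version_one", VERSION_ONE), ("long_form_bad", LONG_FORM_BAD)]:
        print(name, "->", classify(buf))
```

With a template-driven decoder the equivalent of the trailing-bytes test is comparing the pointer d2i_*() advanced against the start pointer plus the eContent length; the example makes that comparison explicit by returning the consumed offset from read_tlv().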

Revision 1.74, Tue Aug 30 18:56:49 2022 UTC, by job
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.73: +4 -1 lines

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@

Revision 1.73, Thu Aug 18 15:20:27 2022 UTC, by job
Branch: MAIN
Changes since 1.72: +2 -5 lines

Remove dangling ASPA references until we land real support

OK tb@

Revision 1.72, Fri Jun 10 10:41:09 2022 UTC, by tb
Branch: MAIN
Changes since 1.71: +3 -3 lines

Unify error messages on d2i failure for econtent

Revision 1.71, Fri Jun 10 10:36:43 2022 UTC, by tb
Branch: MAIN
Changes since 1.70: +3 -20 lines

Dedup econtent version checks

Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.

ok claudio

Revision 1.70, Wed Jun 1 10:58:34 2022 UTC, by tb
Branch: MAIN
Changes since 1.69: +2 -2 lines

Fix off-by-one in MAX_MANIFEST_ENTRIES check

ok claudio job

Revision 1.69, Tue May 31 18:51:35 2022 UTC, by tb
Branch: MAIN
Changes since 1.68: +2 -1 lines

I made non-trivial contributions to these files.

Revision 1.68, Mon May 23 14:10:18 2022 UTC, by tb
Branch: MAIN
Changes since 1.67: +2 -2 lines

Improve #ifdefs for STACK_OF() helpers.

Discussed with claudio

Revision 1.67, Thu May 19 07:33:02 2022 UTC, by tb
Branch: MAIN
Changes since 1.66: +2 -10 lines

Adjust or remove some stale comments

Revision 1.66, Thu May 19 06:37:51 2022 UTC, by tb
Branch: MAIN
Changes since 1.65: +87 -164 lines

Rewrite mft.c and roa.c with ASN.1 templates

The ASN.1 templates are a rather direct translation of the ASN.1 in the
relevant RFCs and they allow deserializing the Manifest and ROA eContent
in a single step instead of numerous opaque d2i_ASN1_SEQUENCE_ANY() calls.
Once the eContent is deserialized, we can walk the structs, validate it
as before and populate the internal data structures.

Positive feedback job
ok claudio

Revision 1.65, Sun May 15 15:00:53 2022 UTC, by deraadt
Branch: MAIN
Changes since 1.64: +2 -2 lines

whitespace spotted during read-thru

Revision 1.64, Wed May 11 21:19:06 2022 UTC, by job
Branch: MAIN
Changes since 1.63: +6 -1 lines

Verify MFT and GBR objects only carry RFC 3779 extensions set to 'inherit'

OK claudio@ tb@

Revision 1.63, Tue May 10 07:41:37 2022 UTC, by tb
Branch: MAIN
Changes since 1.62: +7 -8 lines

Validate RSC filenames

Factor out POSIX portable filename check into a new valid_filename() and
rename the previous valid_filename() to valid_mft_filename().  Fixes and
supersedes incomplete checks in the RSC code. Avoids truncation via
strndup() in case of embedded NULs.

input/ok claudio

Revision 1.62, Tue May 10 07:28:43 2022 UTC, by job
Branch: MAIN
Changes since 1.61: +5 -3 lines

Improve control flow readability by removing 'else if' stanzas

OK tb@ claudio@

Revision 1.61, Mon May 9 17:02:34 2022 UTC, by job
Branch: MAIN
Changes since 1.60: +3 -1 lines

Add preliminary support for decoding RSC objects in filemode

This implements decoding support for draft-ietf-sidrops-rpki-rsc-06

There are three major outstanding issues:

* The wire image might still change to conform to the more widely deployed
  3779 API in libressl/openssl. IETF discussion ongoing.
* Whether the resources listed in the ResourceBlock are contained within
  the EE's RFC 3779 extension is not hooked up yet.
* There is a fair bit of duplicity between rsc.c and cert.c, look for XXX

OK tb@

Revision 1.60, Wed Apr 20 10:46:20 2022 UTC, by job
Branch: MAIN
Changes since 1.59: +2 -2 lines

Add Concatenated JSON output in filemode (rpki-client -j -f *)

The schema is still work in progress.

OK claudio@

Revision 1.59, Tue Apr 19 18:52:36 2022 UTC, by tb
Branch: MAIN
Changes since 1.58: +3 -3 lines

Avoid leaking crldp in mft_parse() if one of the crlfile checks fails.

ok claudio

Revision 1.58, Tue Apr 19 09:52:29 2022 UTC, by claudio
Branch: MAIN
Changes since 1.57: +37 -3 lines

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before, the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@

Revision 1.57, Mon Apr 11 10:03:12 2022 UTC, by claudio
Branch: MAIN
Changes since 1.56: +3 -3 lines

Sort RTYPE in case alphabetically and mention ASPA in the comment.
No functional change.

Revision 1.56, Fri Apr 8 15:29:59 2022 UTC, by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.55: +4 -4 lines

All times in the x509 are UTC so use timegm() and not mktime().
The latter will apply the timezone offset and so the further west
the more probable you are to have problems with valid_from times.
Fix from tb@
OK job@, benno@ and me
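
The time handling spread over the 1.105, 1.93, 1.89 and 1.56 entries (GeneralizedTime must be RFC 5280 conformant, which a type-and-length check plus a Zulu-only parse enforces; the CMS signing-time must not be after nextUpdate; X.509 times are UTC so timegm() rather than mktime() converts them), as an added example in Python. This is not rpki-client's x509_get_time() or mft.c: the MftTimes-style argument layout, the decision of which violations are hard errors versus a "stale" result, and the constructed time values are this example's assumptions, and the CMS signing-time is taken as an already converted time_t.

```python
"""Strict GeneralizedTime parsing and manifest time-window checks (added
example, not rpki-client code; error policy and samples are assumptions)."""
import calendar
import re
import time

# RFC 5280 section 4.1.2.5.2: GeneralizedTime MUST be YYYYMMDDHHMMSSZ,
# with seconds, without fractional seconds, always in Zulu time.
# LibreSSL enforces this when decoding; OpenSSL does not (rev 1.105),
# so a relying party checks the type and length itself (rev 1.93).
_GENTIME = re.compile(r"^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z$")


class TimeError(Exception):
    pass


def parse_generalizedtime(s: str) -> int:
    """Return a POSIX time_t for an RFC 5280-conformant GeneralizedTime.

    calendar.timegm() treats the tuple as UTC; time.mktime() would apply
    the local timezone offset and shift the result (rev 1.56)."""
    if len(s) != 15:
        raise TimeError(f"GeneralizedTime length {len(s)} != 15: {s!r}")
    m = _GENTIME.match(s)
    if m is None:
        raise TimeError(f"GeneralizedTime not YYYYMMDDHHMMSSZ: {s!r}")
    fields = tuple(int(x) for x in m.groups())
    t = calendar.timegm(fields)
    # timegm() silently normalizes impossible dates such as Feb 31 or
    # second 60; a round-trip through gmtime() catches those.
    if time.strftime("%Y%m%d%H%M%SZ", time.gmtime(t)) != s:
        raise TimeError(f"GeneralizedTime is not a real UTC instant: {s!r}")
    return t


def accepts(s: str) -> bool:
    try:
        parse_generalizedtime(s)
        return True
    except TimeError:
        return False


def check_manifest_times(this_update: str, next_update: str,
                         signing_time: int, now: int) -> str:
    """Return 'valid' or 'stale', or raise TimeError.

    - thisUpdate must not be after nextUpdate
    - the CMS signing-time must not be after nextUpdate: a manifest whose
      validity window ended before it was signed is backdated (rev 1.89)
    - now before thisUpdate: not yet valid; now after nextUpdate: stale
    """
    tu = parse_generalizedtime(this_update)
    nu = parse_generalizedtime(next_update)
    if tu > nu:
        raise TimeError("thisUpdate is after nextUpdate")
    if signing_time > nu:
        raise TimeError("CMS signing-time is after nextUpdate (backdated)")
    if now < tu:
        raise TimeError("thisUpdate is in the future")
    return "stale" if now > nu else "valid"


# Constructed values (not taken from a real manifest).
THIS_UPDATE = "20240520000000Z"
NEXT_UPDATE = "20240603000000Z"


def demo() -> dict:
    now_ok = parse_generalizedtime("20240601120000Z")
    now_late = parse_generalizedtime("20240610120000Z")
    signed = parse_generalizedtime("20240520000100Z")
    out = {
        "current": check_manifest_times(THIS_UPDATE, NEXT_UPDATE, signed, now_ok),
        "stale": check_manifest_times(THIS_UPDATE, NEXT_UPDATE, signed, now_late),
    }
    try:
        # signing-time after nextUpdate: the rev 1.89 backdating case
        check_manifest_times(THIS_UPDATE, NEXT_UPDATE, now_late, now_late)
        out["backdated"] = "accepted"
    except TimeError as err:
        out["backdated"] = f"error: {err}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The length check is deliberately separate from the regular expression: it is the cheap test that rejects UTCTime-shaped values, fractional seconds and timezone offsets before any parsing happens, which is the same order the 1.93 entry describes.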

Revision 1.55, Fri Apr 1 17:22:07 2022 UTC, by claudio
Branch: MAIN
Changes since 1.54: +7 -4 lines

Change x509_get_aki(), x509_get_ski(), x509_get_aia(), and x509_get_crl()
to work more like x509_get_expire(). They will return an error if the
extension extraction failed but not if it was not present. The callers
must now do that check but most did already.
With this cert_parse_inner() no longer cares about TA vs non-TA certs.
Feedback and OK tb@

Revision 1.54, Thu Mar 31 12:00:00 2022 UTC, by job
Branch: MAIN
Changes since 1.53: +4 -1 lines

Sync & permit ASPA objects to appear on Manifests

OK tb@ claudio@

Revision 1.53, Thu Feb 10 17:33:28 2022 UTC, by claudio
Branch: MAIN
Changes since 1.52: +3 -25 lines

Fix serial number printing in crl_print() for large serials.
Create a common x509_convert_seqnum() function to convert the various
ASN1_INTEGERs into hexnumbers and use this for mft and crl handling.
With and OK tb@, also OK job@

Revision 1.52, Fri Jan 28 15:30:23 2022 UTC, by claudio
Branch: MAIN
Changes since 1.51: +45 -51 lines

Properly handle .mft files as intended by the RFC. Instead of always
selecting the newest file this opens both the new (from rrdp or rsync)
and old (valid) MFT. It then compares the manifest number and based on
that the 'newer' MFT is selected.
The MFT file and hash check is also changed to always try both locations
and selecting whatever matches up with the hash. The selection is passed
back to the main process and used later on to open exactly the same
file as was checked against the hash.
The MFT parsing code has been split up into multiple steps so that the
files can be parsed, compared and then fully validated.
In most cases this makes no difference but it prevents replay attacks
using old but still valid files.
With and OK tb@
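
The cached-versus-fetched manifest selection described in the 1.52 entry above and refined by the 1.90 (prefer the fetched copy when both are equal), 1.100 (warn on replay) and 1.102 (a higher manifestNumber must also come with a later thisUpdate) entries, as an added example in Python. This is not rpki-client's mft_compare_seqnum()/mft_compare_issued(); the Mft record, the warning texts and the choice to fall back to the cached copy whenever the fetched one fails a check are this example's assumptions, and the sample manifests are constructed.

```python
"""Choosing between the cached manifest and a freshly fetched one (added
example, not rpki-client code; record layout and policy are assumptions)."""
from typing import List, NamedTuple, Optional


class Mft(NamedTuple):
    path: str          # where it was found: fetched (.rrdp/rsync) or valid tree
    seqnum: int        # manifestNumber
    this_update: int   # thisUpdate as time_t


def compare_seqnum(a: Mft, b: Mft) -> int:
    """-1, 0 or 1 as a.seqnum is less than, equal to or greater than b's."""
    return (a.seqnum > b.seqnum) - (a.seqnum < b.seqnum)


def compare_issued(a: Mft, b: Mft) -> int:
    """Same ordering, on thisUpdate."""
    return (a.this_update > b.this_update) - (a.this_update < b.this_update)


def select_manifest(cached: Optional[Mft], fetched: Optional[Mft],
                    warnings: List[str]) -> Optional[Mft]:
    """Return the manifest to validate further; anomalies go to `warnings`
    rather than raising, since the cached copy still serves."""
    if cached is None or fetched is None:
        return fetched if cached is None else cached
    c = compare_seqnum(fetched, cached)
    if c < 0:
        # rev 1.100 / 1.52: a lower manifestNumber on the freshly fetched
        # copy means an old but still valid file is being replayed.
        warnings.append(f"{fetched.path}: manifest replay detected, "
                        f"manifestNumber {fetched.seqnum} < cached {cached.seqnum}")
        return cached
    if c == 0:
        # rev 1.90: identical manifests, prefer the fetched (DIR_TEMP) copy
        # so it can be moved back into the valid tree.
        return fetched
    # rev 1.102: a newer manifestNumber must also carry a later thisUpdate.
    if compare_issued(fetched, cached) <= 0:
        warnings.append(f"{fetched.path}: manifestNumber {fetched.seqnum} is newer "
                        f"than cached {cached.seqnum} but thisUpdate did not advance")
        return cached
    return fetched


# Constructed sample manifests (not real objects).
CACHED = Mft("valid/repo/ca.mft", seqnum=41, this_update=1716500000)


def demo() -> dict:
    """Map case name -> (chosen path, warnings) for four fetched variants."""
    cases = {
        "newer": Mft(".rrdp/repo/ca.mft", 42, 1716586400),
        "replay": Mft(".rrdp/repo/ca.mft", 40, 1716586400),
        "same": Mft(".rrdp/repo/ca.mft", 41, 1716500000),
        "no_time_advance": Mft(".rrdp/repo/ca.mft", 42, 1716500000),
    }
    out = {}
    for name, fetched in cases.items():
        warnings: List[str] = []
        chosen = select_manifest(CACHED, fetched, warnings)
        out[name] = (chosen.path, warnings)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The comparison runs before full validation, which is why the 1.52 entry splits parsing into steps: the manifestNumber and thisUpdate have to be read from both candidates before either is trusted, and only the winner proceeds to hash and signature checks.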

Revision 1.51, Mon Jan 24 17:29:37 2022 UTC, by claudio
Branch: MAIN
Changes since 1.50: +29 -19 lines

Adjust code to handle unsupported file types a bit more gracefully.
The file still needs to match its hash to make the MFT valid but then
there will only be a warning printed. Parsing of other files from that
MFT are not influenced.
OK tb@

Revision 1.50, Sat Jan 22 09:18:48 2022 UTC, by tb
Branch: MAIN
Changes since 1.49: +63 -4 lines

Change valid_filename() to return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio

Revision 1.49, Fri Jan 21 18:49:44 2022 UTC, by tb
Branch: MAIN
Changes since 1.48: +8 -1 lines

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio
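
The filename handling described in the 1.63 entry (POSIX portable filename check on the raw bytes, so an embedded NUL cannot truncate the name) together with the extension-to-type dispatch of the 1.50 and 1.49 entries above, as an added example in Python. This is not rpki-client's valid_filename()/valid_mft_filename()/rtype_from_mftfile(): the exact rule set for manifest names (exactly one dot, a non-empty stem, a three-character extension matched case-insensitively), the RType names and the extension table are this example's assumptions.

```python
"""Filename checks for manifest fileList entries and file-type dispatch by
extension (added example, not rpki-client code; rule set is an assumption)."""
import enum
import re


class RType(enum.Enum):
    # INVALID is not an error: the file still has to match its hash, after
    # which it is ignored (rev 1.82, rev 1.51).
    INVALID = "invalid"
    CER = "cer"
    CRL = "crl"
    MFT = "mft"
    ROA = "roa"
    GBR = "gbr"
    ASPA = "asa"
    TAK = "tak"
    RSC = "sig"
    SPL = "spl"


_EXT_TO_RTYPE = {t.value: t for t in RType if t is not RType.INVALID}

# POSIX portable filename character set: letters, digits, '.', '_', '-'.
_PORTABLE = re.compile(r"^[A-Za-z0-9._-]+$")


def valid_filename(name: bytes) -> bool:
    """True if `name` (the raw IA5String bytes from the DER) is a POSIX
    portable filename. Checking the raw bytes matters: an embedded NUL
    would otherwise truncate the name when copied with strndup() (rev 1.63)."""
    if not name or b"\x00" in name:
        return False
    try:
        s = name.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not _PORTABLE.match(s):
        return False
    if s in (".", "..") or s.startswith("-"):
        return False
    return True


def valid_mft_filename(name: bytes) -> bool:
    """Manifest entries additionally need exactly one '.', a non-empty stem
    and a three-character extension (assumed rule set)."""
    if not valid_filename(name):
        return False
    s = name.decode("ascii")
    if s.count(".") != 1:
        return False
    stem, ext = s.split(".")
    return len(stem) > 0 and len(ext) == 3


def rtype_from_mftfile(name: bytes) -> RType:
    """Map a fileList entry to the object type handled by its parser.
    Raises ValueError for names that make the whole manifest invalid;
    unknown extensions yield RType.INVALID instead."""
    if not valid_mft_filename(name):
        raise ValueError(f"invalid fileList name {name!r}")
    ext = name.decode("ascii").split(".")[1].lower()
    return _EXT_TO_RTYPE.get(ext, RType.INVALID)


def classify(name: bytes) -> str:
    """Name of the RType, or 'error' when the entry is rejected outright."""
    try:
        return rtype_from_mftfile(name).name
    except ValueError:
        return "error"


if __name__ == "__main__":
    for n in (b"abc.roa", b"ca.crl", b"notes.txt", b"bad\x00.roa", b"../x.roa"):
        print(n, "->", classify(n))
```

The split between "error" and INVALID is the point the 1.82 and 1.51 entries make: a malformed name invalidates the manifest, whereas a well-formed name with an extension rpki-client does not handle only costs a warning once its hash has been checked.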

Revision 1.48, Tue Jan 18 16:24:55 2022 UTC, by claudio
Branch: MAIN
Changes since 1.47: +4 -39 lines

Revert all the files that should have not been committed in last commit.

Revision 1.47, Tue Jan 18 16:18:22 2022 UTC, by claudio
Branch: MAIN
Changes since 1.46: +40 -5 lines

Kill extra newline

Revision 1.46, Tue Jan 18 13:06:43 2022 UTC, by claudio
Branch: MAIN
Changes since 1.45: +2 -9 lines

Cleanup the scattered OBJ_txt2obj() calls and move them into
x509_init_oid() to initialize all necessary OID objects at start.
OK tb@

Revision 1.45, Thu Jan 13 13:46:03 2022 UTC, by claudio
Branch: MAIN
Changes since 1.44: +1 -40 lines

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@

Revision 1.44, Tue Jan 11 13:06:07 2022 UTC, by claudio
Branch: MAIN
Changes since 1.43: +19 -20 lines

Change the way the parser accesses files. It now builds the file path
based on information from the repository, a local path and the filename.
This simplifies some code both in the main process and the parser.
For this to work repositories are passed to the parser before any other
entity of this repository is passed. Struct entity is extended to include
the repoid and the path along the file(name).
Input and OK tb@ & job@

Revision 1.43 / (download) - annotate - [select for diffs], Thu Jan 6 16:06:30 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.42: +22 -48 lines
Diff to previous 1.42 (colored)

Cleanup mft file handling, especially the stale mft bits.
Move staleness check up into mft_parse_econtent() to simplify code.
Remove the big FIXME bits since they are no longer needed. The parent
process will only process MFTs that are not stale.
Cleanup a few other bits, mainly unnecessary else if cascades, and
use valid_filename() to check if the filename embedded in the mft
fileandhash is sensible.
OK tb@

Revision 1.32.2.1 / (download) - annotate - [select for diffs], Tue Nov 9 13:41:19 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_6_9
Changes since 1.32: +58 -42 lines
Diff to previous 1.32 (colored) next main 1.33 (colored)

rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current
and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40
2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/6.9/common/021_rpki.patch.sig

Revision 1.38.4.1 / (download) - annotate - [select for diffs], Tue Nov 9 13:40:32 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_7_0
Changes since 1.38: +28 -15 lines
Diff to previous 1.38 (colored) next main 1.39 (colored)

rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current
and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40
2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/7.0/common/004_rpki.patch.sig

Revision 1.42 / (download) - annotate - [select for diffs], Thu Oct 28 13:51:42 2021 UTC (2 years, 7 months ago) by job
Branch: MAIN
Changes since 1.41: +8 -2 lines
Diff to previous 1.41 (colored)

Limit how many FileAndHash entries a single manifest may contain

OK claudio@

Revision 1.41 / (download) - annotate - [select for diffs], Tue Oct 26 10:52:50 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.40: +3 -3 lines
Diff to previous 1.40 (colored)

Change CMS and CRL d2i functions from their BIO version to passing the
der buffer instead. The files are loaded early in the entity processing
loop.
OK tb@

Revision 1.40 / (download) - annotate - [select for diffs], Sun Oct 24 12:06:16 2021 UTC (2 years, 7 months ago) by job
Branch: MAIN
Changes since 1.39: +9 -2 lines
Diff to previous 1.39 (colored)

Restrict the characterset for filenames on Manifests

feedback from benno@

OK claudio@

Revision 1.39 / (download) - annotate - [select for diffs], Sat Oct 23 16:06:04 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.38: +11 -11 lines
Diff to previous 1.38 (colored)

Finally move away from blocking reads in rpki-client. The code was a
mishmash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@

Revision 1.38 / (download) - annotate - [select for diffs], Thu Sep 9 14:15:49 2021 UTC (2 years, 8 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE
Branch point for: OPENBSD_7_0
Changes since 1.37: +11 -3 lines
Diff to previous 1.37 (colored)

Rework how various OIDs are compared in the code.

Instead of converting the ASN1_OBJECT into a string and comparing the
strings, convert the string into an ASN1_OBJECT once and then compare
these objects with OBJ_cmp().

Makes the code a bit easier to read and removes some repetitive conversions.
With input and OK tb@

Revision 1.37 / (download) - annotate - [select for diffs], Wed Sep 8 16:37:20 2021 UTC (2 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.36: +5 -7 lines
Diff to previous 1.36 (colored)

The number of elements being processed is known upfront. So allocate the
storage needed outside of the loop. This reduces the number of recallocarray
calls.
OK tb@

Revision 1.36 / (download) - annotate - [select for diffs], Tue Jul 13 18:39:39 2021 UTC (2 years, 10 months ago) by job
Branch: MAIN
Changes since 1.35: +20 -7 lines
Diff to previous 1.35 (colored)

Add more checks for eContent 'version' fields.

Input from deraadt@, tb@, claudio@

OK deraadt@ claudio@ tb@

Revision 1.35 / (download) - annotate - [select for diffs], Mon Jun 14 12:08:50 2021 UTC (2 years, 11 months ago) by job
Branch: MAIN
Changes since 1.34: +7 -24 lines
Diff to previous 1.34 (colored)

Fix ROA & MFT version check handling

This check was incomplete: to correctly verify the ASN1 INTEGER holding
the version component, first the context specific explicit tag would need
to be checked.

However, the X.690 spec (section 11.5) states that one should not
encode a component if it is the default value. There are no RFCs specifying
new versions of ROA or MFT, so checking the content of the version component
should be skipped entirely.

Thus if the version component is present, something is wrong.

Revision 1.34 / (download) - annotate - [select for diffs], Tue May 11 11:32:51 2021 UTC (3 years ago) by claudio
Branch: MAIN
Changes since 1.33: +2 -1 lines
Diff to previous 1.33 (colored)

Before calling ASN1_time_parse() initialize the struct tm. While
recent libressl versions initialise the struct tm properly, older
versions did not, and so -portable runs into problems on systems
with older libressl versions installed.
Problem found by job@
OK tb@

Revision 1.33 / (download) - annotate - [select for diffs], Sun May 9 11:25:32 2021 UTC (3 years ago) by tb
Branch: MAIN
Changes since 1.32: +3 -3 lines
Diff to previous 1.32 (colored)

Garbage collect sz in mft_parse_filehash() which has been unused
since mft.c r1.20.

Revision 1.32 / (download) - annotate - [select for diffs], Mon Mar 29 06:50:44 2021 UTC (3 years, 2 months ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE
Branch point for: OPENBSD_6_9
Changes since 1.31: +9 -3 lines
Diff to previous 1.31 (colored)

Inline x509_get_extensions() and remove it

Since aia, aki and ski are all represented by char *, this is an
error-prone interface - as found by job. The function doesn't do
much anyway.

ok claudio

Revision 1.31 / (download) - annotate - [select for diffs], Sun Mar 28 16:22:17 2021 UTC (3 years, 2 months ago) by job
Branch: MAIN
Changes since 1.30: +42 -3 lines
Diff to previous 1.30 (colored)

Add some restrictions to manifest object profile

OK tb@, feedback from claudio@

Revision 1.30 / (download) - annotate - [select for diffs], Sat Mar 27 18:12:15 2021 UTC (3 years, 2 months ago) by job
Branch: MAIN
Changes since 1.29: +3 -3 lines
Diff to previous 1.29 (colored)

Send arguments in alphabetical order

OK tb@

Revision 1.29 / (download) - annotate - [select for diffs], Fri Mar 5 16:00:00 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.28: +15 -44 lines
Diff to previous 1.28 (colored)

Factor out the SHA256 hash checks into valid_filehash() so that it can
be used by the RRDP code as well.
OK tb@

Revision 1.28 / (download) - annotate - [select for diffs], Thu Mar 4 14:24:17 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)

Use the same way to error out in out of memory situations.
Just use 'err(1, NULL);'. There is no need to include the type of function
that failed since it is still impossible to locate the right call.
Just use a debugger in that case.
OK tb@ deraadt@

Revision 1.27 / (download) - annotate - [select for diffs], Fri Feb 19 12:18:23 2021 UTC (3 years, 3 months ago) by tb
Branch: MAIN
Changes since 1.26: +3 -4 lines
Diff to previous 1.26 (colored)

Convert reallocarray + memset to recallocarray.

ok claudio

Revision 1.26 / (download) - annotate - [select for diffs], Tue Feb 16 07:58:30 2021 UTC (3 years, 3 months ago) by job
Branch: MAIN
Changes since 1.25: +7 -3 lines
Diff to previous 1.25 (colored)

get Authority Information Access (AIA) from CA & EE certs

In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which the
extension appears. A single reference to the publication point of the
immediate superior certificate MUST be present, except for a
"self-signed" certificate.

Thanks tb@ for review

OK claudio@

Revision 1.25 / (download) - annotate - [select for diffs], Thu Feb 4 08:58:19 2021 UTC (3 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.24: +3 -1 lines
Diff to previous 1.24 (colored)

Even though most openssl includes include everything, try to be a bit more
explicit about what is used where. Seems to be the least worst solution.

Revision 1.24 / (download) - annotate - [select for diffs], Fri Jan 29 10:13:16 2021 UTC (3 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)

A while ago rpki-client was changed to validate the sha256 hashes of
files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashes are valid.
Because of this there is no longer the need to check the hash when
these files are parsed later on. Remove these checks for CRT, ROA and CRL
files. Use the presence of the pkey when parsing cert files to decide
if it is a root cert or not.
OK tb@

Revision 1.23 / (download) - annotate - [select for diffs], Fri Jan 8 08:09:07 2021 UTC (3 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.22: +9 -10 lines
Diff to previous 1.22 (colored)

Start using the ibuf API (ibuf_dynamic, ibuf_add, ibuf_close) for writing
data between processes. This completely decouples the write side.
rpki-client can't really use the imsg framework but it can use the ibuf
bits which imsg is built on.
OK benno@ job@

Revision 1.22 / (download) - annotate - [select for diffs], Mon Dec 21 11:35:55 2020 UTC (3 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.21: +4 -1 lines
Diff to previous 1.21 (colored)

Now that a NULL string is marshalled as NULL again we can drop some
extra has_xyz integers to indicate if the following buffer is present
or not. At the same time sprinkle some asserts for strings which must
not be NULL.
OK tb@

Revision 1.21 / (download) - annotate - [select for diffs], Fri Dec 18 12:31:06 2020 UTC (3 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.20: +3 -1 lines
Diff to previous 1.20 (colored)

Use asprintf with %.*s to construct the path based on the mft file
location and the filename of the referenced file. Use the same method
both in main.c and mft.c which is a fair bit simpler than using calloc
and strlcpy/strlcat to build the string by hand.
OK tb@

Revision 1.20 / (download) - annotate - [select for diffs], Wed Dec 9 11:25:08 2020 UTC (3 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.19: +1 -11 lines
Diff to previous 1.19 (colored)

All files provided in a manifest need to be checked against the provided
hash even if rpki-client ignores this file later on.
OK job@

Revision 1.14.4.1 / (download) - annotate - [select for diffs], Mon Nov 9 16:58:09 2020 UTC (3 years, 6 months ago) by tb
Branch: OPENBSD_6_7
Changes since 1.14: +35 -9 lines
Diff to previous 1.14 (colored) next main 1.15 (colored)

Fix checks for manifest validity interval

The check_validity() function used the X509_cmp_time() functions with
GeneralizedTime.  This doesn't work with current dates since LibreSSL
enforces conformance with RFC 5280 in X509_cmp_time(), which requires
that dates before 2050 are represented with UTCTime.  The functions
would return an error, but missing error checking led to failing to
detect expired or not yet valid manifests.  Fix this by converting the
dates into struct tm and using ASN1_time_tm_cmp() instead.

With input from claudio, jsing

ok benno claudio jsing

This is errata/6.7/029_rpki.patch.sig

Revision 1.16.4.1 / (download) - annotate - [select for diffs], Mon Nov 9 16:58:04 2020 UTC (3 years, 6 months ago) by tb
Branch: OPENBSD_6_8
Changes since 1.16: +35 -9 lines
Diff to previous 1.16 (colored) next main 1.17 (colored)

Fix checks for manifest validity interval

The check_validity() function used the X509_cmp_time() functions with
GeneralizedTime.  This doesn't work with current dates since LibreSSL
enforces conformance with RFC 5280 in X509_cmp_time(), which requires
that dates before 2050 are represented with UTCTime.  The functions
would return an error, but missing error checking led to failing to
detect expired or not yet valid manifests.  Fix this by converting the
dates into struct tm and using ASN1_time_tm_cmp() instead.

With input from claudio, jsing

ok benno claudio jsing

This is errata/6.8/006_rpki.patch.sig

Revision 1.19 / (download) - annotate - [select for diffs], Fri Nov 6 04:22:18 2020 UTC (3 years, 6 months ago) by tb
Branch: MAIN
Changes since 1.18: +8 -5 lines
Diff to previous 1.18 (colored)

Treat stale manifests as such, not as 'failed to parse'

There is currently dead code in mft_parse() that handles stale
manifests by setting the stale flag and removing all files they
reference.  This code was made unreachable in a refactor that
fixed a logic error that made mft_parse() succeed despite its
error handling.  check_validity() returns three possible values.
Report failures and stale mfts back immediately via rc.  Success
needs to reset rc to -1, so subsequent errors are reported as
such.

This is mostly cosmetic and only changes the rpki-client output
in that the comment at the top of the config now actually shows
stale manifests. This makes regress pass again.

ok claudio job

Revision 1.18 / (download) - annotate - [select for diffs], Thu Nov 5 16:38:09 2020 UTC (3 years, 6 months ago) by tb
Branch: MAIN
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)

typo

Revision 1.17 / (download) - annotate - [select for diffs], Thu Nov 5 15:53:55 2020 UTC (3 years, 6 months ago) by tb
Branch: MAIN
Changes since 1.16: +35 -9 lines
Diff to previous 1.16 (colored)

Fix checks for manifest validity interval

The check_validity() function used the X509_cmp_time() functions with
GeneralizedTime.  This doesn't work with current dates since LibreSSL
enforces conformance with RFC 5280 in X509_cmp_time(), which requires
that dates before 2050 are represented with UTCTime.  The functions
would return an error, but missing error checking led to failing to
detect expired or not yet valid manifests.  Fix this by converting the
dates into struct tm and using ASN1_time_tm_cmp() instead.

With input from claudio, jsing

ok benno claudio jsing

Revision 1.16 / (download) - annotate - [select for diffs], Sat Sep 12 15:46:48 2020 UTC (3 years, 8 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE
Branch point for: OPENBSD_6_8
Changes since 1.15: +1 -2 lines
Diff to previous 1.15 (colored)

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@

Revision 1.15 / (download) - annotate - [select for diffs], Tue Jun 30 12:52:44 2020 UTC (3 years, 11 months ago) by job
Branch: MAIN
Changes since 1.14: +8 -10 lines
Diff to previous 1.14 (colored)

Remove -f (force) option.

The -f option existed for some initial debugging work.

Thanks Weerd for review

OK claudio@

Revision 1.14 / (download) - annotate - [select for diffs], Sat Apr 11 15:53:44 2020 UTC (4 years, 1 month ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE
Branch point for: OPENBSD_6_7
Changes since 1.13: +17 -30 lines
Diff to previous 1.13 (colored)

Avoid using libc SHA256File(), just perform the operation inline to
make things easier for -portable
ok claudio

Revision 1.13 / (download) - annotate - [select for diffs], Wed Apr 1 14:15:49 2020 UTC (4 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.12: +78 -55 lines
Diff to previous 1.12 (colored)

Split the mft file and hash check from the mft parsing. This makes it easier
to check all files in a mft before failing and also the check is now done
after the embedded cert was checked.
This refactor was triggered because of a bug in mft_parse_econtent().
check_validity() altered rc but later failure code assumed that goto out
is good enough to return an error (rc == -1) but since rc was 1 success
was returned. This bug is now also fixed.
Bug report and OK job@

Revision 1.12 / (download) - annotate - [select for diffs], Mon Mar 30 12:12:51 2020 UTC (4 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.11: +30 -22 lines
Diff to previous 1.11 (colored)

Delay failure in mft parsing until all elements of FileAndHash have been
checked. This way all corrupted or missing files should show up in a
single run. This should help operators to get a better idea what and how
much is broken.
OK benno@

Revision 1.11 / (download) - annotate - [select for diffs], Mon Mar 30 11:09:03 2020 UTC (4 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.10: +46 -2 lines
Diff to previous 1.10 (colored)

Check the hash and with it the presence of a file referenced in an MFT early
on. In case the file hash does not match or the file does not exist the full
MFT is considered invalid and dropped. With this, partial ROA updates based
on a corrupt data set will be less likely to produce inconsistencies in the VRP
output.
With and OK job@

Revision 1.10 / (download) - annotate - [select for diffs], Fri Nov 29 05:05:46 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.9: +7 -7 lines
Diff to previous 1.9 (colored)

The code is more what you'd call 'guidelines' than actual rules.
s/EXIT_FAILURE/1/
ok claudio@

Revision 1.9 / (download) - annotate - [select for diffs], Thu Nov 28 21:12:00 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)

enable more warning flags and fix a few issues noticed.
ok claudio@ deraadt@

Revision 1.8 / (download) - annotate - [select for diffs], Wed Oct 23 07:36:29 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.7: +48 -55 lines
Diff to previous 1.7 (colored)

Rewrite the time validity check for mfts. Using ASN1_GENERALIZEDTIME_print
and strptime to convert the timestamp does not correctly account for the
timezone. Instead use X509_cmp_time which later on should be replaced with
ASN1_time_tm_cmp since the ASN1_STRING_cmp() check at the end will fail
around 2049.

Problem with timezone reported by Alexandre Hamada (hamada at registro.br).
He also tested this diff.
OK tb@

Revision 1.7 / (download) - annotate - [select for diffs], Tue Aug 13 13:27:26 2019 UTC (4 years, 9 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.6: +6 -4 lines
Diff to previous 1.6 (colored)

Show the most common warnings only if verbose is set. Most of these warnings
were shown because of an inconsistent rpki database and are no real problem.
OK florian@

Revision 1.6 / (download) - annotate - [select for diffs], Thu Jun 20 15:29:01 2019 UTC (4 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.5: +1 -1 lines
Diff to previous 1.5 (colored)

Those changes should not have been in last commit. Revert them for now.

Revision 1.5 / (download) - annotate - [select for diffs], Thu Jun 20 15:26:49 2019 UTC (4 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored)

Don't use assert to validate user input. assert() is not for that, instead
check and error out like it is done on other parsing issues.
Agreed by deraadt@
Fixes another afl "crash" found by jsg@

Revision 1.4 / (download) - annotate - [select for diffs], Wed Jun 19 16:30:37 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +1 -1 lines
Diff to previous 1.3 (colored)

use $OpenBSD$ headers

Revision 1.3 / (download) - annotate - [select for diffs], Wed Jun 19 04:21:43 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +55 -59 lines
Diff to previous 1.2 (colored)

indentation adjustments, in particular near warn statements
ok claudio

Revision 1.2 / (download) - annotate - [select for diffs], Mon Jun 17 15:04:59 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +1 -2 lines
Diff to previous 1.1 (colored)

Don't do -portable in base.  It is better done outside the tree.
Imagine if we did it throughout the tree, how many copies of strlcpy
would we have, and how much time would all the configure shell scripts
and includes take?  It would be ludicrous.

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Mon Jun 17 14:31:31 2019 UTC (4 years, 11 months ago) by job
Branch: job
CVS Tags: job_20190617
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

Import Kristaps Dzonsons' RPKI validator into the tree

rpki-client(1) is an implementation of the Resource Public Key
Infrastructure (RPKI), specified by RFC 6480. The client is responsible
for downloading, validating and converting Route Origin Authorisations
(ROAs) into Validated ROA Payloads (VRPs). The client's output (VRPs)
can be used by bgpd(8) to perform BGP Origin Validation (RFC 6811).

The current rpki-client(1) version depends on the CMS functions in
OpenSSL; this of course needs to be addressed urgently.

Thanks to NetNod, IIS.SE, SUNET & 6connect for supporting this effort!

OK deraadt@

Revision 1.1 / (download) - annotate - [select for diffs], Mon Jun 17 14:31:31 2019 UTC (4 years, 11 months ago) by job
Branch: MAIN

Initial revision
