OpenBSD CVS

CVS log for src/usr.sbin/rpki-client/output-json.c



Default branch: MAIN


Revision 1.49, Sun Apr 21 19:27:44 2024 UTC (6 weeks, 6 days ago) by claudio
Branch: MAIN
CVS Tags: HEAD
Changes since 1.48: +1 -3 lines

P-256 support is experimental so require -x to enable it.

Also clean up the externs a little bit by moving experimental and noop
to extern.h.
Reminded by and OK tb@

Revision 1.48, Mon Apr 8 14:02:13 2024 UTC (2 months ago) by tb
Branch: MAIN
Changes since 1.47: +2 -2 lines

Fix capping of VAPs

The previous approach introduced a cap, but it might not always be hit as
intended (I missed this on review). Fix this to check the cap after merging
an ASPA into an already existing VAP. Also free the list of providers since
nothing should be looking at it anymore.

Count VAPs that hit the limit with a new overflowed counter. There are
still a few aspects of the accounting that probably aren't entirely right.
This will be fixed at another point. It's just statistics after all.

with/ok claudio, ok job

Revision 1.47, Fri Apr 5 16:05:15 2024 UTC (2 months ago) by job
Branch: MAIN
Changes since 1.46: +4 -1 lines

Don't emit Validated ASPAs for Customer ASIDs with more than MAX_ASPA_PROVIDERS

The number of providers in a single ASPA object already was limited to
MAX_ASPA_PROVIDERS, now also impose a limit on the total number of providers
across multiple ASPA objects. If the MAX_ASPA_PROVIDERS limit is hit, omit
the Customer ASID's entry from OpenBGPD and JSON output.

OK tb@

Revision 1.46, Fri Mar 1 08:10:09 2024 UTC (3 months, 1 week ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.45: +4 -1 lines

Add -x to opt into experimental file formats

Instead of burning one letter for each new file format (sidrops is known
to crank out new things faster than a normal person can read), use -x to
opt into parsing and processing file formats that aren't yet considered
stable. This is currently only the Signed Prefix List.  While a repetition
of the ASPA debacle, this code hasn't yet seen enough stress testing to be
enabled by default.

ok claudio job

Revision 1.45, Fri Mar 1 07:59:20 2024 UTC (3 months, 1 week ago) by tb
Branch: MAIN
Changes since 1.44: +27 -19 lines

Factor signed prefix list JSON output into a helper

ok claudio job (as part of a larger diff)

Revision 1.44, Mon Feb 26 15:40:33 2024 UTC (3 months, 1 week ago) by job
Branch: MAIN
Changes since 1.43: +2 -1 lines

Track the number of new files moving from 'staging' to 'validated cache'

The OpenMetrics output shows per-repository counters for new files
added, the main process and JSON output emit the sum of all new files.

OK claudio@

Revision 1.43, Thu Feb 22 12:49:42 2024 UTC (3 months, 2 weeks ago) by job
Branch: MAIN
Changes since 1.42: +26 -2 lines

Add support for RPKI Signed Prefix Lists

Signed Prefix Lists are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@

Revision 1.42, Tue Feb 13 20:41:22 2024 UTC (3 months, 3 weeks ago) by job
Branch: MAIN
Changes since 1.41: +1 -4 lines

Remove the stalemanifests metrics (which are no longer in use)

OK tb@

Revision 1.41, Sat Feb 3 14:30:47 2024 UTC (4 months ago) by job
Branch: MAIN
Changes since 1.40: +4 -2 lines

Refactor handling of stale manifests

No need to hoist a staleness indicator through the whole process and
count it explicitly.

OK tb@

Revision 1.40, Mon Jun 26 18:39:53 2023 UTC (11 months, 1 week ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.39: +8 -23 lines

Decode and validate ASPA objects following the v1 syntax

Through draft-ietf-sidrops-aspa-profile-15, the ASPA profile was
made AFI-agnostic. This represents a simplification for both operators
and implementers in both the RPKI and BGP layers of the stack.

This update changes the JSON structure.

No effort was made to simultaneously support ASPA v0 and v1 objects.

OK tb@ claudio@

Revision 1.39, Mon Jun 5 14:19:13 2023 UTC (12 months ago) by claudio
Branch: MAIN
Changes since 1.38: +6 -6 lines

Add an extra argument compact to json_do_object() to instruct the parser
to dump this object on a single line.

While one can select on an object to object basis for arrays the compact
setting is inherited from the surrounding object.

Requested by job@, OK job@ tb@

Revision 1.38, Fri May 26 14:57:38 2023 UTC (12 months, 2 weeks ago) by claudio
Branch: MAIN
Changes since 1.37: +4 -2 lines

Properly account del_extra_files and add the value to the json header.
OK tb@ (from a larger diff)

Revision 1.37, Wed May 3 09:54:25 2023 UTC (13 months, 1 week ago) by claudio
Branch: MAIN
Changes since 1.36: +9 -9 lines

Convert json_do_printf() with "%s" a fmt string to json_do_string().
OK tb@

Revision 1.36, Thu Apr 27 07:57:25 2023 UTC (13 months, 1 week ago) by claudio
Branch: MAIN
Changes since 1.35: +88 -177 lines

Reimplement output-json.c using json.c from bgpctl.

Much rejoice from tb@ and job@
OK tb@

Revision 1.35, Wed Apr 26 18:34:40 2023 UTC (13 months, 1 week ago) by job
Branch: MAIN
Changes since 1.34: +10 -6 lines

In JSON/ASPA output, only print commas up to after the penultimate applicable provider

Reported by Ties de Kock

OK claudio@

Revision 1.34, Wed Apr 26 17:59:00 2023 UTC (13 months, 1 week ago) by job
Branch: MAIN
Changes since 1.33: +8 -2 lines

Make -A also apply to the JSON output

OK claudio@

Revision 1.33, Wed Apr 26 16:32:41 2023 UTC (13 months, 1 week ago) by claudio
Branch: MAIN
Changes since 1.32: +23 -23 lines

Improve accounting by tracking things by repo and tal.
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric label output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@

Revision 1.32, Thu Apr 20 15:05:44 2023 UTC (13 months, 2 weeks ago) by job
Branch: MAIN
Changes since 1.31: +9 -1 lines

ASPAs solely containing providers limited to one AFI, imply AS 0 for the other AFI

OK claudio@

Revision 1.31, Fri Jan 13 08:58:36 2023 UTC (16 months, 3 weeks ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.30: +17 -18 lines

Add aspa-set to openbgpd config output.

Change the way the validated ASPA tree is built since OpenBGPD config
follows more the ASPA profile and puts the optional AFI to each provider
ASnum instead of duplicating everything into an IPv4 and IPv6 tree.
The JSON output of ASPA is still the same.

The inclusion of the aspa-set can currently be disabled by the -A flag.
OK tb@

Revision 1.30, Thu Dec 15 12:02:29 2022 UTC (17 months, 3 weeks ago) by claudio
Branch: MAIN
Changes since 1.29: +48 -35 lines

Rework statistic collection to be per repository and add metric output option

Many statistic values are now accounted by repository via repo_stat_inc()
At end of the run sum_stats() accumulates these stats per TAL and globally.
The new output file metrics is written when the -m output flag is specified.
The metrics file is written in OpenMetrics format (with a few tweaks to
allow node_exporter to parse the file as well). The ometric code is a copy
from bgpctl(8) and should be kept in sync.
OK tb@

Revision 1.29, Wed Nov 2 12:43:02 2022 UTC (19 months ago) by job
Branch: MAIN
Changes since 1.28: +3 -2 lines

Add support for draft-ietf-sidrops-signed-tal-12

Add support for validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.

OK tb@

Revision 1.28, Tue Aug 30 23:40:37 2022 UTC (21 months, 1 week ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.27: +3 -3 lines

whitespace

Revision 1.27, Tue Aug 30 18:56:49 2022 UTC (21 months, 1 week ago) by job
Branch: MAIN
Changes since 1.26: +80 -3 lines

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@

Revision 1.26, Sun May 15 16:43:34 2022 UTC (2 years ago) by tb
Branch: MAIN
Changes since 1.25: +4 -4 lines

More KNF and whitespace fixes.

Revision 1.25, Wed Apr 20 15:29:24 2022 UTC (2 years, 1 month ago) by tb
Branch: MAIN
Changes since 1.24: +2 -3 lines

Print UTC time with gmtime()

This replaces a strange hack that sets TZ=UTC and calls localtime().
Tweak format string to keep printing UTC.

ok claudio

Revision 1.24, Tue Apr 19 13:52:24 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.23: +2 -2 lines

Change type of talsz and dependent code from size_t to int. Tal ids are
already stored as int and talsz is the limit for these ids.
OK tb@

Revision 1.23, Fri Jan 14 15:00:23 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.22: +3 -2 lines

Introduce a validated cache which holds all the files that have
successfully been verified by rpki-client.

With this the rsync and rrdp directories are more of a temporary storage
location. New files are downloaded there and then moved to the valid
directory at the end. In -n mode only the valid directory is looked at with
the exception of the ta directory holding the trust anchors.
A file can now be in two different locations so adjust all the code paths
that open files to check both locations.
One nice side-effect of this is that the RRDP handling in the main process
got simplified. There is no longer the need for temporary RRDP directories.
OK tb@

Revision 1.15.2.1, Tue Nov 9 13:41:19 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_6_9
Changes since 1.15: +49 -15 lines

rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current
and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40
2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/6.9/common/021_rpki.patch.sig

Revision 1.17.4.1, Tue Nov 9 13:40:32 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_7_0
Changes since 1.17: +46 -13 lines

rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current
and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40
2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/7.0/common/004_rpki.patch.sig

Revision 1.22, Thu Nov 4 11:32:55 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.21: +23 -9 lines

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@

Revision 1.21, Mon Nov 1 17:00:34 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.20: +2 -5 lines

Further simplify cert and auth handling. Move common code into auth_insert
and skip this distinction between invalid and failed certificates.
The difference between the two is getting more and more blurry.
OK tb@

Revision 1.20, Fri Oct 15 08:48:18 2021 UTC (2 years, 7 months ago) by job
Branch: MAIN
Changes since 1.19: +3 -3 lines

Update json key names

OK claudio@

Revision 1.19, Tue Oct 12 15:16:45 2021 UTC (2 years, 7 months ago) by job
Branch: MAIN
Changes since 1.18: +4 -3 lines

Emit SKI in the JSON output and improve flow in x509_get_pubkey()

OK claudio@

Revision 1.18, Mon Oct 11 16:50:03 2021 UTC (2 years, 7 months ago) by job
Branch: MAIN
Changes since 1.17: +26 -5 lines

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@

Revision 1.17, Thu May 6 17:03:57 2021 UTC (3 years, 1 month ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE
Branch point for: OPENBSD_7_0
Changes since 1.16: +4 -3 lines

Add an 'expires' column to CSV & JSON output

The 'expires' value contains a reasonable earliest moment a VRP would expire,
in light of the currently available set of CAs and CRLs. The 'expires' value
can be used to avoid route selection based on stale data when generating VRP
sets, when faced with loss of communication between consumer and validator,
or validator and CA repository.

OK claudio@

Revision 1.16, Wed May 5 17:25:44 2021 UTC (3 years, 1 month ago) by job
Branch: MAIN
Changes since 1.15: +2 -2 lines

Emit an integer instead of a string in JSON output

We added the "AS123" format because this is what the other tools did
and there was the goal to have equal output. However, many in the
community have voiced complaints about having to do string conversions.

OK deraadt@ claudio@

Revision 1.15, Thu Apr 8 19:49:27 2021 UTC (3 years, 2 months ago) by job
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE
Branch point for: OPENBSD_6_9
Changes since 1.14: +6 -3 lines

Expose two extra metrics via JSON

This removes some of the needs of rpki-client aficionados who
screen-scrape rpki-client's STDOUT.

OK deraadt@

Revision 1.14, Wed Dec 9 11:29:04 2020 UTC (3 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.13: +3 -1 lines

Validate ghostbuster records (RFC 6493) but for now do nothing with the
provided vcard payload. This change verifies the certificate of the .gbr
file and makes sure it is valid (like we do for e.g. .roa files).
OK job@

Revision 1.13, Sat Sep 12 15:46:48 2020 UTC (3 years, 8 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.12: +1 -2 lines

Include openssl/x509.h in extern.h since it uses a few of the typedefs from
there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@

Revision 1.12, Sun May 3 20:24:02 2020 UTC (4 years, 1 month ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.11: +5 -3 lines

Use strftime() rather than ctime() to generate timestamps nicer.
ok job, input claudio benno

Revision 1.11, Sun May 3 19:41:54 2020 UTC (4 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.10: +2 -2 lines

Make it clear the date is in UTC.
ok job

Revision 1.10, Thu Apr 30 13:46:39 2020 UTC (4 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.9: +6 -2 lines

Place elapsed, user, and system time for processing in the comment headers.
ok job benno claudio

Revision 1.9, Wed Apr 29 04:29:40 2020 UTC (4 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.8: +4 -4 lines

json should have headers in same order

Revision 1.8, Tue Apr 28 15:04:05 2020 UTC (4 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.7: +29 -39 lines

re-organize statistics printing code, to make it less verbose and
more readable.

Revision 1.7, Tue Apr 28 13:41:35 2020 UTC (4 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.6: +63 -3 lines

Print statistics as comments at the top of the files which can take
comments.
ok claudio job

Revision 1.6, Wed Dec 4 23:03:05 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.5: +6 -6 lines

use return x; instead of return (x);, like all other files here.
ok deraadt@

Revision 1.5, Wed Dec 4 12:40:17 2019 UTC (4 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.4: +15 -14 lines

split output management code into separate file. iterate over output
methods using a table.  detect output truncation (for instance filesystem
full) and don't overwrite previous output
ok claudio

Revision 1.4, Mon Dec 2 02:11:13 2019 UTC (4 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +2 -3 lines

output_createtmp() remembers the true name, so output_finish() does not
need to replay it.

Revision 1.3, Sat Nov 30 02:31:12 2019 UTC (4 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +8 -2 lines

Tweak rpki-client to create all 4 output file formats from a single
compute, based upon flags.  OpenBGPD compatible format by default if
no options, to integrate with bgpd.conf and bgpctl reload.  Adapt
mtree and stuff.  This will receive further refactoring...
ok benno job

Revision 1.2, Wed Oct 16 17:38:46 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.1: +1 -6 lines

Clean up header includes. Most are no longer required.

Revision 1.1, Tue Oct 8 10:04:36 2019 UTC (4 years, 8 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6

Rewrite the output handling of rpki-client and add an option to dump the
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additionally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexicographical.
Agreed by job@ deraadt@
