OpenBSD CVS

CVS log for src/usr.sbin/rpki-client/parser.c

Default branch: MAIN

Revision 1.139, Fri Jun 7 13:24:35 2024 UTC, by tb
Branch: MAIN
CVS Tags: HEAD
Changes since 1.138: +7 -10 lines

rpki-client: if anything changed, choose the freshly-fetched TA

Instead of just looking at the serial number it's easier to use X509_cmp().
This compares the certs' hashes computed during the extension caching. This
is currently SHA-512 for LibreSSL and SHA-1 for OpenSSL, which is good
enough. After all, the TA certs were signed by a trusted source and if you
choose to use OpenSSL this won't be the worst of your problems.

ok job

Revision 1.138, Fri Jun 7 11:48:05 2024 UTC, by job
Branch: MAIN
Changes since 1.137: +17 -8 lines

Fine-tune the TA tiebreaker logic

Additional tiebreaker: prefer TA certificates with the narrower validity window

OK tb@

Revision 1.137, Fri Jun 7 08:33:12 2024 UTC, by tb
Branch: MAIN
Changes since 1.136: +89 -30 lines

Rework trust anchor handling

Mimic the approach already taken from manifests and compare the trust
anchor fetched from the net with the one in the cache (if any). This
allows us to choose which one to use and pick the one we like better.
We currently look at the notBefore date and pick the later one or
pick the new one if the serialNumber changed. These conditions will
be tweaked in tree.

This prevents replay attacks where a man in the middle could feed us
still valid TA certificates with outdated internet number resources.

This is not currently an issue since all currently valid TA certs from
the RIRs have the same set of resources. Some TA certificates in the RPKI
expire so far in the future that its 32-bit time is again positive.
Things may well change in the next 100 years...

Problem pointed out to us by Ties de Kock a long time ago.

with and ok claudio
ok job

Revision 1.136, Mon May 20 15:51:43 2024 UTC, by claudio
Branch: MAIN
Changes since 1.135: +46 -20 lines

Instead of tracking certificates by SKI track them by an internal identifier.

The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can lookup the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer lookup by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.

The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.

In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.

Done together with tb@
OK tb@ job@

Revision 1.135, Sun Apr 21 19:27:44 2024 UTC, by claudio
Branch: MAIN
Changes since 1.134: +1 -5 lines

P-256 support is experimental so require -x to enable it.

Also clean up the externs a little bit by moving experimental and noop
to extern.h.
Reminded by and OK tb@

Revision 1.134, Wed Apr 17 15:03:22 2024 UTC, by tb
Branch: MAIN
Changes since 1.133: +5 -6 lines

Simplify super ugly exit path

ok job

Revision 1.133, Wed Apr 17 15:00:50 2024 UTC, by job
Branch: MAIN
Changes since 1.132: +1 -2 lines

Remove outdated (now inaccurate) warning message

OK tb@

Revision 1.132, Mon Apr 15 13:57:45 2024 UTC, by job
Branch: MAIN
Changes since 1.131: +4 -1 lines

Use the manifest location as additional differentiator when comparing CRLs

OK tb@

Revision 1.131, Tue Mar 19 05:04:13 2024 UTC, by tb
Branch: MAIN
Changes since 1.130: +2 -2 lines

Rename parent to issuer in struct auth

Parent is confusing and issuer is the appropriate terminology. This is
a mechanical diff. The only remaining uses of 'parent' in this code
base now mean 'parent process'.

discussed with beck and job
ok job

Revision 1.130, Fri Mar 1 08:10:09 2024 UTC, by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.129: +12 -4 lines

Add -x to opt into experimental file formats

Instead of burning one letter for each new file format (sidrops is known
to crank out new things faster than a normal person can read), use -x to
opt into parsing and processing file formats that aren't yet considered
stable. This is currently only the Signed Prefix List.  While a repetition
of the ASPA debacle, this code hasn't yet seen enough stress testing to be
enabled by default.

ok claudio job

Revision 1.129, Thu Feb 22 12:49:42 2024 UTC, by job
Branch: MAIN
Changes since 1.128: +50 -1 lines

Add support for RPKI Signed Prefix Lists

Signed Prefix Lists are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@

Revision 1.128, Sat Feb 3 14:30:47 2024 UTC, by job
Branch: MAIN
Changes since 1.127: +3 -3 lines

Refactor handling of stale manifests

No need to hoist a staleness indicator through the whole process and
count it explicitly.

OK tb@

Revision 1.127, Sat Feb 3 11:27:55 2024 UTC, by tb
Branch: MAIN
Changes since 1.126: +3 -4 lines

proc_parser_mft: simplify logic slightly

This aligns the mft2 case with mft1. There's still a bunch of cleanup
needed in here, but the logic seems to converge to something mere mortals
can follow.

ok job

Revision 1.126, Fri Feb 2 22:09:56 2024 UTC, by tb
Branch: MAIN
Changes since 1.125: +16 -23 lines

Rework proc_parser_mft() further

By making proc_parser_mft_check() fail on a NULL manifest, we can
simplify the manifest selection logic further. This way we can see if
the new manifest has all the files it lists with correct hashes and
fall back to mft2 if not. This is still more complicated and uglier
than it should be, but far less convoluted and mind-bending than a day
ago.

ok job

Revision 1.125, Fri Feb 2 19:31:59 2024 UTC, by job
Branch: MAIN
Changes since 1.124: +4 -5 lines

Update the comment

Revision 1.124, Fri Feb 2 19:26:26 2024 UTC, by job
Branch: MAIN
Changes since 1.123: +12 -18 lines

no longer check staleness in proc_parser_mft

invert logic for readability

OK tb@

Revision 1.123, Fri Feb 2 18:59:35 2024 UTC, by tb
Branch: MAIN
Changes since 1.122: +17 -32 lines

parser: inline last call to proc_parser_mft_post()

with and ok job

Revision 1.122, Fri Feb 2 18:22:45 2024 UTC, by tb
Branch: MAIN
Changes since 1.121: +2 -1 lines

fix previous: a *mp = mft1 got lost

ok job

Revision 1.121, Fri Feb 2 18:11:12 2024 UTC, by job
Branch: MAIN
Changes since 1.120: +13 -7 lines

refactor: don't call proc_parser_mft_post for the first mft

should be exact same behaviour as before

OK tb@

Revision 1.120, Fri Feb 2 16:41:41 2024 UTC, by tb
Branch: MAIN
Changes since 1.119: +2 -6 lines

parser: no need to overload err1 twice.

err2 is only used in the second call to proc_parser_mft_proc() and
right before it there is already an error overload.

ok job

Revision 1.119, Fri Feb 2 16:15:08 2024 UTC, by job
Branch: MAIN
Changes since 1.118: +10 -12 lines

refactor: populate mft->path in the pre parser

OK tb@

Revision 1.118, Fri Feb 2 14:13:58 2024 UTC, by job
Branch: MAIN
Changes since 1.117: +15 -16 lines

refactor: no longer needed to pass loc to the mft preparser

OK tb@

Revision 1.117, Fri Feb 2 13:40:50 2024 UTC, by job
Branch: MAIN
Changes since 1.116: +20 -19 lines

refactor: move parse_filepath() to avoid pointer indirection

OK tb@

Revision 1.116, Fri Feb 2 12:35:15 2024 UTC, by job
Branch: MAIN
Changes since 1.115: +17 -16 lines

refactoring: move time validity window checks out of proc_parser_mft_post()

OK tb@

Revision 1.115, Fri Feb 2 12:23:16 2024 UTC, by job
Branch: MAIN
Changes since 1.114: +11 -11 lines

Rework error messages a bit

OK tb@

Revision 1.114, Thu Feb 1 09:50:15 2024 UTC, by tb
Branch: MAIN
Changes since 1.113: +2 -2 lines

proc_parser_mft_pre: tweak a warning message

discussed with job

Revision 1.113, Wed Jan 31 06:57:21 2024 UTC, by tb
Branch: MAIN
Changes since 1.112: +24 -5 lines

Introduce and use mft_compare_issued()

Newly issued manifests should not only have a higher manifestNumber,
their issuance time should also be later. Add corresponding checks
and warnings when comparing a newly fetched manifest to a manifest
from the cache.

ok job (who noticed that such a check was missing)

Revision 1.112, Wed Jan 31 06:54:43 2024 UTC, by tb
Branch: MAIN
Changes since 1.111: +2 -2 lines

Rename mft_compare() to mft_compare_seqnum()

This makes it clearer what exactly this function compares. Also drop some
NULL checks that made the semantics of this function tricky.

ok job

Revision 1.111, Wed Jan 31 06:53:21 2024 UTC, by tb
Branch: MAIN
Changes since 1.110: +33 -17 lines

Pull mft comparison into proc_parser_mft_pre()

This way we can be sure more easily that both manifests are non-NULL,
thus avoiding some NULL checks and risk of use-after-free. This also
makes it clearer which manifest is the "older" one and will simplify
an upcoming commit doing issuance time comparison.

This adds a bit of a hack to proc_parser_mft_pre() to ensure we don't
look into DIR_TEMP in noop mode.

ok job

Revision 1.110, Wed Jan 31 06:48:27 2024 UTC, by tb
Branch: MAIN
Changes since 1.109: +13 -10 lines

proc_parser_mft_pre: move freeing into an error path

Simplifies subsequent commits which will use the same exit path.

ok job

Revision 1.109, Wed Jan 31 06:46:31 2024 UTC, by tb
Branch: MAIN
Changes since 1.108: +3 -3 lines

proc_parser_mft: fix overloading of error

parser.c r1.101 switched the meaning of mft1 and mft2, but did not
fix up the overloading of the error from the temporary file if both
are set.

ok job

Revision 1.108, Thu Jan 18 14:34:26 2024 UTC, by job
Branch: MAIN
Changes since 1.107: +2 -2 lines

The CRL's purported signing time actually is called thisUpdate, not lastUpdate

OK tb@ claudio@

Revision 1.107, Mon Jan 8 19:46:19 2024 UTC, by tb
Branch: MAIN
Changes since 1.106: +4 -2 lines

Only use DIR_VALID in noop mode

Looking in DIR_TEMP will not find a file, resulting in lots of ugly
printf (null). This is another bandaid until I figure out how to fix
my fix for this function...

with/ok job

Revision 1.106, Fri Dec 29 17:15:10 2023 UTC, by tb
Branch: MAIN
Changes since 1.105: +2 -2 lines

Pass correct file to warnx()

We end up here only if mft1 == NULL, which can happen because file1 == NULL.
Use file2 instead because mft2 != NULL implies file2 != NULL.

ok job

Revision 1.105, Fri Dec 29 14:35:43 2023 UTC, by job
Branch: MAIN
Changes since 1.104: +4 -5 lines

Fix a NULL access or use-after-free bug

This is a bandaid, the proc_parser_mft() is too complex and needs reworking

OK tb@

Revision 1.104, Mon Dec 18 23:42:20 2023 UTC, by job
Branch: MAIN
Changes since 1.103: +6 -5 lines

Rephrase some warnings related to Manifests

Feedback from Tom Harrison (APNIC)

with and OK tb@

Revision 1.103, Mon Dec 11 19:05:20 2023 UTC, by job
Branch: MAIN
Changes since 1.102: +10 -1 lines

Warn when the same manifestNumber is recycled across multiple issuances of that manifest

OK tb@

Revision 1.102, Mon Dec 11 15:50:23 2023 UTC, by job
Branch: MAIN
Changes since 1.101: +8 -3 lines

Log a warning when a manifest replay is detected

OK tb@ claudio@

Revision 1.101, Sat Dec 9 00:44:18 2023 UTC, by job
Branch: MAIN
Changes since 1.100: +25 -6 lines

Following a failed fetch, use a previously cached and valid Manifest

RPKI Manifests enable Relying Parties (RPs) to detect replay attacks,
unauthorized in-flight modification, or deletion of signed objects. RPs
can accomplish these security functions by comparing (what is expected
to be) a monotonically increasing counter (the 'manifestNumber') - to
determine what the latest Manifest is; a list of filenames - in order to
establish whether the complete set of files was fetched; and a list of
SHA256 message digests to ascertain whether the contents of said files
are exactly the same as the CA intended them to be.

Over time, two schools of thought arose. One philosophy is that the
highest numbered cryptographically valid Manifest represents the express
intent of the CA, so if manifest-listed files are missing, someone
upstream messed up and gets to enjoy the broken pieces. After all, RFC
9286 section 5.2 puts the onus firmly on the repository operator to
publish in a consistent manner. Here, "consistent" means that newly
issued manifests - in the same RRDP delta - are bundled together with
all new or changed ROAs, and that remote RSYNC repositories are
atomically updated (for example, using symlink pivots).

To overcome various types of inconsistent, transient, or intermediate
states of the remote publication point - previous versions of rpki-client
did construct the full CARepository state using a mix of objects from both
its local validated cache and the RRDP/RSYNC staging directories
(which contain purported new versions of the objects).

However, another take on RFC 9286 section 6.6's "use cached versions of
the objects" is that 'the objects' not only refers to the listed
subordinate products (such as ROAs/Certificates/ASPAs), but also to
Manifests themselves. The philosophy being that lower numbered
cryptographically valid Manifests with a complete & untampered set of
files are to be preferred over a higher numbered cryptographically valid
Manifests accompanied by incomplete sets of files. Consequently -
potentially - producing more stable VRP outputs, at the expense of being
magnanimous towards sloppy CAs and repository operators.

Going forward, rpki-client logs errors when inconsistent publications
are encountered, but also proceeds to use older cryptographically valid
Manifests (from previous successful fetches) in order to construct
the tree.

With and OK tb@, and also thanks to Ties de Kock from RIPE NCC.

Revision 1.100, Fri Oct 13 12:06:49 2023 UTC, by job
Branch: MAIN
Changes since 1.99: +9 -1 lines

Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@

Revision 1.99, Mon Sep 25 11:08:45 2023 UTC, by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.98: +18 -18 lines

Pass the talid to various parse functions

This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.

ok claudio job

Revision 1.98, Wed Aug 30 10:01:52 2023 UTC, by job
Branch: MAIN
Changes since 1.97: +2 -2 lines

Fix comments

OK tb@

Revision 1.97, Thu Jun 29 10:28:25 2023 UTC, by tb
Branch: MAIN
Changes since 1.96: +2 -2 lines

Retire log.c

Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.

suggested by claudio
ok job

Revision 1.96, Tue May 30 16:02:28 2023 UTC, by job
Branch: MAIN
Changes since 1.95: +49 -10 lines

Fixup file modification timestamps to optimize failover from RRDP to RSYNC

In the RSYNC protocol a file's last modification time and its size are
used to determine whether sending a (partial) copy over the wire is needed.
Previously, when RRDP data structures are serialized to disk, the mtime of
files in DIR_VALID ended up being UTIME_NOW.

Thus, the mtimes of files obtained through RRDP will never match the mtimes
of the same files available through RSYNC - causing each and every file to
be added to the file transfer list.

Instead, use the internal timestamps of RPKI files as the last modified
timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs)
the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files
the CRL lastUpdate. This results in a surprising optimization for the number
of files which have to be transferred.

OK claudio@

Revision 1.95, Tue May 30 12:14:48 2023 UTC, by claudio
Branch: MAIN
Changes since 1.94: +8 -5 lines

Revert commitid ANSBO0rBvIUtTi45:
   Make rpki-client choose the verification time of the time it is invoked
   rather than always getting the current system time for every certificate
   verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.

This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@

Revision 1.94, Thu May 11 20:13:30 2023 UTC, by job
Branch: MAIN
Changes since 1.93: +3 -2 lines

Print the manifestNumber when warning about unrecoverable message digest mismatches

This makes it easier to understand "when" certain error conditions arose.

OK tb@

Revision 1.93, Thu Apr 27 08:37:53 2023 UTC, by beck
Branch: MAIN
Changes since 1.92: +5 -8 lines

Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.

ok tb@ claudio@

Revision 1.92, Wed Apr 26 22:05:28 2023 UTC, by beck
Branch: MAIN
Changes since 1.91: +2 -2 lines

Add a -P option to rpki-client to specify the evaluation time

This is intended to be able to test rpki-client in a reproducible
way without worrying about the system time changing the results

ok claudio@

Revision 1.91, Wed Apr 26 16:32:41 2023 UTC, by claudio
Branch: MAIN
Changes since 1.90: +6 -1 lines

Improve accounting by tracking things by repo and tal.
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric label output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@

Revision 1.90, Thu Apr 13 17:04:02 2023 UTC, by job
Branch: MAIN
Changes since 1.89: +29 -17 lines

Check whether products listed on a manifest were issued by the same authority as the manifest itself

OK tb@

Revision 1.89, Mon Mar 13 09:24:37 2023 UTC, by job
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.88: +5 -5 lines

Rename some data fields to closer match their provenance

OK tb@

Revision 1.88, Sun Mar 12 11:54:56 2023 UTC, by job
Branch: MAIN
Changes since 1.87: +3 -22 lines

Refactor expiration calculation

Unify common code paths which find the exact expiry moment into a new
helper function. Additionally, the new helper offers more accuracy by
checking more applicable CRLs whether their 'nextupdate' is 'sooner'.

tb@ noted: The helper adds a multiplier of log(#crls), but that's
certainly acceptable as it is still very cheap.

OK tb@

Revision 1.87, Fri Mar 10 12:44:56 2023 UTC, by job
Branch: MAIN
Changes since 1.86: +9 -9 lines

mechanical change, rename struct members to match the original X509 names

OK tb@

Revision 1.86, Thu Feb 23 13:06:42 2023 UTC, by tb
Branch: MAIN
Changes since 1.85: +34 -31 lines

rpki-client: simplify parse_load_crl_from_mft()

Now that we always inspect both locations if necessary, we can do away
with the loop and simply have the only caller call twice. Removes a
bunch of clever complexity and streamlines the code quite a bit.

ok claudio job

Revision 1.85, Thu Feb 23 09:50:40 2023 UTC, by claudio
Branch: MAIN
Changes since 1.84: +42 -23 lines

When parsing MFT the CRL referenced by the MFT is loaded and verified at
the same time. So in case of a valid crl pass the CRL filename as entity
message to the parent process together with the MFT. This way the MFT and
CRL end up both in the valid cache even if some files in the MFT are missing.
On severe errors (like X.509 verify errors) the CRL is not moved since it
is not considered valid.
With and OK job@, tb@

Revision 1.84, Tue Feb 21 17:06:52 2023 UTC, by tb
Branch: MAIN
Changes since 1.83: +27 -29 lines

rpki-client: refactor manifest/crl parsing a bit

Now that we always try to load the CRL from both locations, we can deal
with loading the DER directly in proc_parser_mft_pre(), so shuffle the
code around to accomplish that. This should make an upcoming diff by
claudio a bit simpler.

ok claudio

Revision 1.83, Tue Feb 21 11:13:05 2023 UTC, by job
Branch: MAIN
Changes since 1.82: +2 -2 lines

Check all possible storage areas for a matching CRL

This change makes proc_parser_mft_pre() -> parse_load_crl_from_mft()
search in both DIR_TEMP and DIR_VALID for a CRL with a matching SHA256
hash, increasing our chances of constructing a full publication point.

With and OK tb@ claudio@

Revision 1.82, Fri Jan 6 16:06:43 2023 UTC, by claudio
Branch: MAIN
Changes since 1.81: +7 -18 lines

Rework the main <-> parser/filemode communication protocol a bit.

Swap repo_id and filename to simplify the code in parser.c. In filemode
both repo_id and filename are ignored.
Additionally do not errx() in case of unknown file types. Instead send back
enough info that the code can move on.

OK tb@

Revision 1.81, Thu Dec 15 12:02:29 2022 UTC, by claudio
Branch: MAIN
Changes since 1.80: +17 -1 lines

Rework statistic collection to be per repository and add metric output option

Many statistic values are now accounted by repository via repo_stat_inc()
At end of the run sum_stats() accumulates these stats per TAL and globally.
The new output file metrics is written when the -m output flag is specified.
The metrics file is written in OpenMetrics format (with a few tweaks to
allow node_exporter to parse the file as well). The ometric code is a copy
from bgpctl(8) and should be kept in sync.
OK tb@

Revision 1.80, Tue Nov 29 20:26:22 2022 UTC, by job
Branch: MAIN
Changes since 1.79: +1 -2 lines

Only include assert.h if we call assert()

OK tb@

Revision 1.79, Tue Nov 29 10:33:09 2022 UTC, by claudio
Branch: MAIN
Changes since 1.78: +51 -27 lines

Return an error string instead of suppressing the warning in valid_x509.
This way manifests can show a better error message when something fails.
With and OK tb@

Revision 1.78, Wed Nov 2 12:43:02 2022 UTC, by job
Branch: MAIN
Changes since 1.77: +42 -1 lines

Add support for draft-ietf-sidrops-signed-tal-12

Add support for validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.

OK tb@

Revision 1.77, Sat Sep 3 21:24:02 2022 UTC, by job
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.76: +5 -2 lines

Properly free() crl & auth tree in parser process

OK claudio@

Revision 1.76, Sat Sep 3 13:30:27 2022 UTC, by claudio
Branch: MAIN
Changes since 1.75: +4 -2 lines

Add the repoid of the cert in the cert struct. This way it is possible
to track the parent repository id of a publication point.
Nomenclature is confusing but not much we can do here.
OK tb@ job@

Revision 1.75, Tue Aug 30 18:56:49 2022 UTC, by job
Branch: MAIN
Changes since 1.74: +49 -1 lines

Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)

ASPA objects are published in the RPKI and can be used to detect and
mitigate BGP route leaks. Validated ASPA Payloads are visible through
filemode (-f) and the JSON output format (-j).

With feedback from tb@

OK claudio@ tb@

Revision 1.74, Fri Aug 19 12:45:53 2022 UTC, by tb
Branch: MAIN
Changes since 1.73: +1 -9 lines

Check the resources in ROAs and RSCs against EE certs

The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.

Do this as part of ROA and RSC parsing; that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.

All this is a bit more annoying and intrusive than it should be...

ok claudio job

Revision 1.73, Thu Apr 21 12:59:03 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.72: +18 -38 lines

Further refactor and cleanup filemode.c: mainly remove the copies of
proc_parser_cert_validate() and proc_parser_root_cert() and adjust
parse_load_certchain() and parse_load_ta() respectively.
Also cleanup the functions in parser.c and make it possible to call
ta_parse and cert_parse with a NULL cert.
OK tb@

Revision 1.72, Thu Apr 21 09:53:07 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.71: +10 -587 lines

The filemode code is different enough from the regular parser code that it
makes sense to totally split it out. Duplicate proc_parser_cert_validate()
and proc_parser_root_cert() for now.

The valid_x509() plus the required static functions are moved to validate.c.
The crl_tree code moved into crl.c similar to the auth_tree handling in
cert.c. All the proc functions are now tagged with __attribute(noreturn)
which allows removing the errx() after them.

OK tb@

Revision 1.71, Wed Apr 20 15:13:08 2022 UTC (2 years, 1 month ago) by job
Branch: MAIN
Changes since 1.70: +10 -11 lines

Improve proc_parser_file handling of Trust Anchors

OK tb@

Revision 1.70, Wed Apr 20 10:46:20 2022 UTC (2 years, 1 month ago) by job
Branch: MAIN
Changes since 1.69: +39 -18 lines

Add Concatenated JSON output in filemode (rpki-client -j -f *)

The schema is still work in progress.

OK claudio@

Revision 1.69, Tue Apr 19 13:25:08 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.68: +2 -2 lines

Make it a hard error when an unknown repository id is passed to
parse_filepath(). If that happens something went very wrong and
it is better to fail hard than to limp along.
OK tb@

Revision 1.68, Tue Apr 19 09:52:29 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.67: +114 -125 lines

Adjust on how CRL and MFT files are verified.

Verify the CRL referenced from the mft against the mft's fileAndHash info.
If the CRL matches then load it and use it to validate this mft. If the
mft validated OK add the now also valid CRL to the auth store for later use.

Before the newest CRL was always selected but that has negative consequences
because it is common practice to revoke the previous MFT's EE cert and with
that the cache is turned useless as soon as a new CRL is used. Also there
was a possibility that the CRL used for validation of the MFT was not the
one later used.

Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part
of the validation process. We opted in favor of the cached MFT.

With and OK tb@

Revision 1.67, Mon Apr 11 18:59:23 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.66: +7 -1 lines

Refactor on how the subprocesses are started.

Move the unveil and pledges to the actual subprocesses and put all the
common code to start these into process_start(). Reduces the length of
main() a fair bit.
OK tb@

Revision 1.7.2.2, Sun Apr 10 07:37:52 2022 UTC (2 years, 1 month ago) by tb
Branch: OPENBSD_6_9
Changes since 1.7.2.1: +3 -3 lines
Branch point: 1.7, next main revision: 1.8

All times in the x509 are UTC so use timegm() and not mktime().
The latter will apply the timezone offset and so the further west
the more probable you are to have problems with valid_from times.
Fix from tb@
OK job@, benno@ and claudio@

this is errata/6.9/036_rpki.patch.sig

Revision 1.11.4.2, Sun Apr 10 07:37:27 2022 UTC (2 years, 1 month ago) by tb
Branch: OPENBSD_7_0
Changes since 1.11.4.1: +3 -3 lines
Branch point: 1.11, next main revision: 1.12

All times in the x509 are UTC so use timegm() and not mktime().
The latter will apply the timezone offset and so the further west
the more probable you are to have problems with valid_from times.
Fix from tb@
OK job@, benno@ and claudio@

this is errata/7.0/020_rpki.patch.sig

Revision 1.66, Sat Apr 2 12:17:53 2022 UTC (2 years, 2 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.65: +64 -7 lines

Split certificate parsing in two steps. cert_parse_pre() which does
the parse and some checks and cert_parse() or ta_parse() to do the
additional checks for regular certs or TAs.
With this adjust the cert parser in -f mode to identify TAs (by checking
if it is self signed) and adjust the validation in that case. Now -f
should be able to parse and show all objects correctly.
With and OK tb@

Revision 1.65, Fri Apr 1 17:22:07 2022 UTC (2 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.64: +10 -3 lines

Change x509_get_aki(), x509_get_ski(), x509_get_aia(), and x509_get_crl()
to work more like x509_get_expire(). They will return an error if the
extension extraction failed but not if it was not present. The callers
must now do that check but most did already.
With this cert_parse_inner() no longer cares about TA vs non-TA certs.
Feedback and OK tb@

Revision 1.64, Thu Feb 10 15:33:47 2022 UTC (2 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.63: +16 -22 lines

Implement some code to print crls with -f.
For this introduce x509_get_time() that converts an ASN1_TIME to time_t.
Also move time2str() to print.c where it makes more sense.
This needs more work but that will happen in tree.
OK tb@

Revision 1.63, Tue Feb 8 14:53:03 2022 UTC (2 years, 3 months ago) by tb
Branch: MAIN
Changes since 1.62: +83 -28 lines

Check CRLs also for manifests

There is a chicken-and-egg problem here since manifests reference the CRL themselves.
We may also have two CRLs available, in which case we check against the
one with the newer thisUpdate time.

The RFC situation is a bit of a mess with abundant complexity, unclear
recommendations and requirements and draft specs that also need to be
considered. This is a first version that works with future improvements
to be landed later.

Joint work with claudio, prompted by a question by job

ok claudio job

Revision 1.62, Tue Feb 8 12:35:14 2022 UTC (2 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.61: +3 -2 lines

Before loading the certificate chain for the file under inspection check
if the AKI cert is not already present. This fixes a problem when a top
level MFT is displayed.
Report and OK job@, OK tb@

Revision 1.61, Tue Feb 8 11:51:51 2022 UTC (2 years, 3 months ago) by tb
Branch: MAIN
Changes since 1.60: +8 -37 lines

Move the guts of proc_parser_crl() into crl_parse(). This is actually
parsing the CRL, so it makes more sense to have it there. It will also
make an upcoming change easier. While there, rename free_crl() into
crl_free() for consistency with all other *_free() functions.

input/ok claudio

Revision 1.60, Fri Feb 4 16:29:43 2022 UTC (2 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.59: +3 -3 lines

whitespace

Revision 1.59, Fri Feb 4 16:21:11 2022 UTC (2 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.58: +15 -3 lines

Enforce Certificate Policy for RPKI

RFC 6384 defines a certificate policy for RPKI. Ensure that the verifier
builds a certification path that follows this OID: set up a policy on the
X509_STORE_CTX's verify parameters and set initial-explicit-policy and
initial-policy-mapping-inhibit.

Pointed out by Ties de Kock

ok claudio

Revision 1.58, Fri Jan 28 15:30:23 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.57: +158 -85 lines

Properly handle .mft files as intended by the RFC. Instead of always
selecting the newest file this opens both the new (from rrdp or rsync)
and old (valid) MFT. It then compares the manifest number and based on
that the 'newer' MFT is selected.
The MFT file and hash check is also changed to always try both locations
and selecting whatever matches up with the hash. The selection is passed
back to the main process and used later on to open exactly the same
file as was checked against the hash.
The MFT parsing code has been split up into multiple steps so that the
files can be parsed, compared and then fully validated.
In most cases this makes no difference but it prevents replay attacks
using old but still valid files.
With and OK tb@

Revision 1.57, Fri Jan 28 06:33:27 2022 UTC (2 years, 4 months ago) by guenther
Branch: MAIN
Changes since 1.56: +2 -2 lines

When it's the possessive of 'it', it's spelled "its", without the
apostrophe.

Revision 1.56, Wed Jan 26 14:42:39 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.55: +13 -7 lines

Allow rsync:// URI as file in -f mode. This makes it easier to explore
rpki repositories by following AIA and manifest URIs.
Also stop checking that the loaded file is not part of the auth tree,
it is possible that this file was loaded before as a dependency.
OK tb@

Revision 1.55, Wed Jan 26 13:57:56 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.54: +14 -24 lines

Change the repository layout by removing the valid directory. Everything
that was in that directory is now in the cachedir root. The rsync and
rrdp directories are now .rsync/ and .rrdp/. The ta/ directory still
remains because TAs are special.
Idea and most of the diff from job@
OK tb@ and benno@

Revision 1.54, Mon Jan 24 17:29:37 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.53: +4 -12 lines

Adjust code to handle unsupported file types a bit more gracefully.
The file still needs to match its hash to make the MFT valid but then
there will only be a warning printed. Parsing of other files from that
MFT is not influenced.
OK tb@

Revision 1.53, Sun Jan 23 12:09:24 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.52: +5 -2 lines

Handle EINTR the same way in all poll loops. In all cases restart the
poll loop. In the main process move the timeout handling for repositories
into a single function that does the timeouts and the calculation of the
timeout in one go.
OK tb@

Revision 1.52, Sun Jan 23 07:21:12 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.51: +17 -7 lines

Allow rpki-client to display more than one file in -f mode.
Change -f to be a mode flag and pass one or multiple files as arguments
to rpki-client. Some extra checks need to be done to not load the same
certificate or CRL multiple times.
Input and OK tb@

Revision 1.51, Sun Jan 23 05:59:35 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.50: +13 -11 lines

Simplify valid_cert() and valid_roa() by passing in struct auth instead
of looking it up again. For this valid_roa() needs to be moved up in
proc_parser_roa() also move out the assignment of the TAL id. Not the
right thing to alter an object in a validation function.
OK tb@

Revision 1.50, Sat Jan 22 09:18:48 2022 UTC (2 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.49: +2 -2 lines

Change valid_filename() to return an enum rtype and rename it to
rtype_from_mftfile(). Move both rtype_from functions to mft.c.

ok beck claudio

Revision 1.49, Fri Jan 21 18:49:44 2022 UTC (2 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.48: +2 -18 lines

Add function to determine the file type from the file name extension

rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().

input/ok claudio

Revision 1.48, Fri Jan 21 14:08:33 2022 UTC (2 years, 4 months ago) by tb
Branch: MAIN
Changes since 1.47: +3 -1 lines

Avoid out-of-bounds accesses in case the filename is too short to
contain an extension of length four.

ok claudio

Revision 1.47, Thu Jan 20 16:36:19 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.46: +4 -41 lines

Move the notBefore and notAfter checks from proc_parser_root_cert()
to ta_parse(). This fits better there. Also drop extracting and
printing the x509 subject of the TAs. The subject is more or less
the filename anyway which is already printed.
OK tb@

Revision 1.46, Thu Jan 20 09:24:08 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.45: +4 -4 lines

Rename mft_check() to proc_parser_mft_check() and make it a static function.

Revision 1.45, Wed Jan 19 15:50:31 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.44: +344 -18 lines

Implement a filemode where the passed file from the command line is
printed in human readable form and is also verified against the valid
cache of rpki-client.

To validate the file the chain is explored backwards by looking at the
Authority Information Access URI and X509v3 CRL Distribution Point of
the cert. Once the trust anchor is found this chain can be verified.

Feedback and OK job@ tb@

Revision 1.44, Tue Jan 18 18:19:47 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.43: +12 -12 lines

Pass the X509_V_FLAG_CRL_CHECK flag as argument to valid_x509().
For mfts this flag is cleared since the CRL is referenced by the MFT itself.
Also remove some if (crl != NULL) checks since they are not needed.
The functions protected by it are all handling NULL as an input.
OK job@ tb@

Revision 1.43, Tue Jan 18 16:36:49 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.42: +8 -20 lines

Change cert_parse() and ta_parse() to no longer take an x509 handle as
argument. The x509 cert is also inside struct cert and easy to access.
Also switch auth_insert() to a void function since it can't fail.
OK tb@

Revision 1.42, Tue Jan 18 16:29:06 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.41: +175 -158 lines

More fixing. Previous revert was incomplete.

Revision 1.41, Tue Jan 18 16:24:55 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.40: +162 -204 lines

Revert all the files that should have not been committed in last commit.

Revision 1.40, Tue Jan 18 16:18:22 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.39: +30 -5 lines

Kill extra newline

Revision 1.39, Tue Jan 18 13:46:07 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.38: +56 -103 lines

Unify the various X509_verify_cert() calls and the boiler plate code around
it into its own function valid_x509(). Simplifies the code substantially.
This may report a few more errors for .roa and .gbr files but IMO that
special case was a left-over from a long time ago.
OK tb@

Revision 1.38, Tue Jan 18 13:06:43 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.37: +2 -1 lines

Cleanup the scattered OBJ_txt2obj() calls and move them into
x509_init_oid() to initialize all necessary OID objects at start.
OK tb@

Revision 1.37, Fri Jan 14 15:00:23 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.36: +111 -50 lines

Introduce a validated cache which holds all the files that have
successfully been verified by rpki-client.

With this the rsync and rrdp directories are more of a temporary storage
location. New files are downloaded there and then moved to the valid
directory at the end. In -n mode only the valid directory is looked at with
the exception of the ta directory holding the trust anchors.
A file can now be in two different locations so adjust all the code paths
that open files to check both locations.
One nice side-effect of this is that the RRDP handling in the main process
got simplified. There is no longer the need for temporary RRDP directories.
OK tb@

Revision 1.36, Thu Jan 13 14:58:21 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.35: +9 -7 lines

Move mft_check() after setting repoid and path on the mft.
Also skip mft_check() if the mft is stale because at least in -n mode
the files to check are probably not around.
OK tb@

Revision 1.35, Thu Jan 13 13:46:03 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.34: +41 -1 lines

Alter valid_filehash() to take a file descriptor instead of a path.
This is needed so that callers can allow a file to be in multiple
locations. Also move mft_check() from mft.c to parser.c.
OK tb@

Revision 1.34, Tue Jan 11 13:06:07 2022 UTC (2 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.33: +98 -13 lines

Change the way the parser accesses files. It now builds the file path
based on information from the repository, a local path and the filename.
This simplifies some code both in the main process and the parser.
For this to work repositories are passed to the parser before any other
entity of this repository is passed. Struct entity is extended to include
the repoid and the path along the file(name).
Input and OK tb@ & job@

Revision 1.33, Wed Jan 5 11:07:35 2022 UTC (2 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.32: +17 -19 lines

Switch proc_parser_root_cert() to not pass the entity but instead the
file, pkey and tal id. This is the last proc_parser function that needed
to be converted.
OK job@

Revision 1.32, Tue Jan 4 18:41:32 2022 UTC (2 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.31: +40 -43 lines

Pass the filename back from the parser to the parent.
The parent will then add the filename to the filepath tree instead
of doing that in entity_write_req(). In the parser pass the filename
instead of the full entity object to various proc_parser functions.
With this it will be possible to check more than one file in the parser.
OK tb@, earlier version OK benno@

Revision 1.31, Tue Jan 4 15:37:23 2022 UTC (2 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.30: +4 -16 lines

Simplify the verify callback

The final warnx() is very noisy and essentially a remnant of earlier
debugging code. By ditching it and erroring directly on encountering
an unknown critical extension, the code becomes a bit simpler.

ok claudio

Revision 1.30, Tue Jan 4 13:39:01 2022 UTC (2 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.29: +87 -9 lines

Stop setting X509_V_FLAG_IGNORE_CRITICAL

Since the last bump, libcrypto knows about the RFC 3779 extensions.
Therefore, setting X509_V_FLAG_IGNORE_CRITICAL is no longer needed.
In fact, we want to error on critical extensions neither rpki-client
nor libcrypto knows about.

On older LibreSSL versions with the default verify callback, this
causes verification failures. Implement a verify callback that
intercepts X509_V_ERR_UNHANDLED_CRITICAL_EXTENSIONS and checks that
the cert doesn't contain critical extensions not supported by libcrypto
other than the expected RFC 3779 extensions.

Tested with LibreSSL 3.3 and 3.4 on OpenBSD 6.9 and 7.0-stable by me
and with LibreSSL 3.2 on Linux by claudio.

input/ok claudio

Revision 1.29, Wed Dec 29 11:37:57 2021 UTC (2 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.28: +4 -4 lines

Cleanup struct entity. Remove the unneeded has_data field, the same
information can be figured out by looking at the data pointer itself.
It is NULL when there is no data and not-NULL if there is data.
OK benno@

Revision 1.7.2.1, Tue Nov 9 13:41:19 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_6_9
Changes since 1.7: +245 -225 lines

rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current
and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40
2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/6.9/common/021_rpki.patch.sig

Revision 1.11.4.1, Tue Nov 9 13:40:32 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_7_0
Changes since 1.11: +230 -274 lines

rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current
and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40
2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/7.0/common/004_rpki.patch.sig

Revision 1.28, Thu Nov 4 18:26:48 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.27: +6 -5 lines

Cleanup some old XXX needed comments. cert_parse() returns a referenced
x509 object from the call and that reference needs to be freed. There is
a second inside of struct cert but that reference is still held.
So the X509_free() calls are indeed needed and by moving them up a bit
the code gets a bit simpler too.
With and OK tb@

Revision 1.27, Thu Nov 4 11:32:55 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.26: +4 -5 lines

Instead of passing tal descriptions around just pass a tal id and
use a small lookup table to print the description in the output path.
OK tb@

Revision 1.26, Wed Nov 3 10:50:18 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.25: +1 -4 lines

Move the MAX_CERT_DEPTH to extern.h and adjust the comments of all limits
a bit.

Revision 1.25, Wed Nov 3 10:19:22 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.24: +3 -4 lines

In proc_parser_roa() adjust the expiry calculation to walk all of
the auth tree (including the TA) and be more careful to not dereference
NULL pointers. Both valid_ski_aki() and get_crl() can return NULL
pointers. In these situations X509_verify_cert() should fail and
the affected code should be not reachable but better be prepared.
With and OK tb@

Revision 1.24, Tue Nov 2 19:30:30 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.23: +8 -7 lines

Only add CA certificates to the auth tree, skip BGPsec certificates.
Also make sure that trust anchors are not BGPsec certs.
While there fix some overly long lines.
OK benno@

Revision 1.23, Mon Nov 1 17:00:34 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.22: +22 -31 lines

Further simplify cert and auth handling. Move common code into auth_insert
and skip this distinction between invalid and failed certificates.
The difference between the two is getting more and more blurry.
OK tb@

Revision 1.22, Mon Nov 1 09:12:18 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.21: +5 -19 lines

Cleanup struct auth a bit. The tal description is also stored in the cert
and the filename is only used in tracewarn which is not that helpful.
OK tb@

Revision 1.21, Thu Oct 28 09:02:19 2021 UTC (2 years, 7 months ago) by beck
Branch: MAIN
Changes since 1.20: +15 -8 lines

Don't exit in certain cases on failures to parse x509 objects.

In most cases we already warn and continue if someone sends us malformed
x509 objects. This makes this consistent behaviour in all places
so that if someone passes in bogus X509, we end up failing their entry
and continuing rather than exiting.

We still exit on memory/system failures so that a future run of rpki
client can simply do better when the machine is perhaps less hammered
on.

ok job@ claudio@

Revision 1.20, Tue Oct 26 16:12:54 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.19: +7 -41 lines

Refactor the tal parsing code to use the same load_file() and buffer
passing as done for the other parsers.
OK job@ tb@

Revision 1.19, Tue Oct 26 13:31:05 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.18: +10 -8 lines

Also move the cert parser code away from using BIO.
OK beck@

Revision 1.18, Tue Oct 26 10:52:50 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.17: +60 -15 lines

Change CMS and CRL d2i functions from their BIO version to passing the
der buffer instead. The files are loaded early in the entity processing
loop.
OK tb@

Revision 1.17, Mon Oct 25 18:25:22 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.16: +101 -119 lines

Refactor the proc_parser code, move the processing of entities into its
own function and make a few vars global to simplify the code.
OK tb@

Revision 1.16, Sat Oct 23 20:01:16 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.15: +3 -3 lines

Rename io_buf_new to io_new_buffer and io_buf_close to io_close_buffer.
With this the write functions are all of the form io_xyz_buffer.
Remove some prototypes of functions I forgot to remove in previous commit.
OK benno@

Revision 1.15, Sat Oct 23 16:06:04 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.14: +12 -11 lines

Finally move away from blocking reads in rpki-client. The code was a
mishmash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@

Revision 1.14, Fri Oct 22 11:13:06 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.13: +4 -5 lines

First step of cleanup in the io land. Introduce io_buf_new() and
io_buf_close(). These functions will inject the size of the buffer
at the beginning of the buffer and will allow the read size to be
switched to proper async IO.
OK benno@

Revision 1.13, Mon Oct 11 16:50:03 2021 UTC (2 years, 7 months ago) by job
Branch: MAIN
Changes since 1.12: +5 -4 lines

Add support for BGPsec Router Certificates (RFC 8209)

BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.

OK tb@ claudio@

Revision 1.12, Thu Oct 7 08:36:17 2021 UTC (2 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.11: +83 -107 lines

Rework X509 verification a bit. Remove the store and instead pass in
the chain for certificates via X509_STORE_CTX_set0_trusted_stack().
To make this work alter build_chains() to also return the root TA.
Factor out get_crl() from build_crls() and use it to fetch the crl
when validating roas. The crl now sets its expire time in struct crl
and this can be used to set the expire time of a ROA entry.
This simplifies proc_parser_roa() a fair bit and results in fewer calls
to mktime() (which is a surprisingly complex function).
OK tb@

Revision 1.11, Wed Sep 15 15:51:05 2021 UTC (2 years, 8 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE
Branch point for: OPENBSD_7_0
Changes since 1.10: +9 -2 lines

Set the X509 validation depth limit to 12 or double the current depth.
When the limit is reached the object is considered invalid and the tree
traversal stops on that node.
OK beck@ job@

Revision 1.10 / (download) - annotate - [select for diffs], Tue May 11 11:32:51 2021 UTC (3 years ago) by claudio
Branch: MAIN
Changes since 1.9: +3 -1 lines
Diff to previous 1.9 (colored)

Before calling ASN1_time_parse() initialize the struct tm. While
recent libressl versions initialise the struct tm properly, older
versions did not and so -portable runs into problems on systems
with older libressl versions installed.
Problem found by job@
OK tb@

Revision 1.9 / (download) - annotate - [select for diffs], Sun May 9 11:18:57 2021 UTC (3 years, 1 month ago) by tb
Branch: MAIN
Changes since 1.8: +3 -9 lines
Diff to previous 1.8 (colored)

Remove unnecessary NULL check that breaks the build with OpenSSL 1.1.

ok job

Revision 1.8 / (download) - annotate - [select for diffs], Thu May 6 17:03:57 2021 UTC (3 years, 1 month ago) by job
Branch: MAIN
Changes since 1.7: +66 -5 lines
Diff to previous 1.7 (colored)

Add an 'expires' column to CSV & JSON output

The 'expires' value contains a reasonable earliest moment a VRP would expire,
in light of the currently available set of CAs and CRLs. The 'expires' value
can be used to avoid route selection based on stale data when generating VRP
sets, when faced with loss of communication between consumer and validator,
or validator and CA repository.

OK claudio@

Revision 1.7 / (download) - annotate - [select for diffs], Thu Apr 1 08:29:10 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE
Branch point for: OPENBSD_6_9
Changes since 1.6: +12 -9 lines
Diff to previous 1.6 (colored)

Make build_crls() behave like build_chain(). If there is no auth data
just NULL the STACK_OF() pointer since libcrypto calls can handle that.
Update comments to be more accurate.
With and OK tb@

Revision 1.6 / (download) - annotate - [select for diffs], Tue Mar 2 09:00:46 2021 UTC (3 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.5: +8 -4 lines
Diff to previous 1.5 (colored)

When building the chain of the intermediate certificates do not include the
root node (which should be a trust anchor). Trust anchors were added to
the X509_store and having them in the chain is kind of wrong and confuses
the new libressl X509 validator.
OK tb@

Revision 1.5 / (download) - annotate - [select for diffs], Thu Feb 18 16:23:17 2021 UTC (3 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.4: +3 -2 lines
Diff to previous 1.4 (colored)

Use X509_get_ext_d2i() also for x509_get_aki() and x509_get_ski().
Now x509_get_extensions() is no longer required to loop over all
extensions and the code becomes a lot simpler.
While there cleanup x509_get_crl(), as explained by tb@ X509_get_ext_d2i()
allocates memory so one needs to free the pointer at the end.
For x509_crl_get_aki() use X509_CRL_get_ext_d2i() and more or less
copy the rest over from x509_get_aki().
Warn if extensions are missing or present when not expected and also
check that the extensions are marked non-critical as required.
OK job@ tb@

Revision 1.4 / (download) - annotate - [select for diffs], Thu Feb 4 14:32:01 2021 UTC (3 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.3: +30 -30 lines
Diff to previous 1.3 (colored)

The uri parameter of struct entity is actually a local file path.
Rename field to reduce confusion about what is what.
OK tb@

Revision 1.3 / (download) - annotate - [select for diffs], Thu Feb 4 08:58:19 2021 UTC (3 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.2: +2 -1 lines
Diff to previous 1.2 (colored)

Even though most openssl includes include everything, try to be a bit more
explicit about what is used where. Seems to be the least worst solution.

Revision 1.2 / (download) - annotate - [select for diffs], Thu Feb 4 08:13:57 2021 UTC (3 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.1: +3 -3 lines
Diff to previous 1.1 (colored)

Cleanup openssl includes a bit. Use x509.h instead of x509v3.h, add asn1.h
and remove evp.h. First two suggested by tb@
Compiler agrees

Revision 1.1 / (download) - annotate - [select for diffs], Thu Feb 4 08:10:25 2021 UTC (3 years, 4 months ago) by claudio
Branch: MAIN

Shuffle code around, move all the bits of proc_parser into parser.c.
OK tb@
