Default branch: MAIN
Revision 1.14, Thu May 30 09:54:59 2024 UTC by job
Branch: MAIN
CVS Tags: HEAD
Changes since 1.13: +3 -2 lines
Increase logging verbosity as to what exactly hit a limit

rpki-client: https://testbed.krill.cloud/rrdp/notification.xml: pulling from network
rpki-client: https://testbed.krill.cloud/rrdp/notification.xml: downloading snapshot (bfb0a57e-d16b-44a1-9502-f15b4bc1ce1a#110135)
rpki-client: parse failed, snapshot element for rsync://testbed.krill.cloud/repo/testbed/0/DDAF321520EE4817D716FA047FC05FE2934204DB.crl too big
rpki-client: https://testbed.krill.cloud/rrdp/notification.xml: parse error at line 135: parsing aborted
rpki-client: https://testbed.krill.cloud/rrdp/notification.xml: load from network failed, fallback to rsync

OK tb@ claudio@
Revision 1.13, Fri Mar 22 03:38:12 2024 UTC by job
Branch: MAIN
Changes since 1.12: +2 -2 lines
Replace protocol literal strings and strlen() calls with defined constants OK tb@ claudio@
Revision 1.12, Wed Dec 27 07:17:39 2023 UTC by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.11: +2 -1 lines
Mark rrdp debug logging functions as used in regress ok claudio
Revision 1.11, Tue Dec 26 11:03:27 2023 UTC by tb
Branch: MAIN
Changes since 1.10: +7 -3 lines
Do not accept empty delta elements

Ties de Kock found RRDP content that doesn't match the XML schema, most likely generated by krill: https://github.com/NLnetLabs/krill/issues/1180

Use the state machine to mark a new delta element as empty and check at the end whether that state was changed (which means it contained publish or withdraw elements). If so, raise a parse failure.

ok claudio job
Revision 1.10, Sun Dec 24 10:48:58 2023 UTC by job
Branch: MAIN
Changes since 1.9: +1 -8 lines
Zap dead code

OK tb@
Revision 1.9, Wed Jan 4 14:22:43 2023 UTC by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.8: +3 -2 lines
Validate the session_id to be a real UUID. RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefore the version check triggers there.

Joint work with job@.
OK job@, tb@
Revision 1.8, Sun May 15 16:43:35 2022 UTC by tb
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.7: +1 -2 lines
More KNF and whitespace fixes.
Revision 1.7, Thu Feb 3 18:19:32 2022 UTC by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.6: +3 -2 lines
Enforce the RRDP XMLNS to "http://www.ripe.net/rpki/rrdp"

Missing check reported by Ties de Kock
OK tb@ benno@
Revision 1.1.2.1, Tue Nov 9 13:41:19 2021 UTC by benno
Branch: OPENBSD_6_9
Changes since 1.1: +17 -4 lines
rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40 2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/6.9/common/021_rpki.patch.sig
Revision 1.2.4.1, Tue Nov 9 13:40:32 2021 UTC by benno
Branch: OPENBSD_7_0
Changes since 1.2: +16 -3 lines
rpki-client(8) should handle CA misbehaviours as soft-errors.

This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40 2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including:

* Make rpki-client more resilient regarding untrusted input:
  - fail repository synchronisation after 15min runtime
  - limit the number of publication points per TAL
  - don't allow DOCTYPE definitions in RRDP XML files
  - fix detection of HTTP redirect loops.
* limit the number of concurrent rsync processes.
* fix CRLF in tal files.

This is patches/7.0/common/004_rpki.patch.sig
Revision 1.6, Tue Nov 9 11:01:04 2021 UTC by claudio
Branch: MAIN
Changes since 1.5: +12 -1 lines
Issue a parse error for XML files that include a DOCTYPE section. DTD handling is known for various security problems and so it is best to not even enter that minefield. Also the RFC defines the RRDP XML schema using RELAX NG instead of DTD.

With and OK benno@ job@ tb@ beck@ deraadt@
Revision 1.5, Wed Nov 3 13:30:56 2021 UTC by claudio
Branch: MAIN
Changes since 1.4: +3 -3 lines
Print the name of the non-conforming attribute in the XML parse error.
OK beck@
Revision 1.4, Thu Oct 28 11:57:00 2021 UTC by claudio
Branch: MAIN
Changes since 1.3: +4 -2 lines
Limit the size of the base64 blob inside the RRDP XML to be less than MAX_FILE_SIZE after base64 decoding it. This way hostile RRDP servers do less damage.
OK beck@ tb@
Revision 1.3, Sun Oct 24 17:16:09 2021 UTC by claudio
Branch: MAIN
Changes since 1.2: +1 -0 lines
Add $OpenBSD$ header and add a licence to rrdp.h which was lacking it.
Revision 1.2, Tue May 11 11:48:02 2021 UTC by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE
Branch point for: OPENBSD_7_0
Changes since 1.1: +1 -1 lines
Make sure some variables are initialised since modern gcc warns about them. Handle rrdppid like we do for all other child processes. The two warnings in rrdp are probably false positives.
OK tb@
Revision 1.1, Thu Apr 1 16:04:48 2021 UTC by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE
Branch point for: OPENBSD_6_9
Initial commit of RRDP (The RPKI Repository Delta Protocol - RFC8182) support in rpki-client. For now it is off by default.

All XML processing is done in its own process with minimal pledge rights. It uses the already present https process to fetch the xml files and uses the master process to handle the file IO into the repositories. RRDP data is stored in the cache under ./rrdp/ and the first directory is the SHA256 hash of the notify URI. Fetching snapshots and deltas works to bring the cache up to date. If something goes wrong rpki-client will fall back to rsync.

RRDP was implemented by Nils Fisher and integrated into rpki-client by myself.
"Time to get it in" deraadt@