![[BACK]](/icons/back.gif){kind=icon}
Up to [local] / src / usr.sbin / rpki-client
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.40 / (download) - annotate - [select for diffs], Fri Mar 22 03:38:12 2024 UTC (2 months, 2 weeks ago) by job
Branch: MAIN
CVS Tags: HEAD
Changes since 1.39: +3 -3 lines
Diff to previous 1.39 (colored)
Replace protocol literal strings and strlen() calls with defined constants OK tb@ claudio@
Revision 1.39 / (download) - annotate - [select for diffs], Thu Jun 29 10:28:25 2023 UTC (11 months, 1 week ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5,
OPENBSD_7_4_BASE,
OPENBSD_7_4
Changes since 1.38: +2 -2 lines
Diff to previous 1.38 (colored)
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of
warn() and err{,x}(). Neither users nor developers benefit from them.
If we need better errors, we need to do some thinking. libcrypto won't
do that for us.
suggested by claudio
ok job
Revision 1.38 / (download) - annotate - [select for diffs], Wed Nov 30 09:02:58 2022 UTC (18 months, 1 week ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE,
OPENBSD_7_3
Changes since 1.37: +1 -2 lines
Diff to previous 1.37 (colored)
Remove unused include OK claudio@
Revision 1.37 / (download) - annotate - [select for diffs], Wed Nov 30 08:16:10 2022 UTC (18 months, 1 week ago) by job
Branch: MAIN
Changes since 1.36: +1 -2 lines
Diff to previous 1.36 (colored)
Remove unused ctype.h include OK tb@
Revision 1.36 / (download) - annotate - [select for diffs], Sat Sep 3 15:13:44 2022 UTC (21 months ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE,
OPENBSD_7_2
Changes since 1.35: +2 -2 lines
Diff to previous 1.35 (colored)
Clarify warning
Revision 1.35 / (download) - annotate - [select for diffs], Sun May 15 16:43:35 2022 UTC (2 years ago) by tb
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)
More KNF and whitespace fixes.
Revision 1.30.2.1 / (download) - annotate - [select for diffs], Tue Nov 9 13:41:19 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_6_9
Changes since 1.30: +30 -83 lines
Diff to previous 1.30 (colored) next main 1.31 (colored)
rpki-client(8) should handle CA misbehaviours as soft-errors. This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40 2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including: * Make rpki-client more resilient regarding untrusted input: - fail repository synchronisation after 15min runtime - limit the number of publication points per TAL - don't allow DOCTYPE definitions in RRDP XML files - fix detection of HTTP redirect loops. * limit the number of concurrent rsync processes. * fix CRLF in tal files. This is patches/6.9/common/021_rpki.patch.sig
Revision 1.30.6.1 / (download) - annotate - [select for diffs], Tue Nov 9 13:40:32 2021 UTC (2 years, 6 months ago) by benno
Branch: OPENBSD_7_0
Changes since 1.30: +30 -83 lines
Diff to previous 1.30 (colored) next main 1.31 (colored)
rpki-client(8) should handle CA misbehaviours as soft-errors. This is a merge of usr.sbin/rpki-client and usr.bin/rsync from current and includes all commits in rpki-client 7.5 up to Tue Nov 9 11:03:40 2021 and to openrsync up to Wed Nov 3 14:42:13 2021, including: * Make rpki-client more resilient regarding untrusted input: - fail repository synchronisation after 15min runtime - limit the number of publication points per TAL - don't allow DOCTYPE definitions in RRDP XML files - fix detection of HTTP redirect loops. * limit the number of concurrent rsync processes. * fix CRLF in tal files. This is patches/7.0/common/004_rpki.patch.sig
Revision 1.34 / (download) - annotate - [select for diffs], Thu Nov 4 11:32:55 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE,
OPENBSD_7_1
Changes since 1.33: +5 -3 lines
Diff to previous 1.33 (colored)
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
Revision 1.33 / (download) - annotate - [select for diffs], Wed Nov 3 18:10:12 2021 UTC (2 years, 7 months ago) by tb
Branch: MAIN
Changes since 1.32: +8 -6 lines
Diff to previous 1.32 (colored)
When handling CRLF and nulling out the optional CR, point nl at the right NUL so that valid_url() and the .cer check work. Tweaked version of a diff by claudio. ok claudio
Revision 1.32 / (download) - annotate - [select for diffs], Tue Oct 26 16:12:54 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.31: +19 -76 lines
Diff to previous 1.31 (colored)
Refactor the tal parsing code to use the same load_file() and buffer passing as done for the other parsers. OK job@ tb@
Revision 1.31 / (download) - annotate - [select for diffs], Sat Oct 23 16:06:04 2021 UTC (2 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.30: +6 -6 lines
Diff to previous 1.30 (colored)
Finnally move away from blocking reads in rpki-client. The code was a mish mash of poll, non-blocking writes and blocking reads. Using the introduced ibuf size header in io_buf_new()/io_buf_close() the read side can be changed to pull in a full ibuf and only start the un-marshal once all data has been read. OK benno@
Revision 1.30 / (download) - annotate - [select for diffs], Thu Apr 1 06:43:23 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE,
OPENBSD_6_9_BASE
Branch point for: OPENBSD_7_0,
OPENBSD_6_9
Changes since 1.29: +1 -38 lines
Diff to previous 1.29 (colored)
Move base64 and hex encoding functions into their own place. OK tb@
Revision 1.29 / (download) - annotate - [select for diffs], Thu Mar 25 09:27:38 2021 UTC (3 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.28: +8 -11 lines
Diff to previous 1.28 (colored)
Adjust base64_decode() to just take a base64 string as input instead of a string plus length. Preparation work for RRDP. OK tb@
Revision 1.28 / (download) - annotate - [select for diffs], Fri Mar 5 17:15:19 2021 UTC (3 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.27: +2 -5 lines
Diff to previous 1.27 (colored)
Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
Revision 1.27 / (download) - annotate - [select for diffs], Fri Feb 19 10:23:50 2021 UTC (3 years, 3 months ago) by claudio
Branch: MAIN
Changes since 1.26: +9 -1 lines
Diff to previous 1.26 (colored)
Add the same ASCII check to the URI in TAL files as we do for URI in .cer files OK tb@
Revision 1.26 / (download) - annotate - [select for diffs], Fri Jan 8 08:09:07 2021 UTC (3 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.25: +6 -6 lines
Diff to previous 1.25 (colored)
Start using the ibuf API (ibuf_dynamic, ibuf_add, ibuf_close) for writing data between processes. This completely decouples the write side. rpki-client can't really use the imsg framework but it can use the ibuf bits wich imsg is built on. OK benno@ job@
Revision 1.25 / (download) - annotate - [select for diffs], Mon Dec 21 11:35:55 2020 UTC (3 years, 5 months ago) by claudio
Branch: MAIN
Changes since 1.24: +5 -2 lines
Diff to previous 1.24 (colored)
Now that a NULL string is marshalled as NULL again we can drop some extra has_xyz integers to indicate if the following buffer is present or not. At the same time sprinkle some asserts for strings which must be not NULL. OK tb@
Revision 1.24 / (download) - annotate - [select for diffs], Thu Dec 3 15:02:12 2020 UTC (3 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)
Make sure that the strcasecmp for .tal is only done if dlen is large enough. Found by naddy@
Revision 1.23 / (download) - annotate - [select for diffs], Thu Dec 3 14:56:32 2020 UTC (3 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.22: +2 -4 lines
Diff to previous 1.22 (colored)
Use strndup() instead of hand rolling our own version. OK naddy@
Revision 1.22 / (download) - annotate - [select for diffs], Sun Oct 11 12:39:25 2020 UTC (3 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.21: +34 -24 lines
Diff to previous 1.21 (colored)
Implement more of RFC 8630 and support more than one URI in the TAL file. The URI are sorted which results in preferrence of https URI. To make rpki-client's handling easier enforce that all URI use the same filename. OK benno@
Revision 1.21 / (download) - annotate - [select for diffs], Thu Oct 1 19:57:00 2020 UTC (3 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.20: +8 -5 lines
Diff to previous 1.20 (colored)
In OpenSSL 1.1.x EVP_ENCODE_CTX is an opaque struct and has to be allocated with EVP_ENCODE_CTX_new(). Do this once on the first call and keep the context around for all subsequent calls. OK tb@ and benno@
Revision 1.20 / (download) - annotate - [select for diffs], Wed Sep 30 14:42:14 2020 UTC (3 years, 8 months ago) by claudio
Branch: MAIN
Changes since 1.19: +42 -13 lines
Diff to previous 1.19 (colored)
Instead of using the kind of hidden b64_pton() from libc resolv.h switch to the -lcrypto base64 decoder using EVP_Decode* this is more portable. With and OK tb@, OK benno@ (on a less polished version)
Revision 1.19 / (download) - annotate - [select for diffs], Sat Sep 12 15:46:48 2020 UTC (3 years, 8 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE,
OPENBSD_6_8
Changes since 1.18: +1 -3 lines
Diff to previous 1.18 (colored)
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
Revision 1.18 / (download) - annotate - [select for diffs], Sat Apr 11 15:52:24 2020 UTC (4 years, 1 month ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE,
OPENBSD_6_7
Changes since 1.17: +6 -4 lines
Diff to previous 1.17 (colored)
To help -portable, use a strrchr instead of basename, since we know what kinds of paths are coming in here. ok benno claudio
Revision 1.17 / (download) - annotate - [select for diffs], Fri Mar 27 12:46:00 2020 UTC (4 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)
Use the correct math to calculate how many bytes are needed for b64_pton(). The size is first rounded up in case where the input string length is not a multiple of 4. Reported by kristaps@
Revision 1.16 / (download) - annotate - [select for diffs], Fri Nov 29 17:29:28 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.15: +2 -1 lines
Diff to previous 1.15 (colored)
add a comment noting missing functionality
Revision 1.15 / (download) - annotate - [select for diffs], Fri Nov 29 05:01:41 2019 UTC (4 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.14: +17 -17 lines
Diff to previous 1.14 (colored)
s/EXIT_FAILURE/1/ ok claudio@ muppets@
Revision 1.14 / (download) - annotate - [select for diffs], Mon Nov 18 08:34:55 2019 UTC (4 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.13: +15 -8 lines
Diff to previous 1.13 (colored)
tal_read_file() should error out instead of returning a NULL buffer. This can happen with an empty file or one consisting only of comments. Do some additional cleanup of comments, remove a unused variable and change a zero into a NUL for clarity. From kristaps@
Revision 1.13 / (download) - annotate - [select for diffs], Wed Nov 6 08:29:03 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.12: +7 -1 lines
Diff to previous 1.12 (colored)
For now ignore https:// URI in tal files. rpki-client only does rsync. Problem reported by Alexandre Hamada
Revision 1.12 / (download) - annotate - [select for diffs], Wed Nov 6 08:18:11 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.11: +5 -2 lines
Diff to previous 1.11 (colored)
The memory returned by realloc(NULL, ...) is uninitalized. Therefore make sure that on the first round the buffer is set to an empty string so that strlcat() works correctly. Also check for strlcat() overflow and error out in case it happens. Found by infrequent regress test failures.
Revision 1.11 / (download) - annotate - [select for diffs], Wed Nov 6 07:04:03 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.10: +3 -1 lines
Diff to previous 1.10 (colored)
If tal_parse_buffer() fails return early because the code that follows will try to access the NULL tal pointer. Reported by Alexandre Hamada
Revision 1.10 / (download) - annotate - [select for diffs], Mon Nov 4 09:39:06 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.9: +3 -2 lines
Diff to previous 1.9 (colored)
The argument to the ctype functions needs to be representable as an unsigned char or EOF. Cast the char to unsigned char as required. Reminded by Hiltjo Posthuma
Revision 1.9 / (download) - annotate - [select for diffs], Mon Nov 4 09:35:43 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.8: +59 -1 lines
Diff to previous 1.8 (colored)
Refactor tal code a bit. Move the file reader back into tal.c so that the regress test is able to use it. OK deraadt@
Revision 1.8 / (download) - annotate - [select for diffs], Thu Oct 31 08:36:43 2019 UTC (4 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.7: +29 -81 lines
Diff to previous 1.7 (colored)
Handle the TAL files in the master process and pass them as buffer to the parser process. This way the parser never needs to read outside of the cache directory which makes the unveil simpler. Additionally rsync_uri_parse no longer needs to know about .tal files so there is now no chance to sneak in a .tal file later on. OK deraadt@
Revision 1.7 / (download) - annotate - [select for diffs], Tue Oct 8 10:04:36 2019 UTC (4 years, 8 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE,
OPENBSD_6_6
Changes since 1.6: +20 -2 lines
Diff to previous 1.6 (colored)
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
Revision 1.6 / (download) - annotate - [select for diffs], Thu Jun 20 15:26:49 2019 UTC (4 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.5: +11 -3 lines
Diff to previous 1.5 (colored)
Don't use assert to validate user input. assert() is not for that, instead check and error out like it is done one other parsing issues. Agreed by deraadt@ Fixes another afl "crash" found by jsg@
Revision 1.5 / (download) - annotate - [select for diffs], Wed Jun 19 16:30:37 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.4: +1 -1 lines
Diff to previous 1.4 (colored)
use $OpenBSD$ headers
Revision 1.4 / (download) - annotate - [select for diffs], Wed Jun 19 04:21:43 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +8 -10 lines
Diff to previous 1.3 (colored)
indentation adjustments, in particular near warn statements ok claudio
Revision 1.3 / (download) - annotate - [select for diffs], Mon Jun 17 15:08:08 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)
system includes first, always.
Revision 1.2 / (download) - annotate - [select for diffs], Mon Jun 17 15:04:59 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +1 -2 lines
Diff to previous 1.1 (colored)
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Mon Jun 17 14:31:31 2019 UTC (4 years, 11 months ago) by job
Branch: job
CVS Tags: job_20190617
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)
Import Kristaps Dzonsons' RPKI validator into the tree rpki-client(1) is an implementation of the Resource Public Key Infrastructure (RPKI), specified by RFC 6480. The client is responsible for downloading, validating and converting Route Origin Authorisations (ROAs) into Validated ROA Payloads (VRPs). The client's output (VRPs) can be used by bgpd(8) to perform BGP Origin Validation (RFC 6811). The current rpki-client(1) version depends on the CMS functions in OpenSSL, this of course needs to be addressed urgently. Thanks to NetNod, IIS.SE, SUNET & 6connect for supporting this effort! OK deraadt@
Revision 1.1 / (download) - annotate - [select for diffs], Mon Jun 17 14:31:31 2019 UTC (4 years, 11 months ago) by job
Branch: MAIN
Initial revision