authorJob Snijders <job@cvs.openbsd.org>2024-11-02 12:30:29 +0000
committerJob Snijders <job@cvs.openbsd.org>2024-11-02 12:30:29 +0000
commit0c520c81346145e61f1c829de458bdc31a383fb5 (patch)
treed7b0aa0631e20abcd5952de121adefecfac5e03a /usr.sbin/rpki-client/mft.c
parent3ef9fe8a9a1f9530b4fea9e825fcea703d2b02c4 (diff)
Improve detection of gaps in Manifest issuance
It is helpful for network operators, publication point operators, and CA operators to have more insight into whether the RP noticed an issuance gap between two versions of a given manifest.

* A high number of gaps all the time might be an indication that the RP is not refreshing often enough
* the CA is trying to issue manifests more than once a second
* the RFC 8181 publication server's ingress API endpoint has issues
* the RFC 8181 publication client has trouble reaching the server
* the CA's private keys (RPKI + BPKI) are used on a second (cloned) system
* the CA's issuance database is broken

Correlation opportunity: detection of a gap means some of the CA's intermediate states were occluded from the RP; the RP operator might want to correlate this to traffic shifts in BGP or publication point reachability issues.

Going forward, emit a warning per manifest, add metrics to the openmetrics output, and display a summary at the end of the run about issuance gaps.

OK tb@
Diffstat (limited to 'usr.sbin/rpki-client/mft.c')
-rw-r--r--usr.sbin/rpki-client/mft.c37
1 files changed, 36 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index e981e04b7be..02f346c235b 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.119 2024/09/12 10:33:25 tb Exp $ */
+/* $OpenBSD: mft.c,v 1.120 2024/11/02 12:30:28 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -35,6 +35,7 @@
#include "extern.h"
extern ASN1_OBJECT *mft_oid;
+BN_CTX *bn_ctx;
/*
* Types and templates for the Manifest eContent, RFC 6486, section 4.2.
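Review bot: `BN_CTX *bn_ctx;` is a non-static file-scope tentative definition with no initialization anywhere in this diff, and mft_seqnum_gap_present() in the last hunk calls BN_CTX_start(bn_ctx) on it unconditionally, so the process that calls that function must have assigned it (presumably via BN_CTX_new()) before the first manifest is compared, or it dereferences NULL. Since the caller is outside this diff, a one-line comment stating the ownership contract would help, e.g. `/* Set once at process start via BN_CTX_new(); shared by mft_seqnum_gap_present(). */`. If no other compilation unit references it, `static BN_CTX *bn_ctx;` would also keep the name out of the global namespace; if one does, a matching `extern` declaration in extern.h makes that visible.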
@@ -538,6 +539,7 @@ mft_buffer(struct ibuf *b, const struct mft *p)
io_simple_buffer(b, &p->repoid, sizeof(p->repoid));
io_simple_buffer(b, &p->talid, sizeof(p->talid));
io_simple_buffer(b, &p->certid, sizeof(p->certid));
+ io_simple_buffer(b, &p->seqnum_gap, sizeof(p->seqnum_gap));
io_str_buffer(b, p->path);
io_str_buffer(b, p->aia);
@@ -571,6 +573,7 @@ mft_read(struct ibuf *b)
io_read_buf(b, &p->repoid, sizeof(p->repoid));
io_read_buf(b, &p->talid, sizeof(p->talid));
io_read_buf(b, &p->certid, sizeof(p->certid));
+ io_read_buf(b, &p->seqnum_gap, sizeof(p->seqnum_gap));
io_read_str(b, &p->path);
io_read_str(b, &p->aia);
@@ -628,3 +631,35 @@ mft_compare_seqnum(const struct mft *a, const struct mft *b)
return 0;
}
+
+/*
+ * Test if there is a gap in the sequence numbers of two MFTs.
+ * Return 1 if a gap is detected.
+ */
+int
+mft_seqnum_gap_present(const struct mft *a, const struct mft *b)
+{
+ BIGNUM *diff, *seqnum_a, *seqnum_b;
+ int ret = 0;
+
+ BN_CTX_start(bn_ctx);
+ if ((diff = BN_CTX_get(bn_ctx)) == NULL ||
+ (seqnum_a = BN_CTX_get(bn_ctx)) == NULL ||
+ (seqnum_b = BN_CTX_get(bn_ctx)) == NULL)
+ errx(1, "BN_CTX_get");
+
+ if (!BN_hex2bn(&seqnum_a, a->seqnum))
+ errx(1, "BN_hex2bn");
+
+ if (!BN_hex2bn(&seqnum_b, b->seqnum))
+ errx(1, "BN_hex2bn");
+
+ if (!BN_sub(diff, seqnum_a, seqnum_b))
+ errx(1, "BN_sub");
+
+ ret = !BN_is_one(diff);
+
+ BN_CTX_end(bn_ctx);
+
+ return ret;
+}
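Review bot: The contract on argument order is undocumented, and it matters: `ret = !BN_is_one(diff)` with `diff = seqnum_a - seqnum_b` returns 1 for every difference other than exactly one, so equal sequence numbers (diff 0) and a `b` that is newer than `a` (negative diff) are reported as a gap in the same way as a genuine skipped number. Callers therefore must pass the newer manifest as `a`; the header comment should say so, e.g. `* a must be the newer manifest. Returns 1 unless a->seqnum == b->seqnum + 1, so equal or decreasing sequence numbers also count as a gap.` BN_hex2bn() also accepts a leading '-' and stops at the first non-hex character, returning the count of digits consumed, so `!BN_hex2bn(...)` only rejects strings with no leading hex digit; presumably the seqnum strings were already validated when the manifest was parsed, but that assumption is not visible here and is worth a comment if true.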