path: root/usr.sbin/rpki-client/main.c

Age         Author
  Commit message
2022-01-28  Claudio Jeker
  Properly handle .mft files as intended by the RFC. Instead of always selecting the newest file this opens both the new (from rrdp or rsync) and old (valid) MFT. It then compares the manifest number and based on that the 'newer' MFT is selected. The MFT file and hash check is also changed to always try both locations and selecting whatever matches up with the hash. The selection is passed back to the main process and used later on to open exactly the same file as was checked against the hash. The MFT parsing code has been split up into multiple steps so that the files can be parsed, compared and then fully validated. In most cases this makes no difference but it prevents replay attacks using old but still valid files. With and OK tb@
2022-01-26  Claudio Jeker
  Allow rsync:// URI as file in -f mode. This makes it easier to explore rpki repositories by following AIA and manifest URIs. Also stop checking that the loaded file is not part of the auth tree, it is possible that this file was loaded before as a dependency. OK tb@
2022-01-24  Claudio Jeker
  Adjust code to handle unsupported file types a bit more gracefully. The file still needs to match its hash to make the MFT valid but then there will only be a warning printed. Parsing of other files from that MFT is not influenced. OK tb@
2022-01-23  Jason McIntyre
  rearrange SYNOPSIS/usage to be a bit clearer; discussed with and ok claudio
2022-01-23  Claudio Jeker
  Handle EINTR the same way in all poll loops. In all cases restart the poll loop. In the main process move the timeout handling for repositories into a single function that does the timeouts and the calculation of the timeout in one go. OK tb@
2022-01-23  Claudio Jeker
  Allow rpki-client to display more than one file in -f mode. Change -f to be a mode flag and pass one or multiple files as arguments to rpki-client. Some extra checks need to be done to not load the same certificate or CRL multiple times. Input and OK tb@
2022-01-21  Theo Buehler
  Add function to determine the file type from the file name extension. rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*(). input/ok claudio
2022-01-21  Theo Buehler
  Avoid out-of-bounds accesses in case the filename is too short to contain an extension of length four. ok claudio
2022-01-19  Job Snijders
  Add -f to usage in main routine. OK tb@
2022-01-19  Claudio Jeker
  Implement a filemode where the passed file from the command line is printed in human readable form and is also verified against the valid cache of rpki-client. To validate the file the chain is explored backwards by looking at the Authority Information Access URI and X509v3 CRL Distribution Point of the cert. Once the trust anchor is found this chain can be verified. Feedback and OK job@ tb@
2022-01-19  Theo Buehler
  rpki-client: don't leak nfile if no repo is found. ok claudio
2022-01-14  Claudio Jeker
  Introduce a validated cache which holds all the files that have successfully been verified by rpki-client. With this the rsync and rrdp directories are more of a temporary storage location. New files are downloaded there and then moved to the valid directory at the end. In -n mode only the valid directory is looked at with the exception of the ta directory holding the trust anchors. A file can now be in two different locations so adjust all the code paths that open files to check both locations. One nice side-effect of this is that the RRDP handling in the main process got simplified. There is no longer the need for temporary RRDP directories. OK tb@
2022-01-13  Claudio Jeker
  Implement a RRDP_CLEAR message that instructs the parent to cleanup the rrdp directory. This is used before a snapshot download to ensure that the snapshot is applied to a clean repo. Similar cleanup happens if the transfer fails. In that case remove the temp directory contents only. This uses a new function remove_contents() to remove everything below a base directory (a bit like rm -r X/*). OK tb@
2022-01-13  Claudio Jeker
  Implement but don't use code to use rsync's --compare-dest feature. One gotcha is that the path passed to --compare-dest needs to be relative to the dst directory. rsync_fixup_dest() will prepend the necessary ../ for that by counting the number of '/' in dst. OK tb@
2022-01-11  Claudio Jeker
  Change the way the parser accesses files. It now builds the file path based on information from the repository, a local path and the filename. This simplifies some code both in the main process and the parser. For this to work repositories are passed to the parser before any other entity of this repository is passed. Struct entity is extended to include the repoid and the path along the file(name). Input and OK tb@ & job@
2022-01-06  Claudio Jeker
  Cleanup mft file handling, especially the stale mft bits. Move staleness check up into mft_parse_econtent() to simplify code. Remove the big FIXME bits since they are no longer needed. The parent process will only process MFTs that are not stale. Cleanup a few other bits mainly unnecessary else if cascades and use valid_filename() to check if the filename embedded in the mft fileandhash is sensible. OK tb@
2022-01-04  Claudio Jeker
  Pass the filename back from the parser to the parent. The parent will then add the filename to the filepath tree instead of doing that in entity_write_req(). In the parser pass the filename instead of the full entity object to various proc_parser functions. With this it will be possible to check more than one file in the parser. OK tb@, earlier version OK benno@
2021-12-29  Claudio Jeker
  Cleanup struct entity. Remove the unneeded has_data field, the same information can be figured out by looking at the data pointer itself. It is NULL when there is no data and not-NULL if there is data. OK benno@
2021-12-22  Claudio Jeker
  Replace two questionable size_t types. For the repo id use an unsigned int and for the roa maxlength use unsigned char (like the prefixlen in struct ip_addr). With input and OK job@
2021-12-21  Claudio Jeker
  Cleanup a few things while reading the code. OK job@
2021-11-25  Claudio Jeker
  Initialize the repo_timeout to timeout / 4 at start of main(). OK job@
2021-11-25  Job Snijders
  Replace MAX_REPO_TIMEOUT with repo_timeout, which is set to 1/4th of timeout, or if timeout is disabled set to 24 hours. OK claudio@
2021-11-19  Job Snijders
  Fix typo
2021-11-09  Claudio Jeker
  Limit the number of publication points under a given TAL. Introduce an additional timeout for each publication point. The limits are large enough to accommodate normal operating levels. With and OK benno@ job@ tb@ beck@ deraadt@
2021-11-04  Claudio Jeker
  On errors related to the pipes to the children don't error out right away. Instead exit the main event loop and use waitpid to know why a child went away. This should make it hopefully more clear when shit hits the fan. OK tb@ deraadt@
2021-11-04  Claudio Jeker
  Move and promote getmonotime() to an internal API function.
2021-11-04  Claudio Jeker
  Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
2021-11-01  Claudio Jeker
  Further simplify cert and auth handling. Move common code into auth_insert and skip this distinction between invalid and failed certificates. The difference between the two is getting more and more blurry. OK tb@
2021-10-31  Claudio Jeker
  Further improve load_file(). Always set an errno on errors and make sure the errno is not clobbered in the error path. Check result from load_file() and issue a warning and skip the file in queue_add_tal(). OK benno@ beck@
2021-10-31  Claudio Jeker
  When converting the TAL parser to use load_file and pass the file via data/datasz element to the parser process I forgot to remove the old buf argument that abused descr for that. Because of this rpki-client can crash. Found by benno@, OK benno@ beck@
2021-10-28  Claudio Jeker
  Sync output at end of run with output inside the openbgpd output file. With and OK tb@
2021-10-26  Claudio Jeker
  Move load_file() to encoding.c so that regress can use the function.
2021-10-26  Claudio Jeker
  Refactor the tal parsing code to use the same load_file() and buffer passing as done for the other parsers. OK job@ tb@
2021-10-24  Theo de Raadt
  For open/openat, if the flags parameter does not contain O_CREAT, the 3rd (variadic) mode_t parameter is irrelevant. Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all. This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok millert
2021-10-24  Claudio Jeker
  Add my copyright to some files. OK job@
2021-10-23  Claudio Jeker
  Rename io_buf_new to io_new_buffer and io_buf_close to io_close_buffer. With this the write functions are all of the form io_xyz_buffer. Remove some prototypes of functions I forgot to remove in previous commit. OK benno@
2021-10-23  Claudio Jeker
  Finally move away from blocking reads in rpki-client. The code was a mishmash of poll, non-blocking writes and blocking reads. Using the introduced ibuf size header in io_buf_new()/io_buf_close() the read side can be changed to pull in a full ibuf and only start the un-marshal once all data has been read. OK benno@
2021-10-22  Claudio Jeker
  First step of cleanup in the io land. Introduce io_buf_new() and io_buf_close(). These functions will inject a size of the buffer at the beginning of the buffer and will allow the read side to be switched to proper async IO. OK benno@
2021-10-11  Job Snijders
  Add support for BGPsec Router Certificates (RFC 8209). BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form. OK tb@ claudio@
2021-10-10  Job Snijders
  Remove unused variable
2021-10-10  Job Snijders
  Make style consistent and remove an unused code path. OK tb@
2021-10-05  Job Snijders
  Add rudimentary support for BGPsec router certificates. OK claudio@
2021-08-30  Job Snijders
  Properly account entity_queue when the file has already been seen. Thanks to Ben Maddison for helping create a test case. OK claudio@
2021-06-29  Theo de Raadt
  Flip the -r RRDP switch, which went through community testing for half a year. Default is now to attempt RRDP first, then try RSYNC. If problems show up, return to rsync-only behaviour with -R, and file a report. ok claudio
2021-06-14  Claudio Jeker
  Do a fstatvfs() call to figure out if the filesystem used for the cache is large enough for the cache. People like to build VM images with way too small filesystems and so warning about this situation should help. With deraadt@ and job@
2021-06-03  Claudio Jeker
  Use O_DIRECTORY when opening directories. This makes some errors a bit clearer when using -d. OK deraadt@
2021-05-11  Claudio Jeker
  Make sure some variables are initialised since modern gcc warns about them. Handle rrdppid like we do for all other child processes. The two warnings in rrdp are probably false positives. OK tb@
2021-05-11  Claudio Jeker
  Arm the alarms in all children so they terminate if the timeout is hit. Also install the special signal handler around the main poll() loop. The main process handles SIGALRM so it can log an error to the operator before exiting. With and OK deraadt@
2021-04-19  Theo de Raadt
  code review results in KNF, and moving local variables into lowest scope. ok claudio
2021-04-15  Claudio Jeker
  Rework the http code to require poll() only when really needed. Especially tls_read() and tls_write() do not map 1:1 to read() and write() calls and so assuming that after a tls_read() one needs to poll for more data is wrong. Instead call tls_read() until it returns a TLS_WANT_* return. While here also ignore SIGPIPE. It is almost impossible to properly guard from SIGPIPE by looking at POLLHUP. Instead just let write() handle it and return an error. Putting this in now so this can be tested widely.