Age | Commit message | Author |
|
selecting the newest file this opens both the new (from rrdp or rsync)
and old (valid) MFT. It then compares the manifest number and based on
that the 'newer' MFT is selected.
The MFT file and hash check is also changed to always try both locations
and selecting whatever matches up with the hash. The selection is passed
back to the main process and used later on to open exactly the same
file as was checked against the hash.
The MFT parsing code has been split up into multiple steps so that the
files can be parsed, compared and then fully validated.
In most cases this makes no difference but it prevents replay attacks
using old but still valid files.
With and OK tb@
|
|
rpki repositories by following AIA and manifest URIs.
Also stop checking that the loaded file is not part of the auth tree,
it is possible that this file was loaded before as a dependency.
OK tb@
|
|
The file still needs to match its hash to make the MFT valid but then
there will only be a warning printed. Parsing of other files from that
MFT is not influenced.
OK tb@
|
|
discussed with and ok claudio
|
|
poll loop. In the main process move the timeout handling for repositories
into a single function that does the timeouts and the calculation of the
timeout in one go.
OK tb@
|
|
Change -f to be a mode flag and pass one or multiple files as arguments
to rpki-client. Some extra checks need to be done to not load the same
certificate or CRL multiple times.
Input and OK tb@
|
|
rpki-client uses the same idiom to determine the file type in too many
places. Use one function that determines the appropriate RTYPE from the
file name. Add that type to struct mftfile and use this new member to
simplify queue_add_from_mft*().
input/ok claudio
|
|
contain an extension of length four.
ok claudio
|
|
OK tb@
|
|
printed in human readable form and is also verified against the valid
cache of rpki-client.
To validate the file the chain is explored backwards by looking at the
Authority Information Access URI and X509v3 CRL Distribution Point of
the cert. Once the trust anchor is found this chain can be verified.
Feedback and OK job@ tb@
|
|
ok claudio
|
|
successfully been verified by rpki-client.
With this the rsync and rrdp directories are more of a temporary storage
location. New files are downloaded there and then moved to the valid
directory at the end. In -n mode only the valid directory is looked at with
the exception of the ta directory holding the trust anchors.
A file can now be in two different locations so adjust all the code paths
that open files to check both locations.
One nice side-effect of this is that the RRDP handling in the main process
got simplified. There is no longer the need for temporary RRDP directories.
OK tb@
|
|
the rrdp directory. This is used before a snapshot download to ensure
that the snapshot is applied to a clean repo.
Similar cleanup happens if the transfer fails. In that case remove the
temp directory contents only.
This uses a new function remove_contents() to remove everything below
a base directory (a bit like rm -r X/*).
OK tb@
|
|
One gotcha is that the path passed to --compare-dest needs to be relative
to the dst directory. rsync_fixup_dest() will prepend the necessary ../
for that by counting number of '/' in dst.
OK tb@
|
|
based on information from the repository, a local path and the filename.
This simplifies some code both in the main process and the parser.
For this to work repositories are passed to the parser before any other
entity of this repository is passed. Struct entity is extended to include
the repoid and the path along the file(name).
Input and OK tb@ & job@
|
|
Move staleness check up into mft_parse_econtent() to simplify code.
Remove the big FIXME bits since they are no longer needed. The parent
process will only process MFTs that are not stale.
Clean up a few other bits, mainly unnecessary else if cascades, and
use valid_filename() to check if the filename embedded in the mft
fileandhash is sensible.
OK tb@
|
|
The parent will then add the filename to the filepath tree instead
of doing that in entity_write_req(). In the parser pass the filename
instead of the full entity object to various proc_parser functions.
With this it will be possible to check more than one file in the parser.
OK tb@, earlier version OK benno@
|
|
information can be figured out by looking at the data pointer itself.
It is NULL when there is no data and not-NULL if there is data.
OK benno@
|
|
and for the roa maxlength use unsigned char (like the prefixlen in struct
ip_addr).
With input and OK job@
|
|
OK job@
|
|
OK job@
|
|
timeout, or if timeout is disabled set to 24 hours.
OK claudio@
|
|
|
|
Introduce an additional timeout for each publication point.
The limits are large enough to accommodate normal operating levels.
With and OK benno@ job@ tb@ beck@ deraadt@
|
|
Instead exit the main event loop and use waitpid to know why a child
went away. This should make it hopefully more clear when shit hits the fan.
OK tb@ deraadt@
|
|
|
|
use a small lookup table to print the description in the output path.
OK tb@
|
|
and skip this distinction between invalid and failed certificates.
The difference between the two is getting more and more blurry.
OK tb@
|
|
the errno is not clobbered in the error path. Check result from load_file()
and issue a warning and skip the file in queue_add_tal().
OK benno@ beck@
|
|
data/datasz element to the parser process I forgot to remove the old
buf argument that abused descr for that. Because of this rpki-client
can crash.
Found by benno@, OK benno@ beck@
|
|
With and OK tb@
|
|
|
|
passing as done for the other parsers.
OK job@ tb@
|
|
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert
|
|
OK job@
|
|
With this the write functions are all of the form io_xyz_buffer.
Remove some prototypes of functions I forgot to remove in previous commit.
OK benno@
|
|
mishmash of poll, non-blocking writes and blocking reads. Using the
introduced ibuf size header in io_buf_new()/io_buf_close() the read
side can be changed to pull in a full ibuf and only start the un-marshal
once all data has been read.
OK benno@
|
|
io_buf_close(). These functions will inject the size of the buffer
at the beginning of the buffer and will allow the read side to be
switched to proper async IO.
OK benno@
|
|
BGPsec router keys are extracted from RPKI certificates and
emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
|
|
|
OK tb@
|
|
OK claudio@
|
|
Thanks to Ben Maddison for helping create a test case
OK claudio@
|
|
Default is now to attempt RRDP first, then try RSYNC.
If problems show up, return to rsync-only behaviour with -R, and file a report.
ok claudio
|
|
is large enough for the cache. People like to build VM images with way
too small filesystems and so warning about this situation should help.
With deraadt@ and job@
|
|
clearer when using -d.
OK deraadt@
|
|
Handle rrdppid like we do for all other child processes. The two warnings
in rrdp are probably false positives.
OK tb@
|
|
Also install the special signal handler around the main poll() loop.
The main process handles SIGALRM so it can log an error to the operator
before exiting.
With and OK deraadt@
|
|
ok claudio
|
|
Especially tls_read() and tls_write() do not map 1:1 to read() and write()
calls and so assuming that after a tls_read() one needs to poll for more
data is wrong. Instead call tls_read() until it returns a TLS_WANT_*
return.
While here also ignore SIGPIPE. It is almost impossible to properly guard
from SIGPIPE by looking at POLLHUP. Instead just let write() handle it and
return an error.
Putting this in now so this can be tested widely.
|