summaryrefslogtreecommitdiff
path: root/usr.sbin/rpki-client/main.c
AgeCommit message (Collapse)Author
2024-11-14rpki-client: use macros for skipping rather than hardcoded numbersTheo Buehler
ok claudio
2024-11-13Second sweep of foosz -> num_foos and friendsTheo Buehler
Binary change in main.o and tal.o due to an assertion change and in spl.o due to line number changes looks good to claudio, ok clang + sha256
2024-11-02Improve detection of gaps in ManifestissuanceJob Snijders
It is helpful for network operators, publication point operators, and CA operators to have more insight into whether the RP noticed an issuance gap between two versions of a given manifest. * high number of gaps all the time might be an indication the RP is not refreshing often enough * the CA is trying to issue manifests more than once a second * the RFC 8181 publication server's ingress API endpoint has issues * the RFC 8181 publication client has trouble reaching the server * the CA's private keys (RPKI + BPKI) are used on a second (cloned) system * the CA's issuance database is broken Correlation opportunity: detection of a gap means some of the CA's intermediate states were occluded from the RP; the RP operator might want to correlate this to traffic shifts in BGP or publication point reachability issues. Going forward, emit a warning per manifest, adds metrics to the openmetrics output, and displays a summary at the end of the run about issuance gaps. OK tb@
2024-10-23Append fd to the variable names proc, rsync, rrdp, http since these variablesClaudio Jeker
are used to store file descriptors. OK tb@
2024-09-27rpki-client: check for getline error when reading the skiplist fileTheo Buehler
ok claudio
2024-09-04Remove deprecated '-r' command line optionJob Snijders
OK tb@ claudio@
2024-09-03Also gate SPL statistics behind 'experimental' command line optionJob Snijders
This changes the JSON output, without -x some keys are missing from 'metadata' OK tb@
2024-08-20Use msgbuf_queuelen() instead of accessing the queued member directly.Claudio Jeker
OK tb@
2024-08-15Call repo_check_timeout() before colleting the POLLOUT fds. SinceClaudio Jeker
repo_abort() called by repo_check_timeout() will add messages to be sent out. OK tb@
2024-07-12Improve duplicate detection and repo_move_validClaudio Jeker
Only trigger a duplicate error if a valid filepath is revisted. It is possible that a bad CA references somebody else's files and if that happens first it would block the valid access. To make this work, pass the ok flag to filepath_add() and only set the talmask bit if the file was ok. Since we need to do the duplicate check before processing the entity introduce filepath_valid() which checks if the path is in the tree and has its talmask bit set. In repo_move_valid() handle conflicts more gracefully. When both a valid and temporary file are present assume that one of the files was never ok (talmask == 0) and silently remove that file from the filepath tree. OK tb@
2024-07-12Rename the variable c to ok. It returns if the file failed to parse or not.Claudio Jeker
We need to pass this to filepath_add so lets use a better name. OK tb@
2024-06-08Improve x509_get_purpose()Theo Buehler
Instead of only differentiating between CA and BGPsec Router certs, make it recognize TA and EE certs as well. TAs and CAs have the cA boolean in the basic constraints, while EE and BGPsec router certs do not. TAs are self-signed, CAs not self-issued, all other certs with the cA boolean are invalid. EE certs do not have an extended key usage and BGPsec certs contain the id-kp-bgpsec-router OID. Handle the new purposes where needed. ok job
2024-06-07Download new TA files into a temporary place (.ta/) so that the parserClaudio Jeker
can decide which of the two files to use. With and OK tb@
2024-05-20Instead of tracking certificates by SKI track them by an internal identifier.Claudio Jeker
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid. The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL. In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before. Done together with tb@ OK tb@ job@
2024-04-08Fix capping of VAPsTheo Buehler
The previous approach introduced a cap, but it might not always be hit as intended (I missed this on review). Fix this to check the cap after merging an ASPA into an already existing VAP. Also free the list of providers since nothing should be looking at it anymore. Count VAPs that hit the limit with a new overflowed counter. There are still a few aspects of the accounting that probably aren't entirely right. This will be fixed at another point. It's just statistics after all. with/ok claudio, ok job
2024-04-05Don't emit Validated ASPAs for Customer ASIDs with more than MAX_ASPA_PROVIDERSJob Snijders
The number of providers in a single ASPA object already was limited to MAX_ASPA_PROVIDERS, now also impose a limit on the total number of providers across multiple ASPA objects. If the MAX_ASPA_PROVIDERS limit is hit, omit the Customer ASID's entry from OpenBGPD and JSON output. OK tb@
2024-03-22Replace protocol literal strings and strlen() calls with defined constantsJob Snijders
OK tb@ claudio@
2024-03-01Lipstick on a pig: avoid comparing signed and unsignedJob Snijders
OK tb@ claudio@
2024-03-01Add -x to opt into experimental file formatsTheo Buehler
Instead of burning one letter for each new file format (sidrops is known to crank out new things faster than a normal person can read), use -x to opt into parsing and processing file formats that aren't yet considered stable. This is currently only the Signed Prefix List. While a repetition of the ASPA debacle, this code hasn't yet seen enough stress testing to be enabled by default. ok claudio job
2024-02-26Track the number of new files moving from 'staging' to 'validated cache'Job Snijders
The OpenMetrics output shows per-repository counters for new files added, the main process and JSON output emit the sum of all new files. OK claudio@
2024-02-22Add support for RPKI Signed Prefix ListsJob Snijders
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS. https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist with and OK claudio@ tb@
2024-02-21Group logx() getmonotime() and get_current_time() togetherTheo Buehler
Fix their indent in extern.h, move the X509_TIME_* macros to main.c since they aren't (and can't really be) used elsewhere, document the meaning of the magic numbers. Also move get_current_time() out of the middle of entity handlers. ok claudio job
2024-02-16fix whitespaceTheo Buehler
2024-02-03Refactor handling of stale manifestsJob Snijders
No need to hoist a staleness indicator through the whole process and count it explicitly. OK tb@
2023-10-13Allow imposing constraints on RPKI trust anchorsJob Snijders
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope. Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32. For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html With and OK tb@, OK claudio@
2023-08-30Constify argument to entity_write_repo()Job Snijders
OK tb@
2023-08-30Fix commentsJob Snijders
OK tb@
2023-06-29rpki-client: fix vap_pas statsTheo Buehler
A small mistake in a diff broke the counters. Make them AFI agnostic and adjust ometric output. guidance & ok claudio
2023-06-23Improve detection of RRDP session desynchronizationClaudio Jeker
According to RFC 8182, a given session_id and serial number represent an immutable record of the state of the Repository Server at a certain point in time. Add a check to the RRDP notification file processing to compare whether the delta hashes associated to previously seen serials are different in newly fetched notification files. Fall back to a snapshot if a difference is detected, because such a mutation is a strong desynchronization indicator. Idea from Ties de Kock (RIPE NCC). Based on a diff by job@ With and OK job@ tb@
2023-06-20Use new ibuf API in rpki-client.Claudio Jeker
Use ibuf_fd_get/set/avail in the file descriptor passing code. Switch some ibuf_seek() calls to ibuf_set() and use ibuf_add_zero() instead of ibuf_reserve(). OK tb@ job@
2023-05-30Fixup file modification timestamps to optimize failover from RRDP to RSYNCJob Snijders
In the RSYNC protocol a file's last modification time and its size are used to determine whether sending a (partial) copy over the wire is needed. Previously, when RRDP data structures are serialized to disk, the mtime of files in DIR_VALID ended up being UTIME_NOW. Thus, the mtimes of files obtained through RRDP will never match the mtimes of the same files available through RSYNC - causing each and every file to be added to the file transfer list. Instead, use the internal timestamps of RPKI files as the last modified timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs) the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files the CRL lastUpdate. This results in a surprising optimization for the number files which have to be transfered. OK claudio@
2023-05-30Revert commitid ANSBO0rBvIUtTi45:Claudio Jeker
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time. Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate. This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
2023-05-30Split cleanup into cleanup and repository cleanup and show how many filesClaudio Jeker
are kept / removed in the repository temporary storage. After a discussion with tb@ and job@
2023-05-26Properly account del_extra_files and add the value to the json header.Claudio Jeker
OK tb@ (from a larger diff)
2023-05-25Update usage add -P epochClaudio Jeker
2023-04-27Make rpki-client choose the verification time of the time it is invokedBob Beck
rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time. ok tb@ claudio@
2023-04-26Add a -P option to rpki-client to specify the evaluation timeBob Beck
This is intended to be able to test rpki-client in a reproducable way without worrying about the system time changing the results ok claudio@
2023-04-26Improve accounting by tracking things by repo and tal.Claudio Jeker
This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric lable output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
2023-04-13Check whether products listed on a manifest were issued by the same ↵Job Snijders
authority as the manifest itself OK tb@
2023-02-23When parsing MFT the CRL referenced by the MFT is loaded and verified atClaudio Jeker
the same time. So in case of a valid crl pass the CRL filename as entity message to the parent process together with the MFT. This way the MFT and CRL end up both in the valid cache even if some files in the MFT are missing. On severe errors (like X.509 verify errors) the CRL is not moved since it is not considered valid. With and OK job@, tb@
2023-01-13Add aspa-set to openbgpd config output.Claudio Jeker
Change the way the validated ASPA tree is built since OpenBGPD config follows more the ASPA profile and puts the optional AFI to each provider ASnum instead of duplicated everything into an IPv4 and IPv6 tree. The JSON output of ASPA is still the same. The inclusion of the aspa-set can currently be disabled by the -A flag. OK tb@
2023-01-06Rework the main <-> parser/filemode communication protocol a bit.Claudio Jeker
Swap repo_id and filename to simplify the code in parser.c. In filemode both repo_id and filename are ignored. Additionally do not errx() in case of unknown file types. Instead send back enough info that the code can move on. OK tb@
2022-12-15Rework statistic collection to be per repository and add metric output optionClaudio Jeker
Many statistic values are now accounted by repository via repo_stat_inc() At end of the run sum_stats() accumulates these stats per TAL and globally. The new output file metrics is written when the -m output flag is specified. The metrics file is written in OpenMetrics format (with a few tweaks to allow node_exporter to parse the file as well). The ometric code is a copy from bgpctl(8) and should be kept in sync. OK tb@
2022-12-14Switch to struct timespec for collecting stats. This allows to useClaudio Jeker
clock_gettime(CLOCK_MONOTONIC) for runtime calculation. OK tb@
2022-11-30Remove unused ctype.h includeJob Snijders
OK tb@
2022-11-29Only include stdarg.h, if we call any of va_{start,end}()Job Snijders
OK tb@
2022-11-28Reshuffle case a little bit. No functional change.Claudio Jeker
2022-11-18Move skiplist to main and merge with shortlist.Theo Buehler
With/ok job
2022-11-18zap errant space in usage();Jason McIntyre
2022-11-17Schedule cleanup of '-r' now useless getopt optionJob Snijders
OK tb@