summaryrefslogtreecommitdiff
path: root/usr.sbin/rpki-client
AgeCommit message (Collapse)Author
2024-08-29Unify proc_parser_* as far as possible and reasonableTheo Buehler
ok claudio job
2024-08-29Improve warning messageJob Snijders
Requested by claudio@ OK tb@
2024-08-29Periodically reinitialize RRDP sessions to snapshot at random intervalsJob Snijders
It is technically possible for a series of RRDP deltas and a snapshot to diverge. An RRDP server could distribute files via Deltas and then forget about those files, causing copies to remain stuck in the caches of RRDP clients. Resetting RRDP sessions once every few weeks helps with garbage collection. In week 0 the probability of triggering re-initialization is ~0.025% and doubles every week, in week 11 its 50% and always after week 12. Thus, RPs will reinitialize at least once every 3 months. OK tb@ claudio@
2024-08-28sync ibuf_realloc() copy with libutilTheo Buehler
This pulls in an overflow check and the change from recallocarray() to realloc(). claudio tells me that we might soon get rid of this copy. ok claudio
2024-08-21Increase maximum Signed Object size to 8MBJob Snijders
OK tb@ claudio@
2024-08-20Use msgbuf_queuelen() instead of accessing the queued member directly.Claudio Jeker
OK tb@
2024-08-20Update Geofeed referenceJob Snijders
RFC 9632 introduced additional constraints and requirements for RPKI-based Geofeed authenticators (at my request).
2024-08-19Prepare for releasing version 9.2Job Snijders
2024-08-15Ensure synchronization jobs are stopped when the timeout is reachedJob Snijders
OK tb@ claudio@
2024-08-15Call repo_check_timeout() before colleting the POLLOUT fds. SinceClaudio Jeker
repo_abort() called by repo_check_timeout() will add messages to be sent out. OK tb@
2024-07-25Silence a false positive warning for gccTheo Buehler
The code path gcc is whining about ensures that the struct auth in question is initialized, but the pile of garbage that is gcc's use of uninitialized warnings can't figure that one out. Enough time on this was wasted during the last few releases that silencing gcc with annoying workarounds may be the lesser evil. ok claudio
2024-07-12Improve duplicate detection and repo_move_validClaudio Jeker
Only trigger a duplicate error if a valid filepath is revisted. It is possible that a bad CA references somebody else's files and if that happens first it would block the valid access. To make this work, pass the ok flag to filepath_add() and only set the talmask bit if the file was ok. Since we need to do the duplicate check before processing the entity introduce filepath_valid() which checks if the path is in the tree and has its talmask bit set. In repo_move_valid() handle conflicts more gracefully. When both a valid and temporary file are present assume that one of the files was never ok (talmask == 0) and silently remove that file from the filepath tree. OK tb@
2024-07-12Rename the variable c to ok. It returns if the file failed to parse or not.Claudio Jeker
We need to pass this to filepath_add so lets use a better name. OK tb@
2024-07-08x509_pubkey_get_ski() should support non-rsa keysTheo Buehler
for now add an XXX reminder. Pointed out by job a while back
2024-07-08Ensure that the rpkiManifest is a file in the caRepositoryTheo Buehler
discussed with jca and job ok claudio
2024-07-08Normalize the rsync caRepository to contain a trailing slashTheo Buehler
discussed with jca ok claudio
2024-06-20Add missing ref & reorderJob Snijders
OK tb@ claudio@
2024-06-17Invalidate the right stack[] memberTheo Buehler
There was a shift of the index in the for loop, and invalidating the wrong member could result in a double free in auth_tree_free() on process exit. ok claudio job
2024-06-17Put back NULL checks in crl_get() and build_chain()Theo Buehler
Turns out filemode still relies on these. Rather than adding to the spaghetti in filemode.c, begrudgingly put back the NULL checks with an additional XXX. ok claudio job
2024-06-12rpki-client: avoid hard error when hitting the maximum cert idTheo Buehler
Instead, continue processing what we can but avoid lots of warning noise. Error out at the end of the parser process to avoid loading a bad config into bgpd. This isn't great as it is and can be refined in tree. ok claudio
2024-06-12rpki-client: mention same-origin policy draft in STANDARDSTheo Buehler
ok job
2024-06-12rpki-client: bump versionTheo Buehler
It's been a few months with lots of changes. We should release soon-ish. discussed with job
2024-06-12rpki-client: use better variable names for issuer and subject UIDTheo Buehler
piuid and psuid annoy me every time I see them. no functional change
2024-06-11rpki-client: add link to rpki-rs PR that supposedly fixes this bugTheo Buehler
https://github.com/NLnetLabs/rpki-rs/pull/295
2024-06-11rpki-client: grammar tweak in commentTheo Buehler
2024-06-11rpki-client: turn assert() into a NULL checkTheo Buehler
ok claudio
2024-06-11rpki-client: fix incorrect use of ASN1_tag2str()Theo Buehler
This goes back to the initial import in mft.c and was then copied to rsc.c. ASN1_tag2str() doesn't take a nid but rather an ASN.1 tag. Use nid2str() instead. ok claudio (who helped me use nid2str() correctly)
2024-06-11I've written/touched/contributed to most of crl.cTheo Buehler
2024-06-11rpki-client: simplify signature type checking for certs/CRLsTheo Buehler
The OpenSSL 1.1 get_signature_nid() API is available for all libraries that we support and it does exactly what we want. It is much simpler than the unergonomic accessors we used previously. The ASN.1 templates ensure that the relevant struct members aren't NULL after successful deserialization, so the calls are safe. ok claudio
2024-06-10rpki-client: allow multiple EKU OIDs for BGPsec certsTheo Buehler
Nothing says there may be only one purpose. We only need to find id-kp-bgpsec-router among them. This matches the intention of the extended key usage extension in RFCs 5280 and 8209 more closely. ok claudio
2024-06-10rpki-client: zap outdated comment.Theo Buehler
The valid_x509() in proc_parser_gbr() was initially left unchecked but has been checked since r1.79.
2024-06-10rpki-client: fix and move more KU/EKU to x509_get_purpose()Theo Buehler
Now all key usage and extended key usage handling is at the same place. This fixes a bug for BGPsec Router certs where key usage was ignored. Another omission that is fixed here is that criticality of the key usage extension was not checked. Drop a comment about possible use of EKU that was in the TA/CA code path but would only apply to EE certs. ok claudio
2024-06-08Improve the check for is_ta in filemodeTheo Buehler
Instead of checking for EXFLAG_SS use the more accurate information we already gathered. ok job
2024-06-08Tigthen cert_parse_ee_cert() and ta_parse()Theo Buehler
Require that a cert fed to cert_parse_ee_cert() have an EE cert purpose. Instead of throwing a warning for BGPsec router certs, check for the TA purpose in ta_parse() and reject everything else. ok job
2024-06-08Add a TODO item for BGPsec router certsTheo Buehler
It is currently assumed that there is only one extended key usage OID. RFC 8209 allows others. For example, it may well make sense for operators to include the anyExtendedKeyUsage OID to be able to use validators that don't recognize the BGPsec Router purpose. ok job
2024-06-08Improve x509_get_purpose()Theo Buehler
Instead of only differentiating between CA and BGPsec Router certs, make it recognize TA and EE certs as well. TAs and CAs have the cA boolean in the basic constraints, while EE and BGPsec router certs do not. TAs are self-signed, CAs not self-issued, all other certs with the cA boolean are invalid. EE certs do not have an extended key usage and BGPsec certs contain the id-kp-bgpsec-router OID. Handle the new purposes where needed. ok job
2024-06-08Helper to convert purpose into a printable stringTheo Buehler
ok job
2024-06-08Extend the cert_purpose enumTheo Buehler
This adds a TA and an EE purpose to be used in upcoming commits. ok job
2024-06-08Add a x509_cache_extensions() helperTheo Buehler
This is a simple wrapper around X509_check_policy(cert, -1, 0) that doesn't need an explanatory comment in the caller. The reason for having to do this is that various OpenSSL API calls rely on having extension information cached. As an unsurprising consequence of OpenSSL's characteristic API misdesign these calls can't report errors, so they call the extension caching without error checking and the result is that they may report nonsense. To work around this, cache the extensions up front so a second call can't fail and thus API calls such as X509_check_ca(), X509_get_key_usage() and X509_cmp() work reliably. ok job
2024-06-07rpki-client: if anything changed, choose the freshly-fetched TATheo Buehler
Instead of just looking at the serial number it's easier to use X509_cmp(). This compares the certs' hashes computed during the extension caching. This is currently SHA-512 for LibreSSL and SHA-1 for OpenSSL, which is good enough. After all, the TA certs were signed by a trusted source and if you choose to use OpenSSL this won't be the worst of your problems. ok job
2024-06-07Fine-tune the TA tiebreaker logicJob Snijders
Additional tiebreaker: prefer TA certificates with the narrower validity window OK tb@
2024-06-07Add two related todo items for purpose handlingTheo Buehler
BGPsec certs are a bit weird and checks for them are all over the place, some of them in the TA handling, which makes very little sense. We'd be better off adding another purpose for trust anchors and use that instead. ok claudio job
2024-06-07Rework trust anchor handlingTheo Buehler
Mimick the approach already taken from manifests and compare the trust anchor fetched from the net with the one in the cache (if any). This allows us to choose which one to use and pick the one we like better. We currently look at the notBefore date and pick the TA later one or pick the new one if the serialNumber changed. These conditions will be tweaked in tree. This prevents replay attacks where a man in the middle could feed us still valid TA certificates with outdated internet number resources. This is not currently an issue since all currently valid TA certs from the RIRs have the same set of resources. Some TA certificates in the RPKI expire so far in the future that its 32-bit time is again positive. Things may well change in the next 100 years... Problem pointed out to us by Ties de Kock a long time ago. with and ok claudio ok job
2024-06-07Download new TA files into a temporary place (.ta/) so that the parserClaudio Jeker
can decide which of the two files to use. With and OK tb@
2024-06-06Tell my future self why I don't want to change this checkTheo Buehler
2024-06-06Check that TA certs are correctly signedTheo Buehler
We know the pubkey from the TAL, so check that the signature is right as required by RFC 6487, section 7, additional condition 1, applied to self-issued certs. Make the error check weird since OpenSSL 3 broke yet another API (thanks claudio for making me go look). ok claudio job
2024-06-06rpki-client: fix RFC section references in ta_parse()Theo Buehler
ok claudio
2024-06-06rpki-client: fix a crash in filemodeTheo Buehler
For an expired TA, cert is freed and zeroed in file mode and cert_print() crashes. For such TAs (and otherwise invalid ones) expired and notafter become dangling pointers. Invalidate them and set them only for valid TA certs. with/ok claudio
2024-06-06ip_resources_print(): zap extra blank lineTheo Buehler
2024-06-06rpki-client: simplify ta_parse()Theo Buehler
Since this is always called after cert_parse_pre(), notBefore and notAfter are available in struct cert, so we can use time_t comparison. ok claudio