Age | Commit message | Author
|
The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
OK tb@
|
OK tb@
|
The EE Cert has just been allocated as part of deserializing the cms.
There is no need for an expensive copy, we can just keep a reference.
ok job
|
The ROA specification (RFC 6482 section 4) is a bit underspecified; however,
in the wild the RFC 3779 AS Resources extension never ever appears on ROA EE
certificates, as it serves no purpose in the validation process.
OK tb@
|
If a repository is uncommunicative, rpki-client will try other transports,
or come back later (because of a next crontab invocation).
OK claudio@
|
hit this timeout. This is in line with the rsync code.
OK tb@ job@
|
OK claudio@
|
OK sthen@
|
the cachedir and if output files are written to outputdir. In -f mode
the unveil can be read-only; in normal operation rwc is required because
the main process writes the RRDP files and also does the cleanup at the
end of the run.
Input from tb@ and mestre@, OK tb@
|
OK claudio@
|
Blocking outbound connections towards RPKI publication servers based
on IP or IPv6 address in external instrumentation like HTTP proxies
or pf(4) rules is somewhat unwieldy. It might be easier for operators
if we offer a mechanism that cuts at the CA cert SIA parsing step.
OK claudio@ tb@
|
without good reason. Regression introduced in a recent refactoring found
by job
ok claudio job
|
Warn if the serial number decreases between syncs.
On top of this only allow a small window of up to 2 deltas from the
current one to consider our cache to be in sync.
The number 2 is probably too conservative and should be adjusted once
some data points have been collected.
It seems to happen that CAs restore RRDP snapshots instead of building
a fresh snapshot with a new session-id. This results in rpki-client
ignoring the repo until the serial number is bigger again.
OK tb@
|
Since the ASN.1 template conversions, we have three copies of mostly dead
code that validates that the econtent version is at its default value 0.
Until a new standard bumps this version and we decide to support that,
we're better off with only one copy of this code.
ok claudio
|
If a certificate along the chain does not have an AS numbers extension,
this is a failure condition according to RFC 3779, section 3.3.
ok job
|
as mft FileAndHash entries are checked.
ok claudio job
|
ok claudio job
|
This way the helper functions appear in the order they are used in
rsc_parse_econtent().
|
ok claudio job
|
ok claudio job
|
This implements the constrained versions of the RFC 3779 structures
since OpenSSL's 3779 API doesn't expose IPAddrBlocks. This way we can
also avoid extra checks after walking the structs. Use the previously
exposed sbgp_as_{id,range}() and sbgp_addr{,_range}() to remove a lot
of copy-pasted code.
While parsing ConstrainedASIdentifiers allocate only once and for
ConstrainedIPAddrBlocks allocate once per address family instead of
doing a reallocation for each asid or prefix.
This removes the last explicit use of ASN1_TYPE and ASN1_SEQUENCE_ANY
from rpki-client.
ok claudio job
|
Change signatures of various functions to avoid using struct parse and
expose sbgp_as_{id,range}() and sbgp_addr{,_range}() so they can be used
from rsc.c. This is a mostly mechanical diff.
ok claudio job
|
once at the start.
OK tb@
|
These just replace MAX_CONNECTIONS and MAX_RSYNC_PROCESSES to be more unified.
OK tb@
|
Discussed with claudio
|
perfectly fine. So switch the stats output at the end of the run to
simply use printf(3) and no longer depend on -v flag.
OK tb@
|
The ASN.1 templates are a rather direct translation of the ASN.1 in the
relevant RFCs and they allow deserializing the Manifest and ROA eContent
in a single step instead of numerous opaque d2i_ASN1_SEQUENCE_ANY() calls.
Once the eContent is deserialized, we can walk the structs, validate it
as before and populate the internal data structures.
Positive feedback job
ok claudio
|
ok job
|
If ASN1_STRING_FLAG_BITS_LEFT is set, only the lower three bits of the
flags represent the unused bits. Other flags have nothing to do with
lengths, so stop interpreting them as such and throwing strange errors.
ok claudio
|
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with
OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
We now do one allocation per address family instead of one per prefix or
range.
ok claudio
|