Age | Commit message | Author |
|
OK tb@
|
|
OK tb@
|
|
OK tb@
|
|
OK tb@
|
|
ok claudio
|
|
Binary change in main.o and tal.o due to an assertion change and in spl.o
due to line number changes
looks good to claudio, ok clang + sha256
|
|
Having a single letter to distinguish a length from a pointer is error
prone. This results in binary change only in validate.c and cert.c due
to a line wrap resulting in line number changes, and in cert.c there are
in addition two asserts that change.
checked with/ok job
|
|
ok tb
|
|
ok claudio
|
|
Currently the validation indicator only takes the certificate's status
into account. In case everything checks out, check the product's lifetime
and the signature path's expiration moment before printing OK.
should fix an issue encountered by job
looks good to claudio
|
|
It is helpful for network operators, publication point operators, and CA
operators to have more insight into whether the RP noticed an issuance
gap between two versions of a given manifest.
* a high number of gaps all the time might be an indication the RP is not
refreshing often enough
* the CA is trying to issue manifests more than once a second
* the RFC 8181 publication server's ingress API endpoint has issues
* the RFC 8181 publication client has trouble reaching the server
* the CA's private keys (RPKI + BPKI) are used on a second (cloned) system
* the CA's issuance database is broken
Correlation opportunity: detection of a gap means some of the CA's
intermediate states were occluded from the RP; the RP operator might
want to correlate this to traffic shifts in BGP or publication point
reachability issues.
Going forward, emit a warning per manifest, add metrics to the
openmetrics output, and display a summary at the end of the run about
issuance gaps.
OK tb@
|
|
are used to store file descriptors.
OK tb@
|
|
EVP_PKEY_get0_* were made const correct in OpenSSL 3 and now cause the
build of rpki-client to emit warnings. Of course no one is able to see
these warnings because they are hidden in all the deprecation vomit.
Makes rpki-client build cleanly against OpenSSL 3 when configured with
--with-openssl-cflags=-DOPENSSL_SUPPRESS_DEPRECATED.
ok claudio deraadt job
|
|
The language in RFC 5280, section 4.1.2.5 includes the end points of the
validity interval.
Reported by Tom Harrison
ok claudio job
|
|
An ASN1_INTEGER doesn't contain the ASN.1 encoding in its data. It contains
a BIGNUM. In particular, there's no padding octet for integers with the top
bit of the top octet set. Do the check the dumb way and check all the parts
individually: non-negative, not larger than 20 octets and bit 159 not set.
Reported by Tom Harrison
ok claudio job
|
|
ok claudio
|
|
ok claudio
|
|
claudio agrees
|
|
requested by tb@
|
|
The CRL number draft clarified what ignoring means and it includes checking
that the CRL number is well-formed again. So do this but continue to ignore
the value for any other purpose. This refactors x509_convert_seqnum() into
a couple of helpers. There's some duplication between crl_check_crl_number()
and crl_parse_crl_number() which could be removed if anyone cares.
tweaks/ok job
|
|
ok job
|
|
|
OK tb@ claudio@
|
|
joint effort with/ok claudio
|
|
This changes the JSON output: without -x, some keys are missing from 'metadata'.
OK tb@
|
|
does not exist.
OK tb@
|
|
OK claudio@
|
|
ok claudio job
|
|
Requested by claudio@
OK tb@
|
|
It is technically possible for a series of RRDP deltas and a snapshot
to diverge. An RRDP server could distribute files via Deltas and then
forget about those files, causing copies to remain stuck in the caches
of RRDP clients. Resetting RRDP sessions once every few weeks helps with
garbage collection.
In week 0 the probability of triggering re-initialization is ~0.025% and
doubles every week; in week 11 it's 50% and always after week 12. Thus,
RPs will reinitialize at least once every 3 months.
OK tb@ claudio@
|
|
This pulls in an overflow check and the change from recallocarray() to
realloc(). claudio tells me that we might soon get rid of this copy.
ok claudio
|
|
OK tb@ claudio@
|
|
OK tb@
|
|
RFC 9632 introduced additional constraints and requirements for RPKI-based
Geofeed authenticators (at my request).
|
|
OK tb@ claudio@
|
|
repo_abort() called by repo_check_timeout() will add messages to
be sent out.
OK tb@
|
|
The code path gcc is whining about ensures that the struct auth in
question is initialized, but the pile of garbage that is gcc's use
of uninitialized warnings can't figure that one out. Enough time on
this was wasted during the last few releases that silencing gcc with
annoying workarounds may be the lesser evil.
ok claudio
|
|
Only trigger a duplicate error if a valid filepath is revisited. It is
possible that a bad CA references somebody else's files, and if that
happens first it would block the valid access.
To make this work, pass the ok flag to filepath_add() and only set the
talmask bit if the file was ok. Since we need to do the duplicate check
before processing the entity, introduce filepath_valid() which checks
if the path is in the tree and has its talmask bit set.
In repo_move_valid() handle conflicts more gracefully. When both a valid
and temporary file are present assume that one of the files was never ok
(talmask == 0) and silently remove that file from the filepath tree.
OK tb@
|
|
We need to pass this to filepath_add so let's use a better name.
OK tb@
|
|
for now add an XXX reminder.
Pointed out by job a while back
|
|
discussed with jca and job
ok claudio
|
|
discussed with jca
ok claudio
|
|
OK tb@ claudio@
|
|
There was a shift of the index in the for loop, and invalidating the wrong
member could result in a double free in auth_tree_free() on process exit.
ok claudio job
|
|
Turns out filemode still relies on these. Rather than adding to the
spaghetti in filemode.c, begrudgingly put back the NULL checks with
an additional XXX.
ok claudio job
|