Up until recently filterset_copy() was only used in the parent process
where none of those references exist but by using filterset_copy() in
the RDE to populate per-peer output filters the code needs to handle
such references. Without this rules like 'match to any set nexthop X'
will cause internal corruption on config reloads and session resets.
Bug report from Marko Cupac (marko.cupac (at) mimar.rs)
OK tb@
|
|
The generally rather poor quality RFC 3779 code in libcrypto also performs
abysmally. Flame graphs show that nearly 20% of the parser process is spent
in addr_contains() alone. There is room for improvement in addr_contains()
itself - the containment check for prefixes could be optimized quite a bit.
We can avoid a lot of the most expensive work for certificates with tons of
resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first
one that has no inherited RFC 3779 resources and use that as 'trust anchor'
for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be
sure that a leaf's delegated resources are properly covered and at the same
time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works
equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the
parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain
points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck,
claudio and job during and after m2k23.
ok claudio job
|
|
The bounds are checked for normal ranges in set_element() but in
the case of random ranges this is too late. As a result, a random
range with an invalid high/low bounds would only result in a syntax
error if the randomized value was out of bounds. This means the
entry would be "randomly" rejected by cron or crontab. OK kn@
|
|
Spotted by hshoexer@
ok martijn@
|
|
A bug in the parsing of the optional number after the '~' in a
random range prevented proper syntax checking. OK kn@
|
|
This extends the random range syntax to support step values. Instead
of choosing a random number between the high and low values, the
field is treated as a range with a random offset less than the step
value. This can be used to avoid thundering herd problems where
multiple machines contact a server all at the same time via cron jobs.
The syntax is similar to the existing range/step syntax but uses a
random range. For example, instead of "0-59/10" in the minutes
field, "0~59/10" can be used to run a command every 10 minutes where
the first command starts at a random offset in the range [0,9].
The high and low numbers are optional, "~/10" can be used instead.
Requested by job@, OK phessler@
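To make the "low~high/step" semantics concrete, here is an added illustration (not cron's code, and not from the commit above) of how such a field can be parsed and expanded. It follows the commit message's description: the field is a range, the step is applied from a random offset smaller than the step, the bounds are optional, and, as the related bounds-check fix in this log requires, an out-of-range spec is rejected at parse time before any random value is drawn. The function names, the bitmask representation and the use of rand() are this example's own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a cron random range "low~high[/step]". */
struct field_spec {
	int low, high;	/* inclusive bounds */
	int step;	/* 0: choose one random value in [low, high] */
};

/* Read an optional decimal number. Returns 1 if one was read (p advanced,
 * *val set), 0 if none was present or it is absurdly large (p unchanged). */
static int
parse_opt_num(const char **p, int *val)
{
	const char *s = *p;
	int v = 0;

	if (!isdigit((unsigned char)*s))
		return 0;
	while (isdigit((unsigned char)*s)) {
		v = v * 10 + (*s++ - '0');
		if (v > 100000)
			return 0;
	}
	*p = s;
	*val = v;
	return 1;
}

/*
 * Parse "low~high[/step]"; min/max are the field's legal bounds (0-59 for
 * minutes). Both numbers are optional ("~/10" means min~max/10). Bounds are
 * validated here, before any randomness is involved, so a bad spec is always
 * a syntax error. Returns 0 on success, -1 on syntax error.
 */
int
parse_random_range(const char *s, int min, int max, struct field_spec *out)
{
	const char *p = s;
	int low = min, high = max, step = 0;

	parse_opt_num(&p, &low);
	if (*p++ != '~')
		return -1;
	parse_opt_num(&p, &high);
	if (*p == '/') {
		p++;
		if (!parse_opt_num(&p, &step) || step < 1)
			return -1;
	}
	if (*p != '\0' || low < min || high > max || low > high)
		return -1;
	out->low = low;
	out->high = high;
	out->step = step;
	return 0;
}

/* Number of distinct offsets the spec allows: the step for a stepped range,
 * otherwise the width of the range. */
int
random_span(const struct field_spec *sp)
{
	return sp->step > 0 ? sp->step : sp->high - sp->low + 1;
}

/*
 * Expand the spec for a concrete offset (0 <= offset < random_span()) into a
 * bitmask where bit v set means "fire at value v" (assumes max < 64).
 * Returns the number of values selected, or -1 if the offset is invalid.
 */
int
expand_random_range(const struct field_spec *sp, int offset, uint64_t *bits)
{
	int v, n = 0;

	if (offset < 0 || offset >= random_span(sp))
		return -1;
	*bits = 0;
	if (sp->step == 0) {
		*bits = (uint64_t)1 << (sp->low + offset);
		return 1;
	}
	for (v = sp->low + offset; v <= sp->high; v += sp->step, n++)
		*bits |= (uint64_t)1 << v;
	return n;
}

/* Convenience: parse and expand in one call; 0 means "rejected". */
uint64_t
range_bits(const char *s, int min, int max, int offset)
{
	struct field_spec sp;
	uint64_t bits;

	if (parse_random_range(s, min, max, &sp) == -1 ||
	    expand_random_range(&sp, offset, &bits) == -1)
		return 0;
	return bits;
}

/* The offset would be drawn once, when the crontab is loaded; rand() is a
 * stand-in for whatever generator a real implementation uses. */
int
draw_offset(const struct field_spec *sp)
{
	return (int)(rand() % random_span(sp));
}
```

With "0~59/10" and a drawn offset of 3, the minutes selected are 3, 13, 23, 33, 43 and 53, so every machine fires every ten minutes but each at its own phase; "0~70/10" is rejected by parse_random_range() regardless of which offset would later be drawn.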
|
|
This fixes a bug introduced in rev 1.86 where if the second seteuid()
call failed, a temporary file would be left in the spool directory.
|
|
OK tb@
|
|
Convert json_do_printf() calls using static strings or "%s" fmt over
to json_do_string() in the json output.
OK tb@
|
|
setting the size to 64k was increasing the size but now auto-scaling
could grow the buffer size much more. The original idea was that sessions
without protection had a small window size to make window attacks
harder. This problem was fixed a long time ago and is no longer relevant.
Limiting the buffer size to a reasonable size ensures that not too many
updates end up queued in the TCP stack.
OK benno@ (some time ago)
|
|
|
|
according to rfc3461 4.3
OK millert@
|
|
In case the TAL of a self-signed is unavailable, cert would be freed but
we'd still hold a reference to its expired time in expires, so invalidate
that pointer as well.
Found by, initial fix and ok job
|
|
OK tb@
|
|
Implement json_do_printf() using json_do_string() and vasprintf().
json_do_string() only escapes the basic control chars (\b, \f, \n, \r and \t)
other control chars are considered an error. Also the forward slash is
not escaped since the JSON data is not embedded into HTML or XML.
With feedback from tb@ & millert@
OK tb@
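As an added illustration of the escaping rules the message above describes (this is not rpki-client's json_do_string(), just a small stand-alone escaper written for this page): the quote and backslash are escaped, the five named control characters become their two-character escapes, any other control character is treated as an error, and the forward slash passes through untouched because the output is never embedded in HTML or XML. The function name, the malloc'd-string interface and the NULL-on-error convention are this example's own choices.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Escape a C string for use inside a JSON string literal (the surrounding
 * quotes are not added). Returns a malloc'd string, or NULL on allocation
 * failure or when the input holds a control character other than
 * \b \f \n \r \t. Illustrative code, not rpki-client's.
 */
char *
json_escape(const char *in)
{
	size_t len = strlen(in), i, o = 0;
	char *out;

	/* worst case: every byte turns into a two-character escape */
	if ((out = malloc(len * 2 + 1)) == NULL)
		return NULL;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)in[i];
		char esc;

		switch (c) {
		case '"':  esc = '"';  break;
		case '\\': esc = '\\'; break;
		case '\b': esc = 'b';  break;
		case '\f': esc = 'f';  break;
		case '\n': esc = 'n';  break;
		case '\r': esc = 'r';  break;
		case '\t': esc = 't';  break;
		default:
			if (c < 0x20) {		/* any other control char: error */
				free(out);
				return NULL;
			}
			out[o++] = (char)c;	/* '/' and everything else: verbatim */
			continue;
		}
		out[o++] = '\\';
		out[o++] = esc;
	}
	out[o] = '\0';
	return out;
}
```

Rejecting unexpected control characters instead of silently encoding them keeps stray bytes from an untrusted repository out of the JSON output, which is the conservative choice for a tool whose output is consumed by other programs.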
|
|
Before a read error would not be removed from the poll fds and trigger
constantly. RRDP_STATE_PARSE_ERROR should only be used for errors from
xml parser since then the remaining data from the socket still needs to
be consumed.
OK tb@
|
|
ok dv@
|
|
|
|
ok jmatthew@
|
|
the ASPA data from the JSON output.
ok claudio@
|
|
|
|
Previous change to allow overriding changed the way we parsed and
stored the boot image path. The lifetime of the path was...much too
short. Heap allocate the kernel path.
Found by Mischa Peters.
ok mlarkin@
|
|
|
|
vmd allows non-root users to "own" a vm defined in vm.conf(5). While
the user can start/stop the vm, if they break their filesystem they
have no means of booting recovery media like a ramdisk kernel.
This change opens the provided boot kernel via vmctl and passes the
file descriptor through the control channel to vmd. The next boot
of the vm will use the provided file descriptor as boot kernel/bios.
Subsequent boots (e.g. a reboot) will return to using behavior
defined in vm.conf or the default bios image.
ok mlarkin@
|
|
No functional change. virtio block/networking emulation do not need
to know about vmm or any kernel types.
|
|
Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@
|
|
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@
|
|
Isolate virtio network and block device emulation in dedicated
processes, forked and exec'd from the vm process. This allows for
tightening pledge promises to just "stdio".
Communication between the vcpu's and these devices now occurs via
imsg channels, which adds the benefit of not always blocking the
vcpu thread while emulating the device.
With this commit, it's possible that vmd is the first open source
hypervisor that *defaults* to a multi-process device emulation
model without requiring any additional configuration from the
operator.
Testing help from phessler@ and Mischa Peters.
ok mlarkin@
|
|
so update rad(8) to the new ones.
OK florian@
|
|
|
|
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
|
Much rejoice from tb@ and job@
OK tb@
|
|
This is intended to be able to test rpki-client in a reproducible
way without worrying about the system time changing the results
ok claudio@
|
|
|
|
and return -1 in json_do_finish().
tb@ thinks this is not too horrible
|
|
OK tb@
|
|
applicable provider
Reported by Ties de Kock
OK claudio@
|
|
|
|
Needed for bison.
|
|
|
|
OK claudio@
|
|
"please fix" json
|
|
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric label output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@
|
|
|
|
OK martijn@
|
|
Finally! We can remove kernel headers from vmctl.
ok mlarkin@
|
|
The object sent to vmm(4) contained file paths and details the
kernel does not need for cpu virtualization as device emulation is
in userland. Effectively, "pull up" the struct members from the
vm_create_params struct to the parent vmop_create_params struct.
This allows us to clean up some of vmd(8) and simplify things for
switching to having vmctl(8) open the "kernel" file (SeaBIOS, bsd.rd,
etc.) to allow users to boot recovery ramdisk kernels.
ok mlarkin@
|
|
media.
No functional change to existing behaviour.
|
|
first (DIR_VALID) but prefer the 2nd (DIR_TEMP) since this allows
rpki-client to move the equal files from .rrdp back into the valid
repo tree and so there are fewer unaccounted-for files.
Problem noticed by and OK job@
|
|
/var/log/{messages,daemon} logs ENOENT as error on default configless vmd.
Only complain on explicitly passed files and print a debug hint under `-vv'
in case someone forgot to populate their /etc/vm.conf.
OK dv mlarkin
|