path: root/usr.sbin
Age | Commit message | Author
2023-05-09 | Properly handle references for nexthops and labels in filterset_copy() | Claudio Jeker
Up until recently filterset_copy() was only used in the parent process where none of those references exist but by using filterset_copy() in the RDE to populate per-peer output filters the code needs to handle such references. Without this rules like 'match to any set nexthop X' will cause internal corruption on config reloads and session resets. Bug report from Marko Cupac (marko.cupac (at) mimar.rs) OK tb@
2023-05-09 | rpki-client: use partial chains in certificate validation | Theo Buehler
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag. More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated. Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto. This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23. ok claudio job
2023-05-08 | cron: bounds check the high and low bounds in a random range. | Todd C. Miller
The bounds are checked for normal ranges in set_element() but in the case of random ranges this is too late. As a result, a random range with an invalid high/low bounds would only result in a syntax error if the randomized value was out of bounds. This means the entry would be "randomly" rejected by cron or crontab. OK kn@
2023-05-08 | Fix a potential mem-leak in usm_decrypt(). | Gerhard Roth
Spotted by hshoexer@ ok martijn@
2023-05-07 | cron: check for garbage after the '~' in a random range. | Todd C. Miller
A bug in the parsing of the optional number after the '~' in a random range prevented proper syntax checking. OK kn@
2023-05-06 | Support random offsets when using ranges with a step value in cron. | Todd C. Miller
This extends the random range syntax to support step values. Instead of choosing a random number between the high and low values, the field is treated as a range with a random offset less than the step value. This can be used to avoid thundering herd problems where multiple machines contact a server all at the same time via cron jobs. The syntax is similar to the existing range/step syntax but uses a random range. For example, instead of "0-59/10" in the minutes field, "0~59/10" can be used to run a command every 10 minutes where the first command starts at a random offset in the range [0,9]. The high and low numbers are optional, "~/10" can be used instead. Requested by job@, OK phessler@
2023-05-05 | crontab: move spool temp file creation to spool_mkstemp() | Todd C. Miller
This fixes a bug introduced in rev 1.86 where if the second seteuid() call failed, a temporary file would be left in the spool directory.
2023-05-05 | Pass ASPA objects in reverse since this is what aspa_add_set() expects. | Claudio Jeker
OK tb@
2023-05-05 | Sync json.c with the one from rpki-client. This adds json_do_string(). | Claudio Jeker
Convert json_do_printf() calls using static strings or "%s" fmt over to json_do_string() in the json output. OK tb@
2023-05-05 | Limit the socket buffer size to 64k for all sessions. Long time ago | Claudio Jeker
setting the size to 64k was increasing the size but now auto-scaling could grow the buffer size much more. The original idea was that sessions without protection had a small window size to make window attacks harder. This problem was fixed long time ago and is no longer relevant. Limiting the buffer size to a reasonable size ensures that not too many updates end up queued in the TCP stack. OK benno@ (some time ago)
2023-05-04 | fix stupid thinko, as noticed while converting to v5.36 (later) | Marc Espie
2023-05-04 | Be more economical with returning bodies in bounce messages | Christopher Zimmermann
according to rfc3461 4.3 OK millert@
2023-05-03 | Fix a use-after-free in filemode | Theo Buehler
In case the TAL of a self-signed is unavailable, cert would be freed but we'd still hold a reference to its expired time in expires, so invalidate that pointer as well. Found by, initial fix and ok job
2023-05-03 | Convert json_do_printf() with "%s" a fmt string to json_do_string(). | Claudio Jeker
OK tb@
2023-05-03 | Introduce json_do_string() a function that JSON escapes a string. | Claudio Jeker
Implement json_do_printf() using json_do_string() and vasprintf(). json_do_string() only escapes the basic control chars (\b, \f, \n, \r and \t) other control chars are considered an error. Also the forward slash is not escaped since the JSON data is not embedded into HTML or XML. With feedback from tb@ & millert@ OK tb@
2023-05-03 | On read failure just abort the rrdp request. | Claudio Jeker
Before a read error would not be removed from the poll fds and trigger constantly. RRDP_STATE_PARSE_ERROR should only be used for errors from xml parser since then the remaining data from the socket still needs to be consumed. OK tb@
2023-05-02 | free the correct pointer. Missed in rev 1.16. | Jonathan Gray
ok dv@
2023-05-01 | Bump to 8.0 | Claudio Jeker
2023-04-30 | avoid use after free | Jonathan Gray
ok jmatthew@
2023-04-30 | document that - with recent changes - the -A option now also excludes | Sebastian Benoit
the ASPA data from the JSON output. ok claudio@
2023-04-29 | bump version to 8.4 | Sebastian Benoit
2023-04-28 | vmd(8): fix specifying boot image in vm.conf | Dave Voutila
Previous change to allow overriding changed the way we parsed and stored the boot image path. The lifetime of the path was...much too short. Heap allocate the kernel path. Found by Mischa Peters. ok mlarkin@
2023-04-28 | Clarify -b usage by `vmctl start`. | Dave Voutila
2023-04-28 | vmd(8)/vmctl(8): allow vm owners to override boot kernel. | Dave Voutila
vmd allows non-root users to "own" a vm defined in vm.conf(5). While the user can start/stop the vm, if they break their filesystem they have no means of booting recovery media like a ramdisk kernel. This change opens the provided boot kernel via vmctl and passes the file descriptor through the control channel to vmd. The next boot of the vm will use the provided file descriptor as boot kernel/bios. Subsequent boots (e.g. a reboot) will return to using behavior defined in vm.conf or the default bios image. ok mlarkin@
2023-04-28 | Remove unneeded header includes in vmd. | Dave Voutila
No functional change. virtio block/networking emulation do not need to know about vmm or any kernel types.
2023-04-28 | Same change as in bgpd: | Claudio Jeker
Add explicit default labels in switch() statements with error handling. Right now these are not reachable. Should also clear some gcc warnings. OK tb@
2023-04-28 | Add explicit default labels in switch() statements with error handling. | Claudio Jeker
Right now these are not reachable. Should also clear some gcc warnings. OK tb@
2023-04-27 | vmd(8): introduce multi-process model for virtio devices. | Dave Voutila
Isolate virtio network and block device emulation in dedicated processes, forked and exec'd from the vm process. This allows for tightening pledge promises to just "stdio". Communication between the vcpu's and these devices now occurs via imsg channels, which adds the benefit of not always blocking the vcpu thread while emulating the device. With this commit, it's possible that vmd is the first open source hypervisor that *defaults* to a multi-process device emulation model without requiring any additional configuration from the operator. Testing help from phessler@ and Mischa Peters. ok mlarkin@
2023-04-27 | RFC 9096 changes the default timers for prefix preferred and valid lifetimes, | Peter Hessler
so update rad(8) to the new ones. OK florian@
2023-04-27 | zap APM_CANCEL, dead since import; OK tb | Klemens Nanni
2023-04-27 | Make rpki-client choose the verification time of the time it is invoked | Bob Beck
rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time. ok tb@ claudio@
2023-04-27 | Reimplement output-json.c using json.c from bgpctl. | Claudio Jeker
Much rejoice from tb@ and job@ OK tb@
2023-04-26 | Add a -P option to rpki-client to specify the evaluation time | Bob Beck
This is intended to be able to test rpki-client in a reproducible way without worrying about the system time changing the results ok claudio@
2023-04-26 | Use < 0 for fprintf() error checking and not == -1. | Claudio Jeker
2023-04-26 | Verify each fprintf call for success. On failure stop calling fprintf | Claudio Jeker
and return -1 in json_do_finish(). tb@ thinks this is not too horrible
2023-04-26 | Use fprintf instead of printf and pass the FILE handle in json_do_start(). | Claudio Jeker
OK tb@
2023-04-26 | In JSON/ASPA output, only print commas up to after the pen-ultimate applicable provider | Job Snijders
Reported by Ties de Kock OK claudio@
2023-04-26 | Kill whitespace | Theo Buehler
2023-04-26 | Add prototypes for geticmptypebyname() and geticmpcodebyname(). | Claudio Jeker
Needed for bison.
2023-04-26 | Fix confusing comments, no object change; with caspar | Klemens Nanni
2023-04-26 | Make -A also apply to the JSON output | Job Snijders
OK claudio@
2023-04-26 | Whitespace | Theo Buehler
"please fix" json
2023-04-26 | Improve accounting by tracking things by repo and tal. | Claudio Jeker
This fixes some wrong accounting for repositories that are referenced from more than one TAL. It changes the ometric label output a little bit since there are repository metrics that no longer include the 'name' label. OK tb@
2023-04-26 | Fix vmd after vmm MI/MD split | Mike Larkin
2023-04-25 | tiny markup fix: add missing Ic before `group' in the `agentx' rule | Omar Polo
OK martijn@
2023-04-25 | vmctl(8): no longer needs vmmvar.h | Dave Voutila
Finally! We can remove kernel headers from vmctl. ok mlarkin@
2023-04-25 | vmm(4)/vmd(8): pull struct members out of vmm ioctl create struct. | Dave Voutila
The object sent to vmm(4) contained file paths and details the kernel does not need for cpu virtualization as device emulation is in userland. Effectively, "pull up" the struct members from the vm_create_params struct to the parent vmop_create_params struct. This allows us to clean up some of vmd(8) and simplify things for switching to having vmctl(8) open the "kernel" file (SeaBIOS, bsd.rd, etc.) to allow users to boot recovery ramdisk kernels. ok mlarkin@
2023-04-25 | Add option 'rdroot' to simplify creation of rdroot filesystems for the install | Kenneth R Westerback
media. No functional change to existing behaviour.
2023-04-24 | If the two mfts in mft_compare() are the same do not prefer the | Claudio Jeker
first (DIR_VALID) but prefer the 2nd (DIR_TEMP) since this allows rpki-client to move the equal files from .rrdp back into the valid repo tree and so there are less unaccounted files for. Problem noticed by and OK job@
2023-04-24 | Missing the optional default config is not an error | Klemens Nanni
/var/log/{messages,daemon} logs ENOENT as error on default configless vmd. Only complain on explicitly passed files and print a debug hint under `-vv' in case someone forgot to populate their /etc/vm.conf. OK dv mlarkin