summaryrefslogtreecommitdiff
path: root/usr.sbin
AgeCommit message (Collapse)Author
2023-12-14rpki-client: make IP address block checks stricterTheo Buehler
There are only two valid AFIs in this context, so check that we have one or two of them. We only accept the IPv4 and IPv6 AFIs in ip_add_afi_parse() and reject any SAFI, so enforce that neither AFI is repeated. This doesn't change things for certificates, where all this is implied by other checks combined. Making this explicit and match the logic needed for ROAs is a win. looks good to job ok claudio
2023-12-13Match what reorder_kernel is doing and use kern.osversion to find out whetherAntoine Jacoutot
we are running an MP kernel or not. based on a reworked submission from kris at devtty dot one via deraadt@ input and ok robert@
2023-12-13Use imsg_get_fd() to access the control fd.Claudio Jeker
OK tb@
2023-12-12The OID inside snmpTrapOID is of type NOTIFICATION-TYPE, which does notMartijn van Duren
have a zero appended. OK tb@
2023-12-12Do a bitter cleanup after the config defined objects on shutdown.Martijn van Duren
OK tb@
2023-12-12io_read_buf() abused the ibuf internal rpos which is no longer allowed.Claudio Jeker
This is now just a simple wrapper around ibuf_get(). OK tb@
2023-12-11Warn when the same manifestNumber is recycled across multiple issuances of ↵Job Snijders
that manifest OK tb@
2023-12-11Log a warning when a manifest replay is detectedJob Snijders
OK tb@ claudio@
2023-12-10Since errno isn't used here, use warnx() instead of warn()Job Snijders
OK tb@
2023-12-09Following a failed fetch, use a previously cached and valid ManifestJob Snijders
RPKI Manifests enable Relying Parties (RPs) to detect replay attacks, unauthorized in-flight modification, or deletion of signed objects. RPs can accomplish these security functions by comparing (what is expected to be) a monotonically increasing counter (the 'manifestNumber') - to determine what the latest Manifest is; a list of filenames - in order to establish whether the complete set of files was fetched; and a list of SHA256 message digests to ascertain whether the content's of said files are exactly the same as the CA intended them to be. Over time, two schools of thought arose. One philosophy is that the highest numbered cryptographically valid Manifest represents the express intent of the CA, so if manifest-listed files are missing, someone upstream messed up and gets to enjoy the broken pieces. After all, RFC 9286 section 5.2 puts the onus firmly on the repository operator to publish in a consistent manner. Here, "consistent" means that newly issued manifests - in the same RRDP delta - are bundled together with all new or changed ROAs, and that remote RSYNC repositories are atomically updated (for example, using symlink pivots). To overcome various types of inconsistent, transient, or intermediate states of the remote publication point - previous versions of rpki-client did construct the full CARepository state using a mix of objects from both its local validated cache and the RRDP/RSYNC staging directories (which contain purported new versions of the objects). However, another take on RFC 9286 section 6.6's "use cached versions of the objects" is that 'the objects' not only refers to the listed subordinate products (such as ROAs/Certificates/ASPAs), but also to Manifests themselves. The philosophy being that lower numbered cryptographically valid Manifests with a complete & untampered set of files are to be preferred over a higher numbered cryptographically valid Manifests accompanied by incomplete sets of files. Consequently - potentially - producing more stable VRP outputs, at the expense of being magnanimous towards sloppy CAs and repository operators. Going forward, rpki-client logs errors when inconsistent publications are encountered, but also proceeds to use older cryptographically valid Manifests (from previous successful fetches) in order to construct the tree. With and OK tb@, and also thanks to Ties de Kock from RIPE NCC.
2023-12-06Periodically reset constraint DNS info for constraints that failedOtto Moerbeek
to reply; ok florian@
2023-12-05reject headers that start with a space or tabOmar Polo
If the first header starts with a space but still contains a colon character, it is added to the body mail effectively appending it to the Received header due to the folding rules. Issue reported by Crystal Kolipe ok millert@, giovanni@
2023-12-03move to using updatedb annotation exclusivelyMarc Espie
2023-12-03add the `no-dsn' option to `listen on socket' tooOmar Polo
ok millert@
2023-12-03set the socket family too to mirror the LISTEN case; no-op in practiceOmar Polo
since AF_UNSPEC is zero.
2023-12-03enable DSN (Delivery Status Notification) for the implicit socket tooOmar Polo
DSN is implicitly enabled when using `listen on sock' but it's not for the implicit socket, avoid this incoherence by enabling it on the implicit socket too. Report and diff by Tassilo Philipp (tphilipp at potion-studios dot com) ok millert@
2023-12-01relay_read_http: strip out Content-Length if we strip the body tooTodd C. Miller
We should not forward Content-Length if the body is not also forwarded.
2023-12-01Make sure we read a complete struct fsinfo even if the filesystem sectorsMiod Vallat
are smaller. bug report and ok kn@
2023-12-01allow tables and filter over multiple linesOmar Polo
This augments the grammar for tables and filter listing so that a newline is allowed after a comma. i.e. these now works as expected: table foo { "one", "two" } listen on socket filter { "foo", "bar" } based on a diff from tim@ ok millert@, tim@
2023-11-29relay_read_http: defer header parsing until after line continuationTodd C. Miller
Wait until we have a complete line before parsing the Content-Length, Transfer-Encoding and Host headers. This prevents potential request smuggling attacks. Filtering already happens after header line continuation has been performed. Reported by Ben Kallus. OK claudio@
2023-11-29aliases package.5 as packing-list and plist, since this is the entryMarc Espie
point for people looking for packing-list details. small tweak by tb@ for readability okay tb@, jca@
2023-11-28relay_read_http: tighten up header parsingTodd C. Miller
1) reject headers with embedded NULs 2) reject headers with invalid characters in the name 3) reject Transfer-Encoding with values other than "chunked" 4) reject chunk values containing non-hex characters 5) reject Content-Length values of "+0" or "-0" 6) reject requests without a ' ' and headers without a ':' Reported by Ben Kallus, OK bluhm@
2023-11-27Add missing error check for yp_get_default_domain()Theo Buehler
Avoids a crash when no default domain is set. from hshoexer ok deraadt who had the same diff
2023-11-27interfacename -> interface to match usage and other manuals; OK florianKlemens Nanni
2023-11-25recognize future updatedb tagged packagesMarc Espie
2023-11-25forgot to zap really old D/FMarc Espie
2023-11-25-h is handled by State.pm, don't try to recognize itMarc Espie
2023-11-25check_security has been around long enough, no need to check quirks canMarc Espie
do it
2023-11-25reinstate checking the keytype, which I unwittingly dropped a long time ago.Marc Espie
2023-11-25reason this is hereMarc Espie
2023-11-25dead tooMarc Espie
2023-11-25this is dead since 2016Marc Espie
2023-11-24add glue to match usage against actual options, as a debugging facilityMarc Espie
2023-11-24Require files to be of a minimum size in the RRDP & RSYNC transportsJob Snijders
Picked 100 bytes as a minimum, to accommodate future signature schemes (such as the smaller P-256) and small files like empty CRLs. With and OK claudio@ tb@
2023-11-23tweak previous; suggested by jmcFlorian Obser
2023-11-23Don't set directory modtimes to match the sourceJob Snijders
When syncing against remote repositories, the modtimes of the remote directories is irrelevant. In the RRDP protocol the directory modtimes aren't signalled either. This should save some IOPS. OK tb@
2023-11-23need to represent the option for it to actually make it into the packageMarc Espie
2023-11-22Recognize option ipv6-only-preferred (RFC8925).Florian Obser
"option option-108 00:00:07:08;" is unwieldy and error prone. OK denis, kn, deraadt
2023-11-22Prepare to do the updatedb stuff as an @option, so that the code is less ad-hocMarc Espie
2023-11-21Make RTFILTER/filter-routes a simple boolean assignment, since theMartijn van Duren
specific value isn't used anymore, and is just used to generate an argument for snmpd_metrics. OK tb@
2023-11-20Rename struct imsgbuf *ibuf to *imsgbuf. Same was done in bgpd.Claudio Jeker
OK tb@
2023-11-20KNF, fix long line.Claudio Jeker
OK tb@
2023-11-20KNFClaudio Jeker
2023-11-20In snmpe_writecb, don't call snmpe_prepare_read() when there's stillMartijn van Duren
data left inside sm_data. If there's an incomplete packet left in the buffer it will be called from snmpe_tryparse, if there's a complete packet left we can end up with new events from the tcp socket, which the tcp subsystem isn't prepared to handle. OK tb@
2023-11-19util.c requires stdint.h for UINT32_MAX and friends.Claudio Jeker
OK tb@
2023-11-17Set "unique_subject = no" to allow renewing expired certificates.Tobias Heider
Without this, openssl throws an error when creating a second req for the same subject which leads to ikectl deleting the old cert without creating a new one. Reported by Ryan Kavanagh in openiked-portable here: https://github.com/openiked/openiked-portable/issues/125 discussed with tb@ ok patrick@
2023-11-16In appl_processpdu() no need to set avi_next, and only set av_next upMartijn van Duren
to varbindlen, since its only use is to print the varbindlist via appl_pdu_log() and both are further properly initialized in appl_request_upstream_resolve(). This fixes a cosmetic off by one for getbulk requests. OK tb@
2023-11-16avi_origid must also be set when transitioning out of theMartijn van Duren
APPL_VBSTATE_MUSTFILL state, else snmpd won't like use once we reach EOMV of our view of the world. OK tb@
2023-11-16Simplify CRL printingTheo Buehler
ok claudio
2023-11-16Improve CRL extension checkingTheo Buehler
RFC 6487 section 5 requires AKI and CRL Number and no other numbers to be present in a CRL. We only checked for AKI and ignored other extensions. Pointed out by Haya Schulmann et al ok claudio