Revision 1.76 (17-Jun-2024, tb)
Put back NULL checks in crl_get() and build_chain()
Turns out filemode still relies on these. Rather than adding to the spaghetti in filemode.c, begrudgingly put back the NULL checks with an additional XXX.
ok claudio job

Revision 1.75 (12-Jun-2024, tb)
rpki-client: avoid hard error when hitting the maximum cert id
Instead, continue processing what we can but avoid lots of warning noise. Error out at the end of the parser process to avoid loading a bad config into bgpd. This isn't great as it is and can be refined in tree.
ok claudio

Revision 1.74 (20-May-2024, claudio)
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before.
Done together with tb@ OK tb@ job@

Revision 1.73 (19-Mar-2024, tb)
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job

Revision tags: OPENBSD_7_5_BASE

Revision 1.72 (22-Feb-2024, job)
Add support for RPKI Signed Prefix Lists
Signed Prefix Lists are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@

Revision 1.71 (01-Feb-2024, tb)
Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt database doesn't specify a long or a short name. So try the long name first, fall back to the short name, and if both fail, use "unknown". Always include the nid as a decimal.
ok claudio

Revision 1.70 (07-Jan-2024, tb)
rpki-client: print revocation time in filemode
If a certificate was revoked, extract the revocation timestamp and update the warning message in filemode to include it.
ok job

Revision 1.69 (27-Dec-2023, tb)
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job

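As an added illustration of the revision 1.69 fix (example code written for this page, not rpki-client's ip_warn()): the two bounds of an RFC 3779 IPAddressRange are BIT STRINGs with trailing bits stripped, so the minimum must be padded with 0 bits and the maximum with 1 bits before either is turned into text. The function names and the sample DER bytes are constructed for the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Expand one RFC 3779 IP address BIT STRING (its DER contents plus the
 * number of unused bits in the last byte) to a full 4- or 16-byte address.
 * RFC 3779 strips trailing 0 bits from the minimum of a range and trailing
 * 1 bits from the maximum, so the missing bits are padded with 0 for the
 * minimum and with 1 for the maximum.  Padding the maximum with 0, i.e.
 * passing it to inet_pton() as is, was the bug fixed in revision 1.69.
 */
static int
rfc3779_expand(const unsigned char *bits, size_t nbytes, unsigned int unused,
    int is_max, unsigned char *addr, size_t addrlen)
{
	unsigned char mask;

	if (nbytes > addrlen || unused > 7 || (nbytes == 0 && unused != 0))
		return 0;

	memset(addr, is_max ? 0xff : 0x00, addrlen);
	memcpy(addr, bits, nbytes);

	if (nbytes > 0) {
		mask = (unsigned char)((1u << unused) - 1);
		if (is_max)
			addr[nbytes - 1] |= mask;	/* unused bits become 1 */
		else
			addr[nbytes - 1] &= (unsigned char)~mask; /* stay 0 */
	}
	return 1;
}

/*
 * Format an IPAddressRange as "min--max", as a warning about a resource
 * block would print it.  af is AF_INET or AF_INET6.  Returns 1 on success,
 * 0 for malformed input (bad lengths, or a minimum above the maximum).
 */
static int
rfc3779_range_str(int af,
    const unsigned char *minb, size_t minlen, unsigned int minunused,
    const unsigned char *maxb, size_t maxlen, unsigned int maxunused,
    char *out, size_t outlen)
{
	unsigned char lo[16], hi[16];
	char los[INET6_ADDRSTRLEN], his[INET6_ADDRSTRLEN];
	size_t addrlen;

	if (af == AF_INET)
		addrlen = 4;
	else if (af == AF_INET6)
		addrlen = 16;
	else
		return 0;

	if (!rfc3779_expand(minb, minlen, minunused, 0, lo, addrlen) ||
	    !rfc3779_expand(maxb, maxlen, maxunused, 1, hi, addrlen))
		return 0;
	if (memcmp(lo, hi, addrlen) > 0)
		return 0;
	if (inet_ntop(af, lo, los, sizeof(los)) == NULL ||
	    inet_ntop(af, hi, his, sizeof(his)) == NULL)
		return 0;
	return snprintf(out, outlen, "%s--%s", los, his) < (int)outlen;
}

/* Helper for checking: does the range format to exactly `expect`? */
static int
rfc3779_range_matches(int af,
    const unsigned char *minb, size_t minlen, unsigned int minunused,
    const unsigned char *maxb, size_t maxlen, unsigned int maxunused,
    const char *expect)
{
	char buf[2 * INET6_ADDRSTRLEN + 3];

	if (!rfc3779_range_str(af, minb, minlen, minunused,
	    maxb, maxlen, maxunused, buf, sizeof(buf)))
		return 0;
	return strcmp(buf, expect) == 0;
}

int
main(void)
{
	/*
	 * Constructed sample, the DER bounds of 10.0.0.0--10.0.0.127:
	 * the minimum strips to 7 bits (byte 0x0a, 1 unused bit), the
	 * maximum to 25 bits (0a 00 00 00, 7 unused bits).
	 */
	const unsigned char lo[] = { 0x0a };
	const unsigned char hi[] = { 0x0a, 0x00, 0x00, 0x00 };
	char buf[64];

	if (rfc3779_range_str(AF_INET, lo, 1, 1, hi, 4, 7, buf, sizeof(buf)))
		printf("%s\n", buf);	/* 10.0.0.0--10.0.0.127 */
	return 0;
}
```
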
Revision 1.68 (19-Oct-2023, job)
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paves the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@

Revision tags: OPENBSD_7_4_BASE

Revision 1.67 (25-Sep-2023, job)
Introduce ip_addr_range_print() to avoid code repetition
OK tb@

Revision 1.66 (29-Jun-2023, tb)
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job

Revision 1.65 (07-Jun-2023, tb)
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job

Revision 1.64 (07-Jun-2023, job)
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@

Revision 1.63 (30-May-2023, claudio)
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@

Revision 1.62 (23-May-2023, tb)
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio

Revision 1.61 (11-May-2023, claudio)
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this, inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@

Revision 1.60 (09-May-2023, tb)
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job

Revision 1.59 (27-Apr-2023, beck)
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@

Revision 1.58 (26-Apr-2023, beck)
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducible way without worrying about the system time changing the results
ok claudio@

Revision 1.57 (14-Apr-2023, tb)
A tab snuck in

Revision 1.56 (13-Apr-2023, job)
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@

Revision tags: OPENBSD_7_3_BASE

Revision 1.55 (06-Mar-2023, job), branches: 1.55.4
Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@

Revision 1.54 (18-Jan-2023, job)
Require version 4 UUIDs as RRDP session IDs
OK tb@

Revision 1.53 (18-Jan-2023, tb)
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck

Revision 1.52 (04-Jan-2023, claudio)
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefore the version check triggers there. Joint work with job@. OK job@, tb@

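Added example for the RRDP session_id checks of revisions 1.52 and 1.54 (example code for this page, not rpki-client's own): parse the textual UUID and, when asked, enforce the RFC 8182 requirement of version 4 and variant 1. The strict flag models the version/variant check that 1.52 leaves disabled and 1.54 later requires; function names and sample UUIDs are made up for the example.

```c
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int
hexval(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Parse the textual UUID form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx into
 * 16 raw bytes.  Returns 1 on success, 0 on any syntax error (wrong
 * length, misplaced dashes, non-hex characters).
 */
static int
uuid_parse(const char *s, unsigned char out[16])
{
	size_t i, n = 0;
	int hi = -1, v;

	if (strlen(s) != 36)
		return 0;
	for (i = 0; i < 36; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return 0;
			continue;
		}
		if ((v = hexval((unsigned char)s[i])) < 0)
			return 0;
		if (hi < 0) {
			hi = v;		/* first nibble of a byte */
		} else {
			out[n++] = (unsigned char)((hi << 4) | v);
			hi = -1;
		}
	}
	return n == 16;
}

/*
 * RRDP session_id check.  With strict == 0 only the UUID syntax is
 * enforced, which is what revision 1.52 ships with.  With strict != 0
 * the RFC 8182 requirement is applied as well: version nibble 4 (the
 * high nibble of byte 6) and variant 1, i.e. the top two bits of
 * byte 8 are 10.
 */
static int
valid_session_id(const char *s, int strict)
{
	unsigned char u[16];

	if (!uuid_parse(s, u))
		return 0;
	if (!strict)
		return 1;
	if ((u[6] >> 4) != 4)
		return 0;
	if ((u[8] & 0xc0) != 0x80)
		return 0;
	return 1;
}
```

A session_id such as the constructed `3b2c7d52-9bd0-1a6e-9f1c-1ea2a2c3b4d5` (version nibble 1) passes the syntax-only check but fails the strict one, which is exactly the case the 1.52 log describes.
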
Revision 1.51 (30-Nov-2022, job)
Remove unused sys/socket.h include
OK claudio@

Revision 1.50 (29-Nov-2022, job)
Only include stdarg.h if we call any of va_{start,end}()
OK tb@

Revision 1.49 (29-Nov-2022, claudio)
Update valid_x509 comment to reality. crl is no longer optional. OK tb@

Revision 1.48 (29-Nov-2022, claudio)
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@

Revision 1.47 (26-Nov-2022, job)
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@

Revision 1.46 (02-Nov-2022, tb)
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio

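Added example of the check ordering revision 1.46 describes (example code for this page, not rpki-client's valid_uri()): the length test runs before strncasecmp() so a URI buffer that is not NUL terminated is never read past its end, and a scheme with no host is rejected as a side effect. MAX_URI_LENGTH and the sample URIs are assumptions for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Assumed cap on URI length; the value rpki-client applies is not on this page. */
#define MAX_URI_LENGTH	2048

/*
 * Validate a URI of len bytes that is not necessarily NUL terminated.
 * proto is the expected scheme prefix including "://", e.g. "rsync://".
 *
 * The length test runs before strncasecmp() so the comparison can never
 * read past the end of a short buffer.  Requiring len > strlen(proto)
 * also rejects a bare "rsync://" or "https://" whose authority section
 * has no host, and the character test after it rejects an empty host.
 */
static int
valid_uri_prefix(const char *uri, size_t len, const char *proto)
{
	size_t plen = strlen(proto), i;

	if (len > MAX_URI_LENGTH)
		return 0;
	if (len <= plen)			/* no room for scheme plus host */
		return 0;
	if (strncasecmp(uri, proto, plen) != 0)
		return 0;
	if (uri[plen] == '/' || uri[plen] == ':')	/* empty host */
		return 0;
	for (i = 0; i < len; i++) {
		/* reject NUL, control characters, whitespace and 8-bit bytes */
		if (!isgraph((unsigned char)uri[i]))
			return 0;
	}
	return 1;
}
```
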
Revision tags: OPENBSD_7_2_BASE

Revision 1.45 (03-Sep-2022, job), branches: 1.45.2
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@

Revision 1.44 (03-Sep-2022, job)
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@

Revision 1.43 (03-Sep-2022, tb)
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)

Revision 1.42 (30-Aug-2022, job)
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@

Revision 1.41 (19-Aug-2022, tb)
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job

Revision 1.40 (10-Jun-2022, tb)
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio

Revision 1.39 (07-Jun-2022, tb)
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job

Revision 1.38 (15-May-2022, tb)
More KNF and whitespace fixes.

Revision 1.37 (15-May-2022, tb)
Remove misplaced continue
ok job

Revision 1.36 (15-May-2022, deraadt)
whitespace spotted during read-thru

Revision 1.35 (12-May-2022, tb)
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job

Revision 1.34 (12-May-2022, tb)
nuke tabs

Revision 1.33 (11-May-2022, job)
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@

Revision 1.32 (10-May-2022, tb)
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio

Revision 1.31 (21-Apr-2022, claudio)
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@

Revision 1.30 (19-Apr-2022, claudio)
Adjust how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK, add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@

Revision tags: OPENBSD_7_1_BASE

Revision 1.29 (04-Feb-2022, job)
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()

Revision 1.28 (23-Jan-2022, tb)
zap extra blank line

Revision 1.27 (23-Jan-2022, claudio)
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa(); also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@

Revision 1.26 (22-Jan-2022, tb)
Change valid_filename() to return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio

Revision 1.25 (21-Jan-2022, tb)
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio

Revision 1.24 (13-Jan-2022, claudio)
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@

Revision 1.23 (26-Dec-2021, tb)
fix spelling of inheritance

Revision 1.22 (04-Nov-2021, claudio)
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@

Revision 1.21 (01-Nov-2021, claudio)
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@

Revision 1.20 (29-Oct-2021, claudio)
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@

Revision 1.19 (27-Oct-2021, beck)
Add limits on size of certain untrusted inputs
ok job@

Revision 1.18 (27-Oct-2021, job)
Limit length on URIs
OK beck@

Revision 1.17 (24-Oct-2021, job)
Restrict the character set for filenames on Manifests
feedback from benno@
OK claudio@

Revision 1.16 (11-Oct-2021, job)
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@

Revision tags: OPENBSD_7_0_BASE

Revision 1.15 (16-Aug-2021, jsg), branches: 1.15.4
add missing break ok claudio@

Revision 1.14 (19-Apr-2021, deraadt)
code review results in KNF, and moving local variables into lowest scope ok claudio

Revision tags: OPENBSD_6_9_BASE

Revision 1.13 (05-Mar-2021, claudio), branches: 1.13.2
Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@

Revision 1.12 (05-Mar-2021, claudio)
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@

Revision tags: OPENBSD_6_8_BASE

Revision 1.11 (12-Sep-2020, claudio)
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@

Revision tags: OPENBSD_6_7_BASE

Revision 1.10 (29-Nov-2019, benno)
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@

Revision 1.9 (29-Nov-2019, claudio)
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.

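Added example (not rpki-client's valid_as()) of the AS resource chain rules stated in revisions 1.39, 1.61 and 1.9: a chain member without the extension fails, an inherit member defers to its issuer, and the first member with explicit resources decides without bubbling further up the chain. The structs, function names and the sample chain are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* One entry of an RFC 3779 AS identifiers extension (a single AS has min == max). */
struct as_range {
	uint32_t	min;
	uint32_t	max;
};

/* The AS resources of one certificate, as extracted from its extension. */
struct cert_as {
	int			 has_ext;	/* AS identifiers extension present? */
	int			 inherit;	/* marked "inherit": resources are the issuer's */
	const struct as_range	*ranges;	/* explicit ranges when not inherit */
	size_t			 nranges;
};

/* Do this certificate's own explicit ranges cover [asmin, asmax]? */
static int
as_ranges_cover(const struct cert_as *c, uint32_t asmin, uint32_t asmax)
{
	size_t i;

	for (i = 0; i < c->nranges; i++)
		if (c->ranges[i].min <= asmin && asmax <= c->ranges[i].max)
			return 1;
	return 0;
}

/*
 * Check that the AS block [asmin, asmax] claimed by a certificate is
 * covered by its issuers.  chain[0] is the direct issuer, chain[depth-1]
 * the trust anchor.  The rules follow the log entries:
 *  - a chain member without the extension is a failure (RFC 3779 3.3, rev 1.39);
 *  - a member marked inherit is skipped, its resources are its issuer's (rev 1.61);
 *  - the first member with explicit resources decides; there is no bubbling
 *    further up the chain hoping a higher certificate covers the block (rev 1.9).
 */
static int
valid_as_chain(const struct cert_as *chain, size_t depth,
    uint32_t asmin, uint32_t asmax)
{
	size_t i;

	if (asmin > asmax)
		return 0;
	for (i = 0; i < depth; i++) {
		if (!chain[i].has_ext)
			return 0;
		if (chain[i].inherit)
			continue;
		return as_ranges_cover(&chain[i], asmin, asmax);
	}
	return 0;	/* every member inherited, TA included: nothing delegates */
}

/*
 * Constructed sample chain: the direct issuer inherits, the CA above it
 * holds 64500-64505, the TA holds 64496-64511 (private-use ASNs).
 */
static const struct as_range ta_ranges[] = { { 64496, 64511 } };
static const struct as_range ca_ranges[] = { { 64500, 64505 } };
static const struct cert_as sample_chain[] = {
	{ 1, 1, NULL, 0 },		/* direct issuer, inherits */
	{ 1, 0, ca_ranges, 1 },		/* CA with explicit resources */
	{ 1, 0, ta_ranges, 1 },		/* trust anchor */
};

static int
sample_chain_covers(uint32_t asmin, uint32_t asmax)
{
	return valid_as_chain(sample_chain, 3, asmin, asmax);
}

/* Same chain, but the direct issuer has no AS identifiers extension at all. */
static int
sample_missing_ext_covers(uint32_t asmin, uint32_t asmax)
{
	struct cert_as chain[3] = { sample_chain[0], sample_chain[1], sample_chain[2] };

	chain[0].has_ext = 0;
	chain[0].inherit = 0;
	return valid_as_chain(chain, 3, asmin, asmax);
}

/* A chain in which every member, TA included, inherits: nothing is delegated. */
static int
sample_all_inherit_covers(uint32_t asmin, uint32_t asmax)
{
	static const struct cert_as chain[] = { { 1, 1, NULL, 0 }, { 1, 1, NULL, 0 } };

	return valid_as_chain(chain, 2, asmin, asmax);
}
```

AS64508 is inside the TA's block but outside the CA's, so the check fails for it: the CA is the first explicit member and nothing above it is consulted.
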
Revision 1.8 (28-Nov-2019, claudio)
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@

Revision 1.7 (27-Nov-2019, benno)
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.

Revision 1.6 (18-Nov-2019, claudio)
Add and fix some comments. From kristaps@

Revision tags: OPENBSD_6_6_BASE

Revision 1.5 (08-Oct-2019, claudio)
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@

Revision 1.4 (19-Jun-2019, deraadt)
use $OpenBSD$ headers

Revision 1.3 (19-Jun-2019, deraadt)
indentation adjustments, in particular near warn statements ok claudio

Revision 1.2 (17-Jun-2019, deraadt)
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.

Revision 1.1 (17-Jun-2019, job), branches: 1.1.1
Initial revision

#
1.75 |
|
12-Jun-2024 |
tb |
rpki-client: avoid hard error when hitting the maximum cert id
Instead, continue processing what we can but avoid lots of warning noise. Error out at the end of the parser process to avoid loading a bad config into bgpd. This isn't great as it is and can be refined in tree.
ok claudio
|
#
1.74 |
|
20-May-2024 |
claudio |
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before.
Done together with tb@ OK tb@ job@
|
#
1.73 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.72 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.71 |
|
01-Feb-2024 |
tb |
Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt database doesn't specify a long or a short name. So try the long name first, fall back to the short name, and if both fail, use "unknown". Always include the nid as a decimal.
ok claudio
|
#
1.70 |
|
07-Jan-2024 |
tb |
rpki-client: print revocation time in filemode
If a certificate was revoked, extract the revocation timestamp and update the warning message in filemode to include it.
ok job
|
#
1.69 |
|
27-Dec-2023 |
tb |
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job
|
#
1.68 |
|
19-Oct-2023 |
job |
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paving the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.67 |
|
25-Sep-2023 |
job |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducable way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefor the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() to return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.74 |
|
20-May-2024 |
claudio |
Instead of tracking certificates by SKI track them by an internal identifier.
The certificate SKI is not strictly unique so using it as a unique id is problematic. It is also not really needed to do that since in theory we already know the path (but this got lost in the privsep communication). So add a cert id and pass this id back and forth between main process and the parser. With this id we can lookup the authentication chain in the parser and this even works with multiple paths to the same resource. Since we no longer lookup by SKI the valid_aki_ski function is replaced by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this replaces the SKI based lookups from before.
Done together with tb@ OK tb@ job@
|
#
1.73 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.72 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.71 |
|
01-Feb-2024 |
tb |
Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt database doesn't specify a long or a short name. So try the long name first, fall back to the short name, and if both fail, use "unknown". Always include the nid as a decimal.
ok claudio
|
#
1.70 |
|
07-Jan-2024 |
tb |
rpki-client: print revocation time in filemode
If a certificate was revoked, extract the revocation timestamp and update the warning message in filemode to include it.
ok job
|
#
1.69 |
|
27-Dec-2023 |
tb |
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job
|
#
1.68 |
|
19-Oct-2023 |
job |
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paving the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.67 |
|
25-Sep-2023 |
job |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducable way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefor the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.73 |
|
19-Mar-2024 |
tb |
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is a mechanical diff. The only remaining uses of 'parent' in this code base now mean 'parent process'.
discussed with beck and job ok job
|
Revision tags: OPENBSD_7_5_BASE
|
#
1.72 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.71 |
|
01-Feb-2024 |
tb |
Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt database doesn't specify a long or a short name. So try the long name first, fall back to the short name, and if both fail, use "unknown". Always include the nid as a decimal.
ok claudio
|
#
1.70 |
|
07-Jan-2024 |
tb |
rpki-client: print revocation time in filemode
If a certificate was revoked, extract the revocation timestamp and update the warning message in filemode to include it.
ok job
|
#
1.69 |
|
27-Dec-2023 |
tb |
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job
|
#
1.68 |
|
19-Oct-2023 |
job |
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paving the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.67 |
|
25-Sep-2023 |
job |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducible way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefore the version check triggers there. Joint work with job@. OK job@, tb@
|
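The version and variant check described in this entry, as an added example written for this log; it is not rpki-client's own code, and the function name and sample session_id values are constructed:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Check that s is a textual RFC 4122 UUID of version 4 (random) with
 * variant 1, the form RFC 8182 requires for an RRDP session_id:
 *   xxxxxxxx-xxxx-4xxx-Nxxx-xxxxxxxxxxxx   with N one of 8, 9, a, b
 * Hex digits are accepted in either case. Returns 1 on match, else 0.
 */
int
valid_uuid_v4_example(const char *s)
{
	size_t i;

	if (strlen(s) != 36)
		return 0;
	for (i = 0; i < 36; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return 0;
		} else if (!isxdigit((unsigned char)s[i]))
			return 0;
	}
	/* Version nibble: first hex digit of the third group must be 4. */
	if (s[14] != '4')
		return 0;
	/* Variant 1: top two bits of the fourth group are 10, i.e. 8/9/a/b. */
	if (strchr("89abAB", s[19]) == NULL)
		return 0;
	return 1;
}

int
main(void)
{
	/* Constructed sample values, not taken from any real repository. */
	const char *good = "9df4b597-af9e-4dca-bdda-719cce2c4e28";
	/* "All random": the version nibble is 1 instead of 4. */
	const char *allrandom = "9df4b597-af9e-1dca-3dda-719cce2c4e28";

	printf("good: %d\n", valid_uuid_v4_example(good));
	printf("all random: %d\n", valid_uuid_v4_example(allrandom));
	return 0;
}
```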
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
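The length-before-compare ordering this entry describes, as an added example in the spirit of rpki-client's valid_uri() but not the project's own code; the function name and the URI_MAX_LEN_EXAMPLE cap are assumptions:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed cap for this example; rpki-client's own limit may differ. */
#define URI_MAX_LEN_EXAMPLE 2048

/*
 * Check a URI taken from untrusted ASN.1 (uri, usz bytes, NOT NUL
 * terminated): printable, within the length cap and, if proto is given,
 * starting with that scheme and carrying something after it.
 * Returns 1 if valid, 0 otherwise.
 */
int
valid_uri_example(const char *uri, size_t usz, const char *proto)
{
	size_t i, plen;

	if (usz == 0 || usz > URI_MAX_LEN_EXAMPLE)
		return 0;

	/* Scan by length only: there is no terminator to stop on. */
	for (i = 0; i < usz; i++) {
		unsigned char c = uri[i];
		if (!isprint(c) || c == ' ')
			return 0;
	}

	if (proto == NULL)
		return 1;

	/*
	 * Length check BEFORE strncasecmp(): the comparison may touch
	 * plen bytes, all of which must lie inside the buffer. Requiring
	 * usz > plen also rejects a bare "https://" or "rsync://", which
	 * has no host in the authority section.
	 */
	plen = strlen(proto);
	if (usz <= plen)
		return 0;

	return strncasecmp(uri, proto, plen) == 0;
}

int
main(void)
{
	/* Constructed buffer: the URI bytes are followed by unrelated data. */
	char raw[] = "rsync://example.net/repo/ta.cerGARBAGE";
	size_t usz = strlen("rsync://example.net/repo/ta.cer");

	printf("full uri: %d\n", valid_uri_example(raw, usz, "rsync://"));
	printf("bare scheme: %d\n", valid_uri_example("rsync://", 8, "rsync://"));
	printf("shorter than scheme: %d\n",
	    valid_uri_example("rsync:/", 7, "rsync://"));
	return 0;
}
```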
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
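A POSIX portable filename check over a length-delimited buffer, the kind of check this entry describes, as an added example; it is not rpki-client's valid_filename(), and the function name and FILENAME_MAX_EXAMPLE cap are assumptions:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed cap for this example; the project's own limit may differ. */
#define FILENAME_MAX_EXAMPLE 255

/*
 * POSIX portable filename check: only [A-Za-z0-9._-], no leading '-',
 * and neither "." nor "..". The name is scanned for len bytes rather
 * than up to a terminator, so an embedded NUL is rejected here instead
 * of silently truncating the name in a later strndup().
 * Returns 1 if acceptable, 0 otherwise.
 */
int
valid_filename_example(const char *fn, size_t len)
{
	size_t i;

	if (len == 0 || len > FILENAME_MAX_EXAMPLE)
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = fn[i];
		if (c == '\0')
			return 0;
		if (!isalnum(c) && c != '.' && c != '_' && c != '-')
			return 0;
	}
	if (fn[0] == '-')
		return 0;
	if (len == 1 && fn[0] == '.')
		return 0;
	if (len == 2 && fn[0] == '.' && fn[1] == '.')
		return 0;
	return 1;
}

int
main(void)
{
	/* Constructed name with an embedded NUL: 9 bytes, not a C string. */
	const char nul[] = "ab\0cd.roa";

	printf("plain: %d\n", valid_filename_example("abc.roa", 7));
	printf("embedded NUL: %d\n",
	    valid_filename_example(nul, sizeof(nul) - 1));
	printf("path component: %d\n", valid_filename_example("../x.mft", 8));
	return 0;
}
```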
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this, valid_roa() needs to be moved up in proc_parser_roa(); also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() to return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.72 |
|
22-Feb-2024 |
job |
Add support for RPKI Signed Prefix Lists
Signed Prefix List are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
#
1.71 |
|
01-Feb-2024 |
tb |
Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt database doesn't specify a long or a short name. So try the long name first, fall back to the short name, and if both fail, use "unknown". Always include the nid as a decimal.
ok claudio
|
#
1.70 |
|
07-Jan-2024 |
tb |
rpki-client: print revocation time in filemode
If a certificate was revoked, extract the revocation timestamp and update the warning message in filemode to include it.
ok job
|
#
1.69 |
|
27-Dec-2023 |
tb |
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job
|
#
1.68 |
|
19-Oct-2023 |
job |
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paving the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.67 |
|
25-Sep-2023 |
job |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducable way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefor the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.71 |
|
01-Feb-2024 |
tb |
Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt database doesn't specify a long or a short name. So try the long name first, fall back to the short name, and if both fail, use "unknown". Always include the nid as a decimal.
ok claudio
|
#
1.70 |
|
07-Jan-2024 |
tb |
rpki-client: print revocation time in filemode
If a certificate was revoked, extract the revocation timestamp and update the warning message in filemode to include it.
ok job
|
#
1.69 |
|
27-Dec-2023 |
tb |
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job
|
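The 1.69 message above turns on a detail of RFC 3779 that is easy to get wrong: an IPAddressRange is two BIT STRINGs, min with its trailing 0 bits dropped and max with its trailing 1 bits dropped, so the upper bound is only correct once the missing bits are filled with 1. The following is an added example, not rpki-client's code, that expands both bounds from their encoded bytes and bit counts; the AFI constants, buffer sizes and the constructed sample ranges are this example's own.

```c
/*
 * Added example, not rpki-client code: expand the min and max address of
 * an RFC 3779 IPAddressRange from their BIT STRING encodings.
 *
 * RFC 3779 encodes a range as two BIT STRINGs: min with trailing zero
 * bits removed and max with trailing one bits removed. Recovering the
 * full address means padding min with 0 bits and max with 1 bits. Passing
 * the truncated bytes of max to inet_pton() as if they were complete
 * yields a too-small upper bound, which is the bug the 1.69 commit fixed.
 */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_MAXLEN 16		/* bytes in an IPv6 address */
#define AFI_IPV4 1		/* assumed AFI numbering for this example */
#define AFI_IPV6 2

/* Address length in bytes for an AFI; 0 for an unsupported AFI. */
static size_t
afi_addrlen(int afi)
{
	switch (afi) {
	case AFI_IPV4:
		return 4;
	case AFI_IPV6:
		return 16;
	default:
		return 0;
	}
}

/*
 * Expand a BIT STRING of 'nbits' significant bits held in 'bits' to a
 * full 'addrlen'-byte address in 'out'. Missing low-order bits are set
 * to 1 when 'fill_ones' is nonzero, otherwise to 0. The unused bits of
 * the last encoded byte are forced to the same value, so a sloppy
 * encoder cannot smuggle bits in there.
 * Returns 0 on success, -1 if the string is longer than the address.
 */
static int
rfc3779_expand(const uint8_t *bits, size_t nbits, size_t addrlen,
    int fill_ones, uint8_t *out)
{
	size_t nbytes = (nbits + 7) / 8;
	uint8_t mask;

	if (nbits > addrlen * 8)
		return -1;

	memset(out, fill_ones ? 0xff : 0x00, addrlen);
	memcpy(out, bits, nbytes);

	if (nbits % 8 != 0) {
		mask = (uint8_t)(0xff >> (nbits % 8));
		if (fill_ones)
			out[nbytes - 1] |= mask;
		else
			out[nbytes - 1] &= (uint8_t)~mask;
	}
	return 0;
}

/*
 * Decode a range into "min-max" text such as "10.0.0.0-10.0.255.255".
 * Returns 0 on success, -1 on an unsupported AFI, an oversized BIT
 * STRING, min > max, or a too-small output buffer.
 */
static int
rfc3779_range_str(int afi, const uint8_t *minbits, size_t minnbits,
    const uint8_t *maxbits, size_t maxnbits, char *buf, size_t buflen)
{
	uint8_t min[ADDR_MAXLEN], max[ADDR_MAXLEN];
	char minstr[INET6_ADDRSTRLEN], maxstr[INET6_ADDRSTRLEN];
	size_t addrlen = afi_addrlen(afi);
	int af = afi == AFI_IPV4 ? AF_INET : AF_INET6;

	if (addrlen == 0)
		return -1;
	if (rfc3779_expand(minbits, minnbits, addrlen, 0, min) == -1)
		return -1;
	if (rfc3779_expand(maxbits, maxnbits, addrlen, 1, max) == -1)
		return -1;
	/* RFC 3779 requires min <= max; a reversed range is malformed. */
	if (memcmp(min, max, addrlen) > 0)
		return -1;
	if (inet_ntop(af, min, minstr, sizeof(minstr)) == NULL ||
	    inet_ntop(af, max, maxstr, sizeof(maxstr)) == NULL)
		return -1;
	if (snprintf(buf, buflen, "%s-%s", minstr, maxstr) >= (int)buflen)
		return -1;
	return 0;
}

/* Same, returning a pointer to a static buffer (not reentrant) or NULL. */
static const char *
rfc3779_range_text(int afi, const uint8_t *minbits, size_t minnbits,
    const uint8_t *maxbits, size_t maxnbits)
{
	static char buf[2 * INET6_ADDRSTRLEN + 2];

	if (rfc3779_range_str(afi, minbits, minnbits, maxbits, maxnbits,
	    buf, sizeof(buf)) == -1)
		return NULL;
	return buf;
}

int
main(void)
{
	/* Constructed sample: 192.0.2.0-192.0.2.127 as RFC 3779 encodes it.
	 * max is 25 bits, c0 00 02 plus a single 0 bit, the trailing ones
	 * having been dropped; fed to inet_pton() as-is it reads 192.0.2.0. */
	const uint8_t min[] = { 0xc0, 0x00, 0x02 };
	const uint8_t max[] = { 0xc0, 0x00, 0x02, 0x00 };
	const char *s = rfc3779_range_text(AFI_IPV4, min, 24, max, 25);

	printf("%s\n", s != NULL ? s : "malformed range");
	return 0;
}
```

The min > max test matters in a validator: a reversed range would otherwise pass silently through the containment checks done on the expanded addresses.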
#
1.68 |
|
19-Oct-2023 |
job |
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paves the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.67 |
|
25-Sep-2023 |
job |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducible way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefore the version check triggers there. Joint work with job@. OK job@, tb@
|
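The 1.52 message above adds the UUID syntax check with the version and variant test switched off, and 1.54 further up turns the version 4 requirement on. The following is an added example, not rpki-client's code, of such a check: it takes the session_id as a (pointer, length) pair, because an XML attribute value need not be NUL terminated, and a 'strict' flag models the two stages described in the commits. The enum names, the flag and the sample session_id values are this example's own.

```c
/*
 * Added example, not rpki-client code: validate an RRDP session_id as an
 * RFC 4122 UUID. Layout is 8-4-4-4-12 hex digits separated by '-'. The
 * version is the first nibble of the third group (offset 14); variant 1,
 * the RFC 4122 variant, means the first nibble of the fourth group
 * (offset 19) has its top two bits set to 10, i.e. it is 8, 9, a or b.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UUID_LEN 36

enum uuid_status {
	UUID_OK = 0,
	UUID_BAD_SYNTAX,	/* wrong length, separators or non-hex digit */
	UUID_BAD_VERSION,	/* version nibble is not 4 */
	UUID_BAD_VARIANT	/* variant bits are not 10xx */
};

/* Value of a hex digit, or -1 if 'c' is not one. */
static int
hexval(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Check the 'len' bytes at 's' (not required to be NUL terminated).
 * With strict == 0 only the textual form is checked, which is the state
 * of 1.52; with strict != 0 the version must be 4 and the variant must
 * be 1, which is what RFC 8182 asks for and what 1.54 enforces.
 */
static enum uuid_status
valid_uuid(const char *s, size_t len, int strict)
{
	size_t i;

	if (len != UUID_LEN)
		return UUID_BAD_SYNTAX;
	for (i = 0; i < len; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return UUID_BAD_SYNTAX;
		} else if (hexval((unsigned char)s[i]) == -1)
			return UUID_BAD_SYNTAX;
	}
	if (!strict)
		return UUID_OK;
	if (s[14] != '4')
		return UUID_BAD_VERSION;
	/* Variant 1: the nibble's top two bits are 10, so nibble & 0xc == 0x8. */
	if ((hexval((unsigned char)s[19]) & 0xc) != 0x8)
		return UUID_BAD_VARIANT;
	return UUID_OK;
}

int
main(void)
{
	/* Constructed session_id values; the second is "all random", i.e. it
	 * has no version 4 nibble, and only passes with strict == 0. */
	const char *good = "f3c6e6f0-1f5a-4d7b-9b2e-0c9f1a2b3c4d";
	const char *allrandom = "f3c6e6f0-1f5a-2d7b-3b2e-0c9f1a2b3c4d";

	printf("%s strict=%d\n", good, valid_uuid(good, strlen(good), 1));
	printf("%s strict=%d lax=%d\n", allrandom,
	    valid_uuid(allrandom, strlen(allrandom), 1),
	    valid_uuid(allrandom, strlen(allrandom), 0));
	return 0;
}
```

Returning a distinct status for a bad version versus a bad variant is what lets a validator log precisely which CA is out of spec, rather than reporting a generic "invalid session_id".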
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
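The 1.46 message above is about the order of two checks on a URI that is not NUL terminated: the length has to be verified before strncasecmp() touches the buffer, and as a side effect a bare "rsync://" or "https://" without a host falls out. The following is an added example, not rpki-client's code, that performs the check on a (pointer, length) pair; the maximum length constant, the printable-ASCII rule and the sample URIs are this example's assumptions.

```c
/*
 * Added example, not rpki-client code: scheme and host check for a URI
 * that is not NUL terminated, the form in which an XML or ASN.1 parser
 * hands it over. The length test comes before strncasecmp(), so the
 * comparison never reads past the 'len' bytes we own, and requiring at
 * least one byte after the scheme rejects "rsync://" and "https://"
 * outright because they carry no host.
 */
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Assumed upper bound on a URI; rpki-client's own limit is not given here. */
#define MAX_URI_LENGTH 2048

/*
 * Return 1 if the 'len' bytes at 'uri' start with 'proto' (compared
 * case-insensitively, e.g. "rsync://"), continue with a non-empty host,
 * and contain only printable ASCII; 0 otherwise.
 */
static int
valid_uri(const char *uri, size_t len, const char *proto)
{
	size_t protolen = strlen(proto);
	size_t i;

	if (len > MAX_URI_LENGTH)
		return 0;
	/* Need the whole scheme plus at least one byte of host. Without
	 * this, strncasecmp() on a short, unterminated buffer overreads. */
	if (len <= protolen)
		return 0;
	if (strncasecmp(uri, proto, protolen) != 0)
		return 0;
	/* A '/' right after "://" means the authority (host) is empty. */
	if (uri[protolen] == '/')
		return 0;
	/* Printable ASCII only. This also rejects an embedded NUL, which
	 * would silently truncate the URI once it is copied into a C string. */
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)uri[i];

		if (c < 0x21 || c > 0x7e)
			return 0;
	}
	return 1;
}

int
main(void)
{
	/* Constructed inputs: a proper URI, a scheme-only one, and one with
	 * an embedded NUL that strlen() would hide. */
	const char ok[] = "rsync://example.net/repo/";
	const char noh[] = "rsync://";
	const char nul[] = "rsync://ho\0st/x";

	return valid_uri(ok, sizeof(ok) - 1, "rsync://") == 1 &&
	    valid_uri(noh, sizeof(noh) - 1, "rsync://") == 0 &&
	    valid_uri(nul, sizeof(nul) - 1, "rsync://") == 0 ? 0 : 1;
}
```

Note that the byte count, not strlen(), drives every test: the same function is safe to call on a slice of a larger buffer and cannot be fooled by a NUL placed after the scheme.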
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() to return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the character set for filenames on Manifests
feedback from benno@
OK claudio@
|
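Two entries on this page concern file names from untrusted objects: 1.17 above restricts the character set of manifest entries, and 1.32 further up factors the POSIX portable filename check into valid_filename() and notes that an embedded NUL must not be allowed to truncate the name in a later strndup(). The following is an added example, not rpki-client's code, of both checks working on a (pointer, length) pair; the list of accepted extensions and the sample names are this example's assumptions, not the project's.

```c
/*
 * Added example, not rpki-client code: filename checks of the kind the
 * 1.17 and 1.32 commits describe. valid_filename() accepts only the POSIX
 * portable filename character set (A-Z, a-z, 0-9, '.', '_', '-'), which
 * excludes path separators and whitespace, and rejects "", "." and "..".
 * It takes a length rather than relying on a NUL terminator, so a name
 * with an embedded NUL is rejected instead of silently truncated.
 * valid_mft_filename() additionally demands "<base>.<ext>" with a
 * non-empty base and an extension from an assumed list of object types.
 */
#include <stddef.h>
#include <string.h>

/* Assumed set of RPKI object file extensions (lowercase, exact match). */
static const char *const mft_exts[] = {
	"cer", "crl", "mft", "roa", "gbr", "asa"
};

static int
portable_char(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* 1 if the 'len' bytes at 'fn' form a POSIX portable filename, else 0. */
static int
valid_filename(const char *fn, size_t len)
{
	size_t i;

	if (len == 0)
		return 0;
	if (len == 1 && fn[0] == '.')
		return 0;
	if (len == 2 && fn[0] == '.' && fn[1] == '.')
		return 0;
	for (i = 0; i < len; i++)
		if (!portable_char((unsigned char)fn[i]))
			return 0;	/* rejects '/', NUL, space, non-ASCII */
	return 1;
}

/*
 * Manifest entries: a portable name whose last '.' separates a non-empty
 * base from a known extension. Returns 1 if acceptable, else 0.
 */
static int
valid_mft_filename(const char *fn, size_t len)
{
	size_t i, dotpos = len, extlen;

	if (!valid_filename(fn, len))
		return 0;
	for (i = 0; i < len; i++)
		if (fn[i] == '.')
			dotpos = i;
	if (dotpos == len || dotpos == 0)
		return 0;	/* no extension, or nothing before the dot */
	extlen = len - dotpos - 1;
	for (i = 0; i < sizeof(mft_exts) / sizeof(mft_exts[0]); i++)
		if (strlen(mft_exts[i]) == extlen &&
		    memcmp(fn + dotpos + 1, mft_exts[i], extlen) == 0)
			return 1;
	return 0;
}

int
main(void)
{
	/* Constructed manifest entries: a good one, a traversal attempt and
	 * a name with an embedded NUL whose strlen() would be just 5. */
	const char good[] = "abc.roa";
	const char trav[] = "../abc.cer";
	const char nul[] = "x.cer\0.roa";

	return valid_mft_filename(good, sizeof(good) - 1) == 1 &&
	    valid_mft_filename(trav, sizeof(trav) - 1) == 0 &&
	    valid_mft_filename(nul, sizeof(nul) - 1) == 0 ? 0 : 1;
}
```

Because every manifest entry ends up as a path component under the local cache directory, the character set check is what keeps a hostile repository from naming an entry "../../etc/passwd.cer" or smuggling a separator in after a NUL.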
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.70 |
|
07-Jan-2024 |
tb |
rpki-client: print revocation time in filemode
If a certificate was revoked, extract the revocation timestamp and update the warning message in filemode to include it.
ok job
|
#
1.69 |
|
27-Dec-2023 |
tb |
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job
|
#
1.68 |
|
19-Oct-2023 |
job |
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paving the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.67 |
|
25-Sep-2023 |
job |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducable way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefor the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.69 |
|
27-Dec-2023 |
tb |
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job
|
#
1.68 |
|
19-Oct-2023 |
job |
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering similar security. Adding support for P-256 now allows CA developers to test their implementations, and paves the way for signers in the production environment in the future to take advantage of ECDSA.
OK tb@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.67 |
|
25-Sep-2023 |
job |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducible way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefore the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() to return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.67 |
|
25-Sep-2023 |
job |
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducible way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
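An added example of the key profile check described in 1.55, written for this page and not taken from rpki-client (which works on libcrypto's parsed key objects rather than raw DER): a small DER walker over the RSAPublicKey structure that accepts only a 2048-bit modulus with public exponent 65537 and rejects non-canonical DER on the way. It assumes the RSAPublicKey has already been unwrapped from the SubjectPublicKeyInfo; check_synthetic_key() and the filler modulus it builds exist only to exercise the check and are not real key material.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not rpki-client's code: a minimal DER walker for
 *   RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
 * enforcing 2048-bit modulus and e = 65537.  check_synthetic_key() builds
 * constructed filler, not a real key, purely to exercise the check.
 */

/* Parse one DER TLV with the expected tag; reject non-DER length forms. */
static int
der_tlv(const unsigned char *p, size_t len, unsigned char tag,
    const unsigned char **val, size_t *vlen, size_t *used)
{
	size_t hdr = 2, l, nb, i;

	if (len < 2 || p[0] != tag)
		return 0;
	if (p[1] < 0x80) {
		l = p[1];
	} else {
		nb = p[1] & 0x7f;
		if (nb == 0 || nb > sizeof(size_t) || len - 2 < nb)
			return 0;
		for (l = 0, i = 0; i < nb; i++)
			l = (l << 8) | p[2 + i];
		if (l < 0x80)
			return 0;	/* long form for a short length: not DER */
		hdr += nb;
	}
	if (len - hdr < l)
		return 0;	/* truncated */
	*val = p + hdr;
	*vlen = l;
	*used = hdr + l;
	return 1;
}

/* Bit length of a positive, minimally encoded DER INTEGER body. */
static int
der_uint_bits(const unsigned char *v, size_t vlen, size_t *bits)
{
	size_t i = (vlen > 1 && v[0] == 0), b;
	unsigned char c;

	if (vlen == 0 || (v[0] & 0x80) || (i && !(v[1] & 0x80)))
		return 0;	/* empty, negative, or redundant leading zero */
	for (b = (vlen - i) * 8, c = v[i]; c != 0 && !(c & 0x80); c <<= 1)
		b--;
	*bits = v[i] == 0 ? 0 : b;
	return 1;
}

/* 1 if der[0..len) is an RSAPublicKey with a 2048-bit n and e = 0x10001. */
int
rsa_key_conforms(const unsigned char *der, size_t len)
{
	const unsigned char *body, *n, *e;
	size_t blen, nlen, elen, used, nbits, ebits, i;
	uint64_t ev = 0;

	if (!der_tlv(der, len, 0x30, &body, &blen, &used) || used != len)
		return 0;	/* not a SEQUENCE, or trailing bytes */
	if (!der_tlv(body, blen, 0x02, &n, &nlen, &used))
		return 0;
	if (!der_tlv(body + used, blen - used, 0x02, &e, &elen, &i) ||
	    used + i != blen)
		return 0;	/* exponent missing, or extra elements */
	if (!der_uint_bits(n, nlen, &nbits) || nbits != 2048)
		return 0;
	if (!der_uint_bits(e, elen, &ebits) || ebits > 32)
		return 0;
	for (i = 0; i < elen; i++)
		ev = (ev << 8) | e[i];
	return ev == 0x10001;
}

/*
 * Build a constructed RSAPublicKey (mod_bytes >= 256 filler octets starting
 * with `top`, exponent bytes e[0..elen)), drop `trim` trailing bytes and
 * run the check.  Returns -1 when the input is outside what it supports.
 */
int
check_synthetic_key(size_t mod_bytes, unsigned char top,
    const unsigned char *e, size_t elen, size_t trim)
{
	unsigned char k[1200];
	size_t nlen = mod_bytes + ((top & 0x80) ? 1 : 0),
	    inner = 4 + nlen + 2 + elen, o = 0, i;

	if (mod_bytes < 256 || elen == 0 || elen > 4 || 4 + inner > sizeof(k))
		return -1;
	k[o++] = 0x30; k[o++] = 0x82;	/* SEQUENCE, two-byte length */
	k[o++] = (unsigned char)(inner >> 8); k[o++] = (unsigned char)inner;
	k[o++] = 0x02; k[o++] = 0x82;	/* INTEGER modulus */
	k[o++] = (unsigned char)(nlen >> 8); k[o++] = (unsigned char)nlen;
	if (top & 0x80)
		k[o++] = 0x00;	/* keep the INTEGER positive */
	k[o++] = top;
	for (i = 1; i < mod_bytes; i++)
		k[o++] = (unsigned char)(0xA5 ^ i);	/* filler, not a key */
	k[o++] = 0x02; k[o++] = (unsigned char)elen;	/* INTEGER exponent */
	memcpy(k + o, e, elen);
	o += elen;
	return trim > o ? -1 : rsa_key_conforms(k, o - trim);
}
```

The bit-length test is deliberately exact: a modulus whose top octet leaves the high bits clear is 2046 or 2047 bits and is rejected, as is a 3072-bit key, a small exponent such as 3, and an exponent encoded with a redundant leading zero octet.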
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefore the version check triggers there. Joint work with job@. OK job@, tb@
|
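The session_id rule described in 1.54 and 1.52, as an added C example that is not rpki-client's own code: a syntax check for the 8-4-4-4-12 textual UUID form, and a separate test of the version nibble and variant bits that can be switched off, since the commit message notes the stricter check had to be disabled for at least one CA. The sample identifiers in main() are constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not rpki-client's own code: validate an RRDP session_id
 * as a textual RFC 4122 UUID and, when asked, as the version 4 / variant 1
 * form that RFC 8182 calls for.  check_version mirrors the fact that the
 * stricter test had to be switchable.
 */

/* 36 characters: 8-4-4-4-12 hex groups separated by '-'. */
int
valid_uuid_syntax(const char *s)
{
	size_t i;

	if (strlen(s) != 36)
		return 0;
	for (i = 0; i < 36; i++) {
		if (i == 8 || i == 13 || i == 18 || i == 23) {
			if (s[i] != '-')
				return 0;
		} else if (!isxdigit((unsigned char)s[i]))
			return 0;
	}
	return 1;
}

/*
 * RFC 4122 layout: the version nibble is the first hex digit of the third
 * group (s[14]); the variant is the top bits of the fourth group (s[19]).
 * Variant 1 is binary 10xx, so that digit must be 8, 9, a or b.
 */
int
valid_uuid_v4(const char *s, int check_version)
{
	if (!valid_uuid_syntax(s))
		return 0;
	if (!check_version)
		return 1;	/* syntax only, the relaxed mode */
	if (s[14] != '4')
		return 0;
	switch (tolower((unsigned char)s[19])) {
	case '8': case '9': case 'a': case 'b':
		return 1;
	default:
		return 0;
	}
}

int
main(void)
{
	/* Constructed sample IDs, not taken from any real repository. */
	const char *ids[] = {
		"9df4b597-af9e-4dca-bdda-3097b2b5f8b2",	/* valid v4 */
		"9df4b597-af9e-1dca-bdda-3097b2b5f8b2",	/* version 1 */
		"9df4b597-af9e-4dca-7dda-3097b2b5f8b2",	/* wrong variant */
		"9df4b597af9e4dcabdda3097b2b5f8b2",	/* no hyphens */
	};
	size_t i;

	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		printf("%s syntax=%d v4=%d\n", ids[i],
		    valid_uuid_syntax(ids[i]), valid_uuid_v4(ids[i], 1));
	return 0;
}
```

Hex digits are accepted in either case; only the version digit is compared exactly, because '4' has no case.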
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't double-check whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() to return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
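An added C example, not rpki-client's valid_uri(), showing the two checks discussed in 1.46 and 1.20 above: a URI validator that bounds every access by the caller's length, does the length test before strncasecmp() and therefore rejects a bare scheme such as "rsync://" or an empty authority, and a same-host comparison for RRDP snapshot and delta URLs against the notification file's URL. The length limit, the printable-ASCII character set and the dot-segment rule are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/*
 * Added illustration, not rpki-client's own valid_uri(): a URI check that
 * never reads past the caller's length and rejects a bare scheme with an
 * empty authority, plus a same-host test for RRDP snapshot and delta URLs.
 * The limit and the accepted character set are assumptions for the example.
 */
#define MAX_URI_LENGTH 2048

/* Locate the authority ("host" or "host:port") after "scheme://". */
static int
uri_authority(const char *uri, size_t usz, const char **auth, size_t *alen)
{
	const char *a;
	size_t i, n = 0;

	for (i = 0; i + 2 < usz; i++)
		if (uri[i] == ':' && uri[i + 1] == '/' && uri[i + 2] == '/')
			break;
	if (i + 2 >= usz)
		return 0;	/* no "://" at all */
	a = uri + i + 3;
	while (i + 3 + n < usz && a[n] != '/')
		n++;
	*auth = a;
	*alen = n;
	return n > 0;		/* "rsync://" and "rsync:///x" have none */
}

/*
 * Return 1 if uri[0..usz) is acceptable and carries the scheme proto
 * (matched case-insensitively).  uri need not be NUL-terminated: every
 * access is bounded by usz, and the length test comes before
 * strncasecmp() so the comparison cannot run off the end.
 */
int
valid_uri(const char *uri, size_t usz, const char *proto)
{
	const char *auth;
	size_t plen = strlen(proto), alen, i;

	if (usz == 0 || usz > MAX_URI_LENGTH)
		return 0;
	if (usz <= plen || strncasecmp(uri, proto, plen) != 0)
		return 0;	/* too short for any host, or wrong scheme */
	for (i = 0; i < usz; i++)
		if (!isgraph((unsigned char)uri[i]))
			return 0;	/* NUL, space, control or 8-bit byte */
	if (!uri_authority(uri, usz, &auth, &alen))
		return 0;
	for (i = plen; i + 1 < usz; i++)
		if (uri[i] == '/' && uri[i + 1] == '.')
			return 0;	/* "/./", "/../" and dot-files */
	return 1;
}

/* RRDP: a snapshot or delta must live on the notification file's host. */
int
same_host(const char *a, size_t asz, const char *b, size_t bsz)
{
	const char *ha, *hb;
	size_t la, lb;

	if (!uri_authority(a, asz, &ha, &la) || !uri_authority(b, bsz, &hb, &lb))
		return 0;
	return la == lb && strncasecmp(ha, hb, la) == 0;
}
```

same_host() compares the whole authority, so a different port counts as a different host, and a hostname that merely contains the expected one as a path component or suffix does not match.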
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
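The two filename rules from 1.32 and 1.17 above, as an added C example that is not rpki-client's own valid_filename() or valid_mft_filename(): the POSIX portable character set with an explicit length, so an embedded NUL is rejected rather than silently truncating the name, and the manifest-entry rule that the name must end in a known object extension. The length limit and the extension list are assumptions for this illustration; the names in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not rpki-client's own code: the POSIX portable
 * filename check and the stricter manifest-entry rule.  The length limit
 * and the extension list are assumptions made for this example.
 */
#define MAX_FILENAME_LEN 255

/*
 * Portable filename character set [A-Za-z0-9._-], no leading '-', and
 * not "." or "..".  The explicit length means an embedded NUL is seen
 * and rejected instead of truncating the name in a later strndup().
 */
int
valid_filename(const char *fn, size_t len)
{
	size_t i;

	if (len == 0 || len > MAX_FILENAME_LEN || fn[0] == '-')
		return 0;
	if (len <= 2 && memcmp(fn, "..", len) == 0)
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)fn[i];

		if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
		    (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
			return 0;	/* '/', NUL, space, 8-bit bytes, ... */
	}
	return 1;
}

/* Manifest entry: portable name, non-empty base, known lowercase extension. */
int
valid_mft_filename(const char *fn, size_t len)
{
	static const char *const exts[] =
	    { ".cer", ".crl", ".roa", ".gbr", ".asa" };	/* assumed list */
	size_t i, elen;

	if (!valid_filename(fn, len))
		return 0;
	for (i = 0; i < sizeof(exts) / sizeof(exts[0]); i++) {
		elen = strlen(exts[i]);
		if (len > elen && memcmp(fn + len - elen, exts[i], elen) == 0)
			return 1;
	}
	return 0;
}

int
main(void)
{
	/* Constructed names; the third one contains an embedded NUL. */
	const char *names[] = { "8f1e.roa", "-rf", "evil\0.cer", "notes.txt" };
	const size_t lens[] = { 8, 3, 9, 9 };
	size_t i;

	for (i = 0; i < 4; i++)
		printf("%-12s portable=%d mft=%d\n", names[i],
		    valid_filename(names[i], lens[i]),
		    valid_mft_filename(names[i], lens[i]));
	return 0;
}
```

Because the character set excludes '/', a path separator can never slip through either check, and the manifest variant additionally refuses an entry whose whole name is just an extension.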
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
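The AS number path rule from 1.39 and 1.9 above, as an added C example that is not rpki-client's code: the issuer chain is walked only across certificates that inherit their AS resources, the first certificate with explicit ranges must cover the claimed range by itself, and a certificate with no AS extension at all fails the path outright. The struct layout and the sample chain are invented for this illustration; the AS numbers come from the documentation ranges of RFC 5398.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not rpki-client's code: the AS number path check.  A
 * certificate carries explicit AS ranges, inherits its AS resources from
 * the issuer, or has no AS extension.  Struct names and the sample chain
 * are invented; the AS numbers are RFC 5398 documentation values.
 */
struct as_range { uint32_t min, max; };

enum as_kind { AS_NONE, AS_INHERIT, AS_RANGES };

struct cert {
	const char		*name;
	enum as_kind		 kind;
	const struct as_range	*as;
	size_t			 asz;
	const struct cert	*issuer;	/* NULL for the trust anchor */
};

/* Is [min,max] inside one of c's own ranges? */
static int
as_covered(const struct cert *c, uint32_t min, uint32_t max)
{
	size_t i;

	for (i = 0; i < c->asz; i++)
		if (c->as[i].min <= min && max <= c->as[i].max)
			return 1;
	return 0;
}

/*
 * Walk up from the issuer only across inherit certificates.  The first
 * certificate with explicit ranges must cover [min,max] by itself; there
 * is no bubbling further up.  A certificate without an AS extension fails
 * the path (RFC 3779, section 3.3).
 */
int
valid_as(const struct cert *issuer, uint32_t min, uint32_t max)
{
	const struct cert *c;

	for (c = issuer; c != NULL; c = c->issuer) {
		if (c->kind == AS_NONE)
			return 0;
		if (c->kind == AS_RANGES)
			return as_covered(c, min, max);
		/* AS_INHERIT: the resources live further up */
	}
	return 0;	/* ran off the chain without finding any resources */
}

/* Every AS range a certificate claims must pass valid_as() on its issuer. */
int
valid_cert_as(const struct cert *cert)
{
	size_t i;

	if (cert->kind != AS_RANGES)
		return 1;	/* nothing claimed here, nothing to check */
	for (i = 0; i < cert->asz; i++)
		if (!valid_as(cert->issuer, cert->as[i].min, cert->as[i].max))
			return 0;
	return 1;
}

/* Constructed chain: ta -> ca1 (explicit) -> ca2 (inherit) -> EEs,
 * and ta -> ca3 (no AS extension) -> ee3. */
static const struct as_range ta_as[] = { { 64496, 64511 }, { 65536, 65551 } };
static const struct as_range ca1_as[] = { { 64496, 64500 } };
static const struct as_range ee_ok_as[] = { { 64497, 64498 } };
static const struct as_range ee_bad_as[] = { { 64505, 64505 } };
static const struct as_range ee3_as[] = { { 64496, 64496 } };

const struct cert ta     = { "ta",     AS_RANGES,  ta_as,     2, NULL };
const struct cert ca1    = { "ca1",    AS_RANGES,  ca1_as,    1, &ta };
const struct cert ca2    = { "ca2",    AS_INHERIT, NULL,      0, &ca1 };
const struct cert ca3    = { "ca3",    AS_NONE,    NULL,      0, &ta };
const struct cert ee_ok  = { "ee_ok",  AS_RANGES,  ee_ok_as,  1, &ca2 };
const struct cert ee_bad = { "ee_bad", AS_RANGES,  ee_bad_as, 1, &ca2 };
const struct cert ee3    = { "ee3",    AS_RANGES,  ee3_as,    1, &ca3 };

int
main(void)
{
	const struct cert *certs[] = { &ca1, &ca2, &ee_ok, &ee_bad, &ee3 };
	size_t i;

	for (i = 0; i < sizeof(certs) / sizeof(certs[0]); i++)
		printf("%-7s AS resources %s\n", certs[i]->name,
		    valid_cert_as(certs[i]) ? "valid" : "INVALID");
	return 0;
}
```

ee_bad shows the point of 1.9: AS 64505 is inside the trust anchor's range, but ca1, the first non-inheriting issuer, only holds 64496 to 64500, so the claim fails instead of being rescued further up the chain.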
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.66 |
|
29-Jun-2023 |
tb |
Retire log.c
Convert all cryptowarnx() and cryptoerrx() to appropriate versions of warn() and err{,x}(). Neither users nor developers benefit from them. If we need better errors, we need to do some thinking. libcrypto won't do that for us.
suggested by claudio ok job
|
#
1.65 |
|
07-Jun-2023 |
tb |
Cosmetic tweak for previous
Once we expect ASPA version 1 and someone sends us version 0, make that explicit instead of complaining about ASN1_INTEGER_get_uint64() failing.
ok job
|
#
1.64 |
|
07-Jun-2023 |
job |
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions.
OK tb@
|
#
1.63 |
|
30-May-2023 |
claudio |
Revert commitid ANSBO0rBvIUtTi45: Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time. OK beck@ job@ tb@
|
#
1.62 |
|
23-May-2023 |
tb |
Convert ASN1_INTEGER_get() to ASN1_INTEGER_get_uint64()
The former is broken by design and should not be used. The latter allows for unambiguous error checking. Add a few casts to print uint64_t without the PRIu64 monstrosity.
ok claudio
|
#
1.61 |
|
11-May-2023 |
claudio |
In valid_cert() also skip the check for CERT_IP_INHERIT objects like it is done for CERT_AS_INHERIT.
Without this inheritance of IP address resources does not work. Problem noticed by Ties de Kock (tdekock (at) ripe.net)
OK job@ tb@ benno@
|
#
1.60 |
|
09-May-2023 |
tb |
rpki-client: use partial chains in certificate validation
The generally rather poor quality RFC 3779 code in libcrypto also performs abysmally. Flame graphs show that nearly 20% of the parser process is spent in addr_contains() alone. There is room for improvement in addr_contains() itself - the containment check for prefixes could be optimized quite a bit. We can avoid a lot of the most expensive work for certificates with tons of resources close to the TA by using the verifier's partial chains flag.
More precisely, in the tree of already validated certs look for the first one that has no inherited RFC 3779 resources and use that as 'trust anchor' for our chains via the X509_V_FLAG_PARTIAL_CHAIN flag. This way we can be sure that a leaf's delegated resources are properly covered and at the same time significantly shorten most paths validated.
Job's and my testing indicates that this avoids 30-50% of overhead and works equally well with LibreSSL and OpenSSL >= 1.1. The main bottlenecks in the parser process now appear to be SHA-2 and RSA/BIGNUM, two well-known pain points in libcrypto.
This is based on a hint by beck and was discussed extensively with beck, claudio and job during and after m2k23.
ok claudio job
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducable way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
branches: 1.55.4; Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefor the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
branches: 1.45.2; Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.59 |
|
27-Apr-2023 |
beck |
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
#
1.58 |
|
26-Apr-2023 |
beck |
Add a -P option to rpki-client to specify the evaluation time
This is intended to be able to test rpki-client in a reproducible way without worrying about the system time changing the results
ok claudio@
|
#
1.57 |
|
14-Apr-2023 |
tb |
A tab snuck in
|
#
1.56 |
|
13-Apr-2023 |
job |
Check whether products listed on a manifest were issued by the same authority as the manifest itself
OK tb@
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.55 |
|
06-Mar-2023 |
job |
Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefore the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part of ROA and RSC parsing; that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows removing the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before, the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.55 |
|
06-Mar-2023 |
job |
Add check for RSA key pair modulus & public exponent
Both the SPKI inside a CA's .cer TBS section and Signers wrapped in CMS must be RSA, with mod 2048 & (e) 0x10001
OK tb@
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefor the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa(); also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() to return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
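The AS path rule described here and in 1.39 (a certificate without an AS numbers extension fails the chain; a range not covered by the nearest explicit issuer fails instead of bubbling further up), as an added example that is not rpki-client's own code: the structs, function names, sample chain and AS numbers are all constructed.

```c
/*
 * Added example, not rpki-client's own code: AS number path validation
 * along the lines of RFC 3779, section 3.3. The struct names, the
 * sample chain and the AS numbers are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct as_range {
	uint32_t min;
	uint32_t max;
};

/* The AS Identifiers extension of one certificate. */
struct as_ext {
	int present;			/* extension present at all */
	int inherit;			/* "inherit" marker instead of ranges */
	const struct as_range *ranges;	/* explicit ranges when !inherit */
	size_t nranges;
};

/* One link of a chain whose issuers were already validated; TA has none. */
struct chain_cert {
	struct as_ext as;
	const struct chain_cert *issuer;
};

/*
 * Nearest certificate at or above c carrying explicit AS ranges. "inherit"
 * is the only reason to walk upwards; a certificate without the extension
 * invalidates the chain, so NULL is returned for it.
 */
static const struct chain_cert *
as_explicit_ancestor(const struct chain_cert *c)
{
	for (; c != NULL; c = c->issuer) {
		if (!c->as.present)
			return NULL;
		if (!c->as.inherit)
			return c;
	}
	return NULL;
}

/* Is [min, max] entirely inside one of the ranges of c? */
static int
as_ext_covers(const struct chain_cert *c, uint32_t min, uint32_t max)
{
	size_t i;

	for (i = 0; i < c->as.nranges; i++)
		if (c->as.ranges[i].min <= min && max <= c->as.ranges[i].max)
			return 1;
	return 0;
}

/*
 * Every AS range of c must be covered by the nearest explicit ancestor. If
 * that ancestor does not cover it, the check fails instead of trying
 * certificates further up the chain.
 */
int
valid_as_chain(const struct chain_cert *c)
{
	const struct chain_cert *anc;
	size_t i;

	if (!c->as.present)
		return 0;
	if (c->issuer == NULL)	/* trust anchor: explicit ranges only */
		return !c->as.inherit && c->as.nranges > 0;
	if (c->as.inherit)
		return as_explicit_ancestor(c->issuer) != NULL;
	if ((anc = as_explicit_ancestor(c->issuer)) == NULL)
		return 0;
	for (i = 0; i < c->as.nranges; i++)
		if (!as_ext_covers(anc, c->as.ranges[i].min, c->as.ranges[i].max))
			return 0;
	return 1;
}

/* Constructed sample chain using AS numbers from the documentation range. */
static const struct as_range ta_ranges[] = { { 64496, 64511 }, { 65536, 65551 } };
static const struct as_range ca_ranges[] = { { 64496, 64500 } };
static const struct as_range ok_ranges[] = { { 64498, 64499 } };
static const struct as_range bad_ranges[] = { { 64500, 64505 } };

const struct chain_cert ta = { { 1, 0, ta_ranges, 2 }, NULL };
const struct chain_cert ca_explicit = { { 1, 0, ca_ranges, 1 }, &ta };
const struct chain_cert ca_inherit = { { 1, 1, NULL, 0 }, &ca_explicit };
const struct chain_cert ca_missing = { { 0, 0, NULL, 0 }, &ta };
const struct chain_cert ee_ok = { { 1, 0, ok_ranges, 1 }, &ca_inherit };
const struct chain_cert ee_uncovered = { { 1, 0, bad_ranges, 1 }, &ca_inherit };
const struct chain_cert ee_no_ext = { { 1, 0, ok_ranges, 1 }, &ca_missing };

int
main(void)
{
	printf("ee-ok %d, ee-uncovered %d, ee-under-missing %d\n",
	    valid_as_chain(&ee_ok), valid_as_chain(&ee_uncovered),
	    valid_as_chain(&ee_no_ext));
	return 0;
}
```

ee_uncovered is rejected even though the trust anchor's 64496-64511 would cover it, because only the nearest explicit issuer (64496-64500) is consulted.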
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.54 |
|
18-Jan-2023 |
job |
Require version 4 UUIDs as RRDP session IDs
OK tb@
|
#
1.53 |
|
18-Jan-2023 |
tb |
rpki-client: explicitly enable policy checks
In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly.
ok beck
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefore the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of suppressing the warning in valid_x509. This way manifests can show a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.52 |
|
04-Jan-2023 |
claudio |
Validate the session_id to be a real UUID.
RFC 8182 requires the session_id to be a version 4 random UUID (using variant 1). Now checking the version and variant is currently disabled because there is at least one CA with a session_id that is all random and therefor the version check triggers there. Joint work with job@. OK job@, tb@
|
#
1.51 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.50 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.49 |
|
29-Nov-2022 |
claudio |
Update valid_x509 comment to reality. crl is no longer optional. OK tb@
|
#
1.48 |
|
29-Nov-2022 |
claudio |
Return an error string instead of surpressing the warning in valid_x509. This way manifests can should a better error message when something fails. With and OK tb@
|
#
1.47 |
|
26-Nov-2022 |
job |
Add support for authenticating geofeed data CSV files in filemode
RFC 9092 describes a scheme in which an authenticator is appended to a geofeed (RFC 8805) file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The authenticator is a detached CMS signature.
with and OK tb@
|
#
1.46 |
|
02-Nov-2022 |
tb |
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section.
ok claudio
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.45 |
|
03-Sep-2022 |
job |
Don't doublecheck whether the RSC eContent Resourceblock contains inherit elements
The RSC ASN.1 templates make it impossible to pass an RFC3779-style inherit option because of the use of ConstrainedIPAddressFamily and ConstrainedASIdentifiers.
OK tb@
|
#
1.44 |
|
03-Sep-2022 |
job |
Introduce x509_any_inherit() for objects which may not have inherit elements
Unify conformance checking of Trust Anchors, ROAs, ASPAs, RSCs - none of which may have any 'inherit' elements in the RFC 3779 IP/AS Resources extension of the X509 certificate.
OK tb@
|
#
1.43 |
|
03-Sep-2022 |
tb |
Move non-inheritance check for BGPsec certs into cert_parse_pre()
ok claudio job (as part of a larger diff)
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.42 |
|
30-Aug-2022 |
job |
Add support for ASPA objects (draft-ietf-sidrops-aspa-profile-10)
ASPA objects are published in the RPKI and can be used to detect and mitigate BGP route leaks. Validated ASPA Payloads are visible through filemode (-f) and the JSON output format (-j).
With feedback from tb@
OK claudio@ tb@
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.41 |
|
19-Aug-2022 |
tb |
Check the resources in ROAs and RSCs against EE certs
The resources delegated in the RFC 3779 extensions of the EE cert for ROAs or RSCs can be a subset of the resources in the auth chain. So far we compared that the resources of ROAs and RSCs are covered by the auth chain, which is not entirely correct. Extract the necessary data from the EE cert into rpki-client's own data structures, then verify that the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.40 |
|
10-Jun-2022 |
tb |
Dedup econtent version checks
Since the ASN.1 template conversions, we have three copies of mostly dead code that validates that the econtent version is at its default value 0. Until a new standard bumps this version and we decide to support that, we're better off with only one copy of this code.
ok claudio
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the character set for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.39 |
|
07-Jun-2022 |
tb |
Fix path validation of AS numbers
If a certificate along the chain does not have an AS numbers extension, this is a failure condition according to RFC 3779, section 3.3.
ok job
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes incomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is different enough from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows removing the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the cached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.38 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
#
1.37 |
|
15-May-2022 |
tb |
Remove misplaced continue
ok job
|
#
1.36 |
|
15-May-2022 |
deraadt |
whitespace spotted during read-thru
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.35 |
|
12-May-2022 |
tb |
Remove verify callback
It is no longer possible to build rpki-client with LibreSSL < 3.5 or with OpenSSL built with OPENSSL_NO_RFC3779, so this compat code can be retired.
ok claudio job
|
#
1.34 |
|
12-May-2022 |
tb |
nuke tabs
|
#
1.33 |
|
11-May-2022 |
job |
In filemode check whether ROA & RSC resources are properly contained
with and OK tb@ claudio@
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additionally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexicographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.32 |
|
10-May-2022 |
tb |
Validate RSC filenames
Factor out POSIX portable filename check into a new valid_filename() and rename the previous valid_filename() to valid_mft_filename(). Fixes and supersedes imcomplete checks in the RSC code. Avoids truncation via strndup() in case of embedded NULs.
input/ok claudio
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.31 |
|
21-Apr-2022 |
claudio |
The filemode code is enough different from the regular parser code that it makes sense to totally split it out. Duplicate proc_parser_cert_validate() and proc_parser_root_cert() for now.
The valid_x509() plus the required static functions are moved to validate.c. The crl_tree code moved into crl.c similar to the auth_tree handling in cert.c. All the proc functions are now tagged with __attribute(noreturn) which allows to remove the errx() after them.
OK tb@
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.30 |
|
19-Apr-2022 |
claudio |
Adjust on how CRL and MFT files are verified.
Verify the CRL referenced from the mft against the mft's fileAndHash info. If the CRL matches then load it and use it to validate this mft. If the mft validated OK add the now also valid CRL to the auth store for later use.
Before the newest CRL was always selected but that has negative consequences because it is common practice to revoke the previous MFT's EE cert and with that the cache is turned useless as soon as a new CRL is used. Also there was a possibility that the CRL used for validation of the MFT was not the one later used.
Both RFC6486 and draft-ietf-sidrops-6486bis are unclear about this part of the validation process. We opted in favor of the chached MFT.
With and OK tb@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.29 |
|
04-Feb-2022 |
job |
Fix outdated comment
Nowadays SKI/AKI validation happens in proc_parser_roa()
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.28 |
|
23-Jan-2022 |
tb |
zap extra blank line
|
#
1.27 |
|
23-Jan-2022 |
claudio |
Simplify valid_cert() and valid_roa() by passing in struct auth instead of looking it up again. For this valid_roa() needs to be moved up in proc_parser_roa() also move out the assignment of the TAL id. Not the right thing to alter an object in a validation function. OK tb@
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.26 |
|
22-Jan-2022 |
tb |
Change valid_filename() ot return an enum rtype and rename it to rtype_from_mftfile(). Move both rtype_from functions to mft.c.
ok beck claudio
|
#
1.25 |
|
21-Jan-2022 |
tb |
Add function to determine the file type from the file name extension
rpki-client uses the same idiom to determine the file type in too many places. Use one function that determines the appropriate RTYPE from the file name. Add that type to struct mftfile and use this new member to simplify queue_add_from_mft*().
input/ok claudio
|
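The per-entry checks named in this log, deriving the object type from the manifest file name in one place (rtype_from_mftfile()) and checking a file's SHA-256 against the manifest through an already open descriptor (valid_filehash()), as an added Python illustration rather than rpki-client's code. Assumptions of the example: the RType names, the allowed file name character set (letters, digits, '-', '_' and exactly one '.', matching the restriction RFC 9286 places on manifest file names, plus a three-letter lowercase extension), and the two-directory lookup that stands in for a file being allowed in more than one location.

```python
import enum
import hashlib
import hmac
import os
import re
import tempfile


class RType(enum.Enum):
    """Object types derived from the file name (names are this example's)."""
    INVALID = "invalid"
    CER = "certificate"
    CRL = "crl"
    MFT = "manifest"
    ROA = "roa"
    GBR = "ghostbusters"


_EXT_TO_RTYPE = {".cer": RType.CER, ".crl": RType.CRL, ".mft": RType.MFT,
                 ".roa": RType.ROA, ".gbr": RType.GBR}

# Letters, digits, '-' and '_', then exactly one dot and a three-letter
# extension. Path separators, a second dot or an uppercase extension are
# rejected before the name is ever joined into a path.
_MFT_NAME = re.compile(r"[A-Za-z0-9_-]+\.[a-z]{3}")


def valid_mft_filename(name):
    return _MFT_NAME.fullmatch(name) is not None


def rtype_from_mftfile(name):
    """Type of a manifest fileList entry from its extension; INVALID for a
    malformed name or an unknown extension. The one place this is decided."""
    if not valid_mft_filename(name):
        return RType.INVALID
    return _EXT_TO_RTYPE.get(name[name.rfind("."):], RType.INVALID)


def valid_filehash(fd, expected_hex, chunk=64 * 1024):
    """SHA-256 of the bytes readable from `fd` against the manifest's hash.
    Taking a descriptor rather than a path lets the caller choose which
    location to open, and the bytes hashed are the bytes that get parsed."""
    try:
        expected = bytes.fromhex(expected_hex)
    except ValueError:
        return False
    if len(expected) != hashlib.sha256().digest_size:
        return False
    h = hashlib.sha256()
    try:
        os.lseek(fd, 0, os.SEEK_SET)
        while True:
            buf = os.read(fd, chunk)
            if not buf:
                break
            h.update(buf)
    except OSError:            # e.g. a directory opened read-only
        return False
    return hmac.compare_digest(h.digest(), expected)


def check_mft_entry(name, expected_hex, search_dirs):
    """Validate one fileList entry: name and type first, then the hash of the
    first location where the file opens and matches. Returns (rtype, path),
    with path None when no copy validates."""
    rtype = rtype_from_mftfile(name)
    if rtype is RType.INVALID:
        return rtype, None
    for directory in search_dirs:
        path = os.path.join(directory, name)
        try:
            fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
        except OSError:
            continue
        try:
            if valid_filehash(fd, expected_hex):
                return rtype, path
        finally:
            os.close(fd)
    return rtype, None


def demo():
    """Constructed sample: example.roa exists in two directories; the first
    copy is stale and fails the hash, the second matches the manifest.
    Returns (rtype, found_in_fresh_dir)."""
    good = b"constructed ROA bytes for the example"
    expected = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        stale, fresh = os.path.join(root, "stale"), os.path.join(root, "fresh")
        for d, data in ((stale, b"an older copy"), (fresh, good)):
            os.mkdir(d)
            with open(os.path.join(d, "example.roa"), "wb") as f:
                f.write(data)
        rtype, path = check_mft_entry("example.roa", expected, [stale, fresh])
        return rtype, path == os.path.join(fresh, "example.roa")
```

The ordering matters: the name is validated and typed before it is used to build any path, the hash is computed on the descriptor that will be handed to the parser, and a mismatch in one location is not an error in itself, it just moves the search to the next allowed location.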
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.24 |
|
13-Jan-2022 |
claudio |
Alter valid_filehash() to take a file descriptor instead of a path. This is needed so that callers can allow a file to be in multiple locations. Also move mft_check() from mft.c to parser.c. OK tb@
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.23 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
branches: 1.15.4; add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
branches: 1.13.2; Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.22 |
|
04-Nov-2021 |
claudio |
Instead of passing tal descriptions around just pass a tal id and use a small lookup table to print the description in the output path. OK tb@
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.21 |
|
01-Nov-2021 |
claudio |
Cleanup struct auth a bit. The tal description is also stored in the cert and the filename is only used in tracewarn which is not that helpful. OK tb@
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.20 |
|
29-Oct-2021 |
claudio |
Ensure that RRDP snapshot and delta files are fetched from the same host as the notification file. OK tb@ job@
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.19 |
|
27-Oct-2021 |
beck |
Add limits on size of certain untrusted inputs
ok job@
|
#
1.18 |
|
27-Oct-2021 |
job |
Limit length on URIs
OK beck@
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.17 |
|
24-Oct-2021 |
job |
Restrict the characterset for filenames on Manifests
feedback from benno@
OK claudio@
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|
#
1.7 |
|
27-Nov-2019 |
benno |
Only store ta certs in the trust store and build chains of the intermediate certificates for use in X509_STORE_CTX_init(). To do that save the X509 cert in struct cert. claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
|
#
1.6 |
|
18-Nov-2019 |
claudio |
Add and fix some comments. From kristaps@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.5 |
|
08-Oct-2019 |
claudio |
Rewrite the output handling of rpki-client and add an option to dump the data in JSON format. To make the JSON output the same as the output of the RIPE rpki-validator the basename of the TAL had to be added and passed around in rpki-client. Additinally the VRPs are now stored in an RB tree in the main process instead of keeping them per ROA object. This changes the sort order to be in network order and no longer just lexographical. Agreed by job@ deraadt@
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|
#
1.16 |
|
11-Oct-2021 |
job |
Add support for BGPsec Router Certificates (RFC 8209)
BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form.
OK tb@ claudio@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.15 |
|
16-Aug-2021 |
jsg |
add missing break ok claudio@
|
#
1.14 |
|
19-Apr-2021 |
deraadt |
code review results in KNF, and moving local variables into lowest scope ok claudio
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.13 |
|
05-Mar-2021 |
claudio |
Factor out the URI check we do in various places into valid_uri(). RRDP will add a bunch more checks so this makes even more sense. With and OK tb@
|
#
1.12 |
|
05-Mar-2021 |
claudio |
Factor out the SHA256 hash checks into valid_filehash() so that it can be used by the RRDP code as well. OK tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.11 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.10 |
|
29-Nov-2019 |
benno |
e2k19 - above par s/EXIT_FAILURE/1/ ok claudio@
|
#
1.9 |
|
29-Nov-2019 |
claudio |
valid_as() should be as strict as valid_ip() when it comes to not-covered blocks. No longer bubble up the chain in the hope that something is covered. If this causes issues people need to fix the repository where it causes errors.
|
#
1.8 |
|
28-Nov-2019 |
claudio |
Convert the auths array into an RB tree indexed by SKI. For fast lookups the parent auth struct is stored as a pointer so walking up the certificate chain remains simple. Doing this replaces a few slow lookups and speeds up rpki-client by a factor of 2. OK benno@
|