there in structs and prototypes. Remove the openssl/ssl.h and other strange
openssl includes in the .c files that don't use openssl specific functions.
OK beck@ and tb@
Extract the notify URL from the cert if it is available and pass it back to
the parent process. The parent process can then use this info to load the
repo via RRDP instead of rsync.
OK benno@ (some long time ago)
use the files referenced in the manifests to build up a list of files
to keep and remove anything that is not in the list after doing the
full computation.
OK job@ benno@
to check all files in a mft before failing and also the check is now done
after the embedded cert was checked.
This refactor was triggered because of a bug in mft_parse_econtent().
check_validity() altered rc but later failure code assumed that goto out
is good enough to return an error (rc == -1) but since rc was 1 success
was returned. This bug is now also fixed.
Bug report and OK job@
- bird v1 with IPv4 routes
- bird v1 with IPv6 routes
- bird v2
when using command line option -B.
BIRD v2 output from Robert Scheck, robert AT fedoraproject DOT org
time_t cast hint from jca@, and tested by job@
ok deraadt@ claudio@
rpki-client will use the defaults for cache and output directory. If not
started as root users need to provide both directories as arguments.
While there switch from absolute path names to relative ones. For this
the parser and rsync process do a chdir(2) to the cache directory on startup.
OK benno@
compute, based upon flags. OpenBGPD compatible format by default if
no options, to integrate with bgpd.conf and bgpctl reload. Adapt
mtree and stuff. This will receive further refactoring...
ok benno job
the parent auth struct is stored as a pointer so walking up the certificate
chain remains simple. Doing this replaces a few slow lookups and speeds up
rpki-client by a factor of 2.
OK benno@
against the CA one layer above it. This check just needs to use the
certificate revocation list published by that CA.
Instead of loading all CRLs we find into the trust store, we create a
STACK_OF(X509_CRL), push the onto it and use it with
X509_STORE_CTX_set0_crls(ctx, crls);
The x509_get_crl() function to retrieve a crl path from an X509 object
is written by claudio@.
ok claudio@
intermediate certificates for use in X509_STORE_CTX_init(). To do that
save the X509 cert in struct cert.
claudio sees > 2x speed increase.
ok claudio@ and feedback from jsing@ and beck@.
parser process. This way the parser never needs to read outside of the
cache directory which makes the unveil simpler. Additionally rsync_uri_parse
no longer needs to know about .tal files so there is now no chance to sneak
in a .tal file later on.
OK deraadt@
data in JSON format. To make the JSON output the same as the output of the
RIPE rpki-validator the basename of the TAL had to be added and passed around
in rpki-client. Additinally the VRPs are now stored in an RB tree in the
main process instead of keeping them per ROA object. This changes the sort
order to be in network order and no longer just lexographical.
Agreed by job@ deraadt@
as arguments rpki-client will now load the TAL installed in /etc/rpki by
default. For debug reasons an option -t tal is added to pass in TAL files
by hand. The argument is now instead the filename of the output file.
Now `rpki-client roa.conf` will do what you need which is a lot nicer.
Agreed by deraadt@ job@ to be a step in the right direction.
and a count of how many bits of the last byte are unused switch to a much
more normal prefixlen in bits encoding for internal use. This makes the
code easier to understand. Also switch to inet_ntop() for converting a
struct ip_addr into a string.
OK job@
