.RE
.P
---sync-strategy=(off|strict|root)
+--sync-strategy=(off|strict|root|root-except-ta)
.RS 4
RSYNC download strategy.
.P
is the fastest synchronization strategy. At time of writing, this is true for
all the current official repositories.
.RE
+.P
+root-except-ta
+.RS 4
+Synchronizes the root certificate (the one pointed by the TAL) in 'strict' mode,
+and once it's validated, synchronizes the rest of the repository in 'root' mode.
+.P
+Useful if you want 'root', but the root certificate is separated from the rest
+of the repository. Also useful if you don't want the validator to download the
+entire repository without first confirming the integrity and legitimacy of the
+root certificate.
+.RE
.RE
.P
struct string_array const *
config_get_rsync_args(bool is_ta)
{
- return is_ta
- ? &rpki_config.rsync.args.flat
- : &rpki_config.rsync.args.recursive;
+ switch (rpki_config.sync_strategy) {
+ case SYNC_ROOT:
+ return &rpki_config.rsync.args.recursive;
+ case SYNC_ROOT_EXCEPT_TA:
+ return is_ta
+ ? &rpki_config.rsync.args.flat
+ : &rpki_config.rsync.args.recursive;
+ case SYNC_STRICT:
+ return &rpki_config.rsync.args.flat;
+ case SYNC_OFF:
+ break;
+ }
+
+ pr_crit("Invalid sync strategy: '%u'", rpki_config.sync_strategy);
+ /*
+ * Return something usable anyway; don't want to check NULL.
+ * This is supposed to be unreachable code anyway.
+ */
+ return &rpki_config.rsync.args.recursive;
}
void
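Review bot: The `%u` conversion in `pr_crit("Invalid sync strategy: '%u'", rpki_config.sync_strategy)` is handed an enum value whose underlying integer type is implementation-defined, so the conversion is not guaranteed to match and `-Wformat` may warn; cast explicitly, `pr_crit("Invalid sync strategy: '%u'", (unsigned int)rpki_config.sync_strategy);`. The `SYNC_OFF` arm also breaks out to that same line, so the comment calling the path unreachable rests on callers never requesting rsync arguments while synchronization is off — stating that precondition above the function, e.g. `/* Precondition: sync_strategy != SYNC_OFF; callers skip rsync entirely when off. */`, would make the invariant visible to the next reader. The same strategy-plus-is_ta selection is repeated in get_rsync_uri's hunk further down (which runs past the end of this excerpt); a small shared helper returning the effective per-URI strategy would keep the two mappings from drifting apart as strategies are added.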
#include "log.h"
#include "config/str.h"
-#define SYNC_VALUE_OFF "off"
-#define SYNC_VALUE_STRICT "strict"
-#define SYNC_VALUE_ROOT "root"
+#define SYNC_VALUE_OFF "off"
+#define SYNC_VALUE_STRICT "strict"
+#define SYNC_VALUE_ROOT "root"
+#define SYNC_VALUE_ROOT_EXCEPT_TA "root-except-ta"
static void
print_sync_strategy(struct group_fields const *group,
case SYNC_ROOT:
str = SYNC_VALUE_ROOT;
break;
+ case SYNC_ROOT_EXCEPT_TA:
+ str = SYNC_VALUE_ROOT_EXCEPT_TA;
+ break;
}
pr_info("%s.%s: %s", group->name, field->name, str);
*result = SYNC_STRICT;
else if (strcmp(str, SYNC_VALUE_ROOT) == 0)
*result = SYNC_ROOT;
+ else if (strcmp(str, SYNC_VALUE_ROOT_EXCEPT_TA) == 0)
+ *result = SYNC_ROOT_EXCEPT_TA;
else
return pr_err("Unknown synchronization strategy: '%s'", str);
.print = print_sync_strategy,
.parse.argv = parse_argv_sync_strategy,
.parse.toml = parse_toml_sync_strategy,
- .arg_doc = SYNC_VALUE_OFF "|" SYNC_VALUE_STRICT "|" SYNC_VALUE_ROOT,
+ .arg_doc = SYNC_VALUE_OFF
+ "|" SYNC_VALUE_STRICT
+ "|" SYNC_VALUE_ROOT
+ "|" SYNC_VALUE_ROOT_EXCEPT_TA,
};
* structured to benefit this strategy.
*/
SYNC_ROOT,
+ /**
+ * Same as SYNC_ROOT, except the root certificate is synchronized
+ * separately.
+ * (Either because it's in a separate directory, or because we don't
+ * want to download its entire repository until we've verified its
+ * legitimacy and integrity.)
+ */
+ SYNC_ROOT_EXCEPT_TA,
};
extern const struct global_type gt_sync_strategy;
get_rsync_uri(struct rpki_uri const *requested_uri, bool is_ta,
struct rpki_uri *rsync_uri)
{
- if (is_ta)
- return handle_strict_strategy(requested_uri, rsync_uri);
-
switch (config_get_sync_strategy()) {
case SYNC_ROOT:
return handle_root_strategy(requested_uri, rsync_uri);
+ case SYNC_ROOT_EXCEPT_TA:
+ return is_ta
+ ? handle_strict_strategy(requested_uri, rsync_uri)
+ : handle_root_strategy(requested_uri, rsync_uri);
case SYNC_STRICT:
return handle_strict_strategy(requested_uri, rsync_uri);
case SYNC_OFF: