From: Alberto Leiva Popper Date: Mon, 23 Sep 2024 19:34:19 +0000 (-0600) Subject: Protocolary updates for release 1.6.4 X-Git-Tag: 1.6.4^0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b0914e8cf864dabc99db81d247054e063c71e003;p=thirdparty%2FFORT-validator.git Protocolary updates for release 1.6.4 --- diff --git a/configure.ac b/configure.ac index acdf4a21..938d5133 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.69]) -AC_INIT([fort],[1.6.3],[validadorfort@fortproject.net]) +AC_INIT([fort],[1.6.4],[validadorfort@fortproject.net]) AC_CONFIG_SRCDIR([src/main.c]) AM_INIT_AUTOMAKE([subdir-objects]) diff --git a/docs/_config.yml b/docs/_config.yml index 7f087fca..f76e04ec 100644 --- a/docs/_config.yml +++ b/docs/_config.yml @@ -8,7 +8,7 @@ defaults: layout: "default" image: "/img/logo_validador_og.png" -fort-latest-version: 1.6.3 +fort-latest-version: 1.6.4 plugins: - jekyll-seo-tag - jekyll-sitemap diff --git a/docs/intro-fort.md b/docs/intro-fort.md index 862f9c24..2c3fadf0 100644 --- a/docs/intro-fort.md +++ b/docs/intro-fort.md 
@@ -17,17 +17,14 @@ Fort is a command-line application intended for UNIX operating systems, written ## Roadmap - - | Issue | Title | Urgency | Due release | |-------|-------|---------|-------------| -| [issue82](https://github.com/NICMx/FORT-validator/issues/82) | Reach 100% RFC 9286 compliance | Critical | 1.6.4 | -| [issue112](https://github.com/NICMx/FORT-validator/issues/112) | Enforce same origin for RRDP files | High | 1.6.4 | -| [issue113](https://github.com/NICMx/FORT-validator/issues/113) | Detect and properly respond to subtler RRDP session desynchronization | Medium | 1.6.4 | -| [issue114](https://github.com/NICMx/FORT-validator/issues/114) | Support automatic TA key rollover | Very High | 1.6.5 | -| [issue50](https://github.com/NICMx/FORT-validator/issues/50) | Provide prometheus endpoint | Very High | 1.6.6 | -| [issue58](https://github.com/NICMx/FORT-validator/issues/58) | Fort's validation produces no router keys | Very High | 1.6.7 | -| [issue74](https://github.com/NICMx/FORT-validator/issues/74) | Kill rsync if a timeout is exceeded | Very High | 1.6.8 | +| [issue82](https://github.com/NICMx/FORT-validator/issues/82) | Reach 100% RFC 9286 compliance | Critical | 1.7.0 | +| [issue112](https://github.com/NICMx/FORT-validator/issues/112) | Enforce same origin for RRDP files | High | 1.7.0 | +| [issue113](https://github.com/NICMx/FORT-validator/issues/113) | Detect and properly respond to subtler RRDP session desynchronization | Medium | 1.7.0 | +| [issue114](https://github.com/NICMx/FORT-validator/issues/114) | Support automatic TA key rollover | Very High | 1.7.1 | +| [issue50](https://github.com/NICMx/FORT-validator/issues/50) | Provide prometheus endpoint | Very High | 1.7.2 | +| [issue58](https://github.com/NICMx/FORT-validator/issues/58) | Fort's validation produces no router keys | Very High | 1.7.3 | | [issue116](https://github.com/NICMx/FORT-validator/issues/116) | SLURM review | High | - | | 
[issue118](https://github.com/NICMx/FORT-validator/issues/118) | Implement validation re-reconsidered | High | - | | [issue119](https://github.com/NICMx/FORT-validator/issues/119) | Review IRIs to file names transition | High | - | diff --git a/docs/usage.md b/docs/usage.md index ab1edd38..319417e7 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -993,7 +993,7 @@ The configuration options are mostly the same as the ones from the `argv` interf "count": 1, "interval": 4 }, - "transfer-timeout": 0, + "transfer-timeout": 900, "program": "rsync", "arguments-recursive": [ "-rtz", @@ -1021,10 +1021,10 @@ The configuration options are mostly the same as the ones from the `argv` interf "count": 1, "interval": 4 }, - "user-agent": "fort/1.6.2", + "user-agent": "fort/{{ site.fort-latest-version }}", "max-redirs": 10, "connect-timeout": 30, - "transfer-timeout": 0, + "transfer-timeout": 900, "low-speed-limit": 100000, "low-speed-time": 10, "max-file-size": 1000000000, @@ -1034,8 +1034,8 @@ The configuration options are mostly the same as the ones from the `argv` interf "log": { "enabled": true, "output": "console", - "level": "info", - "tag": "Operation", + "level": "warning", + "tag": "Op", "facility": "daemon", "file-name-format": "global-url", "color-output": false diff --git a/examples/tal/apnic.tal b/examples/tal/apnic.tal index fc781ee2..803eb20d 100644 --- a/examples/tal/apnic.tal +++ b/examples/tal/apnic.tal @@ -1,3 +1,4 @@ +https://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RWSL61YAAYumEiU8z8 diff --git a/man/fort.8 b/man/fort.8 index 2ce26ad6..6e32e14f 100644 --- a/man/fort.8 +++ b/man/fort.8 @@ -1,4 +1,4 @@ -.TH fort 8 "2024-08-19" "v1.6.3" "FORT validator" +.TH fort 8 "2024-09-23" "v1.6.4" "FORT validator" .SH NAME fort \- RPKI validator and RTR server 
@@ -264,24 +264,6 @@ specific protocol needs to be deactivated, use \fB--rsync.enabled\fR or .RE .P -.B \-\-shuffle-uris -.RS 4 -If enabled, FORT will access TAL URLs in random order. This is meant for load -balancing. If disabled, FORT will access TAL URLs in sequential order. -.P -By default, the flag is disabled. -.P -This flag is only relevant if the TAL lists more than one URL. Regardless of -this flag, FORT will stop iterating through the URLs as soon as it finds one -that yields a successful traversal. -.P -If the TAL lists more than one URL, the shuffle is done honoring the priority -of the protocols (see \fB--rsync.priority\fR and \fB--http.priority\fR). i.e. -if the HTTP protocol has a higher priority than RSYNC, then all the shuffled -HTTP URLs will come first. -.RE -.P - .B \-\-maximum-certificate-depth=\fIUNSIGNED_INTEGER\fR .RS 4 Maximum allowable certificate chain length. Meant to protect FORT from @@ -761,7 +743,7 @@ request at least once. If there was an error requesting the URI, the validator will retry at most \fI--http.retry.count\fR times to fetch the file, waiting \fI--http.retry.interval\fR seconds between each retry. .P -By default, the value is \fI2\fR. +By default, the value is \fI4\fR. .RE .P 
@@ -914,78 +896,6 @@ requests. .RE .P -.B \-\-rsync.strategy=(\fIstrict\fR|\fIroot\fR|\fIroot-except-ta\fR) -.RS 4 -\fIrsync\fR download strategy; states the way rsync URLs are approached during -downloads. It can have one of three values: -.IR strict ", " -.IR root ", " -.IB "root-except-ta" "(default value)" \fR. \fR -.P -.I strict -.RS 4 -In order to enable this strategy, FORT must be compiled using the flag: -ENABLE\_STRICT\_STRATEGY. e.g. -\fB $ make FORT_FLAGS='-DENABLE_STRICT_STRATEGY'\fR -.P -RSYNC every repository publication point separately. Only skip publication -points that have already been downloaded during the current validation cycle. -(Assuming each synchronization is recursive.) -.P -For example, suppose the validator gets certificates whose caRepository access -methods (in their Subject Information Access extensions) point to the following -publication points: -.P -1. rsync://rpki.example.com/foo/bar/ -.br -2. rsync://rpki.example.com/foo/qux/ -.br -3. rsync://rpki.example.com/foo/bar/ -.br -4. rsync://rpki.example.com/foo/corge/grault/ -.br -5. rsync://rpki.example.com/foo/corge/ -.br -6. rsync://rpki.example.com/foo/corge/waldo/ -.P -A validator following the `strict` strategy would download `bar`, download -`qux`, skip `bar`, download `corge/grault`, download `corge` and skip -`corge/waldo`. -.P -This is the slowest, but also the strictly correct sync strategy. -.RE -.P -.I root -.RS 4 -For each publication point found, guess the root of its repository and RSYNC -that instead. Then skip any subsequent children of said root. -.P -(To guess the root of a repository, the validator counts four slashes, and -prunes the rest of the URL.) -.P -Reusing the caRepository URLs from the `strict` strategy (above) as example, a -validator following the `root` strategy would download -`rsync://rpki.example.com/foo`, and then skip everything else. 
-.P -Assuming that the repository is specifically structured to be found within as -few roots as possible, and they contain minimal RPKI-unrelated noise files, this -is the fastest synchronization strategy. At time of writing, this is true for -all the current official repositories. -.RE -.P -.I root-except-ta -.RS 4 -Synchronizes the root certificate (the one pointed by the TAL) in 'strict' mode, -and once it's validated, synchronizes the rest of the repository in 'root' mode. -.P -Useful if you want 'root', but the root certificate is separated from the rest -of the repository. Also useful if you don't want the validator to download the -entire repository without first confirming the integrity and legitimacy of the -root certificate. -.RE -.RE -.P - .B \-\-rsync.retry.count=\fIUNSIGNED_INTEGER\fR .RS 4 Maximum number of retries whenever there's an error executing RSYNC. @@ -997,7 +907,7 @@ at least once. If there was an error executing the RSYNC, the validator will retry it at most \fI--rsync.retry.count\fR times, waiting \fI--rsync.retry.interval\fR seconds between each retry. .P -By default, the value is \fI2\fR. +By default, the value is \fI4\fR. .RE .P 
@@ -1121,26 +1031,6 @@ Maximum: \fIUINT_MAX\fR Default: \fI20\fR .RE -.B \-\-thread-pool.validation.max=\fIUNSIGNED_INTEGER\fR -.RS 4 -Maximum number of threads that will be spawned at an internal thread pool in -order to run validation cycles. -.P -When a validation cycle begins, one thread per configured TAL is utilized; once -the whole RPKI tree of the TAL is validated, the thread is returned to the pool. -.P -If there are more TALs at \fI--tal\fR than \fI--thread-pool.validation.max\fR -threads at the pool, is very likely that the validation cycles take a bit more -of time to complete since only \fI--thread-pool.validation.max\fR threads will -be working at the same time. E.g. if \fI--thread-pool.validation.max=2\fR and -the location at \fI--tal\fR has 4 TAL files, only 2 TALs will be validated -simultaneously while the rest waits in a queue until there's an available thread -at the pool to attend them. -.P -By default, it has a value of \fI5\fR. Minimum allowed value: \fI1\fR, -maximum allowed value \fI100\fR. -.RE - .B \-\-asn1-decode-max-stack=\fIUNSIGNED_INTEGER\fR .RS 4 ASN1 decoder max allowed stack size in bytes, utilized to avoid a stack @@ -1150,12 +1040,6 @@ By default, it has a value of \fI4096\fR (4 kB). .RE .P -.B \-\-stale-repository-period=\fIUNSIGNED_INTEGER\fR -.RS 4 -Deprecated; does nothing. -.RE -.P - .SH EXAMPLES .B fort \-\-init-tals \-\-tal=/tmp/tal .RS 4 @@ -1243,6 +1127,7 @@ to a specific value: "count": 1, "interval": 4 }, + "transfer-timeout": 900, "program": "rsync", "arguments-recursive": [ "-rtz", @@ -1270,10 +1155,10 @@ to a specific value: "count": 1, "interval": 4 }, - "user-agent": "fort/1.6.2", + "user-agent": "fort/1.6.4", "max-redirs": 10, "connect-timeout": 30, - "transfer-timeout": 0, + "transfer-timeout": 900, "low-speed-limit": 100000, "low-speed-time": 10, "max-file-size": 1000000000, 
@@ -1283,8 +1168,8 @@ to a specific value: "log": { "enabled": true, "output": "console", - "level": "info", - "tag": "Operation", + "level": "warning", + "tag": "Op", "facility": "daemon", "file-name-format": "global-url", "color-output": false @@ -1409,7 +1294,7 @@ well as some dummy Router Keys (BGPsec) info: .P .\".SH COPYRIGHT -.\" FORT-validator 2021 +.\" FORT-validator 2024 .\" MIT License .SH SEE ALSO diff --git a/src/config.c b/src/config.c index 5290308c..caee4691 100644 --- a/src/config.c +++ b/src/config.c @@ -3,8 +3,7 @@ #include #include #include -#include -#include +#include #include #include @@ -1055,6 +1054,9 @@ print_usage(FILE *stream, bool print_doc) fprintf(stream, "Usage: %s\n", program_name); FOREACH_OPTION(options, option, AVAILABILITY_GETOPT) { + if (option->deprecated) + continue; + fprintf(stream, "\t["); fprintf(stream, "--%s", option->name); diff --git a/src/object/certificate.c b/src/object/certificate.c index d3619780..fd84f57d 100644 --- a/src/object/certificate.c +++ b/src/object/certificate.c @@ -5,11 +5,9 @@ #if OPENSSL_VERSION_MAJOR >= 3 #include #endif -#include #include #include #include -#include #include #include
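Review bot: The new `if (option->deprecated) continue;` at the top of the FOREACH_OPTION loop in print_usage() carries no comment explaining why these options are skipped. The same commit deletes several man-page entries, including the `--stale-repository-period` one that read "Deprecated; does nothing", so a deprecated flag left in an operator's configuration is no longer described anywhere. I would add `/* Deprecated options are still accepted, but no longer advertised. */` above the check, if that is the intended behavior. The option parser is not visible in this hunk, so it is worth confirming that supplying a deprecated option still logs a warning rather than being silently ignored. The loop body and the rest of print_usage() continue outside the hunk.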