From: pcarana Date: Tue, 17 Dec 2019 23:52:11 +0000 (-0600) Subject: Add args to disable rrdp/http, update docs and setup script. X-Git-Tag: v1.2.0~33 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=f5cb83af9f8d6fed5e3f25ddcc0592600b0022ac;p=thirdparty%2FFORT-validator.git Add args to disable rrdp/http, update docs and setup script. +The new arguments are 'rrdp-disabled' and 'http.disabled', both are treated as flags. +Update docs to include: new arguments, rrdp support, new 'libxml2' dependency. +Update configuration file example to include new arguments. +Fix bug at arguments whose value is expected to be a path, this '--tal=' was treated as valid when it isn't, so validate that no empty paths are received. +Update unit tests impersonator with new args. +Updates at setup script: - Fix bug: paths that included a space in between, weren't correctly utilized. - Use wget always. - Ignore case when accepting ARIN's RPA. --- diff --git a/docs/index.md b/docs/index.md index b0f5d9d5..9a26c088 100644 --- a/docs/index.md +++ b/docs/index.md @@ -10,7 +10,9 @@ FORT validator is an MIT-licensed RPKI Relying Party, this is a tool offered as ## Status -Version [{{ site.fort-latest-version }}](https://github.com/NICMx/FORT-validator/releases/tag/v{{ site.fort-latest-version }}){:target="_blank"} is the latest official release, includes minor updates, including: +Version [{{ site.fort-latest-version }}](https://github.com/NICMx/FORT-validator/releases/tag/v{{ site.fort-latest-version }}){:target="_blank"} is the latest official release, includes several updates, including: +- RRDP support (see [RFC 8182](https://tools.ietf.org/html/rfc8182)). +- Support HTTPS URIs at TALs (see [RFC 8630](https://tools.ietf.org/html/rfc8630)). - Remember last valid SLURM in case of syntax error with a newer version. - Setup script to fetch ARINs TAL. - Add incidence to validate signed objects DER encoding. \ No newline at end of file diff --git a/docs/installation.md b/docs/installation.md index 037098d3..c099b396 100644 --- a/docs/installation.md +++ b/docs/installation.md @@ -29,6 +29,7 @@ The dependencies are 2. libcrypto (Either [LibreSSL](http://www.libressl.org/) or [OpenSSL](https://www.openssl.org/) >= 1.1) 3. [rsync](http://rsync.samba.org/) 4. [libcurl](https://curl.haxx.se/libcurl/) +5. [libxml2](http://www.xmlsoft.org/) Fort is currently supported in *64-bit* OS. A 32-bit OS may face the [Year 2038 problem](https://en.wikipedia.org/wiki/Year_2038_problem) when handling dates at certificates, and currently there's no work around for this. @@ -80,7 +81,7 @@ etc. ### Debian version {% highlight bash %} -sudo apt install autoconf automake build-essential libjansson-dev libssl-dev pkg-config rsync libcurl4 +sudo apt install autoconf automake build-essential libjansson-dev libssl-dev pkg-config rsync libcurl4 libxml2 wget https://github.com/NICMx/FORT-validator/releases/download/v{{ site.fort-latest-version }}/fort-{{ site.fort-latest-version }}.tar.gz tar xvzf fort-{{ site.fort-latest-version }}.tar.gz @@ -94,7 +95,7 @@ sudo make install {% highlight bash %} su -pkg_add jansson libexecinfo rsync # OpenBSD already ships with LibreSSL +pkg_add jansson libexecinfo rsync libxml # OpenBSD already ships with LibreSSL exit ftp https://github.com/NICMx/FORT-validator/releases/download/v{{ site.fort-latest-version }}/fort-{{ site.fort-latest-version }}.tar.gz @@ -119,7 +120,7 @@ This OS requires additional steps due to its GCC supported version (currently 4. OpenSSL devel (openssl-devel) package isn't necessary, if it's previously installed remove it to avoid future conflicts with newer OpenSSL versions. {% highlight bash %} -sudo yum install autoconf automake git jansson-devel pkgconfig rsync +sudo yum install autoconf automake git jansson-devel pkgconfig rsync libxml2 # Install supported GCC to compile OpenSSL sudo yum groupinstall "Development Tools" {% endhighlight %} @@ -168,7 +169,7 @@ exit The following steps are for Fedora 30. {% highlight bash %} -sudo yum install autoconf automake gcc make openssl-devel jansson-devel +sudo yum install autoconf automake gcc make openssl-devel jansson-devel libxml2 wget https://github.com/NICMx/FORT-validator/releases/download/v{{ site.fort-latest-version }}/fort-{{ site.fort-latest-version }}.tar.gz tar xvzf fort-{{ site.fort-latest-version }}.tar.gz @@ -183,7 +184,7 @@ sudo make install The following steps are for openSUSE Leap 15.1. {% highlight bash %} -sudo zypper install autoconf automake gcc libopenssl-devel libjansson-devel +sudo zypper install autoconf automake gcc libopenssl-devel libjansson-devel libxml2 wget https://github.com/NICMx/FORT-validator/releases/download/v{{ site.fort-latest-version }}/fort-{{ site.fort-latest-version }}.tar.gz tar xvzf fort-{{ site.fort-latest-version }}.tar.gz @@ -199,7 +200,7 @@ The following steps are for FreeBSD 12.0. {% highlight bash %} su -pkg install autoconf automake gcc jansson pkgconf rsync +pkg install autoconf automake gcc jansson pkgconf rsync libxml2 exit curl -L https://github.com/NICMx/FORT-validator/releases/download/v{{ site.fort-latest-version }}/fort-{{ site.fort-latest-version }}.tar.gz --output fort-{{ site.fort-latest-version }}.tar.gz @@ -234,7 +235,7 @@ In case you wan't a fresh version of Fort validator, there's this third option. The following example is the processo to clone, compile and install in Debian OS. {% highlight bash %} -sudo apt install autoconf automake build-essential git libjansson-dev libssl-dev pkg-config rsync libcurl4-openssl-dev +sudo apt install autoconf automake build-essential git libjansson-dev libssl-dev pkg-config rsync libcurl4-openssl-dev libxml2-dev git clone https://github.com/NICMx/FORT-validator.git cd FORT-validator/ diff --git a/docs/intro-fort.md b/docs/intro-fort.md index b68dfb79..56271306 100644 --- a/docs/intro-fort.md +++ b/docs/intro-fort.md @@ -30,7 +30,7 @@ Further information can be found in the subsections below. | [6810](https://tools.ietf.org/html/rfc6810) (RTR Version 0) | 100% | | [7318](https://tools.ietf.org/html/rfc7318) (Policy Qualifiers) | 100% | | [7935](https://tools.ietf.org/html/rfc7935) (RPKI algorithms) | 100% | -| [8182](https://tools.ietf.org/html/rfc8182) (RRDP) | 0% | +| [8182](https://tools.ietf.org/html/rfc8182) (RRDP) | 100% | | [8209](https://tools.ietf.org/html/rfc8209) (BGPSec Certificates) | 100% | | [8210](https://tools.ietf.org/html/rfc8210) (RTR Version 1) | 100% | | [8360](https://tools.ietf.org/html/rfc8360) (Validation Reconsidered) | 100% | @@ -52,10 +52,6 @@ This RFC states a bunch of rules that allow some level of tolerance to missing, These constitute the approximate missing 25%. -### RFC 8182 (RRDP) - -RRDP is a protocol intended to replace RSYNC in the RPKI. Fort only implements RSYNC, currently. - ## TO-DO - Reach 100% RFC compliance diff --git a/docs/usage.md b/docs/usage.md index b7fe5d55..fe46243f 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -19,33 +19,35 @@ command: fort 2. [`strict`](#strict) 3. [`root`](#root) 4. [`root-except-ta`](#root-except-ta) - 7. [`--shuffle-uris`](#--shuffle-uris) - 8. [`--maximum-certificate-depth`](#--maximum-certificate-depth) - 9. [`--mode`](#--mode) - 10. [`--server.address`](#--serveraddress) - 11. [`--server.port`](#--serverport) - 12. [`--server.backlog`](#--serverbacklog) - 13. [`--server.interval.validation`](#--serverintervalvalidation) - 14. [`--server.interval.refresh`](#--serverintervalrefresh) - 15. [`--server.interval.retry`](#--serverintervalretry) - 16. [`--server.interval.expire`](#--serverintervalexpire) - 17. [`--slurm`](#--slurm) - 18. [`--log.level`](#--loglevel) - 19. [`--log.output`](#--logoutput) - 20. [`--log.color-output`](#--logcolor-output) - 21. [`--log.file-name-format`](#--logfile-name-format) - 22. [`--http.user-agent`](#--httpuser-agent) - 23. [`--http.connect-timeout`](#--httpconnect-timeout) - 24. [`--http.transfer-timeout`](#--httptransfer-timeout) - 25. [`--http.ca-path`](#--httpca-path) - 26. [`--output.roa`](#--outputroa) - 27. [`--output.bgpsec`](#--outputbgpsec) - 28. [`--asn1-decode-max-stack`](#--asn1-decode-max-stack) - 29. [`--configuration-file`](#--configuration-file) - 30. [`rsync.program`](#rsyncprogram) - 31. [`rsync.arguments-recursive`](#rsyncarguments-recursive) - 32. [`rsync.arguments-flat`](#rsyncarguments-flat) - 33. [`incidences`](#incidences) + 7. [`--rrdp-disabled`](#--rrdp-disabled) + 8. [`--shuffle-uris`](#--shuffle-uris) + 9. [`--maximum-certificate-depth`](#--maximum-certificate-depth) + 10. [`--mode`](#--mode) + 11. [`--server.address`](#--serveraddress) + 12. [`--server.port`](#--serverport) + 13. [`--server.backlog`](#--serverbacklog) + 14. [`--server.interval.validation`](#--serverintervalvalidation) + 15. [`--server.interval.refresh`](#--serverintervalrefresh) + 16. [`--server.interval.retry`](#--serverintervalretry) + 17. [`--server.interval.expire`](#--serverintervalexpire) + 18. [`--slurm`](#--slurm) + 19. [`--log.level`](#--loglevel) + 20. [`--log.output`](#--logoutput) + 21. [`--log.color-output`](#--logcolor-output) + 22. [`--log.file-name-format`](#--logfile-name-format) + 23. [`--http.user-agent`](#--httpuser-agent) + 24. [`--http.connect-timeout`](#--httpconnect-timeout) + 25. [`--http.transfer-timeout`](#--httptransfer-timeout) + 26. [`--http.ca-path`](#--httpca-path) + 27. [`--http.disabled`](#--httpdisabled) + 28. [`--output.roa`](#--outputroa) + 29. [`--output.bgpsec`](#--outputbgpsec) + 30. [`--asn1-decode-max-stack`](#--asn1-decode-max-stack) + 31. [`--configuration-file`](#--configuration-file) + 32. [`rsync.program`](#rsyncprogram) + 33. [`rsync.arguments-recursive`](#rsyncarguments-recursive) + 34. [`rsync.arguments-flat`](#rsyncarguments-flat) + 35. [`incidences`](#incidences) ## Syntax @@ -58,6 +60,7 @@ command: fort [--tal=|] [--local-repository=] [--sync-strategy=off|strict|root|root-except-ta] + [--rrdp-disabled] [--shuffle-uris] [--maximum-certificate-depth=] [--mode=server|standalone] @@ -77,6 +80,7 @@ command: fort [--http.connect-timeout=] [--http.transfer-timeout=] [--http.ca-path=] + [--http.disabled] [--output.roa=] [--output.bgpsec=] ``` @@ -189,7 +193,11 @@ LQIDAQAB Path to the directory where Fort will store a local cache of the repository. -Right now, Fort accesses RPKI repositories by way of [rsync](https://en.wikipedia.org/wiki/Rsync). (The alternate protocol [RRDP](https://tools.ietf.org/html/rfc8182) is in the road map.) During each validation cycle, Fort will literally invoke an `rsync` command (see [`rsync.program`](#rsyncprogram) and [`rsync.arguments-recursive`](#rsyncarguments-recursive)), which will download the files into `--local-repository`. Fort's entire validation process operates on the resulting copy. +Fort accesses RPKI repositories either with [rsync](https://en.wikipedia.org/wiki/Rsync) or [RRDP](https://tools.ietf.org/html/rfc8182). During each validation cycle, and depending on the preferred access methods defined by the CAs, Fort can do two things: +- Literally invoke an `rsync` command (see [`rsync.program`](#rsyncprogram) and [`rsync.arguments-recursive`](#rsyncarguments-recursive)), which will download the files into `--local-repository`. +- Fetch the RRDP Update Notification file (which implies an HTTP request) and fetch the files from there on (can be obtained from a Snapshot file or Delta files). The files will be downloaed into `--local-repository`. + +Fort's entire validation process operates on the resulting copy of the files (doesn't matter if the files where fetched by rsync of https). Because rsync uses delta encoding, you're advised to keep this cache around. It significantly speeds up subsequent validation cycles. @@ -243,6 +251,15 @@ Synchronizes the root certificate (the one pointed by the TAL) in `strict` mode, Useful if you want `root`, but the root certificate is separated from the rest of the repository. Also useful if you don't want the validator to download the entire repository without first confirming the integrity and legitimacy of the root certificate. +### `--rrdp-disabled` + +- **Type:** None +- **Availability:** `argv` and JSON + +If this flag is activated, Fort will utilize always RSYNC as the preferred access method. + +Otherwise, Fort will utilize RRDP when the preferred access method for a certificate repository is an Update Notification file URI. + ### `--shuffle-uris` - **Type:** None @@ -503,6 +520,15 @@ Useful when the CA from the peer isn't located at the default OS certificate bun The value specified is utilized in libcurl's option [CURLOPT_CAPATH](https://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html). +### `--http.disabled` + +- **Type:** None +- **Availability:** `argv` and JSON + +If the flag is activated, HTTP requests won't be performed and the files that should have been fetched are searched locally at [`--local-repository`](#--local-repository). + +Otherwise, Fort will perform HTTP requests when needed (eg. an HTTPS URI at a TAL, RRDP URIs). + ### `--output.roa` - **Type:** String (Path to file) @@ -555,6 +581,7 @@ The configuration options are mostly the same as the ones from the `argv` interf "tal": "/tmp/fort/tal/", "local-repository": "/tmp/fort/repository/", "sync-strategy": "root", + "rrdp-disabled": false, "shuffle-uris": true, "maximum-certificate-depth": 32, "slurm": "/tmp/fort/test.slurm", @@ -583,7 +610,8 @@ The configuration options are mostly the same as the ones from the `argv` interf "user-agent": "{{ page.command }}/{{ site.fort-latest-version }}", "connect-timeout": 30, "transfer-timeout": 30, - "ca-path": "/usr/local/ssl/certs" + "ca-path": "/usr/local/ssl/certs", + "disabled": false }, "rsync": { diff --git a/examples/config.json b/examples/config.json index 188a581c..9e7585e9 100644 --- a/examples/config.json +++ b/examples/config.json @@ -2,6 +2,7 @@ "tal": "/tmp/fort/tal/", "local-repository": "/tmp/fort/repository/", "sync-strategy": "root", + "rrdp-disabled": false, "shuffle-uris": false, "maximum-certificate-depth": 32, "mode": "server", @@ -27,7 +28,8 @@ "user-agent": "fort/1.2.0", "connect-timeout": 30, "transfer-timeout": 30, - "ca-path": "/usr/local/ssl/certs" + "ca-path": "/usr/local/ssl/certs", + "disabled": false }, "rsync": { "program": "rsync", diff --git a/fort_setup.sh b/fort_setup.sh index 7fe9b4aa..9ddbf0f8 100755 --- a/fort_setup.sh +++ b/fort_setup.sh @@ -38,8 +38,6 @@ exit_on_err() fi } -# Request program (0=wget, 1=curl, 2=ftp) -DOWN_OPT=0 # Timeout for http requests DOWN_TIME=20 @@ -47,50 +45,40 @@ get_tal() { echo "" echo "Fetching $1 TAL..." - case $DOWN_OPT in - 0) - wget -O $2 -T $DOWN_TIME $3 - RES=$? - break - ;; - 1) - curl --output $2 --connect-timeout $DOWN_TIME -L $3 - RES=$? - break - ;; - 2) - # Just in case, specific for OpenBSD, older versions may not support -o or -w - ftp -o $2 -w $DOWN_TIME $3 - RES=$? - break - ;; - *) - echo "Please check the script, there's a programming error." - exit 1 - ;; - esac + wget -O "$2" -T $DOWN_TIME $3 + RES=$? exit_on_err "\"$RES\" = \"0\"" "Couldn't fetch $1 TAL, try again." } # Validate expected args exit_on_err "$# -gt 0" 'Usage: '"$0"' TALS_PATH.\nTALS_PATH must be an existent directory path.' -exit_on_err "-d $1" "Path $1 isn't a directory." -exit_on_err "-w $1" "Write permission denied on path $1." +TMP=`echo "$1"` +if ! [ -d "$TMP" ] ; then + echo "Path '$TMP' isn't a directory." + exit 1 +fi +if ! [ -w "$TMP" ] ; then + echo "Write permission denied on path '$TMP'." + exit 1 +fi # Define download command if type wget >/dev/null 2>&1 ; then - DOWN_OPT=0 -elif type curl >/dev/null 2>&1 ; then - DOWN_OPT=1 -elif type ftp >/dev/null 2>&1 ; then - DOWN_OPT=2 + echo "" else - echo "Couldn't found 'wget', 'curl' nor 'ftp' programs; I need at least one of them to fetch the TALs." + echo "Couldn't find 'wget' program; I need it to fetch the TALs." exit 1 fi +# Get the absolute path, in case the configuration file is placed elsewhere +TALS_LOC=$TMP +TMP=$(readlink -f "$TALS_LOC") +if [ "$?" = "0" ] ; then + TALS_LOC="$TMP" + TMP="" +fi + # Declare variables -TALS_LOC=$1 GITHUB_TALS="https://raw.githubusercontent.com/NICMx/FORT-validator/master/examples/tal" ACCEPT="no" REPO_DIR="/var/cache/fort/repository" @@ -98,14 +86,13 @@ CONF_FILE="fort-config.json" ARIN_TAL="https://www.arin.net/resources/manage/rpki/arin-rfc7730.tal" # Agree ARIN RPA. Exit on denial or unknown response, download otherwise. -echo "" echo "Please download and read ARIN Relying Party Agreement (RPA) from https://www.arin.net/resources/manage/rpki/rpa.pdf" echo "" echo -n "Once you've read and if you agree ARIN RPA, type \"yes\" to proceed with ARIN's TAL download: " read ACCEPT -exit_on_err "\"$ACCEPT\" = \"yes\"" '\nYou haven'"'"'t agreed ARIN RPA! You can manually download its TAL or try running this script again.\n\nWe strongly advise to download ARIN TAL so that the Relying Party (validator) can validate the whole RPKI.' +exit_on_err "\"$(echo $ACCEPT | tr '[:upper:]' '[:lower:]')\" = \"yes\"" '\nYou haven'"'"'t agreed ARIN RPA! You can manually download its TAL or try running this script again.\n\nWe strongly advise to download ARIN TAL so that the Relying Party (validator) can validate the whole RPKI.' -get_tal "ARIN" $TALS_LOC/arin-rfc7730.tal $ARIN_TAL +get_tal "ARIN" "$TALS_LOC/arin-rfc7730.tal" $ARIN_TAL # Get the rest of the TALs echo "" @@ -129,13 +116,6 @@ if ! [ "$?" = "0" ] ; then fi fi -# Get the absolute path, in case the configuration file is placed elsewhere -TMP=$(readlink -f $TALS_LOC) -if [ "$?" = "0" ] ; then - TALS_LOC=$TMP - TMP="" -fi - # Create or overwrite configuration file touch $CONF_FILE echo "{ " > $CONF_FILE @@ -155,7 +135,7 @@ else fi echo "------------------------------------------------------" echo "" -echo "- The five RIRs TAL's were downloaded to $TALS_LOC." +echo "- The five RIRs TAL's were downloaded to '$TALS_LOC'." if ! [ -z "$REPO_DIR" ] ; then echo "- The directory $REPO_DIR was created, so it can be used as the local repository." fi diff --git a/man/fort.8 b/man/fort.8 index 6b32512a..79933b36 100644 --- a/man/fort.8 +++ b/man/fort.8 @@ -187,11 +187,22 @@ its public key. (See RFC 8630.) Path to a directory where the local cache of the repository will be stored and/or read. .P -Right now, FORT accesses RPKI repositories by way of \fIrsync\fR. During each -validation cycle, FORT will literally invoke an rsync command (see -\fBrsync.program\fR and \fBrsync.arguments-recursive\fR), which will download -the files into \fB--local-repository\fR. FORT’s validation operates on the -resulting copy. +FORT accesses RPKI repositories either with \fIrsync\fR or \fIRRDP\fR (see RFC +8182). During each validation cycle, and depending on the preferred access +methods defined by the CAs, Fort can do two things: +.RS 4 +.br +- Literally invoke an rsync command (see \fBrsync.program\fR and +\fBrsync.arguments-recursive\fR), which will download the files into +\fB--local-repository\fR. +.br +- Fetch the RRDP Update Notification file (which implies an HTTP request) and +fetch the files from there on (can be obtained from a Snapshot file or Delta +files). The files will be downloaed into \fB--local-repository\fR. +.RE +.P +Fort's entire validation process operates on the resulting copy of the files +(doesn't matter if the files where fetched by rsync of https). .P Because rsync uses delta encoding, you’re advised to keep this cache around. It significantly speeds up subsequent validation cycles. @@ -279,6 +290,16 @@ root certificate. .RE .P +.B \-\-rrdp-disabled +.RS 4 +If this flag is activated, Fort will utilize always RSYNC as the preferred +access method. +.P +Otherwise, Fort will utilize RRDP when the preferred access method for a +certificate repository is an Update Notification file URI. +.RE +.P + .B \-\-shuffle-uris .RS 4 If enabled, FORT will access TAL URLs in random order. This is meant for load @@ -578,6 +599,16 @@ By default, the path has a NULL value. .RE .P +.B \-\-http.disabled +.RS 4 +If this flag is activated, HTTP requests won't be performed and the files that +should have been fetched are searched locally at \fB--local-repository\fR. +.P +Otherwise, Fort will perform HTTP requests when needed (eg. an HTTPS URI at a +TAL, RRDP URIs). +.RE +.P + .B \-\-output.roa=\fIFILE\fR .RS 4 File where the ROAs will be printed in CSV format. @@ -672,6 +703,7 @@ to a specific value: "tal": "/tmp/fort/tal/", "local-repository": "/tmp/fort/repository/", "sync-strategy": "root", + "rrdp-disabled": false, "shuffle-uris": true, "maximum-certificate-depth": 32, "mode": "server", @@ -697,7 +729,8 @@ to a specific value: "user-agent": "fort/1.2.0", "connect-timeout": 30, "transfer-timeout": 30, - "ca-path": "/usr/local/ssl/certs" + "ca-path": "/usr/local/ssl/certs", + "disabled": false }, "rsync": { "program": "rsync", diff --git a/src/config.c b/src/config.c index 9b236e93..b2d52794 100644 --- a/src/config.c +++ b/src/config.c @@ -36,6 +36,8 @@ struct rpki_config { char *local_repository; /** Synchronization (currently only RSYNC) download strategy. */ enum sync_strategy sync_strategy; + /* Disable RRDP file processing */ + bool rrdp_disabled; /** * Handle TAL URIs in random order? * (https://tools.ietf.org/html/rfc8630#section-3, last @@ -86,6 +88,11 @@ struct rpki_config { unsigned int transfer_timeout; /* Directory where CA certs to verify peers are found */ char *ca_path; + /* + * Disable HTTP requests, if 'true' uses local files located at + * local-repository. + */ + bool disabled; } http; struct { @@ -190,6 +197,12 @@ static const struct option_field options[] = { .doc = "RSYNC download strategy", }, { .id = 2000, + .name = "rrdp-disabled", + .type = >_bool, + .offset = offsetof(struct rpki_config, rrdp_disabled), + .doc = "Disable RRDP file(s) processing", + }, { + .id = 2001, .name = "shuffle-uris", .type = >_bool, .offset = offsetof(struct rpki_config, shuffle_tal_uris), @@ -371,6 +384,13 @@ static const struct option_field options[] = { .doc = "Directory where CA certificates are found, used to verify the peer", .arg_doc = "", }, + { + .id = 9004, + .name = "http.disabled", + .type = >_bool, + .offset = offsetof(struct rpki_config, http.disabled), + .doc = "Enable or disable HTTP requests", + }, /* Logging fields */ { @@ -609,6 +629,7 @@ set_default_values(void) goto revert_port; } + rpki_config.rrdp_disabled = false; rpki_config.sync_strategy = SYNC_ROOT; rpki_config.shuffle_tal_uris = false; rpki_config.maximum_certificate_depth = 32; @@ -638,6 +659,7 @@ set_default_values(void) rpki_config.http.connect_timeout = 30; rpki_config.http.transfer_timeout = 30; rpki_config.http.ca_path = NULL; /* Use system default */ + rpki_config.http.disabled = false; rpki_config.log.color = false; rpki_config.log.filename_format = FNF_GLOBAL; @@ -875,6 +897,12 @@ config_get_sync_strategy(void) return rpki_config.sync_strategy; } +bool +config_get_rrdp_disabled(void) +{ + return rpki_config.rrdp_disabled; +} + bool config_get_shuffle_tal_uris(void) { @@ -960,6 +988,12 @@ config_get_http_ca_path(void) return rpki_config.http.ca_path; } +bool +config_get_http_disabled(void) +{ + return rpki_config.http.disabled; +} + char const * config_get_output_roa(void) { diff --git a/src/config.h b/src/config.h index ea4c5945..7d960f33 100644 --- a/src/config.h +++ b/src/config.h @@ -28,6 +28,7 @@ char const *config_get_slurm(void); char const *config_get_tal(void); char const *config_get_local_repository(void); enum sync_strategy config_get_sync_strategy(void); +bool config_get_rrdp_disabled(void); bool config_get_shuffle_tal_uris(void); unsigned int config_get_max_cert_depth(void); enum mode config_get_mode(void); @@ -37,6 +38,7 @@ char const *config_get_http_user_agent(void); unsigned int config_get_http_connect_timeout(void); unsigned int config_get_http_transfer_timeout(void); char const *config_get_http_ca_path(void); +bool config_get_http_disabled(void); uint8_t config_get_log_level(void); enum log_output config_get_log_output(void); char *config_get_rsync_program(void); diff --git a/src/config/str.c b/src/config/str.c index 83880562..63cd4994 100644 --- a/src/config/str.c +++ b/src/config/str.c @@ -24,7 +24,8 @@ static int string_parse_argv(struct option_field const *field, char const *str, void *result) { - if (field->type->has_arg != required_argument || str == NULL) { + if (field->type->has_arg != required_argument || str == NULL || + strlen(str) == 0) { return pr_err("String options ('%s' in this case) require an argument.", field->name); } diff --git a/src/http/http.c b/src/http/http.c index 929675d9..8cdaa8f4 100644 --- a/src/http/http.c +++ b/src/http/http.c @@ -135,6 +135,11 @@ __http_download_file(struct rpki_uri *uri, http_write_cb cb, FILE *out; int error; + if (config_get_http_disabled()) { + response_code = 0; /* Not 200 code, but also not an error */ + return 0; + } + error = create_dir_recursive(uri_get_local(uri)); if (error) return error; diff --git a/src/object/certificate.c b/src/object/certificate.c index 94944bbb..aedf5370 100644 --- a/src/object/certificate.c +++ b/src/object/certificate.c @@ -1906,7 +1906,7 @@ use_access_method(struct sia_ca_uris *sia_uris, * RSYNC will always be present (at least for now, see * rfc6487#section-4.8.8.1) */ - if (sia_uris->rpkiNotify.uri == NULL) + if (sia_uris->rpkiNotify.uri == NULL || config_get_rrdp_disabled()) return rsync_cb(sia_uris); /* Get the preferred */ diff --git a/test/impersonator.c b/test/impersonator.c index 90a4c733..448f2342 100644 --- a/test/impersonator.c +++ b/test/impersonator.c @@ -70,6 +70,12 @@ config_get_sync_strategy(void) return SYNC_ROOT; } +bool +config_get_rrdp_disabled(void) +{ + return true; +} + bool config_get_color_output(void) { @@ -171,3 +177,9 @@ config_get_http_ca_path(void) { return NULL; } + +bool +config_get_http_disabled(void) +{ + return true; +}