pcarana [Fri, 17 Jan 2020 23:40:18 +0000 (17:40 -0600)]
Avoid HTTP requests on previously error'd URIs.
+Create type to set RRDP URIs request status (error, unvisited, visited). The status is set accordingly to the result of the last request and processing of the RRDP Update Notification URIs; during RRDP loading, the status is validated to either do a request (URIs hasn't been visited) or skip it (was previously visited or had an error). If a request had an error, then continue the access methods flow considering priorities.
+Update RET_NOT_FOUND_URI macro, it always returned the same error code.
+Remove downloaded files via HTTP (and its local directory structure) whenever there's an error during the download process.
pcarana [Thu, 16 Jan 2020 00:59:20 +0000 (18:59 -0600)]
Load previous valid SLURM on any error, validate tal/slurm conf args.
+Previous valid SLURM was applied only if a newer SLURM had syntax errors; this has changed, now it's applied on any error.
+Log error when the version isn't set at SLURM file.
+Validate configured location (can be a file or directory) of 'tal' and 'slurm' args when the application starts.
pcarana [Wed, 15 Jan 2020 21:56:04 +0000 (15:56 -0600)]
Fix bugs at snapshot processing, and uint args parsing.
+The errors raised during snapshot files processing were ignored. Despite the affected files were deleted, the validation flow kept going, thus presenting an incorrect behavior.
+Unsigned integer arguments were treating an empty string as '0'.
pcarana [Tue, 14 Jan 2020 23:42:31 +0000 (17:42 -0600)]
Add 'rsync.retry.*' and 'rrdp.retry.*' conf args.
+The new arguments are 'rsync.retry.count', 'rsync.retry.interval', 'rrdp.retry.count', and 'rrdp.retry.interval'. Utilized whenever there's an rsync or rrdp sync error, the validator will retry at most '*.retry.count' times, waiting '*.retry.interval' between each retry.
+Ensure that HTTP files download returns a negative error in case of error.
+Wrap files download function at rrdp_parser.
pcarana [Tue, 14 Jan 2020 21:17:03 +0000 (15:17 -0600)]
Use SO_REUSEADDR at server socket, log rsync execution output.
+SO_REUSEADDR sockopt allows to reuse server address and port at once when the service has been stoped (or killed).
+Fix bug: the output of rsync execution (either error or verbose) wasn't being logged when 'log.output' was syslog. The stderr of rsync fork is sent to 'pr_err' function, and stdout is sent to 'pr_info' function.
pcarana [Mon, 13 Jan 2020 19:58:47 +0000 (13:58 -0600)]
Add extra rsync and rrdp configurations (enabled and priority).
+The new configuration properties are: 'rsync.enabled', 'rsync.priority', 'rsync.strategy', 'rrdp.enabled', 'rrdp.priority', and 'work-offline'.
+'sync-strategy' will be deprecated but still it can be set. Whenever is set, its value will be set to 'rsync.priority'.
+Fix possible bug at 'visited_uris', a nul char was being set at a wrong location.
+Consider configured priorities and enabled flags whenever an access method is utilized while processing certificates.
+Boolean configuration parameters value can now be set also at command line, using the syntax '--key=value'.
+Remove 'http.disabled' and 'rrdp-disabled', they aren't needed anymore.
pcarana [Tue, 7 Jan 2020 18:05:52 +0000 (12:05 -0600)]
Fix SLURM bugs and unitiliazed var warning.
+Initialize serial var when logging validation run information.
+Use a write lock when removing non-visited tals RRDP info.
+There was a segfault on two scenarios:
- When run as server and using a slurm file, during the second run, the validator couldn't access RRDP data from the previous run. Fix: the RRDP TAL DB must be static (lives at the parent stack).
- When SLURM was discarded due to a bad file content (eg. empty file, or malformed JSON) and during the next run the file content was valid again, the previous SLURM pointer was freed but didn't pointed at NULL (and this was expected). Fix: point at NULL when the whole SLURM is discarded.
pcarana [Wed, 18 Dec 2019 19:03:58 +0000 (13:03 -0600)]
Fix segfaults at visited_uris.c, add minor updates and RRDP debug logs.
+The segfaults where due to a bad initialization of visited URI elements and reference count.
+Add some debug logs when processing RRDP files.
+Replace 'Valid ROAs' label with 'Valid Prefixes' when there are updates at VRPS DB (and update docs where this label is referenced).
pcarana [Tue, 17 Dec 2019 23:52:11 +0000 (17:52 -0600)]
Add args to disable rrdp/http, update docs and setup script.
+The new arguments are 'rrdp-disabled' and 'http.disabled', both are treated as flags.
+Update docs to include: new arguments, rrdp support, new 'libxml2' dependency.
+Update configuration file example to include new arguments.
+Fix bug at arguments whose value is expected to be a path, this '--tal=' was treated as valid when it isn't, so validate that no empty paths are received.
+Update unit tests impersonator with new args.
+Updates at setup script:
- Fix bug: paths that included a space in between, weren't correctly utilized.
- Use wget always.
- Ignore case when accepting ARIN's RPA.
pcarana [Mon, 16 Dec 2019 20:49:32 +0000 (14:49 -0600)]
Delete temporary XML files and unused TALs RRDP data.
+Remove XML files and its directory structure once they have been utilized.
+Mark as visited TAL information related to RRDP once per cycle; if no RRDP information was visited (means, the TAL wasn't validated during the cycle) the data is forgotten, including its local data.
+Move the directory tree removal functions to 'common.h', so that it can be called from multiple parts.
+Remove created file in case of error during an HTTP download.
pcarana [Fri, 13 Dec 2019 17:50:46 +0000 (11:50 -0600)]
Refactor RRDP URIs storage, implement session ID update.
+Delete dir daemon: detach thread, renames the directory that's going to be deleted.
+Update logic (structs and relations) to remember RRDP URIs: each TAL thread will hold its own RRDP URIs, and each URI (update notification URI) will have its own visited uris struct; the main thread holds each TALs information, so that it can be accesed during every validation run. This way we know who owns what, and in case of a session ID update it's easier to remove the whole file system directory tree related to an RRDP URI.
+Rename 'visited_uris' of rsync to 'rsync_visited_uris', in validation state struct.
+Assure that update notification files are requested only once per cycle (in case they're found as the prefered access method).
+Implement session ID update, remove all files related to the previous session ID.
pcarana [Wed, 11 Dec 2019 00:30:53 +0000 (18:30 -0600)]
Remember which manifests where fetched using RRDP, remove rrdp_handler.
+Remember all manifests URIs that were processed from a snapshot or delta file, this will aid to avoid unnecessary rsync's on child CAs.
+Create 'visited_uris' struct and methods to remember URIs from RRDP snapshot/delta file(s). This should be updated to use another struct more efficient than an SLIST.
+Remove 'rrdp_handler' and do its calls directly where needed.
+Add warning message whenever an access method fails and the secondary access method is utilized.
+Assure that RRDP Update Notification URIs are visited only once per validation run.
+In case there's a manifest error, don't retry the repository download if the accessMethod to get the manifest was RRDP.
pcarana [Tue, 10 Dec 2019 21:03:31 +0000 (15:03 -0600)]
Parse XML docs using a reader, don't load the whole DOM at memory.
+Use 'libxml/xmlreader.h' functions to validate and parse XML documents, this decreases the use of memory that was being allocated using other functions.
+Update the logic at 'rrdp_parser.c' to parse a document element by element, using an 'xmlTextReader'.
+Update unit test to use the XML text reader.
pcarana [Thu, 5 Dec 2019 23:57:19 +0000 (17:57 -0600)]
Validate list of deltas at update notification file.
+Assure that the list of deltas is ordered to facilitate the validation of contiguous serials, and the processing of only the required deltas (only if there's a delta update).
+Change enum 'rrdp_uri_cmp_result' to a type 'rrdp_uri_cmp_result_t'.
+Process the snapshot if there's an error processing deltas.
+Make 'delta_head' attributes public, global and doc data init methods are now void.
+Remove 'SLIST' usage at 'deltas_head' struct, use instead an array list implementation, ready to store a defined amount of elements.
pcarana [Wed, 4 Dec 2019 16:05:55 +0000 (10:05 -0600)]
Send 'If-Modified-Since' header on update notification requests.
+The last update is stored along with the RRDP URIs DB, this date is updated once the file processing (snapshot or deltas) is successfully terminated.
+Be ready in case the server responds an HTTP 304 status code.
+Use CURL option 'CURLOPT_FAILONERROR' to treat HTTP status code > 400 as errors.
pcarana [Tue, 3 Dec 2019 00:14:26 +0000 (18:14 -0600)]
Fix bug due to bad error handling on multithreading.
+Don't consider validation results if at least one TAL has an error fetching it's root certificate. The bug was: on TAL 'hard error' (whenever the root certificate couldn't be fetched), the error was minimized and the rest of the TAL validation results were considered to update DB; this can lead to a considerable number of withdrawal PDUs for the routers.
pcarana [Mon, 2 Dec 2019 22:39:31 +0000 (16:39 -0600)]
Validate hashes and some missing things.
+Add validations of: hash, namespace, version, session ID, and serial of files.
+Validate that only one serial is listed at the update notification file.
+Quick validation of delta elements listed at the notification file (needs a better algorithm to check that all are part of a contiguous sequence).
+Remove unnecessary struct 'xml_source', initially meant to calculate the hash, but it's needed at all.
+Fix a bug: the hash wasn't being set at 'delta_head' new element(s).
pcarana [Fri, 29 Nov 2019 21:54:33 +0000 (15:54 -0600)]
Process delta files, create rrdp_loader to centralize rrdp processing.
+Parse and process delta files, includes file deleting due to a withdraw as well as the parent dir deletion if the dir is empty.
+Consider that 'publish' elements have an optional 'hash' in some cases.
+Calculate the deltas necessary to process from a notification file, based on the current loaded serial and the last downloaded serial.
+Add handler function to get the last downloaded serial.
+The RRDP loader gets the notification file and takes the decission to process such file (no changes, serial update, session update, or new uri). Its code was at certificate.c, but was rellocated here.
+Remove SLIST from rrdp_objects, as well as some other properties that aren't necessary (lists at delta and at snapshot structs).
+Prepare 'deltas_head' to be referenced from distinct parts.
+Fix serial validation when parsing a 'son' object (e.g. validating a delta that was listed at the update notification file).
+No need to return parsed snapshot and delta, since they are processed asap and no further actions are required with the allocated structs.
pcarana [Wed, 27 Nov 2019 21:49:39 +0000 (15:49 -0600)]
Parse and process snapshot, remember RRDP URIs (session ID and serial).
+Create struct and method to store RRDP URIs data.
+Create handler so that multiple threads can access RRDP URIs data.
+Rename 'gdata' property to 'global_data' at update_notification struct.
+Use prefered access method according to the order specified at the CAs.
+Implement RRDP URIs comparison, considers: URI, session ID and serial so that the caller can determine what to do (process snapshot, deltas, etc.)
+Document rrdp_objects.h structs.
+Add content length to 'publish' structure.
+Add functions to parse 'publish' elements.
+Validate that a new RRDP object parsed matches session ID and serial of the parent.
+Whenever a snapshot file is parsed (and validated), all of its 'publish' elements are parsed as well and created at the local repository.
+Use 'fnstack' to log whenever an RRDP file is being processed.
+Update 'uri.h' to explicitly create either rsync or https URIs.
+Use rrdp_handler at the validation state of each thread (or each TAL, it's the same thing).
+Fix wrong return value on error at __do_file_validation, it should return a 'no memory' error instead of 'invalid value'.
+Fix macro ARRAYLIST_FOREACH, one argument wasn't being utilized.
+Update unit tests, add reference to new header 'db_rrdp.h'.
pcarana [Thu, 21 Nov 2019 17:12:30 +0000 (11:12 -0600)]
Add XML parsing structs and methods.
+Validate and parse an Update Notification file whenever is found at a certificate. Currently this does nothing else, is merely to download and validate the file; rsync is still utilized to fetch the repository data.
+Add libxml2 dependency, utilized to validate XML files using relaxNG schema.
+Initialize and cleanup XML parser on main thread.
+Currently libxml2 doesn't seems to support Relax NG compact form, but due to its license, it's the best option to use. The RRDP schema was transformed to Relax NG schema with the tool rnc2rng.
+Add basic unit test to parse an RRDP XML file.
pcarana [Wed, 13 Nov 2019 23:47:58 +0000 (17:47 -0600)]
Support RFC8630, TALs can have comments and HTTPS URIs.
-Remove all references to RFC 7730 (docs and source comments), now obsolete.
-Indicate full RFC 8630 compliance at docs.
-Implement full validation of AIA (RFC 6487 section 4.8.7), since HTTPS URIs loaded from a TAL can cause the current validation to fail.
-The AIA validation function is now exposed, so that CAs and EEs can do it when the current certificate is being validated (and already loaded at heap).
-Allow to create uris that start with 'https://', let uri.c ready to validate https and/or rsync uris.
-Parse comments and https URIs from a tal file, comments are ignored. Whenever and https URI is found and utilized, the file is downloaded using the previously commited HTTP module.
pcarana [Tue, 12 Nov 2019 23:42:29 +0000 (17:42 -0600)]
Add module to support HTTPS requests.
-New program arguments to configure http requests:
+http.user-agent
+http.connect-timeout
+http.transfer-timeout
+http.ca-path
-Relocate functions that create a local directory structure from a local URI, so that can be utilized by rsync.c and http.c.
-Expose a function to download a file from an HTTPS URL, the function is expected to write the bytes from the response into a file using a callback (defined by the caller).
-Add libcurl dependency at makefile and docs (still needs an update for the distinct OSs installation).
-Add unit test for the http module.
-Update man and docs with new configuration properties.
-Update configuration example with new configuration properties.
pcarana [Tue, 29 Oct 2019 20:57:41 +0000 (14:57 -0600)]
Fix unit tests, create common function to print IP addresses.
-Add missing getters at configuration impersonator.
-Create a common function to print IPv4 and IPv6 addresses, the function already existed but it was created multiple times at distinct sources.
pcarana [Thu, 24 Oct 2019 15:46:26 +0000 (10:46 -0500)]
Validate SignedObject DER encoding using incidences schema.
-asn1c doesn't have a DER decoder, but it has DER encoders. Once the data is BER decoded, encode it again as DER and compare against the original data, the difference (if there's one) will be at ASN1 TLVs.
-Create new incidence 'incid-obj-not-der-encoded' to handle such error.
-Update docs: RFC 6488 100% compliance, new incidence description.
-Add new incidence to configuration example (examples/config.json).
pcarana [Fri, 18 Oct 2019 19:39:34 +0000 (14:39 -0500)]
Create setup script, add examples directory (includes tal dir).
-The script invites to agree ARIN RPA and downloads ARIN's TAL. Additionally, downloads the rest of the TALS, creates a local repository directory, and an example configuration file.
-Create 'examples' directory to include examples of: configuration file, SLURM, TALs.
-Move 'tal' directory to 'examples/tal'.
-Update docs, add the usage of the setup script at Installation module.
pcarana [Tue, 15 Oct 2019 20:04:32 +0000 (15:04 -0500)]
Log additional information on start/end of validation cycle.
+The information is printed at INFO level:
- When a client starts/ends a connection, or when the connection is killed (print its address and an internal ID).
- When a new validation cycle is started and finished (includes number of valid ROAs and Router Keys, current/new serial number, and real execution time).
+Update function 'log_debug_enabled' and add 'log_info_enabled' function.
+Add functions to get total ROAs and Router Keys from db_table struct.
pcarana [Fri, 11 Oct 2019 22:30:12 +0000 (17:30 -0500)]
Remember last valid SLURM in case of syntax error with newer SLURM(s).
-Remove 'comment' member from slurm structs, there's no need to store its value.
-Rename 'slurm/slurm_db.*' to 'slurm/db_slurm.*'.
-Allocate SLURM data, so that the last valid SLURM can be used if needed; so, now the SLURM lives on the heap and is 'remembered' as part of the VRPs state. Also remember the date and time when the last valid SLURM was loaded.
-Move 'slurm_bgpsec' and 'slurm_prefix' structs, and SLURM data flags to 'db_slurm.h'.
-Update 'slurm_parser' to return a specific error in case of a syntax error, so that further actions can be taken (ignore slurm, use last valid version, or store as the last valid version).
-In case a previous valid version of SLURM is utilized, log a WARNING indicating that such action is being taken, and log SLURM content at INFO level.
-Fix bug at common function 'process_file', there was an issue before releasing temporal pointers.
Update docs structure and content, merge with master.
-Bring the last updates from master (from commit 298c8f9ab0147159e70e47fb7f0766a5bc1b8b31).
-Fix background of some images (use white instead of none).
-Remove the 'doc' dir and move all its content to root folder, so that the whole documentation can be consulted from the root directory.
-Update the documentation index.
-Update docs layout references to match the new directory structure.
Fix bug, complete some unit tests, downgrade NID info logging.
-Bug fixed: Router Key PDUs overriding each others weren't removed due to a bad 'memcmp' use.
-Complete unit tests where Router Keys data can be tested.
-Downgrade NID registering log from info to debug on initialization.
+Each TAL will validate its own repositories without waiting for the others to terminate.
+Remove a TODO on configure.ac
+Update unit tests.
+Fix warning at base64 sanitizer, replace the function 'strchr' with a local one since the read buffer isn't necessarily a string.
pcarana [Wed, 21 Aug 2019 17:24:49 +0000 (12:24 -0500)]
Fix SLURM issues, and compile warning.
-SLURM filters weren't correctly applied when the filter had a prefix and an asn, only the asn was taken into account.
-Another error at filters, if a prefix X covered ROA prefix Y, the ROA prefix wasn't filtered; so apply the filter as specified in RFC 8416.
-Remove compile warning '_BSD_SOURCE and _SVID_SOURCE are deprecated', and set '_DEFAULT_SOURCE' at generated code by asn1c 'GeneralizedTime.c'.
pcarana [Wed, 14 Aug 2019 22:10:25 +0000 (17:10 -0500)]
Fix #14, remove SIGINT handler and adequate rsync return status.
-The SIGINT handler wasn't terminating the process as it should be, so let the signal be handled as default (like SIGTERM).
-Update the rsync (do_rsync) function to read the returned pid status and know how did the process was terminated; in case of interruption, use the returned value to terminate the validation cycle as well.
projects / thirdparty / FORT-validator.git / log
