Codebase list rpki-client / upstream/8.2+git20221218.1.4e92920 CHANGELOG
upstream/8.2+git20221218.1.4e92920

Tree @upstream/8.2+git20221218.1.4e92920 (Download .tar.gz)

CHANGELOG @upstream/8.2+git20221218.1.4e92920raw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
Version 8.2 - December 14th, 2022
=================================

- Add a new '-H' command line option to create a shortlist of repositories to
  synchronize to. For example, when invoking "rpki-client -H rpki.ripe.net -H
  chloe.sobornost.net", the utility will not connect to any other hosts other
  than the two specified through the -H option.

- Add support for validating Geofeed (RFC 9092) authenticators.  To see an
  example download https://sobornost.net/geofeed.csv and run
  "rpki-client -f geofeed.csv"

- Add support for validating Trust Anchor Key (TAK) objects. TAK objects can be
  used to produce new Trust Anchor Locators (TALs) signed by and verified
  against the previous Trust Anchor. See draft-ietf-sidrops-signed-tal for the
  full specification.

- Log lines related to RRDP/HTTPS connection problems now include the IP
  address of the problematic endpoint (in brackets).

- Improve the error message when an invalid filename is encountered in the
  rpkiManifest field in the Subject Access Information (SIA) extension.

- Emit a warning when unexpected X.509 extensions are encountered.

- Restrict the ROA ipAddrBlocks field to only allow two ROAIPAddressFamily
  structures (one per address family). See draft-ietf-sidrops-rfc6482bis.

- Check the absence of the Path Length constraint in the Basic Constraints
  extension.

- Restrict the SIA extension to only allow the signedObject and rpkiNotify
  accessMethods.

- Check that the Signed Object access method is present in ROA, MFT, ASPA, TAK,
  and GBR End-Entity certificates.

- In addition to the 'rsync://' scheme, also permit other schemes (such as
  'https://') in the SIA signedObject access method.

- Check that the KeyUsage extension is set to nothing but digitalSignature on
  End-Entity certificates.

- Chect that the KeyUsage extension is set to nothing but keyCertSign and
  CRLSign on CA certificates.

- Check that the ExtendedKeyUsage extension is absent on CA certificates.

- Fix a bug in the handling of the port of http_proxy.

- The '-r' command line option has been deprecated.

- Filemode (-f) output is now presented as a text based table.

Version 8.0 - September 11th, 2022
==================================

- Add suport for validating Autonomous System Provider Authorization
  (ASPA) objects conforming to draft-ietf-sidrops-aspa-profile-10.
  Validated ASPA payloads are visible in JSON and filemode (-f) output.

- Set rsync connection I/O idle timeout to 15 seconds.

- Unify the maximum idle I/O and connect timeouts for RSYNC & HTTPS.

- Rpki-client now performs stricter EE certificate validation:
    - Disallow AS Resources extensions in ROA EE certificates.
    - Disallow Subject Information Access (SIA) extensions in RPKI
      Signed Checklist (RSC) EE certs.
    - Check the resources in ROAs and RSCs against EE certs.

- Improve readability and add various information being printed in
  verbose mode.

- Extend filemode (-f) output and print X.509 certificates in PEM format
  when increased verbosity (-vv) is specified.

- Shorten the RRDP I/O idle timeout.

- Introduce a deadline timer that aborts all repository synchronization
  after seven eights of timeout (-s). With this rpki-client has improved
  chances to complete and produce an output even when a CA is excessivly
  slow.

- Abort a currently running RRDP request process when the per-repository
  timeout is reached.

- Permit multiple AccessDescription entries in SIA X.509 extensions.
  While fetching from secondary locations is not yet supported,
  rpki-client will not treat occurence as a fatal error.

- Resolve a potential for a race condition in non-atomic RRDP deltas.

- Fix some memory leaks.

- Improve compliance with the HTTP protocol specification.

Version 7.9 - July 14th, 2022
=============================

- Add support for an operator-configurable skiplist facility. Operators
  can specify a list of FQDNs which should not be contacted when
  synchronizing the local cache to the network.

- Emit a warning when a RRDP session serial number decreases.

- DER decoding functions were refactored to leverage ASN.1 templates.

- Add support to validate & inspect .sig files containing RPKI Signed
  Checklists in filemode (-f). (draft-ietf-sidrops-rpki-rsc-08)

- Print various statistics after the completion of the main process.

- Add support to decode & print TAL (RFC 8630) details in filemode (-f).

- Emit objects in Concatenated JSON format when filemode (-f) and the
  JSON output flag (-j) are combined.

Version 7.8 - April 9th, 2022
=============================

- Do not apply timezone offsets when converting X509 times.  X509 times
  are in UTC and comparing them to times in different timezones would
  cause validity problems.

Version 7.7 - April 7th, 2022
=============================

- Add various RFC 6488 compliance checks to improve the CMS parser.

- Improve RRDP replication through less aggressive cache cleanup.

- Add a check whether a given Manifest EE certificate is listed on the
  applicable CRL.

- For forward compatibility permit ASPA object to appear on Manifests.

- Various improvements to the '-f <file>' diagnostic option to now also
  validate files containing Trust Anchor certs and CRLs.

Version 7.6 - February 7th, 2022
================================

- Enforce the correct namespace of rrdp files.

- Fail certificate verification if a certificate contains unknown
  critical extensions.

- Improve cleanup of rrdp directory contents.

- Introduce a validated cache which holds all the files that have
  successfully been verified by rpki-client.

- Add a new option '-f <file>' to validate a signed object in a file
  against the RPKI cache.

Version 7.5 - November 9th, 2021
================================

- Make rpki-client more resilient regarding untrusted input:
  * fail repository synchronisation after 15 min runtime.
  * limit the number of repositories per TAL.
  * don't allow DOCTYPE definitions in RRDP XML files.
  * fix detection of HTTP redirect loops.

- limit the number of concurrent rsync processes.

- fix CRLF in TAL files.

Version 7.4 - October 30th, 2021
================================

- Added support for validating BGPsec Router Public Keys.

- Fix issues with chunked transfer encoding in the RRDP HTTP client.

- Cleanup and improvement of how IO is handled.

- Improvements in the way X509 certificates are verified.

- Make rpki-client more resilient regarding untrusted input:
  * Limit the allowed character set for filename listings on
    Manifests.
  * Limit the length of SIA URIs.
  * Limit the size of certain untrusted inputs.
  * Don't exit on failures to parse x509 objects.
  * Limit the size of objects retreived via RRDP or RSYNC.
  * Limit the number of FileAndHash entries on a manifest.
  * Constrain RRDP such that the delta/snapshot files must be hosted
    at the same host as the notification file.

Version 7.3 - September 23rd, 2021
==================================

- Improve the HTTP client code (status code handling, http proxy
  support, keep-alive).

- In RRDP, do not access URI with userinfo (@-sign)

- Improve RRDP syncing by considering a notification file serial
  jumping backwards as synced repository.

- Make -R (rsync only) also apply to the fetching of TA files.

- Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.

- When producing output for OpenBGPd, make use of the 'roa-set expires'
  attribute to prevent machines from loading outdated roa-sets.

- In RRDP, limit the number of deltas to 300 per repo. If more deltas
  exist, downloading a full snapshot is faster.

- Limit the validation depth of X509 certificate chains to 12, double
  the current depth seen in RPKI.

Version 7.2 - July 28th, 2021
=============================

- Use RRDP as default protocol for syncronizing the RPKI repository
  data, with rsync used as secondary.

- At startup, warn if the filesystem containing the cache directory is
  probably too small. 500 MB is the suggested minimum size.

- Handle running out of disk space more gracefully, including cleanup of
  temporary and old files before exiting.

- Improve the HTTP/1.1 request headers being sent.

- Improved validation checks for ROA and MFT objects.

Version 7.1 - May 18th, 2021
============================

- Add keep-alive support to the HTTP client code for RRDP.

- Reference-count and delete unused files synced via RRDP, as far as
  possible.

- In the JSON output, change the AS Number from a string ("AS123") to an
  integer ("123") to make processing of the output easier.

- Add an 'expires' column to CSV & JSON output, based on certificate and
  CRL validity times. The 'expires' value can be used to avoid route
  selection based on stale data when generating VRP sets, when faced
  with loss of communication between consumer and valdiator, or
  validator and CA repository.

- Make the runtime timeout (-s option) also triggers in child processes.

- Improved RRDP support, we encourage testing of RRDP with the -r option
  so that RRDP can be enabled by default in a future release.  Please
  report any issues found.

- Improved RRDP support, we encourage testing of RRDP with the -r option
  so that RRDP can be enabled by default in a future release.  Please
  report any issues found.

Version 7.0 - April 15th, 2021
==============================

- Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support as a
  'technology preview'. To use it, the "-r" flag needs to be used.

- Support the use of more than one URI in the TAL file sorting with a
  preference for https.

- Validation of ghostbuster records (RFC 6493).

- Fixed checks of the manifest validity interval.

- The rsync connection is now killed when the rsync server stalls.

- Limited the URL embedded in .cer files to alphanumeric characters and
  punctuation.

- Added a "-V" option to show version.

- Included the default cert.pem file path in tls_load_file error
  messages.

- Use of the ibuf (imsg) API for data exchange between the rpki-client
  processes.

Version 6.8 - November 12th, 2020
=================================

- incorporate OpenBSD 6.8 errata 006 of November 10, 2020: rpki-client
  incorrectly checks the manifest validity interval.

In the portable version,

- Add compat code for the LibreSSL ASN1_time_parse() and
  ASN1_time_tm_cmp() functions. Those are needed to properly check the
  validity of MFT files.

Version 6.7 - May 19th, 2020
============================

- Document the suggested interval for running rpki-client in man page.

- Always initialize cachedir and outputdir.

- Print statistics as comments at the top of the output files which can
  take comments, including the date and time when the files were
  produced, and runtime statistics when producing them.

- Improve log messages to clarify what's happening.

- Fix a bug where rpki-client would not properly wait for exiting rsync
  processes, causing rpki-client to hang.

Version 6.6 - April 19th, 2020
==============================

- First release, based on the OpenBSD source code available in the
  OpenBSD CVS repository as of 2020-04-19.