Don't emit Validated ASPAs for Customer ASIDs with more than MAX_ASPA_PROVIDERS

The number of providers in a single ASPA object already was limited to
MAX_ASPA_PROVIDERS, now also impose a limit on the total number of providers
across multiple ASPA objects. If the MAX_ASPA_PROVIDERS limit is hit, omit
the Customer ASID's entry from OpenBGPD and JSON output.

OK tb@

diff --git a/usr.sbin/rpki-client/aspa.c b/usr.sbin/rpki-client/aspa.c
index 6ec63b6..6f4945a 100644 (file)
--- a/usr.sbin/rpki-client/aspa.c
+++ b/usr.sbin/rpki-client/aspa.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: aspa.c,v 1.28 2024/02/21 09:17:06 tb Exp $ */
+/*     $OpenBSD: aspa.c,v 1.29 2024/04/05 16:05:15 job Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders <job@fastly.com>
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -322,7 +322,8 @@ insert_vap(struct vap *v, uint32_t idx, uint32_t *p)
  * Duplicated entries are merged.
  */
 void
-aspa_insert_vaps(struct vap_tree *tree, struct aspa *aspa, struct repo *rp)
+aspa_insert_vaps(char *fn, struct vap_tree *tree, struct aspa *aspa,
+    struct repo *rp)
 {
        struct vap      *v, *found;
        size_t           i, j;
@@ -338,6 +339,10 @@ aspa_insert_vaps(struct vap_tree *tree, struct aspa *aspa, struct repo *rp)
        v->expires = aspa->expires;
 
        if ((found = RB_INSERT(vap_tree, tree, v)) != NULL) {
+               if (found->invalid) {
+                       free(v);
+                       return;
+               }
                if (found->expires > v->expires) {
                        /* decrement found */
                        repo_stat_inc(repo_byid(found->repoid), found->talid,
@@ -352,6 +357,14 @@ aspa_insert_vaps(struct vap_tree *tree, struct aspa *aspa, struct repo *rp)
        } else
                repo_stat_inc(rp, v->talid, RTYPE_ASPA, STYPE_UNIQUE);
 
+       if (v->providersz >= MAX_ASPA_PROVIDERS) {
+               v->invalid = 1;
+               repo_stat_inc(rp, v->talid, RTYPE_ASPA, STYPE_INVALID);
+               warnx("%s: too many providers for ASPA Customer ASID "
+                   "(more than %d)", fn, MAX_ASPA_PROVIDERS);
+               return;
+       }
+
        repo_stat_inc(rp, aspa->talid, RTYPE_ASPA, STYPE_TOTAL);
 
        v->providers = reallocarray(v->providers,

diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index d89c352..5ddf652 100644 (file)
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: extern.h,v 1.213 2024/03/22 03:38:12 job Exp $ */
+/*     $OpenBSD: extern.h,v 1.214 2024/04/05 16:05:15 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -403,6 +403,7 @@ struct vap {
        time_t                   expires;
        int                      talid;
        unsigned int             repoid;
+       int                      invalid;
 };
 
 /*
@@ -710,7 +711,7 @@ struct tak  *tak_parse(X509 **, const char *, int, const unsigned char *,
 
 void            aspa_buffer(struct ibuf *, const struct aspa *);
 void            aspa_free(struct aspa *);
-void            aspa_insert_vaps(struct vap_tree *, struct aspa *,
+void            aspa_insert_vaps(char *, struct vap_tree *, struct aspa *,
                    struct repo *);
 struct aspa    *aspa_parse(X509 **, const char *, int, const unsigned char *,
                    size_t);

diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index a13faa8..e996179 100644 (file)
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: main.c,v 1.255 2024/03/22 03:38:12 job Exp $ */
+/*     $OpenBSD: main.c,v 1.256 2024/04/05 16:05:15 job Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -664,7 +664,7 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree,
                }
                aspa = aspa_read(b);
                if (aspa->valid)
-                       aspa_insert_vaps(vaptree, aspa, rp);
+                       aspa_insert_vaps(file, vaptree, aspa, rp);
                else
                        repo_stat_inc(rp, talid, type, STYPE_INVALID);
                aspa_free(aspa);

diff --git a/usr.sbin/rpki-client/output-bgpd.c b/usr.sbin/rpki-client/output-bgpd.c
index 7bf47d3..1ca6c99 100644 (file)
--- a/usr.sbin/rpki-client/output-bgpd.c
+++ b/usr.sbin/rpki-client/output-bgpd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: output-bgpd.c,v 1.29 2024/02/22 12:49:42 job Exp $ */
+/*     $OpenBSD: output-bgpd.c,v 1.30 2024/04/05 16:05:15 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -58,6 +58,8 @@ output_bgpd(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
        if (fprintf(out, "\naspa-set {\n") < 0)
                return -1;
        RB_FOREACH(vap, vap_tree, vaps) {
+               if (vap->invalid)
+                       continue;
                if (fprintf(out, "\tcustomer-as %d expires %lld "
                    "provider-as { ", vap->custasid,
                    (long long)vap->expires) < 0)

diff --git a/usr.sbin/rpki-client/output-json.c b/usr.sbin/rpki-client/output-json.c
index fd37196..4c56d54 100644 (file)
--- a/usr.sbin/rpki-client/output-json.c
+++ b/usr.sbin/rpki-client/output-json.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: output-json.c,v 1.46 2024/03/01 08:10:09 tb Exp $ */
+/*     $OpenBSD: output-json.c,v 1.47 2024/04/05 16:05:15 job Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  *
@@ -93,6 +93,9 @@ print_vap(struct vap *v)
 {
        size_t i;
 
+       if (v->invalid)
+               return;
+
        json_do_object("aspa", 1);
        json_do_int("customer_asid", v->custasid);
        json_do_int("expires", v->expires);