From cd55b6bd00f2e0b78b51ae42a1ced1dab5e6e52e Mon Sep 17 00:00:00 2001
From: job
Date: Fri, 5 Apr 2024 16:05:15 +0000
Subject: [PATCH] Don't emit Validated ASPAs for Customer ASIDs with more than MAX_ASPA_PROVIDERS

The number of providers in a single ASPA object already was limited to MAX_ASPA_PROVIDERS, now also impose a limit on the total number of providers across multiple ASPA objects. If the MAX_ASPA_PROVIDERS limit is hit, omit the Customer ASID's entry from OpenBGPD and JSON output.

OK tb@
---
 usr.sbin/rpki-client/aspa.c | 17 +++++++++++++++--
 usr.sbin/rpki-client/extern.h | 5 +++--
 usr.sbin/rpki-client/main.c | 4 ++--
 usr.sbin/rpki-client/output-bgpd.c | 4 +++-
 usr.sbin/rpki-client/output-json.c | 5 ++++-
 5 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/usr.sbin/rpki-client/aspa.c b/usr.sbin/rpki-client/aspa.c
index 6ec63b6fb7e..6f4945aea9b 100644
--- a/usr.sbin/rpki-client/aspa.c
+++ b/usr.sbin/rpki-client/aspa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aspa.c,v 1.28 2024/02/21 09:17:06 tb Exp $ */
+/* $OpenBSD: aspa.c,v 1.29 2024/04/05 16:05:15 job Exp $ */
 /*
 * Copyright (c) 2022 Job Snijders
 * Copyright (c) 2022 Theo Buehler
@@ -322,7 +322,8 @@ insert_vap(struct vap *v, uint32_t idx, uint32_t *p)
 * Duplicated entries are merged.
 */
 void
-aspa_insert_vaps(struct vap_tree *tree, struct aspa *aspa, struct repo *rp)
+aspa_insert_vaps(char *fn, struct vap_tree *tree, struct aspa *aspa,
+ struct repo *rp)
 {
 struct vap *v, *found;
 size_t i, j;
@@ -338,6 +339,10 @@ aspa_insert_vaps(struct vap_tree *tree, struct aspa *aspa, struct repo *rp)
 v->expires = aspa->expires;
 
 if ((found = RB_INSERT(vap_tree, tree, v)) != NULL) {
+ if (found->invalid) {
+ free(v);
+ return;
+ }
 if (found->expires > v->expires) {
 /* decrement found */
 repo_stat_inc(repo_byid(found->repoid), found->talid,
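Review bot: The new `fn` parameter in the `aspa_insert_vaps` signature is only ever handed to `warnx()` in this commit, so it should be declared `const char *fn` rather than `char *fn`; the matching prototype in the extern.h hunk at -710 has the same issue. As written the signature advertises write access the function never uses, and any caller holding a `const char *` filename would have to cast (the type of `file` passed from main.c is outside that hunk, so this is inferred). The two lines would become `aspa_insert_vaps(const char *fn, struct vap_tree *tree, struct aspa *aspa,` here and `void aspa_insert_vaps(const char *, struct vap_tree *, struct aspa *,` in extern.h. The body of aspa_insert_vaps continues past the end of this hunk.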
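Review bot: The early return on `found->invalid` discards the new object without recording it in any counter: neither `STYPE_TOTAL` nor `STYPE_INVALID` is incremented, and unlike the first object that crossed the limit, no `warnx()` names the file, so later objects for an already-invalidated customer ASID vanish from the per-repo statistics. If those counters are meant to account for every parsed object (the `else` branch in main.c's entity_process hunk does count an invalid object with `STYPE_INVALID`), add `repo_stat_inc(rp, v->talid, RTYPE_ASPA, STYPE_INVALID);` before `free(v);`, otherwise a one-line comment stating that such objects are intentionally uncounted would stop the next reader from filing this as a bug. `free(v)` alone appears sufficient at this point because the `reallocarray` of `v->providers` only happens further down (next hunk), but the allocation of `v` itself is outside this hunk, so please confirm nothing else hangs off it yet. aspa_insert_vaps starts before this hunk.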
@@ -352,6 +357,14 @@ aspa_insert_vaps(struct vap_tree *tree, struct aspa *aspa, struct repo *rp)
 } else
 repo_stat_inc(rp, v->talid, RTYPE_ASPA, STYPE_UNIQUE);
 
+ if (v->providersz >= MAX_ASPA_PROVIDERS) {
+ v->invalid = 1;
+ repo_stat_inc(rp, v->talid, RTYPE_ASPA, STYPE_INVALID);
+ warnx("%s: too many providers for ASPA Customer ASID "
+ "(more than %d)", fn, MAX_ASPA_PROVIDERS);
+ return;
+ }
+
 repo_stat_inc(rp, aspa->talid, RTYPE_ASPA, STYPE_TOTAL);
 
 v->providers = reallocarray(v->providers,
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index d89c352e44b..5ddf6524886 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.213 2024/03/22 03:38:12 job Exp $ */
+/* $OpenBSD: extern.h,v 1.214 2024/04/05 16:05:15 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -403,6 +403,7 @@ struct vap {
 time_t expires;
 int talid;
 unsigned int repoid;
+ int invalid;
 };
 
 /*
@@ -710,7 +711,7 @@ struct tak *tak_parse(X509 **, const char *, int, const unsigned char *,
 
 void aspa_buffer(struct ibuf *, const struct aspa *);
 void aspa_free(struct aspa *);
-void aspa_insert_vaps(struct vap_tree *, struct aspa *,
+void aspa_insert_vaps(char *, struct vap_tree *, struct aspa *,
 struct repo *);
 struct aspa *aspa_parse(X509 **, const char *, int, const unsigned char *,
 size_t);
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index a13faa83d92..e996179d26d 100644
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.255 2024/03/22 03:38:12 job Exp $ */
+/* $OpenBSD: main.c,v 1.256 2024/04/05 16:05:15 job Exp $ */
 /*
 * Copyright (c) 2021 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
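Review bot: The limit test `v->providersz >= MAX_ASPA_PROVIDERS` runs before this object's providers are merged in, so an entry sitting just under the limit can still absorb a whole object (itself up to MAX_ASPA_PROVIDERS entries per the commit message) and be emitted as a Validated ASPA with close to twice that many providers; it is only invalidated when a further object for the same customer ASID arrives, and the warning text "(more than %d)" then understates what was already stored. If a hard cap on the emitted total is the intent, the check belongs after the merge loop (outside this hunk), e.g. `if (v->providersz > MAX_ASPA_PROVIDERS) { v->invalid = 1; ... }`, or as a conservative pre-check `if (v->providersz + aspa->providersz > MAX_ASPA_PROVIDERS)` — the latter over-rejects when duplicates would have been merged away, so I would prefer the post-merge form. If the looser bound is acceptable, a comment on the `if` saying so would save the next reader the same analysis. aspa_insert_vaps continues on both sides of this hunk.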
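Review bot: The new `invalid` member of `struct vap` is undocumented, and nothing at the declaration says what sets it or what consumers are expected to do with it; readers of the header have to find the check in aspa.c and the `continue`/`return` in the two output files. A terse trailing comment in the style of the surrounding fields would do, e.g. `int invalid; /* customer ASID exceeded MAX_ASPA_PROVIDERS; skipped on output */`. The rest of `struct vap` is outside this hunk.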
@@ -664,7 +664,7 @@ entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree,
 }
 aspa = aspa_read(b);
 if (aspa->valid)
- aspa_insert_vaps(vaptree, aspa, rp);
+ aspa_insert_vaps(file, vaptree, aspa, rp);
 else
 repo_stat_inc(rp, talid, type, STYPE_INVALID);
 aspa_free(aspa);
diff --git a/usr.sbin/rpki-client/output-bgpd.c b/usr.sbin/rpki-client/output-bgpd.c
index 7bf47d30450..1ca6c9913a5 100644
--- a/usr.sbin/rpki-client/output-bgpd.c
+++ b/usr.sbin/rpki-client/output-bgpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output-bgpd.c,v 1.29 2024/02/22 12:49:42 job Exp $ */
+/* $OpenBSD: output-bgpd.c,v 1.30 2024/04/05 16:05:15 job Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -58,6 +58,8 @@ output_bgpd(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
 if (fprintf(out, "\naspa-set {\n") < 0)
 return -1;
 RB_FOREACH(vap, vap_tree, vaps) {
+ if (vap->invalid)
+ continue;
 if (fprintf(out, "\tcustomer-as %d expires %lld "
 "provider-as { ", vap->custasid,
 (long long)vap->expires) < 0)
diff --git a/usr.sbin/rpki-client/output-json.c b/usr.sbin/rpki-client/output-json.c
index fd371963018..4c56d547603 100644
--- a/usr.sbin/rpki-client/output-json.c
+++ b/usr.sbin/rpki-client/output-json.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output-json.c,v 1.46 2024/03/01 08:10:09 tb Exp $ */
+/* $OpenBSD: output-json.c,v 1.47 2024/04/05 16:05:15 job Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 *
@@ -93,6 +93,9 @@ print_vap(struct vap *v)
 {
 size_t i;
 
+ if (v->invalid)
+ return;
+
 json_do_object("aspa", 1);
 json_do_int("customer_asid", v->custasid);
 json_do_int("expires", v->expires);
-- 
2.20.1
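Review bot: Skipping an invalid `vap` here makes a customer ASID that exceeded MAX_ASPA_PROVIDERS indistinguishable, in the emitted aspa-set, from one for which no ASPA was ever published, so a consumer reading the file cannot tell "no ASPA" from "ASPA dropped by rpki-client"; the `print_vap` early return in output-json.c at hunk -93 has the same effect. The single `warnx` in aspa.c is the only trace of the omission, which is thin for a decision that changes how a consumer will treat that customer's routes. At minimum a comment at the `continue` such as `/* customer ASID exceeded MAX_ASPA_PROVIDERS; omitted entirely, see aspa_insert_vaps() */` would help, and if the JSON output already carries a metadata or statistics section (outside this hunk, so I cannot tell), surfacing the number of dropped customer ASIDs there would make the condition visible to operators. output_bgpd continues outside this hunk.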