Recent Releases
9.322 Sep 2024 20:30
major bugfix:
Avoid a quadratic complexity issue in ibuf_realloc() due to misuse of recallocarray(). Transferring a manifest with a large FileAndHash list across a privsep boundary could cost significant resources. RRDP sessions are periodically reinitialized to snapshot at random intervals. RRDP deltas and snapshots can diverge content-wise over time, leaving stale files in the cache. Reinitialization is triggered at random with increasing probability with increasing snapshot age, at least once every three months. this helps garbage collection. The internal state file format changed. The first run after an upgrade may produce harmless warning messages about invalid last_reset. Signed Prefix List statistics are now only emitted when rpki-client is run with -x. This changes the JSON output: without -x some keys are missing from 'metadata'. The -r command line option formerly enabling RRDP has long been the default and is now removed. The CRL number extension in CRLs is checked to be in the range 0..2 159-1 and otherwise the CRL is considered invalid, see https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-crl-numbers.
9.224 Aug 2024 11:55
major bugfix:
Ensure synchronization jobs are stopped when the timeout is reached. Fix a corner case in repository handling. If the last RRDP repository failed to load, rpki-client would fail to fall back to rsync due to an ordering bug in the event loop. Improve detection of duplicate file paths. Only trigger a duplicate error if a valid path is revisited otherwise a bad CA could prevent legitimate files from being considered valid. Normalize internal representation of the caRepository to have a trailing slash and ensure that the rpkiManifest is a file inside it.
9.120 Jun 2024 17:45
major feature:
Impose same-origin policy for RRDP. Introduce tiebreaking for trust anchors. Fix internal identification of CA resource certificates. Verify self-signage for trust anchors. Introduce a check for filenames as presented by publication points. Improved compliance with RFCs 6487 and 8209 for certificates and CRLs. Presence of CMS signing-time is now enforced and presence of CMS binary-signing-time is disallowed, per RFC 9589. Lowered the maximum acceptable manifest number to 2 159 - 1. Limit number of validated ASPAs per customer ASID. Ignore the CRL Number extension in CRLs. Various minor bug fixes and improvements in logging and error reporting.
9.003 Mar 2024 22:58
major feature:
Added support for RPKI Signed Prefix Lists: Signed Prefix Lists carry the complete list of prefixes which an Autonomous System may originate its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object. This list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS (https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist). Signed prefix lists are only parsed in filemode or if rpki-client is run with the new -x flag. Added an -x flag to opt into parsing and evaluation of file types that are still considered experimental. At this point in time this covers the signed prefix lists. Added a metric to track the number of new files that were moved to the validated cache. In the OpenMetrics output, per-repository counters are shown. The main process and the JSON output only show the total. Per the announcement in the last release, the stale manifest counters were removed from the OpenMetrics and the JSON output. Ensure that the FileAndHashes list in a Manifest contains no duplicate file names and no duplicate hashes. Various refactoring work, notably to reduce the warning spam generated by OpenSSL 3's deprecations and to remove unergonomic internal structs.
8.913 Feb 2024 11:45
minor feature:
The handling of manifests fetched via rsync or RRDP was reworked to fully conform to RFC 9286. The issuance date and manifest number of the purported new manifest file must have been increased, otherwise the cached version is used. As a consequence of the above changes, some warnings for .mft files were reworded. The notion of a stale manifest is no longer used. The following counters will be removed in rpki-client 9.0: The stalemanifest counter in JSON output. The "stale" state for manifest objects in Open Metrics output. A race condition between closing an idle connection and scheduling a new request on it could trigger an assert in rare circumstances. The evaluation time specified with -P now also applies to trust anchor certificates. Check that the entire CMS eContent was consumed. Previously, trailing data would be silently discarded on deserialization of products. In file mode do not consider overclaiming intermediate CA certificates as invalid. A warning is still issued. Print the revocation time of certificates in file mode. Be more careful when converting OpenSSL numeric identifiers (NIDs) to strings.
8.831 Dec 2023 03:05
major bugfix:
A failed manifest fetch could result in a NULL pointer dereference or a use after free. Reject non-conforming RRDP delta elements that contain neither publish nor a withdraw element and fall back to the RRDP snapshot. Refactoring and minor bug fixes in the warning display functions.
8.721 Dec 2023 07:05
major feature:
Add ability to constrain an RPKI Trust Anchor's effective signing authority to a limited set of Internet numbers. This allows Relying Parties to enjoy the potential benefits of assuming trust, but within a bounded scope. This distribution includes curated constraints files. More information: https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors. Following a 'failed fetch' (described in RFC 9286), emit a warning and continue with a previously cached Manifest file, if present and still valid. Emit a warning when the same manifestNumber is re-used across multiple issuances. Emit a warning when the remote repository presents a Manifest with an unexpected manifestNumber. Purported new manifests are expected to have a higher manifestNumber than previously validated manifests. Otherwise fall back to the previously cached manifest, if it is still valid. This warning can be indicative of manifest replays or of out-of-order publishing. Require RPKI object files to be of a minimum of 100 bytes in both the RRDP and RSYNC transports. No longer synchronize directory modtimes in the local cache to align with remote RSYNC repository sources. Improved CRL extension checking. Experimental support for the P-256 signature algorithm. Various refactoring work.
8.604 Oct 2023 21:52
minor feature:
A compliance check was added to ensure the X.509 Subject only contains commonName and optionally serialNumber. A compliance check was added to ensure the CMS SignedData and SignerInfo versions to be 3. Fisher-Yates shuffle the order in which Manifest entries are processed. Previously, work items were enqueued in the order the CA intended them to appear on a Manifest. However, there is no obvious benefit to third parties deciding the order in which things are processed. Now the Manifest ordering is randomized (as the order has no meaning anyway), and the number of concurrent repository synchronization operations is limited timeboxed. Various refactoring work.
8.530 Jul 2023 03:17
minor feature:
ASPA support was updated to draft-ietf-sidrops-aspa-profile-16. As part of supporting AFI-agnostic ASPAs, JSON syntax for Validated ASPA Payloads changed in both filemode and normal output. Support for gzip and deflate HTTP Content-Encoding compression was added. This allows web servers to send RRDP XML in compressed form, saving around 50 of bandwidth. File modification timestamps of objects retrieved via RRDP are now deterministically set to prepare on-disk cache for seamless failovers from RRDP to RSYNC. 30-50 performance improvement was achieved through libcrypto's partial chains certificate validation feature. Already validated non-inheriting CA certificates are now marked as trusted roots. Improved detection of RRDP session desynchronization: Check was added to compare whether delta hashes associated to previously seen serials are different in newly fetched notification files. Improved handling of RRDP deltas in which objects are published, withdrawn, and published again. Check to disallow duplicate X.509 certificate extensions, empty sets of IPs or ASNs in RFC 3779 extensions were added. Compliance checks were added for proper X.509 Certificate version and CRL version, to ensure CMS Signed Objects contain SignedData, in accordance to RFC 6488 section 3 checklist item 1a, for version, KeyUsage, and ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed Objects. Warning is printed when CMS signing-time attribute in Signed Object is missing. Warnings about unrecoverable message digest mismatches now include manifestNumber to aid debugging the cause. Check was added to disallow multiple RRDP publish elements for same file in RRDP snapshots. If this error condition is encountered, RRDP transfer is failed and RP falls back to rsync. CMS signing-time value being after X.509 notAfter timestamp was downgraded from an error to warning. Bug was fixed for handling of CA certificates which inherit IP resources.
8.402 May 2023 20:37
major feature:
The synchronisation protocol used to sync the repository is now included in the OpenMetrics output. In filemode (-f option) the applicable manifests are now shown as part of the signature path. A new -P option was added to manually specify a moment in time to use when parsing the validity window of certificates. Useful for regression testing. Default is invocation time of rpki-client. The -A option will now also exclude ASPA data from the JSON output. Improved accounting by tracking objects both by repo and tal. For consistency, emit an explicit 'AS 0' Provider entry for ASPAs containing implicit information for one AFI. Fix missing whitespace in ASPA-set output for OpenBGPD. (This bugfix was also released as OpenBSD 7.3 errata 001.) Disallow X.509 v2 issuer and subject unique identifiers in certs. RPKI CAs will never issue certificates with V2 unique identifiers. Check whether products listed on a manifest were issued by the same authority as the manifest itself.
8.319 Mar 2023 13:56
major feature:
The 'expires' key in the JSON/CSV/OpenBGPD output formats is now calculated with more accuracy. Handling of CRLs and Manifests in the face of inconsistent RRDP delta publications has been improved. The OpenBGPD configuration output now includes validated Autonomous System Provider Authorization (ASPA) payloads as an 'aspa-set ' configuration block. When rpki-client is invoked with increased verbosity ('-v'), the current RRDP Serial Session ID are shown to aid debugging. Self-signed X.509 certificates (such as Trust Anchor certificates) now are considered invalid if they contain an X.509 AuthorityInfoAccess extension. Signed Objects where the CMS signing-time attribute contains a timestamp later then the X.509 certificate's notAfter timestamp are considered invalid. Manifests where the CMS signing-time attribute contains a timestamp later then the Manifest eContent nextUpdate timestamp are considered invalid. Any objects whose CRL Distribution Points extension contains a CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are considered invalid in accordance with RFC 6487 section 4.8.6. For every X.509 certificate the SHA-1 of the Subject Public Key is calculated and compared to the Subject Key Identifier (SKI), if a mismatch is found the certificate is not trusted. Require the outside-TBS signature OID for every X.509 intermediate CA certificate and CRL to be sha256WithRSAEncryption. Require the RSA key pair modulus and public exponent parameters to strictly conform to the RFC 7935 profile. Ensure there is no trailing garbage present in Signed Objects beyond the self-embedded length field. Require RRDP Session IDs to strictly be version 4 UUIDs. When decoding and validating an individual RPKI file using filemode (rpki-client -f file), display the signature path towards the trust anchor, the timestamp when the signature path will expire, the optional CMS signing-time, non-optional X.509 notBefore, and X.509 notAfter timestamps.
8.214 Dec 2022 00:12
major feature:
Add a new '-H' command line option to create a shortlist of repositories to synchronize to. For example, when invoking "rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility will not connect to any other hosts other than the two specified through the -H option. Add support for validating Geofeed (RFC 9092) authenticators. To see an example download https://sobornost.net/geofeed.csv and run "rpki-client -f geofeed.csv". Add support for validating Trust Anchor Key (TAK) objects. TAK objects can be used to produce new Trust Anchor Locators (TALs) signed by and verified against the previous Trust Anchor. See draft-ietf-sidrops-signed-tal for the full specification. Log lines related to RRDP/HTTPS connection problems now include the IP address of the problematic endpoint (in brackets). Improve the error message when an invalid filename is encountered in the rpkiManifest field in the Subject Access Information (SIA) extension. Emit a warning when unexpected X.509 extensions are encountered. Restrict the ROA ipAddrBlocks field to only allow two ROAIPAddressFamily structures (one per address family). See draft-ietf-sidrops-rfc6482bis. Check the absence of the Path Length constraint in the Basic Constraints extension. Restrict the SIA extension to only allow the signedObject and rpkiNotify accessMethods. Check that the Signed Object access method is present in ROA, MFT, ASPA, TAK, and GBR End-Entity certificates. In addition to the 'rsync://' scheme, also permit other schemes (such as 'https://') in the SIA signedObject access method. Check that the KeyUsage extension is set to nothing but digitalSignature on End-Entity certificates. Check that the KeyUsage extension is set to nothing but keyCertSign and CRLSign on CA certificates. Check that the ExtendedKeyUsage extension is absent on CA certificates. Fix a bug in the handling of the port of http_proxy. The '-r' command line option has been deprecated. Filemode (-f) output is now presented as a text based table.
8.011 Sep 2022 21:36
major feature:
Add suport for validating Autonomous System Provider Authorization (ASPA) objects conforming to draft-ietf-sidrops-aspa-profile-10. Validated ASPA payloads are visible in JSON and filemode (-f) output. Set rsync connection I/O idle timeout to 15 seconds. Unify the maximum idle I/O and connect timeouts for RSYNC HTTPS. Rpki-client now performs stricter EE certificate validation: Disallow AS Resources extensions in ROA EE certificates; disallow Subject Information Access (SIA) extensions in RPKI Signed Checklist (RSC) EE certs; check the resources in ROAs and RSCs against EE certs. Improve readability and add various information being printed in verbose mode. Extend filemode (-f) output and print X.509 certificates in PEM format when increased verbosity (-vv) is specified. Shorten the RRDP I/O idle timeout. Introduce a deadline timer that aborts all repository synchronization after seven eights of timeout (-s). With this rpki-client has improved chances to complete and produce an output even when a CA is excessivly slow. Abort a currently running RRDP request process when the per-repository timeout is reached. Permit multiple AccessDescription entries in SIA X.509 extensions. While fetching from secondary locations is not yet supported, rpki-client will not treat occurence as a fatal error. Resolve a potential for a race condition in non-atomic RRDP deltas. Fix some memory leaks. Improve compliance with the HTTP protocol specification.
7.914 Jul 2022 10:25
minor feature:
Add support for an operator-configurable skiplist facility. Operators can specify a list of FQDNs which should not be contacted when synchronizing the local cache to the network. Emit a warning when a RRDP session serial number decreases. DER decoding functions were refactored to leverage ASN.1 templates. Add support to validate inspect .sig files containing RPKI Signed Checklists in filemode (-f) (draft-ietf-sidrops-rpki-rsc-08). Print various statistics after the completion of the main process. Add support to decode print TAL (RFC 8630) details in filemode (-f). Emit objects in Concatenated JSON format when filemode (-f) and the JSON output flag (-j) are combined.
7.809 Apr 2022 20:28
major bugfix:
Do not apply timezone offsets when converting X509 times. X509 times are in UTC and comparing them to times in different timezones would cause validity problems.
7.707 Apr 2022 23:09
major feature:
Add various RFC 6488 compliance checks to improve the CMS parser. Improve RRDP replication through less aggressive cache cleanup. Add a check whether a given Manifest EE certificate is listed on the applicable CRL. For forward compatibility permit ASPA object to appear on Manifests. Various improvements to the '-f ' diagnostic option to now also validate files containing Trust Anchor certs and CRLs.
7.607 Feb 2022 22:51
major bugfix:
Enforce the correct namespace of rrdp files. Fail certificate verification if a certificate contains unknown critical extensions. Improve cleanup of rrdp directory contents. Introduce a validated cache which holds all the files that have successfully been verified by rpki-client. Add a new option '-f file' to validate a signed object in a file against the RPKI cache.
7.509 Nov 2021 22:45
security:
Make rpki-client more resilient regarding untrusted input: Fail repository synchronisation after 15min runtime, limit the number of repositories per TAL, don't allow DOCTYPE definitions in RRDP XML files, fix detection of HTTP redirect loops, limit the number of concurrent rsync processes, fix CRLF in TAL files.
7.430 Oct 2021 03:18
security:
Added support for validating BGPsec Router Public Keys. Fix issues with chunked transfer encoding in the RRDP HTTP client. Cleanup and improvement of how IO is handled. Improvements in the way X509 certificates are verified. Make rpki-client more resilient regarding untrusted input: Limit the allowed character set for filename listings on Manifests, limit the length of SIA URIs, limit the size of certain untrusted inputs, don't exit on failures to parse x509 objects, limit the size of objects retreived via RRDP or RSYNC, limit the number of FileAndHash entries on a manifest, constrain RRDP such that the delta/snapshot files must be hosted at the same host as the notification file.
7.323 Sep 2021 06:45
minor feature:
Improve the HTTP client code (status code handling, http proxy support, keep-alive). In RRDP, do not access URI with userinfo (@-sign). Improve RRDP syncing by considering a notification file serial jumping backwards as synced repository. Make -R (rsync only) also apply to the fetching of TA files. Only sync *. cer,crl,gbr,mft,roa files via rsync and exclude all others. When producing output for OpenBGPd, make use of the 'roa-set expires' attribute to prevent machines from loading outdated roa-sets. In RRDP, limit the number of deltas to 300 per repo. If more deltas exist, downloading a full snapshot is faster. Limit the validation depth of X509 certificate chains to 12, double the current depth seen in RPKI.
7.228 Jul 2021 21:18
major feature:
Use RRDP as default protocol for syncronizing the RPKI repository data, with rsync used as secondary. At startup, warn if the filesystem containing the cache directory is probably too small. 500 MB is the suggested minimum size. Handle running out of disk space more gracefully, including cleanup of temporary and old files before exiting. Improve the HTTP/1.1 request headers being sent. Improved validation checks for ROA and MFT objects.
7.118 May 2021 21:52
major feature:
Add keep-alive support to the HTTP client code for RRDP. Reference-count and delete unused files synced via RRDP, as far as possible. In the JSON output, change the AS Number from a string ("AS123") to an integer ("123") to make processing of the output easier. Add an 'expires' column to CSV JSON output, based on certificate and CRL validity times. The 'expires' value can be used to avoid route selection based on stale data when generating VRP sets, when faced with loss of communication between consumer and valdiator, or validator and CA repository. Make the runtime timeout ("-s" option) also triggers in child processes. Improved RRDP support, upstream encourages testing of RRDP with the "-r" option so that RRDP can be enabled by default in a future release. In the portable version additionally: Improve support for older libressl versions (although the latest stable release is recommended). Add missing compat headers in release packages so they build on Alpine Linux and macOS.
7.015 Apr 2021 23:28
major feature:
Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support as a 'technology preview'. To use it, the "-r" flag needs to be used. Support the use of more than one URI in the TAL file sorting with a preference for https. Validation of ghostbuster records (RFC 6493). Fixed checks of the manifest validity interval. The rsync connection is now killed when the rsync server stalls. Limited the URL embedded in .cer files to alphanumeric characters and punctuation. Added a "-V" option to show version. Included the default cert.pem file path in tls_load_file error messages. Use of the ibuf (imsg) API for data exchange between the rpki-client processes. In the portable version additionally: Emit all output formats, no need to choose with options. Changes to for using GitHub actions for automatic testing. The RRDP support requires HTTPS connections, necessitating a dependency for libtls from LibreSSL. Support for building rpki-client on Mac OS X. Added expat as an extra dependency, needed for RRDP support.
6.8p112 Nov 2020 20:33
security:
Incorporate OpenBSD 6.8 errata 006 of November 10, 2020: rpki-client incorrectly checks the manifest validity interval. Add compat code for the LibreSSL ASN1_time_parse() and ASN1_time_tm_cmp() functions. Those are needed to properly check the validity of MFT files.
6.8p020 Oct 2020 21:07
major feature:
Improve how repositories are downloaded: do not fetch symlinks and clean extraneous files in the repositories after download using the cryptographically signed RPKI manifest listings. Fix a bug where rpki-client could hang after calling rsync. Remove the -f option, no longer needed. Improved validation of the trust anchors. Add new option '-s timeout' to make rpki-client automatically terminate after a timeout (default 1 hour). This helps when rpki-client is run via cron to prevent a hanging process to cause problems. Portability improvements: Replace warnc() with warnx() + strerror(), replace b64_pton() with code using the libcrypto EVP_Decode* functionality, adjust for OpenSSL 1.1.x compatible use of the EVP_ENCODE_CTX struct.
6.7p130 Jul 2020 22:54
security:
Incorrect use of "EVP_PKEY_cmp" allowed an authentication bypass.
6.7p019 May 2020 00:38
major bugfix:
Document the suggested interval for running rpki-client in man page. Always initialize cachedir and outputdir. Print statistics as comments at the top of the output files which can take comments, including the date and time when the files were produced, and runtime statistics when producing them. Improve log messages to clarify what's happening. Fix a bug where rpki-client would not properly wait for exiting rsync processes, causing rpki-client to hang.