Remove rpki-client's -f command line option
I haven't come across a use case that requires tricking the software
into accepting out-of-date manifests. Anyone using -f? I think this is a
leftover from the initial debugging era.
OK?
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.30
diff -u -p -r1.30 extern.h
--- extern.h 24 Jun 2020 14:39:21 -0000 1.30
+++ extern.h 30 Jun 2020 10:21:04 -0000
@@ -289,7 +289,7 @@ struct cert *cert_read(int);
void mft_buffer(char **, size_t *, size_t *, const struct mft *);
void mft_free(struct mft *);
-struct mft *mft_parse(X509 **, const char *, int);
+struct mft *mft_parse(X509 **, const char *);
int mft_check(const char *, struct mft *);
struct mft *mft_read(int);
Index: main.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
retrieving revision 1.71
diff -u -p -r1.71 main.c
--- main.c 24 Jun 2020 14:39:21 -0000 1.71
+++ main.c 30 Jun 2020 10:21:05 -0000
@@ -148,7 +148,7 @@ struct filepath_tree fpt = RB_INITIALIZ
/*
* Mark that our subprocesses will never return.
*/
-static void proc_parser(int, int) __attribute__((noreturn));
+static void proc_parser(int) __attribute__((noreturn));
static void proc_rsync(char *, char *, int, int)
__attribute__((noreturn));
static void build_chain(const struct auth *, STACK_OF(X509) **);
@@ -892,8 +892,8 @@ proc_parser_roa(struct entity *entp,
* Return the mft on success or NULL on failure.
*/
static struct mft *
-proc_parser_mft(struct entity *entp, int force, X509_STORE *store,
- X509_STORE_CTX *ctx, struct auth_tree *auths, struct crl_tree *crlt)
+proc_parser_mft(struct entity *entp, X509_STORE *store, X509_STORE_CTX *ctx,
+ struct auth_tree *auths, struct crl_tree *crlt)
{
struct mft *mft;
X509 *x509;
@@ -902,7 +902,7 @@ proc_parser_mft(struct entity *entp, int
STACK_OF(X509) *chain;
assert(!entp->has_dgst);
- if ((mft = mft_parse(&x509, entp->uri, force)) == NULL)
+ if ((mft = mft_parse(&x509, entp->uri)) == NULL)
return NULL;
a = valid_ski_aki(entp->uri, auths, mft->ski, mft->aki);
@@ -1127,7 +1127,7 @@ build_crls(const struct auth *a, struct
* The process will exit cleanly only when fd is closed.
*/
static void
-proc_parser(int fd, int force)
+proc_parser(int fd)
{
struct tal *tal;
struct cert *cert;
@@ -1249,8 +1249,7 @@ proc_parser(int fd, int force)
*/
break;
case RTYPE_MFT:
- mft = proc_parser_mft(entp, force,
- store, ctx, &auths, &crlt);
+ mft = proc_parser_mft(entp, store, ctx, &auths, &crlt);
c = (mft != NULL);
io_simple_buffer(&b, &bsz, &bmax, &c, sizeof(int));
if (mft != NULL)
@@ -1500,8 +1499,7 @@ int
main(int argc, char *argv[])
{
int rc = 1, c, proc, st, rsync,
- fl = SOCK_STREAM | SOCK_CLOEXEC, noop = 0,
- force = 0;
+ fl = SOCK_STREAM | SOCK_CLOEXEC, noop = 0;
size_t i, j, eid = 1, outsz = 0, talsz = 0;
pid_t procpid, rsyncpid;
int fd[2];
@@ -1539,7 +1537,7 @@ main(int argc, char *argv[])
if (pledge("stdio rpath wpath cpath fattr proc exec unveil", NULL) ==
-1)
err(1, "pledge");
- while ((c = getopt(argc, argv, "b:Bcd:e:fjnot:T:v")) != -1)
+ while ((c = getopt(argc, argv, "b:Bcd:e:jnot:T:v")) != -1)
switch (c) {
case 'b':
bind_addr = optarg;
@@ -1556,9 +1554,6 @@ main(int argc, char *argv[])
case 'e':
rsync_prog = optarg;
break;
- case 'f':
- force = 1;
- break;
case 'j':
outformats |= FORMAT_JSON;
break;
@@ -1634,7 +1629,7 @@ main(int argc, char *argv[])
err(1, "%s: unveil", cachedir);
if (pledge("stdio rpath", NULL) == -1)
err(1, "pledge");
- proc_parser(fd[0], force);
+ proc_parser(fd[0]);
/* NOTREACHED */
}
@@ -1826,7 +1821,7 @@ main(int argc, char *argv[])
usage:
fprintf(stderr,
- "usage: rpki-client [-Bcfjnov] [-b sourceaddr] [-d cachedir]"
+ "usage: rpki-client [-Bcjnov] [-b sourceaddr] [-d cachedir]"
" [-e rsync_prog]\n"
" [-T table] [-t tal] [outputdir]\n");
return 1;
Index: mft.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
retrieving revision 1.14
diff -u -p -r1.14 mft.c
--- mft.c 11 Apr 2020 15:53:44 -0000 1.14
+++ mft.c 30 Jun 2020 10:21:05 -0000
@@ -61,7 +61,7 @@ gentime2str(const ASN1_GENERALIZEDTIME *
*/
static time_t
check_validity(const ASN1_GENERALIZEDTIME *from,
- const ASN1_GENERALIZEDTIME *until, const char *fn, int force)
+ const ASN1_GENERALIZEDTIME *until, const char *fn)
{
time_t now = time(NULL);
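Review bot: The prototype rewritten here still declares check_validity as `static time_t`, yet the function only ever returns 0 (expired, in the next hunk) or 1 (valid), and its caller tests the result with `!= 1`; the return type reads as if a timestamp came back. Since the signature is being touched anyway, `static int check_validity(const ASN1_GENERALIZEDTIME *from, const ASN1_GENERALIZEDTIME *until, const char *fn)` would state the real contract, with the `validity` local in mft_parse_econtent following suit if it is currently a time_t. The comment block above the function should also spell out the 0/1 meaning rather than leaving readers to infer it from the early returns. The function body continues past this hunk.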
@@ -82,10 +82,8 @@ check_validity(const ASN1_GENERALIZEDTIM
}
/* check that now is not after until */
if (X509_cmp_time(until, &now) < 0) {
- warnx("%s: mft expired on %s%s", fn, gentime2str(until),
- force ? " (ignoring)" : "");
- if (!force)
- return 0;
+ warnx("%s: mft expired on %s", fn, gentime2str(until));
+ return 0;
}
return 1;
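Review bot: With the force escape hatch removed, the comparison at the top of this hunk is now the only thing keeping a stale manifest out, and `X509_cmp_time(until, &now) < 0` does not cover the error case: under the documented OpenSSL/LibreSSL contract X509_cmp_time() returns 0 when it cannot parse the time, and 0 is not less than 0, so a manifest whose nextUpdate is malformed is treated as current instead of being rejected. Checking the result explicitly closes that gap: `int cmp = X509_cmp_time(until, &now);` / `if (cmp == 0) { warnx("%s: mft nextUpdate is not a valid time", fn); return 0; }` / `if (cmp < 0) {` with the existing expired branch following unchanged. The `from` comparison just above this hunk presumably has the same shape and would want the same treatment, but it is not visible here. check_validity's closing brace lies outside the hunk.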
@@ -237,7 +235,7 @@ out:
* Returns <0 on failure, 0 on stale, >0 on success.
*/
static int
-mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p, int
force)
+mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p)
{
ASN1_SEQUENCE_ANY *seq;
const ASN1_TYPE *t;
@@ -311,7 +309,7 @@ mft_parse_econtent(const unsigned char *
}
until = t->value.generalizedtime;
- validity = check_validity(from, until, p->fn, force);
+ validity = check_validity(from, until, p->fn);
if (validity != 1)
goto out;
@@ -356,7 +354,7 @@ out:
* The MFT content is otherwise returned.
*/
struct mft *
-mft_parse(X509 **x509, const char *fn, int force)
+mft_parse(X509 **x509, const char *fn)
{
struct parse p;
int c, rc = 0;
@@ -384,7 +382,7 @@ mft_parse(X509 **x509, const char *fn, i
* references as well as marking it as stale.
*/
- if ((c = mft_parse_econtent(cms, cmsz, &p, force)) == 0) {
+ if ((c = mft_parse_econtent(cms, cmsz, &p)) == 0) {
/*
* FIXME: it should suffice to just mark this as stale
* and have the logic around mft_read() simply ignore
Index: rpki-client.8
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
retrieving revision 1.27
diff -u -p -r1.27 rpki-client.8
--- rpki-client.8 14 May 2020 07:12:16 -0000 1.27
+++ rpki-client.8 30 Jun 2020 10:21:05 -0000
@@ -81,9 +81,6 @@ It must accept the
and
.Fl -delete
flags and connect with rsync-protocol locations.
-.It Fl f
-Accept out-of-date manifests.
-This will still report if a manifest has expired.
.It Fl j
Create output in the file
.Pa json