/usr/src/usr.sbin/rpki-client/main.c

Bug Summary

File:	src/usr.sbin/rpki-client/main.c
Warning:	line 429, column 3 Potential leak of memory pointed to by 'nfile'
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name main.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.sbin/rpki-client/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.sbin/rpki-client -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.sbin/rpki-client/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.sbin/rpki-client/main.c
1/*	$OpenBSD: main.c,v 1.173 2022/01/11 13:06:07 claudio Exp $ */
2/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

19#include <sys/types.h>
20#include <sys/queue.h>
21#include <sys/socket.h>
22#include <sys/resource.h>
23#include <sys/statvfs.h>
24#include <sys/tree.h>
25#include <sys/wait.h>

27#include <assert.h>
28#include <err.h>
29#include <errno(*__errno()).h>
30#include <dirent.h>
31#include <fcntl.h>
32#include <fnmatch.h>
33#include <poll.h>
34#include <pwd.h>
35#include <stdio.h>
36#include <stdlib.h>
37#include <signal.h>
38#include <string.h>
39#include <limits.h>
40#include <syslog.h>
41#include <unistd.h>
42#include <imsg.h>

44#include "extern.h"
45#include "version.h"

47/*
* Maximum number of TAL files we'll load.
*/
50#define	TALSZ_MAX8	8

52const char	*tals[TALSZ_MAX8];
53const char	*taldescs[TALSZ_MAX8];
54unsigned int	 talrepocnt[TALSZ_MAX8];
55size_t		 talsz;

57size_t	entity_queue;
58int	timeout = 60*60;
59volatile sig_atomic_t killme;
60void	suicide(int sig);

62static struct filepath_tree	fpt = RB_INITIALIZER(&fpt){ ((void*)0) };
63static struct msgbuf		procq, rsyncq, httpq, rrdpq;
64static int			cachefd, outdirfd;

66const char	*bird_tablename = "ROAS";

68int	verbose;
69int	noop;
70int	rrdpon = 1;
71int	repo_timeout;

73struct stats	 stats;

75/*
* Log a message to stderr if and only if "verbose" is non-zero.
* This uses the err(3) functionality.
*/
79void
80logx(const char *fmt, ...)
81{
va_list		 ap;

if (verbose && fmt != NULL((void*)0)) {
va_start(ap, fmt)__builtin_va_start(ap, fmt);
vwarnx(fmt, ap);
va_end(ap)__builtin_va_end(ap);
}
89}

91time_t
92getmonotime(void)
93{
struct timespec ts;

if (clock_gettime(CLOCK_MONOTONIC3, &ts) != 0)
err(1, "clock_gettime");
return (ts.tv_sec);
99}

101void
102entity_free(struct entity *ent)
103{
if (ent == NULL((void*)0))
return;

free(ent->path);
free(ent->file);
free(ent->data);
free(ent);
111}

113/*
* Read a queue entity from the descriptor.
* Matched by entity_buffer_req().
* The pointer must be passed entity_free().
*/
118void
119entity_read_req(struct ibuf *b, struct entity *ent)
120{
io_read_buf(b, &ent->type, sizeof(ent->type));
io_read_buf(b, &ent->repoid, sizeof(ent->repoid));
io_read_buf(b, &ent->talid, sizeof(ent->talid));
io_read_str(b, &ent->path);
io_read_str(b, &ent->file);
io_read_buf_alloc(b, (void **)&ent->data, &ent->datasz);
127}

129/*
* Write the queue entity.
* Matched by entity_read_req().
*/
133static void
134entity_write_req(const struct entity *ent)
135{
struct ibuf *b;

b = io_new_buffer();
io_simple_buffer(b, &ent->type, sizeof(ent->type));
io_simple_buffer(b, &ent->repoid, sizeof(ent->repoid));
io_simple_buffer(b, &ent->talid, sizeof(ent->talid));
io_str_buffer(b, ent->path);
io_str_buffer(b, ent->file);
io_buf_buffer(b, ent->data, ent->datasz);
io_close_buffer(&procq, b);
146}

148static void
149entity_write_repo(struct repo *rp)
150{
struct ibuf *b;
enum rtype type = RTYPE_REPO;
unsigned int repoid;
char *path;
int talid = 0;

repoid = repo_id(rp);
path = repo_basedir(rp);
b = io_new_buffer();
io_simple_buffer(b, &type, sizeof(type));
io_simple_buffer(b, &repoid, sizeof(repoid));
io_simple_buffer(b, &talid, sizeof(talid));
io_str_buffer(b, path);
io_str_buffer(b, NULL((void*)0));
io_buf_buffer(b, NULL((void*)0), 0);
io_close_buffer(&procq, b);
free(path);
168}

170/*
* Scan through all queued requests and see which ones are in the given
* repo, then flush those into the parser process.
*/
174void
175entityq_flush(struct entityq *q, struct repo *rp)
176{
struct entity	*p, *np;

entity_write_repo(rp);

TAILQ_FOREACH_SAFE(p, q, entries, np)for ((p) = ((q)->tqh_first); (p) != ((void*)0) && (
(np) = ((p)->entries.tqe_next), 1); (p) = (np)) {
entity_write_req(p);
TAILQ_REMOVE(q, p, entries)do { if (((p)->entries.tqe_next) != ((void*)0)) (p)->entries
.tqe_next->entries.tqe_prev = (p)->entries.tqe_prev; else
 (q)->tqh_last = (p)->entries.tqe_prev; *(p)->entries
.tqe_prev = (p)->entries.tqe_next; ; ; } while (0);
entity_free(p);
}
186}

188/*
* Add the heap-allocated file to the queue for processing.
*/
191static void
192entityq_add(char *path, char *file, enum rtype type, struct repo *rp,
  unsigned char *data, size_t datasz, int talid)
194{
struct entity	*p;

if ((p = calloc(1, sizeof(struct entity))) == NULL((void*)0))
err(1, NULL((void*)0));

p->type = type;
p->talid = talid;
p->path = path;
if (rp != NULL((void*)0))
p->repoid = repo_id(rp);
p->file = file;
p->data = data;
p->datasz = (data != NULL((void*)0)) ? datasz : 0;

entity_queue++;

/*
* Write to the queue if there's no repo or the repo has already
* been loaded else enqueue it for later.
*/

if (rp == NULL((void*)0) || !repo_queued(rp, p)) {
entity_write_req(p);
entity_free(p);
}
220}

222static void
223rrdp_file_resp(unsigned int id, int ok)
224{
enum rrdp_msg type = RRDP_FILE;
struct ibuf *b;

b = io_new_buffer();
io_simple_buffer(b, &type, sizeof(type));
io_simple_buffer(b, &id, sizeof(id));
io_simple_buffer(b, &ok, sizeof(ok));
io_close_buffer(&rrdpq, b);
233}

235void
236rrdp_fetch(unsigned int id, const char *uri, const char *local,
  struct rrdp_session *s)
238{
enum rrdp_msg type = RRDP_START;
struct ibuf *b;

b = io_new_buffer();
io_simple_buffer(b, &type, sizeof(type));
io_simple_buffer(b, &id, sizeof(id));
io_str_buffer(b, local);
io_str_buffer(b, uri);
io_str_buffer(b, s->session_id);
io_simple_buffer(b, &s->serial, sizeof(s->serial));
io_str_buffer(b, s->last_mod);
io_close_buffer(&rrdpq, b);
251}

253/*
* Request a repository sync via rsync URI to directory local.
*/
256void
257rsync_fetch(unsigned int id, const char *uri, const char *local)
258{
struct ibuf	*b;

b = io_new_buffer();
io_simple_buffer(b, &id, sizeof(id));
io_str_buffer(b, local);
io_str_buffer(b, uri);
io_close_buffer(&rsyncq, b);
266}

268/*
* Request a file from a https uri, data is written to the file descriptor fd.
*/
271void
272http_fetch(unsigned int id, const char *uri, const char *last_mod, int fd)
273{
struct ibuf	*b;

b = io_new_buffer();
io_simple_buffer(b, &id, sizeof(id));
io_str_buffer(b, uri);
io_str_buffer(b, last_mod);
/* pass file as fd */
b->fd = fd;
io_close_buffer(&httpq, b);
283}

285/*
* Request some XML file on behalf of the rrdp parser.
* Create a pipe and pass the pipe endpoints to the http and rrdp process.
*/
289static void
290rrdp_http_fetch(unsigned int id, const char *uri, const char *last_mod)
291{
enum rrdp_msg type = RRDP_HTTP_INI;
struct ibuf *b;
int pi[2];

if (pipe2(pi, O_CLOEXEC0x10000 | O_NONBLOCK0x0004) == -1)
err(1, "pipe");

b = io_new_buffer();
io_simple_buffer(b, &type, sizeof(type));
io_simple_buffer(b, &id, sizeof(id));
b->fd = pi[0];
io_close_buffer(&rrdpq, b);

http_fetch(id, uri, last_mod, pi[1]);
306}

308void
309rrdp_http_done(unsigned int id, enum http_result res, const char *last_mod)
310{
enum rrdp_msg type = RRDP_HTTP_FIN;
struct ibuf *b;

/* RRDP request, relay response over to the rrdp process */
b = io_new_buffer();
io_simple_buffer(b, &type, sizeof(type));
io_simple_buffer(b, &id, sizeof(id));
io_simple_buffer(b, &res, sizeof(res));
io_str_buffer(b, last_mod);
io_close_buffer(&rrdpq, b);
321}

323/*
* Add a file (CER, ROA, CRL) from an MFT file, RFC 6486.
* These are always relative to the directory in which "mft" sits.
*/
327static void
328queue_add_from_mft(const char *path, const struct mftfile *file,
  enum rtype type, struct repo *rp)
330{
char		*nfile, *npath = NULL((void*)0);

if (path != NULL((void*)0))
if ((npath = strdup(path)) == NULL((void*)0))
	err(1, NULL((void*)0));
if ((nfile = strdup(file->file)) == NULL((void*)0))
err(1, NULL((void*)0));

entityq_add(npath, nfile, type, rp, NULL((void*)0), 0, -1);
340}

342/*
* Loops over queue_add_from_mft() for all files.
* The order here is important: we want to parse the revocation
* list *before* we parse anything else.
* FIXME: set the type of file in the mftfile so that we don't need to
* keep doing the check (this should be done in the parser, where we
* check the suffix anyway).
*/
350static void
351queue_add_from_mft_set(const struct mft *mft, const char *name, struct repo *rp)
352{
size_t			 i, sz;
const struct mftfile	*f;

for (i = 0; i < mft->filesz; i++) {
f = &mft->files[i];
sz = strlen(f->file);
assert(sz > 4)((sz > 4) ? (void)0 : __assert2("/usr/src/usr.sbin/rpki-client/main.c"
, 359, __func__, "sz > 4"));
if (strcasecmp(f->file + sz - 4, ".crl") != 0)
	continue;
queue_add_from_mft(mft->path, f, RTYPE_CRL, rp);
}

for (i = 0; i < mft->filesz; i++) {
f = &mft->files[i];
sz = strlen(f->file);
assert(sz > 4)((sz > 4) ? (void)0 : __assert2("/usr/src/usr.sbin/rpki-client/main.c"
, 368, __func__, "sz > 4"));
if (strcasecmp(f->file + sz - 4, ".crl") == 0)
	continue;
else if (strcasecmp(f->file + sz - 4, ".cer") == 0)
	queue_add_from_mft(mft->path, f, RTYPE_CER, rp);
else if (strcasecmp(f->file + sz - 4, ".roa") == 0)
	queue_add_from_mft(mft->path, f, RTYPE_ROA, rp);
else if (strcasecmp(f->file + sz - 4, ".gbr") == 0)
	queue_add_from_mft(mft->path, f, RTYPE_GBR, rp);
else
	logx("%s: unsupported file type: %s", name,
	    f->file);
}
381}

383/*
* Add a local TAL file (RFC 7730) to the queue of files to fetch.
*/
386static void
387queue_add_tal(const char *file, int talid)
388{
unsigned char	*buf;
char		*nfile;
size_t		 len;

buf = load_file(file, &len);
if (buf == NULL((void*)0)) {
warn("%s", file);
return;
}

if ((nfile = strdup(file)) == NULL((void*)0))
err(1, NULL((void*)0));
/* Not in a repository, so directly add to queue. */
entityq_add(NULL((void*)0), nfile, RTYPE_TAL, NULL((void*)0), buf, len, talid);
403}

405/*
* Add URIs (CER) from a TAL file, RFC 8630.
*/
408static void
409queue_add_from_tal(struct tal *tal)
410{
struct repo	*repo;
unsigned char	*data;
char		*nfile;

assert(tal->urisz)((tal->urisz) ? (void)0 : __assert2("/usr/src/usr.sbin/rpki-client/main.c"
, 415, __func__, "tal->urisz"));
5
←
Assuming field 'urisz' is not equal to 0→
6
←
'?' condition is true→

if ((taldescs[tal->id] = strdup(tal->descr)) == NULL((void*)0))
7
←
Assuming the condition is false→
8
←
Taking false branch→
err(1, NULL((void*)0));

/* figure out the TA filename, must be done before repo lookup */
nfile = strrchr(tal->uri[0], '/');
assert(nfile != NULL)((nfile != ((void*)0)) ? (void)0 : __assert2("/usr/src/usr.sbin/rpki-client/main.c"
, 422, __func__, "nfile != NULL"));
9
←
Assuming 'nfile' is not equal to null→
10
←
'?' condition is true→
if ((nfile = strdup(nfile + 1)) == NULL((void*)0))
11
←
Memory is allocated→
12
←
Assuming the condition is false→
13
←
Taking false branch→
err(1, NULL((void*)0));

/* Look up the repository. */
repo = ta_lookup(tal->id, tal);
if (repo == NULL((void*)0))
14
←
Assuming 'repo' is equal to NULL→
15
←
Taking true branch→
return;
16
←
Potential leak of memory pointed to by 'nfile'

/* steal the pkey from the tal structure */
data = tal->pkey;
tal->pkey = NULL((void*)0);
entityq_add(NULL((void*)0), nfile, RTYPE_CER, repo, data, tal->pkeysz, tal->id);
435}

437/*
* Add a manifest (MFT) found in an X509 certificate, RFC 6487.
*/
440static void
441queue_add_from_cert(const struct cert *cert)
442{
struct repo	*repo;
char		*nfile, *npath;
const char	*uri, *repouri, *file;
size_t		 repourisz;

repo = repo_lookup(cert->talid, cert->repo,
   rrdpon ? cert->notify : NULL((void*)0));
if (repo == NULL((void*)0))
return;

/*
* Figure out the cert filename and path by chopping up the
* MFT URI in the cert based on the repo base URI.
*/
uri = cert->mft;
repouri = repo_uri(repo);
repourisz = strlen(repouri);
if (strncmp(repouri, cert->mft, repourisz) != 0) {
warnx("%s: URI %s outside of repository", repouri, uri);
return;
}
uri += repourisz + 1;	/* skip base and '/' */
file = strrchr(uri, '/');
if (file == NULL((void*)0)) {
npath = NULL((void*)0);
if ((nfile = strdup(uri)) == NULL((void*)0))
	err(1, NULL((void*)0));
} else {
if ((npath = strndup(uri, file - uri)) == NULL((void*)0))
	err(1, NULL((void*)0));
if ((nfile = strdup(file + 1)) == NULL((void*)0))
	err(1, NULL((void*)0));
}

entityq_add(npath, nfile, RTYPE_MFT, repo, NULL((void*)0), 0, -1);
478}

480/*
* Process parsed content.
* For non-ROAs, we grok for more data.
* For ROAs, we want to extract the valid info.
* In all cases, we gather statistics.
*/
486static void
487entity_process(struct ibuf *b, struct stats *st, struct vrp_tree *tree,
  struct brk_tree *brktree)
489{
enum rtype	 type;
struct tal	*tal;
struct cert	*cert;
struct mft	*mft;
struct roa	*roa;
char		*file;
int		 c;

/*
* For most of these, we first read whether there's any content
* at all---this means that the syntactic parse failed (X509
* certificate, for example).
* We follow that up with whether the resources didn't parse.
*/
io_read_buf(b, &type, sizeof(type));
io_read_str(b, &file);

if (filepath_add(&fpt, file) == 0) {
1
Assuming the condition is false→
2
←
Taking false branch→
warnx("%s: File already visited", file);
free(file);
entity_queue--;
return;
}

switch (type) {
3
←
Control jumps to 'case RTYPE_TAL:'  at line 515→
case RTYPE_TAL:
st->tals++;
tal = tal_read(b);
queue_add_from_tal(tal);
4
←
Calling 'queue_add_from_tal'→
tal_free(tal);
break;
case RTYPE_CER:
st->certs++;
io_read_buf(b, &c, sizeof(c));
if (c == 0) {
	st->certs_fail++;
	break;
}
cert = cert_read(b);
if (cert->purpose == CERT_PURPOSE_CA) {
	/*
	 * Process the revocation list from the
	 * certificate *first*, since it might mark that
	 * we're revoked and then we don't want to
	 * process the MFT.
	 */
	queue_add_from_cert(cert);
} else if (cert->purpose == CERT_PURPOSE_BGPSEC_ROUTER) {
	cert_insert_brks(brktree, cert);
	st->brks++;
} else
	st->certs_fail++;
cert_free(cert);
break;
case RTYPE_MFT:
st->mfts++;
io_read_buf(b, &c, sizeof(c));
if (c == 0) {
	st->mfts_fail++;
	break;
}
mft = mft_read(b);
if (!mft->stale)
	queue_add_from_mft_set(mft, file,
	    repo_byid(mft->repoid));
else
	st->mfts_stale++;
mft_free(mft);
break;
case RTYPE_CRL:
st->crls++;
break;
case RTYPE_ROA:
st->roas++;
io_read_buf(b, &c, sizeof(c));
if (c == 0) {
	st->roas_fail++;
	break;
}
roa = roa_read(b);
if (roa->valid)
	roa_insert_vrps(tree, roa, &st->vrps, &st->uniqs);
else
	st->roas_invalid++;
roa_free(roa);
break;
case RTYPE_GBR:
st->gbrs++;
break;
default:
errx(1, "unknown entity type %d", type);
}

free(file);
entity_queue--;
585}

587static void
588rrdp_process(struct ibuf *b)
589{
enum rrdp_msg type;
enum publish_type pt;
struct rrdp_session s;
char *uri, *last_mod, *data;
char hash[SHA256_DIGEST_LENGTH32];
size_t dsz;
unsigned int id;
int ok;

io_read_buf(b, &type, sizeof(type));
io_read_buf(b, &id, sizeof(id));

switch (type) {
case RRDP_END:
io_read_buf(b, &ok, sizeof(ok));
rrdp_finish(id, ok);
break;
case RRDP_HTTP_REQ:
io_read_str(b, &uri);
io_read_str(b, &last_mod);
rrdp_http_fetch(id, uri, last_mod);
break;
case RRDP_SESSION:
io_read_str(b, &s.session_id);
io_read_buf(b, &s.serial, sizeof(s.serial));
io_read_str(b, &s.last_mod);
rrdp_save_state(id, &s);
free(s.session_id);
free(s.last_mod);
break;
case RRDP_FILE:
io_read_buf(b, &pt, sizeof(pt));
if (pt != PUB_ADD)
	io_read_buf(b, &hash, sizeof(hash));
io_read_str(b, &uri);
io_read_buf_alloc(b, (void **)&data, &dsz);

ok = rrdp_handle_file(id, pt, uri, hash, sizeof(hash),
    data, dsz);
rrdp_file_resp(id, ok);

free(uri);
free(data);
break;
default:
errx(1, "unexpected rrdp response");
}
637}

639/*
* Assign filenames ending in ".tal" in "/etc/rpki" into "tals",
* returning the number of files found and filled-in.
* This may be zero.
* Don't exceded "max" filenames.
*/
645static size_t
646tal_load_default(void)
647{
static const char *confdir = "/etc/rpki";
size_t s = 0;
char *path;
DIR *dirp;
struct dirent *dp;

dirp = opendir(confdir);
if (dirp == NULL((void*)0))
err(1, "open %s", confdir);
while ((dp = readdir(dirp)) != NULL((void*)0)) {
if (fnmatch("*.tal", dp->d_name, FNM_PERIOD0x04) == FNM_NOMATCH1)
	continue;
if (s >= TALSZ_MAX8)
	err(1, "too many tal files found in %s",
	    confdir);
if (asprintf(&path, "%s/%s", confdir, dp->d_name) == -1)
	err(1, NULL((void*)0));
tals[s++] = path;
}
closedir(dirp);
return s;
669}

671static void
672check_fs_size(int fd, const char *cachedir)
673{
struct statvfs	fs;
const long long minsize = 500 * 1024 * 1024;
const long long minnode = 300 * 1000;

if (fstatvfs(fd, &fs) == -1)
err(1, "statfs %s", cachedir);

if (fs.f_bavail < minsize / fs.f_frsize || fs.f_favail < minnode) {
fprintf(stderr(&__sF[2]), "WARNING: rpki-client may need more than "
    "the available disk space\n"
    "on the file-system holding %s.\n", cachedir);
fprintf(stderr(&__sF[2]), "available space: %lldkB, "
    "suggested minimum %lldkB\n",
    (long long)fs.f_bavail * fs.f_frsize / 1024,
    minsize / 1024);
fprintf(stderr(&__sF[2]), "available inodes %lld, "
    "suggested minimum %lld\n\n",
    (long long)fs.f_favail, minnode);
fflush(stderr(&__sF[2]));
}
694}

696void
697suicide(int sig __attribute__((unused)))
698{
killme = 1;
700}

702#define NPFD4	4

704int
705main(int argc, char *argv[])
706{
int		 rc, c, st, proc, rsync, http, rrdp, hangup = 0;
int		 fl = SOCK_STREAM1 | SOCK_CLOEXEC0x8000 | SOCK_NONBLOCK0x4000;
size_t		 i;
pid_t		 pid, procpid, rsyncpid, httppid, rrdppid;
int		 fd[2];
struct pollfd	 pfd[NPFD4];
struct msgbuf	*queues[NPFD4];
struct ibuf	*b, *httpbuf = NULL((void*)0), *procbuf = NULL((void*)0);
struct ibuf	*rrdpbuf = NULL((void*)0), *rsyncbuf = NULL((void*)0);
char		*rsync_prog = "openrsync";
char		*bind_addr = NULL((void*)0);
const char	*cachedir = NULL((void*)0), *outputdir = NULL((void*)0);
const char	*errs, *name;
const char	*file = NULL((void*)0);
struct vrp_tree	 vrps = RB_INITIALIZER(&vrps){ ((void*)0) };
struct brk_tree  brks = RB_INITIALIZER(&brks){ ((void*)0) };
struct rusage	ru;
struct timeval	start_time, now_time;

gettimeofday(&start_time, NULL((void*)0));

/* If started as root, priv-drop to _rpki-client */
if (getuid() == 0) {
struct passwd *pw;

pw = getpwnam("_rpki-client");
if (!pw)
	errx(1, "no _rpki-client user to revoke to");
if (setgroups(1, &pw->pw_gid) == -1 ||
    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
	err(1, "unable to revoke privs");
}
cachedir = RPKI_PATH_BASE_DIR"/var/cache/rpki-client";
outputdir = RPKI_PATH_OUT_DIR"/var/db/rpki-client";
repo_timeout = timeout / 4;

if (pledge("stdio rpath wpath cpath inet fattr dns sendfd recvfd "
   "proc exec unveil", NULL((void*)0)) == -1)
err(1, "pledge");

while ((c = getopt(argc, argv, "b:Bcd:e:f:jnorRs:t:T:vV")) != -1)
switch (c) {
case 'b':
	bind_addr = optarg;
	break;
case 'B':
	outformats |= FORMAT_BIRD0x02;
	break;
case 'c':
	outformats |= FORMAT_CSV0x04;
	break;
case 'd':
	cachedir = optarg;
	break;
case 'e':
	rsync_prog = optarg;
	break;
case 'f':
	file = optarg;
	noop = 1;
	break;
case 'j':
	outformats |= FORMAT_JSON0x08;
	break;
case 'n':
	noop = 1;
	break;
case 'o':
	outformats |= FORMAT_OPENBGPD0x01;
	break;
case 'R':
	rrdpon = 0;
	break;
case 'r':
	rrdpon = 1;
	break;
case 's':
	timeout = strtonum(optarg, 0, 24*60*60, &errs);
	if (errs)
		errx(1, "-s: %s", errs);
	if (timeout == 0)
		repo_timeout = 24*60*60;
	else if (timeout < 1)
		errx(1, "-s: %i too small", timeout);
	else
		repo_timeout = timeout / 4;
	break;
case 't':
	if (talsz >= TALSZ_MAX8)
		err(1,
		    "too many tal files specified");
	tals[talsz++] = optarg;
	break;
case 'T':
	bird_tablename = optarg;
	break;
case 'v':
	verbose++;
	break;
case 'V':
	fprintf(stderr(&__sF[2]), "rpki-client %s\n", RPKI_VERSION"7.5");
	return 0;
default:
	goto usage;
}

argv += optind;
argc -= optind;
if (argc == 1)
outputdir = argv[0];
else if (argc > 1)
goto usage;

signal(SIGPIPE13, SIG_IGN(void (*)(int))1);

if (cachedir == NULL((void*)0)) {
warnx("cache directory required");
goto usage;
}
if (outputdir == NULL((void*)0)) {
warnx("output directory required");
goto usage;
}

if ((cachefd = open(cachedir, O_RDONLY0x0000 | O_DIRECTORY0x20000)) == -1)
err(1, "cache directory %s", cachedir);
if ((outdirfd = open(outputdir, O_RDONLY0x0000 | O_DIRECTORY0x20000)) == -1)
err(1, "output directory %s", outputdir);

check_fs_size(cachefd, cachedir);

if (outformats == 0)
outformats = FORMAT_OPENBGPD0x01;

if (talsz == 0)
talsz = tal_load_default();
if (talsz == 0)
err(1, "no TAL files found in %s", "/etc/rpki");

/*
* Create the file reader as a jailed child process.
* It will be responsible for reading all of the files (ROAs,
* manifests, certificates, etc.) and returning contents.
*/

if (socketpair(AF_UNIX1, fl, 0, fd) == -1)
err(1, "socketpair");
if ((procpid = fork()) == -1)
err(1, "fork");

if (procpid == 0) {
close(fd[1]);

setproctitle("parser");
/* change working directory to the cache directory */
if (fchdir(cachefd) == -1)
	err(1, "fchdir");

if (timeout)
	alarm(timeout);

/* Only allow access to the cache directory. */
if (unveil(".", "r") == -1)
	err(1, "%s: unveil", cachedir);
if (pledge("stdio rpath", NULL((void*)0)) == -1)
	err(1, "pledge");
proc_parser(fd[0]);
errx(1, "parser process returned");
}

close(fd[0]);
proc = fd[1];

/*
* Create a process that will do the rsync'ing.
* This process is responsible for making sure that all the
* repositories referenced by a certificate manifest (or the
* TAL) exists and has been downloaded.
*/

if (!noop) {
if (socketpair(AF_UNIX1, fl, 0, fd) == -1)
	err(1, "socketpair");
if ((rsyncpid = fork()) == -1)
	err(1, "fork");

if (rsyncpid == 0) {
	close(proc);
	close(fd[1]);

	setproctitle("rsync");
	/* change working directory to the cache directory */
	if (fchdir(cachefd) == -1)
		err(1, "fchdir");

	if (timeout)
		alarm(timeout);

	if (pledge("stdio rpath proc exec unveil", NULL((void*)0)) == -1)
		err(1, "pledge");

	proc_rsync(rsync_prog, bind_addr, fd[0]);
	errx(1, "rsync process returned");
}

close(fd[0]);
rsync = fd[1];
} else {
rsync = -1;
rsyncpid = -1;
}

/*
* Create a process that will fetch data via https.
* With every request the http process receives a file descriptor
* where the data should be written to.
*/

if (!noop) {
if (socketpair(AF_UNIX1, fl, 0, fd) == -1)
	err(1, "socketpair");
if ((httppid = fork()) == -1)
	err(1, "fork");

if (httppid == 0) {
	close(proc);
	close(rsync);
	close(fd[1]);

	setproctitle("http");
	/* change working directory to the cache directory */
	if (fchdir(cachefd) == -1)
		err(1, "fchdir");

	if (timeout)
		alarm(timeout);

	if (pledge("stdio rpath inet dns recvfd", NULL((void*)0)) == -1)
		err(1, "pledge");

	proc_http(bind_addr, fd[0]);
	errx(1, "http process returned");
}

close(fd[0]);
http = fd[1];
} else {
http = -1;
httppid = -1;
}

/*
* Create a process that will process RRDP.
* The rrdp process requires the http process to fetch the various
* XML files and does this via the main process.
*/

if (!noop && rrdpon) {
if (socketpair(AF_UNIX1, fl, 0, fd) == -1)
	err(1, "socketpair");
if ((rrdppid = fork()) == -1)
	err(1, "fork");

if (rrdppid == 0) {
	close(proc);
	close(rsync);
	close(http);
	close(fd[1]);

	setproctitle("rrdp");
	/* change working directory to the cache directory */
	if (fchdir(cachefd) == -1)
		err(1, "fchdir");

	if (timeout)
		alarm(timeout);

	if (pledge("stdio recvfd", NULL((void*)0)) == -1)
		err(1, "pledge");

	proc_rrdp(fd[0]);
	/* NOTREACHED */
}

close(fd[0]);
rrdp = fd[1];
} else {
rrdp = -1;
rrdppid = -1;
}

if (timeout) {
/*
 * Commit suicide eventually
 * cron will normally start a new one
 */
alarm(timeout);
signal(SIGALRM14, suicide);
}

/* TODO unveil cachedir and outputdir, no other access allowed */
if (pledge("stdio rpath wpath cpath fattr sendfd", NULL((void*)0)) == -1)
err(1, "pledge");

msgbuf_init(&procq);
msgbuf_init(&rsyncq);
msgbuf_init(&httpq);
msgbuf_init(&rrdpq);
procq.fd = proc;
rsyncq.fd = rsync;
httpq.fd = http;
rrdpq.fd = rrdp;

/*
* The main process drives the top-down scan to leaf ROAs using
* data downloaded by the rsync process and parsed by the
* parsing process.
*/

pfd[0].fd = proc;
queues[0] = &procq;
pfd[1].fd = rsync;
queues[1] = &rsyncq;
pfd[2].fd = http;
queues[2] = &httpq;
pfd[3].fd = rrdp;
queues[3] = &rrdpq;

/*
* Prime the process with our TAL file.
* This will contain (hopefully) links to our manifest and we
* can get the ball rolling.
*/

for (i = 0; i < talsz; i++)
queue_add_tal(tals[i], i);

/* change working directory to the cache directory */
if (fchdir(cachefd) == -1)
err(1, "fchdir");

while (entity_queue > 0 && !killme) {
int polltim;

for (i = 0; i < NPFD4; i++) {
	pfd[i].events = POLLIN0x0001;
	if (queues[i]->queued)
		pfd[i].events |= POLLOUT0x0004;
}

polltim = repo_next_timeout(INFTIM(-1));

if ((c = poll(pfd, NPFD4, polltim)) == -1) {
	if (errno(*__errno()) == EINTR4)
		continue;
	err(1, "poll");
}

for (i = 0; i < NPFD4; i++) {
	if (pfd[i].revents & (POLLERR0x0008|POLLNVAL0x0020)) {
		warnx("poll[%zu]: bad fd", i);
		hangup = 1;
	}
	if (pfd[i].revents & POLLHUP0x0010)
		hangup = 1;
	if (pfd[i].revents & POLLOUT0x0004) {
		switch (msgbuf_write(queues[i])) {
		case 0:
			warnx("write[%zu]: "
			    "connection closed", i);
			hangup = 1;
			break;
		case -1:
			warn("write[%zu]", i);
			hangup = 1;
			break;
		}
	}
}
if (hangup)
	break;

repo_check_timeout();

/*
 * Check the rsync and http process.
 * This means that one of our modules has completed
 * downloading and we can flush the module requests into
 * the parser process.
 */

if ((pfd[1].revents & POLLIN0x0001)) {
	b = io_buf_read(rsync, &rsyncbuf);
	if (b != NULL((void*)0)) {
		unsigned int id;
		int ok;

		io_read_buf(b, &id, sizeof(id));
		io_read_buf(b, &ok, sizeof(ok));
		rsync_finish(id, ok);
		ibuf_free(b);
	}
}

if ((pfd[2].revents & POLLIN0x0001)) {
	b = io_buf_read(http, &httpbuf);
	if (b != NULL((void*)0)) {
		unsigned int id;
		enum http_result res;
		char *last_mod;

		io_read_buf(b, &id, sizeof(id));
		io_read_buf(b, &res, sizeof(res));
		io_read_str(b, &last_mod);
		http_finish(id, res, last_mod);
		free(last_mod);
		ibuf_free(b);
	}
}

/*
 * Handle RRDP requests here.
 */
if ((pfd[3].revents & POLLIN0x0001)) {
	b = io_buf_read(rrdp, &rrdpbuf);
	if (b != NULL((void*)0)) {
		rrdp_process(b);
		ibuf_free(b);
	}
}

/*
 * The parser has finished something for us.
 * Dequeue these one by one.
 */

if ((pfd[0].revents & POLLIN0x0001)) {
	b = io_buf_read(proc, &procbuf);
	if (b != NULL((void*)0)) {
		entity_process(b, &stats, &vrps, &brks);
		ibuf_free(b);
	}
}
}

signal(SIGALRM14, SIG_DFL(void (*)(int))0);
if (killme) {
syslog(LOG_CRIT2|LOG_DAEMON(3<<3),
    "excessive runtime (%d seconds), giving up", timeout);
errx(1, "excessive runtime (%d seconds), giving up", timeout);
}

/*
* For clean-up, close the input for the parser and rsync
* process.
* This will cause them to exit, then we reap them.
*/

close(proc);
close(rsync);
close(http);
close(rrdp);

rc = 0;
for (;;) {
pid = waitpid(WAIT_ANY(-1), &st, 0);
if (pid == -1) {
	if (errno(*__errno()) == EINTR4)
		continue;
	if (errno(*__errno()) == ECHILD10)
		break;
	err(1, "wait");
}

if (pid == procpid)
	name = "parser";
else if (pid == rsyncpid)
	name = "rsync";
else if (pid == httppid)
	name = "http";
else if (pid == rrdppid)
	name = "rrdp";
else
	name = "unknown";

if (WIFSIGNALED(st)(((st) & 0177) != 0177 && ((st) & 0177) != 0)) {
	warnx("%s terminated signal %d", name, WTERMSIG(st)(((st) & 0177)));
	rc = 1;
} else if (!WIFEXITED(st)(((st) & 0177) == 0) || WEXITSTATUS(st)(int)(((unsigned)(st) >> 8) & 0xff) != 0) {
	warnx("%s process exited abnormally", name);
	rc = 1;
}
}

/* processing did not finish because of error */
if (entity_queue != 0)
errx(1, "not all files processed, giving up");

logx("all files parsed: generating output");

repo_cleanup(&fpt);

gettimeofday(&now_time, NULL((void*)0));
timersub(&now_time, &start_time, &stats.elapsed_time)do { (&stats.elapsed_time)->tv_sec = (&now_time)->
tv_sec - (&start_time)->tv_sec; (&stats.elapsed_time
)->tv_usec = (&now_time)->tv_usec - (&start_time
)->tv_usec; if ((&stats.elapsed_time)->tv_usec <
 0) { (&stats.elapsed_time)->tv_sec--; (&stats.elapsed_time
)->tv_usec += 1000000; } } while (0);
if (getrusage(RUSAGE_SELF0, &ru) == 0) {
stats.user_time = ru.ru_utime;
stats.system_time = ru.ru_stime;
}
if (getrusage(RUSAGE_CHILDREN(-1), &ru) == 0) {
timeradd(&stats.user_time, &ru.ru_utime, &stats.user_time)do { (&stats.user_time)->tv_sec = (&stats.user_time
)->tv_sec + (&ru.ru_utime)->tv_sec; (&stats.user_time
)->tv_usec = (&stats.user_time)->tv_usec + (&ru
.ru_utime)->tv_usec; if ((&stats.user_time)->tv_usec
 >= 1000000) { (&stats.user_time)->tv_sec++; (&
stats.user_time)->tv_usec -= 1000000; } } while (0);
timeradd(&stats.system_time, &ru.ru_stime, &stats.system_time)do { (&stats.system_time)->tv_sec = (&stats.system_time
)->tv_sec + (&ru.ru_stime)->tv_sec; (&stats.system_time
)->tv_usec = (&stats.system_time)->tv_usec + (&
ru.ru_stime)->tv_usec; if ((&stats.system_time)->tv_usec
 >= 1000000) { (&stats.system_time)->tv_sec++; (&
stats.system_time)->tv_usec -= 1000000; } } while (0);
}

/* change working directory to the output directory */
if (fchdir(outdirfd) == -1)
err(1, "fchdir output dir");

if (outputfiles(&vrps, &brks, &stats))
rc = 1;

logx("Processing time %lld seconds "
   "(%lld seconds user, %lld seconds system)",
   (long long)stats.elapsed_time.tv_sec,
   (long long)stats.user_time.tv_sec,
   (long long)stats.system_time.tv_sec);
logx("Route Origin Authorizations: %zu (%zu failed parse, %zu invalid)",
   stats.roas, stats.roas_fail, stats.roas_invalid);
logx("BGPsec Router Certificates: %zu", stats.brks);
logx("Certificates: %zu (%zu invalid)",
   stats.certs, stats.certs_fail);
logx("Trust Anchor Locators: %zu (%zu invalid)",
   stats.tals, talsz - stats.tals);
logx("Manifests: %zu (%zu failed parse, %zu stale)",
   stats.mfts, stats.mfts_fail, stats.mfts_stale);
logx("Certificate revocation lists: %zu", stats.crls);
logx("Ghostbuster records: %zu", stats.gbrs);
logx("Repositories: %zu", stats.repos);
logx("Cleanup: removed %zu files, %zu directories",
   stats.del_files, stats.del_dirs);
logx("VRP Entries: %zu (%zu unique)", stats.vrps, stats.uniqs);

/* Memory cleanup. */
repo_free();

return rc;

1254usage:
fprintf(stderr(&__sF[2]),
   "usage: rpki-client [-BcjnoRrVv] [-b sourceaddr] [-d cachedir]"
   " [-e rsync_prog]\n"
   "                   [-s timeout] [-T table] [-t tal]"
   " [outputdir]\n");
return 1;
1261}