Diffstat (limited to 'rpkid')
-rw-r--r-- | rpkid/rpki/http.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/irdbd.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/left_right.py | 8 | ||||
-rw-r--r-- | rpkid/rpki/log.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/pubd.py | 4 | ||||
-rw-r--r-- | rpkid/rpki/rootd.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/rpkid.py | 4 | ||||
-rw-r--r-- | rpkid/rpki/x509.py | 11 | ||||
-rw-r--r-- | rpkid/tests/smoketest.py | 4 |
9 files changed, 21 insertions, 18 deletions
diff --git a/rpkid/rpki/http.py b/rpkid/rpki/http.py
index d7690988..f505f72c 100644
--- a/rpkid/rpki/http.py
+++ b/rpkid/rpki/http.py
@@ -1051,7 +1051,7 @@ class caller(object):
 try:
 r_cms = self.proto.cms_msg(DER = r_der)
 r_msg = r_cms.unwrap((self.server_ta, self.server_cert))
- self.cms_timestamp = r_cms.check_replay(self.cms_timestamp)
+ self.cms_timestamp = r_cms.check_replay(self.cms_timestamp, self.url)
 if self.debug:
 print "<!-- Reply -->"
 print r_cms.pretty_print_content()
diff --git a/rpkid/rpki/irdbd.py b/rpkid/rpki/irdbd.py
index d67027ff..4e9c6b5c 100644
--- a/rpkid/rpki/irdbd.py
+++ b/rpkid/rpki/irdbd.py
@@ -112,7 +112,7 @@ class main(object):
 try:
 q_cms = rpki.left_right.cms_msg(DER = query)
 q_msg = q_cms.unwrap((serverCA.certificate, rpkid.certificate))
- self.cms_timestamp = q_cms.check_replay(self.cms_timestamp)
+ self.cms_timestamp = q_cms.check_replay(self.cms_timestamp, path)
 if not isinstance(q_msg, rpki.left_right.msg) or not q_msg.is_query():
 raise rpki.exceptions.BadQuery("Unexpected %r PDU" % q_msg)
 for q_pdu in q_msg:
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 100e57d2..bb4c66a6 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -551,7 +551,7 @@ class repository_elt(data_elt):
 rpki.log.debug("Received response from pubd")
 r_cms = rpki.publication.cms_msg(DER = r_der)
 r_msg = r_cms.unwrap(bpki_ta_path)
- r_cms.check_replay_sql(self)
+ r_cms.check_replay_sql(self, self.peer_contact_uri)
 for r_pdu in r_msg:
 handler = handlers.get(r_pdu.tag, self.default_pubd_handler)
 if handler:
@@ -809,7 +809,7 @@ class parent_elt(data_elt):
 self.self.bpki_glue,
 self.bpki_cms_cert,
 self.bpki_cms_glue))
- r_cms.check_replay_sql(self)
+ r_cms.check_replay_sql(self, self.peer_contact_uri)
 r_msg.payload.check_response()
 except (SystemExit, rpki.async.ExitNow):
 raise
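Review bot: In the irdbd.py hunk the new context argument is `path`, which looks like the path of the incoming request rather than a configured peer name, and it is copied verbatim into the CMSReplay message assembled in x509.py. The unwrap() call on the line above authenticates the CMS body, but presumably not the URL path, so that part of the log text would be chosen by the sender. Formatting context items with `%r` where the message is built, or passing a fixed label as pubd.py does with `"control"`, keeps control characters out of log lines. The same applies to the `path` arguments in the rootd.py hunk and the second rpkid.py hunk. The enclosing handler starts and ends outside the hunk, so how `path` is derived is not visible here.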
@@ -946,9 +946,9 @@ class child_elt(data_elt): self.self.bpki_glue, self.bpki_cert, self.bpki_glue)) - q_cms.check_replay_sql(self) + q_cms.check_replay_sql(self, "child", self.child_handle) q_msg.payload.gctx = self.gctx - if enforce_strict_up_down_xml_sender and q_msg.sender != str(self.child_id): + if enforce_strict_up_down_xml_sender and q_msg.sender != self.child_handle: raise rpki.exceptions.BadSender, "Unexpected XML sender %s" % q_msg.sender self.gctx.sql.sweep() diff --git a/rpkid/rpki/log.py b/rpkid/rpki/log.py index 38642999..adc85585 100644 --- a/rpkid/rpki/log.py +++ b/rpkid/rpki/log.py @@ -58,7 +58,7 @@ show_python_ids = False # Whether tracebacks are enabled globally. Individual classes and # modules may choose to override this. -enable_tracebacks = True +enable_tracebacks = False ## @var use_setproctitle # Whether to use setproctitle (if available) to change name shown for diff --git a/rpkid/rpki/pubd.py b/rpkid/rpki/pubd.py index b026bfff..a5e0781f 100644 --- a/rpkid/rpki/pubd.py +++ b/rpkid/rpki/pubd.py @@ -147,9 +147,9 @@ class main(object): q_cms = rpki.publication.cms_msg(DER = query) q_msg = q_cms.unwrap(certs) if client is None: - self.irbe_cms_timestamp = q_cms.check_replay(self.irbe_cms_timestamp) + self.irbe_cms_timestamp = q_cms.check_replay(self.irbe_cms_timestamp, "control") else: - q_cms.check_replay_sql(client) + q_cms.check_replay_sql(client, client.client_handle) q_msg.serve_top_level(self, client, done) def control_handler(self, query, path, cb): diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py index a74194ea..a686235d 100644 --- a/rpkid/rpki/rootd.py +++ b/rpkid/rpki/rootd.py @@ -267,7 +267,7 @@ class main(object): try: q_cms = cms_msg(DER = query) q_msg = q_cms.unwrap((self.bpki_ta, self.child_bpki_cert)) - self.cms_timestamp = q_cms.check_replay(self.cms_timestamp) + self.cms_timestamp = q_cms.check_replay(self.cms_timestamp, path) except (rpki.async.ExitNow, SystemExit): raise except Exception, e: 
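Review bot: The second changed line in the child_elt hunk alters an enforcement check rather than a diagnostic: the `enforce_strict_up_down_xml_sender` comparison moves from `str(self.child_id)` to `self.child_handle`, so the sender value a child must present changes. That deserves a comment at the check, for example `# sender must equal child_handle (previously the numeric child_id)`, so the change is not read as part of the replay-logging work. The BadSender text would also be easier to triage with both values, `"Unexpected XML sender %r, expected %r" % (q_msg.sender, self.child_handle)`, which also quotes the peer-supplied string. The enclosing method starts and ends outside the hunk.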
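Review bot: In the log.py hunk the global default `enable_tracebacks` flips to False, but the comment above it still only says what the flag is, not what the default is or when to change it. With tracebacks off, the exception text is presumably all that reaches the log when CMS validation or a replay check fails, so the default matters for incident triage. Suggest extending the comment with `# Off by default; set to True when debugging to get full tracebacks in the log.`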
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py index 0a3e9675..ce815345 100644 --- a/rpkid/rpki/rpkid.py +++ b/rpkid/rpki/rpkid.py @@ -198,7 +198,7 @@ class main(object): def unwrap(r_der): r_cms = rpki.left_right.cms_msg(DER = r_der) r_msg = r_cms.unwrap((self.bpki_ta, self.irdb_cert)) - self.irdbd_cms_timestamp = r_cms.check_replay(self.irdbd_cms_timestamp) + self.irdbd_cms_timestamp = r_cms.check_replay(self.irdbd_cms_timestamp, self.irdb_url) if not r_msg.is_reply() or not all(type(r_pdu) in q_types for r_pdu in r_msg): raise rpki.exceptions.BadIRDBReply( "Unexpected response to IRDB query: %s" % r_cms.pretty_print_content()) @@ -280,7 +280,7 @@ class main(object): try: q_cms = rpki.left_right.cms_msg(DER = query) q_msg = q_cms.unwrap((self.bpki_ta, self.irbe_cert)) - self.irbe_cms_timestamp = q_cms.check_replay(self.irbe_cms_timestamp) + self.irbe_cms_timestamp = q_cms.check_replay(self.irbe_cms_timestamp, path) if not q_msg.is_query(): raise rpki.exceptions.BadQuery, "Message type is not query" q_msg.serve_top_level(self, done) diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py index 9befb320..7ab89e83 100644 --- a/rpkid/rpki/x509.py +++ b/rpkid/rpki/x509.py @@ -1674,7 +1674,7 @@ class XML_CMS_object(Wrapped_CMS_object): else: return self.saxify(self.get_content()) # pylint: disable=E1102 - def check_replay(self, timestamp): + def check_replay(self, timestamp, *context): """ Check CMS signing-time in this object against a recorded timestamp. Raises an exception if the recorded timestamp is more 
@@ -1682,17 +1682,20 @@ class XML_CMS_object(Wrapped_CMS_object): """ new_timestamp = self.get_signingTime() if timestamp is not None and timestamp > new_timestamp: + if context: + context = " (" + " ".join(context) + ")" raise rpki.exceptions.CMSReplay( - "CMS replay: last message %s, this message %s" % (timestamp, new_timestamp)) + "CMS replay: last message %s, this message %s%s" % ( + timestamp, new_timestamp, context)) return new_timestamp - def check_replay_sql(self, obj): + def check_replay_sql(self, obj, *context): """ Like .check_replay() but gets recorded timestamp from "last_cms_timestamp" field of an SQL object and stores the new timestamp back in that same field. """ - obj.last_cms_timestamp = self.check_replay(obj.last_cms_timestamp) + obj.last_cms_timestamp = self.check_replay(obj.last_cms_timestamp, *context) obj.sql_mark_dirty() ## @var saxify diff --git a/rpkid/tests/smoketest.py b/rpkid/tests/smoketest.py index 33f73091..b3ad008a 100644 --- a/rpkid/tests/smoketest.py +++ b/rpkid/tests/smoketest.py @@ -850,7 +850,7 @@ class allocation(object): rpki.log.info("Callback from rpkid %s" % self.name) r_cms = rpki.left_right.cms_msg(DER = r_der) r_msg = r_cms.unwrap((self.rpkid_ta, self.rpkid_cert)) - self.last_cms_time = r_cms.check_replay(self.last_cms_time) + self.last_cms_time = r_cms.check_replay(self.last_cms_time, q_url) rpki.log.debug(r_cms.pretty_print_content()) assert r_msg.is_reply for r_pdu in r_msg: @@ -1254,7 +1254,7 @@ def call_pubd(pdus, cb): global pubd_last_cms_time r_cms = rpki.publication.cms_msg(DER = r_der) r_msg = r_cms.unwrap((pubd_ta, pubd_pubd_cert)) - pubd_last_cms_time = r_cms.check_replay(pubd_last_cms_time) + pubd_last_cms_time = r_cms.check_replay(pubd_last_cms_time, q_url) rpki.log.debug(r_cms.pretty_print_content()) assert r_msg.is_reply for r_pdu in r_msg: |
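Review bot: In check_replay, `context` is only rewritten when it is non-empty, so a call without context formats the empty tuple and the message ends in `()`; the join also raises TypeError instead of CMSReplay if any context item is not a string. One line covers both: `context = " (" + " ".join(str(c) for c in context) + ")" if context else ""`. Separately, the comparison `timestamp > new_timestamp` accepts a message whose signing-time equals the recorded one, so a verbatim resend of the most recent message passes this check. If that is intentional because signing-time has coarse resolution, a comment saying so would help. check_replay's docstring begins above the hunk.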