
Releases: NICMx/FORT-validator

v1.1.1

31 Oct 18:20
v1.1.1
8005195

This release includes bug fixes and minor updates.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.1.0:

  • Bug fixes

    • Validate the output.bgpsec path: check that it is writable during configuration checks.
    • Fix bad PDU exchange when the ROAs/Router Keys DB was empty: an End of Data PDU was being sent when a Reset Query PDU was received.
  • Updates

    • Add missing validation from RFC 7935 section 3 (subjectPublicKey modulus and exponent).
    • Use type blksize_t (<sys/types.h>) instead of __blksize_t (<bits/types.h>) to avoid a specific compilation error on Alpine Linux.

v1.1.0

14 Oct 21:25
v1.1.0
06b5512

The main updates in this release are RTR version 1 support and improved execution time.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.0.0:

  • Updates

    • Create a thread to rsync and validate each TAL, trying to improve execution time.
    • Support RTR version 1:
      • RTR version negotiation.
      • Validate version during PDU exchange.
      • Implement new PDU error "Unexpected Protocol Version".
      • Implement new PDU type "Router Key".
      • Add timing parameters to "End of Data PDU".
    • Support BGPsec EE certificates (validate and consider for deltas) according to RFCs 8209 and 8608.
    • Update configuration parameters:
      • Rename server.validation-interval to server.interval.validation.
      • Add server.interval.refresh, server.interval.retry, and server.interval.expire arguments for use in the RTR version 1 "End of Data PDU".
      • Add output.bgpsec (similar to output.roa) to print valid Router Keys; the information is printed as base64url-encoded strings.
    • Support BGPsec filters and assertions in SLURM files.
    • Use syslog when running in server mode; print to the console otherwise.
    • Update unit tests.
  • Docs

    • Indicate full RFC 8209 compliance.
    • Add RFC compliance (they were missing): 6810, 8210, 8416, 8608, and 8630.
    • Update SLURM module with BGPsec assertions and filters support, as well as some examples.
    • Update Usage module:
      • Rename to "Program Arguments".
      • Updated configuration property (server.validation-interval is now server.interval.validation).
      • New properties (server.interval.refresh, server.interval.retry, server.interval.expire, and output.bgpsec).
      • Show which output.roa headers are printed.
    • Use the same layout on the home (landing) page to avoid multiple clicks to reach the docs.
    • Use a similar configuration file as the example in the web docs and the user man.
    • Add Logging module to explain how the logs work.
    • Update root README with basic information about the project.
    • Update user man: indicate RTR version 1 support, and add the same updates as in the web docs.

v1.0.0

26 Aug 20:56
v1.0.0
015219e

This is the first official release!

The public key to verify the tarball is here (it isn't certified yet).

Changes since v0.0.2:

  • Bug fixes

    • Solved issue #11 "ROAs, MFTs and CAs created with revoked certs are valids".
    • Solved issue #12 "Programming error when a ROA without prefixes is validated".
    • Solved issue #13 "Wrong "serial number X is not unique" error is displayed when an MFT expired error happens".
    • Solved issue #14 "FORT using server mode cannot be interrupted on OpenBSD with SIGINT signal (Control+C)".
    • The whole set of multiple SLURM files wasn't rejected in overlap cases (RFC 8416 section 4.2).
    • Validate "server.port" numeric value, since the function "getaddrinfo" is a bit lax with numeric values (it takes into account only the 16 rightmost bits).
    • Log the configured "server.address" instead of always logging "any" as the server address.
    • Validate "output.roa" file path at initialization.
    • LibreSSL couldn't decode base64 text with line breaks where at least one line had more than 80 chars.
    • Remove invalid memory release when a TAL wasn't successfully loaded.
    • Some files needed by the unit tests were not being exported.
    • Join each client thread when the connection is terminated.
    • Avoid memory leak caused by X509_VERIFY_PARAM.
    • Patch bad initialization of CRL stack.
    • SLURM filters weren't correctly applied when both an ASN and a prefix were set; only the ASN was taken into account to filter VRPs.
    • SLURM filters of covering prefixes were ignored; e.g. if a prefix X covered ROA prefix Y, the ROA prefix wasn't filtered.
  • Updates

    • In case of a SLURM error, log the JSON element with the error instead of logging the element number.
    • Log a warning when a configuration path ("slurm", "tal") contains 0 expected files (extensions ".slurm", ".tal").
    • Configuration property "maximum-certificate-depth" now has a minimum allowed value of 5 to allow a regular validation using RIR TALs.
    • The incidence "Signed Object's hash algorithm has NULL object as parameters" now has the ID "incid-hashalg-has-params", and by default it has an action of "ignore".
    • Update information displayed by "--help" at "--tal" and "--slurm" flags.
    • Show ROA eContent in debug mode.
    • Retry file download when there's an error related to a manifest file.
    • Set compiler optimization level ("-O") from "0" to "2".
    • Display RTR server info when successfully bound.
    • Log property name on value error (for unsigned integer values).
    • Remove compile warning '_BSD_SOURCE and _SVID_SOURCE are deprecated'.
    • Log custom incidences on initialization.
  • Docs

    • Indicate current support for 64-bit OSs. 32-bit architectures MAY present the Year 2038 problem.
    • Add installation steps for: CentOS 7, Fedora 30, openSUSE Leap, FreeBSD 12, Slackware current release (as of 2019-08-12).
    • Add minimum required dependency versions: OpenSSL >= 1.1.0, GCC >= 4.9.
    • Update incidences section: the registered incidence now has a distinct ID and a default action of "ignore".
    • Update link to "UINT_MAX" definition at usage section.
    • Use path "/tmp/fort/" in multiple examples (man, web docs).
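
The "server.port" fix listed under Bug fixes above concerns a numeric port being reduced to its 16 rightmost bits, so an out-of-range value silently becomes a different port. The following is an added example, not FORT's own code: `parse_port` and `truncated_port` are hypothetical helpers, and the accepted range 1..65535 is an assumption.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The port that results when only the 16 rightmost bits are kept. */
uint16_t truncated_port(unsigned long value)
{
	return (uint16_t)(value & 0xFFFFu);
}

/*
 * Strict parser (hypothetical helper): accepts decimal digits only, with a
 * value in 1..65535 (assumed range). Returns the port, or -1 on rejection.
 */
long parse_port(const char *text)
{
	char *end;
	unsigned long value;

	/* strtoul() alone would accept leading blanks and a sign. */
	if (text == NULL || !isdigit((unsigned char)text[0]))
		return -1;

	errno = 0;
	value = strtoul(text, &end, 10);
	if (errno == ERANGE || *end != '\0')
		return -1; /* overflow, or trailing characters such as "80x" */
	if (value < 1 || value > 65535)
		return -1; /* out of range: would otherwise be truncated */

	return (long)value;
}

int main(void)
{
	/* Constructed sample inputs. */
	const char *samples[] = { "323", "65616", "80x", "-1", "0" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-6s -> %ld\n", samples[i], parse_port(samples[i]));
	printf("65616 truncated to 16 bits -> %u\n",
	    (unsigned)truncated_port(65616UL));
	return 0;
}
```

Without the range check, a configured value of 65616 would end up as port 80, which is why the value has to be validated before it reaches the resolver.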

beta2

15 Jun 00:50
v0.0.2
d8d7d7f

Second beta