CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/09/19 07:45:07
Modified files: usr.sbin/rpki-client: version.h
Log message:
Move rpki-client to 9.3
requested by tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/09/18 04:22:36
Modified files: usr.bin/rsync: blocks.c
Log message:
Fix a memory leak
Found by Martin Cracauer
"look right" tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/09/04 09:46:43
Modified files: usr.sbin/rpki-client: main.c rpki-client.8
Log message:
Remove deprecated '-r' command line option
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/09/03 09:04:48
Modified files: usr.sbin/rpki-client: main.c output-json.c output-ometric.c
Log message:
Also gate SPL statistics behind 'experimental' command line option
This changes the JSON output: without -x some keys are missing from 'metadata'.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/09/02 05:56:22
Modified files: usr.sbin/rpki-client: rrdp.c
Log message:
Increase number of concurrent RRDP session handler slots
OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/08/29 03:54:13
Modified files: usr.sbin/rpki-client: repo.c
Log message:
Improve warning message
Requested by claudio@
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/08/29 03:53:04
Modified files: usr.sbin/rpki-client: extern.h repo.c
Log message:
Periodically reinitialize RRDP sessions to snapshot at random intervals

It is technically possible for a series of RRDP deltas and a snapshot to diverge. An RRDP server could distribute files via Deltas and then forget about those files, causing copies to remain stuck in the caches of RRDP clients. Resetting RRDP sessions once every few weeks helps with garbage collection.

In week 0 the probability of triggering re-initialization is ~0.025% and doubles every week; in week 11 it's 50% and always after week 12. Thus, RPs will reinitialize at least once every 3 months.
OK tb@ claudio@
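The schedule the message describes, written out as an added example rather than rpki-client's own code: the 12-week horizon, the power-of-two draw, and all function names are assumptions made here, but the resulting probabilities match the ones stated (1/4096 in week 0, doubling weekly, 1/2 in week 11, forced from week 12).

```c
/*
 * Added example (not rpki-client's own code): week-based RRDP session
 * re-initialization as a deterministic decision function, so the policy
 * can be checked without randomness.
 *
 * Reset probability by session age:
 *   week 0  -> 1/4096 (~0.024%)
 *   week 1  -> 1/2048 (doubles every week)
 *   week 11 -> 1/2    (50%)
 *   week 12 and later -> 1 (always)
 * Equivalently: reset iff a uniform draw in [0, 2^(12 - week)) is zero.
 */
#include <stdint.h>
#include <stdio.h>

#define REINIT_WEEKS 12	/* assumption: week at which a reset is forced */
#define SECS_PER_WEEK (7 * 24 * 60 * 60)

/* Number of equally likely outcomes, exactly one of which triggers a reset. */
uint32_t
rrdp_reinit_range(unsigned week)
{
	if (week >= REINIT_WEEKS)
		return 1;	/* 1 in 1: always reset */
	return (uint32_t)1 << (REINIT_WEEKS - week);
}

/* Reset probability as a double, for logging and sanity checks. */
double
rrdp_reinit_probability(unsigned week)
{
	return 1.0 / rrdp_reinit_range(week);
}

/*
 * Decide from an externally supplied random draw. 'draw' is expected to be
 * uniform over the full uint32_t range (arc4random() on OpenBSD); because
 * the range is a power of two, 'draw % range' stays uniform.
 */
int
rrdp_should_reinit(unsigned week, uint32_t draw)
{
	return draw % rrdp_reinit_range(week) == 0;
}

/* Session age in whole weeks from its creation time and the current time. */
unsigned
rrdp_session_week(int64_t session_created, int64_t now)
{
	if (now <= session_created)
		return 0;
	return (unsigned)((now - session_created) / SECS_PER_WEEK);
}

int
main(void)
{
	unsigned w;

	for (w = 0; w <= 13; w++)
		printf("week %2u: reset probability %.4f%%\n", w,
		    100.0 * rrdp_reinit_probability(w));
	return 0;
}
```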
CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/08/21 13:35:31
Modified files: usr.sbin/rpki-client: extern.h
Log message:
Increase maximum Signed Object size to 8MB
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/08/20 06:53:47
Modified files: usr.sbin/rpki-client: rpki-client.8
Log message:
Update Geofeed reference
RFC 9632 introduced additional constraints and requirements for RPKI-based Geofeed authenticators (at my request).

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/08/19 06:44:33
Modified files: usr.sbin/rpki-client: version.h
Log message:
Prepare for releasing version 9.2

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/08/15 05:30:43
Modified files: usr.sbin/rpki-client: repo.c
Log message:
Ensure synchronization jobs are stopped when the timeout is reached
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/08/12 09:34:59
Modified files: usr.bin/openssl: cms.c openssl.1
Log message:
Add -CRLfile option to 'cms' sub command
This option allows verifying certs in a CMS object against additional CRLs.
Ported from work by Tom Harrison from APNIC
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/07/24 13:28:37
Modified files: etc/examples: bgpd.conf
Log message:
Add 5f00::/16 segment routing SRv6 SIDs prefix to example bogon list
"In SRv6, SR source nodes initiate packets with a segment identifier in the Destination Address of the IPv6 header, and SR segment endpoint nodes process a local segment present in the Destination Address of an IPv6 header."
https://www.iana.org/assignments/iana-ipv6-special-registry/
https://datatracker.ietf.org/doc/html/draft-ietf-6man-sids
OK phessler@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/07/24 12:56:57
Modified files: etc/examples: bgpd.conf
Log message:
3fff::/20 has been set aside as an additional documentation prefix
Per https://www.iana.org/assignments/iana-ipv6-special-registry/ and https://datatracker.ietf.org/doc/html/draft-ietf-v6ops-rfc3849-update
OK phessler@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/07/03 02:39:43
Modified files: usr.sbin/bgpd: util.c
Log message:
Fix typo
Reported by Marco D'Itri

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/06/20 14:15:02
Modified files: usr.sbin/rpki-client: rpki-client.8
Log message:
Add missing ref & reorder
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/06/16 12:33:56
Modified files: usr.bin/timeout: timeout.1
Log message:
Add note about timeout(1)'s standards compliance
OK jmc@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/06/16 12:33:06
Modified files: usr.bin/mandoc: st.c
Log message:
Add new argument for IEEE 1003.1-2024 aka POSIX.1
OK jmc@ schwarze@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/06/07 08:00:09
Modified files: lib/libcrypto/man: X509_cmp.3
Log message:
Align documentation with reality
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/06/07 05:48:05
Modified files: usr.sbin/rpki-client: parser.c
Log message:
Fine-tune the TA tiebreaker logic
Additional tiebreaker: prefer TA certificates with the narrower validity window
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/05/30 03:54:59
Modified files: usr.sbin/rpki-client: rrdp_delta.c rrdp_snapshot.c
Log message:
Increase logging verbosity as to what exactly hit a limit

rpki-client: https://testbed.krill.cloud/rrdp/notification.xml: pulling from network
rpki-client: https://testbed.krill.cloud/rrdp/notification.xml: downloading snapshot (bfb0a57e-d16b-44a1-9502-f15b4bc1ce1a#110135)
rpki-client: parse failed, snapshot element for rsync://testbed.krill.cloud/repo/testbed/0/DDAF321520EE4817D716FA047FC05FE2934204DB.crl too big
rpki-client: https://testbed.krill.cloud/rrdp/notification.xml: parse error at line 135: parsing aborted
rpki-client: https://testbed.krill.cloud/rrdp/notification.xml: load from network failed, fallback to rsync

OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/05/15 03:09:38
Modified files: usr.sbin/bgpd: bgpd.c session.c
Log message:
Mark RTR and IPv6 BGP packets with DSCP CS6 (network control)
Additionally, set TCP_NODELAY on the RTR socket; there is no need to queue up messages towards the RTR server.
OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/05/15 02:45:03
Modified files: usr.sbin/ospf6d: ospfe.c
Log message:
Mark network control packets with DSCP CS6 (parity with ospfd)
OK claudio@

CVS: cvs.openbsd.org: www
CVSROOT: /cvs   Module name: www   Changes by: j...@cvs.openbsd.org   2024/05/13 08:11:02
Modified files:
  .: ftp.html ftplist httpslist
  build: mirrors.dat
  openbgpd: ftp.html
  openntpd: portable.html
  openssh: ftp.html portable.html
  rpki-client: portable.html
Log message:
Add Cloudflare CDN mirror back into rotation
Was broken for a while because the TLS cert expired, and getting this cert renewed took a few days.

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/25 03:58:17
Modified files: usr.bin/vi/vi: vs_refresh.c
Log message:
Don't divide by zero (empty files)
While there, also increase buf[]
OK claudio@

CVS: cvs.openbsd.org: www
CVSROOT: /cvs   Module name: www   Changes by: j...@cvs.openbsd.org   2024/04/24 11:35:40
Modified files:
  .: ftp.html ftplist httpslist
  build: mirrors.dat
  openbgpd: ftp.html
  openntpd: portable.html
  openssh: ftp.html portable.html
  rpki-client: portable.html
Log message:
Remove CF mirror until we can unbreak it

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/24 09:15:40
Modified files: usr.bin/vi/docs/USD.doc/vi.man: vi.1; usr.bin/vi/vi: vs_refresh.c
Log message:
In ruler show the current line number as a percentage of the total lines
OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/21 03:03:22
Modified files: usr.sbin/rpki-client: cms.c x509.c
Log message:
Mandate presence of CMS signing-time and disallow binary-signing-time

RFC-to-be draft-ietf-sidrops-cms-signing-time updates RFC 6488 by mandating the presence of the CMS signing-time attribute and disallowing the use of the CMS binary-signing-time attribute in RPKI Signed Objects. The ecosystem has behaved this way for a number of years now.

Flip from warning to erroring for non-compliant objects.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/20 09:45:41
Modified files: usr.sbin/rpki-client: mft.c
Log message:
Display distinct errors for various problematic CRL/MFT situationships

RFC 6487 section 8 specifies only a single CRL is issued at a time, so error when multiple .crl files are listed in a Manifest's FileList.

The CRLDP extension identifies the location of the CRL, so the CRL's filename must match the CA's CRLDP's 'rsync://' entry; error if that isn't the case. (RFC 6486 section 4.8.6)
with & OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/17 09:00:50
Modified files: usr.sbin/rpki-client: parser.c
Log message:
Remove outdated (now inaccurate) warning message
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/17 08:31:59
Modified files: etc/rpki: apnic.constraints arin.constraints lacnic.constraints ripe.constraints
Log message:
Sync RPKI Trust Anchor constraints to nro-delegated-stats

Turns out that the registry at https://www.iana.org/assignments/as-numbers/as-numbers.xml is an incomplete one, where only 'new' assignments are listed. In the past this registry used to list all ASNs, but the RIRs asked IANA to revert to not being very detailed...

There is another source of truth, the 'nro-delegated-stats' file at https://ftp.ripe.net/pub/stats/ripencc/nro-stats/latest/nro-delegated-stats; this is updated daily and composed of information from each RIR.

Summary of changes:
* LACNIC manages more ASNs than previously known:
  - allow those ASNs for LACNIC
  - deny those for RIPE, APNIC, ARIN
* AFRINIC's allow list was good (compared to nro-delegated-stats), but the full set of AfriNIC ASNs wasn't denylisted for RIPE, ARIN, APNIC.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/15 07:57:45
Modified files: usr.sbin/rpki-client: crl.c extern.h parser.c
Log message:
Use the manifest location as additional differentiator when comparing CRLs
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/12 05:50:29
Modified files: usr.sbin/rpki-client: rrdp_notification.c
Log message:
Fix warning about delta element issues in the Update Notification File XML
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/04/05 10:05:15
Modified files: usr.sbin/rpki-client: aspa.c extern.h main.c output-bgpd.c output-json.c
Log message:
Don't emit Validated ASPAs for Customer ASIDs with more than MAX_ASPA_PROVIDERS

The number of providers in a single ASPA object already was limited to MAX_ASPA_PROVIDERS; now also impose a limit on the total number of providers across multiple ASPA objects. If the MAX_ASPA_PROVIDERS limit is hit, omit the Customer ASID's entry from OpenBGPD and JSON output.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/25 05:27:01
Modified files: lib/libcrypto/x509: x509rset.c
Log message:
Error on setting an invalid CSR version
Reported by David Benjamin (BoringSSL)
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/24 04:53:27
Modified files: usr.sbin/httpd: http.h
Log message:
Sync with IANA Status Code Registry
From https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
OK sthen@ miod@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/22 22:18:56
Modified files: etc/rpki: lacnic.constraints
Log message:
Expand ASN range for LACNIC
LACNIC received a new block of ASNs from IANA
https://mail.lacnic.net/pipermail/lacnog/2024-March/009690.html
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/21 21:38:12
Modified files: usr.sbin/rpki-client: cert.c extern.h filemode.c http.c main.c repo.c rrdp_delta.c rrdp_notification.c rrdp_snapshot.c rsync.c tal.c x509.c
Log message:
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/19 22:39:10
Modified files: regress/usr.sbin/rpki-client: test-aspa.c test-gbr.c test-mft.c test-roa.c test-spl.c test-tak.c
Log message:
Run most of regress explicitly in filemode to avoid hitting location checks
with tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/19 22:36:30
Modified files: usr.sbin/rpki-client: x509.c
Log message:
Check whether filename and SIA match

Verify whether the filename as presented by the publication point (which is unsigned information) matches the filename in the SIA attribute (which is signed information). Based on RFC 6487 section 4.8.8.
with and OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/15 23:18:01
Modified files: distrib/sets/lists/base: mi; distrib/sets/lists/etc: mi
Log message:
Move RPKI Trust Anchor constraints from etc set to base

The cadence of updates being applied to the RPKI Trust Anchor constraints seems sufficiently low, while the required understanding of context to make educated decisions quite high, so centralized coordination of updates through t...@openbsd.org is more appropriate.
requested by & OK deraadt@, OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/14 21:38:59
Modified files: usr.sbin/rpki-client: constraints.c
Log message:
Log which of the constraints files triggered a violation
Requested by Ties de Kock (RIPE NCC)
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/14 00:23:14
Modified files: usr.bin/ssh: ssh.1
Log message:
Clarify how literal IPv6 addresses can be used in -J mode
OK djm@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/12 10:03:56
Modified files: regress/usr.sbin/rpki-client: test-http.c; regress/usr.sbin/rpki-client/libressl: Makefile
Log message:
Add regress for cross-origin HTTP redirection

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/12 10:02:30
Modified files: usr.sbin/rpki-client: http.c
Log message:
Enforce same-origin policy for HTTP redirects
Isolate resources from different RRDP servers to avoid inappropriately increasing resource consumption for both RRDP clients and the referenced server.
OK claudio@ tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/03/01 02:36:55
Modified files: usr.sbin/rpki-client: main.c
Log message:
Lipstick on a pig: avoid comparing signed and unsigned
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/26 13:37:27
Modified files: usr.sbin/rpki-client: rsync.c
Log message:
Also download SPLs via rsync
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/26 08:40:33
Modified files: usr.sbin/rpki-client: extern.h main.c output-json.c output-ometric.c repo.c
Log message:
Track the number of new files moving from 'staging' to 'validated cache'
The OpenMetrics output shows per-repository counters for new files added; the main process and JSON output emit the sum of all new files.
OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/26 03:02:37
Modified files: usr.sbin/rpki-client: print.c
Log message:
Properly close JSON array before continuing in TAK
OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/22 05:51:50
Modified files: regress/usr.sbin/rpki-client: Makefile.inc
Added files: regress/usr.sbin/rpki-client: test-spl.c; regress/usr.sbin/rpki-client/spl: 9X0AhXWTJDl8lJhfOwvnac-42CA.spl
Log message:
Add regress for Signed Prefix List objects

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/22 05:50:11
src/regress/usr.sbin/rpki-client/spl
Update of /cvs/src/regress/usr.sbin/rpki-client/spl
In directory cvs.openbsd.org:/tmp/cvs-serv28908/spl
Log Message:
Directory /cvs/src/regress/usr.sbin/rpki-client/spl added to the repository

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/22 05:49:42
Modified files: usr.sbin/rpki-client: Makefile extern.h filemode.c main.c mft.c output-bgpd.c output-bird.c output-csv.c output-json.c output-ometric.c output.c parser.c print.c repo.c rpki-client.8 validate.c x509.c
Added files: usr.sbin/rpki-client: spl.c
Log message:
Add support for RPKI Signed Prefix Lists

Signed Prefix Lists are a CMS protected content type for use with the RPKI to carry the complete list of prefixes which an Autonomous System may originate to all or any of its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object, and that this list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/19 03:15:35
Modified files: usr.sbin/bgpd: bgpd.h session.c
Log message:
IANA assigned error 8 to draft-ietf-idr-sendholdtimer
https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtml#bgp-parameters-3
OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/17 07:53:29
Modified files: usr.sbin/tcpdump: print-bgp.c
Log message:
Add 'Send Hold Timer expired' BGP Error code
OK deraadt@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/13 15:44:21
Modified files: usr.sbin/rpki-client: aspa.c mft.c roa.c rsc.c tak.c
Log message:
Add explicit ASN1_ITEM_EXP prototypes
In LibreSSL *_it are variables; in other implementations they might be a function. This helps squash compiler warnings in -portable.
Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/13 14:18:55
Modified files: usr.sbin/rpki-client: tak.c
Log message:
Refactor parse_takey()
Avoid i2d_RSAPublicKey() to help with future portability efforts. Avoid a complication related to size_t/int for the return value of i2d_X509_PUBKEY. While there, change the out label to 'err'.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/13 13:41:22
Modified files: usr.sbin/rpki-client: output-json.c output-ometric.c
Log message:
Remove the stalemanifests metrics (which are no longer in use)
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/13 13:40:17
Modified files: usr.sbin/rpki-client: print.c
Log message:
Improve printing of TALs extracted from .tak objects
This changeset makes the output align more with the TAL file syntax.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/13 13:37:15
Modified files: usr.sbin/rpki-client: x509.c
Log message:
Improve a comment about what exactly the SKI is
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/13 13:36:42
Modified files: usr.sbin/rpki-client: print.c
Log message:
Avoid using i2d_RSAPublicKey()
This should help with future portability efforts, and perhaps makes the code a bit more readable.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/13 05:38:43
Modified files: lib/libcrypto/man: d2i_ASN1_OCTET_STRING.3
Log message:
Document a portability caveat about GeneralizedTime and UTCTime
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/12 09:42:43
Modified files: usr.bin/vi/common: options.c; usr.bin/vi/docs/USD.doc/vi.man: vi.1; usr.bin/vi/vi: vs_refresh.c
Log message:
Add showfilename set option
Pressing control-G all the time to understand 'what file is in what window' might be tedious. Instead, offer a configurable option (default off) to display the file name in the lower left corner.
OK millert@ otto@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/09 06:49:41
Modified files: usr.sbin/rpki-client: version.h
Log message:
Bump release
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/05 12:23:58
Modified files: usr.sbin/rpki-client: aspa.c mft.c roa.c rsc.c tak.c
Log message:
Check whether all data in eContent has been consumed

It is possible that a given ASN.1 template generated d2i_*() function didn't consume all data, so there is a potential for malleability. The econtent is a sequence (which means it could be the concatenation of several DER "blobs"). d2i_*() would only deserialize the first one and not notice blobs following it.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/03 17:53:27
Modified files: usr.sbin/rpki-client: mft.c
Log message:
Use x509_get_time() to get the Manifest thisUpdate / nextUpdate

From the moment d2i_Manifest() was introduced, it was automatically checked whether the thisUpdate/nextUpdate are ASN1_GENERALIZEDTIME. Unfortunately, an additional check is needed, because OpenSSL doesn't require RFC 5280 conformance for GeneralizedTime DER encoding.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/03 07:30:47
Modified files: usr.sbin/rpki-client: extern.h main.c mft.c output-json.c output-ometric.c output.c parser.c repo.c
Log message:
Refactor handling of stale manifests
No need to hoist a staleness indicator through the whole process and count it explicitly.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 12:31:59
Modified files: usr.sbin/rpki-client: parser.c
Log message:
Update the comment

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 12:26:49
Modified files: usr.sbin/rpki-client: mft.c
Log message:
Remove old comment
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 12:26:26
Modified files: usr.sbin/rpki-client: parser.c
Log message:
no longer check staleness in proc_parser_mft
invert logic for readability
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 11:11:13
Modified files: usr.sbin/rpki-client: parser.c
Log message:
refactor: don't call proc_parser_mft_post for the first mft
should be exact same behaviour as before
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 09:15:09
Modified files: usr.sbin/rpki-client: parser.c
Log message:
refactor: populate mft->path in the pre parser
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 07:13:58
Modified files: usr.sbin/rpki-client: parser.c
Log message:
refactor: no longer needed to pass loc to the mft preparser
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 06:40:50
Modified files: usr.sbin/rpki-client: parser.c
Log message:
refactor: move parse_filepath() to avoid pointer indirection
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 05:35:15
Modified files: usr.sbin/rpki-client: parser.c
Log message:
refactoring: move time validity window checks out of proc_parser_mft_post()
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/02/02 05:23:16
Modified files: usr.sbin/rpki-client: parser.c
Log message:
Rework error messages a bit
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/31 10:19:02
Modified files: usr.sbin/rpki-client: rpki-client.8
Log message:
Add reference to RRDP Session Desynchronization draft

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/31 08:01:13
Modified files: usr.sbin/rpki-client: x509.c
Log message:
Make the error a bit easier to read
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/29 20:40:01
Modified files: etc/rpki: apnic.constraints arin.constraints lacnic.constraints ripe.constraints
Log message:
Add more RPKI TA constraints: LACNIC ASNs cannot transfer to/from other RIRs
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/29 13:37:03
Modified files: lib/libcrypto/objects: obj_mac.num
Log message:
Add id-ct-rpkiSignedPrefixList NID
References:
https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-prefixlist/
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/29 13:36:20
Modified files: lib/libcrypto/objects: objects.txt
Log message:
Add id-ct-rpkiSignedPrefixList OID
References:
https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-prefixlist/
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/26 11:11:49
Modified files: usr.sbin/bgplgd: Makefile bgplgd.8 slowcgi.c
Log message:
Add a -V flag to bgplgd
OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/26 04:58:37
Modified files: regress/usr.bin/openssl: appstest.sh; usr.bin/openssl: openssl.1 x509.c
Log message:
Add 'openssl x509 -new' functionality to the libcrypto CLI utility
The ability to generate a new certificate is useful for testing and experimentation with rechaining PKIs.
While there, alias '-key' to '-signkey' for compatibility.
with and OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/23 02:32:57
Modified files: usr.sbin/rpki-client: filemode.c
Log message:
Warn about overclaiming intermediate CAs, but don't error
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/22 06:44:59
Modified files: lib/libcrypto/man: Makefile
Added files: lib/libcrypto/man: CMS_signed_add1_attr.3
Log message:
Document various CMS_{signed,unsigned}_* functions
These functions change signed & unsigned attributes of a CMS SignerInfo object.
With & OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/18 07:34:26
Modified files: usr.sbin/rpki-client: crl.c extern.h parser.c print.c
Log message:
The CRL's purported signing time actually is called thisUpdate, not lastUpdate
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/16 12:52:39
Modified files: usr.sbin/rpki-client: rpki-client.8
Log message:
Update standards reference

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/12 04:24:03
Modified files: regress/usr.bin/openssl: appstest.sh; usr.bin/openssl: x509.c openssl.1
Log message:
Add -force_pubkey -multivalue-rdn -set_issuer -set_subject -utf8 to x509 app
The -set_issuer, -set_subject, and -force_pubkey features can be used to 'rechain' PKIs; for more information see https://labs.apnic.net/nro-ta/ and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2024/01/11 04:55:14
Modified files: usr.sbin/rpki-client: cert.c
Log message:
Make the -P option work for Trust Anchor certificates as well
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/29 07:35:43
Modified files: usr.sbin/rpki-client: parser.c
Log message:
Fix a NULL access or use-after-free bug
This is a bandaid; the proc_parser_mft() is too complex and needs reworking.
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/26 06:36:18
Modified files: etc/rpki: apnic.constraints arin.constraints lacnic.constraints ripe.constraints
Log message:
Align the other RIRs with the recent clarifications from AFRINIC
Following https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html
Simply apply the inverse of 'afrinic.constraints' r1.2 to the other RIR files (since no resources can be transferred from AFRINIC to any other RIRs).
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/24 03:48:58
Modified files: usr.sbin/rpki-client: rrdp_delta.c
Log message:
Zap dead code
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/19 01:10:19
Modified files: etc/rpki: afrinic.constraints apnic.constraints arin.constraints lacnic.constraints ripe.constraints
Log message:
Add markers
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/18 16:42:20
Modified files: usr.sbin/rpki-client: parser.c
Log message:
Rephrase some warnings related to Manifests
Feedback from Tom Harrison (APNIC)
with and OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/14 05:26:04
Modified files: etc/rpki: afrinic.constraints
Log message:
Constrain the AFRINIC TA further
Today AFRINIC clarified its actual current resource holdings by issuing a new CA certificate in response to a report on overclaiming:
https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/14 02:13:00
Modified files: etc/rpki: apnic.constraints
Log message:
For historical reasons, APNIC ended up with a v6 block for IX assignments carved out of a larger block assigned to RIPE NCC
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/13 04:34:56
Modified files: etc: Makefile changelist
Added files: etc/rpki: afrinic.constraints apnic.constraints arin.constraints lacnic.constraints ripe.constraints
Log message:
Impose constraints on RPKI Trust Anchors
See https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors for more information.
Tested for a few months.
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/11 12:05:20
Modified files: usr.sbin/rpki-client: extern.h parser.c
Log message:
Warn when the same manifestNumber is recycled across multiple issuances of that manifest
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/11 08:50:23
Modified files: usr.sbin/rpki-client: mft.c parser.c
Log message:
Log a warning when a manifest replay is detected
OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/10 07:18:23
Modified files: usr.sbin/rpki-client: crl.c cms.c cert.c
Log message:
Since errno isn't used here, use warnx() instead of warn()
OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs   Module name: src   Changes by: j...@cvs.openbsd.org   2023/12/08 17:44:18
Modified files: usr.sbin/rpki-client: parser.c
Log message:
Following a failed fetch, use a previously cached and valid Manifest

RPKI Manifests enable Relying Parties (RPs) to detect replay attacks, unauthorized in-flight modification, or deletion of signed objects. RPs can accomplish these security functions by comparing (what is expected to be) a monotonically increasing counter (the 'manifestNumber') - to determine what the latest Manifest is; a list of filenames - in order to establish whether the complete set of files was fetched; and a list of SHA256 message digests to ascertain whether the contents of said files are exactly the same as the CA intended them to be.

Over time, two schools of thought arose.

One philosophy is that the highest numbered cryptographically valid Manifest represents the express intent of the CA, so if manifest-listed files are missing, someone upstream messed up and gets to enjoy the broken pieces. After all, RFC 9286 section 5.2 puts the onus firmly on the repository operator to publish in a consistent manner. Here, "consistent" means that newly issued manifests - in the same RRDP delta - are bundled together with all new or changed ROAs, and that remote RSYNC repositories are atomically updated (for example, using symlink pivots). To overcome various types of inconsistent, transient, or intermediate states of the remote publication point - previous versions of rpki-client did construct the full CARepository state using a mix of objects from both its local validated cache and the RRDP/RSYNC staging directories (which contain purported new versions of the objects).

However, another take on RFC 9286 section 6.6's "use cached versions of the objects" is that 'the objects' not only refers to the listed subordinate products (such as ROAs/Certificates/ASPAs), but also to Manifests themselves. The philosophy being that lower numbered cryptographically valid Manifests with a complete & untampered set of files are to be preferred over higher numbered cryptographically valid Manifests accompanied by incomplete sets of files. Consequently - potentially - producing more stable VRP outputs, at the expense of being magnanimous towards sloppy CAs and repository operators.

Going forward, rpki-client logs errors when inconsistent publications are encountered, but also proceeds to use older cryptographically valid Manifests (from previous successful fetches) in order to construct the tree.

With and OK tb@, and also thanks to Ties de Kock from RIPE NCC.
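The selection rule described in this message, as an added example written for this page rather than rpki-client's own parser.c. The struct layouts, function names and placeholder digests are assumptions made here (the real client hashes the fetched bytes with SHA-256; this sketch takes the digests as already computed), and the replay check mirrors the manifestNumber warnings from the December 11 commits above.

```c
/*
 * Added example (not rpki-client's own code): choose which Manifest to
 * build a CA's subtree from. A freshly fetched Manifest is used only if it
 * is newer than the cached one and every file it lists arrived with the
 * digest the CA signed; otherwise the previously cached, still valid
 * Manifest is kept and a warning is produced.
 */
#include <stdio.h>
#include <string.h>

struct mft_entry { const char *file; const char *digest; };	/* FileList entry: name + SHA-256 (hex) */

struct manifest {
	unsigned long long number;	/* manifestNumber */
	int valid;			/* 1 once signature and validity-window checks passed */
	const struct mft_entry *files;
	size_t nfiles;
};

struct pubfile { const char *file; const char *digest; };	/* what a fetch or the cache actually holds */

/* Digest of a fetched/cached file by name; NULL if the file is absent. */
static const char *
pub_digest(const struct pubfile *have, size_t nhave, const char *file)
{
	size_t i;

	for (i = 0; i < nhave; i++)
		if (strcmp(have[i].file, file) == 0)
			return have[i].digest;
	return NULL;
}

/* 1 when every listed file is present with the signed digest; else *why names the culprit. */
int
mft_complete(const struct manifest *m, const struct pubfile *have, size_t nhave, const char **why)
{
	size_t i;
	const char *got;

	for (i = 0; i < m->nfiles; i++) {
		got = pub_digest(have, nhave, m->files[i].file);
		if (got == NULL || strcmp(got, m->files[i].digest) != 0) {
			*why = m->files[i].file;
			return 0;
		}
	}
	*why = NULL;
	return 1;
}

/*
 * Pick the Manifest to build from: 1 = freshly fetched, 2 = previously
 * cached, 0 = neither usable. 'msg' receives the warning a relying party
 * would log (empty when the fresh Manifest is used as-is).
 */
int
mft_select(const struct manifest *fresh, const struct pubfile *staged, size_t nstaged,
    const struct manifest *cached, const struct pubfile *cache, size_t ncache,
    char *msg, size_t msglen)
{
	const char *why;

	msg[0] = '\0';
	if (fresh != NULL && fresh->valid) {
		if (cached != NULL && cached->valid && fresh->number <= cached->number)
			/* manifestNumber must increase; a lower or recycled number is a replay */
			snprintf(msg, msglen, "manifest replay: number %llu not above cached %llu",
			    fresh->number, cached->number);
		else if (mft_complete(fresh, staged, nstaged, &why))
			return 1;
		else
			snprintf(msg, msglen, "inconsistent publication: %s missing or digest "
			    "mismatch, falling back to cached manifest", why);
	}
	if (cached != NULL && cached->valid && mft_complete(cached, cache, ncache, &why))
		return 2;
	return 0;
}

/* Constructed sample data: digests are placeholders, not real SHA-256 values. */
static const struct mft_entry list42[] = { { "ca.crl", "aa11" }, { "x.roa", "bb22" } };
static const struct mft_entry list43[] = { { "ca.crl", "aa11" }, { "x.roa", "cc33" } };
static const struct manifest mft42 = { 42, 1, list42, 2 };
static const struct manifest mft43 = { 43, 1, list43, 2 };
static const struct pubfile files42[] = { { "ca.crl", "aa11" }, { "x.roa", "bb22" } };	/* validated cache for #42 */
static const struct pubfile files43[] = { { "ca.crl", "aa11" }, { "x.roa", "cc33" } };	/* consistent fetch for #43 */

/* Manifest 43 published together with the new x.roa: use it (returns 1). */
int scenario_consistent(void)
{ char msg[128]; return mft_select(&mft43, files43, 2, &mft42, files42, 2, msg, sizeof msg); }

/* Manifest 43 published but the x.roa it lists was not: keep 42 (returns 2). */
int scenario_inconsistent(void)
{ char msg[128]; return mft_select(&mft43, files42, 2, &mft42, files42, 2, msg, sizeof msg); }

/* Fetch handed back manifest 42 while 43 is cached: replay, keep 43 (returns 2). */
int scenario_replay(void)
{ char msg[128]; return mft_select(&mft42, files42, 2, &mft43, files43, 2, msg, sizeof msg); }

int
main(void)
{
	printf("consistent=%d inconsistent=%d replay=%d\n",
	    scenario_consistent(), scenario_inconsistent(), scenario_replay());
	return 0;
}
```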