CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/04/17 09:00:50

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
Remove outdated (now inaccurate) warning message

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/04/17 08:31:59

Modified files:
  etc/rpki : apnic.constraints arin.constraints lacnic.constraints ripe.constraints

Log message:
Sync RPKI Trust Anchor constraints to nro-delegated-stats

Turns out that the registry at https://www.iana.org/assignments/as-numbers/as-numbers.xml
is an incomplete one, where only 'new' assignments are listed. In the past this
registry used to list all ASNs, but the RIRs asked IANA to revert to not being
very detailed...

There is another source of truth, the 'nro-delegated-stats' file at
https://ftp.ripe.net/pub/stats/ripencc/nro-stats/latest/nro-delegated-stats
this is updated daily and composed of information from each RIR.

Summary of changes:

* LACNIC manages more ASNs than previously known:
  - allow those ASNs for LACNIC
  - deny those for RIPE, APNIC, ARIN

* AFRINIC's allow list was good (compared to nro-delegated-stats), but the
  full set of AfriNIC ASNs wasn't denylisted for RIPE, ARIN, APNIC.

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/04/15 07:57:45

Modified files:
  usr.sbin/rpki-client: crl.c extern.h parser.c

Log message:
Use the manifest location as additional differentiator when comparing CRLs

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/04/12 05:50:29

Modified files:
  usr.sbin/rpki-client: rrdp_notification.c

Log message:
Fix warning about delta element issues in the Update Notification File XML

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/04/05 10:05:15

Modified files:
  usr.sbin/rpki-client: aspa.c extern.h main.c output-bgpd.c output-json.c

Log message:
Don't emit Validated ASPAs for Customer ASIDs with more than MAX_ASPA_PROVIDERS

The number of providers in a single ASPA object already was limited to
MAX_ASPA_PROVIDERS, now also impose a limit on the total number of providers
across multiple ASPA objects. If the MAX_ASPA_PROVIDERS limit is hit, omit the
Customer ASID's entry from OpenBGPD and JSON output.

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/25 05:27:01

Modified files:
  lib/libcrypto/x509: x509rset.c

Log message:
Error on setting an invalid CSR version

Reported by David Benjamin (BoringSSL)

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/24 04:53:27

Modified files:
  usr.sbin/httpd : http.h

Log message:
Sync with IANA Status Code Registry

From https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml

OK sthen@ miod@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/22 22:18:56

Modified files:
  etc/rpki : lacnic.constraints

Log message:
Expand ASN range for LACNIC

LACNIC received a new block of ASNs from IANA
https://mail.lacnic.net/pipermail/lacnog/2024-March/009690.html

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/21 21:38:12

Modified files:
  usr.sbin/rpki-client: cert.c extern.h filemode.c http.c main.c repo.c rrdp_delta.c rrdp_notification.c rrdp_snapshot.c rsync.c tal.c x509.c

Log message:
Replace protocol literal strings and strlen() calls with defined constants

OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/19 22:39:10

Modified files:
  regress/usr.sbin/rpki-client: test-aspa.c test-gbr.c test-mft.c test-roa.c test-spl.c test-tak.c

Log message:
Run most of regress explicitly in filemode to avoid hitting location checks

with tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/19 22:36:30

Modified files:
  usr.sbin/rpki-client: x509.c

Log message:
Check whether filename and SIA match

Verify whether the filename as presented by the publication point (which is
unsigned information) matches the filename in the SIA attribute (which is
signed information).

Based on RFC 6487 section 4.8.8.

with and OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/15 23:18:01

Modified files:
  distrib/sets/lists/base: mi
  distrib/sets/lists/etc: mi

Log message:
Move RPKI Trust Anchor constraints from etc set to base

The cadence of updates being applied to the RPKI Trust Anchor constraints
seems sufficiently low, while the required understanding of context to make
educated decisions quite high, so centralized coordination of updates through
t...@openbsd.org is more appropriate.

requested by & OK deraadt@, OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/14 21:38:59

Modified files:
  usr.sbin/rpki-client: constraints.c

Log message:
Log which of the constraints files triggered a violation

Requested by Ties de Kock (RIPE NCC)

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/14 00:23:14

Modified files:
  usr.bin/ssh: ssh.1

Log message:
Clarify how literal IPv6 addresses can be used in -J mode

OK djm@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/12 10:03:56

Modified files:
  regress/usr.sbin/rpki-client: test-http.c
  regress/usr.sbin/rpki-client/libressl: Makefile

Log message:
Add regress for cross-origin HTTP redirection

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/12 10:02:30

Modified files:
  usr.sbin/rpki-client: http.c

Log message:
Enforce same-origin policy for HTTP redirects

Isolate resources from different RRDP servers to avoid inappropriately
increasing resource consumption for both RRDP clients and the referenced
server.

OK claudio@ tb@

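The same-origin rule the commit above introduces, as an added illustration (this is example code, not rpki-client's http.c). Origins are compared as (scheme, host, port) with default ports filled in, as RFC 6454 does, and a redirect to any other origin is refused instead of followed. The response table and hostnames are constructed for the example and stand in for a real RRDP server.

```python
"""Same-origin policy for HTTP redirects (added example, not rpki-client code)."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """Return (scheme, host, port) for url; ValueError if it has no usable host."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or incomplete URL: %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)      # hostname is already lowercased


def same_origin(base_url, location):
    """True if location (absolute, or relative to base_url) shares base_url's origin."""
    return origin(base_url) == origin(urljoin(base_url, location))


def follow_redirects(start_url, responses, max_hops=5):
    """Walk the redirect chain in responses, refusing any cross-origin hop.

    responses maps a URL to (status, Location header or None).  Returns
    (last URL reached, outcome): 'ok' when a non-redirect response is reached,
    'cross-origin' when the next hop would change origin (it is not followed),
    or 'too-many-redirects'."""
    url = start_url
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or location is None:
            return url, "ok"
        if not same_origin(url, location):
            return url, "cross-origin"
        url = urljoin(url, location)
    return url, "too-many-redirects"


# Constructed responses for hypothetical RRDP servers (not real hosts).
SAMPLE_RESPONSES = {
    "https://rrdp.example.net/notification.xml":
        (302, "/notify/notification.xml"),                       # relative, same origin
    "https://rrdp.example.net/notify/notification.xml":
        (301, "https://rrdp.example.net:443/notify/v2.xml"),     # explicit default port
    "https://rrdp.example.net:443/notify/v2.xml":
        (200, None),
    "https://rrdp.example.org/notification.xml":
        (302, "https://cdn.example.com/notification.xml"),       # other host: refused
    "https://rrdp.example.com/notification.xml":
        (307, "http://rrdp.example.com/notification.xml"),       # scheme change: refused
}

if __name__ == "__main__":
    for start in ("https://rrdp.example.net/notification.xml",
                  "https://rrdp.example.org/notification.xml",
                  "https://rrdp.example.com/notification.xml"):
        print(start, "->", follow_redirects(start, SAMPLE_RESPONSES))
```

Note that a scheme change (https to http) or a non-default port also counts as a different origin, so a redirect that would downgrade transport security is refused by the same check.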
CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/03/01 02:36:55

Modified files:
  usr.sbin/rpki-client: main.c

Log message:
Lipstick on a pig: avoid comparing signed and unsigned

OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/26 13:37:27

Modified files:
  usr.sbin/rpki-client: rsync.c

Log message:
Also download SPLs via rsync

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/26 08:40:33

Modified files:
  usr.sbin/rpki-client: extern.h main.c output-json.c output-ometric.c repo.c

Log message:
Track the number of new files moving from 'staging' to 'validated cache'

The OpenMetrics output shows per-repository counters for new files added, the
main process and JSON output emit the sum of all new files.

OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/26 03:02:37

Modified files:
  usr.sbin/rpki-client: print.c

Log message:
Properly close JSON array before continuing in TAK

OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/22 05:51:50

Modified files:
  regress/usr.sbin/rpki-client: Makefile.inc
Added files:
  regress/usr.sbin/rpki-client: test-spl.c
  regress/usr.sbin/rpki-client/spl: 9X0AhXWTJDl8lJhfOwvnac-42CA.spl

Log message:
Add regress for Signed Prefix List objects

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/22 05:50:11

src/regress/usr.sbin/rpki-client/spl

Update of /cvs/src/regress/usr.sbin/rpki-client/spl
In directory cvs.openbsd.org:/tmp/cvs-serv28908/spl

Log Message:
Directory /cvs/src/regress/usr.sbin/rpki-client/spl added to the repository

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/22 05:49:42

Modified files:
  usr.sbin/rpki-client: Makefile extern.h filemode.c main.c mft.c output-bgpd.c output-bird.c output-csv.c output-json.c output-ometric.c output.c parser.c print.c repo.c rpki-client.8 validate.c x509.c
Added files:
  usr.sbin/rpki-client: spl.c

Log message:
Add support for RPKI Signed Prefix Lists

Signed Prefix Lists are a CMS protected content type for use with the RPKI to
carry the complete list of prefixes which an Autonomous System may originate
to all or any of its routing peers. The validation of a Signed Prefix List
confirms that the holder of the listed ASN produced the object, and that this
list is a current, accurate and complete description of address prefixes that
may be announced into the routing system originated by this AS.

https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

with and OK claudio@ tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/19 03:15:35

Modified files:
  usr.sbin/bgpd : bgpd.h session.c

Log message:
IANA assigned error 8 to draft-ietf-idr-sendholdtimer

https://www.iana.org/assignments/bgp-parameters/bgp-parameters.xhtml#bgp-parameters-3

OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/17 07:53:29

Modified files:
  usr.sbin/tcpdump: print-bgp.c

Log message:
Add 'Send Hold Timer expired' BGP Error code

OK deraadt@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/13 15:44:21

Modified files:
  usr.sbin/rpki-client: aspa.c mft.c roa.c rsc.c tak.c

Log message:
Add explicit ASN1_ITEM_EXP prototypes

In LibreSSL *_it are variables, in other implementations they might be a
function. This helps squash compiler warnings in -portable.

Related: https://github.com/openbsd/src/commit/65af98848fc7a42e34d470d10fc1db8e23f9db93

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/13 14:18:55

Modified files:
  usr.sbin/rpki-client: tak.c

Log message:
Refactor parse_takey()

Avoid i2d_RSAPublicKey() to help with future portability efforts.
Avoid a complication related to size_t/int for the return value of
i2d_X509_PUBKEY. While there, change the out label to 'err'.

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/13 13:41:22

Modified files:
  usr.sbin/rpki-client: output-json.c output-ometric.c

Log message:
Remove the stalemanifests metrics (which are no longer in use)

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/13 13:40:17

Modified files:
  usr.sbin/rpki-client: print.c

Log message:
Improve printing of TALs extracted from .tak objects

This changeset makes the output align more with the TAL file syntax.

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/13 13:37:15

Modified files:
  usr.sbin/rpki-client: x509.c

Log message:
Improve a comment about what exactly the SKI is

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/13 13:36:42

Modified files:
  usr.sbin/rpki-client: print.c

Log message:
Avoid using i2d_RSAPublicKey()

This should help with future portability efforts, and perhaps makes the code
a bit more readable.

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/13 05:38:43

Modified files:
  lib/libcrypto/man: d2i_ASN1_OCTET_STRING.3

Log message:
Document a portability caveat about GeneralizedTime and UTCTime

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/12 09:42:43

Modified files:
  usr.bin/vi/common: options.c
  usr.bin/vi/docs/USD.doc/vi.man: vi.1
  usr.bin/vi/vi : vs_refresh.c

Log message:
Add showfilename set option

Pressing control-G all the time to understand 'what file is in what window'
might be tedious. Instead, offer a configurable option (default off) to
display the file name in the lower left corner.

OK millert@ otto@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/09 06:49:41

Modified files:
  usr.sbin/rpki-client: version.h

Log message:
Bump release

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/05 12:23:58

Modified files:
  usr.sbin/rpki-client: aspa.c mft.c roa.c rsc.c tak.c

Log message:
Check whether all data in eContent has been consumed

It is possible that a given ASN.1 template generated d2i_*() function didn't
consume all data, so there is a potential for malleability. The econtent is
a sequence (which means it could be the concatenation of several DER
"blobs"). d2i_*() would only deserialize the first one and not notice blobs
following it.

OK tb@

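The malleability the commit above closes, shown with a small DER reader (added example, not rpki-client code and not LibreSSL's d2i_*() implementation). read_tlv() decodes one tag-length-value element; decode_loose() behaves like a bare d2i_*() call that returns as soon as the first element is complete, while decode_strict() adds the check that the element spans the whole eContent. The sample encodings are constructed for the example.

```python
"""Trailing-data check after decoding a DER element (added example)."""


def read_tlv(buf, offset=0):
    """Decode the DER TLV at buf[offset:]; return (tag, value, end_offset).

    Only definite, minimally encoded lengths are accepted, as DER requires.
    Multi-byte tags are outside the scope of this example."""
    if offset + 2 > len(buf):
        raise ValueError("truncated: missing tag or length")
    tag = buf[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not supported here")
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first                                  # short form
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        nbytes = first & 0x7F                           # long form
        if nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or length < (1 << (8 * (nbytes - 1))):
            raise ValueError("non-minimal length encoding is not DER")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated: value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_loose(econtent):
    """Like a bare d2i_*(): returns the first element and ignores what follows."""
    tag, value, _ = read_tlv(econtent)
    return tag, value


def decode_strict(econtent):
    """Same decode, but every byte of econtent must belong to that element."""
    tag, value, end = read_tlv(econtent)
    if end != len(econtent):
        raise ValueError("%d trailing byte(s) after the eContent element"
                         % (len(econtent) - end))
    return tag, value


# Constructed DER: SEQUENCE { INTEGER 1 } encodes as 30 03 02 01 01.
GOOD = bytes.fromhex("3003020101")
# The same element with a second SEQUENCE { INTEGER 2 } appended.  A loose
# decoder returns the first element and never notices the extra blob, so two
# different byte strings validate as "the same" object.
MALLEABLE = GOOD + bytes.fromhex("3003020102")

if __name__ == "__main__":
    print("loose :", decode_loose(MALLEABLE))
    try:
        decode_strict(MALLEABLE)
    except ValueError as e:
        print("strict:", e)
```

The same idea applies to any `d2i_*()` call in C: compare the advanced input pointer with the start plus the declared length, and reject the object if they differ.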
CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/03 17:53:27

Modified files:
  usr.sbin/rpki-client: mft.c

Log message:
Use x509_get_time() to get the Manifest thisUpdate / nextUpdate

From the moment d2i_Manifest() was introduced, it was automatically checked
whether the thisUpdate/nextUpdate are ASN1_GENERALIZEDTIME. Unfortunately, an
additional check is needed, because OpenSSL doesn't require RFC 5280
conformance for GeneralizedTime DER encoding.

OK tb@

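What the "additional check" amounts to, as an added example (not rpki-client's x509_get_time()): RFC 5280 section 4.1.2.5.2 restricts GeneralizedTime to the form YYYYMMDDHHMMSSZ, so a value that passed the ASN.1 type check is re-validated as a string before it is used for the manifest validity window. The manifest_window() helper and its timestamps are assumptions made for this example.

```python
"""RFC 5280 conformant GeneralizedTime parsing (added example)."""
import re
from datetime import datetime, timezone

# YYYYMMDDHHMMSSZ: UTC only, seconds mandatory, no fractional seconds.
_RFC5280_GENTIME = re.compile(r"\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")


def parse_generalizedtime(value):
    """Return an aware UTC datetime for an RFC 5280 conformant GeneralizedTime.

    Raises ValueError for local-time offsets, fractional seconds, omitted
    seconds, or calendar values that do not exist (e.g. 30 February), all of
    which X.680 GeneralizedTime syntax would otherwise permit."""
    if isinstance(value, bytes):
        value = value.decode("ascii")      # non-ASCII raises a ValueError subclass
    m = _RFC5280_GENTIME.match(value)
    if m is None:
        raise ValueError("not an RFC 5280 GeneralizedTime: %r" % value)
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    # datetime() validates the ranges; it also rejects second == 60 (leap
    # second), which is acceptable for manifest timestamps.
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def manifest_window(this_update, next_update, now):
    """Classify a manifest's validity window at 'now' (an aware datetime).

    Returns 'not-yet-valid', 'current' or 'stale'; raises ValueError on a
    malformed time or when nextUpdate does not come after thisUpdate."""
    start = parse_generalizedtime(this_update)
    end = parse_generalizedtime(next_update)
    if end <= start:
        raise ValueError("nextUpdate must be later than thisUpdate")
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "stale"
    return "current"


if __name__ == "__main__":
    now = datetime(2024, 2, 3, 18, 0, tzinfo=timezone.utc)
    print(manifest_window(b"20240203175327Z", b"20240204175327Z", now))
    for bad in ("20240203175327.5Z", "20240203175327+0100", "202402031753Z"):
        try:
            parse_generalizedtime(bad)
        except ValueError as e:
            print("rejected:", e)
```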
CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/03 07:30:47

Modified files:
  usr.sbin/rpki-client: extern.h main.c mft.c output-json.c output-ometric.c output.c parser.c repo.c

Log message:
Refactor handling of stale manifests

No need to hoist a staleness indicator through the whole process and count it
explicitly.

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 12:31:59

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
Update the comment

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 12:26:49

Modified files:
  usr.sbin/rpki-client: mft.c

Log message:
Remove old comment

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 12:26:26

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
no longer check staleness in proc_parser_mft

invert logic for readability

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 11:11:13

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
refactor: don't call proc_parser_mft_post for the first mft

should be exact same behaviour as before

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 09:15:09

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
refactor: populate mft->path in the pre parser

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 07:13:58

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
refactor: no longer needed to pass loc to the mft preparser

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 06:40:50

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
refactor: move parse_filepath() to avoid pointer indirection

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 05:35:15

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
refactoring: move time validity window checks out of proc_parser_mft_post()

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/02/02 05:23:16

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
Rework error messages a bit

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/31 10:19:02

Modified files:
  usr.sbin/rpki-client: rpki-client.8

Log message:
Add reference to RRDP Session Desynchronization draft

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/31 08:01:13

Modified files:
  usr.sbin/rpki-client: x509.c

Log message:
Make the error a bit easier to read

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/29 20:40:01

Modified files:
  etc/rpki : apnic.constraints arin.constraints lacnic.constraints ripe.constraints

Log message:
Add more RPKI TA constraints: LACNIC ASNs cannot transfer to/from other RIRs

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/29 13:37:03

Modified files:
  lib/libcrypto/objects: obj_mac.num

Log message:
Add id-ct-rpkiSignedPrefixList NID

References:
https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-prefixlist/
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/29 13:36:20

Modified files:
  lib/libcrypto/objects: objects.txt

Log message:
Add id-ct-rpkiSignedPrefixList OID

References:
https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-prefixlist/
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/26 11:11:49

Modified files:
  usr.sbin/bgplgd: Makefile bgplgd.8 slowcgi.c

Log message:
Add a -V flag to bgplgd

OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/26 04:58:37

Modified files:
  regress/usr.bin/openssl: appstest.sh
  usr.bin/openssl: openssl.1 x509.c

Log message:
Add 'openssl x509 -new' functionality to the libcrypto CLI utility

The ability to generate a new certificate is useful for testing and
experimentation with rechaining PKIs. While there, alias '-key' to
'-signkey' for compatibility.

with and OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/23 02:32:57

Modified files:
  usr.sbin/rpki-client: filemode.c

Log message:
Warn about overclaiming intermediate CAs, but don't error

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/22 06:44:59

Modified files:
  lib/libcrypto/man: Makefile
Added files:
  lib/libcrypto/man: CMS_signed_add1_attr.3

Log message:
Document various CMS_{signed,unsigned}_* functions

These functions change signed & unsigned attributes of a CMS SignerInfo object

With & OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/18 07:34:26

Modified files:
  usr.sbin/rpki-client: crl.c extern.h parser.c print.c

Log message:
The CRL's purported signing time actually is called thisUpdate, not lastUpdate

OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/16 12:52:39

Modified files:
  usr.sbin/rpki-client: rpki-client.8

Log message:
Update standards reference

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/12 04:24:03

Modified files:
  regress/usr.bin/openssl: appstest.sh
  usr.bin/openssl: x509.c openssl.1

Log message:
Add -force_pubkey -multivalue-rdn -set_issuer -set_subject -utf8 to x509 app

The -set_issuer, -set_subject, and -force_pubkey features can be used to
'rechain' PKIs, for more information see
https://labs.apnic.net/nro-ta/ and
https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2024/01/11 04:55:14

Modified files:
  usr.sbin/rpki-client: cert.c

Log message:
Make the -P option work for Trust Anchor certificates as well

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/29 07:35:43

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
Fix a NULL access or use-after-free bug

This is a bandaid, the proc_parser_mft() is too complex and needs reworking

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/26 06:36:18

Modified files:
  etc/rpki : apnic.constraints arin.constraints lacnic.constraints ripe.constraints

Log message:
Align the other RIRs with the recent clarifications from AFRINIC

Following https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html

Simply apply the inverse of 'afrinic.constraints' r1.2 to the other RIR files
(since no resources can be transferred from AFRINIC to any other RIRs).

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/24 03:48:58

Modified files:
  usr.sbin/rpki-client: rrdp_delta.c

Log message:
Zap dead code

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/19 01:10:19

Modified files:
  etc/rpki : afrinic.constraints apnic.constraints arin.constraints lacnic.constraints ripe.constraints

Log message:
Add markers

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/18 16:42:20

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
Rephrase some warnings related to Manifests

Feedback from Tom Harrison (APNIC)

with and OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/14 05:26:04

Modified files:
  etc/rpki : afrinic.constraints

Log message:
Constrain the AFRINIC TA further

Today AFRINIC clarified its actual current resource holdings by issuing a new
CA certificate in response to a report on overclaiming:
https://lists.afrinic.net/pipermail/dbwg/2023-December/000496.html

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/14 02:13:00

Modified files:
  etc/rpki : apnic.constraints

Log message:
For historical reasons, APNIC ended up with a v6 block for IX assignments
carved out of a larger block assigned to RIPE NCC

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/13 04:34:56

Modified files:
  etc: Makefile changelist
Added files:
  etc/rpki : afrinic.constraints apnic.constraints arin.constraints lacnic.constraints ripe.constraints

Log message:
Impose constraints on RPKI Trust Anchors

See https://datatracker.ietf.org/doc/html/draft-snijders-constraining-rpki-trust-anchors
for more information.

Tested for a few months.

OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/11 12:05:20

Modified files:
  usr.sbin/rpki-client: extern.h parser.c

Log message:
Warn when the same manifestNumber is recycled across multiple issuances of
that manifest

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/11 08:50:23

Modified files:
  usr.sbin/rpki-client: mft.c parser.c

Log message:
Log a warning when a manifest replay is detected

OK tb@ claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/10 07:18:23

Modified files:
  usr.sbin/rpki-client: crl.c cms.c cert.c

Log message:
Since errno isn't used here, use warnx() instead of warn()

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/12/08 17:44:18

Modified files:
  usr.sbin/rpki-client: parser.c

Log message:
Following a failed fetch, use a previously cached and valid Manifest

RPKI Manifests enable Relying Parties (RPs) to detect replay attacks,
unauthorized in-flight modification, or deletion of signed objects. RPs can
accomplish these security functions by comparing (what is expected to be) a
monotonically increasing counter (the 'manifestNumber') - to determine what
the latest Manifest is; a list of filenames - in order to establish whether
the complete set of files was fetched; and a list of SHA256 message digests to
ascertain whether the contents of said files are exactly the same as the CA
intended them to be.

Over time, two schools of thought arose. One philosophy is that the highest
numbered cryptographically valid Manifest represents the express intent of the
CA, so if manifest-listed files are missing, someone upstream messed up and
gets to enjoy the broken pieces. After all, RFC 9286 section 5.2 puts the onus
firmly on the repository operator to publish in a consistent manner. Here,
"consistent" means that newly issued manifests - in the same RRDP delta - are
bundled together with all new or changed ROAs, and that remote RSYNC
repositories are atomically updated (for example, using symlink pivots).
To overcome various types of inconsistent, transient, or intermediate states
of the remote publication point - previous versions of rpki-client did
construct the full CARepository state using a mix of objects from both its
local validated cache and the RRDP/RSYNC staging directories (which contain
purported new versions of the objects).

However, another take on RFC 9286 section 6.6's "use cached versions of the
objects" is that 'the objects' not only refers to the listed subordinate
products (such as ROAs/Certificates/ASPAs), but also to Manifests themselves.
The philosophy being that lower numbered cryptographically valid Manifests
with a complete & untampered set of files are to be preferred over a higher
numbered cryptographically valid Manifest accompanied by incomplete sets of
files. Consequently - potentially - producing more stable VRP outputs, at the
expense of being magnanimous towards sloppy CAs and repository operators.

Going forward, rpki-client logs errors when inconsistent publications are
encountered, but also proceeds to use older cryptographically valid Manifests
(from previous successful fetches) in order to construct the tree.

With and OK tb@, and also thanks to Ties de Kock from RIPE NCC.

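The selection rule the commit above settles on, as an added example (not rpki-client's parser.c): each candidate Manifest is checked against the directory it was fetched into (the RRDP/RSYNC staging area for the new one, the validated cache for the previous one), and the highest-numbered Manifest whose listed files are all present with the expected SHA-256 digest wins. An incomplete newer Manifest is logged and skipped rather than mixed with older objects. Candidates are assumed to be signature-verified and inside their validity window already; the file contents and manifest numbers are constructed.

```python
"""Choosing a complete Manifest over a newer, incomplete one (added example)."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def manifest_problems(manifest, files):
    """List what is wrong with manifest relative to files ({name: bytes}).

    manifest is {'number': int, 'entries': {filename: sha256 hex}}.  An empty
    list means every listed file is present and untampered."""
    problems = []
    for name, digest in sorted(manifest["entries"].items()):
        if name not in files:
            problems.append("%s missing" % name)
        elif sha256_hex(files[name]) != digest:
            problems.append("%s digest mismatch" % name)
    return problems


def choose_manifest(candidates):
    """candidates: list of (manifest, files) pairs, in any order.

    Returns (chosen manifest or None, log lines).  Candidates are tried from
    the highest manifestNumber down; ties (a recycled number) keep the order
    given, so list the freshly fetched copy first."""
    log = []
    ordered = sorted(candidates, key=lambda c: c[0]["number"], reverse=True)
    for mft, files in ordered:
        problems = manifest_problems(mft, files)
        if not problems:
            return mft, log
        log.append("manifest #%d unusable: %s" % (mft["number"], "; ".join(problems)))
    return None, log


def make_manifest(number, files):
    """Build a manifest dict listing every file in files with its digest."""
    return {"number": number,
            "entries": {name: sha256_hex(data) for name, data in files.items()}}


# Constructed scenario: the CA published manifest #42 with a new ROA, but the
# fetch delivered only the manifest, the CRL and the old ROA.  The validated
# cache still holds manifest #41 together with everything it lists.
CACHED_FILES = {"ca.crl": b"crl v41", "roa-a.roa": b"roa A v1"}
CACHED_MFT = make_manifest(41, CACHED_FILES)

NEW_FILES = {"ca.crl": b"crl v42", "roa-a.roa": b"roa A v1", "roa-b.roa": b"roa B v1"}
NEW_MFT = make_manifest(42, NEW_FILES)
STAGED_FILES = {"ca.crl": b"crl v42", "roa-a.roa": b"roa A v1"}   # roa-b.roa never arrived

if __name__ == "__main__":
    chosen, log = choose_manifest([(NEW_MFT, STAGED_FILES), (CACHED_MFT, CACHED_FILES)])
    for line in log:
        print(line)
    print("using manifest #%d" % chosen["number"])
```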
CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/11/24 07:05:47

Modified files:
  usr.sbin/rpki-client: extern.h rrdp_util.c rsync.c

Log message:
Require files to be of a minimum size in the RRDP & RSYNC transports

Picked 100 bytes as a minimum, to accommodate future signature schemes (such
as the smaller P-256) and small files like empty CRLs.

With and OK claudio@ tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/11/23 06:01:15

Modified files:
  usr.sbin/rpki-client: rsync.c

Log message:
Don't set directory modtimes to match the source

When syncing against remote repositories, the modtimes of the remote
directories are irrelevant. In the RRDP protocol the directory modtimes aren't
signalled either. This should save some IOPS.

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/11/23 04:59:53

Modified files:
  usr.bin/rsync : extern.h fargs.c main.c rsync.1 uploader.c

Log message:
Add --omit-dir-times / -O

OK claudio@

CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/11/22 09:10:49

Modified files:
  . : ftp.html ftplist httpslist
  build : mirrors.dat
  openbgpd : ftp.html
  openntpd : portable.html
  openssh: ftp.html portable.html
  rpki-client: portable.html

Log message:
Add mirror in Tokyo, Japan - from Jing Luo

CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/11/22 07:26:46

Modified files:
  . : ftp.html httpslist
  build : mirrors.dat
  openbgpd : ftp.html
  openntpd : portable.html
  openssh: ftp.html portable.html
  rpki-client: portable.html

Log message:
Add new mirror in Lyon, France - by IBCP.fr

CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/11/22 07:14:09

Modified files:
  . : ftp.html httpslist
  build : mirrors.dat
  openbgpd : ftp.html
  openntpd : portable.html
  openssh: ftp.html portable.html
  rpki-client: portable.html

Log message:
Add mirror.businessconnect.nl

CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/10/24 18:00:10

Modified files:
  . : artwork.html

Log message:
List 7.4 in the art gallery

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/10/19 11:05:55

Modified files:
  usr.sbin/rpki-client: cert.c cms.c crl.c validate.c

Log message:
Add experimental support for secp256r1 aka P-256 aka prime256v1

ECDSA signatures are much smaller than RSA signatures while offering similar
security. Adding support for P-256 now allows CA developers to test their
implementations, and paves the way for signers in the production environment
in the future to take advantage of ECDSA.

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/10/13 06:06:49

Modified files:
  usr.sbin/rpki-client: Makefile as.c aspa.c cert.c extern.h filemode.c gbr.c geofeed.c ip.c main.c mft.c parser.c roa.c rpki-client.8 rsc.c tak.c
Added files:
  usr.sbin/rpki-client: constraints.c rfc3779.c

Log message:
Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing authority to
a limited set of Internet Number Resources allows Relying Parties to enjoy the
potential benefits of assuming trust, within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't
make any sense to see a ROA subordinate to ARIN's trust anchor covering
RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA
covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust
anchor - even if a derived trust arc (a cryptographically valid certificate
path) existed. Along these same lines, AFRINIC doesn't support inter-RIR
transfers of any kind, and none of the RIRs have authority over private
resources like 10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@

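How allow/deny constraints on a Trust Anchor bound what its subordinate objects may claim, as an added example (not rpki-client's constraints.c, and not the syntax of the constraints files in etc/rpki). The rule format and semantics below are assumptions made for this example: one 'allow' or 'deny' per line followed by an IP prefix or an ASN range 'A-B' (a lone ASN is a range of one); a resource overlapping any deny rule is rejected, and if allow rules exist for its kind and IP version it must also lie fully inside one of them. Coverage by the union of several allow rules is deliberately not handled. The constraints text and the ROA are constructed, not any RIR's real data.

```python
"""Applying allow/deny resource constraints to a ROA (added example)."""
import ipaddress


def parse_constraints(text):
    """Return a list of (verdict, kind, value) rules from constraint text.

    kind is 'ip' (value: ip_network) or 'asn' (value: (lo, hi) tuple)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments, blanks
        if not line:
            continue
        verdict, _, value = line.partition(" ")
        value = value.strip()
        if verdict not in ("allow", "deny") or not value:
            raise ValueError("bad rule: %r" % raw)
        if "/" in value:
            rules.append((verdict, "ip", ipaddress.ip_network(value, strict=True)))
        else:
            lo, _, hi = value.partition("-")
            lo, hi = int(lo), (int(hi) if hi else int(lo))
            if not 0 <= lo <= hi <= 0xFFFFFFFF:
                raise ValueError("bad ASN range: %r" % value)
            rules.append((verdict, "asn", (lo, hi)))
    return rules


def _overlaps(kind, res, rule):
    if kind == "ip":
        return res.version == rule.version and res.overlaps(rule)
    return res[0] <= rule[1] and rule[0] <= res[1]


def _within(kind, res, rule):
    if kind == "ip":
        return res.version == rule.version and res.subnet_of(rule)
    return rule[0] <= res[0] and res[1] <= rule[1]


def check_resource(rules, kind, res):
    """Verdict for one resource: 'denied', 'not-allowed' or 'ok'."""
    def same_family(rule):
        return kind == "asn" or rule.version == res.version

    for verdict, k, rule in rules:
        if verdict == "deny" and k == kind and same_family(rule) and _overlaps(kind, res, rule):
            return "denied"
    allows = [rule for verdict, k, rule in rules
              if verdict == "allow" and k == kind and same_family(rule)]
    if allows and not any(_within(kind, res, rule) for rule in allows):
        return "not-allowed"
    return "ok"


def check_roa(rules, asn, prefixes):
    """Apply the rules to a ROA's origin ASN and prefixes; returns {resource: verdict}."""
    result = {"AS%d" % asn: check_resource(rules, "asn", (asn, asn))}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        result[str(net)] = check_resource(rules, "ip", net)
    return result


# Constructed constraints for a hypothetical Trust Anchor.
CONSTRAINTS = """
allow 203.0.113.0/24
allow 2001:db8::/32
deny 2001:db8:ffff::/48   # sub-block carved out for another registry
deny 10.0.0.0/8           # private space: no RIR has authority over it
allow 64496-64511
deny 64500
"""

if __name__ == "__main__":
    rules = parse_constraints(CONSTRAINTS)
    verdicts = check_roa(rules, 64497,
                         ["203.0.113.0/25", "2001:db8:ffff::/64", "198.51.100.0/24"])
    for item, verdict in verdicts.items():
        print(item, verdict)
```

Because the deny check runs before the allow check and uses overlap rather than containment, a prefix that straddles a denied block (10.0.0.0/7 against deny 10.0.0.0/8) is rejected outright, which is the conservative reading for a resource that must be fully inside the TA's effective holdings.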
CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/10/03 16:52:34

Modified files:
  . : 74.html

Log message:
Add release artwork artist name

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/09/25 02:48:14

Modified files:
  usr.sbin/rpki-client: extern.h ip.c validate.c

Log message:
Introduce ip_addr_range_print() to avoid code repetition

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/09/12 03:33:30

Modified files:
  usr.sbin/rpki-client: cert.c extern.h x509.c

Log message:
Ensure the X.509 Subject only contains commonName and optionally serialNumber

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/09/10 18:50:47

Modified files:
  lib/libcrypto/x509: x509_addr.c

Log message:
Back out superfluous initialization

requested by jsing@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/09/06 09:53:07

Modified files:
  lib/libcrypto/x509: x509_addr.c

Log message:
Initialize afi & safi to zero

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/09/04 04:29:58

Modified files:
  usr.bin/ssh: ssh-keygen.1 ssh-keygen.c

Log message:
Generate Ed25519 keys when invoked without arguments

Ed25519 public keys are very convenient due to their small size.
OpenSSH has supported Ed25519 since version 6.5 (January 2014).

OK djm@ markus@ sthen@ deraadt@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/09/03 04:48:50

Modified files:
  usr.sbin/rpki-client: mft.c

Log message:
Shuffle the order in which Manifest entries are processed

Previously work items were enqueued in the order the CA intended them to
appear on a Manifest. However, there is no obvious benefit to letting third
parties decide the order in which things are processed. Instead, randomize:
ordering has no meaning anyway, and the number of concurrent repository
synchronization operations is limited & timeboxed.

As they say, a fox is not taken twice in the same snare

OK tb@

CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/09/02 18:47:11

Modified files:
  . : hackathons.html
Added files:
  images/hackathons: p2k23-s.gif p2k23.gif

Log message:
p2k23 is happening! Artwork by Sophie Smyth.

(Maybe it is just Ireland we don't understand.)

CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/09/01 16:17:57

Modified files:
  . : innovations.html

Log message:
Update entry for rpki-client(8)

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/08/30 04:13:12

Modified files:
  regress/lib/libcrypto/asn1: asn1time.c
  lib/libcrypto/asn1: a_time_tm.c

Log message:
Ensure no memory is leaked after passing NULL to ASN1_TIME_normalize()

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/08/30 04:02:28

Modified files:
  usr.sbin/rpki-client: main.c

Log message:
Constify argument to entity_write_repo()

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/08/30 04:01:52

Modified files:
  usr.sbin/rpki-client: main.c parser.c

Log message:
Fix comments

OK tb@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/08/16 02:38:40

Modified files:
  usr.sbin/bgpd : bgpd.conf.5

Log message:
ASPAs are AFI-agnostic

OK claudio@

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/07/19 15:53:45

Added files:
  regress/usr.sbin/rpki-client/aspa: AS945.asa

Log message:
Add extra ASPA regress object

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/07/19 15:49:30

Modified files:
  usr.sbin/rpki-client: print.c

Log message:
Rename ASPA providers field in filemode

fine with me @tb

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/07/10 06:02:37

Modified files:
  usr.sbin/rpki-client: aspa.c

Log message:
Update outdated comment

CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/07/07 07:58:57

Modified files:
  faq: faq14.html

Log message:
Also remove Soft Updates from TOC

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/07/07 07:21:28

Modified files:
  share/man/man5 : fstab.5

Log message:
Remove softdep from example fstab file

CVS: cvs.openbsd.org: www
CVSROOT: /cvs
Module name: www
Changes by: j...@cvs.openbsd.org 2023/07/07 07:17:17

Modified files:
  faq: faq14.html

Log message:
Remove paragraph about softdep

CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/06/29 04:22:37

Modified files:
  usr.sbin/rpki-client: print.c

Log message:
There no longer is a need to wrap the (now AFI-agnostic) ASPA providers in
objects in filemode

OK claudio@
