On Tue, Apr 19, 2022 at 06:53:28PM +0200, Alexander Bluhm wrote:
> On Tue, Apr 19, 2022 at 08:59:25AM +0200, Claudio Jeker wrote:
> > On Tue, Apr 19, 2022 at 01:44:40AM +0200, Alexander Bluhm wrote:
> > > Hi,
> > >
> > > Can we use a pool for rttimer_queue_po
On Tue, Apr 19, 2022 at 04:57:27PM +0200, Alexander Bluhm wrote:
> On Tue, Apr 19, 2022 at 08:46:06AM +0200, Claudio Jeker wrote:
> > On Tue, Apr 19, 2022 at 12:07:49AM +0200, Alexander Bluhm wrote:
> > > Hi,
> > >
> > > Instead of using a MP unsafe glob
If parse_filepath() is unable to locate the repository then fail hard.
It makes no sense to limp along in this case because something bigger is
broken and it is better to know about that early.
--
:wq Claudio
Index: parser.c
===
RCS
The code uses int for talid so there is no reason to use a size_t for the
talsz (which is the maximum talid). I also switched the type of i in
main.c to int which is used in for loops around talsz but also for NFDS.
Adjust the code in the output functions as well.
--
:wq Claudio
Index: extern.h
On Tue, Apr 19, 2022 at 01:44:40AM +0200, Alexander Bluhm wrote:
> Hi,
>
> Can we use a pool for rttimer_queue_pool?
Another option would be to use static rttimer_queues instead of allocating
them. Not that many timers are used. Requires additional changes in the
sysctl handlers (but that code is
On Tue, Apr 19, 2022 at 12:07:49AM +0200, Alexander Bluhm wrote:
> Hi,
>
> Instead of using a MP unsafe global variable, just call rt_timer_init()
> from route_init().
>
> ok?
Wouldn't it be better to move this into rtable_init?
route_init() is called by domaininit() as the last init function
(r
We have released OpenBGPD 7.3, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.
This release includes the following changes to the previous release:
* Macro expansion in the config file is improved. It is now possible
to expand 'set large-community $my
Hit this on sparc64. io_read_ulong() calls io_read_int() which already
does the le32toh() call. So skip the 2nd le32toh() call here.
With this openrsync works a lot better.
--
:wq Claudio
Index: io.c
===
RCS file: /cvs/src/usr.bin/r
On Tue, Apr 12, 2022 at 09:58:21AM +0200, Theo Buehler wrote:
> We can generalize sbgp_sia_location() and reuse it for AIAs and CRLs.
> This makes the checks a bit more stringent, which seems to be fine in
> practice. It also ensures that there are no embedded NULs which came
> up recently. One thi
On Mon, Apr 11, 2022 at 07:37:51PM +0200, Theo Buehler wrote:
> On Mon, Apr 11, 2022 at 05:11:30PM +, Job Snijders wrote:
> > On Mon, Apr 11, 2022 at 06:46:20PM +0200, Theo Buehler wrote:
> > > Is this base64 blob really useful? The exact same thing is contained in
> > > a more readable fashion
rpki-client starts a few processes and it can do this a bit more elegant
by factoring the common code out into process_start(). This makes the code
in main a fair bit shorter.
I decided to move all pledge calles into the individual processes. In my
opinion there is little benefit in keeping them i
On Mon, Apr 11, 2022 at 11:37:11AM +0200, Theo Buehler wrote:
> This should be the last step. It inlines sbgp_sia_resource_entry() into
> sbgp_sia() and dedups the sbgp_sia_resource_{notify,mft,carepo}() using
> a new sbgp_sia_location(). Move the GEN_URI check to sbgp_sia_location()
> since that s
On Mon, Apr 11, 2022 at 09:41:05AM +0200, Theo Buehler wrote:
> On Sun, Apr 10, 2022 at 12:40:08PM +0200, Claudio Jeker wrote:
> > This is a lot cleaner and indeed an improvement. I think some of the rc
> > handling can also be simplified. The code in sbgp_sia_resource_
On Mon, Mar 21, 2022 at 02:17:21PM +1000, David Gwynne wrote:
> in_pcbselsrc has this:
>
> ifp = if_get(mopts->imo_ifidx);
> if (ifp != NULL) {
> if (ifp->if_rdomain == rtable_l2(rtableid))
> IFP_TO_IA(ifp, ia);
>
On Tue, Apr 05, 2022 at 06:33:35PM +0200, Theo Buehler wrote:
> Instead of manually unpacking the SIA extension with super low-level
> ASN.1 fiddling, we can let the templated ASN.1 in libcrypto do this work
> for us, which makes the code quite a bit simpler. This resolves one
> FIXME and removes o
On Mon, Apr 04, 2022 at 08:44:43PM +0200, Theo Buehler wrote:
> p->res->mft and p->res->repo are populated in sbgp_sia_resouce_entry().
> Nothing guarantees that the resources are present. With our current
> strstr() implementation we would let a cert with a missing mft through
> while we would cra
This was fixed in January. Now RRDP issues an RRDP_CLEAR to the parent
which in turns removes all files from the .rrdp cache dir.
--
:wq Claudio
Index: rrdp.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/rrdp.c,v
retrieving revision
Kill a FIXME and simplify the logic around the process list by using a
static ids array on the stack.
Tested with and without -R.
--
:wq Claudio
Index: rsync.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
retrieving revisio
On Mon, Apr 04, 2022 at 01:33:18PM +0200, Theo Buehler wrote:
> We fixed this back in January when we added rtype_from_mftfile().
>
> Index: main.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
> retrieving revision 1.190
>
This diff alters the way rpki-client cleans up the cache directory.
While with rsync any file can be removed and on the next run it will be
fetched again RRDP has no such logic. It is a very fragile protocol and
only works if files are not removed by something else.
Until now files are just unlink
On Fri, Apr 01, 2022 at 06:52:48PM +0200, Claudio Jeker wrote:
> On Fri, Apr 01, 2022 at 06:31:43PM +0200, Theo Buehler wrote:
> > On Fri, Apr 01, 2022 at 05:01:00PM +0200, Claudio Jeker wrote:
> > > cert_parse_inner() now only uses the ta flag to change behaviour of
> > &g
On Fri, Apr 01, 2022 at 06:31:43PM +0200, Theo Buehler wrote:
> On Fri, Apr 01, 2022 at 05:01:00PM +0200, Claudio Jeker wrote:
> > cert_parse_inner() now only uses the ta flag to change behaviour of
> > loading the various x509 extensions (AKI, SKI, AIA und CRL DP).
> >
cert_parse_inner() now only uses the ta flag to change behaviour of
loading the various x509 extensions (AKI, SKI, AIA und CRL DP).
This diff changes these functions to work always. Make AKI, AIA and CRL DP
optional and have the code calling those functions check if they must have
the extension. I
I would like to get rid of the ta flag on cert_parse_inner() and only do
the basic cert parse bits there. Then cert_parse() and ta_parse() do the
other bits.
This moves the easy checks to the right place.
--
:wq Claudio
Index: cert.c
==
On Wed, Mar 30, 2022 at 03:10:58PM +0200, Theo Buehler wrote:
> On Wed, Mar 30, 2022 at 02:38:54PM +0200, Claudio Jeker wrote:
> > Change the code to use less goto and instead use a while loop.
> > I think the result is easier to understand.
>
> Yes this is clearer and preser
Change the code to use less goto and instead use a while loop.
I think the result is easier to understand.
OK?
--
:wq Claudio
Index: rde_update.c
===
RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v
retrieving revision 1.138
diff -u
On Mon, Mar 28, 2022 at 04:38:33PM -0400, Demi Marie Obenour wrote:
> On 3/28/22 10:39, Mark Kettenis wrote:
> >> Date: Mon, 28 Mar 2022 09:51:22 -0400
> >> From: Demi Marie Obenour
> >>
> >> On 3/27/22 21:45, Damien Miller wrote:
> >>> On Fri, 25 Mar 2022, Demi Marie Obenour wrote:
> >>>
> L
On Tue, Mar 22, 2022 at 06:35:47PM +0100, Alexander Bluhm wrote:
> On Tue, Mar 22, 2022 at 04:42:45PM +0100, Claudio Jeker wrote:
> > No but you push this layer into a specifc direction and by that make it
> > harder to fix the PCB tables in a different way. I just see people
&
On Tue, Mar 22, 2022 at 02:56:43PM +0100, Alexander Bluhm wrote:
> On Tue, Mar 22, 2022 at 02:25:08PM +0100, Claudio Jeker wrote:
> > On Tue, Mar 22, 2022 at 02:09:51PM +0100, Alexander Bluhm wrote:
> > > Hi,
> > >
> > > syzkaller and witness found the same bu
On Tue, Mar 22, 2022 at 02:09:51PM +0100, Alexander Bluhm wrote:
> Hi,
>
> syzkaller and witness found the same bug I introduced in UDP also
> for Raw IP. Fix it the same was for rip and rip6.
>
> https://syzkaller.appspot.com/bug?extid=9bac6356a881dc644265
> https://syzkaller.appspot.com/bug?ex
On Tue, Mar 22, 2022 at 11:40:12AM +0100, Theo Buehler wrote:
> On Tue, Mar 22, 2022 at 10:55:48AM +0100, Claudio Jeker wrote:
> > As mentioned I need a TAILQ for the list of prefixes that belong to a rib
> > entry. Mainly because I need TAILQ_PREV. This diff does this replacement
As mentioned I need a TAILQ for the list of prefixes that belong to a rib
entry. Mainly because I need TAILQ_PREV. This diff does this replacement.
I did not change the nexhtop LIST of prefixes to a TAILQ. Maybe something
to consider but there is no real need for that.
This is mostly a mechanical
On Tue, Mar 22, 2022 at 02:24:25PM +1000, David Gwynne wrote:
> i couldnt find any good examples of what to do when you wanted to
> receive multiple control messages from a single recvmsg call. the most
> interesting bit is how much space the buffer needs to be.
>
> if i struggled maybe someone el
On Mon, Mar 21, 2022 at 05:51:36PM +0100, Theo Buehler wrote:
> On Mon, Mar 21, 2022 at 05:16:53PM +0100, Claudio Jeker wrote:
> > In struct rib_entry bgpd keeps the 'best' or active prefix cached.
> > Now to support more than one one prefix per path (for ECMP and add-pat
In struct rib_entry bgpd keeps the 'best' or active prefix cached.
Now to support more than one one prefix per path (for ECMP and add-path)
I need the ability to access the previous element. The currently used
LIST macros do not support that. So I want to switch that to TAILQ but
the TAILQ head is
On Mon, Mar 21, 2022 at 01:19:53PM +0100, Theo Buehler wrote:
> On Mon, Mar 21, 2022 at 12:24:33PM +0100, Claudio Jeker wrote:
> > During config reload the RIB may need to be resynced when the
> > 'no evaluate' setting changes.
> >
> > This changes the code
During config reload the RIB may need to be resynced when the
'no evaluate' setting changes.
This changes the code to actually flush the Adj-RIB-Out of affected peers
and then adjust the RIB in a 2nd step. That way there is no need to use
rde_generate_updates() to remove the prefixes one by one in
On Mon, Mar 21, 2022 at 02:17:21PM +1000, David Gwynne wrote:
> in_pcbselsrc has this:
>
> ifp = if_get(mopts->imo_ifidx);
> if (ifp != NULL) {
> if (ifp->if_rdomain == rtable_l2(rtableid))
> IFP_TO_IA(ifp, ia);
>
This diff just renames F_CTL_ACTIVE and F_PREF_ACTIVE to the more correct
F_CTL_BEST and F_PREF_BEST. The flags are used to mark the one best path.
ACTIVE is not the right term here since with ECMP and add-path more than
one route can be active. I will probably add more flags to mark ECMP
prefixes
On Thu, Mar 17, 2022 at 02:09:39PM +0100, Mark Kettenis wrote:
> > Date: Thu, 17 Mar 2022 13:24:24 +0100
> > From: Alexander Bluhm
> >
> > On Thu, Mar 17, 2022 at 08:24:10AM +0100, Claudio Jeker wrote:
> > > On Thu, Mar 17, 2022 at 12:47:15AM +0100,
On Thu, Mar 17, 2022 at 12:47:15AM +0100, Alexander Bluhm wrote:
> Hi,
>
> My previous atempt to add a mutex to in_pcb.h was reverted as it
> broke userland build.
>
> Is the correct fix to include sys/mutex.h in every .c file that
> includes netinet/in_pcb.h ? I made a release with it.
> Or sho
Currently EoR markers use a full byte in struct prefix what can be done in
a bit. Use the last flags field so that that 1 byte is available again.
I already have a need for that byte this is why I came up with this
change.
--
:wq Claudio
? obj
Index: rde.h
==
This diff just refactors the code by moving the alloc part up.
It makes the code a bit easier to read and more similar with other
prefix_adjout functions. Also I plan to pass the struct prefix in
as an argument and do the prefix_adjout_get() in the callee.
--
:wq Claudio
Index: rde_rib.c
===
On Thu, Mar 10, 2022 at 05:54:21PM +0100, Theo Buehler wrote:
> On Thu, Mar 10, 2022 at 05:51:46PM +0100, Claudio Jeker wrote:
> > On Thu, Mar 10, 2022 at 05:33:28PM +0100, Martin Vahlensieck wrote:
> > > Hi
> > >
> > > This pulls up and adjusts the c
On Thu, Mar 10, 2022 at 05:33:28PM +0100, Martin Vahlensieck wrote:
> Hi
>
> This pulls up and adjusts the check if i exceeds the bounds of pfds.
> Before it was technically wrong, as i > NPFDS means that the last
> write (i == NPFDS) was already out of bounds.
I see no reason to pull up the che
On Tue, Mar 08, 2022 at 07:17:33PM +0100, Stefan Sperling wrote:
> On Tue, Mar 08, 2022 at 03:55:48PM +0100, Stefan Sperling wrote:
> > On Mon, Mar 07, 2022 at 03:04:06PM -0700, Theo de Raadt wrote:
> > > > For now, the structs are identical so the code copying data out is
> > > > kept simple.
> >
bgpd's parse.y uses a lot of STRING that is then further bisected in the
actual rule. One good example are all communities. Now if someone wants to
use macros in such arguments they do not work in all cases. e.g.
large-community $someas:1:2 works but large-community 1:$someas:2 does
not.
Right now
On Tue, Mar 08, 2022 at 01:33:01PM +0100, Theo Buehler wrote:
> If the length checks trigger, roa is leaked. It makes more sense to me
> to copy the data into ip4 and ip6, check lengths and then calloc rather
> than the current order, so I moved the calloc down a bit. Alternatively,
> we could jus
Another day another cleanup.
This diff moves rde_send_kroute() out of rde_generate_update() and back
into prefix_evaluate(). rde_generate_update() should only track the RIBs.
rde_generate_update() is mainly called from prefix_evaluate().
The only other caller is in rde_softreconfig_sync_reeval() t
struct kroute_full is the external representation of kroutes.
It includes the routing label as a string. For some reason there was also
a labelid field but that one is not used and needed, the labelid is an
internal id that has no value for any other process.
Just remove the field and the two plac
This moves the count adjustments into prefix_adjout_update() in a similar
way that was just done for prefix_adjout_withdraw().
Having the counts closer to the actual places where things are
added/removed makes the code a bit easier to grasp. The if cascade in
the prefix_adjout_get != NULL case can
On Wed, Mar 02, 2022 at 01:25:42PM +0100, Theo Buehler wrote:
> On Wed, Mar 02, 2022 at 01:07:09PM +0100, Claudio Jeker wrote:
> > On Wed, Mar 02, 2022 at 01:03:04PM +0100, Claudio Jeker wrote:
> > > This diff changes prefix_adjout_withdraw() to take a prefix pointer
> > &
On Wed, Mar 02, 2022 at 01:03:04PM +0100, Claudio Jeker wrote:
> This diff changes prefix_adjout_withdraw() to take a prefix pointer
> as argument. So instead of doing the lookup in the withdraw function the
> caller may need to do it.
>
> With this one call to up_generate_u
This diff changes prefix_adjout_withdraw() to take a prefix pointer
as argument. So instead of doing the lookup in the withdraw function the
caller may need to do it.
With this one call to up_generate_updates() can be replaced with a direct
call to prefix_adjout_withdraw(). rde_up_flush_upcall() t
On Wed, Mar 02, 2022 at 10:15:07AM +0100, Florian Obser wrote:
> On 2022-03-01 10:22 -08, j...@bitminer.ca wrote:
> > Looking at the gz option, I noticed some kv structs allocated on
> > stack but not fully initialized.
>
> Nice catch.
>
> >
> > This patches initializes the kv struct to avoid ran
On Mon, Feb 28, 2022 at 02:32:07PM +0100, Theo Buehler wrote:
> On Mon, Feb 28, 2022 at 12:35:09PM +0100, Claudio Jeker wrote:
> > From the start bgpd had prefix_link and prefix_unlink to link all the
> > various data objects together to build an actual prefix. Now prefix_move()
>From the start bgpd had prefix_link and prefix_unlink to link all the
various data objects together to build an actual prefix. Now prefix_move()
tries to be smart and reimplemented prefix_link and prefix_unlink as
inline versions (with minimal differences). Later the prefix_adjout_*
functions were
rde_dump_adjout_upcall() and rde_dump_adjout_prefix_upcall() work only
on prefixes that belong to the Adj-RIB-Out so check for the
PREFIX_FLAG_ADJOUT to make sure it is set.
Other code has the same 'assert' in rde_rib.c and I think it makes most
sense to put it here as well.
--
:wq Claudio
Index
On Fri, Feb 25, 2022 at 11:55:08AM +0100, Theo Buehler wrote:
> On Fri, Feb 25, 2022 at 11:15:49AM +0100, Claudio Jeker wrote:
> > For add-path send the Adj-RIB-Out needs to handle multiple paths per
> > prefix. The Adj-RIB-Out stores the prefixes on RB trees and so extend
> >
For add-path send the Adj-RIB-Out needs to handle multiple paths per
prefix. The Adj-RIB-Out stores the prefixes on RB trees and so extend
the lookup function to include the path_id (which will be path_id_tx).
For now the path_id_tx in the Adj-RIB-Out is forced to 0 since
up_generate_updates() is
This is one small step closer to support add-path send side.
We store the path_id_tx on the prefix and we can adjust a few places to
make use of that field. Now it is always 0 so nothing changes in the end
apart from removing some XXX comments.
--
:wq Claudio
Index: rde.c
===
On Thu, Feb 24, 2022 at 08:56:59PM +1000, David Gwynne wrote:
> On Thu, Feb 24, 2022 at 11:13:48AM +0100, Claudio Jeker wrote:
> > On Thu, Feb 24, 2022 at 07:39:54PM +1000, David Gwynne wrote:
> > >
> > > here's the di
On Thu, Feb 24, 2022 at 07:39:54PM +1000, David Gwynne wrote:
> On Mon, Feb 21, 2022 at 03:00:01PM +1000, David Gwynne wrote:
> > On Sun, Feb 20, 2022 at 10:30:22AM +1000, David Gwynne wrote:
> > >
> > >
> > > > On 20 Feb 2022, at 09:46, David Gwynne wrote:
> > > >
> > > > On Sat, Feb 19, 2022
In the big conversion I forgot to include parse.y in the files.
This diff fixes that.
--
:wq Claudio
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v
retrieving revision 1.420
diff -u -p -r1.420 parse.y
--- parse.y
Sometimes (mainly for tests) it can be useful to run bgpd on something
different than port 179. The following diff does mostly that. It allows
to define a port with 'listen on' and makes it possible to set the port
on a neighbor like it is done for rtr sessions.
The only thing not working are IPse
On Tue, Feb 22, 2022 at 02:01:26PM +0100, Theo Buehler wrote:
> EVP_PKEY_set1_EC_KEY() bumps eckey's refcount (that's what "set1" means),
> so eckey isn't freed when pkey is freed at the end of keyproc() or
> acctproc() (which means that secret data isn't wiped). Moving the
> freeing of eckey to th
On Tue, Feb 22, 2022 at 03:46:05PM +1000, David Gwynne wrote:
> this lets ifconfig show the MTU on interfaces like nvgre, vxlan, etc.
> they currently don't show it because they also implement a bridge ioctl,
> so ifconfig thinks they're a bridge.
>
> why ifconfig hides the mtu on bridges looks to
On Tue, Feb 15, 2022 at 04:49:10PM +1000, David Gwynne wrote:
> On Fri, Feb 11, 2022 at 03:13:25PM +1000, David Gwynne wrote:
> > On Fri, Mar 05, 2021 at 05:09:29PM +1000, David Gwynne wrote:
> > > On Thu, Mar 04, 2021 at 03:36:19PM +1000, David Gwynne wrote:
> > > > as the subject says, this is a
On Thu, Feb 10, 2022 at 04:09:40PM +0100, Theo Buehler wrote:
> On Thu, Feb 10, 2022 at 03:02:15PM +0100, Claudio Jeker wrote:
> > This adds the needed bits to print CRL files.
> > Using ASN1_INTEGER_get() is probably bad at least I think there is the
> > possibility the seri
This adds the needed bits to print CRL files.
Using ASN1_INTEGER_get() is probably bad at least I think there is the
possibility the serial number wont fit in the long. I hope tb@ has a
better solution :)
I created x509_get_time() to streamline the ASN1_TIME to time_t
conversion and replaced a bun
On Thu, Feb 10, 2022 at 11:45:06AM +0100, Theo Buehler wrote:
> > > Index: rrdp.c
> > > ===
> > > RCS file: /cvs/src/usr.sbin/rpki-client/rrdp.c,v
> > > retrieving revision 1.21
> > > diff -u -p -r1.21 rrdp.c
> > > --- rrdp.c23
On Thu, Feb 10, 2022 at 09:13:25AM +0100, Theo Buehler wrote:
> This is purely cosmetic. I did some testing on fedora which ships with
> btrfs by default. btrfs is special in that df -i and other tools always
> report 0 inodes. As a consequence, each rpki-client run prints the disk
> space warning,
On Thu, Feb 10, 2022 at 08:44:08AM +0100, Theo Buehler wrote:
> On Thu, Feb 10, 2022 at 07:51:45AM +0100, Theo Buehler wrote:
> > At this point conn->last_modified may or may not be allocated.
> > If it is, overriting it will leak 30 bytes.
>
> rrdp_input_handler() has a leak of the same kind.
>
On Wed, Feb 09, 2022 at 02:59:41PM +0100, Theo Buehler wrote:
> We should not use CRLs if now isn't between thisUpdate and nextUpdate.
> This also ensures that thisUpdate <= nextUpdate. While the verifier will
> catch all this, doing this early will often remove one of the two
> possible choices of
On Sat, Feb 05, 2022 at 12:28:08PM +0100, Mark Kettenis wrote:
> > Date: Sat, 5 Feb 2022 09:29:42 +0100
> > From: Anton Lindqvist
> >
> > Hi,
> > I recently got a USB headset with physical volume buttons, handled by
> > ucc(4). However, after enabling the device in sndiod the volume buttons
> > d
On Fri, Feb 04, 2022 at 07:20:21PM +0100, Theo Buehler wrote:
> On Fri, Feb 04, 2022 at 03:59:34PM +0100, Claudio Jeker wrote:
> > This is something I wanted to do for a while. Switch from u_intXY_t to
> > uintXY_t from stdint.h. The diff is mostly mechanical and was done wit
On Fri, Feb 04, 2022 at 03:56:18PM +0100, Theo Buehler wrote:
> On Fri, Feb 04, 2022 at 12:03:41PM +0100, Claudio Jeker wrote:
> > On Fri, Feb 04, 2022 at 10:41:03AM +0100, Theo Buehler wrote:
> > > It was pointed out to Claudio that rpki-client does not enforce
> >
On illumos sun is defined by some header so better not use sun as a
variable name. Rename variable to sa_un to reduce hacks in -portable.
--
:wq Claudio
Index: bgpctl/bgpctl.c
===
RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.c,v
retrie
On Fri, Feb 04, 2022 at 10:41:03AM +0100, Theo Buehler wrote:
> It was pointed out to Claudio that rpki-client does not enforce
> certificate policies.
>
> The diff below does that. It has two parts.
>
> In cert.c we check that the certificate policy extension matches the
> specification in RFC 6
On Fri, Jan 28, 2022 at 09:31:26AM +0100, Theo Buehler wrote:
> On Thu, Jan 27, 2022 at 09:38:54AM +0100, Claudio Jeker wrote:
> > On Thu, Jan 27, 2022 at 07:46:32AM +0100, Theo Buehler wrote:
> > > On Wed, Jan 26, 2022 at 04:42:04PM +0100, Claudio Jeker wrote:
> > > >
I think I introduced a bit of an error when skipping cleanup of RRDP
directories when RRDP is off. When RRDP is off the cache is updated via
rsync but when RRDP is turned back on later on the cache does not match
with the RRDP state file and so deltas will often fail to apply.
It is better to clea
On Thu, Jan 27, 2022 at 07:46:32AM +0100, Theo Buehler wrote:
> On Wed, Jan 26, 2022 at 04:42:04PM +0100, Claudio Jeker wrote:
> > So the RFC is not very clear but in general the idea is that if multiple
> > MFTs are available the newest one (highest manifest number) sho
So the RFC is not very clear but in general the idea is that if multiple
MFTs are available the newest one (highest manifest number) should be
used.
In our case there are two possible MFTs available the previously valid on
and the now downloaded one. So adjust the parser code so that both files
ar
rpki-client -f is a great tool to figure out what is going in the repo.
I noticed that supporting rsync:// URI (like the one from Authority info
access or Manifest) is easy and it makes it so much easier to follow
the breadcrumbs up and down.
While doing that I noticed that instead of using valid_
On Wed, Jan 26, 2022 at 11:43:25AM +0100, Theo Buehler wrote:
> On Wed, Jan 26, 2022 at 10:06:37AM +0100, Claudio Jeker wrote:
> > This diff removes the valid/ subdir in favor of a more direct directory
> > layout for all valid CA repository files.
> > It moves rrdp and rsyn
On Wed, Jan 26, 2022 at 01:29:42AM +0100, Alexander Bluhm wrote:
> Hi,
>
> There were some problems with ix(4) and ixl(4) hardware checksumming
> for the output path on strict alignment architectures.
>
> I have merged jan@'s diffs and added some sanity checks and
> workarounds.
>
> - If the fir
This diff removes the valid/ subdir in favor of a more direct directory
layout for all valid CA repository files.
It moves rrdp and rsync to .rsync and .rrdp but keeps ta/ because trust
anchors are special.
The biggest change is probably in the FTS code to cleanup the repo since
the traversing now
On Mon, Jan 24, 2022 at 05:20:49PM +, Job Snijders wrote:
> On Mon, Jan 24, 2022 at 04:33:10PM +0100, Claudio Jeker wrote:
> > This diff does a few things regarding MFT file and hash sequences:
> >
> > - it validates the filename early on so that if considered valid it ca
This diff does a few things regarding MFT file and hash sequences:
- it validates the filename early on so that if considered valid it can
be printed by printf(%s) without problems.
- it assigns the file type (based on the file extension) early on and no
longer uses this information when compa
Make all poll loops handle EINTR in the same way. Now since the loop is
restarted not poll related functions need to be called in that part of the
code. In rpki-client this only matters for the repo timeout. By merging
repo_next_timeout() and repo_check_timeout() together this function can be
moved
On Sat, Jan 22, 2022 at 02:21:23PM +0100, Theo Buehler wrote:
> On Sat, Jan 22, 2022 at 12:42:30PM +0100, Theo Buehler wrote:
> > On Sat, Jan 22, 2022 at 11:47:17AM +0100, Claudio Jeker wrote:
> > > The valid_cert() and valid_roa() functions both redo the valid_aki_ski()
> >
On Sat, Jan 22, 2022 at 11:50:34AM +0100, Theo Buehler wrote:
> On Sat, Jan 22, 2022 at 11:07:36AM +0100, Claudio Jeker wrote:
> > On Sat, Jan 22, 2022 at 10:22:02AM +0100, Theo Buehler wrote:
> > > On Sat, Jan 22, 2022 at 10:11:36AM +0100, Claudio Jeker wrote:
> > > &
The valid_cert() and valid_roa() functions both redo the valid_aki_ski()
call that the callee already did. Adjust the functions and skip this
redundant call. Also move the place where we set the talid for roa to a
better place.
With RFC3779 support in LibreSSL these functions no longer trigger sin
On Sat, Jan 22, 2022 at 10:22:02AM +0100, Theo Buehler wrote:
> On Sat, Jan 22, 2022 at 10:11:36AM +0100, Claudio Jeker wrote:
> > On Fri, Jan 21, 2022 at 03:22:51PM +0100, Claudio Jeker wrote:
> > > I would like to change -f into a real mode and with that support to
> > &
On Fri, Jan 21, 2022 at 03:22:51PM +0100, Claudio Jeker wrote:
> I would like to change -f into a real mode and with that support to
> show more then one file at a time.
>
> This is doing most of that. The output may need some extra fixing but the
> logic itself works.
>
>
On Fri, Jan 21, 2022 at 01:36:30PM -0700, Bob Beck wrote:
>
> I like that.. LGTM
>
> ok beck@
Ditto
>
> On Fri, Jan 21, 2022 at 08:37:27PM +0100, Theo Buehler wrote:
> > > Lets start with that and optimize this in tree. I think we can rename the
> > > function to something like rtype_from_mft
On Fri, Jan 21, 2022 at 04:49:47PM +0100, Theo Buehler wrote:
> On Fri, Jan 21, 2022 at 02:58:57PM +0100, Claudio Jeker wrote:
> > On Wed, Jan 19, 2022 at 06:01:38PM +0100, Theo Buehler wrote:
> > > Not sure if it is that much of a win, but it saves some repetition and
> &g
I would like to change -f into a real mode and with that support to
show more then one file at a time.
This is doing most of that. The output may need some extra fixing but the
logic itself works.
Yay or nay?
--
:wq Claudio
Index: main.c
=
On Wed, Jan 19, 2022 at 06:01:38PM +0100, Theo Buehler wrote:
> Not sure if it is that much of a win, but it saves some repetition and
> makes sure we don't forget checking the file name to be longer than 4
> another time (missed on review in main() and proc_parser_file()).
I like the diff. It is
Lets move the time validity checks for TA to cert.c. ta_parse already
checks the pubkey so why not do all validity checks.
While doing that remove the code to extract the subject. All errors print
the filename and the subject itself is just extra information that is less
helpful in the use case of
601 - 700 of 2115 matches
Mail list logo