Re: Implement rpki-client -f file

2022-01-19 Thread Claudio Jeker
On Wed, Jan 19, 2022 at 12:56:21PM +0100, Theo Buehler wrote: > On Wed, Jan 19, 2022 at 11:06:06AM +0100, Claudio Jeker wrote: > > The idea is that rpki-client -f file will show a human readable output for > > file. It will also verify that file is valid (o

Re: usr.sbin/ospf6d: fix -Wunused-but-set-variable warnings

2022-01-19 Thread Claudio Jeker
On Mon, Jan 17, 2022 at 02:54:32PM +0100, Christian Weisgerber wrote: > usr.sbin/ospf6d: fix -Wunused-but-set-variable warnings > > merge_config() sets "rchange", but doesn't use it. Comparing the > code to osfpd/ospfd.c makes me think that's an omission. Either > way it seems odd that the two

Re: rpki-client x509 verification in common function

2022-01-19 Thread Claudio Jeker
On Tue, Jan 18, 2022 at 02:41:38PM +0100, Claudio Jeker wrote: > On Tue, Jan 18, 2022 at 02:09:08PM +0100, Theo Buehler wrote: > > On Tue, Jan 18, 2022 at 12:16:44PM +0100, Claudio Jeker wrote: > > > How X509_verify_cert() is called in rpki-client is mostly the same in all > &

Implement rpki-client -f file

2022-01-19 Thread Claudio Jeker
The idea is that rpki-client -f file will show a human readable output for file. It will also verify that file is valid (or show an error if not). This implements this as a first version. Especially the output needs improvement but parsing and validation works. For validation rpki-client needs to

Re: rpki-client: plug leak in queue_add_from_tal()

2022-01-19 Thread Claudio Jeker
On Wed, Jan 19, 2022 at 09:35:34AM +0100, Theo Buehler wrote: > This is the straightforward way to fix the leak of nfile in case the > repo isn't found. The other option would be to defer the strdup until > after successful lookup, but that felt clunky. Yes, that's OK claudio@. I agree that this

Re: rpki-client valid_x509() followup

2022-01-18 Thread Claudio Jeker
On Tue, Jan 18, 2022 at 07:15:54PM +0100, Theo Buehler wrote: > > I will commit this version in a bit (once rpki-client finished its run). > > I like this approach a lot better. ok > > One small comment below. > > > -- > > :wq Claudio > > > > Index: parser.c > >

Re: rpki-client valid_x509() followup

2022-01-18 Thread Claudio Jeker
On Tue, Jan 18, 2022 at 06:46:35PM +0100, Theo Buehler wrote: > On Tue, Jan 18, 2022 at 06:38:46PM +0100, Claudio Jeker wrote: > > This is a follow up to the valid_x509() commit from earlier today. > > tb@ suggested that the crl check should be grouped together. > > After s

rpki-client valid_x509() followup

2022-01-18 Thread Claudio Jeker
This is a follow up to the valid_x509() commit from earlier today. tb@ suggested that the crl check should be grouped together. After some thought I decided to do this all different. First of all introduce a checkcrl flag which turns on X509_V_FLAG_CRL_CHECK. This prevents code that expects a CRL

Re: rpki-client refactor cert.c

2022-01-18 Thread Claudio Jeker
On Tue, Jan 18, 2022 at 05:20:45PM +0100, Theo Buehler wrote: > On Tue, Jan 18, 2022 at 04:16:17PM +0100, Claudio Jeker wrote: > > This diff cleans up cert.c a bit. > > > > It removes the X509 handle from cert_parse() and ta_parse(). Callers > > should instead use ce

rpki-client refactor cert.c

2022-01-18 Thread Claudio Jeker
This diff cleans up cert.c a bit. It removes the X509 handle from cert_parse() and ta_parse(). Callers should instead use cert->x509. No need to double the work on us here. While there switch auth_insert() to a void function. This function can not fail. Again the result is simpler code in

Re: rpki-client x509 verification in common function

2022-01-18 Thread Claudio Jeker
On Tue, Jan 18, 2022 at 02:09:08PM +0100, Theo Buehler wrote: > On Tue, Jan 18, 2022 at 12:16:44PM +0100, Claudio Jeker wrote: > > How X509_verify_cert() is called in rpki-client is mostly the same in all > > places so move all this X509 boilerplate into valid_x509(). > >

Re: C API Suggestion: Get Hard Link Path and Filename From File Descriptor

2022-01-18 Thread Claudio Jeker
UNIX does not let you get the path from an open file descriptor. It is not possible to give this information reliably so you can't provide an API. While an inode may exist a path to that inode may not. This is the case for a file that is replaced or deleted while open. Some systems give people a

rpki-client x509 verification in common function

2022-01-18 Thread Claudio Jeker
How X509_verify_cert() is called in rpki-client is mostly the same in all places so move all this X509 boilerplate into valid_x509(). This simplifies the x509 validation in the parser a fair bit and will also make it easier for -f to validate certs. OK? -- :wq Claudio Index: parser.c

rpki-client init all oids in one place

2022-01-18 Thread Claudio Jeker
Use a common x509_init_oid() function to initialize all OID (convert them to NIDs). I prefer this over having them spread out all over the place. OK? -- :wq Claudio Index: cert.c === RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v

Re: clang: compile static analyzer

2022-01-14 Thread Claudio Jeker
On Fri, Jan 14, 2022 at 04:44:49PM +, Stuart Henderson wrote: > On 2022/01/14 16:52, Rafael Sadowski wrote: > > On Fri Jan 14, 2022 at 03:17:21PM +0100, Tobias Heider wrote: > > > Hi, > > > > > > clang ships with a pretty useful static analyzer to find all kinds of bugs > > > in C and C++

Re: rpki-client introduce validated cache

2022-01-14 Thread Claudio Jeker
On Fri, Jan 14, 2022 at 01:45:19PM +, Job Snijders wrote: > Thanks Claudio, > > A question about stats below > > On Fri, Jan 14, 2022 at 10:29:20AM +0100, Claudio Jeker wrote: > > @@ -1246,8 +1249,8 @@ main(int argc, char *argv[]) > > logx("Certificate re

Re: rpki-client introduce validated cache

2022-01-14 Thread Claudio Jeker
On Thu, Jan 13, 2022 at 10:51:33PM +0100, Theo Buehler wrote: > On Thu, Jan 13, 2022 at 05:05:57PM +0100, Claudio Jeker wrote: > > This diff adds a new cache subdir called "valid". This is the place where > > all verified and good files are stored after a run. It makes

rpki-client introduce validated cache

2022-01-13 Thread Claudio Jeker
This diff adds a new cache subdir called "valid". This is the place where all verified and good files are stored after a run. It makes -n work a lot better since -n will now only look at what's inside "valid" and ignore "rsync" and "rrdp". The trust anchors are still stored in "ta" even if valid.

rpki-client reshuffle deck chairs

2022-01-13 Thread Claudio Jeker
This diff just shuffles some functions around to reduce the size of the validate cache diff. -- :wq Claudio Index: repo.c === RCS file: /cvs/src/usr.sbin/rpki-client/repo.c,v retrieving revision 1.23 diff -u -p -r1.23 repo.c ---

rpki-client stop checking stale manifests

2022-01-13 Thread Claudio Jeker
Noticed the other day, a stale manifest tries to check the fileandhash data. But when running with -n none of this data will be around since it was most probably removed on the previous run. The result is a lot of warnings on top of the warning about the mft being stale. It is better to skip

Re: rpki-client, adjust valid_filehash and callers for repo split

2022-01-13 Thread Claudio Jeker
On Thu, Jan 13, 2022 at 02:24:59PM +0100, Theo Buehler wrote: > On Thu, Jan 13, 2022 at 02:16:02PM +0100, Claudio Jeker wrote: > > Right now a file can only exist in one place in the rpki-client cache. > > This will change when we split valid data to its own repo. > > >

rpki-client, adjust valid_filehash and callers for repo split

2022-01-13 Thread Claudio Jeker
Right now a file can only exist in one place in the rpki-client cache. This will change when we split valid data to its own repo. One step to get closer to that is to alter valid_filehash() to take an open filedescriptor instead of using open(2) itself. This allows the callers to decide which

rpki-client real cleanup before snapshot

2022-01-13 Thread Claudio Jeker
This introduces a function remove_contents() which is implementing a basic rm -r and uses it to clean the RRDP repository when downloading a snapshot (especially after a delta failure). It also cleans out the temp directory after a failure to fetch. With the introduction of a validated cache this

rpki-client prepare to use rsync --compare-dest

2022-01-13 Thread Claudio Jeker
This diff adds the code to pass --compare-dest to rsync. This will be used once there is a valid cache and then the rsync repo will just act as a delta on top. Now --compare-dest is a bit strange as in the directory passed is relative to the destination directory (last argument of rsync

rpki-client fix -n mode

2022-01-13 Thread Claudio Jeker
Since we push repository information over to the parser -n mode was broken because in that case the TA repositories did not get sent. This little diff fixes the problem. -- :wq Claudio Index: repo.c === RCS file:

Re: rpki-client pass repo info to parser process

2022-01-11 Thread Claudio Jeker
On Tue, Jan 11, 2022 at 11:36:19AM +, Job Snijders wrote: > On Mon, Jan 10, 2022 at 03:30:23PM +0100, Claudio Jeker wrote: > > + if (RB_INSERT(repo_tree, , rp) != NULL) > > + errx(1, "repository already added to repo tree %d, %s", id, > > path);

Re: unlock mmap(2) for anonymous mappings

2022-01-11 Thread Claudio Jeker
On Tue, Jan 11, 2022 at 08:15:13AM +, Klemens Nanni wrote: > On Mon, Jan 10, 2022 at 12:06:44PM +, Klemens Nanni wrote: > > On Fri, Dec 31, 2021 at 07:54:53PM +0300, Vitaliy Makkoveev wrote: > > > The uvm_wxabort path within uvm_wxcheck() looks not MP-safe. > > > > Right, I did not pay

rpki-client pass repo info to parser process

2022-01-10 Thread Claudio Jeker
This diff changes the way the parser figures out which file to work on. Until now the parent process sent a full path to the parser but that does not work well with the idea of splitting the repo up into validated, rsync and rrdp parts. So this diff changes the way the parser opens a file. There

Re: rpki-client fix for a FIXME

2022-01-06 Thread Claudio Jeker
On Thu, Jan 06, 2022 at 01:48:01PM +0100, Theo Buehler wrote: > On Thu, Jan 06, 2022 at 01:21:03PM +0100, Claudio Jeker wrote: > > Ran into this the other day and could not help myself to adjust the code. > > If the mft is stale just bump the stale counter and be done. If not stal

rpki-client fix for a FIXME

2022-01-06 Thread Claudio Jeker
Ran into this the other day and could not help myself to adjust the code. If the mft is stale just bump the stale counter and be done. If not stale queue all files from the mft for the next round. In mft_parse I switched to a switch statement which is more obvious in my opinion. -- :wq Claudio

rpki-client parser refactor

2022-01-05 Thread Claudio Jeker
This changes the last proc_parser function over to not pass the entity to the function. In this case apart from file we also need to pass the public key of the TA and the tal identifier. Change is mechanical and makes all callers work the same way. -- :wq Claudio Index: parser.c

Re: rpki-client pass real filename from parser back to parent

2022-01-04 Thread Claudio Jeker
On Tue, Jan 04, 2022 at 04:57:23PM +0100, Theo Buehler wrote: > On Tue, Jan 04, 2022 at 04:15:56PM +0100, Claudio Jeker wrote: > > This is another diff on the way to having a validated repo. > > Pass the filename of the entity which was parsed back to the parent. > >

rpki-client pass real filename from parser back to parent

2022-01-04 Thread Claudio Jeker
This is another diff on the way to having a validated repo. Pass the filename of the entity which was parsed back to the parent. With this we can move the filepath_add() call from entity_write_req() to entity_process(). As a side-effect the "Already visited" check is moved after parsing so a file

unbreak rpki-client -n mode

2022-01-04 Thread Claudio Jeker
Currently running rpki-client -n with an up to date repo results in the loss of around 25% of ROAs. The reason is that most of apnic fails since they decided it is a glorious idea to put two rsync repos into one rrdp repo. When changing the repo state for the noop case from REPO_DONE to

Re: rpki-client: simplify verify callback

2022-01-04 Thread Claudio Jeker
On Tue, Jan 04, 2022 at 02:48:17PM +0100, Theo Buehler wrote: > As discussed in the previous thread, we can simplify the verify callback > by getting rid of the extremely noisy warnx at the end. Fail directly on > encountering an unknown critical extension and succeed otherwise. OK claudio@ (and

Re: fix some -Wunused-but-set-variable warnings in vmd

2022-01-04 Thread Claudio Jeker
On Tue, Jan 04, 2022 at 08:42:29AM -0500, Dave Voutila wrote: > > Claudio Jeker writes: > > > These are obvious and easy to fix unused but set variables. > > There are more in vioscsi.c but those are actually used if compiled with > > DEBUG set. > > ok dv@, but

Re: fix some -Wunused-but-set-variable warnings in vmd

2022-01-04 Thread Claudio Jeker
On Tue, Jan 04, 2022 at 10:58:41AM +0100, Claudio Jeker wrote: > These are obvious and easy to fix unused but set variables. > There are more in vioscsi.c but those are actually used if compiled with > DEBUG set. The changes in loadfile_elf.c, vioqcow2.c and vmd.c are trivial and can be

Re: rpki-client: check ipAddrBlock and autonomousSysNum for criticality

2022-01-04 Thread Claudio Jeker
On Wed, Dec 29, 2021 at 01:12:25PM +0100, Claudio Jeker wrote: > On Wed, Dec 29, 2021 at 01:06:30AM +0100, Theo Buehler wrote: > > On Tue, Dec 28, 2021 at 05:08:46PM +0100, Claudio Jeker wrote: > > > On Mon, Dec 27, 2021 at 12:23:32PM +0100, Theo Buehler wrote: > > > &

fix some -Wunused-but-set-variable warnings in vmd

2022-01-04 Thread Claudio Jeker
These are obvious and easy to fix unused but set variables. There are more in vioscsi.c but those are actually used if compiled with DEBUG set. -- :wq Claudio Index: loadfile_elf.c === RCS file:

Re: fix vmctl -B net -b bsd.rd to autoinstall

2021-12-29 Thread Claudio Jeker
On Wed, Dec 22, 2021 at 12:34:34PM -0500, Dave Voutila wrote: > > Claudio Jeker writes: > > > On Wed, Dec 22, 2021 at 10:14:40AM -0500, Dave Voutila wrote: > >> > >> Claudio Jeker writes: > >> > >> > I added support for vmctl -cL -B n

Re: rpki-client: check ipAddrBlock and autonomousSysNum for criticality

2021-12-29 Thread Claudio Jeker
On Wed, Dec 29, 2021 at 01:06:30AM +0100, Theo Buehler wrote: > On Tue, Dec 28, 2021 at 05:08:46PM +0100, Claudio Jeker wrote: > > On Mon, Dec 27, 2021 at 12:23:32PM +0100, Theo Buehler wrote: > > > On Sat, Dec 25, 2021 at 05:48:53PM +0100, Claudio Jeker wrote: > > >

Re: rpki-client: check ipAddrBlock and autonomousSysNum for criticality

2021-12-28 Thread Claudio Jeker
On Mon, Dec 27, 2021 at 12:23:32PM +0100, Theo Buehler wrote: > On Sat, Dec 25, 2021 at 05:48:53PM +0100, Claudio Jeker wrote: > [...] > > I would love to get rid of X509_V_FLAG_IGNORE_CRITICAL and use a callback > > to ensure the right extensions are critical but I never managed

simplify rpki-client entity marshal

2021-12-28 Thread Claudio Jeker
This re-shuffles struct entity a bit and removes the unneeded has_data indicator. Both data and datasz are not null when data is present and null when there is no data. With this in mind the code becomes simpler. -- :wq Claudio Index: extern.h

Re: rpki-client: check ipAddrBlock and autonomousSysNum for criticality

2021-12-25 Thread Claudio Jeker
On Sat, Dec 25, 2021 at 11:36:50AM +0100, Theo Buehler wrote: > These extensions MUST be marked critical by the sections of the spec > mentioned in the cryptowarnx(). That's determined by the ASN1_BOOLEAN > that is extracted and ignored after the FIXME a few lines below each of > the two hunks.

rpki-client refactor common repo code

2021-12-23 Thread Claudio Jeker
Create a common repo_done() function which does the entiyq_flush and in the case of RRDP the fallback to rsync. This simplifies the code and will help to add the repo info to the parser process. One difference between this and the original version is the case when a RRDP repository merge fails.

Re: uhidppctl(8)

2021-12-23 Thread Claudio Jeker
On Thu, Dec 23, 2021 at 07:50:24AM +, Raf Czlonka wrote: > On Wed, Dec 22, 2021 at 08:32:16AM GMT, Claudio Jeker wrote: > > On Tue, Dec 21, 2021 at 03:49:47PM -0500, jwinnie@tilde.institute wrote: > > > > > > Hello OpenBSD developers, > > > > > &g

Re: fix vmctl -B net -b bsd.rd to autoinstall

2021-12-22 Thread Claudio Jeker
On Wed, Dec 22, 2021 at 10:14:40AM -0500, Dave Voutila wrote: > > Claudio Jeker writes: > > > I added support for vmctl -cL -B net -b bsd.rd -d disk.img to run the > > autoinstall by emulating a PXE boot. In the commit > > https://gi

Re: [External] : Re: make 'set skip on ...' dynamic

2021-12-22 Thread Claudio Jeker
On Sat, Dec 04, 2021 at 07:01:23PM +0100, Alexandr Nedvedicky wrote: > Hello, > > > On Fri, Dec 03, 2021 at 03:42:09PM +0100, Claudio Jeker wrote: > > > > See comments below. > > > > > > > +void > > > +pfi_group_delmember(const char *gro

fix vmctl -B net -b bsd.rd to autoinstall

2021-12-22 Thread Claudio Jeker
I added support for vmctl -cL -B net -b bsd.rd -d disk.img to run the autoinstall by emulating a PXE boot. In the commit https://github.com/openbsd/src/commit/a13de4d12a4c9ba0edc05aab2ad635f782449229 the feature got removed over eagerly. This diff adds this back because I find this super

Re: rpki-client, stop using size_t for ids

2021-12-22 Thread Claudio Jeker
On Tue, Dec 21, 2021 at 06:24:44PM +, Job Snijders wrote: > On Tue, Dec 21, 2021 at 07:00:03PM +0100, Claudio Jeker wrote: > > For some reasons various ids were stored as size_t (probably because once > > they used to be the index in an array). This is just silly and annoyed

Re: uhidppctl(8)

2021-12-22 Thread Claudio Jeker
On Tue, Dec 21, 2021 at 03:49:47PM -0500, jwinnie@tilde.institute wrote: > > Hello OpenBSD developers, > > I am interested in contributing to improve the uhidpp(4) > (Logitech Unifying Receiver) support in OpenBSD. > > Currently, the uhidpp(4) driver only handles detecting certain > sensors,

more rpki-client cleanup

2021-12-21 Thread Claudio Jeker
In the roa parser the handling of maxlen is overly complex. Just set maxlen to addr.prefixlen before parsing the maxlength option. If present it will override maxlen with the new value and with that the ternary confusion at the end can be removed. -- :wq Claudio Index: roa.c

rpki-client, stop using size_t for ids

2021-12-21 Thread Claudio Jeker
For some reasons various ids were stored as size_t (probably because once they used to be the index in an array). This is just silly and annoyed me for long enough. I think this fixes all of them. While there also stop using size_t for maxlength of a prefix. Everywhere else the code uses just a

rpki-client simplify code a bit

2021-12-21 Thread Claudio Jeker
The limiter for repository count under a TA only makes sense for repositories referenced from certs but less so for the actual TA. So remove the logic from ta_lookup() and friends and make the code simpler. There is no risk in doing so since there is only one TA and one ta_lookup() done per TAL

fix ldapd bug when removing last attribute

2021-12-19 Thread Claudio Jeker
In LDAP there are two ways to remove an attribute. One can remove an attribute by just naming the attribute but it is also possible to remove a specific attribute: value combo. In ldapd the latter is broken if the last attribute is removed because the result of ldap_del_values() is an invalid

Re: dhcpleased(8): use struct assignment

2021-12-13 Thread Claudio Jeker
On Mon, Dec 13, 2021 at 11:25:02AM +0100, Florian Obser wrote: > Replace struct member assignment with struct assignment to make the code > more compact. No binary change (on amd64). > > OK? Or is there a reason not to do this? Looks good to me and I also see no reason why this should not be

Re: dhcpleased(8): network byte order for xid

2021-12-13 Thread Claudio Jeker
On Mon, Dec 13, 2021 at 11:27:20AM +0100, Florian Obser wrote: > Treat xid as a uint32_t in network byte order on the wire. > > Internally this doesn't matter since we only care about equality. > This makes logging output comparable to tcpdump(8). > > Pointed out by joel@ > > OK? OK claudio@

Re: add number of prefixed received to bgpctl -j sh

2021-12-12 Thread Claudio Jeker
On Sun, Dec 12, 2021 at 03:22:37PM +0100, Denis Fondras wrote: > On Sun, Dec 12, 2021 at 01:43:06PM +, Stuart Henderson wrote: > > On 2021/12/12 14:13, Denis Fondras wrote: > > > Number of received prefixes appear in `bgpctl sh` but not in `bgpctl -j > > > sh`. > > > > > > Here is a diff

rpki-client: use single function to build basedir

2021-12-03 Thread Claudio Jeker
Currently ta, rrdp and rsync repositories use different functions to build their base path. This diff changes this so that all can use the same function. This is a first step to introduce a common validated repository. -- :wq Claudio Index: repo.c

Re: [External] : Re: make 'set skip on ...' dynamic

2021-12-03 Thread Claudio Jeker
On Fri, Nov 26, 2021 at 11:37:37PM +0100, Alexandr Nedvedicky wrote: > Hello, > > On Fri, Nov 26, 2021 at 01:01:40PM +0100, Claudio Jeker wrote: > > > > One more thing to consider, I think the following test in pfi_set_flags(): > > > > > + if

Re: [External] : Re: make 'set skip on ...' dynamic

2021-11-26 Thread Claudio Jeker
On Thu, Nov 25, 2021 at 02:56:02PM +0100, Alexandr Nedvedicky wrote: > Hello, > > thank you for taking a look at my diff. > > > > > > } > > > > > > - if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || kif == pfi_all) > > > + if (kif->pfik_ifp != NULL || kif->pfik_group != NULL ||kif

Re: rpki-client: make maximum number of publication points to sync operator configurable

2021-11-25 Thread Claudio Jeker
On Thu, Nov 25, 2021 at 08:18:10PM +0100, Sebastian Benoit wrote: > Job Snijders(j...@openbsd.org) on 2021.11.25 16:13:51 +: > > It might be advantageous to permit operators to optionally specify the > > maximum number of publication points with which rpki-client will > > synchronize. > > > >

Re: rpki-client: set repo_timeout to be 1/4th of timeout

2021-11-25 Thread Claudio Jeker
On Thu, Nov 25, 2021 at 12:54:49PM +, Job Snijders wrote: > Replace MAX_REPO_TIMEOUT with repo_timeout, which is set to 1/4th of > timeout, or if timeout is disabled set it to 24 hours. > > OK? OK claudio@ > Index: extern.h >

Re: make 'set skip on ...' dynamic

2021-11-25 Thread Claudio Jeker
On Fri, Nov 19, 2021 at 12:59:38AM +0100, Alexandr Nedvedicky wrote: > Hello, > > it has turned out things are bit more complicated when it comes to interface > groups. diff below makes following scenario work for me. > > we start with etc/pf.conf as follows: > > # cat /etc/pf.conf >

rpki-client rrdp regress test

2021-11-25 Thread Claudio Jeker
00 @@ -0,0 +1,338 @@ +/* $OpenBSD: rrdp.c,v 1.17 2021/10/29 09:27:36 claudio Exp $ */ +/* + * Copyright (c) 2020 Nils Fisher + * Copyright (c) 2021 Claudio Jeker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, prov

rpki-client code shuffle

2021-11-24 Thread Claudio Jeker
free(hash); + } } Index: rrdp_util.c ======= RCS file: rrdp_util.c diff -N rrdp_util.c --- /dev/null 1 Jan 1970 00:00:00 - +++ rrdp_util.c 24 Nov 2021 12:50:03 - @@ -0,0 +1,120 @@ +/* $OpenBSD$ */ +/* + * Copyright (c) 2020 N

Re: acme-client: another trivial accessor conversion

2021-11-22 Thread Claudio Jeker
On Mon, Nov 22, 2021 at 12:18:37AM +0100, Theo Buehler wrote: > bio->num_write aka BIO_number_written(bio). Straightforward. The main > reason I'm asking is that keeping the two else results in overlong lines > and awkward line wrapping. So I decided to drop them hoping that's > acceptable.

Re: IPsec tdb ddb print

2021-11-18 Thread Claudio Jeker
On Thu, Nov 18, 2021 at 08:50:37AM +, Stuart Henderson wrote: > On 2021/11/18 09:15, Claudio Jeker wrote: > > On Thu, Nov 18, 2021 at 08:10:26AM +, Stuart Henderson wrote: > > > On 2021/11/15 17:23, Alexander Bluhm wrote: > > > >

Re: IPsec tdb ddb print

2021-11-18 Thread Claudio Jeker
On Thu, Nov 18, 2021 at 08:10:26AM +, Stuart Henderson wrote: > On 2021/11/15 17:23, Alexander Bluhm wrote: > > + DUMP(ids, "%p"); > > + DUMP(ids_swapped, "%d"); > > + DUMP(mtu, "%d"); > > + DUMP(mtutimeout, "%lld"); > > + pr("%18s: %08x\n",

bt.5 document count()

2021-11-16 Thread Claudio Jeker
This documents count(). This function only works when used like this @map[key] = count(); But it is implemented and works. If used differently you get a syntax error which is not helpful. This is why I chose to document it like this. Another option would be to document the language (so it

Re: vport: set UP on ip assign

2021-11-15 Thread Claudio Jeker
On Mon, Nov 15, 2021 at 12:23:02PM +, Klemens Nanni wrote: > On Mon, Nov 15, 2021 at 12:00:18PM +1000, David Gwynne wrote: > > On Sat, Nov 13, 2021 at 11:59:59PM +, Klemens Nanni wrote: > > > Practically all interfaces pull itself up when IPs get assigned, but > > > vport(4) does not. > >

support probe as variable in btrace

2021-11-12 Thread Claudio Jeker
This is something I missed to do easy btrace check like: syscall:exit:entry, syscall:fork:entry, syscall:sigaction:entry, syscall:execve:entry, syscall:open:entry { @[probe] = count(); } This will produce something like this as output: @[syscall:open:entry]: 844 @[syscall:sigaction:entry]: 480

Re: sigsuspend(2): sleep on channel?

2021-11-11 Thread Claudio Jeker
On Thu, Nov 11, 2021 at 02:13:26PM -0600, Scott Cheloha wrote: > On Thu, Nov 11, 2021 at 08:53:20PM +0100, Mark Kettenis wrote: > > > Date: Thu, 11 Nov 2021 13:30:04 -0600 > > > From: Scott Cheloha > > > > > > My understanding of sigsuspend(2) is that it only returns if a signal > > > is

Re: sppp(4)/pppoe(4) - DNS configuration via resolvd(8)

2021-11-10 Thread Claudio Jeker
On Wed, Nov 10, 2021 at 07:35:26AM +0100, Bjorn Ketelaars wrote: > On Mon 08/11/2021 11:52, Bjorn Ketelaars wrote: > > Diff below does two things: > > 1. add PPP IPCP extensions for name server addresses (rfc1877) to > >sppp(4) > > 2. propose negotiated name servers from sppp(4) to resolvd(8)

Re: sppp(4)/pppoe(4) - DNS configuration via resolvd(8)

2021-11-10 Thread Claudio Jeker
On Wed, Nov 10, 2021 at 08:22:52AM +0100, Sebastien Marie wrote: > On Wed, Nov 10, 2021 at 07:35:26AM +0100, Bjorn Ketelaars wrote: > > On Mon 08/11/2021 11:52, Bjorn Ketelaars wrote: > > > Diff below does two things: > > > 1. add PPP IPCP extensions for name server addresses (rfc1877) to > > >

Re: rpki-client ip_addr_print cleanup

2021-11-09 Thread Claudio Jeker
On Tue, Nov 09, 2021 at 07:44:41PM +0100, Claudio Jeker wrote: > ip_addr_print() can be simplified. ip4_addr2str() and ip6_addr2str() are > the same apart from the different AF argument to inet_ntop(). Just collapse > all into ip_addr_print(). This version is using a switch statement

rpki-client sync http escape handling with ftp(1)

2021-11-09 Thread Claudio Jeker
kn@ removed '~' from unsafe_chars but also changed the code at the same time. This tries to bring the version in rpki-client back in sync with the code in ftp(1). -- :wq Claudio Index: http.c === RCS file:

rpki-client ip_addr_print cleanup

2021-11-09 Thread Claudio Jeker
ip_addr_print() can be simplified. ip4_addr2str() and ip6_addr2str() are the same apart from the different AF argument to inet_ntop(). Just collapse all into ip_addr_print(). -- :wq Claudio Index: ip.c === RCS file:

Re: sppp(4)/pppoe(4) - DNS configuration via resolvd(8)

2021-11-08 Thread Claudio Jeker
On Mon, Nov 08, 2021 at 11:52:52AM +0100, Bjorn Ketelaars wrote: > Diff below does two things: > 1. add PPP IPCP extensions for name server addresses (rfc1877) to >sppp(4) > 2. propose negotiated name servers from sppp(4) to resolvd(8) using >RTM_PROPOSAL_STATIC route messages. > > With

Re: rpki-client show attr name in rrdp parse errors

2021-11-05 Thread Claudio Jeker
On Wed, Nov 03, 2021 at 12:58:17PM +0100, Claudio Jeker wrote: > In one place this is already done but this makes sure we show the bad > attribute in all cases where a non conforming attribute is found. Found another bunch of those non conforming attribute errors. Adjust them as wel

speedup io marshal in rpki-client

2021-11-05 Thread Claudio Jeker
Noticed the other day. The ip addr arrays and as number array are marshalled element by element which is not very efficient. All the data is in one big blob of memory so just use the basic io operations for a memory blob and ship the full array at once. This seems to reduce runtime by 5-10% (in my

Re: rpki-client better exit behaviour when something goes wrong

2021-11-04 Thread Claudio Jeker
On Thu, Nov 04, 2021 at 11:27:46AM -0600, Theo de Raadt wrote: > Claudio Jeker wrote: > > > This diff replaces the errx() call in the poll fd check with warnings plus > > an exit of the main event loop. It also prints an error in case not all > > files have been proces

rpki-client X509_free XXX fix

2021-11-04 Thread Claudio Jeker
There is this bit in parser.c X509_free(x509); // needed? XXX As tb@ properly noted this X509_free() is needed because the cert_parse() returns an up referenced x509 pointer back. I moved the X509_free() so the error cases become simpler and we no longer leak a reference on success. At

rpki-client better exit behaviour when something goes wrong

2021-11-04 Thread Claudio Jeker
This diff replaces the errx() call in the poll fd check with warnings plus an exit of the main event loop. It also prints an error in case not all files have been processed. An example after kill -9 of the rsync process is: rpki-client: https://rrdp.lacnic.net/rrdp/notification.xml: loaded from

rpki-client refactor repo code a bit

2021-11-04 Thread Claudio Jeker
When RRDP support was added a repo was added for every caRepository URI that was different from the others. Now the big RIR repos have many caRepository URIs that are just subdirs and are covered by the same rsync or RRDP source. This diff changes this back to not create a new repo for every

Re: rpki-client refactor tal handling

2021-11-03 Thread Claudio Jeker
On Wed, Nov 03, 2021 at 12:41:52PM -0600, Theo de Raadt wrote: > + size_t talid; /* covered by which TAL */ > > You shouldn't use size_t > > It is 32bit on ILP32 systems, and 64bit on I32LP64 machines, because the > underlying definition is: > > _types.h:typedefunsigned

rpki-client refactor tal handling

2021-11-03 Thread Claudio Jeker
This diff changes how the certs and roa track the tal that covers them. Instead of passing strings around use ids and a simple lookup table for the description. This will make it possible to add tal ids to more things. Usual test run works and the output for openbgpd and json look sane. -- :wq

Re: rpki-client fix CRLF handling in tal parser

2021-11-03 Thread Claudio Jeker
On Wed, Nov 03, 2021 at 06:48:51PM +0100, Theo Buehler wrote: > On Wed, Nov 03, 2021 at 06:34:05PM +0100, Claudio Jeker wrote: > > Fix CRLF handling by properly setting nl to the right NUL byte. > > In the CRLF case both \r\n are replaced by \0 and so the code > > needs to

rpki-client fix CRLF handling in tal parser

2021-11-03 Thread Claudio Jeker
Fix CRLF handling by properly setting nl to the right NUL byte. In the CRLF case both \r\n are replaced by \0 and so the code needs to adjust the nl pointer else valid_url() and the check for .cer endings fail. This diff fixes the test.tal I added to regress. -- :wq Claudio Index: tal.c

rpki-client limit number of concurrent rsyncs

2021-11-03 Thread Claudio Jeker
Don't become a fork bomb. Limit the number of processes by stopping to poll for new jobs once the limit is reached. I set the limit to 16 which is larger than the biggest concurrency I have seen during fetches. OK? -- :wq Claudio Index: extern.h

rpki-client show attr name in rrdp parse errors

2021-11-03 Thread Claudio Jeker
In one place this is already done but this makes sure we show the bad attribute in all cases where a non conforming attribute is found. OK? -- :wq Claudio Index: rrdp_delta.c === RCS file:

rpki-client fix chunked encoding for larger than 32k chunks

2021-11-03 Thread Claudio Jeker
Noticed by accident. The chunked encoding only works for chunks smaller than 32k (the HTTP internal read buffer). For chunks bigger than 32k the state machine jumps too early (after the first write of 32k) into the STATE_RESPONSE_CHUNKED_TRAILER state and so everything gets confused. Fix is

Re: rpki-client sync output at end of run with output file

2021-10-28 Thread Claudio Jeker
On Thu, Oct 28, 2021 at 08:27:40PM +0200, Theo Buehler wrote: > On Thu, Oct 28, 2021 at 08:21:12PM +0200, Claudio Jeker wrote: > > As in $SUBJECT said, sync the output at the end of a rpki-client run with > > outputheader() -- the function used to dump this info into the openbgpd

rpki-client sync output at end of run with output file

2021-10-28 Thread Claudio Jeker
As in $SUBJECT said, sync the output at the end of a rpki-client run with outputheader() -- the function used to dump this info into the openbgpd output file. OK? -- :wq Claudio Index: main.c === RCS file:

openrsync add --max-size and --min-size support

2021-10-28 Thread Claudio Jeker
This diff should implement --max-size and --min-size almost equivalent to GNU rsync. I decided to use scan_scaled() instead of building something new that handles all the extra bits GNU rsync has. The remote rsync process gets the sizes in bytes so scaling is just a local issue. Manpage probably

rpki-client adjust tal parse to the BIO free world

2021-10-26 Thread Claudio Jeker
This is part 3 of the BIO removal. Switch tal_parse to pass a file buffer like all other callers. The parent process can now just use load_file() and pass that buffer to the parser. From there on the magic just happens. -- :wq Claudio Index: encoding.c

remove more BIO from rpki-client part 2

2021-10-26 Thread Claudio Jeker
This switches the cert parser to use d2i_X509 instead of the BIO versions. -- :wq Claudio Index: cert.c === RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v retrieving revision 1.40 diff -u -p -r1.40 cert.c --- cert.c 23 Oct

remove more BIO from rpki-client

2021-10-26 Thread Claudio Jeker
I want to be able to pass a buffer to the various parser functions instead of a filename. This is in preparation for supporting rpki-client -f somefile This diff switches CMS and CRL to their regular d2i versions. The cert files will follow in the next diff. -- :wq Claudio Index: cms.c

rpki-client proc_parser cleanup

2021-10-25 Thread Claudio Jeker
Refactor this code and instead of passing various things around just use globals. -- :wq Claudio Index: parser.c === RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v retrieving revision 1.16 diff -u -p -r1.16 parser.c ---

Re: libagentx: Don't allow OIDs < 2

2021-10-24 Thread Claudio Jeker
On Sun, Oct 24, 2021 at 06:39:42PM +0100, Martijn van Duren wrote: > libagentx currently allows OIDs with a length of 0. > This isn't wrong from an agentx protocol point of view, but ber encoding > can't handle OIDs with less than 2 elements, which makes it unable to > map the values back to SNMP.
