installer: suggest CDN if ftplist1 doesn't work

2023-10-25 Thread Job Snijders
Dear all, In case no mirror was previously configured (aka, this is a fresh install) and ftplist1.openbsd.org is unreachable, perhaps it's useful to suggest a default mirror to expedite the installation process. Terminal transcript on a machine that's not able to reach ftplist1, doing 'enter

Re: adjust example bgpd.conf GRACEFUL_SHUTDOWN rule

2023-09-27 Thread Job Snijders
On Wed, Sep 27, 2023 at 12:31:52PM +0200, Claudio Jeker wrote: > Graceful Shutdown should only be done on eBGP sessions. > If you alter the local-pref on ibgp sessions it is possible to produce > loops or other network instabilities. Now if all iBGP routers apply the > same rule it is fine but if

rpki-client: constraining Trust Anchors

2023-09-26 Thread Job Snijders
an 1970 00:00:00 - +++ usr.sbin/rpki-client/constraints.c 26 Sep 2023 14:27:46 - @@ -0,0 +1,584 @@ +/* $OpenBSD$ */ +/* + * Copyright (c) 2023 Job Snijders + * Copyright (c) 2023 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with o

Re: rpki-client: ensure X.509 Subject only contains commonName and serialNumber

2023-09-11 Thread Job Snijders
On Mon, Sep 11, 2023 at 09:31:03AM +0200, Theo Buehler wrote: > > - * This only parses the RFC 3779 extensions since these are necessary for > > - * validation. > > Isn't this still true? You don't really parse the subject name. I took 'parse' to mean something like 'inspects', and since it also

rpki-client: ensure X.509 Subject only contains commonName and serialNumber

2023-09-10 Thread Job Snijders
This adds another compliance check for the X.509 subject name. Only commonName, and optionally serialNumber, are permitted in the certificate subject name. See RFC 6487 section 4.4 and 4.5. It seems the one CA who was not compliant with this requirement got their act together, so now is an

rpki-client: shuffle the order in which Manifest entries are processed

2023-09-02 Thread Job Snijders
At the moment work items are enqueued in the order the CA intended them to appear on a Manifest. However, I don't see any benefit to letting third parties decide the order in which things are processed. Instead, let's randomize: ordering has no meaning anyway, and the number of concurrent

Re: rpki-client: retire log.c

2023-06-29 Thread Job Snijders
On Thu, Jun 29, 2023 at 09:30:19AM +0200, Theo Buehler wrote: > I wrote versions of this diff several times in the past but never sent > it out. A question by claudio encouraged me... > > cryptowarnx() and cryptoerrx() fail at showing openssl error stacks > in a pleasant way as no amount of

Re: rpki-client: disallow empty RFC 3779 extensions

2023-06-20 Thread Job Snijders
On Tue, Jun 20, 2023 at 10:10:43PM +0200, Theo Buehler wrote: > The first warning cannot be hit because the X509v3_asid_is_canonical() > errors on empty asIdsOrRanges sequences. This is not the case for > IPAddrBlocks... > > There is some ambiguity in RFC 6487, 4.8.10 whether empty >

Re: rpki-client: better handling of X509_get_ext_d2i() errors

2023-06-20 Thread Job Snijders
On Tue, Jun 20, 2023 at 07:50:19PM +0200, Theo Buehler wrote: > X509_get_ext_d2i() is one of those very special OpenSSL interfaces... > > It can return NULL for various reasons. If it returns NULL and crit is > not -1, something bad happened. If crit is -2, multiple extensions with > the same OID

Re: rpki-client: warn on duplicate X509v3 extensions

2023-06-20 Thread Job Snijders
On Tue, Jun 20, 2023 at 08:58:23PM +0200, Theo Buehler wrote: > For some reason libcrypto doesn't check this part of RFC 5280, 4.2: A > certificate MUST NOT include more than one instance of a particular > extension. > > With the badCertSIA2x.cer from Ties's test artefacts, I get this > warning:

reorder libssl and libtls at boot?

2023-06-16 Thread Job Snijders
Hi all, Would it be worth it to reorder libssl & libtls at boot? Kind regards, Job Index: etc/rc === RCS file: /cvs/src/etc/rc,v retrieving revision 1.571 diff -u -p -r1.571 rc --- etc/rc 26 Apr 2023 14:28:09 - 1.571

rpki-client: make ASPA AFI-agnostic

2023-06-07 Thread Job Snijders
Dear all, To simplify the concept of RPKI ASPAs, the sidrops@ group came to consensus on removing the notion of 'afiLimit'. This means that going forward, ASPA will be AFI-agnostic. Advantages to operators are that by creating just one ASPA they'll be prepared for an IPv4+IPv6 dual-stack future

rpki-client: adjust eContent version handling

2023-06-07 Thread Job Snijders
In anticipation of a bump of the ASPA eContent profile version, update valid_econtent_version() to allow for non-zero versions. OK? Kind regards, Job Index: aspa.c === RCS file: /cvs/src/usr.sbin/rpki-client/aspa.c,v retrieving

Re: rpki-client: prime file modification times to optimize failover from RRDP to RSYNC

2023-05-30 Thread Job Snijders
On Tue, May 30, 2023 at 03:12:46PM +0200, Claudio Jeker wrote: > On Tue, May 30, 2023 at 02:38:23PM +0200, Claudio Jeker wrote: > > On Wed, May 24, 2023 at 04:18:30PM +0000, Job Snijders wrote: > > > Dear all, > > > > > > Claudio made some suggestions to

Re: rpki-client: prime file modification times to optimize failover from RRDP to RSYNC

2023-05-24 Thread Job Snijders
Dear all, Claudio made some suggestions to pass the desired modification times around in a different way, below is an updated patch proposal. I also added some instrumentation to also adjust GBRs and TAKs. RIPE & APNIC informally indicated some interest in this hack. Kind regards, Job Index:

rpki-client: prime file modification times to optimize failover from RRDP to RSYNC

2023-05-19 Thread Job Snijders
Dear all, Claudio, A series of RRDP outages around the world prompted me to study whether the subsequent (perhaps even first-ever) RSYNC synchronization can be optimised for both client and rsync server. In the RSYNC protocol a file's last modification time and its size are used to determine

Re: rpki-client: provide more diagnostics to the operator

2023-05-11 Thread Job Snijders
On Thu, May 11, 2023 at 11:47:44AM +0200, Claudio Jeker wrote: > I'm not sure if this is quite right. > > valid_filehash() can be called twice first with the temp file and then > with the file from the valid repo. If the temp file has a bad hash then it > will result in a warning but the file

Re: rpki-client: provide more diagnostics to the operator

2023-05-11 Thread Job Snijders
Hi Theo, On Wed, May 10, 2023 at 09:02:13PM +0200, Theo Buehler wrote: > Again, try to keep the code as it was as far as possible. Indeed, thank you for the feedback! Below is an amended version. Kind regards, Job Index: extern.h

rpki-client: provide more diagnostics to the operator

2023-05-10 Thread Job Snijders
Hi folks, Without this changeset, rpki-client will display diagnostic information about missing files like so: $ doas rpki-client -t /etc/rpki/lacnic.tal -H repository.lacnic.net rpki-client:

Re: patch: profiling using utrace(2) (compatible with pledge and unveil)

2023-05-08 Thread Job Snijders
Hi Sebastien, Super super interesting stuff! On Tue, Apr 11, 2023 at 09:28:31AM +0200, Sebastien Marie wrote: > ## compile and collect profil information (-tu option on ktrace is optional) > $ cc -static -pg test.c > $ ktrace -di -tu ./a.out > > ## get gmon.out file > $ kdump -u gmon.out |

Re: crontab: support random offsets for steps

2023-05-03 Thread Job Snijders
An illustration of the idea, this crontab configuration: $ crontab -l | grep touch */10 * * * * touch /tmp/normal-$(date +\%s) */~10* * * * touch /tmp/mixedup-$(date +\%s) Resulted on my local machine in the following: $ ls

libcrypto: update X509_get0_signature.3 for X509_CRL_get0_tbs_sigalg

2023-03-16 Thread Job Snijders
Add man page bits for X509_CRL_get0_tbs_sigalg() OK? Index: lib/libcrypto/man/X509_get0_signature.3 === RCS file: /cvs/src/lib/libcrypto/man/X509_get0_signature.3,v retrieving revision 1.7 diff -u -p -r1.7 X509_get0_signature.3 ---

Re: rpki-client: enforce RFC7935 RSA params in outside-TBS signatures on .cer

2023-03-06 Thread Job Snijders
On Mon, Mar 06, 2023 at 10:19:36PM +, Job Snijders wrote: > Am I using X509_get_X509_PUBKEY() properly? I was not! Thanks for the clue tb@

rpki-client: enforce RFC7935 RSA params in outside-TBS signatures on .cer

2023-03-06 Thread Job Snijders
I think the newly introduced RSA parameter check valid_ca_pkey() can also be applied to the outside-TBS RSA signature in .cer files. Am I using X509_get_X509_PUBKEY() properly? OK? Kind regards, Job Index: cert.c === RCS file:

rpki-client: Enforce X509v3 SKIs to be the SHA-1 hash of the Subject Public Key

2023-03-06 Thread Job Snijders
Upon re-reading RFC 6487 section 4.8.2, SKIs are not at all arbitrary identifiers: they must be the SHA-1 hash of the 'Subject Public Key'. The below changeset adds a SPK digest calculation and comparison to the X509v3 extension containing the SKI. OK? Index: x509.c

Re: rpki-client: add check for sha256WithRSAEncryption sigs on .cer and .crl files (RFC 7935)

2023-03-06 Thread Job Snijders
On Mon, Mar 06, 2023 at 04:35:05PM +0100, Theo Buehler wrote: > > 3) Signatures (outside the TBS) in a .cer must be RSA (TODO: also > > check mod + (e)) > > I'd prefer to skip this for now. This does not really buy us much, it > is independent and I see it as some polish that doesn't need to go

Re: rpki-client: add check for RSA key pair modulus & public exponent (RFC 7935)

2023-03-06 Thread Job Snijders
On Mon, Mar 06, 2023 at 12:27:36PM +0100, Theo Buehler wrote: > On Mon, Mar 06, 2023 at 10:52:31AM +0000, Job Snijders wrote: > > RFC 7935 states in section 3: "The RSA key pairs used to compute the > > signatures MUST have a 2048-bit modulus and a public expone

rpki-client: add check for RSA key pair modulus & public exponent (RFC 7935)

2023-03-06 Thread Job Snijders
Hi, RFC 7935 states in section 3: "The RSA key pairs used to compute the signatures MUST have a 2048-bit modulus and a public exponent (e) of 65,537." The below adds a check for that. OK? Kind regards, Job Index: cms.c === RCS

Re: Add the -m (--prune-empty-dirs) option to openrsync

2023-02-22 Thread Job Snijders
Dear Mohamed, On Wed, Feb 22, 2023 at 05:42:10AM +, Mohamed Bukhris wrote: > This patch adds the -m/--prume-empty-dirs option to openrsync > while keeping said feature compatible with rsync > this avoids the 27 -> 31 protocol mismatch error by not sharing the -m option > to remote > This was

Re: rpki-client: disallow trailing garbage in signed objects

2023-02-20 Thread Job Snijders
On Tue, Feb 21, 2023 at 03:07:00AM +0100, Theo Buehler wrote: > By design of d2i, it's the caller's responsibility to check a DER object > has been fully consumed. We read files from the disk, check hashes, > parse and validate the DER we encounter, but we do not make sure that > nothing follows

rpki-client: refactor parse_load_crl_from_mft()

2023-02-19 Thread Job Snijders
Hi, I wasn't entirely happy about how parse_load_crl_from_mft() behaved and refactored the function. The good: if the MFT at hand was located in DIR_TEMP and no matching CRL could be found in DIR_TEMP, it would additionally attempt to find a CRL in DIR_VALID. The bad: if the MFT at hand was

Re: openrsync: fix handling of port numbers in rsync:// urls

2023-02-14 Thread Job Snijders
Hi Theo, Thanks for the feedback, good catch on 'len'! Following your suggestions - how about the below? Kind regards, Job Index: main.c === RCS file: /cvs/src/usr.bin/rsync/main.c,v retrieving revision 1.65 diff -u -p -r1.65

openrsync: fix handling of port numbers in rsync:// urls

2023-02-12 Thread Job Snijders
I noticed there is an issue in openrsync when a port is specified in the rsync:// URL, the port number ends up becoming part of the path: $ openrsync -r rsync://rsync.roa.tohunet.com:3873/repo/ /tmp/r rsync: [sender] change_dir "/3873/repo" (in repo) failed: No such file or directory (2)

bgpd: improve RTR error handling

2023-01-31 Thread Job Snijders
When the RTR's Session ID changes (for example when the RTR server is restarted), bgpd would incorrectly branch into the "received %s: bad msg len:" path. The length fields in the RTR PDU error messages are 32-bits, so we should use ntohl() instead of ntohs(). While there, add an additional

bgpd: remove ASDOT support

2023-01-29 Thread Job Snijders
ASDOT started out as sort of a joke, but unfortunately gained some popularity in the 2010s with the rise of 4-byte ASNs and some people thinking "cute, I can write my longish number in a shorter exotic notation". Then, many operators came to realize that using a '.' (dot) in places which used to

Re: libcrypto: wrapper for internal x509v3_cache_extensions()

2023-01-20 Thread Job Snijders
On Fri, Jan 20, 2023 at 09:35:08PM +0100, Theo Buehler wrote: > On Fri, Jan 20, 2023 at 08:06:00PM +0000, Job Snijders wrote: > > While studying why X509_check_ca() is the ugly thing it is, tb@ > > suggested x509v3_cache_extensions() might benefit from a wrapper to > > avoid d

libcrypto: wrapper for internal x509v3_cache_extensions()

2023-01-20 Thread Job Snijders
While studying why X509_check_ca() is the ugly thing it is, tb@ suggested x509v3_cache_extensions() might benefit from a wrapper to avoid duplication of locking and checking the stupid EXFLAG_INVALID flag. x509v3_cache_extensions() isn't a public function anyway. Passes regress & rpki-client.

rpki-client: require version 4 UUIDs in RRDP session IDs

2023-01-18 Thread Job Snijders
All RRDP servers in the field now issue session IDs using the correct UUID version & type. OK? Kind regards, Job Index: validate.c === RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v retrieving revision 1.53 diff -u -p -r1.53

Re: sshd relinking

2023-01-16 Thread Job Snijders
On Mon, Jan 16, 2023 at 08:57:25AM -0700, Theo de Raadt wrote: > I propose to relink sshd on every boot, before it gets started. > > This is like kernel, libc.so, libcrypto, and ld.so relinking. > > The sshd design self-protects itself quite well, but this kind of > address space secrecy is

Re: rpki-client: support for authenticating signed Geofeed files (RFC 9092)

2022-11-25 Thread Job Snijders
Hi Theo, Thank you for taking the time to review this. On Fri, Nov 25, 2022 at 03:18:30PM +0100, Theo Buehler wrote: > On Fri, Nov 25, 2022 at 09:36:41AM +0000, Job Snijders wrote: > [...] > > $ ftp -MV https://sobornost.net/geofeed.csv > > Your example file contains

rpki-client: support for authenticating signed Geofeed files (RFC 9092)

2022-11-25 Thread Job Snijders
= RCS file: geofeed.c diff -N geofeed.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ geofeed.c 25 Nov 2022 09:26:11 - @@ -0,0 +1,233 @@ +/* $OpenBSD: geofeed.c,v 1.18 2022/11/02 12:46:49 job Exp $ */ +/* + * Copyright (c) 2022 Job Snijder

rpki-client: fold -T (bird table name) into -B (bird output)

2022-11-17 Thread Job Snijders
I don't think I've ever heard anyone use the '-T' feature. Perhaps better to fold it into '-B' (BIRD output) using getopt '::' trick? I don't feel super strong about this, but it helps reclaim a getopt letter. Kind regards, Job Index: main.c

Re: rpki-client: add 'shortlist' functionality

2022-11-17 Thread Job Snijders
Heya! On Thu, Nov 17, 2022 at 08:39:36PM +0100, Theo Buehler wrote: > > This functionality is handy if you want to inspect only specific > > repositories and ignore the rest of the world. Useful for monitoring > > too. > > > > OK? Feedback? > > I have no objection code-wise and I understand the

rpki-client: add 'shortlist' functionality

2022-11-17 Thread Job Snijders
Dear all, I introduced a 'shortlist' feature in rpki-client(8). If the operator specifies one or more '-q' options followed by FQDNs, the utility will *only* connect to those hosts and skip all others. $ doas rpki-client -q rpki.ripe.net -q chloe.sobornost.net Processing time 84 seconds

Re: bgpd: add base support for ASPA

2022-11-16 Thread Job Snijders
On Wed, Nov 16, 2022 at 02:43:40PM +0100, Claudio Jeker wrote: > On Wed, Nov 16, 2022 at 12:18:14PM +0000, Job Snijders wrote: > > On Wed, Nov 16, 2022 at 12:47:46PM +0100, Claudio Jeker wrote: > > > A aspa-set is defined like this: > > > aspa-set { > > >

Re: bgpd: add base support for ASPA

2022-11-16 Thread Job Snijders
On Wed, Nov 16, 2022 at 12:47:46PM +0100, Claudio Jeker wrote: > A aspa-set is defined like this: > aspa-set { > source-as 1 transit-as { 5 } > source-as 2 expires 1668181648 transit-as { 3 4 } > source-as 5 transit-as { 1 2 allow inet 7 allow inet6 } > } bikeshed.com I'd

rpki-client: error out if too many ipAddrBlocks in ROA payload

2022-11-09 Thread Job Snijders
Hi all, The ASN.1 profile in draft-ietf-sidrops-rfc6482bis section 4 https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rfc6482bis-01 specifies that there must not be more than 2 ipAddrBlocks (one for IPv4, and one for IPv6). This changeset enforces that constraint. Compatible with all

ssh-keygen(1): by default generate ed25519 key (instead of rsa)

2022-11-06 Thread Job Snijders
Dear all, Support for using Ed25519 for server and user authentication was introduced in 2014. I like the compactness of Ed25519 public keys. Perhaps now is a good time to make Ed25519 the default key type when invoking ssh-keygen(1) without arguments? Kind regards, Job Index: ssh-keygen.1

rpki-client: check SIA signedObject on ASPA/MFT/ROA/GBR/TAK

2022-11-03 Thread Job Snijders
Hi all, RFC 6487 section 4.8.8.2 mandates that the SIA extension must be present, and contain *at least* an instance of accessMethod id-ad-signedObject. The below changeset enforces this requirement. OK? Index: aspa.c === RCS file:

rpki-client: print IP when connection times out

2022-11-01 Thread Job Snijders
It can be useful to see a little bit more detail on what exactly isn't working. OK? Index: http.c === RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v retrieving revision 1.70 diff -u -p -r1.70 http.c --- http.c 18 Oct 2022

Re: rpki-client: make x509_init_oid() table-based?

2022-10-24 Thread Job Snijders
On Mon, Oct 24, 2022 at 11:58:50AM +0200, Theo Buehler wrote: > The amount of copy-paste and repetition in x509_init_oid() is becoming > a bit much. The function is an eyesore due to the repetition and made > worse by the inconsistent wrapping. It's long past the point where my > brain is still

rpki-client: add support for draft-ietf-sidrops-signed-tal-12

2022-10-21 Thread Job Snijders
12 +RPKI Signed Object for Trust Anchor Key. .El .Sh HISTORY .Nm Index: rsync.c === RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v retrieving revision 1.43 diff -u -p -r1.43 rsync.c --- rsync.c 2 Sep 2022 17:39:51 -

rpki-client: ASN1_IMP_OPT vs ASN1_EXP_OPT

2022-10-12 Thread Job Snijders
Hi all, All of ROA, MFT, ASPA, and RSC define their respective 'version' field in ASN.1 as following: version [0] INTEGER DEFAULT 0, Each object profile preamble "DEFINITIONS EXPLICIT TAGS ::=" We haven't bumped into an issue yet, because all Signed Objects are at version 0, which means

wc(1): add -L flag to write length of longest line

2022-09-29 Thread Job Snijders
Hi all, I often find myself piping data through ... | awk '{print length}' | ... I figured there should be a more direct way that requires less typing. Perhaps other developers have a similar itch? The FreeBSD, NetBSD, Dragonfly, and GNU variants of the wc(1) utility have a similar -L feature.

ps: fix incorrect trimming

2022-09-20 Thread Job Snijders
Christian Weisgerber reported the new 'f' feature in ps(1) does not apply line length trimming correctly. The problem can be observed when comparing '$ COLUMNS=79 ps l' and '$ COLUMNS=79 ps lf' OK? Index: print.c === RCS file:

libcrypto: add OID for RPKI signedTAL objects

2022-09-15 Thread Job Snijders
IANA made a permanent registration in the SMI Security for S/MIME CMS Content Type registry at https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 for signed objects conforming to draft-ietf-sidrops-signed-tal. OK? Kind regards, Job Index:

Re: rpki-client: fully reset provider for each providerAS

2022-09-05 Thread Job Snijders
On Mon, Sep 05, 2022 at 02:46:45PM +0200, Theo Buehler wrote: > Once a ProviderAS has an afiLimit, all subsequent ProviderAS without > afiLimit will erroneously inherit that limit since provider.afi is > only (re)set if pa->afiLimit != NULL. Zeroing the provider inside the > loop avoids this

Re: rpki-client: fix todo item about freeing in parser process

2022-09-03 Thread Job Snijders
On Sat, Sep 03, 2022 at 08:42:53PM +, Job Snijders wrote: > Found a small todo item in proc_parser() to free the entries in the auth > and crl trees. Reworked the diff to retain RB_GENERATE_STATIC() scope OK? Index:

rpki-client: fix todo item about freeing in parser process

2022-09-03 Thread Job Snijders
Found a small todo item in proc_parser() to free the entries in the auth and crl trees. OK? Kind regards, Job Index: cert.c === RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v retrieving revision 1.88 diff -u -p -r1.88 cert.c ---

rpki-client: check inherit constraint on TAs earlier on

2022-09-03 Thread Job Snijders
RPKI Trust Anchors (self-signed root certificates) MAY NOT contain 'inherit' elements in their RFC 3779 resource extensions according to RFC 6490 section 2.2. We could check way earlier on in the validation process whether the TA certificate conforms to this constraint. The below changeset moves

Re: rpki-client include "parent" repo id in certs

2022-09-03 Thread Job Snijders
On Sat, Sep 03, 2022 at 01:27:03PM +0200, Theo Buehler wrote: > On Sat, Sep 03, 2022 at 01:18:13PM +0200, Claudio Jeker wrote: > > This diff adds the parentid to struct cert. The parentid is the id of the > > repository the cert lives in. This information will be used to track the > > parent

Re: rpki-client stop all repo fetching a bit before the timeout

2022-09-02 Thread Job Snijders
Hi Claudio, This looks mostly OK, just a few nits: On Fri, Sep 02, 2022 at 10:02:33PM +0200, Claudio Jeker wrote: > @@ -1223,8 +1224,26 @@ repo_check_timeout(int timeout) > { > struct repo *rp; > time_t now; > + int diff; > > now =

Re: ps(1): add -d (descendancy) option to display parent/child process relationships

2022-09-01 Thread Job Snijders
On Thu, Sep 01, 2022 at 06:14:17PM +0200, Florian Obser wrote: > >> NetBSD's and FreeBSD's ps(1) use '-d' to display process hierarchy. > > > > using -f would follow the path of least resistance. Is there really a > > common > > user community between freebsd netbsd and openbsd? I doubt it. > >

Re: ps(1): add -d (descendancy) option to display parent/child process relationships

2022-09-01 Thread Job Snijders
On Thu, Sep 01, 2022 at 03:14:40PM +0200, Martin Schröder wrote: > Am Do., 1. Sept. 2022 um 05:38 Uhr schrieb Job Snijders : > > Some ps(1) implementations have an '-d' ('descendancy') option. Through > > ASCII art parent/child process relationships are grouped and displayed.

ps(1): add -d (descendancy) option to display parent/child process relationships

2022-08-31 Thread Job Snijders
Dear all, Some ps(1) implementations have an '-d' ('descendancy') option. Through ASCII art parent/child process relationships are grouped and displayed. Here is an example: $ ps ad -O ppid,user PID PPID USER TT STATTIME COMMAND 18180 12529 job pb I+p

Re: rpki-client: print info about encapsulated certs & PEM format in filemode

2022-08-25 Thread Job Snijders
On Thu, Aug 25, 2022 at 06:38:36PM +0200, Theo Buehler wrote: > On Thu, Aug 25, 2022 at 04:04:27PM +0000, Job Snijders wrote: > > On Thu, Aug 25, 2022 at 03:38:45PM +0200, Claudio Jeker wrote: > > > I wonder why is PEM printing not part of -f? It seems to be something

Re: rpki-client: print info about encapsulated certs & PEM format in filemode

2022-08-25 Thread Job Snijders
On Thu, Aug 25, 2022 at 03:38:45PM +0200, Claudio Jeker wrote: > I wonder why is PEM printing not part of -f? It seems to be something > that should be part of filemode. OK, how about this? Kind regards, Job Index: filemode.c ===

Re: rpki-client: add mode to print encapsulated certs/crls in human-readable & PEM format

2022-08-25 Thread Job Snijders
= RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v retrieving revision 1.14 diff -u -p -r1.14 print.c --- print.c 14 Jul 2022 13:24:56 - 1.14 +++ print.c 25 Aug 2022 13:00:27 - @@ -1,5 +1,6 @@ /* $OpenBSD: print.c,v 1.14 2022/07/14 13:24:56 job Exp $

rpki-client: add mode to print encapsulated certs/crls in human-readable & PEM format

2022-08-24 Thread Job Snijders
print.c --- print.c 14 Jul 2022 13:24:56 - 1.14 +++ print.c 24 Aug 2022 23:33:25 - @@ -1,5 +1,6 @@ /* $OpenBSD: print.c,v 1.14 2022/07/14 13:24:56 job Exp $ */ /* + * Copyright (c) 2022 Job Snijders * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons

Re: rpki-client: retire valid_cert()

2022-08-22 Thread Job Snijders
On Mon, Aug 22, 2022 at 12:14:53PM +0200, Theo Buehler wrote: > rpki-client portable makes sure that libcrypto has RFC 3779 support. > Therefore the X509_verify_cert() call in valid_x509() will already > perform the checks that the RFC 3779 extensions are covered along the > chain. While

Re: rpki-client: disallow inherit in ROA EE IP Resources extension

2022-08-18 Thread Job Snijders
On Sat, Aug 13, 2022 at 04:51:05PM +0200, Theo Buehler wrote: > job mentioned that it might be preferable to do the validation in > parse_{roa,rsc,aspa}(). So here's a diff that does this. It reworks > valid_{roa,rsc}() to compare only against the EE cert's resources > since it doesn't really make

rpki-client: add ASPA profile-10 support

2022-08-12 Thread Job Snijders
ex: aspa.c === RCS file: aspa.c diff -N aspa.c --- /dev/null 1 Jan 1970 00:00:00 - +++ aspa.c 13 Aug 2022 00:24:24 - @@ -0,0 +1,447 @@ +/* $OpenBSD: aspa.c,v 1.16 2022/05/11 21:19:06 job Exp $ */ +/* + * Copyright (c) 2022 Jo

Re: rpki-client: disallow inherit in ROA EE IP Resources extension

2022-08-10 Thread Job Snijders
On Wed, Aug 10, 2022 at 06:16:30PM +0200, Theo Buehler wrote: > On Wed, Aug 10, 2022 at 03:10:19PM +0000, Job Snijders wrote: > > An errata exists for RFC 6482, which informs us: """The EE certificate > > MUST NOT use "inherit" elements as described in [RF

rpki-client: disallow inherit in ROA EE IP Resources extension

2022-08-10 Thread Job Snijders
Hi all, An errata exists for RFC 6482, which informs us: """The EE certificate MUST NOT use "inherit" elements as described in [RFC3779].""" Read the full report here: https://www.rfc-editor.org/errata/eid3166 Although it might seem a bit 'wasteful' to d2i the IP Resources extension in multiple

rpki-client: tighten ROA parsing by forbidding AS Resources extension on the EE

2022-08-10 Thread Job Snijders
Hi, The ROA specification (RFC 6482 § 4) is a bit underspecified, but in the wild the RFC 3779 AS Resources extension never ever appears on ROA EE certificates, as it serves no purpose in the validation process. I've seen it happen once, in the past, which was a CA mistake. Related reading

rpki-client: decrease how long to wait for the remote peer to send IO

2022-08-09 Thread Job Snijders
Dear all, I like to run rpki-client very often, and not be bogged down with non-responsive repositories. If a repository is uncommunicative, rpki-client as-is will try other transports, or come back later (because of a next crontab invocation). In rpki-client, RSYNC & HTTPS timeouts now are

Re: rpki-client: add connect() MAX_CONTIMEOUT for rsync/rrdp

2022-08-08 Thread Job Snijders
On Tue, Aug 02, 2022 at 12:27:57PM -0600, Theo de Raadt wrote: > I think you intend for that to be two separate diffs, not merged into > one. > > For connect < 15 seconds, I think that is a bit strict. > > For IO stalling 15 seconds, I suspect such IO stalls happen more than > we know, and will

Re: rpki-client: add connect() MAX_CONTIMEOUT for rsync/rrdp

2022-08-03 Thread Job Snijders
On Tue, Aug 02, 2022 at 12:27:57PM -0600, Theo de Raadt wrote: > I don't see any way this can be tested in less than 24 hours. Good idea. I've set up a fast testrig that runs two instances in parallel in a 'while true' loop (with and without the changeset), each with their own cachedir on MFS.

Re: rpki-client: add connect() MAX_CONTIMEOUT for rsync/rrdp

2022-08-02 Thread Job Snijders
On Tue, Aug 02, 2022 at 03:59:40PM +0200, Claudio Jeker wrote: > What makes you think that 15sec is enough to open connections in all > scenarios? I feel this is one of those changes that just shows that > maybe the current connect timeout from the system is too conservative. Yeah, maybe. How

Re: openrsync: add --contimeout

2022-08-02 Thread Job Snijders
On Tue, Aug 02, 2022 at 04:15:39PM +0200, Claudio Jeker wrote: > On Tue, Aug 02, 2022 at 12:42:26PM +0000, Job Snijders wrote: > > This adds '--contimeout' to rsync(1) > > > > $ time openrsync --contimeout=5 -rt rsync://203.119.21.1/test /tmp/k > > openrsyn

rpki-client: add connect() MAX_CONTIMEOUT for rsync/rrdp

2022-08-02 Thread Job Snijders
Hi, We were doing a lot of waiting in connect() for some (currently) broken repositories. Move on with life after MAX_CONTIMEOUT seconds. This changeset reduces the real time spent fetching the RIPE TAL (with hot cache) from 7m14.57s to 3m20.10s on an IPv4+IPv6 dual-stacked host. This changeset

openrsync: add --contimeout

2022-08-02 Thread Job Snijders
Hi all, This adds '--contimeout' to rsync(1) $ time openrsync --contimeout=5 -rt rsync://203.119.21.1/test /tmp/k openrsync: warning: connect timeout: 203.119.21.1, 203.119.21.1 openrsync: error: cannot connect to host: 203.119.21.1 0m05.01s real 0m00.00s user 0m00.01s system OK?

Re: ts(1): make timespec-handling code more obvious

2022-07-05 Thread Job Snijders
> > this changeset too. > > Ah right, we print us not ms. > > > nitpick: the changeset doesn't apply cleanly: > > Forgot to update that tree :) > > Updated diff below OK job@

Re: ts(1): make timespec-handling code more obvious

2022-07-05 Thread Job Snijders
On Tue, Jul 05, 2022 at 11:08:13AM +0200, Claudio Jeker wrote: > On Mon, Jul 04, 2022 at 05:10:05PM -0500, Scott Cheloha wrote: > > On Mon, Jul 04, 2022 at 11:15:24PM +0200, Claudio Jeker wrote: > > > On Mon, Jul 04, 2022 at 01:28:12PM -0500, Scott Cheloha wrote: > > > > Hi, > > > > > > > >

Re: Import ts(1) - a timestamp utility

2022-06-29 Thread Job Snijders
On Wed, Jun 29, 2022 at 07:34:08PM +0100, Jason McIntyre wrote: > On Wed, Jun 29, 2022 at 08:27:54PM +0200, Leon Fischer wrote: > > > The below changeset is a from scratch & pledged C implementation of the > > > 'ts' perl utility found in the moreutils collection by Joey Hess. > > > > Hi, a few

Re: Import ts(1) - a timestamp utility

2022-06-29 Thread Job Snijders
On Wed, Jun 29, 2022 at 09:18:08AM +, Job Snijders wrote: > Add a '-m' monotonic clock option I misunderstood what the moreutils ts -m option was doing, below is a different version, which is 'resistant' against the wallclock jump back and forth. Index: t

Re: Import ts(1) - a timestamp utility

2022-06-29 Thread Job Snijders
Hi all, Add a '-m' monotonic clock option Index: ts.1 === RCS file: /cvs/src/usr.bin/ts/ts.1,v retrieving revision 1.1 diff -u -p -r1.1 ts.1 --- ts.129 Jun 2022 08:39:49 - 1.1 +++ ts.129 Jun 2022 09:15:29

Import ts(1) - a timestamp utility

2022-06-28 Thread Job Snijders
ts.1 === RCS file: ts/ts.1 diff -N ts/ts.1 --- /dev/null 1 Jan 1970 00:00:00 - +++ ts/ts.1 28 Jun 2022 22:32:32 - @@ -0,0 +1,93 @@ +.\"$OpenBSD$ +.\" +.\" Copyright (c) 2022 Job Snijders +.\" +.\" Permission to use, copy, modify, and distribute this

Re: rpki-client: limit number of RSC checklist entries?

2022-06-01 Thread Job Snijders
On Wed, Jun 01, 2022 at 09:09:35AM +0200, Claudio Jeker wrote: > On Wed, Jun 01, 2022 at 08:44:43AM +0200, Theo Buehler wrote: > > When compared to manifest FileAndHash, the RSC code doesn't limit > > the size of the FileNameAndHash list. Should we do this for > > consistency? > > > > The

Re: rpki-client: implement rsc-08.txt with templates

2022-05-31 Thread Job Snijders
On Tue, May 31, 2022 at 04:16:20PM +0200, Claudio Jeker wrote: > On Tue, May 31, 2022 at 01:16:19PM +0200, Theo Buehler wrote: > > I chose to implement the constrained versions of the RFC 3779 types from > > the draft because the OpenSSL RFC 3779 code has static IPAddrBlocks_it, > > so we have to

tcpdump: add RFC9234 "BGP Role" support

2022-05-24 Thread Job Snijders
Hi all, I based this off reading https://datatracker.ietf.org/doc/html/rfc9234 This code is untested! I haven't had a chance yet to tcpdump an RFC 9234 capable BGP speaker. There might be some out there, according to https://trac.ietf.org/trac/idr/wiki/draft-ietf-idr-bgp-open-policy Kind

rpki-client: consider CA:FALSE certs to be invalid

2022-05-10 Thread Job Snijders
Hi, Following this errata report https://www.rfc-editor.org/errata/eid6854 If the Basic Constraints extension is present, and the certificate is *not* a CA - as determined by X509_check_ca(3), leave the purpose as CERT_PURPOSE_INVALID. While there, use the value name rather than 0. OK? Kind

Re: rpki-client: add support for draft-ietf-sidrops-rpki-rsc in filemode

2022-05-09 Thread Job Snijders
On Mon, May 09, 2022 at 05:08:53PM +0200, Theo Buehler wrote: > On Mon, May 09, 2022 at 02:59:06PM +0200, Claudio Jeker wrote: > > On Mon, May 09, 2022 at 12:53:05PM +0200, Theo Buehler wrote: > > > Regarding the spec: > > > > > > * isn't it a bit unfortunate that the ResourceBlock contains an >

Re: rpki-client: add support for draft-ietf-sidrops-rpki-rsc in filemode

2022-05-09 Thread Job Snijders
+ } + + if (outformats & FORMAT_JSON) + printf("\t],\n"); +} Index: usr.sbin/rpki-client/rpki-client.8 ======= RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v retrieving revision 1.61 diff -

Re: rpki-client: add support for draft-ietf-sidrops-rpki-rsc in filemode

2022-05-08 Thread Job Snijders
hash); + } + + if (outformats & FORMAT_JSON) + printf("\t],\n"); +} Index: usr.sbin/rpki-client/rpki-client.8 === RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v retrieving revision 1

rpki-client: add support for draft-ietf-sidrops-rpki-rsc in filemode

2022-05-08 Thread Job Snijders
les[i].filename : "no filename"); + printf("\thash %s\n", hash); + } + + free(hash); + } + + if (outformats & FORMAT_JSON) + printf("\t],\n"); +} Index: usr.sbin/rpki-client/rpki-client.

rpki-client: emit object hash identifier in filemode

2022-04-23 Thread Job Snijders
Hi all, Since certificate malleability no longer is a problem in the RPKI ecosystem ... the SHA256 digest of a RPKI signed object input file is a very stable identifier to associate to the decoded (validated) output from filemode! Example: $ rpki-client -j -f rZWj66_V88W5B41mgMEm-TNr_EU.roa

Re: rpki-client: extend -f to print TAL details

2022-04-11 Thread Job Snijders
On Mon, Apr 11, 2022 at 06:46:20PM +0200, Theo Buehler wrote: > Is this base64 blob really useful? The exact same thing is contained in > a more readable fashion (i.e. with line breaks) in the .tal file itself. OK, cat(1) can also be used indeed :-) > Apart from that, I'm fine with having

rpki-client: extend -f to print TAL details

2022-04-11 Thread Job Snijders
Hi, This changeset extends rpki-client to print more detail encapsulated inside TAL files, of specific interest is printing the Subject Key Identifier (SKI) of the Trust Anchor you'd find if you download the referenced .cer file. The SPKI is printed as base64 encoded DER. Example: $

Re: rpki-client MFT file and hash check change

2022-01-24 Thread Job Snijders
On Mon, Jan 24, 2022 at 06:50:51PM +0100, Claudio Jeker wrote: > > Requiring any content to be present (and the file's calculated digest to > > match with the hash listed on the Manifest) might pose a problem with > > our --exclude/--include rsync filter: files of unknown type are not > >
