On Wed, Mar 29, 2023 at 10:22:09AM +0200, Omar Polo wrote:
> mg keeps the path to the last loaded tag file in tagsfn which was used
> both for the lazily loading (now removed) and as a flag to know if any
> tags are currently loaded. It's redundant, we can just check if the
> rb tree is empty inst
On Wed, Mar 29, 2023 at 10:39:29AM +0200, Claudio Jeker wrote:
> The lookup functions for the Adj-RIB-Out trees (prefix_adjout_{get,lookup})
> work mainly with a pt_entry so lets change them.
> Now prefix_adjout_lookup() which returns the first path (in case of
> add-path) is also used by bgpctl co
On Wed, Mar 29, 2023 at 09:51:56AM +0200, Claudio Jeker wrote:
> In the metrics file the TA is currently reported as:
> rpki_client_repository_objects{type="cert",state="valid",name="ripe",carepo="ripe"}
> 1
>
> The carepo which is a rsync URI for other repositories is just the TAL
> name. Instea
Contrary to what I convinced op@ to be the case, duplicate tags may exist
in legitimate tags files. So we should ignore duplicates rather than
erroring on them. This fixes parsing the /var/db/libc.tags file.
$ grep -wc ^memcpy /var/db/libc.tags
2
Index: tags.c
On Tue, Mar 28, 2023 at 06:49:38PM +0200, Claudio Jeker wrote:
> I almost stepped into this trap and tried to pt_ref the static memory
> returned by pt_fill(). That wont work so better make the code explode.
> By setting the refcnt to USHRT_MAX a following pr_ref() call will fail.
> Since pt_alloc
On Tue, Mar 28, 2023 at 03:35:46PM +0200, Claudio Jeker wrote:
> This diff moves prefix_write to rde_prefix.c and renames it to pt_write.
> The function now takes a struct pt_entry * as argument and with this the
> extra indirection via pt_getaddr() falls away.
I'm ok with this, although it's not
On Tue, Mar 28, 2023 at 02:19:46PM +0200, Claudio Jeker wrote:
> Now that the accounting in bgpctl is fixed we can move some structs from
> rde.h into rde_prefix.c and hide them from everyone else.
> Also cleanup the AID_PTSIZE define it is only used in one place now.
ok tb
On Tue, Mar 28, 2023 at 11:48:07AM +0200, Claudio Jeker wrote:
> When an RTR session updates the data it happens between CACHE_RESPONSE and
> END_OF_DATA PDUs. When an END_OF_DATA PDU is received the various sources
> are merged into one table and sent to the RDE.
> Now since bgpd supports multiple
On Tue, Mar 28, 2023 at 11:33:11AM +0200, Claudio Jeker wrote:
> On Tue, Mar 28, 2023 at 11:00:37AM +0200, Theo Buehler wrote:
> > On Tue, Mar 28, 2023 at 10:35:34AM +0200, Claudio Jeker wrote:
> > > Switch mrt_dump_entry_v2() to use a dynamic ibuf for the prefix and
> &g
On Tue, Mar 28, 2023 at 10:35:34AM +0200, Claudio Jeker wrote:
> Switch mrt_dump_entry_v2() to use a dynamic ibuf for the prefix and
> switch the order of operation so that the memmove() of pbuf is no longer
> needed. Using a static buffer is problematic when flowspec support is
> added since flows
On Tue, Mar 28, 2023 at 10:17:28AM +0200, Claudio Jeker wrote:
> I think flipping the logic around makes the statements easier to read.
> Also we may need to add an extra role for siblings which behave like
> customers (using the downstream algorithm result).
Makes sense, ok
>
> --
> :wq Claudi
Fixed the same problem in iked/dh.c r1.31:
In the unlikely event that EC_KEY_check_key() fails, dh_init() fails and
group_free() is called, which will EC_KEY_free(group-ec) a second time.
Index: dh.c
===
RCS file: /cvs/src/sbin/isakm
On Mon, Mar 27, 2023 at 09:59:47AM +0200, Jan Klemkow wrote:
> On Fri, Mar 24, 2023 at 10:02:05PM +0100, Theo Buehler wrote:
> > > Thus, I would suggest to set this constant to ELAST. So, we will avoid
> > > useless unknown error strings and a non-zero errno after tls_init().
> Thus, I would suggest to set this constant to ELAST. So, we will avoid
> useless unknown error strings and a non-zero errno after tls_init().
ELAST isn't portable. It's under __BSD_VISIBLE in sys/errno.h.
It would seem better to use the save_errno idiom to store the errno
at the start of the l
On Fri, Mar 17, 2023 at 11:39:20AM +0100, Claudio Jeker wrote:
> Dumb mistake from my side. The rtr_aspa struct is on the stack and only
> covers that data up to the spas. The spas are a variable array and not
> copied over. So access these from the buf.
Ugh. How did I miss that.
> Remove the tra
On Mon, Mar 13, 2023 at 06:07:23PM +0100, Claudio Jeker wrote:
> Add the plumbing in bgplgd to allow for leaked and invalid show rib
> options.
Sure
>
> --
> :wq Claudio
>
> Index: bgplgd.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpl
On Mon, Mar 13, 2023 at 05:26:35PM +0100, Claudio Jeker wrote:
> This diff extends the show rib command to only show invalid (ineligible)
> or leaked (via OTC leak detection) routes.
>
> While there rename the OTC_LOOP defines to OTC_LEAK since this is not a
> route loop but a route leak.
Apart f
The signtime may be used uninitialized, you can see this when pointing
rpki-client -f at the aspa test objects in regress that don't have it.
I think we should initialize on all levels: the local signtime variable
in the individual *_parse functions, in cms_parse_validate_internal(),
and in cms_ge
On Fri, Mar 10, 2023 at 09:35:19AM +0100, Claudio Jeker wrote:
> This is mainly cleanup of the rtr code. Rename a few functions to be more
> explicit (rtr_send_reset_query(), rtr_send_serial_query()) introduce a
> function to reset the rtr cache (rtr_reset_cache()). The reset function
> always rese
> Other shells do not have this bug, such as bash, yash, mksh, ash, dash.
On the other hand, ksh93 behaves the same way as ksh.
Obviously zsh has a configuration knob for this, conspicuously named
CD_POSIX:
https://zsh.sourceforge.io/Doc/Release/Options.html
Indeed, see point 5:
https://pubs.o
> I also believe that the given directory to cd should be preferred over
> CDPATH; what i mean by this is if a directory exists within CDPATH but
> also exists within the current working directory; the latter should be
> preferred.
I haven't checked how other shells behave. This is the document
On Thu, Mar 09, 2023 at 05:07:40PM +0100, Claudio Jeker wrote:
> On my big IXP RS test setup with 600 peers the rde_filter call in the
> output path is rather expensive. By splitting the output ruleset into
> output rulesets per peer the performance is improved by around 5min on a
> 20min runtime.
On Fri, Feb 24, 2023 at 06:05:21PM +0100, Claudio Jeker wrote:
> For those people who enjoy pain here some code that allows bgpd to load
> ASPA records from a very current StayRTR cache.
>
> This implements mostly what draft-ietf-sidrops-8210bis-10 specifies.
> Now the version negotiation is a hot
Thanks. I dislike trailing whitespace since it screws up code navigation,
and I tend to remove it in code I'm working on since it distracts me.
However, to be honest, sending diffs removing it is a waste of time.
Someone has to check the diff, apply it, compile it, write a message and
commit it. T
On Tue, Feb 28, 2023 at 01:11:14PM +0100, Claudio Jeker wrote:
> When I implemented RFC9234 support I was a bit to conservative and only
> enabled the loop detection if the capability was enabled. This is
> how every other capability works but RFC9234 is special.
> On top of this with the addition
Some error messages don't match the function calls. There's still this
one that looks weird. Not sure what it should say to be helpful:
"unexpected ec signature length" perhaps?
if (siglen < 64 || siglen > 132 || siglen % 2) {
ossl_error("d2i_ECDSA_SIG failed");
Index: ssh
> So here's the dif with the fix.
The new diff went through an amd64 bulk without fallout and also works
fine on some dev machines. No noticeable performance impact for my
workloads.
It also reads fine to me (ok tb).
Do you want it to make it into the release or can/should it wait?
Either way, i
On Mon, Mar 06, 2023 at 08:10:49PM +, Job Snijders wrote:
> Upon re-reading RFC 6487 section 4.8.2, SKIs are not at all arbitary
> identifiers: they must be the SHA-1 hash of the 'Subject Public Key'.
Ah, good.
> The below changeset adds a SPK digest calculation and comparison to the
> X509v3
On Mon, Mar 06, 2023 at 02:50:14PM +, Job Snijders wrote:
> On Mon, Mar 06, 2023 at 12:27:36PM +0100, Theo Buehler wrote:
> > On Mon, Mar 06, 2023 at 10:52:31AM +, Job Snijders wrote:
> > > RFC 7935 states in section 3: "The RSA key pairs used to compute the
>
On Mon, Mar 06, 2023 at 10:52:31AM +, Job Snijders wrote:
> Hi,
>
> RFC 7935 states in section 3: "The RSA key pairs used to compute the
> signatures MUST have a 2048-bit modulus and a public exponent (e) of
> 65,537."
>
> The below adds a check for that.
That's a good first step. See commen
On Sun, Jan 29, 2023 at 08:16:06AM -0700, Todd C. Miller wrote:
> Unfortunately we cannot use strtonum(3) here since there may be
> non-digit characters following the number. So, strtoll(3)
> it is then.
Since strptime's %s is supposed to be the inverse of strftime's %s,
which is produced with mk
On Wed, Mar 01, 2023 at 08:39:08AM +0100, Otto Moerbeek wrote:
> On Wed, Mar 01, 2023 at 08:31:47AM +0100, Theo Buehler wrote:
>
> > On Tue, Feb 28, 2023 at 05:52:28PM +0100, Otto Moerbeek wrote:
> > > Second iteration.
> > >
> > > Gain back performance by
On Tue, Feb 28, 2023 at 05:52:28PM +0100, Otto Moerbeek wrote:
> Second iteration.
>
> Gain back performance by allocation chunk_info pages in a bundle, and
> use less buckets is !malloc option S. The chunk sizes used are 16, 32,
> 48, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, 448, 512,
On Fri, Feb 24, 2023 at 08:13:13AM +0100, Otto Moerbeek wrote:
> On Sat, Feb 18, 2023 at 04:12:08PM +0100, Otto Moerbeek wrote:
>
> > Hi,
> >
> > these recent sshd double free issue prompted me to look at malloc
> > again. I have something bigger brewing, but this diff makes sure the
> > to be cl
Now that the tricky bits are done, here's my suggestion for simplifying
parse_load_crl_from_mft() after claudio's latest commit.
Since we now explicitly want to look in both locations in all cases, it
seems cleanest to drop the loop altogether and to call the function
twice, once for each possible
> Why did you rename *crl to *res? For me res is normally more like an
> integer result. I would prefer if you keep that as crl.
>
> Still OK claudio@
I would prefer to keep the refactor/cleanup separate from the behavior
change. This change is incomplete and not easy to follow. For example,
ther
On Tue, Feb 21, 2023 at 02:51:09AM +, Job Snijders wrote:
> ps. If there are 'bytes trailing garbage' on an *.mft discovered in the
> DIR_VALID storage area, would a more pristine version of the MFT in
> DIR_TEMP be ignored?
Yes. The whole point of the complicated dance in proc_parser_mft() is
By design of d2i, it's the caller's responsibility to check a DER object
has been fully consumed. We read files from the disk, check hashes,
parse and validate the DER we encounter, but we do not make sure that
nothing follows the DER blob we parsed.
As Job noticed, it is possible to append data t
On Wed, Feb 15, 2023 at 11:30:34AM -0800, Philip Guenther wrote:
> llvm-strip is somehow ignoring the alignment requirements of the segments.
> If you look at the "readelf -l" output instead:
>
> Good:
> Program Headers:
> Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
>
On Tue, Feb 14, 2023 at 01:05:36PM +0100, Claudio Jeker wrote:
> bgpd does not really synchronize the start of sessions with
> the config reload of the RDE. This is fine but there is one gotcha.
> When loading big configs including RTR tables the delay between the SE
> finishing the config reload (
On Tue, Feb 14, 2023 at 11:38:20AM +0100, Claudio Jeker wrote:
> Currently route monitor only accepts -inet and -inet6 as address family
> but -mpls is also a valid option. It is the 3 routing tables we support.
>
> OK?
ok
> --
> :wq Claudio
>
> Index: route.c
> ===
On Sun, Feb 12, 2023 at 09:16:58PM +, Job Snijders wrote:
> I noticed there is an issue in openrsync when a port is specified in the
> rsync:// URL, the port number ends up becoming part of the path:
>
> $ openrsync -r rsync://rsync.roa.tohunet.com:3873/repo/ /tmp/r
> rsync: [sender] c
On Mon, Feb 13, 2023 at 02:33:05PM +0100, Claudio Jeker wrote:
> Instead of passing the rib and new and old best prefix just pass the
> rib_entry to rde_generate_updates(). This simplifies a few things down
> that rabbit hole. This is also a step towards decoupling prefix_evaluate()
> and the Loc-R
On Fri, Feb 10, 2023 at 01:05:17PM +0100, Claudio Jeker wrote:
> There are three functions used to update the Adj-RIB-Out of a peer
> depending of the mode of the peer:
> up_generate_updates(), up_generate_addpath() and up_generate_addpath_all()
>
> There is a lot of similar code in there that mak
On Thu, Feb 09, 2023 at 10:56:03AM +0100, Claudio Jeker wrote:
> In IMSG_CTL_SHOW_NEIGHBOR a struct peer is sent from the SE to the RDE to
> fill out 10 values. This is a waste of IO, struct peer is over 1000 bytes
> large. Instead just pass the peerid to the RDE, let the rde send back a
> stats ob
People have made passes at using ANSI-style function definitions in the
past. Some functions were missed and this upsets clang 15.
Index: dump/traverse.c
===
RCS file: /cvs/src/sbin/dump/traverse.c,v
retrieving revision 1.39
diff -u -
On Sat, Jan 28, 2023 at 06:30:55PM +0100, Matthieu Herrb wrote:
> Hi,
>
> The patch below updates xterm to version 378. As always testing
> (especially for specific use cases) is welcome.
Works fine here on several amd64 and arm64 machines.
ok tb
as soon as you think you've seen enough tests.
On Mon, Jan 30, 2023 at 03:29:49PM +0100, Claudio Jeker wrote:
> Extended communities are annoying, especially the ASnum encodings are a
> problem since the same extended community can be encoded in more than one
> way. This results in strange behaviour when used with local-as and/or
> neighbor-as.
On Wed, Jan 25, 2023 at 12:20:29PM +0100, Claudio Jeker wrote:
> This diff is a result of a longer discussion with Sriram from NIST about
> ASPA validation behaviour on route-servers and especially non-transparent RS.
>
> Handling transparent route-servers (which is the default) requires no
> spec
On Tue, Jan 24, 2023 at 02:21:47PM +0100, Claudio Jeker wrote:
> Here is hopefully the last pieces to finish ASAP support.
> This adds filter support. It is similar to origin validation and called
> AVS (ASPA validation state). Only difference is that not-found is called
> unknown in AVS.
> The dif
On Fri, Jan 20, 2023 at 02:44:16PM +0100, Claudio Jeker wrote:
> On Fri, Jan 20, 2023 at 12:21:14PM +0100, Claudio Jeker wrote:
> > This diff adds the reload logic and rewrites larger parts of what was
> > already there to have ASPA validation in the RDE.
> >
> > The main reason this diff is so la
On Fri, Jan 20, 2023 at 09:13:04PM +, Job Snijders wrote:
> On Fri, Jan 20, 2023 at 09:35:08PM +0100, Theo Buehler wrote:
> > On Fri, Jan 20, 2023 at 08:06:00PM +, Job Snijders wrote:
> > > While studying why X509_check_ca() is the ugly thing it is, t
On Fri, Jan 20, 2023 at 08:06:00PM +, Job Snijders wrote:
> While studying why X509_check_ca() is the ugly thing it is, tb@
> suggested x509v3_cache_extensions() might benefit from a wrapper to
> avoid duplication of locking and checking the stupid EXFLAG_INVALID
> flag. x509v3_cache_extensions
On Fri, Jan 20, 2023 at 03:38:45PM +0100, Claudio Jeker wrote:
> This diff removes the extra "allow" from the aspa-set provider-set element
> spec. The allow is not needed and confuses more than it helps.
>
> This change adjusts the parser, printconf, rpki-client and the regress
> tests. Job and I
On Wed, Jan 18, 2023 at 06:01:46PM +, Job Snijders wrote:
> All RRDP servers in the field now issue session IDs using the correct
> UUID version & type.
Thanks for taking care of this.
> OK?
ok
>
> Kind regards,
>
> Job
>
> Index: validate.c
>
> But those calls have either a break or continue, so either the loop is
> exited or restarted (depending on PEERFLAG_EVALUATE_ALL).
That's what I was missing. Not sure how.
> So there should be no way to go from a rde_filterstate_clean(&state) to
> prefix_adjout_update(new).
>
> There is a miss
On Wed, Jan 18, 2023 at 05:37:37PM +0100, Claudio Jeker wrote:
> On Wed, Jan 18, 2023 at 05:18:58PM +0100, Theo Buehler wrote:
> > On Wed, Jan 18, 2023 at 02:46:19PM +0100, Claudio Jeker wrote:
> > > This is the next step in vstate cleanup.
> > > Since the vstate is now
On Wed, Jan 18, 2023 at 02:46:19PM +0100, Claudio Jeker wrote:
> This is the next step in vstate cleanup.
> Since the vstate is now part of struct filterstate use that information
> instead of passing an explicit vstate to the various update functions.
It took me a moment to understand that rde_fi
On Wed, Jan 18, 2023 at 12:06:08PM +0100, Claudio Jeker wrote:
> In the RDE the poll loop needs to know if any additional work is pending.
> This is done calling various functions and if anyone has pending work the
> timeout is reduced to 0.
>
> Now some of the functions will more often trigger th
Until a few minutes ago, the new validator checked policies by default.
The legacy validator and OpenSSL don't do so. Let's explicitly enable
policy checks for all these validators (X509_V_FLAG_EXPLICIT_POLICY is
not enough - our X509_VERIFY_PARAM_set_flags() manual even calls out
that trap).
Inde
> at least this tool works for me:
Surely you have kern.allowkmem=1 set.
On Tue, Jan 17, 2023 at 03:11:26PM +0100, Claudio Jeker wrote:
> This diff adds all the plumbing to push the ASPA table from the RTR
> process into the RDE. It is still missing important bits but the table
> itself should load and `bgpctl show sets` will show what was loaded.
>
> After that the re
> This isn't completely without noise, but it lets you see the substantive
> changes clearly.
This looks good to me and works fine in my environment. Inlining the
weird get_hram() makes things quite a bit clearer. I can't spot anything
wrong in this diff.
ok tb
On Wed, Jan 11, 2023 at 06:34:01PM +0100, Claudio Jeker wrote:
> Introduce rde_filterstate_init() and rde_filterstate_copy() for the cases
> where either the filterstate needs to be initalized or copied from an
> other filterstate. Also switch rde_filterstate_prep() to take a struct
> prefix as arg
On Wed, Jan 11, 2023 at 03:22:17PM +0100, Claudio Jeker wrote:
> This diff does actually 2 things.
>
> 1) it adds the validation state to the filterstate struct and with that
> removes it from rde_filter(). As a next step it can also be removed from
> prefix_update() and friends.
>
> 2) rename pr
On Mon, Jan 09, 2023 at 01:59:50PM +0100, Claudio Jeker wrote:
> So here is the validaton logic for ASPA. Now this is currently not
> hooked up to anything apart from a larger regress test.
> What is missing is code to send the ASPA table to the RDE and the reload
> logic for ASPA.
>
> Most of the
On Tue, Jan 10, 2023 at 09:44:25AM -0300, Crystal Kolipe wrote:
> Fix a fairly obvious comment typo:
Fixed, thanks.
On Fri, Jan 06, 2023 at 11:39:03PM -0600, Purple Rain wrote:
> Hi, everyone! Some spelling fixes for libcrypto.
>
> I added a diff for revision.
Thanks. You can't just change the name of a constant in a public header.
Some code out there might use it and no longer compile after we commit
your dif
On Fri, Jan 06, 2023 at 02:04:21PM +0100, Claudio Jeker wrote:
> Do not fatal out when an unknown filetype shows up.
> Also change the message sent from parser/filemode process to main from
> type::file::repoid to type::repoid::file since that simplifies the code a
> fair amount.
Yes, that's much
On Thu, Jan 05, 2023 at 11:03:04AM +0100, Claudio Jeker wrote:
> gcc4 does not really support C99 initalizers. It works most of the time
> but fails for more complex structs. Just fall back to memset() here.
deraadt used { {0} } in kr_send_dependon(). Apparently that works.
I really don't understa
On Wed, Jan 04, 2023 at 12:21:59PM +0100, Claudio Jeker wrote:
> bgpd already supports Open Policy (RFC 9234) and the role of the router is
> set as part of the `announce policy` config. Now ASPA also needs the role
> so it makes sense to promote setting the role in the config.
>
> I also switched
On Fri, Dec 30, 2022 at 12:41:59PM +1100, Damien Miller wrote:
> On Fri, 30 Dec 2022, Theo Buehler wrote:
>
> > On Fri, Dec 30, 2022 at 10:09:16AM +1100, Damien Miller wrote:
> > > This updates libcbor to upstream version v.0.10.0. This version includes
> > > clang1
On Fri, Dec 30, 2022 at 10:09:16AM +1100, Damien Miller wrote:
> This updates libcbor to upstream version v.0.10.0. This version includes
> clang15 header fixes and fixes a few memory leaks. Full release notes
> are at https://github.com/PJK/libcbor/releases/tag/v0.10.0
I understand that it is a l
On Wed, Dec 28, 2022 at 07:48:29PM +0100, Jeremie Courreges-Anglas wrote:
>
> To build src cleanly with clang-15 you'd need the diff below. The
> alternative would be to patch our three zlib copies and wait for
> upstream to fix it. A more comfortable alternative is to just neuter
> the warning.
On Thu, Dec 22, 2022 at 11:26:30AM +0100, Theo Buehler wrote:
> If the line contains no location info and a comma in a comment, what
> follows the comma will be interpreted as location info. Actually ignore
> what's in comments by adjusting the line length.
It's probably b
On Tue, Dec 27, 2022 at 05:44:39PM +0100, Claudio Jeker wrote:
> The role capability only works on ebgp sessions. It makes no sense on
> ibgp sessions and the RFC 9234 does not define any behaviour for that.
> I decided to:
> - Exclude the role capability for ibgp sessions when sending an OPEN
>
On Mon, Dec 26, 2022 at 07:18:45AM -0300, Crystal Kolipe wrote:
> On Mon, Dec 26, 2022 at 07:34:04AM +, Jason McIntyre wrote:
> > On Thu, Dec 22, 2022 at 10:49:06PM -0500, Paul Tagliamonte wrote:
> >
> > hi. i've committed the parts of this diff relating to libssl.
> > jmc
> >
> > > =
On Sat, Dec 24, 2022 at 12:52:59PM +0100, Patrick Wildt wrote:
> On Thu, Dec 22, 2022 at 01:14:57AM +0100, Patrick Wildt wrote:
> > On Tue, Dec 20, 2022 at 05:48:41PM -0700, Todd C. Miller wrote:
> > > On Tue, 20 Dec 2022 23:44:08 +0100, Patrick Wildt wrote:
> > >
> > > > clang complains when the
If the line contains no location info and a comma in a comment, what
follows the comma will be interpreted as location info. Actually ignore
what's in comments by adjusting the line length.
Index: geofeed.c
===
RCS file: /cvs/src/usr.
On Thu, Dec 22, 2022 at 11:39:41AM +1100, Jonathan Gray wrote:
> On Thu, Dec 22, 2022 at 01:20:32AM +0100, Theo Buehler wrote:
> > > Any concerns regarding the changes in libz? It introduces diff to
> > > upstream, but the recent commits seemed to indicate we hav
> Any concerns regarding the changes in libz? It introduces diff to
> upstream, but the recent commits seemed to indicate we have forked
> anyway?
I've worked hard to keep the diff to upstream minimal. Why are these
changes needed?
This is the remaining bit of mpf's recent netcat diff. The commit log
shows that it was bumped to 64k in the past, but that was promptly
reverted due to concerns of buffer bloat caused by atomicio blocking
traffic in the other direction.
I don't know if things are different enough 8 years later th
Here's a diff to clean up the XXX that I added in my previous commit.
If the SAN isn't listed in the config file, it could be anything, so
let's print it with strvisx(). If the SAN is listed but duplicate, this
feels like overkill, so let's not bother.
Index: revokeproc.c
=
The diff below has three independent parts which I intend to commit
separately. It does not change anything.
In op_thumbprint() use EVP_Digest() for simplicity. The conversion
is straightforward and it's an obvious win.
The second part converts EVP_Sign*() usage to EVP_DigestSign(). This is
a bit
> > -* Parse the SAN line.
> > -* Make sure that all of the domains are represented only once.
> > +* Ensure the certificate's SAN entries fully cover those passed on
> > +* the command line and that all domains are represented only once.
> > */
>
> The SAN entries do not come
I would appreciate some testing by people who actually use acme-client
with multiple SANs. The diff works for me and should not change any
important behavior.
When I learned about CVE-2021-44532 in node, I was horrified, but oh,
well, it was node. Little did I suspect that acme-client did somethin
This should probably been part of my last diff, but I noticed it only
on commit... acme-client contains the same mistake as rpki-client had:
all times in certificates are expressed in GMT, so using the TZ dependent
output of mktime() and mixing it with the output of time(NULL) is wrong.
I don't th
Methods to convert ASN1_TIMEs to something else have long been available
in both LibreSSL and OpenSSL. The internals in libcrypto are safer, more
correct and better vetted than this (the actual conversion happens in
asn1_time_parse_cbs() in lib/libcrypto/asn1/a_time_tm.c).
Also, use X509_getm_notA
> > > > + io_read_buf(b, &id, sizeof(id));
> > > > + rp = repo_byid(id);
> > >
> > > Can we assert(rp != NULL) here or should we error? For example, the
> > > repo_id() call in roa_insert_vrps() could result in a crash otherwise.
> >
> > I added an assert and added an if (rp != NULL)
I'm ok with landing your second version.
ok tb
On Wed, Dec 14, 2022 at 12:14:55PM +0100, Claudio Jeker wrote:
> This diff adds per repository statistics, tracks a few more bits like how
> long it took to sync a repo and finally adds a new openmetrics output.
> The ometric code is from bgpctl but currently has two hacks in to display
> the info
On Wed, Dec 14, 2022 at 03:02:48PM +0100, Claudio Jeker wrote:
> From my ASPA tree.
>
> In rde_update_dispatch() the MP capability check for IPv4 is done for
> every prefix again instead of once for withdraws and once for updates.
> In the real MP case this is not an issue since the code does not
On Wed, Dec 14, 2022 at 12:43:26PM +0100, Claudio Jeker wrote:
> This helps me in regress for the new ASAP unittest.
> I think making these accessors static inline makes sense here.
ok
I would use parens after return for all or none of them. rde.h isn't
super consistent about this - it uses them
Noticed while looking for the buffer overwrite mentioned on bugs.
ec_sig is allocated by d2i_ECDSA_SIG() and needs to be freed.
PS: There are a few things that should be cleaned up and fixed in this
file. I'll send a diff after the overwrite is resolved.
Index: acctproc.c
On Wed, Dec 14, 2022 at 10:40:47AM +0100, Claudio Jeker wrote:
> rpki-client IO buffers start with a small header (the size of the full
> message) followed by the payload. io_buf_read() currently does this in
> two steps. Because of this simple messages require two calls through the
> event loop an
On Wed, Dec 14, 2022 at 09:25:03AM +0100, Claudio Jeker wrote:
> Use clock_gettime(CLOCK_MONOTONIC) to calculate the runtime of
> rpki-client. While there switch all timevals in the stats struct to
> timespecs in preparation for openmetric support.
> I also resorted the headers and added the missin
On Wed, Dec 14, 2022 at 09:25:03AM +0100, Claudio Jeker wrote:
> Use clock_gettime(CLOCK_MONOTONIC) to calculate the runtime of
> rpki-client. While there switch all timevals in the stats struct to
> timespecs in preparation for openmetric support.
> I also resorted the headers and added the missin
On Fri, Dec 09, 2022 at 12:56:44PM +0100, Claudio Jeker wrote:
> cheloha@ switched the bgpctl code to use struct timespec and a monotonic
> clock. Adjust the ometric code to use a timespec internally so that there
> is no need to convert from timespec to timeval.
ok tb
On Wed, Dec 07, 2022 at 03:56:56PM +0100, Alexander Bluhm wrote:
> On Mon, Nov 28, 2022 at 03:04:17PM +0100, Mark Kettenis wrote:
> > So here is an updated diff that checks the UVM_VNODE_DYING flag and
> > skips the refcount manipulation if it is set.
>
> My macppc has build a full release with it
> Indeed much better. Updated diff below.
ok tb
201 - 300 of 1186 matches
Mail list logo
