rpki-client more http.c cleanup

2021-04-13 Thread Claudio Jeker
This is another minor cleanup. It makes http_done() similar to http_fail() by taking all the arguments (which would allow it to be called after the http connection was removed) and it also no longer alters the http state. At the same time move some common code between http_connect() and

missing case in rpki-client rrdp repo merge

2021-04-13 Thread Claudio Jeker
rpki-client applies all delta files to a temporary location. At the same time files or uri are tracked in an added and deleted set to know which files to remove from the repo or move into place. Now when adding a file to the temp dir one step is missing. If the file was previously removed and then

Re: rpki-client vs expat API madness

2021-04-12 Thread Claudio Jeker
On Mon, Apr 12, 2021 at 10:25:35AM -0600, Theo de Raadt wrote: > > + line = XML_GetCurrentLineNumber(p); > > I think you can simplify your larger diff and avoid the temporary variable > by doing: > > warnx("%s: XML error at line %llu: %s", s->local, >

rpki-client vs expat API madness

2021-04-12 Thread Claudio Jeker
So expat has a few options that change the ABI / API of expat. One of them is XML_GetCurrentLineNumber() which returns a XML_Size which is typedef-ed to unsigned long or unsigned long long depending on the XML_LARGE_SIZE define. To work around this I just use an unsigned long long to store the

Re: iscsid/iscsictl: Introduce poll-and-wait delay during reload

2021-04-12 Thread Claudio Jeker
On Sat, Mar 20, 2021 at 04:15:29PM -0400, Ashton Fagg wrote: > Hello. > > Pinging on this one hoping to get some feedback. I've reattached the > diff below. > Hi Ashton, I adjusted your diff a bit (mainly cleanup of spacing and other style changes). Please have a look. I think this version

Re: rpki-client: emit number of deleted files/dirs in JSON output

2021-04-08 Thread Claudio Jeker
On Thu, Apr 08, 2021 at 07:34:00PM +0000, Job Snijders wrote: > Hi all, > > The below patch exposes two metrics via JSON. This will remove the need > for some rpki-client affiniadios to screen scrape rpki-client's STDOUT. > > OK? > OK claudio@ > Index: output-json.c >

Re: rpki-client http cleanup

2021-04-08 Thread Claudio Jeker
On Thu, Apr 08, 2021 at 07:43:47PM +0200, Theo Buehler wrote: > On Thu, Apr 08, 2021 at 07:18:39PM +0200, Claudio Jeker wrote: > > On Thu, Apr 08, 2021 at 06:22:16PM +0200, Theo Buehler wrote: > > > On Thu, Apr 08, 2021 at 04:47:15PM +0200, Claudio Jeker wrote: > > >

Re: rpki-client http cleanup

2021-04-08 Thread Claudio Jeker
On Thu, Apr 08, 2021 at 06:22:16PM +0200, Theo Buehler wrote: > On Thu, Apr 08, 2021 at 04:47:15PM +0200, Claudio Jeker wrote: > > This diff is a first step in tightening the code in http.c > > It should cleanup the poll handling and adds some code to ensure that > >

rpki-client http cleanup

2021-04-08 Thread Claudio Jeker
This diff is a first step in tightening the code in http.c. It should cleanup the poll handling and adds some code to ensure that only expected results are returned. The goal is that http_handle() only does IO processing and http_nextstep() is used for transitions into new states. I did

rpki-client collect childs on pipe hangup

2021-04-08 Thread Claudio Jeker
Currently when a pipe to some child is closed the main process errors out hard. This is not great since the exit reason is not shown. Change this to break out of the poll loop and also restructure the wait code to use a loop which checks for both exit and signal status. I also switched rsync and

rpki-client http client and bind to address

2021-04-07 Thread Claudio Jeker
When -b is used rpki-client should bind to that address for outgoing connections. The http code does that but only warns if a bind call fails and tries the connect nonetheless. This is different from other network tools (nc, ftp, telnet). So change this to a real error. -- :wq Claudio Index:

rpki-client rrdp merge repo fix

2021-04-07 Thread Claudio Jeker
In some cases unlink reports 'no such file or directory' when the RRDP repository is merged at the end of a RRDP sync. The problem is that some deleted files are in the temporary location and not part of the real repo. Because of this if unlink returns ENOENT then try the alternate location. While

rpki-client don't hang on rrdp hash errors

2021-04-06 Thread Claudio Jeker
When an rrdp request fails because the hash of a delta or snapshot is incorrect the repo never finishes because the setting of RRDP_STATE_PARSE_DONE and the call to rrdp_finished() is skipped. The result is a hanging rpki-client until the alarm kills it after 1h. This simple diff should fix the

rpki-client http cleanup

2021-04-06 Thread Claudio Jeker
Here is a bit more cleanup of the http.c code. - Move http_fail() out of http_free() and more to the places where the failure should be reported. This needs further work but one step at a time. - Change http_connect() to be more like the example in getaddrinfo() with the big difference

Re: iscsid issues with Synology NAS

2021-04-01 Thread Claudio Jeker
On Thu, Apr 01, 2021 at 07:27:10AM +0200, Bruno Flueckiger wrote: > On 31.03., David Alten wrote: > > Hello, > > > > I'm having issues getting iscsid to work with my Synology NAS. > > > > The first issue was that the NAS was returning an error code. Turns out > > it didn't like not?? missing

rpki-client use setproctitle(3)

2021-03-31 Thread Claudio Jeker
It is time to use setproctitle() in rpki-client. Right now there are three processes, soon it will be four. This should help identify the different processes. I did not change the proc title of the main process to keep the arguments. -- :wq Claudio Index: main.c

Re: rpki-client: better cleanup code

2021-03-31 Thread Claudio Jeker
On Wed, Mar 31, 2021 at 01:41:36PM +0200, Claudio Jeker wrote: > On Wed, Mar 31, 2021 at 12:40:57PM +0200, Claudio Jeker wrote: > > The current code to cleanup the repository after validation did not > > cleanup directories and also skipped any repo directory that is no

Re: rpki-client: better cleanup code

2021-03-31 Thread Claudio Jeker
On Wed, Mar 31, 2021 at 12:40:57PM +0200, Claudio Jeker wrote: > The current code to cleanup the repository after validation did not > cleanup directories and also skipped any repo directory that is not > referenced. > > Adjust the cleanup code to fix these two issues. Thi

rpki-client move encoding functions into own file

2021-03-31 Thread Claudio Jeker
file: encoding.c diff -N encoding.c --- /dev/null 1 Jan 1970 00:00:00 - +++ encoding.c 31 Mar 2021 11:00:49 - @@ -0,0 +1,88 @@ +/* $OpenBSD$ */ +/* + * Copyright (c) 2020 Claudio Jeker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose

rpki-client: better cleanup code

2021-03-31 Thread Claudio Jeker
The current code to cleanup the repository after validation did not cleanup directories and also skipped any repo directory that is not referenced. Adjust the cleanup code to fix these two issues. This uses the fact that the cache directory now only contains 2 directories rsync & ta. Thanks to the

Re: rpki-client, don't double fail on getaddrinfo errors

2021-03-30 Thread Claudio Jeker
On Tue, Mar 30, 2021 at 05:45:39PM +0200, Theo Buehler wrote: > On Tue, Mar 30, 2021 at 05:30:19PM +0200, Claudio Jeker wrote: > > Found the hard way. http_new() calls http_free() if http_resolv() fails. > > http_free() calls http_fail() in that case since the state is not

rpki-client, don't double fail on getaddrinfo errors

2021-03-30 Thread Claudio Jeker
Found the hard way. http_new() calls http_free() if http_resolv() fails. http_free() calls http_fail() in that case since the state is not STATE_DONE. In the main poll loop another http_fail() call is made. This results in bad bad things. -- :wq Claudio Index: http.c

Re: rpki-client replace funky bin to hex loop in x509

2021-03-29 Thread Claudio Jeker
On Mon, Mar 29, 2021 at 01:19:21PM +0200, Claudio Jeker wrote: > On Mon, Mar 29, 2021 at 12:42:02PM +0200, Theo Buehler wrote: > > On Mon, Mar 29, 2021 at 10:38:54AM +0200, Claudio Jeker wrote: > > > Replace a super strange way to translate some binary blob into a hex > >

Re: rpki-client replace funky bin to hex loop in x509

2021-03-29 Thread Claudio Jeker
On Mon, Mar 29, 2021 at 12:42:02PM +0200, Theo Buehler wrote: > On Mon, Mar 29, 2021 at 10:38:54AM +0200, Claudio Jeker wrote: > > Replace a super strange way to translate some binary blob into a hex string. > > The code drops the : from the string but this is fine, the : is just &

Re: rpki-client replace funky bin to hex loop in x509

2021-03-29 Thread Claudio Jeker
On Mon, Mar 29, 2021 at 10:38:54AM +0200, Claudio Jeker wrote: > Replace a super strange way to translate some binary blob into a hex string. > The code drops the : from the string but this is fine, the : is just > visual fluff. I used the same function in the not yet finished RRDP &

rpki-client replace funky bin to hex loop in x509

2021-03-29 Thread Claudio Jeker
Replace a super strange way to translate some binary blob into a hex string. The code drops the : from the string but this is fine, the : is just visual fluff. I used the same function in the not yet finished RRDP codebase and there I don't want the extra ':'. Works for me. -- :wq Claudio

rpki-client compare file path properly

2021-03-26 Thread Claudio Jeker
Not sure on what I was tripping when writing filepathcmp() but it makes no sense to use strcasecmp() there. It compares paths in the filesystem and these are case-sensitive. -- :wq Claudio Index: main.c === RCS file:

Re: mpe, mpip, mpw: Only install route with label, fix leak on destroy

2021-03-26 Thread Claudio Jeker
On Fri, Mar 26, 2021 at 01:16:32PM +0100, Klemens Nanni wrote: > On Wed, Mar 17, 2021 at 04:47:36PM +0100, Klemens Nanni wrote: > > `ifconfig mp* mplslabel N' validates the label both in ifconfig and each > > driver's ioctl handler, but there is one case where all drivers install > > a route

Re: rpki-client cleanup poll loop

2021-03-26 Thread Claudio Jeker
On Fri, Mar 26, 2021 at 10:37:27AM +0100, Theo Buehler wrote: > On Fri, Mar 26, 2021 at 09:52:04AM +0100, Claudio Jeker wrote: > > This diff replaces mostly the same code in the poll loop with a for loop. > > It also gives a hint which process closed a connection. > > This

rpki-client cleanup poll loop

2021-03-26 Thread Claudio Jeker
This diff replaces mostly the same code in the poll loop with a for loop. It also gives a hint which process closed a connection. -- :wq Claudio Index: main.c === RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v retrieving revision

Re: fix ospf6d.conf example

2021-03-26 Thread Claudio Jeker
On Fri, Mar 26, 2021 at 09:36:13AM +0100, Remi Locherer wrote: > Hi, > > danj@ noticed that our ospf6d.conf example is using multiple areas. > In the man page of ospf6d we state that multi area support is not > available. The daemon accepts such a config but does not do the right > thing if I

rpki-client http client adjustments

2021-03-25 Thread Claudio Jeker
This diff is mostly cleanup and adding the missing bits needed for RRDP. Instead of a simple bool ok use an enum to report the state back. Can be fail, ok or not-modified (the last is used for 304 Not Modified answers (if a If-Modified-Since header was passed in the request). Additionally add

rpki-client adjust base64_decode

2021-03-25 Thread Claudio Jeker
RRDP has a lot of base64 strings to handle. Because of this adjust the base64_decode function in tal.c to take a regular string as input. For now keep the function static, will change that once RRDP is ready. OK? -- :wq Claudio Index: tal.c

Re: rpki-client show version

2021-03-19 Thread Claudio Jeker
On Fri, Mar 19, 2021 at 12:02:48PM +0100, Theo Buehler wrote: > On Fri, Mar 19, 2021 at 11:01:27AM +0100, Claudio Jeker wrote: > > This is mostly for -portable but also the native version should be able to > > mention that it is not the -portable version. > > This is a

rpki-client show version

2021-03-19 Thread Claudio Jeker
This is mostly for -portable but also the native version should be able to mention that it is not the -portable version. This is a compromise I can live with, hope everyone else agrees. -- :wq Claudio ? obj Index: extern.h === RCS

fix rpki-client -t with relative paths

2021-03-19 Thread Claudio Jeker
rpki-client is currently not able to load relative tal files via -t option. The problem is that the chdir to the cache directory happens before the tal files are loaded. Move the fchdir down so relative paths work when queue_add_tal() is called. Also make sure that the rsync and parser process

Re: rpki-client: do not include ':' in port

2021-03-18 Thread Claudio Jeker
On Thu, Mar 18, 2021 at 04:46:08PM +0100, Theo Buehler wrote: > The port number starts after the ':'. Agreed. OK claudio@ > Index: http.c > === > RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v > retrieving revision 1.7 > diff -u

Re: rpki-client: avoid NULL access in http_parse_uri()

2021-03-18 Thread Claudio Jeker
On Thu, Mar 18, 2021 at 03:54:48PM +0100, Theo Buehler wrote: > A malformed URI such as "https://[::1/index.html; causes a NULL access > in the hosttail[1] == ":" check. Good catch. I think your diff makes this code a bit easier to understand. OK claudio@ > Index: http.c >

Re: ifconfig and MPLS: document commands and ioctls, SIOCDELLABEL inconsistency

2021-03-18 Thread Claudio Jeker
On Tue, Mar 16, 2021 at 09:46:27AM +0100, Klemens Nanni wrote: > On Tue, Mar 16, 2021 at 08:55:43AM +0100, Claudio Jeker wrote: > > > .Sh HISTORY > > > -The > > > +The , > > > > Why did you add this ',' that looks strange to me. > > > >

rpki-client cleanup

2021-03-18 Thread Claudio Jeker
This diff aims at removing some warnings seen in -portable. - gcc has a hard time realizing when a variable like noop ensures that another variable is not used. - Similarly the switch () statements in http.c include all possible enums but gcc warns about control reaches end of non-void function.

Re: mpw: make "ifconfig mpw0 -mplslabel" work

2021-03-17 Thread Claudio Jeker
On Wed, Mar 17, 2021 at 07:09:23PM +0100, Klemens Nanni wrote: > With that the ifconfig(8) bits (which are still pending in the other > tech@ thread) actually hold up. > > Code is there, noone seemed to have used it so far, though. > > OK? OK claudio@ > Index: if_mpw.c >

Re: mpip, mpw: Use correct rdomain when adding/deleting routes

2021-03-17 Thread Claudio Jeker
On Tue, Mar 16, 2021 at 11:33:53PM +0100, Klemens Nanni wrote: > Found while reading the code and testing ifconfig(8)'s `tunneldomain' in > order to document MPLS ioctls (see other thread on tech@). > > mpe(4) consistently uses the softc's rdomain which is tracked > consistently across the

Re: ntpd adjtime offset race

2021-03-17 Thread Claudio Jeker
On Tue, Mar 16, 2021 at 03:05:23PM +0100, Alexander Bluhm wrote: > Hi, > > I am running ntpd as a client with three upstream servers. Some > of them are not synchronized and report a time that is off by several > seconds. > > The ntpd client code corrects both T1 and T4 with the current offset >

bgpd code cleanup

2021-03-17 Thread Claudio Jeker
Base gcc warns about 'rp' may be used uninitialized. Now the code is correct and rp is not used uninitialized but it is not as obvious as it could be. Also rp is a bit of a shitty name for the redo queue tail pointer. So cleanup the code and with it stop the warning. OK? -- :wq Claudio Index:

Re: ifconfig and MPLS: document commands and ioctls, SIOCDELLABEL inconsistency

2021-03-16 Thread Claudio Jeker
On Tue, Mar 16, 2021 at 12:23:31AM +0100, Klemens Nanni wrote: > On Sat, Mar 13, 2021 at 11:45:30PM +0100, Claudio Jeker wrote: > > On Sat, Mar 13, 2021 at 11:31:05PM +0100, Klemens Nanni wrote: > > > First off: I've never used mpe(4), mpw(4) or mpip(4); this occurred to >

Re: ifconfig and MPLS: document commands and ioctls, SIOCDELLABEL inconsistency

2021-03-13 Thread Claudio Jeker
On Sat, Mar 13, 2021 at 11:31:05PM +0100, Klemens Nanni wrote: > First off: I've never used mpe(4), mpw(4) or mpip(4); this occurred to > me while looking at ifconfig.{c,8} in general. > > > 1. bug: ifconfig(8) forgets to document both `-tunneldomain' and > `-mplslabel' in the first place, diff

rpki-client per repo entity queue

2021-03-10 Thread Claudio Jeker
The entity queue is per repository. It is a queue of files that depend on this repository and need to wait until the repository finished its sync. There is no benefit of a global queue. In my opinion this is more understandable. -- :wq Claudio Index: main.c

rpki-client simplify enqueue from MFT files

2021-03-09 Thread Claudio Jeker
Only .crl files need to be parsed first (the other files depend on the certificate revocation list to be present). Instead of many loops over the same fileset just do it twice. First for .crl and then for the other known file types. This should save some CPU cycles. -- :wq Claudio Index: main.c

Fix bgpd problem with local announcements

2021-03-08 Thread Claudio Jeker
The last commit introduced an error in prefix_eligible(). For nexthops the logic is not quite right since a NULL nexthop is actually fine. These nexthops are created for local announcements (unless their nexthop is overridden). -- :wq Claudio Index: rde_decide.c

Re: Read `ps_single' once

2021-03-08 Thread Claudio Jeker
On Mon, Mar 08, 2021 at 12:11:54PM +0100, Martin Pieuchot wrote: > On 08/03/21(Mon) 11:57, Claudio Jeker wrote: > > On Mon, Mar 08, 2021 at 11:06:44AM +0100, Martin Pieuchot wrote: > > > On 05/03/21(Fri) 11:30, Martin Pieuchot wrote: > > > > On 04/03/21(T

Re: Read `ps_single' once

2021-03-08 Thread Claudio Jeker
On Mon, Mar 08, 2021 at 11:06:44AM +0100, Martin Pieuchot wrote: > On 05/03/21(Fri) 11:30, Martin Pieuchot wrote: > > On 04/03/21(Thu) 11:45, Mark Kettenis wrote: > > > > Date: Thu, 4 Mar 2021 11:19:23 +0100 > > > > From: Martin Pieuchot > > > > > > > > On 04/03/21(Thu) 11:01, Mark Kettenis

Re: single_thread_clear() w/o KERNEL_LOCK()

2021-03-08 Thread Claudio Jeker
On Mon, Mar 08, 2021 at 11:07:01AM +0100, Martin Pieuchot wrote: > On 04/03/21(Thu) 10:44, Martin Pieuchot wrote: > > single_thread_clear() manipulates the same data structures as > > single_thread_set() and, as such, doesn't need the KERNEL_LOCK(). > > > > However cursig() does need some sort of

Re: rpki-client validate URI function

2021-03-05 Thread Claudio Jeker
On Fri, Mar 05, 2021 at 04:58:44PM +0100, Claudio Jeker wrote: > On Fri, Mar 05, 2021 at 04:08:55PM +0100, Theo Buehler wrote: > > On Fri, Mar 05, 2021 at 01:48:43PM +0100, Claudio Jeker wrote: > > > Instead of adding similar checks all over the place introduce a > >

Re: rpki-client validate URI function

2021-03-05 Thread Claudio Jeker
On Fri, Mar 05, 2021 at 04:08:55PM +0100, Theo Buehler wrote: > On Fri, Mar 05, 2021 at 01:48:43PM +0100, Claudio Jeker wrote: > > Instead of adding similar checks all over the place introduce a > > valid_uri() function that checks if a URI is valid enough for rpki-client. >

rpki-client validate filehash function

2021-03-05 Thread Claudio Jeker
RRDP also uses SHA256 hashes to validate files (before withdraws and updates). Again move this from the implementation in mft.c to validate.c this way it can be reused. OK? -- :wq Claudio Index: extern.h === RCS file:

rpki-client validate URI function

2021-03-05 Thread Claudio Jeker
Instead of adding similar checks all over the place introduce a valid_uri() function that checks if a URI is valid enough for rpki-client. rpki-client does not accept files or directories starting with ., bails on URI that have strange characters and valid_uri() will also check that the protocol

Re: rpki-client: unchecked str(n)dup

2021-03-04 Thread Claudio Jeker
On Thu, Mar 04, 2021 at 04:25:53PM +0100, Theo Buehler wrote: > On Thu, Mar 04, 2021 at 04:10:12PM +0100, Claudio Jeker wrote: > > On Thu, Mar 04, 2021 at 03:53:44PM +0100, Theo Buehler wrote: > > > The first two seem obvious oversights. The ones in rsync_base_uri() > >

Re: rpki-client: unchecked str(n)dup

2021-03-04 Thread Claudio Jeker
On Thu, Mar 04, 2021 at 03:53:44PM +0100, Theo Buehler wrote: > The first two seem obvious oversights. The ones in rsync_base_uri() > would end up silently ignored: > queue_add_from_cert > repo_lookup > rsync_base_uri > > Index: http.c >

Re: work with 64bit ethernet addresses in ether_input()

2021-03-04 Thread Claudio Jeker
On Thu, Mar 04, 2021 at 10:06:24PM +1000, David Gwynne wrote: > this applies the tricks with addresses from veb and etherbridge > code to the normal ethernet input processing. it seems to make > things a bit faster. some tests have shown a 15% improvement in > forwarding performance with this

Re: Kill SINGLE_PTRACE

2021-03-04 Thread Claudio Jeker
On Thu, Mar 04, 2021 at 11:06:21AM +0100, Martin Pieuchot wrote: > On 04/03/21(Thu) 10:36, Claudio Jeker wrote: > > On Thu, Mar 04, 2021 at 10:28:50AM +0100, Martin Pieuchot wrote: > > > SINGLE_PTRACE has almost the same semantic as SINGLE_SUSPEND. The > > > differe

Re: Kill SINGLE_PTRACE

2021-03-04 Thread Claudio Jeker
On Thu, Mar 04, 2021 at 10:28:50AM +0100, Martin Pieuchot wrote: > SINGLE_PTRACE has almost the same semantic as SINGLE_SUSPEND. The > difference is that there's no need to wait for other threads to be > parked. > > Diff below changes single_thread_set() to be explicit when waiting is >

rpki-client, unify err() for out of memory situation

2021-03-02 Thread Claudio Jeker
This diff just brings all err(3) calls for out of memory situations to one form: err(1, NULL); It is not very helpful to tell if malloc, strdup or asprintf failed with no mem. Just one common idiom. OK? -- :wq Claudio Index: main.c

Re: Teach rpki-client some https

2021-03-02 Thread Claudio Jeker
On Mon, Mar 01, 2021 at 11:57:03AM +0100, Claudio Jeker wrote: > On Sun, Feb 28, 2021 at 09:09:05AM +0100, Theo Buehler wrote: > > On Thu, Feb 25, 2021 at 05:03:19PM +0100, Claudio Jeker wrote: > > > On Fri, Feb 19, 2021 at 07:10:02PM +0100, Claudio Jeker wrote: > > > &

Re: Teach rpki-client some https

2021-03-01 Thread Claudio Jeker
On Sun, Feb 28, 2021 at 09:09:05AM +0100, Theo Buehler wrote: > On Thu, Feb 25, 2021 at 05:03:19PM +0100, Claudio Jeker wrote: > > On Fri, Feb 19, 2021 at 07:10:02PM +0100, Claudio Jeker wrote: > > > Some TAL files now include an https URI where the TA can be fetched from. &g

Re: Teach rpki-client some https

2021-02-25 Thread Claudio Jeker
On Fri, Feb 19, 2021 at 07:10:02PM +0100, Claudio Jeker wrote: > Some TAL files now include an https URI where the TA can be fetched from. > With this diff rpki-client will download the TA from https unless that > fails and then fall back to rsync. > > This is not yet perfe

rpki-client don't clobber poll events

2021-02-23 Thread Claudio Jeker
It is perfectly fine to wait for read and write at the same time. The code in rpki-client should do that too, I think it will not matter but it is what I intended. -- :wq Claudio Index: main.c === RCS file:

rpki-client lock down rsync process further

2021-02-23 Thread Claudio Jeker
There is no need for cpath or the unveil of . in the rsync process. That process just does fork+exec for rsync. Removing the unveil pledge is the same as unveil(NULL, NULL) so skip that too. OK? -- :wq Claudio Index: main.c === RCS

Teach rpki-client some https

2021-02-19 Thread Claudio Jeker
:32:26 - @@ -0,0 +1,1223 @@ +/* + * Copyright (c) 2020 Nils Fisher + * Copyright (c) 2020 Claudio Jeker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission

rpki-client extra paranoia

2021-02-19 Thread Claudio Jeker
Better to make sure that all URI we ingest are sensitive. Similar check is already done in cert.c so also do it for the TAL files (even though these are normally controlled by the user). OK? -- :wq Claudio Index: tal.c === RCS file:

Re: rpki-client: recallocarray conversions

2021-02-19 Thread Claudio Jeker
On Fri, Feb 19, 2021 at 10:27:06AM +0100, Theo Buehler wrote: > As discussed a few days ago, there are a few reallocarray + memset that > can be directly handled by recallocarray. Fine with me. > Index: main.c > === > RCS file:

further x509 cleanup in rpki-client

2021-02-18 Thread Claudio Jeker
Instead of iterating over all x509 extensions and looking for SKI and AKI use X509_get_ext_d2i(). This reduces the complexity a fair bit. Also add additional checks (e.g. make sure the extensions are non-critical). More cleanup in cert.c should follow but one step at a time. -- :wq Claudio Index:

rpki-client, create repo dir in parent process

2021-02-18 Thread Claudio Jeker
This diff moves the mkpath() call from the rsync child to the parent. As a result the rsync process no longer needs cpath. It will also simplify integration of RRDP since that will be another process. -- :wq Claudio ? obj Index: extern.h

Re: RTR support for bgpd

2021-02-17 Thread Claudio Jeker
On Wed, Feb 17, 2021 at 06:37:56PM -0700, Theo de Raadt wrote: > Regarding port 323, > > +If not specified the default > +.Ic port > +is > +.Em 323 . > > and > > +rtr : RTR address { > + currtr = get_rtr(&$2); > + currtr->remote_port = 323; > +

Re: bgpd rde decide all for route-servers

2021-02-16 Thread Claudio Jeker
On Tue, Feb 16, 2021 at 10:44:31AM +0100, Claudio Jeker wrote: > On route-servers at IXPs there is often the wish to not have path hiding > because of output filters. One way of solving this is to use per peer RIBs > but the cost (in memory) is very high. This solves this issue in a > d

bgpd rde decide all for route-servers

2021-02-16 Thread Claudio Jeker
On route-servers at IXPs there is often the wish to not have path hiding because of output filters. One way of solving this is to use per peer RIBs but the cost (in memory) is very high. This solves this issue in a different way but with the same (or similar) result. In bgpd all prefixes/paths are

Re: rpki-client: get Authority Information Access (AIA) from CA & EE certs

2021-02-15 Thread Claudio Jeker
On Mon, Feb 15, 2021 at 04:58:50PM +0000, Job Snijders wrote: > Hi, > > Thank you for the review > > On Mon, Feb 15, 2021 at 01:42:57PM +0100, Claudio Jeker wrote: > > Please do not define variables in the middle of functions. > > now fixed > > >

Re: RTR support for bgpd

2021-02-15 Thread Claudio Jeker
On Wed, Feb 10, 2021 at 05:30:02PM +0100, Claudio Jeker wrote: > On Tue, Jan 26, 2021 at 10:31:40AM +0100, Claudio Jeker wrote: > > This diff adds initial RTR (RPKI to Router) support to bgpd. > > Instead of loading the roa-set table via the configuration bgpd will use > >

Re: change rpki-client repository code

2021-02-15 Thread Claudio Jeker
On Mon, Feb 15, 2021 at 04:53:17PM +0100, Theo Buehler wrote: > On Fri, Feb 12, 2021 at 10:01:38AM +0100, Claudio Jeker wrote: > > On Mon, Feb 08, 2021 at 05:15:40PM +0100, Claudio Jeker wrote: > > > Split the repository code into two parts: > > > > > > - f

Re: rpki-client: get Authority Information Access (AIA) from CA & EE certs

2021-02-15 Thread Claudio Jeker
On Sun, Feb 14, 2021 at 05:41:55PM +0000, Job Snijders wrote: > Make the AIA more easily available for debugging purposes & future > changesets > > In the context of the RPKI, the AIA extension identifies the publication > point of the certificate of the issuer of the certificate in which the >

httpd(8) fix tls comparison of servers

2021-02-15 Thread Claudio Jeker
For SNI all TLS servers need to run with the same config. The config parser has an extra step for this. The problem is it also compares the TLS config params with non-TLS servers when a server block has both listen * port 80 and listen * tls port 443. The following diff fixes that and also

Re: use rtalloc_mpath in pf_route{,6}

2021-02-15 Thread Claudio Jeker
On Mon, Feb 15, 2021 at 08:02:37PM +1000, David Gwynne wrote: > if you have multiple links to the same destination, this will let you > use them via route-to/reply-to/dup-to. > > ok? > > Index: pf.c > === > RCS file:

Re: video(4) multiple opens

2021-02-13 Thread Claudio Jeker
On Sat, Feb 13, 2021 at 10:26:48AM +0100, Marcus Glocker wrote: > On Sat, Feb 13, 2021 at 08:30:04AM +0100, Claudio Jeker wrote: > > > On Fri, Feb 12, 2021 at 10:59:05PM +0100, Jeremie Courreges-Anglas wrote: > > > On Wed, Feb 10 2021, M

Re: video(4) multiple opens

2021-02-12 Thread Claudio Jeker
On Fri, Feb 12, 2021 at 10:59:05PM +0100, Jeremie Courreges-Anglas wrote: > On Wed, Feb 10 2021, Martin Pieuchot wrote: > > [...] > > > Which fields is the new lock protecting? Why isn't the KERNEL_LOCK() > > enough? > > When I mentioned this potential lack of locking to Marcus, I was >

Re: Possible null deref on pf.c

2021-02-12 Thread Claudio Jeker
On Fri, Feb 12, 2021 at 01:20:01PM +0100, Alexander Bluhm wrote: > On Fri, Feb 12, 2021 at 01:11:24PM +0100, Claudio Jeker wrote: > > On Fri, Feb 12, 2021 at 12:03:49PM +0000, Ricardo Mestre wrote: > > > This was reported on CID 1501718, ifp starts as NULL and then might

Re: Possible null deref on pf.c

2021-02-12 Thread Claudio Jeker
On Fri, Feb 12, 2021 at 12:03:49PM +0000, Ricardo Mestre wrote: > Hi, > > This was reported on CID 1501718, ifp starts as NULL and then might be > deref'ed. > > The question is does the below make any sense to solve it since I don't know > what I'm doing? :) > > What do you net gurus say? >

Re: snmpd: Add end of sequence tests

2021-02-12 Thread Claudio Jeker
On Fri, Feb 12, 2021 at 10:03:21AM +0100, Martijn van Duren wrote: > ping > > On Sun, 2021-01-31 at 11:57 +0100, Martijn van Duren wrote: > > Now that ober_scanf_elements supports '$' lets use it. > > > > Here's a first stab by adding it to snmpd. > > Passing regress and a few manual checks. > >

Re: change rpki-client repository code

2021-02-12 Thread Claudio Jeker
On Mon, Feb 08, 2021 at 05:15:40PM +0100, Claudio Jeker wrote: > Split the repository code into two parts: > > - fetch of the trust anchors (the certs referenced by TAL files) > - fetch of the MFT files of a repository > > While the two things kind of look similar there ar

Re: RTR support for bgpd

2021-02-10 Thread Claudio Jeker
On Tue, Jan 26, 2021 at 10:31:40AM +0100, Claudio Jeker wrote: > This diff adds initial RTR (RPKI to Router) support to bgpd. > Instead of loading the roa-set table via the configuration bgpd will use > RTR to load the RPKI table from one or multiple RTR servers. > This has

ocspcheck try all returned addresses from getaddrinfo

2021-02-09 Thread Claudio Jeker
Running regress/usr.sbin/ocspcheck with a resolv.conf that has 'family inet6 inet4' fails because ocspcheck only tries to contact ::1. The following diff fixes the issue by not breaking out early from the getaddrinfo loop over the results. With this the regress test works and I guess it may help

Re: diff: tcp ack improvement

2021-02-08 Thread Claudio Jeker
On Mon, Feb 08, 2021 at 07:46:46PM +0100, Alexander Bluhm wrote: > On Mon, Feb 08, 2021 at 07:03:59PM +0100, Jan Klemkow wrote: > > On Mon, Feb 08, 2021 at 03:42:54PM +0100, Alexander Bluhm wrote: > > > On Wed, Feb 03, 2021 at 11:20:04AM +0100, Claudio Jeker wrote: > >

change rpki-client repository code

2021-02-08 Thread Claudio Jeker
Split the repository code into two parts: - fetch of the trust anchors (the certs referenced by TAL files) - fetch of the MFT files of a repository While the two things kind of look similar there are some differences. - TA files are loaded via rsync or https URI (only one file needs to be

rpki-client parse and check caRepository Subject Information Access

2021-02-05 Thread Claudio Jeker
RPKI certificates have 3 possible Subject Information Access URI that we may be interested in: - 1.3.6.1.5.5.7.48.5 (caRepository) - 1.3.6.1.5.5.7.48.10 (rpkiManifest) - 1.3.6.1.5.5.7.48.13 (rpkiNotify) rpkiManifest points to the .mft file inside the caRepository. Because of this

rpki-client remove debug code

2021-02-04 Thread Claudio Jeker
This bit of debug code to understand the progress of rpki-client is no longer helpful. Most of the time this is a stuck rsync that causes delays and those are now nicely handled by an internal timeout. I propose to remove this. -- :wq Claudio Index: main.c

rpki-client call a file a file

2021-02-04 Thread Claudio Jeker
The uri field in the entity queue struct is never a URI but always a local path to the file in the repo. Rename the field so I'm less confused. Compiler agrees with my change. -- :wq Claudio ? http.c ? http.diff ? obj Index: extern.h

Re: reference trpt(8) in getsockopt(2)

2021-02-04 Thread Claudio Jeker
On Thu, Feb 04, 2021 at 12:30:17PM +0100, Alexander Bluhm wrote: > Hi, > > I always forget the name of trpt(8). It should be referenced in the > SO_DEBUG section of getsockopt(2). > > ok? Yes please. Also should we export the tcp_debug buffer via sysctl so that trpt can run without

Re: tcpbench -D

2021-02-04 Thread Claudio Jeker
On Thu, Feb 04, 2021 at 11:45:26AM +0100, Alexander Bluhm wrote: > Hi, > > I would like to analyse tcpbench(1) TCP connections. So I copied > the nc -D socket debug option. > > ok? Fine with me. OK claudio@ > Index: usr.bin/tcpbench/tcpbench.1 >

rpki-client, simplify main process

2021-02-04 Thread Claudio Jeker
Instead of passing around variables all the way down to entity_write_req() and repo_lookup() use global variables. Especially for the repository handling this will become more complex with the introduction of RRDP. Also shuffle code around a bit so that all entity queue functions are together.

Re: rpki-client factor out the parser code into own module

2021-02-04 Thread Claudio Jeker
On Wed, Feb 03, 2021 at 10:20:47PM +0100, Theo Buehler wrote: > On Wed, Feb 03, 2021 at 08:08:20PM +0100, Claudio Jeker wrote: > > This is just shuffling code around and adds a few definitions to extern.h. > > The goal is to reduce the amount of code in main.c. I constantly get

rpki-client factor out the parser code into own module

2021-02-03 Thread Claudio Jeker
proc_parser_gbr(entp, store, ctx, , ); - break; - default: - abort(); - } - - ibuf_close(, b); - TAILQ_REMOVE(, entp, entries); - entity_free(entp); - } - - rc = 0; -out: - while (

Re: diff: tcp ack improvement

2021-02-03 Thread Claudio Jeker
On Wed, Feb 03, 2021 at 10:56:38AM +0100, Jan Klemkow wrote: > On Tue, Jan 05, 2021 at 10:30:33AM +0100, Claudio Jeker wrote: > > On Tue, Jan 05, 2021 at 10:16:04AM +0100, Jan Klemkow wrote: > > > On Wed, Dec 23, 2020 at 11:59:13AM +0000, Stuart Henderson wrote: > > >