#
1.16 |
|
27-Dec-2023 |
tb |
Rework the warnings on internet resources
Unify the printing of warnings about AS numbers and IP address blocks to use a call to as_warn() and ip_warn(). Fix a bug in the latter where the upper bound of an IP range didn't take the RFC 3779 encoding into account and passed the address directly to inet_pton() rather than filling the missing bits with 1. Switch the argument order to match the warnings and tweak some warning messages.
ok claudio job
|
#
1.15 |
|
18-Oct-2023 |
tb |
rpki-client: move inherit in {ip,as}_warn()
While alphabetic order makes sense, having inherit between individual AS and IP entries and ranges makes little sense. Use the order that we have elsewhere.
ok claudio job
|
#
1.14 |
|
18-Oct-2023 |
tb |
rpki-client: rework as_check_overlap()
Avoid early returns and use a single copy of the warning by reworking the control flow through two nested switches.
ok claudio job
|
#
1.13 |
|
13-Oct-2023 |
job |
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing authority to a limited set of Internet Number Resources allows Relying Parties to enjoy the potential benefits of assuming trust, within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so it wouldn't make any sense to see a ROA subordinate to ARIN's trust anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense to observe a ROA covering ARIN-managed IPv6 space under APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust arc (a cryptographically valid certificate path) existed. Along these same lines, AFRINIC doesn't support inter-RIR transfers of any kind, and none of the RIRs have authority over private resources like 10.0.0.0/8 and 2001:db8::/32.
For more background see: https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/ https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.12 |
|
23-May-2023 |
tb |
Simplify as_id_parse() using ASN1_INTEGER_get_uint64()
Instead of decoding an ASN1_INTEGER by hand because ASN1_INTEGER_get() is broken by design and would report an error on LP32 architectures for the reserved ASid UINT32_MAX, we can simplify this ugliness and use the ASN1_INTEGER_get_uint64() API, available since LibreSSL 3.6.
ok claudio
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.11 |
|
30-Nov-2022 |
job |
Remove unused sys/socket.h include
OK claudio@
|
#
1.10 |
|
29-Nov-2022 |
job |
Only include stdarg.h, if we call any of va_{start,end}()
OK tb@
|
#
1.9 |
|
29-Nov-2022 |
job |
Only include assert.h if we call assert()
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.8 |
|
15-May-2022 |
tb |
More KNF and whitespace fixes.
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.7 |
|
26-Dec-2021 |
tb |
fix spelling of inheritance
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.6 |
|
12-Sep-2020 |
claudio |
Include openssl/x509.h in extern.h since it uses a few of the typedefs from there in structs and prototypes. Remove the openssl/ssl.h and other strange openssl includes in the .c files that don't use openssl specific functions. OK beck@ and tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.5 |
|
27-Nov-2019 |
deraadt |
swap some comparisons
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.4 |
|
19-Jun-2019 |
deraadt |
use $OpenBSD$ headers
|
#
1.3 |
|
19-Jun-2019 |
deraadt |
indentation adjustments, in particular near warn statements ok claudio
|
#
1.2 |
|
17-Jun-2019 |
deraadt |
Don't do -portable in base. It is better done outside the tree. Imagine if we did it throughout the tree, how many copies of strlcpy would we have, and how much time would all the configure shell scripts and includes take? It would be ludicrous.
|
#
1.1 |
|
17-Jun-2019 |
job |
branches: 1.1.1; Initial revision
|