Age | Commit message | Author |
|
It is helpful for network operators, publication point operators, and CA
operators to have more insight into whether the RP noticed an issuance
gap between two versions of a given manifest.
* a high number of gaps all the time might be an indication the RP is not
refreshing often enough
* the CA is trying to issue manifests more than once a second
* the RFC 8181 publication server's ingress API endpoint has issues
* the RFC 8181 publication client has trouble reaching the server
* the CA's private keys (RPKI + BPKI) are used on a second (cloned) system
* the CA's issuance database is broken
Correlation opportunity: detection of a gap means some of the CA's
intermediate states were occluded from the RP; the RP operator might
want to correlate this to traffic shifts in BGP or publication point
reachability issues.
Going forward, emit a warning per manifest, add metrics to the
openmetrics output, and display a summary at the end of the run about
issuance gaps.
OK tb@
|
|
OK tb@
|
|
partition. This will allow us to create boot options for the firmware
boot manager that other OSes won't interfere with.
ok phessler@, tobhe@, kn@
|
|
they're tags where text is likely. strvis on random cookies is hard to read
and compare, and it's easier to convert 0x05dc than \005\334 to 1500 for
PPP-Max-Payload. ok claudio dlg
|
|
|
|
ok mpi@ miod@
|
|
from hshoexer@; input deraadt@
|
|
reversed since no error should be printed if there are no neighbors
configured (yet).
OK tb@
|
|
This feature has been requested many times over the years. Various patches
were provided by Asherah Connor, Rivo Nurges, Markus Läll and maybe others.
These patches always stalled for various reasons.
From Sören Tempel, mostly based on Asherah's latest patch.
ok florian tb
|
|
L3VPN withdraws don't carry a labelstack (see util.c::nlri_get_vpn4()).
OK tb@
|
|
for offline machines if you can pull the snapshot or release there,
but want sysupgrade to locally perform signify validation before performing
the /home/_sysupgrade and other boot-upgrade steps.
ok florian
|
|
mismatched bound" warning.
OK tb@
|
|
are used to store file descriptors.
OK tb@
|
|
|
|
OK florian@ dv@
|
|
OK dlg@
|
|
moved to ELF.
Move the a.out specific defines and macros, but the MID_xxx values, from
<sys/exec.h> to <a.out.h>, and update the few userland binaries which really
need these defines (i.e. boot-related tools for old architectures) to
explicitly include <a.out.h> when needed.
"Fine" deraadt@
|
|
EVP_PKEY_get0_* were made const correct in OpenSSL 3 and now cause the
build of rpki-client to emit warnings. Of course no one is able to see
these warnings because they are hidden in all the deprecation vomit.
Makes rpki-client build cleanly against OpenSSL 3 when configured with
--with-openssl-cflags=-DOPENSSL_SUPPRESS_DEPRECATED.
ok claudio deraadt job
|
|
|
|
When downloading or installing, not just deleting.
Noticed by Paul de Weerd
Help with manual wording from jmc@
Just fix -a, deraadt@
|
|
now extract the fw key also, so that pre-upgrade fw_update can fetch
the most up-to-date firmware.
ok sthen
|
|
This was hidden behind -v but it seems useful to always have this when
creating a new account.
As sthen points out in his previous commit:
This is useful if you want to set a CAA DNS record restricting
issuance to a specific user account.
OK deraadt
|
|
Single out the auth_config yacc rules. This requires an extra
merge_auth_conf() function to handle manual IPsec setups, but even
with that this seems like a net gain.
There is no rtr cache that does tcp md5 on OpenBSD so those bits remain
untested for now.
OK tb@
|
|
|
|
This is needed to support tcp md5sum and ipsec auth for rtr.
OK tb@
|
|
|
|
header sent by the server in response to the newAccount API call (used for
every cert request). This is useful if you want to set a CAA DNS record
restricting issuance to a specific user account, rather than just "all of
$whichever_acme_CA". ok florian
|
|
|
|
|
|
DNS compression. OK florian
From unbound 1.21.1 (rest will be merged shortly).
|
|
|
|
|
|
forward to the same key, or the key+.1. But sometimes you want to
update an older machine far forward (either with -s, or with -R), and
the required key might not exist on-disk. Since getting the key isn't
automated, people make some poor decisions to get the key. Prior
to 7.6 the situation was worse (and obviously older releases will have
the old sysupgrade script, though you can copy this one to those machines
and it will work, but please do that securely).
Moving forward this improves the workflow: a new set of keybundles
(signed by older keys) has been made available so that sysupgrade
can securely and automatically download the required key.
ok job tb beck sthen
|
|
The language in RFC 5280, section 4.1.2.5 includes the end points of the
validity interval.
Reported by Tom Harrison
ok claudio job
|
|
An ASN1_INTEGER doesn't contain the ASN.1 encoding in its data. It contains
a BIGNUM. In particular, there's no padding octet for integers with the top
bit of the top octet set. Do the check the dumb way and check all the parts
individually: non-negative, not larger than 20 octets and bit 159 not set.
Reported by Tom Harrison
ok claudio job
|
|
SIOCAIFADDR_IN6 to configure an IPv6 address does everything SIOCIFAFATTACH
does, i.e. it enables IPv6 on the interface if not done so already.
vm.conf(5) 'local inet6' works as before.
OK mlarkin
|
|
found with afl, feedback and ok millert@
|
|
vmm(4) doesn't need this information anymore. vmd(8) is the only
consumer of this information.
ok mlarkin@
|
|
Remove the extra checks in the caller and simplify some code because of that.
OK tb@
|
|
we inherited from the initial implementation on FreeBSD which has
made no sense in years.
prompted by a diff by Johannes Thyssen Tishman
from espie
|
|
In order to support privsep in tags, we need to be able to pass some
code values in child/parent.
from espie, tested by sthen, ok giovanni
|
|
|
|
initialized in the SE so bgpctl always saw 0; auth_conf.method,
on the other hand, is properly shared.
OK tb@
|
|
since that one is kept.
OK tb@
|
|
OK tb@
|
|
OK tb@
|
|
Instead use struct auth_config and struct auth_state in the pfkey calls
and those tcp_md5 calls where it matters.
This is preparation work to allow RTR to use TCP MD5 as well.
OK tb@
|
|
Mainly handle unknown ext-communities better and handle the special
case of type == -1.
OK tb@
|
|
before calling connect(). This way it happens for sure and, on top of that,
the TOS is already set on the initial SYN.
OK tb@
|
|
OK input lucas
|