Age | Commit message | Author |
|
RFC 6487 section 4.8.4 restricts the KeyUsage extension on EE
certificates to only be digitalSignature.
RFC 6487 section 4.8.5 forbids the ExtendedKeyUsage extension from
appearing on CA certificates. However, this may change in the future
through the standardisation process.
OK tb@
|
|
OK tb@
|
|
OK tb@
|
|
both the host/uri and IP address of a connection.
Adjust http_connect() error handling to make sure conn->res is set to the
last address when hitting the error condition after the loop.
OK tb@
|
|
Add support for validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.
OK tb@
|
|
In http_connect_done() the addrinfo array was freed but this makes it
impossible to show the IP address of the connection in log messages.
Also refactor http_finish_connect() to call http_connect_failed() instead
of doing the same inline.
OK tb@
|
|
A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.
ok claudio
|
|
OK claudio@
|
|
Like most x509_* functions, x509_get_time() returns 0/1 on error/success,
not -1/0.
ok claudio job
|
|
eschew building the package if -n is mentioned.
Document that -S -n is heavily optimized for speed since it's mostly used
by dpb -R to figure out what to rebuild.
|
|
The actual bug reverted in 1.128 was from "make print-plist-libs"
which would invoke pkg_create -n -Q and filter out the libs: but
in that case, pkg_create would not be silent, thus yielding
reading plist|-/usr/local/lib/libpython3.9.so.0.0
to filter, which obviously wouldn't work.
So, turn on silent mode for -Q as well.
|
|
be printed with %llu unlike uint64_t.
|
|
User accounting and enforcement was never finished. tedu the thing
until someone wants to pick it up and finish it.
Originally found by Matthew Martin.
ok mlarkin@, kn@. input from tb@.
|
|
found while hacking up a comp3301 prac/assignment
ok millert@ deraadt@
|
|
with the fork messages.
OK tb@
|
|
DPADD bit pointed out by deraadt@
"No kidding" deraadt@
|
|
ok florian
|
|
Reduces the amount of copy-paste and makes things easier on the eye.
ok claudio job
|
|
here rework the text so it reads a little better;
ok deraadt
|
|
If multiple recipients are specified but only one is valid, use the
first entry in the recipient list for the Received: header, not the
value from the last "RCPT TO:" command (which could be invalid).
From Chris Waddey
|
|
OK miod
|
|
freed.
Should fix https://github.com/rpki-client/rpki-client-portable/issues/74
Reported by Ben Castricum
OK tb@
|
|
Having metrics depend on session state makes reporting more complex.
This now reports the number of seconds a session was up or down.
OK tb@
|
|
for peers that never managed to establish a connection.
OK tb@
|
|
Thanks Marco D'Itri for spotting them
OK claudio@
|
|
OK tb@
|
|
OK tb@
|
|
This uses `bgpctl show metric` to produce the payload.
OK tb@
|
|
This adds most of the generic code to output the metrics with labels
and implements some basic metrics. The code works but metrics may still
change.
OK tb@
|
|
Pointed out in the pref64 code, which was copied from here, by kn.
|
|
With this clients can learn the presence and used prefix for Network
Address and Protocol Translation between IPv6 and IPv4 (NAT64).
Apparently there is support in mobile devices as well as in macOS.
This option, together with the dhcp "IPv6-only preferred"
option (108) enables the Customer-side transLATor (CLAT) on macOS so
IPv4 literals can be used in IPv6-only networks.
Input & OK kn
|
|
from josiah frentsos
|
|
which allows the client to bind as the subject of the certificate in cases
where the directory doesn't implicitly do that.
The client certificate is configured with 'certfile' and 'keyfile'
directives, and SASL EXTERNAL bind is configured with the 'bindext'
directive.
ok tb@
|
|
in ASN.1 as follows: "version [0] INTEGER DEFAULT 0,". Each object
profile preamble contains "DEFINITIONS EXPLICIT TAGS ::=".
We didn't bump into any issue yet, because all Signed Objects are at
version 0, which means the field is entirely omitted (including the tag,
be it implicit or explicit). (From X.690 section 11.5: "The encoding of
a set value or a sequence value shall not include an encoding for any
component value which is equal to its default value.")
OK tb@
|
|
ok miod@ martijn@
|
|
ok miod@ claudio@ tb@
|
|
This is only required for the single fchmod(2) ensuring default permissions
which only happens in the -c code path.
OK millert
|
|
ok florian
|
|
Noticed by job@, OK tb@
|