From: Claudio Jeker Subject: Re: rpki-client: updates for roas (RFC 9582) To: Theo Buehler Cc: tech@openbsd.org Date: Sun, 24 Aug 2025 14:13:09 +0200 On Sun, Aug 24, 2025 at 02:06:12PM +0200, Theo Buehler wrote: > > Typo here. This should be RFC 9582 not 6582 (The NewReno Modification to > > TCP's Fast Recovery Algorithm). > > Thanks. Fixed before commit. > > Here's the analogous diff for manifests. Unlike for ROAs, the relevant > section numbers still match in the new RFC. Go for it.
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.259 extern.h
> --- extern.h 24 Aug 2025 11:52:20 -0000 1.259
> +++ extern.h 24 Aug 2025 11:59:21 -0000
> @@ -221,7 +221,7 @@ struct mftfile {
> };
>
> /*
> - * A manifest, RFC 6486.
> + * A manifest, RFC 9286.
> * This consists of a bunch of files found in the same directory as the
> * manifest file.
> */
> Index: main.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
> diff -u -p -r1.294 main.c
> --- main.c 23 Aug 2025 09:13:14 -0000 1.294
> +++ main.c 24 Aug 2025 11:59:21 -0000
> @@ -408,7 +408,7 @@ rrdp_http_done(unsigned int id, enum htt
> }
>
> /*
> - * Add a file (CER, ROA, CRL) from an MFT file, RFC 6486.
> + * Add a file (CER, ROA, CRL, ...) from a manifest fileList, RFC 9286.
> * These are always relative to the directory in which "mft" sits.
> */
> static void
> Index: mft.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
> diff -u -p -r1.129 mft.c
> --- mft.c 23 Aug 2025 09:13:14 -0000 1.129
> +++ mft.c 24 Aug 2025 11:59:21 -0000
> @@ -39,13 +39,8 @@
> * Manifest eContent definition in RFC 9286, section 4.2.
> */
>
> -ASN1_ITEM_EXP FileAndHash_it;
> ASN1_ITEM_EXP Manifest_it;
> -
> -ASN1_SEQUENCE(FileAndHash) = {
> - ASN1_SIMPLE(FileAndHash, file, ASN1_IA5STRING),
> - ASN1_SIMPLE(FileAndHash, hash, ASN1_BIT_STRING),
> -} ASN1_SEQUENCE_END(FileAndHash);
> +ASN1_ITEM_EXP FileAndHash_it;
>
> ASN1_SEQUENCE(Manifest) = {
> ASN1_EXP_OPT(Manifest, version, ASN1_INTEGER, 0),
> @@ -58,6 +53,10 @@ ASN1_SEQUENCE(Manifest) = {
>
> IMPLEMENT_ASN1_FUNCTIONS(Manifest);
>
> +ASN1_SEQUENCE(FileAndHash) = {
> + ASN1_SIMPLE(FileAndHash, file, ASN1_IA5STRING),
> + ASN1_SIMPLE(FileAndHash, hash, ASN1_BIT_STRING),
> +} ASN1_SEQUENCE_END(FileAndHash);
>
> #define GENTIME_LENGTH 15
>
> @@ -146,7 +145,7 @@ rtype_from_mftfile(const char *fn)
> }
>
> /*
> - * Parse an individual "FileAndHash", RFC 6486, sec. 4.2.
> + * Parse an individual "FileAndHash", RFC 9286, sec. 4.2.
> * Return zero on failure, non-zero on success.
> */
> static int
> @@ -160,7 +159,7 @@ mft_parse_filehash(const char *fn, struc
> size_t new_idx = 0;
>
> if (!valid_mft_filename(fh->file->data, fh->file->length)) {
> - warnx("%s: RFC 6486 section 4.2.2: bad filename", fn);
> + warnx("%s: RFC 9286 section 4.2.2: bad filename", fn);
> goto out;
> }
> file = strndup(fh->file->data, fh->file->length);
> @@ -168,7 +167,7 @@ mft_parse_filehash(const char *fn, struc
> err(1, NULL);
>
> if (fh->hash->length != SHA256_DIGEST_LENGTH) {
> - warnx("%s: RFC 6486 section 4.2.1: hash: "
> + warnx("%s: RFC 9286 section 4.2.1: hash: "
> "invalid SHA256 length, have %d", fn, fh->hash->length);
> goto out;
> }
> @@ -280,7 +279,7 @@ mft_has_unique_names_and_hashes(const ch
> }
>
> /*
> - * Handle the eContent of the manifest object, RFC 6486 sec. 4.2.
> + * Handle the eContent of the manifest object, RFC 9286 sec. 4.2.
> * Returns 0 on failure and 1 on success.
> */
> static int
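Review bot: The forward declaration `ASN1_ITEM_EXP FileAndHash_it;` that stays beside `Manifest_it` in the `@@ -39,13 +39,8 @@` hunk is now far from its `ASN1_SEQUENCE(FileAndHash)` definition, which the `@@ -58,6 +53,10 @@` hunk moves below `IMPLEMENT_ASN1_FUNCTIONS(Manifest)`, and neither hunk says why. Presumably the declaration is still required because Manifest's fileList member, which lies between the two hunks, refers to FileAndHash_it before the new definition site, and the reorder is meant to follow the RFC 9286 section 4.2 ASN.1 module order (Manifest, then FileAndHash). A short comment at the moved definition, e.g. `/* Defined after Manifest to follow RFC 9286 sec. 4.2; the forward declaration of FileAndHash_it above serves fileList. */`, would spare the next reader the same guess. Note the first hunk opens inside a comment block whose start is outside the hunk.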
> @@ -294,7 +293,7 @@ mft_parse_econtent(const char *fn, struc
>
> oder = d;
> if ((mft_asn1 = d2i_Manifest(NULL, &d, dsz)) == NULL) {
> - warnx("%s: RFC 6486 section 4: failed to parse Manifest", fn);
> + warnx("%s: RFC 9286 section 4: failed to parse Manifest", fn);
> goto out;
> }
> if (d != oder + dsz) {
> @@ -339,7 +338,7 @@ mft_parse_econtent(const char *fn, struc
> }
>
> if (OBJ_obj2nid(mft_asn1->fileHashAlg) != NID_sha256) {
> - warnx("%s: RFC 6486 section 4.2.1: fileHashAlg: "
> + warnx("%s: RFC 9286 section 4.2.1: fileHashAlg: "
> "want SHA256 object, have %s", fn,
> nid2str(OBJ_obj2nid(mft_asn1->fileHashAlg)));
> goto out;
> @@ -384,7 +383,7 @@ mft_parse_econtent(const char *fn, struc
>
> /*
> * Parse the objects that have been published in the manifest.
> - * Return mft if it conforms to RFC 6486, otherwise NULL.
> + * Return mft if it conforms to RFC 9286, otherwise NULL.
> */
> struct mft *
> mft_parse(struct cert **out_cert, const char *fn, int talid,
-- :wq Claudio