florian [Thu, 6 Jun 2024 06:26:14 +0000 (06:26 +0000)]
Accept more compact forms of prefix delegation requests.
For example, these are now valid, too:
request prefix delegation on vio1 for vether4/64
request prefix delegation on vio1 for { vether5 vether6/64 }
Reminded by Tim Kuijsten
tb [Thu, 6 Jun 2024 05:57:36 +0000 (05:57 +0000)]
ip_resources_print(): zap extra blank line
tb [Thu, 6 Jun 2024 03:29:52 +0000 (03:29 +0000)]
rpki-client: simplify ta_parse()
Since this is always called after cert_parse_pre(), notBefore and notAfter
are available in struct cert, so we can use time_t comparison.
ok claudio
bluhm [Thu, 6 Jun 2024 00:36:46 +0000 (00:36 +0000)]
Clear DF flag after kcopy faulted.
A memory corruption in the kernel happend that was caused by memset
in the wrong direction. After that DF bit was set in ddb rflags.
Only kcopy and memmove use std to set DF bit. kcopy has the special
property that it can fault. In this case DF is set in the trap
frame. kpageflttrap() changes the return address to copy_fault via
pcb_onfault. When alltraps_kern returns, it restores the rflags
with DF set and jumps into copy_fault. From there a function return
goes back into regular kernel execution. Now DF is set, but kernel
memset and memcpy expect that it is cleared.
After copy fault, also reset the DF bit with cld in copy_fault.
The crash happend on OpenBSD 7.4 amd64. As i386 code looks similar,
also insert cld there.
OK guenther@ miod@
deraadt [Wed, 5 Jun 2024 20:19:26 +0000 (20:19 +0000)]
disable -fret-clean in the kernel until the returns_twice situation is handled
tb [Wed, 5 Jun 2024 19:43:06 +0000 (19:43 +0000)]
Revert __bounded__ hack in chacha-merged.c
Thanks to Viktor Szakats for figuring out that stdint.h was missing
in the portable tarballs.
miod [Wed, 5 Jun 2024 19:22:04 +0000 (19:22 +0000)]
Pass cpu_fork() function to the new process through caller-saved registers
in the pcb rather than on the stack. This makes the code simpler and faster
and gets rid of one short timeframe where the stack pointer is only aligned
to an 8 byte boundary instead of a 16 byte boundary.
florian [Wed, 5 Jun 2024 16:15:47 +0000 (16:15 +0000)]
Implement lease files.
florian [Wed, 5 Jun 2024 16:14:12 +0000 (16:14 +0000)]
Use a loop to add request options.
This makes it easier to extend in the future.
florian [Wed, 5 Jun 2024 16:12:09 +0000 (16:12 +0000)]
unused function
florian [Wed, 5 Jun 2024 16:11:26 +0000 (16:11 +0000)]
implement removing of addresses from interfaces
tb [Wed, 5 Jun 2024 13:36:28 +0000 (13:36 +0000)]
Only complain about empty list of revoked certs if verbosity > 1
Given that 15% of CRLs is affected, this is a noisy warning. Krill is
dormant and it will take forever until a fixed version iss deployed.
Until then I'd like to avoid being annoyed wiht this stupid noise.
ok claudio
krw [Wed, 5 Jun 2024 11:04:17 +0000 (11:04 +0000)]
No need to call d_open/d_close for every hibernate resume i/o.
Speeds up resuming from hibernate.
Testing florian@ stsp@
ok mlarkin@ stsp@
florian [Wed, 5 Jun 2024 10:48:56 +0000 (10:48 +0000)]
Do not try to configure an interface with prefix length 0.
florian [Wed, 5 Jun 2024 10:25:07 +0000 (10:25 +0000)]
Do not request a prefix with length zero.
If we got a prefix delegation for some IA but not others use the
prefix lenght from the configuration for the ones we did not get a
prefix delegation.
stsp [Wed, 5 Jun 2024 10:19:55 +0000 (10:19 +0000)]
add support for VLAN tag offloading to dwqe(4)
Tested:
RK3568: kettenis@, jmatthew@; RK3568 can do Rx VLAN tag stripping only
Intel Elkhart Lake: stsp@; EHL additionally supports VLAN tagging on Tx
tweaks + ok jmatthew@
mglocker [Wed, 5 Jun 2024 04:58:05 +0000 (04:58 +0000)]
Now that our hibernation sub-system supports 4096 byte sectors, add
hibernation support for ufshci(4).
Input from kettenis@, krw@, deraadt@, mlarkin@.
ok mlarkin@, deraadt@
tb [Wed, 5 Jun 2024 04:50:36 +0000 (04:50 +0000)]
make test struct const
krw [Tue, 4 Jun 2024 21:48:20 +0000 (21:48 +0000)]
Bump versions of boot media now capable of un-hibernating from non-DEV_BSIZE
sectored media.
Bump to common version (3.67) to indicate new MI capability.
Reminded by deraadt@
krw [Tue, 4 Jun 2024 20:31:35 +0000 (20:31 +0000)]
Enable hibernate/resume to nvme(4) disks with 4096 byte sectors.
testing by florian@ mglocker@ mlarkin@
ok deraadt@ mglocker@ mlarkin@
landry [Tue, 4 Jun 2024 18:13:23 +0000 (18:13 +0000)]
services: add matrix-fed tcp port 8448
registered at IANA since last august for Matrix Federation Protocol
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=8448
ok djm@ solene@
gkoehler [Tue, 4 Jun 2024 17:31:59 +0000 (17:31 +0000)]
Allow sbld allocation to fail when PMAP_CANFAIL.
pool_get in powerpc64's pmap might fail when uvm_km_pages.free == 0.
This might cause KASSERT(slbd) to panic 'kernel diagnostic assertion
"sbld" failed'. Remove this KASSERT and add a check for PMAP_CANFAIL.
pmap_enter calls without PMAP_CANFAIL might still panic.
ok mpi@ jca@
florian [Tue, 4 Jun 2024 15:48:47 +0000 (15:48 +0000)]
IAIDs can start at 0.
I was under the impression that an IAID of 0 is special, but that's
not true. Letting IAID start at zero makes array indexing easier and
avoids an out of bounds access pointed out by dhill.
While here, do not trust IAID received via imsg but do our own
accounting.
deraadt [Tue, 4 Jun 2024 15:14:44 +0000 (15:14 +0000)]
enable -fret-clean on amd64, for libc libcrypto ld.so kernel, and all the
ssh tools. The dynamic objects are entirely ret-clean, static binaries
will contain a blend of cleaning and non-cleaning callers.
millert [Tue, 4 Jun 2024 14:40:46 +0000 (14:40 +0000)]
Avoid unnecessary string traversals in u8_isutf() and substr().
For u8_isutf() the conditionals already ensure that a NUL byte won't
match. For substr() we can use the byte offset of 'm' to avoid
re-scanning the initial part of the string. From Jonas Bechtel.
tb [Tue, 4 Jun 2024 14:17:24 +0000 (14:17 +0000)]
rpki-client: rework AIA, SIA, and CRL handling
Assert that the out parameter is NULL rather than blindly NULL-ing it,
and follow the approach in sbgp_sia() more closely: use a local variable
and warn on any ignored accessMethod/distributionPoint in verbose mode.
AIA is slightly different because there's only a single accessMethod.
Drop the now useless (and previously wrong) warning on *out != NULL in
x509_location(). Instead, assert that the out parameter is NULL. This
way things are a bit less clever, but more explicit, more correct, more
robust, and the code grew only very slightly.
ok claudio
tb [Tue, 4 Jun 2024 14:10:53 +0000 (14:10 +0000)]
rpki-client: reject certs with unexpected SIA accessMethods
RFC 6487, section 4.8.8.1 only lists caRepository and rpkiManifest, and
RFC 8182 added rpkiNotify for RRDP. All other access methods (which would
be children of id-ad), are not allowed and do not really make sense here.
ok claudio
tb [Tue, 4 Jun 2024 14:07:10 +0000 (14:07 +0000)]
rpki-client: only allow a single rpkiNotify SIA accessMethod
RFC 8182, section 3.2 is not super explicit about it, but there should
only be one rpkiNotify accessMethod, and it should contain a location
with a URI of type https. Check this and reject certs that contain more
than one.
ok claudio
jan [Tue, 4 Jun 2024 09:51:52 +0000 (09:51 +0000)]
vio(4): remove useless casts and fix spacing
ok sf@
claudio [Tue, 4 Jun 2024 08:26:11 +0000 (08:26 +0000)]
In dequeue_randomness() use an atomic instruction to increase the
rnd_event_cons. This way even concurrent calls to dequeue_randomness()
will use some different events.
OK deraadt@ djm@
op [Tue, 4 Jun 2024 06:51:15 +0000 (06:51 +0000)]
now that we have dired-up-directory, use it in dired-jump too
it's handy to be able to do C-x C-j (dired-jump) repeatedly to
navigate upwards starting from a buffer, and follows GNU Emacs
behaviour too.
op [Tue, 4 Jun 2024 06:48:34 +0000 (06:48 +0000)]
add dired-up-directory bound to ^ to go up on directory in dired buffers
diff from Dante Catalfamo (date [at] lambda [dot] cx) with some minor
style nits and the manpage bits from me.
ok florian@
tb [Tue, 4 Jun 2024 04:17:18 +0000 (04:17 +0000)]
rpki-client: remove proto argument from x509_location()
After recent changes, the rpkiNotify access description became the last
user of it, so this is now a pointless complication.
ok claudio
dv [Mon, 3 Jun 2024 20:53:00 +0000 (20:53 +0000)]
Lock and unlock EPT pmaps before page table entry modification.
ok mlarkin@
matthieu [Mon, 3 Jun 2024 20:08:12 +0000 (20:08 +0000)]
add .mjs -> text/javascript. ok florian@
florian [Mon, 3 Jun 2024 18:10:04 +0000 (18:10 +0000)]
gc v4 struct
deraadt [Mon, 3 Jun 2024 17:58:33 +0000 (17:58 +0000)]
more sleepy florian knf issues
florian [Mon, 3 Jun 2024 15:55:52 +0000 (15:55 +0000)]
OpenBSD intentionally does not print a flavor for -r.
confirmed by & OK deraadt
deraadt [Mon, 3 Jun 2024 15:53:26 +0000 (15:53 +0000)]
more whitespace and knf
florian [Mon, 3 Jun 2024 15:52:17 +0000 (15:52 +0000)]
knf; pointed out by deraadt
jsg [Mon, 3 Jun 2024 14:59:22 +0000 (14:59 +0000)]
correcly -> correctly
op [Mon, 3 Jun 2024 14:46:03 +0000 (14:46 +0000)]
httpd: render "emojis" as text in directory listing
The "up and down" character used in the directory listing is
technically an emoji and can, depending on the browser configuration,
be rendered in colors and whatnot. set `font-variant-emoji' to ask
the browser to render it as text. This property, as of now, needs
to be enabled manually in some browsers, but since it's part of the
"CSS Fonts Module Level 4" spec, support for it is expected to be
implemented and turned on "soon" in major browsers.
While here, remove the italic for directories.
Diff from Paul W. Rankin (hello (at) paulwrankin dot com)
ok claudio@
claudio [Mon, 3 Jun 2024 14:34:19 +0000 (14:34 +0000)]
Remove lock_class_sched_lock from lock_classes since the corresponding
entry in enum lock_class_index was removed in sys/_lock.h
You get fireworks if the lock_classes array and enum lock_class_index
get out of sync.
deraadt [Mon, 3 Jun 2024 14:11:31 +0000 (14:11 +0000)]
sort
tb [Mon, 3 Jun 2024 12:58:39 +0000 (12:58 +0000)]
Rework SIA handling to be less incorrect
Currently we would only accept rsync URIs in caRepository and rpkiManifest.
This is wrong. The specification requires at least one rsync URI to be
resent, but allows for other URI types, ordered by descending CA preference.
With this diff we will still only respect the first rsync address, but we
will no longer reject certificates listing other URIs. Make the warning
conditional on verbose mode.
Also make it clearer that sbgp_sia() (which is poorly named) is for CA
certs while x509_get_sia() is for EE certs.
input/ok claudio
claudio [Mon, 3 Jun 2024 12:48:25 +0000 (12:48 +0000)]
Remove the now unsued s argument to SCHED_LOCK and SCHED_UNLOCK.
The SPL level is not tacked by the mutex and we no longer need to track
this in the callers.
OK miod@ mlarkin@ tb@ jca@
claudio [Mon, 3 Jun 2024 12:46:59 +0000 (12:46 +0000)]
There is no more LO_CLASS_SCHED_LOCK lock class.
OK miod@ mlarkin@ tb@ jca@
mglocker [Mon, 3 Jun 2024 12:01:57 +0000 (12:01 +0000)]
Remove superfluous pmap_extract() call in the hibernation path.
ok jsg@
florian [Mon, 3 Jun 2024 11:08:31 +0000 (11:08 +0000)]
implement rapid commit
florian [Mon, 3 Jun 2024 10:08:05 +0000 (10:08 +0000)]
sync
florian [Mon, 3 Jun 2024 10:07:27 +0000 (10:07 +0000)]
Track changes to dhcp6leased.conf
looks correct to deraadt
florian [Mon, 3 Jun 2024 10:06:35 +0000 (10:06 +0000)]
etc bits for dhcp6leased
looks correct to deraadt
florian [Mon, 3 Jun 2024 10:05:18 +0000 (10:05 +0000)]
hook dhcp6leased to the build
OK deraadt
otto [Mon, 3 Jun 2024 09:43:10 +0000 (09:43 +0000)]
Fix input handling wrt redrawing. The new version of curses does
not like shortcutting switching windows, especially if you're also
using libc for i/o. Reported by Don Wilburn; ok jsg@
anton [Mon, 3 Jun 2024 08:02:22 +0000 (08:02 +0000)]
Pledge violation messages are no longer accessible through dmesg since
the switch to uprintf. Attach a pseudo terminal in pledge regress in order to
observe the syscall number that caused the pledge violation, shrug.
anton [Mon, 3 Jun 2024 06:14:32 +0000 (06:14 +0000)]
Passing a NULL digest to SHA routines from libcrypto is no longer
supported.
ok tb@
deraadt [Mon, 3 Jun 2024 03:41:47 +0000 (03:41 +0000)]
avoid shadowing a local variable in a lower scope
millert [Mon, 3 Jun 2024 00:58:04 +0000 (00:58 +0000)]
Spelling fixes and removal of unneeded prototypes and extern.
From jsg@ via upstream.
millert [Mon, 3 Jun 2024 00:55:05 +0000 (00:55 +0000)]
Build with WARNINGS=Yes and fix resulting warnings.
jsg [Sun, 2 Jun 2024 23:26:39 +0000 (23:26 +0000)]
remove prototypes with no matching function
leave prototypes with functions in OpenSMTPD-extras
ok op@
jsg [Sun, 2 Jun 2024 22:41:42 +0000 (22:41 +0000)]
sencond -> second; ok florian@
deraadt [Sun, 2 Jun 2024 18:47:17 +0000 (18:47 +0000)]
ugh, another typo; spotted by naddy
deraadt [Sun, 2 Jun 2024 18:01:37 +0000 (18:01 +0000)]
oops typo
florian [Sun, 2 Jun 2024 17:44:06 +0000 (17:44 +0000)]
prev_plen is only accessed on the 2nd round through the loop.
Static analysers don't understand this. So give it a value
to shut them up.
Reported by jsg
florian [Sun, 2 Jun 2024 17:38:44 +0000 (17:38 +0000)]
Fix indent; pointed out by miod
florian [Sun, 2 Jun 2024 17:33:48 +0000 (17:33 +0000)]
Make sure we find a link-local address and rdomain
pointed out by jsg & miod
florian [Sun, 2 Jun 2024 17:26:54 +0000 (17:26 +0000)]
gc unused variable
pointed out by jsg
deraadt [Sun, 2 Jun 2024 16:00:07 +0000 (16:00 +0000)]
Grow amd64 install*.{iso,img} because -fret-clean *.tgz sets are a tiny
bit bigger.
deraadt [Sun, 2 Jun 2024 15:55:36 +0000 (15:55 +0000)]
Due to growth, crunchgen must also try to block -fret-clean, so also use
COPTS+=-fno-ret-clean
deraadt [Sun, 2 Jun 2024 15:54:03 +0000 (15:54 +0000)]
Due to growth we can't allow -fret-clean behaviour in distrib/special,
so use COPTS+=-fno-ret-clean
florian [Sun, 2 Jun 2024 15:43:24 +0000 (15:43 +0000)]
oops, we need to hold on to ifap for a bit longer
deraadt [Sun, 2 Jun 2024 15:42:19 +0000 (15:42 +0000)]
add -fret-clean option (amd64 and i386 only at first), defaulting to off.
This causes the caller to cleans the return address off the stack after
a callq completes. The option is best used in low-level libraries (such as
libc), because libc contains low-level system call stubs. The option
reduces hints (found on the stale parts of the stack) about libc.so's mapping
location, and together with random-relinking, relro got/pic, and xonly
makes some exploit methods more difficult.
ok mortimer, mlarkin, much discussion with kettenis, in snaps for 2 weeks.
deraadt [Sun, 2 Jun 2024 15:40:38 +0000 (15:40 +0000)]
add -fret-clean option (amd64 and i386 only at first), defaulting to off.
This causes the caller to cleans the return address off the stack after
a callq completes. The option is best used in low-level libraries (such as
libc), because libc contains low-level system call stubs. The option
reduces hints (found on the stale parts of the stack) about libc.so's mapping
location, and together with random-relinking, relro got/pic, and xonly
makes some exploit methods more difficult.
ok mortimer, mlarkin, much discussion with kettenis, in snaps for 2 weeks.
deraadt [Sun, 2 Jun 2024 15:31:56 +0000 (15:31 +0000)]
pledge, MAP_STACK, and pinsyscall failures have been providing failure
visibility with kernel printf(9) (thus, onto console and into dmesg) since
the start of development. I want to reduce the dmesg spam, and bring
this more into the attention of the user who ran the command, so let's
try using uprintf(9) which puts it onto the active foreground tty (yes,
there maybe cases where there is no tty, but that's ok. I'll admit
I've considered deleting the logging messages entirely)
tested in snaps for a week
florian [Sun, 2 Jun 2024 15:19:05 +0000 (15:19 +0000)]
fix leaks
florian [Sun, 2 Jun 2024 14:07:19 +0000 (14:07 +0000)]
Unlike DHCPv4 we will only send multicast messages.
Initialize destination address once and fold udp_send_packet()
into send_packet().
While here improve debugging output a bit.
florian [Sun, 2 Jun 2024 13:55:37 +0000 (13:55 +0000)]
we do not poke around in udp headers
florian [Sun, 2 Jun 2024 13:35:52 +0000 (13:35 +0000)]
DHCPv6 is not concerned with link layer addresses.
pointed out by martijn
florian [Sun, 2 Jun 2024 12:41:46 +0000 (12:41 +0000)]
Implement renew & rebind.
Missed in previous.
florian [Sun, 2 Jun 2024 12:39:26 +0000 (12:39 +0000)]
Switch to rebinding at the rebinding time not when one timeout past.
Spotted while hacking on dhcp6leased(8)
florian [Sun, 2 Jun 2024 12:33:56 +0000 (12:33 +0000)]
sync
florian [Sun, 2 Jun 2024 12:32:33 +0000 (12:32 +0000)]
user, group & /var/db/dhcp6leased for dhcpleased(8)
typo spotted by ccappuc
Input & OK deraadt
florian [Sun, 2 Jun 2024 12:28:05 +0000 (12:28 +0000)]
Import dhcp6leased(8)
dhcp6leased is a daemon to manage IPv6 prefix delegations. It requests
a prefix from an upstream DHCPv6 server and configures downstream
network interfaces. rad(8) can be used to advertise available prefixes
to clients.
It's a transmogrified dhcpleased(8), so it's a bit rough around the
edges. But it can already request and renew prefixes and configure
interfaces. It's time to hack on it in-tree.
OK deraadt
kettenis [Sun, 2 Jun 2024 11:08:41 +0000 (11:08 +0000)]
Power down PCI devices in S0 as well. Needed for suspend-to-idle.
ok mglocker@
tb [Sat, 1 Jun 2024 18:42:49 +0000 (18:42 +0000)]
md4/ripemd: remove misplaced semicolons
tb [Sat, 1 Jun 2024 17:56:44 +0000 (17:56 +0000)]
Neuter the bounded attribute as was done elsewhere for portable
tb [Sat, 1 Jun 2024 12:35:23 +0000 (12:35 +0000)]
Remove mention of SHA-0, update STANDARDS section
ratchov [Sat, 1 Jun 2024 09:44:10 +0000 (09:44 +0000)]
sndiod: Don't add/remove server.device entries in dev_{open,close}()
Fixes server.device entries disappearing when usb devices are unplugged
while in use. Found, analysed and tested by Laurie Tratt, thanks!
tb [Sat, 1 Jun 2024 08:11:44 +0000 (08:11 +0000)]
Missed SHA224() in previous: reverse order of attributes
tb [Sat, 1 Jun 2024 07:44:11 +0000 (07:44 +0000)]
Reverse order of attributes
requested by jsing on review
tb [Sat, 1 Jun 2024 07:36:16 +0000 (07:36 +0000)]
Remove support for static buffers in HMAC/digests
HMAC() and the one-step digests used to support passing a NULL buffer and
would return the digest in a static buffer. This design is firmly from the
nineties, not thread safe and it saves callers a single line. The few ports
that used to rely this were fixed with patches sent to non-hostile (and
non-dead) upstreams. It's early enough in the release cycle that remaining
uses hidden from the compiler should be caught, at least the ones that
matter.
There won't be that many since BoringSSL removed this feature in 2017.
https://boringssl-review.googlesource.com/14528
Add non-null attributes to the headers and add a few missing bounded
attributes.
ok beck jsing
djm [Sat, 1 Jun 2024 07:03:37 +0000 (07:03 +0000)]
be really strict with fds reserved for communication with the separate
sshd-session process - reserve them early and fatal if we can't dup2(2)
them later. The pre-split fallback to re-reading the configuration
files is not possible, so sshd-session absolutely requires the fd the
configuration is passed over to be in order.
ok deraadt@
aoyama [Sat, 1 Jun 2024 00:48:16 +0000 (00:48 +0000)]
Move common definitions into the header file.
No binary change.
florian [Fri, 31 May 2024 16:19:53 +0000 (16:19 +0000)]
Preferred and valid lifetime options are sometimes ignored.
When a prefix is discovered on a network interface and and the IP
address has a valid or preferred lifetime configured that value is
used instead of the static value from the configuration.
Limitation pointed out by & man page text proposed by Ryan Vogt.
Slightly tweaked by me.
rad(8) should calculate the minimum of the static value from the
config file and what is configured on the interface. Implementing that
is slightly complicated and is left for a future diff.
florian [Fri, 31 May 2024 16:10:42 +0000 (16:10 +0000)]
Prefixes delegated via DHCPv6 have a lifetime, honour it.
The "auto prefix" feature derives the prefix to announce from a
configured IPv6 address. If that address has a vltime / pltime use
that value in router advertisements instead of statically configured
values.
We also need to count down the vltime / pltime as time progresses.
testing Ryan Vogt
testing & OK bket@, jmatthew@
florian [Fri, 31 May 2024 16:10:02 +0000 (16:10 +0000)]
getifaddrs(3) does a non trivial amount of work.
Call it once and pass a pointer to the head of the list around when
reconfiguring interfaces.
testing Ryan Vogt
ok benno
testing & OK bket@, jmatthew@
tb [Fri, 31 May 2024 11:27:34 +0000 (11:27 +0000)]
Document a weird decision in RFC 8209
The subject commonName of a BGPsec Router Certificate is RECOMMENDED to
be "CN=ROUTER-%08x", asn. It thus made perfect sense to deviate from
RFC 6487 and support encoding this as a UTF8String... We have three such
certs in the wild, so punt on complicating the logic at least until the
point where we need more than the fingers of one hand to count them.
ok claudio
djm [Fri, 31 May 2024 09:01:08 +0000 (09:01 +0000)]
warn when -r (deprecated option to disable re-exec) is passed
djm [Fri, 31 May 2024 08:49:35 +0000 (08:49 +0000)]
typos
tb [Fri, 31 May 2024 02:45:15 +0000 (02:45 +0000)]
rpki-client: check issuer for certs and CRLs
Per RFC 6487, the subject and issuer fields of a certificate and the issuer
field of a CRL are subject to the same restrictions: only a commonName and
an optional serialNumber may be present and the commonName must be an ASN.1
printable string.
So far we've only checked the subject of certificates, which covers almost
everything by relying on the verifier to check that the issuer's subject is
identical to the subject's issuer, also for CRLs per X509_V_FLAG_CRL_CHECK.
The only thing missing this way is the TA's issuer.
Since the check is cheap and simple, we're better off doing it ourselves:
Refactor the x509_vaild_subject() helper to take an X509_NAME (which is of
course the appropriate name for a type representing an X.501 distinguished
name). This checks the details of RFC 6487, section 4.4, except that we
still can't check for a printable string since afrinic has ~3000 EE certs
that don't follow the spec, which would knock out ~45% of their ROAs. We're
told that this is going to be fixed this year.
looks good to claudio
ok job