sync with OpenBSD -current

lib/libc/arch/aarch64/net/Makefile.inc

@@ -1,5 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.1 2017/01/11 18:09:24 patrick Exp $
-# $NetBSD: Makefile.inc,v 1.1 2000/12/29 20:13:53 bjh21 Exp $
-
-# hton* and nto* functions provided by ../gen/byte_swap_*.S
-SRCS+=

lib/libc/arch/arm/gen/byte_swap_2.S

@@ -1,46 +0,0 @@
-/*	$OpenBSD: byte_swap_2.S,v 1.4 2022/05/24 17:15:23 guenther Exp $	*/
-/*	$NetBSD: byte_swap_2.S,v 1.3 2003/04/05 23:08:51 bjh21 Exp $	*/
-
-/*-
- * Copyright (c) 1999 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Charles M. Hannum.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "DEFS.h"
-
-_ENTRY(__bswap16)
-_ENTRY_NB(ntohs)
-ENTRY_NB(htons)
-	and		r1, r0, #0xff
-	mov		r0, r0, lsr #8
-	orr		r0, r0, r1, lsl #8
-	mov		pc, lr
-END(htons)
-_END(ntohs)
-_END(__bswap16)
-	.weak	htons
-	.weak	ntohs

lib/libc/arch/arm/net/Makefile.inc

@@ -1,5 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.2 2004/02/01 05:40:52 drahn Exp $
-# $NetBSD: Makefile.inc,v 1.1 2000/12/29 20:13:53 bjh21 Exp $
-
-# hton* and nto* functions provided by ../gen/byte_swap_*.S
-SRCS+=

lib/libcrypto/cryptlib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptlib.c,v 1.50 2024/04/10 14:51:02 beck Exp $ */
+/* $OpenBSD: cryptlib.c,v 1.51 2024/04/21 13:41:14 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -277,8 +277,7 @@ CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function)(
 LCRYPTO_ALIAS(CRYPTO_set_dynlock_destroy_callback);
 
 struct CRYPTO_dynlock_value *
-(*CRYPTO_get_dynlock_create_callback(void))(
-    const char *file, int line)
+(*CRYPTO_get_dynlock_create_callback(void))(const char *file, int line)
 {
 	return NULL;
 }

lib/libcrypto/man/X509_LOOKUP_new.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_LOOKUP_new.3,v 1.10 2024/04/14 10:56:18 tb Exp $
+.\" $OpenBSD: X509_LOOKUP_new.3,v 1.11 2024/04/22 02:30:23 jsg Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 14 2024 $
+.Dd $Mdocdate: April 22 2024 $
 .Dt X509_LOOKUP_NEW 3
 .Os
 .Sh NAME
@@ -75,7 +75,7 @@
 is a deprecated function that
 releases the memory used by
 .Fa lookup .
-It is provided for compatibility only. 
+It is provided for compatibility only.
 If
 .Fa lookup
 is a

sbin/slaacd/engine.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: engine.c,v 1.88 2024/02/11 21:29:12 bluhm Exp $	*/
+/*	$OpenBSD: engine.c,v 1.89 2024/04/21 17:33:05 florian Exp $	*/
 
 /*
  * Copyright (c) 2017 Florian Obser <florian@openbsd.org>
@@ -2130,6 +2130,7 @@ configure_address(struct address_proposal *addr_proposal)
 
 	address.if_index = addr_proposal->if_index;
 	memcpy(&address.addr, &addr_proposal->addr, sizeof(address.addr));
+	memcpy(&address.gw, &addr_proposal->from, sizeof(address.gw));
 	memcpy(&address.mask, &addr_proposal->mask, sizeof(address.mask));
 	address.vltime = addr_proposal->vltime;
 	address.pltime = addr_proposal->pltime;

sbin/slaacd/engine.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: engine.h,v 1.6 2021/03/21 18:25:24 florian Exp $	*/
+/*	$OpenBSD: engine.h,v 1.7 2024/04/21 17:33:05 florian Exp $	*/
 
 /*
  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
@@ -19,6 +19,7 @@
 struct imsg_configure_address {
 	uint32_t		 if_index;
 	struct sockaddr_in6	 addr;
+	struct sockaddr_in6	 gw;
 	struct in6_addr		 mask;
 	uint32_t		 vltime;
 	uint32_t		 pltime;

sbin/slaacd/slaacd.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: slaacd.c,v 1.68 2023/02/15 13:47:00 florian Exp $	*/
+/*	$OpenBSD: slaacd.c,v 1.69 2024/04/21 17:33:05 florian Exp $	*/
 
 /*
  * Copyright (c) 2017 Florian Obser <florian@openbsd.org>
@@ -632,6 +632,8 @@ configure_interface(struct imsg_configure_address *address)
 
 	memcpy(&in6_addreq.ifra_addr, &address->addr,
 	    sizeof(in6_addreq.ifra_addr));
+	memcpy(&in6_addreq.ifra_dstaddr, &address->gw,
+	    sizeof(in6_addreq.ifra_dstaddr));
 	memcpy(&in6_addreq.ifra_prefixmask.sin6_addr, &address->mask,
 	    sizeof(in6_addreq.ifra_prefixmask.sin6_addr));
 	in6_addreq.ifra_prefixmask.sin6_family = AF_INET6;

sys/netinet6/icmp6.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: icmp6.c,v 1.251 2023/12/03 20:36:24 bluhm Exp $	*/
+/*	$OpenBSD: icmp6.c,v 1.252 2024/04/21 17:32:10 florian Exp $	*/
 /*	$KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $	*/
 
 /*
@@ -1164,7 +1164,7 @@ icmp6_reflect(struct mbuf **mp, size_t off, struct sockaddr *sa)
 			rtfree(rt);
 			goto bad;
 		}
-		ia6 = in6_ifawithscope(rt->rt_ifa->ifa_ifp, &t, rtableid);
+		ia6 = in6_ifawithscope(rt->rt_ifa->ifa_ifp, &t, rtableid, rt);
 		if (ia6 != NULL)
 			src = &ia6->ia_addr.sin6_addr;
 		if (src == NULL)

sys/netinet6/in6.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: in6.c,v 1.264 2024/04/17 08:36:30 florian Exp $	*/
+/*	$OpenBSD: in6.c,v 1.265 2024/04/21 17:32:10 florian Exp $	*/
 /*	$KAME: in6.c,v 1.372 2004/06/14 08:14:21 itojun Exp $	*/
 
 /*
@@ -562,13 +562,19 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 		return (EINVAL);
 
 	/*
-	 * The destination address for a p2p link must have a family
-	 * of AF_UNSPEC or AF_INET6.
+	 * The destination address for a p2p link or the address of the
+	 * announcing router for an autoconf address must have a family of
+	 * AF_UNSPEC or AF_INET6.
 	 */
-	if ((ifp->if_flags & IFF_POINTOPOINT) != 0 &&
-	    ifra->ifra_dstaddr.sin6_family != AF_INET6 &&
-	    ifra->ifra_dstaddr.sin6_family != AF_UNSPEC)
-		return (EAFNOSUPPORT);
+	if ((ifp->if_flags & IFF_POINTOPOINT) ||
+	    (ifp->if_flags & IFF_LOOPBACK) ||
+	    (ifra->ifra_flags & IN6_IFF_AUTOCONF)) {
+		if (ifra->ifra_dstaddr.sin6_family != AF_INET6 &&
+		    ifra->ifra_dstaddr.sin6_family != AF_UNSPEC)
+			return (EAFNOSUPPORT);
+
+	} else if (ifra->ifra_dstaddr.sin6_family != AF_UNSPEC)
+			return (EINVAL);
 
 	/*
 	 * validate ifra_prefixmask.  don't check sin6_family, netmask
@@ -597,27 +603,15 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 		 */
 		plen = in6_mask2len(&ia6->ia_prefixmask.sin6_addr, NULL);
 	}
-	/*
-	 * If the destination address on a p2p interface is specified,
-	 * and the address is a scoped one, validate/set the scope
-	 * zone identifier.
-	 */
+
 	dst6 = ifra->ifra_dstaddr;
-	if ((ifp->if_flags & (IFF_POINTOPOINT|IFF_LOOPBACK)) != 0 &&
-	    (dst6.sin6_family == AF_INET6)) {
+	if (dst6.sin6_family == AF_INET6) {
 		error = in6_check_embed_scope(&dst6, ifp->if_index);
 		if (error)
 			return error;
-	}
-	/*
-	 * The destination address can be specified only for a p2p or a
-	 * loopback interface.  If specified, the corresponding prefix length
-	 * must be 128.
-	 */
-	if (ifra->ifra_dstaddr.sin6_family == AF_INET6) {
-		if ((ifp->if_flags & (IFF_POINTOPOINT|IFF_LOOPBACK)) == 0)
-			return (EINVAL);
-		if (plen != 128)
+
+		if (((ifp->if_flags & IFF_POINTOPOINT) ||
+		    (ifp->if_flags & IFF_LOOPBACK)) && plen != 128)
 			return (EINVAL);
 	}
 	/* lifetime consistency check */
@@ -652,7 +646,8 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 		ia6->ia_addr.sin6_family = AF_INET6;
 		ia6->ia_addr.sin6_len = sizeof(ia6->ia_addr);
 		ia6->ia6_updatetime = getuptime();
-		if ((ifp->if_flags & (IFF_POINTOPOINT | IFF_LOOPBACK)) != 0) {
+		if ((ifp->if_flags & IFF_POINTOPOINT) ||
+		    (ifp->if_flags & IFF_LOOPBACK)) {
 			/*
 			 * XXX: some functions expect that ifa_dstaddr is not
 			 * NULL for p2p interfaces.
@@ -686,10 +681,10 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 
 	/*
 	 * If a new destination address is specified, scrub the old one and
-	 * install the new destination.  Note that the interface must be
-	 * p2p or loopback (see the check above.)
+	 * install the new destination.
 	 */
-	if ((ifp->if_flags & IFF_POINTOPOINT) && dst6.sin6_family == AF_INET6 &&
+	if (((ifp->if_flags & IFF_POINTOPOINT)  ||
+	    (ifp->if_flags & IFF_LOOPBACK)) && dst6.sin6_family == AF_INET6 &&
 	    !IN6_ARE_ADDR_EQUAL(&dst6.sin6_addr, &ia6->ia_dstaddr.sin6_addr)) {
 		struct ifaddr *ifa = &ia6->ia_ifa;
 
@@ -706,6 +701,13 @@ in6_update_ifa(struct ifnet *ifp, struct in6_aliasreq *ifra,
 		ia6->ia_dstaddr = dst6;
 	}
 
+	if ((ifra->ifra_flags & IN6_IFF_AUTOCONF) &&
+	    dst6.sin6_family == AF_INET6 &&
+	    !IN6_ARE_ADDR_EQUAL(&dst6.sin6_addr, &ia6->ia_gwaddr.sin6_addr)) {
+		/* Set or update announcing router */
+		ia6->ia_gwaddr = dst6;
+	}
+
 	/*
 	 * Set lifetimes.  We do not refer to ia6t_expire and ia6t_preferred
 	 * to see if the address is deprecated or invalidated, but initialize
@@ -1329,13 +1331,21 @@ in6_prefixlen2mask(struct in6_addr *maskp, int len)
  * return the best address out of the same scope
  */
 struct in6_ifaddr *
-in6_ifawithscope(struct ifnet *oifp, struct in6_addr *dst, u_int rdomain)
+in6_ifawithscope(struct ifnet *oifp, struct in6_addr *dst, u_int rdomain,
+    struct rtentry *rt)
 {
 	int dst_scope =	in6_addrscope(dst), src_scope, best_scope = 0;
 	int blen = -1;
 	struct ifaddr *ifa;
 	struct ifnet *ifp;
 	struct in6_ifaddr *ia6_best = NULL;
+	struct in6_addr *gw6 = NULL;
+
+	if (rt) {
+		if (rt->rt_gateway != NULL &&
+		    rt->rt_gateway->sa_family == AF_INET6)
+			gw6 = &(satosin6(rt->rt_gateway)->sin6_addr);
+	}
 
 	if (oifp == NULL) {
 		printf("%s: output interface is not specified\n", __func__);
@@ -1460,8 +1470,16 @@ in6_ifawithscope(struct ifnet *oifp, struct in6_addr *dst, u_int rdomain)
 			/*
 			 * Rule 5.5: Prefer addresses in a prefix advertised
 			 * by the next-hop.
-			 * We do not track this information.
 			 */
+			if (gw6) {
+				struct in6_addr *in6_bestgw, *in6_newgw;
+
+				in6_bestgw = &ia6_best->ia_gwaddr.sin6_addr;
+				in6_newgw = &ifatoia6(ifa)->ia_gwaddr.sin6_addr;
+				if (!IN6_ARE_ADDR_EQUAL(in6_bestgw, gw6) &&
+				    IN6_ARE_ADDR_EQUAL(in6_newgw, gw6))
+					goto replace;
+			}
 
 			/*
 			 * Rule 6: Prefer matching label.

sys/netinet6/in6.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: in6.h,v 1.116 2024/02/13 12:22:09 bluhm Exp $	*/
+/*	$OpenBSD: in6.h,v 1.117 2024/04/21 17:32:11 florian Exp $	*/
 /*	$KAME: in6.h,v 1.83 2001/03/29 02:55:07 jinmei Exp $	*/
 
 /*
@@ -404,6 +404,7 @@ struct sockaddr_in6;
 struct ifaddr;
 struct in6_ifaddr;
 struct ifnet;
+struct rtentry;
 
 void	ipv6_input(struct ifnet *, struct mbuf *);
 struct mbuf *
@@ -413,7 +414,8 @@ int	in6_cksum(struct mbuf *, uint8_t, uint32_t, uint32_t);
 void	in6_proto_cksum_out(struct mbuf *, struct ifnet *);
 int	in6_localaddr(struct in6_addr *);
 int	in6_addrscope(struct in6_addr *);
-struct	in6_ifaddr *in6_ifawithscope(struct ifnet *, struct in6_addr *, u_int);
+struct	in6_ifaddr *in6_ifawithscope(struct ifnet *, struct in6_addr *, u_int,
+	    struct rtentry *);
 int	in6_mask2len(struct in6_addr *, u_char *);
 int	in6_nam2sin6(const struct mbuf *, struct sockaddr_in6 **);
 int	in6_sa2sin6(struct sockaddr *, struct sockaddr_in6 **);

sys/netinet6/in6_src.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: in6_src.c,v 1.98 2024/03/31 15:53:12 bluhm Exp $	*/
+/*	$OpenBSD: in6_src.c,v 1.99 2024/04/21 17:32:11 florian Exp $	*/
 /*	$KAME: in6_src.c,v 1.36 2001/02/06 04:08:17 itojun Exp $	*/
 
 /*
@@ -162,7 +162,7 @@ in6_pcbselsrc(const struct in6_addr **in6src, struct sockaddr_in6 *dstsock,
 		if (ifp == NULL)
 			return (ENXIO); /* XXX: better error? */
 
-		ia6 = in6_ifawithscope(ifp, dst, rtableid);
+		ia6 = in6_ifawithscope(ifp, dst, rtableid, NULL);
 		if_put(ifp);
 
 		if (ia6 == NULL)
@@ -192,7 +192,7 @@ in6_pcbselsrc(const struct in6_addr **in6src, struct sockaddr_in6 *dstsock,
 	if (rt != NULL) {
 		ifp = if_get(rt->rt_ifidx);
 		if (ifp != NULL) {
-			ia6 = in6_ifawithscope(ifp, dst, rtableid);
+			ia6 = in6_ifawithscope(ifp, dst, rtableid, rt);
 			if_put(ifp);
 		}
 		if (ia6 == NULL) /* xxx scope error ?*/
@@ -256,7 +256,7 @@ in6_selectsrc(const struct in6_addr **in6src, struct sockaddr_in6 *dstsock,
 		if (ifp == NULL)
 			return (ENXIO); /* XXX: better error? */
 
-		ia6 = in6_ifawithscope(ifp, dst, rtableid);
+		ia6 = in6_ifawithscope(ifp, dst, rtableid, NULL);
 		if_put(ifp);
 
 		if (ia6 == NULL)
@@ -280,7 +280,7 @@ in6_selectsrc(const struct in6_addr **in6src, struct sockaddr_in6 *dstsock,
 			ifp = if_get(htons(dstsock->sin6_scope_id));
 
 		if (ifp) {
-			ia6 = in6_ifawithscope(ifp, dst, rtableid);
+			ia6 = in6_ifawithscope(ifp, dst, rtableid, NULL);
 			if_put(ifp);
 
 			if (ia6 == NULL)

sys/netinet6/in6_var.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: in6_var.h,v 1.78 2022/11/23 07:57:39 kn Exp $	*/
+/*	$OpenBSD: in6_var.h,v 1.79 2024/04/21 17:32:11 florian Exp $	*/
 /*	$KAME: in6_var.h,v 1.55 2001/02/16 12:49:45 itojun Exp $	*/
 
 /*
@@ -93,6 +93,7 @@ struct	in6_ifaddr {
 #define	ia_flags	ia_ifa.ifa_flags
 
 	struct	sockaddr_in6 ia_addr;	/* interface address */
+	struct	sockaddr_in6 ia_gwaddr; /* router we learned address from */
 	struct	sockaddr_in6 ia_dstaddr; /* space for destination addr */
 	struct	sockaddr_in6 ia_prefixmask; /* prefix mask */
 	TAILQ_ENTRY(in6_ifaddr) ia_list;	/* list of IP6 addresses */

usr.sbin/rpki-client/cert.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.129 2024/03/22 03:38:12 job Exp $ */
+/*	$OpenBSD: cert.c,v 1.130 2024/04/21 19:27:44 claudio Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -773,7 +773,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 	}
 	X509_ALGOR_get0(&cobj, NULL, NULL, palg);
 	nid = OBJ_obj2nid(cobj);
-	if (nid == NID_ecdsa_with_SHA256) {
+	if (experimental && nid == NID_ecdsa_with_SHA256) {
 		if (verbose)
 			warnx("%s: P-256 support is experimental", fn);
 	} else if (nid != NID_sha256WithRSAEncryption) {

usr.sbin/rpki-client/cms.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cms.c,v 1.42 2024/02/01 15:11:38 tb Exp $ */
+/*	$OpenBSD: cms.c,v 1.44 2024/04/21 19:27:44 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -30,7 +30,6 @@
 extern ASN1_OBJECT	*cnt_type_oid;
 extern ASN1_OBJECT	*msg_dgst_oid;
 extern ASN1_OBJECT	*sign_time_oid;
-extern ASN1_OBJECT	*bin_sign_time_oid;
 
 static int
 cms_extract_econtent(const char *fn, CMS_ContentInfo *cms, unsigned char **res,
@@ -108,8 +107,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 	EVP_PKEY			*pkey;
 	X509_ALGOR			*pdig, *psig;
 	int				 i, nattrs, nid;
-	int				 has_ct = 0, has_md = 0, has_st = 0,
-					 has_bst = 0;
+	int				 has_ct = 0, has_md = 0, has_st = 0;
 	time_t				 notafter;
 	int				 rc = 0;
 
@@ -218,12 +216,6 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 			}
 			if (!cms_get_signtime(fn, attr, signtime))
 				goto out;
-		} else if (OBJ_cmp(obj, bin_sign_time_oid) == 0) {
-			if (has_bst++ != 0) {
-				warnx("%s: RFC 6488: duplicate "
-				    "signed attribute", fn);
-				goto out;
-			}
 		} else {
 			OBJ_obj2txt(buf, sizeof(buf), obj, 1);
 			warnx("%s: RFC 6488: "
@@ -239,11 +231,11 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 		goto out;
 	}
 
-	if (has_bst)
-		warnx("%s: unsupported CMS signing-time attribute", fn);
-
-	if (!has_st)
+	if (!has_st) {
+		/* RFC-to-be draft-ietf-sidrops-cms-signing-time */
 		warnx("%s: missing CMS signing-time attribute", fn);
+		goto out;
+	}
 
 	if (CMS_unsigned_get_attr_count(si) != -1) {
 		warnx("%s: RFC 6488: CMS has unsignedAttrs", fn);
@@ -265,7 +257,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 	X509_ALGOR_get0(&obj, NULL, NULL, psig);
 	nid = OBJ_obj2nid(obj);
 	/* RFC7935 last paragraph of section 2 specifies the allowed psig */
-	if (nid == NID_ecdsa_with_SHA256) {
+	if (experimental && nid == NID_ecdsa_with_SHA256) {
 		if (verbose)
 			warnx("%s: P-256 support is experimental", fn);
 	} else if (nid != NID_rsaEncryption &&

usr.sbin/rpki-client/crl.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crl.c,v 1.33 2024/04/15 13:57:45 job Exp $ */
+/*	$OpenBSD: crl.c,v 1.34 2024/04/21 19:27:44 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -63,7 +63,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 	}
 	X509_ALGOR_get0(&cobj, NULL, NULL, palg);
 	nid = OBJ_obj2nid(cobj);
-	if (nid == NID_ecdsa_with_SHA256) {
+	if (experimental && nid == NID_ecdsa_with_SHA256) {
 		if (verbose)
 			warnx("%s: P-256 support is experimental", fn);
 	} else if (nid != NID_sha256WithRSAEncryption) {

usr.sbin/rpki-client/extern.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.216 2024/04/15 13:57:45 job Exp $ */
+/*	$OpenBSD: extern.h,v 1.217 2024/04/21 19:27:44 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -645,8 +645,10 @@ struct msgbuf;
 
 /* global variables */
 extern int verbose;
+extern int noop;
 extern int filemode;
 extern int excludeaspa;
+extern int experimental;
 extern const char *tals[];
 extern const char *taldescs[];
 extern unsigned int talrepocnt[];

usr.sbin/rpki-client/filemode.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: filemode.c,v 1.40 2024/03/22 03:38:12 job Exp $ */
+/*	$OpenBSD: filemode.c,v 1.41 2024/04/21 19:27:44 claudio Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -41,8 +41,6 @@
 #include "extern.h"
 #include "json.h"
 
-extern int		 verbose;
-
 static X509_STORE_CTX	*ctx;
 static struct auth_tree	 auths = RB_INITIALIZER(&auths);
 static struct crl_tree	 crlt = RB_INITIALIZER(&crlt);

usr.sbin/rpki-client/output-json.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: output-json.c,v 1.48 2024/04/08 14:02:13 tb Exp $ */
+/*	$OpenBSD: output-json.c,v 1.49 2024/04/21 19:27:44 claudio Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  *
@@ -23,8 +23,6 @@
 #include "extern.h"
 #include "json.h"
 
-extern int experimental;
-
 static void
 outputheader_json(struct stats *st)
 {

usr.sbin/rpki-client/parser.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.c,v 1.134 2024/04/17 15:03:22 tb Exp $ */
+/*	$OpenBSD: parser.c,v 1.135 2024/04/21 19:27:44 claudio Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -38,10 +38,6 @@
 
 #include "extern.h"
 
-extern int noop;
-extern int experimental;
-extern int verbose;
-
 static X509_STORE_CTX	*ctx;
 static struct auth_tree	 auths = RB_INITIALIZER(&auths);
 static struct crl_tree	 crlt = RB_INITIALIZER(&crlt);

usr.sbin/rpki-client/repo.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: repo.c,v 1.56 2024/04/08 14:02:13 tb Exp $ */
+/*	$OpenBSD: repo.c,v 1.57 2024/04/21 19:27:44 claudio Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -38,7 +38,6 @@
 #include "extern.h"
 
 extern struct stats	stats;
-extern int		noop;
 extern int		rrdpon;
 extern int		repo_timeout;
 extern time_t		deadline;

usr.sbin/rpki-client/x509.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.86 2024/04/03 04:20:13 tb Exp $ */
+/*	$OpenBSD: x509.c,v 1.87 2024/04/21 09:03:22 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -39,7 +39,6 @@ ASN1_OBJECT	*bgpsec_oid;	/* id-kp-bgpsec-router Key Purpose */
 ASN1_OBJECT	*cnt_type_oid;	/* pkcs-9 id-contentType */
 ASN1_OBJECT	*msg_dgst_oid;	/* pkcs-9 id-messageDigest */
 ASN1_OBJECT	*sign_time_oid;	/* pkcs-9 id-signingTime */
-ASN1_OBJECT	*bin_sign_time_oid;	/* pkcs-9 id-aa-binarySigningTime */
 ASN1_OBJECT	*rsc_oid;	/* id-ct-signedChecklist */
 ASN1_OBJECT	*aspa_oid;	/* id-ct-ASPA */
 ASN1_OBJECT	*tak_oid;	/* id-ct-SignedTAL */
@@ -98,10 +97,6 @@ static const struct {
 		.oid = "1.2.840.113549.1.9.5",
 		.ptr = &sign_time_oid,
 	},
-	{
-		.oid = "1.2.840.113549.1.9.16.2.46",
-		.ptr = &bin_sign_time_oid,
-	},
 	{
 		.oid = "1.2.840.113549.1.9.16.1.47",
 		.ptr = &geofeed_oid,