The OpenBSD rpki-client is a free, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system, downloads and validates Route Origin Authorisations (ROAs) and finally outputs Validated ROA Payloads (VRPs) in the configuration format of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by other routing stacks.
6.8p1 (12 Nov 2020 20:33)
Incorporate OpenBSD 6.8 errata 006 of November 10, 2020: rpki-client incorrectly checks the manifest validity interval. Add compat code for the LibreSSL ASN1_time_parse() and ASN1_time_tm_cmp() functions. Those are needed to properly check the validity of MFT files.
6.8p0 (20 Oct 2020 21:07)
Improve how repositories are downloaded: do not fetch symlinks, and clean extraneous files from the repositories after download using the cryptographically signed RPKI manifest listings. Fix a bug where rpki-client could hang after calling rsync. Remove the -f option, which is no longer needed. Improve validation of the trust anchors. Add new option '-s timeout' to make rpki-client automatically terminate after a timeout (default 1 hour). This helps when rpki-client is run via cron, where it prevents a hanging process from causing problems. Portability improvements: replace warnc() with warnx() + strerror(), replace b64_pton() with code using the libcrypto EVP_Decode* functionality, and adjust for OpenSSL 1.1.x compatible use of the EVP_ENCODE_CTX struct.
6.7p1 (30 Jul 2020 22:54)
Incorrect use of "EVP_PKEY_cmp" allowed an authentication bypass.