Commit message  (Author, Age, Files, Lines -/+)
* Add a -f filter argument to the list commands like choose-tree. (nicm, 2020-04-12, 5 files, -42/+100)

* Clarify a couple of style options. (nicm, 2020-04-12, 1 file, -2/+6)

* Mention tail queue in comments. (visa, 2020-04-12, 1 file, -3/+11)
* make ifpromisc assert that the caller is holding the NET_LOCK. (dlg, 2020-04-12, 1 file, -1/+3)
  it needs NET_LOCK because it modifies if_flags and if_pcount. ok visa@

* say if_pcount needs NET_LOCK instead of the kernel lock. (dlg, 2020-04-12, 1 file, -2/+2)
  if_pcount is only touched in ifpromisc(), and ifpromisc() needs NET_LOCK anyway because it also modifies if_flags. suggested by mpi@ ok visa@

* take NET_LOCK in aggr_clone_destroy() before calling aggr_p_dtor() (dlg, 2020-04-12, 1 file, -1/+3)
  aggr_p_dtor() calls ifpromisc(), and ifpromisc() callers need to be holding NET_LOCK to make changes to if_flags and if_pcount, and before calling the interfaces ioctl to apply the flag change. i found this while reading code with my eyes, and was able to trigger the NET_ASSERT_LOCKED in the vlan_ioctl path. ok visa@

* take NET_LOCK in tpmr_clone_destroy() before calling tpmr_p_dtor() (dlg, 2020-04-12, 1 file, -1/+3)
  tpmr_p_dtor() calls ifpromisc(), and ifpromisc() callers need to be holding NET_LOCK to make changes to if_flags and if_pcount, and before calling the interfaces ioctl to apply the flag change. found by hrvoje popovski who was testing tpmr with vlan interfaces. vlan(4) asserts that the net lock is held in its ioctl path, which started this whole bug hunt. ok visa@ (who came up with a similar diff, which hrvoje tested)

* ifpromisc() requires NET_LOCK(), so acquire the lock when changing (visa, 2020-04-12, 1 file, -1/+5)
  promiscuous mode from bridge(4). This fixes a regression of r1.332 of sys/net/if_bridge.c. splassert with bridge(4) and vlan(4) reported by David Hill OK mpi@, dlg@
* DELETE payloads are common. Log with log_info instead of log_warnx. (tobhe, 2020-04-11, 1 file, -2/+2)

* add space between macro arg and punctuation; (jmc, 2020-04-11, 1 file, -3/+3)

* If we haven't received any IKE message from our partner for some (tobhe, 2020-04-11, 2 files, -7/+34)
  time, make sure to send a DPD packet to him so that we break up the connection faster if it's dead. ok patrick@

* Avoid using libc SHA256File(), just perform the operation inline to (deraadt, 2020-04-11, 1 file, -30/+17)
  make things easier for -portable ok claudio

* To help -portable, use a strrchr instead of basename, since we know what (deraadt, 2020-04-11, 1 file, -4/+6)
  kinds of paths are coming in here. ok benno claudio

* remove a __unused attribute, it's obvious and complicates things. (benno, 2020-04-11, 1 file, -2/+2)
  ok claudio@

* Add soassertlocked() checks to sbappend() and sbappendaddr(). This brings (claudio, 2020-04-11, 1 file, -1/+4)
  them in line with sbappendstream() and sbappendrecord(). Agreed by mpi@
* Document the TLSv1.3 control word, update the description of the (schwarze, 2020-04-11, 1 file, -4/+30)
  TLSv1 control word, and explain how TLSv1.3 cipher suites can be configured in LibreSSL and in OpenSSL. While here, also mention how users can inspect the DEFAULT list of cipher suites. Stimulus, feedback and OK from jsing@.

* Eliminate an unnecessary intermediate variable in ieee80211_mira_choose(). (stsp, 2020-04-11, 1 file, -4/+2)
  suggested by jmatthew

* Skip MiRA's event-based probing if we're already at the minimum or (stsp, 2020-04-11, 1 file, -5/+7)
  maximum rate of our current rateset. ok tb@

* Update MiRA probing interval of probed rates which are worse than the (stsp, 2020-04-11, 1 file, -24/+18)
  current best rate, not worse than the rate currently being probed. This seems to be a more accurate interpretation of the MiRA paper. The paper says the interval for a rate needs to be updated if the rate's goodput is worse than that of the "current transmission rate" (see the "Adaptive probing interval" section). Our implementation interpreted "current transmission rate" as "rate being probed right now" and adjusted the interval of the previously probed rate. However, the context of this section of the paper suggests that "current transmission rate" intends to refer to the currently selected best rate for our non-probing transmissions.
  testing and ok tb@ jmatthew@
* Use acpi_getsta(); avoids printing "no _STA method" messages and assumes (kettenis, 2020-04-11, 1 file, -10/+3)
  the device is present instead. ok deraadt@

* log() lines need \n too. (dlg, 2020-04-11, 1 file, -2/+2)

* Avoid triggering KASSERT for bogus reason in pfsync_sendout with PFSYNC_DEBUG. (stsp, 2020-04-11, 1 file, -2/+2)
  ok mpi@

* Grab the exclusive NET_LOCK() in the softnet thread. (mpi, 2020-04-11, 1 file, -7/+7)
  Prevent a data corruption on a UDP receive socket buffer reported by procter@ who triggered it with wireguard-go. The symptoms are underflow of sb_cc/sb_datacc/sb_mcnt. ok visa@

* fix build with PFSYNC_DEBUG by switching a format string from %d to %zd (stsp, 2020-04-11, 1 file, -2/+2)

* Refactor private key parsing. Eliminates a fair bit of duplicated (djm, 2020-04-11, 1 file, -147/+40)
  code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key type check in the ECDSA_CERT parsing path. feedback and ok markus@

* Zap double definition of conf and make ibuf_dns static to avoid double (otto, 2020-04-11, 3 files, -6/+5)
  definition; from Michael Forney

* sync (deraadt, 2020-04-11, 1 file, -0/+3)
* omcm(4), omclock(4) and omsysc(4) (kettenis, 2020-04-10, 4 files, -3/+131)

* Add omcm(4), omclock(4) and omsysc(4) drivers that support the new bus (kettenis, 2020-04-10, 9 files, -15/+335)
  structure that is used in current mainline Linux device trees. ok jsg@

* The Raspberry Pi4 (using UEFI firmware in ACPI mode) uses QWord() (kettenis, 2020-04-10, 1 file, -1/+8)
  resource descriptors. Add support for this. ok deraadt@
* Only make the type part of the idstring lowercase when looking for certs in (tobhe, 2020-04-10, 4 files, -9/+9)
  '/etc/iked', otherwise certs with SubjAltNames containing uppercase letters are not found. ok markus@

* Remove unused define, also a man fix from jmc. (nicm, 2020-04-10, 2 files, -4/+3)
* When failing to validate a peer TLS certificate in the MTA due to the (beck, 2020-04-10, 1 file, -2/+6)
  desired name of the MX not being present in the certificate, log that this is the reason for the failure and the name we couldn't find in the cert. ok millert@ martijn@

* sync cert.pem with Mozilla's root ca list, ok beck@ (sthen, 2020-04-10, 1 file, -276/+343)

* Typo in comment. (mpi, 2020-04-10, 1 file, -2/+2)
* Now that copy mode copies the pane content rather than keeping a (nicm, 2020-04-10, 10 files, -48/+70)
  reference to it, it isn't necessary that the pane in copy mode is the same as the one copying from. Add a -s flag to copy-mode to specify a different pane for the source content. This means it is possible to view two places in a pane's history at the same time in different panes, or copy from a pane's history into an editor or shell in the same pane. From Anindya Mukherjee.

* Place the 64bit key on the stack instead of malloc(9)'ing it in pppx_if_find(). (mpi, 2020-04-10, 1 file, -10/+10)
  Removing a malloc(9) with M_WAITOK reduces possible context switches which helps when dealing with parallelism issues. From Vitaliy Makkoveev.

* Update ARG_MAX bytes count (jca, 2020-04-10, 1 file, -3/+3)
  ok deraadt@

* Implement stacktrace_save_at() required for upcoming WITNESS. (mpi, 2020-04-10, 1 file, -1/+38)
  ok gkoehler@

* When printing the serialNumber, fall back to the colon separated hex (tb, 2020-04-10, 1 file, -2/+4)
  bytes in case ASN1_INTEGER_get() failed. This happens more often since asn1/a_int.c -r1.34. Matches OpenSSL behavior. Issue in openssl x509 -text output reported by sthen ok jsing sthen

* Add tests for TOKEN expansion of LocalForward and RemoteForward. (dtucker, 2020-04-10, 1 file, -2/+9)
* Add TOKEN percent expansion to LocalForward and RemoteForward when used (dtucker, 2020-04-10, 2 files, -59/+109)
  for Unix domain socket forwarding. Factor out the code for the config keywords that use the most common subset of TOKENS into its own function. bz#3014, ok jmc@ (man page bits) djm@

* When I removed CCK fallback from iwm(4) I accidentally left an else-if block (stsp, 2020-04-09, 1 file, -8/+1)
  in place which should have been deleted entirely. As a result firmware-based retries weren't being used in 11n mode anymore. Fix this. I really shouldn't be committing non-trivial changes without OK...

* The -6 option is ignored and will be removed in the future. (tobhe, 2020-04-09, 1 file, -3/+3)

* Simplify socket creation logic. Normally iked needs two sockets, one (tobhe, 2020-04-09, 6 files, -36/+52)
  for normal operation (UDP port 500) and one for NAT traversal (UDP 4500). There are several command line options resulting in only one of the sockets being created (-T, -t and -p). Add a new 'enum natt_mode' to make the logic for those somewhat less complicated as well as some comments where it makes sense. From Wataru Ashihara <wataash (at) wataash (dot) com> ok patrick@

* Revise test to handle the fact that TLSv1.3 cipher suites are now being (jsing, 2020-04-09, 1 file, -2/+4)
  included in the output from `openssl ciphers`.
* Include TLSv1.3 cipher suites unless cipher string references TLSv1.3. (jsing, 2020-04-09, 1 file, -6/+19)
  OpenSSL has always taken the approach of enabling almost everything by default. As a result, if you wanted to run a secure TLS client/server you had to specify your own "secure" cipher string, rather than being able to trust the defaults as being sensible and secure. The problem is that with the introduction of TLSv1.3, most of these "secure" cipher strings result in the new TLSv1.3 cipher suites being excluded.

  The "work around" for this issue in OpenSSL was to add a new TLSv1.3 API (SSL_CTX_set_ciphersuites(), SSL_set_ciphersuites()) and have separate knobs for the pre-TLSv1.3 and TLSv1.3 cipher suites. This of course means that every application now needs to call two APIs, but it does mean that applications that only call SSL_CTX_set_cipher_list()/SSL_set_cipher_list() cannot remove TLSv1.3 cipher suites and prevent TLSv1.3 from working.

  We've taken a different approach and have allowed TLSv1.3 cipher suites to be manipulated via the existing SSL_set_cipher_list() API. However, in order to avoid problems with hardcoded cipher strings, change this behaviour so that we always include TLSv1.3 cipher suites unless the cipher string has a specific reference to the TLSv1.3 protocol or a TLSv1.3 cipher suite. This means that:

    $ openssl ciphers -v TLSv1.2:!TLSv1.3

  still gives TLSv1.2 only cipher suites and:

    $ openssl ciphers -v AEAD-CHACHA20-POLY1305-SHA256

  only lists a single TLSv1.3 cipher, however:

    $ openssl ciphers -v ECDHE-RSA-AES256-GCM-SHA384

  now includes both TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 and all TLSv1.3 cipher suites (which also matches OpenSSL's openssl(1) behaviour).

  Issue encountered by kn@ with mumble.

  ok tb@

* Test both SSLv3 (aka pre-TLSv1.2) and TLSv1.2 cipher suites with TLS. (jsing, 2020-04-09, 1 file, -1/+1)

* Tidy line wrapping and remove an extra blank line. (jsing, 2020-04-09, 1 file, -4/+3)

* ssl_aes_is_accelerated() returns a boolean - treat it as such, rather than (jsing, 2020-04-09, 1 file, -2/+2)
  explicitly comparing against a value.