Commit message / Author / Age / Files / Lines
* route-to rules take ips now, not interfaces with optional ips.
  dlg, 2021-02-04, 3 files, -19/+19
  reminded by bluhm@
* route-to rules take ips, not interfaces with optional ips.
  dlg, 2021-02-04, 3 files, -38/+38
  reminded by bluhm@
* route-to rules take an ip now, not an interface with optional ip.
  dlg, 2021-02-04, 2 files, -2/+4
  they now also only work on keep state rules, so there are even more errors from the parser to expect. reminded by bluhm@
* 'struct group' is now called 'struct dh_group'.
  tobhe, 2021-02-04, 2 files, -4/+4
* Rename 'struct group' to 'struct dh_group' for more clarity and
  tobhe, 2021-02-04, 4 files, -63/+63
  to avoid name clashes. ok patrick@
* EC_POINT_get_affine_coordinates_GFp() and EC_POINT_get_affine_coordinates_GF2m()
  tobhe, 2021-02-04, 1 file, -21/+7
  do the same thing. Remove redundant check and always use the _GFp() variant. discussed with tb@ ok patrick@
* Upgrade to OpenSSL 1.1 compatible crypto API. Add additional
  tobhe, 2021-02-04, 5 files, -144/+231
  checks where needed. ok markus@ patrick@
* Reference trpt(8) from the SO_DEBUG section of getsockopt(2).
  bluhm, 2021-02-04, 1 file, -2/+4
  OK claudio@ visa@
* Implement the nc(1) -D socket debug option also in tcpbench(1).
  bluhm, 2021-02-04, 2 files, -8/+26
  This allows analysing TCP connections. OK claudio@
* sync
  anton, 2021-02-04, 1 file, -0/+1
* Add uhidpp(4), a driver for Logitech HID++ devices. Currently limited to
  anton, 2021-02-04, 21 files, -23/+1149
  exposing battery sensors for HID++ 2.0 devices. Most of the code is derived from the hid-logitech-hidpp Linux driver. Thanks to Ville Valkonen <weezeldinga at gmail dot com> for testing. ok mglocker@
* Add uhidev_set_report_dev() allowing usb drivers to early on install a
  anton, 2021-02-04, 2 files, -5/+25
  handler for a specific report id. Needed by an upcoming driver in order to communicate with the device already in the attach routine. ok mglocker@ as part of a larger diff
* Handle Netgear ProSecure UTM25
  visa, 2021-02-04, 4 files, -4/+26
  This makes the system recognize and configure Netgear ProSecure UTM25. Of the network ports, LAN1-4 and WAN1 are functional. WAN2 does not work for some reason. Even though WAN1 has a separate link to the SoC, the connection appears to go through the same switch that the LAN ports use. At the moment, the system relies on U-Boot to set up the switch so that the LAN and WAN segments stay separate. Initial diff and input from Thaison Nguyen, thank you!
* The uri parameter of struct entity is actually a local file path.
  claudio, 2021-02-04, 3 files, -37/+37
  Rename field to reduce confusion about what is what. OK tb@
* Redraw status line and borders on pane enable/disable, GitHub issue 2554.
  nicm, 2021-02-04, 1 file, -4/+12
* Define the msgbuf queues globally. Clean up the code since rsyncq and procq
  claudio, 2021-02-04, 1 file, -96/+79
  no longer need to be passed all the way down anymore. Shuffle code a bit to bring it into more order. OK tb@
* Revert previous commit. The vnode returned by ptm_vn_open() is open and
  claudio, 2021-02-04, 1 file, -33/+28
  can not simply be vrele()-ed on error. The code currently depends on closef() to do the cleanup. Reported-by: syzbot+b0e18235e96adf81883d@syzkaller.appspotmail.com
* Fix an overly long line
  claudio, 2021-02-04, 1 file, -2/+3
* Even though most openssl includes include everything try to be a bit more
  claudio, 2021-02-04, 5 files, -6/+15
  explicit about what is used where. Seems to be the least worst solution.
* Remove openssl includes and fcntl.h; neither of those is used in main.c.
  claudio, 2021-02-04, 1 file, -6/+2
  Add errno.h since this code makes direct use of errno.
* Cleanup openssl includes a bit. Use x509.h instead of x509v3.h, add asn1.h
  claudio, 2021-02-04, 1 file, -3/+3
  and remove evp.h. First two suggested by tb@. Compiler agrees.
* Shuffle code around, move all the bits of proc_parser into parser.c.
  claudio, 2021-02-04, 4 files, -619/+656
  OK tb@
* Prevent a lock order issue by shuffling code around. Instead of allocating
  claudio, 2021-02-04, 1 file, -28/+33
  the file descriptors early do it late. This way the fdplock is not held during the VFS operations. OK mvs@
* Unconditionally allocate a buffer big enough to hold a struct
  anton, 2021-02-04, 1 file, -8/+2
  usb_ctl_report. Limiting the size of the buffer to the size of the requested report can cause the ioctl(USB_GET_REPORT) command to fail with EFAULT as the kernel will always copy sizeof(struct usb_ctl_report) bytes from the address passed from user space. That is when the given address + sizeof(struct usb_ctl_report) crosses a page boundary and the adjacent page is not mapped. ok mglocker@
* Remove last remnants of ASU ac_flag from accounting.
  rob, 2021-02-04, 2 files, -8/+3
  OK deraadt@, bluhm@
* make if_pfsync.c a better friend with PF_LOCK
  sashan, 2021-02-04, 4 files, -179/+385
  The code delivered in this change is currently disabled. Brave souls may enable the code by adding -DWITH_PF_LOCK when building customized kernel. Big thanks goes to Hrvoje@ for providing test equipment and testing. As soon as we enter the next release cycle, the WITH_PF_LOCK will be defined as default option for MP kernels. OK dlg@
* Add SIOCAIFADDR_IN and SIOCDIFADDR_IN to the wroute pledge
  tobhe, 2021-02-03, 1 file, -1/+3
  to allow setting and removing IPv4 addresses. Needed for future iked(8) improvements. Discussed with sthen@ and florian@ ok bluhm@ deraadt@
* Fail early in legacy exporter if master secret is not available
  tb, 2021-02-03, 1 file, -1/+6
  The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard. with/ok jsing
* unbreak getline() conversion in disklabel
  naddy, 2021-02-03, 1 file, -5/+6
* Turns off the direct ACK on every other segment
  jan, 2021-02-03, 1 file, -5/+4
  The kernel uses a huge amount of processing time for sending ACKs to the sender on the receiving interface. After receiving a data segment, we send out two ACKs. The first one in tcp_input() directly after receiving. The second ACK is sent out after the userland or the sosplice task read some data out of the socket buffer. Thus, we save some processing time and improve network performance. Longer tested by sthen@ OK claudio@
* Adding a hard-trap instruction after the __threxit syscall instruction
  kurt, 2021-02-03, 1 file, -2/+1
  broke pthreads on hppa. Reverting. Ok deraadt@
* Add OID for draft-ietf-opsawg-finding-geofeeds
  job, 2021-02-03, 2 files, -0/+2
  https://tools.ietf.org/html/draft-ietf-opsawg-finding-geofeeds describes a mechanism to authenticate RFC 8805 Geofeed data files through the RPKI. OpenSSL counterpart https://github.com/openssl/openssl/pull/14050 OK tb@ jsing@
* After the rev. 1.108 commit we see some issues with ugen(4) behaviour,
  mglocker, 2021-02-03, 1 file, -1/+5
  which finally makes umb(4) fail, since ugen(4) attaches to one of the umb(4) interfaces, fails, and marks the whole device dying. Therefore make usbd_device2interface_handle() backwards compatible again. Problem reported by Mikolaj Kucharski. ok edd@
* Remove rsync.c from the test tool builds, nothing depends on that anymore
  claudio, 2021-02-03, 1 file, -3/+3
* Use mkpath() == -1 to check for failure. No functional change.
  claudio, 2021-02-03, 1 file, -2/+2
* change pf_route so pf only runs when packets enter and leave the stack.
  dlg, 2021-02-03, 1 file, -3/+3
  before this change pf_route operated on the semantic that pf runs when packets go over an interface, so when pf_route changed which interface the packet was on it would run pf_test again. this change changes (restores) the semantic that pf is only supposed to run when packets go in or out of the network stack, even if route-to is responsible for short circuiting past the network stack.

  just to be clear, for normal packets (i.e., those not touched by route-to/reply-to/dup-to), there isn't a difference between running pf when packets enter or leave the stack, or having pf run when a packet goes over an interface.

  the main reason for this change is that running the same packet through pf multiple times creates confusion for the state table. by default, pf states are floating, meaning that packets are matched to states regardless of which interface they're going over. if a packet leaving on em0 is rerouted out em1, both traversals will end up using the same state, which at best will make the accounting look weird, or at worst fail some checks in the state and get dropped.

  another reason for this commit is to make handling of the changes that route-to makes consistent with other changes that are made to the packet. eg, when nat is applied to a packet, we don't run pf_test again with the new addresses.

  the main caveat with this diff is you can't have one rule that pushes a packet out a different interface, and then have a rule on that second interface that NATs the packet. i'm not convinced this ever worked reliably or was used much anyway, so we don't think it's a big concern.

  discussed with many, with special thanks to bluhm@, sashan@ and sthen@ for weathering most of that pain. ok claudio@ sashan@ jmatthew@
* remove ancient malloc ? realloc dance. always use realloc.
  deraadt, 2021-02-03, 1 file, -5/+3
  ok millert tb
* whitespace
  djm, 2021-02-02, 1 file, -2/+1
* fix memleaks in private key deserialisation; enforce more consistency
  djm, 2021-02-02, 1 file, -1/+20
  between redundant fields in private key certificate and private key body; ok markus@
* memleak on error path; ok markus@
  djm, 2021-02-02, 1 file, -2/+2
* add -Tu to usage();
  jmc, 2021-02-02, 1 file, -2/+2
* Adjust the repository handling a bit. Instead of storing host/module pairs
  claudio, 2021-02-02, 2 files, -66/+54
  store repo (rsync URI) and local (the local path to the repository). Simplifies the rsync handling a fair bit. OK deraadt@
* Add a mkpath() helper function to rpki-client to recursively create
  claudio, 2021-02-02, 3 files, -4/+81
  directories. OK deraadt@
* As done for the AF_INET multicast case, ensure that the passed interface
  claudio, 2021-02-02, 1 file, -3/+5
  via index is actually in the right rdomain for the socket. OK bluhm@ mvs@
* KNF, move { up to if () statement
  claudio, 2021-02-02, 1 file, -3/+2
* If IP_MULTICAST_IF or IP_ADD_MEMBERSHIP pass an interface index to the
  claudio, 2021-02-02, 1 file, -3/+6
  kernel make sure that the rdomain of that interface is the same as the rdomain of the inpcb. Problem spotted and fix tested by semarie@ OK bluhm@ mvs@
* dhclient(8): fork_privchld, take_charge, propose_release: poll(2) -> ppoll(2)
  cheloha, 2021-02-02, 1 file, -30/+33
  Switch from poll(2) to ppoll(2) in a few more functions. Because we're working with ppoll(2) and clock_gettime(2) it is easier to encode the various timeouts as static const timespecs instead of preprocessor macros. This way we aren't packing timespecs in the middle of the code, which distracts from the (more important) logic of what the code is doing.

  Part of a larger campaign to improve "time stuff" in dhclient(8). Prompted by and discussed with krw@. Based on a diff by krw@. ok krw@
* replace fgetln(3) with getline(3) in disklabel
  naddy, 2021-02-02, 1 file, -14/+12
  Since getline() returns a C string, we don't need to carry around the length separately. ok millert@
* Properly implement 'rde med compare strict' and make sure that the order
  claudio, 2021-02-02, 1 file, -25/+141
  of prefixes is always correct. The strict RFC4271 way of checking MED requires to check the neighbor AS and only do the check if the AS are equal. Because of this it is possible that inserting or removing a route reshuffles the total order.

  prefix_cmp() was extended to return the location where the decision happened:
  - 0 if the decision was before the MED comparison or med compare always is set
  - 1 if the decision happened after the MED comparison
  - 2 if the MED caused the decision

  With this the new functions prefix_insert() and prefix_remove() are able to decide if more prefixes need to be evaluated (testall was not 0) and if prefixes need to be re-evaluated after this one was put (testall = 2). There is a local redo list onto which prefixes where the MED resulted in a reshuffle are put. After the new prefix is inserted all prefixes on the redo list are reinserted. Because now all affected MED routes get reevaluated the order is always correct.
* Add a bunch of RPKI OIDs
  job, 2021-02-02, 2 files, -1/+26
  RFC6482 - A Profile for Route Origin Authorizations (ROAs)
  RFC6484 - Certificate Policy (CP) for the RPKI
  RFC6493 - The RPKI Ghostbusters Record
  RFC8182 - The RPKI Repository Delta Protocol (RRDP)
  RFC8360 - RPKI Validation Reconsidered
  draft-ietf-sidrops-rpki-rta - A profile for RTAs

  Also in OpenSSL: https://github.com/openssl/openssl/commit/d3372c2f35495d0c61ab09daf7fba3ecbbb595aa

  OK sthen@ tb@ jsing@