| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
the tests with ulimit -c unlimited to make sure coredumps are written.
OK bluhm@ deraadt@
|
| |
|
|
|
|
|
| |
first entry. This way ocspcheck will try all returned IPs to contact
the OCSP server. Found by the regress test and a resolv.conf file with
'family inet6 inet4'.
OK kn@ deraadt@
|
| | |
|
| |
|
|
| |
ok visa
|
| | |
|
| |
|
|
|
| |
Silence from the network group
ok sashan@
|
| | |
|
| |
|
|
|
|
|
|
| |
should ensure that we don't read a stale command ID and complete the
wrong scsi io. powerpc64 base builds were crashing like this fairly
regularly.
ok deraadt@ dlg@
|
| | |
|
| | |
|
| |
|
|
| |
from pedro martelletto
|
| | |
|
| | |
|
| |
|
|
| |
OK bluhm@, claudio@, deraadt@
|
| | |
|
| |
|
|
|
|
|
| |
Trailing characters in the option argument were ignored, such that
-cC1 (typo of -c1C) was interpreted as -cC instead of being rejected.
ok jsing@
|
| | |
|
| |
|
|
|
|
|
| |
ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.
ok tb@
|
| |
|
|
|
|
|
| |
DTLS is largely broken/useless without read ahead being enabled, so enforce
it for DTLS. This behaviour matches both our documentation and OpenSSL.
ok tb@
|
| |
|
|
|
|
|
| |
Replace the current copy of dtls1_retrieve_buffered_record() with a call
to it instead.
ok tb@
|
| | |
|
| |
|
|
|
| |
Discussed with sthen@
ok patrick@
|
| |
|
|
| |
Christian Zangl.
|
| |
|
|
|
|
|
| |
a new object that is already refcounted, so carp attach does not
reach into internal structures. Add kasserts to detect counter
overflow or underflow.
OK mvs@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RAID1C discipline encrypts data like the CRYPTO discipline, and accepts
multiple chunks during creation and assembly like the RAID1 discipline.
To deal with failing disks a RAID1C volume may be assembled with a smaller
number of chunks than the volume was created with. The volume will then come
up in degraded state. If the volume is now detached and assembled again with
the correct number of chunks, any re-added chunks will require a rebuild.
Consequently, assembling RAID1C volumes requires careful attention to the
chunks passed via 'bioctl -l'. If a chunk is accidentally omitted from the
command line during volume assembly, then this chunk will need to be rebuilt.
At least one known-good chunk is required in order to assemble the volume.
Like CRYPTO, RAID1C supports passphrase and key-disk authentication.
Key-disk based volumes are assembled automatically if the key disk is present
while the system is booting up.
Unlike CRYPTO and RAID1, there is no boot support for RAID1C yet.
RAID1C largely reuses existing code of RAID1 and CRYPTO disciplines.
At present RAID1C's discipline-specific data structure is shared with that
of the CRYPTO discipline to allow re-use of existing CRYPTO code. A custom
RAID1C data structure would require CRYPTO code to access struct sr_crypto
via a pointer instead of via a member field of struct sr_discipline.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RAID1C discipline encrypts data like the CRYPTO discipline, and accepts
multiple chunks during creation and assembly like the RAID1 discipline.
To deal with failing disks a RAID1C volume may be assembled with a smaller
number of chunks than the volume was created with. The volume will then come
up in degraded state. If the volume is now detached and assembled again with
the correct number of chunks, any re-added chunks will require a rebuild.
Consequently, assembling RAID1C volumes requires careful attention to the
chunks passed via 'bioctl -l'. If a chunk is accidentally omitted from the
command line during volume assembly, then this chunk will need to be rebuilt.
At least one known-good chunk is required in order to assemble the volume.
Like CRYPTO, RAID1C supports passphrase and key-disk authentication.
Key-disk based volumes are assembled automatically if the key disk is present
while the system is booting up.
Unlike CRYPTO and RAID1, there is no boot support for RAID1C yet.
RAID1C largely reuses existing code of RAID1 and CRYPTO disciplines.
At present RAID1C's discipline-specific data structure is shared with that
of the CRYPTO discipline to allow re-use of existing CRYPTO code. A custom
RAID1C data structure would require CRYPTO code to access struct sr_crypto
via a pointer instead of via a member field of struct sr_discipline.
ok jsing@
|
| |
|
|
|
| |
We did not reach a consensus about using SMR to unlock single_thread_set()
so there's no point in keeping this change.
|
| |
|
|
| |
Improve debugging of filters and print operator names in debug output.
|
| |
|
|
| |
and rpkiNotify SIA.
|
| |
|
|
|
|
| |
Make sure that the caRepository matches the start of the URI of rpkiManifest.
The MFT must be a file inside the caRepository.
OK tb@
|
| |
|
|
|
|
|
| |
the initial falloc() calls and then regrab it for the fdinsert() or
fdremove() calls respectiviely. Also move closef() outside of the lock.
This replaces the previously reverted lock order change that was reverted.
OK mvs@ visa@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the SCHED_LOCK().
Putting a thread on a sleep queue is reduce to the following:
sleep_setup();
/* check condition or release lock */
sleep_finish();
Previous version ok cheloha@, jmatthew@, ok claudio@
|
| |
|
|
| |
another gentle reminder by bluhm@ who pointed out i missed some
|
| |
|
|
| |
gentle reminded by bluhm@
|
| |
|
|
|
|
|
|
| |
The mess that is ssl_get_algorithm2() only exists to upgrade the handshake
MAC of a pre-TLSv1.2 cipher suite to SHA256 when used with TLSv1.2. We can
readily do this in ssl_get_handshake_evp_md(), which is far more readable.
ok tb@
|
| |
|
|
|
|
|
|
| |
For some reason various TLSv1.2 cipher suites were added with the default
handshake MAC and PRF, rather than the SHA256 handshake MAC and PRF. This
gets patched up in ssl3_get_algorithm2(), hence goes unnoticed.
ok tb@
|
| |
|
|
|
|
|
| |
Also check for explicit version numbers, rather than just the major version
value.
ok tb@
|
| |
|
|
| |
This allows us to drop the server messages that we intend on dropping.
|
| |
|
|
|
|
|
|
|
| |
provided nameservers, i.e. the stub resolver check succeeded.
Previously we would only probe DNS64 on network change but would not
reschedule when it failed. Sometimes (most of the time?) this failes
because our address is still tentative or a default route has
not yet been installed.
OK phessler
|
| | |
|
| | |
|
| |
|
|
| |
ok patrick@
|
| |
|
|
| |
pledge(2) permissions are required
|
| |
|
|
|
|
|
|
|
|
| |
Common variables will be flagged as errors by default. This can
be overridden with -fcommon.
Cherry-pick this change that will be part of LLVM11. We bring it
forward so we can finish fixing the fallout in the ports tree.
ok deraadt@ sthen@ mglocker@
|
| | |
|
| |
|
|
|
|
| |
ugly and the underlying problem (dhclient and unwind playing well
together) should be solved differently.
Final straw was jca reporting that it breaks his setup.
|
| |
|
|
|
|
|
|
| |
offloading. The checksum must be calculated in software. Use the
same condition in ether_resolve() to send the broadcast packet back
to the stack and in in_ifcap_cksum() to force software checksumming.
This fixes regress/sys/kern/sosplice/loop.
OK procter@
|
| |
|
|
| |
in man page.
|
| | |
|
claudio
deraadt
jcs
nicm
patrick
jmatthew
sthen
naddy
jmc
stsp
jan
jsing
tobhe
bluhm
mpi
dlg
florian
mestre
visa