Commit log (author, date; files changed, lines -/+)
* wrong annotation  [espie, 2021-02-25; 1 file, -2/+2]
* make the timing of FIX_CRLF_FILES explicit  [espie, 2021-02-25; 1 file, -2/+4]
* Add a framework for IOMMUs.  [kettenis, 2021-02-25; 2 files, -2/+108]
  ok patrick@
* document FIX_CRLF_FILES.  [sthen, 2021-02-25; 1 file, -2/+7]
* ftp: prevent double free() in error path  [naddy, 2021-02-25; 1 file, -1/+2]
  Reported by bentley@; ok bentley@ jca@
* Constify cipher API.  [tobhe, 2021-02-25; 2 files, -10/+10]
  ok markus@
* Typofix  [kn, 2021-02-25; 1 file, -3/+3]
* Fix two bugs in the legacy verifier  [tb, 2021-02-25; 1 file, -6/+10]
  To integrate the new X.509 verifier, X509_verify_cert() was refactored. The code building chains in the legacy verifier was split into a separate function. The first bug is that its return value was treated as a Boolean although it wasn't. Second, the return alone is not enough to decide whether to carry on the validation or not. Slightly rearrange things to restore the behavior of the legacy verifier prior to this refactoring.
  Issue found and test case provided by Anton Borowka and jan.
  ok jan jsing
* Update regress to match TLS versions change.  [jsing, 2021-02-25; 1 file, -6/+6]
* Only use TLS versions internally (rather than both TLS and DTLS versions).  [jsing, 2021-02-25; 9 files, -128/+132]
  DTLS protocol version numbers are the 1's complement of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary. Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version).
  ok tb@
* Rename depth to num_untrusted so it identifies what it actually represents.  [jsing, 2021-02-25; 1 file, -6/+6]
  ok tb@
* Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.  [jsing, 2021-02-25; 1 file, -3/+2]
  In x509_verify_ctx_set_xsc_chain(), an ENOMEM case is currently passing the last certificate and depth (which is no longer actually depth) to x509_verify_cert_error(). Given we've hit an ENOMEM situation, neither of these are useful so remove both.
  ok tb@
* - Make use of the fact that we know how the chunks are aligned, and  [otto, 2021-02-25; 2 files, -49/+83]
    write 8 bytes at a time by using a uint64_t pointer. For an allocation a max of 4 such uint64_t's are written spread over the allocation. For pages sized and larger, the first page is junked in such a way.
  - Delayed free of a small chunk checks the corresponding way.
  - Pages ending up in the cache are validated upon unmapping or re-use.
  In snaps for a while
* split off the large module documentations, so that port-modules is less of  [espie, 2021-02-25; 7 files, -573/+791]
  a monster.
  okay sthen@
* Prevent zero size devices from attaching  [jan, 2021-02-25; 1 file, -6/+11]
  This also fixes two NULL ptr derefs in later code path.
  OK patrick@, krw@
* s/PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms/  [djm, 2021-02-25; 5 files, -29/+29]
* we don't have to cast to caddr_t when calling m_copydata anymore.  [dlg, 2021-02-25; 29 files, -118/+108]
  the first cut of this diff was made with coccinelle using this spatch:

    @rule@
    type caddr_t;
    expression m, off, len, cp;
    @@
    -m_copydata(m, off, len, (caddr_t)cp)
    +m_copydata(m, off, len, cp)

  i had to fix its opinionated idea of formatting by hand though, so i'm not sure it was worth it.
  ok deraadt@ bluhm@
* let m_copydata use a void * instead of caddr_t  [dlg, 2021-02-25; 3 files, -8/+9]
  i'm not a fan of having to cast to caddr_t when we have modern inventions like void *s we can take advantage of.
  ok claudio@ mvs@ bluhm@
* enable veb(4), it's time for wider testing.  [dlg, 2021-02-25; 1 file, -1/+2]
  apart from the semantic differences between bridge(4) and veb(4), the only missing bits in veb(4) are the transparent ipsec interception support, and spanning tree.
* Fix SMALL build  [kn, 2021-02-25; 1 file, -0/+8]
  OK deraadt
* add support for hashing 64 and 32 bit numbers in host byte order.  [dlg, 2021-02-24; 1 file, -1/+17]
* sync  [deraadt, 2021-02-24; 2 files, -0/+2]
* Rename pubkeyacceptedkeytypes to pubkeyacceptedalgorithms in test to  [dtucker, 2021-02-24; 1 file, -13/+13]
  match change to config-dump output.
* Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data().  [tobhe, 2021-02-24; 1 file, -3/+3]
  From Moritz Schmitt
  ok patrick@
* build resolvd  [deraadt, 2021-02-24; 1 file, -2/+2]
* More accurately describe the DNS proposal sources and reaction by resolvd.  [deraadt, 2021-02-24; 1 file, -17/+27]
  with jmc
* fairly significant rewrite, including:  [deraadt, 2021-02-24; 1 file, -392/+270]
  - replace poll+kevent with kevent only.
  - lockfile to block starting of 2nd instance.
  - remove state file, and recognize '# resolvd: ' lines as state
  - handle DNS proposal withdraws better
  Still a work in progress.
  tested and looked at by semarie, benno, florian, dlg
* We need to track the pid of the connecting control connection to be  [florian, 2021-02-24; 1 file, -4/+6]
  able to send answers back to the correct client in case two are connecting at the same time. We also need to pass the pid around to the resolver process so that it can hand it back to us.
  Debugged by deraadt and dlg who noticed that answers would always arrive on the first control connection.
  deraadt@ points out that tracking the pid is not the best choice in case one process wants to hold open two connections but at least this brings us in line with all the other privsep daemons with control tools. If we change this we should change it in all daemons.
* Import resolvd(8), a daemon to rewrite resolv.conf.  [florian, 2021-02-24; 3 files, -0/+975]
  prodding deraadt
* Fix comment explaining last_untrusted. This should really be called  [tb, 2021-02-24; 1 file, -2/+2]
  num_untrusted, but unfortunately it's public...
  ok jsing tobhe
* Make the new validator check for EXFLAG_CRITICAL  [tb, 2021-02-24; 1 file, -8/+15]
  As should be obvious from the name and the comment in x509_vfy.h

    int last_untrusted; /* index of last untrusted cert */

  last_untrusted actually counts the number of untrusted certs at the bottom of the chain. Unfortunately, an earlier fix introducing x509_verify_set_xsc_chain() assumed that last_untrusted actually meant the index of the last untrusted cert in the chain, resulting in an off-by-one, which in turn led to x509_vfy_check_chain_extension() skipping the check for the EXFLAG_CRITICAL flag.
  A second bug in x509_verify_set_xsc_chain() assumed that it is always called with a trusted root, which is not necessarily the case anymore.
  Address this with a temporary fix which will have to be revisited once we will allow chains with more than one trusted cert.
  Reported with a test case by tobhe.
  ok jsing tobhe
* Complete deleting ifi->active before calling write_lease_db().  [krw, 2021-02-24; 1 file, -3/+3]
  No functional change but a bit more obvious and shrinks upcoming diff.
* No need to get time() twice. Just use the already  [krw, 2021-02-24; 1 file, -2/+2]
  obtained cur_time to initialize a missing lease->epoch.
* No need to check ifi->active for NULL when looking for duplicate/obsolete  [krw, 2021-02-24; 1 file, -3/+1]
  leases. It can't be NULL, and is unconditionally dereferenced a few lines later anyway.
* Fix annoying typo in a comment.  [krw, 2021-02-24; 1 file, -2/+2]
* Remove incomplete/incorrect connection with autoconf, clearing ground  [krw, 2021-02-24; 4 files, -66/+7]
  for future attempts at making it more IPv6-like.
  ok florian@
* show AF for DNS proposal messages; ok claudio bluhm  [deraadt, 2021-02-24; 1 file, -2/+4]
* kqueue: Revise filterops interface  [visa, 2021-02-24; 2 files, -52/+257]
  Extend kqueue's filterops interface with new callbacks so that it becomes easier to use with fine-grained locking. The new interface delegates the serialization of kn_event access to event sources. Now kqueue uses filterops callbacks to read or write kn_event. This hides event sources' locking patterns from kqueue, and allows clean implementation of atomic read-and-clear for EV_CLEAR, for instance.
  There are so many existing filterops instances that converting all of them in one go is tricky. This patch adds a wrapper mechanism that kqueue uses when the new callbacks are missing.
  The new filterops interface has been influenced by XNU's kqueue.
  OK mpi@ semarie@
* Various fixes from emails Joachim Nilsson sent to tech@ many moons  [lum, 2021-02-24; 1 file, -4/+9]
  ago. Sorry for the delay.
  - Make sure we don't deref NULL ptr in skipwhite()
  - Only deref vendp if not NULL
  - Strings must be at least 2 chars for terminating NUL character
* snprintf() does indeed return an int. From an email Joachim Nilsson  [lum, 2021-02-24; 1 file, -3/+3]
  sent to tech@ many moons ago. Sorry for the delay.
* spelling fix;  [jmc, 2021-02-24; 1 file, -3/+3]
* In sorflush() use m_purge() instead of handrolling it.  [bluhm, 2021-02-24; 1 file, -3/+2]
  no objections mvs@
* white space tweak, no functional change  [dlg, 2021-02-24; 1 file, -2/+2]
* fix stoeplitz_n16 and stoeplitz_h16  [dlg, 2021-02-24; 1 file, -3/+3]
* Enumerate GCI core, which seems to contain the OTP on the Apple M1.  [patrick, 2021-02-24; 2 files, -4/+7]
* Correct client_prefix so it returns 1 if in prefix, not 0.  [nicm, 2021-02-24; 1 file, -3/+3]
* whitespace tweaks, no functional change.  [dlg, 2021-02-24; 1 file, -4/+4]
* fix the length check on arp packets when handling arp filter rules.  [dlg, 2021-02-24; 1 file, -2/+2]
  another bridge feature i'm not convinced people actually use.
  ok jmatthew@ claudio@
* sync  [deraadt, 2021-02-24; 1 file, -1/+0]
* remove unused usbd_get_device_string()  [jsg, 2021-02-24; 1 file, -21/+1]
  ok mpi@