Commit message (Author, Age, Files, Lines)
* Rename f_err into fatal_err. (tb, 2021-02-20, 7 files, -183/+183)
  discussed with jsing
* Rename the truncated label into decode_err. This describes its purpose (tb, 2021-02-20, 2 files, -73/+73)
  better and doesn't look odd if there's trailing data for example. Indent a few labels in the neighborhood while there. ok jsing
* zap unnecessary .Pp; (jmc, 2021-02-20, 1 file, -4/+2)
* Revise regress to match change in SSL{_CTX,}_get_{min,max}_proto_version(). (jsing, 2021-02-20, 1 file, -34/+45)
* Return a min/max version of zero if set to zero. (jsing, 2021-02-20, 3 files, -17/+41)
  OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero if the minimum or maximum has been set to zero (which means the minimum or maximum version supported by the method). Previously we returned the minimum or maximum version supported by the method, instead of zero. Match OpenSSL's behaviour by using shadow variables. Discussed with tb@
* Add DTLSv1.2 methods. (jsing, 2021-02-20, 2 files, -3/+159)
  These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL. ok tb@
* Handle DTLS1_2_VERSION in various places. (jsing, 2021-02-20, 3 files, -6/+9)
  ok tb@
* Revise HelloVerifyRequest handling for DTLSv1.2. (jsing, 2021-02-20, 2 files, -4/+14)
  Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always contain DTLSv1.0 - ensure this is the case on the server side, allow both DTLSv1.0 and DTLSv1.2 on the client. ok tb@
* Group HelloVerifyRequest decoding and add missing check for trailing data. (jsing, 2021-02-20, 1 file, -4/+5)
  ok tb@
* Add various public DTLS related defines. (jsing, 2021-02-20, 2 files, -2/+14)
  These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL. ok tb@
* Clean up/simplify dtls1_get_cipher(). (jsing, 2021-02-20, 1 file, -7/+8)
  ok tb@
* move from calling l3 protocol input handlers to using if_vinput. (dlg, 2021-02-20, 2 files, -40/+14)
  if_vinput requires mpsafe interface counters, so add those in. this factors out some more code between drivers. monitor mode will work on these interfaces now too.
* move gre and mgre from calling l3 input handlers to using if_vinput. (dlg, 2021-02-20, 1 file, -46/+11)
  using if_vinput factors out a lot of repeated code between tunnel drivers, and it means monitor mode works on gre and mgre now too. make the l2 gre interfaces do some things in the same order while here.
* move gif from calling l3 protocol input handlers to using if_vinput. (dlg, 2021-02-20, 1 file, -25/+5)
  if_vinput requires mpsafe interface counters, so gif is a bit more mpsafe now than it was before. using if_vinput means monitor mode works on gif now too.
* add p2p_input, like ether_input but for l3 tunnel interfaces. (dlg, 2021-02-20, 2 files, -2/+44)
  the l3 protocol input to push the packet is based on a value in m->m_pkthdr.ph_family, which tunnel drivers should set before calling if_vinput. add p2p_bpf_mtap to call bpf_mtap_af also using m->m_pkthdr.ph_family.
* let tun use bpf_mtap for handling input packets. (dlg, 2021-02-20, 1 file, -1/+4)
  tun (not tap) input packets are written from userland in the same format that its bpf dlt is expecting, so we can push the packet straight into bpf with bpf_mtap. this is more correct than using bpf_mtap_ether for tun.
* default interfaces to bpf_mtap_ether for their if_bpf_mtap handler. (dlg, 2021-02-20, 2 files, -4/+8)
  call (*ifp->if_bpf_mtap) instead of bpf_mtap_ether in ifiq_input and if_vinput.
* give interfaces an if_bpf_mtap handler. (dlg, 2021-02-20, 1 file, -1/+2)
  the network stack is now responsible for calling bpf for packets that the interface receives, and we so far got away with using bpf_mtap_ether for everything. this doesn't work if layer 3 input goes through the same functions, so letting drivers specify the appropriate bpf mtap function means they will be able to cope.
* sync (sthen, 2021-02-20, 1 file, -1/+1)
* Recommit upstream alignment fix plus libperl version bump (afresh1, 2021-02-20, 4 files, -25/+41)
  This reapplies commit e0lLUzj1XNW7pJMh and moves libperl to 21.0
  The ABI change appears to be fine after XS modules are rebuilt.
  OK sthen@
* document the monitor flag. (dlg, 2021-02-20, 1 file, -2/+8)
  reminded by benno@
* add support for handling the interface monitor flag (dlg, 2021-02-20, 1 file, -2/+4)
  ok benno@
* add a MONITOR flag to ifaces to say they're only used for watching packets. (dlg, 2021-02-20, 3 files, -8/+12)
  an example use of this is when you have a span port on a switch and you want to be able to see the packets coming out of it with tcpdump, but do not want these packets to enter the network stack for processing. this is particularly important if the span port is pushing a copy of any packets related to the machine doing the monitoring as it will confuse pf states and the stack. ok benno@
* Fail on duplicate nonce payload. (tobhe, 2021-02-19, 1 file, -2/+5)
  ok patrick@
* Add 't' to options in man page. ok jmc@ kn@ (lum, 2021-02-19, 1 file, -3/+6)
* Append .html suffix to temporary files enabling browsers to recognise it (kn, 2021-02-19, 3 files, -8/+10)
  Occasionally one might read a manual page in a webbrowser, e.g. "MANPAGER=firefox man -T html jq", however temporary files created for pagers lack file extensions and most web browsers are unable to detect a file's content without it. Special case mandoc(1)'s HTML output format by appending the ".html" suffix to file names such that browsers will actually render HTML as such instead of showing it as plain text. Input schwarze
* Put duplicated code calculating backoff interval and packet 'secs' (krw, 2021-02-19, 1 file, -115/+91)
  into new set_interval()/set_secs() functions. send_request() and send_discover() become much easier to understand. No intentional functional change.
* Missed poll -> ppoll in log_warn() verbiage. (krw, 2021-02-19, 1 file, -2/+2)
* Convert reallocarray + memset to recallocarray. (tb, 2021-02-19, 3 files, -12/+10)
  ok claudio
* Add the same ASCII check to the URI in TAL files as we do for URI in .cer files (claudio, 2021-02-19, 1 file, -1/+9)
  OK tb@
* Check return value of chdir() to stop a silly warning with some (nicm, 2021-02-19, 2 files, -10/+10)
  compilers, GitHub issue 2573.
* Move the mkpath() call from the rsync path to the main process. This allows (claudio, 2021-02-19, 4 files, -25/+30)
  to drop cpath from the rsync proc pledge (down to "stdio proc exec"). This will also make work easier with the upcoming http fetcher. OK tb@
* Add an EXAMPLES section (solene, 2021-02-19, 1 file, -2/+26)
  rewording by jmc@ ok jmc@
* we don't need to wrap some short lines. (dlg, 2021-02-19, 1 file, -5/+3)
* check the state for PF_ROUTE when undeferring a packet, not the rule. (dlg, 2021-02-19, 1 file, -2/+2)
* Save one allocation by passing msg_nonce ownership instead of using (tobhe, 2021-02-18, 1 file, -10/+10)
  ibuf_dup(). ok patrick@
* Remove redundant ibuf_release. msg_ke is always NULL because of the (tobhe, 2021-02-18, 1 file, -2/+1)
  duplicate check above.
* Pass ownership instead of duplicating ibuf msg_ke. (tobhe, 2021-02-18, 1 file, -12/+5)
  ok patrick@
* Pull in fix for EVP_CipherUpdate() overflow from OpenSSL. (tb, 2021-02-18, 1 file, -1/+23)
  ok inoguchi
  commit 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
  Author: Matt Caswell <matt@openssl.org>
  Date: Tue Feb 2 17:17:23 2021 +0000
  Don't overflow the output length in EVP_CipherUpdate calls
  CVE-2021-23840
  Reviewed-by: Paul Dale <pauli@openssl.org>
* Make kernel ld.script similar to octeon's on loongson and sgi. (visa, 2021-02-18, 2 files, -14/+74)
* Use X509_get_ext_d2i() also for x509_get_aki() and x509_get_ski(). (claudio, 2021-02-18, 4 files, -136/+153)
  Now x509_get_extensions() is no longer required to loop over all extensions and the code becomes a lot simpler. While there cleanup x509_get_crl(), as explained by tb@ X509_get_ext_d2i() allocates memory so one needs to free the pointer at the end. For x509_crl_get_aki() use X509_CRL_get_ext_d2i() and more or less copy the rest over from x509_get_aki(). Warn if extensions are missing or present when not expected and also check the extensions are marked non-critical as required. OK job@ tb@
* Mention that U-Boot serial speed should be 115200. (visa, 2021-02-18, 1 file, -1/+7)
  Initial diff from Janne Johansson
* Reduce len when moving past spaces in OSC 11 parameter. (nicm, 2021-02-18, 1 file, -2/+4)
* Release mbuf(9) chain with a simple m_freem(9) loop in sorflush(). (mvs, 2021-02-18, 2 files, -8/+8)
  Passing local copy of socket to sbrelease() is too complicated to just free receive buffer. We don't allocate large object on the stack. Also we don't pass unlocked socket to soassertlocked() within sbdrop(). This was not triggered because we lock the whole layer with one lock. Also sorflush() is now private to kern/uipc_socket.c, so its definition was made to be in accordance. ok claudio@ mpi@
* All the code for output handling was moved to output.c some time ago. (claudio, 2021-02-18, 2 files, -29/+29)
  Also move the license that came along with it to output.c.
* Only pick up files matching alphanumeric and underscore characters under (ajacoutot, 2021-02-18, 1 file, -2/+2)
  /etc/rc.d. This prevents issues with editor backup files (foo~) or other bogus files. ok sthen@
* Fix the hostkeys rotation extension documentation (djm, 2021-02-18, 1 file, -1/+2)
  The documentation was lacking the needed want-reply field in the initial global request. https://github.com/openssh/openssh-portable/pull/218 by dbussink
* add rpki-rtr port 323; ok job (deraadt, 2021-02-18, 1 file, -1/+2)
* make names in function prototypes match those in definition (djm, 2021-02-18, 2 files, -4/+4)
  from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate
* unbreak SK_DEBUG builds (djm, 2021-02-18, 1 file, -3/+3)
  from https://github.com/openssh/openssh-portable/pull/225 by ZenithalHourlyRate