| Commit message (Collapse) | Author | Files | Lines |
|---|
|
From kristaps@
|
|
From kristaps@
|
|
of trying to be smart and clearing already acknowledged frames which are
still within the firmware's BA window.
This matches what the Linux driver does and makes our driver code simpler.
Also, Tx rate control code relies on sequence numbers falling into the
BA window so let's skip Tx rate control for frames before this window.
Tested by:
myself on 6205 and 6300
afresh1, bluhm, and paco on 6300
jmatthew on 5100
Balder Oddson on 6205
|
|
|
|
|
|
|
|
The CBC code path initializes rrec.padding_length in an indirect fashion
and later makes use of it for copying the MAC. This is confusing some
static analyzers as well as people investigating the whining. Avoid this
confusion and add a bit of robustness by clearing the stack variable up
front.
ok jsing
|
|
|
|
There are currently three different handshake structs that are in use -
the SSL_HANDSHAKE struct (as S3I(s)->hs), the SSL_HANDSHAKE_TLS13 struct
(as S3I(s)->hs_tls13 or ctx->hs in the TLSv1.3 code) and the infamous
'tmp' embedded in SSL3_STATE_INTERNAL (as S3I(s)->tmp)).
This is the first step towards cleaning up the handshake structs so that
shared data is in the SSL_HANDSHAKE struct, with sub-structs for TLSv1.2
and TLSv1.3 specific information. Place SSL_HANDSHAKE_TLS13 inside
SSL_HANDSHAKE and change ctx->hs to refer to the SSL_HANDSHAKE struct
instead of the SSL_HANDSHAKE_TLS13 struct. This allows the TLSv1.3 code
to access the shared handshake data without needing the SSL struct.
ok inoguchi@ tb@
|
|
with "temporary".
|
|
"There is a race between sending/receiving handshake packets. This
occurs if we consume an initiation, then send an initiation prior to
replying to the consumed initiation.
In particular, when consuming an initiation, we don't generate the
index until creating the response (which is incorrect). If we attempt
to create an initiation between these processes, we drop any
outstanding handshake which in this case has index 0 as set when
consuming the initiation.
The fix attached is to generate the index when consuming the initiation
so that any spurious initiation creation can drop a valid index. The
patch also consolidates setting fields on the handshake."
|
|
This makes the TLSv1.2 and TLSv1.3 record layers more consistent and while
it is not currently necessary from a functionality perspective, it makes
for more readable and simpler code.
ok inoguchi@ tb@
|
|
This is currently needed for DTLS1_2_VERSION, however it should be used
here regardless.
|
|
A parent CBB retains a reference to a child CBB until CBB_flush() or
CBB_cleanup() is called. As such, the cert_exts CBB must be at function
scope.
Reported by Ilya Shipitsin.
ok tb@
|
|
ok gnezdo@
|
|
|
|
Since r1.7, input in base64_decoding_test() is allocated unconditionally,
so free it unconditionally.
|
|
deprecates a prefix by sending a pltime of 0, this is normal.
Continue warning when the pltime is smaller than 5 as this is almost
certainly a configuration error.
Found the hard way by & OK otto.
|
|
detection in between them though. Add limitation to characters
allowed in symbol names, equivalent to mg function names (A-Za-z-),
quite restrictive but can grow of course. If value is not quoted and
is not a variable, give an error.
|
|
- use C99-style initialization (grep works better with that)
- use const as execsw is not modified during runtime
ok mpi@
|
|
No functional change.
ok semarie@
|
|
|
|
ok mpi@ kn@
|
|
|
|
Suspend/resume and other power events are NOT YET SUPPORTED.
|
|
line. Next to look at "values" (quotes around values).
Current regress tests pass.
|
|
|
|
Keep "temporary" the default when setting inet6 autoconf but make it
possible to disable the "autoconf" flag but keep "temporary" enabled.
The normal usecase to only have temporary autoconf addresses would be
"inet6 temporary" in hostname.if
OK kn
|
|
Make the interface come up when the IFXF_AUTOCONF6TEMP is set.
OK kn
|
|
Track autoconf and temporary flag individually to be able to support
this.
OK kn
|
|
distrib/special/slaccd is the actual SMALL user but having it build from here
is useful, too; in fact, it showed some more unused variables under SMALL.
OK florian
|
|
|
|
|
|
- move 'fail' label to end of function (instead of using the first
if-condition)
- merge the most simples error code paths idioms from 'cleanup+return'
to 'goto-fail'
ok mpi@
|
|
No functionnal change.
ok kettenis@
|
|
initialise a pty, run the specified file of mg commands and then exit.
This is to facilitate mg fitting into the OpenBSD regress test
framework and be able to run via a cron job.
|
|
This is a test that checks for NSS's CCS flood DoS CVE-2020-25648.
The test script currently fails on LibreSSL and OpenSSL 1.1.1j because
it sends invalid records with version 0x0300 instead of 0x0303.
We have the ccs_seen logic corresponding to NSS's fix:
https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361
but we do allow up to two CCS due to an interop issue with Fizz, so
at least one of the tests will likey be broken once the record version
is fixed.
|
|
this ensures more stuff is copied, in particular the flowid
information. this is also how v6 does it, which makes things more
consistent.
ok bluhm@
|
|
It is over a year old and corresponds to LLVM 8.0.0 after the
"-msvr4-struct-return" ABI change; saves 47M (on amd64).
OK deraadt
|
|
|
|
|
|
This is the same as SSL_CTX_use_certificate_chain_file() but for an
SSL object instead of an SSL_CTX object. remi found this in a recent
librelp update, so we need to provide it. The function will be exposed
in an upcoming library bump.
ok inoguchi on an earlier version, input/ok jsing
|
|
Swap -wgpeerall and wgpeer in synopsis to ease parsing.
"I'm good" - Matt Dunwoodie. "just commit" - jmc
suggestions and ok sthen@
|
|
Found the hard way by lists y42 org via an OCSP validation failure that
in turn caused pkg_add over TLS to fail. Detailed report by sthen.
ok sthen
|
|
it will show just OpenBSD while -portable will show the portable version.
OK sthen@, tb@, kn@
|
|
Using the -t option relative locations can be passed as tal locations
and so the process can not chdir until these files were read.
OK job@
|
|
Diff and (slightly tweaked) text below from
Dave Voutila < dave at sisu dot io >, thanks!
--
Since 6.7 switched to FFS2 as the default filesystem for new installs,
the ability for vmd(8) to load a kernel and boot.conf from a disk image
directly (without SeaBIOS) has been broken.
A diff from tb to add FFS2 support never mdae it into the tree.
On 5th Jan 2021, new ramdisks for amd64 have started shipping gzipped,
breaking the ability to load the bsd.rd directly as a kernel image for a vmd
guest without first uncompressing the image.
Using BIOS works, the FFS2 change happend ten months ago and few if any have
complained about the breakage. vmctl(8) is still vague about supporting it
per its man page and one still has to pass the disk image twice as a "-b"
and "-d" argument to boot an OpenBSD guest *without* BIOS.
Josh Rickmar reported the gzip issue on bugs@ and provided patches to add
support for compressed ramdisks and kernel images. The easiest way to do so
is to drop support for FFS images since they require a call to fmemopen(3)
while all the other logic uses fopen(3)/fdopen(3) calls and a file
descriptor. It is much easier to get thsoe patches merged if they don't
have to account for extracting files from disk images.
--
No objections anyone
"Removing it makes sense" reyk (who wrote the FFS module)
OK mlarkin
|
|
|
|
getifaddrs on every route message.
This also allows us to drop the route pledge since we only need to
fetch the interface state with getifaddrs on startup.
|
|
|
claudio
stsp
lum
espie
tobhe
tb
jsing
florian
sthen
bru
visa
semarie
mpi
jmc
jmatthew
kn
dlg
procter
deraadt