Age | Commit message | Author
ok jsing
ok jsing
ok jsing
These are two functions that will help streamline various functions
in the TLSv1.3 code that do not need to know about the internals of this
struct.
input/ok jsing
In tls13_{client,server}_finished_recv() we use verify_data_len, which
makes more sense than hmac_len. Use the same name in
tls13_{client,server}_finished_send(), keeping things consistent between
functions.
ok tb@
The new verifier builds all chains, starting with the shortest possible
path. It also does not currently return partial chains. Both of these
things conflict with auto chain, where we want to build the longest
possible chain (to include all intermediates, and probably the root
unnecessarily), as well as using an incomplete chain when a trusted chain
is not known.
Depending on software configuration, we can end up building a chain
consisting only of a leaf certificate, rather than a longer chain. This
results in auto chain not including intermediates, which is undesirable.
For now, switch auto chain building to use the legacy verifier.
This should resolve the issues encountered by ajacoutot@ with sendmail.
ok tb@
Yet another mostly meaningless error value...
Noted by and ok tb@
When a certificate (namely a root) is specified as both a trusted and
untrusted certificate, the new verifier will find multiple chains - the
first being back to the trusted root certificate and a second via the root
that is untrusted, followed by the trusted root certificate. This situation
can be triggered by a server that (unnecessarily) includes the root
certificate in its certificate list.
While this validates correctly (using the first chain), it means that we
encounter a failure while building the second chain due to the root
certificate already being in the chain. When this occurs we call the verify
callback indicating a bad certificate. Some sensitive software (including
bacula and icinga) treats this single bad chain callback as terminal, even
though we successfully verify the certificate.
Avoid this problem by simply dumping the chain if we encounter a situation
where the certificate is already in the chain and also a trusted root -
we'll have already picked up the trusted root as a shorter path.
Issue with icinga2 initially reported by Theodore Wynnychenko.
Fix tested by sthen@ for both bacula and icinga2.
ok tb@
fix in libcrypto/asn1/a_time_tm.c r1.16.
Suggested by jsing
methods support it. if anyone finds a method which does not work, please
speak up.
addr2sa needs to return NULL. Without this connection establishment fails
because bind is called with a bad sockaddr.
of the VPN address into a sockaddr but it allows to use log_sockaddr for
all cases of log_addr now.
OK florian@
make it easier to reorder. Re-inline int32_MINMAX. ok tobhe@
Less scheduling, lock contention and queues.
Previously, if_netisr() handled the net lock around those calls; now
if_input_process() does it before calling ether_input(), so no need to add
or remove NET_*LOCK() anywhere.
OK mvs claudio
Also change the startup code to use enum bgpd_process to select which
process needs to be run. Makes the code in my opinion easier to understand.
OK denis@
order of the struct members for reviewability.
ok jsing
patch submitted by Ralf Horstmann from ackstorm.de
OK dlg@
"struct pppoe_softc" documents no member being protected by the kernel lock
(alone); further review of the code paths starting from pppoeintr() shows
no sleeping points which must be avoided in the softnet thread.
Everything is fine as is to run without the big lock, so remove it.
Tests sthen
Feedback mpi mvs
OK mvs claudio
the system. While at it, use memcmp in prefixset_cmp() as well for address
checks.
OK florian@
IPv6 scoped addresses will print correctly.
OK tb@ florian@
longer memcopied but assigned. Alignment should not be an issue
as it is __packed.
Part of a larger diff from dlg@; OK dlg@ sashan@
ok ok@ yasuoka@
ok claudio
failed, GitHub issue 2513.
used anywhere.
OK jan@
ok jmatthew@
require more than 768M to build itself.
OK schwarze@, jmc@, deraadt@
Fixes compilation on luna88k.
Feedback millert@
Found by and ok aoyama@
Moreover, this makes default datasize limits consistent mips64-wide.
quintuple negation into one with a simple negation.
From miod, ok millert
certificate file.
These files are not terribly big and they might become helpful if one
re-creates a certificate with additional or removed domains and
wishes to revoke the old cert (this part needs a bit of work to make
it convenient to do).
OK sthen
sockets in one test process.
comments that they will evaluate their arguments multiple times.
From miod, ok millert
than uvm_km_valloc(9).
ok kettenis@
ones only or vice versa is an error rather than a recipe for success.
bug reported and patch provided
by Tilo Stritzky <lfsdc at gmx dot de> on bugs@;
OK martijn@
and build location.
From miod@, OK tb@
For constant strings we don't actually need to use auth_mkvalue(3).
Problem reported by Ross L Richardson.