Age | Commit message | Author |
|
around, but with my name instead... which makes absolutely no sense
whatsoever, especially the regents part.
replace with ISC licence, much saner.
(as noticed by miod@, who else ?)
|
|
when more than one is received. The first CERT is always the leaf
certificate, additional payloads can be used to send intermediate certs
which iked can not handle at the moment.
This fixes exchanges where the certificate chain is still valid because
matching intermediate certs are available locally in /etc/iked.
Reported and tested by Loïc Revest <l.revest (at) apc.fr>
ok mbuhl@
|
|
names that have succeeded and skip those on a re-run.
|
|
SA shall be deleted. ni should be set to the minimum nonce for the
exchange initiated by us while nr should be the smaller of the
nonces of the simultaneous exchange initiated by the peer, which
is stored in sa_simulat.
This fixes the ni < nr comparison below and makes sure our Child SA
is only deleted in the correct case as specified in RFC 7296.
Reported by and fix from Sibar Soumi <sibar.soumi (at) achelos.de>
ok mbuhl@
|
|
|
|
issue 3242.
|
|
|
|
|
|
in the SYNOPSIS is not strictly wrong, the conventional way is
to always state the name explicitly in the SYNOPSIS.
With help from Ingo Schwarze
|
|
Pointed out by & OK deraadt
|
|
file to be used is sys/types.h
|
|
|
|
A client is required to send an empty list if it does not have a suitable
certificate - handle this case up front, rather than going through the
normal code path and ending up with an empty certificate list. This matches
what we do in the TLSv1.3 stack and will allow for further clean up (in
addition to making the code more readable).
Also tidy up the CBS code and remove some unnecessary length checks. Use
'cert' and 'certs' for certificates, rather than 'x' and 'sk'.
ok tb@
|
|
Tidy up CBS code and remove some unnecessary length checks. Use 'cert' and
'certs' for certificates, rather than 'x' and 'sk'.
ok tb@
|
|
HTML <main> element. The benefit is that it has the ARIA landmark
role "main" by default. To ease the transition for people using
their own CSS file instead of mandoc.css, retain the custom class
for now.
I had this idea in a discussion with Anna Vyalkova <cyber at sysrq dot in>.
Patch from Anna, slightly tweaked by me.
|
|
From Daniel Ebdrup
|
|
In cases like `sh /etc/netstart pair1 pair2', one of hostname.pair{1,2}
will contain a "patch pair{2,1}" command which expects the other interface
to exist.
If none exist, this would fail and netstart had to be run separately or
"patch"ed interface had to be manually created before.
There are other use cases where interfaces depend on each other, so before
(re)configuring an explicit list of interfaces, create all virtual ones
upfront so that a single netstart invocation will configure everything
correctly without having to reflect dependencies in multiple ordered netstart
invocations.
Copy isin() from install.sub to help.
Feedback OK halex
|
|
Testing caspar, otto
OK otto
|
|
Replace long switch statement duplicating data from nid_list[] with a
linear scan.
requested by and ok jsing
|
|
Instead of a nonsensical NULL check, check nid_list[group_id].{bits,nid}
is not 0. This way we can drop the group_id < 1 check.
ok jsing
|
|
ok tb@
|
|
timeout.c's parse_signal() basically does what kill.c's signame_to_num()
does, except it expects "SIG" in string signals.
Borrow the isalpha() check from kill.c to get the same behaviour.
OK deraadt
|
|
Rather than having yet another (broken) ASN.1 INTEGER content builder and
parser, use {c2i,i2c}_ASN1_INTEGER().
ok beck@
|
|
|
|
for a couple of years, backed by dhcpleased(8), which provides much better
dns handling. The next step is to make the dhclient simply execve
ifconfig in that way, and provide syslog warnings about deprecated options
along the way. This way, we can find the last few dhclient users, and what
they are missing.
ok florian krw
|
|
Consumers should include openssl/objects.h instead.
|
|
The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.
ok beck jsing
|
|
ok florian
|
|
|
|
This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the
caller code easier and more consistent.
Based on a suggestion by jsing
ok jsing
|
|
Spotted by jsing
|
|
Previously for __cpu_simple_lock parts. Now only hppa and m88k use
__cpu_simple_lock (and hppa uses atomic.h for it).
ok miod@ visa@
|
|
Reported-by: syzbot+a648408d6a58fd40b59a@syzkaller.appspotmail.com
by anton@
|
|
and adjust the only caller that didn't check for NID_undef already.
ok beck jsing
|
|
the Yeelong Lemote mips-based netbook. Kernel bits only for now, needs
polishing; most of this work done during h2k9 last month, although the
porting effort started earlier this year.
|
|
Also remove unneeded includes of <sys/poll.h> and <sys/select.h>.
Some addenda from jsg@.
OK miod@ mpi@
|
|
ok tb
|
|
|
|
A long time ago pipex(4) sessions couldn't be deleted until pipex(4) queues
became empty. Such dead sessions stayed linked to the stack and the
session `ip_forward' flag was used to prevent packet processing. But
now a pipex(4) session can be closed just after the close request. This
logic became unnecessary.
PIPEXCSESSION ioctl(2) will be removed from kernel with upcoming diff.
ok yasuoka@
|
|
`so_lock' rwlock(9) instead of global `unp_lock' which locks the whole
layer.
The PCBs of unix(4) sockets are linked to each other and we need to lock
them both. This introduces a lock ordering problem, because when
thread (1) holds the lock on `so1' and is trying to lock `so2', thread (2)
could hold the lock on `so2' and be trying to lock `so1'. To solve this we
always lock sockets in a strict order.
For the sockets which are already accessible from userland, we always
lock the socket with the smallest memory address first. Sometimes we need to
unlock a socket before locking its peer and lock it again.
We use reference counters to prevent destruction of the connected peer
during relock. We also handle the case where the peer socket was
replaced by another socket.
For the newly connected sockets, which are not yet exported to the
userland by accept(2), we always lock the listening socket `head' first.
This allows us to avoid unwanted relock within accept(2) syscall.
ok claudio@
|
|
|
|
|
|
keys/principals file for errno != ENOENT; bz2042 ok dtucker
|
|
list_hostkey_types() that are passed to compat_pkalg_proposal().
Part of github PR#324 from ZoltanFridrich, ok djm@
This is a roll-forward of the previous rollback now that the required
changes in compat.c have been done.
|
|
can free them later. Fix one leak in compat_kex_proposal. Based
on github PR#324 from ZoltanFridrich with some simplifications by me.
ok djm@
|
|
which performs operations that could cause one; Reported by
Noam Lewis via bz3454, ok dtucker@
|
|
about any specific standards
- only use escapes where needed
- SEE ALSO
ok claudio
|
|
Code uses struct sockaddr_storage to have enough space for ROUNDUP() in
all cases. Makes the code mostly nicer.
OK tb@
|
|
. If a direct map exists use it to map single-page allocations
. Use pmap_kenter_pa() instead of pmap_enter() in all other cases.
This speeds up file-based mmap up to 75% when I/O are performed and it
also reduces possible allocation failures in the page daemon making
it more stable in OOM situations.
ok kettenis@, beck@
|
|
The net80211 stack detach routine can trigger more tasks to be scheduled,
e.g. to delete WPA keys. So let's not free the driver's taskq before
net80211 has been detached.
fixed with and ok by mpi@
Crash reported by mlarkin@ who yanked the USB cable to test our fix.
|