userland can request that network packets that are read from or
written to the device special file get prepended with a "tun_hdr"
struct. this struct contains bits which say what offloads are
requested for the packet, including things like ip/tcp/udp/icmp
checksums, tcp segmentation offloads, or ethernet vlan tags.
userland can write a packet with any of these offloads requested
into the kernel at any time, but has to request which ones it's
able to handle coming from the kernel. enabling the tun_hdr struct
and which offloads userland can handle is done with a new TUNSCAP
ioctl.
this is based on the virtio_net_hdr in linux, which jan@ actually
implemented and had working with vmd. however, claudio@ and i
strongly opposed to what feels like a layer violation by pulling
virtio structures into the tun driver, and then trying to emulate
virtio/linux semantics in our network stack, and playing catch up
when the "upstream" projects decide to change the shape or meaning
of these bits. tun_hdr is specific to the openbsd network stack and
its semantics, which simplifies our kernel implementation. jan has
been pretty gracious about the extra work on the vmd side of things.
tested by and ok jan@
ok claudio@
|
|
"A return statement with an expression shall not appear in a function
whose return type is void."
ok deraadt miod
|
|
punt. A single res_query() call can return immediately (e.g. success
or the nameservers are unreachable), or take quite some time,
depending on how many nameservers are configured. So measure the
actual time it takes and decide what to do based on that.
Early version from beck@; ok claudio@ deraadt@
|
|
ok stu deraadt
|
|
ok and tweaks from claudio@ and jmc@
|
|
Binary change in main.o and tal.o due to an assertion change and in spl.o
due to line number changes
looks good to claudio, ok clang + sha256
|
|
A certificate must have a subject, so X509_get_subject_name() cannot
return NULL on a correctly parsed certificate, even if the subject is
empty (which is allowed). So if X509_get_subject_name() returns NULL,
error instead of silently ignoring it in tls_check_common_name().
This is currently no issue. Where it matters, the match against the
common name will fail later, so we fail closed anyway.
ok jsing
|
|
offsets for RGB formats explicitly.
From Paul Fertser
ok patrick@ miod@ kettenis@
|
|
by u-boot.
From Paul Fertser
ok patrick@ miod@ kettenis@
|
|
Relevant for OpenBSD are security fix #915, other changes #905 #902
#904 #317 #918 #914. Major library bump is necessary as new error
constant has been added to a public header file. CVE-2024-50602
OK matthieu@ tb@ deraadt@
|
|
and purge the superseded information from the algorithm-independent
page EVP_PKEY_new(3).
|
|
stand a chance of using the API correctly.
Admittedly, having so much text below EXAMPLES is somewhat unusual.
While all that information is required to use the function correctly,
strictly speaking, it is not part of the specification of what
EVP_PKEY_new_CMAC_key(3) does, so it wouldn't really belong
in the DESCRIPTION.
Now, designing an API function in such a way that using it correctly
requires lots of information about *other* functions and such that
all that additional information does not belong into the manual pages
of those other functions (both because that would cause distractions
in various other manual pages and because it would scatter required
information around lots of different pages) is certainly not stellar
API design. But we can't help that because these APIs were all
originally designed by OpenSSL.
Significant feedback and OK tb@.
|
|
spotted by jsing
|
|
These functions are no longer shared between multiple files, so they can
be static in ecp_methods.c and the long list of prototypes can go away.
|
|
While not the greatest of names, ecp_methods.c is better than ecp_smpl.c.
It matches the naming ecx_methods.c and in a subsequent commit it will
become the new home of the stuff in ecp_mont.c as well.
discussed with jsing
|
|
Having a single letter to distinguish a length from a pointer is error
prone. This results in binary change only in validate.c and cert.c due
to a line wrap resulting in line number changes and in cert.c there's in
addition two asserts that change.
checked with/ok job
|
|
ok miod@
|
|
this should let people specify interface and queue bandwidths greater
than ~4Gbit.
this changes the pf ioctls used to specify queues, so if you want
to try this you'll need a new kernel, new headers, and a new pfctl
(and systat). or upgrade using a snapshot. the effort and benefit
of providing compat isn't worth it.
putting it in now so people can kick it around.
|
|
It is impossible to use EVP_DigestInit_ex(3) for CMAC.
Besides, EVP_PKEY_CTX_new_id(3) does not produce an EVP_MD_CTX object.
Instead, mention the easiest way to actually get the job done
using EVP_PKEY_new_CMAC_key(3) and EVP_DigestSignInit(3).
OK tb@
|
|
This is meaningless in dhcpleased(8) and *not* needed to receive
leases for an interface. In fact dhcpleased(8) works just fine without
any configuration file at all.
man page diff & OK kn
|
|
preserve alignment with other sets;
diff from chohag at jtan com, but i chose to indent by first column
rather than second;
|
|
The check right now is in the wrong spot so fix this.
OK mpi@
|
|
From Srinivasan Shanmugam
10c20d79d59cadfe572480d98cec271a89ffb024 in linux-6.6.y/6.6.60
15c2990e0f0108b9c3752d7072a97d45d4283aea in mainline linux
|
|
ok mlarkin@
|
|
In soo_stat() lock send socket buffer mutex around access to sb_state.
Although not strictly necessary as this is only a single read access,
make clear where parallel variable access happens. As this is not
performance critical, use mutex instead of read once wrapper. This
is also consistent to the receive socket buffer a few lines above.
OK mvs@
|
|
a change mpi@ committed to all architectures in 2015
|