| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
No code/functional change
|
|
|
|
|
|
|
|
|
|
|
|
after ikectl reload.
ok patrick@
|
|
|
|
use cases, so explain the situation a bit more. Since the 80's, I estimate
around 5 algorithm changes, so any chosen seed is unrepeatable UB.
+The deterministic sequence algorithm changed a number of times since
+original development, is underspecified, and should not be relied upon to
+remain consistent between platforms and over time.
ok jmc kettenis
|
|
table. Hence we have to grab both the pf lock and the pf state lock.
Found by dlg@
ok bluhm@ sashan@
|
|
to acme-client users.
|
|
-genkey" rather than separately generating parameters and key. Give a
clue that some CAs accept only prime256v1. Show the user where to stop
if they're just generating a private key for acme-client and therefore
don't need to generate a csr or cert manually. Add xr to acme-client(1)
suggest by tb@.
ok jmc tb
|
|
addresses that come from pf cannot be right, so remove the code.
Coverity CID 1501718
OK dlg@ claudio@
|
|
Notably this update removes various old Symantec roots (GeoTrust,
thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021.
Nobody should have been using these for years; only certain subCAs
signed by these were valid in NSS in that time due to an exemption:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
Notably Apple's "Apple IST CA 2 - G1" which is still in use for
some endpoints (it is cross signed by another CA too but these
endpoints are publishing the GeoTrust intermediate cert).
So for now I have skipped removal of "GeoTrust Global CA" to avoid
affecting these sites. Debian ran into this when they updated their
cert database and had to back this part out, affected sites are
not reachable on Android Firefox and maybe other newer Firefoxes.
Some sites that were affected have moved to a different CA in the
last few days but others, notably api.push.apple.com, remain
(I can only guess that there is a complicated problem involved,
possibly cert pinning on old devices - the clock is ticking though
as this expires in May 2022 anyway ;)
Additions:
/C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2
/C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017
/C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority
Removals:
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=TW/O=Government Root Certification Authority
/C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2
/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
|
|
|
|
|
|
This was proposed by Emil Velikov to simplify libdrm and will remove the
need for some patches in ports.
/dev/drm0 -> /dev/dri/card0
/dev/drmR128 -> /dev/dri/renderD128
The previous names will remain for a period of time and will later be
removed. Major and minor numbers remain the same.
libdrm will not be changed to use the new names until known privsep
and sandbox use has been updated to allow the new names.
ok deraadt@
|
|
|
|
|
|
patch from Mike Frysinger
|
|
and remove an unused variable; ok dtucker@
|
|
ok kettenis@
|
|
ok kettenis@
|
|
ok kettenis@
|
|
ok markus@
|
|
|
|
ok bluhm@
|
|
fully initialized because we initialize `if_groups' after linking. It's
not triggered because if_attach() and if_unit(9) are serialized by
kernel lock and `ifp' is often filled by nulls. Move `if_groups'
initialization to if_attach_common() to prevent this.
ok bluhm@ claudio@ deraadt@
|
|
work anyway. Dynamic binaries help building errata, reduce disk
usage and make ROP harder. Also remove an unused bsd.subdir.mk
include.
OK sthen@ mvs@ deraadt@ tobhe@ patrick@
|
|
moved into BSS in the .o, with padding rules following the types -- they
are both char[]. Since P_hash_seed is (system-dependent) not a multiple of 8,
P_hash_state gets layed out misaligned, which sucks because the hash functions
demand 64-bit alignment for both variables. There is the possibility of using
misalignment macros, but this is not cheap. Could also use kernel-trap fault
repair, but the performance would really suck for something so crucial.
The correct fix would be for upstream to declare these types as uint64[],
we have requested that in https://github.com/Perl/perl5/issues/18555
In the meantime, carry a diff to roundup P_hash_seed to 64-bit alignment so that
P_hash_state will land aligned.
ok afresh1
|
|
CID 1501716
ok kevlo@
and mestre@ had the same diff
|
|
On OpenBSD/mips64, the kernel is compiled with -mno-abicalls. This
disables gp-relative addressing and essentially makes gp a spare
register in the kernel. Hence it is unnecessary to initialize gp when
entering the kernel. The _gp symbol is not needed either.
Suggested by miod@
|
|
|
|
function which need the lock (falloc, fdinsert, fdremove). In most cases
it is not correct to hold the lock while calling VFS functions or e.g.
closef since those aquire or release long lived VFS locks.
OK visa@ mvs@
|
|
CID 1501713
ok jmatthew@
|
|
CID 1501705
|
|
Technically the whole point of the stoeplitz API is that it's symmetric,
meaning that the order of addresses and ports doesn't matter and will produce
the same hash value.
Coverity CID 1501717
ok dlg@
|
|
|
|
|
|
more easily.
|
|
|
|
|
|
|
|
|
|
necessary ones. Solves a regression introduced with the arrival of
uhidpp causing some Logitech HID devices from attaching to its
appropriate driver.
Thanks to <naszy at poczta dot fm> and Peter Kane <pwkane at gmail dot com>
for reporting and trying out diffs.
ok mglocker@
|
|
uhidev_set_report_dev(). Needed by some upcoming changes to uhidpp.
ok mglocker@
|
|
report id, there's no point in trying to find a matching sub device.
ok mglocker@
|
|
|
