| Age | Commit message (Collapse) | Author |
|---|
|
OK deraadt
|
|
unix/net.{c.h}. We need to sprinkle in a few #includes that net.h
dragged in.
OK deraadt
|
|
into dig sources, lets us get rid of unix/time.{c,h}
OK deraadt
|
|
ok tb@
|
|
the roots for a ctx are only freed in the free function, not in the
clear function, so that a ctx can be re-used with the same roots.
ok tb@
|
|
from miod@
|
|
so we don't need to pop free the roots separately
|
|
|
|
|
|
ok jsing@ tb@
|
|
|
|
openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
version number. Incompatible versions must fail. Check that client
and server have used correct version by grepping in their session
print out.
|
|
|
|
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
|
|
From Martijn Dekker
|
|
One uncommon but useful way of writing shell scripts is to start off by
disabling field/word splitting (IFS='') and pathname expansion/globbing
(set -f), re-enabling either or both only for the commands that need
them, e.g. within a subshell. This helps avoid a lot of snags with field
splitting and globbing if you forget to quote a variable somewhere,
adding to the general robustness of a script. (In fact it eliminates
much of the need to quote variable/parameter expansions, with empty
removal remaining as the only issue.)
Unfortunately OpenBSD ksh (like all pdksh variants except mksh) has a
POSIX compliance bug that is a show stopper for this approach: "$@" does
not generate words (arguments) if IFS is empty. As a result, the
separate command arguments represented by "$@" become a single argument.
So passing on an intact set of positional parameters to a command or
function is impossible with field splitting disabled.
Of course this is illogical: the quoted special parameter "$@" generates
zero or more words, it doesn't split any words, so the contents of IFS
(or lack thereof) should be neither here nor there. It's old ksh88
behaviour copied by the original pdksh, but it violates POSIX and it has
been fixed many years ago in ksh93 and all other POSIX shells.
From Martijn Dekker (who also wrote the above paragraphs) back in 2016.
Thanks to Avi Halachmi for reminding us of the issue.
ok czarkoff deraadt kn
|
|
The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator
This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
|
When BIO returns a failure, it does not always add an error to the error
stack. In the case of the legacy stack, this was generally handled by the
guesswork performed by SSL_get_error(). However, in the case of the new
stack we push an 'unknown' error onto the stack.
Improve this situation by specifically checking errno in the case of a
BIO_read() or BIO_write() failure. If the error stack is empty then push
a SYSerror() with the errno which is preferable to the 'unknown' error
later.
Noted by bluhm@ via syslogd regress.
ok beck@ tb@
|
|
also noticed by semarie@
|
|
READ(16)/WRITE(16) to access the last sectors
Fixes (at least) large 512E (a.k.a. emulated 512-byte sector) devices plugged
into overly helpful USB <-> ATA/ATAPI bridges. Which can tell you they are using
512-byte sector addresses but spontaneously/silently interpret
READ(10)/WRITE(10) commands as using 4K sector addresses/sizes.
Diagnosed and fix tested with James Cook. Thanks!
|
|
doesn't need to be hard coded anymore.
|
|
ok kettenis@
|
|
struct sigacts since that is the only thing that is modified by siginit.
|
|
|
|
with this we can revert the recent coherency workaround in mesa
ok deraadt@ kettenis@
|
|
OK deraadt@
|
|
ok kettenis@ deraadt@
|
|
|
|
tweak from deraadt@
ok martijn@ tb@
|
|
Pretty much all members are under the net lock, some are proctected by
both net and kernel lock, e.g. the start routine is called with
KERNEL_LOCK().
OK mpi
|
|
|
|
|
|
|
|
ok tb@ (who had the same diff) & deraadt@
|
|
|
|
|
|
little step towards moving signal delivery outside of KERNEL_LOCK.
OK mpi@
|
|
Return _ret from TEST_FLOWS to allow known-negative tests.
|
|
OK mpi@
|
|
While here use the standard strtonum error messages.
input & OK beck, OK kn
|
|
|
|
|
|
|
|
|
|
ok kettenis@
|
|
process.
ok kettenis@ as part of a larger diff
|
|
There is no reason to change flags on member interfaces when removing
them, aggr(4) does not pull its members down either.
OK florian bluhm
|
|
garbage to the description column if the server gives us that.
OK jan@
|
|
Please note that dt(4) still need manual enabling in the kernel.
ok deraadt@ sthen@ mpi@
|
|
The curve_id is a uint16, not an int.
ok beck jsing
|
