| Age | Commit message (Collapse) | Author |
|---|
|
|
|
(BaseState is a "light weight" base class for State, that does the
common stuff like printing out stuff pkg-style, or exec'ing commands
and reporting exit/signal status, but without needing to create an
object--necessarily--or without the extra option handling code.
|
|
A fix for this was previously commited in r1.32, however while this added
a bounds check the logic means we still fall through and perform the
overread. Fix the logic such that we only log the error if the bounds check
fails. While here, flip the test around such that we check for validity then
print (which is more readable and matches earlier code).
ok inoguchi@ tb@
|
|
|
|
The current implementation uses an unsigned long, then switches to BN once
the arc exceeds its size. However, the complexity of BN_bn2dec() is
quadratic in the length of number being converted. This means that OIDs
with excessively large arcs take a lot of computation to convert to text.
While the X.660 specification states that arcs are unbounded, in reality
they are not overly large numbers - 640K^W64 bits ought to be enough for
any arc. Remove BN entirely, switch from unsigned long to uin64_t and fail
if an arc exceeds this size.
Identified via oss-fuzz timeouts - should fix #41028 and #44372.
ok tb@
|
|
An IP address in a name constraint is actually an IP address concatenated
with a netmask, so it is twice as long as usual.
This fixes a third bug introduced in r1.3 and reported by Volker Schlecht
ok jsing
|
|
Fixes a segfault reported by Volker Schlecht.
ok jsing
|
|
a2i_GENERAL_NAME() modifies and returns the out argument that was
passed in unless out == NULL, in which case it returns something
freshly allocated. Thus, in v2i_GENERAL_NAME_ex() we must only free
ret if out == NULL so v2i_NAME_CONSTRAINTS() can free correctly.
Issue reported by Volker Schlecht
ok jsing
|
|
|
|
|
|
|
|
Currently OBJ_obj2nid() with NID_undef returns NID_ccitt - this is due to
doing a lookup on an empty value and having NID_undef conflict with an
uninitialised NID value.
Somewhat based on OpenSSL 0fb99904809.
ok tb@
|
|
|
|
The lookup tables in tr(1) are called "string1" and "string2". This is
misleading:
- They aren't C strings, they are lookup tables.
- The names "string1" and "string2" don't hint at what their contents
actually mean. The meaning of a given table changes with tr(1)'s
operating mode. There are five different modes.
It would be considerably easier to see what is happening at a glance
if the tables were named for their corresponding byte transformation.
So instead of two tables named "string1" and "string2" we'll have
three tables named "delete", "squeeze", and "translate". In addition,
the "string" passed to the setup() function will be called a "table".
With this patch the code in main() is way easier to understand.
Hopefully this makes subsequent patches easier to review.
Thread: https://marc.info/?l=openbsd-tech&m=164355980600901&w=2
No complaints on tech@ after over a week.
|
|
remove a bunch of stuff that's redundant with update-plist(1) in the
update-plist target description, but instead also points at SUBST_VARS
for the default handling of substituted variables by update-plist.
|
|
|
|
From Alf Schlichting
|
|
input jca
OK kmos sthen deraadt kn
|
|
|
|
WITNESS builds broke^W^Wkernels panic on boot as reported by anton and bluhm.
Booting bsd.mp in single-user mode inside VMM shows:
root on sd0a (5f9e458ed30b39ab.a) swap on sd0b dump on sd0b
Enter pathname of shell or RETURN for sh:
witness: lock order reversal:
1st 0xfffffd801f8ce468 vmmaplk (&map->lock)
2nd 0xfffffd801b8162c0 inode (&ip->i_lock)
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 rw_enter_read+0x38
#1 uvmfault_lookup+0x8a
#2 uvm_fault_check+0x32
#3 uvm_fault+0xfb
#4 kpageflttrap+0x12c
#5 kerntrap+0x91
#6 alltraps_kern_meltdown+0x7b
#7 copyout+0x53
#8 ffs_read+0x1f6
#9 VOP_READ+0x41
#10 vn_rdwr+0xa1
#11 vmcmd_map_readvn+0xa0
#12 exec_process_vmcmds+0x88
#13 sys_execve+0x732
#14 start_init+0x26f
#15 proc_trampoline+0x1c
lock order data w1 -> w2 missing
# exit
kernel: protection fault trap, code=0
Stopped at witness_checkorder+0x312: movl 0x10(%r14),%ecx
gkoehler reported faults on poisened addresses on macppc dual G5.
|
|
WITNESS builds broke as reported by anton and bluhm:
root on sd0a (5ec49b3ad23eb2d4.a) swap on sd0b dump on sd0b
kernel: protection fault trap, code=0
Stopped at witness_checkorder+0x4ec: movl 0x10(%r12),%ecx
https://syzkaller.appspot.com/bug?id=be02b290a93c648986c35370a271aad4135a5044
https://syzkaller.appspot.com/text?tag=CrashLog&x=136e9aa4700000
|
|
OK mpi@
|
|
All callers of KNOTE() supply a non-NULL klist argument. Replace the
NULL pointer check with klist emptiness check as a small optimization.
OK mpi@
|
|
OK mpi@
|
|
need to do this can do it a few moments later in a different hook
|
|
At least when not running in the installer.
Suggestions from espie@
Works for me sthen@
fine deraadt@
|
|
Found by the Valgrind tests on github, ok deraadt@
|
|
noticed by kettenis
|
|
sparc64. Use memcpy() to align the data.
found by regress/usr.bin/ctfdump; OK mpi@
|
|
Build, boot and install tested by bluhm@
ok bluhm@
|
|
tomorrow morning
|
|
suggested by millert
|
|
|
|
Create a common x509_convert_seqnum() function to convert the various
ASN1_INTEGERs into hexnumbers and use this for mft and crl handling.
With and OK tb@, also OK job@
|
|
ok aja@
|
|
HIBERNATE that needs to be in MD code.
ok gkoehler
|
|
from jan@; test and OK dlg@
|
|
For this introduce x509_get_time() that converts a ASN1_TIME to time_t.
Also move time2str() to print.c where it makes more sense.
This needs more work but that will happen in tree.
OK tb@
|
|
Build, boot and install tested by bluhm@
ok bluhm@
|
|
If a relay is not explicitly configured to use TLS but the remote
side supports STARTTLS, we will try to use it. However, in this
case we should not verify the cert or CA (which may be self-signed).
This restores the relay behavior before the switch to libtls was made.
There is no change if the relay is explicitly configured to use TLS.
OK eric@
|
|
We're only reading one file here, so unveil(2) is overkill. We can
achieve the same effect with just pledge(2):
- Start with an initial pledge(2) of "stdio rpath" at the top of main().
We know we need to read a file at this point but don't yet know which
one.
- Drop the pledge(2) down to "stdio" after we open(2) and fstat(2) the
chosen file.
- Dropping "rpath" obviates unveil(2).
Thread: https://marc.info/?l=openbsd-tech&m=164437072017248&w=2
ok millert@
|
|
13.0.0 produces thousands of -Wcompound-token-split-by-macro warnings
wir older ppport.h header files. They are especially frequent in
the ports tree. After this update we can use perl -MDevel::PPPort
-e'Devel::PPPort::WriteFile' to regenerate the ppport.h files. Then
we have a version that is recent enough to build all ports and does
not spit out tons of warnings.
discussed with espie@ sthen@; OK afresh1@
|
|
|
|
anytime a class is looked up, the /etc/login.conf.d/${class} file will be
checked first for a matching class definition; this will allow us to easily
add custom login classes from packages
ok millert@
|
|
than zero free inodes. btrfs always reports zero inodes, so on linux
distros like fedora, users will always see the not enough space warning,
which it is a bit ugly.
fine with claudio
|
|
OK sthen@
|
|
Timing is good deraadt@, OK sthen@
|
|
looking good sthen@, Great! bluhm@
|
|
ok claudio
|
|
If it was set, this would leak 30 bytes.
ok claudio
|
