| Age | Commit message (Collapse) | Author |
|---|
|
|
|
"Reads better indeed" otto
|
|
OK millert
|
|
handling. Code from mount_msdos (which got it from chmod/chown).
ok tb@ deraadt@
|
|
opendev(3) takes a const char * (since 2012, thanks tb),
just what getinfo() provides.
No amd64 object change.
OK millert tb
|
|
Check for numeric levels before checking for single-character ones
("c" and "C") such that a) invalid synopsis (no "-l") is detected as such
# bioctl -c 10 vnd0 softraid0
bioctl: Invalid RAID level
# ./obj/bioctl -c 10 vnd0 softraid0
usage: bioctl ...
and b) ten is correctly treated as valid but unsupported level:
# bioctl -c 10 -l vnd0a softraid0
bioctl: Invalid RAID level
# ./obj/bioctl -c 10 -l vnd0a softraid0
bioctl: unsupported RAID level
Uppercase the abbreviation while here.
Feedback OK tb
|
|
when comparing section headers. For example, ".Sh SEE ELSEWHERE"
and ".Sh SEE Em ALSO" were considered instances of a SEE ALSO
section. In groff-current, exact matches with no sub-macros are
required. Adjust mandoc behaviour.
While here, also fix a very minor mandoc bug, even though no
detrimental effect of the bug on formatting is known. While using
sub-macros in the .Sh HEAD is bad style, the parsers accept it, so
setting the section attribute on the HEAD needs to act recursively.
|
|
The resources delegated in the RFC 3779 extensions of the EE cert for
ROAs or RSCs can be a subset of the resources in the auth chain. So far
we compared that the resources of ROAs and RSCs are covered by the auth
chain, which is not entirely correct. Extract the necessary data from
the EE cert into rpki-client's own data structures, then verify that
the EE cert's resources cover the ones claimed in the ROA or RSC.
Do this as part or ROA and RSC parsing, that the EE cert's resources are
covered by the auth chain is checked in valid_x509() later on.
All this is a bit more annoying and intrusive than it should be...
ok claudio job
|
|
In knexthop_true_nexthop() connected routes need to be handled specially.
If a nexthop is directly reachable the gateway needs to remain the same.
There is no nexthop set for F_CONNECTED kroutes. A very similar trick
is used in rde_rib.c::nexthop_update() but was forgotten here.
Regression noticed by Daniel Jakots (danj at chown.me).
OK tb@
|
|
Platform-dependent preparation of the filesystem required by the boot loader
only ever creates a new fileystem without instaling using any bootstrap files.
To reflect reality, turn
# installboot -nvp vnd0
Using / as root
would install bootstrap on /dev/rvnd0c
using first-stage /usr/mdec/biosboot, second-stage /usr/mdec/boot
would newfs 545c9bdf92aa18f9.i
into
# ./obj/installboot -nvp vnd0
would newfs 4db2c0e89e0d3268.i
and error out if -p is combined with -r or stages:
$ man -hl./installboot.8
installboot [-nv] [-r root] disk [stage1 [stage2]]
installboot [-nv] -p disk
Feedback OK millert
|
|
Feedback OK jmc
|
|
to fall back only if necessary. Avoids PIN prompts for FIDO tokens
that don't require them; part of GHPR#302
|
|
(introduced in r1.40)
|
|
Prevent race reported some months ago.
ok mlarkin@, jsg@, kn@
|
|
|
|
and prevent a one-byte buffer overflow. Patch from Qualys, ok djm@
|
|
rather than relying on ypbind to do it, which also means you don't need
portmap running. In this mode, ypldap binds its rpc sockets to loopback,
so YP services are only available to the host it's running on. The
previous behaviour, now called portmap bind mode, is still the default.
encouragement from deraadt@ and dlg@
|
|
|
|
In bio.h r1.54, the signature of BIO_callback_ctrl() was changed from
bio_info_cb to BIO_info_cb. Adjust manual to reflect this change.
At the moment, bio_info_cb and BIO_info_cb are still distinct types with
our BIO_info_cb matching OpenSSL's definition. Historically, bio_info_cb
had a different type, but that leads to issues with casting function
pointers. The ecosystem has moved on to embrace the new type and several
ports confuse the two types because OpenSSL decided to "solve" the issues
with "typedef BIO_info_cb bio_info_cb; /* backward compatibilty */". We
will align with this in the next bump.
ok jsing
|
|
since krm is only set for IPv4 routes but not for IPv6 ones.
OK tb@
|
|
While each attribute must contain at least one extension, it is not
required that a CSR have attributes at all. Instead of signalling an
error by returning NULL if no extensions are found, return an empty
stack of extensions.
Via OpenSSL 1f02ca2d
ok jsing
|
|
OK tb@
|
|
ok daniel@ mlarkin@
|
|
one from kr_state and removing this argument helps portability.
OK tb@
|
|
|
|
glkclk disabled keep correct values of those. NFC
|
|
From Maxime Ripard
f2725951579701420879c29e87043e77537ac0c6 in linux 5.15.y/5.15.61
d4ae66f10c8b9959dce1766d9a87070e567236eb in mainline linux
|
|
From Imre Deak
4a54c13786c5a596b4e072b36e245029e11a565c in linux 5.15.y/5.15.61
7a710a8bc909313951eb9252d8419924c771d7c2 in mainline linux
|
|
From Maxime Ripard
ed486d15084f7429298ca4c577e5647a3fdca934 in linux 5.15.y/5.15.61
87ea95808d53e56b03e620e8f8f3add48899a88d in mainline linux
|
|
|
|
From Alexey Kodanev
deb603c5928e546609c0d5798e231d0205748943 in linux 5.15.y/5.15.61
136f614931a2bb73616b292cf542da3a18daefd5 in mainline linux
|
|
From xinhui pan
e45491556e2ae96d02eb4ccf18a5cc6ff2d30edc in linux 5.15.y/5.15.61
e1aadbab445b06e072013a1365fd0cf2aa25e843 in mainline linux
|
|
From Alex Deucher
27f8f5219fe4658537ba28fd01657e1062ac3960 in linux 5.15.y/5.15.61
|
|
From Leo Li
eb3c69c7c777d9d3c016568cb062ef02197a5a4e in linux 5.15.y/5.15.61
f5ba14043621f4afdf3ad5f92ee2d8dbebbe4340 in mainline linux
|
|
From Dmitry Osipenko
da2a1aa058acd7eb2cccd9de74df0809cbe4f1f8 in linux 5.15.y/5.15.61
2939deac1fa220bc82b89235f146df1d9b52e876 in mainline linux
|
|
This implements SSL_get_shared_{curve,group}() in a bug-compatible
fashion with OpenSSL.
This is your average OpenSSL-style overloaded parameter API where n >= 0
means "return the n-th shared group's NID" (as if anyone possibly ever
cared about the case n > 0) and n == -1 means "return the number of
shared groups". There is also an undocumented case n == -2 for Suite B
profile support which falls back to n == 0 in case Suite B profile
support is disabled, so n == -2 is the same as n == 0 in LibreSSL.
The API also returns 0 for error, which is indistinguishable from a
count of 0 shared groups but coincides with NID_undef. Contrary to claims
in the documentation, the API doesn't actually return -1 for clients,
rather it returns 0.
Obviously this entire exercise is pretty useless, but since somebody
exposed it because they could and someone else used it because they could
we need to provide it.
ok jsing
|
|
|
|
This splits tls1_get_supported_group() into a few helper functions to
be able to count shared groups and to return the n-th shared group since
someone thought it is a great idea to expose that in a single API and
some others thought it is useful to add this info to log noise.
This is all made a bit more complicated thanks to the security level
having its tentacles everywhere and because a user-provided security
callback can influence the list of groups shared by the peers.
ok jsing
|
|
These are wrappers of SSL_ctrl() using the SSL_CTRL_GET_SHARED_GROUP
control. Do not provide SSL_CTRL_GET_SHARED_CURVE since that is only
mentioned in Net::SSLeay docs according to codesearch.debian.net.
ok jsing
|
|
ok jsing
|
|
Refactor ssl_security_supported_group() into a wrapper of a new internal
ssl_security_group() which takes a secop as an argument. This allows
adding ssl_security_shared_group() which will be needed in upcoming
commits.
ok jsing
|
|
|
|
Indicate non-activeness when the device is not ready for reading
or writing. This should make the event filters behave more like
the old poll code.
"makes sense to me" mpi@
|
|
OK tb@ deraadt@
|
|
The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@
|
|
|
|
Adds experimental structured comments in zone1970.tab to clarify
whether Zones like Africa/Abidjan and Europe/Istanbul cross continent
or ocean boundaries.
|
|
OK tb@
|
|
struct.
OK tb@
|
|
|
