Age | Commit message | Author |
|
in x509_vpm.c r1.39.
|
|
Without this, hostflags set on the SSL_CTX would not propagate to newly
created SSL. This is surprising behavior that was changed in OpenSSL 1.1
by Christian Heimes after the issue was flagged by Quentin Pradet:
https://bugs.python.org/issue43522
This is a version of the fix that landed in OpenSSL.
There used to be a workaround in place in urllib3, but that was removed at
some point. We haven't fixed this earlier since it wasn't reported. It only
showed up after recent fallout of extraordinarily strict library checking
in urllib3 coming from their own interpretation of the implications of
PEP 644.
ok jsing
|
|
This is currently an expected failure that will be fixed shortly.
|
|
This will be needed for the ssl_verify_param test
|
|
This is needed for an upcoming regress test that needs to access the
hostflag. This is public API in OpenSSL but since nothing seems to be
using this, this accessor will be kept internal-only for the time being.
ok jsing
|
|
Some com@acpi devices will fail the comprobe1() check which can lead to
hang or reboot of the machine.
Input from deraadt@ kettenis@
OK miod@
|
|
|
|
This subsystem typically provides an interface for clocks and regulators
not controlled via RPMH. We will use it to switch the load state of the
ADSP co-processor. Surprisingly, or maybe not, the interface uses ASCII
text that kind of looks like JSON.
ok kettenis@
|
|
OK tobhe@ tb@ kn@
|
|
get_cpt() simply set a partition's p_fragblock/p_cpg to default
values. Replace them with a single function set_fragblock().
No functional change.
|
|
OK kn@ tb@
|
|
More cleanup will follow.
OK tobhe@
|
|
ibuf_open() will return an error in this case while ibuf_dynamic() accepts
a 0 len argument and just initializes the buffer and length to zero.
A later ibuf_realloc() call will take care of allocating the buffer.
Additionally switch from malloc() to calloc() when allocating the buffer;
this way the buffer is initialized, and in ibuf_reserve() an additional
memset() is used to make sure that the reserved data is zeroed.
OK tb@
|
|
Instead of adding a NUL termination to OBJ_obj2txt(), move the aobj == NULL
or aobj->data == NULL checks to i2t_ASN1_OBJECT_internal(). The only other
caller, i2t_ASN1_OBJECT(), fails on aobj == NULL and aobj->length == 0, and
the latter condition is implied by aobj->data.
Cleaner solution for obj_dat.c r1.52
suggested by/ok jsing
|
|
|
|
|
|
OBJ_obj2txt() is often called without error checking and is used for
reporting unexpected or malformed objects. As such, we should ensure
buf is a string even on failure. This had long been the case before it
was lost in a recent rewrite. If obj and obj->data are both non-NULL
this is already taken care of by i2t_ASN1_OBJECT_internal(), so many
callers were still safe.
ok miod
|
|
|
|
default on OpenBSD this will give us IBT support by default. Fixes
indirect function calls for functions in shared libraries.
This doesn't fix retpoline+znow PLTs yet; a fix for that will follow.
ok miod@, guenther@
|
|
result in a malloc(0) call which is no bueno. Use ibuf_open(1) instead.
OK miod@
|
|
With tweaks from patrick@ and bluhm@.
OK bluhm@
|
|
|
|
The former is broken by design and should not be used. The latter allows
for unambiguous error checking. Add a few casts to print uint64_t without
the PRIu64 monstrosity.
ok claudio
|
|
Instead of decoding an ASN1_INTEGER by hand because ASN1_INTEGER_get()
is broken by design and would report an error on LP32 architectures for
the reserved ASid UINT32_MAX, we can simplify this ugliness and use the
ASN1_INTEGER_get_uint64() API, available since LibreSSL 3.6.
ok claudio
|
|
It takes just one, the disk; the second snuck from earlier development into
the initial r1.1231 commit.
|
|
ok hackroom
tested by plenty
|
|
|
|
When sending TCP packets with software TSO to the local address of
a physical interface, the TCP checksum was miscalculated. As the
small MSS is taken from the physical interface, but the large MTU
of the loopback interface is used, large TSO packets are generated,
but sent directly to the loopback interface. There we need the
regular pseudo header checksum and not the modified without packet
length.
To avoid this confusion, use the same decision for checksum generation
in in_proto_cksum_out() as for using hardware TSO in tcp_if_output_tso().
bug reported and tested by robert@ bket@ Hrvoje Popovski
OK claudio@ jan@
|
|
Now that rpki-client no longer uses LibreSSL-specific ASN1_time_* API,
we can get rid of some of the gross hacks needed for testing against
OpenSSL in regress. This simplifies things greatly.
Unfortunately, the unistd.h hack needs to stay until someone unearths
their STACK_OF compat diffs.
|
|
Second step of moving away from ASN1_time_parse(). Being an OpenSSL API,
ASN1_TIME_to_tm() supports a variety of things. In this specific case we
don't really want it to parse anything but a GeneralizedTime expressed in
Zulu time. Unfortunately, OpenSSL makes this annoying. So punt on this and
only do checks for the correct type and length. LibreSSL only accepts Zulu
time, so there is no change of behavior.
ok claudio job
|
|
Instead of using the LibreSSL-specific ASN1_time_parse(), we can use
OpenSSL's ASN1_TIME_to_tm() which LibreSSL provides since 3.6.0. The
latter has a few API quirks such as silently falling back to being a
timegm() replacement if called with a NULL ASN1_TIME. We don't want
that, so just return an error instead.
rpki-client portable now needs LibreSSL >= 3.6. This is a small price
to pay for rather significant simplifications in regress and portable
(which will be possible after the next commit).
Also adjust a couple of error strings.
ok claudio job
|
|
We convert these struct tm into time_t in the next few lines, so we can
simply use > instead.
ok claudio job
|
|
Input by sthen@
OK miod@
|
|
ok bluhm@
|
|
OK tobhe@
|
|
|
|
|
|
just until one accepts the TCP connection. In multi server environments,
this makes ypldap more resilient when some servers are misbehaving.
While here, add the server address to log messages relating to connection
errors to make it easier to identify which server is failing.
ok tb@
|
|
they're used in the 32bit-compat support, which we dropped years ago.
Bye bye!
ok deraadt@
|
|
case it ever gets called through a function pointer (with retpoline
disabled)
ok deraadt@
|
|
both CHS and LBA values in the MBR partition.
Restores pre-7.0 initialization of MBR partition start/end, using
slightly less opaque code that retains the slightly different
initialization required by GPT protective MBRs.
Fixes booting from disks >8G on systems where the BIOS uses CHS.
Encountered by Paul de Weerd on his Alix.2 using BIOS 0.99.
Much diagnosis and testing by Paul of various iterations. Thanks!
|
|
|
|
|
|
accordingly, load it "just in time" in State.
Most calls get simplified, and we can save more state for later.
|
|
export part, and be explicit about how we call code refs.
|
|
instead of defined/undefined, so that the code sub is called with
the right number of parameters.
|
|
and not hw_battery_setchargestart.
OK kettenis@
|
|
|
|
|
|
|