| Age | Commit message (Collapse) | Author |
|---|
|
the user anyway and close(2) may crash after setuid(2).
Reported-by: syzbot+90e094f33d329fb2c3ab@syzkaller.appspotmail.com
OK deraadt@
|
|
and close flowrings using bwfm_do_async().
Reported by and ok kettenis@
|
|
|
|
If we're given a pointer to an existing stack, free it and allocate a new
one rather than poping and freeing all of the existing entries so we can
reuse it. While here rename some arguments and variables.
ok inoguchi@ tb@
|
|
Remove the existing o2i_SCT_signature() function and rename
o2i_SCT_signature_internal() to replace it.
ok inoguchi@ tb@
|
|
ok bluhm@
|
|
|
|
When a knote uses the dead event filter, the knote's file descriptor is
not supposed to point to an object with pending out-of-band data. Make
the knote inactive so that userspace will not receive a spurious event.
However, kqueue-based poll(2) should still receive HUP notifications.
This lets the system use dead_filtops with less strings attached
relative to the filter type.
|
|
This enables the system deliver POLLHUP when pollfd.events == 0.
|
|
Do not assume event status in the modify and process callbacks. Instead
always run the event filter so that it has a chance to set knote flags.
The filter can also indicate event inactivity.
|
|
'tdb_data' struct became unused and was removed.
Tested by Hrvoje Popovski.
ok bluhm@
|
|
|
|
This device is part of the 9560 chip family. With a small device-specific
quirk we can make iwm(4) attach and provide a working wifi interface.
Problem reported and fix tested by Joao Victor.
|
|
|
|
ok hastings@ (who submitted the original string, based on a datasheet)
|
|
BN_mod_lshift_quick(3), BN_mod_lshift1(3), and BN_mod_lshift1_quick(3)
|
|
Not enabled yet. Pending firmware availability.
ok stsp@ jmatthew@
|
|
Ported from run(4) with legacy chipsets removed.
Not yet enabled in the build.
ok stsp@ jmatthew@
|
|
the actuall attribute needs to removed instead of leaving back an
empty attribute. Empty attributes are not valid and fail later on
in ldap_modify(). By calling ldap_del_attribute() in this case
properly removes the attribute and with that validate_entry() no
longer fails later on.
OK jmatthew@
|
|
LDAP_INVALID_SYNTAX is returned.
OK jmatthew@
|
|
|
|
the number of slots available, and to put packets on the ring until fewer
than DWGE_NTXSEGS slots are left, making dwge_start() and dwge_txeof()
work independently. While here, only write to GMAC_TX_POLL_DEMAND once
per call to dwge_start() rather than once per packet.
Adjust the rx interrupt path to check the number of slots in use and
return slots once per interrupt.
Add interrupt and ifq barriers before taking the interface down.
With all of this done, we can mark dwge(4) mpsafe.
ok dlg@ patrick@
|
|
|
|
running firmware based Apple's RTKit OS. Use this code to bring up the
storage controller that implements Apple's flavour of NVMe.
ok dlg@, patrick@
|
|
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@
|
|
|
|
|
|
|
|
Allow control over which pubkey methods are used. Added out of
concern that some hardware devices may have difficulty signing
the longer pubkey authentication challenges. This provides a
way for them to disable the extension. It's also handy for
testing.
feedback / ok markus@
|
|
feedback / ok markus@
|
|
Require host-bound userauth requests for forwarded SSH connections.
The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.
ok markus@
|
|
Allow parse_userauth_request() to work with blobs from
publickey-hostbound-v00@openssh.com userauth attempts.
Extract hostkey from these blobs.
ok markus@
|
|
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").
ok markus@
|
|
Add kex->flags member to enable the publickey-hostbound-v00@openssh.com
authentication method.
Use the new hostbound method in client if the kex->flags flag was set,
and include the inital KEX hostkey in the userauth request.
Note: nothing in kex.c actually sets the new flag yet
ok markus@
|
|
This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.
feedback / ok markus@
|
|
allow authentication methods to have one additional name beyond their
primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they
were requested via the their primary name or synonym.
ok markus@
|
|
Gives ssh-agent the ability to parse restrict-destination-v00@openssh.com
constraints and to apply them to keys.
Check constraints against the hostkeys recorded for a SocketEntry when
attempting a signature, adding, listing or deleting keys. Note that
the "delete all keys" request will remove constrained keys regardless of
location.
feedback Jann Horn & markus@
ok markus@
|
|
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@
ok markus@
|
|
record session ID/hostkey/forwarding status for each active socket.
Attempt to parse data-to-be-signed at signature request time and extract
session ID from the blob if it is a pubkey userauth request.
ok markus@
|
|
send session ID, hostkey, signature and a flag indicating whether the
agent connection is being forwarded to ssh agent each time a connection
is opened via a new "session-bind@openssh.com" agent extension.
ok markus@
|
|
These will be used later for agent session ID / hostkey binding
ok markus@
|
|
but what i have so far is already better than nothing
|
|
cannot be accommodated. "not enough space" should be enough for
anyone.
Requested by deraadt@
|
|
|
|
|
|
|
|
No functional change.
|
|
|
|
|
|
|
