Age | Commit message | Author
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
|
to work with a buffer that is not a real string.
The wpos is decremented in the wrong spot and would affect both
binary and non-binary checks.
Simplify this code by using strndup.
OK rob@ benno@
|
consistently.
OK benno@
|
"%s". Same for the output of relay_expand_http().
with and ok claudio@
Found by Cedric Tessier, thanks!
|
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls.", initialisation
is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of
it being needed.
Feedback tb
OK Tests mestre
|
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.
ok bluhm@, tb@
|
a Content-Length header). HTTP RFC 7231 section 4.3.2.
found by niklas@, claudio@ agrees.
|
path. These have to be dropped or every subsequent call will cause decrypt
errors. Use a sequence number cookie to keep the systems in sync.
Diff from niklas@ with some minor adjustments by myself.
|
previous attempt at running a check script has finished yet, so we
can avoid building up a backlog of check requests.
ok dlg@ tb@ giovanni@
|
no objection claudio@
ok tb@ jsing@
|
to privsep_procid.
ok mortimer
|
OK tb@
|
daemons. This avoids giving an additional permission (in this case unveil(2)
"c") to the daemon just to be able to delete the socket and we already discussed
in the past that leaving that file behind doesn't cause any problems.
Discussed with deraadt@ rob@ florian@
OK rob@ benno@ deraadt@
|
Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa
OK benno@
|
before accessing anything in ifa_addr.
ok claudio@
|
they might be able to find said metrics.
OK denis@ jmc@
|
OK denis@
|
but better safe than sorry.
OK tb@
|
OK tb@
Enthusiasm from Mischa Peters
|
confirmed by tb@. While there remove the "no" in front of the statement.
text from tb@
|
ok claudio
|
This is no issue, since a pointer is always >= 4 bytes, but incorrect is
incorrect.
Found by tb's static analyzer.
OK beck@
|
Found by the static analyzer from tb@
OK beck@
|
to add new objects easier if so desired and should handle a lot more
corner-cases.
This commit should also fix the following:
- On most (all) tables it omits the *Entry elements, making it not map to
OPENBSD-RELAYD-MIB.txt.
- sstolen returns the size of the sockaddr_in{,6}, instead of the
sin{,6}_addr resulting in garbage data to be put in the ip-field.
- relaydSessionPortIn and relaydSessionPortOut are swapped
- relaydSessions only uses relaydSessionIndex, while
OPENBSD-RELAYD-MIB.txt says it should have 2 indices
- miscellaneous minor things related to the AGENTX-protocol, like wonky
index handling and returning NOSUCHINSTANCE where NOSUCHOBJECT
should be returned, etc.
This commit does remove traps, but it's large enough as is and I intend
on adding it soon(tm). It also deprecates the snmp keyword in favour of
an agentx keyword. The snmp keyword is still available, but will be
removed in the future.
Tweaks and OK denis@ on the relayd parts
Tweaks and OK claudio@ on the agentx parts
"Get it in" deraadt@
|
OK millert@, florian@
|
This allows reading from anywhere in the filesystem (in order to read the
config file and those ones included from it), but also executing, which I
missed from my last attempt, because it's required for "check script(s)".
Even though it's a broad permission, and the main proc cannot be pledged due to
forbidden ioctls, this at least prevents it from creating/writing/deleting
files, which is not required here.
OK benno@ a long time ago
|
Prodded by and OK jmc@
|
agentx header.
OK denis@
|
Reported by Prof. Dr. Steffen Wendzel <wendzel @ hs-worms . de>,
thanks!
OK martijn@ sthen@
|
with the help from tb@ jsing@; ok tb@
|
configure EDH-based cipher suites with Perfect Forward Secrecy (PFS)
for older clients that do not support ECDHE. Problem noticed and
initial diff by Jesper Wallin, thanks!
ok kn@
|
- Do not accept multiple protocol statements, as only one will be
used, it is better to error out if more are specified.
- Do not allow tcp and http options in dns protocol definitions, they
are ignored anyway.
Suggested by Nick (nick -AT- kousu -DOT- ca) thanks.
ok claudio@
|
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many
|
doesn't exist in its own structure. This could greatly be improved upon,
but it makes snmp walk on its mib work.
OK claudio@
|
state changes/host checks/connection' some time ago. ok reyk@
claudio@ on first version, kn@ noticed that the tokens could be
removed too.
|
benno@ and reyk@. Man page tweaks from jmc@.
ok benno@
|
filesystem.
"Well the first step is to back the commit out" deraadt@
|
OK benno@
|
This matches the documented behaviour.
On matching "forward to <table>" filter rules the "forward to destination"
address is unset, so that in that case the "forward to <table>" rule is still
used.
OK benno@, regression tests still passing.
|
back to the same value as $SERVER_ADDR in case the Host header is not available.
ok reyk@
|
for yyerror.
From Moritz Buhl
ok claudio@
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
Many thanks to Bruno Flueckiger who independently sent a very similar
patch. He also tested the one I'm committing that it works as
expected.
OK tb@
|
This fixes an issue that might better be solved in imsg itself.
The problem is that IMSG_CTL_RESET does not include an fd while the
following messages (IMSG_CFG_RELAY and IMSG_CFG_RELAY_FD) do contain
fds. If the receiver gets them in one buffer (via recvmsg), the first
fd might be wrongly associated to the IMSG_CTL_RESET message. This is
theoretically taken care of by the imsg API, so it is either a bug in
relayd's API usage or in imsg itself.
"sure" claudio@ as a temporary fix.
|
Tested by many (thanks!)
Feedback & OK rob@
|