summaryrefslogtreecommitdiff
path: root/usr.sbin
AgeCommit message (Collapse)Author
2024-11-02Improve detection of gaps in ManifestissuanceJob Snijders
It is helpful for network operators, publication point operators, and CA operators to have more insight into whether the RP noticed an issuance gap between two versions of a given manifest. * high number of gaps all the time might be an indication the RP is not refreshing often enough * the CA is trying to issue manifests more than once a second * the RFC 8181 publication server's ingress API endpoint has issues * the RFC 8181 publication client has trouble reaching the server * the CA's private keys (RPKI + BPKI) are used on a second (cloned) system * the CA's issuance database is broken Correlation opportunity: detection of a gap means some of the CA's intermediate states were occluded from the RP; the RP operator might want to correlate this to traffic shifts in BGP or publication point reachability issues. Going forward, emit a warning per manifest, adds metrics to the openmetrics output, and displays a summary at the end of the run about issuance gaps. OK tb@
2024-10-31Use imsg_get_fd() to extract the fd from an imsg.Claudio Jeker
OK tb@
2024-10-30Install a copy of the UEFI bootloader in /efi/openbsd on the EFI systemMark Kettenis
partition. This will allow us to create boot options for the firmware boot manager that other OSes won't interfere with. ok phessler@, tobhe@, kn@
2024-10-30print pppoe tags as hex dumps rather than strvis-a-like'd text, unlessStuart Henderson
they're tags where text is likely. strvis on random cookies is hard to read and compare, and it's easier to convert 0x05dc than \005\334 to 1500 for PPP-Max-Payload. ok claudio dlg
2024-10-30remove unneeded conf.h includeJonathan Gray
2024-10-30directly use dev_t for swdevt[], remove struct swdevtJonathan Gray
ok mpi@ miod@
2024-10-30Add fw_update pattern for AMD SEV firmware used with psp(4).Alexander Bluhm
from hshoexer@; input deraadt@
2024-10-29Fix logic to return CTL_RES_NOSUCHPEER. The RB_EMPTY check needs to beClaudio Jeker
reversed since no error should be printed if there are no neighbors configured (yet). OK tb@
2024-10-28relayd: add support for client certificatesTheo Buehler
This feature has been requested many times over the years. Various patches were provided by Asherah Connor, Rivo Nurges, Markus Läll and maybe others. These patches always stalled for various reasons. From Sören Tempel, mostly based on Asherah's latest patch. ok florian tb
2024-10-28Remove two fatalx calls in pt_fill since they are wrong.Claudio Jeker
L3VPN withdraws don't carry a labelstack (see util.c::nlri_get_vpn4()). OK tb@
2024-10-25Add support for performing a sysupgrade from a path. This is convenientTheo de Raadt
for offline machines if you can pull the snapshot or release to there there, but want sysupgrade to locally perform signify validation before performing the /home/_sysupgrade and other boot-upgrade steps. ok florian
2024-10-24Adjust ldapclient prototype to prevent an "argument of type 'int[2]' withClaudio Jeker
mismatched bound" warning. OK tb@
2024-10-23Append fd to the variable names proc, rsync, rrdp, http since these variablesClaudio Jeker
are used to store file descriptors. OK tb@
2024-10-22remove duplicate RT_BUF_SIZE defineJonathan Gray
2024-10-22Use imsg_get_fd() like everywhere else.Claudio Jeker
OK florian@ dv@
2024-10-20VM_MAP_BUSY and VM_MAP_WANTLOCK will be removed soon, prep for that.Claudio Jeker
OK dlg@
2024-10-16a.out is no longer the commonly encountered binary file format, the world hasMiod Vallat
moved to ELF. Move the a.out specific defines and macros, but the MID_xxx values, from <sys/exec.h> to <a.out.h>, and update the few userland binaries which really need these defines (i.e. boot-related tools for old architectures) to explicitly include <a.out.h> when needed. "Fine" deraadt@
2024-10-16rpki-client: sprinkle some constTheo Buehler
EVP_PKEY_get0_* were made const correct in OpenSSL 3 and now cause the build of rpki-client to emit warnings. Of course no one is able to see these warnings because they are hidden in all the deprecation vomit. Makes rpki-client build cleanly against OpenSSL 3 when configured with --with-openssl-cflags=-DOPENSSL_SUPPRESS_DEPRECATED. ok claudio deraadt job
2024-10-13Be more eager to install qcpas firmware (more pattern matches)Theo de Raadt
2024-10-12Make fw_update -a mean allAndrew Fresh
When downloading or installing, not just deleting. Noticed by Paul de Weerd Help with manual wording from jmc@ Just fix -a, deraadt@
2024-10-11The fw keys have been added to the signify key bundles. sysupgrade willTheo de Raadt
now extract the fw key also, so that pre-upgrade fw_update can fetch the most uptodate firmware. ok sthen
2024-10-10Always print account URI on first creation of an account key.Florian Obser
This was hidden behind -v but it seems useful to always have this when creating a new account. As sthen points out in his previous commit: This is useful if you want to set a CAA DNS record restricting issuance to a specific user account. OK deraadt
2024-10-09Make it possible to configure tcp md5 and ipsec on rtr as wellClaudio Jeker
Single out the auth_config yacc rules. Even though this requires an extra merge_auth_conf() function to handle manual IPsec setups but even with that this seems like a net gain. There is no rtr cache that does tcp md5 on OpenBSD so those bits remain untested for now. OK tb@
2024-10-09correct indentationJonathan Gray
2024-10-08Extend the socket handover from parent to rtr process to also include teardownClaudio Jeker
This is needed to support tcp md5sum and ipsec auth for rtr. OK tb@
2024-10-08remove unused structJonathan Gray
2024-10-07When acme-client is run with -v, show the account URI from the LocationStuart Henderson
header sent by the server in response to the newAccount API call (used for every cert request). This is useful if you want to set a CAA DNS record restricting issuance to a specific user account, rather than just "all of $whichever_acme_CA". ok florian
2024-10-07use the Ox macro instead of "OpenBSD";Jason McIntyre
2024-10-07merge unbound 1.21.1Stuart Henderson
2024-10-07Fix unbound CVE-2024-8508, put a limit on resources used for handlingStuart Henderson
DNS compression. OK florian From unbound 1.21.1 (rest will be merged shortly).
2024-10-07Add comment accidentally omitted on commitTheo Buehler
2024-10-07update crl number draft linkTheo Buehler
2024-10-07The two usual use cases are sysupgrade and sysupgrade -s, jumpingTheo de Raadt
forward to the same key, or the key+.1. But sometimes you want to update an older machine far forward (either with -s, or with -R), and the required key might not exist on-disk. Since getting the key isn't automated, people make some poor decisions to get the key. Previous to 7.6 the situation was worse, (and obviously older releases will have the old sysupgrade script, though you can copy this one to those machines and it will work, but please do that securely..) Moving forward this improves the workflow: a new set of keybundles (signed by older keys) have been made available so that sysupgrade can securely and automatically download the required key. ok job tb beck sthen
2024-10-07rpki-client: fix validity interval checkTheo Buehler
The language in RFC 5280, section 4.1.2.5 includes the end points of the validity interval. Reported by Tom Harrison ok claudio job
2024-10-07rpki-client: fix seqnum upper boundTheo Buehler
An ASN1_INTEGER doesn't contain the ASN.1 encoding in its data. It contains a BIGNUM. In particular, there's no padding octet for integers with the top bit of the top octet set. Do the check the dumb way and check all the parts individually: non-negative, not larger than 20 octets and bit 159 not set. Reported by Tom Harrison ok claudio job
2024-10-07drop redundant AF attach ioctlKlemens Nanni
SIOCAIFADDR_IN6 to configure an IPv6 address does everything SIOCIFAFATTACH does, i.e. it enables IPv6 on the interface if not done so already. vm.conf(5) 'local inet6' works as before. OK mlarkin
2024-10-05error on long locator lines, don't overflow buffersJonathan Gray
found with afl, feedback and ok millert@
2024-10-02Move some PCI MMIO defines from vmm(4) kernel headers to userland.Dave Voutila
vmm(4) doesn't need this information anymore. vmd(8) is the only consumer of this information. ok mlarkin@
2024-10-02No need to check as->established before calling pfkey_remove().Claudio Jeker
Remove the extra checks in the caller and simplify some code because of that. OK tb@
2024-10-02Adding pkg_add from stdin hasn't worked in ages. It was somethingTheo Buehler
we inherited from the initial implemention on FreeBSD which has made no sense in years. prompted by a diff by Johannes Thyssen Tishman from espie
2024-10-01Extend Log->system to support the same features as BaseState->systemTheo Buehler
In order to support privsep in tags, we need to be able to pass some code values in child/parent. from espie, tested by sthen, ok giovanni
2024-10-01Use auth_conf.method instead of auth_state.method. The latter is always 0.Claudio Jeker
2024-10-01Explicitly set peer.auth_conf.method, the auth_state value is neverClaudio Jeker
initialized in the SE so bgpctl did always see 0, auth_conf.method is on the other hand properly shared. OK tb@
2024-10-01In merge_peers also copy over the auth_conf from the new peer to the oldClaudio Jeker
since that one is kept. OK tb@
2024-10-01Fix typo in commentClaudio Jeker
OK tb@
2024-10-01Adjust to the pfkey changes in bgpd.Claudio Jeker
OK tb@
2024-10-01Rework the pfkey and tcp md5 API to not depend on struct peer.Claudio Jeker
Instead use struct auth_config and struct auth_state in the pfkey calls and those tcp_md5 calls where it matters. This is preparation work to allow RTR to use TCP MD5 as well. OK tb@
2024-09-30Improve some currently impossible error path in log_ext_subtype().Claudio Jeker
Mainly handle unknown ext-communities better and handle the special case of type == -1. OK tb@
2024-09-30In bgpd_rtr_connect() do the setsockopt dance for IP_TOS and TCP_NODELAYClaudio Jeker
before calling connect(). This way it happens for sure and on top the TOS is already set on the initial SYN. OK tb@
2024-09-29sync synopsis and usage, sort commands, fix their spacingKlemens Nanni
OK input lucas