path: root/usr.sbin
Age         Commit message                                                              Author

2021-10-12  Emit SKI in the JSON output and improve flow in x509_get_pubkey()  (Job Snijders)
    OK claudio@

2021-10-12  do the matching as a last resort to handle .libs  (Marc Espie)
    fix the bug I introduced that bluhm@ et al noticed

2021-10-11  Add support for BGPsec Router Certificates (RFC 8209)  (Job Snijders)
    BGPsec router keys are extracted from RPKI certificates and emitted via the JSON output in base64 encoded form. OK tb@ claudio@

2021-10-11  base64_encode() should not add any newlines into the output.  (Claudio Jeker)
    Because of this switch from EVP_EncodeUpdate() plus complexity to the much simpler use of calling EVP_EncodeBlock() directly. OK job@

2021-10-10  Remove unused variable  (Job Snijders)

2021-10-10  Make style consistent and remove an unused code path  (Job Snijders)
    OK tb@

2021-10-09  delete unnecessary arpa/nameser.h includes  (Theo de Raadt)
    ok millert

2021-10-07  Make sure BGPsec router certs don't have a SIA  (Job Snijders)
    OK claudio@

2021-10-07  Call normalize_dn() on the newly added namespace so that later compares with normalized basedns work.  (Claudio Jeker)
    Seems all other DN attributes in parse.y pass through normalize_dn() so this seems to be the last one missing out. With this, configs using capitalized namespace DN like o=OpenBSD,c=CA will actually work. OK kn@ gsoares@

2021-10-07  Change host() error check to the more simple form of != 1.  (Claudio Jeker)
    Host() returns 1 on success and 0 or -1 on failure. OK kn@ gsoares@

2021-10-07  Clarify error message  (Job Snijders)
    OK benno@

2021-10-07  Rework X509 verification a bit. Remove the store and instead pass in the chain for certificates via X509_STORE_CTX_set0_trusted_stack().  (Claudio Jeker)
    To make this work alter build_chains() to also return the root TA. Factor out get_crl() from build_crls() and use it to fetch the crl when validating roas. The crl now sets its expire time in struct crl and this can be used to set the expire time of a ROA entry. This simplifies proc_parser_roa() a fair bit and results in fewer calls to mktime() (which is a surprisingly complex function). OK tb@

2021-10-07  Add x509_get_expire() to extract the not-after time from a certificate as an epoch time_t.  (Claudio Jeker)
    Store the expire time for certs, crls will follow after. OK tb@

2021-10-07  mktime() may not properly set errno on error. Just use errx() instead.  (Claudio Jeker)
    Noticed by benno@, OK tb@

2021-10-06  fix for the XXX-warning warning... have the test be a bit more specific  (Marc Espie)
    for the really bizarre case where we would end up having several update paths.

2021-10-06  annotate all required sys/param.h uses with what they bring into scope, and delete all others.  (Theo de Raadt)
    use PATH_MAX and other standardized symbols instead of prehistoric kernel-only names, create local MINIMUM/MAXIMUM macros where required, and directly include standard userland .h files as required.

2021-10-05  Add rudimentary support for BGPsec router certificates  (Job Snijders)
    OK claudio@

2021-10-05  Remove some extra spaces  (Claudio Jeker)

2021-10-05  The HTTP chunked transfer encoding test in regress/usr.sbin/rpki-client/libressl often fails.  (Anton Lindqvist)
    It happens when the HTTP parser reads more than one chunk in a single tls_read() invocation, causing the state machine to think it needs to read more data while the buffer already contains unexamined data. Considering a non-empty buffer before tls_read() fixes the problem. ok benno@ claudio@

2021-10-04  3 groups of realtek firmware are now in base (with new filenames).  (Theo de Raadt)
    fw_update does not need to install the 3 realtek firmwares anymore. We must keep them around during the 7.0 cycle, but 7.1 onwards will not require the files. discussed with sthen and kevlo

2021-10-03  bt(5)/btrace(8): add support for str()  (Dave Voutila)
    Implement initial support for the str() function, which is used primarily to truncate or NUL-terminate strings from either cli args or args to tracepoints and syscalls. Current implementation only supports cli args and is primarily for compatibility with bpftrace. Future work is needed once dt(4) supports builtin args other than long values. Adds a regress test and wires in argument-based tests again. ok mpi@

2021-09-23  Plug leaks of buf flagged by LLVM scan-build.  (Theo Buehler)
    ok claudio

2021-09-22  Adjust handling of RIB_GENERIC_ADDPATH MRT messages.  (Claudio Jeker)
    Parse it the way OpenBGPD and GoBGP dump so that it works with all the MRT implementations out there supporting this. While there do some additional minor cleanup. OK deraadt@

2021-09-22  remove test traces committed by mistake  (Eric Faurot)

2021-09-22  bump version to 7.0.0  (Eric Faurot)

2021-09-22  decode srs-encoded address in the right place.  (Eric Faurot)
    fixes a bug where ruleset was not evaluated with the expanded address. reported by Stefan Haller ok millert@

2021-09-22  sync table_db capabilities with table_static  (Eric Faurot)
    ok millert@

2021-09-21  Add NUL termination to btfile content to avoid that strlcpy(3) reads too much in btrace(8).  (Alexander Bluhm)
    OK mpi@ deraadt@

2021-09-21  bump rpki-client version  (Sebastian Benoit)

2021-09-21  Move us to OpenBGPD 7.2  (Claudio Jeker)

2021-09-19  The LocalDomain in syslogd(8) is not used, remove variable.  (Alexander Bluhm)
    Use RFC 5424 NILVALUE as fallback for LocalHostName. OK millert@ mvs@

2021-09-18  check_send_expect() does some nasty ibuf magic to allow fn_match() to work with a buffer that is not a real string.  (Claudio Jeker)
    The wpos is decremented in the wrong spot and would affect both binary and non-binary checks. Simplify this code by using strndup. OK rob@ benno@

2021-09-17  Fix subjectAlternativeName (SAN) generation for CSRs.  (Stuart Henderson)
    CA/B Forum baseline requirements require that it's used in certificates so it makes sense to generate a CSR compliant with this; additionally it replaces rather than adds to the name in the certificate's subject, which we weren't handling correctly. Diff from wolf at wolfsden/cz, ok florian@

2021-09-16  tcpdump: Fix data alignment issue in WireGuard printer  (Visa Hankala)
    Access 8-byte nonce as unaligned data to avoid a crash on strict alignment architectures. With IP and UDP, payload alignment is guaranteed to 4-byte boundary only. Reported and tested by Peter J. Philipp OK deraadt@

2021-09-16  Add EXTRACT_LE_64BITS().  (Visa Hankala)
    OK deraadt@

2021-09-16  sync SYNOPSIS and usage(); ok florian  (Jason McIntyre)

2021-09-15  Set the X509 validation depth limit to 12 or double the current depth.  (Claudio Jeker)
    When the limit is reached the object is considered invalid and the tree traversal stops on that node. OK beck@ job@

2021-09-15  Explain that traceroute compresses * * * lines at the end of the output when we never reach the destination.  (Florian Obser)
    Prompted by & input jmc

2021-09-15  Rewrite and simplify dhcpleasectl(8).  (Florian Obser)
    With this dhcpleasectl em0 does the same as dhclient em0 used to do. To please people's muscle memory one can be aliased to the other. earlier version OK benno with lots of help massaging the output & OK deraadt

2021-09-14  Add missing void to definition of http_init().  (Theo Buehler)
    ok deraadt florian

2021-09-14  Do not download more than 300 deltas to sync a RRDP repo.  (Claudio Jeker)
    Somewhere around 300 the time it takes to fetch and process all the deltas is higher than fetching just a snapshot. OK job@ sthen@

2021-09-13  fix SEE ALSO;  (Jason McIntyre)

2021-09-13  introduce /etc/bsd.re-config which can be used to configure the kernel using config(8)  (Robert Nagy)
    the contents of this configuration file will be fed to config(8) after kernel relinking is done, so on the next boot the new kernel will have all the configuration changes set by the user. This comes in handy if you still want to use KARL while making changes to the GENERIC kernel. diff from Paul de Weerd with input from several developers

2021-09-10  When writing a message, syslogd did a combination of putting everything into an iov and doing some sprintf() formatting later.  (Alexander Bluhm)
    Better put everything into the iov upfront based on what the output methods need. Then either the full iov is written or a line is created by concatenating. OK martijn@

2021-09-10  Properly handle keep-alive for HTTP/1.1.  (Claudio Jeker)
    If the server uses HTTP/1.1 keep-alive is the default. Check this early on and disable keep-alive if a Connection: closed header is sent. Fixes the keep-alive issues I have seen. OK sthen@

2021-09-09  fix crash when passing empty cli arguments as B_AT_NIL wasn't handled as a valid argument type  (Jasper Lievisse Adriaanse)
    found with afl++ ok mpi@

2021-09-09  Rework how various OIDs are compared in the code.  (Claudio Jeker)
    Instead of converting the ASN1_OBJECT into a string and comparing the strings, convert the string into an ASN1_OBJECT once and then compare these objects with OBJ_cmp(). Makes the code a bit easier to read and removes some repetitive conversions. With input and OK tb@

2021-09-09  Relax the check for accessing variables before setting them.  (Martin Pieuchot)
    First we can't assume rules are written in the order they will be executed. Secondly filters might need to check variables before they had a chance to be populated by the right event.

2021-09-09  Let ba2str() handle uninitialized map just like ba2long() does.  (Martin Pieuchot)

2021-09-09  Make it possible to associate multiple probes to a single rule.  (Martin Pieuchot)
    The following syntax, reducing duplication, is now allowed: END, interval:hz:2 { ... } Rule descriptors are now linked to a list of probe descriptors instead of a single one. Enabled kernel probes are now linked to btrace(8) probe descriptors. While here stop parsing filter and probe if debug is not enabled.