Age | Commit message (Collapse) | Author |
|
the timer is stopped if HoldTime is 0.
OK tb@
|
|
This gets rid of our last uses of timegm and gmtime in the
library and things that ship with it. It includes a bit
of refactoring in ocsp_cl.c to remove some obvious ugly.
ok tb@
|
|
From https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
OK sthen@ miod@
|
|
|
|
The standards contain somewhat ambiguous language as to what the largest
acceptable value for a crlNumber or manifestNumber could be, due to a
limitation to 20 octets. The question is what 20 octets specifically are
meant...
Consensus seems to have emerged that the largest value is 2^159-1 since
2^160-1 would encode to 21 octets due to a padding octet to disambiguate
ff .. ff from -7f ff .. ff (iow the top bit of the first octet is a sign
bit).
Thus, switch from 2^160 - 1 to 2^159 - 1 as an upper bound by checking
the length of the value portion of the DER encoded ASN.1 integer to be
at most 20 octets.
Thanks to Martin Hoffmann, Tom Harrison, and Ben Maddison for raising and
discussing the issue. Thanks also to the spec authors for making me waste
a few hours of my life on a single bit.
ok job
|
|
|
|
Use /var/empty as chroot directory. Call chroot(2) before setresuid(2).
Do the error check correctly. Call chdir(2) after chroot(2).
from spiros thanasoulas; with florian@ tb@; OK millert@
|
|
at the ibuf payload passed to log_notification().
Because of this move ibuf_get_string() and the log_notification() call
in parse_notification().
OK tb@
|
|
While there fix the RFC5492 handling of ERR_OPEN_CAPA (the current code
has the logic inversed). ERR_OPEN_CAPA is there to signal that a needed
capability is missing in our OPEN message. Just add the handling of
ERR_OPEN_CAPA to log_notification().
Also rework the handling of the shutdown reason and move the printing
into log_notification().
OK tb@
|
|
OK tb@ claudio@
|
|
Otherwise we can get left with a piece of the spinner if all firmware
gets updates and don't print a "kept" value.
While here, replace \010 with the ksh supported \b, as suggested by cheloha@
Noticed by deraadt@
|
|
due to a swapped strlcpy() arguments we don't save the ORCPT argument
after validation. There's no buffer overflow since dsn_orcpt is zeroed.
Spotted by Tassilo Philipp, thanks!
ok millert gilles
|
|
- Loops over all valid AID should start with AID_MIN and go up to AID_MAX - 1
e.g. for (i = AID_MIN; i < AID_MAX; i++)
If for some reason AID_UNSPEC must be handled make that explicit in the
for loop.
- aid2afi() now returns an error for AID_UNSPEC since there is no valid
AFI SAFI combo for AID_UNSPEC.
- Add additional checks for AID_MIN where currently only AID_MAX was checked.
This affects imsg for route refresh and graceful restart.
- Simplify add-path capability handling. Only the negotiated add_path capa
sets the flag for AID_UNSPEC to help code to quickly check if any add-path
is active.
OK tb@
|
|
Verify whether the filename as presented by the publication point (which
is unsigned information) matches the filename in the SIA attribute
(which is signed information). Based on RFC 6487 section 4.8.8.
with and OK tb@
|
|
Parent is confusing and issuer is the appropriate terminology. This is
a mechanical diff. The only remaining uses of 'parent' in this code
base now mean 'parent process'.
discussed with beck and job
ok job
|
|
only works that way correctly.
OK deraadt@
|
|
OK sthen@, deraadt@, dlg@, tb@
|
|
is optional.
OK tb@
|
|
- add a pointer to the section when documenting the `mda' keyword
- rename the section to MDA COMMANDS
- document also what happens when the MDA doesn't exit with status 0
- add the missing environment variables
- sort the variables
- minor other tweaks to the text
with several improvements from jmc, ok jmc
|
|
This was used in rsc.c prior to the switch to ASN.1 templates.
ok job
|
|
Currently, every kelf_snprintsym() call performs a linear search
through the .symtab for a symbol matching the given PC. The search is
expensive and seems to be a major source of dropped profiling events.
Storing all STT_FUNC .symtab entries and their names in a sorted array
cuts search time from O(n) to O(lg n). In practice, the faster
lookups seem to dramatically reduce the profiling drop rate.
With tweaks from mpi@.
Thread: https://marc.info/?l=openbsd-tech&m=170830125132105&w=2
ok mpi@
|
|
this adds some initial commentary for how MDAs should behave and
in what environment they are executed.
diff from Philipp (philipp+openbsd [at] bureaucracy [dot] de) with
some tweaks from Richard Toohey and me.
ok gilles@
|
|
mostly for compatibility with postfix since some mdas (like
public-inbox) make use of it.
diff from Philipp (philipp+openbsd [at] bureaucracy [dot] de)
ok gilles@
|
|
|
|
Requested by Ties de Kock (RIPE NCC)
OK tb@
|
|
"No it's not okay." mpi@
|
|
Currently, every kelf_snprintsym() call performs a linear search
through the .symtab for a matching symbol. The search is very
costly and causes btrace(8) to drop a lot of profiling events.
Storing the STT_FUNC .symtab entries and their corresponding .strtab
entries in a sorted array cuts the lookup cost from O(n) to O(lg n).
Lower overhead reduces the drop rate for profiling events.
With tweaks from mpi@.
Thread: https://marc.info/?l=openbsd-tech&m=170830125132105&w=2
probably ok mpi@
|
|
Isolate resources from different RRDP servers to avoid
inappropriately increasing resource consumption for both
RRDP clients and the referenced server.
OK claudio@ tb@
|
|
unbound, fixing an indefinite loop that could be triggered by a client
against an unbound server where the (non-default) configuration "ede: yes"
is used.
https://nlnetlabs.nl/downloads/unbound/CVE-2024-1931.txt
ok florian@
|
|
boot in ACPI mode, then the qcpas0 driver isn't found. But we want
a firmware associated with that device name. So also match for the
qcpas firmware on
^ppb0*\"Qualcomm SC8280XP PCIe\"
ok phessler kettenis
|
|
|
|
|
|
|
|
OK tb@ claudio@
|
|
Instead of burning one letter for each new file format (sidrops is known
to crank out new things faster than a normal person can read), use -x to
opt into parsing and processing file formats that aren't yet considered
stable. This is currently only the Signed Prefix List. While a repetition
of the ASPA debacle, this code hasn't yet seen enough stress testing to be
enabled by default.
ok claudio job
|
|
ok claudio job (as part of a larger diff)
|
|
|
|
|
|
OK tb@
|
|
The OpenMetrics output shows per-repository counters for new files
added, the main process and JSON output emit the sum of all new files.
OK claudio@
|
|
when RADIUS accounting is configured.
|
|
OK claudio@
|
|
found by smatch, ok claudio@
|
|
the message authenticators of any received messages from servers only
if they include a message authenticator.
|
|
|
|
|
|
|
|
Allow to save stacktrace and process name in tuples.
|
|
A current limitation is the value read from a map is converted to an
integer. To preserve the original type we have to make maps aware of
the type of its elements.
|
|
|