path: root/usr.sbin
Age  Commit message  (Author)
2022-11-03  Constrain KeyUsage and ExtendedKeyUsage on both CA & EE certificates  (Job Snijders)
RFC 6487 section 4.8.4 restricts the KeyUsage extension on EE certificates to only be digitalSignature. RFC 6487 section 4.8.5 forbids the ExtendedKeyUsage extension from appearing on CA certificates. However, this may change in the future through the standardisation process. OK tb@
2022-11-03  shorten Autonomous System Provider Authorizations  (Job Snijders)
2022-11-03  Add notion of ASPA  (Job Snijders)
2022-11-03  Permit only keyCertSign and CRLSign in CA KeyUsage extension  (Job Snijders)
OK tb@
2022-11-02  Emit warnings when unexpected X.509v3 extensions are encountered  (Job Snijders)
OK tb@
2022-11-02  Introduce conn_info() which combines http_info() and ip_info() to output  (Claudio Jeker)
both the host/uri and IP address of a connection. Adjust http_connect() error handling to make sure conn->res is set to the last address when hitting the error condition after the loop. OK tb@
2022-11-02  Reference RSC RFC-to-be instead of internet-draft  (Job Snijders)
2022-11-02  Add support for draft-ietf-sidrops-signed-tal-12  (Job Snijders)
Add support for validation of Signed Objects containing Trust Anchor Keys (TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs to distribute and sign the next Trust Anchor with the current Trust Anchor. This might be an improvement over visiting RIR websites and copy+pasting TAL data by hand. OK tb@
2022-11-02  Don't free the addrinfo array after connect and refactor http_finish_connect.  (Claudio Jeker)
In http_connect_done() the addrinfo array was freed but this makes it impossible to show the IP address of the connection in log messages. Also refactor http_finish_connect() to call http_connect_failed() instead of doing the same inline. OK tb@
2022-11-02  Length check URI before strncasecmp()  (Theo Buehler)
A priori URI is not NUL terminated, so we should first check it is long enough before comparing it against proto. As a side effect, this now rejects "https://" and "rsync://", which are invalid due to the missing host in the authority section. ok claudio
2022-11-02  Also print IP address of the connection that timed out to aid debugging  (Job Snijders)
OK claudio@
2022-11-02  Fix x509_get_time() error checks  (Theo Buehler)
Like most x509_* functions, x509_get_time() returns 0/1 on error/success, not -1/0. ok claudio job
2022-11-01  Have -S actually behave like the other introspection options, namely only  (Marc Espie)
eschew building the package if -n is mentioned. Document that -S -n is heavily optimized for speed since it's mostly used by dpb -R to figure out what to rebuild.
2022-11-01  fix a logic error from 2018: be silent if any of -S, -n, -q are mentioned.  (Marc Espie)
The actual bug reverted in 1.128 was from "make print-plist-libs" which would invoke pkg_create -n -Q and filter out the libs: but in that case, pkg_create would not be silent, thus yielding reading plist|-/usr/local/lib/libpython3.9.so.0.0 to filter, which obviously wouldn't work. So, turn on silent mode for -Q as well.
2022-11-01  Use unsigned long long to store integer value. At least that can always  (Claudio Jeker)
be printed with %llu unlike uint64_t.
2022-11-01  I plain forgot to document -S !  (Marc Espie)
2022-10-31  vmd(8): remove unfinished user accounting.  (Dave Voutila)
User accounting and enforcement was never finished. tedu the thing until someone wants to pick it up and finish it. Originally found by Matthew Martin. ok mlarkin@, kn@. input from tb@.
2022-10-28  getopt optstring doesn't need '?'.  (David Gwynne)
found while hacking up a comp3301 prac/assignment ok millert@ deraadt@
2022-10-27  Print the pid in some additional debug messages to be able to match them  (Claudio Jeker)
with the fork messages. OK tb@
2022-10-25  Fix LDADD and DPADD.  (Martijn van Duren)
DPADD bit pointed out by deraadt@ "No kidding" deraadt@
2022-10-24  remove unused references to httpd.sock; found by dante catalfamo  (Jason McIntyre)
ok florian
2022-10-24  Make x509_init_oid() table based  (Theo Buehler)
Reduces the amount of copy-paste and makes things easier on the eye. ok claudio job
2022-10-22  add some missing flags, as pointed out by deraadt; while  (Jason McIntyre)
here rework the text so it reads a little better; ok deraadt
2022-10-20  remove file no longer present in unbound 1.17.0  (Stuart Henderson)
2022-10-20  merge unbound 1.17.0  (Stuart Henderson)
2022-10-20  import unbound 1.17.0, ok florian  (Stuart Henderson)
2022-10-20  Display the correct recipient in a Received: header with one recipient.  (Todd C. Miller)
If multiple recipients are specified but only one is valid, use the first entry in the recipient list for the Received: header, not the value from the last "RCPT TO:" command (which could be invalid). From Chris Waddey
2022-10-19  Replace "newfs/fsck_ext2fs" with "newfs/msdos -t ext2fs", constify  (Klemens Nanni)
OK miod
2022-10-18  Copy port to proxyport since the string may point into memory that is  (Claudio Jeker)
freed. Should fix https://github.com/rpki-client/rpki-client-portable/issues/74 Reported by Ben Castricum OK tb@
2022-10-18  Switch from up/down time to time of last change.  (Claudio Jeker)
Having metrics depend on session state makes reporting more complex. This now reports the number of seconds a session was up or down. OK tb@
2022-10-18  Initialize last_updown in init_peer() so that it is reported correctly  (Claudio Jeker)
for peers that never managed to establish a connection. OK tb@
2022-10-18  Fix some spelling errors  (Job Snijders)
Thanks Marco D'Itri for spotting them OK claudio@
2022-10-17  SHOW_METRICS for the actions enum. Just to match the rest.  (Claudio Jeker)
2022-10-17  Document /metrics endpoint and use bgpctl show metrics as command.  (Claudio Jeker)
OK tb@
2022-10-17  Use metrics as the command name and document show metrics.  (Claudio Jeker)
OK tb@
2022-10-17  Add /metrics endpoint which outputs stats in openmetrics format.  (Claudio Jeker)
This uses `bgpctl show metric` to produce the payload. OK tb@
2022-10-17  Implement openmetric output via bgpctl show metric command  (Claudio Jeker)
This adds most of the generic code to output the metrics with labels and implements some basic metrics. The code works but metrics may still change. OK tb@
2022-10-15  .Oc -> .Op in previous;  (Jason McIntyre)
2022-10-15  Do not throw away errno.  (Florian Obser)
Pointed out in the pref64 code, which was copied from here, by kn.
2022-10-15  Implement RFC 8781 PREF64 router advertisement option.  (Florian Obser)
With this clients can learn the presence and used prefix for Network Address and Protocol Translation between IPv6 and IPv4 (NAT64). Apparently there is support in mobile devices as well as in macOS. This option, together with the dhcp "IPv6-only preferred" option (108) enables the Customer-side transLATor (CLAT) on macOS so IPv4 literals can be used in IPv6-only networks. Input & OK kn
2022-10-14  some macro fixes, mostly Cm -> Ic;  (Jason McIntyre)
from josiah frentsos
2022-10-13  Add client certificate authentication and optional SASL EXTERNAL bind,  (Jonathan Matthew)
which allows the client to bind as the subject of the certificate in cases where the directory doesn't implicitly do that. The client certificate is configured with 'certfile' and 'keyfile' directives, and SASL EXTERNAL bind is configured with the 'bindext' directive. ok tb@
2022-10-13  All of ROA, MFT, ASPA, and RSC define their respective 'version' field  (Job Snijders)
in ASN.1 as following: "version [0] INTEGER DEFAULT 0,". Each object profile preamble contains "DEFINITIONS EXPLICIT TAGS ::=". We didn't bump into any issue yet, because all Signed Objects are at version 0, which means the field is entirely omitted (including the tag, be it implicit or explicit). (From X.690 section 11.5: "The encoding of a set value or a sequence value shall not include an encoding for any component value which is equal to its default value.") OK tb@
2022-10-12  avoid use after free in error paths  (Jonathan Gray)
ok miod@ martijn@
2022-10-12  use correct type with sizeof  (Jonathan Gray)
ok miod@ claudio@ tb@
2022-10-10  consistently use IPv4/IPv6; from jmc@  (Jonathan Gray)
2022-10-09  Drop fattr promise unless file creation is allowed  (Klemens Nanni)
This is only required for the single fchmod(2) ensuring default permissions which only happens in the -c code path. OK millert
2022-10-09  allow newlines inside the `alternative names' block in acme-client.conf  (Omar Polo)
ok florian
2022-10-07  Show the entry immutable bit in the various output formats.  (Theo de Raadt)
2022-10-07  Kill extra space in ext community ovs output.  (Claudio Jeker)
Noticed by job@, OK tb@