Age | Commit message | Author |
|
Single out the auth_config yacc rules. Even though this requires an
extra merge_auth_conf() function to handle manual IPsec setups but
even with that this seems like a net gain.
There is no rtr cache that does tcp md5 on OpenBSD so those bits remain
untested for now.
OK tb@
|
|
This is needed to support tcp md5sum and ipsec auth for rtr.
OK tb@
|
|
header sent by the server in response to the newAccount API call (used for
every cert request). This is useful if you want to set a CAA DNS record
restricting issuance to a specific user account, rather than just "all of
$whichever_acme_CA". ok florian
|
|
DNS compression. OK florian
From unbound 1.21.1 (rest will be merged shortly).
|
|
forward to the same key, or the key+.1. But sometimes you want to
update an older machine far forward (either with -s, or with -R), and
the required key might not exist on-disk. Since getting the key isn't
automated, people make some poor decisions to get the key. Previous
to 7.6 the situation was worse, (and obviously older releases will have
the old sysupgrade script, though you can copy this one to those machines
and it will work, but please do that securely..)
Moving forward this improves the workflow: a new set of keybundles
(signed by older keys) have been made available so that sysupgrade
can securely and automatically download the required key.
ok job tb beck sthen
|
|
The language in RFC 5280, section 4.1.2.5 includes the end points of the
validity interval.
Reported by Tom Harrison
ok claudio job
|
|
An ASN1_INTEGER doesn't contain the ASN.1 encoding in its data. It contains
a BIGNUM. In particular, there's no padding octet for integers with the top
bit of the top octet set. Do the check the dumb way and check all the parts
individually: non-negative, not larger than 20 octets and bit 159 not set.
Reported by Tom Harrison
ok claudio job
|
|
SIOCAIFADDR_IN6 to configure an IPv6 address does everything SIOCIFAFATTACH
does, i.e. it enables IPv6 on the interface if not done so already.
vm.conf(5) 'local inet6' works as before.
OK mlarkin
|
|
found with afl, feedback and ok millert@
|
|
vmm(4) doesn't need this information anymore. vmd(8) is the only
consumer of this information.
ok mlarkin@
|
|
Remove the extra checks in the caller and simplify some code because of that.
OK tb@
|
|
we inherited from the initial implementation on FreeBSD which has
made no sense in years.
prompted by a diff by Johannes Thyssen Tishman
from espie
|
|
In order to support privsep in tags, we need to be able to pass some
code values in child/parent.
from espie, tested by sthen, ok giovanni
|
|
initialized in the SE so bgpctl did always see 0, auth_conf.method
is on the other hand properly shared.
OK tb@
|
|
since that one is kept.
OK tb@
|
|
OK tb@
|
|
OK tb@
|
|
Instead use struct auth_config and struct auth_state in the pfkey calls
and those tcp_md5 calls where it matters.
This is preparation work to allow RTR to use TCP MD5 as well.
OK tb@
|
|
Mainly handle unknown ext-communities better and handle the special
case of type == -1.
OK tb@
|
|
before calling connect(). This way it happens for sure and on top the TOS
is already set on the initial SYN.
OK tb@
|
|
OK input lucas
|
|
ok claudio
|
|
ok claudio
|
|
ok sthen, florian
Committing on behalf of jmc as requested.
|
|
First of all warn that a prefix was dropped. In the generate an update
code handle possible overflows of attributes and NLRI and withdraw the
affected prefix. This way the peer will not have stale data.
OK tb@
|
|
than the immediate +0.1. print an https://ftp.openbsd.org/... URL where
the new signify pubkey can be found if not present.
no guarantees: we only test +0.1, but jumping further does work quite
often (and if tight on disk, can work better than multiple steps) -
this avoids editing the script if you're going to do it anyway.
"Only upgrades from one version to the next are tested. Skipping
versions may work. Downgrading is unlikely to work."
discussed with deraadt chris florian, ok deraadt
|
|
- simpler tense
- fix the -width parameter
- add -nosplit to AUTHORS
|
|
Document the shutdown behaviour for vmd(8). Suggested via bugs@
via eric at mulh.net.
ok jmc@, bluhm@
|
|
The default is to install the next release. Snapshots are only
installed when invoked with -s.
The logic on what to do per default got out of hand and it was very
difficult to reason about what sysupgrade(8) actually did. deraadt@
then suggested that we should dumb it all down, sysupgrade(8) is there
to upgrade from one release to the next. More advanced usage needs to
be requested by the user.
With all this simplification we can now be a bit more smart to work
out what the next release is. With that, snapshots right before a
release can be sysupgrade(8)'ed to the official release.
OK sthen on a previous version that was much more complicated but
allowed shortly-before-release -> release upgrade
testing sthen on this version
Guidance, prodding & OK deraadt
|
|
ok benno@
|
|
claudio agrees
|
|
requested by tb@
|
|
OK claudio@
|
|
This extends the zic input format to add support for %z, which
expands to a UTC offset in as-short-as-possible ISO 8601 format.
It's intended to better support zones that do not have an established
abbreviation already. tzdata2024b and higher require a version of
zic that supports the %z format. From upstream tzcode. OK beck@
|
|
from hshoexer@; OK mlarkin@