Age | Commit message | Author |
|
issue hit by florian@
diff by jsing@
ok tb@
|
|
couldn't handle ICCN message which has a ProxyAuthenChallenge AVP
longer than 24 octets. Juniper actually sends such challenges.
Reported and tested by Ryan Freeman.
|
|
ok yasuoka@
|
|
that the order does not matter so simplify the code and just walk the
list twice. Add the .crl first and then in the second round all other files.
OK job@
|
|
anymore after moving it from its own subprocess to snmpe.
feedback and OK jan@
|
|
are started before syslogd(8). This resulted in ugly sendsyslog(2)
dropped logs and the real message was lost.
Create a temporary stash for log messages within the kernel. It
has a limited size of 100 messages, and each message is truncated
to 8192 bytes. When the stash is exhausted, the well-known dropped
message is generated with a counter. After syslogd(8) has set up
everything, it sends a debug line through libc to flush the kernel
stash. Then syslogd receives all messages from the kernel before
the usual logs.
OK deraadt@ visa@
|
|
For nexthops it is fine if they point to NULL. This is used in local
announcements. Only if they point to a real struct must the state be
NEXTHOP_REACH.
Bug reported by and OK florian@
|
|
and installing USD/SMM/PSD docs.
jmc@ agrees with the direction, ok millert@ on an earlier diff
|
|
dns for the peer address.
spotted by krw@
ok krw@ tb@
|
|
The subclass arrays have to be empty.
OK deraadt@
|
|
RRDP will add a bunch more checks so this makes even more sense.
With and OK tb@
|
|
be used by the RRDP code as well.
OK tb@
|
|
OK dlg@
|
|
Note that it changes the way SNI works: The certificate to use is now
selected by looking at the names found in the certificates themselves,
rather than the names of the pki entries in the configuration file.
The set of certificates for a tls listener must be defined explicitly by
using the pki listener option multiple times.
ok tb@
|
|
ok claudio
|
|
everything. Oops.
|
|
Just use 'err(1, NULL);' there is no need to include the type of function
that failed since it is still impossible to locate the right call.
Just use a debugger in that case.
OK tb@ deraadt@
|
|
the proc_xyz() function at least on two occasions and it is not that
trivial to realize what goes wrong.
|
|
exit(rc);
/* NOTREACHED */
|
|
too many servers out there fail to properly close the TLS session which
results in unnecessary warnings like
TLS close: EOF without close notify
Result of a discussion with job@ and tb@
|
|
be used to fetch TA certs and later on for RRDP. Kind of unreached for now
since the default TAL files don't include https URI.
The http client is fully asynchronous and can handle multiple downloads at
the same time. This code was based on the http client in ftp(1).
OK tb@, job@
|
|
ok mlarkin@
|
|
now handle_continue and find_window_size are fully separated.
|
|
route-server environments.
By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.
'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.
OK benno@
|
|
the cachedir.
|
|
switch between the two.
OK deraadt@ job@
|
|
root node (which should be a trust anchor). Trust anchors were added to
the X509_store and having them in the chain is kind of wrong and confuses
the new libressl X509 validator.
OK tb@
|
|
|
ok florian@
|
|
ok mvs@ mlarkin@
|
|
ok sthen@ millert@
|
|
Feedback jmc
OK dlg
|
|
ok claudio@
|
|
ok florian@
|
|
ok claudio@
|
|
tested by josh rickmar
ok kn@
|
|
Pointed out by deraadt
|
|
Pointed out by deraadt
|
|
pointed out by deraadt
|
|
pointed out by deraadt
|
|
the go ecosystem).
Properly handle failing daemon startup now that we have pipefail.
To take advantage of this new feature, just add foo_logger=facility to the
daemon rc.d(8) script or in rc.conf.local(8) or use rcctl:
rcctl set foo logger daemon.info
tweak for checking flags in rcctl(8) from martijn@
"this looks pretty good" deraadt@
ok sthen@
|
|
actually make things a bit faster.
OK deraadt@
|
|
OK deraadt
|
|
from servers.
dhcpleased(8) follows the well known three process design of all our
privsep daemons. It uses pledge(2) and unveil(2) to restrict access
further. In particular the "engine" process, responsible for parsing
of untrusted data, is pledge'd "stdio". It cannot access the outside
world nor the filesystem at all.
Like slaacd(8) for IPv6 it will be always running and acquire addresses
for all interfaces with the autoconf4 flag set.
The flag can be set by "ifconfig $if inet autoconf" or by adding
"inet autoconf" to /etc/hostname.if. An existing "dhcp" line should
be removed.
Various iterations tested by deraadt@
The hardest part, finding a name, was handled by jmatthew@ & otto@
"get to it :)" deraadt@
|