tb [Fri, 15 Jul 2022 06:10:00 +0000 (06:10 +0000)]
Rename is_perfect_square to out_perfect in prototype to match
the code in bn_isqrt.c.
kettenis [Thu, 14 Jul 2022 19:06:29 +0000 (19:06 +0000)]
Add sxirintc(4), a driver for the "wake up" interrupt controller found
on various Allwinner SoCs.
ok anton@
florian [Thu, 14 Jul 2022 15:23:09 +0000 (15:23 +0000)]
When the autoconf flag flaps around we might end up with multiple bpf
FDs in flight. Things then get confusing. The kernel tells us we can
read from the bpf FD but the data is actually "on the other FD", so
read(2) returns 0.
Found the hard way by, and patiently debugged with weerd@
One way to trigger this is booting a vmm VM where dhcpleased(8)'s
init_ifaces() loses a race against netstart(8). init_ifaces() would
already see the autoconf flag and request a bpf FD.
But then it would receive a RTM_IFINFO message without the autoconf flag
set from when the interface came up. Then it will see another RTM_IFINFO
message with the autoconf flag set and request yet another bpf FD. If
the first bpf FD had not arrived yet we ended up with two in the frontend
process.
While here make sure a bpf FD has been received for an iface before
trying to close(2) it.
tweak & OK dv
tb [Thu, 14 Jul 2022 14:49:09 +0000 (14:49 +0000)]
Zap trailing whitespace
mvs [Thu, 14 Jul 2022 13:52:10 +0000 (13:52 +0000)]
Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.
No functional changes.
ok bluhm@
bluhm [Thu, 14 Jul 2022 13:46:24 +0000 (13:46 +0000)]
Protect all writers to ifm_cur with a mutex. ifmedia_match() does
not return any pointers without lock anymore.
OK mvs@ mbuhl@
job [Thu, 14 Jul 2022 13:24:56 +0000 (13:24 +0000)]
Fix JSON output in filemode for TALs
OK claudio@
claudio [Thu, 14 Jul 2022 12:56:37 +0000 (12:56 +0000)]
More IPv6 scope_id fixes, now hopefully scope_id should be handled
correctly in kroute.c
OK tb@
mvs [Thu, 14 Jul 2022 11:03:15 +0000 (11:03 +0000)]
Turn pppoe(4) back to kernel lock. We can't predict netlock state within
pppoe_start(), so we can't use it for pppoe(4) data protection. Except
input path, pppoe(4) always accessed with kernel lock held, so grab it
around pppoeintr() too.
Interfaces should not use netlock for their data protection. They should
rely on kernel lock or implement their own.
ok bluhm@ bket@
mvs [Thu, 14 Jul 2022 10:52:21 +0000 (10:52 +0000)]
Replace tabs by spaces after "#define". No functional changes, just
prevent future diffs to be ugly.
ok bluhm@
claudio [Thu, 14 Jul 2022 09:16:09 +0000 (09:16 +0000)]
Time to bump version
tb [Thu, 14 Jul 2022 08:37:17 +0000 (08:37 +0000)]
Suppress output of the deprecated -tls1 option in usage() and help
output. The option wasn't documented in the manpage.
pointed out by jsing
tb [Thu, 14 Jul 2022 08:35:15 +0000 (08:35 +0000)]
Switch to using TLS_client_method()
Apparently, TLSv1_client_method() is used for historical reasons.
This behavior is no longer helpful if we want to know what ciphers
a TLS connection could use. This could change again after further
investigation of what the behavior should be...
ok beck jsing
tb [Thu, 14 Jul 2022 08:33:31 +0000 (08:33 +0000)]
Only run the client connection test with supported ciphers. Avoids test
breakage also noted by anton.
tb [Thu, 14 Jul 2022 08:08:26 +0000 (08:08 +0000)]
Document openssl ciphers -s
ok beck jsing
tb [Thu, 14 Jul 2022 08:07:54 +0000 (08:07 +0000)]
Add -s option to openssl ciphers
With this option, the command only shows the ciphers supported by the
SSL method.
ok beck jsing
deraadt [Thu, 14 Jul 2022 03:07:33 +0000 (03:07 +0000)]
sync
schwarze [Wed, 13 Jul 2022 22:05:53 +0000 (22:05 +0000)]
add .Xr links to SSL_CTX_set_security_level(3)
schwarze [Wed, 13 Jul 2022 21:51:35 +0000 (21:51 +0000)]
add a few .Xr links to new manual pages
schwarze [Wed, 13 Jul 2022 21:44:23 +0000 (21:44 +0000)]
In dsa.h rev. 1.34 (14 Jan 2022), tb@ provided DSA_bits(3).
Document it from scratch.
While here, merge a few details from the OpenSSL 1.1.1 branch, which
is still under a free license, into the documentation of DSA_size(3).
schwarze [Wed, 13 Jul 2022 21:17:03 +0000 (21:17 +0000)]
In x509_vfy.h rev. 1.54, tb@ provided X509_VERIFY_PARAM_get_time(3)
and X509_VERIFY_PARAM_set_auth_level(3). Document them.
For the latter, i included a few sentences from the OpenSSL 1.1.1
branch, which is still under a free license.
schwarze [Wed, 13 Jul 2022 20:54:39 +0000 (20:54 +0000)]
link three new manual pages to the build
schwarze [Wed, 13 Jul 2022 20:52:36 +0000 (20:52 +0000)]
Start documenting our new pet octopus, SSL_CTX_set_security_level(3).
Or should we call it a centipede?
Feedback and OK on a previous version from jsing@
and from our chief myriapodologist, tb@.
jsing [Wed, 13 Jul 2022 20:07:44 +0000 (20:07 +0000)]
Cast int64_t to uint64_t before negating.
Avoid undefined behaviour/integer overflow by casting an int64_t to
uint64_t before negating.
Fixes oss-fuzz #49043
ok tb@
schwarze [Wed, 13 Jul 2022 19:10:40 +0000 (19:10 +0000)]
Write documentation for EVP_PKEY_check(3), EVP_PKEY_public_check(3),
EVP_PKEY_param_check(3), and EVP_PKEY_security_bits(3) from scratch.
Move the documentation of EVP_PKEY_size(3) and EVP_PKEY_bits(3)
to the new manual page EVP_PKEY_size(3).
Merge the documentation of the related function pointers
from the OpenSSL 1.1.1 branch, which is still under a free license.
OK tb@ on the new page EVP_PKEY_size(3).
tb [Wed, 13 Jul 2022 18:38:20 +0000 (18:38 +0000)]
Simplify computation of max_pub_key = dh->p - 1.
ok jsing
schwarze [Wed, 13 Jul 2022 17:32:16 +0000 (17:32 +0000)]
New manual page written from scratch;
tb@ recently added these functions to libcrypto
and also provided feedback on my first draft of this page.
tb [Wed, 13 Jul 2022 14:28:09 +0000 (14:28 +0000)]
Remove #ifndef around the definition of OPENSSL_TLS_SECURITY_LEVEL.
We do not intend to make this a compile-time option.
Reminded by schwarze who asked about it
ok jsing
schwarze [Wed, 13 Jul 2022 13:47:59 +0000 (13:47 +0000)]
On May 4 14:19:08 2006 UTC, while fixing a security issue, djm@
provided the new public function DH_check_pub_key(3) in <openssl/dh.h>.
Sorry for being a bit tardy in documenting the new function.
Then again, OpenSSL doesn't document it either, yet.
While here, drop a HISTORY entry about a constant that
was renamed in OpenSSL 0.9.5. That's no longer relevant.
ajacoutot [Wed, 13 Jul 2022 13:36:12 +0000 (13:36 +0000)]
Fix apmd_flags example.
tb [Wed, 13 Jul 2022 11:20:00 +0000 (11:20 +0000)]
Do not make tables static so we can access them from regress.
jca [Wed, 13 Jul 2022 10:20:18 +0000 (10:20 +0000)]
Revert BUILD_LLDB use, don't push manual repair on all people building from source
Pointed out by sthen@
While make build indeed takes care of running make install in share/mk,
running make obj first would error out when encountering the unknown
BUILD_LLDB variable. I can wait a few days before committing this again.
kettenis [Wed, 13 Jul 2022 09:28:18 +0000 (09:28 +0000)]
Implement the fundamentals for suspend/resume on arm64. This uses PSCI
to turn off the secondary CPUs and suspend the primary CPU using the
CPU_OFF and SYSTEM_SUSPEND calls. A new "halt" IPI is added to turn off
the ssecondary CPUs. This IPI is implemented for the ampintc(4) and
agintc(4) interrupt controllers. Fulle suspend/resume support is only
implemented for ampintc(4). This is enough to suspend and resume boards
based on the Allwinner A64 SoC, provided the necessary wakeup interrupts
have been set up (not part of this commit).
ok patrick@
tb [Wed, 13 Jul 2022 06:40:24 +0000 (06:40 +0000)]
Enable Wycheproof primality tests.
tb [Wed, 13 Jul 2022 06:38:02 +0000 (06:38 +0000)]
Enable BPSW primality test.
ok jsing
tb [Wed, 13 Jul 2022 06:36:08 +0000 (06:36 +0000)]
Hook BPSW into BN_is_prime_fasttest_ex()
ok jsing
tb [Wed, 13 Jul 2022 06:32:54 +0000 (06:32 +0000)]
Link bn_bpsw.c to build
ok jsing
tb [Wed, 13 Jul 2022 06:32:15 +0000 (06:32 +0000)]
Implement the Baillie-PSW primality test
It has long been known that pure Miller-Rabin primality tests are
insufficient. "Prime and Prejudice: Primality Testing Under Adversarial
Conditions" https://eprint.iacr.org/2018/749 points out severe flaws
in many widely used libraries. In particular, they exhibited a method to
generate 2048-bit composites that bypass the default OpenSSL (and hence
LibreSSL) primality test with a probability of 1/16 (!).
As a remedy, the authors recommend switching to using BPSW wherever
possible. This possibility has always been there, but someone had to
sit down and actually implement a properly licensed piece of code.
Fortunately, espie suggested to Martin Grenouilloux to do precisely this
after asking us whether we would be interested. Of course we were!
After a good first implementation from Martin and a lot of back and
forth, we came up with the present version.
This implementation is ~50% slower than the current default Miller-Rabin
test, but that is a small price to pay given the improvements.
Thanks to Martin Grenouilloux <martin.grenouilloux () lse ! epita ! fr>
for this awesome work, to espie without whom it wouldn't have happened,
and to djm for pointing us at this problem a long time back.
ok jsing
tb [Wed, 13 Jul 2022 06:28:58 +0000 (06:28 +0000)]
Link bn_isqrt.c to build
ok jsing
tb [Wed, 13 Jul 2022 06:28:22 +0000 (06:28 +0000)]
Integer square root and perfect square test
This adds an implementation of the integer square root using a variant
of Newton's method with adaptive precision. The implementation is based
on a pure Python description of cpython's math.isqrt(). This algorithm
is proven to be correct with a tricky but very neat loop invariant:
https://github.com/mdickinson/snippets/blob/master/proofs/isqrt/src/isqrt.lean
Using this algorithm instead of Newton method, implement Algorithm 1.7.3
(square test) from H. Cohen, "A course in computational algebraic number
theory" to detect perfect squares.
ok jsing
jsg [Wed, 13 Jul 2022 03:56:21 +0000 (03:56 +0000)]
drm/i915: Fix a race between vma / object destruction and unbinding
From Thomas Hellstrom
51a405dea0ae54330b6441c5f7c3bb9ceadedce8 in linux 5.15.y/5.15.54
bc1922e5d349db4be14c55513102c024c2ae8a50 in mainline linux
jsg [Wed, 13 Jul 2022 03:53:37 +0000 (03:53 +0000)]
drm/amdgpu: vi: disable ASPM on Intel Alder Lake based systems
From Richard Gong
7a9e13b86536ce6dca54380f19d537b1c80caee3 in linux 5.15.y/5.15.54
aa482ddca85a3485be0e7b83a0789dc4d987670b in mainline linux
jsg [Wed, 13 Jul 2022 03:50:53 +0000 (03:50 +0000)]
drm/amd: Refactor `amdgpu_aspm` to be evaluated per device
From Mario Limonciello
0a9a60dcedaacde4b903337b7445cb431b4dd119 in linux 5.15.y/5.15.54
0ab5d711ec74d9e60673900974806b7688857947 in mainline linux
jsg [Wed, 13 Jul 2022 03:46:27 +0000 (03:46 +0000)]
drm/amd/vcn: fix an error msg on vcn 3.0
From tiancyin
f3647c369c178c1cdea7f6a60dc32d6118afac40 in linux 5.15.y/5.15.54
425d7a87e54ee358f580eaf10cf28dc95f7121c1 in mainline linux
jsg [Wed, 13 Jul 2022 03:44:50 +0000 (03:44 +0000)]
drm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw
From CHANDAN VURDIGERE NATARAJ
59bf2aca4b1c3eca28b337b5e797bb9b43d44f3b in linux 5.15.y/5.15.54
50e6cb3fd2cde554db646282ea10df7236e6493c in mainline linux
jsg [Wed, 13 Jul 2022 03:42:13 +0000 (03:42 +0000)]
drm/amd/display: Set min dcfclk if pipe count is 0
From Michael Strauss
f276634b12fa8f63988be9cf5492c7d60d5ad7b1 in linux 5.15.y/5.15.54
bc204778b4032b336cb3bde85bea852d79e7e389 in mainline linux
jsg [Wed, 13 Jul 2022 03:40:02 +0000 (03:40 +0000)]
drm/i915: Replace the unconditional clflush with drm_clflush_virt_range()
From Ville Syrjala
b33035945b0a6853f8f6f63fb3c3bc9ea869337e in linux 5.15.y/5.15.54
ef7ec41f17cbc0861891ccc0634d06a0c8dcbf09 in mainline linux
jsg [Wed, 13 Jul 2022 03:37:55 +0000 (03:37 +0000)]
drm/i915/gt: Register the migrate contexts with their engines
From Thomas Hellstrom
9cf3a1c1288e43af00d70a8520ea9efbea01615e in linux 5.15.y/5.15.54
3e42cc61275f95fd7f022b6380b95428efe134d3 in mainline linux
jsg [Wed, 13 Jul 2022 03:32:50 +0000 (03:32 +0000)]
drm/i915: Disable bonding on gen12+ platforms
From Matthew Brost
d839d15b50743164d7ad95f436ea284a2946c179 in linux 5.15.y/5.15.54
ce7e75c7ef1bf8ea3d947da8c674d2f40fd7d734 in mainline linux
bluhm [Tue, 12 Jul 2022 22:27:38 +0000 (22:27 +0000)]
Use __func__ in interface media debug printf().
bluhm [Tue, 12 Jul 2022 22:08:17 +0000 (22:08 +0000)]
Protect interface media list with a mutex. This is just a start
to make make media structures MP safe.
OK mvs@
jca [Tue, 12 Jul 2022 21:10:26 +0000 (21:10 +0000)]
Enter the lldb and lldb-server directories for make obj, even if not built
Apparently favored by deraadt@, pointed out by patrick@, ok patrick@
jca [Tue, 12 Jul 2022 21:06:04 +0000 (21:06 +0000)]
Only build lldb support libraries on archs where lldb is installed
Shaves off a significant amount of time (eg on riscv64) in base builds.
Note that you'll need bsd.own.mk rev 1.213 (which make build should take
care of).
ok miod@ patrick@
jca [Tue, 12 Jul 2022 21:01:37 +0000 (21:01 +0000)]
Introduce a BUILD_LLDB switch, currently active on amd64 and arm64
ok miod@ patrick@
jsing [Tue, 12 Jul 2022 18:43:56 +0000 (18:43 +0000)]
Unbreak the tree, after the previous commit.
op [Tue, 12 Jul 2022 18:09:31 +0000 (18:09 +0000)]
grep: simplify printline, no functional changes
in the previous revision (1.66) I added an extra variable to track
wether we have printed the separator or not. Well, that's what the `n'
variable is for, so no need to duplicate the logic.
tb [Tue, 12 Jul 2022 17:49:33 +0000 (17:49 +0000)]
Zap trailing whitespace on one line to appease mandoc -Tlint
claudio [Tue, 12 Jul 2022 17:30:57 +0000 (17:30 +0000)]
Document announce add-path send
With input from jmc@ and sthen@
jca [Tue, 12 Jul 2022 17:14:12 +0000 (17:14 +0000)]
Use db_rint() in sfuart(4)
This lets me enter ddb(4) even when the riscv64 machines I manage get
unusable because of NFS.
Suggested by miod@, ok miod@ kettenis@
jca [Tue, 12 Jul 2022 17:12:31 +0000 (17:12 +0000)]
Add db_rint(), an MI interface to db_enter() copied from kdbrint() in vax code
If ddb.console is set and your serial console driver uses it, db_rint(),
lets you enter ddb(4) by typing the ESC D escape sequence. This is
useful for drivers like sfuart(4) where the hardware doesn't have a true
BREAK mechanism.
Suggested by miod@, ok kettenis@ miod@
florian [Tue, 12 Jul 2022 16:54:59 +0000 (16:54 +0000)]
Rewrite state machine in the style of dhcpleased(8).
It is less cluttered, easier to reason about and fixes some bugs in
passing that would have been difficult in the old state machine.
Stale IPv6 addresses, default routes and nameservers are now correctly
removed when moving from one IPv6 enabled network to another IPv6
enabled network.
Default routes and nameservers correctly expire when they are not
refreshed and nameservers are updated when router advertisements
change the nameserver option.
Testing & input caspar@
Putting it in now to get wider testing and shake out bugs, discussed
with deraadt@ at r2k22.
claudio [Tue, 12 Jul 2022 16:46:14 +0000 (16:46 +0000)]
Bump version number to 7.9
tb [Tue, 12 Jul 2022 16:08:19 +0000 (16:08 +0000)]
Move BN_lsw() to bn_lcl.h so that other code can use it.
ok jsing
kn [Tue, 12 Jul 2022 14:42:48 +0000 (14:42 +0000)]
Remove mkerr.pl remnants from LibreSSL
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
tb [Tue, 12 Jul 2022 13:31:38 +0000 (13:31 +0000)]
The asn1time test no longer needs static linking.
robert [Tue, 12 Jul 2022 11:52:14 +0000 (11:52 +0000)]
sync: add llvm-profdata
mvs [Tue, 12 Jul 2022 08:58:53 +0000 (08:58 +0000)]
Remove PIPEXCSESSION pipex(4) ioctl(2) command from kernel and man page.
Long time ago pipex(4) session can't be deleted until both pipex(4)
input and output queues become empty. Dead sessions were linked to the
stack and the `ip_forward' flag was used to prevent packets forwarding.
npppd(8) marked such sessions by doing PIPEXCSESSION ioctl(2) call.
But since we started to unlink close session from the stack, this logic
became unnecessary. Also pipex(4) session could be closed just after
close request.
npppd(8) was the only userland program which did PIPEXCSESSION ioctl(2)
call, and we removed it week ago. It's time to remove the remains.
Now the `flags' member of 'pipex_session' structure became immutable.
ok yasuoka@
jsg [Tue, 12 Jul 2022 05:45:49 +0000 (05:45 +0000)]
remove cache parts of struct cpu_info which were used by vmm
jsg [Tue, 12 Jul 2022 04:52:38 +0000 (04:52 +0000)]
allow cpuid 0x8000001d, cache topology on AMD
ok mlarkin@
jsg [Tue, 12 Jul 2022 04:46:00 +0000 (04:46 +0000)]
remove cache parts of struct cpu_info only vmm used
suggested by and ok mlarkin@
jsg [Tue, 12 Jul 2022 03:55:34 +0000 (03:55 +0000)]
recognise Cortex-A715 and Cortex-X3
kettenis [Mon, 11 Jul 2022 19:45:02 +0000 (19:45 +0000)]
Switch bootloaders to the extended BOOTARG_CONSDEV struct.
Make the EFI bootloader provide the extra parameters that are necessary
for using the non-standard UART on the AMD Ryzen Embedded V1000 SoCs.
ok anton@
sthen [Mon, 11 Jul 2022 19:31:19 +0000 (19:31 +0000)]
sync llvm-read{elf,obj} for i386
tobhe [Mon, 11 Jul 2022 18:19:47 +0000 (18:19 +0000)]
Generate P-256 ECDH keys for iked instead of reusing 2048 bit RSA keys
from isakmpd.
ok bluhm@
claudio [Mon, 11 Jul 2022 17:08:21 +0000 (17:08 +0000)]
Implement send side of RFC7911 ADD-PATH
This allows to send out more then one path per perfix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluete the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)
OK tb@
claudio [Mon, 11 Jul 2022 16:58:58 +0000 (16:58 +0000)]
Properly roll back in the add-path send case in up_dump_prefix()
When up_dump_prefix() runs out of space while filling out prefixes
a possible path_id needs to be removed from the buf or else a corrupted
UPDATE is sent out.
OK tb@
claudio [Mon, 11 Jul 2022 16:55:21 +0000 (16:55 +0000)]
Put the RFC9234 open policy handing in its own function
While there fix a spelling mistake and remove an extra check for new == NULL
and old == NULL. The caller make this check already.
OK tb@
claudio [Mon, 11 Jul 2022 16:51:01 +0000 (16:51 +0000)]
When dumping prefixes for bgpctl just use prefix_eligible() to know if
a prefix is eligible / valid.
OK tb@
claudio [Mon, 11 Jul 2022 16:47:27 +0000 (16:47 +0000)]
s/can not/cannot/ in comments. No functional change.
claudio [Mon, 11 Jul 2022 16:46:41 +0000 (16:46 +0000)]
Use newbest and oldbest instead of xp and active as variable names
for the best prefix before and after the decision process.
OK tb@
robert [Mon, 11 Jul 2022 14:43:24 +0000 (14:43 +0000)]
add llvm-profdata(1) to base so that ports can benefit from profiled builds
ok fcambus@, sthen@
mpi [Mon, 11 Jul 2022 11:33:17 +0000 (11:33 +0000)]
Simplify the aiodone daemon which is only used for async writes.
- Remove unused support for asynchronous read, including error conditions
- Grab the proper lock for each page that has been written to swap. This
allows to enable an assertion in uvm_page_unbusy().
- Move the uvm_anon_release() call outside of uvm_page_unbusy() and
assert for the different anon cases.
ok beck@, kettenis@
mpi [Mon, 11 Jul 2022 11:29:11 +0000 (11:29 +0000)]
Remove asynchronous read support in uvm_swap_get().
Reading pages from swap is always done synchronously. The fault handler
needs to sleep and PGO_SYNCIO is already asserted a couple of lines above.
ok beck@, kettenis@ as part of a larger diff.
stsp [Mon, 11 Jul 2022 11:28:37 +0000 (11:28 +0000)]
remove duplicate 'if (err)' line in iwm_auth()
spotted by waddlesplash at haiku-os
jmatthew [Mon, 11 Jul 2022 10:44:08 +0000 (10:44 +0000)]
r1.3 converted the clock rates from kHz to Hz, so we shouldn't multiply by
1000 to pass the rate to amptimer_set_clockrate(). Fixes the system clock
running too slow for ntpd to keep in sync.
ok patrick@
sthen [Mon, 11 Jul 2022 09:05:16 +0000 (09:05 +0000)]
Sync cert.pem with certdata.txt from the NSS release branch. OK tb@ bcook@
remove (expired):
/O=Cybertrust, Inc/CN=Cybertrust Global Root
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
remove:
/C=ES/O=Agencia Catalana de Certificacio (NIF Q-
0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC
/C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
add new root (existing CAs):
/C=TW/O=Chunghwa Telecom Co., Ltd./CN=HiPKI Root CA - G1
/C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 1 2020
/C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 1 2020
/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021
/C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS RSA Root CA 2021
/C=US/O=Internet Security Research Group/CN=ISRG Root X2
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
add (new CAs):
/C=TN/O=Agence Nationale de Certification Electronique/CN=TunTrust Root CA
/serialNumber=G63287510/C=ES/O=ANF Autoridad de Certificacion/OU=ANF CA Raiz/CN=ANF Secure Server Root CA
/C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum EC-384 CA
/C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum Trusted Root CA
/C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020
/C=CN/O=iTrusChina Co.,Ltd./CN=vTrus ECC Root CA
/C=CN/O=iTrusChina Co.,Ltd./CN=vTrus Root CA
/C=FI/O=Telia Finland Oyj/CN=Telia Root CA v2
replace with another cert with same CN (SHA1 vs SHA256):
/C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF
A62634068
bcook [Mon, 11 Jul 2022 05:33:14 +0000 (05:33 +0000)]
fix NULL return adding missing semicolon
ok tb@
daniel [Mon, 11 Jul 2022 03:11:49 +0000 (03:11 +0000)]
remove the "tbl" suffix for a few man pages
Over a decade ago, the build infrastructure had special logic to process
man pages that ended with the suffix "tbl".
This infrastructure is long gone and the special naming for these man pages
is no longer needed.
Revert the naming of these man pages for consistency with all other man
pages in the tree. As a bonus, we remove a few lines from some of the
Makefiles making them simpler.
ok jmc@, and no objection from schwarze@
mvs [Sun, 10 Jul 2022 21:28:10 +0000 (21:28 +0000)]
Add missing `pipex_list_mtx' mutex(9) around all sessions loop within
pipex_ip_output(). The all sessions loop was reworked to make possible
to drop the lock within.
ok bluhm@ yasuoka@.
mvs [Sun, 10 Jul 2022 21:26:55 +0000 (21:26 +0000)]
if_detach() should wait until concurrent (*if_qstart)() interface start
routines finished.
Call ifq_barrier(9) just after we unlinked dying interface from the stack.
From this point it is not accessible by if_get(9) and if_unit(9), and all
concurrent threads owning interface pointer finished. It also detached
from pseudo drivers like bridge(4). We only could have concurrent
(*if_qstart)() handlers running, so wait them and then continue
destruction.
Reported and tested by Hrvoje Popovski.
ok bluhm@
bluhm [Sun, 10 Jul 2022 21:13:41 +0000 (21:13 +0000)]
Add _cb suffix to callback fields in struct ifmedia. Makes code
easier to read and grep as ifm_status was used in both structs
ifmediareq and ifmedia with different meaning.
OK mvs@
krw [Sun, 10 Jul 2022 20:34:31 +0000 (20:34 +0000)]
Add some anti-feline input protection by refusing to process
input of excessive length.
Make 'args' parameter to Xfuncs const char * and do the multiple
argument parsing in Xswap() and Xflag() on a local copy.
mlarkin [Sun, 10 Jul 2022 20:16:15 +0000 (20:16 +0000)]
Remove trailing whitespace. No code change.
mlarkin [Sun, 10 Jul 2022 20:15:31 +0000 (20:15 +0000)]
Remove trailing whitespace. No code change.
mlarkin [Sun, 10 Jul 2022 20:14:16 +0000 (20:14 +0000)]
Remove trailing whitespace. No code change.
kn [Sun, 10 Jul 2022 19:51:37 +0000 (19:51 +0000)]
s/0/instance/ in usage to match manual synopsis
OK jmc
tb [Sun, 10 Jul 2022 18:40:55 +0000 (18:40 +0000)]
Annotate the security callback and the security ex_data as deliberately
not exposed in the public API.
krw [Sun, 10 Jul 2022 17:46:03 +0000 (17:46 +0000)]
Use nice #define's for input buf size and output help buf size.
No functional change.
schwarze [Sun, 10 Jul 2022 13:41:59 +0000 (13:41 +0000)]
In dsa.h rev. 1.38, tb@ provided DSA_meth_get0_name(3)
and DSA_meth_set1_name(3).
Merge the documentation from the OpenSSL 1.1.1 branch, which
is still under a free license, significantly tweaked by me.
visa [Sun, 10 Jul 2022 08:33:00 +0000 (08:33 +0000)]
Add missing device_unref() calls.
OK kettenis@