rpki-client: reject certs with duplicate extension OIDs
We check this for extensions we know about in cert_parse_extensions().
We keep doing it there since we need to keep track of the extensions we
encountered anyway.
While cert_parse_extensions() rejects certs with critical extensions we
don't know about, we allow duplicate non-critical ones mainly because
that's annoying to keep track of. LibreSSL's libcrypto checks for this
and rejects the cert when caching the extensions, OpenSSL 4 adds a new
EXFLAG_DUPLICATE flag and accepts the cert, and OpenSSL 3 simply ignores
duplicates. In short: we get to do it ourselves.
This check is basically lifted from libcrypto's x509_purp.c with a few
extra contortions due to const sprinkling and making things opaque. The
warnx is the same as the one already present in cert_parse_extensions().
We do not NULL check X509_EXTENSION_get_object() because the extension
parsed, so an OID is present.
[2 lines not shown]

Make sure UDP header length field at least covers the UDP header.
We clamp the amount of data we are willing to parse to the length of
the UDP packet as indicated by the UDP header length field. While we
made sure that the length field did not point past the received data,
we never checked if the length is smaller than the udp header. Since
we are using BPF, the kernel also does not do this for us. This might
in turn lead to an underflow and a subsequent crash of the engine
process.
Pointed out and diff provided by Andrew Griffiths, thanks!
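
The length check described in the commit message above, as an added example; it is not the code from that commit or from the OpenBSD tree. The function name `udp_payload_len`, the return convention and the sample datagrams are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define UDP_HDR_LEN 8	/* source port, destination port, length, checksum */

/*
 * Hypothetical helper: return the number of payload bytes that may be
 * parsed, or -1 if the datagram is malformed. buf points at the UDP
 * header, avail is the number of bytes captured from that point on.
 */
ssize_t
udp_payload_len(const uint8_t *buf, size_t avail)
{
	size_t udp_len;

	if (avail < UDP_HDR_LEN)
		return -1;		/* truncated header */

	/* Length field: bytes 4-5, network byte order, header included. */
	udp_len = ((size_t)buf[4] << 8) | buf[5];

	if (udp_len > avail)
		return -1;		/* points past the received data */
	if (udp_len < UDP_HDR_LEN)
		return -1;		/* else the subtraction below wraps */

	return (ssize_t)(udp_len - UDP_HDR_LEN);
}

/* Constructed sample datagrams; ports and checksum are arbitrary. */
static const uint8_t pkt_ok[]    = { 0x12,0x34, 0x56,0x78, 0,12, 0,0, 'd','a','t','a' };
static const uint8_t pkt_short[] = { 0x12,0x34, 0x56,0x78, 0,4,  0,0, 'd','a','t','a' };
static const uint8_t pkt_long[]  = { 0x12,0x34, 0x56,0x78, 0,64, 0,0, 'd','a','t','a' };
static const uint8_t pkt_hdr[]   = { 0x12,0x34, 0x56,0x78, 0,8,  0,0 };

int
main(void)
{
	printf("ok:    %zd\n", udp_payload_len(pkt_ok, sizeof(pkt_ok)));
	printf("short: %zd\n", udp_payload_len(pkt_short, sizeof(pkt_short)));
	printf("long:  %zd\n", udp_payload_len(pkt_long, sizeof(pkt_long)));
	printf("hdr:   %zd\n", udp_payload_len(pkt_hdr, sizeof(pkt_hdr)));
	return 0;
}
```
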

adjust handling of erlang's -wx subpackage. it doesn't actually build on
machines that don't have wxWidgets,-webview, so disable wx completely on
those archs, rather than try to build it without webview present (which
fails).
this both fixes the build, and allows DPB to attempt to build erlang (it
was previously disabling it due to webkitgtk4 not being available, for
some reason).
ok volker

Tighten well-formedness checks on AIA & SIA extensions in certs
Valid Rsync URIs always contain a module component.
To avoid duplication of URI validation code, refactor rsync_base_uri()
to optionally allocate & dup the base URI portion.
Thanks to Ties de Kock for reporting.
OK tb@ claudio@

sys/sparc64: accept ide nodes in IDE bootpaths
OpenBIOS reports QEMU IDE disks with an intermediate ide node, while the
sparc64 bootpath code only treats ata as a channel node.
The disk is attached as wd0, but the final disk component is not nailed
as the boot device, so the kernel asks for the root device.
No QEMU level option seems possible to enforce ata disk.
OK: claudio@