X509_NAME_ENTRY_set_data: remove V_ASN1_APP_CHOOSE quirk
This is the last remaining actual use of ASN1_PRINTABLE_type(), which will
go away in the next major bump.
ok kenjiro
conf_api: remove CONF_DEBUG and disabling of assert()
The only thing CONF_DEBUG has done in ages is defining NDEBUG in a file
that does not contain a single assert. Kill it.
ok jsing kenjiro
relayd: fix relay_http_time() to emit GMT times again
The HTTP standard RFC 9110 requires GMT, in HTTP-date. We used to do this
until a recent modification to localtime.c changed GMT to UTC.
sync from httpd
Reimplement ASN1_PRINTABLE_type() dance in ca.c
In ca.c, there is some minimal validation of strings in the subject of
a certificate. ASN1_PRINTABLE_type() is silly API that only exists for
this one call. I want to remove a_print.c in the next major bump.
ASN1_PRINTABLE_type() returns V_ASN1_PRINTABLESTRING if all characters
belong to the specific subset of ASCII listed in X.680, 41.4, Table 10.
Otherwise it returns V_ASN1_T61STRING or V_ASN1_IA5STRING depending on
whether there is a character with the high bit set or not.
With this in mind, the logic in ca.c comes down to this: blindly allow
UTF-8, BMP and T61 strings. All other strings get rejected if the high
bit of some character is set, or if the string is printable and there
is a non-printable character.
ok jsing kenjiro
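To make the rule described above concrete, here is an added illustration (not the ca.c or LibreSSL code itself) that classifies a string the way the commit message says ASN1_PRINTABLE_type() does, and then applies the summarized ca.c acceptance rule. The tag values match the V_ASN1_* constants; the function names printable_type() and subject_string_ok() are chosen here for illustration.

```c
#include <stddef.h>
#include <string.h>

/* ASN.1 string tag numbers (same values as the V_ASN1_* constants). */
#define V_ASN1_UTF8STRING	12
#define V_ASN1_PRINTABLESTRING	19
#define V_ASN1_T61STRING	20
#define V_ASN1_IA5STRING	22
#define V_ASN1_BMPSTRING	30

/* X.680, 41.4, Table 10: the PrintableString character set. */
static int
is_printable_char(unsigned char c)
{
	if (c == '\0')
		return 0;
	if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	    (c >= '0' && c <= '9'))
		return 1;
	return strchr(" '()+,-./:=?", c) != NULL;
}

/*
 * Classify as ASN1_PRINTABLE_type() is described to: PrintableString if
 * every byte is in Table 10, otherwise T61String if some byte has the
 * high bit set, otherwise IA5String. (Illustrative reimplementation.)
 */
int
printable_type(const unsigned char *s, size_t len)
{
	int printable = 1, highbit = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		if (s[i] & 0x80)
			highbit = 1;
		if (!is_printable_char(s[i]))
			printable = 0;
	}
	if (printable)
		return V_ASN1_PRINTABLESTRING;
	return highbit ? V_ASN1_T61STRING : V_ASN1_IA5STRING;
}

/*
 * The subject-string check as the commit message summarizes it:
 * UTF-8, BMP and T61 strings pass unconditionally; any other string is
 * rejected if a byte has the high bit set, or if it is tagged as
 * PrintableString but contains a character outside Table 10.
 * Returns 1 if acceptable, 0 if rejected.
 */
int
subject_string_ok(int type, const unsigned char *s, size_t len)
{
	size_t i;

	if (type == V_ASN1_UTF8STRING || type == V_ASN1_BMPSTRING ||
	    type == V_ASN1_T61STRING)
		return 1;
	for (i = 0; i < len; i++)
		if (s[i] & 0x80)
			return 0;
	if (type == V_ASN1_PRINTABLESTRING)
		for (i = 0; i < len; i++)
			if (!is_printable_char(s[i]))
				return 0;
	return 1;
}
```

Note that the classification depends on the bytes, not on the tag: an IA5String containing an underscore is fine, but the same bytes tagged as PrintableString are rejected.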
httpd: fix server_http_time() to emit GMT times again
The HTTP standard RFC 9110 requires GMT, in HTTP-date. We used to do this
until a recent change to localtime.c changed GMT to UTC.
From Sören Tempel, ok sthen
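The relayd and httpd fixes above both concern the same thing: an HTTP-date must end in the literal "GMT" (RFC 9110 IMF-fixdate), and a format that takes the zone abbreviation from the C library can silently turn into "UTC". The following is an added example, not code from relayd or httpd, showing a formatter that writes the suffix explicitly. The names http_time() and http_time_matches() are chosen here for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Format t as an IMF-fixdate, e.g. "Sun, 06 Nov 1994 08:49:37 GMT".
 * gmtime_r() does the UTC conversion; the zone is written as the literal
 * "GMT" rather than with %Z, because the abbreviation attached to a
 * UTC broken-down time is an implementation detail (it may be "UTC").
 * Returns 0 on success, -1 on error.
 */
int
http_time(time_t t, char *buf, size_t len)
{
	struct tm tm;

	if (gmtime_r(&t, &tm) == NULL)
		return -1;
	if (strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT", &tm) == 0)
		return -1;
	return 0;
}

/* Does an HTTP-date string carry the mandatory " GMT" suffix? */
int
has_gmt_suffix(const char *s)
{
	size_t n = strlen(s);

	return n >= 4 && strcmp(s + n - 4, " GMT") == 0;
}

/* Convenience check: format t and compare against an expected string. */
int
http_time_matches(time_t t, const char *expected)
{
	char buf[64];

	if (http_time(t, buf, sizeof(buf)) == -1)
		return 0;
	return strcmp(buf, expected) == 0;
}
```

Day and month names come from strftime() in the "C" locale; a program that calls setlocale(LC_TIME, "") before formatting would need to pin LC_TIME back to "C" for these headers.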
Fix race in vmm(4) where
vmm(4) tracks the number of virtual machines and vcpus being emulated
at a given time. When the last known vm is terminated, it disables
virtualization extensions on all host cpus. Consequently, if the
virtualization extensions are not currently enabled on the current
host processor and a caller issues a VMM_IOC_CREATE ioctl(2), vmm(4)
will enable the extensions on all host cpus before proceeding with
creation.
The current method of counting known vms races with this check. A
caller issuing a VMM_IOC_CREATE ioctl(2) may be past the initial
check for extensions being active while another caller issuing a
VMM_IOC_TERM may be terminating the only running virtual machine.
The counter will reach zero, and the caller in the VMM_IOC_TERM
path will trigger the host-wide deactivation.
On Intel machines, this results in the vcpu initialization code
(executed by the VMM_IOC_CREATE caller) producing #UD as VMX-specific
[11 lines not shown]
pkcs7: add PKCS7_NO_DUAL_CONTENT flag/behavior
What Netscape fucked up just had to be embraced by secure boot and
other nonsense. First OpenSSL wanted to be strict (which we inherited)
then Rich Salz Postel-ized this and made OpenSSL bypass this check by
default and added a flag to be strict 10 years ago.
Now sthen found that PHP 8.5 uses/exposes this flag.
Follows OpenSSL 6b2ebe43 (2016)
ok kenjiro
In pmap_enter(), decide whether to map cache inhibited or not based upon the
presence of a matching vm_page, rather than comparing the physical address to
`last_addr'. This is a dependency upon a contiguous memory layout we don't need.
ok aoyama@
openssl: Remove -{,un}compress from cms "app"
We haven't supported compiling against zlib in a very long time. These
are the only two calls to CMS_{,un}compress(3) in the ecosystem. I am
going to remove these two API stubs in the next major bump.
ok jsing kenjiro
In _bus_dmamap_load_mbuf() of sparc64 check the M_PKTHDR flag before
using the m_pkthdr struct.
The reset of _dm_type and _dm_source should not depend on DIAGNOSTIC.
ok stsp@ and claudio@
netinet/ip.h: fix IPTOS_DSCP_VA value to be 0xb0
As the comment preceding this group of macros says: these are the 6 most
significant bits as they appear on the wire, so it's 0x2c << 2 == 0xb0,
matching the other entries in this list. This results in moving it to a
place that makes a bit more sense. Update comment to include RFC 5685.
Compare with RFC 2474, section 3, RFC 5685, section 4 and the values in
https://www.iana.org/assignments/dscp-registry/dscp-registry.xhtml
ok stsp
Apparently a store into a package element is supposed to simply store a
copy of the object being stored into the package element. Our current
code tries to convert the object to the current type of the package
element. However the current generation of thinkpads with Intel CPUs has
AML that tries to store an integer into a package element that is a package
itself. And such conversions aren't allowed.
While there, populate the index member of an AML_OBJTYPE_OBJREF object that
references a package element. This helped me verify this change and
should prevent further headscratching in the future.
ok armani@, mlarkin@
replace SRPs with SMRs for carp iface list hanging off an ethernet iface
this is possible now that if_vinput doesn't sleep.
carp_input is called by if_ether_input, which iterates over the
list of carp interface and checks if one of them should get the
packet, or if they should all get a copy of a multicast packet.
this traversal was done over an SRP list, but this replaces that
with an SMR based list. either way, if a carp interface is supposed
to receive a packet, it's done via a call to if_vinput during this
traversal.
i'm trying to replace SRPs with SMRs, but SMR critical sections
don't let you sleep, which if_vinput could do cos it used to run
the network stack.