sys/sparc64: accept ide nodes in IDE bootpaths
OpenBIOS reports QEMU IDE disks with an intermediate ide node, while the
sparc64 bootpath code only treats ata as a channel node.
The disk is attached as wd0, but the final disk component is not nailed
as the boot device, so the kernel asks for the root device.
No QEMU-level option seems possible to enforce an ata disk.
OK: claudio@

Clear last_modified after each response on a persistent HTTP connection
(In case a later response doesn't contain its own "Last-Modified" header field.)
Reported by Ties de Kock.
OK tb@ claudio@

When redrawing a whole pane line, fall into tty_draw_line for any
characters that are not plain ASCII. Fixes redraw issues with partial
tabs and other wide characters when a pane is partly outside the window.

more closely match how linux maps vram on xgmi parts
map cacheable not wc for xgmi parts connected to cpu on x86
don't try to map vram if there isn't any

fix multiple problems with testing hostkey types that are
not enabled by default.
1) Add all hostkey types in the "multiple hostkeys" subtest.
Previously known_hosts was accidentally clobbered, causing
only the last added hostkey type to be used.
2) Explicitly enable the hostkey types under test via
HostKeyAlgorithms

Fix various errors in redrawing:
- Fix the active pane colour when only two panes and scrollbars enabled.
- Clip left and right scrollbars the same for floating panes.
- Do not subtract scrollbar width twice when working out width of status
line.
- Check if a character is inside a visible range correctly (do not
include the next position outside the range).

Correct secondary key share handling for HelloRetryRequests.
With the introduction of a secondary key share, we fail to ensure that the
HelloRetryRequest does not specify the group that was used for the
secondary key share. We also fail to free the secondary key share early in
this case, meaning that it lingers in memory until the SSL is reset or
freed. Fix both of these issues.
ok tb@

Improve TLSv1.3 server handling of no shared groups.
While we currently correctly handle the no-shared-group case, it currently
fails late when we try to create the key share. Improve detection and
handling so that we fail sooner and send an alert to the client when
processing client key shares.
While here rename preferred_group_found to shared_group_found - we look for
the client preferred group, but any group that we select will always be in
the client list (even if it's the last one).
Reported by the tlspuffin team.
ok tb@

Send illegal parameter alerts for various HelloRetryRequest violations.
Be more RFC compliant and send illegal parameter alerts when the client
receives a HelloRetryRequest that requests a group that we did not offer
or a group that we sent a key share for in the ClientHello. These were
annotated as missing, but not previously implemented.
Prompted by a report from the tlspuffin team.
ok tb@
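The three libssl commits above revolve around two rules from RFC 8446: a server must pick a group that both sides support (and fail with an alert before building a key share if there is none), and a HelloRetryRequest may only name a group the client offered in supported_groups and did not already send a key share for, otherwise the peer must send an illegal_parameter alert. The C program below is an added illustration of those rules, not libssl's code; the group lists are constructed sample input, the numeric group identifiers are the IANA NamedGroup codes, and the alert numbers follow RFC 8446 section 6 rather than necessarily matching what libssl emits.

```c
/*
 * Added example (not libssl code): TLS 1.3 shared-group selection and
 * HelloRetryRequest group validation, RFC 8446 sections 4.1.1, 4.1.4 and
 * 4.2.8. All input lists below are constructed for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA NamedGroup values. */
#define TLS_GROUP_SECP256R1 0x0017
#define TLS_GROUP_SECP384R1 0x0018
#define TLS_GROUP_X25519    0x001d

/* AlertDescription values, RFC 8446 section 6. */
#define TLS_ALERT_HANDSHAKE_FAILURE  40
#define TLS_ALERT_ILLEGAL_PARAMETER  47

/* Constructed sample ClientHello contents and server policy. */
static const uint16_t sample_client_groups[] = {
	TLS_GROUP_X25519, TLS_GROUP_SECP256R1
};
static const uint16_t sample_key_shares[] = { TLS_GROUP_X25519 };
static const uint16_t sample_server_groups[] = {
	TLS_GROUP_SECP384R1, TLS_GROUP_SECP256R1
};

static int
group_in_list(uint16_t group, const uint16_t *list, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (list[i] == group)
			return 1;
	return 0;
}

/*
 * Server side: walk the client's supported_groups in the client's order
 * and take the first one the server also supports. Returns 1 and stores
 * the group in *selected, or 0 when nothing is shared so the caller can
 * send handshake_failure instead of trying to build a key share.
 */
int
select_shared_group(const uint16_t *client_groups, size_t nclient,
    const uint16_t *server_groups, size_t nserver, uint16_t *selected)
{
	for (size_t i = 0; i < nclient; i++) {
		if (group_in_list(client_groups[i], server_groups, nserver)) {
			*selected = client_groups[i];
			return 1;
		}
	}
	return 0;
}

/*
 * HelloRetryRequest group check. A client applies it to the group the
 * server selected; a server applies the same rule before sending an HRR,
 * so that it never asks for a group the client already sent a share for.
 * Returns 0 when the group is acceptable, otherwise the alert to send.
 */
int
check_hrr_group(uint16_t hrr_group, const uint16_t *offered, size_t noffered,
    const uint16_t *key_shares, size_t nshares)
{
	/* The group must have been offered in supported_groups ... */
	if (!group_in_list(hrr_group, offered, noffered))
		return TLS_ALERT_ILLEGAL_PARAMETER;
	/* ... and must not already have a key share in the ClientHello. */
	if (group_in_list(hrr_group, key_shares, nshares))
		return TLS_ALERT_ILLEGAL_PARAMETER;
	return 0;
}

int
main(void)
{
	uint16_t selected = 0;
	int alert;

	if (!select_shared_group(sample_client_groups, 2,
	    sample_server_groups, 2, &selected)) {
		printf("no shared group: alert %d\n",
		    TLS_ALERT_HANDSHAKE_FAILURE);
		return 1;
	}
	printf("server selected group 0x%04x\n", selected);

	/* Client offered a key share for x25519 only, so an HRR for the
	 * selected group is legitimate, while an HRR for x25519 is not. */
	alert = check_hrr_group(selected, sample_client_groups, 2,
	    sample_key_shares, 1);
	printf("HRR for 0x%04x: %s\n", selected, alert ? "reject" : "accept");
	alert = check_hrr_group(TLS_GROUP_X25519, sample_client_groups, 2,
	    sample_key_shares, 1);
	printf("HRR for 0x%04x: alert %d\n", TLS_GROUP_X25519, alert);
	return 0;
}
```

Running the program selects secp256r1 (the first client-preferred group the sample server also accepts), accepts an HRR naming it, and rejects an HRR naming x25519 with alert 47, which is the case the "secondary key share" commit above is about: once a share was sent for a group, a retry for that same group is a protocol violation.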

Mop up SSL_CTX_set_options(3).
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is now a no-op, tidy up
SSL_OP_LEGACY_SERVER_CONNECT and reflect the current state of SSL_OP_ALL.
Delete the entire "SECURE RENEGOTIATION" section that contained ancient
ramblings.
ok beck@ tb@

Remove SSL_OP_LEGACY_SERVER_CONNECT from default options.
Remove SSL_OP_LEGACY_SERVER_CONNECT from the default SSL options and the
SSL_OP_ALL define. This means that we will now refuse to connect to a
TLSv1.2 server if it does not support the Renegotiation Indication (RI)
extension. This prevents a class of attacks against TLS clients that are
talking to TLSv1.2-only servers that permit client initiated renegotiation.
Raised by Lucca Hirschi et al from Inria.
ok beck@ tb@

relayd: drain OpenSSL error queue on TLS failures
Borrowed from smtpd. Without draining we just log "RSA_meth_dup failed"
and lose the actual reason.
Wire ssl_error() into ca_engine_init(), which also kills a dead
RSA_meth_free() on a NULL pointer there, and into ssl_load_key()'s fail
path.
Tweaks and OK tb

relayd: use ibuf_get_string() and ibuf_get_data() to read imsg payloads
Drop the local get_string() and read variable-length string and binary
payloads through the ibuf getters instead of the raw imsg->data pointer.
ibuf_get_string() no longer trims the input at the first non-printable
byte like the old get_string() did; the payloads come from the parent
over privsep imsg.
idea and ok claudio