isakmpd: Bound check ID-payload memcmp()
Make sure the ID supplied by the peer is the size anticipated from
the configuration. Only apply memcmp() if the size matches.
Otherwise, reject the ID right away.
ok markus@
isakmpd: Bound check decode_* in policy_callback() and attribute_unacceptable()
Before decoding 16-bit or 32-bit TLV values, verify that the provided
values have proper minimum size.
ok markus@
isakmpd: Bound check decode_16() in ipsec_decode_attribute()
Before decoding a 16 bit TLV value verify that the provided value
is at least 16 bit in size.
The LIFE_DURATION attributes will already be validated individually,
so just pass them on.
ok markus@
isakmpd: Bound check decode_16() in ipsec_is_attribute_incompatible()
Before decoding a 16 bit TLV value verify that the provided value
is at least 16 bit in size.
ok markus@
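The four isakmpd messages above make one point: decide whether a peer-supplied length is acceptable before reading or comparing the bytes it describes. The following is an added example written for this page, not isakmpd code. It assumes a simplified TLV layout (2-byte type, 2-byte length, then the value, all big-endian) and uses attribute types 1 and 2 for 16-bit and 32-bit values; decode_16(), decode_32(), tlv_walk() and id_matches() are names chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example: 2-byte type, 2-byte length, value. */
#define TLV_HDR  4
#define ATTR_U16 1	/* example type carrying a 16-bit value */
#define ATTR_U32 2	/* example type carrying a 32-bit value */

static uint16_t
get16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t
get32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | p[3];
}

/* Refuse to read a 16-bit value from an attribute shorter than 2 bytes. */
int
decode_16(const uint8_t *value, size_t len, uint16_t *out)
{
	if (len < 2)
		return -1;
	*out = get16(value);
	return 0;
}

/* Same for 32-bit values: the minimum size is 4 bytes. */
int
decode_32(const uint8_t *value, size_t len, uint32_t *out)
{
	if (len < 4)
		return -1;
	*out = get32(value);
	return 0;
}

/*
 * Walk a buffer of attributes. Every header and every declared value
 * length is checked against the bytes actually present before anything
 * is read. Returns the number of attributes accepted and leaves the sum
 * of the decoded values in *sum, or returns -1 on the first malformed
 * attribute so the caller can reject the whole payload.
 */
int
tlv_walk(const uint8_t *buf, size_t buflen, uint32_t *sum)
{
	size_t off = 0;
	int n = 0;

	*sum = 0;
	while (off < buflen) {
		if (buflen - off < TLV_HDR)
			return -1;	/* truncated header */
		uint16_t type = get16(buf + off);
		uint16_t len = get16(buf + off + 2);
		const uint8_t *value = buf + off + TLV_HDR;
		if (buflen - off - TLV_HDR < len)
			return -1;	/* declared length runs past the buffer */
		if (type == ATTR_U16) {
			uint16_t v;
			if (decode_16(value, len, &v) == -1)
				return -1;
			*sum += v;
		} else if (type == ATTR_U32) {
			uint32_t v;
			if (decode_32(value, len, &v) == -1)
				return -1;
			*sum += v;
		}
		/* unknown types are skipped by length, never decoded */
		off += TLV_HDR + len;
		n++;
	}
	return n;
}

/* Compare a peer-supplied ID with the configured one: size first, bytes second. */
int
id_matches(const uint8_t *peer, size_t peer_len, const uint8_t *cfg, size_t cfg_len)
{
	if (peer_len != cfg_len)
		return 0;
	return memcmp(peer, cfg, cfg_len) == 0;
}

int
main(void)
{
	/* constructed input: a 16-bit attribute declared with only one byte */
	uint8_t bad[] = { 0, ATTR_U16, 0, 1, 0x12 };
	uint32_t sum;
	printf("tlv_walk(bad) = %d\n", tlv_walk(bad, sizeof(bad), &sum));
	return 0;
}
```

The size check in id_matches() matters beyond memory safety: without it, a memcmp() over the configured length can walk past a shorter peer ID, and a comparison limited to the shorter length would accept any prefix.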
Implement ch_meta_locate() using some bit tricks to avoid branches and loops.
ch_haszero() first sets the high bit for every byte in lookup that is 0
and then uses a multiplication plus shift to compact these bits into the
output.
Also use a multiplication with 0x0101010101010101 instead of the memset().
Modern compilers produce the same code but older ones produce a bit simpler
code this way.
Based on a diff from Rango (kombucha at mm.st)
OK tb@
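An added example, not the libc code the message refers to, showing the two tricks it describes: broadcasting a byte with a multiply by 0x0101010101010101, marking every zero byte with its high bit, and gathering those eight high bits into one byte with a multiply and a shift. The function names ch_bcast(), ch_zero_bytes(), ch_haszero() and ch_first_zero(), the choice of an exact per-byte zero test, and the use of __builtin_ctz (GCC/clang) are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define ONES   0x0101010101010101ULL	/* one in every byte */
#define LOWS   0x7f7f7f7f7f7f7f7fULL	/* low seven bits of every byte */
#define HIGHS  0x8080808080808080ULL	/* high bit of every byte */
/*
 * Multiplying by GATHER moves bit 7 of byte i to bit 56+i: the set bits
 * sit at positions 49-7i, and no two partial products collide, so no
 * carries occur. Shifting right by 56 keeps exactly those eight bits.
 */
#define GATHER 0x0002040810204081ULL

/* Fill all eight bytes with b, the multiply that replaces memset(). */
uint64_t
ch_bcast(uint8_t b)
{
	return (uint64_t)b * ONES;
}

/*
 * Exact per-byte zero test, no cross-byte carries: a byte's low seven
 * bits plus 0x7f sets bit 7 unless they were all zero, OR-ing in the byte
 * itself covers the case where only bit 7 was set, and the final NOT
 * leaves 0x80 in exactly the bytes that were zero.
 */
uint64_t
ch_zero_bytes(uint64_t v)
{
	return ~(((v & LOWS) + LOWS) | v | LOWS);
}

/* Bit i of the result is set iff byte i of v is zero. */
unsigned
ch_haszero(uint64_t v)
{
	return (unsigned)((ch_zero_bytes(v) * GATHER) >> 56);
}

/*
 * The shorter textbook form, kept here for contrast: the subtraction
 * borrows upward from a zero byte, so bytes above the lowest zero byte
 * can be flagged too. Fine for "is there any zero byte", wrong when the
 * individual lanes are consulted.
 */
unsigned
ch_haszero_classic(uint64_t v)
{
	return (unsigned)((((v - ONES) & ~v & HIGHS) * GATHER) >> 56);
}

/* Index of the lowest zero byte, or -1 when none; only the final select branches. */
int
ch_first_zero(uint64_t v)
{
	unsigned m = ch_haszero(v);
	return m ? __builtin_ctz(m) : -1;
}

int
main(void)
{
	uint64_t v = 0x0000000000000100ULL;	/* byte 1 is the only non-zero byte */
	printf("exact 0x%02x classic 0x%02x first %d\n",
	    ch_haszero(v), ch_haszero_classic(v), ch_first_zero(v));
	return 0;
}
```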
isakmpd: Only call sa_isakmp_upgrade() when ISAKMP SAs actually exist
Informational and transactional exchanges do not have ISAKMP SAs.
Therefore only upgrade ISAKMP SAs when these actually exist.
ok markus@
Address CVE-2025-10263. This requires doing the TLB invalidation twice.
However, this has a considerable cost on some CPU cores (such as Apple's
M1/M2 and Qualcomm Snapdragon X) that aren't vulnerable. So bring over
the code patching infrastructure from amd64 and use it to NOP out the
additional TLB invalidation on CPUs that aren't vulnerable.
This also addresses errata on some older ARM CPU cores (that are
classified as unlikely to happen) on some cores that aren't vulnerable to
this particular CVE.
ok jca@, deraadt@
Check for errors returned by _asr_unpack_{header,query,rr}
dname_expand() is the main parsing function for DNS labels. Its errors
are propagated via unpack_dname() to _asr_unpack_query() and
_asr_unpack_rr().
Those two functions would also propagate the errors, but they were
then ignored by the callers which would continue parsing invalid DNS
data.
_asr_unpack_header has the same issue but the call chain is shorter.
input & OK deraadt
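An added example of the parsing chain the message describes, written for this page rather than taken from libc/asr: dname_expand() returns -1 for a label or compression pointer that leaves the packet and for a pointer chain that loops, and unpack_query() passes that failure up instead of going on to read the type and class fields. The packet bytes are constructed for the example; the function names, the query struct and the hop limit of 16 are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Expand the compressed name at pkt[off] into a dotted string. Returns
 * the number of bytes the name occupies at `off` (the caller advances
 * past them), or -1 on malformed input.
 */
int
dname_expand(const uint8_t *pkt, size_t pktlen, size_t off, char *dst, size_t dstlen)
{
	size_t consumed = 0, pos = off, dlen = 0;
	int jumped = 0, hops = 0;

	if (dstlen < 2)
		return -1;
	for (;;) {
		if (pos >= pktlen)
			return -1;		/* ran off the end of the packet */
		uint8_t c = pkt[pos];
		if ((c & 0xc0) == 0xc0) {	/* compression pointer, 14-bit offset */
			if (pos + 1 >= pktlen)
				return -1;
			size_t ptr = ((c & 0x3f) << 8) | pkt[pos + 1];
			if (ptr >= pktlen || ++hops > 16)
				return -1;	/* pointer outside packet, or a loop */
			if (!jumped) {	/* bytes consumed stop at the first pointer */
				consumed = pos + 2 - off;
				jumped = 1;
			}
			pos = ptr;
			continue;
		}
		if (c & 0xc0)
			return -1;		/* 0x40/0x80 label types unsupported */
		pos++;
		if (c == 0)
			break;
		if (c > 63 || pos + c > pktlen)
			return -1;		/* label longer than the packet */
		if (dlen + c + 1 >= dstlen)
			return -1;		/* no room for label, '.' and NUL */
		memcpy(dst + dlen, pkt + pos, c);
		dlen += c;
		dst[dlen++] = '.';
		pos += c;
	}
	if (!jumped)
		consumed = pos - off;
	if (dlen == 0)
		dst[dlen++] = '.';		/* the root name */
	dst[dlen] = '\0';
	return (int)consumed;
}

struct query {
	char name[256];
	uint16_t qtype, qclass;
};

/* Unpack one question entry; every dname_expand() error is returned, never ignored. */
int
unpack_query(const uint8_t *pkt, size_t pktlen, size_t off, struct query *q, size_t *next)
{
	int n = dname_expand(pkt, pktlen, off, q->name, sizeof(q->name));
	if (n == -1)
		return -1;
	off += n;
	if (pktlen - off < 4)
		return -1;			/* type and class missing */
	q->qtype = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
	q->qclass = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
	*next = off + 4;
	return 0;
}

/* Constructed packet: header with qdcount 2, then "www.example.com" A
 * and "mail" + pointer to offset 16 ("example.com") MX. */
static const uint8_t sample_packet[] = {
	0x12,0x34, 0x01,0x00, 0x00,0x02, 0x00,0x00, 0x00,0x00, 0x00,0x00,
	3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
	0x00,0x01, 0x00,0x01,
	4,'m','a','i','l', 0xc0,0x10,
	0x00,0x0f, 0x00,0x01,
};

int
main(void)
{
	struct query q;
	size_t next = 12;
	while (next < sizeof(sample_packet) &&
	    unpack_query(sample_packet, sizeof(sample_packet), next, &q, &next) == 0)
		printf("%s type %u class %u\n", q.name, q.qtype, q.qclass);
	return 0;
}
```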
Import clang-scan-deps
Computes deps so that build systems may rebuild only what's needed after
changing a C++20 module. Needed by a small (4) but growing number of
ports and expected to be needed by a lot more in the future. Working
around the lack of it in base is especially awkward.
ok tb@ sthen@
Make msg_copyout() check the remaining space within the userland buffer.
Otherwise, if the userland buffer size is smaller than the message size,
we write data beyond its end.
Use `xfer' for chunk size like msg_copyin() does.
ok cludwig
crl_cb(): fix EXFLAG_CRITICAL mishandling
The EXFLAG_CRITICAL should be set on encountering a critical CRL
extension unsupported by the library. The current loop does the
opposite: it stops looking as soon as it finds the first critical
extension the library supports...
ok kenjiro
libcrypto/x509 regress: x509_crl regress from Boring via OpenSSL #1775
Currently expected to fail due to mishandling of unknown critical
extensions in x_crl.c, to be fixed shortly.
don't increment scatterlist length twice
this occurs as sg_dma_len() returns the length member of struct scatterlist
whereas on x86 linux it returns a dma_length member of the struct
Problem reported by Ryan Fahy in FreeBSD drm-kmod PR 468.
Avoids a 'Data modified on freelist' panic on boot when using discrete
Intel cards (DG2). DG2 has other issues, so remains disabled for now.
revert scatterlist dma_length changes
deraadt reports this caused 'flip_done timed out', 'commit wait timed out'
and a black screen when starting X on meteor lake
cpp: no longer default to -traditional
calendar(1) and xrdb(1) that use cpp as a generic macro processor
already call "/usr/libexec/cpp -traditional".
ok jsg@ deraadt@