Stop printing the riscv,isa string; our code to do so is broken and the
string is now deprecated. Instead change hw.model to be the CPU core
name for cpu0 like we do on other architectures.
We'll revisit printing CPU features for riscv64 in the future.
ok jca@, mlarkin@
Add hw.blockcpu support for arm64. Here we classify CPU cores based on
their "capacity". This a concept borrowed from the device tree standard
that indicates the nominal performance of a CPU core. For ACPI machines
we use similar information from ACPI's Collaborative Processor Performance
Control (CPPC). If performance is less than 30% of the fastest cores in
the same we classify them as L. Between 30% and 80% we classify them as E.
And above 80% we classify them as P. The CPU capacity is communicated to
userland though kstat(4).
ok deraadt@, jca@
fix memory leak in config_purge() when dealing CONFIG_PROTOS
original diff from CypherFox (openbsd at cypher-fox com), thanks!
slightly rearranged to be a bit smaller by me, but still equivalent.
Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability.
We no longer support TLSv1.0 and definitely do not support SSLv3 - remove
the empty fragments workaround for the CBC vulnerability in these
protocols.
ok kenjiro@ tb@
Ensure that we cannot negotiate TLSv1.1 or lower.
TLS versions prior to TLSv1.2 were disabled a while ago, however this
was done in the version handling code. Remove TLSv1.1 and earlier from
ssl_get_method() and add an explicit min version check in the legacy
client and server, to provide a stronger guarantee.
ok kenjiro@ tb@
Add some new mouse ranges called "control0" to "control9", will be used
for controls on floating panes, from Dane Jensen, with some bits from
Michael Grant.
remove dup block that tries to close tls client ca fd
it's already closed and fd set to -1 a few lines above.
diff from Marc Jorge (openbsd [at] cypher-fox com), thanks!
Remove ssl_server_legacy_first_packet()
This has not been reachable since we made the TLSv1.3 stack the default
entry point - tls13_record_layer_read_record() will send a protocol
version alert and raise an error, which means we never transition into
the legacy stack.
ok kenjiro@
rpki-client: stop aligning variables in cert_parse_extensions()
While it looks a bit tidier if the variables are aligned with a tab in
the declarations, this is also a source of churn, so give up on this in
this function.
rpki-client: const for ext and OID in cert_parse_extensions()
This is the last step of sprinkling const for OpenSSL 4. Move the extension
retrieved via X509_get_ext() to a const. The extension is first passed to
the simple X509_EXTENSION_get_object() getter and in the extension parsers
to X509V3_EXT_d2i(). The OID is passed to the const correct OBJ_obj2nid()
and OBJ_obj2text().
discussed with claudio
rpki-client: cast extension passed to X509_EXTENSION_get_object()
Again this is currently a noop which is needed since this simple getter
isn't const correct in OpenSSL < 4 and LibreSSL and because OpenSSL 4
fixed this.
discussed with claudio
rpki-client: const correct cert extension handlers
The only reason the extension passed in wasn't const was X509V3_EXT_d2i(),
for which we now cast away const.
discussed with claudio
rpki-client: cast extension passed to X509V3_EXT_d2i()
This function has never modified the extensions. It only uses the extension's
object (OID) to retrieve the X509_EXT_METHOD and then calls the appropriate
d2i handler on the extension's value. OpenSSL 4 correctly added a const
qualifier to this function.
The cast is a noop right now, but once we switch the extension handlers'
signatures to take a const, this will generate a warning due to passing a
const pointer to a non-const function for OpensSL < 4 and LibreSSL.
Annotate the cast for our future selves.
discussed with claudio
rpki-client: rename certificate_policies() into cert_policies()
This is slightly more consistent with the remainder of the file.
All other extension handlers except those for ipAddrBlocks and
autonomousSysIds, which start with sbgp_ for historical reasons,
have a cert_ prefix.
discussed with claudio
rpki-client: cast away const for X509_get_X509_PUBKEY()
In cert_check_spki() the pubkey is a libcrypto-internal pointer hanging
off cert->x509, which is then passed to the very const-incorrect getter
X509_PUBKEY_get0_param(): that's a piece of art which hands back pointers
to things deeper down in the x509 - some of them const, some non-const.
OpenSSL 3 made its X509_PUBKEY argument const, but their X509_ALGOR **
still isn't. I don't believe they thought about this in #11894 as they
had a more important _cmp() vs _eq() bikeshed to sort out.
discussed with claudio
rpki-client: make the X509_NAME *xissuer const
X509_get_issuer_name() isn't const correct in LibreSSL and OpenSSL < 4
and it returns a modifiable X509_NAME *. The xissuer is only passed to
X509_NAME_oneline() which takes a const X509_NAME, so it can be const.
discussed with claudio
Fix leap year detection.
Found and initial diff from Alvar Penning, shorter diff from me (I
guess it's a matter of taste).
ok jca@, who would do it the same way.
If a fd satisfies both POLLIN and POLLOUT in the same cycle, but the
POLLIN resulted in a file close, the POLLOUT runs incorrectly which
matters in the TLS context which attempts to read after free.
from James J. Lippard
ok millert
Prevent integer overflow in regex repetition count
Limit the repetition count to 255 like POSIX does. Also avoid a
crash when the repetition is the first atom parsed.
From Renaud Allard.