rpki-client: reject certs with duplicate extension OIDs
We check this for extensions we know about in cert_parse_extensions().
We keep doing it there since we need to keep track of the extensions we
encountered anyway.
While cert_parse_extensions() rejects certs with critical extensions we
don't know about, we allow duplicate non-critical ones mainly because
that's annoying to keep track of. LibreSSL's libcrypto checks for this
and rejects the cert when caching the extensions, OpenSSL 4 adds a new
EXFLAG_DUPLICATE flag and accepts the cert, and OpenSSL 3 simply ignores
duplicates. In short: we get to do it ourselves.
This check is basically lifted from libcrypto's x509_purp.c with a few
extra contortions due to const sprinkling and making things opaque. The
warnx is the same as the one already present in cert_parse_extensions().
We do not NULL check X509_EXTENSION_get_object() because the extension
parsed, so an OID is present.
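The check described above, as an added illustration that is not rpki-client's or libcrypto's code: a minimal DER walker over an X.509 Extensions SEQUENCE that compares each extnID against the ones already seen and reports a duplicate. rpki-client does this with libcrypto's X509_get_ext()/X509_EXTENSION_get_object(); the hand-rolled TLV parser here only exists so the example runs without OpenSSL. The sample byte strings are constructed (basicConstraints and keyUsage encodings, not taken from any real certificate), and the MAX_EXTS bound is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Parse one DER TLV from p[0..len). Stores the tag, a pointer to the
 * content and its length; returns the total bytes consumed, or 0 if the
 * encoding is malformed (truncated, indefinite length, or a length
 * field wider than size_t).
 */
static size_t
der_tlv(const uint8_t *p, size_t len, uint8_t *tag,
    const uint8_t **val, size_t *vlen)
{
	size_t hdr, l, n, i;

	if (len < 2)
		return 0;
	*tag = p[0];
	if (p[1] < 0x80) {
		l = p[1];
		hdr = 2;
	} else {
		n = p[1] & 0x7f;
		if (n == 0 || n > sizeof(size_t) || len - 2 < n)
			return 0;
		l = 0;
		for (i = 0; i < n; i++)
			l = (l << 8) | p[2 + i];
		hdr = 2 + n;
	}
	if (l > len - hdr)
		return 0;
	*val = p + hdr;
	*vlen = l;
	return hdr + l;
}

#define MAX_EXTS 64	/* assumption of this example, not a standard limit */

/*
 * Walk an Extensions SEQUENCE and compare the extnID of every Extension
 * against those already seen. Returns 1 if some OID occurs twice, 0 if
 * all OIDs are distinct, -1 if the encoding is malformed.
 */
int
exts_have_duplicate_oid(const uint8_t *der, size_t len)
{
	const uint8_t *seq, *ext, *oid, *seen[MAX_EXTS];
	size_t seqlen, extlen, oidlen, seenlen[MAX_EXTS], used, nseen = 0, i;
	uint8_t tag;

	used = der_tlv(der, len, &tag, &seq, &seqlen);
	if (used == 0 || used != len || tag != 0x30)
		return -1;
	while (seqlen > 0) {
		used = der_tlv(seq, seqlen, &tag, &ext, &extlen);
		if (used == 0 || tag != 0x30)
			return -1;
		/* extnID is always the first element of Extension. */
		if (der_tlv(ext, extlen, &tag, &oid, &oidlen) == 0 ||
		    tag != 0x06 || oidlen == 0)
			return -1;
		for (i = 0; i < nseen; i++)
			if (seenlen[i] == oidlen &&
			    memcmp(seen[i], oid, oidlen) == 0)
				return 1;	/* same OID seen before */
		if (nseen == MAX_EXTS)
			return -1;
		seen[nseen] = oid;
		seenlen[nseen++] = oidlen;
		seq += used;
		seqlen -= used;
	}
	return 0;
}

/* Constructed sample encodings (not from a real certificate). */
/* basicConstraints (2.5.29.19), critical, CA:TRUE */
#define EXT_BASIC_CONSTRAINTS \
	0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, \
	0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff
/* keyUsage (2.5.29.15), non-critical, BIT STRING 05 a0 */
#define EXT_KEY_USAGE \
	0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, \
	0x05, 0xa0

const uint8_t exts_ok[] = { 0x30, 0x1e, EXT_BASIC_CONSTRAINTS, EXT_KEY_USAGE };
const uint8_t exts_dup[] = { 0x30, 0x2b, EXT_BASIC_CONSTRAINTS, EXT_KEY_USAGE,
	EXT_KEY_USAGE };
/* Inner OID claims 5 bytes but only 1 follows: malformed. */
const uint8_t exts_bad[] = { 0x30, 0x05, 0x30, 0x03, 0x06, 0x05, 0x55 };
```

Comparing the raw OID content bytes rather than a decoded dotted string is deliberate: two encodings that differ in bytes are different OIDs under DER, and no decoding step can introduce a mismatch.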
[2 lines not shown]
Make sure UDP header length field at least covers the UDP header.
We clamp the amount of data we are willing to parse to the length of
the UDP packet as indicated by the UDP header length field. While we
made sure that the length field did not point past the received data,
we never checked if the length is smaller than the udp header. Since
we are using BPF, the kernel also does not do this for us. This might
in turn lead to an underflow and a subsequent crash of the engine
process.
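The underflow described in this message, shown side by side with the corrected check, as an added example that is not the engine's own code (the page does not identify the program). The vulnerable variant only verifies that the header length field does not exceed the captured data; the fixed variant also requires it to cover the 8-byte UDP header. The sample datagrams are constructed here; the field offsets follow RFC 768.

```c
#include <stddef.h>
#include <stdint.h>

/* UDP header length per RFC 768; the length field sits at offset 4. */
#define UDP_HDRLEN 8

static uint16_t
get_be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Before the fix: the header length field is trusted as long as it does
 * not point past the received data. A value below UDP_HDRLEN makes the
 * subtraction wrap to a huge size_t, and whatever parses the payload
 * next runs far past the buffer.
 */
size_t
udp_payload_len_unchecked(const uint8_t *buf, size_t caplen)
{
	size_t ulen;

	if (caplen < UDP_HDRLEN)
		return 0;
	ulen = get_be16(buf + 4);
	if (ulen > caplen)
		return 0;		/* the check that was already present */
	return ulen - UDP_HDRLEN;	/* wraps when ulen < UDP_HDRLEN */
}

/*
 * After the fix: the length field must also cover the UDP header itself.
 * Returns the number of payload bytes that may be parsed, or -1 for a
 * malformed datagram.
 */
long
udp_payload_len(const uint8_t *buf, size_t caplen)
{
	size_t ulen;

	if (caplen < UDP_HDRLEN)
		return -1;
	ulen = get_be16(buf + 4);
	if (ulen > caplen)
		return -1;		/* points past received data */
	if (ulen < UDP_HDRLEN)
		return -1;		/* the missing check */
	return (long)(ulen - UDP_HDRLEN);
}

/* Constructed sample datagrams (ports 67/68, as a DHCP relay would see). */
const uint8_t pkt_good[] = {		/* ulen = 12, 4 payload bytes */
	0x00, 0x43, 0x00, 0x44, 0x00, 0x0c, 0x00, 0x00, 'd', 'h', 'c', 'p'
};
const uint8_t pkt_short_ulen[] = {	/* ulen = 4 < UDP_HDRLEN */
	0x00, 0x43, 0x00, 0x44, 0x00, 0x04, 0x00, 0x00
};
const uint8_t pkt_long_ulen[] = {	/* ulen = 64 > captured 8 bytes */
	0x00, 0x43, 0x00, 0x44, 0x00, 0x40, 0x00, 0x00
};
```

The kernel performs this sanity check for sockets, but a BPF reader gets the frame as it arrived on the wire, so every header field, including lengths that are "obviously" at least the header size, has to be validated by the consumer.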
Pointed out and diff provided by Andrew Griffiths, thanks!
Tighten well-formedness checks on AIA & SIA extensions in certs
Valid Rsync URIs always contain a module component.
To avoid duplication of URI validation code, refactor rsync_base_uri()
to optionally allocate & dup the base URI portion.
Thanks to Ties de Kock for reporting.
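A worked version of the well-formedness rule stated above (an rsync URI must carry a host and a module component), as an added example that is not rpki-client's rsync_base_uri(). The function name rsync_uri_check, the optionally allocating base argument, the requirement that the module be terminated by '/', and the printable-character restriction are all assumptions of this example; the URIs in the tests are constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define RSYNC_PROTO "rsync://"

/*
 * Check that uri has the form rsync://host/module/[path]. If base is not
 * NULL, store a malloc'd copy of "rsync://host/module/" there so callers
 * that need the base can share the validation code with those that do
 * not. Returns 1 when valid, 0 otherwise.
 */
int
rsync_uri_check(const char *uri, char **base)
{
	const char *host, *module, *end, *p;
	size_t baselen, plen = strlen(RSYNC_PROTO);

	if (base != NULL)
		*base = NULL;
	if (strncmp(uri, RSYNC_PROTO, plen) != 0)
		return 0;
	host = uri + plen;
	module = strchr(host, '/');
	if (module == NULL || module == host)	/* empty host */
		return 0;
	module++;
	end = strchr(module, '/');
	if (end == NULL || end == module)	/* missing or empty module */
		return 0;
	/* Only printable, non-space characters in host and module. */
	for (p = host; p < end; p++)
		if (!isgraph((unsigned char)*p))
			return 0;
	if (base != NULL) {
		baselen = (size_t)(end + 1 - uri);
		if ((*base = malloc(baselen + 1)) == NULL)
			return 0;
		memcpy(*base, uri, baselen);
		(*base)[baselen] = '\0';
	}
	return 1;
}

/* Does uri validate and yield exactly the expected base URI? */
int
rsync_base_matches(const char *uri, const char *want)
{
	char *base;
	int ok;

	if (!rsync_uri_check(uri, &base))
		return 0;
	ok = strcmp(base, want) == 0;
	free(base);
	return ok;
}
```

A URI such as rsync://host/file.cer passes a naive "starts with rsync://" check but has no module, which is the shape this tightening rejects.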
OK tb@ claudio@
sys/sparc64: accept ide nodes in IDE bootpaths
OpenBIOS reports QEMU IDE disks with an intermediate ide node, while the
sparc64 bootpath code only treats ata as a channel node.
The disk is attached as wd0, but the final disk component is not nailed
as the boot device, so the kernel asks for the root device.
No QEMU level option seems possible to enforce ata disk.
OK: claudio@
Clear last_modified after each response on a persistent HTTP connection
(In case a later response doesn't contain its own "Last-Modified" header field.)
Reported by Ties de Kock.
OK tb@ claudio@
When redrawing a whole pane line, fall into tty_draw_line for any
characters that are not plain ASCII. Fixes redraw issues with partial
tabs and other wide characters when a pane is partly outside the window.
more closely match how linux maps vram on xgmi parts
map cacheable not wc for xgmi parts connected to cpu on x86
don't try to map vram if there isn't any
fix multiple problems with testing hostkey types that are
not enabled by default.
1) Add all hostkey types in the "multiple hostkeys" subtest.
Previously known_hosts was accidentally clobbered, causing
only the last added hostkey type to be used.
2) Explicitly enable the hostkey types under test via
HostKeyAlgorithms
Fix various errors in redrawing:
- Fix the active pane colour when only two panes and scrollbars enabled.
- Clip left and right scrollbars the same for floating panes.
- Do not subtract scrollbar width twice when working out width of status
line.
- Check if a character is inside a visible range correctly (do not
include the next position outside the range).