OpenBSD/src ZFmTelU usr.sbin/httpd server_http.c parse.y

   Add "no banner" option to suppress Server header

   Introduces a global and per-server "[no] banner" directive that prevents httpd
   from sending the Server HTTP response header and removes server identification
   from error documents. The SERVER_SOFTWARE CGI environment variable remains set
   as required by RFC 3875.

   Diff by Lloyd (thanks), ok kirill@
Version Delta           File
1.156   +37 -10         usr.sbin/httpd/server_http.c
1.130   +26 -2          usr.sbin/httpd/parse.y
1.128   +25 -2          usr.sbin/httpd/httpd.conf.5
1.98    +8 -4           usr.sbin/httpd/server_fcgi.c
1.167   +3 -2           usr.sbin/httpd/httpd.h
1.67    +3 -1           usr.sbin/httpd/config.c
        +102 -21        6 files

OpenBSD/src k3kvecG usr.bin/tmux environ.c

   Do not remove TERM etc for commands run from config file, reported by
   Dennis Eriksen.
Version Delta           File
1.29    +1 -6           usr.bin/tmux/environ.c
        +1 -6           1 files

OpenBSD/src FEXDhwo usr.bin/tmux tmux.1

   session_index was never actually implemented, remove from man page.
Version Delta           File
1.1018  +2 -4           usr.bin/tmux/tmux.1
        +2 -4           1 files

OpenBSD/src ICqWqv3 sbin/unwind/libunbound/iterator iter_scrub.c

   Sync to unbound

   --------
   Fix incomplete mitigation of CVE-2025-11411 by applying the non-test part of
   https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_2_wtests.diff

   This extends the previous fix by also scrubbing unsolicited NS RRSets (and
   their respective address records) for YXDOMAIN and nodata non-referral answers.
   --------
Version Delta           File
1.11    +35 -4          sbin/unwind/libunbound/iterator/iter_scrub.c
        +35 -4          1 files

OpenBSD/src 9Ysgm8Z sbin/unwind/libunbound config.h, sbin/unwind/libunbound/iterator iter_scrub.c

   Sync to unbound 1.24.1; heavy lifting by sthen (some time ago)
Version Delta           File
1.24    +2,234 -2,222   sbin/unwind/libunbound/util/configlexer.c
1.22    +12 -1          sbin/unwind/libunbound/util/configparser.y
1.28    +3 -3           sbin/unwind/libunbound/config.h
1.21    +4 -1           sbin/unwind/libunbound/util/config_file.c
1.21    +3 -0           sbin/unwind/libunbound/util/config_file.h
1.10    +1 -1           sbin/unwind/libunbound/iterator/iter_scrub.c
        +2,257 -2,228   2 files not shown
        +2,259 -2,228   8 files

OpenBSD/src ghgoH3E lib/libcrypto/cms cms_smime.c

   Clean up confusing logic in CMS_EncryptedData_encrypt()

   This makes it easier to read and more in line with other code in
   libcrypto. Also add a missing error check for the CMS_set_detached()
   call.

   ok jsing kenjiro
Version Delta           File
1.31    +20 -15         lib/libcrypto/cms/cms_smime.c
        +20 -15         1 files

OpenBSD/src NptO551 lib/libcrypto/x509 x509_cpols.c

   Fix double free in certificate policies configuration

   In nref_nos(), nnums must not be freed on error because in the caller it
   is not->noticeref->noticenos and hangs off the POLICYQUALINFO qual which
   is freed as part of POLICYQUALINFO_free() in the error path.

   ok jsing kenjiro
Version Delta           File
1.20    +7 -12          lib/libcrypto/x509/x509_cpols.c
        +7 -12          1 files

OpenBSD/src 4esIFXQ sys/netinet6 nd6.c

   Ignore any iterator when traversing nd6 list.

   nd6_rtrequest() could crash with a NULL pointer dereference if an
   iterator in nd6_list was inspected.  Skip freeing neighbor discovery
   entries and optimization in this unlikely case and try again later.

   reported by Mischa and Anton Kasimov; OK mvs@
Version Delta           File
1.305   +4 -1           sys/netinet6/nd6.c
        +4 -1           1 files

OpenBSD/src NgnFcyU sys/arch/riscv64/riscv64 machdep.c

   If there is no /memory node in the device tree, use the EFI memory map to
   determine physmem.

   ok jca@
Version Delta           File
1.42    +20 -16         sys/arch/riscv64/riscv64/machdep.c
        +20 -16         1 files

OpenBSD/src c6nPYAR usr.bin/login login.c

   Use LOGIN_SETXDGENV in login(1)

   Makes XDG_RUNTIME_DIR usable from text consoles.
   "makes sense to me" landry@, ok matthieu@ robert@
Version Delta           File
1.75    +2 -2           usr.bin/login/login.c
        +2 -2           1 files

OpenBSD/src BgnK91w usr.sbin/httpd httpd.h

   Add missing GZIP_STATIC flag to SRVFLAG_BITS macro

   GZIP_STATIC flag at position \33 was missing from the debug string.

   Also correct the truncated PATH_REWRITE/NO_PATH_REWRITE flag names.
   The PATH_REWRITE and NO_PATH_REWRITE flag names were truncated to
   PATH and NO_PATH in the SRVFLAG_BITS string definition.

   OK kirill@ deraadt@
Version Delta           File
1.166   +4 -3           usr.sbin/httpd/httpd.h
        +4 -3           1 files

OpenBSD/src OZSn6EF usr.sbin/unbound/iterator iter_scrub.c

   Fix incomplete mitigation of CVE-2025-11411 by applying the non-test part of
   https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_2_wtests.diff

   This extends the previous fix by also scrubbing unsolicited NS RRSets (and
   their respective address records) for YXDOMAIN and nodata non-referral answers.
Version Delta           File
1.20    +35 -4          usr.sbin/unbound/iterator/iter_scrub.c
        +35 -4          1 files

OpenBSD/src pRkez35 regress/sys/arch/amd64/seves_mmio seves_mmio.c

   Add license and rcs header.

   ok tb
Version Delta           File
1.2     +18 -0          regress/sys/arch/amd64/seves_mmio/seves_mmio.c
        +18 -0          1 files

OpenBSD/src iia41eO usr.sbin/vmd loadfile_elf.c

   vmd(8): Use 32-bit direct kernel launch for both amd64 and i386

   When booted by /boot (or EFI boot loaders) both amd64 and i386
   kernels start in a 32-bit mode.

   When launching kernel directly (vmctl start -b <path>) vmd(8)
   configures a flat 64-bit register set as default register set.  The
   GDT provides a 32-bit flat code segment.

   For the i386 kernel the default register set is reconfigured to
   32-bit legacy mode; paging is enabled and uses 4 Mb pages.  This
   is different to i386 being booted by /boot.  /boot launches the
   i386 kernel with paging disabled.

   The amd64 kernel uses the default register set, i.e. long mode is
   enabled in EFER.  However, it uses the 32-bit code segment of the
   GDT.  Thus the kernel is effectively running in 32-bit compatibility
   mode.


    [15 lines not shown]
Version Delta           File
1.52    +17 -87         usr.sbin/vmd/loadfile_elf.c
        +17 -87         1 files

OpenBSD/src xQvkCEx usr.sbin/snmpd application.c application_agentx.c

   Implement appl_sysuptime() in favour of smi_getticks().
   appl_sysuptime() uses CLOCK_MONOTONIC instead of gettimeofday(), works
   on a per context basis as per RFC2741, and puts it in a sane namespace.

   Makes sense to tb@
   OK jmatthew@
Version Delta           File
1.44    +32 -6          usr.sbin/snmpd/application.c
1.17    +15 -12         usr.sbin/snmpd/application_agentx.c
1.41    +1 -18          usr.sbin/snmpd/smi.c
1.44    +3 -3           usr.sbin/snmpd/trap.c
1.121   +1 -3           usr.sbin/snmpd/snmpd.h
1.13    +2 -2           usr.sbin/snmpd/application_internal.c
        +54 -44         3 files not shown
        +58 -49         9 files

OpenBSD/src F26gqec usr.bin/make var.c make.1

   tweak make "magic variables" handling

   The idea is that it's shorter to special-case ${@D} and the likes
   (two characters variables ending in D or F) instead of having a weird
   idx encoding.

   Cons:
   - this yields an extra "ext" parameter to classify_var
   Pros:
   - the weird index encoding vanishes
   - no need for special treatment if we add more similar variables.
   - drastically reduces the size of the switch (and the modulo shrinks from
   82 to 36)
   - code will recognize constructs like ${?D} and ${?F}, which puts us in
   line with FreeBSD and NetBSD bmake, and also with gnu make.

   from espie
Version Delta           File
1.108   +39 -102        usr.bin/make/var.c
1.142   +18 -13         usr.bin/make/make.1
1.3     +1 -13          usr.bin/make/var_int.h
1.19    +1 -11          usr.bin/make/generate.c
1.66    +2 -2           usr.bin/make/Makefile
        +61 -141        5 files

OpenBSD/src DiERFrZ usr.bin/openssl cms.c

   openssl cms: switch to ASN1_STRING_get0_data()

   The deprecated ASN1_STRING_data() will be removed in a future release.
   This is one small step towards that.

   ok kenjiro
Version Delta           File
1.39    +3 -3           usr.bin/openssl/cms.c
        +3 -3           1 files

OpenBSD/src g9UuA1j usr.bin/openssl pkcs12.c

   openssl pkcs12: stop reaching into ASN1_STRING

   Buy a t: rename hex_prin() to hex_print() and accept an ASN1_STRING so that
   we only need to use accessors once. Also avoid a printf %s NULL.

   ok kenjiro
Version Delta           File
1.31    +17 -18         usr.bin/openssl/pkcs12.c
        +17 -18         1 files

OpenBSD/src MvsJhGc usr.bin/openssl ca.c

   openssl ca: mechanical change to stop reaching into ASN1_STRING

   ok kenjiro
Version Delta           File
1.63    +26 -21         usr.bin/openssl/ca.c
        +26 -21         1 files

OpenBSD/src 62ZrDdZ usr.bin/openssl asn1pars.c

   openssl asn1pars: don't reach into ASN1_STRING

   ok kenjiro
Version Delta           File
1.18    +4 -4           usr.bin/openssl/asn1pars.c
        +4 -4           1 files

OpenBSD/src qqCnah7 sys/net if_mpe.c if_mpw.c, sys/netmpls mpls_input.c

   refactor some mpls input processing for mpe/mpw/mpip.

   mpw, mpip, and mpe all add entries to the local mpls fib that points to
   themselves, and when these labels are "output" via these interfaces they
   then go and push the packets into their input processing. this is all
   boilerplate, so it can be factored out and better integrated into the
   larger network stack. in particular, we can pass struct netstack through
   to the input handlers.

   there's some small downsides to this. the main one is that using
   if_vinput to dispatch to their input handlers means the vinput
   handling has to cope with mpls encapsulated packets. this is easy
   except for mpw, where ether_ifattach does a lot of setup that has
   to be tweaked for mpls encapsulated ethernet packets.

   while here, this changes mpe output so it doesn't have to prepend the
   mbuf with the sockaddr it uses as the nexthop on the underlay. it only
   had to do that to carry the information across the ifq. if we just don't
   use ifq for output then this gets simplified a lot. the only downside is

    [4 lines not shown]
Version Delta           File
1.108   +73 -84         sys/net/if_mpe.c
1.69    +47 -36         sys/net/if_mpw.c
1.21    +30 -16         sys/net/if_mpip.c
1.81    +7 -11          sys/netmpls/mpls_input.c
        +157 -147       4 files

OpenBSD/src zyzGGZj usr.bin/ssh packet.c clientloop.c

   Add Escape option ~I that shows information about the current SSH connection.
   ok djm@, "I like/want" sthen@ florian@
Version Delta           File
1.324   +107 -1         usr.bin/ssh/packet.c
1.418   +12 -1          usr.bin/ssh/clientloop.c
1.445   +4 -2           usr.bin/ssh/ssh.1
1.104   +2 -1           usr.bin/ssh/packet.h
        +125 -5         4 files

OpenBSD/src x9CxLgw usr.bin/tmux tty.c

   Newer libevents do not allow event_del on a zero'd event.
Version Delta           File
1.451   +6 -3           usr.bin/tmux/tty.c
        +6 -3           1 files

OpenBSD/src uRPTCAA usr.bin/tmux server-client.c status.c

   Place cursor on correct line if message-line is not 0, reported by
   Alexis Hildebrandt.
Version Delta           File
1.436   +8 -8           usr.bin/tmux/server-client.c
1.253   +10 -5          usr.bin/tmux/status.c
1.1277  +2 -1           usr.bin/tmux/tmux.h
        +20 -14         3 files

OpenBSD/src MIk3AdG sys/arch/amd64/amd64 trap.c

   SEV-ES: Implement wbinvd in the trap handler

   When MP is enabled, OpenBSD uses the WBINVD instruction. With SEV-ES,
   this causes a VC trap if the hypervisor has the WBINVD intercept enabled.
   In the trap handler, simply forward the WBINVD exit to the hypervisor.

   From Sebastian Sturm

   ok mlarkin hshoexer
Version Delta           File
1.116   +11 -1          sys/arch/amd64/amd64/trap.c
        +11 -1          1 files

OpenBSD/src Pztg9yk lib/libcrypto/asn1 asn1_local.h, lib/libcrypto/cast cast_local.h

   libcrypto: add header guards to *_local.h

   An upcoming change requires the inclusion of asn1_local.h in x509_local.h
   which doesn't work due to missing header guards. Add guards to all local
   headers that don't have them, although reacharounds and multiple inclusions
   are unlikely to occur for most of those.

   ok jsing
Version Delta           File
1.11    +6 -1           lib/libcrypto/asn1/asn1_local.h
1.3     +6 -1           lib/libcrypto/cast/cast_local.h
1.9     +6 -1           lib/libcrypto/ct/ct_local.h
1.6     +6 -1           lib/libcrypto/dsa/dsa_local.h
1.71    +6 -1           lib/libcrypto/ec/ec_local.h
1.3     +6 -1           lib/libcrypto/idea/idea_local.h
        +36 -6          3 files not shown
        +54 -9          9 files

OpenBSD/src 5OdzV1h usr.bin/sndiod opt.c dev.c

   sndiod: Enable fall-back audio devices by default

   If the server.device control is used to switch to a new device, then
   sndiod will always try to use it first. If the device is not present
   sndiod will try to fall back to the previous one and so on until a
   working device is found.

   ok armani
Version Delta           File
1.16    +92 -37         usr.bin/sndiod/opt.c
1.126   +8 -55          usr.bin/sndiod/dev.c
1.52    +30 -26         usr.bin/sndiod/sndiod.c
1.19    +5 -11          usr.bin/sndiod/sndiod.8
1.11    +10 -2          usr.bin/sndiod/opt.h
1.50    +2 -7           usr.bin/sndiod/dev.h
        +147 -138       6 files

OpenBSD/src fAmmA4U usr.bin/tcpbench tcpbench.c

   raise the min number of connections to 1. 0 doesn't make sense.

   ok djm@
Version Delta           File
1.74    +2 -2           usr.bin/tcpbench/tcpbench.c
        +2 -2           1 files

OpenBSD/src XtWSjvr sys/net if_rport.c

   white space fixes, no functional change
Version Delta           File
1.8     +15 -15         sys/net/if_rport.c
        +15 -15         1 files

OpenBSD/src uI5yDuM sys/net if_veb.c

   allocate ifiqs for vport interfaces.

   there are some situations where vport will queue packets it has
   "received". this spreads the processing of them over the softnet
   threads.

   this is like what's done for lo(4) and rport(4)
Version Delta           File
1.59    +2 -1           sys/net/if_veb.c
        +2 -1           1 files