This feature has been requested many times over the years. Various patches
were provided by Asherah Connor, Rivo Nurges, Markus Läll and maybe others.
These patches always stalled for various reasons.
From Sören Tempel, mostly based on Asherah's latest patch.
ok florian tb
for offline machines if you can pull the snapshot or release to there there,
but want sysupgrade to locally perform signify validation before performing
the /home/_sysupgrade and other boot-upgrade steps.
ok florian
moved to ELF.
Move the a.out specific defines and macros, but the MID_xxx values, from
<sys/exec.h> to <a.out.h>, and update the few userland binaries which really
need these defines (i.e. boot-related tools for old architectures) to
explicitly include <a.out.h> when needed.
"Fine" deraadt@
EVP_PKEY_get0_* were made const correct in OpenSSL 3 and now cause the
build of rpki-client to emit warnings. Of course no one is able to see
these warnings because they are hidden in all the deprecation vomit.
Makes rpki-client build cleanly against OpenSSL 3 when configured with
--with-openssl-cflags=-DOPENSSL_SUPPRESS_DEPRECATED.
ok claudio deraadt job
This was hidden behind -v but it seems useful to always have this when
creating a new account.
As sthen points out in his previous commit:
This is useful if you want to set a CAA DNS record restricting
issuance to a specific user account.
OK deraadt
Single out the auth_config yacc rules. Even though this requires an
extra merge_auth_conf() function to handle manual IPsec setups but
even with that this seems like a net gain.
There is no rtr cache that does tcp md5 on OpenBSD so those bits remain
untested for now.
OK tb@
header sent by the server in response to the newAccount API call (used for
every cert request). This is useful if you want to set a CAA DNS record
restricting issuance to a specific user account, rather than just "all of
$whichever_acme_CA". ok florian
forward to the same key, or the key+.1. But sometimes you want to
update an older machine far forward (either with -s, or with -R), and
the required key might not exist on-disk. Since getting the key isn't
automated, people make some poor decisions to get the key. Previous
to 7.6 the situation was worse, (and obviously older releases will have
the old sysupgrade script, though you can copy this one to those machines
and it will work, but please do that securely..)
Moving forward this improves the workflow: a new set of keybundles
(signed by older keys) have been made available so that sysupgrade
can securely and automatically download the required key.
ok job tb beck sthen
An ASN1_INTEGER doesn't contain the ASN.1 encoding in its data. It contains
a BIGNUM. In particular, there's no padding octet for integers with the top
bit of the top octet set. Do the check the dumb way and check all the parts
individually: non-negative, not larger than 20 octets and bit 159 not set.
Reported by Tom Harrison
ok claudio job
SIOCAIFADDR_IN6 to configure an IPv6 address does everything SIOCIFAFATTACH
does, i.e. it enables IPv6 on the interface if not done so already.
vm.conf(5) 'local inet6' works as before.
OK mlarkin
Instead use struct auth_config and struct auth_state in the pfkey calls
and those tcp_md5 calls where it matters.
This is preparation work to allow RTR to use TCP MD5 as well.
OK tb@
First of all warn that a prefix was dropped. In the generate an update
code handle possible overflows of attributes and NLRI and withdraw the
affected prefix. This way the peer will not have stale data.
OK tb@
than the immediate +0.1. print an https://ftp.openbsd.org/... URL where
the new signify pubkey can be found if not present.
no guarantees: we only test +0.1, but jumping further does work quite
often (and if tight on disk, can work better than multiple steps) -
this avoids editing the script if you're going to do it anyway.
"Only upgrades from one version to the next are tested. Skipping
versions may work. Downgrading is unlikely to work."
discussed with deraadt chris florian, ok deraadt
The default is to install the next release. Snapshots are only
installed when invoked with -s.
The logic on what to do per default got out of hand and it was very
difficult to reason about what sysupgrade(8) actually did. deraadt@
then suggested that we should dumb it all down, sysupgrade(8) is there
to upgrade from one release to the next. More advance usage needs to
be requested by the user.
With all this simplification we can now be a bit more smart to work
out what the next release is. With that, snapshots right before a
release can be sysupgrade(8)'ed to the official release.
OK sthen on a previous version that was much more complicated but
allowed shortly-before-release -> release upgrade
testing sthen on this version
Guidance, prodding & OK deraadt
This extends the zic input format to add support for %z, which
expands to a UTC offset in as-short-as-possible ISO 8601 format.
It's intended to better support zones that do not have an established
abbreviation already. tzdata2024b and higher require a version of
zic that supports the %z format. From upstream tzcode. OK beck@
The CRL number draft clarified what ignoring means and it includes checking
that the CRL number is well-formed again. So do this but continue to ignore
the value for any other purpose. This refactors x509_convert_seqnum() into
a couple of helpers. There's some duplication between crl_check_crl_number()
and crl_parse_crl_number() which could be removed if anyone cares.
tweaks/ok job
To launch a guest with AMD SEV enabled, vmd needs to do a few things:
- retrieve ASID used by guest on VM creation
- provide ASID to psp(4)
- let psp(4) encrypt memory used intially by guest
- run guest
- release resources held by psp(4) on guest shutdown
To enable SEV for a guest use the parameter "sev" in the guest's vm
section in vm.conf.
from hshoexer@; OK mlarkin@
Calling malloc / reallocarray with a 0 size is not portable and the
memcpy with a possible NULL pointer as source and 0 len is seen as UB
by newer C standards (grmbl).
OK tb@
An announce PDU requires at least one provider ASnum while a withdraw
must not include any provider ASnums. The first is mandated by the ASPA
profile and the 2nd by the 8210bis draft.
Further cleanup some leftovers from the old per-AFI split of ASPA.
OK tb@
to be rechecked when a BGP route is added (or changed).
We need to revalidate nexthops on inserts (kroute_insert) and
on change (krX_change but only for AID_INET and AID_INET6 -- no nexthops
in the other tables) the nexthop needs to be updated.
Only validate nexthops if 'nexthop qualify via bgp' is enabled. For route
changes the code can depend on the F_NEXTHOP flag.
Fix for: https://github.com/openbgpd-portable/openbgpd-portable/issues/81
OK tb@
It is technically possible for a series of RRDP deltas and a snapshot
to diverge. An RRDP server could distribute files via Deltas and then
forget about those files, causing copies to remain stuck in the caches
of RRDP clients. Resetting RRDP sessions once every few weeks helps with
garbage collection.
In week 0 the probability of triggering re-initialization is ~0.025% and
doubles every week, in week 11 its 50% and always after week 12. Thus,
RPs will reinitialize at least once every 3 months.
OK tb@ claudio@
Using strtonum() instead of atoi() gives us an extra layer of bounds
checking for free while parsing an entry. This is in addition to
the existing bounds checking in set_range(). The step value is now
limited to the maximum range for an entry. If the field consists
of a range, the step must not be larger than the difference between
the high and low parts of the range. OK deraadt@
This lets us replace inet_aton with inet_pton since we do not need
inet_aton's flexibility.
phessler, sthen and Tom Smyth all confirm that they never came across
a different way of specifying an area.
OK claudio, deraadt
This lets us replace inet_aton with inet_pton since we do not need
inet_aton's flexibility.
phessler, sthen and Tom Smyth all confirm that they never came across
a different way of specifying an area.
OK claudio, deraadt
Also export the msgbuf queue len as a stats member so bgpctl does not need
to dig into the msgbuf structure inside struct peer.
This skips imsg related msgbuf since that will be handled by a imsgbuf
specific function.
OK tb@
In get_number(), reject values that are so large that they are
interpreted as negative numbers. In set_range(), step values smaller
than one or larger than the "stop" value are ignored. This prevents
bit_nset() from being called with out-of-range values.
Bug found by Dave G. of Supernetworks.
filtered prefixes in the Loc-RIB
This includes filtered prefixes into the Loc-RIB but they are marked
ineligible so nothing will select them but it is possible to show them
in bgpctl. So 'bppctl show rib filtered' will return all prefixes filtered
out by the input filters.
OK tb@
The min-version pins a minimal required version for rtr session. This is
needed if specific PDUs are required and it ensures that the session is
not suddenly downgraded. This is important for ASPA where a minimum
version of 2 is required. Only then the ASPA PDUs are transmitted.
By default a RTR version of 1 is used but setting min-version to 2
will enable draft-ietf-sidrops-8210bis-14 support and enforce it
at the same time. Right now defaulting to version 2 is not possible
since draft-ietf-sidrops-8210bis failed to progress for a too long
time resulting in split eco system with various incompatible RTR
version 2 implementations.
OK tb@
pf's rule names are limited by 32 characters, so lower the length bounds
for redirect names and tags that relayd accepts as valid config but would
later fail to load into pf. Also display the offending name on error.
from Mark Johnston
ok florian
Otherwise, it is possible to create a passwd(5) entry that is too
large for getpwent(3), which ignores database entries larger than
_PW_BUF_LEN. This adds a check in db_store() so that we do not
store an entry larger than getpwent(3) can read. Callers of
pwd_mkdb(8), typically via pw_mkdb(3), already check for failure.
In most cases, the checks in chpass(1) will prevent a user from
creating an entry that is too large by changing their gecos field.
However, it is only when storing the db record that we know the
true size.
OK deraadt@
The code path gcc is whining about ensures that the struct auth in
question is initialized, but the pile of garbage that is gcc's use
of uninitialized warnings can't figure that one out. Enough time on
this was wasted during the last few releases that silencing gcc with
annoying workarounds may be the lesser evil.
ok claudio
