<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/lib/libfetch/common.c, branch releng/13.5</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.5</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.5'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2023-10-05T15:55:33Z</updated>
<entry>
<title>libfetch: don't rely on ca_root_nss for certificate validation</title>
<updated>2023-10-05T15:55:33Z</updated>
<author>
<name>Michael Osipov</name>
<email>michael.osipov@siemens.com</email>
</author>
<published>2023-10-03T05:53:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=baf69f6c997392cde9ae75d3ebc25a8201c7cc99'/>
<id>urn:sha1:baf69f6c997392cde9ae75d3ebc25a8201c7cc99</id>
<content type='text'>
Before certctl(8), there was no system trust store, and libfetch
relied on the CA certificate bundle from the ca_root_nss port to
verify peers.

We now have a system trust store and a reliable mechanism for
manipulating it (to explicitly add, remove, or revoke certificates),
but if ca_root_nss is installed, libfetch will still prefer that to
the system trust store.

With this change, unless explicitly overridden, libfetch will rely on
OpenSSL to pick up the default system trust store.

PR:		256902
MFC after:	3 days
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D42059

(cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59)
</content>
</entry>
<entry>
<title>Remove $FreeBSD$: one-line .c pattern</title>
<updated>2023-08-23T17:43:26Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2023-08-22T01:31:41Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=3d497e17ebd33fe0f58d773e35ab994d750258d6'/>
<id>urn:sha1:3d497e17ebd33fe0f58d773e35ab994d750258d6</id>
<content type='text'>
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

Similar commit in main:
(cherry picked from commit 1d386b48a555)
</content>
</entry>
<entry>
<title>fetch: support EAI_ADDRFAMILY error, correct two error messages</title>
<updated>2022-12-03T15:17:10Z</updated>
<author>
<name>Mike Karels</name>
<email>karels@FreeBSD.org</email>
</author>
<published>2022-11-02T15:59:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=8d44502e7f6438e32bf1d9f48cbf341d3c985bed'/>
<id>urn:sha1:8d44502e7f6438e32bf1d9f48cbf341d3c985bed</id>
<content type='text'>
With the change to return EAI_ADDRFAMILY from getaddrinfo(), fetch
would print "Unknown resolver error" for that error.  Add that error
and its string to libfetch's table, using an #ifdef just in case.
Correct error strings for EAI_NODATA (although it is currently unused)
and EAI_NONAME.  Should maybe rework the code to use gai_strerror(3),
but that doesn't map directly, and the current strings are shortened.

Reviewed in https://reviews.freebsd.org/D37139 with related changes.

Reviewed by:    bz

(cherry picked from commit 631b82aca0fd41c8e0d48eebdb9c4e38b7306472)
</content>
</entry>
<entry>
<title>libfetch: Use memcpy in place of an odd strncpy.</title>
<updated>2022-11-11T18:18:54Z</updated>
<author>
<name>John Baldwin</name>
<email>jhb@FreeBSD.org</email>
</author>
<published>2022-10-03T23:10:43Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7cefb4bc4b1cf8c5e61a2dde8c84249712290319'/>
<id>urn:sha1:7cefb4bc4b1cf8c5e61a2dde8c84249712290319</id>
<content type='text'>
The length passed to strncpy is the length of the source string, not
the destination buffer.  This triggers a non-fatal warning in GCC 12.
However, the code is also odd.  It is really just a memcpy of the
string without its nul terminator.  For that use case, memcpy is
clearer.

Reviewed by:	imp, emaste
Differential Revision:	https://reviews.freebsd.org/D36824

(cherry picked from commit 611cf392672cf7aa52a593412fb2537546a7d6a4)
</content>
</entry>
<entry>
<title>Remove support for SSLv3 from fetch(3).</title>
<updated>2020-11-24T22:10:33Z</updated>
<author>
<name>Jung-uk Kim</name>
<email>jkim@FreeBSD.org</email>
</author>
<published>2020-11-24T22:10:33Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=fe85238ef758d1adead72be009d07c597fdba0bb'/>
<id>urn:sha1:fe85238ef758d1adead72be009d07c597fdba0bb</id>
<content type='text'>
Support for SSLv3 was already removed from OpenSSL (r361392).

Differential Revision:	https://reviews.freebsd.org/D24947
</content>
</entry>
<entry>
<title>Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE</title>
<updated>2020-10-27T11:29:11Z</updated>
<author>
<name>Stefan Eßer</name>
<email>se@FreeBSD.org</email>
</author>
<published>2020-10-27T11:29:11Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1f474190fc280d4a4ef0c214e4d7fff0d1237e22'/>
<id>urn:sha1:1f474190fc280d4a4ef0c214e4d7fff0d1237e22</id>
<content type='text'>
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.

This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.

In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.

This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.

Reviewed by:	imp
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D26942
</content>
</entry>
<entry>
<title>fetch(3): plug some leaks</title>
<updated>2020-02-21T18:21:57Z</updated>
<author>
<name>Kyle Evans</name>
<email>kevans@FreeBSD.org</email>
</author>
<published>2020-02-21T18:21:57Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=5ac6a2c94d36c885f1cdfd473b3bdcdf4c446082'/>
<id>urn:sha1:5ac6a2c94d36c885f1cdfd473b3bdcdf4c446082</id>
<content type='text'>
In the successful case, sockshost is not freed prior to return.

The failure case can now be hit after fetch_reopen(), which was not true
before. Thus, we need to make sure to clean up all of the conn resources
which will also close sd. For all of the points prior to fetch_reopen(), we
continue to just close sd.

CID:		1419598, 1419616
</content>
</entry>
<entry>
<title>fetch(3): don't leak sockshost on failure</title>
<updated>2020-02-15T19:47:49Z</updated>
<author>
<name>Kyle Evans</name>
<email>kevans@FreeBSD.org</email>
</author>
<published>2020-02-15T19:47:49Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=86fd2105dcebdecbcaf36d634d79515ace012e8f'/>
<id>urn:sha1:86fd2105dcebdecbcaf36d634d79515ace012e8f</id>
<content type='text'>
fetch_socks5_getenv will allocate memory for the host (or set it to NULL) in
all cases through the function; the caller is responsible for freeing it if
we end up allocating.

While I'm here, I've eliminated a label that just jumps to the next line...
</content>
</entry>
<entry>
<title>fetch(3): fix regression in IPv6:port spec from r357977</title>
<updated>2020-02-15T19:39:50Z</updated>
<author>
<name>Kyle Evans</name>
<email>kevans@FreeBSD.org</email>
</author>
<published>2020-02-15T19:39:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=3dc455e8974c1a4723f6703f47b2f667a61c934b'/>
<id>urn:sha1:3dc455e8974c1a4723f6703f47b2f667a61c934b</id>
<content type='text'>
In case the port was specified, we never actually populated *host. Do so
now.

Pointy hat:	kevans
</content>
</entry>
<entry>
<title>fetch(3): move bits of fetch_socks5_getenv around</title>
<updated>2020-02-15T19:31:40Z</updated>
<author>
<name>Kyle Evans</name>
<email>kevans@FreeBSD.org</email>
</author>
<published>2020-02-15T19:31:40Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0f3fa96016c82f700733941d4c148cefff4c4f1c'/>
<id>urn:sha1:0f3fa96016c82f700733941d4c148cefff4c4f1c</id>
<content type='text'>
This commit separates out port parsing and validation from grabbing the host
from the env var. The only related bit really is that we need to be more
specific with the delimiter in the IPv6 case.
</content>
</entry>
</feed>
