openbsd/src/lib/libc/net, branch libressl-v3.7.0

openbsd/src/lib/libc/net, branch libressl-v3.7.0 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.7.0 2022-11-16T18:30:12+00:00 tolower(3) guarantees to return its argument unchanged if it's not 2022-11-16T18:30:12+00:00 florian 2022-11-16T18:30:12+00:00 urn:sha1:6f8d4c4c4cdd0843000799b6361ddf6edb10edcd uppercase. While here use the correct idiom of casting to unsigned char. OK millert, farewell to ultrix deraadt .Li -> .Vt where appropriate; 2022-09-11T06:38:11+00:00 jmc 2022-09-11T06:38:11+00:00 urn:sha1:62590e3e551e5acaf5ee4726dac3ed5fadbdf680 from josiah frentsos, tweaked by schwarze ok schwarze Fix typo in last commit. 2022-04-13T22:17:33+00:00 millert 2022-04-13T22:17:33+00:00 urn:sha1:60db7fb12f9323e67b80cf94592799f1e2f931ea inet_net_pton_ipv6: avoid signed vs unsigned comparison 2022-04-13T16:20:11+00:00 millert 2022-04-13T16:20:11+00:00 urn:sha1:61604225d69faf376476dc94f932171f19816004 Use a temporary variable to store the number of bytes to be copied (size_t) and also use it as the memcpy(3) length. Previously we copied "size" bytes instead of just the necessary number. OK claudio@ tb@ man pages: add missing commas between subordinate and main clauses 2022-03-31T17:27:26+00:00 naddy 2022-03-31T17:27:26+00:00 urn:sha1:3d8be07546f5ec331a0f851b0ea88212376ebb95 jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@ man pages: add missing word, The foo() ... -> The foo() function ... 2022-03-29T18:15:52+00:00 naddy 2022-03-29T18:15:52+00:00 urn:sha1:bdf85107fe61cee7a4395de94b85298d6592c8ae ok jmc@ schwarze@ A few sys/param.h annotations lacked ALIGNBYTES 2021-11-29T03:20:37+00:00 deraadt 2021-11-29T03:20:37+00:00 urn:sha1:3ff0ca30be40ac85767c463af5dda1f3a1c9fe6e Describe what RES_USE_DNSSEC does and how it's affected by trust-ad 2021-11-24T20:06:32+00:00 jca 2021-11-24T20:06:32+00:00 urn:sha1:757c7646fbdf4543d7d64d84a70fae57d5aa6849 ok florian@ Implement rfc6840 (AD flag processing) if using trusted name servers 2021-11-22T20:18:27+00:00 jca 2021-11-22T20:18:27+00:00 urn:sha1:ca02920211b601ee0c85b3f9e9730859d617b1c2 libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, ie clear the AD flag if the resolvers aren't trusted. By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad". AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, eg those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available. RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost. ok florian@ phessler@ Revert accidental change. 2021-10-25T14:41:09+00:00 jca 2021-10-25T14:41:09+00:00 urn:sha1:da5b44a9e9a9d701839763c8b3d2b856dd0a047d Dunno why this ended up here, cvs is always full of surprises.