Make sure that only a CA without a CRL is being reported.
1. CRL verification takes places when provided. As OpenSSL
assumes that hidden CRLs may exist but a distribution point
is not mandatory there is no definitive truth about the matter.
OpenSSL makes no effort to bridge this gap.
2. CRLs are anchored in the CA that is signing the certificate
underneath so printing when that check fails because no CRL
was provided is enough.
and the macro EN_SWABIPS.
The macro EN_SWABIPS is identical to IFF_LINK0 (also historically
IFF_LLC0) and we already have the parameter link0 to toggle IFF_LINK0.
These were inherited from 386BSD 0.1 and have never been used since
the very first FreeBSD release.
Reviewed by: adrian, #network
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D51368
(cherry picked from commit 8632e4e73a6934f3f9996a18932e36b04e6a3faf)
Remove an always-false check for whether the request has already
completed before sleeping. Even if the request is complete, the
response tag is updated while holding the channel lock, which is also
held here.
No functional change intended.
Sponsored by: Klara, Inc.
(cherry picked from commit 28c9b13b236d25512cfe4e1902411ff421a14b64)
Once a new vnode is visible from the mountpoint hash, we should set its
state from VSTATE_UNINITIALIZED to VSTATE_CONSTRUCTED. I do not think
this affects correctness at all, but the bug trips a check in
vop_unlock_debugpost(), previously hidden under options DEBUG_VFS_LOCKS.
Reviewed by: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D51720
(cherry picked from commit e2ac6de6e4edc1c6e7bfdfb0ec8fcf62f46d503f)
When the socket has a tunneling function attached, udp_append() drops
the inpcb lock before calling it. To keep the inpcb alive, we bump the
refcount. After commit 742e7210d0 we only dropped the reference if
the tunnel consumed the packet, but it needs to be dropped in either
case. if_ovpn is the only driver that can trigger this bug.
Fixes: 742e7210d0 ("udp: allow udp_tun_func_t() to indicate it did not eat the packet")
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51505
(cherry picked from commit e1751ef896119d7372035b1b60f18a6342bd0e3b)
It cannot be used safely, and Kyua doesn't even pretend to try.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: igoro
Differential Revision: https://reviews.freebsd.org/D51680
(cherry picked from commit 65bae451c23b8d61b2433259d8e707250660eeff)
Failing to reset the cookie between messages can lead to an attempt
to interpret a zeroed buffer as a struct nlattr, causing a length
calculation to underflow, resulting in a memcpy() call where the
length exceeds the actual size of the buffer.
MFC after: 1 week
PR: 283797
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D51634
(cherry picked from commit a8d90e32133b77a49c2551f22e59f72d65293b64)
In UDP server mode, openvpn implements the "multihome" option, which
makes it avoid binding to an address. Instead, the server socket is
bound to INADDR_ANY.
Today, when configuring a new peer and setting the source address,
sockaddr() returns the wildcard address, so the source address is
implicitly determined by the output interface. This doesn't work as one
would want if the WAN interface has multiple addresses and clients
connect to non-primary addresses.
Make multihome mode work properly: use the local address supplied by
openvpn in preference to that of the socket. We still fetch the port
number out of the socket.
PR: 273664
Reviewed by: kp
MFC after: 1 month
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51498
(cherry picked from commit 05b5d56c540335ed17acf843810901338bf862d5)
We do this elsewhere, so copy the pattern here.
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51496
(cherry picked from commit a7dfc570f2747668b2fdd8fde6e1954fcedb2378)
Description of net.inet.ip.fw.one_pass tunable refers only to dummynet(4),
while in reality is applicable on any divert-like packet action like
in-kernel nat, netgraph, reass, or similar.
Reviewed by: ae
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D51436
libarchive 3.8.1
New features:
#2088 7-zip reader: improve self-extracting archive detection
#2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support
#2403 zip writer: added LZMA + RISCV BCJ filter
#2601 bsdtar: support --mtime and --clamp-mtime
#2602 libarchive: mbedtls 3.x compatibility
Security fixes:
#2422 tar reader: Handle truncation in the middle of a GNU long linkname
(CVE-2024-57970)
#2532 tar reader: fix unchecked return value in list_item_verbose()
(CVE-2025-25724)
#2532 unzip: fix null pointer dereference (CVE-2025-1632)
#2568 warc: prevent signed integer overflow (CVE-2025-5916)
#2584 rar: do not skip past EOF while reading (CVE-2025-5918)
#2588 tar: fix overflow in build_ustar_entry (CVE-2025-5917)
#2598 rar: fix double free with over 4 billion nodes (CVE-2025-5914)
#2599 rar: fix heap-buffer-overflow (CVE-2025-5915)
Important bugfixes:
#2399 7-zip reader: add SPARC filter support for non-LZMA compressors
#2405 tar reader: ignore ustar size when pax size is present
#2435 tar writer: fix bug when -s/a/b/ used more than once with b flag
#2459 7-zip reader: add POWERPC filter support for non-LZMA compressors
#2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
#2539 libarchive: add missing seeker function to archive_read_open_FILE()
#2544 gzip: allow setting the original filename for gzip compressed files
#2564 libarchive: improve lseek handling
#2582 rar: support large headers on 32 bit systems
#2587 bsdtar: don't hardlink negative inode files together
#2596 rar: support large headers on 32 bit systems
#2606 libarchive: support @-prefixed Unix epoch timestamps as date strings
#2634 tar: Support negative time values with pax
#2637 tar: Keep block alignment after pax error
#2642 libarchive: fix FILE_skip regression
#2643 tar: Handle extra bytes after sparse entries
#2649 compress: Prevent call stack overflow
#2651 iso9660: always check archive_string_ensure return value
CVE: CVE-2024-57970, CVE-2025-1632, CVE-2025-25724,
CVE-2025-5914, CVE-2025-5915, CVE-2025-5916,
CVE-2025-5917, CVE-2025-5918
PR: 286944 (exp-run, main, libarchive 3.8.0)
Approved by: so
Security: FreeBSD-SA-25:07.libarchive
(cherry picked from commit 2e113ef82465598b8c26e0ca415fbe90677fbd47)
(cherry picked from commit 6dad4525a2910496ecf3c41de659aac906f6c1f4)
This is a small oversight in the transition to netlink; the non-netlink
implementation would explicitly flush its stdout as necessary to avoid
apparent long stalls in output when we end up fully-buffered. Adjust
the netlink implementation to do the same. This was noticed while
trying to triage failures in the wg-quick script.
Commit message by kevans, patch by author.
PR: 278265
Fixes: 091fec1188 ("route: switch transport protocol [...]")
Approved by: so
Security: FreeBSD-EN-25:14.route
(cherry picked from commit 97b61b22edba74c62adba1d022fb73541aa5ff93)
(cherry picked from commit dd695839efd80fe81143cd6c7a552c30df8448f6)
With the new 32-bit UEFI loader, it's convenient to have a sysctl to
figure out how we booted. Can be accessed at machdep.efi_arch
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1098
(cherry picked from commit b538d4911004ca541507166b8ec9689d2e87d1aa)
(cherry picked from commit 0e8890a425bc778d323566c881e26bad7c54baf2)
Approved by: so
Security: FreeBSD-EN-25:12.efi
Since commit 19df0c5abcb9d4e9 ("LinuxKPI: make __kmalloc() play by the
rules"), kmalloc() systematically allocates contiguous physical memory,
as it should. However, kvzalloc() was left defined in terms of
kmalloc(), which makes it allocate contiguous physical memory too. This
is a too stringent restriction, as kvzalloc() is supposed to be a simple
page-zeroing wrapper around kvmalloc().
According to Linux's documentation ("memory-allocation.rst"), kvmalloc()
first tries to allocate contiguous memory, falling back to
non-contiguous one if that fails. Thus, callers are already supposed to
deal with the possibility of non-contiguous memory being returned.
Reviewed by: bz
Fixes: 19df0c5abcb9 ("LinuxKPI: make __kmalloc() play by the rules")
MFC after: 10 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51247
(cherry picked from commit 986edb19a49c7d7d3050c759d9b0826283492ebf)
Forgotten on commit to main/-CURRENT:
PR: 277476
Pass VM_ALLOC_NORECLAIM to vm_page_alloc_noobj_contig() so that it
avoids reclaiming (currently, calling vm_reserv_reclaim_contig()).
According to Linux's documentation, __GFP_NORETRY should not cause any
"disruptive reclaim". alloc_pages() is called a lot from the amdgpu DRM
driver via ttm_pool_alloc(), which tries to allocate pages of the
highest order first and fallback to lower order pages (as allocating
contiguous physical pages is in fact not a requirement). This process
relies on failing fast, as requested by __GFP_NORETRY. See also related
commit 718d1928f874 ("LinuxKPI: make linux_alloc_pages() honor
__GFP_NORETRY").
Reviewed by: jeffpc_josefsipek.net, bz
MFC after: 10 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51246
(cherry picked from commit 4ca9190251bbd00c928a3cba54712c3ec25e9e26)
Forgotten on commit to main/-CURRENT:
PR: 277476
Replace priorities specified by a base priority and some hardcoded
offset value by symbolic constants. Hardcoded offsets prevent changing
the difference between priorities without changing their relative
ordering, and is generally a dangerous practice since the resulting
priority may inadvertently belong to a different selection policy's
range.
Since RQ_PPQ is 4, differences of less than 4 are insignificant, so just
remove them. These small differences have not been changed for years,
so it is likely they have no real meaning (besides having no practical
effect). One can still consult the changes history to recover them if
ever needed.
No functional change (intended).
MFC after: 1 month
Event: Kitchener-Waterloo Hackathon 202506
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45390
(cherry picked from commit 8ecc41918066422d6788a67251b22d11a6efeddf)
In a mixed lagg, its likely that ifcaps or hwassist may not
match between members. If this is true, the logical OR will
be short-circuited and if_hw_tsomax_update() will not be called.
Fix this by calling it inside the body of the if as well
Sponsored by: Netflix
(cherry picked from commit 78bdaa57cfbac759a6d79ecad2fae570e294a4b3)
It is possible to restart the installation process upon errors, when
installing normally through the `auto` script, or when installing a jail
with the `jail` script. However, some values obtained interactively from
the user or guessed by some scripts were kept in the environment when
restarting the process; this made it impossible to re-run some steps as
expected after the restart.
For instance, if a bad choice of mirror was made in the `mirrorselect`
phase, restarting the installer remembered the choice made, and would
never prompt for a different one again. Rebooting was then the only easy
way out of this situation.
This change restores a pre-defined list of environment variables when
restarting the installation process.
PR: 266987
Reviewed by: emaste
Approved by: philip (mentor)
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D42281
(cherry picked from commit 9de72af2cceb6fc4aead0990cccdf565531bc248)
When recursing into a directory to delete it, start by chmod'ing it to
0700. This fixes an issue where kyua is able to run, but not debug, a
test case that creates unwriteable directories, because when debugging
it tries (and fails) to delete the directory after the test completes.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: igoro
Differential Revision: https://reviews.freebsd.org/D51229
(cherry picked from commit 9bf14f2a475e221c48488984dc5a02a4608bb877)
Without the extra '\n' the dual-column ('REGD' '') are not properly
separated for dialog which leads to an [misleading] error hidden on
the command line:
Error: --menu bad arguments items number.
[Writing this I wonder why the dual-column input is needed].
It is still unclear as to where the error message quoted in PR287538
suddenly came from for 14.3-RELEASE given the code was broken since 2016
(or noone ever noticed or reported).
Looking at manual ifconfig output:
ifconfig wlan0 country GB regdomain Expected
-> ifconfig: unknown regdomain Expected
and "ifconfig: " gets stripped by the script, which means the regdomain
variable would have to be set to "Expected" or more likely to
"Expected eval: Use: not found" which looks like a concatination of
errors.
Sponsored by: The FreeBSD Foundation
Fixes: 95ee591e83
PR: 287538
Reviewed by: emaste, thj
Differential Revision: https://reviews.freebsd.org/D51313
(cherry picked from commit 5a1e2927d63ed6394b767088eb2d66676f275467)
For $reasons, we can't rely on flags in wireguard-tools for the kernel
side of WireGuard. Provide a mapping function that uses flags from the
kernel that we're building against and fail the operation if we made it
to the end without turning some wg(8) flag off.
Signed-off-by: Kyle Evans <kevans@FreeBSD.org>
Reviewed by: ivy (previous version), Jason A. Donenfeld, jhb
(cherry picked from commit f6d9e22982a1d0354c0199e94ebdb4474eaa74b9)
Update wireguard-tools to the latest version, which has some stubbed out support
for incremental Allowed-IPs updates that we would need to add kernel support
for.
(cherry picked from commit 137de4b34d45192985e21f6d6163533da547fbac)
This was recently added to Linux to improve incremental update support,
as you could previously add Allowed-IPs but not remove without replacing
the whole set (and thus, potentially disrupting existing traffic).
Removal is incredibly straightforward; we'll find it in p_aips first
to ensure that it's actually valid for this peer, then we'll delete it
from the radix tree before we remove the corresponding p_aips entry.
Reviewed by: Jason A. Donenfeld, jhb
(cherry picked from commit d15d610fac97df4fefed3f14b31dcfbdcec65bf9)
(cherry picked from commit d1ac3e245f084ee0637bde9a446687621358c418)
We'll re-use these in a future wg_aip_del() to perfectly reconstruct
what we expect to find in a_addr/a_mask.
Reviewed by: ivy, markj (both earlier version), Aaron LI, jhb
(cherry picked from commit 2475a3dab0d5c5614e303c0022a834f725e2a078)
The only difference in the wg_aip_add() call after IP validation is the
address family. Just pull that out into a variable and avoid the two
different callsites for wg_aip_add(). A future change will add a new
call for each case to remove an address from the peer, so it's nice to
avoid needing to repeat the logic for two different branches.
Reviewed by: Aaron LI, Jason A. Donenfeld, ivy, jhb, markj
(cherry picked from commit ba2607ae7dff17957d9e62ccd567ba716c168e77)
Create a state with an rtableid (i.e. fib) that doesn't exist on the receiving
side. This used to not be handled, and could provoke panics. Create such a
situation to ensure we still don't panic.
PR: 287981
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit f651e87be28dd6c3f466dc865b1a036089b892ff)
It's possible for a peer to send us a state update with an rtableid we don't
support (i.e. >= net.fibs).
Drop these updates rather than potentially crashing later by setting an invalid
fib number.
PR: 287981
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 4af4fefedd1bf14b5a27387075edde98744b722e)
This was broken in c63d67e137f3, the early returns prevent building the
media lists as expected.
The BASE-T parts of the patch were suggested by "cyric@mm.st", while I
am adding the additional 40G AOC, 1CX, autoneg and unknown PHY fixes
based on code inspection. There may be additional work left here for
Broadcom but this is certainly better than the returns.
PR: 287395
Reported by: mickael.maillot@gmail.com, cyric@mm.st
Tested by: Einar Bjarni Halldórsson <einar@isnic.is>
(cherry picked from commit 5e6e4f752833acc96f1efc893318d3f6b74b9689)
The header file might be included after linux/stddef.h or others are
included and the macros would be re-defined.
Sponsored by: The FreeBSD Foundation
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D50156
(cherry picked from commit 152e6197615570e7a2f5f1c6c2ed00ecee9dd10c)
Start using m_get3() instead of m_get2() as we may get up to 11K
frames and m_get2() only gives us up to MJUMPAGESIZE (8K).
Sponsored by: The FreeBSD Foundation
Discovered by: adrian with rtwn(4) [see D50049].
(cherry picked from commit 02382a0ac822b88e17d86643e27964eba18479e0)
For iwlwifi, rtw88, and rtw89 we can treat GCMP the same way as we
treat CCMP which allows us to re-use the CCMP code for now.
Add the missing case statements and factor out some common code.
Allow IEEE80211_CRYPTO_AES_GCM_128 through our filter of supported
cipher suites to announce it to net80211.
Sponsored by; The FreeBSD Foundation
(cherry picked from commit 29ddd583693aced69be48b545e1c7e7249bdfb9c)
Introduce an internal lkpi_ieee80211_wake_queues_locked() function
that can be used from context holding the wiphy lock.
Make linuxkpi_ieee80211_wake_queues() a wrapper with locking around
this.
Equally apply the wiphy lock to linuxkpi_ieee80211_wake_queue().
In lkpi_ieee80211_wake_queues() only wakeup the driver if the queue
is not empty; otherwise weird sideeffects can happen with some drivers.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit bc24342d96aa816b448bec4d32b1f5e4a5793886)
Update threshold values once we are associated.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 6e7a6a66b239180778bb31da9fa8544bbd977cde)
The joffoes changes are not (yet) merged if they will be. In order to
not break a possible future MFC of them, cast jiffies to unsigned long
already. They are only used in logging/debugging here.
Sponsored by: The FreeBSD Foundation
Fixes: dcc99bf830b2
Since b8dfc3ecf7031 we hold the wiphy lock over any key updates.
Assert that on function entry.
Given this invariant there is no need to recheck a kay under lock now,
as the first lookup already is under the lock, so simplify the code.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 284af342971d102702df950a2f1e5479eaabdf0b)
While we decided that we will not provide WEP support for the LinuxKPI
802.11 compat code, some of it is in there already (also because drivers
still support it). Put proper keylen checks in place as net80211 only
knows about WEP while LinuxKPI has WEP40 and WEP104.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit aaee0ed3d163a1d29ea74d7e4d2c3658a51cfb27)
Given there are still problems observed (at least in the Lab) adjust
crypto key handling routines and enhance logging with td_tid, jiffies.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 80386ed954aaa33b849877e8a86918de9365a087)
We set rx_nss to at least 1 and the sync functions for HT and VHT are
careful not to set it to 0. Rather than relying on that and any
possible future call to lkpi_sta_sync_from_ni() migrate the MAX()
call into the sync function after each standard level went through
to make sure that at the end we at least have rx_nss set to 1.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 34c150cc5fdb3c599bb6ff14eb56afee00c45258)
While we could select our own channel width and station bandwidth
indepedent of net80211 that is not a good idea and will lead to
trouble. Make sure the station bandwidth we select does not
exceed the bandwidth of the channel we are tuned into.
Now that VHT160 work we may locally disable it (-vht160) and the
AP may still support it but we would be on a 80Mhz channel.
Or we do support VHT160 but the AP does not. Again we would be
on a 80Mhz channel and not support 160Mhz.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 9df0d1f3d1f3dd8823800210dd49e40170d5abd8)
