Make sure that only a CA without a CRL is being reported.
1. CRL verification takes place when provided. As OpenSSL
assumes that hidden CRLs may exist but a distribution point
is not mandatory there is no definitive truth about the matter.
OpenSSL makes no effort to bridge this gap.
2. CRLs are anchored in the CA that is signing the certificate
underneath so printing when that check fails because no CRL
was provided is enough.
libarchive 3.8.1
New features:
#2088 7-zip reader: improve self-extracting archive detection
#2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support
#2403 zip writer: added LZMA + RISCV BCJ filter
#2601 bsdtar: support --mtime and --clamp-mtime
#2602 libarchive: mbedtls 3.x compatibility
Security fixes:
#2422 tar reader: Handle truncation in the middle of a GNU long linkname
(CVE-2024-57970)
#2532 tar reader: fix unchecked return value in list_item_verbose()
(CVE-2025-25724)
#2532 unzip: fix null pointer dereference (CVE-2025-1632)
#2568 warc: prevent signed integer overflow (CVE-2025-5916)
#2584 rar: do not skip past EOF while reading (CVE-2025-5918)
#2588 tar: fix overflow in build_ustar_entry (CVE-2025-5917)
#2598 rar: fix double free with over 4 billion nodes (CVE-2025-5914)
#2599 rar: fix heap-buffer-overflow (CVE-2025-5915)
Important bugfixes:
#2399 7-zip reader: add SPARC filter support for non-LZMA compressors
#2405 tar reader: ignore ustar size when pax size is present
#2435 tar writer: fix bug when -s/a/b/ used more than once with b flag
#2459 7-zip reader: add POWERPC filter support for non-LZMA compressors
#2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
#2539 libarchive: add missing seeker function to archive_read_open_FILE()
#2544 gzip: allow setting the original filename for gzip compressed files
#2564 libarchive: improve lseek handling
#2582 rar: support large headers on 32 bit systems
#2587 bsdtar: don't hardlink negative inode files together
#2596 rar: support large headers on 32 bit systems
#2606 libarchive: support @-prefixed Unix epoch timestamps as date strings
#2634 tar: Support negative time values with pax
#2637 tar: Keep block alignment after pax error
#2642 libarchive: fix FILE_skip regression
#2643 tar: Handle extra bytes after sparse entries
#2649 compress: Prevent call stack overflow
#2651 iso9660: always check archive_string_ensure return value
CVE: CVE-2024-57970, CVE-2025-1632, CVE-2025-25724,
CVE-2025-5914, CVE-2025-5915, CVE-2025-5916,
CVE-2025-5917, CVE-2025-5918
PR: 286944 (exp-run, main, libarchive 3.8.0)
Approved by: so
Security: FreeBSD-SA-25:07.libarchive
(cherry picked from commit 2e113ef82465598b8c26e0ca415fbe90677fbd47)
(cherry picked from commit 6dad4525a2910496ecf3c41de659aac906f6c1f4)
This is a small oversight in the transition to netlink; the non-netlink
implementation would explicitly flush its stdout as necessary to avoid
apparent long stalls in output when we end up fully-buffered. Adjust
the netlink implementation to do the same. This was noticed while
trying to triage failures in the wg-quick script.
Commit message by kevans, patch by author.
PR: 278265
Fixes: 091fec1188929 ("route: switch transport protocol [...]")
Approved by: so
Security: FreeBSD-EN-25:14.route
(cherry picked from commit 97b61b22edba74c62adba1d022fb73541aa5ff93)
(cherry picked from commit dd695839efd80fe81143cd6c7a552c30df8448f6)
This change produced by melifaro and the commit is concerted with him
as he is pretty busy IRL these days.
The change restores performance of /sbin/ifconfig utility
for non-listing case after it switched from rtsock to netlink(4) API
in FreeBSD 14+.
PR: 287872
(cherry picked from commit b1b17432aa1be670564161232d110461a5dde4ce)
Approved by: so
Security: FreeBSD-EN-25:11.ena
(cherry picked from commit 59b30c1a864ee8a22c2e9912301cb88674f714c9)
(cherry picked from commit a1685d25601ee7abfaf6d6a993932ae3318e070e)
Patch 0a33c047a443 introduced new values to
hw.ena.force_large_llq_header. The default value of 2 means no
preference, while 0 and 1 act as the previous false and true
respectively, which allowed forcefully setting regular or large LLQ.
There are 2 ways to force the driver to select regular LLQ:
1. Setting hw.ena.force_large_llq_header = 0 via sysctl.
2. Turning on ena express, which makes the recommendation by the FW to
be regular LLQ.
When the device supports large LLQ but the driver is forced to
regular LLQ, llq_config->llq_ring_entry_size_value is never initialized
and since it is a variable allocated on the stack, it stays garbage.
Since this variable is involved in calculating max_entries_in_tx_burst,
it could cause the maximum burst size to be zero. This causes the driver
to ignore the real maximum burst size of the device, leading to driver
resets in devices that have a maximum burst size (Nitro v4 and on; see
[1] for more information).
In case the garbage value is 0, the calculation of
max_entries_in_tx_burst divides by 0 and causes kernel panic.
The patch modifies the logic to take into account all use-cases and
ensure that the relevant fields are properly initialized.
[1]: https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html
Fixes: 0a33c047a443 ("ena: Support LLQ entry size recommendation from device")
Sponsored by: Amazon, Inc.
Differential Revision: https://reviews.freebsd.org/D50040
Approved by: so
Security: FreeBSD-EN-25:11.ena
(cherry picked from commit 56c45700f2ae15755358f2da8266247613c564df)
(cherry picked from commit 3f4a674a8ee430dec7c72c45ffe759eabefa7a1f)
From the upstream pull request merges:
#17340 b144b160b Fix 2 bugs in non-raw send with encryption
Obtained from: OpenZFS
Approved by: so
Security: FreeBSD-EN-25:10.zfs
science/dlib-cpp reveals an interesting scenario that works fine on
other platforms but not on FreeBSD; notably, it ends up creating a new
global object from some destructor which is called during
__cxa_finalize. This breaks when libdlib is dlopen()ed and then
subsequently dlclose()ed, as we never end up invoking the created
object's dtor until program exit when the shlib is already unmapped.
Fix it by noting when we're in the middle of __cxa_finalize for a dso,
and then restarting the search if __cxa_atexit() was called in the
middle somewhere.
We wait until we've processed the initial set before starting over and
processing the newly added handlers as if it were a complete set of
handlers added during runtime. The alternative is calling them as
they're added to maintain a LIFO in terms of total ordering, but in
theory a constructor could add another global object that also needs to
be destroyed, and that object needs to be destroyed after the one that
constructed it to avoid creating unexpected lifetime issues.
This manifests in the pdlib PHP extension for dlib crashing, see [0].
[0] https://github.com/goodspb/pdlib/issues/39
PR: 285870
Reviewed by: kevans (also supplied commit message)
Approved by: so
Security: FreeBSD-EN-25:09.libc
(cherry picked from commit 23427c8e1fedb9fc68ad0bd27a59c7ffd2b3008c)
(cherry picked from commit c43ae65b4b89be422cdcd399a7abc44f6db4b298)
After the pf_state_insert() call we may not use these pointers again.
Explicitly NULL them to ensure we don't.
Also NULL them out if we free the keys directly.
Reviewed by: glebius, markj
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D49553
(cherry picked from commit 592418343348bcf4355c249f53cff89ed90ea1f5)
We (correctly) NULL out sk and nk before calling pf_return(), but that
function still tried to use them to undo NAT transformations.
Store the old port numbers and use those rather than sk/nk.
This is a partial import of e11dacbf8484adc7bbb61b20fee3ab8385745925
(osport/odport), and the missing parts of
bdea9cbcf2decafeb4da5a0280313efccc09e1b3.
Direct commit to stable/14.
PR: 287254
pf_state_insert() may free the state keys, it's not safe to access these
pointers after the call.
Introduce osrc/odst (similar to osport/odport) to store the original source and
destination addresses. This allows us to undo NAT transformations without having
to access the state keys.
Reviewed by: glebius, markj
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D49551
(cherry picked from commit bdea9cbcf2decafeb4da5a0280313efccc09e1b3)
As in f7174eb2b4c4 ("netinet: Do not forward or ICMP response to
INADDR_ANY"), the IPv6 stack should avoid sending packets to the
unspecified address. In particular:
- Make sure that we do not forward received packets to the unspecified
address; the check in ip6_input() catches this in the common case, but
after commit 40faf87894ff it's possible for a pfil hook to bypass this
check and pass the packet to ip6_forward() using the
PACKET_TAG_IPFORWARD tag.
- Make sure that we do not reflect packets back to the unspecified
address; RFC 4443 section 2.4 states that we must not generate error
messages in response to packets from the unspecified address.
Reviewed by: zlei, glebius
Reported by: Franco Fichtner <franco@opnsense.org>
MFC after: 1 month
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D49339
(cherry picked from commit b7a61e09e4ad5fda44b7f4b6fee14f1b53996b41)
if_unroute() is static since 2004 and is not used anywhere except for
if_down().
This also makes it easier to grep by the pattern `if_flags &= ~IFF_UP`.
No functional change intended.
Reviewed by: glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49356
(cherry picked from commit 0693c3f7cb3d9e5389863a0c131ddef799c77091)
A pool is not a zpool.
Reviewed by: jbh, ivy
Approved by: des (mentor)
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/1569
(cherry picked from commit f69afe4201ff33da0b3c3ca464a92e2e0b07ac43)
Only call sctp_gather_internal_ifa_flags() for IPv6 addresses and
also compile this code only when IPv6 is supported.
This fixes the compilation of IPv4 only kernels.
Reported by: bz@
Fixes: 6ab4b0c0df57 ("sctp: initilize local address flags correctly")
(cherry picked from commit 99c58ad021b2f7dc0496e16d313c5e28a552f0d0)
When reporting the local addresses of an endpoint (inp without
stcb), ignore unusable addresses.
(cherry picked from commit 8f5f6680efa28135bf37f3def2aa71f35bd30333)
When binding to an address which is not available, consistently use
EADDRNOTAVAIL.
(cherry picked from commit 79952cd7649b63fa312ecafcffb719f5060929d4)
Do not clear the SCTP_ADDR_IFA_UNUSEABLE flag, if it was set due
to the address being deprecated. Also don't declare tentative
addresses as unusable.
While there, clean up the code.
PR: 230242
(cherry picked from commit 9639de2a6f7eec8b2158782fbfab3419d507fdc5)
we have to use 'goto out' here rather than 'break' because otherwise
error is set to 0, which means the error is not propagated back to the
caller.
Reviewed by: kp
(cherry picked from commit 1408670c90ae38fd51ea6aaabe46757bc880608e)
previously these _KERNEL functions were inconsistent, with some having
parameter names and some not. fix this by giving them all names, per
style(9).
Reviewed by: thj, des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50219
(cherry picked from commit 8c7d193e3cbe3d1c9a7f7869f1748bebefabaccf)
ether_vlanid_t is a type to represent a VLAN ID, for example inside a
.1q tag. since this is specific to Ethernet, put it in net/ethernet.h.
change bridge to use the new type instead of uint{16,32}_t.
Reviewed by: adrian, kp
Differential Revision: https://reviews.freebsd.org/D49836
(cherry picked from commit 96f830456fd449c4cb5a7df8a2f6c3c96993b43e)
An updated rtw88 driver requires minimal changes to leds.h. On
the positive side we can now remove the __DUMMY from the enum as we
actually have a valid field name.
Sponsored by: The FreeBSD Foundation
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D50002
(cherry picked from commit 69880fede78fc769ad417e5a984fb9fee7815d8b)
This is needed for rtw89 updates.
Sponsored by: The FreeBSD Foundation
Reviewed by: emaste, zarychtam_plan-b.pwste.edu.pl
Differential Revision: https://reviews.freebsd.org/D50000
(cherry picked from commit c8e2458de590d7427ef3311412b8ddbc326cd3b5)
Driver updates introduce a new field "mlo" to the sta.
Add the field to the struct and initialize it in the 802.11 compat
code along with an IMPROVE so once we get to 11be we can deal with it.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 71034267d861c183297bb209770004751f0e30c5)
If the user accepts our offer of a shell to perform final configuration
tasks before rebooting, start a login shell. This ensures it will have
the correct PATH and be able to install packages without issues.
PR: 286722
MFC after: 3 days
Reviewed by: jrtc27, allanjude, emaste
Differential Revision: https://reviews.freebsd.org/D50297
(cherry picked from commit 5870d6a1ef4ec5d6fc91d0f1635bca59e09a040d)
Until July 2024, dhclient kept track of time as seconds-since-epoch as
a time_t. This was a problem because (a) we wanted sub-second timeouts
and (b) timeouts didn't always do the right thing if the system clock
changed.
Switching to using CLOCK_MONOTONIC and struct timespec fixed those
issues but introduced a new problem: CLOCK_MONOTONIC values were being
interpreted as seconds-since-epoch and written to the dhclient.leases
file, causing confusion with DHCP leases expiring in early 1970.
Attempt to compromise between these by keeping track of both times;
any type within dhclient which is a time_t now refers to seconds past
the epoch, while any struct timespec value is a CLOCK_MONOTONIC time.
PR: 283256
Reviewed by: dch
Fixes: f0a38976b01e ("dhclient: Use clock_gettime() instead of time()")
Sponsored by: Amazon
Differential Revision: https://reviews.freebsd.org/D49720
(cherry picked from commit 43d19e6a4c42ade0f276ceca18a09e2e3829fce4)
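The two-clock scheme described in the dhclient commit message above, as an added example that is not part of the original commit or of dhclient's code: a CLOCK_MONOTONIC deadline is converted to seconds past the epoch only at the point where it is persisted. The function names and the sample clock values are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

/* The bug pattern: a CLOCK_MONOTONIC deadline written out as if it were
 * seconds past the epoch. Monotonic time counts from an arbitrary start
 * (typically boot), so the persisted lease appears to expire in 1970. */
time_t buggy_lease_expiry(const struct timespec *deadline)
{
    return deadline->tv_sec;
}

/* The fix pattern: timers stay on the monotonic clock (immune to wall-clock
 * steps), and the deadline is translated to epoch seconds only when it is
 * persisted, using one paired sample of both clocks taken together. */
time_t lease_expiry_epoch(const struct timespec *deadline,
    const struct timespec *mono_now, time_t wall_now)
{
    time_t remaining = deadline->tv_sec - mono_now->tv_sec;

    if (deadline->tv_nsec < mono_now->tv_nsec)
        remaining -= 1; /* borrow: round a partial second down */
    return wall_now + remaining;
}

/* UTC calendar year of an epoch timestamp, to make the 1970 symptom visible. */
int year_of(time_t t)
{
    struct tm *tm = gmtime(&t);

    return tm != NULL ? tm->tm_year + 1900 : -1;
}

int main(void)
{
    /* Constructed sample: 4000 s of uptime, a 24-hour lease, and a wall
     * clock in mid-2025. A real client would read mono_now with
     * clock_gettime(CLOCK_MONOTONIC, ...) and wall_now with time(NULL). */
    struct timespec mono_now = { .tv_sec = 4000, .tv_nsec = 0 };
    struct timespec deadline = { .tv_sec = 4000 + 86400, .tv_nsec = 0 };
    time_t wall_now = 1750000000;
    time_t bad = buggy_lease_expiry(&deadline);
    time_t good = lease_expiry_epoch(&deadline, &mono_now, wall_now);

    printf("buggy expiry: %lld (year %d)\n", (long long)bad, year_of(bad));
    printf("fixed expiry: %lld (year %d)\n", (long long)good, year_of(good));
    return 0;
}
```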
The SUS doesn't mention this error code as a possible one [1]. The FreeBSD
manual page specifies a possible ECONNRESET for close(2):
[ECONNRESET] The underlying object was a stream socket that was
shut down by the peer before all pending data was
delivered.
In the past it had been EINVAL (see 21367f630d72), and this EINVAL was
added as a safety measure in 623dce13c64ef. After conversion to
ECONNRESET it had been documented in the manual page in 78e3a7fdd51e6, but
I bet wasn't ever tested to actually be ever returned, cause the
tcp-testsuite[2] didn't exist back then. So documentation is incorrect
since 2006, if my bet wins. Anyway, in the modern FreeBSD the condition
described above doesn't end up with ECONNRESET error code from close(2).
The error condition is reported via SO_ERROR socket option, though. This
can be checked using the tcp-testsuite, temporarily disabling the
getsockopt(SO_ERROR) lines using sed command [3]. Most of these
getsockopt(2)s are followed by '+0.00 close(3) = 0', which will confirm
that close(2) doesn't return ECONNRESET even on a socket that has the
error stored, neither it is returned in the case described in the manual
page. The latter case is covered by multiple tests residing in
tcp-testsuite/state-event-engine/rcv-rst-*.
However, the deleted block of code could be entered in a race condition
between close(2) and processing of incoming packet, when connection had
already been half-closed with shutdown(SHUT_WR) and sits in TCPS_LAST_ACK.
This was reported in the bug 146845. With the block deleted, we will
continue into tcp_disconnect() which has proper handling of INP_DROPPED.
The race explanation follows. The connection is in TCPS_LAST_ACK. The
network input thread acquires the tcpcb lock first, sets INP_DROPPED,
acquires the socket lock in soisdisconnected() and clears SS_ISCONNECTED.
Meanwhile, the syscall thread goes through sodisconnect() which checks for
SS_ISCONNECTED locklessly(!). The check passes and the thread blocks on
the tcpcb lock in tcp_usr_disconnect(). Once input thread releases the
lock, the syscall thread observes INP_DROPPED and returns ECONNRESET.
- Thread 1: tcp_do_segment()->tcp_close()->in_pcbdrop(),soisdisconnected()
- Thread 2: sys_close()...->soclose()->sodisconnect()->tcp_usr_disconnect()
Note that the lockless operation in sodisconnect() isn't correct, but
enforcing the socket lock there will not fix the problem.
[1] https://pubs.opengroup.org/onlinepubs/9799919799/
[2] https://github.com/freebsd-net/tcp-testsuite
[3] sed -i "" -Ee '/\+0\.00 getsockopt\(3, SOL_SOCKET, SO_ERROR, \[ECONNRESET\]/d' $(grep -lr ECONNRESET tcp-testsuite)
PR: 146845
Reviewed by: tuexen, rrs, imp
Differential Revision: https://reviews.freebsd.org/D48148
(cherry picked from commit 053a988497342a6fd0a717cc097d09c23f83e103)
Introduce the net.inet.tcp.bind_all_fibs tunable, set to 1 by default
for compatibility with current behaviour. When set to 0, all TCP
listening sockets are private to their FIB. Inbound connection requests
will only succeed if a matching inpcb is bound to the same FIB as the
request.
No functional change intended, as the new behaviour is not enabled by
default.
Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D48663
(cherry picked from commit 5dc99e9bb985dce58e8fc85c09ef4e49bf051971)
Clear the black box logging containing union rather than the u_bbr
structure for clarity and consistency. Currently u_bbr, u_raw, and
u64_raw are the same size.
No functional change intended.
Reviewed by: tuexen
Sponsored by: Netflix, Inc.
(cherry picked from commit 382af4d38b62675f00f64275793a6b5fccfe62fa)
As with net.inet.{tcp,udp}.bind_all_fibs, this causes raw sockets to
accept only packets from the same FIB.
Reviewed by: glebius
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D48707
(cherry picked from commit 4009a98fe80b8a51837d471076152e6ff505b675)