Commits
- Commit:
4d9d3093d48025a1a66c125f7878a094cf2c9d10
- From:
- Omar Polo <op@omarpolo.com>
- Date:
resurrect landlock support
this time targetting ABI level 3; partially based on how claudio@
handled it in rpki-client. Fun how this bit of code has come full
circle (gmid inspired what I wrote for got, which inspired what was
written for rpki-client, which has come back.)
- Commit:
f9ab77a898ec008a445b3842afc21bb4eac60657
- From:
- Omar Polo <op@omarpolo.com>
- Date:
bundle libtls
gmid (like all other daemons that want to do privsep crypto) has a
very close relationship with libtls and need to stay in sync with
it.
OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD
instead of the older ECDSA_METHOD, on the gmid side we have to do
the same otherwise failures happens at runtime. In a similar manner,
privsep crypto is silently broken in the current libretls (next
version should fix it.)
The proper solution would be to complete the signer APIs so that
applications don't need to dive into the library' internals, but
that's a mid-term goal, for the immediate bundling the 'little'
libtls is the lesser evil.
The configure script has gained a new (undocumented for the time
being) flag `--with-libtls=bundled|system' to control which libtls
to use. It defaults to `bundled' except for OpenBSD where it uses
the `system' one. Note that OpenBSD versions before 7.3 (inclusive)
ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
- Commit:
9019e55e7ef1369c37f5a7d4c7b0e441d55d6b44
- From:
- Omar Polo <op@omarpolo.com>
- Date:
sync DISTFILES
- Commit:
603e4dd82f35107950dec17aa1492a321f0a9eb4
- From:
- Omar Polo <op@omarpolo.com>
- Date:
two more missing ge -> gemexp
- Commit:
f59543490d613d2af0c3954879e17ad9f0699c86
- From:
- Omar Polo <op@omarpolo.com>
- Date:
rename ge -> gemexp
gemserv is already taken...
- Commit:
e137cb0348e6269ec5059d9d0ea99f473e00d42a
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add missing -include titan.d
- Commit:
2ff1e2a9237514d5d473b2b3562ec767542b55bc
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add titan(1) -- a draft titan client
- Commit:
24f644dbb64379875f31f8b975c769371bbad164
- From:
- Omar Polo <op@omarpolo.com>
- Date:
there's no more any `static' target
- Commit:
c3d502d4556b4174bcd748fdd4c136ba9867ba20
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add a `lint' maintainer target to check the manpages
- Commit:
5a345722826201a4da926abc096aed76de3cdaa4
- From:
- Omar Polo <op@omarpolo.com>
- Date:
use REGRESS_HOST to specify the host to listen to; use in CI
some CI envs don't like `listen on localhost' but tolerate INADDR_ANY
or IN6ADDR_ANY_INIT.
- Commit:
f29d705e04b5fdb74980622803ddff3adb9fb09d
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add missing -include of *.d files
- Commit:
5dad390015970eb1e35f6e6fd9f8f28bf6e6db0e
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add `release' target
- Commit:
1610f9541d742906f7f683e9ad1ad2a29225ae8a
- From:
- Omar Polo <op@omarpolo.com>
- Date:
rework the configure script
now it resembles less oconfigure and more the configure scripts I'm
using in my recent projects. I'd argue it's more easy to use it.
- Commit:
86693a33abd5e8c31530adb3045c9f4664d4d6c9
- From:
- Omar Polo <op@omarpolo.com>
- Date:
add a privsep crypto engine
Incorporate the OpenSMTPD' privsep crypto engine. The idea behind
it is to never load the certificate' private keys in a networked
process, instead they are loaded in a separate process (the `crypto'
one) which signs payloads on the behalf of the server processes.
This way, we greatly reduce the risk of leaking the certificate'
private key should the server process be compromised.
This currently compiles only on LibreSSL (portable fix is in the
way).
- Commit:
cbb7f9fc28abffd18642b83eeb8fe22e8931540f
- From:
- Omar Polo <op@omarpolo.com>
- Date:
move logger() prototype to gmid.h and delete logger.h