aboutsummaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
Diffstat (limited to 'contrib')
-rw-r--r--contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h5
-rw-r--r--contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp41
-rw-r--r--contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp44
-rw-r--r--contrib/pam-krb5/docs/pam_krb5.pod15
-rw-r--r--contrib/pam-krb5/module/auth.c6
-rw-r--r--contrib/pam-krb5/module/internal.h3
-rw-r--r--contrib/pam-krb5/module/options.c3
-rw-r--r--contrib/unbound/iterator/iter_scrub.c39
8 files changed, 109 insertions, 47 deletions
diff --git a/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h b/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
index 7ab63905ed4f..7d090ba682b3 100644
--- a/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
+++ b/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
@@ -78,6 +78,11 @@ public:
void AddHIPIncludeArgs(const llvm::opt::ArgList &DriverArgs,
llvm::opt::ArgStringList &CC1Args) const override;
+ bool IsAArch64OutlineAtomicsDefault(
+ const llvm::opt::ArgList &Args) const override {
+ return true;
+ }
+
UnwindTableLevel
getDefaultUnwindTableLevel(const llvm::opt::ArgList &Args) const override;
bool isPIEDefault(const llvm::opt::ArgList &Args) const override;
diff --git a/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp b/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
index 110e803b3354..0778eb320dcf 100644
--- a/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
+++ b/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
@@ -14,12 +14,13 @@
#include <sys/sysctl.h>
#include <sys/user.h>
-#include <machine/elf.h>
-
#include <cstdio>
#include <dlfcn.h>
#include <execinfo.h>
+#include "llvm/Object/ELF.h"
+
+#include "lldb/Host/FileSystem.h"
#include "lldb/Host/Host.h"
#include "lldb/Host/HostInfo.h"
#include "lldb/Utility/DataBufferHeap.h"
@@ -101,17 +102,33 @@ GetFreeBSDProcessArgs(const ProcessInstanceInfoMatch *match_info_ptr,
proc_args.AppendArgument(llvm::StringRef(cstr));
}
- return true;
-}
-
-static bool GetFreeBSDProcessCPUType(ProcessInstanceInfo &process_info) {
- if (process_info.ProcessIDIsValid()) {
- process_info.GetArchitecture() =
- HostInfo::GetArchitecture(HostInfo::eArchKindDefault);
+ auto buffer_sp = FileSystem::Instance().CreateDataBuffer(pathname, 0x20, 0);
+ if (!buffer_sp) {
+ process_info.Clear();
return true;
}
- process_info.GetArchitecture().Clear();
- return false;
+ uint8_t exe_class =
+ llvm::object::getElfArchType(
+ {reinterpret_cast<const char *>(buffer_sp->GetBytes()),
+ size_t(buffer_sp->GetByteSize())})
+ .first;
+
+ switch (exe_class) {
+ case llvm::ELF::ELFCLASS32:
+ process_info.SetArchitecture(
+ HostInfo::GetArchitecture(HostInfo::eArchKind32));
+ break;
+ case llvm::ELF::ELFCLASS64:
+ process_info.SetArchitecture(
+ HostInfo::GetArchitecture(HostInfo::eArchKind64));
+ break;
+ case llvm::ELF::ELFCLASSNONE:
+ process_info.SetArchitecture(
+ HostInfo::GetArchitecture(HostInfo::eArchKindDefault));
+ break;
+ }
+
+ return true;
}
static bool GetFreeBSDProcessUserAndGroup(ProcessInstanceInfo &process_info) {
@@ -218,7 +235,6 @@ uint32_t Host::FindProcessesImpl(const ProcessInstanceInfoMatch &match_info,
// Make sure our info matches before we go fetch the name and cpu type
if (match_info_noname.Matches(process_info) &&
GetFreeBSDProcessArgs(&match_info, process_info)) {
- GetFreeBSDProcessCPUType(process_info);
if (match_info.Matches(process_info))
process_infos.push_back(process_info);
}
@@ -232,7 +248,6 @@ bool Host::GetProcessInfo(lldb::pid_t pid, ProcessInstanceInfo &process_info) {
if (GetFreeBSDProcessArgs(NULL, process_info)) {
// should use libprocstat instead of going right into sysctl?
- GetFreeBSDProcessCPUType(process_info);
GetFreeBSDProcessUserAndGroup(process_info);
return true;
}
diff --git a/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp b/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp
index e0f3971c6e27..c361b2abb726 100644
--- a/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp
+++ b/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp
@@ -9,6 +9,7 @@
#include "RegisterContextFreeBSD_x86_64.h"
#include "RegisterContextFreeBSD_i386.h"
#include "RegisterContextPOSIX_x86.h"
+#include "llvm/Support/Threading.h"
#include <vector>
using namespace lldb_private;
@@ -69,40 +70,34 @@ struct UserArea {
#include "RegisterInfos_x86_64.h"
#undef DECLARE_REGISTER_INFOS_X86_64_STRUCT
-static std::vector<lldb_private::RegisterInfo> &GetSharedRegisterInfoVector() {
- static std::vector<lldb_private::RegisterInfo> register_infos;
- return register_infos;
-}
-
-static const RegisterInfo *
-GetRegisterInfo_i386(const lldb_private::ArchSpec &arch) {
- static std::vector<lldb_private::RegisterInfo> g_register_infos(
- GetSharedRegisterInfoVector());
-
- // Allocate RegisterInfo only once
- if (g_register_infos.empty()) {
- // Copy the register information from base class
- std::unique_ptr<RegisterContextFreeBSD_i386> reg_interface(
- new RegisterContextFreeBSD_i386(arch));
- const RegisterInfo *base_info = reg_interface->GetRegisterInfo();
- g_register_infos.insert(g_register_infos.end(), &base_info[0],
- &base_info[k_num_registers_i386]);
+static std::vector<lldb_private::RegisterInfo> &
+GetSharedRegisterInfoVector_i386(const lldb_private::ArchSpec &arch) {
+ static std::vector<lldb_private::RegisterInfo> g_register_infos;
+ static llvm::once_flag g_initialized;
+ llvm::call_once(g_initialized, [&]() {
+ if (g_register_infos.empty()) {
+ // Copy the register information from base class
+ std::unique_ptr<RegisterContextFreeBSD_i386> reg_interface(
+ new RegisterContextFreeBSD_i386(arch));
+ const RegisterInfo *base_info = reg_interface->GetRegisterInfo();
+ g_register_infos.insert(g_register_infos.end(), &base_info[0],
+ &base_info[k_num_registers_i386]);
// Include RegisterInfos_x86_64 to update the g_register_infos structure
// with x86_64 offsets.
#define UPDATE_REGISTER_INFOS_I386_STRUCT_WITH_X86_64_OFFSETS
#include "RegisterInfos_x86_64.h"
#undef UPDATE_REGISTER_INFOS_I386_STRUCT_WITH_X86_64_OFFSETS
- }
-
- return &g_register_infos[0];
+ }
+ });
+ return g_register_infos;
}
static const RegisterInfo *
PrivateGetRegisterInfoPtr(const lldb_private::ArchSpec &target_arch) {
switch (target_arch.GetMachine()) {
case llvm::Triple::x86:
- return GetRegisterInfo_i386(target_arch);
+ return &GetSharedRegisterInfoVector_i386(target_arch)[0];
case llvm::Triple::x86_64:
return g_register_infos_x86_64;
default:
@@ -116,9 +111,10 @@ PrivateGetRegisterCount(const lldb_private::ArchSpec &target_arch) {
switch (target_arch.GetMachine()) {
case llvm::Triple::x86:
// This vector should have already been filled.
- assert(!GetSharedRegisterInfoVector().empty() &&
+ assert(!GetSharedRegisterInfoVector_i386(target_arch).empty() &&
"i386 register info vector not filled.");
- return static_cast<uint32_t>(GetSharedRegisterInfoVector().size());
+ return static_cast<uint32_t>(
+ GetSharedRegisterInfoVector_i386(target_arch).size());
case llvm::Triple::x86_64:
return static_cast<uint32_t>(sizeof(g_register_infos_x86_64) /
sizeof(g_register_infos_x86_64[0]));
diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod
index 024584dfd4cd..f352af71b553 100644
--- a/contrib/pam-krb5/docs/pam_krb5.pod
+++ b/contrib/pam-krb5/docs/pam_krb5.pod
@@ -57,12 +57,10 @@ is vulnerable to KDC spoofing, but it requires that the system have a
local key and that the PAM module be running as a user that can read the
keytab file (normally F</etc/krb5.keytab>. You can point the Kerberos PAM
module at a different keytab with the I<keytab> option. If that keytab
-cannot be read or if no keys are found in it, the default (potentially
-insecure) behavior is to skip this check. If you want to instead fail
-authentication if the obtained tickets cannot be checked, set
-C<verify_ap_req_nofail> to true in the [libdefaults] section of
-F</etc/krb5.conf>. Note that this will affect applications other than
-this PAM module.
+cannot be read or if no keys are found in it, the default behavior is to
+fail authentication. If you want to skip this check, set the
+C<allow_kdc_spoof> option to true either in the [appdefaults] section of
+F</etc/krb5.conf> or in the PAM policy.
By default, whenever the user is authenticated, a basic authorization
check will also be done using krb5_kuserok(). The default behavior of
@@ -218,6 +216,11 @@ pam-krb5 in which that option was added with the current meaning.
=over 4
+=item allow_kdc_spoof
+
+Allow authentication to succeed even if there is no host or service
+key available in a keytab to authenticate the Kerberos KDC's ticket.
+
=item alt_auth_map=<format>
[3.12] This functions similarly to the I<search_k5login> option. The
diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c
index 065ce97b6596..46f2be791000 100644
--- a/contrib/pam-krb5/module/auth.c
+++ b/contrib/pam-krb5/module/auth.c
@@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds)
if (cursor_valid)
krb5_kt_end_seq_get(c, keytab, &cursor);
}
+#ifdef __FreeBSD__
+ if (args->config->allow_kdc_spoof)
+ opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+ else
+ opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+#endif /* __FreeBSD__ */
retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts);
if (retval != 0)
putil_err_krb5(args, retval, "credential verification failed");
diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h
index f3ea30139815..c797f7a56cd3 100644
--- a/contrib/pam-krb5/module/internal.h
+++ b/contrib/pam-krb5/module/internal.h
@@ -62,6 +62,9 @@ struct pam_config {
long minimum_uid; /* Ignore users below this UID. */
bool only_alt_auth; /* Alt principal must be used. */
bool search_k5login; /* Try password with each line of .k5login. */
+#ifdef __FreeBSD__
+ bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */
+#endif /* __FreeBSD__ */
/* Kerberos behavior. */
char *fast_ccache; /* Cache containing armor ticket. */
diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c
index 799b3a33e168..0118fb451af6 100644
--- a/contrib/pam-krb5/module/options.c
+++ b/contrib/pam-krb5/module/options.c
@@ -30,6 +30,9 @@
#define K(name) (#name), offsetof(struct pam_config, name)
/* clang-format off */
static const struct option options[] = {
+#ifdef __FreeBSD__
+ { K(allow_kdc_spoof), true, BOOL (false) },
+#endif /* __FreeBSD__ */
{ K(alt_auth_map), true, STRING (NULL) },
{ K(anon_fast), true, BOOL (false) },
{ K(banner), true, STRING ("Kerberos") },
diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iterator/iter_scrub.c
index 553d3655f0e3..8507a3fb65ac 100644
--- a/contrib/unbound/iterator/iter_scrub.c
+++ b/contrib/unbound/iterator/iter_scrub.c
@@ -418,12 +418,13 @@ shorten_rrset(sldns_buffer* pkt, struct rrset_parse* rrset, int count)
* @param qinfo: original query.
* @param region: where to allocate synthesized CNAMEs.
* @param env: module env with config options.
+ * @param zonename: name of server zone.
* @return 0 on error.
*/
static int
scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
struct query_info* qinfo, struct regional* region,
- struct module_env* env)
+ struct module_env* env, uint8_t* zonename)
{
uint8_t* sname = qinfo->qname;
size_t snamelen = qinfo->qname_len;
@@ -431,7 +432,8 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
int cname_length = 0; /* number of CNAMEs, or DNAMEs */
if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR &&
- FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN)
+ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN &&
+ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_YXDOMAIN)
return 1;
/* For the ANSWER section, remove all "irrelevant" records and add
@@ -470,6 +472,11 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
&aliaslen, pkt)) {
verbose(VERB_ALGO, "synthesized CNAME "
"too long");
+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) {
+ prev = rrset;
+ rrset = rrset->rrset_all_next;
+ continue;
+ }
return 0;
}
cname_length++;
@@ -650,6 +657,29 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
"RRset:", pkt, msg, prev, &rrset);
continue;
}
+ /* Also delete promiscuous NS for other RCODEs */
+ if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR
+ && env->cfg->iter_scrub_promiscuous) {
+ remove_rrset("normalize: removing promiscuous "
+ "RRset:", pkt, msg, prev, &rrset);
+ continue;
+ }
+ /* Also delete promiscuous NS for NOERROR with nodata
+ * for authoritative answers, not for delegations.
+ * NOERROR with an_rrsets!=0 already handled.
+ * Also NOERROR and soa_in_auth already handled.
+ * NOERROR with an_rrsets==0, and not a referral.
+ * referral is (NS not the zonename, noSOA).
+ */
+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR
+ && msg->an_rrsets == 0
+ && !(dname_pkt_compare(pkt, rrset->dname,
+ zonename) != 0 && !soa_in_auth(msg))
+ && env->cfg->iter_scrub_promiscuous) {
+ remove_rrset("normalize: removing promiscuous "
+ "RRset:", pkt, msg, prev, &rrset);
+ continue;
+ }
if(nsset == NULL) {
nsset = rrset;
} else {
@@ -1060,7 +1090,8 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
/* this is not required for basic operation but is a forgery
* resistance (security) feature */
if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ||
- FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) &&
+ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN ||
+ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) &&
msg->qdcount == 0)
return 0;
@@ -1074,7 +1105,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
}
/* normalize the response, this cleans up the additional. */
- if(!scrub_normalize(pkt, msg, qinfo, region, env))
+ if(!scrub_normalize(pkt, msg, qinfo, region, env, zonename))
return 0;
/* delete all out-of-zone information */
if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate))
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-26 16:56:56 +0000