0 is still used for 2X replies, and "external" failures (e.g.
network, tls, ...) are still using exit code 1. Gemini non-2x
replies now get their response code reported as-is as status code.
Call the certificates .pem and the keys .key; use contrib/gencert
to generate the certificates and provide a GENCERT_FLAGS knob so
that regress can be run with EC keys (GENCERT_FLAGS=-e). Still no
automatic way of testing with both RSA and EC keys.
There's no much we can do if we resolv an IPv6 address but its
support is disabled in the current kernel, so ignore and go ahead.
Spotted while testing gmid i n a FreeBSD jail without IPv6.
They're not needed on OpenBSD nor in other systems... except under
sandbox. These were added for capsicum() if I remember correctly,
but also with landlock it's better to initialize these things
earlier.
this time targetting ABI level 3; partially based on how claudio@
handled it in rpki-client. Fun how this bit of code has come full
circle (gmid inspired what I wrote for got, which inspired what was
written for rpki-client, which has come back.)
it's not used (we define OPENSSL_PRNG_ONLY) and fails the build
with -Werror. Keep the function commented instead of deleting it
just in case we need to undefine OPENSSL_PRNG_ONLY in the future.
gmid (like all other daemons that want to do privsep crypto) has a
very close relationship with libtls and need to stay in sync with
it.
OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD
instead of the older ECDSA_METHOD, on the gmid side we have to do
the same otherwise failures happens at runtime. In a similar manner,
privsep crypto is silently broken in the current libretls (next
version should fix it.)
The proper solution would be to complete the signer APIs so that
applications don't need to dive into the library' internals, but
that's a mid-term goal, for the immediate bundling the 'little'
libtls is the lesser evil.
The configure script has gained a new (undocumented for the time
being) flag `--with-libtls=bundled|system' to control which libtls
to use. It defaults to `bundled' except for OpenBSD where it uses
the `system' one. Note that OpenBSD versions before 7.3 (inclusive)
ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
Set a sane default for INSTALL, allow it to be changed either as
environment variable or configure argument, and propagate it correctly
to the generated config.mk.
Issue reported by xavi, thanks!
We might end up calling client_close() from start_reply(), but that
will free the fcgi/proxy bufferevent while they're still used on the
stack.
Instead, start_reply() only sets REQUEST_DONE and exits, returning the
error eventually, so callers know when to stop.
The idea is to require SCRIPT_NAME to be defined and strip it from
the beginning of the path to get PATH_INFO. Soon(tm) a `fastcgi
request strip' option will be added too. Maybe even `fastcgi script
name "path"` that sets SCRIPT_NAME automatically.
Omar Polo