| #
b5d570e7
|
| 21-Feb-2026 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
libfetch: Gracefully skip unsupported protocols
If socket() fails because the address family or protocol is unsupported, just continue with the next address.
MFC after: 1 week Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D55407
|
| #
afbdcd40
|
| 21-Feb-2026 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
libfetch: Fail hard if interrupted while connecting
This fixes an issue where the first address that DNS returns is blocked by a packet filter, so we hang for a while, then the user hits Ctrl-C, interrupting connect(2), whereupon we move on to the next address, get a connection, request the file, and return to fetch(1), which sees that SIGINT was caught and bails.
Note that we make no attempt to enforce fetchTimeout in the connection phase, and never have. It's feasible, but non-trivial, so we'll leave it as an exercise for future us.
PR: 293312 MFC after: 1 week Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D55406
|
| #
1b7c4d29
|
| 21-Feb-2026 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
libfetch: Clean up fetch_info usage
* Provide a wrapper for the common if (verbose) fetch_info(...) idiom.
* Replace remaining instances of fprintf(stderr, ...) with fetch_info().
* Fix a few style nits.
MFC after: 1 week Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D55405
|
| #
73b82d1b
|
| 18-Feb-2026 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
libfetch: Restore timeout functionality
PR: 293124 MFC after: 1 week Fixes: 792ef1ae7b94 ("Refactor fetch_connect() and fetch_bind() to improve readability and avoid repeating the same DNS lookups.") Reverts: 8f8a7f6fffd7 ("libfetch: apply timeout to SSL_read()") Reviewed by: eugen, imp Differential Revision: https://reviews.freebsd.org/D55293
|
| #
4e160c61
|
| 07-Feb-2026 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
libfetch: Check for failure to create SSL context
* Drop the ssl_meth member, there is no reason to hang on to it.
* Replace deprecated SSLv23_client_method() with TLS_client_method().
* Check the return value from SSL_CTX_new().
MFC after: 1 week PR: 292903 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D55098
|
| #
129aec72
|
| 22-Jan-2026 |
Eugene Grosbein <eugen@FreeBSD.org> |
libfetch: allow disabling TLS v1.3 when the connection
MFC after: 3 days
|
| #
8f8a7f6f
|
| 22-Jan-2026 |
Eugene Grosbein <eugen@FreeBSD.org> |
libfetch: apply timeout to SSL_read()
Currently, fetchTimeout works for non-SSL connections only, and so does fetch -T. Fix it by applying the specified timeout to SSL_read().
MFC after: 3 days
|
| #
79f57853
|
| 16-Dec-2025 |
Alex Richardson <arichardson@FreeBSD.org> |
libfetch: Fix -Wunterminated-string-initialization
This defaults to an error in clang HEAD, use a char-by-char initializer instead.
Reviewed by: emaste, jhb MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D52532
|
| #
8768b60d
|
| 14-Jul-2025 |
Ricardo Branco <rbranco@suse.de> |
lib: Fix calls that naively set F_SETFD.
With the recent inclusion of the FD_CLOFORK and FD_RESOLVE_BENEATH flags, we must avoid clearing them when setting only FD_CLOEXEC.
Signed-off-by: Ricardo Branco <rbranco@suse.de>
Reviewed by: kib, markj MFC after: 1 month Pull Request: https://github.com/freebsd/freebsd-src/pull/1766
|
| #
fb3dc55a
|
| 03-Feb-2024 |
rilysh <nightquick@proton.me> |
lib/libfetch/common.c: remove an extra semicolon
Signed-off-by: rilysh <nightquick@proton.me> Reviewed by: imp Pull Request: https://github.com/freebsd/freebsd-src/pull/959
|
| #
a2f733ab
|
| 24-Nov-2023 |
Warner Losh <imp@FreeBSD.org> |
lib: Automated cleanup of cdefs and other formatting
Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row.
Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/
Sponsored by: Netflix
|
| #
09f5c1e1
|
| 03-Oct-2023 |
Michael Osipov <michael.osipov@siemens.com> |
libfetch: don't rely on ca_root_nss for certificate validation
Before certctl(8), there was no system trust store, and libfetch relied on the CA certificate bundle from the ca_root_nss port to verify peers.
We now have a system trust store and a reliable mechanism for manipulating it (to explicitly add, remove, or revoke certificates), but if ca_root_nss is installed, libfetch will still prefer that to the system trust store.
With this change, unless explicitly overridden, libfetch will rely on OpenSSL to pick up the default system trust store.
PR: 256902 MFC after: 3 days Reviewed by: kevans Differential Revision: https://reviews.freebsd.org/D42059
|
| #
1d386b48
|
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
| #
bc1027a7
|
| 22-Jun-2023 |
Enji Cooper <ngie@FreeBSD.org> |
libfetch: remove all old OpenSSL support
This change removes pre-OpenSSL 1.1 supporting code and removes/adjusts preprocessor conditionals which were tautologically true as FreeBSD main has shipped with OpenSSL 1.1+ for some time.
Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D40711
|
| #
01aee8c9
|
| 25-May-2023 |
Ed Maste <emaste@FreeBSD.org> |
libfetch: do not call deprecated OpenSSL functions
As of OpenSSL 1.1 SSL_library_init() and SSL_load_error_strings() are deprecated. There are replacement initialization functions but they do not need to be called: "As of version 1.1.0 OpenSSL will automatically allocate all resources that it needs so no explicit initialisation is required."
Wrap both calls in an OPENSSL_VERSION_NUMBER block.
PR: 271615 Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org> Event: Kitchener-Waterloo Hackathon 202305 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D40265
|
| #
631b82ac
|
| 02-Nov-2022 |
Mike Karels <karels@FreeBSD.org> |
fetch: support EAI_ADDRFAMILY error, correct two error messages
With the change to return EAI_ADDRFAMILY from getaddrinfo(), fetch would print "Unknown resolver error" for that error. Add that error and its string to libfetch's table, using an #ifdef just in case. Correct error strings for EAI_NODATA (although it is currently unused) and EAI_NONAME. Should maybe rework the code to use gai_strerror(3), but that doesn't map directly, and the current strings are shortened.
Reviewed in https://reviews.freebsd.org/D37139 with related changes.
Reviewed by: bz MFC after: 1 month
|
| #
611cf392
|
| 03-Oct-2022 |
John Baldwin <jhb@FreeBSD.org> |
libfetch: Use memcpy in place of an odd strncpy.
The length passed to strncpy is the length of the source string, not the destination buffer. This triggers a non-fatal warning in GCC 12. However, the code is also odd. It is really just a memcpy of the string without its nul terminator. For that use case, memcpy is clearer.
Reviewed by: imp, emaste Differential Revision: https://reviews.freebsd.org/D36824
|
| #
fe85238e
|
| 24-Nov-2020 |
Jung-uk Kim <jkim@FreeBSD.org> |
Remove support for SSLv3 from fetch(3).
Support for SSLv3 was already removed from OpenSSL (r361392).
Differential Revision: https://reviews.freebsd.org/D24947
|
| #
1f474190
|
| 27-Oct-2020 |
Stefan Eßer <se@FreeBSD.org> |
Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE
Literal references to /usr/local exist in a large number of files in the FreeBSD base system. Many are in contributed software, in configuration files, or in the documentation, but 19 uses have been identified in C source files or headers outside the contrib and sys/contrib directories.
This commit makes it possible to set _PATH_LOCALBASE in paths.h to use a different prefix for locally installed software.
In order to avoid changes to openssh source files, LOCALBASE is passed to the build via Makefiles under src/secure. While _PATH_LOCALBASE could have been used here, there is precedent in the construction of the path used to a xauth program which depends on the LOCALBASE value passed on the compiler command line to select a non-default directory.
This could be changed in a later commit to make the openssh build consistently use _PATH_LOCALBASE. It is considered out-of-scope for this commit.
Reviewed by: imp MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D26942
|
| #
24a22d1d
|
| 22-Feb-2020 |
Dimitry Andric <dim@FreeBSD.org> |
Merge r358179 through r358238.
PR: 244251
|
| #
5ac6a2c9
|
| 21-Feb-2020 |
Kyle Evans <kevans@FreeBSD.org> |
fetch(3): plug some leaks
In the successful case, sockshost is not freed prior to return.
The failure case can now be hit after fetch_reopen(), which was not true before. Thus, we need to make sure to clean up all of the conn resources which will also close sd. For all of the points prior to fetch_reopen(), we continue to just close sd.
CID: 1419598, 1419616
|
| #
b33a8b38
|
| 16-Feb-2020 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r357966 through r357999.
|
| #
86fd2105
|
| 15-Feb-2020 |
Kyle Evans <kevans@FreeBSD.org> |
fetch(3): don't leak sockshost on failure
fetch_socks5_getenv will allocate memory for the host (or set it to NULL) in all cases through the function; the caller is responsible for freeing it if we end up allocating.
While I'm here, I've eliminated a label that just jumps to the next line...
|
| #
3dc455e8
|
| 15-Feb-2020 |
Kyle Evans <kevans@FreeBSD.org> |
fetch(3): fix regression in IPv6:port spec from r357977
In case the port was specified, we never actually populated *host. Do so now.
Pointy hat: kevans
|
| #
0f3fa960
|
| 15-Feb-2020 |
Kyle Evans <kevans@FreeBSD.org> |
fetch(3): move bits of fetch_socks5_getenv around
This commit separates out port parsing and validation from grabbing the host from the env var. The only related bit really is that we need to be more specific with the delimiter in the IPv6 case.
|