Merge branch 'freebsd/current/main' into hardened/current/master

HardenedBSD Sync Services 2023-10-20 18:01:40 -06:00
commit 7dd201ded6
15 changed files with 191 additions and 78 deletions


@ -1494,6 +1494,7 @@ distributeworld installworld stageworld: _installcheck_world .PHONY
.if !make(packageworld) && ${MK_CAROOT} != "no"
@if which openssl>/dev/null; then \
PATH=${TMPPATH:Q}:${PATH:Q} \
LOCALBASE=${LOCALBASE:Q} \
sh ${SRCTOP}/usr.sbin/certctl/certctl.sh ${CERTCTLFLAGS} rehash; \
else \
echo "No openssl on the host, not rehashing certificates target -- /etc/ssl may not be populated."; \


@ -2779,6 +2779,11 @@ OLD_FILES+=usr/share/man/man4/ng_h4.4.gz
# 20210923: rename boot(9) to kern_reboot(9)
OLD_FILES+=usr/share/man/man9/boot.9.gz
# 20210922: Old mixer(8) tests removed
OLD_FILES+=usr/tests/usr.sbin/mixer/Kyuafile
OLD_FILES+=usr/tests/usr.sbin/mixer/mixer_test
OLD_DIRS+=usr/tests/usr.sbin/mixer
# 20210921: remove cloudabi
OLD_FILES+=usr/share/man/man4/cloudabi.4.gz
OLD_FILES+=usr/share/man/man4/cloudabi32.4.gz


@ -299,6 +299,8 @@ checksnapinfo(struct inode *snapip)
size = fragroundup(fs,
DIP(snapip->i_dp, di_size) - lblktosize(fs, lbn));
bp = getdatablk(idesc.id_parent, size, BT_DATA);
if (bp->b_errs != 0)
return (0);
snapblklist = (daddr_t *)bp->b_un.b_buf;
/*
* snapblklist[0] is the size of the list
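Review bot: The new early return at `if (bp->b_errs != 0) return (0);` leaves the buffer obtained from getdatablk() on the preceding line without whatever release the success path performs further down in checksnapinfo(), whose body continues outside the hunk. If getdatablk() marks the bufarea in use until it is handed back with brelse(), the error path has to do the same or the buffer slot stays claimed for the rest of the run: `if (bp->b_errs != 0) { brelse(bp); return (0); }`. Worth confirming against how the function's normal exit releases bp.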


@ -71,3 +71,6 @@ NO_LEGACY_PCIB opt_cpu.h
# Compatibility with Linux MP table bugs.
MPTABLE_LINUX_BUG_COMPAT
# x86 specific uart options
UART_NS8250_EARLY_PORT opt_uart.h


@ -108,3 +108,6 @@ NO_LEGACY_PCIB opt_cpu.h
# Compatibility with Linux MP table bugs.
MPTABLE_LINUX_BUG_COMPAT
# x86 specific uart options
UART_NS8250_EARLY_PORT opt_uart.h


@ -288,18 +288,18 @@ acpi_pcib_producer_handler(ACPI_RESOURCE *res, void *context)
#endif
#if defined(NEW_PCIB) && defined(PCI_RES_BUS)
static int
decoded_bus_range(struct acpi_hpcib_softc *sc, rman_res_t *startp,
static bool
get_decoded_bus_range(struct acpi_hpcib_softc *sc, rman_res_t *startp,
rman_res_t *endp)
{
struct resource_list_entry *rle;
rle = resource_list_find(&sc->ap_host_res.hr_rl, PCI_RES_BUS, 0);
if (rle == NULL)
return (ENXIO);
return (false);
*startp = rle->start;
*endp = rle->end;
return (0);
return (true);
}
#endif
@ -497,7 +497,7 @@ acpi_pcib_acpi_attach(device_t dev)
* If we have a region of bus numbers, use the first
* number for our bus.
*/
if (decoded_bus_range(sc, &start, &end) == 0)
if (get_decoded_bus_range(sc, &start, &end))
sc->ap_bus = start;
else {
rid = 0;
@ -517,7 +517,7 @@ acpi_pcib_acpi_attach(device_t dev)
* If there is a decoded bus range, assume the bus number is
* the first value in the range. Warn if _BBN doesn't match.
*/
if (decoded_bus_range(sc, &start, &end) == 0) {
if (get_decoded_bus_range(sc, &start, &end)) {
if (sc->ap_bus != start) {
device_printf(dev,
"WARNING: BIOS configured bus number (%d) is "


@ -78,6 +78,27 @@ static int broken_txfifo = 0;
SYSCTL_INT(_hw, OID_AUTO, broken_txfifo, CTLFLAG_RWTUN,
&broken_txfifo, 0, "UART FIFO has QEMU emulation bug");
/*
* To use early printf on x86, add the following to your kernel config:
*
* options UART_NS8250_EARLY_PORT=0x3f8
* options EARLY_PRINTF
*/
#if defined(EARLY_PRINTF) && (defined(__amd64__) || defined(__i386__))
static void
uart_ns8250_early_putc(int c)
{
u_int stat = UART_NS8250_EARLY_PORT + REG_LSR;
u_int tx = UART_NS8250_EARLY_PORT + REG_DATA;
int limit = 10000; /* 10ms is plenty of time */
while ((inb(stat) & LSR_THRE) == 0 && --limit > 0)
continue;
outb(tx, c);
}
early_putc_t *early_putc = uart_ns8250_early_putc;
#endif /* EARLY_PRINTF */
/*
* Clear pending interrupts. THRE is cleared by reading IIR. Data
* that may have been received gets lost here.
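Review bot: The guard `#if defined(EARLY_PRINTF) && (defined(__amd64__) || defined(__i386__))` never checks that UART_NS8250_EARLY_PORT is defined, so a config with `options EARLY_PRINTF` but no port option dies inside uart_ns8250_early_putc() with an undeclared-identifier error rather than a message naming the missing option, even though the comment above the block documents both as required. Adding `#ifndef UART_NS8250_EARLY_PORT` / `#error "EARLY_PRINTF on x86 requires options UART_NS8250_EARLY_PORT"` / `#endif` inside the block, or `defined(UART_NS8250_EARLY_PORT)` in the condition, makes the dependency explicit. The closing `#endif /* EARLY_PRINTF */` also names only half of the condition it closes. The `/* 10ms is plenty of time */` on the limit is a guess at inb() latency rather than something the code guarantees; `/* bounded spin so a stuck THRE cannot hang early printf */` states what the loop actually provides.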


@ -264,10 +264,10 @@ nfscl_nget(struct mount *mntp, struct vnode *dvp, struct nfsfh *nfhp,
np->n_fhp = nfhp;
/*
* For NFSv4, we have to attach the directory file handle and
* For NFSv4.0, we have to attach the directory file handle and
* file name, so that Open Ops can be done later.
*/
if (nmp->nm_flag & NFSMNT_NFSV4) {
if (NFSHASNFSV4(nmp) && !NFSHASNFSV4N(nmp)) {
np->n_v4 = malloc(sizeof (struct nfsv4node)
+ dnp->n_fhp->nfh_len + cnp->cn_namelen - 1, M_NFSV4NODE,
M_WAITOK);
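Review bot: With the condition narrowed to `NFSHASNFSV4(nmp) && !NFSHASNFSV4N(nmp)`, np->n_v4 stays NULL on every NFSv4.1/4.2 node, so any remaining `np->n_v4->` dereference that is guarded only by the mount being NFSv4 becomes a NULL dereference on those mounts. The nfs_clstate.c hunks in this commit do add NFSHASNFSV4N() checks ahead of their n_v4 uses, but the nfs_clvnops.c context lines still read `fnp->n_v4->n4_fhlen` and `np->n_v4->n4_fhlen`, and whether their enclosing conditions test n_v4 for NULL first is not visible in those hunks. A comment at the allocation would make the new invariant explicit for readers of other files: `/* Only NFSv4.0 needs n_v4; NFSv4.1/4.2 Opens use Claim_FH, so n_v4 stays NULL there. */`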


@ -392,16 +392,6 @@ nfsrpc_open(vnode_t vp, int amode, struct ucred *cred, NFSPROC_T *p)
nfhp = np->n_fhp;
retrycnt = 0;
#ifdef notdef
{ char name[100]; int namel;
namel = (np->n_v4->n4_namelen < 100) ? np->n_v4->n4_namelen : 99;
bcopy(NFS4NODENAME(np->n_v4), name, namel);
name[namel] = '\0';
printf("rpcopen p=0x%x name=%s",p->p_pid,name);
if (nfhp->nfh_len > 0) printf(" fh=0x%x\n",nfhp->nfh_fh[12]);
else printf(" fhl=0\n");
}
#endif
do {
dp = NULL;
error = nfscl_open(vp, nfhp->nfh_fh, nfhp->nfh_len, mode, 1,
@ -452,6 +442,39 @@ else printf(" fhl=0\n");
op->nfso_own->nfsow_clp,
nfhp->nfh_fh, nfhp->nfh_len, cred, p, &dp);
}
} else if (NFSHASNFSV4N(nmp)) {
/*
* For the first attempt, try and get a layout, if
* pNFS is enabled for the mount.
*/
if (!NFSHASPNFS(nmp) || nfscl_enablecallb == 0 ||
nfs_numnfscbd == 0 ||
(np->n_flag & NNOLAYOUT) != 0 || retrycnt > 0)
error = nfsrpc_openrpc(nmp, vp, nfhp->nfh_fh,
nfhp->nfh_len, nfhp->nfh_fh, nfhp->nfh_len,
mode, op, NULL, 0, &dp, 0, 0x0, cred, p, 0,
0);
else
error = nfsrpc_getopenlayout(nmp, vp,
nfhp->nfh_fh, nfhp->nfh_len, nfhp->nfh_fh,
nfhp->nfh_len, mode, op, NULL, 0, &dp,
cred, p);
if (dp != NULL) {
NFSLOCKNODE(np);
np->n_flag &= ~NDELEGMOD;
/*
* Invalidate the attribute cache, so that
* attributes that pre-date the issue of a
* delegation are not cached, since the
* cached attributes will remain valid while
* the delegation is held.
*/
NFSINVALATTRCACHE(np);
NFSUNLOCKNODE(np);
(void) nfscl_deleg(nmp->nm_mountp,
op->nfso_own->nfsow_clp,
nfhp->nfh_fh, nfhp->nfh_len, cred, p, &dp);
}
} else {
error = EIO;
}
@ -538,19 +561,40 @@ nfsrpc_openrpc(struct nfsmount *nmp, vnode_t vp, u_int8_t *nfhp, int fhlen,
*tl = txdr_unsigned(delegtype);
} else {
if (dp != NULL) {
*tl = txdr_unsigned(NFSV4OPEN_CLAIMDELEGATECUR);
NFSM_BUILD(tl, u_int32_t *, NFSX_STATEID);
if (NFSHASNFSV4N(nmp))
*tl++ = 0;
else
if (NFSHASNFSV4N(nmp)) {
*tl = txdr_unsigned(
NFSV4OPEN_CLAIMDELEGATECURFH);
NFSLOCKMNT(nmp);
if ((nmp->nm_privflag & NFSMNTP_BUGGYFBSDSRV) !=
0) {
NFSUNLOCKMNT(nmp);
/*
* Add a stateID argument to make old
* broken FreeBSD NFSv4.1/4.2 servers
* happy.
*/
NFSM_BUILD(tl, uint32_t *,NFSX_STATEID);
*tl++ = 0;
*tl++ = dp->nfsdl_stateid.other[0];
*tl++ = dp->nfsdl_stateid.other[1];
*tl = dp->nfsdl_stateid.other[2];
} else
NFSUNLOCKMNT(nmp);
} else {
*tl = txdr_unsigned(NFSV4OPEN_CLAIMDELEGATECUR);
NFSM_BUILD(tl, u_int32_t *, NFSX_STATEID);
*tl++ = dp->nfsdl_stateid.seqid;
*tl++ = dp->nfsdl_stateid.other[0];
*tl++ = dp->nfsdl_stateid.other[1];
*tl = dp->nfsdl_stateid.other[2];
*tl++ = dp->nfsdl_stateid.other[0];
*tl++ = dp->nfsdl_stateid.other[1];
*tl = dp->nfsdl_stateid.other[2];
(void)nfsm_strtom(nd, name, namelen);
}
} else if (NFSHASNFSV4N(nmp)) {
*tl = txdr_unsigned(NFSV4OPEN_CLAIMFH);
} else {
*tl = txdr_unsigned(NFSV4OPEN_CLAIMNULL);
(void)nfsm_strtom(nd, name, namelen);
}
(void) nfsm_strtom(nd, name, namelen);
}
NFSM_BUILD(tl, u_int32_t *, NFSX_UNSIGNED);
*tl = txdr_unsigned(NFSV4OP_GETATTR);
@ -2713,6 +2757,8 @@ nfsrpc_createv4(vnode_t dvp, char *name, int namelen, struct vattr *vap,
if ((rflags & NFSV4OPEN_RESULTCONFIRM) &&
(owp->nfsow_clp->nfsc_flags & NFSCLFLAGS_GOTDELEG) &&
!error && dp == NULL) {
KASSERT(!NFSHASNFSV4N(nmp),
("nfsrpc_createv4: result confirm"));
do {
ret = nfsrpc_openrpc(VFSTONFS(dvp->v_mount), dvp,
np->n_fhp->nfh_fh, np->n_fhp->nfh_len,
@ -8009,8 +8055,12 @@ nfsrpc_openlayoutrpc(struct nfsmount *nmp, vnode_t vp, u_int8_t *nfhp,
nfsm_strtom(nd, op->nfso_own->nfsow_owner, NFSV4CL_LOCKNAMELEN);
NFSM_BUILD(tl, uint32_t *, 2 * NFSX_UNSIGNED);
*tl++ = txdr_unsigned(NFSV4OPEN_NOCREATE);
*tl = txdr_unsigned(NFSV4OPEN_CLAIMNULL);
nfsm_strtom(nd, name, namelen);
if (NFSHASNFSV4N(nmp)) {
*tl = txdr_unsigned(NFSV4OPEN_CLAIMFH);
} else {
*tl = txdr_unsigned(NFSV4OPEN_CLAIMNULL);
nfsm_strtom(nd, name, namelen);
}
NFSM_BUILD(tl, uint32_t *, NFSX_UNSIGNED);
*tl = txdr_unsigned(NFSV4OP_GETATTR);
NFSZERO_ATTRBIT(&attrbits);
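Review bot: In nfsrpc_openrpc the new `NFSHASNFSV4N(nmp)` branch, from `NFSLOCKMNT(nmp);` through the two `NFSUNLOCKMNT(nmp);` calls, releases the mount lock on two separate paths and threads the XDR construction through the locked region's control flow, which is easy to break on the next edit. Sampling the flag into a local under the lock and unlocking once keeps the critical section to the single read it needs, and the stateID workaround then sits in an ordinary `if`. The same read-under-lock shape appears in nfscl_tryopen in nfs_clstate.c. The `NFSM_BUILD(tl, uint32_t *,NFSX_STATEID);` line is also missing a space after the comma.
```c
			if (NFSHASNFSV4N(nmp)) {
				bool buggy_srv;

				*tl = txdr_unsigned(
				    NFSV4OPEN_CLAIMDELEGATECURFH);
				NFSLOCKMNT(nmp);
				buggy_srv = (nmp->nm_privflag &
				    NFSMNTP_BUGGYFBSDSRV) != 0;
				NFSUNLOCKMNT(nmp);
				if (buggy_srv) {
					/*
					 * Add a stateID argument to make old
					 * broken FreeBSD NFSv4.1/4.2 servers
					 * happy.
					 */
					NFSM_BUILD(tl, uint32_t *, NFSX_STATEID);
					/* … unchanged: seqid and stateid.other fields … */
				}
			}
```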


@ -4383,9 +4383,15 @@ nfscl_moveopen(vnode_t vp, struct nfsclclient *clp, struct nfsmount *nmp,
nfscl_newopen(clp, NULL, &owp, NULL, &op, &nop, owp->nfsow_owner,
lop->nfso_fh, lop->nfso_fhlen, cred, &newone);
ndp = dp;
error = nfscl_tryopen(nmp, vp, np->n_v4->n4_data, np->n_v4->n4_fhlen,
lop->nfso_fh, lop->nfso_fhlen, lop->nfso_mode, op,
NFS4NODENAME(np->n_v4), np->n_v4->n4_namelen, &ndp, 0, 0, cred, p);
if (NFSHASNFSV4N(nmp))
error = nfscl_tryopen(nmp, vp, lop->nfso_fh, lop->nfso_fhlen,
lop->nfso_fh, lop->nfso_fhlen, lop->nfso_mode, op,
NULL, 0, &ndp, 0, 0, cred, p);
else
error = nfscl_tryopen(nmp, vp, np->n_v4->n4_data,
np->n_v4->n4_fhlen, lop->nfso_fh, lop->nfso_fhlen,
lop->nfso_mode, op, NFS4NODENAME(np->n_v4),
np->n_v4->n4_namelen, &ndp, 0, 0, cred, p);
if (error) {
if (newone)
nfscl_freeopen(op, 0, true);
@ -4476,14 +4482,16 @@ nfsrpc_reopen(struct nfsmount *nmp, u_int8_t *fhp, int fhlen,
if (error)
return (error);
vp = NFSTOV(np);
if (np->n_v4 != NULL) {
if (NFSHASNFSV4N(nmp))
error = nfscl_tryopen(nmp, vp, fhp, fhlen, fhp, fhlen, mode, op,
NULL, 0, dpp, 0, 0, cred, p);
else if (np->n_v4 != NULL)
error = nfscl_tryopen(nmp, vp, np->n_v4->n4_data,
np->n_v4->n4_fhlen, fhp, fhlen, mode, op,
NFS4NODENAME(np->n_v4), np->n_v4->n4_namelen, dpp, 0, 0,
cred, p);
} else {
else
error = EINVAL;
}
vrele(vp);
return (error);
}
@ -4500,18 +4508,43 @@ nfscl_tryopen(struct nfsmount *nmp, vnode_t vp, u_int8_t *fhp, int fhlen,
int reclaim, u_int32_t delegtype, struct ucred *cred, NFSPROC_T *p)
{
int error;
struct nfscldeleg *dp;
bool try_busted_xdr;
dp = *ndpp;
do {
*ndpp = dp; /* *ndpp needs to be set for retries. */
error = nfsrpc_openrpc(nmp, vp, fhp, fhlen, newfhp, newfhlen,
mode, op, name, namelen, ndpp, reclaim, delegtype, cred, p,
0, 0);
try_busted_xdr = false;
if (error == NFSERR_DELAY)
(void) nfs_catnap(PZERO, error, "nfstryop");
} while (error == NFSERR_DELAY);
else if (error == NFSERR_EXPIRED && NFSHASNFSV4N(nmp) &&
reclaim == 0 && dp != NULL) {
/* This case is a Claim_Deleg_Cur_FH Open. */
NFSLOCKMNT(nmp);
if ((nmp->nm_privflag & NFSMNTP_BUGGYFBSDSRV) == 0) {
/*
* Old FreeBSD NFSv4.1/4.2 servers erroneously
* expect a stateID argument for Open
* Claim_Deleg_Cur_FH and interpret the
* Getattr reply as a stateID. This results
* in an NFSERR_EXPIRED failure.
* Setting NFSMNTP_BUGGYFBSDSRV makes the Open
* send a stateID, in violation of RFC8881.
*/
try_busted_xdr = true;
nmp->nm_privflag |= NFSMNTP_BUGGYFBSDSRV;
}
NFSUNLOCKMNT(nmp);
}
} while (error == NFSERR_DELAY || try_busted_xdr);
if (error == EAUTH || error == EACCES) {
/* Try again using system credentials */
newnfs_setroot(cred);
do {
*ndpp = dp; /* *ndpp needs to be set for retries. */
error = nfsrpc_openrpc(nmp, vp, fhp, fhlen, newfhp,
newfhlen, mode, op, name, namelen, ndpp, reclaim,
delegtype, cred, p, 1, 0);
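Review bot: In nfscl_tryopen the `else if (error == NFSERR_EXPIRED && NFSHASNFSV4N(nmp) && reclaim == 0 && dp != NULL)` branch sets NFSMNTP_BUGGYFBSDSRV on the first NFSERR_EXPIRED and nothing ever clears it, yet NFS4ERR_EXPIRED is also a legitimate reply from a conforming server whose lease has lapsed, so one such reply permanently switches the mount to sending a stateID with Claim_Deleg_Cur_FH in violation of RFC 8881. Remembering that the current iteration was the stateID retry and clearing the flag when that retry also comes back NFSERR_EXPIRED keeps the workaround self-correcting; a genuinely buggy server simply re-triggers detection on its next Open at the cost of one extra RPC. The loop body below and the function's tail are outside the hunk.
```c
	bool try_busted_xdr, tried_busted_xdr;

	dp = *ndpp;
	tried_busted_xdr = false;
	do {
		/* … unchanged: nfsrpc_openrpc() call and NFSERR_DELAY handling … */
		else if (error == NFSERR_EXPIRED && NFSHASNFSV4N(nmp) &&
		    reclaim == 0 && dp != NULL) {
			/* This case is a Claim_Deleg_Cur_FH Open. */
			NFSLOCKMNT(nmp);
			if ((nmp->nm_privflag & NFSMNTP_BUGGYFBSDSRV) == 0) {
				/* … unchanged: comment on old FreeBSD servers … */
				try_busted_xdr = true;
				tried_busted_xdr = true;
				nmp->nm_privflag |= NFSMNTP_BUGGYFBSDSRV;
			} else if (tried_busted_xdr) {
				/*
				 * The retry with a stateID failed the same
				 * way, so this is not the buggy server; stop
				 * sending the non-conforming argument.
				 */
				nmp->nm_privflag &= ~NFSMNTP_BUGGYFBSDSRV;
			}
			NFSUNLOCKMNT(nmp);
		}
	} while (error == NFSERR_DELAY || try_busted_xdr);
```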


@ -2052,14 +2052,6 @@ nfs_rename(struct vop_rename_args *ap)
tdnp->n_fhp->nfh_len != fnp->n_v4->n4_fhlen ||
NFSBCMP(tdnp->n_fhp->nfh_fh, fnp->n_v4->n4_data,
tdnp->n_fhp->nfh_len))) {
#ifdef notdef
{ char nnn[100]; int nnnl;
nnnl = (tcnp->cn_namelen < 100) ? tcnp->cn_namelen : 99;
bcopy(tcnp->cn_nameptr, nnn, nnnl);
nnn[nnnl] = '\0';
printf("ren replace=%s\n",nnn);
}
#endif
free(fnp->n_v4, M_NFSV4NODE);
fnp->n_v4 = newv4;
newv4 = NULL;
@ -2713,14 +2705,6 @@ nfs_lookitup(struct vnode *dvp, char *name, int len, struct ucred *cred,
dnp->n_fhp->nfh_len != np->n_v4->n4_fhlen ||
NFSBCMP(dnp->n_fhp->nfh_fh, np->n_v4->n4_data,
dnp->n_fhp->nfh_len))) {
#ifdef notdef
{ char nnn[100]; int nnnl;
nnnl = (len < 100) ? len : 99;
bcopy(name, nnn, nnnl);
nnn[nnnl] = '\0';
printf("replace=%s\n",nnn);
}
#endif
free(np->n_v4, M_NFSV4NODE);
np->n_v4 = malloc(
sizeof (struct nfsv4node) +


@ -124,6 +124,7 @@ struct nfsmount {
#define NFSMNTP_DELEGISSUED 0x00000400
#define NFSMNTP_NODEALLOCATE 0x00000800
#define NFSMNTP_FAKEROOTFH 0x00001000
#define NFSMNTP_BUGGYFBSDSRV 0x00002000
/* New mount flags only used by the kernel via nmount(2). */
#define NFSMNT_TLS 0x00000001


@ -1506,7 +1506,7 @@ static int vnlruproc_sig;
static u_long vnlruproc_kicks;
SYSCTL_ULONG(_vfs_vnode_vnlru, OID_AUTO, kicks, CTLFLAG_RD, &vnlruproc_kicks, 0,
"Number of times vnlru got woken up due to vnode shortage");
"Number of times vnlru awakened due to vnode shortage");
#define VNLRU_COUNT_SLOP 100


@ -114,14 +114,15 @@ struct msi_intsrc {
struct intsrc msi_intsrc;
device_t msi_dev; /* Owning device. (g) */
struct msi_intsrc *msi_first; /* First source in group. */
u_int *msi_irqs; /* Group's IRQ list. (g) */
u_int msi_irq; /* IRQ cookie. */
u_int msi_msix; /* MSI-X message. */
u_int msi_vector:8; /* IDT vector. */
u_int msi_cpu; /* Local APIC ID. (g) */
u_int msi_remap_cookie; /* IOMMU cookie. */
u_int msi_vector:8; /* IDT vector. */
u_int msi_count:8; /* Messages in this group. (g) */
u_int msi_maxcount:8; /* Alignment for this group. (g) */
u_int *msi_irqs; /* Group's IRQ list. (g) */
u_int msi_remap_cookie;
u_int msi_enabled:8; /* Enabled messages in this group. (g) */
bool msi_msix; /* MSI-X message. */
};
static void msi_create_source(void);
@ -204,7 +205,12 @@ msi_enable_intr(struct intsrc *isrc)
{
struct msi_intsrc *msi = (struct msi_intsrc *)isrc;
apic_enable_vector(msi->msi_cpu, msi->msi_vector);
msi = msi->msi_first;
if (msi->msi_enabled == 0) {
for (u_int i = 0; i < msi->msi_count; i++)
apic_enable_vector(msi->msi_cpu, msi->msi_vector + i);
}
msi->msi_enabled++;
}
static void
@ -212,7 +218,12 @@ msi_disable_intr(struct intsrc *isrc)
{
struct msi_intsrc *msi = (struct msi_intsrc *)isrc;
apic_disable_vector(msi->msi_cpu, msi->msi_vector);
msi = msi->msi_first;
msi->msi_enabled--;
if (msi->msi_enabled == 0) {
for (u_int i = 0; i < msi->msi_count; i++)
apic_disable_vector(msi->msi_cpu, msi->msi_vector + i);
}
}
static int
@ -266,7 +277,7 @@ msi_assign_cpu(struct intsrc *isrc, u_int apic_id)
/* Allocate IDT vectors on this cpu. */
if (msi->msi_count > 1) {
KASSERT(msi->msi_msix == 0, ("MSI-X message group"));
KASSERT(!msi->msi_msix, ("MSI-X message group"));
vector = apic_alloc_vectors(apic_id, msi->msi_irqs,
msi->msi_count, msi->msi_maxcount);
} else
@ -277,11 +288,8 @@ msi_assign_cpu(struct intsrc *isrc, u_int apic_id)
/* Must be set before BUS_REMAP_INTR as it may call back into MSI. */
msi->msi_cpu = apic_id;
msi->msi_vector = vector;
if (msi->msi_intsrc.is_handlers > 0)
apic_enable_vector(msi->msi_cpu, msi->msi_vector);
for (i = 1; i < msi->msi_count; i++) {
sib = (struct msi_intsrc *)intr_lookup_source(msi->msi_irqs[i]);
if (sib->msi_intsrc.is_handlers > 0)
if (msi->msi_enabled > 0) {
for (i = 0; i < msi->msi_count; i++)
apic_enable_vector(apic_id, vector + i);
}
error = BUS_REMAP_INTR(device_get_parent(msi->msi_dev), msi->msi_dev,
@ -317,15 +325,13 @@ msi_assign_cpu(struct intsrc *isrc, u_int apic_id)
* to prevent races where we could miss an interrupt. If BUS_REMAP_INTR
* failed then we disable and free the new, unused vector(s).
*/
if (msi->msi_intsrc.is_handlers > 0)
apic_disable_vector(old_id, old_vector);
apic_free_vector(old_id, old_vector, msi->msi_irq);
for (i = 1; i < msi->msi_count; i++) {
sib = (struct msi_intsrc *)intr_lookup_source(msi->msi_irqs[i]);
if (sib->msi_intsrc.is_handlers > 0)
if (msi->msi_enabled > 0) {
for (i = 0; i < msi->msi_count; i++)
apic_disable_vector(old_id, old_vector + i);
apic_free_vector(old_id, old_vector + i, msi->msi_irqs[i]);
}
apic_free_vector(old_id, old_vector, msi->msi_irq);
for (i = 1; i < msi->msi_count; i++)
apic_free_vector(old_id, old_vector + i, msi->msi_irqs[i]);
return (error);
}
@ -727,7 +733,7 @@ again:
msi->msi_cpu = cpu;
msi->msi_first = msi;
msi->msi_vector = vector;
msi->msi_msix = 1;
msi->msi_msix = true;
msi->msi_count = 1;
msi->msi_maxcount = 1;
msi->msi_irqs = NULL;
@ -769,7 +775,7 @@ msix_release(int irq)
msi->msi_dev = NULL;
apic_free_vector(msi->msi_cpu, msi->msi_vector, msi->msi_irq);
msi->msi_vector = 0;
msi->msi_msix = 0;
msi->msi_msix = false;
msi->msi_count = 0;
msi->msi_maxcount = 0;
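Review bot: msi_disable_intr now does `msi->msi_enabled--;` on the group's first source without checking that the count is non-zero, and msi_enabled is an 8-bit unsigned bitfield, so an unbalanced disable (or a disable on a source whose enable was never counted) wraps it to 255 and leaves every vector in the group enabled for good. A `KASSERT(msi->msi_enabled > 0, ("msi_disable_intr: enable count underflow"));` before the decrement turns that into a diagnosable panic on debug kernels. The counter also moves enable/disable to group granularity, so one enabled sibling keeps all `msi_count` vectors live on `msi->msi_cpu`; the code in msi_assign_cpu assumes the group shares a CPU and contiguous vectors, so that looks intended, but a comment on the field such as `/* Enabled messages in this group; vectors are toggled per group, not per message. (g) */` would spare the next reader the inference.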


@ -24,7 +24,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 13, 2022
.Dd October 10, 2023
.Dt CERTCTL 8
.Os
.Sh NAME
@ -98,18 +98,22 @@ Remove the specified file from the untrusted list.
Alternate destination directory to operate on.
.It Ev DISTBASE
Additional path component to include when operating on certificate directories.
.It Ev LOCALBASE
Location for local programs.
Defaults to the value of the user.localbase sysctl which is usually
.Pa /usr/local .
.It Ev TRUSTPATH
List of paths to search for trusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/usr/share/certs/trusted
.Pa <DESTDIR><DISTBASE>/usr/local/share/certs
.Pa <DESTDIR><DISTBASE>/usr/local/etc/ssl/certs
.Pa <DESTDIR><DISTBASE><LOCALBASE>/etc/ssl/certs
.It Ev UNTRUSTPATH
List of paths to search for untrusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/usr/share/certs/untrusted
.Pa <DESTDIR><DISTBASE>/usr/local/etc/ssl/untrusted
.Pa <DESTDIR><DISTBASE>/usr/local/etc/ssl/blacklisted
.Pa <DESTDIR><DISTBASE><LOCALBASE>/etc/ssl/untrusted
.Pa <DESTDIR><DISTBASE><LOCALBASE>/etc/ssl/blacklisted
.It Ev CERTDESTDIR
Destination directory for symbolic links to trusted certificates.
Default: