tobhe [Mon, 20 Dec 2021 17:09:18 +0000 (17:09 +0000)]
Remove unused variable 'clen'.
ok bluhm@
jsing [Mon, 20 Dec 2021 16:52:26 +0000 (16:52 +0000)]
Add regress coverage for the crazy SCT_new_from_base64() API.
visa [Mon, 20 Dec 2021 16:24:32 +0000 (16:24 +0000)]
Make filt_dead() selectively inactive with EVFILT_EXCEPT
When a knote uses the dead event filter, the knote's file descriptor is
not supposed to point to an object with pending out-of-band data. Make
the knote inactive so that userspace will not receive a spurious event.
However, kqueue-based poll(2) should still receive HUP notifications.
This lets the system use dead_filtops with fewer strings attached
relative to the filter type.
visa [Mon, 20 Dec 2021 16:22:24 +0000 (16:22 +0000)]
Let poll(2) register EVFILT_EXCEPT filter with dead vnodes
This enables the system to deliver POLLHUP when pollfd.events == 0.
visa [Mon, 20 Dec 2021 16:21:07 +0000 (16:21 +0000)]
Run seltrue/dead event filter in modify and process callbacks
Do not assume event status in the modify and process callbacks. Instead
always run the event filter so that it has a chance to set knote flags.
The filter can also indicate event inactivity.
mvs [Mon, 20 Dec 2021 15:59:09 +0000 (15:59 +0000)]
Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.
Tested by Hrvoje Popovski.
ok bluhm@
bluhm [Mon, 20 Dec 2021 15:23:32 +0000 (15:23 +0000)]
Fix function name in panic string.
stsp [Mon, 20 Dec 2021 15:08:10 +0000 (15:08 +0000)]
Make iwm(4) attach to PCI devices with product ID 0x31dc.
This device is part of the 9560 chip family. With a small device-specific
quirk we can make iwm(4) attach and provide a working wifi interface.
Problem reported and fix tested by Joao Victor.
stsp [Mon, 20 Dec 2021 15:05:12 +0000 (15:05 +0000)]
regen
stsp [Mon, 20 Dec 2021 15:04:58 +0000 (15:04 +0000)]
Change a PCI device string: The "Gemini Lake CNVi" is an iwm(4) "AC 9560".
ok hastings@ (who submitted the original string, based on a datasheet)
schwarze [Mon, 20 Dec 2021 15:02:13 +0000 (15:02 +0000)]
document BN_mod_add_quick(3), BN_mod_sub_quick(3), BN_mod_lshift(3),
BN_mod_lshift_quick(3), BN_mod_lshift1(3), and BN_mod_lshift1_quick(3)
hastings [Mon, 20 Dec 2021 14:54:37 +0000 (14:54 +0000)]
Make mtw(4) known to the config(8) framework.
Not enabled yet. Pending firmware availability.
ok stsp@ jmatthew@
hastings [Mon, 20 Dec 2021 13:59:02 +0000 (13:59 +0000)]
Add mtw(4), a driver for MediaTek MT7601U wifi devices.
Ported from run(4) with legacy chipsets removed.
Not yet enabled in the build.
ok stsp@ jmatthew@
claudio [Mon, 20 Dec 2021 13:26:11 +0000 (13:26 +0000)]
When removing the last value from an attribute in ldap_del_values()
the actual attribute needs to be removed instead of leaving behind an
empty attribute. Empty attributes are not valid and fail later on
in ldap_modify(). Calling ldap_del_attribute() in this case
properly removes the attribute, and with that validate_entry() no
longer fails later on.
OK jmatthew@
claudio [Mon, 20 Dec 2021 13:18:29 +0000 (13:18 +0000)]
Add some debug messages in validate_entry() that explain why
LDAP_INVALID_SYNTAX is returned.
OK jmatthew@
nicm [Mon, 20 Dec 2021 09:02:12 +0000 (09:02 +0000)]
Do not crash on a zero size character.
jmatthew [Mon, 20 Dec 2021 04:21:32 +0000 (04:21 +0000)]
Rework the tx path to use the consumer and producer positions to work out
the number of slots available, and to put packets on the ring until fewer
than DWGE_NTXSEGS slots are left, making dwge_start() and dwge_txeof()
work independently. While here, only write to GMAC_TX_POLL_DEMAND once
per call to dwge_start() rather than once per packet.
Adjust the rx interrupt path to check the number of slots in use and
return slots once per interrupt.
Add interrupt and ifq barriers before taking the interface down.
With all of this done, we can mark dwge(4) mpsafe.
ok dlg@ patrick@
deraadt [Mon, 20 Dec 2021 01:53:34 +0000 (01:53 +0000)]
sync
kettenis [Sun, 19 Dec 2021 23:47:24 +0000 (23:47 +0000)]
Add an implementation for the protocol to communicate with coprocessors
running firmware based on Apple's RTKit OS. Use this code to bring up the
storage controller that implements Apple's flavour of NVMe.
ok dlg@, patrick@
bluhm [Sun, 19 Dec 2021 23:30:08 +0000 (23:30 +0000)]
There are occasions where the walker function in tdb_walk() might
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@
djm [Sun, 19 Dec 2021 22:20:12 +0000 (22:20 +0000)]
regression test for destination restrictions in ssh-agent
djm [Sun, 19 Dec 2021 22:15:42 +0000 (22:15 +0000)]
document host-bound publickey authentication
djm [Sun, 19 Dec 2021 22:15:21 +0000 (22:15 +0000)]
document agent protocol extensions
djm [Sun, 19 Dec 2021 22:14:47 +0000 (22:14 +0000)]
PubkeyAuthentication=yes|no|unbound|host-bound
Allow control over which pubkey methods are used. Added out of
concern that some hardware devices may have difficulty signing
the longer pubkey authentication challenges. This provides a
way for them to disable the extension. It's also handy for
testing.
feedback / ok markus@
djm [Sun, 19 Dec 2021 22:14:12 +0000 (22:14 +0000)]
document destination-constrained keys
feedback / ok markus@
djm [Sun, 19 Dec 2021 22:13:55 +0000 (22:13 +0000)]
Use hostkey parsed from hostbound userauth request
Require host-bound userauth requests for forwarded SSH connections.
The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.
ok markus@
djm [Sun, 19 Dec 2021 22:13:33 +0000 (22:13 +0000)]
agent support for parsing hostkey-bound signatures
Allow parse_userauth_request() to work with blobs from
publickey-hostbound-v00@openssh.com userauth attempts.
Extract hostkey from these blobs.
ok markus@
djm [Sun, 19 Dec 2021 22:13:12 +0000 (22:13 +0000)]
EXT_INFO negotiation of hostbound pubkey auth
the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.
Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").
ok markus@
djm [Sun, 19 Dec 2021 22:12:54 +0000 (22:12 +0000)]
client side of host-bound pubkey authentication
Add kex->flags member to enable the publickey-hostbound-v00@openssh.com
authentication method.
Use the new hostbound method in client if the kex->flags flag was set,
and include the initial KEX hostkey in the userauth request.
Note: nothing in kex.c actually sets the new flag yet
ok markus@
djm [Sun, 19 Dec 2021 22:12:30 +0000 (22:12 +0000)]
sshd side of hostbound public key auth
This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.
feedback / ok markus@
djm [Sun, 19 Dec 2021 22:12:07 +0000 (22:12 +0000)]
prepare for multiple names for authmethods
allow authentication methods to have one additional name beyond their
primary name.
allow lookup by this synonym
Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey
Pass actual invoked name to the authmethods, so they can tell whether they
were requested via their primary name or synonym.
ok markus@
djm [Sun, 19 Dec 2021 22:11:39 +0000 (22:11 +0000)]
ssh-agent side of destination constraints
Gives ssh-agent the ability to parse restrict-destination-v00@openssh.com
constraints and to apply them to keys.
Check constraints against the hostkeys recorded for a SocketEntry when
attempting a signature, adding, listing or deleting keys. Note that
the "delete all keys" request will remove constrained keys regardless of
location.
feedback Jann Horn & markus@
ok markus@
djm [Sun, 19 Dec 2021 22:11:06 +0000 (22:11 +0000)]
ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b" would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on an agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
Host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@
ok markus@
djm [Sun, 19 Dec 2021 22:10:24 +0000 (22:10 +0000)]
ssh-add side of destination constraints
Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.
Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".
The first form permits a key to be used to authenticate as the
specified user to the specified host.
The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.
For example, constraining a key with "user1@host_a" and
"host_a>host_b" would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on an agent forwarded to other hosts or usable for
authentication there.
Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.
Host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.
feedback Jann Horn & markus@
ok markus@
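The two "ssh-add side of destination constraints" entries above (22:11:06 and 22:10:24) describe a constraint syntax and its forwarding semantics in prose. The following is an added, constructed model of that syntax and its evaluation; it is not OpenSSH's ssh-add or ssh-agent code. It assumes host patterns are matched against host names with shell-style globbing (the real implementation resolves patterns to host keys from known_hosts and the agent compares bound host keys), and it models the path an agent connection has been forwarded along as a plain list of host names; the names `Constraint`, `parse_constraint` and `key_usable` are this example's own.

```python
# Added illustration of the destination-constraint syntax described above.
# Constructed model, not OpenSSH code: real constraints are resolved to
# host keys, whereas this model globs host names (an assumption).
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Constraint:
    """One parsed constraint.

    from_host is None for the first form "[user@]host-pattern" and holds the
    left-hand pattern for the second form "host-pattern>[user@]host-pattern".
    user is None when any user is allowed.
    """
    from_host: Optional[str]
    user: Optional[str]
    to_host: str


def parse_constraint(spec: str) -> Constraint:
    """Parse "[user@]host-pattern" or "host-pattern>[user@]host-pattern"."""
    from_host = None
    rest = spec
    if ">" in rest:
        from_host, rest = rest.split(">", 1)
        # The left-hand side names only a host; a second ">" is not allowed.
        if not from_host or "@" in from_host or ">" in rest:
            raise ValueError(f"malformed constraint: {spec!r}")
    user = None
    if "@" in rest:
        user, rest = rest.split("@", 1)
        if not user:
            raise ValueError(f"empty user in constraint: {spec!r}")
    if not rest:
        raise ValueError(f"empty host-pattern in constraint: {spec!r}")
    return Constraint(from_host, user, rest)


def _permitted(constraints: Iterable[Constraint], from_host: Optional[str],
               user: Optional[str], to_host: str) -> bool:
    """Is one hop from from_host (None = the local agent) to to_host allowed?

    user is None for intermediate hops, where the model does not track who
    logged in; a user restriction is then not applied.
    """
    for c in constraints:
        # First-form constraints only apply from the local agent; second-form
        # constraints only apply once the agent has been forwarded somewhere.
        if (c.from_host is None) != (from_host is None):
            continue
        if from_host is not None and not fnmatchcase(from_host, c.from_host):
            continue
        if user is not None and c.user is not None and c.user != user:
            continue
        if fnmatchcase(to_host, c.to_host):
            return True
    return False


def key_usable(constraints: List[Constraint], forwarded_via: List[str],
               user: str, target: str) -> bool:
    """Decide whether a constrained key may sign for `user` at `target`.

    forwarded_via lists the hosts the agent connection has been forwarded
    through, in order (empty when ssh talks to the local agent). Each hop
    must itself be a permitted destination from the previous one, and the
    final target must be permitted from the last hop; otherwise the key is
    treated as not visible/usable there.
    """
    hops = list(forwarded_via) + [target]
    prev = None
    for i, host in enumerate(hops):
        hop_user = user if i == len(hops) - 1 else None
        if not _permitted(constraints, prev, hop_user, host):
            return False
        prev = host
    return True


if __name__ == "__main__":
    # The worked example from the commit message (constructed input).
    rules = [parse_constraint(s) for s in ("user1@host_a", "host_a>host_b")]
    print(key_usable(rules, [], "user1", "host_a"))          # True
    print(key_usable(rules, ["host_a"], "user1", "host_b"))  # True
    print(key_usable(rules, ["host_c"], "user1", "host_b"))  # False
```

The point of walking the whole forwarding path is the one the commit message makes: a key constrained with "host_a>host_b" is only offered on an agent that was forwarded to host_a, so an agent forwarded to some other host never sees it, and a hop that was not itself permitted cannot be used as a springboard to a permitted one.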
djm [Sun, 19 Dec 2021 22:09:23 +0000 (22:09 +0000)]
ssh-agent side of binding
record session ID/hostkey/forwarding status for each active socket.
Attempt to parse data-to-be-signed at signature request time and extract
session ID from the blob if it is a pubkey userauth request.
ok markus@
djm [Sun, 19 Dec 2021 22:08:48 +0000 (22:08 +0000)]
ssh client side of binding
send session ID, hostkey, signature and a flag indicating whether the
agent connection is being forwarded to ssh agent each time a connection
is opened via a new "session-bind@openssh.com" agent extension.
ok markus@
djm [Sun, 19 Dec 2021 22:08:06 +0000 (22:08 +0000)]
Record session ID, host key and sig at initial KEX
These will be used later for agent session ID / hostkey binding
ok markus@
schwarze [Sun, 19 Dec 2021 22:06:35 +0000 (22:06 +0000)]
document BN_consttime_swap(3); this will probably require more work,
but what i have so far is already better than nothing
krw [Sun, 19 Dec 2021 19:26:18 +0000 (19:26 +0000)]
Simplify error message emitted when requested partition size
cannot be accommodated. "not enough space" should be enough for
anyone.
Requested by deraadt@
deraadt [Sun, 19 Dec 2021 18:57:04 +0000 (18:57 +0000)]
sync
schwarze [Sun, 19 Dec 2021 18:39:32 +0000 (18:39 +0000)]
document BN_uadd(3) and BN_usub(3)
schwarze [Sun, 19 Dec 2021 16:18:34 +0000 (16:18 +0000)]
document BN_zero_ex(3)
jsing [Sun, 19 Dec 2021 14:33:53 +0000 (14:33 +0000)]
Put CTLOG and SCT stacks definitions in the right place.
No functional change.
kettenis [Sun, 19 Dec 2021 13:15:47 +0000 (13:15 +0000)]
aplmbox(4)
kettenis [Sun, 19 Dec 2021 13:07:36 +0000 (13:07 +0000)]
Enable aplmbox(4).
kettenis [Sun, 19 Dec 2021 12:45:14 +0000 (12:45 +0000)]
whitespace
claudio [Sun, 19 Dec 2021 12:19:31 +0000 (12:19 +0000)]
log_warn -> log_warnx since the warning printed uses tls_error()
and therefore printing the errno as well makes no sense.
anton [Sun, 19 Dec 2021 07:45:59 +0000 (07:45 +0000)]
Reduce the overhead of all trace routines by returning as early as
possible in kd_curproc().
jsg [Sun, 19 Dec 2021 06:29:30 +0000 (06:29 +0000)]
fix setting palette with 8bpp fb used on 8mb parts
jsg [Sun, 19 Dec 2021 03:39:05 +0000 (03:39 +0000)]
fix radeondrm console colours on sparc64
Directly do register writes in the sparc64 specific
radeondrm_setcolor() instead of trying to pass colour values via
crtc->gamma_store. With these changes the console changes from
white text on a black background to black text on a white background.
Only older radeon families are handled and crtc selection is
skipped as with radeonfb. Both of the sun radeon parts fall
into this family < CHIP_RS600 path.
xvr-100 (0x1002:0x5159 pci rv100)
xvr-300 (0x1002:0x5b64 pcie rv380)
Tested on a Sun Blade 100 with XVR-100 by Ted Bullock
who also helped with the patch.
jsg [Sun, 19 Dec 2021 01:33:26 +0000 (01:33 +0000)]
drm/amd/display: add connector type check for CRC source set
From Perry Yuan
f35f7f04aa80587bfe00c5e679df054918e79a63 in linux 5.10.y/5.10.87
2da34b7bb59e1caa9a336e0e20a76b8b6a4abea2 in mainline linux
jsg [Sun, 19 Dec 2021 01:30:41 +0000 (01:30 +0000)]
drm/amd/display: Fix for the no Audio bug with Tiled Displays
From Mustapha Ghaddar
dd3cea3425226565c959a1a6b1a1cce2e3394713 in linux 5.10.y/5.10.87
5ceaebcda9061c04f439c93961f0819878365c0f in mainline linux
guenther [Sun, 19 Dec 2021 01:07:50 +0000 (01:07 +0000)]
Suppress error output from sysctl: kern.allowdt doesn't exist on
several archs and complaining about that from the Makefile doesn't
help anyone.
ok deraadt@ bluhm@
deraadt [Sat, 18 Dec 2021 23:45:49 +0000 (23:45 +0000)]
sync
jmc [Sat, 18 Dec 2021 21:41:49 +0000 (21:41 +0000)]
tighten the description of -F; from richard ulmer
ok ratchov
schwarze [Sat, 18 Dec 2021 21:11:50 +0000 (21:11 +0000)]
Document BN_abs_is_word(3).
While here, add the missing "const" qualifier to the second parameter
of BN_is_word(3) - even though i doubt that marking an integral type
parameter as "const" serves any significant purpose...
Note that the OpenSSL documentation for this function that Billy
Brumley committed on August 4, 2021 is actually wrong. Essentially,
it says "BN_abs_is_word() test[s] if a equals ... |w|." Now pray
tell me, what exactly is the point of taking the absolute value of
an unsigned integer number? To compensate for the obvious absurdity
of his patch, Billy made a point of getting *three* OKs from rather
notable people: Pauli Dale, Nicola Tuveri, and Dmitry Belyavskiy.
I believe this is a striking example of the cavalier attitude some
projects put on display when it comes to documentation, and also a
striking example of how bad documentation can occasionally be worse
than no documentation at all, because the OpenSSL manual page will
now thoroughly confuse anyone reading it.
SCNR pointing out this (hopefully unintentional) hilarity - or is
this an attempt at trolling the readers of their documentation?
If it is, they certainly got me.
schwarze [Sat, 18 Dec 2021 19:55:26 +0000 (19:55 +0000)]
support processing <openssl/bn.h>
schwarze [Sat, 18 Dec 2021 19:43:01 +0000 (19:43 +0000)]
add the missing .Nm BN_get_rfc3526_prime_1536,
fixing a minibug found with check_complete.pl
schwarze [Sat, 18 Dec 2021 17:47:44 +0000 (17:47 +0000)]
new manual page OBJ_add_sigid(3)
tb [Sat, 18 Dec 2021 17:26:54 +0000 (17:26 +0000)]
KNF two comments
tb [Sat, 18 Dec 2021 16:58:20 +0000 (16:58 +0000)]
Reinstate the licenses that were replaced with a license stub
in OpenSSL commit d2e9e320.
tb [Sat, 18 Dec 2021 16:50:40 +0000 (16:50 +0000)]
Revert license stubs to full licenses in the remaining files.
tb [Sat, 18 Dec 2021 16:34:52 +0000 (16:34 +0000)]
Reinstate the license stubs to their original licenses in most of the
files in libcrypto/ct. This reverts OpenSSL commit d2e9e320.
discussed with jsing
jsing [Sat, 18 Dec 2021 15:59:50 +0000 (15:59 +0000)]
Convert o2i_SCT* functions to CBS.
This provides cleaner and safer code.
ok inoguchi@ tb@
jsing [Sat, 18 Dec 2021 15:58:59 +0000 (15:58 +0000)]
Rename argument to SCT_LIST_free()
kettenis [Sat, 18 Dec 2021 13:33:52 +0000 (13:33 +0000)]
Add aplmbox(4), a driver for the mailbox that provides a communication
channel with additional cores integrated on Apple SoCs.
ok patrick@
florian [Sat, 18 Dec 2021 10:34:19 +0000 (10:34 +0000)]
Make sure we receive what we expect over imsg.
Instead of repairing potential garbage ensure that we receive proper C
strings. Inspired by a similar diff by deraadt@ for ldapd.
kettenis [Sat, 18 Dec 2021 09:19:25 +0000 (09:19 +0000)]
Add a mailbox "framework" to handle mailboxes referenced in device trees
in a generic way.
ok visa@
anton [Sat, 18 Dec 2021 08:24:31 +0000 (08:24 +0000)]
Reduce the overhead of the trace compare routines by checking if kcov is
enabled for the current thread before doing anything else.
anton [Sat, 18 Dec 2021 06:53:59 +0000 (06:53 +0000)]
Make use of ntests variable, pointed out by clang 13.
deraadt [Sat, 18 Dec 2021 03:57:15 +0000 (03:57 +0000)]
sync
schwarze [Fri, 17 Dec 2021 17:56:14 +0000 (17:56 +0000)]
new manual page OBJ_NAME_add(3)
jca [Fri, 17 Dec 2021 17:06:39 +0000 (17:06 +0000)]
Avoid errors about clang13-only options here, to ease transition
As pointed out by deraadt@ we can do better than ask people to follow
instructions. Note that you still need an up-to-date clang if you
update your kernel Makefiles, as those use clang13-only options.
Also -Werror doesn't bring much in binutils context. It's an outdated
codebase with lots of warts, which frequently breaks due to -Werror
during clang updates.
"This is the right fix" deraadt@
schwarze [Fri, 17 Dec 2021 16:32:07 +0000 (16:32 +0000)]
mention lh_strhash(3) in the NAME, SYNOPSIS, and HISTORY sections;
while here, repair a typo in the lh_retrieve(3) synopsis
patrick [Fri, 17 Dec 2021 15:00:06 +0000 (15:00 +0000)]
sync
patrick [Fri, 17 Dec 2021 14:59:21 +0000 (14:59 +0000)]
Disable a few warning flags that were introduced and enabled by default
with LLVM 13.
patrick [Fri, 17 Dec 2021 14:55:43 +0000 (14:55 +0000)]
Update build infrastructure for LLVM 13.0.0.
patrick [Fri, 17 Dec 2021 14:46:39 +0000 (14:46 +0000)]
Merge LLVM 13.0.0.
mpi [Fri, 17 Dec 2021 14:18:15 +0000 (14:18 +0000)]
Do not try to unlock a NULL object.
Fix a NULL dereference introduced in previous, reported by anton@ and
Benjamin Baier.
Reported-by: syzbot+c172bd335801b67e515b@syzkaller.appspotmail.com
patrick [Fri, 17 Dec 2021 12:26:52 +0000 (12:26 +0000)]
Import LLVM 13.0.0 release.
patrick [Fri, 17 Dec 2021 12:26:32 +0000 (12:26 +0000)]
Import LLVM 13.0.0 release.
patrick [Fri, 17 Dec 2021 12:26:13 +0000 (12:26 +0000)]
Import LLVM 13.0.0 release.
patrick [Fri, 17 Dec 2021 12:25:51 +0000 (12:25 +0000)]
Import LLVM 13.0.0 release.
patrick [Fri, 17 Dec 2021 12:25:18 +0000 (12:25 +0000)]
Import LLVM 13.0.0 release.
patrick [Fri, 17 Dec 2021 12:25:01 +0000 (12:25 +0000)]
Import LLVM 13.0.0 release.
patrick [Fri, 17 Dec 2021 12:24:32 +0000 (12:24 +0000)]
Import LLVM 13.0.0 release.
patrick [Fri, 17 Dec 2021 12:23:18 +0000 (12:23 +0000)]
Import LLVM 13.0.0 release.
jca [Fri, 17 Dec 2021 12:03:16 +0000 (12:03 +0000)]
Declare pthread_atfork as weak to avoid a fatal error with LLVM 13
Fixes behavior with current clang, which marks the symbol as GLOBAL
instead of WEAK. LLVM change: https://reviews.llvm.org/D90108
base-gcc is unaffected. Keep asm(".weak") for gcc3 until a cleanup can
be tested there.
Initial diff from mortimer@, input and ok kettenis@, ok guenther@
tb [Fri, 17 Dec 2021 11:28:05 +0000 (11:28 +0000)]
alphabetical order is hard, tb...
tb [Fri, 17 Dec 2021 11:25:22 +0000 (11:25 +0000)]
fix indent
millert [Thu, 16 Dec 2021 19:15:29 +0000 (19:15 +0000)]
Document the failure mode if size is too small and mention that
allocating space when buf is NULL is an extension more prominently.
Clarify that getwd() is deprecated and should not be used.
Mention EFAULT errno value for invalid (non-NULL) buf.
OK deraadt@ jmc@
millert [Thu, 16 Dec 2021 19:12:43 +0000 (19:12 +0000)]
getwd(3): don't malloc space for buf if it is NULL
The 4.3BSD getwd(3) did not malloc space, use __getcwd(2) directly
so the compat function doesn't either. OK deraadt@
tb [Thu, 16 Dec 2021 17:32:51 +0000 (17:32 +0000)]
libradius: convert to HMAC_CTX on the heap
This is another fairly mechanical conversion to prepare the switch
to opaque HMAC_CTX. It adds missing error checking for the HMAC API
and uses HMAC_Init_ex() instead of the deprecated HMAC_Init().
ok jsing
tj [Thu, 16 Dec 2021 17:07:56 +0000 (17:07 +0000)]
arm64 can boot from softraid too; ok patrick
schwarze [Thu, 16 Dec 2021 16:36:16 +0000 (16:36 +0000)]
document obj_cleanup_defer(3) and check_defer(3)
bluhm [Thu, 16 Dec 2021 15:38:03 +0000 (15:38 +0000)]
Fix a tiny race in tdb_delete() between TDBF_DELETED, tdb_unlink()
and tdb_cleanspd(). gettdb...() can return a TDB before tdb_unlink().
Then ipsp_spd_lookup() could add it to tdb_policy_head after
tdb_cleanspd(). There it would stay until it hits the kassert in
tdb_free().
OK tobhe@
schwarze [Thu, 16 Dec 2021 12:26:40 +0000 (12:26 +0000)]
To ease maintenance, structure the lists of intentionally undocumented
symbols according to the reason (internal, obsolete, postponed)
and according to the header file (asn1, objects, x509, ...).
Also, add some minor tweaks needed for <openssl/objects.h>.
claudio [Thu, 16 Dec 2021 09:33:56 +0000 (09:33 +0000)]
When adding the extra 10% of space to a needed sysctl buffer use math
that is less likely to overflow the int type used. A BGP full feed is
now so big that this calculation overflowed and then got sign extended.
The result was for example 'route -n show' failures.
Problem identified with deraadt@
OK deraadt@ (more cleanup needed but this fix is a good start)
anton [Thu, 16 Dec 2021 08:03:17 +0000 (08:03 +0000)]
Attach com over acpi on amd64. Some hardware uses a different interrupt
assignment compared to the legacy one supported by com over isa.
This causes the console to halt once userland takes over as no
interrupts are received. The actual address and irq can be read from
ACPI, kettenis@ already added support for arm64 which paved the way for
amd64.
Some consoles that previously attached over isa are now expected to
attach over acpi.
Thanks to patrick@ for testing on arm64.
ok kettenis@
tb [Thu, 16 Dec 2021 06:32:56 +0000 (06:32 +0000)]
unifdef TLS13_USE_LEGACY_CLIENT_AUTH
Before the TLSv1.3 stack grew client certificate support, it fell back
to the legacy stack. Proper client certificate support was added in a2k20
with a TLS13_USE_LEGACY_CLIENT_AUTH knob to provide an easy fallback in
case the new code should have a problem. This was never needed.
As ifdefed code is wont to do, this bitrotted a few months later when
the client and server methods were merged.
discussed with jsing