openbsd
cheloha [Thu, 15 Sep 2022 19:30:51 +0000 (19:30 +0000)]
tsc: configure LFENCE to serialize dispatch before testing TSC sync

On AMD CPUs, LFENCE does not serialize instruction dispatch until MSR
C001_1029[1] is properly configured.  We do this in identifycpu(); see
amd64/identcpu.c,v 1.103.

The upshot is that the first TSC synchronization test is currently
invalid on most AMD CPUs because the LFENCE in the test loop does not
ensure that the AP loads the BP's latest TSC value before executing
RDTSC.  So the synchronization test is yielding false positives on AMD
CPUs where the TSCs are actually synchronized.

The simplest fix is to wait until after the secondary CPU runs
identifycpu() in cpu_hatch() to test TSC synchronization.

Moving the TSC sync test after CPU identification means that we can
remove the CPUID() calls from tsc.c: the CPU feature flags are set in
identifycpu() so we no longer need to test for IA32_TSC_ADJUST support
by hand.

While we are at it, we should also pass the correct cpu_info pointer
to tsc_test_sync_bp().  It was unused before, so the bug was harmless,
but we definitely need the BP's cpu_info pointer, not the AP's pointer.

Unfortunately, this change does not fix the TSC sync problems we've
been seeing on e.g. dv@'s and jmc@'s Ryzen 5 machines.  Hopefully the
problem on those machines is buggy firmware and not another
architectural misunderstanding on my part.

Prompted by robert@.  Problem diagnosed by brynet@.  With input from
robert@, brynet@, and deraadt@.  Tested by robert@, brynet@, dv@,
phessler@, and jmc@.

ok robert@ brynet@ sthen@

mglocker [Thu, 15 Sep 2022 18:03:52 +0000 (18:03 +0000)]
Enable the keyboard on the Samsung Galaxy Book Go.

Help from kettenis@, "Nice!" deraadt@

krw [Thu, 15 Sep 2022 15:05:58 +0000 (15:05 +0000)]
Short names make for shorter and prettier lines.

tobhe [Thu, 15 Sep 2022 14:45:49 +0000 (14:45 +0000)]
Add support for Apple fn key combinations. Based on Apple fn key handling
in ukbd(4).

ok miod@

millert [Thu, 15 Sep 2022 12:47:10 +0000 (12:47 +0000)]
Use non-blocking connect() with ppoll() and timeout instead of alarm().
For hosts with multiple IP addrs this makes it possible to fall
over from an unresponsive IP to another.  This also replaces the
other connect(2) + connect_wait() calls with timed_connect() so the
-w option now works for more than just http.  OK sthen@ deraadt@

krw [Thu, 15 Sep 2022 10:10:14 +0000 (10:10 +0000)]
Add GPTPARTATTR_MS_* defines for Microsoft basic data attributes
and make 'fdisk -v' display their names (NoAutoMount, Hidden,
Shadow, ReadOnly).

Shift 1ULL instead of 1 to make it clear these are uint64_t
flags. Makes clang happier.

krw [Thu, 15 Sep 2022 09:08:29 +0000 (09:08 +0000)]
Remove unneeded interim DPRINTF() verbiage. Make DEBUG compile
again.

job [Thu, 15 Sep 2022 08:20:34 +0000 (08:20 +0000)]
Add OID for RPKI signedTAL objects

IANA made a permanent registration in the SMI Security for S/MIME CMS
Content Type registry at
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1
for signed objects conforming to draft-ietf-sidrops-signed-tal.

OK tb@

claudio [Thu, 15 Sep 2022 08:20:14 +0000 (08:20 +0000)]
Make kroute_matchgw() also work with connected routes.

Connected routes have no gateway set but only have ifindex set.
When an interface is deconfigured this makes sure the right route is
removed.
OK tb@

florian [Thu, 15 Sep 2022 07:59:59 +0000 (07:59 +0000)]
Ignore error when we try to delete an address that's already gone.

This will happen when an address expires because the vltime drops to
zero. The kernel then deletes the address and slaacd tries to do so,
too. The correct fix is to track in slaacd that the kernel already
deleted the address for us, but that's too much work shortly before a
release so just hide the ugly warning for now, it's harmless.
Problem reported by semarie some time ago.
OK deraadt, benno

jsing [Thu, 15 Sep 2022 07:04:19 +0000 (07:04 +0000)]
Use LONG_MAX as the limit for ciphers with long based APIs.

These ciphers have long based APIs, while EVP has a size_t based API. The
intent of these loops is to handle sizes that are bigger than LONG_MAX.
Rather than using the rather crazy EVP_MAXCHUNK construct, use LONG_MAX
rounded down to a large block size, ensuring that it is a block size
multiple. Revert the recently added overflow checks now that this is
handled more appropriately.

ok tb@

kmos [Thu, 15 Sep 2022 04:28:51 +0000 (04:28 +0000)]
regen

kmos [Thu, 15 Sep 2022 04:28:07 +0000 (04:28 +0000)]
Add IDs for the JHL6240 Thunderbolt 3 controller found in my Thinkpad T490

ok jsg

jsg [Thu, 15 Sep 2022 01:57:52 +0000 (01:57 +0000)]
recognise Neoverse V2 (Demeter)

deraadt [Wed, 14 Sep 2022 22:28:52 +0000 (22:28 +0000)]
AF_UNIX bind() must use UNVEIL_CREATE for namei() because it is creating
a file in the filesystem.  Spotted by martijn.  A review of AF_UNIX
binding programs has been done by benno, and we think it is worth committing
this semantic change now and watching for fallout.

kn [Wed, 14 Sep 2022 16:43:00 +0000 (16:43 +0000)]
Backout "Reflect script failure in exit code"

amd64 install using (G)PT seems busted as reported by tb

tb [Wed, 14 Sep 2022 16:31:36 +0000 (16:31 +0000)]
remove an extraneous empty line

deraadt [Wed, 14 Sep 2022 14:25:31 +0000 (14:25 +0000)]
closer to potential release date

kn [Wed, 14 Sep 2022 13:37:03 +0000 (13:37 +0000)]
Merge common FORMAT_FDISK and USE_SOFTRAID default, simpler cleanup

tobhe [Wed, 14 Sep 2022 13:07:49 +0000 (13:07 +0000)]
Compare 'srcnat' when comparing policies.  Fixes a bug where policy lookup could
not differentiate between similar policies that only differ in srcnat.  Also
include srcnat when logging flows or policies.

ok markus@

kn [Wed, 14 Sep 2022 10:09:48 +0000 (10:09 +0000)]
Fold root disk setup targets into one

kn [Wed, 14 Sep 2022 10:06:14 +0000 (10:06 +0000)]
Fold vnd disk setup targets into a single loop

kn [Wed, 14 Sep 2022 09:57:47 +0000 (09:57 +0000)]
Make NDISKS an integer, simplify CLEANFILES with globbing

Testing with three softraid chunks now means NDISKS=3 as one would expect
and not NDISKS='1 2 3'.

This uses the powerful jot(1) -w and rs(1) -T commands and allows for more
simplifications in the Makefile.

kn [Wed, 14 Sep 2022 08:52:47 +0000 (08:52 +0000)]
Format softraid keydisk to make regress pass without installboot fix

Treat keydisks like real chunks until installboot properly skips it and
does not touch/install to them anymore.

jmc [Wed, 14 Sep 2022 07:14:02 +0000 (07:14 +0000)]
clarify behaviour when the second address in a range is smaller than
or equal to the first;

diff from luka krmpotic
ok kn

deraadt [Wed, 14 Sep 2022 06:31:14 +0000 (06:31 +0000)]
sync

djm [Wed, 14 Sep 2022 00:14:37 +0000 (00:14 +0000)]
sk_enroll: never drop SSH_SK_USER_VERIFICATION_REQD flag from response

Now that all FIDO signing calls attempt first without PIN and then
fall back to trying PIN only if that attempt fails, we can remove the
hack^wtrick that removed the UV flag from the keys returned during
enroll.

By Corinna Vinschen

djm [Wed, 14 Sep 2022 00:13:13 +0000 (00:13 +0000)]
a little extra debugging

djm [Wed, 14 Sep 2022 00:02:03 +0000 (00:02 +0000)]
ssh-agent: attempt FIDO key signing without PIN and use the error
to determine whether a PIN is required and prompt only if necessary.
from Corinna Vinschen

sthen [Tue, 13 Sep 2022 20:56:47 +0000 (20:56 +0000)]
add some initial docs for MODPY_PYBUILD, prompted by espie

kn [Tue, 13 Sep 2022 20:26:26 +0000 (20:26 +0000)]
== in [[ does pattern matching as well

OK millert

kettenis [Tue, 13 Sep 2022 17:14:54 +0000 (17:14 +0000)]
Split out the code that collects data from acpiac(4), acpibat(4) and
acpisbs(4) for apm(4) and hook it up to the arm64 version of apm(4) on
systems with ACPI.

ok kn@

martijn [Tue, 13 Sep 2022 10:28:19 +0000 (10:28 +0000)]
Add (partial) support for agentx in vmd.

Metrics can be found under mib-2.236 and VM-MIB (RFC7666).

Stress tested by and happy noises from Mischa Peters
OK dv@

martijn [Tue, 13 Sep 2022 10:22:07 +0000 (10:22 +0000)]
varbind was designed to allow both a ber NULL and a NULL pointer for
value. The ber NULL case is there for when it was received via a PDU.
The NULL pointer case can happen if application.c runs into a timeout
or when a backend runs into problems.

The NULL pointer case however was overlooked in appl_varbind_valid and
results in a "missing value" error, (needlessly) terminating the
connection to the backend.

Found the hard way by Mischa Peters while stress testing agentx support
for vmd.

OK tb@, sthen@

martijn [Tue, 13 Sep 2022 10:20:22 +0000 (10:20 +0000)]
When a connection is reset while we still have an outstanding request,
the connection from the request to the rest of the structure is removed,
so we don't send any old data over the new connection.

However, the old code dereferences axc at a couple of places before
we check it for NULL.

Found the hard way by Mischa Peters while stress testing agentx support
for vmd.

OK tb@, sthen@

robert [Tue, 13 Sep 2022 09:57:09 +0000 (09:57 +0000)]
support more than one input file in llvm-ranlib by backporting
commit aa173573198e024b065c5f6523ce26bb865781b7 from upstream

ok kettenis@

mvs [Tue, 13 Sep 2022 09:05:47 +0000 (09:05 +0000)]
Change pru_rcvd() return type to the type of void. We have no interest
in pru_rcvd() return value.

Drop "pru_rcvd != NULL" check within pru_rcvd() wrapper. We only call it
if the socket's protocol has PR_WANTRCVD flag set. Such sockets are
route domain, tcp(4) and unix(4) sockets.

ok guenther@ bluhm@

mvs [Tue, 13 Sep 2022 09:05:02 +0000 (09:05 +0000)]
Do soreceive() with shared netlock for raw sockets.

ok bluhm@

jmc [Tue, 13 Sep 2022 06:20:38 +0000 (06:20 +0000)]
document "configtest" in SYNOPSIS; from andrei
while here, sort SYNOPSIS at the behest of ajacoutot;

ok ajacoutot

jmc [Tue, 13 Sep 2022 05:49:23 +0000 (05:49 +0000)]
fix Xr;

jmc [Tue, 13 Sep 2022 05:48:54 +0000 (05:48 +0000)]
add missing quote;

jmc [Tue, 13 Sep 2022 05:46:00 +0000 (05:46 +0000)]
add arch to Dt;

jsing [Tue, 13 Sep 2022 04:59:18 +0000 (04:59 +0000)]
Stop pretending that EVP_CIPHER cleanup can fail.

Now that EVP_CIPHER is opaque, stop pretending that EVP_CIPHER cleanup can
fail.

ok tb@

jsg [Tue, 13 Sep 2022 01:38:31 +0000 (01:38 +0000)]
SIOCDIFPARENT removes configuration not SIOCGIFPARENT
spotted by kn@

kettenis [Mon, 12 Sep 2022 20:31:53 +0000 (20:31 +0000)]
Enable acpiac(4) and acpibat(4).

ok deraadt@

miod [Mon, 12 Sep 2022 19:35:20 +0000 (19:35 +0000)]
Store mod/ref flags using md pg_flags values rather than a specific field in
vm_page_md, which allows this struct to shrink a bit.

miod [Mon, 12 Sep 2022 19:33:34 +0000 (19:33 +0000)]
Store mod/ref flags using md pg_flags values rather than a specific field in
vm_page_md, which allows this struct to shrink a bit.

miod [Mon, 12 Sep 2022 19:28:19 +0000 (19:28 +0000)]
Drop orphaned pv_flags values.

kettenis [Mon, 12 Sep 2022 17:42:31 +0000 (17:42 +0000)]
Add support for level-triggered GPIO events.

ok mlarkin@

kettenis [Mon, 12 Sep 2022 17:30:32 +0000 (17:30 +0000)]
sxirintc(4)

kettenis [Mon, 12 Sep 2022 15:59:16 +0000 (15:59 +0000)]
qcgpio(4) and qciic(4)

kettenis [Mon, 12 Sep 2022 15:49:36 +0000 (15:49 +0000)]
qcgpio(4) and qciic(4)

tb [Mon, 12 Sep 2022 14:36:09 +0000 (14:36 +0000)]
zap extra .Pp

tb [Mon, 12 Sep 2022 14:33:47 +0000 (14:33 +0000)]
Stop documenting i2c_ASN1_INTEGER.

This is no longer public API. Also remove some comments about i2c and c2i
functions being intentionally undocumented since they are no longer public.

jsg [Mon, 12 Sep 2022 14:18:17 +0000 (14:18 +0000)]
disable Panel Self Refresh (PSR) by default in inteldrm

After i915_drv.c 1.144 PSR changed to being on by default.
On a TUXEDO InfinityBook Pro 14 Gen6 (Tiger Lake) this introduced screen
flicker.  Reported and tested by Matthias Schmidt.

Should also avoid flicker problem on Dell XPS 13 7390 (Comet Lake)
reported by James Cook.

tb [Mon, 12 Sep 2022 13:11:36 +0000 (13:11 +0000)]
Add CBC, CFB64 and OFB64 test coverage for RC2

From Joshua Sing

kn [Mon, 12 Sep 2022 13:10:03 +0000 (13:10 +0000)]
Hook up installboot(8) tests on all covered archs

Those that still fail (softraid+keydisk or explicit-stage-files) have fixes on tech@.

tb [Mon, 12 Sep 2022 13:09:01 +0000 (13:09 +0000)]
whitespace nits

claudio [Mon, 12 Sep 2022 12:04:55 +0000 (12:04 +0000)]
Bump version for upcoming -portable release

nicm [Mon, 12 Sep 2022 12:02:17 +0000 (12:02 +0000)]
Don't use options from pane if pane is NULL.

cheloha [Mon, 12 Sep 2022 10:58:05 +0000 (10:58 +0000)]
acpihpet(4): acpihpet_delay: only use lower 32 bits of counter

We can't use acpihpet_r() to implement acpihpet_delay().  Even if we
made acpihpet_r() atomic on amd64, i386 would still be incapable of
doing atomic 8-byte reads.  As-is, the code does a split read on all
platforms, which may or may not already be causing problems with TSC
calibration:

https://marc.info/?l=openbsd-tech&m=166220561709496&w=2

Switch from acpihpet_r() to bus_space_read_4() and only use the lower
32 bits of the counter.  This makes acpihpet_delay() slightly larger,
but unless we want two acpihpet_delay() implementations we have no
choice.

Link: https://marc.info/?l=openbsd-tech&m=166165347220077&w=2
ok jsg@

jsg [Mon, 12 Sep 2022 10:16:09 +0000 (10:16 +0000)]
spelling

claudio [Mon, 12 Sep 2022 10:03:17 +0000 (10:03 +0000)]
Introduce tree walkers that only walk a subtree of the RIB.

In some cases only a "small" part of the RIB needs to be looked at. Like
bgpctl show rib 10/8 or-longer that only needs to traverse nodes under
10/8 all other RIB entries do not matter. By setting the start node to
the RB_NFIND(10/8) all nodes below this point can be skipped.
Using prefix_compare() while walking the tree with RB_NEXT() the walker
knows when it steps outside of the 10/8 subtree and stops.
With this the or-longer commands become a lot faster.

Looks good to tb@

jsg [Mon, 12 Sep 2022 09:18:30 +0000 (09:18 +0000)]
SIOCGIFPARENT uses struct if_parent not ireq
ok jmc@

jsg [Mon, 12 Sep 2022 09:15:29 +0000 (09:15 +0000)]
SIOCGVNETID uses struct ifreq not if_parent
ok jmc@

tb [Mon, 12 Sep 2022 04:26:38 +0000 (04:26 +0000)]
Move division by two out of sizeof()

tb [Mon, 12 Sep 2022 04:20:59 +0000 (04:20 +0000)]
Error checks for EVP_*

CID 356777

tb [Mon, 12 Sep 2022 04:12:39 +0000 (04:12 +0000)]
Move division by two out of sizeof()

CID 356778

mbuhl [Sun, 11 Sep 2022 20:51:44 +0000 (20:51 +0000)]
Add regression tests for the sendmmsg and recvmmsg system calls.

miod [Sun, 11 Sep 2022 19:34:40 +0000 (19:34 +0000)]
Remove the DKF_LABELVALID flag from struct disk. Instead, trust disk drivers
to always be able to provide a duid, and keep ignoring whole zero duids.

This fixes a race in vnd setup where the disk_attach callback could run
before any I/O occurs on the vnd, thus not having a label available yet.

noticed by otto@ and kn@; ok kn@

dv [Sun, 11 Sep 2022 19:05:44 +0000 (19:05 +0000)]
Add the new inout vmm(4) tracepoint to dt(4).

Forgot to put it in the list of static tracepoints when I committed
the tracepoint at g2k22. Woops.

jsing [Sun, 11 Sep 2022 18:13:30 +0000 (18:13 +0000)]
Enforce the minimum TLS version requirement for QUIC.

ok tb@

tb [Sun, 11 Sep 2022 18:08:17 +0000 (18:08 +0000)]
Adjust for opaque structs in ts.h

ok jsing

tb [Sun, 11 Sep 2022 18:07:46 +0000 (18:07 +0000)]
Adjust for opaque structs in pkcs12.h

ok jsing

kettenis [Sun, 11 Sep 2022 18:07:26 +0000 (18:07 +0000)]
Register the I2C controller with ACPI.  Skip this on the SC8280XP SoC for
now as the AML on the Lenovo X13S tries to do I2C transactions to a device
that doesn't respond leading to the ACPI thread spinning until the
transaction times out.

ok mlarkin@, deraadt@

tb [Sun, 11 Sep 2022 17:45:14 +0000 (17:45 +0000)]
sync

tb [Sun, 11 Sep 2022 17:43:27 +0000 (17:43 +0000)]
bump major after libcrypto and libssl major bump

tb [Sun, 11 Sep 2022 17:42:55 +0000 (17:42 +0000)]
Crank major after symbol addition and libcrypto major bump

tb [Sun, 11 Sep 2022 17:42:09 +0000 (17:42 +0000)]
Update Symbols.list

ok jsing

tb [Sun, 11 Sep 2022 17:39:46 +0000 (17:39 +0000)]
Expose SSL_get_share_{group,curve}() and related #defines

ok jsing

tb [Sun, 11 Sep 2022 17:38:58 +0000 (17:38 +0000)]
Expose some error codes needed for QUIC support

ok jsing

tb [Sun, 11 Sep 2022 17:36:34 +0000 (17:36 +0000)]
Define LIBRESSL_HAS_QUIC

ok jsing

tb [Sun, 11 Sep 2022 17:34:41 +0000 (17:34 +0000)]
Bump major after symbol addition and removal and struct visibility changes

tb [Sun, 11 Sep 2022 17:32:01 +0000 (17:32 +0000)]
Update Symbols.list

ok jsing

tb [Sun, 11 Sep 2022 17:31:19 +0000 (17:31 +0000)]
Make structs in ts.h opaque

ok jsing

tb [Sun, 11 Sep 2022 17:30:13 +0000 (17:30 +0000)]
Make structs in pkcs12.h opaque

ok jsing

tb [Sun, 11 Sep 2022 17:29:24 +0000 (17:29 +0000)]
Expose EVP_chacha20_poly1305()

ok jsing

tb [Sun, 11 Sep 2022 17:28:33 +0000 (17:28 +0000)]
Expose various EVP AEAD constants for EVP ChaCha and QUIC

ok jsing

tb [Sun, 11 Sep 2022 17:26:51 +0000 (17:26 +0000)]
Expose OPENSSL_cleanup()

ok jsing

tb [Sun, 11 Sep 2022 17:26:03 +0000 (17:26 +0000)]
Make BIO_info_cb() identical to bio_info_cb()

Various projects use bio_info_cb and BIO_info_cb interchangeably, for
example mupdf and freerdp. This is because this was changed in OpenSSL
commit fce78bd4 (2017), triggered by new warnings in gcc 8.

https://github.com/openssl/openssl/pull/4493

This results in some scary compiler warnings and useless patches in ports.
Nobody seems to be using the old bio_info_cb() version.

ok jsing

tb [Sun, 11 Sep 2022 17:22:52 +0000 (17:22 +0000)]
Remove c2i_* and i2c_* from public visibility

This removes c2i_ASN1_OBJECT(), {c2i,i2c}_ASN1_BIT_STRING() and
{c2i,i2c}_ASN1_INTEGER(). These are not part of the OpenSSL 1.1
API and should never have been exposed in the first place.

ok jsing

tb [Sun, 11 Sep 2022 15:24:53 +0000 (15:24 +0000)]
link asn1object test statically in preparation for upcoming bump

krw [Sun, 11 Sep 2022 15:05:27 +0000 (15:05 +0000)]
Replace "echo 'w\ny\nq\n' | disklabel -E" with equivalent
'disklabel -dw'.

Tested & ok visa@

jsing [Sun, 11 Sep 2022 14:39:44 +0000 (14:39 +0000)]
Be stricter with middlebox compatibility mode in the TLSv1.3 server.

Only allow a TLSv1.3 client to request middlebox compatibility mode if
this is permitted. Ensure that the legacy session identifier is either
zero length or 32 bytes in length. Additionally, only allow CCS messages
on the server side if the client actually requested middlebox compatibility
mode.

ok tb@

jsing [Sun, 11 Sep 2022 14:33:07 +0000 (14:33 +0000)]
Only permit CCS messages if requesting middlebox compatibility mode.

Currently the TLSv1.3 client always permits the server to send CCS
messages. Be more strict and only permit this if the client is actually
requesting middlebox compatibility mode.

ok tb@

deraadt [Sun, 11 Sep 2022 14:27:09 +0000 (14:27 +0000)]
drop the -beta

jsing [Sun, 11 Sep 2022 13:51:25 +0000 (13:51 +0000)]
Use CBS when processing a CCS message in the legacy stack.

ok tb@

jsing [Sun, 11 Sep 2022 13:50:41 +0000 (13:50 +0000)]
Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.

ok tb@

jmc [Sun, 11 Sep 2022 11:56:28 +0000 (11:56 +0000)]
.Li in previous didn't make sense;

krw [Sun, 11 Sep 2022 11:47:55 +0000 (11:47 +0000)]
Add #define's for GPT partition attribute bits REQUIRED, IGNORE
and BOOTABLE, set BOOTABLE attribute bit instead of using the
incorrect GPTDOSACTIVE value, have 'fdisk -v' print out GPT
partition attributes if any of the 64 bits are set, don't spoof
any partition with REQUIRED bit set.

Prompted by kettenis@ stumbling across a machine with 40+ (!!)
REQUIRED GPT partitions.

Tested & ok kettenis@