openbsd
6 years agoSince each database that has the rpath promise only needs to access one
mestre [Tue, 25 Sep 2018 06:48:48 +0000 (06:48 +0000)]
Since each database that has the rpath promise only needs to access one
specific file (in read mode) we can add a 4th attribute to the struct getentdb
to define each of those files, except for group/hosts/passwd dbs which will be
assigned NULL to that attribute because all the necessary files they need to
open are already whitelisted through pledge(2) via either dns or getpw
promises.

With that set we can then check if the 4th attribute (called unveil) is not
NULL and in that case unveil(2) that specific file per each database.

After a discussion with millert@ regarding YP then deraadt@ chimed in referring
that when he wrote this code even though we can have YP mappings with several
of these dbs "it doesn't mean that things use it, or should, or will" so adding
unveil(2) here should not impact any YP environments.

OK millert@ deraadt@

6 years agoRemove initial pledge(2) that doesn't give us much protection since it's so
mestre [Tue, 25 Sep 2018 06:43:20 +0000 (06:43 +0000)]
Remove initial pledge(2) that doesn't give us much protection since it's so
short lived, we either go directly exiting the program or just a few lines
below we call pledge(2) again, where it actually should be, and with really
reduced promises. Next commit will restrict further access to the filesystem
through unveil(2).

OK deraadt@ kn@

6 years agounveil maildir, utmp, /tmp, and /dev. For the vast number of people
deraadt [Mon, 24 Sep 2018 22:56:54 +0000 (22:56 +0000)]
unveil maildir, utmp, /tmp, and /dev.  For the vast number of people
using biff.

6 years agounveil(2) is easy since this only uses one directory tree
deraadt [Mon, 24 Sep 2018 22:55:50 +0000 (22:55 +0000)]
unveil(2) is easy since this only uses one directory tree
(containing no exterior pointing symlinks), and a file.
In snaps for about 2 months.

6 years agounveil(2) in getty. This has been in snaps for more than 2 months,
deraadt [Mon, 24 Sep 2018 21:30:00 +0000 (21:30 +0000)]
unveil(2) in getty.  This has been in snaps for more than 2 months,
since I worry that a mistake in here will cause significant grief.

6 years agoAfter opening required descriptors, savecore only plays in one directory
deraadt [Mon, 24 Sep 2018 21:26:38 +0000 (21:26 +0000)]
After opening required descriptors, savecore only plays in one directory
so use unveil(2).

6 years agoUse unveil(2). These programs fit together in various strange ways,
deraadt [Mon, 24 Sep 2018 21:26:00 +0000 (21:26 +0000)]
Use unveil(2).  These programs fit together in various strange ways,
so if a problem is encountered with this the whole set needs backout
and study.

6 years agoPrevent ieee80211_get_txkey() from returning the integrity group temporal
stsp [Mon, 24 Sep 2018 20:14:59 +0000 (20:14 +0000)]
Prevent ieee80211_get_txkey() from returning the integrity group temporal
key (IGTK) if a node doesn't have management frame protection (MFP) enabled.
The IGTK is not initialized if MFP is disabled, so using it triggers this
panic in ieee80211_encrypt(): panic("invalid key cipher 0x%x", k->k_cipher)

(As far as I can tell, at present, MFP is never enabled.)

Problem reported and fix tested by tj@ on athn(4) hostap

6 years agosync host*() changes from bgpd
denis [Mon, 24 Sep 2018 18:14:39 +0000 (18:14 +0000)]
sync host*() changes from bgpd

OK kn@

6 years agoAllow to use the "tls" keyword on any relay action to force TLS, with
eric [Mon, 24 Sep 2018 16:14:34 +0000 (16:14 +0000)]
Allow to use the "tls" keyword on any relay action to force TLS, with
strict certificate validation.  The "no-verify" becomes optional.

ok gilles@ millert@ semarie@

6 years agoOnly include pane status in minimum size if it is turned on, GitHub
nicm [Mon, 24 Sep 2018 15:29:56 +0000 (15:29 +0000)]
Only include pane status in minimum size if it is turned on, GitHub
issue 1480.

6 years agoTurn carp_ourether() mp-safe, this is a requirement for taking bridge(4)
mpi [Mon, 24 Sep 2018 12:25:52 +0000 (12:25 +0000)]
Turn carp_ourether() mp-safe, this is a requirement for taking bridge(4)
out of the KERNEL_LOCK().

ok visa@, bluhm@

6 years agoenable futex(2) based mutexes on armv7 and use futex based semaphores in
jsg [Mon, 24 Sep 2018 11:25:09 +0000 (11:25 +0000)]
enable futex(2) based mutexes on armv7 and use futex based semaphores in
librthread on armv7 as well
from brad ok visa@ kettenis@ mpi@

6 years agosync
fcambus [Mon, 24 Sep 2018 11:11:44 +0000 (11:11 +0000)]
sync

6 years agoAdd "Spleen 5x8" to wsfont, a font targetted at small OLED displays
fcambus [Mon, 24 Sep 2018 11:10:34 +0000 (11:10 +0000)]
Add "Spleen 5x8" to wsfont, a font targetted at small OLED displays
to be used with devices handled by ssdfb(4). It contains all printable
ASCII characters (96 glyphes).

The font is 2-Clause BSD licensed and is my original creation.

OK patrick@

6 years agobump for LibreSSL 2.8.1
bcook [Sun, 23 Sep 2018 17:52:40 +0000 (17:52 +0000)]
bump for LibreSSL 2.8.1

6 years agoDocument bufferevent_setwatermark(). Initial diff from Geoff Hill on tech@ with
anton [Sun, 23 Sep 2018 08:56:19 +0000 (08:56 +0000)]
Document bufferevent_setwatermark(). Initial diff from Geoff Hill on tech@ with
some tweaks.

With feedback and ok jmc@

6 years agoadd 6.5 syspatch public key
robert [Sun, 23 Sep 2018 03:54:47 +0000 (03:54 +0000)]
add 6.5 syspatch public key

6 years agoRemap the UEFI buffer early such that we can use a write combining mapping
kettenis [Sat, 22 Sep 2018 17:41:52 +0000 (17:41 +0000)]
Remap the UEFI buffer early such that we can use a write combining mapping
which speeds things up considerably compared to an uncached mapping.

ok deraadt@

6 years agoOnly clear the character backing store when the RI_CLEAR flag is set.
kettenis [Sat, 22 Sep 2018 17:40:57 +0000 (17:40 +0000)]
Only clear the character backing store when the RI_CLEAR flag is set.

ok deraadt@

6 years agoRemove unused Table_size define and digits() function.
millert [Sat, 22 Sep 2018 17:10:28 +0000 (17:10 +0000)]
Remove unused Table_size define and digits() function.

6 years agoUse user_from_uid() and uid_from_user() directly. The wrappers
millert [Sat, 22 Sep 2018 16:50:35 +0000 (16:50 +0000)]
Use user_from_uid() and uid_from_user() directly.  The wrappers
in username.c are now so simple there is no longer a good reason
to use them.  OK deraadt@

6 years agoAdd a comment on the acceptable RSASSA cases.
tb [Sat, 22 Sep 2018 15:53:38 +0000 (15:53 +0000)]
Add a comment on the acceptable RSASSA cases.

6 years agogather statistics in checkAead{Open,Seal}() as well.
tb [Sat, 22 Sep 2018 14:12:47 +0000 (14:12 +0000)]
gather statistics in checkAead{Open,Seal}() as well.

6 years agoBack out the following if_iwm.c revisions:
stsp [Sat, 22 Sep 2018 13:55:55 +0000 (13:55 +0000)]
Back out the following if_iwm.c revisions:

r1.232 Fix length checks in the receive path of iwm(4)
r1.230 Add monitor mode support to iwm(4)
r1.229 Implement Rx of multiple frames per interrupt in the iwm(4) driver

There is an apparent block-ack problem (base.tgz takes 8 hours to download)
which goes away when these changes are reverted. To be revisited after release.

ok deraadt@

6 years agoremove some unneeded checks
tb [Sat, 22 Sep 2018 13:42:46 +0000 (13:42 +0000)]
remove some unneeded checks

6 years agogather and print some statistics on the acceptable cases we need to
tb [Sat, 22 Sep 2018 11:00:25 +0000 (11:00 +0000)]
gather and print some statistics on the acceptable cases we need to
look into

6 years agoEnable USB bwfm(4) on macppc RAMDISK as well, matching GENERIC.
stsp [Sat, 22 Sep 2018 10:12:42 +0000 (10:12 +0000)]
Enable USB bwfm(4) on macppc RAMDISK as well, matching GENERIC.
Passes 'make release' build.

6 years agoHarmonize spacing after ellipses in displayed messages.
fcambus [Sat, 22 Sep 2018 09:12:36 +0000 (09:12 +0000)]
Harmonize spacing after ellipses in displayed messages.

We were using spacing after ellipses in an inconsistent way in the
installer. Standardize on using "... " everywhere and take into account
the cursor position while we are waiting for the task to complete: the
cursor is now always positioned after the last dot, and the space is
added when displaying completion confirmation.

While there, also take cursor position into account in vfs_shutdown(),
and remove the extra leading space before ticks in dhclient.

OK deraadt@

6 years agomore flags printing
tb [Sat, 22 Sep 2018 06:06:36 +0000 (06:06 +0000)]
more flags printing

6 years agoCorrect the uid_from_user() and gid_from_group() comments.
millert [Sat, 22 Sep 2018 02:47:23 +0000 (02:47 +0000)]
Correct the uid_from_user() and gid_from_group() comments.

6 years agoRevert previous. It broke /etc/rc.
visa [Sat, 22 Sep 2018 02:20:44 +0000 (02:20 +0000)]
Revert previous. It broke /etc/rc.

Prompted by kn@

6 years agofix uid -> username lookup
procter [Sat, 22 Sep 2018 02:18:19 +0000 (02:18 +0000)]
fix uid -> username lookup
ok deraadt@

6 years agoimprove logic involving acceptableAudit
tb [Sat, 22 Sep 2018 00:29:13 +0000 (00:29 +0000)]
improve logic involving acceptableAudit

6 years agoSwap order of "action" and "wt.Flags" in a few fmt.Printfs.
tb [Sat, 22 Sep 2018 00:14:37 +0000 (00:14 +0000)]
Swap order of "action" and "wt.Flags" in a few fmt.Printfs.

6 years agoIntroduce a couple of convenience targets to help with auditing the
tb [Sat, 22 Sep 2018 00:10:18 +0000 (00:10 +0000)]
Introduce a couple of convenience targets to help with auditing the
acceptable cases.

6 years agoPrint the flags field in INFO: and FAIL: messages. It's helpful in
tb [Fri, 21 Sep 2018 23:16:16 +0000 (23:16 +0000)]
Print the flags field in INFO: and FAIL: messages. It's helpful in
identifying the important failures while auditing.

6 years agosync host*() changes from pfctl
kn [Fri, 21 Sep 2018 20:45:50 +0000 (20:45 +0000)]
sync host*() changes from pfctl

This simplifies host() and merges host_v{4,6}() into host_ip() as recently
done for pfctl and ntpd.

Tested and OK denis, OK deraadt, "go ahead" benno

6 years agoUse password/group cache functions and avoid stashing a pointer to
millert [Fri, 21 Sep 2018 19:13:49 +0000 (19:13 +0000)]
Use password/group cache functions and avoid stashing a pointer to
the return value of getgrgid(3) or getgrnam(3) which relies on
undefined behavior.  The rdist server will now use getgroups(2) to
determine group membership of the invoking user.  In addition, there
is now one implementation of tilde expansion instead of two.
OK tb@ tim@

6 years agoUse password/group cache functions and avoid stashing a pointer to
millert [Fri, 21 Sep 2018 19:00:45 +0000 (19:00 +0000)]
Use password/group cache functions and avoid stashing a pointer to
the return value of getgrgid(3) or getgrnam(3) which relies on
undefined behavior.  The rdist server will now use getgroups(2) to
determine group membership of the invoking user.  In addition, there
is now one implementation of tilde expansion instead of two.
OK tb@ tim@

6 years agoStop displaying vfsconf reference counts so that the vfc_refcount field
visa [Fri, 21 Sep 2018 14:31:29 +0000 (14:31 +0000)]
Stop displaying vfsconf reference counts so that the vfc_refcount field
can be removed from struct mount.

As a result of this diff, arrays vfsname[] and vfsvars[] are indexed
by filesystem typenum. This makes the vfs_typenums[] array redundant.

OK bluhm@ mpi@

6 years agoIncrease /usr/local max size to 20 GB in default template
solene [Fri, 21 Sep 2018 14:07:34 +0000 (14:07 +0000)]
Increase /usr/local max size to 20 GB in default template
ok krw@ deraadt@ jca@

6 years agoAdd explanations about vmctl send command
solene [Fri, 21 Sep 2018 14:04:37 +0000 (14:04 +0000)]
Add explanations about vmctl send command

ok jmc@ jca@ mlarkin@
mdoc tip from bentley@

6 years agoAllow ssh_config ForwardX11Timeout=0 to disable the timeout and allow
djm [Fri, 21 Sep 2018 12:46:22 +0000 (12:46 +0000)]
Allow ssh_config ForwardX11Timeout=0 to disable the timeout and allow
X11 connections in untrusted mode indefinitely. ok dtucker@

6 years agoEnable bwfm(4) in GENERIC on macppc.
stsp [Fri, 21 Sep 2018 12:42:34 +0000 (12:42 +0000)]
Enable bwfm(4) in GENERIC on macppc.
Tested by Christian Hammerschmidt.

6 years agowhen compiled with GSSAPI support, cache supported method OIDs by
djm [Fri, 21 Sep 2018 12:23:17 +0000 (12:23 +0000)]
when compiled with GSSAPI support, cache supported method OIDs by
calling ssh_gssapi_prepare_supported_oids() regardless of whether
GSSAPI authentication is enabled in the main config.

This avoids sandbox violations for configurations that enable GSSAPI
auth later, e.g.

Match user djm
GSSAPIAuthentication yes

bz#2107; ok dtucker@

6 years agoIn sshkey_in_file(), ignore keys that are considered for being too
djm [Fri, 21 Sep 2018 12:20:12 +0000 (12:20 +0000)]
In sshkey_in_file(), ignore keys that are considered for being too
short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered to
be "in the file". This allows key revocation lists to contain short
keys without the entire revocation list being considered invalid.

bz#2897; ok dtucker

6 years agoBoth AS 23456 and AS 0 are reserved and can nor be used. Extend check for
claudio [Fri, 21 Sep 2018 08:17:15 +0000 (08:17 +0000)]
Both AS 23456 and AS 0 are reserved and can nor be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@

6 years ago6.5 firmware key
sthen [Fri, 21 Sep 2018 08:17:04 +0000 (08:17 +0000)]
6.5 firmware key

6 years agobetter yyerror messages. "syntax error" is generally not very helpful.
claudio [Fri, 21 Sep 2018 08:15:33 +0000 (08:15 +0000)]
better yyerror messages. "syntax error" is generally not very helpful.
OK denis@

6 years agoupdate rtwn;
jmc [Fri, 21 Sep 2018 06:06:56 +0000 (06:06 +0000)]
update rtwn;

6 years agoBasic testing of roa-sets.
claudio [Fri, 21 Sep 2018 05:14:07 +0000 (05:14 +0000)]
Basic testing of roa-sets.

6 years agoMove setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
claudio [Fri, 21 Sep 2018 05:13:35 +0000 (05:13 +0000)]
Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.

6 years agoAdd some more prefix-set test cases. Mainly to test edge cases in the RB
claudio [Fri, 21 Sep 2018 05:06:30 +0000 (05:06 +0000)]
Add some more prefix-set test cases. Mainly to test edge cases in the RB
tree implementation now used.

6 years agoImplement code to parse, print and reload roa-set tables.
claudio [Fri, 21 Sep 2018 04:55:27 +0000 (04:55 +0000)]
Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
  1.2.3.0/24 source-as 1,
  1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@

6 years agoTreat connections with ProxyJump specified the same as ones with a
djm [Fri, 21 Sep 2018 03:11:36 +0000 (03:11 +0000)]
Treat connections with ProxyJump specified the same as ones with a
ProxyCommand set with regards to hostname canonicalisation (i.e.
don't try to canonicalise the hostname unless CanonicalizeHostname
is set to 'always').

Patch from Sven Wegener via bz#2896

6 years agoU-Boot 2018.05 and later will attempt to load a dtb for PocketBeagle if
jsg [Fri, 21 Sep 2018 02:21:53 +0000 (02:21 +0000)]
U-Boot 2018.05 and later will attempt to load a dtb for PocketBeagle if
the hardware is detected.  Add this to the miniroot/ramdisk.
requires dtb 4.18

U-Boot 2018.09 and later will load a dtb for 'SanCloud BeagleBone
Enhanced' if required which will be in dtb 4.19 after linux 4.19 is
released and can be added then.

6 years agomention RTL8188EE support
jmatthew [Fri, 21 Sep 2018 02:14:37 +0000 (02:14 +0000)]
mention RTL8188EE support

6 years agoAdd support for RTL8188EE.
jmatthew [Fri, 21 Sep 2018 01:45:53 +0000 (01:45 +0000)]
Add support for RTL8188EE.

This needs a new firmware image, which should be added to the rtwn
firmware package shortly.

testing and lots of help from kevlo@
ok kevlo@ stsp@

6 years agoadd missing braces implied by indentation
jsg [Fri, 21 Sep 2018 01:33:55 +0000 (01:33 +0000)]
add missing braces implied by indentation
ok millert@ claudio@

6 years agoactually make CASignatureAlgorithms available as a config option
djm [Thu, 20 Sep 2018 23:40:16 +0000 (23:40 +0000)]
actually make CASignatureAlgorithms available as a config option

6 years agomerge unbound 1.8.0
sthen [Thu, 20 Sep 2018 23:15:39 +0000 (23:15 +0000)]
merge unbound 1.8.0

6 years agoimport unbound 1.8.0, tested by myself and benno@
sthen [Thu, 20 Sep 2018 23:14:36 +0000 (23:14 +0000)]
import unbound 1.8.0, tested by myself and benno@

6 years agoAs a step towards per inpcb or socket locks, remove the net lock
bluhm [Thu, 20 Sep 2018 18:59:10 +0000 (18:59 +0000)]
As a step towards per inpcb or socket locks, remove the net lock
for netstat -a.  Introduce a global mutex that protects the tables
and hashes for the internet PCBs.  To detect detached PCB, set its
inp_socket field to NULL.  This has to be protected by a per PCB
mutex.  The protocol pointer has to be protected by the mutex as
netstat uses it.
Always take the kernel lock in in_pcbnotifyall() and in6_pcbnotify()
before the table mutex to avoid lock ordering problems in the notify
functions.
OK visa@

6 years agomissing space after comma
tb [Thu, 20 Sep 2018 16:16:52 +0000 (16:16 +0000)]
missing space after comma

6 years agogrow alpha and hppa media to accomodate some recent growth
deraadt [Thu, 20 Sep 2018 15:19:36 +0000 (15:19 +0000)]
grow alpha and hppa media to accomodate some recent growth

6 years agovmm(4): Clear the guest MWAITX/MONITORX extended CPUID feature bit,
brynet [Thu, 20 Sep 2018 14:32:59 +0000 (14:32 +0000)]
vmm(4): Clear the guest MWAITX/MONITORX extended CPUID feature bit,
like we already do for MWAIT/MONITOR. Also match Intel here by not
exposing the SVM capability to AMD guests.

Allows Linux guests to boot in vmd(8) on Ryzen CPUs.

ok mlarkin@

6 years agoadd missing explanation about daemon_variables removed when disabling a pkg
solene [Thu, 20 Sep 2018 12:24:14 +0000 (12:24 +0000)]
add missing explanation about daemon_variables removed when disabling a pkg
script

ok aja@ jca@

6 years agoadd missing braces implied by indentation
jsg [Thu, 20 Sep 2018 12:23:13 +0000 (12:23 +0000)]
add missing braces implied by indentation
ok millert@

6 years agoadd missing braces implied by indentation
jsg [Thu, 20 Sep 2018 11:49:55 +0000 (11:49 +0000)]
add missing braces implied by indentation
ok millert@ mpi@

6 years agoAdjust unittests to the adjustments done to the as_set code.
claudio [Thu, 20 Sep 2018 11:47:50 +0000 (11:47 +0000)]
Adjust unittests to the adjustments done to the as_set code.
OK benno@

6 years agoas_set_match() changed again, so adjust it here too.
claudio [Thu, 20 Sep 2018 11:46:40 +0000 (11:46 +0000)]
as_set_match() changed again, so adjust it here too.
OK benno@

6 years agoSplit up as_set into a set_table and an as_set. The first is what does
claudio [Thu, 20 Sep 2018 11:45:59 +0000 (11:45 +0000)]
Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@

6 years agofix indentation
jsg [Thu, 20 Sep 2018 11:42:42 +0000 (11:42 +0000)]
fix indentation
ok krw@ millert@

6 years agoproperly handle credentials and fix auth in smtp(1)
eric [Thu, 20 Sep 2018 11:42:28 +0000 (11:42 +0000)]
properly handle credentials and fix auth in smtp(1)

ok gilles@

6 years agofix indentation
jsg [Thu, 20 Sep 2018 11:41:28 +0000 (11:41 +0000)]
fix indentation
ok krw@ millert@

6 years agowhitespace cleanup, ok claudio@
benno [Thu, 20 Sep 2018 11:06:04 +0000 (11:06 +0000)]
whitespace cleanup, ok claudio@

6 years agofix indentation
eric [Thu, 20 Sep 2018 10:22:14 +0000 (10:22 +0000)]
fix indentation

6 years agoImport updated moduli.
dtucker [Thu, 20 Sep 2018 08:07:03 +0000 (08:07 +0000)]
Import updated moduli.

6 years agoSort order changed because an RB tree is now used for prefixsets.
claudio [Thu, 20 Sep 2018 07:58:22 +0000 (07:58 +0000)]
Sort order changed because an RB tree is now used for prefixsets.

6 years agoSwitch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
claudio [Thu, 20 Sep 2018 07:46:39 +0000 (07:46 +0000)]
Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@

6 years agoFix the empty aspath segments check. seg_size is never 0, this needs to use
claudio [Thu, 20 Sep 2018 07:41:25 +0000 (07:41 +0000)]
Fix the empty aspath segments check. seg_size is never 0, this needs to use
seg_len instead. Since seg_len is known early move the check up.
Found while hunting for the other bug in aspath_verify.

6 years agoFix an out of bound read that could crash the RDE because it touched
claudio [Thu, 20 Sep 2018 07:37:06 +0000 (07:37 +0000)]
Fix an out of bound read that could crash the RDE because it touched
unallocated memory while looking for AS 0.
Found by and debugged with Aaron A. Glenn. Thanks a lot.

6 years agoreorder CASignatureAlgorithms, and add them to the various -o lists;
jmc [Thu, 20 Sep 2018 06:58:48 +0000 (06:58 +0000)]
reorder CASignatureAlgorithms, and add them to the various -o lists;
ok djm

6 years agofix "ssh -Q sig" to show correct signature algorithm list (it was
djm [Thu, 20 Sep 2018 03:31:49 +0000 (03:31 +0000)]
fix "ssh -Q sig" to show correct signature algorithm list (it was
erroneously showing certificate algorithms); prompted by markus@

6 years agoadd CASignatureAlgorithms option for the client, allowing it to specify
djm [Thu, 20 Sep 2018 03:30:44 +0000 (03:30 +0000)]
add CASignatureAlgorithms option for the client, allowing it to specify
which signature algorithms may be used by CAs when signing certificates.
Useful if you want to ban RSA/SHA1; ok markus@

6 years agoAdd sshd_config CASignatureAlgorithms option to allow control over
djm [Thu, 20 Sep 2018 03:28:06 +0000 (03:28 +0000)]
Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.

ok markus@

6 years agofix a memory leak in ihidev_hid_command()
jsg [Thu, 20 Sep 2018 01:19:56 +0000 (01:19 +0000)]
fix a memory leak in ihidev_hid_command()
ok claudio@

6 years agoIf getcwd() fails in dinit(), the stat buffer 'swd' is used
millert [Wed, 19 Sep 2018 18:55:33 +0000 (18:55 +0000)]
If getcwd() fails in dinit(), the stat buffer 'swd' is used
uninitialized by the else clause.  Since it is used in both clauses
we should perform the stat before the if().  However, fixing this
causes 'cp' to be unitialized in some case so initialize cp to NULL
and move the "cp == NULL" check out of the first if() clause now
that it can be true in either case.  OK miko@ deraadt@

6 years agoFix last commit, I made one of the changes to the wrong line.
millert [Wed, 19 Sep 2018 18:48:55 +0000 (18:48 +0000)]
Fix last commit, I made one of the changes to the wrong line.
Noticed by martijn@

6 years agoUpdate disklabel(8) man page with the new 5G minimum for /usr/obj.
bluhm [Wed, 19 Sep 2018 18:35:21 +0000 (18:35 +0000)]
Update disklabel(8) man page with the new 5G minimum for /usr/obj.
Remove Tn macro to make mandoc lint happy.
requested by jmc@

6 years agofix message to reflect "rmidi" is the expected string; ok ratchov@
miko [Wed, 19 Sep 2018 16:21:00 +0000 (16:21 +0000)]
fix message to reflect "rmidi" is the expected string; ok ratchov@

6 years agoCompare against NULL, not '\0' for pointers. Quiets a warning on
millert [Wed, 19 Sep 2018 15:14:35 +0000 (15:14 +0000)]
Compare against NULL, not '\0' for pointers.  Quiets a warning on
newer gcc.

6 years agosys/stat.h not needed here; ok ratchov@
miko [Wed, 19 Sep 2018 14:01:52 +0000 (14:01 +0000)]
sys/stat.h not needed here; ok ratchov@

6 years agoAlways call bridge_iflist `bif'.
mpi [Wed, 19 Sep 2018 13:17:21 +0000 (13:17 +0000)]
Always call bridge_iflist `bif'.

ok bluhm@, visa@

6 years agoWrap sending imsg to the RDE in a function and make sure that the ibuf
claudio [Wed, 19 Sep 2018 13:09:30 +0000 (13:09 +0000)]
Wrap sending imsg to the RDE in a function and make sure that the ibuf
to the RDE is valid. The SE is stopping all sessions on exit and so
session_stop() is called which will send an imsg to the RDE which is no
longer there. Instead of fixing just one call fix all. Now the SE should
no longer crash when the RDE crashes.
OK sthen@

6 years agoTry to turn this into an actual regress test.
krw [Wed, 19 Sep 2018 12:20:47 +0000 (12:20 +0000)]
Try to turn this into an actual regress test.

with & ok bluhm@

6 years agoDo not abort when the ca privenc runs into a timeout.
reyk [Wed, 19 Sep 2018 11:28:02 +0000 (11:28 +0000)]
Do not abort when the ca privenc runs into a timeout.

OK claudio@

6 years agoReport duplex state correctly for adapters with firmware interface versions
jmatthew [Wed, 19 Sep 2018 10:26:17 +0000 (10:26 +0000)]
Report duplex state correctly for adapters with firmware interface versions
older than 1.08.

tested by and ok ccardenas@

6 years agoFree edid_buf after use so to fix possible memory leak.
claudio [Wed, 19 Sep 2018 08:12:39 +0000 (08:12 +0000)]
Free edid_buf after use so to fix possible memory leak.
With and ok jsg@