openbsd
otto [Sat, 2 Dec 2017 07:35:46 +0000 (07:35 +0000)]
Add a caveat wrt use of non-decimal fractional notation; from kshe; ok jmc@

espie [Sat, 2 Dec 2017 00:52:47 +0000 (00:52 +0000)]
switching to _pbuild is tricky, you can't take it back.
in particular, disable future PORTS_PRIVSEP mechanisms under
pkg_create, because we should already be running as _pbuild
by this point.

guenther [Fri, 1 Dec 2017 23:30:05 +0000 (23:30 +0000)]
Redo the calculation of the alignment and placement of static TLS data to
correctly take into account the segment p_align.  Previously, anything
with a size belong the natural alignment or with alignment larger than
the natural one would either not be initialized correctly, be misaligned,
or result in the TIB being misaligned.

Problems reported by Charles Collicutt (charles (at) collicutt.co.uk)
ok kettenis@

patrick [Fri, 1 Dec 2017 20:19:05 +0000 (20:19 +0000)]
The RFC specifies that in an SA payload the proposals must be numbered
starting with number 1.  Subsequent proposals must be one more than the
previous proposal.

ok sthen@

patrick [Fri, 1 Dec 2017 19:49:31 +0000 (19:49 +0000)]
Turns out that, as specified in the RFC, the initial Child SA does not
do PFS and is assumed to be secured using the DH exchange in the first
handshake.  Thus there is no KE/N payload in the IKE_AUTH exchange and
we must not include a DH group other than None, which essentially means
we must not supply any DH transforms in the IKE_AUTH messages.  So now
we skip adding the DH transforms for initiating and responding to
IKE_AUTH messages.

ok sthen@

otto [Fri, 1 Dec 2017 19:04:15 +0000 (19:04 +0000)]
fix buglet in split_number() and optimize count_digits();
from kshe with a twist from myself; ok tb@

tb [Fri, 1 Dec 2017 18:19:30 +0000 (18:19 +0000)]
arm64 is now also a _syspatch_arch

stsp [Fri, 1 Dec 2017 18:13:48 +0000 (18:13 +0000)]
In the macppc installer, switch the default answer for the partition
table question from "HFS" to "MBR". Most people will want to run
OpenBSD exclusively on such machines these days.
ok kettenis@

kettenis [Fri, 1 Dec 2017 16:06:25 +0000 (16:06 +0000)]
Add quotes around the name of (unconfigured) devices like we do for other
iic(4) controllers.

ok jcs@

visa [Fri, 1 Dec 2017 14:42:23 +0000 (14:42 +0000)]
Avoid using an uninitialized variable.
Found by gcc.

OK jca@

bluhm [Fri, 1 Dec 2017 12:40:58 +0000 (12:40 +0000)]
Fix white spaces and shorten long line.

schwarze [Fri, 1 Dec 2017 11:18:40 +0000 (11:18 +0000)]
Consistently .Xr the corresponding wide char functions from char- and
string-handling <stdio.h> functions, like we already do it for <string.h>.
Includes a smaller patch from <kshe59 at zoho dot eu>, OK jmc@.

schwarze [Fri, 1 Dec 2017 10:56:07 +0000 (10:56 +0000)]
add missing argument name; from <kshe59 at zoho dot eu>; OK jmc@;
while here, consistently use .Fo to cure excessive line lengths

bluhm [Fri, 1 Dec 2017 10:33:33 +0000 (10:33 +0000)]
Simplify the reverse PCB lookup logic.  The PF_TAG_TRANSLATE_LOCALHOST
security check prevents that the user accidentally configures
redirect where a divert-to would be appropriate.  Instead of spreading
the logic into tcp and udp input, check the flag during PCB listen
lookup.  This also reduces parameters of in_pcblookup_listen().
OK visa@

jmc [Fri, 1 Dec 2017 09:40:33 +0000 (09:40 +0000)]
update currency exchange rates;

jmc [Fri, 1 Dec 2017 09:10:38 +0000 (09:10 +0000)]
remove deprecated linkX notation;
from lucas gabriel vuotto

otto [Fri, 1 Dec 2017 08:40:47 +0000 (08:40 +0000)]
and enable new test

otto [Fri, 1 Dec 2017 08:40:04 +0000 (08:40 +0000)]
extra tests for Z (upcoming implementation change)

visa [Thu, 30 Nov 2017 16:31:12 +0000 (16:31 +0000)]
Fix the IPL and flags of the MP-safe crypto taskq. Now a sane IPL
is passed to the mutex implementation, and the queue actually runs
without the kernel lock.

Tested by dhill@
OK mikeb@, dhill@, kettenis@

jmc [Thu, 30 Nov 2017 16:14:30 +0000 (16:14 +0000)]
add bgw;

visa [Thu, 30 Nov 2017 15:31:16 +0000 (15:31 +0000)]
Replace `coremask' with `numcores'.

visa [Thu, 30 Nov 2017 15:25:37 +0000 (15:25 +0000)]
Prefer `numcores' to `coremask'. The former is probably easier
to use than the latter.

nayden [Thu, 30 Nov 2017 15:24:50 +0000 (15:24 +0000)]
Fix typos in comments.
OK florian@

kettenis [Thu, 30 Nov 2017 15:06:35 +0000 (15:06 +0000)]
Add bgw(4) man page.

visa [Thu, 30 Nov 2017 15:03:03 +0000 (15:03 +0000)]
Fix variable expansion.

From Rafael Neves

kettenis [Thu, 30 Nov 2017 14:53:21 +0000 (14:53 +0000)]
Add bgw(4), a driver for a family of Bosch acceleration sensors.

ok deraadt@, mlarkin@

patrick [Thu, 30 Nov 2017 12:18:44 +0000 (12:18 +0000)]
Add support for rejecting IKE SA messages.  This means that we can reply
to IKE SA INIT messages with no proposal chosen, as we already do for
Child SAs.  For that the error "adding" is done in a new function shared
by both send error handlers.  We need two "send error" functions because
the init error is unencrypted, while all later ones are not.  Now we can
add more cases, like Child SA not found or that the DH group is not what
we expect.

Save the IKE SA INIT responses, even if it's an error message, so we can
retransmit it if the response is lost on the way back to the initiator
and he tries again.  This also helps mitigate DoS attacks as specified
in the RFC.  Only if it is indeed a new attempt, like after an INVALID
KE PAYLOAD response, we can drop the old SA so that iked(8) can attempt
to create a new SA.

ok sthen@

helg [Thu, 30 Nov 2017 11:29:03 +0000 (11:29 +0000)]
vn_open(9) does not pass the open(2) flags to VOP_CREATE(9) so we can't
support FBT_CREATE. Fall back to FBT_MKNOD + FBT_OPEN so that a valid
sequence of FUSE messages is sent to the file system when creating files.

input from mpi@, otto@

bentley [Thu, 30 Nov 2017 11:10:07 +0000 (11:10 +0000)]
Default unknowns to application/octet-stream instead of x-not-regular-file.

This makes more sense and matches what the latest "other" file(1) now does.

ok nicm@

jmc [Thu, 30 Nov 2017 07:41:01 +0000 (07:41 +0000)]
use the same macro consistently for the various carp balancing modes;

jmc [Thu, 30 Nov 2017 07:37:13 +0000 (07:37 +0000)]
no more arp mode for carp; from martin rettberg

ccardenas [Thu, 30 Nov 2017 01:28:27 +0000 (01:28 +0000)]
When performing vmctl reload and a previously configured vm is running,
exit with an EALREADY vs EPERM.

ok mlarkin@

guenther [Thu, 30 Nov 2017 00:36:10 +0000 (00:36 +0000)]
__MAP_NOFAULT doesn't make sense with anon mappings, so return EINVAL if
that is attempted.
Minor cleanups:
 - Eliminate some always false and always true tests against MAP_ANON
 - We treat anon mappings with neither MAP_{SHARED,PRIVATE} as MAP_PRIVATE
   so explicitly indicate that

ok kettenis@ beck@

guenther [Thu, 30 Nov 2017 00:21:42 +0000 (00:21 +0000)]
Per https://patchwork.kernel.org/patch/5838821/, the documented check of ACPI
mwait info against CPUID is wrong; loosen the test per Intel's suggestion.
While here, fix the wrapping of dmesg lines when reporting bogus C-state
info.

ok mlarkin@ kettenis@ (who pointed out the email from Intel)

beck [Thu, 30 Nov 2017 00:01:50 +0000 (00:01 +0000)]
Add regress to ensure that execve bypasses pledgepath checks (for now)

guenther [Wed, 29 Nov 2017 23:47:18 +0000 (23:47 +0000)]
Mixing -url with any of -host, -port, or -path should be a usage error
instead of trying to work and then triggering a double-free().

problem noted by trondd (trondd (at) kagu-tsuchi.com)
ok beck@

kettenis [Wed, 29 Nov 2017 22:51:01 +0000 (22:51 +0000)]
Add support for GPIO-signaled events.

ok mlarkin@

mlarkin [Wed, 29 Nov 2017 22:08:40 +0000 (22:08 +0000)]
vmd(8): fix broken IRR bit setting for the slave PIC. Noticed by claudio
when he tried to make a vm with 4 network interfaces.

ok claudio

jmc [Wed, 29 Nov 2017 21:17:51 +0000 (21:17 +0000)]
fix double dot;

jmc [Wed, 29 Nov 2017 21:15:45 +0000 (21:15 +0000)]
add -i to SYNOPSIS/usage() and sundry tweaks;
ok beck

schwarze [Wed, 29 Nov 2017 20:04:36 +0000 (20:04 +0000)]
Recognize .Bl -column at parse time, and not only at validation time,
even if other arguments precede -column.  This is required because
the .It parser needs to know whether or not we are a -column list.
Fixes tree corruption leading to an assertion failure.
Bug reported by bentley@.

claudio [Wed, 29 Nov 2017 19:40:47 +0000 (19:40 +0000)]
Insert MPLS VPN routes with the RTF_GATEWAY flag cleared. mpe(4) is now
expecting this and will use the route gateway and the mpls label to forward
packets. This plus the other diffs to if_mpe.c and route.c should fix
L3 MPLS VPNs. Problem reported by henning@

claudio [Wed, 29 Nov 2017 19:36:03 +0000 (19:36 +0000)]
Make mpe(4) work again by:
- Change the way mpe figures out the IP of the MPLS nexthop. Instead of using
RTF_GATEWAY and so a valid (and cachable) gateway route just use the
gateway IP address of the route (rt->rt_gateway).
- Make sure the interface is up when adding a mplslabel. The inserted route
is in rtable 0 and so invisible for the link state tracker. Forcing the if_up
ensures that the added route is RTF_UP.
OK mpi@

claudio [Wed, 29 Nov 2017 19:15:48 +0000 (19:15 +0000)]
Revert 1.353, this breaks mpe(4). Also it seems not complete since rt_ifa_del
still had this hack in. This needs to be revisited and better understood.
It may be needed to add a mplsrdomain to mpe(4) but MPLS only in the rtable 0
is hardcoded in more places and we should fix them all.
OK mpi@

otto [Wed, 29 Nov 2017 19:13:31 +0000 (19:13 +0000)]
fold bsqrt_stop into bsqrt; from kshe; ok tom@

otto [Wed, 29 Nov 2017 19:12:48 +0000 (19:12 +0000)]
simplify print_ascii; from kshe; ok tom@

beck [Wed, 29 Nov 2017 16:55:08 +0000 (16:55 +0000)]
Don't do OCSP stapling only if the staple file is 0 length.

This allows something external (like ocspcheck) to disable the stapling
deliberately if it can not retrieve a valid staple by truncating the
staple file to indicate "do not provide a staple", while the file not
existing will still be treated as a configuration error
ok claudio@ florian@, and prompted by @jsing

guenther [Wed, 29 Nov 2017 15:53:44 +0000 (15:53 +0000)]
fcntl(F_GETOWN) doesn't have an argument, so don't display it.  While
here, make it easier to extend the set of such fcntl() commands

ok deraadt@

benno [Wed, 29 Nov 2017 15:24:50 +0000 (15:24 +0000)]
add options to specify the control socket in relayd and relayctl.
From Kapetanakis Giannis, thanks.
ok claudio@

kettenis [Wed, 29 Nov 2017 15:22:22 +0000 (15:22 +0000)]
Revise OperatingRegion code to make it extensible and have chvgpio(4)
provide the OEM defined regions that are used by the AML on some
Cherryview-based machines.

ok mlarkin@

visa [Wed, 29 Nov 2017 15:12:52 +0000 (15:12 +0000)]
Show line number correctly in synthetic mutex names.

OK jca@

otto [Wed, 29 Nov 2017 15:06:31 +0000 (15:06 +0000)]
zap untrue comment (since bcode.c 1.43)

otto [Wed, 29 Nov 2017 14:34:17 +0000 (14:34 +0000)]
Pledge can be done earlier; from kshe

otto [Wed, 29 Nov 2017 14:31:50 +0000 (14:31 +0000)]
fix decl of main

bluhm [Wed, 29 Nov 2017 13:37:08 +0000 (13:37 +0000)]
Test invalid divert combinations and adapt error messages.

anton [Wed, 29 Nov 2017 07:28:21 +0000 (07:28 +0000)]
missing Sx; ok jmc@

deraadt [Wed, 29 Nov 2017 05:58:22 +0000 (05:58 +0000)]
sync

dtucker [Wed, 29 Nov 2017 05:49:54 +0000 (05:49 +0000)]
Import updated moduli.

guenther [Wed, 29 Nov 2017 05:13:57 +0000 (05:13 +0000)]
clang doesn't propagate attributes like "asm labels" and "visibility(hidden)"
to builtins like mem{set,cpy,move} and __stack_smash_handler.  So, when
building with clang, instead mark those as protected visibility to get rid
of the PLT relocations.  We can't take the address of them then, but that's
ok: it's a build-time error not a run-time error.

ok kettenis@

dlg [Wed, 29 Nov 2017 05:09:59 +0000 (05:09 +0000)]
turns out you don't have to configure a vsi as the default in a veb.

what a waste of two days.

dlg [Wed, 29 Nov 2017 05:00:40 +0000 (05:00 +0000)]
regen

dlg [Wed, 29 Nov 2017 05:00:16 +0000 (05:00 +0000)]
add some mellanox parts

dlg [Wed, 29 Nov 2017 03:59:34 +0000 (03:59 +0000)]
fix this on sparc64 (or maybe gcc)

ok jmatthew@ guenther@ kettenis@

dlg [Wed, 29 Nov 2017 03:38:03 +0000 (03:38 +0000)]
let this build on sparc64 again.

mlarkin [Wed, 29 Nov 2017 02:56:21 +0000 (02:56 +0000)]
vmm(4): Add the ukvm/Solo5 hypercall I/O ports to the list of ports to be
passed through to userspace. When not using ukvm, if a guest does I/O to
these ports, vmd(8) will just discard the I/O.

Thanks to Adam Steen for helping test these past few diffs, in order
to get ukvm working on vmm(4).

jcs [Wed, 29 Nov 2017 02:48:16 +0000 (02:48 +0000)]
add an adaptive polling mode when no interrupt handler is available,
such as on PCI dwiic(4) devices.

this is a temporary workaround until the underlying interrupt
problem is fixed.

tested by various

mlarkin [Wed, 29 Nov 2017 02:46:10 +0000 (02:46 +0000)]
make vmm(4) less responsible for initial register state, preferring to let
usermode daemons handle that.

ok pd@

claudio [Wed, 29 Nov 2017 01:25:11 +0000 (01:25 +0000)]
Print_host is used mainly in printf style functions. So do not return NULL
instead return "unknown".
OK beck@

mlarkin [Wed, 29 Nov 2017 00:38:01 +0000 (00:38 +0000)]
Add a bunch of DPRINTFs in failure paths, fix some whitespace and some
misspelled words.

mlarkin [Wed, 29 Nov 2017 00:32:52 +0000 (00:32 +0000)]
add some comments. no functional change

sashan [Wed, 29 Nov 2017 00:24:32 +0000 (00:24 +0000)]
- regression tests for 'load anchor ... from ...'
  the test case itself comes from Leonardo Guardati

mlarkin [Wed, 29 Nov 2017 00:15:34 +0000 (00:15 +0000)]
Document NAT and DNS forwarding rules for vmd(8)

discussed at length with benno, beck, deraadt, and florian

mlarkin [Tue, 28 Nov 2017 23:58:30 +0000 (23:58 +0000)]
fix some spelling errors in a few comments

dlg [Tue, 28 Nov 2017 23:54:04 +0000 (23:54 +0000)]
refer to ixl as "Intel Ethernet 700 Series"

calling it intel 40g is less correct because the same driver is used for
10g and 25g parts as well.

dlg [Tue, 28 Nov 2017 23:47:25 +0000 (23:47 +0000)]
remove the #if 0ed out ixl_add_veb now that cvs has backed it up

I'm pretty sure we don't need it if we're just using the chip as a
single ethernet port.

dlg [Tue, 28 Nov 2017 23:40:52 +0000 (23:40 +0000)]
add missing $OpenBSD$ tag

dlg [Tue, 28 Nov 2017 23:39:39 +0000 (23:39 +0000)]
add ixl(4) for the "Intel Ethernet 700 Series"

this doesn't work yet, but it very recently got too big to hack on
without cvs to help me manage further changes to it.

ok deraadt@

beck [Tue, 28 Nov 2017 23:32:00 +0000 (23:32 +0000)]
Add option -i to allow ocspcheck to be used to validate an on-disk staple
ok claudio@ benno@

dtucker [Tue, 28 Nov 2017 21:10:22 +0000 (21:10 +0000)]
Have sftp print a warning about shell cleanliness when decoding the first
packet fails, which is usually caused by shells polluting stdout of
non-interactive startups.  bz#2800, ok markus@ deraadt@.

schwarze [Tue, 28 Nov 2017 20:26:03 +0000 (20:26 +0000)]
duplicate word, found by igor(1)

kettenis [Tue, 28 Nov 2017 18:57:02 +0000 (18:57 +0000)]
Add a member to be used by __cxa_thread_atexit().  Remove padding which would
now misalign things.

ok guenther@

claudio [Tue, 28 Nov 2017 18:25:53 +0000 (18:25 +0000)]
One less lie in comments

schwarze [Tue, 28 Nov 2017 18:10:59 +0000 (18:10 +0000)]
Add the missing STANDARDS section (kettenis@ noticed that these are
POSIX functions) and turn the weird DIAGNOSTICS section into a normal
RETURN VALUES section while here.

otto [Tue, 28 Nov 2017 17:43:45 +0000 (17:43 +0000)]
zap newline in warn(); from kshe

kettenis [Tue, 28 Nov 2017 17:19:47 +0000 (17:19 +0000)]
Implement a DL_REFERENCE dlctl.  To be used by the upcoming
__cxa_thread_atexit() implementation.

ok guenther@

jsing [Tue, 28 Nov 2017 16:59:10 +0000 (16:59 +0000)]
Allow TLS ciphers and protocols to be specified for nc(1).

Replace the "tlscompat" and "tlsall" options with "cipher" and "protocol"
options that are key/value pairs. This allows the user to specify ciphers
and protocols in a form that are accepted by tls_config_set_ciphers() and
tls_config_set_protocols() respectively.

ok beck@

(also ok jmc@ for a previous revision of the man page).

jsing [Tue, 28 Nov 2017 16:51:21 +0000 (16:51 +0000)]
Rewrite ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.

This removes the last remaining use of the old M_ASN1_* macros (asn1_mac.h)
from API that needs to continue to exist.

ok beck@ inoguchi@

jsing [Tue, 28 Nov 2017 16:47:55 +0000 (16:47 +0000)]
Add regress coverage for ASN1_TYPE_{get,set}_int_octetstring()

jsing [Tue, 28 Nov 2017 16:46:14 +0000 (16:46 +0000)]
Correct TLS extensions handling when no extensions are present.

If no TLS extensions are present in a client hello or server hello, omit
the entire extensions block, rather than including it with a length of
zero.

ok beck@ inoguchi@

jsing [Tue, 28 Nov 2017 16:40:21 +0000 (16:40 +0000)]
Add regress test coverage for building clienthello and serverhello
extensions, both with extensions being present and not present. The not
present case currently fails.

jsing [Tue, 28 Nov 2017 16:35:05 +0000 (16:35 +0000)]
Add regress for CBB_discard_child().

Converted from BoringSSL.

jsing [Tue, 28 Nov 2017 16:34:20 +0000 (16:34 +0000)]
Add CBB_discard_child(), which allows for a child CBB to be discarded.

Based on BoringSSL.

kettenis [Tue, 28 Nov 2017 16:29:56 +0000 (16:29 +0000)]
Silence the "Unclaimed register before interrupt" errors.  While these do
indicate a bug somewhere, it is unlikely to be in the OpenBSD glue code.
There are reports that these go away in newer Linux code anyway.

Stops claudio@ from whining.

visa [Tue, 28 Nov 2017 16:22:27 +0000 (16:22 +0000)]
Raise the IPL of the sbar taskq to avoid lock order issues
with the kernel lock.

Fixes a deadlock seen by Hrvoje Popovski and dhill@.
OK mpi@, dhill@

bluhm [Tue, 28 Nov 2017 16:05:46 +0000 (16:05 +0000)]
The divert structure was using the port number to indicate that
divert-to or divert-reply was active.  If the address was also set,
it meant divert-to.  Divert packet used a separate structure.  This
is confusing and makes it hard to add new features.  It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@

guenther [Tue, 28 Nov 2017 16:05:13 +0000 (16:05 +0000)]
fktrace(2) has been removed

guenther [Tue, 28 Nov 2017 15:35:02 +0000 (15:35 +0000)]
Need to remove fktrace here too
Noted by Andreas Kusalananda Kähäri (andreas.kahari(at)icm.uu.se)

mpi [Tue, 28 Nov 2017 15:32:51 +0000 (15:32 +0000)]
Fix mbuf leak when an interface is destroyed while forwarding IPv6
packets.

Found by Hrvoje Popovski.

ok visa@, bluhm@

mlarkin [Tue, 28 Nov 2017 15:06:08 +0000 (15:06 +0000)]
fix some clang warnings when building with VMM_DEBUG. Matches a previous
commit to the amd64 version of this file

mlarkin [Tue, 28 Nov 2017 14:51:34 +0000 (14:51 +0000)]
better handling for invalid instruction lengths.

equivalent amd64 version (already committed) was ok beck@, ccardenas@