job [Wed, 2 Nov 2022 12:56:38 +0000 (12:56 +0000)]
Add regress for Signed TAL (.tak) files
job [Wed, 2 Nov 2022 12:46:49 +0000 (12:46 +0000)]
Reference RSC RFC-to-be instead of internet-draft
job [Wed, 2 Nov 2022 12:43:02 +0000 (12:43 +0000)]
Add support for draft-ietf-sidrops-signed-tal-12
Add support for validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.
OK tb@
claudio [Wed, 2 Nov 2022 11:44:19 +0000 (11:44 +0000)]
Don't free the addrinfo array after connect and refactor http_finish_connect.
In http_connect_done() the addrinfo array was freed but this makes it
impossible to show the IP address of the connection in log messages.
Also refactor http_finish_connect() to call http_connect_failed() instead
of doing the same inline.
OK tb@
tb [Wed, 2 Nov 2022 11:28:36 +0000 (11:28 +0000)]
Length check URI before strncasecmp()
A priori URI is not NUL terminated, so we should first check it is long
enough before comparing it against proto. As a side effect, this now
rejects "https://" and "rsync://", which are invalid due to the missing
host in the authority section.
ok claudio
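The ordering this commit describes, as an added example that is not rpki-client's own code: the length of a non-NUL-terminated buffer is checked before strncasecmp() may read up to the protocol length, and using "<=" also rejects a bare scheme with no host. The names `uri_has_proto` and `check_exact` are hypothetical and the sample inputs are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/*
 * Hypothetical helper for illustration. uri points at usz bytes with NO
 * terminating NUL (for example the contents of an ASN.1 string).
 * Returns 1 if it starts with proto and has at least one byte after it.
 */
int
uri_has_proto(const char *uri, size_t usz, const char *proto)
{
	size_t i, psz = strlen(proto);

	/* Only printable, non-space ASCII; this also rejects embedded NULs. */
	for (i = 0; i < usz; i++)
		if (!isalnum((unsigned char)uri[i]) &&
		    !ispunct((unsigned char)uri[i]))
			return 0;

	/*
	 * Length check BEFORE the comparison: strncasecmp() may read up to
	 * psz bytes, so a shorter buffer would be read past its end.
	 * "<=" rather than "<" also rejects a bare "https://" or "rsync://".
	 */
	if (usz <= psz)
		return 0;
	return strncasecmp(uri, proto, psz) == 0;
}

/*
 * Copy exactly n bytes of s into a heap buffer without a NUL, so that any
 * over-read would be visible to ASan or valgrind, then run the check.
 */
int
check_exact(const char *s, size_t n, const char *proto)
{
	char *buf;
	int rv;

	if ((buf = malloc(n ? n : 1)) == NULL)
		return -1;
	memcpy(buf, s, n);
	rv = uri_has_proto(buf, n, proto);
	free(buf);
	return rv;
}

int
main(void)
{
	/* constructed sample inputs */
	const char *ok = "rsync://rpki.example.org/repo";

	printf("full URI:      %d\n", check_exact(ok, strlen(ok), "rsync://"));
	printf("bare scheme:   %d\n", check_exact("https://", 8, "https://"));
	printf("short buffer:  %d\n", check_exact("https", 5, "https://"));
	printf("embedded NUL:  %d\n", check_exact("https://a\0b", 11, "https://"));
	return 0;
}
```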
job [Wed, 2 Nov 2022 10:41:43 +0000 (10:41 +0000)]
Also print IP address of the connection that timed out to aid debugging
OK claudio@
kn [Wed, 2 Nov 2022 10:41:34 +0000 (10:41 +0000)]
Remove audio(9) speaker_ctl(), let open() handle speakers where needed
Only five legacy half-duplex hardware drivers require this function to
change between playing and recording:
i386: ess(4), gus(4), pas(4), sb(4)
luna88k: nec86(4)
If defined, it is always called early in audio_open(), so just move the
call from audio(4) to each hardware driver's open() handler.
SPKR_ON/OFF remain defined to leave driver-specific code unchanged.
Further cleanup (unchecked speaker_ctl() return values,
FWRITE -> AUMODE_PLAY -> SPKR_ON dances, etc.) can happen later.
Builds fine on i386.
OK ratchov
tb [Wed, 2 Nov 2022 10:04:41 +0000 (10:04 +0000)]
Fix x509_get_time() error checks
Like most x509_* functions, x509_get_time() returns 0/1 on error/success,
not -1/0.
ok claudio job
nicm [Wed, 2 Nov 2022 07:36:07 +0000 (07:36 +0000)]
Instead of always setting the extended flag, set it only when searching.
Allows send-keys to work. From Aaron Jensen.
guenther [Wed, 2 Nov 2022 07:20:07 +0000 (07:20 +0000)]
Clean up more ancient history: since 2015 the libc stubs for
fork/vfork/__tfork haven't cared about the second return register.
So, stop setting retval[1] in kern_fork.c and stop setting the
second return register in the MD child_return() routines.
With the above, we have no multi-register return values on LP64,
so stop touching that register in the trapframe on those archs.
testing miod@ and aoyama@
ok miod@
tb [Tue, 1 Nov 2022 20:26:20 +0000 (20:26 +0000)]
Do not neuter __attribute__ with __STRICT_ANSI__
This broke readline support in newer Pythons and generally seems a
bad idea. Upstream have removed this conditional in 5.0.
ok millert
espie [Tue, 1 Nov 2022 17:41:19 +0000 (17:41 +0000)]
Have -S actually behave like the other introspection options, namely only
eschew building the package if -n is mentioned.
Document that -S -n is heavily optimized for speed since it's mostly used
by dpb -R to figure out what to rebuild.
espie [Tue, 1 Nov 2022 17:25:33 +0000 (17:25 +0000)]
fix a logic error from 2018: be silent if any of -S, -n, -q are mentioned.
The actual bug reverted in 1.128 was from "make print-plist-libs"
which would invoke pkg_create -n -Q and filter out the libs: but
in that case, pkg_create would not be silent, thus yielding
reading plist|-/usr/local/lib/libpython3.9.so.0.0
to filter, which obviously wouldn't work.
So, turn on silent mode for -Q as well.
kettenis [Tue, 1 Nov 2022 13:59:00 +0000 (13:59 +0000)]
Use todr_attach().
ok phessler@
claudio [Tue, 1 Nov 2022 13:35:09 +0000 (13:35 +0000)]
Use unsigned long long to store integer value. At least that can always
be printed with %llu unlike uint64_t.
martijn [Tue, 1 Nov 2022 13:34:44 +0000 (13:34 +0000)]
On endOfMibView reset OID back to the original requested OID as per RFC3416
section 4.2.2, instead of returning the (internal) current OID, which could
happen on empty tables.
Found and diff tested by Ryan Freeman (ryan <at> slipgate <dot> org)
OK sthen@
kn [Tue, 1 Nov 2022 11:18:06 +0000 (11:18 +0000)]
Only load the SOII key if IPv6 is available
Possible now that IP6KERNEL is hoisted.
This also improves readability and zaps double negation logic.
espie [Tue, 1 Nov 2022 10:50:05 +0000 (10:50 +0000)]
I plain forgot to document -S !
kn [Tue, 1 Nov 2022 10:45:53 +0000 (10:45 +0000)]
Do not wait for DAD completion in dry-run mode
1. only do so when running without -n
2. move code to own wait_dad() helper like wait_autoconf_default() has it
3. use local _count as usual in both functions rather than the global count
Feedback OK claudio
nicm [Tue, 1 Nov 2022 09:54:13 +0000 (09:54 +0000)]
Add modified Tab key sequences, from Aaron Jensen, GitHub issue 3368.
nicm [Tue, 1 Nov 2022 09:46:14 +0000 (09:46 +0000)]
Use active pane in target window not current window for +/-. GitHub
issue 3370.
cheloha [Tue, 1 Nov 2022 01:01:14 +0000 (01:01 +0000)]
vmm(4): vcpu_reset_regs_svm: allow reads of MSR_HWCR, MSR_PSTATEDEF(0)
Guests may need these MSRs to determine the TSC frequency on AMD
families 17h and 19h.
GP fault reported by weerd@, observed on "AMD EPYC 3201 8-Core Processor"
(17-01-02). Same issue observed by Jesper Wallin on "AMD Ryzen PRO 3700U".
Tested by Jesper Wallin.
Link: https://marc.info/?l=openbsd-bugs&m=166721628323483&w=2
ok mlarkin@
kn [Mon, 31 Oct 2022 20:14:45 +0000 (20:14 +0000)]
Hoist only the feature check
Keep adding IPv6 routes after lo0 got an address like before, meant to be
committed together with r1.223.
kn [Mon, 31 Oct 2022 19:48:50 +0000 (19:48 +0000)]
Fix comment: IPv6 link local addresses do not use SOII anymore
sys/netinet6/in6_ifattach.c r1.114 limited it to SLAAC addresses in 2019.
kn [Mon, 31 Oct 2022 19:25:16 +0000 (19:25 +0000)]
Improve shell style wrt. variable naming/boolean convention
The mixed use of upper and lower case variables is neither obvious nor
consistent.
PRINT_ONLY is local to netstart.
ip6kernel is local to netstart.
multicast gets sourced from rc.subr(8).
1. uppercase ip6kernel as is common for global variables in base scripts
2. use the simpler true/false idiom and default with the rest of
netstart-only variables, making it clearer that only `multicast=YES/NO'
comes from the rc environment
3. hoist kernel feature detection such that a later diff can load the SOII
key conditionally
4. zap obvious comment
OK aja
claudio [Mon, 31 Oct 2022 18:34:11 +0000 (18:34 +0000)]
Add an integration test that checks if the pftable feature works.
claudio [Mon, 31 Oct 2022 18:31:36 +0000 (18:31 +0000)]
Make CLEANFILES patterns not match anything that may live outside of obj.
Running make clean without obj should not remove any non-temp files
like *.conf.
jca [Mon, 31 Oct 2022 17:44:21 +0000 (17:44 +0000)]
The cad(4) ethernet controller works well on the Hifive Unmatched
From Miguel Landaeta
millert [Mon, 31 Oct 2022 15:35:11 +0000 (15:35 +0000)]
Update to 2022fgtz from https://github.com/JodaOrg/global-tz
Major changes:
o Mexico will no longer observe DST except near the US border.
o Chihuahua moves to year-round -06 on 2022-10-30.
o Fiji no longer observes DST.
dv [Mon, 31 Oct 2022 14:02:11 +0000 (14:02 +0000)]
vmd(8): remove unfinished user accounting.
User accounting and enforcement was never finished. tedu the thing
until someone wants to pick it up and finish it.
Originally found by Matthew Martin.
ok mlarkin@, kn@. input from tb@.
visa [Mon, 31 Oct 2022 13:59:10 +0000 (13:59 +0000)]
mips64: Raise SPL for hardclock()
This lets the MI clock interrupt code see the correct SPL.
The full splx() is skipped because the updating of the hardware interrupt
masks should not be needed here.
Prompted by and OK cheloha@
mpi [Mon, 31 Oct 2022 10:46:24 +0000 (10:46 +0000)]
Fix VMMAP_DEBUG code to compile with not-so-recent changes.
If enabled the debug code currently panics the kernel. To investigate.
guenther [Mon, 31 Oct 2022 03:20:41 +0000 (03:20 +0000)]
style: 'The function type should be on a line by itself preceding the function.'
dtucker [Sun, 30 Oct 2022 18:42:07 +0000 (18:42 +0000)]
Use variable for diff options instead of unconditionally specifying "-rN".
This will make life easier in -portable where not all diffs understand -N.
guenther [Sun, 30 Oct 2022 17:43:39 +0000 (17:43 +0000)]
Simplify setregs() by passing it the ps_strings and switching
sys_execve() to return EJUSTRETURN.
setregs() is the MD routine used by sys_execve() to set up the
thread's trapframe and PCB such that, on 'return' to userspace, it
has the register values defined by the ABI and otherwise zero. It
had to set the syscall retval[] values previously because the normal
syscall return path overwrites a couple registers with the retval[]
values. By instead returning EJUSTRETURN that and some complexity
with program-counter handling on m88k and sparc64 goes away.
Also, give setregs() a 'struct ps_strings *arginfo' argument
so powerpc, powerpc64, and sh can directly get argc/argv/envp
values for registers instead of copyin()ing the one in userspace.
Improvements from miod@ and millert@
Testing assistance miod@, kettenis@, and aoyama@
ok miod@ kettenis@
patrick [Sun, 30 Oct 2022 15:34:54 +0000 (15:34 +0000)]
On the Lenovo X13s attaching to the multiport USB controller leads to hard
resets. Previously this was only seen with smmu(4) enabled, probably as
there is no IORT reference to that controller and hence no IOMMU mapping
established. Since recent BIOS updates, this now also happens without
smmu(4) enabled. Let's skip this node for now to keep machines running.
Prompted by deraadt@
ok phessler@
kn [Sun, 30 Oct 2022 13:27:15 +0000 (13:27 +0000)]
The previous commit message ought to say this:
---
Fix sparc64 build
cc1: warnings being treated as errors
.../constraints.c: In function 'test_constraints1':
.../constraints.c:451: warning: ISO C90 forbids mixed declarations and code
Fix RCS ID while here.
kn [Sun, 30 Oct 2022 13:23:49 +0000 (13:23 +0000)]
/* $OpenBSD: $ */
/*
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/safestack.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#include "x509_internal.h"

/* Report a test failure with its source location on stderr. */
#define FAIL(msg, ...)							\
do {									\
	fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__);		\
	fprintf(stderr, msg, ##__VA_ARGS__);				\
} while(0)

unsigned char *valid_hostnames[] = {
"openbsd.org",
"op3nbsd.org",
"org",
"3openbsd.com",
"3-0penb-d.c-m",
"a",
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"open_bsd.org", /* because this is liberal */
NULL,
};
unsigned char *valid_sandns_names[] = {
"*.ca",
"*.op3nbsd.org",
"c*.openbsd.org",
"foo.*.d*.c*.openbsd.org",
NULL,
};
unsigned char *valid_domain_constraints[] = {
"",
".ca",
".op3nbsd.org",
".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"www.openbsd.org",
NULL,
};
unsigned char *valid_mbox_names[] = {
"\"!#$%&\\\"*+-/=?\002^_`{|}~.\"@openbsd.org",
"beck@openbsd.org",
"beck@openbsd.org",
"beck@op3nbsd.org",
"beck@org",
"beck@3openbsd.com",
"beck@3-0penb-d.c-m",
"bec@a",
"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"beck@open_bsd.org", /* because this is liberal */
NULL,
};
unsigned char *invalid_hostnames[] = {
"openbsd.org.",
"openbsd..org",
"openbsd.org-",
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
"-p3nbsd.org",
"openbs-.org",
"openbsd\n.org",
"open\178bsd.org",
"open\255bsd.org",
"*.openbsd.org",
NULL,
};
unsigned char *invalid_sandns_names[] = {
"",
".",
"*.a",
"*.",
"*.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
"*.-p3nbsd.org",
"*.*..openbsd.org",
"*..openbsd.org",
".openbsd.org",
"c*c.openbsd.org",
NULL,
};
unsigned char *invalid_mbox_names[] = {
"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
"beck@.-openbsd.org",
"beck@.openbsd.org.",
"beck@.a",
"beck@.",
"beck@",
"beck@.ca",
"@openbsd.org",
NULL,
};
unsigned char *invalid_domain_constraints[] = {
".",
".a",
"..",
".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
".-p3nbsd.org",
"..openbsd.org",
NULL,
};
unsigned char *invaliduri[] = {
"https://-www.openbsd.org",
"https://.www.openbsd.org/",
"https://www.ope|nbsd.org%",
"https://www.openbsd.org.#",
"///",
"//",
"/",
"",
NULL,
};

static int
test_valid_hostnames(void)
{
	int i, failure = 0;

	for (i = 0; valid_hostnames[i] != NULL; i++) {
		if (!x509_constraints_valid_host(valid_hostnames[i],
		    strlen(valid_hostnames[i]))) {
			FAIL("Valid hostname '%s' rejected\n",
			    valid_hostnames[i]);
			failure = 1;
			goto done;
		}
		if (!x509_constraints_valid_sandns(valid_hostnames[i],
		    strlen(valid_hostnames[i]))) {
			FAIL("Valid sandns '%s' rejected\n",
			    valid_hostnames[i]);
			failure = 1;
			goto done;
		}
	}
 done:
	return failure;
}

static int
test_valid_sandns_names(void)
{
	int i, failure = 0;

	for (i = 0; valid_sandns_names[i] != NULL; i++) {
		if (!x509_constraints_valid_sandns(valid_sandns_names[i],
		    strlen(valid_sandns_names[i]))) {
			FAIL("Valid dnsname '%s' rejected\n",
			    valid_sandns_names[i]);
			failure = 1;
			goto done;
		}
	}
 done:
	return failure;
}

static int
test_valid_domain_constraints(void)
{
	int i, failure = 0;

	for (i = 0; valid_domain_constraints[i] != NULL; i++) {
		if (!x509_constraints_valid_domain_constraint(valid_domain_constraints[i],
		    strlen(valid_domain_constraints[i]))) {
			FAIL("Valid dnsname '%s' rejected\n",
			    valid_domain_constraints[i]);
			failure = 1;
			goto done;
		}
	}
 done:
	return failure;
}

static int
test_valid_mbox_names(void)
{
	struct x509_constraints_name name = {0};
	int i, failure = 0;

	for (i = 0; valid_mbox_names[i] != NULL; i++) {
		if (!x509_constraints_parse_mailbox(valid_mbox_names[i],
		    strlen(valid_mbox_names[i]), &name)) {
			FAIL("Valid mailbox name '%s' rejected\n",
			    valid_mbox_names[i]);
			failure = 1;
			goto done;
		}
		free(name.name);
		name.name = NULL;
		free(name.local);
		name.local = NULL;
	}
 done:
	return failure;
}

static int
test_invalid_hostnames(void)
{
	int i, failure = 0;
	char *nulhost = "www.openbsd.org\0";

	for (i = 0; invalid_hostnames[i] != NULL; i++) {
		if (x509_constraints_valid_host(invalid_hostnames[i],
		    strlen(invalid_hostnames[i]))) {
			FAIL("Invalid hostname '%s' accepted\n",
			    invalid_hostnames[i]);
			failure = 1;
			goto done;
		}
	}
	/* The length passed in deliberately includes the trailing NUL byte. */
	if (x509_constraints_valid_host(nulhost,
	    strlen(nulhost) + 1)) {
		FAIL("hostname with NUL byte accepted\n");
		failure = 1;
		goto done;
	}
	if (x509_constraints_valid_sandns(nulhost,
	    strlen(nulhost) + 1)) {
		FAIL("sandns with NUL byte accepted\n");
		failure = 1;
		goto done;
	}
 done:
	return failure;
}

static int
test_invalid_sandns_names(void)
{
	int i, failure = 0;

	for (i = 0; invalid_sandns_names[i] != NULL; i++) {
		if (x509_constraints_valid_sandns(invalid_sandns_names[i],
		    strlen(invalid_sandns_names[i]))) {
			FAIL("Invalid dnsname '%s' accepted\n",
			    invalid_sandns_names[i]);
			failure = 1;
			goto done;
		}
	}
 done:
	return failure;
}

static int
test_invalid_mbox_names(void)
{
	int i, failure = 0;
	struct x509_constraints_name name = {0};

	for (i = 0; invalid_mbox_names[i] != NULL; i++) {
		if (x509_constraints_parse_mailbox(invalid_mbox_names[i],
		    strlen(invalid_mbox_names[i]), &name)) {
			FAIL("invalid mailbox name '%s' accepted\n",
			    invalid_mbox_names[i]);
			failure = 1;
			goto done;
		}
		free(name.name);
		name.name = NULL;
		free(name.local);
		name.local = NULL;
	}
 done:
	return failure;
}

static int
test_invalid_domain_constraints(void)
{
	int i, failure = 0;

	for (i = 0; invalid_domain_constraints[i] != NULL; i++) {
		if (x509_constraints_valid_domain_constraint(invalid_domain_constraints[i],
		    strlen(invalid_domain_constraints[i]))) {
			FAIL("invalid dnsname '%s' accepted\n",
			    invalid_domain_constraints[i]);
			failure = 1;
			goto done;
		}
	}
 done:
	return failure;
}

static int
test_invalid_uri(void)
{
	int j, failure = 0;
	char *hostpart = NULL;

	for (j = 0; invaliduri[j] != NULL; j++) {
		if (x509_constraints_uri_host(invaliduri[j],
		    strlen(invaliduri[j]), &hostpart) != 0) {
			FAIL("invalid URI '%s' accepted\n",
			    invaliduri[j]);
			failure = 1;
			goto done;
		}
		free(hostpart);
		hostpart = NULL;
	}
 done:
	return failure;
}

static int
test_constraints1(void)
{
	char *c; size_t cl;
	char *d; size_t dl;
	int failure = 0;
	int error = 0;
	int i, j;
	unsigned char *constraints[] = {
		".org",
		".openbsd.org",
		"www.openbsd.org",
		NULL,
	};
	unsigned char *failing[] = {
		".ca",
		"openbsd.ca",
		"org",
		NULL,
	};
	unsigned char *matching[] = {
		"www.openbsd.org",
		NULL,
	};
	unsigned char *matchinguri[] = {
		"https://www.openbsd.org",
		"https://www.openbsd.org/",
		"https://www.openbsd.org?",
		"https://www.openbsd.org#",
		"herp://beck@www.openbsd.org:",
		"spiffe://beck@www.openbsd.org/this/is/so/spiffe/",
		NULL,
	};
	unsigned char *failinguri[] = {
		"https://www.openbsd.ca",
		"https://www.freebsd.com/",
		"https://www.openbsd.net?",
		"https://org#",
		"herp://beck@org:",
		"///",
		"//",
		"/",
		"",
		NULL,
	};
	unsigned char *noauthority[] = {
		"urn:open62541.server.application",
		NULL,
	};

	/* Check every name and URI table against each constraint in turn. */
	for (i = 0; constraints[i] != NULL; i++) {
		char *constraint = constraints[i];
		size_t clen = strlen(constraints[i]);

		for (j = 0; matching[j] != NULL; j++) {
			if (!x509_constraints_domain(matching[j],
			    strlen(matching[j]), constraint, clen)) {
				FAIL("constraint '%s' should have matched"
				    " '%s'\n",
				    constraint, matching[j]);
				failure = 1;
				goto done;
			}
		}
		for (j = 0; matchinguri[j] != NULL; j++) {
			error = 0;
			if (!x509_constraints_uri(matchinguri[j],
			    strlen(matchinguri[j]), constraint, clen, &error)) {
				FAIL("constraint '%s' should have matched URI"
				    " '%s' (error %d)\n",
				    constraint, matchinguri[j], error);
				failure = 1;
				goto done;
			}
		}
		for (j = 0; failing[j] != NULL; j++) {
			if (x509_constraints_domain(failing[j],
			    strlen(failing[j]), constraint, clen)) {
				FAIL("constraint '%s' should not have matched"
				    " '%s'\n",
				    constraint, failing[j]);
				failure = 1;
				goto done;
			}
		}
		for (j = 0; failinguri[j] != NULL; j++) {
			error = 0;
			if (x509_constraints_uri(failinguri[j],
			    strlen(failinguri[j]), constraint, clen, &error)) {
				FAIL("constraint '%s' should not have matched URI"
				    " '%s' (error %d)\n",
				    constraint, failinguri[j], error);
				failure = 1;
				goto done;
			}
		}
		/* URIs without an authority must parse but never match. */
		for (j = 0; noauthority[j] != NULL; j++) {
			char *hostpart = NULL;

			error = 0;
			if (!x509_constraints_uri_host(noauthority[j],
			    strlen(noauthority[j]), &hostpart)) {
				FAIL("name '%s' should parse as a URI\n",
				    noauthority[j]);
				failure = 1;
				free(hostpart);
				goto done;
			}
			free(hostpart);

			if (x509_constraints_uri(noauthority[j],
			    strlen(noauthority[j]), constraint, clen, &error)) {
				FAIL("constraint '%s' should not have matched URI"
				    " '%s' (error %d)\n",
				    constraint, noauthority[j], error);
				failure = 1;
				goto done;
			}
		}
	}

	/* A wildcard name matches a leading-dot constraint for its domain. */
	c = ".openbsd.org";
	cl = strlen(".openbsd.org");
	d = "*.openbsd.org";
	dl = strlen("*.openbsd.org");
	if (!x509_constraints_domain(d, dl, c, cl)) {
		FAIL("constraint '%s' should have matched '%s'\n",
		    c, d);
		failure = 1;
		goto done;
	}

	c = "www.openbsd.org";
	cl = strlen("www.openbsd.org");
	if (x509_constraints_domain(d, dl, c, cl)) {
		FAIL("constraint '%s' should not have matched '%s'\n",
		    c, d);
		failure = 1;
		goto done;
	}

	/* The empty constraint matches everything. */
	c = "";
	cl = 0;
	if (!x509_constraints_domain(d, dl, c, cl)) {
		FAIL("constraint '%s' should have matched '%s'\n",
		    c, d);
		failure = 1;
		goto done;
	}
 done:
	return failure;
}

int
main(int argc, char **argv)
{
	int failed = 0;

	failed |= test_valid_hostnames();
	failed |= test_invalid_hostnames();
	failed |= test_valid_sandns_names();
	failed |= test_invalid_sandns_names();
	failed |= test_valid_mbox_names();
	failed |= test_invalid_mbox_names();
	failed |= test_valid_domain_constraints();
	failed |= test_invalid_domain_constraints();
	failed |= test_invalid_uri();
	failed |= test_constraints1();

	return (failed);
}
kn [Sun, 30 Oct 2022 10:55:52 +0000 (10:55 +0000)]
Move duplex check from sbdsp_midi_open() to sbdsp_open() where it belongs
sbdsp.c r1.42 "Replace audio(9) get_props() with duplex check in open()
in partial duplex drivers" added it to the wrong function.
kettenis [Sat, 29 Oct 2022 20:35:50 +0000 (20:35 +0000)]
The x13s only defines the (legacy) 32-bit SMBIOS entry point. Add code to
handle that such that we can see the firmware version in dmesg.
ok deraadt@, phessler@
miod [Fri, 28 Oct 2022 16:06:54 +0000 (16:06 +0000)]
Fix indent botch; noticed by kettenis@
miod [Fri, 28 Oct 2022 15:50:55 +0000 (15:50 +0000)]
Remove antique^Wolder-than-binutils-2.17 c++filt(1).
miod [Fri, 28 Oct 2022 15:49:52 +0000 (15:49 +0000)]
Build and install binutils-2.17's version of c++filt(1), since we already
install its manual page.
Reported by vol at ljabl dot com
kettenis [Fri, 28 Oct 2022 15:26:46 +0000 (15:26 +0000)]
Decode DT_MIPS_RLD_MAP_REL.
ok deraadt@
kn [Fri, 28 Oct 2022 15:13:59 +0000 (15:13 +0000)]
Remove unused audio(9) get_props()/AUDIO_PROP_FULLDUPLEX
All audio drivers have been cleaned up and, if needed, now check for duplex
mode in their open() handler.
OK ratchov miod
kn [Fri, 28 Oct 2022 15:09:45 +0000 (15:09 +0000)]
Replace audio(9) get_props() with duplex check in open() in non-duplex drivers
Make drivers which do *not* advertise AUDIO_PROP_FULLDUPLEX return ENXIO
in their open() if full-duplex mode was requested.
This way, sys/dev/audio.c:audio_open() will fail immediately rather than
later through the to-be-removed get_props() check.
These are all drivers which simply don't support full-duplex mode.
In device-tree based drivers like simpleaudio(4)/rkiis(4) and newer Apple
ones like aplaudio(4)/aplmca(4), this adds a new open() stub to the
low-level drivers which merely does the duplex check.
My Pinebook Pro keeps playing audio and recording silence with this diff
just like before (rkiis(4) is currently play-only):
simpleaudio0 at mainbus0
simpleaudio1 at mainbus0
audio0 at simpleaudio1
$ aucat -i song69.wav -o rec.wav
OK ratchov miod
kettenis [Fri, 28 Oct 2022 15:09:39 +0000 (15:09 +0000)]
Add DT_MIPS_RLD_MAP_REL support to the in-tree GDB.
ok deraadt@
kettenis [Fri, 28 Oct 2022 15:08:59 +0000 (15:08 +0000)]
Implement DT_MIPS_RLD_MAP_REL support and add such an entry to PIE
executables.
ok deraadt@
kettenis [Fri, 28 Oct 2022 15:07:25 +0000 (15:07 +0000)]
Implement support for DT_MIPS_RLD_MAP_REL.
ok deraadt@
kn [Fri, 28 Oct 2022 15:02:20 +0000 (15:02 +0000)]
Remove audio(9) get_props() from record-only drivers
utvfu(4) seems to be the only driver that currently supports recording but
not playing and its open() already returns ENXIO when playing is requested,
so no need to add another duplex check after get_props() is gone.
OK ratchov miod
kn [Fri, 28 Oct 2022 14:55:46 +0000 (14:55 +0000)]
Replace audio(9) get_props() with duplex check in open() in partial duplex drivers
Make drivers which do *not* advertise AUDIO_PROP_FULLDUPLEX return ENXIO
in their open() if full-duplex mode was requested.
This way, sys/dev/audio.c:audio_open() will fail immediately rather than
later through the to-be-removed get_props() check.
This is the first round for drivers with logic in their get_props(), i.e.
those that only support full-duplex mode for specific hardware:
ess(4), gus(4), pas(4) and sb(4)
All of these are i386/GENERIC only and share code through
sys/dev/isa/{ad1848,sbdsp}{.c,var.h} which are not used by any other kernel.
i386/GENERIC.MP builds and boots with this diff.
OK ratchov miod
nicm [Fri, 28 Oct 2022 13:00:02 +0000 (13:00 +0000)]
Add paste-buffer-deleted notification and fix name of paste-buffer-changed.
nicm [Fri, 28 Oct 2022 12:20:28 +0000 (12:20 +0000)]
Do not send focus sequences when reporting is enabled, matches other
terminals' behaviour.
dlg [Fri, 28 Oct 2022 11:24:49 +0000 (11:24 +0000)]
getopt optstring doesn't need '?'.
found while hacking up a comp3301 prac/assignment
ok millert@ deraadt@
djm [Fri, 28 Oct 2022 02:47:04 +0000 (02:47 +0000)]
put sshkey_check_rsa_length() back in sshkey.c to unbreak
OPENSSL=no builds
djm [Fri, 28 Oct 2022 02:29:34 +0000 (02:29 +0000)]
allow ssh-keyscan(1) to accept CIDR address ranges, e.g.
ssh-keyscan 192.168.0.0/24
If a CIDR range is passed, then it will be expanded to all possible
addresses in the range including the all-0s and all-1s addresses.
bz#976 feedback/ok markus@
djm [Fri, 28 Oct 2022 00:44:44 +0000 (00:44 +0000)]
refactor sshkey_private_deserialize
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:44:17 +0000 (00:44 +0000)]
refactor sshkey_private_serialize_opt()
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:43:30 +0000 (00:43 +0000)]
refactor certify
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:43:08 +0000 (00:43 +0000)]
refactor sshkey_sign() and sshkey_verify()
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:41:52 +0000 (00:41 +0000)]
refactor sshkey_from_blob_internal()
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:41:17 +0000 (00:41 +0000)]
refactor sshkey_from_private()
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:39:29 +0000 (00:39 +0000)]
factor out key generation
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:38:58 +0000 (00:38 +0000)]
refactor and simplify sshkey_read()
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:37:24 +0000 (00:37 +0000)]
factor out public key serialization
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:36:31 +0000 (00:36 +0000)]
factor out sshkey_equal_public()
feedback/ok markus@
djm [Fri, 28 Oct 2022 00:35:40 +0000 (00:35 +0000)]
begin big refactor of sshkey
Move keytype data and some of the type-specific code (allocation,
cleanup, etc) out into each key type's implementation. Subsequent
commits will move more, with the goal of having each key-*.c file
owning as much of its keytype's implementation as possible.
lots of feedback + ok markus@
deraadt [Thu, 27 Oct 2022 23:17:18 +0000 (23:17 +0000)]
In dynamic binaries, AUX_base is the ld.so address. In static PIE binaries,
it is the base of the binary itself. Repair of this comment does not undo
the hair pulling that happened today.
ok guenther
deraadt [Thu, 27 Oct 2022 22:48:17 +0000 (22:48 +0000)]
Unfortunately there are still ugly text-relocation binaries in the wild.
Libraries are less of a concern, because ld.so can fix them in the right
order. So we must scan DYNAMIC for the TEXTREL marker, and not make
X LOADs immutable. ld.so will apply changes to the text segment. In
upcoming diff, crt0 and ld.so will then apply immutability.
ok kettenis
deraadt [Thu, 27 Oct 2022 19:40:21 +0000 (19:40 +0000)]
hppa and mips64 have private copies of RCRT0_RELRO(), which should
also perform mimmutable()
ok guenther
deraadt [Thu, 27 Oct 2022 16:01:18 +0000 (16:01 +0000)]
VMCMD_SYSCALL cannot be incorporated into flags variable, because flags
is inspected narrowly for base address later.
ok kettenis
claudio [Thu, 27 Oct 2022 13:24:22 +0000 (13:24 +0000)]
Print the pid in some additional debug messages to be able to match them
with the fork messages.
OK tb@
patrick [Thu, 27 Oct 2022 13:21:14 +0000 (13:21 +0000)]
Match ure(4) on Windows Dev Kit 2023
ok jsg@
patrick [Thu, 27 Oct 2022 13:20:16 +0000 (13:20 +0000)]
regen
patrick [Thu, 27 Oct 2022 13:19:42 +0000 (13:19 +0000)]
Add USB device id for integrated ure(4) on Windows Dev Kit 2023
ok jsg@
bluhm [Thu, 27 Oct 2022 12:58:37 +0000 (12:58 +0000)]
Update libexpat to 2.5.0. This fixes CVE-2022-43680. Relevant for
OpenBSD are security fixes #616 #649 #650 and bug fixes #612 #645
#613 #654 #616 #652 #653. No library bump necessary.
OK tb@
deraadt [Thu, 27 Oct 2022 04:12:09 +0000 (04:12 +0000)]
sync
kettenis [Wed, 26 Oct 2022 23:18:01 +0000 (23:18 +0000)]
Enable waitid(2) regress tests and a new test derived from NetBSD's
wait6(2) tests.
ok millert@, deraadt@
kettenis [Wed, 26 Oct 2022 23:16:24 +0000 (23:16 +0000)]
Add waitid(2) syscall stub.
Minor bump to both libc and libpthread: make sure you install a new kernel!
ok millert@, deraadt@
tb [Wed, 26 Oct 2022 20:31:38 +0000 (20:31 +0000)]
dtlstest: Ensure the timeouts are at least 10 ms. This makes these tests
a bit less flaky if the machine is otherwise under load.
from jsing
kn [Wed, 26 Oct 2022 20:19:06 +0000 (20:19 +0000)]
Make audio(9) get_props() optional, remove it from duplex drivers
The property bits of audio(9) are obsolete and ought to be removed
completely.
sys/dev/audio.c:audio_open() currently uses get_props() to bail out if
read *and* write was requested on a non-duplex driver.
Drivers that currently support playing but not recording need adjustment
before the API can be cleaned up.
Drivers that advertise themselves as full duplex, i.e. those that always
return AUDIO_PROP_FULLDUPLEX unconditionally in their get_props() currently
always succeed this check.
As this is the only property, loosen audio_open()'s DIAGNOSTIC check and only
do the duplex check if the driver provides get_props().
This allows for simple removal of get_props() from full-duplex drivers
without adding any other code or without changing functionality.
This includes all audio drivers under sys/dev/pci/ (maestro(4) being the
only unfinished exception here).
Other drivers as well as the API change can then follow in smaller diffs.
This builds on amd64, arm64, i386, macppc and sparc64.
amd64 with azalia(4) still plays, records as well as plays and records
at the same time on my X230 as tested with
$ aucat -i play.wav [-o rec.wav]
alpha and hppa tests by miod
OK ratchov miod
kn [Wed, 26 Oct 2022 17:06:31 +0000 (17:06 +0000)]
Limit wireguard peers listing to -A or wg-interface
ifconfig(8) output can get too long when always printing `wgpeers' for all
wg(4) interfaces, so omit it output is requested and/or output is limited
to the interface group "wg" or a specific interface "wgX".
No install media size change as wireguard code is under #ifndef SMALL.
Diff from Mikolaj Kucharski <mikolaj AT kucharski DOT name>
makes Hrvoje Popovski happy
manual bits from jmc
OK sthen
kn [Wed, 26 Oct 2022 16:07:28 +0000 (16:07 +0000)]
Constify device table
OK jcs
kn [Wed, 26 Oct 2022 16:06:42 +0000 (16:06 +0000)]
Constify battery check table
OK jcs
kettenis [Wed, 26 Oct 2022 13:31:06 +0000 (13:31 +0000)]
Fix handling of PGIDs in wait4(2) that I broke with the previous commit.
ok anton@, millert@
millert [Wed, 26 Oct 2022 00:40:40 +0000 (00:40 +0000)]
compress: fix minor TOCTOU when checking for existing file
Use open(2) + fstat(2) instead of stat(2) + open(2). The file open
code has been moved into its own functions so it can be shared
between docompress() and dodecompress().
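The two orderings named in this commit, as an added example that is not compress(1)'s code: checking the path and then opening it resolves the name twice, while opening first and calling fstat(2) on the descriptor inspects the object that was actually opened. The function names, the temporary file names and the `swap_demo` scenario are hypothetical and constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Racy: the path is resolved twice and can be swapped between the calls. */
int
open_stat_then_open(const char *path, struct stat *sb)
{
	if (stat(path, sb) == -1 || !S_ISREG(sb->st_mode))
		return -1;
	/* window: path may now name a different object than the one checked */
	return open(path, O_RDONLY);
}

/* Race-free: resolve the path once, then inspect the object actually opened. */
int
open_then_fstat(const char *path, struct stat *sb)
{
	int fd;

	/* O_NONBLOCK so that a FIFO placed at path cannot stall the open */
	if ((fd = open(path, O_RDONLY | O_NONBLOCK)) == -1)
		return -1;
	if (fstat(fd, sb) == -1 || !S_ISREG(sb->st_mode)) {
		close(fd);
		return -1;
	}
	return fd;
}

static int
write_file(const char *path, const char *data)
{
	ssize_t n;
	int fd;

	if ((fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600)) == -1)
		return -1;
	n = write(fd, data, strlen(data));
	close(fd);
	return n == (ssize_t)strlen(data) ? 0 : -1;
}

/*
 * Returns 1 if, after the path is replaced behind our back, the metadata
 * from fstat() still describes the file we hold open while a fresh stat()
 * of the same path describes the replacement.
 */
int
swap_demo(void)
{
	char dir[] = "/tmp/toctou.XXXXXX";
	char target[64], other[64];
	struct stat opened, now;
	int fd, ok = 0;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(target, sizeof(target), "%s/in", dir);
	snprintf(other, sizeof(other), "%s/swap", dir);
	if (write_file(target, "aaaa") == -1 ||
	    write_file(other, "bbbbbbbbbb") == -1)
		goto out;
	if ((fd = open_then_fstat(target, &opened)) == -1)
		goto out;
	/* stand-in for another process replacing the path after our open */
	if (rename(other, target) == 0 && stat(target, &now) == 0)
		ok = opened.st_size == 4 && now.st_size == 10 &&
		    opened.st_ino != now.st_ino;
	close(fd);
out:
	unlink(target);
	unlink(other);
	rmdir(dir);
	return ok;
}

/* Returns 1 if both variants refuse a directory when nothing is racing. */
int
rejects_directory(void)
{
	struct stat sb;

	return open_stat_then_open("/", &sb) == -1 &&
	    open_then_fstat("/", &sb) == -1;
}

int
main(void)
{
	printf("swap=%d dir=%d\n", swap_demo(), rejects_directory());
	return 0;
}
```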
miod [Tue, 25 Oct 2022 19:55:31 +0000 (19:55 +0000)]
Make the floating-point computations a slightly teeny bit more complex (but
real), to prevent llvm panzers from optimizing too aggressively and generating
code which does not touch the slightest floating point register on some
platforms.
ok otto@
mglocker [Tue, 25 Oct 2022 19:32:18 +0000 (19:32 +0000)]
Calculate approx. battery re-charge time.
miod [Tue, 25 Oct 2022 18:44:36 +0000 (18:44 +0000)]
Store mod/ref flags using md pg_flags values rather than a specific field in
vm_page_md, which allows this struct to shrink a bit.
nicm [Tue, 25 Oct 2022 17:53:31 +0000 (17:53 +0000)]
Initialize context before testing it.
kn [Tue, 25 Oct 2022 17:10:13 +0000 (17:10 +0000)]
trim DESCRIPTION
- just call it (a sh(1)) script, in line with MAKEDEV(8) and rc.d(8)
- use only .Nm thereafter instead of .Nm/the .Nm script/...
- zap the additional rc.conf(8) bits for they can be found in this manual
- zap unhelpful "(or can be)"
Feedback OK jmc
millert [Tue, 25 Oct 2022 16:30:30 +0000 (16:30 +0000)]
Move CLOCKS_PER_SEC to sys/_time.h so the kernel has access to it.
This will be used in waitid(2) to set si_utime and si_stime.
The definition of struct timespec also moves from time.h to sys/_time.h
for struct itimerspec. OK kettenis@
kettenis [Tue, 25 Oct 2022 16:11:29 +0000 (16:11 +0000)]
regen
kettenis [Tue, 25 Oct 2022 16:10:31 +0000 (16:10 +0000)]
Implement waitid(2) which is now part of POSIX and used by mozilla.
This includes a change of siginfo_r which is technically an ABI break but
this should have no real-world impact since the members involved are
never touched by the kernel.
ok millert@, deraadt@
kettenis [Tue, 25 Oct 2022 16:08:26 +0000 (16:08 +0000)]
Implement waitid(2) which is now part of POSIX and used by mozilla.
This includes a change of siginfo_r which is technically an ABI break but
this should have no real-world impact since the members involved are
never touched by the kernel.
ok millert@, deraadt@
guenther [Tue, 25 Oct 2022 15:15:38 +0000 (15:15 +0000)]
Consistently use 'proc_trampoline' as the name of the trampoline
used by cpu_fork()
ok miod@ kettenis@ mpi@ deraadt@
aoyama [Tue, 25 Oct 2022 11:39:33 +0000 (11:39 +0000)]
Add more chance to process IPI in the interrupt service routine.
This prevents "luna88k_ext_int: cpu0 level 1 interrupt" message on
heavy load.
"This makes sense" miod@, tested by me.
martijn [Tue, 25 Oct 2022 10:46:59 +0000 (10:46 +0000)]
Fix LDADD and DPADD.
DPADD bit pointed out by deraadt@
"No kidding" deraadt@
martijn [Tue, 25 Oct 2022 09:54:24 +0000 (09:54 +0000)]
Fix several "bytes" in DESCRIPTION to their clearly intended "packets".
Found by Alec olp_76 <at> yahoo <dot> ca
OK sthen@, denis@
nicm [Tue, 25 Oct 2022 09:12:05 +0000 (09:12 +0000)]
Fix a memory leak, from Japin Li in GitHub issue 3358.