openbsd
2 years agoprevious commit causes gcc to perform an unaligned access to the tcphdr
deraadt [Sat, 27 Nov 2021 16:25:40 +0000 (16:25 +0000)]
previous commit causes gcc to perform an unaligned access to the tcphdr
(at least on sparc64) since it accesses the bitfield using an "int sized"
instructions, rather than the minimally sized byte instruction.  This is
permitted by the language laywers who probably prefer we change the tcphdr
in every packet.  It is not clear how to convince gcc to avoid this behaviour,
and a week of futzing hasn't found fast path solutions yet.  In the meantime
the tree may not be broken.

2 years agonew manual page BIO_f_asn1(3)
schwarze [Sat, 27 Nov 2021 16:18:03 +0000 (16:18 +0000)]
new manual page BIO_f_asn1(3)

2 years agoRemove an unneeded variable to fix compiler warning with clang 13.
visa [Sat, 27 Nov 2021 15:13:09 +0000 (15:13 +0000)]
Remove an unneeded variable to fix compiler warning with clang 13.

OK jsg@

2 years agoMake brk() and sbrk() weak again to fix build with clang 13.
visa [Sat, 27 Nov 2021 15:12:19 +0000 (15:12 +0000)]
Make brk() and sbrk() weak again to fix build with clang 13.

OK jsg@

2 years agoAdjust wait channel name and re-enable test.
visa [Sat, 27 Nov 2021 15:07:26 +0000 (15:07 +0000)]
Adjust wait channel name and re-enable test.

2 years agoFix timeouts in poll/select regress tests
visa [Sat, 27 Nov 2021 15:06:10 +0000 (15:06 +0000)]
Fix timeouts in poll/select regress tests

Disable poll/select timeout so that the wchan wait would work as
intended. The timeout is not essential to the test flow. In addition,
the top-level alarm timer prevents the tests from getting stuck should
something go wrong.

2 years agoFix incomplete initialization bug: BIO_new(BIO_f_asn1()) neglected
schwarze [Sat, 27 Nov 2021 13:10:33 +0000 (13:10 +0000)]
Fix incomplete initialization bug: BIO_new(BIO_f_asn1()) neglected
initializing five of the fields in BIO_ASN1_BUF_CTX (prefix,
prefix_free, suffix, suffix_free, ex_arg), inviting a segfault in
a subsequent call from the application program to BIO_write(3)
because subroutines of that function assume that the function
pointers are either NULL or valid.

Fix this by using the less error-prone calloc(3) idiom.

While here, inline asn1_bio_init() at the only call site
in asn1_bio_new() to simplify the code and make it easier to read.

Bug found and initial patch by me,
this version (with inlining) by and OK tb@.

2 years agoLet iwm(4) use per-Tx-queue interface timers to ensure that the interface
stsp [Sat, 27 Nov 2021 11:22:26 +0000 (11:22 +0000)]
Let iwm(4) use per-Tx-queue interface timers to ensure that the interface
watchdog will trigger a device timeout if a particular Tx queue gets stuck
while other Tx queues keep working.

The Linux driver is using a similar workaround for "stuck queues".
I have only observed this problem on iwx(4) hardware but it won't hurt
to add this workaround to iwm(4) as well.

2 years agowhitespac e
djm [Sat, 27 Nov 2021 07:23:35 +0000 (07:23 +0000)]
whitespac e

2 years agoregression test for match-principals. Mostly by Fabian Stelzer
djm [Sat, 27 Nov 2021 07:20:58 +0000 (07:20 +0000)]
regression test for match-principals. Mostly by Fabian Stelzer

2 years agoAdd ssh-keygen -Y match-principals operation to perform matching of
djm [Sat, 27 Nov 2021 07:14:46 +0000 (07:14 +0000)]
Add ssh-keygen -Y match-principals operation to perform matching of
principals names against an allowed signers file.

Requested by and mostly written by Fabian Stelzer, towards a TOFU
model for SSH signatures in git. Some tweaks by me.

"doesn't bother me" deraadt@

2 years agofree() with nullptr is OK, but not if the size is unitialized, and the
deraadt [Sat, 27 Nov 2021 06:14:10 +0000 (06:14 +0000)]
free() with nullptr is OK, but not if the size is unitialized, and the
fail label is reachable before the sizes are known.

2 years agodrm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi...
jsg [Sat, 27 Nov 2021 04:32:32 +0000 (04:32 +0000)]
drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors

From hongao
04c586a601dc0acb8e739205db350ab660dffc4f in linux 5.10.y/5.10.82
bf552083916a7f8800477b5986940d1c9a31b953 in mainline linux

2 years agodrm/i915/dp: Ensure sink rate values are always valid
jsg [Sat, 27 Nov 2021 04:29:00 +0000 (04:29 +0000)]
drm/i915/dp: Ensure sink rate values are always valid

From Imre Deak
47901b77bf7dc801a084a0b377aee5974d9bc4ce in linux 5.10.y/5.10.82
6c34bd4532a3f39952952ddc102737595729afc4 in mainline linux

2 years agodrm/amd/display: Update swizzle mode enums
jsg [Sat, 27 Nov 2021 04:26:18 +0000 (04:26 +0000)]
drm/amd/display: Update swizzle mode enums

From Alvin Lee
3d68d6ee83144044f610d67304cc194c2af7d0c5 in linux 5.10.y/5.10.82
58065a1e524de30df9a2d8214661d5d7eed0a2d9 in mainline linux

2 years agostop building kernels with -Wno-uninitialized on clang archs
jsg [Sat, 27 Nov 2021 00:49:21 +0000 (00:49 +0000)]
stop building kernels with -Wno-uninitialized on clang archs
this hides real problems that could be found at build time

ok kettenis@ visa@, ok sashan@ on amd64/i386

2 years agoPut a mutex assert locked into puttdb_locked().
bluhm [Fri, 26 Nov 2021 19:24:41 +0000 (19:24 +0000)]
Put a mutex assert locked into puttdb_locked().
OK tobhe@

2 years agomake the bn/mont test compile with opaque DH.
tb [Fri, 26 Nov 2021 16:52:07 +0000 (16:52 +0000)]
make the bn/mont test compile with opaque DH.

2 years agoStop reaching into EVP_PKEY in the rest of libssl.
tb [Fri, 26 Nov 2021 16:41:42 +0000 (16:41 +0000)]
Stop reaching into EVP_PKEY in the rest of libssl.

ok inoguchi jsing

2 years agoSimplify two weirdly formatted pieces of code in ssl_rsa.c and stop
tb [Fri, 26 Nov 2021 16:40:02 +0000 (16:40 +0000)]
Simplify two weirdly formatted pieces of code in ssl_rsa.c and stop
reaching into the EVP_PKEY struct.

ok inoguchi jsing

2 years agoopenssl(1): drop support for netscape certificates and server gated keys.
tb [Fri, 26 Nov 2021 16:23:27 +0000 (16:23 +0000)]
openssl(1): drop support for netscape certificates and server gated keys.

ok inoguchi jsing

2 years agoA peer sends both his local id and remote id he expects us to be. So far we
patrick [Fri, 26 Nov 2021 16:22:44 +0000 (16:22 +0000)]
A peer sends both his local id and remote id he expects us to be.  So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set.  Hence dstid is involved in the decision making.  While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have.  If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@

2 years agoReplace TDBF_DELETED flag with check if tdb was already unlinked.
tobhe [Fri, 26 Nov 2021 16:16:35 +0000 (16:16 +0000)]
Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@

2 years agoThe IORT table usually only contains single mappings. While on the LX2K there
patrick [Fri, 26 Nov 2021 15:21:26 +0000 (15:21 +0000)]
The IORT table usually only contains single mappings.  While on the LX2K there
is a non-single mapping for the networking subsystem, we don't yet have support
for it and apparently Linux has trouble with it as well.  So for now we can
remove the code, because it uses an uninitialized variable and there's no easy
way to fix it without re-thinking the concept.  The code got there in the first
place because it's a copy of the same pattern in our other IOMMU code.

ok jsg@

2 years agoavoid clang -Wsometimes-uninitialized warning when DDB is not defined
jsg [Fri, 26 Nov 2021 14:59:42 +0000 (14:59 +0000)]
avoid clang -Wsometimes-uninitialized warning when DDB is not defined
ok kettenis@ visa@

2 years agoavoid clang -Wsometimes-uninitialized warning when MULTIPROCESSOR is not
jsg [Fri, 26 Nov 2021 14:45:13 +0000 (14:45 +0000)]
avoid clang -Wsometimes-uninitialized warning when MULTIPROCESSOR is not
defined
feedback from millert@, ok kettenis@, mips64 diff from and ok visa@

2 years agoFix ikev2_child_sa_rekey() warnings. The SPI can't be printed without a
tobhe [Fri, 26 Nov 2021 14:05:01 +0000 (14:05 +0000)]
Fix ikev2_child_sa_rekey() warnings.  The SPI can't be printed without a
parent SA.

2 years agospelling
jsg [Fri, 26 Nov 2021 13:48:21 +0000 (13:48 +0000)]
spelling
ok schwarze@

2 years agoafter the bugfix in x509_vfy.c rev. 1.100,
schwarze [Fri, 26 Nov 2021 13:35:10 +0000 (13:35 +0000)]
after the bugfix in x509_vfy.c rev. 1.100,
replace the BUGS section with a shorter CAVEATS section

2 years agoBugfix in X509_get_pubkey_parameters(3):
schwarze [Fri, 26 Nov 2021 13:17:09 +0000 (13:17 +0000)]
Bugfix in X509_get_pubkey_parameters(3):

If EVP_PKEY_copy_parameters(3) fails - among other reasons, this
may happen when out of memory - the pkey argument and/or the chain
argument will not contain all the desired parameters after returning.
Consequently, report the failure to the caller rather than silently
ignoring it.

OK tb@

2 years agoSimplify the code in X509_get_pubkey_parameters(3)
schwarze [Fri, 26 Nov 2021 13:05:03 +0000 (13:05 +0000)]
Simplify the code in X509_get_pubkey_parameters(3)
by using X509_get0_pubkey(3) instead of X509_get_pubkey(3);
no functional change.

OK tb@

This is similar to the relevant part of the follwoing commit
from the OpenSSL 1.1.1 branch, which is still under a free licence,
but without the bug that commit introduced into this function in OpenSSL:

commit c01ff880d47392b82cce2f93ac4a9bb8c68f8cc7
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Mon Dec 14 13:13:32 2015 +0000

2 years agouse the keywords instead of vague english so that it's indexed better by
espie [Fri, 26 Nov 2021 12:14:33 +0000 (12:14 +0000)]
use the keywords instead of vague english so that it's indexed better by
mandocdb

2 years agodocument annotation interactions with pkg_mklocatedb
espie [Fri, 26 Nov 2021 12:08:35 +0000 (12:08 +0000)]
document annotation interactions with pkg_mklocatedb

2 years agoAdd interfaces to enable all power domains for a node.
kettenis [Fri, 26 Nov 2021 11:44:01 +0000 (11:44 +0000)]
Add interfaces to enable all power domains for a node.

ok patrick@, visa@

2 years agoMark exit1() and sigexit() as non-returning
visa [Fri, 26 Nov 2021 04:42:13 +0000 (04:42 +0000)]
Mark exit1() and sigexit() as non-returning

The late 1990s reasons for avoiding __dead with exit1() should not apply
with the current compilers.

This fixes compiler warnings about uninitialized variables in trap.c
on mips64.

Discussed with guenther@ and miod@

2 years agofollowng -> following
jsg [Fri, 26 Nov 2021 03:42:33 +0000 (03:42 +0000)]
followng -> following

2 years agodefiniton -> definition
jsg [Fri, 26 Nov 2021 03:41:39 +0000 (03:41 +0000)]
definiton -> definition

2 years agoTransmiter -> Transmitter
jsg [Fri, 26 Nov 2021 03:37:39 +0000 (03:37 +0000)]
Transmiter -> Transmitter

2 years agoaddresss -> address
jsg [Fri, 26 Nov 2021 03:34:14 +0000 (03:34 +0000)]
addresss -> address

2 years agoremaing -> remaining
jsg [Fri, 26 Nov 2021 03:31:38 +0000 (03:31 +0000)]
remaing -> remaining

2 years agomove label to fix RAMDISK
deraadt [Thu, 25 Nov 2021 23:03:05 +0000 (23:03 +0000)]
move label to fix RAMDISK

2 years agodebug("func: ...") -> debug_f("...")
djm [Thu, 25 Nov 2021 23:02:24 +0000 (23:02 +0000)]
debug("func: ...") -> debug_f("...")

2 years agoLibreSSL error message has changed again, make test more tolerant.
bluhm [Thu, 25 Nov 2021 21:09:48 +0000 (21:09 +0000)]
LibreSSL error message has changed again, make test more tolerant.

2 years agorevert recent change, breakage reported by dv@
anton [Thu, 25 Nov 2021 20:31:24 +0000 (20:31 +0000)]
revert recent change, breakage reported by dv@

2 years agoRemove unused variable fd.
tobhe [Thu, 25 Nov 2021 19:41:03 +0000 (19:41 +0000)]
Remove unused variable fd.

2 years agoSilence unitialized variable warnings.
tobhe [Thu, 25 Nov 2021 18:28:51 +0000 (18:28 +0000)]
Silence unitialized variable warnings.

2 years agoforgot the case about find... oops
espie [Thu, 25 Nov 2021 18:23:53 +0000 (18:23 +0000)]
forgot the case about find... oops
fixes GraphicsMagick updates

2 years agoWe know how to print a size_t now. Drop a comment and a cast.
tb [Thu, 25 Nov 2021 16:53:58 +0000 (16:53 +0000)]
We know how to print a size_t now. Drop a comment and a cast.

ok bluhm inoguchi

2 years agoRework this test to compile with opaque RSA
tb [Thu, 25 Nov 2021 16:51:31 +0000 (16:51 +0000)]
Rework this test to compile with opaque RSA

2 years agoHonour /usr/mdec/mbr or -f partition 0 information even outside
krw [Thu, 25 Nov 2021 15:40:26 +0000 (15:40 +0000)]
Honour /usr/mdec/mbr or -f partition 0 information even outside
of _powerpc__ and __mips__, preventing the possible creation of
MBRs with overlapping partitions 0 and 3.

Don't set bootprt DOSACTIVE flag if no partition 0 information
was provided via /usr/mdec/mbr or -f. Lets octeon fdisk(8) set
DOSACTIVE on the OpenBSD partition in the default MBR like
every other fdisk(8) does.

2 years agoInitialize the repo_timeout to timeout / 4 at start of main().
claudio [Thu, 25 Nov 2021 15:03:04 +0000 (15:03 +0000)]
Initialize the repo_timeout to timeout / 4 at start of main().
OK job@

2 years agoPrepare iwx(4) for using new firmware (API version -67) in the future.
stsp [Thu, 25 Nov 2021 14:51:26 +0000 (14:51 +0000)]
Prepare iwx(4) for using new firmware (API version -67) in the future.

Bump command versions array size as required for -67 firmware.
Ignore new TLVs found in -67 images.
Add room for another ucode section needed for -67 on AX201 devices.

2 years agoReplace MAX_REPO_TIMEOUT with repo_timeout, which is set to 1/4th of
job [Thu, 25 Nov 2021 14:03:40 +0000 (14:03 +0000)]
Replace MAX_REPO_TIMEOUT with repo_timeout, which is set to 1/4th of
timeout, or if timeout is disabled set to 24 hours.

OK claudio@

2 years agoImplement reference counting for IPsec tdbs. Not all cases are
bluhm [Thu, 25 Nov 2021 13:46:02 +0000 (13:46 +0000)]
Implement reference counting for IPsec tdbs.  Not all cases are
covered yet, more ref counts to come.  The timeouts are protected,
so the racy tdb_reaper() gets retired.  The tdb_policy_head, onext
and inext lists are protected.  All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later.  A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@

2 years agoCheck for possible negative diff timeout. Clamp it to 0 in that case.
claudio [Thu, 25 Nov 2021 12:55:34 +0000 (12:55 +0000)]
Check for possible negative diff timeout. Clamp it to 0 in that case.
poll with negative timeout noticed by job@
OK job@

2 years agoDocument BIO_method_name(3).
schwarze [Thu, 25 Nov 2021 12:15:37 +0000 (12:15 +0000)]
Document BIO_method_name(3).
While here, also improve the rest of the page:
* add missing BIO_TYPE_* constants
* describe BIO_TYPE_START
* better function argument names
* more precision in the descriptions and regarding the RETURN VALUES
* lots of wording improvements
* improve the coding style below EXAMPLES
* delete a BUGS section describing cretaceous behaviour

2 years agoResolve last issue with opaque BIGNUM in this test.
tb [Thu, 25 Nov 2021 11:07:17 +0000 (11:07 +0000)]
Resolve last issue with opaque BIGNUM in this test.

2 years agoAssert that at least one report id is claimed during multiple report ids
anton [Thu, 25 Nov 2021 06:25:32 +0000 (06:25 +0000)]
Assert that at least one report id is claimed during multiple report ids
attachment. Should prevent uhidev drivers from doing the wrong thing in their
corresponding match routine.

2 years agosync with arm64.html
jsg [Thu, 25 Nov 2021 03:50:42 +0000 (03:50 +0000)]
sync with arm64.html

2 years agoSpacing and remove an unused macro.
mglocker [Wed, 24 Nov 2021 22:03:05 +0000 (22:03 +0000)]
Spacing and remove an unused macro.

2 years agoSpacing
mglocker [Wed, 24 Nov 2021 21:57:56 +0000 (21:57 +0000)]
Spacing

2 years agoFix panic when running utvfu(4) on xhci(4).
mglocker [Wed, 24 Nov 2021 21:47:14 +0000 (21:47 +0000)]
Fix panic when running utvfu(4) on xhci(4).

tested and ok ian@

2 years agoUnregister event on pfkey socket during pfkey_reply(). Using events
tobhe [Wed, 24 Nov 2021 21:06:21 +0000 (21:06 +0000)]
Unregister event on pfkey socket during pfkey_reply().  Using events
and poll() at the same time may lead to a race that locks up the
process in recv().

ok bluhm@

2 years agoPass env to pfkey API. Consistently call pfkey file descriptor fd.
tobhe [Wed, 24 Nov 2021 20:48:00 +0000 (20:48 +0000)]
Pass env to pfkey API. Consistently call pfkey file descriptor fd.

ok bluhm@

2 years agoDescribe what RES_USE_DNSSEC does and how it's affected by trust-ad
jca [Wed, 24 Nov 2021 20:06:32 +0000 (20:06 +0000)]
Describe what RES_USE_DNSSEC does and how it's affected by trust-ad

ok florian@

2 years agoFix OCSP_basic_verify() cert chain construction in case the
tb [Wed, 24 Nov 2021 19:33:24 +0000 (19:33 +0000)]
Fix OCSP_basic_verify() cert chain construction in case the
OCSP_BASICRESP bs contains no certificates.

From David von Oheimb (OpenSSL 121738d1)

ok beck

2 years agoSimplify slightly by using X509_get0_pubkey() thus eliminating the
tb [Wed, 24 Nov 2021 19:29:19 +0000 (19:29 +0000)]
Simplify slightly by using X509_get0_pubkey() thus eliminating the
need for EVP_PKEY_free().

ok beck

2 years agoFix a whitespace error that has annoyed me for way too long
tb [Wed, 24 Nov 2021 19:27:03 +0000 (19:27 +0000)]
Fix a whitespace error that has annoyed me for way too long

2 years agoFix timestamp printing in Signed Certificate Timestamps
tb [Wed, 24 Nov 2021 19:24:46 +0000 (19:24 +0000)]
Fix timestamp printing in Signed Certificate Timestamps

Our ASN1_GENERALIZEDTIME_set() doesn't accept time strings with
fractional seconds, so don't feed it milliseconds, but only seconds.
Ensures that openssl x509 -text prints timestamps instead of skipping
them.

ok beck jsing

2 years agoAdd certificate transparency methods to the standard extensions.
tb [Wed, 24 Nov 2021 19:22:14 +0000 (19:22 +0000)]
Add certificate transparency methods to the standard extensions.

This way, CT extensions in certs will be parsed by the new CT code
when they are encountered. This gets rid of a lot of gibberish when
looking at a cert with 'openssl x509 -text -noout -in server.pem'

ok beck jsing

2 years agoWhen sending ICMP packets for IPsec path MTU discovery, the first
bluhm [Wed, 24 Nov 2021 18:48:33 +0000 (18:48 +0000)]
When sending ICMP packets for IPsec path MTU discovery, the first
ICMP packet could be wrong.  The mtu was taken from the loopback
interface as the tdb mtu was copied to the route too late.  Without
crypto task, ipsp_process_packet() returns the EMSGSIZE error
earlier.  Immediately update tdb and route mtu.
IPv4 part from markus@; OK tobhe@

2 years agopreliminary work: have the compiled_stemlist be case independent.
espie [Wed, 24 Nov 2021 16:51:08 +0000 (16:51 +0000)]
preliminary work: have the compiled_stemlist be case independent.
This has not useful repercussions so far, as the actual package name
comparison is done with case dependent regexps, but this will allow
searching for "user specs" as case independent in the future,
allowing stuff like
pkg_add graphicsmagick
to work.

2 years agoMove some functions from rrdp.c to rrdp_util.c and hex_decode to encoding.c.
claudio [Wed, 24 Nov 2021 15:24:16 +0000 (15:24 +0000)]
Move some functions from rrdp.c to rrdp_util.c and hex_decode to encoding.c.
This will make it easier to write a RRDP regress test.
OK job@ deraadt@

2 years agosync
deraadt [Wed, 24 Nov 2021 15:20:23 +0000 (15:20 +0000)]
sync

2 years agoinstall /usr/bin/llvm-ar as /usr/bin/ar directly without adding another
robert [Wed, 24 Nov 2021 15:15:19 +0000 (15:15 +0000)]
install /usr/bin/llvm-ar as /usr/bin/ar directly without adding another
binary to /usr/bin and do the same with the manpage as well and make sure
that we only build llvm-ar on architectures where it is actually enabled

discussed with deraadt@

2 years agoadd the missing const qualifiers below EXAMPLES;
schwarze [Wed, 24 Nov 2021 13:30:56 +0000 (13:30 +0000)]
add the missing const qualifiers below EXAMPLES;
from <Malgorzata dot Olszowka at stunnel dot org>
via OpenSSL commit 256989ce in the OpenSSL 1.1.1 branch,
which is still under a free license

2 years agodocument ASN1_item_ndef_i2d(3)
schwarze [Wed, 24 Nov 2021 13:18:08 +0000 (13:18 +0000)]
document ASN1_item_ndef_i2d(3)

2 years agoFix type of count.
visa [Wed, 24 Nov 2021 13:17:37 +0000 (13:17 +0000)]
Fix type of count.

2 years agoSimplify arithmetics on the main path.
visa [Wed, 24 Nov 2021 13:16:00 +0000 (13:16 +0000)]
Simplify arithmetics on the main path.

2 years agoDisable poll_close test for now as it expects kqueue backend.
visa [Wed, 24 Nov 2021 12:58:01 +0000 (12:58 +0000)]
Disable poll_close test for now as it expects kqueue backend.

2 years agoRemove unneeded <sys/stdarg.h>.
visa [Wed, 24 Nov 2021 12:40:40 +0000 (12:40 +0000)]
Remove unneeded <sys/stdarg.h>.

OK guenther@

2 years agoRefactor postsig_done(). Pass the catchmask and signal reset flag to the
claudio [Wed, 24 Nov 2021 10:40:15 +0000 (10:40 +0000)]
Refactor postsig_done(). Pass the catchmask and signal reset flag to the
function. This will make unlocking cursig() & postsig() a bit easier.
OK mpi@

2 years agoMinor code cleanup. Move a comment to the right place, move a function
claudio [Wed, 24 Nov 2021 10:28:55 +0000 (10:28 +0000)]
Minor code cleanup. Move a comment to the right place, move a function
to get a better order of functions. Also reduce the size of sigprop
to NSIG from NSIG+1. NSIG is defined as 33 and so includes the extra
element for this array.
OK mpi@

2 years agoAdd a few dt(4) TRACEPOINTS to SMR. Should help to better understand what
claudio [Wed, 24 Nov 2021 09:47:49 +0000 (09:47 +0000)]
Add a few dt(4) TRACEPOINTS to SMR. Should help to better understand what
goes on in SMR.
OK mpi@

2 years agoIn some situations, the verifier would discard the error on an unvalidated
beck [Wed, 24 Nov 2021 05:38:12 +0000 (05:38 +0000)]
In some situations, the verifier would discard the error on an unvalidated
certificte chain. This would happen when the verification callback was
in use, instructing the verifier to continue unconditionally. This could
lead to incorrect decisions being made in software.

2 years agolibkeynote: stop reaching into EVP_PKEY internals.
tb [Wed, 24 Nov 2021 04:32:52 +0000 (04:32 +0000)]
libkeynote: stop reaching into EVP_PKEY internals.

Use EVP_PKEY_get0_RSA() instead of pPublicKey->pkey.rsa.

Fix a couple of leaks in the vicinity: we need a reference on the RSA,
which is what keynote_free_key() frees, not on the EVP_PKEY. Also, don't
leak the entire certificate on success.

ok beck

2 years agoMake the certificate transparency code build with the rest of the library
beck [Wed, 24 Nov 2021 01:12:43 +0000 (01:12 +0000)]
Make the certificate transparency code build with the rest of the library
Do not expose it yet, this will wait for an upcoming bump

ok tb@

2 years agoUse system uptime not UTC time to calculate PPPoE session duration
kn [Tue, 23 Nov 2021 19:13:45 +0000 (19:13 +0000)]
Use system uptime not UTC time to calculate PPPoE session duration

Systems without RTC are likely to boot with wrong time, but pppoe(4) used
microtime(9) anyway to remember when a new session began.

(In)adequately, ifconfig(8) used gettimeofday(2) and calculated the
difference between two absoloute dates to infer the PPPoE session duration.

This goes off the rails if the wall clock jumps in between, e.g. due to NTP
kicking in.

Use getmicrouptime(9) and clock_gettime(2)/CLOCK_BOOTTIME instead to rely
on the monotonically increasing system uptime instead to fix this.

Reported and tested by Peter J. Philipp <pjp AT delphinusdns DOT org> on
some octeon box without RTC.
I've seen this on a Edgerouter 4 as well (2m uptime, 19d session).

OK claudio

2 years agoTransform a mangled comment into something intelligible.
tb [Tue, 23 Nov 2021 18:26:23 +0000 (18:26 +0000)]
Transform a mangled comment into something intelligible.

from beck

2 years agodocument ASN1_TYPE_set_int_octetstring(3) and ASN1_TYPE_get_int_octetstring(3)
schwarze [Tue, 23 Nov 2021 17:53:59 +0000 (17:53 +0000)]
document ASN1_TYPE_set_int_octetstring(3) and ASN1_TYPE_get_int_octetstring(3)

2 years agoUse LIBRESSL_NEXT_API to document the commented-out functions that are
tb [Tue, 23 Nov 2021 17:06:05 +0000 (17:06 +0000)]
Use LIBRESSL_NEXT_API to document the commented-out functions that are
not yet available.

ok schwarze

2 years agodocument ASN1_TYPE_set_octetstring(3) and ASN1_TYPE_get_octetstring(3)
schwarze [Tue, 23 Nov 2021 14:58:08 +0000 (14:58 +0000)]
document ASN1_TYPE_set_octetstring(3) and ASN1_TYPE_get_octetstring(3)

2 years agoAdd logging for rekey failures.
tobhe [Tue, 23 Nov 2021 13:52:51 +0000 (13:52 +0000)]
Add logging for rekey failures.

ok patrick@

2 years agodocument a2i_ASN1_INTEGER(3),
schwarze [Tue, 23 Nov 2021 13:52:27 +0000 (13:52 +0000)]
document a2i_ASN1_INTEGER(3),
i2a_ASN1_ENUMERATED(3), and a2i_ASN1_ENUMERATED(3)

2 years agore-align these copies of the a2i_*(3) code with f_string.c rev. 1.19
schwarze [Tue, 23 Nov 2021 11:10:51 +0000 (11:10 +0000)]
re-align these copies of the a2i_*(3) code with f_string.c rev. 1.19
to fix the same double-counting of the backslash
and to make the parsing stricter in the same way;
OK tb@

2 years agoadd llvm-ar(1) to the build with its two dependencies libLLVMDlltoolDriver
robert [Tue, 23 Nov 2021 10:30:08 +0000 (10:30 +0000)]
add llvm-ar(1) to the build with its two dependencies libLLVMDlltoolDriver
and libLLVMLibDriver;

switch LLD_ARCHs to llvm-ar(1) by skipping the installation of binutils' ar(1)
and linking llvm-ar(1) to ar(1)

tested on amd64, i386, arm64 and mips64

ok patrick@, kettenis@

2 years agoIn DH_set0_pqg() also set dh->length if q is set to match what OpenSSL do.
tb [Tue, 23 Nov 2021 09:53:45 +0000 (09:53 +0000)]
In DH_set0_pqg() also set dh->length if q is set to match what OpenSSL do.

ok inoguchi jsing

2 years agotemporarily disable test unless this is fixed
espie [Tue, 23 Nov 2021 08:27:37 +0000 (08:27 +0000)]
temporarily disable test unless this is fixed

2 years agonameserver->name server, as the rest of the file does;
jmc [Tue, 23 Nov 2021 06:58:36 +0000 (06:58 +0000)]
nameserver->name server, as the rest of the file does;

2 years agosync
deraadt [Tue, 23 Nov 2021 04:11:06 +0000 (04:11 +0000)]
sync