openbsd
3 years agoreadability fixes; from larry hynes
jmc [Sat, 13 Feb 2021 08:05:57 +0000 (08:05 +0000)]
readability fixes; from larry hynes

3 years agovarious readability fixes; from larry hynes
jmc [Sat, 13 Feb 2021 07:59:54 +0000 (07:59 +0000)]
various readability fixes; from larry hynes

3 years agoFix some wrong comments and KNF/long line wraps
mlarkin [Sat, 13 Feb 2021 07:56:26 +0000 (07:56 +0000)]
Fix some wrong comments and KNF/long line wraps

3 years agoFix a comment
mlarkin [Sat, 13 Feb 2021 07:55:38 +0000 (07:55 +0000)]
Fix a comment

3 years agoRemove trailing whitespace
mlarkin [Sat, 13 Feb 2021 07:47:37 +0000 (07:47 +0000)]
Remove trailing whitespace

No code/functional change

3 years agoRemove trailing whitespace
mlarkin [Sat, 13 Feb 2021 07:46:44 +0000 (07:46 +0000)]
Remove trailing whitespace

No code/functional change

3 years agovarious readability fixes; from larry hynes
jmc [Sat, 13 Feb 2021 07:37:13 +0000 (07:37 +0000)]
various readability fixes; from larry hynes

3 years agoadd some missing articles; from larry hynes
jmc [Sat, 13 Feb 2021 07:28:50 +0000 (07:28 +0000)]
add some missing articles; from larry hynes

3 years agoreadability fix; from larry hynes
jmc [Sat, 13 Feb 2021 07:26:18 +0000 (07:26 +0000)]
readability fix; from larry hynes

3 years agocomma swap; from larry hynes
jmc [Sat, 13 Feb 2021 07:20:49 +0000 (07:20 +0000)]
comma swap; from larry hynes

3 years agochange documented drm nodes to /dev/dri/ and mention powerpc64
jsg [Sat, 13 Feb 2021 02:29:39 +0000 (02:29 +0000)]
change documented drm nodes to /dev/dri/ and mention powerpc64

3 years agoFix local and peer addresses in policy lookup for dangling SAs
tobhe [Fri, 12 Feb 2021 19:30:34 +0000 (19:30 +0000)]
Fix local and peer addresses in policy lookup for dangling SAs
after ikectl reload.

ok patrick@

3 years agosync
deraadt [Fri, 12 Feb 2021 19:01:45 +0000 (19:01 +0000)]
sync

3 years agoSome people still argue that rand(3) and random(3) have suitable deterministic
deraadt [Fri, 12 Feb 2021 17:03:51 +0000 (17:03 +0000)]
Some people still argue that rand(3) and random(3) have suitable deterministic
use cases, so explain the situation a bit more.  Since the 80's, I estimate
around 5 algorithm changes, so any chosen seed is unrepeatable UB.

+The deterministic sequence algorithm changed a number of times since
+original development, is underspecified, and should not be relied upon to
+remain consistent between platforms and over time.

ok jmc kettenis

3 years agopf_remove_divert_state() is an entry point into pf, modifying the pf state
patrick [Fri, 12 Feb 2021 16:16:10 +0000 (16:16 +0000)]
pf_remove_divert_state() is an entry point into pf, modifying the pf state
table.  Hence we have to grab both the pf lock and the pf state lock.

Found by dlg@
ok bluhm@ sashan@

3 years agoXr to ssl(8) which has clues about EC key generation that are still useful
sthen [Fri, 12 Feb 2021 14:20:15 +0000 (14:20 +0000)]
Xr to ssl(8) which has clues about EC key generation that are still useful
to acme-client users.

3 years agoTweak ssl(8)'s text about EC generation. Streamline by using "ecparam
sthen [Fri, 12 Feb 2021 14:19:11 +0000 (14:19 +0000)]
Tweak ssl(8)'s text about EC generation. Streamline by using "ecparam
-genkey" rather than separately generating parameters and key. Give a
clue that some CAs accept only prime256v1. Show the user where to stop
if they're just generating a private key for acme-client and therefore
don't need to generate a csr or cert manually. Add xr to acme-client(1)
suggest by tb@.

ok jmc tb

3 years agoFix null pointer dereference in pf_route6(). Embedding scope into
bluhm [Fri, 12 Feb 2021 13:48:31 +0000 (13:48 +0000)]
Fix null pointer dereference in pf_route6().  Embedding scope into
addresses that come from pf cannot be right, so remove the code.
Coverity CID 1501718
OK dlg@ claudio@

3 years agoSync cert.pem with Mozilla NSS root CAs, except "GeoTrust Global CA", ok tb@
sthen [Fri, 12 Feb 2021 12:16:53 +0000 (12:16 +0000)]
Sync cert.pem with Mozilla NSS root CAs, except "GeoTrust Global CA", ok tb@

Notably this update removes various old Symantec roots (GeoTrust,
thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021.
Nobody should have been using these for years; only certain subCAs
signed by these were valid in NSS in that time due to an exemption:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
Notably Apple's "Apple IST CA 2 - G1" which is still in use for
some endpoints (it is cross signed by another CA too but these
endpoints are publishing the GeoTrust intermediate cert).

So for now I have skipped removal of "GeoTrust Global CA" to avoid
affecting these sites. Debian ran into this when they updated their
cert database and had to back this part out, affected sites are
not reachable on Android Firefox and maybe other newer Firefoxes.
Some sites that were affected have moved to a different CA in the
last few days but others, notably api.push.apple.com, remain
(I can only guess that there is a complicated problem involved,
possibly cert pinning on old devices - the clock is ticking though
as this expires in May 2022 anyway ;)

Additions:

/C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2
/C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017
/C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority

Removals:

/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=TW/O=Government Root Certification Authority
/C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2
/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA

3 years agoA few more flag combo's to test
otto [Fri, 12 Feb 2021 12:03:39 +0000 (12:03 +0000)]
A few more flag combo's to test

3 years agosync
jsg [Fri, 12 Feb 2021 10:28:55 +0000 (10:28 +0000)]
sync

3 years agocreate /dev/ drm nodes with the same names as linux
jsg [Fri, 12 Feb 2021 10:26:33 +0000 (10:26 +0000)]
create /dev/ drm nodes with the same names as linux

This was proposed by Emil Velikov to simplify libdrm and will remove the
need for some patches in ports.

/dev/drm0 -> /dev/dri/card0
/dev/drmR128 -> /dev/dri/renderD128

The previous names will remain for a period of time and will later be
removed.  Major and minor numbers remain the same.

libdrm will not be changed to use the new names until known privsep
and sandbox use has been updated to allow the new names.

ok deraadt@

3 years agodo not need 66 keys anymore
deraadt [Fri, 12 Feb 2021 08:17:33 +0000 (08:17 +0000)]
do not need 66 keys anymore

3 years agoDo not care about the server socket closing if exiting anyway.
nicm [Fri, 12 Feb 2021 06:52:48 +0000 (06:52 +0000)]
Do not care about the server socket closing if exiting anyway.

3 years agosftp: add missing lsetstat@openssh.com documentation
djm [Fri, 12 Feb 2021 03:49:09 +0000 (03:49 +0000)]
sftp: add missing lsetstat@openssh.com documentation
patch from Mike Frysinger

3 years agofactor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own function
djm [Fri, 12 Feb 2021 03:14:18 +0000 (03:14 +0000)]
factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own function
and remove an unused variable; ok dtucker@

3 years agoCall exuart(4) early attach on arm64.
patrick [Thu, 11 Feb 2021 23:55:48 +0000 (23:55 +0000)]
Call exuart(4) early attach on arm64.

ok kettenis@

3 years agoEnable exuart(4).
patrick [Thu, 11 Feb 2021 23:54:40 +0000 (23:54 +0000)]
Enable exuart(4).

ok kettenis@

3 years agoDon't hardcode com(4)'s major number in exuart(4).
patrick [Thu, 11 Feb 2021 23:53:42 +0000 (23:53 +0000)]
Don't hardcode com(4)'s major number in exuart(4).

ok kettenis@

3 years agoExplicitly unset IKED_REQ_CERTVALID before sending cert to ca process.
tobhe [Thu, 11 Feb 2021 22:02:41 +0000 (22:02 +0000)]
Explicitly unset IKED_REQ_CERTVALID before sending cert to ca process.

ok markus@

3 years agoMore route-to fallout in pfctl regress.
bluhm [Thu, 11 Feb 2021 21:09:56 +0000 (21:09 +0000)]
More route-to fallout in pfctl regress.

3 years agosbdrop(): use NULL instead of 0 in pointer assignment
mvs [Thu, 11 Feb 2021 20:28:57 +0000 (20:28 +0000)]
sbdrop(): use NULL instead of 0 in pointer assignment

ok bluhm@

3 years agoWe link `ifp' to `if_list' before we perform if_attachsetup(). It is not
mvs [Thu, 11 Feb 2021 20:28:01 +0000 (20:28 +0000)]
We link `ifp' to `if_list' before we perform if_attachsetup(). It is not
fully initialized because we initialize `if_groups' after linking. It's
not triggered because if_attach() and if_unit(9) are serialized by
kernel lock and `ifp' is often filled by nulls. Move `if_groups'
initialization to if_attach_common() to prevent this.

ok bluhm@ claudio@ deraadt@

3 years agoLink isakmpd dynamically. Mount /usr on NFS via IPsec does not
bluhm [Thu, 11 Feb 2021 19:41:05 +0000 (19:41 +0000)]
Link isakmpd dynamically.  Mount /usr on NFS via IPsec does not
work anyway.  Dynamic binaries help building errata, reduce disk
usage and make ROP harder.  Also remove an unused bsd.subdir.mk
include.
OK sthen@ mvs@ deraadt@ tobhe@ patrick@

3 years agoWhen clang was changed to -fcommon, perl's P_hash_{seed,state} variables
deraadt [Thu, 11 Feb 2021 17:02:39 +0000 (17:02 +0000)]
When clang was changed to -fcommon, perl's P_hash_{seed,state} variables
moved into BSS in the .o, with padding rules following the types -- they
are both char[].  Since P_hash_seed is (system-dependent) not a multiple of 8,
P_hash_state gets layed out misaligned, which sucks because the hash functions
demand 64-bit alignment for both variables.  There is the possibility of using
misalignment macros, but this is not cheap.  Could also use kernel-trap fault
repair, but the performance would really suck for something so crucial.
The correct fix would be for upstream to declare these types as uint64[],
we have requested that in https://github.com/Perl/perl5/issues/18555
In the meantime, carry a diff to roundup P_hash_seed to 64-bit alignment so that
P_hash_state will land aligned.
ok afresh1

3 years agoAdd missing break in switch statement of rge_activate().
stsp [Thu, 11 Feb 2021 16:22:06 +0000 (16:22 +0000)]
Add missing break in switch statement of rge_activate().

CID 1501716

ok kevlo@
and mestre@ had the same diff

3 years agoLeave out gp initialization from kernel entry on mips64
visa [Thu, 11 Feb 2021 14:44:13 +0000 (14:44 +0000)]
Leave out gp initialization from kernel entry on mips64

On OpenBSD/mips64, the kernel is compiled with -mno-abicalls. This
disables gp-relative addressing and essentially makes gp a spare
register in the kernel. Hence it is unnecessary to initialize gp when
entering the kernel. The _gp symbol is not needed either.

Suggested by miod@

3 years ago"proc: table is full" actually means thread table is full; ok mpi@ sthen@
otto [Thu, 11 Feb 2021 13:40:28 +0000 (13:40 +0000)]
"proc: table is full" actually means thread table is full; ok mpi@ sthen@

3 years agoIn the various open functions reduce the fdplock() to only span over the
claudio [Thu, 11 Feb 2021 12:08:21 +0000 (12:08 +0000)]
In the various open functions reduce the fdplock() to only span over the
function which need the lock (falloc, fdinsert, fdremove). In most cases
it is not correct to hold the lock while calling VFS functions or e.g.
closef since those aquire or release long lived VFS locks.
OK visa@ mvs@

3 years agoInitialize var since it's used in a condition a little bit afterwards.
mestre [Thu, 11 Feb 2021 11:57:32 +0000 (11:57 +0000)]
Initialize var since it's used in a condition a little bit afterwards.

CID 1501713

ok jmatthew@

3 years agoInitialize the stack local device id variable correctly.
anton [Thu, 11 Feb 2021 11:03:57 +0000 (11:03 +0000)]
Initialize the stack local device id variable correctly.

CID 1501705

3 years agoSwap faddr/laddr and fport/lport arguments in call to stoeplitz_ipXport().
patrick [Thu, 11 Feb 2021 10:41:19 +0000 (10:41 +0000)]
Swap faddr/laddr and fport/lport arguments in call to stoeplitz_ipXport().
Technically the whole point of the stoeplitz API is that it's symmetric,
meaning that the order of addresses and ports doesn't matter and will produce
the same hash value.

Coverity CID 1501717
ok dlg@

3 years agoAdd a couple of helper functions, and flush imsgs on exit.
nicm [Thu, 11 Feb 2021 09:39:29 +0000 (09:39 +0000)]
Add a couple of helper functions, and flush imsgs on exit.

3 years agoO_TRUNC is needed in case file exists.
nicm [Thu, 11 Feb 2021 09:03:38 +0000 (09:03 +0000)]
O_TRUNC is needed in case file exists.

3 years agoMove file handling protocol stuff all into file.c so it can be reused
nicm [Thu, 11 Feb 2021 08:28:45 +0000 (08:28 +0000)]
Move file handling protocol stuff all into file.c so it can be reused
more easily.

3 years agoMake room for handling of HID++ 1.0 devices. No functional change.
anton [Thu, 11 Feb 2021 07:26:03 +0000 (07:26 +0000)]
Make room for handling of HID++ 1.0 devices. No functional change.

3 years agoUse idx suffix consistently.
anton [Thu, 11 Feb 2021 07:24:50 +0000 (07:24 +0000)]
Use idx suffix consistently.

3 years agoRemove unused software id macro.
anton [Thu, 11 Feb 2021 07:23:48 +0000 (07:23 +0000)]
Remove unused software id macro.

3 years agoFold long line.
anton [Thu, 11 Feb 2021 07:22:21 +0000 (07:22 +0000)]
Fold long line.

3 years agoStop uhidpp from claiming all report ids, instead only claim the
anton [Thu, 11 Feb 2021 06:56:49 +0000 (06:56 +0000)]
Stop uhidpp from claiming all report ids, instead only claim the
necessary ones. Solves a regression introduced with the arrival of
uhidpp causing some Logitech HID devices from attaching to its
appropriate driver.

Thanks to <naszy at poczta dot fm> and Peter Kane <pwkane at gmail dot com>
for reporting and trying out diffs.

ok mglocker@

3 years agoAdd uhidev_unset_report_dev(), doing the opposite of
anton [Thu, 11 Feb 2021 06:55:10 +0000 (06:55 +0000)]
Add uhidev_unset_report_dev(), doing the opposite of
uhidev_set_report_dev(). Needed by some upcoming changes to uhidpp.

ok mglocker@

3 years agoIf uhidev_set_report_dev() already have been invoked for the given
anton [Thu, 11 Feb 2021 06:53:44 +0000 (06:53 +0000)]
If uhidev_set_report_dev() already have been invoked for the given
report id, there's no point in trying to find a matching sub device.

ok mglocker@

3 years agoKNF
tb [Thu, 11 Feb 2021 04:56:43 +0000 (04:56 +0000)]
KNF

3 years agosync
deraadt [Thu, 11 Feb 2021 04:08:17 +0000 (04:08 +0000)]
sync

3 years agoDelay deletion of IKE SAs on rekey when stickyaddress is enabled to make
tobhe [Wed, 10 Feb 2021 22:25:54 +0000 (22:25 +0000)]
Delay deletion of IKE SAs on rekey when stickyaddress is enabled to make
sure peers can keep their previously assigned addresses.

ok patrick@

3 years agorephrase example in a more consistent way
espie [Wed, 10 Feb 2021 22:04:14 +0000 (22:04 +0000)]
rephrase example in a more consistent way

3 years agoAdd a instruction barrier between writing CCSELR_EL1 and reading CCSIDR_EL1
kettenis [Wed, 10 Feb 2021 20:51:27 +0000 (20:51 +0000)]
Add a instruction barrier between writing CCSELR_EL1 and reading CCSIDR_EL1
to guarantee that we read the cache parameters of the cache we just selected.
The required ISB instruction is present in the examples in the ARM ARM.
Fixes the the report on the cores in Apple's M1 SoC.

ok patrick@

3 years agoIf pf changes the routing table when sending packets, the kernel
bluhm [Wed, 10 Feb 2021 18:28:06 +0000 (18:28 +0000)]
If pf changes the routing table when sending packets, the kernel
could get stuck in an endless recursion during TCP path MTU discovery.
Create a dynamic host route in ip_output() that can be used by
tcp_mtudisc() to store the MTU.
Reported by Peter Mueller and Sebastian Sturm
OK claudio@

3 years agoAdd med test, this no longer fails in -current
claudio [Wed, 10 Feb 2021 16:37:29 +0000 (16:37 +0000)]
Add med test, this no longer fails in -current

3 years agoUse the same check in kernel and ifconfig for group names. ifconfig
bluhm [Wed, 10 Feb 2021 14:45:27 +0000 (14:45 +0000)]
Use the same check in kernel and ifconfig for group names.  ifconfig
delete group does not need name sanitation.  The kernel will just
report that it does not exist.
OK deraadt@ gnezdo@ anton@ mvs@ claudio@

3 years agoInterface group names must fit into IFNAMSIZ and be unique. But
bluhm [Wed, 10 Feb 2021 14:41:53 +0000 (14:41 +0000)]
Interface group names must fit into IFNAMSIZ and be unique.  But
the kernel made the unique check before trunkating with strlcpy().
So there could be two interface groups with the same name.  The kif
is created by a name lookup.  The trunkated names are equal, so
there was only one kif owned by both groups.  When the groups got
destroyed, the single kif was removed twice from the RB tree.
Check length of group name before doing the unique check.
The empty group name was allowed and is now invalid.
Reported-by: syzbot+f47e8296ebd559f9bbff@syzkaller.appspotmail.com
OK deraadt@ gnezdo@ anton@ mvs@ claudio@

3 years agoRemove `sc_dead' logic from pppac(4). It is used to prevent
mvs [Wed, 10 Feb 2021 13:38:46 +0000 (13:38 +0000)]
Remove `sc_dead' logic from pppac(4). It is used to prevent
pppac_ioctl() be called on dying pppac(4) interface. But now if_detach()
makes dying `ifp' inaccessible and waits for references which are in-use
in ioctl(2) path. This logic is not required anymore. Also if_detach()
was moved before klist_invalidate() to prevent the case while
pppac_qstart() bump `sc_rsel'.

ok yasuoka@

3 years agoas usual, stuff got removed without updating the documentation
espie [Wed, 10 Feb 2021 12:44:13 +0000 (12:44 +0000)]
as usual, stuff got removed without updating the documentation
GC www/drupal7 description

3 years agoMove UNIX domain sockets out of kernel lock. The new `unp_lock' rwlock(9)
mvs [Wed, 10 Feb 2021 08:20:09 +0000 (08:20 +0000)]
Move UNIX domain sockets out of kernel lock. The new `unp_lock' rwlock(9)
used as solock()'s backend to protect the whole layer.

With feedback from mpi@.

ok bluhm@ claudio@

3 years agoUse ~/.tmux.conf as an example rather than /etc/passwd, suggested by
nicm [Wed, 10 Feb 2021 07:17:07 +0000 (07:17 +0000)]
Use ~/.tmux.conf as an example rather than /etc/passwd, suggested by
deraadt@.

3 years agosome spacing/grammar fixes from dave voutila;
jmc [Wed, 10 Feb 2021 06:52:05 +0000 (06:52 +0000)]
some spacing/grammar fixes from dave voutila;

3 years agoonly amd64 & arm64 lldb work at the moment
deraadt [Wed, 10 Feb 2021 02:53:43 +0000 (02:53 +0000)]
only amd64 & arm64 lldb work at the moment

3 years agocast large to reduce warning on 32-bit machines (an ELF type is printed with %ll)
deraadt [Wed, 10 Feb 2021 00:34:57 +0000 (00:34 +0000)]
cast large to reduce warning on 32-bit machines (an ELF type is printed with %ll)

3 years agoMake sure that switching the console from serial to framebuffer works
kettenis [Tue, 9 Feb 2021 23:58:33 +0000 (23:58 +0000)]
Make sure that switching the console from serial to framebuffer works
for framebuffer nodes under / and /chosen.

ok patrick@

3 years agopfsync_state_import() must not be called with the pf state lock held,
patrick [Tue, 9 Feb 2021 23:37:54 +0000 (23:37 +0000)]
pfsync_state_import() must not be called with the pf state lock held,
since the actual modification of the state table is done by a call to
pf_state_insert(), which takes the pf state lock itself.  Other calls
to pfsync_state_import() also only have the pf lock.

Reported-by: syzbot+d6ea8620b43dc69ecbc6@syzkaller.appspotmail.com
ok bluhm@

3 years agosync
patrick [Tue, 9 Feb 2021 21:58:46 +0000 (21:58 +0000)]
sync

3 years agoBuild and install lldb.
patrick [Tue, 9 Feb 2021 21:57:25 +0000 (21:57 +0000)]
Build and install lldb.

Discussed with deraadt@

3 years agorc: ensure that vfs.mounts.nfs check works without NFS
naddy [Tue, 9 Feb 2021 21:42:04 +0000 (21:42 +0000)]
rc: ensure that vfs.mounts.nfs check works without NFS

If NFS isn't compiled into the kernel, sysctl -n vfs.mounts.nfs
will produce no numerical output.  Make sure that we always have
a valid arithmetic expression.

Reported by and ok patrick@

3 years agoAdd optional 'group none' transform for child SAs and fix handling of
tobhe [Tue, 9 Feb 2021 21:35:48 +0000 (21:35 +0000)]
Add optional 'group none' transform for child SAs and fix handling of
'group none'.   We currently send no transform of type DH by default,
which should be equivalent to explicitly sending a single DH transform
of type 'none'.  However, the proposal matching logic had a bug where
these two would not match, effectively breaking the ability to negotiate
optional PFS.  This commit fixes the bug but continues to send
no DH proposal by default to remain backwards compatible with older
versions.

ok patrick@

3 years agoFix lldb.
mortimer [Tue, 9 Feb 2021 21:35:45 +0000 (21:35 +0000)]
Fix lldb.

Map deliberately invalid signal to zero when passing to PT_STEP and P_CONTINUE.

Also clean up getting Environment so setting LLDB_DEBUGSERVER env vars works again.

ok patrick@

3 years agoThese regress tests expect coredumps to be written so run them with
claudio [Tue, 9 Feb 2021 17:00:30 +0000 (17:00 +0000)]
These regress tests expect coredumps to be written so run them with
ulimit -c unlimited. Also simplify the logic a bit as requested by bluhm@.
OK bluhm@ deraadt@

3 years agoThese regress test expect coredumps as an effect of the test so run
claudio [Tue, 9 Feb 2021 16:58:00 +0000 (16:58 +0000)]
These regress test expect coredumps as an effect of the test so run
the tests with ulimit -c unlimited to make sure coredumps are written.
OK bluhm@ deraadt@

3 years agoWalk over all results from getaddrinfo() instead of giving up after the
claudio [Tue, 9 Feb 2021 16:55:51 +0000 (16:55 +0000)]
Walk over all results from getaddrinfo() instead of giving up after the
first entry. This way ocspcheck will try all returned IPs to contact
the OCSP server. Found by the regress test and a resolv.conf file with
'family inet6 inet4'.
OK kn@ deraadt@

3 years agosync
deraadt [Tue, 9 Feb 2021 14:49:22 +0000 (14:49 +0000)]
sync

3 years agoddb: when a new wsdisplay console attaches, resize ddb cols/rows to it
jcs [Tue, 9 Feb 2021 14:37:13 +0000 (14:37 +0000)]
ddb: when a new wsdisplay console attaches, resize ddb cols/rows to it

ok visa

3 years agoDo not expand times and #() inside #().
nicm [Tue, 9 Feb 2021 14:25:40 +0000 (14:25 +0000)]
Do not expand times and #() inside #().

3 years agoActivate use of PF_LOCK() by removing the WITH_PF_LOCK ifdefs.
patrick [Tue, 9 Feb 2021 14:06:19 +0000 (14:06 +0000)]
Activate use of PF_LOCK() by removing the WITH_PF_LOCK ifdefs.

Silence from the network group
ok sashan@

3 years agosync
deraadt [Tue, 9 Feb 2021 07:12:20 +0000 (07:12 +0000)]
sync

3 years agoAdd a barrier between reading the cqe flags and the command ID, which
jmatthew [Tue, 9 Feb 2021 01:50:10 +0000 (01:50 +0000)]
Add a barrier between reading the cqe flags and the command ID, which
should ensure that we don't read a stale command ID and complete the
wrong scsi io.  powerpc64 base builds were crashing like this fairly
regularly.

ok deraadt@ dlg@

3 years ago7.0 firmware key
sthen [Mon, 8 Feb 2021 22:18:21 +0000 (22:18 +0000)]
7.0 firmware key

3 years ago7.0 packages key
naddy [Mon, 8 Feb 2021 22:09:57 +0000 (22:09 +0000)]
7.0 packages key

3 years agocorrect return type for compressBound();
jmc [Mon, 8 Feb 2021 20:32:07 +0000 (20:32 +0000)]
correct return type for compressBound();
from pedro martelletto

3 years agochange discipline name from "RAID1C" to "RAID 1C" to match the man pages
stsp [Mon, 8 Feb 2021 20:07:04 +0000 (20:07 +0000)]
change discipline name from "RAID1C" to "RAID 1C" to match the man pages

3 years agoadd RAID 1C to the list of supported softraid(4) disciplines
stsp [Mon, 8 Feb 2021 20:05:20 +0000 (20:05 +0000)]
add RAID 1C to the list of supported softraid(4) disciplines

3 years agoRemove maxburst feature from tcp_output
jan [Mon, 8 Feb 2021 19:37:15 +0000 (19:37 +0000)]
Remove maxburst feature from tcp_output

OK bluhm@, claudio@, deraadt@

3 years agosync
deraadt [Mon, 8 Feb 2021 19:09:05 +0000 (19:09 +0000)]
sync

3 years agoMake bioctl properly verify raidlevels specified via the -c option.
stsp [Mon, 8 Feb 2021 19:05:05 +0000 (19:05 +0000)]
Make bioctl properly verify raidlevels specified via the -c option.

Trailing characters in the option argument were ignored, such that
-cC1 (typo of -c1C) was interpreted as -cC instead of being rejected.

ok jsing@

3 years agoUpdate DTLS client hello due to ECC changes.
jsing [Mon, 8 Feb 2021 17:21:50 +0000 (17:21 +0000)]
Update DTLS client hello due to ECC changes.

3 years agoRemove bogus DTLS checks to disable ECC and OCSP.
jsing [Mon, 8 Feb 2021 17:20:47 +0000 (17:20 +0000)]
Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@

3 years agoEnforce read ahead with DTLS.
jsing [Mon, 8 Feb 2021 17:18:39 +0000 (17:18 +0000)]
Enforce read ahead with DTLS.

DTLS is largely broken/useless without read ahead being enabled, so enforce
it for DTLS. This behaviour matches both our documentation and OpenSSL.

ok tb@

3 years agoUse dtls1_retrieve_buffered_record() to load buffered application data.
jsing [Mon, 8 Feb 2021 17:17:02 +0000 (17:17 +0000)]
Use dtls1_retrieve_buffered_record() to load buffered application data.

Replace the current copy of dtls1_retrieve_buffered_record() with a call
to it instead.

ok tb@

3 years agoadd future 7.0 base key
deraadt [Mon, 8 Feb 2021 16:15:06 +0000 (16:15 +0000)]
add future 7.0 base key

3 years agoClean up kernel IPsec flows and security associations on shutdown.
tobhe [Mon, 8 Feb 2021 16:13:58 +0000 (16:13 +0000)]
Clean up kernel IPsec flows and security associations on shutdown.

Discussed with sthen@
ok patrick@

3 years agoAdd "pipe" variants of the "copy-pipe" commands which do not copy, from
nicm [Mon, 8 Feb 2021 14:46:53 +0000 (14:46 +0000)]
Add "pipe" variants of the "copy-pipe" commands which do not copy, from
Christian Zangl.

3 years agoStart refcounting interface groups with 1. if_creategroup() returns
bluhm [Mon, 8 Feb 2021 12:30:10 +0000 (12:30 +0000)]
Start refcounting interface groups with 1.  if_creategroup() returns
a new object that is already refcounted, so carp attach does not
reach into internal structures.  Add kasserts to detect counter
overflow or underflow.
OK mvs@