schwarze [Wed, 14 Feb 2018 17:20:29 +0000 (17:20 +0000)]
In ssl.h rev. 1.135 2018/02/14 16:16:10, jsing@ provided
SSL_CTX_get0_param(3) and SSL_get0_param(3).
Merge the related documentation from OpenSSL, with small tweaks.
jsing [Wed, 14 Feb 2018 17:17:43 +0000 (17:17 +0000)]
Sync.
jsing [Wed, 14 Feb 2018 17:16:21 +0000 (17:16 +0000)]
Bump lib{crypto,ssl,tls} minors due to symbol additions.
jsing [Wed, 14 Feb 2018 17:08:44 +0000 (17:08 +0000)]
Provide SSL_CTX_up_ref().
jsing [Wed, 14 Feb 2018 17:06:34 +0000 (17:06 +0000)]
Provide X509_STORE_CTX_get0_{cert,untrusted}() and
X509_STORE_CTX_set0_{trusted_stack,untrusted}().
jsing [Wed, 14 Feb 2018 16:57:25 +0000 (16:57 +0000)]
Provide X509_get{0,m}_not{Before,After}().
jsing [Wed, 14 Feb 2018 16:46:04 +0000 (16:46 +0000)]
Provide ASN1_STRING_get0_data().
jsing [Wed, 14 Feb 2018 16:40:42 +0000 (16:40 +0000)]
Provide EVP_PKEY_up_ref().
jsing [Wed, 14 Feb 2018 16:32:06 +0000 (16:32 +0000)]
Start providing parts of the OpenSSL 1.1 API.
This will ease the burden on ports and others trying to make software
work with LibreSSL, while avoiding #ifdef mazes. Note that we are not
removing 1.0.1 API or making things opaque, hence software written to
use the older APIs will continue to work, as will software written to
use the 1.1 API (as more functionality become available).
Discussed at length with deraadt@ and others.
jsing [Wed, 14 Feb 2018 16:27:24 +0000 (16:27 +0000)]
Ensure that D mod (P-1) and D mod (Q-1) are calculated in constant time.
This avoids a potential side channel timing leak.
ok djm@ markus@
jsing [Wed, 14 Feb 2018 16:18:10 +0000 (16:18 +0000)]
Provide X509_get_signature_nid().
jsing [Wed, 14 Feb 2018 16:16:10 +0000 (16:16 +0000)]
Provide SSL_CTX_get0_param() and SSL_get0_param().
Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.
jsing [Wed, 14 Feb 2018 16:03:32 +0000 (16:03 +0000)]
Some obvious freezero() conversions.
This also zeros an ed25519_pk when it was not being zeroed previously.
ok djm@ dtucker@
jsing [Wed, 14 Feb 2018 15:59:50 +0000 (15:59 +0000)]
Update keypair regress to match revised keypair hash handling.
Apparently I failed to commit this when I committed the libtls change...
rob [Wed, 14 Feb 2018 12:43:07 +0000 (12:43 +0000)]
whitespace
tb [Wed, 14 Feb 2018 11:43:05 +0000 (11:43 +0000)]
Localize _f in do_upgrade().
ok rpe
mpi [Wed, 14 Feb 2018 08:55:35 +0000 (08:55 +0000)]
kern_mutex.c is gone.
mpi [Wed, 14 Feb 2018 08:55:12 +0000 (08:55 +0000)]
Put WITNESS only functions with the rest of the locking primitives.
mpi [Wed, 14 Feb 2018 08:42:22 +0000 (08:42 +0000)]
Make sure lo5 is tied to rdomain 5.
schwarze [Wed, 14 Feb 2018 02:15:46 +0000 (02:15 +0000)]
New manual page EVP_PKEY_asn1_new(3) from Richard Levitte
via OpenSSL commit
751148e2 Oct 27 00:11:11 2017 +0200,
including only the parts related to functions that exist
in OpenBSD.
The design of these interfaces is not particularly pretty,
they are not particularly easy to document, and the manual
page does not look particularly good when formatted,
but what can we do, things are as they are...
schwarze [Wed, 14 Feb 2018 02:05:55 +0000 (02:05 +0000)]
I recently documented X509_VERIFY_PARAM_lookup(3), so change .Fn to .Xr.
schwarze [Wed, 14 Feb 2018 00:19:03 +0000 (00:19 +0000)]
Mention two more block cipher modes that actually exist in our tree;
from Patrick dot Steuer at de dot ibm dot com
via OpenSSL commit
338ead0f Oct 9 12:16:34 2017 +0200.
Correct the EVP_EncryptUpdate(3) and EVP_DecryptUpdate(3) prototypes;
from FdaSilvaYY at gmail dot com
via OpenSSL commit
7bbb0050 Nov 22 22:00:29 2017 +0100.
Document the additional public function EVP_CIPHER_CTX_rand_key(3);
from Patrick dot Steuer at de dot ibm dot com
via OpenSSL commit
5c5eb286 Dec 5 00:36:43 2017 +0100.
schwarze [Tue, 13 Feb 2018 22:51:23 +0000 (22:51 +0000)]
Add the missing RETURN VALUES section.
Mostly from Paul Yang via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800,
tweaked by me for conciseness and accuracy.
schwarze [Tue, 13 Feb 2018 20:54:10 +0000 (20:54 +0000)]
Add the missing RETURN VALUES section, mostly from Paul Yang
via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800,
but fixing two bugs in his description.
This commit also includes a few minor improvements to the description
of DES_fcrypt(3), also from OpenSSL, tweaked by me.
cheloha [Tue, 13 Feb 2018 17:35:32 +0000 (17:35 +0000)]
Normalize handle limit timeval in microsecond (usec) case.
Makes stuff like
limit
1500000 usec
work correctly.
ok millert@ tb@
cheloha [Tue, 13 Feb 2018 17:28:11 +0000 (17:28 +0000)]
atoll -> strtonum
ok millert@ tb@
espie [Tue, 13 Feb 2018 15:04:54 +0000 (15:04 +0000)]
give up a bit on the infamous cups update issue.
sort dependencies so that at least this is 100% reproducible...
djm [Tue, 13 Feb 2018 03:36:56 +0000 (03:36 +0000)]
remove space before tab
schwarze [Tue, 13 Feb 2018 02:39:29 +0000 (02:39 +0000)]
Correctly describe BN_get_word(3) and BN_set_word(3).
These functions constitute an obvious portability nightmare,
but that's no excuse for incorrect documentation.
Pointed out by Nicolas Schodet
via OpenSSL commit
b713c4ff Jan 22 14:41:09 2018 -0500.
schwarze [Tue, 13 Feb 2018 01:59:16 +0000 (01:59 +0000)]
Mention that BN_new(3) sets the value to zero;
from Hubert Kario <hkario at redhat dot com>
via OpenSSL commit
681acb31 Sep 29 13:10:34 2017 +0200.
schwarze [Tue, 13 Feb 2018 01:34:34 +0000 (01:34 +0000)]
Delete duplicate .Nm entry in the NAME section,
from Rich Salz via OpenSSL commit
8162f6f5 Jun 9 17:02:59 2016 -0400.
Merging the RETURN VALUES section really wouldn't make much sense
here, it contains no additional information and i don't see any way
to reorganize the content and make it better.
schwarze [Tue, 13 Feb 2018 01:15:24 +0000 (01:15 +0000)]
Add the missing RETURN VALUES section.
Triggered by OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800
by Paul Yang, but reworded for intelligibility and precision.
While here, also expand the description of the "ret" argument of
BIO_callback_fn(). That's a fairly complicated and alarmingly
powerful concept, but the description was so brief that is was
barely comprehensible.
espie [Mon, 12 Feb 2018 20:25:18 +0000 (20:25 +0000)]
some mode of session resumptions are not currently supported by ftp(1)
be fair to those servers, display a more accurate message of what we know
schwarze [Mon, 12 Feb 2018 16:57:32 +0000 (16:57 +0000)]
Add the missing RETURN VALUES section;
from Paul Yang via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800
with tweaks by me.
schwarze [Mon, 12 Feb 2018 16:33:07 +0000 (16:33 +0000)]
Add the missing RETURN VALUES section;
from Paul Yang via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800.
schwarze [Mon, 12 Feb 2018 16:04:50 +0000 (16:04 +0000)]
Add missing RETURN VALUES section.
From Paul Yang via OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800
with one tweak.
mpi [Mon, 12 Feb 2018 15:53:05 +0000 (15:53 +0000)]
Use IP6_SOIIKEY_LEN instead of hardcoded value.
from semarie@, ok benno@
mpi [Mon, 12 Feb 2018 15:48:58 +0000 (15:48 +0000)]
Always destroy all interfaces before starting a new test.
This should make tests following a failing test pass.
schwarze [Mon, 12 Feb 2018 15:45:12 +0000 (15:45 +0000)]
Add the missing RETURN VALUES section and reorder the content
accordingly. Make some statements more precise, and point out
some dangerous traps in these ill-designed interfaces.
Also do some minor polishing while here.
Triggered by OpenSSL commit
1f13ad31 Dec 25 17:50:39 2017 +0800
by Paul Yang, but not using most of his wording because that is in
part redundant, in part incomplete, and in part outright wrong.
mpi [Mon, 12 Feb 2018 15:36:40 +0000 (15:36 +0000)]
Pass '-inet6' to the default loopback before each test.
In order to have reproducible tests route entries must not stay. Otherwise
the 'Use' counter keeps growing.
mpi [Mon, 12 Feb 2018 15:29:28 +0000 (15:29 +0000)]
Now that the default loopback interface is brough UP when rdomain 5
is created, it gets default IPv6 addresses. So reflect that change
in netinet6 outputs.
mpi [Mon, 12 Feb 2018 15:22:52 +0000 (15:22 +0000)]
Revert previous, the changed has been backed out and I wasn't running
the last snaphot.
mpi [Mon, 12 Feb 2018 14:25:17 +0000 (14:25 +0000)]
Fix most outputs now that lo5 is getting 127.0.0.1 automagically.
dlg [Mon, 12 Feb 2018 03:30:24 +0000 (03:30 +0000)]
restore the previous semantics wrt if up, tunnel, and address config.
this is a port of the change made to if_etherip.c r1.35 to allow
addresses to be configured before the tunnel is configured.
dlg [Mon, 12 Feb 2018 03:15:32 +0000 (03:15 +0000)]
restore the previous semantics wrt if up, tunnel, and address config.
this is a port of the change made to if_etherip.c r1.35 to allow
addresses to be configured before the tunnel is configured.
this rollback is particularly annoying on gre with keepalives.
keepalives rely on the interface rdomain and tunnel rdomain to be
the same, which the rolled back semantics checked. now it is possible
to create an invalid configuration and not get any feedback about
it.
dlg [Mon, 12 Feb 2018 02:55:40 +0000 (02:55 +0000)]
restore the previous semantics wrt if up, tunnel, and address config.
this is a port of the change made to if_etherip.c r1.35 to allow
addresses to be configured before the tunnel is configured.
dlg [Mon, 12 Feb 2018 02:33:50 +0000 (02:33 +0000)]
use a mobileip_tunnel struct to represent the interfaces tunnel info.
this avoids allocating a mobileip_softc on the stack to build a key
for looking up interfaces with on packet input. struct ifnet inside
mobileip_softc is "quite large", and may blow the 2k limit one day.
dlg [Mon, 12 Feb 2018 01:43:42 +0000 (01:43 +0000)]
restore the previous semantics wrt if up, tunnel, and address config.
our network drivers have a feature where if you configure an address
on the interface, it implicitly brings the interface up. i changed
etherip so you could only change the tunnel configuration while it
down, but maintained the implicit up behaviour. bringing the tunnel
up also relied on having valid configuration, ie, tunnel addreses
must be configured otherwise up will fail.
this means people who have address config in their hostname.etherip
files before config for the tunnel addresses will have problems.
firstly, the address wont be configured because falling through to
the interface up fails because the tunnel isnt configured correctly,
and that error makes the address config roll back. secondly, config
that relies on configuring the address to bring the interface up
will fail because there's no explicit up after the tunnel config.
this diff rolls the tunnel config back to keeping the interface on
a list, and allowing config at any time. the caveat to this is that
it makes mpsafety hard because inconsistent intermediate states are
visible when packets are being processed.
schwarze [Mon, 12 Feb 2018 01:10:46 +0000 (01:10 +0000)]
Simplify documentation of split-screen mode, avoiding abuse of []
to sometimes mean "character set", which conflicts with the normal
meaning of "optional element" in manual pages. While here, add a
few related clarifications and tweak a few details.
Triggered by a minor bug report from <trondd at kagu-tsuchi dot com>,
and by bentley@ subsequently pointing out the abuse of [].
Patch using input from jmc@, who also agreed with some previous versions.
mlarkin [Mon, 12 Feb 2018 00:59:28 +0000 (00:59 +0000)]
Typo in a comment (CR$_VMXE instead of CR4_VMXE). No functional change.
dlg [Mon, 12 Feb 2018 00:09:39 +0000 (00:09 +0000)]
; ends c statements, not ;;
dlg [Mon, 12 Feb 2018 00:07:53 +0000 (00:07 +0000)]
dont handle SIOCSIFRDOMAIN twice, egre isn't supposed to filter it.
krw [Sun, 11 Feb 2018 22:00:19 +0000 (22:00 +0000)]
Ooops. After getting a NAK in response to a renewal REQUEST, we delete
the interface's address and thus the cached configuration data becomes
invalid and must be discarded.
Issue found & fix tested by Christer Solskogen. Thanks!
matthieu [Sun, 11 Feb 2018 21:53:57 +0000 (21:53 +0000)]
Revert rev 1.163. Causes network issues in Firefox.
ok mpi@ who will investigate.
dtucker [Sun, 11 Feb 2018 21:16:56 +0000 (21:16 +0000)]
Don't reset signal handlers inside handlers.
The signal handlers from the original ssh1 code on which OpenSSH
is based assume unreliable signals and reinstall their handlers.
Since OpenBSD (and pretty much every current system) has reliable
signals this is not needed. In the unlikely even that -portable
is still being used on such systems we will deal with it in the
compat layer. ok deraadt@
patrick [Sun, 11 Feb 2018 21:10:03 +0000 (21:10 +0000)]
Use the new APIs for setting block lengths and reading from/writing to
memory regions.
patrick [Sun, 11 Feb 2018 21:07:08 +0000 (21:07 +0000)]
Move .openbsd.randomdata into .rodata. This makes things more
consistent across architectures.
Requested by deraadt@
ok kettenis@
patrick [Sun, 11 Feb 2018 21:04:13 +0000 (21:04 +0000)]
Rework the DDB trace handling for armv7. By switching to clang the
stack frame format has changed. Apparently AAPCS doesn't specify
at all what a stack frame looks like. We end up with much simpler
code, but also with a lot less information in the trace.
ok kettenis@
schwarze [Sun, 11 Feb 2018 20:59:30 +0000 (20:59 +0000)]
Document three more functions recently made public by jsing@
as requested by jsing@, and also document six more related functions
that have already been public before that.
OpenSSL fails to document any of these.
patrick [Sun, 11 Feb 2018 20:58:40 +0000 (20:58 +0000)]
Add sdmmc_io_set_blocklen() which allows to set the block length of an
SDIO function. This is necessary for some SDIO cards that need to be
talked with using smaller block lengths than the maximum supported by
the host controller.
ok kettenis@
patrick [Sun, 11 Feb 2018 20:57:57 +0000 (20:57 +0000)]
Add sdmmc_io_read_region_1() and sdmmc_io_write_region_1() as an
interface for "reading memory" akin to the bus_space(9) API. The
already existing multi interface is used for "reading FIFOs". The
technical difference is that one always reads from the same address
(FIFO) while the other increments the address while reading (memory).
ok kettenis@
jmc [Sun, 11 Feb 2018 20:03:10 +0000 (20:03 +0000)]
typo in output string; from edgar pettijohn
otto [Sun, 11 Feb 2018 18:45:51 +0000 (18:45 +0000)]
fix madvise(2) flags matching; ok deraadt@ tom@
martijn [Sun, 11 Feb 2018 09:47:33 +0000 (09:47 +0000)]
Make sorting in the pcache view work. This allows us to sort on all
shown columns. There's still parts that could do with a good polishing,
but it's an improvement.
OK tedu@
mpi [Sun, 11 Feb 2018 09:30:12 +0000 (09:30 +0000)]
Move landisk to MI mutex.
ok dlg@
jmc [Sun, 11 Feb 2018 07:30:59 +0000 (07:30 +0000)]
macro fix;
patrick [Sun, 11 Feb 2018 05:33:12 +0000 (05:33 +0000)]
Copy the scan results into a new buffer to re-align the data so that we
don't fault on strict alignment architectures.
patrick [Sun, 11 Feb 2018 05:13:07 +0000 (05:13 +0000)]
Since the BCDC header has a variable data offset, so the ethernet packet
alignment can be variable, it's better to move taking care of alignment
into the BCDC receive code.
deraadt [Sun, 11 Feb 2018 05:11:50 +0000 (05:11 +0000)]
oops, typo
patrick [Sun, 11 Feb 2018 05:07:36 +0000 (05:07 +0000)]
Update the packet header length as well as the mbuf length on
receive. Did that everywhere else but missed it here.
deraadt [Sun, 11 Feb 2018 04:50:25 +0000 (04:50 +0000)]
Document how MAP_STACK will be used. All stacks must be mmap'd with
this attribute. The kernel does so for main-process stacks at execve() time,
pthread stack functions do so for new stacks, and stacks provided to
sigaltstack() and other user-provided stacks will need to be allocated
in that way.
Not required yet, but paving the way.
Work done with stefan
deraadt [Sun, 11 Feb 2018 04:39:15 +0000 (04:39 +0000)]
light documentation for MAP_STACK
patrick [Sun, 11 Feb 2018 04:23:02 +0000 (04:23 +0000)]
SDIO support for bwfm(4) is good enough now that we can remove the
claim saying it is not supported. It's slowly getting on par with
the other busses but there's still more work to do.
Prompted by tb@
krw [Sun, 11 Feb 2018 04:16:58 +0000 (04:16 +0000)]
Make "invalid host name" messages log_debug() since the invalid host
name does not cause the lease to be rejected. It just causes the
containing option or field to be ignored.
deraadt [Sun, 11 Feb 2018 04:12:22 +0000 (04:12 +0000)]
Start mapping thread stacks with MAP_STACK. mmap() currently ignores
the flag, but some problem identification can begin.
deraadt [Sun, 11 Feb 2018 04:09:48 +0000 (04:09 +0000)]
Can mask MAP_STACK by name rather than number
deraadt [Sun, 11 Feb 2018 04:09:19 +0000 (04:09 +0000)]
Add MAP_STACK flag. Currently masked by mmap()
schwarze [Sun, 11 Feb 2018 03:33:21 +0000 (03:33 +0000)]
Merge documentation from OpenSSL for seven functions
that jsing@ recently exposed publicly in libcrypto.
Requested by jsing@.
benno [Sun, 11 Feb 2018 02:27:33 +0000 (02:27 +0000)]
Use the new route filter ROUTE_PRIOFILTER in ospfd. Usually we only
need to see routes with a higher priority (lower value) than ospfds
own routes.
ok claudio, ok henning previous version, feedback from sthen
benno [Sun, 11 Feb 2018 02:26:55 +0000 (02:26 +0000)]
Add a ROUTE_PRIOFILTER socket option for roueing sockets that
allows filtering on the priority of the route. All routes up to
the specified value will be passed.
ok claudio, ok henning previous version, feedback and manpage from
sthen.
henning [Sun, 11 Feb 2018 02:17:46 +0000 (02:17 +0000)]
if an interface is added to the bridge that doesn't exist, try to create it
triggered by djm's dhclient on vether on bridge setup
ok djm benno claudio
tb [Sun, 11 Feb 2018 01:23:40 +0000 (01:23 +0000)]
sysctl.h is no longer needed
ok tedu
dlg [Sun, 11 Feb 2018 00:27:10 +0000 (00:27 +0000)]
list M_IPV6_DF_OUT
dlg [Sun, 11 Feb 2018 00:24:13 +0000 (00:24 +0000)]
add an ipv6 "don't fragment" flag to mbufs for ip6_output to use.
if you need to send an ipv6 packet with ip6_send(), there's no DF
bit in an ipv6 packet and no way to pass the ip6 options to ip6_output
to tell it to not allow fragmentation. this adds an M_IPV6_DF_OUT
"checksum" flag so something creating ipv6 packets a long way from
ip6_output can easily tell it to not allow fragmentation.
grumbling and ok claudio@
krw [Sat, 10 Feb 2018 23:25:15 +0000 (23:25 +0000)]
Fix 'ignore ;' so that it really does reset the ignore list.
Mkae 'ignore', 'request' and 'require' cumulative so all
options don't have to be jammed into one line.
deraadt [Sat, 10 Feb 2018 22:59:02 +0000 (22:59 +0000)]
Shift top-of-stack down so that the random==0 case doesn't leave stack
pointer beyond the space.
ok stefan, tedu
kettenis [Sat, 10 Feb 2018 22:32:32 +0000 (22:32 +0000)]
Enable axppmic(4).
kettenis [Sat, 10 Feb 2018 22:32:01 +0000 (22:32 +0000)]
Add AXP803 support.
kettenis [Sat, 10 Feb 2018 22:31:34 +0000 (22:31 +0000)]
More Allwinner A64 clocks.
cheloha [Sat, 10 Feb 2018 19:49:50 +0000 (19:49 +0000)]
Cap wait/interval at 100 million seconds.
Keeps nanosleep(2) from choking.
While here, call the argument to the -w flag "wait" in the
error message to match up with documentation and usage().
ok tedu@ deraadt@ tb@
anton [Sat, 10 Feb 2018 17:51:37 +0000 (17:51 +0000)]
Pledge monitoring process; ok tedu@
mpi [Sat, 10 Feb 2018 12:59:24 +0000 (12:59 +0000)]
Merge license blocks now that they are identical.
mpi [Sat, 10 Feb 2018 12:53:22 +0000 (12:53 +0000)]
Artur Grabowski agreed to relicense his C mutex implementation under ISC.
This will prevent a copyright-o-rama in kern_lock.c
mpi [Sat, 10 Feb 2018 12:44:20 +0000 (12:44 +0000)]
Convert armv7 to MI mutex.
Tested by jsg@, ok patrick@
jmc [Sat, 10 Feb 2018 11:19:09 +0000 (11:19 +0000)]
less macro; ok benno
espie [Sat, 10 Feb 2018 10:35:09 +0000 (10:35 +0000)]
implement the use of new ftp -S session=... for https
- add a setup_session hook that creates an anonymous tempfile in the ::HTTPS
class
- parse tls connection resumed messages and tell on servers that do not
support this
- remove the CLOEXE flag on the fd just before running ftp, so that other
processes do not see it at all.
This makes https somewhat more bearable, though still slower than http... :(
thanks to jsing@ et al for the design of session
mpi [Sat, 10 Feb 2018 10:32:51 +0000 (10:32 +0000)]
Move cleanup job control bits to their own function.
Part of the larger 'proctreelk' diff from guenther@
No functional change, ok benno@, tedu@
mpi [Sat, 10 Feb 2018 10:25:44 +0000 (10:25 +0000)]
Revert previous & incorrect NULL dereference fix.
This unbreak backtrace across interrupt frames.
espie [Sat, 10 Feb 2018 10:08:05 +0000 (10:08 +0000)]
rewrite file around fh_file, temp file creation with signal protection,
to be used to get anon temp files for https
dlg [Sat, 10 Feb 2018 10:00:32 +0000 (10:00 +0000)]
print etherip on ipv6.