openbsd
tb [Mon, 30 Aug 2021 17:50:05 +0000 (17:50 +0000)]
Remove tests that are now covered by regress/lib/libssl/verify

tb [Mon, 30 Aug 2021 17:34:32 +0000 (17:34 +0000)]
hook verify regress test to build

tb [Mon, 30 Aug 2021 17:34:01 +0000 (17:34 +0000)]
Revert accidental commit

tb [Mon, 30 Aug 2021 17:28:46 +0000 (17:28 +0000)]
link verify regress tests to build

tb [Mon, 30 Aug 2021 17:27:45 +0000 (17:27 +0000)]
Reimplement part of the openssl/x509 regress tests in C

Instead of using s_client and s_server and complicated shell scripts,
we can reuse the framework from the ssl_get_shared_cipher() regress
test and inspect the verify return value directly.

Discussed with beck jan jsing

deraadt [Mon, 30 Aug 2021 17:07:47 +0000 (17:07 +0000)]
Document that %n has been neutered -- it now does syslog+abort.
ok ingo

mpi [Mon, 30 Aug 2021 16:59:17 +0000 (16:59 +0000)]
Fix a locking assertion in error path.

In amap_copy() make the new amap share the source amap's lock right in
the beginning and only allocate a new one if no anon have been referenced.

Issue reported by Thomas L. <tom.longshine at web dot de> on bugs@.

ok tb@

bluhm [Mon, 30 Aug 2021 16:58:52 +0000 (16:58 +0000)]
Improve debugging in /etc/netstart.  Enable print only in ifcreate.
Add debugging output for ipv6 routes.  Make localhost and multicast
code aware of the print only switch.  Allow netstart -n to work
also if no interface is given.
OK kn@

tb [Mon, 30 Aug 2021 16:50:23 +0000 (16:50 +0000)]
Ignore warning alert returns from servername callback in TLSv1.3

If a servername callback returns SSL_TLSEXT_ERR_ALERT_WARNING, this
results in a fatal error in TLSv1.3 since alert levels are implicit
in the alert type and neither close_notify nor user_canceled make
sense in this context. OpenSSL chose to ignore this, so we need to
follow suit.

Found via a broken servername callback in p5-IO-Socket-SSL which
returns a Boolean instead of SSL_TLSEXT_ERR_*. This happened to
have worked before TLSv1.3 since warning alerts are often ignored.

This "fixes" sni.t and sni-verify.t in p5-IO-Socket-SSL.

ok beck jsing

job [Mon, 30 Aug 2021 16:05:55 +0000 (16:05 +0000)]
Properly account entity_queue when the file has already been seen

Thanks to Ben Maddison for helping create a test case

OK claudio@

kn [Mon, 30 Aug 2021 15:46:07 +0000 (15:46 +0000)]
Clarify how dns proposals are replaced not added per interface

OK benno

jasper [Mon, 30 Aug 2021 14:44:39 +0000 (14:44 +0000)]
remove a bunch of forward-only structs that were found with ctfconv.

ok mpi@

job [Mon, 30 Aug 2021 12:44:02 +0000 (12:44 +0000)]
Remove unused files

OK deraadt@

inoguchi [Mon, 30 Aug 2021 12:25:54 +0000 (12:25 +0000)]
Clean up end of do_body in openssl(1) ca

suggested from tb@

inoguchi [Mon, 30 Aug 2021 12:12:11 +0000 (12:12 +0000)]
Remove NULL check before free in openssl(1) ca

ok tb@

mpi [Mon, 30 Aug 2021 11:57:45 +0000 (11:57 +0000)]
Implement '<' and '>' operators in filters.

Based on a diff from and ok dv@

deraadt [Mon, 30 Aug 2021 11:16:49 +0000 (11:16 +0000)]
jca and I converted %n to a syslog warning about a year ago, and the ports
ecosystem experienced a very good cleanup.  Time has arrived to switch (as
planned) to syslog + abort, which will result in a coredump thus identifying
the remaining culprits in a more visible fashion.
vfprintf(3) and vfwprintf(3) man pages still require documentation changes.
with jca

kn [Mon, 30 Aug 2021 11:09:58 +0000 (11:09 +0000)]
INADDR_LOOPBACK check needs htonl(3) to work

Found in resolvd(8) which uses the same code.

kn [Mon, 30 Aug 2021 11:04:50 +0000 (11:04 +0000)]
INADDR_LOOPBACK check needs htonl(3) to work

deraadt [Mon, 30 Aug 2021 09:45:29 +0000 (09:45 +0000)]
increase hibernate writeout speed a little.  modern machines have vast
tracts of unused memory, and the empty-space RLE scanner (uvm_page_rle)
would rescan for empty space needlessly wasting excessive cpu time
16G machine, 100sec -> 9sec
40G machine, 325sec -> 28sec
with kettenis mlarkin

claudio [Mon, 30 Aug 2021 09:09:21 +0000 (09:09 +0000)]
Test for the pathetic case that the 2nd unveil in
    unveil(NULL, NULL); if (fork() == 0) unveil("/", "rwx")
fails with EPERM.

beck [Mon, 30 Aug 2021 09:06:04 +0000 (09:06 +0000)]
Admit that we return error 20 in the failure case here. Changing
our verifier to return 21 results in other regress failures in
ruby and perl.

claudio [Mon, 30 Aug 2021 09:05:44 +0000 (09:05 +0000)]
Make sure unveil remains locked over fork even in the case where the
parent just called unveil(NULL, NULL) and nothing else.
With and OK beck@

beck [Mon, 30 Aug 2021 08:59:33 +0000 (08:59 +0000)]
Revert previous change that changed our default return for unable to
find leaf cert issuers.  This breaks perl and ruby regress, as noticed
by tb that "we tried this before".

Jan's regress that cares about 21 vs 20 needs to change
ok tb@

jasper [Mon, 30 Aug 2021 08:11:12 +0000 (08:11 +0000)]
Remove typedef of db_addr_t; mpi converted the users of it to vaddr_t already
back in 2019.

ok mpi@

claudio [Mon, 30 Aug 2021 08:07:22 +0000 (08:07 +0000)]
Check that fchdir() works. The problem in unveil was fixed some time ago.

claudio [Mon, 30 Aug 2021 08:06:02 +0000 (08:06 +0000)]
Make lines not wrap on 80 char terminals. Code gets more readable.

beck [Mon, 30 Aug 2021 06:51:36 +0000 (06:51 +0000)]
Fix Jan's regress in openssl/x509 to do what it says it does,
then fix the only thing it still has complaints about which
is that we don't return the leaf version of the error code
when we can't verify the leaf (as opposed to the rest of the chain)

ok jan@ tb@

djm [Mon, 30 Aug 2021 01:15:45 +0000 (01:15 +0000)]
adapt to RSA/SHA1 deprecation

djm [Sun, 29 Aug 2021 23:53:10 +0000 (23:53 +0000)]
After years of forewarning, disable the RSA/SHA-1 signature algorithm
by default. It is feasible to create colliding SHA1 hashes, so we
need to deprecate its use.

RSA/SHA-256/512 remains available and will be transparently selected
instead of RSA/SHA1 for most SSH servers released in the last five+
years. There is no need to regenerate RSA keys.

The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the
PubkeyAcceptedAlgorithms directives on the client and server.

ok dtucker deraadt

djm [Sun, 29 Aug 2021 23:44:07 +0000 (23:44 +0000)]
wrap at 80 columns

gnezdo [Sun, 29 Aug 2021 21:32:52 +0000 (21:32 +0000)]
Revert: llvm: openbsd driver had one -lcompiler_rt too many

Suggested by jca@ that kettenis@ looks at it first.

sthen [Sun, 29 Aug 2021 21:10:31 +0000 (21:10 +0000)]
Lee "Scratch" Perry died :(

gnezdo [Sun, 29 Aug 2021 21:05:15 +0000 (21:05 +0000)]
llvm: openbsd driver had one -lcompiler_rt too many

Tested by doing a full system build locally. Will work with brad@ for
upstream-ing.

OK patrick & mortimer

gnezdo [Sun, 29 Aug 2021 20:31:18 +0000 (20:31 +0000)]
iwm/iwx: propagate errors out of iw{m,x}_set_bits_mask_prph routines

This might help with troubleshooting "iwx0: acquiring device failed"
errors.

OK stsp@

schwarze [Sun, 29 Aug 2021 19:56:40 +0000 (19:56 +0000)]
Do not call X509_alias_get0(3) with NULL as the second argument.
Even if the buffer is guaranteed to be NUL-terminated in a particular
case, it is still setting a bad example.  Besides, it is unclear
to me whether there is any such guarantee in the case at hand.
Checking that would require auditing all of d2i_X509_bio(3),
ASN1_item_d2i_bio(&NETSCAPE_X509_it, ...), PEM_read_bio_X509_AUX(3),
and PKCS12_parse(3), since no such guarantee is documented for any
of these functions, and even then it would remain fragile with
respect to later changes of implementation details.

In the worst case, this could potentially result in a read buffer
overrun.

OK tb@ on an earlier version of this patch.

While we are here, deraadt@ requested to not use the word "string" in the
name of a variable that is not a string in the sense of the C language.

kn [Sun, 29 Aug 2021 19:55:12 +0000 (19:55 +0000)]
nameserver command requires an interface argument

anton [Sun, 29 Aug 2021 19:00:59 +0000 (19:00 +0000)]
Pass volume related key presses as both raw and translating input to
wskbd in order to make them visible in X11. Matches what ukbd(4) already
does.

schwarze [Sun, 29 Aug 2021 19:00:20 +0000 (19:00 +0000)]
fix an obvious mixup regarding the order of lines in the SYNOPSIS,
and an omission below HISTORY

anton [Sun, 29 Aug 2021 18:31:08 +0000 (18:31 +0000)]
correct range upper bound in comment

anton [Sun, 29 Aug 2021 18:21:16 +0000 (18:21 +0000)]
Make the ucc match criteria more stringent by requiring at least one
usage greater than zero. Usage zero is defined as unassigned by the
specification and cannot be mapped to anything sensible.

Prevents ucc from attaching to a bunch of odd report IDs from a Lenovo
ThinkPad USB-C Dock which only exposes the unassigned usage.  This is
not a problem in practice but I think we're better attaching them as
uhid devices instead as ucc cannot provide any functionality.

Thanks to Mario Peter <mp at mpeter dot de> for reporting and testing.

anton [Sun, 29 Aug 2021 18:20:18 +0000 (18:20 +0000)]
Some reports embed multiple report IDs inside the same collection
causing ucc to only be able to attach to the last report ID. This in
turn is caused by hid_is_collection() only being able to observe an end
of collection item with the last report ID for the same collection.

Instead, change the matching of ucc to only consider report IDs with at
least one corresponding Consumer Control usage.

Fixes gnezdo@'s Google Pixel earbuds.

anton [Sun, 29 Aug 2021 18:19:09 +0000 (18:19 +0000)]
An interrupt report contains the state of all items (Input, Output and
Feature) from the corresponding descriptor report for a given report ID.
The ordering of the items is identical in both the descriptor and
interrupt report. As the interrupt report can cover more than Consumer
Control related key presses, ucc must be more careful while examining
the interrupt report in order to not confuse other items as key presses.

While parsing the descriptor report, take note of the bits that
represent Consumer Control key presses and use it to slice the
interrupt report.

Thanks to florian@ gnezdo@ and Alessandro De Laurenzis <just22 at
atlantide dot mooo dot com> for testing.

anton [Sun, 29 Aug 2021 18:17:51 +0000 (18:17 +0000)]
As the Consumer Control usages are well defined by the HID Usage Tables
specification ucc might as well enumerate all of them. Finding an
appropriate scan code recognized by X11 for each usage is more tricky.
I've added a few more but the majority are still unmapped. Linux has
defined a couple of more usages covered by the evdev[1] key codes but
those symbols are not picked up in a vanilla X11 configuration on
OpenBSD, according to setxkbmap(1).

This should at least lower the barrier for adding scan codes for wanted
keys.

Note that the strings are discarded unless UCC_DEBUG is enabled.

Thanks to gnezdo@ for testing.

[1] xenocara/dist/xkeyboard-config/keycodes/evdev

dv [Sun, 29 Aug 2021 18:01:32 +0000 (18:01 +0000)]
Mask viornd descriptor value to prevent out of bound reads.

viornd did not mask the descriptor value in the available ring
allowing guest values to read past the end of the descriptor table.

While here, change fatal to fatalx because errno is not set.

Reported by Ilja van Sprundel

ok mlarkin@

krw [Sun, 29 Aug 2021 17:29:14 +0000 (17:29 +0000)]
Nuke unused variable and unnecessary initialization.

beck [Sun, 29 Aug 2021 17:13:15 +0000 (17:13 +0000)]
Don't call the verify callback twice on success.
This fixes a problem in the perl regress where it notices the
callback is called twice and complains.

ok tb@ bluhm@

deraadt [Sun, 29 Aug 2021 16:40:26 +0000 (16:40 +0000)]
sync

tb [Sun, 29 Aug 2021 15:52:47 +0000 (15:52 +0000)]
Pass the -quiet option to openssl s_server to make it ignore EOF.
This makes some tests run from the Makefile behave as they should.

claudio [Sun, 29 Aug 2021 15:37:58 +0000 (15:37 +0000)]
This needs extern.h for the rmatch prototype

robert [Sun, 29 Aug 2021 15:22:24 +0000 (15:22 +0000)]
notify the user about a successful password change; ok millert@

martijn [Sun, 29 Aug 2021 15:15:45 +0000 (15:15 +0000)]
libagentx regress relied on snmp(1) defaulting to -v2c -cpublic. Make this
explicit.

Pointed out and OK bluhm@

claudio [Sun, 29 Aug 2021 13:43:46 +0000 (13:43 +0000)]
Implement --exclude/exclude-file and --include/include-file.
Currently only simple include and excludes work, the advanced filters
introduced later in rsync are not implemented. It is unclear if the per
directory filters are something we want to implement. This requires
more modern protocols which openrsync is not able to handle right now.

This adds a special matching function to allow the ** matching which behaves
mostly like rsyncs version with the exception of how bad [] patterns are
expanded. For bad patterns openrsync follows more how fnmatch behaves and
not the somewhat strange rsync behaviour.

Not perfect but committing now so people can test and provide feedback.

kn [Sun, 29 Aug 2021 13:31:52 +0000 (13:31 +0000)]
Merge sysupgrade watchdog and prompt timeout code

Provide TIMOUT_{ACTION,PERIOD_SEC} in {start,stop,reset}_timeout() to have
install.sub and dot.profile use the same mnemonic helpers.

martijn [Sun, 29 Aug 2021 13:27:11 +0000 (13:27 +0000)]
Add ober_dup. Needed for upcoming SNMPv3 support for trap receiver in
snmpd(8).

OK jmatthew@
OK deraadt@ for bumping libutil now.

tb [Sun, 29 Aug 2021 13:17:42 +0000 (13:17 +0000)]
Add back the echo Q thing.

kn [Sun, 29 Aug 2021 13:16:22 +0000 (13:16 +0000)]
Sync prompt timeout code with sysupgrade watchdog

Simplify code and employ the same technique in both places.
The "prompt timeout" hits when on non-interactive installations or upgrades:

Welcome to the OpenBSD/amd64 6.9 installation program.
Starting non-interactive mode in 5 seconds...
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
Performing non-interactive upgrade...

The existing code uses a regular background job and does quirky file
descriptor fiddling just to avoid job control messages when starting the
timeout in the background.

It also does `set +m' a second time for no reason and hardcodes the number of
seconds in multiple places.

Do better by using a co-process just like sysupgrade's watchdog that reboots
when the upgrade did not finish in time.

reads good to aja

tb [Sun, 29 Aug 2021 13:16:17 +0000 (13:16 +0000)]
Start naccept .desc with a capital

noted by inoguchi

kn [Sun, 29 Aug 2021 13:05:43 +0000 (13:05 +0000)]
Stop parsing unsupported dhcp-options(5)

dhcpleased(8) does not support everything dhclient(8) did,
so stop pretending.

OK florian

tb [Sun, 29 Aug 2021 12:40:37 +0000 (12:40 +0000)]
Use s_server -naccept 1 and remove echo "Q" | openssl s_client hack.

tb [Sun, 29 Aug 2021 12:33:15 +0000 (12:33 +0000)]
Implement -naccept in the s_server.

doc fixes/ok jmc
ok beck

dv [Sun, 29 Aug 2021 12:17:38 +0000 (12:17 +0000)]
mask next descriptor value and fix chunk_size calculation

Guest can cause out of bounds read with a malformed descriptor. In same
loop, also fix a chunk size calculation.

Reported by Ilja van Sprundel.

ok mlarkin@

kettenis [Sun, 29 Aug 2021 12:02:52 +0000 (12:02 +0000)]
Reduce the number of openings for aplns(4) to 1.  This isn't correct but
makes NVMe on the Apple M1 stable.  Hopefully we can figure out the real
issue in the future.

ok jmatthew@

dv [Sun, 29 Aug 2021 11:41:27 +0000 (11:41 +0000)]
check for null vioblk info

If {c,m}alloc fail, info could be NULL and result in NULL deref.

Reported by Ilja van Sprundel.

ok mlarkin@

kettenis [Sun, 29 Aug 2021 11:23:29 +0000 (11:23 +0000)]
Reduce the number of openings for aplns(4) to 1.  This isn't correct but
makes NVMe on the Apple M1 stable.  Hopefully we can figure out the real
issue in the future.

ok jmatthew@

dv [Sun, 29 Aug 2021 11:14:27 +0000 (11:14 +0000)]
correct device status write size

Reported by Ilja van Sprundel.

ok mlarkin@

dv [Sun, 29 Aug 2021 11:09:05 +0000 (11:09 +0000)]
remove old descriptor dump function

Used originally to aid dev. Unneeded.

ok mlarkin@

deraadt [Sun, 29 Aug 2021 09:10:57 +0000 (09:10 +0000)]
new installboot will sometimes reuse the existing msdos boot partition instead
of running newfs_msdos, so fsck_msdos gets run behind the scenes.  A few
architectures were missing this binary on their install media
jsg notices two more arch need it also, due to crazy Makefile games in installboot

deraadt [Sun, 29 Aug 2021 09:05:21 +0000 (09:05 +0000)]
new installboot will sometimes reuse the existing msdos boot partition instead
of running newfs_msdos, so fsck_msdos gets run behind the scenes.  A few
architectures were missing this binary on their install media
noticed by sthen

jmc [Sun, 29 Aug 2021 06:50:29 +0000 (06:50 +0000)]
-w default is now 3;

chrisz [Sat, 28 Aug 2021 20:54:54 +0000 (20:54 +0000)]
/bin/ps: Implement reporting of supplemental groups

with help from sthen@ and tim@. OK tim@

sthen [Sat, 28 Aug 2021 19:59:49 +0000 (19:59 +0000)]
whitespace nit

sthen [Sat, 28 Aug 2021 19:59:28 +0000 (19:59 +0000)]
Allow traceroute -w values down to 1 second, from John Carmack
Change the default -w from 5 to 3 seconds, reducing the time it waits
for a response. John proposed using 1 second for this, but several
of us are familiar with networks where that would be likely to
remove hops, 3 seems reasonable and still saves 6 seconds on a
non-responding hop (there's always mtr if you need faster output).
Feedback from various, ok phessler@ kn@ florian@

beck [Sat, 28 Aug 2021 15:22:42 +0000 (15:22 +0000)]
Get rid of historical code to extract the roots in the legacy case.
Due to the need to support by_dir, we use the get_issuer stuff when running
in x509_vfy compatibility mode anyway - so just use it any time we are
doing that. Removes a bunch of yukky stuff and a "Don't Look Ethel"

ok tb@ jsing@

jsing [Sat, 28 Aug 2021 15:20:58 +0000 (15:20 +0000)]
Clean up and simplify ssl3_dispatch_alert() and ssl3_send_alert().

ok inoguchi@ tb@

tb [Sat, 28 Aug 2021 15:20:19 +0000 (15:20 +0000)]
Only remove the directories if there's an obj/ or obj@

beck [Sat, 28 Aug 2021 15:13:50 +0000 (15:13 +0000)]
Add a pass using the modern vfy with by_dir roots, code by me, script to
generate certdirs by jsing, and make chicken sacrifices by tb.

ok tb@ jsing@

krw [Sat, 28 Aug 2021 11:55:17 +0000 (11:55 +0000)]
Add hex_octet() so the strtol(..,16) dance is done in just one
place.

Allows single-digit partition id's in '-b' as a side benefit.

tb [Sat, 28 Aug 2021 08:22:48 +0000 (08:22 +0000)]
Zap blanks before tabs.

tb [Sat, 28 Aug 2021 08:16:39 +0000 (08:16 +0000)]
Add RCS marker

beck [Sat, 28 Aug 2021 07:54:57 +0000 (07:54 +0000)]
Add case 2c to the go side.  Don't tell jsing I touched go.

beck [Sat, 28 Aug 2021 07:49:00 +0000 (07:49 +0000)]
Remove the "dump_chain" flag and code. This was a workaround for a problem where
roots were not checked correctly before intermediates that has since been fixed
and is no longer necessary. It is regress checked by case 2c in
regress/lib/libcrypto/x509/verify.c
ok jsing@ tb@

robert [Sat, 28 Aug 2021 06:46:49 +0000 (06:46 +0000)]
use stderr for printing error and informational messages

this makes it easier to parse what passwd(1) is doing if
spawned from a GUI

ok millert@

kettenis [Sat, 28 Aug 2021 06:03:25 +0000 (06:03 +0000)]
Remove bogus code that tries to unmap GTT pages in a codepath that clearly
doesn't deal with non-GTT mappings.  What the Linux code does here isn't
possible on OpenBSD and probably unnecessary.

Seems to fix a crash reported by sthen@
ok jsg@

inoguchi [Sat, 28 Aug 2021 05:30:09 +0000 (05:30 +0000)]
Check X509_get_notAfter return value in openssl(1) ca.c

inoguchi [Sat, 28 Aug 2021 05:14:30 +0000 (05:14 +0000)]
Use strndup instead of malloc, memcpy and NULL termination in openssl(1) ca.c

suggested from tb@ for do_updatedb(),
and applied the same for do_body() and do_revoke().

inoguchi [Sat, 28 Aug 2021 04:02:20 +0000 (04:02 +0000)]
Remove ASN1_TIME_new and use NULL for X509_gmtime_adj, free tmptm in err path

comments from tb@

inoguchi [Sat, 28 Aug 2021 02:40:17 +0000 (02:40 +0000)]
Unwrap lines in openssl(1) ca.c

suggested from tb@

inoguchi [Sat, 28 Aug 2021 02:24:10 +0000 (02:24 +0000)]
Avoid leak with X509_REVOKED variable in openssl(1) ca.c

pointed out by tb@

inoguchi [Sat, 28 Aug 2021 02:11:18 +0000 (02:11 +0000)]
Checking the return value in openssl(1) ca.c

Some functions are used without verifying the return value in openssl(1) ca.
This diff adds checking for the function return value.
With this diff, I changed return value of the write_new_certificate from void
to int to return the condition to the caller.

ok and comments from tb@

nicm [Fri, 27 Aug 2021 17:25:55 +0000 (17:25 +0000)]
Replace %% in command lists (by copying them) for template arguments,
this means they can be used with {} as well. Also make argument
processing from an existing vector preserve commands. GitHub issue 2858.

nicm [Fri, 27 Aug 2021 17:15:57 +0000 (17:15 +0000)]
Allow control mode clients to set a hard limit on the window width and
height, GitHub issue 2594.

beck [Fri, 27 Aug 2021 16:15:42 +0000 (16:15 +0000)]
Add regress test testing having the root cert in the intermediate bundle

tb [Fri, 27 Aug 2021 16:12:33 +0000 (16:12 +0000)]
Remove unused #include <assert.h>.

This is from upstream where there is an assert() that EVP_MD_size(digest)
matches the length returned by HMAC(). We avoid asserts in our libraries.

From Martin Vahlensieck

krw [Fri, 27 Aug 2021 11:28:22 +0000 (11:28 +0000)]
Replace stray hand-rolled nitems() with nitems().

jsg [Fri, 27 Aug 2021 02:47:48 +0000 (02:47 +0000)]
drm/amd/display: workaround for hard hang on HPD on native DP

From Qingqing Zhuo
2e6cc93e1b8cf3ec2966961c1e98722ee7281023 in linux 5.10.y/5.10.61
c4152b297d56d3696ad0a9003169bc5b98ad7b72 in mainline linux

jsg [Fri, 27 Aug 2021 02:43:55 +0000 (02:43 +0000)]
drm/amd/display: Fix Dynamic bpp issue with 8K30 with Navi 1X

From Bing Guo
dcc8c5fb8d8595f5061c7b000ca1d16449a5e865 in linux 5.10.y/5.10.61
06050a0f01dbac2ca33145ef19a72041206ea983 in mainline linux

jsg [Fri, 27 Aug 2021 02:41:36 +0000 (02:41 +0000)]
drm/amdgpu: fix the doorbell missing when in CGPG issue for renoir.

From Yifan Zhang
7525f2e4de0069983497a9d3eab1ca9813ae1b4b in linux 5.10.y/5.10.61
1c0539a6fc8a4a4b77278e35d763073890de96b9 in mainline linux

jcs [Thu, 26 Aug 2021 21:05:01 +0000 (21:05 +0000)]
Request wMaxInputLength bytes of data on each interrupt which should
already account for the two-byte length and one-byte report id,
rather than adding them ourself and requesting wMaxInputLength + 3.

Fixes dwiic timeouts requesting data from at least one touchpad.

Tested by various

anton [Thu, 26 Aug 2021 10:32:35 +0000 (10:32 +0000)]
Rename ucc_intr_to_usage() to ucc_bits_to_usage(), no functional change.