kn [Fri, 20 Oct 2023 19:58:16 +0000 (19:58 +0000)]
Adopt MI re-upgrade prevention
In comparison to MI boot which only cares about /bsd.upgrade's x bit,
powerpc64 rdboot just wants a regular file.
Require and strip u+x before execution to prevent sysupgrade(8) loops.
OK kettenis
kn [Fri, 20 Oct 2023 19:55:49 +0000 (19:55 +0000)]
Adopt MI re-upgrade prevention
In comparison to MI boot which only cares about /bsd.upgrade's x bit,
octeon rdboot just wants a regular file.
Require and strip u+x before execution to prevent sysupgrade(8) loops.
OK kettenis
kettenis [Fri, 20 Oct 2023 18:53:12 +0000 (18:53 +0000)]
Avoid forcible mounting a dirty filessystem. Mount such filesystems
read-only instead. This means that writing to the filesystem will fail.
As a consequence chmod'ing of files in the bootloader will fail, but that
will fix itself on the next clean boot.
Same change as I committed to powerpc64 a few days ago.
ok kn@, deraadt@
schwarze [Fri, 20 Oct 2023 18:51:09 +0000 (18:51 +0000)]
Improve markup in some cases where .Li was abused.
Triggered by a smaller diff from jan@.
OK jmc@ jan@
bluhm [Fri, 20 Oct 2023 16:25:15 +0000 (16:25 +0000)]
Avoid assertion failure when splitting mbuf cluster.
m_split() calls m_align() to initialize the data pointer of newly
allocated mbuf. If the new mbuf will be converted to a cluster,
this is not necessary. If additionally the new mbuf is larger than
MLEN, this can lead to a panic.
Only call m_align() when a valid m_data is needed. This is the
case if we do not refecence the existing cluster, but memcpy() the
data into the new mbuf.
Reported-by: syzbot+0e6817f5877926f0e96a@syzkaller.appspotmail.com
OK claudio@ deraadt@
jan [Fri, 20 Oct 2023 13:21:15 +0000 (13:21 +0000)]
Add missing tcps_outpkttso counter to ixl(4) TSO setup.
ok bluhm@
dtucker [Fri, 20 Oct 2023 07:37:07 +0000 (07:37 +0000)]
Allow overriding the locations of the Dropbear binaries similar to what
we do for the PuTTY ones.
jan [Fri, 20 Oct 2023 07:31:12 +0000 (07:31 +0000)]
Improve bad comment.
pointed out by kn@
ok kn@
dtucker [Fri, 20 Oct 2023 06:56:45 +0000 (06:56 +0000)]
Add interop test with Dropbear. Right now this is only dbclient not the
Dropbear server since it won't currently run as a ProxyCommand.
jsg [Fri, 20 Oct 2023 03:49:31 +0000 (03:49 +0000)]
dma-buf: add dma_fence_timestamp helper
From Christian Koenig
d67b5a2b97b6e8959117ff71fc2daa30e66c8290 in linux-6.1.y/6.1.59
b83ce9cb4a465b8f9a3fa45561b721a9551f60e3 in mainline linux
jsg [Fri, 20 Oct 2023 03:46:56 +0000 (03:46 +0000)]
drm/amd/display: Don't set dpms_off for seamless boot
From Daniel Miess
f0410917561cb56f93ac8c502eb0ec94f25cafe9 in linux-6.1.y/6.1.59
23645bca98304a2772f0de96f97370dd567d0ae6 in mainline linux
jsg [Fri, 20 Oct 2023 03:45:42 +0000 (03:45 +0000)]
drm/amdgpu: add missing NULL check
From Christian Koenig
a61d905a86879427e330a5a66cba8b2330dac4d1 in linux-6.1.y/6.1.59
ff89f064dca38e2203790bf876cc7756b8ab2961 in mainline linux
jsg [Fri, 20 Oct 2023 03:43:33 +0000 (03:43 +0000)]
drm/atomic-helper: relax unregistered connector check
From Simon Ser
0fb82afee55fc6e12f3581e87d47fd1beae36a98 in linux-6.1.y/6.1.59
2b7947bd32e243c52870d54141d3b4ea6775e63d in mainline linux
jsg [Fri, 20 Oct 2023 03:41:56 +0000 (03:41 +0000)]
drm/i915: Don't set PIPE_CONTROL_FLUSH_L3 for aux inval
From Nirmoy Das
f175665385fe9fdd996080806aa67e666475d3d8 in linux-6.1.y/6.1.59
128c20eda73bd3e78505c574fb17adb46195c98b in mainline linux
jsg [Fri, 20 Oct 2023 03:38:58 +0000 (03:38 +0000)]
add dma_fence_timestamp() for 6.1.59 drm
bluhm [Thu, 19 Oct 2023 22:19:16 +0000 (22:19 +0000)]
Add test for dropped messages to UDP loghost.
bluhm [Thu, 19 Oct 2023 22:16:10 +0000 (22:16 +0000)]
syslogd(8) counts dropped UDP packets.
Now that syslogd handles delayed DNS lookups, also count dropped
packets to UDP loghosts. Although not every outgoing UDP packet
dropped along the path can be detected, the message makes the admin
aware that there is a local blind spot during startup.
Improve debug and log messages, especially if UDP logging is shut
down permanently. Also do not print 'last message repeated' if the
message was dropped.
OK deraadt@
tb [Thu, 19 Oct 2023 19:17:46 +0000 (19:17 +0000)]
Rename the modulus from n into m
This matches what other pages use. Also rewrite the definition of the
modular inverse to be less ugly.
kn [Thu, 19 Oct 2023 18:39:46 +0000 (18:39 +0000)]
root disk can be enrypted with a key disk now
anton [Thu, 19 Oct 2023 18:36:40 +0000 (18:36 +0000)]
Add missing removal of network interfaces in regress cleanup targets.
Reducing the risk tests conflicting with each other.
ok bluhm@
deraadt [Thu, 19 Oct 2023 18:04:44 +0000 (18:04 +0000)]
sync
job [Thu, 19 Oct 2023 17:05:54 +0000 (17:05 +0000)]
Add experimental support for secp256r1 aka P-256 aka prime256v1
ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paving the way for signers in the
production environment in the future to take advantage of ECDSA.
OK tb@
jan [Thu, 19 Oct 2023 16:28:02 +0000 (16:28 +0000)]
Enable TCP Segmentation Offloading for ixl(4)
Tested on amd64 and sparc64.
Also tested by bluhm@.
ok bluhm@
tb [Thu, 19 Oct 2023 13:38:12 +0000 (13:38 +0000)]
Add a few more test cases for mod_exp aliasing
claudio [Thu, 19 Oct 2023 13:14:19 +0000 (13:14 +0000)]
While the ibuf_add calls should not fail the way they are used it
is still better to check for error.
OK tb@
claudio [Thu, 19 Oct 2023 11:12:10 +0000 (11:12 +0000)]
Convert rtr_proto.c to use new ibuf API.
More yak shaving required which will follow.
OK tb@
tb [Thu, 19 Oct 2023 10:27:27 +0000 (10:27 +0000)]
Garbage collect weird /* 1 */ and /* 2 */ comments
If they ever had any meaning, that's long been lost.
Requested by jsing
tb [Thu, 19 Oct 2023 10:23:38 +0000 (10:23 +0000)]
The bn_mod_exp test is no longer an expected failure
tb [Thu, 19 Oct 2023 10:23:00 +0000 (10:23 +0000)]
Fix aliasing of result and exponent in the internal BN_mod_exp_recp()
This is basically the same fix as the one applied in BN_mod_exp_simple().
tb [Thu, 19 Oct 2023 10:17:52 +0000 (10:17 +0000)]
Fix aliasing of result with exponent or modulus in BN_mod_exp_simple()
Reported and reminded by Guido Vranken in OpenSSL issue #21110
ok jsing
tb [Thu, 19 Oct 2023 10:17:24 +0000 (10:17 +0000)]
Add test case checking aliasing of the result with other arguments
These are expected failures for BN_mod_exp_simple() and the internal
BN_mod_exp_recp(), which will be fixed shortly.
claudio [Thu, 19 Oct 2023 07:02:45 +0000 (07:02 +0000)]
Convert the session engine to use the new ibuf API.
OK tb@
fcambus [Thu, 19 Oct 2023 06:47:36 +0000 (06:47 +0000)]
Add IBM encoded version of "Spleen 8x16".
The font is 2-Clause BSD licensed and is my original creation.
OK miod@
kn [Thu, 19 Oct 2023 02:43:58 +0000 (02:43 +0000)]
Reduce unpractical package URL to usual package name; OK deraadt
This section about ports/packages really wants a revamp, though...
kn [Thu, 19 Oct 2023 02:39:06 +0000 (02:39 +0000)]
Support encrypting the root disk with a key disk
Extend the yes/no question to no/passphrase/keydisk and have users pick an
existing, preformated RAID partition; no support (yet) for creating one.
OK tb afresh1
kettenis [Wed, 18 Oct 2023 22:44:42 +0000 (22:44 +0000)]
Avoid forcible mounting a dirty filessystem. Mount such filesystems
read-only instead. This means that writing to the filesystem will fail.
As a consequence chmod'ing of files in the bootloader will fail, but that
will fix itself on the next clean boot.
ok kn@
anton [Wed, 18 Oct 2023 19:14:32 +0000 (19:14 +0000)]
Make libssl interop server/client tests less flaky by ensuring the
server has terminated before examining the outcome.
anton [Wed, 18 Oct 2023 18:01:10 +0000 (18:01 +0000)]
adjust sgr0 escape sequence after ncurses update; ok nicm@
tb [Wed, 18 Oct 2023 17:26:06 +0000 (17:26 +0000)]
Remove EVP_add_alg_module() prototype
This function was the unfortunate protagonist in a series of tragic merge
errors resulting in only a short stint of a year and nine months between
OpenSSL 0.9.8j and 1.0.0a actually present in OpenBSD. Then it said good
bye for good, but somehow a prototype came back with 1.0.1g, a famous
version released when there were slightly more pressing things to be
taken care of than a function supporting a config knob whose only purpose
was to turn off fips mode or to error.
from schwarze
PS: The mechanism that it was supposed to provide is still documented in
openssl.cnf(5). I am going remove the relevant bit at some point, but not
today.
schwarze [Wed, 18 Oct 2023 16:11:29 +0000 (16:11 +0000)]
Support the GNU-specific syntax ".IP \\[bu]" for bullet lists in man(7)
pages that Alejandro Colomar recommends in the "Lists" subsection of
https://man7.org/linux/man-pages/man7/man-pages.7.html#STYLE_GUIDE .
For example, this will improve HTML formatting of the first list in
the subsection "Feature test macros understood by glibc" on the page
https://manpages.debian.org/bookworm/manpages/ftm.7.en.html .
Issue reported by Alejandro Colomar <alx at kernel dot org>.
schwarze [Wed, 18 Oct 2023 14:47:22 +0000 (14:47 +0000)]
Better document the purpose and features of the file mandoc.css
and the purpose and limitations of the embedded stylesheet.
Triggered by a conversation with Alejandro Colomar <alx at kernel dot org>.
jan [Wed, 18 Oct 2023 14:24:29 +0000 (14:24 +0000)]
Avoid segments greater than maxsegsz during map merging
Found with hints from kettenis@
Tested on Sun-Fire-V215.
Also tested on U2 and UltraBook IIe by miod@
ok miod@
espie [Wed, 18 Oct 2023 08:50:13 +0000 (08:50 +0000)]
only strip actual file/line part from the eval error
espie [Wed, 18 Oct 2023 08:03:19 +0000 (08:03 +0000)]
document semi-internal parts used by dpb(1)
benno [Wed, 18 Oct 2023 07:56:45 +0000 (07:56 +0000)]
with pfsync rewrite, pfsync interfaces need an "up" after configuration, not before.
Noted by Marko Cupac, thanks.
tb [Wed, 18 Oct 2023 07:30:49 +0000 (07:30 +0000)]
Use X509_ALGOR_set_evp_md() in CMS_add1_signer()
Contrary to X509_ALGOR_set_md() this allows for error checking. Avoid
local complications by freeing in the exit path and use a const version
of X509_ALGOR for walking a STACK_OF() to avoid a bad free.
Clean up includes
ok jsing
tb [Wed, 18 Oct 2023 07:24:15 +0000 (07:24 +0000)]
cms_DigestedData_create() use X509_ALGOR_set_evp_md()
Our internal version allows for error checking and this avoids a silent
failure leading to corruption later on.
Clean up includes while there.
ok jsing
fcambus [Wed, 18 Oct 2023 07:23:58 +0000 (07:23 +0000)]
Sync the supported hardware list with arm64.html.
tb [Wed, 18 Oct 2023 07:10:24 +0000 (07:10 +0000)]
rpki-client: move inherit in {ip,as}_warn()
While alphabetic order makes sense, having inherit between individual
AS and IP entries and ranges makes little sense. Use the order that we
have elsewhere.
ok claudio job
tb [Wed, 18 Oct 2023 07:08:19 +0000 (07:08 +0000)]
rpki-client: rework ip_addr_check_overlap()
Avoid conditional early returns and significantly simplify the printing
of ip addresses/ranges by using the new ip_warn(). This also eliminates
an extremely weird usage of the comma operator and reduces noise levels
quite a bit.
ok claudio job
tb [Wed, 18 Oct 2023 07:04:24 +0000 (07:04 +0000)]
rpki-client: rework as_check_overlap()
Avoid early returns and use a single copy of the warning by reworking
the control flow through two nested switches.
ok claudio job
kevlo [Wed, 18 Oct 2023 06:45:45 +0000 (06:45 +0000)]
Mention U-Boot file and offset for Rockchip RK356x.
"Sure." miod@
tb [Wed, 18 Oct 2023 06:30:40 +0000 (06:30 +0000)]
rfc3779: no need for err.h, but we do need asn1.h
jsg [Wed, 18 Oct 2023 01:52:20 +0000 (01:52 +0000)]
drm/amd: Fix logic error in sienna_cichlid_update_pcie_parameters()
From Mario Limonciello
d2894c4f473ab71cd68ef0f9b086148bb2c02132 in linux-6.1.y/6.1.57
2a1fe39a5be785e962e387146aed34fa9a829f3f in mainline linux
jsg [Wed, 18 Oct 2023 01:49:45 +0000 (01:49 +0000)]
drm/amd: Fix detection of _PR3 on the PCIe root port
From Mario Limonciello
c8bd3e12b3291e632ae189619169914743ba77d1 in linux-6.1.y/6.1.57
134b8c5d8674e7cde380f82e9aedfd46dcdd16f7 in mainline linux
afresh1 [Wed, 18 Oct 2023 01:49:26 +0000 (01:49 +0000)]
Increase max depth for termcaps
With the update to ncurses 6.4-
20230826 /etc/termcap now needs at
least a 36 deep search. Instead, we'll just bump to 64. It seems
32 has been enough since perl 5.001 in 1995, so hopefully this buys
us at least another 28 years.
"please commit that" deraadt@
jsg [Wed, 18 Oct 2023 01:47:42 +0000 (01:47 +0000)]
drm/amd/display: Adjust the MST resume flow
From Wayne Lin
71472872932b11ca2591104eb73255fecaae9d33 in linux-6.1.y/6.1.57
ec5fa9fcdeca69edf7dab5ca3b2e0ceb1c08fe9a in mainline linux
deraadt [Wed, 18 Oct 2023 01:45:42 +0000 (01:45 +0000)]
grow arm64 iso media space
claudio [Tue, 17 Oct 2023 17:59:59 +0000 (17:59 +0000)]
Neither sin_len nor sin6_len can be 0 so these checks are not needed.
Also reorder the RTF_HOST vs netmask check. RTF_HOST wins if both are set.
Makes the code a bit neater.
OK tb@
claudio [Tue, 17 Oct 2023 17:58:15 +0000 (17:58 +0000)]
Remove bogus plen != 0xff check
OK tb@
nicm [Tue, 17 Oct 2023 10:13:53 +0000 (10:13 +0000)]
sync, from sthen
nicm [Tue, 17 Oct 2023 10:05:46 +0000 (10:05 +0000)]
Update termtypes to 6.4-
20230424 with local changes.
nicm [Tue, 17 Oct 2023 09:55:32 +0000 (09:55 +0000)]
Switch to tiparm_s (added in ncurses 6.4-
20230424) instead of tparm,
which allows ncurses to validate the capabilities correctly.
nicm [Tue, 17 Oct 2023 09:52:08 +0000 (09:52 +0000)]
Update ncurses and associated libraries (form, panel, menu) to
6.4-
20230826 (from 5.7-
20081102).
Based on result from Thomas Dickey's ncu2openbsd script and then
modified. Switches to the upstream tput. Major bump for the ncurses
libraries and for libedit and libreadline.
Help from tb, millert.
ok deraadt sthen
cheloha [Tue, 17 Oct 2023 00:04:02 +0000 (00:04 +0000)]
clockintr: move callback-specific API behaviors to "clockrequest" namespace
The API's behavior when invoked from a callback function is impossible
to document. Move the special behavior into a distinct namespace,
"clockrequest".
- Add a 'struct clockrequest'. Basically a stripped-down 'struct clockintr'
for exclusive use during clockintr_dispatch().
- In clockintr_queue, replace the "cq_shadow" clockintr with a "cq_request"
clockrequest. They serve the same purpose.
- CLST_SHADOW_PENDING -> CR_RESCHEDULE; different namespace, same meaning.
- CLST_IGNORE_SHADOW -> CLST_IGNORE_REQUEST; same meaning.
- Move shadow branch in clockintr_advance() to clockrequest_advance().
- clockintr_request_random() becomes clockrequest_advance_random().
- Delete dead shadow branches in clockintr_cancel(), clockintr_schedule().
- Callback functions now get a clockrequest pointer instead of a special
clockintr pointer: update all prototypes, callers.
No functional change intended.
claudio [Mon, 16 Oct 2023 12:49:15 +0000 (12:49 +0000)]
Adjust lladdr test to use templates in rdomain1 (e.g. fe80::%pair11/64)
The code allready supports matching of templates with a scope id and
fe80::%pair11/64 and fe80::%gif11/64 are different to session_match_mask().
mpi [Mon, 16 Oct 2023 11:32:54 +0000 (11:32 +0000)]
Consider required constraint when moving pages from active to inactive lists.
Make sure low pages are deactivated first when there is a shortage of inactive
pages. Without this the system can have a ton of high pages on the active list
and never swapout anything if there's a shortage of low pages.
This prevents a deadlock on amd64 reported and tested by bluhm@.
ok kettenis@
claudio [Mon, 16 Oct 2023 10:26:51 +0000 (10:26 +0000)]
Add regress test to verify that IPv6 link-local addresses work
claudio [Mon, 16 Oct 2023 10:25:45 +0000 (10:25 +0000)]
Improve IPv6 link-local address handling
When a session is established determine the possible interface scope of that
session. The scope is only set when the remote address is directly connected.
This interface scope is passed to the RDE that uses this information when
link-local nexthops are received. Again checking that a link-local nexthop
is actually acceptable.
OK tb@
dtucker [Mon, 16 Oct 2023 08:40:00 +0000 (08:40 +0000)]
Move declaration of "len" into the block where it's used. This lets
us compile Portable with -Werror with when OpenSSL doesn't have
Ed25519
support.
op [Mon, 16 Oct 2023 08:33:16 +0000 (08:33 +0000)]
reinstate space-to-tabstop entry in the manpage
removed in rev 1.95 since was hidden behind NOTAB, and forgot to be
re-added when no-tab-mode was resurrected.
claudio [Mon, 16 Oct 2023 06:14:20 +0000 (06:14 +0000)]
Set fib-update no since the fib is not needed here.
cheloha [Sun, 15 Oct 2023 18:20:25 +0000 (18:20 +0000)]
time(1): miscellaneous style(9) tweaks
Use a space after keywords, binary operators require spaces, second-level
indents are four spaces, remove some extraneous parentheses and empty lines,
fill empty loop bodies with a "continue" statement.
No binary change.
chrisz [Sun, 15 Oct 2023 15:49:47 +0000 (15:49 +0000)]
audio(9): deprecate start_{output,input}
ok ratchov@, kn@
kn [Sun, 15 Oct 2023 09:49:57 +0000 (09:49 +0000)]
Pledge once with or without "proc exec", not twice
Spotted while comparing ktraces between 'tar -z' and 'gzcat | tar -f-'.
Only the former runs, e.g. gzip(1), but the latter also pledges theses promises
just to pledge again immediately afterwards without them.
Make the calls mutually exclusive so 'tar -f-' et al. skip the first pledge
and thus never have "proc exec" to begin wth.
"looks good to me" mbuhl
OK millert
kettenis [Sat, 14 Oct 2023 19:02:16 +0000 (19:02 +0000)]
Document the hw.battery sysctls.
ok benno@, jmc@, schwarze@
afresh1 [Sat, 14 Oct 2023 18:10:47 +0000 (18:10 +0000)]
Verify but don't overwrite SHA256.sig in fw_update(8)
Signify is happy to overwite the file with the signature stripped off.
However, if we do that, when downloading firmware we lose the ability
to check the signature before verifying checksums on the downloaded files.
Noticed by Thomas <exnihilo () fastmail ! org>
Right deraadt@
anton [Sat, 14 Oct 2023 13:05:43 +0000 (13:05 +0000)]
Suppress harmless EPIPE errors during test shutdown.
claudio [Sat, 14 Oct 2023 09:46:14 +0000 (09:46 +0000)]
Rewrite log_peer_info() and log_peer_warn[x]()
Passing the peer description as part of the format string was a bad idea
since the peer description may include some % signs (e.g. for link local
IPv6 addresses). So instead of asprintf a new fmt string use vasprintf
to get the message and then use logit("%s: %s", peer_info, msg).
OK tb@
jmc [Sat, 14 Oct 2023 06:29:11 +0000 (06:29 +0000)]
align the intel wifi entries with the other pci wifi entries; ok stsp
deraadt [Sat, 14 Oct 2023 05:07:05 +0000 (05:07 +0000)]
sync
jeremy [Fri, 13 Oct 2023 23:16:58 +0000 (23:16 +0000)]
Update lang/ruby module documentation for the removal of Ruby 3.0
anton [Fri, 13 Oct 2023 19:30:18 +0000 (19:30 +0000)]
Use a unique mount point rooted in /mnt in order to not conflict with other
tests.
anton [Fri, 13 Oct 2023 19:28:59 +0000 (19:28 +0000)]
Use the idiom in cleanup target like many others
in regress already does.
kettenis [Fri, 13 Oct 2023 15:41:25 +0000 (15:41 +0000)]
Add Allwinner D1 support.
ok mbuhl@, patrick@, dlg@
stsp [Fri, 13 Oct 2023 13:52:08 +0000 (13:52 +0000)]
enable dwqe(4) in RAMDISK_CD
reminded by jsg@, snapshot test build done by me
fcambus [Fri, 13 Oct 2023 13:28:02 +0000 (13:28 +0000)]
Remove bold8x16-iso1 font.
This font has been unlinked from the build in January 2019 when it was
replaced by Spleen 8x16.
OK mpi@
tb [Fri, 13 Oct 2023 12:12:05 +0000 (12:12 +0000)]
Adjust regress to cope with constraints
job [Fri, 13 Oct 2023 12:06:49 +0000 (12:06 +0000)]
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.
For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
claudio [Fri, 13 Oct 2023 07:55:57 +0000 (07:55 +0000)]
Force the router-id on all bgpd instances to make the expected output
predictable.
claudio [Fri, 13 Oct 2023 07:37:35 +0000 (07:37 +0000)]
Add missing Ns in argument list of announce (IPv4|IPv6) ...
tb [Fri, 13 Oct 2023 05:49:34 +0000 (05:49 +0000)]
Tweak previous by using the argument name, not its type
tb [Fri, 13 Oct 2023 05:47:35 +0000 (05:47 +0000)]
Improve the description of X509_ALGOR_dup(3)
The old description was vague, but strictly speaking a lie, so make it
more precise and turn the lie into a truth.
bluhm [Fri, 13 Oct 2023 00:00:51 +0000 (00:00 +0000)]
Remove ancient version of zlib bundled with GNU cvs.
Avoid false positive in security scan. Removal of embedded zlib
ensures that cvs is linked dynamically with /usr/lib/libz.so. We
do not want any zlib 1.1.3 from 2001 in our source tree.
no binary diff; OK millert@ deraadt@
bluhm [Thu, 12 Oct 2023 22:41:29 +0000 (22:41 +0000)]
Test retry after DNS lookup failure.
bluhm [Thu, 12 Oct 2023 22:36:54 +0000 (22:36 +0000)]
Retry DNS lookup for remote loghost.
If DNS lookup for a remote loghost configured in syslog.conf did
not work at startup, the entry was ignored. Better retry the lookup
in intervals until it succeeds. Improve debug output to print IP
address after resolution. Unify retry code that resolves DNS for
UDP and connects to TCP server.
testing and feedback from Paul de Weerd; OK deraadt@
bluhm [Thu, 12 Oct 2023 19:15:21 +0000 (19:15 +0000)]
pflog(4) logs packet dropped by default rule with block.
If a packet is malformed, it is dropped by pf(4). The rule referenced
in pflog(4) is the default rule. As the default rule is a pass
rule, tcpdump printed "pass" although the packet was actually
dropped. To avoid confusion, change the action to drop. Then
tcpdump prints "block".
OK sashan@ kn@
tb [Thu, 12 Oct 2023 17:14:17 +0000 (17:14 +0000)]
x509_algor: fix error message
anton [Thu, 12 Oct 2023 16:59:23 +0000 (16:59 +0000)]
Let vnconfig select an unused device as opposed of unconditionally
assume vnd0 is available.
deraadt [Thu, 12 Oct 2023 16:37:05 +0000 (16:37 +0000)]
Static binaries which do not call execve() were not calling
pinsyscall(SYS_execve, ...). Upon review, this is a fairly small
set of programs which either pledge() aggressively or don't usually
operate in a risky operating environment. We now point at a location
which is definately not a "syscall" instruction.
ok kettenis
projects / openbsd / log