openbsd
14 months ago: Remove MD32_XARRAY remnants.
jsing [Thu, 10 Aug 2023 13:59:31 +0000 (13:59 +0000)]
Remove MD32_XARRAY remnants.

14 months ago: Reorder functions.
jsing [Thu, 10 Aug 2023 13:58:34 +0000 (13:58 +0000)]
Reorder functions.

No functional change.

14 months ago: Implement MD5_{Update,Transform,Final}() directly in md5.c.
jsing [Thu, 10 Aug 2023 13:54:21 +0000 (13:54 +0000)]
Implement MD5_{Update,Transform,Final}() directly in md5.c.

Copy the update, transform and final functions from md32_common.h, manually
expanding the macros for MD5. This will allow for further clean up to
occur.

No change in generated assembly.

14 months ago: Tidy includes.
jsing [Thu, 10 Aug 2023 13:41:56 +0000 (13:41 +0000)]
Tidy includes.

14 months ago: Tidy includes.
jsing [Thu, 10 Aug 2023 13:41:18 +0000 (13:41 +0000)]
Tidy includes.

14 months ago: Mop up the last MD32_XARRAY.
jsing [Thu, 10 Aug 2023 12:27:35 +0000 (12:27 +0000)]
Mop up the last MD32_XARRAY.

MD32_XARRAY was added as a workaround for a broken HP C compiler (circa
1999). Clean it up to simplify the code.

No change in generated assembly.

14 months ago: Inline the remaining 10 lines from rmdconst.h.
jsing [Thu, 10 Aug 2023 11:06:36 +0000 (11:06 +0000)]
Inline the remaining 10 lines from rmdconst.h.

Discussed with tb@

14 months ago: Inline X variables definitions.
jsing [Thu, 10 Aug 2023 11:04:30 +0000 (11:04 +0000)]
Inline X variables definitions.

Inline the WL and WR defines, which only add yet another layer of
abstraction and make the code harder to follow.

No change to generated assembly.

Discussed with tb@

14 months ago: Inline shift values.
jsing [Thu, 10 Aug 2023 11:00:46 +0000 (11:00 +0000)]
Inline shift values.

Inline the SL and SR defines, which only makes the code harder to follow.

No change to generated assembly.

Discussed with tb@

14 months ago: document .VARIABLES
espie [Thu, 10 Aug 2023 10:56:34 +0000 (10:56 +0000)]
document .VARIABLES

14 months ago: Add support for .VARIABLES, to which I have use.
espie [Thu, 10 Aug 2023 10:52:43 +0000 (10:52 +0000)]
Add support for .VARIABLES, to which I have use.
This is an extension but also exists in gnu-make.
okay millert@, kn@, thfr@
(I've added an XXX comment on top of the patch you've seen,
no actual further code change)

14 months ago: Apply some more style(9).
jsing [Thu, 10 Aug 2023 10:21:37 +0000 (10:21 +0000)]
Apply some more style(9).

No change in generated assembly.

14 months ago: Various fixes in {dh,dsa}_priv_encode()
tb [Thu, 10 Aug 2023 09:43:51 +0000 (09:43 +0000)]
Various fixes in {dh,dsa}_priv_encode()

Avoid creating an ASN1_STRING with negative length, set type, data
and length via ASN1_STRING_type_new() and ASN1_STRING_set0() instead
of doing this manually. Check return value for i2d_ASN1_INTEGER()
and use an intermediate ASN1_OBJECT instead of nested function calls.
Finally, clear sensitive data with freezero().

ok jsing

14 months ago: rsa_priv_encode: plug leak on PKCS8_pkey_set0() failure
tb [Thu, 10 Aug 2023 09:36:37 +0000 (09:36 +0000)]
rsa_priv_encode: plug leak on PKCS8_pkey_set0() failure

Change the code to use safer idioms and avoid nested function calls.

ok jsing

14 months ago: Make stopped ldom utilization appear as zero
kn [Thu, 10 Aug 2023 07:50:45 +0000 (07:50 +0000)]
Make stopped ldom utilization appear as zero

ldomctl(8) 'status' updated the value only on running guests,
i.e. stopped ones repeated the last ones instead of showing zero.

Always reset per guest before updating it. From Koakuma, thanks!

14 months ago: Improve byte order handling in gcm128.
jsing [Thu, 10 Aug 2023 07:18:43 +0000 (07:18 +0000)]
Improve byte order handling in gcm128.

Replace a pile of byte order handling mess with htobe*() and be*toh().

ok tb@

14 months ago: Remove MD32_REG_T.
jsing [Thu, 10 Aug 2023 07:15:23 +0000 (07:15 +0000)]
Remove MD32_REG_T.

This is a hack that is only enabled on a handful of 64 bit platforms, as
a workaround for poor compiler optimisation. If you're running an archaic
compiler on an archaic architecture, then you can deal with slightly lower
performance.

ok tb@

14 months ago: openssh-9.4
djm [Thu, 10 Aug 2023 01:01:07 +0000 (01:01 +0000)]
openssh-9.4

14 months ago: regen
kmos [Wed, 9 Aug 2023 21:28:30 +0000 (21:28 +0000)]
regen

14 months ago: Add Crucial as a vendor and the P5 Plus NVMe as a product
kmos [Wed, 9 Aug 2023 21:27:47 +0000 (21:27 +0000)]
Add Crucial as a vendor and the P5 Plus NVMe as a product

ok and tweak jsg@

14 months ago: Add the forgotten .In line
schwarze [Wed, 9 Aug 2023 17:34:39 +0000 (17:34 +0000)]
Add the forgotten .In line
and fix a typo: s/content objects/content octets/.

14 months ago: In objects.h rev. 1.14 and 1.15 (Jan 2022), tb@ provided
schwarze [Wed, 9 Aug 2023 17:27:26 +0000 (17:27 +0000)]
In objects.h rev. 1.14 and 1.15 (Jan 2022), tb@ provided
OBJ_get0_data(3) and OBJ_length(3).  Document them.
Feedback and OK tb@.

14 months ago: Rework BN_BLINDING to use pthread_t directly
tb [Wed, 9 Aug 2023 12:09:06 +0000 (12:09 +0000)]
Rework BN_BLINDING to use pthread_t directly

Instead of CRYPTO_THREADID, which passes pthread_t via unsigned long,
we can use pthread_self() and pthread_equal() directly. This commit keeps
using the awkward 'local' nomenclature as that is used throughout the rsa
code. This will be changed after the blinding code has been fully
merged into rsa_blinding.c.

ok jsing

14 months ago: Merge remainder of rsa_crpt.c into rsa_eay.c
tb [Wed, 9 Aug 2023 09:32:22 +0000 (09:32 +0000)]
Merge remainder of rsa_crpt.c into rsa_eay.c

Most of these are one line wrappers around methods implemented in rsa_eay.c
by default.

14 months ago: Move RSA blinding API from rsa_crpt.c to rsa_blinding.c
tb [Wed, 9 Aug 2023 09:26:43 +0000 (09:26 +0000)]
Move RSA blinding API from rsa_crpt.c to rsa_blinding.c

14 months ago: Move RSA_blinding_{on,off}() to the bottom of the file
tb [Wed, 9 Aug 2023 09:25:13 +0000 (09:25 +0000)]
Move RSA_blinding_{on,off}() to the bottom of the file

14 months ago: Move bn_blind.c to rsa_blinding.c
tb [Wed, 9 Aug 2023 09:23:03 +0000 (09:23 +0000)]
Move bn_blind.c to rsa_blinding.c

discussed with jsing

14 months ago: Make declaration and definition of BN_BLINDING_new() match.
tb [Wed, 9 Aug 2023 09:20:00 +0000 (09:20 +0000)]
Make declaration and definition of BN_BLINDING_new() match.
Also, make mod const.

14 months ago: Merge BN_BLINDING_create_param() into BN_BLINDING_new()
tb [Wed, 9 Aug 2023 09:09:24 +0000 (09:09 +0000)]
Merge BN_BLINDING_create_param() into BN_BLINDING_new()

14 months ago: Set up the blinding factors on first use
tb [Wed, 9 Aug 2023 08:39:46 +0000 (08:39 +0000)]
Set up the blinding factors on first use

Only call BN_BLINDING_setup() from BN_BLINDING_update(). This allows
another simplification of the counter logic.

ok jsing

14 months ago: Remove retry loop in BN_BLINDING_setup()
tb [Wed, 9 Aug 2023 08:35:59 +0000 (08:35 +0000)]
Remove retry loop in BN_BLINDING_setup()

If we generate a non-invertible blinding, we have accidentally factored
the modulus. This won't happen, so get rid of this ugly complication.

ok jsing

14 months ago: Compute a square using BN_mod_sqr() instead of BN_mod_mul()
tb [Wed, 9 Aug 2023 08:31:13 +0000 (08:31 +0000)]
Compute a square using BN_mod_sqr() instead of BN_mod_mul()

ok jsing

14 months ago: Simplify BN_BLINDING_invert()
tb [Wed, 9 Aug 2023 08:29:23 +0000 (08:29 +0000)]
Simplify BN_BLINDING_invert()

If the blinding is non-NULL, Ai is set on it, so no need to check for
that. Also, we can get away with a single call to BN_mod_mul().

ok jsing

14 months ago: Unwrap a line
tb [Wed, 9 Aug 2023 08:27:02 +0000 (08:27 +0000)]
Unwrap a line

14 months ago: correct platform id mask, it is 3 bits 52:50
jsg [Wed, 9 Aug 2023 02:59:41 +0000 (02:59 +0000)]
correct platform id mask, it is 3 bits 52:50

14 months ago: remove some unneeded includes
jsg [Wed, 9 Aug 2023 02:08:14 +0000 (02:08 +0000)]
remove some unneeded includes
ok dlg@

14 months ago: show x86 cpu patch level in dmesg
jsg [Wed, 9 Aug 2023 00:01:44 +0000 (00:01 +0000)]
show x86 cpu patch level in dmesg
ok guenther@ deraadt@

14 months ago: Merge SO_BINDANY cases from both switch blocks within sosetopt(). This
mvs [Tue, 8 Aug 2023 22:07:25 +0000 (22:07 +0000)]
Merge SO_BINDANY cases from both switch blocks within sosetopt(). This
time the SO_LINGER case is separated, so there is no reason for a dedicated
switch block.

ok bluhm

14 months ago: Merge SO_SND* with corresponding SO_RCV* cases within sosetopt(). The
mvs [Tue, 8 Aug 2023 22:06:27 +0000 (22:06 +0000)]
Merge SO_SND* with corresponding SO_RCV* cases within sosetopt(). The
only difference is the socket buffer.

As a bonus, in the future solock() will be easily replaced by sblock()
instead of pushing it down to each SO_SND* and SO_RCV* case.

ok bluhm

14 months ago: Unwrap a line
tb [Tue, 8 Aug 2023 15:24:02 +0000 (15:24 +0000)]
Unwrap a line

14 months ago: Drop the unused BN_BLINDING argument of BN_BLINDING_create_param()
tb [Tue, 8 Aug 2023 15:18:24 +0000 (15:18 +0000)]
Drop the unused BN_BLINDING argument of BN_BLINDING_create_param()

14 months ago: Rename ret into b in BN_BLINDING_setup()
tb [Tue, 8 Aug 2023 15:10:34 +0000 (15:10 +0000)]
Rename ret into b in BN_BLINDING_setup()

14 months ago: Factor the actual setup step for the blinding into a helper
tb [Tue, 8 Aug 2023 14:40:56 +0000 (14:40 +0000)]
Factor the actual setup step for the blinding into a helper

ok jsing

14 months ago: X509_STORE_CTX_get_check_issued(3) is weird.
schwarze [Tue, 8 Aug 2023 13:59:23 +0000 (13:59 +0000)]
X509_STORE_CTX_get_check_issued(3) is weird.
Both the function return type and the function name are so long
that for displaying the function prototype,
a line break is needed after the function return type.

14 months ago: Make BN_BLINDING respect some invariants
tb [Tue, 8 Aug 2023 13:59:04 +0000 (13:59 +0000)]
Make BN_BLINDING respect some invariants

Pass e and mod into BN_BLINDING_new() for now and unconditionally allocate
A and Ai. This way non-NULL blindings always have these four members set.
This allows removing several unnecessary checks in the update, convert and
parameter creation code paths.

Fix exit BN_BLINDING_create_param() so as to signal errors to the caller
if a non-NULL blinding was passed. This fixes a long standing bug.

ok jsing

14 months ago: Simplify RSA_setup_blinding()
tb [Tue, 8 Aug 2023 13:49:45 +0000 (13:49 +0000)]
Simplify RSA_setup_blinding()

Make this look a bit more like other code we cleaned up, avoiding nesting
and unnecessary else branches.

ok jsing

14 months ago: Remove ECDSA nonce padding kludge
tb [Tue, 8 Aug 2023 13:09:28 +0000 (13:09 +0000)]
Remove ECDSA nonce padding kludge

This was a workaround due to the historically non-constant time scalar
multiplication in the EC code. Since Brumley and Tuveri implemented the
Montgomery ladder, this is no longer useful and should have been removed
a long time ago, as it now does more harm than good.

Keep the preallocations as they still help hide some timing info.

ok jsing

14 months ago: In objects.h rev. 1.17 (Jan 14, 2022),
schwarze [Tue, 8 Aug 2023 12:55:08 +0000 (12:55 +0000)]
In objects.h rev. 1.17 (Jan 14, 2022),
tb@ removed the following macros from the public API:
_DECLARE_OBJ_BSEARCH_CMP_FN
DECLARE_OBJ_BSEARCH_CMP_FN DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN
IMPLEMENT_OBJ_BSEARCH_CMP_FN IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN
OBJ_bsearch OBJ_bsearch_ex

In objects.h rev. 1.20 (Nov 11, 2022), jsing@ unifdef'ed USE_OBJ_MAC.

Stop marking these names as intentionally undocumented.

14 months ago: document new diagnostic
espie [Tue, 8 Aug 2023 12:46:56 +0000 (12:46 +0000)]
document new diagnostic

14 months ago: have a go at documenting the Interface config statement.
dlg [Tue, 8 Aug 2023 10:31:03 +0000 (10:31 +0000)]
have a go at documenting the Interface config statement.

I'm not really happy with this, but it's a start.

14 months ago: if sec is being destroyed, prevent it from being brought up again.
dlg [Tue, 8 Aug 2023 10:19:15 +0000 (10:19 +0000)]
if sec is being destroyed, prevent it from being brought up again.

14 months ago: adapt more functions to the i915_gem_phys hack
jsg [Tue, 8 Aug 2023 10:16:51 +0000 (10:16 +0000)]
adapt more functions to the i915_gem_phys hack

linux stashes a dma va in the vm_page pointer part of the scatterlist.
We use a pointer to a struct with the dma tag and map.

14 months ago: try to avoid a deadlock between sec_down and sec_send.
dlg [Tue, 8 Aug 2023 10:14:29 +0000 (10:14 +0000)]
try to avoid a deadlock between sec_down and sec_send.

sec_send runs in the systq (because it calls ipsec stuff which uses
crypto, which is not mpsafe) and takes the net lock (because ipsec
output calls ip_output and other stuff). sec_down is called with
NET_LOCK held and tries to run a barrier for send task. if the send
task is running but is waiting for the net lock while sec_down is
holding the net lock while waiting for the task to finish, we're
deadlocked.

this copies the sc_up thing from pfsync, which hopefully avoids this.

pointed out by mvs@

14 months ago: Add flag to next-prompt/previous-prompt to go to command output instead,
nicm [Tue, 8 Aug 2023 08:21:29 +0000 (08:21 +0000)]
Add flag to next-prompt/previous-prompt to go to command output instead,
from Magnus Gross.

14 months ago: Add options and flags for menu styles similar to those existing for
nicm [Tue, 8 Aug 2023 08:08:47 +0000 (08:08 +0000)]
Add options and flags for menu styles similar to those existing for
popups, from Alexis Hildebrandt. GitHub issue 3650.

14 months ago: Extend the menu drawing function to support custom characters and
nicm [Tue, 8 Aug 2023 07:41:04 +0000 (07:41 +0000)]
Extend the menu drawing function to support custom characters and
styles, from Alexis Hildebrandt.

14 months ago: Fix a couple of rounded border characters, from Alexis Hildebrandt.
nicm [Tue, 8 Aug 2023 07:19:48 +0000 (07:19 +0000)]
Fix a couple of rounded border characters, from Alexis Hildebrandt.

14 months ago: Replace use of the old BSD st_*timensec members in struct stat with
guenther [Tue, 8 Aug 2023 04:45:44 +0000 (04:45 +0000)]
Replace use of the old BSD st_*timensec members in struct stat with
the POSIX-standard st_*tim.tv_nsec members.

ok millert@

14 months ago: sync
deraadt [Tue, 8 Aug 2023 02:42:35 +0000 (02:42 +0000)]
sync

14 months ago: No need to mark BN_options() as intentionally undocumented any longer.
schwarze [Mon, 7 Aug 2023 23:10:03 +0000 (23:10 +0000)]
No need to mark BN_options() as intentionally undocumented any longer.
In bn.h rev. 1.75 (July 31, 2023), tb@ removed it from the public API.

While here, stop marking BN_prime_checks as obsolete.
In BN_generate_prime.3 rev. 1.23 (May 11, 2023), tb@ documented
the constant BN_prime_checks in that manual page.

14 months ago: Mark asn1_ps_func as obsolete and intentionally undocumented.
schwarze [Mon, 7 Aug 2023 22:39:49 +0000 (22:39 +0000)]
Mark asn1_ps_func as obsolete and intentionally undocumented.
In bio.h rev. 1.59 (July 28, 2023), tb@ removed the last four functions
that took function pointers of this type from the public API.

14 months ago: Mark BIT_STRING_BITNAME as obsolete and intentionally undocumented.
schwarze [Mon, 7 Aug 2023 22:22:15 +0000 (22:22 +0000)]
Mark BIT_STRING_BITNAME as obsolete and intentionally undocumented.
In asn1.h rev. 1.80 (July 28, 2023), tb@ removed the last three
functions that were using this data type from the public API.

15 months ago: Raise transmit threshold to 512 bytes. This makes dwqe(4) work at
kettenis [Mon, 7 Aug 2023 20:28:47 +0000 (20:28 +0000)]
Raise transmit threshold to 512 bytes.  This makes dwqe(4) work at
1000baseT.  We still see a small number of underflow errors when hammering
the interface with packets, but it is definitely usable.

While there, make sure we count transmit errors.

ok jmatthew@

15 months ago: Revert 1.43 and always make our own mapping of the Mostek chip. Trying to
miod [Mon, 7 Aug 2023 17:11:13 +0000 (17:11 +0000)]
Revert 1.43 and always make our own mapping of the Mostek chip. Trying to
reuse the prom mapping here is a bad idea because we alter its writeability
and the prom will not always expect this.

Repairs powerdown on Tadpole Ultrabook IIe.

discussed with and ok kettenis@

15 months ago: some readability tweaks; ok dlg
jmc [Mon, 7 Aug 2023 16:29:36 +0000 (16:29 +0000)]
some readability tweaks; ok dlg

15 months ago: Add a regress test exercising BIO_dup_chain() and triggering the leak
tb [Mon, 7 Aug 2023 11:00:54 +0000 (11:00 +0000)]
Add a regress test exercising BIO_dup_chain() and triggering the leak
fixed in bio_lib.c r1.47 as confirmed by ASAN.

15 months ago: Fix two leaks in BIO_dup_chain()
tb [Mon, 7 Aug 2023 10:58:56 +0000 (10:58 +0000)]
Fix two leaks in BIO_dup_chain()

If CRYPTO_dup_ex_data() fails, the new_bio is leaked. If an error occurs
after the first iteration, all members of the new chain except the head
are leaked.

ok jsing

15 months ago: Add missing space before =
tb [Mon, 7 Aug 2023 10:54:14 +0000 (10:54 +0000)]
Add missing space before =

15 months ago: Free title earlier, from Alexis Hildebrandt.
nicm [Mon, 7 Aug 2023 10:52:00 +0000 (10:52 +0000)]
Free title earlier, from Alexis Hildebrandt.

15 months ago: Trim can generate strings longer than the original if there are many #s,
nicm [Mon, 7 Aug 2023 10:04:29 +0000 (10:04 +0000)]
Trim can generate strings longer than the original if there are many #s,
so create a bigger buffer. Reported by Robert Morris.

15 months ago: add LJG
mbuhl [Mon, 7 Aug 2023 08:22:52 +0000 (08:22 +0000)]
add LJG

15 months ago: In 2016, chat changed its syslog output for hidden strings.
guenther [Mon, 7 Aug 2023 06:21:53 +0000 (06:21 +0000)]
In 2016, chat changed its syslog output for hidden strings.
Sync the manpage to match.

markup advice jmc@

15 months ago: add support for route based ipsec vpn negotiation with sec(4) via isakmpd.
dlg [Mon, 7 Aug 2023 04:10:08 +0000 (04:10 +0000)]
add support for route based ipsec vpn negotiation with sec(4) via isakmpd.

this adds "interface secX" to the grammar that you can use instead
of specifying tunnel/transport modes and traffic selectors.

if you have config like "ike interface sec0 local ... peer ...",
ipsecctl will generate the right config for isakmpd to negotiate
esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however,
this also specifies that they should be set up as interface SAs in
the kernel for use with sec(4).

this supports route-based instead of policy based ipsec encapsulation,
and allows us to more easily operate with other vendors and products
that also offer route-based vpns with opinions about the negotiated
policy that doesn't fit with the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

15 months ago: support configuring interface SAs for route-based ipsec vpns.
dlg [Mon, 7 Aug 2023 04:01:29 +0000 (04:01 +0000)]
support configuring interface SAs for route-based ipsec vpns.

add "Interface NUMBER" to the config parser to specify that once
SAs have been negotiated with a peer, install the SAs with the
sadb_x_iface extension set up, but skip installing the flows/SPD
entries.

this allows for the negotiation of multiple esp tunnels covering
all traffic between 0.0.0.0/0 to 0.0.0.0/0, and then being able to
do something useful with them using the routing table and sec(4)
interfaces instead of having SPD entries fight over those packets
in the kernel.

this in turn allows interoperation with other ipsec/vpn solutions
that require the negotiation of such tunnels.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

15 months ago: add the glue between ipsec security associations and sec(4) interfaces.
dlg [Mon, 7 Aug 2023 03:43:57 +0000 (03:43 +0000)]
add the glue between ipsec security associations and sec(4) interfaces.

if TDBF_IFACE is set on a tdb, the ipsec stack will pass it to the
sec(4) driver to keep track of instead of wiring it up for security
associations to use.

when sec(4) transmits a packet, it will look up its list of tdbs
to find the right SA to encrypt and send the packet out with.

if an incoming ipsec packet arrives with TDBF_IFACE set, it's passed
to sec(4) to be injected back into the network stack as if it was
received on the sec interface, instead of being reinjected into the
IP stack like normal SA/SPD processing does.

note that this means you do not have to configure tunnel endpoints
on sec(4) interfaces, instead you line the interface unit number
in the ipsec config up with the minor number of the sec(4) interfaces.
the peer IPs used on the SAs are what's used as the traffic endpoints.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

15 months ago: add a struct sadb_x_iface message for interface SAs
dlg [Mon, 7 Aug 2023 03:35:06 +0000 (03:35 +0000)]
add a struct sadb_x_iface message for interface SAs

this allows userland to install (and see) security associations for
route-based ipsec vpns. if this message is part of an SA, it causes
the TDBF_IFACE flag and associated fields in a tdb to be set.

the interface unit field in this message maps to the minor number of
the sec(4) interface you want the SA to work with. ie, set the
sadb_x_iface_unit field in struct sadb_x_iface to 1 to set up an
SA for use with sec1. the sadb_x_iface_direction in the message
uses IPSP_DIRECTION_IN and IPSP_DIRECTION_OUT to specify in which
direction that SA is supposed to process traffic.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

15 months ago: sec(4) to support route-based ipsec vpns.
dlg [Mon, 7 Aug 2023 03:17:42 +0000 (03:17 +0000)]
sec(4) to support route-based ipsec vpns.

committing it now so jmc@ gets commits for any fixes he makes.

15 months ago: 744c rev ce is Radeon RX 7900 GRE
jsg [Mon, 7 Aug 2023 02:47:55 +0000 (02:47 +0000)]
744c rev ce is Radeon RX 7900 GRE
found in AMD Software: Adrenalin Edition 23.7.2

15 months ago: wire sec(4) into the kernel config.
dlg [Mon, 7 Aug 2023 01:59:38 +0000 (01:59 +0000)]
wire sec(4) into the kernel config.

this makes #include "sec.h" and #if NSEC > 0 work in kernel code.

15 months ago: add sec(4) to support route based ipsec vpns.
dlg [Mon, 7 Aug 2023 01:57:33 +0000 (01:57 +0000)]
add sec(4) to support route based ipsec vpns.

ipsec security associations (SAs, aka tdbs inside the kernel) can
now specify that they're to be used with an interface (using
TDBF_IFACE) rather than the ipsec security policy database. sec(4)
is the driver providing that interface.

the name is specifically chosen to not be ipsec(4) because that's
already taken by the manpage for the ipsec stack generally. sec(4)
is short, easy to type and pronounce, and kind of sounds like ipsec
anyway. the names for this type of interface in other platforms
seem to be universally terrible and too generic, so I didn't want
to copy any of those either.

sec(4) can be considered equivalent to gif(4) protected by ipsec,
and on the wire it actually looks the same. sec(4) exists to better
support how security associations for route-based ipsec VPNs are
negotiated and to avoid SPD entries for them.

the code is a little green, but I'm putting it in now so it can be
hacked on in the tree.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

15 months ago: start adding support for route-based ipsec vpns.
dlg [Mon, 7 Aug 2023 01:44:51 +0000 (01:44 +0000)]
start adding support for route-based ipsec vpns.

rather than use ipsec flows (aka, entries in the ipsec security
policy database) to decide which traffic should be encapsulated in
ipsec and sent to a peer, this tweaks security associations (SAs)
so they can refer to a tunnel interface. when traffic is routed
over that tunnel interface, an ipsec SA is looked up and used to
encapsulate traffic before being sent to the peer on the SA. When
traffic is received from a peer using an interface SA, the specified
interface is looked up and the packet is handed to it so it looks
like packets come out of the tunnel.

to support this, SAs get a TDBF_IFACE flag and iface and iface_dir
fields.  When TDBF_IFACE is set the iface and dir fields are
considered valid, and the tdb/SA should be used with the tunnel
interface instead of the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

15 months ago: Prefer the POSIX standard st_*tim struct timespec members over the
guenther [Sun, 6 Aug 2023 19:36:13 +0000 (19:36 +0000)]
Prefer the POSIX standard st_*tim struct timespec members over the
older BSD st_*timespec names.

ok millert@

15 months ago: Apply rev 1.29 from NetBSD:
guenther [Sun, 6 Aug 2023 19:33:54 +0000 (19:33 +0000)]
Apply rev 1.29 from NetBSD:
-----
Don't printf time_t with %d; fixes PR 44128 from yamt. With this change it
successfully prints mtimes after 2038.
-----

ok millert@

15 months ago: regen
jsg [Sun, 6 Aug 2023 14:41:10 +0000 (14:41 +0000)]
regen

15 months ago: add another Navi 33 device id
jsg [Sun, 6 Aug 2023 14:40:25 +0000 (14:40 +0000)]
add another Navi 33 device id

7480 rev 00 is Radeon Pro W7600
7489 rev 00 is Radeon Pro W7500
found in AMD Software: PRO Edition 23.Q3 W7000 Series

15 months ago: Add acpi_softc == NULL checks and return ENXIO instead of crashing on
tobhe [Sun, 6 Aug 2023 14:30:08 +0000 (14:30 +0000)]
Add acpi_softc == NULL checks and return ENXIO instead of crashing on
non-acpi x86 machines.  This was lost in refactoring when moving /dev/apm
code from acpi.c to acpi_apm.c.

Found by Anton Lindqvist after report from xavier.s at mailoo dot org
ok kettenis@

15 months ago: hardclock(9): move setitimer(2) code into itimer_update()
cheloha [Sat, 5 Aug 2023 20:07:55 +0000 (20:07 +0000)]
hardclock(9): move setitimer(2) code into itimer_update()

- Move the setitimer(2) code responsible for updating the ITIMER_VIRTUAL
  and ITIMER_PROF timers from hardclock(9) into a new clock interrupt
  routine, itimer_update().  itimer_update() is periodic and runs at the
  same frequency as the hardclock.

  + Revise itimerdecr() to run within itimer_mtx instead of entering
    and leaving it.

- Each schedstate_percpu has its own itimer_update() handle, spc_itimer.
  A new scheduler flag, SPCF_ITIMER, indicates whether spc_itimer was
  started during the last mi_switch() and needs to be stopped during the
  next mi_switch() or sched_exit().

- A new per-process flag, PS_ITIMER, indicates whether ITIMER_VIRTUAL
  and/or ITIMER_PROF are running.  Checking the flag is easier than
  entering itimer_mtx to check process.ps_timer[].  The flag is set
  and cleared in a new helper function, process_reset_itimer_flag().

- In setitimer(), call need_resched() when the state of ITIMER_VIRTUAL
  or ITIMER_PROF is changed to force an mi_switch() and update
  spc_itimer.

claudio@ notes that ITIMER_PROF could be implemented as a high-res
timer using the thread's execution time as a guide for when to
interrupt the process and assert SIGPROF.  This would probably work
really well in single-threaded processes.  ITIMER_VIRTUAL would be
more difficult to make high-res, though, as you need to exclude time
spent in the kernel.

Tested on powerpc64 by gkoehler@.  With input from claudio@.

Thread: https://marc.info/?l=openbsd-tech&m=169038818517101&w=2

ok claudio@

15 months ago: remove trailing comma in NAME;
jmc [Sat, 5 Aug 2023 18:27:55 +0000 (18:27 +0000)]
remove trailing comma in NAME;

15 months ago: Remove the P_WSLEEP specific KASSERT(). Not only procs in state SSTOP
claudio [Sat, 5 Aug 2023 12:41:04 +0000 (12:41 +0000)]
Remove the P_WSLEEP specific KASSERT(). Not only procs in state SSTOP
can be added to the run queue but also procs in state SRUN. The latter
happens when schedcpu() kicks in before the proc had a chance to run.
Problem spotted by gkoehler@
OK cheloha@

15 months ago: Remove empty file left behind in a revert during p2k17
tb [Sat, 5 Aug 2023 08:47:31 +0000 (08:47 +0000)]
Remove empty file left behind in a revert during p2k17

15 months ago: cpu_idle_{enter,leave} are no-ops on mips64, so just #define
guenther [Sat, 5 Aug 2023 05:46:36 +0000 (05:46 +0000)]
cpu_idle_{enter,leave} are no-ops on mips64, so just #define
away the calls

ok jca@

15 months ago: cpu_idle_{enter,leave} are no-ops on riscv64, so just #define
guenther [Sat, 5 Aug 2023 05:45:52 +0000 (05:45 +0000)]
cpu_idle_{enter,leave} are no-ops on riscv64, so just #define
away the calls

ok jca@

15 months ago: Inform 8bpp capability on 8bpp framebuffer in
aoyama [Sat, 5 Aug 2023 00:34:19 +0000 (00:34 +0000)]
Inform 8bpp capability on 8bpp framebuffer in
WSDISPLAYIO_GETSUPPORTEDDEPTH ioctl.

This is needed to use recent updated wsfb(4) driver in 8bpp mode.
We can use 1bpp X server on 8bpp framebuffer by 'startx -- -depth 1'.

Tested by me.

15 months ago: Convert calls to ibuf_length() where it is clear that the ibuf is not
claudio [Fri, 4 Aug 2023 19:06:25 +0000 (19:06 +0000)]
Convert calls to ibuf_length() where it is clear that the ibuf is not
NULL to ibuf_size(). In some cases it is clear that the ibuf pointer
should just be checked for NULL since afterwards a new ibuf is allocated
in its place.
OK tb@

15 months ago: Remove unused struct field vlan_stripping.
jan [Fri, 4 Aug 2023 10:58:27 +0000 (10:58 +0000)]
Remove unused struct field vlan_stripping.

pointed out by bluhm

ok bluhm@

15 months ago: Sync the supported hardware list with arm64.html.
fcambus [Fri, 4 Aug 2023 10:29:09 +0000 (10:29 +0000)]
Sync the supported hardware list with arm64.html.

15 months ago: dma-buf: fix an error pointer vs NULL bug
jsg [Fri, 4 Aug 2023 09:36:28 +0000 (09:36 +0000)]
dma-buf: fix an error pointer vs NULL bug

From Dan Carpenter
c3d576baa6c8f0b34750a0b6f9b12e9d64625512 in linux-6.1.y/6.1.43
00ae1491f970acc454be0df63f50942d94825860 in mainline linux

15 months ago: drm_syncobj.c now uses dma_fence_allocate_private_stub() with an arg
jsg [Fri, 4 Aug 2023 09:31:20 +0000 (09:31 +0000)]
drm_syncobj.c now uses dma_fence_allocate_private_stub() with an arg

15 months ago: dma-buf: keep the signaling time of merged fences v3
jsg [Fri, 4 Aug 2023 09:30:48 +0000 (09:30 +0000)]
dma-buf: keep the signaling time of merged fences v3

From Christian Koenig
23acc2b850ba4dfdfe2700d728be3e27710260a1 in linux-6.1.y/6.1.43
f781f661e8c99b0cb34129f2e374234d61864e77 in mainline linux

15 months ago: drm/amd/display: Write to correct dirty_rect
jsg [Fri, 4 Aug 2023 09:23:40 +0000 (09:23 +0000)]
drm/amd/display: Write to correct dirty_rect

From Benjamin Cheng
d701687c898e5358f29ca11bccdfc8f54129e69c in linux-6.1.y/6.1.43
751281c55579f0cb0e56c9797d4663f689909681 in mainline linux