openbsd
12 months agosync
deraadt [Sat, 14 Oct 2023 05:07:05 +0000 (05:07 +0000)]
sync

12 months agoUpdate lang/ruby module documentation for the removal of Ruby 3.0
jeremy [Fri, 13 Oct 2023 23:16:58 +0000 (23:16 +0000)]
Update lang/ruby module documentation for the removal of Ruby 3.0

12 months agoUse a unique mount point rooted in /mnt in order to not conflict with other
anton [Fri, 13 Oct 2023 19:30:18 +0000 (19:30 +0000)]
Use a unique mount point rooted in /mnt in order to not conflict with other
tests.

12 months agoUse the idiom in cleanup target like many others
anton [Fri, 13 Oct 2023 19:28:59 +0000 (19:28 +0000)]
Use the  idiom in cleanup target like many others
in regress already does.

12 months agoAdd Allwinner D1 support.
kettenis [Fri, 13 Oct 2023 15:41:25 +0000 (15:41 +0000)]
Add Allwinner D1 support.

ok mbuhl@, patrick@, dlg@

12 months agoenable dwqe(4) in RAMDISK_CD
stsp [Fri, 13 Oct 2023 13:52:08 +0000 (13:52 +0000)]
enable dwqe(4) in RAMDISK_CD
reminded by jsg@, snapshot test build done by me

12 months agoRemove bold8x16-iso1 font.
fcambus [Fri, 13 Oct 2023 13:28:02 +0000 (13:28 +0000)]
Remove bold8x16-iso1 font.

This font has been unlinked from the build in January 2019 when it was
replaced by Spleen 8x16.

OK mpi@

12 months agoAdjust regress to cope with constraints
tb [Fri, 13 Oct 2023 12:12:05 +0000 (12:12 +0000)]
Adjust regress to cope with constraints

12 months agoAllow imposing constraints on RPKI trust anchors
job [Fri, 13 Oct 2023 12:06:49 +0000 (12:06 +0000)]
Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@

12 months agoForce the router-id on all bgpd instances to make the expected output
claudio [Fri, 13 Oct 2023 07:55:57 +0000 (07:55 +0000)]
Force the router-id on all bgpd instances to make the expected output
predictable.

12 months agoAdd missing Ns in argument list of announce (IPv4|IPv6) ...
claudio [Fri, 13 Oct 2023 07:37:35 +0000 (07:37 +0000)]
Add missing Ns in argument list of announce (IPv4|IPv6) ...

12 months agoTweak previous by using the argument name, not its type
tb [Fri, 13 Oct 2023 05:49:34 +0000 (05:49 +0000)]
Tweak previous by using the argument name, not its type

12 months agoImprove the description of X509_ALGOR_dup(3)
tb [Fri, 13 Oct 2023 05:47:35 +0000 (05:47 +0000)]
Improve the description of X509_ALGOR_dup(3)

The old description was vague, but strictly speaking a lie, so make it
more precise and turn the lie into a truth.

12 months agoRemove ancient version of zlib bundled with GNU cvs.
bluhm [Fri, 13 Oct 2023 00:00:51 +0000 (00:00 +0000)]
Remove ancient version of zlib bundled with GNU cvs.

Avoid false positive in security scan.  Removal of embedded zlib
ensures that cvs is linked dynamically with /usr/lib/libz.so.  We
do not want any zlib 1.1.3 from 2001 in our source tree.

no binary diff; OK millert@ deraadt@

12 months agoTest retry after DNS lookup failure.
bluhm [Thu, 12 Oct 2023 22:41:29 +0000 (22:41 +0000)]
Test retry after DNS lookup failure.

12 months agoRetry DNS lookup for remote loghost.
bluhm [Thu, 12 Oct 2023 22:36:54 +0000 (22:36 +0000)]
Retry DNS lookup for remote loghost.

If DNS lookup for a remote loghost configured in syslog.conf did
not work at startup, the entry was ignored.  Better retry the lookup
in intervals until it succeeds.  Improve debug output to print IP
address after resolution.  Unify retry code that resolves DNS for
UDP and connects to TCP server.

testing and feedback from Paul de Weerd; OK deraadt@

12 months agopflog(4) logs packet dropped by default rule with block.
bluhm [Thu, 12 Oct 2023 19:15:21 +0000 (19:15 +0000)]
pflog(4) logs packet dropped by default rule with block.

If a packet is malformed, it is dropped by pf(4).  The rule referenced
in pflog(4) is the default rule.  As the default rule is a pass
rule, tcpdump printed "pass" although the packet was actually
dropped.  To avoid confusion, change the action to drop.  Then
tcpdump prints "block".

OK sashan@ kn@

12 months agox509_algor: fix error message
tb [Thu, 12 Oct 2023 17:14:17 +0000 (17:14 +0000)]
x509_algor: fix error message

12 months agoLet vnconfig select an unused device as opposed of unconditionally
anton [Thu, 12 Oct 2023 16:59:23 +0000 (16:59 +0000)]
Let vnconfig select an unused device as opposed of unconditionally
assume vnd0 is available.

12 months agoStatic binaries which do not call execve() were not calling
deraadt [Thu, 12 Oct 2023 16:37:05 +0000 (16:37 +0000)]
Static binaries which do not call execve() were not calling
pinsyscall(SYS_execve, ...).  Upon review, this is a fairly small
set of programs which either pledge() aggressively or don't usually
operate in a risky operating environment.  We now point at a location
which is definately not a "syscall" instruction.
ok kettenis

12 months agotimeout: add TIMEOUT_MPSAFE flag
cheloha [Thu, 12 Oct 2023 15:32:38 +0000 (15:32 +0000)]
timeout: add TIMEOUT_MPSAFE flag

Add a TIMEOUT_MPSAFE flag to signal that a timeout is safe to run
without the kernel lock.  Currently, TIMEOUT_MPSAFE requires
TIMEOUT_PROC.  When the softclock() is unlocked in the future this
dependency will be removed.

On MULTIPROCESSOR kernels, softclock() now shunts TIMEOUT_MPSAFE
timeouts to a dedicated "timeout_proc_mp" bucket for processing by the
dedicated softclock_thread_mp() kthread.  Unlike softclock_thread(),
softclock_thread_mp() is not pinned to any CPU and runs run at IPL_NONE.

Prompted by bluhm@.  Lots of input from bluhm@.  Joint work with mvs@.

Prompt: https://marc.info/?l=openbsd-tech&m=169646019109736&w=2
Thread: https://marc.info/?l=openbsd-tech&m=169652212131109&w=2

ok mvs@

12 months agobt(5), btrace(8): add support for binary modulo operator ('%')
cheloha [Thu, 12 Oct 2023 15:16:44 +0000 (15:16 +0000)]
bt(5), btrace(8): add support for binary modulo operator ('%')

Link: https://marc.info/?l=openbsd-tech&m=169695435209410&w=2
ok mpi@

12 months agoBefore calling rde_generate_updates() with EVAL_ALL ensure that the new
claudio [Thu, 12 Oct 2023 14:22:08 +0000 (14:22 +0000)]
Before calling rde_generate_updates() with EVAL_ALL ensure that the new
path is actually eligible. If this is not the case pass NULL instead.
This is an optimisation to bypass extra work if both old and new path
were ineligible.
OK tb@

12 months agoIn up_generate_addpath_all() ensure that the new prefix is valid.
claudio [Thu, 12 Oct 2023 14:16:28 +0000 (14:16 +0000)]
In up_generate_addpath_all() ensure that the new prefix is valid.

This should fix a fatal error reported by Arend Brouwer (arend at eritap com)
when "announce add-path send all" is used.
As a workaround "announce add-path send best plus 500" can used.

OK tb@

12 months agofor a few sysctl nodes, mention standard or at least more widely
schwarze [Thu, 12 Oct 2023 12:56:26 +0000 (12:56 +0000)]
for a few sysctl nodes, mention standard or at least more widely
available libc API functions and utility programs that produce
equivalent output on OpenBSD;
OK deraadt@

12 months agoRemove default sets answer
kn [Thu, 12 Oct 2023 12:31:15 +0000 (12:31 +0000)]
Remove default sets answer

The autoinstall(8) response file contains only non-defaults, except for
        Set name(s)? (or 'abort' or 'done') [done] done
which is the hardcoded default since 2009.

Added in 2019 r1.23 "Let sysupgrade(8) create auto_upgrade.conf file [...]"
with all others, remove the exception.

OK florian

12 months agoAdd a fairly minimal ixp setup generated by arouteserver
claudio [Thu, 12 Oct 2023 09:18:56 +0000 (09:18 +0000)]
Add a fairly minimal ixp setup generated by arouteserver
This does a lot of community manipulation and also tests a few other
bits of code (prepends, roa, prefix-set).

12 months agox509_algor: add a few missing includes
tb [Thu, 12 Oct 2023 04:53:45 +0000 (04:53 +0000)]
x509_algor: add a few missing includes

12 months agotypos and extra debug trace calls
djm [Thu, 12 Oct 2023 03:51:08 +0000 (03:51 +0000)]
typos and extra debug trace calls

12 months agoensure logs are owned by correct user; feedback/ok dtucker@
djm [Thu, 12 Oct 2023 03:48:53 +0000 (03:48 +0000)]
ensure logs are owned by correct user; feedback/ok dtucker@

12 months ago64 %-expansion keys ought to be enough for anybody; ok dtucker
djm [Thu, 12 Oct 2023 03:36:32 +0000 (03:36 +0000)]
64 %-expansion keys ought to be enough for anybody; ok dtucker
(we just hit the previous limit in some cases)

12 months agodon't dereference NULL pointer when hashing jumphost
djm [Thu, 12 Oct 2023 02:48:43 +0000 (02:48 +0000)]
don't dereference NULL pointer when hashing jumphost

12 months agoadd %j token that expands to the configured ProxyJump hostname (or
djm [Thu, 12 Oct 2023 02:18:18 +0000 (02:18 +0000)]
add %j token that expands to the configured ProxyJump hostname (or
the empty string if this option is not being used).
bz3610, ok dtucker

12 months agorelease GSS OIDs only at end of authentication; bz2982, ok dtucker@
djm [Thu, 12 Oct 2023 02:15:53 +0000 (02:15 +0000)]
release GSS OIDs only at end of authentication; bz2982, ok dtucker@

12 months agomask SIGINT/TERM/QUIT/HUP before checking quit_pending and use ppoll()
djm [Thu, 12 Oct 2023 02:12:53 +0000 (02:12 +0000)]
mask SIGINT/TERM/QUIT/HUP before checking quit_pending and use ppoll()
to unmask them in the mainloop. Avoids race condition between signaling
ssh to exit and polling. bz3531; ok dtucker

12 months agosync usage() with ssh.1; spotted by kn@
djm [Wed, 11 Oct 2023 23:23:58 +0000 (23:23 +0000)]
sync usage() with ssh.1; spotted by kn@

12 months agossh -Q does not make sense with other command-line options, so give
djm [Wed, 11 Oct 2023 23:14:33 +0000 (23:14 +0000)]
ssh -Q does not make sense with other command-line options, so give
it its own line in the manpage

12 months agoadd ChannelTimeout support to the client, mirroring the same option
djm [Wed, 11 Oct 2023 22:42:26 +0000 (22:42 +0000)]
add ChannelTimeout support to the client, mirroring the same option
in the server. ok markus@

12 months agoadd support for reading ED25519 private keys in PEM PKCS8 format;
djm [Wed, 11 Oct 2023 22:41:05 +0000 (22:41 +0000)]
add support for reading ED25519 private keys in PEM PKCS8 format;
ok markus@ tb@

12 months agoPrevent deref-after-free when tdb_timeout() fires on invalid new tdb.
tobhe [Wed, 11 Oct 2023 22:13:16 +0000 (22:13 +0000)]
Prevent deref-after-free when tdb_timeout() fires on invalid new tdb.

When receiving a pfkeyv2 SADB_ADD message, a newly created tdb can
fail in tdb_init(), which causes the tdb to not get added to the
global tdb list and an immediate dereference.  If a lifetime timeout
triggers on this tdb, it will unconditionally try to remove it from
the list and in the process deref once more than allowed,
causing a one bit corruption in the already freed up slot in the
tdb pool.

We resolve this issue by moving timeout_add() after tdb_init()
just before puttdb().  This means tdbs failing initialization
get discarded immediately as they only hold a single reference.
Valid tdbs get their timeouts activated just before we add them
to the tdb list, meaning the timeout can safely assume they are
linked.

Feedback from mvs@ and millert@
ok mvs@ mbuhl@

12 months agoCheck if loopback interfaces used are skipped by pf as opposed of
anton [Wed, 11 Oct 2023 18:07:56 +0000 (18:07 +0000)]
Check if loopback interfaces used are skipped by pf as opposed of
bailing out if any loopback interface is skipped other than lo0.

12 months agoInfer rdomains from environment variables N1 and N2 like many others in
anton [Wed, 11 Oct 2023 18:07:15 +0000 (18:07 +0000)]
Infer rdomains from environment variables N1 and N2 like many others in
regress/sys/net already does. No functional change as the defaults
remains the same.

12 months agoRemove dead CRYPTOCHUNK usage
kn [Wed, 11 Oct 2023 17:53:52 +0000 (17:53 +0000)]
Remove dead CRYPTOCHUNK usage

install.sub r1.1245 "Ask for disk crypto after root disk question" got rid
of global CRYPTO* variables;  no functional change.

12 months agokernel: expand fixed clock interrupt periods to 64-bit values
cheloha [Wed, 11 Oct 2023 15:42:44 +0000 (15:42 +0000)]
kernel: expand fixed clock interrupt periods to 64-bit values

Technically, all the current fixed clock interrupt periods fit within
an unsigned 32-bit value.  But 32-bit multiplication is an accident
waiting to happen.  So, expand the fixed periods for hardclock,
statclock, profclock, and roundrobin to 64-bit values.

One exception: statclock_mask remains 32-bit because random(9) yields
32-bit values.  Update the initclocks() comment to make it clear that
this is not an accident.

12 months agoclockintr: move clockintr_schedule() into public API
cheloha [Wed, 11 Oct 2023 15:07:04 +0000 (15:07 +0000)]
clockintr: move clockintr_schedule() into public API

Prototype clockintr_schedule() in <sys/clockintr.h>.

12 months agoput "stub" within grasp of -DREGRESSION_TESTING.
espie [Wed, 11 Oct 2023 13:54:43 +0000 (13:54 +0000)]
put "stub" within grasp of -DREGRESSION_TESTING.
Extend it slightly: do not stub quirks, so that caching mechanisms work
as usual even when using stubs.

12 months agomissing state in locator call, surprised nobody else ran into that
espie [Wed, 11 Oct 2023 13:52:29 +0000 (13:52 +0000)]
missing state in locator call, surprised nobody else ran into that

12 months agoSome housekeeping in x_algor
tb [Wed, 11 Oct 2023 13:22:11 +0000 (13:22 +0000)]
Some housekeeping in x_algor

Fix includes and zap an empty line.

ok jsing

12 months agoRewrite X509_ALGOR_set0()
tb [Wed, 11 Oct 2023 13:20:18 +0000 (13:20 +0000)]
Rewrite X509_ALGOR_set0()

The current implementation is a complete mess. There are three cases:
1) ptype == V_ASN1_UNDEF: parameter must be freed and set to NULL.
2) ptype == 0: existing non-NULL parameters are left untouched, NULL
   parameters are replaced with ASN1_TYPE_new()'s wacky defaults.
3) otherwise allocate new parameters if needed and set them to ptype/pval.
In all three cases free the algorithm and set it to aobj.

The challenge now is to implement this using nine if statements and one
else clause... We can do better. This preserves existing behavior. There
would be cleaner implementations possible, but they would change behavior.

There are many callers in the ecosystem that do not error check
X509_ALGOR_set0() since OpenSSL failed to do so. So this was carefully
rewritten to leave alg in a consisten state so that unchecking callers
don't encounter corrupted algs.

ok jsing

12 months agox509_algor: Turn expected failure into actual failure now that the API is
tb [Wed, 11 Oct 2023 13:13:25 +0000 (13:13 +0000)]
x509_algor: Turn expected failure into actual failure now that the API is
fixed.

12 months agoEnsure that out_value is initialized even if out_type is NULL
tb [Wed, 11 Oct 2023 13:12:46 +0000 (13:12 +0000)]
Ensure that out_value is initialized even if out_type is NULL

This fixes the printf in the x509_algor regress.

ok jsing

12 months agoRewrite X509_ALGOR_get0()
tb [Wed, 11 Oct 2023 13:10:13 +0000 (13:10 +0000)]
Rewrite X509_ALGOR_get0()

Make the logic slightly less convoluted. Preserve the behavior that
*ppval remains unset if pptype == NULL for now. However, ensure that
*ppval is set to NULL if pptype is V_ASN1_UNDER.

ok jsing

12 months agoAdd internal version of X509_ALGOR_set_md()
tb [Wed, 11 Oct 2023 13:05:18 +0000 (13:05 +0000)]
Add internal version of X509_ALGOR_set_md()

X509_ALGOR_set_md() is a void function that cannot easily be error checked.
The caller has to jump through hoops to make sure this function doesn't
fail. Prepare replacing this internally with X509_ALGOR_set_evp_md(), which
allows error checking. There is one slight change of behavior: if the EVP_MD
object passed in does not have an OID known to the library, then this new
API fails.

It is unclear what the library should do with such an object and people
who use EVP_MD_meth_new() need to know what they are doing anyway and they
are better off teaching the lib about the OID if they're going to be
messing with certs.

Oh, and the prototype is in x509_local.h because the rest of this API is
in x509.h despite being implemented in asn1/.

ok jsing

12 months agoAdd preallocation dance for X509_ALGOR_set_md() as documented
tb [Wed, 11 Oct 2023 13:00:16 +0000 (13:00 +0000)]
Add preallocation dance for X509_ALGOR_set_md() as documented

12 months agodwqe(4) may now attach via pci(4)
stsp [Wed, 11 Oct 2023 12:57:53 +0000 (12:57 +0000)]
dwqe(4) may now attach via pci(4)

12 months agoAdd initial support for Elkhart Lake ethernet to dwqe(4).
stsp [Wed, 11 Oct 2023 12:52:00 +0000 (12:52 +0000)]
Add initial support for Elkhart Lake ethernet to dwqe(4).

For now, only attach to PSE0/RGMII (device ID 0x4ba0) which is the
only device I have access to for testing.

There is a known problem where Tx throughput is lower than expected.
This is being looked into.

ok kettenis@

12 months agoClean up X509_ALGOR_cmp()
tb [Wed, 11 Oct 2023 12:51:07 +0000 (12:51 +0000)]
Clean up X509_ALGOR_cmp()

This is currently written in what is likely the most stupid way possible.
Rewrite this function in a more straightforward way.

ok jsing

12 months agoAdd regress coverage for X509_ALGOR_*
tb [Wed, 11 Oct 2023 12:49:00 +0000 (12:49 +0000)]
Add regress coverage for X509_ALGOR_*

This covers the setters and getters. Serialization and deserialization as
well as comparison is already well covered by the pieces of regress using
certs.

There is currently one printf indicating failure. This will be fixed
shortly.

12 months agofix bitmask of GMAC4 hwfeatures1 RX FIFO size
stsp [Wed, 11 Oct 2023 12:32:46 +0000 (12:32 +0000)]
fix bitmask of GMAC4 hwfeatures1 RX FIFO size

ok kettenis

12 months agoI forgot that we now have ASN1_INTEGER_set_uint64()
tb [Wed, 11 Oct 2023 12:06:11 +0000 (12:06 +0000)]
I forgot that we now have ASN1_INTEGER_set_uint64()

12 months agoExtend rde_community_test to check various aspects of non-transitive
claudio [Wed, 11 Oct 2023 07:05:11 +0000 (07:05 +0000)]
Extend rde_community_test to check various aspects of non-transitive
extended communities. Mainly that the non-transitive communities are
properly stripped.
Test fails without rev 1.14 of rde_community.c

12 months agomention "none" is a valid argument to IdentityFile; bz3080
djm [Wed, 11 Oct 2023 06:40:54 +0000 (06:40 +0000)]
mention "none" is a valid argument to IdentityFile; bz3080

12 months agoBump version for -portable release
claudio [Wed, 11 Oct 2023 06:30:10 +0000 (06:30 +0000)]
Bump version for -portable release

12 months agoBe more precise about X509_ALGOR_get0()
tb [Wed, 11 Oct 2023 06:08:57 +0000 (06:08 +0000)]
Be more precise about X509_ALGOR_get0()

12 months agoin olde rcp/scp protocol mode, when rejecting a path from the server
djm [Wed, 11 Oct 2023 05:42:08 +0000 (05:42 +0000)]
in olde rcp/scp protocol mode, when rejecting a path from the server
as not matching the glob that the client sent, log (at debug level) the
received pathname as well as the list of possible expected paths expanded
from the glob. bz2966

12 months agos/%.100s/%s/ in SSH- banner construction as there's no reason to
djm [Wed, 11 Oct 2023 04:46:29 +0000 (04:46 +0000)]
s/%.100s/%s/ in SSH- banner construction as there's no reason to
limit its size: the version string bring included is a compile time
constant going into an allocated banner string.

12 months agoclockintr_stagger: rename parameters: "n" -> "numer", "count" -> "denom"
cheloha [Wed, 11 Oct 2023 00:02:25 +0000 (00:02 +0000)]
clockintr_stagger: rename parameters: "n" -> "numer", "count" -> "denom"

Rename these parameters to align the code with the forthcoming
manpage.  No functional change.

12 months agoCorrectly define GMAC_VERSION. Found by stsp@
kettenis [Tue, 10 Oct 2023 19:06:42 +0000 (19:06 +0000)]
Correctly define GMAC_VERSION.  Found by stsp@

ok stsp@

12 months agoIgnore PCI MEM64 ranges over 4GB, since this 32-bit kernel can't use them;
miod [Tue, 10 Oct 2023 18:40:34 +0000 (18:40 +0000)]
Ignore PCI MEM64 ranges over 4GB, since this 32-bit kernel can't use them;
this prevents a DIAGNOSTIC panic when running in qemu without option
"-M virt,highmem=off".

Reported by and ok jsg@

12 months agoFix timing issue in which one thread could be left hanging in
anton [Tue, 10 Oct 2023 18:18:05 +0000 (18:18 +0000)]
Fix timing issue in which one thread could be left hanging in
pipe_read().

12 months agoMake it possible to run fileops tests in parallel by making use of a
anton [Tue, 10 Oct 2023 18:17:25 +0000 (18:17 +0000)]
Make it possible to run fileops tests in parallel by making use of a
unique mount point and vnd device.

12 months agopf(4) must not pass packet if state cannot be created.
bluhm [Tue, 10 Oct 2023 16:26:06 +0000 (16:26 +0000)]
pf(4) must not pass packet if state cannot be created.

The behavior of the PFRULE_SRCTRACK and max_states check was
unintentionally changed by commit revision 1.964.  If the state was
not created due to some limit had been reached, pf still passed the
packet.  Restore the old logic by setting action to pass later,
after the checks.  In pf_test_rule() action is initialized to drop.

OK sashan@

12 months agoPrint at most pkgsize - hdrsize bytes for pfkey tag and identity to
tobhe [Tue, 10 Oct 2023 16:16:16 +0000 (16:16 +0000)]
Print at most pkgsize - hdrsize bytes for pfkey tag and identity to
prevent out-of-bounds read in strlen().

ok tb@

12 months agoDo not copy stack garbage, that's not going to be used.
florian [Tue, 10 Oct 2023 16:09:53 +0000 (16:09 +0000)]
Do not copy stack garbage, that's not going to be used.

Pointed out by gcc via tb.

rdns_count is validated by all callers of propose_rdns(), so we can
trust it here to be sensible.

While here fix a pasto in an error message.

OK tb

12 months agoWhen rewriting community_writebuf() the handling of non-transitive
claudio [Tue, 10 Oct 2023 14:36:28 +0000 (14:36 +0000)]
When rewriting community_writebuf() the handling of non-transitive
ext-communities was put into the wrong place in the loop finding
start, end and number of communities to dump. As a result the end
pointer for regular communities can point at an ext-community and
with that the COMMUNITY attribute written includes unexpected extra
bytes. This in turn causes the peer to send a NOTIFICATION error
and to terminate the session.

Fix for -portable issue #64 reported by Pier Carlo Chiodi (pierky)
OK tb@

12 months agoImprove X509_ALGOR_new(3) documentation
tb [Tue, 10 Oct 2023 13:59:47 +0000 (13:59 +0000)]
Improve X509_ALGOR_new(3) documentation

The previous wording was misleading since the result of X509_ALGOR_new()
is not actually an empty X509_ALGOR object. Rather, it contains the
undefined ASN1_OBJECT returned by OBJ_nid2obj(NID_undef). Therefore using
X509_ALGOR_get0(3) for error checking X509_ALGOR_set_md() is not trivial.

So: change the initial paragraph into a general intro referring to the
OpenSSL API needed to interface with X509_ALGOR and write a new paragraph
documenting X509_ALGOR_new(3) and drop the incorrect suggestion of an error
check. Notably there's now a reference to the OBJ_nid2obj() family without
which one cannot really use X509_ALGOR_* for anything at all.

With and ok schwarze

12 months agoRemove dead code in pf_pull_hdr().
bluhm [Tue, 10 Oct 2023 11:25:31 +0000 (11:25 +0000)]
Remove dead code in pf_pull_hdr().

pf_pull_hdr() allows to pass an action pointer parameter as output
value.  This is never used, all callers pass a NULL argument.  Remove
ACTION_SET() entirely.

The logic (fragoff >= len) in pf_pull_hdr() does not work since
revision 1.4.  Before it was used to drop short TCP or UDP fragments
that contained only part of the header.  Current code in pf_pull_hdr()
drops the packets anyway, so always set reason PFRES_FRAG.

OK kn@ sashan@

12 months agoFix format string warning in robots/score.c
tb [Tue, 10 Oct 2023 09:48:06 +0000 (09:48 +0000)]
Fix format string warning in robots/score.c

12 months agoPrint a long with %ld instead of %d
tb [Tue, 10 Oct 2023 09:43:52 +0000 (09:43 +0000)]
Print a long with %ld instead of %d

12 months agoUse vw_printw() and fix a format print warning.
tb [Tue, 10 Oct 2023 09:42:56 +0000 (09:42 +0000)]
Use vw_printw() and fix a format print warning.

12 months agoDrop GCC_PRINTFLIKE() at function definition
tb [Tue, 10 Oct 2023 09:30:06 +0000 (09:30 +0000)]
Drop GCC_PRINTFLIKE() at function definition

This makes gcc throw a fit and having the attributes for the prototypes in
engine.h is enough.

ok claudio sthen

12 months agoFix a format warning about a non-literal string
tb [Tue, 10 Oct 2023 09:27:03 +0000 (09:27 +0000)]
Fix a format warning about a non-literal string

ok claudio sthen

12 months agoPrint non-literal string with "%s"
tb [Tue, 10 Oct 2023 08:22:19 +0000 (08:22 +0000)]
Print non-literal string with "%s"

Caught by printf format attribute for printw(3) in newer curses.

12 months agoFiv the value written to dwqe(4) MAC_1US_TIC_CTR register.
stsp [Tue, 10 Oct 2023 07:11:50 +0000 (07:11 +0000)]
Fiv the value written to dwqe(4) MAC_1US_TIC_CTR register.

The calculation of this value is supposed to involve a clock frequency
but we were using a clock ID in the range 0-7 instead.

ok kettenis, patrick

12 months agoGarbage collect cipher_get_keyiv_len()
tb [Tue, 10 Oct 2023 06:49:54 +0000 (06:49 +0000)]
Garbage collect cipher_get_keyiv_len()

This is a compat20 leftover, unused since 2017.

ok djm

12 months agoReserve a range of "local extension" message numbers that OpenSSH promises
djm [Tue, 10 Oct 2023 03:57:45 +0000 (03:57 +0000)]
Reserve a range of "local extension" message numbers that OpenSSH promises
not to use (comment change only)

12 months agoRecognize GICv4 in the MADT and configure it as arm,gic-v3.
patrick [Mon, 9 Oct 2023 22:05:27 +0000 (22:05 +0000)]
Recognize GICv4 in the MADT and configure it as arm,gic-v3.

ok kettenis@

12 months agoHandle an arbitrary number of D11 cores and only disable them instead of
kettenis [Mon, 9 Oct 2023 21:49:34 +0000 (21:49 +0000)]
Handle an arbitrary number of D11 cores and only disable them instead of
doing a full reset.  Based on a diff from Hector Martin for Asahi Linux.

ok patrick@, tobhe@

12 months agoAdd Message-Id as needed for messages received on the submission port.
millert [Mon, 9 Oct 2023 20:55:32 +0000 (20:55 +0000)]
Add Message-Id as needed for messages received on the submission port.

Since listener->port is in network byte order we need to compare
against htons(587).  The fix for this got dropped in the rewrite
in revision 1.335.

12 months agoMention that the strings are OS-specific.
schwarze [Mon, 9 Oct 2023 19:32:51 +0000 (19:32 +0000)]
Mention that the strings are OS-specific.
In part based on input from deraadt@, OK millert@.

12 months agoDocument the OpenBSD-specific output format.
schwarze [Mon, 9 Oct 2023 19:28:42 +0000 (19:28 +0000)]
Document the OpenBSD-specific output format.
Feedback and OK millert, "more reasonable" deraadt@.

12 months agoUse the usual text for X509_ALGOR_free()
tb [Mon, 9 Oct 2023 16:59:55 +0000 (16:59 +0000)]
Use the usual text for X509_ALGOR_free()

12 months agoClarify that 'undefined type' means V_ASN1_UNDEF
tb [Mon, 9 Oct 2023 16:06:01 +0000 (16:06 +0000)]
Clarify that 'undefined type' means V_ASN1_UNDEF

12 months agoClarify documentation of X509_ALGOR_{set0,set_md}()
tb [Mon, 9 Oct 2023 16:03:57 +0000 (16:03 +0000)]
Clarify documentation of X509_ALGOR_{set0,set_md}()

The X509_ALGOR_set0() and X509_ALGOR_set_md() documentation comes from
upstream, which means it is as sloppy as the code and as vague as your
average upstream manpage. Be precise on what X509_ALGOR_set0() does on
different inputs and document return values and failure modes.

X509_ALGOR_set_md() is a void function that calls X509_ALGOR_set0() in a
way that can fail, leaving alg in a corrupted state. Document when that
can occur and how to avoid or detect that, but do not go too far, because
EVP_MD_meth_new(), one potential source of failures, is a whole another
can of worms.

joint work with schwarze

12 months agoAdd pledge("stdio") before parsing pfkey messages. This applies to
tobhe [Mon, 9 Oct 2023 15:32:14 +0000 (15:32 +0000)]
Add pledge("stdio") before parsing pfkey messages. This applies to
ipsecctl -m and ipsecctl -s. Refactor ipsecctl_show_*() to setup all
sysctls first before dropping privileges and finally parsing and
printing IPsec SAs and flows.

feedback and ok mbuhl@
ok deraadt@

12 months agoallow dwqe.c to build on architectures that do not have machine/fdt.h
stsp [Mon, 9 Oct 2023 14:25:00 +0000 (14:25 +0000)]
allow dwqe.c to build on architectures that do not have machine/fdt.h

Move struct if_device to a new fdt-specific softc struct, along with
the gmac_id field which is only used by if_dwqe_fdt.c at present.
This avoids the need to include any fdt header files in dwqe.c.

ok kettenis@

12 months agoplaceholder for later feature
espie [Mon, 9 Oct 2023 07:12:22 +0000 (07:12 +0000)]
placeholder for later feature

12 months agoFix return value confusion of sa_cmp() by renaming the function sa_equal().
claudio [Mon, 9 Oct 2023 07:11:20 +0000 (07:11 +0000)]
Fix return value confusion of sa_cmp() by renaming the function sa_equal().

The code in get_alternate_addr() checked for sa_cmp() == 0 but actually
sa_cmp() returned 1 for equal addrs. So rename the function to sa_equal()
to make it clear that a true return value means equality.

Found by Asa Yeamans (enigma2e at rivin net)
OK tb@

12 months agosimplify: all 3 mock-ups are strings that get eval'd, so do this properly.
espie [Mon, 9 Oct 2023 07:03:49 +0000 (07:03 +0000)]
simplify: all 3 mock-ups are strings that get eval'd, so do this properly.

12 months agodrm/amdkfd: Use gpu_offset for user queue's wptr
jsg [Mon, 9 Oct 2023 02:37:14 +0000 (02:37 +0000)]
drm/amdkfd: Use gpu_offset for user queue's wptr

From YuBiao Wang
b60028c81e463b0930191a4fa2ba770ff6d40e3a in linux-6.1.y/6.1.56
cc39f9ccb82426e576734b493e1777ea01b144a8 in mainline linux