openbsd
2 years agosync
patrick [Fri, 24 Dec 2021 00:07:56 +0000 (00:07 +0000)]
sync

2 years agoapliic(4)
patrick [Fri, 24 Dec 2021 00:07:06 +0000 (00:07 +0000)]
apliic(4)

2 years agoAdd apliic(4), a driver for the I2C controller found on various Apple SoCs.
patrick [Fri, 24 Dec 2021 00:01:39 +0000 (00:01 +0000)]
Add apliic(4), a driver for the I2C controller found on various Apple SoCs.

ok kettenis@

2 years agoFully check the second strtoul() call in v2i_IPAddrBlocks()
tb [Thu, 23 Dec 2021 23:48:38 +0000 (23:48 +0000)]
Fully check the second strtoul() call in v2i_IPAddrBlocks()

This can read a value in an arbitrary base from a string that is
supposed to be followed by whitespace or a colon, so it cannot be
switched to strtonum(). The current checks don't allow a read past
the end, but let's use the standard idiom instead.

ok jsing

2 years agoFix an arbitrary out-of-bounds stack read in v2i_IPAddrBlocks()
tb [Thu, 23 Dec 2021 23:41:26 +0000 (23:41 +0000)]
Fix an arbitrary out-of-bounds stack read in v2i_IPAddrBlocks()

Switch an insufficiently checked strtoul() to strtonum(). This can
be used to trigger a read of a user-controlled size from the stack.

$ openssl req -new -addext 'sbgp-ipAddrBlock = IPv4:192.0.2.0/12341234'
Segmentation fault (core dumped)

The bogus prefix length 12341234 is fed into X509v3_addr_add_prefix() and
used to read (prefixlen + 7) / 8 bytes from the stack variable 'min[16]'
that ends up as 'data' in the memmove in ASN1_STRING_set().

The full fix will add length checks to X509v3_addr_add_prefix() and
make_addressPrefix() and will be dealt with later. The entire
X509v3_{addr,asid}_* API will need a thorough review before it can be
exposed.

This code is only enabled in -current and can only be reached from
openssl.cnf files that contain sbgp-ipAddrBlock or from the openssl(1)
command line.

ok jsing

2 years agofix indent to make it clear a line isn't part of previous if
jsg [Thu, 23 Dec 2021 23:23:42 +0000 (23:23 +0000)]
fix indent to make it clear a line isn't part of previous if
ok deraadt@ millert@

2 years agoRemove unused variables and assignments in ah and esp output.
bluhm [Thu, 23 Dec 2021 22:35:11 +0000 (22:35 +0000)]
Remove unused variables and assignments in ah and esp output.
found by clang 13; OK tobhe@

2 years agoFix endless loop in the interrupt handler. When iterating over each
patrick [Thu, 23 Dec 2021 20:48:24 +0000 (20:48 +0000)]
Fix endless loop in the interrupt handler.  When iterating over each
GPIO base register we must not replace the iterator variable with the
index of the pin inside the register.

ok kettenis@

2 years agosync
guenther [Thu, 23 Dec 2021 18:50:59 +0000 (18:50 +0000)]
sync

2 years agoRoll the syscalls that have an off_t argument to remove the explicit padding.
guenther [Thu, 23 Dec 2021 18:50:31 +0000 (18:50 +0000)]
Roll the syscalls that have an off_t argument to remove the explicit padding.
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!

Time for a story...

When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets.  This affected the nine system
calls that pass off_t arguments:
   ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate

To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on a even slot and
thus be naturally aligned.  Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.

The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them.  The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument.  So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel.  Keep compat
support for the existing syscalls long enough for the transition.

ok deraadt@

2 years agofix typo: boolean true should decode to 1, not 0
tb [Thu, 23 Dec 2021 18:12:58 +0000 (18:12 +0000)]
fix typo: boolean true should decode to 1, not 0

2 years agoRoute templated implementations of {d2i,i2d}_ASN1_BOOLEAN() through
tb [Thu, 23 Dec 2021 18:04:41 +0000 (18:04 +0000)]
Route templated implementations of {d2i,i2d}_ASN1_BOOLEAN() through
ASN1_item_ex_{d2i,i2d}() instead of ASN1_item_{d2i,i2d}(). Fixes test
failure on sparc64, and hopefully all other architectures.

reported by tobhe
with/ok jsing

2 years agoIPsec is not MP safe yet. To allow forwarding in parallel without
bluhm [Thu, 23 Dec 2021 12:21:48 +0000 (12:21 +0000)]
IPsec is not MP safe yet.  To allow forwarding in parallel without
dirty hacks, it is better to protect IPsec input and output with
kernel lock.  Not much is lost as crypto needs the kernel lock
anyway.  From here we can refine the lock later.
Note that there is no kernel lock in the SPD lockup path.  Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@

2 years agoGet rid of unused next battery level argument.
anton [Thu, 23 Dec 2021 12:14:15 +0000 (12:14 +0000)]
Get rid of unused next battery level argument.

2 years agoUse TAILQ_FOREACH to traverse the disk list in sysctl_diskinit().
bluhm [Thu, 23 Dec 2021 10:17:01 +0000 (10:17 +0000)]
Use TAILQ_FOREACH to traverse the disk list in sysctl_diskinit().
OK anton@

2 years agoDisk lock was held when returning to userland. Add a missing unlock
bluhm [Thu, 23 Dec 2021 10:09:16 +0000 (10:09 +0000)]
Disk lock was held when returning to userland.  Add a missing unlock
in vnd ioctl error path.
Reported-by: syzbot+6dde3fda33074a256318@syzkaller.appspotmail.com
OK jsg@ anton@

2 years agoTemplate for option WITNESS is in the architecture GENERIC.MP file
bluhm [Thu, 23 Dec 2021 10:04:14 +0000 (10:04 +0000)]
Template for option WITNESS is in the architecture GENERIC.MP file
if it is supported.  Remove it from the global GENERIC config.
OK visa@ claudio@

2 years agofix off by one in bounds test
jsg [Thu, 23 Dec 2021 09:17:19 +0000 (09:17 +0000)]
fix off by one in bounds test
ok deraadt@

2 years agofix off by one in bounds test
jsg [Thu, 23 Dec 2021 09:15:59 +0000 (09:15 +0000)]
fix off by one in bounds test
ok tobhe@

2 years agomake array bounds in unix2dosfn() prototype match function
jsg [Thu, 23 Dec 2021 04:37:12 +0000 (04:37 +0000)]
make array bounds in unix2dosfn() prototype match function
missed when unix2dosfn() was changed in the kernel with
msdosfs_conv.c rev 1.15 in 2012

2 years agomake array bounds in unix2dosfn() prototype match function
jsg [Thu, 23 Dec 2021 02:12:52 +0000 (02:12 +0000)]
make array bounds in unix2dosfn() prototype match function
missed when unix2dosfn() was changed with msdosfs_conv.c rev 1.15 in 2012

2 years agogive et_setmulti() more chance of working
jsg [Thu, 23 Dec 2021 01:39:44 +0000 (01:39 +0000)]
give et_setmulti() more chance of working
ok claudio@

2 years agoAvoid GNU printf extension to use 'L' length modifier with a int
jsg [Wed, 22 Dec 2021 23:05:52 +0000 (23:05 +0000)]
Avoid GNU printf extension to use 'L' length modifier with a int
conversion specifier to mean 'll'.  Found by an ok deraadt@

2 years agoWhile malloc sleeps, the disk list could change during sysctl. Then
bluhm [Wed, 22 Dec 2021 22:20:13 +0000 (22:20 +0000)]
While malloc sleeps, the disk list could change during sysctl.  Then
allocated memory could be too short for the list of disks.  Retry
allocating enough space until it did not change.
The disk list and duid memory are protected by kernel lock.  Use
asserts to mark this explicitly.
Reported-by: syzbot+807423f6868bbfb836bc@syzkaller.appspotmail.com
OK anton@ mpi@

2 years agoDisable minimum power consumption in hostap mode. This improves connection
tobhe [Wed, 22 Dec 2021 19:37:33 +0000 (19:37 +0000)]
Disable minimum power consumption in hostap mode. This improves connection
reliability when bwfm is used as an access point.

ok patrick@

2 years agoTrivial update to 4.3.9.
florian [Wed, 22 Dec 2021 18:33:21 +0000 (18:33 +0000)]
Trivial update to 4.3.9.

2 years agoReplace IO::Socket::INET with IO::Socket::IP.
bluhm [Wed, 22 Dec 2021 16:18:49 +0000 (16:18 +0000)]
Replace IO::Socket::INET with IO::Socket::IP.

2 years agoReplace deprecated IO::Socket::INET6 with IO::Socket::IP.
bluhm [Wed, 22 Dec 2021 15:54:01 +0000 (15:54 +0000)]
Replace deprecated IO::Socket::INET6 with IO::Socket::IP.

2 years agoReplace deprecated IO::Socket::INET6 with IO::Socket::IP.
bluhm [Wed, 22 Dec 2021 15:14:13 +0000 (15:14 +0000)]
Replace deprecated IO::Socket::INET6 with IO::Socket::IP.

2 years agoConsolidate enc_getif() lookups in IPsec input path to save one lookup
tobhe [Wed, 22 Dec 2021 13:37:46 +0000 (13:37 +0000)]
Consolidate enc_getif() lookups in IPsec input path to save one lookup
per packet and improve readability.

ok bluhm@

2 years agodrm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE
jsg [Wed, 22 Dec 2021 12:33:02 +0000 (12:33 +0000)]
drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE

From Le Ma
aec5897b277b13acd8f913d777654d4d092a24f1 in linux 5.10.y/5.10.88
f3a8076eb28cae1553958c629aecec479394bbe2 in mainline linux

2 years agodrm/amd/pm: fix a potential gpu_metrics_table memory leak
jsg [Wed, 22 Dec 2021 12:30:38 +0000 (12:30 +0000)]
drm/amd/pm: fix a potential gpu_metrics_table memory leak

From Lang Yu
222cebd995cdf11fe0d502749560f65e64990e55 in linux 5.10.y/5.10.88
aa464957f7e660abd554f2546a588f6533720e21 in mainline linux

2 years agoReplace deprecated IO::Socket::INET6 with IO::Socket::IP.
bluhm [Wed, 22 Dec 2021 11:50:28 +0000 (11:50 +0000)]
Replace deprecated IO::Socket::INET6 with IO::Socket::IP.

2 years agoReplace two questionable size_t types. For the repo id use a unsigned int
claudio [Wed, 22 Dec 2021 09:35:14 +0000 (09:35 +0000)]
Replace two questionable size_t types. For the repo id use a unsigned int
and for the roa maxlength use unsigned char (like the prefixlen in struct
ip_addr).
With input and OK job@

2 years agoThe maxlength is optional in roa entries. By setting it to the address
claudio [Wed, 22 Dec 2021 08:44:15 +0000 (08:44 +0000)]
The maxlength is optional in roa entries. By setting it to the address
prefixlen before looking for the optional maxlength attribute the code
can be simplified and a ternary expression can be removed.
OK tb@ job@

2 years agosort -H and -h in SYNOPSIS/usage();
jmc [Wed, 22 Dec 2021 06:56:41 +0000 (06:56 +0000)]
sort -H and -h in SYNOPSIS/usage();
tweak the -H text;

ok djm

2 years ago%Lx -> %llx kernel printf does not support %Lx
jsg [Wed, 22 Dec 2021 01:38:36 +0000 (01:38 +0000)]
%Lx -> %llx kernel printf does not support %Lx

2 years agoFix a typo in mlock(2) error path triggering a double-free.
mpi [Tue, 21 Dec 2021 22:21:32 +0000 (22:21 +0000)]
Fix a typo in mlock(2) error path triggering a double-free.

Pass the correct entry to uvm_fault_unwire_locked().

Reported-by: syzbot+bb2f63f076618e9ed0d3@syzkaller.appspotmail.com
ok kettenis@, deraadt@

2 years agoMove checks on attach arguments from attach into match.
kettenis [Tue, 21 Dec 2021 20:53:46 +0000 (20:53 +0000)]
Move checks on attach arguments from attach into match.

ok anton@, deraadt@

2 years agoCleanup a few things while reading the code.
claudio [Tue, 21 Dec 2021 17:50:27 +0000 (17:50 +0000)]
Cleanup a few things while reading the code.
OK job@

2 years agoSimplify code a bit. There is only one TA per TAL and so only one
claudio [Tue, 21 Dec 2021 16:16:15 +0000 (16:16 +0000)]
Simplify code a bit. There is only one TA per TAL and so only one
ta_lookup(). Implementing the talrepocnt limiter there makes little
sense and gains us nothing.
OK job@

2 years agoSupport underscore style with capture-pane -e, GitHub issue 2928.
nicm [Tue, 21 Dec 2021 14:57:28 +0000 (14:57 +0000)]
Support underscore style with capture-pane -e, GitHub issue 2928.

2 years agoAdd test cases for intermediate cert with 'set cert_partial_chain'.
tobhe [Tue, 21 Dec 2021 13:50:35 +0000 (13:50 +0000)]
Add test cases for intermediate cert with 'set cert_partial_chain'.

2 years agoARM's Morello CHERI architecture does not support pointers in packed
nicm [Tue, 21 Dec 2021 13:07:53 +0000 (13:07 +0000)]
ARM's Morello CHERI architecture does not support pointers in packed
structures, so remove the packed attribute on struct grid_line and
reorder the members to eliminate unnecessary padding. From Jessica
Clarke in GitHub issue 3012.

2 years agoknf nits
anton [Tue, 21 Dec 2021 11:46:01 +0000 (11:46 +0000)]
knf nits

2 years agodocument BN_MONT_CTX_set_locked(3)
schwarze [Tue, 21 Dec 2021 11:14:07 +0000 (11:14 +0000)]
document BN_MONT_CTX_set_locked(3)

2 years agoDo not print "dt: 451 probes" at boot in dmesg. Btrace device dt(4)
bluhm [Tue, 21 Dec 2021 09:35:08 +0000 (09:35 +0000)]
Do not print "dt: 451 probes" at boot in dmesg.  Btrace device dt(4)
is enabled by default, this line does not provide much information.
requested by kettenis@ deraadt@; OK mpi@

2 years agostate up front that patch(1) operates on text files,
schwarze [Tue, 21 Dec 2021 08:07:20 +0000 (08:07 +0000)]
state up front that patch(1) operates on text files,
fixing an omission pointed out by chrisz@;
OK jmc@ deraadt@ chrisz@

2 years agoavoid returning uninitialised var in hidpp_send_report()
jsg [Tue, 21 Dec 2021 07:44:22 +0000 (07:44 +0000)]
avoid returning uninitialised var in hidpp_send_report()
ok anton@

2 years agoLet malloc return an error as opposed of panicking when sysctl
anton [Tue, 21 Dec 2021 06:12:49 +0000 (06:12 +0000)]
Let malloc return an error as opposed of panicking when sysctl
kern.shminfo.shmseg is set to something ridiculously large.

ok kettenis@ millert@

Reported-by: syzbot+9f1b201cdbc97b19c7f5@syzkaller.appspotmail.com
2 years agoFix another vnd race pointed out by mpi@ and make sure to not unlock the
anton [Tue, 21 Dec 2021 06:12:03 +0000 (06:12 +0000)]
Fix another vnd race pointed out by mpi@ and make sure to not unlock the
vnode twice in the error path.

Tested in snaps for a couple of days.

2 years agoEnsure that the disk has been initialized after acquiring the lock and
anton [Tue, 21 Dec 2021 06:11:16 +0000 (06:11 +0000)]
Ensure that the disk has been initialized after acquiring the lock and
not before as we might end up sleeping while acquiring the lock,
introducing a potential race.

Tested in snaps for a couple of days.

ok mpi@

Reported-by: syzbot+c87cdc2905b441c20d39@syzkaller.appspotmail.com
2 years agoRename local variable intrfn to intr, matches what dev/fdt/com_fdt.c
anton [Tue, 21 Dec 2021 06:10:29 +0000 (06:10 +0000)]
Rename local variable intrfn to intr, matches what dev/fdt/com_fdt.c
already does.

2 years agoDo not attach com at acpi when there's no address or irq present. Fixes
anton [Tue, 21 Dec 2021 06:09:47 +0000 (06:09 +0000)]
Do not attach com at acpi when there's no address or irq present. Fixes
a regression caused by the recent change to start attaching com at acpi
as it turns out that Libreboot exposes console devices lacking crucial
data in their acpi tables. The same console attaches fine over isa,
therefore restore this behavior.

Problem reported by <cipher-hearts at riseup dot net> on bugs@

ok deraadt@ kettenis@

2 years agoerrno overhaul, getting rid of some ambiguity. In the hopes of tracking
anton [Tue, 21 Dec 2021 06:08:57 +0000 (06:08 +0000)]
errno overhaul, getting rid of some ambiguity. In the hopes of tracking
down a rare but annoying problem related to remote coverage exposed by
syzkaller.

2 years agoMultiply the number of states in the example adaptive timeout calculation
jmatthew [Tue, 21 Dec 2021 00:23:15 +0000 (00:23 +0000)]
Multiply the number of states in the example adaptive timeout calculation
by 10 so it works with the numbers in the config, which were previously
multiplied.

ok dlg@

2 years agoRemove useless suser assert from dt(4). The ioctl(2) path checks
bluhm [Mon, 20 Dec 2021 22:28:48 +0000 (22:28 +0000)]
Remove useless suser assert from dt(4).  The ioctl(2) path checks
the user anyway and close(2) may crash after setuid(2).
Reported-by: syzbot+90e094f33d329fb2c3ab@syzkaller.appspotmail.com
OK deraadt@

2 years agobus_dmamem_unmap() should not be called from interrupt context, so free
patrick [Mon, 20 Dec 2021 19:24:32 +0000 (19:24 +0000)]
bus_dmamem_unmap() should not be called from interrupt context, so free
and close flowrings using bwfm_do_async().

Reported by and ok kettenis@

2 years agosync
deraadt [Mon, 20 Dec 2021 18:03:41 +0000 (18:03 +0000)]
sync

2 years agoAlways allocate a new stack in o2i_SCT_LIST().
jsing [Mon, 20 Dec 2021 17:23:07 +0000 (17:23 +0000)]
Always allocate a new stack in o2i_SCT_LIST().

If we're given a pointer to an existing stack, free it and allocate a new
one rather than poping and freeing all of the existing entries so we can
reuse it. While here rename some arguments and variables.

ok inoguchi@ tb@

2 years agoConvert SCT_new_from_base64() to use CBS for o2i_SCT_signature().
jsing [Mon, 20 Dec 2021 17:19:19 +0000 (17:19 +0000)]
Convert SCT_new_from_base64() to use CBS for o2i_SCT_signature().

Remove the existing o2i_SCT_signature() function and rename
o2i_SCT_signature_internal() to replace it.

ok inoguchi@ tb@

2 years agoRemove unused variable 'clen'.
tobhe [Mon, 20 Dec 2021 17:09:18 +0000 (17:09 +0000)]
Remove unused variable 'clen'.

ok bluhm@

2 years agoAdd regress coverage for the crazy SCT_new_from_base64() API.
jsing [Mon, 20 Dec 2021 16:52:26 +0000 (16:52 +0000)]
Add regress coverage for the crazy SCT_new_from_base64() API.

2 years agoMake filt_dead() selectively inactive with EVFILT_EXCEPT
visa [Mon, 20 Dec 2021 16:24:32 +0000 (16:24 +0000)]
Make filt_dead() selectively inactive with EVFILT_EXCEPT

When a knote uses the dead event filter, the knote's file descriptor is
not supposed to point to an object with pending out-of-band data. Make
the knote inactive so that userspace will not receive a spurious event.
However, kqueue-based poll(2) should still receive HUP notifications.

This lets the system use dead_filtops with less strings attached
relative to the filter type.

2 years agoLet poll(2) register EVFILT_EXCEPT filter with dead vnodes
visa [Mon, 20 Dec 2021 16:22:24 +0000 (16:22 +0000)]
Let poll(2) register EVFILT_EXCEPT filter with dead vnodes

This enables the system deliver POLLHUP when pollfd.events == 0.

2 years agoRun seltrue/dead event filter in modify and process callbacks
visa [Mon, 20 Dec 2021 16:21:07 +0000 (16:21 +0000)]
Run seltrue/dead event filter in modify and process callbacks

Do not assume event status in the modify and process callbacks. Instead
always run the event filter so that it has a chance to set knote flags.
The filter can also indicate event inactivity.

2 years agoUse per-CPU counters for tunnel descriptor block (TDB) statistics.
mvs [Mon, 20 Dec 2021 15:59:09 +0000 (15:59 +0000)]
Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@

2 years agoFix function name in panic string.
bluhm [Mon, 20 Dec 2021 15:23:32 +0000 (15:23 +0000)]
Fix function name in panic string.

2 years agoMake iwm(4) attach to PCI devices with product ID 0x31dc.
stsp [Mon, 20 Dec 2021 15:08:10 +0000 (15:08 +0000)]
Make iwm(4) attach to PCI devices with product ID 0x31dc.

This device is part of the 9560 chip family. With a small device-specific
quirk we can make iwm(4) attach and provide a working wifi interface.

Problem reported and fix tested by Joao Victor.

2 years agoregen
stsp [Mon, 20 Dec 2021 15:05:12 +0000 (15:05 +0000)]
regen

2 years agoChange a PCI device string: The "Gemini Lake CNVi" is an iwm(4) "AC 9560".
stsp [Mon, 20 Dec 2021 15:04:58 +0000 (15:04 +0000)]
Change a PCI device string: The "Gemini Lake CNVi" is an iwm(4) "AC 9560".

ok hastings@ (who submitted the original string, based on a datasheet)

2 years agodocument BN_mod_add_quick(3), BN_mod_sub_quick(3), BN_mod_lshift(3),
schwarze [Mon, 20 Dec 2021 15:02:13 +0000 (15:02 +0000)]
document BN_mod_add_quick(3), BN_mod_sub_quick(3), BN_mod_lshift(3),
BN_mod_lshift_quick(3), BN_mod_lshift1(3), and BN_mod_lshift1_quick(3)

2 years agoMake mtw(4) known to the config(8) framework.
hastings [Mon, 20 Dec 2021 14:54:37 +0000 (14:54 +0000)]
Make mtw(4) known to the config(8) framework.

Not enabled yet. Pending firmware availability.

ok stsp@ jmatthew@

2 years agoAdd mtw(4), a driver for MediaTek MT7601U wifi devices.
hastings [Mon, 20 Dec 2021 13:59:02 +0000 (13:59 +0000)]
Add mtw(4), a driver for MediaTek MT7601U wifi devices.

Ported from run(4) with legacy chipsets removed.
Not yet enabled in the build.

ok stsp@ jmatthew@

2 years agoWhen removing the last value from an attribute in ldap_del_values()
claudio [Mon, 20 Dec 2021 13:26:11 +0000 (13:26 +0000)]
When removing the last value from an attribute in ldap_del_values()
the actuall attribute needs to removed instead of leaving back an
empty attribute. Empty attributes are not valid and fail later on
in ldap_modify(). By calling ldap_del_attribute() in this case
properly removes the attribute and with that validate_entry() no
longer fails later on.
OK jmatthew@

2 years agoAdd some debug messages in validate_entry() that explain why
claudio [Mon, 20 Dec 2021 13:18:29 +0000 (13:18 +0000)]
Add some debug messages in validate_entry() that explain why
LDAP_INVALID_SYNTAX is returned.
OK jmatthew@

2 years agoDo not crash on a zero size character.
nicm [Mon, 20 Dec 2021 09:02:12 +0000 (09:02 +0000)]
Do not crash on a zero size character.

2 years agoRework the tx path to use the consumer and producer positions to work out
jmatthew [Mon, 20 Dec 2021 04:21:32 +0000 (04:21 +0000)]
Rework the tx path to use the consumer and producer positions to work out
the number of slots available, and to put packets on the ring until fewer
than DWGE_NTXSEGS slots are left, making dwge_start() and dwge_txeof()
work independently.  While here, only write to GMAC_TX_POLL_DEMAND once
per call to dwge_start() rather than once per packet.

Adjust the rx interrupt path to check the number of slots in use and
return slots once per interrupt.

Add interrupt and ifq barriers before taking the interface down.
With all of this done, we can mark dwge(4) mpsafe.

ok dlg@ patrick@

2 years agosync
deraadt [Mon, 20 Dec 2021 01:53:34 +0000 (01:53 +0000)]
sync

2 years agoAdd an implementation for the protocol to communicate with coprocessors
kettenis [Sun, 19 Dec 2021 23:47:24 +0000 (23:47 +0000)]
Add an implementation for the protocol to communicate with coprocessors
running firmware based Apple's RTKit OS.  Use this code to bring up the
storage controller that implements Apple's flavour of NVMe.

ok dlg@, patrick@

2 years agoThere are occasions where the walker function in tdb_walk() might
bluhm [Sun, 19 Dec 2021 23:30:08 +0000 (23:30 +0000)]
There are occasions where the walker function in tdb_walk() might
sleep.  So holding the tdb_sadb_mtx() when calling walker() is not
allowed.  Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock.  Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@

2 years agoregression test for destination restrictions in ssh-agent
djm [Sun, 19 Dec 2021 22:20:12 +0000 (22:20 +0000)]
regression test for destination restrictions in ssh-agent

2 years agodocument host-bound publickey authentication
djm [Sun, 19 Dec 2021 22:15:42 +0000 (22:15 +0000)]
document host-bound publickey authentication

2 years agodocument agent protocol extensions
djm [Sun, 19 Dec 2021 22:15:21 +0000 (22:15 +0000)]
document agent protocol extensions

2 years agoPubkeyAuthentication=yes|no|unbound|host-bound
djm [Sun, 19 Dec 2021 22:14:47 +0000 (22:14 +0000)]
PubkeyAuthentication=yes|no|unbound|host-bound

Allow control over which pubkey methods are used. Added out of
concern that some hardware devices may have difficulty signing
the longer pubkey authentication challenges. This provides a
way for them to disable the extension. It's also handy for
testing.

feedback / ok markus@

2 years agodocument destination-constrained keys
djm [Sun, 19 Dec 2021 22:14:12 +0000 (22:14 +0000)]
document destination-constrained keys

feedback / ok markus@

2 years agoUse hostkey parsed from hostbound userauth request
djm [Sun, 19 Dec 2021 22:13:55 +0000 (22:13 +0000)]
Use hostkey parsed from hostbound userauth request

Require host-bound userauth requests for forwarded SSH connections.

The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.

ok markus@

2 years agoagent support for parsing hostkey-bound signatures
djm [Sun, 19 Dec 2021 22:13:33 +0000 (22:13 +0000)]
agent support for parsing hostkey-bound signatures

Allow parse_userauth_request() to work with blobs from
publickey-hostbound-v00@openssh.com userauth attempts.

Extract hostkey from these blobs.

ok markus@

2 years agoEXT_INFO negotiation of hostbound pubkey auth
djm [Sun, 19 Dec 2021 22:13:12 +0000 (22:13 +0000)]
EXT_INFO negotiation of hostbound pubkey auth

the EXT_INFO packet gets a new publickey-hostbound@openssh.com to
advertise the hostbound public key method.

Client side support to parse this feature flag and set the kex->flags
indicator if the expected version is offered (currently "0").

ok markus@

2 years agoclient side of host-bound pubkey authentication
djm [Sun, 19 Dec 2021 22:12:54 +0000 (22:12 +0000)]
client side of host-bound pubkey authentication

Add kex->flags member to enable the publickey-hostbound-v00@openssh.com
authentication method.

Use the new hostbound method in client if the kex->flags flag was set,
and include the inital KEX hostkey in the userauth request.

Note: nothing in kex.c actually sets the new flag yet

ok markus@

2 years agosshd side of hostbound public key auth
djm [Sun, 19 Dec 2021 22:12:30 +0000 (22:12 +0000)]
sshd side of hostbound public key auth

This is identical to the standard "publickey" method, but it also includes
the initial server hostkey in the message signed by the client.

feedback / ok markus@

2 years agoprepare for multiple names for authmethods
djm [Sun, 19 Dec 2021 22:12:07 +0000 (22:12 +0000)]
prepare for multiple names for authmethods

allow authentication methods to have one additional name beyond their
primary name.

allow lookup by this synonym

Use primary name for authentication decisions, e.g. for
PermitRootLogin=publickey

Pass actual invoked name to the authmethods, so they can tell whether they
were requested via the their primary name or synonym.

ok markus@

2 years agossh-agent side of destination constraints
djm [Sun, 19 Dec 2021 22:11:39 +0000 (22:11 +0000)]
ssh-agent side of destination constraints

Gives ssh-agent the ability to parse restrict-destination-v00@openssh.com
constraints and to apply them to keys.

Check constraints against the hostkeys recorded for a SocketEntry when
attempting a signature, adding, listing or deleting keys. Note that
the "delete all keys" request will remove constrained keys regardless of
location.

feedback Jann Horn & markus@
ok markus@

2 years agossh-add side of destination constraints
djm [Sun, 19 Dec 2021 22:11:06 +0000 (22:11 +0000)]
ssh-add side of destination constraints

Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.

Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".

The first form permits a key to be used to authenticate as the
specified user to the specified host.

The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.

For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.

Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.

host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.

feedback Jann Horn & markus@
ok markus@

2 years agossh-add side of destination constraints
djm [Sun, 19 Dec 2021 22:10:24 +0000 (22:10 +0000)]
ssh-add side of destination constraints

Have ssh-add accept a list of "destination constraints" that allow
restricting where keys may be used in conjunction with a ssh-agent/ssh
that supports session ID/hostkey binding.

Constraints are specified as either "[user@]host-pattern" or
"host-pattern>[user@]host-pattern".

The first form permits a key to be used to authenticate as the
specified user to the specified host.

The second form permits a key that has previously been permitted
for use at a host to be available via a forwarded agent to an
additional host.

For example, constraining a key with "user1@host_a" and
"host_a>host_b". Would permit authentication as "user1" at
"host_a", and allow the key to be available on an agent forwarded
to "host_a" only for authentication to "host_b". The key would not
be visible on agent forwarded to other hosts or usable for
authentication there.

Internally, destination constraints use host keys to identify hosts.
The host patterns are used to obtain lists of host keys for that
destination that are communicated to the agent. The user/hostkeys are
encoded using a new restrict-destination-v00@openssh.com key
constraint.

host keys are looked up in the default client user/system known_hosts
files. It is possible to override this set on the command-line.

feedback Jann Horn & markus@
ok markus@

2 years agossh-agent side of binding
djm [Sun, 19 Dec 2021 22:09:23 +0000 (22:09 +0000)]
ssh-agent side of binding

record session ID/hostkey/forwarding status for each active socket.

Attempt to parse data-to-be-signed at signature request time and extract
session ID from the blob if it is a pubkey userauth request.

ok markus@

2 years agossh client side of binding
djm [Sun, 19 Dec 2021 22:08:48 +0000 (22:08 +0000)]
ssh client side of binding

send session ID, hostkey, signature and a flag indicating whether the
agent connection is being forwarded to ssh agent each time a connection
is opened via a new "session-bind@openssh.com" agent extension.

ok markus@

2 years agoRecord session ID, host key and sig at intital KEX
djm [Sun, 19 Dec 2021 22:08:06 +0000 (22:08 +0000)]
Record session ID, host key and sig at intital KEX

These will be used later for agent session ID / hostkey binding

ok markus@

2 years agodocument BN_consttime_swap(3); this will probably require more work,
schwarze [Sun, 19 Dec 2021 22:06:35 +0000 (22:06 +0000)]
document BN_consttime_swap(3); this will probably require more work,
but what i have so far is already better than nothing

2 years agoSimplify error message emitted when requested partition size
krw [Sun, 19 Dec 2021 19:26:18 +0000 (19:26 +0000)]
Simplify error message emitted when requested partition size
cannot be accommodated. "not enough space" should be enough for
anyone.

Requested by deraadt@