openbsd
djm [Mon, 9 Sep 2024 02:39:57 +0000 (02:39 +0000)]
pull post-quantum ML-KEM/x25519 key exchange out from compile-time
flag now that an IANA codepoint has been assigned for the algorithm.

Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot.

ok markus@

tb [Sun, 8 Sep 2024 07:23:36 +0000 (07:23 +0000)]
rpki-client: fix typos in comments and one in a warning message

aisha [Sat, 7 Sep 2024 22:41:55 +0000 (22:41 +0000)]
fix RBT_ENTRY in pf_state and pf_state_key

ok sashan@

tb [Sat, 7 Sep 2024 16:39:29 +0000 (16:39 +0000)]
Futhermore -> Furthermore

tb [Fri, 6 Sep 2024 14:56:57 +0000 (14:56 +0000)]
Prepare for an upcoming tlsfuzzer test that expects decode_error
when we send illegal_parameter. Shrug.

mbuhl [Fri, 6 Sep 2024 13:31:59 +0000 (13:31 +0000)]
Fix KUBSAN by adding invalid builtin detection, as needed by our current clang.
ok anton@

mbuhl [Fri, 6 Sep 2024 13:30:59 +0000 (13:30 +0000)]
Document float cast overflow detection.
ok anton@

jsg [Fri, 6 Sep 2024 10:54:08 +0000 (10:54 +0000)]
spelling; ok mglocker@

tb [Fri, 6 Sep 2024 09:57:32 +0000 (09:57 +0000)]
Reenable AES-NI in libcrypto

The OPENSSL_cpu_caps() change after the last bump missed a crucial bit:
there is more MD mess in the MI code than anticipated, with the result
that AES is now used without AES-NI on amd64 and i386, hurting machines
that previously greatly benefitted from it.

Temporarily add an internal crypto_cpu_caps_ia32() API that returns the
OPENSSL_ia32cap_P or 0 like OPENSSL_cpu_caps() previously did. This can
be improved after the release.

Regression reported and fix tested by Mark Patruck.
No impact on public ABI or API.

with/ok jsing

PS: Next time my pkg_add feels very slow, I should perhaps not mechanically
blame IEEE 802.11...

mpi [Fri, 6 Sep 2024 08:38:21 +0000 (08:38 +0000)]
Allow tracing interrupts by deferring the wakeup(9) to a different context.

It is currently not safe to call wakeup(9) in interrupt handlers at a priority
higher than IPL_SCHED.  As long as dt(4) relies on generic kernel primitives
we have to play tricks to be able to inspect more parts of the kernel.  In this
case defer the wakeup(9) to a custom soft-interrupt.  This will be good enough
as long as we don't add tracepoints to the soft-interrupt machinery.  A more
complex & viable solution would be to not rely on the kernel generic IPC to
avoid recursion.

From visa@ and Christian Ludwig, ok claudio@

mpi [Fri, 6 Sep 2024 08:21:21 +0000 (08:21 +0000)]
Remove incorrect increment of the context switch counter.

From Christian Ludwig.

ok claudio@

mpi [Fri, 6 Sep 2024 08:00:36 +0000 (08:00 +0000)]
Regression for '%c'.

From Christian Ludwig.

mpi [Fri, 6 Sep 2024 07:58:50 +0000 (07:58 +0000)]
Interpret the argument of '%c' as an integer instead of a string.

From Christian Ludwig.

tb [Fri, 6 Sep 2024 07:48:20 +0000 (07:48 +0000)]
Adjust documentation to work without X509_LOOKUP_by_subject()

X509_LOOKUP_by_subject() was made internal a while back. Its documentation
was very detailed, so this was a bit of a tangle to undo.

miod [Fri, 6 Sep 2024 06:31:11 +0000 (06:31 +0000)]
Repair build with gcc.

anton [Fri, 6 Sep 2024 04:11:26 +0000 (04:11 +0000)]
sync

jsg [Fri, 6 Sep 2024 03:52:38 +0000 (03:52 +0000)]
match on Lunar Lake

jsg [Fri, 6 Sep 2024 03:48:52 +0000 (03:48 +0000)]
regen

jsg [Fri, 6 Sep 2024 03:48:20 +0000 (03:48 +0000)]
add Intel Lunar Lake ids

from:
Intel Core Ultra 200V Series Processors
Datasheet, Volume 1 of 2, Doc. No.: 829568, Rev.: 001

additional graphics ids from Mesa

djm [Fri, 6 Sep 2024 02:30:44 +0000 (02:30 +0000)]
make parsing user@host consistently look for the last '@' in the
string rather than the first. This makes it possible to use usernames
that contain '@' characters.

Prompted by Max Zettlmeißl; feedback/ok millert@

claudio [Thu, 5 Sep 2024 20:28:42 +0000 (20:28 +0000)]
Bump version

tb [Thu, 5 Sep 2024 16:17:56 +0000 (16:17 +0000)]
sync with base

tb [Thu, 5 Sep 2024 16:16:54 +0000 (16:16 +0000)]
Avoid out-of-bounds pointer arithmetic in inflateCopy().

from upstream, no ABI or API change.
ok beck deraadt

bluhm [Thu, 5 Sep 2024 08:52:27 +0000 (08:52 +0000)]
In ddb(4) print mbuf chain and packet list.

For debugging hardware offloading, DMA requirements, bounce buffers,
and performance optimizations, knowing the memory layout of mbuf
content helps.
Implement /c and /p modifiers in ddb show mbuf.  It traverses the
pointer m_next for mbuf chain or m_nextpkt for packet list.  Show
mbuf type, data offset, mbuf length, packet length, cluster size,
and total number of elements, length and size.

OK claudio@ mvs@

florian [Thu, 5 Sep 2024 08:22:46 +0000 (08:22 +0000)]
Sync to unbound 1.21.0; heavy lifting by sthen

parse_edns_from_query_pkt() grew a parameter to handle cookies, which
we don't use.

bluhm [Thu, 5 Sep 2024 07:57:14 +0000 (07:57 +0000)]
Update libexpat to version 2.6.3.

Relevant for OpenBSD are security fixes #887 #890 #888 #891 #889
#892, other changes #886 #885, infrastructure #880.  No library
bump necessary.  CVE-2024-45490 CVE-2024-45491 CVE-2024-45492

OK tb@ deraadt@

jmc [Thu, 5 Sep 2024 06:39:53 +0000 (06:39 +0000)]
have sysmerge and sysupgrade Xr each other;
diff originally from peter n. m. hansteen

ok ajacoutot

jmc [Thu, 5 Sep 2024 06:33:04 +0000 (06:33 +0000)]
note that "|" and ":include:" are disallowed for root;
prompted by mail from illya meyer

ok gilles

jmc [Thu, 5 Sep 2024 06:30:52 +0000 (06:30 +0000)]
retire this older version of forward(5) to the attic
(whilst retaining the smtpd copy);

ok op gilles

jmc [Thu, 5 Sep 2024 05:51:46 +0000 (05:51 +0000)]
remove note falsely claiming that :include: is disallowed
(it is, but only for root, which i'll address in separate commit);

ok mp gilles

jsg [Thu, 5 Sep 2024 04:31:26 +0000 (04:31 +0000)]
drm/amd/display: avoid using null object of framebuffer

From Ma Ke
f6f5e39a3fe7cbdba190f42b28b40bdff03c8cf0 in linux-6.6.y/6.6.49
3b9a33235c773c7a3768060cf1d2cf8a9153bc37 in mainline linux

jsg [Thu, 5 Sep 2024 04:29:04 +0000 (04:29 +0000)]
drm/amdgpu/swsmu: always force a state reprogram on init

From Alex Deucher
39defab0ebf0872b7a84deafbe903c8e30da7748 in linux-6.6.y/6.6.49
d420c857d85777663e8d16adfc24463f5d5c2dbc in mainline linux

jsg [Thu, 5 Sep 2024 04:27:10 +0000 (04:27 +0000)]
drm/amdgpu: align pp_power_profile_mode with kernel docs

From Alex Deucher
11182b33faf3ee80f5ea042a465b26a23e257f8a in linux-6.6.y/6.6.49
8f614469de248a4bc55fb07e55d5f4c340c75b11 in mainline linux

dlg [Wed, 4 Sep 2024 23:57:20 +0000 (23:57 +0000)]
regen

dlg [Wed, 4 Sep 2024 23:56:43 +0000 (23:56 +0000)]
add PLX PEX 8718 and SK hynix PC601 devices.

The PEX 8718 is used on a QNAP QM2-2P-something card, and we have
a couple of pc601 nvme ssds plugged into it.

hastings [Wed, 4 Sep 2024 21:39:18 +0000 (21:39 +0000)]
Push acpi(4) _CRS parsing down after matching skippable and ISA hardware IDs.

ok kettenis@

beck [Wed, 4 Sep 2024 17:00:08 +0000 (17:00 +0000)]
Work around vnode reuse bug resulting in a panic: vop_generic_badop

Joel hit this frequently on the go builder, and this was
also found by syzkaller

https://syzkaller.appspot.com/bug?extid=58bdde9f7a1a407514a7
https://syzkaller.appspot.com/bug?extid=5779bc64fc4fdd0a5140

This is based on a workaround originally done by visa@ and mbuhl@
but not committed or widely distributed.

Realistically this should be fixed more like the previous attempt
with vdoom, but my attempts to do this at the moment are colliding
with finding all sources of similar races, now that kernel unlocking
is exposing these previously existing bugs

for now, let's put in this ugly workaround

ok deraadt@

dv [Wed, 4 Sep 2024 16:12:40 +0000 (16:12 +0000)]
vmm: set highest cpuid feature leaf based on host cpu.

Fixes Linux guests on older Intel hardware. vmm was reporting a
value that doesn't match the host. Cap it at the highest value vmm
currently emulates.

ok bluhm@, ratchov@

job [Wed, 4 Sep 2024 15:46:43 +0000 (15:46 +0000)]
Remove deprecated '-r' command line option

OK tb@ claudio@

claudio [Wed, 4 Sep 2024 15:06:36 +0000 (15:06 +0000)]
Qualifying nexthops via BGP does not properly work since nexthops need
to be rechecked when a BGP route is added (or changed).

We need to revalidate nexthops on inserts (kroute_insert) and
on change (krX_change but only for AID_INET and AID_INET6 -- no nexthops
in the other tables) the nexthop needs to be updated.

Only validate nexthops if 'nexthop qualify via bgp' is enabled. For route
changes the code can depend on the F_NEXTHOP flag.

Fix for: https://github.com/openbgpd-portable/openbgpd-portable/issues/81
OK tb@

jsg [Wed, 4 Sep 2024 14:24:10 +0000 (14:24 +0000)]
list the other doc pspvar.h mentions, add publication numbers
ok jmc@

deraadt [Wed, 4 Sep 2024 14:18:36 +0000 (14:18 +0000)]
correct .OBJDIR use; from Denis Bodor

jsg [Wed, 4 Sep 2024 13:45:25 +0000 (13:45 +0000)]
regen

claudio [Wed, 4 Sep 2024 13:30:10 +0000 (13:30 +0000)]
Call pfkey_remove() only after the Session Engine finished reloading its
configuration. Doing so before could result in some messages being sent
out without proper TCP-MD5 signature.

Fix for: https://github.com/openbgpd-portable/openbgpd-portable/issues/82
OK tb@

jsg [Wed, 4 Sep 2024 11:12:53 +0000 (11:12 +0000)]
add psp(4) manual page
ok jmc@ bluhm@

sthen [Wed, 4 Sep 2024 09:36:40 +0000 (09:36 +0000)]
merge unbound 1.21.0

sthen [Wed, 4 Sep 2024 09:35:34 +0000 (09:35 +0000)]
import unbound 1.21.0, ok phessler florian

sf [Wed, 4 Sep 2024 09:12:55 +0000 (09:12 +0000)]
vio: put enqueue and dmasync into a function

Before we enqueue with VIO_DMAMEM_ENQUEUE(), we always sync with
VIO_DMAMEM_SYNC(). In order to reduce verbosity, create a function that
does both.

ok bluhm@

sthen [Wed, 4 Sep 2024 09:07:03 +0000 (09:07 +0000)]
Update bsd.port.mk(5) DISTFILES* description - it no longer uses :0 to :9
to select different SITES, the mechanism changed to SITES.somename /
DISTFILES.somename.

jsg [Wed, 4 Sep 2024 08:14:18 +0000 (08:14 +0000)]
wrap long lines

mglocker [Wed, 4 Sep 2024 07:54:51 +0000 (07:54 +0000)]
Fix some spelling.

Input and ok jmc@, jsg@

tb [Wed, 4 Sep 2024 07:52:45 +0000 (07:52 +0000)]
Missing RCSID

jsg [Wed, 4 Sep 2024 07:47:21 +0000 (07:47 +0000)]
remove unused timeout from softc

jsg [Wed, 4 Sep 2024 07:45:08 +0000 (07:45 +0000)]
make psp attach to ccp as a different driver
'fine with me' hshoexer, ok bluhm@

sf [Wed, 4 Sep 2024 06:36:33 +0000 (06:36 +0000)]
vio: style fixes

ok bluhm@

sf [Wed, 4 Sep 2024 06:34:08 +0000 (06:34 +0000)]
vio: Re-arrange structs for multi-queue

Move per-queue data structures into a new struct vio_queue and adjust
mem allocation. Only one queue is allocated for now.

ok bluhm@

djm [Wed, 4 Sep 2024 05:33:34 +0000 (05:33 +0000)]
be more strict in parsing key type names. Only allow shortnames (e.g
"rsa") in user-interface code and require full SSH protocol names (e.g.
"ssh-rsa") everywhere else.

Prompted by bz3725; ok markus@

djm [Wed, 4 Sep 2024 05:11:33 +0000 (05:11 +0000)]
fix RCSID in output

tb [Wed, 4 Sep 2024 04:36:14 +0000 (04:36 +0000)]
Remove openssl 1.1 regress

tb [Wed, 4 Sep 2024 04:35:30 +0000 (04:35 +0000)]
Unlink OpenSSL 1.1 regress

tb [Wed, 4 Sep 2024 04:35:05 +0000 (04:35 +0000)]
Link openssl 3.2 regress to build

tb [Wed, 4 Sep 2024 04:34:14 +0000 (04:34 +0000)]
Add regress against OpenSSL 3.2

OpenSSL 1.1 is dead. This directory will use the default version in ports
(currently 3.2) for regress testing.

op [Tue, 3 Sep 2024 18:27:04 +0000 (18:27 +0000)]
fix some typos; courtesy of codespell; ok gilles@

op [Tue, 3 Sep 2024 18:21:55 +0000 (18:21 +0000)]
typo in comment; Effectivly -> Effectively; ok gilles@

op [Tue, 3 Sep 2024 18:20:35 +0000 (18:20 +0000)]
typo in comment; saveguard -> safeguard; ok gilles@

bluhm [Tue, 3 Sep 2024 17:19:53 +0000 (17:19 +0000)]
For virtual addresses use fixed page frame without AMD SEV reduction.

When running as a SEV guest, page frame mask is calculated from the
CPUID provided "physical address bit reduction".  The amd64 pmap
code uses the variable pg_frame instead of the defined PG_FRAME
0x000ffffffffff000.
There was one instance in pmap code where pg_frame was applied to
virtual address, not physical address.  On some machines the address
bit reduction is rather large with six bits.  So the calculated
pg_frame is 0x00003fffffe00000.  However, on amd64 VM_MAX_ADDRESS
is defined as 0x00007fbfdfeff000.  Masking such a large address
with pg_frame caused havoc.  Therefore, when masking virtual
addresses, still use PG_FRAME.

from hshoexer@

deraadt [Tue, 3 Sep 2024 17:05:59 +0000 (17:05 +0000)]
wild white space

tb [Tue, 3 Sep 2024 15:37:03 +0000 (15:37 +0000)]
Make state file parsing errors more explicit. Also don't leak the deltas.

joint effort with/ok claudio

deraadt [Tue, 3 Sep 2024 15:28:58 +0000 (15:28 +0000)]
sync

job [Tue, 3 Sep 2024 15:04:48 +0000 (15:04 +0000)]
Also gate SPL statistics behind 'experimental' command line option

This changes the JSON output, without -x some keys are missing from 'metadata'

OK tb@

dv [Tue, 3 Sep 2024 13:36:19 +0000 (13:36 +0000)]
vmm(4)/vmx: avoid VPID leakage by allocating at vcpu init.

VPID allocation being dependent on the host and guest config
(consequently pushing it into the reset register handler) creates
a leak where previous VPIDs are not freed if the hypervisor program
resets a vcpu's registers.

Recent SVM related changes pulled the VPID (ASID in AMD world)
allocation up into vcpu initialization. This change does the same
for VMX and cleans up appropriate logic. Minor changes to keep SVM
and VMX styles in line with each other.

ok bluhm@

claudio [Tue, 3 Sep 2024 13:31:31 +0000 (13:31 +0000)]
In rrdp_session_parse() set the last_reset time to now if the .state file
does not exist.
OK tb@

gilles [Tue, 3 Sep 2024 12:07:40 +0000 (12:07 +0000)]
bump version

bluhm [Tue, 3 Sep 2024 09:36:12 +0000 (09:36 +0000)]
regen

bluhm [Tue, 3 Sep 2024 09:35:46 +0000 (09:35 +0000)]
For AMD SEV create /dev/psp.

To call ioctl(2) for the platform security processor (PSP), vmd(8)
needs a device file.  It is currently linked to the cryptographic
co-processor ccp(4).  We may split this into a separate psp(4)
device.

from hshoexer@; input jsg@

tb [Tue, 3 Sep 2024 08:49:16 +0000 (08:49 +0000)]
check_sym: adjust logic not to exit 1 in the default dynamic mode

ok guenther

jmc [Tue, 3 Sep 2024 06:17:48 +0000 (06:17 +0000)]
envrionment -> environment;

djm [Tue, 3 Sep 2024 05:58:56 +0000 (05:58 +0000)]
regression test for Include variable expansion

djm [Tue, 3 Sep 2024 05:29:55 +0000 (05:29 +0000)]
allow the "Include" directive to expand the same set of %-tokens
that "Match Exec" and environment variables do.

ok dtucker@

anton [Tue, 3 Sep 2024 04:59:03 +0000 (04:59 +0000)]
Fix test_fork() prototype.

anton [Tue, 3 Sep 2024 04:58:30 +0000 (04:58 +0000)]
Stop invoking diff(1) from C in access unveil regress, instead perform
the diffing from the make target.

anton [Tue, 3 Sep 2024 04:58:00 +0000 (04:58 +0000)]
Adjust expected output after recent X_OK changes.

jsg [Tue, 3 Sep 2024 00:23:05 +0000 (00:23 +0000)]
move psp functions to psp.c and remove the ifdefs
ok bluhm@ hshoexer@

deraadt [Mon, 2 Sep 2024 16:39:03 +0000 (16:39 +0000)]
sync

deraadt [Mon, 2 Sep 2024 16:37:58 +0000 (16:37 +0000)]
In our fight against the cosmos, in the chaos of the source tree, we
deleted the greek quiz.  Some people felt trauma, and called out our
hubris.  At my request, Carson Harding performed a metamorphosis of
the quiz -- kudos to him!  After playing, I consider it the acme of
quizzes.
ok jmc mglocker

deraadt [Mon, 2 Sep 2024 16:34:44 +0000 (16:34 +0000)]
In our fight against the cosmos, in the chaos of the source tree, we
deleted the greek quiz.  Some people felt trauma, and called out our
hubris.  At my request, Carson Harding performed a metamorphosis of
the quiz -- kudos to him!  After playing, I consider it the acme of
quizzes.
ok jmc mglocker

djm [Mon, 2 Sep 2024 12:18:35 +0000 (12:18 +0000)]
missing ifdef

djm [Mon, 2 Sep 2024 12:13:56 +0000 (12:13 +0000)]
Add experimental support for hybrid post-quantum key exchange
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03

This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.

Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.

ok markus@ deraadt@

job [Mon, 2 Sep 2024 11:56:22 +0000 (11:56 +0000)]
Increase number of concurrent RRDP session handler slots

OK claudio@

jsg [Mon, 2 Sep 2024 11:08:41 +0000 (11:08 +0000)]
simplify ccp ifdef; ok bluhm@

sf [Mon, 2 Sep 2024 08:26:26 +0000 (08:26 +0000)]
virtio: Move interrupt setup into separate function

Put the MSIX vector into struct virtqueue and create a transport
specific function that feeds the vectors to the device. This will allow
child devices to influence which vectors are used for which virtqueues.
This will be used by multi-queue vio(4) to route corresponding rx/tx
queue interrupts to the same cpu.

The setup_intrs() function also sets the config interrupt MSIX vector
which fixes a bug that virtio_pci_set_msix_config_vector() would not
be called after a device reset.

OK bluhm@

sf [Mon, 2 Sep 2024 08:22:08 +0000 (08:22 +0000)]
virtio_pci: Improve interrupt names

Make interrupt strings according to the child device. This gives names
like vio0:1, vioblk0 instead of virtio0, virtio1.  Also allocate array
of interrupt handlers dynamically. The current size will be too small
for vio multi-queue.

OK bluhm@

tb [Mon, 2 Sep 2024 08:05:18 +0000 (08:05 +0000)]
sync

tb [Mon, 2 Sep 2024 08:04:32 +0000 (08:04 +0000)]
Remove X509_check_trust documentation

tb [Mon, 2 Sep 2024 07:58:05 +0000 (07:58 +0000)]
sync

tb [Mon, 2 Sep 2024 07:57:27 +0000 (07:57 +0000)]
The X509at_* manuals are no longer needed

tb [Mon, 2 Sep 2024 07:56:28 +0000 (07:56 +0000)]
Also remove .Xr to X509at_*

tb [Mon, 2 Sep 2024 07:55:26 +0000 (07:55 +0000)]
Excise X509at_* from X509_REQ_* documentation

tb [Mon, 2 Sep 2024 07:54:21 +0000 (07:54 +0000)]
Rename lastpos to start_after to match other, similar manuals

tb [Mon, 2 Sep 2024 07:45:09 +0000 (07:45 +0000)]
More X509at_* removal