tb [Sun, 1 Oct 2023 08:23:58 +0000 (08:23 +0000)]
Refer to RFC 3779, 2.1.2 for encoding of ranges
Mention sections 2.1.1 and 2.1.2 in STANDARDS
tb [Sun, 1 Oct 2023 08:17:52 +0000 (08:17 +0000)]
Point out that the result of IPAddressRange_new() is an invalid range
since it should be a prefix.
tb [Sun, 1 Oct 2023 05:20:41 +0000 (05:20 +0000)]
encoding -> decoding for d2i
tb [Sun, 1 Oct 2023 04:48:39 +0000 (04:48 +0000)]
Add an empty line
tb [Sat, 30 Sep 2023 19:07:38 +0000 (19:07 +0000)]
Reorder list of additional validation checks needed
tb [Sat, 30 Sep 2023 18:16:44 +0000 (18:16 +0000)]
Switch copyright year to 2023.
Apparently I should have used 2023 despite sharing versions of these
files with several people under this license (and thus permitting them
to redistribute and share with the public). It makes no sense to me,
but shrug.
tb [Sat, 30 Sep 2023 16:01:18 +0000 (16:01 +0000)]
Use addrblocks for .Fa
schwarze [Sat, 30 Sep 2023 14:29:41 +0000 (14:29 +0000)]
avoid using the string "a" without markup as a placeholder
where that feels potentially confusing,
and add one missing .Pp macro; no change of meaning
schwarze [Sat, 30 Sep 2023 14:26:09 +0000 (14:26 +0000)]
consistently use "allow_inherit" for the argument name
and fix whitespace on one text line; no change of meaning
schwarze [Sat, 30 Sep 2023 14:24:00 +0000 (14:24 +0000)]
drop one pair of needless parentheses
and polish one wording; no change of meaning
schwarze [Sat, 30 Sep 2023 14:21:57 +0000 (14:21 +0000)]
remove a useless repetition of a function name
that was also followed by a bogus argument,
and fix one grammatical error; no change of meaning
schwarze [Sat, 30 Sep 2023 14:12:40 +0000 (14:12 +0000)]
polish an awkward wording
and capitalize "AFI" where is does not refer to the function argument;
no change of meaning
schwarze [Sat, 30 Sep 2023 14:10:56 +0000 (14:10 +0000)]
two instances of missing .Fa macros
and some missing escaping of HYPHEN-MINUS; no text change
schwarze [Sat, 30 Sep 2023 13:58:29 +0000 (13:58 +0000)]
fix one copy and paste error: d2i_*() decode rather than encode;
plus some minor markup and punctuation fixes
schwarze [Sat, 30 Sep 2023 13:51:00 +0000 (13:51 +0000)]
garbage collect two stray words, no change of meaning
naddy [Sat, 30 Sep 2023 13:03:40 +0000 (13:03 +0000)]
list tracepoints directly in kdump.1 instead of pointing to ktrace.1
Also add a note to the respective section in kdump.1, ktrace.1, and
ltrace.1 to keep in sync with each other; suggested by schwarze@.
ok deraadt@ schwarze@
bluhm [Fri, 29 Sep 2023 19:44:47 +0000 (19:44 +0000)]
Replace kernel lock with mutex in ixl(4) media status.
Witness found that sc_atq_mtx mutex is held when kernel lock is
acquired. This might cause a deadlock. Protect sc_media_status
and sc_media_active with the link state mutex instead. Global
fields ifm->ifm_status and ifm->ifm_active are still protected by
kernel lock.
OK tobhe@
tobhe [Fri, 29 Sep 2023 18:45:42 +0000 (18:45 +0000)]
Make sure pfkeyv2_parsemessage() only returns 0 if the message was
successfully validated. Decline all messages from userland that contain
errnos and remove unneeded special handling for type SADB_X_PROMISC.
ok bluhm@
tobhe [Fri, 29 Sep 2023 18:40:08 +0000 (18:40 +0000)]
Only forward validated pfkey messages to promiscuous listeners.
Fixes a bunch of crashes with ipsecctl -m.
ok bluhm@
op [Fri, 29 Sep 2023 18:30:14 +0000 (18:30 +0000)]
bump version to 7.4.0
deraadt [Fri, 29 Sep 2023 18:29:35 +0000 (18:29 +0000)]
sync
kettenis [Fri, 29 Sep 2023 17:30:35 +0000 (17:30 +0000)]
Revert previous commit; botched testing meant that I missed USB device no
longer attach to the USB 2.0 ports.
beck [Fri, 29 Sep 2023 15:53:59 +0000 (15:53 +0000)]
Allow IP addresses to be specified in a URI.
Our checking here was a bit too aggressive, and did not permit an
IP address in a URI. IP's in a URI are allowed for things like CRLdp's
AIA, SAN URI's etc.). The check for this was also slightly flawed as
we would permit an IP if memory allocation failed while checking for
an IP.
Correct both issues.
ok tb@
kettenis [Fri, 29 Sep 2023 15:51:48 +0000 (15:51 +0000)]
Newer versions of U-Boot may disable the USB PHYs and gate their clocks.
Add support for the rk3399 to rkusbphy(4) and implement support for the
required clocks.
ok kevlo@
tb [Fri, 29 Sep 2023 15:41:06 +0000 (15:41 +0000)]
Some wording tweaks to make things a bit more precise.
claudio [Fri, 29 Sep 2023 12:47:34 +0000 (12:47 +0000)]
Extend single_thread_set() mode with additional flag attributes.
The mode can now be or-ed with SINGLE_DEEP or SINGLE_NOWAIT to alter
the behaviour of single_thread_set(). This allows explicit control
of the SINGLE_DEEP behaviour.
If SINGLE_DEEP is set the deep flag is passed to the initial check call
and by that the check will error out instead of suspending (SINGLE_UNWIND)
or exiting (SINGLE_EXIT). The SINGLE_DEEP flag is required in calls to
single_thread_set() outside of userret. E.g. at the start of sys_execve
because the proc is not allowed to call exit1() in that location.
SINGLE_NOWAIT skips the wait at the end of single_thread_set() and therefor
returns BEFORE all threads have been parked. Currently this is only used by
the ptrace code and should not be used anywhere else. Not waiting for all
threads to settle is asking for trouble.
This solves an issue by using SINGLE_UNWIND in the coredump case where
the code should actually exit in case another thread crashed moments earlier.
Also the SINGLE_UNWIND in pledge_fail() is now marked SINGLE_DEEP since
the call to pledge_fail() is for sure not at the kernel boundary.
OK mpi@
tb [Fri, 29 Sep 2023 09:28:21 +0000 (09:28 +0000)]
Fix a wrong tag and work around an ugly linebreak
tb [Fri, 29 Sep 2023 08:59:04 +0000 (08:59 +0000)]
sync
tb [Fri, 29 Sep 2023 08:57:49 +0000 (08:57 +0000)]
Document X509v3_{addr,asid}_validate_{path,resource_set}(3)
These were the last four RFC 3779 things that check_complete.pl x509v3
complained about. I will surely tweak and try to improve a few things
in the coming days, but the pages should now be stable enough that
review efforts will likely not be wasted. Any feedback appreciated.
tb [Fri, 29 Sep 2023 06:53:05 +0000 (06:53 +0000)]
Appease coverity
This is a static pointer, so it ain't ever NULL, but shrug
schwarze [Thu, 28 Sep 2023 17:00:21 +0000 (17:00 +0000)]
add a missing .Fa macro
schwarze [Thu, 28 Sep 2023 16:41:36 +0000 (16:41 +0000)]
fix two wrong function names in the description;
from <Lucas at sexy dot is>
tb [Thu, 28 Sep 2023 14:55:48 +0000 (14:55 +0000)]
Fix error message
tb [Thu, 28 Sep 2023 14:54:39 +0000 (14:54 +0000)]
Don't leak ctx on failure
tb [Thu, 28 Sep 2023 12:37:21 +0000 (12:37 +0000)]
sync
tb [Thu, 28 Sep 2023 12:36:36 +0000 (12:36 +0000)]
Document X509v3_{addr,asid}_subset.3 take two (missed cvs add)
First RFC 3779 page without a BUG section. It could have one, but I'm
in a lenient mood right now. Maybe it's just that this is bad but not
quite as bad as EVP.
tb [Thu, 28 Sep 2023 12:35:31 +0000 (12:35 +0000)]
Document X509v3_{addr,asid}_subset.3
First RFC 3779 page without a BUG section. It could have one, but I'm
in a lenient mood right now. Maybe it's just that this is bad but not
quite as bad as EVP.
tb [Thu, 28 Sep 2023 11:39:35 +0000 (11:39 +0000)]
Add more regress coverage for EVP_CIPHER_CTX_iv_length()
Awesome: the IV length for GCM is only bounded by INT_MAX or malloc limits.
In the absence of an overflowing issue tracker, I'm labeling this
"good first issue", "help wanted" here.
tb [Thu, 28 Sep 2023 11:35:10 +0000 (11:35 +0000)]
Check that EVP_CIPHER_CTX_iv_length() matches what was set
This really only covers AES-GCM.
From beck
tb [Thu, 28 Sep 2023 11:29:10 +0000 (11:29 +0000)]
Fix EVP_CIPHER_CTX_iv_length()
In today's episode of "curly nonsense from EVP land" we deal with a quite
harmless oversight and a not too bad suboptimal fix, relatively speaking.
At some point EVP_CIPHER_{CCM,GCM}_SET_IVLEN was added. It modified some
object hanging off of EVP_CIPHER. However, EVP_CIPHER_CTX_iv_length() wasn't
taught about this and kept returning the hardcoded default value on the
EVP_CIPHER. Once it transpired that a doc fix isn't going to cut it, this
was fixed. And of course it's easy to fix: you only have to dive through
about three layers of EVP, test and set a flag and handle a control in a
couple methods.
The upstream fix was done poorly and we begrudgingly have to match the API:
the caller is expected to pass a raw pointer next to a 0 length along with
EVP_CIPHER_GET_IV_LENGTH and the control handler goes *(int *)ptr = length
in full YOLO mode. That's never going to be an issue because of course the
caller will always pass a properly aligned pointer backing a sufficient
amount of memory. Yes, unlikely to be a real issue, but it could have been
done with proper semantics and checks without complicating the code. But
why do I even bother to complain? We're used to this.
Of note here is that there was some pushback painting other corners of a
bikeshed until the reviewer gave up with a resigned
That kind of changes the semantics and is one extra complexity level,
but [shrug] ok...
Anyway, the reason this matters now after so many years is that rust-openssl
has an assert, notably added in a +758 -84 commit with the awesome message
"Docs" that gets triggered by recent tests added to py-cryptography.
Thanks to Alex Gaynor for reporting this. Let me take the opportunity to
point out that pyca contributed to improve rust-openssl, in particular its
libressl support, quite a bit. That's much appreciated and very noticeable.
Regress coverage to follow in subsequent commits.
Based on OpenSSL PR #9499 and issue #8330.
ok beck jsing
PS: A few macros were kept internal for now to avoid impact on the release
cycle that is about to finish. They will be exposed after release.
tb [Thu, 28 Sep 2023 08:21:43 +0000 (08:21 +0000)]
whitespace
claudio [Thu, 28 Sep 2023 07:02:50 +0000 (07:02 +0000)]
Prep for OpenBGPD 8.2
claudio [Thu, 28 Sep 2023 07:01:26 +0000 (07:01 +0000)]
Enforce NUL termination of the neighbor shutdown reason sent from
bgpctl before calling strlcpy() with that string.
OK tb@ some long time ago
jsg [Thu, 28 Sep 2023 03:34:32 +0000 (03:34 +0000)]
plaform -> platform
jsg [Thu, 28 Sep 2023 01:51:00 +0000 (01:51 +0000)]
don't mention what language functions are implemented in
remove a line relating to the 2BSD libNS
ok schwarze@
afresh1 [Thu, 28 Sep 2023 01:18:52 +0000 (01:18 +0000)]
Don't register firmware already in /var/db/pkg
If installing firmware with `make install` from a port, it doesn't register
properly by adding "@option firmware" to the packing list, this means we ignore
that it is installed and reinstall it over and over with the registration
ending up in a tmpdir named directory inside the existing directory in
/var/db/pkg.
Unfortunately I don't know of a good way to automatically clean up from that,
so we just print a message after installing the actual firmware.
Reported by job@
No complaints about the patch on tech@ for several weeks.
afresh1 [Thu, 28 Sep 2023 00:52:16 +0000 (00:52 +0000)]
Exit successfully at the end of fw_update
Otherwise the exit status depends on whether we kept any firmware.
Reported by Brian Conway <bconway () rcesoftware ! com>
The clean solution suggested by guenther@
afresh1 [Thu, 28 Sep 2023 00:45:22 +0000 (00:45 +0000)]
Download firmware to LOCALSRC when using filenames
Previously if you did: fw_update otus-firmware-1.0p1.tgz
and that firmware didn't exist in the current directory,
we would download that firmware into the current directory.
Which is not the expected outcome.
jeremy [Wed, 27 Sep 2023 21:46:17 +0000 (21:46 +0000)]
Full rewrite of lang/ruby port module documentation
Restructure so that the most important information is first.
Describe how it modifies bsd.port.mk variables.
Document all public variables set by the module.
Rewrite prompted by feedback from schwarze@
Multiple rounds of review and many fixes from schwarze@
OK schwarze@
millert [Wed, 27 Sep 2023 21:06:33 +0000 (21:06 +0000)]
Use a dynamically-allocated line buffer and resize as needed.
Fixes a buffer overflow for lines over 2048 bytes.
Problem reported by Crystal Kolipe. OK deraadt@
jmc [Wed, 27 Sep 2023 20:30:19 +0000 (20:30 +0000)]
fix punctuation and formatting in AUTHORS;
otto [Wed, 27 Sep 2023 17:06:42 +0000 (17:06 +0000)]
We're not interested in the core dump, so prevent it. Also catch
SIGABRT, to avoid the "Abort trap" message, which confuses me sometimes
until I realize it's the purpose of this test to abort.
deraadt [Wed, 27 Sep 2023 15:18:31 +0000 (15:18 +0000)]
disable POOL_DEBUG for release
espie [Wed, 27 Sep 2023 12:24:22 +0000 (12:24 +0000)]
document the obvious
tb [Wed, 27 Sep 2023 11:29:22 +0000 (11:29 +0000)]
RFC 3779: stop pretending we support AFIs other than IPv4 and IPv6
This code is a complete bug fest and using it with any other AFI is
downright dangerous. Such don't arise in this context in practice.
ok claudio jsing
claudio [Wed, 27 Sep 2023 10:49:21 +0000 (10:49 +0000)]
Match GRACEFUL_SHUTDOWN only from ebgp sessions as specified by
RFC8326 Section 4.1.
OK sthen@ phessler@ job@
tb [Wed, 27 Sep 2023 08:46:46 +0000 (08:46 +0000)]
Various small tweaks in the RFC 3779 docs
Mention a few more bugs and unify manpage descriptions
semarie [Wed, 27 Sep 2023 08:20:50 +0000 (08:20 +0000)]
extent USE_LLD to Yes/No/ports values.
'ports' permits to force the use of ld.lld from lang/clang module.
ok landry@
phessler [Wed, 27 Sep 2023 07:52:48 +0000 (07:52 +0000)]
sync
phessler [Wed, 27 Sep 2023 07:50:46 +0000 (07:50 +0000)]
add a manpage for the qcrng(4) driver
reminded by pamela@
anton [Wed, 27 Sep 2023 05:18:40 +0000 (05:18 +0000)]
Cope with progname now being present in vmd errors messages.
tb [Wed, 27 Sep 2023 04:54:49 +0000 (04:54 +0000)]
sync
deraadt [Wed, 27 Sep 2023 02:13:18 +0000 (02:13 +0000)]
sync
tb [Tue, 26 Sep 2023 21:18:01 +0000 (21:18 +0000)]
Fix reference to x509v3.cnf(5) bis
tb [Tue, 26 Sep 2023 21:17:03 +0000 (21:17 +0000)]
Fix reference to x509v3.cnf(5)
tb [Tue, 26 Sep 2023 20:44:16 +0000 (20:44 +0000)]
sync
tb [Tue, 26 Sep 2023 20:42:45 +0000 (20:42 +0000)]
Document X509v3_{addr,asid}_inherits(3)
Also note another bug in X509v3_asid_{canonize,is_canonical}(3).
mvs [Tue, 26 Sep 2023 19:55:24 +0000 (19:55 +0000)]
Use existing `audio_lock' mutex(9) to make `midi{read,write}_filtops' MP
safe. knote_locked(9) will not grab kernel lock, so call it directly from
interrupt handlers instead of scheduling software interrupts.
feedback and ok ratchov
tb [Tue, 26 Sep 2023 18:36:33 +0000 (18:36 +0000)]
sync
tb [Tue, 26 Sep 2023 18:35:34 +0000 (18:35 +0000)]
Document X509v3_addr_get_{afi,range}(3)
tb [Tue, 26 Sep 2023 15:39:06 +0000 (15:39 +0000)]
sync
tb [Tue, 26 Sep 2023 15:34:23 +0000 (15:34 +0000)]
Document the guts of RFC 3779 IPAddrBlocks
Let's just say there's room for improvement...
sthen [Tue, 26 Sep 2023 15:16:44 +0000 (15:16 +0000)]
Have wg(4) copy the priority from the inner packet to the outer encrypted
packet, so that higher priority packets are picked from hfsc queues for
earlier transmission.
(Does not copy ToS bits from inner to outer packet headers sent on the
wire, which some may regard as secret).
tested by Andrew Lemin, ok dlg@
deraadt [Tue, 26 Sep 2023 13:27:32 +0000 (13:27 +0000)]
we are heading out of -beta
tb [Tue, 26 Sep 2023 13:02:47 +0000 (13:02 +0000)]
Missing variable name in prototype
tb [Tue, 26 Sep 2023 09:36:22 +0000 (09:36 +0000)]
Fix section title of X.690 reference (missing article)
tb [Tue, 26 Sep 2023 08:56:18 +0000 (08:56 +0000)]
Document some barely usable parts of the ASIdentifiers API.
Someone clearly didn't actually use much of the code they wrote and exposed
and therefore didn't think it through properly.
mvs [Tue, 26 Sep 2023 08:30:13 +0000 (08:30 +0000)]
Use shared netlock to protect ifnet data within vmt_tclo_broadcastip().
Execute vmt_tclo_tick() timeout handler in process context to allow
context switch within vmt_tclo_broadcastip().
ok yasuoka
tb [Tue, 26 Sep 2023 06:49:30 +0000 (06:49 +0000)]
Update APNIC's TA cert.
The old one expired last night. noted by anton
dv [Tue, 26 Sep 2023 01:53:54 +0000 (01:53 +0000)]
vmd(8): disambiguate log messages per vm and device.
The logging output from vmd(8) often specifies the function performing
the logging, but leaves which vm or vm device to guesswork and
reading tea leaves.
Change the logging formatting to prefix with information about the
specific vm and potentially the device subprocess. Most of this
logging is behind the "verbose" mode, but for warnings this will
clarify which vm or device logged the warning.
The format of vm/<name>/<device><index> is chosen to be concise and
less ugly than other approaches. This adjusts the process naming
for devices to match, dropping the use of brackets.
In the process of this change, updating log settings dynamically
via vmctl(8) is fixed by properly broadcasting that information to
the device subprocesses. The "vmm" process also now updates its own
state properly, so settings survive vm reboots.
ok mlarkin@
dv [Tue, 26 Sep 2023 01:23:02 +0000 (01:23 +0000)]
vmd(8): fix vm pause deadlock.
When vcpu threads pause, they are holding the run mutex lock. If
the event thread is asked to assert an irq on the pic and interrupts
are pending, it will try to take the run mutex lock on the vcpu.
This deadlocks.
Release the lock in the vcpu thread before waiting on the pause
condition variable.
ok mlarkin@
kettenis [Mon, 25 Sep 2023 19:23:34 +0000 (19:23 +0000)]
Implement support for stream IDs.
ok tobhe@, patrick@
sthen [Mon, 25 Sep 2023 16:42:19 +0000 (16:42 +0000)]
adapt to new dir layout in dtb packages; ok deraadt
deraadt [Mon, 25 Sep 2023 15:39:12 +0000 (15:39 +0000)]
document Meinberg PZF180PEX; from Maurice Janssen
deraadt [Mon, 25 Sep 2023 15:38:46 +0000 (15:38 +0000)]
match on Meinberg PZF180PEX; from Maurice Janssen
deraadt [Mon, 25 Sep 2023 15:38:11 +0000 (15:38 +0000)]
sync
deraadt [Mon, 25 Sep 2023 15:37:36 +0000 (15:37 +0000)]
add Meinberg Funkuhren PZF180PEX; from Maurice Janssen
deraadt [Mon, 25 Sep 2023 15:36:35 +0000 (15:36 +0000)]
enable mbg(4) at pci on amd64, from Maurice Janssen
tb [Mon, 25 Sep 2023 15:33:08 +0000 (15:33 +0000)]
rpki-client: mechanical rename of some variables
The previous commit used suboptimal variable names for ease of review.
Fix this up now.
ok claudio
tb [Mon, 25 Sep 2023 14:56:20 +0000 (14:56 +0000)]
rpki-client: Refactor sbgp_assysnum() and sbgp_addrblk()
An upcoming diff requires the ability to convert ASIdentifiers and
IpAddrBlocks into rpki-client's internal structures. Accordingly,
split already existing code into dedicated parsing functions . The
original functions now only extract the extension-specific data from
the X509_EXTENSION.
input/ok claudio
tb [Mon, 25 Sep 2023 13:09:52 +0000 (13:09 +0000)]
sync (zap trailing whitespace, pointed out by jsg)
tb [Mon, 25 Sep 2023 12:00:49 +0000 (12:00 +0000)]
sort
tb [Mon, 25 Sep 2023 12:00:26 +0000 (12:00 +0000)]
sync
tb [Mon, 25 Sep 2023 11:59:10 +0000 (11:59 +0000)]
New manual page documenting the usual four ASN.1 functions for both
ASRange and ASIdOrRange
tb [Mon, 25 Sep 2023 11:12:08 +0000 (11:12 +0000)]
tweak wording and fix a typo
tb [Mon, 25 Sep 2023 11:09:30 +0000 (11:09 +0000)]
Adjust regress for *_parse change
tb [Mon, 25 Sep 2023 11:08:45 +0000 (11:08 +0000)]
Pass the talid to various parse functions
This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.
ok claudio job
tb [Mon, 25 Sep 2023 10:34:44 +0000 (10:34 +0000)]
Tiny tweaks: missing article, capitalize a word and change an Xr
job [Mon, 25 Sep 2023 08:48:14 +0000 (08:48 +0000)]
Introduce ip_addr_range_print() to avoid code repetition
OK tb@
tb [Mon, 25 Sep 2023 07:47:52 +0000 (07:47 +0000)]
Document the RFC 3779 extensions as supported
projects / openbsd / log