jsing [Mon, 25 Mar 2024 10:41:36 +0000 (10:41 +0000)]
Codify more insane CRYPTO_EX_DATA API.
The current CRYPTO_EX_DATA implementation allows for data to be set without
calling new, indexes can be used without allocation, new can be called without
getting an index and dup can be called after new or without calling new.
jsing [Mon, 25 Mar 2024 10:19:14 +0000 (10:19 +0000)]
Revise for TLS extension parsing/processing changes.
jsing [Mon, 25 Mar 2024 10:18:13 +0000 (10:18 +0000)]
Simplify TLS extension parsing and processing.
Rather than having a separate parse and process step for each TLS
extension, do a first pass that parses all of the TLS outer extensions and
retains the extension data, before running a second pass that calls the TLS
extension processing code.
ok beck@ tb@
tb [Mon, 25 Mar 2024 10:16:02 +0000 (10:16 +0000)]
Clean up create_digest()
The ts code is its own kind of special. I only sent this diff out to hear
beck squeal. This diff doesn't actually fix anything, apart from (maybe)
appeasing some obscure static analyzer. It is decidedly less bad than a
similar change in openssl's issue tracker.
ok beck
beck [Mon, 25 Mar 2024 07:02:22 +0000 (07:02 +0000)]
Fix time conversion that broke regress.
ok tb@
joshua [Mon, 25 Mar 2024 06:20:16 +0000 (06:20 +0000)]
Move custom sigctx handling out of EVP_DigestSignFinal
ok tb@
dtucker [Mon, 25 Mar 2024 06:05:42 +0000 (06:05 +0000)]
Verify string returned from local shell command.
tb [Mon, 25 Mar 2024 05:48:39 +0000 (05:48 +0000)]
Fix typo msg_types -> msg_type
from jsing
jsing [Mon, 25 Mar 2024 04:06:41 +0000 (04:06 +0000)]
Revise TLS extension regress for parse/process changes.
joshua [Mon, 25 Mar 2024 04:05:22 +0000 (04:05 +0000)]
Clean up EVP_CIPHER_CTX_{legacy_clear,cleanup} usage in evp/bio_enc.c
Additionally, this tidies up some surrounding code and replaces usage of
free with freezero and malloc with calloc.
ok tb@
tb [Mon, 25 Mar 2024 04:03:26 +0000 (04:03 +0000)]
Final tweaks in x509_trs.c for now
looked over by jsing
jsing [Mon, 25 Mar 2024 04:02:29 +0000 (04:02 +0000)]
Split TLS extension parsing from processing.
The TLS extension parsing and processing order is currently dependent on
the order of the extensions in the handshake message. This means that the
processing order (and callback order) is not under our control. Split the
parsing from the processing such that the processing (and callbacks) are
run in a defined order.
Convert ALPN to the new model - other extensions will be split into
separate parse/process in following diffs.
ok beck@ tb@
tb [Mon, 25 Mar 2024 03:57:13 +0000 (03:57 +0000)]
Kill X509_TRUST
After peeling off enough layers, the entire wacky abstraction turns out
to be nothing but dispatching from a trust_id to a trust handler and
passing the appropriate nid and the cert.
ok beck jsing
joshua [Mon, 25 Mar 2024 03:41:16 +0000 (03:41 +0000)]
Clean up EVP_MD_CTX_{legacy_clear,cleanup}() usage in x509/x509_cmp.c
ok tb@
dtucker [Mon, 25 Mar 2024 03:30:31 +0000 (03:30 +0000)]
Improve shell portability: grep -q is not portable so redirect stdout,
and use printf instead of relying on echo to do \n substitution. Reduces
diff vs Portable.
jsing [Mon, 25 Mar 2024 03:23:59 +0000 (03:23 +0000)]
Decouple TLS extension table order from tlsext_randomize_build_order()
The PSK extension must be the last extension in the client hello. This is
currently implemented by relying on the fact that it is the last extension
in the TLS extension table. Remove this dependency so that we can reorder
the table as needed.
ok tb@
tb [Mon, 25 Mar 2024 02:18:35 +0000 (02:18 +0000)]
Add back trust member of X509_TRUST that I accidentally deleted
dtucker [Mon, 25 Mar 2024 02:07:08 +0000 (02:07 +0000)]
Save error code from SSH for use inside case statement, from portable.
In some shells, "case" will reset the value of $?, so save it first.
tb [Mon, 25 Mar 2024 01:48:50 +0000 (01:48 +0000)]
Const correct the trust handlers
The certificates no longer need to be modified since we cache the
extensions up front.
ok beck
dtucker [Mon, 25 Mar 2024 01:40:47 +0000 (01:40 +0000)]
Increase timeout. Resyncs with portable where some of the test
VMs are slow enough for this to matter.
dtucker [Mon, 25 Mar 2024 01:28:29 +0000 (01:28 +0000)]
In PuTTY interop test, don't assume the PuTTY major version is 0.
Patch from cjwatson at debian.org via bz#3671.
tb [Mon, 25 Mar 2024 01:00:02 +0000 (01:00 +0000)]
Pass the nid instead of the entire trust structure
This code is so ridiculously overengineered that it is an achievement even
by early OpenSSL standards.
ok beck
tb [Mon, 25 Mar 2024 00:46:57 +0000 (00:46 +0000)]
Pull extension caching into X509_check_trust()
This way the trust handlers can stop modifying the certificates.
ok beck
beck [Mon, 25 Mar 2024 00:05:49 +0000 (00:05 +0000)]
Remove unnecessary stat() calls from by_dir
When searching for a CA or CRL file in by_dir, this stat()
was used to short circuit attempting to open the file with
X509_load_cert_file(). This was a deliberate TOCTOU introduced
to avoid setting an error on the error stack, when what you
really want to say is "we couldn't find a CA" and continue
merrily on your way.
As it so happens you really do not care why the load_file failed
in any of these cases, it all boils down to "I can't find the CA
or CRL". Instead we just omit the stat call, and clear the error
stack if the load_file fails. The fact that you don't have a CA or
CRL is caught later in the callers and is what you want, mimicing
the non by_dir behaviour instead of possibly some bizzaro file
system error.
Based on a similar change in Boring.
ok tb@
patrick [Sun, 24 Mar 2024 22:34:48 +0000 (22:34 +0000)]
Enable cad(4).
ok kettenis@
patrick [Sun, 24 Mar 2024 22:34:06 +0000 (22:34 +0000)]
Implement resetting the PHY via a GPIO pin, like in fec(4). This helps
enable the PHY on the Raspberry Pi 5.
ok kettenis@
millert [Sun, 24 Mar 2024 19:51:47 +0000 (19:51 +0000)]
whois: remove obsolete handle support
Contact handles have been obsolete for some time now. The "!handle"
InterNic syntax no longer works and core COCO handle queries seems
to only return empty records. OK sthen@ job@
jca [Sun, 24 Mar 2024 14:00:11 +0000 (14:00 +0000)]
Add tests for EVP_get_cipherbyname(NULL) and EVP_get_digestbyname(NULL)
Requested by and ok tb@
jca [Sun, 24 Mar 2024 13:56:35 +0000 (13:56 +0000)]
Restore EVP_get_cipherbyname(NULL)/EVP_get_digestbyname(NULL) handling
The previous implementation used the now defunct OBJ_NAME_get() which
bailed out when passed a NULL argument. Difference spotted by the
regress tests in ports/net/openvpn (regular openvpn use is fine but
openvpn --show-ciphers/--show-digests crashes).
ok tb@
beck [Sun, 24 Mar 2024 11:30:12 +0000 (11:30 +0000)]
Convert libressl to use the BoringSSL style time conversions
This gets rid of our last uses of timegm and gmtime in the
library and things that ship with it. It includes a bit
of refactoring in ocsp_cl.c to remove some obvious ugly.
ok tb@
job [Sun, 24 Mar 2024 10:53:27 +0000 (10:53 +0000)]
Sync with IANA Status Code Registry
From https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
OK sthen@ miod@
mpi [Sun, 24 Mar 2024 10:29:35 +0000 (10:29 +0000)]
Cleanup uvmpd_tune() & document global variable ownership.
- Stop calling uvmpd_tune() inside uvm_pageout(). OpenBSD currently doesn't
support adding RAM. `uvmexp.npages' is immutable after boot.
- Document that `uvmexp.freemin' and `uvmexp.freetarg' are immutable.
- Reduce the scope of the `uvm_pageq_lock' lock. It serializes accesses
to `uvmexp.active' and `uvmexp.inactive'.
ok kettenis@
tb [Sun, 24 Mar 2024 08:27:35 +0000 (08:27 +0000)]
Rename ax into aux
tb [Sun, 24 Mar 2024 08:03:29 +0000 (08:03 +0000)]
Drop redundant NULL checks around two for loops
ok beck
tb [Sun, 24 Mar 2024 06:48:03 +0000 (06:48 +0000)]
Fix namespace build
noticed/ok beck
jsg [Sun, 24 Mar 2024 06:22:18 +0000 (06:22 +0000)]
permament -> permanent
tb [Sun, 24 Mar 2024 06:15:59 +0000 (06:15 +0000)]
Remove OPENSSL_NO_* #ifdefs from evp_names.c
discussed with jsing
tb [Sun, 24 Mar 2024 06:05:41 +0000 (06:05 +0000)]
Bye bye gost, bye, bye turdiness
ok beck
jsg [Sun, 24 Mar 2024 05:50:20 +0000 (05:50 +0000)]
use LIST_FOREACH_SAFE() to avoid use after free
this can't happen in a libsa environment
found by smatch, ok jsing@
tb [Sun, 24 Mar 2024 01:24:26 +0000 (01:24 +0000)]
Rename arg1 to nid because that's what it is
"Yeah, arg1 is always such an imaginative name" ian
ok beck
tb [Sun, 24 Mar 2024 00:38:58 +0000 (00:38 +0000)]
Clamp the manifestNumber to 20 octets value
The standards contain somewhat ambiguous language as to what the largest
acceptable value for a crlNumber or manifestNumber could be, due to a
limitation to 20 octets. The question is what 20 octets specifically are
meant...
Consensus seems to have emerged that the largest value is 2^159-1 since
2^160-1 would encode to 21 octets due to a padding octet to disambiguate
ff .. ff from -7f ff .. ff (iow the top bit of the first octet is a sign
bit).
Thus, switch from 2^160 - 1 to 2^159 - 1 as an upper bound by checking
the length of the value portion of the DER encoded ASN.1 integer to be
at most 20 octets.
Thanks to Martin Hoffmann, Tom Harrison, and Ben Maddison for raising and
discussing the issue. Thanks also to the spec authors for making me waste
a few hours of my life on a single bit.
ok job
tb [Sun, 24 Mar 2024 00:35:45 +0000 (00:35 +0000)]
Drop the unused 'name' member from X509_TRUST
This used to be exposed via an accessor, but this accessor is no longer
part of the library, so nuke it.
ok beck
sthen [Sun, 24 Mar 2024 00:33:41 +0000 (00:33 +0000)]
update project-cymru url, from Robert Keizer, slightly tweaked
yasuoka [Sun, 24 Mar 2024 00:14:19 +0000 (00:14 +0000)]
Remove radius.c which is added mistakenly and under review.
yasuoka [Sun, 24 Mar 2024 00:05:01 +0000 (00:05 +0000)]
Allow zero-length identity response
ok tobhe
yasuoka [Sat, 23 Mar 2024 22:51:49 +0000 (22:51 +0000)]
In kq_del(), delete matching EV_ADD entries to prevent libevent from
passing both EV_ADD and EV_DELETE for the same fd to kevent().
ok visa
guenther [Sat, 23 Mar 2024 16:30:01 +0000 (16:30 +0000)]
readdir_r(3) was never necessary and has been deprecated by POSIX.
Document that in the manpage and stop using it internally.
ok deraadt@ millert@ jmc@
sthen [Sat, 23 Mar 2024 10:38:02 +0000 (10:38 +0000)]
Recognise Meinberg PCI510, from Maurice Janssen
sthen [Sat, 23 Mar 2024 10:36:37 +0000 (10:36 +0000)]
sync
sthen [Sat, 23 Mar 2024 10:35:50 +0000 (10:35 +0000)]
Add Meinberg PCI510, from Maurice Janssen
tb [Sat, 23 Mar 2024 06:38:01 +0000 (06:38 +0000)]
Remove unused flags and arg2 members from X509_TRUST
ok jsing
tb [Sat, 23 Mar 2024 06:37:15 +0000 (06:37 +0000)]
Remove unused flags argument from the trust handlers
The public X509_check_trust() takes a flag parameter which we must leave
in place. However, we can stop passing the flag parameter around without
ever looking at it.
ok jsing
job [Sat, 23 Mar 2024 04:18:56 +0000 (04:18 +0000)]
Expand ASN range for LACNIC
LACNIC received a new block of ASNs from IANA
https://mail.lacnic.net/pipermail/lacnog/2024-March/009690.html
OK tb@
mvs [Sat, 23 Mar 2024 01:35:57 +0000 (01:35 +0000)]
Fix main() definition.
jan [Fri, 22 Mar 2024 21:49:52 +0000 (21:49 +0000)]
Increase /usr/src partition to 2GB - 5GB
ok miod@, deraadt@, otto@ and bluhm@
bluhm [Fri, 22 Mar 2024 21:48:38 +0000 (21:48 +0000)]
Remove padding from union inpaddru.
Alignment of IPv4 address with lower part of IPv6 address looks
like a leftover from times when IPv6 compatible addresses should
contain IPv4 addreses. Better use a simple union for both IPv4 and
IPv6 addresses like everywhere else. Use this type also for common
zero address.
OK mvs@
jcs [Fri, 22 Mar 2024 19:22:23 +0000 (19:22 +0000)]
add "-V none" to prevent making any backups
from FreeBSD
ok bluhm deraadt
bluhm [Fri, 22 Mar 2024 19:14:28 +0000 (19:14 +0000)]
Fix chroot(2) call in control process.
Use /var/empty as chroot directory. Call chroot(2) before setresuid(2).
Do the error check correctly. Call chdir(2) after chroot(2).
from spiros thanasoulas; with florian@ tb@; OK millert@
bluhm [Fri, 22 Mar 2024 18:05:01 +0000 (18:05 +0000)]
Make local port which is bound during connect(2) unique per laddr.
in_pcbconnect() did not pass down the address it got from in_pcbselsrc()
to in_pcbpickport(). As a consequence local port numbers selected
during connect(2) were globally unique although they belong to
different addresses. This strict uniqueness is not necessary and
wastes usable ports for outgoing connections.
To solve this, pass ina from in_pcbconnect() to in_pcbbind_locked().
This does not interfere how wildcard sockets are matched with
specific sockets during bind(2). It only allows non-wildcard sockets
to share a local port during connect(2).
OK mvs@ deraadt@
mvs [Fri, 22 Mar 2024 17:34:11 +0000 (17:34 +0000)]
Use sorflush() instead of direct unp_scan(..., unp_discard) to discard
dead unix(4) sockets.
The difference in direct unp_scan() and sorflush() is the mbuf(9) chain.
For the first case it is still linked to the `so_rcv', for the second it
is not. This is required to make `sb_mtx' mutex(9) the only `so_rcv'
sockbuf protection and remove socket re-locking from the most of
uipc_*send() paths. The unlinked mbuf(9) chain doesn't require any
protection, so this allows to perform sleeping unp_discard() lockless.
Also, the mbuf(9) chain of the discarded socket still contains addresses
of file descriptors and it is much safer to unlink it before FRELE()
them. This is the reason to commit this diff standalone.
ok bluhm
claudio [Fri, 22 Mar 2024 15:41:34 +0000 (15:41 +0000)]
Rework the cease shutdown reason to work in both directions by looking
at the ibuf payload passed to log_notification().
Because of this move ibuf_get_string() and the log_notification() call
in parse_notification().
OK tb@
jsg [Fri, 22 Mar 2024 12:29:33 +0000 (12:29 +0000)]
correct history of /dev/mem and /dev/kmem
The history section (added in CSRG) claimed both first appeared in v6.
Looking at the manuals in the TUHS archive, /dev/mem was in v1 and
/dev/kmem was introduced in v5.
ok jan@
claudio [Fri, 22 Mar 2024 07:19:28 +0000 (07:19 +0000)]
Rework parse_notification() to use the ibuf API for everything.
While there fix the RFC5492 handling of ERR_OPEN_CAPA (the current code
has the logic inversed). ERR_OPEN_CAPA is there to signal that a needed
capability is missing in our OPEN message. Just add the handling of
ERR_OPEN_CAPA to log_notification().
Also rework the handling of the shutdown reason and move the printing
into log_notification().
OK tb@
claudio [Fri, 22 Mar 2024 07:15:04 +0000 (07:15 +0000)]
Limit NFS connections to originate from a reserved port.
For TCP connections do the check when adding the socket via nfssvc(2).
For UDP do the check early after soreceive().
On top of this limit the sockets added via nfssvc(2) to IPv4 TCP and UDP
sockets.
OK millert@ deraadt@
tb [Fri, 22 Mar 2024 06:24:54 +0000 (06:24 +0000)]
Simplify X509_STORE_free()
This had an inlined version of sk_pop_free(). We can just call it the
right way.
ok jsing
ratchov [Fri, 22 Mar 2024 06:20:48 +0000 (06:20 +0000)]
aucat: Allow any device sample encoding.
If the device doesn't support the aucat internal encoding,
then setup a conversion layer instead of failing. This allows
aucat to be used for audio equipment testing/debugging
without involving the full sndiod processing chain.
ratchov [Fri, 22 Mar 2024 06:06:06 +0000 (06:06 +0000)]
aucat: Add a bytes-per-sample argument to allcobuf()
No behavior change.
ratchov [Fri, 22 Mar 2024 05:54:25 +0000 (05:54 +0000)]
pledge: Allow the AUDIO_GETDEV ioctl in "audio"
ok deraadt, kn, phessler
job [Fri, 22 Mar 2024 03:38:12 +0000 (03:38 +0000)]
Replace protocol literal strings and strlen() calls with defined constants
OK tb@ claudio@
patrick [Thu, 21 Mar 2024 23:12:33 +0000 (23:12 +0000)]
Never bindings use the phy-handle property instead of the phy property.
ok kettenis@
tobhe [Thu, 21 Mar 2024 22:08:49 +0000 (22:08 +0000)]
Avoid redundant allocation in ikev2_prfplus()
from markus@
bluhm [Thu, 21 Mar 2024 16:46:04 +0000 (16:46 +0000)]
Fix white space. OK tobhe@
nicm [Thu, 21 Mar 2024 12:10:57 +0000 (12:10 +0000)]
Write padding character into the right position.
nicm [Thu, 21 Mar 2024 11:53:11 +0000 (11:53 +0000)]
Reduce escape-time default to 10 milliseconds, 500 is far too long for
modern terminals and networks. Case made by Kurtis Rader in GitHub issue
3844.
nicm [Thu, 21 Mar 2024 11:51:32 +0000 (11:51 +0000)]
Add -M to always turn mouse on in a menu, GitHub issue 3779.
nicm [Thu, 21 Mar 2024 11:47:55 +0000 (11:47 +0000)]
Look for feature code 21 for DECSLRM and 28 for DECFRA in the device
attributes and also accept level 1 (there is no hardware with this but
some emulators may use it). Pointed out by James Holderness.
nicm [Thu, 21 Mar 2024 11:32:49 +0000 (11:32 +0000)]
Use -p for default paste-buffer command in buffer mode, it will only do
anything if the application asked for it. From Gregory Anders.
nicm [Thu, 21 Mar 2024 11:30:42 +0000 (11:30 +0000)]
Do not notify window-layout-changed if the window is about to be
destroyed (since it may have been freed by the time the notify happens),
from Romain Francoise in GitHub issue 3860.
nicm [Thu, 21 Mar 2024 11:27:18 +0000 (11:27 +0000)]
Revert detach-client part of last, did not intend this to go in.
nicm [Thu, 21 Mar 2024 11:26:28 +0000 (11:26 +0000)]
Do not consider a selection present if it is empty, from Michael Grant
(GitHub issue 3869). Also a typo fix from GitHub issue 3877.
claudio [Thu, 21 Mar 2024 10:58:15 +0000 (10:58 +0000)]
Do not exit the master process if a client TCP connection fails to be
added.
OK millert@
jsing [Thu, 21 Mar 2024 08:17:23 +0000 (08:17 +0000)]
Remove now unused certificates (which are also soon to expire).
jsg [Thu, 21 Mar 2024 05:14:35 +0000 (05:14 +0000)]
add uao_read_to_iosys_map() alternative to shmem_read_to_iosys_map()
jsg [Thu, 21 Mar 2024 05:06:42 +0000 (05:06 +0000)]
unstub intel_uc_fw_copy_rsa()
jmatthew [Thu, 21 Mar 2024 04:10:37 +0000 (04:10 +0000)]
mention that SR-IOV virtual functions work too
afresh1 [Thu, 21 Mar 2024 01:02:29 +0000 (01:02 +0000)]
Clear spinner after each cycle
Otherwise we can get left with a piece of the spinner if all firmware
gets updates and don't print a "kept" value.
While here, replace \010 with the ksh supported \b, as suggested by cheloha@
Noticed by deraadt@
bluhm [Wed, 20 Mar 2024 22:52:44 +0000 (22:52 +0000)]
Fix build with bitmap_copy() on i386 by adding const qualifier.
OK jsg@
tb [Wed, 20 Mar 2024 22:11:07 +0000 (22:11 +0000)]
Rename the remaining pmod to mod
tb [Wed, 20 Mar 2024 22:08:22 +0000 (22:08 +0000)]
pmod -> mod in CONF_IMODULE
Hungarian notation occasionally helps, but only if it is done consistently.
Steve and consistency... cf e.g the last few commits. Accordingly,
Hensonian Hungarian notation is a complete disaster. Start cleaning this
mess up.
tb [Wed, 20 Mar 2024 21:53:57 +0000 (21:53 +0000)]
tmod -> mod
requested by jsing
tb [Wed, 20 Mar 2024 21:51:23 +0000 (21:51 +0000)]
md -> imod for CONF_IMODULEs
A CONF_IMODULE is neither an EVP_MD nor a CONF_MODULE, so call it imod
instead of md or mod.
tb [Wed, 20 Mar 2024 21:49:00 +0000 (21:49 +0000)]
md -> mod for CONF_MODULEs
A CONF_MODULE is no EVP_MD, so call it mod instead of md.
tb [Wed, 20 Mar 2024 21:41:09 +0000 (21:41 +0000)]
Change return type of module_add()
There is one caller of this function which returns module_add() != NULL.
Make the function return an int instead.
suggested by and ok jsing
tb [Wed, 20 Mar 2024 21:31:31 +0000 (21:31 +0000)]
Implement imodule_free() and call it from module_finish()
ok jsing
tb [Wed, 20 Mar 2024 21:21:03 +0000 (21:21 +0000)]
Make module_free() NULL safe
ok jsing
op [Wed, 20 Mar 2024 17:52:43 +0000 (17:52 +0000)]
fix ORCPT handling
due to a swapped strlcpy() arguments we don't save the ORCPT argument
after validation. There's no buffer overflow since dsn_orcpt is zeroed.
Spotted by Tassilo Philipp, thanks!
ok millert gilles
jsing [Wed, 20 Mar 2024 10:38:05 +0000 (10:38 +0000)]
Use the new certificates/chains in regress.
The new certificates are more representative of the real world. The old
certificates use weak algorithms and expire in the very near future. Most
of our regress has already been switched over, this changes the remainder.
Thanks to Bernhard M. Wiedemann for reminding us of the upcoming expiry.
ok tb@
claudio [Wed, 20 Mar 2024 09:35:46 +0000 (09:35 +0000)]
Cleanup AID handling.
- Loops over all valid AID should start with AID_MIN and go up to AID_MAX - 1
e.g. for (i = AID_MIN; i < AID_MAX; i++)
If for some reason AID_UNSPEC must be handled make that explicit in the
for loop.
- aid2afi() now returns an error for AID_UNSPEC since there is no valid
AFI SAFI combo for AID_UNSPEC.
- Add additional checks for AID_MIN where currently only AID_MAX was checked.
This affects imsg for route refresh and graceful restart.
- Simplify add-path capability handling. Only the negotiated add_path capa
sets the flag for AID_UNSPEC to help code to quickly check if any add-path
is active.
OK tb@
claudio [Wed, 20 Mar 2024 09:26:42 +0000 (09:26 +0000)]
Remove some else statements in if () else if () chains that don't need
to be written this way. Makes the code more readable.
OK tb@
ratchov [Wed, 20 Mar 2024 08:42:11 +0000 (08:42 +0000)]
aucat: Add generic channel mapping in place of -j and -c options.
The argument to the -m option specifies the source and destination
channel ranges to be mapped. Compatibility is maintained: if -m
is not used, the -c and -j options still work.
Help and suggestions from Jan Stary <hans@stare.cz>, thanks.