jsg [Sat, 30 Oct 2021 03:22:08 +0000 (03:22 +0000)]
add Intel 600 Series and Alder Lake S ids
described in
648364-001 Intel 600 Series Chipset Family Platform Controller Hub Datasheet
655258-001 12th Generation Intel Core Processors Datasheet
bluhm [Fri, 29 Oct 2021 20:15:03 +0000 (20:15 +0000)]
If the test fails, do not hang forever. Abort with a 10 seconds
timeout.
krw [Fri, 29 Oct 2021 18:38:19 +0000 (18:38 +0000)]
Tweak code to make it clear that MBR_init() uses just the boot code and
partition 0 information from the default MBR.
loongson and macppc provide partition 0 information but no boot code.
amd64, i386, landisk provide boot code but no partition 0 information.
Other arch's get by w/o a default MBR (a.k.a. /usr/mdec/mbr).
No functional change.
deraadt [Fri, 29 Oct 2021 18:09:26 +0000 (18:09 +0000)]
sync
jmc [Fri, 29 Oct 2021 16:42:57 +0000 (16:42 +0000)]
the list of devices which can be created it getting unwieldy and keep getting
out of date: remove it (sthen) and add a pointer to -C (dlg);
ok sthen
anton [Fri, 29 Oct 2021 15:52:44 +0000 (15:52 +0000)]
poll needs similar treatment as select recently gained in order to not
mask failed kqueue_register() attempts which in turn causes the thread to
end up sleeping as opposed of propagating the failure to user space.
Regression introduced in the recent switch to implement poll on top of
kqueue.
Thanks to Larry Hynes <larry at larryhynes dot com> for reporting and
Leah Neukirchen <leah at vuxu dot org> for providing a reproducer; which
also already made its way into regress.
ok mpi@
anton [Fri, 29 Oct 2021 15:43:55 +0000 (15:43 +0000)]
A USB HID report ID must be represented using a single byte ranging
between 1-255 where 0 is reserved. The pseudo report ID
UHIDEV_CLAIM_MULTIPLE_REPORTID is currently colliding with the valid
report ID 255. Therefore crank it which gets rid of the collision and
increase the related fields in order to cope with larger integers.
Thanks to Damien Couderc <openbsd at petrocore dot eu> for reporting and
testing.
schwarze [Fri, 29 Oct 2021 14:29:24 +0000 (14:29 +0000)]
In x509/x509_purp.c rev. 1.11, tb@ fixed X509_check_purpose(3)
to fail if parsing of a certificate extension failed.
Adjust the documentation accordingly.
OK tb@
jsg [Fri, 29 Oct 2021 14:25:05 +0000 (14:25 +0000)]
match more Prolific HXN ids
tested by robert@ on PL2303GT
ok deraadt@ robert@ patrick@
jsg [Fri, 29 Oct 2021 14:23:07 +0000 (14:23 +0000)]
regen
jsg [Fri, 29 Oct 2021 14:22:26 +0000 (14:22 +0000)]
more Prolific HXN ids
ok deraadt@ robert@ patrick@
ratchov [Fri, 29 Oct 2021 13:24:50 +0000 (13:24 +0000)]
Don't grab audio_lock in filt_midi{read,write} if NOTE_SUBMIT is set.
Fixes panics caused by attempts to grab audio_lock twice in the
interrupt code path: once in the low-lever interrupt handler and once
in selwakeup()
This is exactly how audio(4) handles this problem.
ok mpi
mpi [Fri, 29 Oct 2021 13:13:20 +0000 (13:13 +0000)]
Hook poll tests.
mpi [Fri, 29 Oct 2021 13:13:04 +0000 (13:13 +0000)]
Test that poll(2) returns POLLNVAL for an already closed fd.
poll(2) rewrite on top of kqueue is currently blocking instead of
returning. Regression reported by Larry Hynes with a reproducer
from Leah Neukirchen, thanks a lot!
tb [Fri, 29 Oct 2021 12:11:13 +0000 (12:11 +0000)]
Actually error in X509_check_purpose() if x509v3_cache_extensions()
indicates failure. The previous "error return" X509_V_ERR_UNSPECIFIED
translates to 1, i.e., success. This changes to the intended behavior
of x509_purp.c r1.3 and matches OpenSSL. This will need various
adjustments in the documentation.
ok jsing
schwarze [Fri, 29 Oct 2021 11:25:37 +0000 (11:25 +0000)]
document the horrifying function X509_TRUST_set_default(3)
deraadt [Fri, 29 Oct 2021 10:54:33 +0000 (10:54 +0000)]
add missing .h file include
from Emil Engler
claudio [Fri, 29 Oct 2021 10:36:55 +0000 (10:36 +0000)]
rpki-client 7.4 is imminent, bump version
schwarze [Fri, 29 Oct 2021 10:22:00 +0000 (10:22 +0000)]
document X509_EXTENSION_dup(3);
while here, add the missing const qualifier to the obj argument of
X509_EXTENSION_create_by_OBJ(3) and correct a typo in the argument
name of X509_EXTENSION_get_data(3)
schwarze [Fri, 29 Oct 2021 09:42:07 +0000 (09:42 +0000)]
new manual page X509_REQ_print_ex(3),
also documenting X509_REQ_print(3) and X509_REQ_print_fp(3)
claudio [Fri, 29 Oct 2021 09:27:36 +0000 (09:27 +0000)]
Ensure that RRDP snapshot and delta files are fetched from the same host
as the notification file.
OK tb@ job@
claudio [Fri, 29 Oct 2021 08:51:20 +0000 (08:51 +0000)]
Limit the HTTP requests to 2GB of data. This is enforced via a quick
check of the content-lenght header and also with a check when writing
data out so that chunked encoding can not bypass the limit.
OK beck@ job@
claudio [Fri, 29 Oct 2021 08:00:59 +0000 (08:00 +0000)]
Properly implement --max-size and --min-size.
This uses scan_scaled(3) from libutil which is very similar to how rsync
behaves. Not implemented are the +/-1 math and the 1000 vs 1024 multipliers.
OK benno@ job@
djm [Fri, 29 Oct 2021 03:20:46 +0000 (03:20 +0000)]
ssh-keygen: make verify-time argument parsing optional
From Fabian Stelzer
djm [Fri, 29 Oct 2021 03:03:06 +0000 (03:03 +0000)]
sshsig: add tests for signing key validity and find-principals
- adds generic find-principals tests (this command had none before)
- tests certs with a timeboxed validity both with and without a
restriced lifetime for the CA
- test for a revoked CA cert
by Fabian Stelzer
djm [Fri, 29 Oct 2021 02:48:19 +0000 (02:48 +0000)]
avoid signedness warning; spotted in -portable
claudio [Thu, 28 Oct 2021 19:02:36 +0000 (19:02 +0000)]
Sync output at end of run with output inside the openbgpd output file.
With and OK tb@
nicm [Thu, 28 Oct 2021 18:57:06 +0000 (18:57 +0000)]
Do not force the cursor to move if it is in the automargin space at EOL
and that is where we want it to be, GitHub issue 2956.
nicm [Thu, 28 Oct 2021 18:54:33 +0000 (18:54 +0000)]
Allow detach even if suspend flag set, GitHub issue 2932.
nicm [Thu, 28 Oct 2021 18:39:15 +0000 (18:39 +0000)]
Expand command as a format, GitHub issue 2920.
schwarze [Thu, 28 Oct 2021 15:30:54 +0000 (15:30 +0000)]
document X509_REQ_to_X509(3)
sthen [Thu, 28 Oct 2021 15:06:36 +0000 (15:06 +0000)]
flesh out veb(4)/vport description a bit, spell out in more words what
is meant by "independently of the host network stack"
feedback jmc dlg
tb [Thu, 28 Oct 2021 14:24:08 +0000 (14:24 +0000)]
unwrap a line
job [Thu, 28 Oct 2021 13:51:42 +0000 (13:51 +0000)]
Limit how many FileAndHash entries a single manifest may contain
OK claudio@
job [Thu, 28 Oct 2021 13:50:29 +0000 (13:50 +0000)]
Don't fetch files larger than 2MB
OK claudio@
schwarze [Thu, 28 Oct 2021 13:23:19 +0000 (13:23 +0000)]
document X509_to_X509_REQ(3)
tb [Thu, 28 Oct 2021 13:13:03 +0000 (13:13 +0000)]
sort
claudio [Thu, 28 Oct 2021 13:07:43 +0000 (13:07 +0000)]
Provide --max-size and --min-size arguments. Currently ignored but
rpki-client wants --max-size and this will unblock that work.
With job@
sthen [Thu, 28 Oct 2021 12:01:56 +0000 (12:01 +0000)]
sync
claudio [Thu, 28 Oct 2021 11:57:00 +0000 (11:57 +0000)]
Limit the size of the base64 blob inside the RRDP XML to be less than
MAX_FILE_SIZE after base64 decoding it. This way hostile RRDP servers
do less damage.
OK beck@ tb@
beck [Thu, 28 Oct 2021 11:55:43 +0000 (11:55 +0000)]
Mechanical KNF in preparation for changing
beck [Thu, 28 Oct 2021 11:23:07 +0000 (11:23 +0000)]
Add headers normally contained in include/openssl, verbatim from 1.1.1
beck [Thu, 28 Oct 2021 11:21:03 +0000 (11:21 +0000)]
Import Certificate Transparency verbatim from OpenSSL 1.1.1
This is not yet hooked up and will not compile. Follow on commits
will KNF and then make it build.
ok jsing@ tb@
tb [Thu, 28 Oct 2021 11:01:19 +0000 (11:01 +0000)]
openssl-ruby tests: rework for x509_alt.c r1.3 and r1.5.
ruby can no longer generate certs with bogus wildcards in it to check
that they will fail to verify when creating TLS connections. It will
throw an error. This change needs openssl-ruby-tests-20211024p0 or later
to work.
tb [Thu, 28 Oct 2021 10:58:23 +0000 (10:58 +0000)]
Bring back r1.3, ok beck
Original commit message from beck:
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
kn [Thu, 28 Oct 2021 09:44:49 +0000 (09:44 +0000)]
Accept server replies from any server port
There is no requirement other than replying to client port 68/udp
as per RFC 2131, so drop the 67/udp check.
Same conclusion from florian
Reported and tested by Roc Vallès < vallesroc AT gmail DOT com>, thanks!
beck [Thu, 28 Oct 2021 09:02:19 +0000 (09:02 +0000)]
Don't exit in certain cases on failures to parse x509 objects.
In most cases we already warn and continue if someone sends us malformed
x509 objects. This makes this consistent behaviour in all places
so that if someone passes in bogus X509, We end up failing their entry
and continuing rather than exiting.
We still exit on memory/system failures so that a future run of rpki
client can simply do better when the machine is perhaps less hammered
on
ok job@ claudio@
jasper [Thu, 28 Oct 2021 08:47:40 +0000 (08:47 +0000)]
add proper declaration for addr in dt_prov_kprobe_hook
djm [Thu, 28 Oct 2021 02:55:30 +0000 (02:55 +0000)]
increment SSH_SK_VERSION_MAJOR to match last change
djm [Thu, 28 Oct 2021 02:54:18 +0000 (02:54 +0000)]
When downloading resident keys from a FIDO token, pass back the
user ID that was used when the key was created and append it to
the filename the key is written to (if it is not the default).
Avoids keys being clobbered if the user created multiple
resident keys with the same application string but different
user IDs.
feedback Pedro Martelletto; ok markus
NB. increments SSH_SK_VERSION_MAJOR
tb [Wed, 27 Oct 2021 22:11:21 +0000 (22:11 +0000)]
Fix HISTORY section: 6.9 -> 7.0
beck [Wed, 27 Oct 2021 21:56:58 +0000 (21:56 +0000)]
Add limits on size of certain untrusted inputs
ok job@
matthieu [Wed, 27 Oct 2021 21:31:31 +0000 (21:31 +0000)]
create directory for libxcvt headers
jasper [Wed, 27 Oct 2021 21:21:35 +0000 (21:21 +0000)]
extend checks of ensuring there's valid CTF data before attempting to use it.
job [Wed, 27 Oct 2021 18:09:08 +0000 (18:09 +0000)]
Limit length on URIs
OK beck@
bluhm [Wed, 27 Oct 2021 16:58:44 +0000 (16:58 +0000)]
The crypto layer needs the kernel lock. ah_zeroize() takes it when
called from tdb_walk(). tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal. First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@
jasper [Wed, 27 Oct 2021 15:18:12 +0000 (15:18 +0000)]
use db_get_probe_addr() instead of handrolling the expression wrapped in ifdef
ok mpi@
schwarze [Wed, 27 Oct 2021 14:54:07 +0000 (14:54 +0000)]
new manual page X509_REQ_add_extensions(3)
documenting six functions for extensions in certification requests
mvs [Wed, 27 Oct 2021 13:41:09 +0000 (13:41 +0000)]
Replace 'DIAGNOSTIC' block within soqinsque() by KASSERT(9).
ok sashan@
schwarze [Wed, 27 Oct 2021 11:24:47 +0000 (11:24 +0000)]
add some .Xrs involving recently added pages
schwarze [Wed, 27 Oct 2021 11:22:57 +0000 (11:22 +0000)]
minor tweaks to wording and punctuation,
and add .Xrs to relevant objects
schwarze [Wed, 27 Oct 2021 10:35:43 +0000 (10:35 +0000)]
Minor tweaks:
* Say "number of bytes" instead of "length of bytes".
* Remove mention of a BUGS section that exists neither here nor in OpenSSL.
* List all authors who contributed Copyright-worthy amounts of text.
* Remove years from the Copyright line that saw no non-trivial changes.
* Add the year 2014: that's when Emilia wrote the i2d_re_X509_tbs() text.
* Improve merge comments.
beck [Wed, 27 Oct 2021 10:22:08 +0000 (10:22 +0000)]
Revert version 1.3 - not allowing the creation of bogus certificates
breaks the ruby regression tests that expect to make bogus certificates
and see that they are rejected :(
I am reverting this for now to make the regress tests pass, and will
bring it back if we decide to patch the regress tests to remove the
problem cases
beck [Wed, 27 Oct 2021 09:56:43 +0000 (09:56 +0000)]
Fix to correctly parse the 'to' time into the to_tm
beck [Wed, 27 Oct 2021 09:50:56 +0000 (09:50 +0000)]
Add ASN1_TIME_diff from OpenSSL.
The symbol is not yet exposed and will show up with tb@'s forthcoming bump
ok tb@ jsing@
jasper [Wed, 27 Oct 2021 09:09:55 +0000 (09:09 +0000)]
fix spello in comment
solene [Wed, 27 Oct 2021 06:36:51 +0000 (06:36 +0000)]
Mention vether(4) and mpip(4) interfaces in the create list
ok benno@ dlg@
visa [Wed, 27 Oct 2021 03:25:11 +0000 (03:25 +0000)]
regen
visa [Wed, 27 Oct 2021 03:24:44 +0000 (03:24 +0000)]
Unlock the kevent(2) system call.
Tested by mpi@ and tb@
OK mpi@
jsg [Wed, 27 Oct 2021 02:27:34 +0000 (02:27 +0000)]
backport a perl patch to avoid excessive warnings with llvm 13 clang
originally from Tony Cook in
skip using gcc brace groups for STMT_START/END
7169efc77525df70484a824bff4ceebd1fafc760
looks fine millert@ ok afresh1@
tb [Tue, 26 Oct 2021 23:37:56 +0000 (23:37 +0000)]
Merge documentation for i2d_re_X509*_tbs(3) from OpenSSL 1.1
djm [Tue, 26 Oct 2021 21:36:23 +0000 (21:36 +0000)]
update to libfido2 1.8.0; ok sthen@ "timing is fine" deraadt@
jmc [Tue, 26 Oct 2021 18:50:38 +0000 (18:50 +0000)]
spelling fixes;
tb [Tue, 26 Oct 2021 18:17:09 +0000 (18:17 +0000)]
sync
tb [Tue, 26 Oct 2021 18:11:04 +0000 (18:11 +0000)]
install X509_get_extension_flags.3 and X509_SIG_get0.3
tb [Tue, 26 Oct 2021 18:05:07 +0000 (18:05 +0000)]
Remove a line documenting that X509_get_X509_PUBKEY(3) is missing
discussed with schwarze
tb [Tue, 26 Oct 2021 18:04:24 +0000 (18:04 +0000)]
Document X509_get0_pubkey.3
tb [Tue, 26 Oct 2021 18:01:00 +0000 (18:01 +0000)]
Document new signature of X509_get_X509_PUBKEY() and remove claim
that the API is implemented as a macro. This will change in an
upcoming bump.
job [Tue, 26 Oct 2021 17:35:38 +0000 (17:35 +0000)]
Add tlsfeature NID
OK beck@ tb@
tobhe [Tue, 26 Oct 2021 17:31:22 +0000 (17:31 +0000)]
Make proto config option accept a list to allow specifying multiple
protocols for a single policy, e.g. "proto { ipencap, ipv6 }".
feedback and ok benno@
ok patrick@
claudio [Tue, 26 Oct 2021 16:59:54 +0000 (16:59 +0000)]
Adjust regress to the new BIO-free world order.
claudio [Tue, 26 Oct 2021 16:59:19 +0000 (16:59 +0000)]
Move load_file() to encoding.c so that regress can use the function.
matthieu [Tue, 26 Oct 2021 16:49:12 +0000 (16:49 +0000)]
Add a new TEMPerHUM device id. style tweak deraadt@, ok mlarkin@
deraadt [Tue, 26 Oct 2021 16:29:49 +0000 (16:29 +0000)]
Improve unhibernate performance (30% on some machines, another upcoming diff
shows gains up to 50%) by skipping attach of irrelevant devices, which are
tagged CD_SKIPHIBERNATE in the per-driver cfdriver. In particular, usb devices
are not attached, so they don't need to detach during the suspend-unpack-resume.
New bootblocks are required (which tell the kernel it's job is unhibernate
before configure runs)
tested by various
claudio [Tue, 26 Oct 2021 16:12:54 +0000 (16:12 +0000)]
Refactor the tal parsing code to use the same load_file() and buffer
passing as done for the other parsers.
OK job@ tb@
kn [Tue, 26 Oct 2021 15:48:25 +0000 (15:48 +0000)]
Generalise "nameserver" workings
The generated route message is not at all resolvd(8) specific.
Mention how unwind(8) reacts to proposals as well.
"Broadcast" wording deraadt jmc
OK millert
job [Tue, 26 Oct 2021 15:14:18 +0000 (15:14 +0000)]
Add RFC 3779 checks to both legacy and new verifier
OK beck@
beck [Tue, 26 Oct 2021 14:34:02 +0000 (14:34 +0000)]
Free memory on text exit to make asan quieter
ok tb@
patrick [Tue, 26 Oct 2021 14:20:47 +0000 (14:20 +0000)]
Enable vmx(4) on arm64. Tested using VMware Fusion on the Apple M1.
ok kettenis@
deraadt [Tue, 26 Oct 2021 14:15:02 +0000 (14:15 +0000)]
sync
patrick [Tue, 26 Oct 2021 14:13:57 +0000 (14:13 +0000)]
Only flush freshly mapped uncached/device mappings if we have a vm_page for it,
meaning we make sure it is indeed managed memory/RAM and not some MMIO. Fixes
booting on VMware Fusion (and an older QEMU diff for HVF acceleration).
ok kettenis@
patrick [Tue, 26 Oct 2021 14:10:02 +0000 (14:10 +0000)]
Allocate fresh memory to put our device tree into, to make sure we have least
one page of free space for us to extend into. Fixes booting on VMware Fusion.
ok kettenis@
claudio [Tue, 26 Oct 2021 13:31:05 +0000 (13:31 +0000)]
Also move the cert parser code away from using BIO.
OK beck@
claudio [Tue, 26 Oct 2021 13:26:53 +0000 (13:26 +0000)]
rpki-client supports RFC8630 TAL files.
schwarze [Tue, 26 Oct 2021 12:56:48 +0000 (12:56 +0000)]
new manual page X509_REQ_add1_attr(3) documenting nine functions
for X.501 Attributes in PKCS#10 certification requests
schwarze [Tue, 26 Oct 2021 12:45:31 +0000 (12:45 +0000)]
correct a wrong function name below RETURN VALUES
nicm [Tue, 26 Oct 2021 12:29:41 +0000 (12:29 +0000)]
Accept some emacs control keys in vi normal mode, from Alexis
Hildebrandt in GitHub issue 2922.
nicm [Tue, 26 Oct 2021 12:22:23 +0000 (12:22 +0000)]
Do not allow inline styles to replace mode-style for the selected item,
from Alexis Hildebrandt in GitHub issue 2946.
claudio [Tue, 26 Oct 2021 10:52:49 +0000 (10:52 +0000)]
Change CMS and CRL d2i functions from their BIO version to passing the
der buffer instead. The file are loaded early in the entity processing
loop.
OK tb@
schwarze [Tue, 26 Oct 2021 10:50:08 +0000 (10:50 +0000)]
document X509_REQ_dup(3)