openbsd
deraadt [Thu, 29 Sep 2022 04:10:27 +0000 (04:10 +0000)]
There no longer is any KVM_ET_* to keep in sync with UVM_ET_*, so
comment can be deleted.

jmc [Wed, 28 Sep 2022 20:27:12 +0000 (20:27 +0000)]
use Fn rather than Nm for swab(); from josiah frentsos

gnezdo [Wed, 28 Sep 2022 16:44:14 +0000 (16:44 +0000)]
Fix incorrect range check for size in setvbuf

From enh AT google.com:

The existing test is wrong for LP64, where size_t has twice as many
relevant bits as int, not just one. (Found by inspection by
rprichard.)

Looks good to deraadt@ and millert@

mbuhl [Wed, 28 Sep 2022 13:21:13 +0000 (13:21 +0000)]
Fix memory corruptions with sysv semaphores due to sleeps in copyin,
copyout and malloc.  During a sleep another thread could delete the
semaphore (and possibly allocate another one at the same location
with different permissions) which would lead to an invalid access
after wake up.  Therefore check the semaphore pointer, the sequence,
the permissions and some values in seminfo after each sleep.
OK bluhm@
Reported-by: syzbot+60ba811fe2e8a6b0f975@syzkaller.appspotmail.com

nicm [Wed, 28 Sep 2022 07:59:50 +0000 (07:59 +0000)]
Add scroll-top and scroll-bottom commands to scroll so cursor is at top
or bottom. From Anindya Mukherjee, GitHub issue 3334.

nicm [Wed, 28 Sep 2022 07:55:29 +0000 (07:55 +0000)]
Add a -T flag to capture-pane to stop at the last used cell instead of
the full width. Restore the previous behaviour by making it default to
off unless -J is used (the only time it matters). Fixes mosh unit tests;
GitHub issue 3339.

kn [Tue, 27 Sep 2022 13:30:36 +0000 (13:30 +0000)]
complete bootparamd -> rpc.bootparamd

reminded by jmc

kn [Tue, 27 Sep 2022 12:28:25 +0000 (12:28 +0000)]
Avoid escaping inside here documents

The delimiter can be quoted (single or double) to disable parameter, command
and arithmetic expansion inside the here document:

$ cat <<__EOT
echo $(echo foo)
__EOT
echo foo

$ cat <<'__EOT'
echo $(echo foo)
__EOT
echo $(echo foo)

Do the latter to be able to write the here document/file content exactly as
it would end up in output/rc.firsttime, making it easier to read.

To be more consistent and explicit, switch the remaining here documents with
pure plain text (no shell expansion, etc.) to quoted delimiters.

OK millert

kn [Tue, 27 Sep 2022 12:22:29 +0000 (12:22 +0000)]
simpler ftplist[0-9].o.o removal

We read /tmp/i/hosts line-wise to fill /mnt/etc/hosts and remove the tmp
file immediately afterwards, so just skip ftplist entries inside the loop
with a slightly easier to read ksh pattern rather than purge the tmp file
up-front with sed(1).

This is also a tiny bit more robust should the ftplist entries ever be added
with a tab as separator instead of a space and/or an alias since the sed
one-liner hardcodes a single space and expects no alias whereas ksh's read
takes any amount of whitespace between _addr and _hn while not caring about
optional aliases.

Comment is obvious so zap it.

OK millert

kn [Tue, 27 Sep 2022 11:52:29 +0000 (11:52 +0000)]
Zap .Nm bootparamd

Match rpc.{lock,stat}d(8) only having their proper name.

OK deraadt

kn [Tue, 27 Sep 2022 11:48:57 +0000 (11:48 +0000)]
fix passing explicit stage files

This fixes installboot regress on octeon; same diff as
macppc_installboot.c r1.6, powerpc64_installboot r1.7 and
octeon_installboot r1.8.

loongson was the last architecture requiring this fix.  I don't have a
machine to test it myself (loongson isn't built anymore, anyway) but given
the same diff works on four other architectures, this should just work.

kn [Tue, 27 Sep 2022 11:42:16 +0000 (11:42 +0000)]
fix passing explicit stage files

This fixes installboot regress on octeon;  same diff as
macppc_installboot.c r1.6 and powerpc64_installboot r1.7.

kn [Tue, 27 Sep 2022 11:31:46 +0000 (11:31 +0000)]
fix passing explicit stage files

This fixes installboot regress on powerpc64.

The exact same diff already landed for macppc;  efi also has the same fix
for md_init() but without the string handling cleanup that entails.

macppc_installboot.c r1.6 "Fix passing explicit stage files":

Using `stage1' leads to a bit more cleanup since early MI installboot.c
handles `-r', i.e. write_filesystem() no longer needs to do the
fileprefix() dance itself.

OK gkoehler

jmc [Tue, 27 Sep 2022 05:53:32 +0000 (05:53 +0000)]
- no more /usr/include/objc; confirmed by miod
- add /var/agentx; text from martijn

deraadt [Tue, 27 Sep 2022 03:01:42 +0000 (03:01 +0000)]
typing ^C and seeing "terminated by signal %d" is so ... I don't
have the words
ok florian

deraadt [Tue, 27 Sep 2022 02:39:24 +0000 (02:39 +0000)]
we are now working on 7.2-current

djm [Mon, 26 Sep 2022 22:18:40 +0000 (22:18 +0000)]
openssh-9.1

kettenis [Mon, 26 Sep 2022 15:49:59 +0000 (15:49 +0000)]
For framebuffers that don't start on a page boundary, we need to allow
mapping of all the pages used by the framebuffer, even those that are
only used partially.  Adjust the check in simplefb_wsmmap() to allow that.
While there, also make sure we use a (rounded down) page aligned
base address for the physical address we return.

Fixes X on the 16" Macbook Pro.

ok patrick@, deraadt@

martijn [Mon, 26 Sep 2022 08:48:52 +0000 (08:48 +0000)]
Fix a use after free in case mta_tls_init fails.

Found the hard way by renaud <at> allard <dot> it
OK eric@, gilles@, millert@

sdk [Mon, 26 Sep 2022 06:17:22 +0000 (06:17 +0000)]
Regenerate usbdevs{.h,_data.h} for Wacom One S (CTL-472)

sdk [Mon, 26 Sep 2022 06:14:21 +0000 (06:14 +0000)]
uwacom(4): Support for Wacom One S (CTL-472)

kn [Mon, 26 Sep 2022 00:29:55 +0000 (00:29 +0000)]
Drop incomplete archs lists from wsmoused(8) comment

OK deraadt

kettenis [Mon, 26 Sep 2022 00:20:14 +0000 (00:20 +0000)]
Hide error messages while extracting Apple firmware.  Depending on the
model there might be no firmware and we want to avoid confusing users
with WARNING messages about patterns that were not matched.

ok deraadt@

kn [Sun, 25 Sep 2022 22:47:27 +0000 (22:47 +0000)]
Document savecore_flags

OK jmc deraadt

jmc [Sun, 25 Sep 2022 20:54:07 +0000 (20:54 +0000)]
add /etc/rpki/
tweak/ok claudio

stsp [Sun, 25 Sep 2022 08:15:43 +0000 (08:15 +0000)]
Give mfii(4) firmware more time to transition out of UNDEFINED state.

Prevents occasional failure to recover from firmware FAULT state where
the driver gave up too early: mfii0: firmware stuck in state 0

ok deraadt@

millert [Sat, 24 Sep 2022 17:08:32 +0000 (17:08 +0000)]
ascii_load_sockaddr: Remove old IPv6 address parsing for envelope files.
IPv6 addresses have been formatted as "[address]" in envelope files
for years.  This was supposed to be removed after the 6.6 release
but got forgotten.  Noticed by kn@, OK deraadt@ kn@

claudio [Sat, 24 Sep 2022 16:25:22 +0000 (16:25 +0000)]
rpki-client 8.1

claudio [Sat, 24 Sep 2022 16:24:34 +0000 (16:24 +0000)]
OpenBGPD 7.7

florian [Sat, 24 Sep 2022 16:07:26 +0000 (16:07 +0000)]
There are time zones that have minute offsets, display those
correctly. Pointed out by pjanzen@.
To display the offset, use ISO 8601, as suggested by David Goerger.

While here check if tm->tm_gmtoff changed which probably means that we
moved in or out of daylight savings time.

Input & OK millert, deraadt

jmc [Sat, 24 Sep 2022 15:22:59 +0000 (15:22 +0000)]
macro tweaks; from josiah frentsos
ok deraadt

jmc [Sat, 24 Sep 2022 15:21:21 +0000 (15:21 +0000)]
macro tweaks; from josiah frentsos
ok deraadt

millert [Sat, 24 Sep 2022 14:33:28 +0000 (14:33 +0000)]
Sync with https://github.com/JodaOrg/global-tz
Major changes:
 o Palestine DST transitions are now Saturdays at 02:00.

jsg [Sat, 24 Sep 2022 13:30:21 +0000 (13:30 +0000)]
disable POOL_DEBUG for release
ok deraadt@

jsg [Sat, 24 Sep 2022 12:22:31 +0000 (12:22 +0000)]
add SH-B0 0x00000f50 socket 940 family 0Fh Opteron
we already had SH-B0 0x00000f40 socket 754 family 0Fh Athlon 64

SH-B0 is part of amd64_errata_set8[].  Used for:
Errata 89: Potential Deadlock With Locked Transactions

ok deraadt@

claudio [Sat, 24 Sep 2022 11:29:16 +0000 (11:29 +0000)]
Adjust dummy rde_generate_updates() to the new prototype.

bluhm [Fri, 23 Sep 2022 21:33:17 +0000 (21:33 +0000)]
Fix detection of duplicate sticky-address in pf.conf parser.
reported to FreeBSD by Franco Fichtner; from Kristof Provost

florian [Fri, 23 Sep 2022 19:37:23 +0000 (19:37 +0000)]
Sync to libunbound 1.16.3

florian [Fri, 23 Sep 2022 19:24:08 +0000 (19:24 +0000)]
Xr to correct man page; from Josiah Frentsos, thanks!

millert [Fri, 23 Sep 2022 17:29:22 +0000 (17:29 +0000)]
POSIX timezone specs may contain '.' so only reject names containing '../'.
Noted by pjanzen@ with input from deraadt@.

florian [Fri, 23 Sep 2022 16:58:33 +0000 (16:58 +0000)]
Since tzset(3) ignores arbitrary files, we no longer need rpath
and can depend on the /usr/share/zoneinfo bypass.

OK mestre, millert, deraadt

claudio [Fri, 23 Sep 2022 15:50:41 +0000 (15:50 +0000)]
Don't depend on RTLABEL_LEN but instead define our own ROUTELABEL_LEN.
With this bgpd.h no longer depends on net/route.h
OK tb@

claudio [Fri, 23 Sep 2022 15:49:20 +0000 (15:49 +0000)]
Implement a special update generator for add-path send all.

The generic add-path code up_generate_addpath() reevaluates everything
since this is the simplest way to select the announced paths. For add-path
all this is overkill since there is no dependency between prefixes and so
individual prefixes can be handled more efficiently.

Extend rde_generate_updates() to pass the current newbest and oldbest
prefixes (for the selected best path) but now also include newpath and
oldpath (which is the prefix that is added/removed/modified).
If newpath or oldpath is set then a single prefix was altered and
up_generate_addpath_all() can just remove or add this prefix.
If newpath and oldpath are NULL then the full list based on newbest
needs to be inserted and any old path/prefix removed in the process.

This improves update generation performance on big route collectors using
add-path all substantially.

OK tb@

sthen [Fri, 23 Sep 2022 14:20:01 +0000 (14:20 +0000)]
merge unbound 1.16.3

krw [Fri, 23 Sep 2022 12:32:50 +0000 (12:32 +0000)]
Don't hardcode disk major device types inside DEBUG block. Use
findblkname() and DISKUNIT(). Allows all block devices, not just
sd* and vnd* to generate useful names in DEBUG output.

Cluebat by deraadt@

aoyama [Fri, 23 Sep 2022 02:35:46 +0000 (02:35 +0000)]
Delete unused variables that originally came from mvme88k.

jsg [Fri, 23 Sep 2022 01:25:39 +0000 (01:25 +0000)]
only call printf the first time amd64_errata() is called
it may later be used from a resume path when we don't want to print

same change as amd64 amd64errata.c 1.11 by robert

ok robert@ deraadt@

deraadt [Thu, 22 Sep 2022 17:44:20 +0000 (17:44 +0000)]
remove dup line; from j@bitminer

robert [Thu, 22 Sep 2022 04:57:07 +0000 (04:57 +0000)]
use the always serializing RDTSCP instruction in tsc and usertc if available

tweaks from cheloha@; ok deraadt@, sthen@, cheloha@

robert [Thu, 22 Sep 2022 04:36:37 +0000 (04:36 +0000)]
Call amd64_errata() from cpu_fix_msrs() instead of identifycpu() so that
on resume, the errata is re-applied.
In addition make amd64_errata() print the information about the applied
errata only once for the first CPU.

input from jsg@ and deraadt@, ok deraadt@

tobhe [Wed, 21 Sep 2022 22:32:10 +0000 (22:32 +0000)]
Distinguish between retransmit ok and nothing to retransmit.  This makes
sure ikes_retransmit_response events don't also increase the
ikes_msg_rcvd_busy counter.

ok markus@

dtucker [Wed, 21 Sep 2022 22:26:50 +0000 (22:26 +0000)]
Fix typo.  From AlexanderStohr via github PR#343.

claudio [Wed, 21 Sep 2022 21:12:03 +0000 (21:12 +0000)]
The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@

millert [Wed, 21 Sep 2022 15:57:49 +0000 (15:57 +0000)]
tzset: ignore TZ if it contains an absolute path or issetugid().
Reading time zone files from user-controlled paths can result in
pledge(2) or unveil(2) violations.  We also ignore files that contain
a '.' character to avoid paths containing ".." or hidden files.
Work with and OK deraadt@

tb [Wed, 21 Sep 2022 15:24:45 +0000 (15:24 +0000)]
Tweak symbols test in such a way that it would have caught the recent
Symbols.list mistake: undefine aliases (except _cfb block ciphers which
are aliases for historical reasons). Use -Wl,--no-allow-shlib-undefined.

claudio [Wed, 21 Sep 2022 10:39:17 +0000 (10:39 +0000)]
Adjust pathid_assign() to be much faster in the common case.

Use a per peer path_id_tx to assign to paths received from non add-path
enabled peers. This skips two extra walks of the RIB prefix list and is
a big speed-up when there are many regular sessions. If the session uses
add-path recv then the old way of assigning random path_ids needs to be
used.

With input and OK tb@

mpi [Wed, 21 Sep 2022 07:32:59 +0000 (07:32 +0000)]
Revert UVM_VNODE_CANPERSIST removal, it exposes an issue on arm64.

Found the hard way by miod@ and deraadt@.

yasuoka [Wed, 21 Sep 2022 05:55:18 +0000 (05:55 +0000)]
Default request message body size should be 0.

ok claudio

millert [Wed, 21 Sep 2022 01:42:58 +0000 (01:42 +0000)]
Update awk to Sep 12, 2022 version.
Fix undefined behavior and a use-after-free in cat().

bluhm [Tue, 20 Sep 2022 23:00:52 +0000 (23:00 +0000)]
Update libexpat to 2.4.9.  This fixes CVE-2022-40674.  Relevant for
OpenBSD are security fixes #629 #640 and other changes #610 #643.
No library bump necessary.
OK deraadt@

robert [Tue, 20 Sep 2022 14:28:27 +0000 (14:28 +0000)]
Split out handling of cpu family specific MSRs from cpu_init_msrs()
to a separate function that gets called after identifycpu() so that
we have the required information to handle the correct MSRs for each
cpu.

Additionally, move the handling of the DE_CFG_SERIALIZE_LFENCE and
IA32_DEBUG_INTERFACE_LOCK MSRs out of identifycpu() to the new
function so that they get set again after a suspend/resume cycle as
well, which fixes TSC sync failures.

discussed with and input from deraadt@, mlarkin@

jsg [Tue, 20 Sep 2022 12:04:35 +0000 (12:04 +0000)]
drm/amd/amdgpu: skip ucode loading if ucode_size == 0

From Chengming Gui
985a5d3d491d558f785b77cc5b86837bfa408587 in linux 5.15.y/5.15.69
39c84b8e929dbd4f63be7e04bf1a2bcd92b44177 in mainline linux

mvs [Tue, 20 Sep 2022 10:10:11 +0000 (10:10 +0000)]
Remove unused and unimplemented unp_drain().

ok bluhm@

job [Tue, 20 Sep 2022 10:01:51 +0000 (10:01 +0000)]
Fix line length trimming in -f mode

Reported by Christian Weisgerber

OK kn@

claudio [Tue, 20 Sep 2022 08:53:27 +0000 (08:53 +0000)]
Reword comment, no functional change

jsg [Tue, 20 Sep 2022 07:54:27 +0000 (07:54 +0000)]
remove HY_D1_G34R1 enum value and just use HY_D1

HY-D1 C32r1 (0x00100f81) and HY-D1 G34r1 (0x00100f91) have the same
errata and multiple cpuid values can map to a single enum value.

djm [Mon, 19 Sep 2022 21:39:16 +0000 (21:39 +0000)]
add RequiredRSASize to the list of keywords accepted by -o;
spotted by jmc@

millert [Mon, 19 Sep 2022 21:14:38 +0000 (21:14 +0000)]
Remove now-unused connect_wait() function.

tobhe [Mon, 19 Sep 2022 20:54:02 +0000 (20:54 +0000)]
Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

patrick [Mon, 19 Sep 2022 16:12:19 +0000 (16:12 +0000)]
Change OF_getnodebyname() such that looking up a node using just the name
without a unit number (so without the @1234 bit) works as well.

This is a re-commit of the backed out change with the endless loop fixed.

florian [Mon, 19 Sep 2022 15:40:36 +0000 (15:40 +0000)]
Symlink chosen time zone file to /etc/localtime so that we don't need
to use a time zone path that's not relative to /usr/share/zoneinfo.
Hopefully we can limit tzset(3) to only look at zone info files in
/usr/share/zoneinfo, soon.
OK millert, deraadt

florian [Mon, 19 Sep 2022 15:36:20 +0000 (15:36 +0000)]
When setting time, date(1) pledges "wpath" for logwtmp(3). Restrict
this using unveil(2), but ignore errors if /var/log doesn't exist. We
want to be able to set the time if the system is damaged or /var is
not mounted yet.
We also need to unveil everything for reading since we still allow
arbitrary locations of zone info files. Hopefully that will go away
soon.
OK deraadt

jsg [Mon, 19 Sep 2022 12:37:02 +0000 (12:37 +0000)]
adjust notes for linker set change
ok miod@ deraadt@

tb [Mon, 19 Sep 2022 12:25:52 +0000 (12:25 +0000)]
Remove PKCS12_MAKE_{,SH}KEYBAG from Symbols.list

These functions were renamed in the last bump

#define PKCS12_MAKE_KEYBAG      PKCS12_SAFEBAG_create0_p8inf
#define PKCS12_MAKE_SHKEYBAG    PKCS12_SAFEBAG_create_pkcs8_encrypt

They don't appear in the compiled library itself, so no further bump
required.

Fixes libressl-portable/portable#791

Found the hard way by vollkommenheit
ok deraadt jsing

djm [Mon, 19 Sep 2022 10:46:00 +0000 (10:46 +0000)]
use users-groups-by-id@openssh.com sftp-server extension (when
available) to fill in user/group names for directory listings.
Implement a client-side cache of seen uid/gid=>user/group names.
ok markus@

djm [Mon, 19 Sep 2022 10:43:12 +0000 (10:43 +0000)]
sftp client library support for users-groups-by-id@openssh.com;
ok markus@

djm [Mon, 19 Sep 2022 10:41:58 +0000 (10:41 +0000)]
extend sftp-common.c:extend ls_file() to support supplied user/group
names; ok markus@

djm [Mon, 19 Sep 2022 10:40:52 +0000 (10:40 +0000)]
sftp-server(8): add a "users-groups-by-id@openssh.com" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.

Will be used to make directory listings more useful and consistent
in sftp(1).

ok markus@

djm [Mon, 19 Sep 2022 08:49:50 +0000 (08:49 +0000)]
better debugging for connect_next()

jsg [Mon, 19 Sep 2022 04:29:55 +0000 (04:29 +0000)]
update set sizes

gkoehler [Sun, 18 Sep 2022 21:36:41 +0000 (21:36 +0000)]
Define PMU_ADB_CMD and PMU_INT_ACK

Taking these definitions from NetBSD's pm_direct.h; most PMU_*
commands have the same names in the BSDs and Linux.

ok miod@ kettenis@

mglocker [Sun, 18 Sep 2022 21:12:19 +0000 (21:12 +0000)]
Fix a memory leak which was introduced by the previous commit.

The issue was reported by Stephan Somogyi - Thanks!

cheloha [Sun, 18 Sep 2022 20:47:09 +0000 (20:47 +0000)]
timecounting: tc_reset_quality: print notice if active counter changes

Give the user a hint as to what happened if they boot up and the TSC
is not the active counter.

"sure" deraadt@

cheloha [Sun, 18 Sep 2022 20:38:50 +0000 (20:38 +0000)]
tsc: make tsc_report_test_results() less noisy without TSC_DEBUG

By default, just say "tsc: cpu0/cpuN: sync test failed".  If you want
more information you need to recompile with TSC_DEBUG set.

While here, disable TSC_DEBUG.

"sure" deraadt@

mpi [Sun, 18 Sep 2022 14:41:54 +0000 (14:41 +0000)]
Revert previous; it prevents the PinebookPro and the Rockpro64 from reaching userland.

Found by kn@ and myself, ok deraadt@

jsing [Sat, 17 Sep 2022 17:14:06 +0000 (17:14 +0000)]
Allow TLSv1.3 clients to send CCS without middlebox compatibility mode.

While RFC 8446 is clear about what legacy session identifiers can be sent
by a TLSv1.3 client and how middlebox compatibility mode is requested, it
is delightfully vague about the circumstances under which a client is
permitted to send CCS messages. While it does not make sense for a client
to send CCS messages when they are not requesting middlebox compatibility
mode, it is not strictly forbidden by the RFC and at least one (unknown)
TLSv1.3 stack has been observed to do this in the wild.

Revert part of the previous change and allow clients to send CCS messages,
even if they are not requesting middlebox compatibility mode.

Found the hard way by florian@

ok tb@

kn [Sat, 17 Sep 2022 16:03:21 +0000 (16:03 +0000)]
Link to SSL_read_early_data(3)

OK tb

benno [Sat, 17 Sep 2022 12:51:23 +0000 (12:51 +0000)]
bind/connect is now expected to succeed

deraadt [Sat, 17 Sep 2022 12:40:52 +0000 (12:40 +0000)]
bind() to AF_UNIX will now require unveil "w".  "w" may seem a little odd
(and it may seem it should be "r" to get access to the file to collect
the underlying socket, which is fully r/w in a non-file way).  But this
matches the POSIX spec that the file be 'writeable'.  The regress test
and daemons have been updated for this behaviour.
Gap discovered by martijn, long discussions with benno

sthen [Sat, 17 Sep 2022 12:17:52 +0000 (12:17 +0000)]
add some notes on common pytest arguments

jmc [Sat, 17 Sep 2022 11:39:09 +0000 (11:39 +0000)]
tweaks; from jan stary

djm [Sat, 17 Sep 2022 10:34:29 +0000 (10:34 +0000)]
Add RequiredRSASize for sshd(8); RSA keys that fall beneath this limit
will be ignored for user and host-based authentication.

Feedback deraadt@ ok markus@

djm [Sat, 17 Sep 2022 10:33:18 +0000 (10:33 +0000)]
add a RequiredRSASize for checking RSA key length in ssh(1).
User authentication keys that fall beneath this limit will be
ignored. If a host presents a host key beneath this limit then
the connection will be terminated (unfortunately there are no
fallbacks in the protocol for host authentication).

feedback deraadt, Dmitry Belyavskiy; ok markus@

florian [Sat, 17 Sep 2022 10:32:05 +0000 (10:32 +0000)]
Show time zone name and offset in clock border if TZ environment
variable is set. This is useful when running multiple clocks in
different time zones.
From James Russell Stickney (jrs AT outband.net), tweaked by me.
Input & OK kn

djm [Sat, 17 Sep 2022 10:30:45 +0000 (10:30 +0000)]
Add a sshkey_check_rsa_length() call for checking the length of an
RSA key; ok markus@

djm [Sat, 17 Sep 2022 10:11:29 +0000 (10:11 +0000)]
actually hook up restrict_websafe; the command-line flag was
never actually used. Spotted by Matthew Garrett

kn [Sat, 17 Sep 2022 09:30:18 +0000 (09:30 +0000)]
Hook up installboot unconditionally, skip on unsupported archs

The list of not yet tested archs is smaller, so follow bsd.regress.mk(5)
advice and just print SKIPPED on those.

robert [Fri, 16 Sep 2022 16:30:10 +0000 (16:30 +0000)]
move most of the key combination translation code out of ukbd(4)
to hidkbd so that it can be re-used by apldc(4) and aplhidev(4) as well

this also adds support for apple fn key combinations to aplhidev(4)

ok miod@

mbuhl [Fri, 16 Sep 2022 15:57:23 +0000 (15:57 +0000)]
semctl1 and msgctl were introduced for binary compatibility for OpenBSD 3.5.
They are no longer needed.
OK bluhm@

stsp [Fri, 16 Sep 2022 12:08:27 +0000 (12:08 +0000)]
Make mfii(4) recover from firmware FAULT state on startup.

In case firmware initially comes up in FAULT state, reset the device and
give it one more chance to attach successfully. The Linux megaraid_sas
driver applies the same workaround in this case. There seems to be a bug
in some firmware versions which can trigger this behaviour; see mainline
Linux commit 6431f5d7c6025f8b007af06ea090de308f7e6881

Problem observed by me with mfii(4) attached via KVM PCI-passthrough:
mfii0 at pci0 dev 2 function 0 "Symbios Logic MegaRAID SAS2208" rev 0x05: msi
mfii0: firmware fault

With this workaround in place, attachment succeeds and the device works:
mfii0 at pci0 dev 2 function 0 "Symbios Logic MegaRAID SAS2208" rev 0x05: msi
mfii0: firmware fault; attempting full device reset, this can take some time
mfii0: "RAID Ctrl SAS 6G 1GB (D3116C)", firmware 23.29.0-0019, 1024MB cache

Tested for regressions on bare metal by Hrvoje with two different adapters:
mfii0 at pci1 dev 0 function 0 "Symbios Logic MegaRAID SAS3508" rev 0x01: msi
mfii0: "PERC H740P Mini ", firmware 51.16.0-4076, 8192MB cache
mfii0 at pci4 dev 0 function 0 "Symbios Logic MegaRAID SAS2208" rev 0x05: msi
mfii0: "ServeRAID M5110", firmware 23.34.0-0023, 512MB cache

ok jmatthew@