openbsd
2 years agoAdd tests for concurrent closing of a poll/select monitored fd.
visa [Sun, 21 Nov 2021 06:21:01 +0000 (06:21 +0000)]
Add tests for concurrent closing of a poll/select monitored fd.

2 years agoFix whitespace and long lines.
bluhm [Sun, 21 Nov 2021 02:54:56 +0000 (02:54 +0000)]
Fix whitespace and long lines.

2 years agoGather the setup of the initial OpenBSD MBR partition into one
krw [Sat, 20 Nov 2021 21:35:52 +0000 (21:35 +0000)]
Gather the setup of the initial OpenBSD MBR partition into one
location within MBR_init(), ensuring that MBR_init() creates an
OpenBSD MBR partition only when there is space for it.

No functional change.

2 years agoFix some strdup() leaks in ocsp config option.
tobhe [Sat, 20 Nov 2021 20:44:33 +0000 (20:44 +0000)]
Fix some strdup() leaks in ocsp config option.

ok markus@

2 years agosince it's unlikely that i'll get away with changing fortune's real usage to
jmc [Sat, 20 Nov 2021 19:15:55 +0000 (19:15 +0000)]
since it's unlikely that i'll get away with changing fortune's real usage to
the string below (unfortunately), settle for making it more realistic: Usage->usage

  -Usage: fortune -P [] -a [xsz] [Q: [file]] [rKe9] -v6[+] dataspec ... inputdir
  +usage: fortune -P [] -a [xsz] [Q: [file]] [rKe9] -v6[+] dataspec ... inputdir

2 years agoinstall smtpd-filters.7;
jmc [Sat, 20 Nov 2021 19:11:33 +0000 (19:11 +0000)]
install smtpd-filters.7;

cleanup/push from larry hynes;
gilles agreed the page is suitable for installation;

2 years agosort
tb [Sat, 20 Nov 2021 18:39:48 +0000 (18:39 +0000)]
sort

2 years agoNo need for intermediate 'adj' variable. Add 'disksz'
krw [Sat, 20 Nov 2021 18:35:55 +0000 (18:35 +0000)]
No need for intermediate 'adj' variable. Add 'disksz'
intermediate variable to make MBR_init() code clearer and lay
more groundwork for upcoming functional enhancements.

No functional change.

2 years agoProvide the bytestring APIs for libcrypto internal use.
jsing [Sat, 20 Nov 2021 18:10:52 +0000 (18:10 +0000)]
Provide the bytestring APIs for libcrypto internal use.

Bring a copy of the bytestring APIs (CBB/CBS) from libssl, for use in
libcrypto - these are not exposed publicly.

Discussed with beck@ and tb@

2 years agoConvert openssl(1) to using BN_GENCB on the heap
tb [Sat, 20 Nov 2021 18:10:48 +0000 (18:10 +0000)]
Convert openssl(1) to using BN_GENCB on the heap

This is three times the same thing while genrsa needs some extra steps
to deal with opaque BIGNUMs. We can also garbage collect some Win 3.1
contortions and use the conversion routines directly instead of doing
them manually.

ok jsing

2 years agoSend default client identifier when a config file is present but no
florian [Sat, 20 Nov 2021 17:54:40 +0000 (17:54 +0000)]
Send default client identifier when a config file is present but no
client identifier is configured like the man page claims we would do.

Problem found and patch by Joel Knight (knight.joel AT gmail), thanks!

2 years agoSwitch to BIO_up_ref() instead of adjusting references manually.
tb [Sat, 20 Nov 2021 16:36:55 +0000 (16:36 +0000)]
Switch to BIO_up_ref() instead of adjusting references manually.

2 years agoUse BIO_up_ref() instead of adjusting refcounts manually
tb [Sat, 20 Nov 2021 16:32:55 +0000 (16:32 +0000)]
Use BIO_up_ref() instead of adjusting refcounts manually

2 years agotypo in comment
tb [Sat, 20 Nov 2021 15:55:00 +0000 (15:55 +0000)]
typo in comment

2 years agoSectors-per-cylinder (spc) is a constant value, so make it const
krw [Sat, 20 Nov 2021 15:29:45 +0000 (15:29 +0000)]
Sectors-per-cylinder (spc) is a constant value, so make it const
and use it instead of calculating it twice in MBR_init().

No functional change.

2 years agoDocument ASN1_INTEGER_cmp(3) and ASN1_INTEGER_dup(3).
schwarze [Sat, 20 Nov 2021 13:06:26 +0000 (13:06 +0000)]
Document ASN1_INTEGER_cmp(3) and ASN1_INTEGER_dup(3).
While here, also improve the description of ASN1_INTEGER_set(3)
and add a BUGS section explaining that several of these functions
do not provide type safety.

2 years agoImprove the description of ASN1_OCTET_STRING_cmp(3),
schwarze [Sat, 20 Nov 2021 11:49:08 +0000 (11:49 +0000)]
Improve the description of ASN1_OCTET_STRING_cmp(3),
ASN1_OCTET_STRING_dup(3), and ASN1_OCTET_STRING_set(3).
Explicitly say that they do not provide any type safety
and explain what that means.

2 years agoStart on DOWN interfaces
kn [Sat, 20 Nov 2021 11:47:02 +0000 (11:47 +0000)]
Start on DOWN interfaces

Do not skip interfaces during startup because they're not UP.

dhcpd(8) can start listening on such interfaces just fine (given suitable
IPs on them) and interfaces may come UP later in time.

Otherwise dhcpd would fail to start completely if it didn't find any
interface that would be UP early on and administrators had to restart dhcpd.

Other daemons and nc(1)'s `-l' listen just fine on DOWN interfaces as well.

Noticed while switching a bridge(4)/vether(4) setup to veb(4)/vport(4) and
hostname.vport without explicit "up" (vport does not implicitly pulls itself
UP when configuring an address).

OK dlg florian

2 years agoWhen cmdfile is specified, use lines from it for all input, not just
jcs [Sat, 20 Nov 2021 03:13:37 +0000 (03:13 +0000)]
When cmdfile is specified, use lines from it for all input, not just
commands.  This allows complex actions like changing device
parameters to be done with a command file.

2 years agoMake these files compile - not hooked up to build yet.
beck [Sat, 20 Nov 2021 01:10:49 +0000 (01:10 +0000)]
Make these files compile - not hooked up to build yet.

ok jsing@ tb@

2 years agoisakmpd: stop reaching into EVP_PKEY.
tb [Fri, 19 Nov 2021 23:15:59 +0000 (23:15 +0000)]
isakmpd: stop reaching into EVP_PKEY.

Straightforward conversion to the OpenSSL 1.1 API as a step towards
making EVP_PKEY opaque. EVP_PKEY_get0_RSA() can't fail if we know
that the pkey type is RSA.

ok sthen

2 years agoCheck stdrup() return value.
tobhe [Fri, 19 Nov 2021 21:16:25 +0000 (21:16 +0000)]
Check stdrup() return value.

2 years agolibssl: don't reach for pkey->save_type.
tb [Fri, 19 Nov 2021 18:53:10 +0000 (18:53 +0000)]
libssl: don't reach for pkey->save_type.

For some strange historical reason ECDSA_sign() and ECDSA_verify}() have
a type argument that they ignore. For another strange historical reason,
the type passed to them from libssl is pkey->save_type, which is used to
avoid expensive engine lookups when setting the pkey type... Whatever the
aforementioned reasons were, we can't access pkey->save_type with the
OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque.
Simply pass in 0 instead.

ok jsing

2 years agosync
deraadt [Fri, 19 Nov 2021 18:11:35 +0000 (18:11 +0000)]
sync

2 years agoMark the X509_VERIFY_PARAM_ID variable type as intentionally
schwarze [Fri, 19 Nov 2021 17:42:22 +0000 (17:42 +0000)]
Mark the X509_VERIFY_PARAM_ID variable type as intentionally
undocumented.  It is an opaque struct used only internally, as a
sub-object of the public X509_VERIFY_PARAM type.  All related API
functions take X509_VERIFY_PARAM arguments, so X509_VERIFY_PARAM_ID
is of no interest to the user.

2 years agoMake function prototype parsing a bit stricter,
schwarze [Fri, 19 Nov 2021 17:29:17 +0000 (17:29 +0000)]
Make function prototype parsing a bit stricter,
reducing the risk of accidental misparsing:

Require whitespace after the function return type (before the
asterisk indicating that the function returns a pointer, if any)
and do not accept whitespace between the function name and the
opening parenthesis of the parameter list.  These changes are not
a problem because we want that style for KNF reasons anyway.

2 years agoAdd and enable the new 'undgram_conclose' test which tries to kill the
mvs [Fri, 19 Nov 2021 17:14:38 +0000 (17:14 +0000)]
Add and enable the new 'undgram_conclose' test which tries to kill the
datagram socket connected to the dying socket while it cleaning it's
list of connected sockets. Incorrect handling of this case could produce
kernel crash.

ok bluhm@

2 years agoAdd and enable new 'unsendrecvthr' test which performs multithreaded
mvs [Fri, 19 Nov 2021 17:07:10 +0000 (17:07 +0000)]
Add and enable new 'unsendrecvthr' test which performs multithreaded
writes on unix(4) sockets. The receiver should be sure no data corruption
or loss.

ok bluhm@

2 years agoSync to unbound to allow interface names as scope-id in IPv6
florian [Fri, 19 Nov 2021 16:49:32 +0000 (16:49 +0000)]
Sync to unbound to allow interface names as scope-id in IPv6
link-local addresses. With this dns proposals from slaacd with
link-local addresses from slaacd(8) are wroking.

Requested by & OK kn

2 years agoAllow interface names as scope-id in IPv6 link-local addresses.
florian [Fri, 19 Nov 2021 16:42:01 +0000 (16:42 +0000)]
Allow interface names as scope-id in IPv6 link-local addresses.

For example, this makes
    forward-zone:
        name: "."
        forward-addr: fe80::20d:b9ff:fe46:c7f4%vio0
        forward-first: yes

work instead of using fe80::20d:b9ff:fe46:c7f4%1 for the forward-addr.

This has been submitted upstream.
sthen@ is fine with carrying this as a local diff.

Requested by & OK kn

2 years agominor KNF improvement, changing only whitespace, no code change:
schwarze [Fri, 19 Nov 2021 16:35:10 +0000 (16:35 +0000)]
minor KNF improvement, changing only whitespace, no code change:
say: return_type *function_name(args);
not: return_type* function_name (args);
OK tb@

2 years agonew manual page ASN1_BIT_STRING_num_asc(3)
schwarze [Fri, 19 Nov 2021 16:00:54 +0000 (16:00 +0000)]
new manual page ASN1_BIT_STRING_num_asc(3)
documenting the three functions using the BIT_STRING_BITNAME structure

2 years agoMake futexes work in shared anonymous memory.
kettenis [Fri, 19 Nov 2021 15:58:36 +0000 (15:58 +0000)]
Make futexes work in shared anonymous memory.

ok mpi@

2 years agoadd two missing .Dv macros;
schwarze [Fri, 19 Nov 2021 15:50:46 +0000 (15:50 +0000)]
add two missing .Dv macros;
markup bug found with regress/lib/libcrypto/man/check_complete.pl

2 years agoFix monitor mode on iwm(4) and iwx(4).
stsp [Fri, 19 Nov 2021 13:05:19 +0000 (13:05 +0000)]
Fix monitor mode on iwm(4) and iwx(4).

Set sc->ns_nstate when bypassing the driver's newstate handler while
bringing the interface down.
Otherwise, if the interface was already running, the INIT->RUN transition
which kicks off monitor mode will appear as a RUN->RUN transition to the
driver's newstate handler, and the handler will do nothing.
Monitor mode did not work as a result.

2 years agoMake the public API function a2i_ASN1_STRING(3) actually work.
schwarze [Fri, 19 Nov 2021 09:58:41 +0000 (09:58 +0000)]
Make the public API function a2i_ASN1_STRING(3) actually work.
It contained two bugs:

1. If an input line ended in a backslash requesting line continuation,
there was duplicate code for removing that backslash, erroneously
removing another byte from the input and often causing the function
to return failure instead of correctly parsing valid input.

2. According to a comment in the source code, the former big "for"
loop was intended to "clear all the crap off the end of the line",
but actually, if there were multiple characters on the line that
were not hexadecimal digits, only the last of those and everything
following it was deleted, while all the earlier ones remained.
Besides, code further down clearly intends to error out when there
are invalid characters, which makes no sense if earlier code already
deletes such characters.  Hence the comment did not only contradict
the code above it - but contradicted the code below it, too.

Resolve these contradiction in favour of stricter parsing:
No longer skip invalid characters but always error out
when any are found.

OK & "Unbelievable" tb@

2 years agoFix typo
job [Fri, 19 Nov 2021 09:47:30 +0000 (09:47 +0000)]
Fix typo

2 years agoVery quick and dirty script to help me check that the symbols
schwarze [Fri, 19 Nov 2021 09:15:35 +0000 (09:15 +0000)]
Very quick and dirty script to help me check that the symbols
in one of the public openssl/ header files are all documented.
Before attempting to read this code, make sure that you are
fully vaccinated against leaning toothpick syndrome.

Example usage:
./check_complete.pl x509_vfy
./check_complete.pl -v x509 | less

Intentionally not linked to the build.

jsing@ agrees with the general direction.

2 years agowhitespace tweaks. no functional change.
dlg [Fri, 19 Nov 2021 07:58:34 +0000 (07:58 +0000)]
whitespace tweaks. no functional change.

a lot more knf could be sprinkled in this file...

2 years agolet CH340 chips keep working in 8N1 mode.
dlg [Fri, 19 Nov 2021 07:56:53 +0000 (07:56 +0000)]
let CH340 chips keep working in 8N1 mode.

they get confused if you try to configure them and don't work at
all otherwise. CH341 seems fine otherwise.

from miod
tested by me and Felix Kronlage-Dam

2 years agoAs long as X509_OBJECT_free_contents(3) is a public API function,
schwarze [Fri, 19 Nov 2021 07:49:27 +0000 (07:49 +0000)]
As long as X509_OBJECT_free_contents(3) is a public API function,
make sure it fully re-initializes the object rather than leaving
behind a stale pointer and a stale type in the object.

The old behaviour was dangerous because X509_OBJECT_get_type(3)
would then return the stale type to the user and one of
X509_OBJECT_get0_X509(3) or X509_OBJECT_get0_X509_CRL(3) would
then return the stale pointer to the user, provoking a use-after-free
bug in the application program.  Having these functions return
X509_LU_NONE and NULL is better because those are the documented
return values for these functions when the object is empty.

OK tb@

2 years agoCorrect the CPUID() and CPUID_LEAF() macros to not include a trailing
guenther [Fri, 19 Nov 2021 04:00:53 +0000 (04:00 +0000)]
Correct the CPUID() and CPUID_LEAF() macros to not include a trailing
semicolon

ok deraadt@

2 years agodrm/plane-helper: fix uninitialized variable reference
jsg [Fri, 19 Nov 2021 03:22:29 +0000 (03:22 +0000)]
drm/plane-helper: fix uninitialized variable reference

From Alex Xu
2e548581fe5b48730d814916bd6bb8f8d8b5375a in linux 5.10.y/5.10.80
7be28bd73f23e53d6e7f5fe891ba9503fc0c7210 in mainline linux

2 years agodrm/amdgpu/gmc6: fix DMA mask from 44 to 40 bits
jsg [Fri, 19 Nov 2021 03:19:13 +0000 (03:19 +0000)]
drm/amdgpu/gmc6: fix DMA mask from 44 to 40 bits

From Alex Deucher
ae1f588ca1b0c9e2f82c14479e408759a786f701 in linux 5.10.y/5.10.80
403475be6d8b122c3e6b8a47e075926d7299e5ef in mainline linux

2 years agodrm/amdgpu: fix warning for overflow check
jsg [Fri, 19 Nov 2021 03:17:33 +0000 (03:17 +0000)]
drm/amdgpu: fix warning for overflow check

From Arnd Bergmann
375150b3aaf8cf7d01f6f0b582e264dd2fded814 in linux 5.10.y/5.10.80
335aea75b0d95518951cad7c4c676e6f1c02c150 in mainline linux

2 years agodrm/ttm: stop calling tt_swapin in vm_access
jsg [Fri, 19 Nov 2021 03:12:48 +0000 (03:12 +0000)]
drm/ttm: stop calling tt_swapin in vm_access

From Matthew Auld
cbbf816cb7f9a84696b1f6277fee85c67a1c590c in linux 5.10.y/5.10.80
f5d28856b89baab4232a9f841e565763fcebcdf9 in mainline linux

2 years agodrm/amd/display: dcn20_resource_construct reduce scope of FPU enabled
jsg [Fri, 19 Nov 2021 03:10:49 +0000 (03:10 +0000)]
drm/amd/display: dcn20_resource_construct reduce scope of FPU enabled

From Anson Jacob
6f038b1a941e87886f6bbced0a65aea343a9859e in linux 5.10.y/5.10.80
bc39a69a2ac484e6575a958567c162ef56c9f278 in mainline linux

2 years agodrm/amdkfd: fix resume error when iommu disabled in Picasso
jsg [Fri, 19 Nov 2021 03:08:23 +0000 (03:08 +0000)]
drm/amdkfd: fix resume error when iommu disabled in Picasso

From Yifan Zhang
832fad367cac9ca075a1aff92e21dc77ea308e96 in linux 5.10.y/5.10.80
6f4b590aae217da16cfa44039a2abcfb209137ab in mainline linux

2 years agodrm/amdgpu: Fix MMIO access page fault
jsg [Fri, 19 Nov 2021 03:06:01 +0000 (03:06 +0000)]
drm/amdgpu: Fix MMIO access page fault

From Andrey Grodzovsky
2114f80889d89f96e65e0f8a74bd0ecf10b658f5 in linux 5.10.y/5.10.80
c03509cbc01559549700e14c4a6239f2572ab4ba in mainline linux

2 years agodrm/panel-orientation-quirks: add Valve Steam Deck
jsg [Fri, 19 Nov 2021 03:03:57 +0000 (03:03 +0000)]
drm/panel-orientation-quirks: add Valve Steam Deck

From Simon Ser
7987f31e54a2a453c54bdc516fe7a48035fddf03 in linux 5.10.y/5.10.80
9eeb7b4e40bfd69d8aaa920c7e9df751c9e11dce in mainline linux

2 years agodrm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book 10.6
jsg [Fri, 19 Nov 2021 03:01:48 +0000 (03:01 +0000)]
drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book 10.6

From Hans de Goede
509ae4a4f0745bff108723e5d9a61b1113ea89fe in linux 5.10.y/5.10.80
88fa1fde918951c175ae5ea0f31efc4bb1736ab9 in mainline linux

2 years agodrm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1
jsg [Fri, 19 Nov 2021 02:59:07 +0000 (02:59 +0000)]
drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1

From Hans de Goede
62b90d7eeb6deb0124dcfe1b12f41c1524d26352 in linux 5.10.y/5.10.80
a53f1dd3ab9fec715c6c2e8e01bf4d3c07eef8e5 in mainline linux

2 years agodrm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2)
jsg [Fri, 19 Nov 2021 02:56:07 +0000 (02:56 +0000)]
drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2)

From Hans de Goede
780fff2c75f096f3bc46855b105b83b4cec5cba7 in linux 5.10.y/5.10.80
820a2ab23d5eab4ccfb82581eda8ad4acf18458f in mainline linux

2 years agodrm: panel-orientation-quirks: Add quirk for GPD Win3
jsg [Fri, 19 Nov 2021 02:53:39 +0000 (02:53 +0000)]
drm: panel-orientation-quirks: Add quirk for GPD Win3

From Mario Risoldi
7d1fb5c12cc0c88159ebf946385141ed3019f009 in linux 5.10.y/5.10.80
61b1d445f3bfe4c3ba4335ceeb7e8ba688fd31e2 in mainline linux

2 years agodrm: panel-orientation-quirks: Add quirk for Aya Neo 2021
jsg [Fri, 19 Nov 2021 02:51:05 +0000 (02:51 +0000)]
drm: panel-orientation-quirks: Add quirk for Aya Neo 2021

From Bryant Mairs
bc3e73ebb79b01abc121703669c65f54f0023cfe in linux 5.10.y/5.10.80
def0c3697287f6e85d5ac68b21302966c95474f9 in mainline linux

2 years agoiked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
tb [Thu, 18 Nov 2021 22:59:03 +0000 (22:59 +0000)]
iked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
with an unconditional EVP_CIPHER_CTX_free().

ok tobhe

2 years agoCheck if encoding works in dsa_init(). This avoids calling fatal()
tobhe [Thu, 18 Nov 2021 22:42:02 +0000 (22:42 +0000)]
Check if encoding works in dsa_init(). This avoids calling fatal()
in dsa_length() or dsa_prefix() when the selected encoding is invalid.

ok markus@

2 years agosha512test: replace EVP_MD_CTX_{cleanup,init} pair with EVP_MD_CTX_reset
tb [Thu, 18 Nov 2021 21:37:57 +0000 (21:37 +0000)]
sha512test: replace EVP_MD_CTX_{cleanup,init} pair with EVP_MD_CTX_reset

2 years agoless confusing debug message; bz#3365
djm [Thu, 18 Nov 2021 21:32:11 +0000 (21:32 +0000)]
less confusing debug message; bz#3365

2 years agogost: missed one cleanup
tb [Thu, 18 Nov 2021 21:26:54 +0000 (21:26 +0000)]
gost: missed one cleanup

2 years agosha256test: EVP_MD_CTX_cleanup -> EVP_MD_CTX_reset
tb [Thu, 18 Nov 2021 21:25:01 +0000 (21:25 +0000)]
sha256test: EVP_MD_CTX_cleanup -> EVP_MD_CTX_reset

2 years agogost2814789t: EVP_MD_CTX_cleanup -> EVP_MD_CTX_reset
tb [Thu, 18 Nov 2021 21:22:41 +0000 (21:22 +0000)]
gost2814789t: EVP_MD_CTX_cleanup -> EVP_MD_CTX_reset

2 years agoevptest: no need to call EVP_MD_CTX_cleanup() before EVP_MD_CTX_free()
tb [Thu, 18 Nov 2021 21:18:28 +0000 (21:18 +0000)]
evptest: no need to call EVP_MD_CTX_cleanup() before EVP_MD_CTX_free()

2 years agoavoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this
djm [Thu, 18 Nov 2021 21:11:01 +0000 (21:11 +0000)]
avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this
for RSA keys). Avoids fatal errors for PKCS#11 libraries that return
empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364

2 years agoUse HMAC_CTX_reset() instead of HMAC_CTX_cleanup() + HMAC_CTX_init()
tb [Thu, 18 Nov 2021 20:11:55 +0000 (20:11 +0000)]
Use HMAC_CTX_reset() instead of HMAC_CTX_cleanup() + HMAC_CTX_init()

2 years agoAdd semicolon that will become non-optional once BN_GENCB_set() will
tb [Thu, 18 Nov 2021 18:05:27 +0000 (18:05 +0000)]
Add semicolon that will become non-optional once BN_GENCB_set() will
move from an awful macro to a proper function.

2 years agotypo in comment
tb [Thu, 18 Nov 2021 18:01:08 +0000 (18:01 +0000)]
typo in comment

2 years agoacme-client: use EVP_PKEY_base_id()
tb [Thu, 18 Nov 2021 17:26:43 +0000 (17:26 +0000)]
acme-client: use EVP_PKEY_base_id()

In an upcoming libcrypto bump, EVP_PKEY will become opaque. In order to
stop reaching inside EVP_PKEY, we must replace EVP_PKEY_type(pkey->type)
with the equivalent EVP_PKEY_base_Id(pkey) in various places.

ok florian

2 years agovndsetcred: don't a reference to credentials in error path.
tb [Thu, 18 Nov 2021 16:57:59 +0000 (16:57 +0000)]
vndsetcred: don't a reference to credentials in error path.

ok deraadt

2 years agoFix ssltest to work with opaque EVP_PKEY.
tb [Thu, 18 Nov 2021 16:45:28 +0000 (16:45 +0000)]
Fix ssltest to work with opaque EVP_PKEY.

2 years agoPrevent future internal use of ASN1_CTX and ASN1_const_CTX by wrapping
tb [Thu, 18 Nov 2021 16:00:15 +0000 (16:00 +0000)]
Prevent future internal use of ASN1_CTX and ASN1_const_CTX by wrapping
them inside #ifndef LIBRESSL_INTERNAL.

suggested by jsing

2 years agoRemove the last pointless use of ASN1_const_CTX. Both ASN1_CTX and
tb [Thu, 18 Nov 2021 15:58:31 +0000 (15:58 +0000)]
Remove the last pointless use of ASN1_const_CTX. Both ASN1_CTX and
ASN1_const_CTX are now unused and will be garbage collected in the
next libcrypto bump.

ok jsing

2 years agosha*test: convert these tests to work with opaque EVP_MD_CTX.
tb [Thu, 18 Nov 2021 15:23:24 +0000 (15:23 +0000)]
sha*test: convert these tests to work with opaque EVP_MD_CTX.

2 years agozap trailing whitespace
tb [Thu, 18 Nov 2021 15:20:33 +0000 (15:20 +0000)]
zap trailing whitespace

2 years agohmactest: convert to opaque HMAC_CTX.
tb [Thu, 18 Nov 2021 15:20:02 +0000 (15:20 +0000)]
hmactest: convert to opaque HMAC_CTX.

2 years agogost2814789t: convert to opaque EVP_{MD,CIPHER}_CTX.
tb [Thu, 18 Nov 2021 15:18:25 +0000 (15:18 +0000)]
gost2814789t: convert to opaque EVP_{MD,CIPHER}_CTX.

2 years agoexptest: convert to opaque BN; minor KNF tweaks.
tb [Thu, 18 Nov 2021 15:17:31 +0000 (15:17 +0000)]
exptest: convert to opaque BN; minor KNF tweaks.

2 years agoevptest: fix compilation with opaque EVP_{CIPHER,MD}_CTX. Uses a
tb [Thu, 18 Nov 2021 15:15:31 +0000 (15:15 +0000)]
evptest: fix compilation with opaque EVP_{CIPHER,MD}_CTX. Uses a
workaround for excessive malloc inspired by mariadb (just kidding).

2 years agoecdsatest: make this test compile with opaque EVP_MD_CTX.
tb [Thu, 18 Nov 2021 15:12:59 +0000 (15:12 +0000)]
ecdsatest: make this test compile with opaque EVP_MD_CTX.

2 years agodsatest: make this work with opaque BN. Some more fixes will be needed
tb [Thu, 18 Nov 2021 15:11:17 +0000 (15:11 +0000)]
dsatest: make this work with opaque BN. Some more fixes will be needed
for opaque DSA. I'll deal with that later. I also lobbed a KNF grenade
in here.

2 years agodhtest: fix this to work with opaque BN. This will need more fixes to
tb [Thu, 18 Nov 2021 15:07:28 +0000 (15:07 +0000)]
dhtest: fix this to work with opaque BN. This will need more fixes to
work with opaque DH, but one step at a time. While here, add a bunch of
missing spaces to reduce the eyebleed.

2 years agobntest: Fix all but one test in this file to work with opaque BN.
tb [Thu, 18 Nov 2021 14:59:44 +0000 (14:59 +0000)]
bntest: Fix all but one test in this file to work with opaque BN.
The remaining test needs some thinking (or disabling once we flip
the switch). It is currently marked with an XXX.

2 years agoRemove X11 blt and bltone regress tests. They fail with the current
bluhm [Thu, 18 Nov 2021 14:55:38 +0000 (14:55 +0000)]
Remove X11 blt and bltone regress tests.  They fail with the current
X server and have been unlinked from the build.  Converting the
tests from libfb to libwfb could be possible, but nobody is working
on that.
OK matthieu@ kettenis@

2 years agoprinting udpencap_port in ddb requires ntohs not ntohl. use better format
sthen [Thu, 18 Nov 2021 11:04:10 +0000 (11:04 +0000)]
printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@

2 years agoIn x509_vfy.h rev. 1.35 and x509_lu.c rev. 1.34, tb@ provided
schwarze [Thu, 18 Nov 2021 10:09:24 +0000 (10:09 +0000)]
In x509_vfy.h rev. 1.35 and x509_lu.c rev. 1.34, tb@ provided
X509_OBJECT_new(3) and X509_OBJECT_free(3); document them.

While here, stop talking about storing storing EVP_PKEY objects
and plain C strings in X509_OBJECT objects.  LibreSSL never fully
supported that, and it certainly no longer supports that now.

2 years agoMove example from "goo" to @tag.
ajacoutot [Thu, 18 Nov 2021 09:51:30 +0000 (09:51 +0000)]
Move example from "goo" to @tag.

2 years agoregression test for ssh-keygen -Y find-principals fix;
djm [Thu, 18 Nov 2021 03:53:48 +0000 (03:53 +0000)]
regression test for ssh-keygen -Y find-principals fix;
from Fabian Stelzer ok djm markus

2 years agossh-keygen -Y find-principals was verifying key validity when using
djm [Thu, 18 Nov 2021 03:50:41 +0000 (03:50 +0000)]
ssh-keygen -Y find-principals was verifying key validity when using
ca certs but not with simple key lifetimes within the allowed
signers file.

Since it returns the first keys principal it finds this could
result in a principal with an expired key even though a valid
one is just below.

patch from Fabian Stelzer; feedback/ok djm markus

2 years agocheck for POLLHUP wherever we check for POLLIN
djm [Thu, 18 Nov 2021 03:31:44 +0000 (03:31 +0000)]
check for POLLHUP wherever we check for POLLIN

2 years agofd leak in sshd listen loop error path; from Gleb Smirnoff
djm [Thu, 18 Nov 2021 03:07:59 +0000 (03:07 +0000)]
fd leak in sshd listen loop error path; from Gleb Smirnoff

2 years agocheck for POLLHUP as well as POLLIN in sshd listen loop;
djm [Thu, 18 Nov 2021 03:07:20 +0000 (03:07 +0000)]
check for POLLHUP as well as POLLIN in sshd listen loop;
ok deraadt millert

2 years agocheck for POLLHUP as well as POLLIN, handle transient IO errors as well
djm [Thu, 18 Nov 2021 03:06:03 +0000 (03:06 +0000)]
check for POLLHUP as well as POLLIN, handle transient IO errors as well
as half-close on the output side; ok deraadt millert

2 years agosync
deraadt [Thu, 18 Nov 2021 01:31:02 +0000 (01:31 +0000)]
sync

2 years agouniq(1): ignore trailing newlines when comparing lines
cheloha [Wed, 17 Nov 2021 23:09:38 +0000 (23:09 +0000)]
uniq(1): ignore trailing newlines when comparing lines

POSIX.1-2008 tweaked the uniq definition in light of AGI 1003.1-2001
#133.  uniq must now *ignore* the trailing newline when comparing
lines from the input.

In practice this means that if the last line in the input is missing a
trailing newline it isn't necessarily different from the line
preceding it.

So, uniq(1) now stubs the trailing newline before doing any line
comparisons.

For sake of simplicity, this patch introduces a second change: if the
last line in the input is missing a trailing newline and we choose to
print the line, a newline is appended when we print it.

Adopting the newline change aligns our implementation with with
POSIX.1-2008 (which we already claim in the manpage).  Adopting both
changes aligns our behavior with that of FreeBSD and GNU uniq.  For
better or worse, OpenBSD's uniq no longer behaves like NetBSD's uniq
in this corner case.

References:

POSIX.1-2001 uniq:
https://pubs.opengroup.org/onlinepubs/009695399/utilities/uniq.html

Austin Group Interpretation 1003.1-2001 #133:
https://collaboration.opengroup.org/austin/interps/documents/14355/AI-133.txt

POSIX.1-2008 uniq:
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/uniq.html

--

Discussed with millert@.  With input from schwarze@.  Positive feedback
from bcallah@.

Thread: https://marc.info/?l=openbsd-tech&m=163581613829524&w=2

ok millert@

2 years agoWhen unp_connect() releases both solock() and vnode(9) locks the socket we
mvs [Wed, 17 Nov 2021 22:56:19 +0000 (22:56 +0000)]
When unp_connect() releases both solock() and vnode(9) locks the socket we
were connected could be closed by concurrent thread. Check connection
state and return ECONNREFUSED if the connection was lost.

ok bluhm@

2 years agoset num_listen_socks to 0 on close-all instead of -1, which
djm [Wed, 17 Nov 2021 21:06:39 +0000 (21:06 +0000)]
set num_listen_socks to 0 on close-all instead of -1, which
interferes with the new poll()-based listen loop; spotted and
debugged by anton@+deraadt@

2 years agoDisplay DNS information from sppp(4) in ifconfig(8)
bket [Wed, 17 Nov 2021 18:00:24 +0000 (18:00 +0000)]
Display DNS information from sppp(4) in ifconfig(8)

Behaviour is similar to that of umb(4).

OK kn@

2 years agoIn x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided
schwarze [Wed, 17 Nov 2021 16:08:32 +0000 (16:08 +0000)]
In x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided
X509_STORE_CTX_set_verify(3) and X509_STORE_CTX_get_verify(3).
Document them.

In the next bump, tb@ will also provide X509_STORE_CTX_verify_fn(3)
and X509_STORE_set_verify(3) and restore X509_STORE_set_verify_func(3)
to working order.  For efficiency of documentation work, already
document those three, too, but keep the text temporariy .if'ed out
until they become available.

Delete X509_STORE_set_verify_func(3) from X509_STORE_set_verify_cb_func(3)
because it was misplaced in that page: it is not related to the
verification callback.

tb@ agrees with the general direction.

2 years agoDisable active scanning on iwm(4) 9260 and 9560.
stsp [Wed, 17 Nov 2021 15:15:32 +0000 (15:15 +0000)]
Disable active scanning on iwm(4) 9260 and 9560.

For some reason, if we send a scan command that actively scans for a
particular SSID with probe requests, the device will occasionally lock
up after associating to the AP, with no interrupts, totally dead.
The symptom of this is an interface that shows as "active" in ifconfig
but does not receive or transmit any packets.

Observed by kmos@ for some time already, and myself while testing new
Intel wifi firmware versions on iwm(4) 9560.

This problem was also observed on AX200 by me with old firmware. We had
the same workaround in place for iwx(4) for some time, until we upgraded
that driver to use newer firmware which uses a different scan command.

Workaround tested by kmos@ and myself.

2 years agoClarify BUGS wrt. reserving memory for the hypervisor
kn [Wed, 17 Nov 2021 15:13:36 +0000 (15:13 +0000)]
Clarify BUGS wrt. reserving memory for the hypervisor

The previous wording might be understood as "leave memory unused in the
primary domain", which is precisely what causes the hypervisor to reject
the configuration since ldomctl(8) would implicitly allocate all remaining
memory for the primary domain.

Make sure that primary domain memory should be assigned explicitly so the
total amount of allocated memory is less than physically available, i.e.
the hypervisor will have even more memory available and configurations can
boot again.

OK stsp