jsg [Sat, 18 Apr 2015 09:27:54 +0000 (09:27 +0000)]
Regis Leroy reported that httpd does not strictly accept CRLF for
newlines which could lead to http response splitting/smuggling
if a badly behaved proxy is in front of httpd.
Switch from evbuffer_readline() to evbuffer_readln() with
EVBUFFER_EOL_CRLF_STRICT to avoid this.
ok florian@
guenther [Sat, 18 Apr 2015 05:14:05 +0000 (05:14 +0000)]
i386 and amd64 have only one syscall entry point now, so simply the
EIP/RIP adjustment for ERESTART
ok mlarkin@
guenther [Sat, 18 Apr 2015 03:15:46 +0000 (03:15 +0000)]
Use futimens() to preserve timestamps with subsec precision.
Don't cast file sizes to size_t when comparing file contents for the -C option
ok deraadt@
deraadt [Fri, 17 Apr 2015 17:20:41 +0000 (17:20 +0000)]
Use getint() instead of intval() for parsing the columns variable,
allowing the addition of more accurate bounds and garbage checks.
ok millert
deraadt [Fri, 17 Apr 2015 16:47:47 +0000 (16:47 +0000)]
FALLTHROUGH in getopt is incorrect. While here use strtonum
to parse tz_minuteswest.
ok millert
bluhm [Fri, 17 Apr 2015 16:42:50 +0000 (16:42 +0000)]
On Ethernet packets have a minimal length, so very short packets
get padding appended to them. This padding is not stripped off in
ip6_input() (due to support for IPv6 Jumbograms, RFC2675). That
means PF needs to be careful when reassembling fragmented packets
to not include the padding in the reassembled packet.
from FreeBSD; via Kristof Provost; OK henning@
djm [Fri, 17 Apr 2015 13:32:09 +0000 (13:32 +0000)]
s/recommended/required/ that private keys be og-r
this wording change was made a while ago but got accidentally reverted
djm [Fri, 17 Apr 2015 13:25:52 +0000 (13:25 +0000)]
don't try to cleanup NULL KEX proposals in kex_prop_free();
found by Jukka Taimisto and Markus Hietava
djm [Fri, 17 Apr 2015 13:19:22 +0000 (13:19 +0000)]
use error/logit/fatal instead of fprintf(stderr, ...) and exit(0),
fix a few errors that were being printed to stdout instead of stderr
and a few non-errors that were going to stderr instead of stdout
bz#2325; ok dtucker
djm [Fri, 17 Apr 2015 13:16:48 +0000 (13:16 +0000)]
debug log missing DISPLAY environment when X11 forwarding
requested; bz#1682 ok dtucker@
dlg [Fri, 17 Apr 2015 12:38:54 +0000 (12:38 +0000)]
while trying to reproduce lockups on mp alpha i hit an
MUTEX_ASSERT_UNLOCKED, but it turns out alpha mutexes arent very
friendly to diagnostics on smp systems.
alpha mutexes contained an mtx_lock member. when 0 the mutex was
unlocked, and when 1 it was locked. the MUTEX_ASSERT_UNLOCKED checked
if mtx_lock was 1 to see if the current cpu owned the mutex, but
in an mp system another cpu may have set mtx_lock to 1, which causes
the assert to fire.
this changes alpha mutexes so they record which cpu owns the lock
rather than just if the lock is held or not. the diagnostics compare
the owner to the current cpus curcpu() address so they can actually
tell if the current cpu holds the lock instead of whether any cpu
holds the lock.
instead of using custom asm to implement a cas this uses atomic_cas_ptr,
which on alpha uses gcc cas code. miod says he has far more confidence
in the gcc cas than the code that was there before.
while im here i also shuffled the code. on MULTIPROCESSOR systems
instead of duplicating code between mtx_enter and mtx_enter_try,
mtx_enter simply loops on mtx_enter_try until it succeeds.
this also provides an alternative implementation of mutexes on
!MULTIPROCESSOR systems that avoids interlocking opcodes. mutexes
wont contend on UP boxes, theyre basically wrappers around spls.
we can just do the splraise, stash the owner as a guard value for
DIAGNOSTIC and return. similarly, mtx_enter_try on UP will never
fail, so we can just call mtx_enter and return 1.
ok miod@
mikeb [Fri, 17 Apr 2015 11:06:39 +0000 (11:06 +0000)]
IPSEC_IN_CRYPTO_DONE and OUT_CRYPTO_NEEDED are gone
mikeb [Fri, 17 Apr 2015 11:04:01 +0000 (11:04 +0000)]
Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer
mikeb [Fri, 17 Apr 2015 10:08:07 +0000 (10:08 +0000)]
Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs; OK markus, hshoexer
mikeb [Fri, 17 Apr 2015 10:04:37 +0000 (10:04 +0000)]
Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer
mpi [Fri, 17 Apr 2015 08:20:24 +0000 (08:20 +0000)]
Remove superflous "::1" route, test currently failing but a fix is
in its way.
mpi [Fri, 17 Apr 2015 08:19:27 +0000 (08:19 +0000)]
Local routes should be present in the routing table output.
phessler [Fri, 17 Apr 2015 07:51:09 +0000 (07:51 +0000)]
parse_prefix in parse.c got changed but the declaration in bgpctl.c
wasn't updated, so we would crash when doing `bgpctl net bulk` commands.
Fix by moving parse_prefix into a header, since we use it in more than
one file.
crash found by henning@
underlying problem found by blambert@
OK sthen@ deraadt@ claudio@ henning@
mpi [Fri, 17 Apr 2015 07:46:10 +0000 (07:46 +0000)]
Match -current output. Every configured address should have a local route
and remove redundant loopback cloning route.
Note that tests using IPv6 still contain two routes to "::1" this should
cause no harm but is being investigated.
mpi [Fri, 17 Apr 2015 07:17:51 +0000 (07:17 +0000)]
Crank the timeout and decrease the buffer size to not end up dropping
all the entropy provided by the device.
Also make sure we match the right endpoint.
From Sean Levy based on comments from Andreas Gustafsson who's behind
Alea.
guenther [Fri, 17 Apr 2015 06:33:30 +0000 (06:33 +0000)]
oops, started expecting sockoptlevelname() to handle two arguments
but never actually did so. Fix that so that we stop losing the
second argument to {get,set}sockopt(). Handling of levels other than
SOL_SOCKET could be improved.
guenther [Fri, 17 Apr 2015 06:14:36 +0000 (06:14 +0000)]
The first argument to socket/socketpair is an address family, not a protocol
family. (sysctl(3) is practically the only place where PF_* is correct)
guenther [Fri, 17 Apr 2015 04:43:20 +0000 (04:43 +0000)]
Tweaks utimensat/futimens handling to always update ctime, even when both
atime and mtime are UTIME_OMIT (at least for ufs, tmpfs, and ext2fs), and
to correctly handle a timestamp of -1.
ok millert@
djm [Fri, 17 Apr 2015 04:32:31 +0000 (04:32 +0000)]
don't call record_login() in monitor when UseLogin is enabled;
bz#278 reported by drk AT sgi.com; ok dtucker
dtucker [Fri, 17 Apr 2015 04:12:35 +0000 (04:12 +0000)]
Add some missing options to sshd -T and fix the output of VersionAddendum
HostCertificate. bz#2346, patch from jjelen at redhat com, ok djm.
jsg [Fri, 17 Apr 2015 00:54:41 +0000 (00:54 +0000)]
Make drm ioctls table driven. Further reduces the diff to linux.
ok kettenis@
dtucker [Thu, 16 Apr 2015 23:25:50 +0000 (23:25 +0000)]
Document "none" for PidFile XAuthLocation TrustedUserCAKeys and RevokedKeys.
bz#2382, feedback from jmc@, ok djm@
schwarze [Thu, 16 Apr 2015 20:21:08 +0000 (20:21 +0000)]
Restore the page headers and page footers that accidentally got lost
in rev. 1.225. Regression reported by florian@.
jmc [Thu, 16 Apr 2015 20:01:39 +0000 (20:01 +0000)]
firmware, not firmwares;
jmc [Thu, 16 Apr 2015 19:59:28 +0000 (19:59 +0000)]
tweak previous;
markus [Thu, 16 Apr 2015 19:44:01 +0000 (19:44 +0000)]
ipa_inp_next is unused; via mikeb@
markus [Thu, 16 Apr 2015 19:24:13 +0000 (19:24 +0000)]
remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb
markus [Thu, 16 Apr 2015 19:18:10 +0000 (19:18 +0000)]
change {import,export}_identity so it can be used for policies; ok mikeb
(fixes sadb_ident_type conversion for policies)
schwarze [Thu, 16 Apr 2015 16:35:02 +0000 (16:35 +0000)]
shorten "outdated mandoc.db" warning message; requested by deraadt@
deraadt [Thu, 16 Apr 2015 15:50:47 +0000 (15:50 +0000)]
sync
gsoares [Thu, 16 Apr 2015 15:14:30 +0000 (15:14 +0000)]
Tweak error output.
ok krw@
mpi [Thu, 16 Apr 2015 14:23:48 +0000 (14:23 +0000)]
Make sure LLVM static analyzer do not report a false positive,
found by and fix confirmed by jsg@.
espie [Thu, 16 Apr 2015 14:11:29 +0000 (14:11 +0000)]
document %m, sort %.
espie [Thu, 16 Apr 2015 14:08:19 +0000 (14:08 +0000)]
add %m as a shorthand, will expand to
pub/OpenBSD/5.7/packages/amd64
for lazy typers.
okay aja@
espie [Thu, 16 Apr 2015 13:40:56 +0000 (13:40 +0000)]
document % sequences.
espie [Thu, 16 Apr 2015 13:29:16 +0000 (13:29 +0000)]
reorg code, the arch/osversion code should live in a single place,
short and sweet
mpi [Thu, 16 Apr 2015 11:21:01 +0000 (11:21 +0000)]
Match the Nd of the page, prodded by jmc@
espie [Thu, 16 Apr 2015 09:32:23 +0000 (09:32 +0000)]
commit expanded tags for %c, %v, %a
mpi [Thu, 16 Apr 2015 09:09:49 +0000 (09:09 +0000)]
Enable ualea(4) where we have uhub(4), these USB device lists cry for
unification...
mpi [Thu, 16 Apr 2015 08:56:53 +0000 (08:56 +0000)]
Manpage for ualea(4) with tweaks from jmc@.
mpi [Thu, 16 Apr 2015 08:55:21 +0000 (08:55 +0000)]
New driver for Araneus Alea II TRNG. All the hardwork has been done by
Sean Levy, aka attila, <attila + stalphonsos ! com>, thanks!
ok deraadt@
dtucker [Wed, 15 Apr 2015 23:23:25 +0000 (23:23 +0000)]
Plug leak of address passed to logging. bz#2373, patch from jjelen at redhat,
ok markus@
nicm [Wed, 15 Apr 2015 22:34:46 +0000 (22:34 +0000)]
Fix some issues in bright colour handling. Bold background doesn't exist
so there is no reason for tty_check_bg to mess with the BRIGHT flag at
all, ever. Also use aixterm colours for 256-to-16 translation if the
terminal supports them. And there is no reason for tty_colours_bg to
worry about whether the terminal supports them - tty_check_bg has
already taken care of it.
nicm [Wed, 15 Apr 2015 22:10:13 +0000 (22:10 +0000)]
Use tty_term_flag not _has for flags, also fix a typo (position not
permission).
bluhm [Wed, 15 Apr 2015 21:29:15 +0000 (21:29 +0000)]
Test that ping6 fragments with ethernet padding get reassembled
correctly.
millert [Wed, 15 Apr 2015 16:43:11 +0000 (16:43 +0000)]
Convert error/errorx/errorc functions -> fatal/fatalx/fatalc and
make then take a printf format string instead of requiring the
caller to snprintf into a buffer first. OK deraadt@
jsing [Wed, 15 Apr 2015 16:33:49 +0000 (16:33 +0000)]
Only set the cipher list if one was specified and actually check the return
value from SSL_CTX_set_cipher_list(). Also remove pointless getenv()
handling.
ok bcook@ doug@
jsing [Wed, 15 Apr 2015 16:25:43 +0000 (16:25 +0000)]
Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.
Inspired by simliar changes in BoringSSL.
ok beck@ doug@
jsing [Wed, 15 Apr 2015 16:09:29 +0000 (16:09 +0000)]
Now that tls_close() is more robust, consider a failure to be fatal.
jsing [Wed, 15 Apr 2015 16:08:43 +0000 (16:08 +0000)]
Treat SSL_ERROR_ZERO_RETURN as a success, rather than a failure. Also
ensure that outlen is set to zero so that tls_read() has read(2) like
semantics for EOF.
Spotted by doug@
jsing [Wed, 15 Apr 2015 16:05:23 +0000 (16:05 +0000)]
Make tls_close() more robust - do not rely on a close notify being received
from the other side and only return TLS_READ_AGAIN/TLS_WRITE_AGAIN if we
failed to send a close notify on a non-blocking socket.
Otherwise be more forceful and always shutdown/close the socket regardless
of other failures. Also do not consider ENOTCONN or ECONNRESET to be a
shutdown failure, since there are various situations where this can occur.
ok doug@ guenther@
nicm [Wed, 15 Apr 2015 15:44:40 +0000 (15:44 +0000)]
Fix setting old-style window -fg/-bg/-attr options that aren't global.
mpi [Wed, 15 Apr 2015 15:16:17 +0000 (15:16 +0000)]
Add the necessary glue to keep carp(4) working while other pseudo-drivers
are converted to if_input().
ok dlg@, claudio@
mpi [Wed, 15 Apr 2015 15:14:37 +0000 (15:14 +0000)]
Use ether_ifattach() and ether_ifdetach() when cloning/destroying an
interface instead of rewritting most of them.
This change is also needed for upcoming if_input() conversion.
As a bonus pseudo-driver attached on top of carp are now detached in
the right order.
ok claudio@, henning@
naddy [Wed, 15 Apr 2015 14:06:03 +0000 (14:06 +0000)]
include header required for DEBUG build; ok jsg@
krw [Wed, 15 Apr 2015 12:40:57 +0000 (12:40 +0000)]
Avoid using inet_ntoa() twice in a single printf() parameter list
by caching the results from excess inet_ntoa() calls before doing
the printf(). Should improve usefullness (?) of DHCPRELEASE log
entries by actually printing ciaddr and giaddr correctly when
dhcprelays stand between servers and clients.
Looks good to dlg@.
mpi [Wed, 15 Apr 2015 10:11:29 +0000 (10:11 +0000)]
Fix a typo introduced in the niq_enqueue() conversion.
Should fix a panic reported by many on bugs@ and misc@.
ok dlg@
mpi [Wed, 15 Apr 2015 09:58:44 +0000 (09:58 +0000)]
Add the necessary glue to keep vlan(4) working while other pseudo-drivers
are converted to if_input().
Reviewed by Rafael Zalamena.
ok claudio@, dlg@
kettenis [Wed, 15 Apr 2015 09:48:18 +0000 (09:48 +0000)]
Convert remaining drm ioctl implementation functions to return Linux-style
negative errno values.
ok jsg@
jsg [Wed, 15 Apr 2015 07:41:53 +0000 (07:41 +0000)]
add the include dir for libepoxy
mlarkin [Wed, 15 Apr 2015 03:52:45 +0000 (03:52 +0000)]
Unneeded return at the end of a void function.
deraadt [Wed, 15 Apr 2015 02:32:28 +0000 (02:32 +0000)]
opt{ind,err,arg} are already known
deraadt [Wed, 15 Apr 2015 02:12:00 +0000 (02:12 +0000)]
remove historical (void)foo (which were only here to hide lint's
undrenchable thirst for false positives)
deraadt [Wed, 15 Apr 2015 02:10:25 +0000 (02:10 +0000)]
It feels like this Makefile should contain -Wall at least
deraadt [Tue, 14 Apr 2015 23:59:40 +0000 (23:59 +0000)]
document missing argument; ok jmc
nicm [Tue, 14 Apr 2015 22:16:03 +0000 (22:16 +0000)]
Another couple of commas in the wrong place, ok jmc
nicm [Tue, 14 Apr 2015 21:34:45 +0000 (21:34 +0000)]
Remove an extra comma pointed out by jmc@.
nicm [Tue, 14 Apr 2015 21:25:54 +0000 (21:25 +0000)]
Reorder prototypes to better match manpage layout and add some missing
argument names, from Fabian Raetz. ok deraadt
miod [Tue, 14 Apr 2015 19:10:13 +0000 (19:10 +0000)]
sparc{,64} do not need softraid partitions to be defined as 4.2BSD, probably
since only one month after this was mentioned in CAVEATS.
mikeb [Tue, 14 Apr 2015 17:53:13 +0000 (17:53 +0000)]
IPsec auth and credentials are not stored in the kernel anymore;
noticed by deraadt@
deraadt [Tue, 14 Apr 2015 17:29:06 +0000 (17:29 +0000)]
wrap a long line
millert [Tue, 14 Apr 2015 17:05:28 +0000 (17:05 +0000)]
Fix sa_sigaction() handler example. The third argument is void * and
should be cast to ucontext_t * to actually use it. OK deraadt@
millert [Tue, 14 Apr 2015 16:40:46 +0000 (16:40 +0000)]
This is not System V, we spell it SIGCHLD.
Adapted from a diff from Jan Stary.
mpi [Tue, 14 Apr 2015 14:57:05 +0000 (14:57 +0000)]
Setting the configuration in *_attach() is a bad practise because if it
fails it's impossible to debug and you cannot use your device.
So instead of calling usbd_set_config_index(), match the right interface.
This is trivial with this device because it has only one configuration
and interface.
mpi [Tue, 14 Apr 2015 14:38:17 +0000 (14:38 +0000)]
It's not possible to call umcs_get_status() in interrupt context
because it submits synchronous transfers, so schedule a task when
necessary.
mikeb [Tue, 14 Apr 2015 14:20:01 +0000 (14:20 +0000)]
make ipsp_address thread safe; ok mpi
mikeb [Tue, 14 Apr 2015 14:18:37 +0000 (14:18 +0000)]
ip6_sprintf is long gone; noticed by blambert
jsing [Tue, 14 Apr 2015 12:56:36 +0000 (12:56 +0000)]
Move verify externs into the header file.
mikeb [Tue, 14 Apr 2015 12:22:15 +0000 (12:22 +0000)]
Remove support for storing credentials and auth information in the kernel.
This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.
No objections from reyk and hshoexer, with and OK markus.
jsing [Tue, 14 Apr 2015 11:45:00 +0000 (11:45 +0000)]
Convert openssl(1) s_time to new option handling.
ok doug@
jsing [Tue, 14 Apr 2015 10:54:40 +0000 (10:54 +0000)]
Clean up and improve openssl(1) errstr:
- Use BIO_new_fp() instead of BIO_new()/BIO_set_fp() and handle NULL
return value in a more appropriate manner.
- Use stroul() instead of sscanf() with appropriate error checking.
ok doug@
mpi [Tue, 14 Apr 2015 07:57:33 +0000 (07:57 +0000)]
Make sure we close the interrupt pipe when the device is detached.
Bug reported and fix tested by Thomas Pfaff, thanks!
mlarkin [Tue, 14 Apr 2015 05:21:51 +0000 (05:21 +0000)]
Reduce differences between non-PAE and PAE pmaps. This diff removes an
unneeded disable/enable_intr sequence around the PTE unmap operation.
dtucker [Tue, 14 Apr 2015 04:17:03 +0000 (04:17 +0000)]
Output remote username in debug output since with Host and Match it's not
always obvious what it will be. bz#2368, ok djm@
millert [Tue, 14 Apr 2015 02:24:17 +0000 (02:24 +0000)]
Log a more useful error message if ttyname() fails. OK deraadt@
deraadt [Mon, 13 Apr 2015 21:27:05 +0000 (21:27 +0000)]
pwd_mkdb now fits onto the install media. no more chroot games.
sthen [Mon, 13 Apr 2015 20:45:49 +0000 (20:45 +0000)]
Initialize RX/TX on re(4) slightly later; it appears that newer chips
don't setup DMA correctly until more configuration has been done -
enabling RX too soon causes DMA to bad places. KVM corruption problems
reported by Adam Wolk on Lenovo G50-70 (RTL8111GU).
Diff derived by Brad from FreeBSD commit; see bz# 197535 and 193743, inspired by
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
d6e572911a4cb2b9fcd1c26a38d5317a3971f2fd
Tested on the following by Brad, Adam Wolk, box963 at gmail, Jim Smith
re0 at pci4 dev 0 function 0 "Realtek 8168" rev 0x03: RTL8168D/8111D (0x2800), apic 2 int 16, address 00:0a:cd:1a:86:04
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G (0x4c00), msi, address 80:ee:73:76:8e:8a
re0 at pci0 dev 3 function 0 "Realtek 8169" rev 0x10: RTL8110S (0x0400), ivec 0x78c, address 00:22:3f:ee:fa:25
re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:0d:b9:31:2e:88
re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x10: RTL8168GU/8111GU (0x5080), msi, address 68:f7:28:18:35:8e
ok mpi@ dlg@
kettenis [Mon, 13 Apr 2015 20:02:58 +0000 (20:02 +0000)]
Make sure we print the MAC address on sparc64 as well.
mikeb [Mon, 13 Apr 2015 16:52:26 +0000 (16:52 +0000)]
Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer
mikeb [Mon, 13 Apr 2015 16:50:43 +0000 (16:50 +0000)]
Perform IPsec bypass check on a socket before performing TDB lookups.
OK markus, hshoexer
mikeb [Mon, 13 Apr 2015 16:48:01 +0000 (16:48 +0000)]
Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi
mikeb [Mon, 13 Apr 2015 16:45:52 +0000 (16:45 +0000)]
Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi
jsing [Mon, 13 Apr 2015 15:02:23 +0000 (15:02 +0000)]
Convert openssl(1) errstr to new option handling.
ok bcook@ doug@
mpi [Mon, 13 Apr 2015 08:52:51 +0000 (08:52 +0000)]
Move one "#ifdef NVLAN" chunk needed only if you're running bridge(4) on
to of vlan(4) from ether_input() to bridge_input().
One of the goal of the if_input() plumbing is to stop doing all possible
pseudo-drivers checks on every packets. There's no reason that even if
you're not running a bridge(4) you've to run this code.
This change also will also makes it easier to convert vlan(4) to if_input().
Reviewed by Rafael Zalamena and mikeb@, ok markus@
mpi [Mon, 13 Apr 2015 08:45:48 +0000 (08:45 +0000)]
Now that if_input() set the receiving interface pointer on mbufs for us
there's no need to do it in m_devget(9).
Stop passing an ``ifp'' will help for upcoming interface pointer -> index
conversion.
While here remove unused ``ifp'' argument from m_clget(9) and kill two
birds^W layer violations in one commit.
ok henning@
projects / openbsd / log