jsg [Tue, 11 Jun 2024 23:35:27 +0000 (23:35 +0000)]
reentrant functions were not in 386BSD
spotted by and ok deraadt@
kettenis [Tue, 11 Jun 2024 17:35:26 +0000 (17:35 +0000)]
Avoid powering down PCI devices if we're rebooting. This makes some
machines (e.g. the t410) unhappy.
ok mglocker@
op [Tue, 11 Jun 2024 16:35:24 +0000 (16:35 +0000)]
sync includes in tls_signer.c
pthread -> mutex
stdint -> uint8_t
stdio.h -> asprintf
stdlib.h -> calloc
string.h -> memcpy
ecdsa -> ECDSA_METHOD leftover, remove
ec -> EC_KEY
evp -> EVP_PKEY
pem -> PEM_read_bio_X509
x509 -> X509
90% of the diff is from tb@, I only spotted the missing string.h :)
ok tb@
tb [Tue, 11 Jun 2024 16:30:06 +0000 (16:30 +0000)]
smtpd: fix indent
ok op
jca [Tue, 11 Jun 2024 16:02:35 +0000 (16:02 +0000)]
Enable UVM percpu cache on riscv64
Proved stable in multiple ports bulk builds. ok kettenis@ phessler@
kettenis [Tue, 11 Jun 2024 15:44:55 +0000 (15:44 +0000)]
Clamp CPU clock frequencies to [min, max] range when determining the
initial perflevel.
ok deraadt@, phessler@, patrick@, jca@
tb [Tue, 11 Jun 2024 15:33:46 +0000 (15:33 +0000)]
rpki-client: add link to rpki-rs PR that supposedly fixes this bug
https://github.com/NLnetLabs/rpki-rs/pull/295
tb [Tue, 11 Jun 2024 13:09:02 +0000 (13:09 +0000)]
rpki-client: grammar tweak in comment
tb [Tue, 11 Jun 2024 12:44:00 +0000 (12:44 +0000)]
rpki-client: turn assert() into a NULL check
ok claudio
tb [Tue, 11 Jun 2024 10:38:40 +0000 (10:38 +0000)]
rpki-client: fix incorrect use of ASN1_tag2str()
This goes back to the initial import in mft.c and was then copied to rsc.c.
ASN1_tag2str() doesn't take a nid but rather an ASN.1 tag. Use nid2str()
instead.
ok claudio (who helped me use nid2str() correctly)
stsp [Tue, 11 Jun 2024 10:06:35 +0000 (10:06 +0000)]
Make sure qwx(4) always calls refcnt_init() before other refcnt functions.
I recently enabled automatic recovery from firmware crashes. if loading
firmware at boot would fail with a firmware error then the init task would
call refcnt_finalize() via qwx_stop() before refcnt_init() was called and
trigger a KASSERT in the refcnt code.
ok patrick@, who also reported the problem to me and tested the fix
jsg [Tue, 11 Jun 2024 09:55:38 +0000 (09:55 +0000)]
remove prototypes and defines for drivers landisk doesn't use
build test and ok miod@
jsg [Tue, 11 Jun 2024 09:21:32 +0000 (09:21 +0000)]
remove drm prototypes duplicating those in sys/conf.h
kettenis [Tue, 11 Jun 2024 09:15:33 +0000 (09:15 +0000)]
Add RK3588 TSADC clocks and resets.
ok patrick@, dlg@
tb [Tue, 11 Jun 2024 07:30:47 +0000 (07:30 +0000)]
I've written/touched/contributed to most of crl.c
tb [Tue, 11 Jun 2024 07:27:14 +0000 (07:27 +0000)]
rpki-client: simplify signature type checking for certs/CRLs
The OpenSSL 1.1 get_signature_nid() API is available for all libraries
that we support and it does exactly what we want. It is much simpler
than the unergonomic accessors we used previously. The ASN.1 templates
ensure that the relevant struct members aren't NULL after successful
deserialization, so the calls are safe.
ok claudio
jsg [Tue, 11 Jun 2024 06:11:50 +0000 (06:11 +0000)]
remove kbd/ms prototypes with no matching functions
jmc [Tue, 11 Jun 2024 05:24:39 +0000 (05:24 +0000)]
do not mark up "(default: 20ms)";
jsg [Tue, 11 Jun 2024 03:28:42 +0000 (03:28 +0000)]
remove prototypes for pre-wscons mouse drivers
djm [Tue, 11 Jun 2024 02:54:51 +0000 (02:54 +0000)]
reap preauth net child if it hangs up during privsep message send, not
just message receive
djm [Tue, 11 Jun 2024 02:00:30 +0000 (02:00 +0000)]
reap the pre-auth [net] child if it hangs up during privsep message
sending, not just receiving
djm [Tue, 11 Jun 2024 01:58:27 +0000 (01:58 +0000)]
fix PIDFILE handling, broken for SUDO=doas in last commit here
jsg [Tue, 11 Jun 2024 01:49:17 +0000 (01:49 +0000)]
remove cdev_decl(ses), none of the prototypes have matching functions
djm [Tue, 11 Jun 2024 01:23:25 +0000 (01:23 +0000)]
a little more RB_TREE paranoia
djm [Tue, 11 Jun 2024 01:22:25 +0000 (01:22 +0000)]
fix off-by-one comparison for PerSourcePenalty overflow:deny-all mode
djm [Tue, 11 Jun 2024 01:21:41 +0000 (01:21 +0000)]
move tree init before possible early return
djm [Tue, 11 Jun 2024 01:07:35 +0000 (01:07 +0000)]
update to mention that PerSourcePenalties default to being enabled
and document the default values for each parameter.
djm [Tue, 11 Jun 2024 00:44:52 +0000 (00:44 +0000)]
reap the [net] child if it hangs up while writing privsep message
payloads, not just the message header
djm [Tue, 11 Jun 2024 00:40:21 +0000 (00:40 +0000)]
log waitpid() status for abnormal exits
djm [Tue, 11 Jun 2024 00:36:20 +0000 (00:36 +0000)]
correct error message
jan [Mon, 10 Jun 2024 19:26:17 +0000 (19:26 +0000)]
Use TCP Large Receive Offload in vio(4).
Also introduce the guest offload feature to turn LRO off/on.
Tested by Mark Patruck, sf@ and bluhm@
ok sf@ and bluhm@
jan [Mon, 10 Jun 2024 18:21:59 +0000 (18:21 +0000)]
Clarify panic strings in vio(4)
suggested by bluhm
ok bluhm
claudio [Mon, 10 Jun 2024 12:51:25 +0000 (12:51 +0000)]
In get_alternate_addr() consider sessions to IPv6 link-local addresses
as connected (they are so by definition).
Issue reported by Jason Tubnor ( Jason.Tubnor (at) lchs.com.au )
OK tb@
tb [Mon, 10 Jun 2024 12:44:06 +0000 (12:44 +0000)]
rpki-client: allow multiple EKU OIDs for BGPsec certs
Nothing says there may be only one purpose. We only need to find
id-kp-bgpsec-router among them. This matches the intention of the
extended key usage extension in RFCs 5280 and 8209 more closely.
ok claudio
tb [Mon, 10 Jun 2024 11:49:29 +0000 (11:49 +0000)]
rpki-client: zap outdated comment.
The valid_x509() in proc_parser_gbr() was initially left unchecked but
has been checked since r1.79.
tb [Mon, 10 Jun 2024 10:50:13 +0000 (10:50 +0000)]
rpki-client: fix and move more KU/EKU to x509_get_purpose()
Now all key usage and extended key usage handling is at the same place.
This fixes a bug for BGPsec Router certs where key usage was ignored.
Another omission that is fixed here is that criticality of the key usage
extension was not checked. Drop a comment about possible use of EKU that
was in the TA/CA code path but would only apply to EE certs.
ok claudio
jsg [Mon, 10 Jun 2024 04:59:15 +0000 (04:59 +0000)]
remove decls for removed gpr(4) and urio(4)
jsg [Mon, 10 Jun 2024 04:10:25 +0000 (04:10 +0000)]
Remove struct mymsg. An example from SVID, not intended for a header.
ok millert@ miod@ jca@
jca [Sun, 9 Jun 2024 21:15:29 +0000 (21:15 +0000)]
Add a compiler barrier where missing in CPU_BUSY_CYCLE() implems
Having differences between architectures is asking for problems. And
adding a barrier here just makes sense in most cases. This is also what
cpu_relax() provides in Linux land.
ok kettenis@ claudio@
afresh1 [Sun, 9 Jun 2024 18:31:17 +0000 (18:31 +0000)]
Silently ignore setuid changes in relinked binaries
If these files are being relinked at reboot, this causes false positives
and alert fatigue.
Prompted by florian@
Feedback from millert@ and deraadt@
deraadt [Sun, 9 Jun 2024 17:24:19 +0000 (17:24 +0000)]
include BUILDINFO file in the iso/img files; requested by florian for sysupgrade changes
jan [Sun, 9 Jun 2024 16:25:27 +0000 (16:25 +0000)]
Introduce IFCAP_VLAN_HWOFFLOAD for vio(4).
Add IFCAP_VLAN_HWOFFLOAD to signal hardware like vio(4) can handle
checksum or TSO offloading with inline VLAN tags.
tested by Mark Patruck, sf@ and bluhm@
ok sf@ and bluhm@
gilles [Sun, 9 Jun 2024 10:13:05 +0000 (10:13 +0000)]
introduce a new K_AUTH service to allow offloading the credentials to a
table for non-crypt(3) authentication. tables configured with auth that
support K_AUTH are asked to check if a user and passwd are valid rather
than asked to provide the password for a user so smtpd does crypt(3) on
its side. helps with cases like ldap or custom auth.
ok op@
jsg [Sun, 9 Jun 2024 05:18:12 +0000 (05:18 +0000)]
remove prototypes with no matching function
jsg [Sun, 9 Jun 2024 03:21:54 +0000 (03:21 +0000)]
remove prototypes for functions removed in rev 1.34
jsg [Sun, 9 Jun 2024 03:12:59 +0000 (03:12 +0000)]
remove unused prototypes and pin number defines
bluhm [Sat, 8 Jun 2024 22:50:40 +0000 (22:50 +0000)]
Perl 5.38 permanently stops reading a file after it has seen EOF.
Call clearerr() to continously receive log file from remote machine
while grepping for test patterns.
mglocker [Sat, 8 Jun 2024 16:05:23 +0000 (16:05 +0000)]
Fix typo in last commits comment.
tb [Sat, 8 Jun 2024 13:34:59 +0000 (13:34 +0000)]
Improve the check for is_ta in filemode
Instead of checking for EXFLAG_SS use the more accurate information
we already gathered.
ok job
tb [Sat, 8 Jun 2024 13:33:49 +0000 (13:33 +0000)]
Tigthen cert_parse_ee_cert() and ta_parse()
Require that a cert fed to cert_parse_ee_cert() have an EE cert purpose.
Instead of throwing a warning for BGPsec router certs, check for the TA
purpose in ta_parse() and reject everything else.
ok job
tb [Sat, 8 Jun 2024 13:32:30 +0000 (13:32 +0000)]
Add a TODO item for BGPsec router certs
It is currently assumed that there is only one extended key usage OID.
RFC 8209 allows others. For example, it may well make sense for operators
to include the anyExtendedKeyUsage OID to be able to use validators that
don't recognize the BGPsec Router purpose.
ok job
tb [Sat, 8 Jun 2024 13:31:37 +0000 (13:31 +0000)]
Improve x509_get_purpose()
Instead of only differentiating between CA and BGPsec Router certs,
make it recognize TA and EE certs as well. TAs and CAs have the cA
boolean in the basic constraints, while EE and BGPsec router certs
do not.
TAs are self-signed, CAs not self-issued, all other certs with the
cA boolean are invalid. EE certs do not have an extended key usage
and BGPsec certs contain the id-kp-bgpsec-router OID.
Handle the new purposes where needed.
ok job
tb [Sat, 8 Jun 2024 13:30:35 +0000 (13:30 +0000)]
Helper to convert purpose into a printable string
ok job
tb [Sat, 8 Jun 2024 13:29:54 +0000 (13:29 +0000)]
Extend the cert_purpose enum
This adds a TA and an EE purpose to be used in upcoming commits.
ok job
tb [Sat, 8 Jun 2024 13:28:35 +0000 (13:28 +0000)]
Add a x509_cache_extensions() helper
This is a simple wrapper around X509_check_policy(cert, -1, 0) that
doesn't need an explanatory comment in the caller.
The reason for having to do this is that various OpenSSL API calls rely
on having extension information cached. As an unsurprising consequence of
OpenSSL's characteristic API misdesign these calls can't report errors,
so they call the extension caching without error checking and the result
is that they may report nonsense.
To work around this, cache the extensions up front so a second call can't
fail and thus API calls such as X509_check_ca(), X509_get_key_usage() and
X509_cmp() work reliably.
ok job
florian [Sat, 8 Jun 2024 06:05:40 +0000 (06:05 +0000)]
Do not enforce the next version key if installing a snapshot.
Developers sometimes have dev machines with an older snapshot that
already has the correct signify key but sysupgrade(8) refuses to do an
upgrade because it thinks it's a version jump. That's just silly.
tb pointed out that signify(1) can just work out the correct key all
by itself.
problem reported, same diff & OK deraadt
jsg [Sat, 8 Jun 2024 00:24:00 +0000 (00:24 +0000)]
remove unused SECMIN and SECHOUR defines
jsg [Fri, 7 Jun 2024 23:19:18 +0000 (23:19 +0000)]
remove unused TAB defines; ok miod@
bluhm [Fri, 7 Jun 2024 18:24:16 +0000 (18:24 +0000)]
Read IP forwarding variables only once.
Do not assume that ip_forwarding and ip_directedbcast cannot change
while processing one packet. Read it once and pass down its value
with a flag. This is necessary for unlocking the sysctl path.
There are a few places where a consistent value does not really
matter, they are unchanged. Use a proper ip_ prefix for the global
variable.
OK claudio@
jmc [Fri, 7 Jun 2024 17:38:22 +0000 (17:38 +0000)]
trim the -w text: it's obvious -l is a different case, so no need to note
ok florian
kettenis [Fri, 7 Jun 2024 16:53:35 +0000 (16:53 +0000)]
Make sure we select the deepest possible C-state during suspend-to-idle.
ok deraadt@, guenther@, mlarkin@, jsg@
job [Fri, 7 Jun 2024 14:00:09 +0000 (14:00 +0000)]
Align documentation with reality
OK tb@
jsg [Fri, 7 Jun 2024 13:43:21 +0000 (13:43 +0000)]
remove ph_ppp_proto define, unused since rev 1.123
tb [Fri, 7 Jun 2024 13:24:35 +0000 (13:24 +0000)]
rpki-client: if anything changed, choose the freshly-fetched TA
Instead of just looking at the serial number it's easier to use X509_cmp().
This compares the certs' hashes computed during the extension caching. This
is currently SHA-512 for LibreSSL and SHA-1 for OpenSSL, which is good
enough. After all, the TA certs were signed by a trusted source and if you
choose to use OpenSSL this won't be the worst of your problems.
ok job
deraadt [Fri, 7 Jun 2024 13:23:30 +0000 (13:23 +0000)]
avoid shadowing issues which some compilers won't accept
ok djm
jsg [Fri, 7 Jun 2024 13:15:25 +0000 (13:15 +0000)]
remove MAXBUFSIZ define, unused since rev 1.33
job [Fri, 7 Jun 2024 11:48:05 +0000 (11:48 +0000)]
Fine-tune the TA tiebreaker logic
Additional tiebreaker: prefer TA certificates with the narrower validity window
OK tb@
jsg [Fri, 7 Jun 2024 10:14:29 +0000 (10:14 +0000)]
remove unused defines, missed in rev 1.34
florian [Fri, 7 Jun 2024 09:48:19 +0000 (09:48 +0000)]
Fix slaac on P2P interfaces
slaacd(8) can work on P2P interfaces, it will just never configure the
destination address. But this works fine on at least pppoe(4) and
tun(4).
To make this less confusing pull ifra_dstaddr into dst6 or gw6
depending on if we are doing autoconf or not.
I accidentally broke this when implementing rule 5.5 of RFC 6724.
reported by & testing naddy
OK bluhm
jsg [Fri, 7 Jun 2024 09:26:37 +0000 (09:26 +0000)]
remove unused ROOTNAME define and part of a comment
matches part of cd9660_vfsops.c rev 1.11 and ffs_vfsops.c rev 1.12
jsg [Fri, 7 Jun 2024 08:48:10 +0000 (08:48 +0000)]
remove unused IPL_SOFTAUDIO define, missed in rev 1.200
jan [Fri, 7 Jun 2024 08:44:25 +0000 (08:44 +0000)]
Use TCP Large Receive Offload in vmx(4).
tested by Hrvoje Popovski and bluhm@
ok bluhm@
jsg [Fri, 7 Jun 2024 08:37:59 +0000 (08:37 +0000)]
remove unused defines
tb [Fri, 7 Jun 2024 08:36:54 +0000 (08:36 +0000)]
Add two related todo items for purpose handling
BGPsec certs are a bit weird and checks for them are all over the place,
some of them in the TA handling, which makes very little sense. We'd be
better off adding another purpose for trust anchors and use that instead.
ok claudio job
tb [Fri, 7 Jun 2024 08:33:12 +0000 (08:33 +0000)]
Rework trust anchor handling
Mimick the approach already taken from manifests and compare the trust
anchor fetched from the net with the one in the cache (if any). This
allows us to choose which one to use and pick the one we like better.
We currently look at the notBefore date and pick the TA later one or
pick the new one if the serialNumber changed. These conditions will
be tweaked in tree.
This prevents replay attacks where a man in the middle could feed us
still valid TA certificates with outdated internet number resources.
This is not currently an issue since all currently valid TA certs from
the RIRs have the same set of resources. Some TA certificates in the RPKI
expire so far in the future that its 32-bit time is again positive.
Things may well change in the next 100 years...
Problem pointed out to us by Ties de Kock a long time ago.
with and ok claudio
ok job
claudio [Fri, 7 Jun 2024 08:22:53 +0000 (08:22 +0000)]
Download new TA files into a temporary place (.ta/) so that the parser
can decide which of the two files to use.
With and OK tb@
jsg [Fri, 7 Jun 2024 08:02:17 +0000 (08:02 +0000)]
remove unused packet header length defines
jsg [Fri, 7 Jun 2024 06:26:23 +0000 (06:26 +0000)]
remove unused CONCAT define
tb [Fri, 7 Jun 2024 06:21:40 +0000 (06:21 +0000)]
Fix non-xsc path in x509_verify_potential_parent()
The combination of two bugs made this unexpectedly work as intended. To
appreciate this, let's first note that
a) check_issued(..., child, parent) checks if child was issued by parent.
b) X509_check_issued(child, parent) checks if parent was issued by child.
Now like in the real world, b) will only be true in unusual circumstances
(child is known not to be self-issued at this point). X509_check_issued()
fails by returning something different from X509_V_OK, so
return X509_check_issued(child, parent) != X509_V_OK;
will return true if child was issued by parent since then parent was indeed
not issued by child. On the other hand, if child was not issued by parent,
the verifier will notice elsewhere, e.g., in a signature check.
Fix this by reversing the order of child and parent in the above return
line and check for equality instead. This is nearly impossible to detect
in regress.
ok beck
jsg [Fri, 7 Jun 2024 06:04:43 +0000 (06:04 +0000)]
remove UADDR_HINT_MAXGAP, missed when uaddr_hint allocator was removed
tb [Fri, 7 Jun 2024 05:51:39 +0000 (05:51 +0000)]
Call out argument reversal between check_issued() and X509_check_issued()
It's a trap!
deraadt [Fri, 7 Jun 2024 05:17:34 +0000 (05:17 +0000)]
ret-clean is compatible with unhibernate again, due to a fix in
LLVM X86RetClean.cpp
issue observed by mglocker, diagnosed by mlarkin, kettenis, guenther.
deraadt [Fri, 7 Jun 2024 05:16:32 +0000 (05:16 +0000)]
Inside LLVM, Functions become marked with exposesReturnsTwice() if they
call a setjmp-type function (protyped with __attribute__((returns_twice)).
LLVM anticipates the longjmp type function will perform a direct branch
back (rather of a push;ret combo, almost certainly due to CET
shadow-stack coherency difficulties). Since we have CET/IBT enforced,
LLVM makes that direct branch legal by placing an endbr64 immediately
after the callq. Where I was placing the ret-clean sequence... this blows
up badly, in unhibernate / resume situations.
In the Functions marked exposesReturnsTwice(), skip doing ret-clean.
(placing the ret-clear after that endbr64 is much more difficult)
observed by mglocker, diagnosed by mlarkin, kettenis, guenther.
jmc [Thu, 6 Jun 2024 21:14:49 +0000 (21:14 +0000)]
escape the final dot at eol in "e.g." to avoid double spacing;
djm [Thu, 6 Jun 2024 20:25:48 +0000 (20:25 +0000)]
enable PerSourcePenalties by default.
ok markus
NB. if you run a sshd that accepts connections from behind large NAT
blocks, proxies or anything else that aggregates many possible users
behind few IP addresses, then this change may cause legitimate traffic
to be denied.
Please read the PerSourcePenalties, PerSourcePenaltyExemptList and
PerSourceNetBlockSize options in sshd_config(5) for how to tune your
sshd(8) for your specific circumstances.
djm [Thu, 6 Jun 2024 20:20:42 +0000 (20:20 +0000)]
mention that PerSourcePenalties don't affect concurrent in-progress
connections.
djm [Thu, 6 Jun 2024 19:50:01 +0000 (19:50 +0000)]
disable stderr redirection before closing fds
djm [Thu, 6 Jun 2024 19:49:25 +0000 (19:49 +0000)]
regress test for PerSourcePenalties
djm [Thu, 6 Jun 2024 19:48:40 +0000 (19:48 +0000)]
make sure logs are saved from sshd run via start_sshd
djm [Thu, 6 Jun 2024 19:47:48 +0000 (19:47 +0000)]
simplify
djm [Thu, 6 Jun 2024 18:48:13 +0000 (18:48 +0000)]
prepare for PerSourcePenalties being enabled by default in future
djm [Thu, 6 Jun 2024 17:15:25 +0000 (17:15 +0000)]
Add a facility to sshd(8) to penalise particular problematic client
behaviours, controlled by two new sshd_config(5) options:
PerSourcePenalties and PerSourcePenaltyExemptList.
When PerSourcePenalties are enabled, sshd(8) will monitor the exit
status of its child pre-auth session processes. Through the exit
status, it can observe situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly indicating
an attack against one or more accounts, e.g. password guessing), or
when client behaviour caused sshd to crash (possibly indicating
attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of some
duration (e.g. 30 seconds) against the client's address. If this time
is above a minimum threshold specified by the PerSourcePenalties, then
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
option allows certain address ranges to be exempt from all penalties.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself.
PerSourcePenalties is off by default, but we expect to enable it
automatically in the near future.
much feedback markus@ and others, ok markus@
tb [Thu, 6 Jun 2024 16:13:12 +0000 (16:13 +0000)]
ssl_tlsext: fix uninitialized variable warning with gcc
This is a false positive but as is well-known, gcc is terrible at
understanding conditionally initialized variables and it is tedious
to explain this to downstream maintainers who look at warnings.
ok miod
florian [Thu, 6 Jun 2024 15:24:46 +0000 (15:24 +0000)]
sync
florian [Thu, 6 Jun 2024 15:21:01 +0000 (15:21 +0000)]
hook dhcp6leasectl to the built
florian [Thu, 6 Jun 2024 15:16:57 +0000 (15:16 +0000)]
dhcp6leasectl
florian [Thu, 6 Jun 2024 15:15:44 +0000 (15:15 +0000)]
hand PD_IAs to dhcp6leasectl
florian [Thu, 6 Jun 2024 15:07:46 +0000 (15:07 +0000)]
Correct plural form usage.
tb [Thu, 6 Jun 2024 12:38:02 +0000 (12:38 +0000)]
Tell my future self why I don't want to change this check
bluhm [Thu, 6 Jun 2024 12:36:41 +0000 (12:36 +0000)]
Fix call instruction disassembler in ddb.
Disassembling the amd64 call instruction in ddb produced wrong
output. The operand of e8 is only 4 bytes long, not 8. The shown
address was off by 4 bytes. Following instructions were interpreted
incorrectly.
OK guenther@
projects / openbsd / log