openbsd
2 years agodrm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2)
jsg [Fri, 19 Nov 2021 02:56:07 +0000 (02:56 +0000)]
drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2)

From Hans de Goede
780fff2c75f096f3bc46855b105b83b4cec5cba7 in linux 5.10.y/5.10.80
820a2ab23d5eab4ccfb82581eda8ad4acf18458f in mainline linux

2 years agodrm: panel-orientation-quirks: Add quirk for GPD Win3
jsg [Fri, 19 Nov 2021 02:53:39 +0000 (02:53 +0000)]
drm: panel-orientation-quirks: Add quirk for GPD Win3

From Mario Risoldi
7d1fb5c12cc0c88159ebf946385141ed3019f009 in linux 5.10.y/5.10.80
61b1d445f3bfe4c3ba4335ceeb7e8ba688fd31e2 in mainline linux

2 years agodrm: panel-orientation-quirks: Add quirk for Aya Neo 2021
jsg [Fri, 19 Nov 2021 02:51:05 +0000 (02:51 +0000)]
drm: panel-orientation-quirks: Add quirk for Aya Neo 2021

From Bryant Mairs
bc3e73ebb79b01abc121703669c65f54f0023cfe in linux 5.10.y/5.10.80
def0c3697287f6e85d5ac68b21302966c95474f9 in mainline linux

2 years agoiked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
tb [Thu, 18 Nov 2021 22:59:03 +0000 (22:59 +0000)]
iked: replace a conditional EVP_CIPHER_CTX_cleanup() + free() stanza
with an unconditional EVP_CIPHER_CTX_free().

ok tobhe

2 years agoCheck if encoding works in dsa_init(). This avoids calling fatal()
tobhe [Thu, 18 Nov 2021 22:42:02 +0000 (22:42 +0000)]
Check if encoding works in dsa_init(). This avoids calling fatal()
in dsa_length() or dsa_prefix() when the selected encoding is invalid.

ok markus@

2 years agosha512test: replace EVP_MD_CTX_{cleanup,init} pair with EVP_MD_CTX_reset
tb [Thu, 18 Nov 2021 21:37:57 +0000 (21:37 +0000)]
sha512test: replace EVP_MD_CTX_{cleanup,init} pair with EVP_MD_CTX_reset

2 years agoless confusing debug message; bz#3365
djm [Thu, 18 Nov 2021 21:32:11 +0000 (21:32 +0000)]
less confusing debug message; bz#3365

2 years agogost: missed one cleanup
tb [Thu, 18 Nov 2021 21:26:54 +0000 (21:26 +0000)]
gost: missed one cleanup

2 years agosha256test: EVP_MD_CTX_cleanup -> EVP_MD_CTX_reset
tb [Thu, 18 Nov 2021 21:25:01 +0000 (21:25 +0000)]
sha256test: EVP_MD_CTX_cleanup -> EVP_MD_CTX_reset

2 years agogost2814789t: EVP_MD_CTX_cleanup -> EVP_MD_CTX_reset
tb [Thu, 18 Nov 2021 21:22:41 +0000 (21:22 +0000)]
gost2814789t: EVP_MD_CTX_cleanup -> EVP_MD_CTX_reset

2 years agoevptest: no need to call EVP_MD_CTX_cleanup() before EVP_MD_CTX_free()
tb [Thu, 18 Nov 2021 21:18:28 +0000 (21:18 +0000)]
evptest: no need to call EVP_MD_CTX_cleanup() before EVP_MD_CTX_free()

2 years agoavoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this
djm [Thu, 18 Nov 2021 21:11:01 +0000 (21:11 +0000)]
avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this
for RSA keys). Avoids fatal errors for PKCS#11 libraries that return
empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364

2 years agoUse HMAC_CTX_reset() instead of HMAC_CTX_cleanup() + HMAC_CTX_init()
tb [Thu, 18 Nov 2021 20:11:55 +0000 (20:11 +0000)]
Use HMAC_CTX_reset() instead of HMAC_CTX_cleanup() + HMAC_CTX_init()

2 years agoAdd semicolon that will become non-optional once BN_GENCB_set() will
tb [Thu, 18 Nov 2021 18:05:27 +0000 (18:05 +0000)]
Add semicolon that will become non-optional once BN_GENCB_set() will
move from an awful macro to a proper function.

2 years agotypo in comment
tb [Thu, 18 Nov 2021 18:01:08 +0000 (18:01 +0000)]
typo in comment

2 years agoacme-client: use EVP_PKEY_base_id()
tb [Thu, 18 Nov 2021 17:26:43 +0000 (17:26 +0000)]
acme-client: use EVP_PKEY_base_id()

In an upcoming libcrypto bump, EVP_PKEY will become opaque. In order to
stop reaching inside EVP_PKEY, we must replace EVP_PKEY_type(pkey->type)
with the equivalent EVP_PKEY_base_Id(pkey) in various places.

ok florian

2 years agovndsetcred: don't a reference to credentials in error path.
tb [Thu, 18 Nov 2021 16:57:59 +0000 (16:57 +0000)]
vndsetcred: don't a reference to credentials in error path.

ok deraadt

2 years agoFix ssltest to work with opaque EVP_PKEY.
tb [Thu, 18 Nov 2021 16:45:28 +0000 (16:45 +0000)]
Fix ssltest to work with opaque EVP_PKEY.

2 years agoPrevent future internal use of ASN1_CTX and ASN1_const_CTX by wrapping
tb [Thu, 18 Nov 2021 16:00:15 +0000 (16:00 +0000)]
Prevent future internal use of ASN1_CTX and ASN1_const_CTX by wrapping
them inside #ifndef LIBRESSL_INTERNAL.

suggested by jsing

2 years agoRemove the last pointless use of ASN1_const_CTX. Both ASN1_CTX and
tb [Thu, 18 Nov 2021 15:58:31 +0000 (15:58 +0000)]
Remove the last pointless use of ASN1_const_CTX. Both ASN1_CTX and
ASN1_const_CTX are now unused and will be garbage collected in the
next libcrypto bump.

ok jsing

2 years agosha*test: convert these tests to work with opaque EVP_MD_CTX.
tb [Thu, 18 Nov 2021 15:23:24 +0000 (15:23 +0000)]
sha*test: convert these tests to work with opaque EVP_MD_CTX.

2 years agozap trailing whitespace
tb [Thu, 18 Nov 2021 15:20:33 +0000 (15:20 +0000)]
zap trailing whitespace

2 years agohmactest: convert to opaque HMAC_CTX.
tb [Thu, 18 Nov 2021 15:20:02 +0000 (15:20 +0000)]
hmactest: convert to opaque HMAC_CTX.

2 years agogost2814789t: convert to opaque EVP_{MD,CIPHER}_CTX.
tb [Thu, 18 Nov 2021 15:18:25 +0000 (15:18 +0000)]
gost2814789t: convert to opaque EVP_{MD,CIPHER}_CTX.

2 years agoexptest: convert to opaque BN; minor KNF tweaks.
tb [Thu, 18 Nov 2021 15:17:31 +0000 (15:17 +0000)]
exptest: convert to opaque BN; minor KNF tweaks.

2 years agoevptest: fix compilation with opaque EVP_{CIPHER,MD}_CTX. Uses a
tb [Thu, 18 Nov 2021 15:15:31 +0000 (15:15 +0000)]
evptest: fix compilation with opaque EVP_{CIPHER,MD}_CTX. Uses a
workaround for excessive malloc inspired by mariadb (just kidding).

2 years agoecdsatest: make this test compile with opaque EVP_MD_CTX.
tb [Thu, 18 Nov 2021 15:12:59 +0000 (15:12 +0000)]
ecdsatest: make this test compile with opaque EVP_MD_CTX.

2 years agodsatest: make this work with opaque BN. Some more fixes will be needed
tb [Thu, 18 Nov 2021 15:11:17 +0000 (15:11 +0000)]
dsatest: make this work with opaque BN. Some more fixes will be needed
for opaque DSA. I'll deal with that later. I also lobbed a KNF grenade
in here.

2 years agodhtest: fix this to work with opaque BN. This will need more fixes to
tb [Thu, 18 Nov 2021 15:07:28 +0000 (15:07 +0000)]
dhtest: fix this to work with opaque BN. This will need more fixes to
work with opaque DH, but one step at a time. While here, add a bunch of
missing spaces to reduce the eyebleed.

2 years agobntest: Fix all but one test in this file to work with opaque BN.
tb [Thu, 18 Nov 2021 14:59:44 +0000 (14:59 +0000)]
bntest: Fix all but one test in this file to work with opaque BN.
The remaining test needs some thinking (or disabling once we flip
the switch). It is currently marked with an XXX.

2 years agoRemove X11 blt and bltone regress tests. They fail with the current
bluhm [Thu, 18 Nov 2021 14:55:38 +0000 (14:55 +0000)]
Remove X11 blt and bltone regress tests.  They fail with the current
X server and have been unlinked from the build.  Converting the
tests from libfb to libwfb could be possible, but nobody is working
on that.
OK matthieu@ kettenis@

2 years agoprinting udpencap_port in ddb requires ntohs not ntohl. use better format
sthen [Thu, 18 Nov 2021 11:04:10 +0000 (11:04 +0000)]
printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@

2 years agoIn x509_vfy.h rev. 1.35 and x509_lu.c rev. 1.34, tb@ provided
schwarze [Thu, 18 Nov 2021 10:09:24 +0000 (10:09 +0000)]
In x509_vfy.h rev. 1.35 and x509_lu.c rev. 1.34, tb@ provided
X509_OBJECT_new(3) and X509_OBJECT_free(3); document them.

While here, stop talking about storing storing EVP_PKEY objects
and plain C strings in X509_OBJECT objects.  LibreSSL never fully
supported that, and it certainly no longer supports that now.

2 years agoMove example from "goo" to @tag.
ajacoutot [Thu, 18 Nov 2021 09:51:30 +0000 (09:51 +0000)]
Move example from "goo" to @tag.

2 years agoregression test for ssh-keygen -Y find-principals fix;
djm [Thu, 18 Nov 2021 03:53:48 +0000 (03:53 +0000)]
regression test for ssh-keygen -Y find-principals fix;
from Fabian Stelzer ok djm markus

2 years agossh-keygen -Y find-principals was verifying key validity when using
djm [Thu, 18 Nov 2021 03:50:41 +0000 (03:50 +0000)]
ssh-keygen -Y find-principals was verifying key validity when using
ca certs but not with simple key lifetimes within the allowed
signers file.

Since it returns the first keys principal it finds this could
result in a principal with an expired key even though a valid
one is just below.

patch from Fabian Stelzer; feedback/ok djm markus

2 years agocheck for POLLHUP wherever we check for POLLIN
djm [Thu, 18 Nov 2021 03:31:44 +0000 (03:31 +0000)]
check for POLLHUP wherever we check for POLLIN

2 years agofd leak in sshd listen loop error path; from Gleb Smirnoff
djm [Thu, 18 Nov 2021 03:07:59 +0000 (03:07 +0000)]
fd leak in sshd listen loop error path; from Gleb Smirnoff

2 years agocheck for POLLHUP as well as POLLIN in sshd listen loop;
djm [Thu, 18 Nov 2021 03:07:20 +0000 (03:07 +0000)]
check for POLLHUP as well as POLLIN in sshd listen loop;
ok deraadt millert

2 years agocheck for POLLHUP as well as POLLIN, handle transient IO errors as well
djm [Thu, 18 Nov 2021 03:06:03 +0000 (03:06 +0000)]
check for POLLHUP as well as POLLIN, handle transient IO errors as well
as half-close on the output side; ok deraadt millert

2 years agosync
deraadt [Thu, 18 Nov 2021 01:31:02 +0000 (01:31 +0000)]
sync

2 years agouniq(1): ignore trailing newlines when comparing lines
cheloha [Wed, 17 Nov 2021 23:09:38 +0000 (23:09 +0000)]
uniq(1): ignore trailing newlines when comparing lines

POSIX.1-2008 tweaked the uniq definition in light of AGI 1003.1-2001
#133.  uniq must now *ignore* the trailing newline when comparing
lines from the input.

In practice this means that if the last line in the input is missing a
trailing newline it isn't necessarily different from the line
preceding it.

So, uniq(1) now stubs the trailing newline before doing any line
comparisons.

For sake of simplicity, this patch introduces a second change: if the
last line in the input is missing a trailing newline and we choose to
print the line, a newline is appended when we print it.

Adopting the newline change aligns our implementation with with
POSIX.1-2008 (which we already claim in the manpage).  Adopting both
changes aligns our behavior with that of FreeBSD and GNU uniq.  For
better or worse, OpenBSD's uniq no longer behaves like NetBSD's uniq
in this corner case.

References:

POSIX.1-2001 uniq:
https://pubs.opengroup.org/onlinepubs/009695399/utilities/uniq.html

Austin Group Interpretation 1003.1-2001 #133:
https://collaboration.opengroup.org/austin/interps/documents/14355/AI-133.txt

POSIX.1-2008 uniq:
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/uniq.html

--

Discussed with millert@.  With input from schwarze@.  Positive feedback
from bcallah@.

Thread: https://marc.info/?l=openbsd-tech&m=163581613829524&w=2

ok millert@

2 years agoWhen unp_connect() releases both solock() and vnode(9) locks the socket we
mvs [Wed, 17 Nov 2021 22:56:19 +0000 (22:56 +0000)]
When unp_connect() releases both solock() and vnode(9) locks the socket we
were connected could be closed by concurrent thread. Check connection
state and return ECONNREFUSED if the connection was lost.

ok bluhm@

2 years agoset num_listen_socks to 0 on close-all instead of -1, which
djm [Wed, 17 Nov 2021 21:06:39 +0000 (21:06 +0000)]
set num_listen_socks to 0 on close-all instead of -1, which
interferes with the new poll()-based listen loop; spotted and
debugged by anton@+deraadt@

2 years agoDisplay DNS information from sppp(4) in ifconfig(8)
bket [Wed, 17 Nov 2021 18:00:24 +0000 (18:00 +0000)]
Display DNS information from sppp(4) in ifconfig(8)

Behaviour is similar to that of umb(4).

OK kn@

2 years agoIn x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided
schwarze [Wed, 17 Nov 2021 16:08:32 +0000 (16:08 +0000)]
In x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided
X509_STORE_CTX_set_verify(3) and X509_STORE_CTX_get_verify(3).
Document them.

In the next bump, tb@ will also provide X509_STORE_CTX_verify_fn(3)
and X509_STORE_set_verify(3) and restore X509_STORE_set_verify_func(3)
to working order.  For efficiency of documentation work, already
document those three, too, but keep the text temporariy .if'ed out
until they become available.

Delete X509_STORE_set_verify_func(3) from X509_STORE_set_verify_cb_func(3)
because it was misplaced in that page: it is not related to the
verification callback.

tb@ agrees with the general direction.

2 years agoDisable active scanning on iwm(4) 9260 and 9560.
stsp [Wed, 17 Nov 2021 15:15:32 +0000 (15:15 +0000)]
Disable active scanning on iwm(4) 9260 and 9560.

For some reason, if we send a scan command that actively scans for a
particular SSID with probe requests, the device will occasionally lock
up after associating to the AP, with no interrupts, totally dead.
The symptom of this is an interface that shows as "active" in ifconfig
but does not receive or transmit any packets.

Observed by kmos@ for some time already, and myself while testing new
Intel wifi firmware versions on iwm(4) 9560.

This problem was also observed on AX200 by me with old firmware. We had
the same workaround in place for iwx(4) for some time, until we upgraded
that driver to use newer firmware which uses a different scan command.

Workaround tested by kmos@ and myself.

2 years agoClarify BUGS wrt. reserving memory for the hypervisor
kn [Wed, 17 Nov 2021 15:13:36 +0000 (15:13 +0000)]
Clarify BUGS wrt. reserving memory for the hypervisor

The previous wording might be understood as "leave memory unused in the
primary domain", which is precisely what causes the hypervisor to reject
the configuration since ldomctl(8) would implicitly allocate all remaining
memory for the primary domain.

Make sure that primary domain memory should be assigned explicitly so the
total amount of allocated memory is less than physically available, i.e.
the hypervisor will have even more memory available and configurations can
boot again.

OK stsp

2 years agoProvide real output for the "ldomctl console" EXAMPLE
kn [Wed, 17 Nov 2021 13:48:12 +0000 (13:48 +0000)]
Provide real output for the "ldomctl console" EXAMPLE

2 years agoexplicitly talk a bit about "informal" specs
espie [Wed, 17 Nov 2021 12:53:05 +0000 (12:53 +0000)]
explicitly talk a bit about "informal" specs

2 years agoforbid non-sensical empty parts
espie [Wed, 17 Nov 2021 10:59:13 +0000 (10:59 +0000)]
forbid non-sensical empty parts
explicitly forbid % to be in packages-specs, so that people don't get confused
about it.

2 years agoadd more checks for badly specified pkgspecs
espie [Wed, 17 Nov 2021 10:58:21 +0000 (10:58 +0000)]
add more checks for badly specified pkgspecs

2 years agouhidpp does claim multiple report ids
anton [Wed, 17 Nov 2021 06:22:14 +0000 (06:22 +0000)]
uhidpp does claim multiple report ids

2 years agoucc does not claim multiple report ids
anton [Wed, 17 Nov 2021 06:21:23 +0000 (06:21 +0000)]
ucc does not claim multiple report ids

2 years agoFix a double free in uhidev_close() caused by a race between
anton [Wed, 17 Nov 2021 06:20:30 +0000 (06:20 +0000)]
Fix a double free in uhidev_close() caused by a race between
uhidev_open() and uhidev_close(). In uhidev_close() the UHIDEV_OPEN flag
is cleared early on but the same thread can end up sleeping while
closing the input or output pipe. This allows another thread to enter
uhidev_open() but only to fail opening either the input or output pipe
since they are already open for exclusive use. The uhidev_open() error
path frees the input buffer but leaves a dangling pointer around;
causing uhidev_close() to free the same buffer.

This can at least happen on xhci(4) which can end up sleeping in
xhci_pipe_close().

Reported by and ok gnezdo@

2 years agowc(1): fix NULL pointer dereference in cnt()
cheloha [Tue, 16 Nov 2021 23:34:24 +0000 (23:34 +0000)]
wc(1): fix NULL pointer dereference in cnt()

If the "file" argument to cnt() is NULL and we call warn(3) we will
get a NULL dereference.

Change the name of the argument to "path" and make "file" a local
variable.  Ensure that we set "file" to a valid C-string, even if
"path" is NULL.

While we're here, const the file name pointers, too.

Thread: https://marc.info/?l=openbsd-tech&m=163708784422157&w=2

ok millert@

2 years agofix an accidental NULL deref introduced last year, found by patrick.
deraadt [Tue, 16 Nov 2021 21:55:21 +0000 (21:55 +0000)]
fix an accidental NULL deref introduced last year, found by patrick.
rewrite the code with a goto so this never happens again.
ok patrick millert

2 years agoZero all copies of pre-shared key.
tobhe [Tue, 16 Nov 2021 21:43:36 +0000 (21:43 +0000)]
Zero all copies of pre-shared key.

ok markus@

2 years agodocument GH_DISTFILE that was added to ports/infrastructure/mk/bsd.port.mk
sthen [Tue, 16 Nov 2021 21:19:24 +0000 (21:19 +0000)]
document GH_DISTFILE that was added to ports/infrastructure/mk/bsd.port.mk

2 years agomove memory allocations in pfr_add_addrs() outside of NET_LOCK()/PF_LOCK()
sashan [Tue, 16 Nov 2021 20:51:30 +0000 (20:51 +0000)]
move memory allocations in pfr_add_addrs() outside of NET_LOCK()/PF_LOCK()
scope.

feedback by bluhm@

OK bluhm@

2 years agoValidate RTM_PROPOSAL in resolver not frontend
kn [Tue, 16 Nov 2021 16:45:23 +0000 (16:45 +0000)]
Validate RTM_PROPOSAL in resolver not frontend

The resolver is the actual consumer and shouldn't trust the frontend.
Fold the IPv4/IPv6 specific checks thanks to the previous commit.

Idea from florian
OK florian

2 years agoSimplify address family handling, ditch inet_ntop(3)
kn [Tue, 16 Nov 2021 16:37:52 +0000 (16:37 +0000)]
Simplify address family handling, ditch inet_ntop(3)

Reduce duplicate code and use getnameinfo(3) for IPv4 as well.

This commit is the equivalent of sbin/resolvd/resolvd.c revision 1.21
"Simplify address family handling, ditch inet_ntop(3)".

OK florian

2 years agoInstall missing scope identifier for IPv6 link-local addresses
kn [Tue, 16 Nov 2021 16:30:42 +0000 (16:30 +0000)]
Install missing scope identifier for IPv6 link-local addresses

RTM_PROPOSAL's list of IP addresses does not contain scope IDs by design.
This is not a problem as the proposal is always bound to an interface,
as long as we use it...

Fill in the scope ID for link-local IPs and replace inet_ntop(3) usage with
getnameinfo(3) in the IPv6 case such that it actually turns up in the string
representation.

This is the unwind specific fix to ensure working IPv6LL;  libunbound still
requires another fix.

This commit is the equivalent of sbin/resolvd/resolvd.c revision 1.20
"Install missing scope identifier for IPv6 link-local addresses".

OK florian

2 years agoUse size of struct not pointer
kn [Tue, 16 Nov 2021 16:24:22 +0000 (16:24 +0000)]
Use size of struct not pointer

Pointed out by florian, thanks.
No change as the sockaddr remains unused by getnameinfo() in this case.

2 years agoadd a few more checks for incorrect specs
espie [Tue, 16 Nov 2021 15:59:58 +0000 (15:59 +0000)]
add a few more checks for incorrect specs

2 years agoreally nail down the flavor part better... write this as an extended
espie [Tue, 16 Nov 2021 15:56:44 +0000 (15:56 +0000)]
really nail down the flavor part better... write this as an extended
regexp because it's not that readable

2 years agotweak the packages-specs regexp a bit:
espie [Tue, 16 Nov 2021 15:38:52 +0000 (15:38 +0000)]
tweak the packages-specs regexp a bit:
stem-* shouldn't have any cruft added.

2 years agoIn x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided
schwarze [Tue, 16 Nov 2021 14:07:57 +0000 (14:07 +0000)]
In x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided
X509_STORE_CTX_get_verify_cb(3); document it.

2 years agoTo debug IPsec and tdb refcounting it is useful to have "show tdb"
bluhm [Tue, 16 Nov 2021 13:53:14 +0000 (13:53 +0000)]
To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@

2 years agoUse nowake when poll/select has empty fd set
visa [Tue, 16 Nov 2021 13:48:23 +0000 (13:48 +0000)]
Use nowake when poll/select has empty fd set

When the fd set is empty, the code waits for a signal or timeout.
Wakeups from the kqueue are neither expected nor wanted.

OK cheloha@, millert@, anton@, mpi@

2 years agoRemove an old note about poor performance
visa [Tue, 16 Nov 2021 13:46:16 +0000 (13:46 +0000)]
Remove an old note about poor performance

The new kqueue-based poll/select implementation does not suffer from
select collisions.

OK cheloha@, millert@

2 years agofix typo in an error message printed by iwx_phy_ctxt_update()
stsp [Tue, 16 Nov 2021 12:56:11 +0000 (12:56 +0000)]
fix typo in an error message printed by iwx_phy_ctxt_update()

2 years agofix typo in an error message printed by iwm_phy_ctxt_update()
stsp [Tue, 16 Nov 2021 12:55:50 +0000 (12:55 +0000)]
fix typo in an error message printed by iwm_phy_ctxt_update()

2 years agoRecently, tb@ provided the following functions:
schwarze [Tue, 16 Nov 2021 12:06:57 +0000 (12:06 +0000)]
Recently, tb@ provided the following functions:
X509_STORE_CTX_set_error_depth      x509_vfy.h 1.37  x509_vfy.c  1.91
X509_STORE_CTX_set_current_cert     x509_vfy.h 1.37  x509_vfy.c  1.91
X509_STORE_CTX_get_num_untrusted    x509_vfy.h 1.36  x509_vfy.c  1.90
X509_STORE_CTX_set0_verified_chain  x509_vfy.h 1.37  x509_vfy.c  1.91

Merge the documentation from the OpenSSL 1.1.1 branch,
which is still under a free license; tweaked by me.

2 years agohilkbd(4): Fix swedish keyboard layout botch on non-PS/2 style keyboards
landry [Tue, 16 Nov 2021 10:20:52 +0000 (10:20 +0000)]
hilkbd(4): Fix swedish keyboard layout botch on non-PS/2 style keyboards
introduced in 1.7 and preventing `o' and `p' keys from working as
intended.  Reported by Anders Gustafsson.

From miod@

2 years agoMove UNIX domain sockets garbage collector out of `unp_lock.
mvs [Tue, 16 Nov 2021 08:56:19 +0000 (08:56 +0000)]
Move UNIX domain sockets garbage collector out of `unp_lock.

Except `unp_ino' this leaves only per-socket data protected by
`unp_lock'. The `unp_ino' protection is not the big deal and will be
done with mutex(9) in the future diff.

The garbage collector flags moved from from `unp_flags' to unp_gcflags'.

The two new locks introduced to protect garbage collector data. The
`unp_gc_lock' rwlock(9) protects `unp_defer', `unp_gcing', `unp_gcflags'
and `unp_link' list. The `unp_df_lock' protects `ud_link' list.

We need to simultaneously lock `unp_gc_lock' and `unp_lock'. When we
perform unp_attach() or unp_detach() we link PCB to `unp_link' list with
`unp_lock' held. But when unp_gc() does `unp_link' list walkthrough with
the `unp_gc_lock' lock held it should lock socket while performs
`so_rcv' buffer scan and the lock order should be the opposite.

In the future diff `unp_lock' will be replaced by per-socket `so_lock'
so it's better to enforce `unp_gc_lock' -> `unp_lock' (solock()) lock
order and release `unp_lock' in the unp_attach() and unp_detach() paths.
The previously committed diffs made this safe.

The `unp_df_lock' introduced because the `unp_lock' and `unp_gc_lock'
state are unknown when unp_discard() called. Since it touches only
`ud_link' list the re-lock dances are unwanted in this path. Also this
keeps M_WAITOK allocation outside rwlock(9) when unp_discard() called
from unp_externalize() error path.

ok bluhm@

2 years agoSync boot.h with ld.so's boot.c, getting rid of struct boot_dyn,
guenther [Tue, 16 Nov 2021 02:46:46 +0000 (02:46 +0000)]
Sync boot.h with ld.so's boot.c, getting rid of struct boot_dyn,
only initializing the variables we need to, and switching to a
"while < end-of-array" style for DT_REL/RELA processing

ok drahn@ kettenis@

2 years agostyle
tobhe [Mon, 15 Nov 2021 22:37:35 +0000 (22:37 +0000)]
style

2 years agoPass sockaddr length to be on the safe side, still
kn [Mon, 15 Nov 2021 18:25:52 +0000 (18:25 +0000)]
Pass sockaddr length to be on the safe side, still

2 years agoRevert previous
kn [Mon, 15 Nov 2021 18:23:45 +0000 (18:23 +0000)]
Revert previous

sockaddr_storage should stay since it is preferred and less error prone.

From deraadt
OK florian

2 years agosync
deraadt [Mon, 15 Nov 2021 17:42:50 +0000 (17:42 +0000)]
sync

2 years agoAvoid huge sockaddr_storage
kn [Mon, 15 Nov 2021 17:33:51 +0000 (17:33 +0000)]
Avoid huge sockaddr_storage

sockaddr_{in,in6} are enough and a simple sockaddr pointer is enough to
abstract them  (sockaddr_storage is what worked for me, there is no other
reason to use it).

While here, be portable and pass a non-zero length to getnameinfo(3);
while OpenBSD's implementation ignores it in the NI_NUMERICHOST case,
at least the old KAME stack didn't.

No functional change.

Prodded by florian
OK florian

2 years agoCopy p_p->ps_pledge into a local variable (called pledge) in every function
deraadt [Mon, 15 Nov 2021 17:14:51 +0000 (17:14 +0000)]
Copy p_p->ps_pledge into a local variable (called pledge) in every function
which checks PLEDGE_* bits more than once.  Some functions are called without
locking, and this avoids misinterpreting bits which have some coupled behaviour.
ok cheloha kettenis

2 years agoAdjust how the repository count limit works. Instead of failing hard just
claudio [Mon, 15 Nov 2021 16:32:15 +0000 (16:32 +0000)]
Adjust how the repository count limit works. Instead of failing hard just
fall back to a possible cache and try to validate what is available.
This still limits the number of repositories fetched but allows valid
repositories to finish with the available data.
OK job@

2 years agonew manual page ASN1_BIT_STRING_set(3) documenting four BIT STRING accessors
schwarze [Mon, 15 Nov 2021 16:18:36 +0000 (16:18 +0000)]
new manual page ASN1_BIT_STRING_set(3) documenting four BIT STRING accessors

2 years agoRevert to eager removal of poll/select knotes
visa [Mon, 15 Nov 2021 15:48:54 +0000 (15:48 +0000)]
Revert to eager removal of poll/select knotes

This should prevent a panic that bluhm@ has reported.

2 years agoThird attempt to solve the claim multiple report ids conflict. Using the
anton [Mon, 15 Nov 2021 15:38:08 +0000 (15:38 +0000)]
Third attempt to solve the claim multiple report ids conflict. Using the
report id to signal that multiple ones should be claimed by the match
routines does not work. All valid report ids 1-255 cannot of course be
used and 0 which is reserved by the USB HID specification is internally
used to represents devices lacking an explicit report id.

Therefore, use presence of the claimed array to signal that multiple
report ids can be claimed.

Tested by gnezdo@

2 years agoIn preparation for once again trying the resolve the claim multiple
anton [Mon, 15 Nov 2021 15:36:24 +0000 (15:36 +0000)]
In preparation for once again trying the resolve the claim multiple
report ids conflict, extract the claim multiple report ids conditional
in order to minimize the required upcoming changes to resolve the
conflict.

Tested by gnezdo@

2 years agoNo need to declare optind, optarg or opterr; unistd.h does this for us.
millert [Mon, 15 Nov 2021 15:14:24 +0000 (15:14 +0000)]
No need to declare optind, optarg or opterr; unistd.h does this for us.
From Jan Stary.  OK deraadt@

2 years agoChange printing of maps to use qsort to order the output using a pointer
claudio [Mon, 15 Nov 2021 14:57:57 +0000 (14:57 +0000)]
Change printing of maps to use qsort to order the output using a pointer
array. This replaces the current solution that only prints one element for
a certain value and not all elements with tha same value.
This can be further optimized but printing is not really a hot path in btrace.
OK mpi@

2 years agodocument ASN1_PRINTABLE_type(3) and ASN1_UNIVERSALSTRING_to_string(3)
schwarze [Mon, 15 Nov 2021 13:39:40 +0000 (13:39 +0000)]
document ASN1_PRINTABLE_type(3) and ASN1_UNIVERSALSTRING_to_string(3)

2 years agoTidy up; no change.
ajacoutot [Mon, 15 Nov 2021 12:56:11 +0000 (12:56 +0000)]
Tidy up; no change.

2 years agodocument ASN1_item_pack(3) and ASN1_item_unpack(3)
schwarze [Mon, 15 Nov 2021 11:51:09 +0000 (11:51 +0000)]
document ASN1_item_pack(3) and ASN1_item_unpack(3)

2 years agoLeave the hardware cursor at the position of the selected line in choose
nicm [Mon, 15 Nov 2021 10:58:13 +0000 (10:58 +0000)]
Leave the hardware cursor at the position of the selected line in choose
modes and current editing position and at the command prompt. It is
invisible but this is helpful for people using screen readers. GitHub
issue 2970.

2 years agodocument i2a_ASN1_STRING(3) and a2i_ASN1_STRING(3)
schwarze [Mon, 15 Nov 2021 10:41:11 +0000 (10:41 +0000)]
document i2a_ASN1_STRING(3) and a2i_ASN1_STRING(3)

2 years agoFix a strange check in the auto DH codepath
tb [Sun, 14 Nov 2021 22:31:29 +0000 (22:31 +0000)]
Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing

2 years agoDelete all the no-op RELOC_GOT() macros and their uses.
guenther [Sun, 14 Nov 2021 22:07:38 +0000 (22:07 +0000)]
Delete all the no-op RELOC_GOT() macros and their uses.
Annotate RELOC_DYN() on non-hppa as only used in lib/csu.
Delete some inconsistent comments, adjust whitespace, and reorder
  mips64's archdep.h so that the ld.so/*/archdep.h files look
  (almost) the same.

ok visa@ kettenis@

2 years agoMake sure efiboot is built with RELA/REL relocations and not RELR,
guenther [Sun, 14 Nov 2021 21:51:48 +0000 (21:51 +0000)]
Make sure efiboot is built with RELA/REL relocations and not RELR,
as self_reloc.c only handles the former.

ok deraadt@ kettenis@

2 years agouse ppoll() instead of pselect()
deraadt [Sun, 14 Nov 2021 18:47:43 +0000 (18:47 +0000)]
use ppoll() instead of pselect()
with djm

2 years agoWhen we transition from RENEWING to REBINDING state we have to
florian [Sun, 14 Nov 2021 18:13:19 +0000 (18:13 +0000)]
When we transition from RENEWING to REBINDING state we have to
calculate the next timeout based on the rebinding time (T2), not
renewal time (T1). At this point T1 already expired and we would wait
way too long, past the lease lifetime.

Spotted while investigating a problem reported by Zack Newman on misc@