openbsd
2 years agoAlign ssl_kex_derive_ecdhe_ecp() with ssl_kex_derive_dhe()
tb [Tue, 30 Nov 2021 18:17:03 +0000 (18:17 +0000)]
Align ssl_kex_derive_ecdhe_ecp() with ssl_kex_derive_dhe()

sk is commonly used for a STACK_OF(), so call the shared key simply key.

ok jsing

2 years agoisakmpd: convert modp_init() for opaque DH.
tb [Tue, 30 Nov 2021 18:12:44 +0000 (18:12 +0000)]
isakmpd: convert modp_init() for opaque DH.

ok jsing

2 years agowhitespace
tobhe [Tue, 30 Nov 2021 17:47:30 +0000 (17:47 +0000)]
whitespace

2 years agoadd ixl(4)
deraadt [Tue, 30 Nov 2021 17:05:59 +0000 (17:05 +0000)]
add ixl(4)

2 years agos/ECDHE/ECDH/
jsing [Tue, 30 Nov 2021 15:58:08 +0000 (15:58 +0000)]
s/ECDHE/ECDH/

If we can provide an EC key that is used, then it is by definition
non-ephemeral.

ok tb@

2 years agoFix indentation of return in yy_try_NUL_trans().
millert [Tue, 30 Nov 2021 15:50:06 +0000 (15:50 +0000)]
Fix indentation of return in yy_try_NUL_trans().
M4_YY_NOOP_GUTS_VAR is a no-op in most cases but its indentation
remains, leading to double indentation of the return statement.
This fixes "misleading indentation" warnings from clang.  OK tb@

2 years agoRemove unused parameter from ipsp_spd_inp().
bluhm [Tue, 30 Nov 2021 13:17:43 +0000 (13:17 +0000)]
Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@

2 years agoAdd regress for {d2i,i2d}_{,DSA_,EC_,RSA_}PUBKEY{,_bio}().
jsing [Tue, 30 Nov 2021 07:34:29 +0000 (07:34 +0000)]
Add regress for {d2i,i2d}_{,DSA_,EC_,RSA_}PUBKEY{,_bio}().

2 years agoPrevent select(2) from blocking if registering found pending events.
visa [Tue, 30 Nov 2021 02:58:33 +0000 (02:58 +0000)]
Prevent select(2) from blocking if registering found pending events.

OK mpi@

2 years agoenable uhid/fido
deraadt [Tue, 30 Nov 2021 02:13:55 +0000 (02:13 +0000)]
enable uhid/fido
from Ashton Fagg

2 years agoUse nanosleep(3) instead of select(2) for test run time delay. Use ~10
mvs [Mon, 29 Nov 2021 21:25:09 +0000 (21:25 +0000)]
Use nanosleep(3) instead of select(2) for test run time delay. Use ~10
years interval as operational infinity.

2 years agoCreate socket within current directory instead of /tmp. Also remove it
mvs [Mon, 29 Nov 2021 21:21:26 +0000 (21:21 +0000)]
Create socket within current directory instead of /tmp. Also remove it
with "make clean".

2 years agoCrank the number of rounds of Miller-Rabin from 50 to 64
tb [Mon, 29 Nov 2021 20:13:25 +0000 (20:13 +0000)]
Crank the number of rounds of Miller-Rabin from 50 to 64
for DSA key generation.

From Kurt Roeckx, OpenSSL 74ee3796

ok bcook inoguchi jsing

2 years agoClean up DH_check_pub_key() and ensure that y^q (mod p) == 1.
tb [Mon, 29 Nov 2021 20:02:14 +0000 (20:02 +0000)]
Clean up DH_check_pub_key() and ensure that y^q (mod p) == 1.

This aligns our behavior with OpenSSL 1.1.1 which includes a mitigation
for small subgroup attacks. This did not affect LibreSSL since we do
not support X9.42 style parameter files or RFC 5114.

The meat of this commit is from Matt Caswell, OpenSSL b128abc3

ok inoguchi jsing

2 years agoIncrease number of iterations in Miller-Rabin checks for DH.
tb [Mon, 29 Nov 2021 19:54:07 +0000 (19:54 +0000)]
Increase number of iterations in Miller-Rabin checks for DH.

BN_prime_checks is only to be used for random input. Here, the
input isn't random, so increase the number of checks. According
to https://eprint.iacr.org/2019/032, 64 rounds is suitable.

From Jake Massimo, OpenSSL 1.1.1, af6ce3b4

ok inoguchi jsing

2 years agoSynchronize DH_check() mostly with OpenSSL 1.1.1 with some
tb [Mon, 29 Nov 2021 19:47:47 +0000 (19:47 +0000)]
Synchronize DH_check() mostly with OpenSSL 1.1.1 with some
simplifications and readability tweaks.  This ensures in
particular that dh->q is suitable if present.

Based on work by Stephen Henson and Bernd Edlinger in OpenSSL.

Issues with the current implementation found via regression
tests in py-cryptography.

ok inoguchi jsing

2 years agoProvide a version of DH_check_params() for internal use.
tb [Mon, 29 Nov 2021 19:41:02 +0000 (19:41 +0000)]
Provide a version of DH_check_params() for internal use.

Based on the version in OpenSSL 1.1.1l with minor tweaks.

ok inoguchi jsing

2 years agoProvide a number of flags for DH_check and DH_check_pubkey
tb [Mon, 29 Nov 2021 19:34:51 +0000 (19:34 +0000)]
Provide a number of flags for DH_check and DH_check_pubkey
that will be used in subsequent commits.

ok inoguchi jsing

2 years agoThe network stack currently uses IPL_SOFTNET. Consistently initialize
bluhm [Mon, 29 Nov 2021 19:19:00 +0000 (19:19 +0000)]
The network stack currently uses IPL_SOFTNET.  Consistently initialize
the TDB sadb mutex with that.  The old IPL_NET was chosen by accident.
OK mpi@

2 years agotcpdump: convert print-ipsec to a EVP_CIPHER_CTX on the heap.
tb [Mon, 29 Nov 2021 18:50:16 +0000 (18:50 +0000)]
tcpdump: convert print-ipsec to a EVP_CIPHER_CTX on the heap.

Fix and add some error checking while there.

ok deraadt

2 years agoFirst pass of converting ssl_kex.c to opaque DH.
tb [Mon, 29 Nov 2021 18:48:22 +0000 (18:48 +0000)]
First pass of converting ssl_kex.c to opaque DH.

Assign the result of BN_dup() and BN_bn2bin() to local BIGNUMs, then
set the factors and pubkey on the dh using DH_set0_{pqg,key}().

A second pass will be done during the upcoming bump.

ok jsing

2 years agoHide BIO_s_file_internal() from internal view.
tb [Mon, 29 Nov 2021 18:37:34 +0000 (18:37 +0000)]
Hide BIO_s_file_internal() from internal view.

ok jsing

2 years agoStop using BIO_s_file_inernal() in libssl.
tb [Mon, 29 Nov 2021 18:36:27 +0000 (18:36 +0000)]
Stop using BIO_s_file_inernal() in libssl.

BIO_s_file_internal() should never have leaked out of libcrypto,
but it did. As a first step of getting rid of it, stop using it
internally.

ok jsing

2 years agoregen
mvs [Mon, 29 Nov 2021 16:31:43 +0000 (16:31 +0000)]
regen

2 years agoUnlock accept(2) and accept4(2) syscalls. Unlock them both because they
mvs [Mon, 29 Nov 2021 16:30:30 +0000 (16:30 +0000)]
Unlock accept(2) and accept4(2) syscalls. Unlock them both because they
follow the same code path.

ok bluhm@

2 years agoRegister-time event should make poll/select non-blocking.
visa [Mon, 29 Nov 2021 16:11:46 +0000 (16:11 +0000)]
Register-time event should make poll/select non-blocking.

2 years agoConvert server serialisation of DHE parameters/public key to new functions.
jsing [Mon, 29 Nov 2021 16:03:56 +0000 (16:03 +0000)]
Convert server serialisation of DHE parameters/public key to new functions.

ok inoguchi@ tb@

2 years agoFactor out/rewrite DHE key exchange.
jsing [Mon, 29 Nov 2021 16:00:32 +0000 (16:00 +0000)]
Factor out/rewrite DHE key exchange.

This follows what was done previously for ECDHE EC point key exchange and
will allow for deduplication and further code improvement.

Convert the TLSv1.2 client to use the new DHE key exchange functions.

ok inoguchi@ tb@

2 years agoAvoid including sys/param.h. Make a local copy of MINIMUM() in test_helper.h
tobhe [Mon, 29 Nov 2021 15:56:33 +0000 (15:56 +0000)]
Avoid including sys/param.h. Make a local copy of MINIMUM() in test_helper.h
instead, like we did elsewhere.

ok bluhm@

2 years agovmm(4): bump remote vmclear spinout ticks
dv [Mon, 29 Nov 2021 15:55:36 +0000 (15:55 +0000)]
vmm(4): bump remote vmclear spinout ticks

Older/slower hosts could easily hit the cap under load. Set it to
the same value we use in mplock_debug.

ok mlarkin@

2 years agokqueue: Revise badfd knote handling
visa [Mon, 29 Nov 2021 15:54:04 +0000 (15:54 +0000)]
kqueue: Revise badfd knote handling

When closing a file descriptor and converting the poll/select knotes
into badfd knotes, keep the knotes attached to the by-fd table. This
should prevent kqueue_purge() from returning before the kqueue has
become quiescent. This in turn should fix a
KASSERT(TAILQ_EMPTY(&kq->kq_head)) panic in KQRELE() that bluhm@ has
reported.

The badfd conversion is only needed when a poll/select scan is ongoing.
The system can skip the conversion if the knote is not part of the
active event set.

The code of this commit skips the conversion when the fd is closed by
the same thread that has done the fd polling. This can be improved but
should already cover typical fd usage patterns.

As badfd knotes now hold slots in the by-fd table, kqueue_register()
clears them. poll/select use kqueue_register() to set up a new scan;
any found fd close notification is a leftover from the previous scan.

The new badfd handling should be free of accidental knote accumulation.
This obsoletes kqpoll_dequeue() and lowers kqpoll_init() overhead.

Re-enable lazy removal of poll/select knotes because the panic should
no longer happen.

OK mpi@

2 years agoUsing a void pointer for temporary allocated TDB in pfkeyv2 does
bluhm [Mon, 29 Nov 2021 15:39:59 +0000 (15:39 +0000)]
Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense.  Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error.  Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@

2 years agopoints people to more current ways to find package information.
espie [Mon, 29 Nov 2021 14:06:03 +0000 (14:06 +0000)]
points people to more current ways to find package information.
with inputs from danj@ and kn@, thx guys

2 years agoadd -V to usage(), and list it before -v in both SYNOPSIS and the
jmc [Mon, 29 Nov 2021 13:20:24 +0000 (13:20 +0000)]
add -V to usage(), and list it before -v in both SYNOPSIS and the
options list;

2 years agoAdd and enable 'unconacc' test which provides multithreaded connect(2)
mvs [Mon, 29 Nov 2021 13:05:04 +0000 (13:05 +0000)]
Add and enable 'unconacc' test which provides multithreaded connect(2)
and accept(2) calls on single unix(4) socket.

ok bluhm@

2 years agoAdd command line option to show the version
tobhe [Mon, 29 Nov 2021 12:27:18 +0000 (12:27 +0000)]
Add command line option to show the version

ok patrick@

2 years agoBump response timer to three seconds, GitHub issue 2984.
nicm [Mon, 29 Nov 2021 11:05:28 +0000 (11:05 +0000)]
Bump response timer to three seconds, GitHub issue 2984.

2 years agoFix user option lookup ordering.
nicm [Mon, 29 Nov 2021 11:01:51 +0000 (11:01 +0000)]
Fix user option lookup ordering.

2 years agosys/param.h was included for MAX(), MIN() and roundup(). make local
deraadt [Mon, 29 Nov 2021 06:43:42 +0000 (06:43 +0000)]
sys/param.h was included for MAX(), MIN() and roundup().  make local
copies of MAXIMUM() and MINIMUM() like we have done in 50+ other places,
and also include a roundup()
ok jsg

2 years agothe code in this file has reason to include any sys/*.h header files,
deraadt [Mon, 29 Nov 2021 06:42:13 +0000 (06:42 +0000)]
the code in this file has reason to include any sys/*.h header files,
let alone sys/param.h, which it uses to get roundup().  make a local
copy of the macro, and call it a day.

2 years agolocal copy of roundup() means no more sys/param.h
deraadt [Mon, 29 Nov 2021 06:39:23 +0000 (06:39 +0000)]
local copy of roundup() means no more sys/param.h

2 years agomostly avoid sys/param.h with a local nitems()
deraadt [Mon, 29 Nov 2021 05:17:35 +0000 (05:17 +0000)]
mostly avoid sys/param.h with a local nitems()
ok mlarkin

2 years agoA few sys/param.h annotations lacked ALIGNBYTES
deraadt [Mon, 29 Nov 2021 03:20:37 +0000 (03:20 +0000)]
A few sys/param.h annotations lacked ALIGNBYTES

2 years agoNiels agreed to remove the advertising clause; switching these
djm [Mon, 29 Nov 2021 01:04:45 +0000 (01:04 +0000)]
Niels agreed to remove the advertising clause; switching these
to 3-term BSD license.

2 years agoStop using MAXBSIZE to eliminate sys/param.h including (which injects a
deraadt [Sun, 28 Nov 2021 19:28:41 +0000 (19:28 +0000)]
Stop using MAXBSIZE to eliminate sys/param.h including (which injects a
ton of namespace intrusion).  Create local sizes, and refactor some code
along the way.
ok millert

2 years agoremove sys/param.h includes by stopping use of NODEV, ALIGNED and ALIGN().
deraadt [Sun, 28 Nov 2021 19:26:03 +0000 (19:26 +0000)]
remove sys/param.h includes by stopping use of NODEV, ALIGNED and ALIGN().
The latter two exposed a large block allocator on top of malloc() which
doesn't really make sense in this decade (the objects are never freed, so
not quite like the famous openssl allocator)
ok millert jsg

2 years agodocument ASN1_tag2bit(3)
schwarze [Sun, 28 Nov 2021 17:40:14 +0000 (17:40 +0000)]
document ASN1_tag2bit(3)

2 years agoDocument ASN1_object_size(3).
schwarze [Sun, 28 Nov 2021 15:48:12 +0000 (15:48 +0000)]
Document ASN1_object_size(3).

While here,
* call the function arguments "content_length" rather than just
"length" to make it less likely that the reader confuses them with
the total length returned by ASN1_object_size(3);
* state that only the short form is supported for content_length <= 127;
* add the missing STANDARDS section.

2 years agomark ASN1_check_infinite_end() and ASN1_const_check_infinite_end()
schwarze [Sun, 28 Nov 2021 14:32:34 +0000 (14:32 +0000)]
mark ASN1_check_infinite_end() and ASN1_const_check_infinite_end()
as intentionally undocumented

2 years agoSpacing
mglocker [Sun, 28 Nov 2021 14:10:32 +0000 (14:10 +0000)]
Spacing

2 years agoutvfu(4) only has one frame size, either for PAL or NTSC. Therefore
mglocker [Sun, 28 Nov 2021 13:57:37 +0000 (13:57 +0000)]
utvfu(4) only has one frame size, either for PAL or NTSC.  Therefore
return EINVAL after the first frame size has been returned in the
VIDIOC_ENUM_FRAMESIZES ioctl.

ok mpi@

2 years agoMake sure the interface still exists before updating it.
florian [Sun, 28 Nov 2021 12:51:52 +0000 (12:51 +0000)]
Make sure the interface still exists before updating it.

When we get a route message, for example an address being added
(RTM_NEWADDR, but the problem exists with most of the route messages)
and the interface gets unplugged at just the right moment
if_nametoindex(3) will return NULL. We will pass NULL through
update_iface() to get_xflags() which will then crash because we
dereference the NULL pointer there.

OK kn

2 years agoMake sure if_index is set in all case statements and use it
florian [Sun, 28 Nov 2021 12:49:55 +0000 (12:49 +0000)]
Make sure if_index is set in all case statements and use it
consistently. This makes the next diff easier, also consistency is
good.
OK kn

2 years agoAlign with the recent memory allocation changes we did for the other
mglocker [Sun, 28 Nov 2021 09:25:02 +0000 (09:25 +0000)]
Align with the recent memory allocation changes we did for the other
USB HC drivers;  M_DEVBUF -> M_USBHC.

ok kettenis@

2 years agosshsig: return "key not found" when searching empty files rather than
djm [Sun, 28 Nov 2021 07:21:26 +0000 (07:21 +0000)]
sshsig: return "key not found" when searching empty files rather than
"internal error"

2 years agossh-keygen -Y match-principals doesn't accept any -O options
djm [Sun, 28 Nov 2021 07:15:10 +0000 (07:15 +0000)]
ssh-keygen -Y match-principals doesn't accept any -O options
at present, so don't say otherwise in SYNOPSIS; spotted jmc@

2 years agofix indenting in last commit
djm [Sun, 28 Nov 2021 07:14:29 +0000 (07:14 +0000)]
fix indenting in last commit

2 years agomissing initialisation for oerrno
djm [Sun, 28 Nov 2021 07:10:18 +0000 (07:10 +0000)]
missing initialisation for oerrno

2 years agoRename msg_id to msg_peerid now that we also have msg_localid.
tobhe [Sat, 27 Nov 2021 21:50:05 +0000 (21:50 +0000)]
Rename msg_id to msg_peerid now that we also have msg_localid.

ok patrick@

2 years agosync
deraadt [Sat, 27 Nov 2021 17:45:49 +0000 (17:45 +0000)]
sync

2 years agoprevious commit causes gcc to perform an unaligned access to the tcphdr
deraadt [Sat, 27 Nov 2021 16:25:40 +0000 (16:25 +0000)]
previous commit causes gcc to perform an unaligned access to the tcphdr
(at least on sparc64) since it accesses the bitfield using an "int sized"
instructions, rather than the minimally sized byte instruction.  This is
permitted by the language laywers who probably prefer we change the tcphdr
in every packet.  It is not clear how to convince gcc to avoid this behaviour,
and a week of futzing hasn't found fast path solutions yet.  In the meantime
the tree may not be broken.

2 years agonew manual page BIO_f_asn1(3)
schwarze [Sat, 27 Nov 2021 16:18:03 +0000 (16:18 +0000)]
new manual page BIO_f_asn1(3)

2 years agoRemove an unneeded variable to fix compiler warning with clang 13.
visa [Sat, 27 Nov 2021 15:13:09 +0000 (15:13 +0000)]
Remove an unneeded variable to fix compiler warning with clang 13.

OK jsg@

2 years agoMake brk() and sbrk() weak again to fix build with clang 13.
visa [Sat, 27 Nov 2021 15:12:19 +0000 (15:12 +0000)]
Make brk() and sbrk() weak again to fix build with clang 13.

OK jsg@

2 years agoAdjust wait channel name and re-enable test.
visa [Sat, 27 Nov 2021 15:07:26 +0000 (15:07 +0000)]
Adjust wait channel name and re-enable test.

2 years agoFix timeouts in poll/select regress tests
visa [Sat, 27 Nov 2021 15:06:10 +0000 (15:06 +0000)]
Fix timeouts in poll/select regress tests

Disable poll/select timeout so that the wchan wait would work as
intended. The timeout is not essential to the test flow. In addition,
the top-level alarm timer prevents the tests from getting stuck should
something go wrong.

2 years agoFix incomplete initialization bug: BIO_new(BIO_f_asn1()) neglected
schwarze [Sat, 27 Nov 2021 13:10:33 +0000 (13:10 +0000)]
Fix incomplete initialization bug: BIO_new(BIO_f_asn1()) neglected
initializing five of the fields in BIO_ASN1_BUF_CTX (prefix,
prefix_free, suffix, suffix_free, ex_arg), inviting a segfault in
a subsequent call from the application program to BIO_write(3)
because subroutines of that function assume that the function
pointers are either NULL or valid.

Fix this by using the less error-prone calloc(3) idiom.

While here, inline asn1_bio_init() at the only call site
in asn1_bio_new() to simplify the code and make it easier to read.

Bug found and initial patch by me,
this version (with inlining) by and OK tb@.

2 years agoLet iwm(4) use per-Tx-queue interface timers to ensure that the interface
stsp [Sat, 27 Nov 2021 11:22:26 +0000 (11:22 +0000)]
Let iwm(4) use per-Tx-queue interface timers to ensure that the interface
watchdog will trigger a device timeout if a particular Tx queue gets stuck
while other Tx queues keep working.

The Linux driver is using a similar workaround for "stuck queues".
I have only observed this problem on iwx(4) hardware but it won't hurt
to add this workaround to iwm(4) as well.

2 years agowhitespac e
djm [Sat, 27 Nov 2021 07:23:35 +0000 (07:23 +0000)]
whitespac e

2 years agoregression test for match-principals. Mostly by Fabian Stelzer
djm [Sat, 27 Nov 2021 07:20:58 +0000 (07:20 +0000)]
regression test for match-principals. Mostly by Fabian Stelzer

2 years agoAdd ssh-keygen -Y match-principals operation to perform matching of
djm [Sat, 27 Nov 2021 07:14:46 +0000 (07:14 +0000)]
Add ssh-keygen -Y match-principals operation to perform matching of
principals names against an allowed signers file.

Requested by and mostly written by Fabian Stelzer, towards a TOFU
model for SSH signatures in git. Some tweaks by me.

"doesn't bother me" deraadt@

2 years agofree() with nullptr is OK, but not if the size is unitialized, and the
deraadt [Sat, 27 Nov 2021 06:14:10 +0000 (06:14 +0000)]
free() with nullptr is OK, but not if the size is unitialized, and the
fail label is reachable before the sizes are known.

2 years agodrm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi...
jsg [Sat, 27 Nov 2021 04:32:32 +0000 (04:32 +0000)]
drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors

From hongao
04c586a601dc0acb8e739205db350ab660dffc4f in linux 5.10.y/5.10.82
bf552083916a7f8800477b5986940d1c9a31b953 in mainline linux

2 years agodrm/i915/dp: Ensure sink rate values are always valid
jsg [Sat, 27 Nov 2021 04:29:00 +0000 (04:29 +0000)]
drm/i915/dp: Ensure sink rate values are always valid

From Imre Deak
47901b77bf7dc801a084a0b377aee5974d9bc4ce in linux 5.10.y/5.10.82
6c34bd4532a3f39952952ddc102737595729afc4 in mainline linux

2 years agodrm/amd/display: Update swizzle mode enums
jsg [Sat, 27 Nov 2021 04:26:18 +0000 (04:26 +0000)]
drm/amd/display: Update swizzle mode enums

From Alvin Lee
3d68d6ee83144044f610d67304cc194c2af7d0c5 in linux 5.10.y/5.10.82
58065a1e524de30df9a2d8214661d5d7eed0a2d9 in mainline linux

2 years agostop building kernels with -Wno-uninitialized on clang archs
jsg [Sat, 27 Nov 2021 00:49:21 +0000 (00:49 +0000)]
stop building kernels with -Wno-uninitialized on clang archs
this hides real problems that could be found at build time

ok kettenis@ visa@, ok sashan@ on amd64/i386

2 years agoPut a mutex assert locked into puttdb_locked().
bluhm [Fri, 26 Nov 2021 19:24:41 +0000 (19:24 +0000)]
Put a mutex assert locked into puttdb_locked().
OK tobhe@

2 years agomake the bn/mont test compile with opaque DH.
tb [Fri, 26 Nov 2021 16:52:07 +0000 (16:52 +0000)]
make the bn/mont test compile with opaque DH.

2 years agoStop reaching into EVP_PKEY in the rest of libssl.
tb [Fri, 26 Nov 2021 16:41:42 +0000 (16:41 +0000)]
Stop reaching into EVP_PKEY in the rest of libssl.

ok inoguchi jsing

2 years agoSimplify two weirdly formatted pieces of code in ssl_rsa.c and stop
tb [Fri, 26 Nov 2021 16:40:02 +0000 (16:40 +0000)]
Simplify two weirdly formatted pieces of code in ssl_rsa.c and stop
reaching into the EVP_PKEY struct.

ok inoguchi jsing

2 years agoopenssl(1): drop support for netscape certificates and server gated keys.
tb [Fri, 26 Nov 2021 16:23:27 +0000 (16:23 +0000)]
openssl(1): drop support for netscape certificates and server gated keys.

ok inoguchi jsing

2 years agoA peer sends both his local id and remote id he expects us to be. So far we
patrick [Fri, 26 Nov 2021 16:22:44 +0000 (16:22 +0000)]
A peer sends both his local id and remote id he expects us to be.  So far we
have only looked at the peer's local id, so that we can find a policy with the
matching dstid set.  Hence dstid is involved in the decision making.  While we
do send out our local id, which the peer will use to verify his policies, we
do not yet make a decision based on the id the peer expects us to have.  If you
have two policies configured with only srcid set, we will always pick the same.
To be able to choose a policy that matches the peer's expectations, save the
local id the peer expects us to have and use it during policy lookup.

ok tobhe@

2 years agoReplace TDBF_DELETED flag with check if tdb was already unlinked.
tobhe [Fri, 26 Nov 2021 16:16:35 +0000 (16:16 +0000)]
Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@

2 years agoThe IORT table usually only contains single mappings. While on the LX2K there
patrick [Fri, 26 Nov 2021 15:21:26 +0000 (15:21 +0000)]
The IORT table usually only contains single mappings.  While on the LX2K there
is a non-single mapping for the networking subsystem, we don't yet have support
for it and apparently Linux has trouble with it as well.  So for now we can
remove the code, because it uses an uninitialized variable and there's no easy
way to fix it without re-thinking the concept.  The code got there in the first
place because it's a copy of the same pattern in our other IOMMU code.

ok jsg@

2 years agoavoid clang -Wsometimes-uninitialized warning when DDB is not defined
jsg [Fri, 26 Nov 2021 14:59:42 +0000 (14:59 +0000)]
avoid clang -Wsometimes-uninitialized warning when DDB is not defined
ok kettenis@ visa@

2 years agoavoid clang -Wsometimes-uninitialized warning when MULTIPROCESSOR is not
jsg [Fri, 26 Nov 2021 14:45:13 +0000 (14:45 +0000)]
avoid clang -Wsometimes-uninitialized warning when MULTIPROCESSOR is not
defined
feedback from millert@, ok kettenis@, mips64 diff from and ok visa@

2 years agoFix ikev2_child_sa_rekey() warnings. The SPI can't be printed without a
tobhe [Fri, 26 Nov 2021 14:05:01 +0000 (14:05 +0000)]
Fix ikev2_child_sa_rekey() warnings.  The SPI can't be printed without a
parent SA.

2 years agospelling
jsg [Fri, 26 Nov 2021 13:48:21 +0000 (13:48 +0000)]
spelling
ok schwarze@

2 years agoafter the bugfix in x509_vfy.c rev. 1.100,
schwarze [Fri, 26 Nov 2021 13:35:10 +0000 (13:35 +0000)]
after the bugfix in x509_vfy.c rev. 1.100,
replace the BUGS section with a shorter CAVEATS section

2 years agoBugfix in X509_get_pubkey_parameters(3):
schwarze [Fri, 26 Nov 2021 13:17:09 +0000 (13:17 +0000)]
Bugfix in X509_get_pubkey_parameters(3):

If EVP_PKEY_copy_parameters(3) fails - among other reasons, this
may happen when out of memory - the pkey argument and/or the chain
argument will not contain all the desired parameters after returning.
Consequently, report the failure to the caller rather than silently
ignoring it.

OK tb@

2 years agoSimplify the code in X509_get_pubkey_parameters(3)
schwarze [Fri, 26 Nov 2021 13:05:03 +0000 (13:05 +0000)]
Simplify the code in X509_get_pubkey_parameters(3)
by using X509_get0_pubkey(3) instead of X509_get_pubkey(3);
no functional change.

OK tb@

This is similar to the relevant part of the follwoing commit
from the OpenSSL 1.1.1 branch, which is still under a free licence,
but without the bug that commit introduced into this function in OpenSSL:

commit c01ff880d47392b82cce2f93ac4a9bb8c68f8cc7
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Mon Dec 14 13:13:32 2015 +0000

2 years agouse the keywords instead of vague english so that it's indexed better by
espie [Fri, 26 Nov 2021 12:14:33 +0000 (12:14 +0000)]
use the keywords instead of vague english so that it's indexed better by
mandocdb

2 years agodocument annotation interactions with pkg_mklocatedb
espie [Fri, 26 Nov 2021 12:08:35 +0000 (12:08 +0000)]
document annotation interactions with pkg_mklocatedb

2 years agoAdd interfaces to enable all power domains for a node.
kettenis [Fri, 26 Nov 2021 11:44:01 +0000 (11:44 +0000)]
Add interfaces to enable all power domains for a node.

ok patrick@, visa@

2 years agoMark exit1() and sigexit() as non-returning
visa [Fri, 26 Nov 2021 04:42:13 +0000 (04:42 +0000)]
Mark exit1() and sigexit() as non-returning

The late 1990s reasons for avoiding __dead with exit1() should not apply
with the current compilers.

This fixes compiler warnings about uninitialized variables in trap.c
on mips64.

Discussed with guenther@ and miod@

2 years agofollowng -> following
jsg [Fri, 26 Nov 2021 03:42:33 +0000 (03:42 +0000)]
followng -> following

2 years agodefiniton -> definition
jsg [Fri, 26 Nov 2021 03:41:39 +0000 (03:41 +0000)]
definiton -> definition

2 years agoTransmiter -> Transmitter
jsg [Fri, 26 Nov 2021 03:37:39 +0000 (03:37 +0000)]
Transmiter -> Transmitter

2 years agoaddresss -> address
jsg [Fri, 26 Nov 2021 03:34:14 +0000 (03:34 +0000)]
addresss -> address

2 years agoremaing -> remaining
jsg [Fri, 26 Nov 2021 03:31:38 +0000 (03:31 +0000)]
remaing -> remaining