openbsd
6 months agoMake arc4random() depend on less subsystems by decoupling extract_entropy()
claudio [Fri, 14 Jun 2024 10:17:05 +0000 (10:17 +0000)]
Make arc4random() depend on less subsystems by decoupling extract_entropy()
from the enqueue_randomness() logic.

Add add_event_data() which just enqueues some data into the event buffer
which can be used by extract_entropy(). On top of this remove the
timeout_del() call in dequeue_randomness() it does serve any meaningful
reason.
OK kettenis@ deraadt@ mpi@

6 months agoSwitch AF_ROUTE sockets to the new locking scheme.
mvs [Fri, 14 Jun 2024 08:32:22 +0000 (08:32 +0000)]
Switch AF_ROUTE sockets to the new locking scheme.

At sockets layer only mark buffers as SB_MTXLOCK. At PCB layer only
protect `so_rcv' with corresponding `sb_mtx' mutex(9).

SS_ISCONNECTED and SS_CANTRCVMORE bits are redundant for AF_ROUTE
sockets. Since SS_CANTRCVMORE modifications performed with both solock()
and `sb_mtx' held, the 'unlocked' SS_CANTRCVMORE check in
rtm_senddesync() is safe.

ok bluhm

6 months agosync to unbound 1.20.0
florian [Fri, 14 Jun 2024 07:45:44 +0000 (07:45 +0000)]
sync to unbound 1.20.0

heavy lifting by sthen

6 months agodrm/i915/xelpg: Add Wa_14020495402
jsg [Fri, 14 Jun 2024 06:08:11 +0000 (06:08 +0000)]
drm/i915/xelpg: Add Wa_14020495402

From Radhakrishna Sripada
b4985cce8136d1cd91fafac1ec9a6d90b774fd01 in mainline linux

6 months agodrm/i915: Add Wa_14015150844
jsg [Fri, 14 Jun 2024 05:54:23 +0000 (05:54 +0000)]
drm/i915: Add Wa_14015150844

From Shekhar Chauhan
4632e3209f4b4349ebe67597897045b1a8af9daa in mainline linux

6 months agodrm/i915/xelpg: Add workaround 14019877138
jsg [Fri, 14 Jun 2024 05:31:20 +0000 (05:31 +0000)]
drm/i915/xelpg: Add workaround 14019877138

From Tejas Upadhyay
c5b32a41946139b9f4f7a087fda2355a90f671cb in mainline linux

6 months agodrm/i915: Add Wa_14019877138
jsg [Fri, 14 Jun 2024 05:28:34 +0000 (05:28 +0000)]
drm/i915: Add Wa_14019877138

From Haridhar Kalvala
97bb5e691189d342fc617dc0f1ab3e51a3676602 in mainline linux

6 months agosort -q in the options list;
jmc [Fri, 14 Jun 2024 05:20:34 +0000 (05:20 +0000)]
sort -q in the options list;

6 months agoclarify KEXAlgorithms supported vs available. Inspired by bz3701
djm [Fri, 14 Jun 2024 05:01:22 +0000 (05:01 +0000)]
clarify KEXAlgorithms supported vs available. Inspired by bz3701
from Colin Watson.

6 months agossh-keyscan -q man bits
djm [Fri, 14 Jun 2024 05:00:42 +0000 (05:00 +0000)]
ssh-keyscan -q man bits

6 months agosplit the PerSourcePenalties test in two: one tests penalty enforcement
djm [Fri, 14 Jun 2024 04:43:11 +0000 (04:43 +0000)]
split the PerSourcePenalties test in two: one tests penalty enforcement
but not penalty expiry, the other tests penalty expiry.

This lets us disable the expiry testing in certain CI test environments.

6 months agodrm/i915/mtl: Add Wa_14019821291
jsg [Fri, 14 Jun 2024 04:04:14 +0000 (04:04 +0000)]
drm/i915/mtl: Add Wa_14019821291

From Dnyaneshwar Bhadane
43dea469e99b10ecc967a3576e50a5d416daf13c in mainline linux

6 months agounstub probe_gmdid_display()
jsg [Fri, 14 Jun 2024 01:30:45 +0000 (01:30 +0000)]
unstub probe_gmdid_display()

There is a temporary mapping of the first pci bar as this occurs before
the runtime info is setup and a generation specific bar is mapped based
on that.

6 months agounstub ip_ver_read()
jsg [Fri, 14 Jun 2024 01:14:18 +0000 (01:14 +0000)]
unstub ip_ver_read()

6 months agodon't redirect stderr for ssh-keyscan we expect to succeed
djm [Fri, 14 Jun 2024 00:26:12 +0000 (00:26 +0000)]
don't redirect stderr for ssh-keyscan we expect to succeed

6 months agomake host/banner comments go to stderr instead of stdout, so they
djm [Fri, 14 Jun 2024 00:25:25 +0000 (00:25 +0000)]
make host/banner comments go to stderr instead of stdout, so they
are useful as comments without extra shell redirection and so they
don't clutter actual errors on stderr.

Add a -q flag to shut them up.

ok dtucker@

6 months agospecify an algorithm for ssh-keyscan, otherwise it will make
djm [Fri, 14 Jun 2024 00:23:55 +0000 (00:23 +0000)]
specify an algorithm for ssh-keyscan, otherwise it will make
multiple attempts simultaneously and confuse the test

6 months agoImplement acpi_target_system_state().
kettenis [Thu, 13 Jun 2024 18:05:54 +0000 (18:05 +0000)]
Implement acpi_target_system_state().

ok jsg@

6 months agoAvoid ccp error message if SEV-ES is missing.
bluhm [Thu, 13 Jun 2024 17:59:08 +0000 (17:59 +0000)]
Avoid ccp error message if SEV-ES is missing.

PSP is optional to ccp(4).  Thus if PSP attachment fails (e.g.
interrupt can not be set up), do not unmap IO space.  It will still
be needed by ccp(4).  Nonetheless, disestablish interrupt handler
if PSP attachment fails.

Another tweak:  If PSP can not be initialized, there's no need to
actually flush caches (wbinvd) on all CPUs.

Cleanup dmesg output and make it more precise.

from hshoexer@; reported and tested by Hrvoje Popovski

6 months agoseparate keywords with comma
naddy [Thu, 13 Jun 2024 15:06:33 +0000 (15:06 +0000)]
separate keywords with comma

6 months agomerge unbound 1.20.0
sthen [Thu, 13 Jun 2024 14:30:28 +0000 (14:30 +0000)]
merge unbound 1.20.0

6 months agoimport unbound 1.20.0, ok florian
sthen [Thu, 13 Jun 2024 14:29:32 +0000 (14:29 +0000)]
import unbound 1.20.0, ok florian

6 months agosync uncore mmio sizes with intel_uncore_setup_mmio()
jsg [Thu, 13 Jun 2024 09:01:13 +0000 (09:01 +0000)]
sync uncore mmio sizes with intel_uncore_setup_mmio()

6 months agoEnable uvm percpu caches on sparc64.
claudio [Thu, 13 Jun 2024 06:47:13 +0000 (06:47 +0000)]
Enable uvm percpu caches on sparc64.
OK kettenis@ jca@ mpi@

6 months agoWrong variable used in indexing meant that when a CPU's cache setup
guenther [Thu, 13 Jun 2024 02:19:20 +0000 (02:19 +0000)]
Wrong variable used in indexing meant that when a CPU's cache setup
differed on the second or later cache, the generated dmesg didn't
report the earlier, identical cache levels correctly.

report, testing, and ok jsg@

6 months agosplit PerSourcePenalties address tracking. Previously it used one
djm [Wed, 12 Jun 2024 22:36:00 +0000 (22:36 +0000)]
split PerSourcePenalties address tracking. Previously it used one
shared table and overflow policy for IPv4 and IPv6 addresses, now
it will use separate tables and optionally different overflow
policies.

This prevents misbehaviour from IPv6 addresses (which are vastly easier
to obtain many of) from affecting IPv4 connections and may allow for
stricter overflow policies.

ok deraadt@

6 months agoAdd support for the AMD Platform Security Processor (PSP) to ccp(4).
bluhm [Wed, 12 Jun 2024 12:54:54 +0000 (12:54 +0000)]
Add support for the AMD Platform Security Processor (PSP) to ccp(4).

Several commands for basic platform initialization and launch of
SEV/SEV-ES enabled guests are implemented.  These can be used by
e.g. vmd(8) later.

from hshoexer@; OK mlarkin@

6 months agorpki-client: avoid hard error when hitting the maximum cert id
tb [Wed, 12 Jun 2024 10:03:09 +0000 (10:03 +0000)]
rpki-client: avoid hard error when hitting the maximum cert id

Instead, continue processing what we can but avoid lots of warning noise.
Error out at the end of the parser process to avoid loading a bad config
into bgpd. This isn't great as it is and can be refined in tree.

ok claudio

6 months agoUpdate
kettenis [Wed, 12 Jun 2024 09:08:43 +0000 (09:08 +0000)]
Update

6 months agoAdd RK3588 support.
kettenis [Wed, 12 Jun 2024 09:06:15 +0000 (09:06 +0000)]
Add RK3588 support.

ok mlarkin@, kurt@

6 months agorpki-client: mention same-origin policy draft in STANDARDS
tb [Wed, 12 Jun 2024 04:24:59 +0000 (04:24 +0000)]
rpki-client: mention same-origin policy draft in STANDARDS

ok job

6 months agorpki-client: bump version
tb [Wed, 12 Jun 2024 04:11:19 +0000 (04:11 +0000)]
rpki-client: bump version

It's been a few months with lots of changes. We should release soon-ish.

discussed with job

6 months agorpki-client: use better variable names for issuer and subject UID
tb [Wed, 12 Jun 2024 04:01:20 +0000 (04:01 +0000)]
rpki-client: use better variable names for issuer and subject UID

piuid and psuid annoy me every time I see them.

no functional change

6 months agopiuid, psuid -> issuerUID, subjectUID
tb [Wed, 12 Jun 2024 03:55:46 +0000 (03:55 +0000)]
piuid, psuid -> issuerUID, subjectUID

6 months agoremove BMAJ and CMAJ defines only used by arm64; ok deraadt@
jsg [Wed, 12 Jun 2024 02:50:25 +0000 (02:50 +0000)]
remove BMAJ and CMAJ defines only used by arm64; ok deraadt@

6 months agoreentrant functions were not in 386BSD
jsg [Tue, 11 Jun 2024 23:35:27 +0000 (23:35 +0000)]
reentrant functions were not in 386BSD
spotted by and ok deraadt@

6 months agoAvoid powering down PCI devices if we're rebooting. This makes some
kettenis [Tue, 11 Jun 2024 17:35:26 +0000 (17:35 +0000)]
Avoid powering down PCI devices if we're rebooting.  This makes some
machines (e.g. the t410) unhappy.

ok mglocker@

6 months agosync includes in tls_signer.c
op [Tue, 11 Jun 2024 16:35:24 +0000 (16:35 +0000)]
sync includes in tls_signer.c

pthread -> mutex
stdint -> uint8_t
stdio.h -> asprintf
stdlib.h -> calloc
string.h -> memcpy

ecdsa -> ECDSA_METHOD leftover, remove
ec -> EC_KEY
evp -> EVP_PKEY
pem -> PEM_read_bio_X509
x509 -> X509

90% of the diff is from tb@, I only spotted the missing string.h :)

ok tb@

6 months agosmtpd: fix indent
tb [Tue, 11 Jun 2024 16:30:06 +0000 (16:30 +0000)]
smtpd: fix indent

ok op

6 months agoEnable UVM percpu cache on riscv64
jca [Tue, 11 Jun 2024 16:02:35 +0000 (16:02 +0000)]
Enable UVM percpu cache on riscv64

Proved stable in multiple ports bulk builds.  ok kettenis@ phessler@

6 months agoClamp CPU clock frequencies to [min, max] range when determining the
kettenis [Tue, 11 Jun 2024 15:44:55 +0000 (15:44 +0000)]
Clamp CPU clock frequencies to [min, max] range when determining the
initial perflevel.

ok deraadt@, phessler@, patrick@, jca@

6 months agorpki-client: add link to rpki-rs PR that supposedly fixes this bug
tb [Tue, 11 Jun 2024 15:33:46 +0000 (15:33 +0000)]
rpki-client: add link to rpki-rs PR that supposedly fixes this bug

https://github.com/NLnetLabs/rpki-rs/pull/295

6 months agorpki-client: grammar tweak in comment
tb [Tue, 11 Jun 2024 13:09:02 +0000 (13:09 +0000)]
rpki-client: grammar tweak in comment

6 months agorpki-client: turn assert() into a NULL check
tb [Tue, 11 Jun 2024 12:44:00 +0000 (12:44 +0000)]
rpki-client: turn assert() into a NULL check

ok claudio

6 months agorpki-client: fix incorrect use of ASN1_tag2str()
tb [Tue, 11 Jun 2024 10:38:40 +0000 (10:38 +0000)]
rpki-client: fix incorrect use of ASN1_tag2str()

This goes back to the initial import in mft.c and was then copied to rsc.c.
ASN1_tag2str() doesn't take a nid but rather an ASN.1 tag. Use nid2str()
instead.

ok claudio (who helped me use nid2str() correctly)

6 months agoMake sure qwx(4) always calls refcnt_init() before other refcnt functions.
stsp [Tue, 11 Jun 2024 10:06:35 +0000 (10:06 +0000)]
Make sure qwx(4) always calls refcnt_init() before other refcnt functions.

I recently enabled automatic recovery from firmware crashes. if loading
firmware at boot would fail with a firmware error then the init task would
call refcnt_finalize() via qwx_stop() before refcnt_init() was called and
trigger a KASSERT in the refcnt code.

ok patrick@, who also reported the problem to me and tested the fix

6 months agoremove prototypes and defines for drivers landisk doesn't use
jsg [Tue, 11 Jun 2024 09:55:38 +0000 (09:55 +0000)]
remove prototypes and defines for drivers landisk doesn't use
build test and ok miod@

6 months agoremove drm prototypes duplicating those in sys/conf.h
jsg [Tue, 11 Jun 2024 09:21:32 +0000 (09:21 +0000)]
remove drm prototypes duplicating those in sys/conf.h

6 months agoAdd RK3588 TSADC clocks and resets.
kettenis [Tue, 11 Jun 2024 09:15:33 +0000 (09:15 +0000)]
Add RK3588 TSADC clocks and resets.

ok patrick@, dlg@

6 months agoI've written/touched/contributed to most of crl.c
tb [Tue, 11 Jun 2024 07:30:47 +0000 (07:30 +0000)]
I've written/touched/contributed to most of crl.c

6 months agorpki-client: simplify signature type checking for certs/CRLs
tb [Tue, 11 Jun 2024 07:27:14 +0000 (07:27 +0000)]
rpki-client: simplify signature type checking for certs/CRLs

The OpenSSL 1.1 get_signature_nid() API is available for all libraries
that we support and it does exactly what we want. It is much simpler
than the unergonomic accessors we used previously. The ASN.1 templates
ensure that the relevant struct members aren't NULL after successful
deserialization, so the calls are safe.

ok claudio

6 months agoremove kbd/ms prototypes with no matching functions
jsg [Tue, 11 Jun 2024 06:11:50 +0000 (06:11 +0000)]
remove kbd/ms prototypes with no matching functions

6 months agodo not mark up "(default: 20ms)";
jmc [Tue, 11 Jun 2024 05:24:39 +0000 (05:24 +0000)]
do not mark up "(default: 20ms)";

6 months agoremove prototypes for pre-wscons mouse drivers
jsg [Tue, 11 Jun 2024 03:28:42 +0000 (03:28 +0000)]
remove prototypes for pre-wscons mouse drivers

6 months agoreap preauth net child if it hangs up during privsep message send, not
djm [Tue, 11 Jun 2024 02:54:51 +0000 (02:54 +0000)]
reap preauth net child if it hangs up during privsep message send, not
just message receive

6 months agoreap the pre-auth [net] child if it hangs up during privsep message
djm [Tue, 11 Jun 2024 02:00:30 +0000 (02:00 +0000)]
reap the pre-auth [net] child if it hangs up during privsep message
sending, not just receiving

6 months agofix PIDFILE handling, broken for SUDO=doas in last commit here
djm [Tue, 11 Jun 2024 01:58:27 +0000 (01:58 +0000)]
fix PIDFILE handling, broken for SUDO=doas in last commit here

6 months agoremove cdev_decl(ses), none of the prototypes have matching functions
jsg [Tue, 11 Jun 2024 01:49:17 +0000 (01:49 +0000)]
remove cdev_decl(ses), none of the prototypes have matching functions

6 months agoa little more RB_TREE paranoia
djm [Tue, 11 Jun 2024 01:23:25 +0000 (01:23 +0000)]
a little more RB_TREE paranoia

6 months agofix off-by-one comparison for PerSourcePenalty overflow:deny-all mode
djm [Tue, 11 Jun 2024 01:22:25 +0000 (01:22 +0000)]
fix off-by-one comparison for PerSourcePenalty overflow:deny-all mode

6 months agomove tree init before possible early return
djm [Tue, 11 Jun 2024 01:21:41 +0000 (01:21 +0000)]
move tree init before possible early return

6 months agoupdate to mention that PerSourcePenalties default to being enabled
djm [Tue, 11 Jun 2024 01:07:35 +0000 (01:07 +0000)]
update to mention that PerSourcePenalties default to being enabled
and document the default values for each parameter.

6 months agoreap the [net] child if it hangs up while writing privsep message
djm [Tue, 11 Jun 2024 00:44:52 +0000 (00:44 +0000)]
reap the [net] child if it hangs up while writing privsep message
payloads, not just the message header

6 months agolog waitpid() status for abnormal exits
djm [Tue, 11 Jun 2024 00:40:21 +0000 (00:40 +0000)]
log waitpid() status for abnormal exits

6 months agocorrect error message
djm [Tue, 11 Jun 2024 00:36:20 +0000 (00:36 +0000)]
correct error message

6 months agoUse TCP Large Receive Offload in vio(4).
jan [Mon, 10 Jun 2024 19:26:17 +0000 (19:26 +0000)]
Use TCP Large Receive Offload in vio(4).

Also introduce the guest offload feature to turn LRO off/on.

Tested by Mark Patruck, sf@ and bluhm@

ok sf@ and bluhm@

6 months agoClarify panic strings in vio(4)
jan [Mon, 10 Jun 2024 18:21:59 +0000 (18:21 +0000)]
Clarify panic strings in vio(4)

suggested by bluhm
ok bluhm

6 months agoIn get_alternate_addr() consider sessions to IPv6 link-local addresses
claudio [Mon, 10 Jun 2024 12:51:25 +0000 (12:51 +0000)]
In get_alternate_addr() consider sessions to IPv6 link-local addresses
as connected (they are so by definition).

Issue reported by Jason Tubnor ( Jason.Tubnor (at) lchs.com.au )
OK tb@

6 months agorpki-client: allow multiple EKU OIDs for BGPsec certs
tb [Mon, 10 Jun 2024 12:44:06 +0000 (12:44 +0000)]
rpki-client: allow multiple EKU OIDs for BGPsec certs

Nothing says there may be only one purpose. We only need to find
id-kp-bgpsec-router among them. This matches the intention of the
extended key usage extension in RFCs 5280 and 8209 more closely.

ok claudio

6 months agorpki-client: zap outdated comment.
tb [Mon, 10 Jun 2024 11:49:29 +0000 (11:49 +0000)]
rpki-client: zap outdated comment.

The valid_x509() in proc_parser_gbr() was initially left unchecked but
has been checked since r1.79.

6 months agorpki-client: fix and move more KU/EKU to x509_get_purpose()
tb [Mon, 10 Jun 2024 10:50:13 +0000 (10:50 +0000)]
rpki-client: fix and move more KU/EKU to x509_get_purpose()

Now all key usage and extended key usage handling is at the same place.
This fixes a bug for BGPsec Router certs where key usage was ignored.
Another omission that is fixed here is that criticality of the key usage
extension was not checked. Drop a comment about possible use of EKU that
was in the TA/CA code path but would only apply to EE certs.

ok claudio

6 months agoremove decls for removed gpr(4) and urio(4)
jsg [Mon, 10 Jun 2024 04:59:15 +0000 (04:59 +0000)]
remove decls for removed gpr(4) and urio(4)

6 months agoRemove struct mymsg. An example from SVID, not intended for a header.
jsg [Mon, 10 Jun 2024 04:10:25 +0000 (04:10 +0000)]
Remove struct mymsg.  An example from SVID, not intended for a header.
ok millert@ miod@ jca@

6 months agoAdd a compiler barrier where missing in CPU_BUSY_CYCLE() implems
jca [Sun, 9 Jun 2024 21:15:29 +0000 (21:15 +0000)]
Add a compiler barrier where missing in CPU_BUSY_CYCLE() implems

Having differences between architectures is asking for problems. And
adding a barrier here just makes sense in most cases. This is also what
cpu_relax() provides in Linux land.

ok kettenis@ claudio@

6 months agoSilently ignore setuid changes in relinked binaries
afresh1 [Sun, 9 Jun 2024 18:31:17 +0000 (18:31 +0000)]
Silently ignore setuid changes in relinked binaries

If these files are being relinked at reboot, this causes false positives
and alert fatigue.

Prompted by florian@
Feedback from millert@ and deraadt@

6 months agoinclude BUILDINFO file in the iso/img files; requested by florian for sysupgrade...
deraadt [Sun, 9 Jun 2024 17:24:19 +0000 (17:24 +0000)]
include BUILDINFO file in the iso/img files; requested by florian for sysupgrade changes

6 months agoIntroduce IFCAP_VLAN_HWOFFLOAD for vio(4).
jan [Sun, 9 Jun 2024 16:25:27 +0000 (16:25 +0000)]
Introduce IFCAP_VLAN_HWOFFLOAD for vio(4).

Add IFCAP_VLAN_HWOFFLOAD to signal hardware like vio(4) can handle
checksum or TSO offloading with inline VLAN tags.

tested by Mark Patruck, sf@ and bluhm@

ok sf@ and bluhm@

6 months agointroduce a new K_AUTH service to allow offloading the credentials to a
gilles [Sun, 9 Jun 2024 10:13:05 +0000 (10:13 +0000)]
introduce a new K_AUTH service to allow offloading the credentials to a
table for non-crypt(3) authentication. tables configured with auth that
support K_AUTH are asked to check if a user and passwd are valid rather
than asked to provide the password for a user so smtpd does crypt(3) on
its side. helps with cases like ldap or custom auth.

ok op@

6 months agoremove prototypes with no matching function
jsg [Sun, 9 Jun 2024 05:18:12 +0000 (05:18 +0000)]
remove prototypes with no matching function

6 months agoremove prototypes for functions removed in rev 1.34
jsg [Sun, 9 Jun 2024 03:21:54 +0000 (03:21 +0000)]
remove prototypes for functions removed in rev 1.34

6 months agoremove unused prototypes and pin number defines
jsg [Sun, 9 Jun 2024 03:12:59 +0000 (03:12 +0000)]
remove unused prototypes and pin number defines

6 months agoPerl 5.38 permanently stops reading a file after it has seen EOF.
bluhm [Sat, 8 Jun 2024 22:50:40 +0000 (22:50 +0000)]
Perl 5.38 permanently stops reading a file after it has seen EOF.
Call clearerr() to continously receive log file from remote machine
while grepping for test patterns.

6 months agoFix typo in last commits comment.
mglocker [Sat, 8 Jun 2024 16:05:23 +0000 (16:05 +0000)]
Fix typo in last commits comment.

6 months agoImprove the check for is_ta in filemode
tb [Sat, 8 Jun 2024 13:34:59 +0000 (13:34 +0000)]
Improve the check for is_ta in filemode

Instead of checking for EXFLAG_SS use the more accurate information
we already gathered.

ok job

6 months agoTigthen cert_parse_ee_cert() and ta_parse()
tb [Sat, 8 Jun 2024 13:33:49 +0000 (13:33 +0000)]
Tigthen cert_parse_ee_cert() and ta_parse()

Require that a cert fed to cert_parse_ee_cert() have an EE cert purpose.
Instead of throwing a warning for BGPsec router certs, check for the TA
purpose in ta_parse() and reject everything else.

ok job

6 months agoAdd a TODO item for BGPsec router certs
tb [Sat, 8 Jun 2024 13:32:30 +0000 (13:32 +0000)]
Add a TODO item for BGPsec router certs

It is currently assumed that there is only one extended key usage OID.
RFC 8209 allows others. For example, it may well make sense for operators
to include the anyExtendedKeyUsage OID to be able to use validators that
don't recognize the BGPsec Router purpose.

ok job

6 months agoImprove x509_get_purpose()
tb [Sat, 8 Jun 2024 13:31:37 +0000 (13:31 +0000)]
Improve x509_get_purpose()

Instead of only differentiating between CA and BGPsec Router certs,
make it recognize TA and EE certs as well. TAs and CAs have the cA
boolean in the basic constraints, while EE and BGPsec router certs
do not.

TAs are self-signed, CAs not self-issued, all other certs with the
cA boolean are invalid. EE certs do not have an extended key usage
and BGPsec certs contain the id-kp-bgpsec-router OID.

Handle the new purposes where needed.
                                                                                                    ok job

6 months agoHelper to convert purpose into a printable string
tb [Sat, 8 Jun 2024 13:30:35 +0000 (13:30 +0000)]
Helper to convert purpose into a printable string

ok job

6 months agoExtend the cert_purpose enum
tb [Sat, 8 Jun 2024 13:29:54 +0000 (13:29 +0000)]
Extend the cert_purpose enum

This adds a TA and an EE purpose to be used in upcoming commits.

ok job

6 months agoAdd a x509_cache_extensions() helper
tb [Sat, 8 Jun 2024 13:28:35 +0000 (13:28 +0000)]
Add a x509_cache_extensions() helper

This is a simple wrapper around X509_check_policy(cert, -1, 0) that
doesn't need an explanatory comment in the caller.

The reason for having to do this is that various OpenSSL API calls rely
on having extension information cached. As an unsurprising consequence of
OpenSSL's characteristic API misdesign these calls can't report errors,
so they call the extension caching without error checking and the result
is that they may report nonsense.

To work around this, cache the extensions up front so a second call can't
fail and thus API calls such as X509_check_ca(), X509_get_key_usage() and
X509_cmp() work reliably.

ok job

6 months agoDo not enforce the next version key if installing a snapshot.
florian [Sat, 8 Jun 2024 06:05:40 +0000 (06:05 +0000)]
Do not enforce the next version key if installing a snapshot.

Developers sometimes have dev machines with an older snapshot that
already has the correct signify key but sysupgrade(8) refuses to do an
upgrade because it thinks it's a version jump. That's just silly.

tb pointed out that signify(1) can just work out the correct key all
by itself.

problem reported, same diff & OK deraadt

6 months agoremove unused SECMIN and SECHOUR defines
jsg [Sat, 8 Jun 2024 00:24:00 +0000 (00:24 +0000)]
remove unused SECMIN and SECHOUR defines

6 months agoremove unused TAB defines; ok miod@
jsg [Fri, 7 Jun 2024 23:19:18 +0000 (23:19 +0000)]
remove unused TAB defines; ok miod@

6 months agoRead IP forwarding variables only once.
bluhm [Fri, 7 Jun 2024 18:24:16 +0000 (18:24 +0000)]
Read IP forwarding variables only once.

Do not assume that ip_forwarding and ip_directedbcast cannot change
while processing one packet.  Read it once and pass down its value
with a flag.  This is necessary for unlocking the sysctl path.
There are a few places where a consistent value does not really
matter, they are unchanged.  Use a proper ip_ prefix for the global
variable.

OK claudio@

6 months agotrim the -w text: it's obvious -l is a different case, so no need to note
jmc [Fri, 7 Jun 2024 17:38:22 +0000 (17:38 +0000)]
trim the -w text: it's obvious -l is a different case, so no need to note
ok florian

6 months agoMake sure we select the deepest possible C-state during suspend-to-idle.
kettenis [Fri, 7 Jun 2024 16:53:35 +0000 (16:53 +0000)]
Make sure we select the deepest possible C-state during suspend-to-idle.

ok deraadt@, guenther@, mlarkin@, jsg@

6 months agoAlign documentation with reality
job [Fri, 7 Jun 2024 14:00:09 +0000 (14:00 +0000)]
Align documentation with reality

OK tb@

6 months agoremove ph_ppp_proto define, unused since rev 1.123
jsg [Fri, 7 Jun 2024 13:43:21 +0000 (13:43 +0000)]
remove ph_ppp_proto define, unused since rev 1.123

6 months agorpki-client: if anything changed, choose the freshly-fetched TA
tb [Fri, 7 Jun 2024 13:24:35 +0000 (13:24 +0000)]
rpki-client: if anything changed, choose the freshly-fetched TA

Instead of just looking at the serial number it's easier to use X509_cmp().
This compares the certs' hashes computed during the extension caching. This
is currently SHA-512 for LibreSSL and SHA-1 for OpenSSL, which is good
enough. After all, the TA certs were signed by a trusted source and if you
choose to use OpenSSL this won't be the worst of your problems.

ok job

6 months agoavoid shadowing issues which some compilers won't accept
deraadt [Fri, 7 Jun 2024 13:23:30 +0000 (13:23 +0000)]
avoid shadowing issues which some compilers won't accept
ok djm