openbsd
bru [Tue, 12 Jul 2016 22:02:53 +0000 (22:02 +0000)]
Reset the mt state completely in wsmouse_mt_init.

ok kettenis@

millert [Tue, 12 Jul 2016 20:53:04 +0000 (20:53 +0000)]
The only valid flag for unmount(2) is MNT_FORCE, ignore any others.
Fixes a crash when MNT_DOOMED is passed in the flags to unmount(2)
found by NCC Group.  OK bluhm@

kettenis [Tue, 12 Jul 2016 19:17:49 +0000 (19:17 +0000)]
Turn ahci(4) glue code for the i.MX6 platform into its own imxahci(4) driver
such that we don't end up with conflicting attachments of other
SoC-specific glue code.

kettenis [Tue, 12 Jul 2016 19:04:53 +0000 (19:04 +0000)]
Change over to imxehci(4) here as well.

bluhm [Tue, 12 Jul 2016 15:54:55 +0000 (15:54 +0000)]
Link path MTU discovery regress test into build.

bluhm [Tue, 12 Jul 2016 15:44:58 +0000 (15:44 +0000)]
Allow to run the syslogd tests as root without SUDO also if the
libevent method environment is set.

kettenis [Tue, 12 Jul 2016 15:16:00 +0000 (15:16 +0000)]
Turn ehci(4) glue code for the i.MX6 platform into its own imxehci(4) driver
such that we don't end up with conflicting attachments of other
SoC-specific glue code.

ok jsg@, patrick@

tedu [Tue, 12 Jul 2016 14:28:02 +0000 (14:28 +0000)]
in the great unp_gc rewrite, a null check was lost. we have spent some
time investigating and arguing about whether a NULL fp is a bug or not,
but what has become clear is that NULL fps get passed to unp_discard
and have been for quite some time.
restore old accommodating behavior by checking for null in unp_gc.
ok deraadt kettenis

deraadt [Tue, 12 Jul 2016 13:19:14 +0000 (13:19 +0000)]
The check for pledge "recvfd" was mistakenly only being performed
for chroot'd processes.
ok stefan semarie

semarie [Tue, 12 Jul 2016 12:10:42 +0000 (12:10 +0000)]
add "recvfd" to doas(1) for use with skey.

ok tb@ deraadt@

bluhm [Tue, 12 Jul 2016 09:57:20 +0000 (09:57 +0000)]
Add regression tests for syslogd TLS client certificates.

bluhm [Tue, 12 Jul 2016 09:47:25 +0000 (09:47 +0000)]
Add support for TLS client certificates in syslogd.  This allows a
remote server to verify that the log messages from our syslogd are
authentic.
From Kapetanakis Giannis; man page input jmc@; OK jung@ deraadt@

mpi [Tue, 12 Jul 2016 09:33:13 +0000 (09:33 +0000)]
Directly drop packets filtered by bpf(4) instead of going through the
input handlers.

ok dlg@

deraadt [Tue, 12 Jul 2016 06:06:34 +0000 (06:06 +0000)]
remove more noisy messages in "sendfd" and "recvfd"

schwarze [Mon, 11 Jul 2016 22:46:57 +0000 (22:46 +0000)]
Make all components of the URI individually optional,
independent of each other, as in:
http://man.openbsd.org[/manpath][/mansec][/arch]/name[.sec]
The restrictions in the past kept confusing people.
Triggered by a question from RafaelNeves at gmail dot com.

bluhm [Mon, 11 Jul 2016 22:43:28 +0000 (22:43 +0000)]
Revert previous adaption of the test.  The behavior change in libtls
has been backed out.

tedu [Mon, 11 Jul 2016 22:36:25 +0000 (22:36 +0000)]
don't allow mounting with noval owner. panics later.
reported by Tim Newsham at NCC.
ok millert natano

tb [Mon, 11 Jul 2016 21:38:13 +0000 (21:38 +0000)]
Add missing "recvfd" pledge promise: Raf Czlonka reported ssh coredumps
when Control* keywords were set in ssh_config. This patch also fixes
similar problems with scp and sftp.

ok deraadt, looks good to millert

deraadt [Mon, 11 Jul 2016 19:11:34 +0000 (19:11 +0000)]
be less noisy on console in case of "recvfd" refusal
ok semarie

deraadt [Mon, 11 Jul 2016 18:32:29 +0000 (18:32 +0000)]
sync

tb [Mon, 11 Jul 2016 18:30:21 +0000 (18:30 +0000)]
Instead of using the floating point square root, use an integer version
of the Newton method from ping.c.  Fixes a rounding issue that caused
failure to factor numbers close to 2^64, e.g. 18446744030759878681.
While there, fix an off by one error that caused 4295360521 to be
reported as a prime.  Issues reported by Paul Stoeber and Michael Bozon.

ok tedu, deraadt
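
As an added illustration of the two fixes described above (my own code, not the ping.c routine or the factor(6) code the commit refers to): an integer Newton square root for unsigned 64-bit values, and a trial-division factoriser whose divisor bound is inclusive. The bound_bug switch reproduces the class of off-by-one described, stopping one divisor short, which is enough to report 65539^2 = 4295360521 as prime; the exact original loop is not reproduced.

```python
def isqrt64(n: int) -> int:
    """Floor square root of an unsigned 64-bit integer by Newton's method,
    in integer arithmetic only, so values just below 2**64 stay exact."""
    if not 0 <= n < 1 << 64:
        raise ValueError("n must fit in an unsigned 64-bit integer")
    if n < 2:
        return n
    # Start from a power of two that is >= sqrt(n): the iteration then
    # descends monotonically and x + n // x never exceeds 2**33.
    x = 1 << ((n.bit_length() + 1) // 2)
    while True:
        y = (x + n // x) // 2
        if y >= x:
            return x
        x = y


def factor64(n: int, bound_bug: bool = False) -> list:
    """Trial division of n. The divisor bound must be inclusive: when
    n = p*p for a prime p, the last divisor that has to be tried is p
    itself. bound_bug=True stops one short (constructed to show the
    class of off-by-one, not a copy of the original code) and therefore
    reports such squares as prime."""
    if n < 2:
        return [n]
    factors = []
    limit = isqrt64(n)
    d = 2
    while (d < limit) if bound_bug else (d <= limit):
        if n % d == 0:
            factors.append(d)
            n //= d
            limit = isqrt64(n)      # shrink the bound with the cofactor
            continue                # the same d may divide again
        d += 1 if d == 2 else 2     # 2, then odd candidates only
    if n > 1:
        factors.append(n)
    return factors
```

isqrt64 is exact on 18446744030759878681 (which is 4294967291^2, a value the floating-point path mishandled), whereas factoring that value by trial division is too slow to be a useful demonstration, so the factoriser is best exercised on 4295360521.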

kettenis [Mon, 11 Jul 2016 14:56:18 +0000 (14:56 +0000)]
Use gpio framework to implement hardware reset of the PHY instead of
hardcoding particular gpios based on board IDs.

ok visa@, jsg@

kettenis [Mon, 11 Jul 2016 14:54:18 +0000 (14:54 +0000)]
Use gpio framework to implement card detect instead of hardcoding particular
gpios based on board IDs.

ok visa@, jsg@

kettenis [Mon, 11 Jul 2016 14:51:31 +0000 (14:51 +0000)]
Hook up imxgpio(4) to the FDT gpio framework.

ok visa@, jsg@

kettenis [Mon, 11 Jul 2016 14:49:41 +0000 (14:49 +0000)]
Add a simple framework for handling gpio controllers and pins on FDT-enabled
platforms.

ok visa@, jsg@

visa [Mon, 11 Jul 2016 13:23:14 +0000 (13:23 +0000)]
Add CN61xx.

bluhm [Mon, 11 Jul 2016 13:15:20 +0000 (13:15 +0000)]
Add regression tests for the path MTU discovery implementation in
the kernel.  Generate TCP and TCP6 and UDP6 packets with Scapy,
check the kernel's reaction to ICMP fragmentation needed and ICMP6
packet too big.
OK mpi@

visa [Mon, 11 Jul 2016 13:08:59 +0000 (13:08 +0000)]
sync

bluhm [Mon, 11 Jul 2016 13:06:31 +0000 (13:06 +0000)]
Path MTU discovery was slightly broken.  It took two ICMP packets
to create and change the dynamic route.  This behavior was introduced
in net/route.c rev 1.269 when the gateway route allocation was moved
from rt_setgateway() to _rtalloc().  So rtrequest(RTM_ADD) could
return a route without a valid gateway route.  To fix this, call
rt_setgwroute() from _rtalloc() and rt_setgateway().
OK mpi@

mpi [Mon, 11 Jul 2016 10:35:43 +0000 (10:35 +0000)]
Do not increase the size of the socket buffer under memory pressure.

From Simon Mages, ok beck@, claudio@, bluhm@

kettenis [Mon, 11 Jul 2016 09:50:02 +0000 (09:50 +0000)]
Initialize oui and model fields in the softc.

ok deraadt@, mpi@

mpi [Mon, 11 Jul 2016 09:23:06 +0000 (09:23 +0000)]
Revert the introduction of ``rt_addr''.

Being able to add route entries without configured addresses is a nice
feature but this is not my fight.  So I'd rather not add another pointer
to ``struct rtentry'' if I'm not removing another one.

stefan [Mon, 11 Jul 2016 08:38:49 +0000 (08:38 +0000)]
Make sure variables are used initialized in amap_wiperange

Uninitialized variables used in an if/else could cause a slower
codepath to be taken, but the end effect of both paths is the same.

Found by jsg@

tedu [Mon, 11 Jul 2016 03:19:44 +0000 (03:19 +0000)]
obsolete note about fascistloggin is obsolete. ok djm dtucker

rzalamena [Mon, 11 Jul 2016 00:27:50 +0000 (00:27 +0000)]
Teach tcpdump to recognize MPLS pseudowire with control words. Added
support to print encapsulated ethernet packets as well.

"Looks good" deraadt@

tedu [Sun, 10 Jul 2016 23:07:34 +0000 (23:07 +0000)]
zero the read buffer after copying data to user so it doesn't linger.
ok beck

tedu [Sun, 10 Jul 2016 23:06:48 +0000 (23:06 +0000)]
use offsetof to create an offset instead of illegal unaligned pointers
ok guenther

patrick [Sun, 10 Jul 2016 20:53:04 +0000 (20:53 +0000)]
Not all i.MX6 devices have a pinctrl property in their device nodes.
In that case, soft fail and return instead of allocating a buffer with
a bogus size.

ok kettenis@

kettenis [Sun, 10 Jul 2016 20:41:19 +0000 (20:41 +0000)]
Pay attention to Processor Local X2APIC structures.  ACPI 6.0 allows these
even for APIC ID values less than 255.  Makes secondary CPUs attach on the
HP DL360 gen 9.

tested by jung@
ok guenther@

kettenis [Sun, 10 Jul 2016 20:36:41 +0000 (20:36 +0000)]
Rename apic_proc_uid field to acpi_proc_uid in the acpi_madt_x2apic struct.
It is the ACPI processor UID that is stored here.

ok guenther@

kettenis [Sun, 10 Jul 2016 20:18:56 +0000 (20:18 +0000)]
regen

kettenis [Sun, 10 Jul 2016 20:18:15 +0000 (20:18 +0000)]
Add MICREL KSZ9021 and KSZ9031.

kettenis [Sun, 10 Jul 2016 17:17:22 +0000 (17:17 +0000)]
Fix typo.  Pointed out by patrick@

visa [Sun, 10 Jul 2016 15:16:15 +0000 (15:16 +0000)]
Build firmware for USB devices on octeon.

ok deraadt@

semarie [Sun, 10 Jul 2016 14:21:24 +0000 (14:21 +0000)]
pledge: use uint64_t instead of int for temporary storing a 64bit integer

affects only 32 bits platform (like i386).

problem spotted and diff from pelikan@

ok deraadt@ jca@

kettenis [Sun, 10 Jul 2016 14:01:10 +0000 (14:01 +0000)]
Dynamically attach imxgpio(4) using the FDT.

schwarze [Sun, 10 Jul 2016 13:52:27 +0000 (13:52 +0000)]
consistent spelling of "Moscow"; Ilya dot Kaliman at gmail dot com

schwarze [Sun, 10 Jul 2016 13:33:50 +0000 (13:33 +0000)]
Fix a nasty typo that prevented .so links to gzipped manuals
from working in the absence of a mandoc.db(5) database.
Found the hard way by Svyatoslav Mishyn on Crux Linux.

kettenis [Sun, 10 Jul 2016 11:46:28 +0000 (11:46 +0000)]
Add support for handling pinctrl device tree bindings to imxiomuxc(4).
These are used to do board-specific setup of mux settings and pad
configuration.

ok jsg@, patrick@

visa [Sun, 10 Jul 2016 10:18:58 +0000 (10:18 +0000)]
Use the synciobdma instruction instead of the sync instruction for
flushing any pending local IOBDMA operations. The sync instruction is
overkill because it implies a full memory barrier.

ok jasper@ (long time ago)

schwarze [Sun, 10 Jul 2016 10:03:15 +0000 (10:03 +0000)]
Simplify the code and the server setup by deleting the pseudo-manpath
"mandoc" that was used for man.cgi(8) documentation and by assuming
that the apropos(1) and man.cgi(8) manuals are simply installed in
the default manpath.  Even though man.cgi(8) is not installed by
default when installing OpenBSD, it is easy to copy it into the
default manpath used for man.cgi(8).

Idea found when considering a question asked by wrant dot com.

rpe [Sun, 10 Jul 2016 09:08:18 +0000 (09:08 +0000)]
Fix detection of /usr/lib on NFS.
Found by Frank Scheiner, thanks for reporting this.

OK krw, halex
'cool' deraadt

tedu [Sun, 10 Jul 2016 03:24:31 +0000 (03:24 +0000)]
rename variable for consistency

jsg [Sun, 10 Jul 2016 03:04:00 +0000 (03:04 +0000)]
Instead of attaching the omap device based on board ids follow imx
and match based on the compatible property of the root node in the fdt.

Each of am33xx, omap3, and omap4 have their own list of devices to
attach.

jsg [Sun, 10 Jul 2016 02:55:15 +0000 (02:55 +0000)]
Remove now unused definitions for drivers that have been converted to
use the fdt.

millert [Sun, 10 Jul 2016 00:48:21 +0000 (00:48 +0000)]
Document that SIGTTOU is sent if the process is in the background.
Adapted from text from tcsetattr(3).

millert [Sun, 10 Jul 2016 00:39:31 +0000 (00:39 +0000)]
POSIX specifies that if a process calling tcsetpgrp() is in the
background it shall receive SIGTTOU.  Handle TIOCSPGRP like we do
the other tty ioctls that change the terminal.  OK deraadt@ guenther@

guenther [Sun, 10 Jul 2016 00:39:23 +0000 (00:39 +0000)]
Paranoia: check KTRPOINT() before calling ktrpledge() to guarantee we
can't (in the future) loop from ktrace writing hitting a pledge condition.

diff from Michal Mazurek (akfaew (at) jasminek.net)

tedu [Sun, 10 Jul 2016 00:15:39 +0000 (00:15 +0000)]
attempt to improve clarity by reducing forward references and more
directly documenting each option's effect.

schwarze [Sat, 9 Jul 2016 23:32:51 +0000 (23:32 +0000)]
spelling; from Ilya dot Kaliman at gmail dot com

tedu [Sat, 9 Jul 2016 20:39:17 +0000 (20:39 +0000)]
only print one error, not multiple misleading messages

schwarze [Sat, 9 Jul 2016 19:44:52 +0000 (19:44 +0000)]
Do not treat PATH_INFO as a complete path if it doesn't contain
a manpath.  For example, this makes http://man.openbsd.org/mandoc
work as expected.
Bug reported by tb@, reminded by Svyatoslav Mishyn.

kettenis [Sat, 9 Jul 2016 18:14:18 +0000 (18:14 +0000)]
Simplify the i.MX6 platform code.  The list of board devices is now
(essentially) the same for all boards, so we can use a single list and
match based on the compatible property of the root node in the device tree.

ok jsg@

stefan [Sat, 9 Jul 2016 17:13:05 +0000 (17:13 +0000)]
Fix bugs introduced with the amap rework

- The number of slots must be initialized in the chunk of a small amap,
  otherwise unmapping() part of a mmap()'d range would delay freeing
  of vm_anons for small amaps
- If the first chunk of a bucket is freed, check if the next chunk in
  the list has to become the new first chunk
- Use a separate loop for each type of traversal (small amap, by bucket
  by list) in amap_wiperange(). This makes the code easier to follow and
  also fixes a bug where too many chunks were wiped out when traversing
  by list

However, the last two bugs should happen only when turning a previously
private mapping into a shared one, then forking, and then having
both processes unmap a part of the mapping.

snap and ports build tested by krw@, review by kettenis@

kettenis [Sat, 9 Jul 2016 15:59:22 +0000 (15:59 +0000)]
Initialize the mii_oui field such that fec(4) can look at it.

ok jsg@

schwarze [Sat, 9 Jul 2016 15:23:36 +0000 (15:23 +0000)]
getopt(3) is declared in <unistd.h>, and <getopt.h> is not needed;
from Joerg Sonnenberger via Thomas Klausner, NetBSD.

jsg [Sat, 9 Jul 2016 13:30:14 +0000 (13:30 +0000)]
ehci no longer attaches to imx

kettenis [Sat, 9 Jul 2016 12:39:28 +0000 (12:39 +0000)]
Perform PHY-specific initialization based on the PHY ID instead of the
board ID for the AR8031/AR8035.

ok jsg@

kettenis [Sat, 9 Jul 2016 12:32:50 +0000 (12:32 +0000)]
Dynamically attach i.MX6 ehci(4) using the FDT.

ok jsg@

kettenis [Sat, 9 Jul 2016 12:31:05 +0000 (12:31 +0000)]
Add interfaces to look up a device tree node by phandle.

ok patrick@, jsg@, visa@

stefan [Sat, 9 Jul 2016 09:06:22 +0000 (09:06 +0000)]
Prepare vionet to be handled asynchronously to the VCPU thread

This splits the handling of received data into a separate function
that can later be called in parallel to the VCPU thread instead of
handling received packets on VCPU exits only.

It also makes virtq accesses in the rx path safe to run in parallel
to the VCPU thread: the last index into the 'avail' ring the driver
has notified to the host is kept track of. It also makes sure that
the host only writes back to the 'avail' ring instead of modifying
the whole receive virtq.

While there, describe what virtio_vq_info and virtio_io_cfg are used
for, as suggested by mlarkin@

ok mlarkin@

jsg [Sat, 9 Jul 2016 07:19:52 +0000 (07:19 +0000)]
Mention the EFI and DTB requirement.  List U-Boot 2016.07 as 2016.05
needs a patch to work with efiboot on non imx platforms that is
included in ports/packages but might not be present otherwise.

While U-Boot 2016.07 final is not released yet the
"efi_loader: Don't allocate from memory holes" patch is included
in rc1/rc2/rc3 and should make the final release.

jsg [Sat, 9 Jul 2016 04:25:44 +0000 (04:25 +0000)]
Use mac address and phy id from the fdt.  Store settings for a second
port as well, though we still only handle a single port for now.
ok kettenis@

schwarze [Fri, 8 Jul 2016 22:27:58 +0000 (22:27 +0000)]
ISO C99 7.19.2.5 doesn't like mixing putchar(3) and putwchar(3) on
the same stream, and actually, it fails spectacularly on glibc.
Portability issue pointed out by Svyatoslav Mishyn <juef at openmailbox
dot org> after testing on Void Linux.

schwarze [Fri, 8 Jul 2016 20:41:13 +0000 (20:41 +0000)]
POSIX requires that a process calling tcsetpgrp(3) from the background
gets a SIGTTOU signal.  In that case, do not stop.
Portability issue found while testing on commercial Solaris 9/10/11.
Thanks to opencsw.org for providing me with a testing environment.

millert [Fri, 8 Jul 2016 19:32:26 +0000 (19:32 +0000)]
When making a copy of svc_pollfd, use the correct size.
Also pass the correct fd count to svc_getreq_poll().
OK jca@

kettenis [Fri, 8 Jul 2016 18:20:48 +0000 (18:20 +0000)]
Fix check for "name" property.  Restores synthesised "name" properties in
eeprom -p output that were lost in revision 1.13.

millert [Fri, 8 Jul 2016 15:23:44 +0000 (15:23 +0000)]
Pass errret pointer to setupterm() to prevent setupterm()
from calling exit() when given an unknown terminal type.
From Anton Lindqvist, who also upstreamed the fix.

millert [Fri, 8 Jul 2016 14:26:04 +0000 (14:26 +0000)]
The XSLoader issue has been assigned CVE-2016-6185

kettenis [Fri, 8 Jul 2016 08:30:53 +0000 (08:30 +0000)]
regen

kettenis [Fri, 8 Jul 2016 08:30:06 +0000 (08:30 +0000)]
The Atheros PHYs with model ID 7 are the AR8031/AR8033/AR8035 family.
Identify as AR8035 since that one has the lowest revision number.

ok mlarkin@, millert@

mlarkin [Fri, 8 Jul 2016 06:35:12 +0000 (06:35 +0000)]
Return 0 on read from PIT control port. Intel explicitly says this is not
supported, and it looks like other emulators/hypervisors do a variety of
different things here. Most return 0, but at least one might return random
garbage. Returning 0 seems safest here, but leave a warning in place for
the logs in case a guest VM does this.

djm [Fri, 8 Jul 2016 03:44:42 +0000 (03:44 +0000)]
Improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms.

Previously we were computing the MAC, decrypting the packet and then
checking the MAC. This gave rise to the possibility of creating a
side-channel oracle in the decryption step, though no such oracle has
been identified.

This adds a mac_check() function that computes and checks the MAC in
one pass, and uses it to advance MAC checking for EtM algorithms to
before payload decryption.

Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and
Martin Albrecht. feedback and ok markus@
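
As an added illustration of the ordering change described above (my own code, not OpenSSH's packet.c; the transport cipher is a constructed SHA-256 counter-mode stand-in and the keys are constructed): the two receive paths side by side, the old compute-MAC, decrypt, then compare order and the mac_check()-first order, with a counter that shows whether a forged packet ever reaches the cipher.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 tag length


def toy_cipher(key: bytes, seqnr: int, data: bytes) -> bytes:
    """Constructed stand-in for the transport cipher (SHA-256 in counter
    mode XORed over the data); it only makes the operation order visible."""
    stream = b"".join(hashlib.sha256(key + struct.pack(">IQ", seqnr, i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def mac_compute(mac_key, seqnr, plen, ct):
    # EtM: the tag covers seqnr, the cleartext packet_length and the ciphertext.
    return hmac.new(mac_key, struct.pack(">I", seqnr) + plen + ct,
                    hashlib.sha256).digest()


def mac_check(mac_key, seqnr, plen, ct, tag) -> bool:
    """Compute and compare the MAC in one pass (constant-time compare)."""
    return hmac.compare_digest(mac_compute(mac_key, seqnr, plen, ct), tag)


def seal(enc_key, mac_key, seqnr, payload):
    plen = struct.pack(">I", len(payload))
    ct = toy_cipher(enc_key, seqnr, payload)
    return plen + ct + mac_compute(mac_key, seqnr, plen, ct)


def split_packet(packet):
    plen = packet[:4]
    n = struct.unpack(">I", plen)[0]
    ct, tag = packet[4:4 + n], packet[4 + n:4 + n + MAC_LEN]
    if len(ct) != n or len(tag) != MAC_LEN:
        raise ValueError("truncated packet")
    return plen, ct, tag


def open_legacy(enc_key, mac_key, seqnr, packet, stats):
    """Old order: compute MAC, decrypt, then compare. The cipher runs on
    data that has not been authenticated yet."""
    plen, ct, tag = split_packet(packet)
    expected = mac_compute(mac_key, seqnr, plen, ct)
    stats["decrypts"] += 1
    payload = toy_cipher(enc_key, seqnr, ct)
    return payload if hmac.compare_digest(expected, tag) else None


def open_etm(enc_key, mac_key, seqnr, packet, stats):
    """New order: mac_check() first, so a forged packet never reaches
    the decryption step."""
    plen, ct, tag = split_packet(packet)
    if not mac_check(mac_key, seqnr, plen, ct, tag):
        return None
    stats["decrypts"] += 1
    return toy_cipher(enc_key, seqnr, ct)


def demo():
    enc_key, mac_key, seqnr = b"E" * 32, b"M" * 32, 7   # constructed keys
    pkt = seal(enc_key, mac_key, seqnr, b"hello, sshd")
    forged = bytearray(pkt)
    forged[4] ^= 0x01                       # flip one ciphertext bit
    forged = bytes(forged)
    good, legacy, etm = {"decrypts": 0}, {"decrypts": 0}, {"decrypts": 0}
    result = {"good": open_etm(enc_key, mac_key, seqnr, pkt, good)}
    result["legacy_forged"] = open_legacy(enc_key, mac_key, seqnr, forged, legacy)
    result["legacy_decrypts"] = legacy["decrypts"]
    result["etm_forged"] = open_etm(enc_key, mac_key, seqnr, forged, etm)
    result["etm_decrypts"] = etm["decrypts"]
    return result
```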

rzalamena [Thu, 7 Jul 2016 19:56:27 +0000 (19:56 +0000)]
Updated the ldpd.conf man page examples

The man page already contains the definition of the new neighbor-addr and
neighbor-id, but the examples were outdated. Now we may have an LSR-ID that
is different from its address.

ok renato@

millert [Thu, 7 Jul 2016 19:16:15 +0000 (19:16 +0000)]
Apply http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
This fixes a bug where XSLoader could try to load from a subdir
of the cwd when called via eval.  OK afresh1@

deraadt [Thu, 7 Jul 2016 16:11:47 +0000 (16:11 +0000)]
sync

schwarze [Thu, 7 Jul 2016 14:32:24 +0000 (14:32 +0000)]
sync with mdocml.bsd.lv: mention httpd(8) and slowcgi(8)

jsing [Thu, 7 Jul 2016 14:09:44 +0000 (14:09 +0000)]
Revert previous since the libtls change has been reverted.

jsing [Thu, 7 Jul 2016 14:09:03 +0000 (14:09 +0000)]
Revert previous - it introduces problems with a common privsep use case.

bcook [Thu, 7 Jul 2016 13:25:37 +0000 (13:25 +0000)]
add ca cert error check and make the path configurable

from Kinichiro Inoguchi

bcook [Thu, 7 Jul 2016 11:53:12 +0000 (11:53 +0000)]
call BN_init on temporaries to avoid use-before-set warnings

ok beck@

semarie [Thu, 7 Jul 2016 09:26:25 +0000 (09:26 +0000)]
biff, mesg, vi: only consider ACCESSPERMS for setting tty mode.

it explicitly removes any S_ISUID|S_ISGID|S_ISTXT bits, instead of letting
pledge(2) silently remove them.

ok beck@ deraadt@

semarie [Thu, 7 Jul 2016 09:24:09 +0000 (09:24 +0000)]
tmux: only consider ACCESSPERMS for setting mode on socket_path.

it explicitly removes any S_ISUID|S_ISGID|S_ISTXT bits, instead of letting
pledge(2) silently remove them.

ok nicm@ beck@ deraadt@

mglocker [Thu, 7 Jul 2016 08:08:02 +0000 (08:08 +0000)]
Add man page for the maxrtc(4) I2C driver.

mlarkin [Thu, 7 Jul 2016 00:58:31 +0000 (00:58 +0000)]
sanity check vm create and run args earlier

bluhm [Wed, 6 Jul 2016 21:30:21 +0000 (21:30 +0000)]
Now libtls is always reading cert.pem during tls_config_new().
Adapt ktrace count in syslogd test.

otto [Wed, 6 Jul 2016 20:32:02 +0000 (20:32 +0000)]
J/j is a three valued option, document and fix code to actually support that
with a little help from jmc@ for the man page bits
ok jca@  and a reluctant tedu@

millert [Wed, 6 Jul 2016 19:29:13 +0000 (19:29 +0000)]
Allow space-delimited fields in syslog.conf in addition to
traditional tab-delimited fields.  This is consistent with what
FreeBSD, NetBSD and Linux do.  Adapted from FreeBSD.

millert [Wed, 6 Jul 2016 19:26:35 +0000 (19:26 +0000)]
Return EINVAL for mknod/mknodat when dev is -1 (aka VNOVAL).
OK beck@ tedu@

jsing [Wed, 6 Jul 2016 16:47:18 +0000 (16:47 +0000)]
Check that the given ciphers string is syntactically valid and results in
at least one matching cipher suite.

ok doug@