openbsd
6 years agoUse IP6_SOIIKEY_LEN instead of hardcoded value.
mpi [Mon, 12 Feb 2018 15:53:05 +0000 (15:53 +0000)]
Use IP6_SOIIKEY_LEN instead of hardcoded value.

from semarie@, ok benno@

6 years agoAlways destroy all interfaces before starting a new test.
mpi [Mon, 12 Feb 2018 15:48:58 +0000 (15:48 +0000)]
Always destroy all interfaces before starting a new test.

This should make tests following a failing test pass.

6 years agoAdd the missing RETURN VALUES section and reorder the content
schwarze [Mon, 12 Feb 2018 15:45:12 +0000 (15:45 +0000)]
Add the missing RETURN VALUES section and reorder the content
accordingly.  Make some statements more precise, and point out
some dangerous traps in these ill-designed interfaces.
Also do some minor polishing while here.

Triggered by OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800
by Paul Yang, but not using most of his wording because that is in
part redundant, in part incomplete, and in part outright wrong.

6 years agoPass '-inet6' to the default loopback before each test.
mpi [Mon, 12 Feb 2018 15:36:40 +0000 (15:36 +0000)]
Pass '-inet6' to the default loopback before each test.

In order to have reproducible tests route entries must not stay.  Otherwise
the 'Use' counter keeps growing.

6 years agoNow that the default loopback interface is brough UP when rdomain 5
mpi [Mon, 12 Feb 2018 15:29:28 +0000 (15:29 +0000)]
Now that the default loopback interface is brough UP when rdomain 5
is created, it gets default IPv6 addresses.  So reflect that change
in netinet6 outputs.

6 years agoRevert previous, the changed has been backed out and I wasn't running
mpi [Mon, 12 Feb 2018 15:22:52 +0000 (15:22 +0000)]
Revert previous, the changed has been backed out and I wasn't running
the last snaphot.

6 years agoFix most outputs now that lo5 is getting 127.0.0.1 automagically.
mpi [Mon, 12 Feb 2018 14:25:17 +0000 (14:25 +0000)]
Fix most outputs now that lo5 is getting 127.0.0.1 automagically.

6 years agorestore the previous semantics wrt if up, tunnel, and address config.
dlg [Mon, 12 Feb 2018 03:30:24 +0000 (03:30 +0000)]
restore the previous semantics wrt if up, tunnel, and address config.

this is a port of the change made to if_etherip.c r1.35 to allow
addresses to be configured before the tunnel is configured.

6 years agorestore the previous semantics wrt if up, tunnel, and address config.
dlg [Mon, 12 Feb 2018 03:15:32 +0000 (03:15 +0000)]
restore the previous semantics wrt if up, tunnel, and address config.

this is a port of the change made to if_etherip.c r1.35 to allow
addresses to be configured before the tunnel is configured.

this rollback is particularly annoying on gre with keepalives.
keepalives rely on the interface rdomain and tunnel rdomain to be
the same, which the rolled back semantics checked. now it is possible
to create an invalid configuration and not get any feedback about
it.

6 years agorestore the previous semantics wrt if up, tunnel, and address config.
dlg [Mon, 12 Feb 2018 02:55:40 +0000 (02:55 +0000)]
restore the previous semantics wrt if up, tunnel, and address config.

this is a port of the change made to if_etherip.c r1.35 to allow
addresses to be configured before the tunnel is configured.

6 years agouse a mobileip_tunnel struct to represent the interfaces tunnel info.
dlg [Mon, 12 Feb 2018 02:33:50 +0000 (02:33 +0000)]
use a mobileip_tunnel struct to represent the interfaces tunnel info.

this avoids allocating a mobileip_softc on the stack to build a key
for looking up interfaces with on packet input. struct ifnet inside
mobileip_softc is "quite large", and may blow the 2k limit one day.

6 years agorestore the previous semantics wrt if up, tunnel, and address config.
dlg [Mon, 12 Feb 2018 01:43:42 +0000 (01:43 +0000)]
restore the previous semantics wrt if up, tunnel, and address config.

our network drivers have a feature where if you configure an address
on the interface, it implicitly brings the interface up. i changed
etherip so you could only change the tunnel configuration while it
down, but maintained the implicit up behaviour. bringing the tunnel
up also relied on having valid configuration, ie, tunnel addreses
must be configured otherwise up will fail.

this means people who have address config in their hostname.etherip
files before config for the tunnel addresses will have problems.
firstly, the address wont be configured because falling through to
the interface up fails because the tunnel isnt configured correctly,
and that error makes the address config roll back. secondly, config
that relies on configuring the address to bring the interface up
will fail because there's no explicit up after the tunnel config.

this diff rolls the tunnel config back to keeping the interface on
a list, and allowing config at any time. the caveat to this is that
it makes mpsafety hard because inconsistent intermediate states are
visible when packets are being processed.

6 years agoSimplify documentation of split-screen mode, avoiding abuse of []
schwarze [Mon, 12 Feb 2018 01:10:46 +0000 (01:10 +0000)]
Simplify documentation of split-screen mode, avoiding abuse of []
to sometimes mean "character set", which conflicts with the normal
meaning of "optional element" in manual pages.  While here, add a
few related clarifications and tweak a few details.
Triggered by a minor bug report from <trondd at kagu-tsuchi dot com>,
and by bentley@ subsequently pointing out the abuse of [].
Patch using input from jmc@, who also agreed with some previous versions.

6 years agoTypo in a comment (CR$_VMXE instead of CR4_VMXE). No functional change.
mlarkin [Mon, 12 Feb 2018 00:59:28 +0000 (00:59 +0000)]
Typo in a comment (CR$_VMXE instead of CR4_VMXE). No functional change.

6 years ago; ends c statements, not ;;
dlg [Mon, 12 Feb 2018 00:09:39 +0000 (00:09 +0000)]
; ends c statements, not ;;

6 years agodont handle SIOCSIFRDOMAIN twice, egre isn't supposed to filter it.
dlg [Mon, 12 Feb 2018 00:07:53 +0000 (00:07 +0000)]
dont handle SIOCSIFRDOMAIN twice, egre isn't supposed to filter it.

6 years agoOoops. After getting a NAK in response to a renewal REQUEST, we delete
krw [Sun, 11 Feb 2018 22:00:19 +0000 (22:00 +0000)]
Ooops. After getting a NAK in response to a renewal REQUEST, we delete
the interface's address and thus the cached configuration data becomes
invalid and must be discarded.

Issue found & fix tested by Christer Solskogen. Thanks!

6 years agoRevert rev 1.163. Causes network issues in Firefox.
matthieu [Sun, 11 Feb 2018 21:53:57 +0000 (21:53 +0000)]
Revert rev 1.163. Causes network issues in Firefox.

ok mpi@ who will investigate.

6 years agoDon't reset signal handlers inside handlers.
dtucker [Sun, 11 Feb 2018 21:16:56 +0000 (21:16 +0000)]
Don't reset signal handlers inside handlers.

The signal handlers from the original ssh1 code on which OpenSSH
is based assume unreliable signals and reinstall their handlers.
Since OpenBSD (and pretty much every current system) has reliable
signals this is not needed.  In the unlikely even that -portable
is still being used on such systems we will deal with it in the
compat layer.  ok deraadt@

6 years agoUse the new APIs for setting block lengths and reading from/writing to
patrick [Sun, 11 Feb 2018 21:10:03 +0000 (21:10 +0000)]
Use the new APIs for setting block lengths and reading from/writing to
memory regions.

6 years agoMove .openbsd.randomdata into .rodata. This makes things more
patrick [Sun, 11 Feb 2018 21:07:08 +0000 (21:07 +0000)]
Move .openbsd.randomdata into .rodata.  This makes things more
consistent across architectures.

Requested by deraadt@
ok kettenis@

6 years agoRework the DDB trace handling for armv7. By switching to clang the
patrick [Sun, 11 Feb 2018 21:04:13 +0000 (21:04 +0000)]
Rework the DDB trace handling for armv7.  By switching to clang the
stack frame format has changed.  Apparently AAPCS doesn't specify
at all what a stack frame looks like.  We end up with much simpler
code, but also with a lot less information in the trace.

ok kettenis@

6 years agoDocument three more functions recently made public by jsing@
schwarze [Sun, 11 Feb 2018 20:59:30 +0000 (20:59 +0000)]
Document three more functions recently made public by jsing@
as requested by jsing@, and also document six more related functions
that have already been public before that.
OpenSSL fails to document any of these.

6 years agoAdd sdmmc_io_set_blocklen() which allows to set the block length of an
patrick [Sun, 11 Feb 2018 20:58:40 +0000 (20:58 +0000)]
Add sdmmc_io_set_blocklen() which allows to set the block length of an
SDIO function.  This is necessary for some SDIO cards that need to be
talked with using smaller block lengths than the maximum supported by
the host controller.

ok kettenis@

6 years agoAdd sdmmc_io_read_region_1() and sdmmc_io_write_region_1() as an
patrick [Sun, 11 Feb 2018 20:57:57 +0000 (20:57 +0000)]
Add sdmmc_io_read_region_1() and sdmmc_io_write_region_1() as an
interface for "reading memory" akin to the bus_space(9) API.  The
already existing multi interface is used for "reading FIFOs".  The
technical difference is that one always reads from the same address
(FIFO) while the other increments the address while reading (memory).

ok kettenis@

6 years agotypo in output string; from edgar pettijohn
jmc [Sun, 11 Feb 2018 20:03:10 +0000 (20:03 +0000)]
typo in output string; from edgar pettijohn

6 years agofix madvise(2) flags matching; ok deraadt@ tom@
otto [Sun, 11 Feb 2018 18:45:51 +0000 (18:45 +0000)]
fix madvise(2) flags matching; ok deraadt@ tom@

6 years agoMake sorting in the pcache view work. This allows us to sort on all
martijn [Sun, 11 Feb 2018 09:47:33 +0000 (09:47 +0000)]
Make sorting in the pcache view work. This allows us to sort on all
shown columns. There's still parts that could do with a good polishing,
but it's an improvement.

OK tedu@

6 years agoMove landisk to MI mutex.
mpi [Sun, 11 Feb 2018 09:30:12 +0000 (09:30 +0000)]
Move landisk to MI mutex.

ok dlg@

6 years agomacro fix;
jmc [Sun, 11 Feb 2018 07:30:59 +0000 (07:30 +0000)]
macro fix;

6 years agoCopy the scan results into a new buffer to re-align the data so that we
patrick [Sun, 11 Feb 2018 05:33:12 +0000 (05:33 +0000)]
Copy the scan results into a new buffer to re-align the data so that we
don't fault on strict alignment architectures.

6 years agoSince the BCDC header has a variable data offset, so the ethernet packet
patrick [Sun, 11 Feb 2018 05:13:07 +0000 (05:13 +0000)]
Since the BCDC header has a variable data offset, so the ethernet packet
alignment can be variable, it's better to move taking care of alignment
into the BCDC receive code.

6 years agooops, typo
deraadt [Sun, 11 Feb 2018 05:11:50 +0000 (05:11 +0000)]
oops, typo

6 years agoUpdate the packet header length as well as the mbuf length on
patrick [Sun, 11 Feb 2018 05:07:36 +0000 (05:07 +0000)]
Update the packet header length as well as the mbuf length on
receive.  Did that everywhere else but missed it here.

6 years agoDocument how MAP_STACK will be used. All stacks must be mmap'd with
deraadt [Sun, 11 Feb 2018 04:50:25 +0000 (04:50 +0000)]
Document how MAP_STACK will be used.  All stacks must be mmap'd with
this attribute.  The kernel does so for main-process stacks at execve() time,
pthread stack functions do so for new stacks, and stacks provided to
sigaltstack() and other user-provided stacks will need to be allocated
in that way.
Not required yet, but paving the way.
Work done with stefan

6 years agolight documentation for MAP_STACK
deraadt [Sun, 11 Feb 2018 04:39:15 +0000 (04:39 +0000)]
light documentation for MAP_STACK

6 years agoSDIO support for bwfm(4) is good enough now that we can remove the
patrick [Sun, 11 Feb 2018 04:23:02 +0000 (04:23 +0000)]
SDIO support for bwfm(4) is good enough now that we can remove the
claim saying it is not supported.  It's slowly getting on par with
the other busses but there's still more work to do.

Prompted by tb@

6 years agoMake "invalid host name" messages log_debug() since the invalid host
krw [Sun, 11 Feb 2018 04:16:58 +0000 (04:16 +0000)]
Make "invalid host name" messages log_debug() since the invalid host
name does not cause the lease to be rejected. It just causes the
containing option or field to be ignored.

6 years agoStart mapping thread stacks with MAP_STACK. mmap() currently ignores
deraadt [Sun, 11 Feb 2018 04:12:22 +0000 (04:12 +0000)]
Start mapping thread stacks with MAP_STACK.  mmap() currently ignores
the flag, but some problem identification can begin.

6 years agoCan mask MAP_STACK by name rather than number
deraadt [Sun, 11 Feb 2018 04:09:48 +0000 (04:09 +0000)]
Can mask MAP_STACK by name rather than number

6 years agoAdd MAP_STACK flag. Currently masked by mmap()
deraadt [Sun, 11 Feb 2018 04:09:19 +0000 (04:09 +0000)]
Add MAP_STACK flag.  Currently masked by mmap()

6 years agoMerge documentation from OpenSSL for seven functions
schwarze [Sun, 11 Feb 2018 03:33:21 +0000 (03:33 +0000)]
Merge documentation from OpenSSL for seven functions
that jsing@ recently exposed publicly in libcrypto.
Requested by jsing@.

6 years agoUse the new route filter ROUTE_PRIOFILTER in ospfd. Usually we only
benno [Sun, 11 Feb 2018 02:27:33 +0000 (02:27 +0000)]
Use the new route filter ROUTE_PRIOFILTER in ospfd. Usually we only
need to see routes with a higher priority (lower value) than ospfds
own routes.
ok claudio, ok henning previous version, feedback from sthen

6 years agoAdd a ROUTE_PRIOFILTER socket option for roueing sockets that
benno [Sun, 11 Feb 2018 02:26:55 +0000 (02:26 +0000)]
Add a ROUTE_PRIOFILTER socket option for roueing sockets that
allows filtering on the priority of the route. All routes up to
the specified value will be passed.
ok claudio, ok henning previous version, feedback and manpage from
sthen.

6 years agoif an interface is added to the bridge that doesn't exist, try to create it
henning [Sun, 11 Feb 2018 02:17:46 +0000 (02:17 +0000)]
if an interface is added to the bridge that doesn't exist, try to create it
triggered by djm's dhclient on vether on bridge setup
ok djm benno claudio

6 years agosysctl.h is no longer needed
tb [Sun, 11 Feb 2018 01:23:40 +0000 (01:23 +0000)]
sysctl.h is no longer needed

ok tedu

6 years agolist M_IPV6_DF_OUT
dlg [Sun, 11 Feb 2018 00:27:10 +0000 (00:27 +0000)]
list M_IPV6_DF_OUT

6 years agoadd an ipv6 "don't fragment" flag to mbufs for ip6_output to use.
dlg [Sun, 11 Feb 2018 00:24:13 +0000 (00:24 +0000)]
add an ipv6 "don't fragment" flag to mbufs for ip6_output to use.

if you need to send an ipv6 packet with ip6_send(), there's no DF
bit in an ipv6 packet and no way to pass the ip6 options to ip6_output
to tell it to not allow fragmentation. this adds an M_IPV6_DF_OUT
"checksum" flag so something creating ipv6 packets a long way from
ip6_output can easily tell it to not allow fragmentation.

grumbling and ok claudio@

6 years agoFix 'ignore ;' so that it really does reset the ignore list.
krw [Sat, 10 Feb 2018 23:25:15 +0000 (23:25 +0000)]
Fix 'ignore ;' so that it really does reset the ignore list.

Mkae 'ignore', 'request' and 'require' cumulative so all
options don't have to be jammed into one line.

6 years agoShift top-of-stack down so that the random==0 case doesn't leave stack
deraadt [Sat, 10 Feb 2018 22:59:02 +0000 (22:59 +0000)]
Shift top-of-stack down so that the random==0 case doesn't leave stack
pointer beyond the space.
ok stefan, tedu

6 years agoEnable axppmic(4).
kettenis [Sat, 10 Feb 2018 22:32:32 +0000 (22:32 +0000)]
Enable axppmic(4).

6 years agoAdd AXP803 support.
kettenis [Sat, 10 Feb 2018 22:32:01 +0000 (22:32 +0000)]
Add AXP803 support.

6 years agoMore Allwinner A64 clocks.
kettenis [Sat, 10 Feb 2018 22:31:34 +0000 (22:31 +0000)]
More Allwinner A64 clocks.

6 years agoCap wait/interval at 100 million seconds.
cheloha [Sat, 10 Feb 2018 19:49:50 +0000 (19:49 +0000)]
Cap wait/interval at 100 million seconds.

Keeps nanosleep(2) from choking.

While here, call the argument to the -w flag "wait" in the
error message to match up with documentation and usage().

ok tedu@ deraadt@ tb@

6 years agoPledge monitoring process; ok tedu@
anton [Sat, 10 Feb 2018 17:51:37 +0000 (17:51 +0000)]
Pledge monitoring process; ok tedu@

6 years agoMerge license blocks now that they are identical.
mpi [Sat, 10 Feb 2018 12:59:24 +0000 (12:59 +0000)]
Merge license blocks now that they are identical.

6 years agoArtur Grabowski agreed to relicense his C mutex implementation under ISC.
mpi [Sat, 10 Feb 2018 12:53:22 +0000 (12:53 +0000)]
Artur Grabowski agreed to relicense his C mutex implementation under ISC.

This will prevent a copyright-o-rama in kern_lock.c

6 years agoConvert armv7 to MI mutex.
mpi [Sat, 10 Feb 2018 12:44:20 +0000 (12:44 +0000)]
Convert armv7 to MI mutex.

Tested by jsg@, ok patrick@

6 years agoless macro; ok benno
jmc [Sat, 10 Feb 2018 11:19:09 +0000 (11:19 +0000)]
less macro; ok benno

6 years agoimplement the use of new ftp -S session=... for https
espie [Sat, 10 Feb 2018 10:35:09 +0000 (10:35 +0000)]
implement the use of new ftp -S session=... for https
- add a setup_session hook that creates an anonymous tempfile in the ::HTTPS
class
- parse tls connection resumed messages and tell on servers that do not
support this
- remove the CLOEXE flag on the fd just before running ftp, so that other
processes do not see it at all.

This makes https somewhat more bearable, though still slower than http... :(

thanks to jsing@ et al  for the design of session

6 years agoMove cleanup job control bits to their own function.
mpi [Sat, 10 Feb 2018 10:32:51 +0000 (10:32 +0000)]
Move cleanup job control bits to their own function.

Part of the larger 'proctreelk' diff from guenther@

No functional change, ok benno@, tedu@

6 years agoRevert previous & incorrect NULL dereference fix.
mpi [Sat, 10 Feb 2018 10:25:44 +0000 (10:25 +0000)]
Revert previous & incorrect NULL dereference fix.

This unbreak backtrace across interrupt frames.

6 years agorewrite file around fh_file, temp file creation with signal protection,
espie [Sat, 10 Feb 2018 10:08:05 +0000 (10:08 +0000)]
rewrite file around fh_file, temp file creation with signal protection,
to be used to get anon temp files for https

6 years agoprint etherip on ipv6.
dlg [Sat, 10 Feb 2018 10:00:32 +0000 (10:00 +0000)]
print etherip on ipv6.

6 years agoReplace two spaces indents with tabs. Makes it easier to read and
patrick [Sat, 10 Feb 2018 09:53:47 +0000 (09:53 +0000)]
Replace two spaces indents with tabs.  Makes it easier to read and
especially makes it easier to diff against our other linker scripts.

ok jsg@

6 years agoAdditional AMD CPUID bits documented in
jsg [Sat, 10 Feb 2018 09:46:58 +0000 (09:46 +0000)]
Additional AMD CPUID bits documented in
"Processor Programming Reference (PPR) for AMD Family 17h
Model 01h, Revision B1 Processors"

ok mlarkin@ deraadt@

6 years agoThere is a problem with assigning 127.0.0.1 here. Revert the call
claudio [Sat, 10 Feb 2018 09:32:54 +0000 (09:32 +0000)]
There is a problem with assigning 127.0.0.1 here. Revert the call
to in_up_loopback(). There is an issue when doing ifconfig lo0 127.0.0.1/8
the system ends up with 2 127.0.0.1 routes which breaks things like smptd.
Found by tb@

6 years agoconstify some private key-related functions; based on
djm [Sat, 10 Feb 2018 09:25:34 +0000 (09:25 +0000)]
constify some private key-related functions; based on
https://github.com/openssh/openssh-portable/pull/56 by Vincent Brillault

6 years agoRemove now unused assembly mutex code.
mpi [Sat, 10 Feb 2018 09:21:12 +0000 (09:21 +0000)]
Remove now unused assembly mutex code.

ok mlarkin@, deraadt@

6 years agoIf the kernel fails to clone an entry, report rtrequest(9) error.
mpi [Sat, 10 Feb 2018 09:17:56 +0000 (09:17 +0000)]
If the kernel fails to clone an entry, report rtrequest(9) error.

ok claudio@, jmatthew@

6 years agoMention ServerAliveTimeout in context of TCPKeepAlives; prompted by
djm [Sat, 10 Feb 2018 09:03:54 +0000 (09:03 +0000)]
Mention ServerAliveTimeout in context of TCPKeepAlives; prompted by
Christoph Anton Mitterer via github

6 years agoKill unneeded caddr_t cast.
claudio [Sat, 10 Feb 2018 08:47:37 +0000 (08:47 +0000)]
Kill unneeded caddr_t cast.

6 years agoRemove some special IPv4 in IPv6 mapped prefixes that are already rejected
claudio [Sat, 10 Feb 2018 08:46:10 +0000 (08:46 +0000)]
Remove some special IPv4 in IPv6 mapped prefixes that are already rejected
by the ::0.0.0.0/96 reject route added to deny all IPv4 mapped addresses.
Makes the inet6 routing table almost fit in one screen.
OK benno@

6 years agorework gif to be more consistent.
dlg [Sat, 10 Feb 2018 08:12:01 +0000 (08:12 +0000)]
rework gif to be more consistent.

while here, give us support for mpls in gif on ipv6.

this moves all the gif handling into if_gif, eg, the mpls handling
is no longer in ip_etherip.c.

ok claudio@

6 years agozap trailing whitespace;
jmc [Sat, 10 Feb 2018 07:54:34 +0000 (07:54 +0000)]
zap trailing whitespace;

6 years agoSupplying entropy from etext has created a regression on arm where we
patrick [Sat, 10 Feb 2018 07:02:21 +0000 (07:02 +0000)]
Supplying entropy from etext has created a regression on arm where we
get an alignment fault while copying the data.  Turns out that since we
have .rodata in the text segment, it's very easily possible that etext
remains unaligned.  Work around this by word-aligning etext.  The next
step is to split .rodata out of the text segment.

ok deraadt@

6 years agoclarify IgnoreUserKnownHosts; based on github PR from
djm [Sat, 10 Feb 2018 06:54:38 +0000 (06:54 +0000)]
clarify IgnoreUserKnownHosts; based on github PR from
Christoph Anton Mitterer.

6 years agoPut the ldscript parts into a single file instead of storing it as head
patrick [Sat, 10 Feb 2018 06:52:47 +0000 (06:52 +0000)]
Put the ldscript parts into a single file instead of storing it as head
and tail and cat(1) it together.  It was maybe needed when ports needed
different contents, but now it's just a headache.

ok deraadt@

6 years agoShorter, more accurate explanation of NoHostAuthenticationForLocalhost
djm [Sat, 10 Feb 2018 06:40:28 +0000 (06:40 +0000)]
Shorter, more accurate explanation of NoHostAuthenticationForLocalhost
without the confusing example. Prompted by Christoph Anton Mitterer
via github and bz#2293.

6 years agosync
deraadt [Sat, 10 Feb 2018 06:37:12 +0000 (06:37 +0000)]
sync

6 years agoAdd TLS session support to ftp(1).
jsing [Sat, 10 Feb 2018 06:25:16 +0000 (06:25 +0000)]
Add TLS session support to ftp(1).

If a session file is specified via the `-S session=...', ftp(1) will
attempt to resume TLS sessions based on the session data contained within
this file. Upon completion of a successful TLS handshake the session file
will be updated with new session data, if available.

Discussed with deraadt@ and beck@.

Requested by and input from espie@.

6 years agoDisable RemoteCommand and RequestTTY in the ssh session started by
djm [Sat, 10 Feb 2018 06:15:12 +0000 (06:15 +0000)]
Disable RemoteCommand and RequestTTY in the ssh session started by
scp. sftp is already doing this. From Camden Narzt via github;
ok dtucker

6 years agoBe more specific about when the session file will be updated.
jsing [Sat, 10 Feb 2018 06:07:43 +0000 (06:07 +0000)]
Be more specific about when the session file will be updated.

6 years agombufs and mbuf clusters are now backed by large pools. Because of this
claudio [Sat, 10 Feb 2018 06:00:06 +0000 (06:00 +0000)]
mbufs and mbuf clusters are now backed by large pools. Because of this
we can relax the oversubscribe limit of socketbuffers a fair bit.
Instead of maxing out as sb_max * 1.125 or 2 * sb_hiwat the maximum is
increased to 8 * sb_hiwat -- which seems to be a good compromise between
memory waste and better socket buffer usage.
OK deraadt@

6 years agoinstaller bits for RFC 7217 support
florian [Sat, 10 Feb 2018 05:59:06 +0000 (05:59 +0000)]
installer bits for RFC 7217 support

OK rpe, tb, naddy, sthen

6 years agoRFC 7217 support for slaacd
florian [Sat, 10 Feb 2018 05:57:59 +0000 (05:57 +0000)]
RFC 7217 support for slaacd

OK naddy, sthen

6 years agoLoad RFC 7217 key material and generate if it does not already exist.
florian [Sat, 10 Feb 2018 05:56:47 +0000 (05:56 +0000)]
Load RFC 7217 key material and generate if it does not already exist.

Add soii.key to changelist (pointed out by semarie) and mtree/special
(suggest by Craig Skinner).

OK naddy, sthen, rpe, tb

6 years agoifconfig can be used to to set interface flag to not do RFC 7217.
florian [Sat, 10 Feb 2018 05:55:26 +0000 (05:55 +0000)]
ifconfig can be used to to set interface flag to not do RFC 7217.

OK naddy, sthen
man page bits input & OK jmc

6 years agoFollow rfc8277 more closely and make make sure bgpd is encoding VPNv4
claudio [Sat, 10 Feb 2018 05:54:31 +0000 (05:54 +0000)]
Follow rfc8277 more closely and make make sure bgpd is encoding VPNv4
withdraws they way other systems are doing it. Interop problem discovered
by Andrew Thrift. Tested by Andrew and job@.

6 years agoadd support for binary sysctl payloads by handling them as hex
florian [Sat, 10 Feb 2018 05:53:58 +0000 (05:53 +0000)]
add support for binary sysctl payloads by handling them as hex
strings.

this was part of a demo showing how to implement the kernel side of
sysctl(3) for setting Semantically Opaque Interface Identifier key
material (for RFC 7217), but it seems to be the most straightforward
path toward integrating soiikey handling and rc.

Originally written by dlg, who commited it some time ago on my request.
I then backed it out again, now it's time to put it back in.

ok florian@ sthen@ naddy@ tb@

Man page bits tweaked & OK jmc

6 years agoImplement RFC 7217: "A Method for Generating Semantically Opaque
florian [Sat, 10 Feb 2018 05:52:08 +0000 (05:52 +0000)]
Implement RFC 7217: "A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Autoconfiguration."

"An IPv6 address configured using this method is stable within each
subnet, but the corresponding Interface Identifier changes when the
host moves from one network to another. This method is meant to be an
alternative to generating Interface Identifiers based on hardware
addresses."

OK naddy, sthen

6 years agoRefuse to create a certificate with an unusable number of principals;
djm [Sat, 10 Feb 2018 05:48:46 +0000 (05:48 +0000)]
Refuse to create a certificate with an unusable number of principals;
Prompted by gdestuynder via github

6 years agofatal if we're unable to write all the public key; previously we
djm [Sat, 10 Feb 2018 05:43:26 +0000 (05:43 +0000)]
fatal if we're unable to write all the public key; previously we
would silently ignore errors writing the comment and terminating
newline. Prompted by github PR from WillerZ; ok dtucker

6 years agoSimilar to the IPv6 case create 127.0.0.1/8 on lo(4) interfaces which act
claudio [Sat, 10 Feb 2018 05:32:21 +0000 (05:32 +0000)]
Similar to the IPv6 case create 127.0.0.1/8 on lo(4) interfaces which act
as loopback interfaces for each rdomain (including lo0). This is done when
the interface is brought up. This is now also done by default (either on
attach of lo0 or when creating the rdomain).
OK mpi@

6 years agoSyncronize filesystems to disk when suspending. Each mountpoint's vnodes
deraadt [Sat, 10 Feb 2018 05:24:23 +0000 (05:24 +0000)]
Syncronize filesystems to disk when suspending.  Each mountpoint's vnodes
are pushed to disk.  Dangling vnodes (unlinked files still in use) and
vnodes undergoing change by long-running syscalls are identified -- and
such filesystems are marked dirty on-disk while we are suspended (in case
power is lost, a fsck will be required).  Filesystems without dangling or
busy vnodes are marked clean, resulting in faster boots following
"battery died" circumstances.
Tested by numerous developers, thanks for the feedback.

6 years agofix build with SDHC_DEBUG defined, no binary change otherwise
jmatthew [Sat, 10 Feb 2018 05:21:13 +0000 (05:21 +0000)]
fix build with SDHC_DEBUG defined, no binary change otherwise

6 years agoAdd a mapping from grandparent driver name to hibernate io function to reduce
jmatthew [Sat, 10 Feb 2018 05:11:06 +0000 (05:11 +0000)]
Add a mapping from grandparent driver name to hibernate io function to reduce
the number of ->dv_parent->dv_parent chains and make this more readable.

ok deraadt@ phessler@

6 years agoBump TLS API version since we've added more functionality.
jsing [Sat, 10 Feb 2018 04:58:08 +0000 (04:58 +0000)]
Bump TLS API version since we've added more functionality.

6 years agoMove the keypair pubkey hash handling code to during config.
jsing [Sat, 10 Feb 2018 04:57:35 +0000 (04:57 +0000)]
Move the keypair pubkey hash handling code to during config.

The keypair pubkey hash was being generated and set in the keypair when the
TLS context was being configured. This code should not be messing around
with the keypair contents, since it is part of the config (and not the
context).

Instead, generate the pubkey hash and store it in the keypair when the
certificate is configured. This means that we are guaranteed to have the
pubkey hash and as a side benefit, we identify bad certificate content
when it is provided, instead of during the context configuration.

ok beck@

6 years agoTidy/standardise some code.
jsing [Sat, 10 Feb 2018 04:48:44 +0000 (04:48 +0000)]
Tidy/standardise some code.