openbsd
3 months agoModify ipcp module to return a result for
yasuoka [Mon, 22 Jul 2024 09:39:23 +0000 (09:39 +0000)]
Modify ipcp module to return a result for
IMSG_RADIUSD_MODULE_IPCP_DISCONNECT and radiusctl to handle the
result.

3 months agoMake some functions "static".
yasuoka [Mon, 22 Jul 2024 09:27:16 +0000 (09:27 +0000)]
Make some functions "static".

3 months agoSwitch proc_finish_wait() to use the process as argument instead of its
claudio [Mon, 22 Jul 2024 08:18:53 +0000 (08:18 +0000)]
Switch proc_finish_wait() to use the process as argument instead of its
ps_mainproc. dowait6() needs to stop using ps_mainproc and this is the
first step.
OK guenther@

3 months agoFor AMD SEV determine C-bit position and guest mode in locore0.
bluhm [Sun, 21 Jul 2024 19:41:31 +0000 (19:41 +0000)]
For AMD SEV determine C-bit position and guest mode in locore0.

Actually determine the C-bit position if we are running as a guest
with SEV enabled.  Configure pg_crypt, pg_frame and pg_lgframe
accordingly, using the physical address bit reduction provided by
cpuid.

from hshoexer@; OK mlarkin@

3 months agoPopulate hwcap and hwcap2 based on the sanitized values of the ID register
kettenis [Sun, 21 Jul 2024 18:57:31 +0000 (18:57 +0000)]
Populate hwcap and hwcap2 based on the sanitized values of the ID register
values and the feature bits that we recognize.

ok naddy@, jca@

3 months agoExport basic HWCAP bits to let applications detect Altivec & VSX on powerpc64
jca [Sun, 21 Jul 2024 16:49:26 +0000 (16:49 +0000)]
Export basic HWCAP bits to let applications detect Altivec & VSX on powerpc64

Input from miod@ and gkoehler@, tests & ok gkoehler@

3 months agoExport basic HWCAP bits to let applications detect Altivec on powerpc
jca [Sun, 21 Jul 2024 16:46:56 +0000 (16:46 +0000)]
Export basic HWCAP bits to let applications detect Altivec on powerpc

Input from miod@ and gkoehler@, tests & ok gkoehler@

3 months agoA few manual ret-cleans. Seeing as these pertain to interrupt servicing,
deraadt [Sun, 21 Jul 2024 16:19:25 +0000 (16:19 +0000)]
A few manual ret-cleans.  Seeing as these pertain to interrupt servicing,
the stack utilization ends up near the the deep end of the stack where,
retcleans are useful. tested for a while in snaps
ok bluhm

3 months agoasn1time: indicate which comparison function failed
tb [Sun, 21 Jul 2024 13:25:11 +0000 (13:25 +0000)]
asn1time: indicate which comparison function failed

extracted from a diff by Kenjiro Nakayama

3 months agoAdd optimized character rendering case for 6 pixels wide fonts in
fcambus [Sun, 21 Jul 2024 13:18:15 +0000 (13:18 +0000)]
Add optimized character rendering case for 6 pixels wide fonts in
rasops32_putchar().

From jon (at) elytron (dot) openbsd (dot) amsterdam.

3 months agoAdd back a .
tb [Sun, 21 Jul 2024 09:24:07 +0000 (09:24 +0000)]
Add back a .

3 months agoUnify description of the obsolete ENGINE parameter
tb [Sun, 21 Jul 2024 08:36:43 +0000 (08:36 +0000)]
Unify description of the obsolete ENGINE parameter

This uses the same language in most manuals mentioning the obsolete
ENGINE parameters. Make it clear that it is always ignored and that
NULL should be passed. Always call it engine instead of a mix of e
pe, impl, eng.

3 months agoDrop ENGINE from EVP_PKEY_derive example
tb [Sun, 21 Jul 2024 08:25:33 +0000 (08:25 +0000)]
Drop ENGINE from EVP_PKEY_derive example

3 months agoGarbage collect ENGINE "use" from EVP_PKEY_decrypt() example
tb [Sun, 21 Jul 2024 08:10:17 +0000 (08:10 +0000)]
Garbage collect ENGINE "use" from EVP_PKEY_decrypt() example

3 months agoMake example slightly less terrible by dropping the ENGINE "handling"
tb [Sun, 21 Jul 2024 08:02:17 +0000 (08:02 +0000)]
Make example slightly less terrible by dropping the ENGINE "handling"

3 months agoFix golden numbers after beck broke it months ago
tb [Sat, 20 Jul 2024 18:37:38 +0000 (18:37 +0000)]
Fix golden numbers after beck broke it months ago
(why is it always me who gets to clean up this shit?)

3 months agoUnlock udp(4) somove().
mvs [Sat, 20 Jul 2024 17:26:19 +0000 (17:26 +0000)]
Unlock udp(4) somove().

Socket splicing belongs to sockets buffers. udp(4) sockets are fully
switched to fine-grained buffers locks, so use them instead of exclusive
solock().

Always schedule somove() thread to run as we do for tcp(4) case. This
brings delay to packet processing, but it is comparable wit non splicing
case where soreceive() threads are always scheduled.

So, now spliced udp(4) sockets rely on sb_lock() of `so_rcv' buffer
together with `sb_mtx' mutexes of both buffers. Shared solock() only
required around pru_send() call, so the most of somove() thread runs
simultaneously with network stack.

Also document 'sosplice' structure locking.

Feedback, tests and OK from bluhm.

3 months agoUVIDEO_DEBUG needs fcntl.h
jsg [Sat, 20 Jul 2024 12:34:52 +0000 (12:34 +0000)]
UVIDEO_DEBUG needs fcntl.h
reported by Peter J. Philipp

3 months agoFix regression introduced in previous causing HEAD requests to be
anton [Sat, 20 Jul 2024 06:54:15 +0000 (06:54 +0000)]
Fix regression introduced in previous causing HEAD requests to be
erroneously rejected as malformed.

ok chrisz@

3 months agoRemove cipher from SSL_SESSION.
jsing [Sat, 20 Jul 2024 04:04:23 +0000 (04:04 +0000)]
Remove cipher from SSL_SESSION.

For a long time SSL_SESSION has had both a cipher ID and a pointer to
an SSL_CIPHER (and not both are guaranteed to be populated). There is also
a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher
being used for this connection. Some code has been using the cipher from
SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE.

Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE
everywhere. If resuming from a session then we need to use the SSL_SESSION
cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that
we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE
cipher changes (this only occurs in a few places).

ok tb@

3 months agoUnlock sysctl net.inet.ip.redirect and net.inet6.ip6.redirect.
bluhm [Fri, 19 Jul 2024 16:58:31 +0000 (16:58 +0000)]
Unlock sysctl net.inet.ip.redirect and net.inet6.ip6.redirect.

Variable ip and ip6 sendredirects is only read once during packet
processing.  Use atomic_load_int() to access the value in exactly
one read instruction.  No memory barriers needed as there is no
correlation with other values.
Sort the ip and ip6 checks, so the difference is easier to see.
Move access to global variable to the end.

OK mvs@

3 months agoRelax socket lock assertion in UDP input and send.
bluhm [Fri, 19 Jul 2024 15:41:58 +0000 (15:41 +0000)]
Relax socket lock assertion in UDP input and send.

OK mvs@

3 months agounveil(2) /etc/gettytab.db in getty(8) to avoid possible violation.
bluhm [Fri, 19 Jul 2024 15:28:51 +0000 (15:28 +0000)]
unveil(2) /etc/gettytab.db in getty(8) to avoid possible violation.

OK deraadt@

3 months agosync
deraadt [Fri, 19 Jul 2024 14:32:56 +0000 (14:32 +0000)]
sync

3 months agoAnnotate issues with tls_session_secret_cb() related code.
jsing [Fri, 19 Jul 2024 08:56:17 +0000 (08:56 +0000)]
Annotate issues with tls_session_secret_cb() related code.

3 months agoMove client ciphers from SSL_SESSION to SSL_HANDSHAKE.
jsing [Fri, 19 Jul 2024 08:54:31 +0000 (08:54 +0000)]
Move client ciphers from SSL_SESSION to SSL_HANDSHAKE.

SSL_SESSION has a 'ciphers' member which contains a list of ciphers
that were advertised by the client. Move this from SSL_SESSION to
SSL_HANDSHAKE and rename it to match reality.

ok tb@

3 months agotest transfers in mux proxy mode too
djm [Fri, 19 Jul 2024 04:33:36 +0000 (04:33 +0000)]
test transfers in mux proxy mode too

3 months agoKeep Content-length header in HEAD responses.
chrisz [Fri, 19 Jul 2024 04:26:23 +0000 (04:26 +0000)]
Keep Content-length header in HEAD responses.

ok millert@

3 months agoSend Access-Reject when the authentication is not handled or the user
yasuoka [Thu, 18 Jul 2024 22:40:09 +0000 (22:40 +0000)]
Send Access-Reject when the authentication is not handled or the user
is not found.

3 months agounveil .db is needed. Also move pledge() earlier.
yasuoka [Thu, 18 Jul 2024 22:18:00 +0000 (22:18 +0000)]
unveil .db is needed.  Also move pledge() earlier.

3 months agoFix typos in previous commit spotted by naddy@
kettenis [Thu, 18 Jul 2024 17:18:01 +0000 (17:18 +0000)]
Fix typos in previous commit spotted by naddy@

3 months agoThe source of a link (name1) may not be a directory.
millert [Thu, 18 Jul 2024 15:38:57 +0000 (15:38 +0000)]
The source of a link (name1) may not be a directory.

POSIX says this is implementation-dependent; OpenBSD does not allow
it.  OK guenther@

3 months agoIn pfattach() pass malloc type instead of flags to cpumem_malloc().
bluhm [Thu, 18 Jul 2024 14:46:28 +0000 (14:46 +0000)]
In pfattach() pass malloc type instead of flags to cpumem_malloc().

from markus@

3 months agosync
deraadt [Thu, 18 Jul 2024 11:21:10 +0000 (11:21 +0000)]
sync

3 months agoFix memory leaks and improve id handling of iked_radserver_req.
yasuoka [Thu, 18 Jul 2024 08:58:59 +0000 (08:58 +0000)]
Fix memory leaks and improve id handling of iked_radserver_req.
original diff from markus

ok tobhe

3 months agoremove extra punctuation; from alexander arch
jmc [Thu, 18 Jul 2024 05:44:46 +0000 (05:44 +0000)]
remove extra punctuation; from alexander arch

3 months agoSince libcrypto is used to calc message authenticator, use libcrypto
yasuoka [Thu, 18 Jul 2024 02:45:31 +0000 (02:45 +0000)]
Since libcrypto is used to calc message authenticator, use libcrypto
md5 also in other places instead libc md5.

ok millert

3 months agomention mux proxy mode
djm [Thu, 18 Jul 2024 01:47:27 +0000 (01:47 +0000)]
mention mux proxy mode

3 months agoAdd a link to radiud_file(8)
yasuoka [Thu, 18 Jul 2024 00:28:53 +0000 (00:28 +0000)]
Add a link to radiud_file(8)

3 months agosed: use warn()/err() where appropriate
millert [Wed, 17 Jul 2024 20:57:15 +0000 (20:57 +0000)]
sed: use warn()/err() where appropriate

Use warn()/err() instead of sed's homegrown warning()/error() for
things other than parser problems.  The warning()/error() functions
display the file and line number in addition to the error message.
This also removes of the COMPILE/FATAL argument to error() since
now all calls to error() are for compilation/parsing issues.
OK op@ espie@

3 months agoAdd Message-Authenticator attriubte when sending Access-Request.
yasuoka [Wed, 17 Jul 2024 20:50:28 +0000 (20:50 +0000)]
Add Message-Authenticator attriubte when sending Access-Request.

ok millert

3 months agoAdd RCS id
tb [Wed, 17 Jul 2024 15:22:56 +0000 (15:22 +0000)]
Add RCS id

3 months agoClean up the cpi_id_aa64xxx variables at the end of autoconf such that
kettenis [Wed, 17 Jul 2024 15:21:59 +0000 (15:21 +0000)]
Clean up the cpi_id_aa64xxx variables at the end of autoconf such that
sysclt(2) and ID register access emulation can share the variables.

ok jca@

3 months agoEnable regress for SSL_CIPHER_get_handshake_digest()
jsing [Wed, 17 Jul 2024 15:01:22 +0000 (15:01 +0000)]
Enable regress for SSL_CIPHER_get_handshake_digest()

Turns out this is already linked statically.

3 months agosync
deraadt [Wed, 17 Jul 2024 14:57:59 +0000 (14:57 +0000)]
sync

3 months agoRework cipher find test to also provide coverage for SSL_CIPHER_*()
jsing [Wed, 17 Jul 2024 14:51:54 +0000 (14:51 +0000)]
Rework cipher find test to also provide coverage for SSL_CIPHER_*()

3 months agoBe clear that RUSAGE_CHILDREN only works for terminated children that have
claudio [Wed, 17 Jul 2024 13:29:05 +0000 (13:29 +0000)]
Be clear that RUSAGE_CHILDREN only works for terminated children that have
been waited for. If you SIG_IGN SIGCHLD or don't call any of the wait
functions then RUSAGE_CHILDREN wont report anything.
OK deraadt@ millert@

3 months agoFix some gcc warnings
yasuoka [Wed, 17 Jul 2024 11:31:46 +0000 (11:31 +0000)]
Fix some gcc warnings

3 months agominor repairs
deraadt [Wed, 17 Jul 2024 11:20:24 +0000 (11:20 +0000)]
minor repairs

3 months agoError if config parameter is unknown. This also fixes a gcc warning.
yasuoka [Wed, 17 Jul 2024 11:19:27 +0000 (11:19 +0000)]
Error if config parameter is unknown.  This also fixes a gcc warning.
spotted by deraadt

3 months agoDocument "authentication-filter".
yasuoka [Wed, 17 Jul 2024 11:13:22 +0000 (11:13 +0000)]
Document "authentication-filter".

3 months agoDecrypt "Password" attribute always before passing the packet to
yasuoka [Wed, 17 Jul 2024 11:05:11 +0000 (11:05 +0000)]
Decrypt "Password" attribute always before passing the packet to
modules.  Also, don't assume the authenticator of the packet from the
module that has no secret is valid.

3 months agoDelete log_info() line for debug.
yasuoka [Wed, 17 Jul 2024 10:15:39 +0000 (10:15 +0000)]
Delete log_info() line for debug.

3 months agoSync struct proc P_BITS with reality.
claudio [Wed, 17 Jul 2024 09:54:14 +0000 (09:54 +0000)]
Sync struct proc P_BITS with reality.

Remove "\027XX" (old systrace flag) and "\035SOFTDEP".
OK jsg@

3 months agoFix indent
yasuoka [Wed, 17 Jul 2024 08:26:19 +0000 (08:26 +0000)]
Fix indent

3 months agoDisplay an error message for "sed -i" if the file is unwritable
millert [Wed, 17 Jul 2024 03:05:19 +0000 (03:05 +0000)]
Display an error message for "sed -i" if the file is unwritable

Previously, sed would fail silently if it was unable to move the
temporary file into place.  Also allow "sed -i" on symbolic link--the
link will be broken but this matches GNU sed behavior.  From espie@
OK op@

3 months agoUpdate regress for removal of SSL_HANDSHAKE_MAC_DEFAULT.
jsing [Tue, 16 Jul 2024 14:38:59 +0000 (14:38 +0000)]
Update regress for removal of SSL_HANDSHAKE_MAC_DEFAULT.

3 months agoClean up SSL_HANDSHAKE_MAC_DEFAULT.
jsing [Tue, 16 Jul 2024 14:38:04 +0000 (14:38 +0000)]
Clean up SSL_HANDSHAKE_MAC_DEFAULT.

The handshake MAC needs to be upgraded when TLSv1.0 and TLSv1.1
ciphersuites are used with TLSv1.2. Since we no longer support TLSv1.0
and TLSv1.1, we can simply upgrade the handshake MAC in the ciphersuite
table and remove the various defines/macros/code that existed to handle
the upgrade.

ok tb@

3 months agoFix .Ox for SSL_CIPHER_get_handshake_digest()
tb [Tue, 16 Jul 2024 10:19:38 +0000 (10:19 +0000)]
Fix .Ox for SSL_CIPHER_get_handshake_digest()

3 months agosync
deraadt [Tue, 16 Jul 2024 08:25:47 +0000 (08:25 +0000)]
sync

3 months agoOnly perform the static_assert checks in C>=11 environment; unbreaks build
miod [Tue, 16 Jul 2024 06:18:20 +0000 (06:18 +0000)]
Only perform the static_assert checks in C>=11 environment; unbreaks build
on platforms using gcc.

3 months agoFix the SIGHUP signal race. ed's "event loop" operates a getchar(); check
deraadt [Tue, 16 Jul 2024 05:01:10 +0000 (05:01 +0000)]
Fix the SIGHUP signal race.  ed's "event loop" operates a getchar(); check
the hup flag before and after that call, when the buffer structures are stable
for write_file() to work.  Remove the hup handling from the SPL0() macro,
because this is run in at least one place during structure instability.
The SIGINT handler, which uses siglongjmp(), is also trusting the SPL1/SPL0
dance more than it should.
ok millert

3 months agomatch on Atom C3000
jsg [Tue, 16 Jul 2024 01:14:23 +0000 (01:14 +0000)]
match on Atom C3000
from and tested by Brendan Shanks

3 months agoSwitch the EVP_PKEY_*attr* API to LCRYPTO_UNUSED()
tb [Mon, 15 Jul 2024 18:50:42 +0000 (18:50 +0000)]
Switch the EVP_PKEY_*attr* API to LCRYPTO_UNUSED()

This would have prevented the PKCS12 oopsie.

3 months agoFix PKCS12_create()
tb [Mon, 15 Jul 2024 15:43:25 +0000 (15:43 +0000)]
Fix PKCS12_create()

This tries to copy some microsoft attributes which are not usually present
and chokes on the now disabled EVP_PKEY_*attr* API. Instead of reviving
about four layers of traps and indirection, just inline the two functions
in a way that should be more obvious.

found by anton via the ruby-openssl tests
ok jsing

3 months agoMake the touchpad on the Samsung Galaxy Book4 Edge work.
mglocker [Mon, 15 Jul 2024 15:33:54 +0000 (15:33 +0000)]
Make the touchpad on the Samsung Galaxy Book4 Edge work.

ok patrick@

3 months agoMop up TLS1_PRF* defines.
jsing [Mon, 15 Jul 2024 14:45:15 +0000 (14:45 +0000)]
Mop up TLS1_PRF* defines.

These have not been used for a long time, however SSL_CIPHER was not opaque
at the time, hence they had to stick around. Now that SSL_CIPHER is opaque
we can simply mop them up.

ok tb@

3 months agoAdd e2fs_fsmnt, and the newly defined e2fs_kbytes_written to the list of
martijn [Mon, 15 Jul 2024 13:32:50 +0000 (13:32 +0000)]
Add e2fs_fsmnt, and the newly defined e2fs_kbytes_written to the list of
fields that can differ between the primary and 1st backup superblock.

This fixes fsck issues I've encountered on my system with a shared home
partition.

OK miod@

3 months agoAdd ext4 field definitions. Taken from NetBSD, with some cosmetic
martijn [Mon, 15 Jul 2024 13:27:36 +0000 (13:27 +0000)]
Add ext4 field definitions. Taken from NetBSD, with some cosmetic
changes to keep it in line with our style.

OK miod@

3 months agofix signature of main()
anton [Mon, 15 Jul 2024 10:11:56 +0000 (10:11 +0000)]
fix signature of main()

3 months agoAdd support for the RK3588 eMMC controller. This is mostly the same, with
patrick [Mon, 15 Jul 2024 09:56:30 +0000 (09:56 +0000)]
Add support for the RK3588 eMMC controller.  This is mostly the same, with
some HS400 bits that we don't support yet.  While there, fix some constants
that weren't applied to the correct registers.

ok dlg@

3 months agoAdd RK3588 eMMC clocks and resets.
patrick [Mon, 15 Jul 2024 09:54:38 +0000 (09:54 +0000)]
Add RK3588 eMMC clocks and resets.

ok dlg@

3 months agosync PS_BITS with flags; ok claudio@
jsg [Mon, 15 Jul 2024 07:24:03 +0000 (07:24 +0000)]
sync PS_BITS with flags; ok claudio@

3 months agobioctl.8:
jmc [Mon, 15 Jul 2024 05:36:08 +0000 (05:36 +0000)]
bioctl.8:
- tweak bioctl text
- don;t repeat the device examples
- reinstate softraid device being always softraid0

usage():
- add vertical blank between two formats
- rewrap to match 80col (shorter and matches man)

feedback/ok krw kn

3 months agoenable warnings and apply a dash of knfmt
anton [Mon, 15 Jul 2024 05:24:02 +0000 (05:24 +0000)]
enable warnings and apply a dash of knfmt

3 months agoocurred -> occurred
jsg [Mon, 15 Jul 2024 00:11:59 +0000 (00:11 +0000)]
ocurred -> occurred

3 months agoThis change allows user to define table inside the anchor like that:
sashan [Sun, 14 Jul 2024 19:51:08 +0000 (19:51 +0000)]
This change allows user to define table inside the anchor like that:
anchor foo {
table <bar> { 192.168.1.1 }
pass in from <bar> to <self>
}
Without this diff one must either create table <bar> in main
ruleset (root) or use 'pfctl -a foo -t bar -T add 192.168.1.1'
This glitch is hard to notice. Not many human admins try to attach
tables to non-global anchors. Deamons which configure pf(4) automatically
at run time such as relayd(8) and spamd(8) create tables attached to
thair anchors (for example 'relayd/*') but the deamons use way similar
to pfctl(8) to add and manage those tables.

The reason why I'd like to seal this gap is that my long term goal
is to turn global `pfr_ktable` in pf(4) into member of pf_anchor.
So each ruleset will get its own tree of tables.

feedback and OK bluhm@

3 months agoAdd missing <machine/elf.h> for compound arches.
miod [Sun, 14 Jul 2024 19:33:59 +0000 (19:33 +0000)]
Add missing <machine/elf.h> for compound arches.

The spice^Wkernel must flow^Wbuild.

3 months agoUnlock IPv6 sysctl net.inet6.ip6.forwarding from net lock.
bluhm [Sun, 14 Jul 2024 18:53:39 +0000 (18:53 +0000)]
Unlock IPv6 sysctl net.inet6.ip6.forwarding from net lock.

Use atomic operations to read ip6_forwarding while processing packets
in the network stack.
To make clear where actually the router property is needed, use the
i_am_router variable based on ip6_forwarding.  It already existed
in nd6_nbr.  Move i_am_router setting up the call stack until all
users are independent.
The forwarding decisions in pf_test, pf_refragment6, ip6_input do
also not interfere.
Use a new array ipv6ctl_vars_unlocked to make transition of all the
integer sysctls easier.  Adapt IPv4 to the new style.

OK mvs@

3 months agoenable warnings and fix complaints
anton [Sun, 14 Jul 2024 18:49:32 +0000 (18:49 +0000)]
enable warnings and fix complaints

3 months agofix SEE ALSO and a word tweak;
jmc [Sun, 14 Jul 2024 18:11:18 +0000 (18:11 +0000)]
fix SEE ALSO and a word tweak;

3 months agogrammar and macro tweaks;
jmc [Sun, 14 Jul 2024 18:09:05 +0000 (18:09 +0000)]
grammar and macro tweaks;

3 months agozap a stray Nd line;
jmc [Sun, 14 Jul 2024 18:03:59 +0000 (18:03 +0000)]
zap a stray Nd line;

3 months agoAdd radiusd_file(5) and link it from radiusd.conf(5).
yasuoka [Sun, 14 Jul 2024 16:22:59 +0000 (16:22 +0000)]
Add radiusd_file(5) and link it from radiusd.conf(5).

3 months agoAdd new radiusd_eap2mschap module. It provides conversions from EAP
yasuoka [Sun, 14 Jul 2024 16:09:23 +0000 (16:09 +0000)]
Add new radiusd_eap2mschap module.  It provides conversions from EAP
to MSCHAPv2.

3 months agoShuffle verbiage to make page more general. e.g. by mentioning
krw [Sun, 14 Jul 2024 16:09:06 +0000 (16:09 +0000)]
Shuffle verbiage to make page more general. e.g. by mentioning
nvme(4).

Feedback jmc@ jmatthew@ deraadt@ kn@

ok jmc@ kn@

3 months agoRewrite EVP_PKEY_add1_attr_by_NID()
tb [Sun, 14 Jul 2024 16:06:31 +0000 (16:06 +0000)]
Rewrite EVP_PKEY_add1_attr_by_NID()

Instead of jumping through many layers that cause headache, we can achieve
the same in an entirely straightforward way without losing clarity.

ok jsing

3 months agoDisable most EVP_PKEY_*attr* API
tb [Sun, 14 Jul 2024 16:04:10 +0000 (16:04 +0000)]
Disable most EVP_PKEY_*attr* API

There is a single consumer of this entire family of function, namely
the openssl(1) pkcs12 command uses EVP_PKEY_add1_attr_by_NID, so leave
that one intact for now.

ok jsing

3 months agoForgot to annotate the TMP UGLY CAST[S] as requested by jsing
tb [Sun, 14 Jul 2024 15:56:08 +0000 (15:56 +0000)]
Forgot to annotate the TMP UGLY CAST[S] as requested by jsing

h/t to levitte

3 months agoDocument SSL_CIPHER_get_handshake_digest(3)
tb [Sun, 14 Jul 2024 15:48:24 +0000 (15:48 +0000)]
Document SSL_CIPHER_get_handshake_digest(3)

3 months agoFix source and drain confusion in socket splicing somove().
bluhm [Sun, 14 Jul 2024 15:42:23 +0000 (15:42 +0000)]
Fix source and drain confusion in socket splicing somove().

If a large mbuf in the source socket buffer does not fit into the
drain buffer, split the mbuf.  But if the drain buffer still has
some data in it, stop moving data and try again later.  This skips
a potentially expensive mbuf operation.
When looking which socket buffer has to be locked, I found that the
length of the source send buffer was checked.  Change it to drain.
As this is a performance optimization for a special corner case,
noone noticed the bug.

OK sashan@

3 months agoPrepare to provide SSL_CIPHER_get_handshake_digest()
tb [Sun, 14 Jul 2024 15:39:36 +0000 (15:39 +0000)]
Prepare to provide SSL_CIPHER_get_handshake_digest()

Needed by newer freeradius. This is a straightforward implementation that
essentially duplicates tls13_cipher_hash().

ok jsing

3 months agoMove radius_attr_{,un}hide() to radius_subr.c.
yasuoka [Sun, 14 Jul 2024 15:31:49 +0000 (15:31 +0000)]
Move radius_attr_{,un}hide() to radius_subr.c.

3 months agoAdd "authentication-filter". Add new 2 imsg types so that
yasuoka [Sun, 14 Jul 2024 15:27:57 +0000 (15:27 +0000)]
Add "authentication-filter".  Add new 2 imsg types so that
authentication modules can request the next authentication and the
next authentication can receive the result of the previous and modify
the result.

3 months agoSet length of MPPE send/recv key.
yasuoka [Sun, 14 Jul 2024 15:13:41 +0000 (15:13 +0000)]
Set length of MPPE send/recv key.

3 months agoRemove lhash_local.h.
jsing [Sun, 14 Jul 2024 14:32:45 +0000 (14:32 +0000)]
Remove lhash_local.h.

lhash_local.h was previously needed since conf/conf_api.c and
objects/obj_dat.c were fiddling with lhash internals when deleting via a
callback. Since we no longer need to do that, inline the structs in
lhash.c and remove the header.

ok tb@

3 months agoZap trailing whitespace
jca [Sun, 14 Jul 2024 14:32:02 +0000 (14:32 +0000)]
Zap trailing whitespace

Dummy commit to trigger the git exporter.

3 months agoOnly match if we can find a corresponding cpu device. This means the
jmatthew [Sun, 14 Jul 2024 14:04:16 +0000 (14:04 +0000)]
Only match if we can find a corresponding cpu device.  This means the
many extra ACPI0007 instances found in current generation servers no
longer fill up dmesg with noise.

ok kettenis@

3 months agoFor specific hids (currently only ACPI0007, acpicpu(4)), use a print
jmatthew [Sun, 14 Jul 2024 13:58:57 +0000 (13:58 +0000)]
For specific hids (currently only ACPI0007, acpicpu(4)), use a print
function that always returns QUIET so instances that don't get matched
are not reported.

ok kettenis@

3 months agoAdd radiusd_file(8) module. It provides authencation by a local file.
yasuoka [Sun, 14 Jul 2024 13:44:30 +0000 (13:44 +0000)]
Add radiusd_file(8) module.  It provides authencation by a local file.