openbsd
jasper [Wed, 1 Sep 2021 09:26:32 +0000 (09:26 +0000)]
remove manual fiddling with MALLOC_OPTIONS from libc regress tests

these options should be set globally (sysctl) when running regress as opposed to having
individual tests set it, barring a few specific exceptions.

ok bluhm@

claudio [Wed, 1 Sep 2021 08:17:37 +0000 (08:17 +0000)]
Document the http_proxy environment variable

deraadt [Wed, 1 Sep 2021 08:15:53 +0000 (08:15 +0000)]
quietly attempt mounting of /var/log early, in case someone creates such
a partition to avoid /var overflow issues
ok benno beck

beck [Wed, 1 Sep 2021 08:12:15 +0000 (08:12 +0000)]
Add a regression test to verify that we call the callback in the same
order on success for both the legacy and the new verifier. This avoids
problems as seen in perl's regression tests for some of the crazy things
net:ssleay does.

This is currently marked as expected to fail, it will be expected to
succeed after a forthcoming commit from me.

claudio [Wed, 1 Sep 2021 08:09:41 +0000 (08:09 +0000)]
Add http_proxy support to rpki-client's http handler.
OK tb@

mpi [Wed, 1 Sep 2021 08:06:49 +0000 (08:06 +0000)]
Imitate how free(3) behaves and make map_clear() work on NULL map.

mpi [Wed, 1 Sep 2021 08:01:09 +0000 (08:01 +0000)]
Always print non-empty map & hist on exit even if there's an END rule.

Match bpftrace behavior.

mpi [Wed, 1 Sep 2021 07:35:21 +0000 (07:35 +0000)]
Support for inserting pid/tid/cpu builtins in map/hist.

dtucker [Wed, 1 Sep 2021 03:16:06 +0000 (03:16 +0000)]
Fix ssh-rsa fallback for old PuTTY interop tests.

dtucker [Wed, 1 Sep 2021 00:50:27 +0000 (00:50 +0000)]
Add a function to skip remaining tests.  Many tests skip tests for
various reasons but not in a consistent way and don't always clean
up, so add that and switch the tests that do that over.

kn [Tue, 31 Aug 2021 23:53:42 +0000 (23:53 +0000)]
Honour netinet6 when generating symlinks to tags files

"make tags" needs "make links" to have tags available in subdirectories and
netinet6 has been missing all the time.

OK tb

bluhm [Tue, 31 Aug 2021 23:33:05 +0000 (23:33 +0000)]
Make include bsd.prog.mk is supporting PROGS for a while.  Allow
multiple programs also in bsd.regress.mk for consistency.
OK anton@

patrick [Tue, 31 Aug 2021 23:05:11 +0000 (23:05 +0000)]
Implement suspend/resume for bwfm(4) with PCIe backend.  We try to send the
device into D3 and do a hot-resume if possible.  Otherwise we need to clean
up the resources to allow complete HW re-initialization to take place.

jmatthew [Tue, 31 Aug 2021 22:56:24 +0000 (22:56 +0000)]
regen

jmatthew [Tue, 31 Aug 2021 22:55:56 +0000 (22:55 +0000)]
Add Aquantia USB ethernet devices

from Brad originally

patrick [Tue, 31 Aug 2021 21:46:00 +0000 (21:46 +0000)]
Clean up the list of chips upon detach and mark us uninitialized.

patrick [Tue, 31 Aug 2021 21:13:24 +0000 (21:13 +0000)]
Properly deallocate some more structures upon detach, and make sure we're
not considered initialized anymore.

patrick [Tue, 31 Aug 2021 21:02:09 +0000 (21:02 +0000)]
Initialize some struct variables to make sure that upon reinit, caused by
a suspend/resume cycle, the values are set to a sane default.

patrick [Tue, 31 Aug 2021 20:58:51 +0000 (20:58 +0000)]
Initialize ring read/write pointers to make sure that upon reinit, caused
by a suspend/resume cycle, the pointers are set to a sane default.

kn [Tue, 31 Aug 2021 20:28:45 +0000 (20:28 +0000)]
Adjust .Bl width

kn [Tue, 31 Aug 2021 20:18:03 +0000 (20:18 +0000)]
Say autoconf not dhcp

Do not abuse "dhcp" to say "DHCP and SLAAC".
unwind.conf(5) does so but unwindctl(8) does not;  in fact, the latter
already has `status autoconf' to
    Show nameservers learned from dhclient(8), dhcpleased(8) or slaacd(8).

Adjust unwind's config manual and internal code accordingly;  still accept
the old keyword but do not document it.

hostname.if(5) already advises for `inet[6] autoconf' instead of `dhcp' and
other related daemons don't abuse the word "dhcp" like unwind does.

Feedback sthen
OK florian

tb [Tue, 31 Aug 2021 20:14:40 +0000 (20:14 +0000)]
Remove some dead code that was missed in an earlier cleanup and
fix a stale comment.

Found by mortimer with clang 13's -Wunused-but-set-variable.

ok beck

florian [Tue, 31 Aug 2021 18:12:47 +0000 (18:12 +0000)]
Make includes follow style(9).

dv [Tue, 31 Aug 2021 17:40:59 +0000 (17:40 +0000)]
vmm(4): add ipi for vmclear, unlock kernel

On Intel VMX hosts, when a guest migrates cpus, VMCS state needs
to be flushed to physical memory before being reloaded on the new
cpu. This diff adds a new ipi to allow a guest resuming on a new
cpu to signal to the old that it needs to vmclear.

To better surface the potential race conditions, unlock the kernel
after handling the ioctl to vmm and simplify the run loops for both
vmx and svm. This requires a new vcpu lock.

Tested by some on tech@. "go for it" @mlarkin

patrick [Tue, 31 Aug 2021 15:53:36 +0000 (15:53 +0000)]
Only use the i8254 delay code if we are specifically using the i8254 as
delay func.  Otherwise simply delay for a second to calibrate the LAPIC.
Install the lapic delay func only if we were using the i8254 before as
delay func.

Discussed with the hackroom
ok kettenis@

patrick [Tue, 31 Aug 2021 15:52:59 +0000 (15:52 +0000)]
Identify the paravirtual bus earlier, as we need to make sure that we have
a working delay func ready before the first occurrence of delay().  This is
necessary on Hyper-V Gen 2 VMs where we don't use the TSC.

Discussed with the hackroom
ok kettenis@

patrick [Tue, 31 Aug 2021 15:52:10 +0000 (15:52 +0000)]
When running on Hyper-V, make use of its timecounter as delay func in case
we're still using the i8254 for that.  On Hyper-V Gen 2 VMs there is no
i8254 we can trust, so we need some kind of fallback, especially if there
is no TSC either.

Discussed with the hackroom
ok kettenis@

kettenis [Tue, 31 Aug 2021 15:37:40 +0000 (15:37 +0000)]
aplpinctrl(4)

claudio [Tue, 31 Aug 2021 15:31:28 +0000 (15:31 +0000)]
Swap lock flags so that LK_EXCLUSIVE is first like in all other places.

kettenis [Tue, 31 Aug 2021 15:21:19 +0000 (15:21 +0000)]
Do pinctrl stuff.

ok patrick@

kettenis [Tue, 31 Aug 2021 15:20:06 +0000 (15:20 +0000)]
Add aplpinctrl(4), a driver for the Apple GPIO controller found on M1 SoCs.

ok patrick@

claudio [Tue, 31 Aug 2021 15:18:53 +0000 (15:18 +0000)]
memset the pfds array in the poll loop and not only at the start.

kettenis [Tue, 31 Aug 2021 15:11:54 +0000 (15:11 +0000)]
Use the TSC delay(9) backend earlier on machines where we can.  Also use
the TSC for delays even if there is a skew between the TSCs of the cores
as this doesn't matter for delay(9).

Gets rid of the unreasonable clock speed reports on Intel Tiger Lake CPUs
where the i8254 behaves in weird ways.

ok patrick@, deraadt@, mlarkin@

deraadt [Tue, 31 Aug 2021 14:45:25 +0000 (14:45 +0000)]
printing the hibernate image size in MB is easier on the eyes
ok mlarkin

mlarkin [Tue, 31 Aug 2021 14:37:49 +0000 (14:37 +0000)]
Add "machine sysregs" command to DDB

From Alex Wilson, Thanks!

jsing [Tue, 31 Aug 2021 13:34:55 +0000 (13:34 +0000)]
Defragment DTLS.

In normal TLS, it is possible for record fragments to be sent that contain
one byte of alert or handshake message payload. In this case we have to
read and collate multiple message fragments before we can decide what to
do with the record.

However, in the case of DTLS, one record is effectively one packet and
while it is possible to send handshake messages across multiple
records/packets, the minimum payload is the DTLS handshake message header
(plus one byte of data if the handshake message has a payload) - without
this, there is insufficient information available to be able to reassemble
the handshake message. Likewise, splitting an alert across multiple DTLS
records simply does not work, as we have no way of knowing if we're
collating the same alert or two different alerts that we lost half of each
from (unfortunately, these details are not really specified in the DTLS
RFC).

This means that for DTLS we can expect to receive a full alert message
(a whole two bytes) or a handshake record with at least the handshake
message header (12 bytes). If we receive messages with less than these
lengths we discard them and carry on (which is what the DTLS code already
does).

Remove all of the pointless fragment handling code from DTLS, while also
fixing an issue where one case used rr->data instead of the handshake
fragment.

ok inoguchi@ tb@

stsp [Tue, 31 Aug 2021 13:19:32 +0000 (13:19 +0000)]
Fix use of wrong pointer argument when freeing firmware paging info in iwx(4).

Found by mpi@ and gnezdo@
ok gnezdo@

martijn [Tue, 31 Aug 2021 13:19:29 +0000 (13:19 +0000)]
Make "relayctl reload" when agentx enabling is toggled in relayd.conf work
consistently.

OK benno@

jsing [Tue, 31 Aug 2021 13:14:43 +0000 (13:14 +0000)]
Remove a nonsensical s->version == TLS1_VERSION from DTLS code.

ok inoguchi@ tb@ (as part of a larger diff)

mpi [Tue, 31 Aug 2021 12:51:56 +0000 (12:51 +0000)]
'if' tests.

mpi [Tue, 31 Aug 2021 12:51:24 +0000 (12:51 +0000)]
Basic test, if (no else atm), support with a single statement.

jan [Tue, 31 Aug 2021 12:24:15 +0000 (12:24 +0000)]
Using suser() instead of doing it manually.

ok patrick@

mpi [Tue, 31 Aug 2021 11:30:21 +0000 (11:30 +0000)]
Support storing syscall arguments in a map/hist.

tb [Tue, 31 Aug 2021 11:19:19 +0000 (11:19 +0000)]
whitespace

claudio [Tue, 31 Aug 2021 10:54:40 +0000 (10:54 +0000)]
Adjust rde_decide test vectors to the fact that struct prefix got changed.
Reminded by bluhm@ that bgpd regress tests failed

jasper [Tue, 31 Aug 2021 09:58:17 +0000 (09:58 +0000)]
enter uuid/

jasper [Tue, 31 Aug 2021 09:57:27 +0000 (09:57 +0000)]
add initial tests for uuid_from_string, uuid_to_string, uuid_create_nil

prompted by the bug krw@ fixed yesterday in uuid_from_string()

deraadt [Tue, 31 Aug 2021 09:56:12 +0000 (09:56 +0000)]
shorten some code

claudio [Tue, 31 Aug 2021 09:51:25 +0000 (09:51 +0000)]
Spacing. OK tb@

mpi [Tue, 31 Aug 2021 08:39:46 +0000 (08:39 +0000)]
Test for operator precedence

mpi [Tue, 31 Aug 2021 08:39:26 +0000 (08:39 +0000)]
Rewrite grammar to implement operator precedence without using %right or %prec.

Arithmetic operators should now behave as expected and tests can now be written
without superfluous parentheses, for example:

syscall:select:entry
/($1 == 0) || (pid == $1)/
{
}

Can now be written:

syscall:select:entry
/$1 == 0 || pid == $1/
{
}

While here improve filter debugging support.

jasper [Tue, 31 Aug 2021 08:06:56 +0000 (08:06 +0000)]
remove empty forward structs from bge_ring_data as found with ctfconv.

tested by and ok jmatthew@

dtucker [Tue, 31 Aug 2021 07:13:59 +0000 (07:13 +0000)]
Specify path to PuTTY keys.  Portable needs this and it makes no
difference on OpenBSD, so resync them.

dtucker [Tue, 31 Aug 2021 06:13:23 +0000 (06:13 +0000)]
When running PuTTY interop tests and using a PuTTY version older than
0.76, re-enable the ssh-rsa host key algorithm (the 256 and 512 variants
of RSA were added some time between 0.73 and 0.76).

robert [Tue, 31 Aug 2021 05:29:55 +0000 (05:29 +0000)]
add support for obtaining sense status and source slot of a media

this fixes a bug in bacula where the catalog was not properly kept
up-to-date if a tape was in a drive because its source slot was
unknown

based on code from FreeBSD; ok krw@

picker 0:  sense: <0x00/0x00> voltag: <:0> avoltag: <:0> source: <>
slot 0: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1168L1:0> avoltag: <:0> source: <slot 0>
slot 1: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1187L1:0> avoltag: <:0> source: <slot 1>
slot 2: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1184L1:0> avoltag: <:0> source: <slot 2>
slot 3: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1195L1:0> avoltag: <:0> source: <slot 3>
slot 4: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1037L1:0> avoltag: <:0> source: <slot 4>
slot 5: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1038L1:0> avoltag: <:0> source: <slot 5>
slot 6: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1166L1:0> avoltag: <:0> source: <slot 6>
slot 7: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1167L1:0> avoltag: <:0> source: <slot 7>
slot 8: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1180L1:0> avoltag: <:0> source: <slot 8>
slot 9: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1186L1:0> avoltag: <:0> source: <slot 9>
slot 10: <ACCESS> sense: <0x00/0x00> voltag: <:0> avoltag: <:0> source: <picker 0>
slot 11: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1182L1:0> avoltag: <:0> source: <slot 11>
slot 12: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1181L1:0> avoltag: <:0> source: <slot 12>
slot 13: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1196L1:0> avoltag: <:0> source: <slot 13>
slot 14: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1169L1:0> avoltag: <:0> source: <slot 14>
slot 15: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1197L1:0> avoltag: <:0> source: <slot 15>
slot 16: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1165L1:0> avoltag: <:0> source: <slot 16>
slot 17: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1199L1:0> avoltag: <:0> source: <slot 17>
slot 18: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1189L1:0> avoltag: <:0> source: <slot 18>
slot 19: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1185L1:0> avoltag: <:0> source: <slot 19>
slot 20: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1198L1:0> avoltag: <:0> source: <slot 20>
slot 21: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1039L1:0> avoltag: <:0> source: <slot 21>
slot 22: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1035L1:0> avoltag: <:0> source: <slot 22>
slot 23: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1188L1:0> avoltag: <:0> source: <slot 23>
drive 0: <ACCESS,FULL> sense: <0x00/0x00> voltag: <XX1183L1:0> avoltag: <:0> source: <slot 10>

anton [Tue, 31 Aug 2021 05:17:49 +0000 (05:17 +0000)]
In enumerating mode, calculate the bit offset using the HID input
location as the product of the corresponding Report Count and Report
Size can be greater than one.

Fixes Richard Toohey's <richardjtoohey at gmail dot com> Dell keyboard.

anton [Tue, 31 Aug 2021 05:16:45 +0000 (05:16 +0000)]
Protect against missing bit to key symbols in ucc_bit_to_sym(). This can
only happen if ucc_hid_parse() has a bug, better play it safe.

dlg [Tue, 31 Aug 2021 04:21:04 +0000 (04:21 +0000)]
sprinkle barriers and dmamem_syncs around the hibernate io path.

at the very least it stops the compiler omgoptimising away important
code.

tested by and ok deraadt@ jmatthew@

jsg [Tue, 31 Aug 2021 01:54:12 +0000 (01:54 +0000)]
revert change to use single rockchip U-Boot image in rev 1.13
abieber@ reports it fails to boot on pinebook-pro-rk3399

dtucker [Tue, 31 Aug 2021 01:25:27 +0000 (01:25 +0000)]
Specify hostkeyalgorithms in sshd's default set for the SSHFP test,
from djm@.  Make the reason for when the test is skipped a bit clearer.

krw [Mon, 30 Aug 2021 20:41:33 +0000 (20:41 +0000)]
Make uuid_from_string() reject a string of the correct length but having a
non-hex digit in the last character.

Inspired by code in uuid_parse() from Ted Ts'o.

ok millert@

job [Mon, 30 Aug 2021 20:25:24 +0000 (20:25 +0000)]
Document new include*/exclude* options in the man page

job [Mon, 30 Aug 2021 20:25:01 +0000 (20:25 +0000)]
Add include/exclude to usage()

OK claudio@

jsing [Mon, 30 Aug 2021 19:25:43 +0000 (19:25 +0000)]
Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@

kn [Mon, 30 Aug 2021 19:14:30 +0000 (19:14 +0000)]
Accept dns proposals for the loopback addresses

Don't reserve^Wignore them for unwind(8);  there are non-unwind use-cases
and so far resolvd(8) always seems to do the right thing when proposing
localhost while unwind is running.

OK benno

jsing [Mon, 30 Aug 2021 19:12:25 +0000 (19:12 +0000)]
Replace DTLS r_epoch with the read epoch from the TLSv1.2 record layer.

ok inoguchi@ tb@

jsing [Mon, 30 Aug 2021 19:00:49 +0000 (19:00 +0000)]
Move to an AEAD nonce allocated in the TLSv1.2 record layer.

There is little to gain by mallocing and freeing the AEAD nonce for each
record - move to an AEAD nonce allocated for the record layer, which
matches what we do for TLSv1.3.

ok inoguchi@ tb@

kn [Mon, 30 Aug 2021 18:49:19 +0000 (18:49 +0000)]
Fix max nameserver proposals limit

Count the total number of proposals and not five per address family each.
Don't print ignored addresses by default anymore and leave that to `-v'.

OK benno

kettenis [Mon, 30 Aug 2021 18:40:19 +0000 (18:40 +0000)]
Remove magic offset from data structures.  This makes it much easier to
compare the data structures with the Linux code which unfortunately is
the only documentation we have for the pin numbers used by ACPI.
While there make the data structures const.

ok jcs@

schwarze [Mon, 30 Aug 2021 18:18:16 +0000 (18:18 +0000)]
sync with OpenSSL 1.1.1, which is still under a free license;
in particular, this includes new text by Matt Caswell
from OpenSSL commit 721eb8f6 Nov 28 12:03:00 2019 +0000
and corrects a wrong argument type that i introduced into the SYNOPSIS;
requested by tb@

tb [Mon, 30 Aug 2021 17:50:05 +0000 (17:50 +0000)]
Remove tests that are now covered by regress/lib/libssl/verify

tb [Mon, 30 Aug 2021 17:34:32 +0000 (17:34 +0000)]
hook verify regress test to build

tb [Mon, 30 Aug 2021 17:34:01 +0000 (17:34 +0000)]
Revert accidental commit

tb [Mon, 30 Aug 2021 17:28:46 +0000 (17:28 +0000)]
link verify regress tests to build

tb [Mon, 30 Aug 2021 17:27:45 +0000 (17:27 +0000)]
Reimplement part of the openssl/x509 regress tests in C

Instead of using s_client and s_server and complicated shell scripts,
we can reuse the framework from the ssl_get_shared_cipher() regress
test and inspect the verify return value directly.

Discussed with beck jan jsing

deraadt [Mon, 30 Aug 2021 17:07:47 +0000 (17:07 +0000)]
Document that %n has been neutered -- it now does syslog+abort.
ok ingo

mpi [Mon, 30 Aug 2021 16:59:17 +0000 (16:59 +0000)]
Fix a locking assertion in error path.

In amap_copy() make the new amap share the source amap's lock right in
the beginning and only allocate a new one if no anon have been referenced.

Issue reported by Thomas L. <tom.longshine at web dot de> on bugs@.

ok tb@

bluhm [Mon, 30 Aug 2021 16:58:52 +0000 (16:58 +0000)]
Improve debugging in /etc/netstart.  Enable print only in ifcreate.
Add debugging output for ipv6 routes.  Make localhost and multicast
code aware of the print only switch.  Allow netstart -n to work
also if no interface is given.
OK kn@

tb [Mon, 30 Aug 2021 16:50:23 +0000 (16:50 +0000)]
Ignore warning alert returns from servername callback in TLSv1.3

If a servername callback returns SSL_TLSEXT_ERR_ALERT_WARNING, this
results in a fatal error in TLSv1.3 since alert levels are implicit
in the alert type and neither close_notify nor user_canceled make
sense in this context. OpenSSL chose to ignore this, so we need to
follow suit.

Found via a broken servername callback in p5-IO-Socket-SSL which
returns a Boolean instead of SSL_TLSEXT_ERR_*. This happened to
have worked before TLSv1.3 since warning alerts are often ignored.

This "fixes" sni.t and sni-verify.t in p5-IO-Socket-SSL.

ok beck jsing

job [Mon, 30 Aug 2021 16:05:55 +0000 (16:05 +0000)]
Properly account entity_queue when the file has already been seen

Thanks to Ben Maddison for helping create a test case

OK claudio@

kn [Mon, 30 Aug 2021 15:46:07 +0000 (15:46 +0000)]
Clarify how dns proposals are replaced not added per interface

OK benno

jasper [Mon, 30 Aug 2021 14:44:39 +0000 (14:44 +0000)]
remove a bunch of forward-only structs that were found with ctfconv.

ok mpi@

job [Mon, 30 Aug 2021 12:44:02 +0000 (12:44 +0000)]
Remove unused files

OK deraadt@

inoguchi [Mon, 30 Aug 2021 12:25:54 +0000 (12:25 +0000)]
Clean up end of do_body in openssl(1) ca

suggested from tb@

inoguchi [Mon, 30 Aug 2021 12:12:11 +0000 (12:12 +0000)]
Remove NULL check before free in openssl(1) ca

ok tb@

mpi [Mon, 30 Aug 2021 11:57:45 +0000 (11:57 +0000)]
Implement '<' and '>' operators in filters.

Based on a diff from and ok dv@

deraadt [Mon, 30 Aug 2021 11:16:49 +0000 (11:16 +0000)]
jca and I converted %n to a syslog warning about a year ago, and the ports
ecosystem experienced a very good cleanup.  Time has arrived to switch (as
planned) to syslog + abort, which will result in a coredump thus identifying
the remaining culprits in a more visible fashion.
vfprintf(3) and vfwprintf(3) man pages still require documentation changes.
with jca

kn [Mon, 30 Aug 2021 11:09:58 +0000 (11:09 +0000)]
INADDR_LOOPBACK check needs htonl(3) to work

Found in resolvd(8) which uses the same code.

kn [Mon, 30 Aug 2021 11:04:50 +0000 (11:04 +0000)]
INADDR_LOOPBACK check needs htonl(3) to work

deraadt [Mon, 30 Aug 2021 09:45:29 +0000 (09:45 +0000)]
increase hibernate writeout speed a little.  modern machines have vast
tracts of unused memory, and the empty-space RLE scanner (uvm_page_rle)
would rescan for empty space needlessly wasting excessive cpu time
16G machine, 100sec -> 9sec
40G machine, 325sec -> 28sec
with kettenis mlarkin

claudio [Mon, 30 Aug 2021 09:09:21 +0000 (09:09 +0000)]
Test for the pathetic case that the 2nd unveil in
    unveil(NULL, NULL); if (fork() == 0) unveil("/", "rwx")
fails with EPERM.

beck [Mon, 30 Aug 2021 09:06:04 +0000 (09:06 +0000)]
Admit that we return error 20 in the failure case here. Changing
our verifier to return 21 results in other regress failures in
ruby and perl.

claudio [Mon, 30 Aug 2021 09:05:44 +0000 (09:05 +0000)]
Make sure unveil remains locked over fork even in the case where the
parent just called unveil(NULL, NULL) and nothing else.
With and OK beck@

beck [Mon, 30 Aug 2021 08:59:33 +0000 (08:59 +0000)]
Revert previous change that changed our default return for unable to
find leaf cert issuers.  This breaks perl and ruby regress, as noticed
by tb that "we tried this before".

Jan's regress that cares about 21 vs 20 needs to change
ok tb@

jasper [Mon, 30 Aug 2021 08:11:12 +0000 (08:11 +0000)]
Remove typedef of db_addr_t; mpi converted the users of it to vaddr_t already
back in 2019.

ok mpi@

claudio [Mon, 30 Aug 2021 08:07:22 +0000 (08:07 +0000)]
Check that fchdir() works. The problem in unveil was fixed some time ago.

claudio [Mon, 30 Aug 2021 08:06:02 +0000 (08:06 +0000)]
Make lines not wrap on 80 char terminals. Code gets more readable.

beck [Mon, 30 Aug 2021 06:51:36 +0000 (06:51 +0000)]
Fix Jan's regress in openssl/x509 to do what it says it does,
then fix the only thing it still has complaints about which
is that we don't return the leaf version of the error code
when we can't verify the leaf (as opposed to the rest of the chain)

ok jan@ tb@

djm [Mon, 30 Aug 2021 01:15:45 +0000 (01:15 +0000)]
adapt to RSA/SHA1 deprecation

djm [Sun, 29 Aug 2021 23:53:10 +0000 (23:53 +0000)]
After years of forewarning, disable the RSA/SHA-1 signature algorithm
by default. It is feasible to create colliding SHA1 hashes, so we
need to deprecate its use.

RSA/SHA-256/512 remains available and will be transparently selected
instead of RSA/SHA1 for most SSH servers released in the last five+
years. There is no need to regenerate RSA keys.

The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the
PubkeyAcceptedAlgorithms directives on the client and server.

ok dtucker deraadt