openbsd
5 weeks ago: fix regression introduced when I switched the "Match" criteria tokeniser
djm [Wed, 25 Sep 2024 01:24:04 +0000 (01:24 +0000)]
fix regression introduced when I switched the "Match" criteria tokeniser
to a more shell-like one. Apparently the old tokeniser (accidentally?)
allowed "Match criteria=argument" as well as the "Match criteria argument"
syntax that we tested for.

People were using this syntax so this adds back support for
"Match criteria=argument"

bz3739 ok dtucker
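
The two tokeniser behaviours described above (shell-like quoting of Match arguments, and the re-added "criteria=argument" spelling), as an added example. This is not OpenSSH code; the set of criterion names is an assumption drawn from sshd_config(5) and ssh_config(5), and the "all"/flag handling is simplified.

```python
"""Tokenise sshd_config / ssh_config "Match" lines.

Added example, not OpenSSH code. Criteria are split with shell-like quoting
(so  Match exec "test -f /tmp/x"  carries one argument) and both
"criteria argument" and "criteria=argument" are accepted. The criterion
names below are an assumption, not taken from the OpenSSH source.
"""
import shlex
from typing import List, Optional, Tuple

# Criteria that take an argument (assumed union of sshd_config and ssh_config).
ARG_CRITERIA = {
    "user", "group", "host", "localaddress", "localport", "rdomain",
    "address", "exec", "originalhost", "localuser", "tagged",
}
# Criteria that stand alone, such as the new "Match invalid-user".
FLAG_CRITERIA = {"invalid-user", "canonical", "final", "all"}


def parse_match(line: str) -> List[Tuple[str, Optional[str]]]:
    """Return [(criterion, argument-or-None), ...] for one Match line.

    Raises ValueError for an unknown criterion, a missing or empty
    argument, or an argument given to a flag criterion.
    """
    tokens = shlex.split(line)  # shell-like quoting, as in the new tokeniser
    if tokens and tokens[0].lower() == "match":
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("Match requires at least one criterion")

    parsed: List[Tuple[str, Optional[str]]] = []
    i = 0
    while i < len(tokens):
        token = tokens[i]
        i += 1
        # Compatibility form restored by the regression fix: criteria=argument.
        if "=" in token:
            crit, arg = token.split("=", 1)
            crit = crit.lower()
            if arg == "":
                raise ValueError(f"Match {crit}= has an empty argument")
        else:
            crit, arg = token.lower(), None

        if crit in FLAG_CRITERIA:
            if arg is not None:
                raise ValueError(f"Match {crit} takes no argument")
            parsed.append((crit, None))
            continue
        if crit not in ARG_CRITERIA:
            raise ValueError(f"unknown Match criterion {crit!r}")
        if arg is None:
            # Original form: the argument is the following token.
            if i >= len(tokens):
                raise ValueError(f"Match {crit} requires an argument")
            arg = tokens[i]
            i += 1
        parsed.append((crit, arg))
    return parsed
```

Note that shlex strips the quotes before the "=" split, so `exec="test -f /x"` and `exec "test -f /x"` yield the same single argument; a value containing a literal "=" is only a problem in the first token position, where it is taken as the separator.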

5 weeks ago: - VM(s) -> VMs
jmc [Tue, 24 Sep 2024 20:02:39 +0000 (20:02 +0000)]
- VM(s) -> VMs
- simpler tense
- fix the -width parameter
- add -nosplit to AUTHORS

5 weeks ago: vmd(8) manpage change for shutdown behaviour
mlarkin [Tue, 24 Sep 2024 19:34:01 +0000 (19:34 +0000)]
vmd(8) manpage change for shutdown behaviour

Document the shutdown behaviour for vmd(8). Suggested via bugs@
via eric at mulh.net.

ok jmc@, bluhm@

5 weeks ago: backout scanner.l strtonum commits; they restrict numbers to INT_MAX,
sthen [Tue, 24 Sep 2024 14:20:31 +0000 (14:20 +0000)]
backout scanner.l strtonum commits; they restrict numbers to INT_MAX,
breaking filter expressions like "ether[14:4]=0xaaaa0300". ok op@ deraadt@

-/--------------------------
revision 1.32
date: 2024/08/29 07:33:50;  author: anton;  state: Exp;  lines: +2 -2;  commitid: ZYtBn8qrrNNh87on;
Fix regression introduced in previous migration to strtol() by
correcting the error condition, making it on par with the example in the
manual.

ok op@
-/--------------------------
revision 1.31
date: 2024/08/28 11:40:33;  author: op;  state: Exp;  lines: +13 -31;  commitid: RirJPBPfGo9NeSE6;
libpcap: replace hand-rolled number parser with strtol

can't use strtonum here since it needs to handle octal and hex
notations as well.  Part of a larger diff that's ok beck@
-/--------------------------

5 weeks ago: Fix sleeping race during malloc in sysctl hw.disknames.
bluhm [Tue, 24 Sep 2024 12:37:11 +0000 (12:37 +0000)]
Fix sleeping race during malloc in sysctl hw.disknames.

When mallocarray(9) sleeps, disk_count can change, and diskstatslen
gets inconsistent.  This caused free(9) to panic.

Reported-by: syzbot+36e1f3b306f721f90c72@syzkaller.appspotmail.com
OK deraadt@ mpi@

5 weeks ago: Remove -r toggle and generally be less smart.
florian [Tue, 24 Sep 2024 07:33:35 +0000 (07:33 +0000)]
Remove -r toggle and generally be less smart.

The default is to install the next release. Snapshots are only
installed when invoked with -s.

The logic on what to do per default got out of hand and it was very
difficult to reason about what sysupgrade(8) actually did. deraadt@
then suggested that we should dumb it all down, sysupgrade(8) is there
to upgrade from one release to the next. More advanced usage needs to
be requested by the user.

With all this simplification we can now be a bit more smart to work
out what the next release is. With that, snapshots right before a
release can be sysupgrade(8)'ed to the official release.

OK sthen on a previous version that was much more complicated but
allowed shortly-before-release -> release upgrade

testing sthen on this version

Guidance, prodding & OK deraadt

5 weeks ago: some extra paranoia, reminded by jsg@
djm [Tue, 24 Sep 2024 02:28:17 +0000 (02:28 +0000)]
some extra paranoia, reminded by jsg@

5 weeks ago: ___linux__ -> __linux__
jsg [Tue, 24 Sep 2024 02:25:20 +0000 (02:25 +0000)]
___linux__ -> __linux__

5 weeks ago: for sysctl on arm64, handle CPU_ID_AA64ISAR1 same as CPU_ID_AA64ISAR0
deraadt [Tue, 24 Sep 2024 02:22:42 +0000 (02:22 +0000)]
for sysctl on arm64, handle CPU_ID_AA64ISAR1 same as CPU_ID_AA64ISAR0
ok sthen

5 weeks ago: If during parsing lines in the script, ksh finds a NUL byte on the
deraadt [Mon, 23 Sep 2024 21:18:33 +0000 (21:18 +0000)]
If during parsing lines in the script, ksh finds a NUL byte on the
line, it should abort ("syntax error: NUL byte unexpected").  There
appears to be one piece of software which is misinterpreting guidance
of this, and trying to depend upon embedded NUL.  During research,
every shell we tested has one or more cases where a NUL byte in the
input or inside variable contents will create divergent behaviour from
other shells.  (i.e. gets converted to a space, is silently skipped, or
aborts script parsing or later execution).  All the shells are written
in C, and the majority of them use C strings for everything, which means
they cannot embed a NUL, so this is not surprising.  It is quite
unbelievable there are people trying to rewrite history on a lark, and
expecting the world to follow along.

If there is ONE THING the Unix world needs, it is for bash/ksh/sh to
stop diverging further by permitting STUPID INPUT that cannot
plausibly work in all other shells.  We are in a post-Postel world.

It remains possible to put arbitrary bytes *AFTER* the parts of the
shell script that get parsed & executed (like some Solaris patch files
do).  But you can't put arbitrary bytes in the middle, ahead of shell
script parsed lines, because shells can't jump to arbitrary offsets
inside the input file, they go THROUGH all the 'valid shell script
text lines' to get there.

This was in snapshots for more than 2 months, and only spotted one
other program depending on the behaviour (and that test program did
not observe that it was therefore depending on incorrect behaviour!!)

ok ingo.  Softer ok's from various others.

5 weeks ago: now hacking on 7.6-current
deraadt [Mon, 23 Sep 2024 21:05:28 +0000 (21:05 +0000)]
now hacking on 7.6-current
(corrected)

5 weeks ago: Replace `&&' with `if' for proper $? handling; OK lucas
kn [Mon, 23 Sep 2024 20:54:01 +0000 (20:54 +0000)]
Replace `&&' with `if' for proper $? handling;  OK lucas

iked and isakmpd guard against themselves with "return 0" as rc.subr(8)
checks rc_pre()'s return code and aborts daemon start iff non-zero, but
that isn't needed if we use ksh properly.

5 weeks ago: now hacking on 7.6-current
deraadt [Mon, 23 Sep 2024 20:50:47 +0000 (20:50 +0000)]
now hacking on 7.6-current

5 weeks ago: zap redundant "|| return 1"; OK lucas
kn [Mon, 23 Sep 2024 20:44:24 +0000 (20:44 +0000)]
zap redundant "|| return 1";  OK lucas

unbound-checkconf(8) itself exits 1 on error already.

5 weeks ago: document SIOCSIFMTU; OK jmc
kn [Mon, 23 Sep 2024 20:38:49 +0000 (20:38 +0000)]
document SIOCSIFMTU;  OK jmc

5 weeks ago: sync struct definitions from headers; OK jmc
kn [Mon, 23 Sep 2024 20:37:42 +0000 (20:37 +0000)]
sync struct definitions from headers; OK jmc

5 weeks ago: recognise Neoverse V3AE (Poseidon AE)
jsg [Mon, 23 Sep 2024 13:50:33 +0000 (13:50 +0000)]
recognise Neoverse V3AE (Poseidon AE)

5 weeks ago: regen
jsg [Mon, 23 Sep 2024 03:59:43 +0000 (03:59 +0000)]
regen

5 weeks ago: add more Navi 32 and Navi 33 device ids
jsg [Mon, 23 Sep 2024 03:59:03 +0000 (03:59 +0000)]
add more Navi 32 and Navi 33 device ids

7460 rev 00 is Radeon Pro V710
7461 rev 00 is Radeon Pro V710
7499 rev 00 is Radeon Pro W7400
7499 rev c0 is Radeon RX 7400
7499 rev c1 is Radeon RX 7300
found in ROCm 6.2.1 libdrm-amdgpu-common

5 weeks ago: add device tree mapping for HP OmniBook X 14
jsg [Mon, 23 Sep 2024 00:10:04 +0000 (00:10 +0000)]
add device tree mapping for HP OmniBook X 14
ok patrick@ kettenis@

5 weeks ago: Reinstate bounds check accidentally disabled when defining OPENSSL_NO_DTLS1
tb [Sun, 22 Sep 2024 14:59:48 +0000 (14:59 +0000)]
Reinstate bounds check accidentally disabled when defining OPENSSL_NO_DTLS1

From Kenjiro Nakayama
Closes https://github.com/libressl/portable/issues/1097

5 weeks ago: remove some unused defines; ok djm@
jsg [Sun, 22 Sep 2024 12:56:21 +0000 (12:56 +0000)]
remove some unused defines; ok djm@

5 weeks ago: For compatibility with groff, the .In macro has been callable and parsed
schwarze [Sun, 22 Sep 2024 10:32:28 +0000 (10:32 +0000)]
For compatibility with groff, the .In macro has been callable and parsed
since mandoc-1.7.24 = mdoc_macro.c rev. 1.11 (July 12, 2009).
Match the documentation to the implementation.
Patch from Evan Silberman <evan at jklol dot net>.

5 weeks ago: Talk less about "Single UNIX" because it has a confusing numbering
schwarze [Sun, 22 Sep 2024 10:13:03 +0000 (10:13 +0000)]
Talk less about "Single UNIX" because it has a confusing numbering
scheme.  Instead, stick to the XPG/POSIX numbering scheme that has
clearly won: earlier this year, POSIX Issue 8 has been released,
and nobody calls it "Single UNIX version 5".

The XPG/POSIX numbering scheme is also preferable because it can
be used for the entire history leading up to the current POSIX
standard (1988-2024), whereas the Single UNIX numbering scheme
only works for the period from XPG4.2 to POSIX Issue 7 (1994-2008).

This patch mostly changes (informational) paragraph headers
and corrects two instances of the incorrect term "XPG version"
to the correct term "XPG Issue".  The (normative) .St argument
definitions remain unchanged, and all supported .St arguments
remain documented, including the deprecated arguments -susv1 to -susv4.

No objections when shown on tech@ a few months ago.

5 weeks ago: Increase the default buffer size for AF_UNIX from 8192 to 32768.
claudio [Sun, 22 Sep 2024 08:40:37 +0000 (08:40 +0000)]
Increase the default buffer size for AF_UNIX from 8192 to 32768.

Using 8k for socketpairs was always on the low end side. Also this
avoids a fatal error in sshd that can be triggered when the network
stack is pushed hard enough to consume most of the allowed memory.
By increasing the default buffer size a bit the error in sshd is
avoided which is good enough for now.

Long term a better solution for sonewconn() and especially sbchecklowmem()
needs to be found. m_pool_used() does not return the right information for
them.

OK deraadt@ otto@

5 weeks ago: remove BACK_CHANNEL define, unused since YP bits removed in rev 1.20
jsg [Sun, 22 Sep 2024 04:19:22 +0000 (04:19 +0000)]
remove BACK_CHANNEL define, unused since YP bits removed in rev 1.20

5 weeks ago: We aren't ready to choose S0-over-S3 based upon the S0ix bit in FADT.
deraadt [Sat, 21 Sep 2024 19:06:06 +0000 (19:06 +0000)]
We aren't ready to choose S0-over-S3 based upon the S0ix bit in FADT.
Some machines which work great in S3, don't work great in S0.

Some people want to be able to force S0, mostly for testing purposes
(or to notice improvements as changes are made in the tree).  Provide
a TEMPORARY method via machdep.lidaction=-1 which will be S0-suspend
while =1 remains S3 suspend.  This button will not remain long-term,
but for now, and during 7.6, it will be better than nothing.
ok ratchov kettenis

5 weeks ago: Check that .In is callable and parsed.
schwarze [Sat, 21 Sep 2024 11:56:36 +0000 (11:56 +0000)]
Check that .In is callable and parsed.
Triggered by a documentation patch from Evan Silberman <evan at jklol dot net>.

I'm not testing yet whether the same applies in the SYNOPSIS section
because there are multiple parsing and formatting differences with groff
in that section.

5 weeks ago: add route-to example
aisha [Sat, 21 Sep 2024 05:37:26 +0000 (05:37 +0000)]
add route-to example

ok benno@

5 weeks ago: vmm(4): remove EPT mprotect ioctl
mlarkin [Sat, 21 Sep 2024 04:36:28 +0000 (04:36 +0000)]
vmm(4): remove EPT mprotect ioctl

This old ioctl isn't used by vmd(8) and is getting in the way of some
improvements we want to do. It was used by solo5 but the person who was
helping maintain this is no longer involved with that project.

ok dv

5 weeks ago: vmm.h is a needed include now
mlarkin [Sat, 21 Sep 2024 04:12:18 +0000 (04:12 +0000)]
vmm.h is a needed include now

5 weeks ago: Add device tree mapping for Lenovo ThinkPad T14s.
kettenis [Fri, 20 Sep 2024 19:12:50 +0000 (19:12 +0000)]
Add device tree mapping for Lenovo ThinkPad T14s.

ok tobhe@, mlarkin@

5 weeks ago: Avoid use after free when retrying the -o file
tb [Fri, 20 Sep 2024 12:52:37 +0000 (12:52 +0000)]
Avoid use after free when retrying the -o file

This is horrible code and at least file leaks in various paths, but that's
for someone else to fix.

found by & ok jsg

5 weeks ago: gdb: fix path to ex
tb [Fri, 20 Sep 2024 11:41:15 +0000 (11:41 +0000)]
gdb: fix path to ex

from Nir Lichtman
ok pascal sthen
(they okayed the ports version which I take to be an agreement with this).

5 weeks ago: correct format string in debug printf
jsg [Fri, 20 Sep 2024 02:20:44 +0000 (02:20 +0000)]
correct format string in debug printf

5 weeks ago: remove unneeded semicolon
jsg [Fri, 20 Sep 2024 02:15:53 +0000 (02:15 +0000)]
remove unneeded semicolon

5 weeks ago: remove unneeded semicolons; checked by millert@
jsg [Fri, 20 Sep 2024 02:00:46 +0000 (02:00 +0000)]
remove unneeded semicolons; checked by millert@

5 weeks ago: fix up the ip address config in the example config.
dlg [Fri, 20 Sep 2024 01:15:53 +0000 (01:15 +0000)]
fix up the ip address config in the example config.

you're supposed to configure the IP addresses inside the tunnel,
sec doesn't support configuration of the tunnel endpoint addresses
because that's handled by SAs via ike config.

hit by Luca Di Gregorio on misc@

5 weeks ago: openssh-9.9
djm [Thu, 19 Sep 2024 22:17:44 +0000 (22:17 +0000)]
openssh-9.9

5 weeks ago: Shift 1U rather than 1 to avoid -Wsign-compare whining
tb [Thu, 19 Sep 2024 20:48:36 +0000 (20:48 +0000)]
Shift 1U rather than 1 to avoid -Wsign-compare whining

claudio agrees

5 weeks ago: Move rpki-client to 9.3
job [Thu, 19 Sep 2024 13:45:07 +0000 (13:45 +0000)]
Move rpki-client to 9.3

requested by tb@

5 weeks ago: fixup! drm/apple: Add support for the macOS 13.2 DCP firmware
jsg [Thu, 19 Sep 2024 09:44:36 +0000 (09:44 +0000)]
fixup! drm/apple: Add support for the macOS 13.2 DCP firmware

From Janne Grunau in asahi bits/200-dcp

puts logging of power state changes under DRMDEBUG
ok kettenis@

5 weeks ago: Remove spaces before EOL.
claudio [Thu, 19 Sep 2024 08:55:22 +0000 (08:55 +0000)]
Remove spaces before EOL.

5 weeks ago: vio: allow longer tx chains
sf [Thu, 19 Sep 2024 06:23:38 +0000 (06:23 +0000)]
vio: allow longer tx chains

When TCP segmentation offload is supported, we may get larger packets
with more dma segments. Allocate more segments in the busdma_map in this
case, so that we need to defragment less often.

ok jan@

5 weeks ago: virtio_pci: Fix off-by-one in interrupt setup
sf [Thu, 19 Sep 2024 06:19:05 +0000 (06:19 +0000)]
virtio_pci: Fix off-by-one in interrupt setup

This was introduced by "virtio: Move interrupt setup into separate
function".

ok jan@

5 weeks ago: document how to add a restricted socket
denis [Thu, 19 Sep 2024 06:12:46 +0000 (06:12 +0000)]
document how to add a restricted socket

OK claudio@

5 weeks ago: don't warn when returning early in hdcp functions
jsg [Thu, 19 Sep 2024 05:08:10 +0000 (05:08 +0000)]
don't warn when returning early in hdcp functions

5 weeks ago: drm/i915/guc: prevent a possible int overflow in wq offsets
jsg [Thu, 19 Sep 2024 04:26:25 +0000 (04:26 +0000)]
drm/i915/guc: prevent a possible int overflow in wq offsets

From Nikita Zhandarovich
86238603c8f4df09b2a926617511310fd550737c in linux-6.6.y/6.6.52
d3d37f74683e2f16f2635ee265884f7ca69350ae in mainline linux

5 weeks ago: drm/amd/amdgpu: apply command submission parser for JPEG v1
jsg [Thu, 19 Sep 2024 04:24:20 +0000 (04:24 +0000)]
drm/amd/amdgpu: apply command submission parser for JPEG v1

From David (Ming Qiang) Wu
ff65ae25d3cbcd8737e5971230031f0826a33250 in linux-6.6.y/6.6.52
8409fb50ce48d66cf9dc5391f03f05c56c430605 in mainline linux

5 weeks ago: drm/amdgpu/atomfirmware: Silence UBSAN warning
jsg [Thu, 19 Sep 2024 04:21:53 +0000 (04:21 +0000)]
drm/amdgpu/atomfirmware: Silence UBSAN warning

From Alex Deucher
54268468399e5d1b23e76e43d06ff49ccad5fd4d in linux-6.6.y/6.6.52
17ea4383649fdeaff3181ddcf1ff03350d42e591 in mainline linux

5 weeks ago: drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl
jsg [Thu, 19 Sep 2024 04:19:44 +0000 (04:19 +0000)]
drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl

From T.J. Mercier
8e1ffb257982974352e9153eddcbaf01f949f700 in linux-6.6.y/6.6.52
8c7c44be57672e1474bf15a451011c291e85fda4 in mainline linux

5 weeks ago: drm/amd/display: Fix FEC_READY write on DP LT
jsg [Thu, 19 Sep 2024 04:17:11 +0000 (04:17 +0000)]
drm/amd/display: Fix FEC_READY write on DP LT

From Ilya Bakoulin
7853c146f8b45107bea25dcc1870c4dc3a042540 in linux-6.6.y/6.6.52
a8baec4623aedf36d50767627f6eae5ebf07c6fb in mainline linux

5 weeks ago: drm/amd/display: Disable error correction if it's not supported
jsg [Thu, 19 Sep 2024 04:15:37 +0000 (04:15 +0000)]
drm/amd/display: Disable error correction if it's not supported

From Cruise
27bbf0b1cac9866666878421d57c15a78867f7cd in linux-6.6.y/6.6.52
a8ac994cf0693a1ce59410995594e56124a1c79f in mainline linux

5 weeks ago: drm: panel-orientation-quirks: Add quirk for Ayn Loki Max
jsg [Thu, 19 Sep 2024 04:13:21 +0000 (04:13 +0000)]
drm: panel-orientation-quirks: Add quirk for Ayn Loki Max

From Bouke Sybren Haarsma
31b9fc3d0c1078a7ca5982de45a3f29ac2e7d711 in linux-6.6.y/6.6.52
2c71c8459c8ca66bd8f597effaac892ee8448a9f in mainline linux

5 weeks ago: drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero
jsg [Thu, 19 Sep 2024 04:11:20 +0000 (04:11 +0000)]
drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero

From Bouke Sybren Haarsma
7d42d19973cbe1fa30b6f2aad7d06189ec0ef2e8 in linux-6.6.y/6.6.52
b86aa4140f6a8f01f35bfb05af60e01a55b48803 in mainline linux

5 weeks ago: correct indentation
jsg [Thu, 19 Sep 2024 01:05:48 +0000 (01:05 +0000)]
correct indentation

5 weeks ago: Enable large number of extension tests and stop skipping QUIC transport
tb [Wed, 18 Sep 2024 19:12:37 +0000 (19:12 +0000)]
Enable large number of extension tests and stop skipping QUIC transport
parameter extension which we now know about

5 weeks ago: zic: cherrypick support for %z in time zone formats
millert [Wed, 18 Sep 2024 17:05:50 +0000 (17:05 +0000)]
zic: cherrypick support for %z in time zone formats

This extends the zic input format to add support for %z, which
expands to a UTC offset in as-short-as-possible ISO 8601 format.
It's intended to better support zones that do not have an established
abbreviation already.  tzdata2024b and higher require a version of
zic that supports the %z format.  From upstream tzcode.  OK beck@

6 weeks ago: move common lines to mi
jsg [Wed, 18 Sep 2024 14:29:10 +0000 (14:29 +0000)]
move common lines to mi

6 weeks ago: back to previous plan
deraadt [Wed, 18 Sep 2024 11:29:55 +0000 (11:29 +0000)]
back to previous plan

6 weeks ago: Fix a memory leak
job [Wed, 18 Sep 2024 10:22:36 +0000 (10:22 +0000)]
Fix a memory leak

Found by Martin Cracauer

"look right" tb@

6 weeks ago: remove unneeded semicolons after switch statements
jsg [Wed, 18 Sep 2024 05:21:19 +0000 (05:21 +0000)]
remove unneeded semicolons after switch statements

6 weeks ago: adjust date
deraadt [Wed, 18 Sep 2024 02:43:54 +0000 (02:43 +0000)]
adjust date

6 weeks ago: Remove the MSI blacklist. Now that we use MSI-X interrupts for nvme(4),
jmatthew [Wed, 18 Sep 2024 00:03:19 +0000 (00:03 +0000)]
Remove the MSI blacklist.  Now that we use MSI-X interrupts for nvme(4),
the one device we ever found that needed this treatment, the obsolete Intel
Optane Memory series, doesn't need it any more.

ok kettenis@ dlg@

6 weeks ago: disable POOL_DEBUG for release
jsg [Tue, 17 Sep 2024 13:45:49 +0000 (13:45 +0000)]
disable POOL_DEBUG for release
ok deraadt@

6 weeks ago: head into release
deraadt [Tue, 17 Sep 2024 13:39:17 +0000 (13:39 +0000)]
head into release

6 weeks ago: getdents(2) was pushed into rpath because it exposes pathname
deraadt [Tue, 17 Sep 2024 12:53:15 +0000 (12:53 +0000)]
getdents(2) was pushed into rpath because it exposes pathname
information, similar to getcwd(2).  Move it to the right place, and
also say why.
report from henryfordkjv@gmail.com

6 weeks ago: update install.md path
jsg [Tue, 17 Sep 2024 10:19:54 +0000 (10:19 +0000)]
update install.md path

6 weeks ago: update list file paths
jsg [Tue, 17 Sep 2024 10:13:50 +0000 (10:13 +0000)]
update list file paths

6 weeks ago: vio: Reduce code duplication in control queue handling
sf [Tue, 17 Sep 2024 09:00:14 +0000 (09:00 +0000)]
vio: Reduce code duplication in control queue handling

Pull the common parts of all the control queue operations into separate
functions.

While there, avoid setting sc_ctrl_inuse FREE if it was RESET, except in
vio_stop. Doing so could lead to more race conditions.

ok bluhm@

6 weeks ago: tlsfuzzer: add a start-server convenience target for interactive testing
tb [Tue, 17 Sep 2024 08:47:37 +0000 (08:47 +0000)]
tlsfuzzer: add a start-server convenience target for interactive testing

6 weeks ago: Replace OpenSSL 3.1 (which no longer is in ports) with 3.3
tb [Tue, 17 Sep 2024 06:12:06 +0000 (06:12 +0000)]
Replace OpenSSL 3.1 (which no longer is in ports) with 3.3

6 weeks ago: spelling
jsg [Tue, 17 Sep 2024 04:12:57 +0000 (04:12 +0000)]
spelling

6 weeks ago: Mention psp(4) in vm.conf(5) man page.
bluhm [Mon, 16 Sep 2024 22:30:01 +0000 (22:30 +0000)]
Mention psp(4) in vm.conf(5) man page.

from hshoexer@; OK mlarkin@

6 weeks ago: Document ioctl(2) interface provided by psp(4) device.
bluhm [Mon, 16 Sep 2024 22:15:43 +0000 (22:15 +0000)]
Document ioctl(2) interface provided by psp(4) device.

from hshoexer@; OK mlarkin@

6 weeks ago: Add copy mode commands which were missed when descriptions were added,
nicm [Mon, 16 Sep 2024 20:46:58 +0000 (20:46 +0000)]
Add copy mode commands which were missed when descriptions were added,
from Julian Prein, GitHub issue 4121.

6 weeks ago: Change the behaviour of extended-keys always slightly so that
nicm [Mon, 16 Sep 2024 20:38:48 +0000 (20:38 +0000)]
Change the behaviour of extended-keys always slightly so that
applications can still enter mode 2 if they want, they just cannot turn
extended keys off entirely. From Stanislav Kljuhhin.

6 weeks ago: Add a prefix timeout option, from Conor Taylor in GitHub issue 4108.
nicm [Mon, 16 Sep 2024 20:28:22 +0000 (20:28 +0000)]
Add a prefix timeout option, from Conor Taylor in GitHub issue 4108.

6 weeks ago: Close correct file descriptor.
florian [Mon, 16 Sep 2024 07:34:49 +0000 (07:34 +0000)]
Close correct file descriptor.

Instead of closing the just received UDP socket we closed the imsg fd
thus cleanly shutting down dhcpleased(8).

Problem triggered by sf@ with something like
while :; do ifconfig vio0 -inet; done
while :; do ifconfig vio0 inet autoconf; done

The problem triggers when dhcpleased configured a lease and in just
the right moment the autoconf flag gets removed. The main process
opens a udp socket and sends it to the frontend. At the same time the
frontend learned (from the route socket), that the interface lost its
autoconf flag. When the frontend then receives the udp socket via fd
passing it tries to close it. Due to a typo it would instead close the
imsg file descriptor.

Found by me after lots of head scratching.
OK tb

6 weeks ago: use 64 bit math to avoid signed underflow. upstream code relies on
djm [Mon, 16 Sep 2024 05:37:05 +0000 (05:37 +0000)]
use 64 bit math to avoid signed underflow. upstream code relies on
using -fwrapv to provide defined over/underflow behaviour, but we use
-ftrapv to catch integer errors and abort the program. ok dtucker@

6 weeks ago: Invalid pintables in ELF binaries can crash the kernel.
deraadt [Sun, 15 Sep 2024 23:13:19 +0000 (23:13 +0000)]
Invalid pintables in ELF binaries can crash the kernel.
Fix from yufeng.gao@uq.edu.au

6 weeks ago: Document when vmd(8) VMs are stopped; OK mlarkin
kn [Sun, 15 Sep 2024 19:39:26 +0000 (19:39 +0000)]
Document when vmd(8) VMs are stopped;  OK mlarkin

Useful to know in setups where pkg daemons and VMs depend on each other.

6 weeks ago: Add handling of "Class" attribute. diff from markus
yasuoka [Sun, 15 Sep 2024 11:08:50 +0000 (11:08 +0000)]
Add handling of "Class" attribute.  diff from markus

ok markus

6 weeks ago: minor grammar/sort fixes for refuseconnection; ok djm
jmc [Sun, 15 Sep 2024 08:27:38 +0000 (08:27 +0000)]
minor grammar/sort fixes for refuseconnection; ok djm

6 weeks ago: remove unused variables
jsg [Sun, 15 Sep 2024 07:14:58 +0000 (07:14 +0000)]
remove unused variables

6 weeks ago: __STDC_VERSION__ not __STDC_VERSION; ok miod@
jsg [Sun, 15 Sep 2024 05:49:05 +0000 (05:49 +0000)]
__STDC_VERSION__ not __STDC_VERSION; ok miod@

6 weeks ago: Improve the log messages and white spaces.
yasuoka [Sun, 15 Sep 2024 05:31:23 +0000 (05:31 +0000)]
Improve the log messages and white spaces.

6 weeks ago: Keep the number of requests for a DAE server below 64 to avoid
yasuoka [Sun, 15 Sep 2024 05:29:11 +0000 (05:29 +0000)]
Keep the number of requests for a DAE server below 64 to avoid
congestion.

6 weeks ago: Add "delete" command to "radiusctl ipcp". Also, send "stop" that was
yasuoka [Sun, 15 Sep 2024 05:26:05 +0000 (05:26 +0000)]
Add "delete" command to "radiusctl ipcp".  Also, send "stop" that was
missing when disconnecting all when acct-{on,off} received.

6 weeks ago: Handle EAGAIN properly and fix the log when disconnected.
yasuoka [Sun, 15 Sep 2024 05:14:32 +0000 (05:14 +0000)]
Handle EAGAIN properly and fix the log when disconnected.

6 weeks ago: bad whitespace in config dump output
djm [Sun, 15 Sep 2024 03:09:44 +0000 (03:09 +0000)]
bad whitespace in config dump output

6 weeks ago: update the Streamlined NTRU Prime code from the "ref" implementation
djm [Sun, 15 Sep 2024 02:20:51 +0000 (02:20 +0000)]
update the Streamlined NTRU Prime code from the "ref" implementation
in SUPERCOP 20201130 to the "compact" implementation in SUPERCOP
20240808. The new version is substantially faster.
Thanks to Daniel J Bernstein for pointing out the new implementation
(and of course for writing it).

tested in snaps/ok deraadt@

6 weeks ago: document Match invalid-user
djm [Sun, 15 Sep 2024 01:19:56 +0000 (01:19 +0000)]
document Match invalid-user

6 weeks ago: add a "Match invalid-user" predicate to sshd_config Match options.
djm [Sun, 15 Sep 2024 01:18:26 +0000 (01:18 +0000)]
add a "Match invalid-user" predicate to sshd_config Match options.

This allows writing Match conditions that trigger for invalid username.
E.g.

PerSourcePenalties refuseconnection:90s
Match invalid-user
  RefuseConnection yes

Will effectively penalise bots that try to guess passwords for bogus accounts,
at the cost of implicitly revealing which accounts are invalid.

feedback markus@

6 weeks ago: Add a "refuseconnection" penalty class to sshd_config
djm [Sun, 15 Sep 2024 01:11:26 +0000 (01:11 +0000)]
Add a "refuseconnection" penalty class to sshd_config
PerSourcePenalties

This allows penalising connection sources that have had connections
dropped by the RefuseConnection option. ok markus@

6 weeks ago: Add a sshd_config "RefuseConnection" option
djm [Sun, 15 Sep 2024 01:09:40 +0000 (01:09 +0000)]
Add a sshd_config "RefuseConnection" option

If set, this will terminate the connection at the first authentication
request (this is the earliest we can evaluate sshd_config Match blocks)

ok markus@

6 weeks ago: switch sshd_config Match processing to the argv tokeniser too;
djm [Sun, 15 Sep 2024 00:58:01 +0000 (00:58 +0000)]
switch sshd_config Match processing to the argv tokeniser too;
ok markus@

6 weeks ago: switch "Match" directive processing over to the argv string
djm [Sun, 15 Sep 2024 00:57:36 +0000 (00:57 +0000)]
switch "Match" directive processing over to the argv string
tokeniser, making it possible to use shell-like quoting in Match
directives, particularly "Match exec". ok markus@

6 weeks ago: include pathname in some of the ssh-keygen passphrase prompts. Helps
djm [Sun, 15 Sep 2024 00:47:01 +0000 (00:47 +0000)]
include pathname in some of the ssh-keygen passphrase prompts. Helps
the user know what's going on when ssh-keygen is invoked via other
tools. Requested in GHPR503

6 weeks ago: Do not apply authorized_keys options when signature verification
djm [Sun, 15 Sep 2024 00:41:18 +0000 (00:41 +0000)]
Do not apply authorized_keys options when signature verification
fails. Prevents restrictive key options being incorrectly applied
to subsequent keys in authorized_keys. bz3733, ok markus@