mpi [Fri, 6 Sep 2024 08:00:36 +0000 (08:00 +0000)]
Regression for '%c'.
From Christian Ludwig.
mpi [Fri, 6 Sep 2024 07:58:50 +0000 (07:58 +0000)]
Interpret the argument of '%c' as an integer instead of a string.
From Christian Ludwig.
tb [Fri, 6 Sep 2024 07:48:20 +0000 (07:48 +0000)]
Adjust documentation to work without X509_LOOKUP_by_subject()
X509_LOOKUP_by_subject() was made internal a while back. Its documentation
was very detailed, so this was a bit of a tangle to undo.
miod [Fri, 6 Sep 2024 06:31:11 +0000 (06:31 +0000)]
Repair build with gcc.
anton [Fri, 6 Sep 2024 04:11:26 +0000 (04:11 +0000)]
sync
jsg [Fri, 6 Sep 2024 03:52:38 +0000 (03:52 +0000)]
match on Lunar Lake
jsg [Fri, 6 Sep 2024 03:48:52 +0000 (03:48 +0000)]
regen
jsg [Fri, 6 Sep 2024 03:48:20 +0000 (03:48 +0000)]
add Intel Lunar Lake ids
from:
Intel Core Ultra 200V Series Processors
Datasheet, Volume 1 of 2, Doc. No.: 829568, Rev.: 001
additional graphics ids from Mesa
djm [Fri, 6 Sep 2024 02:30:44 +0000 (02:30 +0000)]
make parsing user@host consistently look for the last '@' in the
string rather than the first. This makes it possible to use usernames
that contain '@' characters.
Prompted by Max Zettlmeißl; feedback/ok millert@
claudio [Thu, 5 Sep 2024 20:28:42 +0000 (20:28 +0000)]
Bump version
tb [Thu, 5 Sep 2024 16:17:56 +0000 (16:17 +0000)]
sync with base
tb [Thu, 5 Sep 2024 16:16:54 +0000 (16:16 +0000)]
Avoid out-of-bounds pointer arithmetic in inflateCopy().
from upstream, no ABI or API change.
ok beck deraadt
bluhm [Thu, 5 Sep 2024 08:52:27 +0000 (08:52 +0000)]
In ddb(4) print mbuf chain and packet list.
For debugging hardware offloading, DMA requirements, bounce buffers,
and performance optimizations, knowing the memory layout of mbuf
content helps.
Implement /c and /p modifiers in ddb show mbuf. It traverses the
pointer m_next for mbuf chain or m_nextpkt for packet list. Show
mbuf type, data offset, mbuf length, packet length, cluster size,
and total number of elements, length and size.
OK claudio@ mvs@
florian [Thu, 5 Sep 2024 08:22:46 +0000 (08:22 +0000)]
Sync to unbound 1.21.0; heavy lifting by sthen
parse_edns_from_query_pkt() grew a parameter to handle cookies, which
we don't use.
bluhm [Thu, 5 Sep 2024 07:57:14 +0000 (07:57 +0000)]
Update libexpat to version 2.6.3.
Relevant for OpenBSD are security fixes #887 #890 #888 #891 #889
#892, other changes #886 #885, infrastructure #880. No library
bump necessary. CVE-2024-45490 CVE-2024-45491 CVE-2024-45492
OK tb@ deraadt@
jmc [Thu, 5 Sep 2024 06:39:53 +0000 (06:39 +0000)]
have sysmerge and sysupgrade Xr each other;
diff originally from peter n. m. hansteen
ok ajacoutot
jmc [Thu, 5 Sep 2024 06:33:04 +0000 (06:33 +0000)]
note that "|" and ":include:" are disallowed for root;
prompted by mail from illya meyer
ok gilles
jmc [Thu, 5 Sep 2024 06:30:52 +0000 (06:30 +0000)]
retire this older version of forward(5) to the attic
(whilst retaining the smtpd copy);
ok op gilles
jmc [Thu, 5 Sep 2024 05:51:46 +0000 (05:51 +0000)]
remove note falsely claiming that :include: is disallowed
(it is, but only for root, which i'll address in separate commit);
ok mp gilles
jsg [Thu, 5 Sep 2024 04:31:26 +0000 (04:31 +0000)]
drm/amd/display: avoid using null object of framebuffer
From Ma Ke
f6f5e39a3fe7cbdba190f42b28b40bdff03c8cf0 in linux-6.6.y/6.6.49
3b9a33235c773c7a3768060cf1d2cf8a9153bc37 in mainline linux
jsg [Thu, 5 Sep 2024 04:29:04 +0000 (04:29 +0000)]
drm/amdgpu/swsmu: always force a state reprogram on init
From Alex Deucher
39defab0ebf0872b7a84deafbe903c8e30da7748 in linux-6.6.y/6.6.49
d420c857d85777663e8d16adfc24463f5d5c2dbc in mainline linux
jsg [Thu, 5 Sep 2024 04:27:10 +0000 (04:27 +0000)]
drm/amdgpu: align pp_power_profile_mode with kernel docs
From Alex Deucher
11182b33faf3ee80f5ea042a465b26a23e257f8a in linux-6.6.y/6.6.49
8f614469de248a4bc55fb07e55d5f4c340c75b11 in mainline linux
dlg [Wed, 4 Sep 2024 23:57:20 +0000 (23:57 +0000)]
regen
dlg [Wed, 4 Sep 2024 23:56:43 +0000 (23:56 +0000)]
add PLX PEX 8718 and SK hynix PC601 devices.
The PEX 8718 is used on a QNAP QM2-2P-something card, and we have
a couple of pc601 nvme ssds plugged into it.
hastings [Wed, 4 Sep 2024 21:39:18 +0000 (21:39 +0000)]
Push acpi(4) _CRS parsing down after matching skippable and ISA hardware IDs.
ok kettenis@
beck [Wed, 4 Sep 2024 17:00:08 +0000 (17:00 +0000)]
Work around vnode reuse bug resulting in a panic: vop_generic_badop
Joel hit this frequently on the go builder, and this was
also found by syzkaller
https://syzkaller.appspot.com/bug?extid=58bdde9f7a1a407514a7
https://syzkaller.appspot.com/bug?extid=5779bc64fc4fdd0a5140
This is based on a workaround originally done by visa@ and mbuhl@
but not committed or widely distributed.
Realistically this should be fixed more like the previous attempt
with vdoom, but my attempts to do this at the moment are colliding
with finding all sources of similar races, now that kernel unlocking
is exposing these previously existing bugs
for now, let's put in this ugly workaround
ok deraadt@
dv [Wed, 4 Sep 2024 16:12:40 +0000 (16:12 +0000)]
vmm: set highest cpuid feature leaf based on host cpu.
Fixes Linux guests on older Intel hardware. vmm was reporting a
value that doesn't match the host. Cap it at the highest value vmm
currently emulates.
ok bluhm@, ratchov@
job [Wed, 4 Sep 2024 15:46:43 +0000 (15:46 +0000)]
Remove deprecated '-r' command line option
OK tb@ claudio@
claudio [Wed, 4 Sep 2024 15:06:36 +0000 (15:06 +0000)]
Qualifying nexthops via BGP does not properly work since nexthops need
to be rechecked when a BGP route is added (or changed).
We need to revalidate nexthops on inserts (kroute_insert) and
on change (krX_change but only for AID_INET and AID_INET6 -- no nexthops
in the other tables) the nexthop needs to be updated.
Only validate nexthops if 'nexthop qualify via bgp' is enabled. For route
changes the code can depend on the F_NEXTHOP flag.
Fix for: https://github.com/openbgpd-portable/openbgpd-portable/issues/81
OK tb@
jsg [Wed, 4 Sep 2024 14:24:10 +0000 (14:24 +0000)]
list the other doc pspvar.h mentions, add publication numbers
ok jmc@
deraadt [Wed, 4 Sep 2024 14:18:36 +0000 (14:18 +0000)]
correct .OBJDIR use; from Denis Bodor
jsg [Wed, 4 Sep 2024 13:45:25 +0000 (13:45 +0000)]
regen
claudio [Wed, 4 Sep 2024 13:30:10 +0000 (13:30 +0000)]
Call pfkey_remove() only after the Session Engine finished reloading its
configuration. Doing so before could result in some messages being sent
out without proper TCP-MD5 signature.
Fix for: https://github.com/openbgpd-portable/openbgpd-portable/issues/82
OK tb@
jsg [Wed, 4 Sep 2024 11:12:53 +0000 (11:12 +0000)]
add psp(4) manual page
ok jmc@ bluhm@
sthen [Wed, 4 Sep 2024 09:36:40 +0000 (09:36 +0000)]
merge unbound 1.21.0
sthen [Wed, 4 Sep 2024 09:35:34 +0000 (09:35 +0000)]
import unbound 1.21.0, ok phessler florian
sf [Wed, 4 Sep 2024 09:12:55 +0000 (09:12 +0000)]
vio: put enqueue and dmasync into a function
Before we enqueue with VIO_DMAMEM_ENQUEUE(), we always sync with
VIO_DMAMEM_SYNC(). In order to reduce verbosity, create a function that
does both.
ok bluhm@
sthen [Wed, 4 Sep 2024 09:07:03 +0000 (09:07 +0000)]
Update bsd.port.mk(5) DISTFILES* description - it no longer uses :0 to :9
to select different SITES, the mechanism changed to SITES.somename /
DISTFILES.somename.
jsg [Wed, 4 Sep 2024 08:14:18 +0000 (08:14 +0000)]
wrap long lines
mglocker [Wed, 4 Sep 2024 07:54:51 +0000 (07:54 +0000)]
Fix some spelling.
Input and ok jmc@, jsg@
tb [Wed, 4 Sep 2024 07:52:45 +0000 (07:52 +0000)]
Missing RCSID
jsg [Wed, 4 Sep 2024 07:47:21 +0000 (07:47 +0000)]
remove unused timeout from softc
jsg [Wed, 4 Sep 2024 07:45:08 +0000 (07:45 +0000)]
make psp attach to ccp as a different driver
'fine with me' hshoexer, ok bluhm@
sf [Wed, 4 Sep 2024 06:36:33 +0000 (06:36 +0000)]
vio: style fixes
ok bluhm@
sf [Wed, 4 Sep 2024 06:34:08 +0000 (06:34 +0000)]
vio: Re-arrange structs for multi-queue
Move per-queue data structures into a new struct vio_queue and adjust
mem allocation. Only one queue is allocated for now.
ok bluhm@
djm [Wed, 4 Sep 2024 05:33:34 +0000 (05:33 +0000)]
be more strict in parsing key type names. Only allow shortnames (e.g.
"rsa") in user-interface code and require full SSH protocol names (e.g.
"ssh-rsa") everywhere else.
Prompted by bz3725; ok markus@
djm [Wed, 4 Sep 2024 05:11:33 +0000 (05:11 +0000)]
fix RCSID in output
tb [Wed, 4 Sep 2024 04:36:14 +0000 (04:36 +0000)]
Remove openssl 1.1 regress
tb [Wed, 4 Sep 2024 04:35:30 +0000 (04:35 +0000)]
Unlink OpenSSL 1.1 regress
tb [Wed, 4 Sep 2024 04:35:05 +0000 (04:35 +0000)]
Link openssl 3.2 regress to build
tb [Wed, 4 Sep 2024 04:34:14 +0000 (04:34 +0000)]
Add regress against OpenSSL 3.2
OpenSSL 1.1 is dead. This directory will use the default version in ports
(currently 3.2) for regress testing.
op [Tue, 3 Sep 2024 18:27:04 +0000 (18:27 +0000)]
fix some typos; courtesy of codespell; ok gilles@
op [Tue, 3 Sep 2024 18:21:55 +0000 (18:21 +0000)]
typo in comment; Effectivly -> Effectively; ok gilles@
op [Tue, 3 Sep 2024 18:20:35 +0000 (18:20 +0000)]
typo in comment; saveguard -> safeguard; ok gilles@
bluhm [Tue, 3 Sep 2024 17:19:53 +0000 (17:19 +0000)]
For virtual addresses use fixed page frame without AMD SEV reduction.
When running as a SEV guest, page frame mask is calculated from the
CPUID provided "physical address bit reduction". The amd64 pmap
code uses the variable pg_frame instead of the defined PG_FRAME
0x000ffffffffff000.
There was one instance in pmap code where pg_frame was applied to
virtual address, not physical address. On some machines the address
bit reduction is rather large with six bits. So the calculated
pg_frame is 0x00003fffffe00000. However, on amd64 VM_MAX_ADDRESS
is defined as 0x00007fbfdfeff000. Masking such a large address
with pg_frame caused havoc. Therefore, when masking virtual
addresses, still use PG_FRAME.
from hshoexer@
deraadt [Tue, 3 Sep 2024 17:05:59 +0000 (17:05 +0000)]
wild white space
tb [Tue, 3 Sep 2024 15:37:03 +0000 (15:37 +0000)]
Make state file parsing errors more explicit. Also don't leak the deltas.
joint effort with/ok claudio
deraadt [Tue, 3 Sep 2024 15:28:58 +0000 (15:28 +0000)]
sync
job [Tue, 3 Sep 2024 15:04:48 +0000 (15:04 +0000)]
Also gate SPL statistics behind 'experimental' command line option
This changes the JSON output, without -x some keys are missing from 'metadata'
OK tb@
dv [Tue, 3 Sep 2024 13:36:19 +0000 (13:36 +0000)]
vmm(4)/vmx: avoid VPID leakage by allocating at vcpu init.
VPID allocation being dependent on the host and guest config
(consequently pushing it into the reset register handler) creates
a leak where previous VPIDs are not freed if the hypervisor program
resets a vcpu's registers.
Recent SVM related changes pulled the VPID (ASID in AMD world)
allocation up into vcpu initialization. This change does the same
for VMX and cleans up appropriate logic. Minor changes to keep SVM
and VMX styles in line with each other.
ok bluhm@
claudio [Tue, 3 Sep 2024 13:31:31 +0000 (13:31 +0000)]
In rrdp_session_parse() set the last_reset time to now if the .state file
does not exist.
OK tb@
gilles [Tue, 3 Sep 2024 12:07:40 +0000 (12:07 +0000)]
bump version
bluhm [Tue, 3 Sep 2024 09:36:12 +0000 (09:36 +0000)]
regen
bluhm [Tue, 3 Sep 2024 09:35:46 +0000 (09:35 +0000)]
For AMD SEV create /dev/psp.
To call ioctl(2) for the platform security processor (PSP), vmd(8)
needs a device file. It is currently linked to the cryptographic
co-processor ccp(4). We may split this into a separate psp(4)
device.
from hshoexer@; input jsg@
tb [Tue, 3 Sep 2024 08:49:16 +0000 (08:49 +0000)]
check_sym: adjust logic not to exit 1 in the default dynamic mode
ok guenther
jmc [Tue, 3 Sep 2024 06:17:48 +0000 (06:17 +0000)]
envrionment -> environment;
djm [Tue, 3 Sep 2024 05:58:56 +0000 (05:58 +0000)]
regression test for Include variable expansion
djm [Tue, 3 Sep 2024 05:29:55 +0000 (05:29 +0000)]
allow the "Include" directive to expand the same set of %-tokens
that "Match Exec" and environment variables do.
ok dtucker@
anton [Tue, 3 Sep 2024 04:59:03 +0000 (04:59 +0000)]
Fix test_fork() prototype.
anton [Tue, 3 Sep 2024 04:58:30 +0000 (04:58 +0000)]
Stop invoking diff(1) from C in access unveil regress, instead perform
the diffing from the make target.
anton [Tue, 3 Sep 2024 04:58:00 +0000 (04:58 +0000)]
Adjust expected output after recent X_OK changes.
jsg [Tue, 3 Sep 2024 00:23:05 +0000 (00:23 +0000)]
move psp functions to psp.c and remove the ifdefs
ok bluhm@ hshoexer@
deraadt [Mon, 2 Sep 2024 16:39:03 +0000 (16:39 +0000)]
sync
deraadt [Mon, 2 Sep 2024 16:37:58 +0000 (16:37 +0000)]
In our fight against the cosmos, in the chaos of the source tree, we
deleted the greek quiz. Some people felt trauma, and called out our
hubris. At my request, Carson Harding performed a metamorphosis of
the quiz -- kudos to him! After playing, I consider it the acme of
quizzes.
ok jmc mglocker
deraadt [Mon, 2 Sep 2024 16:34:44 +0000 (16:34 +0000)]
In our fight against the cosmos, in the chaos of the source tree, we
deleted the greek quiz. Some people felt trauma, and called out our
hubris. At my request, Carson Harding performed a metamorphosis of
the quiz -- kudos to him! After playing, I consider it the acme of
quizzes.
ok jmc mglocker
djm [Mon, 2 Sep 2024 12:18:35 +0000 (12:18 +0000)]
missing ifdef
djm [Mon, 2 Sep 2024 12:13:56 +0000 (12:13 +0000)]
Add experimental support for hybrid post-quantum key exchange
ML-KEM768 with ECDH/X25519 from the Internet-draft:
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This is based on previous patches from markus@ but adapted to use the
final FIPS203 standard ML-KEM using a formally-verified implementation
from libcrux.
Note this key exchange method is still a draft and thus subject to
change. It is therefore disabled by default; set MLKEM=yes to build it.
We're making it available now to make it easy for other SSH
implementations to test against it.
ok markus@ deraadt@
job [Mon, 2 Sep 2024 11:56:22 +0000 (11:56 +0000)]
Increase number of concurrent RRDP session handler slots
OK claudio@
jsg [Mon, 2 Sep 2024 11:08:41 +0000 (11:08 +0000)]
simplify ccp ifdef; ok bluhm@
sf [Mon, 2 Sep 2024 08:26:26 +0000 (08:26 +0000)]
virtio: Move interrupt setup into separate function
Put the MSIX vector into struct virtqueue and create a transport
specific function that feeds the vectors to the device. This will allow
child devices to influence which vectors are used for which virtqueues.
This will be used by multi-queue vio(4) to route corresponding rx/tx
queue interrupts to the same cpu.
The setup_intrs() function also sets the config interrupt MSIX vector
which fixes a bug that virtio_pci_set_msix_config_vector() would not
be called after a device reset.
OK bluhm@
sf [Mon, 2 Sep 2024 08:22:08 +0000 (08:22 +0000)]
virtio_pci: Improve interrupt names
Make interrupt strings according to the child device. This gives names
like vio0:1, vioblk0 instead of virtio0, virtio1. Also allocate array
of interrupt handlers dynamically. The current size will be too small
for vio multi-queue.
OK bluhm@
tb [Mon, 2 Sep 2024 08:05:18 +0000 (08:05 +0000)]
sync
tb [Mon, 2 Sep 2024 08:04:32 +0000 (08:04 +0000)]
Remove X509_check_trust documentation
tb [Mon, 2 Sep 2024 07:58:05 +0000 (07:58 +0000)]
sync
tb [Mon, 2 Sep 2024 07:57:27 +0000 (07:57 +0000)]
The X509at_* manuals are no longer needed
tb [Mon, 2 Sep 2024 07:56:28 +0000 (07:56 +0000)]
Also remove .Xr to X509at_*
tb [Mon, 2 Sep 2024 07:55:26 +0000 (07:55 +0000)]
Excise X509at_* from X509_REQ_* documentation
tb [Mon, 2 Sep 2024 07:54:21 +0000 (07:54 +0000)]
Rename lastpos to start_after to match other, similar manuals
tb [Mon, 2 Sep 2024 07:45:09 +0000 (07:45 +0000)]
More X509at_* removal
tb [Mon, 2 Sep 2024 07:43:07 +0000 (07:43 +0000)]
Remove mention of the no longer public X509at_* functions
tb [Mon, 2 Sep 2024 07:20:21 +0000 (07:20 +0000)]
Adjust function signatures for const X509_LOOKUP_METHOD
yasuoka [Mon, 2 Sep 2024 04:45:22 +0000 (04:45 +0000)]
Coding of the handling of errors for <sequence number> hadn't been completed.
yasuoka [Mon, 2 Sep 2024 04:00:51 +0000 (04:00 +0000)]
regen
yasuoka [Mon, 2 Sep 2024 03:59:40 +0000 (03:59 +0000)]
Add Intel X540 X550 virtual function devices. From Yuichiro NAITO.
ok jmatthew
deraadt [Sun, 1 Sep 2024 23:26:10 +0000 (23:26 +0000)]
Regarding previous commit, X_OK on unveil-permitted directories does
not map nicely to UNVEIL_EXEC. But we don't know before calling
namei() if the path is a directory. Oh well, stick to UNVEIL_READ
for that case, it is going to be good enough for the typical case.
Worked out with jeremy after chrome/firefox Downloads directory issue.
tb [Sun, 1 Sep 2024 20:24:42 +0000 (20:24 +0000)]
dhcpleased: fix a sizeof for IMSG_REQUEST_REBOOT.
"fatal in engine: engine_dispatch_frontend: invalid IMSG_REQUEST_REBOOT"
reported by qwer.ty tuta io
ok florian kn
bluhm [Sun, 1 Sep 2024 19:32:48 +0000 (19:32 +0000)]
For AMD SEV mention platform security processor in ccp(4) man page.
from hshoexer@; input jsg@; ok mlarkin@
bluhm [Sun, 1 Sep 2024 19:25:06 +0000 (19:25 +0000)]
For AMD SEV provide ioctl(2) in ccp(4) to shutdown guest.
To shutdown a SEV-enabled guest, first deactivate the guest context
in ccp(4), then decommission the guest context. Combine these two
operations in a single ioctl to simplify guest shutdown for vmd(8).
As this ioctl does not directly map to a single ccp command, use a
high number for the ioctl. More ioctls like this one will come.
from hshoexer@; OK mlarkin@
tb [Sun, 1 Sep 2024 17:20:37 +0000 (17:20 +0000)]
symbols: remove special case for cpuid_setup and cpu_caps
The former is gone and the latter is available in crypto.h.
bluhm [Sun, 1 Sep 2024 17:13:46 +0000 (17:13 +0000)]
Pledge "vmm" for ccp(4) ioctl(2).
Limit ccp ioctls to processes that pledge vmm. Specific psp device
ioctls for AMD SEV will be allowed for vmd(8).
from hshoexer@; input deraadt@ jsg@