openbsd
2 years agoRetire the F_KERNEL flag, it got superseded by route priority and RTP_MINE.
claudio [Fri, 22 Jul 2022 11:17:48 +0000 (11:17 +0000)]
Retire the F_KERNEL flag, it got superseded by route priority and RTP_MINE.

Only problem is when route(8) is used to modify/delete a bgpd owned route.
Exact behaviour for that is still a bit unclear but F_KERNEL does not help
in this case either. In the kr_fib_delete/change remove F_BGPD_INSERTED
in that case as a first step.
OK tb@

2 years agofix use after free in debug path
jsg [Fri, 22 Jul 2022 09:04:44 +0000 (09:04 +0000)]
fix use after free in debug path
ok jan@ miod@

2 years agoClear marks when the search string changes. From Anindya Mukherjee,
nicm [Fri, 22 Jul 2022 07:14:07 +0000 (07:14 +0000)]
Clear marks when the search string changes. From Anindya Mukherjee,
GitHub issue 3255.

2 years agodrm/aperture: Run fbdev removal before internal helpers
jsg [Fri, 22 Jul 2022 06:21:51 +0000 (06:21 +0000)]
drm/aperture: Run fbdev removal before internal helpers

From Thomas Zimmermann
31f351eb534e889d11cd149de547d99eb5a15c64 in linux 5.15.y/5.15.56
bf43e4521ff3223a613f3a496991a22a4d78e04b in mainline linux

2 years agodrm/amd/pm: Prevent divide by zero
jsg [Fri, 22 Jul 2022 06:19:59 +0000 (06:19 +0000)]
drm/amd/pm: Prevent divide by zero

From Yefim Barashkin
8c37e7a2000d795aaad7256950f43c25f2aac67f in linux 5.15.y/5.15.56
0638c98c17aa12fe914459c82cd178247e21fb2b in mainline linux

2 years agodrm/amd/display: Only use depth 36 bpp linebuffers on DCN display engines.
jsg [Fri, 22 Jul 2022 06:18:21 +0000 (06:18 +0000)]
drm/amd/display: Only use depth 36 bpp linebuffers on DCN display engines.

From Mario Kleiner
cded1186f7e930045fb4ee17dbfa6bae41f3882c in linux 5.15.y/5.15.56
add61d3c31de6a4b5e11a2ab96aaf4c873481568 in mainline linux

2 years agodrm/i915: Require the vm mutex for i915_vma_bind()
jsg [Fri, 22 Jul 2022 06:16:07 +0000 (06:16 +0000)]
drm/i915: Require the vm mutex for i915_vma_bind()

From Thomas Hellstrom
a6cecaf058c48c6def2548473d814a2d54cb3667 in linux 5.15.y/5.15.56
c2ea703dcafccf18d7d77d8b68fb08c2d9842b7a in mainline linux

2 years agodrm/i915/uc: correctly track uc_fw init failure
jsg [Fri, 22 Jul 2022 06:13:09 +0000 (06:13 +0000)]
drm/i915/uc: correctly track uc_fw init failure

From Daniele Ceraolo Spurio
60d1bb301ea5a4be3e1071d3d0c179140b270ef8 in linux 5.15.y/5.15.56
35d4efec103e1afde968cfc9305f00f9aceb19cc in mainline linux

2 years agodrm/i915/gt: Serialize TLB invalidates with GT resets
jsg [Fri, 22 Jul 2022 06:10:27 +0000 (06:10 +0000)]
drm/i915/gt: Serialize TLB invalidates with GT resets

From Chris Wilson
86062ca5edf1c2acc4de26452a34ba001e9b6a68 in linux 5.15.y/5.15.56
a1c5a7bf79c1faa5633b918b5c0666545e84c4d1 in mainline linux

2 years agodrm/i915/gt: Serialize GRDOM access between multiple engine resets
jsg [Fri, 22 Jul 2022 06:08:40 +0000 (06:08 +0000)]
drm/i915/gt: Serialize GRDOM access between multiple engine resets

From Chris Wilson
0ee5874dad61d2b154a9e3db196fc33e8208ce1b in linux 5.15.y/5.15.56
b24dcf1dc507f69ed3b5c66c2b6a0209ae80d4d4 in mainline linux

2 years agodrm/i915/dg2: Add Wa_22011100796
jsg [Fri, 22 Jul 2022 06:06:27 +0000 (06:06 +0000)]
drm/i915/dg2: Add Wa_22011100796

From Bruce Chang
f8ba02531476196f44a486df178b4f1fec178234 in linux 5.15.y/5.15.56
154cfae6158141b18d65abb0db679bb51a8294e7 in mainline linux

2 years agodrm/i915/selftests: fix a couple IS_ERR() vs NULL tests
jsg [Fri, 22 Jul 2022 06:04:44 +0000 (06:04 +0000)]
drm/i915/selftests: fix a couple IS_ERR() vs NULL tests

From Dan Carpenter
40c12fc520234b0145bb776f38642507180dfad8 in linux 5.15.y/5.15.56
896dcabd1f8f613c533d948df17408c41f8929f5 in mainline linux

2 years agodrm/i915/gvt: IS_ERR() vs NULL bug in intel_gvt_update_reg_whitelist()
jsg [Fri, 22 Jul 2022 06:02:46 +0000 (06:02 +0000)]
drm/i915/gvt: IS_ERR() vs NULL bug in intel_gvt_update_reg_whitelist()

From Dan Carpenter
f6e3ced9c60f3cab517cfb748572c26576573715 in linux 5.15.y/5.15.56
e87197fbd137c888fd6c871c72fe7e89445dd015 in mainline linux

2 years agodrm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()
jsg [Fri, 22 Jul 2022 06:00:45 +0000 (06:00 +0000)]
drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()

From Hangyu Hua
505114dda5bbfd07f4ce9a2df5b7d8ef5f2a1218 in linux 5.15.y/5.15.56
85144df9ff4652816448369de76897c57cbb1b93 in mainline linux

2 years agoavoid use after free
jsg [Fri, 22 Jul 2022 05:55:05 +0000 (05:55 +0000)]
avoid use after free
ok deraadt@

2 years agorepair error section; Martin Vahlensieck
deraadt [Thu, 21 Jul 2022 22:45:06 +0000 (22:45 +0000)]
repair error section; Martin Vahlensieck

2 years agosync
deraadt [Thu, 21 Jul 2022 21:42:49 +0000 (21:42 +0000)]
sync

2 years agoAdd support for the new DART variant found on the Apple M2 SoC. Untested,
kettenis [Thu, 21 Jul 2022 18:24:24 +0000 (18:24 +0000)]
Add support for the new DART variant found on the Apple M2 SoC.  Untested,
but hopefully this will encourage someone with the hardware to test a snap.

ok jsg@

2 years agofix dow
deraadt [Thu, 21 Jul 2022 16:51:51 +0000 (16:51 +0000)]
fix dow

2 years ago7.3 packages key
naddy [Thu, 21 Jul 2022 13:47:00 +0000 (13:47 +0000)]
7.3 packages key

2 years agoRelax the config of add-path send and rde evaluate all
claudio [Thu, 21 Jul 2022 12:34:19 +0000 (12:34 +0000)]
Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@
cvs: ----------------------------------------------------------------------

2 years agoadd 7.3 firmware key
sthen [Thu, 21 Jul 2022 12:31:07 +0000 (12:31 +0000)]
add 7.3 firmware key

2 years agoZap unused global keypair_counter
kn [Thu, 21 Jul 2022 11:26:50 +0000 (11:26 +0000)]
Zap unused global keypair_counter

There since import.

OK sthen

2 years agoMake kr_redistribute() and kroute_insert() AID independent and use
claudio [Thu, 21 Jul 2022 10:22:43 +0000 (10:22 +0000)]
Make kr_redistribute() and kroute_insert() AID independent and use
struct kroute_full. This removes some of the duplicated code.
OK tb@

2 years agoMention veb(4) next to bridge(4)
kn [Thu, 21 Jul 2022 08:00:31 +0000 (08:00 +0000)]
Mention veb(4) next to bridge(4)

OK jmc

2 years agoSet the default pool size for the new anchors pool otherwise it's set to 0.
mbuhl [Thu, 21 Jul 2022 05:26:10 +0000 (05:26 +0000)]
Set the default pool size for the new anchors pool otherwise it's set to 0.

2 years agoMake test table based, extend it a little
tb [Thu, 21 Jul 2022 03:59:04 +0000 (03:59 +0000)]
Make test table based, extend it a little

2 years agosync
deraadt [Thu, 21 Jul 2022 03:29:05 +0000 (03:29 +0000)]
sync

2 years agosync
deraadt [Thu, 21 Jul 2022 03:12:36 +0000 (03:12 +0000)]
sync

2 years ago7.3 base key
deraadt [Thu, 21 Jul 2022 03:07:53 +0000 (03:07 +0000)]
7.3 base key

2 years agoAdd size to free(9) call
kn [Wed, 20 Jul 2022 21:03:10 +0000 (21:03 +0000)]
Add size to free(9) call

Without any later realloactions, size is taken from vnet_dring_alloc().

OK kettenis

2 years agobe a bit more forceful explaining that 'make update' is best effort
espie [Wed, 20 Jul 2022 16:37:49 +0000 (16:37 +0000)]
be a bit more forceful explaining that 'make update' is best effort
and not guaranteed to work (yet useful for porters!)

okay jca@

2 years agoSimplify tlsext_supported_groups_server_parse
tb [Wed, 20 Jul 2022 15:16:06 +0000 (15:16 +0000)]
Simplify tlsext_supported_groups_server_parse

Add an early return in the s->internal->hit case so that we can unindent
a lot of this code. In the HRR case, we do not need to check that the list
of supported groups is unmodified from the first CH. The CH extension
hashing already does that for us.

ok jsing

2 years agomove to 7.2-beta. this gets done very early, to avoid finding out
deraadt [Wed, 20 Jul 2022 15:13:44 +0000 (15:13 +0000)]
move to 7.2-beta.  this gets done very early, to avoid finding out
version number issues close to release

2 years agomove to 7.2-beta. this gets done very early, to avoid finding out
deraadt [Wed, 20 Jul 2022 15:12:38 +0000 (15:12 +0000)]
move to 7.2-beta.  this gets done very early, to avoid finding out
version number issues close to release

2 years agolink ssl_set_alpn_protos to regress
tb [Wed, 20 Jul 2022 14:50:31 +0000 (14:50 +0000)]
link ssl_set_alpn_protos to regress

2 years agoAdd a quick and dirty regress for SSL{_CTX,}_set_alpn_protos()
tb [Wed, 20 Jul 2022 14:50:03 +0000 (14:50 +0000)]
Add a quick and dirty regress for SSL{_CTX,}_set_alpn_protos()

2 years agoThis no longer needs the inet pledge. sysconf(3) was modified to report
claudio [Wed, 20 Jul 2022 14:23:13 +0000 (14:23 +0000)]
This no longer needs the inet pledge. sysconf(3) was modified to report
_POSIX_IPV6 without opening a socket using a method that is allowed by
the vminfo plegde.
OK sthen@ deraadt@

2 years agoDrop some unnecessary parentheses.
tb [Wed, 20 Jul 2022 14:15:50 +0000 (14:15 +0000)]
Drop some unnecessary parentheses.

ok jsing

2 years agoCopy alpn_selected using CBS
tb [Wed, 20 Jul 2022 14:14:34 +0000 (14:14 +0000)]
Copy alpn_selected using CBS

ok jsing

2 years agoCopy alpn_client_proto_list using CBS in SSL_new()
tb [Wed, 20 Jul 2022 14:13:13 +0000 (14:13 +0000)]
Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing

2 years agoValidate protocols in SSL{_CTX,}_set_alpn_protos()
tb [Wed, 20 Jul 2022 14:08:49 +0000 (14:08 +0000)]
Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing

2 years agoRewrite SSL{_CTX,}_set_alpn_protos() using CBS
tb [Wed, 20 Jul 2022 13:57:49 +0000 (13:57 +0000)]
Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing

2 years agoChange various ALPN related internal struct members
tb [Wed, 20 Jul 2022 13:43:33 +0000 (13:43 +0000)]
Change various ALPN related internal struct members

Change alpn_client_proto_list and alpn_selected from unsigned char *
to uint8_t and change alpn_client_proto_list_len to be a size_t instead
of an unsigned int.

ok jsing

2 years agoFactor out ALPN extension format check
tb [Wed, 20 Jul 2022 13:35:05 +0000 (13:35 +0000)]
Factor out ALPN extension format check

The ALPN extension must contain a non-empty list of protocol names.
Split a check of this out of tlsext_alpn_server_parse() so that it
can be reused elsewhere in the library.

ok jsing

2 years agoCleanup and fix the network code.
claudio [Wed, 20 Jul 2022 12:43:27 +0000 (12:43 +0000)]
Cleanup and fix the network code.

- introduce network_free() to properly free a network struct including
  the possible rtlabel reference.
- change expand_networks() and the reload code to not only expand the
  main network config but also the network configs inside L3VPN sections.
- adjust reload logic to properly match any kind of network struct.
  Up until now rtlabel and priority network statememnts were not correctly
  reloaded.
OK tb@

2 years agosync
tb [Wed, 20 Jul 2022 11:36:53 +0000 (11:36 +0000)]
sync

2 years agobump major due to struct size change on ILP32 architectures
tb [Wed, 20 Jul 2022 11:36:15 +0000 (11:36 +0000)]
bump major due to struct size change on ILP32 architectures

2 years agoRevert zlib.h r1.7
tb [Wed, 20 Jul 2022 11:35:36 +0000 (11:35 +0000)]
Revert zlib.h r1.7

The change from uLong to z_off_t was made due to a bug in gzip(1) which
was fixed by gkoehler in gzopen.c r1.35. The trouble with the z_off_t
change is that it is an ABI break and that it does not play well with
various ffi interfaces. For example, Perl and Rust break on ILP32 arches
with the system zlib.

Run through an i386 bulk by sthen and an i386 regress by bluhm, thanks.

ok bluhm

2 years agoAdd a pool for the allocation of the pf_anchor struct.
mbuhl [Wed, 20 Jul 2022 09:33:11 +0000 (09:33 +0000)]
Add a pool for the allocation of the pf_anchor struct.
It was possible to exhaust kernel memory by repeatedly calling
pfioctl DIOCXBEGIN with different anchor names.
OK bluhm@
Reported-by: syzbot+9dd98cbce69e26f0fc11@syzkaller.appspotmail.com
2 years agoRemove tls_buffer_set_data() and remove/revise callers.
jsing [Wed, 20 Jul 2022 06:32:24 +0000 (06:32 +0000)]
Remove tls_buffer_set_data() and remove/revise callers.

There is no way that tls_buffer_set_data() can currently work in
conjunction with tls_buffer_expand(). This fact is currently hidden by the
way that PHH works, which reads the same data from the record layer (which
it needs to do anyway, since we may not have all of the handshake message
in a single record).

Since this is broken, mop it up and change the PHH callback to not provide
the record data.

ok beck@ tb@

2 years agoCorrect server-side handling of TLSv1.3 key updates.
jsing [Wed, 20 Jul 2022 06:20:44 +0000 (06:20 +0000)]
Correct server-side handling of TLSv1.3 key updates.

The existing code updates the correct secret, however then sets it for the
wrong direction. Fix this, while untangling the code and consistenly using
'read' and 'write' rather than 'local' and 'peer'.

ok beck@ tb@

2 years agothe _pad_ system calls from 2021/12/23 can go away
deraadt [Wed, 20 Jul 2022 05:56:34 +0000 (05:56 +0000)]
the _pad_ system calls from 2021/12/23 can go away
ok guenther

2 years agosync
deraadt [Wed, 20 Jul 2022 05:55:38 +0000 (05:55 +0000)]
sync

2 years agothe _pad_ system calls from 2021/12/23 can go away
deraadt [Wed, 20 Jul 2022 05:55:08 +0000 (05:55 +0000)]
the _pad_ system calls from 2021/12/23 can go away
ok guenther

2 years agossh-keygen: fix touch prompt, pin retries;
djm [Wed, 20 Jul 2022 03:33:22 +0000 (03:33 +0000)]
ssh-keygen: fix touch prompt, pin retries;

part of GHPR329 from Pedro Martelletto

2 years agosk-usbhid: preserve error code returned by key_lookup()
djm [Wed, 20 Jul 2022 03:31:42 +0000 (03:31 +0000)]
sk-usbhid: preserve error code returned by key_lookup()
it conveys useful information, such as the supplied pin being wrong.

Part of GHPR329 from Pedro Martelletto

2 years agocrank SSH_SK_VERSION_MAJOR to match
djm [Wed, 20 Jul 2022 03:29:43 +0000 (03:29 +0000)]
crank SSH_SK_VERSION_MAJOR to match

2 years agowhen enrolling a resident key on a security token, check if a
djm [Wed, 20 Jul 2022 03:29:14 +0000 (03:29 +0000)]
when enrolling a resident key on a security token, check if a
credential with matching application and user ID strings already
exists. if so, prompt the user for confirmation before overwriting
the credential.

patch from Pedro Martelletto via GHPR329

NB. cranks SSH_SK_VERSION_MAJOR, so any third-party FIDO middleware
implementations will need to adjust

2 years agopull passphrase reading and confirmation into a separate function
djm [Wed, 20 Jul 2022 03:13:04 +0000 (03:13 +0000)]
pull passphrase reading and confirmation into a separate function
so it can be used for FIDO2 PINs; no functional change

2 years agoFix up tx ring slot calculations so we store the mbuf and dma map with
jmatthew [Tue, 19 Jul 2022 21:49:22 +0000 (21:49 +0000)]
Fix up tx ring slot calculations so we store the mbuf and dma map with
the last slot of the packet rather than the first slot of the next.

ok dlg@

2 years agozap trailing spaces
tb [Tue, 19 Jul 2022 20:16:50 +0000 (20:16 +0000)]
zap trailing spaces

2 years agofix indent
tb [Tue, 19 Jul 2022 20:15:19 +0000 (20:15 +0000)]
fix indent

2 years agoObjects are only set to ready if both their parent region and their
martijn [Tue, 19 Jul 2022 19:25:42 +0000 (19:25 +0000)]
Objects are only set to ready if both their parent region and their
(optional) indices are ready. However, indices in another region than the
object can be made ready at a later time. These indices should then trigger
the ready state in their related objects.

This didn't happen for dynamic indices.

OK sthen@

2 years agoRegenerate golden numbers due to RC4-MD5 now being disabled by default.
tb [Tue, 19 Jul 2022 18:56:12 +0000 (18:56 +0000)]
Regenerate golden numbers due to RC4-MD5 now being disabled by default.

2 years agoDisallow MD5 and SHA-1 HMACs depending on the security level
tb [Tue, 19 Jul 2022 18:55:12 +0000 (18:55 +0000)]
Disallow MD5 and SHA-1 HMACs depending on the security level

Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and
using a SHA-1 HMAC is disallowed on security levels >= 4. This disables
RC4-MD5 by default.

ok jsing

2 years agoAdd log_debug() and pt_getaddr() dummy functions because prefix_set_dmetric()
claudio [Tue, 19 Jul 2022 16:27:59 +0000 (16:27 +0000)]
Add log_debug() and pt_getaddr() dummy functions because prefix_set_dmetric()
depends on them. Not ideal but I hope to fix the real issue in the near future.
Noticed by anton@

2 years agoAvoid unnecessary loops in BN_generate_prime_ex()
tb [Tue, 19 Jul 2022 16:19:19 +0000 (16:19 +0000)]
Avoid unnecessary loops in BN_generate_prime_ex()

Since there is nothing randomized in bn_is_prime_bpsw(), the concept
of rounds makes no sense. Apply a minimal change for now that avoids
expensive loops that won't change the outcome in case we found a
probable prime.

ok jsing

2 years agoDocument -tls1_{1,2,3} in openssl ciphers
tb [Tue, 19 Jul 2022 16:08:09 +0000 (16:08 +0000)]
Document -tls1_{1,2,3} in openssl ciphers

ok jsing

2 years agoAllow displaying ciphers according to protocol version
tb [Tue, 19 Jul 2022 16:07:35 +0000 (16:07 +0000)]
Allow displaying ciphers according to protocol version

Instead of only using the default client method, allow selecting a
specific protocol version and display the supported ciphers accordingly.
This removes the noop status of -tls1 and adds -tls1_{1,2,3} as in
other commands.

ok jsing

2 years agoDo a minimal check that the passed in option is inside the ASPATH segment.
claudio [Tue, 19 Jul 2022 13:03:09 +0000 (13:03 +0000)]
Do a minimal check that the passed in option is inside the ASPATH segment.
Check both for negative pos and for pos bigger or equal to the segment length
With and OK tb@

2 years agoUse kf for all struct kroute_full variables. Makes code more consistent.
claudio [Tue, 19 Jul 2022 10:26:19 +0000 (10:26 +0000)]
Use kf for all struct kroute_full variables. Makes code more consistent.
OK tb@

2 years agoUse sysctl CTL_NET.PF_INET6 to check if IPv6 is available or not.
claudio [Tue, 19 Jul 2022 09:25:44 +0000 (09:25 +0000)]
Use sysctl CTL_NET.PF_INET6 to check if IPv6 is available or not.
With this sysconf(3) no longer needs the inet pledge.
The kernel has been updated for this for a while now.
OK sthen@ deraadt@

2 years agoDo not ignore the "off" flag when checking if a pane should be stopped,
nicm [Tue, 19 Jul 2022 07:10:13 +0000 (07:10 +0000)]
Do not ignore the "off" flag when checking if a pane should be stopped,
GitHub issue 3250.

2 years agoProcess modifiers as bits rather than using a switch, from Koichi Murase.
nicm [Tue, 19 Jul 2022 06:51:31 +0000 (06:51 +0000)]
Process modifiers as bits rather than using a switch, from Koichi Murase.

2 years agoFix memory leak, from Gabriel Souza Franco.
nicm [Tue, 19 Jul 2022 06:46:57 +0000 (06:46 +0000)]
Fix memory leak, from Gabriel Souza Franco.

2 years agouse syntax which more acceptable to older compilers
deraadt [Mon, 18 Jul 2022 23:09:44 +0000 (23:09 +0000)]
use syntax which more acceptable to older compilers
discussed with tb

2 years agoCheck if there is a locally cached nameserver to send before responding
tobhe [Mon, 18 Jul 2022 19:32:16 +0000 (19:32 +0000)]
Check if there is a locally cached nameserver to send before responding
to RTP_PROPOSAL_SOLICIT.  Fixes a crash when resolvd is restarted but
no name server is set.

2 years agoRestrict pledge("vminfo") callers to read-only swapctl(2) operations.
jca [Mon, 18 Jul 2022 18:02:27 +0000 (18:02 +0000)]
Restrict pledge("vminfo") callers to read-only swapctl(2) operations.

Those are the read-only operations allowed for non-root users:
SWAP_NSWAP and SWAP_STATS.  Users of pledge("vminfo") in base which also
call swapctl(2) with said commands: top(1) and pstat(8).

No regression spotted with top(1) and pstat(8) -s/-T.

ok deraadt@

2 years agoDelete the YPACTIVE toggling code when "getpw" code access/open are done to
deraadt [Mon, 18 Jul 2022 17:45:46 +0000 (17:45 +0000)]
Delete the YPACTIVE toggling code when "getpw" code access/open are done to
/var/run/ypbind.lock.  "getpw" is now only allows ypconnect(2) and the minimum
unveil bypasses.
Still allow open/acesss to file for a little while, because getpwent/getgrent/etc
were opening it unconditionally to hint for YPACTIVE.
That code should be deleted before 7.2

2 years agoSynch 'help' command descriptions with man page descriptions.
krw [Mon, 18 Jul 2022 15:06:22 +0000 (15:06 +0000)]
Synch 'help' command descriptions with man page descriptions.

Put 'setpid' description in correct place in COMMAND MODE
command list. i.e. in same order as ask_cmd() will parse
it.

Simplify ask_cmd() by displaying prompt in edit loop
rather than passing editlevel to ask_cmd().

No intentional functional change.

2 years agoRemove warning messages that add nothing in the situation they occure.
claudio [Mon, 18 Jul 2022 13:56:41 +0000 (13:56 +0000)]
Remove warning messages that add nothing in the situation they occure.

If the RDE dies this is logged before but the error messages from
imsg_rde() may be called a couple of times before the SE has a chance
to exit.
OK tb@

2 years ago'quit' and 'exit' descriptions were reversed.
krw [Mon, 18 Jul 2022 13:46:19 +0000 (13:46 +0000)]
'quit' and 'exit' descriptions were reversed.

Tweak 'abort' description to emphasize discarding
of changes.

2 years agoCompile octeon kernels with -march=mips64r2
visa [Mon, 18 Jul 2022 12:48:35 +0000 (12:48 +0000)]
Compile octeon kernels with -march=mips64r2

Even though -march=octeon seems to work, avoid it for now. It is
not entirely certain that the compiler will not use cnMIPS special
registers accidentally in normal kernel code.

Discussed with and OK miod@

2 years agoRemove locks description duplicate. No functional changes.
mvs [Mon, 18 Jul 2022 10:55:20 +0000 (10:55 +0000)]
Remove locks description duplicate. No functional changes.

2 years agoDo not fatalx() when calculating the dmetric and the result is negative.
claudio [Mon, 18 Jul 2022 09:42:46 +0000 (09:42 +0000)]
Do not fatalx() when calculating the dmetric and the result is negative.

The list of invalid prefixes is not properly sorted and when those prefixes
all become valid the list is not properly sorted until the nexthop update
pass is done. Found the hard way by myself.
OK tb@ benno@

2 years agoRevert accidental commit
tb [Mon, 18 Jul 2022 09:17:44 +0000 (09:17 +0000)]
Revert accidental commit

2 years agoAdd comments to explain the magic numbers 57 and 58
tb [Mon, 18 Jul 2022 09:15:08 +0000 (09:15 +0000)]
Add comments to explain the magic numbers 57 and 58

2 years agoAvoid sending the QUIC transport parameters extension now that we
tb [Mon, 18 Jul 2022 08:36:47 +0000 (08:36 +0000)]
Avoid sending the QUIC transport parameters extension now that we
send an unsupported extension alert.

Noted by anton

2 years agothe domainname is under root control, but because we are producing a path
deraadt [Mon, 18 Jul 2022 04:42:37 +0000 (04:42 +0000)]
the domainname is under root control, but because we are producing a path
inside ypconnect(), it is best if we prevent "../" problems.  so reject
domainnames containing '/.
discussed with jca

2 years agoFor opening up the bindings file in ypconnect(2), bail out early
deraadt [Mon, 18 Jul 2022 03:02:05 +0000 (03:02 +0000)]
For opening up the bindings file in ypconnect(2), bail out early
if chrooted
issue pointed out by semarie

2 years agoypbinding should not be intrude to application namespace.
deraadt [Mon, 18 Jul 2022 02:32:11 +0000 (02:32 +0000)]
ypbinding should not be intrude to application namespace.
spotted by guenther

2 years agouse same way of reporting error as yp_bind.c
deraadt [Mon, 18 Jul 2022 02:31:19 +0000 (02:31 +0000)]
use same way of reporting error as yp_bind.c
Though really, should we be splatting to stdout/stderr?  The mysteries
of ancient code...

2 years agoHandle X509_check_purpose(3) and EVP_get_digestbyobj(3)
kn [Sun, 17 Jul 2022 19:40:38 +0000 (19:40 +0000)]
Handle X509_check_purpose(3) and EVP_get_digestbyobj(3)

OK tb

2 years agoRevert the changes made in rev 1.82. It is important to use pmap_enter(9)
kettenis [Sun, 17 Jul 2022 17:59:35 +0000 (17:59 +0000)]
Revert the changes made in rev 1.82.  It is important to use pmap_enter(9)
and pmap_remove(9) here since we're dealing with managed pages here.  Found
out the hard way by deraadt@ on landisk where we're running into issues
with virtual cache aliases because multiple mappings exist for the
pages we're dealing with here.  The pmap_enter(9) and pmap_remove(9)
functions handle conflicting cache aliases, whereas pmap_map_direct(9) and
pmap_kenter_pa(9) assume that the pages is exclusively mapped in the kernel
pmap.

ok deraadt@

2 years agoAdd initial support for ESSCertIDv2 verification
kn [Sun, 17 Jul 2022 17:00:44 +0000 (17:00 +0000)]
Add initial support for ESSCertIDv2 verification

Based on OpenSSL commit f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2
"Added support for ESSCertIDv2".

This makes TS validation work in the new security/libdigidocpp port.

Input OK tb

2 years agoDisable TLSv1.3 middlebox compatibility mode for QUIC connections.
jsing [Sun, 17 Jul 2022 15:51:06 +0000 (15:51 +0000)]
Disable TLSv1.3 middlebox compatibility mode for QUIC connections.

This is required by RFC 9001.

ok tb@

2 years agoPass SSL pointer to tls13_ctx_new().
jsing [Sun, 17 Jul 2022 15:49:20 +0000 (15:49 +0000)]
Pass SSL pointer to tls13_ctx_new().

struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can
set up various pointers, rather than duplicating this in
tls13_legacy_accept() and tls13_legacy_connect().

ok tb@

2 years agoRevise regress for QUIC transport parameters TLS extension.
jsing [Sun, 17 Jul 2022 14:57:05 +0000 (14:57 +0000)]
Revise regress for QUIC transport parameters TLS extension.

2 years agoCorrect handling of QUIC transport parameters extension.
jsing [Sun, 17 Jul 2022 14:54:10 +0000 (14:54 +0000)]
Correct handling of QUIC transport parameters extension.

Remove duplicate U16 length prefix, since tlsext_build() already adds this
for us. Condition on SSL_is_quic() rather than TLS version - RFC 9001 is
clear that this extension is only permitted on QUIC transport and an
fatal unsupported extension alert is required if used elsewhere.
Additionally, at the point where extensions are parsed, we do not
necessarily know what TLS version has been negotiated.

ok beck@ tb@