openbsd
afresh1 [Tue, 16 Feb 2021 15:13:15 +0000 (15:13 +0000)]
Revert previous hash alignment fix

Unintentionally changes ABI and breaks perl ports

deraadt [Tue, 16 Feb 2021 14:21:53 +0000 (14:21 +0000)]
sync

mglocker [Tue, 16 Feb 2021 13:50:46 +0000 (13:50 +0000)]
Enable multiple opens of a video(4) device as described in the V4L2
specification:

https://www.kernel.org/doc/html/v5.10/userspace-api/media/v4l/open.html#f1

The discussion has been started by jca@, who has implemented this
behavior recently, but limited to the same process.  This diff extends
this behavior to any process.  The first process which opens a stream
will become the device owner.  Other processes are still allowed to call
certain ioctls, but none which are related to the start/stop of a
stream, or manipulation of the streaming buffers.  At the moment only
VIDIOC_G_CTRL and VIDIOC_S_CTRL are supported to be called by non-
device owner processes, which should be extended further in the future.

There is no additional kernel locking implemented at the moment, since
video(4) already runs under the KERNEL_LOCK(), which we expect to be
sufficient for now (as discussed with claudio@).

A lot of improvement input received from anton@.

ok anton@

kettenis [Tue, 16 Feb 2021 12:33:22 +0000 (12:33 +0000)]
Introduce BUS_SPACE_MAP_POSTED such that we can distinguish between
posted and non-posted device memory mappings and set the right memory
attributes for them.  Needed because on the Apple M1 using the wrong
mapping will fault.

ok patrick@, dlg@

mpi [Tue, 16 Feb 2021 09:10:17 +0000 (09:10 +0000)]
Comments & style cleanup, no functional change intended.

- Sync comments with NetBSD including locking details.
- Remove superfluous parenthesis and spaces.
- Add brackets, even if questionable, to reduce diff with NetBSD
- Use for (;;) instead of while(1)
- Rename a variable from 'result' into 'error'.
- Move uvm_fault() and uvm_fault_upper_lookup()
- Add a locking assert in uvm_fault_upper_lookup()

ok tb@, mlarkin@

job [Tue, 16 Feb 2021 08:53:53 +0000 (08:53 +0000)]
Print AIA in rpki-client test utility

claudio [Tue, 16 Feb 2021 08:52:00 +0000 (08:52 +0000)]
Rework the repository handling. Split the handling of trust anchors into
ta_lookup() while regular repositories (to fetch .mft files) are handled
by repo_lookup(). Also the cache directory layout changed; moving the
trust anchors to ./ta/{tal basename}/ the other repositories end up in
./rsync/
OK tb@

claudio [Tue, 16 Feb 2021 08:30:21 +0000 (08:30 +0000)]
Add `bgpctl show rtr` to display basic information about RTR sessions.
OK job@

claudio [Tue, 16 Feb 2021 08:29:16 +0000 (08:29 +0000)]
Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@

job [Tue, 16 Feb 2021 07:58:30 +0000 (07:58 +0000)]
get Authority Information Access (AIA) from CA & EE certs

In the context of the RPKI, the AIA extension identifies the publication
point of the certificate of the issuer of the certificate in which the
extension appears. A single reference to the publication point of the
immediate superior certificate MUST be present, except for a
"self-signed" certificate.

Thanks tb@ for review

OK claudio@

dlg [Tue, 16 Feb 2021 03:12:32 +0000 (03:12 +0000)]
use rtalloc_mpath in pf_route and pf_route6.

if you have multiple links to the same destination, this will let
you use them with route-to/reply-to/dup-to.

ok claudio@

afresh1 [Tue, 16 Feb 2021 02:12:52 +0000 (02:12 +0000)]
Backport upstream perl 64bit hash alignment fixes

Different flags triggering new compiler optimizations means that
luck has run out on this working by chance with the strict alignment
of octeon.

Upstream issue:
https://github.com/Perl/perl5/issues/18555

This is a combination of three commits from upstream.
https://github.com/Perl/perl5/commit/d18575f18c6ee61ce80492e82cae7361358d570a
https://github.com/Perl/perl5/commit/6027b190154088fbbcbde08a80c49531e4e4c012
https://github.com/Perl/perl5/commit/f43079cb514e3d0be0036424695438ae3fb58451

works on all arch deraadt@

deraadt [Tue, 16 Feb 2021 00:03:54 +0000 (00:03 +0000)]
some phy are not needed anymore since the ethernet drivers went away

tobhe [Mon, 15 Feb 2021 20:53:24 +0000 (20:53 +0000)]
Fix invalid config error in run-psk-fail.

kettenis [Mon, 15 Feb 2021 20:44:08 +0000 (20:44 +0000)]
While it should be possible to use "normal uncachable" mappings for
write-combining on arm64 as Linux does, this doesn't seem to work on
NXP's LX2160A SoC.  So switch to using "device" mappings for now to
make amdgpu(4) work better.

ok patrick@

markus [Mon, 15 Feb 2021 20:43:15 +0000 (20:43 +0000)]
ssh: add PermitRemoteOpen for remote dynamic forwarding with SOCKS
ok djm@, dtucker@

markus [Mon, 15 Feb 2021 20:36:35 +0000 (20:36 +0000)]
factor out opt_array_append; ok djm@

krw [Mon, 15 Feb 2021 19:33:21 +0000 (19:33 +0000)]
Extraneous blank line.

mvs [Mon, 15 Feb 2021 19:01:30 +0000 (19:01 +0000)]
Simplify error path in route_attach(). We always call it in thread
context so we always have `curproc'. Also protocol control block is not
required for soreserve() so we can do it before `rop' allocation.

ok bluhm@

jsing [Mon, 15 Feb 2021 17:57:58 +0000 (17:57 +0000)]
Only print the certificate file once on verification failure.

Noted by Steffen Ullrich.

ok tb@

nicm [Mon, 15 Feb 2021 14:22:35 +0000 (14:22 +0000)]
Make SGR 6 (rapid blink) the same as SGR 5 (blink) and make SGR 21
the same as SGR 4:2, it is an old alternative. GitHub issue 2567.

krw [Mon, 15 Feb 2021 14:20:11 +0000 (14:20 +0000)]
Rework tick_msg() to make messages displayed during startup more
reliable and consistent.

Eliminate unused time_t parameter since we only tick during the first
link_timeout seconds. Replace it with 'action' parameter to clearly
indicate what tick_msg() is supposed to do.

Fix issuance of '\n' before log_debug() messages. Properly
reinitialize static variables.

Use more precise 'timespec' timers, hewing to idiom suggested by
cheloha@.

mpi [Mon, 15 Feb 2021 12:12:54 +0000 (12:12 +0000)]
Fix double unlock in uvmfault_anonget().

Reported by and ok jsg@

mglocker [Mon, 15 Feb 2021 11:26:00 +0000 (11:26 +0000)]
Back-out USB data toggle fix for HID devices, since we received multiple
reports about broken devices, e.g. for ukbd(4) and fido(4).

ok mpi@

dlg [Mon, 15 Feb 2021 11:09:22 +0000 (11:09 +0000)]
ProxyJump takes "none" to disable processing like ProxyCommand does

ok djm@ jmc@

nicm [Mon, 15 Feb 2021 09:39:37 +0000 (09:39 +0000)]
Support X11 colour names and some other variations for OSC 10/11, also
add OSC 110 and 111. GitHub issue 2567.

mpi [Mon, 15 Feb 2021 09:35:59 +0000 (09:35 +0000)]
Move single_thread_set() out of KERNEL_LOCK().

Use the SCHED_LOCK() to ensure `ps_thread' isn't being modified by a sibling
when entering tsleep(9) w/o KERNEL_LOCK().

ok visa@

semarie [Mon, 15 Feb 2021 07:06:03 +0000 (07:06 +0000)]
distrib: arm64: avoid customization in mr.fs target

arm64 ramdisk has customization in mr.fs target, in order to create
usr/mdec/pine64 and usr/mdec/rpi directories (files will be copied
inside them by runlist.sh).

uses MKDIR directive to create these directories instead of.

it puts back mr.fs target identical to other archs.

ok deraadt@

deraadt [Mon, 15 Feb 2021 06:59:03 +0000 (06:59 +0000)]
Things are too tight.  Retaining even those two symbols is too much.
When dealing with install floppies, the Makefiles will need to carry
some differences.

dlg [Mon, 15 Feb 2021 03:42:00 +0000 (03:42 +0000)]
move the rearming of the cq after the refill of the rq.

this is the only real diff we have left outstanding on a box that
experienced rx lockups. since adding this change it's been happy
for the last 4 weeks and counting so far.

ok jmatthew@

kettenis [Sun, 14 Feb 2021 19:24:38 +0000 (19:24 +0000)]
Enable clocks and adjust for removal of subnodes in upstream Linux
device trees.

kettenis [Sun, 14 Feb 2021 19:23:58 +0000 (19:23 +0000)]
Enable clocks.

kettenis [Sun, 14 Feb 2021 19:22:44 +0000 (19:22 +0000)]
Raise match priority to beat syscon(4).
Use the right clock for the Cortex-A7 cores.
Support CPU clocks and remove exclock_cpuspeed().

ok patrick@

kettenis [Sun, 14 Feb 2021 17:21:16 +0000 (17:21 +0000)]
regen

kettenis [Sun, 14 Feb 2021 17:20:47 +0000 (17:20 +0000)]
Add a few more devices that show up on the Apple M1 mini.

ok patrick@, deraadt@

semarie [Sun, 14 Feb 2021 17:14:42 +0000 (17:14 +0000)]
distrib: restore rdsetroot -x usage (extract the disk.fs image) on stripped bsd.rd

It passes options to keep rd_root_size and rd_root_image symbols while
stripping. These symbols are the ones used by rdsetroot to insert or
extract disk image into RAMDISK.

ok danj@ deraadt@

semarie [Sun, 14 Feb 2021 17:11:02 +0000 (17:11 +0000)]
distrib: use ${MACHINE} instead of hardcoded value

ok deraadt@

mortimer [Sun, 14 Feb 2021 16:16:02 +0000 (16:16 +0000)]
Shuffle how lldb register contexts are built.

Instead of using #if defined(__arch__) to include / exclude the entire contents
of the NativeRegisterContext implementations, use a single NativeRegisterContextOpenBSD_arch
which includes the right arch specific register context, and provides a dummy implementation
for unsupported architectures.

This allows building lldb on architectures which do not have a register context implementation
so it can be used as a remote client.

ok patrick@

anton [Sun, 14 Feb 2021 14:41:35 +0000 (14:41 +0000)]
Postpone installation of the periodic sensor task until at least one
device has connected.

anton [Sun, 14 Feb 2021 14:40:38 +0000 (14:40 +0000)]
Bail out earlier during attach if no devices are paired with the
receiver.

anton [Sun, 14 Feb 2021 14:39:25 +0000 (14:39 +0000)]
Enumerate all features supported by a device on connect.
Should help diagnose various reports regarding missing battery sensors.

kettenis [Sun, 14 Feb 2021 13:39:24 +0000 (13:39 +0000)]
Introduce variables to deal with bit layout differences in the UFSTAT
register.  Use 32-bit reads and writes to access the URXH and UTXH
registers.  They're documented as 32-bit registers in the Exynos 4 and
Exynos 5 User Manuals and accessing URXH with an 8-bit read triggers a
fault on Apple's M1 SoC.

ok patrick@

kettenis [Sun, 14 Feb 2021 10:57:40 +0000 (10:57 +0000)]
Recent device trees have the syscon-reboot and syscon-poweroff nodes as
children of the node claimed by expower(4).  That node also gained a
"syscon" compatible in the process.  Deal with these changes.

ok patrick@

jsg [Sun, 14 Feb 2021 03:42:55 +0000 (03:42 +0000)]
correct drm work flush behaviour

Don't set taskq to system_wq in INIT_WORK().  Test if taskq pointer is
non-NULL before calling taskq_barrier() in flush functions.

fixes a black screen on boot problem with 5.10.y drm using nano x1
bisected by jcs@ to
'drm/i915: Always flush the active worker before returning from the wait'

mortimer [Sat, 13 Feb 2021 21:33:54 +0000 (21:33 +0000)]
Cleanup lldb amd64 support.

- Remove watchpoint support since we do not support hardware watchpoints.

- Support floating point registers in the ReadAll/WriteAll interface.

- Standardize the sizes used in GetGPRSize() and GetFPRSize() to correspond
  to the sizes we get from ptrace.

- Fix the r/w of the mmx registers to map onto the st fp registers instead
  of xmm registers.

- Normalize some variable names to be architecture neutral.

ok patrick@

semarie [Sat, 13 Feb 2021 18:52:08 +0000 (18:52 +0000)]
distrib: remove .comment section systematically

remove this section as part of crunchgen generated commands.
it avoids calling "strip -R .comment" for some but not all architectures.

ok deraadt@ danj@

semarie [Sat, 13 Feb 2021 18:48:23 +0000 (18:48 +0000)]
distrib: remove .SUNW_ctf only on kernels

the .SUNW_ctf section is added by ctfstrip(1), which is only used for kernels.

ok deraadt@ danj@

semarie [Sat, 13 Feb 2021 18:46:52 +0000 (18:46 +0000)]
distrib: merge "cp a b; strip b" to "objcopy -S a b"

ok deraadt@ danj@

semarie [Sat, 13 Feb 2021 18:44:17 +0000 (18:44 +0000)]
distrib: remove duplicate strip(1) calls

"strip -R section" command runs "strip" (without option) as well.
there is no need to call both.

(binaries checked with sha1)

original diff from danj@

ok deraadt@

semarie [Sat, 13 Feb 2021 18:41:52 +0000 (18:41 +0000)]
distrib: merge objcopy -Sg and strip commands

in the command "objcopy -Sg", the -g option (STRIP_DEBUG) overrides
the -S option (STRIP_ALL). so it is the same as "objcopy -g".

"strip" command without option is doing STRIP_ALL.

merge both commands to "objcopy -S"

ok deraadt@ danj@

semarie [Sat, 13 Feb 2021 18:39:40 +0000 (18:39 +0000)]
distrib: remove STRIPOPTS variable from alpha and sparc64 Makefile

ok deraadt@ danj@

visa [Sat, 13 Feb 2021 17:12:38 +0000 (17:12 +0000)]
Revise cnmac(4)'s address filter setup

Set up the DMAC filter in one go instead of doing it separately for
unicast and multicast DMACs. This attempts to make the code a little
more readable. The setup should now run a bit faster as well because
it now does fewer register accesses.

Tested on CN5020, CN6120 and CN7130.

tobhe [Sat, 13 Feb 2021 16:14:12 +0000 (16:14 +0000)]
Add dynamic address configuration for roadwarrior clients.
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.

Input from sthen@ and claudio@
ok patrick@

jmc [Sat, 13 Feb 2021 08:07:48 +0000 (08:07 +0000)]
-h does not display version; from larry hynes

jmc [Sat, 13 Feb 2021 08:05:57 +0000 (08:05 +0000)]
readability fixes; from larry hynes

jmc [Sat, 13 Feb 2021 07:59:54 +0000 (07:59 +0000)]
various readability fixes; from larry hynes

mlarkin [Sat, 13 Feb 2021 07:56:26 +0000 (07:56 +0000)]
Fix some wrong comments and KNF/long line wraps

mlarkin [Sat, 13 Feb 2021 07:55:38 +0000 (07:55 +0000)]
Fix a comment

mlarkin [Sat, 13 Feb 2021 07:47:37 +0000 (07:47 +0000)]
Remove trailing whitespace

No code/functional change

mlarkin [Sat, 13 Feb 2021 07:46:44 +0000 (07:46 +0000)]
Remove trailing whitespace

No code/functional change

jmc [Sat, 13 Feb 2021 07:37:13 +0000 (07:37 +0000)]
various readability fixes; from larry hynes

jmc [Sat, 13 Feb 2021 07:28:50 +0000 (07:28 +0000)]
add some missing articles; from larry hynes

jmc [Sat, 13 Feb 2021 07:26:18 +0000 (07:26 +0000)]
readability fix; from larry hynes

jmc [Sat, 13 Feb 2021 07:20:49 +0000 (07:20 +0000)]
comma swap; from larry hynes

jsg [Sat, 13 Feb 2021 02:29:39 +0000 (02:29 +0000)]
change documented drm nodes to /dev/dri/ and mention powerpc64

tobhe [Fri, 12 Feb 2021 19:30:34 +0000 (19:30 +0000)]
Fix local and peer addresses in policy lookup for dangling SAs
after ikectl reload.

ok patrick@

deraadt [Fri, 12 Feb 2021 19:01:45 +0000 (19:01 +0000)]
sync

deraadt [Fri, 12 Feb 2021 17:03:51 +0000 (17:03 +0000)]
Some people still argue that rand(3) and random(3) have suitable deterministic
use cases, so explain the situation a bit more.  Since the 80's, I estimate
around 5 algorithm changes, so any chosen seed is unrepeatable UB.

+The deterministic sequence algorithm changed a number of times since
+original development, is underspecified, and should not be relied upon to
+remain consistent between platforms and over time.

ok jmc kettenis

patrick [Fri, 12 Feb 2021 16:16:10 +0000 (16:16 +0000)]
pf_remove_divert_state() is an entry point into pf, modifying the pf state
table.  Hence we have to grab both the pf lock and the pf state lock.

Found by dlg@
ok bluhm@ sashan@

sthen [Fri, 12 Feb 2021 14:20:15 +0000 (14:20 +0000)]
Xr to ssl(8) which has clues about EC key generation that are still useful
to acme-client users.

sthen [Fri, 12 Feb 2021 14:19:11 +0000 (14:19 +0000)]
Tweak ssl(8)'s text about EC generation. Streamline by using "ecparam
-genkey" rather than separately generating parameters and key. Give a
clue that some CAs accept only prime256v1. Show the user where to stop
if they're just generating a private key for acme-client and therefore
don't need to generate a csr or cert manually. Add xr to acme-client(1)
suggested by tb@.

ok jmc tb

bluhm [Fri, 12 Feb 2021 13:48:31 +0000 (13:48 +0000)]
Fix null pointer dereference in pf_route6().  Embedding scope into
addresses that come from pf cannot be right, so remove the code.
Coverity CID 1501718
OK dlg@ claudio@

sthen [Fri, 12 Feb 2021 12:16:53 +0000 (12:16 +0000)]
Sync cert.pem with Mozilla NSS root CAs, except "GeoTrust Global CA", ok tb@

Notably this update removes various old Symantec roots (GeoTrust,
thawte, VeriSign) that were set in NSS to be distrusted on 1/1/2021.
Nobody should have been using these for years; only certain subCAs
signed by these were valid in NSS in that time due to an exemption:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
Notably Apple's "Apple IST CA 2 - G1" which is still in use for
some endpoints (it is cross signed by another CA too but these
endpoints are publishing the GeoTrust intermediate cert).

So for now I have skipped removal of "GeoTrust Global CA" to avoid
affecting these sites. Debian ran into this when they updated their
cert database and had to back this part out, affected sites are
not reachable on Android Firefox and maybe other newer Firefoxes.
Some sites that were affected have moved to a different CA in the
last few days but others, notably api.push.apple.com, remain
(I can only guess that there is a complicated problem involved,
possibly cert pinning on old devices - the clock is ticking though
as this expires in May 2022 anyway ;)

Additions:

/C=RO/O=CERTSIGN SA/OU=certSIGN ROOT CA G2
/C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno Root CA 2017
/C=KR/O=NAVER BUSINESS PLATFORM Corp./CN=NAVER Global Root Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority
/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority

Removals:

/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=TW/O=Government Root Certification Authority
/C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2
/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA

otto [Fri, 12 Feb 2021 12:03:39 +0000 (12:03 +0000)]
A few more flag combos to test

jsg [Fri, 12 Feb 2021 10:28:55 +0000 (10:28 +0000)]
sync

jsg [Fri, 12 Feb 2021 10:26:33 +0000 (10:26 +0000)]
create /dev/ drm nodes with the same names as linux

This was proposed by Emil Velikov to simplify libdrm and will remove the
need for some patches in ports.

/dev/drm0 -> /dev/dri/card0
/dev/drmR128 -> /dev/dri/renderD128

The previous names will remain for a period of time and will later be
removed.  Major and minor numbers remain the same.

libdrm will not be changed to use the new names until known privsep
and sandbox use has been updated to allow the new names.

ok deraadt@

deraadt [Fri, 12 Feb 2021 08:17:33 +0000 (08:17 +0000)]
do not need 66 keys anymore

nicm [Fri, 12 Feb 2021 06:52:48 +0000 (06:52 +0000)]
Do not care about the server socket closing if exiting anyway.

djm [Fri, 12 Feb 2021 03:49:09 +0000 (03:49 +0000)]
sftp: add missing lsetstat@openssh.com documentation
patch from Mike Frysinger

djm [Fri, 12 Feb 2021 03:14:18 +0000 (03:14 +0000)]
factor SSH_AGENT_CONSTRAIN_EXTENSION parsing into its own function
and remove an unused variable; ok dtucker@

patrick [Thu, 11 Feb 2021 23:55:48 +0000 (23:55 +0000)]
Call exuart(4) early attach on arm64.

ok kettenis@

patrick [Thu, 11 Feb 2021 23:54:40 +0000 (23:54 +0000)]
Enable exuart(4).

ok kettenis@

patrick [Thu, 11 Feb 2021 23:53:42 +0000 (23:53 +0000)]
Don't hardcode com(4)'s major number in exuart(4).

ok kettenis@

tobhe [Thu, 11 Feb 2021 22:02:41 +0000 (22:02 +0000)]
Explicitly unset IKED_REQ_CERTVALID before sending cert to ca process.

ok markus@

bluhm [Thu, 11 Feb 2021 21:09:56 +0000 (21:09 +0000)]
More route-to fallout in pfctl regress.

mvs [Thu, 11 Feb 2021 20:28:57 +0000 (20:28 +0000)]
sbdrop(): use NULL instead of 0 in pointer assignment

ok bluhm@

mvs [Thu, 11 Feb 2021 20:28:01 +0000 (20:28 +0000)]
We link `ifp' to `if_list' before we perform if_attachsetup(). It is not
fully initialized because we initialize `if_groups' after linking. It's
not triggered because if_attach() and if_unit(9) are serialized by
kernel lock and `ifp' is often filled by nulls. Move `if_groups'
initialization to if_attach_common() to prevent this.

ok bluhm@ claudio@ deraadt@

bluhm [Thu, 11 Feb 2021 19:41:05 +0000 (19:41 +0000)]
Link isakmpd dynamically.  Mount /usr on NFS via IPsec does not
work anyway.  Dynamic binaries help building errata, reduce disk
usage and make ROP harder.  Also remove an unused bsd.subdir.mk
include.
OK sthen@ mvs@ deraadt@ tobhe@ patrick@

deraadt [Thu, 11 Feb 2021 17:02:39 +0000 (17:02 +0000)]
When clang was changed to -fcommon, perl's P_hash_{seed,state} variables
moved into BSS in the .o, with padding rules following the types -- they
are both char[].  Since P_hash_seed is (system-dependent) not a multiple of 8,
P_hash_state gets laid out misaligned, which sucks because the hash functions
demand 64-bit alignment for both variables.  There is the possibility of using
misalignment macros, but this is not cheap.  Could also use kernel-trap fault
repair, but the performance would really suck for something so crucial.
The correct fix would be for upstream to declare these types as uint64[],
we have requested that in https://github.com/Perl/perl5/issues/18555
In the meantime, carry a diff to roundup P_hash_seed to 64-bit alignment so that
P_hash_state will land aligned.
ok afresh1

stsp [Thu, 11 Feb 2021 16:22:06 +0000 (16:22 +0000)]
Add missing break in switch statement of rge_activate().

CID 1501716

ok kevlo@
and mestre@ had the same diff

visa [Thu, 11 Feb 2021 14:44:13 +0000 (14:44 +0000)]
Leave out gp initialization from kernel entry on mips64

On OpenBSD/mips64, the kernel is compiled with -mno-abicalls. This
disables gp-relative addressing and essentially makes gp a spare
register in the kernel. Hence it is unnecessary to initialize gp when
entering the kernel. The _gp symbol is not needed either.

Suggested by miod@

otto [Thu, 11 Feb 2021 13:40:28 +0000 (13:40 +0000)]
"proc: table is full" actually means thread table is full; ok mpi@ sthen@

claudio [Thu, 11 Feb 2021 12:08:21 +0000 (12:08 +0000)]
In the various open functions reduce the fdplock() to only span over the
functions which need the lock (falloc, fdinsert, fdremove). In most cases
it is not correct to hold the lock while calling VFS functions or e.g.
closef since those acquire or release long lived VFS locks.
OK visa@ mvs@

mestre [Thu, 11 Feb 2021 11:57:32 +0000 (11:57 +0000)]
Initialize var since it's used in a condition a little bit afterwards.

CID 1501713

ok jmatthew@

anton [Thu, 11 Feb 2021 11:03:57 +0000 (11:03 +0000)]
Initialize the stack local device id variable correctly.

CID 1501705

patrick [Thu, 11 Feb 2021 10:41:19 +0000 (10:41 +0000)]
Swap faddr/laddr and fport/lport arguments in call to stoeplitz_ipXport().
Technically the whole point of the stoeplitz API is that it's symmetric,
meaning that the order of addresses and ports doesn't matter and will produce
the same hash value.

Coverity CID 1501717
ok dlg@

nicm [Thu, 11 Feb 2021 09:39:29 +0000 (09:39 +0000)]
Add a couple of helper functions, and flush imsgs on exit.

nicm [Thu, 11 Feb 2021 09:03:38 +0000 (09:03 +0000)]
O_TRUNC is needed in case file exists.

nicm [Thu, 11 Feb 2021 08:28:45 +0000 (08:28 +0000)]
Move file handling protocol stuff all into file.c so it can be reused
more easily.

anton [Thu, 11 Feb 2021 07:26:03 +0000 (07:26 +0000)]
Make room for handling of HID++ 1.0 devices. No functional change.