tb [Fri, 28 Apr 2023 15:16:48 +0000 (15:16 +0000)]
Deassert x509_policy_new()
Turn the check into an error which will make all callers error.
with beck
ok jsing
job [Fri, 28 Apr 2023 15:12:51 +0000 (15:12 +0000)]
Rearrange freeing of memory in the regress test
schwarze [Fri, 28 Apr 2023 15:04:33 +0000 (15:04 +0000)]
Reorder the text such that every function is discussed only once
instead of discussing some of them at two different places.
Also follow a more logical order: initialization first, then reading
and writing, then retrieving the digest and reinitialization.
Leave context handling and chain duplication at the end because
both are rarely needed.
While here, also tweak the wording of the shuffled text
and add some precision in a few places.
tb [Fri, 28 Apr 2023 14:45:51 +0000 (14:45 +0000)]
make the policy test compile on sparc64
phessler [Fri, 28 Apr 2023 14:09:06 +0000 (14:09 +0000)]
Inbound portion of RFC9131. Routers can create new neighbor cache entries
when receiving a valid Neighbor Advertisement.
OK florian@ kn@
sashan [Fri, 28 Apr 2023 14:08:38 +0000 (14:08 +0000)]
This change speeds up DIOCGETRULE ioctl(2) which pfctl(8) uses to
retrieve rules from kernel. The current implementation requires
like O((n^2)/2) operation to read the complete rule set, because
each DIOCGETRULE operation must iterate over previous n
rules to find (n + 1)-th rule to read.
To address the issue diff introduces a pf_trans structure to keep
pointer to next rule to read, thus reading process does not need
to iterate from beginning of rule set to reach the next rule.
All transactions opened by process get closed either when process
is done (reads all rules) or when /dev/pf device is closed.
the diff also comes with lots of improvements from dlg@ and kn@
OK dlg@, kn@
phessler [Fri, 28 Apr 2023 14:08:34 +0000 (14:08 +0000)]
Relax the "pass all" rule so all forms of neighbor advertisements are allowed
in either direction.
This more closely matches the IPv4 ARP behaviour.
From sashan@
discussed with kn@ deraadt@
job [Fri, 28 Apr 2023 13:48:38 +0000 (13:48 +0000)]
Add X509_REQ_add_extensions and to X509_REQ_add1_attr to DER cache test
These new tests won't bubble up a non-zero error exit code because
other libcrypto bits still need to land first.
claudio [Fri, 28 Apr 2023 13:24:25 +0000 (13:24 +0000)]
Same change as in bgpd:
Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@
claudio [Fri, 28 Apr 2023 13:23:52 +0000 (13:23 +0000)]
Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@
bluhm [Fri, 28 Apr 2023 12:53:42 +0000 (12:53 +0000)]
Add a membar_consumer() for the taskq_create() in sosplice(). Membar
producer and consumer must come in pair and the latter was missing.
Also move the code a bit to make clear which check is needed for
what.
OK mvs@
krw [Fri, 28 Apr 2023 12:26:43 +0000 (12:26 +0000)]
Move FSDISKTYPE uses from disklabel(8) invocations to vnconfig(8)
invocations, making the geometry information written to the
disklabel a bit more logically related to the disktab information
from whence it came. Also makes FSDISKTYPE usage consistent.
Flip the disklabel(8) invocations to the "echo '/ *'"
idiom to make it obvious that the desire is to create a single
'a' partition containing all free space.
No intentional functional change. MBRs, disklabels and newfs
outputs appear identical.
reads good to kn@
gnezdo [Fri, 28 Apr 2023 12:03:49 +0000 (12:03 +0000)]
Enable kernel-address sanitizer for clang openbsd target
OK deraadt@
claudio [Fri, 28 Apr 2023 10:24:38 +0000 (10:24 +0000)]
Implement --size-only and --ignore-times
Flags are passed to the remote system but --size-only is only set
if local system is sender since this is the behaviour of rsync.
Initial diff from Martin Cracauer but mostly reimplemented and extended
by myself.
OK kn@
kn [Fri, 28 Apr 2023 10:19:35 +0000 (10:19 +0000)]
Remove net lock from DIOCGETQUEUES
Both ticket and number of queues stem from the pf_queues_active list which
is effectively static to pf_ioctl.c and fully protected by the pf lock.
OK sashan
patrick [Fri, 28 Apr 2023 10:19:07 +0000 (10:19 +0000)]
Fix memory constraints in the inline-assembly stub that calls into secure
mode. Without this change the compiler doesn't realize that the memory
behind the array that contains the return values might have changed and
optimizes the access away. With this change it properly access the array
to retrieve the returned values.
ok drahn@
bluhm [Fri, 28 Apr 2023 10:18:57 +0000 (10:18 +0000)]
Remove error handling around mallocarray(9). I cannot fail when
called with M_WAITOK.
OK kevlo@
op [Fri, 28 Apr 2023 10:02:03 +0000 (10:02 +0000)]
fix lfindent (newline-and-indent) comment and description in the man page
for a while it has used only spaces when no-tab-mode is enabled and respected
the current buffer tab width.
tb [Fri, 28 Apr 2023 09:56:09 +0000 (09:56 +0000)]
Cleanup pass over x509_check_policy.c
This hoists variable declarations to the top and compiles with -Wshadow.
ok beck
op [Fri, 28 Apr 2023 09:50:50 +0000 (09:50 +0000)]
mark up all commands in the man page
beck [Fri, 28 Apr 2023 09:11:35 +0000 (09:11 +0000)]
Hook up the the x509 policy regression tests to x509 regress.
These were adapted from BoringSSL's regress tests for x509
policy. They are currently marked as expected to fail as
we have not enabled LIBRESSL_HAS_POLICY_DAG by default yet, and
the old tree based policy code from OpenSSL is special.
These tests pass when we build with LIBRESSL_HAS_POLICY_DAG.
beck [Fri, 28 Apr 2023 09:02:04 +0000 (09:02 +0000)]
Fix copyright, convert boringssl comments to C style
beck [Fri, 28 Apr 2023 08:53:20 +0000 (08:53 +0000)]
KNF
ok knfmt
beck [Fri, 28 Apr 2023 08:50:08 +0000 (08:50 +0000)]
remove unused code.
beck [Fri, 28 Apr 2023 08:45:50 +0000 (08:45 +0000)]
remove debugging printf
krw [Fri, 28 Apr 2023 08:45:24 +0000 (08:45 +0000)]
Retire -E's "expert" mode. Introduced 23 years ago to avoid
confusing users with FFS attributes that only experts should
fiddle with. Actual use has withered away with functionality
rendered moot or moved elsewhere.
'-e' remains for the truly obscure corner cases.
Simply excise the code for now to see if hidden users/uses are
exposed. Further simplifications are possible if no such
users/uses surface.
ok with sthen@ millert@ kn@ otto@
beck [Fri, 28 Apr 2023 08:43:18 +0000 (08:43 +0000)]
This test should not have V_EXPLICIT_POLICY set. with this
corrected we pass
beck [Fri, 28 Apr 2023 08:15:11 +0000 (08:15 +0000)]
Add the rest of the boringssl policy unit tests.
We currently still fail two of these, looks like one more bug in
extracting the depth for require policy from the certificate..
jmc [Fri, 28 Apr 2023 06:21:42 +0000 (06:21 +0000)]
escape the "D1" revisions, as mandoc thinks this is a macro call;
nicm [Fri, 28 Apr 2023 06:12:27 +0000 (06:12 +0000)]
Add options to change the confirm key and default behaviour of
confirm-before. From Elias Assaf in GitHub issue 3548; prompted by an
earlier change from Yutaro Yoshii in GitHub issue 3496.
nicm [Fri, 28 Apr 2023 05:59:35 +0000 (05:59 +0000)]
Do not fatal if tparm fails, instead just log it (not working sequences
are better than exiting).
phessler [Fri, 28 Apr 2023 05:13:37 +0000 (05:13 +0000)]
Add a driver for the Qualcomm rng device found on the Thinkpad X13s, based on
kettenis's amlrng driver.
suggestions and OK patrick@
kevlo [Fri, 28 Apr 2023 01:25:51 +0000 (01:25 +0000)]
sync
kevlo [Fri, 28 Apr 2023 01:24:51 +0000 (01:24 +0000)]
regen
kevlo [Fri, 28 Apr 2023 01:24:14 +0000 (01:24 +0000)]
Add support for RTL8188FTV chip to urtwn(4).
Tested with Comfast CF-WU710N v4.
"go ahead" deraadt@
OK stsp@
gnezdo [Thu, 27 Apr 2023 23:16:18 +0000 (23:16 +0000)]
Use __size_t which is available in syslog.h
Directly including sys/syslog.h would fail due to size_t
being unknown.
OK millert, miod
dv [Thu, 27 Apr 2023 22:47:27 +0000 (22:47 +0000)]
vmd(8): introduce multi-process model for virtio devices.
Isolate virtio network and block device emulation in dedicated
processes, forked and exec'd from the vm process. This allows for
tightening pledge promises to just "stdio".
Communication between the vcpu's and these devices now occurs via
imsg channels, which adds the benefit of not always blocking the
vcpu thread while emulating the device.
With this commit, it's possible that vmd is the first open source
hypervisor that *defaults* to a multi-process device emulation
model without requiring any additional configuration from the
operator.
Testing help from phessler@ and Mischa Peters.
ok mlarkin@
jmc [Thu, 27 Apr 2023 20:35:16 +0000 (20:35 +0000)]
add missing entries; ok miod
jmc [Thu, 27 Apr 2023 19:26:06 +0000 (19:26 +0000)]
add missing entries; ok miod
jmc [Thu, 27 Apr 2023 19:10:53 +0000 (19:10 +0000)]
add missing entries;
remove Tn macro usage;
feedback/ok miod
miod [Thu, 27 Apr 2023 19:06:57 +0000 (19:06 +0000)]
Mark the fan speed sensor as invalid when it reports -1 RPM. This happens for
a short while after suspend.
ok deraadt@ kn@
miod [Thu, 27 Apr 2023 19:01:01 +0000 (19:01 +0000)]
Better pcic(4) description.
robert [Thu, 27 Apr 2023 18:21:44 +0000 (18:21 +0000)]
add support for I/O statistics so that tape speeds can be observed with
iostat(8)
jmc [Thu, 27 Apr 2023 17:18:40 +0000 (17:18 +0000)]
sort options;
caspar [Thu, 27 Apr 2023 17:04:17 +0000 (17:04 +0000)]
arm64 install.md: fix softraid crypto installation on Mac
Make sure we don't newfs the EFI Sys partition on systems that have an
"apfsisc" partition in the case we're installing with softraid crypto.
Debugged with help from and came up with a fix with kn@
"go ahead" kettenis@
"no objections" krw@
OK kn@
phessler [Thu, 27 Apr 2023 16:56:52 +0000 (16:56 +0000)]
RFC 9096 changes the default timers for prefix preferred and valid lifetimes,
so update rad(8) to the new ones.
OK florian@
schwarze [Thu, 27 Apr 2023 16:48:53 +0000 (16:48 +0000)]
tiny wording tweak from Ted Bullock to make misunderstandings less likely;
OK jmc@
claudio [Thu, 27 Apr 2023 16:28:18 +0000 (16:28 +0000)]
Implement -V as an alias to --version.
From Martin Cracauer
OK kn@
beck [Thu, 27 Apr 2023 16:12:08 +0000 (16:12 +0000)]
Convert size_t's used in conjuction with sk_X509_num back to int.
The lets the regress in x509/policy pass instead of infinite looping.
The changes are necessry because our sk_num() returns an int with
0 for empty and -1 for NULL, wheras BoringSSL's returns a size_t with
0 for both an empty stack and a NULL stack.
pair work with tb@
ok tb@ jsing@
schwarze [Thu, 27 Apr 2023 16:10:11 +0000 (16:10 +0000)]
various markup tweaks, no content change; OK jmc@
schwarze [Thu, 27 Apr 2023 15:44:36 +0000 (15:44 +0000)]
various minor content corrections and improvements;
feedback and OK jmc@ and Ted Bullock
kettenis [Thu, 27 Apr 2023 15:06:35 +0000 (15:06 +0000)]
Remove efi32 and efi64. These are leftovers from a project that didn't go
very far and the presence of these directories just confuse people and
make them do more work than necessary.
ok patrick@, kn@, mlarkin@
schwarze [Thu, 27 Apr 2023 14:44:33 +0000 (14:44 +0000)]
Also list the command constants not associated with any macros,
and point to their documentation.
mvs [Thu, 27 Apr 2023 14:41:09 +0000 (14:41 +0000)]
Remove kernel lock from rtfree(9).
Route timers and route labels protected by corresponding mutexes. `ifa'
uses references counting for protection. rt_mpls_clear() could be called
lockless because this is the last reference of `rt'.
ok bluhm@ kn@
krw [Thu, 27 Apr 2023 14:19:28 +0000 (14:19 +0000)]
Retire -E's "expert" mode. Introduced 23 years ago to avoid
confusing users with FFS attributes that only experts should
fiddle with. Actual use has withered away with functionality
rendered moot or moved elsewhere.
'-e' remains for the truly obscure corner cases.
Simply excise the code for now to see if hidden users/uses are
exposed. Further simplifications are possible if no such
users/uses surface.
ok with sthen@ millert@ kn@ otto@
krw [Thu, 27 Apr 2023 13:52:58 +0000 (13:52 +0000)]
Temporarily workaround double calls into vioscsi_req_done()
causing NULL de-reference.
Reported, initial patch and tests by Antun Matanovic. Thanks!
ok miod@
beck [Thu, 27 Apr 2023 13:26:57 +0000 (13:26 +0000)]
correct test cases to add expected errors.
robert [Thu, 27 Apr 2023 12:27:56 +0000 (12:27 +0000)]
revert cache lookup for full pathnames
beck [Thu, 27 Apr 2023 12:23:31 +0000 (12:23 +0000)]
Start of an x509 policy regress test. test cases from BoringSSL.
Still a work in progress adapting tests from boringssl x509_test.cc
but dropping in here for tb to be able to look at and run as well
since the new stuff still has bugs.
kn [Thu, 27 Apr 2023 12:10:30 +0000 (12:10 +0000)]
Remove net lock from DIOCGETTIMEOUT
'pfctl -s timeouts' values are only used inside of pf, entirely protected
by the pf lock through the ioctl interface; the net lock is useless.
Previous attempts to remove net lock usage showed that the pf lock cannot
yet entirely replace it, so start with small pieces like this one.
Contrary to IPv4/6 read-only ioctls, some pf ioctls without FWRITE flag do
modify internal pf state, which is not entirely obvious when approached
from the ioctl layer.
OK sashan dlg
mvs [Thu, 27 Apr 2023 11:11:04 +0000 (11:11 +0000)]
Add `rttimer_mtx' to the locking description.
No functional changes.
tb [Thu, 27 Apr 2023 10:53:58 +0000 (10:53 +0000)]
tlsexttest: check additional logic in tlsext randomization
This verifies that we put PSK always last and that the Apache 2 special
does what it is supposed to do. There is also some weak validation of
the Fisher-Yates shuffle that will likely catch errors introduced in
tlsext_randomize_build_order()
kn [Thu, 27 Apr 2023 10:51:27 +0000 (10:51 +0000)]
zap APM_CANCEL, dead since import; OK tb
tb [Thu, 27 Apr 2023 10:50:37 +0000 (10:50 +0000)]
ssl_tlsext.c: Add an accessor for the tls extension type.
Needed for the tlsexttest.c
ok jsing
tb [Thu, 27 Apr 2023 10:43:47 +0000 (10:43 +0000)]
Somehow I managed not to bump LIBRESSL_VERSION_NUMBER
reported by aja
kn [Thu, 27 Apr 2023 10:03:49 +0000 (10:03 +0000)]
Treat crypto disk like the root disk, both are boot disks
Chosing [W]hole on a GPT disk means it needs non-default `-b' fdisk(8)
to account for existing EFI Sys partitions, whether it modifies an existing
GPT (Apple APFS ISC) or writing a new one.
With 'Encrypt the root disk?' answered postively, the crypto disk instead of
the root disk becomes the boot disk.
Extend the logic to both crypto and root disk, really asking
"is this a boot disk?".
with caspar
tb [Thu, 27 Apr 2023 09:49:44 +0000 (09:49 +0000)]
EC_KEY_{get,insert}_key_method_data() are no longer available
tb [Thu, 27 Apr 2023 09:47:03 +0000 (09:47 +0000)]
One more reciprocal thing hid in here (yay for consistent naming)
tb [Thu, 27 Apr 2023 09:45:56 +0000 (09:45 +0000)]
Remove stale references to BN reciprocal stuff
tb [Thu, 27 Apr 2023 09:44:40 +0000 (09:44 +0000)]
sync
tb [Thu, 27 Apr 2023 09:43:55 +0000 (09:43 +0000)]
Remove documentation of reciprocal BN which is now internal only
tb [Thu, 27 Apr 2023 09:39:52 +0000 (09:39 +0000)]
Remove documentation of GF2m point stuff
tb [Thu, 27 Apr 2023 09:35:20 +0000 (09:35 +0000)]
EC_GROUP_new() Strip out complications due to binary curves.
tb [Thu, 27 Apr 2023 09:11:40 +0000 (09:11 +0000)]
Remove stale reference to BN_GF2m_add()
tb [Thu, 27 Apr 2023 09:08:48 +0000 (09:08 +0000)]
sync
tb [Thu, 27 Apr 2023 09:08:08 +0000 (09:08 +0000)]
Remove BN_GF2m_add.3
kettenis [Thu, 27 Apr 2023 09:03:06 +0000 (09:03 +0000)]
Add support for (one of) the PCIe controllers on the RK3588 SoC. Since
MSIs don't work (yet) on this SoC, implement support for legacy interrupts
for the Rockchip SoCs. Also drop the restrictions on the bus number range
as the device tree I'm using has bus numbers start at 64 for the controller
in question.
ok patrick@, dlg@`
kettenis [Thu, 27 Apr 2023 09:00:03 +0000 (09:00 +0000)]
Fix config space access for the root bus of a dwpcie(4) controller when
the root bus number isn't zero.
ok patrick@, dlg@
kettenis [Thu, 27 Apr 2023 08:56:39 +0000 (08:56 +0000)]
Add RK3588 support.
ok patrick@, dlg@
kettenis [Thu, 27 Apr 2023 08:55:59 +0000 (08:55 +0000)]
Add some RK3588 PCIe related clocks.
Also add some RK3588 resets. Whoever reviewed the bindings on Linux gave
the brilliant advice that clock IDs and reset IDs should not in any way
have a sane mapping to the hardware registers, even though that is the
case on all older Rockchip SoCs and greatly simplifies the driver. So
now we need to implement pointless lookup code.
ok patrick@, dlg@
tb [Thu, 27 Apr 2023 08:47:04 +0000 (08:47 +0000)]
Remove mention of EC_GFp_nist_method and add back a .Pp that was
accidentally dropped
beck [Thu, 27 Apr 2023 08:37:53 +0000 (08:37 +0000)]
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
gerhard [Thu, 27 Apr 2023 08:33:59 +0000 (08:33 +0000)]
The ASIX AX88179A chipset does not work properly with the axen(4) driver.
For now switch it to cdce(4) until native support is provided by axen(4).
ok bentley@ stsp@
tb [Thu, 27 Apr 2023 08:07:26 +0000 (08:07 +0000)]
Remove braces around single lines statements using knfmt -s
Pointed out by anton
tb [Thu, 27 Apr 2023 08:04:40 +0000 (08:04 +0000)]
Rework simple allocation and free functions in x509_policy.c
Use calloc() instead of malloc/memset and make free functions look the
same as elsewhere in the tree.
ok beck jsing
claudio [Thu, 27 Apr 2023 07:57:25 +0000 (07:57 +0000)]
Reimplement output-json.c using json.c from bgpctl.
Much rejoice from tb@ and job@
OK tb@
tb [Thu, 27 Apr 2023 07:22:22 +0000 (07:22 +0000)]
Remove dangling references to BN_get0_nist_prime_521(3)
tb [Thu, 27 Apr 2023 07:10:05 +0000 (07:10 +0000)]
Move EC_POINT_{get,set}_Jprojective_coordinates to ec_local.h
tb [Thu, 27 Apr 2023 07:04:23 +0000 (07:04 +0000)]
Nuke doxygen noise
tb [Thu, 27 Apr 2023 07:01:45 +0000 (07:01 +0000)]
Remove documentation of no longer supported EC methods
tb [Thu, 27 Apr 2023 06:57:10 +0000 (06:57 +0000)]
Remove NIST prime documentation
tb [Thu, 27 Apr 2023 06:55:19 +0000 (06:55 +0000)]
sync
tb [Thu, 27 Apr 2023 06:54:09 +0000 (06:54 +0000)]
Stop installing NIST prime documentation
tb [Thu, 27 Apr 2023 06:48:47 +0000 (06:48 +0000)]
Remove a useless doxygen comment
claudio [Thu, 27 Apr 2023 06:11:43 +0000 (06:11 +0000)]
Unbreak regress after yesterdays churn.
Friendly reminder from anton@
anton [Thu, 27 Apr 2023 05:42:44 +0000 (05:42 +0000)]
cope with recent vmm changes
jmc [Thu, 27 Apr 2023 05:41:11 +0000 (05:41 +0000)]
- list some missing pci entries. dlg noticed some missing ones, and miod
worked out what was missing
- remove commented out entry to non-existent en(4) driver
- remove all instances of .Tn
ok miod dlg
kevlo [Thu, 27 Apr 2023 03:28:34 +0000 (03:28 +0000)]
Fix logic error in rtwn_r92e_get_txpower().
The RTL8192EU is up to two stream TX/RX (so MCS0->15).
ok stsp@
kevlo [Thu, 27 Apr 2023 03:19:45 +0000 (03:19 +0000)]
Whitespace fix
deraadt [Thu, 27 Apr 2023 03:06:17 +0000 (03:06 +0000)]
sync