openbsd
tb [Sat, 28 Jul 2018 15:25:23 +0000 (15:25 +0000)]
Remove NULL checks before (most) libcrypto *_free() functions.
From Ross L. Richardson, thanks!

ok deraadt

kettenis [Sat, 28 Jul 2018 13:59:08 +0000 (13:59 +0000)]
Make use of PCI_FLAGS_MSI_ENABLED such that drivers for hardware with broken
MSI support can selectively disable the use of MSI.

ratchov [Sat, 28 Jul 2018 09:11:55 +0000 (09:11 +0000)]
Move libsndio session cookie in its own $HOME/.sndio/ directory to
make libsndio easier to use with unveil(2).

"make sense" deraadt

ratchov [Sat, 28 Jul 2018 09:07:48 +0000 (09:07 +0000)]
Rename the sndiod unix domain socket to /tmp/sndio/sockN to avoid
wondering what are these "aucat" files in /tmp.

"make sense" deraadt

ratchov [Sat, 28 Jul 2018 08:11:08 +0000 (08:11 +0000)]
sync

ratchov [Sat, 28 Jul 2018 08:09:50 +0000 (08:09 +0000)]
Remove unused /dev/audio and /dev/audioctl symlinks.

ok deraadt

kettenis [Fri, 27 Jul 2018 21:11:31 +0000 (21:11 +0000)]
Use the MI interrupt enable/disable API instead of the MD one on amd64 and
remove the MD API.

ok guenther@, deraadt@, mpi@

rob [Fri, 27 Jul 2018 19:14:45 +0000 (19:14 +0000)]
Full stop.

schwarze [Fri, 27 Jul 2018 17:47:05 +0000 (17:47 +0000)]
garbage collect the unused "#define INDENT"

deraadt [Fri, 27 Jul 2018 16:29:36 +0000 (16:29 +0000)]
sync

deraadt [Fri, 27 Jul 2018 14:14:40 +0000 (14:14 +0000)]
sync

claudio [Fri, 27 Jul 2018 12:03:17 +0000 (12:03 +0000)]
log_info -> log_debug since this is debug noise.

markus [Fri, 27 Jul 2018 12:03:17 +0000 (12:03 +0000)]
avoid expensive channel_open_message() calls; ok djm@

bket [Fri, 27 Jul 2018 06:26:38 +0000 (06:26 +0000)]
Enable slaacctl(8) to print information on an advertised MTU.

OK florian@

bket [Fri, 27 Jul 2018 06:23:08 +0000 (06:23 +0000)]
Have slaacd(8) share information on receiving a MTU advertisement with
slaacctl(8).

OK florian@

bket [Fri, 27 Jul 2018 06:20:01 +0000 (06:20 +0000)]
Enable slaacd(8) to set MTU on an interface.

If a router advertisement message with the MTU option is received on an
interface slaacd will set the specified MTU on that interface.

Lots of help from florian@. Thank you!

OK florian@

bket [Fri, 27 Jul 2018 06:15:10 +0000 (06:15 +0000)]
Add SIOCSIFMTU to the wroute pledge.

This is required by, for example, slaacd(8) (which has been pledged) to
set MTU on an interface.

OK florian@, deraadt@

ratchov [Fri, 27 Jul 2018 05:48:59 +0000 (05:48 +0000)]
No need to test if pointer is NULL to call free(9). From
Michael W. Bombardieri. Thanks!

dtucker [Fri, 27 Jul 2018 05:34:42 +0000 (05:34 +0000)]
Now that ssh can't be setuid, remove the original_real_uid and
original_effective_uid globals and replace with calls to plain getuid().
ok djm@

jmc [Fri, 27 Jul 2018 05:23:24 +0000 (05:23 +0000)]
remove errant Ed added in previous;

dtucker [Fri, 27 Jul 2018 05:13:02 +0000 (05:13 +0000)]
Remove uid checks from low port binds.  Now that ssh cannot be
setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do the check. We leave
a sanity check for the !privsep case so long as the code is still
there.  with & ok djm@

jmatthew [Fri, 27 Jul 2018 04:57:45 +0000 (04:57 +0000)]
hds arrays can have more ports now, apparently; this lets theo use 4 paths
to his array rather than just 2.

ok dlg@

dtucker [Fri, 27 Jul 2018 03:55:22 +0000 (03:55 +0000)]
ssh(1) no longer supports being setuid root. Remove reference to crc32
which went with protocol 1.  Pointed out by deraadt@.

beck [Fri, 27 Jul 2018 01:44:19 +0000 (01:44 +0000)]
Don't double vput and panic after looking up "."

beck [Fri, 27 Jul 2018 01:41:39 +0000 (01:41 +0000)]
add regress for unveil of "." now that I fixed this

beck [Fri, 27 Jul 2018 01:38:02 +0000 (01:38 +0000)]
Make the BYPASSUNVEIL test actually test BYPASSUNVEIL with tmppath

benno [Thu, 26 Jul 2018 22:03:19 +0000 (22:03 +0000)]
note under which circumstances ospfd uses the route priofilter
to not receive all route messages, thus saving cpu time.
wording as suggested by jmc@
ok remi@ jmc@ claudio@

jmc [Thu, 26 Jul 2018 20:36:10 +0000 (20:36 +0000)]
Xr make-plist -> update-plist;

jmc [Thu, 26 Jul 2018 20:18:11 +0000 (20:18 +0000)]
zap a dot;

mestre [Thu, 26 Jul 2018 19:33:20 +0000 (19:33 +0000)]
zap whitespaces

mestre [Thu, 26 Jul 2018 19:32:52 +0000 (19:32 +0000)]
reduce pledge(2) to the bare minimum:
after dbopen(3) occurs then all operations are on fds which don't need
rpath/wpath and therefore spamdb(8) only needs stdio at all times after the DB
was already open(2)ed

great input from semarie@ OK deraadt@

deraadt [Thu, 26 Jul 2018 14:49:35 +0000 (14:49 +0000)]
sync

mestre [Thu, 26 Jul 2018 13:37:40 +0000 (13:37 +0000)]
add pledge(2) to quot(8):
- rpath to traverse the filesystem(s)
- getpw to figure out who owns what

OK tb@ deraadt@

kettenis [Thu, 26 Jul 2018 13:20:53 +0000 (13:20 +0000)]
Add infrastructure to install lld as the default linker.  The old GNU linker
will be installed as /usr/bin/ld.bfd on supported systems.  This allows
users to fall back on the old linker by using the -fuse-ld=bfd option on
systems where lld is the default linker.

Switch armv7 to use lld as the default linker.  On arm64 we already use lld
as the default linker.  Other platforms will keep using the GNU linker for
now.

ok patrick@, deraadt@, phessler@

rob [Thu, 26 Jul 2018 12:50:04 +0000 (12:50 +0000)]
Mention some missing libevent macros.

ok jmc@, benno@, "yes" deraadt@

patrick [Thu, 26 Jul 2018 10:59:07 +0000 (10:59 +0000)]
Add imxspi(4), a driver for the i.MX SPI controller.  This is the first
SPI controller in our tree.  Add a basic generic SPI infrastructure as
well.

ok kettenis@

patrick [Thu, 26 Jul 2018 10:55:26 +0000 (10:55 +0000)]
Implement calculating the SPI controller frequency in imxccm(4).

ok kettenis@

job [Thu, 26 Jul 2018 10:05:02 +0000 (10:05 +0000)]
Remove CPUID insn_length check

Don't allow unprivileged users to crash things from ring 3

Thanks to William McCall for the patch!

OK mlarkin@

jmc [Thu, 26 Jul 2018 06:49:08 +0000 (06:49 +0000)]
tweak previous; ok espie

jmatthew [Thu, 26 Jul 2018 04:56:57 +0000 (04:56 +0000)]
don't dump status iocbs twice

jmatthew [Thu, 26 Jul 2018 04:26:30 +0000 (04:26 +0000)]
remove "bad startup mboxes" printf - it never indicates a real problem,
and it always happens on 25xx controllers.

patrick [Wed, 25 Jul 2018 20:47:45 +0000 (20:47 +0000)]
Implement a MSGBUF control packet mechanism based on the command
request ids.  So far we were only able to have one command in flight
at a time and race conditions could easily lead to unexpected
behaviour.  With this rework we send and enqueue a control packet
command and wait for replies to happen.  Thus we can have multiple
control packets in flight and a reply with the correct id will wake
us up.

patrick [Wed, 25 Jul 2018 20:37:11 +0000 (20:37 +0000)]
On authentication we don't need to create the node before calling
the network stack since the stack will create the node for us if we
pass the ibss stack.  On assocation request the node already has to
exist, so we error out if we don't have a record of the node.  Fixes
hostap on 5 GHz channels, since now the node's channel is recorded
correctly.

jsing [Wed, 25 Jul 2018 18:04:09 +0000 (18:04 +0000)]
Provide a harness that runs test vectors from Project Wycheproof against
libcrypto. Initially this just covers RSA signatures, but can be extended
to cover other cryptographic algorithms.

This regress requires the go and wycheproof-testvector packages to be
installed, with the regress being skipped otherwise.

Discussed with beck@ and tb@

bluhm [Wed, 25 Jul 2018 17:24:14 +0000 (17:24 +0000)]
Document the spinning time of the CPU in systat(1) and top(1).
from Marcus MERIGHI; OK deraadt@ jmc@

deraadt [Wed, 25 Jul 2018 17:12:35 +0000 (17:12 +0000)]
Don't redefine Makefile choices which come correct from bsd.*.mk
ok markus

eric [Wed, 25 Jul 2018 16:00:48 +0000 (16:00 +0000)]
Implement a generic interface to forward resolver queries to the lka
process.  Use it for the reverse lookups required by smtp and mta.

Until now, DNS-related lookups were implemented using ad-hoc IMSGs
between the lka and other processes. It turns out to be confusing and
difficult to maintain/extend.  So we want to replace this with a better
set of IMSGs matching the standard resolver interface.

ok gilles@

gilles [Wed, 25 Jul 2018 15:24:26 +0000 (15:24 +0000)]
qmail advertizes a size of 0 as "no limit on data", fix SIZE handling in
mta_session.c

spotted by deraadt@ and benno@

cheloha [Wed, 25 Jul 2018 15:09:48 +0000 (15:09 +0000)]
Free operand copies after parsing.

We strdup operands before destructively parsing them to keep w(1) output
looking nice and neat, but after parsing we ought to free them.

We do need to keep copies for file paths, though, so add additional strdups
for operands if and of.

While here, use the preferred err(1, NULL) for an allocation failure.  Also
while here, don't assign `oper' to a copy of itself because it looks strange.

"sure." deraadt

deraadt [Wed, 25 Jul 2018 13:56:23 +0000 (13:56 +0000)]
fix indent; Clemens Goessnitzer

deraadt [Wed, 25 Jul 2018 13:19:28 +0000 (13:19 +0000)]
sync

beck [Wed, 25 Jul 2018 13:10:56 +0000 (13:10 +0000)]
Use the caller provided (copied) pwent struct in load_public_identity_files
instead of calling getpwuid() again and discarding the argument.
This prevents a client crash where tilde_expand_filename calls getpwuid()
again before the pwent pointer is used.
Issue noticed and reported by Pierre-Olivier Martel <pom@apple.com>
ok djm@ deraadt@

espie [Wed, 25 Jul 2018 12:44:55 +0000 (12:44 +0000)]
document -e

gilles [Wed, 25 Jul 2018 10:19:28 +0000 (10:19 +0000)]
delivery to a filename should be in mbox format otherwise it will lack the
^From separator and corrupt files

ok eric@

jasper [Wed, 25 Jul 2018 05:11:49 +0000 (05:11 +0000)]
s/resolver/nameserver/ to match parse.y -r1.4

yasuoka [Wed, 25 Jul 2018 02:18:36 +0000 (02:18 +0000)]
Fix the prefix length of the IP address in the error message which shows
failure of assigning requested IP address on IPCP, it was mistakenly "-1"
on little endians.  Found by IIJ.

kettenis [Tue, 24 Jul 2018 21:53:46 +0000 (21:53 +0000)]
Add support for the i2c controller on the Marvell ARMADA 7K/8K SoC as well.

ok patrick@

kettenis [Tue, 24 Jul 2018 21:52:38 +0000 (21:52 +0000)]
Add clock needed to support the i2c controllers on the Marvell ARMADA 7K/8K.

ok patrick@

kettenis [Tue, 24 Jul 2018 21:17:25 +0000 (21:17 +0000)]
regen

kettenis [Tue, 24 Jul 2018 21:16:59 +0000 (21:16 +0000)]
Add SanDisk/WD Black NVMe devices.

From Bryan Vyhmeister

deraadt [Tue, 24 Jul 2018 18:23:48 +0000 (18:23 +0000)]
sync

jasper [Tue, 24 Jul 2018 18:15:30 +0000 (18:15 +0000)]
add rad.conf example

ok florian@

brynet [Tue, 24 Jul 2018 17:31:23 +0000 (17:31 +0000)]
Do the same for i386 as amd64:

Add "Mitigation G-2" per AMD's Whitepaper "Software Techniques for
Managing Speculation on AMD Processors"

By setting MSR C001_1029[1]=1, LFENCE becomes a dispatch serializing
instruction.

ok deraadt@

patrick [Tue, 24 Jul 2018 16:11:33 +0000 (16:11 +0000)]
The I2C controller on the Allwinner hardware is actually a modified
Marvell controller.  The difference is essentially register offsets
and a clock divider calculation based on a power of two.  Also this
particular hardware needs a delay after sending a stop and before
reading the status register since apparently the data doesn't
propagate fast enough.  This makes sxitwi(4) work on the Marvell
Armada 38x.

ok kettenis@

kettenis [Tue, 24 Jul 2018 15:45:52 +0000 (15:45 +0000)]
Add support for the BCM4335/4339 SDIO chip to bwfm(4).  This one is a bit
slow booting up, so give it a bit longer to enable the clock.

ok patrick@

guenther [Tue, 24 Jul 2018 14:49:44 +0000 (14:49 +0000)]
Fix previous commit: the RSB refill bits change %rcx so it needed to be
given an input/output ASM constraint...but I made it output-only, so the
compiler deleted the initialization.

reported by many, starting with Edd Barrett (edd(at)theunixzoo.co.uk)

claudio [Tue, 24 Jul 2018 12:58:37 +0000 (12:58 +0000)]
Add some debug log messages telling which RIBs and peers get softreconfigured
during reload.
OK henning@

bcook [Tue, 24 Jul 2018 10:47:19 +0000 (10:47 +0000)]
add c++ symbol annotations

from Cameron Palmer

claudio [Tue, 24 Jul 2018 10:10:58 +0000 (10:10 +0000)]
Use prefix_nexthop() to access the nexthop instead of dereferencing the
field in asp directly. This is a step to move the prefix from rde_aspath
to struct prefix.
OK benno@

kn [Tue, 24 Jul 2018 09:48:04 +0000 (09:48 +0000)]
Move duplicate code into new helper print_addr_str()

This simply puts the wiggle around inet_ntop() from four into one location.

OK benno

kn [Tue, 24 Jul 2018 09:38:21 +0000 (09:38 +0000)]
Simplify getaddrinfo() error handling

`error' is not used so drop it and jump to the end.

OK sashan

kettenis [Tue, 24 Jul 2018 09:27:44 +0000 (09:27 +0000)]
Fix address calculation for _DYNAMIC.  We want the address of _DYNAMIC itself,
not the address of its GOT entry.  The current code mixed the high bits of
the GOT entry address with the low bits of the true address.  This only
worked by accident for small binaries where _DYNAMIC and its GOT entry
happen to reside on the same page.

ok guenther@, mortimer@

yasuoka [Tue, 24 Jul 2018 07:40:35 +0000 (07:40 +0000)]
When a GRE packet goes to "decline", the mbuf pointer was not updated
properly.  This had caused a panic when the mbuf pointer is updated.
Found by IIJ.

ok dlg

guenther [Tue, 24 Jul 2018 02:42:25 +0000 (02:42 +0000)]
Also do RSB refilling when context switching, after vmexits, and
when vmlaunch or vmresume fails.

Follow the lead of clang and the intel recommendation and do an lfence
after the pause in the speculation-stop path for retpoline, RSB refill,
and meltover ASM bits.

ok kettenis@ deraadt@

tb [Tue, 24 Jul 2018 02:01:34 +0000 (02:01 +0000)]
Use the same order in NAME, SYNOPSIS, DESCRIPTION, and RETURN VALUES to
improve readability and ease of maintenance.

Positive feedback jmc
Detailed suggestion & ok schwarze

rob [Tue, 24 Jul 2018 01:31:20 +0000 (01:31 +0000)]
Remove defunct prototype leftover from previous code cleanup.

ok tb@, claudio@

brynet [Mon, 23 Jul 2018 23:25:02 +0000 (23:25 +0000)]
Add "Mitigation G-2" per AMD's Whitepaper "Software Techniques for
Managing Speculation on AMD Processors"

By setting MSR C001_1029[1]=1, LFENCE becomes a dispatch serializing
instruction.

Tested on AMD FX-4100 "Bulldozer", and Linux guest in SVM vmd(8)

ok deraadt@ mlarkin@

cheloha [Mon, 23 Jul 2018 23:09:37 +0000 (23:09 +0000)]
Don't cast malloc(3) size to u_int.

Large buffer sizes on 64-bit platforms cause the sum to wrap, leading
read(2) to fail later.

We check prior to this point that all buffer sizes are <= SSIZE_MAX.
SSIZE_MAX * 2 < SIZE_MAX on all platforms, so the addition here will
not overflow and cause a similar issue.

Discovered by tobias@ a while back.

ok deraadt millert tobias

schwarze [Mon, 23 Jul 2018 22:51:24 +0000 (22:51 +0000)]
Remove more redundant element selectors where the class selector
is already sufficient.  John Gardner tells me that "CSS selectors
should only contain what's necessary to target their subjects".

schwarze [Mon, 23 Jul 2018 22:33:54 +0000 (22:33 +0000)]
replace the last instances of ex units by em;
recommended by John Gardner <gardnerjohng at gmail dot com>

bluhm [Mon, 23 Jul 2018 21:14:00 +0000 (21:14 +0000)]
Coverity CID 1470233 complains that the m != NULL check in
syn_cache_get() is not necessary.  Also make the abort label
consistent to resetandabort and free the mbuf there.
OK mpi@

jmc [Mon, 23 Jul 2018 19:53:55 +0000 (19:53 +0000)]
oops, failed to notice that SEE ALSO got messed up;

rob [Mon, 23 Jul 2018 19:51:39 +0000 (19:51 +0000)]
Add missing $OpenBSD$ CVS tag.

patrick [Mon, 23 Jul 2018 19:13:54 +0000 (19:13 +0000)]
The imxiomuxc(4) node itself can also contain a set of pins to
configure.  These are pins that should be configured to a sane
state and are not necessarily referenced by another node.

ok kettenis@

kn [Mon, 23 Jul 2018 19:02:49 +0000 (19:02 +0000)]
Point to glob in section 7 for the actual list of special characters instead
of the C API in section 3.

OK millert jmc nicm, "the right idea" deraadt

tb [Mon, 23 Jul 2018 18:30:29 +0000 (18:30 +0000)]
Document tls_peer_ocsp_result() and use it in place of the non-existent
tls_peer_ocsp_result_msg() in the documentation.

input & ok jsing
Reads fine to jmc and makes sense to schwarze

tb [Mon, 23 Jul 2018 18:24:22 +0000 (18:24 +0000)]
Use BN_swap_ct() instead of BN_consttime_swap() in
ec_GF2m_montgomery_point_multiply().  The new BN_swap_ct() API is an
improved version of the public BN_consttime_swap() function: it allows
error checking, doesn't assert(), and has fewer assumptions on the input.
This diff eliminates the last use of BN_consttime_swap() in our tree.

ok inoguchi, jsing

tb [Mon, 23 Jul 2018 18:14:32 +0000 (18:14 +0000)]
Use a size_t instead of an int for the byte count in BN_swap_ct().
Since bignums use ints for the same purpose, this still uses an int
internally after an overflow check.

Suggested by and discussed with jsing.
ok inoguchi, jsing

tb [Mon, 23 Jul 2018 18:07:21 +0000 (18:07 +0000)]
Clean up our disgusting implementations of BN_{,u}{add,sub}(), following
changes made in OpenSSL by Davide Galassi and others, so that one can
actually follow what is going on. There is no performance impact from
this change as the code still does essentially the same thing. There's
a ton of work still to be done to make the BN code less terrible.

ok jsing, kn

guenther [Mon, 23 Jul 2018 17:54:04 +0000 (17:54 +0000)]
Do "Return stack refilling", based on the "Return stack underflow" discussion
and its associated appendix at https://support.google.com/faqs/answer/7625886
This should address at least some cases of "SpectreRSB" and earlier
Spectre variants; more commits to follow.

The refilling is done in the enter-kernel-from-userspace and
return-to-userspace-from-kernel paths, making sure to do it before
unblocking interrupts so that a successive interrupt can't get the
CPU to C code without doing this refill.  Per the link above, it
also does it immediately after mwait, apparently in case the low-power
CPU states of idle-via-mwait flush the RSB.

ok mlarkin@ deraadt@

tb [Mon, 23 Jul 2018 17:37:17 +0000 (17:37 +0000)]
Implement RSASSA-PKCS1-v1_5 as specified in RFC 8017.
Based on an OpenSSL commit by David Benjamin.

Alex Gaynor and Paul Kehrer from the pyca/cryptography Python library
reported that more than 200 "expected to fail" signatures among Project
Wycheproof's test vectors validated on LibreSSL. This patch makes them
all fail.

ok jsing

commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836
Author: David Benjamin <davidben@google.com>
Date:   Sat Aug 20 13:35:17 2016 -0400

    Implement RSASSA-PKCS1-v1_5 as specified.

    RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
    the DigestInfo struct and then compare the result against the public key
    operation result. This implies that one and only one encoding is legal.

    OpenSSL instead parses with crypto/asn1, then checks that the encoding
    round-trips, and allows some variations for the parameter. Sufficient
    laxness in this area can allow signature forgeries, as described in
    https://www.imperialviolet.org/2014/09/26/pkcs1.html

    Although there aren't known attacks against OpenSSL's current scheme,
    this change makes OpenSSL implement the algorithm as specified. This
    avoids the uncertainty and, more importantly, helps grow a healthy
    ecosystem. Laxness beyond the spec, particularly in implementations
    which enjoy wide use, risks harm to the ecosystem for all. A signature
    producer which only tests against OpenSSL may not notice bugs and
    accidentally become widely deployed. Thus implementations have a
    responsibility to honor the specification as tightly as is practical.

    In some cases, the damage is permanent and the spec deviation and
    security risk becomes a tax all implementors must forever pay, but not
    here. Both BoringSSL and Go successfully implemented and deployed
    RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
    this change should be compatible enough to pin down in future OpenSSL
    releases.

    See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00

    As a bonus, by not having to deal with sign/verify differences, this
    version is also somewhat clearer. It also more consistently enforces
    digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
    wasn't quite doing this right.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
    GH: #1474

florian [Mon, 23 Jul 2018 17:25:52 +0000 (17:25 +0000)]
When moving between networks slaacd configures new addresses but
leaves old ones behind. The IPv6 RFCs don't seem to offer guidance on
what to do in this case. (RFC 5220 discusses related issues, but not
exactly this.)

It seems a bit harsh to just delete old addresses - a naive
implementation can easily lead to flip-flopping between two prefixes.

Instead set the preferred lifetime to 0 for all addresses on an
interface when the link goes down, thus marking addresses as
deprecated but still usable. When the link comes back send a router
solicitation. If we are still on the old network and receive a router
advertisement the preferred lifetime will increase and the addresses
will no longer be deprecated.

If we moved to a new network we will get new router advertisements and
form new addresses. The old ones will stay deprecated and the address
selection algorithm will prefer new addresses.

Problem reported by many.

testing & OK phessler

tb [Mon, 23 Jul 2018 17:15:21 +0000 (17:15 +0000)]
avoid using argv[0] for printing to stderr

florian [Mon, 23 Jul 2018 14:15:14 +0000 (14:15 +0000)]
add _rad user
OK tb, claudio

florian [Mon, 23 Jul 2018 12:05:50 +0000 (12:05 +0000)]
Remove rtadvd(8) rc script.

florian [Mon, 23 Jul 2018 12:04:46 +0000 (12:04 +0000)]
Remove rtadvd(8), it's time to switch to rad(8).

florian [Mon, 23 Jul 2018 11:57:56 +0000 (11:57 +0000)]
sync

florian [Mon, 23 Jul 2018 11:57:17 +0000 (11:57 +0000)]
Remove rtadvd(8) leftovers in etc.
OK deraadt, phessler

florian [Mon, 23 Jul 2018 11:56:02 +0000 (11:56 +0000)]
It's time to switch to rad(8); tested by many.
Unhook rtadvd from build.
OK deraadt, phessler

florian [Mon, 23 Jul 2018 11:54:49 +0000 (11:54 +0000)]
It's time to switch to rad(8); tested by many.
Remove rtadvd(8) from rc(8).
OK deraadt, phessler