openbsd
20 months agooops, overridden has two d's; apologies ajacoutot for not spotting that.
jmc [Sun, 5 Mar 2023 12:55:36 +0000 (12:55 +0000)]
oops, overridden has two d's; apologies ajacoutot for not spotting that.

20 months agoadjust documentation to explain tags, which are still there just in case
espie [Sun, 5 Mar 2023 10:41:59 +0000 (10:41 +0000)]
adjust documentation to explain tags, which are still there just in case

20 months agoValues for categories that are not set in the environment or that are overriden
ajacoutot [Sun, 5 Mar 2023 10:11:29 +0000 (10:11 +0000)]
Values for categories that are not set in the environment or that are overriden
by LANG or LC_ALL are displayed between double quotes.

wording by guenther@
ok kn@ jmc@

20 months agoAdd RK356x-specific initialization. Also initialize a few auto mode
kettenis [Sun, 5 Mar 2023 09:57:32 +0000 (09:57 +0000)]
Add RK356x-specific initialization.  Also initialize a few auto mode
related registers on all supported SoCs.  Makes rktemp(4) work on
RK356x with U-Boot.

ok jmatthew@

20 months agoFix mem and FILE leaks in moduli screening.
dtucker [Sun, 5 Mar 2023 09:24:35 +0000 (09:24 +0000)]
Fix mem and FILE leaks in moduli screening.

If multiple -Ocheckpoint= options are passed, the earlier ones would
be overwritten and leaked.  If we use an input file that wasn't stdin,
close that.  From Coverity CIDs 291884 and 291894.

20 months agoPlug mem leak in moduli checkpoint option parsing.
dtucker [Sun, 5 Mar 2023 08:18:58 +0000 (08:18 +0000)]
Plug mem leak in moduli checkpoint option parsing.
From Coverity CID 291894.

20 months agoRemove unused compat.h includes. We've previously removed a lot
dtucker [Sun, 5 Mar 2023 05:34:09 +0000 (05:34 +0000)]
Remove unused compat.h includes.  We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.

20 months agoMask off IPL flags before storing the IPL for an interrupt.
jmatthew [Sun, 5 Mar 2023 04:30:08 +0000 (04:30 +0000)]
Mask off IPL flags before storing the IPL for an interrupt.
This fixes the IPL calculations in mpic_calc_mask() in the presence
of IPL_MPSAFE interrupts such as mvneta(4).

ok patrick@ kettenis@ dlg@

20 months agoXt -> Xr
jsg [Sun, 5 Mar 2023 03:17:04 +0000 (03:17 +0000)]
Xt -> Xr

20 months agoAdd ytphy(4); pointed out by jmc@
kettenis [Sat, 4 Mar 2023 23:32:40 +0000 (23:32 +0000)]
Add ytphy(4); pointed out by jmc@

20 months agoDon't whine about invalid start/end values when
krw [Sat, 4 Mar 2023 23:09:15 +0000 (23:09 +0000)]
Don't whine about invalid start/end values when
starting to edit an unused GPT partition.

20 months agoTurns out the RK3566 has a different value in the GPIO_VER_ID register
kettenis [Sat, 4 Mar 2023 22:54:35 +0000 (22:54 +0000)]
Turns out the RK3566 has a different value in the GPIO_VER_ID register
than advertised in the RK3568.  This value is present in the Linux
driver and implies the new register layout.  So handle both values.
This makes GPIOs on the RK3566 actually work.

ok patrick@

20 months agoOn RK356x many devices need to be explicitly routed to use alternative pin
kettenis [Sat, 4 Mar 2023 22:51:12 +0000 (22:51 +0000)]
On RK356x many devices need to be explicitly routed to use alternative pin
muxings.  Implement support for this.

ok patrick@

20 months agoEnable ytphy(4) here too.
kettenis [Sat, 4 Mar 2023 22:48:00 +0000 (22:48 +0000)]
Enable ytphy(4) here too.

20 months agoytphy(4)
kettenis [Sat, 4 Mar 2023 22:44:27 +0000 (22:44 +0000)]
ytphy(4)

20 months agoAdd ytphy(4) to files.mii (forgotten in the previous commit).
kettenis [Sat, 4 Mar 2023 22:40:37 +0000 (22:40 +0000)]
Add ytphy(4) to files.mii (forgotten in the previous commit).
Fix year on my copyright.

20 months agoenable ytphy(4)
kettenis [Sat, 4 Mar 2023 22:36:15 +0000 (22:36 +0000)]
enable ytphy(4)

20 months agoAdd ytphy(4), a driver for the MotorComm YT8511 PHY.
kettenis [Sat, 4 Mar 2023 22:35:28 +0000 (22:35 +0000)]
Add ytphy(4), a driver for the MotorComm YT8511 PHY.

ok deraadt@

20 months agoUse ISC licence.
kettenis [Sat, 4 Mar 2023 22:34:37 +0000 (22:34 +0000)]
Use ISC licence.

ok deraadt@

20 months agoSync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
tobhe [Sat, 4 Mar 2023 22:22:50 +0000 (22:22 +0000)]
Sync proc.c from vmd(8) to enabled fork + exec for all processes. This gives
each process a fresh and unique address space to further improve randomization
of ASLR and stack protector.

ok bluhm@ patrick@

20 months agoopenssl enc doesn't really support AEAD ciphers and XTS mode
tb [Sat, 4 Mar 2023 21:58:54 +0000 (21:58 +0000)]
openssl enc doesn't really support AEAD ciphers and XTS mode

Do not display such ciphers in the usage display and error out if
they are given. As pointed out by Pauli Dale, the current situation
is confusing.

Fixes GH issues #786 and #819

ok jsing

20 months agoSimplify the consistency checks in old_dsa_priv_decode()
tb [Sat, 4 Mar 2023 21:42:49 +0000 (21:42 +0000)]
Simplify the consistency checks in old_dsa_priv_decode()

We have long had expensive checks for DSA domain parameters in
old_dsa_priv_decode(). These were implemented in a more complicated
way than necesary.

ok beck jsing

20 months agoEnforce a lower bound of of EC group order so 80 bits for ECDSA
tb [Sat, 4 Mar 2023 21:39:34 +0000 (21:39 +0000)]
Enforce a lower bound of of EC group order so 80 bits for ECDSA

This makes sure that the elliptic curve is not completely stupid.
This is conservative enough: the smallest named groups that we support
have an order of 112 bits.

ok beck jsing

20 months agoCap the number of iterations in ECDSA signing
tb [Sat, 4 Mar 2023 21:37:37 +0000 (21:37 +0000)]
Cap the number of iterations in ECDSA signing

ECDSA is essentially the same thing as DSA, except that it is slightly
less stupid. Signing specifies an infinite loop, which is only possible
with arbitrary ECDSA domain parameters. Fortunately, most use of ECDSA
in the wild is based on well-known groups, so it is known a priori that
the loop is not infinite. Still, infinite loops are bad. A retry is
unlikely, 32 retries have a probability of ~2^-8000. So it's pretty
safe to error out.

ok beck jsing

20 months agoCap the number of iterations in DSA signing
tb [Sat, 4 Mar 2023 21:30:23 +0000 (21:30 +0000)]
Cap the number of iterations in DSA signing

The DSA standard specifies an infinite loop: if either r or s is zero
in the signature calculation, a new random number k shall be generated
and the whole thing is to be redone. The rationale is that, as the
standard puts it, "[i]t is extremely unlikely that r = 0 or s = 0 if
signatures are generated properly."

The problem is... There is no cheap way to know that the DSA domain
parameters we are handed are actually DSA domain parameters, so even
if all our calculations are carefully done to do all the checks needed,
we cannot know if we generate the signatures properly. For this we would
need to do two primality checks as well as various congruences and
divisibility properties. Doing this easily leads to DoS, so nobody does
it.

Unfortunately, it is relatively easy to generate parameters that pass
all sorts of sanity checks and will always compute s = 0 since g
is nilpotent. Thus, as unlikely as it is, if we are in the mathematical
model, in practice it is very possible to ensure that s = 0.

Read David Benjamin's glorious commit message for more information
https://boringssl-review.googlesource.com/c/boringssl/+/57228

Thanks to Guido Vranken for reporting this issue, also thanks to
Hanno Boeck who apparently found and reported similar problems earlier.

ok beck jsing

20 months agoUse nitems() in the simple iterations over mbr->mbr_prt[].
krw [Sat, 4 Mar 2023 21:22:51 +0000 (21:22 +0000)]
Use nitems() in the simple iterations over mbr->mbr_prt[].

No intentional functional change.

20 months agoSmall readability tweak in old_dsa_priv_decode()
tb [Sat, 4 Mar 2023 21:08:14 +0000 (21:08 +0000)]
Small readability tweak in old_dsa_priv_decode()

Explicitly check against NULL and turn early return into goto err.

ok beck jsing

20 months agoCall dsa_check_keys() before signing or verifying
tb [Sat, 4 Mar 2023 21:06:17 +0000 (21:06 +0000)]
Call dsa_check_keys() before signing or verifying

We already had some checks on both sides, but they were less precise
and differed between the functions. The code here is messy enough, so
any simplification is helpful...

ok beck jsing

20 months agoAdd dsa_check_key() calls on DSA decoding
tb [Sat, 4 Mar 2023 21:02:21 +0000 (21:02 +0000)]
Add dsa_check_key() calls on DSA decoding

When decoding a public or a private key, use dsa_check_key() to ensure
consistency of the DSA parameters. We do not always have sufficient
information to do that, so this is not always possible.

This adds new checks and replaces incomplete existing ones. On decoding
the private key we will now only calculate the corresponding public key,
if the sizes are sensible. This avoids potentially expensive operations.

ok beck jsing

20 months agoProvide dsa_check_key()
tb [Sat, 4 Mar 2023 20:54:52 +0000 (20:54 +0000)]
Provide dsa_check_key()

This is a cheap check that ensures basid parameter consistency per
FIPS 186-4: 1 < g < q, that q has the allowed bit sizes 160, 224, 256
and that p is neither too small nor too large. Unfortunately, enforcing
the three allowed sizes for p is not possible since the default dsa key
generation has not respected this limitation.

Instead of checking that p and q are prime, we only check that they
are odd. Check that public and private keys, if set, are in the proper
range. In particular, disallow zero values.

Various versions of these checks have been added to the dsa code
over time. This consolidates and extends them and in a subsequent
commit wewill replace the incomplete checks. BoringSSL has a similar
function of the same name, thanks to David Benjamin for pointing it
out.

ok beck jsing

20 months agoProvide DSA_R_INVALID_PARAMETERS error code
tb [Sat, 4 Mar 2023 20:47:04 +0000 (20:47 +0000)]
Provide DSA_R_INVALID_PARAMETERS error code

This has been missing for a while already and will be used in a
few upcoming commits.

ok beck jsing

20 months agosync
deraadt [Sat, 4 Mar 2023 19:56:48 +0000 (19:56 +0000)]
sync

20 months agoMop up ECP_NISTZ256_ASM and OPENSSL_NO_EC_NISTP_64_GCC_128 leftovers.
jsing [Sat, 4 Mar 2023 14:53:23 +0000 (14:53 +0000)]
Mop up ECP_NISTZ256_ASM and OPENSSL_NO_EC_NISTP_64_GCC_128 leftovers.

This is `unifdef -m -DOPENSSL_NO_EC_NISTP_64_GCC_128 -UECP_NISTZ256_ASM`
and some manual tidy up.

20 months agomove to 7.3-beta
deraadt [Sat, 4 Mar 2023 14:49:36 +0000 (14:49 +0000)]
move to 7.3-beta

20 months agoToss in some const's to ensure that static data pointed to
krw [Sat, 4 Mar 2023 14:47:18 +0000 (14:47 +0000)]
Toss in some const's to ensure that static data pointed to
by function return values is not fiddled with.

No intentional functional change.

20 months agoRename field_data1 and field_data2.
jsing [Sat, 4 Mar 2023 14:38:00 +0000 (14:38 +0000)]
Rename field_data1 and field_data2.

Rather than pretending that these "generic" variables are used for multiple
things, rename them to reflect their actual usage and use appropriate types
instead of void *.

ok tb@

20 months agobio_chain test: fix error message
tb [Sat, 4 Mar 2023 12:13:11 +0000 (12:13 +0000)]
bio_chain test: fix error message

20 months agoexpand Nd (missed in previous); ok claudio
jmc [Sat, 4 Mar 2023 12:02:07 +0000 (12:02 +0000)]
expand Nd (missed in previous); ok claudio

20 months agoAvoid infinite loop in bio_asn1 state machine
tb [Sat, 4 Mar 2023 11:58:29 +0000 (11:58 +0000)]
Avoid infinite loop in bio_asn1 state machine

If the BIO_write() in the ASN1_STATE_DATA_COPY state fails, incorrect
error handling will break out of the switch without changing the state,
and the infinite for loop will immediately try the same write again,
which is unlikely to succeed... Clearly this code intended to break out
of the loop instead.

Via OpenSSL 1.1 commit 723f616df81ea05f31407f7417f49eea89bb459a

ok millert

20 months agopf(4) should be enforcing TTL=1 to packets sent to 224.0.0.1 only.
sashan [Sat, 4 Mar 2023 10:55:37 +0000 (10:55 +0000)]
pf(4) should be enforcing TTL=1 to packets sent to 224.0.0.1 only.
Issue found and kindly reported by Luca Di Gregorio <lucdig _at_ gmail>

OK bluhm@

20 months agoAdd mvortc(4) and mvodog(4) here too
jmatthew [Sat, 4 Mar 2023 10:42:26 +0000 (10:42 +0000)]
Add mvortc(4) and mvodog(4) here too

20 months agoproperly initialise LIST head
kn [Sat, 4 Mar 2023 09:03:34 +0000 (09:03 +0000)]
properly initialise LIST head

This worked because the global head variable is zero-initialised,
but one must not rely on that.

OK mvs claudio

20 months agoopenssl/req: garbage collect a pointless EVP_MD_CTX_init()
tb [Sat, 4 Mar 2023 06:25:42 +0000 (06:25 +0000)]
openssl/req: garbage collect a pointless EVP_MD_CTX_init()

Before do_sign_init(), the ctx is always allocated by EVP_MD_CTX_new()
aka calloc(). There is no point in doing EVP_MD_CTX_init(), aka bzero().

ok jsing

20 months agoUse time_t instead of u_int for remaining x11 timeout checks for 64bit
dtucker [Sat, 4 Mar 2023 03:22:59 +0000 (03:22 +0000)]
Use time_t instead of u_int for remaining x11 timeout checks for 64bit
time_t safety.  From Coverity CIDs 405197 and 405028, ok djm@

20 months agohandle polling when cold in tipmic_thermal_opreg_handler().
dlg [Sat, 4 Mar 2023 01:23:40 +0000 (01:23 +0000)]
handle polling when cold in tipmic_thermal_opreg_handler().

this allows me to boot if acpitz is using tipmic instead of getting
stuck. tipmic would spin on tsleep, which returns immediately with
0 when cold, waiting for a value to be set by the tipmic interrupt
handler. cos the box is cold the interrupt is masked, so the tsleep
loop never ended.

patrick@ helped me find this
ok kettenis@

20 months agotee(1): explicitly check read(2) return value for 0 and -1
cheloha [Sat, 4 Mar 2023 00:00:25 +0000 (00:00 +0000)]
tee(1): explicitly check read(2) return value for 0 and -1

20 months agoinitclocks: don't reinitialize ticks, jiffies at runtime
cheloha [Fri, 3 Mar 2023 20:16:44 +0000 (20:16 +0000)]
initclocks: don't reinitialize ticks, jiffies at runtime

Various drivers use ticks/jiffies before initclocks().  It isn't
generally safe to reinitialize them at runtime.  Hoist the conditional
definition of HZ from param.c into sys/kernel.h so we can see it from
kern_clock.c and statically initialize ticks/jiffies to the desired
offset.

With this change, timeouts scheduled before initclocks() do not all
fire immediately during the first softclock().

With input from kettenis@.

Link: https://marc.info/?l=openbsd-tech&m=167753870803378&w=2
20 months agoProcess accounting and lastcomm(1) can detect execve(2) violations
bluhm [Fri, 3 Mar 2023 16:22:57 +0000 (16:22 +0000)]
Process accounting and lastcomm(1) can detect execve(2) violations
of pinsyscall(2) policy.  Report such findings in daily mail like
other security violations.  User has to turn on accounting=YES in
rc.conf.local to utilize this feature.
OK deraadt@

20 months agoIn filemode, print the certification path towards the Trust Anchor
job [Fri, 3 Mar 2023 16:19:05 +0000 (16:19 +0000)]
In filemode, print the certification path towards the Trust Anchor

with and OK tb@

20 months agoUse EXTRACT_16BITS() in default_print() instead of handrolling it.
claudio [Fri, 3 Mar 2023 13:03:29 +0000 (13:03 +0000)]
Use EXTRACT_16BITS() in default_print() instead of handrolling it.
OK bluhm@

20 months agoEnsure ms_remain is always initialized, similar to what we do in
dtucker [Fri, 3 Mar 2023 10:23:42 +0000 (10:23 +0000)]
Ensure ms_remain is always initialized, similar to what we do in
ssh_packet_write_wait.  bz#2687, from jjelen at redhat.com.

20 months agoCheck for non-NULL before string comparison. From jjelen at redhat.com
dtucker [Fri, 3 Mar 2023 09:48:51 +0000 (09:48 +0000)]
Check for non-NULL before string comparison.  From jjelen at redhat.com
via bz#2687.

20 months agonamservers -> nameservers
jsg [Fri, 3 Mar 2023 08:08:15 +0000 (08:08 +0000)]
namservers -> nameservers

20 months agoguard against getsockname(-1, ...) from Coverity CID 291832
djm [Fri, 3 Mar 2023 05:00:34 +0000 (05:00 +0000)]
guard against getsockname(-1, ...) from Coverity CID 291832

20 months agosome options are not first-match-wins. Mention that there are
djm [Fri, 3 Mar 2023 04:36:20 +0000 (04:36 +0000)]
some options are not first-match-wins. Mention that there are
exceptions at the start of the manpage and label some of them in
the option description.

20 months agoactually print "channeltimeout none" in config dump mode;
djm [Fri, 3 Mar 2023 04:34:49 +0000 (04:34 +0000)]
actually print "channeltimeout none" in config dump mode;
spotted via Coverity CID 405022

20 months agoCheck return values of dup2. Spotted by Coverity, ok djm@
dtucker [Fri, 3 Mar 2023 03:12:24 +0000 (03:12 +0000)]
Check return values of dup2.  Spotted by Coverity, ok djm@

20 months agoUse time_t for x11_refuse_time timeout. We need SSH_TIME_T_MAX for
dtucker [Fri, 3 Mar 2023 02:37:58 +0000 (02:37 +0000)]
Use time_t for x11_refuse_time timeout.  We need SSH_TIME_T_MAX for
this, so move from misc.c to misc.h so it's available.  Fixes a Coverity
warning for 64bit time_t safety, ok djm@

20 months agoCheck return value from fctnl and warn on failure. Spotted by Coverity,
dtucker [Fri, 3 Mar 2023 02:34:29 +0000 (02:34 +0000)]
Check return value from fctnl and warn on failure.  Spotted by Coverity,
ok djm@

20 months agoSimplify the ct Makefile slightly
tb [Thu, 2 Mar 2023 21:17:35 +0000 (21:17 +0000)]
Simplify the ct Makefile slightly

20 months agoClean up the x509 regress make file a little
tb [Thu, 2 Mar 2023 21:15:14 +0000 (21:15 +0000)]
Clean up the x509 regress make file a little

20 months agoRemove a few more unnecessary line continuations
tb [Thu, 2 Mar 2023 21:08:14 +0000 (21:08 +0000)]
Remove a few more unnecessary line continuations

20 months agoNitpick error checks of BN_get_mem_data()
tb [Thu, 2 Mar 2023 21:07:21 +0000 (21:07 +0000)]
Nitpick error checks of BN_get_mem_data()

BN_get_mem_data() returns a non-positive long on error, so assigning
it to a size_t and displaying that in error messages is incorrect.

20 months agoSome more Makefile cosmetics
tb [Thu, 2 Mar 2023 20:45:11 +0000 (20:45 +0000)]
Some more Makefile cosmetics

The verbose evp test actually depends on the evptest binary. Use consistent
spacing and indentation.

20 months agoThe evp_ecx_test no longer needs static linking
tb [Thu, 2 Mar 2023 20:27:54 +0000 (20:27 +0000)]
The evp_ecx_test no longer needs static linking

20 months agoHide the hexdumps behind a verbose flags. Should have been part of
tb [Thu, 2 Mar 2023 20:24:51 +0000 (20:24 +0000)]
Hide the hexdumps behind a verbose flags. Should have been part of
the previous commit.

20 months agoSimplify evp test Makefile.
tb [Thu, 2 Mar 2023 20:22:46 +0000 (20:22 +0000)]
Simplify evp test Makefile.

Make evptest silent by default: these pages of hexdumps are useless noise.
Add a verbose target for debugging.

20 months agoevp_pkey_check: make this test silent on success
tb [Thu, 2 Mar 2023 20:18:40 +0000 (20:18 +0000)]
evp_pkey_check: make this test silent on success

20 months agoRemove a few unnecessary line continuations
tb [Thu, 2 Mar 2023 20:04:42 +0000 (20:04 +0000)]
Remove a few unnecessary line continuations

20 months agorestructure the page into one single list for all routing commands;
jmc [Thu, 2 Mar 2023 17:11:33 +0000 (17:11 +0000)]
restructure the page into one single list for all routing commands;
while there, whack anything either out of date or not useful

joint work with claudio

20 months agoimprove the Nd lines such that the format is consistent for the
jmc [Thu, 2 Mar 2023 17:09:52 +0000 (17:09 +0000)]
improve the Nd lines such that the format is consistent for the
various *d, *conf, *ctl files (where relevant) and simple;

also makes "man -k routing" more useful;

help from claudio and florian
ok claudio florian millert

20 months agosync
deraadt [Thu, 2 Mar 2023 17:08:02 +0000 (17:08 +0000)]
sync

20 months agoNo need to protect exports from SIGHUP, the handler just sets a flag.
millert [Thu, 2 Mar 2023 16:58:43 +0000 (16:58 +0000)]
No need to protect exports from SIGHUP, the handler just sets a flag.
The signal handlers in mountd.c were made safe in rev 1.34 from 2001.
OK bluhm@ kn@

20 months agoWhen parsing %s, the result should be in the local time zone.
millert [Thu, 2 Mar 2023 16:21:51 +0000 (16:21 +0000)]
When parsing %s, the result should be in the local time zone.
Based on a patch from enh@google.  OK tb@

20 months agorad_recv: verify length field in received auth_hdr_t before using it.
millert [Thu, 2 Mar 2023 16:13:57 +0000 (16:13 +0000)]
rad_recv: verify length field in received auth_hdr_t before using it.
Reported by Peter J. Philipp.  OK deraadt@

20 months agoadd arch to Dt
jsg [Thu, 2 Mar 2023 11:56:25 +0000 (11:56 +0000)]
add arch to Dt

20 months agomention eephy(4)
jsg [Thu, 2 Mar 2023 11:49:45 +0000 (11:49 +0000)]
mention eephy(4)
ok jmatthew@

20 months agoRemove SUDO in proxy command wrapper. Anything that needs sudo is
dtucker [Thu, 2 Mar 2023 11:10:27 +0000 (11:10 +0000)]
Remove SUDO in proxy command wrapper.  Anything that needs sudo is
already run by it, and it breaks if root isn't in sudoers.

20 months agomvodog(4) and mvortc(4)
jmatthew [Thu, 2 Mar 2023 10:07:18 +0000 (10:07 +0000)]
mvodog(4) and mvortc(4)

20 months agoEnable mvodog(4) and mvortc(4)
jmatthew [Thu, 2 Mar 2023 09:59:29 +0000 (09:59 +0000)]
Enable mvodog(4) and mvortc(4)

20 months agoAdd mvortc(4), a driver for the RTC on the ARMADA 38x series.
jmatthew [Thu, 2 Mar 2023 09:57:43 +0000 (09:57 +0000)]
Add mvortc(4), a driver for the RTC on the ARMADA 38x series.

ok kettenis@ patrick@

20 months agoAdd mvodog(4), a driver for the watchdog on the ARMADA 38x series.
jmatthew [Thu, 2 Mar 2023 09:56:52 +0000 (09:56 +0000)]
Add mvodog(4), a driver for the watchdog on the ARMADA 38x series.

ok kettenis@ patrick@

20 months agoAdd eephy(4), found on the Turris Omnia's WAN port
jmatthew [Thu, 2 Mar 2023 09:39:45 +0000 (09:39 +0000)]
Add eephy(4), found on the Turris Omnia's WAN port

20 months agoFix breakage on dhgex test.
dtucker [Thu, 2 Mar 2023 08:24:41 +0000 (08:24 +0000)]
Fix breakage on dhgex test.

This was due to the sshd logs being written to the wrong log file.
While there, make save_debug_logs less verbose, write the name of the
tarball to regress.log and use $SUDO to remove the old symlinks (which
shouldn't be needed, but won't hurt).  Initial problem spotted by anton@.

20 months agoQuote grep and log message better.
dtucker [Thu, 2 Mar 2023 08:14:52 +0000 (08:14 +0000)]
Quote grep and log message better.

20 months agoEnsure we always call fclose when writing checkpoints. In the case of
dtucker [Thu, 2 Mar 2023 06:41:56 +0000 (06:41 +0000)]
Ensure we always call fclose when writing checkpoints.   In the case of
an fprintf failure we would not call fclose which would leak the FILE
pointer.  While we're there, try to clean up the temp file on failure.
Spotted by Coverity, ok djm@

20 months agoFix potentially uninitialized use of variable fsb on error.
millert [Wed, 1 Mar 2023 23:27:46 +0000 (23:27 +0000)]
Fix potentially uninitialized use of variable fsb on error.
OK mbuhl@

20 months ago/etc/examples/iked.conf tweaks:
sthen [Wed, 1 Mar 2023 22:45:25 +0000 (22:45 +0000)]
/etc/examples/iked.conf tweaks:

- show a demo of a strong random string for psk, for some types of
configuration psk makes sense. the previous example hinted at.not
using it.

- change the EAP MSCHAPv2 example so that more than one client can
connect (previous used address config but with only a single address not
a pool), and use the newer keywords to show how to route all traffic
from dynamic-ip clients over the tunnel

ok tobhe@

20 months agoRemove old log symlinks before creating new ones. In -portable some
dtucker [Wed, 1 Mar 2023 21:54:50 +0000 (21:54 +0000)]
Remove old log symlinks before creating new ones.  In -portable some
platforms don't like overwriting existing symlinks.

20 months agoBogus full stop.
ajacoutot [Wed, 1 Mar 2023 17:27:45 +0000 (17:27 +0000)]
Bogus full stop.

20 months agoComment out glob for JSON webcrypto tests for now
tb [Wed, 1 Mar 2023 12:34:12 +0000 (12:34 +0000)]
Comment out glob for JSON webcrypto tests for now

Allows test to pass with the old version of the wycheproof-testvectors
package.

20 months agoLink evp/cipher_method_lib.c to the build
tb [Wed, 1 Mar 2023 11:28:30 +0000 (11:28 +0000)]
Link evp/cipher_method_lib.c to the build

ok jsing

20 months agoConvert EVP_CIPHER_meth_dup() to using calloc()
tb [Wed, 1 Mar 2023 11:27:37 +0000 (11:27 +0000)]
Convert EVP_CIPHER_meth_dup() to using calloc()

There is no reason for this to call EVP_CIPHER_meth_new(), as the flags
will be copied a line later anyway. Simplify this.

Requested by jsing

20 months agoMake cipher_method_lib.c compile with LibreSSL
tb [Wed, 1 Mar 2023 11:25:25 +0000 (11:25 +0000)]
Make cipher_method_lib.c compile with LibreSSL

OPENSSL_zalloc() -> calloc(), OPENSSL_free() -> free() and a few assorted
cosmetic tweaks to match our style better.

ok jsing

20 months agoAdd EVP_CIPHER_meth_* prototypes to evp.h
tb [Wed, 1 Mar 2023 11:17:22 +0000 (11:17 +0000)]
Add EVP_CIPHER_meth_* prototypes to evp.h

As usual, this will be guarded by LIBRESSL_INTERNAL || LIBRESSL_NEXT_API
until the next bump.

ok jsing

20 months agoMake the cleanup() method return an int again
tb [Wed, 1 Mar 2023 11:16:06 +0000 (11:16 +0000)]
Make the cleanup() method return an int again

This partially reverts jsing's OpenBSD commit b8185953, but without adding
back the error check that potentialy results in dumb leaks. No cleanup()
method in the wild returns anything but 1. Since that's the signature in
the EVP_CIPHER_meth_* API, we have no choice...

ok jsing

20 months agoFix line wrapping of function pointer arguments
tb [Wed, 1 Mar 2023 11:08:37 +0000 (11:08 +0000)]
Fix line wrapping of function pointer arguments

ok jsing

20 months agoFirst KNF approximation as per knfmt(1)
tb [Wed, 1 Mar 2023 11:07:25 +0000 (11:07 +0000)]
First KNF approximation as per knfmt(1)

ok jsing

20 months agoDrop the EVP_CIPHER_METH_get_* functions
tb [Wed, 1 Mar 2023 11:06:23 +0000 (11:06 +0000)]
Drop the EVP_CIPHER_METH_get_* functions

Nothing interesting uses them. There's a Debian SSH-1 module and
corresponding ncrack bits. That's not reason enough to have this
garbage.

ok jsing

20 months agoAdd RCS tag
tb [Wed, 1 Mar 2023 11:04:17 +0000 (11:04 +0000)]
Add RCS tag