Branch :
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
| 460b07dc | 2024-11-01 11:19:13 | Don't lowercase cert subjects when sorting; combined with perl foreach over a hash returning entries in random order, the order of "COMODO CA Limited" and "Comodo CA Limited" was switching randomly. This results in a bigger change of sort order now, but means that future changes will then be in a repeatable order. ok tb@ | ||
| 1ec25302 | 2024-11-01 10:05:18 | KNF | ||
| ebef3bc1 | 2024-11-01 09:30:12 | In sleep_finish() is the process state is SSTOP force a mi_switch(). A SIGSTOP delivered between sleep_setup() and sleep_finish() will just change the proc state to SSTOP and sleep_finis() needs to respect that and make sure the thread stays stopped until a SIGCONT is issued. OK mpi@ | ||
| 3612e128 | 2024-11-01 08:27:49 | Simplify name/prefix markup, readability tweak and cleanup Leave the notion of repition to ... and markup optional prefixes as such; 'name/prefix [name/prefix ...]' becomes 'name[/prefix] ...'. Also sync with unwind.conf.5 to fix curly braces and indentation. OK florian Input OK jmc | ||
| b71c73ce | 2024-11-01 05:20:58 | Move point_conversion_t conversion to API boundary EC_POINT_oct2point() is the only API that needs detailed knowledge about this incomplete enum. [Arguably, the setters for the EC_KEY and EC_GROUP member of that type would also need to be able to validate what's being set, but they can't since they can't fail.] Anyway. Add a helper that lets EC_POINT_oct2point() translate that enum to its internal representation at the API boundary and add a check that ensures that we only encode the point at infinity as the point at infinity. ok jsing | ||
| 5cae5e37 | 2024-11-01 05:10:40 | Garbage collect field_div() member. It was only used by EC2M. | ||
| a9b66696 | 2024-11-01 03:10:09 | sort | ||
| c2596b38 | 2024-11-01 02:52:22 | drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too From Mario Limonciello c79e0a18e4b301401bb745702830be9041cfbf04 in linux-6.6.y/6.6.59 ba1959f71117b27f3099ee789e0815360b4081dd in mainline linux | ||
| 20002c28 | 2024-11-01 02:49:27 | drm/amd: Guard against bad data for ATIF ACPI method From Mario Limonciello 975ede2a7bec52b5da1428829b3439667c8a234b in linux-6.6.y/6.6.59 bf58f03931fdcf7b3c45cb76ac13244477a60f44 in mainline linux | ||
| 6d0c4409 | 2024-11-01 02:47:51 | drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring From Srinivasan Shanmugam 65ca9f8ddc0d1e66770cd5c4a7555a7169dac0d8 in linux-6.6.y/6.6.59 e7457532cb7167516263150ceae86f36d6ef9683 in mainline linux | ||
| f5210b0e | 2024-11-01 02:07:14 | remove unused local variable | ||
| 9923fb39 | 2024-10-31 22:14:04 | track dhcp6leased uuid; OK florian | ||
| df04220d | 2024-10-31 15:42:47 | Drop the _oct from the function prefixes With the functions living in ec_convert now, the oct makes little sense. And ec_oct_oct2point() was too much for poor jsing to bear. requested by jsing | ||
| 9c3d9712 | 2024-10-31 15:37:53 | Retire the oct2point and point2oct EC_METHOD members Both our remaining EC_METHODs use the methods that used to be called ec_GFp_simple_{oct2point,point2oct}() so there's no need for the function pointer indirection. Make the public API call them directly. ok jsing | ||
| 86f778b9 | 2024-10-31 15:26:05 | Clean up the mess in i2d_EC_PRIVATEKEY() Use a few local variables to make the checks at the start slightly less unappealing. Use those to simplify the conditionals a bit and avoid a particularly silly exit code. ok is set unless ret is 0, so what do you think 'return (ok ? ret : 0);' returns? By the way, ret < 0 is an error as well. While most of the stuff in this file could use a lot more cleanup, I think the first layer of cockroaches has been exterminated and there's even some faint golden glimmer between the turds. Let's shelve the biohazard warnings for now. ok jsing | ||
| 90c07908 | 2024-10-31 15:07:49 | Clean up o2i_ECPublicKey() a is a stupid name for an EC_key, so is ret. Pull apart the tests at the start and check the length for negativity (long is always the wrong type). Switch to ec_point_from_octets() and let it determine the point conversion form rather than having yet another copy of the same ugly stanza. Set the form on the key using EC_KEY_set_conv_form() (which also affects the group on the key, so this is a slight change of behavior). Why on earth this function returns the EC_KEY passed in, I'll never know. ok jsing | ||
| 6c6bfa3c | 2024-10-31 14:58:22 | Rewrite i2o_ECPublicKey() Turn the function into single exit and use ec_point_to_octets() to avoid the point2oct dance. Ensure that the buf_len size_t doesn't get truncated by the int return. While we could avoid an allocation in case out == NULL, we don't do so. In case out != NULL and *out != NULL this API assumes *out has sufficient room, copies the result into it and advances *out past it. This is just asking for trouble (of course, i2d has the same misfeature). Don't use this if you can help it. Unfortunately, OpenSSH couldn't help it in at least one spot (that one's on BoringSSL's allocator not returning an allocated pointer that you can pass to free). We had to do it lest people run RedHat patches of dubious quality. For: FIPS the monkey must be pleased at all cost. ok jsing | ||
| 51d8761d | 2024-10-31 13:55:21 | Stop abusing ufs inodes and with it the ufs_ihash. Instead extend fusefs_node with the few required fields. Tested by kirill@ with input from miod@ OK beck@ | ||
| f4d46194 | 2024-10-31 13:37:44 | Use imsg_get_fd() to extract the fd from an imsg. OK tb@ | ||
| 030c498c | 2024-10-31 12:51:55 | No need to set pkthdr fields to 0 that are already 0. MGETHDR() does that. OK dlg@ | ||
| c0619985 | 2024-10-31 12:33:11 | Rewrite mbuf handling in wg(4). . Use m_align() to ensure that mbufs are packed towards the end so that additional headers don't require costly m_prepends. . Stop using m_copyback(), the way it was used there was actually wrong, instead just use memcpy since this is just a single mbuf. . Kill all usage of m_calchdrlen(), again this is not needed or can simply be m->m_pkthdr.len = m->m_len since all this code uses a single buffer. . In wg_encap() remove the min() with t->t_mtu when calculating plaintext_len and out_len. The code does not correctly cope with this min() at all with severe consequences. Initial diff by dhill@ who found the m_prepend() issue. Tested by various people. OK dhill@ mvs@ bluhm@ sthen@ | ||
| da76ba4d | 2024-10-31 11:41:31 | Drop forgotten backslashes within vxlan_input(). Seems they are stalled from macro copy-paste. No functional changes. ok mpi dlg | ||
| 78b7da88 | 2024-10-31 10:06:51 | Unlock fs_sysctl(). It is the only `suid_clear' variable - atomically accessed integer. ok bluhm | ||
| 16df6568 | 2024-10-31 07:40:34 | When decoding SVCB or HTTPS do not skip reading params in alias mode. According to the RFC, client shoud ignore them (which means actively skipping), but for dig it make sense to print them anyway. ok florian@ | ||
| dd517d5d | 2024-10-31 07:37:35 | Correct display stack pointer of the kernel core. From Yuichiro NAITO. ok asou | ||
| e2ea60ed | 2024-10-31 05:47:37 | ecp_oct.c no longer needs bytestring and stdint | ||
| 6201ced0 | 2024-10-31 05:03:57 | ec_point_to_octets: move out_len initialization up a bit | ||
| 713a145f | 2024-10-31 05:00:00 | try to simplify the locking code around busy maps. this is src/sys/uvm/uvm_map.c r1.331 again with a small fix to pass the right mutex to msleep when waiting for the busy proc pointer. vm_maps have a "feature" where they can mark that they're being operated on by a specific proc, and then release the rwlock protecting their state. to relock, you have to be the same proc that marked it busy. this diff tries to simplify it a bit. it basically has threads check the busy field up front and rechecks the busy field inside the rwlock. if you can sleep, it will sleep up front for the busy field to become clear, rather than sleep on either the busy field or the rwlock. some code paths clear the busy field without holding the rwlock, so it doesn't make sense to me to be waiting for the busy field but sleeping somewhere else. ok claudio@ | ||
| 5adad298 | 2024-10-30 20:00:13 | Expand the introductory comment with references to X9.62 and SEC 1 | ||
| 3c6d599c | 2024-10-30 18:33:26 | For AMD SEV automatically load psp(4) firmware during vmd(4) startup. When opening /dev/psp for the first time, load the SEV firmware located in /etc/firmware/amdsev/ optained via fw_update(8). The relevant file is determined by CPU family and model. If firmware files are not installed or the correct file could not be determined, PSP will be initialized using the on-chip firmware. Alternatively a BIOS upgrade could install a newer version. from hshoexer@; OK mlarkin@ | ||
| a2995a72 | 2024-10-30 18:21:12 | Move the point2bn and point2hex API to ec_convert.c discussed with jsing | ||
| 7eb727b1 | 2024-10-30 18:18:35 | Replace hardcoded 1U with EC_OCT_YBIT | ||
| bfe17d7b | 2024-10-30 18:16:34 | Move the GFp-specific point <-> octets functions to ec_convert.c discussed with jsing | ||
| 0d9d3ed1 | 2024-10-30 18:14:49 | Move public point <-> octets API to a new ec_convert.c discussed with jsing | ||
| 60b8dade | 2024-10-30 18:02:45 | readd IFCAP_VLAN_MTU and NVLAN checks ok bluhm@ | ||
| 5fc1fb23 | 2024-10-30 18:01:52 | Rewrite EC_POINT_bn2point() This is slightly asymmetric with EC_POINT_point2bn() and different from the other "print" functions since it has to deal with the asymmetry between BN_bin2bn() and BN_bn2bin() and allocate itself. Still, we can make this substantially shorter than it previously was. ok jsing | ||
| c3d44824 | 2024-10-30 17:54:54 | Add ec_point_from_asn1_bit_string() This is inverse to ec_point_to_asn1_bit_string(). Use it to simplify the ec_key_set_public_key() helper. ok jsing | ||
| 16c0f9f2 | 2024-10-30 17:53:28 | Add ec_point_from_asn1_octet_string() This is inverse to ec_point_to_asn1_octet_string() but again a lot simpler. Simplify ec_asn1_set_group_parameters() by using it. ok jsing | ||
| 36a0e83f | 2024-10-30 17:52:34 | Provide ec_point_from_octets() This is a wrapper that is the reverse of ec_point_to_octets(). It is a bit simpler since EC_POINT_oct2point() expects the point to be allocated already. It also hands back the correctly parsed point conversion form so that we don't have to do this by hand in a few places. ok jsing | ||
| 5f0f96a0 | 2024-10-30 17:51:35 | Rewrite BN_hex2point() This can do the reverse dance: chain BN_hex2bn() with EC_POINT_bn2point(). ok jsing | ||
| 52c926a1 | 2024-10-30 17:51:12 | For AMD SEV implement psp(4) download firmware command. Implement the command to load new firmware onto the chip. Will be used for automatic firmware loading. from hshoexer@; OK mlarkin@ | ||
| 32ba3905 | 2024-10-30 17:49:27 | Rewrite EC_POINT_point2hex() Instead of doing everything by hand, this can use EC_POINT_point2bn() and chain it with BN_bn2hex(), slashing the number of lines in half. This removes one of the ten remaining "01234567890ABCDEF" strings from libcrypto. Unfortunately, none of the nine others is used in an API that could convert the octet string directly, so we use that ugly detour via a bignum. Still it's better than what was there. ok jsing | ||
| a408a6f5 | 2024-10-30 17:36:22 | Rewrite EC_POINT_point2bn() While it makes little sens to place either one of the uncompressed, the compressed or the hybrid X9.62 octet string encoding of an elliptic curve point into a BIGNUM, it is what this API does. It's ec_point_to_octets() followed by BN_bin2bn(). ok jsing | ||
| be0e8945 | 2024-10-30 17:01:28 | Document /var/db/dhcp6leased/uuid. Input & OK kn, jmc, sthen | ||
| fbfcabea | 2024-10-30 16:22:33 | Install a copy of the UEFI bootloader in /efi/openbsd on the EFI system partition. This will allow us to create boot options for the firmware boot manager that other OSes won't interfere with. ok phessler@, tobhe@, kn@ | ||
| 71c71643 | 2024-10-30 15:00:12 | nope, gcc does not like the change | ||
| d87a8aba | 2024-10-30 10:36:28 | print pppoe tags as hex dumps rather than strvis-a-like'd text, unless they're tags where text is likely. strvis on random cookies is hard to read and compare, and it's easier to convert 0x05dc than \005\334 to 1500 for PPP-Max-Payload. ok claudio dlg | ||
| a910e6e5 | 2024-10-30 09:16:24 | Don't run through time checks when entry is definitely oversized. This leads to newsyslog rotating on (size OR time) if both are specified. Reported from Matthias Pitzl. with tweak from bluhm@ ok millert@ | ||
| e22ff83a | 2024-10-30 07:28:17 | remove unneeded conf.h include | ||
| 8ed3f981 | 2024-10-30 06:44:34 | ec_asn1_group2parameters: some spring cleaning Garbage collect the ok variable and some comments from captain obvious, wrap a long line and tidy up the exit path. | ||
| ed6382c6 | 2024-10-30 06:41:33 | ec_asn1_group2parameters: replace point with generator | ||
| b6e97aab | 2024-10-30 06:40:41 | ec_asn1_group2parameters: mechanically replace ret with parameters | ||
| a74a190b | 2024-10-30 06:16:27 | directly use dev_t for swdevt[], remove struct swdevt ok mpi@ miod@ | ||
| 47b15758 | 2024-10-30 06:12:47 | Provide ec_point_to_asn1_bit_string() This adds a specialized helper for creating an ASN.1 bit string out of an elliptic curve point (the public key) and use it in i2d_ECPrivateKey(). ok jsing | ||
| 3b23e801 | 2024-10-30 06:11:50 | Provide ec_point_to_asn1_octet_string() This adds a specialized helper for creating an ASN.1 octet string out of an elliptic curve point (the generator). Use this to simplify ec_asn1_group2parameters(). ok jsing | ||
| 08745fcb | 2024-10-30 06:10:35 | Add a convenience wrapper for EC_POINT_point2oct() EC_POING_point2oct() is annoying to use since its invocation involves two calls: one to determine the space to allocate and one to pass the buffer and perform the actual conversion. Wrap this dance in a helper with the correct signature. ok jsing | ||
| ae848adc | 2024-10-30 05:24:38 | CTL_VM defines moved from uvm_param.h to uvmexp.h | ||
| 4cfb78b5 | 2024-10-30 00:04:46 | Add fw_update pattern for AMD SEV firmware used with psp(4). from hshoexer@; input deraadt@ | ||
| 5641e477 | 2024-10-29 23:57:54 | move hfsc to using nanoseconds for keeping times. before it was using 256000000 things per second, so this isn't a huge change, but it can use nsecuptime() to get the time. kjc and cheloa like it ok claudio@ | ||
| 5873c738 | 2024-10-29 23:25:45 | use nsecuptime instead of using nanouptime and doing a bunch of maths. ok claudio@ | ||
| 44aabc17 | 2024-10-29 21:19:25 | We should always set the AP power state, so fold the rtkit_set_ap_pwrstate() call into rtkit_boot(). ok patrick@, tobhe@ | ||
| ff28563e | 2024-10-29 21:16:36 | Move psp(4) initialization from attach to device open. In preparation for automatic loading of the AMD SEV firmware, factor out the code that initializes the PSP. As the firmware must be loaded before the initialization, delay initialization to first use of the PSP. Initialization is triggered by opening /dev/psp for the first time. A later diff will add firmware loading in a similar way. Also provide a ioctl(2) for initialization. Not used right now. Will be later used by vmd(8) to reset the PSP. from hshoexer@; OK mlarkin@ | ||
| 1b590ae1 | 2024-10-29 21:03:09 | Include cdXX.iso in MDEXT on arm64 ok deraadt@ | ||
| 5ca31ee3 | 2024-10-29 13:19:22 | Split ec_key_test_point_encoding() into chunks of saner size | ||
| 3e38f438 | 2024-10-29 12:40:17 | remove unneeded includes | ||
| baad1f5d | 2024-10-29 12:35:37 | Fix logic to return CTL_RES_NOSUCHPEER. The RB_EMPTY check needs to be reversed since no error should be printed if there are no neighbors configured (yet). OK tb@ | ||
| 5e7f900d | 2024-10-29 08:42:05 | virtio_pci: Negotiate ACCESS_PLATTFORM feature Accepting VIRTIO_F_ACCESS_PLATFORM is required for SEV on KVM/qemu. We always use the standard pci access mechanisms of the architecture/platform we are running on. Therefore we should negotiate the VIRTIO_F_ACCESS_PLATFORM feature if it is offered. Strictly speaking we should bypass any existing IOMMUs if the host does not offer this feature, but this no regression and can be fixed later. feedback from kettenis@ | ||
| 2cbb9430 | 2024-10-29 08:23:07 | Change uvm_swapout_threads() to return the amound of freed pages. Note that currently that amount is calculated using the `uvmexp.free' global and might include pages freed by other threads. A better solution would be to modify pmap_collect(9) on all architectures that support it to return the number of reclaimed pages. ok kettenis@ | ||
| d08adcf0 | 2024-10-29 06:36:58 | eckey_compute_pubkey: don't leak the public key EC_KEY_set_public_key() sets a copy, so it doesn't take ownership and hence pub_key must not be nulled out on success. | ||
| 623f0795 | 2024-10-29 06:34:18 | ec_asn1_test: point doubling is fine, the leak is elsewhere (will be fixed shortly). | ||
| 472497ce | 2024-10-29 05:21:31 | Disable point doubling for now, it leaks due to a doc bug. Can't replace it with adding the point to itself since that also leaks (another doc bug). Who would've thought. | ||
| f1e51771 | 2024-10-29 04:57:33 | ec_asn1: zap an empty line | ||
| a89d01bb | 2024-10-29 03:17:10 | remove unused DPSECT DPCYL defines; ok deraadt@ | ||
| 2387e74e | 2024-10-28 21:20:30 | unifdef -m -DCORRECT_PRIV_KEY_PADDING=1 ec_asn1_test.c | ||
| 33a257f8 | 2024-10-28 19:58:23 | It helps to commit the actual test scripts... | ||
| d2ef00f2 | 2024-10-28 19:57:02 | relayd: add regress coverage for client certs From Sören Tempel | ||
| 92388dee | 2024-10-28 19:56:18 | relayd: add support for client certificates This feature has been requested many times over the years. Various patches were provided by Asherah Connor, Rivo Nurges, Markus Läll and maybe others. These patches always stalled for various reasons. From Sören Tempel, mostly based on Asherah's latest patch. ok florian tb | ||
| 80a776f5 | 2024-10-28 19:48:37 | share/man/man5/python-module.5: document MODPY_TEST_LINK_SO | ||
| 7216a88f | 2024-10-28 18:44:12 | Enable the tests that depend on correct private key padding | ||
| 105db4a9 | 2024-10-28 18:15:53 | Fix private key encoding in i2d_ECPrivateKey() The private key is a random integer between 1 and order - 1. As such it requires at most as many bytes as the order to encode. SEC 1, Section C.4 is very explicit about padding it to this length: The component privateKey is the private key defined to be the octet string of length [ceil(log_2 n/8)] (where n is the order of the curve) obtained from the unsigned integer via the encoding of Section 2.3.7. Fix this by generalizing a similar fix for field elements. ok jsing | ||
| 8ed1eeb6 | 2024-10-28 18:03:34 | d2i_ECPrivateKey: split public key setting into a helper If the public key is not part of the ECPrivateKey, it needs to be computed. Rather than doing this ad hoc inline, use the function from the ameth that already does this. If it is present, decode it after checking that its unused bits octet is zero. Again use the dedicated setter API to honor an eventual EC_KEY_METHOD. There remains a gross bit reading the point point conversion form out of the first octet of the bit string. This will go away in a later commit. ok jsing | ||
| 5cd26479 | 2024-10-28 18:01:26 | Expose eckey_compute_key() from ec_ameth This helper will be needed in a subsequent commit. ok jsing | ||
| db3d9c1a | 2024-10-28 17:59:45 | d2i_ECPrivateKey: split private key setting into a helper Contrary to domain parameters and public key, the private key most be part of the DER. Convert that to a BIGNUM and set it on the EC_KEY. Use the dedicated setter for this (which will possibly call the handler of the EC_KEY_METHOD) rather than doing this by hand. ok jsing | ||
| 640e7ef1 | 2024-10-28 17:58:18 | d2i_ECPrivateKey: split parameter setting into a helper In order to decode a private key, the group must be known in some way. Typically, the group is encoded in the EC domain parameters, preferably as a named curve (this is mandatory in PKIX per RFC 5480). However, the group could be absent because the domain parameters are OPTIONAL in the ECPrivateKey SEQUENCE. In that case the code falls back to the group that may already be set on the EC_KEY. Now there is no way to tell whether that group is the right one... In any case. Split this thing out of the body of d2i_ECPrivateKey() to make that function a bit less of an eyesore. ok jsing | ||
| 4657f7d8 | 2024-10-28 17:40:46 | Rename the EC_KEY in i2o_ECPublicKey() to ec_key | ||
| 30b07c58 | 2024-10-28 17:39:57 | Rename the EC_KEY in i2d_ECPrivateKey() to ec_key | ||
| e33374f9 | 2024-10-28 17:00:51 | ec_print.c: fix includes. It doesn't currently need ec_local.h, but it will soon, so leave it there. | ||
| 5bf24759 | 2024-10-28 16:27:14 | c2sp: run test against openssl/3.4 if it is installed | ||
| 3900f411 | 2024-10-28 14:16:39 | Set AP power state. Fixes the SMC initialization on (at least) the M1 MacBook with the latest system firmware. ok patrick@, jsg@ | ||
| 1760008a | 2024-10-28 14:14:04 | Improve RK_DEBUG debug code to also print the mailbox messages that we send. ok tobhe@ | ||
| 63555c12 | 2024-10-28 12:11:05 | Remove unnecessary pfctl cleanup in error_notify() | ||
| ca11a73e | 2024-10-28 12:06:14 | Add a dummy bgpctl command to check that bgpd is still running. This would have detected the pt_fill regression I introduced some time ago. | ||
| 8045fa89 | 2024-10-28 12:05:00 | Remove two fatalx calls in pt_fill since they are wrong. L3VPN withdraws don't carry a labelstack (see util.c::nlri_get_vpn4()). OK tb@ | ||
| 64293e57 | 2024-10-28 10:18:02 | Unlock KERN_ALLOWKMEM. The `allowkmem' is atomically accessed integer. Also use atomic_load_int(9) to load `securelevel'. sysctl_securelevel() is mp-safe, but will be under kernel lock until all existing `securelevel' loading became mp-safe too. ok mpi | ||
| e451d413 | 2024-10-28 08:25:32 | Change uvm_swapout_threads() to return the amound of freed pages. Note that currently that amount is calculated using the `uvmexp.free' global and might include pages freed by other threads. A better solution would be to modify pmap_collect(9) on all architectures that support it to return the number of reclaimed pages. ok kettenis@ | ||
| ad322953 | 2024-10-28 08:16:51 | Match tab cells when searching, from Alexander Arch in GitHub issue 4201. | ||
| 7a5fb1a8 | 2024-10-28 08:16:06 | Treat tabs as a word separator, from Alexander Arch in GitHub issue 4201. | ||
| 0460263c | 2024-10-28 08:11:59 | Fix issues in the command prompt: set PROMPT_QUOTENEXT after quoting than before, meaning that accidentally scrolling the mouse wheel doesn't break quoting; and move the cursor correctly over wide characters. From Alexander Arch in GitHub issue 4212. | ||
| 298e3ffd | 2024-10-27 22:08:25 | remove unused MSQID defines; ok mpi@ miod@ | ||
| 2fbfb15d | 2024-10-27 15:42:48 | Remove KERNEL_LOCK() dance around km_alloc(9) & km_free(9). Allocating VAs is done via uvm_map(9) which is safe to call without KERNEL_LOCK() since mmap(2) & friends have been marked NOLOCK. ok mvs@ |