IABSD.fr/src

Log

Author Commit Date CI Message
cead3da4 2024-12-09 12:49:15 sync
33885c32 2024-12-09 12:45:21 Mark four "struct *_st" types declared in evp.h as intentionally undocumented because they are intended as internal, and applications are supposed to use the documented aliases DH, DSA, EC_KEY, and RSA from ossl_typ.h instead.
9fcb7bae 2024-12-09 12:30:23 Mark four EVP_PKEY_GOST* constants as intentionally undocumented because they are completely unused by anything.
407e2246 2024-12-09 12:24:01 Implement RESINFO (RFC 9606) This is more or less a copy of txt_16.c. OK caspar
6b76ac2e 2024-12-09 12:18:38 Mark two symbols as intentionally undocumented that are obsolete after PBE was mostly removed from LibreSSL.
f0955a9c 2024-12-09 11:55:52 insert a forgotten .Dv macro
1b6b588e 2024-12-09 11:41:44 Mark four EVP control constants as intentionally undocumented that are only used for GOST.
49f9fe9c 2024-12-09 11:38:38 increaded -> increased
4594425f 2024-12-09 11:25:25 Mark the constants EVP_PK_*, EVP_PKS_*, and EVP_PKT_* as intentionally undocumented because they are only used by the function X509_certificate_type() which is deprecated and will eventually be deleted.
03bc5c0e 2024-12-09 10:53:54 Extend maxattr regress to also check RFC8654 extended messages.
82293aeb 2024-12-09 10:52:27 Bits for the new extended message capability (RFC8654). OK tb@
25cbba3a 2024-12-09 10:51:46 Add support for extended messages (RFC8654) This extends the maximum message size of BGP from 4096 to 65535. This mostly follows rfc8654 with the following differences: - NOTIFICATIONS are always truncated to fit in 4096 bytes. - There is no message reduction using "attribute discard" in case of overflow. - Large messages are only sent if both sides announced extended message support. OK tb@
aea0cfdd 2024-12-09 10:50:43 Mark EVP_CTRL constants for RC5 as intentionally undocumented because LibreSSL does not support RC5 and because these constants are almost unused in the wild.
eb49c7f0 2024-12-09 09:35:33 Further alignment with ath12k, including addition of bank profiles, removal of shadow timer, cookie configuration, updates to WMI and start of updates for buffer handling. This brings us forward: qwz0: wcn7850 hw2.0 fw 0x100301e1 address xx:xx:xx:xx:xx:xx qwz_dp_htt_htc_t2h_msg_handler: htt event 48 not handled
ca79b5ce 2024-12-09 04:46:11 Fix regdb firmware load. So far the code placed the board data as the regdb, which the firmware did not like. This adjusts the way we load and cache FW, and places the right data for the chip. This allows the WLAN FW to boot up properly.
09a673e5 2024-12-09 04:43:15 Minor cleanup of qwx(4) supported chips, some renaming.
380ecedd 2024-12-08 17:41:23 Move the algorithm-specific functions EVP_rc2_*(3) out of EVP_EncryptInit(3) and document them properly in their own manual page, including the control commands EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS that were so far undocumented. Arguably, the main benefit is another small step making the important, but still obese EVP_EncryptInit(3) manual page more palatable.
7afc621a 2024-12-07 21:12:22 Implement two-level (indirect) Device Table support to increase the range of DeviceIDs we can set up for translation. Peripherals capable of doing DMA/MSIs are supposed to show up with unique DeviceIDs. The Device Table maps the DeviceID to an Interrupt Translation Table. So far we only used a single contiguous block for the Device Table, but on some machines this does not cover the whole range of physical devices. Using the GIC's indirect mode allows to move to a two-level setup to increase the range. ok kettenis@
18d3f3c5 2024-12-07 20:48:32 MSIs don't work on the Qualcomm X1E machines in ACPI. So prevent agintcmsi(4) from attaching in this case such that an upcoming change to make it work (with DTB) on this hardware doesn't break the initial install. ok patrick@
60c30615 2024-12-07 19:22:15 Document the low-level rc2.h API. Not that this would be particularly important, but i had to look at the code anyway while completing the EVP documentation.
33d389b5 2024-12-07 17:23:27 sys/uvideo: add missed usbd_get_xfer_status Without usbd_get_xfer_status the code is built on the assumption that usbd_transfer always reads dwMaxPayloadTransferSize bytes from a device. If this assumption doesn't hold, it produces broken frames which have unexpected zeros. OK mglocker@ kn@
4ccb4605 2024-12-07 13:49:43 ec_mult: forgot to make one helper static
08f8d319 2024-12-07 13:32:07 Move initialization of sign out of the middle of bits handling
84a23681 2024-12-07 10:12:19 replace bespoke logging of MaxSessions enforcement with new ratelimited logging infrastructure. Add ratelimits to logging of connections dropped by PerSourcePenalties ok dtucker
cc7fda5d 2024-12-07 10:05:36 add infrastructure for ratelimited logging; feedback/ok dtucker
28676b80 2024-12-07 02:00:25 sync
f02897e8 2024-12-07 01:14:45 Embed scope-id when sending NA. Also, do it when the link state is up because the routing entry to the multicast address is not ready yet when the carp becomes master. ok florian
e6fc4d34 2024-12-06 16:25:58 use glob(3) wildcards in AuthorizedKeys/PrincipalsFile tests to exercise this feature; ok dtucker
747ebeda 2024-12-06 16:24:27 allow glob(3) patterns for sshd_config AuthorizedKeysFile and AuthorizedPrincipalsFile directives; bz2755 ok dtucker
5b6bbb3d 2024-12-06 16:21:48 support VersionAddendum in the client, mirroring the option of the same name in the server; bz2745 ok dtucker@
581c1d79 2024-12-06 16:02:12 clarify encoding of options/extensions; bz2389
9d4c47a8 2024-12-06 15:49:37 Rename ec_wNAF_mul() to ec_wnaf_mul() discussed with jsing
2380456e 2024-12-06 15:39:59 ec_mult: manage wNAF data in a struct This refactors the wNAF multiplication further and introduces a small API that manages the wNAF digits for bn and the multiples of digit * point in a single struct that is initialized and freed in two API calls in the main function, ec_wNAF_mul(). This way the main algorithm is no longer cluttered with logic to keep various arrays in sync, helper functions calculating the wNAF splitting of bn and multiples of the point do not need to deal with memory management, and a pair of accessors obviates previously missing bounds checking. At this point we have reached a relatively clean and straightforward wNAF implementation that fits precisely the purpose needed in libcrypto, i.e., ECDSA verification instead of being generalized and optimized to the max for no good reason apart from endowing the author with an academic degree. Popper's famous maxim "if you can't say it clearly, keep quiet, and keep working until you can" very much applies to code as well. In other words, shut up and hack (and don't pour too much energy into commit messages, tb). ok jsing
976a9bf1 2024-12-06 15:17:15 ignore SIGPIPE here; some downstreams have had this for years...
31527a04 2024-12-06 15:12:56 sync -o option lists with ssh.1; requested jmc@
3f6360fc 2024-12-06 15:01:01 Adjust the return type and value of EVP_MD_CTX_init(3) and EVP_CIPHER_CTX_init(3) after tb@ changed these to OpenSSL 1.1 semantics in evp.h rev. 1.124 on March 2 this year.
f1c41952 2024-12-06 14:27:49 Delete the manual pages EVP_PKEY_meth_new(3) and EVP_PKEY_meth_get0_info(3) because tb@ deleted almost all functions documented there from the API in evp.h 1.127 on March 2 this year, but move the functions EVP_PKEY_CTX_set_data(3) and EVP_PKEY_CTX_get_data(3) that we still support to EVP_PKEY_keygen(3), because that page already documents EVP_PKEY_CTX_set_app_data(3) and EVP_PKEY_CTX_get_app_data(3).
cb0afab4 2024-12-06 13:10:43 Delete the manual page EVP_PKEY_check(3). All three functions documented in this page were deleted from the API by tb@ in evp.h rev. 1.136 on August 31 this year.
957fef74 2024-12-06 12:51:13 Delete the manual page EVP_PKEY_asn1_new(3). All the functions documented in this page were deleted from the API by tb@ in evp.h rev. 1.126 on March 2 this year.
90c5a28a 2024-12-06 11:57:17 Provide a SHA-1 assembly implementation for amd64 using SHA-NI. This provides a SHA-1 assembly implementation for amd64, which uses the Intel SHA Extensions (aka SHA New Instructions or SHA-NI). This provides a 2-2.5x performance gain on some Intel CPUs and many AMD CPUs. ok tb@
0afdf006 2024-12-06 11:56:21 Explain what "EVP" is supposed to mean. It's so non-obvious that even i had to do some research to find out. Source: The file "doc/ssleay.doc" from SSLeay 0.8.1b, see for example OpenSSL commit d02b48c6 on Dec 21, 1998.
eb7387f6 2024-12-06 10:37:42 implement attestation verification for ED25519 keys
95980d08 2024-12-06 09:07:40 Preserve modifiers on backspace.
a1f482fe 2024-12-06 09:06:56 Do not write bracketed paste keys themselves if the pane has not asked for them.
59c41a17 2024-12-06 07:10:20 Fix previous and thus regress failures reported by anton Looks like I applied the diff to a dirty tree and didn't notice.
f6b91270 2024-12-06 07:05:54 Expand $SSH to absolute path if it's not already. Prevents problem later in increase_datafile_size if ssh is not in the path. Patch from quaresmajose via GHPR#510.
c05259c4 2024-12-06 06:55:28 Change "login again" to "log in again" in password change message. From ThinLinc-Zeijlon via github PR#532.
ce5fd5cb 2024-12-06 05:13:35 ec_asn1: update a comment to match reality
c9c3f1d6 2024-12-06 04:35:03 Set nid on group decoded from EC parameters We match curve parameters against the builtin curves and only accept them if they're encoding a curve known to us. After getting rid of the wtls curves, some of which used to coincide with secp curves (sometimes the wrong ones), the nid is unambiguous. Setting the nid has no direct implications on the encoding. This helps ssh avoid doing ugly computations during the key exchange for PEM keys using this encoding. ok djm joshua jsing
b56918e3 2024-12-05 22:45:03 catch up documentation: AES-GCM is preferred to AES-CTR
47e19253 2024-12-05 21:35:39 Query hardware for the button state such that we can detect the release even if we miss the press event. Change the driver such that wakeup is signalled when the button is pressed such that it matches what happens when wakeup is handled by the PMIC. ok patrick@
f88101f6 2024-12-05 19:57:37 Zap a trailing space
fa7ea966 2024-12-05 19:34:46 Make the DSS_prime_checks macro internal Rename it to DSA_prime_checks and add an XXX comment mentioning that we could reduce the number of rounds thanks to BPSW. There are no plans of changing that as DSA is on its way out. discussed with miod
66be9a58 2024-12-05 19:29:08 Remove the undocumented DSA_is_prime() macro It aliases BN_is_prime(), which was removed in April 2023. makes sense to miod
95240d2f 2024-12-05 15:12:37 document the #define'd constant PKCS5_SALT_LEN
50ad0749 2024-12-05 15:06:27 drop comments asking for documentation of three ASN1_PKEY_CTRL_CMS_* constants after these have been marked as intentionally undocumented; they are internal to the library and unused in the wild
3edd791e 2024-12-05 14:53:55 cursig() can return a normally ignored signal if the process is ptraced. So make sure that sleep_signal_check() returns ERESTART in that case so that the syscall is retried once ptrace intercepted the signal. This should fix unexpected EINTR returns of waitpid for processes that left SIGCHLD ignored (default). Not the perfect fix but a good enough bandaid to allow people to debug processes doing forks and waitpid calls. Problem reported and fix tested by stsp@ OK kettenis@ stsp@
c9baf540 2024-12-05 14:28:39 Add key expiry test in the 64bit time_t range for additional coverage. From Alexander Kanavin via bz#3684.
10e3f8f4 2024-12-05 14:01:59 Mark three EVP_PKEY control constants for CMS as intentionally undocumented that are internal to the library and unused in the wild
22653340 2024-12-05 10:58:12 mark three more EVP_PKEY control constants as intentionally undocumented that are only intended for internal use and unused in the wild
ca8f9820 2024-12-05 10:52:45 ignore DECLARE_PKCS12_STACK_OF such that pkcs12.h can be parsed
fa261809 2024-12-05 09:55:50 add missing vlan.h header to ice(4) and fix build; spotted by jsg@ tested with vlan(4) on top of ice(4) between openbsd and freebsd ok jsg@
54c49492 2024-12-05 07:35:46 Apply a little bit of lipstick to PKCS7 Makes the setting and getting of detached signatures more symmetric and avoids a NULL access. ok jsing
14d17660 2024-12-05 06:49:26 De-magic the x11 base port number into a define. ok djm@
0a9ac282 2024-12-05 06:47:00 Prevent integer overflow in x11 port handling. These are theoretically possible if the admin misconfigures X11DisplayOffset or the user misconfigures their own $DISPLAY, but don't happen in normal operation. From Suhov Roman via bz#3730, ok djm@
dac6e075 2024-12-04 22:48:41 Push locking down to udp_sysctl(). No locks required for per-CPU counters based protocol statistics. Atomically accessed `udpctl_vars' variables are already moved from the net lock, sysctl(2) related locks are useless for them. Complicated UDPCTL_BADDYNAMIC and UDPCTL_ROOTONLY cases were left as is. ok bluhm
854a7367 2024-12-04 22:24:11 Push locking down to icmp_sysctl(). Keep locking only for ICMPCTL_REDIRTIMEOUT case. It is complicated, so left it as is. ICMPCTL_STATS loads per-CPU counters into local data, so no locking required. `icmpctl_vars' are atomically accessed integers. Except `icmperrppslim' they are simply booleans, so nothing special required. Used the local `icmperrppslim_local' variable to load `icmperrppslim' value because it could have negative values. claudio@ proposed to always load such values to local variables, so I want to try this notation. ok bluhm
aaa88f3d 2024-12-04 20:07:16 Use ASIdentifiers rather than struct ASIdentifiers_st This matches the other members of X509 and is what's used everywhere else. ok miod
6338d89d 2024-12-04 19:11:15 Fix backspace option for new key format, GitHub issue 4284.
b9b60940 2024-12-04 18:20:46 Unlock gre_sysctl(). Both `gre_allow' and `gre_wccp' are atomically accessed integers. They could have only '0' and '1' values, so no extra dances around atomic_load_int(9) required. ok bluhm
a8b9d729 2024-12-04 16:42:49 add a work-in-progress tool to verify FIDO attestation blobs that ssh-keygen can write when enrolling FIDO keys.
b5d1cb3f 2024-12-04 16:17:31 Update references for recent RPKI specifications
8823bb00 2024-12-04 14:37:55 sync the list of options accepted by -o with ssh_config.5 prompted by bz3455
e2c061ec 2024-12-04 14:24:20 don't screw up ssh-keygen -l output when the file contains CR characters; GHPR236 bz3385, fix from Dmitry Belyavskiy
52e728d0 2024-12-04 13:16:26 use kmem(4) instead of "all memory" which has more information about what exactly is allowed, and specifically refers to allowkmem (and that it permits both /dev/mem and /dev/kmem). discussed with deraadt
550a1cbd 2024-12-04 13:14:45 Another now unused perlasm script can bite the dust.
a61493a0 2024-12-04 13:13:33 Provide a replacement assembly implementation for SHA-1 on amd64. As already done for SHA-256 and SHA-512, replace the perlasm generated SHA-1 assembly implementation with one that is actually readable. Call the assembly implementation from a C wrapper that can, in the future, dispatch to alternate implementations. On a modern CPU the performance is around 5% faster than the base implementation generated by sha1-x86_64.pl, however it is around 15% slower than the excessively complex SSSE2/AVX version that is also generated by the same script (a SHA-NI version will greatly outperform this and is much cleaner/simpler). ok tb@
960594bd 2024-12-04 10:51:13 Don't assume existence of SK provider in test. Patch from balu.gajjala at gmail via bz#3402.
9b8b48b5 2024-12-04 10:14:14 Mention kern.allowdt and kern.allowkmem in examples/sysctl.conf. From espie, ok claudio mpi
04521d92 2024-12-04 09:50:52 Annotate WTLS7 as being wrong This should really have been using SECP 160R2, not SECP 160R1. Of course this means in particular that nobody ever used this curve, at least not against another implementation than OpenSSL. Quasi-monocultures are poisonous whether the monopolist is benevolent and competent or not.
8ce4994e 2024-12-04 09:37:33 Disallow enabling the same probe multiple times. From Christian Ludwig.
28965832 2024-12-04 09:35:21 Regression for multiple probes.
ffce2a54 2024-12-04 09:33:41 Disallows registering multiple probes of the same type. If a bt(5) script uses the same probe multiple times (like interval:hz), btrace(8) has currently no knowledge of which rule to execute when it parses events read from the kernel. Disable the functionality until someone in need of such feature comes up with a nice implementation. From Christian Ludwig.
07c549d8 2024-12-04 09:21:06 Document that the original page during a CoW can be unlocked earlier. ok tb@
335383c9 2024-12-04 09:19:11 Pass the rw_enter(9) type to amap_lock() in preparation for using shared locks. ok tb@
e8e63f68 2024-12-04 08:14:34 Fix up authority and subject key identifiers in force pubkey mode Upstream decided that this nonsense was worth an ABI break and added stuff to the X509_CTX so they could hang the issuer's public key off it so that they could adjust the key identifiers as needed. Let's avoid that and do it the slightly less nasty way by updating the AKI and SKI as needed. We only do this when force pubkey is in place so we don't change the semantics of the batshit crazy config language that nobody understands. ok job
ddff58c9 2024-12-04 07:58:51 Fix debug output for http headers from Kenjiro Nakayama
ca433cef 2024-12-04 06:01:23 Bump datasize-cur for the pbuild user on sparc64 so that we can build llvm 18. ok sthen
3bb7d5b0 2024-12-03 22:30:03 spelling; ok djm@
ff0ccef3 2024-12-03 19:14:40 vio: Unlock, switch to qstart function Run without kernel lock. Use the network stack functions used for multiqueue, but still only run on one queue. Add a virtio interface for an interrupt barrier. This is the reverted diff plus a missing chunk. Tested by dtucker, bluhm, sf
8aa1e807 2024-12-03 16:27:53 Remove fallback to compiled-in group for dhgex when the moduli file exists, but does not contain moduli within the client-requested range. The fallback behaviour remains for the case where the moduli file does not exist (typically, running tests prior to installing). From bz#2793, based in part on patch from Joe Testa, ok djm@
773a7280 2024-12-03 15:53:51 Remove redundant field of definition check This will allow us to get rid of EC_GROUP_method_of() in the near future. ok djm
dab7a176 2024-12-03 14:51:09 Add more checks for router keys OK tb@
7aa51159 2024-12-03 14:41:45 Remove the FUSE hack in ufs_ihashget() it is no longer needed. FUSE switched away from the horrible ufs inode abuse and so this is no longer reached. OK millert@ tb@ miod@
b67e94d2 2024-12-03 14:12:47 Improve description of KbdInteractiveAuthentication. Based on bz#3658, fixes jmc@ ok markus@ djm@.
3a99c822 2024-12-03 13:46:53 Only set the SO_RCVBUF and SO_SNDBUF on the socketpair to what we want. Do not retry if that fails hoping for a different result. OK tb@ kn@
4cbd027d 2024-12-03 12:50:16 Revert the new rwlock implementation for now. vfs_busy() uses RW_SLEEPFAIL in a broken way. It is possible that the object holding the rwlock is freed while other processes are sleeping on this lock. This worked before by luck and no longer does now since part of the struct needs to be updated after the sleep. vfs_busy() needs to be fixed but that will take a bit of time. OK dlg@
ac44f262 2024-12-03 11:18:34 M-1 to M-7 for 7 preset layouts; from bunkmate ok nicm
f934cab5 2024-12-03 11:15:44 refer to glob(7) rather than fnmatch(3); from evan silberman ok sthen semarie millert nicm
5ffbcedb 2024-12-03 10:38:06 Add /rib/in and /rib/out as endpoints to query the Adj-RIB-In and Adj-RIB-Out respectively. Also fix the rib query parameter to properly work. bgpctl calls this table. OK sthen@