CVS: cvs.openbsd.org: src

2019-11-14 Thread Otto Moerbeek
CVSROOT: /cvs
Module name: src
Changes by: o...@cvs.openbsd.org 2019/11/14 23:08:21

Modified files:
sbin/unwind: resolver.c 

Log message:
Improve readability by using a typedef for the callback type; ok florian@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 23:00:20

Modified files:
usr.bin/ssh: moduli.c sk-usbhid.c sshbuf-getput-crypto.c 
 sshkey.c 

Log message:
remove most uses of BN_CTX

We weren't following the rules re BN_CTX_start/BN_CTX_end and the places
we were using it didn't benefit from its use anyway. ok dtucker@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 22:37:27

Modified files:
usr.bin/ssh: ssh-agent.c 

Log message:
unshield security key privkey before attempting signature in
agent. spotted by dtucker@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Theo de Raadt
CVSROOT: /cvs
Module name: src
Changes by: dera...@cvs.openbsd.org 2019/11/14 22:26:56

Modified files:
usr.bin/ssh: sk-usbhid.c 

Log message:
rewrite c99-ism



CVS: cvs.openbsd.org: src

2019-11-14 Thread Theo de Raadt
CVSROOT: /cvs
Module name: src
Changes by: dera...@cvs.openbsd.org 2019/11/14 22:25:52

Modified files:
usr.bin/ssh: Makefile.inc 

Log message:
only clang understands those new -W options



CVS: cvs.openbsd.org: src

2019-11-14 Thread Jonathan Gray
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2019/11/14 21:23:25

Modified files:
share/man/man3 : intro.3 

Log message:
add libcbor and libfido2
ok djm@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 21:12:32

Modified files:
usr.bin/ssh: ssh-agent.c 

Log message:
don't consult dlopen whitelist for internal security key provider;
spotted by dtucker@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 20:41:57

Modified files:
usr.bin/ssh: sk-usbhid.c 

Log message:
U2F tokens may return FIDO_ERR_USER_PRESENCE_REQUIRED when probed to
see if they own a key handle. Handle this case so the find_device()
look can work for them. Reported by Michael Forney



CVS: cvs.openbsd.org: src

2019-11-14 Thread Theo de Raadt
CVSROOT: /cvs
Module name: src
Changes by: dera...@cvs.openbsd.org 2019/11/14 20:19:40

Modified files:
lib/libcbor: Makefile 
lib/libfido2   : Makefile 

Log message:
our older gcc requires forced -std=c99



CVS: cvs.openbsd.org: src

2019-11-14 Thread Theo de Raadt
CVSROOT: /cvs
Module name: src
Changes by: dera...@cvs.openbsd.org 2019/11/14 20:18:45

Modified files:
distrib/sets/lists/comp: mi 

Log message:
sync



CVS: cvs.openbsd.org: src

2019-11-14 Thread Theo de Raadt
CVSROOT: /cvs
Module name: src
Changes by: dera...@cvs.openbsd.org 2019/11/14 20:10:21

Modified files:
etc/etc.amd64  : disktab 
distrib/amd64/iso: Makefile 

Log message:
grow an install media



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 19:38:07

Modified files:
usr.bin/ssh: ssh-agent.c 

Log message:
show the "please touch your security key" notifier when using the
(default) built-in security key support.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 19:37:24

Modified files:
usr.bin/ssh: sshconnect2.c 

Log message:
close the "touch your security key" notifier on the error path too



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 19:20:06

Modified files:
usr.bin/ssh: sk-usbhid.c 

Log message:
correct function name in debug message



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 17:32:40

Modified files:
usr.bin/ssh: readpass.c 

Log message:
follow existing askpass logic for security key notifier: fall back
to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable
is set.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Jonathan Gray
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2019/11/14 17:06:46

Modified files:
usr.bin/usbhidctl: Makefile 
share/mk   : bsd.README bsd.prog.mk 

Log message:
libusb was renamed to libusbhid in 2001 but the old DPADD var name was
kept.  Rename LIBUSB to LIBUSBHID as there is only one LIBUSB use and
many more attempts to refer to LIBUSBHID.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Jeremie Courreges-Anglas
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2019/11/14 16:48:37

Modified files:
usr.bin/ftp: fetch.c 

Log message:
HTTP/1.1 for ftp(1)

Some sites in ports start to reject HTTP/1.0 requests.  Let's move on
and implement HTTP/1.1.  Should fit in ramdisks.

ok sthen@ tb@
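The commit above only says that ftp(1) now speaks HTTP/1.1. One capability an HTTP/1.0-only client has to add for that is decoding of the chunked transfer coding, which is also a classic place for length-handling bugs. The following is an added example written for this digest, not code from ftp(1) or from the commit; the 1 MiB per-chunk cap and the sample bodies are constructed here, and whether the ftp(1) change implements chunked decoding this way is not stated by the commit message.

```c
/* Added example, not the ftp(1) source: a bounded decoder for the HTTP/1.1
 * chunked transfer coding (RFC 7230 section 4.1). The size cap and the
 * sample bodies are constructed for this illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CHUNK 0x100000UL   /* assumed policy: refuse any chunk over 1 MiB */

/* Parse a chunk-size line: hex digits, optional ";ext" fields, then CRLF.
 * Returns the number of bytes consumed, or 0 if the line is malformed,
 * truncated, or declares a size above MAX_CHUNK. */
static size_t
parse_chunk_size(const char *in, size_t len, size_t *size_out)
{
    size_t i = 0, digits = 0;
    uint64_t size = 0;

    while (i < len && isxdigit((unsigned char)in[i])) {
        int c = tolower((unsigned char)in[i]);
        size = size * 16 + (uint64_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
        if (size > MAX_CHUNK)
            return 0;   /* checked per digit, so the accumulator cannot wrap */
        i++;
        digits++;
    }
    if (digits == 0)
        return 0;
    while (i < len && in[i] != '\r')   /* skip chunk extensions */
        i++;
    if (i + 1 >= len || in[i + 1] != '\n')
        return 0;
    *size_out = (size_t)size;
    return i + 2;
}

/* Decode a complete chunked body in[0..inlen) into out (capacity outcap).
 * Returns the decoded length, or -1 if the input is malformed, truncated,
 * contains an oversize chunk, or would not fit in out. */
static long
decode_chunked(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t pos = 0, outlen = 0;

    for (;;) {
        size_t chunk, n = parse_chunk_size(in + pos, inlen - pos, &chunk);
        if (n == 0)
            return -1;
        pos += n;
        if (chunk == 0) {
            /* Last chunk: skip optional trailer lines, then require the
             * empty line that ends the message. */
            for (;;) {
                size_t j = pos;
                while (j + 1 < inlen && !(in[j] == '\r' && in[j + 1] == '\n'))
                    j++;
                if (j + 1 >= inlen)
                    return -1;   /* no terminating CRLF */
                int empty = (j == pos);
                pos = j + 2;
                if (empty)
                    return (long)outlen;
            }
        }
        if (chunk > inlen - pos)
            return -1;   /* truncated chunk data */
        if (chunk > outcap - outlen)
            return -1;   /* caller's buffer too small */
        memcpy(out + outlen, in + pos, chunk);
        outlen += chunk;
        pos += chunk;
        if (inlen - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;   /* every chunk's data must end in CRLF */
        pos += 2;
    }
}

/* Constructed sample body: three chunks, the last carrying embedded CRLFs. */
static const char SAMPLE[] =
    "4\r\nWiki\r\n5\r\npedia\r\nE\r\n in\r\n\r\nchunks.\r\n0\r\n\r\n";

/* Decode SAMPLE into a buffer of the given capacity (at most 64 bytes). */
static long
decode_sample(size_t outcap)
{
    char out[64];
    if (outcap > sizeof out)
        outcap = sizeof out;
    long n = decode_chunked(SAMPLE, sizeof SAMPLE - 1, out, outcap);
    if (n == 23 && memcmp(out, "Wikipedia in\r\n\r\nchunks.", 23) != 0)
        return -2;   /* wrong payload */
    return n;
}

/* Decode a NUL-terminated constructed body; used for the malformed cases. */
static long
decode_str(const char *body)
{
    char out[256];
    return decode_chunked(body, strlen(body), out, sizeof out);
}
```

The two decisions worth noticing are that the size cap is enforced while the hex digits are still being read, so a long run of digits can never wrap the accumulator, and that every length comparison is written as `chunk > remaining` rather than `pos + chunk > inlen`, which avoids the overflow in the addition itself.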



CVS: cvs.openbsd.org: src

2019-11-14 Thread Jonathan Gray
CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2019/11/14 16:44:26

Modified files:
share/mk   : bsd.prog.mk bsd.README 

Log message:
add LIBCBOR and LIBFIDO2



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 15:23:31

Modified files:
lib/libfido2   : Makefile 

Log message:
LDADD for libcbor and libusbhid



CVS: cvs.openbsd.org: src

2019-11-14 Thread Theo de Raadt
CVSROOT: /cvs
Module name: src
Changes by: dera...@cvs.openbsd.org 2019/11/14 15:07:28

Modified files:
etc: group master.passwd 

Log message:
uid/gid 70 is _rpki-client for privdrop; ok benno



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 14:56:52

Modified files:
usr.bin/ssh: Makefile.inc 

Log message:
remove debugging goop that snuck into last commit



CVS: cvs.openbsd.org: src

2019-11-14 Thread Theo de Raadt
CVSROOT: /cvs
Module name: src
Changes by: dera...@cvs.openbsd.org 2019/11/14 14:31:31

Modified files:
lib/libcbor: shlib_version 
lib/libfido2   : shlib_version 

Log message:
extra whitespace



CVS: cvs.openbsd.org: src

2019-11-14 Thread Theo de Raadt
CVSROOT: /cvs
Module name: src
Changes by: dera...@cvs.openbsd.org 2019/11/14 14:31:07

Modified files:
distrib/sets/lists/base: mi 
distrib/sets/lists/comp: mi 

Log message:
sync



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 14:27:31

Modified files:
usr.bin/ssh: Makefile.inc readconf.c ssh-add.1 ssh-add.c 
 ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh-sk.c 
 ssh.1 ssh_config.5 
usr.bin/ssh/ssh: Makefile 
usr.bin/ssh/ssh-add: Makefile 
usr.bin/ssh/ssh-agent: Makefile 
usr.bin/ssh/ssh-keygen: Makefile 
usr.bin/ssh/ssh-keyscan: Makefile 
usr.bin/ssh/ssh-keysign: Makefile 
usr.bin/ssh/ssh-pkcs11-helper: Makefile 
usr.bin/ssh/ssh-sk-helper: Makefile 
usr.bin/ssh/sshd: Makefile 
Added files:
usr.bin/ssh: sk-usbhid.c 

Log message:
directly support U2F/FIDO2 security keys in OpenSSH by linking
against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for
Bluetooth, NFC and test/debugging.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Anton Lindqvist
CVSROOT: /cvs
Module name: src
Changes by: an...@cvs.openbsd.org 2019/11/14 14:17:00

Modified files:
regress/sys/kern/pipe: test-run-down.c test-thundering-herd.c 

Log message:
increase pipe size in order to exercise big pipe allocations



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 14:14:53

Modified files:
include: Makefile 

Log message:
RDIRS for libcbor and libfido2



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 14:14:35

Modified files:
lib: Makefile 

Log message:
add libcbor and libfido2



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 14:14:10

Added files:
lib/libfido2   : LICENSE Makefile README.openbsd shlib_version 
lib/libfido2/man: eddsa_pk.3 es256_pk.3 fido.3 fido2-assert.1 
  fido2-cred.1 fido2-token.1 fido_assert.3 
  fido_assert_allow_cred.3 fido_assert_set.3 
  fido_assert_verify.3 fido_bio_dev.3 
  fido_bio_enroll.3 fido_bio_info.3 
  fido_bio_template.3 fido_cbor_info.3 
  fido_cred.3 fido_cred_exclude.3 
  fido_cred_set.3 fido_cred_verify.3 
  fido_credman.3 fido_dev_get_assert.3 
  fido_dev_info_manifest.3 fido_dev_make_cred.3 
  fido_dev_open.3 fido_dev_set_io_functions.3 
  fido_dev_set_pin.3 fido_strerr.3 rs256_pk.3 
lib/libfido2/src: aes256.c assert.c authkey.c bio.c blob.c 
  blob.h buf.c cbor.c cred.c credman.c dev.c 
  ecdh.c eddsa.c err.c es256.c export.llvm 
  extern.h fido.h hid.c hid_openbsd.c info.c 
  io.c iso7816.c iso7816.h log.c packed.h pin.c 
  reset.c rs256.c types.h u2f.c 
lib/libfido2/src/fido: bio.h credman.h eddsa.h err.h es256.h 
   param.h rs256.h 

Log message:
import libfido2 (git HEAD). This library allows communication with
U2F/FIDO2 devices over USB.

feedback and "start the churn" deraadt@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Kenneth R Westerback
CVSROOT: /cvs
Module name: src
Changes by: k...@cvs.openbsd.org 2019/11/14 14:13:58

Modified files:
sys/dev/ic : mpi.c 

Log message:
Unleash all the available openings and let the midlayer sort things
out like other "modern" devices.

ok dlg@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Damien Miller
CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2019/11/14 14:11:35

Added files:
lib/libcbor: LICENSE.md Makefile README.md README.openbsd 
 shlib_version 
lib/libcbor/src: allocators.c cbor.c cbor.h 
lib/libcbor/src/cbor: arrays.c arrays.h bytestrings.c 
  bytestrings.h callbacks.c callbacks.h 
  common.c common.h configuration.h 
  configuration.h.in data.h encoding.c 
  encoding.h floats_ctrls.c floats_ctrls.h 
  ints.c ints.h maps.c maps.h 
  serialization.c serialization.h 
  streaming.c streaming.h strings.c 
  strings.h tags.c tags.h 
lib/libcbor/src/cbor/internal: builder_callbacks.c 
   builder_callbacks.h encoders.c 
   encoders.h loaders.c loaders.h 
   memory_utils.c memory_utils.h 
   stack.c stack.h unicode.c 
   unicode.h 

Log message:
Add libcbor, an implementation of the Concise Binary Object
Representation (CBOR) encoding format defined in RFC7049.

This is a dependency of libfido2, which we'll use for U2F/FIDO
support in OpenSSH.

feedback and "Looks good enough to me" deraadt@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Todd C. Miller
CVSROOT: /cvs
Module name: src
Changes by: mill...@cvs.openbsd.org 2019/11/14 13:48:48

Modified files:
lib/libssl/man : SSL_CTX_use_certificate.3 

Log message:
Add missing cross-reference to NOTES section.
OK kn@ tb@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Alexander Bluhm
CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2019/11/14 13:41:46

Modified files:
sbin/isakmpd   : monitor.c 

Log message:
Do not print misleading error message about permission error for
non existing isakmpd.conf(5) file.  This was a result of the changed
realpath(3) behavior.  Now isakmpd(8) uses the errno from the system.
reported by igor kos; OK deraadt@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Tobias Heider
CVSROOT: /cvs
Module name: src
Changes by: to...@cvs.openbsd.org 2019/11/14 11:40:23

Modified files:
regress/sbin/iked/parser: common.c 

Log message:
Fix undefined symbol for ikev2_ike_sa_setreason.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Stefan Sperling
CVSROOT: /cvs
Module name: src
Changes by: s...@cvs.openbsd.org 2019/11/14 11:24:21

Modified files:
sys/net80211   : Tag: OPENBSD_6_6 ieee80211_ioctl.c 

Log message:
Prevent a NULL deref in ieee80211_node2req() which could be triggered
by an ioctl if the driver had not yet initialized the channel map.
Crash reported by nayden@
ok sthen@

OpenBSD 6.6 errata 004



CVS: cvs.openbsd.org: src

2019-11-14 Thread Stefan Sperling
CVSROOT: /cvs
Module name: src
Changes by: s...@cvs.openbsd.org 2019/11/14 11:23:08

Modified files:
sys/net80211   : Tag: OPENBSD_6_5 ieee80211_ioctl.c 

Log message:
Prevent a NULL deref in ieee80211_node2req() which could be triggered
by an ioctl if the driver had not yet initialized the channel map.
Crash reported by nayden@
ok sthen@

OpenBSD 6.5 errata 015



CVS: cvs.openbsd.org: src

2019-11-14 Thread Alexander Bluhm
CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2019/11/14 11:21:43

Modified files:
usr.sbin/sysupgrade: Tag: OPENBSD_6_5 sysupgrade.sh 

Log message:
Opportunistically run fw_update before rebooting to run the upgrade.
Warn if it fails, but allow the upgrade to continue for now.
discussed with many, refinements by naddy@ sthen@
from beck@ benno@; OK deraadt@

OpenBSD 6.5 errata 016



CVS: cvs.openbsd.org: src

2019-11-14 Thread Alexander Bluhm
CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2019/11/14 11:19:25

Modified files:
usr.sbin/sysupgrade: Tag: OPENBSD_6_6 sysupgrade.sh 

Log message:
Opportunistically run fw_update before rebooting to run the upgrade.
Warn if it fails, but allow the upgrade to continue for now.
discussed with many, refinements by naddy@ sthen@
from beck@ benno@; OK deraadt@

OpenBSD 6.6 errata 005



CVS: cvs.openbsd.org: src

2019-11-14 Thread Alexander Bluhm
CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2019/11/14 11:07:27

Modified files:
sys/dev/ic : Tag: OPENBSD_6_5 an.c 
sys/net: Tag: OPENBSD_6_5 if.c if_spppsubr.c 

Log message:
Only root is allowed to set the WEP key.  Add an suser() check to
enforce this for the an(4) wireless network device.
found by Ilja Van Sprundel; from bluhm@; OK dlg@ deraadt@ mpi@

SIOCDVNETID mutates state, so should only be run by root.
found by Ilja Van Sprundel; from dlg@; OK deraadt@ mpi@ bluhm@

check for privileged bridges ioctls next to the other privileged ioctls.
there's now a bunch of drivers that implement the bridge ioctls,
but they're inconsistent at checking privilege. doing it up front
once means less code duplication, and more consistent application
of the checks.
found by Ilja Van Sprundel; from dlg@; OK bluhm@ deraadt@

unbreak ramdisks
from deraadt@

Non-root user must not use ioctl(2) to mess around with the address
of a network interface.
from bluhm@; OK deraadt@ claudio@

Non-root users must not set the parameters of pppoe(4) interfaces.
found by Ilja Van Sprundel; from bluhm@; OK deraadt@ dlg@

OpenBSD 6.5 errata 017



CVS: cvs.openbsd.org: src

2019-11-14 Thread Alexander Bluhm
CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2019/11/14 11:06:29

Modified files:
sys/dev/ic : Tag: OPENBSD_6_6 an.c 
sys/net: Tag: OPENBSD_6_6 if.c if_spppsubr.c 

Log message:
Only root is allowed to set the WEP key.  Add an suser() check to
enforce this for the an(4) wireless network device.
found by Ilja Van Sprundel; from bluhm@; OK dlg@ deraadt@ mpi@

SIOCDVNETID mutates state, so should only be run by root.
found by Ilja Van Sprundel; from dlg@; OK deraadt@ mpi@ bluhm@

check for privileged bridges ioctls next to the other privileged ioctls.
there's now a bunch of drivers that implement the bridge ioctls,
but they're inconsistent at checking privilege. doing it up front
once means less code duplication, and more consistent application
of the checks.
found by Ilja Van Sprundel; from dlg@; OK bluhm@ deraadt@

unbreak ramdisks
from deraadt@

Non-root user must not use ioctl(2) to mess around with the address
of a network interface.
from bluhm@; OK deraadt@ claudio@

Non-root users must not set the parameters of pppoe(4) interfaces.
found by Ilja Van Sprundel; from bluhm@; OK deraadt@ dlg@

OpenBSD 6.6 errata 006
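The errata commits above (6.5 errata 017 and 6.6 errata 006) make one structural point: when several drivers each implement the same privileged ioctls, each one has to remember the privilege check, and some will not, so the check is moved up front into the shared ioctl path where it is applied once. The following is an added illustration of that pattern, not OpenBSD kernel source. The command numbers, the two mock drivers, the `struct cred` and the `suser()` stand-in are all constructed here; only the idea (one table of privileged commands checked in the dispatcher) comes from the commit message.

```c
/* Added illustration, not OpenBSD kernel source: why privilege checks for
 * state-changing ioctl commands belong in the shared dispatcher, ahead of the
 * per-driver handlers. Commands, drivers and credentials are constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical command numbers standing in for the interface-address,
 * SIOCDVNETID and bridge ioctls the errata describe. */
enum {
    CMD_GET_STATUS = 1,   /* read-only: any user may issue it */
    CMD_SET_ADDR   = 2,   /* changes interface state: root only */
    CMD_DEL_VNETID = 3,   /* changes interface state: root only */
    CMD_BRIDGE_ADD = 4    /* privileged bridge ioctl: root only */
};

struct cred { unsigned int uid; };

/* Stand-in for suser(): 0 for root, EPERM for everyone else. */
static int suser(const struct cred *cr) { return cr->uid == 0 ? 0 : EPERM; }

typedef int (*ioctl_fn)(const struct cred *, int);

/* Mock driver A checks privilege for every state-changing command. */
static int driver_a_ioctl(const struct cred *cr, int cmd)
{
    switch (cmd) {
    case CMD_GET_STATUS:
        return 0;
    case CMD_SET_ADDR: case CMD_DEL_VNETID: case CMD_BRIDGE_ADD:
        return suser(cr);
    default:
        return ENOTTY;
    }
}

/* Mock driver B forgot the check on one command: the per-driver
 * inconsistency the commit message calls out. */
static int driver_b_ioctl(const struct cred *cr, int cmd)
{
    switch (cmd) {
    case CMD_GET_STATUS:
        return 0;
    case CMD_SET_ADDR: case CMD_DEL_VNETID:
        return suser(cr);
    case CMD_BRIDGE_ADD:
        return 0;   /* defect: no privilege check */
    default:
        return ENOTTY;
    }
}

/* Before: the dispatcher trusts each driver to check for itself. */
static int dispatch_unchecked(ioctl_fn drv, const struct cred *cr, int cmd)
{
    return drv(cr, cmd);
}

/* After: one list of privileged commands, enforced once before any driver runs. */
static bool cmd_is_privileged(int cmd)
{
    return cmd == CMD_SET_ADDR || cmd == CMD_DEL_VNETID || cmd == CMD_BRIDGE_ADD;
}

static int dispatch_checked(ioctl_fn drv, const struct cred *cr, int cmd)
{
    if (cmd_is_privileged(cmd)) {
        int error = suser(cr);
        if (error != 0)
            return error;
    }
    return drv(cr, cmd);
}

/* Audit: how many privileged commands does an unprivileged caller get through? */
static int count_privilege_leaks(int (*dispatch)(ioctl_fn, const struct cred *, int))
{
    const struct cred user = { 1000 };
    const ioctl_fn drivers[] = { driver_a_ioctl, driver_b_ioctl };
    const int cmds[] = { CMD_SET_ADDR, CMD_DEL_VNETID, CMD_BRIDGE_ADD };
    int leaks = 0;

    for (size_t d = 0; d < sizeof drivers / sizeof drivers[0]; d++)
        for (size_t c = 0; c < sizeof cmds / sizeof cmds[0]; c++)
            if (dispatch(drivers[d], &user, cmds[c]) == 0)
                leaks++;
    return leaks;
}

/* Result of one command for a caller with the given uid through the checked path:
 * root must still get through, and read-only commands stay open to everyone. */
static int checked_result(unsigned int uid, ioctl_fn drv, int cmd)
{
    const struct cred cr = { uid };
    return dispatch_checked(drv, &cr, cmd);
}
```

The audit helper is the part a reviewer would keep: running every privileged command through every driver as an unprivileged caller turns "are the checks consistent?" into a number, and after centralizing the check that number is zero regardless of what any individual driver does.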



CVS: cvs.openbsd.org: www

2019-11-14 Thread Theo Buehler
CVSROOT: /cvs
Module name: www
Changes by: t...@cvs.openbsd.org 2019/11/14 10:59:51

Modified files:
.  : errata65.html 

Log message:
frag6ecn is for all architectures, not just amd64



CVS: cvs.openbsd.org: src

2019-11-14 Thread Nicholas Marriott
CVSROOT: /cvs
Module name: src
Changes by: n...@cvs.openbsd.org 2019/11/14 09:23:23

Modified files:
usr.bin/tmux   : options-table.c 

Log message:
Change window-size default from smallest to latest.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Nicholas Marriott
CVSROOT: /cvs
Module name: src
Changes by: n...@cvs.openbsd.org 2019/11/14 08:37:20

Modified files:
usr.bin/tmux   : cmd-kill-pane.c tmux.h tty-keys.c 

Log message:
Fix parsing of DA with only one argument in the response and add 65 for VT520.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Aaron Bieber
CVSROOT: /cvs
Module name: src
Changes by: abie...@cvs.openbsd.org 2019/11/14 06:50:55

Modified files:
sys/dev/usb: if_cdce.c 

Log message:
Remove hardcoding of NetChip vendor/product id so that urndis(4) can attach
when Linux has g_ether configured as RNDIS.

OK patrick@, sthen@



CVS: cvs.openbsd.org: src

2019-11-14 Thread Florian Obser
CVSROOT: /cvs
Module name: src
Changes by: flor...@cvs.openbsd.org 2019/11/14 01:34:17

Modified files:
sbin/unwind: resolver.c unwind.c unwind.h 

Log message:
With the stub resolver we have had for some time, we can resolve the
captive portal host internally via the resolver process.

deraadt and I observed weird captive portal checking hangs inside of
unwind if only 127.0.0.1 was listed as a nameserver in resolv.conf
with the old code.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Florian Obser
CVSROOT: /cvs
Module name: src
Changes by: flor...@cvs.openbsd.org 2019/11/14 01:32:30

Modified files:
sbin/unwind: resolver.c 

Log message:
Checking a resolver that we are already checking can lead to a
self-DoS under high query rate and constant failures.



CVS: cvs.openbsd.org: src

2019-11-14 Thread Florian Obser
CVSROOT: /cvs
Module name: src
Changes by: flor...@cvs.openbsd.org 2019/11/14 01:30:10

Modified files:
sbin/unwind: resolver.c unwind.h 

Log message:
Since resolve() switched to a callback mechanism, all uw_resolver objects
pass through resolve() and either asr_resolve_done() or
ub_resolve_done().
With that we can pull resolver_ref() and resolver_unref() into those
functions to make the reference counting easier.
Only check_resolver is special since it needs to refcount the to-be-checked
resolver. But the resolver doing the actual work is
automatically refcounted by resolve() and *_resolve_done().
One last piece of the puzzle is to track the uw_resolver object in
cb_data so that the *_resolve_done() functions have access to it.
This also allows us to remove the ad-hoc passing of the resolver in
query_imsg. Since the callback functions all need access to the
resolver that did the work, we pass it in as first argument.

OK otto



CVS: cvs.openbsd.org: src

2019-11-14 Thread Nicholas Marriott
CVSROOT: /cvs
Module name: src
Changes by: n...@cvs.openbsd.org 2019/11/14 01:00:30

Modified files:
usr.bin/tmux   : cmd-new-session.c input.c 

Log message:
Change new-session -A without a session name (that is, no -s option
also) to attach to the best existing session like attach-session rather
than creating a new one.