CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     o...@cvs.openbsd.org    2019/11/14 23:08:21

Modified files:
        sbin/unwind    : resolver.c

Log message:
Improve readability by using a typedef for the callback type;

ok florian@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 23:00:20

Modified files:
        usr.bin/ssh    : moduli.c sk-usbhid.c sshbuf-getput-crypto.c sshkey.c

Log message:
remove most uses of BN_CTX

We weren't following the rules re BN_CTX_start/BN_CTX_end and the places
we were using it didn't benefit from its use anyway.

ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 22:37:27

Modified files:
        usr.bin/ssh    : ssh-agent.c

Log message:
unshield security key privkey before attempting signature in agent.
spotted by dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     dera...@cvs.openbsd.org    2019/11/14 22:26:56

Modified files:
        usr.bin/ssh    : sk-usbhid.c

Log message:
rewrite c99-ism
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     dera...@cvs.openbsd.org    2019/11/14 22:25:52

Modified files:
        usr.bin/ssh    : Makefile.inc

Log message:
only clang understands those new -W options
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     j...@cvs.openbsd.org    2019/11/14 21:23:25

Modified files:
        share/man/man3 : intro.3

Log message:
add libcbor and libfido2

ok djm@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 21:12:32

Modified files:
        usr.bin/ssh    : ssh-agent.c

Log message:
don't consult dlopen whitelist for internal security key provider;
spotted by dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 20:41:57

Modified files:
        usr.bin/ssh    : sk-usbhid.c

Log message:
U2F tokens may return FIDO_ERR_USER_PRESENCE_REQUIRED when probed to see
if they own a key handle. Handle this case so the find_device() loop can
work for them.

Reported by Michael Forney
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     dera...@cvs.openbsd.org    2019/11/14 20:19:40

Modified files:
        lib/libcbor    : Makefile
        lib/libfido2   : Makefile

Log message:
our older gcc requires forced -std=c99
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     dera...@cvs.openbsd.org    2019/11/14 20:18:45

Modified files:
        distrib/sets/lists/comp: mi

Log message:
sync
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     dera...@cvs.openbsd.org    2019/11/14 20:10:21

Modified files:
        etc/etc.amd64  : disktab
        distrib/amd64/iso: Makefile

Log message:
grow an install media
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 19:38:07

Modified files:
        usr.bin/ssh    : ssh-agent.c

Log message:
show the "please touch your security key" notifier when using the
(default) built-in security key support.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 19:37:24

Modified files:
        usr.bin/ssh    : sshconnect2.c

Log message:
close the "touch your security key" notifier on the error path too
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 19:20:06

Modified files:
        usr.bin/ssh    : sk-usbhid.c

Log message:
correct function name in debug message
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 17:32:40

Modified files:
        usr.bin/ssh    : readpass.c

Log message:
follow existing askpass logic for security key notifier: fall back to
_PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable is set.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     j...@cvs.openbsd.org    2019/11/14 17:06:46

Modified files:
        usr.bin/usbhidctl: Makefile
        share/mk       : bsd.README bsd.prog.mk

Log message:
libusb was renamed to libusbhid in 2001 but the old DPADD var name was kept.
Rename LIBUSB to LIBUSBHID as there is only one LIBUSB use and many more
attempts to refer to LIBUSBHID.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     j...@cvs.openbsd.org    2019/11/14 16:48:37

Modified files:
        usr.bin/ftp    : fetch.c

Log message:
HTTP/1.1 for ftp(1)

Some sites in ports start to reject HTTP/1.0 requests. Let's move on and
implement HTTP/1.1. Should fit in ramdisks.

ok sthen@ tb@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     j...@cvs.openbsd.org    2019/11/14 16:44:26

Modified files:
        share/mk       : bsd.prog.mk bsd.README

Log message:
add LIBCBOR and LIBFIDO2
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 15:23:31

Modified files:
        lib/libfido2   : Makefile

Log message:
LDADD for libcbor and libusbhid
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     dera...@cvs.openbsd.org    2019/11/14 15:07:28

Modified files:
        etc            : group master.passwd

Log message:
uid/gid 70 is _rpki-client for privdrop;
ok benno
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 14:56:52

Modified files:
        usr.bin/ssh    : Makefile.inc

Log message:
remove debugging goop that snuck into last commit
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     dera...@cvs.openbsd.org    2019/11/14 14:31:31

Modified files:
        lib/libcbor    : shlib_version
        lib/libfido2   : shlib_version

Log message:
extra whitespace
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     dera...@cvs.openbsd.org    2019/11/14 14:31:07

Modified files:
        distrib/sets/lists/base: mi
        distrib/sets/lists/comp: mi

Log message:
sync
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 14:27:31

Modified files:
        usr.bin/ssh    : Makefile.inc readconf.c ssh-add.1 ssh-add.c
                         ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh-sk.c
                         ssh.1 ssh_config.5
        usr.bin/ssh/ssh: Makefile
        usr.bin/ssh/ssh-add: Makefile
        usr.bin/ssh/ssh-agent: Makefile
        usr.bin/ssh/ssh-keygen: Makefile
        usr.bin/ssh/ssh-keyscan: Makefile
        usr.bin/ssh/ssh-keysign: Makefile
        usr.bin/ssh/ssh-pkcs11-helper: Makefile
        usr.bin/ssh/ssh-sk-helper: Makefile
        usr.bin/ssh/sshd: Makefile
Added files:
        usr.bin/ssh    : sk-usbhid.c

Log message:
directly support U2F/FIDO2 security keys in OpenSSH by linking against
the (previously external) USB HID middleware. The dlopen() capability
still exists for alternate middlewares, e.g. for Bluetooth, NFC and
test/debugging.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     an...@cvs.openbsd.org    2019/11/14 14:17:00

Modified files:
        regress/sys/kern/pipe: test-run-down.c test-thundering-herd.c

Log message:
increase pipe size in order to exercise big pipe allocations
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 14:14:53

Modified files:
        include        : Makefile

Log message:
RDIRS for libcbor and libfido2
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 14:14:35

Modified files:
        lib            : Makefile

Log message:
add libcbor and libfido2
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 14:14:10

Added files:
        lib/libfido2   : LICENSE Makefile README.openbsd shlib_version
        lib/libfido2/man: eddsa_pk.3 es256_pk.3 fido.3 fido2-assert.1
                         fido2-cred.1 fido2-token.1 fido_assert.3
                         fido_assert_allow_cred.3 fido_assert_set.3
                         fido_assert_verify.3 fido_bio_dev.3
                         fido_bio_enroll.3 fido_bio_info.3
                         fido_bio_template.3 fido_cbor_info.3 fido_cred.3
                         fido_cred_exclude.3 fido_cred_set.3
                         fido_cred_verify.3 fido_credman.3
                         fido_dev_get_assert.3 fido_dev_info_manifest.3
                         fido_dev_make_cred.3 fido_dev_open.3
                         fido_dev_set_io_functions.3 fido_dev_set_pin.3
                         fido_strerr.3 rs256_pk.3
        lib/libfido2/src: aes256.c assert.c authkey.c bio.c blob.c blob.h
                         buf.c cbor.c cred.c credman.c dev.c ecdh.c
                         eddsa.c err.c es256.c export.llvm extern.h
                         fido.h hid.c hid_openbsd.c info.c io.c
                         iso7816.c iso7816.h log.c packed.h pin.c
                         reset.c rs256.c types.h u2f.c
        lib/libfido2/src/fido: bio.h credman.h eddsa.h err.h es256.h
                         param.h rs256.h

Log message:
import libfido2 (git HEAD). This library allows communication with
U2F/FIDO2 devices over USB.

feedback and "start the churn" deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     k...@cvs.openbsd.org    2019/11/14 14:13:58

Modified files:
        sys/dev/ic     : mpi.c

Log message:
Unleash all the available openings and let the midlayer sort things out
like other "modern" devices.

ok dlg@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     d...@cvs.openbsd.org    2019/11/14 14:11:35

Added files:
        lib/libcbor    : LICENSE.md Makefile README.md README.openbsd
                         shlib_version
        lib/libcbor/src: allocators.c cbor.c cbor.h
        lib/libcbor/src/cbor: arrays.c arrays.h bytestrings.c bytestrings.h
                         callbacks.c callbacks.h common.c common.h
                         configuration.h configuration.h.in data.h
                         encoding.c encoding.h floats_ctrls.c
                         floats_ctrls.h ints.c ints.h maps.c maps.h
                         serialization.c serialization.h streaming.c
                         streaming.h strings.c strings.h tags.c tags.h
        lib/libcbor/src/cbor/internal: builder_callbacks.c
                         builder_callbacks.h encoders.c encoders.h
                         loaders.c loaders.h memory_utils.c
                         memory_utils.h stack.c stack.h unicode.c
                         unicode.h

Log message:
Add libcbor; an implementation of the Concise Binary Object
Representation (CBOR) encoding format defined in RFC7049.

This is a dependency of libfido2, that we'll use for U2F/FIDO support
in OpenSSH.

feedback and "Looks good enough to me" deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     mill...@cvs.openbsd.org    2019/11/14 13:48:48

Modified files:
        lib/libssl/man : SSL_CTX_use_certificate.3

Log message:
Add missing cross-reference to NOTES section.

OK kn@ tb@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org    2019/11/14 13:41:46

Modified files:
        sbin/isakmpd   : monitor.c

Log message:
Do not print misleading error message about permission error for
non-existing isakmpd.conf(5) file. This was a result of the changed
realpath(3) behavior. Now isakmpd(8) uses the errno from the system.

reported by igor kos; OK deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     to...@cvs.openbsd.org    2019/11/14 11:40:23

Modified files:
        regress/sbin/iked/parser: common.c

Log message:
Fix undefined symbol for ikev2_ike_sa_setreason.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     s...@cvs.openbsd.org    2019/11/14 11:24:21

Modified files:
        sys/net80211   : Tag: OPENBSD_6_6 ieee80211_ioctl.c

Log message:
Prevent a NULL deref in ieee80211_node2req() which could be triggered by
an ioctl if the driver had not yet initialized the channel map.

Crash reported by nayden@
ok sthen@

OpenBSD 6.6 errata 004
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     s...@cvs.openbsd.org    2019/11/14 11:23:08

Modified files:
        sys/net80211   : Tag: OPENBSD_6_5 ieee80211_ioctl.c

Log message:
Prevent a NULL deref in ieee80211_node2req() which could be triggered by
an ioctl if the driver had not yet initialized the channel map.

Crash reported by nayden@
ok sthen@

OpenBSD 6.5 errata 015
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org    2019/11/14 11:21:43

Modified files:
        usr.sbin/sysupgrade: Tag: OPENBSD_6_5 sysupgrade.sh

Log message:
Opportunistically run fw_update before rebooting to run the upgrade.
Warn if it fails, but allow the upgrade to continue for now.

discussed with many, refinements by naddy@ sthen@
from beck@ benno@; OK deraadt@

OpenBSD 6.5 errata 016
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org    2019/11/14 11:19:25

Modified files:
        usr.sbin/sysupgrade: Tag: OPENBSD_6_6 sysupgrade.sh

Log message:
Opportunistically run fw_update before rebooting to run the upgrade.
Warn if it fails, but allow the upgrade to continue for now.

discussed with many, refinements by naddy@ sthen@
from beck@ benno@; OK deraadt@

OpenBSD 6.6 errata 005
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org    2019/11/14 11:07:27

Modified files:
        sys/dev/ic     : Tag: OPENBSD_6_5 an.c
        sys/net        : Tag: OPENBSD_6_5 if.c if_spppsubr.c

Log message:
Only root is allowed to set the WEP key. Add an suser() check to enforce
this for the an(4) wireless network device.
found by Ilja Van Sprundel; from bluhm@; OK dlg@ deraadt@ mpi@

SIOCDVNETID mutates state, so should only be run by root.
found by Ilja Van Sprundel; from dlg@; OK deraadt@ mpi@ bluhm@

check for privileged bridges ioctls next to the other privileged ioctls.
there's now a bunch of drivers that implement the bridge ioctls, but
they're inconsistent at checking privilege. doing it up front once means
less code duplication, and more consistent application of the checks.
found by Ilja Van Sprundel; from dlg@; OK bluhm@ deraadt@

unbreak ramdisks
from deraadt@

Non root user must not use ioctl(2) to mess around with the address of
a network interface.
from bluhm@; OK deraadt@ claudio@

Non root users must not set the parameters of pppoe(4) interfaces.
found by Ilja Van Sprundel; from bluhm@; OK deraadt@ dlg@

OpenBSD 6.5 errata 017
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org    2019/11/14 11:06:29

Modified files:
        sys/dev/ic     : Tag: OPENBSD_6_6 an.c
        sys/net        : Tag: OPENBSD_6_6 if.c if_spppsubr.c

Log message:
Only root is allowed to set the WEP key. Add an suser() check to enforce
this for the an(4) wireless network device.
found by Ilja Van Sprundel; from bluhm@; OK dlg@ deraadt@ mpi@

SIOCDVNETID mutates state, so should only be run by root.
found by Ilja Van Sprundel; from dlg@; OK deraadt@ mpi@ bluhm@

check for privileged bridges ioctls next to the other privileged ioctls.
there's now a bunch of drivers that implement the bridge ioctls, but
they're inconsistent at checking privilege. doing it up front once means
less code duplication, and more consistent application of the checks.
found by Ilja Van Sprundel; from dlg@; OK bluhm@ deraadt@

unbreak ramdisks
from deraadt@

Non root user must not use ioctl(2) to mess around with the address of
a network interface.
from bluhm@; OK deraadt@ claudio@

Non root users must not set the parameters of pppoe(4) interfaces.
found by Ilja Van Sprundel; from bluhm@; OK deraadt@ dlg@

OpenBSD 6.6 errata 006
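The two errata commits above (6.5 errata 017 and 6.6 errata 006) share one design point: a mutating interface ioctl must be refused to non-root callers, and the check is most reliable when it is made once, up front in the common ioctl path, rather than re-implemented inside every driver that happens to handle the command. The following is an added model of that pattern written for this page; it is not OpenBSD kernel code. The command numbers, the `struct caller`, the driver functions and `suser_check()` are invented stand-ins (the real kernel uses `suser()` and the SIOC* constants named in the commit). The "old" layout reproduces the bug class the commit describes: two drivers implement the same command and only one of them remembered to check privilege.

```c
/*
 * Toy model of an up-front privilege gate for network-interface ioctls.
 * Added illustration, not OpenBSD source; all identifiers are invented.
 */
#include <errno.h>
#include <stdbool.h>

/* Hypothetical ioctl commands standing in for SIOCGIF*, SIOCSIFADDR,
 * SIOCDVNETID, the an(4) WEP-key ioctl and the bridge ioctls. */
enum ifcmd {
	IFCMD_GET_FLAGS  = 1,	/* read-only: any user may query */
	IFCMD_SET_ADDR   = 2,	/* changes interface address: root only */
	IFCMD_DEL_VNETID = 3,	/* mutates state (cf. SIOCDVNETID): root only */
	IFCMD_SET_WEPKEY = 4,	/* mutates state (cf. an(4) WEP key): root only */
	IFCMD_BRIDGE_ADD = 5,	/* bridge ioctl implemented by several drivers */
};

struct caller { bool is_root; };	/* stand-in for struct proc + ucred */

/* Counts how often a driver handler actually ran, so a test can show
 * that the gate stops unprivileged mutating requests before any driver
 * sees them. */
static int driver_calls;

void reset_driver_calls(void) { driver_calls = 0; }
int driver_calls_so_far(void) { return driver_calls; }

/* One table of privileged commands, instead of a check in every driver. */
bool cmd_is_privileged(enum ifcmd cmd)
{
	switch (cmd) {
	case IFCMD_SET_ADDR:
	case IFCMD_DEL_VNETID:
	case IFCMD_SET_WEPKEY:
	case IFCMD_BRIDGE_ADD:
		return true;
	default:
		return false;
	}
}

/* Stand-in for suser(): 0 when privileged, EPERM otherwise. */
int suser_check(const struct caller *p)
{
	return p->is_root ? 0 : EPERM;
}

/* --- Old layout: every driver checks on its own, and one forgot. --- */

static int old_driver_a_ioctl(const struct caller *p, enum ifcmd cmd)
{
	if (cmd_is_privileged(cmd) && suser_check(p) != 0)
		return EPERM;		/* this driver remembered */
	driver_calls++;
	return 0;
}

static int old_driver_b_ioctl(const struct caller *p, enum ifcmd cmd)
{
	(void)p; (void)cmd;		/* no check: any user can mutate via this driver */
	driver_calls++;
	return 0;
}

/* ifidx selects which driver owns the interface (0 = a, otherwise b). */
int old_ifioctl(const struct caller *p, int ifidx, enum ifcmd cmd)
{
	return ifidx == 0 ? old_driver_a_ioctl(p, cmd)
			  : old_driver_b_ioctl(p, cmd);
}

/* --- New layout: gate once in the common path; drivers trust it. --- */

static int new_driver_ioctl(enum ifcmd cmd)
{
	(void)cmd;
	driver_calls++;
	return 0;
}

int new_ifioctl(const struct caller *p, int ifidx, enum ifcmd cmd)
{
	(void)ifidx;			/* which driver no longer matters */
	if (cmd_is_privileged(cmd)) {
		int error = suser_check(p);
		if (error != 0)
			return error;	/* driver never runs */
	}
	return new_driver_ioctl(cmd);
}
```

In the old layout an unprivileged caller can still add a bridge member through driver b because that driver never checked; in the new layout the decision is made once in `new_ifioctl()` and no driver can forget it, which is exactly why the commit moves the bridge-ioctl check "next to the other privileged ioctls".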
CVS: cvs.openbsd.org: www
CVSROOT:        /cvs
Module name:    www
Changes by:     t...@cvs.openbsd.org    2019/11/14 10:59:51

Modified files:
        .              : errata65.html

Log message:
frag6ecn is for all architectures, not just amd64
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     n...@cvs.openbsd.org    2019/11/14 09:23:23

Modified files:
        usr.bin/tmux   : options-table.c

Log message:
Change window-size default from smallest to latest.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     n...@cvs.openbsd.org    2019/11/14 08:37:20

Modified files:
        usr.bin/tmux   : cmd-kill-pane.c tmux.h tty-keys.c

Log message:
Fix parsing of DA with only one argument in the response and add 65 for
VT520.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     abie...@cvs.openbsd.org    2019/11/14 06:50:55

Modified files:
        sys/dev/usb    : if_cdce.c

Log message:
Remove hardcoding of NetChip vendor/product id so that urndis(4) can
attach when Linux has g_ether configured as RNDIS.

OK patrick@, sthen@
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     flor...@cvs.openbsd.org    2019/11/14 01:34:17

Modified files:
        sbin/unwind    : resolver.c unwind.c unwind.h

Log message:
With the stub resolver we have had for some time we can resolve the
captive portal host internally via the resolver process.

deraadt and I observed weird captive portal checking hangs inside of
unwind if only 127.0.0.1 was listed as a nameserver in resolv.conf with
the old code.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     flor...@cvs.openbsd.org    2019/11/14 01:32:30

Modified files:
        sbin/unwind    : resolver.c

Log message:
Checking a resolver that we are already checking can lead to a self-DoS
under high query rate and constant failures.
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     flor...@cvs.openbsd.org    2019/11/14 01:30:10

Modified files:
        sbin/unwind    : resolver.c unwind.h

Log message:
Since resolve() switched to a callback mechanism all uw_resolver objects
pass through resolve() and either asr_resolve_done() or ub_resolve_done().
With that we can pull resolver_ref() and resolver_unref() into those
functions to make the reference counting easier.

Only check_resolver is special since it needs to refcount the
to-be-checked resolver. But the resolver doing the actual work is
automatically refcounted by resolve() and *_resolve_done().

One last piece of the puzzle is to track the uw_resolver object in
cb_data so that the *_resolve_done() functions have access to it. This
also allows us to remove the ad-hoc passing of the resolver in
query_imsg.

Since the callback functions all need access to the resolver that did
the work we pass it in as first argument.

OK otto
CVS: cvs.openbsd.org: src
CVSROOT:        /cvs
Module name:    src
Changes by:     n...@cvs.openbsd.org    2019/11/14 01:00:30

Modified files:
        usr.bin/tmux   : cmd-new-session.c input.c

Log message:
Change new-session -A without a session name (that is, no -s option
also) to attach to the best existing session like attach-session rather
than creating a new one.