CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: j...@cvs.openbsd.org 2023/01/17 23:55:32 Modified files: usr.bin/ssh: sshd_config.5 Log message: tweak previous; ok djm
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: js...@cvs.openbsd.org 2023/01/17 22:29:48 Modified files: lib/libcrypto/bn: bn_div.c Log message: Bring in a description of bn_words_3_div(). This comes from OpenSSL commit 3da2e9c4ee45989a426ff513dc6c6250d1e460de. ok tb@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: js...@cvs.openbsd.org 2023/01/17 22:27:30 Modified files: lib/libcrypto/bn: bn_div.c Log message: Start cleaning up BN_div_internal(). Always provide a bn_div_3_words() function, rather than having deeply nested compiler conditionals. Use readable variable names, clean up formatting and use a single exit path. Tested on various platforms by miod@ ok tb@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2023/01/17 22:06:44 Modified files: sys/arch/i386/i386: trap.c Log message: Do on i386 as we do on amd64. This is done on variable cpu_pae, which indicates the "PAE" pmap is being used, which only happens if the cpu has both PAE and NX. On i386 machines without the NX feature enabled, we can't distinguish between page faults as a result of instruction fetches or normal data access. Handle this in the same way as we do on landisk: if handling the fault with access type PROT_READ fails, retry with PROT_EXEC. Fortunately we know whether NX is enabled or not so only do this when it isn't. ok kettenis, jsg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org 2023/01/17 19:00:10 Modified files: usr.bin/ssh: channels.c channels.h Log message: when restoring non-blocking mode to stdio fds, restore exactly the flags that ssh started with and don't just clobber them with zero, as this could also remove the append flag from the set; bz3523; ok dtucker@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: mill...@cvs.openbsd.org 2023/01/17 18:50:21 Modified files: usr.bin/ssh: sshd.8 sshd.c Log message: Add a -V (version) option to sshd like the ssh client has. OK markus@ deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: k...@cvs.openbsd.org 2023/01/17 17:48:15 Modified files: sbin/disklabel : editor.c Log message: Use ROUNDUP() to round up to cylinder boundary.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org 2023/01/17 17:27:10 Modified files: usr.sbin/rpki-client: validate.c Log message: rpki-client: explicitly enable policy checks In x509_verify.c r1.62, beck disabled policy checks by default in the new X.509 verifier to match the behavior of the legacy validator and OpenSSL. In order to keep policy checks as mandated by RFC 7318, we need to opt into them explicitly. ok beck
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: k...@cvs.openbsd.org 2023/01/17 16:56:51 Modified files: sbin/disklabel : editor.c Log message: Nuke unused MAXIMUM(). Add ROUNDUP() and ROUNDDOWN().
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: b...@cvs.openbsd.org 2023/01/17 16:49:28 Modified files: lib/libcrypto/x509: x509_verify.c Log message: Don't do policy checking unless we were asked to do so. ok tb@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: j...@cvs.openbsd.org 2023/01/17 16:39:30 Modified files: sys/arch/i386/pci: pcib.c Log message: include isadma.h not isa.h missed in rev 1.5 when #if NISA became #if NISADMA not a problem in practice as isavar.h includes isadma.h ok miod@ deraadt@ millert@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: j...@cvs.openbsd.org 2023/01/17 16:12:37 Modified files: sys/arch/i386/i386: hibernate_machdep.c Log message: test NSDMMC not SDMMC ok miod@ deraadt@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: dera...@cvs.openbsd.org 2023/01/17 12:51:37 Modified files: distrib/sets/lists/man: mi Log message: sync
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: kette...@cvs.openbsd.org 2023/01/17 12:29:09 Modified files: sys/arch/amd64/include: pmap.h Log message: Simplify and clarify the implementation of the pmap_page_protect(9) API. This function is only ever called with PROT_NONE or PROT_READ where PROT_NONE removes the mapping from the page tables and PROT_READ takes away write permission. Add a KASSERT to make sure no other values are passed. This KASSERT should be optimized away by any decent compiler. ok deraadt@, mpi@, guenther@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: mill...@cvs.openbsd.org 2023/01/17 11:52:44 Modified files: usr.bin/ssh: ssh.c Log message: For "ssh -V" always exit 0, there is no need to check opt again. This was missed when the fallthrough in the switch case above it was removed. OK deraadt@
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: bl...@cvs.openbsd.org 2023/01/17 09:33:29 Modified files: . : errata71.html errata72.html Log message: Release libxpm errata.
CVS: cvs.openbsd.org: xenocara
CVSROOT:/cvs Module name:xenocara Changes by: bl...@cvs.openbsd.org 2023/01/17 09:31:48 Modified files: lib/libXpm : Tag: OPENBSD_7_1 Makefile.in config.h.in configure configure.ac lib/libXpm/cxpm: Tag: OPENBSD_7_1 Makefile.in lib/libXpm/doc : Tag: OPENBSD_7_1 Makefile.in lib/libXpm/include: Tag: OPENBSD_7_1 Makefile.in lib/libXpm/man : Tag: OPENBSD_7_1 Makefile.in lib/libXpm/src : Tag: OPENBSD_7_1 Makefile.in RdFToI.c WrFFrI.c create.c data.c parse.c lib/libXpm/sxpm: Tag: OPENBSD_7_1 Makefile.in Log message: Fix several issues in libXpm : CVE-2022-46285: Infinite loop on unclosed comments CVE-2022-44617: Runaway loop on width of 0 and enormous height CVE-2022-4883: compression commands depend on $PATH from matthieu@ this is errata/7.1/019_libxpm.patch.sig
CVS: cvs.openbsd.org: xenocara
CVSROOT:/cvs Module name:xenocara Changes by: bl...@cvs.openbsd.org 2023/01/17 09:31:20 Modified files: lib/libXpm : Tag: OPENBSD_7_2 Makefile.in config.h.in configure configure.ac lib/libXpm/cxpm: Tag: OPENBSD_7_2 Makefile.in lib/libXpm/doc : Tag: OPENBSD_7_2 Makefile.in lib/libXpm/include: Tag: OPENBSD_7_2 Makefile.in lib/libXpm/man : Tag: OPENBSD_7_2 Makefile.in lib/libXpm/src : Tag: OPENBSD_7_2 Makefile.in RdFToI.c WrFFrI.c create.c data.c parse.c lib/libXpm/sxpm: Tag: OPENBSD_7_2 Makefile.in Log message: Fix several issues in libXpm : CVE-2022-46285: Infinite loop on unclosed comments CVE-2022-44617: Runaway loop on width of 0 and enormous height CVE-2022-4883: compression commands depend on $PATH from matthieu@ this is errata/7.2/014_libxpm.patch.sig
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: k...@cvs.openbsd.org 2023/01/17 09:22:56 Modified files: distrib/miniroot: install.sub Log message: Add debug FUNCS_ONLY knob
Hacking on the installer while running it is a lot easier when you can inspect or run functions directly without paging the whole script or poking around in it with ed. install.sub is already structured so that all functions come first, then MD code, then actual commands. Copy FUNCS_ONLY from rc.subr(8) so you can drop out any time and hack around more conveniently:
    Available disks are: sd0 sd1.
    Which disk is the root disk? ('?' for details) [sd0] !
    Type 'exit' to return to install.
    test# FUNCS_ONLY=1 . /install.sub
    test# typeset -f get_dkdevs
    get_dkdevs() {
        echo $(scan_disknames "${MDDKDEVS:-/^[sw]d[0-9][0-9]* /s/ .*//p}")
    }
    test# get_dkdevs
    sd0 sd1
    test#
This requires the sourcing shell to be ksh(1) or sh(1) with 'strict Bourne shell mode' disabled. '!' is ksh now, but the initial (S)hell answer still lands in a strict (default) sh(1) -- that can/should be fixed separately. OK deraadt
CVS: cvs.openbsd.org: xenocara
CVSROOT:/cvs Module name:xenocara Changes by: matth...@cvs.openbsd.org 2023/01/17 09:21:24 Modified files: lib/libXpm : Makefile.in config.h.in configure configure.ac lib/libXpm/cxpm: Makefile.in lib/libXpm/doc : Makefile.in lib/libXpm/include: Makefile.in lib/libXpm/man : Makefile.in lib/libXpm/src : Makefile.in RdFToI.c WrFFrI.c create.c data.c parse.c lib/libXpm/sxpm: Makefile.in Log message: Fix several issues in libXpm : CVE-2022-46285: Infinite loop on unclosed comments CVE-2022-44617: Runaway loop on width of 0 and enormous height CVE-2022-4883: compression commands depend on $PATH
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org 2023/01/17 09:20:28 Modified files: bin/pax: options.c Log message: pax: Switch a function definition from K&R to ANSI.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: k...@cvs.openbsd.org 2023/01/17 09:14:23 Modified files: distrib/miniroot: install.sub Log message: Skip all interface config questions when there are none
Even without any interfaces the installer still asks for one and only continues when the only possible answer 'done' is provided. That means one mandatory but useless answer during installations like
    # vmctl start -c -d ./install72.img -d ./disk.img test
    ...
    System hostname? (short form, e.g. 'foo') test
    Available network interfaces are: .
    Network interface to configure? (name, lladdr, '?', or 'done')
    A response is required.
    Network interface to configure? (name, lladdr, '?', or 'done') ?
    Available network interfaces are: .
    Network interface to configure? (name, lladdr, '?', or 'done') done
    DNS domain name? (e.g. 'example.com') [my.domain]
    ...
Skip it when there is no viable answer:
    # vmctl start -c -d ./install72.img -d ./disk.img test
    ...
    System hostname? (short form, e.g. 'foo') test
    DNS domain name? (e.g. 'example.com') [my.domain]
    ...
OK deraadt
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: clau...@cvs.openbsd.org 2023/01/17 09:11:52 Modified files: regress/usr.sbin/bgpd/unittests: rde_aspa_test.c Log message: Add a dummy stub for getmonotime(). Reminded by tb@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: clau...@cvs.openbsd.org 2023/01/17 09:09:34 Modified files: usr.sbin/bgpctl: bgpctl.c output.c output_json.c Log message: Teach bgpctl about ASPA tables. OK tb@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: clau...@cvs.openbsd.org 2023/01/17 09:09:01 Modified files: usr.sbin/bgpd : bgpd.h rde.c rde.h rde_aspa.c rtr.c Log message: Add the needed logic to load the ASPA table from the rtr process into the RDE. The actual reload logic is missing to keep the diff small. OK tb@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: m...@cvs.openbsd.org 2023/01/17 08:04:27 Modified files: lib/libcrypto : ppccap.c sparccpuid.S x86_64cpuid.pl x86cpuid.pl lib/libcrypto/arch/alpha: Makefile.inc lib/libcrypto/arch/arm: armv4cpuid.S lib/libcrypto/arch/hppa: Makefile.inc lib/libcrypto/arch/powerpc: Makefile.inc lib/libcrypto/arch/powerpc64: Makefile.inc Removed files: lib/libcrypto : alphacpuid.pl pariscid.pl ppccpuid.pl Log message: Remove non-visible and unused OPENSSL_wipe_cpu and OPENSSL_atomic_add interfaces, and remove empty assembly OPENSSL_cpuid_setup routines - the default empty C fallback will work as good. ok jsing@
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: es...@cvs.openbsd.org 2023/01/17 07:00:33 Modified files: . : events.html Added files: papers : lre2023-espie-mitigation.pdf Log message: I gave a talk (in French) about mitigation techniques deployed in OpenBSD at my school.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: k...@cvs.openbsd.org 2023/01/17 06:03:22 Modified files: usr.bin/make : main.c make.1 Log message: Arguments may contain more than one variable assignment `make FOO=1 BAR=2 ...' works as expected and lots of things wouldn't work if make only accepted a single assignment, as currently documented. Fix SYNOPSIS and usage to match reality and POSIX spec (thanks jmc). OK jmc
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: n...@cvs.openbsd.org 2023/01/17 03:40:51 Modified files: usr.bin/tmux : cmd-list-keys.c Log message: Support -1 without -N for list-keys.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org 2023/01/17 03:15:10 Modified files: regress/usr.bin/ssh: connection-timeout.sh Log message: also check that an active session inhibits UnusedConnectionTimeout idea markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: j...@cvs.openbsd.org 2023/01/17 03:10:11 Modified files: share/man/man4/man4.i386: Makefile share/man/man4 : gpio.4 pci.4 share/man/man9 : tc_init.9 sys/arch/i386/conf: GENERIC files.i386 Removed files: share/man/man4/man4.i386: elansc.4 sys/arch/i386/pci: elan520.c elan520reg.h Log message: remove elansc(4) driver for AMD Elan SC520 System Controller AMD Elan SC520 has a Am5x86, 486-class processor. We require a 586-class processor. feedback from jmc@ ok miod@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org 2023/01/17 03:02:34 Modified files: regress/usr.bin/ssh: Makefile Added files: regress/usr.bin/ssh: connection-timeout.sh Log message: regression test for UnusedConnectionTimeout
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: d...@cvs.openbsd.org 2023/01/17 02:44:48 Modified files: usr.bin/ssh: servconf.c servconf.h serverloop.c sshd_config.5 Log message: Add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for some length of time. This complements the recently-added ChannelTimeout option that terminates inactive channels after a timeout. ok markus@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: kette...@cvs.openbsd.org 2023/01/17 01:03:51 Modified files: sys/arch/amd64/amd64: trap.c Log message: On amd64 machines without the NX feature enabled, we can't distinguish between page faults as a result of instruction fetches or normal data access. Handle this in the same way as we do on landisk: if handling the fault with access type PROT_READ fails, retry with PROT_EXEC. Fortunately we know whether NX is enabled or not so only do this when it isn't. Nobody should be running an amd64 machine without NX! ok deraadt@, miod@