openbsd
2 years agoAdd a security check to ssl_set_cert()
tb [Wed, 29 Jun 2022 21:16:30 +0000 (21:16 +0000)]
Add a security check to ssl_set_cert()

ok beck jsing

2 years agoMake ssl_set_{cert,pkey} take an ssl/ctx
tb [Wed, 29 Jun 2022 21:13:34 +0000 (21:13 +0000)]
Make ssl_set_{cert,pkey} take an ssl/ctx

ok beck jsing

2 years agoRefactor use_certificate_chain_* to take ssl/ctx instead of a cert
tb [Wed, 29 Jun 2022 21:12:19 +0000 (21:12 +0000)]
Refactor use_certificate_chain_* to take ssl/ctx instead of a cert

ok beck jsing

2 years agoAdd functions that check security level in certs and cert chains.
tb [Wed, 29 Jun 2022 21:10:20 +0000 (21:10 +0000)]
Add functions that check security level in certs and cert chains.

ok beck jsing

2 years agoMake sure the verifier checks the security level in cert chains
tb [Wed, 29 Jun 2022 21:08:07 +0000 (21:08 +0000)]
Make sure the verifier checks the security level in cert chains

ok beck jsing

2 years agoRemove a confusing comment
tb [Wed, 29 Jun 2022 20:06:55 +0000 (20:06 +0000)]
Remove a confusing comment

discussed with jsing

2 years agoParse the @SECLEVEL=n annotation in cipher strings
tb [Wed, 29 Jun 2022 20:04:28 +0000 (20:04 +0000)]
Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing

2 years agoManual page improvements from Leon Fischer
job [Wed, 29 Jun 2022 18:57:30 +0000 (18:57 +0000)]
Manual page improvements from Leon Fischer

yep jmc@

2 years agovmd(8): fix off by one in vm memory range check
dv [Wed, 29 Jun 2022 17:39:54 +0000 (17:39 +0000)]
vmd(8): fix off by one in vm memory range check

When inspecting if a gpa falls into a known memory range, vmd was
considering it valid 1 byte past the end resulting in selecting the
wrong starting range for the search.

ok mlarkin@

2 years agoAdd support for sending QUIC transport parameters
beck [Wed, 29 Jun 2022 17:39:20 +0000 (17:39 +0000)]
Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@

2 years agosync
job [Wed, 29 Jun 2022 17:35:44 +0000 (17:35 +0000)]
sync

2 years agoClarify the shorter default format string only applies to -i and -s
job [Wed, 29 Jun 2022 16:06:22 +0000 (16:06 +0000)]
Clarify the shorter default format string only applies to -i and -s

2 years agoRemove switch(4) remains.
mvs [Wed, 29 Jun 2022 16:04:49 +0000 (16:04 +0000)]
Remove switch(4) remains.

ok claudio@ mpi@

2 years agoAdd -m option to ts(1)
job [Wed, 29 Jun 2022 16:01:10 +0000 (16:01 +0000)]
Add -m option to ts(1)

OK claudio@

2 years agoUse relative paths so beck can run regress in his git tree and have
tb [Wed, 29 Jun 2022 15:06:18 +0000 (15:06 +0000)]
Use relative paths so beck can run regress in his git tree and have
the correct ssl_local.h etc be picked up.

2 years agoremove archaic comment from original import of i386 pmap
dv [Wed, 29 Jun 2022 14:24:29 +0000 (14:24 +0000)]
remove archaic comment from original import of i386 pmap

This comment hasn't been relevant for at least 11 years as there's
no such lock. NetBSD removed the comment 11 years ago. No functional
change.

Discussed with mlarkin@

2 years agoRegen syscalls files as they were meant to be, correcting the "created from:" info
jca [Wed, 29 Jun 2022 13:07:19 +0000 (13:07 +0000)]
Regen syscalls files as they were meant to be, correcting the "created from:" info

Cluebat from miod@

2 years agoUnlock the pledge(2) system call
jca [Wed, 29 Jun 2022 12:17:31 +0000 (12:17 +0000)]
Unlock the pledge(2) system call

Protect the ps_pledge/ps_execpledge fields with ps_mtx.  Shuffle the
code to call unveil_destroy() outside the critical section.  Only writes
to those fields are protected.  Since we may only remove bits from those
fields, garbage values should do no harm even when a read crosses
a write on 32 bits systems.

Input claudio@ kettenis@ deraadt@, ok deraadt@

2 years agoSimplify the locking dance around pledge_syscall()
jca [Wed, 29 Jun 2022 12:06:11 +0000 (12:06 +0000)]
Simplify the locking dance around pledge_syscall()

It doesn't make sense to wrap this function with the kernel lock only
when the syscall to be executed is itself locked.  Instead
pledge_syscall() should be always safe to execute without the kernel
lock.

"looks good" kettenis@, ok deraadt@

2 years agowhitespace nit
tb [Wed, 29 Jun 2022 12:03:38 +0000 (12:03 +0000)]
whitespace nit

2 years agoUse READ_ONCE() when saving pr->ps_pledge to a local variable
jca [Wed, 29 Jun 2022 12:01:22 +0000 (12:01 +0000)]
Use READ_ONCE() when saving pr->ps_pledge to a local variable

This prevents the compiler from reloading a possibly different value
from memory.  Even if it doesn't matter in this code it's just better
practice.  Discussed with kettenis@ and deraadt@, ok deraadt@

2 years agomissing blank line
tb [Wed, 29 Jun 2022 11:59:23 +0000 (11:59 +0000)]
missing blank line

2 years agoPass down the pointer to mbuf pointer into ip6_hbhchcheck(). This
bluhm [Wed, 29 Jun 2022 11:22:10 +0000 (11:22 +0000)]
Pass down the pointer to mbuf pointer into ip6_hbhchcheck().  This
allows to set the mbuf to NULL and keep it consistent in the caller,
instead of having dangling pointer after free.
OK sashan@

2 years agoMove the deep check back into the loop. There are ways that even though
claudio [Wed, 29 Jun 2022 10:48:22 +0000 (10:48 +0000)]
Move the deep check back into the loop. There are ways that even though
we're deep the code will SSTOP and sleep and then on wakeup we need to
recheck the deep conditions.
Issue analyzed and OK by mpi@

Reported-by: syzbot+f7634539e73108238c2a@syzkaller.appspotmail.com
2 years agodrm/i915: Implement w/a 22010492432 for adl-s
jsg [Wed, 29 Jun 2022 10:04:22 +0000 (10:04 +0000)]
drm/i915: Implement w/a 22010492432 for adl-s

From Ville Syrjala
0895a2235bae6671077c2de94268cccc346005d6 in linux 5.15.y/5.15.51
13bd259b64bb58ae130923ada42ebc19bf3f2fa2 in mainline linux

2 years agocorrect vararg use in kasprintf/kvasprintf
jsg [Wed, 29 Jun 2022 09:52:23 +0000 (09:52 +0000)]
correct vararg use in kasprintf/kvasprintf
fixes names of some encoders

2 years agosync
sthen [Wed, 29 Jun 2022 09:33:18 +0000 (09:33 +0000)]
sync

2 years agoUse strncasecmp instead of strncmp when comparing the password scheme.
martijn [Wed, 29 Jun 2022 09:10:13 +0000 (09:10 +0000)]
Use strncasecmp instead of strncmp when comparing the password scheme.
This change could theoretically affect some people who actually have one
of the scheme's in lower case in their password, but this is extremely
unlikely in the real world.

Pointed out by David Diggles (david <at> elven <dot> com <dot> au)
OK sthen@

2 years agoether_input() called with shared netlock, but pppoe(4) wants it to be
mvs [Wed, 29 Jun 2022 09:08:07 +0000 (09:08 +0000)]
ether_input() called with shared netlock, but pppoe(4) wants it to be
exclusive. Do the pppoe(4) input within netisr handler with exclusive
netlok held and remove kernel lock hack from ether_input().

This is the step back, but it makes ether_input() path better then it
is now.

Tested by Hrvoje Popovski.

ok bluhm@ claudio@

2 years agoNullify `ipsecflowinfo' when mbuf(9) has no ipsec flowinfo data.
mvs [Wed, 29 Jun 2022 09:01:48 +0000 (09:01 +0000)]
Nullify `ipsecflowinfo' when mbuf(9) has no ipsec flowinfo data.
Otherwise we use `ipsecflowinfo' obtained from previous packet.

ok claudio@

2 years agoRefactor asn1 time parsing to use CBS - enforce valid times in ASN.1 parsing.
beck [Wed, 29 Jun 2022 08:56:44 +0000 (08:56 +0000)]
Refactor asn1 time parsing to use CBS - enforce valid times in ASN.1 parsing.

While we're here enforce valid days for months and leap years.

Inspired by same in boringssl.

ok jsing@

2 years agoImport ts(1) - a timestamp utility
job [Wed, 29 Jun 2022 08:39:49 +0000 (08:39 +0000)]
Import ts(1) - a timestamp utility

A from scratch & pledged implementation of the perl 'ts' utility found
in the moreutils collection.

With help from florian@, tb@, and deraadt@

OK deraadt@

2 years agoAlso check the security level in SSL_get1_supported_ciphers
tb [Wed, 29 Jun 2022 08:39:08 +0000 (08:39 +0000)]
Also check the security level in SSL_get1_supported_ciphers

ok beck jsing

2 years agoCheck security level when convertin a cipher list to bytes
tb [Wed, 29 Jun 2022 08:38:01 +0000 (08:38 +0000)]
Check security level when convertin a cipher list to bytes

ok beck jsing

2 years agoAlso check the security level when choosing a shared cipher
tb [Wed, 29 Jun 2022 08:37:18 +0000 (08:37 +0000)]
Also check the security level when choosing a shared cipher

ok beck jsing

2 years agoThere's tentacles, tentacles everywhere
tb [Wed, 29 Jun 2022 08:34:04 +0000 (08:34 +0000)]
There's tentacles, tentacles everywhere

ok beck jsing

2 years agoAlso check the security level of the 'tmp dh'
tb [Wed, 29 Jun 2022 08:30:04 +0000 (08:30 +0000)]
Also check the security level of the 'tmp dh'

ok beck jsing

2 years agoCheck the security of DH key shares
tb [Wed, 29 Jun 2022 08:27:51 +0000 (08:27 +0000)]
Check the security of DH key shares

ok beck, looks good to jsing

2 years agoRename one s to ssl for consistency
tb [Wed, 29 Jun 2022 07:59:14 +0000 (07:59 +0000)]
Rename one s to ssl for consistency

2 years agoCheck sigalg security level when selecting them.
tb [Wed, 29 Jun 2022 07:55:59 +0000 (07:55 +0000)]
Check sigalg security level when selecting them.

ok beck jsing

2 years agoCheck the security bits of the sigalgs' pkey
tb [Wed, 29 Jun 2022 07:54:54 +0000 (07:54 +0000)]
Check the security bits of the sigalgs' pkey

ok beck jsing

2 years agoCheck the security level when building sigalgs
tb [Wed, 29 Jun 2022 07:53:58 +0000 (07:53 +0000)]
Check the security level when building sigalgs

ok beck jsing

2 years agoAnnotate sigalgs with their security level.
tb [Wed, 29 Jun 2022 07:53:00 +0000 (07:53 +0000)]
Annotate sigalgs with their security level.

ok beck jsing

2 years agoAdd support for using non-standard UARTs (such as the Synopsys DesignWare
kettenis [Wed, 29 Jun 2022 07:51:54 +0000 (07:51 +0000)]
Add support for using non-standard UARTs (such as the Synopsys DesignWare
UART found on AMD's Ryzen Embedded V1000 family) as an early console.
This requires additional parameters to be passed by the bootloader to the
kernel so it changes the struct for the BOOTARG_CONSDEV boot argument.
The old struct will still be supported until OpenBSD 7.3 has been released
such that new kernels boot with the old bootloader.

ok anton@, deraadt@

2 years agoMake bus_space_map(9) work before the pmap is initialized for addresses
kettenis [Wed, 29 Jun 2022 07:44:10 +0000 (07:44 +0000)]
Make bus_space_map(9) work before the pmap is initialized for addresses
below 4G by using the direct map.

ok anton@, deraadt@

2 years agocope with rtentry refcnt changes
anton [Wed, 29 Jun 2022 04:49:51 +0000 (04:49 +0000)]
cope with rtentry refcnt changes

2 years agomatch on Alder Lake-P
jsg [Wed, 29 Jun 2022 01:05:18 +0000 (01:05 +0000)]
match on Alder Lake-P
ok deraadt@ kettenis@

2 years agoconstify miscellaneous arm64 pin and clock tables
naddy [Tue, 28 Jun 2022 23:43:12 +0000 (23:43 +0000)]
constify miscellaneous arm64 pin and clock tables

ok miod@

2 years agoAdd prototypes for ssl{_ctx,}_security()
tb [Tue, 28 Jun 2022 21:14:32 +0000 (21:14 +0000)]
Add prototypes for ssl{_ctx,}_security()

ok beck jsing sthen

2 years agoAdd support for the Synopsys DesignWare UART found on the Ryzen Embedded
kettenis [Tue, 28 Jun 2022 21:02:14 +0000 (21:02 +0000)]
Add support for the Synopsys DesignWare UART found on the Ryzen Embedded
V1000 SoCs.

ok anton@

2 years agoAdd error code defins
tb [Tue, 28 Jun 2022 20:57:33 +0000 (20:57 +0000)]
Add error code defins

ok beck jsing sthen

2 years agoAdd a period to a comment
tb [Tue, 28 Jun 2022 20:54:16 +0000 (20:54 +0000)]
Add a period to a comment

Pointed out by jsing

2 years agoSecurity level >= 3 requires a ciphersuite with PFS
tb [Tue, 28 Jun 2022 20:53:32 +0000 (20:53 +0000)]
Security level >= 3 requires a ciphersuite with PFS

ok beck jsing sthen

2 years agoAdd a secop handler for tmp_dh
tb [Tue, 28 Jun 2022 20:49:16 +0000 (20:49 +0000)]
Add a secop handler for tmp_dh

This disallows DHE keys weaker than 1024 bits at level 0 to match
OpenSSL behavior.

ok beck jsing sthen

2 years agoAdd security level related error codes.
tb [Tue, 28 Jun 2022 20:46:45 +0000 (20:46 +0000)]
Add security level related error codes.

ok beck jsing sthen

2 years agoSort error strings
tb [Tue, 28 Jun 2022 20:46:05 +0000 (20:46 +0000)]
Sort error strings

ok beck jsing sthen

2 years agoImplement ssl{,_ctx}_security()
tb [Tue, 28 Jun 2022 20:44:49 +0000 (20:44 +0000)]
Implement ssl{,_ctx}_security()

ok beck jsing sthen

2 years agoCopy the security level stuff in ssl_cert_dup()
tb [Tue, 28 Jun 2022 20:43:21 +0000 (20:43 +0000)]
Copy the security level stuff in ssl_cert_dup()

ok beck jsing sthen

2 years agoSet up the default callback in SSL_CERT
tb [Tue, 28 Jun 2022 20:42:22 +0000 (20:42 +0000)]
Set up the default callback in SSL_CERT

ok beck jsing sthen

2 years agoImplement the default security level callback
tb [Tue, 28 Jun 2022 20:40:24 +0000 (20:40 +0000)]
Implement the default security level callback

And here is where the fun starts. The tentacles will grow everywhere.

ok beck jsing sthen

2 years agoProvide OPENSSL_TLS_SECURITY_LEVEL define
tb [Tue, 28 Jun 2022 20:36:55 +0000 (20:36 +0000)]
Provide OPENSSL_TLS_SECURITY_LEVEL define

ok beck jsing sthen

2 years agoImplement SSL_{CTX_}_{g,s}et_security_level(3)
tb [Tue, 28 Jun 2022 20:34:17 +0000 (20:34 +0000)]
Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen

2 years agoAdd security callback, level and ex_data fields to SSL_CERT
tb [Tue, 28 Jun 2022 20:31:43 +0000 (20:31 +0000)]
Add security callback, level and ex_data fields to SSL_CERT

ok beck jsing sthen

2 years agoAdd #defines and prototypes for security level API
tb [Tue, 28 Jun 2022 20:29:27 +0000 (20:29 +0000)]
Add #defines and prototypes for security level API

This marks the start of one of the worst API additions in the history of
this library. And as everybody knows the bar is high. Very high.

ok beck jsing sthen

2 years agoAdd missing colon. Noticed by jmc@
claudio [Tue, 28 Jun 2022 20:13:03 +0000 (20:13 +0000)]
Add missing colon. Noticed by jmc@

2 years agoOn the x13s, using the EfiLoaderData memory type for the memory block
kettenis [Tue, 28 Jun 2022 19:55:22 +0000 (19:55 +0000)]
On the x13s, using the EfiLoaderData memory type for the memory block
that we load the kernel into doesn't work.  But changing it to EfiLoaderCode
makes it work.  Presumably the firmware creates a mapping with executable
permissions in that case, which is obviously needed for executing kernel
code.

ok patrick@, mlarkin@

2 years agoThe x13s uses Memory32Fixed() to describe the windows forwarded by the
kettenis [Tue, 28 Jun 2022 19:50:40 +0000 (19:50 +0000)]
The x13s uses Memory32Fixed() to describe the windows forwarded by the
host bridges.  Add support for this.

ok mlarkin@, patrick@

2 years agoNegate unsigned then cast to signed.
jsing [Tue, 28 Jun 2022 19:44:28 +0000 (19:44 +0000)]
Negate unsigned then cast to signed.

Avoid undefined behaviour by negating the unsigned value, before casting
to int64_t, rather than casting to int64_t then negating.

Fixes oss-fuzz #48499

ok tb@

2 years agoMake sure uvm_swap_get() always sleep and do not return and error.
mpi [Tue, 28 Jun 2022 19:39:54 +0000 (19:39 +0000)]
Make sure uvm_swap_get() always sleep and do not return and error.

If no memory was immediately available to decrypt (bounce) a page from swap
an error was returned to the fault handler which would result in processes
dying when a lot of memory pressure was applied to a system.

Note that reading from swap is always done synchronously.

ok beck@, kettenis@

2 years agoConsider pmemrange regions when trying to free pages from the inactive list.
mpi [Tue, 28 Jun 2022 19:31:30 +0000 (19:31 +0000)]
Consider pmemrange regions when trying to free pages from the inactive list.

Instead of starting with the first page on the inactive list pick the first
one that fits in the range of a given pmemrange region.

Fix an issue where the page daemon would be hogging a CPU without freeing any
page because the global limits are satisfied.

The algorithm could certainly be revisited, the LRU is not really working and
there is a huge delay before recovering when the first pages need to be swapped and the system is in OOM situation but at least there is no starvation and the
system now recovers.

ok beck@, kettenis@

2 years agoUse new & shiny define for the maximum number of pages of a swap cluster.
mpi [Tue, 28 Jun 2022 19:23:08 +0000 (19:23 +0000)]
Use new & shiny define for the maximum number of pages of a swap cluster.

ok beck@, kettenis@

2 years agoPre-allocate pages in DMA-reachable region to ensure progress in the swapper.
mpi [Tue, 28 Jun 2022 19:19:34 +0000 (19:19 +0000)]
Pre-allocate pages in DMA-reachable region to ensure progress in the swapper.

Currently swap encryption is not done in place and some architectures need to
bounce pages into a DMA-reachable region for I/Os, for that uvm_swap_io() needs
to allocate at most 64K to write a swap cluster to disk.  Pre-allocate such
amount of memory to be sure the page daemon can make progress in OOM situation.

Also introduce a sleeping point to wait for the previous asynchronous I/O
holding the pre-allocated pages, there's no point in building clusters if no
progress can be made.

ok beck@, kettenis@

2 years agoReserve a second segment for the page daemon.
mpi [Tue, 28 Jun 2022 19:07:40 +0000 (19:07 +0000)]
Reserve a second segment for the page daemon.

This ensures uvm_swap_io() can succeeds even in OOM situations because two
uvm_pagermapin() allocations, requiring a segment each, are needed to bounce
or encrypt a swap cluster.

ok beck@, kettenis@

2 years agoHook up bgplgd into the build
claudio [Tue, 28 Jun 2022 18:47:54 +0000 (18:47 +0000)]
Hook up bgplgd into the build

2 years agoHook up bgplgd. Uses _bgplgd user with id 71:71 add a rc.d script and
claudio [Tue, 28 Jun 2022 18:46:00 +0000 (18:46 +0000)]
Hook up bgplgd. Uses _bgplgd user with id 71:71 add a rc.d script and
all the other rc plumbing.
OK deraadt@

2 years agoFix manpage from jmc@ but also fix the privdrop user to _bgplgd
claudio [Tue, 28 Jun 2022 16:56:29 +0000 (16:56 +0000)]
Fix manpage from jmc@ but also fix the privdrop user to _bgplgd

2 years agoA com_acpi_softc pointer is used as the interrupt callback cookie which
anton [Tue, 28 Jun 2022 16:29:56 +0000 (16:29 +0000)]
A com_acpi_softc pointer is used as the interrupt callback cookie which
is later on interpreted as a com_softc pointer. This is not a problem in
practice as a com_softc structure is the first member of the
com_acpi_softc structure.

Using the actual types consistently yields a better symmetry in my
opinion between registering the interrupt and the corresponding
interrupt handler.

ok deraadt@ kettenis@

2 years agoNo need to pass a copy of the bcmdmac_channel structure to predicate
anton [Tue, 28 Jun 2022 16:29:03 +0000 (16:29 +0000)]
No need to pass a copy of the bcmdmac_channel structure to predicate
routines.

ok deraadt@ kettenis@

2 years agoRemove commented out variables and excessive blank lines in
anton [Tue, 28 Jun 2022 16:28:08 +0000 (16:28 +0000)]
Remove commented out variables and excessive blank lines in
pluart_param().

2 years agoAdd bgplgd a fastcgi daemon that provide a REST JSON api to bgpctl.
claudio [Tue, 28 Jun 2022 16:11:30 +0000 (16:11 +0000)]
Add bgplgd a fastcgi daemon that provide a REST JSON api to bgpctl.
Most code stolen from slowcgi, it just exec bgpctl with -j.
Put it in tb@ deraadt@

2 years agoDon't call pipex_rele_session() when `session' is NULL.
mvs [Tue, 28 Jun 2022 16:10:43 +0000 (16:10 +0000)]
Don't call pipex_rele_session() when `session' is NULL.

Reported by Hrvoje Popovski. ok bluhm@

2 years agoTake away bogus error assignment before callback call.
beck [Tue, 28 Jun 2022 16:05:42 +0000 (16:05 +0000)]
Take away bogus error assignment before callback call.

Keep the depth which was needed.

This went an error too far, and broke openssl-ruby's callback
and error code sensitivity in it's tests.

With this removed, both my newly committed regress to verify
the same error codes and depths in the callback, and
openssl-ruby's tests pass again.

ok tb@

2 years agoBotan 2.19.2 has removed support for the OpenSSL crypto provider.
bluhm [Tue, 28 Jun 2022 15:46:07 +0000 (15:46 +0000)]
Botan 2.19.2 has removed support for the OpenSSL crypto provider.
It was incompatible with OpenSSL 3.0.  Remove the regression test
to check that LibreSSL crypto works with Botan tests.  This is
better than to keep an outdated Botan in ports.
discussed with tb@ beck@

2 years agoMove debug-only variable 'i' to be with the other debug-only
krw [Tue, 28 Jun 2022 15:35:24 +0000 (15:35 +0000)]
Move debug-only variable 'i' to be with the other debug-only
variables inside the #ifdef DEBUG block using them.

2 years agoAdapt netstat kvm code to ref count change in struct rtentry.
bluhm [Tue, 28 Jun 2022 15:17:23 +0000 (15:17 +0000)]
Adapt netstat kvm code to ref count change in struct rtentry.
found by otto@ the hard way

2 years agoFree ciphers before assigning to them
tb [Tue, 28 Jun 2022 14:51:37 +0000 (14:51 +0000)]
Free ciphers before assigning to them

While this is not a leak currently, it definitely looks like one.
Pointed out by jsing on review of a diff that touched the vicinity
a while ago.

ok jsing

2 years agoRemove unused field d_poll from struct cdevsw.
visa [Tue, 28 Jun 2022 14:43:50 +0000 (14:43 +0000)]
Remove unused field d_poll from struct cdevsw.

OK miod@ mpi@

2 years agofix syncookies in conjunction with tcp fast port reuse.
henning [Tue, 28 Jun 2022 13:48:06 +0000 (13:48 +0000)]
fix syncookies in conjunction with tcp fast port reuse.
This really pointed out that the place syncookies were hooked in was almost,
but not completely right. The way it was the special case for tcp fast port
reuse in pf_test_state wasn't hit, because the first packet
hitting that was the ACK from the peer finishing the 3WHS, and the
reconstructed SYN came after. We're now doing pf_find_state (and *only* that)
first, then syncookies, then going on so that the old state is thrown away
properly and we get a new one with the sequence number modulator set up
correctly
Bonus: -11 lines of code
tracked down (that took a while) + fixed under contract with Hush
Communications Canada; special thanks to Lyndon
ok sashan

2 years agounbreak build; found the hard way by stsp
florian [Tue, 28 Jun 2022 13:35:42 +0000 (13:35 +0000)]
unbreak build; found the hard way by stsp

2 years agosync
deraadt [Tue, 28 Jun 2022 13:06:21 +0000 (13:06 +0000)]
sync

2 years agoa start at qualcomm products
deraadt [Tue, 28 Jun 2022 13:05:42 +0000 (13:05 +0000)]
a start at qualcomm products

2 years agorewrite amd64 printing of cache details
jsg [Tue, 28 Jun 2022 12:11:41 +0000 (12:11 +0000)]
rewrite amd64 printing of cache details

Previously we looked at cpuid 0x80000005 for L1/TLB details
which Intel documents as reserved.
And cpuid 0x80000006 for L2 details.

Intel also encode cache details in cpuid 4.
AMD have mostly the same encoding with cpuid 0x8000001d
0x80000005/0x80000006 is used as a fallback.

Prompted by Intel Tiger Lake and Alder Lake machines
returning an associativity value of 7 from cpuid 0x80000006.
The previous code would print "disabled L2 cache", 7 is
documented by Intel as "See CPUID leaf 04H, sub-leaf 2".

tested by Hrvoje Popovski on EPYC 7413, and myself on various machines
ok mlarkin@

2 years agoMove the guts of uvm_aio_aiodone() into a separate function.
mpi [Tue, 28 Jun 2022 12:10:37 +0000 (12:10 +0000)]
Move the guts of uvm_aio_aiodone() into a separate function.

This will help dealing with error cases.

No functionnal changes.

2 years agoDon't ask the vlan question unless another network interface exists. ok deraadt
sthen [Tue, 28 Jun 2022 12:10:08 +0000 (12:10 +0000)]
Don't ask the vlan question unless another network interface exists. ok deraadt

Avoids a confusing question when no supported network devices is found, i.e.

"Available network interfaces are: vlan0.
Which network interface do you wish to configure? (or 'done') [vlan0]"

2 years agoCleanup the sleep loop in single_thread_check_locked(). The deep checks
claudio [Tue, 28 Jun 2022 12:08:17 +0000 (12:08 +0000)]
Cleanup the sleep loop in single_thread_check_locked(). The deep checks
only matter on entry and the pr->ps_single check is done in the while body.
With and OK mpi@

2 years agoTry to document 'announce policy' and add RFC 9234 to the list in bgpd.8
claudio [Tue, 28 Jun 2022 11:52:24 +0000 (11:52 +0000)]
Try to document 'announce policy' and add RFC 9234 to the list in bgpd.8
How RFC 9234 support will work in the long run may still change but
for now at least tell people how to use it.

2 years agoThe default state of enhanced refresh is no. So flip logic.
claudio [Tue, 28 Jun 2022 11:46:05 +0000 (11:46 +0000)]
The default state of enhanced refresh is no. So flip logic.
Fixes config regress. Found by anton@, discussed with tb@

2 years agoCheck for entries in the suberror names arrays that are NULL. Handle them
claudio [Tue, 28 Jun 2022 11:42:41 +0000 (11:42 +0000)]
Check for entries in the suberror names arrays that are NULL. Handle them
like other unknown ones. Also KNF the code a bit.
Was OK tb@ some time ago

2 years agoDo not clean PG_BUSY before calling uvm_anon_release().
mpi [Tue, 28 Jun 2022 10:45:55 +0000 (10:45 +0000)]
Do not clean PG_BUSY before calling uvm_anon_release().

Fix an assertion reported by gkoehler@.

ok kettenis@

2 years agoDo not consider adjacent pages when doing a CoW.
mpi [Tue, 28 Jun 2022 10:38:55 +0000 (10:38 +0000)]
Do not consider adjacent pages when doing a CoW.

Those pages should already be entered, this speeds up CoW faults.

Stolen from NetBSD.

ok miod@, kettenis@