Age | Commit message | Author

2019-03-02 | Do not open a subsection for each and every macro. | Ingo Schwarze
    Instead, use a tagged list and the canonical .Ic macro as it is natural for such purposes. While here, also delete heaps of needless escaping.

2019-03-02 | On upgrade, only clean up the library relinking kits when we know | Theo Buehler
    that a new one will be installed (i.e., base*.tgz was selected). 'makes sense' deraadt

2019-03-02 | Fix OID for sm3WithRSAEncryption which was apparently mixed up | Theo Buehler
    with the OID for SM2 signing with SM3. From Daniel Wyatt

2019-03-02 | Represent multiple subsequent .IP blocks having a consistent | Ingo Schwarze
    head argument of *, \-, or \(bu as <ul> rather than as <dl>, using a bit of heuristics. Basic idea suggested by Dagfinn Ilmari Mannsaker <ilmari at github> in https://github.com/Debian/debiman/issues/67 and independently by <Pali dot Rohar at gmail dot com> on <discuss at mandoc dot bsd dot lv>.

2019-03-02 | Unfortunately we cannot use unveil in the main process since this | Florian Obser
    breaks config reload. We cannot simply unveil the config file since it might appear after startup and the config file syntax allows including other files. This is a problem with all the other parse.y based privsep'ed daemons as well. pledge("rpath") has to be enough for now.

2019-03-02 | Bump VMM_MAX_NAME_LEN to 64 to allow for longer vm names. | Antoine Jacoutot
    ok mlarkin@

2019-03-02 | Limit the number of allowed stacked wsmux devices. A sufficiently long chain | anton
    of such devices can exhaust the kernel stack due to wsmux_do_open() being recursive. While here, serialize the operation of stacking a wsmux device. Joint effort with and ok visa@

2019-03-02 | Introduce the IMSG_DATA_SIZE() macro to replace recurring math on | pamela
    imsg.hdr.len to shorten and simplify code. correction and OK florian@

2019-03-02 | Introduce the IMSG_DATA_SIZE() macro to replace recurring math on | pamela
    imsg.hdr.len to shorten and simplify code. OK florian@
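The two IMSG_DATA_SIZE() commits above are about one recurring pattern in OpenBSD's privsep daemons: a parent or child process receives an imsg from its peer and must check that the payload length matches the struct it is about to copy into before trusting a single byte of it. The following is an added example, not code from the OpenBSD tree. The imsg header and struct layouts are reconstructed here so the file builds stand-alone, and `struct vm_name` and the `recv_vm_name()` / `demo_*` helpers are hypothetical names chosen for the example.

```c
/*
 * Added example (not OpenBSD's own code): a minimal reconstruction of the
 * imsg header and the IMSG_DATA_SIZE() macro, used to validate the payload
 * length of a privsep message before copying it into a fixed-size struct.
 * The struct layouts mirror what <imsg.h> declares but are assumptions
 * made here so the example is self-contained.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct imsg_hdr {
	uint32_t	type;
	uint16_t	len;		/* header + payload, in bytes */
	uint16_t	flags;
	uint32_t	peerid;
	uint32_t	pid;
};

struct imsg {
	struct imsg_hdr	hdr;
	int		fd;
	void		*data;		/* payload, hdr.len - header bytes long */
};

#define IMSG_HEADER_SIZE	sizeof(struct imsg_hdr)
/* The macro the commits introduce: payload length without the header. */
#define IMSG_DATA_SIZE(imsg)	((imsg).hdr.len - IMSG_HEADER_SIZE)

/* Hypothetical payload type for this example. */
struct vm_name {
	char	name[64];
};

/*
 * Copy the payload into *out only if it is exactly one struct vm_name.
 * Returns 0 on success, -1 on a short or oversized payload; a real daemon
 * would treat -1 as a fatal protocol error from its peer process.
 */
int
recv_vm_name(const struct imsg *imsg, struct vm_name *out)
{
	/* Guard the unsigned subtraction inside IMSG_DATA_SIZE(). */
	if (imsg->hdr.len < IMSG_HEADER_SIZE)
		return -1;
	if (IMSG_DATA_SIZE(*imsg) != sizeof(*out))
		return -1;
	memcpy(out, imsg->data, sizeof(*out));
	/* Never rely on the peer to NUL-terminate a string field. */
	out->name[sizeof(out->name) - 1] = '\0';
	return 0;
}

/* Builds an imsg around a payload, as imsg_read() would after recvmsg(). */
static struct imsg
make_imsg(void *payload, size_t paylen)
{
	struct imsg m;

	memset(&m, 0, sizeof(m));
	m.hdr.len = (uint16_t)(IMSG_HEADER_SIZE + paylen);
	m.data = payload;
	return m;
}

/* Correctly sized payload: returns 0 when the name round-trips. */
int
demo_exact_payload(void)
{
	struct vm_name in, out;
	struct imsg m;

	memset(&in, 0, sizeof(in));
	strcpy(in.name, "vm1");		/* constructed sample payload */
	m = make_imsg(&in, sizeof(in));
	if (recv_vm_name(&m, &out) != 0)
		return -1;
	return strcmp(out.name, "vm1");
}

/* Short payload (8 bytes instead of 64): must be rejected with -1. */
int
demo_short_payload(void)
{
	char junk[8] = "short";		/* constructed, deliberately too small */
	struct vm_name out;
	struct imsg m = make_imsg(junk, sizeof(junk));

	return recv_vm_name(&m, &out);
}

int
main(void)
{
	printf("exact payload: %d (expect 0)\n", demo_exact_payload());
	printf("short payload: %d (expect -1)\n", demo_short_payload());
	return 0;
}
```

The point of the macro is not just brevity: every hand-written `imsg.hdr.len - IMSG_HEADER_SIZE` is a place where the comparison can be written wrong, and a missing or inverted check turns a message from a less privileged process into an out-of-bounds read or write in the more privileged one.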
2019-03-01 | Since ring->index points to the next free slot, once we reach index zero | Patrick Wildt
    we know that the last non-link TRB has been written and we can look at the flags to set the chain bit in the link TRB. Since we will now toggle the cycle bit on the first TRB of a ring, set it on the ring reset. Tested by jcs@, jsg@ and visa@ "commit it" jcs@

2019-03-01 | usage if there are extra arguments. ok kn | Ted Unangst

2019-03-01 | Fix a crash: don't assume that all input files are ELF objects | Jeremie Courreges-Anglas
    ld(1) would try to free uninitialized memory when used with -r -b binary <fontfile> by ports/textproc/mupdf. Perform the same bfd type check as bfd_elf_match_symbols_in_sections(). Fix found the hard way, cheese and wine sponsor: miod. Almost identical fix already present upstream. Also set the freed pointer to NULL, just in case. ok tb@ sthen@

2019-03-01 | de-obfuscate by expanding three useless macros; no functional change; | Ingo Schwarze
    tweak and OK millert@

2019-03-01 | trailing whitespace | Florian Obser

2019-03-01 | Start UTF-8 cleanup of store_char(), in particular getting rid of | Ingo Schwarze
    a call to the flawed function step_char(-1), using the standard function mbtowc(3) instead. Merge in in_ansi_esc_seq(), simplifying the code, and make the related functions is_ansi_end() and is_ascii_char() static because they are used in line.c only. OK nicm@, and no opposition when shown on tech@

2019-03-01 | Fix previous extra arguments commit | kn
    I blatantly missed the argc/argv adjustments after getopt(3), resulting in valid commands like `vmctl create a -s 1G' failing. Noticed by ajacoutot the hard way. OK ajacoutot jca

2019-03-01 | Wrap .Sh/.SH sections and .Ss/.SS subsections in HTML <section> elements | Ingo Schwarze
    as recommended for accessibility by the HTML 5 standard. Triggered by a similar, but slightly different suggestion from Laura Morales <lauretas at mail dot com>.

2019-03-01 | Print usage on extra create, start and stop arguments | kn
    OK mlarkin

2019-03-01 | use a timeout to refill the rx ring when it's empty. | David Gwynne
    em had rxr, but didn't use a timeout because it claimed to generate an RX overflow interrupt when packets fell off slots in the ring. turns out that's a lie on at least one chip, so add the timeout like other drivers. this was hit by mlarkin@, who had nfs and bufs steal all the packets and memory for packets from em, which didn't recover after the memory had been released back to the system.

2019-03-01 | use ifiq_input instead of if_input | David Gwynne
    call if_rxr_livelocked if ifiq_input says to slow down

2019-03-01 | Need to be more careful in kr_net_redist_add() when adding an already | Claudio Jeker
    present network to the list of announcements. Until now this leaked non-dynamic objects on config reload. Noticed and reported by florian@ Looks good benno@

2019-03-01 | Improve handling of HT protection for 'mode 11n' hostap. | Stefan Sperling
    Consider the mere presence of HTCAP IEs as indicator of 11n support, rather than checking advertised Rx MCS. Fixes some devices being misclassified as 11a/g, causing HT protection to be enabled even though it is not needed. Use CTS-to-self frames for HT protection instead of RTS/CTS. These changes make my athn(4) AR9280 hostap perform much better. ok phessler@

2019-03-01 | Pick up the AP's 11g ERP protection setting properly in 11n client mode. | Stefan Sperling
    ok phessler@

2019-03-01 | Due to the way we build libunbound inside of unwind .o files collide in | Florian Obser
    the obj directory. Previously this was solved by keeping the libunbound file name (to be able to keep in sync with upstream) and prefixing the source filename of colliding .o files in unwind with uw_. However, these files are shared throughout our tree (namely parse.y, log.c and log.h) and we try to keep them in sync. Move files back to their original name and instead symlink colliding source files in libunbound to unique filenames by prefixing them with the directory they live in:
        obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
        obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c
    Idea to use symlinks deraadt@ via jsg@ OK benno

2019-03-01 | Make athn(4) configure timing of control frames explicitly. | Stefan Sperling
    We now update the chip with values for SIFS interval and ACK/RTS/CTS timeout when configuration changes occur, like Linux ath9k does. Tested by myself, juanfra@, jmc@ on AR9280 and AR9271.

2019-03-01 | vmd(8): remove some i386 remnants that missed the original cleanup | Mike Larkin
    ok pd, kn, deraadt

2019-03-01 | update currency exchange rates; | Jason McIntyre

2019-03-01 | bus_dmamap_sync when we fill the rx ring, not for every slot on the ring. | David Gwynne

2019-03-01 | rework how ifiq_input decides the stack is busy and whether it should drop | David Gwynne
    previously ifiq_input uses the traditional backpressure or defense mechanism and counts packets to decide when to shed load by dropping. currently it ends up waiting for 10240 packets to get queued on the stack before it would decide to drop packets. this may be ok for some machines, but for a lot this was too much.

    this diff reworks how ifiqs measure how busy the stack is by introducing an ifiq_pressure counter that is incremented when ifiq_input is called, and cleared when ifiq_process calls the network stack to process the queue. if ifiq_input is called multiple times before ifiq_process in a net taskq runs, ifiq_pressure goes up, and ifiq_input uses a high value to decide the stack is busy and it should drop.

    I was hoping there would be no performance impact from this change, but hrvoje popovski notes a slight bump in forwarding performance. my own testing shows that the ifiq input list length grows to a fraction of the 10240 it used to get to, which means the maximum burst of packets through the stack is smoothed out a bit. instead of big lists of packets followed by big periods of drops, we get relatively small bursts of packets with smaller gaps where we drop.

    the follow-on from this is to make drivers implementing rx ring moderation use the return value of ifiq_input to scale the ring allocation down, allowing the hardware to drop packets so software doesn't have to.
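To make the ifiq_pressure mechanism in the commit above concrete, here is an added user-space model of it; it is not the kernel code in net/ifq.c. A driver calls `ifiq_input()` for every batch of received packets, the net taskq calls `ifiq_process()` when it drains the queue, and the pressure counter is the number of input calls that piled up between two drains. The drop threshold (8), the 10240 packet list limit from the old scheme, and the `simulate_*` helpers are assumptions made for the example; the real kernel also carries mbufs, locks and counters that are left out here.

```c
/*
 * Added example, not OpenBSD kernel code: a user-space model of the
 * ifiq_pressure idea. Each ifiq_input() call bumps a pressure counter and
 * ifiq_process() (the net taskq draining the queue) clears it. Once the
 * counter passes a threshold the stack is considered busy and new packets
 * are dropped instead of queued, long before the old 10240 packet list
 * limit is reached. Threshold and list limit are assumed values.
 */
#include <stddef.h>
#include <stdio.h>

#define IFIQ_PRESSURE_DROP	8	/* assumed: drop once 8 inputs go unprocessed */
#define IFIQ_MAXLEN		10240	/* the old "wait for 10240 packets" limit */

struct ifiqueue {
	unsigned int	ifiq_len;	/* packets currently queued for the stack */
	unsigned int	ifiq_pressure;	/* ifiq_input calls since last ifiq_process */
	unsigned int	ifiq_maxlen;	/* high-water mark of ifiq_len */
	unsigned long	ifiq_packets;	/* accepted */
	unsigned long	ifiq_qdrops;	/* dropped */
};

/*
 * Driver side: queue a batch of npkts packets. Returns 1 if the driver
 * should slow down (e.g. shrink its rx ring via ring moderation), else 0.
 */
int
ifiq_input(struct ifiqueue *ifiq, unsigned int npkts)
{
	ifiq->ifiq_pressure++;
	if (ifiq->ifiq_pressure > IFIQ_PRESSURE_DROP ||
	    ifiq->ifiq_len + npkts > IFIQ_MAXLEN) {
		ifiq->ifiq_qdrops += npkts;
		return 1;
	}
	ifiq->ifiq_len += npkts;
	ifiq->ifiq_packets += npkts;
	if (ifiq->ifiq_len > ifiq->ifiq_maxlen)
		ifiq->ifiq_maxlen = ifiq->ifiq_len;
	return 0;
}

/* Stack side: drain the queue; pressure resets so the next burst is accepted. */
void
ifiq_process(struct ifiqueue *ifiq)
{
	ifiq->ifiq_len = 0;
	ifiq->ifiq_pressure = 0;
}

/*
 * Simulation: the driver delivers 'inputs' batches of 'batch' packets and
 * the net taskq gets to run once every 'period' inputs.
 */
static struct ifiqueue
run_sim(unsigned int batch, unsigned int inputs, unsigned int period)
{
	struct ifiqueue q = {0};
	unsigned int i;

	for (i = 1; i <= inputs; i++) {
		ifiq_input(&q, batch);
		if (i % period == 0)
			ifiq_process(&q);
	}
	return q;
}

unsigned long
simulate_drops(unsigned int batch, unsigned int inputs, unsigned int period)
{
	return run_sim(batch, inputs, period).ifiq_qdrops;
}

unsigned int
simulate_maxlen(unsigned int batch, unsigned int inputs, unsigned int period)
{
	return run_sim(batch, inputs, period).ifiq_maxlen;
}

int
main(void)
{
	/* Stack keeps up (runs every 4 inputs): no drops, small bursts. */
	printf("drops=%lu maxlen=%u\n", simulate_drops(16, 100, 4),
	    simulate_maxlen(16, 100, 4));
	/* Stack starved (runs every 20 inputs): 12 of every 20 batches dropped,
	 * but the queue never grows past 8 batches. */
	printf("drops=%lu maxlen=%u\n", simulate_drops(16, 100, 20),
	    simulate_maxlen(16, 100, 20));
	return 0;
}
```

In the starved case the old length-only rule would have let the list grow toward 10240 packets before shedding any load; with the pressure counter the queue tops out at a few batches and the drops are spread across the run, which is the smoothing effect the commit describes. The return value of `ifiq_input()` is what a driver with rx ring moderation would feed back into its ring size.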
2019-03-01 | in ssh_set_newkeys(), mention the direction that we're keying in debug | Damien Miller
    messages. Previously it would be difficult to tell which direction it was talking about

2019-03-01 | Fix two race conditions in sshd relating to SIGHUP: | Damien Miller
    1. Recently-forked child processes will briefly remain listening to listen_socks. If the main server sshd process completes its restart via execv() before these sockets are closed by the child processes then it can fail to listen at the desired addresses/ports and/or fail to restart.
    2. When a SIGHUP is received, there may be forked child processes that are awaiting their reexecution state. If the main server sshd process restarts before passing this state, these child processes will yield errors and use a fallback path of reading the current sshd_config from the filesystem rather than use the one that sshd was started with.
    To fix both of these cases, we reuse the startup_pipes that are shared between the main server sshd and forked children. Previously this was used solely to implement tracking of pre-auth child processes for MaxStartups, but this extends the messaging over these pipes to include a child->parent message that the parent process is safe to restart. This message is sent from the child after it has completed its preliminaries: closing listen_socks and receiving its reexec state. bz#2953, reported by Michal Koutný; ok markus@ dtucker@

2019-03-01 | mention PKCS11Provider=none, reword a little and remove mention of | Damien Miller
    RSA keys only (since we support ECDSA now and might support others in the future). Inspired by Jakub Jelen via bz#2974

2019-03-01 | let PKCS11Provider=none do what users expect | Damien Miller
    print PKCS11Provider instead of obsolete SmartcardDevice in config dump. bz#2974 ok dtucker@

2019-03-01 | Background init progress and consistency check progress are reported in | Jonathan Matthew
    different fields. Use the background init progress when that's the active task. lack of progress data noticed by deraadt@ tested on SAS2208 and SAS3508 ok dlg@

2019-03-01 | New mmap(2) flag: MAP_CONCEAL. | cheloha
    MAP_CONCEAL'd memory is not written to disk in the event of a core dump. It may grow other qualities in the future. Wanted by libressl, probably useful elsewhere, too. Prompted by deraadt@, concept from deraadt@/kettenis@. With input from deraadt@, cjeker@, kettenis@, otto@, bcook@, matthew@, guenther@, djm@, and tedu@. ok otto@ deraadt@
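The MAP_CONCEAL commit above is the kind of flag a library holding key material wants to set at allocation time. The following added example, which is not code from the OpenBSD tree or from LibreSSL, shows a small secret-buffer allocator built on it. On OpenBSD it passes MAP_CONCEAL to mmap(2); on Linux, where that flag does not exist, it assumes madvise(MADV_DONTDUMP) as the closest equivalent so the file still builds and runs there. The function names `secret_alloc()`, `secret_free()` and `demo_secret_roundtrip()` are hypothetical.

```c
/*
 * Added example (not OpenBSD or LibreSSL code): allocate a buffer for
 * secrets that is excluded from core dumps. On OpenBSD this is the new
 * MAP_CONCEAL mmap(2) flag; on Linux the assumed fallback is
 * madvise(MADV_DONTDUMP). MAP_CONCEAL says nothing about swap, so the
 * pages are also mlock(2)'d on a best-effort basis.
 */
#define _DEFAULT_SOURCE 1	/* glibc: expose MADV_DONTDUMP and MAP_ANON */
#include <sys/mman.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

void *
secret_alloc(size_t len)
{
	int flags = MAP_PRIVATE | MAP_ANON;
	void *p;

#ifdef MAP_CONCEAL
	flags |= MAP_CONCEAL;	/* OpenBSD: never written to a core file */
#endif
	p = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, -1, 0);
	if (p == MAP_FAILED)
		return NULL;
#if !defined(MAP_CONCEAL) && defined(MADV_DONTDUMP)
	/* Linux fallback (assumed equivalent): exclude pages after mapping. */
	if (madvise(p, len, MADV_DONTDUMP) == -1) {
		munmap(p, len);
		return NULL;
	}
#endif
	/* Keep the secret out of swap too; failure (RLIMIT_MEMLOCK) is tolerated. */
	(void)mlock(p, len);
	return p;
}

/* Zero through a volatile pointer so the compiler cannot elide the wipe. */
static void
secure_zero(void *p, size_t len)
{
	volatile unsigned char *vp = p;

	while (len--)
		*vp++ = 0;
}

void
secret_free(void *p, size_t len)
{
	if (p == NULL)
		return;
	secure_zero(p, len);
	(void)munlock(p, len);
	munmap(p, len);
}

/* Round-trip a constructed 256-bit key through the buffer; 0 on success. */
int
demo_secret_roundtrip(void)
{
	const size_t len = 32;
	unsigned char *key = secret_alloc(len);
	int ok;

	if (key == NULL)
		return -1;
	memset(key, 0xA5, len);		/* constructed stand-in for key material */
	ok = (key[0] == 0xA5 && key[len - 1] == 0xA5);
	secret_free(key, len);
	return ok ? 0 : -1;
}

int
main(void)
{
	printf("secret round-trip: %d (expect 0)\n", demo_secret_roundtrip());
	return 0;
}
```

Two caveats a practitioner should keep in mind: the commit only promises that concealed memory stays out of core dumps, so swap still needs mlock(2) and the secret still needs to be wiped before the mapping is released, and mmap(2) works in whole pages, so a 32-byte key costs a page and `munmap` releases that whole page.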
2019-02-28 | IPv6 fragments with malformed extension headers could be erroneously | Alexander Bluhm
    passed by pf or cause a panic in pf. fix from sashan@; OK bluhm@ claudio@ bug found by Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

2019-02-28 | Implement non-SSL_MODE_ENABLE_PARTIAL_WRITE in tls13_legacy_write_bytes(). | Joel Sing
    In non-SSL_MODE_ENABLE_PARTIAL_WRITE mode we have to write out all the things and only return success once all of the data has been sent. ok inoguchi@ tb@

2019-02-28 | Automatically complete the handshake from tls13_legacy_{read,write}_bytes() | Joel Sing
    If the TLS handshake has not been completed, automatically complete the handshake as part of the read/write call, implementing the current SSL_read()/SSL_write() behaviour. Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT back up to the caller, since some applications appear to incorrectly call SSL_read() or SSL_write(), rather than repeating the previous call. This can lead to attempts to read data that does not exist, since the WANT_POLLIN was actually triggered as part of the handshake. ok inoguchi@ tb@

2019-02-28 | Set the SSL state as part of tls13_legacy_connect(). | Joel Sing
    Set the SSL state to SSL_ST_CONNECT during the TLSv1.3 handshake and to SSL_ST_OK once the handshake completes, since some applications currently rely on this information to function correctly. ok inoguchi@ tb@

2019-02-28 | Add appropriate length checks to tls13_legacy_{read,write}_bytes() | Joel Sing
    ok inoguchi@ tb@

2019-02-28 | Remove unused record_type from TLSv1.3 handshake actions. | Joel Sing
    ok tb@

2019-02-28 | Format multiple subsequent .IP or multiple subsequent .TP/.TQ | Ingo Schwarze
    as a single <dl> list rather than opening a new list for each item; feature suggested by Pali dot Rohar at gmail dot com.

2019-02-28 | bump smtpd version | Eric Faurot
    on behalf of gilles@

2019-02-28 | list mpls as a depend for mpe and mpw, don't require bridge to build mpw | David Gwynne
    mpe doesn't need ether as a depend while I'm here.

2019-02-28 | add mpip(4) | David Gwynne
    ok claudio@

2019-02-28 | Add mpip(4), an IP tunnel interface for "IP Layer 2" over MPLS pseudowires | David Gwynne
    This is basically mpw(4), but it carries IP directly instead of Ethernet. On the wire it can look the same as what IP over MPLS looks like, but because it is a pseudowire you can configure a control word or the FAT label to improve load balancing. It can be used to quickly set up an IP tunnel over an MPLS fabric without the need to configure bgpd and mpe(4) interfaces. Because it implements the same pwe3 ioctls that mpw(4) uses, ifconfig already supports configuration of mpip(4) interfaces. ldpd will grow support for this in the near future. This is not hooked up to the build yet. discussed with claudio@ at ak219 ok claudio@

2019-02-27 | dup stdout/in for proxycommand=-, otherwise stdout might be | Markus Friedl
    redirected to /dev/null; ok djm@

2019-02-27 | Make iwm(4) use CTS-to-self for HT protection if the AP requests this, | Stefan Sperling
    rather than always using RTS for HT protection.

2019-02-27 | update RFC references, from tobias_heider at genua.de, ok claudio@ | Stuart Henderson

2019-02-27 | Back in 2016 we enabled RTS threshold by default because it apparently | Stefan Sperling
    helped us on a loaded hackathon wifi network. In 11n mode we are now using a heuristic for this. Disable RTS threshold for all other modes again because it can do more harm than good in many situations. This change may increase Tx throughput in 11a/g modes, though results depend on the driver. Some drivers, e.g. urtwn(4), keep using RTS regardless for unknown reasons and may need to be fixed separately. And we will keep using RTS if the AP enables 11g protection while 11b clients are around.