Age | Commit message | Author |
|
ok deraadt@
|
|
access to netlock protected data.
ok kn@ bluhm@
|
|
and the block devices work just fine.
|
|
works enough to get a console on qemu with more work to come from
others
feedback from miod
ok patrick
|
|
While it may have been reasonable to use VisibleString back when this
code was written, it's an anachronism nowadays. In particular, configuring
BoringSSL reports that they have seen malformed certificates with exactly
the issue caused by this unfortunate default.
Reported by Alex Gaynor in OpenSSL issue 20772
ok jsing
|
|
These functions convert strings to internal objects and vice versa.
This is a best effort, probably with a lot of room for improvement,
which can happen in tree if anyone cares. It's better than nothing.
Nothing in turn would be significantly better than the utter garbage
a related project has managed to land as part of their efforts towards
significant documentation improvements in a recent major release.
This leaves a dangling reference to the misnamed X509V3_METHOD_get_nid(3)
which I may or may not fill in the future.
I am unsure about the HISTORY section's precision, but that's what I got
from cvs history. All these functions are about a quarter century old
(and it shows), so I don't think it matters very much.
|
|
ASPA provider AS sets can include optional limitations to inet/inet6; these
limits are represented in the TAS_AID bit masks (2 bits per AS).
Introduce a TAS_AID_SIZE() macro that returns the size in bytes of this
bit mask (rounded to the next uint32_t).
Without this change aspa objects with AID specific elements trigger a
fatal error condition when the config is loaded.
OK tb@ job@
|
|
other AFI
OK claudio@
|
|
The CL_SCHEDCLOCK flag is set when schedhz is non-zero. It's
redundant. We can just check the value of schedhz directly.
|
|
This uses the flowspec.c file from bgpd and implements the output
for flowspec only for the text printer for now. That code uses a lot
of code from printconf.c
OK tb@
|
|
IMSG_FLOWSPEC_ADD and IMSG_FLOWSPEC_REMOVE received from bgpctl via SE.
OK tb@
|
|
Input and OK jmc@ tb@
|
|
it might be NULL in uhid_intr.
fixes "b_to_q: tty has no clist" panic hit by namn@
tested by thfr@ and namn@
ok anton@
|
|
Allowing the intrclock to fire in the midst of clockintr_cpu_init()
would complicate the function a lot. However, in a future patch we
will need to enable intrclock operations in clockintr_advance(),
clockintr_cancel(), and clockintr_schedule().
We can avoid this conflict by masking CQ_INTRCLOCK while we're
updating the internal clockintrs in clockintr_cpu_init(). When we no
longer need clockintr_cpu_init(), this workaround will disappear.
|
|
the user has a restrictive mask, various items (new directories, @sample'd
files, /var/db/pkg entries, mandoc databases) end up not readable.
feedback/ok espie@
|
|
and shared netlock respectively.
OK kn@ mvs@
|
|
the -z nobtcfi option.
ok deraadt@
|
|
should not enforce branch target control flow integrity for a binary.
This works analogous to PT_OPENBSD_WXNEEDED in that we will set it on
binaries that don't have the necessary landing pads (yet). The kernel
will enforce branch target CFI by default in the near future!
This is a better match for what we want to achieve than the GNU property
note mechanism that the Linux folks came up with. We can still use the
GNU property notes for diagnostic purposes so we won't disable their
generation in the toolchain. But ports will need to pass an explicit
-Wl,-z,nobtcfi option to disable branch target CFI.
Like with PT_OPENBSD_WXNEEDED we convert the presence of PT_OPENBSD_NOBTCFI
into a flag in struct exec_package. From there MD code can pick it up
and set a struct process flag or take action in setregs().
ok deraadt@
|
|
A few years back beck introduced REGRESS_SKIP_SLOW dances with the idea
that this should speed up the interop tests for us devs because this also
checked interop between opensslX and opensslY, which we don't particularly
care about. This never really worked. On a mac m1 mini the result is this:
REGRESS_SKIP_SLOW unset
9m56.69s real 3m42.24s user 3m00.70s system
REGRESS_SKIP_SLOW=yes
11m04.61s real 7m29.61s user 1m40.29s system
The problem is that REGRESS_SKIP_SLOW simply wasn't designed to handle
the huge number of tests we have here. There are many nested .for loops
resulting in several thousand tests. Each test has a name of length ~80.
REGRESS_SKIP_SLOW concatenates them into a several hundred kilobytes
long string in REGRESS_SKIP_TARGETS, iterates over all regress targets and
tests with ".if ${REGRESS_SKIP_TARGETS:M${RT}}" if it should skip them.
This means that during a regress run, make spends a lot of time linearly
scanning a huge string.
I ran into this when I added OpenSSL 3.0 tests to the already existing
1.0.2 and 1.1 tests with the result that with REGRESS_SLOW_TARGETS set
it took the better part of an hour while without it it took about 15 min.
The hack here is simply to avoid using REGRESS_SLOW_TARGETS here and
handle the situation differently.
patch, REGRESS_SKIP_SLOW=yes
5m42.32s real 2m09.98s user 1m45.21s system
The real solution would be to fix this in bsd.regress.mk, which someone
who understands make well is very welcome to do. For now, I'm happy with
this.
Debugged with jsing a few months ago
|
|
order.
|
|
The CL_CPU_* flags were originally so-named because they were set from
clockintr_cpu_init(), which was itself named before I had named the
clockintr_queue struct. It makes more sense for the flag namespace to match
the struct namespace, so CQ_* is a better flag prefix than CL_CPU_*.
While we're at it, move the CQ_* flag definitions up so they
immediately follow the clockintr_queue structure definition in
sys/clockintr.h.
|
|
and Loc-RIB. Flowspec objects are collected in a single flowrib RIB
and then directly distributed into the various Adj-RIB-Outs.
For this to work add a bypass in the filter logic (flowspec AFI/SAFI
are currently accepted without any rule). The filter language lacks
a way to allow prefixes based on AFI/SAFI which is the minimum needed.
OK tb@
|
|
feedback tb@
|
|
ok tb@
|
|
that are no longer built.
ok miod@
|
|
ok tb@
|
|
No functional change.
|
|
This removes a bunch of incomplete and scary code, which potentially leaks
secrets and is not constant time. A performance gain is achieved on arm64
for sizes that we care about, while a minimal decrease in performance is
noted for larger sizes on some other platforms.
While we will potentially reimplement Karatsuba (or Toom-Cook) at a later
date, it will be easier and safer to do it from a clean slate.
ok tb@
|
|
In flowspec_cmp() make sure a deterministic sort is possible. Most error
cases are unreachable if flowspec NLRI are validated first (flowspec_valid).
In flowspec_valid() replace the assert-like check with an error return.
OK tb@
|
|
In general people should use table-v2 which handles flowspec just fine.
OK tb@
|
|
Flowspec has no nexthop so adjust up_prep_adjout() to handle a NULL nexthop.
Add the MP_REACH encoding in up_generate_mp_reach for flowspec.
OK tb@
|
|
process tracks which prefixes are added / removed and issues the
corresponding imsg calls.
Right now the RDE does nothing with the received information.
OK tb@
|
|
Introduce pt_get_flow() and pt_add_flow() to lookup and insert flowspec
objects. Add pt_getflowspec() which works somewhat similar to pt_getaddr()
to extract the flowspec NLRI from a pt_entry.
Make pt_getaddr() return the destination prefix of the flowspec rule and
handle flowspec in pt_write().
OK tb@
|
|