Age | Commit message | Author |
|
|
ok krw@
|
|
ok deraadt@ krw@
|
|
providing the DKF_NOLABELREAD flag is not set. This provides the kernel
with the actual disklabel which includes the disklabel UID.
ok deraadt@ miod@ krw@
|
|
automatic reading of disklabel on attach.
ok deraadt@ miod@ krw@
|
|
prompted by reyk
|
|
OK reyk
|
|
ok claudio@
|
|
instead of letting hardware rings grow on every interrupt, restrict
it so it can only grow once per softclock tick. we can only punish
the rings on softclock ticks, so it makes sense to only grow on
softclock tick boundaries too.
the rings are now punished after >1 lost softclock tick rather than
>2. mclgeti is now more aggressive at detecting livelock.
the rings get punished by an 8th, rather than by half.
we now allow the rings to be punished again even if the system is
already considered in livelock.
without this diff a livelocked system will have its rx ring sizes
scale up and down very rapidly, while holding the rings low for too
long. this affected throughput significantly.
discussed and tested heavily at j2k10. there are still some games
with softnet we can play, but this is a good first step.
"put it in" and ok deraadt@
ok claudio@ krw@ henning@ mcbride@
if we find out that it sucks we can pull it out again later. till then
we'll run with it and see how it goes.
|
|
netatalk enabled.
|
|
because it skips a wakeup() later on. this is the only error condition
that returns before the wakeup. not sure why this particular case is
handled differently, and not certain what the error code should be, but
this is better than breaking all of usb because of a problem on one port.
discussed with deraadt
|
|
* usbd_device_handle dev - the device responsible for the task. use
this to not run the task if the device's hub is dying.
* int running - a flag to be set when the task is running.
add usb_rem_wait_task(), a wrapper for usb_rem_task() that waits for
the task to complete if the task is already running.
s/usb_rem_task/usb_rem_wait_task/ in usb_detach(). probably most
drivers using usb_tasks should do this as well. although device
attach/detach is serialized in normal cases, in the special case
where the usb bus is hotpluggable (like cardbus/pcmcia), devices
are not detached in the task thread.
|
|
is dying, instead of setting a flag in struct usb_softc. as
usbd_device_handle has a pointer to the usbd_bus it's attached to,
usb devices, and functions they run or functions run on their behalf,
can now easily check if their bus is dying. use this to stop
usbd_do_request* from running and the usb task thread from adding
new tasks when a device's bus is dying.
|
|
hubs before their first port explore, check how long it's actually
been since power up and only wait as necessary. saves a little time
on boot, especially now that explore tasks are serialized.
ok yuo@
|
|
OK dlg@
|
|
USB bus, make usb_explore() a usb_task. reduces races during normal
USB device detach, since now usb_tasks and detach happen in the same
process.
ok yuo@, matthew@ helped with the task thread loop
|
|
ok yasuoka@
|
|
"yup" deraadt@
|
|
support by pipex.
OK henning@, "Carry on" blambert@
|
|
was not enabled, we use a kernel routing socket for such things.
ok yasuoka@ claudio@
|
|
just use the filesystem permissions now.
Pointed out by stsp@.
|
|
OK krw
|
|
factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism
add a bandwidth limit option to sftp(1) using the above
"very nice" markus@
|
|
suspend/resume support
|
|
in mandoc, if we ever get to that point. Even less so with variable
arguments and using a single non-alphabetic character (here, '`') as the
macro identifier. In the meantime, refrain from using .de in cvs(1).
Patch generated by running #!/usr/bin/perl
while(<>){s/^\.\` "(.*)"(.*)/.RB \` "\\|$1\\|" \'$2/;print;}
followed by some hand-polishing.
Repeatedly prodded by many (e.g. halex@, weerd@) and repeatedly forgotten.
"yes. at least people will be able to read the page." jmc@
|
|
ok jsg@
|
|
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
  1) AES-GCM-16:
       aes-128-gcm for 160 bit key (128+nonce)
       aes-192-gcm for 224 bit key (192+nonce)
       aes-256-gcm for 288 bit key (256+nonce)
  2) ENCR_NULL_AUTH_AES_GMAC:
       aes-128-gmac for 160 bit key (128+nonce)
       aes-192-gmac for 224 bit key (192+nonce)
       aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
  ike esp from 172.23.61.36 to 172.23.61.156 \
      quick enc aes-256-gcm \
      psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
|
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy
|
|
RFC 4106 and 4543.
Authentication hash key is set to be the same as an encryption key.
The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).
ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.
This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.
|
|
and pipex. pppx(4) creates an interface whenever a session is created
so that altq and pf can work on these.
Started by dlg@, debugged and made usable by myself
OK dlg@ yasuoka@ deraadt@
|
|
Lots of agreement.
|
|
RFC 4106 and 4543.
Please note that although IKEv1 and IKEv2 identifiers are
different for ESP_NULL_AUTH_AES-GMAC (SADB_X_EALG_AESGMAC),
we use the IKEv2 one only (which is 21). ipsecctl(8) will
be taught to handle exported SA correctly.
|
|
tc_intr_disestablish() prototype is changed to carry information whether the
counter needs to be detached or not.
This does not matter much since no driver ever calls tc_intr_disestablish().
|
|
to NIST (gcm-spec.pdf) and draft-mcgrew-gcm-test-01.txt.
|
|
described in FIPS SP 800-38D.
This implementation supports 16 byte authentication tag only,
splitting transformation into two parts: encryption and
authentication. Encryption is handled by the existing
AES-CTR implementation, while authentication requires new
AES_GMAC hash function.
Additional routine is added to the software crypto driver
to deal with peculiarities of a combined authentication-
encryption transformation.
With suggestions from reyk, naddy and toby.
|
|
copy sbin/iked/chap_ms.[ch] and fixed chap.c and eap.c to compile with it.
|
|
interrupts, since inspecting the code, they seem to always attach
anyway. This fixes compiler fallout from my evcount simplification.
build error reported by naddy@; "seems sensible" deraadt@
|
|
``Go ahead, it's free'' deraadt@.
|
|
bounds file is empty.
ok deraadt@ henning@
|
|
the initiator chose wrong D-H group. in this case we throw away our
SA and start over with a proper group.
makes iked work as an initiator with strongswan/charon without any
specific "ikesa" (phase 1) configuration.
ok reyk
|