Driver request for the NeuG TRNG

2017-02-09 Thread physkets
Hi,

I was directed here from IRC. I would like to ask anyone who is
interested and has the free time to look into writing a driver for this
device.

This is a link to the README at NeuG's git: 
http://git.gniibe.org/gitweb/?p=gnuk/neug.git;a=blob;f=README

I had made a related post on reddit that has a little bit of a discussion that 
might help:
https://www.reddit.com/r/openbsd/comments/5sfi09/will_a_usb_trng_improve_security

There is a FreeBSD driver, if that helps: 
https://github.com/jj1bdx/freebsd-dev-trng

Thanks!
physkets


Re: inteldrm: setup backlight pwm alternate increment on backlight enable

2017-02-09 Thread Jonathan Gray
On Thu, Feb 09, 2017 at 06:39:13PM -0600, joshua stein wrote:
> I have no idea why there are chickens involved, but this fixes the
> problem on at least the MacBookAir7,1 (Broadwell) where upon S3
> resume, the backlight value is treated as 0 or 100 despite reporting
> intermediate values, so if the backlight value was anything other
> than 100 at suspend time, the screen will stay off upon resume.

Chicken bits are overrides for functions like clock gating; if it turns
out there is a hardware bug in a particular feature, these bits are used
to disable it.

This diff seems reasonable but it would be nice to get some tests
on non-apple broadwell hardware.

> 
> This is backported from Linux commits
> 32b421e79e6b546da1d469f1229403ac9142d695 and
> e29aff05f239f8dd24e9ee7816fd96726e20105a which were noted in
> freedesktop.org bug 67454.
> 
> This and the previous ACPI diff get suspend and resume working on
> the MacBook Air.
> 
> 
> Index: sys/dev/pci/drm/i915/i915_reg.h
> ===
> RCS file: /cvs/src/sys/dev/pci/drm/i915/i915_reg.h,v
> retrieving revision 1.11
> diff -u -p -u -p -r1.11 i915_reg.h
> --- sys/dev/pci/drm/i915/i915_reg.h   25 Sep 2015 16:15:19 -  1.11
> +++ sys/dev/pci/drm/i915/i915_reg.h   10 Feb 2017 00:39:02 -
> @@ -4540,9 +4540,11 @@
>  #define  FDI_PHASE_SYNC_OVR(pipe) (1<<(FDIA_PHASE_SYNC_SHIFT_OVR - ((pipe) * 
> 2)))
>  #define  FDI_PHASE_SYNC_EN(pipe) (1<<(FDIA_PHASE_SYNC_SHIFT_EN - ((pipe) * 
> 2)))
>  #define  FDI_BC_BIFURCATION_SELECT   (1 << 12)
> +#define  SPT_PWM_GRANULARITY (1<<0)
>  #define SOUTH_CHICKEN2   0xc2004
>  #define  FDI_MPHY_IOSFSB_RESET_STATUS(1<<13)
>  #define  FDI_MPHY_IOSFSB_RESET_CTL   (1<<12)
> +#define  LPT_PWM_GRANULARITY (1<<5)
>  #define  DPLS_EDP_PPS_FIX_DIS(1<<0)
>  
>  #define _FDI_RXA_CHICKEN 0xc200c
> Index: sys/dev/pci/drm/i915/intel_drv.h
> ===
> RCS file: /cvs/src/sys/dev/pci/drm/i915/intel_drv.h,v
> retrieving revision 1.9
> diff -u -p -u -p -r1.9 intel_drv.h
> --- sys/dev/pci/drm/i915/intel_drv.h  9 Dec 2015 05:17:44 -   1.9
> +++ sys/dev/pci/drm/i915/intel_drv.h  10 Feb 2017 00:39:02 -
> @@ -168,6 +168,7 @@ struct intel_panel {
>   bool enabled;
>   bool combination_mode;  /* gen 2/4 only */
>   bool active_low_pwm;
> + bool alternate_pwm_increment;   /* lpt+ */
>   struct backlight_device *device;
>   } backlight;
>  };
> Index: sys/dev/pci/drm/i915/intel_panel.c
> ===
> RCS file: /cvs/src/sys/dev/pci/drm/i915/intel_panel.c,v
> retrieving revision 1.11
> diff -u -p -u -p -r1.11 intel_panel.c
> --- sys/dev/pci/drm/i915/intel_panel.c23 Sep 2015 23:12:12 -  
> 1.11
> +++ sys/dev/pci/drm/i915/intel_panel.c10 Feb 2017 00:39:02 -
> @@ -611,7 +611,7 @@ static void bdw_enable_backlight(struct 
>   struct drm_device *dev = connector->base.dev;
>   struct drm_i915_private *dev_priv = dev->dev_private;
>   struct intel_panel *panel = >panel;
> - u32 pch_ctl1, pch_ctl2;
> + u32 pch_ctl1, pch_ctl2, schicken;
>  
>   pch_ctl1 = I915_READ(BLC_PWM_PCH_CTL1);
>   if (pch_ctl1 & BLM_PCH_PWM_ENABLE) {
> @@ -620,6 +620,22 @@ static void bdw_enable_backlight(struct 
>   I915_WRITE(BLC_PWM_PCH_CTL1, pch_ctl1);
>   }
>  
> + if (HAS_PCH_LPT(dev)) {
> + schicken = I915_READ(SOUTH_CHICKEN2);
> + if (panel->backlight.alternate_pwm_increment)
> + schicken |= LPT_PWM_GRANULARITY;
> + else
> + schicken &= ~LPT_PWM_GRANULARITY;
> + I915_WRITE(SOUTH_CHICKEN2, schicken);
> + } else {
> + schicken = I915_READ(SOUTH_CHICKEN1);
> + if (panel->backlight.alternate_pwm_increment)
> + schicken |= SPT_PWM_GRANULARITY;
> + else
> + schicken &= ~SPT_PWM_GRANULARITY;
> + I915_WRITE(SOUTH_CHICKEN1, schicken);
> + }
> +
>   pch_ctl2 = panel->backlight.max << 16;
>   I915_WRITE(BLC_PWM_PCH_CTL2, pch_ctl2);
>  
> @@ -956,6 +972,13 @@ static int bdw_setup_backlight(struct in
>   struct drm_i915_private *dev_priv = dev->dev_private;
>   struct intel_panel *panel = >panel;
>   u32 pch_ctl1, pch_ctl2, val;
> + bool alt;
> +
> + if (HAS_PCH_LPT(dev))
> + alt = I915_READ(SOUTH_CHICKEN2) & LPT_PWM_GRANULARITY;
> + else
> + alt = I915_READ(SOUTH_CHICKEN1) & SPT_PWM_GRANULARITY;
> + panel->backlight.alternate_pwm_increment = alt;
>  
>   pch_ctl1 = I915_READ(BLC_PWM_PCH_CTL1);
>   panel->backlight.active_low_pwm = pch_ctl1 & BLM_PCH_POLARITY;
> 



asmc: restore keyboard backlight on resume

2017-02-09 Thread joshua stein
After resume, the keyboard backlight is still off, so restore it
(this was also helpful to figure out the machine was actually
resuming).


Index: sys/dev/isa/asmc.c
===
RCS file: /cvs/src/sys/dev/isa/asmc.c,v
retrieving revision 1.30
diff -u -p -u -p -r1.30 asmc.c
--- sys/dev/isa/asmc.c  22 Apr 2016 20:45:53 -  1.30
+++ sys/dev/isa/asmc.c  10 Feb 2017 00:40:15 -
@@ -92,6 +92,7 @@ void  asmc_update(void *);
 intasmc_match(struct device *, void *, void *);
 void   asmc_attach(struct device *, struct device *, void *);
 intasmc_detach(struct device *, int);
+intasmc_activate(struct device *, int);
 
 /* wskbd hook functions */
 void   asmc_backlight(void *);
@@ -101,7 +102,7 @@ extern int (*wskbd_get_backlight)(struct
 extern int (*wskbd_set_backlight)(struct wskbd_backlight *);
 
 const struct cfattach asmc_ca = {
-   sizeof(struct asmc_softc), asmc_match, asmc_attach
+   sizeof(struct asmc_softc), asmc_match, asmc_attach, NULL, asmc_activate
 };
 
 struct cfdriver asmc_cd = {
@@ -355,6 +356,20 @@ asmc_detach(struct device *self, int fla
 
task_del(systq, >sc_task_backlight);
asmc_try(sc, ASMC_WRITE, "LKSB", buf, 2);
+   return 0;
+}
+
+int
+asmc_activate(struct device *self, int act)
+{
+   struct asmc_softc *sc = (struct asmc_softc *)self;
+
+   switch (act) {
+   case DVACT_WAKEUP:
+   asmc_backlight(sc);
+   break;
+   }
+
return 0;
 }
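Review bot: asmc_activate has no comment saying why DVACT_WAKEUP calls asmc_backlight() directly, and its switch silently ignores every other action. A short comment above the case, such as `/* keyboard backlight is off after resume; restore it */`, would record the intent that is currently only in the commit message, and an explicit `default: break;` would make the ignored actions deliberate. The detach context in this hunk shows a sc_task_backlight task on systq, so if asmc_backlight() is normally run from that task and can sleep, it is worth confirming that the direct call is safe in the wakeup path rather than using `task_add(systq, &sc->sc_task_backlight);`.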
 



inteldrm: setup backlight pwm alternate increment on backlight enable

2017-02-09 Thread joshua stein
I have no idea why there are chickens involved, but this fixes the
problem on at least the MacBookAir7,1 (Broadwell) where upon S3
resume, the backlight value is treated as 0 or 100 despite reporting
intermediate values, so if the backlight value was anything other
than 100 at suspend time, the screen will stay off upon resume.

This is backported from Linux commits
32b421e79e6b546da1d469f1229403ac9142d695 and
e29aff05f239f8dd24e9ee7816fd96726e20105a which were noted in
freedesktop.org bug 67454.

This and the previous ACPI diff get suspend and resume working on
the MacBook Air.


Index: sys/dev/pci/drm/i915/i915_reg.h
===
RCS file: /cvs/src/sys/dev/pci/drm/i915/i915_reg.h,v
retrieving revision 1.11
diff -u -p -u -p -r1.11 i915_reg.h
--- sys/dev/pci/drm/i915/i915_reg.h 25 Sep 2015 16:15:19 -  1.11
+++ sys/dev/pci/drm/i915/i915_reg.h 10 Feb 2017 00:39:02 -
@@ -4540,9 +4540,11 @@
 #define  FDI_PHASE_SYNC_OVR(pipe) (1<<(FDIA_PHASE_SYNC_SHIFT_OVR - ((pipe) * 
2)))
 #define  FDI_PHASE_SYNC_EN(pipe) (1<<(FDIA_PHASE_SYNC_SHIFT_EN - ((pipe) * 2)))
 #define  FDI_BC_BIFURCATION_SELECT (1 << 12)
+#define  SPT_PWM_GRANULARITY   (1<<0)
 #define SOUTH_CHICKEN2 0xc2004
 #define  FDI_MPHY_IOSFSB_RESET_STATUS  (1<<13)
 #define  FDI_MPHY_IOSFSB_RESET_CTL (1<<12)
+#define  LPT_PWM_GRANULARITY   (1<<5)
 #define  DPLS_EDP_PPS_FIX_DIS  (1<<0)
 
 #define _FDI_RXA_CHICKEN 0xc200c
Index: sys/dev/pci/drm/i915/intel_drv.h
===
RCS file: /cvs/src/sys/dev/pci/drm/i915/intel_drv.h,v
retrieving revision 1.9
diff -u -p -u -p -r1.9 intel_drv.h
--- sys/dev/pci/drm/i915/intel_drv.h9 Dec 2015 05:17:44 -   1.9
+++ sys/dev/pci/drm/i915/intel_drv.h10 Feb 2017 00:39:02 -
@@ -168,6 +168,7 @@ struct intel_panel {
bool enabled;
bool combination_mode;  /* gen 2/4 only */
bool active_low_pwm;
+   bool alternate_pwm_increment;   /* lpt+ */
struct backlight_device *device;
} backlight;
 };
Index: sys/dev/pci/drm/i915/intel_panel.c
===
RCS file: /cvs/src/sys/dev/pci/drm/i915/intel_panel.c,v
retrieving revision 1.11
diff -u -p -u -p -r1.11 intel_panel.c
--- sys/dev/pci/drm/i915/intel_panel.c  23 Sep 2015 23:12:12 -  1.11
+++ sys/dev/pci/drm/i915/intel_panel.c  10 Feb 2017 00:39:02 -
@@ -611,7 +611,7 @@ static void bdw_enable_backlight(struct 
struct drm_device *dev = connector->base.dev;
struct drm_i915_private *dev_priv = dev->dev_private;
struct intel_panel *panel = >panel;
-   u32 pch_ctl1, pch_ctl2;
+   u32 pch_ctl1, pch_ctl2, schicken;
 
pch_ctl1 = I915_READ(BLC_PWM_PCH_CTL1);
if (pch_ctl1 & BLM_PCH_PWM_ENABLE) {
@@ -620,6 +620,22 @@ static void bdw_enable_backlight(struct 
I915_WRITE(BLC_PWM_PCH_CTL1, pch_ctl1);
}
 
+   if (HAS_PCH_LPT(dev)) {
+   schicken = I915_READ(SOUTH_CHICKEN2);
+   if (panel->backlight.alternate_pwm_increment)
+   schicken |= LPT_PWM_GRANULARITY;
+   else
+   schicken &= ~LPT_PWM_GRANULARITY;
+   I915_WRITE(SOUTH_CHICKEN2, schicken);
+   } else {
+   schicken = I915_READ(SOUTH_CHICKEN1);
+   if (panel->backlight.alternate_pwm_increment)
+   schicken |= SPT_PWM_GRANULARITY;
+   else
+   schicken &= ~SPT_PWM_GRANULARITY;
+   I915_WRITE(SOUTH_CHICKEN1, schicken);
+   }
+
pch_ctl2 = panel->backlight.max << 16;
I915_WRITE(BLC_PWM_PCH_CTL2, pch_ctl2);
 
@@ -956,6 +972,13 @@ static int bdw_setup_backlight(struct in
struct drm_i915_private *dev_priv = dev->dev_private;
struct intel_panel *panel = >panel;
u32 pch_ctl1, pch_ctl2, val;
+   bool alt;
+
+   if (HAS_PCH_LPT(dev))
+   alt = I915_READ(SOUTH_CHICKEN2) & LPT_PWM_GRANULARITY;
+   else
+   alt = I915_READ(SOUTH_CHICKEN1) & SPT_PWM_GRANULARITY;
+   panel->backlight.alternate_pwm_increment = alt;
 
pch_ctl1 = I915_READ(BLC_PWM_PCH_CTL1);
panel->backlight.active_low_pwm = pch_ctl1 & BLM_PCH_POLARITY;
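Review bot: The `else` branch in bdw_setup_backlight reads SOUTH_CHICKEN1/SPT_PWM_GRANULARITY for every PCH that is not LPT, with no comment or check stating that only SPT is expected there; the `else` branch added to bdw_enable_backlight in the previous hunk makes the same assumption and also writes the register. If another PCH type can reach these functions, bit 0 of SOUTH_CHICKEN1 would be modified with an unrelated meaning, so a comment like `/* non-LPT here means SPT */` or an explicit PCH check would make the precondition visible. Both function bodies start and end outside the hunks, so the callers' platform checks cannot be confirmed from here.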



acpi: pretend to be Darwin on Apple hardware

2017-02-09 Thread joshua stein
When running on machines with a hw_vendor of "Apple Inc." or "Apple
Computer, Inc.", only return 1 for an OSI check of "Darwin" and not
the other Windows variants.

Code in the AML of the MacBookAir7,1 (most likely all Macs) does
much different things when running on Darwin systems, but the AML
that checks for Darwin does this:

OSYS = 0x07DC
If (CondRefOf (\_OSI, Local0))
{
If (_OSI ("Darwin"))
{
OSYS = 0x2710
}

If (\_OSI ("Linux"))
{
OSYS = 0x03E8
}

If (\_OSI ("Windows 2009"))
{
OSYS = 0x07D9
}
[...]

So we can't just add Darwin to aml_valid_osi.

Without this, my MacBook Air won't suspend properly (hangs calling
_PTS) and a similar change in Linux from 2014 (commit
7bc5a2bad0b8d9d1ac9f7b8b33150e4ddf197334) notes that upon resume,
the Thunderbolt ports won't be powered up without pretending to be
Darwin.

I tested this with a Thunderbolt ethernet device and it works
properly before and after suspend.  Hot-plugging the Thunderbolt
ethernet device after boot no longer prints these messages:

ppb5 at pci4 dev 0 function 0 vendor "Intel", unknown product 0x156b rev 
0x00
pci6 at ppb5 bus 6
ppb6 at pci6 dev 0 function 0 vendor "Intel", unknown product 0x156b rev 
0x00: not configured by system firmware
ppb7 at pci6 dev 3 function 0 vendor "Intel", unknown product 0x156b rev 
0x00: not configured by system firmware
ppb8 at pci6 dev 4 function 0 vendor "Intel", unknown product 0x156b rev 
0x00: not configured by system firmware
ppb9 at pci6 dev 5 function 0 vendor "Intel", unknown product 0x156b rev 
0x00: not configured by system firmware
ppb10 at pci6 dev 6 function 0 vendor "Intel", unknown product 0x156b rev 
0x00: not configured by system firmware


Index: sys/dev/acpi/dsdt.c
===
RCS file: /cvs/src/sys/dev/acpi/dsdt.c,v
retrieving revision 1.230
diff -u -p -u -p -r1.230 dsdt.c
--- sys/dev/acpi/dsdt.c 14 Jan 2017 11:32:00 -  1.230
+++ sys/dev/acpi/dsdt.c 10 Feb 2017 00:31:02 -
@@ -106,6 +106,8 @@ void_aml_die(const char *fn, int 
line
 void aml_notify_task(void *, int);
 void acpi_poll_notify_task(void *, int);
 
+extern char*hw_vendor;
+
 /*
  * @@@: Global variables
  */
@@ -1505,6 +1507,21 @@ aml_callosi(struct aml_scope *scope, str
struct aml_value *fa;
 
fa = aml_getstack(scope, AMLOP_ARG0);
+
+   if (hw_vendor != NULL &&
+   (strcmp(hw_vendor, "Apple Inc.") == 0 ||
+   strcmp(hw_vendor, "Apple Computer, Inc.") == 0)) {
+   if (strcmp(fa->v_string, "Darwin") == 0) {
+   dnprintf(10,"osi: returning 1 for %s on %s hardware\n",
+   fa->v_string, hw_vendor);
+   result = 1;
+   } else
+   dnprintf(10,"osi: on %s hardware, but ignoring %s\n",
+   hw_vendor, fa->v_string);
+
+   return aml_allocvalue(AML_OBJTYPE_INTEGER, result, NULL);
+   }
+
for (idx=0; !result && aml_valid_osi[idx] != NULL; idx++) {
dnprintf(10,"osi: %s,%s\n", fa->v_string, aml_valid_osi[idx]);
result = !strcmp(fa->v_string, aml_valid_osi[idx]);
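Review bot: The added block in aml_callosi carries no comment explaining why Apple hardware gets an early return that bypasses aml_valid_osi; the reasoning (Apple's AML tests "Darwin" first and later _OSI matches overwrite OSYS) exists only in the commit message. I would add a block comment above the `if (hw_vendor != NULL && ...)` test summarising that, since answering 0 to every Windows string on these machines is surprising to a reader of dsdt.c. The new `strcmp(fa->v_string, "Darwin")` also dereferences v_string without checking the argument's type, as the existing loop below does; whether fa is guaranteed to be a string here is not visible in the hunk. The `else` arm is unbraced while the `if` arm is braced, which is easy to misread next to the two-line dnprintf.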



Re: netcat -U -z exit status

2017-02-09 Thread Jeremie Courreges-Anglas
Alexander Bluhm  writes:

> Hi,
>
> When netcat is started with -Uz, the exit status is always 1.  If
> the unix connect is successful, netcat should exit with 0 and close
> the socket.
>
> ok?

Makes sense, ok.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



netcat -U -z exit status

2017-02-09 Thread Alexander Bluhm
Hi,

When netcat is started with -Uz, the exit status is always 1.  If
the unix connect is successful, netcat should exit with 0 and close
the socket.

ok?

bluhm

Index: usr.bin/nc/netcat.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.176
diff -u -p -r1.176 netcat.c
--- usr.bin/nc/netcat.c 9 Feb 2017 20:14:41 -   1.176
+++ usr.bin/nc/netcat.c 9 Feb 2017 21:17:59 -
@@ -597,8 +597,9 @@ main(int argc, char *argv[])
} else if (family == AF_UNIX) {
ret = 0;
 
-   if ((s = unix_connect(host)) > 0 && !zflag) {
-   readwrite(s, NULL);
+   if ((s = unix_connect(host)) > 0) {
+   if (!zflag)
+   readwrite(s, NULL);
close(s);
} else
ret = 1;
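Review bot: The rewritten test `(s = unix_connect(host)) > 0` still treats descriptor 0 as a failure, so if nc is started with stdin closed a successful connect would take the `ret = 1` branch and the socket would never be closed. Assuming unix_connect returns -1 on error (its body is not in this hunk), `if ((s = unix_connect(host)) != -1) {` would be the accurate check. This part of main() continues outside the hunk.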



Re: add empty /root/.ssh/authorized_keys to mtree/sets ?

2017-02-09 Thread Theo Buehler
On Thu, Feb 09, 2017 at 06:19:54PM +0100, Landry Breuil wrote:
> On Sun, Feb 05, 2017 at 08:37:31PM +, Stuart Henderson wrote:
> > On 2017/02/05 09:53, Robert Peichaer wrote:
> > > On Sun, Feb 05, 2017 at 10:46:41AM +0100, Landry Breuil wrote:
> > > > Hi,
> > > > 
> > > > when installing 'throwaway' VMs (manually, not always using autoinstall 
> > > > for
> > > > $REASONS) i've often found myself having to do right after the install:
> > > > install -d -m 700 /root/.ssh
> > > > install -m 600 /dev/null /root/.ssh/authorized_keys
> > > > (or touch /root/.ssh/authorized_keys && chmod 600
> > > > /root/.ssh/authorized_keys, ymmv)
> > > > 
> > > > those are present in /etc/skel for "real" users, so why not creating
> > > > them for the root account ? install.sub also creates /mnt/root/.ssh when
> > > > using autoinstall and giving an ssh pubkey, so that'll be one less step
> > > > to do there.
> > > > 
> > > > We advise ppl to set prohibit-password for PermitRootLogin, so why not 
> > > > make it
> > > > easier to use it ? This ways, the correct modes are set.. i often 
> > > > fat-fingered
> > > > this, to see sshd complaining (rightly!) about bad modes on 
> > > > .ssh/authorized_keys.
> > > 
> > > Conceptually I'd like this going in.
> > 
> > +1. (On "managed" systems I use root-owned authorized_keys in a system 
> > directory,
> > but this doesn't get in the way, and it makes things easier on ad-hoc 
> > installed
> > systems).
> 
> Finally built a release with this, the empty file is created in
> /var/sysmerge/etc.tgz, and sysmerge didnt overwrite my own
> /root/.ssh/authorized_keys - so i think i can now explicitely ask for okays.
> dtucker@ mentioned that in ${INSTALL} -c idiom the -c was a noop, but i kept 
> it
> for consistency.

Agree with that.

> Hopefully more ppl can chime in and think of potential drawbacks this
> diff exposes...

FWIW, I don't see a downside to this diff. 

> Sets diff added too, modeled after what's done for
> /etc/skel/.ssh/authorized_keys - dunno if it should be commited along the etc/
> change.

Yes, please commit the sets diff at the same time as the etc/Makefile
and the mtree diff, otherwise sysmerge won't pick it up. Also, please
commit this trivial diff for the installer at the same time so people
won't complain about autoinstall warnings.

with that

ok tb

Index: install.sub
===
RCS file: /var/cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.969
diff -u -p -r1.969 install.sub
--- install.sub 8 Feb 2017 23:13:02 -   1.969
+++ install.sub 9 Feb 2017 19:25:09 -
@@ -2868,7 +2868,6 @@ do_install(){
# During autoinstall, add root user's public ssh key to authorized_keys.
[[ -n "$_rootkey" ]] && (
umask 077
-   mkdir /mnt/root/.ssh
print -r -- "$_rootkey" >>/mnt/root/.ssh/authorized_keys
)
 



Re: rip6 and icmp6stat percpu counters

2017-02-09 Thread Alexander Bluhm
On Thu, Feb 09, 2017 at 08:39:42PM +0100, Jeremie Courreges-Anglas wrote:
> Initial diff committed.  The diff below should save a few bytes.
> 
> ok?

OK bluhm@

> Index: icmp6.c
> ===
> RCS file: /d/cvs/src/sys/netinet6/icmp6.c,v
> retrieving revision 1.200
> diff -u -p -p -u -r1.200 icmp6.c
> --- icmp6.c   9 Feb 2017 15:23:35 -   1.200
> +++ icmp6.c   9 Feb 2017 18:55:52 -
> @@ -156,57 +156,60 @@ icmp6_init(void)
>  void
>  icmp6_errcount(int type, int code)
>  {
> + enum icmp6stat_counters c = icp6s_ounknown;
> +
>   switch (type) {
>   case ICMP6_DST_UNREACH:
>   switch (code) {
>   case ICMP6_DST_UNREACH_NOROUTE:
> - icmp6stat_inc(icp6s_odst_unreach_noroute);
> - return;
> + c = icp6s_odst_unreach_noroute;
> + break;
>   case ICMP6_DST_UNREACH_ADMIN:
> - icmp6stat_inc(icp6s_odst_unreach_admin);
> - return;
> + c = icp6s_odst_unreach_admin;
> + break;
>   case ICMP6_DST_UNREACH_BEYONDSCOPE:
> - icmp6stat_inc(icp6s_odst_unreach_beyondscope);
> - return;
> + c = icp6s_odst_unreach_beyondscope;
> + break;
>   case ICMP6_DST_UNREACH_ADDR:
> - icmp6stat_inc(icp6s_odst_unreach_addr);
> - return;
> + c = icp6s_odst_unreach_addr;
> + break;
>   case ICMP6_DST_UNREACH_NOPORT:
> - icmp6stat_inc(icp6s_odst_unreach_noport);
> - return;
> + c = icp6s_odst_unreach_noport;
> + break;
>   }
>   break;
>   case ICMP6_PACKET_TOO_BIG:
> - icmp6stat_inc(icp6s_opacket_too_big);
> - return;
> + c = icp6s_opacket_too_big;
> + break;
>   case ICMP6_TIME_EXCEEDED:
>   switch (code) {
>   case ICMP6_TIME_EXCEED_TRANSIT:
> - icmp6stat_inc(icp6s_otime_exceed_transit);
> - return;
> + c = icp6s_otime_exceed_transit;
> + break;
>   case ICMP6_TIME_EXCEED_REASSEMBLY:
> - icmp6stat_inc(icp6s_otime_exceed_reassembly);
> - return;
> + c = icp6s_otime_exceed_reassembly;
> + break;
>   }
>   break;
>   case ICMP6_PARAM_PROB:
>   switch (code) {
>   case ICMP6_PARAMPROB_HEADER:
> - icmp6stat_inc(icp6s_oparamprob_header);
> - return;
> + c = icp6s_oparamprob_header;
> + break;
>   case ICMP6_PARAMPROB_NEXTHEADER:
> - icmp6stat_inc(icp6s_oparamprob_nextheader);
> - return;
> + c = icp6s_oparamprob_nextheader;
> + break;
>   case ICMP6_PARAMPROB_OPTION:
> - icmp6stat_inc(icp6s_oparamprob_option);
> - return;
> + c = icp6s_oparamprob_option;
> + break;
>   }
>   break;
>   case ND_REDIRECT:
> - icmp6stat_inc(icp6s_oredirect);
> - return;
> + c = icp6s_oredirect;
> + break;
>   }
> - icmp6stat_inc(icp6s_ounknown);
> +
> + icmp6stat_inc(c);
>  }
>  
>  /*
> 
> -- 
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: rip6 and icmp6stat percpu counters

2017-02-09 Thread Jeremie Courreges-Anglas
Jeremie Courreges-Anglas  writes:

> In icmp6_errcount() we could save a few function calls but I preferred
> to keep the conversion as mechanical as possible.

Initial diff committed.  The diff below should save a few bytes.

ok?


Index: icmp6.c
===
RCS file: /d/cvs/src/sys/netinet6/icmp6.c,v
retrieving revision 1.200
diff -u -p -p -u -r1.200 icmp6.c
--- icmp6.c 9 Feb 2017 15:23:35 -   1.200
+++ icmp6.c 9 Feb 2017 18:55:52 -
@@ -156,57 +156,60 @@ icmp6_init(void)
 void
 icmp6_errcount(int type, int code)
 {
+   enum icmp6stat_counters c = icp6s_ounknown;
+
switch (type) {
case ICMP6_DST_UNREACH:
switch (code) {
case ICMP6_DST_UNREACH_NOROUTE:
-   icmp6stat_inc(icp6s_odst_unreach_noroute);
-   return;
+   c = icp6s_odst_unreach_noroute;
+   break;
case ICMP6_DST_UNREACH_ADMIN:
-   icmp6stat_inc(icp6s_odst_unreach_admin);
-   return;
+   c = icp6s_odst_unreach_admin;
+   break;
case ICMP6_DST_UNREACH_BEYONDSCOPE:
-   icmp6stat_inc(icp6s_odst_unreach_beyondscope);
-   return;
+   c = icp6s_odst_unreach_beyondscope;
+   break;
case ICMP6_DST_UNREACH_ADDR:
-   icmp6stat_inc(icp6s_odst_unreach_addr);
-   return;
+   c = icp6s_odst_unreach_addr;
+   break;
case ICMP6_DST_UNREACH_NOPORT:
-   icmp6stat_inc(icp6s_odst_unreach_noport);
-   return;
+   c = icp6s_odst_unreach_noport;
+   break;
}
break;
case ICMP6_PACKET_TOO_BIG:
-   icmp6stat_inc(icp6s_opacket_too_big);
-   return;
+   c = icp6s_opacket_too_big;
+   break;
case ICMP6_TIME_EXCEEDED:
switch (code) {
case ICMP6_TIME_EXCEED_TRANSIT:
-   icmp6stat_inc(icp6s_otime_exceed_transit);
-   return;
+   c = icp6s_otime_exceed_transit;
+   break;
case ICMP6_TIME_EXCEED_REASSEMBLY:
-   icmp6stat_inc(icp6s_otime_exceed_reassembly);
-   return;
+   c = icp6s_otime_exceed_reassembly;
+   break;
}
break;
case ICMP6_PARAM_PROB:
switch (code) {
case ICMP6_PARAMPROB_HEADER:
-   icmp6stat_inc(icp6s_oparamprob_header);
-   return;
+   c = icp6s_oparamprob_header;
+   break;
case ICMP6_PARAMPROB_NEXTHEADER:
-   icmp6stat_inc(icp6s_oparamprob_nextheader);
-   return;
+   c = icp6s_oparamprob_nextheader;
+   break;
case ICMP6_PARAMPROB_OPTION:
-   icmp6stat_inc(icp6s_oparamprob_option);
-   return;
+   c = icp6s_oparamprob_option;
+   break;
}
break;
case ND_REDIRECT:
-   icmp6stat_inc(icp6s_oredirect);
-   return;
+   c = icp6s_oredirect;
+   break;
}
-   icmp6stat_inc(icp6s_ounknown);
+
+   icmp6stat_inc(c);
 }
 
 /*
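Review bot: With the early returns gone, the "unknown" case in icmp6_errcount now depends entirely on the initializer `c = icp6s_ounknown`, and the inner `switch (code)` blocks have no `default` to show that an unmatched code is meant to fall back to it. A one-line comment at the declaration, e.g. `/* stays icp6s_ounknown unless type/code match below */`, would keep a later edit from dropping the initializer or restructuring the switches without noticing that dependency.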

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: ldpad(8): fix deletion of individual attribute values

2017-02-09 Thread Matthew Weigel

On 2017-02-06 1:31, Robert Klein wrote:

TL;DR: OpenBSD's ldapd(8) has issues when deleting individual attribute
values.  Patch below.


I am not an OpenBSD developer, so take what I have to say with that in
mind...

I haven't had a chance to test this yet, but looking at your code and
reading the explanation makes sense.  I did notice it looked like one
line had spaces creep in instead of tabs ("next = v->be_next;"), and
the comment for case LDAP_MOD_DELETE doesn't have a column of asterisks
(or the general style guideline of "Make them real sentences.").



ZHANG Huangbin reported a misbehaviour in ldapd(8)'s MOD_DELETE
operation when connecting to ldapd(8) with the python-ldap library.
In ldapd(8) the MOD_DELETE operation always deletes all values of an
attribute and not only those specified in the request.  (Mails from
Zhang Huangbin to bugs@ on May 18, 2016 and December 30, 2016).

I reproduced this issue connecting to ldapd(8) with the openLDAP client
tools (instead of the python-ldap library).

To illustrate the issue, let's take this LDAP entry (take note of the
"memberUID" attribute and its values):


dn: cn=detectives,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: detectives
gidNumber: 1012
memberUID: dasinger
memberUID: wergard
memberUID: gems
memberUID: amberdon
description: Detectives of the Kyth Interstaller Detective Agency


To delete the memberUID value of "amberdon" from this entry you submit
the following LDIF to the ldapd server:


dn: cn=detectives,ou=group,dc=example,dc=org
changeType: modify
delete: memberUid
memberUid: amberdon


I'm using the openLDAP command line tool "ldapmodify" for this.  The
LDIF above is the contents of a file "del_amberdon.ldif":


ldapmodify -x -h $HOST -p 389 -D $BINDDN -w $PASSWD del_amberdon.ldif


The expected result would be a "detectives" group of:


dn: cn=detectives,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: detectives
gidNumber: 1012
memberUID: dasinger
memberUID: wergard
memberUID: gems
description: Detectives of the Kyth Interstaller Detective Agency


However, ldapd(8) now has removed all values for the "memberUID"
attribute (in LDAP parlance "the entire attribute is removed") and you
get the following entry::


dn: cn=detectives,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: detectives
gidNumber: 1012
description: Detectives of the Kyth Interstaller Detective Agency



Looking at the source, I found these issues (suggested fixes in
parentheses, tentative patch attached):

- in modify.c:ldap_modify(), lines 298 ff., in case LDAP_MOD_DELETE
  there was a check for BER_TYPE_SET, however

  1. AttributeValues are always in a set, even if it is empty
 (PartialAttribute, see RFC4511, Section 4.1.7), so that check
 couldn't have worked, even if the right variable had been checked
 --- see next point.

  2. The `vals' variable has a value of SET, however the variable
 checked, `vals->be_sup' is already an element of the set, that is,
 either it has a type of EOC (when there are no attribute values),
 or it has a type of OCTETSTRING and contains the first attribute
 value. (Look for a type of BER_TYPE_OCTETSTRING instead).




- in attributes.c:ldap_del_values(), lines 222 ff.

  1. the elements inspected (variables `vk' and `xk') are not those
 containing the attribute values; the attribute values are in `v'
 and `x', `xk' and `vk' are (probably) uninitialized.  (Use `v' and
 `x' instead.)

  2. When freeing the element found, current `v' is freed, and
 `v->be_next' has no meaning anymore. (Use `next' variable to save
 the pointer.)

  3. Setting `prev' to `v' is wrong when an element has been
 removed. (Set a flag if element is removed and re-set `prev' only
 if the flag isn't set.)


- in ber.c:ber_free_elements() the current and all following elements
  are freed.  (Add ber_free_element() which frees only the current
  element and use this function in attributes.c:ldap_del_values().)


Index: attributes.c
===
RCS file: /cvs/src/usr.sbin/ldapd/attributes.c,v
retrieving revision 1.4
diff -u -p -r1.4 attributes.c
--- attributes.c20 Jan 2017 11:55:08 -  1.4
+++ attributes.c1 Feb 2017 14:34:42 -
@@ -207,9 +207,9 @@ int
 ldap_del_values(struct ber_element *elm, struct ber_element *vals)
 {
char*attr;
-   struct ber_element  *old_vals, *v, *x, *vk, *xk, *prev;
+   struct ber_element  *old_vals, *v, *x, *prev, *next;
struct ber_element  *removed;
-
+   int removed_p;
assert(elm);
assert(vals);
assert(vals->be_sub);
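Review bot: The hunk replaces the blank line after the declarations with `int removed_p;`, so ldap_del_values no longer has a separator between its declarations and the first `assert(elm);`, and the new declaration's spacing does not line up with the `struct ber_element` ones above it. I would keep the blank line and add the flag as its own aligned declaration, with a short comment such as `/* set when the current value was unlinked */`, since the name alone does not say what was removed. The rest of the function, including the loop that uses `next` and `removed_p`, is outside this hunk.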
@@ -220,19 +220,25 @@ ldap_del_values(struct ber_element *elm,
}

prev = old_vals;
-   for (v = old_vals->be_sub; v; v = v->be_next) {
-   vk = v->be_sub;
+   removed_p = 0;
+   for (v = old_vals->be_sub; v; v = next) {
+

Re: add empty /root/.ssh/authorized_keys to mtree/sets ?

2017-02-09 Thread Landry Breuil
On Thu, Feb 09, 2017 at 06:19:54PM +0100, Landry Breuil wrote:
> On Sun, Feb 05, 2017 at 08:37:31PM +, Stuart Henderson wrote:
> > On 2017/02/05 09:53, Robert Peichaer wrote:
> > > On Sun, Feb 05, 2017 at 10:46:41AM +0100, Landry Breuil wrote:
> > > > Hi,
> > > > 
> > > > when installing 'throwaway' VMs (manually, not always using autoinstall 
> > > > for
> > > > $REASONS) i've often found myself having to do right after the install:
> > > > install -d -m 700 /root/.ssh
> > > > install -m 600 /dev/null /root/.ssh/authorized_keys
> > > > (or touch /root/.ssh/authorized_keys && chmod 600
> > > > /root/.ssh/authorized_keys, ymmv)
> > > > 
> > > > those are present in /etc/skel for "real" users, so why not creating
> > > > them for the root account ? install.sub also creates /mnt/root/.ssh when
> > > > using autoinstall and giving an ssh pubkey, so that'll be one less step
> > > > to do there.
> > > > 
> > > > We advise ppl to set prohibit-password for PermitRootLogin, so why not 
> > > > make it
> > > > easier to use it ? This ways, the correct modes are set.. i often 
> > > > fat-fingered
> > > > this, to see sshd complaining (rightly!) about bad modes on 
> > > > .ssh/authorized_keys.
> > > 
> > > Conceptually I'd like this going in.
> > 
> > +1. (On "managed" systems I use root-owned authorized_keys in a system 
> > directory,
> > but this doesn't get in the way, and it makes things easier on ad-hoc 
> > installed
> > systems).
> 
> Finally built a release with this, the empty file is created in
> /var/sysmerge/etc.tgz, and sysmerge didnt overwrite my own
> /root/.ssh/authorized_keys - so i think i can now explicitely ask for okays.
> dtucker@ mentioned that in ${INSTALL} -c idiom the -c was a noop, but i kept 
> it
> for consistency.
> Hopefully more ppl can chime in and think of potential drawbacks this
> diff exposes...

One of the drawbacks i see is that ppl *might* get a security alert from
changelist if the (empty) file suddenly appears after an upgrade... but
i think we can/should live with that ?

Landry



Re: add empty /root/.ssh/authorized_keys to mtree/sets ?

2017-02-09 Thread Landry Breuil
On Sun, Feb 05, 2017 at 08:37:31PM +, Stuart Henderson wrote:
> On 2017/02/05 09:53, Robert Peichaer wrote:
> > On Sun, Feb 05, 2017 at 10:46:41AM +0100, Landry Breuil wrote:
> > > Hi,
> > > 
> > > when installing 'throwaway' VMs (manually, not always using autoinstall 
> > > for
> > > $REASONS) i've often found myself having to do right after the install:
> > > install -d -m 700 /root/.ssh
> > > install -m 600 /dev/null /root/.ssh/authorized_keys
> > > (or touch /root/.ssh/authorized_keys && chmod 600
> > > /root/.ssh/authorized_keys, ymmv)
> > > 
> > > those are present in /etc/skel for "real" users, so why not creating
> > > them for the root account ? install.sub also creates /mnt/root/.ssh when
> > > using autoinstall and giving an ssh pubkey, so that'll be one less step
> > > to do there.
> > > 
> > > We advise ppl to set prohibit-password for PermitRootLogin, so why not 
> > > make it
> > > easier to use it ? This ways, the correct modes are set.. i often 
> > > fat-fingered
> > > this, to see sshd complaining (rightly!) about bad modes on 
> > > .ssh/authorized_keys.
> > 
> > Conceptually I'd like this going in.
> 
> +1. (On "managed" systems I use root-owned authorized_keys in a system 
> directory,
> but this doesn't get in the way, and it makes things easier on ad-hoc 
> installed
> systems).

Finally built a release with this, the empty file is created in
/var/sysmerge/etc.tgz, and sysmerge didn't overwrite my own
/root/.ssh/authorized_keys - so i think i can now explicitly ask for okays.
dtucker@ mentioned that in ${INSTALL} -c idiom the -c was a noop, but i kept it
for consistency.
Hopefully more ppl can chime in and think of potential drawbacks this
diff exposes...

Sets diff added too, modeled after what's done for
/etc/skel/.ssh/authorized_keys - dunno if it should be commited along the etc/
change.

Landry

Index: etc/Makefile
===
RCS file: /cvs/src/etc/Makefile,v
retrieving revision 1.449
diff -u -r1.449 Makefile
--- etc/Makefile2 Feb 2017 21:35:05 -   1.449
+++ etc/Makefile9 Feb 2017 17:13:00 -
@@ -110,6 +110,8 @@
${DESTDIR}/root/.Xdefaults; \
${INSTALL} -c -o root -g wheel -m 644 dot.cvsrc \
${DESTDIR}/root/.cvsrc; \
+   ${INSTALL} -c -o root -g wheel -m 600 /dev/null \
+   ${DESTDIR}/root/.ssh/authorized_keys; \
rm -f ${DESTDIR}/.cshrc ${DESTDIR}/.profile; \
${INSTALL} -c -o root -g wheel -m 644 dot.cshrc \
${DESTDIR}/.cshrc; \
Index: etc/mtree/4.4BSD.dist
===
RCS file: /cvs/src/etc/mtree/4.4BSD.dist,v
retrieving revision 1.293
diff -u -r1.293 4.4BSD.dist
--- etc/mtree/4.4BSD.dist   27 Dec 2016 09:17:52 -  1.293
+++ etc/mtree/4.4BSD.dist   9 Feb 2017 17:13:00 -
@@ -118,6 +118,8 @@
 mnt
 ..
 root   mode=0700
+.ssh   uname=root mode=0700
+..
 ..
 sbin
 ..


Index: distrib/sets/lists/base/mi
===
RCS file: /cvs/src/distrib/sets/lists/base/mi,v
retrieving revision 1.820
diff -u -r1.820 mi
--- distrib/sets/lists/base/mi  7 Feb 2017 21:32:48 -   1.820
+++ distrib/sets/lists/base/mi  9 Feb 2017 17:12:42 -
@@ -232,6 +232,7 @@
 ./home
 ./mnt
 ./root
+./root/.ssh
 ./sbin
 ./sbin/atactl
 ./sbin/badsect
Index: distrib/sets/lists/etc/mi
===
RCS file: /cvs/src/distrib/sets/lists/etc/mi,v
retrieving revision 1.211
diff -u -r1.211 mi
--- distrib/sets/lists/etc/mi   1 Oct 2016 16:58:29 -   1.211
+++ distrib/sets/lists/etc/mi   9 Feb 2017 17:12:42 -
@@ -50,6 +50,7 @@
 ./root/.cvsrc
 ./root/.login
 ./root/.profile
+./root/.ssh/authorized_keys
 ./var/crash/minfree
 ./var/cron/at.deny
 ./var/cron/cron.deny



Re: Test wanted: free unix domain (a.k.a SOCKET_LOCK())

2017-02-09 Thread Todd C. Miller
On Thu, 09 Feb 2017 08:27:51 -0700, "Todd C. Miller" wrote:

> On Thu, 09 Feb 2017 12:36:44 +0100, Martin Pieuchot wrote:
> 
> > dtucker@ reported an interesting recursion [0]. His trace shows that
> > a thread executing unp_detach() MUST NOT be holding the NET_LOCK().
> > 
> > So here's a new version of my SOCKET_LOCK() diff that does exactly
> > that.  That means sofree(9) won't grab the NET_LOCK() for unix sockets
> > which makes uipc_usrreq() completely NET_LOCK() free.
> 
> The NET_ASSERT_UNLOCKED() in the PRU_BIND case in uipc_usrreq()
> appears to be superfluous since you've added an assert before the
> switch() too.

Also, since unp_connect() is only called via uipc_usrreq() there
is no need for NET_ASSERT_UNLOCKED() in unp_connect().

 - todd



unbound 1.6.1rc1

2017-02-09 Thread Stuart Henderson
Here's an update to the release candidate for 1.6.1. Tests/feedback welcome.
Diff is 600K so it's at https://junkpile.org/unbound-1.6.1rc1.diff rather
than inline.

Small change compared to upstream, we don't install the library so
autoconf has been edited to avoid requiring contrib/libunbound.pc.in.

Here's the changelog since the last version we have (1.5.9), there were
one or two things backported already but not much.


9 February 2017: Wouter
- tag 1.6.1rc1.

8 February 2017: Wouter
- Fix for type name change and fix warning on windows compile.

7 February 2017: Wouter
- Include root trust anchor id 20326 in unbound-anchor.

6 February 2017: Wouter
- Fix compile on solaris of the fix to use $host detect.

4 February 2017: Wouter
- fix root_anchor test for updated icannbundle.pem lower certificates.

26 January 2017: Wouter
- Fix 1211: Fix can't enable interface-automatic if no IPv6 with
  more helpful error message.

20 January 2017: Wouter
- Increase MAX_MODULE to 16.

19 January 2017: Wouter
- Fix to Rename ub_callback_t to ub_callback_type, because POSIX
  reserves _t typedefs.
- Fix to rename internally used types from _t to _type, because _t
  type names are reserved by POSIX.
- iana portlist update

12 January 2017: Wouter
- Fix to also block meta types 128 through to 248 with formerr. 
- Fix #1206: Some view-related commands are missing from 
'unbound-control -h'

9 January 2017: Wouter
- Fix #1202: Fix code comment that packed_rrset_data is not always
  'packed'.

6 January 2017: Wouter
- Fix #1201: Fix missing unlock in answer_from_cache error condition.

5 January 2017: Wouter
- Fix to return formerr for queries for meta-types, to avoid
  packet amplification if this meta-type is sent on to upstream.
- Fix #1184: Log DNS replies. This includes the same logging
  information that DNS queries and response code and response size,
  patch from Larissa Feng.
- Fix #1185: Source IP rate limiting, patch from Larissa Feng.

3 January 2017: Wouter
- configure --enable-systemd and lets unbound use systemd sockets if
  you enable use-systemd: yes in unbound.conf.
  Also there are contrib/unbound.socket and contrib/unbound.service:
  systemd files for unbound, install them in /usr/lib/systemd/system.
  Contributed by Sami Kerola and Pavel Odintsov.
- Fix reload chdir failure when also chrooted to that directory.

2 January 2017: Wouter
- Fix #1194: Cross build fails when $host isn't `uname` for getentropy.

23 December 2016: Ralph
- Fix #1190: Do not echo back EDNS options in local-zone error response.
- iana portlist update

21 December 2016: Ralph
- Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
  with Nettle

19 December 2016: Ralph
- Fix #1191: remove comment about view deletion.

15 December 2016: Wouter
- iana portlist update
- 64bit is default for windows builds.
- Fix inet_ntop and inet_pton warnings in windows compile.

14 December 2016: Wouter
- Fix #1178: attempt to fix setup error at end, pop result values
  at end of install.

13 December 2016: Wouter
- Fix #1182: Fix Resource leak (socket), at startup.
- Fix unbound-control and ipv6 only.

9 December 2016: Wouter
- Fix #1176: stack size too small for Alpine Linux.

8 December 2016: Wouter
- Fix downcast warnings from visual studio in sldns code.
- tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.

7 December 2016: Ralph
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL

6 December 2016: George
- Added generic EDNS code for registering known EDNS option codes,
  bypassing the cache response stage and uniquifying mesh states. Four 
EDNS
  option lists were added to module_qstate (module_qstate.edns_opts_*) 
to
  store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store) 
that
  control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered
  functions can be called just before replying with local data or Chaos,
  replying from cache, replying with SERVFAIL, replying with a resolved
  query, sending a query to a nameserver. The functions can inspect the
  available data and maybe change response/query related data (i.e. 
append
  EDNS options).
- Updated Python module for the above.
- Updated Python documentation.

5 December 2016: Ralph
- Fix #1173: differ local-zone type deny from unset
  tag_actions element.

5 December 2016: Wouter
- Fix #1170: document that 

Re: Test wanted: free unix domain (a.k.a SOCKET_LOCK())

2017-02-09 Thread Todd C. Miller
On Thu, 09 Feb 2017 12:36:44 +0100, Martin Pieuchot wrote:

> dtucker@ reported an interesting recursion [0]. His trace shows that
> a thread executing unp_detach() MUST NOT be holding the NET_LOCK().
> 
> So here's a new version of my SOCKET_LOCK() diff that does exactly
> that.  That means sofree(9) won't grab the NET_LOCK() for unix sockets
> which makes uipc_usrreq() completely NET_LOCK() free.

The NET_ASSERT_UNLOCKED() in the PRU_BIND case in uipc_usrreq()
appears to be superfluous since you've added an assert before the
switch() too.

 - todd



OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
Hey,

ospfd on 6.0-stable gets stuck in EXCHG/EXSTA while neighboring with a Dell N3048
switch.
According to some documentation around, this is due to an MTU mismatch.

This is not in my case.

N3048:
system jumbo mtu 1512

obsd:
trunk1: flags=8943 mtu 1500
lladdr 00:25:90:78:62:b6
description: HW_INTERNAL
index 12 priority 0 llprio 3
trunk: trunkproto lacp
trunk id: [(8000,00:25:90:78:62:b6,4064,,),
 (0001,f8:b1:56:61:a1:e4,02AE,,)]
trunkport bnx1 active,collecting,distributing
trunkport em1 active,collecting,distributing
groups: trunk
media: Ethernet autoselect
status: active
inet 10.4.255.27 netmask 0xffe0 broadcast 10.4.255.31

ping with diff size of pkts and tcpdump reveals that there is no MTU mismatch.

Restarting ospfd does not help, only a REBOOT does.

I decided to dig into this and found that setting the MTU size on trunk1
reproduces this 100% of the time.
The value does not actually change, but the problem with ospfd can be triggered this
way:

# ifconfig trunk1 mtu 1500
# rcctl restart ospfd

and now ospfd will be stuck in EXCHG/EXSTA. Reboot helps always.

Then I tried to put mtu for each face involved in trunk1. Result is then same - 
triggered with ’ifconfig trunk1 mtu 1500’.

# cat /etc/hostname.bnx1
up mtu 1500

# cat /etc/hostname.em1
up mtu 1500

Any ideas?

Br
mxb



Re: [WWW] faq/current.html - acme.conf -> acme-client.conf

2017-02-09 Thread Theo Buehler
On Thu, Feb 09, 2017 at 12:53:53PM +, Raf Czlonka wrote:
> Hi all,
> 
> There a typo in the acme-client config file name in faq/current.html[0]
> 
> Patch below?

Applied. Thanks.

> 
> [0] https://www.openbsd.org/faq/current.html
> 
> Cheers,
> 
> Raf
> 
> P.S. Given that the config file supports includes, what do people
> think of changing it to something along the lines of:
> 
> It is recommended that you leave all current content of the
> new /etc/acme-client.conf untouched, put your domain { }
> sections in separate files and use the _include_ keyword.
> This will make future upgrades easier.

Isn't this overkill? The domain rules are only a few lines.



Test wanted: free unix domain (a.k.a SOCKET_LOCK())

2017-02-09 Thread Martin Pieuchot
dtucker@ reported an interesting recursion [0]. His trace shows that
a thread executing unp_detach() MUST NOT be holding the NET_LOCK().

So here's a new version of my SOCKET_LOCK() diff that does exactly
that.  That means sofree(9) won't grab the NET_LOCK() for unix sockets
which makes uipc_usrreq() completely NET_LOCK() free.

Please test and report back.

[0] https://marc.info/?l=openbsd-misc&m=148661605114230&w=2

Index: kern/sys_socket.c
===
RCS file: /cvs/src/sys/kern/sys_socket.c,v
retrieving revision 1.28
diff -u -p -r1.28 sys_socket.c
--- kern/sys_socket.c   31 Jan 2017 12:16:20 -  1.28
+++ kern/sys_socket.c   9 Feb 2017 11:21:44 -
@@ -38,6 +38,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -127,10 +128,10 @@ soo_ioctl(struct file *fp, u_long cmd, c
}
if (IOCGROUP(cmd) == 'r')
return (EOPNOTSUPP);
-   NET_LOCK(s);
+   SOCKET_LOCK(so, s);
error = ((*so->so_proto->pr_usrreq)(so, PRU_CONTROL, 
(struct mbuf *)cmd, (struct mbuf *)data, (struct mbuf *)NULL, p));
-   NET_UNLOCK(s);
+   SOCKET_UNLOCK(s);
 
return (error);
 }
@@ -187,10 +188,10 @@ soo_stat(struct file *fp, struct stat *u
ub->st_mode |= S_IWUSR | S_IWGRP | S_IWOTH;
ub->st_uid = so->so_euid;
ub->st_gid = so->so_egid;
-   NET_LOCK(s);
+   SOCKET_LOCK(so, s);
(void) ((*so->so_proto->pr_usrreq)(so, PRU_SENSE,
(struct mbuf *)ub, NULL, NULL, p));
-   NET_UNLOCK(s);
+   SOCKET_UNLOCK(s);
return (0);
 }
 
Index: kern/uipc_socket.c
===
RCS file: /cvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.176
diff -u -p -r1.176 uipc_socket.c
--- kern/uipc_socket.c  1 Feb 2017 20:59:47 -   1.176
+++ kern/uipc_socket.c  9 Feb 2017 11:21:44 -
@@ -135,16 +135,16 @@ socreate(int dom, struct socket **aso, i
so->so_egid = p->p_ucred->cr_gid;
so->so_cpid = p->p_p->ps_pid;
so->so_proto = prp;
-   NET_LOCK(s);
+   SOCKET_LOCK(so, s);
error = (*prp->pr_usrreq)(so, PRU_ATTACH, NULL,
(struct mbuf *)(long)proto, NULL, p);
if (error) {
so->so_state |= SS_NOFDREF;
sofree(so);
-   NET_UNLOCK(s);
+   SOCKET_UNLOCK(s);
return (error);
}
-   NET_UNLOCK(s);
+   SOCKET_UNLOCK(s);
*aso = so;
return (0);
 }
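Review bot: On the error path `sofree(so)` runs before `SOCKET_UNLOCK(s)`, and with `SS_NOFDREF` just set the socket may already have been released by then, so the unlock must never look at `so`. That is presumably why the unlock macro takes only `s`, but the constraint is not obvious at the call site. I would add `/* so may be freed by sofree(); SOCKET_UNLOCK() must not dereference it */` above the unlock in the error branch. socreate() starts outside the hunk and the macro definitions are not in this part of the diff, so how `s` records which lock was taken could not be checked here.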
@@ -154,9 +154,9 @@ sobind(struct socket *so, struct mbuf *n
 {
int s, error;
 
-   NET_LOCK(s);
+   SOCKET_LOCK(so, s);
error = (*so->so_proto->pr_usrreq)(so, PRU_BIND, NULL, nam, NULL, p);
-   NET_UNLOCK(s);
+   SOCKET_UNLOCK(s);
return (error);
 }
 
@@ -171,11 +171,11 @@ solisten(struct socket *so, int backlog)
if (isspliced(so) || issplicedback(so))
return (EOPNOTSUPP);
 #endif /* SOCKET_SPLICE */
-   NET_LOCK(s);
+   SOCKET_LOCK(so, s);
error = (*so->so_proto->pr_usrreq)(so, PRU_LISTEN, NULL, NULL, NULL,
curproc);
if (error) {
-   NET_UNLOCK(s);
+   SOCKET_UNLOCK(s);
return (error);
}
if (TAILQ_FIRST(>so_q) == NULL)
@@ -185,15 +185,13 @@ solisten(struct socket *so, int backlog)
if (backlog < sominconn)
backlog = sominconn;
so->so_qlimit = backlog;
-   NET_UNLOCK(s);
+   SOCKET_UNLOCK(s);
return (0);
 }
 
 void
 sofree(struct socket *so)
 {
-   NET_ASSERT_LOCKED();
-
if (so->so_pcb || (so->so_state & SS_NOFDREF) == 0)
return;
if (so->so_head) {
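Review bot: sofree() loses its lock assertion entirely, although according to the mail only the unix-domain path has to run without NET_LOCK(). Sockets of every other domain are no longer checked here either, which removes a safety net against an unlocked caller freeing a socket. The soaccept() hunk later in this diff swaps `NET_ASSERT_LOCKED();` for `SOCKET_ASSERT_LOCKED(so);`, and the same replacement here would keep the check for the non-unix case, assuming that macro is domain-aware (its definition is not visible in this part of the diff). sofree() continues past the end of the hunk.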
@@ -232,7 +230,7 @@ soclose(struct socket *so)
struct socket *so2;
int s, error = 0;
 
-   NET_LOCK(s);
+   SOCKET_LOCK(so, s);
if (so->so_options & SO_ACCEPTCONN) {
while ((so2 = TAILQ_FIRST(>so_q0)) != NULL) {
(void) soqremque(so2, 0);
@@ -256,7 +254,7 @@ soclose(struct socket *so)
(so->so_state & SS_NBIO))
goto drop;
while (so->so_state & SS_ISCONNECTED) {
-   error = rwsleep(>so_timeo, ,
+   error = sosleep(so, >so_timeo,
PSOCK | PCATCH, "netcls",
so->so_linger * hz);
if (error)
@@ -276,7 +274,7 @@ discard:
panic("soclose NOFDREF: so %p, so_type %d", so, so->so_type);
so->so_state |= SS_NOFDREF;
sofree(so);
-   NET_UNLOCK(s);
+   SOCKET_UNLOCK(s);
return (error);
 }
 
@@ -294,7 +292,7 @@ soaccept(struct socket *so, struct mbuf 
 {
int error = 0;
 
-   NET_ASSERT_LOCKED();
+   SOCKET_ASSERT_LOCKED(so);
 
if 

Fix config -p

2017-02-09 Thread Martin Pieuchot
One of the last build system changes broke 'config -p'.  Currently you
get:

$ cd /sys/arch/amd64/conf/
$ config -p GENERIC.MP
config -b /usr/src/sys/arch/amd64/compile/GENERIC.MP.PROF/obj -s
/usr/src/sys /usr/src/sys/arch/amd64/conf/GENERIC.MP.PROF
config: cannot read /usr/src/sys/arch/amd64/conf/GENERIC.MP.PROF: No
such file or directory
*** Error 2 in /usr/src/sys/arch/amd64/compile/GENERIC.MP.PROF
(../Makefile.inc:12 'config')

Diff below fixes that, ok?

Index: alpha/compile/Makefile.inc
===
RCS file: /cvs/src/sys/arch/alpha/compile/Makefile.inc,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile.inc
--- alpha/compile/Makefile.inc  5 Nov 2016 15:48:52 -   1.3
+++ alpha/compile/Makefile.inc  9 Feb 2017 10:13:53 -
@@ -9,7 +9,7 @@ config:
 .else
 .PHONY: config clean
 config:
-   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T}
+   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T:S/.PROF$//}
 .endif
 
 cleandir clean:
Index: amd64/compile/Makefile.inc
===
RCS file: /cvs/src/sys/arch/amd64/compile/Makefile.inc,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile.inc
--- amd64/compile/Makefile.inc  5 Nov 2016 15:48:53 -   1.3
+++ amd64/compile/Makefile.inc  9 Feb 2017 10:13:51 -
@@ -9,7 +9,7 @@ config:
 .else
 .PHONY: config clean
 config:
-   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T}
+   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T:S/.PROF$//}
 .endif
 
 cleandir clean:
Index: arm64/compile/Makefile.inc
===
RCS file: /cvs/src/sys/arch/arm64/compile/Makefile.inc,v
retrieving revision 1.1
diff -u -p -r1.1 Makefile.inc
--- arm64/compile/Makefile.inc  17 Dec 2016 23:38:33 -  1.1
+++ arm64/compile/Makefile.inc  9 Feb 2017 10:13:53 -
@@ -9,7 +9,7 @@ config:
 .else
 .PHONY: config clean
 config:
-   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T}
+   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T:S/.PROF$//}
 .endif
 
 cleandir clean:
Index: armv7/compile/Makefile.inc
===
RCS file: /cvs/src/sys/arch/armv7/compile/Makefile.inc,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile.inc
--- armv7/compile/Makefile.inc  5 Nov 2016 15:48:53 -   1.3
+++ armv7/compile/Makefile.inc  9 Feb 2017 10:13:53 -
@@ -9,7 +9,7 @@ config:
 .else
 .PHONY: config clean
 config:
-   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T}
+   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T:S/.PROF$//}
 .endif
 
 cleandir clean:
Index: hppa/compile/Makefile.inc
===
RCS file: /cvs/src/sys/arch/hppa/compile/Makefile.inc,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile.inc
--- hppa/compile/Makefile.inc   5 Nov 2016 15:48:53 -   1.3
+++ hppa/compile/Makefile.inc   9 Feb 2017 10:13:53 -
@@ -9,7 +9,7 @@ config:
 .else
 .PHONY: config clean
 config:
-   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T}
+   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T:S/.PROF$//}
 .endif
 
 cleandir clean:
Index: i386/compile/Makefile.inc
===
RCS file: /cvs/src/sys/arch/i386/compile/Makefile.inc,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile.inc
--- i386/compile/Makefile.inc   5 Nov 2016 15:48:53 -   1.3
+++ i386/compile/Makefile.inc   9 Feb 2017 10:13:53 -
@@ -9,7 +9,7 @@ config:
 .else
 .PHONY: config clean
 config:
-   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T}
+   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T:S/.PROF$//}
 .endif
 
 cleandir clean:
Index: landisk/compile/Makefile.inc
===
RCS file: /cvs/src/sys/arch/landisk/compile/Makefile.inc,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile.inc
--- landisk/compile/Makefile.inc5 Nov 2016 15:48:53 -   1.3
+++ landisk/compile/Makefile.inc9 Feb 2017 10:13:53 -
@@ -9,7 +9,7 @@ config:
 .else
 .PHONY: config clean
 config:
-   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T}
+   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T:S/.PROF$//}
 .endif
 
 cleandir clean:
Index: loongson/compile/Makefile.inc
===
RCS file: /cvs/src/sys/arch/loongson/compile/Makefile.inc,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile.inc
--- loongson/compile/Makefile.inc   5 Nov 2016 15:48:53 -   1.3
+++ loongson/compile/Makefile.inc   9 Feb 2017 10:13:53 -
@@ -9,7 +9,7 @@ config:
 .else
 .PHONY: config clean
 config:
-   config -b ${.OBJDIR} -s ${SYSDIR} ${CONFDIR}/${.CURDIR:T}
+   config -b ${.OBJDIR} -s