lex: malloc+memset -> calloc
Hello, Two instances of memset() can be removed in lex if calloc() is used instead of malloc(). - Michael Index: filter.c === RCS file: /cvs/src/usr.bin/lex/filter.c,v retrieving revision 1.7 diff -u -p -u -r1.7 filter.c --- filter.c18 Dec 2016 06:11:23 - 1.7 +++ filter.c17 Aug 2017 05:46:13 - @@ -50,10 +50,9 @@ filter_create_ext(struct filter * chain, va_list ap; /* allocate and initialize new filter */ - f = malloc(sizeof(struct filter)); + f = calloc(sizeof(struct filter), 1); if (!f) - flexerror(_("malloc failed (f) in filter_create_ext")); - memset(f, 0, sizeof(*f)); + flexerror(_("calloc failed (f) in filter_create_ext")); f->filter_func = NULL; f->extra = NULL; f->next = NULL; @@ -103,10 +102,9 @@ filter_create_int(struct filter * chain, struct filter *f; /* allocate and initialize new filter */ - f = malloc(sizeof(struct filter)); + f = calloc(sizeof(struct filter), 1); if (!f) - flexerror(_("malloc failed in filter_create_int")); - memset(f, 0, sizeof(*f)); + flexerror(_("calloc failed in filter_create_int")); f->next = NULL; f->argc = 0; f->argv = NULL;
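Review bot: in both hunks the calloc() arguments are given as (size, count); the conventional order is calloc(1, sizeof(*f)), which also keeps the size tied to the variable the way the removed memset(f, 0, sizeof(*f)) did. The context lines that follow each allocation (f->filter_func = NULL; f->extra = NULL; f->next = NULL; and f->argc = 0; f->argv = NULL;) repeat what the zeroed allocation already provides, so either drop them in the same change or keep them deliberately and say so in the commit message.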
Re: Improve the accuracy of the TSC frequency calibration (Was: Calculate the frequency of the tsc timecounter)
On Tue, Aug 8, 2017 at 10:12 PM, Mike Belopuhov wrote:
> On Tue, Aug 08, 2017 at 08:18 +0800, Adam Steen wrote:
>> On Mon, Jul 31, 2017 at 3:58 PM, Mike Belopuhov wrote:
>> > On Mon, Jul 31, 2017 at 09:48 +0800, Adam Steen wrote:
>> >> Ted Unangst wrote:
>> >> > we don't currently export this info, but we could add some sysctls. there's
>> >> > some cpufeatures stuff there, but generally stuff isn't exported until
>> >> > somebody finds a use for it... it shouldn't be too hard to add something to
>> >> > amd64/machdep.c sysctl if you're interested.
>> >>
>> >> I am interested, as i need the info, i will look into it and hopefully
>> >> come back with a patch.
>> >
>> > This is a bad idea because TSC as the time source is only usable
>> > by OpenBSD on Skylake and Kaby Lake CPUs since they encode the TSC
>> > frequency in the CPUID. All older CPUs have their TSCs measured
>> > against the PIT. Currently the measurement done by the kernel isn't
>> > very precise and if TSC is selected as a timecounter, the machine
>> > would be gaining time on a pace that cannot be corrected by our NTP
>> > daemon. (IIRC, about an hour a day on my Haswell running with NTP).
>> >
>> > To be able to use TSC as a timecounter source on OpenBSD or Solo5
>> > you'd have to improve the in-kernel measurement of the TSC frequency
>> > first. I've tried to perform 10 measurements and take an average and
>> > it does improve accuracy, however I believe we need to poach another
>> > bit from Linux and re-calibrate TSC via HPET:
>> >
>> >
>> > http://elixir.free-electrons.com/linux/v4.12.4/source/arch/x86/kernel/tsc.c#L409
>> >
>> > I think this is the most sane thing we can do. Here's a complete
>> > procedure that Linux kernel undertakes:
>> >
>> >
>> > http://elixir.free-electrons.com/linux/v4.12.4/source/arch/x86/kernel/tsc.c#L751
>> >
>> > Regards,
>> > Mike
>>
>> Hi Mike/All
>>
>> I would like to improve the accuracy of TSC frequency calibration as
>> Mike B. describes above.
>>
>> I initially thought the calibration would take place at line 470 of
>> amd64/identcpu.c
>> (https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/amd64/identcpu.c?annotate=1.87)
>>
>
> Indeed, it cannot happen there simply because you don't know at
> that point whether or not HPET actually exists.
>
>> But I looked into using the acpihpet directly but it is never exposed
>> outside of acpihpet.c.
>>
>
> And it shouldn't be.
>
>> Could someone point me to where it would be appropriate to complete
>> this calibration and how to use the acpihpet?
>
> The way I envision this is a multi-step approach:
>
> 1) TSC frequency is approximated with the PIT (possibly performing
> multiple measurements and averaging them out; also keep in mind that
> doing it 8 times means you can shift the sum right by 3 instead of
> using actual integer division). This is what should happen around
> the line 470 of identcpu.c
>
> 2) A function can be provided by identcpu.c to further adjust the
> TSC frequency once acpitimer(4) (this is a PM timer) and acpihpet(4)
> (or any other timer for that matter) are attached.
>
> 3) Once acpitimer(4) or acpihpet(4) or any other timecounter source
> are attached and are verified to be operating correctly, they can
> perform TSC re-calibration and update the TSC frequency with their
> measurements. The idea here is that the function (or functions) that
> facilitate this must abstract enough logic so that you don't have to
> duplicate it in the acpitimer or acpihpet themselves.
>
>> (Will it need to be
>> exposed like i8254_delay/delay_func/delay in machdep.c and cpu.h)
>>
>
> No it won't.
>
>> Lastly should the calibration be done using both delay(i8254 pit) and
>> hpet timers similar to Linux described above or just using the hpet?
>>
>
> Well, that's what I was arguing for. As I said in my initial mail
> on misc (not quoted here), the TSC must be calibrated using separate
> known clocks sources.

Hi Mike

Please see the below diff to improve the accuracy of the TSC frequency. It is modeled after the Linux calibration you linked to earlier. https://marc.info/?l=openbsd-misc&m=150148792804747&w=2

I feel like I don't know enough about the kernel internals, the consistency of the results across reboots is not as close as I would have liked, I feel the call to do the actual calibration should be later in the boot cycle, when things have calmed down a little, but couldn't figure out the best way of doing this.

Please bear with me, I haven't been programming C for long, but the only way to get things done is to do it yourself.

Cheers
Adam

Index: sys/arch/amd64/amd64/acpi_machdep.c === RCS file: /cvs/src/sys/arch/amd64/amd64/acpi_machdep.c,v retrieving revision 1.78 diff -u -p -u -p -r1.78 acpi_machdep.c --- sys/arch/amd64/amd64/acpi_machdep.c 27 Mar 2017 18:32:53 - 1.78 +++ sys/arch/amd64/amd64/acpi_machdep.c 17 Aug 2017 04:07:25 - @@ -69,6
Re: CID 1452946, 1452957: Uninitialized scalar variable (bridge_ipsec)
On Wed, Aug 16, 2017 at 05:18:09PM +0200, Mike Belopuhov wrote: > Hi, > > In may this year, the condition that would make this break do the > right thing got removed and now if a short packet is sent to an > ipsec-enabled bridge, various things like 'spi' and 'off' are left > uninitialized, but thankfully the gettdb call that follows will > most likely fail when presented with a random spi value. But it's > a nasty bug nevertheless. > > OK? OK bluhm@ > > diff --git sys/net/if_bridge.c sys/net/if_bridge.c > index 0e048205475..33d4753fd6b 100644 > --- sys/net/if_bridge.c > +++ sys/net/if_bridge.c > @@ -1404,11 +1404,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet > *ifp, > > if (dir == BRIDGE_IN) { > switch (af) { > case AF_INET: > if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) > - break; > + goto skiplookup; > > ip = mtod(m, struct ip *); > proto = ip->ip_p; > off = offsetof(struct ip, ip_p); > > @@ -1425,11 +1425,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet > *ifp, > > break; > #ifdef INET6 > case AF_INET6: > if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) > - break; > + goto skiplookup; > > ip6 = mtod(m, struct ip6_hdr *); > > /* XXX We should chase down the header chain */ > proto = ip6->ip6_nxt;
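Review bot: in both the AF_INET and AF_INET6 hunks the guard m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t) compares against a size_t, so if hlen could ever exceed m->m_pkthdr.len the negative difference is converted to a large unsigned value and the short-packet test does not fire. The type of hlen and what the caller guarantees are not visible in these hunks; if hlen <= m->m_pkthdr.len is not already enforced, an explicit check before the subtraction would make the guard hold on its own.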
tftp: use monotonic clock for statistics summary
Hi, Same deal here as in dd(1). We display the elapsed time so we want a monotonic clock. -- Scott Cheloha Index: usr.bin/tftp/tftp.c === RCS file: /cvs/src/usr.bin/tftp/tftp.c,v retrieving revision 1.24 diff -u -p -r1.24 tftp.c --- usr.bin/tftp/tftp.c 21 Oct 2014 06:15:16 - 1.24 +++ usr.bin/tftp/tftp.c 17 Aug 2017 01:44:46 - @@ -52,6 +52,7 @@ #include #include #include +#include #include #include @@ -83,8 +84,8 @@ extern int opt_tsize; extern int opt_tout; extern int opt_blksize; -struct timeval tstart; -struct timeval tstop; +struct timespectstart; +struct timespectstop; unsigned int segment_size = SEGSIZE; unsigned int packet_size = SEGSIZE + 4; @@ -548,13 +549,13 @@ tpacket(const char *s, struct tftphdr *t static void startclock(void) { - (void)gettimeofday(&tstart, NULL); + clock_gettime(CLOCK_MONOTONIC, &tstart); } static void stopclock(void) { - (void)gettimeofday(&tstop, NULL); + clock_gettime(CLOCK_MONOTONIC, &tstop); } static void @@ -563,8 +564,8 @@ printstats(const char *direction, unsign double delta; /* compute delta in 1/10's second units */ - delta = ((tstop.tv_sec * 10.) + (tstop.tv_usec / 10)) - - ((tstart.tv_sec * 10.) + (tstart.tv_usec / 10)); + delta = ((tstop.tv_sec * 10.) + (tstop.tv_nsec / 1)) - + ((tstart.tv_sec * 10.) + (tstart.tv_nsec / 1)); delta = delta / 10.;/* back to seconds */ printf("%s %lu bytes in %.1f seconds", direction, amount, delta); if (verbose)
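Review bot: in the printstats hunk, as the line reads here, tstop.tv_nsec / 1 adds raw nanoseconds to a value that is otherwise in tenths of a second, so delta comes out wrong by many orders of magnitude; converting nanoseconds to tenths of a second needs a divisor of 100000000. Subtracting the two timespecs first (timespecsub) and converting the result once would be harder to get wrong than scaling tstop and tstart separately. The added #include in the first hunk shows no header name here; clock_gettime() needs <time.h>.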
Re: hfsc_deferred race
On Tue, Aug 15, 2017 at 17:14 +0200, Mike Belopuhov wrote:
> Hi,
>
> I've just triggered an assert in hfsc_deferred (a callout) on an
> MP kernel running on an SP virtual machine:
>
> panic: kernel diagnostic assertion "HFSC_ENABLED(ifq)" failed: file
> "/home/mike/src/openbsd/sys/net/hfsc.c", line 950
> Stopped at db_enter+0x9: leave
> TIDPIDUID PRFLAGS PFLAGS CPU COMMAND
> *247463 28420 0 0x3 00 pfctl
> db_enter() at db_enter+0x9
>
> panic(817f78f0,4,81a3ffc0,8110c140,800c2060,fff
> f81598b1c) at panic+0x102
> __assert(81769d93,817d7350,3b6,817d72bd) at
> __assert+0x
> 35
> hfsc_deferred(800c2060) at hfsc_deferred+0x9e
> timeout_run(8004adc8) at timeout_run+0x4c
> softclock(0) at softclock+0x146
> softintr_dispatch(0) at softintr_dispatch+0x9f
> Xsoftclock() at Xsoftclock+0x1f
> --- interrupt ---
> end of kernel
> end trace frame: 0x728d481974c08548, count: 7
> 0x2cfe9c031c9:
> https://www.openbsd.org/ddb.html describes the minimum info required in bug
> reports. Insufficient info makes it difficult to find and fix bugs.
> ddb{0}> ps
> PID TID PPIDUID S FLAGS WAIT COMMAND
> *28420 247463 5000 0 7 0x3pfctl
>
>
> pfctl runs in the loop reloading the ruleset. So at some point we
> disable HFSC on the interface but lose a race with hfsc_deferred
> before re-enabling it.
>
> IFQ has a mechanism to lock the underlying object and I believe this
> is the right tool for this job. Any other ideas?
>
> I don't think it's a good idea to hold the mutex (ifq_q_enter and
> ifq_q_leave effectively lock and unlock it) during the ifq_start,
> so we have to make a concession and run the ifq_start before knowing
> whether or not HFSC is attached. IMO, it's a small price to pay to
> avoid clutter. Kernel lock assertion is pointless at this point.
>
> OK?
>

I've been running with this while debugging the issue with the active class list ("panic: kernel diagnostic assertion" from Aug 12 on bugs@) and I'm quite confident that this works and I don't observe the race anymore.
In addition, I've figured we can keep the HFSC_ENABLED check as there is no issue with bailing early here: diff --git sys/net/hfsc.c sys/net/hfsc.c index 12504267dc5..c51f1406a0b 100644 --- sys/net/hfsc.c +++ sys/net/hfsc.c @@ -950,10 +950,13 @@ hfsc_deferred(void *arg) { struct ifnet *ifp = arg; struct ifqueue *ifq = &ifp->if_snd; struct hfsc_if *hif; + if (!HFSC_ENABLED(ifq)) + return; + if (!ifq_empty(ifq)) ifq_start(ifq); hif = ifq_q_enter(&ifp->if_snd, ifq_hfsc_ops); if (hif == NULL) > diff --git sys/net/hfsc.c sys/net/hfsc.c > index 410bea733c6..3c5b6f6ef78 100644 > --- sys/net/hfsc.c > +++ sys/net/hfsc.c > @@ -944,20 +944,19 @@ hfsc_deferred(void *arg) > { > struct ifnet *ifp = arg; > struct ifqueue *ifq = &ifp->if_snd; > struct hfsc_if *hif; > > - KERNEL_ASSERT_LOCKED(); > - KASSERT(HFSC_ENABLED(ifq)); > - > if (!ifq_empty(ifq)) > ifq_start(ifq); > > - hif = ifq->ifq_q; > - > + hif = ifq_q_enter(&ifp->if_snd, ifq_hfsc_ops); > + if (hif == NULL) > + return; > /* XXX HRTIMER nearest virtual/fit time is likely less than 1/HZ. */ > timeout_add(&hif->hif_defer, 1); > + ifq_q_leave(&ifp->if_snd, hif); > } > > void > hfsc_cl_purge(struct hfsc_if *hif, struct hfsc_class *cl, struct mbuf_list > *ml) > {
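Review bot: the new HFSC_ENABLED(ifq) test at the top of hfsc_deferred runs before ifq_q_enter() takes the queue lock, so the state can still change between the test and ifq_start(); it works as an early bail-out, but the NULL return from ifq_q_enter() remains the check that closes the race, and a one-line comment saying so would keep the NULL check from later being removed as redundant. Minor: ifq already points at &ifp->if_snd, so ifq_q_enter(ifq, ifq_hfsc_ops) and ifq_q_leave(ifq, hif) would read consistently with the ifq_empty(ifq) and ifq_start(ifq) calls just above.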
Re: qemu vmm 6.0 / 6.1
On Wed, Aug 16, 2017 at 11:09:57AM -0400, sven falempin wrote:
> 6.1 got a firmware (ewww) for seabios
>

if you don't like this you are free to delete it and use the -b option in vmctl instead. You just don't get non-openbsd guests. your choice.

-ml

> i mean this : /usr/ports/sysutils/firmware/vmm
>
> If i compile this ports on 6.0 do i have any chance it does something right
> or i am just digging my grave deeper ?
>
> Best,
>
>
> --
> --
> -
> Knowing is not enough; we must apply. Willing is not enough; we must do
Re: qemu vmm 6.0 / 6.1
On Wed, Aug 16, 2017 at 11:09:57AM -0400, sven falempin wrote:
> 6.1 got a firmware (ewww) for seabios
>
> i mean this : /usr/ports/sysutils/firmware/vmm
>
> If i compile this ports on 6.0 do i have any chance it does something right
> or i am just digging my grave deeper ?
>
> Best,
>
>
> --
> --
> -
> Knowing is not enough; we must apply. Willing is not enough; we must do
>

What exactly are you asking? OpenBSD 6.0 didn't even have vmm(4)/vmd(8), it first appeared in 6.1. The firmware port doesn't have anything to do with QEMU, so no, there is no chance that it does anything at all on 6.0.

-Bryan.
CID 1453358: Out-of-bounds read (bufq_init)
There's only two disk elevator disciplines 0 - fifo and 1 - nscan. BUFQ_HOWMANY is 2, but the 'type' should be checked against (BUFQ_HOWMANY - 1) as it's used as an index. OK? diff --git sys/kern/kern_bufq.c sys/kern/kern_bufq.c index 7ed83470e58..ad9558e0d53 100644 --- sys/kern/kern_bufq.c +++ sys/kern/kern_bufq.c @@ -76,11 +76,11 @@ const struct bufq_impl bufq_impls[BUFQ_HOWMANY] = { int bufq_init(struct bufq *bq, int type) { u_int hi = BUFQ_HI, low = BUFQ_LOW; - if (type > BUFQ_HOWMANY) + if (type >= BUFQ_HOWMANY) panic("bufq_init: type %i unknown", type); /* * Ensure that writes can't consume the entire amount of kva * available the buffer cache if we only have a limited amount
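Review bot: type is a signed int, so a negative value still passes the corrected type >= BUFQ_HOWMANY test and would index bufq_impls[] below its start. Adding type < 0 to the condition, or making the parameter unsigned, covers both ends of the array.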
CID 1452946, 1452957: Uninitialized scalar variable (bridge_ipsec)
Hi, In may this year, the condition that would make this break do the right thing got removed and now if a short packet is sent to an ipsec-enabled bridge, various things like 'spi' and 'off' are left uninitialized, but thankfully the gettdb call that follows will most likely fail when presented with a random spi value. But it's a nasty bug nevertheless. OK? diff --git sys/net/if_bridge.c sys/net/if_bridge.c index 0e048205475..33d4753fd6b 100644 --- sys/net/if_bridge.c +++ sys/net/if_bridge.c @@ -1404,11 +1404,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp, if (dir == BRIDGE_IN) { switch (af) { case AF_INET: if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) - break; + goto skiplookup; ip = mtod(m, struct ip *); proto = ip->ip_p; off = offsetof(struct ip, ip_p); @@ -1425,11 +1425,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp, break; #ifdef INET6 case AF_INET6: if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) - break; + goto skiplookup; ip6 = mtod(m, struct ip6_hdr *); /* XXX We should chase down the header chain */ proto = ip6->ip6_nxt;
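Review bot: the skiplookup label that both new gotos jump to lies outside these hunks, so it is worth confirming that nothing from the label to the end of the function reads spi, off or proto, which are still unset on this path. Initializing them at declaration would keep a later refactor from reintroducing the uninitialized read the message describes.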
Re: qemu vmm 6.0 / 6.1
> 6.1 got a firmware (ewww) for seabios
>
> i mean this : /usr/ports/sysutils/firmware/vmm
>
> If i compile this ports on 6.0 do i have any chance it does something right
> or i am just digging my grave deeper ?

If you do all the work, you can perform magic. But if you are asking others to help, nope.
qemu vmm 6.0 / 6.1
6.1 got a firmware (ewww) for seabios

i mean this : /usr/ports/sysutils/firmware/vmm

If i compile this ports on 6.0 do i have any chance it does something right
or i am just digging my grave deeper ?

Best,

--
--
-
Knowing is not enough; we must apply. Willing is not enough; we must do
Additional media options for ix(4) [again]
Hi, I haven't gotten any feedback on the following diff but I think there's still hope. Please test. Original mail: I won't mind some broad testing of the following diff which adds some additional media options to ix(4) from FreeBSD and includes a fix for changing media from Masanobu SAITOH. The fix makes sure that when the media operation speed is selected manually, the device doesn't additionally advertise other (slower) modes. diff --git sys/dev/pci/if_ix.c sys/dev/pci/if_ix.c index 339ba2bc4f1..8fca8742f7f 100644 --- sys/dev/pci/if_ix.c +++ sys/dev/pci/if_ix.c 
@@ -1028,62 +1028,115 @@ ixgbe_intr(void *arg) * This routine is called whenever the user queries the status of * the interface using ifconfig. * **/ void -ixgbe_media_status(struct ifnet * ifp, struct ifmediareq *ifmr) +ixgbe_media_status(struct ifnet *ifp, struct ifmediareq *ifmr) { struct ix_softc *sc = ifp->if_softc; + int layer; + + layer = sc->hw.mac.ops.get_supported_physical_layer(&sc->hw); ifmr->ifm_active = IFM_ETHER; ifmr->ifm_status = IFM_AVALID; INIT_DEBUGOUT("ixgbe_media_status: begin"); ixgbe_update_link_status(sc); - if (LINK_STATE_IS_UP(ifp->if_link_state)) { - ifmr->ifm_status |= IFM_ACTIVE; + if (!LINK_STATE_IS_UP(ifp->if_link_state)) + return; + + ifmr->ifm_status |= IFM_ACTIVE; + if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_T || + layer & IXGBE_PHYSICAL_LAYER_1000BASE_T || + layer & IXGBE_PHYSICAL_LAYER_100BASE_TX) switch (sc->link_speed) { + case IXGBE_LINK_SPEED_10GB_FULL: + ifmr->ifm_active |= IFM_10G_T | IFM_FDX; + break; + case IXGBE_LINK_SPEED_1GB_FULL: + ifmr->ifm_active |= IFM_1000_T | IFM_FDX; + break; case IXGBE_LINK_SPEED_100_FULL: ifmr->ifm_active |= IFM_100_TX | IFM_FDX; break; + } + if (layer & IXGBE_PHYSICAL_LAYER_SFP_PLUS_CU || + layer & IXGBE_PHYSICAL_LAYER_SFP_ACTIVE_DA) + switch (sc->link_speed) { + case IXGBE_LINK_SPEED_10GB_FULL: + ifmr->ifm_active |= IFM_10G_SFP_CU | IFM_FDX; + break; + } + if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_LR) + switch (sc->link_speed) { + case IXGBE_LINK_SPEED_10GB_FULL: + ifmr->ifm_active |= IFM_10G_LR | IFM_FDX; + break; case IXGBE_LINK_SPEED_1GB_FULL: - switch (sc->optics) { - case IFM_10G_SR: /* multi-speed fiber */ - ifmr->ifm_active |= IFM_1000_SX | IFM_FDX; - break; - case IFM_10G_LR: /* multi-speed fiber */ - ifmr->ifm_active |= IFM_1000_LX | IFM_FDX; - break; - default: - ifmr->ifm_active |= sc->optics | IFM_FDX; - break; - } + ifmr->ifm_active |= IFM_1000_LX | IFM_FDX; break; + } + if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_LRM) + switch (sc->link_speed) { case IXGBE_LINK_SPEED_10GB_FULL: - 
ifmr->ifm_active |= sc->optics | IFM_FDX; + ifmr->ifm_active |= IFM_10G_LRM | IFM_FDX; + break; + case IXGBE_LINK_SPEED_1GB_FULL: + ifmr->ifm_active |= IFM_1000_LX | IFM_FDX; break; } - - switch (sc->hw.fc.current_mode) { - case ixgbe_fc_tx_pause: - ifmr->ifm_active |= IFM_FLOW | IFM_ETH_TXPAUSE; + if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_SR || + layer & IXGBE_PHYSICAL_LAYER_1000BASE_SX) + switch (sc->link_speed) { + case IXGBE_LINK_SPEED_10GB_FULL: + ifmr->ifm_active |= IFM_10G_SR | IFM_FDX; + break; + case IXGBE_LINK_SPEED_1GB_FULL: + ifmr->ifm_active |= IFM_1000_SX | IFM_FDX; break; - case ixgbe_fc_rx_pause: - ifmr->ifm_active |= IFM_FLOW | IFM_ETH_RXPAUSE; + } + if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_CX4) + switch (sc->link_speed) { + case IXGBE_LINK_SPEED_10GB_FULL: + ifmr->ifm_active |= IFM_10G_CX4 | IFM_FDX; break; - case ixgbe_fc_full: - ifmr->ifm_active |= IFM_FLOW | IFM_ETH_RXP
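Review bot: in ixgbe_media_status the physical-layer tests are independent if statements, each OR-ing an IFM subtype into ifmr->ifm_active, so if get_supported_physical_layer() ever reports bits from two groups (say 10GBASE_SR and 10GBASE_LR) two subtype values are OR-ed together into something that matches neither. An else-if chain, or returning after the first match, avoids that. The layer lookup could also move below the !LINK_STATE_IS_UP early return, since the value is unused when the link is down.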
[patch] make cipher list preference configurable in httpd
The following patch makes the TLS cipher list preference (server vs. client) configurable in httpd (like in relayd): Index: src/usr.sbin/httpd/config.c === RCS file: /cvs/src/usr.sbin/httpd/config.c,v retrieving revision 1.53 diff -u -p -u -r1.53 config.c --- src/usr.sbin/httpd/config.c 19 Jul 2017 17:36:25 - 1.53 +++ src/usr.sbin/httpd/config.c 16 Aug 2017 12:40:59 - @@ -472,6 +472,8 @@ config_getserver_config(struct httpd *en srv_conf->hsts_max_age = parent->hsts_max_age; srv_conf->hsts_flags = parent->hsts_flags; + srv_conf->tls_flags = parent->tls_flags; + memcpy(&srv_conf->timeout, &parent->timeout, sizeof(srv_conf->timeout)); srv_conf->maxrequests = parent->maxrequests; Index: src/usr.sbin/httpd/httpd.conf.5 === RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v retrieving revision 1.84 diff -u -p -u -r1.84 httpd.conf.5 --- src/usr.sbin/httpd/httpd.conf.5 11 Aug 2017 20:30:45 - 1.84 +++ src/usr.sbin/httpd/httpd.conf.5 16 Aug 2017 12:40:59 - @@ -518,6 +518,10 @@ The should contain a PEM encoded certificate. The default is .Pa /etc/ssl/server.crt . +.It Oo Ic no Oc Ic cipher-server-preference +Prefer the server's cipher list over the client's preferences when +choosing a cipher for the connection. +This is enabled by default. .It Ic ciphers Ar string Specify the TLS cipher string. If not specified, the default value Index: src/usr.sbin/httpd/httpd.h === RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v retrieving revision 1.134 diff -u -p -u -r1.134 httpd.h --- src/usr.sbin/httpd/httpd.h 11 Aug 2017 18:48:56 - 1.134 +++ src/usr.sbin/httpd/httpd.h 16 Aug 2017 12:40:59 - @@ -416,6 +416,8 @@ SPLAY_HEAD(client_tree, client); "\10\01NODELAY\02NO_NODELAY\03SACK\04NO_SACK" \ "\05SOCKET_BUFFER_SIZE\06IP_TTL\07IP_MINTTL\10NO_SPLICE" +#define TLSFLAG_CIPHER_SERVER_PREF 0x01 + #define HSTSFLAG_SUBDOMAINS0x01 #define HSTSFLAG_PRELOAD 0x02 #define HSTSFLAG_BITS "\10\01SUBDOMAINS\02PRELOAD" 
@@ -514,6 +516,8 @@ struct server_config { int hsts_max_age; uint8_t hsts_flags; + + uint8_t tls_flags; TAILQ_ENTRY(server_config) entry; }; Index: src/usr.sbin/httpd/parse.y === RCS file: /cvs/src/usr.sbin/httpd/parse.y,v retrieving revision 1.91 diff -u -p -u -r1.91 parse.y --- src/usr.sbin/httpd/parse.y 11 Aug 2017 18:48:56 - 1.91 +++ src/usr.sbin/httpd/parse.y 16 Aug 2017 12:40:59 - @@ -129,12 +129,13 @@ typedef struct { %} -%token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON -%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LIFETIME -%token LISTEN LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY OCSP ON PORT PREFORK -%token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TICKET -%token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST -%token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS +%token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERSRVPREF +%token CIPHERS COMMON COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX +%token IP KEY LIFETIME LISTEN LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY +%token OCSP ON PORT PREFORK PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP +%token STYLE SYSLOG TCP TICKET TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS +%token DEFAULT PRELOAD REQUEST ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP +%token RETURN PASS %token STRING %token NUMBER %typeport @@ -260,6 +261,7 @@ server : SERVER optmatch STRING{ if ((s->srv_conf.tls_key_file = strdup(HTTPD_TLS_KEY)) == NULL) fatal("out of memory"); + s->srv_conf.tls_flags = TLSFLAG_CIPHER_SERVER_PREF; strlcpy(s->srv_conf.tls_ciphers, HTTPD_TLS_CIPHERS, sizeof(s->srv_conf.tls_ciphers)); @@ -727,6 +729,12 @@ tlsopts: CERTIFICATE STRING{ fatal("out of memory"); free($2); } + | CIPHERSRVPREF { + srv_conf->tls_flags |= TLSFLAG_CIPHER_SERVER_PREF; + } + | NO CIPHERSRVPREF { + srv_conf->tls_flags &= ~TLSFLAG_CIPHER_SERVER_PREF; + } | CIPHERS STRING{ if (strlcpy(srv_conf->tls_ciphers, $2,
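Review bot: the httpd.conf.5 hunk documents only the enabled case; it should also say what no cipher-server-preference does, namely that the client's order then decides among the ciphers permitted by the ciphers option, since that is the behaviour an administrator is opting into when turning it off. In httpd.h, TLSFLAG_CIPHER_SERVER_PREF is defined without a matching TLSFLAG_BITS string next to it, unlike HSTSFLAG_BITS just below, which is worth adding if the flags are meant to be printable the same way.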
Re: [patch] Add -z and -Z to apmd for automatic suspend/hibernate
On Tue, Aug 15, 2017 at 07:24:47PM -0400, Ted Unangst wrote: > this looks good. will commit soon. > > (one nit, i'll correct, is man page options are upper case first.) Noted for future reference. Thanks!