Re: smtpd: move authentication to table backends

2021-10-08 Thread aisha
On 21/10/08 05:34PM, aisha wrote:
> Hi all,
>   I am still working on the table-procexec for opensmtpd
> and while there, I was thinking of how to do authentication
> using LDAP, which the current table-ldap from ports does not
> support.
> The primary reason for that, I believe, is that LDAP
> authentication should be done by bind and not by returning
> the userPassword and us doing the authentication with
> crypt_checkpass. That kind of defeats one of the uses of LDAP.
> 
> Here I've added a patch which pushes the authentication step
> to the table backend and it only returns the final AUTH/NOAUTH
> kind of values.
> 
> While here, I also made another small change with mailaddrmap,
> where instead of returning ALL possible aliases that a user
> may use, we now pass the current mailaddr to the table, so
> it can now return a smaller set of addresses.
> 
> It should not affect any workflow, so testing from others
> would be appreciated.
> 
> Cheers,
> Aisha
> 

Same patch, but with my horrible enums representation changed to bitshifts.



diff --git a/usr.sbin/smtpd/aliases.c b/usr.sbin/smtpd/aliases.c
index a473aeca189..8e3835f78a6 100644
--- a/usr.sbin/smtpd/aliases.c
+++ b/usr.sbin/smtpd/aliases.c
@@ -45,7 +45,7 @@ aliases_get(struct expand *expand, const char *username)
/* first, check if entry has a user-part tag */
pbuf = strchr(buf, *env->sc_subaddressing_delim);
if (pbuf) {
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
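Review bot: Each K_ALIAS lookup in this hunk now passes a bare `NULL` in the new table_lookup() argument slot, and the same pattern repeats in the six K_ALIAS hunks that follow, in the lka.c K_RELAYHOST hunk, and in the identical copy of this patch re-posted further down the page. The mail describes this argument as the current mailaddr handed to the table so it can narrow its result, so a one-line comment at the first site such as `/* no mailaddr context: plain alias lookup */` would make the intent clear to readers who only see the call. Because the argument is nullable here, every backend reached through table_lookup(), including out-of-process backends such as table-procexec, must be checked to tolerate a NULL in that position and to encode it unambiguously on the wire; neither the table_lookup() prototype nor the backend side is part of this diff. The trailing `, );` on these lines looks like the archive stripped an address-of argument, so the full call is not reproduced here. aliases_get() starts and ends outside the hunk.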
@@ -54,7 +54,7 @@ aliases_get(struct expand *expand, const char *username)
}
 
/* no user-part tag, try looking up user */
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret <= 0)
return ret;
 
@@ -116,7 +116,7 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
if (!bsnprintf(buf, sizeof(buf), "%s%c%s@%s",
user, *env->sc_subaddressing_delim, tag, domain))
return 0;
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -126,7 +126,7 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
/* then, check if entry exists without user-part tag */
if (!bsnprintf(buf, sizeof(buf), "%s@%s", user, domain))
return 0;
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -137,7 +137,7 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
if (!bsnprintf(buf, sizeof(buf), "%s%c%s",
user, *env->sc_subaddressing_delim, tag))
return 0;
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -147,7 +147,7 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
/* Failed ? We lookup for username only */
if (!bsnprintf(buf, sizeof(buf), "%s", user))
return 0;
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -160,14 +160,14 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
if (!bsnprintf(buf, sizeof(buf), "@%s", domain))
return 0;
/* Failed ? We lookup for catch all for virtual domain */
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
goto expand;
 
/* Failed ? We lookup for a *global* catch all */
-   ret = table_lookup(mapping, K_ALIAS, "@", );
+   ret = table_lookup(mapping, K_ALIAS, "@", NULL, );
if (ret <= 0)
return (ret);
 
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index 764130d6078..3354ccde7d7 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -268,7 +268,7 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
if (domain == NULL)
ret = table_fetch(table, K_RELAYHOST, );
else
-   ret = table_lookup(table, K_RELAYHOST, domain, 
);
+   ret = table_lookup(table, K_RELAYHOST, domain, 
NULL, );
 
if (ret == -1)
 

smtpd: move authentication to table backends

2021-10-08 Thread aisha
Hi all,
  I am still working on the table-procexec for opensmtpd
and while there, I was thinking of how to do authentication
using LDAP, which the current table-ldap from ports does not
support.
The primary reason for that, I believe, is that LDAP
authentication should be done by bind and not by returning
the userPassword and us doing the authentication with
crypt_checkpass. That kind of defeats one of the uses of LDAP.

Here I've added a patch which pushes the authentication step
to the table backend and it only returns the final AUTH/NOAUTH
kind of values.

While here, I also made another small change with mailaddrmap,
where instead of returning ALL possible aliases that a user
may use, we now pass the current mailaddr to the table, so
it can now return a smaller set of addresses.

It should not affect any workflow, so testing from others
would be appreciated.

Cheers,
Aisha


diff --git a/usr.sbin/smtpd/aliases.c b/usr.sbin/smtpd/aliases.c
index a473aeca189..8e3835f78a6 100644
--- a/usr.sbin/smtpd/aliases.c
+++ b/usr.sbin/smtpd/aliases.c
@@ -45,7 +45,7 @@ aliases_get(struct expand *expand, const char *username)
/* first, check if entry has a user-part tag */
pbuf = strchr(buf, *env->sc_subaddressing_delim);
if (pbuf) {
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -54,7 +54,7 @@ aliases_get(struct expand *expand, const char *username)
}
 
/* no user-part tag, try looking up user */
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret <= 0)
return ret;
 
@@ -116,7 +116,7 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
if (!bsnprintf(buf, sizeof(buf), "%s%c%s@%s",
user, *env->sc_subaddressing_delim, tag, domain))
return 0;
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -126,7 +126,7 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
/* then, check if entry exists without user-part tag */
if (!bsnprintf(buf, sizeof(buf), "%s@%s", user, domain))
return 0;
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -137,7 +137,7 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
if (!bsnprintf(buf, sizeof(buf), "%s%c%s",
user, *env->sc_subaddressing_delim, tag))
return 0;
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -147,7 +147,7 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
/* Failed ? We lookup for username only */
if (!bsnprintf(buf, sizeof(buf), "%s", user))
return 0;
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
@@ -160,14 +160,14 @@ aliases_virtual_get(struct expand *expand, const struct 
mailaddr *maddr)
if (!bsnprintf(buf, sizeof(buf), "@%s", domain))
return 0;
/* Failed ? We lookup for catch all for virtual domain */
-   ret = table_lookup(mapping, K_ALIAS, buf, );
+   ret = table_lookup(mapping, K_ALIAS, buf, NULL, );
if (ret < 0)
return (-1);
if (ret)
goto expand;
 
/* Failed ? We lookup for a *global* catch all */
-   ret = table_lookup(mapping, K_ALIAS, "@", );
+   ret = table_lookup(mapping, K_ALIAS, "@", NULL, );
if (ret <= 0)
return (ret);
 
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index 764130d6078..3354ccde7d7 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -268,7 +268,7 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
if (domain == NULL)
ret = table_fetch(table, K_RELAYHOST, );
else
-   ret = table_lookup(table, K_RELAYHOST, domain, 
);
+   ret = table_lookup(table, K_RELAYHOST, domain, 
NULL, );
 
if (ret == -1)
m_add_int(p, LKA_TEMPFAIL);
@@ -729,7 +729,7 @@ lka_authenticate(const char *tablename, const char *user, 
const char *password)
   

[Patch] httpd handling of HEAD requests to CGI w.r.t. Content-Length

2021-10-08 Thread Ross L Richardson
This is a rewording of my later posts to bugs@ in:
https://marc.info/?t=16330937691=1=2


RFC 7231 [HTTP 1.1] states that, for a HEAD request, the server SHOULD
send the same header fields in response to HEAD as it would for GET,
except that payload headers MAY be omitted.  Content-Length is such
a header field.

The CGI on beta.undeadly.org has been updated (to be RFC-compliant)
such that it does not send a body in response to HEAD requests.
We now have:

 www.undeadly.org ##
$ printf "HEAD /cgi?action=front HTTP/1.0\r\nHost: www.undeadly.org\r\n\r\n" \
| nc -c www.undeadly.org https \
| head
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Date: Wed, 06 Oct 2021 10:24:59 GMT
Server: OpenBSD httpd
Strict-Transport-Security: max-age=31536000; preload





 beta.undeadly.org #
$ printf "HEAD /cgi?action=front HTTP/1.0\r\nHost: beta.undeadly.org\r\n\r\n" \
| nc -c beta.undeadly.org https
HTTP/1.0 200 OK
Connection: close
Content-Length: 0
Content-Type: text/html
Date: Wed, 06 Oct 2021 10:25:01 GMT
Server: OpenBSD httpd
Strict-Transport-Security: max-age=31536000; preload

So, if the CGI treats HEAD the same way as GET [and returns a body],
httpd does not add a Content-Length header.  However, if the CGI behaves
correctly, and does not include the body in the response, httpd _does_
add a Content-Length header.  That's clearly wrong/unhelpful.

I'm insufficiently familiar with the httpd code to be certain that the
patch below is correct, but it fixes the problem in light testing.

Ross

Index: server_fcgi.c
===
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.88
diff -u -p -r1.88 server_fcgi.c
--- server_fcgi.c   20 May 2021 15:12:10 -  1.88
+++ server_fcgi.c   7 Oct 2021 02:56:07 -
@@ -621,12 +621,14 @@ server_fcgi_header(struct client *clt, u
/* Can't chunk encode an empty body. */
clt->clt_fcgi.chunked = 0;
 
-   /* But then we need a Content-Length... */
-   key.kv_key = "Content-Length";
-   if ((kv = kv_find(>http_headers, )) == NULL) {
-   if (kv_add(>http_headers,
-   "Content-Length", "0") == NULL)
-   return (-1);
+   /* But then we need a Content-Length unless method is HEAD... */
+   if (desc->http_method != HTTP_METHOD_HEAD) {
+   key.kv_key = "Content-Length";
+   if ((kv = kv_find(>http_headers, )) == NULL) {
+   if (kv_add(>http_headers,
+   "Content-Length", "0") == NULL)
+   return (-1);
+   }
}
}
 
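Review bot: The new comment above the added `if (desc->http_method != HTTP_METHOD_HEAD)` branch says what is skipped but not why, which matters here because a `Content-Length: 0` on a HEAD response misstates the length of the body a GET would return, while omitting the header is permitted by RFC 7231 and cannot break message framing since a HEAD response carries no body. A comment along the lines of `/* HEAD may omit Content-Length, and "0" would misstate the GET body size; keep whatever the CGI sent. */` would record that reasoning and make explicit that a Content-Length supplied by the CGI is still preserved. server_fcgi_header() starts outside the hunk, so whether `desc` is already declared there is not visible; if it is not, the branch would need the request descriptor obtained from the client first.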



Re: [PATCH] /etc/netstart: unquoted command substitution inside arithmetic expression

2021-10-08 Thread Theo de Raadt
Philip Guenther  wrote:

> On Fri, Oct 8, 2021 at 8:57 AM Theo de Raadt  wrote:
> 
>  Philip Guenther  wrote:
> 
>  > On Thu, Oct 7, 2021 at 5:57 PM bm1les  wrote:
>  > 
>  > > --- netstart2 Sep 2021 19:38:20 -   1.216
>  > > +++ netstart8 Oct 2021 02:43:30 -
>  > > @@ -365,7 +365,7 @@ ifmstart "tun tap gif etherip gre egre p
>  > >  if [[ $ip6kernel == YES ]]; then
>  > > # Ensure IPv6 Duplicate Address Detection (DAD) is completed.
>  > > count=0
>  > > -   while ((count++ < 10 && $(sysctl -n net.inet6.ip6.dad_pending) !=
>  > > 0)); do
>  > > +   while ((count++ < 10 && "$(sysctl -n net.inet6.ip6.dad_pending)"
>  > > != 0)); do
>  > > sleep 1
>  > > done
>  > >  fi
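Review bot: The double quotes added around `$(sysctl -n net.inet6.ip6.dad_pending)` cannot prevent the failure they target: inside `(( ))` ksh performs the substitution and then parses the resulting text as an arithmetic expression, so an empty result leaves `count++ < 10 && != 0` to parse whether or not it was quoted. Taking the substitution out of the arithmetic context is what avoids the parse error; the loop can then test the value with `[[ ]]` and decide explicitly what an empty or failed read means, for example treating it as nothing pending so boot does not stall on an unavailable sysctl. The same hunk is quoted in the other replies in this thread further down the page, and the enclosing `if [[ $ip6kernel == YES ]]` block is shown in full here.
```shell
count=0
while ((count++ < 10)); do
	pending=$(sysctl -n net.inet6.ip6.dad_pending)
	[[ ${pending:-0} == 0 ]] && break
	sleep 1
done
```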
>  > >
>  > 
>  > I can't figure out what problem you think this could solve.  Can you
>  > explain the circumstances under which those quotes could make a difference?
> 
>  Not the OP's issue, but I think a kernels compiled without option INET6
>  will return an errno, and I cannot tell if sysctl prints out an error message
>  or converts to "", the empty string, which would conceivably mis-parse.
> 
> AFAICT, an empty quoted string there results in the exact same error.  As I 
> wrote
> off-list to the original submitter:
> 
>  Can you be clearer about how the quoting makes the result any better when run
>  under bsd.rd?  Doesn't it fail in the same way?  Testing with 'echo' instead 
> would
>  seem to indicate so:
>  : bleys; (( 1 < 10 && $(echo) != 0 )); echo $?  
>  /bin/ksh:  1 < 10 &&  != 0 : unexpected `!='
>  2
>  : bleys; (( 1 < 10 && $(echo -n) != 0 )); echo $?  
>  /bin/ksh:  1 < 10 &&  != 0 : unexpected `!='
>  2
>  : bleys; (( 1 < 10 && "$(echo)" != 0 )); echo $?
>  /bin/ksh:  1 < 10 &&  != 0 : unexpected `!='
>  2
>  : bleys; (( 1 < 10 && "$(echo -n)" != 0 )); echo $?
>  /bin/ksh:  1 < 10 &&  != 0 : unexpected `!='
>  2
>  : bleys;

Well, netstart can do better, and should not emit low-level parsing errors



Re: [PATCH] /etc/netstart: unquoted command substitution inside arithmetic expression

2021-10-08 Thread Philip Guenther
On Fri, Oct 8, 2021 at 8:57 AM Theo de Raadt  wrote:

> Philip Guenther  wrote:
>
> > On Thu, Oct 7, 2021 at 5:57 PM bm1les  wrote:
> >
> > > --- netstart2 Sep 2021 19:38:20 -   1.216
> > > +++ netstart8 Oct 2021 02:43:30 -
> > > @@ -365,7 +365,7 @@ ifmstart "tun tap gif etherip gre egre p
> > >  if [[ $ip6kernel == YES ]]; then
> > > # Ensure IPv6 Duplicate Address Detection (DAD) is completed.
> > > count=0
> > > -   while ((count++ < 10 && $(sysctl -n net.inet6.ip6.dad_pending)
> !=
> > > 0)); do
> > > +   while ((count++ < 10 && "$(sysctl -n
> net.inet6.ip6.dad_pending)"
> > > != 0)); do
> > > sleep 1
> > > done
> > >  fi
> > >
> >
> > I can't figure out what problem you think this could solve.  Can you
> > explain the circumstances under which those quotes could make a
> difference?
>
> Not the OP's issue, but I think a kernels compiled without option INET6
> will return an errno, and I cannot tell if sysctl prints out an error
> message
> or converts to "", the empty string, which would conceivably mis-parse.
>

AFAICT, an empty quoted string there results in the exact same error.  As I
wrote off-list to the original submitter:

Can you be clearer about how the quoting makes the result any better when
> run under bsd.rd?  Doesn't it fail in the same way?  Testing with 'echo'
> instead would seem to indicate so:
> : bleys; (( 1 < 10 && $(echo) != 0 )); echo $?
> /bin/ksh:  1 < 10 &&  != 0 : unexpected `!='
> 2
> : bleys; (( 1 < 10 && $(echo -n) != 0 )); echo $?
> /bin/ksh:  1 < 10 &&  != 0 : unexpected `!='
> 2
> : bleys; (( 1 < 10 && "$(echo)" != 0 )); echo $?
> /bin/ksh:  1 < 10 &&  != 0 : unexpected `!='
> 2
> : bleys; (( 1 < 10 && "$(echo -n)" != 0 )); echo $?
> /bin/ksh:  1 < 10 &&  != 0 : unexpected `!='
> 2
> : bleys;



Philip


Re: [PATCH] /etc/netstart: unquoted command substitution inside arithmetic expression

2021-10-08 Thread Theo de Raadt
Philip Guenther  wrote:

> On Thu, Oct 7, 2021 at 5:57 PM bm1les  wrote:
> 
> > --- netstart2 Sep 2021 19:38:20 -   1.216
> > +++ netstart8 Oct 2021 02:43:30 -
> > @@ -365,7 +365,7 @@ ifmstart "tun tap gif etherip gre egre p
> >  if [[ $ip6kernel == YES ]]; then
> > # Ensure IPv6 Duplicate Address Detection (DAD) is completed.
> > count=0
> > -   while ((count++ < 10 && $(sysctl -n net.inet6.ip6.dad_pending) !=
> > 0)); do
> > +   while ((count++ < 10 && "$(sysctl -n net.inet6.ip6.dad_pending)"
> > != 0)); do
> > sleep 1
> > done
> >  fi
> >
> 
> I can't figure out what problem you think this could solve.  Can you
> explain the circumstances under which those quotes could make a difference?

Not the OP's issue, but I think a kernels compiled without option INET6
will return an errno, and I cannot tell if sysctl prints out an error message
or converts to "", the empty string, which would conceivably mis-parse.





bsd.port.mk.5 typo

2021-10-08 Thread hagen
Index: bsd.port.mk.5
===
RCS file: /cvs/src/share/man/man5/bsd.port.mk.5,v
retrieving revision 1.545
diff -u -p -r1.545 bsd.port.mk.5
--- bsd.port.mk.5   2 May 2021 06:13:57 -   1.545
+++ bsd.port.mk.5   8 Oct 2021 00:02:30 -
@@ -3575,7 +3575,7 @@ Port uses
 .Ev DEBUG_PACKAGES
 so the
 .Xr build-debug-info 1
-script excepts debug information on all binaries and libraries.
+script expects debug information on all binaries and libraries.
 Most probably, the build machinery for that specific port omitted -g
 somewhere, or it runs strips during fake anyway.
 It can also occur if



Re: [PATCH] [www] - spell 'X.509' consistently when talking about the standard

2021-10-08 Thread Raf Czlonka
Could someone "do it", please? ;^)

Regards,

Raf

On Fri, Oct 08, 2021 at 04:13:16PM BST, Theo de Raadt wrote:
> do it
> 
> Raf Czlonka  wrote:
> 
> > On Wed, Oct 06, 2021 at 11:50:01PM BST, Raf Czlonka wrote:
> > > Hello,
> > > 
> > > Outside of X509_* functions, filenames, openssl(1) commands, etc.
> > > there are places where the spelling of 'X.509' could be made
> > > consistent when talking about the standard.
> > 
> > I realise the patch might have been too long so how about only the
> > upcoming release page for now?
> > 
> > Cheers,
> > 
> > Raf
> > 
> > Index: 70.html
> > ===
> > RCS file: /cvs/www/70.html,v
> > retrieving revision 1.82
> > diff -u -p -r1.82 70.html
> > --- 70.html 8 Oct 2021 03:44:52 -   1.82
> > +++ 70.html 8 Oct 2021 09:11:34 -
> > @@ -567,7 +567,7 @@ to 7.0.
> > roa-sets.
> > In RRDP, limited the number of deltas to 300 per repo. If more 
> > deltas
> >exist, downloading a full snapshot is faster.
> > -   Limited the validation depth of X509 certificate chains to 12, 
> > double
> > +   Limited the validation depth of X.509 certificate chains to 12, 
> > double
> >the current depth seen in RPKI.
> >  
> >  
> > @@ -687,7 +687,7 @@ to 7.0.
> >  New Features
> >  
> >Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
> > -  Enabled the new x509 validator to allow verification of modern 
> > certificate chains.
> > +  Enabled the new X.509 validator to allow verification of modern 
> > certificate chains.
> >  
> >  
> >  Portable Improvements
> > @@ -750,12 +750,12 @@ to 7.0.
> >  
> >Added additional state machine test coverage.
> >Improved integration test support with ruby/openssl tests.
> > -  Error codes and callback support in new x509 validator made 
> > compatible with p5-Net_SSLeay tests.
> > +  Error codes and callback support in new X.509 validator made 
> > compatible with p5-Net_SSLeay tests.
> >  
> >  
> >  Internal Improvements
> >  
> > -  Numerous fixes and improvements to the new X509 validator to 
> > ensure compatible error codes
> > +  Numerous fixes and improvements to the new X.509 validator to 
> > ensure compatible error codes
> > and callback support compatible with the legacy OpenSSL validator.
> >  
> >  
> > 



Re: hostctl does not work on Xen

2021-10-08 Thread Brian Brombacher
I can see from the Ubuntu dmesg that it’s Xen 4.11.4.  What mode are you 
running the OpenBSD vm in (PVH or HVM)?  Provide your config file for the vm to 
help answer that.

> On Oct 8, 2021, at 12:41 AM, Masato Asou  wrote:
> 
> Attached obsd69-dmesg.txt and ubuntu-dmesg.txt.
> 
> regards.
> --
> ASOU Masato
> 
> From: Brian Brombacher 
> Date: Thu, 7 Oct 2021 23:21:59 -0400
> 
 On Oct 7, 2021, at 9:46 PM, Masato Asou  wrote:
>>> 
>>> How can I use the hostctl command on Xen virtual machine?
>>> 
>>> The hostctl command doesn't work on my Ubuntu (bare metal PC) + Xen + 
>>> OpenBSD 6.9 release as follows:
>>> $ hostctl device
>>> hostctl: open: /dev/pvbus0: Operation not supported by device
>>> $ doas hostctl device
>>> doas (a...@obsd69.my.domain) password: 
>>> hostctl: open: /dev/pvbus0: Operation not supported by device
>>> $ ls -l /dev/pvbus0
>>> crw-r-  1 root  wheel   95,   0 Oct  7 04:21 /dev/pvbus0
>>> $
>>> 
>>> Could not find pvbus as follows:
>>> $ dmesg | grep pvbus
>>> $
>>> 
>>> 
>>> On the other hand, hostctl command works correctly for OpenBSD 6.9
>>> release on ESXi and Hyper-V.
>>> 
>>> On ESXi as follows:
>>> $ hostctl guestinfo.ip
>>> 192.168.10.113
>>> $ dmesg | egrep '(pvbus|vmt)'
>>> pvbus0 at mainbus0: VMware
>>> vmt0 at pvbus0
>>> $
>>> 
>>> On Hyper-V as follows:
>>> $ hostctl GUest/Parameters/HostName
>>> DESKTOP-4AL1JIR
>>> $ dmesg | egrep '(pvbus|hyperv)'
>>> pvbus0 at mainbus0: Hyper-V 10.0
>>> hyperv0 at pvbus0: protocol 4.0, features 0x2e7f
>>> hyperv0: heartbeat, kvp, shutdown, timesync
>>> hvs0 at hyperv0 channel 2: ide, protocol 6.2
>>> hvs1 at hyperv0 channel 15: scsi, protocol 6.2
>>> hvn0 at hyperv0 channel 14: NVS 5.0 NDIS 6.30, address
>>> 00:15:5d:0a:80:00
>>> $ 
>>> --
>>> ASOU Masato
>>> 
>> 
>> Provide a dmesg
>> 
> 
> OpenBSD 6.9 (GENERIC.MP) #473: Mon Apr 19 10:40:28 MDT 2021
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4278026240 (4079MB)
> avail mem = 4132995072 (3941MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xbd80 (13 entries)
> bios0: vendor SeaBIOS version "1.13.0-1ubuntu1.1" date 04/01/2014
> bios0: QEMU Standard PC (i440FX + PIIX, 1996)
> acpi0 at bios0: ACPI 1.0
> acpi0: sleep states S5
> acpi0: tables DSDT FACP APIC
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD EPYC Processor, 3194.29 MHz, 17-01-02
> cpu0: 
> FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,RDRAND,HV,NXE,MMXX,PAGE1GB,RDTSCP,LONG,3DNOW2,3DNOW,LAHF,SVM,AMCR8,ABM,SSE4A,FSGSBASE,BMI1,SMEP,BMI2,ERMS,MPX,ADX,SMAP,PCOMMIT,CLFLUSHOPT,CLWB,PKU,XSAVEOPT,XGETBV1
> cpu0: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 
> 64b/line 8-way L2 cache
> cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 999MHz
> cpu0: mwait min=0, max=0, IBE (bogus)
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD EPYC Processor, 3194.40 MHz, 17-01-02
> cpu1: 
> FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,RDRAND,HV,NXE,MMXX,PAGE1GB,RDTSCP,LONG,3DNOW2,3DNOW,LAHF,SVM,AMCR8,ABM,SSE4A,FSGSBASE,BMI1,SMEP,BMI2,ERMS,MPX,ADX,SMAP,PCOMMIT,CLFLUSHOPT,CLWB,PKU,XSAVEOPT,XGETBV1
> cpu1: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 
> 64b/line 8-way L2 cache
> cpu1: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu1: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu1: disabling user TSC (skew=-23997)
> cpu1: smt 0, core 0, package 1
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: AMD EPYC Processor, 3192.81 MHz, 17-01-02
> cpu2: 
> FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,RDRAND,HV,NXE,MMXX,PAGE1GB,RDTSCP,LONG,3DNOW2,3DNOW,LAHF,SVM,AMCR8,ABM,SSE4A,FSGSBASE,BMI1,SMEP,BMI2,ERMS,MPX,ADX,SMAP,PCOMMIT,CLFLUSHOPT,CLWB,PKU,XSAVEOPT,XGETBV1
> cpu2: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 
> 64b/line 8-way L2 cache
> cpu2: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu2: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu2: smt 0, core 0, package 2
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: AMD EPYC Processor, 3192.23 MHz, 17-01-02
> cpu3: 
> 

Re: bsd.port.mk.5 typo

2021-10-08 Thread Stefan Hagen
ha...@sdf.org wrote:
> Index: bsd.port.mk.5
> ===
> RCS file: /cvs/src/share/man/man5/bsd.port.mk.5,v
> retrieving revision 1.545
> diff -u -p -r1.545 bsd.port.mk.5
> --- bsd.port.mk.5 2 May 2021 06:13:57 -   1.545
> +++ bsd.port.mk.5 8 Oct 2021 00:02:30 -
> @@ -3575,7 +3575,7 @@ Port uses
>  .Ev DEBUG_PACKAGES
>  so the
>  .Xr build-debug-info 1
> -script excepts debug information on all binaries and libraries.
> +script expects debug information on all binaries and libraries.
>  Most probably, the build machinery for that specific port omitted -g
>  somewhere, or it runs strips during fake anyway.
>  It can also occur if

committed with OK solene@

Thanks and best regards,
Stefan



iwx: remove support for old firmware versions

2021-10-08 Thread Stefan Sperling
This patch removes code which is only required for running with older
firmware versions (older than -63). This will make it easier to add
new features, such as 40MHz support. Some code removed here would
otherwise need to be updated as well, which is pointless extra work.

I have tested on AX200/AX201 devices which use the following images:

   /etc/firmware/iwx-cc-a0-63
   /etc/firmware/iwx-QuZ-a0-hr-b0-63

It would be great to get at least one pre-commit test report for
devices which use this image:

   /etc/firmware/iwx-Qu-c0-hr-b0-63

Such devices show up with 'Product ID: 0x34f0' in pcidump(8).
I do not have such hardware. Can someone help out?

ok?

diff 2611d0ab4f1e42a3f2c5db88a7a8cf0f1d94ef39 
e2fce28332a64af2eb947d764f33d3255719ec95
blob - 2cb39f6f37c89487e80cae7c423309688622031f
blob + f317cea613e3fb89360340cf90c918dac986d863
--- sys/dev/pci/if_iwx.c
+++ sys/dev/pci/if_iwx.c
@@ -301,9 +301,6 @@ int iwx_enable_txq(struct iwx_softc *, int, int, int, 
 void   iwx_post_alive(struct iwx_softc *);
 intiwx_schedule_session_protection(struct iwx_softc *, struct iwx_node *,
uint32_t);
-void   iwx_protect_session(struct iwx_softc *, struct iwx_node *, uint32_t,
-   uint32_t);
-void   iwx_unprotect_session(struct iwx_softc *, struct iwx_node *);
 void   iwx_init_channel_map(struct iwx_softc *, uint16_t *, uint32_t *, int);
 void   iwx_setup_ht_rates(struct iwx_softc *);
 intiwx_mimo_enabled(struct iwx_softc *);
@@ -366,8 +363,6 @@ int iwx_phy_ctxt_cmd_uhb_v3(struct iwx_softc *, struct
uint8_t, uint32_t);
 intiwx_phy_ctxt_cmd_v3(struct iwx_softc *, struct iwx_phy_ctxt *, uint8_t,
uint8_t, uint32_t);
-intiwx_phy_ctxt_cmd_uhb(struct iwx_softc *, struct iwx_phy_ctxt *, uint8_t,
-   uint8_t, uint32_t, uint32_t);
 intiwx_phy_ctxt_cmd(struct iwx_softc *, struct iwx_phy_ctxt *, uint8_t,
uint8_t, uint32_t, uint32_t);
 intiwx_send_cmd(struct iwx_softc *, struct iwx_host_cmd *);
@@ -397,12 +392,10 @@ int   iwx_power_update_device(struct iwx_softc *);
 intiwx_enable_beacon_filter(struct iwx_softc *, struct iwx_node *);
 intiwx_disable_beacon_filter(struct iwx_softc *);
 intiwx_add_sta_cmd(struct iwx_softc *, struct iwx_node *, int);
-intiwx_add_aux_sta(struct iwx_softc *);
 intiwx_rm_sta_cmd(struct iwx_softc *, struct iwx_node *);
 intiwx_rm_sta(struct iwx_softc *, struct iwx_node *);
 intiwx_fill_probe_req(struct iwx_softc *, struct iwx_scan_probe_req *);
 intiwx_config_umac_scan_reduced(struct iwx_softc *);
-intiwx_config_umac_scan(struct iwx_softc *);
 uint16_t iwx_scan_umac_flags_v2(struct iwx_softc *, int);
 void   iwx_scan_umac_dwell_v10(struct iwx_softc *,
struct iwx_scan_general_params_v10 *, int);
@@ -411,7 +404,6 @@ voidiwx_scan_umac_fill_general_p_v10(struct 
iwx_softc
 void   iwx_scan_umac_fill_ch_p_v6(struct iwx_softc *,
struct iwx_scan_channel_params_v6 *, uint32_t, int, int);
 intiwx_umac_scan_v14(struct iwx_softc *, int);
-intiwx_umac_scan(struct iwx_softc *, int);
 void   iwx_mcc_update(struct iwx_softc *, struct iwx_mcc_chub_notif *);
 uint8_tiwx_ridx2rate(struct ieee80211_rateset *, int);
 intiwx_rval2ridx(int);
@@ -422,7 +414,6 @@ voidiwx_mac_ctxt_cmd_fill_sta(struct iwx_softc *, 
str
struct iwx_mac_data_sta *, int);
 intiwx_mac_ctxt_cmd(struct iwx_softc *, struct iwx_node *, uint32_t, int);
 intiwx_clear_statistics(struct iwx_softc *);
-intiwx_update_quotas(struct iwx_softc *, struct iwx_node *, int);
 void   iwx_add_task(struct iwx_softc *, struct taskq *, struct task *);
 void   iwx_del_task(struct iwx_softc *, struct taskq *, struct task *);
 intiwx_scan(struct iwx_softc *);
@@ -2670,64 +2661,6 @@ iwx_schedule_session_protection(struct iwx_softc *sc, 
return iwx_send_cmd_pdu(sc, cmd_id, 0, sizeof(cmd), );
 }
 
-void
-iwx_protect_session(struct iwx_softc *sc, struct iwx_node *in,
-uint32_t duration, uint32_t max_delay)
-{
-   struct iwx_time_event_cmd time_cmd;
-
-   /* Do nothing if a time event is already scheduled. */
-   if (sc->sc_flags & IWX_FLAG_TE_ACTIVE)
-   return;
-
-   memset(_cmd, 0, sizeof(time_cmd));
-
-   time_cmd.action = htole32(IWX_FW_CTXT_ACTION_ADD);
-   time_cmd.id_and_color =
-   htole32(IWX_FW_CMD_ID_AND_COLOR(in->in_id, in->in_color));
-   time_cmd.id = htole32(IWX_TE_BSS_STA_AGGRESSIVE_ASSOC);
-
-   time_cmd.apply_time = htole32(0);
-
-   time_cmd.max_frags = IWX_TE_V2_FRAG_NONE;
-   time_cmd.max_delay = htole32(max_delay);
-   /* TODO: why do we need to interval = bi if it is not periodic? */
-   time_cmd.interval = htole32(1);
-   time_cmd.duration = htole32(duration);
-   time_cmd.repeat = 1;
-   time_cmd.policy
-   = htole16(IWX_TE_V2_NOTIF_HOST_EVENT_START |
-   IWX_TE_V2_NOTIF_HOST_EVENT_END |
-   

Re: [PATCH] /etc/netstart: unquoted command substitution inside arithmetic expression

2021-10-08 Thread bm1les
Since you obviously care enough to reply and wonder about what I'm doing, I can 
happily let you know.

I was trying to configure the network while running bsd.rd. I figured I could 
reuse netstart when I spotted this bug.

The bug is that the second part of the expression breaks when sysctl returns 
nothing. The solution could be to split just that expression out and use test.

Now that I have explained the bug and the solution, it's on you to fix it. I 
have already moved on.

Cheers.


‐‐‐ Original Message ‐‐‐

On Friday, October 8th, 2021 at 12:48 AM, Klemens Nanni  
wrote:

> On Fri, Oct 08, 2021 at 05:15:36AM +, bm1les wrote:
>
> > The first problem is the lack of correctness; that should be enough.
> >
> > The second problem is that such command actually breaks when run using 
> > bsd.rd.
>
> netstart(8) has nothing to do in or with bsd.rd, whatever you do:
>
> you own all the pieces.
>
> Either you manually run /etc/netstart during the installer (who knows
>
> why) and/or you run a kernel without IPv6 support.
>
> At this point, we don't care -- don't waste time with such mails lacking
>
> any trace of reasoning, justification or explanation.



Re: [PATCH] /etc/netstart: unquoted command substitution inside arithmetic expression

2021-10-08 Thread bm1les
The first problem is the lack of correctness; that should be enough.
The second problem is that such command actually breaks when run using bsd.rd.

‐‐‐ Original Message ‐‐‐
On Friday, October 8th, 2021 at 12:11 AM, Philip Guenther  
wrote:

> On Thu, Oct 7, 2021 at 5:57 PM bm1les  wrote:
>
>> --- netstart 2 Sep 2021 19:38:20 - 1.216
>> +++ netstart 8 Oct 2021 02:43:30 -
>> @@ -365,7 +365,7 @@ ifmstart "tun tap gif etherip gre egre p
>> if [[ $ip6kernel == YES ]]; then
>> # Ensure IPv6 Duplicate Address Detection (DAD) is completed.
>> count=0
>> - while ((count++ < 10 && $(sysctl -n net.inet6.ip6.dad_pending) != 0)); do
>> + while ((count++ < 10 && "$(sysctl -n net.inet6.ip6.dad_pending)" != 0)); do
>> sleep 1
>> done
>> fi
>
> I can't figure out what problem you think this could solve. Can you explain 
> the circumstances under which those quotes could make a difference?
>
> Philip Guenther

Re: [PATCH] [www] - spell 'X.509' consistently when talking about the standard

2021-10-08 Thread Raf Czlonka
On Wed, Oct 06, 2021 at 11:50:01PM BST, Raf Czlonka wrote:
> Hello,
> 
> Outside of X509_* functions, filenames, openssl(1) commands, etc.
> there are places where the spelling of 'X.509' could be made
> consistent when talking about the standard.

I realise the patch might have been too long so how about only the
upcoming release page for now?

Cheers,

Raf

Index: 70.html
===
RCS file: /cvs/www/70.html,v
retrieving revision 1.82
diff -u -p -r1.82 70.html
--- 70.html 8 Oct 2021 03:44:52 -   1.82
+++ 70.html 8 Oct 2021 09:11:34 -
@@ -567,7 +567,7 @@ to 7.0.
roa-sets.
In RRDP, limited the number of deltas to 300 per repo. If more 
deltas
   exist, downloading a full snapshot is faster.
-   Limited the validation depth of X509 certificate chains to 12, 
double
+   Limited the validation depth of X.509 certificate chains to 12, 
double
   the current depth seen in RPKI.
 
 
@@ -687,7 +687,7 @@ to 7.0.
 New Features
 
   Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
-  Enabled the new x509 validator to allow verification of modern 
certificate chains.
+  Enabled the new X.509 validator to allow verification of modern 
certificate chains.
 
 
 Portable Improvements
@@ -750,12 +750,12 @@ to 7.0.
 
   Added additional state machine test coverage.
   Improved integration test support with ruby/openssl tests.
-  Error codes and callback support in new x509 validator made 
compatible with p5-Net_SSLeay tests.
+  Error codes and callback support in new X.509 validator made 
compatible with p5-Net_SSLeay tests.
 
 
 Internal Improvements
 
-  Numerous fixes and improvements to the new X509 validator to ensure 
compatible error codes
+  Numerous fixes and improvements to the new X.509 validator to ensure 
compatible error codes
and callback support compatible with the legacy OpenSSL validator.
 
 



iwx: stop Rx BA sessions before switching AP

2021-10-08 Thread Stefan Sperling
Before roaming to another AP we should explicitly stop Rx BA sessions
by sending the appropriate 'ADD_STA' commands to firmware, in addition
to clearing Rx BA buffers. This is similar to a recent change in iwm(4).
See the iwm patch description for testing instructions:
https://marc.info/?l=openbsd-tech=163329420019842=2

It seems there is no need to stop Tx BA sessions in this driver.
Note that Tx aggregation sessions are handled entirely in firmware on
iwx(4) devices, which is substantially different from iwm(4).
I have already tried sending commands to disable Tx aggregation queues,
like iwm(4) will do now. This causes fatal firmware errors on iwx.
And everything seems to be working fine with Tx queues left enabled.

While here, remove a pointless STA_ACTIVE check; if we are in RUN state
then our firmware station (which represents the AP) is active by definition.

ok?

diff 58be466d62dc3469b7024e02971f96cadae4041e 
2611d0ab4f1e42a3f2c5db88a7a8cf0f1d94ef39
blob - 55d0375ff3f9ff3ec8c1c37fc03de2eb4f9e5bff
blob + 2cb39f6f37c89487e80cae7c423309688622031f
--- sys/dev/pci/if_iwx.c
+++ sys/dev/pci/if_iwx.c
@@ -7531,19 +7531,34 @@ iwx_run_stop(struct iwx_softc *sc)
 {
struct ieee80211com *ic = >sc_ic;
struct iwx_node *in = (void *)ic->ic_bss;
-   int err;
+   struct ieee80211_node *ni = >in_ni;
+   int err, i;
 
splassert(IPL_NET);
 
-   if (sc->sc_flags & IWX_FLAG_STA_ACTIVE) {
-   err = iwx_flush_sta(sc, in);
-   if (err) {
-   printf("%s: could not flush Tx path (error %d)\n",
-   DEVNAME(sc), err);
-   return err;
-   }
+   err = iwx_flush_sta(sc, in);
+   if (err) {
+   printf("%s: could not flush Tx path (error %d)\n",
+   DEVNAME(sc), err);
+   return err;
}
 
+   /*
+* Stop Rx BA sessions now. We cannot rely on the BA task
+* for this when moving out of RUN state since it runs in a
+* separate thread.
+* Note that in->in_ni (struct ieee80211_node) already represents
+* our new access point in case we are roaming between APs.
+* This means we cannot rely on struct ieee802111_node to tell
+* us which BA sessions exist.
+*/
+   for (i = 0; i < nitems(sc->sc_rxba_data); i++) {
+   struct iwx_rxba_data *rxba = >sc_rxba_data[i];
+   if (rxba->baid == IWX_RX_REORDER_DATA_INVALID_BAID)
+   continue;
+   iwx_sta_rx_agg(sc, ni, rxba->tid, 0, 0, 0, 0);
+   }
+
err = iwx_sf_config(sc, IWX_SF_INIT_OFF);
if (err)
return err;
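Review bot: The new comment block has a typo, `struct ieee802111_node` (three 1s) should read `struct ieee80211_node`, matching the `struct ieee80211_node *ni` declaration added at the top of the function. The loop that stops the Rx BA sessions also discards whatever iwx_sta_rx_agg reports, whereas the iwx_flush_sta call just above it returns on error; if that function can signal a failed ADD_STA command (its signature is outside the hunk), it would be consistent to at least log the failure here. The removed IWX_FLAG_STA_ACTIVE guard is justified in the description by the RUN-state invariant, but nothing in the code now records that assumption; a one-line comment such as `/* In RUN state the firmware station for our AP is always active. */` above the iwx_flush_sta call would keep the reasoning next to the code. iwx_run_stop continues past the end of the hunk.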
@@ -7869,7 +7884,6 @@ iwx_newstate(struct ieee80211com *ic, enum ieee80211_s
 {
struct ifnet *ifp = IC2IFP(ic);
struct iwx_softc *sc = ifp->if_softc;
-   int i;
 
/*
 * Prevent attemps to transition towards the same state, unless
@@ -7887,10 +7901,6 @@ iwx_newstate(struct ieee80211com *ic, enum ieee80211_s
memset(sc->setkey_arg, 0, sizeof(sc->setkey_arg));
sc->setkey_cur = sc->setkey_tail = sc->setkey_nkeys = 0;
iwx_del_task(sc, systq, >mac_ctxt_task);
-   for (i = 0; i < nitems(sc->sc_rxba_data); i++) {
-   struct iwx_rxba_data *rxba = >sc_rxba_data[i];
-   iwx_clear_reorder_buffer(sc, rxba);
-   }
}
 
sc->ns_nstate = nstate;



[PATCH] /etc/netstart: unquoted command substitution inside arithmetic expression

2021-10-08 Thread bm1les
Index: netstart
===
RCS file: /cvs/src/etc/netstart,v
retrieving revision 1.216
diff -u -p -u -r1.216 netstart
--- netstart2 Sep 2021 19:38:20 -   1.216
+++ netstart8 Oct 2021 02:43:30 -
@@ -365,7 +365,7 @@ ifmstart "tun tap gif etherip gre egre p
 if [[ $ip6kernel == YES ]]; then
# Ensure IPv6 Duplicate Address Detection (DAD) is completed.
count=0
-   while ((count++ < 10 && $(sysctl -n net.inet6.ip6.dad_pending) != 0)); 
do
+   while ((count++ < 10 && "$(sysctl -n net.inet6.ip6.dad_pending)" != 
0)); do
sleep 1
done
 fi