Re: [patch] relayd OCSP stapling for TLS server
On Fri, Jun 21, 2019 at 01:28:03PM +0200, Reyk Floeter wrote: > On Thu, Jun 20, 2019 at 07:58:10PM +0200, Bruno Flueckiger wrote: > > Hi, > > > > The patch below adds OCSP stapling to the TLS server in relayd(8). The > > OCSP response is read from a binary encoded DER file that can be created > > using ocspcheck(8). > > > > If a file with the same name as the certificate and private key files is > > found, its content is loaded and OCSP stapling is active. If there is no > > file or loading its content fails, OCSP stapling remains disabled. > > > > relayd(8) uses the same mechanism it uses to find the certificate file, > > only the file name extension is different: .der instead of .pem > > > > I had this diff finished more than a month ago, but it had to wait for > the SNI diff to go in. It is suprisingly similar to your version > except some minor difference in relay_tls_ctx_create(), the man page, > and the fact that I've decided for using ".ocsp" instead of ".der" for > the ending (as .der could be anything). > > OK? Reads fine. Would be nice to hear that this works for Bruno, but it is ok tb
[diff] www/libressl/papers.html - add video link
The following corresponds with the events.html patch... Ross Index: papers.html === RCS file: /cvs/www/libressl/papers.html,v retrieving revision 1.16 diff -u -p -r1.16 papers.html --- papers.html 13 Jun 2019 07:34:36 - 1.16 +++ papers.html 22 Jun 2019 04:20:59 - @@ -19,7 +19,7 @@ Presentations and Papers https://www.openbsd.org/papers/bsdcan2019-tls13.pdf";>Design and verification of the TLS 1.3 handshake state machine in LibreSSL by Theo Buehler - + (https://www.youtube.com/watch?v=gvmGfpMgny4";>video) Presentation: FSec 2015
[diff] events.html - add 2 more BSDCan 2019 videos
Probably in acceptable form :-) [Patch for www/libressl/papers.html should follow.] Ross Index: events.html === RCS file: /cvs/www/events.html,v retrieving revision 1.1174 diff -u -p -r1.1174 events.html --- events.html 18 Jun 2019 15:01:52 - 1.1174 +++ events.html 22 Jun 2019 04:09:17 - @@ -68,7 +68,9 @@ May 15-18, 2019, Ottawa, Canada. (http://bhyvecon.org/";>bhyvecon Ottawa 2019) Bob Beck - https://github.com/bob-beck/libtls/blob/master/TUTORIAL.md";>libtls for beginners conference tutorial -Theo Buehler - Design and verification of the TLS 1.3 handshake state machine in LibreSSL (slides) +Theo Buehler - Design and verification of the TLS 1.3 handshake state + machine in LibreSSL (slides, + https://www.youtube.com/watch?v=MCVIBwGOwNY";>video) Florian Obser - https://man.openbsd.org/unwind.8";>unwind(8) a privilege-separated, validating DNS recursive nameserver for every laptop (slides, @@ -82,7 +84,8 @@ May 15-18, 2019, Ottawa, Canada. (slides, https://www.youtube.com/watch?v=s6rAXaHylFM";>video) Bob Beck -Unveil in OpenBSD + Unveil in OpenBSD + (https://www.youtube.com/watch?v=gvmGfpMgny4";>video) Jan Klemkow - Network booted OpenBSD Workstations (slides, https://www.youtube.com/watch?v=kFqHXfWEB4o";>video)
Re: Pump my sched: fewer SCHED_LOCK() & kill p_priority
On Fri, Jun 21, 2019 at 05:11:26PM -0300, Martin Pieuchot wrote: > On 06/06/19(Thu) 15:16, Martin Pieuchot wrote: > > On 02/06/19(Sun) 16:41, Martin Pieuchot wrote: > > > On 01/06/19(Sat) 18:55, Martin Pieuchot wrote: > > > > Diff below exists mainly for documentation and test purposes. If > > > > you're not interested about how to break the scheduler internals in > > > > pieces, don't read further and go straight to testing! > > > > > > > > - First change is to stop calling tsleep(9) at PUSER. That makes > > > > it clear that all "sleeping priorities" are smaller than PUSER. > > > > That's important to understand for the diff below. `p_priority' > > > > is currently a placeholder for the "sleeping priority" and the > > > > "runnqueue priority". Both fields are separated by this diff. > > > > > > > > - When a thread goes to sleep, the priority argument of tsleep(9) is > > > > now recorded in `p_slpprio'. This argument can be considered as part > > > > of the sleep queue. Its purpose is to place the thread into a higher > > > > runqueue when awoken. > > > > > > > > - Currently, for stopped threads, `p_priority' correspond to > > > > `p_usrpri'. > > > > So setrunnable() has been untangled to place SSTOP and SSLEEP threads > > > > in the preferred queue without having to use `p_priority'. Note that > > > > `p_usrpri' is still recalculated *after* having called setrunqueue(). > > > > This is currently fine because setrunnable() is called with > > > > SCHED_LOCK() > > > > but it will be racy when we'll split it. > > > > > > > > - A new field, `p_runprio' has been introduced. It should be considered > > > > as part of the per-CPU runqueues. It indicates where a current thread > > > > is placed. > > > > > > > > - `spc_curpriority' is now updated at every context-switch. That means > > > >need_resched() won't be called after comparing an out-of-date value. > > > >At the same time, `p_usrpri' is initialized to the highest possible > > > >value for idle threads. > > > > > > > > - resched_proc() was calling need_resched() in the following conditions: > > > >- If the SONPROC thread has a higher priority that the current > > > > running thread (itself). > > > >- Twice in setrunnable() when we know that p_priority <= p_usrpri. > > > >- If schedcpu() considered that a thread, after updating its prio, > > > > should preempt the one running on the CPU pointed by `p_cpu'. > > > > > > > > The diff below simplify all of that by calling need_resched() when: > > > >- A thread is inserted in a CPU runqueue at a higher priority than > > > > the one SONPROC. > > > >- schedcpu() decides that a thread in SRUN state should preempt the > > > > one SONPROC. > > > > > > > > - `p_estcpu' `p_usrpri' and `p_slptime' which represent the "priority" > > > > of a thread are now updated while holding a per-thread mutex. As a > > > > result schedclock() and donice() no longer takes the SCHED_LOCK(), > > > > and schedcpu() almost never take it. > > > > > > > > - With this diff top(1) and ps(1) will report the "real" `p_usrpi' value > > > > when displaying priorities. This is helpful to understand what's > > > > happening: > > > > > > > > load averages: 0.99, 0.56, 0.25 two.lab.grenadille.net > > > > 23:42:10 > > > > 70 threads: 68 idle, 2 on processor > > > > up 0:09 > > > > CPU0: 0.0% user, 0.0% nice, 51.0% sys, 2.0% spin, 0.0% intr, 47.1% > > > > idle > > > > CPU1: 2.0% user, 0.0% nice, 51.0% sys, 3.9% spin, 0.0% intr, 43.1% > > > > idle > > > > Memory: Real: 47M/1005M act/tot Free: 2937M Cache: 812M Swap: 0K/4323M > > > > > > > > PID TID PRI NICE SIZE RES STATE WAIT TIMECPU > > > > COMMAND > > > > 81000 145101 7200K 1664K sleep/1 bored 1:15 36.96% > > > > softnet > > > > 47133 244097 730 2984K 4408K sleep/1 netio 1:06 35.06% cvs > > > > 64749 522184 660 176K 148K onproc/1 - 0:55 28.81% nfsd > > > > 21615 602473 12700K 1664K sleep/0 - 7:22 0.00% > > > > idle0 > > > > 12413 606242 12700K 1664K sleep/1 - 7:08 0.00% > > > > idle1 > > > > 85778 338258 500 4936K 7308K idle select0:10 0.00% ssh > > > > > > > > 22771 575513 500 176K 148K sleep/0 nfsd 0:02 0.00% > > > > nfsd > > > > > > > > > > > > > > > > - The removal of `p_priority' and the change that makes mi_switch() > > > > always update `spc_curpriority' might introduce some changes in > > > > behavior, especially with kernel threads that were not going through > > > > tsleep(9). We currently have some situations where the priority of > > > > the running thread isn't correctly reflected. This diff changes that > > > > which means we should be able to better understand where the problems > > > > are. > > > > > > > > I'd be interested in
beep: use timeout_add_msec(9)
timeout_add(struct timeout *to, int ticks) waits `ticks / hz' seconds, which is ((period * hz) / 1000) / hz [s] = period / 1000 [s] = period [ms] in these cases. With the zero check, this perfectly matches the millisecond version. This conversion by itself also lifts the implicit expection of `period' to be evenly divisible by ten; in case it was not, integer division would truncate it. To cross check this w.r.t. `period's order of magnitude and unit, see how /usr/src/sys/wscons/wskbd.c sets it up. In particular: 254:#define WSKBD_DEFAULT_BELL_PERIOD 100 /* 100ms */ Feedback? OK? Index: arch/sparc64/dev//beep.c === RCS file: /cvs/src/sys/arch/sparc64/dev/beep.c,v retrieving revision 1.8 diff -u -p -r1.8 beep.c --- arch/sparc64/dev//beep.c8 Sep 2017 05:36:52 - 1.8 +++ arch/sparc64/dev//beep.c21 Jun 2019 19:30:08 - @@ -218,11 +218,7 @@ void beep_bell(void *vsc, u_int pitch, u_int period, u_int volume, int poll) { struct beep_softc *sc = vsc; - int s, nticks; - - nticks = (period * hz) / 1000; - if (nticks <= 0) - nticks = 1; + int s; s = spltty(); if (sc->sc_bellactive) { @@ -239,7 +235,7 @@ beep_bell(void *vsc, u_int pitch, u_int sc->sc_belltimeout = 1; bus_space_write_1(sc->sc_iot, sc->sc_ioh, BEEP_CTRL, BEEP_CTRL_ON); - timeout_add(&sc->sc_to, nticks); + timeout_add_msec(&sc->sc_to, period); } splx(s); } Index: arch/sparc64/dev//beeper.c === RCS file: /cvs/src/sys/arch/sparc64/dev/beeper.c,v retrieving revision 1.12 diff -u -p -r1.12 beeper.c --- arch/sparc64/dev//beeper.c 8 Sep 2017 05:36:52 - 1.12 +++ arch/sparc64/dev//beeper.c 21 Jun 2019 19:35:59 - @@ -147,11 +147,7 @@ beeper_bell(vsc, pitch, period, volume, int poll; { struct beeper_softc *sc = vsc; - int s, nticks; - - nticks = (period * hz) / 1000; - if (nticks <= 0) - nticks = 1; + int s; s = spltty(); if (sc->sc_bellactive) { @@ -167,7 +163,7 @@ beeper_bell(vsc, pitch, period, volume, sc->sc_bellactive = 1; sc->sc_belltimeout = 1; bus_space_write_4(sc->sc_iot, sc->sc_ioh, BEEP_REG, 1); - timeout_add(&sc->sc_to, nticks); + timeout_add_msec(&sc->sc_to, period); } splx(s); }
Re: another go at bypass support for sparc64 iommu and BUS_DMA_64BIT
> Date: Tue, 11 Jun 2019 11:51:51 +1000 > From: David Gwynne > > this is a reposting of the diff i sent out a while back. it lets sparc64 > enable iommu bypass, and then uses that bypass support for BUS_DMA_64BIT > dmamaps. > > the main benefit is around performance. without this diff on an M4000, > tcpbench can do about 70Mbps before the system is CPU bound. all that > cpu time is in the iommu tte management. with this diff and an > appropriate network driver, tcpbench does 940 Mbps and the box is mostly > idle. that is a 1300 percent improvement in network transfer speed. if > you factor the cpu time benefits it would be another order of magnitude > improvement. > > kernel build times are slightly improved with this diff on mpii. system > time is about 5 percent less, but there's also a lot less I/O when > you're mostly running a compiler. > > i hit an edge case with my previous diff that i believe is fixed with > this one. this one properly checks boundaries, segment sizes, and number > of segments for things like mbufs. i got lucky previously with the > drivers i was using. Looks mostly ok, one request below. With that fixed, ok kettenis@ > Index: dev/iommu.c > === > RCS file: /cvs/src/sys/arch/sparc64/dev/iommu.c,v > retrieving revision 1.75 > diff -u -p -r1.75 iommu.c > --- dev/iommu.c 25 May 2017 03:19:39 - 1.75 > +++ dev/iommu.c 11 Jun 2019 01:37:25 - > @@ -87,6 +87,8 @@ void iommu_dvmamap_print_map(bus_dma_tag > bus_dmamap_t); > int iommu_dvmamap_append_range(bus_dma_tag_t, bus_dmamap_t, paddr_t, > bus_size_t, int, bus_size_t); > +int iommu_dvmamap_insert(bus_dma_tag_t, bus_dmamap_t, bus_addr_t, > +bus_size_t, int, bus_size_t); > int64_t iommu_tsb_entry(struct iommu_state *, bus_addr_t); > void strbuf_reset(struct strbuf_ctl *); > int iommu_iomap_insert_page(struct iommu_map_state *, paddr_t); > @@ -100,6 +102,25 @@ void iommu_iomap_clear_pages(struct iomm > void _iommu_dvmamap_sync(bus_dma_tag_t, bus_dma_tag_t, bus_dmamap_t, > bus_addr_t, bus_size_t, int); > > +void iommu_hw_enable(struct iommu_state *); > + > +const struct iommu_hw iommu_hw_default = { > + .ihw_enable = iommu_hw_enable, > + > + .ihw_dvma_pa= IOTTE_PAMASK, > + > + .ihw_bypass = 0x3fffUL << 50, > + .ihw_bypass_nc = 0, > + .ihw_bypass_ro = 0, > +}; > + > +void > +iommu_hw_enable(struct iommu_state *is) > +{ > + IOMMUREG_WRITE(is, iommu_tsb, is->is_ptsb); > + IOMMUREG_WRITE(is, iommu_cr, IOMMUCR_EN | (is->is_tsbsize << 16)); > +} > + > /* > * Initiate an STC entry flush. > */ > @@ -125,7 +146,8 @@ iommu_strbuf_flush(struct strbuf_ctl *sb > * - create a private DVMA map. > */ > void > -iommu_init(char *name, struct iommu_state *is, int tsbsize, u_int32_t > iovabase) > +iommu_init(char *name, const struct iommu_hw *ihw, struct iommu_state *is, > +int tsbsize, u_int32_t iovabase) > { > psize_t size; > vaddr_t va; > @@ -149,13 +171,9 @@ iommu_init(char *name, struct iommu_stat >* be hard-wired, so we read the start and size from the PROM and >* just use those values. >*/ > - if (strncmp(name, "pyro", 4) == 0) { > - is->is_cr = IOMMUREG_READ(is, iommu_cr); > - is->is_cr &= ~IOMMUCR_FIRE_BE; > - is->is_cr |= (IOMMUCR_FIRE_SE | IOMMUCR_FIRE_CM_EN | > - IOMMUCR_FIRE_TE); > - } else > - is->is_cr = IOMMUCR_EN; > + > + is->is_hw = ihw; > + > is->is_tsbsize = tsbsize; > if (iovabase == (u_int32_t)-1) { > is->is_dvmabase = IOTSB_VSTART(is->is_tsbsize); > @@ -237,15 +255,6 @@ iommu_init(char *name, struct iommu_stat > mtx_init(&is->is_mtx, IPL_HIGH); > > /* > - * Set the TSB size. The relevant bits were moved to the TSB > - * base register in the PCIe host bridges. > - */ > - if (strncmp(name, "pyro", 4) == 0) > - is->is_ptsb |= is->is_tsbsize; > - else > - is->is_cr |= (is->is_tsbsize << 16); > - > - /* >* Now actually start up the IOMMU. >*/ > iommu_reset(is); > @@ -262,10 +271,7 @@ iommu_reset(struct iommu_state *is) > { > int i; > > - IOMMUREG_WRITE(is, iommu_tsb, is->is_ptsb); > - > - /* Enable IOMMU */ > - IOMMUREG_WRITE(is, iommu_cr, is->is_cr); > + (*is->is_hw->ihw_enable)(is); > > for (i = 0; i < 2; ++i) { > struct strbuf_ctl *sb = is->is_sb[i]; > @@ -280,7 +286,7 @@ iommu_reset(struct iommu_state *is) > printf(", STC%d enabled", i); > } > > - if (is->is_flags & IOMMU_FLUSH_CACHE) > + if (ISSET(is->is_hw->ihw_flags, IOMMU_HW_FLUSH_CACHE)) > IOMMUREG_WRITE(is, iommu_cache_invalidate, -1ULL); > } > > @@ -433,7 +439,7 @@ iommu_extract(struct iommu_state *is, bu > if (dva >= is->is_dvmabase && dva <= is->is_dvmaend) >
Re: pppx(4) free sizes
OK kn
Re: M_RTABLE free sizes
On Fri, Jun 21, 2019 at 05:08:15PM -0300, Martin Pieuchot wrote: > ok? OK, one comment inline. > Index: net/radix.c > === > RCS file: /cvs/src/sys/net/radix.c,v > retrieving revision 1.58 > diff -u -p -r1.58 radix.c > --- net/radix.c 20 Jun 2017 09:03:39 - 1.58 > +++ net/radix.c 21 Jun 2019 20:00:44 - > @@ -457,7 +457,7 @@ rn_addmask(void *n_arg, int search, int > tm = rn_insert(cp, mask_rnhead, &maskduplicated, tm); > if (maskduplicated) { > log(LOG_ERR, "%s: mask impossibly already in tree\n", __func__); > - free(saved_tm, M_RTABLE, 0); > + free(saved_tm, M_RTABLE, max_keylen + 2 * sizeof (*tm)); Although the same due to `saved_tm = tm', using `saved_tm' here^ is more consistent and obvious on its own. > return (tm); > } > /*
Re: Pump my sched: fewer SCHED_LOCK() & kill p_priority
On 06/06/19(Thu) 15:16, Martin Pieuchot wrote: > On 02/06/19(Sun) 16:41, Martin Pieuchot wrote: > > On 01/06/19(Sat) 18:55, Martin Pieuchot wrote: > > > Diff below exists mainly for documentation and test purposes. If > > > you're not interested about how to break the scheduler internals in > > > pieces, don't read further and go straight to testing! > > > > > > - First change is to stop calling tsleep(9) at PUSER. That makes > > > it clear that all "sleeping priorities" are smaller than PUSER. > > > That's important to understand for the diff below. `p_priority' > > > is currently a placeholder for the "sleeping priority" and the > > > "runnqueue priority". Both fields are separated by this diff. > > > > > > - When a thread goes to sleep, the priority argument of tsleep(9) is > > > now recorded in `p_slpprio'. This argument can be considered as part > > > of the sleep queue. Its purpose is to place the thread into a higher > > > runqueue when awoken. > > > > > > - Currently, for stopped threads, `p_priority' correspond to `p_usrpri'. > > > So setrunnable() has been untangled to place SSTOP and SSLEEP threads > > > in the preferred queue without having to use `p_priority'. Note that > > > `p_usrpri' is still recalculated *after* having called setrunqueue(). > > > This is currently fine because setrunnable() is called with > > > SCHED_LOCK() > > > but it will be racy when we'll split it. > > > > > > - A new field, `p_runprio' has been introduced. It should be considered > > > as part of the per-CPU runqueues. It indicates where a current thread > > > is placed. > > > > > > - `spc_curpriority' is now updated at every context-switch. That means > > >need_resched() won't be called after comparing an out-of-date value. > > >At the same time, `p_usrpri' is initialized to the highest possible > > >value for idle threads. > > > > > > - resched_proc() was calling need_resched() in the following conditions: > > >- If the SONPROC thread has a higher priority that the current > > > running thread (itself). > > >- Twice in setrunnable() when we know that p_priority <= p_usrpri. > > >- If schedcpu() considered that a thread, after updating its prio, > > > should preempt the one running on the CPU pointed by `p_cpu'. > > > > > > The diff below simplify all of that by calling need_resched() when: > > >- A thread is inserted in a CPU runqueue at a higher priority than > > > the one SONPROC. > > >- schedcpu() decides that a thread in SRUN state should preempt the > > > one SONPROC. > > > > > > - `p_estcpu' `p_usrpri' and `p_slptime' which represent the "priority" > > > of a thread are now updated while holding a per-thread mutex. As a > > > result schedclock() and donice() no longer takes the SCHED_LOCK(), > > > and schedcpu() almost never take it. > > > > > > - With this diff top(1) and ps(1) will report the "real" `p_usrpi' value > > > when displaying priorities. This is helpful to understand what's > > > happening: > > > > > > load averages: 0.99, 0.56, 0.25 two.lab.grenadille.net > > > 23:42:10 > > > 70 threads: 68 idle, 2 on processorup > > > 0:09 > > > CPU0: 0.0% user, 0.0% nice, 51.0% sys, 2.0% spin, 0.0% intr, 47.1% > > > idle > > > CPU1: 2.0% user, 0.0% nice, 51.0% sys, 3.9% spin, 0.0% intr, 43.1% > > > idle > > > Memory: Real: 47M/1005M act/tot Free: 2937M Cache: 812M Swap: 0K/4323M > > > > > > PID TID PRI NICE SIZE RES STATE WAIT TIMECPU > > > COMMAND > > > 81000 145101 7200K 1664K sleep/1 bored 1:15 36.96% > > > softnet > > > 47133 244097 730 2984K 4408K sleep/1 netio 1:06 35.06% cvs > > > 64749 522184 660 176K 148K onproc/1 - 0:55 28.81% nfsd > > > 21615 602473 12700K 1664K sleep/0 - 7:22 0.00% idle0 > > > > > > 12413 606242 12700K 1664K sleep/1 - 7:08 0.00% idle1 > > > 85778 338258 500 4936K 7308K idle select0:10 0.00% ssh > > > 22771 575513 500 176K 148K sleep/0 nfsd 0:02 0.00% nfsd > > > > > > > > > > > > - The removal of `p_priority' and the change that makes mi_switch() > > > always update `spc_curpriority' might introduce some changes in > > > behavior, especially with kernel threads that were not going through > > > tsleep(9). We currently have some situations where the priority of > > > the running thread isn't correctly reflected. This diff changes that > > > which means we should be able to better understand where the problems > > > are. > > > > > > I'd be interested in comments/tests/reviews before continuing in this > > > direction. Note that at least part of this diff are required to split > > > the accounting apart from the SCHED_LOCK() as well. > > > > > > I'll also work on exporting scheduler statistics unless somebody wants > > > to bea
M_RTABLE free sizes
ok? Index: net/pf_table.c === RCS file: /cvs/src/sys/net/pf_table.c,v retrieving revision 1.130 diff -u -p -r1.130 pf_table.c --- net/pf_table.c 10 Dec 2018 16:48:15 - 1.130 +++ net/pf_table.c 21 Jun 2019 20:04:28 - @@ -2051,9 +2051,9 @@ pfr_destroy_ktable(struct pfr_ktable *kt pfr_destroy_kentries(&addrq); } if (kt->pfrkt_ip4 != NULL) - free((caddr_t)kt->pfrkt_ip4, M_RTABLE, 0); + free(kt->pfrkt_ip4, M_RTABLE, sizeof(*kt->pfrkt_ip4)); if (kt->pfrkt_ip6 != NULL) - free((caddr_t)kt->pfrkt_ip6, M_RTABLE, 0); + free(kt->pfrkt_ip6, M_RTABLE, sizeof(*kt->pfrkt_ip6)); if (kt->pfrkt_shadow != NULL) pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr); if (kt->pfrkt_rs != NULL) { Index: net/radix.c === RCS file: /cvs/src/sys/net/radix.c,v retrieving revision 1.58 diff -u -p -r1.58 radix.c --- net/radix.c 20 Jun 2017 09:03:39 - 1.58 +++ net/radix.c 21 Jun 2019 20:00:44 - @@ -457,7 +457,7 @@ rn_addmask(void *n_arg, int search, int tm = rn_insert(cp, mask_rnhead, &maskduplicated, tm); if (maskduplicated) { log(LOG_ERR, "%s: mask impossibly already in tree\n", __func__); - free(saved_tm, M_RTABLE, 0); + free(saved_tm, M_RTABLE, max_keylen + 2 * sizeof (*tm)); return (tm); } /* Index: netinet/ip_spd.c === RCS file: /cvs/src/sys/netinet/ip_spd.c,v retrieving revision 1.99 diff -u -p -r1.99 ip_spd.c --- netinet/ip_spd.c22 Oct 2018 15:32:19 - 1.99 +++ netinet/ip_spd.c21 Jun 2019 19:59:28 - @@ -93,7 +93,8 @@ spd_table_add(unsigned int rtableid) if (spd_tables != NULL) { memcpy(p, spd_tables, sizeof(*rnh) * (spd_table_max+1)); - free(spd_tables, M_RTABLE, 0); + free(spd_tables, M_RTABLE, + sizeof(*rnh) * (spd_table_max+1)); } spd_tables = p; spd_table_max = rdomain;
pppx(4) free sizes
ok? Index: net/if_pppx.c === RCS file: /cvs/src/sys/net/if_pppx.c,v retrieving revision 1.67 diff -u -p -r1.67 if_pppx.c --- net/if_pppx.c 4 Mar 2019 18:41:40 - 1.67 +++ net/if_pppx.c 21 Jun 2019 19:57:17 - @@ -599,11 +599,11 @@ pppxclose(dev_t dev, int flags, int mode mq_purge(&pxd->pxd_svcq); - free(pxd, M_DEVBUF, 0); + free(pxd, M_DEVBUF, sizeof(*pxd)); if (LIST_EMPTY(&pppx_devs)) { pool_destroy(pppx_if_pl); - free(pppx_if_pl, M_DEVBUF, 0); + free(pppx_if_pl, M_DEVBUF, sizeof(*pppx_if_pl)); pppx_if_pl = NULL; } @@ -652,7 +652,7 @@ pppx_if_find(struct pppx_dev *pxd, int s p = NULL; rw_exit_read(&pppx_ifs_lk); - free(s, M_DEVBUF, 0); + free(s, M_DEVBUF, sizeof(*s)); return (p); }
Re: bgpd, change peer id allocation a little bit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2019.06.21 10:22:23 +0200: > For a diff I'm working on I need to have a peer id that is never used. > Because of this I changed the way we allocate peer ids a little bit by > introducing a few defines and using them instead. > > OK? read ok. > -- > :wq Claudio > > Index: bgpd.h > === > RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v > retrieving revision 1.387 > diff -u -p -r1.387 bgpd.h > --- bgpd.h17 Jun 2019 21:17:04 - 1.387 > +++ bgpd.h21 Jun 2019 07:52:34 - > @@ -397,6 +397,12 @@ struct peer_config { > u_int8_t flags; > }; > > +#define PEER_ID_NONE0 > +#define PEER_ID_SELF1 > +#define PEER_ID_STATIC_MIN 2 /* exclude self */ > +#define PEER_ID_STATIC_MAX (UINT_MAX / 2) > +#define PEER_ID_DYN_MAX UINT_MAX > + > #define PEERFLAG_TRANS_AS0x01 > #define PEERFLAG_LOG_UPDATES 0x02 > > Index: parse.y > === > RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v > retrieving revision 1.391 > diff -u -p -r1.391 parse.y > --- parse.y 17 Jun 2019 13:35:42 - 1.391 > +++ parse.y 21 Jun 2019 07:49:58 - > @@ -3952,7 +3952,7 @@ find_prefixset(char *name, struct prefix > int > get_id(struct peer *newpeer) > { > - static u_int32_t id = 1; > + static u_int32_t id = PEER_ID_STATIC_MIN; > struct peer *p = NULL; > > /* check if the peer already existed before */ > @@ -3982,7 +3982,7 @@ get_id(struct peer *newpeer) > } > > /* else new one */ > - if (id < UINT_MAX / 2) { > + if (id < PEER_ID_STATIC_MAX) { > newpeer->conf.id = id++; > return (0); > } > Index: rde.c > === > RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v > retrieving revision 1.471 > diff -u -p -r1.471 rde.c > --- rde.c 20 Jun 2019 13:18:19 - 1.471 > +++ rde.c 21 Jun 2019 07:46:38 - > @@ -3322,7 +3322,7 @@ peer_init(u_int32_t hashsize) > bzero(&pc, sizeof(pc)); > snprintf(pc.descr, sizeof(pc.descr), "LOCAL"); > > - peerself = peer_add(0, &pc); > + peerself = peer_add(PEER_ID_SELF, &pc); > if (peerself == NULL) > fatalx("peer_init add self"); > > Index: session.c > === > RCS file: /cvs/src/usr.sbin/bgpd/session.c,v > retrieving revision 1.385 > diff -u -p -r1.385 session.c > --- session.c 17 Jun 2019 21:17:04 - 1.385 > +++ session.c 21 Jun 2019 07:52:53 - > @@ -2947,7 +2947,7 @@ getpeerbyip(struct bgpd_config *c, struc > if ((newpeer = malloc(sizeof(struct peer))) == NULL) > fatal(NULL); > memcpy(newpeer, loose, sizeof(struct peer)); > - for (id = UINT_MAX; id > UINT_MAX / 2; id--) { > + for (id = PEER_ID_DYN_MAX; id > PEER_ID_STATIC_MAX; id--) { > RB_FOREACH(p, peer_head, &conf->peers) > if (p->conf.id == id) > break; >
[amdgpu] IH ring buffer overflow -> ring gfx timeout -> drm is frozen
>Synopsis: ring gfx timeout, drm is frozen >Category: amdgpu >Environment: System : OpenBSD 6.5 Details : OpenBSD 6.5-current (GENERIC.MP) #0: Fri Jun 21 17:17:18 CEST 2019 charlene@yutaka.localdomain:/sys/arch/amd64/compile/GENERIC.MP Architecture: OpenBSD.amd64 Machine : amd64 >Description: The video card is a Sapphire PULSE RX560: https://www.sapphiretech.com/en/consumer/pulse-rx-560-4g-g5-14-cu A Xorg.log can be found here: http://0x0.st/z2r8.old Here is the kernel message: drm_sched_entity_fini: stub drm_sched_entity_fini: stub drm:pid27263:tonga_ih_get_wptr *WARNING* IH ring buffer overflow (0x00083140, 0x5930, 0x3150) [drm] *ERROR* ring gfx timeout, signaled seq=91125, emitted seq=91127 (i don't know what is the best choice for debugging options, so i have just this, i would happily rebuild a kernel with the proper ones) While playing using the PPSSPP emulator (OpenGL), drm(4) sometimes freezes indefinitely. The system keeps being responsive, the game continues, but you can't access consoles and X11 is totally stuck. The only clean exit is to ssh to the box and reboot. >How-To-Repeat: There is no way to reliably reproduce the bug. It happened in the first underwater tunnel in Wipeout Pure's Vineta K track and also in Wipeout Pulse's Platinum Rush track, in the "gap". >Fix: None known. dmesg: OpenBSD 6.5-current (GENERIC.MP) #0: Fri Jun 21 17:17:18 CEST 2019 charlene@yutaka.localdomain:/sys/arch/amd64/compile/GENERIC.MP real mem = 25687126016 (24497MB) avail mem = 24896004096 (23742MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xe6b60 (64 entries) bios0: vendor American Megatrends Inc. version "1201" date 04/25/2019 bios0: ASUSTeK COMPUTER INC. PRIME B450M-A acpi0 at bios0: ACPI 6.0 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC FPDT FIDT SSDT SSDT SSDT SSDT MCFG HPET SSDT UEFI BGRT IVRS SSDT CRAT CDIT SSDT SSDT acpi0: wakeup devices GPP0(S4) GPP0(S4) GPP1(S4) GPP3(S4) GPP4(S4) GPP5(S4) GPP6(S4) GPP7(S4) GPP8(S4) X161(S4) GPP9(S4) X162(S4) GPPA(S4) GPPB(S4) GPPC(S4) GPPD(S4) [...] acpitimer0 at acpi0: 3579545 Hz, 32 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD Ryzen 5 2600 Six-Core Processor, 3843.41 MHz, 17-08-02 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES cpu0: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 8-way L2 cache, 16MB 64b/line 16-way L3 cache cpu0: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, C-substates=1.1, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: AMD Ryzen 5 2600 Six-Core Processor, 3842.78 MHz, 17-08-02 cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES cpu1: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 8-way L2 cache, 16MB 64b/line 16-way L3 cache cpu1: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 4 (application processor) cpu2: AMD Ryzen 5 2600 Six-Core Processor, 3842.78 MHz, 17-08-02 cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES cpu2: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 64b/line 8-way L2 cache, 16MB 64b/line 16-way L3 cache cpu2: ITLB 64 4KB
Re: more doas.1 tweaks
On Fri, Jun 21, 2019 at 12:50:06PM -0400, Ted Unangst wrote: > I think this wording clarifies what's happening. > > 1. Start by talking about creating a new environment. That's what we always > do. Everything afterwards is an operation performed on this new environment. > > 2. Move the list of magic variables out of doas.conf. I think it's better to > document this in one place. Note that setenv comes after everything else. > > 3. Add DOAS_USER to the list of variables set. > > hi. i think this is a bit clearer, and i like your new wording better. ok by me. jmc > Index: doas.1 > === > RCS file: /cvs/src/usr.bin/doas/doas.1,v > retrieving revision 1.21 > diff -u -p -r1.21 doas.1 > --- doas.119 Jun 2019 09:50:13 - 1.21 > +++ doas.121 Jun 2019 16:46:28 - > @@ -40,7 +40,7 @@ or > .Fl s > is specified. > .Pp > -By default, the environment is reset. > +By default, a new environment is created. > The variables > .Ev HOME , > .Ev LOGNAME , > @@ -51,6 +51,9 @@ and > and the > .Xr umask 2 > are set to values appropriate for the target user. > +.Ev DOAS_USER > +is set to the name of the user executing > +.Nm . > The variables > .Ev DISPLAY > and > Index: doas.conf.5 > === > RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v > retrieving revision 1.38 > diff -u -p -r1.38 doas.conf.5 > --- doas.conf.5 19 Jun 2019 09:55:55 - 1.38 > +++ doas.conf.5 21 Jun 2019 16:46:28 - > @@ -49,22 +49,11 @@ The user is not required to enter a pass > After the user successfully authenticates, do not ask for a password > again for some time. > .It Ic keepenv > -The user's environment is maintained. > -The default is to retain the variables > -.Ev DISPLAY > -and > -.Ev TERM > -from the invoking process, reset > -.Ev HOME , > -.Ev LOGNAME , > -.Ev PATH , > -.Ev SHELL , > -and > -.Ev USER > -as appropriate for the target user, and discard the rest of the environment. > +Environment variables other than those listed in > +.Xr doas 1 > +are retained when creating the environment for the new process. > .It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic } > -In addition to the variables mentioned above, keep the space-separated > -specified variables. > +Keep or set the space-separated specified variables. > Variables may also be removed with a leading > .Sq - > or set using the latter syntax. > @@ -74,6 +63,7 @@ is a > .Ql $ > then the value to be set is taken from the existing environment > variable of the indicated name. > +This option is processed after the default environment has been created. > .El > .It Ar identity > The username to match. >
more doas.1 tweaks
I think this wording clarifies what's happening. 1. Start by talking about creating a new environment. That's what we always do. Everything afterwards is an operation performed on this new environment. 2. Move the list of magic variables out of doas.conf. I think it's better to document this in one place. Note that setenv comes after everything else. 3. Add DOAS_USER to the list of variables set. Index: doas.1 === RCS file: /cvs/src/usr.bin/doas/doas.1,v retrieving revision 1.21 diff -u -p -r1.21 doas.1 --- doas.1 19 Jun 2019 09:50:13 - 1.21 +++ doas.1 21 Jun 2019 16:46:28 - @@ -40,7 +40,7 @@ or .Fl s is specified. .Pp -By default, the environment is reset. +By default, a new environment is created. The variables .Ev HOME , .Ev LOGNAME , @@ -51,6 +51,9 @@ and and the .Xr umask 2 are set to values appropriate for the target user. +.Ev DOAS_USER +is set to the name of the user executing +.Nm . The variables .Ev DISPLAY and Index: doas.conf.5 === RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v retrieving revision 1.38 diff -u -p -r1.38 doas.conf.5 --- doas.conf.5 19 Jun 2019 09:55:55 - 1.38 +++ doas.conf.5 21 Jun 2019 16:46:28 - @@ -49,22 +49,11 @@ The user is not required to enter a pass After the user successfully authenticates, do not ask for a password again for some time. .It Ic keepenv -The user's environment is maintained. -The default is to retain the variables -.Ev DISPLAY -and -.Ev TERM -from the invoking process, reset -.Ev HOME , -.Ev LOGNAME , -.Ev PATH , -.Ev SHELL , -and -.Ev USER -as appropriate for the target user, and discard the rest of the environment. +Environment variables other than those listed in +.Xr doas 1 +are retained when creating the environment for the new process. .It Ic setenv { Oo Ar variable ... Oc Oo Ar variable=value ... Oc Ic } -In addition to the variables mentioned above, keep the space-separated -specified variables. +Keep or set the space-separated specified variables. Variables may also be removed with a leading .Sq - or set using the latter syntax. @@ -74,6 +63,7 @@ is a .Ql $ then the value to be set is taken from the existing environment variable of the indicated name. +This option is processed after the default environment has been created. .El .It Ar identity The username to match.
bgpd, link prefix directly with prefix table entry
The Adj-RIB-Out is a bottleneck on route servers with many peers. The problem is that all outgoing prefixes are part of a linear list in struct rib_entry. Solving this requiers that the Adj-RIB-Out no longer uses the rib_entry pointer. So the first step is to add a pointer to the prefix table entry (the actuall IP prefix) directly into struct prefix. This diff implements this and replaces all p->re->prefix with direct p->pt references. Most of it is mechanical. I also adjusted pt_ref and pt_unref a bit to simplify the code a bit and prefix_cmp() is now calling pt_prefix_cmp directly and no longer goes via rib_compare(). OK? -- :wq Claudio Index: mrt.c === RCS file: /cvs/src/usr.sbin/bgpd/mrt.c,v retrieving revision 1.94 diff -u -p -r1.94 mrt.c --- mrt.c 7 Mar 2019 07:42:36 - 1.94 +++ mrt.c 10 Mar 2019 11:32:47 - @@ -290,7 +290,7 @@ mrt_dump_entry_mp(struct mrt *mrt, struc DUMP_SHORT(h2buf, /* ifindex */ 0); /* XXX is this for peer self? */ - aid = peer->remote_addr.aid == AID_UNSPEC ? p->re->prefix->aid : + aid = peer->remote_addr.aid == AID_UNSPEC ? p->pt->aid : peer->remote_addr.aid; switch (aid) { case AID_INET: @@ -317,7 +317,7 @@ mrt_dump_entry_mp(struct mrt *mrt, struc DUMP_SHORT(h2buf, 1); /* status */ DUMP_LONG(h2buf, p->lastchange);/* originated */ - pt_getaddr(p->re->prefix, &addr); + pt_getaddr(p->pt, &addr); n = prefix_nexthop(p); if (n == NULL) { @@ -348,7 +348,7 @@ mrt_dump_entry_mp(struct mrt *mrt, struc goto fail; } - if (prefix_writebuf(h2buf, &addr, p->re->prefix->prefixlen) == -1) { + if (prefix_writebuf(h2buf, &addr, p->pt->prefixlen) == -1) { log_warn("mrt_dump_entry_mp: prefix_writebuf error"); goto fail; } @@ -384,8 +384,8 @@ mrt_dump_entry(struct mrt *mrt, struct p u_int16_tsubtype; u_int8_t dummy; - if (p->re->prefix->aid != peer->remote_addr.aid && - p->re->prefix->aid != AID_INET && p->re->prefix->aid != AID_INET6) + if (p->pt->aid != peer->remote_addr.aid && + p->pt->aid != AID_INET && p->pt->aid != AID_INET6) /* only able to dump pure IPv4/IPv6 */ return (0); @@ -397,7 +397,7 @@ mrt_dump_entry(struct mrt *mrt, struct p nexthop = prefix_nexthop(p); if (nexthop == NULL) { bzero(&addr, sizeof(struct bgpd_addr)); - addr.aid = p->re->prefix->aid; + addr.aid = p->pt->aid; nh = &addr; } else nh = &nexthop->exit_nexthop; @@ -407,7 +407,7 @@ mrt_dump_entry(struct mrt *mrt, struct p return (-1); } len = ibuf_size(buf); - aid2afi(p->re->prefix->aid, &subtype, &dummy); + aid2afi(p->pt->aid, &subtype, &dummy); if (mrt_dump_hdr_rde(&hbuf, MSG_TABLE_DUMP, subtype, len) == -1) { ibuf_free(buf); return (-1); @@ -416,8 +416,8 @@ mrt_dump_entry(struct mrt *mrt, struct p DUMP_SHORT(hbuf, 0); DUMP_SHORT(hbuf, snum); - pt_getaddr(p->re->prefix, &addr); - switch (p->re->prefix->aid) { + pt_getaddr(p->pt, &addr); + switch (p->pt->aid) { case AID_INET: DUMP_NLONG(hbuf, addr.v4.s_addr); break; @@ -428,11 +428,11 @@ mrt_dump_entry(struct mrt *mrt, struct p } break; } - DUMP_BYTE(hbuf, p->re->prefix->prefixlen); + DUMP_BYTE(hbuf, p->pt->prefixlen); DUMP_BYTE(hbuf, 1); /* state */ DUMP_LONG(hbuf, p->lastchange); /* originated */ - switch (p->re->prefix->aid) { + switch (p->pt->aid) { case AID_INET: DUMP_NLONG(hbuf, peer->remote_addr.v4.s_addr); break; Index: rde.c === RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v retrieving revision 1.471 diff -u -p -r1.471 rde.c --- rde.c 20 Jun 2019 13:18:19 - 1.471 +++ rde.c 20 Jun 2019 13:22:20 - @@ -2234,11 +2234,11 @@ rde_dump_rib_as(struct prefix *p, struct /* announced network may have a NULL nexthop */ bzero(&rib.true_nexthop, sizeof(rib.true_nexthop)); bzero(&rib.exit_nexthop, sizeof(rib.exit_nexthop)); - rib.true_nexthop.aid = p->re->prefix->aid; - rib.exit_nexthop.aid = p->re->prefix->aid; + rib.true_nexthop.aid = p->pt->aid; + rib.exit_nexthop.aid = p->pt->aid; } - pt_getaddr(p->re->prefix, &rib.prefix); - rib.prefixlen = p->re->prefix->prefixlen; + pt_getaddr(p->pt, &rib.prefix); + rib.prefixlen = p->pt->prefixlen; rib.origin = asp->origin; rib
Re: Qt5's libtool link scripts are unusable
On Thu, Jun 20, 2019 at 09:41:23PM +0200, Rafael Sadowski wrote: > This's what Qt 5.13 doas. They use "<< endl;" instead of "<< "\n";", I > would like to prefer that. std::endl calls std::flush which synchronizes > with the underlying storage device. > > RS I agree with using endl if that's what Qt 5.13 does. But it's one specific case where you really do not give a fuck about flushing. After all you are generating a Makefile. Who cares about synchronizing after each single line ?
Re: bgpd, change peer id allocation a little bit
OK kn
Re: [patch] rsync: fix free() on uninitialized pointer with -rx and same device
On Wed, Jun 12, 2019 at 06:58:31PM +0200, Hiltjo Posthuma wrote: > On Thu, Jun 06, 2019 at 02:14:05PM +0200, Christian Weisgerber wrote: > > Björn Ketelaars: > > > > > Diff below is based on the latest diff from naddy@. Changes: > > > - reallocarray likes type_t, as such changes type of nxdev and i; > > > - use reallocarray instead of malloc as xdev is initialised as NULL. > > > > ok naddy@ > > > > -- > > Christian "naddy" Weisgerber na...@mips.inka.de > > > > Looks good to me. > > I have 2 or 3 more patches locally. It would be nice if the above patch can > get > committed so I can rebase and send a clean patch. > Hi, This patch has not been committed yet. Is it possible to commit it or does it need further work/review? If so, I'm happy to help. -- Kind regards, Hiltjo
Re: [patch] relayd OCSP stapling for TLS server
On Thu, Jun 20, 2019 at 07:58:10PM +0200, Bruno Flueckiger wrote: > Hi, > > The patch below adds OCSP stapling to the TLS server in relayd(8). The > OCSP response is read from a binary encoded DER file that can be created > using ocspcheck(8). > > If a file with the same name as the certificate and private key files is > found, its content is loaded and OCSP stapling is active. If there is no > file or loading its content fails, OCSP stapling remains disabled. > > relayd(8) uses the same mechanism it uses to find the certificate file, > only the file name extension is different: .der instead of .pem > I had this diff finished more than a month ago, but it had to wait for the SNI diff to go in. It is suprisingly similar to your version except some minor difference in relay_tls_ctx_create(), the man page, and the fact that I've decided for using ".ocsp" instead of ".der" for the ending (as .der could be anything). OK? Reyk Index: usr.sbin/relayd/config.c === RCS file: /cvs/src/usr.sbin/relayd/config.c,v retrieving revision 1.39 diff -u -p -u -p -r1.39 config.c --- usr.sbin/relayd/config.c1 Jun 2019 09:54:19 - 1.39 +++ usr.sbin/relayd/config.c21 Jun 2019 11:11:05 - @@ -903,6 +903,16 @@ config_setrelay(struct relayd *env, stru rlay->rl_conf.name); return (-1); } + if (id == PROC_RELAY && + cert->cert_ocsp_fd != -1 && + config_setrelayfd(ps, id, n, + cert->cert_id, cert->cert_relayid, + RELAY_FD_OCSP, cert->cert_ocsp_fd) == -1) { + log_warn("%s: fd passing failed for " + "`%s'", __func__, + rlay->rl_conf.name); + return (-1); + } if (id == PROC_CA && cert->cert_key_fd != -1 && config_setrelayfd(ps, id, n, @@ -992,6 +1002,10 @@ config_setrelay(struct relayd *env, stru close(cert->cert_key_fd); cert->cert_key_fd = -1; } + if (cert->cert_ocsp_fd != -1) { + close(cert->cert_ocsp_fd); + cert->cert_ocsp_fd = -1; + } } return (0); @@ -1113,6 +1127,7 @@ config_getrelayfd(struct relayd *env, st switch (crfd.type) { case RELAY_FD_CERT: case RELAY_FD_KEY: + case RELAY_FD_OCSP: if ((cert = cert_find(env, crfd.id)) == NULL) { if ((cert = cert_add(env, crfd.id)) == NULL) return (-1); @@ -1133,6 +1148,9 @@ config_getrelayfd(struct relayd *env, st break; case RELAY_FD_KEY: cert->cert_key_fd = imsg->fd; + break; + case RELAY_FD_OCSP: + cert->cert_ocsp_fd = imsg->fd; break; case RELAY_FD_CACERT: rlay->rl_tls_ca_fd = imsg->fd; Index: usr.sbin/relayd/relay.c === RCS file: /cvs/src/usr.sbin/relayd/relay.c,v retrieving revision 1.247 diff -u -p -u -p -r1.247 relay.c --- usr.sbin/relayd/relay.c 31 May 2019 15:15:37 - 1.247 +++ usr.sbin/relayd/relay.c 21 Jun 2019 11:11:06 - @@ -2130,8 +2130,8 @@ relay_tls_ctx_create(struct relay *rlay) struct relay_cert *cert; const char *fake_key; int fake_keylen, keyfound = 0; - char*buf = NULL, *cabuf = NULL; - off_tlen = 0, calen = 0; + char*buf = NULL, *cabuf = NULL, *ocspbuf = NULL; + off_tlen = 0, calen = 0, ocsplen = 0; if ((tls_cfg = tls_config_new()) == NULL) { log_warnx("unable to allocate TLS config"); @@ -2203,6 +2203,16 @@ relay_tls_ctx_create(struct relay *rlay) } cert->cert_fd = -1; + if (cert->cert_ocsp_fd != -1 && + (ocspbuf = relay_load_fd(cert->cert_ocsp_fd, + &ocsplen)) == NULL) { + log_warn("failed to load OCSP staplefile"); + goto err; + } + if (ocsplen == 0) + purge_key(&ocspbuf, ocsplen); + cert->cert_ocsp_fd = -1; + if ((fake_keylen = ssl_ctx_fake_private_key(buf, len,
bgpd, change peer id allocation a little bit
For a diff I'm working on I need to have a peer id that is never used. Because of this I changed the way we allocate peer ids a little bit by introducing a few defines and using them instead. OK? -- :wq Claudio Index: bgpd.h === RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v retrieving revision 1.387 diff -u -p -r1.387 bgpd.h --- bgpd.h 17 Jun 2019 21:17:04 - 1.387 +++ bgpd.h 21 Jun 2019 07:52:34 - @@ -397,6 +397,12 @@ struct peer_config { u_int8_t flags; }; +#definePEER_ID_NONE0 +#definePEER_ID_SELF1 +#definePEER_ID_STATIC_MIN 2 /* exclude self */ +#definePEER_ID_STATIC_MAX (UINT_MAX / 2) +#definePEER_ID_DYN_MAX UINT_MAX + #define PEERFLAG_TRANS_AS 0x01 #define PEERFLAG_LOG_UPDATES 0x02 Index: parse.y === RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v retrieving revision 1.391 diff -u -p -r1.391 parse.y --- parse.y 17 Jun 2019 13:35:42 - 1.391 +++ parse.y 21 Jun 2019 07:49:58 - @@ -3952,7 +3952,7 @@ find_prefixset(char *name, struct prefix int get_id(struct peer *newpeer) { - static u_int32_t id = 1; + static u_int32_t id = PEER_ID_STATIC_MIN; struct peer *p = NULL; /* check if the peer already existed before */ @@ -3982,7 +3982,7 @@ get_id(struct peer *newpeer) } /* else new one */ - if (id < UINT_MAX / 2) { + if (id < PEER_ID_STATIC_MAX) { newpeer->conf.id = id++; return (0); } Index: rde.c === RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v retrieving revision 1.471 diff -u -p -r1.471 rde.c --- rde.c 20 Jun 2019 13:18:19 - 1.471 +++ rde.c 21 Jun 2019 07:46:38 - @@ -3322,7 +3322,7 @@ peer_init(u_int32_t hashsize) bzero(&pc, sizeof(pc)); snprintf(pc.descr, sizeof(pc.descr), "LOCAL"); - peerself = peer_add(0, &pc); + peerself = peer_add(PEER_ID_SELF, &pc); if (peerself == NULL) fatalx("peer_init add self"); Index: session.c === RCS file: /cvs/src/usr.sbin/bgpd/session.c,v retrieving revision 1.385 diff -u -p -r1.385 session.c --- session.c 17 Jun 2019 21:17:04 - 1.385 +++ session.c 21 Jun 2019 07:52:53 - @@ -2947,7 +2947,7 @@ getpeerbyip(struct bgpd_config *c, struc if ((newpeer = malloc(sizeof(struct peer))) == NULL) fatal(NULL); memcpy(newpeer, loose, sizeof(struct peer)); - for (id = UINT_MAX; id > UINT_MAX / 2; id--) { + for (id = PEER_ID_DYN_MAX; id > PEER_ID_STATIC_MAX; id--) { RB_FOREACH(p, peer_head, &conf->peers) if (p->conf.id == id) break;