Re: AMRR improvements for rt2860

2016-04-24 Thread Stefan Sperling
On Sun, Apr 24, 2016 at 01:25:31PM +0800, Nathanael Rensen wrote:
> I have been using an rt2860 hostap for a few years and I have discovered
> that AMRR does not work properly for this driver. The symptom is that
> some stations get stuck at 1 Mbps and do not progress up to faster rates.
> 
> Unlike many drivers, rt2860 does not keep the ieee80211_amrr_node on its
> rt2860_node. Instead it maintains an array of ieee80211_amrr_nodes on
> rt2860_softc indexed by WCID.
> 
> This approach runs into trouble when a non-active node (e.g. when in
> IEEE80211_STA_COLLECT) exists with the same WCID as an active node.
> If during rt2860_updatestats() the non-active node is encountered prior
> to the active node, ieee80211_amrr_choose() performs the rate adjustment
> against the non-active node. The counters in the ieee80211_amrr_node
> structure get reset and then when the active node does show up in the
> iteration it doesn't get its rate adjusted.
> 
> The approach that the diff below takes is to move the ieee80211_amrr_node
> onto the rt2860_node and maintain a WCID to rt2860_node mapping on
> rt2860_softc. This improves consistency with other drivers such as athn(4),
> bwi(4), iwn(4), rt2560 and others, which maintain the ieee80211_amrr_node
> on the device node respectively.

Interesting. It seems wrong to allow an aid to be reallocated while
another node that's using this aid is still cached. We'll run out
of space in the node cache long before AIDs are exhausted so the
current AID recycling behaviour makes no sense at all.

I'd like to know if the diff below also fixes the issue for you,
independently of your driver diff.
I can't test this myself right now, though, so if this diff
just blows up your system or something, don't be surprised :)
The idea is to prevent an aid from being reallocated until the
corresponding node is actually purged from the cache.

Index: ieee80211_node.c
===
RCS file: /cvs/src/sys/net80211/ieee80211_node.c,v
retrieving revision 1.101
diff -u -p -r1.101 ieee80211_node.c
--- ieee80211_node.c12 Apr 2016 14:33:27 -  1.101
+++ ieee80211_node.c24 Apr 2016 06:22:03 -
@@ -1699,8 +1699,6 @@ ieee80211_node_leave(struct ieee80211com
if (ic->ic_node_leave != NULL)
(*ic->ic_node_leave)(ic, ni);
 
-   IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap);
-   ni->ni_associd = 0;
ieee80211_node_newstate(ni, IEEE80211_STA_COLLECT);
 
 #if NBRIDGE > 0
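Review bot: with IEEE80211_AID_CLR() and the ni_associd reset removed from ieee80211_node_leave(), the AID has to be released on the path that actually purges the node from the cache, and nothing in this hunk shows that counterpart; without it the bitmap bit is never cleared and the AID leaks. A node parked in IEEE80211_STA_COLLECT now also keeps a non-zero ni_associd, so any code that treats `ni_associd != 0` as "currently associated" needs a look before this goes in.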


Your driver changes are interesting nevertheless. I won't be able to
test them myself during the coming week, so I'll look at them later.

> The diff below also introduces dedicated timers for AMRR and for scan
> instead of using the RT2860 GP interrupt, which also improves consistency
> with the way other drivers manage AMRR.

Can you please split your diff into separate submissions, one per topic?
That would make review and testing a lot easier.
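The WCID-keyed counter problem Nathanael describes, as an added example that is not the rt2860 or net80211 code: a constructed model in which two node objects share WCID 3, one parked in COLLECT and encountered first in the node cache. The structs, the 10-sample threshold and amrr_choose() are simplified stand-ins for ieee80211_amrr_node, ni_txrate and ieee80211_amrr_choose(); the only thing that differs between the two runs is where the counters live.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two layouts; names are simplified stand-ins, not driver code. */
#define NRATES 12
#define NWCID   8
#define MIN_SAMPLES 10		/* AMRR needs this many tx samples before adjusting */
enum { STA_ASSOC, STA_COLLECT };

struct amn { unsigned txcnt, retrycnt; };	/* stand-in for ieee80211_amrr_node counters */

struct node {
	int wcid;
	int state;
	int txrate;		/* stand-in for ni_txrate: the rate AMRR adjusts */
	struct amn amn;		/* per-node counters: the layout the fix moves to */
};

struct softc {
	struct amn amn_by_wcid[NWCID];	/* per-WCID counters: the original rt2860 layout */
	struct node *cache[4];		/* node cache in iteration order */
	size_t ncache;
};

/* Simplified AMRR decision: with enough samples and few retries, step the rate up,
 * then reset the counters. The rate goes to the node passed in, the counters to amn. */
static void
amrr_choose(struct node *ni, struct amn *amn)
{
	if (amn->txcnt < MIN_SAMPLES)
		return;
	if (amn->retrycnt * 10 < amn->txcnt && ni->txrate + 1 < NRATES)
		ni->txrate++;
	amn->txcnt = amn->retrycnt = 0;
}

/* Periodic stats update, original layout: counters looked up by WCID for every
 * cached node, including ones in STA_COLLECT. */
static void
updatestats_by_wcid(struct softc *sc)
{
	for (size_t i = 0; i < sc->ncache; i++)
		amrr_choose(sc->cache[i], &sc->amn_by_wcid[sc->cache[i]->wcid]);
}

/* Fixed layout: counters live on the node itself. */
static void
updatestats_by_node(struct softc *sc)
{
	for (size_t i = 0; i < sc->ncache; i++)
		amrr_choose(sc->cache[i], &sc->cache[i]->amn);
}

/* Run 5 update rounds of 20 retry-free transmissions by the active station.
 * which: 0 = active station's rate, 1 = stale station's rate. */
int
scenario_rate(int per_node, int which)
{
	struct node stale  = { .wcid = 3, .state = STA_COLLECT };
	struct node active = { .wcid = 3, .state = STA_ASSOC };
	struct softc sc;

	memset(&sc, 0, sizeof(sc));
	sc.cache[0] = &stale;		/* stale entry is encountered first */
	sc.cache[1] = &active;
	sc.ncache = 2;

	for (int round = 0; round < 5; round++) {
		for (int tx = 0; tx < 20; tx++) {
			struct amn *amn = per_node ?
			    &active.amn : &sc.amn_by_wcid[active.wcid];
			amn->txcnt++;		/* tx completed without retry */
		}
		if (per_node)
			updatestats_by_node(&sc);
		else
			updatestats_by_wcid(&sc);
	}
	return which ? stale.txrate : active.txrate;
}

int
main(void)
{
	printf("per-WCID counters: active rate %d, stale rate %d\n",
	    scenario_rate(0, 0), scenario_rate(0, 1));
	printf("per-node counters: active rate %d, stale rate %d\n",
	    scenario_rate(1, 0), scenario_rate(1, 1));
	return 0;
}
```

With per-WCID counters the stale node consumes the active station's samples, gets its own (irrelevant) rate bumped and resets the shared counters, so the active station never moves off rate 0; with per-node counters the stale node has nothing to act on and the active station climbs one rate per round.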



Re: [PATCH]: remove references to "outlen" from tls_init.3.

2016-04-24 Thread Jason McIntyre
On Sat, Apr 23, 2016 at 06:24:58PM +0200, Remco wrote:
> Index: tls_init.3
> 
> ===
> 

i think your diff is correct - in -r1.33 beck altered this to "document
changed tls_read and tls_write semantics".

i'm less convinced about stating that it may return an error code -
nothing else is documented that way, and i think it's obvious anyway. to
be fair, i can't honestly tell by looking at the code if it returns
anything at all, so i'm guessing that hasn't changed.

so, i'll commit the diff below soon, unless i hear it's wrong.
jmc

Index: tls_init.3
===
RCS file: /cvs/src/lib/libtls/tls_init.3,v
retrieving revision 1.55
diff -u -r1.55 tls_init.3
--- tls_init.3  24 Apr 2016 07:02:07 -  1.55
+++ tls_init.3  24 Apr 2016 07:03:13 -
@@ -550,8 +550,7 @@
 .Fa buflen
 bytes of data from the socket into
 .Fa buf .
-The amount of data read is returned in
-.Fa outlen .
+It returns the amount of data read.
 .It
 .Fn tls_write
 writes
@@ -559,8 +558,7 @@
 bytes of data from
 .Fa buf
 to the socket.
-The amount of data written is returned in
-.Fa outlen .
+It returns the amount of data written.
 .It
 .Fn tls_close
 closes a connection after use.
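Review bot: same point for the tls_write sentence: say where the non-count return values are documented, or the two descriptions will drift apart again the next time the semantics change.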

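What a caller has to do with "the amount of data read", as an added example that is not libtls code or part of the manual page: a read loop written against the tls_read(3) return convention, with a scripted stand-in for the connection so it builds without libtls. The constants repeat the TLS_WANT_POLLIN and TLS_WANT_POLLOUT values from <tls.h>; tls_read_full, fake_tls_read and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Values tls_read(3)/tls_write(3) can return besides a byte count: -1 on error and,
 * after the semantics change this thread refers to, a request to wait for the socket
 * and repeat the same call. The constants repeat the values from <tls.h>. */
#define TLS_WANT_POLLIN  (-2)
#define TLS_WANT_POLLOUT (-3)

/* Any function with tls_read's shape. */
typedef ssize_t (*tls_io_fn)(void *ctx, void *buf, size_t len);

/*
 * Assumed helper, not part of libtls: read exactly `want` bytes. Returns the byte
 * count (less than `want` only at EOF) or -1 on error; `*retries` counts how often
 * the connection asked us to wait. A real caller would poll(2) the fd for the
 * requested direction before retrying instead of spinning.
 */
ssize_t
tls_read_full(tls_io_fn rd, void *ctx, unsigned char *buf, size_t want, int *retries)
{
	size_t got = 0;

	*retries = 0;
	while (got < want) {
		ssize_t n = rd(ctx, buf + got, want - got);

		if (n == TLS_WANT_POLLIN || n == TLS_WANT_POLLOUT) {
			(*retries)++;
			continue;	/* same call, same arguments */
		}
		if (n == -1)
			return -1;
		if (n == 0)
			break;		/* EOF */
		got += (size_t)n;
	}
	return (ssize_t)got;
}

/* The mistake the "returns the amount read" wording invites: treating every negative
 * value as a hard error turns a routine POLLIN request into a dropped connection. */
ssize_t
naive_read_once(tls_io_fn rd, void *ctx, unsigned char *buf, size_t want)
{
	ssize_t n = rd(ctx, buf, want);

	return n < 0 ? -1 : n;
}

/* Constructed stand-in for tls_read: asks for POLLIN `polls_left` times, then hands
 * out the scripted data three bytes at a time, then reports EOF. */
struct fake_conn {
	const unsigned char *data;
	size_t len, off;
	int polls_left;
};

ssize_t
fake_tls_read(void *vctx, void *buf, size_t len)
{
	struct fake_conn *c = vctx;
	size_t n;

	if (c->polls_left > 0) {
		c->polls_left--;
		return TLS_WANT_POLLIN;
	}
	if (c->off >= c->len)
		return 0;
	n = c->len - c->off;
	if (n > 3)
		n = 3;
	if (n > len)
		n = len;
	memcpy(buf, c->data + c->off, n);
	c->off += n;
	return (ssize_t)n;
}

static const unsigned char SAMPLE[] = "hello libtls";	/* constructed, 12 bytes */
#define SAMPLE_LEN 12

/* Scenario: one POLLIN request, then the data. Returns what each reader reports. */
ssize_t
demo_read_bytes(int use_full_loop)
{
	struct fake_conn c = { SAMPLE, SAMPLE_LEN, 0, 1 };
	unsigned char buf[SAMPLE_LEN];
	int retries;

	if (!use_full_loop)
		return naive_read_once(fake_tls_read, &c, buf, sizeof(buf));
	return tls_read_full(fake_tls_read, &c, buf, sizeof(buf), &retries);
}

/* How many times the full loop had to wait before the sample arrived. */
int
demo_retries(void)
{
	struct fake_conn c = { SAMPLE, SAMPLE_LEN, 0, 1 };
	unsigned char buf[SAMPLE_LEN];
	int retries;

	tls_read_full(fake_tls_read, &c, buf, sizeof(buf), &retries);
	return retries;
}

/* 1 if the full loop delivered the sample intact, 0 otherwise. */
int
demo_content_ok(void)
{
	struct fake_conn c = { SAMPLE, SAMPLE_LEN, 0, 1 };
	unsigned char buf[SAMPLE_LEN];
	int retries;

	if (tls_read_full(fake_tls_read, &c, buf, sizeof(buf), &retries) != SAMPLE_LEN)
		return 0;
	return memcmp(buf, SAMPLE, SAMPLE_LEN) == 0;
}
```

The same loop shape applies to tls_write(3): a short count or a WANT value means "call again with the remaining data", and only -1 is an error.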


match RTS522A in rtsx(4)

2016-04-24 Thread Jonathan Gray
Device id appears on the latest generation of thinkpads.
It looks like it should be compatible with the others?

This requires the pcidevs changes I just committed.

Index: sys/dev/pci/rtsx_pci.c
===
RCS file: /cvs/src/sys/dev/pci/rtsx_pci.c,v
retrieving revision 1.12
diff -u -p -r1.12 rtsx_pci.c
--- sys/dev/pci/rtsx_pci.c  28 Apr 2015 07:55:13 -  1.12
+++ sys/dev/pci/rtsx_pci.c  24 Apr 2016 06:54:39 -
@@ -59,6 +59,7 @@ rtsx_pci_match(struct device *parent, vo
if (PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_REALTEK_RTS5209 ||
PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_REALTEK_RTS5227 ||
PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_REALTEK_RTS5229 ||
+   PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_REALTEK_RTS522A ||
PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_REALTEK_RTS5249 ||
PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_REALTEK_RTL8402 ||
PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_REALTEK_RTL8411 ||
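Review bot: this only widens the match; if rtsx(4) keys any per-chip setup on the product id elsewhere in the driver, RTS522A needs the same treatment, which this diff cannot show. It also depends on PCI_PRODUCT_REALTEK_RTS522A existing in the regenerated pcidevs.h, as the cover text says, or the kernel build breaks.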
Index: share/man/man4/rtsx.4
===
RCS file: /cvs/src/share/man/man4/rtsx.4,v
retrieving revision 1.8
diff -u -p -r1.8 rtsx.4
--- share/man/man4/rtsx.4   27 Apr 2015 09:07:49 -  1.8
+++ share/man/man4/rtsx.4   24 Apr 2016 06:55:07 -
@@ -16,7 +16,7 @@
 The
 .Nm
 driver provides support for the Realtek RTS5209, RTS5227, RTS5229,
-RTS5249, RTL8402, RTL8411, and RTL8411B SD card readers.
+RTS522A, RTS5249, RTL8402, RTL8411, and RTL8411B SD card readers.
 .Pp
 The
 .Xr sdmmc 4



Re: [PATCH]: remove references to "outlen" from tls_init.3.

2016-04-24 Thread Brent Cook
yes, that is correct - ok bcook@

On Sun, Apr 24, 2016 at 2:06 AM, Jason McIntyre  wrote:

> On Sat, Apr 23, 2016 at 06:24:58PM +0200, Remco wrote:
> > Index: tls_init.3
> >
> > ===
> >
>
> i think your diff is correct - in -r1.33 beck altered this to "document
> changed tls_read and tls_write semantics".
>
> i'm less convinced about stating that it may return an error code -
> nothing else is documented that way, and i think it's obvious anyway. to
> be fair, i can't honestly tell by looking at the code if it returns
> anything at all, so i'm guessing that hasn't changed.
>
> so, i'll commit the diff below soon, unless i hear it's wrong.
> jmc
>
> Index: tls_init.3
> ===
> RCS file: /cvs/src/lib/libtls/tls_init.3,v
> retrieving revision 1.55
> diff -u -r1.55 tls_init.3
> --- tls_init.3  24 Apr 2016 07:02:07 -  1.55
> +++ tls_init.3  24 Apr 2016 07:03:13 -
> @@ -550,8 +550,7 @@
>  .Fa buflen
>  bytes of data from the socket into
>  .Fa buf .
> -The amount of data read is returned in
> -.Fa outlen .
> +It returns the amount of data read.
>  .It
>  .Fn tls_write
>  writes
> @@ -559,8 +558,7 @@
>  bytes of data from
>  .Fa buf
>  to the socket.
> -The amount of data written is returned in
> -.Fa outlen .
> +It returns the amount of data written.
>  .It
>  .Fn tls_close
>  closes a connection after use.
>
>


Re: numerous statfs bugs

2016-04-24 Thread Stefan Kempf
Martin Natano wrote:
> There seem to be a number of issues with statfs related code in the
> kernel. The first issue is inside of the copy_statfs_info() function
> which is designed to be used by the filesystem's .vfs_statfs
> implementations to copy data from mp->mnt_stat to the target stat
> buffer. copy_statfs_info() always copies the ufs_args from the
> mount_info union, although the function is also used by non-ufs
> filesystems. Copying the whole union instead of just one member should
> do the trick for the general case.
> 
> statfs(2) returns incomplete information for most filesystems: cd9660,
> udf, msdosfs and nfsv2 don't set f_namemax. ntfs and ext2fs don't set
> f_namemax and f_favail. fusefs doesn't set f_mntfromspec, f_favail and
> f_iosize.
> 
> In sys_statfs(), the mount point specific &mp->mnt_stat structure is
> passed as the stat buffer to VFS_STATFS. When looking at the case where
> (sb != &mp->mnt_stat), the situation is even worse. cd9660, udf, fusefs,
> msdosfs, ntfs and ext2fs don't use copy_statfs_info(), so there is a lot
> of unset members in the stat buffer (f_fsid, f_owner, f_flags,
> f_syncwrites, f_asyncwrites, f_syncreads, f_asyncreads, f_mntonname,
> f_mntfromname and f_mntfromspec).
> 
> nfs copies MNAMELEN bytes from a smaller buffer into f_mntonname, so
> there is garbage after the null byte.
> 
> Diff below fixes all those issues. Ok?

Diff reads good to me. Any reason why you changed setting f_mntfromname
from "fusefs" to "fuse"?
 
> natano
> 
> 
> Index: isofs/cd9660/cd9660_vfsops.c
> ===
> RCS file: /cvs/src/sys/isofs/cd9660/cd9660_vfsops.c,v
> retrieving revision 1.77
> diff -u -p -r1.77 cd9660_vfsops.c
> --- isofs/cd9660/cd9660_vfsops.c  27 Mar 2016 11:39:37 -  1.77
> +++ isofs/cd9660/cd9660_vfsops.c  19 Apr 2016 18:52:52 -
> @@ -383,6 +383,7 @@ iso_mountfs(devvp, mp, p, argp)
>   mp->mnt_data = (qaddr_t)isomp;
>   mp->mnt_stat.f_fsid.val[0] = (long)dev;
>   mp->mnt_stat.f_fsid.val[1] = mp->mnt_vfc->vfc_typenum;
> + mp->mnt_stat.f_namemax = NAME_MAX;
>   mp->mnt_flag |= MNT_LOCAL;
>   isomp->im_mountp = mp;
>   isomp->im_dev = dev;
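Review bot: f_namemax = NAME_MAX reports the generic system ceiling rather than what cd9660 can actually store in a directory record; confirm that is the intended value, since it is what callers of pathconf(_PC_NAME_MAX) on this mount will now be told. The same question applies to the udf_mountfs hunk below.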
> @@ -650,13 +651,9 @@ cd9660_statfs(mp, sbp, p)
>   sbp->f_bavail = 0; /* blocks free for non superuser */
>   sbp->f_files =  0; /* total files */
>   sbp->f_ffree = 0; /* free file nodes */
> - if (sbp != &mp->mnt_stat) {
> - bcopy(mp->mnt_stat.f_mntonname, sbp->f_mntonname, MNAMELEN);
> - bcopy(mp->mnt_stat.f_mntfromname, sbp->f_mntfromname,
> - MNAMELEN);
> - bcopy(&mp->mnt_stat.mount_info.iso_args,
> - &sbp->mount_info.iso_args, sizeof(struct iso_args));
> - }
> + sbp->f_favail = 0; /* file nodes free for non superuser */
> + copy_statfs_info(sbp, mp);
> +
>   return (0);
>  }
>  
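Review bot: the removed block only copied f_mntonname, f_mntfromname and iso_args when `sbp != &mp->mnt_stat`, while the replacement calls copy_statfs_info(sbp, mp) unconditionally, so this relies on copy_statfs_info() returning early when sbp is mp->mnt_stat itself; the vfs_subr.c hunk below does not show the top of that function, so please confirm, otherwise the fields are memcpy'd onto themselves on every statfs(2).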
> Index: isofs/udf/udf_vfsops.c
> ===
> RCS file: /cvs/src/sys/isofs/udf/udf_vfsops.c,v
> retrieving revision 1.49
> diff -u -p -r1.49 udf_vfsops.c
> --- isofs/udf/udf_vfsops.c27 Mar 2016 11:39:37 -  1.49
> +++ isofs/udf/udf_vfsops.c19 Apr 2016 18:52:52 -
> @@ -264,6 +264,7 @@ udf_mountfs(struct vnode *devvp, struct 
>   mp->mnt_data = (qaddr_t) ump;
>   mp->mnt_stat.f_fsid.val[0] = devvp->v_rdev;
>   mp->mnt_stat.f_fsid.val[1] = mp->mnt_vfc->vfc_typenum;
> + mp->mnt_stat.f_namemax = NAME_MAX;
>   mp->mnt_flag |= MNT_LOCAL;
>  
>   ump->um_mountp = mp;
> @@ -542,6 +543,8 @@ udf_statfs(struct mount *mp, struct stat
>   sbp->f_bavail = 0;
>   sbp->f_files = 0;
>   sbp->f_ffree = 0;
> + sbp->f_favail = 0;
> + copy_statfs_info(sbp, mp);
>  
>   return (0);
>  }
> Index: kern/vfs_subr.c
> ===
> RCS file: /cvs/src/sys/kern/vfs_subr.c,v
> retrieving revision 1.244
> diff -u -p -r1.244 vfs_subr.c
> --- kern/vfs_subr.c   7 Apr 2016 09:58:11 -   1.244
> +++ kern/vfs_subr.c   19 Apr 2016 18:52:52 -
> @@ -2276,6 +2276,6 @@ copy_statfs_info(struct statfs *sbp, con
>   memcpy(sbp->f_mntonname, mp->mnt_stat.f_mntonname, MNAMELEN);
>   memcpy(sbp->f_mntfromname, mp->mnt_stat.f_mntfromname, MNAMELEN);
>   memcpy(sbp->f_mntfromspec, mp->mnt_stat.f_mntfromspec, MNAMELEN);
> - memcpy(&sbp->mount_info.ufs_args, &mp->mnt_stat.mount_info.ufs_args,
> - sizeof(struct ufs_args));
> + memcpy(&sbp->mount_info, &mp->mnt_stat.mount_info,
> + sizeof(union mount_info));
>  }
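Review bot: copying the whole union mount_info means every byte of mp->mnt_stat.mount_info now reaches userland through statfs(2), including members the mounted filesystem type never sets. That is only safe if struct mount is zero-initialized at allocation and each filesystem fills its own member completely; otherwise enlarging the copy from sizeof(struct ufs_args) to sizeof(union mount_info) turns an incomplete copy into a kernel memory disclosure.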
> Index: miscfs/fuse/fuse_vfsops.c
> ===
> RCS file: /cvs/src/sys/miscfs/fuse/fuse_vfsops.c,v
> retrieving revision 1.20
> diff -u -p -r1.20 fuse_vfsops.c
> --- miscfs/fuse/fuse_vfsops.c 27 Mar 2016 11:39:37 -  1.20
> +++ miscfs/fuse/fuse_vfsops.c 19 Apr 2016 18:52:52 -
> @@ -111,7 +111,9 @@ 
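The "MNAMELEN bytes from a smaller buffer" problem from the report, as an added example that is not the kernel code or part of the diff: a constructed model of the buggy copy beside the zero-then-copy form, with a counter for the bytes a statfs(2) caller would see after the terminating NUL. MNAMELEN is the value from <sys/mount.h>; the struct, the 'K' fill and the 16-byte source size are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define MNAMELEN 90	/* length of f_mntonname and friends in <sys/mount.h> */
#define SHORTLEN 16	/* constructed: size of the smaller source buffer */

/*
 * Constructed stand-in for kernel memory: the short source buffer followed by
 * whatever happens to sit after it. 'K' marks bytes that are not the mount name.
 */
struct kmem {
	char short_name[SHORTLEN];
	char neighbour[MNAMELEN];
};

static void
kmem_init(struct kmem *k)
{
	memset(k, 'K', sizeof(*k));
	memset(k->short_name, 0, sizeof(k->short_name));
	memcpy(k->short_name, "/mnt", 5);
}

/* The pattern the report describes: copy MNAMELEN bytes from a SHORTLEN source.
 * Done through the enclosing struct so the over-read stays inside one object here;
 * in the kernel it reads whatever follows the buffer. */
void
copy_name_buggy(char dst[MNAMELEN], const struct kmem *k)
{
	memcpy(dst, k, MNAMELEN);
}

/* Fixed: zero the destination, then copy no more than the string itself. */
void
copy_name_fixed(char dst[MNAMELEN], const struct kmem *k)
{
	size_t n = 0;

	while (n < sizeof(k->short_name) && k->short_name[n] != '\0')
		n++;
	memset(dst, 0, MNAMELEN);
	memcpy(dst, k->short_name, n);	/* dst[n] is already 0 */
}

/* Number of non-zero bytes after the first NUL: what a userland caller receives
 * beyond the string, i.e. the leaked bytes. */
size_t
leaked_bytes(const char *buf, size_t len)
{
	size_t i = 0, leaked = 0;

	while (i < len && buf[i] != '\0')
		i++;
	for (; i < len; i++)
		if (buf[i] != '\0')
			leaked++;
	return leaked;
}

/* Scenario: mount name "/mnt" copied into an f_mntonname-sized field. */
size_t
demo_leak(int fixed)
{
	struct kmem k;
	char f_mntonname[MNAMELEN];

	kmem_init(&k);
	if (fixed)
		copy_name_fixed(f_mntonname, &k);
	else
		copy_name_buggy(f_mntonname, &k);
	return leaked_bytes(f_mntonname, MNAMELEN);
}
```

The buggy copy hands out 74 bytes of neighbouring memory after "/mnt"; the fixed copy hands out none. The same zero-first discipline is what makes copying the whole mount_info union safe: nothing that was never set should be able to reach the caller.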

MP-safe TX for cnmac(4)

2016-04-24 Thread Visa Hankala
This adds MP-safe TX for cnmac(4). OK?

Index: arch/octeon/dev/if_cnmac.c
===
RCS file: src/sys/arch/octeon/dev/if_cnmac.c,v
retrieving revision 1.38
diff -u -p -r1.38 if_cnmac.c
--- arch/octeon/dev/if_cnmac.c  13 Apr 2016 11:34:00 -  1.38
+++ arch/octeon/dev/if_cnmac.c  24 Apr 2016 15:35:04 -
@@ -285,6 +285,7 @@ octeon_eth_attach(struct device *parent,
octeon_eth_gsc[sc->sc_port] = sc;
 
ml_init(&sc->sc_sendq);
+   mtx_init(&sc->sc_sendq_mtx, IPL_NET);
sc->sc_soft_req_thresh = 15/* XXX */;
sc->sc_ext_callback_cnt = 0;
 
@@ -317,6 +318,7 @@ octeon_eth_attach(struct device *parent,
strncpy(ifp->if_xname, sc->sc_dev.dv_xname, sizeof(ifp->if_xname));
ifp->if_softc = sc;
ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
+   ifp->if_xflags = IFXF_MPSAFE;
ifp->if_ioctl = octeon_eth_ioctl;
ifp->if_start = octeon_eth_start;
ifp->if_watchdog = octeon_eth_watchdog;
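Review bot: once IFXF_MPSAFE is set, if_start() may run octeon_eth_start() without the kernel lock and concurrently with the ioctl, watchdog and timeout paths, so every softc field touched from the start routine must be covered by sc_sendq_mtx or by the ifq serializer, not only sc_sendq. A comment next to the new mutex listing which fields it protects would make that reviewable.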
@@ -742,7 +744,7 @@ octeon_eth_ioctl(struct ifnet *ifp, u_lo
error = 0;
}
 
-   octeon_eth_start(ifp);
+   if_start(ifp);
 
splx(s);
return (error);
@@ -959,18 +961,19 @@ octeon_eth_start(struct ifnet *ifp)
struct octeon_eth_softc *sc = ifp->if_softc;
struct mbuf *m;
 
+   if (__predict_false(!cn30xxgmx_link_status(sc->sc_gmx_port))) {
+   IFQ_PURGE(&ifp->if_snd);
+   return;
+   }
+
+   mtx_enter(&sc->sc_sendq_mtx);
+
/*
 * performance tuning
 * presend iobdma request 
 */
octeon_eth_send_queue_flush_prefetch(sc);
 
-   if (!(ifp->if_flags & IFF_RUNNING) || ifq_is_oactive(&ifp->if_snd))
-   goto last;
-
-   if (__predict_false(!cn30xxgmx_link_status(sc->sc_gmx_port)))
-   goto last;
-
for (;;) {
octeon_eth_send_queue_flush_fetch(sc); /* XXX */
 
@@ -980,13 +983,16 @@ octeon_eth_start(struct ifnet *ifp)
 * and bail out.
 */
if (octeon_eth_send_queue_is_full(sc)) {
+   mtx_leave(&sc->sc_sendq_mtx);
return;
}
/* XXX */
 
IFQ_DEQUEUE(&ifp->if_snd, m);
-   if (m == NULL)
+   if (m == NULL) {
+   mtx_leave(&sc->sc_sendq_mtx);
return;
+   }
 
OCTEON_ETH_TAP(ifp, m, BPF_DIRECTION_OUT);
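Review bot: the two early returns each call mtx_leave() by hand and the normal exit does too; the previous version funnelled every exit through a single `last:` label, so keep one unlock path (for example `goto out;` with `out: mtx_leave(&sc->sc_sendq_mtx);`) to avoid a missed unlock when another exit is added.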
 
@@ -1008,8 +1014,9 @@ octeon_eth_start(struct ifnet *ifp)
octeon_eth_send_queue_flush_prefetch(sc);
}
 
-last:
octeon_eth_send_queue_flush_fetch(sc);
+
+   mtx_leave(&sc->sc_sendq_mtx);
 }
 
 void
@@ -1025,7 +1032,7 @@ octeon_eth_watchdog(struct ifnet *ifp)
ifq_clr_oactive(&ifp->if_snd);
ifp->if_timer = 0;
 
-   octeon_eth_start(ifp);
+   if_start(ifp);
 }
 
 int
@@ -1066,6 +1073,8 @@ octeon_eth_stop(struct ifnet *ifp, int d
 {
struct octeon_eth_softc *sc = ifp->if_softc;
 
+   CLR(ifp->if_flags, IFF_RUNNING);
+
timeout_del(&sc->sc_tick_misc_ch);
timeout_del(&sc->sc_tick_free_ch);
timeout_del(&sc->sc_resume_ch);
@@ -1074,13 +1083,12 @@ octeon_eth_stop(struct ifnet *ifp, int d
 
cn30xxgmx_port_enable(sc->sc_gmx_port, 0);
 
-   /* Mark the interface as down and cancel the watchdog timer. */
-   CLR(ifp->if_flags, IFF_RUNNING);
+   intr_barrier(octeon_eth_pow_recv_ih);
+   ifq_barrier(&ifp->if_snd);
+
ifq_clr_oactive(&ifp->if_snd);
ifp->if_timer = 0;
 
-   intr_barrier(octeon_eth_pow_recv_ih);
-
return 0;
 }
 
@@ -1372,9 +1380,8 @@ octeon_eth_tick_free(void *arg)
 {
struct octeon_eth_softc *sc = arg;
int timo;
-   int s;
 
-   s = splnet();
+   mtx_enter(&sc->sc_sendq_mtx);
/* XXX */
if (ml_len(&sc->sc_sendq) > 0) {
octeon_eth_send_queue_flush_prefetch(sc);
@@ -1389,7 +1396,7 @@ octeon_eth_tick_free(void *arg)
 timo = 10;
timeout_add_msec(&sc->sc_tick_free_ch, 1000 * timo / hz);
/* XXX */
-   splx(s);
+   mtx_leave(&sc->sc_sendq_mtx);
 }
 
 /*
Index: arch/octeon/dev/if_cnmacvar.h
===
RCS file: src/sys/arch/octeon/dev/if_cnmacvar.h,v
retrieving revision 1.7
diff -u -p -r1.7 if_cnmacvar.h
--- arch/octeon/dev/if_cnmacvar.h   8 Oct 2015 14:24:32 -   1.7
+++ arch/octeon/dev/if_cnmacvar.h   24 Apr 2016 15:35:04 -
@@ -80,6 +80,7 @@ struct octeon_eth_softc {
int64_t sc_hard_done_cnt;
int sc_prefetch;
struct mbuf_listsc_sendq;
+   struct mutexsc_sendq_mtx;
uint64_tsc_ext_callback_cnt;
 
uint32_tsc_port;



Re: [patch] login_yubikey: delete keys

2016-04-24 Thread Sebastian Benoit
frit...@alokat.org(frit...@alokat.org) on 2016.03.31 23:43:54 +0200:
> On Thu, Mar 31, 2016 at 10:17:45PM +0200, Sebastian Benoit wrote:
> > Hi Fritjof,
> > 
> > frit...@alokat.org(frit...@alokat.org) on 2016.03.31 11:43:58 +0200:
> > > Wipe out the key from "user.key".
> > > 
> > > --f.
> > > 
> > The while loop above has return(AUTH_FAILED) so you dont zero in those
> > cases. Can you change that?
> > 
> 
> Yeah, sure. See patch below.
> 
> > 
> > Also your diff does not apply, i think it has tab vs space issues.
> > 
> 
> Ah, shit. Should work now.

Thanks.

ok benno@
 
> Index: login_yubikey.c
> ===
> RCS file: /cvs/src/libexec/login_yubikey/login_yubikey.c,v
> retrieving revision 1.13
> diff -u -r1.13 login_yubikey.c
> --- login_yubikey.c   22 Oct 2015 23:56:30 -  1.13
> +++ login_yubikey.c   31 Mar 2016 21:35:28 -
> @@ -228,6 +228,8 @@
>   yubikey_hex_decode(uid, hexuid, YUBIKEY_UID_SIZE);
>   yubikey_hex_decode(key, hexkey, YUBIKEY_KEY_SIZE);
>  
> + explicit_bzero(hexkey, sizeof(hexkey));
> +
>   /*
>* Cycle through the key mapping table.
>   * XXX brute force, unoptimized; a lookup table for valid mappings 
> may
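Review bot: explicit_bzero(hexkey, sizeof(hexkey)) is only right if hexkey is an array in this function; if it is a pointer, sizeof yields the pointer size and nearly all of the hex key survives. The declaration is outside the hunk, so please confirm.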
> @@ -239,6 +241,7 @@
>   case EMSGSIZE:
>   syslog(LOG_INFO, "user %s failed: password too short.",
>   username);
> + explicit_bzero(key, sizeof(key));
>   return (AUTH_FAILED);
>   case EINVAL:/* keyboard mapping invalid */
>   continue;
> @@ -264,14 +267,18 @@
>   syslog(LOG_INFO, "user %s: could not decode password "
>   "with any keymap (%d crc ok)",
>   username, crcok);
> + explicit_bzero(key, sizeof(key));
>   return (AUTH_FAILED);
>   default:
>   syslog(LOG_DEBUG, "user %s failed: %s",
>   username, strerror(r));
> + explicit_bzero(key, sizeof(key));
>   return (AUTH_FAILED);
>   }
>   break; /* only reached through the bottom of case 0 */
>   }
> +
> + explicit_bzero(key, sizeof(key));
>  
>   syslog(LOG_INFO, "user %s uid %s: %d matching keymaps (%d checked), "
>   "%d crc ok", username, hexuid, mapok, i, crcok);
> 
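Review bot: the decoded key is now wiped before each of four returns and once after the loop; a single cleanup path (a `done:` label, or wiping in the caller that owns `key`) would make it hard to miss the next return that gets added. The `continue` on EINVAL correctly leaves key intact for the next keymap.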

-- 
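The clean-up-on-every-exit pattern the patch is after, as an added example that is not login_yubikey code: a constructed check with the same exits as the driver (bad hex in the key file, password too short, no keymap matches, success), all wiping the caller's key buffer and the hex copy through one label. secure_zero, hex_decode, verify_otp, the fail_mode selector and the test key are constructed for this example; KEY_SIZE mirrors YUBIKEY_KEY_SIZE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_SIZE 16	/* Yubikey AES key, as YUBIKEY_KEY_SIZE in the driver */

/* Portable stand-in for explicit_bzero(3): calling memset through a volatile function
 * pointer keeps the compiler from discarding the store as dead before return. */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;

void
secure_zero(void *p, size_t n)
{
	memset_fn(p, 0, n);
}

static int
hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Constructed hex decoder standing in for yubikey_hex_decode(); -1 on bad input. */
int
hex_decode(uint8_t *out, const char *hex, size_t outlen)
{
	for (size_t i = 0; i < outlen; i++) {
		int hi = hexval((unsigned char)hex[2 * i]);
		int lo = hi < 0 ? -1 : hexval((unsigned char)hex[2 * i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		out[i] = (uint8_t)(hi << 4 | lo);
	}
	return 0;
}

/*
 * Hypothetical OTP check with the driver's exits. fail_mode selects the path:
 * 0 success, 2 password too short (EMSGSIZE), 3 no keymap decodes the OTP; a
 * non-hex key file fails before the switch. The caller owns `key`; every exit
 * wipes it and the hex copy via one label. Returns 0 on success, -1 on failure.
 */
int
verify_otp(uint8_t key[KEY_SIZE], const char *hexkey_in, int fail_mode)
{
	char hexkey[2 * KEY_SIZE + 1];
	int ret = -1;				/* AUTH_FAILED stand-in */

	snprintf(hexkey, sizeof(hexkey), "%s", hexkey_in);
	if (hex_decode(key, hexkey, KEY_SIZE) == -1)
		goto out;			/* key file is not valid hex */
	secure_zero(hexkey, sizeof(hexkey));	/* hex form no longer needed */

	switch (fail_mode) {
	case 0:
		ret = 0;			/* OTP decrypted and CRC checked (omitted) */
		break;
	case 2:
		goto out;			/* EMSGSIZE: password too short */
	case 3:
		goto out;			/* tried every keymap, none matched */
	default:
		goto out;
	}
out:
	secure_zero(hexkey, sizeof(hexkey));	/* no-op if already wiped */
	secure_zero(key, KEY_SIZE);
	return ret;
}

/* Constructed test key; mode 1 feeds a non-hex string to exercise the decode failure. */
static const char *
hexkey_for(int fail_mode)
{
	return fail_mode == 1 ? "this is not a hex key at all!!!!"
	    : "00112233445566778899aabbccddeeff";
}

int
demo_result(int fail_mode)
{
	uint8_t key[KEY_SIZE];

	memset(key, 0xAA, sizeof(key));
	return verify_otp(key, hexkey_for(fail_mode), fail_mode);
}

/* 1 if the key buffer is all zero after verify_otp() returned, 0 otherwise. */
int
demo_key_wiped(int fail_mode)
{
	uint8_t key[KEY_SIZE];

	memset(key, 0xAA, sizeof(key));
	verify_otp(key, hexkey_for(fail_mode), fail_mode);
	for (size_t i = 0; i < sizeof(key); i++)
		if (key[i] != 0)
			return 0;
	return 1;
}
```

Whichever exit is taken, the caller's buffer comes back zeroed; adding a new failure case means adding a `goto out`, not remembering another wipe.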



Re: use libtls in ldapd

2016-04-24 Thread Sebastian Benoit
Jonathan Matthew(jonat...@d14n.org) on 2016.04.18 07:17:55 +1000:
> On Sun, Apr 10, 2016 at 04:36:15PM +1000, Jonathan Matthew wrote:
> > A while back (s2k15?), reyk@ suggested I take a look at converting ldapd
> > to use libtls rather than the openssl api.  Today I finally got around to
> > it, resulting in the diff below.  Most of the diff just removes ssl.c and
> > ssl_privsep.c, and replaces some of it with evbuffer_tls.c (copied from
> > syslogd, unmodified).  A reasonable amount of code just went away because
> > libtls is sensible.  The few remaining bits of ssl.c moved to wherever
> > seemed most suitable.
> > 
> > I've tested a few things with the openldap clients, which apparently only do
> > starttls, and otherwise checked that it negotiates ssl successfully.
> > 
> > ok?
> 
> ldapd is too boring?

:)

ok from me, but i cant test it.

> 
> > 
> > 
> > Index: Makefile
> > ===
> > RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
> > retrieving revision 1.12
> > diff -u -p -u -p -r1.12 Makefile
> > --- Makefile16 Jul 2014 20:07:03 -  1.12
> > +++ Makefile10 Apr 2016 06:15:50 -
> > @@ -5,11 +5,11 @@ MAN=  ldapd.8 ldapd.conf.5
> >  SRCS=  ber.c log.c control.c \
> > util.c ldapd.c ldape.c conn.c attributes.c namespace.c \
> > btree.c filter.c search.c parse.y \
> > -   auth.c modify.c index.c ssl.c ssl_privsep.c \
> > +   auth.c modify.c index.c evbuffer_tls.c \
> > validate.c uuid.c schema.c imsgev.c syntax.c matching.c
> >  
> > -LDADD= -levent -lssl -lcrypto -lz -lutil
> > -DPADD= ${LIBEVENT} ${LIBCRYPTO} ${LIBSSL} ${LIBZ} ${LIBUTIL}
> > +LDADD= -ltls -levent -lz -lutil
> > +DPADD= ${LIBEVENT} ${LIBTLS} ${LIBCRYPTO} ${LIBSSL} ${LIBZ} 
> > ${LIBUTIL}
> >  CFLAGS+=   -I${.CURDIR} -g
> >  CFLAGS+=   -Wall -Wstrict-prototypes -Wmissing-prototypes
> >  CFLAGS+=   -Wmissing-declarations
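Review bot: LDADD drops -lssl and -lcrypto while DPADD still lists ${LIBCRYPTO} and ${LIBSSL}; the two lines should agree, either by keeping -lssl -lcrypto in LDADD (as other libtls consumers in the tree, including the syslogd that evbuffer_tls.c was copied from, do) or by dropping the two entries from DPADD.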
> > Index: btree.c
> > ===
> > RCS file: /cvs/src/usr.sbin/ldapd/btree.c,v
> > retrieving revision 1.36
> > diff -u -p -u -p -r1.36 btree.c
> > --- btree.c 20 Mar 2016 00:01:22 -  1.36
> > +++ btree.c 10 Apr 2016 06:15:51 -
> > @@ -34,6 +34,8 @@
> >  #include 
> >  #include 
> >  
> > +#include 
> > +
> >  #include "btree.h"
> >  
> >  /* #define DEBUG */
> > Index: btree.h
> > ===
> > RCS file: /cvs/src/usr.sbin/ldapd/btree.h,v
> > retrieving revision 1.6
> > diff -u -p -u -p -r1.6 btree.h
> > --- btree.h 2 Jul 2010 01:43:00 -   1.6
> > +++ btree.h 10 Apr 2016 06:15:51 -
> > @@ -19,8 +19,6 @@
> >  #ifndef _btree_h_
> >  #define _btree_h_
> >  
> > -#include 
> > -
> >  struct mpage;
> >  struct cursor;
> >  struct btree_txn;
> > Index: conn.c
> > ===
> > RCS file: /cvs/src/usr.sbin/ldapd/conn.c,v
> > retrieving revision 1.12
> > diff -u -p -u -p -r1.12 conn.c
> > --- conn.c  2 Nov 2015 06:32:51 -   1.12
> > +++ conn.c  10 Apr 2016 06:15:51 -
> > @@ -26,6 +26,7 @@
> >  #include "ldapd.h"
> >  
> >  int conn_dispatch(struct conn *conn);
> > +int conn_tls_init(struct conn *);
> >  unsigned long   ldap_application(struct ber_element *elm);
> >  
> >  struct conn_listconn_list;
> > @@ -61,7 +62,7 @@ conn_close(struct conn *conn)
> > /* Cancel any queued requests on this connection. */
> > namespace_cancel_conn(conn);
> >  
> > -   ssl_session_destroy(conn);
> > +   tls_free(conn->tls);
> >  
> > TAILQ_REMOVE(&conn_list, conn, next);
> > ber_free(&conn->ber);
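Review bot: tls_free() here is not preceded by tls_close(), so the peer never receives close_notify on a server-initiated close; and if conn->tls stays NULL on plaintext connections, this also relies on tls_free() tolerating NULL. Consider tls_close() once the handshake has completed and an explicit NULL check for the plaintext case.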
> > @@ -225,9 +226,8 @@ conn_write(struct bufferevent *bev, void
> > conn_close(conn);
> > else if (conn->s_flags & F_STARTTLS) {
> > conn->s_flags &= ~F_STARTTLS;
> > -   bufferevent_free(conn->bev);
> > -   conn->bev = NULL;
> > -   ssl_session_init(conn);
> > +   if (conn_tls_init(conn) == -1)
> > +   conn_close(conn);
> > }
> >  }
> >  
> > @@ -296,24 +296,22 @@ conn_accept(int fd, short event, void *d
> > goto giveup;
> > }
> > conn->ber.fd = -1;
> > -   conn->s_l = l;
> > ber_set_application(&conn->ber, ldap_application);
> > conn->fd = afd;
> > conn->listener = l;
> >  
> > -   if (l->flags & F_LDAPS) {
> > -   ssl_session_init(conn);
> > -   } else {
> > -   conn->bev = bufferevent_new(afd, conn_read, conn_write,
> > -   conn_err, conn);
> > -   if (conn->bev == NULL) {
> > -   log_warn("conn_accept: bufferevent_new");
> > -   free(conn);
> > -   goto giveup;
> > -   }
> > -   bufferevent_enable(conn->bev, EV_READ);
> > -   buf

Re: use libtls in ldapd

2016-04-24 Thread Bob Beck
just go for it.  see who screams

ok beck@

On Sunday, 24 April 2016, Sebastian Benoit  wrote:

> Jonathan Matthew(jonat...@d14n.org) on 2016.04.18 07:17:55 +1000:
> > On Sun, Apr 10, 2016 at 04:36:15PM +1000, Jonathan Matthew wrote:
> > > A while back (s2k15?), reyk@ suggested I take a look at converting
> > > ldapd to use libtls rather than the openssl api.  Today I finally got
> > > around to it, resulting in the diff below.  Most of the diff just
> > > removes ssl.c and ssl_privsep.c, and replaces some of it with
> > > evbuffer_tls.c (copied from syslogd, unmodified).  A reasonable amount
> > > of code just went away because libtls is sensible.  The few remaining
> > > bits of ssl.c moved to wherever seemed most suitable.
> > >
> > > I've tested a few things with the openldap clients, which apparently
> > > only do starttls, and otherwise checked that it negotiates ssl
> > > successfully.
> > >
> > > ok?
> >
> > ldapd is too boring?
>
> :)
>
> ok from me, but i cant test it.
>
> >
> > >
> > >
> > > Index: Makefile
> > > ===
> > > RCS file: /cvs/src/usr.sbin/ldapd/Makefile,v
> > > retrieving revision 1.12
> > > diff -u -p -u -p -r1.12 Makefile
> > > --- Makefile16 Jul 2014 20:07:03 -  1.12
> > > +++ Makefile10 Apr 2016 06:15:50 -
> > > @@ -5,11 +5,11 @@ MAN=  ldapd.8 ldapd.conf.5
> > >  SRCS=  ber.c log.c control.c \
> > > util.c ldapd.c ldape.c conn.c attributes.c namespace.c \
> > > btree.c filter.c search.c parse.y \
> > > -   auth.c modify.c index.c ssl.c ssl_privsep.c \
> > > +   auth.c modify.c index.c evbuffer_tls.c \
> > > validate.c uuid.c schema.c imsgev.c syntax.c matching.c
> > >
> > > -LDADD= -levent -lssl -lcrypto -lz -lutil
> > > -DPADD= ${LIBEVENT} ${LIBCRYPTO} ${LIBSSL} ${LIBZ}
> ${LIBUTIL}
> > > +LDADD= -ltls -levent -lz -lutil
> > > +DPADD= ${LIBEVENT} ${LIBTLS} ${LIBCRYPTO} ${LIBSSL}
> ${LIBZ} ${LIBUTIL}
> > >  CFLAGS+=   -I${.CURDIR} -g
> > >  CFLAGS+=   -Wall -Wstrict-prototypes -Wmissing-prototypes
> > >  CFLAGS+=   -Wmissing-declarations
> > > Index: btree.c
> > > ===
> > > RCS file: /cvs/src/usr.sbin/ldapd/btree.c,v
> > > retrieving revision 1.36
> > > diff -u -p -u -p -r1.36 btree.c
> > > --- btree.c 20 Mar 2016 00:01:22 -  1.36
> > > +++ btree.c 10 Apr 2016 06:15:51 -
> > > @@ -34,6 +34,8 @@
> > >  #include 
> > >  #include 
> > >
> > > +#include 
> > > +
> > >  #include "btree.h"
> > >
> > >  /* #define DEBUG */
> > > Index: btree.h
> > > ===
> > > RCS file: /cvs/src/usr.sbin/ldapd/btree.h,v
> > > retrieving revision 1.6
> > > diff -u -p -u -p -r1.6 btree.h
> > > --- btree.h 2 Jul 2010 01:43:00 -   1.6
> > > +++ btree.h 10 Apr 2016 06:15:51 -
> > > @@ -19,8 +19,6 @@
> > >  #ifndef _btree_h_
> > >  #define _btree_h_
> > >
> > > -#include 
> > > -
> > >  struct mpage;
> > >  struct cursor;
> > >  struct btree_txn;
> > > Index: conn.c
> > > ===
> > > RCS file: /cvs/src/usr.sbin/ldapd/conn.c,v
> > > retrieving revision 1.12
> > > diff -u -p -u -p -r1.12 conn.c
> > > --- conn.c  2 Nov 2015 06:32:51 -   1.12
> > > +++ conn.c  10 Apr 2016 06:15:51 -
> > > @@ -26,6 +26,7 @@
> > >  #include "ldapd.h"
> > >
> > >  int conn_dispatch(struct conn *conn);
> > > +int conn_tls_init(struct conn *);
> > >  unsigned long   ldap_application(struct ber_element *elm);
> > >
> > >  struct conn_listconn_list;
> > > @@ -61,7 +62,7 @@ conn_close(struct conn *conn)
> > > /* Cancel any queued requests on this connection. */
> > > namespace_cancel_conn(conn);
> > >
> > > -   ssl_session_destroy(conn);
> > > +   tls_free(conn->tls);
> > >
> > > TAILQ_REMOVE(&conn_list, conn, next);
> > > ber_free(&conn->ber);
> > > @@ -225,9 +226,8 @@ conn_write(struct bufferevent *bev, void
> > > conn_close(conn);
> > > else if (conn->s_flags & F_STARTTLS) {
> > > conn->s_flags &= ~F_STARTTLS;
> > > -   bufferevent_free(conn->bev);
> > > -   conn->bev = NULL;
> > > -   ssl_session_init(conn);
> > > +   if (conn_tls_init(conn) == -1)
> > > +   conn_close(conn);
> > > }
> > >  }
> > >
> > > @@ -296,24 +296,22 @@ conn_accept(int fd, short event, void *d
> > > goto giveup;
> > > }
> > > conn->ber.fd = -1;
> > > -   conn->s_l = l;
> > > ber_set_application(&conn->ber, ldap_application);
> > > conn->fd = afd;
> > > conn->listener = l;
> > >
> > > -   if (l->flags & F_LDAPS) {
> > > -   ssl_session_init(conn);
> > > -   } else {
> > > -   conn->bev = bufferevent_new(afd, conn_read, c