lex: malloc+memset -> calloc

2017-08-16 Thread Michael W. Bombardieri
Hello,

Two instances of memset() can be removed in lex if calloc() is
used instead of malloc().

- Michael


Index: filter.c
===
RCS file: /cvs/src/usr.bin/lex/filter.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 filter.c
--- filter.c18 Dec 2016 06:11:23 -  1.7
+++ filter.c17 Aug 2017 05:46:13 -
@@ -50,10 +50,9 @@ filter_create_ext(struct filter * chain,
va_list ap;
 
/* allocate and initialize new filter */
-   f = malloc(sizeof(struct filter));
+   f = calloc(sizeof(struct filter), 1);
if (!f)
-   flexerror(_("malloc failed (f) in filter_create_ext"));
-   memset(f, 0, sizeof(*f));
+   flexerror(_("calloc failed (f) in filter_create_ext"));
f->filter_func = NULL;
f->extra = NULL;
f->next = NULL;
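Review bot: The arguments to calloc() in the added line are in the reverse of the documented order, calloc(nmemb, size); write it as calloc(1, sizeof(*f)), which also ties the size to the variable the way the removed memset(f, 0, sizeof(*f)) did. The result is the same here because the count is 1, but the conventional order keeps the call readable if a count is introduced later.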
@@ -103,10 +102,9 @@ filter_create_int(struct filter * chain,
struct filter *f;
 
/* allocate and initialize new filter */
-   f = malloc(sizeof(struct filter));
+   f = calloc(sizeof(struct filter), 1);
if (!f)
-   flexerror(_("malloc failed in filter_create_int"));
-   memset(f, 0, sizeof(*f));
+   flexerror(_("calloc failed in filter_create_int"));
f->next = NULL;
f->argc = 0;
f->argv = NULL;
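Review bot: With the allocation now zeroed by calloc(), the context lines f->next = NULL, f->argc = 0 and f->argv = NULL that follow are redundant in practice, as they already were after the memset(). Either drop them in the same cleanup or state in the commit message that they stay on purpose as explicit initialization; the same applies to the three assignments after the first hunk.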



Re: Improve the accuracy of the TSC frequency calibration (Was: Calculate the frequency of the tsc timecounter)

2017-08-16 Thread Adam Steen
On Tue, Aug 8, 2017 at 10:12 PM, Mike Belopuhov  wrote:
> On Tue, Aug 08, 2017 at 08:18 +0800, Adam Steen wrote:
>> On Mon, Jul 31, 2017 at 3:58 PM, Mike Belopuhov  wrote:
>> > On Mon, Jul 31, 2017 at 09:48 +0800, Adam Steen wrote:
>> >> Ted Unangst  wrote:
>> >> > we don't currently export this info, but we could add some sysctls. 
>> >> > there's
>> >> > some cpufeatures stuff there, but generally stuff isn't exported until
>> >> > somebody finds a use for it... it shouldn't be too hard to add 
>> >> > something to
>> >> > amd64/machdep.c sysctl if you're interested.
>> >>
>> >> I am interested, as i need the info, i will look into it and hopefully
>> >> come back with a patch.
>> >
>> > This is a bad idea because TSC as the time source is only usable
>> > by OpenBSD on Skylake and Kaby Lake CPUs since they encode the TSC
>> > frequency in the CPUID. All older CPUs have their TSCs measured
>> > against the PIT. Currently the measurement done by the kernel isn't
>> > very precise and if TSC is selected as a timecounter, the machine
>> > would be gaining time on a pace that cannot be corrected by our NTP
>> > daemon. (IIRC, about an hour a day on my Haswell running with NTP).
>> >
>> > To be able to use TSC as a timecounter source on OpenBSD or Solo5
>> > you'd have to improve the in-kernel measurement of the TSC frequency
>> > first. I've tried to perform 10 measurements and take an average and
>> > it does improve accuracy, however I believe we need to poach another
>> > bit from Linux and re-calibrate TSC via HPET:
>> >
>> >  
>> > http://elixir.free-electrons.com/linux/v4.12.4/source/arch/x86/kernel/tsc.c#L409
>> >
>> > I think this is the most sane thing we can do. Here's a complete
>> > procedure that Linux kernel undertakes:
>> >
>> >  
>> > http://elixir.free-electrons.com/linux/v4.12.4/source/arch/x86/kernel/tsc.c#L751
>> >
>> > Regards,
>> > Mike
>>
>> Hi Mike/All
>>
>> I would like to improve the accuracy of TSC frequency calibration as
>> Mike B. describes above.
>>
>> I initially thought the calibration would take place at line 470 of
>> amd64/identcpu.c
>> (https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/amd64/amd64/identcpu.c?annotate=1.87)
>>
>
> Indeed, it cannot happen there simply because you don't know at
> that point whether or not HPET actually exists.
>
>> But I looked into using the acpihpet directly but it is never exposed
>> outside of acpihpet.c.
>>
>
> And it shouldn't be.
>
>> Could someone point me to where it would be appropriate to complete
>> this calibration and how to use the acpihpet?
>
> The way I envision this is a multi-step approach:
>
> 1) TSC frequency is approximated with the PIT (possibly performing
> multiple measurements and averaging them out; also keep in mind that
> doing it 8 times means you can shift the sum right by 3 instead of
> using actual integer division).  This is what should happen around
> the line 470 of identcpu.c
>
> 2) A function can be provided by identcpu.c to further adjust the
> TSC frequency once acpitimer(4) (this is a PM timer) and acpihpet(4)
> (or any other timer for that matter) are attached.
>
> 3) Once acpitimer(4) or acpihpet(4) or any other timecounter source
> are attached and are verified to be operating correctly, they can
> perform TSC re-calibration and update the TSC frequency with their
> measurements.  The idea here is that the function (or functions) that
> facilitate this must abstract enough logic so that you don't have to
> duplicate it in the acpitimer or acpihpet themselves.
>
>> (Will it need to be
>> exposed like i8254_delay/delay_func/delay in machdep.c and cpu.h)
>>
>
> No it won't.
>
>> Lastly should the calibration be done using both delay(i8254 pit) and
>> hpet timers similar to Linux described above or just using the hpet?
>>
>
> Well, that's what I was arguing for.  As I said in my initial mail
> on misc (not quoted here), the TSC must be calibrated using separate
> known clocks sources.

Hi Mike

Please see the below diff to improve the accuracy of the TSC
frequency. It is modeled after the Linux calibration you linked to
earlier. https://marc.info/?l=openbsd-misc&m=150148792804747&w=2

I feel like i don't know enough about the kernel internals, the
consistency of the results across reboots are not as close as i would
have liked, i feel the call to do the actual calibration should be
later in the boot cycle, when things have calmed down a little, but
couldn't figure out the best way of doing this.

Please bear with me, I haven't been programming C for long, but the
only way to get things done is to do it yourself.

Cheers
Adam

Index: sys/arch/amd64/amd64/acpi_machdep.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/acpi_machdep.c,v
retrieving revision 1.78
diff -u -p -u -p -r1.78 acpi_machdep.c
--- sys/arch/amd64/amd64/acpi_machdep.c 27 Mar 2017 18:32:53 - 1.78
+++ sys/arch/amd64/amd64/acpi_machdep.c 

Re: CID 1452946, 1452957: Uninitialized scalar variable (bridge_ipsec)

2017-08-16 Thread Alexander Bluhm
On Wed, Aug 16, 2017 at 05:18:09PM +0200, Mike Belopuhov wrote:
> Hi,
> 
> In May this year, the condition that would make this break do the
> right thing got removed and now if a short packet is sent to an
> ipsec-enabled bridge, various things like 'spi' and 'off' are left
> uninitialized, but thankfully the gettdb call that follows will
> most likely fail when presented with a random spi value.  But it's
> a nasty bug nevertheless.
> 
> OK?

OK bluhm@

> 
> diff --git sys/net/if_bridge.c sys/net/if_bridge.c
> index 0e048205475..33d4753fd6b 100644
> --- sys/net/if_bridge.c
> +++ sys/net/if_bridge.c
> @@ -1404,11 +1404,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet 
> *ifp,
>  
>   if (dir == BRIDGE_IN) {
>   switch (af) {
>   case AF_INET:
>   if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t))
> - break;
> + goto skiplookup;
>  
>   ip = mtod(m, struct ip *);
>   proto = ip->ip_p;
>   off = offsetof(struct ip, ip_p);
>  
> @@ -1425,11 +1425,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet 
> *ifp,
>  
>   break;
>  #ifdef INET6
>   case AF_INET6:
>   if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t))
> - break;
> + goto skiplookup;
>  
>   ip6 = mtod(m, struct ip6_hdr *);
>  
>   /* XXX We should chase down the header chain */
>   proto = ip6->ip6_nxt;



tftp: use monotonic clock for statistics summary

2017-08-16 Thread Scott Cheloha
Hi,

Same deal here as in dd(1).  We display the elapsed time so we want
a monotonic clock.

--
Scott Cheloha

Index: usr.bin/tftp/tftp.c
===
RCS file: /cvs/src/usr.bin/tftp/tftp.c,v
retrieving revision 1.24
diff -u -p -r1.24 tftp.c
--- usr.bin/tftp/tftp.c 21 Oct 2014 06:15:16 -  1.24
+++ usr.bin/tftp/tftp.c 17 Aug 2017 01:44:46 -
@@ -52,6 +52,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 
@@ -83,8 +84,8 @@ extern int opt_tsize;
 extern int  opt_tout;
 extern int  opt_blksize;
 
-struct timeval tstart;
-struct timeval tstop;
+struct timespectstart;
+struct timespectstop;
 unsigned int   segment_size = SEGSIZE;
 unsigned int   packet_size = SEGSIZE + 4;
 
@@ -548,13 +549,13 @@ tpacket(const char *s, struct tftphdr *t
 static void
 startclock(void)
 {
-   (void)gettimeofday(, NULL);
+   clock_gettime(CLOCK_MONOTONIC, );
 }
 
 static void
 stopclock(void)
 {
-   (void)gettimeofday(, NULL);
+   clock_gettime(CLOCK_MONOTONIC, );
 }
 
 static void
@@ -563,8 +564,8 @@ printstats(const char *direction, unsign
double  delta;
 
/* compute delta in 1/10's second units */
-   delta = ((tstop.tv_sec * 10.) + (tstop.tv_usec / 10)) -
-   ((tstart.tv_sec * 10.) + (tstart.tv_usec / 10));
+   delta = ((tstop.tv_sec * 10.) + (tstop.tv_nsec / 1)) -
+   ((tstart.tv_sec * 10.) + (tstart.tv_nsec / 1));
delta = delta / 10.;/* back to seconds */
printf("%s %lu bytes in %.1f seconds", direction, amount, delta);
if (verbose)
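Review bot: In printstats() the sub-second term still uses integer division on tv_nsec, which truncates before the value becomes a double, and the divisor has to move from the microsecond to the nanosecond scale (the constants are cut short as rendered here, so check that it is 100000000 for tenths of a second). It would be simpler to let timespecsub(&tstop, &tstart, &diff) do the subtraction and compute delta = diff.tv_sec + diff.tv_nsec / 1000000000.0 directly in seconds, where diff is a new local struct timespec.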



Re: hfsc_deferred race

2017-08-16 Thread Mike Belopuhov
On Tue, Aug 15, 2017 at 17:14 +0200, Mike Belopuhov wrote:
> Hi,
> 
> I've just triggered an assert in hfsc_deferred (a callout) on an
> MP kernel running on an SP virtual machine:
> 
>   panic: kernel diagnostic assertion "HFSC_ENABLED(ifq)" failed: file 
> "/home/mike/src/openbsd/sys/net/hfsc.c", line 950
>   Stopped at  db_enter+0x9:   leave
>   TIDPIDUID PRFLAGS PFLAGS  CPU  COMMAND
>   *247463  28420  0 0x3  00  pfctl
>   db_enter() at db_enter+0x9
>   
> panic(817f78f0,4,81a3ffc0,8110c140,800c2060,fff
>   f81598b1c) at panic+0x102
>   __assert(81769d93,817d7350,3b6,817d72bd) at 
> __assert+0x
>   35
>   hfsc_deferred(800c2060) at hfsc_deferred+0x9e
>   timeout_run(8004adc8) at timeout_run+0x4c
>   softclock(0) at softclock+0x146
>   softintr_dispatch(0) at softintr_dispatch+0x9f
>   Xsoftclock() at Xsoftclock+0x1f
>   --- interrupt ---
>   end of kernel
>   end trace frame: 0x728d481974c08548, count: 7
>   0x2cfe9c031c9:
>   https://www.openbsd.org/ddb.html describes the minimum info required in bug
>   reports.  Insufficient info makes it difficult to find and fix bugs.
>   ddb{0}> ps
>  PID TID   PPIDUID  S   FLAGS  WAIT  COMMAND
>   *28420  247463   5000  0  7 0x3pfctl
> 
> 
> pfctl runs in the loop reloading the ruleset.  So at some point we
> disable HFSC on the interface but lose a race with hfsc_deferred
> before re-enabling it.
> 
> IFQ has a mechanism to lock the underlying object and I believe this
> is the right tool for this job.  Any other ideas?
> 
> I don't think it's a good idea to hold the mutex (ifq_q_enter and
> ifq_q_leave effectively lock and unlock it) during the ifq_start,
> so we have to make a concession and run the ifq_start before knowing
> whether or not HFSC is attached.  IMO, it's a small price to pay to
> avoid clutter.  Kernel lock assertion is pointless at this point.
> 
> OK?
>

I've been running with this while debugging the issue with the active
class list ("panic: kernel diagnostic assertion" from Aug 12 on bugs@)
and I'm quite confident that this works and I don't observe the race
anymore.

In addition, I've figured we can keep the HFSC_ENABLED check as there
is no issue with bailing early here:

diff --git sys/net/hfsc.c sys/net/hfsc.c
index 12504267dc5..c51f1406a0b 100644
--- sys/net/hfsc.c
+++ sys/net/hfsc.c
@@ -950,10 +950,13 @@ hfsc_deferred(void *arg)
 {
struct ifnet *ifp = arg;
struct ifqueue *ifq = >if_snd;
struct hfsc_if *hif;
 
+   if (!HFSC_ENABLED(ifq))
+   return;
+
if (!ifq_empty(ifq))
ifq_start(ifq);
 
hif = ifq_q_enter(>if_snd, ifq_hfsc_ops);
if (hif == NULL)
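Review bot: The new HFSC_ENABLED(ifq) test at the top of hfsc_deferred() runs without the queue lock, so HFSC can still be disabled between it and ifq_start(); it is an early bail-out only, and the NULL check on ifq_q_enter() remains the one that closes the race. A short comment saying so would keep a later cleanup from removing the ifq_q_enter() check as redundant.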


> diff --git sys/net/hfsc.c sys/net/hfsc.c
> index 410bea733c6..3c5b6f6ef78 100644
> --- sys/net/hfsc.c
> +++ sys/net/hfsc.c
> @@ -944,20 +944,19 @@ hfsc_deferred(void *arg)
>  {
>   struct ifnet *ifp = arg;
>   struct ifqueue *ifq = >if_snd;
>   struct hfsc_if *hif;
>  
> - KERNEL_ASSERT_LOCKED();
> - KASSERT(HFSC_ENABLED(ifq));
> -
>   if (!ifq_empty(ifq))
>   ifq_start(ifq);
>  
> - hif = ifq->ifq_q;
> -
> + hif = ifq_q_enter(>if_snd, ifq_hfsc_ops);
> + if (hif == NULL)
> + return;
>   /* XXX HRTIMER nearest virtual/fit time is likely less than 1/HZ. */
>   timeout_add(>hif_defer, 1);
> + ifq_q_leave(>if_snd, hif);
>  }
>  
>  void
>  hfsc_cl_purge(struct hfsc_if *hif, struct hfsc_class *cl, struct mbuf_list 
> *ml)
>  {
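Review bot: ifq_q_enter() and ifq_q_leave() are passed the interface's if_snd again although the local ifq already points at it; use ifq in both calls so the function refers to the queue one way. It is also worth stating in the commit message that when ifq_q_enter() returns NULL the function returns before timeout_add(), so the callout is not re-armed in that case.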



Re: qemu vmm 6.0 / 6.1

2017-08-16 Thread Mike Larkin
On Wed, Aug 16, 2017 at 11:09:57AM -0400, sven falempin wrote:
> 6.1 got a firmware (ewww) for seabios
> 

if you don't like this you are free to delete it and use the -b option in
vmctl instead. You just don't get non-openbsd guests. your choice.

-ml

> i mean this : /usr/ports/sysutils/firmware/vmm
> 
> If i compile this ports on 6.0 do i have any chance it does something right
> or i am just digging my grave deeper ?
> 
> Best,
> 
> 
> -- 
> --
> -
> Knowing is not enough; we must apply. Willing is not enough; we must do



Re: qemu vmm 6.0 / 6.1

2017-08-16 Thread Bryan Steele
On Wed, Aug 16, 2017 at 11:09:57AM -0400, sven falempin wrote:
> 6.1 got a firmware (ewww) for seabios
> 
> i mean this : /usr/ports/sysutils/firmware/vmm
> 
> If i compile this ports on 6.0 do i have any chance it does something right
> or i am just digging my grave deeper ?
> 
> Best,
> 
> 
> -- 
> --
> -
> Knowing is not enough; we must apply. Willing is not enough; we must do
> 

What exactly are you asking? OpenBSD 6.0 didn't even have vmm(4)/vmd(8),
it first appeared in 6.1..

The firmware port doesn't have anything to do with QEMU, so no, there is
no chance that it does anything at all on 6.0.

-Bryan.



CID 1453358: Out-of-bounds read (bufq_init)

2017-08-16 Thread Mike Belopuhov
There's only two disk elevator disciplines 0 - fifo and 1 - nscan.
BUFQ_HOWMANY is 2, but the 'type' should be checked against
(BUFQ_HOWMANY - 1) as it's used as an index.

OK?

diff --git sys/kern/kern_bufq.c sys/kern/kern_bufq.c
index 7ed83470e58..ad9558e0d53 100644
--- sys/kern/kern_bufq.c
+++ sys/kern/kern_bufq.c
@@ -76,11 +76,11 @@ const struct bufq_impl bufq_impls[BUFQ_HOWMANY] = {
 int
 bufq_init(struct bufq *bq, int type)
 {
u_int hi = BUFQ_HI, low = BUFQ_LOW;
 
-   if (type > BUFQ_HOWMANY)
+   if (type >= BUFQ_HOWMANY)
panic("bufq_init: type %i unknown", type);
 
/*
 * Ensure that writes can't consume the entire amount of kva
 * available the buffer cache if we only have a limited amount
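Review bot: type is a signed int, so the corrected test if (type >= BUFQ_HOWMANY) still lets a negative value through to be used as an index into bufq_impls[]. Check both ends, if (type < 0 || type >= BUFQ_HOWMANY), or make the parameter unsigned.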



CID 1452946, 1452957: Uninitialized scalar variable (bridge_ipsec)

2017-08-16 Thread Mike Belopuhov
Hi,

In May this year, the condition that would make this break do the
right thing got removed and now if a short packet is sent to an
ipsec-enabled bridge, various things like 'spi' and 'off' are left
uninitialized, but thankfully the gettdb call that follows will
most likely fail when presented with a random spi value.  But it's
a nasty bug nevertheless.

OK?

diff --git sys/net/if_bridge.c sys/net/if_bridge.c
index 0e048205475..33d4753fd6b 100644
--- sys/net/if_bridge.c
+++ sys/net/if_bridge.c
@@ -1404,11 +1404,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
 
if (dir == BRIDGE_IN) {
switch (af) {
case AF_INET:
if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t))
-   break;
+   goto skiplookup;
 
ip = mtod(m, struct ip *);
proto = ip->ip_p;
off = offsetof(struct ip, ip_p);
 
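Review bot: The target label skiplookup is not part of this diff, so the fix cannot be verified from the hunks alone; please include enough context to show that the label sits after the gettdb lookup and after every read of spi, off and proto. If the label already exists for another path, say so in the commit message.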
@@ -1425,11 +1425,11 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
 
break;
 #ifdef INET6
case AF_INET6:
if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t))
-   break;
+   goto skiplookup;
 
ip6 = mtod(m, struct ip6_hdr *);
 
/* XXX We should chase down the header chain */
proto = ip6->ip6_nxt;
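Review bot: The length test if (m->m_pkthdr.len - hlen < 2 * sizeof(u_int32_t)) compares against a size_t, so the left side is converted to unsigned; if hlen can ever exceed m_pkthdr.len the difference wraps to a large value and the short-packet path is not taken. Worth confirming that the callers guarantee len >= hlen, or rewriting the test as m->m_pkthdr.len < hlen + 2 * sizeof(u_int32_t), in both the AF_INET and AF_INET6 cases.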



Re: qemu vmm 6.0 / 6.1

2017-08-16 Thread Theo de Raadt
> 6.1 got a firmware (ewww) for seabios
> 
> i mean this : /usr/ports/sysutils/firmware/vmm
> 
> If i compile this ports on 6.0 do i have any chance it does something right
> or i am just digging my grave deeper ?

If you do all the work, you can perform magic.

But if you are asking others to help, nope.



qemu vmm 6.0 / 6.1

2017-08-16 Thread sven falempin
6.1 got a firmware (ewww) for seabios

i mean this : /usr/ports/sysutils/firmware/vmm

If i compile this ports on 6.0 do i have any chance it does something right
or i am just digging my grave deeper ?

Best,


-- 
--
-
Knowing is not enough; we must apply. Willing is not enough; we must do


Additional media options for ix(4) [again]

2017-08-16 Thread Mike Belopuhov
Hi,

I haven't gotten any feedback on the following diff
but I think there's still hope.  Please test.

Original mail:

I won't mind some broad testing of the following diff
which adds some additional media options to ix(4) from
FreeBSD and includes a fix for changing media from
Masanobu SAITOH.

The fix makes sure that when the media operation speed
is selected manually, the device doesn't additionally
advertise other (slower) modes.


diff --git sys/dev/pci/if_ix.c sys/dev/pci/if_ix.c
index 339ba2bc4f1..8fca8742f7f 100644
--- sys/dev/pci/if_ix.c
+++ sys/dev/pci/if_ix.c
@@ -1028,62 +1028,115 @@ ixgbe_intr(void *arg)
  *  This routine is called whenever the user queries the status of
  *  the interface using ifconfig.
  *
  **/
 void
-ixgbe_media_status(struct ifnet * ifp, struct ifmediareq *ifmr)
+ixgbe_media_status(struct ifnet *ifp, struct ifmediareq *ifmr)
 {
struct ix_softc *sc = ifp->if_softc;
+   int layer;
+
+   layer = sc->hw.mac.ops.get_supported_physical_layer(>hw);
 
ifmr->ifm_active = IFM_ETHER;
ifmr->ifm_status = IFM_AVALID;
 
INIT_DEBUGOUT("ixgbe_media_status: begin");
ixgbe_update_link_status(sc);
 
-   if (LINK_STATE_IS_UP(ifp->if_link_state)) {
-   ifmr->ifm_status |= IFM_ACTIVE;
+   if (!LINK_STATE_IS_UP(ifp->if_link_state))
+   return;
+
+   ifmr->ifm_status |= IFM_ACTIVE;
 
+   if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_T ||
+   layer & IXGBE_PHYSICAL_LAYER_1000BASE_T ||
+   layer & IXGBE_PHYSICAL_LAYER_100BASE_TX)
switch (sc->link_speed) {
+   case IXGBE_LINK_SPEED_10GB_FULL:
+   ifmr->ifm_active |= IFM_10G_T | IFM_FDX;
+   break;
+   case IXGBE_LINK_SPEED_1GB_FULL:
+   ifmr->ifm_active |= IFM_1000_T | IFM_FDX;
+   break;
case IXGBE_LINK_SPEED_100_FULL:
ifmr->ifm_active |= IFM_100_TX | IFM_FDX;
break;
+   }
+   if (layer & IXGBE_PHYSICAL_LAYER_SFP_PLUS_CU ||
+   layer & IXGBE_PHYSICAL_LAYER_SFP_ACTIVE_DA)
+   switch (sc->link_speed) {
+   case IXGBE_LINK_SPEED_10GB_FULL:
+   ifmr->ifm_active |= IFM_10G_SFP_CU | IFM_FDX;
+   break;
+   }
+   if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_LR)
+   switch (sc->link_speed) {
+   case IXGBE_LINK_SPEED_10GB_FULL:
+   ifmr->ifm_active |= IFM_10G_LR | IFM_FDX;
+   break;
case IXGBE_LINK_SPEED_1GB_FULL:
-   switch (sc->optics) {
-   case IFM_10G_SR: /* multi-speed fiber */
-   ifmr->ifm_active |= IFM_1000_SX | IFM_FDX;
-   break;
-   case IFM_10G_LR: /* multi-speed fiber */
-   ifmr->ifm_active |= IFM_1000_LX | IFM_FDX;
-   break;
-   default:
-   ifmr->ifm_active |= sc->optics | IFM_FDX;
-   break;
-   }
+   ifmr->ifm_active |= IFM_1000_LX | IFM_FDX;
break;
+   }
+   if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_LRM)
+   switch (sc->link_speed) {
case IXGBE_LINK_SPEED_10GB_FULL:
-   ifmr->ifm_active |= sc->optics | IFM_FDX;
+   ifmr->ifm_active |= IFM_10G_LRM | IFM_FDX;
+   break;
+   case IXGBE_LINK_SPEED_1GB_FULL:
+   ifmr->ifm_active |= IFM_1000_LX | IFM_FDX;
break;
}
-
-   switch (sc->hw.fc.current_mode) {
-   case ixgbe_fc_tx_pause:
-   ifmr->ifm_active |= IFM_FLOW | IFM_ETH_TXPAUSE;
+   if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_SR ||
+   layer & IXGBE_PHYSICAL_LAYER_1000BASE_SX)
+   switch (sc->link_speed) {
+   case IXGBE_LINK_SPEED_10GB_FULL:
+   ifmr->ifm_active |= IFM_10G_SR | IFM_FDX;
+   break;
+   case IXGBE_LINK_SPEED_1GB_FULL:
+   ifmr->ifm_active |= IFM_1000_SX | IFM_FDX;
break;
-   case ixgbe_fc_rx_pause:
-   ifmr->ifm_active |= IFM_FLOW | IFM_ETH_RXPAUSE;
+   }
+   if (layer & IXGBE_PHYSICAL_LAYER_10GBASE_CX4)
+   switch (sc->link_speed) {
+   case IXGBE_LINK_SPEED_10GB_FULL:
+   ifmr->ifm_active |= IFM_10G_CX4 | IFM_FDX;
break;
-   case ixgbe_fc_full:
-   ifmr->ifm_active |= IFM_FLOW | 
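Review bot: The rewritten ixgbe_media_status() tests layer in a series of independent if statements, each of which ORs a media subtype into ifmr->ifm_active; if get_supported_physical_layer() reports more than one of these layers, two subtypes are ORed together and the result is neither of them. Make the tests an else-if chain, or stop after the first match. Braces around each if body that holds a switch would also help, as the unbraced if (...) switch (...) form is easy to misread.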

[patch] make cipher list preference configurable in httpd

2017-08-16 Thread Andreas Bartelt
The following patch makes the TLS cipher list preference (server vs. 
client) configurable in httpd (like in relayd):



Index: src/usr.sbin/httpd/config.c
===
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.53
diff -u -p -u -r1.53 config.c
--- src/usr.sbin/httpd/config.c 19 Jul 2017 17:36:25 -  1.53
+++ src/usr.sbin/httpd/config.c 16 Aug 2017 12:40:59 -
@@ -472,6 +472,8 @@ config_getserver_config(struct httpd *en
srv_conf->hsts_max_age = parent->hsts_max_age;
srv_conf->hsts_flags = parent->hsts_flags;

+   srv_conf->tls_flags = parent->tls_flags;
+
memcpy(_conf->timeout, >timeout,
sizeof(srv_conf->timeout));
srv_conf->maxrequests = parent->maxrequests;
Index: src/usr.sbin/httpd/httpd.conf.5
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.84
diff -u -p -u -r1.84 httpd.conf.5
--- src/usr.sbin/httpd/httpd.conf.5 11 Aug 2017 20:30:45 -  1.84
+++ src/usr.sbin/httpd/httpd.conf.5 16 Aug 2017 12:40:59 -
@@ -518,6 +518,10 @@ The
 should contain a PEM encoded certificate.
 The default is
 .Pa /etc/ssl/server.crt .
+.It Oo Ic no Oc Ic cipher-server-preference
+Prefer the server's cipher list over the client's preferences when
+choosing a cipher for the connection.
+This is enabled by default.
 .It Ic ciphers Ar string
 Specify the TLS cipher string.
 If not specified, the default value
Index: src/usr.sbin/httpd/httpd.h
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.134
diff -u -p -u -r1.134 httpd.h
--- src/usr.sbin/httpd/httpd.h  11 Aug 2017 18:48:56 -  1.134
+++ src/usr.sbin/httpd/httpd.h  16 Aug 2017 12:40:59 -
@@ -416,6 +416,8 @@ SPLAY_HEAD(client_tree, client);
"\10\01NODELAY\02NO_NODELAY\03SACK\04NO_SACK" \
"\05SOCKET_BUFFER_SIZE\06IP_TTL\07IP_MINTTL\10NO_SPLICE"

+#define TLSFLAG_CIPHER_SERVER_PREF 0x01
+
 #define HSTSFLAG_SUBDOMAINS0x01
 #define HSTSFLAG_PRELOAD   0x02
 #define HSTSFLAG_BITS  "\10\01SUBDOMAINS\02PRELOAD"
@@ -514,6 +516,8 @@ struct server_config {

int  hsts_max_age;
uint8_t  hsts_flags;
+
+   uint8_t  tls_flags;

TAILQ_ENTRY(server_config) entry;
 };
Index: src/usr.sbin/httpd/parse.y
===
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.91
diff -u -p -u -r1.91 parse.y
--- src/usr.sbin/httpd/parse.y  11 Aug 2017 18:48:56 -  1.91
+++ src/usr.sbin/httpd/parse.y  16 Aug 2017 12:40:59 -
@@ -129,12 +129,13 @@ typedef struct {

 %}

-%token	ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS 
COMMON
-%token	COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY 
LIFETIME
-%token	LISTEN LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY OCSP ON PORT 
PREFORK
-%token	PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG 
TCP TICKET
-%token	TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD 
REQUEST

-%token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
+%token	ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT 
CIPHERSRVPREF
+%token	CIPHERS COMMON COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI 
INDEX

+%token IP KEY LIFETIME LISTEN LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY
+%token	OCSP ON PORT PREFORK PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET 
STRIP
+%token	STYLE SYSLOG TCP TICKET TIMEOUT TLS TYPE TYPES HSTS MAXAGE 
SUBDOMAINS

+%token DEFAULT PRELOAD REQUEST ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP
+%token RETURN PASS
 %token STRING
 %token NUMBER
 %typeport
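Review bot: The %token lines in this hunk are wrapped (COMMON, LIFETIME, PREFORK, CIPHERSRVPREF and others sit on continuation lines without a leading diff marker), so the patch will not apply as posted; please resend it as an attachment or with line wrapping turned off.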
@@ -260,6 +261,7 @@ server  : SERVER optmatch STRING{
if ((s->srv_conf.tls_key_file =
strdup(HTTPD_TLS_KEY)) == NULL)
fatal("out of memory");
+   s->srv_conf.tls_flags = TLSFLAG_CIPHER_SERVER_PREF;
strlcpy(s->srv_conf.tls_ciphers,
HTTPD_TLS_CIPHERS,
sizeof(s->srv_conf.tls_ciphers));
@@ -727,6 +729,12 @@ tlsopts: CERTIFICATE STRING{
fatal("out of memory");
free($2);
}
+   | CIPHERSRVPREF {
+   srv_conf->tls_flags |= TLSFLAG_CIPHER_SERVER_PREF;
+   }
+   | NO CIPHERSRVPREF  {
+   srv_conf->tls_flags &= ~TLSFLAG_CIPHER_SERVER_PREF;
+   }
| CIPHERS STRING{
if (strlcpy(srv_conf->tls_ciphers, $2,
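Review bot: The hunks shown set and clear TLSFLAG_CIPHER_SERVER_PREF in srv_conf->tls_flags, but none of them reads the flag; the server's TLS setup needs a matching call to tls_config_prefer_ciphers_server() or tls_config_prefer_ciphers_client(), and the parser's keyword table needs an entry mapping cipher-server-preference to CIPHERSRVPREF. If those changes exist elsewhere in the patch, they are not in the part shown here.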

Re: [patch] Add -z and -Z to apmd for automatic suspend/hibernate

2017-08-16 Thread Jesper Wallin
On Tue, Aug 15, 2017 at 07:24:47PM -0400, Ted Unangst wrote:
> this looks good. will commit soon.
> 
> (one nit, i'll correct, is man page options are upper case first.)

Noted for future reference. Thanks!