From owner-svn-src-stable-11@freebsd.org Mon May 27 13:12:52 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A40561581DC5; Mon, 27 May 2019 13:12:52 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 344D96C944; Mon, 27 May 2019 13:12:52 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 059473750; Mon, 27 May 2019 13:12:52 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4RDCpOW066096; Mon, 27 May 2019 13:12:51 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4RDCpHP066095; Mon, 27 May 2019 13:12:51 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <201905271312.x4RDCpHP066095@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Mon, 27 May 2019 13:12:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348304 - in stable/11: lib/libjail sbin/bectl/tests X-SVN-Group: stable-11 X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: in stable/11: lib/libjail sbin/bectl/tests X-SVN-Commit-Revision: 348304 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 344D96C944 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.98)[-0.976,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 May 2019 13:12:52 -0000 Author: kevans Date: Mon May 27 13:12:51 2019 New Revision: 348304 URL: https://svnweb.freebsd.org/changeset/base/348304 Log: MFC r348215, r348219: fix bectl(8) jail w/ numeric BE names r348215: jail_getid(3): validate jid string input Currently, if jail_getid(3) is passed in a numeric string, it assumes that this is a jid string and passes it back converted to an int without checking that it's a valid/existing jid. This breaks consumers that might use jail_getid(3) to see if it can trivially grab a jid from a name if that name happens to be numeric but not actually the name/jid of the jail. Instead of returning -1 for the jail not existing, it'll return the int version of the input and the consumer will not fallback to trying other methods. Pass the numeric input to jail_get(2) as the jid for validation, rather than the name. This works well- the kernel enforces that jid=name if name is numeric, so doing the safe thing and checking numeric input as a jid will still DTRT based on the description of jail_getid. r348219: bectl(8): Add a test for jail/unjail of numeric BE names Fixed by r348215, bectl ujail first attempts the trivial fetch of a jid by passing the first argument to 'ujail' to jail_getid(3) in case a jid/name have been passed in instead of a BE name. For numerically named BEs, this was doing the wrong thing: instead of failing to locate the jid specified and falling back to mountpath search, jail_getid(3) would return the input as-is. While here, I've fixed bectl_jail_cleanup which still used a hard-coded pool name that was overlooked w.r.t. other work that was in-flight around the same time. Approved by: re (marius) Modified: stable/11/lib/libjail/jail_getid.c stable/11/sbin/bectl/tests/bectl_test.sh Directory Properties: stable/11/ (props changed) Modified: stable/11/lib/libjail/jail_getid.c ============================================================================== --- stable/11/lib/libjail/jail_getid.c Mon May 27 12:41:41 2019 (r348303) +++ stable/11/lib/libjail/jail_getid.c Mon May 27 13:12:51 2019 (r348304) @@ -51,13 +51,18 @@ jail_getid(const char *name) struct iovec jiov[4]; jid = strtoul(name, &ep, 10); - if (*name && !*ep) - return jid; - jiov[0].iov_base = __DECONST(char *, "name"); - jiov[0].iov_len = sizeof("name"); - jiov[1].iov_len = strlen(name) + 1; - jiov[1].iov_base = alloca(jiov[1].iov_len); - strcpy(jiov[1].iov_base, name); + if (*name && !*ep) { + jiov[0].iov_base = __DECONST(char *, "jid"); + jiov[0].iov_len = sizeof("jid"); + jiov[1].iov_base = &jid; + jiov[1].iov_len = sizeof(jid); + } else { + jiov[0].iov_base = __DECONST(char *, "name"); + jiov[0].iov_len = sizeof("name"); + jiov[1].iov_len = strlen(name) + 1; + jiov[1].iov_base = alloca(jiov[1].iov_len); + strcpy(jiov[1].iov_base, name); + } jiov[2].iov_base = __DECONST(char *, "errmsg"); jiov[2].iov_len = sizeof("errmsg"); jiov[3].iov_base = jail_errmsg; Modified: stable/11/sbin/bectl/tests/bectl_test.sh ============================================================================== --- stable/11/sbin/bectl/tests/bectl_test.sh Mon May 27 12:41:41 2019 (r348303) +++ stable/11/sbin/bectl/tests/bectl_test.sh Mon May 27 13:12:51 2019 (r348304) @@ -294,9 +294,16 @@ bectl_jail_body() atf_check cp /rescue/rescue ${root}/rescue/rescue atf_check bectl -r ${zpool}/ROOT umount default - # Prepare a second boot environment + # Prepare some more boot environments atf_check -o empty -s exit:0 bectl -r ${zpool}/ROOT create -e default target + atf_check -o empty -s exit:0 bectl -r ${zpool}/ROOT create -e default 1234 + # Attempt to unjail a BE with numeric name; jail_getid at one point + # did not validate that the input was a valid jid before returning the + # jid. + atf_check -o empty -s exit:0 bectl -r ${zpool}/ROOT jail -b 1234 + atf_check -o empty -s exit:0 bectl -r ${zpool}/ROOT unjail 1234 + # When a jail name is not explicit, it should match the jail id. atf_check -o empty -s exit:0 bectl -r ${zpool}/ROOT jail -b -o jid=233637 default atf_check -o inline:"233637\n" -s exit:0 -x "jls -j 233637 name" @@ -340,9 +347,10 @@ bectl_jail_body() # attempts to destroy the zpool. bectl_jail_cleanup() { - for bootenv in "default" "target"; do + zpool=$(get_zpool_name) + for bootenv in "default" "target" "1234"; do # mountpoint of the boot environment - mountpoint="$(bectl -r bectl_test/ROOT list -H | grep ${bootenv} | awk '{print $3}')" + mountpoint="$(bectl -r ${zpool}/ROOT list -H | grep ${bootenv} | awk '{print $3}')" # see if any jail paths match the boot environment mountpoint jailid="$(jls | grep ${mountpoint} | awk '{print $1}')" @@ -353,7 +361,7 @@ bectl_jail_cleanup() jail -r ${jailid} done; - bectl_cleanup $(get_zpool_name) + bectl_cleanup ${zpool} } atf_init_test_cases() From owner-svn-src-stable-11@freebsd.org Mon May 27 13:14:23 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9A4811581E59; Mon, 27 May 2019 13:14:23 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 383EF6CA95; Mon, 27 May 2019 13:14:23 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1204D3751; Mon, 27 May 2019 13:14:23 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4RDEM96066259; Mon, 27 May 2019 13:14:22 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4RDEMoW066258; Mon, 27 May 2019 13:14:22 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <201905271314.x4RDEMoW066258@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Mon, 27 May 2019 13:14:22 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348305 - stable/11/sbin/bectl X-SVN-Group: stable-11 X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: stable/11/sbin/bectl X-SVN-Commit-Revision: 348305 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 383EF6CA95 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.97)[-0.974,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 May 2019 13:14:24 -0000 Author: kevans Date: Mon May 27 13:14:22 2019 New Revision: 348305 URL: https://svnweb.freebsd.org/changeset/base/348305 Log: MFC r348127: bectl(8): add description for create subcommand In commit r345845, a portion of documentation for the create subcommand was removed. Specifically, for creating a snapshot of an existing boot environment. bectl even has a test-case for this functionality. Removing the sub-command description was discussed in PR 235850. This patch brings back the second "create" description that was originally in place. Albeit, with a few wording/clarifying changes. Approved by: re (marius) Modified: stable/11/sbin/bectl/bectl.8 Directory Properties: stable/11/ (props changed) Modified: stable/11/sbin/bectl/bectl.8 ============================================================================== --- stable/11/sbin/bectl/bectl.8 Mon May 27 13:12:51 2019 (r348304) +++ stable/11/sbin/bectl/bectl.8 Mon May 27 13:14:22 2019 (r348305) @@ -18,7 +18,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 3, 2019 +.Dd May 12, 2019 .Dt BECTL 8 .Os .Sh NAME @@ -35,6 +35,10 @@ .Op Fl e Brq Ar nonActiveBe | Ar beName Ns Cm @ Ns Ar snapshot .Ar newBeName .Nm +.Cm create +.Op Fl r +.Ar beName@snapshot +.Nm .Cm destroy .Op Fl \&Fo .Ar beName Ns Op Cm @ Ns Ar snapshot @@ -120,6 +124,20 @@ Otherwise, the new environment will be created from th If .Nm is creating from another boot environment, a snapshot of that boot environment will be created to clone from. +.It Xo +.Cm create +.Op Fl r +.Ar beName@snapshot +.Xc +Create a snapshot of the boot environment named +.Ar beName . +.Pp +If the +.Fl r +flag is given, a recursive snapshot of the boot environment will be created. +A snapshot is created for each descendant dataset of the boot environment. +.Pp +No new boot environment is created with this command. .It Xo .Cm destroy .Op Fl \&Fo From owner-svn-src-stable-11@freebsd.org Wed May 29 00:00:58 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3D77415B0693; Wed, 29 May 2019 00:00:58 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 01215708A2; Wed, 29 May 2019 00:00:58 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 84079219D8; Wed, 29 May 2019 00:00:57 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4T00vQu081611; Wed, 29 May 2019 00:00:57 GMT (envelope-from jkim@FreeBSD.org) Received: (from jkim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4T00qcu081586; Wed, 29 May 2019 00:00:52 GMT (envelope-from jkim@FreeBSD.org) Message-Id: <201905290000.x4T00qcu081586@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jkim set sender to jkim@FreeBSD.org using -f From: Jung-uk Kim Date: Wed, 29 May 2019 00:00:52 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348343 - in stable/11: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/dh crypto/openssl/crypto/dsa crypto/openssl/crypto/ec crypto/openssl/crypto/ecdh c... X-SVN-Group: stable-11 X-SVN-Commit-Author: jkim X-SVN-Commit-Paths: in stable/11: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/dh crypto/openssl/crypto/dsa crypto/openssl/crypto/ec crypto/openssl/crypto/ecdh crypto/openssl/crypto/err ... X-SVN-Commit-Revision: 348343 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 01215708A2 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.95)[-0.952,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 May 2019 00:00:58 -0000 Author: jkim Date: Wed May 29 00:00:52 2019 New Revision: 348343 URL: https://svnweb.freebsd.org/changeset/base/348343 Log: Merge OpenSSL 1.0.2s. Approved by: re (kib) Modified: stable/11/crypto/openssl/CHANGES stable/11/crypto/openssl/Configure stable/11/crypto/openssl/Makefile stable/11/crypto/openssl/README stable/11/crypto/openssl/apps/CA.pl stable/11/crypto/openssl/config stable/11/crypto/openssl/crypto/dh/dh_pmeth.c stable/11/crypto/openssl/crypto/dsa/dsa_pmeth.c stable/11/crypto/openssl/crypto/ec/ec2_oct.c stable/11/crypto/openssl/crypto/ec/ec_lib.c stable/11/crypto/openssl/crypto/ec/ec_mult.c stable/11/crypto/openssl/crypto/ec/ecp_nistp521.c stable/11/crypto/openssl/crypto/ec/ecp_oct.c stable/11/crypto/openssl/crypto/ec/ectest.c stable/11/crypto/openssl/crypto/ecdh/ech_ossl.c stable/11/crypto/openssl/crypto/err/err.c stable/11/crypto/openssl/crypto/err/err.h stable/11/crypto/openssl/crypto/opensslv.h stable/11/crypto/openssl/crypto/rsa/rsa_eay.c stable/11/crypto/openssl/crypto/rsa/rsa_oaep.c stable/11/crypto/openssl/crypto/rsa/rsa_pk1.c stable/11/crypto/openssl/crypto/rsa/rsa_pmeth.c stable/11/crypto/openssl/crypto/rsa/rsa_ssl.c stable/11/crypto/openssl/doc/apps/genpkey.pod stable/11/crypto/openssl/ssl/d1_pkt.c stable/11/crypto/openssl/ssl/s3_pkt.c stable/11/secure/lib/libcrypto/Makefile.inc stable/11/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 stable/11/secure/lib/libcrypto/man/ASN1_STRING_length.3 stable/11/secure/lib/libcrypto/man/ASN1_STRING_new.3 stable/11/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 stable/11/secure/lib/libcrypto/man/ASN1_TIME_set.3 stable/11/secure/lib/libcrypto/man/ASN1_generate_nconf.3 stable/11/secure/lib/libcrypto/man/BIO_ctrl.3 stable/11/secure/lib/libcrypto/man/BIO_f_base64.3 stable/11/secure/lib/libcrypto/man/BIO_f_buffer.3 stable/11/secure/lib/libcrypto/man/BIO_f_cipher.3 stable/11/secure/lib/libcrypto/man/BIO_f_md.3 stable/11/secure/lib/libcrypto/man/BIO_f_null.3 stable/11/secure/lib/libcrypto/man/BIO_f_ssl.3 stable/11/secure/lib/libcrypto/man/BIO_find_type.3 stable/11/secure/lib/libcrypto/man/BIO_new.3 stable/11/secure/lib/libcrypto/man/BIO_new_CMS.3 stable/11/secure/lib/libcrypto/man/BIO_push.3 stable/11/secure/lib/libcrypto/man/BIO_read.3 stable/11/secure/lib/libcrypto/man/BIO_s_accept.3 stable/11/secure/lib/libcrypto/man/BIO_s_bio.3 stable/11/secure/lib/libcrypto/man/BIO_s_connect.3 stable/11/secure/lib/libcrypto/man/BIO_s_fd.3 stable/11/secure/lib/libcrypto/man/BIO_s_file.3 stable/11/secure/lib/libcrypto/man/BIO_s_mem.3 stable/11/secure/lib/libcrypto/man/BIO_s_null.3 stable/11/secure/lib/libcrypto/man/BIO_s_socket.3 stable/11/secure/lib/libcrypto/man/BIO_set_callback.3 stable/11/secure/lib/libcrypto/man/BIO_should_retry.3 stable/11/secure/lib/libcrypto/man/BN_BLINDING_new.3 stable/11/secure/lib/libcrypto/man/BN_CTX_new.3 stable/11/secure/lib/libcrypto/man/BN_CTX_start.3 stable/11/secure/lib/libcrypto/man/BN_add.3 stable/11/secure/lib/libcrypto/man/BN_add_word.3 stable/11/secure/lib/libcrypto/man/BN_bn2bin.3 stable/11/secure/lib/libcrypto/man/BN_cmp.3 stable/11/secure/lib/libcrypto/man/BN_copy.3 stable/11/secure/lib/libcrypto/man/BN_generate_prime.3 stable/11/secure/lib/libcrypto/man/BN_mod_inverse.3 stable/11/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 stable/11/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 stable/11/secure/lib/libcrypto/man/BN_new.3 stable/11/secure/lib/libcrypto/man/BN_num_bytes.3 stable/11/secure/lib/libcrypto/man/BN_rand.3 stable/11/secure/lib/libcrypto/man/BN_set_bit.3 stable/11/secure/lib/libcrypto/man/BN_swap.3 stable/11/secure/lib/libcrypto/man/BN_zero.3 stable/11/secure/lib/libcrypto/man/CMS_add0_cert.3 stable/11/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 stable/11/secure/lib/libcrypto/man/CMS_add1_signer.3 stable/11/secure/lib/libcrypto/man/CMS_compress.3 stable/11/secure/lib/libcrypto/man/CMS_decrypt.3 stable/11/secure/lib/libcrypto/man/CMS_encrypt.3 stable/11/secure/lib/libcrypto/man/CMS_final.3 stable/11/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 stable/11/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 stable/11/secure/lib/libcrypto/man/CMS_get0_type.3 stable/11/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 stable/11/secure/lib/libcrypto/man/CMS_sign.3 stable/11/secure/lib/libcrypto/man/CMS_sign_receipt.3 stable/11/secure/lib/libcrypto/man/CMS_uncompress.3 stable/11/secure/lib/libcrypto/man/CMS_verify.3 stable/11/secure/lib/libcrypto/man/CMS_verify_receipt.3 stable/11/secure/lib/libcrypto/man/CONF_modules_free.3 stable/11/secure/lib/libcrypto/man/CONF_modules_load_file.3 stable/11/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 stable/11/secure/lib/libcrypto/man/DH_generate_key.3 stable/11/secure/lib/libcrypto/man/DH_generate_parameters.3 stable/11/secure/lib/libcrypto/man/DH_get_ex_new_index.3 stable/11/secure/lib/libcrypto/man/DH_new.3 stable/11/secure/lib/libcrypto/man/DH_set_method.3 stable/11/secure/lib/libcrypto/man/DH_size.3 stable/11/secure/lib/libcrypto/man/DSA_SIG_new.3 stable/11/secure/lib/libcrypto/man/DSA_do_sign.3 stable/11/secure/lib/libcrypto/man/DSA_dup_DH.3 stable/11/secure/lib/libcrypto/man/DSA_generate_key.3 stable/11/secure/lib/libcrypto/man/DSA_generate_parameters.3 stable/11/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 stable/11/secure/lib/libcrypto/man/DSA_new.3 stable/11/secure/lib/libcrypto/man/DSA_set_method.3 stable/11/secure/lib/libcrypto/man/DSA_sign.3 stable/11/secure/lib/libcrypto/man/DSA_size.3 stable/11/secure/lib/libcrypto/man/EC_GFp_simple_method.3 stable/11/secure/lib/libcrypto/man/EC_GROUP_copy.3 stable/11/secure/lib/libcrypto/man/EC_GROUP_new.3 stable/11/secure/lib/libcrypto/man/EC_KEY_new.3 stable/11/secure/lib/libcrypto/man/EC_POINT_add.3 stable/11/secure/lib/libcrypto/man/EC_POINT_new.3 stable/11/secure/lib/libcrypto/man/ERR_GET_LIB.3 stable/11/secure/lib/libcrypto/man/ERR_clear_error.3 stable/11/secure/lib/libcrypto/man/ERR_error_string.3 stable/11/secure/lib/libcrypto/man/ERR_get_error.3 stable/11/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 stable/11/secure/lib/libcrypto/man/ERR_load_strings.3 stable/11/secure/lib/libcrypto/man/ERR_print_errors.3 stable/11/secure/lib/libcrypto/man/ERR_put_error.3 stable/11/secure/lib/libcrypto/man/ERR_remove_state.3 stable/11/secure/lib/libcrypto/man/ERR_set_mark.3 stable/11/secure/lib/libcrypto/man/EVP_BytesToKey.3 stable/11/secure/lib/libcrypto/man/EVP_DigestInit.3 stable/11/secure/lib/libcrypto/man/EVP_DigestSignInit.3 stable/11/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 stable/11/secure/lib/libcrypto/man/EVP_EncodeInit.3 stable/11/secure/lib/libcrypto/man/EVP_EncryptInit.3 stable/11/secure/lib/libcrypto/man/EVP_OpenInit.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_derive.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_meth_new.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_new.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_sign.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify.3 stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 stable/11/secure/lib/libcrypto/man/EVP_SealInit.3 stable/11/secure/lib/libcrypto/man/EVP_SignInit.3 stable/11/secure/lib/libcrypto/man/EVP_VerifyInit.3 stable/11/secure/lib/libcrypto/man/OBJ_nid2obj.3 stable/11/secure/lib/libcrypto/man/OPENSSL_Applink.3 stable/11/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 stable/11/secure/lib/libcrypto/man/OPENSSL_config.3 stable/11/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 stable/11/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3 stable/11/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 stable/11/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 stable/11/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 stable/11/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 stable/11/secure/lib/libcrypto/man/PKCS12_create.3 stable/11/secure/lib/libcrypto/man/PKCS12_parse.3 stable/11/secure/lib/libcrypto/man/PKCS7_decrypt.3 stable/11/secure/lib/libcrypto/man/PKCS7_encrypt.3 stable/11/secure/lib/libcrypto/man/PKCS7_sign.3 stable/11/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 stable/11/secure/lib/libcrypto/man/PKCS7_verify.3 stable/11/secure/lib/libcrypto/man/RAND_add.3 stable/11/secure/lib/libcrypto/man/RAND_bytes.3 stable/11/secure/lib/libcrypto/man/RAND_cleanup.3 stable/11/secure/lib/libcrypto/man/RAND_egd.3 stable/11/secure/lib/libcrypto/man/RAND_load_file.3 stable/11/secure/lib/libcrypto/man/RAND_set_rand_method.3 stable/11/secure/lib/libcrypto/man/RSA_blinding_on.3 stable/11/secure/lib/libcrypto/man/RSA_check_key.3 stable/11/secure/lib/libcrypto/man/RSA_generate_key.3 stable/11/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 stable/11/secure/lib/libcrypto/man/RSA_new.3 stable/11/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 stable/11/secure/lib/libcrypto/man/RSA_print.3 stable/11/secure/lib/libcrypto/man/RSA_private_encrypt.3 stable/11/secure/lib/libcrypto/man/RSA_public_encrypt.3 stable/11/secure/lib/libcrypto/man/RSA_set_method.3 stable/11/secure/lib/libcrypto/man/RSA_sign.3 stable/11/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 stable/11/secure/lib/libcrypto/man/RSA_size.3 stable/11/secure/lib/libcrypto/man/SMIME_read_CMS.3 stable/11/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 stable/11/secure/lib/libcrypto/man/SMIME_write_CMS.3 stable/11/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 stable/11/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 stable/11/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 stable/11/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 stable/11/secure/lib/libcrypto/man/X509_NAME_print_ex.3 stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 stable/11/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 stable/11/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 stable/11/secure/lib/libcrypto/man/X509_check_host.3 stable/11/secure/lib/libcrypto/man/X509_check_private_key.3 stable/11/secure/lib/libcrypto/man/X509_cmp_time.3 stable/11/secure/lib/libcrypto/man/X509_new.3 stable/11/secure/lib/libcrypto/man/X509_verify_cert.3 stable/11/secure/lib/libcrypto/man/bio.3 stable/11/secure/lib/libcrypto/man/blowfish.3 stable/11/secure/lib/libcrypto/man/bn.3 stable/11/secure/lib/libcrypto/man/bn_internal.3 stable/11/secure/lib/libcrypto/man/buffer.3 stable/11/secure/lib/libcrypto/man/crypto.3 stable/11/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 stable/11/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3 stable/11/secure/lib/libcrypto/man/d2i_DHparams.3 stable/11/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 stable/11/secure/lib/libcrypto/man/d2i_ECPKParameters.3 stable/11/secure/lib/libcrypto/man/d2i_ECPrivateKey.3 stable/11/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 stable/11/secure/lib/libcrypto/man/d2i_PrivateKey.3 stable/11/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 stable/11/secure/lib/libcrypto/man/d2i_X509.3 stable/11/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 stable/11/secure/lib/libcrypto/man/d2i_X509_CRL.3 stable/11/secure/lib/libcrypto/man/d2i_X509_NAME.3 stable/11/secure/lib/libcrypto/man/d2i_X509_REQ.3 stable/11/secure/lib/libcrypto/man/d2i_X509_SIG.3 stable/11/secure/lib/libcrypto/man/des.3 stable/11/secure/lib/libcrypto/man/dh.3 stable/11/secure/lib/libcrypto/man/dsa.3 stable/11/secure/lib/libcrypto/man/ec.3 stable/11/secure/lib/libcrypto/man/ecdsa.3 stable/11/secure/lib/libcrypto/man/engine.3 stable/11/secure/lib/libcrypto/man/err.3 stable/11/secure/lib/libcrypto/man/evp.3 stable/11/secure/lib/libcrypto/man/hmac.3 stable/11/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 stable/11/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 stable/11/secure/lib/libcrypto/man/lh_stats.3 stable/11/secure/lib/libcrypto/man/lhash.3 stable/11/secure/lib/libcrypto/man/md5.3 stable/11/secure/lib/libcrypto/man/mdc2.3 stable/11/secure/lib/libcrypto/man/pem.3 stable/11/secure/lib/libcrypto/man/rand.3 stable/11/secure/lib/libcrypto/man/rc4.3 stable/11/secure/lib/libcrypto/man/ripemd.3 stable/11/secure/lib/libcrypto/man/rsa.3 stable/11/secure/lib/libcrypto/man/sha.3 stable/11/secure/lib/libcrypto/man/threads.3 stable/11/secure/lib/libcrypto/man/ui.3 stable/11/secure/lib/libcrypto/man/ui_compat.3 stable/11/secure/lib/libcrypto/man/x509.3 stable/11/secure/lib/libssl/man/SSL_CIPHER_get_name.3 stable/11/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 stable/11/secure/lib/libssl/man/SSL_CONF_CTX_new.3 stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3 stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3 stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3 stable/11/secure/lib/libssl/man/SSL_CONF_cmd.3 stable/11/secure/lib/libssl/man/SSL_CONF_cmd_argv.3 stable/11/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3 stable/11/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 stable/11/secure/lib/libssl/man/SSL_CTX_add_session.3 stable/11/secure/lib/libssl/man/SSL_CTX_ctrl.3 stable/11/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 stable/11/secure/lib/libssl/man/SSL_CTX_free.3 stable/11/secure/lib/libssl/man/SSL_CTX_get0_param.3 stable/11/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 stable/11/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 stable/11/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 stable/11/secure/lib/libssl/man/SSL_CTX_new.3 stable/11/secure/lib/libssl/man/SSL_CTX_sess_number.3 stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_sessions.3 stable/11/secure/lib/libssl/man/SSL_CTX_set1_curves.3 stable/11/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_mode.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_options.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_timeout.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 stable/11/secure/lib/libssl/man/SSL_CTX_set_verify.3 stable/11/secure/lib/libssl/man/SSL_CTX_use_certificate.3 stable/11/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 stable/11/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3 stable/11/secure/lib/libssl/man/SSL_SESSION_free.3 stable/11/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 stable/11/secure/lib/libssl/man/SSL_SESSION_get_time.3 stable/11/secure/lib/libssl/man/SSL_accept.3 stable/11/secure/lib/libssl/man/SSL_alert_type_string.3 stable/11/secure/lib/libssl/man/SSL_check_chain.3 stable/11/secure/lib/libssl/man/SSL_clear.3 stable/11/secure/lib/libssl/man/SSL_connect.3 stable/11/secure/lib/libssl/man/SSL_do_handshake.3 stable/11/secure/lib/libssl/man/SSL_export_keying_material.3 stable/11/secure/lib/libssl/man/SSL_free.3 stable/11/secure/lib/libssl/man/SSL_get_SSL_CTX.3 stable/11/secure/lib/libssl/man/SSL_get_ciphers.3 stable/11/secure/lib/libssl/man/SSL_get_client_CA_list.3 stable/11/secure/lib/libssl/man/SSL_get_current_cipher.3 stable/11/secure/lib/libssl/man/SSL_get_default_timeout.3 stable/11/secure/lib/libssl/man/SSL_get_error.3 stable/11/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 stable/11/secure/lib/libssl/man/SSL_get_ex_new_index.3 stable/11/secure/lib/libssl/man/SSL_get_fd.3 stable/11/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 stable/11/secure/lib/libssl/man/SSL_get_peer_certificate.3 stable/11/secure/lib/libssl/man/SSL_get_psk_identity.3 stable/11/secure/lib/libssl/man/SSL_get_rbio.3 stable/11/secure/lib/libssl/man/SSL_get_session.3 stable/11/secure/lib/libssl/man/SSL_get_verify_result.3 stable/11/secure/lib/libssl/man/SSL_get_version.3 stable/11/secure/lib/libssl/man/SSL_library_init.3 stable/11/secure/lib/libssl/man/SSL_load_client_CA_file.3 stable/11/secure/lib/libssl/man/SSL_new.3 stable/11/secure/lib/libssl/man/SSL_pending.3 stable/11/secure/lib/libssl/man/SSL_read.3 stable/11/secure/lib/libssl/man/SSL_rstate_string.3 stable/11/secure/lib/libssl/man/SSL_session_reused.3 stable/11/secure/lib/libssl/man/SSL_set_bio.3 stable/11/secure/lib/libssl/man/SSL_set_connect_state.3 stable/11/secure/lib/libssl/man/SSL_set_fd.3 stable/11/secure/lib/libssl/man/SSL_set_session.3 stable/11/secure/lib/libssl/man/SSL_set_shutdown.3 stable/11/secure/lib/libssl/man/SSL_set_verify_result.3 stable/11/secure/lib/libssl/man/SSL_shutdown.3 stable/11/secure/lib/libssl/man/SSL_state_string.3 stable/11/secure/lib/libssl/man/SSL_want.3 stable/11/secure/lib/libssl/man/SSL_write.3 stable/11/secure/lib/libssl/man/d2i_SSL_SESSION.3 stable/11/secure/lib/libssl/man/ssl.3 stable/11/secure/usr.bin/openssl/man/CA.pl.1 stable/11/secure/usr.bin/openssl/man/asn1parse.1 stable/11/secure/usr.bin/openssl/man/ca.1 stable/11/secure/usr.bin/openssl/man/ciphers.1 stable/11/secure/usr.bin/openssl/man/cms.1 stable/11/secure/usr.bin/openssl/man/crl.1 stable/11/secure/usr.bin/openssl/man/crl2pkcs7.1 stable/11/secure/usr.bin/openssl/man/dgst.1 stable/11/secure/usr.bin/openssl/man/dhparam.1 stable/11/secure/usr.bin/openssl/man/dsa.1 stable/11/secure/usr.bin/openssl/man/dsaparam.1 stable/11/secure/usr.bin/openssl/man/ec.1 stable/11/secure/usr.bin/openssl/man/ecparam.1 stable/11/secure/usr.bin/openssl/man/enc.1 stable/11/secure/usr.bin/openssl/man/errstr.1 stable/11/secure/usr.bin/openssl/man/gendsa.1 stable/11/secure/usr.bin/openssl/man/genpkey.1 stable/11/secure/usr.bin/openssl/man/genrsa.1 stable/11/secure/usr.bin/openssl/man/nseq.1 stable/11/secure/usr.bin/openssl/man/ocsp.1 stable/11/secure/usr.bin/openssl/man/openssl.1 stable/11/secure/usr.bin/openssl/man/passwd.1 stable/11/secure/usr.bin/openssl/man/pkcs12.1 stable/11/secure/usr.bin/openssl/man/pkcs7.1 stable/11/secure/usr.bin/openssl/man/pkcs8.1 stable/11/secure/usr.bin/openssl/man/pkey.1 stable/11/secure/usr.bin/openssl/man/pkeyparam.1 stable/11/secure/usr.bin/openssl/man/pkeyutl.1 stable/11/secure/usr.bin/openssl/man/rand.1 stable/11/secure/usr.bin/openssl/man/req.1 stable/11/secure/usr.bin/openssl/man/rsa.1 stable/11/secure/usr.bin/openssl/man/rsautl.1 stable/11/secure/usr.bin/openssl/man/s_client.1 stable/11/secure/usr.bin/openssl/man/s_server.1 stable/11/secure/usr.bin/openssl/man/s_time.1 stable/11/secure/usr.bin/openssl/man/sess_id.1 stable/11/secure/usr.bin/openssl/man/smime.1 stable/11/secure/usr.bin/openssl/man/speed.1 stable/11/secure/usr.bin/openssl/man/spkac.1 stable/11/secure/usr.bin/openssl/man/ts.1 stable/11/secure/usr.bin/openssl/man/tsget.1 stable/11/secure/usr.bin/openssl/man/verify.1 stable/11/secure/usr.bin/openssl/man/version.1 stable/11/secure/usr.bin/openssl/man/x509.1 stable/11/secure/usr.bin/openssl/man/x509v3_config.1 Modified: stable/11/crypto/openssl/CHANGES ============================================================================== --- stable/11/crypto/openssl/CHANGES Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/CHANGES Wed May 29 00:00:52 2019 (r348343) @@ -7,6 +7,23 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.0.2r and 1.0.2s [28 May 2019] + + *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. + This changes the size when using the genpkey app when no size is given. It + fixes an omission in earlier changes that changed all RSA, DSA and DH + generation apps to use 2048 bits by default. + [Kurt Roeckx] + + *) Add FIPS support for Android Arm 64-bit + + Support for Android Arm 64-bit was added to the OpenSSL FIPS Object + Module in Version 2.0.10. For some reason, the corresponding target + 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be + built with FIPS support on Android Arm 64-bit. This omission has been + fixed. + [Matthias St. Pierre] + Changes between 1.0.2q and 1.0.2r [26 Feb 2019] *) 0-byte record padding oracle Modified: stable/11/crypto/openssl/Configure ============================================================================== --- stable/11/crypto/openssl/Configure Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/Configure Wed May 29 00:00:52 2019 (r348343) @@ -475,6 +475,7 @@ my %table=( "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"android64-aarch64","gcc:-mandroid -fPIC -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-pie%-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### *BSD [do see comment about ${BSDthreads} above!] "BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", Modified: stable/11/crypto/openssl/Makefile ============================================================================== --- stable/11/crypto/openssl/Makefile Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/Makefile Wed May 29 00:00:52 2019 (r348343) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2r +VERSION=1.0.2s MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -70,7 +70,7 @@ AR= ar $(ARFLAGS) r RANLIB= /usr/bin/ranlib RC= windres NM= nm -PERL= /usr/bin/perl +PERL= /usr/local/bin/perl TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG= gcc Modified: stable/11/crypto/openssl/README ============================================================================== --- stable/11/crypto/openssl/README Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/README Wed May 29 00:00:52 2019 (r348343) @@ -1,7 +1,7 @@ - OpenSSL 1.0.2r 26 Feb 2019 + OpenSSL 1.0.2s 28 May 2019 - Copyright (c) 1998-2018 The OpenSSL Project + Copyright (c) 1998-2019 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. Modified: stable/11/crypto/openssl/apps/CA.pl ============================================================================== --- stable/11/crypto/openssl/apps/CA.pl Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/apps/CA.pl Wed May 29 00:00:52 2019 (r348343) @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes Modified: stable/11/crypto/openssl/config ============================================================================== --- stable/11/crypto/openssl/config Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/config Wed May 29 00:00:52 2019 (r348343) @@ -871,6 +871,7 @@ case "$GUESSOS" in *-*-qnx6) OUT="QNX6" ;; x86-*-android|i?86-*-android) OUT="android-x86" ;; armv[7-9]*-*-android) OUT="android-armv7" ;; + aarch64-*-android) OUT="android64-aarch64" ;; *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;; esac Modified: stable/11/crypto/openssl/crypto/dh/dh_pmeth.c ============================================================================== --- stable/11/crypto/openssl/crypto/dh/dh_pmeth.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/dh/dh_pmeth.c Wed May 29 00:00:52 2019 (r348343) @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -101,7 +101,7 @@ static int pkey_dh_init(EVP_PKEY_CTX *ctx) dctx = OPENSSL_malloc(sizeof(DH_PKEY_CTX)); if (!dctx) return 0; - dctx->prime_len = 1024; + dctx->prime_len = 2048; dctx->subprime_len = -1; dctx->generator = 2; dctx->use_dsa = 0; Modified: stable/11/crypto/openssl/crypto/dsa/dsa_pmeth.c ============================================================================== --- stable/11/crypto/openssl/crypto/dsa/dsa_pmeth.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/dsa/dsa_pmeth.c Wed May 29 00:00:52 2019 (r348343) @@ -3,7 +3,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -69,8 +69,8 @@ typedef struct { /* Parameter gen parameters */ - int nbits; /* size of p in bits (default: 1024) */ - int qbits; /* size of q in bits (default: 160) */ + int nbits; /* size of p in bits (default: 2048) */ + int qbits; /* size of q in bits (default: 224) */ const EVP_MD *pmd; /* MD for parameter generation */ /* Keygen callback info */ int gentmp[2]; @@ -84,8 +84,8 @@ static int pkey_dsa_init(EVP_PKEY_CTX *ctx) dctx = OPENSSL_malloc(sizeof(DSA_PKEY_CTX)); if (!dctx) return 0; - dctx->nbits = 1024; - dctx->qbits = 160; + dctx->nbits = 2048; + dctx->qbits = 224; dctx->pmd = NULL; dctx->md = NULL; Modified: stable/11/crypto/openssl/crypto/ec/ec2_oct.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec2_oct.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/ec/ec2_oct.c Wed May 29 00:00:52 2019 (r348343) @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -299,7 +299,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC BN_CTX *ctx) { point_conversion_form_t form; - int y_bit; + int y_bit, m; BN_CTX *new_ctx = NULL; BIGNUM *x, *y, *yxi; size_t field_len, enc_len; @@ -332,7 +332,8 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC return EC_POINT_set_to_infinity(group, point); } - field_len = (EC_GROUP_get_degree(group) + 7) / 8; + m = EC_GROUP_get_degree(group); + field_len = (m + 7) / 8; enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len; @@ -357,7 +358,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC if (!BN_bin2bn(buf + 1, field_len, x)) goto err; - if (BN_ucmp(x, &group->field) >= 0) { + if (BN_num_bits(x) > m) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } @@ -369,7 +370,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC } else { if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err; - if (BN_ucmp(y, &group->field) >= 0) { + if (BN_num_bits(y) > m) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING); goto err; } @@ -382,14 +383,12 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC } } + /* + * EC_POINT_set_affine_coordinates_GF2m is responsible for checking that + * the point is on the curve. + */ if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err; - } - - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); - goto err; } ret = 1; Modified: stable/11/crypto/openssl/crypto/ec/ec_lib.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec_lib.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/ec/ec_lib.c Wed May 29 00:00:52 2019 (r348343) @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -872,7 +872,15 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, + EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #ifndef OPENSSL_NO_EC2M @@ -890,7 +898,15 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROU EC_R_INCOMPATIBLE_OBJECTS); return 0; } - return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); + if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) + return 0; + + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, + EC_R_POINT_IS_NOT_ON_CURVE); + return 0; + } + return 1; } #endif Modified: stable/11/crypto/openssl/crypto/ec/ec_mult.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ec_mult.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/ec/ec_mult.c Wed May 29 00:00:52 2019 (r348343) @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -519,7 +519,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_ ret = 1; err: - EC_POINT_free(s); + EC_POINT_clear_free(s); BN_CTX_end(ctx); BN_CTX_free(new_ctx); Modified: stable/11/crypto/openssl/crypto/ec/ecp_nistp521.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ecp_nistp521.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/ec/ecp_nistp521.c Wed May 29 00:00:52 2019 (r348343) @@ -356,10 +356,15 @@ static void felem_diff64(felem out, const felem in) static void felem_diff_128_64(largefelem out, const felem in) { /* - * In order to prevent underflow, we add 0 mod p before subtracting. + * In order to prevent underflow, we add 64p mod p (which is equivalent + * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521 + * digit number with all bits set to 1. See "The representation of field + * elements" comment above for a description of how limbs are used to + * represent a number. 64p is represented with 8 limbs containing a number + * with 58 bits set and one limb with a number with 57 bits set. */ - static const limb two63m6 = (((limb) 1) << 62) - (((limb) 1) << 5); - static const limb two63m5 = (((limb) 1) << 62) - (((limb) 1) << 4); + static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6); + static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5); out[0] += two63m6 - in[0]; out[1] += two63m5 - in[1]; Modified: stable/11/crypto/openssl/crypto/ec/ecp_oct.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ecp_oct.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/ec/ecp_oct.c Wed May 29 00:00:52 2019 (r348343) @@ -5,7 +5,7 @@ * OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -408,14 +408,12 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_ } } + /* + * EC_POINT_set_affine_coordinates_GFp is responsible for checking that + * the point is on the curve. + */ if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err; - } - - /* test required by X9.62 */ - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); - goto err; } ret = 1; Modified: stable/11/crypto/openssl/crypto/ec/ectest.c ============================================================================== --- stable/11/crypto/openssl/crypto/ec/ectest.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/ec/ectest.c Wed May 29 00:00:52 2019 (r348343) @@ -3,7 +3,7 @@ * Originally written by Bodo Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -325,7 +325,7 @@ static void prime_field_tests(void) EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL; EC_POINT *P, *Q, *R; - BIGNUM *x, *y, *z; + BIGNUM *x, *y, *z, *yplusone; unsigned char buf[100]; size_t i, len; int k; @@ -405,7 +405,8 @@ static void prime_field_tests(void) x = BN_new(); y = BN_new(); z = BN_new(); - if (!x || !y || !z) + yplusone = BN_new(); + if (x == NULL || y == NULL || z == NULL || yplusone == NULL) ABORT; if (!BN_hex2bn(&x, "D")) @@ -542,6 +543,14 @@ static void prime_field_tests(void) ABORT; if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; if (EC_POINT_is_on_curve(group, P, ctx) <= 0) @@ -613,6 +622,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 192) ABORT; @@ -668,6 +686,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 224) ABORT; @@ -728,6 +755,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 256) ABORT; @@ -783,6 +819,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 384) ABORT; @@ -844,6 +889,15 @@ static void prime_field_tests(void) if (0 != BN_cmp(y, z)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx)) + ABORT; + fprintf(stdout, "verify degree ..."); if (EC_GROUP_get_degree(group) != 521) ABORT; @@ -858,6 +912,10 @@ static void prime_field_tests(void) /* more tests using the last curve */ + /* Restore the point that got mangled in the (x, y + 1) test. */ + if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) + ABORT; + if (!EC_POINT_copy(Q, P)) ABORT; if (EC_POINT_is_at_infinity(group, Q)) @@ -987,6 +1045,7 @@ static void prime_field_tests(void) BN_free(x); BN_free(y); BN_free(z); + BN_free(yplusone); if (P_160) EC_GROUP_free(P_160); @@ -1007,6 +1066,13 @@ static void prime_field_tests(void) # ifdef OPENSSL_EC_BIN_PT_COMP # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ if (!BN_hex2bn(&x, _x)) ABORT; \ + if (!BN_hex2bn(&y, _y)) ABORT; \ + if (!BN_add(yplusone, y, BN_value_one())) ABORT; \ + /* \ + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \ + * and therefore setting the coordinates should fail. \ + */ \ + if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \ if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \ if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ if (!BN_hex2bn(&z, _order)) ABORT; \ @@ -1025,6 +1091,12 @@ static void prime_field_tests(void) # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ if (!BN_hex2bn(&x, _x)) ABORT; \ if (!BN_hex2bn(&y, _y)) ABORT; \ + if (!BN_add(yplusone, y, BN_value_one())) ABORT; \ + /* \ + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \ + * and therefore setting the coordinates should fail. \ + */ \ + if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \ if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \ if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ if (!BN_hex2bn(&z, _order)) ABORT; \ @@ -1062,7 +1134,7 @@ static void char2_field_tests(void) EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 = NULL, *C2_B571 = NULL; EC_POINT *P, *Q, *R; - BIGNUM *x, *y, *z, *cof; + BIGNUM *x, *y, *z, *cof, *yplusone; unsigned char buf[100]; size_t i, len; int k; @@ -1076,7 +1148,7 @@ static void char2_field_tests(void) p = BN_new(); a = BN_new(); b = BN_new(); - if (!p || !a || !b) + if (p == NULL || a == NULL || b == NULL) ABORT; if (!BN_hex2bn(&p, "13")) @@ -1142,7 +1214,8 @@ static void char2_field_tests(void) y = BN_new(); z = BN_new(); cof = BN_new(); - if (!x || !y || !z || !cof) + yplusone = BN_new(); + if (x == NULL || y == NULL || z == NULL || cof == NULL || yplusone == NULL) ABORT; if (!BN_hex2bn(&x, "6")) @@ -1504,6 +1577,7 @@ static void char2_field_tests(void) BN_free(y); BN_free(z); BN_free(cof); + BN_free(yplusone); if (C2_K163) EC_GROUP_free(C2_K163); @@ -1672,7 +1746,7 @@ static const struct nistp_test_params nistp_tests_para static void nistp_single_test(const struct nistp_test_params *test) { BN_CTX *ctx; - BIGNUM *p, *a, *b, *x, *y, *n, *m, *order; + BIGNUM *p, *a, *b, *x, *y, *n, *m, *order, *yplusone; EC_GROUP *NISTP; EC_POINT *G, *P, *Q, *Q_CHECK; @@ -1687,6 +1761,7 @@ static void nistp_single_test(const struct nistp_test_ m = BN_new(); n = BN_new(); order = BN_new(); + yplusone = BN_new(); NISTP = EC_GROUP_new(test->meth()); if (!NISTP) @@ -1709,6 +1784,14 @@ static void nistp_single_test(const struct nistp_test_ ABORT; if (!BN_hex2bn(&y, test->Qy)) ABORT; + if (!BN_add(yplusone, y, BN_value_one())) + ABORT; + /* + * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, + * and therefore setting the coordinates should fail. + */ + if (EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, yplusone, ctx)) + ABORT; if (!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) ABORT; if (!BN_hex2bn(&x, test->Gx)) @@ -1811,6 +1894,7 @@ static void nistp_single_test(const struct nistp_test_ BN_free(x); BN_free(y); BN_free(order); + BN_free(yplusone); BN_CTX_free(ctx); } Modified: stable/11/crypto/openssl/crypto/ecdh/ech_ossl.c ============================================================================== --- stable/11/crypto/openssl/crypto/ecdh/ech_ossl.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/ecdh/ech_ossl.c Wed May 29 00:00:52 2019 (r348343) @@ -14,7 +14,7 @@ * */ /* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -207,7 +207,7 @@ static int ecdh_compute_key(void *out, size_t outlen, err: if (tmp) - EC_POINT_free(tmp); + EC_POINT_clear_free(tmp); if (ctx) BN_CTX_end(ctx); if (ctx) Modified: stable/11/crypto/openssl/crypto/err/err.c ============================================================================== --- stable/11/crypto/openssl/crypto/err/err.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/err/err.c Wed May 29 00:00:52 2019 (r348343) @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -827,8 +827,24 @@ static unsigned long get_error_values(int inc, int top return ERR_R_INTERNAL_ERROR; } + while (es->bottom != es->top) { + if (es->err_flags[es->top] & ERR_FLAG_CLEAR) { + err_clear(es, es->top); + es->top = es->top > 0 ? es->top - 1 : ERR_NUM_ERRORS - 1; + continue; + } + i = (es->bottom + 1) % ERR_NUM_ERRORS; + if (es->err_flags[i] & ERR_FLAG_CLEAR) { + es->bottom = i; + err_clear(es, es->bottom); + continue; + } + break; + } + if (es->bottom == es->top) return 0; + if (top) i = es->top; /* last error */ else @@ -1158,23 +1174,6 @@ int ERR_pop_to_mark(void) return 1; } -#ifdef UINTPTR_T -# undef UINTPTR_T -#endif -/* - * uintptr_t is the answer, but unformtunately we can't assume that all - * compilers supported by 1.0.2 have it :-( - */ -#if defined(OPENSSL_SYS_VMS) && __INITIAL_POINTER_SIZE==64 -/* - * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4 - * even in 64-bit builds, which means that it won't work as mask. - */ -# define UINTPTR_T unsigned long long -#else -# define UINTPTR_T size_t -#endif - void err_clear_last_constant_time(int clear) { ERR_STATE *es; @@ -1186,11 +1185,11 @@ void err_clear_last_constant_time(int clear) top = es->top; - es->err_flags[top] &= ~(0 - clear); - es->err_buffer[top] &= ~(0UL - clear); - es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] & - ~((UINTPTR_T)0 - clear)); - es->err_line[top] |= 0 - clear; - - es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; + /* + * Flag error as cleared but remove it elsewhere to avoid two errors + * accessing the same error stack location, revealing timing information. + */ + clear = constant_time_select_int(constant_time_eq_int(clear, 0), + 0, ERR_FLAG_CLEAR); + es->err_flags[top] |= clear; } Modified: stable/11/crypto/openssl/crypto/err/err.h ============================================================================== --- stable/11/crypto/openssl/crypto/err/err.h Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/err/err.h Wed May 29 00:00:52 2019 (r348343) @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -143,6 +143,7 @@ extern "C" { # define ERR_TXT_STRING 0x02 # define ERR_FLAG_MARK 0x01 +# define ERR_FLAG_CLEAR 0x02 # define ERR_NUM_ERRORS 16 typedef struct err_state_st { Modified: stable/11/crypto/openssl/crypto/opensslv.h ============================================================================== --- stable/11/crypto/openssl/crypto/opensslv.h Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/opensslv.h Wed May 29 00:00:52 2019 (r348343) @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000212fL +# define OPENSSL_VERSION_NUMBER 0x1000213fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-fips 26 Feb 2019" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s-fips 28 May 2019" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-freebsd 26 Feb 2019" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s-freebsd 28 May 2019" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT Modified: stable/11/crypto/openssl/crypto/rsa/rsa_eay.c ============================================================================== --- stable/11/crypto/openssl/crypto/rsa/rsa_eay.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/rsa/rsa_eay.c Wed May 29 00:00:52 2019 (r348343) @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -589,7 +589,7 @@ static int RSA_eay_private_decrypt(int flen, const uns goto err; } RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED); - err_clear_last_constant_time(r >= 0); + err_clear_last_constant_time(1 & ~constant_time_msb(r)); err: if (ctx != NULL) { Modified: stable/11/crypto/openssl/crypto/rsa/rsa_oaep.c ============================================================================== --- stable/11/crypto/openssl/crypto/rsa/rsa_oaep.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/rsa/rsa_oaep.c Wed May 29 00:00:52 2019 (r348343) @@ -144,7 +144,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t * |num| is the length of the modulus; |flen| is the length of the * encoded message. Therefore, for any |from| that was obtained by * decrypting a ciphertext, we must have |flen| <= |num|. Similarly, - * num < 2 * mdlen + 2 must hold for the modulus irrespective of + * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective of * the ciphertext, see PKCS #1 v2.2, section 7.1.2. * This does not leak any side-channel information. */ @@ -180,17 +180,16 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t from -= 1 & mask; *--em = *from & mask; } - from = em; /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ - good = constant_time_is_zero(from[0]); + good = constant_time_is_zero(em[0]); - maskedseed = from + 1; - maskeddb = from + 1 + mdlen; + maskedseed = em + 1; + maskeddb = em + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) goto cleanup; @@ -231,29 +230,30 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *t mlen = dblen - msg_index; /* - * For good measure, do this check in constant tine as well. + * For good measure, do this check in constant time as well. */ good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); - msg_index = constant_time_select_int(good, msg_index, dblen - tlen); - mlen = dblen - msg_index; - for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= dblen & equals; /* if (i == dblen) rewind */ - mask &= mask ^ equals; /* if (i == dblen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen), + dblen - mdlen - 1, tlen); + for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0); + for (i = mdlen + 1; i < dblen - msg_index; i++) + db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]); } /* Modified: stable/11/crypto/openssl/crypto/rsa/rsa_pk1.c ============================================================================== --- stable/11/crypto/openssl/crypto/rsa/rsa_pk1.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/rsa/rsa_pk1.c Wed May 29 00:00:52 2019 (r348343) @@ -241,15 +241,14 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); /* scan over padding data */ found_zero_byte = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -257,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -276,24 +275,25 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, good &= constant_time_ge(tlen, mlen); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); - msg_index = constant_time_select_int(good, msg_index, num - tlen); - mlen = num - msg_index; - for (from += msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= tlen & equals; /* if (i == mlen) rewind */ - mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), + num - 11, tlen); + for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); + for (i = 11; i < num - msg_index; i++) + em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]); + } + for (i = 0; i < tlen; i++) { + mask = good & constant_time_lt(i, mlen); + to[i] = constant_time_select_8(mask, em[i + 11], to[i]); } OPENSSL_cleanse(em, num); Modified: stable/11/crypto/openssl/crypto/rsa/rsa_pmeth.c ============================================================================== --- stable/11/crypto/openssl/crypto/rsa/rsa_pmeth.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/rsa/rsa_pmeth.c Wed May 29 00:00:52 2019 (r348343) @@ -4,7 +4,7 @@ * 2006. */ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2006-2019 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -103,7 +103,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); if (!rctx) return 0; - rctx->nbits = 1024; + rctx->nbits = 2048; rctx->pub_exp = NULL; rctx->pad_mode = RSA_PKCS1_PADDING; rctx->md = NULL; Modified: stable/11/crypto/openssl/crypto/rsa/rsa_ssl.c ============================================================================== --- stable/11/crypto/openssl/crypto/rsa/rsa_ssl.c Tue May 28 22:22:40 2019 (r348342) +++ stable/11/crypto/openssl/crypto/rsa/rsa_ssl.c Wed May 29 00:00:52 2019 (r348343) @@ -104,7 +104,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding - * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also + * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also * preserves error code reporting for backward compatibility. */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, @@ -116,7 +116,10 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl unsigned int good, found_zero_byte, mask, threes_in_row; int zero_index = 0, msg_index, mlen = -1, err; - if (flen < 10) { + if (tlen <= 0 || flen <= 0) + return -1; + + if (flen > num || num < 11) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return (-1); } @@ -138,10 +141,9 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl from -= 1 & mask; *--em = *from & mask; } - from = em; - good = constant_time_is_zero(from[0]); - good &= constant_time_eq(from[1], 2); + good = constant_time_is_zero(em[0]); + good &= constant_time_eq(em[1], 2); err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02); mask = ~good; @@ -149,18 +151,18 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl found_zero_byte = 0; threes_in_row = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(from[i]); + unsigned int equals0 = constant_time_is_zero(em[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); found_zero_byte |= equals0; threes_in_row += 1 & ~found_zero_byte; - threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3); + threes_in_row &= found_zero_byte | constant_time_eq(em[i], 3); } /* - * PS must be at least 8 bytes long, and it starts two bytes into |from|. + * PS must be at least 8 bytes long, and it starts two bytes into |em|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -169,7 +171,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl RSA_R_NULL_BEFORE_BLOCK_MISSING); mask = ~good; - good &= constant_time_lt(threes_in_row, 8); + good &= constant_time_ge(threes_in_row, 8); err = constant_time_select_int(mask | good, err, RSA_R_SSLV3_ROLLBACK_ATTACK); mask = ~good; @@ -188,24 +190,25 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tl err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE); /* - * Even though we can't fake result's length, we can pretend copying - * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num| - * bytes are viewed as circular buffer with start at |tlen|-|mlen'|, - * where |mlen'| is "saturated" |mlen| value. Deducing information - * about failure or |mlen| would take attacker's ability to observe - * memory access pattern with byte granularity *as it occurs*. It - * should be noted that failure is indistinguishable from normal - * operation if |tlen| is fixed by protocol. + * Move the result in-place by |num|-11-|mlen| bytes to the left. + * Then if |good| move |mlen| bytes from |em|+11 to |to|. + * Otherwise leave |to| unchanged. + * Copy the memory back in a way that does not reveal the size of + * the data being copied via a timing side channel. This requires copying + * parts of the buffer multiple times based on the bits set in the real + * length. Clear bits do a non-copy with identical access pattern. + * The loop below has overall complexity of O(N*log(N)). */ - tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen); - msg_index = constant_time_select_int(good, msg_index, num - tlen); - mlen = num - msg_index; - for (from += msg_index, mask = good, i = 0; i < tlen; i++) { - unsigned int equals = constant_time_eq(i, mlen); - - from -= tlen & equals; /* if (i == mlen) rewind */ - mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ - to[i] = constant_time_select_8(mask, from[i], to[i]); + tlen = constant_time_select_int(constant_time_lt(num - 11, tlen), + num - 11, tlen); + for (msg_index = 1; msg_index < num - 11; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (num - 11 - mlen), 0); + for (i = 11; i < num - msg_index; i++) *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-stable-11@freebsd.org Wed May 29 14:28:15 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 44DFE15C4460; Wed, 29 May 2019 14:28:15 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DEF326EC96; Wed, 29 May 2019 14:28:14 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id AD5142E47; Wed, 29 May 2019 14:28:14 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4TESE3I034505; Wed, 29 May 2019 14:28:14 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4TESEN9034503; Wed, 29 May 2019 14:28:14 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201905291428.x4TESEN9034503@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f From: Konstantin Belousov Date: Wed, 29 May 2019 14:28:14 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348362 - in stable/11/sys: amd64/amd64 i386/i386 x86/x86 X-SVN-Group: stable-11 X-SVN-Commit-Author: kib X-SVN-Commit-Paths: in stable/11/sys: amd64/amd64 i386/i386 x86/x86 X-SVN-Commit-Revision: 348362 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: DEF326EC96 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.96)[-0.958,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 May 2019 14:28:15 -0000 Author: kib Date: Wed May 29 14:28:13 2019 New Revision: 348362 URL: https://svnweb.freebsd.org/changeset/base/348362 Log: MFC r348075: Do not call hw_mds_recalculate() from initializecpu(). Approved by: re (gjb) Modified: stable/11/sys/amd64/amd64/initcpu.c stable/11/sys/i386/i386/initcpu.c stable/11/sys/x86/x86/cpu_machdep.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/amd64/amd64/initcpu.c ============================================================================== --- stable/11/sys/amd64/amd64/initcpu.c Wed May 29 14:26:35 2019 (r348361) +++ stable/11/sys/amd64/amd64/initcpu.c Wed May 29 14:28:13 2019 (r348362) @@ -247,7 +247,6 @@ initializecpu(void) } hw_ibrs_recalculate(); hw_ssb_recalculate(false); - hw_mds_recalculate(); switch (cpu_vendor_id) { case CPU_VENDOR_AMD: init_amd(); Modified: stable/11/sys/i386/i386/initcpu.c ============================================================================== --- stable/11/sys/i386/i386/initcpu.c Wed May 29 14:26:35 2019 (r348361) +++ stable/11/sys/i386/i386/initcpu.c Wed May 29 14:28:13 2019 (r348362) @@ -769,7 +769,6 @@ initializecpu(void) elf32_nxstack = 1; } #endif - hw_mds_recalculate(); if ((amd_feature & AMDID_RDTSCP) != 0 || (cpu_stdext_feature2 & CPUID_STDEXT2_RDPID) != 0) wrmsr(MSR_TSC_AUX, PCPU_GET(cpuid)); Modified: stable/11/sys/x86/x86/cpu_machdep.c ============================================================================== --- stable/11/sys/x86/x86/cpu_machdep.c Wed May 29 14:26:35 2019 (r348361) +++ stable/11/sys/x86/x86/cpu_machdep.c Wed May 29 14:28:13 2019 (r348362) @@ -1118,6 +1118,14 @@ hw_mds_recalculate(void) } } +static void +hw_mds_recalculate_boot(void *arg __unused) +{ + + hw_mds_recalculate(); +} +SYSINIT(mds_recalc, SI_SUB_SMP, SI_ORDER_ANY, hw_mds_recalculate_boot, NULL); + static int sysctl_mds_disable_handler(SYSCTL_HANDLER_ARGS) { From owner-svn-src-stable-11@freebsd.org Wed May 29 18:32:45 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CF4F615A9D7F; Wed, 29 May 2019 18:32:44 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 72E8480B36; Wed, 29 May 2019 18:32:44 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 46F9F5AE1; Wed, 29 May 2019 18:32:44 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4TIWirb066333; Wed, 29 May 2019 18:32:44 GMT (envelope-from dim@FreeBSD.org) Received: (from dim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4TIWiMO066332; Wed, 29 May 2019 18:32:44 GMT (envelope-from dim@FreeBSD.org) Message-Id: <201905291832.x4TIWiMO066332@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dim set sender to dim@FreeBSD.org using -f From: Dimitry Andric Date: Wed, 29 May 2019 18:32:44 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348368 - stable/11/contrib/llvm/lib/CodeGen/SelectionDAG X-SVN-Group: stable-11 X-SVN-Commit-Author: dim X-SVN-Commit-Paths: stable/11/contrib/llvm/lib/CodeGen/SelectionDAG X-SVN-Commit-Revision: 348368 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 72E8480B36 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.95)[-0.951,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 May 2019 18:32:45 -0000 Author: dim Date: Wed May 29 18:32:43 2019 New Revision: 348368 URL: https://svnweb.freebsd.org/changeset/base/348368 Log: MFC r348288: Pull in r361696 from upstream llvm trunk (by Sanjay Patel): [SelectionDAG] soften assertion when legalizing narrow vector FP ops The test based on PR42010: https://bugs.llvm.org/show_bug.cgi?id=42010 ...may show an inaccuracy for PPC's target defs, but we should not be so aggressive with an assert here. There's no telling what out-of-tree targets look like. This fixes an assertion when building the graphics/mesa-dri port for PowerPC64. Approved by: re (kib) Reported by: Mark Millard PR: 238082 Modified: stable/11/contrib/llvm/lib/CodeGen/SelectionDAG/LegalizeVectorTypes.cpp Directory Properties: stable/11/ (props changed) Modified: stable/11/contrib/llvm/lib/CodeGen/SelectionDAG/LegalizeVectorTypes.cpp ============================================================================== --- stable/11/contrib/llvm/lib/CodeGen/SelectionDAG/LegalizeVectorTypes.cpp Wed May 29 18:23:18 2019 (r348367) +++ stable/11/contrib/llvm/lib/CodeGen/SelectionDAG/LegalizeVectorTypes.cpp Wed May 29 18:32:43 2019 (r348368) @@ -2523,13 +2523,11 @@ void DAGTypeLegalizer::WidenVectorResult(SDNode *N, un // We're going to widen this vector op to a legal type by padding with undef // elements. If the wide vector op is eventually going to be expanded to // scalar libcalls, then unroll into scalar ops now to avoid unnecessary - // libcalls on the undef elements. We are assuming that if the scalar op - // requires expanding, then the vector op needs expanding too. + // libcalls on the undef elements. EVT VT = N->getValueType(0); - if (TLI.isOperationExpand(N->getOpcode(), VT.getScalarType())) { - EVT WideVecVT = TLI.getTypeToTransformTo(*DAG.getContext(), VT); - assert(!TLI.isOperationLegalOrCustom(N->getOpcode(), WideVecVT) && - "Target supports vector op, but scalar requires expansion?"); + EVT WideVecVT = TLI.getTypeToTransformTo(*DAG.getContext(), VT); + if (!TLI.isOperationLegalOrCustom(N->getOpcode(), WideVecVT) && + TLI.isOperationExpand(N->getOpcode(), VT.getScalarType())) { Res = DAG.UnrollVectorOp(N, WideVecVT.getVectorNumElements()); break; } From owner-svn-src-stable-11@freebsd.org Wed May 29 19:11:10 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 86F8015AAD6D; Wed, 29 May 2019 19:11:10 +0000 (UTC) (envelope-from cy@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 263258322B; Wed, 29 May 2019 19:11:10 +0000 (UTC) (envelope-from cy@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id EB4A6612D; Wed, 29 May 2019 19:11:09 +0000 (UTC) (envelope-from cy@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4TJB9rW086691; Wed, 29 May 2019 19:11:09 GMT (envelope-from cy@FreeBSD.org) Received: (from cy@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4TJB9Ea086690; Wed, 29 May 2019 19:11:09 GMT (envelope-from cy@FreeBSD.org) Message-Id: <201905291911.x4TJB9Ea086690@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: cy set sender to cy@FreeBSD.org using -f From: Cy Schubert Date: Wed, 29 May 2019 19:11:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348369 - stable/11/contrib/wpa/wpa_supplicant X-SVN-Group: stable-11 X-SVN-Commit-Author: cy X-SVN-Commit-Paths: stable/11/contrib/wpa/wpa_supplicant X-SVN-Commit-Revision: 348369 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 263258322B X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.96)[-0.965,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 May 2019 19:11:10 -0000 Author: cy Date: Wed May 29 19:11:09 2019 New Revision: 348369 URL: https://svnweb.freebsd.org/changeset/base/348369 Log: MFC r347642: The driver list prints "(null)" for the NDIS driver when -h (help) or an unknown switch is passed outputting the command usage. This is because the NDIS driver is uninitialized when usage help is printed. To resolve this we initialize the driver prior to the possibility of printing the usage help message. Approved by: re (gjb@) Modified: stable/11/contrib/wpa/wpa_supplicant/main.c stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant.c Directory Properties: stable/11/ (props changed) Modified: stable/11/contrib/wpa/wpa_supplicant/main.c ============================================================================== --- stable/11/contrib/wpa/wpa_supplicant/main.c Wed May 29 18:32:43 2019 (r348368) +++ stable/11/contrib/wpa/wpa_supplicant/main.c Wed May 29 19:11:09 2019 (r348369) @@ -199,6 +199,11 @@ int main(int argc, char *argv[]) wpa_supplicant_fd_workaround(1); +#ifdef CONFIG_DRIVER_NDIS + void driver_ndis_init_ops(void); + driver_ndis_init_ops(); +#endif /* CONFIG_DRIVER_NDIS */ + for (;;) { c = getopt(argc, argv, "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvW"); Modified: stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant.c ============================================================================== --- stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant.c Wed May 29 18:32:43 2019 (r348368) +++ stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant.c Wed May 29 19:11:09 2019 (r348369) @@ -6357,13 +6357,6 @@ struct wpa_global * wpa_supplicant_init(struct wpa_par if (params == NULL) return NULL; -#ifdef CONFIG_DRIVER_NDIS - { - void driver_ndis_init_ops(void); - driver_ndis_init_ops(); - } -#endif /* CONFIG_DRIVER_NDIS */ - #ifndef CONFIG_NO_WPA_MSG wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb); #endif /* CONFIG_NO_WPA_MSG */ From owner-svn-src-stable-11@freebsd.org Wed May 29 20:45:32 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 551EA15ACD31; Wed, 29 May 2019 20:45:32 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EB290866FF; Wed, 29 May 2019 20:45:31 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D89B070A9; Wed, 29 May 2019 20:45:31 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4TKjVaO040849; Wed, 29 May 2019 20:45:31 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4TKjVVZ040848; Wed, 29 May 2019 20:45:31 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <201905292045.x4TKjVVZ040848@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Wed, 29 May 2019 20:45:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348371 - stable/11/usr.sbin/bhyve X-SVN-Group: stable-11 X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: stable/11/usr.sbin/bhyve X-SVN-Commit-Revision: 348371 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: EB290866FF X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.98)[-0.977,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 May 2019 20:45:32 -0000 Author: jhb Date: Wed May 29 20:45:31 2019 New Revision: 348371 URL: https://svnweb.freebsd.org/changeset/base/348371 Log: MFC 345158: Fix uart emulation bug THRE is always asserted in LSR reads, so REG_IER writes that raise IER_ETXRDY must also set thre_int_pending. Approved by: re (gjb) Modified: stable/11/usr.sbin/bhyve/uart_emul.c Directory Properties: stable/11/ (props changed) Modified: stable/11/usr.sbin/bhyve/uart_emul.c ============================================================================== --- stable/11/usr.sbin/bhyve/uart_emul.c Wed May 29 20:34:35 2019 (r348370) +++ stable/11/usr.sbin/bhyve/uart_emul.c Wed May 29 20:45:31 2019 (r348371) @@ -430,6 +430,9 @@ uart_write(struct uart_softc *sc, int offset, uint8_t sc->thre_int_pending = true; break; case REG_IER: + /* Set pending when IER_ETXRDY is raised (edge-triggered). */ + if ((sc->ier & IER_ETXRDY) == 0 && (value & IER_ETXRDY) != 0) + sc->thre_int_pending = true; /* * Apply mask so that bits 4-7 are 0 * Also enables bits 0-3 only if they're 1 From owner-svn-src-stable-11@freebsd.org Wed May 29 23:11:08 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 76D9415B04E7; Wed, 29 May 2019 23:11:08 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 40A978C10A; Wed, 29 May 2019 23:11:08 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1DFE08866; Wed, 29 May 2019 23:11:08 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4TNB72u016002; Wed, 29 May 2019 23:11:07 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4TNB7Vf016000; Wed, 29 May 2019 23:11:07 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <201905292311.x4TNB7Vf016000@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Wed, 29 May 2019 23:11:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348375 - stable/11/usr.sbin/bhyve X-SVN-Group: stable-11 X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: stable/11/usr.sbin/bhyve X-SVN-Commit-Revision: 348375 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 40A978C10A X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.95)[-0.951,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 May 2019 23:11:08 -0000 Author: jhb Date: Wed May 29 23:11:07 2019 New Revision: 348375 URL: https://svnweb.freebsd.org/changeset/base/348375 Log: MFC 347033: Increase the VirtIO segment count to support modern Windows guests. The Windows virtio driver ignores the advertized seg_max field and assumes the host can accept up to 67 segments in indirect descriptors, triggering an assert in the bhyve process. This brings back r282922 but with a couple of changes: - It raises the block interface segment limit to 128 instead of 67. - Linux's virtio driver assumes that the segment limit is no larger than the ring size. To avoid breaking Linux guests, raise the VirtIO ring size to 128, and cap the VirtIO segment limit at ring size - 2 (effectively 126). Approved by: re (gjb) Modified: stable/11/usr.sbin/bhyve/block_if.c stable/11/usr.sbin/bhyve/block_if.h stable/11/usr.sbin/bhyve/pci_virtio_block.c Directory Properties: stable/11/ (props changed) Modified: stable/11/usr.sbin/bhyve/block_if.c ============================================================================== --- stable/11/usr.sbin/bhyve/block_if.c Wed May 29 23:05:26 2019 (r348374) +++ stable/11/usr.sbin/bhyve/block_if.c Wed May 29 23:11:07 2019 (r348375) @@ -62,7 +62,7 @@ __FBSDID("$FreeBSD$"); #define BLOCKIF_SIG 0xb109b109 #define BLOCKIF_NUMTHR 8 -#define BLOCKIF_MAXREQ (64 + BLOCKIF_NUMTHR) +#define BLOCKIF_MAXREQ (BLOCKIF_RING_MAX + BLOCKIF_NUMTHR) enum blockop { BOP_READ, Modified: stable/11/usr.sbin/bhyve/block_if.h ============================================================================== --- stable/11/usr.sbin/bhyve/block_if.h Wed May 29 23:05:26 2019 (r348374) +++ stable/11/usr.sbin/bhyve/block_if.h Wed May 29 23:11:07 2019 (r348375) @@ -41,7 +41,13 @@ #include #include -#define BLOCKIF_IOV_MAX 33 /* not practical to be IOV_MAX */ +/* + * BLOCKIF_IOV_MAX is the maximum number of scatter/gather entries in + * a single request. BLOCKIF_RING_MAX is the maxmimum number of + * pending requests that can be queued. + */ +#define BLOCKIF_IOV_MAX 128 /* not practical to be IOV_MAX */ +#define BLOCKIF_RING_MAX 128 struct blockif_req { struct iovec br_iov[BLOCKIF_IOV_MAX]; Modified: stable/11/usr.sbin/bhyve/pci_virtio_block.c ============================================================================== --- stable/11/usr.sbin/bhyve/pci_virtio_block.c Wed May 29 23:05:26 2019 (r348374) +++ stable/11/usr.sbin/bhyve/pci_virtio_block.c Wed May 29 23:11:07 2019 (r348375) @@ -3,6 +3,7 @@ * * Copyright (c) 2011 NetApp, Inc. * All rights reserved. + * Copyright (c) 2019 Joyent, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -55,8 +56,10 @@ __FBSDID("$FreeBSD$"); #include "virtio.h" #include "block_if.h" -#define VTBLK_RINGSZ 64 +#define VTBLK_RINGSZ 128 +_Static_assert(VTBLK_RINGSZ <= BLOCKIF_RING_MAX, "Each ring entry must be able to queue a request"); + #define VTBLK_S_OK 0 #define VTBLK_S_IOERR 1 #define VTBLK_S_UNSUPP 2 @@ -351,7 +354,15 @@ pci_vtblk_init(struct vmctx *ctx, struct pci_devinst * /* setup virtio block config space */ sc->vbsc_cfg.vbc_capacity = size / DEV_BSIZE; /* 512-byte units */ sc->vbsc_cfg.vbc_size_max = 0; /* not negotiated */ - sc->vbsc_cfg.vbc_seg_max = BLOCKIF_IOV_MAX; + + /* + * If Linux is presented with a seg_max greater than the virtio queue + * size, it can stumble into situations where it violates its own + * invariants and panics. For safety, we keep seg_max clamped, paying + * heed to the two extra descriptors needed for the header and status + * of a request. + */ + sc->vbsc_cfg.vbc_seg_max = MIN(VTBLK_RINGSZ - 2, BLOCKIF_IOV_MAX); sc->vbsc_cfg.vbc_geometry.cylinders = 0; /* no geometry */ sc->vbsc_cfg.vbc_geometry.heads = 0; sc->vbsc_cfg.vbc_geometry.sectors = 0; From owner-svn-src-stable-11@freebsd.org Thu May 30 16:32:20 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6A16F15C6C5B; Thu, 30 May 2019 16:32:20 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0C13E931F2; Thu, 30 May 2019 16:32:20 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id DB7161BB37; Thu, 30 May 2019 16:32:19 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4UGWJkU066908; Thu, 30 May 2019 16:32:19 GMT (envelope-from tuexen@FreeBSD.org) Received: (from tuexen@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4UGWJSJ066904; Thu, 30 May 2019 16:32:19 GMT (envelope-from tuexen@FreeBSD.org) Message-Id: <201905301632.x4UGWJSJ066904@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f From: Michael Tuexen Date: Thu, 30 May 2019 16:32:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348435 - stable/11/sys/netinet X-SVN-Group: stable-11 X-SVN-Commit-Author: tuexen X-SVN-Commit-Paths: stable/11/sys/netinet X-SVN-Commit-Revision: 348435 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 0C13E931F2 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.98)[-0.978,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 May 2019 16:32:20 -0000 Author: tuexen Date: Thu May 30 16:32:18 2019 New Revision: 348435 URL: https://svnweb.freebsd.org/changeset/base/348435 Log: MFC r338053: Don't expose the uptime via the TCP timestamps. The TCP client side or the TCP server side when not using SYN-cookies used the uptime as the TCP timestamp value. This patch uses in all cases an offset, which is the result of a keyed hash function taking the source and destination addresses and port numbers into account. The keyed hash function is the same a used for the initial TSN. The use of VNET_DEFINE_STATIC(u_char, ts_offset_secret[32]); had to be replaced by VNET_DEFINE(u_char, ts_offset_secret[32]); MFC r348290: When an ACK segment as the third message of the three way handshake is received and support for time stamps was negotiated in the SYN/SYNACK exchange, perform the PAWS check and only expand the syn cache entry if the check is passed. Without this check, endpoints may get stuck on the incomplete queue. Reviewed by: jtl@, rrs@ Approved by: re (kib@)) Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D16636 Differential Revision: https://reviews.freebsd.org/D20374 Modified: stable/11/sys/netinet/tcp_subr.c stable/11/sys/netinet/tcp_syncache.c stable/11/sys/netinet/tcp_usrreq.c stable/11/sys/netinet/tcp_var.h Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet/tcp_subr.c ============================================================================== --- stable/11/sys/netinet/tcp_subr.c Thu May 30 16:11:20 2019 (r348434) +++ stable/11/sys/netinet/tcp_subr.c Thu May 30 16:32:18 2019 (r348435) @@ -226,6 +226,12 @@ VNET_DEFINE(uma_zone_t, sack_hole_zone); VNET_DEFINE(struct hhook_head *, tcp_hhh[HHOOK_TCP_LAST+1]); +VNET_DEFINE(u_char, ts_offset_secret[32]); +#define V_ts_offset_secret VNET(ts_offset_secret) + +static int tcp_default_fb_init(struct tcpcb *tp); +static void tcp_default_fb_fini(struct tcpcb *tp, int tcb_is_purged); +static int tcp_default_handoff_ok(struct tcpcb *tp); static struct inpcb *tcp_notify(struct inpcb *, int); static struct inpcb *tcp_mtudisc_notify(struct inpcb *, int); static void tcp_mtudisc(struct inpcb *, int); @@ -683,6 +689,7 @@ tcp_init(void) /* Setup the tcp function block list */ init_tcp_functions(); register_tcp_functions(&tcp_def_funcblk, M_WAITOK); + read_random(&V_ts_offset_secret, sizeof(V_ts_offset_secret)); if (tcp_soreceive_stream) { #ifdef INET @@ -2185,7 +2192,41 @@ out: } #endif /* INET6 */ +static uint32_t +tcp_keyed_hash(struct in_conninfo *inc, u_char *key) +{ + MD5_CTX ctx; + uint32_t hash[4]; + MD5Init(&ctx); + MD5Update(&ctx, &inc->inc_fport, sizeof(uint16_t)); + MD5Update(&ctx, &inc->inc_lport, sizeof(uint16_t)); + switch (inc->inc_flags & INC_ISIPV6) { +#ifdef INET + case 0: + MD5Update(&ctx, &inc->inc_faddr, sizeof(struct in_addr)); + MD5Update(&ctx, &inc->inc_laddr, sizeof(struct in_addr)); + break; +#endif +#ifdef INET6 + case INC_ISIPV6: + MD5Update(&ctx, &inc->inc6_faddr, sizeof(struct in6_addr)); + MD5Update(&ctx, &inc->inc6_laddr, sizeof(struct in6_addr)); + break; +#endif + } + MD5Update(&ctx, key, 32); + MD5Final((unsigned char *)hash, &ctx); + + return (hash[0]); +} + +uint32_t +tcp_new_ts_offset(struct in_conninfo *inc) +{ + return (tcp_keyed_hash(inc, V_ts_offset_secret)); +} + /* * Following is where TCP initial sequence number generation occurs. * @@ -2226,7 +2267,7 @@ out: * as reseeding should not be necessary. * * Locking of the global variables isn_secret, isn_last_reseed, isn_offset, - * isn_offset_old, and isn_ctx is performed using the TCP pcbinfo lock. In + * isn_offset_old, and isn_ctx is performed using the ISN lock. In * general, this means holding an exclusive (write) lock. */ @@ -2247,15 +2288,11 @@ static VNET_DEFINE(u_int32_t, isn_offset_old); #define V_isn_offset_old VNET(isn_offset_old) tcp_seq -tcp_new_isn(struct tcpcb *tp) +tcp_new_isn(struct in_conninfo *inc) { - MD5_CTX isn_ctx; - u_int32_t md5_buffer[4]; tcp_seq new_isn; u_int32_t projected_offset; - INP_WLOCK_ASSERT(tp->t_inpcb); - ISN_LOCK(); /* Seed if this is the first use, reseed if requested. */ if ((V_isn_last_reseed == 0) || ((V_tcp_isn_reseed_interval > 0) && @@ -2266,26 +2303,7 @@ tcp_new_isn(struct tcpcb *tp) } /* Compute the md5 hash and return the ISN. */ - MD5Init(&isn_ctx); - MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_fport, sizeof(u_short)); - MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_lport, sizeof(u_short)); -#ifdef INET6 - if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0) { - MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_faddr, - sizeof(struct in6_addr)); - MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->in6p_laddr, - sizeof(struct in6_addr)); - } else -#endif - { - MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_faddr, - sizeof(struct in_addr)); - MD5Update(&isn_ctx, (u_char *) &tp->t_inpcb->inp_laddr, - sizeof(struct in_addr)); - } - MD5Update(&isn_ctx, (u_char *) &V_isn_secret, sizeof(V_isn_secret)); - MD5Final((u_char *) &md5_buffer, &isn_ctx); - new_isn = (tcp_seq) md5_buffer[0]; + new_isn = (tcp_seq)tcp_keyed_hash(inc, V_isn_secret); V_isn_offset += ISN_STATIC_INCREMENT + (arc4random() & ISN_RANDOM_INCREMENT); if (ticks != V_isn_last) { Modified: stable/11/sys/netinet/tcp_syncache.c ============================================================================== --- stable/11/sys/netinet/tcp_syncache.c Thu May 30 16:11:20 2019 (r348434) +++ stable/11/sys/netinet/tcp_syncache.c Thu May 30 16:32:18 2019 (r348435) @@ -1088,7 +1088,29 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt } } #endif /* TCP_SIGNATURE */ + /* + * RFC 7323 PAWS: If we have a timestamp on this segment and + * it's less than ts_recent, drop it. + * XXXMT: RFC 7323 also requires to send an ACK. + * In tcp_input.c this is only done for TCP segments + * with user data, so be consistent here and just drop + * the segment. + */ + if (sc->sc_flags & SCF_TIMESTAMP && to->to_flags & TOF_TS && + TSTMP_LT(to->to_tsval, sc->sc_tsreflect)) { + SCH_UNLOCK(sch); + if ((s = tcp_log_addrs(inc, th, NULL, NULL))) { + log(LOG_DEBUG, + "%s; %s: SEG.TSval %u < TS.Recent %u, " + "segment dropped\n", s, __func__, + to->to_tsval, sc->sc_tsreflect); + free(s, M_TCPLOG); + } + return (-1); /* Do not send RST */ + } + + /* * Pull out the entry to unlock the bucket row. * * NOTE: We must decrease TCPS_SYN_RECEIVED count here, not @@ -1494,6 +1516,7 @@ skip_alloc: if (to->to_flags & TOF_TS) { sc->sc_tsreflect = to->to_tsval; sc->sc_flags |= SCF_TIMESTAMP; + sc->sc_tsoff = tcp_new_ts_offset(inc); } if (to->to_flags & TOF_SCALE) { int wscale = 0; @@ -2029,11 +2052,6 @@ syncookie_generate(struct syncache_head *sch, struct s iss = hash & ~0xff; iss |= cookie.cookie ^ (hash >> 24); - /* Randomize the timestamp. */ - if (sc->sc_flags & SCF_TIMESTAMP) { - sc->sc_tsoff = arc4random() - tcp_ts_getticks(); - } - TCPSTAT_INC(tcps_sc_sendcookie); return (iss); } @@ -2120,7 +2138,7 @@ syncookie_lookup(struct in_conninfo *inc, struct synca if (to->to_flags & TOF_TS) { sc->sc_flags |= SCF_TIMESTAMP; sc->sc_tsreflect = to->to_tsval; - sc->sc_tsoff = to->to_tsecr - tcp_ts_getticks(); + sc->sc_tsoff = tcp_new_ts_offset(inc); } if (to->to_flags & TOF_SIGNATURE) Modified: stable/11/sys/netinet/tcp_usrreq.c ============================================================================== --- stable/11/sys/netinet/tcp_usrreq.c Thu May 30 16:11:20 2019 (r348434) +++ stable/11/sys/netinet/tcp_usrreq.c Thu May 30 16:32:18 2019 (r348435) @@ -1308,7 +1308,9 @@ tcp_connect(struct tcpcb *tp, struct sockaddr *nam, st soisconnecting(so); TCPSTAT_INC(tcps_connattempt); tcp_state_change(tp, TCPS_SYN_SENT); - tp->iss = tcp_new_isn(tp); + tp->iss = tcp_new_isn(&inp->inp_inc); + if (tp->t_flags & TF_REQ_TSTMP) + tp->ts_offset = tcp_new_ts_offset(&inp->inp_inc); tcp_sendseqinit(tp); return 0; @@ -1347,7 +1349,9 @@ tcp6_connect(struct tcpcb *tp, struct sockaddr *nam, s soisconnecting(inp->inp_socket); TCPSTAT_INC(tcps_connattempt); tcp_state_change(tp, TCPS_SYN_SENT); - tp->iss = tcp_new_isn(tp); + tp->iss = tcp_new_isn(&inp->inp_inc); + if (tp->t_flags & TF_REQ_TSTMP) + tp->ts_offset = tcp_new_ts_offset(&inp->inp_inc); tcp_sendseqinit(tp); return 0; Modified: stable/11/sys/netinet/tcp_var.h ============================================================================== --- stable/11/sys/netinet/tcp_var.h Thu May 30 16:11:20 2019 (r348434) +++ stable/11/sys/netinet/tcp_var.h Thu May 30 16:32:18 2019 (r348435) @@ -826,7 +826,9 @@ void tcp_hc_updatemtu(struct in_conninfo *, u_long); void tcp_hc_update(struct in_conninfo *, struct hc_metrics_lite *); extern struct pr_usrreqs tcp_usrreqs; -tcp_seq tcp_new_isn(struct tcpcb *); + +uint32_t tcp_new_ts_offset(struct in_conninfo *); +tcp_seq tcp_new_isn(struct in_conninfo *); int tcp_sack_doack(struct tcpcb *, struct tcpopt *, tcp_seq); void tcp_update_sack_list(struct tcpcb *tp, tcp_seq rcv_laststart, tcp_seq rcv_lastend); From owner-svn-src-stable-11@freebsd.org Thu May 30 16:42:58 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D5B1A15A4218; Thu, 30 May 2019 16:42:58 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 77FC793AD8; Thu, 30 May 2019 16:42:58 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 51D751BCFF; Thu, 30 May 2019 16:42:58 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4UGgwmF072902; Thu, 30 May 2019 16:42:58 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4UGgwku072901; Thu, 30 May 2019 16:42:58 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <201905301642.x4UGgwku072901@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Thu, 30 May 2019 16:42:58 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348437 - stable/11/sys/amd64/vmm X-SVN-Group: stable-11 X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: stable/11/sys/amd64/vmm X-SVN-Commit-Revision: 348437 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 77FC793AD8 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.98)[-0.976,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 May 2019 16:42:59 -0000 Author: jhb Date: Thu May 30 16:42:57 2019 New Revision: 348437 URL: https://svnweb.freebsd.org/changeset/base/348437 Log: MFC 347964: Expose the MD_CLEAR capability used by Intel MDS mitigations to guests. Approved by: re (gjb) Modified: stable/11/sys/amd64/vmm/x86.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/amd64/vmm/x86.c ============================================================================== --- stable/11/sys/amd64/vmm/x86.c Thu May 30 16:40:21 2019 (r348436) +++ stable/11/sys/amd64/vmm/x86.c Thu May 30 16:42:57 2019 (r348437) @@ -359,7 +359,7 @@ x86_emulate_cpuid(struct vm *vm, int vcpu_id, CPUID_STDEXT_AVX512ER | CPUID_STDEXT_AVX512CD); regs[2] = 0; - regs[3] = 0; + regs[3] &= CPUID_STDEXT3_MD_CLEAR; /* Advertise INVPCID if it is enabled. */ error = vm_get_capability(vm, vcpu_id, From owner-svn-src-stable-11@freebsd.org Thu May 30 17:21:00 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 744EC15A55A6; Thu, 30 May 2019 17:21:00 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 108439507C; Thu, 30 May 2019 17:21:00 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from John-Baldwins-MacBook-Pro-4.local (ralph.baldwin.cx [66.234.199.215]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: jhb) by smtp.freebsd.org (Postfix) with ESMTPSA id 3FD97A2B7; Thu, 30 May 2019 17:20:59 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Subject: Re: svn commit: r348435 - stable/11/sys/netinet To: Michael Tuexen , src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org References: <201905301632.x4UGWJSJ066904@repo.freebsd.org> From: John Baldwin Openpgp: preference=signencrypt Autocrypt: addr=jhb@FreeBSD.org; keydata= mQGiBETQ+XcRBADMFybiq69u+fJRy/0wzqTNS8jFfWaBTs5/OfcV7wWezVmf9sgwn8TW0Dk0 c9MBl0pz+H01dA2ZSGZ5fXlmFIsee1WEzqeJzpiwd/pejPgSzXB9ijbLHZ2/E0jhGBcVy5Yo /Tw5+U/+laeYKu2xb0XPvM0zMNls1ah5OnP9a6Ql6wCgupaoMySb7DXm2LHD1Z9jTsHcAQMD /1jzh2BoHriy/Q2s4KzzjVp/mQO5DSm2z14BvbQRcXU48oAosHA1u3Wrov6LfPY+0U1tG47X 1BGfnQH+rNAaH0livoSBQ0IPI/8WfIW7ub4qV6HYwWKVqkDkqwcpmGNDbz3gfaDht6nsie5Z pcuCcul4M9CW7Md6zzyvktjnbz61BADGDCopfZC4of0Z3Ka0u8Wik6UJOuqShBt1WcFS8ya1 oB4rc4tXfSHyMF63aPUBMxHR5DXeH+EO2edoSwViDMqWk1jTnYza51rbGY+pebLQOVOxAY7k do5Ordl3wklBPMVEPWoZ61SdbcjhHVwaC5zfiskcxj5wwXd2E9qYlBqRg7QeSm9obiBCYWxk d2luIDxqaGJARnJlZUJTRC5vcmc+iGAEExECACAFAkTQ+awCGwMGCwkIBwMCBBUCCAMEFgID AQIeAQIXgAAKCRBy3lIGd+N/BI6RAJ9S97fvbME+3hxzE3JUyUZ6vTewDACdE1stFuSfqMvM jomvZdYxIYyTUpC5Ag0ERND5ghAIAPwsO0B7BL+bz8sLlLoQktGxXwXQfS5cInvL17Dsgnr3 1AKa94j9EnXQyPEj7u0d+LmEe6CGEGDh1OcGFTMVrof2ZzkSy4+FkZwMKJpTiqeaShMh+Goj XlwIMDxyADYvBIg3eN5YdFKaPQpfgSqhT+7El7w+wSZZD8pPQuLAnie5iz9C8iKy4/cMSOrH YUK/tO+Nhw8Jjlw94Ik0T80iEhI2t+XBVjwdfjbq3HrJ0ehqdBwukyeJRYKmbn298KOFQVHO EVbHA4rF/37jzaMadK43FgJ0SAhPPF5l4l89z5oPu0b/+5e2inA3b8J3iGZxywjM+Csq1tqz hltEc7Q+E08AAwUIAL+15XH8bPbjNJdVyg2CMl10JNW2wWg2Q6qdljeaRqeR6zFus7EZTwtX sNzs5bP8y51PSUDJbeiy2RNCNKWFMndM22TZnk3GNG45nQd4OwYK0RZVrikalmJY5Q6m7Z16 4yrZgIXFdKj2t8F+x613/SJW1lIr9/bDp4U9tw0V1g3l2dFtD3p3ZrQ3hpoDtoK70ioIAjjH aIXIAcm3FGZFXy503DOA0KaTWwvOVdYCFLm3zWuSOmrX/GsEc7ovasOWwjPn878qVjbUKWwx Q4QkF4OhUV9zPtf9tDSAZ3x7QSwoKbCoRCZ/xbyTUPyQ1VvNy/mYrBcYlzHodsaqUDjHuW+I SQQYEQIACQUCRND5ggIbDAAKCRBy3lIGd+N/BCO8AJ9j1dWVQWxw/YdTbEyrRKOY8YZNwwCf afMAg8QvmOWnHx3wl8WslCaXaE8= Message-ID: Date: Thu, 30 May 2019 10:20:58 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <201905301632.x4UGWJSJ066904@repo.freebsd.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 108439507C X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.99)[-0.991,0]; REPLY(-4.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 May 2019 17:21:00 -0000 On 5/30/19 9:32 AM, Michael Tuexen wrote: > Author: tuexen > Date: Thu May 30 16:32:18 2019 > New Revision: 348435 > URL: https://svnweb.freebsd.org/changeset/base/348435 > > Log: > MFC r338053: > > Don't expose the uptime via the TCP timestamps. > > The TCP client side or the TCP server side when not using SYN-cookies > used the uptime as the TCP timestamp value. This patch uses in all > cases an offset, which is the result of a keyed hash function taking > the source and destination addresses and port numbers into account. > The keyed hash function is the same a used for the initial TSN. > > The use of > VNET_DEFINE_STATIC(u_char, ts_offset_secret[32]); > had to be replaced by > VNET_DEFINE(u_char, ts_offset_secret[32]); > > MFC r348290: > > When an ACK segment as the third message of the three way handshake is > received and support for time stamps was negotiated in the SYN/SYNACK > exchange, perform the PAWS check and only expand the syn cache entry if > the check is passed. > Without this check, endpoints may get stuck on the incomplete queue. > > Reviewed by: jtl@, rrs@ > Approved by: re (kib@)) > Sponsored by: Netflix, Inc. > Differential Revision: https://reviews.freebsd.org/D16636 > Differential Revision: https://reviews.freebsd.org/D20374 This broke the build on GCC platforms. > Modified: stable/11/sys/netinet/tcp_subr.c > ============================================================================== > --- stable/11/sys/netinet/tcp_subr.c Thu May 30 16:11:20 2019 (r348434) > +++ stable/11/sys/netinet/tcp_subr.c Thu May 30 16:32:18 2019 (r348435) > @@ -226,6 +226,12 @@ VNET_DEFINE(uma_zone_t, sack_hole_zone); > > VNET_DEFINE(struct hhook_head *, tcp_hhh[HHOOK_TCP_LAST+1]); > > +VNET_DEFINE(u_char, ts_offset_secret[32]); > +#define V_ts_offset_secret VNET(ts_offset_secret) > + > +static int tcp_default_fb_init(struct tcpcb *tp); > +static void tcp_default_fb_fini(struct tcpcb *tp, int tcb_is_purged); > +static int tcp_default_handoff_ok(struct tcpcb *tp); This is a mismerge. These three prototypes for tcp_default_* shouldn't have been added and these prototypes are causing the build breakage. (They weren't added in r338053 in HEAD but in an earlier change. This was probably a merge conflict during the MFC). I think the fix is to just remove them. cc -c -O -pipe -g -nostdinc -I. -I/usr/src/sys -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -MD -MF.depend.tcp_subr.o -MTtcp_subr.o -ffreestanding -fwrapv -fstack-protector -gdwarf-2 -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -Wmissing-include-dirs -fdiagnostics-show-option -Wno-unknown-pragmas -Wno-uninitialized -fno-common -fms-extensions -finline-limit=15000 --param inline-unit-growth=100 --param large-function-growth=1000 -mcmodel=medany -msoft-float -std=iso9899:1999 -Werror /usr/src/sys/netinet/tcp_subr.c cc1: warnings being treated as errors /usr/src/sys/netinet/tcp_subr.c:232: warning: 'tcp_default_fb_init' declared 'static' but never defined /usr/src/sys/netinet/tcp_subr.c:233: warning: 'tcp_default_fb_fini' declared 'static' but never defined /usr/src/sys/netinet/tcp_subr.c:234: warning: 'tcp_default_handoff_ok' declared 'static' but never defined *** [tcp_subr.o] Error code 1 make[2]: stopped in /usr/obj/sparc64.sparc64/usr/src/sys/GENERIC -- John Baldwin From owner-svn-src-stable-11@freebsd.org Thu May 30 17:21:48 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5FCB415A57CF; Thu, 30 May 2019 17:21:48 +0000 (UTC) (envelope-from tuexen@freebsd.org) Received: from drew.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.franken.de", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A5B669524F; Thu, 30 May 2019 17:21:47 +0000 (UTC) (envelope-from tuexen@freebsd.org) Received: from [192.168.1.2] (p57BB4327.dip0.t-ipconnect.de [87.187.67.39]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTPSA id 95BD971B63032; Thu, 30 May 2019 19:21:44 +0200 (CEST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) Subject: Re: svn commit: r348435 - stable/11/sys/netinet From: Michael Tuexen In-Reply-To: Date: Thu, 30 May 2019 19:21:43 +0200 Cc: src-committers , svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <693EB912-4B80-47AD-B13B-AB54FF82774C@freebsd.org> References: <201905301632.x4UGWJSJ066904@repo.freebsd.org> To: John Baldwin X-Mailer: Apple Mail (2.3445.104.11) X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=disabled version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail-n.franken.de X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 May 2019 17:21:48 -0000 > On 30. May 2019, at 19:20, John Baldwin wrote: >=20 > On 5/30/19 9:32 AM, Michael Tuexen wrote: >> Author: tuexen >> Date: Thu May 30 16:32:18 2019 >> New Revision: 348435 >> URL: https://svnweb.freebsd.org/changeset/base/348435 >>=20 >> Log: >> MFC r338053: >>=20 >> Don't expose the uptime via the TCP timestamps. >>=20 >> The TCP client side or the TCP server side when not using = SYN-cookies >> used the uptime as the TCP timestamp value. This patch uses in all >> cases an offset, which is the result of a keyed hash function taking >> the source and destination addresses and port numbers into account. >> The keyed hash function is the same a used for the initial TSN. >>=20 >> The use of >> VNET_DEFINE_STATIC(u_char, ts_offset_secret[32]); >> had to be replaced by >> VNET_DEFINE(u_char, ts_offset_secret[32]); >>=20 >> MFC r348290: >>=20 >> When an ACK segment as the third message of the three way handshake = is >> received and support for time stamps was negotiated in the = SYN/SYNACK >> exchange, perform the PAWS check and only expand the syn cache entry = if >> the check is passed. >> Without this check, endpoints may get stuck on the incomplete queue. >>=20 >> Reviewed by: jtl@, rrs@ >> Approved by: re (kib@)) >> Sponsored by: Netflix, Inc. >> Differential Revision: https://reviews.freebsd.org/D16636 >> Differential Revision: https://reviews.freebsd.org/D20374 >=20 > This broke the build on GCC platforms. >=20 >> Modified: stable/11/sys/netinet/tcp_subr.c >> = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D >> --- stable/11/sys/netinet/tcp_subr.c Thu May 30 16:11:20 2019 = (r348434) >> +++ stable/11/sys/netinet/tcp_subr.c Thu May 30 16:32:18 2019 = (r348435) >> @@ -226,6 +226,12 @@ VNET_DEFINE(uma_zone_t, sack_hole_zone); >>=20 >> VNET_DEFINE(struct hhook_head *, tcp_hhh[HHOOK_TCP_LAST+1]); >>=20 >> +VNET_DEFINE(u_char, ts_offset_secret[32]); >> +#define V_ts_offset_secret VNET(ts_offset_secret) >> + >> +static int tcp_default_fb_init(struct tcpcb *tp); >> +static void tcp_default_fb_fini(struct tcpcb *tp, int = tcb_is_purged); >> +static int tcp_default_handoff_ok(struct tcpcb *tp); >=20 > This is a mismerge. These three prototypes for tcp_default_* = shouldn't have > been added and these prototypes are causing the build breakage. (They = weren't > added in r338053 in HEAD but in an earlier change. This was probably = a merge > conflict during the MFC). >=20 > I think the fix is to just remove them. >=20 > cc -c -O -pipe -g -nostdinc -I. -I/usr/src/sys -D_KERNEL = -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -MD = -MF.depend.tcp_subr.o -MTtcp_subr.o -ffreestanding -fwrapv = -fstack-protector -gdwarf-2 -Wall -Wredundant-decls -Wnested-externs = -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline = -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions = -Wmissing-include-dirs -fdiagnostics-show-option -Wno-unknown-pragmas = -Wno-uninitialized -fno-common -fms-extensions -finline-limit=3D15000 = --param inline-unit-growth=3D100 --param large-function-growth=3D1000 = -mcmodel=3Dmedany -msoft-float -std=3Diso9899:1999 -Werror = /usr/src/sys/netinet/tcp_subr.c > cc1: warnings being treated as errors > /usr/src/sys/netinet/tcp_subr.c:232: warning: 'tcp_default_fb_init' = declared 'static' but never defined > /usr/src/sys/netinet/tcp_subr.c:233: warning: 'tcp_default_fb_fini' = declared 'static' but never defined > /usr/src/sys/netinet/tcp_subr.c:234: warning: 'tcp_default_handoff_ok' = declared 'static' but never defined > *** [tcp_subr.o] Error code 1 >=20 > make[2]: stopped in /usr/obj/sparc64.sparc64/usr/src/sys/GENERIC Working on it. Thanks for letting me know. Best regards Michael >=20 > --=20 > John Baldwin From owner-svn-src-stable-11@freebsd.org Thu May 30 17:31:20 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 411AE15A5D84; Thu, 30 May 2019 17:31:20 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D916695AB6; Thu, 30 May 2019 17:31:19 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B3F841C421; Thu, 30 May 2019 17:31:19 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4UHVJ1X094858; Thu, 30 May 2019 17:31:19 GMT (envelope-from tuexen@FreeBSD.org) Received: (from tuexen@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4UHVJ9m094857; Thu, 30 May 2019 17:31:19 GMT (envelope-from tuexen@FreeBSD.org) Message-Id: <201905301731.x4UHVJ9m094857@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f From: Michael Tuexen Date: Thu, 30 May 2019 17:31:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348441 - stable/11/sys/netinet X-SVN-Group: stable-11 X-SVN-Commit-Author: tuexen X-SVN-Commit-Paths: stable/11/sys/netinet X-SVN-Commit-Revision: 348441 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: D916695AB6 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.98)[-0.979,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 May 2019 17:31:20 -0000 Author: tuexen Date: Thu May 30 17:31:19 2019 New Revision: 348441 URL: https://svnweb.freebsd.org/changeset/base/348441 Log: Unbreak the powerpc, powerpc64, and sparc64 builds. The issue was introduced in r348435. Approved by: re (gjb@) Modified: stable/11/sys/netinet/tcp_subr.c Modified: stable/11/sys/netinet/tcp_subr.c ============================================================================== --- stable/11/sys/netinet/tcp_subr.c Thu May 30 17:27:40 2019 (r348440) +++ stable/11/sys/netinet/tcp_subr.c Thu May 30 17:31:19 2019 (r348441) @@ -229,9 +229,6 @@ VNET_DEFINE(struct hhook_head *, tcp_hhh[HHOOK_TCP_LAS VNET_DEFINE(u_char, ts_offset_secret[32]); #define V_ts_offset_secret VNET(ts_offset_secret) -static int tcp_default_fb_init(struct tcpcb *tp); -static void tcp_default_fb_fini(struct tcpcb *tp, int tcb_is_purged); -static int tcp_default_handoff_ok(struct tcpcb *tp); static struct inpcb *tcp_notify(struct inpcb *, int); static struct inpcb *tcp_mtudisc_notify(struct inpcb *, int); static void tcp_mtudisc(struct inpcb *, int); From owner-svn-src-stable-11@freebsd.org Thu May 30 17:34:13 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B3DE615A5EBE; Thu, 30 May 2019 17:34:13 +0000 (UTC) (envelope-from tuexen@freebsd.org) Received: from drew.franken.de (mail-n.franken.de [193.175.24.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.franken.de", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2973295CFE; Thu, 30 May 2019 17:34:13 +0000 (UTC) (envelope-from tuexen@freebsd.org) Received: from [192.168.1.2] (p57BB4327.dip0.t-ipconnect.de [87.187.67.39]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTPSA id 17FEF71B18AF4; Thu, 30 May 2019 19:34:10 +0200 (CEST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) Subject: Re: svn commit: r348435 - stable/11/sys/netinet From: Michael Tuexen In-Reply-To: Date: Thu, 30 May 2019 19:34:09 +0200 Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <59773D8A-CD81-4059-BC74-0D0445F5915D@freebsd.org> References: <201905301632.x4UGWJSJ066904@repo.freebsd.org> To: John Baldwin X-Mailer: Apple Mail (2.3445.104.11) X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=disabled version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail-n.franken.de X-Rspamd-Queue-Id: 2973295CFE X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.99)[-0.991,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 May 2019 17:34:14 -0000 > On 30. May 2019, at 19:20, John Baldwin wrote: >=20 > On 5/30/19 9:32 AM, Michael Tuexen wrote: >> Author: tuexen >> Date: Thu May 30 16:32:18 2019 >> New Revision: 348435 >> URL: https://svnweb.freebsd.org/changeset/base/348435 >>=20 >> Log: >> MFC r338053: >>=20 >> Don't expose the uptime via the TCP timestamps. >>=20 >> The TCP client side or the TCP server side when not using = SYN-cookies >> used the uptime as the TCP timestamp value. This patch uses in all >> cases an offset, which is the result of a keyed hash function taking >> the source and destination addresses and port numbers into account. >> The keyed hash function is the same a used for the initial TSN. >>=20 >> The use of >> VNET_DEFINE_STATIC(u_char, ts_offset_secret[32]); >> had to be replaced by >> VNET_DEFINE(u_char, ts_offset_secret[32]); >>=20 >> MFC r348290: >>=20 >> When an ACK segment as the third message of the three way handshake = is >> received and support for time stamps was negotiated in the = SYN/SYNACK >> exchange, perform the PAWS check and only expand the syn cache entry = if >> the check is passed. >> Without this check, endpoints may get stuck on the incomplete queue. >>=20 >> Reviewed by: jtl@, rrs@ >> Approved by: re (kib@)) >> Sponsored by: Netflix, Inc. >> Differential Revision: https://reviews.freebsd.org/D16636 >> Differential Revision: https://reviews.freebsd.org/D20374 >=20 > This broke the build on GCC platforms. >=20 >> Modified: stable/11/sys/netinet/tcp_subr.c >> = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D >> --- stable/11/sys/netinet/tcp_subr.c Thu May 30 16:11:20 2019 = (r348434) >> +++ stable/11/sys/netinet/tcp_subr.c Thu May 30 16:32:18 2019 = (r348435) >> @@ -226,6 +226,12 @@ VNET_DEFINE(uma_zone_t, sack_hole_zone); >>=20 >> VNET_DEFINE(struct hhook_head *, tcp_hhh[HHOOK_TCP_LAST+1]); >>=20 >> +VNET_DEFINE(u_char, ts_offset_secret[32]); >> +#define V_ts_offset_secret VNET(ts_offset_secret) >> + >> +static int tcp_default_fb_init(struct tcpcb *tp); >> +static void tcp_default_fb_fini(struct tcpcb *tp, int = tcb_is_purged); >> +static int tcp_default_handoff_ok(struct tcpcb *tp); >=20 > This is a mismerge. These three prototypes for tcp_default_* = shouldn't have > been added and these prototypes are causing the build breakage. (They = weren't > added in r338053 in HEAD but in an earlier change. This was probably = a merge > conflict during the MFC). >=20 > I think the fix is to just remove them. >=20 > cc -c -O -pipe -g -nostdinc -I. -I/usr/src/sys -D_KERNEL = -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -MD = -MF.depend.tcp_subr.o -MTtcp_subr.o -ffreestanding -fwrapv = -fstack-protector -gdwarf-2 -Wall -Wredundant-decls -Wnested-externs = -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline = -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions = -Wmissing-include-dirs -fdiagnostics-show-option -Wno-unknown-pragmas = -Wno-uninitialized -fno-common -fms-extensions -finline-limit=3D15000 = --param inline-unit-growth=3D100 --param large-function-growth=3D1000 = -mcmodel=3Dmedany -msoft-float -std=3Diso9899:1999 -Werror = /usr/src/sys/netinet/tcp_subr.c > cc1: warnings being treated as errors > /usr/src/sys/netinet/tcp_subr.c:232: warning: 'tcp_default_fb_init' = declared 'static' but never defined > /usr/src/sys/netinet/tcp_subr.c:233: warning: 'tcp_default_fb_fini' = declared 'static' but never defined > /usr/src/sys/netinet/tcp_subr.c:234: warning: 'tcp_default_handoff_ok' = declared 'static' but never defined > *** [tcp_subr.o] Error code 1 >=20 > make[2]: stopped in /usr/obj/sparc64.sparc64/usr/src/sys/GENERIC Fixed in https://svnweb.freebsd.org/changeset/base/348441 Best regards Michael >=20 > --=20 > John Baldwin From owner-svn-src-stable-11@freebsd.org Fri May 31 00:00:04 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9618715AE181; Fri, 31 May 2019 00:00:04 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3B4AD73618; Fri, 31 May 2019 00:00:04 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 114292058E; Fri, 31 May 2019 00:00:04 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4V003Ow000655; Fri, 31 May 2019 00:00:03 GMT (envelope-from gjb@FreeBSD.org) Received: (from gjb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4V003dH000654; Fri, 31 May 2019 00:00:03 GMT (envelope-from gjb@FreeBSD.org) Message-Id: <201905310000.x4V003dH000654@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gjb set sender to gjb@FreeBSD.org using -f From: Glen Barber Date: Fri, 31 May 2019 00:00:03 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348450 - stable/11/sys/conf X-SVN-Group: stable-11 X-SVN-Commit-Author: gjb X-SVN-Commit-Paths: stable/11/sys/conf X-SVN-Commit-Revision: 348450 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 3B4AD73618 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.98 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.98)[-0.976,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 May 2019 00:00:04 -0000 Author: gjb Date: Fri May 31 00:00:03 2019 New Revision: 348450 URL: https://svnweb.freebsd.org/changeset/base/348450 Log: Update stable/11 to BETA2 as part of the 11.3-RELEASE cycle. Approved by: re (implicit) Sponsored by: The FreeBSD Foundation Modified: stable/11/sys/conf/newvers.sh Modified: stable/11/sys/conf/newvers.sh ============================================================================== --- stable/11/sys/conf/newvers.sh Thu May 30 23:43:54 2019 (r348449) +++ stable/11/sys/conf/newvers.sh Fri May 31 00:00:03 2019 (r348450) @@ -44,7 +44,7 @@ TYPE="FreeBSD" REVISION="11.3" -BRANCH="BETA1" +BRANCH="BETA2" if [ -n "${BRANCH_OVERRIDE}" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-stable-11@freebsd.org Fri May 31 17:18:10 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2C19D15C1EDE; Fri, 31 May 2019 17:18:10 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C4334753B8; Fri, 31 May 2019 17:18:09 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9B75834CF; Fri, 31 May 2019 17:18:09 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4VHI9ve050766; Fri, 31 May 2019 17:18:09 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4VHI99r050765; Fri, 31 May 2019 17:18:09 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201905311718.x4VHI99r050765@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Fri, 31 May 2019 17:18:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348470 - stable/11/sys/netinet6 X-SVN-Group: stable-11 X-SVN-Commit-Author: ae X-SVN-Commit-Paths: stable/11/sys/netinet6 X-SVN-Commit-Revision: 348470 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: C4334753B8 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.973,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 May 2019 17:18:10 -0000 Author: ae Date: Fri May 31 17:18:09 2019 New Revision: 348470 URL: https://svnweb.freebsd.org/changeset/base/348470 Log: MFC r348236: Restore IPV6_NEXTHOP option support that seem was partially broken since r286195. Do not forget results of route lookup and initialize rt and ifp pointers. PR: 238098 Submitted by: Masse Nicolas Approved by: re (gjb) Modified: stable/11/sys/netinet6/in6_src.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet6/in6_src.c ============================================================================== --- stable/11/sys/netinet6/in6_src.c Fri May 31 17:02:37 2019 (r348469) +++ stable/11/sys/netinet6/in6_src.c Fri May 31 17:18:09 2019 (r348470) @@ -725,6 +725,10 @@ selectroute(struct sockaddr_in6 *dstsock, struct ip6_p if (ron->ro_rt == NULL || (ron->ro_rt->rt_flags & RTF_GATEWAY) != 0) error = EHOSTUNREACH; + else { + rt = ron->ro_rt; + ifp = rt->rt_ifp; + } goto done; } From owner-svn-src-stable-11@freebsd.org Fri May 31 20:26:57 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 97C0515C5114; Fri, 31 May 2019 20:26:57 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 36C3D834D2; Fri, 31 May 2019 20:26:57 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 135EC575D; Fri, 31 May 2019 20:26:57 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4VKQuG4051214; Fri, 31 May 2019 20:26:56 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4VKQu3T051213; Fri, 31 May 2019 20:26:56 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <201905312026.x4VKQu3T051213@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Fri, 31 May 2019 20:26:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348482 - stable/11/sys/netipsec X-SVN-Group: stable-11 X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: stable/11/sys/netipsec X-SVN-Commit-Revision: 348482 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 36C3D834D2 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.96)[-0.962,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 May 2019 20:26:58 -0000 Author: jhb Date: Fri May 31 20:26:56 2019 New Revision: 348482 URL: https://svnweb.freebsd.org/changeset/base/348482 Log: MFC 348205: Add deprecation warnings for IPsec algorithms deprecated in RFC 8221. All of these algorithms are either explicitly marked MUST NOT, or they are implicitly MUST NOTs by virtue of not being included in IETF's list of protocols at all despite having assignments from IANA. Specifically, this adds warnings for the following ciphers: - des-cbc - blowfish-cbc - cast128-cbc - des-deriv - des-32iv - camellia-cbc Warnings for the following authentication algorithms are also added: - hmac-md5 - keyed-md5 - keyed-sha1 - hmac-ripemd160 Approved by: re (gjb) Modified: stable/11/sys/netipsec/xform_ah.c stable/11/sys/netipsec/xform_esp.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netipsec/xform_ah.c ============================================================================== --- stable/11/sys/netipsec/xform_ah.c Fri May 31 20:25:57 2019 (r348481) +++ stable/11/sys/netipsec/xform_ah.c Fri May 31 20:26:56 2019 (r348482) @@ -108,6 +108,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, sta #endif static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ +static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn; +static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; static int ah_input_cb(struct cryptop*); static int ah_output_cb(struct cryptop*); @@ -174,6 +176,26 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, st __func__, sav->alg_auth)); return EINVAL; } + + switch (sav->alg_auth) { + case SADB_AALG_MD5HMAC: + if (ratecheck(&md5warn, &warninterval)) + gone_in(13, "MD5-HMAC authenticator for IPsec"); + break; + case SADB_X_AALG_RIPEMD160HMAC: + if (ratecheck(&ripewarn, &warninterval)) + gone_in(13, "RIPEMD160-HMAC authenticator for IPsec"); + break; + case SADB_X_AALG_MD5: + if (ratecheck(&kpdkmd5warn, &warninterval)) + gone_in(13, "Keyed-MD5 authenticator for IPsec"); + break; + case SADB_X_AALG_SHA: + if (ratecheck(&kpdksha1warn, &warninterval)) + gone_in(13, "Keyed-SHA1 authenticator for IPsec"); + break; + } + /* * Verify the replay state block allocation is consistent with * the protocol type. We check here so we can make assumptions Modified: stable/11/sys/netipsec/xform_esp.c ============================================================================== --- stable/11/sys/netipsec/xform_esp.c Fri May 31 20:25:57 2019 (r348481) +++ stable/11/sys/netipsec/xform_esp.c Fri May 31 20:26:56 2019 (r348482) @@ -94,6 +94,9 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, st struct espstat, espstat, "ESP statistics (struct espstat, netipsec/esp_var.h"); +static struct timeval deswarn, blfwarn, castwarn, camelliawarn; +static struct timeval warninterval = { .tv_sec = 1, .tv_usec = 0 }; + static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); @@ -156,6 +159,26 @@ esp_init(struct secasvar *sav, struct xformsw *xsp) __func__)); return EINVAL; } + + switch (sav->alg_enc) { + case SADB_EALG_DESCBC: + if (ratecheck(&deswarn, &warninterval)) + gone_in(13, "DES cipher for IPsec"); + break; + case SADB_X_EALG_BLOWFISHCBC: + if (ratecheck(&blfwarn, &warninterval)) + gone_in(13, "Blowfish cipher for IPsec"); + break; + case SADB_X_EALG_CAST128CBC: + if (ratecheck(&castwarn, &warninterval)) + gone_in(13, "CAST cipher for IPsec"); + break; + case SADB_X_EALG_CAMELLIACBC: + if (ratecheck(&camelliawarn, &warninterval)) + gone_in(13, "Camellia cipher for IPsec"); + break; + } + /* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; if (txform->minkey > keylen || keylen > txform->maxkey) { From owner-svn-src-stable-11@freebsd.org Fri May 31 20:36:34 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 31B2A15C55B9; Fri, 31 May 2019 20:36:34 +0000 (UTC) (envelope-from ken@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C850083AEA; Fri, 31 May 2019 20:36:33 +0000 (UTC) (envelope-from ken@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A0CCC58FB; Fri, 31 May 2019 20:36:33 +0000 (UTC) (envelope-from ken@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x4VKaXZJ056297; Fri, 31 May 2019 20:36:33 GMT (envelope-from ken@FreeBSD.org) Received: (from ken@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x4VKaXZj056295; Fri, 31 May 2019 20:36:33 GMT (envelope-from ken@FreeBSD.org) Message-Id: <201905312036.x4VKaXZj056295@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ken set sender to ken@FreeBSD.org using -f From: "Kenneth D. Merry" Date: Fri, 31 May 2019 20:36:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r348483 - stable/11/sys/dev/isp X-SVN-Group: stable-11 X-SVN-Commit-Author: ken X-SVN-Commit-Paths: stable/11/sys/dev/isp X-SVN-Commit-Revision: 348483 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: C850083AEA X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.96)[-0.962,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 May 2019 20:36:34 -0000 Author: ken Date: Fri May 31 20:36:32 2019 New Revision: 348483 URL: https://svnweb.freebsd.org/changeset/base/348483 Log: MFC r348247: ------------------------------------------------------------------------ r348247 | ken | 2019-05-24 13:58:29 -0400 (Fri, 24 May 2019) | 57 lines Fix FC-Tape bugs caused in part by r345008. The point of r345008 was to reset the Command Reference Number (CRN) in some situations where a device stayed in the topology, but had changed somehow. This can include moving from a switch connection to a direct connection or vice versa, or a device that temporarily goes away and comes back. (e.g. moving to a different switch port) There were a couple of bugs in that change: - We were reporting that a device had not changed whenever the Establish Image Pair bit was not set. That is not quite correct. Instead, if the Establish Image Pair bit stays the same (set or not), the device hasn't changed in that way. - We weren't setting PRLI Word0 in the port database when a new device arrived, so comparisons with the old value for the Establish Image Pair bit weren't really possible. So, make sure PRLI Word0 is set in the port database for new devices. - We were resetting the CRN whenever the Establish Image Pair bit was set for a device, even when the device had stayed the same and the value of the bit hadn't changed. Now, only reset the CRN for devices that have changed, not devices that sayed the same. The result of all of this was that if we had a single FC device on an FC port and it went away and came back, we would wind up correctly resetting the CRN. But, if we had multiple devices connected via a switch, and there was any change in one or more of those devices, all of the devices that stayed the same would also have their CRN values reset. The result, from a user standpoint, is that the tape drives, etc. would all start to time out commands and the initiator would send aborts. sys/dev/isp/isp.c: In isp_pdb_add_update(), look at whether the Establish Image Pair bit has changed as part of the check to determine whether a device is still the same. This was causing erroneous change notifications. Also, when creating a new port database entry, initialize the PRLI Word 0 values. sys/dev/isp/isp_freebsd.c: In isp_async(), in the changed/stayed case, instead of looking at the Establish Image Pair bit to determine whether to reset the CRN, look at the command value. (Changed vs. Stayed.) Only reset the CRN for devices that have changed. ------------------------------------------------------------------------ Sponsored by: Spectra Logic Approved by: re (gjb) Modified: stable/11/sys/dev/isp/isp.c stable/11/sys/dev/isp/isp_freebsd.c Modified: stable/11/sys/dev/isp/isp.c ============================================================================== --- stable/11/sys/dev/isp/isp.c Fri May 31 20:26:56 2019 (r348482) +++ stable/11/sys/dev/isp/isp.c Fri May 31 20:36:32 2019 (r348483) @@ -3249,7 +3249,8 @@ isp_pdb_add_update(ispsoftc_t *isp, int chan, isp_pdb_ if (lp->portid == pdb->portid && lp->handle == pdb->handle && lp->prli_word3 == pdb->prli_word3 && - ((pdb->prli_word0 & PRLI_WD0_EST_IMAGE_PAIR) == 0)) { + ((pdb->prli_word0 & PRLI_WD0_EST_IMAGE_PAIR) == + (lp->prli_word0 & PRLI_WD0_EST_IMAGE_PAIR))) { if (lp->state != FC_PORTDB_STATE_NEW) lp->state = FC_PORTDB_STATE_VALID; isp_prt(isp, ISP_LOG_SANCFG, @@ -3280,6 +3281,7 @@ isp_pdb_add_update(ispsoftc_t *isp, int chan, isp_pdb_ lp->probational = 0; lp->state = FC_PORTDB_STATE_NEW; lp->portid = lp->new_portid = pdb->portid; + lp->prli_word0 = lp->new_prli_word0 = pdb->prli_word0; lp->prli_word3 = lp->new_prli_word3 = pdb->prli_word3; lp->handle = pdb->handle; lp->port_wwn = wwpn; Modified: stable/11/sys/dev/isp/isp_freebsd.c ============================================================================== --- stable/11/sys/dev/isp/isp_freebsd.c Fri May 31 20:26:56 2019 (r348482) +++ stable/11/sys/dev/isp/isp_freebsd.c Fri May 31 20:36:32 2019 (r348483) @@ -3787,7 +3787,7 @@ isp_async(ispsoftc_t *isp, ispasync_t cmd, ...) xpt_async(AC_CONTRACT, fc->path, &ac); } - if ((lp->new_prli_word0 & PRLI_WD0_EST_IMAGE_PAIR) && + if ((cmd == ISPASYNC_DEV_CHANGED) && (crn_reset_done == 0)) isp_fcp_reset_crn(isp, bus, tgt, /*tgt_set*/ 1); From owner-svn-src-stable-11@freebsd.org Fri May 31 22:35:52 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6B4CD15C7854; Fri, 31 May 2019 22:35:52 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0AD88877A3; Fri, 31 May 2019 22:35:52 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from John-Baldwins-MacBook-Pro-4.local (ralph.baldwin.cx [66.234.199.215]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: jhb) by smtp.freebsd.org (Postfix) with ESMTPSA id 6933B17197; Fri, 31 May 2019 22:35:51 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Subject: Re: svn commit: r348482 - stable/11/sys/netipsec From: John Baldwin To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org References: <201905312026.x4VKQu3T051213@repo.freebsd.org> Openpgp: preference=signencrypt Autocrypt: addr=jhb@FreeBSD.org; keydata= mQGiBETQ+XcRBADMFybiq69u+fJRy/0wzqTNS8jFfWaBTs5/OfcV7wWezVmf9sgwn8TW0Dk0 c9MBl0pz+H01dA2ZSGZ5fXlmFIsee1WEzqeJzpiwd/pejPgSzXB9ijbLHZ2/E0jhGBcVy5Yo /Tw5+U/+laeYKu2xb0XPvM0zMNls1ah5OnP9a6Ql6wCgupaoMySb7DXm2LHD1Z9jTsHcAQMD /1jzh2BoHriy/Q2s4KzzjVp/mQO5DSm2z14BvbQRcXU48oAosHA1u3Wrov6LfPY+0U1tG47X 1BGfnQH+rNAaH0livoSBQ0IPI/8WfIW7ub4qV6HYwWKVqkDkqwcpmGNDbz3gfaDht6nsie5Z pcuCcul4M9CW7Md6zzyvktjnbz61BADGDCopfZC4of0Z3Ka0u8Wik6UJOuqShBt1WcFS8ya1 oB4rc4tXfSHyMF63aPUBMxHR5DXeH+EO2edoSwViDMqWk1jTnYza51rbGY+pebLQOVOxAY7k do5Ordl3wklBPMVEPWoZ61SdbcjhHVwaC5zfiskcxj5wwXd2E9qYlBqRg7QeSm9obiBCYWxk d2luIDxqaGJARnJlZUJTRC5vcmc+iGAEExECACAFAkTQ+awCGwMGCwkIBwMCBBUCCAMEFgID AQIeAQIXgAAKCRBy3lIGd+N/BI6RAJ9S97fvbME+3hxzE3JUyUZ6vTewDACdE1stFuSfqMvM jomvZdYxIYyTUpC5Ag0ERND5ghAIAPwsO0B7BL+bz8sLlLoQktGxXwXQfS5cInvL17Dsgnr3 1AKa94j9EnXQyPEj7u0d+LmEe6CGEGDh1OcGFTMVrof2ZzkSy4+FkZwMKJpTiqeaShMh+Goj XlwIMDxyADYvBIg3eN5YdFKaPQpfgSqhT+7El7w+wSZZD8pPQuLAnie5iz9C8iKy4/cMSOrH YUK/tO+Nhw8Jjlw94Ik0T80iEhI2t+XBVjwdfjbq3HrJ0ehqdBwukyeJRYKmbn298KOFQVHO EVbHA4rF/37jzaMadK43FgJ0SAhPPF5l4l89z5oPu0b/+5e2inA3b8J3iGZxywjM+Csq1tqz hltEc7Q+E08AAwUIAL+15XH8bPbjNJdVyg2CMl10JNW2wWg2Q6qdljeaRqeR6zFus7EZTwtX sNzs5bP8y51PSUDJbeiy2RNCNKWFMndM22TZnk3GNG45nQd4OwYK0RZVrikalmJY5Q6m7Z16 4yrZgIXFdKj2t8F+x613/SJW1lIr9/bDp4U9tw0V1g3l2dFtD3p3ZrQ3hpoDtoK70ioIAjjH aIXIAcm3FGZFXy503DOA0KaTWwvOVdYCFLm3zWuSOmrX/GsEc7ovasOWwjPn878qVjbUKWwx Q4QkF4OhUV9zPtf9tDSAZ3x7QSwoKbCoRCZ/xbyTUPyQ1VvNy/mYrBcYlzHodsaqUDjHuW+I SQQYEQIACQUCRND5ggIbDAAKCRBy3lIGd+N/BCO8AJ9j1dWVQWxw/YdTbEyrRKOY8YZNwwCf afMAg8QvmOWnHx3wl8WslCaXaE8= Message-ID: <15af7ff4-42c9-2020-4167-6e757317f38a@FreeBSD.org> Date: Fri, 31 May 2019 15:35:46 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <201905312026.x4VKQu3T051213@repo.freebsd.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 0AD88877A3 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.96 / 15.00]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.96)[-0.957,0]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 May 2019 22:35:52 -0000 On 5/31/19 1:26 PM, John Baldwin wrote: > Author: jhb > Date: Fri May 31 20:26:56 2019 > New Revision: 348482 > URL: https://svnweb.freebsd.org/changeset/base/348482 > > Log: > MFC 348205: > Add deprecation warnings for IPsec algorithms deprecated in RFC 8221. > > All of these algorithms are either explicitly marked MUST NOT, or they > are implicitly MUST NOTs by virtue of not being included in IETF's > list of protocols at all despite having assignments from IANA. > > Specifically, this adds warnings for the following ciphers: > - des-cbc > - blowfish-cbc > - cast128-cbc > - des-deriv > - des-32iv > - camellia-cbc > > Warnings for the following authentication algorithms are also added: > - hmac-md5 > - keyed-md5 > - keyed-sha1 > - hmac-ripemd160 > > Approved by: re (gjb) Sigh, so I just noticed while testing an MFC of another commit that adds deprecation warnings (GELI) that these warnings don't actually fire in 11 because gone_in(13, ...) only warns on 12.x and later: void _gone_in(int major, const char *msg) { gone_panic(major, P_OSREL_MAJOR(__FreeBSD_version), msg); if (P_OSREL_MAJOR(__FreeBSD_version) >= major) printf("Obsolete code will removed soon: %s\n", msg); else if (P_OSREL_MAJOR(__FreeBSD_version) + 1 == major) printf("Deprecated code (to be removed in FreeBSD %d): %s\n", major, msg); } I guess we could make the later test unconditional on stable/11 (and possibly make that change on HEAD and MFC it)? I think I understand why we did that originally (you could MFC warnings back to older branches without annoying users to keep code in sync), but I wonder if in practice we don't want the warnings always enabled? -- John Baldwin From owner-svn-src-stable-11@freebsd.org Fri May 31 22:47:34 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AE68015C7A5B for ; Fri, 31 May 2019 22:47:34 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3D22987D1D for ; Fri, 31 May 2019 22:47:34 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: by mail-qk1-x72e.google.com with SMTP id s22so5348675qkj.12 for ; Fri, 31 May 2019 15:47:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bsdimp-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+xTJJ9VcMEEceSZlJm7q7AfI4+M5hZffATNoG/TFm3c=; b=ZkKEtAM439nyyeT0FwVtED0qVkGOxOyuQrhfruRFfm1mggeFn8FOozI7rl9vVVGbpm Qg9wAi92n/BehrIIWDbxO892VG3uGzpuY/sS1WCtV02sy/B3V8py9wPDDmjgZpzpDuny JeuLqK37tSuiEM66JKMkMfCbjI5P4xJcXdaCP596kZ2QJ6pzO9OoR8JBzKN4wbOEpbDb +hJAtc4smXPRHVdXs+SyH+SSdT+XfoaD72QSwifn6VA7z6XIsUidMQ/4TiGXi8FRYfP2 4TECD0DcexBMfj7dxelx8QxmxpL6bQ8TVMbRi9n0q4Esh770FWyAkcx9DHPRzRNlxmaa fddQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+xTJJ9VcMEEceSZlJm7q7AfI4+M5hZffATNoG/TFm3c=; b=p8a/9nuEhuBqXqBzhZO5zQJo3MI1s2B/Qt8O2ITX2/szumwMWGeZzFab66SjbKm1o2 rP3HMlhq9hJXCxaDDTGKeFZuScB8ABDs+bLy21V70PfCtPOWM8l4rlOIxj6rJp/XiBMG hbQHgLwDyqhSy6kqQLAAlDc/Sgq58qOPl90kYDlJTI2oEqRhjLSt7dpEzDmtD5KjCxu9 Bc5K1M9OSZ493Tn3OeRksv0V0IqnfDOiCRs9vYHX44GPH6tPEcukCChAo604Yn1CBcND kDgwPMQaUzPzOJeowR7iDz+CLYDJcqMd1sEP+aBDSZfVHPTK40w9EOPt9VqA6BJo4BcW dwfw== X-Gm-Message-State: APjAAAVmluVrR34j0XAigpnxRYh0ItrE6/PebdiVYgLg0pE/k13a0C9i 3ptxxrQic+m7YFCJV588eNMEvQtWBu4o/+/0N12tWKvf X-Google-Smtp-Source: APXvYqzP2rDNTSr5BNmHCHvu1DvP6/fyMjyRSmDEVMD5nCdw8/k2UiXMlB13F1aFT0fugFpIAwi5DvqsaE+ecpFp9IU= X-Received: by 2002:a37:484e:: with SMTP id v75mr10541988qka.331.1559342853160; Fri, 31 May 2019 15:47:33 -0700 (PDT) MIME-Version: 1.0 References: <201905312026.x4VKQu3T051213@repo.freebsd.org> <15af7ff4-42c9-2020-4167-6e757317f38a@FreeBSD.org> In-Reply-To: <15af7ff4-42c9-2020-4167-6e757317f38a@FreeBSD.org> From: Warner Losh Date: Fri, 31 May 2019 16:47:21 -0600 Message-ID: Subject: Re: svn commit: r348482 - stable/11/sys/netipsec To: John Baldwin Cc: src-committers , svn-src-all , svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org X-Rspamd-Queue-Id: 3D22987D1D X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.93 / 15.00]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.93)[-0.934,0]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 May 2019 22:47:35 -0000 On Fri, May 31, 2019 at 4:36 PM John Baldwin wrote: > On 5/31/19 1:26 PM, John Baldwin wrote: > > Author: jhb > > Date: Fri May 31 20:26:56 2019 > > New Revision: 348482 > > URL: https://svnweb.freebsd.org/changeset/base/348482 > > > > Log: > > MFC 348205: > > Add deprecation warnings for IPsec algorithms deprecated in RFC 8221. > > > > All of these algorithms are either explicitly marked MUST NOT, or they > > are implicitly MUST NOTs by virtue of not being included in IETF's > > list of protocols at all despite having assignments from IANA. > > > > Specifically, this adds warnings for the following ciphers: > > - des-cbc > > - blowfish-cbc > > - cast128-cbc > > - des-deriv > > - des-32iv > > - camellia-cbc > > > > Warnings for the following authentication algorithms are also added: > > - hmac-md5 > > - keyed-md5 > > - keyed-sha1 > > - hmac-ripemd160 > > > > Approved by: re (gjb) > > Sigh, so I just noticed while testing an MFC of another commit that adds > deprecation warnings (GELI) that these warnings don't actually fire in 11 > because gone_in(13, ...) only warns on 12.x and later: > > void > _gone_in(int major, const char *msg) > { > > gone_panic(major, P_OSREL_MAJOR(__FreeBSD_version), msg); > if (P_OSREL_MAJOR(__FreeBSD_version) >= major) > printf("Obsolete code will removed soon: %s\n", msg); > else if (P_OSREL_MAJOR(__FreeBSD_version) + 1 == major) > printf("Deprecated code (to be removed in FreeBSD %d): > %s\n", > major, msg); > } > > I guess we could make the later test unconditional on stable/11 (and > possibly > make that change on HEAD and MFC it)? I think I understand why we did that > originally (you could MFC warnings back to older branches without annoying > users to keep code in sync), but I wonder if in practice we don't want the > warnings always enabled? > "It seemed like a good idea at the time" I think is why we did it, but it turns out that it's not such a good idea. I agree: we should always warn in older branches because latter-day releases of those branches will be proximate to the removal time in major + 2. This is a perfect example of this. Warner From owner-svn-src-stable-11@freebsd.org Fri May 31 23:40:19 2019 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DA3DC15A45EE; Fri, 31 May 2019 23:40:18 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7C74389190; Fri, 31 May 2019 23:40:18 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from John-Baldwins-MacBook-Pro-4.local (ralph.baldwin.cx [66.234.199.215]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: jhb) by smtp.freebsd.org (Postfix) with ESMTPSA id A401D178A7; Fri, 31 May 2019 23:40:17 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Subject: Re: svn commit: r348482 - stable/11/sys/netipsec To: Warner Losh Cc: src-committers , svn-src-all , svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org References: <201905312026.x4VKQu3T051213@repo.freebsd.org> <15af7ff4-42c9-2020-4167-6e757317f38a@FreeBSD.org> From: John Baldwin Openpgp: preference=signencrypt Autocrypt: addr=jhb@FreeBSD.org; keydata= mQGiBETQ+XcRBADMFybiq69u+fJRy/0wzqTNS8jFfWaBTs5/OfcV7wWezVmf9sgwn8TW0Dk0 c9MBl0pz+H01dA2ZSGZ5fXlmFIsee1WEzqeJzpiwd/pejPgSzXB9ijbLHZ2/E0jhGBcVy5Yo /Tw5+U/+laeYKu2xb0XPvM0zMNls1ah5OnP9a6Ql6wCgupaoMySb7DXm2LHD1Z9jTsHcAQMD /1jzh2BoHriy/Q2s4KzzjVp/mQO5DSm2z14BvbQRcXU48oAosHA1u3Wrov6LfPY+0U1tG47X 1BGfnQH+rNAaH0livoSBQ0IPI/8WfIW7ub4qV6HYwWKVqkDkqwcpmGNDbz3gfaDht6nsie5Z pcuCcul4M9CW7Md6zzyvktjnbz61BADGDCopfZC4of0Z3Ka0u8Wik6UJOuqShBt1WcFS8ya1 oB4rc4tXfSHyMF63aPUBMxHR5DXeH+EO2edoSwViDMqWk1jTnYza51rbGY+pebLQOVOxAY7k do5Ordl3wklBPMVEPWoZ61SdbcjhHVwaC5zfiskcxj5wwXd2E9qYlBqRg7QeSm9obiBCYWxk d2luIDxqaGJARnJlZUJTRC5vcmc+iGAEExECACAFAkTQ+awCGwMGCwkIBwMCBBUCCAMEFgID AQIeAQIXgAAKCRBy3lIGd+N/BI6RAJ9S97fvbME+3hxzE3JUyUZ6vTewDACdE1stFuSfqMvM jomvZdYxIYyTUpC5Ag0ERND5ghAIAPwsO0B7BL+bz8sLlLoQktGxXwXQfS5cInvL17Dsgnr3 1AKa94j9EnXQyPEj7u0d+LmEe6CGEGDh1OcGFTMVrof2ZzkSy4+FkZwMKJpTiqeaShMh+Goj XlwIMDxyADYvBIg3eN5YdFKaPQpfgSqhT+7El7w+wSZZD8pPQuLAnie5iz9C8iKy4/cMSOrH YUK/tO+Nhw8Jjlw94Ik0T80iEhI2t+XBVjwdfjbq3HrJ0ehqdBwukyeJRYKmbn298KOFQVHO EVbHA4rF/37jzaMadK43FgJ0SAhPPF5l4l89z5oPu0b/+5e2inA3b8J3iGZxywjM+Csq1tqz hltEc7Q+E08AAwUIAL+15XH8bPbjNJdVyg2CMl10JNW2wWg2Q6qdljeaRqeR6zFus7EZTwtX sNzs5bP8y51PSUDJbeiy2RNCNKWFMndM22TZnk3GNG45nQd4OwYK0RZVrikalmJY5Q6m7Z16 4yrZgIXFdKj2t8F+x613/SJW1lIr9/bDp4U9tw0V1g3l2dFtD3p3ZrQ3hpoDtoK70ioIAjjH aIXIAcm3FGZFXy503DOA0KaTWwvOVdYCFLm3zWuSOmrX/GsEc7ovasOWwjPn878qVjbUKWwx Q4QkF4OhUV9zPtf9tDSAZ3x7QSwoKbCoRCZ/xbyTUPyQ1VvNy/mYrBcYlzHodsaqUDjHuW+I SQQYEQIACQUCRND5ggIbDAAKCRBy3lIGd+N/BCO8AJ9j1dWVQWxw/YdTbEyrRKOY8YZNwwCf afMAg8QvmOWnHx3wl8WslCaXaE8= Message-ID: <1d68c9d4-65f8-1f24-40d1-38813aa5de57@FreeBSD.org> Date: Fri, 31 May 2019 16:40:16 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 7C74389190 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.88 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.88)[-0.876,0] X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 May 2019 23:40:19 -0000 On 5/31/19 3:47 PM, Warner Losh wrote: > On Fri, May 31, 2019 at 4:36 PM John Baldwin wrote: > >> On 5/31/19 1:26 PM, John Baldwin wrote: >>> Author: jhb >>> Date: Fri May 31 20:26:56 2019 >>> New Revision: 348482 >>> URL: https://svnweb.freebsd.org/changeset/base/348482 >>> >>> Log: >>> MFC 348205: >>> Add deprecation warnings for IPsec algorithms deprecated in RFC 8221. >>> >>> All of these algorithms are either explicitly marked MUST NOT, or they >>> are implicitly MUST NOTs by virtue of not being included in IETF's >>> list of protocols at all despite having assignments from IANA. >>> >>> Specifically, this adds warnings for the following ciphers: >>> - des-cbc >>> - blowfish-cbc >>> - cast128-cbc >>> - des-deriv >>> - des-32iv >>> - camellia-cbc >>> >>> Warnings for the following authentication algorithms are also added: >>> - hmac-md5 >>> - keyed-md5 >>> - keyed-sha1 >>> - hmac-ripemd160 >>> >>> Approved by: re (gjb) >> >> Sigh, so I just noticed while testing an MFC of another commit that adds >> deprecation warnings (GELI) that these warnings don't actually fire in 11 >> because gone_in(13, ...) only warns on 12.x and later: >> >> void >> _gone_in(int major, const char *msg) >> { >> >> gone_panic(major, P_OSREL_MAJOR(__FreeBSD_version), msg); >> if (P_OSREL_MAJOR(__FreeBSD_version) >= major) >> printf("Obsolete code will removed soon: %s\n", msg); >> else if (P_OSREL_MAJOR(__FreeBSD_version) + 1 == major) >> printf("Deprecated code (to be removed in FreeBSD %d): >> %s\n", >> major, msg); >> } >> >> I guess we could make the later test unconditional on stable/11 (and >> possibly >> make that change on HEAD and MFC it)? I think I understand why we did that >> originally (you could MFC warnings back to older branches without annoying >> users to keep code in sync), but I wonder if in practice we don't want the >> warnings always enabled? >> > > "It seemed like a good idea at the time" I think is why we did it, but it > turns out that it's not such a good idea. I agree: we should always warn in > older branches because latter-day releases of those branches will be > proximate to the removal time in major + 2. This is a perfect example of > this. Another datapoint in favor that I realized after my original e-mail is that gone_panic() doesn't have the + 1 check. If you set the associated sysctl to 2 (not the default) to panic for deprecated things, it will panic over something that it doesn't warn about by default. -- John Baldwin