Commit log (columns: commit message, author, age, files, lines changed)
* tell config how to build wg(4)
  [dlg, 2020-06-21, 1 file, -1/+7]

* add wg(4), an in kernel driver for WireGuard vpn communication.
  [dlg, 2020-06-21, 7 files, -1/+5218]
  thanks to Matt Dunwoodie and Jason A. Donenfeld for their effort. it's at least as functional as the go implementation, and maybe more so since this one works on more architectures. i'm sure there's further development that can be done, but you can say that about anything and everything that's in the tree.
  ok deraadt@

* wireguard is taking over the gif mbuf tag.
  [dlg, 2020-06-21, 2 files, -11/+10]
  gif used its mbuf tag to store its interface index so it could detect loops. gre also did this, and i cut most of the drivers (including gif) over to using the gre tag. so the gif tag is unused. wireguard uses the tag to store peer information between different contexts the packet is processed in. it also needs a bit more space to do that.
  from Matt Dunwoodie and Jason A. Donenfeld
  ok deraadt@

* wireguard can do ipv6, but doesn't do link local addresses.
  [dlg, 2020-06-21, 1 file, -1/+8]
  i feel like i should add IFT_L3IPVLAN here so mgre(4) can take advantage of this too.
  from Matt Dunwoodie and Jason A. Donenfeld
  ok deraadt@

* add IFT_WIREGUARD.
  [dlg, 2020-06-21, 1 file, -1/+2]
  i'm still not a fan of the peer semantics of wireguard interfaces where each interface can have multiple peers and each peer has a set of the allowed ips configured, aka cryptokey routing. traditionally we would use a tunnel (IFT_TUNNEL) style interface per peer, which means there's a 1:1 mapping between a peer and an interface. in turn that means you can apply policy with things like pf to the interface and it implies policy on the peer. so allowed ips inside a wg interface feels like a bandaid for a self inflicted wound to some degree. however, deraadt@ points out that the boat has sailed, and being compatible with the larger ecosystem has benefits. admins can choose to setup an interface per peer if they want to, so we get the best of both worlds. i will admit an interface per peer sucks in a concentrator situation though. that's why we still have pppac(4) as well as pppx(4). i also don't have any better ideas for how to scale or even express this kind of policy in a concentrator setting either. apologies for the teary.
  from Matt Dunwoodie and Jason A. Donenfeld
  ok deraadt@

* add constructions for wireguard.
  [dlg, 2020-06-21, 2 files, -0/+174]
  from Matt Dunwoodie and Jason A. Donenfeld
  ok deraadt@

* add hchacha20 for wireguard.
  [dlg, 2020-06-21, 1 file, -0/+40]
  i think we should turn the chacha code into an actual c file at some point to reduce duplication of object code, but that can happen later.
  from Matt Dunwoodie and Jason A. Donenfeld
  ok deraadt@

* curve25519 for wireguard.
  [dlg, 2020-06-21, 2 files, -0/+933]
  via Matt Dunwoodie and Jason A. Donenfeld
  ok deraadt@

* add blake2s for wireguard.
  [dlg, 2020-06-21, 2 files, -0/+309]
  via Matt Dunwoodie and Jason A. Donenfeld
  ok deraadt@
* Add RCS marker
  [tb, 2020-06-21, 1 file, -0/+2]

* add neil peart; from matthew j. c. clarke
  [jmc, 2020-06-21, 1 file, -1/+3]

* document mq_push()
  [dlg, 2020-06-21, 1 file, -2/+21]

* add mq_push. it's like mq_enqueue, but drops from the head, not the tail.
  [dlg, 2020-06-21, 2 files, -2/+22]
  from Matt Dunwoodie and Jason A. Donenfeld

* wrap a long line. no functional change.
  [dlg, 2020-06-21, 1 file, -2/+3]

* if an inp_upcall is set, let it look at and maybe steal the udp packet.
  [dlg, 2020-06-21, 1 file, -3/+11]
  i wrote the original version of this, but it was tweaked by Matt Dunwoodie and Jason A. Donenfeld for use with wireguard.

* The onboard interfaces on T7/S7 machines don't provide a valid MAC address for themselves, so use the "local-mac-address" Open Firmware property instead, as done in ix(4).
  [jmatthew, 2020-06-21, 1 file, -1/+11]
  ok dlg@

* knf: the inp_upcall line was too long.
  [dlg, 2020-06-21, 1 file, -2/+3]

* add an inp_upcall function pointer and inp_upcall_arg to struct in_pcb.
  [dlg, 2020-06-21, 1 file, -1/+3]
  this is so protocols (eg, udp) can let things (eg, kernel support for wireguard or vxlan or geneve) look at and possibly steal packets before they get added to a socket buffer. i wrote the original version of this, but it was tweaked by Matt Dunwoodie and Jason A. Donenfeld for use with wireguard.

* wire the wireguard packet printer into tcpdump.
  [dlg, 2020-06-21, 5 files, -8/+21]
  from Matt Dunwoodie and Jason A. Donenfeld

* don't claim packets as wg if there's not enough captured bytes to read.
  [dlg, 2020-06-21, 1 file, -1/+11]

* cope with a truncated capture of a packet. this avoids reading invalid mem.
  [dlg, 2020-06-21, 1 file, -11/+27]

* add a printer for wireguard messages, but not hooked up just yet.
  [dlg, 2020-06-21, 1 file, -0/+126]
  from Matt Dunwoodie and Jason A. Donenfeld

* sync
  [deraadt, 2020-06-21, 1 file, -0/+1]
* supply the Aq (angle brackets) part missing in:
  [jmc, 2020-06-20, 20 files, -61/+61]
  .An author Aq Mt address

* bcmtmon(4)
  [kettenis, 2020-06-20, 2 files, -2/+50]

* Add bcmtmon(4), a driver for the temperature sensor on the Raspberry Pi 4.
  [kettenis, 2020-06-20, 3 files, -2/+131]
  Written by Alastair Poole.

* Shifts (<<) of more than 32 bits must be done on 64-bit values.
  [krw, 2020-06-20, 1 file, -2/+2]
  COVERITY 1491295
  ok kettenis@

* Make FUNCTION()/UNIT() return valid major/minor device numbers rather than always returning 0. bktr0..bktr15 should now 'work'.
  [krw, 2020-06-20, 1 file, -3/+4]
  COVERITY 1452865
  COVERITY 1452956
  COVERITY 1453025
  COVERITY 1453186
  COVERITY 1453231
  ian@'s bktr still works as well as it did before.

* Avoid one uninitialized warning in file_get()
  [jca, 2020-06-20, 1 file, -2/+2]

* basic macro cleanup: .Fo for long .Fn lines, .Fa for struct fields, avoid \*(Gt and \*(Lt, .Dv NULL, .Cm for pledge promises
  [schwarze, 2020-06-20, 1 file, -69/+75]

* add missing ENVIRONMENT, HISTORY, and AUTHORS sections, and a few other wording and markup improvements while here;
  [schwarze, 2020-06-20, 1 file, -12/+29]
  OK jmc@ ratchov@

* With filesystem having many cylinder groups and many inodes per cg the ncg * ipg calculation can overflow if signed types are used. Move to uint32_t for the relevant values. Aligned with FreeBSD changes. Also make sure newfs refuses to create an fs with more than 2^32-1 inodes.
  [otto, 2020-06-20, 13 files, -158/+181]
  ok millert@

* make zeroing fb mem conditional matching linux path
  [jsg, 2020-06-20, 1 file, -1/+2]
  ok kettenis@
* Break a glass ceiling on cwnd due to integer division during congestion avoidance. The problem and fix is noted in RFC5681 section 3.1, page 7.
  [procter, 2020-06-19, 1 file, -2/+2]
  Report, diff and testing from Brian Brombacher, thanks! Testing and a cosmetic tweak by myself.
  ok claudio

* VM_MAXUSER_ADDRESS needs to be page-aligned.
  [kettenis, 2020-06-19, 1 file, -1/+1]

* Fix calculation of the year.
  [kettenis, 2020-06-19, 1 file, -2/+2]

* Not quite correct implementations of copystr(9) and kcopy(9).
  [kettenis, 2020-06-19, 1 file, -7/+20]

* Enable lucky 13 test.
  [tb, 2020-06-19, 1 file, -5/+2]

* We inherited the constant time CBC padding removal from BoringSSL, but missed a subsequent fix for an off-by-one in that code. If the first byte of a CBC padding of length 255 is mangled, we don't detect that.
  [tb, 2020-06-19, 1 file, -4/+4]
  Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7
  Fixes the failing tlsfuzzer lucky 13 test case.
  ok beck inoguchi

* First stab at implementing system calls.
  [kettenis, 2020-06-19, 2 files, -2/+109]

* Add support for BCM4359 SDIO variants such as the AP6359SA module found on the RockPro64 WiFi module. Note that there is no firmware for this chip in the bwfm-firmware package at the moment.
  [kettenis, 2020-06-19, 2 files, -3/+12]
  ok patrick@

* Whitespace.
  [krw, 2020-06-19, 1 file, -2/+2]

* Set %r13 with a pointer to our per-CPU info struct when setting up a trapframe.
  [kettenis, 2020-06-19, 1 file, -1/+2]

* mark the functions documented in des_read_pw(3) as deprecated and point to UI_UTIL_read_pw(3) instead;
  [schwarze, 2020-06-19, 2 files, -6/+11]
  tb@ agrees with the general direction

* fold the TSC value in fewer operations, same result; ok deraadt@
  [naddy, 2020-06-19, 2 files, -12/+13]

* Whitespace. Two short lines to one line.
  [krw, 2020-06-19, 2 files, -14/+13]

* document X509_get0_pubkey_bitstr(3), correct the description of X509_get_X509_PUBKEY(3), document error handling of the read accessors, and mention the relevant STANDARDS
  [schwarze, 2020-06-19, 1 file, -5/+81]

* document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3)
  [schwarze, 2020-06-19, 1 file, -3/+52]

* Merge documentation of X509_get0_serialNumber(3) from OpenSSL-1.1.1 which is still under a free license. Wording tweaked by me.
  [schwarze, 2020-06-19, 1 file, -4/+19]

* Make iwx(4) reset Tx byte count table slots for frames that are done.
  [stsp, 2020-06-19, 1 file, -5/+11]
  This fixes a "fatal firmware error" at run-time. Thanks again to Sara Sharon who provided the hint that the error trace I was looking at indicated that the firmware was running into a problem while trying to flush its Tx queues, and that this could be related to the Tx byte count table not being maintained properly. Tested by sven falempin and myself.