Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
from tobhe@; ok and discussed with markus@ stsp@
Add ikev2_validate_ef() to validate fragment payload header size field
as we do for other IKEv2 payloads.
Reported by Dirk Loss
from tobhe@; ok markus@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
from tobhe@; ok markus@ hshoexer@
[11 lines not shown]
Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
from tobhe@; ok and discussed with markus@ stsp@
Add ikev2_validate_ef() to validate fragment payload header size field
as we do for other IKEv2 payloads.
Reported by Dirk Loss
from tobhe@; ok markus@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
from tobhe@; ok markus@ hshoexer@
[11 lines not shown]
If we receive a response it must have the exact same msgid as the last
request we sent, so make sure they match exactly rather than allowing
higher msgids.
We can't handle out of order responses and if we don't receive a response
in time we retransmit our request until we get one or run into a timeout.
Found by Dirk Loss
ok markus@ hshoexer@
iked only ever handles one exchange at a time so we can drop the
entire fragment queue instead of doing a lookup based on the msgid
Found by Dirk Loss
ok markus@ hshoexer@
Add SA state check for CREATE_CHILD_SA exchange, similar to what we do
for INFORMATIONAL exchanges. iked currently assumes that IKE_AUTH always
results in valid child SAs, so IKEV2_STATE_ESTABLISHED means we have
successfully completed the IKE_AUTH exchange for the SA.
Independently found by Dirk Loss and Daniel Polak (SYS.nl)
ok and discussed with markus@ stsp@
Do the unveil() after the daemon() call, because otherwise we wouldneed
"/dev/null" "rw" and "/" "r", in particular the second is ugly.
pointed out by bluhm, discussion also with dgl.
Restore the previous behaviour with maximum verification depth.
The maximum depth is not expected to include the leaf certificate - restore
the decrement prior to checking, which means the previous behaviour is
retained for the callback depth and the maximum depth. Reduce the maximum
depth by one in order to avoid the overwrite that could previously occur.
Thanks to anton@ for flagging the rust-openssl failure in regress.
ok tb@
make ddb output visible when entering ddb from X on amdgpu
add a call to drm_fb_helper_restore_fbdev_mode_unlocked()
to amdgpu_enter_ddb() otherwise ddb output can't be seen
not required on inteldrm or radeondrm
Clean up vmctl, remove use of vmd's log.c.
This reimplements simpler versions of logging functions needed for
linking the qcow and raw disk image code from vmd.
Also cleans up the Makefile a bit, removing atomicio.c which is
unused.
ok mlarkin@
Some new intel machines have a new 3rd tier of cpus called LP-E which are
E-core (Atom) without L3 cache. These cpus are Lethargic, and it sucks
when processes migrate to them.
This introduces sysctl hw.blockcpu= which takes a sequence of 4 letters.
S (for SMT), P (regular performance cpu), E (efficient cpu) generally
80% to 50% as fast), and L (lethargic cpu) which are even slower.
By setting this, you can select cpus to kick out of the scheduler. The
default is SL.
The hw.smt sysctl remains for now but we will eventually delete it.
hw.smt changes and follows hw.blockcpu=S.
ok kettenis mlarkin