cinap_lenrek [Sun, 25 Feb 2018 02:42:38 +0000 (03:42 +0100)]
devether: remove (unimplemented) detach, allow device creation on attach
we allow devether to create ethernet cards on attach. this is useull
for virtual cards like the sink driver, so we can create a sink
by simply: bind -a '#l2:sink ea=112233445566' /net
the detach routine was never called, so remove it from the few drivers
that attempted to implement it.
cinap_lenrek [Wed, 7 Feb 2018 17:13:22 +0000 (18:13 +0100)]
usbxhci: fix mistake in completering()
the td index "x" was incremented twice, once in for loop
and in the body expression. so r->rp only got updated
every second completion. this is wrong, but harmless.
cinap_lenrek [Mon, 29 Jan 2018 07:26:42 +0000 (08:26 +0100)]
pc64: fix kmap() and invlpg()
flushing tlb once the index wraps arround is not enougth
as in use pte's can be speculatively loaded. so instead
use invlpg() and explicitely invalidate the tlb of the
page mapped.
this fixes wired mount cache corruption for reads approaching
2MB which is the size of the KMAP window.
cinap_lenrek [Sun, 28 Jan 2018 21:36:01 +0000 (22:36 +0100)]
ndb/dns: fix leak in myaddr(), normalize ip strings
remove myaddr() function and replace with myip() function
that receives binary ip address. and don't use string
comparsion for ip addresses... parse and then ipcmp().
for sanity reasons, normalize ip address strings and
reject unparsable ones. done by calling ipalookup()
with a binary ip address.
cinap_lenrek [Sun, 21 Jan 2018 21:32:34 +0000 (22:32 +0100)]
authsrv: implement mschapv2 authentication, include MPPE secret in the ticket
this adds new rpc for mschapv2 authentication (21)
deliver the MPPE secret not after the ticket/authenticator
response as cheartext, but include it in the first 128 bit
of the ticket key. and the authenticator in the first 160 bit
of the authenticator random field.
cinap_lenrek [Tue, 16 Jan 2018 22:27:23 +0000 (23:27 +0100)]
ip/ipconfig: use 2000::/3 instead of ::/0 for v6 default route
the ::/0 route has the bad side effect of breaking v4 connections
when theres no default route due to v6 mapped v4 addresses. this
might be temporary measure.
cinap_lenrek [Tue, 16 Jan 2018 19:42:01 +0000 (20:42 +0100)]
set router R-flag when sendra is active for neighbor advertisement
windows 7 just drops the default router when it tries to
probe for router reachability but gets a neighbor avertisement
from the router with the router bit clear.
so set the R-flag when sendra is active, which implies that
we are a router.
cinap_lenrek [Sat, 13 Jan 2018 06:16:17 +0000 (07:16 +0100)]
ether82557: don't turn off promisc mode when mcast table is not empty
the driver doesnt implement multicast filter, but just turns
on promiscuous mode when a multicast address is added. but this
breaks when one actually enables and then disables promiscuous
mode with say, running snoopy.
we have to keep promisc mode active as long as multicast table
is not empty.
cinap_lenrek [Fri, 12 Jan 2018 07:01:15 +0000 (08:01 +0100)]
wifi: filter out loopback traffic from myself
broadcast traffic was received back on the wire causing
duplicate address detection to break with dmat proy as
the rewritten broadcasts where observable.
the fix is to just ignore packets from ourselfs received
from the air. devether already handles loopback.
cinap_lenrek [Sun, 7 Jan 2018 23:23:26 +0000 (00:23 +0100)]
ether8169: deal with kernel memory exhaution
when kernel memory is exhausted, rtl8169replenish() can fail
to plant more receive descriptors and rtl8169receive() would
run over the receive tail and crash on the nil ctlr->rb[x].
rtl8169receive() is called on "Receive Descriptor Unavailable"
and "Packet Underrun" so we will try to replenish descriptors
in the beginning first in case memory was exhausted and memory
is available again and make sure not to run over the tail.
cinap_lenrek [Sun, 31 Dec 2017 08:06:42 +0000 (09:06 +0100)]
libc: constant time implementation for encode(2) routines, fix base32
the string encoding functions touch secret key material
in a bunch of places (devtls, devcap), so make sure we do
not leak information by cache timing side channels, making
the encoding and decoding routines constant time.
we also expose the alphabets through encXchr()/decXchr()
functions so caller can find the end of a encoded string
before calling decode function (for libmp).
the base32 encoding was broken in several ways. inputs
lengths of len%5 == [2,3,4] had output truncated and
it was using non-standard alphabet. documenting the alphabet
change in the manpage.
cinap_lenrek [Sat, 30 Dec 2017 02:07:47 +0000 (03:07 +0100)]
libsec: implement SPKI fingerprinting for okCertificate()
Instead of only using a hash over the whole certificate for
white/black-listing, now we can also use a hash over the
Subject Public Key Info (SPKI) field of the certificate which
contians the public key algorithm and the public key itself.
This allows certificates to be renewed independendtly of the
public key.
X509dump() now prints the public key thumbprint in addition
to the certificate thumbprint.
tlsclient will print the certificate when run with -D flag.
okCertificate() will print the public key thumbprint in its
error string when no match has been found.