Re: ssl(8) manpage: update key size and algorithm recommendations
On Thu, Sep 01, 2011 at 11:20:32PM -0400, Lawrence Teo wrote: This diff changes the ssl(8) man page to use a key size of 2048 bits when generating the RSA private key for use with httpd. Increasing numbers of CAs will no longer accept 1024-bit RSA CSRs as a response to NIST's draft publication SP800-57 Recommendation for Key Management. In addition, it changes the recommended algorithm for encrypting the private key from 3DES to AES-256. Thoughts? Lawrence fixed, thanks. jmc Index: ssl.8 === RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.46 diff -u -p -r1.46 ssl.8 --- ssl.8 26 Mar 2010 19:30:40 - 1.46 +++ ssl.8 2 Sep 2011 03:04:03 - @@ -94,7 +94,7 @@ directory, with the keys in the directory. .Pp Private keys can be encrypted using -.Ar 3DES +.Ar AES and a passphrase to protect their integrity should the encrypted file be disclosed. However, it is important to note that encrypted server keys mean that the @@ -110,13 +110,13 @@ you will need to generate an .Ar RSA certificate. .Bd -literal -offset indent -# openssl genrsa -out /etc/ssl/private/server.key 1024 +# openssl genrsa -out /etc/ssl/private/server.key 2048 .Ed .Pp Or, if you wish the key to be encrypted with a passphrase that you will have to type in when starting servers .Bd -literal -offset indent -# openssl genrsa -des3 -out /etc/ssl/private/server.key 1024 +# openssl genrsa -aes256 -out /etc/ssl/private/server.key 2048 .Ed .Pp The next step is to generate a
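Review bot: in the first ssl.8 hunk the sentence around the changed line now reads that keys are encrypted with AES "and a passphrase to protect their integrity should the encrypted file be disclosed"; encrypting the key file protects its confidentiality, not its integrity, so "to protect them" or "to protect their confidentiality" is the accurate wording. The new `.Ar AES` also no longer matches the option the examples below use (`-aes256`); say AES-256 in both places so the prose and the command agree.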
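Review bot: for the second hunk, `-aes256` with 2048 bits is the right replacement for `-des3` with 1024, but the surrounding text should say that `genrsa` derives the file key from the passphrase with OpenSSL's legacy PEM scheme (a single-iteration MD5 derivation, no salt stretching), so a disclosed `server.key` resists offline guessing only as well as the passphrase does; the larger modulus does nothing for that threat.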
diff to PackageLocator.pm to support multiple installpath entries
Hi there, see attached diff to PackageLocator.pm. It seems like in its current version it doesn't support multiple installpath entries, like: installpath = ftp://mymirror/localrepo installpath += ftp://mymirror/officialrepo Before it was only honoring the first entry, no matter whether += or = for the first entry. However, now it works as documented in pkg.conf(5) best regards, Marian http://crivens.terrorteam.de/~rabauke/OpenBSD/PackageLocator.pm.diff or Index: usr.sbin/pkg_add/OpenBSD/PackageLocator.pm === RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PackageLocator.pm,v retrieving revision 1.99 diff -p -u -r1.99 PackageLocator.pm --- usr.sbin/pkg_add/OpenBSD/PackageLocator.pm 26 Aug 2011 08:46:10 - 1.99 +++ usr.sbin/pkg_add/OpenBSD/PackageLocator.pm 7 Sep 2011 10:19:24 - @@ -40,7 +40,7 @@ sub build_default_path return; } $default_path-add(OpenBSD::PackageRepository-new(./, $state)-can_be_empty); - if (my $i = $state-config-value(installpath)) { + for my $i ($state-config-value(installpath)) { $default_path-add(OpenBSD::PackageRepository-new($i, $state)); } }
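Review bot: `for my $i ($state->config->value('installpath'))` drops the guard that `if (my $i = ...)` gave you: if no installpath is configured and `value()` returns undef rather than an empty list, the loop still runs once with `$i` undefined and `PackageRepository->new(undef, $state)` is called; either confirm `value()` yields `()` in list context for an unset key or add `grep { defined } ...` around the call. The change also only does anything if `value()` returns every `+=` entry in list context, which the hunk assumes but does not show; the accessor's behaviour is worth citing in the commit message.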
Re: [patch] pf_norm: clear IPv4 reserved flag
Good idea, thx. @OpenBSD-tech: here is the new diff. -Steffen cvs server: Diffing . Index: pf_norm.c === RCS file: /cvs/src/sys/net/pf_norm.c,v retrieving revision 1.140 diff -u -p -r1.140 pf_norm.c --- pf_norm.c 18 Jul 2011 21:03:10 - 1.140 +++ pf_norm.c 7 Sep 2011 13:52:18 - @@ -1454,4 +1454,7 @@ pf_scrub(struct mbuf *m, u_int16_t flags if (flags PFSTATE_RANDOMID af == AF_INET !(h-ip_off ~htons(IP_DF))) h-ip_id = htons(ip_randomid()); + + /* clear IP reserved flag */ + h-ip_off ^= htons(IP_RF); } On Wed, 7 Sep 2011 13:32:02 +, wrote: Avoid the branch... Don't need the if h-off = ~htons(IP_RF); --jason wright --Original Message-- From: Steffen Wendzel Sender: owner-t...@openbsd.org To: tech@openbsd.org Subject: [patch] pf_norm: clear IPv4 reserved flag Sent: Sep 7, 2011 02:41 Hi list, it would be nice, if the reserved flag in the IP would be cleared by pf_norm to eliminate covert channels using the bit. Here is a small patch for that. regards, Steffen Index: pf_norm.c === RCS file: /cvs/src/sys/net/pf_norm.c,v retrieving revision 1.140 diff -u -p -r1.140 pf_norm.c --- pf_norm.c 18 Jul 2011 21:03:10 - 1.140 +++ pf_norm.c 6 Sep 2011 15:40:48 - @@ -1454,4 +1454,8 @@ pf_scrub(struct mbuf *m, u_int16_t flags if (flags PFSTATE_RANDOMID af == AF_INET !(h-ip_off ~htons(IP_DF))) h-ip_id = htons(ip_randomid()); + + /* clear IP reserved flag */ + if (h-ip_off htons(IP_RF)) + h-ip_off ^= htons(IP_RF); } -- My Website: http://www.wendzel.de, Openbook: http://www.linux-openbook.de
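Review bot: the new hunk's `h->ip_off ^= htons(IP_RF);` toggles the reserved bit instead of clearing it. With the `if (h->ip_off & htons(IP_RF))` guard from the first version removed, every packet that arrives with IP_RF clear now leaves pf with it set, which is the opposite of what the comment says and would itself produce the covert-channel bit on all scrubbed traffic. The branch-free form suggested in the quoted reply is and-not, not xor: `h->ip_off &= ~htons(IP_RF);`. The earlier guarded version was correct, merely not branch-free.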
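A user-space model of the scrub step, added as an example and not taken from pf_norm.c or either diff: it clears IP_RF with and-not so DF, MF and the fragment offset survive, recomputes the header checksum the bit change invalidates, and keeps the unconditional xor beside it to show how that variant sets the bit on packets that arrived clean. The header layout and flag values are RFC 791 / `<netinet/ip.h>`; the function names and the sample header are this example's own.

```c
/*
 * Added example, not part of pf_norm.c or the diffs above.  Header layout
 * and flag values follow RFC 791 / <netinet/ip.h>; the function names and
 * the constructed sample header are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_RF 0x8000u   /* reserved flag: must be zero on the wire */
#define IP_DF 0x4000u   /* don't fragment */
#define IP_MF 0x2000u   /* more fragments */

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071 one's-complement checksum; yields 0 over a header whose checksum is valid. */
uint16_t ip_cksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += get16(hdr + i);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header length in bytes if the buffer holds a plausible IPv4 header, else 0. */
static size_t ip_hdrlen(const uint8_t *pkt, size_t len)
{
    size_t hl;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    hl = (size_t)(pkt[0] & 0x0f) * 4;
    return (hl >= 20 && hl <= len) ? hl : 0;
}

static void ip_fix_cksum(uint8_t *pkt, size_t hl)
{
    put16(pkt + 10, 0);
    put16(pkt + 10, ip_cksum(pkt, hl));
}

/*
 * Correct scrub: and-not clears IP_RF whatever its current value and leaves
 * DF, MF and the offset alone.  Returns 1 if the bit was set and is now
 * clear, 0 if it was already clear, -1 for a malformed header.
 */
int scrub_ip_rf(uint8_t *pkt, size_t len)
{
    size_t hl = ip_hdrlen(pkt, len);
    uint16_t off;

    if (hl == 0)
        return -1;
    off = get16(pkt + 6);
    if (!(off & IP_RF))
        return 0;
    put16(pkt + 6, (uint16_t)(off & ~IP_RF));
    ip_fix_cksum(pkt, hl);
    return 1;
}

/* The unconditional xor, kept for contrast: it flips the bit, so a packet that
 * arrives clean leaves with IP_RF set.  Returns the bit's new state. */
int toggle_ip_rf(uint8_t *pkt, size_t len)
{
    size_t hl = ip_hdrlen(pkt, len);

    if (hl == 0)
        return -1;
    put16(pkt + 6, (uint16_t)(get16(pkt + 6) ^ IP_RF));
    ip_fix_cksum(pkt, hl);
    return (get16(pkt + 6) & IP_RF) ? 1 : 0;
}

/* Constructed sample: a 20-byte TCP/IPv4 header with the given ip_off field. */
size_t make_ipv4_hdr(uint8_t *buf, uint16_t ip_off)
{
    static const uint8_t src[4] = { 10, 0, 0, 1 }, dst[4] = { 10, 0, 0, 2 };

    memset(buf, 0, 20);
    buf[0] = 0x45;            /* version 4, IHL 5 (20 bytes) */
    put16(buf + 2, 20);       /* total length: header only */
    put16(buf + 4, 0x1234);   /* identification */
    put16(buf + 6, ip_off);   /* flags + fragment offset */
    buf[8] = 64;              /* TTL */
    buf[9] = 6;               /* protocol: TCP */
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, dst, 4);
    ip_fix_cksum(buf, 20);
    return 20;
}

/* 1 if the header checksum verifies, 0 otherwise. */
int ip_cksum_ok(const uint8_t *pkt, size_t len)
{
    size_t hl = ip_hdrlen(pkt, len);

    return hl != 0 && ip_cksum(pkt, hl) == 0;
}
```

Feeding the same header through `scrub_ip_rf` twice returns 1 then 0 and leaves the checksum valid; feeding a clean header through `toggle_ip_rf` returns 1, which is the behaviour the unguarded xor would give pf on every ordinary packet.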
Re: diff to PackageLocator.pm to support multiple installpath entries
On Wed, Sep 07, 2011 at 12:26:30PM +0200, Marian Hettwer wrote: Hi there, see attached diff to PackageLocator.pm. It seems like in it's current version it doesn't support multiple installpath entries, like: installpath = ftp://mymirror/localrepo installpath += ftp://mymirror/officialrepo Before it was only honoring the first entry, no matter whether += or = for the first entry. However, now it works as documented in pkg.conf(5) best regards, Marian http://crivens.terrorteam.de/~rabauke/OpenBSD/PackageLocator.pm.diff or Index: usr.sbin/pkg_add/OpenBSD/PackageLocator.pm === RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PackageLocator.pm,v retrieving revision 1.99 diff -p -u -r1.99 PackageLocator.pm --- usr.sbin/pkg_add/OpenBSD/PackageLocator.pm26 Aug 2011 08:46:10 - 1.99 +++ usr.sbin/pkg_add/OpenBSD/PackageLocator.pm7 Sep 2011 10:19:24 - @@ -40,7 +40,7 @@ sub build_default_path return; } $default_path-add(OpenBSD::PackageRepository-new(./, $state)-can_be_empty); - if (my $i = $state-config-value(installpath)) { + for my $i ($state-config-value(installpath)) { $default_path-add(OpenBSD::PackageRepository-new($i, $state)); } } 2 points: 1/ pkg.conf(5) does not actually say that all variables are lists. And it was not really intended for installpath (in particular, if you make installpath into a list, your next binary upgrade of the base system is going to give really funny results). 2/ the whole repository/locator/handle mess is under reconstruction, as it is a total mess, and doesn't even do what I want it to do correctly. Not exactly the right time to tweak minor bits in code that's directly headed to the trashcan...
USB nitpicking
if_atu.c includes kthread.h but it doesn't actually have any threads, so include timeout.h instead since that's what's needed (usbdi.h pulls in struct timeout). ohci.c uses 0 instead of NULL in a pointer assignment. -m. Index: if_atu.c === RCS file: /var/ocvs/src/sys/dev/usb/if_atu.c,v retrieving revision 1.99 diff -u -p -r1.99 if_atu.c --- if_atu.c3 Jul 2011 15:47:17 - 1.99 +++ if_atu.c7 Sep 2011 23:51:36 - @@ -53,7 +53,7 @@ #include sys/kernel.h #include sys/socket.h #include sys/systm.h -#include sys/kthread.h +#include sys/timeout.h #include sys/queue.h #include sys/device.h Index: ohci.c === RCS file: /var/ocvs/src/sys/dev/usb/ohci.c,v retrieving revision 1.104 diff -u -p -r1.104 ohci.c --- ohci.c 3 Jul 2011 15:47:17 - 1.104 +++ ohci.c 8 Sep 2011 00:36:42 - @@ -442,7 +442,7 @@ ohci_alloc_sed(ohci_softc_t *sc) sed = sc-sc_freeeds; sc-sc_freeeds = sed-next; memset(sed-ed, 0, sizeof(ohci_ed_t)); - sed-next = 0; + sed-next = NULL; return (sed); } -- The Librarian gave him the kind of look other people would reserve for people who said things like `What's so bad about genocide?' -- (Terry Pratchett, Guards! Guards!)
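Review bot: for the if_atu.c hunk, swapping `sys/kthread.h` for `sys/timeout.h` is only safe if nothing else in the file used a kthread.h symbol (kthread_create, kthread_exit) transitively; a compile with the header gone is the check, and a one-line mention that it was done would make the commit self-evidently safe. The ohci.c `0` to `NULL` change is a pure style fix and fine as is.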
Sandybridge graphics support: part 1 basic kernel support.
A few months ago jcs@ got a sandybridge laptop; he did some work to get it almost working. I continued this a few months ago in edmonton at c2k11. Since then kettenis@ who has hardware has made yet more progress. Now the plan is to get this into the tree, but first some precursors. This kernel patch is just the very basic bits needed to get sandybridge working; the extra ring buffers (BSD, blit) are not in this patch (I have half to 2/3 of a diff for that). Nor are the requisite xserver bits. For now some extra testing is required to make sure these patches don't break any existing setups so that they can go in and work can progress. So please mail me and kettenis@ privately if this patch regresses your inteldrm(4)-using hardware. Reports that this does nothing other than attach for sandybridge right now are not necessary. We know. Cheers, -0- -- It took me fifteen years to discover that I had no talent for writing, but I couldn't give up because by that time I was too famous. -- Robert Benchley diff --git dev/pci/agp_i810.c dev/pci/agp_i810.c index 41b9189..b62610e 100644 --- dev/pci/agp_i810.c +++ dev/pci/agp_i810.c @@ -71,6 +71,7 @@ enum { CHIP_G4X= 7,/* G4X */ CHIP_PINEVIEW = 8,/* Pineview/Pineview M */ CHIP_IRONLAKE = 9,/* Clarkdale/Arrandale */ + CHIP_SANDYBRIDGE=10,/* Sandybridge */ }; struct agp_i810_softc { 
@@ -183,13 +184,23 @@ agp_i810_get_chiptype(struct pci_attach_args *pa) case PCI_PRODUCT_INTEL_82G45_IGD_1: case PCI_PRODUCT_INTEL_82G41_IGD_1: return (CHIP_G4X); + break; case PCI_PRODUCT_INTEL_PINEVIEW_IGC_1: case PCI_PRODUCT_INTEL_PINEVIEW_M_IGC_1: return (CHIP_PINEVIEW); + break; case PCI_PRODUCT_INTEL_CLARKDALE_IGD: case PCI_PRODUCT_INTEL_ARRANDALE_IGD: return (CHIP_IRONLAKE); break; + case PCI_PRODUCT_INTEL_CORE2G_GT1: + case PCI_PRODUCT_INTEL_CORE2G_M_GT1: + case PCI_PRODUCT_INTEL_CORE2G_GT2: + case PCI_PRODUCT_INTEL_CORE2G_M_GT2: + case PCI_PRODUCT_INTEL_CORE2G_GT2_PLUS: + case PCI_PRODUCT_INTEL_CORE2G_M_GT2_PLUS: + return (CHIP_SANDYBRIDGE); + break; } return (CHIP_NONE); } @@ -246,6 +257,7 @@ agp_i810_attach(struct device *parent, struct device *self, void *aux) case CHIP_I965: case CHIP_G4X: case CHIP_IRONLAKE: + case CHIP_SANDYBRIDGE: gmaddr = AGP_I965_GMADR; mmaddr = AGP_I965_MMADR; memtype = PCI_MAPREG_TYPE_MEM | PCI_MAPREG_MEM_TYPE_64BIT; 
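Review bot: the three added `break;` lines in agp_i810_get_chiptype each follow an unconditional `return (...)` and are unreachable; they mirror the existing CHIP_IRONLAKE case, but that one is dead code too, so either drop all four or leave the pattern alone rather than spreading it. The new PCI_PRODUCT_INTEL_CORE2G_* case list and the CHIP_SANDYBRIDGE addition to the AGP_I965_GMADR/MMADR group in the second hunk are fine.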
@@ -477,6 +489,85 @@ agp_i810_attach(struct device *parent, struct device *self, void *aux) gatt-ag_physical = READ4(AGP_I810_PGTBL_CTL) ~1; break; + case CHIP_SANDYBRIDGE: + + /* Stolen memory is set up at the beginning of the aperture by +* the BIOS, consisting of the GATT followed by 4kb for the +* BIOS display. +*/ + + gcc1 = (u_int16_t)pci_conf_read(bpa.pa_pc, bpa.pa_tag, + AGP_INTEL_SNB_GMCH_CTRL); + + stolen = 4; + + switch (gcc1 AGP_INTEL_SNB_GMCH_GMS_STOLEN_MASK) { + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_32M: + isc-stolen = (32768 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_64M: + isc-stolen = (65536 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_96M: + isc-stolen = (98304 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_128M: + isc-stolen = (131072 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_160M: + isc-stolen = (163840 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_192M: + isc-stolen = (196608 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_224M: + isc-stolen = (229376 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_256M: + isc-stolen = (262144 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_288M: + isc-stolen = (294912 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_320M: + isc-stolen = (327680 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_352M: +
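Review bot: the comment on this hunk says stolen memory consists of "the GATT followed by 4kb for the BIOS display", yet `stolen = 4` subtracts only the 4 KB display page and nothing for a GATT; either the GTT is not in stolen memory on this chipset, in which case the comment is wrong, or it is and the arithmetic omits it, so the two need to be made to agree before this goes in. Separately, `stolen` holds kilobytes while `isc->stolen` receives pages, and every case is the same `(size_kb - stolen) * 1024 / 4096`; a table mapping each AGP_INTEL_SNB_GMCH_GMS_STOLEN_* value to its size in MB with one computation after the lookup would make an off-by-one in any of the eleven lines visible at a glance.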
Re: USB nitpicking
I don't have any atu(4) device. However, I do have an OHCI HUB with a keyboard hooked. No breakage up to now, and the ukbd still works fine. ohci0 at pci4 dev 0 function 0 ATT/Lucent USB 2-port rev 0x10: apic 1 int 16, version 1.0, legacy support usb1 at ohci0: USB revision 1.0 uhub1 at usb1 ATT/Lucent OHCI root hub rev 1.00/1.00 addr 1 ohci0 at pci4 dev 0 function 0 ATT/Lucent USB 2-port rev 0x10: apic 1 int 16, version 1.0, legacy support usb1 at ohci0: USB revision 1.0 uhub1 at usb1 ATT/Lucent OHCI root hub rev 1.00/1.00 addr 1 ukbd0 at uhidev0: 8 modifier keys, 6 key codes wskbd1 at ukbd0 mux 1 ukbd0 at uhidev0: 8 modifier keys, 6 key codes wskbd1 at ukbd0 mux 1 uhidev0 at uhub1 port 2 configuration 1 interface 0 Ever Electronics Corp. Usb KeyBoard rev 1.10/1.05 addr 2 uhidev1 at uhub1 port 2 configuration 1 interface 1 Ever Electronics Corp. Usb KeyBoard rev 1.10/1.05 addr 2 uhub1 at usb1 ATT/Lucent OHCI root hub rev 1.00/1.00 addr 1 On Thu, Sep 8, 2011 at 5:00 AM, Michael Knudsen m...@molioner.dk wrote: if_atu.c includes kthread.h but it doesn't actually have any threads, so include timeout.h instead since that's what's needed (usbdi.h pulls in struct timeout). ohci.c uses 0 instead of NULL in a pointer assignment. -m. Index: if_atu.c === RCS file: /var/ocvs/src/sys/dev/usb/if_atu.c,v retrieving revision 1.99 diff -u -p -r1.99 if_atu.c --- if_atu.c3 Jul 2011 15:47:17 - 1.99 +++ if_atu.c7 Sep 2011 23:51:36 - @@ -53,7 +53,7 @@ #include sys/kernel.h #include sys/socket.h #include sys/systm.h -#include sys/kthread.h +#include sys/timeout.h #include sys/queue.h #include sys/device.h Index: ohci.c === RCS file: /var/ocvs/src/sys/dev/usb/ohci.c,v retrieving revision 1.104 diff -u -p -r1.104 ohci.c --- ohci.c 3 Jul 2011 15:47:17 - 1.104 +++ ohci.c 8 Sep 2011 00:36:42 - 
@@ -442,7 +442,7 @@ ohci_alloc_sed(ohci_softc_t *sc) sed = sc-sc_freeeds; sc-sc_freeeds = sed-next; memset(sed-ed, 0, sizeof(ohci_ed_t)); - sed-next = 0; + sed-next = NULL; return (sed); } -- The Librarian gave him the kind of look other people would reserve for people who said things like `What's so bad about genocide?' -- (Terry Pratchett, Guards! Guards!) -- `` Real men run current !''
Re: Sandybridge graphics support: part 1 basic kernel support.
diff --git dev/pci/agpreg.h dev/pci/agpreg.h index 4e3af78..47d5748 100644 --- dev/pci/agpreg.h +++ dev/pci/agpreg.h @@ -1,4 +1,4 @@ -/* $OpenBSD$ */ +/* $OpenBSD: agpreg.h,v 1.12 2008/12/24 05:42:58 oga Exp $ */ /* $NetBSD: agpreg.h,v 1.1 2001/09/10 10:01:02 fvdl Exp $ */ Great. Please don't bother mailing out diffs using git solutions unless you know how to spot, and test, and cope, when the diffs are not going to apply.
Re: Sandybridge graphics support: part 1 basic kernel support.
On Thu, Sep 08, 2011 at 05:25:46AM +0100, Owain Ainsworth wrote: A few months ago jcs@ got a sandybridge laptop, he did some work to get it almost working. I continued this a few months ago in edmonton at c2k11. Since then kettenis@ who has hardware has made yet more progress. Now the plan is to get this into the tree, but first some precursors. This kernel patch is just the very basic bits needed to get sandybridge working, the extra ringsbuffers (BSD, blit) are not in this patch (I have half to 2/3 of a diff for that). Nor are the requisit xserver bits. For now some extra testing is required to make sure these patches don't break any existing setups so that they can go in and work can progress. So please mail me and kettenis@ privately if this patch regresses your inteldrm(4) using hardware. Reports that this does nothing other than attach for sandybridge right now are not necessary. We know. Cheers, -0- Bah, now without a keyword bit that won't apply. Index: dev/pci/agp_i810.c === RCS file: /cvs/src/sys/dev/pci/agp_i810.c,v retrieving revision 1.69 diff -u -p -r1.69 agp_i810.c --- dev/pci/agp_i810.c 6 Sep 2010 15:00:50 - 1.69 +++ dev/pci/agp_i810.c 8 Sep 2011 04:59:19 - @@ -71,6 +71,7 @@ enum { CHIP_G4X= 7,/* G4X */ CHIP_PINEVIEW = 8,/* Pineview/Pineview M */ CHIP_IRONLAKE = 9,/* Clarkdale/Arrandale */ + CHIP_SANDYBRIDGE=10,/* Sandybridge */ }; struct agp_i810_softc { 
@@ -183,13 +184,23 @@ agp_i810_get_chiptype(struct pci_attach_ case PCI_PRODUCT_INTEL_82G45_IGD_1: case PCI_PRODUCT_INTEL_82G41_IGD_1: return (CHIP_G4X); + break; case PCI_PRODUCT_INTEL_PINEVIEW_IGC_1: case PCI_PRODUCT_INTEL_PINEVIEW_M_IGC_1: return (CHIP_PINEVIEW); + break; case PCI_PRODUCT_INTEL_CLARKDALE_IGD: case PCI_PRODUCT_INTEL_ARRANDALE_IGD: return (CHIP_IRONLAKE); break; + case PCI_PRODUCT_INTEL_CORE2G_GT1: + case PCI_PRODUCT_INTEL_CORE2G_M_GT1: + case PCI_PRODUCT_INTEL_CORE2G_GT2: + case PCI_PRODUCT_INTEL_CORE2G_M_GT2: + case PCI_PRODUCT_INTEL_CORE2G_GT2_PLUS: + case PCI_PRODUCT_INTEL_CORE2G_M_GT2_PLUS: + return (CHIP_SANDYBRIDGE); + break; } return (CHIP_NONE); } @@ -246,6 +257,7 @@ agp_i810_attach(struct device *parent, s case CHIP_I965: case CHIP_G4X: case CHIP_IRONLAKE: + case CHIP_SANDYBRIDGE: gmaddr = AGP_I965_GMADR; mmaddr = AGP_I965_MMADR; memtype = PCI_MAPREG_TYPE_MEM | PCI_MAPREG_MEM_TYPE_64BIT; 
@@ -477,6 +489,85 @@ agp_i810_attach(struct device *parent, s gatt-ag_physical = READ4(AGP_I810_PGTBL_CTL) ~1; break; + case CHIP_SANDYBRIDGE: + + /* Stolen memory is set up at the beginning of the aperture by +* the BIOS, consisting of the GATT followed by 4kb for the +* BIOS display. +*/ + + gcc1 = (u_int16_t)pci_conf_read(bpa.pa_pc, bpa.pa_tag, + AGP_INTEL_SNB_GMCH_CTRL); + + stolen = 4; + + switch (gcc1 AGP_INTEL_SNB_GMCH_GMS_STOLEN_MASK) { + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_32M: + isc-stolen = (32768 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_64M: + isc-stolen = (65536 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_96M: + isc-stolen = (98304 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_128M: + isc-stolen = (131072 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_160M: + isc-stolen = (163840 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_192M: + isc-stolen = (196608 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_224M: + isc-stolen = (229376 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_256M: + isc-stolen = (262144 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_288M: + isc-stolen = (294912 - stolen) * 1024 / 4096; + break; + case AGP_INTEL_SNB_GMCH_GMS_STOLEN_320M: + isc-stolen = (327680 - stolen) * 1024 / 4096; + break; + case