ifconfig description for wireguard peers

2021-10-20 Thread Noah Meier
Hi,

While wireguard interfaces can have a description set by ifconfig, wireguard 
peers currently cannot. I now have a lot of peers, and being able to see a 
description of each one in ifconfig output would be helpful.

This diff adds a 'wgdesc' option to a 'wgpeer' in ifconfig (and a corresponding 
'-wgdesc' option). Man page also updated.

NM


Index: ifconfig.8
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
retrieving revision 1.375
diff -u -p -u -p -r1.375 ifconfig.8
--- ifconfig.8  18 Aug 2021 18:10:33 -  1.375
+++ ifconfig.8  21 Oct 2021 00:09:20 -
@@ -2343,6 +2343,10 @@ It is optional but recommended and can b
 .Dl $ openssl rand -base64 32
 .It Cm -wgpsk
 Remove the pre-shared key for this peer.
+.It Cm wgdesc Ar value
+Specify a description of the peer.
+.It Cm -wgdesc
+Clear the peer description.
 .El
 .Sh EXAMPLES
 Assign the
Index: ifconfig.c
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.445
diff -u -p -u -p -r1.445 ifconfig.c
--- ifconfig.c  6 Oct 2021 06:14:08 -   1.445
+++ ifconfig.c  21 Oct 2021 00:09:20 -
@@ -355,12 +355,14 @@ void  setwgpeerep(const char *, const cha
 void   setwgpeeraip(const char *, int);
 void   setwgpeerpsk(const char *, int);
 void   setwgpeerpka(const char *, int);
+void   setwgpeerdesc(const char *, int);
 void   setwgport(const char *, int);
 void   setwgkey(const char *, int);
 void   setwgrtable(const char *, int);
 
 void   unsetwgpeer(const char *, int);
 void   unsetwgpeerpsk(const char *, int);
+void   unsetwgpeerdesc(const char *, int);
 void   unsetwgpeerall(const char *, int);
 
 void   wg_status();
@@ -625,11 +627,13 @@ const struct  cmd {
{ "wgaip",  NEXTARG,A_WIREGUARD,setwgpeeraip},
{ "wgpsk",  NEXTARG,A_WIREGUARD,setwgpeerpsk},
{ "wgpka",  NEXTARG,A_WIREGUARD,setwgpeerpka},
+   { "wgdesc", NEXTARG,A_WIREGUARD,setwgpeerdesc},
{ "wgport", NEXTARG,A_WIREGUARD,setwgport},
{ "wgkey",  NEXTARG,A_WIREGUARD,setwgkey},
{ "wgrtable",   NEXTARG,A_WIREGUARD,setwgrtable},
{ "-wgpeer",NEXTARG,A_WIREGUARD,unsetwgpeer},
{ "-wgpsk", 0,  A_WIREGUARD,unsetwgpeerpsk},
+   { "-wgdesc",0,  A_WIREGUARD,unsetwgpeerdesc},
{ "-wgpeerall", 0,  A_WIREGUARD,unsetwgpeerall},
 
 #else /* SMALL */
@@ -5827,6 +5831,16 @@ setwgpeerpka(const char *pka, int param)
 }
 
 void
+setwgpeerdesc(const char *wgdesc, int param)
+{
+   if (wg_peer == NULL)
+   errx(1, "wgdesc: wgpeer not set");
+   if (strlen(wgdesc))
+   strlcpy(wg_peer->p_description, wgdesc, IFDESCRSIZE);
+   wg_peer->p_flags |= WG_PEER_SET_DESCRIPTION;
+}
+
+void
 setwgport(const char *port, int param)
 {
const char *errmsg = NULL;
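Review bot: An empty argument leaves p_description untouched but still sets WG_PEER_SET_DESCRIPTION, so `wgdesc ""` hands the kernel whatever the buffer already held; that is an empty string only if the wg_peer struct is zeroed at allocation, which is outside this diff, so either drop the strlen() guard and always copy, or reject an empty value with errx(). The strlcpy also silently truncates anything longer than IFDESCRSIZE-1, which is surprising for a value the operator typed; checking the return value, `if (strlcpy(wg_peer->p_description, wgdesc, IFDESCRSIZE) >= IFDESCRSIZE) errx(1, "wgdesc: description too long");`, makes the limit visible. Separately, the posted diff shows no if_wg.h hunk adding p_description and WG_PEER_SET_DESCRIPTION to the wg_peer_io ioctl structure that ifconfig.c relies on here, so that part presumably fell out of the mail and should be included for review.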
@@ -5873,6 +5887,15 @@ unsetwgpeerpsk(const char *value, int pa
 }
 
 void
+unsetwgpeerdesc(const char *value, int param)
+{
+   if (wg_peer == NULL)
+   errx(1, "wgpesc: wgpeer not set");
+   strlcpy(wg_peer->p_description, (const char *)"", IFDESCRSIZE);
+   wg_peer->p_flags |= WG_PEER_SET_DESCRIPTION;
+}
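Review bot: The error message in unsetwgpeerdesc reads `wgpesc`, a typo for the option name; it should be `errx(1, "-wgdesc: wgpeer not set");` (or `wgdesc:` to match setwgpeerdesc, which is what a user grepping the output will look for). The `strlcpy(wg_peer->p_description, (const char *)"", IFDESCRSIZE)` is a roundabout way to write `wg_peer->p_description[0] = '\0';` — the cast does nothing and the copy only ever writes one byte. This relies on the kernel treating an empty string as "clear"; the kernel-side setter is cut off at the end of the page, so that convention should be confirmed there.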
+
+void
 unsetwgpeerall(const char *value, int param)
 {
ensurewginterface();
@@ -5931,6 +5954,9 @@ wg_status(void)
b64_ntop(wg_peer->p_public, WG_KEY_LEN,
key, sizeof(key));
printf("\twgpeer %s\n", key);
+
+   if (strlen(wg_peer->p_description))
+   printf("\t\tdescription: %s\n", wg_peer->p_description);
 
if (wg_peer->p_flags & WG_PEER_HAS_PSK)
printf("\t\twgpsk (present)\n");
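Review bot: The new status line is labelled `description:` while the other per-peer lines in this block are printed under their option name (`wgpsk (present)` directly below, and the `wgpeer` line itself), so the output no longer corresponds to the `wgdesc`/`-wgdesc` options that set it; `printf("\t\twgdesc: %s\n", wg_peer->p_description);` keeps the wgpeer sub-option output self-describing. The strlen()/%s pair also trusts the kernel to NUL-terminate p_description in the ioctl result; since the kernel setter is not visible on this page, confirm it uses strlcpy or otherwise guarantees termination before this is relied on. wg_status begins outside the hunk.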
Index: if_wg.c
===
RCS file: /cvs/src/sys/net/if_wg.c,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 if_wg.c
--- if_wg.c 5 Aug 2021 13:37:04 -   1.18
+++ if_wg.c 21 Oct 2021 00:10:29 -
@@ -222,6 +222,9 @@ struct wg_peer {
 
SLIST_ENTRY(wg_peer) p_start_list;
int  p_start_onlist;
+
+   struct mutex p_description_mtx;
+   char p_description[IFDESCRSIZE];
 };
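Review bot: p_description_mtx is added to struct wg_peer, but no hunk in the posted diff initialises it (an mtx_init() with an appropriate IPL where the peer is created) or shows the ioctl get path reading the description under it; if those hunks were simply cut from the mail that is fine, otherwise the mutex is unused on one side and the string can be read while being overwritten. It is also worth asking whether a dedicated mutex is needed: if the set and get ioctl paths already serialise on the softc lock, storing the description under that lock avoids adding per-peer lock state for a 64-byte string. If the mutex stays, a `/* protects p_description */` comment next to it documents its scope, the way p_counters_mtx is understood to cover the counters.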
 
 struct wg_softc {
@@ -276,6 +279,7 @@ int wg_peer_get_sockaddr(struct wg_peer 
 void   wg_peer_clear_src(struct wg_peer *);
 void   wg_peer_get_endpoint(struct wg_peer *, struct wg_endpoint *);
 void   wg_peer_counters_add(struct wg_peer *, uint64_t, uint64_t);
+void   wg_peer_set_description(struct wg_peer *, char *);
 
 intwg_aip_add(struct wg_softc *, struct wg_peer *, struct wg_aip_io *);
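Review bot: wg_peer_set_description only needs to read the string it is given, so the prototype should take `const char *` rather than `char *`: `void wg_peer_set_description(struct wg_peer *, const char *);`. The definition below would change to match, and callers can then pass the ioctl buffer without a cast.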
 struct wg_peer *
@@ -583,6 +587,15 @@ wg_peer_counters_add(struct wg_peer *pee
mtx_leave(>p_counters_mtx);
 }
 
+void
+wg_peer_set_description(struct wg_peer *peer, char *description)
+{
+ 

Re: nsd 4.3.8

2021-10-20 Thread Mischa

Got it.

Oct 20 20:47:19 name2 nsd[62305]: nsd starting (NSD 4.3.8)
Oct 20 20:47:19 name2 nsd[37128]: nsd started (NSD 4.3.8), pid 31864
Oct 20 22:07:09 name2 nsd[37128]: signal received, shutting down...
Oct 20 22:07:09 name2 nsd[39445]: nsd starting (NSD 4.3.7)
Oct 20 22:07:10 name2 nsd[72021]: nsd started (NSD 4.3.7), pid 192

So far so good.

Mischa

On 2021-10-20 21:56, Florian Obser wrote:

I mean the diff I sent to bugs@ in response to the thread you started
on misc. "Re: NSD exit status 11 on 7.0"

This thread is about upgrading nsd in current, but we also need to fix
7.0. I thought you are running stable in production?


Anyway, having the full upgrade tested is also valuable, so thanks for
that. But if you are running stable please try the patch from bugs@, I
want to put that one into an errata.

On 20 October 2021 21:44:19 CEST, Mischa  wrote:

Is the below patch not needed?

I did run it without the below patch first, without any problems.
After I applied the below patch and compiled again.

Mischa

On 2021-10-20 21:34, Florian Obser wrote:
Uhm, could you please try the single patch from the other mail on 
7.0?

We are probably not going to syspatch to a new nsd version in 7.0.

On 20 October 2021 21:18:17 CEST, Mischa Peters 
wrote:

Hi Florian,

Great stuff!
Applied both patches and NSD has been running without crashing since
20:47 CEST.

Oct 20 20:47:19 name2 nsd[62305]: nsd starting (NSD 4.3.8)
Oct 20 20:47:19 name2 nsd[37128]: nsd started (NSD 4.3.8), pid 31864
Oct 20 20:47:30 name2 /bsd: carp24: state transition: BACKUP -> 
MASTER
Oct 20 20:47:46 name2 /bsd: carp23: state transition: BACKUP -> 
MASTER


Thanx a lot for the quick patches!!

Mischa

On 2021-10-20 18:27, Florian Obser wrote:

On 2021-10-20 18:24 +02, Florian Obser  wrote:

+4.3.8
+
+FEATURES:
+   - Set default for answer-cookie to no. Because in server
deployments
+ with mixed server software, a default of yes causes issues.


sthen and me think that we shouldn't flip-flop between cookie on 
and

cookie off since we shipped the cookie on default in 7.0.

This is on top of the 4.3.8 diff and reverts that behaviour to 
cookie

on
as we have in 7.0.

OK?

diff --git nsd.conf.5.in nsd.conf.5.in
index 4ee4b1292f9..9ae376f288c 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -494,7 +494,7 @@ With the value 0 the rate is unlimited.
 .TP
 .B answer\-cookie:\fR 
 Enable to answer to requests containig DNS Cookies as specified in
RFC7873.
-Default is no.
+Default is yes.
 .TP
 .B cookie\-secret:\fR <128 bit hex string>
 Servers in an anycast deployment need to be able to  verify  each
other's DNS
diff --git options.c options.c
index 6411959e8c6..d8fe022b412 100644
--- options.c
+++ options.c
@@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
opt->tls_service_pem = NULL;
opt->tls_port = TLS_PORT;
opt->tls_cert_bundle = NULL;
-   opt->answer_cookie = 0;
+   opt->answer_cookie = 1;
opt->cookie_secret = NULL;
opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
opt->control_enable = 0;








Re: nsd 4.3.8

2021-10-20 Thread Florian Obser
Sorry, I messed up the GitHub issues, this is the interesting one.

- Fix #194: Incorrect NSEC3 response for SOA query below delegation point.



On 20 October 2021 18:24:13 CEST, Florian Obser  wrote:
>
>Particularly interesting is
>- Fix #190: NSD returns 3 NSEC3 records for NODATA response.
>
>which I believe is a fix for the problem mischa reported on misc: "NSD
>exit status 11 on 7.0"
>
>Tests, OKs?
>
>diff --git doc/RELNOTES doc/RELNOTES
>index 054eb9b8f60..b7157bbc0a6 100644
>--- doc/RELNOTES
>+++ doc/RELNOTES
>@@ -1,5 +1,31 @@
> NSD RELEASE NOTES
> 
>+4.3.8
>+
>+FEATURES:
>+  - Merge #185 by cesarkuroiwa: Mutual TLS.
>+  - Set default for answer-cookie to no. Because in server deployments
>+with mixed server software, a default of yes causes issues.
>+BUG FIXES:
>+  - Fix to compile with OpenSSL 3.0.0beta2.
>+  - Fix configure detection of SSL_CTX_set_security_level.
>+  - Fix deprecated functions use from openssl 3.0.0beta2.
>+  - For #184: Note that all zones can be targeted by some nsd-control
>+commands in the man page.
>+  - Fixes for #185: Document client-cert, client-key and client-key-pw
>+in the man page. Fix yacc semicolon. Fix unused variable warning.
>+Use strlcpy instead of strncpy. Fix spelling error in error
>+printout.
>+  - Merge #187: Support using system-wide crypto policies.
>+  - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
>+  - Fix sed script in ssldir split handling.
>+  - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
>+`query->delegation_rrset' failed.
>+  - Fix #190: NSD returns 3 NSEC3 records for NODATA response.
>+  - Fix compile failure with openssl 1.0.2.
>+  - Fix #194: Incorrect NSEC3 response for SOA query below delegation
>+point.
>+
> 4.3.7
> 
> FEATURES:
>diff --git acx_nlnetlabs.m4 acx_nlnetlabs.m4
>index 7ce79070805..1574f97bfe0 100644
>--- acx_nlnetlabs.m4
>+++ acx_nlnetlabs.m4
>@@ -2,7 +2,11 @@
> # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
> # BSD licensed.
> #
>-# Version 40
>+# Version 43
>+# 2021-08-17 fix sed script in ssldir split handling.
>+# 2021-08-17 fix for openssl to detect split version, with ssldir_include
>+#  and ssldir_lib output directories.
>+# 2021-07-30 fix for openssl use of lib64 directory.
> # 2021-06-14 fix nonblocking test to use host instead of target for mingw 
> test.
> # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
> #  64bit compatibility.
>@@ -646,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [
> withval=$1
> if test x_$withval != x_no; then
> AC_MSG_CHECKING(for SSL)
>+  if test -n "$withval"; then
>+  dnl look for openssl install with different version, eg.
>+  dnl in /usr/include/openssl11/openssl/ssl.h
>+  dnl and /usr/lib64/openssl11/libssl.so
>+  dnl with the --with-ssl=/usr/include/openssl11
>+  if test ! -f "$withval/include/openssl/ssl.h" -a -f 
>"$withval/openssl/ssl.h"; then
>+  ssldir="$withval"
>+  found_ssl="yes"
>+  withval=""
>+  ssldir_include="$ssldir"
>+  dnl find the libdir
>+  ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
>+  if test -f "$ssldir_lib/libssl.a" -o -f 
>"$ssldir_lib/libssl.so"; then
>+  : # found here
>+  else
>+  ssldir_lib=`echo $ssldir | sed -e 
>'s/include/lib64/'`
>+  if test -f "$ssldir_lib/libssl.a" -o -f 
>"$ssldir_lib/libssl.so"; then
>+  : # found here
>+  else
>+  AC_MSG_ERROR([Could not find openssl 
>lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or 
>"/usr/include/openssl11"])
>+  fi
>+  fi
>+  fi
>+  fi
> if test x_$withval = x_ -o x_$withval = x_yes; then
> withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local 
> /opt/local /usr/sfw /usr"
> fi
>@@ -653,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [
> ssldir="$dir"
> if test -f "$dir/include/openssl/ssl.h"; then
> found_ssl="yes"
>-AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the 
>SSL libraries installed.])
>-dnl assume /usr/include is already in the include-path.
>-if test "$ssldir" != "/usr"; then
>-CPPFLAGS="$CPPFLAGS -I$ssldir/include"
>-LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
>-fi
>+  ssldir_include="$ssldir/include"
>+  if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
>+ 

Re: nsd 4.3.8

2021-10-20 Thread Florian Obser
I mean the diff I sent to bugs@ in response to the thread you started on misc. 
"Re: NSD exit status 11 on 7.0"

This thread is about upgrading nsd in current, but we also need to fix 7.0. I 
thought you are running stable in production?


Anyway, having the full upgrade tested is also valuable, so thanks for that. 
But if you are running stable please try the patch from bugs@, I want to put 
that one into an errata.

On 20 October 2021 21:44:19 CEST, Mischa  wrote:
>Is the below patch not needed?
>
>I did run it without the below patch first, without any problems.
>After I applied the below patch and compiled again.
>
>Mischa
>
>On 2021-10-20 21:34, Florian Obser wrote:
>> Uhm, could you please try the single patch from the other mail on 7.0?
>> We are probably not going to syspatch to a new nsd version in 7.0.
>> 
>> On 20 October 2021 21:18:17 CEST, Mischa Peters  
>> wrote:
>>> Hi Florian,
>>> 
>>> Great stuff!
>>> Applied both patches and NSD has been running without crashing since
>>> 20:47 CEST.
>>> 
>>> Oct 20 20:47:19 name2 nsd[62305]: nsd starting (NSD 4.3.8)
>>> Oct 20 20:47:19 name2 nsd[37128]: nsd started (NSD 4.3.8), pid 31864
>>> Oct 20 20:47:30 name2 /bsd: carp24: state transition: BACKUP -> MASTER
>>> Oct 20 20:47:46 name2 /bsd: carp23: state transition: BACKUP -> MASTER
>>> 
>>> Thanx a lot for the quick patches!!
>>> 
>>> Mischa
>>> 
>>> On 2021-10-20 18:27, Florian Obser wrote:
 On 2021-10-20 18:24 +02, Florian Obser  wrote:
> +4.3.8
> +
> +FEATURES:
> + - Set default for answer-cookie to no. Because in server 
> deployments
> +   with mixed server software, a default of yes causes issues.
 
 sthen and me think that we shouldn't flip-flop between cookie on and
 cookie off since we shipped the cookie on default in 7.0.
 
 This is on top of the 4.3.8 diff and reverts that behaviour to cookie
 on
 as we have in 7.0.
 
 OK?
 
 diff --git nsd.conf.5.in nsd.conf.5.in
 index 4ee4b1292f9..9ae376f288c 100644
 --- nsd.conf.5.in
 +++ nsd.conf.5.in
 @@ -494,7 +494,7 @@ With the value 0 the rate is unlimited.
  .TP
  .B answer\-cookie:\fR 
  Enable to answer to requests containig DNS Cookies as specified in
 RFC7873.
 -Default is no.
 +Default is yes.
  .TP
  .B cookie\-secret:\fR <128 bit hex string>
  Servers in an anycast deployment need to be able to  verify  each
 other's DNS
 diff --git options.c options.c
 index 6411959e8c6..d8fe022b412 100644
 --- options.c
 +++ options.c
 @@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
opt->tls_service_pem = NULL;
opt->tls_port = TLS_PORT;
opt->tls_cert_bundle = NULL;
 -  opt->answer_cookie = 0;
 +  opt->answer_cookie = 1;
opt->cookie_secret = NULL;
opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
opt->control_enable = 0;
>>> 
>

-- 
Sent from a mobile device. Please excuse poor formatting.



Re: nsd 4.3.8

2021-10-20 Thread Mischa

Is the below patch not needed?

I did run it without the below patch first, without any problems.
After I applied the below patch and compiled again.

Mischa

On 2021-10-20 21:34, Florian Obser wrote:

Uhm, could you please try the single patch from the other mail on 7.0?
We are probably not going to syspatch to a new nsd version in 7.0.

On 20 October 2021 21:18:17 CEST, Mischa Peters  
wrote:

Hi Florian,

Great stuff!
Applied both patches and NSD has been running without crashing since
20:47 CEST.

Oct 20 20:47:19 name2 nsd[62305]: nsd starting (NSD 4.3.8)
Oct 20 20:47:19 name2 nsd[37128]: nsd started (NSD 4.3.8), pid 31864
Oct 20 20:47:30 name2 /bsd: carp24: state transition: BACKUP -> MASTER
Oct 20 20:47:46 name2 /bsd: carp23: state transition: BACKUP -> MASTER

Thanx a lot for the quick patches!!

Mischa

On 2021-10-20 18:27, Florian Obser wrote:

On 2021-10-20 18:24 +02, Florian Obser  wrote:

+4.3.8
+
+FEATURES:
+	- Set default for answer-cookie to no. Because in server 
deployments

+ with mixed server software, a default of yes causes issues.


sthen and me think that we shouldn't flip-flop between cookie on and
cookie off since we shipped the cookie on default in 7.0.

This is on top of the 4.3.8 diff and reverts that behaviour to cookie
on
as we have in 7.0.

OK?

diff --git nsd.conf.5.in nsd.conf.5.in
index 4ee4b1292f9..9ae376f288c 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -494,7 +494,7 @@ With the value 0 the rate is unlimited.
 .TP
 .B answer\-cookie:\fR 
 Enable to answer to requests containig DNS Cookies as specified in
RFC7873.
-Default is no.
+Default is yes.
 .TP
 .B cookie\-secret:\fR <128 bit hex string>
 Servers in an anycast deployment need to be able to  verify  each
other's DNS
diff --git options.c options.c
index 6411959e8c6..d8fe022b412 100644
--- options.c
+++ options.c
@@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
opt->tls_service_pem = NULL;
opt->tls_port = TLS_PORT;
opt->tls_cert_bundle = NULL;
-   opt->answer_cookie = 0;
+   opt->answer_cookie = 1;
opt->cookie_secret = NULL;
opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
opt->control_enable = 0;






Re: nsd 4.3.8

2021-10-20 Thread Florian Obser
Uhm, could you please try the single patch from the other mail on 7.0? We are 
probably not going to syspatch to a new nsd version in 7.0.

On 20 October 2021 21:18:17 CEST, Mischa Peters  wrote:
>Hi Florian,
>
>Great stuff!
>Applied both patches and NSD has been running without crashing since 
>20:47 CEST.
>
>Oct 20 20:47:19 name2 nsd[62305]: nsd starting (NSD 4.3.8)
>Oct 20 20:47:19 name2 nsd[37128]: nsd started (NSD 4.3.8), pid 31864
>Oct 20 20:47:30 name2 /bsd: carp24: state transition: BACKUP -> MASTER
>Oct 20 20:47:46 name2 /bsd: carp23: state transition: BACKUP -> MASTER
>
>Thanx a lot for the quick patches!!
>
>Mischa
>
>On 2021-10-20 18:27, Florian Obser wrote:
>> On 2021-10-20 18:24 +02, Florian Obser  wrote:
>>> +4.3.8
>>> +
>>> +FEATURES:
>>> +   - Set default for answer-cookie to no. Because in server deployments
>>> + with mixed server software, a default of yes causes issues.
>> 
>> sthen and me think that we shouldn't flip-flop between cookie on and
>> cookie off since we shipped the cookie on default in 7.0.
>> 
>> This is on top of the 4.3.8 diff and reverts that behaviour to cookie 
>> on
>> as we have in 7.0.
>> 
>> OK?
>> 
>> diff --git nsd.conf.5.in nsd.conf.5.in
>> index 4ee4b1292f9..9ae376f288c 100644
>> --- nsd.conf.5.in
>> +++ nsd.conf.5.in
>> @@ -494,7 +494,7 @@ With the value 0 the rate is unlimited.
>>  .TP
>>  .B answer\-cookie:\fR 
>>  Enable to answer to requests containig DNS Cookies as specified in 
>> RFC7873.
>> -Default is no.
>> +Default is yes.
>>  .TP
>>  .B cookie\-secret:\fR <128 bit hex string>
>>  Servers in an anycast deployment need to be able to  verify  each 
>> other's DNS
>> diff --git options.c options.c
>> index 6411959e8c6..d8fe022b412 100644
>> --- options.c
>> +++ options.c
>> @@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
>>  opt->tls_service_pem = NULL;
>>  opt->tls_port = TLS_PORT;
>>  opt->tls_cert_bundle = NULL;
>> -opt->answer_cookie = 0;
>> +opt->answer_cookie = 1;
>>  opt->cookie_secret = NULL;
>>  opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
>>  opt->control_enable = 0;
>

-- 
Sent from a mobile device. Please excuse poor formatting.



Re: nsd 4.3.8

2021-10-20 Thread Mischa Peters

Hi Florian,

Great stuff!
Applied both patches and NSD has been running without crashing since 
20:47 CEST.


Oct 20 20:47:19 name2 nsd[62305]: nsd starting (NSD 4.3.8)
Oct 20 20:47:19 name2 nsd[37128]: nsd started (NSD 4.3.8), pid 31864
Oct 20 20:47:30 name2 /bsd: carp24: state transition: BACKUP -> MASTER
Oct 20 20:47:46 name2 /bsd: carp23: state transition: BACKUP -> MASTER

Thanx a lot for the quick patches!!

Mischa

On 2021-10-20 18:27, Florian Obser wrote:

On 2021-10-20 18:24 +02, Florian Obser  wrote:

+4.3.8
+
+FEATURES:
+   - Set default for answer-cookie to no. Because in server deployments
+ with mixed server software, a default of yes causes issues.


sthen and me think that we shouldn't flip-flop between cookie on and
cookie off since we shipped the cookie on default in 7.0.

This is on top of the 4.3.8 diff and reverts that behaviour to cookie 
on

as we have in 7.0.

OK?

diff --git nsd.conf.5.in nsd.conf.5.in
index 4ee4b1292f9..9ae376f288c 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -494,7 +494,7 @@ With the value 0 the rate is unlimited.
 .TP
 .B answer\-cookie:\fR 
 Enable to answer to requests containig DNS Cookies as specified in 
RFC7873.

-Default is no.
+Default is yes.
 .TP
 .B cookie\-secret:\fR <128 bit hex string>
 Servers in an anycast deployment need to be able to  verify  each 
other's DNS

diff --git options.c options.c
index 6411959e8c6..d8fe022b412 100644
--- options.c
+++ options.c
@@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
opt->tls_service_pem = NULL;
opt->tls_port = TLS_PORT;
opt->tls_cert_bundle = NULL;
-   opt->answer_cookie = 0;
+   opt->answer_cookie = 1;
opt->cookie_secret = NULL;
opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
opt->control_enable = 0;




Re: nsd 4.3.8

2021-10-20 Thread Florian Obser
On 2021-10-20 18:24 +02, Florian Obser  wrote:
> +4.3.8
> +
> +FEATURES:
> + - Set default for answer-cookie to no. Because in server deployments
> +   with mixed server software, a default of yes causes issues.

sthen and I think we shouldn't flip-flop between cookie on and cookie off,
since we shipped with cookie on by default in 7.0.

This is on top of the 4.3.8 diff and reverts that behaviour to cookie on
as we have in 7.0.

OK?

diff --git nsd.conf.5.in nsd.conf.5.in
index 4ee4b1292f9..9ae376f288c 100644
--- nsd.conf.5.in
+++ nsd.conf.5.in
@@ -494,7 +494,7 @@ With the value 0 the rate is unlimited.
 .TP
 .B answer\-cookie:\fR 
 Enable to answer to requests containig DNS Cookies as specified in RFC7873.
-Default is no.
+Default is yes.
 .TP
 .B cookie\-secret:\fR <128 bit hex string>
 Servers in an anycast deployment need to be able to  verify  each other's DNS
diff --git options.c options.c
index 6411959e8c6..d8fe022b412 100644
--- options.c
+++ options.c
@@ -131,7 +131,7 @@ nsd_options_create(region_type* region)
opt->tls_service_pem = NULL;
opt->tls_port = TLS_PORT;
opt->tls_cert_bundle = NULL;
-   opt->answer_cookie = 0;
+   opt->answer_cookie = 1;
opt->cookie_secret = NULL;
opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt";
opt->control_enable = 0;
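Review bot: Keeping answer_cookie at 1 preserves the 7.0 behaviour, but the context lines show cookie_secret defaulting to NULL with a secret file under CONFIGDIR, and the man page hunk above this one notes that anycast deployments must share a secret; with cookies on by default, several nsd instances behind one address that do not configure cookie-secret will hand out inconsistent server cookies, which is the "mixed server software" problem upstream cites as its reason for flipping the default to no. That is a documentation gap rather than a code defect: a sentence in the commit message, or next to the `Default is yes.` line, pointing multi-server operators at cookie-secret / cookie-secret-file would cover it. Since this reverses an upstream default, it will also need to be re-applied on every future nsd update, so it is worth recording as a deliberate local divergence.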


-- 
I'm not entirely sure you are real.



nsd 4.3.8

2021-10-20 Thread Florian Obser


Particularly interesting is
- Fix #190: NSD returns 3 NSEC3 records for NODATA response.

which I believe is a fix for the problem mischa reported on misc: "NSD
exit status 11 on 7.0"

Tests, OKs?

diff --git doc/RELNOTES doc/RELNOTES
index 054eb9b8f60..b7157bbc0a6 100644
--- doc/RELNOTES
+++ doc/RELNOTES
@@ -1,5 +1,31 @@
 NSD RELEASE NOTES
 
+4.3.8
+
+FEATURES:
+   - Merge #185 by cesarkuroiwa: Mutual TLS.
+   - Set default for answer-cookie to no. Because in server deployments
+ with mixed server software, a default of yes causes issues.
+BUG FIXES:
+   - Fix to compile with OpenSSL 3.0.0beta2.
+   - Fix configure detection of SSL_CTX_set_security_level.
+   - Fix deprecated functions use from openssl 3.0.0beta2.
+   - For #184: Note that all zones can be targeted by some nsd-control
+ commands in the man page.
+   - Fixes for #185: Document client-cert, client-key and client-key-pw
+ in the man page. Fix yacc semicolon. Fix unused variable warning.
+ Use strlcpy instead of strncpy. Fix spelling error in error
+ printout.
+   - Merge #187: Support using system-wide crypto policies.
+   - Fix #188: NSD fails to build against openssl 1.1 on CentOS 7.
+   - Fix sed script in ssldir split handling.
+   - Fix #189: nsd 4.3.7 crash answer_delegation: Assertion
+ `query->delegation_rrset' failed.
+   - Fix #190: NSD returns 3 NSEC3 records for NODATA response.
+   - Fix compile failure with openssl 1.0.2.
+   - Fix #194: Incorrect NSEC3 response for SOA query below delegation
+ point.
+
 4.3.7
 
 FEATURES:
diff --git acx_nlnetlabs.m4 acx_nlnetlabs.m4
index 7ce79070805..1574f97bfe0 100644
--- acx_nlnetlabs.m4
+++ acx_nlnetlabs.m4
@@ -2,7 +2,11 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 40
+# Version 43
+# 2021-08-17 fix sed script in ssldir split handling.
+# 2021-08-17 fix for openssl to detect split version, with ssldir_include
+#   and ssldir_lib output directories.
+# 2021-07-30 fix for openssl use of lib64 directory.
 # 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
 # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
 #   64bit compatibility.
@@ -646,6 +650,30 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 withval=$1
 if test x_$withval != x_no; then
 AC_MSG_CHECKING(for SSL)
+   if test -n "$withval"; then
+   dnl look for openssl install with different version, eg.
+   dnl in /usr/include/openssl11/openssl/ssl.h
+   dnl and /usr/lib64/openssl11/libssl.so
+   dnl with the --with-ssl=/usr/include/openssl11
+   if test ! -f "$withval/include/openssl/ssl.h" -a -f 
"$withval/openssl/ssl.h"; then
+   ssldir="$withval"
+   found_ssl="yes"
+   withval=""
+   ssldir_include="$ssldir"
+   dnl find the libdir
+   ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'`
+   if test -f "$ssldir_lib/libssl.a" -o -f 
"$ssldir_lib/libssl.so"; then
+   : # found here
+   else
+   ssldir_lib=`echo $ssldir | sed -e 
's/include/lib64/'`
+   if test -f "$ssldir_lib/libssl.a" -o -f 
"$ssldir_lib/libssl.so"; then
+   : # found here
+   else
+   AC_MSG_ERROR([Could not find openssl 
lib file, $ssldir_lib/libssl.[so,a], pass like "/usr/local" or 
"/usr/include/openssl11"])
+   fi
+   fi
+   fi
+   fi
 if test x_$withval = x_ -o x_$withval = x_yes; then
 withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local 
/opt/local /usr/sfw /usr"
 fi
@@ -653,12 +681,12 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 ssldir="$dir"
 if test -f "$dir/include/openssl/ssl.h"; then
 found_ssl="yes"
-AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL 
libraries installed.])
-dnl assume /usr/include is already in the include-path.
-if test "$ssldir" != "/usr"; then
-CPPFLAGS="$CPPFLAGS -I$ssldir/include"
-LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
-fi
+   ssldir_include="$ssldir/include"
+   if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
+   ssldir_lib="$ssldir/lib64"
+   else
+   ssldir_lib="$ssldir/lib"
+   fi
 break;
 fi
 done
@@ -666,13 +694,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 

Re: Missing semicolon in snmpd/parse.y

2021-10-20 Thread Otto Moerbeek
On Wed, Oct 20, 2021 at 01:58:03PM +0200, Gerhard Roth wrote:

> Hi,
> 
> the rule for 'listen_udptcp' is missing a semicolon at its end.
> 
> I have no idea what yacc does to the following 'port' rule without
> that semicolon.

Looks like the generated C code is the same.

ok otto@

-Otto

> 
> Gerhard
> 
> 
> Index: usr.sbin/snmpd/parse.y
> ===
> RCS file: /cvs/src/usr.sbin/snmpd/parse.y,v
> retrieving revision 1.70
> diff -u -p -u -p -r1.70 parse.y
> --- usr.sbin/snmpd/parse.y15 Oct 2021 15:01:29 -  1.70
> +++ usr.sbin/snmpd/parse.y20 Oct 2021 11:45:29 -
> @@ -350,6 +350,7 @@ listen_udptcp : listenproto STRING port 
>   free($2);
>   free($3);
>   }
> + ;
>  
>  port : /* empty */   {
>   $$ = NULL;




Missing semicolon in snmpd/parse.y

2021-10-20 Thread Gerhard Roth
Hi,

the rule for 'listen_udptcp' is missing a semicolon at its end.

I have no idea what yacc does to the following 'port' rule without
that semicolon.

Gerhard


Index: usr.sbin/snmpd/parse.y
===
RCS file: /cvs/src/usr.sbin/snmpd/parse.y,v
retrieving revision 1.70
diff -u -p -u -p -r1.70 parse.y
--- usr.sbin/snmpd/parse.y  15 Oct 2021 15:01:29 -  1.70
+++ usr.sbin/snmpd/parse.y  20 Oct 2021 11:45:29 -
@@ -350,6 +350,7 @@ listen_udptcp   : listenproto STRING port 
free($2);
free($3);
}
+   ;
 
 port   : /* empty */   {
$$ = NULL;




Re: ucc: ignore get encoding requests

2021-10-20 Thread Landry Breuil
Le Wed, Oct 20, 2021 at 07:43:36AM +0200, Anton Lindqvist a écrit :
> Hi,
> landry@ reported that he ended up with the wrong encoding in X11 while
> having a ucc keyboard attached and /etc/kbdtype being present. The
> advertised encoding of a wsmux is a bit fragile as the last attached
> device will dictate it. If this happens to be a ucc keyboard, KB_US will
> always be the advertised encoding as its encoding is immutable and
> /etc/kbdtype is ignored.
> 
> Instead, do not advertise the encoding for ucc devices when the parent
> mux queries its attached devices. However, asking the device directly
> (i.e. bypassing the mux) still returns the encoding as wsconsctl(8)
> would otherwise report an error.
> 
> Comments? OK?

FWIW, I've tested this diff on my workplace desktop with a US keyboard and a
FR keyboard both plugged in, /etc/kbdtype containing "fr", and
machdep.forceukbd=1. Without the diff I ended up with a US mapping in xenodm;
with it I correctly get the FR mapping. I also tested with
machdep.forceukbd=0 and without the diff, and got the correct FR mapping
there too.
Thanks!