Better bgpd reload (step 1)
This is the first step to make bgpd reload non-blocking in the RDE. It also speeds up the reload time a fair bit in some cases (mainly if you run with multiple RIBs and have larger filtersets) and it should also fix a few edge cases on reloads. I already sent out an earlier version of this diff some time ago. This new version fixes the problems of the earlier version and is adjusted to apply on -current. This needs some good testing so please help or it won't go into the next release.

-- :wq Claudio

Index: bgpd.h === RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v retrieving revision 1.277 diff -u -p -r1.277 bgpd.h --- bgpd.h 11 May 2013 14:42:28 - 1.277 +++ bgpd.h 31 May 2013 23:20:20 - @@ -103,6 +103,7 @@ enum reconf_action { RECONF_NONE, RECONF_KEEP, RECONF_REINIT, + RECONF_RELOAD, RECONF_DELETE }; Index: rde.c === RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v retrieving revision 1.323 diff -u -p -r1.323 rde.c --- rde.c 10 Jul 2013 15:56:06 - 1.323 +++ rde.c 10 Jul 2013 18:33:22 - @@ -85,12 +85,11 @@ void rde_dump_mrt_new(struct mrt *, pi voidrde_dump_done(void *); int rde_rdomain_import(struct rde_aspath *, struct rdomain *); -voidrde_up_dump_upcall(struct rib_entry *, void *); +voidrde_reload_done(void); voidrde_softreconfig_out(struct rib_entry *, void *); voidrde_softreconfig_in(struct rib_entry *, void *); -voidrde_softreconfig_load(struct rib_entry *, void *); -voidrde_softreconfig_load_peer(struct rib_entry *, void *); voidrde_softreconfig_unload_peer(struct rib_entry *, void *); +voidrde_up_dump_upcall(struct rib_entry *, void *); voidrde_update_queue_runner(void); voidrde_update6_queue_runner(u_int8_t); @@ -119,7 +118,7 @@ struct bgpd_config *conf, *nconf; time_t reloadtime; struct rde_peer_headpeerlist; struct rde_peer*peerself; -struct filter_head *rules_l, *newrules; +struct filter_head *out_rules, *out_rules_tmp; struct rdomain_head*rdomains_l, *newdomains; struct imsgbuf *ibuf_se; struct imsgbuf *ibuf_se_ctl; 
@@ -224,10 +223,10 @@ rde_main(int pipe_m2r[2], int pipe_s2r[2 nexthop_init(nexthophashsize); peer_init(peerhashsize); - rules_l = calloc(1, sizeof(struct filter_head)); - if (rules_l == NULL) + out_rules = calloc(1, sizeof(struct filter_head)); + if (out_rules == NULL) fatal(NULL); - TAILQ_INIT(rules_l); + TAILQ_INIT(out_rules); rdomains_l = calloc(1, sizeof(struct rdomain_head)); if (rdomains_l == NULL) fatal(NULL); @@ -637,12 +636,11 @@ rde_dispatch_imsg_parent(struct imsgbuf struct imsg imsg; struct mrt xmrt; struct rde_rib rn; - struct rde_peer *peer; + struct filter_head *nr; struct filter_rule *r; struct filter_set *s; struct nexthop *nh; - int n, fd, reconf_in = 0, reconf_out = 0, -reconf_rib = 0; + int n, fd; u_int16_trid; if ((n = imsg_read(ibuf)) == -1) @@ -686,10 +684,10 @@ rde_dispatch_imsg_parent(struct imsgbuf sizeof(struct bgpd_config)) fatalx(IMSG_RECONF_CONF bad len); reloadtime = time(NULL); - newrules = calloc(1, sizeof(struct filter_head)); - if (newrules == NULL) + out_rules_tmp = calloc(1, sizeof(struct filter_head)); + if (out_rules_tmp == NULL) fatal(NULL); - TAILQ_INIT(newrules); + TAILQ_INIT(out_rules_tmp); newdomains = calloc(1, sizeof(struct rdomain_head)); if (newdomains == NULL) fatal(NULL); @@ -698,8 +696,11 @@ rde_dispatch_imsg_parent(struct imsgbuf NULL) fatal(NULL); memcpy(nconf, imsg.data, sizeof(struct bgpd_config)); - for (rid = 0; rid rib_size; rid++) + for (rid = 0; rid rib_size; rid++) { + if (*ribs[rid].name == '\0') + break; ribs[rid].state = RECONF_DELETE; + } break; case IMSG_RECONF_RIB: if (imsg.hdr.len -
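Review bot: in the IMSG_RECONF_CONF hunk the new loop `if (*ribs[rid].name == '\0') break;` stops at the first rib with an empty name, so any rib that comes after an empty slot keeps its previous state and is never marked RECONF_DELETE; unless ribs[] is guaranteed to be packed without holes, `continue` is the safer choice there. The remainder of rde_dispatch_imsg_parent() and the new rde_reload_done() lie past the point where this post is cut off (`if (imsg.hdr.len -`), so where the new `struct filter_head *nr` is used and how out_rules_tmp is swapped in for out_rules cannot be checked from what is shown; please repost the complete diff. Minor: inserting RECONF_RELOAD before RECONF_DELETE renumbers that enum value, which is harmless only as long as reconf_action is never carried inside an imsg.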
manual patch for isakmpd's FIFO r
The following patch clarifies that sending r over the FIFO doesn't produce the exact same results as SIGUSR1. Or do you prefer that we change the behaviour of the FIFO's r to match SIGUSR1, for example by changing ui_report() to something similar to ui_report_sa(); opening a file, and rewrite a few _report functions to use fprintf instead of LOG_DBG()? --- sbin/isakmpd/isakmpd.8 Thu Jul 11 14:51:52 2013 +++ sbin/isakmpd/isakmpd.8.orig Thu Jul 11 14:44:58 2013 @@ -494,10 +494,13 @@ .It Ic r Report .Nm -internal state to log destination. -Same output as when sent a +internal state to a file. +See the +.Fl R +option. +Same as when sent a .Dv SIGUSR1 -signal, except that it is not written to the same file. +signal. .Pp .It Ic S Report information on all known SAs to the
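Review bot: the file headers are the wrong way round: `--- sbin/isakmpd/isakmpd.8` carries the newer timestamp (14:51:52) and `+++ sbin/isakmpd/isakmpd.8.orig` the older one (14:44:58), so applied with patch(1) this hunk removes the new "log destination" wording and reinstates the "to a file. See the .Fl R option." text it is meant to replace. Regenerate it as `diff -u isakmpd.8.orig isakmpd.8`.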
Re: SSLHonorCipherOrder for OpenBSD's httpd
On Wed, Jul 10, 2013 at 10:28:32AM +0200, Otto Moerbeek wrote:
> On Sun, Jul 07, 2013 at 10:17:11PM -0700, Aaron Stellman wrote:
>> On Mon, Jul 08, 2013 at 07:06:43AM +0200, Otto Moerbeek wrote:
>>> I think you missed the renegotiate case. Anyway, I posted almost the same diff some time ago.
>> You're right -- renegotiate case was missed. Your patch from April looks fine to me. It would be beneficial to have it committed. Thanks
> As gunther@ kindly remarked, there was a small issue: AP_SRV_CMD versus my AP_ALL_CMD in my original diff. So this is the diff I am going to commit unless somebody objects quickly.

And here's the manual page.

-Otto

Index: ssl_reference.html === RCS file: /cvs/src/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html,v retrieving revision 1.11 diff -u -p -r1.11 ssl_reference.html --- ssl_reference.html 22 Jul 2008 11:20:10 - 1.11 +++ ssl_reference.html 11 Jul 2013 13:17:15 - @@ -294,6 +294,7 @@ virtual host''), which can occur inside nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;a href=#ToC7strongSSLEngine/strong/abr nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;a href=#ToC8strongSSLProtocol/strong/abr nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;a href=#ToC9strongSSLCipherSuite/strong/abr +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;a href=#ToC9astrongSSLHonorCipherOrder/strong/abr nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;a href=#ToC10strongSSLCertificateFile/strong/abr nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;a href=#ToC11strongSSLCertificateKeyFile/strong/abr nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;a href=#ToC12strongSSLCertificateChainFile/strong/abr 
@@ -1212,6 +1213,62 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MED /tr/table /td/tr/table /div +!-- SSLHonorCipherOrder - +p +br +a name=SSLCertificateFile/a +h2a name=ToC9aSSLHonorCipherOrder/a/h2 +table cellspacing=0 cellpadding=1 bgcolor=#cc border=0 summary= +tr +td +table bgcolor=white width=600 cellspacing=0 cellpadding=5 border=0 summary= +tr +td +table cellspacing=0 cellpadding=1 border=0 summary= +trtd +font face=Arial,HelveticabName:/b/font/a /tdtd bSSLHonorCipherOrder/b/td/tr +trtd +font face=Arial,HelveticabDescription:/b/font/a /tdtd User server's order of preference for ciphers/td/tr +trtda + href=../directive-dict.html#Syntax + rel=Help +font face=Arial,HelveticabSyntax:/b/font/a /tdtd codeSSLHonorCipherOrder/code emon|off/em/td/tr +trtda + href=../directive-dict.html#Default + rel=Help +font face=Arial,HelveticabDefault:/b/font/a /tdtd codeHonorCip Off/td/tr +trtda + href=../directive-dict.html#Context + rel=Help +font face=Arial,HelveticabContext:/b/font/a /tdtd server config, virtual host/td/tr +trtda + href=../directive-dict.html#Override + rel=Help +font face=Arial,HelveticabOverride:/b/font/a /tdtd emNot applicable/em/td/tr +trtda + href=../directive-dict.html#Status + rel=Help +font face=Arial,HelveticabStatus:/b/font/a /tdtd Extension/td/tr +trtda + href=../directive-dict.html#Module + rel=Help +font face=Arial,HelveticabModule:/b/font/a /tdtd mod_ssl/td/tr +trtda + href=../directive-dict.html#Compatibility + rel=Help +font face=Arial,HelveticabCompatibility:/b/font/a /tdtd/td/tr +/table +/td +/tr +/table +/td +/tr +/table +p +By default, the client's order of preference is used when choosing a cipher. +When switched on, this directive makes the server's order of preference for +ciphers leading. Applies to SSLv3 and TLS. +p !-- SSLCertificateFile - p br
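Review bot: the new section reuses the anchor of the section that follows it: `+a name=SSLCertificateFile/a` sits directly above `+h2a name=ToC9aSSLHonorCipherOrder/a/h2`, so the page ends up with two `SSLCertificateFile` anchors and no `SSLHonorCipherOrder` one; change it to `a name=SSLHonorCipherOrder/a`. Two smaller things in the same table: the Description cell reads "User server's order of preference" (should be "Use"), and the Default cell `codeHonorCip Off` is truncated and has no closing code tag, presumably meant to be `SSLHonorCipherOrder Off` in the same form as the other directives. In the closing paragraph, "makes the server's order of preference for ciphers leading" would read more naturally as "makes the server's order of preference take precedence over the client's"; it is also worth a sentence that the directive only orders the suites permitted by SSLCipherSuite and removes none of them, so a weak suite still has to be excluded there.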
Re: manual patch for isakmpd's FIFO r
The following patch clarifies that sending r over the FIFO doesn't produce the exact same results as SIGUSR1. Or do you prefer that we change the behaviour of the FIFO's r to match SIGUSR1, for example by changing ui_report() to something similar to ui_report_sa(); opening a file, and rewrite a few _report functions to use fprintf instead of LOG_DBG()? ...and here's the patch, in the right direction --- sbin/isakmpd/isakmpd.8.orig Thu Jul 11 14:44:58 2013 +++ sbin/isakmpd/isakmpd.8 Thu Jul 11 14:51:52 2013 @@ -494,13 +494,10 @@ .It Ic r Report .Nm -internal state to a file. -See the -.Fl R -option. -Same as when sent a +internal state to log destination. +Same output as when sent a .Dv SIGUSR1 -signal. +signal, except that it is not written to the same file. .Pp .It Ic S Report information on all known SAs to the
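Review bot: in the new text "internal state to log destination" wants an article ("to the log destination"), and "except that it is not written to the same file" now refers to a file that the rewritten sentence no longer mentions. Since the point of the change is that the FIFO `r` command reports via LOG_DBG() while SIGUSR1 writes the report file, say so directly and keep the `.Fl R` cross-reference for where the SIGUSR1 output goes, e.g. "Same output as when sent a .Dv SIGUSR1 signal, but sent to the log destination instead of the report file (see the .Fl R option)."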
Re: base apache and HonorCipherOrder
On Mon, 8 Jul 2013, Damien Miller wrote:
> On Sun, 7 Jul 2013, Aaron Stellman wrote:
>> On Tue, Apr 23, 2013 at 09:08:19AM +0200, Otto Moerbeek wrote:
>>> If there is any interest, I might add the manual stuff, get ok's and commit it.
>> I find it useful to have SSLHonorCipherOrder in OpenBSD's apache. More than that, AFAIK it is necessary to mitigate some of the TLS crypto attacks. IMO it is well worth having.
> It would also be good if someone could make a patch to enable ECDHE cipher suites in Apache-1.x. This nginx patch is a good reference to what needs to be done: http://hg.nginx.org/nginx/rev/0832a6997227

The following should do the trick...

$ openssl s_client -connect localhost:443 2>&1 </dev/null | grep "Cipher is"
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Index: conf/httpd.conf === RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf,v retrieving revision 1.26 diff -u -p -u -p -r1.26 httpd.conf --- conf/httpd.conf 3 Jun 2009 18:28:21 - 1.26 +++ conf/httpd.conf 11 Jul 2013 15:28:21 - @@ -1034,6 +1034,11 @@ SSLEngine on # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP + +# SSL ECDH Curve: +# Named curve to use when generating ephemeral EC keys for an +# ECDHE-based cipher suite. +#SSLECDHCurve prime256v1 # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If Index: conf/httpd.conf-dist === RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf-dist,v retrieving revision 1.20 diff -u -p -u -p -r1.20 httpd.conf-dist --- conf/httpd.conf-dist1 Apr 2009 06:47:34 - 1.20 +++ conf/httpd.conf-dist11 Jul 2013 15:28:21 - 
@@ -1045,6 +1045,11 @@ SSLEngine on # See the mod_ssl documentation for a complete list. SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL +# SSL ECDH Curve: +# Named curve to use when generating ephemeral EC keys for an +# ECDHE-based cipher suite. +SSLECDHCurve prime256v1 + # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a Index: src/modules/ssl/mod_ssl.c === RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.c,v retrieving revision 1.11 diff -u -p -u -p -r1.11 mod_ssl.c --- src/modules/ssl/mod_ssl.c 11 Jul 2013 12:41:52 - 1.11 +++ src/modules/ssl/mod_ssl.c 11 Jul 2013 15:28:21 - @@ -113,6 +113,9 @@ static command_rec ssl_config_cmds[] = { AP_ALL_CMD(CipherSuite, TAKE1, Colon-delimited list of permitted SSL Ciphers (`XXX:...:XXX' - see manual)) +AP_SRV_CMD(ECDHCurve, TAKE1, + Name of ECDH curve to use for ephemeral EC keys + (`curve' - see manual)) AP_SRV_CMD(CertificateFile, TAKE1, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)) Index: src/modules/ssl/mod_ssl.h === RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.h,v retrieving revision 1.22 diff -u -p -u -p -r1.22 mod_ssl.h --- src/modules/ssl/mod_ssl.h 11 Jul 2013 12:41:52 - 1.22 +++ src/modules/ssl/mod_ssl.h 11 Jul 2013 15:28:22 - @@ -514,6 +514,7 @@ typedef struct { char*szCACertificateFile; char*szLogFile; char*szCipherSuite; +char*szECDHCurve; FILE*fileLogFile; int nLogLevel; BOOL cipher_server_pref; 
@@ -592,6 +593,7 @@ const char *ssl_cmd_SSLRandomSeed(cmd_p const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int); const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *); +const char *ssl_cmd_SSLECDHCurve(cmd_parms *, char *, char *); const char *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, char *, char *); Index: src/modules/ssl/ssl_engine_config.c === RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c,v retrieving revision 1.20 diff -u -p -u -p -r1.20 ssl_engine_config.c --- src/modules/ssl/ssl_engine_config.c 11 Jul 2013 12:41:52 - 1.20 +++ src/modules/ssl/ssl_engine_config.c 11 Jul 2013 15:28:22 - @@ -196,6 +196,7 @@ void *ssl_config_server_create(pool *p, sc-szCertificateChain = NULL; sc-szLogFile = NULL; sc-szCipherSuite = NULL; +sc-szECDHCurve
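Review bot: the diff is cut off at `+sc-szECDHCurve` in ssl_config_server_create(), so the ssl_cmd_SSLECDHCurve() handler declared in mod_ssl.h and the engine code that turns szECDHCurve into an EC key are not visible; what needs checking there is that an unknown curve name is rejected when the directive is parsed (a NULL from EC_KEY_new_by_curve_name() on the OBJ_sn2nid() result should be a configuration error) rather than surfacing as handshake failures at runtime. Two points on the config hunks: httpd.conf-dist enables `SSLECDHCurve prime256v1` outright while httpd.conf ships it commented out (`#SSLECDHCurve prime256v1`), which should be deliberate or made consistent; and the context line in httpd.conf-dist still reads `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL`, so with ECDHE suites available the shipped default still permits +LOW, +EXP and +eNULL, and the SSLHonorCipherOrder directive from the same thread only reorders that list. Tightening the shipped SSLCipherSuite alongside this change would make the ECDHE work actually count.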
Re: base apache and HonorCipherOrder
Thanks all; I am glad to see this.

On Thu, Jul 11, 2013 at 11:35 AM, Joel Sing j...@sing.id.au wrote:
> [...]
netbt, Bluetooth kernel code
I'm working on the netbt and /dev/bluetooth code, which is currently broken and has been disabled in the generic kernel for over a year now. I'm not an experienced BSD developer (yet) so I'm using this code as a way of learning how to debug and fix major problems. I'm also working on updating the OpenBSD 5.0 ports bluetooth-libs and bluetooth-tools to build and run on OpenBSD-current. Libs now builds; Tools needs a rewrite of the Unix socket credentials check. The NetBSD Service Discovery Protocol code still uses SCM_CREDS/struct sockcred, and this has been removed from the OpenBSD tree as obsolete. But a move to SO_PEERCRED should work there. So hi, and if there's anybody else looking at this code, please get in touch. I hope I'll be able to fix the problems of the device sleeping in mutexed code. If there is a high likelihood that this code will soon be removed from the tree, that would be nice to know too. Maybe I could change that.
a.out in gcc-local(1)
Hi tech@

Just found a no longer relevant block in gcc-local(1):

- On a.out platforms (i.e. vax), gcc uses a linker wrapper to write stubs that call global constructors and destructors. Those platforms use gcc 2.95.3, and those calls can be traced using -Wl,-trace-ctors-dtors, using syslog_r(3).

Cheers, Alexey
Re: netbt, Bluetooth kernel code
On Thu, Jul 11, 2013 at 21:46, Tony Sidaway wrote:
> So hi, and if there's anybody else looking at this code, please get in touch. I hope I'll be able to fix the problems of the device sleeping in mutexed code. If there is a high likelihood that this code will soon be removed from the tree, that would be nice to know too. Maybe I could change that.

There is a sentiment among some developers that the current code is too network heavy. Perhaps it should look more like the usb code. But the existing code shouldn't go anywhere until there is a replacement, and I don't think there are any yet. So fixes to the existing code would be welcome.
Re: netbt, Bluetooth kernel code
>> So hi, and if there's anybody else looking at this code, please get in touch. I hope I'll be able to fix the problems of the device sleeping in mutexed code. If there is a high likelihood that this code will soon be removed from the tree, that would be nice to know too. Maybe I could change that.
>
> There is a sentiment among some developers that the current code is too network heavy.

Concur.

> Perhaps it should look more like the usb code.

Concur.

> But the existing code shouldn't go anywhere until there is a replacement, and I don't think there are any yet. So fixes to the existing code would be welcome.

Concur. But it won't get enabled, even with bug fixes. Making it better requires a bigger effort. However, once you get part way along the line you might see "oh, lower level abstraction good". If you get to that point, and make the next steps forward, you'll be a hero.