Sending route messages for local routes or cloning routes

2014-12-23 Thread Florian Riehm 
Hi Martin,

as requested in your commit message I would like to tell you about a regression
with the introduced local routes:

Before OpenBSD 5.6 it was possible to add route labels to interfaces and tell
ospfd to redistribute all labeled routes. After adding an address to a labeled
interface a new route was announced via ospf.

Now the ospfd can't detect added or deleted addresses anymore, because the
kernel informs about local routes instead of cloning routes.

route -nv monitor:

OPENBSD_5_5:
RTM_NEWADDR: address being added to iface: len 96, metric 0, flags:CLONING
sockaddrs: NETMASK,IFP,IFA,BRD
 255.255.255.0 08:00:27:ad:dd:7c 5.5.5.5 5.5.5.255

RTM_ADD: Add Route: len 192, priority 4, table 0, pid: 0, seq 0, errno 0
flags:UP,CLONING
use:0   mtu:0expire:0 
locks:  inits: 
sockaddrs: DST,GATEWAY,NETMASK,LABEL
 5.5.5.0 link#3 255.255.255.0 EXPORT

OPENBSD_5_6:
RTM_NEWADDR: address being added to iface: len 96, metric 0, flags:UP
sockaddrs: NETMASK,IFP,IFA,BRD
 255.255.255.0 08:00:27:fd:b8:81 5.5.5.5 5.5.5.255

RTM_ADD: Add Route: len 184, priority 1, table 0, pid: 0, seq 0, errno 0
flags:UP,HOST,LLINFO,LOCAL
use:0   mtu:0expire:0 
locks:  inits: 
sockaddrs: DST,GATEWAY,LABEL
 5.5.5.5 08:00:27:fd:b8:81 EXPORT

In the commit message of route.c r1.172 you said always generating one message
per locally configured address.
Are any userland tools needing this message?

Would it make sense to remove the loop in rt_newaddrmsg which generates the two
route messages? Instead of this rt_newaddrmsg sends only the RTM_NEWADDR /
RTM_DELADDR message and the other message gets send after creating/deleting the
cloning route.

By the way if rt_newaddrmsg() sends RTM_NEWADDR and RTM_DELADDR we should
rename it to rt_addrmsg().

Regards,

Florian

Re: Sending route messages for local routes or cloning routes

2014-12-23 Thread Martin Pieuchot 
Hello Florian,

On 23/12/14(Tue) 11:17, Florian Riehm wrote:
 Hi Martin,
 
 as requested in your commit message I would like to tell you about a 
 regression
 with the introduced local routes:
 
 Before OpenBSD 5.6 it was possible to add route labels to interfaces and tell
 ospfd to redistribute all labeled routes. After adding an address to a labeled
 interface a new route was announced via ospf.
 
 Now the ospfd can't detect added or deleted addresses anymore, because the
 kernel informs about local routes instead of cloning routes.

Thanks for your attention and the report!

 route -nv monitor:
 
 OPENBSD_5_5:
 RTM_NEWADDR: address being added to iface: len 96, metric 0, flags:CLONING
 sockaddrs: NETMASK,IFP,IFA,BRD
  255.255.255.0 08:00:27:ad:dd:7c 5.5.5.5 5.5.5.255
 
 RTM_ADD: Add Route: len 192, priority 4, table 0, pid: 0, seq 0, errno 0
 flags:UP,CLONING
 use:0   mtu:0expire:0 
 locks:  inits: 
 sockaddrs: DST,GATEWAY,NETMASK,LABEL
  5.5.5.0 link#3 255.255.255.0 EXPORT
 
 OPENBSD_5_6:
 RTM_NEWADDR: address being added to iface: len 96, metric 0, flags:UP
 sockaddrs: NETMASK,IFP,IFA,BRD
  255.255.255.0 08:00:27:fd:b8:81 5.5.5.5 5.5.5.255
 
 RTM_ADD: Add Route: len 184, priority 1, table 0, pid: 0, seq 0, errno 0
 flags:UP,HOST,LLINFO,LOCAL
 use:0   mtu:0expire:0 
 locks:  inits: 
 sockaddrs: DST,GATEWAY,LABEL
  5.5.5.5 08:00:27:fd:b8:81 EXPORT
 
 In the commit message of route.c r1.172 you said always generating one 
 message
 per locally configured address.
 Are any userland tools needing this message?

At least dhclient(8).

 Would it make sense to remove the loop in rt_newaddrmsg which generates the 
 two
 route messages? Instead of this rt_newaddrmsg sends only the RTM_NEWADDR /
 RTM_DELADDR message and the other message gets send after creating/deleting 
 the
 cloning route.

I think it does make sense.  It would restore the RTM_ADD for
RTF_CLONING routes and keep one RTM_NEWADDR for RTF_LOCAL routes.
Apart from your scenario with ospfd/ospf6d, dhclient should be happy
with this change and I can think of a third case.  If  you configure
two addresses of the same subnet you should see 2 RTM_NEWADDR but only
one RTM_ADD since only the first address will get a cloning route.

 By the way if rt_newaddrmsg() sends RTM_NEWADDR and RTM_DELADDR we should
 rename it to rt_addrmsg().

If you remove the loop and generate only one message, I think that you can
simply use rt_sendmsg() and kill rt_newaddrmsg().

Re: Sending route messages for local routes or cloning routes

2014-12-23 Thread Florian Riehm 
On 12/23/14 11:59, Martin Pieuchot wrote:
 Would it make sense to remove the loop in rt_newaddrmsg which generates the 
 two
  route messages? Instead of this rt_newaddrmsg sends only the RTM_NEWADDR /
  RTM_DELADDR message and the other message gets send after 
  creating/deleting the
  cloning route.
 I think it does make sense.  It would restore the RTM_ADD for
 RTF_CLONING routes and keep one RTM_NEWADDR for RTF_LOCAL routes.
 Apart from your scenario with ospfd/ospf6d, dhclient should be happy
 with this change and I can think of a third case.  If  you configure
 two addresses of the same subnet you should see 2 RTM_NEWADDR but only
 one RTM_ADD since only the first address will get a cloning route.
 
  By the way if rt_newaddrmsg() sends RTM_NEWADDR and RTM_DELADDR we should
  rename it to rt_addrmsg().
 If you remove the loop and generate only one message, I think that you can
 simply use rt_sendmsg() and kill rt_newaddrmsg().


ok, thanks for your advice. I will try it and let you know if it works.

tls_init(3): mention tls_accept_socket function

2014-12-23 Thread Sunil Nimmagadda 
Hi,

tls_accept_socket function missing in tls_init(3) manpage.

Index: tls_init.3
===
RCS file: /cvs/src/lib/libtls/tls_init.3,v
retrieving revision 1.4
diff -u -p -r1.4 tls_init.3
--- tls_init.3  11 Nov 2014 04:17:34 -  1.4
+++ tls_init.3  23 Dec 2014 14:39:06 -
@@ -45,6 +45,7 @@
 .Nm tls_connect ,
 .Nm tls_connect_fds ,
 .Nm tls_connect_socket ,
+.Nm tls_accept_socket ,
 .Nm tls_read ,
 .Nm tls_write ,
 .Nd TLS client and server API
@@ -105,6 +106,8 @@
 .Ft int
 .Fn tls_connect_socket struct tls *ctx int s const char *hostname
 .Ft int
+.Fn tls_accept_socket struct tls *ctx struct tls **ctx int s
+.Ft int
 .Fn tls_read struct tls *ctx void *buf size_t buflen size_t *outlen
 .Ft int
 .Fn tls_write struct tls *ctx const void *buf size_t buflen size_t 
*outlen
@@ -295,6 +298,9 @@ connects a client context to a pair of e
 .It
 .Fn tls_connect_socket
 connects a client context to an already established socket connection.
+.It
+.Fn tls_accept_socket
+accepts a client context on an already established socket connection.
 .It
 .Fn tls_read
 reads

Re: httpd: redirect to https, or www, or non-www

2014-12-23 Thread trondd 
On Tue, Dec 23, 2014 at 12:44 PM, Carlin Bingham c...@viennan.net wrote:

 ngninx and apache support url rewriting, letting you redirect from
 arbitrary urls with pattern matching. In my experience the primary
 uses for this are to redirect from http to https or to remove/add www
 in the hostname, so I thought it might be useful to have options making
 these specific uses possible and simple to do.

 This adds an enforce option, where enforce https redirects non-http
 to https, enforce www redirects from example.org to www.example.org 
 http://www.example.org,
 and enforce no www redirects from www.example.org 
 http://www.example.org to example.org.

 Would appreciate any feedback or suggestions.

 Thanks


As someone who admins a number of web services with redirects to enforce
SSL, and consistent hostnames:

I feel like enforce https is ok, as it's a protocol and the options are
pretty limited and require differences in configurations so you know what
you want to support.  However enforce www seems too specific.  What if I
have www1.server.com or ww2.server.com or anything.server.com?  I would
want a more general approach to hostname/domain name rewriting.

Tim.

Re: [PATCH] update zlib to 1.2.8

2014-12-23 Thread Joerg Sonnenberger 
On Tue, Dec 23, 2014 at 10:54:15PM +0200, Timo Myyrä wrote:
 I was trying to port notmuch mail indexer but got little stuck with it as it
 requires newer Zlib version than whats in base.

It is easy to patch notmuch, the requirement is rather silly. FYI.

Joerg

Re: httpd: redirect to https, or www, or non-www

2014-12-23 Thread Bob Beck 
Making insecure redirects that the attacker can manipulate arbitrarily
is worse than dumb. because it trains users to like it.

I do not think we should be propagating such thinking.



On Tue, Dec 23, 2014 at 10:44 AM, Carlin Bingham c...@viennan.net wrote:
 ngninx and apache support url rewriting, letting you redirect from
 arbitrary urls with pattern matching. In my experience the primary
 uses for this are to redirect from http to https or to remove/add www
 in the hostname, so I thought it might be useful to have options making
 these specific uses possible and simple to do.

 This adds an enforce option, where enforce https redirects non-http
 to https, enforce www redirects from example.org to www.example.org 
 http://www.example.org,
 and enforce no www redirects from www.example.org http://www.example.org 
 to example.org.

 Would appreciate any feedback or suggestions.

 Thanks



 Index: usr.sbin/httpd/httpd.h
 ===
 RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
 retrieving revision 1.64
 diff -u -p -u -r1.64 httpd.h
 --- usr.sbin/httpd/httpd.h  12 Dec 2014 14:45:59 -  1.64
 +++ usr.sbin/httpd/httpd.h  23 Dec 2014 17:20:55 -
 @@ -345,6 +345,10 @@ SPLAY_HEAD(client_tree, client);
 \10\01NODELAY\02NO_NODELAY\03SACK\04NO_SACK   \
 \05SOCKET_BUFFER_SIZE\06IP_TTL\07IP_MINTTL\10NO_SPLICE

 +#define ENFORCE_HTTPS  0x10
 +#define ENFORCE_WWW0x01
 +#define ENFORCE_NO_WWW 0x02
 +
  enum log_format {
 LOG_FORMAT_COMMON,
 LOG_FORMAT_COMBINED,
 @@ -391,6 +395,8 @@ struct server_config {
 u_int8_t tcpipttl;
 u_int8_t tcpipminttl;

 +   u_int8_t enforce;
 +
 enum log_format  logformat;
 struct log_file *logaccess;
 struct log_file *logerror;
 @@ -499,6 +505,7 @@ struct server_config *
  serverconfig_byid(u_int32_t);
  int server_foreach(int (*)(struct server *,
 struct server_config *, void *), void *);
 +int server_enforce_redirect(struct client *);

  SPLAY_PROTOTYPE(client_tree, client, clt_nodes, server_client_cmp);

 Index: usr.sbin/httpd/parse.y
 ===
 RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
 retrieving revision 1.46
 diff -u -p -u -r1.46 parse.y
 --- usr.sbin/httpd/parse.y  21 Dec 2014 00:54:49 -  1.46
 +++ usr.sbin/httpd/parse.y  23 Dec 2014 17:20:56 -
 @@ -129,7 +129,7 @@ typedef struct {
  %token COMBINED CONNECTION DIRECTORY ERR FCGI INDEX IP KEY LISTEN LOCATION
  %token LOG LOGDIR MAXIMUM NO NODELAY ON PORT PREFORK REQUEST REQUESTS ROOT
  %token SACK SERVER SOCKET STYLE SYSLOG TCP TIMEOUT TLS TYPES
 -%token ERROR INCLUDE
 +%token ERROR INCLUDE ENFORCE HTTPS WWW
  %token v.string  STRING
  %token  v.number NUMBER
  %type  v.portport
 @@ -371,6 +371,15 @@ serveroptsl: LISTEN ON STRING opttls po
 }
 | DIRECTORY dirflags
 | DIRECTORY '{' dirflags_l '}'
 +   | ENFORCE HTTPS {
 +   srv_conf-enforce |= ENFORCE_HTTPS;
 +   }
 +   | ENFORCE WWW   {
 +   srv_conf-enforce |= ENFORCE_WWW;
 +   }
 +   | ENFORCE NO WWW{
 +   srv_conf-enforce |= ENFORCE_NO_WWW;
 +   }
 | logformat
 | fastcgi
 | LOCATION STRING   {
 @@ -863,8 +872,10 @@ lookup(char *s)
 { common, COMMON },
 { connection, CONNECTION },
 { directory,  DIRECTORY },
 +   { enforce,ENFORCE },
 { error,  ERR },
 { fastcgi,FCGI },
 +   { https,  HTTPS },
 { include,INCLUDE },
 { index,  INDEX },
 { ip, IP },
 @@ -890,7 +901,8 @@ lookup(char *s)
 { tcp,TCP },
 { timeout,TIMEOUT },
 { tls,TLS },
 -   { types,  TYPES }
 +   { types,  TYPES },
 +   { www,WWW }
 };
 const struct keywords   *p;

 Index: usr.sbin/httpd/server_http.c
 ===
 RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
 retrieving revision 1.57
 diff -u -p -u -r1.57 server_http.c
 --- usr.sbin/httpd/server_http.c21 Dec 2014 00:54:49 -  1.57
 +++ usr.sbin/httpd/server_http.c23 Dec 2014 17:20:56 -
 @@ -882,6 +882,9 @@ server_response(struct httpd *httpd, str
 /* Now search

Re: [PATCH] update zlib to 1.2.8

2014-12-23 Thread Jonas 'Sortie' Termansen 

Hi,

There's some value in having a newer zlib release. There have been bugfixes,
documentation fixes, various improvements, and API additions. I'm not 
sure how
much is backported to the OpenBSD zlib, but a quick glance through your 
attached
patch suggests there's stuff that would be nice to have. Do note your 
patch does

revert some OpenBSD-local changes to zlib. You should diff the older zlib
release with the OpenBSD zlib to see what they are and try to preserve 
them when

rebasing on the latest zlib release.

But if you read the patch to 1.2.8 carefully, you would also notice a 
good deal
of added portability code. Nothing too exciting has happened in the zlib 
world
the past decade, except the addition of more portability to support even 
more
awful systems. It's basically the OpenSSL approach to portability gone 
worse.

Not all of it is worth having, some of it is undesirable.

I think it's a better idea to go through the patch manually and pick out the
desirable changes and apply them. Or, as Joerg suggests, just patch the 
port to

be compatible with older zlib releases if possible.

Recently I got fed up with the awful code quality of upsteam zlib, so I 
fetched
1.2.8 and removed support for awful systems line by line, converting it 
to nice

standard C, not zlib-C. The result was a great deal simpler and the process
revealed a great deal of horrors. You just need to open a random file to 
find

them.

Jonas