Re: cwm(1): Enable numpad Enter on menus

2016-08-28 Thread Okan Demirmen
On Sat 2016.08.27 at 23:53 -0300, Henrique N. Lengler wrote:
> > Hi,
> > 
> > This is a tiny patch to enable the use of numpad Enter key on cwm menus.
> > 
> > Regards,
> > 
> > Henrique N. Lengler
> 
> No intention to apply this?
> 
> Numpad enter key is recognized by every program on openbsd base and xenocara,
> so this would keep consistency. Anyway it is only one line.

Applied; thank you!



Re: add option for disabling TLS session tickets to libttls

2016-08-28 Thread Andreas Bartelt

On 08/22/16 08:17, Claudio Jeker wrote:
> On Sun, Aug 21, 2016 at 02:25:15PM -0400, Ted Unangst wrote:
>> Andreas Bartelt wrote:
>>> Since the use of TLS session tickets potentially interferes with forward
>>> secrecy on a per-session basis, I'd personally prefer an opt-in in
>>> libtls as well as in httpd with regard to its usage. However, such a
>>> semantic change would not be transparent. Any opinions on this?
>>
>> Defaulting to off makes sense to me. It's the marginally safer option and at
>> small scale probably not a performance concern. But if the default results in
>> 900 "tutorials" telling people to turn it back on because web scale, then all
>> we've done is make things difficult.
>
> While I agree it is important to turn them on for HTTP servers or any
> other protocol that does a lot of reconnects. This should also include
> the magic to make them work across multiple processes (see my relayd diff
> for that -- which uses the libssl callback madness though).
> Without tickets the full TLS handshake will be made for every reconnect
> which is a common mode of operation for HTTP. Also I think tickets are a
> bit safer than the session cache (which AFAIK is also default on for
> servers) and probably the fallback mode.
> Client side tickets should be enabled since they are just passed along to
> the next connect without processing them.



Here's another diff which also adds enable/disable functions with regard 
to TLS session resumption. Although this mechanism is technically not a 
TLS extension, it is also optional and basically provides the same 
functionality as the TLS session ticket extension.


This diff is transparent to the current behaviour of libtls, i.e., it 
enables session tickets as well as session resumption by default. As I 
already said, I personally don't like the current default. In 
particular, I don't like the lack of key management for TLS tickets 
which always has to be done manually (see Claudio's relayd patch on 
tech@). If things go wrong, the corresponding damage might be pretty 
high on long-running TLS servers.


I suppose further API functions should be added for explicitly 
configuring session resumption and session ticket parameters.


During testing, I've also noticed that the session resumption mechanism 
currently doesn't work reliably. It always seems to fail at the first 
session resumption attempt, and it works with unpredictable reliability 
afterwards. I didn't look at the corresponding code in libssl yet.


OK?
Index: src/lib/libtls/tls.h
===
RCS file: /cvs/src/lib/libtls/tls.h,v
retrieving revision 1.35
diff -u -p -u -r1.35 tls.h
--- src/lib/libtls/tls.h	22 Aug 2016 14:58:26 -	1.35
+++ src/lib/libtls/tls.h	28 Aug 2016 10:35:31 -
@@ -41,6 +41,10 @@ extern "C" {
 #define TLS_WANT_POLLIN		-2
 #define TLS_WANT_POLLOUT	-3
 
+/* TLS extensions and other optional mechanisms */
+#define TLS_SESSION_RESUMPTION		0x0001L
+#define TLS_SESSION_TICKETS		0x0002L
+
 struct tls;
 struct tls_config;
 
@@ -78,6 +82,12 @@ int tls_config_set_keypair_mem(struct tl
 size_t _cert_len, const uint8_t *_key, size_t _key_len);
 void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
 void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth);
+
+void tls_config_enable_session_resumption(struct tls_config *_config);
+void tls_config_enable_session_tickets(struct tls_config *_config);
+
+void tls_config_disable_session_resumption(struct tls_config *_config);
+void tls_config_disable_session_tickets(struct tls_config *_config);
 
 void tls_config_prefer_ciphers_client(struct tls_config *_config);
 void tls_config_prefer_ciphers_server(struct tls_config *_config);
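Review bot: four new public functions are declared, but nothing in the diff updates the libtls manual page that documents the other tls_config_* calls or, if libtls maintains an exported-symbol list, that list; both should accompany the API addition or the functions are neither documented nor reliably exported. The enable/disable pairs also give a caller no way to query the current setting, which matters because the default is "on".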
Index: src/lib/libtls/tls_config.c
===
RCS file: /cvs/src/lib/libtls/tls_config.c,v
retrieving revision 1.28
diff -u -p -u -r1.28 tls_config.c
--- src/lib/libtls/tls_config.c	22 Aug 2016 14:55:59 -	1.28
+++ src/lib/libtls/tls_config.c	28 Aug 2016 10:35:32 -
@@ -193,6 +193,9 @@ tls_config_new(void)
 	tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
 	tls_config_set_verify_depth(config, 6);
 
+	tls_config_enable_session_resumption(config);
+	tls_config_enable_session_tickets(config);
+
 	tls_config_prefer_ciphers_server(config);
 
 	tls_config_verify(config);
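Review bot: tls_config_new() turns both flags on by default, which matches the "transparent to the current behaviour" statement in the message, but the hunks shown never consume config->tls_extensions: nothing here maps a cleared TLS_SESSION_TICKETS to SSL_OP_NO_TICKET or a cleared TLS_SESSION_RESUMPTION to SSL_CTX_set_session_cache_mode(..., SSL_SESS_CACHE_OFF) when the context is configured, and the hunk adding the tls_extensions member to struct tls_config is not shown either. If those hunks exist but were cut from the archive, fine; otherwise the new API is a no-op. These two calls also rely on the member starting at zero, which holds only if the config is calloc'ed.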
@@ -580,6 +583,30 @@ void
 tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
 {
 	config->verify_depth = verify_depth;
+}
+
+void
+tls_config_enable_session_resumption(struct tls_config *config)
+{
+	config->tls_extensions |= TLS_SESSION_RESUMPTION;
+}
+
+void
+tls_config_enable_session_tickets(struct tls_config *config)
+{
+	config->tls_extensions |= TLS_SESSION_TICKETS;
+}
+
+void
+tls_config_disable_session_resumption(struct tls_config *config)
+{
+	config->tls_extensions &= ~TLS_SESSION_RESUMPTION;
+}
+
+void
+tls_config_disable_session_tickets(struct tls_config *config)
+{
+	
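Review bot: the hunk is cut off in the archive after the opening of tls_config_disable_session_tickets(), so its body cannot be reviewed here. For the three complete functions: they are plain bit operations without error returns, consistent with tls_config_set_verify_depth() above them, but disabling tickets alone leaves TLS_SESSION_RESUMPTION set, so a server falls back to the libssl session cache that Claudio notes is on by default; a caller who wants the per-session forward secrecy the message is after has to call both disable functions, and the documentation should say so.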

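The default this thread argues about (tickets and resumption on) is something you can observe from the client side before and after a change like the diff above. The following script is an added example, not part of the libtls diff or of OpenBSD: it classifies saved `openssl s_client` output as a full or a resumed handshake and reports whether the server issued a session ticket. The `openssl` invocations in the comment are the assumed way to produce that output; the sample files are constructed to match the shape of s_client's status line and SSL-Session block, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the libtls diff or OpenBSD): classify saved
# `openssl s_client` output to tell a full handshake from a resumed one
# and to see whether the server handed out a session ticket.
#
# Assumed way to produce the input (needs network, so not run here):
#   openssl s_client -connect host:443 -sess_out /tmp/sess </dev/null >first.txt 2>&1
#   openssl s_client -connect host:443 -sess_in  /tmp/sess </dev/null >second.txt 2>&1
#   handshake_kind first.txt    # expect: new
#   handshake_kind second.txt   # expect: reused, if resumption worked

# Print "new", "reused" or "unknown" based on s_client's status line.
handshake_kind() {
    if grep -q '^Reused, ' "$1"; then
        echo reused
    elif grep -q '^New, ' "$1"; then
        echo new
    else
        echo unknown
    fi
}

# Print "yes" if the SSL-Session block carries a TLS session ticket, else "no".
# The "TLS session ticket lifetime hint:" line deliberately does not match.
has_ticket() {
    if grep -q '^ *TLS session ticket:' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample output in the shape s_client prints, trimmed to the
# relevant lines; the hex values are made up.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/first.txt" <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0A1B2C3D
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 11 22 33 44 55 66 77 88
EOF
cat > "$tmpdir/second.txt" <<'EOF'
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D
EOF
cat > "$tmpdir/noticket.txt" <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D
EOF

# Summarise each sample: first -> new handshake with ticket, second -> reused.
for f in first second noticket; do
    printf '%s: %s handshake, ticket=%s\n' "$f" \
        "$(handshake_kind "$tmpdir/$f.txt")" "$(has_ticket "$tmpdir/$f.txt")"
done
```

To check the "fails at the first resumption attempt" observation above, run the -sess_out/-sess_in pair several times against the server and expect every run after the first to report reused; a mix of new and reused across runs points at ticket keys or the session cache not being shared between server processes, which is the cross-process problem Claudio mentions.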
Re: cwm(1): Enable numpad Enter on menus

2016-08-28 Thread Peter Hessler
On 2016 Aug 27 (Sat) at 23:53:14 -0300 (-0300), Henrique N. Lengler wrote:
:> Hi,
:> 
:> This is a tiny patch to enable the use of numpad Enter key on cwm menus.
:> 
:> Regards,
:> 
:> Henrique N. Lengler
:
:No intention to apply this?
:
:Numpad enter key is recognized by every program on openbsd base and xenocara,
:so this would keep consistency. Anyway it is only one line.

OK


:Index: menu.c
:===
:RCS file: /cvs/xenocara/app/cwm/menu.c,v
:retrieving revision 1.90
:diff -u -p -r1.90 menu.c
:--- menu.c 28 Apr 2016 16:28:38 -  1.90
:+++ menu.c 17 Aug 2016 19:14:06 -
:@@ -523,6 +523,7 @@ menu_keycode(XKeyEvent *ev, enum ctltype
:   case XK_BackSpace:
:   *ctl = CTL_ERASEONE;
:   break;
:+  case XK_KP_Enter:
:   case XK_Return:
:   *ctl = CTL_RETURN;
:   break;
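Review bot: nothing wrong with the fall-through from `case XK_KP_Enter:` into `case XK_Return:`; it matches how this switch already groups equivalent keys. What is missing is the rest of the consistency the submitter argues for: if cwm(1) lists the keys the menus accept, keypad Enter belongs next to Return there, and it is worth grepping cwm for other comparisons against XK_Return outside menu_keycode() that may want the same treatment.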


-- 
If you're not part of the solution, you're part of the precipitate.



Re: nsd 4.1.11

2016-08-28 Thread Florian Obser
On Tue, Aug 16, 2016 at 07:00:39PM +, Florian Obser wrote:
> OK?
> 

anyone?


diff --git buffer.h buffer.h
index bee7d8b..9e17bc9 100644
--- buffer.h
+++ buffer.h
@@ -315,6 +315,20 @@ buffer_write_u32(buffer_type *buffer, uint32_t data)
 }
 
 static inline void
+buffer_write_u64_at(buffer_type *buffer, size_t at, uint64_t data)
+{
+   assert(buffer_available_at(buffer, at, sizeof(data)));
+   write_uint64(buffer->_data + at, data);
+}
+
+static inline void
+buffer_write_u64(buffer_type *buffer, uint64_t data)
+{
+   buffer_write_u64_at(buffer, buffer->_position, data);
+   buffer->_position += sizeof(data);
+}
+
+static inline void
 buffer_read_at(buffer_type *buffer, size_t at, void *data, size_t count)
 {
assert(buffer_available_at(buffer, at, count));
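Review bot: buffer_write_u64_at() calls write_uint64(), which this diff does not add; it has to exist alongside the 16- and 32-bit helpers in nsd's util.h for this to compile, so confirm it is part of the 4.1.11 import rather than assumed. As with the existing u16/u32 writers, assert() is the only bounds check and disappears under NDEBUG, so callers must reserve space before writing.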
@@ -373,6 +387,21 @@ buffer_read_u32(buffer_type *buffer)
return result;
 }
 
+static inline uint64_t
+buffer_read_u64_at(buffer_type *buffer, size_t at)
+{
+   assert(buffer_available_at(buffer, at, sizeof(uint64_t)));
+   return read_uint64(buffer->_data + at);
+}
+
+static inline uint64_t
+buffer_read_u64(buffer_type *buffer)
+{
+   uint64_t result = buffer_read_u64_at(buffer, buffer->_position);
+   buffer->_position += sizeof(uint64_t);
+   return result;
+}
+
 /*
  * Print to the buffer, increasing the capacity if required using
  * buffer_reserve(). The buffer's position is set to the terminating
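Review bot: buffer_read_u64_at() mirrors the writer but uses sizeof(uint64_t) where the writer uses sizeof(data); that matches the surrounding u32 helpers, so no change needed, but the same caveat applies: assert() is the only guard against reading past the buffer and is compiled out with NDEBUG, so any caller decoding 64-bit fields from input it does not control should check buffer_available() explicitly first.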
diff --git configlexer.lex configlexer.lex
index 113fa22..d536352 100644
--- configlexer.lex
+++ configlexer.lex
@@ -236,6 +236,7 @@ zone{COLON} { LEXOUT(("v(%s) ", yytext)); return 
VAR_ZONE;}
 zonefile{COLON}{ LEXOUT(("v(%s) ", yytext)); return 
VAR_ZONEFILE;}
 zonestats{COLON}   { LEXOUT(("v(%s) ", yytext)); return VAR_ZONESTATS;}
 allow-notify{COLON}{ LEXOUT(("v(%s) ", yytext)); return VAR_ALLOW_NOTIFY;}
+size-limit-xfr{COLON}  { LEXOUT(("v(%s) ", yytext)); return 
VAR_SIZE_LIMIT_XFR;}
 request-xfr{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_REQUEST_XFR;}
 notify{COLON}  { LEXOUT(("v(%s) ", yytext)); return VAR_NOTIFY;}
 notify-retry{COLON}{ LEXOUT(("v(%s) ", yytext)); return VAR_NOTIFY_RETRY;}
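Review bot: the new size-limit-xfr: keyword needs a matching entry in nsd.conf(5); no documentation hunk appears in the portion of the diff shown. The line is wrapped by the archive, not by the diff, so the token itself looks fine.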
@@ -268,6 +269,10 @@ zonefiles-check{COLON} { LEXOUT(("v(%s) ", yytext)); 
return VAR_ZONEFILES_CHECK;
 zonefiles-write{COLON} { LEXOUT(("v(%s) ", yytext)); return 
VAR_ZONEFILES_WRITE;}
 log-time-ascii{COLON}  { LEXOUT(("v(%s) ", yytext)); return 
VAR_LOG_TIME_ASCII;}
 round-robin{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_ROUND_ROBIN;}
+max-refresh-time{COLON}{ LEXOUT(("v(%s) ", yytext)); return 
VAR_MAX_REFRESH_TIME;}
+min-refresh-time{COLON}{ LEXOUT(("v(%s) ", yytext)); return 
VAR_MIN_REFRESH_TIME;}
+max-retry-time{COLON}  { LEXOUT(("v(%s) ", yytext)); return 
VAR_MAX_RETRY_TIME;}
+min-retry-time{COLON}  { LEXOUT(("v(%s) ", yytext)); return 
VAR_MIN_RETRY_TIME;}
 {NEWLINE}  { LEXOUT(("NL\n")); cfg_parser->line++;}
 
/* Quoted strings. Strip leading and ending quotes */
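Review bot: same point as for size-limit-xfr: max-refresh-time/min-refresh-time/max-retry-time/min-retry-time need nsd.conf(5) entries, and the documentation should state what happens when a configured minimum exceeds the maximum. The grammar rules for these four options are not in the portion of the diff shown, so their range validation cannot be checked here.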
diff --git configparser.y configparser.y
index 1d824d1..9089665 100644
--- configparser.y
+++ configparser.y
@@ -54,7 +54,7 @@ extern config_parser_state_t* cfg_parser;
 %token VAR_TCP_MSS VAR_OUTGOING_TCP_MSS VAR_IP_FREEBIND
 %token VAR_ZONEFILE 
 %token VAR_ZONE
-%token VAR_ALLOW_NOTIFY VAR_REQUEST_XFR VAR_NOTIFY VAR_PROVIDE_XFR 
+%token VAR_ALLOW_NOTIFY VAR_REQUEST_XFR VAR_NOTIFY VAR_PROVIDE_XFR 
VAR_SIZE_LIMIT_XFR 
 %token VAR_NOTIFY_RETRY VAR_OUTGOING_INTERFACE VAR_ALLOW_AXFR_FALLBACK
 %token VAR_KEY
 %token VAR_ALGORITHM VAR_SECRET
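Review bot: the changed %token line keeps its trailing whitespace (the `-` and `+` lines differ only by the appended VAR_SIZE_LIMIT_XFR); harmless for yacc, but since the line is being touched anyway, dropping the trailing space avoids whitespace churn in later diffs.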
@@ -69,6 +69,8 @@ extern config_parser_state_t* cfg_parser;
 %token VAR_RRL_WHITELIST_RATELIMIT VAR_RRL_WHITELIST
 %token VAR_ZONEFILES_CHECK VAR_ZONEFILES_WRITE VAR_LOG_TIME_ASCII
 %token VAR_ROUND_ROBIN VAR_ZONESTATS VAR_REUSEPORT VAR_VERSION
+%token VAR_MAX_REFRESH_TIME VAR_MIN_REFRESH_TIME
+%token VAR_MAX_RETRY_TIME VAR_MIN_RETRY_TIME
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -598,7 +600,9 @@ content_pattern: pattern_name | zone_config_item;
 zone_config_item: zone_zonefile | zone_allow_notify | zone_request_xfr |
zone_notify | zone_notify_retry | zone_provide_xfr | 
zone_outgoing_interface | zone_allow_axfr_fallback | include_pattern |
-   zone_rrl_whitelist | zone_zonestats;
+   zone_rrl_whitelist | zone_zonestats | zone_max_refresh_time |
+   zone_min_refresh_time | zone_max_retry_time | zone_min_retry_time |
+   zone_size_limit_xfr;
 pattern_name: VAR_NAME STRING
{ 
OUTYY(("P(pattern_name:%s)\n", $2)); 
@@ -714,6 +718,14 @@ zone_request_xfr: VAR_REQUEST_XFR zone_request_xfr_data
{
}
;
+zone_size_limit_xfr: VAR_SIZE_LIMIT_XFR STRING
+   { 
+   OUTYY(("P(size_limit_xfr:%s)\n", $2)); 
+   if(atoll($2) < 0)
+   yyerror("number >= 0 expected");
+   else cfg_parser->current_pattern->size_limit_xfr = atoll($2);
+   }
+   ;
 
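Review bot: zone_size_limit_xfr only rejects negative values. atoll() returns 0 for a non-numeric string, so `size-limit-xfr: lots` silently parses as 0, which presumably means "no limit", the opposite of what the operator asked for. A stricter check in the style of the other numeric options (reject a string that converts to 0 unless it is literally "0", or better strtoll() with an end-pointer check since 64-bit values are expected here) belongs in this rule, and storing the converted value once avoids calling atoll($2) twice.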

Re: ld.so: remove unused syscall stubs

2016-08-28 Thread Mark Kettenis
> Date: Sat, 27 Aug 2016 21:14:20 -0700
> From: Philip Guenther 
> 
> _dl_gettimeofday() was used by the prebind code, which was recently 
> removed.
> 
> _dl_lstat() was only used by _dl_realpath(), which no longer needs it.
> 
> ok?

ok kettenis@

> Index: alpha/ldasm.S
> ===
> RCS file: /cvs/src/libexec/ld.so/alpha/ldasm.S,v
> retrieving revision 1.36
> diff -u -p -r1.36 ldasm.S
> --- alpha/ldasm.S 7 Aug 2016 03:05:23 -   1.36
> +++ alpha/ldasm.S 28 Aug 2016 04:12:17 -
> @@ -316,10 +316,8 @@ DL_SYSCALL(getdents)
>  DL_SYSCALL(getentropy)
>  DL_SYSCALL(sendsyslog)
>  DL_SYSCALL(pledge)
> -DL_SYSCALL(gettimeofday)
>  DL_SYSCALL_NOERR(issetugid)
>  DL_SYSCALL_NOERR(getthrid)
> -DL_SYSCALL(lstat)
>  DL_SYSCALL(mprotect)
>  DL_SYSCALL(munmap)
>  DL_SYSCALL(open)
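Review bot: removing DL_SYSCALL(gettimeofday) and DL_SYSCALL(lstat) is safe only because the matching prototypes go in the alpha/syscall.h hunk that follows, so any stale caller fails to build instead of silently calling a missing stub; the ldasm.S/syscall.h pair must stay in sync on every architecture, so the whole libexec/ld.so tree should be built, not just the archs visible here. Two fewer syscalls reachable from ld.so is a welcome side effect.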
> Index: alpha/syscall.h
> ===
> RCS file: /cvs/src/libexec/ld.so/alpha/syscall.h,v
> retrieving revision 1.34
> diff -u -p -r1.34 syscall.h
> --- alpha/syscall.h   4 Jul 2016 21:15:06 -   1.34
> +++ alpha/syscall.h   28 Aug 2016 04:12:17 -
> @@ -51,10 +51,8 @@ int_dl_fstat(int, struct stat *);
>  ssize_t  _dl_getdents(int, char *, size_t);
>  long _dl__syscall(quad_t, ...);
>  int  _dl_sysctl(const int *, u_int, void *, size_t *, void *, size_t);
> -int  _dl_gettimeofday(struct timeval *, struct timezone *);
>  ssize_t  _dl_readlink(const char *, char *, size_t);
>  int  _dl_pledge(const char *, const char **);
> -int  _dl_lstat(const char *, struct stat *);
>  int  _dl_getcwd(char *, size_t);
>  int  _dl_utrace(const char *, const void *, size_t);
>  int  _dl_getentropy(char *, size_t);
> Index: amd64/ldasm.S
> ===
> RCS file: /cvs/src/libexec/ld.so/amd64/ldasm.S,v
> retrieving revision 1.24
> diff -u -p -r1.24 ldasm.S
> --- amd64/ldasm.S 7 May 2016 19:05:23 -   1.24
> +++ amd64/ldasm.S 28 Aug 2016 04:12:17 -
> @@ -91,10 +91,8 @@ DL_SYSCALL(getthrid)
>  DL_SYSCALL(getdents)
>  DL_SYSCALL(mprotect)
>  DL_SYSCALL(munmap)
> -DL_SYSCALL(gettimeofday)
>  DL_SYSCALL(exit)
>  DL_SYSCALL(readlink)
> -DL_SYSCALL(lstat)
>  DL_SYSCALL(utrace)
>  DL_SYSCALL(getentropy)
>  DL_SYSCALL(sendsyslog)
> Index: amd64/syscall.h
> ===
> RCS file: /cvs/src/libexec/ld.so/amd64/syscall.h,v
> retrieving revision 1.22
> diff -u -p -r1.22 syscall.h
> --- amd64/syscall.h   4 Jul 2016 21:15:06 -   1.22
> +++ amd64/syscall.h   28 Aug 2016 04:12:18 -
> @@ -51,10 +51,8 @@ ssize_t_dl_read(int, const char *, size
>  int  _dl_fstat(int, struct stat *);
>  ssize_t  _dl_getdents(int, char *, size_t);
>  int  _dl_sysctl(const int *, u_int, void *, size_t *, void *, size_t);
> -int  _dl_gettimeofday(struct timeval *, struct timezone *);
>  ssize_t  _dl_readlink(const char *, char *, size_t);
>  int  _dl_pledge(const char *, const char **);
> -int  _dl_lstat(const char *, struct stat *);
>  int  _dl_getcwd(char *, size_t);
>  int  _dl_utrace(const char *, const void *, size_t);
>  int  _dl_getentropy(char *, size_t);
> Index: arm/ldasm.S
> ===
> RCS file: /cvs/src/libexec/ld.so/arm/ldasm.S,v
> retrieving revision 1.23
> diff -u -p -r1.23 ldasm.S
> --- arm/ldasm.S   9 Aug 2016 03:58:35 -   1.23
> +++ arm/ldasm.S   28 Aug 2016 04:12:18 -
> @@ -126,9 +126,7 @@ DL_SYSCALL(open)
>  DL_SYSCALL(read)
>  DL_SYSCALL(write)
>  DL_SYSCALL(fstat)
> -DL_SYSCALL(gettimeofday)
>  DL_SYSCALL(readlink)
> -DL_SYSCALL(lstat)
>  DL_SYSCALL(utrace)
>  DL_SYSCALL(getentropy)
>  DL_SYSCALL(sendsyslog)
> Index: arm/syscall.h
> ===
> RCS file: /cvs/src/libexec/ld.so/arm/syscall.h,v
> retrieving revision 1.22
> diff -u -p -r1.22 syscall.h
> --- arm/syscall.h 4 Jul 2016 21:15:06 -   1.22
> +++ arm/syscall.h 28 Aug 2016 04:12:18 -
> @@ -51,10 +51,8 @@ ssize_t_dl_read(int, const char *, size
>  int  _dl_fstat(int, struct stat *);
>  ssize_t  _dl_getdents(int, char *, size_t);
>  int  _dl_sysctl(const int *, u_int, void *, size_t *, void *, size_t);
> -int  _dl_gettimeofday(struct timeval *, struct timezone *);
>  ssize_t  _dl_readlink(const char *, char *, size_t);
>  int  _dl_pledge(const char *, const char **);
> -int  _dl_lstat(const char *, struct stat *);
>  int  _dl_getcwd(char *, size_t);
>  int  _dl_utrace(const char *, const void *, size_t);
>  int  _dl_getentropy(char *, size_t);
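Review bot: the amd64 and arm hunks are the same mechanical removal as alpha, each with its ldasm.S and syscall.h changed together, so nothing further to raise there; the hppa hunk that follows is truncated in the archive, so its ldasm.S and syscall.h halves cannot be confirmed to match from this page.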
> Index: hppa/ldasm.S
> ===
> RCS file: /cvs/src/libexec/ld.so/hppa/ldasm.S,v
> retrieving revision 1.21
> diff -u -p -r1.21 ldasm.S
> --- hppa/ldasm.S  7 May 2016 19:05:23 -   1.21
> +++ hppa/ldasm.S  28 Aug 2016