Re: mounting tmpfs ???
2016-12-14 17:07 GMT+01:00 sven falempin:
> i am using this daily, what can i do !?

maintain tmpfs

Best
Martin
Provide the "machdep.lidsuspend" sysctl on Loongson
Hi tech@, Here is a diff to add the "machdep.lidsuspend" sysctl on Loongson. This is another required step to activate suspend on lid close on the Lemote Yeeloong. Comments? OK? Index: etc/etc.loongson/sysctl.conf === RCS file: /cvs/src/etc/etc.loongson/sysctl.conf,v retrieving revision 1.2 diff -u -p -r1.2 sysctl.conf --- etc/etc.loongson/sysctl.conf24 Jun 2011 19:47:48 - 1.2 +++ etc/etc.loongson/sysctl.conf14 Dec 2016 14:05:36 - @@ -0,0 +1 @@ +#machdep.lidsuspend=0 # do not suspend laptop upon lid closing Index: sys/arch/loongson/loongson/machdep.c === RCS file: /cvs/src/sys/arch/loongson/loongson/machdep.c,v retrieving revision 1.69 diff -u -p -r1.69 machdep.c --- sys/arch/loongson/loongson/machdep.c11 Dec 2016 07:57:14 - 1.69 +++ sys/arch/loongson/loongson/machdep.c14 Dec 2016 14:06:28 - @@ -116,6 +116,7 @@ int physmem;/* Max supported memory, c intncpu = 1; /* At least one CPU in the system. */ intnnodes = 1; /* Number of NUMA nodes, only on 3A. */ struct user *proc0paddr; +intlid_suspend = 1; const struct platform *sys_platform; struct cpu_hwinfo bootcpu_hwinfo; @@ -1016,9 +1017,12 @@ cpu_sysctl(name, namelen, oldp, oldlenp, return ENOTDIR; /* Overloaded */ switch (name[0]) { + case CPU_LIDSUSPEND: + return (sysctl_int(oldp, oldlenp, newp, newlen, &lid_suspend)); default: - return EOPNOTSUPP; + return (EOPNOTSUPP); } + /* NOTREACHED */ } intwaittime = -1; Index: sys/arch/mips64/include/cpu.h === RCS file: /cvs/src/sys/arch/mips64/include/cpu.h,v retrieving revision 1.111 diff -u -p -r1.111 cpu.h --- sys/arch/mips64/include/cpu.h 14 Aug 2016 08:23:52 - 1.111 +++ sys/arch/mips64/include/cpu.h 14 Dec 2016 14:06:28 - 
@@ -361,12 +361,14 @@ void cp0_calibrate(struct cpu_info *); */ #defineCPU_ALLOWAPERTURE 1 /* allow mmap of /dev/xf86 */ /* 2 formerly: keyboard reset */ -#defineCPU_MAXID 3 /* number of valid machdep ids */ +#defineCPU_LIDSUSPEND 3 /* lid close causes a suspend */ +#defineCPU_MAXID 4 /* number of valid machdep ids */ #defineCTL_MACHDEP_NAMES { \ { 0, 0 }, \ { "allowaperture", CTLTYPE_INT }, \ { 0, 0 }, \ + { "lidsuspend", CTLTYPE_INT }, \ } /*
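Review bot: In the cpu_sysctl() hunk of machdep.c, the new `case CPU_LIDSUSPEND:` hands `&lid_suspend` straight to sysctl_int(), so any integer a privileged writer supplies is stored. The sysctl.conf comment documents only 0 ("do not suspend laptop upon lid closing") and the default is 1, so consider rejecting values other than 0 and 1, or documenting what other values mean, before the consumer of lid_suspend is wired up. CPU_LIDSUSPEND and the "lidsuspend" name also go into sys/arch/mips64/include/cpu.h while the handler is added only in the loongson machdep.c, so any other port sharing that header would list the name and answer EOPNOTSUPP; a short comment in cpu.h saying it is Loongson-only would help. The `return (EOPNOTSUPP);` and `/* NOTREACHED */` style changes are unrelated and could go in separately.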
Re: igmp: set rtableid on new mbufs
On 14/12/16(Wed) 16:54, Rafael Zalamena wrote: > After running the igmpproxy in multiple domains I noticed that the kernel > started complaining about sending packets on wrong domains. Here is the > exact message: > " > vio1: trying to send packet on wrong domain. if 1 vs. mbuf 0 > " > > After some debugging I traced the problem to the igmp_sendpkt() function > and it seems that it is missing to set the mbuf rdomain, so this is > exactly what this diff does. It doesn't make sense to call if_get(9) when all the callers of igmp_sendpkt() already have a reference to the sending ifp. if_get(9) has a cost and adds complexity. I'd rather pass ifp or the rdomain to igmp_sendpkt(). > Index: sys/netinet/igmp.c > === > RCS file: /home/obsdcvs/src/sys/netinet/igmp.c,v > retrieving revision 1.56 > diff -u -p -r1.56 igmp.c > --- sys/netinet/igmp.c5 Dec 2016 15:31:43 - 1.56 > +++ sys/netinet/igmp.c14 Dec 2016 15:40:08 - > @@ -613,14 +613,21 @@ igmp_slowtimo(void) > void > igmp_sendpkt(struct in_multi *inm, int type, in_addr_t addr) > { > + struct ifnet *ifp; > struct mbuf *m; > struct igmp *igmp; > struct ip *ip; > struct ip_moptions imo; > > + if ((ifp = if_get(inm->inm_ifidx)) == NULL) > + return; > + > MGETHDR(m, M_DONTWAIT, MT_HEADER); > - if (m == NULL) > + if (m == NULL) { > + if_put(ifp); > return; > + } > + > /* >* Assume max_linkhdr + sizeof(struct ip) + IGMP_MINLEN >* is smaller than mbuf size returned by MGETHDR. > @@ -652,6 +659,7 @@ igmp_sendpkt(struct in_multi *inm, int t > m->m_data -= sizeof(struct ip); > m->m_len += sizeof(struct ip); > > + m->m_pkthdr.ph_rtableid = ifp->if_rdomain; > imo.imo_ifidx = inm->inm_ifidx; > imo.imo_ttl = 1; > > @@ -666,6 +674,7 @@ igmp_sendpkt(struct in_multi *inm, int t > #endif /* MROUTING */ > > ip_output(m, router_alert, NULL, IP_MULTICASTOPTS, &imo, NULL, 0); > + if_put(ifp); > > ++igmpstat.igps_snd_reports; > } >
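Review bot: In the first hunk, the new `if_get()` failure path returns before MGETHDR with no trace, so a report dropped because inm_ifidx no longer resolves is indistinguishable from one that was never attempted; if the lookup stays, a comment on when the index can be stale would help. Passing the rdomain in from the callers, as suggested in the reply above, removes this path along with both if_put() calls.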
Re: mounting tmpfs ???
On 2016/12/14 11:07, sven falempin wrote:
> On Wed, Dec 14, 2016 at 10:51 AM, Stuart Henderson wrote:
>
> > On 2016/12/14 10:44, sven falempin wrote:
> > > [130]-[~]
> > > # ktrace mount_tmpfs -s20M tmpfs /foo
> > > mount_tmpfs: tmpfs on /foo: Operation not supported
> > > [1]-[~]
> > > # ls -ld /foo
> > > drwxr-xr-x 2 root wheel 512 Dec 14 16:26 /foo
> >
> > revision 1.229
> > date: 2016/07/25 19:52:56; author: deraadt; state: Exp; lines: +2 -2; commit id: SKJd8VyGOLxZLj1g;
> > disable tmpfs because it receives zero maintainance.
>
> Okay,
>
> i am using this daily, what can i do !?
> besides compiling my own 'unsupported' kernel . . .

Switch to mfs?
Re: mounting tmpfs ???
On Wed, Dec 14, 2016 at 10:51 AM, Stuart Henderson wrote:

> On 2016/12/14 10:44, sven falempin wrote:
> > [130]-[~]
> > # ktrace mount_tmpfs -s20M tmpfs /foo
> > mount_tmpfs: tmpfs on /foo: Operation not supported
> > [1]-[~]
> > # ls -ld /foo
> > drwxr-xr-x 2 root wheel 512 Dec 14 16:26 /foo
>
> revision 1.229
> date: 2016/07/25 19:52:56; author: deraadt; state: Exp; lines: +2 -2; commit id: SKJd8VyGOLxZLj1g;
> disable tmpfs because it receives zero maintainance.

Okay,

i am using this daily, what can i do !?
besides compiling my own 'unsupported' kernel . . .

Cheers

--
() ascii ribbon campaign - against html e-mail
/\
Re: mounting tmpfs ???
On 2016/12/14 10:44, sven falempin wrote:
> [130]-[~]
> # ktrace mount_tmpfs -s20M tmpfs /foo
> mount_tmpfs: tmpfs on /foo: Operation not supported
> [1]-[~]
> # ls -ld /foo
> drwxr-xr-x 2 root wheel 512 Dec 14 16:26 /foo

revision 1.229
date: 2016/07/25 19:52:56; author: deraadt; state: Exp; lines: +2 -2; commit id: SKJd8VyGOLxZLj1g;
disable tmpfs because it receives zero maintainance.
[patch] Minor corrections to xenocara man pages.
Hello tech@, I've just found man references in the SEE ALSO section to xfs(1), the X font server which was unlinked from base in 5.7, in the following man pages: fslsfonts(1) fstobdf(1) mkfontdir(1) mkfontscale(1) showfont(1) xfsinfo(1) Xserver(1) X(7) Also, in X(7) there's a reference to fsinfo(1), which as per xfsinfo(1) HISTORY section, it was renamed to xfsinfo "to avoid a clash with the fsinfo utility from the Berkeley automounter amd". I'm providing these trivial patches to address them, in case that helps. Regards, Salvador Sabaini Index: fslsfonts.man === RCS file: /cvs/xenocara/app/fslsfonts/man/fslsfonts.man,v retrieving revision 1.2 diff -u -p -r1.2 fslsfonts.man --- fslsfonts.man 3 Jan 2015 15:46:00 - 1.2 +++ fslsfonts.man 14 Dec 2016 14:06:09 - @@ -97,7 +97,7 @@ be specified in one of the formats defin .I Font Server Names section of X(__miscmansuffix__). .SH "SEE ALSO" -xfs(__appmansuffix__), showfont(__appmansuffix__), xlsfonts(__appmansuffix__), +showfont(__appmansuffix__), xlsfonts(__appmansuffix__), X(__miscmansuffix__). .SH BUGS Doing ``fslsfonts \-l'' can tie up your server for a very long time. Index: fstobdf.man === RCS file: /cvs/xenocara/app/fstobdf/man/fstobdf.man,v retrieving revision 1.2 diff -u -p -r1.2 fstobdf.man --- fstobdf.man 3 Jan 2015 15:46:53 - 1.2 +++ fstobdf.man 14 Dec 2016 15:27:41 - @@ -67,7 +67,7 @@ be specified in one of the formats defin .I Font Server Names section of X(__miscmansuffix__). .SH "SEE ALSO" -xfs(__appmansuffix__), bdftopcf(__appmansuffix__), showfont(__appmansuffix__), +bdftopcf(__appmansuffix__), showfont(__appmansuffix__), fslsfonts(__appmansuffix__), X(__miscmansuffix__). .SH AUTHOR Olaf Brandt, Network Computing Devices Index: mkfontdir.man === RCS file: /cvs/xenocara/app/mkfontdir/man/mkfontdir.man,v retrieving revision 1.1 diff -u -p -r1.1 mkfontdir.man --- mkfontdir.man 18 Feb 2012 09:01:38 - 1.1 +++ mkfontdir.man 14 Dec 2016 14:29:50 - 
@@ -172,4 +172,4 @@ List of known encodings and the files th Created by \fImkfontdir\fP. Read by the X server and font server each time a font with an unknown charset is opened. .SH "SEE ALSO" -X(__miscmansuffix__), Xserver(__appmansuffix__), mkfontscale(__appmansuffix__), xfs(__appmansuffix__), xset(__appmansuffix__) +X(__miscmansuffix__), Xserver(__appmansuffix__), mkfontscale(__appmansuffix__), xset(__appmansuffix__) Index: mkfontscale.man === RCS file: /cvs/xenocara/app/mkfontscale/man/mkfontscale.man,v retrieving revision 1.3 diff -u -p -r1.3 mkfontscale.man --- mkfontscale.man 25 Jan 2015 11:31:45 - 1.3 +++ mkfontscale.man 14 Dec 2016 14:38:01 - @@ -140,7 +140,7 @@ print program version and exit. .B \-\- end of options. .SH SEE ALSO -X(__miscmansuffix__), Xserver(__appmansuffix__), mkfontdir(__appmansuffix__), ttmkfdir(__appmansuffix__), xfs(__appmansuffix__), xset(__appmansuffix__) +X(__miscmansuffix__), Xserver(__appmansuffix__), mkfontdir(__appmansuffix__), ttmkfdir(__appmansuffix__), xset(__appmansuffix__) .SH NOTES The format of the .BR fonts.scale , Index: showfont.man === RCS file: /cvs/xenocara/app/showfont/man/showfont.man,v retrieving revision 1.2 diff -u -p -r1.2 showfont.man --- showfont.man3 Jan 2015 15:56:46 - 1.2 +++ showfont.man14 Dec 2016 15:34:51 - @@ -77,7 +77,7 @@ Do not show the font properties. .B \-version Print the program version and exit. .SH "SEE ALSO" -xfs(__appmansuffix__), fslsfonts(__appmansuffix__), +fslsfonts(__appmansuffix__), fstobdf(__appmansuffix__), xlsfonts(__appmansuffix__), X(__miscmansuffix__). .SH ENVIRONMENT .TP 8 Index: xfsinfo.man === RCS file: /cvs/xenocara/app/xfsinfo/man/xfsinfo.man,v retrieving revision 1.2 diff -u -p -r1.2 xfsinfo.man --- xfsinfo.man 3 Jan 2015 15:59:51 - 1.2 +++ xfsinfo.man 14 Dec 2016 15:34:00 - 
@@ -88,6 +88,6 @@ be specified in one of the formats defin .I Font Server Names section of X(__miscmansuffix__). .SH "SEE ALSO" -xfs(__appmansuffix__), fslsfonts(__appmansuffix__), X(__miscmansuffix__). +fslsfonts(__appmansuffix__), X(__miscmansuffix__). .SH AUTHOR Dave Lemke, Network Computing Devices, Inc Index: Xserver.man === RCS file: /cvs/xenocara/xserver/man/Xserver.man,v retrieving revision 1.10 diff -u -p -r1.10 Xserver.man --- Xserver.man 29 May 2016 12:02:39 - 1.10 +++ Xserver.man 14 Dec 2016 14:49:06 - @@ -606,7 +606,7 @@ Protocols: .I "X Display Manager Control Protocol" .PP F
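Review bot: In the mkfontdir.man hunk the unchanged context line still reads "Read by the X server and font server each time a font with an unknown charset is opened", so removing xfs(__appmansuffix__) from SEE ALSO leaves prose that points at a font server the page no longer cross-references; the same holds for the "Font Server Names section of X(__miscmansuffix__)" context in the fslsfonts, fstobdf and xfsinfo hunks. Either adjust that wording in the same diff or say in the commit message that only the cross-references are being dropped. The Xserver.man hunk is cut off on this page, so the X(7) fsinfo/xfsinfo change described in the mail cannot be checked here.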
igmp: set rtableid on new mbufs
After running the igmpproxy in multiple domains I noticed that the kernel started complaining about sending packets on wrong domains. Here is the exact message: " vio1: trying to send packet on wrong domain. if 1 vs. mbuf 0 " After some debugging I traced the problem to the igmp_sendpkt() function and it seems that it is missing to set the mbuf rdomain, so this is exactly what this diff does. ok? Index: sys/netinet/igmp.c === RCS file: /home/obsdcvs/src/sys/netinet/igmp.c,v retrieving revision 1.56 diff -u -p -r1.56 igmp.c --- sys/netinet/igmp.c 5 Dec 2016 15:31:43 - 1.56 +++ sys/netinet/igmp.c 14 Dec 2016 15:40:08 - @@ -613,14 +613,21 @@ igmp_slowtimo(void) void igmp_sendpkt(struct in_multi *inm, int type, in_addr_t addr) { + struct ifnet *ifp; struct mbuf *m; struct igmp *igmp; struct ip *ip; struct ip_moptions imo; + if ((ifp = if_get(inm->inm_ifidx)) == NULL) + return; + MGETHDR(m, M_DONTWAIT, MT_HEADER); - if (m == NULL) + if (m == NULL) { + if_put(ifp); return; + } + /* * Assume max_linkhdr + sizeof(struct ip) + IGMP_MINLEN * is smaller than mbuf size returned by MGETHDR. @@ -652,6 +659,7 @@ igmp_sendpkt(struct in_multi *inm, int t m->m_data -= sizeof(struct ip); m->m_len += sizeof(struct ip); + m->m_pkthdr.ph_rtableid = ifp->if_rdomain; imo.imo_ifidx = inm->inm_ifidx; imo.imo_ttl = 1; @@ -666,6 +674,7 @@ igmp_sendpkt(struct in_multi *inm, int t #endif /* MROUTING */ ip_output(m, router_alert, NULL, IP_MULTICASTOPTS, &imo, NULL, 0); + if_put(ifp); ++igmpstat.igps_snd_reports; }
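Review bot: `ifp` is dereferenced only once, at `m->m_pkthdr.ph_rtableid = ifp->if_rdomain;` in the second hunk, yet the reference taken at the top of igmp_sendpkt() is held across ip_output() and released only in the third hunk. Reading if_rdomain into a local and calling if_put() immediately after if_get() would make the extra `if_put(ifp)` in the MGETHDR failure branch unnecessary and keep the reference window minimal.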
mounting tmpfs ???
[130]-[~]
# ktrace mount_tmpfs -s20M tmpfs /foo
mount_tmpfs: tmpfs on /foo: Operation not supported
[1]-[~]
# ls -ld /foo
drwxr-xr-x 2 root wheel 512 Dec 14 16:26 /foo

trace:

 6289 mount_tmpfs CALL lstat(0x7f7d9810,0x7f7d89f0)
 6289 mount_tmpfs NAMI "/foo"
 6289 mount_tmpfs STRU struct stat { dev=1024, ino=1974784, mode=drwxr-xr-x , nlink=2, uid=0<"root">, gid=0<"wheel">, rdev=7880112, atime=1481729169<"Dec 14 16:26:09 2016">.100496580, mtime=1481729169<"Dec 14 16:26:09 2016">.100496580, ctime=1481729169<"Dec 14 16:26:09 2016">.100496580, size=512, blocks=4, blksize=16384, flags=0x0, gen=0xd76f1232 }
 6289 mount_tmpfs RET lstat 0
 6289 mount_tmpfs CALL stat(0x7f7d9810,0x7f7d9700)
 6289 mount_tmpfs NAMI "/foo"
 6289 mount_tmpfs STRU struct stat { dev=1024, ino=1974784, mode=drwxr-xr-x , nlink=2, uid=0<"root">, gid=0<"wheel">, rdev=7880112, atime=1481729169<"Dec 14 16:26:09 2016">.100496580, mtime=1481729169<"Dec 14 16:26:09 2016">.100496580, ctime=1481729169<"Dec 14 16:26:09 2016">.100496580, size=512, blocks=4, blksize=16384, flags=0x0, gen=0xd76f1232 }
 6289 mount_tmpfs RET stat 0
 6289 mount_tmpfs CALL mount(0x1c632902c204,0x7f7d9810,0<>0,0x7f7d97e0)
 6289 mount_tmpfs NAMI "/foo"
 6289 mount_tmpfs RET mount -1 errno 45 Operation not supported
Re: commit format-pem script?
On 2016/12/14 09:40, Stuart Henderson wrote:
> This is the current version of the script I'm using to sort cert.pem.
> Would it be ok to commit it rather than maintaining it locally?
>
> Index: lib/libcrypto/format-pem

Minor change suggested by jsg which I agree with: rename to format-pem.pl.
commit format-pem script?
This is the current version of the script I'm using to sort cert.pem. Would it be ok to commit it rather than maintaining it locally? Index: lib/libcrypto/format-pem === RCS file: lib/libcrypto/format-pem diff -N lib/libcrypto/format-pem --- /dev/null 1 Jan 1970 00:00:00 - +++ lib/libcrypto/format-pem14 Dec 2016 09:39:27 - 
@@ -0,0 +1,107 @@ +#!/usr/bin/perl +# $OpenBSD$ +# +# Copyright (c) 2016 Stuart Henderson +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +use strict; +use warnings; + +use File::Temp qw/ :seekable /; +if (! eval {require Date::Parse;1;}) { + print STDERR "Date::Parse not available - install p5-Time-TimeDate to check cert dates.\n"; +} else { + use Date::Parse; +} + +my $tmp = File::Temp->new(TEMPLATE => '/tmp/splitcert.'); +my $t = $tmp->filename; + +my $certs = 0; +my $incert = 0; +my %ca; +my $rcsid = '# $'.'OpenBSD$'; + +while(<>) { + $rcsid = $_ if ($_ =~ m/^# \$[O]penBSD/); + $incert++ if ($_ =~ m/^-BEGIN CERTIFICATE-/); + print $tmp $_ if ($incert); + + if ($_ =~ m/^-END CERTIFICATE-/) { + $certs++; + + my $issuer = `openssl x509 -in $t -noout -issuer`; + $issuer =~ s/^issuer= (.*)\n/$1/; + my $subj = `openssl x509 -in $t -noout -subject`; + $subj =~ s/^subject= (.*)\n/$1/; + + print STDERR "'$subj' not self-signed" + if ($issuer ne $subj); + + my $o = `openssl x509 -in $t -noout -nameopt sep_multiline,use_quote,esc_msb -subject`; + $o =~ s/.*O=([^\n]*).*/$1/sm; + + if (eval {require Date::Parse;1;}) { + my $startdate = `openssl x509 -in $t -startdate -noout`; + my $enddate = `openssl x509 -in $t -enddate -noout`; + $startdate =~ s/notBefore=(.*)\n/$1/; + $enddate =~ 
s/notAfter=(.*)\n/$1/; + my $starttime = str2time($startdate); + my $endtime = str2time($enddate); + + if ($starttime > time) { + print STDERR "'$subj' not valid yet\n" + } + if ($endtime < time) { + print STDERR "'$subj' expired on $startdate\n" + } elsif ($endtime < time + 86400 * 365 * 2) { + print STDERR "'$subj' expires on $enddate\n" + } + } + + my $info = qx/openssl x509 -in $t -text -fingerprint -sha1 -certopt no_pubkey,no_sigdump,no_issuer -noout/; + $info .= qx/openssl x509 -in $t -fingerprint -sha256 -noout/; + my $cert = qx/openssl x509 -in $t/; + + if (defined $ca{$o}{$subj}) { + print STDERR "'$subj': duplicate\n"; + } + + $ca{$o}{$subj}{'subj'} = $subj; + $ca{$o}{$subj}{'info'} = $info; + $ca{$o}{$subj}{'cert'} = $cert; + + $tmp->seek(0, SEEK_SET); + $incert = 0; + } +} + +close $tmp; +print $rcsid; +foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) { + print "\n### $o\n\n"; + foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) { + print "=== $subj\n"; + print $ca{$o}{$subj}{'info'}; + print $ca{$o}{$subj}{'cert'}; + } +} + +# print a visual summary at the end +foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) { + print STDERR "\n$o\n"; + foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) { + print STDERR " $subj\n"; + } +}
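Review bot: In the date check, the `$endtime < time` branch prints `"'$subj' expired on $startdate\n"`, which reports the notBefore date; it should use `$enddate`. `use Date::Parse;` inside the `else` block is still processed at compile time, so the `eval {require Date::Parse;1;}` guard does not make the module optional; calling `Date::Parse->import` after the require, or using `Date::Parse::str2time` by its full name, would. The `not self-signed` warning lacks a trailing `\n`, and the `duplicate` branch only warns before `$ca{$o}{$subj}` is overwritten, so a colliding certificate still disappears from the output; for a tool that rewrites a trust store, dying there or keying on the fingerprint would be safer.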
Re: cert.pem: Re-add mistakenly removed GlobalSign R2
On 2016/12/14 07:50, Stuart Henderson wrote: > On 2016/12/14 13:19, Steven McDonald wrote: > > It looks like revision 1.10 of cert.pem (which was intended only to > > sort the contents of the file) accidentally removed the GlobalSign R2 > > CA -- probably because it has the same CN as the R3 CA. The CN is used > > as a hash key in the script used for sorting > > (https://spacehopper.org/format-pem.20160201). > > > > This diff adds it back (though you may want to fetch it from CVS > > history rather than trusting this mail). I've verified that this is the > > only case of a duplicate CN in revision 1.9, so no others should be > > missing. > > I will go over the whole file; I know of at least one root that wasn't > listed before that we should add, and now that verification has been > fixed there are a number to be removed too. The one I was thinking of was indeed GlobalSign R2 (I noticed it with nginx.com). Here's a diff to re-add that and use full subjects. There's some extra noise as it changes the sort order. I'll send a separate diff for the removals. OK? Index: cert.pem === RCS file: /cvs/src/lib/libcrypto/cert.pem,v retrieving revision 1.13 diff -u -p -r1.13 cert.pem --- cert.pem4 Sep 2016 11:58:15 - 1.13 +++ cert.pem14 Dec 2016 09:33:45 - 
@@ -2,55 +2,7 @@ ### AddTrust AB -=== AddTrust Class 1 CA Root -Certificate: -Data: -Version: 3 (0x2) -Serial Number: 1 (0x1) -Signature Algorithm: sha1WithRSAEncryption -Validity -Not Before: May 30 10:38:31 2000 GMT -Not After : May 30 10:38:31 2020 GMT -Subject: C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root -X509v3 extensions: -X509v3 Subject Key Identifier: -95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B -X509v3 Key Usage: -Certificate Sign, CRL Sign -X509v3 Basic Constraints: critical -CA:TRUE -X509v3 Authority Key Identifier: - keyid:95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B -DirName:/C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root -serial:01 - -SHA1 Fingerprint=CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D -SHA256 Fingerprint=8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7 --BEGIN CERTIFICATE- -MIIEGDCCAwCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQGEwJTRTEU -MBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3 -b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwHhcNMDAwNTMw -MTAzODMxWhcNMjAwNTMwMTAzODMxWjBlMQswCQYDVQQGEwJTRTEUMBIGA1UEChML -QWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFkZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYD -VQQDExhBZGRUcnVzdCBDbGFzcyAxIENBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCWltQhSWDia+hBBwzexODcEyPNwTXH+9ZOEQpnXvUGW2ul -CDtbKRY654eyNAbFvAWlA3yCyykQruGIgb3WntP+LVbBFc7jJp0VLhD7Bo8wBN6n -tGO0/7Gcrjyvd7ZWxbWroulpOj0OM3kyP3CCkplhbY0wCI9xP6ZIVxn4JdxLZlyl -dI+Yrsj5wAYi56xz36Uu+1LcsRVlIPo1Zmne3yzxbrww2ywkEtvrNTVokMsAsJch -PXQhI2U0K7t4WaPW4XY5mqRJjox0r26kmqPZm9I4XJuiGMx1I4S+6+JNM3GOGvDC -+Mcdoq0Dlyz4zyXG9rgkMbFjXZJ/Y/AlyVMuH79NAgMBAAGjgdIwgc8wHQYDVR0O -BBYEFJWxtPCUtr3H2tERCSG+wa9J/RB7MAsGA1UdDwQEAwIBBjAPBgNVHRMBAf8E -BTADAQH/MIGPBgNVHSMEgYcwgYSAFJWxtPCUtr3H2tERCSG+wa9J/RB7oWmkZzBl -MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxHTAbBgNVBAsTFEFk 
-ZFRydXN0IFRUUCBOZXR3b3JrMSEwHwYDVQQDExhBZGRUcnVzdCBDbGFzcyAxIENB -IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBACxtZBsfzQ3duQH6lmM0MkhHma6X -7f1yFqZzR1r0693p9db7RcwpiURdv0Y5PejuvE1Uhh4dbOMXJ0PhiVYrqW9yTkkz -43J8KiOavD7/KCrto/8cI7pDVwlnTUtiBi34/2ydYB7YHEt9tTEv2dB8Xfjea4MY -eDdXL+gzB2ffHsdrKpV2ro9Xo/D0UrSpUwjP4E/TelOL/bscVjby/rK25Xa71SJl -pz/+0WatC7xrmYbvP33zGDLKe8bjq2RGlfgmadlVg3sslgf/WSxEo8bl6ancoWOA -WiFeIc9TVPC6b4nbqKqVz4vjccweGyBECMB6tkD9xOQ14R0WHNC8K47Wcdk= --END CERTIFICATE- -=== AddTrust External CA Root +=== /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root Certificate: Data: Version: 3 (0x2) @@ -99,7 +51,55 @@ Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1 c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -END CERTIFICATE- -=== AddTrust Public CA Root +=== /C=SE/O=AddTrust AB/OU=AddTrust TTP Network/CN=AddTrust Class 1 CA Root +Certificate: +Data: +Version: 3 (0x2) +Serial Number: 1 (0x1) +Signature Algorithm: sha1WithRSAEncryption +Validity +Not Before: May 30 10:38:31 2000 GMT +Not After : May 30 10:38:31 2020 GMT +Subject: C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root +X509v3 extensions: +X509v3 Subject Key Identifier: +95:B1:B4:F0:94:B6:BD:C7:DA:D1:11:09:21:BE:C1:AF:49:FD:10:7B +X
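Review bot: The relabelling from `=== AddTrust Class 1 CA Root` to full subjects changes the sort order, so the visible hunks delete and re-add the whole AddTrust Class 1 block and the one intended addition is buried in that movement. Splitting this into a relabel-and-resort commit with no certificate changes, followed by a commit that only adds GlobalSign R2, would let a reviewer confirm the first by comparing the set of SHA256 Fingerprint lines before and after. The diff is cut off on this page before the GlobalSign hunk, so the re-added certificate itself is not visible here.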
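The failure described in this thread, two roots with the same CN collapsing onto one hash key during a sort-only rewrite, and a check that catches it, as an added example that is not part of the original mails or of format-pem. It compares SHA-256 fingerprints of the decoded certificate bytes before and after the rewrite; the subjects and "DER" bytes are constructed placeholders, and `parse_bundle`, `rebuild`, `dropped`, `cn_of` and `pem` are hypothetical names.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(text):
    """Return [(label, sha256_hex_of_DER)] for each certificate in a bundle.

    The label is the most recent '=== ...' line, the per-certificate heading
    used in the cert.pem layout quoted in the thread.
    """
    entries, label, body = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("=== "):
            label = line[4:]
        elif line == BEGIN:
            body = []
        elif line == END and body is not None:
            der = base64.b64decode("".join(body), validate=True)
            entries.append((label, hashlib.sha256(der).hexdigest()))
            body = None
        elif body is not None:
            body.append(line)
    return entries


def cn_of(subject):
    """Last CN= component of a /-separated subject string."""
    parts = [p for p in subject.split("/") if p.startswith("CN=")]
    return parts[-1][3:] if parts else subject


def rebuild(entries, key):
    """Mimic a sorter that stores certificates in a hash: a later entry
    with the same key silently replaces the earlier one."""
    table = {}
    for label, fp in entries:
        table[key(label)] = (label, fp)
    return [table[k] for k in sorted(table, key=str.lower)]


def dropped(before, after):
    """Entries whose fingerprint existed before the rewrite but not after."""
    kept = {fp for _, fp in after}
    return [(label, fp) for label, fp in before if fp not in kept]


def pem(der):
    """Wrap bytes in PEM armor with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + lines + [END])


# Constructed sample: the bytes are placeholders, not real certificates,
# and the subjects are invented. Two roots share a CN, as in the thread.
SAMPLE = "\n".join([
    "### Example CA",
    "",
    "=== /O=Example CA/OU=Root R2/CN=Example Root",
    pem(b"constructed-der-R2" * 8),
    "=== /O=Example CA/OU=Root R3/CN=Example Root",
    pem(b"constructed-der-R3" * 8),
    "=== /O=Other CA/CN=Other Root",
    pem(b"constructed-der-other" * 8),
])

if __name__ == "__main__":
    before = parse_bundle(SAMPLE)
    for name, key in (("CN", cn_of), ("full subject", lambda s: s)):
        lost = dropped(before, rebuild(before, key))
        print(f"keyed by {name}: {len(lost)} dropped", [l for l, _ in lost])
```

Run against the old and new revisions of a real bundle, `dropped(parse_bundle(old), parse_bundle(new))` should be empty for any commit that claims only to reorder the file.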