Re: restrict carp use to ethernet interfaces

2018-01-10 Thread Jonathan Gray
On Thu, Jan 11, 2018 at 08:25:26AM +0100, Matthieu Herrb wrote:
> On Thu, Jan 11, 2018 at 10:29:17AM +1000, David Gwynne wrote:
> > carp interfaces output using ether_output, so it is reasonable to
> > require that they only get configured on top of ethernet interfaces
> > rather than just !IFT_CARP.
> >
> Hi,
> 
> in this context are vlan interfaces also considered as IFT_ETHER ?
> I've use cases for carp over vlan interfaces. I'd hate not being able
> to do that anymore.
> -- 
> Matthieu Herrb
> 

vlan(4) calls ether_ifattach() which sets ifp->if_type = IFT_ETHER



Re: restrict carp use to ethernet interfaces

2018-01-10 Thread Mischa Peters

> On 11 Jan 2018, at 08:25, Matthieu Herrb  wrote:
> 
>> On Thu, Jan 11, 2018 at 10:29:17AM +1000, David Gwynne wrote:
>> carp interfaces output using ether_output, so it is reasonable to
>> require that they only get configured on top of ethernet interfaces
>> rather than just !IFT_CARP.
>> 
> Hi,
> 
> in this context are vlan interfaces also considered as IFT_ETHER ?
> I've use cases for carp over vlan interfaces. I'd hate not being able
> to do that anymore.

Doing the same at the moment. Super useful to be able to continue to do this. 

Mischa




Re: restrict carp use to ethernet interfaces

2018-01-10 Thread Matthieu Herrb
On Thu, Jan 11, 2018 at 10:29:17AM +1000, David Gwynne wrote:
> carp interfaces output using ether_output, so it is reasonable to
> require that they only get configured on top of ethernet interfaces
> rather than just !IFT_CARP.
>
Hi,

in this context are vlan interfaces also considered as IFT_ETHER ?
I've use cases for carp over vlan interfaces. I'd hate not being able
to do that anymore.
-- 
Matthieu Herrb



disabled code in ksh tree.c

2018-01-10 Thread Michael W. Bombardieri
Hello,

Revision 1.9 of tree.c (from 1999) added the disabled code and it
is still disabled. Would it be better to remove it?

- Michael


Index: tree.c
===
RCS file: /cvs/src/bin/ksh/tree.c,v
retrieving revision 1.30
diff -u -p -u -r1.30 tree.c
--- tree.c  6 Jan 2018 16:28:58 -   1.30
+++ tree.c  11 Jan 2018 07:16:55 -
@@ -47,25 +47,8 @@ ptree(struct op *t, int indent, struct s
fptreef(shf, indent, "#no-args# ");
break;
case TEXEC:
-#if 0 /* ?not useful - can't be called? */
-   /* Print original vars */
-   if (t->left->vars)
-   for (w = t->left->vars; *w != NULL; )
-   fptreef(shf, indent, "%S ", *w++);
-   else
-   fptreef(shf, indent, "#no-vars# ");
-   /* Print expanded vars */
-   if (t->args)
-   for (w = t->args; *w != NULL; )
-   fptreef(shf, indent, "%s ", *w++);
-   else
-   fptreef(shf, indent, "#no-args# ");
-   /* Print original io */
-   t = t->left;
-#else
t = t->left;
goto Chain;
-#endif
case TPAREN:
fptreef(shf, indent + 2, "( %T) ", t->left);
break;



Re: Basic SHA3 support

2018-01-10 Thread lists
Wed, 10 Jan 2018 20:34:44 -0700 "Theo de Raadt" 
> > Another question raised by a SHA-3 import is whether this should
> > also be added to LibreSSL and if we want to continue with having
> > duplicate implementations of hash algorithms in libc and libcrypto.  
> 
> very good question.
> 
> Who *crucially* needs this
> 
> OpenBSD is intended to be a small operating system.  I don't want
> to compile SHA3 stuff every single build unless there is a substantial
> and growing userbase for it
> 
> Is that the case, or is this fad of the month?
> 

Hi tech@,

I won't cry if this became a port instead of importing 'it' in base:

NIST https://en.wikipedia.org/wiki/The_Mist_(film)
MIST https://en.wikipedia.org/wiki/SHA-3#Capacity_change_controversy

I won't have a use for it even in that case, given the above detail.

Kind regards,
Anton Lazarov



Re: move gif_encap to simplify gif_start

2018-01-10 Thread David Gwynne
On Thu, Jan 11, 2018 at 01:27:56PM +1000, David Gwynne wrote:
> this avoids having to parse the gif packet before sending it to
> bpf. instead, we stash the address family in the mbuf and add it
> after bpf.
> 
> however, a gif_encap error will not be propagated back to the sender.
> i dont think this is a huge loss as the ip packet is usually
> encapsulated itself after ip_send/ip_output (eg, by ethernet), which
> could fail without propagating an error back either.
> 
> ok?

visa@ noted that gif_encap frees the mbuf on failure so gif_start
doesn't have to.

Index: if_gif.c
===
RCS file: /cvs/src/sys/net/if_gif.c,v
retrieving revision 1.107
diff -u -p -r1.107 if_gif.c
--- if_gif.c9 Jan 2018 15:24:24 -   1.107
+++ if_gif.c11 Jan 2018 04:36:37 -
@@ -175,55 +175,14 @@ gif_start(struct ifnet *ifp)
 
 #if NBPFILTER > 0
if (ifp->if_bpf) {
-   int offset;
-   sa_family_t family;
-   u_int8_t proto;
-
-   /* must decapsulate outer header for bpf */
-   switch (sc->gif_psrc->sa_family) {
-   case AF_INET:
-   offset = sizeof(struct ip);
-   proto = mtod(m, struct ip *)->ip_p;
-   break;
-#ifdef INET6
-   case AF_INET6:
-   offset = sizeof(struct ip6_hdr);
-   proto = mtod(m, struct ip6_hdr *)->ip6_nxt;
-   break;
-#endif
-   default:
-   proto = 0;
-   break;
-   }
-   switch (proto) {
-   case IPPROTO_IPV4:
-   family = AF_INET;
-   break;
-   case IPPROTO_IPV6:
-   family = AF_INET6;
-   break;
-   case IPPROTO_ETHERIP:
-   family = AF_LINK;
-   offset += sizeof(struct etherip_header);
-   break;
-   case IPPROTO_MPLS:
-   family = AF_MPLS;
-   break;
-   default:
-   offset = 0;
-   family = sc->gif_psrc->sa_family;
-   break;
-   }
-   m->m_data += offset;
-   m->m_len -= offset;
-   m->m_pkthdr.len -= offset;
-   bpf_mtap_af(ifp->if_bpf, family, m, BPF_DIRECTION_OUT);
-   m->m_data -= offset;
-   m->m_len += offset;
-   m->m_pkthdr.len += offset;
+   bpf_mtap_af(ifp->if_bpf, m->m_pkthdr.ph_family, m,
+   BPF_DIRECTION_OUT);
}
 #endif
 
+   if (gif_encap(ifp, , m->m_pkthdr.ph_family) != 0)
+   continue;
+
/* XXX we should cache the outgoing route */
 
switch (sc->gif_psrc->sa_family) {
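Review bot: gif_start now trusts `m->m_pkthdr.ph_family` for both the bpf tap and the gif_encap call, but the only place this diff sets that field is gif_output (second hunk). If any other path can put an mbuf on this interface's send queue, the field would hold whatever an earlier layer left there and the packet would be tapped and encapsulated as the wrong family; the enqueue callers are not visible here, so this is worth confirming. A short comment at the call would record the dependency, e.g. `/* ph_family was stashed by gif_output() */`. The same applies to the earlier posting of this hunk further down the page, and gif_start's body continues outside the hunk.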
@@ -294,9 +253,7 @@ gif_output(struct ifnet *ifp, struct mbu
goto end;
}
 
-   error = gif_encap(ifp, , dst->sa_family);
-   if (error)
-   goto end;
+   m->m_pkthdr.ph_family = dst->sa_family;
 
error = if_enqueue(ifp, m);
 



cast __swapXX in _endian.h to help the compiler

2018-01-10 Thread David Gwynne
this silences the warnings when building dhclient.

according to guenther@, the c standard says ternary operators are
subject to type promotion rules, ie, it ends up being at least an
int. this adds explicit casts to the expected type, which makes
printf happier when you tell it that it's a %hu coming up.

ok?

Index: _endian.h
===
RCS file: /cvs/src/sys/sys/_endian.h,v
retrieving revision 1.7
diff -u -p -r1.7 _endian.h
--- _endian.h   7 Jan 2018 15:17:42 -   1.7
+++ _endian.h   11 Jan 2018 03:31:01 -
@@ -83,9 +83,12 @@ __swap64md(__uint64_t x)
 }
 #endif
 
-#define __swap16(x) (__builtin_constant_p(x) ? __swap16gen(x) : __swap16md(x))
-#define __swap32(x) (__builtin_constant_p(x) ? __swap32gen(x) : __swap32md(x))
-#define __swap64(x) (__builtin_constant_p(x) ? __swap64gen(x) : __swap64md(x))
+#define __swap16(x)\
+   (__uint16_t)(__builtin_constant_p(x) ? __swap16gen(x) : __swap16md(x))
+#define __swap32(x)\
+   (__uint32_t)(__builtin_constant_p(x) ? __swap32gen(x) : __swap32md(x))
+#define __swap64(x)\
+   (__uint64_t)(__builtin_constant_p(x) ? __swap64gen(x) : __swap64md(x))
 
 #if _BYTE_ORDER == _LITTLE_ENDIAN
 
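Review bot: The new `__swap16`/`__swap32`/`__swap64` bodies start with a cast and have no outer pair of parentheses, so each macro no longer expands to a single parenthesised expression. An operator that binds tighter than a cast, or a `sizeof __swap16(x)`, would then apply to only part of the expansion. Wrapping each body keeps the cast and restores that property: `((__uint16_t)(__builtin_constant_p(x) ? __swap16gen(x) : __swap16md(x)))`, and likewise for the 32- and 64-bit forms.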



Re: Basic SHA3 support

2018-01-10 Thread Theo de Raadt
> Another question raised by a SHA-3 import is whether this should
> also be added to LibreSSL and if we want to continue with having
> duplicate implementations of hash algorithms in libc and libcrypto.

very good question.

Who *crucially* needs this

OpenBSD is intended to be a small operating system.  I don't want
to compile SHA3 stuff every single build unless there is a substantial
and growing userbase for it

Is that the case, or is this fad of the month?



Re: Basic SHA3 support

2018-01-10 Thread Theo de Raadt
> I also use the sha512 command on a regular basis, and notice a
> performance improvement (compared to sha256) with amd64 systems.

But is /bin the place to put a performance improving command?

No.  That isn't the place for putting strange performance commands.
It is a place for putting *interoperating* commands.

I don't think Todd's original question was answered, except along
the lines of "i love features".



move gif_encap to simplify gif_start

2018-01-10 Thread David Gwynne
this avoids having to parse the gif packet before sending it to
bpf. instead, we stash the address family in the mbuf and add it
after bpf.

however, a gif_encap error will not be propagated back to the sender.
i dont think this is a huge loss as the ip packet is usually
encapsulated itself after ip_send/ip_output (eg, by ethernet), which
could fail without propagating an error back either.

ok?

Index: if_gif.c
===
RCS file: /cvs/src/sys/net/if_gif.c,v
retrieving revision 1.107
diff -u -p -r1.107 if_gif.c
--- if_gif.c9 Jan 2018 15:24:24 -   1.107
+++ if_gif.c11 Jan 2018 03:22:09 -
@@ -175,55 +175,16 @@ gif_start(struct ifnet *ifp)
 
 #if NBPFILTER > 0
if (ifp->if_bpf) {
-   int offset;
-   sa_family_t family;
-   u_int8_t proto;
-
-   /* must decapsulate outer header for bpf */
-   switch (sc->gif_psrc->sa_family) {
-   case AF_INET:
-   offset = sizeof(struct ip);
-   proto = mtod(m, struct ip *)->ip_p;
-   break;
-#ifdef INET6
-   case AF_INET6:
-   offset = sizeof(struct ip6_hdr);
-   proto = mtod(m, struct ip6_hdr *)->ip6_nxt;
-   break;
-#endif
-   default:
-   proto = 0;
-   break;
-   }
-   switch (proto) {
-   case IPPROTO_IPV4:
-   family = AF_INET;
-   break;
-   case IPPROTO_IPV6:
-   family = AF_INET6;
-   break;
-   case IPPROTO_ETHERIP:
-   family = AF_LINK;
-   offset += sizeof(struct etherip_header);
-   break;
-   case IPPROTO_MPLS:
-   family = AF_MPLS;
-   break;
-   default:
-   offset = 0;
-   family = sc->gif_psrc->sa_family;
-   break;
-   }
-   m->m_data += offset;
-   m->m_len -= offset;
-   m->m_pkthdr.len -= offset;
-   bpf_mtap_af(ifp->if_bpf, family, m, BPF_DIRECTION_OUT);
-   m->m_data -= offset;
-   m->m_len += offset;
-   m->m_pkthdr.len += offset;
+   bpf_mtap_af(ifp->if_bpf, m->m_pkthdr.ph_family, m,
+   BPF_DIRECTION_OUT);
}
 #endif
 
+   if (gif_encap(ifp, , m->m_pkthdr.ph_family) != 0) {
+   m_freem(m);
+   continue;
+   }
+
/* XXX we should cache the outgoing route */
 
switch (sc->gif_psrc->sa_family) {
@@ -294,9 +255,7 @@ gif_output(struct ifnet *ifp, struct mbu
goto end;
}
 
-   error = gif_encap(ifp, , dst->sa_family);
-   if (error)
-   goto end;
+   m->m_pkthdr.ph_family = dst->sa_family;
 
error = if_enqueue(ifp, m);
 



bpf for subsystems, not just interfaces

2018-01-10 Thread David Gwynne
im sending this out more as a backup than a serious diff.

this tweaks bpf so it can be used by subsystems, not just interfaces.
this is done by making bpf store and use names (eg, "pf" and "em0")
instead of just interfaces. interfaces get some special handling
so you can't bpfwrite or enable ifpromisc unless bif_ifp is set.

an example use of this is attaching bpf to pf. you can see all the
packets handed to pf_test with this diff and tcpdump -ni pf.

Index: bpf.c
===
RCS file: /cvs/src/sys/net/bpf.c,v
retrieving revision 1.165
diff -u -p -r1.165 bpf.c
--- bpf.c   30 Dec 2017 23:08:29 -  1.165
+++ bpf.c   10 Jan 2018 07:27:45 -
@@ -93,7 +93,7 @@ struct bpf_if *bpf_iflist;
 LIST_HEAD(, bpf_d) bpf_d_list;
 
 intbpf_allocbufs(struct bpf_d *);
-void   bpf_ifname(struct ifnet *, struct ifreq *);
+void   bpf_ifname(struct bpf_if*, struct ifreq *);
 int_bpf_mtap(caddr_t, const struct mbuf *, u_int,
void (*)(const void *, void *, size_t));
 void   bpf_mcopy(const void *, void *, size_t);
@@ -320,6 +320,8 @@ bpf_detachd(struct bpf_d *d)
if (d->bd_promisc) {
int error;
 
+   KASSERT(bp->bif_ifp != NULL);
+
d->bd_promisc = 0;
 
bpf_get(d);
@@ -593,7 +595,7 @@ bpfwrite(dev_t dev, struct uio *uio, int
bpf_get(d);
ifp = d->bd_bif->bif_ifp;
 
-   if ((ifp->if_flags & IFF_UP) == 0) {
+   if (ifp == NULL || (ifp->if_flags & IFF_UP) == 0) {
error = ENETDOWN;
goto out;
}
@@ -789,7 +791,7 @@ bpfioctl(dev_t dev, u_long cmd, caddr_t 
 * No interface attached yet.
 */
error = EINVAL;
-   } else {
+   } else if (d->bd_bif->bif_ifp != NULL) { 
if (d->bd_promisc == 0) {
MUTEX_ASSERT_UNLOCKED(>bd_mtx);
error = ifpromisc(d->bd_bif->bif_ifp, 1);
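Review bot: With `else if (d->bd_bif->bif_ifp != NULL)` a promiscuous-mode request on a bpf_if that has no interface matches neither branch, so `error` keeps whatever value it had before this chain. Its initialisation is outside the hunk, but if it is 0 the caller is told the request succeeded when nothing was enabled. An explicit branch makes the refusal visible, e.g. `else if (d->bd_bif->bif_ifp == NULL) error = EINVAL;` ahead of the existing body. The enclosing case continues outside the hunk.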
@@ -839,7 +841,7 @@ bpfioctl(dev_t dev, u_long cmd, caddr_t 
if (d->bd_bif == NULL)
error = EINVAL;
else
-   bpf_ifname(d->bd_bif->bif_ifp, (struct ifreq *)addr);
+   bpf_ifname(d->bd_bif, (struct ifreq *)addr);
break;
 
/*
@@ -1049,10 +1051,7 @@ bpf_setif(struct bpf_d *d, struct ifreq 
 * Look through attached interfaces for the named one.
 */
for (bp = bpf_iflist; bp != NULL; bp = bp->bif_next) {
-   struct ifnet *ifp = bp->bif_ifp;
-
-   if (ifp == NULL ||
-   strcmp(ifp->if_xname, ifr->ifr_name) != 0)
+   if (strcmp(bp->bif_name, ifr->ifr_name) != 0)
continue;
 
if (candidate == NULL || candidate->bif_dlt > bp->bif_dlt)
@@ -1090,9 +1089,9 @@ out:
  * Copy the interface name to the ifreq.
  */
 void
-bpf_ifname(struct ifnet *ifp, struct ifreq *ifr)
+bpf_ifname(struct bpf_if *bif, struct ifreq *ifr)
 {
-   bcopy(ifp->if_xname, ifr->ifr_name, IFNAMSIZ);
+   bcopy(bif->bif_name, ifr->ifr_name, sizeof(ifr->ifr_name));
 }
 
 /*
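Review bot: bpf_ifname now copies `sizeof(ifr->ifr_name)` bytes from `bif->bif_name`, which bpfsattach (a later hunk) stores as the caller's `const char *` rather than a fixed-size array. For a short subsystem name such as the "pf" used in the description, bcopy would read past the end of the string and return the adjacent kernel bytes to userland through the ifreq. A bounded string copy avoids the over-read: `strlcpy(ifr->ifr_name, bif->bif_name, sizeof(ifr->ifr_name));`.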
@@ -1538,21 +1537,17 @@ bpf_put(struct bpf_d *bd)
free(bd, M_DEVBUF, sizeof(*bd));
 }
 
-/*
- * Attach an interface to bpf.  driverp is a pointer to a (struct bpf_if *)
- * in the driver's softc; dlt is the link layer type; hdrlen is the fixed
- * size of the link header (variable length headers not yet supported).
- */
-void
-bpfattach(caddr_t *driverp, struct ifnet *ifp, u_int dlt, u_int hdrlen)
+void *
+bpfsattach(caddr_t *bpfp, const char *name, u_int dlt, u_int hdrlen)
 {
struct bpf_if *bp;
 
if ((bp = malloc(sizeof(*bp), M_DEVBUF, M_NOWAIT)) == NULL)
panic("bpfattach");
SRPL_INIT(>bif_dlist);
-   bp->bif_driverp = (struct bpf_if **)driverp;
-   bp->bif_ifp = ifp;
+   bp->bif_driverp = (struct bpf_if **)bpfp;
+   bp->bif_name = name;
+   bp->bif_ifp = NULL;
bp->bif_dlt = dlt;
 
bp->bif_next = bpf_iflist;
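Review bot: bpfsattach keeps the `name` pointer itself (`bp->bif_name = name;`), and the comment that documented the attach arguments is removed without a replacement, so nothing tells a caller that the string must stay valid for as long as the bpf_if exists. I would carry the old comment over to bpfsattach and add the lifetime requirement, e.g. `name is stored by reference and must outlive the attachment`. The panic string still reads `"bpfattach"` although the allocation now happens in bpfsattach. The function body continues in the next hunk.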
@@ -1567,6 +1562,17 @@ bpfattach(caddr_t *driverp, struct ifnet
 * performance reasons and to alleviate alignment restrictions).
 */
bp->bif_hdrlen = BPF_WORDALIGN(hdrlen + SIZEOF_BPF_HDR) - hdrlen;
+
+   return (bp);
+}
+
+void
+bpfattach(caddr_t *driverp, struct ifnet *ifp, u_int dlt, u_int hdrlen)
+{
+   struct bpf_if *bp;
+
+   bp = bpfsattach(driverp, ifp->if_xname, dlt, hdrlen);
+   bp->bif_ifp = ifp;
 }
 
 /* Detach an interface from its attached bpf device.  */
@@ -1574,31 +1580,39 @@ void
 bpfdetach(struct ifnet *ifp)
 {
struct bpf_if *bp, *nbp, **pbp = _iflist;
-   struct bpf_d *bd;
-   int maj;
 
KERNEL_ASSERT_LOCKED();
 
for (bp = bpf_iflist; bp; bp = nbp) {
-   nbp= bp->bif_next;
+   nbp = bp->bif_next;
if 

merge vlan and carp input back into ether_input

2018-01-10 Thread David Gwynne
while we were working on making the various pseudo interfaces you
stack on top of ethernet mpsafe, we split their input processing
off so they could be attacked one by one. they're all mpsafe now,
so this separation is not strictly necessary anymore.

this moves carp and vlan input back into ether_input. a lot of care
is taken to correctly order when we give the packets to the sub
interfaces. basically, any ethernet packet with a vlan tag is
unconditionally given to vlan_input. carp input is only attempted
if the packet is not for the parent interface, but before the
multicast handling is done. by checking the interfaces mac address
first, carp interfaces can get their packets immediately, which
means we can  stop messing around with the M_BCAST and M_MCAST flags
on carp mbufs. the relevant chunk of code is:

#if NVLAN > 0
if (ISSET(m->m_flags, M_VLANTAG) ||
etype == ETHERTYPE_VLAN ||
etype == ETHERTYPE_QINQ) {
vlan_input(ifp, ml, m);
return;
}
#endif

if (memcmp(ac->ac_enaddr, eh->ether_dhost, ETHER_ADDR_LEN) != 0) {
/* The packet doesn't match the ether addr on this iface */

#if NCARP > 0
/* It may be addressed to a child carp iface */
if (ifp->if_type != IFT_CARP &&
!SRPL_EMPTY_LOCKED(>if_carp) &&
carp_input(ifp, ml, m)) {
/* carp_input has consumed the packet */
return;
}
#endif

/* It must be multicast if it isn't for us or a child carp */
if (!ETHER_IS_MULTICAST(eh->ether_dhost))
goto dropanyway;

/* Drop it if it came from us in the first place */
if (!ISSET(ifp->if_flags, IFF_SIMPLEX) &&
memcmp(ac->ac_enaddr, eh->ether_shost,
 ETHER_ADDR_LEN) == 0)
goto dropanyway;

SET(m->m_flags, (memcmp(etherbroadcastaddr, eh->ether_dhost,
ETHER_ADDR_LEN) == 0) ? M_BCAST : M_MCAST);
ifp->if_imcasts++; /* XXX lock? */
}

doing vlan and carp input here lets us remove special handling for
VLAN packets in carp code.

this diff also gets rid of the use of the pseudo interfaces input
queues, it processes their packets off an mbuf list for each real
ethernet packet. if we can tie all the work done on behalf of a
physical ring to a single task it makes rx ring moderation for
physical interfaces a lot easier to implement.

note that trunk and bridge/switch are still implemented using
interface input handlers at the moment.

ok?

Index: net/if_ethersubr.c
===
RCS file: /cvs/src/sys/net/if_ethersubr.c,v
retrieving revision 1.250
diff -u -p -r1.250 if_ethersubr.c
--- net/if_ethersubr.c  10 Jan 2018 00:14:38 -  1.250
+++ net/if_ethersubr.c  11 Jan 2018 01:20:54 -
@@ -103,6 +103,16 @@ didn't get a copy, you may request one f
 #include 
 #endif
 
+#include "vlan.h"
+#if NVLAN > 0
+#include 
+#endif
+
+#include "carp.h"
+#if NCARP > 0
+#include 
+#endif
+
 #include "pppoe.h"
 #if NPPPOE > 0
 #include 
@@ -121,6 +131,8 @@ didn't get a copy, you may request one f
 #include 
 #endif /* MPLS */
 
+void   ether_input_m(struct ifnet *, struct mbuf_list *, struct mbuf *);
+
 u_int8_t etherbroadcastaddr[ETHER_ADDR_LEN] =
 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
 u_int8_t etheranyaddr[ETHER_ADDR_LEN] =
@@ -306,69 +318,108 @@ bad:
return (error);
 }
 
-/*
- * Process a received Ethernet packet;
- * the packet is in the mbuf chain m without
- * the ether header, which is provided separately.
- */
+void
+ether_enqueue(struct ifnet *ifp, struct mbuf_list *ml, struct mbuf *m)
+{
+#if NBPFILTER > 0
+   caddr_t if_bpf;
+#endif
+
+   m->m_pkthdr.ph_ifidx = ifp->if_index;
+   m->m_pkthdr.ph_rtableid = ifp->if_rdomain;
+
+   /* XXX lock? */
+   ifp->if_ipackets++;
+   ifp->if_ibytes += m->m_pkthdr.len;
+
+#if NBPFILTER > 0
+   if_bpf = ifp->if_bpf;
+   if (if_bpf) {
+   if (bpf_mtap_ether(if_bpf, m, BPF_DIRECTION_IN)) {
+   m_freem(m);
+   return;
+   }
+   }
+#endif
+
+   ml_enqueue(ml, m);
+}
+
 int
 ether_input(struct ifnet *ifp, struct mbuf *m, void *cookie)
 {
+   struct mbuf_list ml = MBUF_LIST_INITIALIZER();
+
+   /* Drop short frames */
+   if (m->m_len < ETHER_HDR_LEN) {
+   m_freem(m);
+   return (1);
+   }
+
+   /* We have a reference to this ifp already */
+   ether_input_m(ifp, , m);
+
+   /* Run the packet through any child interfaces */
+   while ((m = ml_dequeue()) != NULL) {
+   ifp = if_get(m->m_pkthdr.ph_ifidx);
+   if (ifp != NULL)
+   ether_input_m(ifp, , m);
+   else
+ 

restrict carp use to ethernet interfaces

2018-01-10 Thread David Gwynne
carp interfaces output using ether_output, so it is reasonable to
require that they only get configured on top of ethernet interfaces
rather than just !IFT_CARP.

there's some more simplification that can occur after this is done.

ok?

Index: ip_carp.c
===
RCS file: /cvs/src/sys/netinet/ip_carp.c,v
retrieving revision 1.324
diff -u -p -r1.324 ip_carp.c
--- ip_carp.c   11 Jan 2018 00:14:15 -  1.324
+++ ip_carp.c   11 Jan 2018 00:26:52 -
@@ -1001,7 +1001,7 @@ carp_send_ad_all(void)
return;
++carp_send_all_recur;
TAILQ_FOREACH(ifp0, , if_list) {
-   if (ifp0->if_type == IFT_CARP)
+   if (ifp0->if_type != IFT_ETHER)
continue;
 
cif = >if_carp;
@@ -1347,7 +1347,7 @@ carp_ourether(struct ifnet *ifp, u_int8_
struct carp_softc *vh;
 
KERNEL_ASSERT_LOCKED(); /* touching if_carp + carp_vhosts */
-   KASSERT(ifp->if_type != IFT_CARP);
+   KASSERT(ifp->if_type == IFT_ETHER);
cif = >if_carp;
 
SRPL_FOREACH_LOCKED(vh, cif, sc_list) {
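Review bot: The tightened `KASSERT(ifp->if_type == IFT_ETHER)` in carp_ourether turns every call with a non-Ethernet interface into a panic on kernels where KASSERT is active, whereas the old `!= IFT_CARP` assertion only rejected carp interfaces. The callers are not part of this diff, so it is worth confirming that each of them can only pass an interface that has already passed the new `IFT_ETHER` check in carp_set_ifp. If any caller walks arbitrary interfaces, an early `return (NULL)`-style exit for other types would be safer than the assertion; the function's return type is cut off in the hunk header, so that form is a guess. A one-line comment next to the KASSERT naming carp_set_ifp as the gate would document the invariant.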
@@ -1694,7 +1694,7 @@ carp_set_ifp(struct carp_softc *sc, stru
if ((ifp0->if_flags & IFF_MULTICAST) == 0)
return (EADDRNOTAVAIL);
 
-   if (ifp0->if_type == IFT_CARP)
+   if (ifp0->if_type != IFT_ETHER)
return (EINVAL);
 
cif = >if_carp;
@@ -2469,7 +2469,7 @@ carp_carpdev_state(void *v)
struct carp_softc *sc;
struct ifnet *ifp0 = v;
 
-   if (ifp0->if_type == IFT_CARP)
+   if (ifp0->if_type != IFT_ETHER)
return;
 
cif = >if_carp;



Re: Basic SHA3 support

2018-01-10 Thread bytevolcano
I also use the sha512 command on a regular basis, and notice a
performance improvement (compared to sha256) with amd64 systems.

On Wed, 10 Jan 2018 17:10:40 + (GMT)
Tom Cosgrove  wrote:

> >>> "Todd C. Miller" 10-Jan-18 16:28 >>>  
> >
> > On Wed, 10 Jan 2018 15:59:30 +0100, Jeremie Courreges-Anglas wrote:
> >  
> > > Do we really want these?  For SHA-2, sha256 and sha512 are enough IMHO.  
> >
> > Does anyone actually use the sha512 command?  I'd be fine with
> > retiring the sha512 link and adding a sha3-256 one.
> >
> >  - todd  
> 
> I'd like to keep the sha512 link - I do use it.
> 
> Tom
> 



Re: urndis0: urndis_decap invalid buffer len 1 < minimum header 44

2018-01-10 Thread Artturi Alm
On Wed, Sep 13, 2017 at 05:51:27AM +0300, Artturi Alm wrote:
> Hi,
> 
> even after having recently updated the phone to a newer version of android,
> i'm still spammed by urndis w/msg on subject.
> 
> doesn't really matter to me what you do to silence it, but something like
> below does work for me, and thanks in advance:)
> -Artturi
> 

ping?
i was told i don't reason my diffs, so here's sorry attempt:
$ dmesg | wc -l
1040
$ dmesg | grep urndis_decap | wc -l
1039

either of the diffs below would work for me.
-Artturi


... this ...

diff --git a/sys/dev/usb/if_urndis.c b/sys/dev/usb/if_urndis.c
index 5d148da4ab5..7dc12573c0d 100644
--- a/sys/dev/usb/if_urndis.c
+++ b/sys/dev/usb/if_urndis.c
@@ -834,11 +834,11 @@ urndis_decap(struct urndis_softc *sc, struct urndis_chain 
*c, u_int32_t len)
len));
 
if (len < sizeof(*msg)) {
-   printf("%s: urndis_decap invalid buffer len %u < "
+   DPRINTF(("%s: urndis_decap invalid buffer len %u < "
"minimum header %zu\n",
DEVNAME(sc),
len,
-   sizeof(*msg));
+   sizeof(*msg)));
return;
}
 


... or this ...

diff --git a/sys/dev/usb/if_urndis.c b/sys/dev/usb/if_urndis.c
index 5d148da4ab5..4b2c6e89ec9 100644
--- a/sys/dev/usb/if_urndis.c
+++ b/sys/dev/usb/if_urndis.c
@@ -834,6 +834,8 @@ urndis_decap(struct urndis_softc *sc, struct urndis_chain 
*c, u_int32_t len)
len));
 
if (len < sizeof(*msg)) {
+   if (len == 1)   /* workaround for spamming androids */
+   return;
printf("%s: urndis_decap invalid buffer len %u < "
"minimum header %zu\n",
DEVNAME(sc),
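Review bot: The `len == 1` test silences only one value of a length that comes from the attached device, so any other undersized transfer still reaches the printf and can fill the message buffer the same way the thread describes. The comment also does not say what the one-byte transfer is or why it is safe to ignore. If that case is expected, state it, e.g. `/* some Android devices send 1-byte transfers; not an error */`, and consider counting the remaining short transfers instead of printing each one. urndis_decap's body continues outside the hunk.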



Re: Basic SHA3 support

2018-01-10 Thread Christian Weisgerber
On 2018-01-09, Daniel Loebenberger  wrote:

> enclosed you find a patch to add basic SHA3-/Keccak support to OpenBSD.

What do you want to use it for?

I've had something like this on my to-do list for some time and
eventually dropped it because I couldn't think of a compelling use
case.

"Maybe Skip SHA-3"
https://www.imperialviolet.org/2017/05/31/skipsha3.html

Another question raised by a SHA-3 import is whether this should
also be added to LibreSSL and if we want to continue with having
duplicate implementations of hash algorithms in libc and libcrypto.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: vmd: allow vm with "cdrom" but no disk

2018-01-10 Thread Mike Larkin
On Wed, Jan 10, 2018 at 02:00:57PM +, Stuart Henderson wrote:
> Currently we require either "kernel" or "disk", but there may be
> some viable use cases where just a CDROM image is given. This adjusts
> the check to avoid bailing in that case.
> 
> OK?
> 

sure

> Index: vmd.c
> ===
> RCS file: /cvs/src/usr.sbin/vmd/vmd.c,v
> retrieving revision 1.78
> diff -u -p -r1.78 vmd.c
> --- vmd.c 8 Jan 2018 11:58:27 -   1.78
> +++ vmd.c 10 Jan 2018 13:57:26 -
> @@ -1140,8 +1140,9 @@ vm_register(struct privsep *ps, struct v
>   } else if (vcp->vcp_nnics > VMM_MAX_NICS_PER_VM) {
>   log_warnx("invalid number of interfaces");
>   goto fail;
> - } else if (strlen(vcp->vcp_kernel) == 0 && vcp->vcp_ndisks == 0) {
> - log_warnx("no kernel or disk specified");
> + } else if (strlen(vcp->vcp_kernel) == 0 &&
> + vcp->vcp_ndisks == 0 && strlen(vcp->vcp_cdrom) == 0) {
> + log_warnx("no kernel or disk/cdrom specified");
>   goto fail;
>   } else if (strlen(vcp->vcp_name) == 0) {
>   log_warnx("invalid VM name");
> 



Re: Basic SHA3 support

2018-01-10 Thread Tom Cosgrove
>>> "Todd C. Miller" 10-Jan-18 16:28 >>>
>
> On Wed, 10 Jan 2018 15:59:30 +0100, Jeremie Courreges-Anglas wrote:
>
> > Do we really want these?  For SHA-2, sha256 and sha512 are enough IMHO.
>
> Does anyone actually use the sha512 command?  I'd be fine with
> retiring the sha512 link and adding a sha3-256 one.
>
>  - todd

I'd like to keep the sha512 link - I do use it.

Tom



Re: Basic SHA3 support

2018-01-10 Thread Todd C. Miller
On Wed, 10 Jan 2018 15:59:30 +0100, Jeremie Courreges-Anglas wrote:

> Do we really want these?  For SHA-2, sha256 and sha512 are enough IMHO.

Does anyone actually use the sha512 command?  I'd be fine with
retiring the sha512 link and adding a sha3-256 one.

 - todd



Re: Basic SHA3 support

2018-01-10 Thread Theo de Raadt
> >  LINKS= ${BINDIR}/md5 ${BINDIR}/sha1 \
> > +   ${BINDIR}/md5 ${BINDIR}/sha224 \
> > ${BINDIR}/md5 ${BINDIR}/sha256 \
> > +   ${BINDIR}/md5 ${BINDIR}/sha384 \
> 
> Do we really want these?  For SHA-2, sha256 and sha512 are enough IMHO.
> 
> > ${BINDIR}/md5 ${BINDIR}/sha512 \
> > +   ${BINDIR}/md5 ${BINDIR}/sha3-224 \
> > +   ${BINDIR}/md5 ${BINDIR}/sha3-256 \
> > +   ${BINDIR}/md5 ${BINDIR}/sha3-384 \
> > +   ${BINDIR}/md5 ${BINDIR}/sha3-512 \
> 
> Same question but for the SHA-3 version.

I think this is also a waste of time.

Look, it is the /bin directory.  Look at what is in it now.

Adding 6 commands?  How many people will use them?  shells and
other things cache the existence of these things.



Re: Basic SHA3 support

2018-01-10 Thread Jeremie Courreges-Anglas

Hi,

On Wed, Jan 10 2018, Daniel Loebenberger  wrote:
> Hi Todd,
>
> thank you for your comments!
>
> We have included all the necessary changes in the patch attached.

One thing caught my eye:

> Best regards,
> Daniel, Stefan and Alexander
>
> Index: bin/md5/Makefile
> ===
> RCS file: /cvs/src/bin/md5/Makefile,v
> retrieving revision 1.15
> diff -u -p -u -p -r1.15 Makefile
> --- bin/md5/Makefile  30 Mar 2016 06:38:40 -  1.15
> +++ bin/md5/Makefile  10 Jan 2018 13:43:55 -
> @@ -3,9 +3,16 @@
>  PROG=md5
>  SRCS=crc.c md5.c
>  MAN= cksum.1 md5.1
> +
>  LINKS=   ${BINDIR}/md5 ${BINDIR}/sha1 \
> + ${BINDIR}/md5 ${BINDIR}/sha224 \
>   ${BINDIR}/md5 ${BINDIR}/sha256 \
> + ${BINDIR}/md5 ${BINDIR}/sha384 \

Do we really want these?  For SHA-2, sha256 and sha512 are enough IMHO.

>   ${BINDIR}/md5 ${BINDIR}/sha512 \
> + ${BINDIR}/md5 ${BINDIR}/sha3-224 \
> + ${BINDIR}/md5 ${BINDIR}/sha3-256 \
> + ${BINDIR}/md5 ${BINDIR}/sha3-384 \
> + ${BINDIR}/md5 ${BINDIR}/sha3-512 \

Same question but for the SHA-3 version.

[...]

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: Basic SHA3 support

2018-01-10 Thread Theo de Raadt
I don't think you compiled a ramdisk.

The ramdisk uses distrib/special/md5 to build a binary with
fewer included components, otherwise it won't fit on the media.

At least this isn't right:

 #endif /* !defined(SHA2_ONLY) */
SHA2_CTX sha2;
+   SHA3_CTX sha3;

You can inspect the Makefile there and make the SHA2_ONLY #ifdefs
work right.



Re: vmd: allow vm with "cdrom" but no disk

2018-01-10 Thread Carlos Cardenas
On Wed, Jan 10, 2018 at 02:00:57PM +, Stuart Henderson wrote:
> Currently we require either "kernel" or "disk", but there may be
> some viable use cases where just a CDROM image is given. This adjusts
> the check to avoid bailing in that case.
> 
> OK?

ok ccardenas

> 
> Index: vmd.c
> ===
> RCS file: /cvs/src/usr.sbin/vmd/vmd.c,v
> retrieving revision 1.78
> diff -u -p -r1.78 vmd.c
> --- vmd.c 8 Jan 2018 11:58:27 -   1.78
> +++ vmd.c 10 Jan 2018 13:57:26 -
> @@ -1140,8 +1140,9 @@ vm_register(struct privsep *ps, struct v
>   } else if (vcp->vcp_nnics > VMM_MAX_NICS_PER_VM) {
>   log_warnx("invalid number of interfaces");
>   goto fail;
> - } else if (strlen(vcp->vcp_kernel) == 0 && vcp->vcp_ndisks == 0) {
> - log_warnx("no kernel or disk specified");
> + } else if (strlen(vcp->vcp_kernel) == 0 &&
> + vcp->vcp_ndisks == 0 && strlen(vcp->vcp_cdrom) == 0) {
> + log_warnx("no kernel or disk/cdrom specified");
>   goto fail;
>   } else if (strlen(vcp->vcp_name) == 0) {
>   log_warnx("invalid VM name");
> 



Re: Basic SHA3 support

2018-01-10 Thread Daniel Loebenberger
Hi Todd,

thank you for your comments!

We have included all the necessary changes in the patch attached.

Best regards,
Daniel, Stefan and Alexander

Index: bin/md5/Makefile
===
RCS file: /cvs/src/bin/md5/Makefile,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 Makefile
--- bin/md5/Makefile30 Mar 2016 06:38:40 -  1.15
+++ bin/md5/Makefile10 Jan 2018 13:43:55 -
@@ -3,9 +3,16 @@
 PROG=  md5
 SRCS=  crc.c md5.c
 MAN=   cksum.1 md5.1
+
 LINKS= ${BINDIR}/md5 ${BINDIR}/sha1 \
+   ${BINDIR}/md5 ${BINDIR}/sha224 \
${BINDIR}/md5 ${BINDIR}/sha256 \
+   ${BINDIR}/md5 ${BINDIR}/sha384 \
${BINDIR}/md5 ${BINDIR}/sha512 \
+   ${BINDIR}/md5 ${BINDIR}/sha3-224 \
+   ${BINDIR}/md5 ${BINDIR}/sha3-256 \
+   ${BINDIR}/md5 ${BINDIR}/sha3-384 \
+   ${BINDIR}/md5 ${BINDIR}/sha3-512 \
${BINDIR}/md5 ${BINDIR}/cksum
 
 CPPFLAGS+= -I${.CURDIR}
Index: bin/md5/md5.1
===
RCS file: /cvs/src/bin/md5/md5.1,v
retrieving revision 1.47
diff -u -p -u -p -r1.47 md5.1
--- bin/md5/md5.1   23 Feb 2017 20:46:08 -  1.47
+++ bin/md5/md5.1   10 Jan 2018 13:43:55 -
@@ -18,14 +18,18 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd $Mdocdate: February 23 2017 $
+.Dd $Mdocdate: January 9 2018 $
 .Dt MD5 1
 .Os
 .Sh NAME
 .Nm md5 ,
 .Nm sha1 ,
 .Nm sha256 ,
-.Nm sha512
+.Nm sha512 ,
+.Nm sha3-224 ,
+.Nm sha3-256 ,
+.Nm sha3-384 ,
+.Nm sha3-512
 .Nd calculate a message digest (checksum) for a file
 .Sh SYNOPSIS
 .Nm md5
@@ -52,6 +56,30 @@
 .Op Fl h Ar hashfile
 .Op Fl s Ar string
 .Op Ar
+.Nm sha3-224
+.Op Fl bcpqrtx
+.Op Fl C Ar checklist
+.Op Fl h Ar hashfile
+.Op Fl s Ar string
+.Op Ar
+.Nm sha3-256
+.Op Fl bcpqrtx
+.Op Fl C Ar checklist
+.Op Fl h Ar hashfile
+.Op Fl s Ar string
+.Op Ar
+.Nm sha3-384
+.Op Fl bcpqrtx
+.Op Fl C Ar checklist
+.Op Fl h Ar hashfile
+.Op Fl s Ar string
+.Op Ar
+.Nm sha3-512
+.Op Fl bcpqrtx
+.Op Fl C Ar checklist
+.Op Fl h Ar hashfile
+.Op Fl s Ar string
+.Op Ar
 .Sh DESCRIPTION
 These utilities take as input a message of arbitrary length and produce
 as output a message digest (checksum) of the input.
@@ -136,7 +164,13 @@ and \*(Gt0 if an error occurs.
 .%R RFC 3174
 .%T US Secure Hash Algorithm 1 (SHA1)
 .Re
+.Pp
 .Rs
 .%T Secure Hash Standard
 .%O FIPS PUB 180-2
+.Re
+.Pp
+.Rs
+.%T SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
+.%O FIPS PUB 202
 .Re
Index: bin/md5/md5.c
===
RCS file: /cvs/src/bin/md5/md5.c,v
retrieving revision 1.92
diff -u -p -u -p -r1.92 md5.c
--- bin/md5/md5.c   11 Sep 2017 16:35:38 -  1.92
+++ bin/md5/md5.c   10 Jan 2018 13:43:55 -
@@ -42,6 +42,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #define STYLE_MD5  0
@@ -61,6 +62,7 @@ union ANY_CTX {
SHA1_CTX sha1;
 #endif /* !defined(SHA2_ONLY) */
SHA2_CTX sha2;
+   SHA3_CTX sha3;
 };
 
 struct hash_function {
@@ -177,6 +179,50 @@ struct hash_function {
(void (*)(void *, const unsigned char *, size_t))SHA512Update,
(void (*)(unsigned char *, void *))SHA512Final,
(char *(*)(void *, char *))SHA512End
+   },
+   {
+   "SHA3-224",
+   SHA3_224_DIGEST_LENGTH,
+   STYLE_MD5,
+   0,
+   NULL,
+   (void (*)(void *))SHA3_224Init,
+   (void (*)(void *, const unsigned char *, size_t))SHA3_Update,
+   (void (*)(unsigned char *, void *))SHA3_Final,
+   (char *(*)(void *, char *))SHA3_224End
+   },
+   {
+   "SHA3-256",
+   SHA3_256_DIGEST_LENGTH,
+   STYLE_MD5,
+   0,
+   NULL,
+   (void (*)(void *))SHA3_256Init,
+   (void (*)(void *, const unsigned char *, size_t))SHA3_Update,
+   (void (*)(unsigned char *, void *))SHA3_Final,
+   (char *(*)(void *, char *))SHA3_256End
+   },
+   {
+   "SHA3-384",
+   SHA3_384_DIGEST_LENGTH,
+   STYLE_MD5,
+   0,
+   NULL,
+   (void (*)(void *))SHA3_384Init,
+   (void (*)(void *, const unsigned char *, size_t))SHA3_Update,
+   (void (*)(unsigned char *, void *))SHA3_Final,
+   (char *(*)(void *, char *))SHA3_384End
+   },
+   {
+   "SHA3-512",
+   SHA3_512_DIGEST_LENGTH,
+   STYLE_MD5,
+   0,
+   NULL,
+   (void (*)(void *))SHA3_512Init,
+   (void (*)(void *, const unsigned char *, size_t))SHA3_Update,
+   (void (*)(unsigned char *, void *))SHA3_Final,
+   (char *(*)(void *, 

vmd: allow vm with "cdrom" but no disk

2018-01-10 Thread Stuart Henderson
Currently we require either "kernel" or "disk", but there may be
some viable use cases where just a CDROM image is given. This adjusts
the check to avoid bailing in that case.

OK?

Index: vmd.c
===
RCS file: /cvs/src/usr.sbin/vmd/vmd.c,v
retrieving revision 1.78
diff -u -p -r1.78 vmd.c
--- vmd.c   8 Jan 2018 11:58:27 -   1.78
+++ vmd.c   10 Jan 2018 13:57:26 -
@@ -1140,8 +1140,9 @@ vm_register(struct privsep *ps, struct v
} else if (vcp->vcp_nnics > VMM_MAX_NICS_PER_VM) {
log_warnx("invalid number of interfaces");
goto fail;
-   } else if (strlen(vcp->vcp_kernel) == 0 && vcp->vcp_ndisks == 0) {
-   log_warnx("no kernel or disk specified");
+   } else if (strlen(vcp->vcp_kernel) == 0 &&
+   vcp->vcp_ndisks == 0 && strlen(vcp->vcp_cdrom) == 0) {
+   log_warnx("no kernel or disk/cdrom specified");
goto fail;
} else if (strlen(vcp->vcp_name) == 0) {
log_warnx("invalid VM name");
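Review bot: The added emptiness test `strlen(vcp->vcp_cdrom) == 0` scans the whole string only to learn whether its first byte is NUL, and it joins the existing strlen() tests on vcp_kernel and vcp_name in the same chain. If these fields are fixed-size arrays filled from a message sent by another process (not visible in this hunk), an unterminated value makes strlen() read past the array before any validation has run. Testing the first byte, `vcp->vcp_cdrom[0] == '\0'`, gives the same answer without the scan. vm_register() starts and ends outside this hunk, so an explicit termination check may already exist earlier in the function.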



get rid of struct carp_if by making if_carp itself an srpl

2018-01-10 Thread David Gwynne
currently carp uses a struct carp_if to hold an srp list head, which
is accessed by both if_carp in struct ifnet, and via the if input
handlers list.

this gets rid of some indirection by making if_carp itself the list
head, and makes accessing the list consistent by only using if_carp
to get to it.

after this i would like to restrict carp to using IFT_ETHER interfaces
instead of !IFT_CARP, and then i could move the srp list head into
struct arpcom.

ok?

Index: net/if_var.h
===
RCS file: /cvs/src/sys/net/if_var.h,v
retrieving revision 1.88
diff -u -p -r1.88 if_var.h
--- net/if_var.h8 Jan 2018 23:05:21 -   1.88
+++ net/if_var.h10 Jan 2018 10:28:53 -
@@ -134,7 +134,7 @@ struct ifnet {  /* and the 
entries */
caddr_t if_mcast6;  /* used by IPv6 multicast code */
caddr_t if_pf_kif;  /* pf interface abstraction */
union {
-   caddr_t carp_s; /* carp structure (used by !carp ifs) */
+   struct srpl carp_s; /* carp if list (used by !carp ifs) */
struct ifnet *carp_d;   /* ptr to carpdev (used by carp ifs) */
} if_carp_ptr;
 #define if_carpif_carp_ptr.carp_s
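Review bot: With carp_s now a `struct srpl` instead of a pointer, the two union members no longer share a representation, and nothing in the declaration says which one is live. The if.c hunk in this diff tests `ifp->if_type != IFT_CARP` before touching if_carp, but the two if_bridge.c hunks call `SRPL_EMPTY_LOCKED()` on it without that test; whether a carp interface can reach that code is not visible here. I would extend the comment on the union to something like `/* if_type == IFT_CARP selects carp_d, anything else carp_s */` so readers of if_carp know to check the type first. struct ifnet starts and ends outside this hunk.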
Index: net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.536
diff -u -p -r1.536 if.c
--- net/if.c9 Jan 2018 17:50:57 -   1.536
+++ net/if.c10 Jan 2018 10:28:53 -
@@ -1007,7 +1007,7 @@ if_deactivate(struct ifnet *ifp)
 
 #if NCARP > 0
/* Remove the interface from any carp group it is a part of.  */
-   if (ifp->if_carp && ifp->if_type != IFT_CARP)
+   if (ifp->if_type != IFT_CARP && !SRPL_EMPTY_LOCKED(>if_carp))
carp_ifdetach(ifp);
 #endif
NET_UNLOCK();
Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.300
diff -u -p -r1.300 if_bridge.c
--- net/if_bridge.c 9 Jan 2018 15:24:24 -   1.300
+++ net/if_bridge.c 10 Jan 2018 10:28:53 -
@@ -1108,8 +1108,8 @@ bridge_process(struct ifnet *ifp, struct
ac = (struct arpcom *)ifl->ifp;
if (bcmp(ac->ac_enaddr, eh->ether_dhost, ETHER_ADDR_LEN) == 0
 #if NCARP > 0
-   || (ifl->ifp->if_carp && carp_ourether(ifl->ifp->if_carp,
-   (u_int8_t *)>ether_dhost) != NULL)
+   || (!SRPL_EMPTY_LOCKED(>ifp->if_carp) &&
+   !carp_ourether(ifl->ifp, eh->ether_dhost))
 #endif
) {
if (srcifl->bif_flags & IFBIF_LEARNING)
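Review bot: The carp test here changes polarity as well as signature: the old condition was `carp_ourether(...) != NULL`, true when the address belongs to a carp interface, while the new one is `!carp_ourether(ifl->ifp, eh->ether_dhost)`, true when the call returns zero. The new carp_ourether() is not visible in this part of the diff; unless it returns 0 on a match, the branch is now taken for exactly the addresses it used to skip. The same applies to the ether_shost test in the next hunk (@@ -1131,8), which guards the `m_freem(m)` that drops frames carrying a local source address. If the function returns non-zero on a match, both lines should drop the negation, e.g. `carp_ourether(ifl->ifp, eh->ether_dhost))`. bridge_process() starts and ends outside both hunks.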
@@ -1131,8 +1131,8 @@ bridge_process(struct ifnet *ifp, struct
}
if (bcmp(ac->ac_enaddr, eh->ether_shost, ETHER_ADDR_LEN) == 0
 #if NCARP > 0
-   || (ifl->ifp->if_carp && carp_ourether(ifl->ifp->if_carp,
-   (u_int8_t *)>ether_shost) != NULL)
+   || (!SRPL_EMPTY_LOCKED(>ifp->if_carp) &&
+   !carp_ourether(ifl->ifp, eh->ether_shost))
 #endif
) {
m_freem(m);
Index: netinet/ip_carp.c
===
RCS file: /cvs/src/sys/netinet/ip_carp.c,v
retrieving revision 1.322
diff -u -p -r1.322 ip_carp.c
--- netinet/ip_carp.c   10 Jan 2018 10:25:52 -  1.322
+++ netinet/ip_carp.c   10 Jan 2018 10:28:53 -
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_carp.c,v 1.322 2018/01/10 10:25:52 dlg Exp $   */
+/* $OpenBSD: ip_carp.c,v 1.321 2018/01/09 15:24:24 bluhm Exp $ */
 
 /*
  * Copyright (c) 2002 Michael Shalayeff. All rights reserved.
@@ -188,10 +188,6 @@ struct cpumem *carpcounters;
 
 intcarp_send_all_recur = 0;
 
-struct carp_if {
-   struct srpl vhif_vrs;
-};
-
 #defineCARP_LOG(l, sc, s)  
\
do {\
if (carp_opts[CARPCTL_LOG] >= l) {  \
@@ -231,7 +227,7 @@ voidcarp_timer_down(void *);
 void   carp_master_down(struct carp_vhost_entry *);
 intcarp_ioctl(struct ifnet *, u_long, caddr_t);
 intcarp_vhids_ioctl(struct carp_softc *, struct carpreq *);
-intcarp_check_dup_vhids(struct carp_softc *, struct carp_if *,
+intcarp_check_dup_vhids(struct carp_softc *, struct srpl *,
struct carpreq *);
 void   carp_ifgroup_ioctl(struct ifnet *, u_long, caddr_t);
 void   carp_ifgattr_ioctl(struct ifnet *, u_long, caddr_t);
@@ -595,15 +591,15 @@ carp_proto_input_c(struct ifnet *ifp, st
struct carp_softc *sc;
struct carp_vhost_entry *vhe;
struct timeval sc_tv, ch_tv;
-   struct carp_if *cif;
+   struct srpl *cif;
 
if (ifp->if_type == IFT_CARP)
-   cif =