Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 14, 2019 at 03:54:38PM +0200, Florian Obser wrote: > On Fri, Jun 14, 2019 at 02:04:00PM +0200, Renaud Allard wrote: > > > > > > On 6/14/19 1:58 PM, Florian Obser wrote: > > > On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote: > > > > > > > > > > > > On 6/12/19 2:30 PM, Renaud Allard wrote: > > > > > > > > > > > > > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote: > > > > > > Hi, > > > > > > > > > > > > some feedback below. > > > > > > > > > > > > Renaud: maybe wait for feedback from florian or gilles until > > > > > > acting on my comments, sometimes sending diffs to fast creates more > > > > > > work ;) > > > > > > > > > > > > /Benno > > > > > > > > > > > > > > > > As suggested by benno@ > > > > > removal of the global variable > > > > > removal of KEYTYPE which was not used and was a leftover of a former > > > > > patch > > > > > define ECDSA_KEY to be more readable > > > > > > > > > > > > > Any comment or OK on my latest patch? > > > > > > > > > > I'd prefer to use enums like the rest of the code. > > > > > > > Indeed, that seems even more explicit. I can't say an official OK, but > > that's OK to me :) > > > > > > > Bit more tweaking to the parse.y. This makes keytype reusable for the > account key. > yes makes sense > Still looking for an official OK :) > > I'll probably just put it in soon... > ok gilles@ still :-) > diff --git extern.h extern.h > index 17c6aa54f18..f6293a371ad 100644 > --- extern.h > +++ extern.h > @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const > char *, > int, int, const char *const *, size_t); > int fileproc(int, const char *, const char *, const char *, > const char *); > -int keyproc(int, const char *, const char **, size_t); > +int keyproc(int, const char *, const char **, size_t, > + enum keytype); > int netproc(int, int, int, int, int, int, int, > struct authority_c *, const char *const *, > size_t); 
> @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const > char *, const char *); > */ > int verbose; > > -/* > - * Should we switch to ecdsa? > - */ > -int ecdsa; > - > /* > * What component is the process within (COMP__MAX for none)? > */ > diff --git keyproc.c keyproc.c > index 9c392a0f3f6..f9ce081457a 100644 > --- keyproc.c > +++ keyproc.c > @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char > *value) > * jail and, on success, ship it to "netsock" as an X509 request. > */ > int > -keyproc(int netsock, const char *keyfile, > -const char **alts, size_t altsz) > +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, > +enum keytype keytype) > { > char*der64 = NULL, *der = NULL, *dercp; > char*sans = NULL, *san = NULL; > @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile, > } > > if (newkey) { > - if (ecdsa) { > + switch (keytype) { > + case KT_ECDSA: > if ((pkey = ec_key_create(f, keyfile)) == NULL) > goto out; > dodbg("%s: generated ECDSA domain key", keyfile); > - } else { > + break; > + case KT_RSA: > if ((pkey = rsa_key_create(f, keyfile)) == NULL) > goto out; > dodbg("%s: generated RSA domain key", keyfile); > + break; > } > } else { > if ((pkey = key_load(f, keyfile)) == NULL) > diff --git main.c main.c > index ea8f7c5d348..d70a7048f47 100644 > --- main.c > +++ main.c > @@ -49,7 +49,6 @@ main(int argc, char *argv[]) > int popts = 0; > pid_t pids[COMP__MAX]; > extern intverbose; > - extern intecdsa; > extern enum comp proccomp; > size_ti, altsz, ne; > > @@ -148,10 +147,6 @@ main(int argc, char *argv[]) > errx(EXIT_FAILURE, "authority %s not found", auth); > } > > - if (domain->keytype == 1) { > - ecdsa = 1; > - } > - > acctkey = authority->account; > > if ((chngdir = domain->challengedir) == NULL) 
> @@ -258,7 +253,8 @@ main(int argc, char *argv[]) > close(file_fds[0]); > close(file_fds[1]); > c = keyproc(key_fds[0], domain->key, > - (const char **)alts, altsz); > + (const char **)alts, altsz, > + domain->keytype); > exit(c ? EXIT_SUCCESS : EXIT_FAILURE); > } > > diff --git parse.h parse.h > index 78405590568..7f2d3ca546c 100644 > --- parse.h > +++ parse.h > @@ -27,6 +27,11 @@ > * limit all paths to PATH_MAX > */ > > +enum keytype
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 14, 2019 at 01:58:58PM +0200, Florian Obser wrote: > On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote: > > > > > > On 6/12/19 2:30 PM, Renaud Allard wrote: > > > > > > > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote: > > > > Hi, > > > > > > > > some feedback below. > > > > > > > > Renaud: maybe wait for feedback from florian or gilles until > > > > acting on my comments, sometimes sending diffs to fast creates more > > > > work ;) > > > > > > > > /Benno > > > > > > > > > > As suggested by benno@ > > > removal of the global variable > > > removal of KEYTYPE which was not used and was a leftover of a former patch > > > define ECDSA_KEY to be more readable > > > > > > > Any comment or OK on my latest patch? > > > > I'd prefer to use enums like the rest of the code. > yes, ok gilles@ > diff --git extern.h extern.h > index 17c6aa54f18..f6293a371ad 100644 > --- extern.h > +++ extern.h > @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const > char *, > int, int, const char *const *, size_t); > int fileproc(int, const char *, const char *, const char *, > const char *); > -int keyproc(int, const char *, const char **, size_t); > +int keyproc(int, const char *, const char **, size_t, > + enum keytype); > int netproc(int, int, int, int, int, int, int, > struct authority_c *, const char *const *, > size_t); > @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const > char *, const char *); > */ > int verbose; > > -/* > - * Should we switch to ecdsa? > - */ > -int ecdsa; > - > /* > * What component is the process within (COMP__MAX for none)? > */ > diff --git keyproc.c keyproc.c > index 9c392a0f3f6..f9ce081457a 100644 > --- keyproc.c > +++ keyproc.c 
> @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char > *value) > * jail and, on success, ship it to "netsock" as an X509 request. > */ > int > -keyproc(int netsock, const char *keyfile, > -const char **alts, size_t altsz) > +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, > +enum keytype keytype) > { > char*der64 = NULL, *der = NULL, *dercp; > char*sans = NULL, *san = NULL; > @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile, > } > > if (newkey) { > - if (ecdsa) { > + switch (keytype) { > + case KT_ECDSA: > if ((pkey = ec_key_create(f, keyfile)) == NULL) > goto out; > dodbg("%s: generated ECDSA domain key", keyfile); > - } else { > + break; > + case KT_RSA: > if ((pkey = rsa_key_create(f, keyfile)) == NULL) > goto out; > dodbg("%s: generated RSA domain key", keyfile); > + break; > } > } else { > if ((pkey = key_load(f, keyfile)) == NULL) > diff --git main.c main.c > index ea8f7c5d348..d70a7048f47 100644 > --- main.c > +++ main.c > @@ -49,7 +49,6 @@ main(int argc, char *argv[]) > int popts = 0; > pid_t pids[COMP__MAX]; > extern intverbose; > - extern intecdsa; > extern enum comp proccomp; > size_ti, altsz, ne; > > @@ -148,10 +147,6 @@ main(int argc, char *argv[]) > errx(EXIT_FAILURE, "authority %s not found", auth); > } > > - if (domain->keytype == 1) { > - ecdsa = 1; > - } > - > acctkey = authority->account; > > if ((chngdir = domain->challengedir) == NULL) > @@ -258,7 +253,8 @@ main(int argc, char *argv[]) > close(file_fds[0]); > close(file_fds[1]); > c = keyproc(key_fds[0], domain->key, > - (const char **)alts, altsz); > + (const char **)alts, altsz, > + domain->keytype); > exit(c ? EXIT_SUCCESS : EXIT_FAILURE); > } > > diff --git parse.h parse.h > index 78405590568..7f2d3ca546c 100644 > --- parse.h > +++ parse.h > @@ -27,6 +27,11 @@ > * limit all paths to PATH_MAX > */ > > +enum keytype { > + KT_RSA = 0, > + KT_ECDSA > +}; > + > struct authority_c { > TAILQ_ENTRY(authority_c) entry; > char*name; 
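Review bot: The new `enum keytype` in the parse.h hunk pins `KT_RSA = 0` but nothing says why; the explicit zero is presumably what makes a domain whose config block never names a key type fall back to RSA, since the `int keytype` it replaces defaulted to 0 and the old main.c code only special-cased `== 1`. That intent deserves one comment above the enum so nobody reorders the enumerators later: `/* KT_RSA must stay 0: a domain_c with no explicit key type is RSA, matching the previous int default. */`. If parse.y sets the field unconditionally (not visible here), the comment can say that instead, but the default should be stated either way.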
> @@ -36,9 +41,9 @@ struct authority_c { > > struct domain_c { > TAILQ_ENTRY(domain_c)entry; > - TAILQ_HEAD(, altname_c) altname_list; > - int altname_count; > - int keytype; > + TAILQ_HEAD(, altname_c) altname_list; > + int altname_count; > + enum keytype keytype; > char
Re: ldpd(8): unveil(2) main proc / reduce pledge(2) on ldpe
ping? On 12:33 Wed 22 May , Ricardo Mestre wrote: > Hi, > > Like we did on other daemons that cannot be pledged due to forbidden ioctls > the > main process can be unveiled to restrict filesystem access. In this case we > can > restrict it to only read, although it must be the entire / since the daemon is > able to include config files from anywhere. > > Additionally the ldpe process currently has cpath promise to unlink the > socket, > nevertheless the socket is actually unlinked from the main proc so this > permission can be removed. As we discussed before leaving the socket behind > doesn't do any harm that's why I didn't unveil it in the main proc. > > Comments? OK? > > Index: ldpd.c > === > RCS file: /cvs/src/usr.sbin/ldpd/ldpd.c,v > retrieving revision 1.64 > diff -u -p -u -r1.64 ldpd.c > --- ldpd.c31 Mar 2019 03:36:18 - 1.64 > +++ ldpd.c22 May 2019 11:09:33 - > @@ -222,6 +222,11 @@ main(int argc, char *argv[]) > pipe_parent2ldpe[1], debug, global.cmd_opts & LDPD_OPT_VERBOSE, > sockname); > > + if (unveil("/", "r") == -1) > + fatal("unveil"); > + if (unveil(NULL, NULL) == -1) > + fatal("unveil"); > + > event_init(); > > /* setup signal handler */ > Index: ldpe.c > === > RCS file: /cvs/src/usr.sbin/ldpd/ldpe.c,v > retrieving revision 1.75 > diff -u -p -u -r1.75 ldpe.c > --- ldpe.c23 Jan 2019 02:02:04 - 1.75 > +++ ldpe.c22 May 2019 11:09:33 - > @@ -107,7 +107,7 @@ ldpe(int debug, int verbose, char *sockn > setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) > fatal("can't drop privileges"); > > - if (pledge("stdio cpath inet mcast recvfd", NULL) == -1) > + if (pledge("stdio inet mcast recvfd", NULL) == -1) > fatal("pledge"); > > event_init();
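Review bot: In the ldpd.c hunk `unveil("/", "r")` is locked in while the mail says the control socket is still unlinked from this main process, so that unlink(2) will now fail with EACCES instead of removing the socket; the unlink itself is outside the hunk. If leaving a stale socket behind is the accepted outcome, say so where the unlink happens so the failure is not mistaken for a bug, e.g. `/* unveil("/", "r") in main() makes this fail; a stale socket is harmless */`, or add `unveil(sockname, "c")` before the final `unveil(NULL, NULL)` and keep the cleanup working. Placing the calls after the ldpe() fork looks right, since children forked earlier are unaffected, but the socket must already have been created by then — worth confirming against the code above the hunk. Dropping cpath from the ldpe pledge in the second hunk is only safe if nothing else in ldpe creates or removes paths; the unveil covers the main process alone.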
Re: unveil(2) sysctl(8)
Hi, Sorry to be late in the game, but as jca@ pointed out sysctl(8) tries to open _PATH_DEVDB first and then /dev if it cannot open the former, so both should be unveil(2)ed. Scramble the includes while at it. Index: sysctl.c === RCS file: /cvs/src/sbin/sysctl/sysctl.c,v retrieving revision 1.242 diff -u -p -u -r1.242 sysctl.c --- sysctl.c13 May 2019 20:47:19 - 1.242 +++ sysctl.c14 Jun 2019 19:04:01 - @@ -94,13 +94,14 @@ #include #include +#include #include #include +#include +#include #include #include #include -#include -#include #include #include @@ -162,6 +163,8 @@ struct list secondlevel[] = { intAflag, aflag, nflag, qflag; +time_t boottime; + /* * Variables requiring special processing. */ @@ -255,6 +258,15 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; + ctime(); /* satisfy potential $TZ expansion before unveil() */ + + if (unveil(_PATH_DEVDB, "r") == -1) + err(1,"unveil"); + if (unveil("/dev", "r") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + if (argc == 0 || (Aflag || aflag)) { debuginit(); vfsinit(); 
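Review bot: The priming call in the main() hunk reads `ctime();` with no argument here, which cannot compile against the `ctime(const time_t *)` prototype; presumably `ctime(&boottime)` was lost in transit, with the newly file-scoped `boottime` (still 0 at this point) as the argument, so the posted text should be double-checked before commit. Since the return value is discarded and the call exists only for its side effect, the comment should name the mechanism rather than "$TZ expansion": `/* ctime(3) -> localtime(3) -> tzset(3): read $TZ / zoneinfo now, before unveil(2) hides it */`. Minor style point: `err(1,"unveil")` on the _PATH_DEVDB line lacks the space the other two err() calls have.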
@@ -893,7 +905,6 @@ parse(char *string, int flags) } if (special & BOOTTIME) { struct timeval *btp = (struct timeval *)buf; - time_t boottime; if (!nflag) { boottime = btp->tv_sec; On 10:35 Sat 08 Jun , Theo de Raadt wrote: > When userland was massaged for pledge(), I hesitated using the > "manually call tzset()" approach for handling things. It felt > too low-level to call tzset(), an API almost noone knows the > existance of. > > Arriving in the same situation to satisfy unveil(). Again calling > tzset() feels too unfamiliar and low level. > > Regarding the comment in your diff, it says "localtime", but what is > actually called is ctime(), which calls localtime() (which calls > tzset(), which is where the unveil-files-missing or pledge-whatver > issues would show up in some programs). Probably should adjust > the comment > > Here's the later troublesome chunk: > > if (special & BOOTTIME) { > struct timeval *btp = (struct timeval *)buf; > time_t boottime; > > if (!nflag) { > boottime = btp->tv_sec; > (void)printf("%s%s%s", string, equ, ctime()); > > That makes me wonder, can we be less obtuse up front, and > prime the subsystem before unveil by calling the same function which > will be called later? > > Something like this. It feels slightly better to me. > > Index: sysctl.c > === > RCS file: /cvs/src/sbin/sysctl/sysctl.c,v > retrieving revision 1.242 > diff -u -p -u -r1.242 sysctl.c > --- sysctl.c 13 May 2019 20:47:19 - 1.242 > +++ sysctl.c 8 Jun 2019 16:33:07 - > @@ -162,6 +162,8 @@ struct list secondlevel[] = { > > int Aflag, aflag, nflag, qflag; > > +time_t boottime; > + > /* > * Variables requiring special processing. > */ > @@ -255,6 +257,12 @@ main(int argc, char *argv[]) > argc -= optind; > argv += optind; > > + ctime(); /* satisfy potential $TZ expansion before unveil() */ > + > + if (unveil("/dev", "r") == -1) > + err(1, "unveil"); > + if (unveil(NULL, NULL) == -1) > + err(1, "unveil"); > if (argc == 0 || (Aflag || aflag)) { > debuginit(); > vfsinit(); 
> @@ -893,7 +901,6 @@ parse(char *string, int flags) > } > if (special & BOOTTIME) { > struct timeval *btp = (struct timeval *)buf; > - time_t boottime; > > if (!nflag) { > boottime = btp->tv_sec; > > > > > > Florian Obser wrote: > > > On Fri, Jun 07, 2019 at 11:24:30PM +0100, Ricardo Mestre wrote: > > > i did that and for some for reason i didn't get it! it tries to open > > > timezone so it kinda looks like a red flag right there... > > > > > > apart from /dev do we need to look into TZ on this one as well? if TZ > > > var needs to be looked at then all bets are off :/ > > > > this seems to do the right thing: > > > > diff --git sysctl.c sysctl.c > > index dc6abc16670..c74e706942a 100644 > > --- sysctl.c > > +++ sysctl.c > > @@ -255,6 +255,13 @@ main(int argc, char *argv[]) > > argc -= optind; > > argv += optind; > > > > + tzset(); /* for kern.boottime in localtime */ > > + > > + if (unveil("/dev", "r") == -1) > > + err(1, "unveil"); > > + if (unveil(NULL, NULL) == -1) > > + err(1, "unveil"); > > + > > if (argc == 0 || (Aflag || aflag)) { > > debuginit(); > > vfsinit(); > > > > > > -- > > I'm not entirely sure
Re: [patch] use acme-client to sign certificated with ecdsa keys
ok Florian Obser(flor...@openbsd.org) on 2019.06.14 13:58:58 +0200: > On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote: > > > > > > On 6/12/19 2:30 PM, Renaud Allard wrote: > > > > > > > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote: > > > > Hi, > > > > > > > > some feedback below. > > > > > > > > Renaud: maybe wait for feedback from florian or gilles until > > > > acting on my comments, sometimes sending diffs to fast creates more > > > > work ;) > > > > > > > > /Benno > > > > > > > > > > As suggested by benno@ > > > removal of the global variable > > > removal of KEYTYPE which was not used and was a leftover of a former patch > > > define ECDSA_KEY to be more readable > > > > > > > Any comment or OK on my latest patch? > > > > I'd prefer to use enums like the rest of the code. > > > diff --git extern.h extern.h > index 17c6aa54f18..f6293a371ad 100644 > --- extern.h > +++ extern.h > @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const > char *, > int, int, const char *const *, size_t); > int fileproc(int, const char *, const char *, const char *, > const char *); > -int keyproc(int, const char *, const char **, size_t); > +int keyproc(int, const char *, const char **, size_t, > + enum keytype); > int netproc(int, int, int, int, int, int, int, > struct authority_c *, const char *const *, > size_t); > @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const > char *, const char *); > */ > int verbose; > > -/* > - * Should we switch to ecdsa? > - */ > -int ecdsa; > - > /* > * What component is the process within (COMP__MAX for none)? > */ > diff --git keyproc.c keyproc.c > index 9c392a0f3f6..f9ce081457a 100644 > --- keyproc.c > +++ keyproc.c 
> @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char > *value) > * jail and, on success, ship it to "netsock" as an X509 request. > */ > int > -keyproc(int netsock, const char *keyfile, > -const char **alts, size_t altsz) > +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, > +enum keytype keytype) > { > char*der64 = NULL, *der = NULL, *dercp; > char*sans = NULL, *san = NULL; > @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile, > } > > if (newkey) { > - if (ecdsa) { > + switch (keytype) { > + case KT_ECDSA: > if ((pkey = ec_key_create(f, keyfile)) == NULL) > goto out; > dodbg("%s: generated ECDSA domain key", keyfile); > - } else { > + break; > + case KT_RSA: > if ((pkey = rsa_key_create(f, keyfile)) == NULL) > goto out; > dodbg("%s: generated RSA domain key", keyfile); > + break; > } > } else { > if ((pkey = key_load(f, keyfile)) == NULL) > diff --git main.c main.c > index ea8f7c5d348..d70a7048f47 100644 > --- main.c > +++ main.c > @@ -49,7 +49,6 @@ main(int argc, char *argv[]) > int popts = 0; > pid_t pids[COMP__MAX]; > extern intverbose; > - extern intecdsa; > extern enum comp proccomp; > size_ti, altsz, ne; > > @@ -148,10 +147,6 @@ main(int argc, char *argv[]) > errx(EXIT_FAILURE, "authority %s not found", auth); > } > > - if (domain->keytype == 1) { > - ecdsa = 1; > - } > - > acctkey = authority->account; > > if ((chngdir = domain->challengedir) == NULL) > @@ -258,7 +253,8 @@ main(int argc, char *argv[]) > close(file_fds[0]); > close(file_fds[1]); > c = keyproc(key_fds[0], domain->key, > - (const char **)alts, altsz); > + (const char **)alts, altsz, > + domain->keytype); > exit(c ? EXIT_SUCCESS : EXIT_FAILURE); > } > > diff --git parse.h parse.h > index 78405590568..7f2d3ca546c 100644 > --- parse.h > +++ parse.h > @@ -27,6 +27,11 @@ > * limit all paths to PATH_MAX > */ > > +enum keytype { > + KT_RSA = 0, > + KT_ECDSA > +}; > + > struct authority_c { > TAILQ_ENTRY(authority_c) entry; > char*name; 
> @@ -36,9 +41,9 @@ struct authority_c { > > struct domain_c { > TAILQ_ENTRY(domain_c)entry; > - TAILQ_HEAD(, altname_c) altname_list; > - int altname_count; > - int keytype; > + TAILQ_HEAD(, altname_c) altname_list; > + int altname_count; > + enum keytype keytype; > char
Re: net80211: more steady Tx rate with MiRa (please test)
Hi, * Stefan Sperling wrote: > On Fri, Jun 14, 2019 at 01:01:58PM +0200, Matthias Schmidt wrote: > > Hi Stefan, > > > > * Stefan Sperling wrote: > > > > > > Since I am knee-deep in Tx aggregation right now, I would like to delegate > > > testing of the diff below against plain -current to the community. > > > If some of you could test the diff below and report back to me I would > > > appreciate it. > > > You don't need to get numbers from wireshark for this if you don't want > > > to. > > > Letting me know if Tx is faster or not and whether there are any perceived > > > regressions is sufficient. > > > > I tested your diff for the last two days and noticed a regression > > After some time one of the two things happens: > > Are you sure these problem are introduced by this diff? > I am quite certain that these symptoms must be unrelated. The first problem also shows up without your diff, however, the reconnect happens a lot faster. I will spend some more time testing. Cheers Matthias
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 14, 2019 at 02:04:00PM +0200, Renaud Allard wrote: > > > On 6/14/19 1:58 PM, Florian Obser wrote: > > On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote: > > > > > > > > > On 6/12/19 2:30 PM, Renaud Allard wrote: > > > > > > > > > > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote: > > > > > Hi, > > > > > > > > > > some feedback below. > > > > > > > > > > Renaud: maybe wait for feedback from florian or gilles until > > > > > acting on my comments, sometimes sending diffs to fast creates more > > > > > work ;) > > > > > > > > > > /Benno > > > > > > > > > > > > > As suggested by benno@ > > > > removal of the global variable > > > > removal of KEYTYPE which was not used and was a leftover of a former > > > > patch > > > > define ECDSA_KEY to be more readable > > > > > > > > > > Any comment or OK on my latest patch? > > > > > > > I'd prefer to use enums like the rest of the code. > > > > Indeed, that seems even more explicit. I can't say an official OK, but > that's OK to me :) > > Bit more tweaking to the parse.y. This makes keytype reusable for the account key. Still looking for an official OK :) I'll probably just put it in soon... diff --git extern.h extern.h index 17c6aa54f18..f6293a371ad 100644 --- extern.h +++ extern.h @@ -207,7 +207,8 @@ int revokeproc(int, const char *, const char *, int, int, const char *const *, size_t); int fileproc(int, const char *, const char *, const char *, const char *); -int keyproc(int, const char *, const char **, size_t); +int keyproc(int, const char *, const char **, size_t, + enum keytype); int netproc(int, int, int, int, int, int, int, struct authority_c *, const char *const *, size_t); @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const char *, const char *); */ int verbose; -/* - * Should we switch to ecdsa? - */ -intecdsa; - /* * What component is the process within (COMP__MAX for none)? */ diff --git keyproc.c keyproc.c index 9c392a0f3f6..f9ce081457a 100644 --- keyproc.c +++ keyproc.c 
@@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char *value) * jail and, on success, ship it to "netsock" as an X509 request. */ int -keyproc(int netsock, const char *keyfile, -const char **alts, size_t altsz) +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, +enum keytype keytype) { char*der64 = NULL, *der = NULL, *dercp; char*sans = NULL, *san = NULL; @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile, } if (newkey) { - if (ecdsa) { + switch (keytype) { + case KT_ECDSA: if ((pkey = ec_key_create(f, keyfile)) == NULL) goto out; dodbg("%s: generated ECDSA domain key", keyfile); - } else { + break; + case KT_RSA: if ((pkey = rsa_key_create(f, keyfile)) == NULL) goto out; dodbg("%s: generated RSA domain key", keyfile); + break; } } else { if ((pkey = key_load(f, keyfile)) == NULL) diff --git main.c main.c index ea8f7c5d348..d70a7048f47 100644 --- main.c +++ main.c @@ -49,7 +49,6 @@ main(int argc, char *argv[]) int popts = 0; pid_t pids[COMP__MAX]; extern intverbose; - extern intecdsa; extern enum comp proccomp; size_ti, altsz, ne; @@ -148,10 +147,6 @@ main(int argc, char *argv[]) errx(EXIT_FAILURE, "authority %s not found", auth); } - if (domain->keytype == 1) { - ecdsa = 1; - } - acctkey = authority->account; if ((chngdir = domain->challengedir) == NULL) @@ -258,7 +253,8 @@ main(int argc, char *argv[]) close(file_fds[0]); close(file_fds[1]); c = keyproc(key_fds[0], domain->key, - (const char **)alts, altsz); + (const char **)alts, altsz, + domain->keytype); exit(c ? EXIT_SUCCESS : EXIT_FAILURE); } diff --git parse.h parse.h index 78405590568..7f2d3ca546c 100644 --- parse.h +++ parse.h @@ -27,6 +27,11 @@ * limit all paths to PATH_MAX */ +enum keytype { + KT_RSA = 0, + KT_ECDSA +}; + struct authority_c { TAILQ_ENTRY(authority_c) entry; char*name; @@ -36,9 +41,9 @@ struct authority_c { struct domain_c { TAILQ_ENTRY(domain_c)entry; - TAILQ_HEAD(, altname_c) altname_list; - int
Re: net80211: more steady Tx rate with MiRa (please test)
On Fri, Jun 14, 2019 at 01:01:58PM +0200, Matthias Schmidt wrote: > Hi Stefan, > > * Stefan Sperling wrote: > > > > Since I am knee-deep in Tx aggregation right now, I would like to delegate > > testing of the diff below against plain -current to the community. > > If some of you could test the diff below and report back to me I would > > appreciate it. > > You don't need to get numbers from wireshark for this if you don't want to. > > Letting me know if Tx is faster or not and whether there are any perceived > > regressions is sufficient. > > I tested your diff for the last two days and noticed a regression > After some time one of the two things happens: Are you sure these problem are introduced by this diff? I am quite certain that these symptoms must be unrelated. > * Transfer rates drop to 0. Directly visible if I run tcpbench, > indirectly if I cannot work with the Network any longer. I waited > for quite some time (> 10m) for something to happened, however, nothing > changes. Then I restarted the interface. > * My Thinkpad completely looses connection to my AP (Fritzbox) such that > I have to take iwm0 down and run sh /etc/netstart iwm0. > > It happens when I work as usual (SSH, email, surfing, etc) and if I do > nothing else then running tcpbench between the Thinkpad and a APU2 > running 6.5. > > I run the diff with the following hardware on latest -current: > > iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless-AC 8265" rev 0x78, msi > iwm0: hw rev 0x230, fw ver 22.361476.0, address 7c:2a:31:4d:1c:b9 > > Cheers > > Matthias >
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/14/19 1:58 PM, Florian Obser wrote: On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote: On 6/12/19 2:30 PM, Renaud Allard wrote: On 6/11/19 2:36 PM, Sebastian Benoit wrote: Hi, some feedback below. Renaud: maybe wait for feedback from florian or gilles until acting on my comments, sometimes sending diffs to fast creates more work ;) /Benno As suggested by benno@ removal of the global variable removal of KEYTYPE which was not used and was a leftover of a former patch define ECDSA_KEY to be more readable Any comment or OK on my latest patch? I'd prefer to use enums like the rest of the code. Indeed, that seems even more explicit. I can't say an official OK, but that's OK to me :) smime.p7s Description: S/MIME Cryptographic Signature
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote: > > > On 6/12/19 2:30 PM, Renaud Allard wrote: > > > > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote: > > > Hi, > > > > > > some feedback below. > > > > > > Renaud: maybe wait for feedback from florian or gilles until > > > acting on my comments, sometimes sending diffs to fast creates more > > > work ;) > > > > > > /Benno > > > > > > > As suggested by benno@ > > removal of the global variable > > removal of KEYTYPE which was not used and was a leftover of a former patch > > define ECDSA_KEY to be more readable > > > > Any comment or OK on my latest patch? > I'd prefer to use enums like the rest of the code. diff --git extern.h extern.h index 17c6aa54f18..f6293a371ad 100644 --- extern.h +++ extern.h @@ -207,7 +207,8 @@ int revokeproc(int, const char *, const char *, int, int, const char *const *, size_t); int fileproc(int, const char *, const char *, const char *, const char *); -int keyproc(int, const char *, const char **, size_t); +int keyproc(int, const char *, const char **, size_t, + enum keytype); int netproc(int, int, int, int, int, int, int, struct authority_c *, const char *const *, size_t); @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const char *, const char *); */ int verbose; -/* - * Should we switch to ecdsa? - */ -intecdsa; - /* * What component is the process within (COMP__MAX for none)? */ diff --git keyproc.c keyproc.c index 9c392a0f3f6..f9ce081457a 100644 --- keyproc.c +++ keyproc.c @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char *value) * jail and, on success, ship it to "netsock" as an X509 request. */ int -keyproc(int netsock, const char *keyfile, -const char **alts, size_t altsz) +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz, +enum keytype keytype) { char*der64 = NULL, *der = NULL, *dercp; char*sans = NULL, *san = NULL; 
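Review bot: The new keyproc() prototype in the extern.h hunk takes `enum keytype` by value, and unless extern.h already includes parse.h (not visible here) that is a forward reference to an enum type, which ISO C does not allow; GCC and clang accept it only as an extension and warn under -pedantic. The existing `struct authority_c *` parameter of netproc() gets away with this because a pointer to an incomplete struct is fine, whereas a by-value enum needs the complete type. Either add `#include "parse.h"` to extern.h or ensure every translation unit includes parse.h first, and note it above the prototype: `/* enum keytype comes from parse.h, which must be included before this header */`.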
@@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile, } if (newkey) { - if (ecdsa) { + switch (keytype) { + case KT_ECDSA: if ((pkey = ec_key_create(f, keyfile)) == NULL) goto out; dodbg("%s: generated ECDSA domain key", keyfile); - } else { + break; + case KT_RSA: if ((pkey = rsa_key_create(f, keyfile)) == NULL) goto out; dodbg("%s: generated RSA domain key", keyfile); + break; } } else { if ((pkey = key_load(f, keyfile)) == NULL) diff --git main.c main.c index ea8f7c5d348..d70a7048f47 100644 --- main.c +++ main.c @@ -49,7 +49,6 @@ main(int argc, char *argv[]) int popts = 0; pid_t pids[COMP__MAX]; extern intverbose; - extern intecdsa; extern enum comp proccomp; size_ti, altsz, ne; @@ -148,10 +147,6 @@ main(int argc, char *argv[]) errx(EXIT_FAILURE, "authority %s not found", auth); } - if (domain->keytype == 1) { - ecdsa = 1; - } - acctkey = authority->account; if ((chngdir = domain->challengedir) == NULL) @@ -258,7 +253,8 @@ main(int argc, char *argv[]) close(file_fds[0]); close(file_fds[1]); c = keyproc(key_fds[0], domain->key, - (const char **)alts, altsz); + (const char **)alts, altsz, + domain->keytype); exit(c ? EXIT_SUCCESS : EXIT_FAILURE); } diff --git parse.h parse.h index 78405590568..7f2d3ca546c 100644 --- parse.h +++ parse.h @@ -27,6 +27,11 @@ * limit all paths to PATH_MAX */ +enum keytype { + KT_RSA = 0, + KT_ECDSA +}; + struct authority_c { TAILQ_ENTRY(authority_c) entry; char*name; @@ -36,9 +41,9 @@ struct authority_c { struct domain_c { TAILQ_ENTRY(domain_c)entry; - TAILQ_HEAD(, altname_c) altname_list; - int altname_count; - int keytype; + TAILQ_HEAD(, altname_c) altname_list; + int altname_count; + enum keytype keytype; char*domain; char*key; char*cert; diff --git parse.y parse.y index 994492706bb..0b68a35fb73 100644 --- parse.y +++ parse.y @@ -100,7 +100,7 @@ typedef struct { %} %token AUTHORITY URL API ACCOUNT
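Review bot: The new `switch (keytype)` in keyproc() has no `default:` arm, so a value outside KT_RSA/KT_ECDSA (an uninitialised field, or a member added to the enum later) leaves `pkey` NULL and execution continues past the switch; whether a later NULL check catches that is outside this hunk. Fail the same way a failed key generation does, using the file's existing error path: `default: warnx("%s: unsupported key type", keyfile); goto out;`. The body of keyproc() starts before and ends after this hunk.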
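Review bot: The parse.h hunk introduces `enum keytype` with `KT_RSA = 0` but does not say why that value matters; if `struct domain_c` is zero-filled on allocation (not visible here), the 0 is what makes RSA the default when the config gives no key type, and a later reordering of the enum would silently change that default. Add the constraint above the enum: `/* KT_RSA must stay 0: a zero-initialised domain_c defaults to RSA. */`.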
Re: dwiic: add apollo lake support
On Mon, Jun 10, 2019 at 11:54:55PM -0400, James Hastings wrote: > Add support for Apollo Lake I2C at pci bus. > Include two PCIE devs while we are here. Committed without the pci renumbering as the additional ids are "PCIe-B" in the datasheet the old ones are "PCIe-A". The aplgpio and sdhc diffs you've sent are broken due to wrapped lines. > > > Index: sys/dev/pci/dwiic_pci.c > === > RCS file: /cvs/src/sys/dev/pci/dwiic_pci.c,v > retrieving revision 1.5 > diff -u -p -u -r1.5 dwiic_pci.c > --- sys/dev/pci/dwiic_pci.c 16 May 2019 01:14:08 - 1.5 > +++ sys/dev/pci/dwiic_pci.c 11 Jun 2019 01:31:03 - > @@ -70,6 +70,14 @@ const struct pci_matchid dwiic_pci_ids[] > { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_300SERIES_U_I2C_4 }, > { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_300SERIES_U_I2C_5 }, > { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_300SERIES_U_I2C_6 }, > + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_1 }, > + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_2 }, > + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_3 }, > + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_4 }, > + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_5 }, > + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_6 }, > + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_7 }, > + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_8 }, > }; > > int > Index: sys/dev/pci/pcidevs > === > RCS file: /cvs/src/sys/dev/pci/pcidevs,v > retrieving revision 1.1889 > diff -u -p -u -r1.1889 pcidevs > --- sys/dev/pci/pcidevs 10 May 2019 15:28:45 - 1.1889 > +++ sys/dev/pci/pcidevs 11 Jun 2019 01:31:03 - 
> @@ -4951,6 +4951,13 @@ product INTEL APOLLOLAKE_HDA 0x5a98 Apol > product INTEL APOLLOLAKE_TXE 0x5a9a Apollo Lake TXE > product INTEL APOLLOLAKE_XHCI0x5aa8 Apollo Lake xHCI > product INTEL APOLLOLAKE_I2C_1 0x5aac Apollo Lake I2C > +product INTEL APOLLOLAKE_I2C_2 0x5aae Apollo Lake I2C > +product INTEL APOLLOLAKE_I2C_3 0x5ab0 Apollo Lake I2C > +product INTEL APOLLOLAKE_I2C_4 0x5ab2 Apollo Lake I2C > +product INTEL APOLLOLAKE_I2C_5 0x5ab4 Apollo Lake I2C > +product INTEL APOLLOLAKE_I2C_6 0x5ab6 Apollo Lake I2C > +product INTEL APOLLOLAKE_I2C_7 0x5ab8 Apollo Lake I2C > +product INTEL APOLLOLAKE_I2C_8 0x5aba Apollo Lake I2C > product INTEL APOLLOLAKE_UART_1 0x5abc Apollo Lake HSUART > product INTEL APOLLOLAKE_SPI_1 0x5ac2 Apollo Lake SPI > product INTEL APOLLOLAKE_SPI_2 0x5ac4 Apollo Lake SPI > @@ -4959,9 +4966,11 @@ product INTEL APOLLOLAKE_SDMMC 0x5aca Ap > product INTEL APOLLOLAKE_EMMC0x5acc Apollo Lake eMMC > product INTEL APOLLOLAKE_SDIO0x5ad0 Apollo Lake SDIO > product INTEL APOLLOLAKE_SMB 0x5ad4 Apollo Lake SMBus > -product INTEL APOLLOLAKE_PCIE_1 0x5ad8 Apollo Lake PCIE > -product INTEL APOLLOLAKE_PCIE_2 0x5ad9 Apollo Lake PCIE > -product INTEL APOLLOLAKE_PCIE_3 0x5ada Apollo Lake PCIE > +product INTEL APOLLOLAKE_PCIE_1 0x5ad6 Apollo Lake PCIE > +product INTEL APOLLOLAKE_PCIE_2 0x5ad7 Apollo Lake PCIE > +product INTEL APOLLOLAKE_PCIE_3 0x5ad8 Apollo Lake PCIE > +product INTEL APOLLOLAKE_PCIE_4 0x5ad9 Apollo Lake PCIE > +product INTEL APOLLOLAKE_PCIE_5 0x5ada Apollo Lake PCIE > product INTEL APOLLOLAKE_AHCI0x5ae3 Apollo Lake AHCI > product INTEL APOLLOLAKE_LPC 0x5ae8 Apollo Lake LPC > product INTEL APOLLOLAKE_HB 0x5af0 Apollo Lake Host > Index: sys/dev/pci/pcidevs.h > === > RCS file: /cvs/src/sys/dev/pci/pcidevs.h,v > retrieving revision 1.1882 > diff -u -p -u -r1.1882 pcidevs.h > --- sys/dev/pci/pcidevs.h 10 May 2019 15:29:17 - 1.1882 > +++ sys/dev/pci/pcidevs.h 11 Jun 2019 01:31:04 - 
> @@ -4956,6 +4956,13 @@ > #define PCI_PRODUCT_INTEL_APOLLOLAKE_TXE0x5a9a /* > Apollo Lake TXE */ > #define PCI_PRODUCT_INTEL_APOLLOLAKE_XHCI 0x5aa8 /* > Apollo Lake xHCI */ > #define PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_1 0x5aac /* > Apollo Lake I2C */ > +#define PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_2 0x5aae /* > Apollo Lake I2C */ > +#define PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_3 0x5ab0 /* > Apollo Lake I2C */ > +#define PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_4 0x5ab2 /* > Apollo Lake I2C */ > +#define PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_5 0x5ab4 /* > Apollo Lake I2C */ > +#define PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_6 0x5ab6 /* > Apollo Lake I2C */ > +#define PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_7 0x5ab8 /* > Apollo Lake I2C */ > +#define PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_8 0x5aba /* >
Re: net80211: more steady Tx rate with MiRa (please test)
Hi Stefan, * Stefan Sperling wrote: > > Since I am knee-deep in Tx aggregation right now, I would like to delegate > testing of the diff below against plain -current to the community. > If some of you could test the diff below and report back to me I would > appreciate it. > You don't need to get numbers from wireshark for this if you don't want to. > Letting me know if Tx is faster or not and whether there are any perceived > regressions is sufficient. I tested your diff for the last two days and noticed a regression. After some time one of the two things happens: * Transfer rates drop to 0. Directly visible if I run tcpbench, indirectly if I cannot work with the network any longer. I waited for quite some time (> 10m) for something to happen; however, nothing changes. Then I restarted the interface. * My Thinkpad completely loses connection to my AP (Fritzbox) such that I have to take iwm0 down and run sh /etc/netstart iwm0. It happens when I work as usual (SSH, email, surfing, etc) and if I do nothing else than running tcpbench between the Thinkpad and an APU2 running 6.5. I run the diff with the following hardware on latest -current: iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless-AC 8265" rev 0x78, msi iwm0: hw rev 0x230, fw ver 22.361476.0, address 7c:2a:31:4d:1c:b9 Cheers Matthias
Re: upgt: use timeout_add_msec(9)
On Thu, Jun 13, 2019 at 11:23:55PM +0200, Klemens Nanni wrote: > > Same as with urtw(4) but a tad more obvious: > > /usr/include/dev/usb/if_upgtvar.h > 312:#define UPGT_LED_ACTION_TMP_DUR 100 /* ms */ > > OK? I don't have upgt(4), but it looks good to me. > Index: sys/dev/usb/if_upgt.c > === > RCS file: /cvs/src/sys/dev/usb/if_upgt.c,v > retrieving revision 1.83 > diff -u -p -r1.83 if_upgt.c > --- sys/dev/usb/if_upgt.c 25 Apr 2019 01:52:14 - 1.83 > +++ sys/dev/usb/if_upgt.c 13 Jun 2019 21:18:37 - > @@ -2014,7 +2014,6 @@ upgt_set_led(struct upgt_softc *sc, int > struct upgt_data *data_cmd = >cmd_data; > struct upgt_lmac_mem *mem; > struct upgt_lmac_led *led; > - struct timeval t; > int len; > > /* > @@ -2063,9 +2062,7 @@ upgt_set_led(struct upgt_softc *sc, int > led->action_tmp_dur = htole16(UPGT_LED_ACTION_TMP_DUR); > /* lock blink */ > sc->sc_led_blink = 1; > - t.tv_sec = 0; > - t.tv_usec = UPGT_LED_ACTION_TMP_DUR * 1000L; > - timeout_add(>led_to, tvtohz()); > + timeout_add_msec(>led_to, UPGT_LED_ACTION_TMP_DUR); > break; > default: > return; > >
Re: urtw: use timeout_add_msec(9)
On Thu, Jun 13, 2019 at 11:12:23PM +0200, Klemens Nanni wrote: > > Simple sleeps for 100ms that currently use a timeval to specify > milliseconds, convert them to Hz with tvtohz(9) so they can be converted > back by timeout_add(9) - we can do better by now. > > I lack appropriate hardware, but the diff is pretty safe imho. The fact > that the argument has never been zero and will never be with this diff > makes it safe for timeout_add_msec(9) to now always sleep for at least > one tick. > > Feedback? OK? Tested on: urtw0 at uhub0 port 4 configuration 1 interface 0 "Realtek RTL8187_Wireless" rev 2.00/1.00 addr 3 urtw0: RTL8187 rev 0x04, RFv2, address 00:40:0c:xx:xx:xx ok kevlo@
Re: [patch] use acme-client to sign certificates with ecdsa keys
On 6/12/19 2:30 PM, Renaud Allard wrote: On 6/11/19 2:36 PM, Sebastian Benoit wrote: Hi, some feedback below. Renaud: maybe wait for feedback from florian or gilles until acting on my comments, sometimes sending diffs too fast creates more work ;) /Benno As suggested by benno@ removal of the global variable removal of KEYTYPE which was not used and was a leftover of a former patch define ECDSA_KEY to be more readable Any comment or OK on my latest patch? smime.p7s Description: S/MIME Cryptographic Signature