Re: [patch] use acme-client to sign certificated with ecdsa keys

2019-06-14 Thread Gilles Chehade
On Fri, Jun 14, 2019 at 03:54:38PM +0200, Florian Obser wrote:
> On Fri, Jun 14, 2019 at 02:04:00PM +0200, Renaud Allard wrote:
> > 
> > 
> > On 6/14/19 1:58 PM, Florian Obser wrote:
> > > On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> > > > 
> > > > 
> > > > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > > > > 
> > > > > 
> > > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > some feedback below.
> > > > > > 
> > > > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > > > work ;)
> > > > > > 
> > > > > > /Benno
> > > > > > 
> > > > > 
> > > > > As suggested by benno@
> > > > > removal of the global variable
> > > > > removal of KEYTYPE which was not used and was a leftover of a former 
> > > > > patch
> > > > > define ECDSA_KEY to be more readable
> > > > > 
> > > > 
> > > > Any comment or OK on my latest patch?
> > > > 
> > > 
> > > I'd prefer to use enums like the rest of the code.
> > > 
> > 
> > Indeed, that seems even more explicit. I can't say an official OK, but
> > that's OK to me :)
> > 
> > 
> 
> 
> Bit more tweaking to the parse.y. This makes keytype reusable for the
> account key.
> 

yes makes sense


> Still looking for an official OK :)
> 
> I'll probably just put it in soon...
> 

ok gilles@ still :-)


> diff --git extern.h extern.h
> index 17c6aa54f18..f6293a371ad 100644
> --- extern.h
> +++ extern.h
> @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const 
> char *,
>   int, int, const char *const *, size_t);
>  int   fileproc(int, const char *, const char *, const char *,
>   const char *);
> -int   keyproc(int, const char *, const char **, size_t);
> +int   keyproc(int, const char *, const char **, size_t,
> + enum keytype);
>  int   netproc(int, int, int, int, int, int, int,
>   struct authority_c *, const char *const *,
>   size_t);
> @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const 
> char *, const char *);
>   */
>  int   verbose;
>  
> -/*
> - * Should we switch to ecdsa?
> - */
> -int  ecdsa;
> -
>  /*
>   * What component is the process within (COMP__MAX for none)?
>   */
> diff --git keyproc.c keyproc.c
> index 9c392a0f3f6..f9ce081457a 100644
> --- keyproc.c
> +++ keyproc.c
> @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char 
> *value)
>   * jail and, on success, ship it to "netsock" as an X509 request.
>   */
>  int
> -keyproc(int netsock, const char *keyfile,
> -const char **alts, size_t altsz)
> +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
> +enum keytype keytype)
>  {
>   char*der64 = NULL, *der = NULL, *dercp;
>   char*sans = NULL, *san = NULL;
> @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
>   }
>  
>   if (newkey) {
> - if (ecdsa) {
> + switch (keytype) {
> + case KT_ECDSA:
>   if ((pkey = ec_key_create(f, keyfile)) == NULL)
>   goto out;
>   dodbg("%s: generated ECDSA domain key", keyfile);
> - } else {
> + break;
> + case KT_RSA:
>   if ((pkey = rsa_key_create(f, keyfile)) == NULL)
>   goto out;
>   dodbg("%s: generated RSA domain key", keyfile);
> + break;
>   }
>   } else {
>   if ((pkey = key_load(f, keyfile)) == NULL)
> diff --git main.c main.c
> index ea8f7c5d348..d70a7048f47 100644
> --- main.c
> +++ main.c
> @@ -49,7 +49,6 @@ main(int argc, char *argv[])
>   int   popts = 0;
>   pid_t pids[COMP__MAX];
>   extern intverbose;
> - extern intecdsa;
>   extern enum comp  proccomp;
>   size_ti, altsz, ne;
>  
> @@ -148,10 +147,6 @@ main(int argc, char *argv[])
>   errx(EXIT_FAILURE, "authority %s not found", auth);
>   }
>  
> - if (domain->keytype == 1) {
> - ecdsa = 1;
> - }
> -
>   acctkey = authority->account;
>  
>   if ((chngdir = domain->challengedir) == NULL)
> @@ -258,7 +253,8 @@ main(int argc, char *argv[])
>   close(file_fds[0]);
>   close(file_fds[1]);
>   c = keyproc(key_fds[0], domain->key,
> - (const char **)alts, altsz);
> + (const char **)alts, altsz,
> + domain->keytype);
>   exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
>   }
>  
> diff --git parse.h parse.h
> index 78405590568..7f2d3ca546c 100644
> --- parse.h
> +++ parse.h
> @@ -27,6 +27,11 @@
>   * limit all paths to PATH_MAX
>   */
>  
> +enum keytype 

Re: [patch] use acme-client to sign certificated with ecdsa keys

2019-06-14 Thread Gilles Chehade
On Fri, Jun 14, 2019 at 01:58:58PM +0200, Florian Obser wrote:
> On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> > 
> > 
> > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > > 
> > > 
> > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > Hi,
> > > > 
> > > > some feedback below.
> > > > 
> > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > work ;)
> > > > 
> > > > /Benno
> > > > 
> > > 
> > > As suggested by benno@
> > > removal of the global variable
> > > removal of KEYTYPE which was not used and was a leftover of a former patch
> > > define ECDSA_KEY to be more readable
> > > 
> > 
> > Any comment or OK on my latest patch?
> > 
> 
> I'd prefer to use enums like the rest of the code.
> 

yes, ok gilles@


> diff --git extern.h extern.h
> index 17c6aa54f18..f6293a371ad 100644
> --- extern.h
> +++ extern.h
> @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const 
> char *,
>   int, int, const char *const *, size_t);
>  int   fileproc(int, const char *, const char *, const char *,
>   const char *);
> -int   keyproc(int, const char *, const char **, size_t);
> +int   keyproc(int, const char *, const char **, size_t,
> + enum keytype);
>  int   netproc(int, int, int, int, int, int, int,
>   struct authority_c *, const char *const *,
>   size_t);
> @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const 
> char *, const char *);
>   */
>  int   verbose;
>  
> -/*
> - * Should we switch to ecdsa?
> - */
> -int  ecdsa;
> -
>  /*
>   * What component is the process within (COMP__MAX for none)?
>   */
> diff --git keyproc.c keyproc.c
> index 9c392a0f3f6..f9ce081457a 100644
> --- keyproc.c
> +++ keyproc.c
> @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char 
> *value)
>   * jail and, on success, ship it to "netsock" as an X509 request.
>   */
>  int
> -keyproc(int netsock, const char *keyfile,
> -const char **alts, size_t altsz)
> +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
> +enum keytype keytype)
>  {
>   char*der64 = NULL, *der = NULL, *dercp;
>   char*sans = NULL, *san = NULL;
> @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
>   }
>  
>   if (newkey) {
> - if (ecdsa) {
> + switch (keytype) {
> + case KT_ECDSA:
>   if ((pkey = ec_key_create(f, keyfile)) == NULL)
>   goto out;
>   dodbg("%s: generated ECDSA domain key", keyfile);
> - } else {
> + break;
> + case KT_RSA:
>   if ((pkey = rsa_key_create(f, keyfile)) == NULL)
>   goto out;
>   dodbg("%s: generated RSA domain key", keyfile);
> + break;
>   }
>   } else {
>   if ((pkey = key_load(f, keyfile)) == NULL)
> diff --git main.c main.c
> index ea8f7c5d348..d70a7048f47 100644
> --- main.c
> +++ main.c
> @@ -49,7 +49,6 @@ main(int argc, char *argv[])
>   int   popts = 0;
>   pid_t pids[COMP__MAX];
>   extern intverbose;
> - extern intecdsa;
>   extern enum comp  proccomp;
>   size_ti, altsz, ne;
>  
> @@ -148,10 +147,6 @@ main(int argc, char *argv[])
>   errx(EXIT_FAILURE, "authority %s not found", auth);
>   }
>  
> - if (domain->keytype == 1) {
> - ecdsa = 1;
> - }
> -
>   acctkey = authority->account;
>  
>   if ((chngdir = domain->challengedir) == NULL)
> @@ -258,7 +253,8 @@ main(int argc, char *argv[])
>   close(file_fds[0]);
>   close(file_fds[1]);
>   c = keyproc(key_fds[0], domain->key,
> - (const char **)alts, altsz);
> + (const char **)alts, altsz,
> + domain->keytype);
>   exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
>   }
>  
> diff --git parse.h parse.h
> index 78405590568..7f2d3ca546c 100644
> --- parse.h
> +++ parse.h
> @@ -27,6 +27,11 @@
>   * limit all paths to PATH_MAX
>   */
>  
> +enum keytype {
> + KT_RSA = 0,
> + KT_ECDSA
> +};
> +
>  struct authority_c {
>   TAILQ_ENTRY(authority_c) entry;
>   char*name;
> @@ -36,9 +41,9 @@ struct authority_c {
>  
>  struct domain_c {
>   TAILQ_ENTRY(domain_c)entry;
> - TAILQ_HEAD(, altname_c) altname_list;
> - int altname_count;
> - int keytype;
> + TAILQ_HEAD(, altname_c)  altname_list;
> + int  altname_count;
> + enum keytype keytype;
>   char   

Re: ldpd(8): unveil(2) main proc / reduce pledge(2) on ldpe

2019-06-14 Thread Ricardo Mestre
ping?

On 12:33 Wed 22 May , Ricardo Mestre wrote:
> Hi,
> 
> Like we did on other daemons that cannot be pledged due to forbidden ioctls 
> the
> main process can be unveiled to restrict filesystem access. In this case we 
> can
> restrict it to only read, although it must be the entire / since the daemon is
> able to include config files from anywhere.
> 
> Additionally the ldpe process currently has cpath promise to unlink the 
> socket,
> nevertheless the socket is actually unlinked from the main proc so this
> permission can be removed. As we discussed before leaving the socket behind
> doesn't do any harm that's why I didn't unveil it in the main proc.
> 
> Comments? OK?
> 
> Index: ldpd.c
> ===
> RCS file: /cvs/src/usr.sbin/ldpd/ldpd.c,v
> retrieving revision 1.64
> diff -u -p -u -r1.64 ldpd.c
> --- ldpd.c31 Mar 2019 03:36:18 -  1.64
> +++ ldpd.c22 May 2019 11:09:33 -
> @@ -222,6 +222,11 @@ main(int argc, char *argv[])
>   pipe_parent2ldpe[1], debug, global.cmd_opts & LDPD_OPT_VERBOSE,
>   sockname);
>  
> + if (unveil("/", "r") == -1)
> + fatal("unveil");
> + if (unveil(NULL, NULL) == -1)
> + fatal("unveil");
> +
>   event_init();
>  
>   /* setup signal handler */
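Review bot: with "/" unveiled read-only and then locked with unveil(NULL, NULL), the main process's later unlink() of the control socket can no longer succeed. The cover text accepts the stale socket, but make sure that unlink's return value is not routed through fatal() or logged as an error at shutdown, and consider a one-line comment above the unveil calls recording that trade-off so the next reader does not mistake it for an oversight. Placement is right: the unveil sits after the ldpe/lde children have been started, so it only constrains the parent.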
> Index: ldpe.c
> ===
> RCS file: /cvs/src/usr.sbin/ldpd/ldpe.c,v
> retrieving revision 1.75
> diff -u -p -u -r1.75 ldpe.c
> --- ldpe.c23 Jan 2019 02:02:04 -  1.75
> +++ ldpe.c22 May 2019 11:09:33 -
> @@ -107,7 +107,7 @@ ldpe(int debug, int verbose, char *sockn
>   setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
>   fatal("can't drop privileges");
>  
> - if (pledge("stdio cpath inet mcast recvfd", NULL) == -1)
> + if (pledge("stdio inet mcast recvfd", NULL) == -1)
>   fatal("pledge");
>  
>   event_init();
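Review bot: dropping cpath is only safe if no code path in the ldpe process still reaches unlink(), mkdir() or rename(); under pledge a stray call now kills the process instead of failing. The cover text says the socket unlink happens in the main proc, so grep ldpe.c and the control-socket code for unlink before committing, and check the shutdown path in particular, since that is where a socket cleanup is most likely to have been left behind.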



Re: unveil(2) sysctl(8)

2019-06-14 Thread Ricardo Mestre
Hi,

Sorry to be late in the game, but as jca@ pointed out sysctl(8) tries to
open _PATH_DEVDB first and then /dev if it cannot open the former, so
both should be unveil(2)ed. Scramble the includes while at it.

Index: sysctl.c
===
RCS file: /cvs/src/sbin/sysctl/sysctl.c,v
retrieving revision 1.242
diff -u -p -u -r1.242 sysctl.c
--- sysctl.c13 May 2019 20:47:19 -  1.242
+++ sysctl.c14 Jun 2019 19:04:01 -
@@ -94,13 +94,14 @@
 #include 
 #include 
 
+#include 
 #include 
 #include 
+#include 
+#include 
 #include 
 #include 
 #include 
-#include 
-#include 
 #include 
 
 #include 
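Review bot: the include reshuffle in this hunk is unrelated to the unveil change and makes the review harder, since the reader has to check that every removed `#include` reappears above. Either split it into its own commit or say in the commit message that no header was added or dropped, only reordered.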
@@ -162,6 +163,8 @@ struct list secondlevel[] = {
 
 intAflag, aflag, nflag, qflag;
 
+time_t boottime;
+
 /*
  * Variables requiring special processing.
  */
@@ -255,6 +258,15 @@ main(int argc, char *argv[])
argc -= optind;
argv += optind;
 
+   ctime(); /* satisfy potential $TZ expansion before unveil() */
+
+   if (unveil(_PATH_DEVDB, "r") == -1)
+   err(1,"unveil");
+   if (unveil("/dev", "r") == -1)
+   err(1, "unveil");
+   if (unveil(NULL, NULL) == -1)
+   err(1, "unveil");
+
if (argc == 0 || (Aflag || aflag)) {
debuginit();
vfsinit();
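Review bot: `err(1,"unveil")` on the _PATH_DEVDB line is missing the space after the comma that the two following err() calls have. The `ctime()` priming call deliberately formats the file-scope `boottime` while it is still zero; the comment says why the call is there but not that the value is irrelevant, so extend it to "value unused, only forces the $TZ/zoneinfo open before unveil()". Also confirm on a system without dev.db that the first unveil() still succeeds (unveil only needs the parent directory to exist) so that the /dev fallback is actually reachable after the unveil(NULL, NULL) lock.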
@@ -893,7 +905,6 @@ parse(char *string, int flags)
}
if (special & BOOTTIME) {
struct timeval *btp = (struct timeval *)buf;
-   time_t boottime;
 
if (!nflag) {
boottime = btp->tv_sec;

On 10:35 Sat 08 Jun , Theo de Raadt wrote:
> When userland was massaged for pledge(), I hesitated using the
> "manually call tzset()" approach for handling things.  It felt
> too low-level to call tzset(), an API almost noone knows the
> existance of.
> 
> Arriving in the same situation to satisfy unveil().  Again calling
> tzset() feels too unfamiliar and low level.
> 
> Regarding the comment in your diff, it says "localtime", but what is
> actually called is ctime(), which calls localtime() (which calls
> tzset(), which is where the unveil-files-missing or pledge-whatver
> issues would show up in some programs).  Probably should adjust
> the comment
> 
> Here's the later troublesome chunk:
> 
> if (special & BOOTTIME) {
> struct timeval *btp = (struct timeval *)buf;
> time_t boottime;
> 
> if (!nflag) {
> boottime = btp->tv_sec;
> (void)printf("%s%s%s", string, equ, ctime());
> 
> That makes me wonder, can we be less obtuse up front, and
> prime the subsystem before unveil by calling the same function which
> will be called later?
> 
> Something like this.  It feels slightly better to me.
> 
> Index: sysctl.c
> ===
> RCS file: /cvs/src/sbin/sysctl/sysctl.c,v
> retrieving revision 1.242
> diff -u -p -u -r1.242 sysctl.c
> --- sysctl.c  13 May 2019 20:47:19 -  1.242
> +++ sysctl.c  8 Jun 2019 16:33:07 -
> @@ -162,6 +162,8 @@ struct list secondlevel[] = {
>  
>  int  Aflag, aflag, nflag, qflag;
>  
> +time_t boottime;
> +
>  /*
>   * Variables requiring special processing.
>   */
> @@ -255,6 +257,12 @@ main(int argc, char *argv[])
>   argc -= optind;
>   argv += optind;
>  
> + ctime(); /* satisfy potential $TZ expansion before unveil() */
> +
> + if (unveil("/dev", "r") == -1)
> + err(1, "unveil");
> + if (unveil(NULL, NULL) == -1)
> + err(1, "unveil");
>   if (argc == 0 || (Aflag || aflag)) {
>   debuginit();
>   vfsinit();
> @@ -893,7 +901,6 @@ parse(char *string, int flags)
>   }
>   if (special & BOOTTIME) {
>   struct timeval *btp = (struct timeval *)buf;
> - time_t boottime;
>  
>   if (!nflag) {
>   boottime = btp->tv_sec;
> 
> 
> 
> 
> 
> Florian Obser  wrote:
> 
> > On Fri, Jun 07, 2019 at 11:24:30PM +0100, Ricardo Mestre wrote:
> > > i did that and for some for reason i didn't get it! it tries to open
> > > timezone so it kinda looks like a red flag right there...
> > > 
> > > apart from /dev do we need to look into TZ on this one as well? if TZ
> > > var needs to be looked at then all bets are off :/
> > 
> > this seems to do the right thing:
> > 
> > diff --git sysctl.c sysctl.c
> > index dc6abc16670..c74e706942a 100644
> > --- sysctl.c
> > +++ sysctl.c
> > @@ -255,6 +255,13 @@ main(int argc, char *argv[])
> > argc -= optind;
> > argv += optind;
> >  
> > +   tzset(); /* for kern.boottime in localtime */
> > +
> > +   if (unveil("/dev", "r") == -1)
> > +   err(1, "unveil");
> > +   if (unveil(NULL, NULL) == -1)
> > +   err(1, "unveil");
> > +
> > if (argc == 0 || (Aflag || aflag)) {
> > debuginit();
> > vfsinit();
> > 
> > 

Re: [patch] use acme-client to sign certificated with ecdsa keys

2019-06-14 Thread Sebastian Benoit



ok

Florian Obser(flor...@openbsd.org) on 2019.06.14 13:58:58 +0200:
> On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> > 
> > 
> > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > > 
> > > 
> > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > Hi,
> > > > 
> > > > some feedback below.
> > > > 
> > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > work ;)
> > > > 
> > > > /Benno
> > > > 
> > > 
> > > As suggested by benno@
> > > removal of the global variable
> > > removal of KEYTYPE which was not used and was a leftover of a former patch
> > > define ECDSA_KEY to be more readable
> > > 
> > 
> > Any comment or OK on my latest patch?
> > 
> 
> I'd prefer to use enums like the rest of the code.
> 
> 
> diff --git extern.h extern.h
> index 17c6aa54f18..f6293a371ad 100644
> --- extern.h
> +++ extern.h
> @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const 
> char *,
>   int, int, const char *const *, size_t);
>  int   fileproc(int, const char *, const char *, const char *,
>   const char *);
> -int   keyproc(int, const char *, const char **, size_t);
> +int   keyproc(int, const char *, const char **, size_t,
> + enum keytype);
>  int   netproc(int, int, int, int, int, int, int,
>   struct authority_c *, const char *const *,
>   size_t);
> @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const 
> char *, const char *);
>   */
>  int   verbose;
>  
> -/*
> - * Should we switch to ecdsa?
> - */
> -int  ecdsa;
> -
>  /*
>   * What component is the process within (COMP__MAX for none)?
>   */
> diff --git keyproc.c keyproc.c
> index 9c392a0f3f6..f9ce081457a 100644
> --- keyproc.c
> +++ keyproc.c
> @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char 
> *value)
>   * jail and, on success, ship it to "netsock" as an X509 request.
>   */
>  int
> -keyproc(int netsock, const char *keyfile,
> -const char **alts, size_t altsz)
> +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
> +enum keytype keytype)
>  {
>   char*der64 = NULL, *der = NULL, *dercp;
>   char*sans = NULL, *san = NULL;
> @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
>   }
>  
>   if (newkey) {
> - if (ecdsa) {
> + switch (keytype) {
> + case KT_ECDSA:
>   if ((pkey = ec_key_create(f, keyfile)) == NULL)
>   goto out;
>   dodbg("%s: generated ECDSA domain key", keyfile);
> - } else {
> + break;
> + case KT_RSA:
>   if ((pkey = rsa_key_create(f, keyfile)) == NULL)
>   goto out;
>   dodbg("%s: generated RSA domain key", keyfile);
> + break;
>   }
>   } else {
>   if ((pkey = key_load(f, keyfile)) == NULL)
> diff --git main.c main.c
> index ea8f7c5d348..d70a7048f47 100644
> --- main.c
> +++ main.c
> @@ -49,7 +49,6 @@ main(int argc, char *argv[])
>   int   popts = 0;
>   pid_t pids[COMP__MAX];
>   extern intverbose;
> - extern intecdsa;
>   extern enum comp  proccomp;
>   size_ti, altsz, ne;
>  
> @@ -148,10 +147,6 @@ main(int argc, char *argv[])
>   errx(EXIT_FAILURE, "authority %s not found", auth);
>   }
>  
> - if (domain->keytype == 1) {
> - ecdsa = 1;
> - }
> -
>   acctkey = authority->account;
>  
>   if ((chngdir = domain->challengedir) == NULL)
> @@ -258,7 +253,8 @@ main(int argc, char *argv[])
>   close(file_fds[0]);
>   close(file_fds[1]);
>   c = keyproc(key_fds[0], domain->key,
> - (const char **)alts, altsz);
> + (const char **)alts, altsz,
> + domain->keytype);
>   exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
>   }
>  
> diff --git parse.h parse.h
> index 78405590568..7f2d3ca546c 100644
> --- parse.h
> +++ parse.h
> @@ -27,6 +27,11 @@
>   * limit all paths to PATH_MAX
>   */
>  
> +enum keytype {
> + KT_RSA = 0,
> + KT_ECDSA
> +};
> +
>  struct authority_c {
>   TAILQ_ENTRY(authority_c) entry;
>   char*name;
> @@ -36,9 +41,9 @@ struct authority_c {
>  
>  struct domain_c {
>   TAILQ_ENTRY(domain_c)entry;
> - TAILQ_HEAD(, altname_c) altname_list;
> - int altname_count;
> - int keytype;
> + TAILQ_HEAD(, altname_c)  altname_list;
> + int  altname_count;
> + enum keytype keytype;
>   char

Re: net80211: more steady Tx rate with MiRa (please test)

2019-06-14 Thread Matthias Schmidt
Hi,

* Stefan Sperling wrote:
> On Fri, Jun 14, 2019 at 01:01:58PM +0200, Matthias Schmidt wrote:
> > Hi Stefan,
> > 
> > * Stefan Sperling wrote:
> > > 
> > > Since I am knee-deep in Tx aggregation right now, I would like to delegate
> > > testing of the diff below against plain -current to the community.
> > > If some of you could test the diff below and report back to me I would
> > > appreciate it.
> > > You don't need to get numbers from wireshark for this if you don't want 
> > > to.
> > > Letting me know if Tx is faster or not and whether there are any perceived
> > > regressions is sufficient.
> > 
> > I tested your diff for the last two days and noticed a regression
> > After some time one of the two things happens:
> 
> Are you sure these problem are introduced by this diff?
> I am quite certain that these symptoms must be unrelated.

The first problem also shows up without your diff, however, the
reconnect happens a lot faster.  I will spend some more time testing.

Cheers

Matthias



Re: [patch] use acme-client to sign certificated with ecdsa keys

2019-06-14 Thread Florian Obser
On Fri, Jun 14, 2019 at 02:04:00PM +0200, Renaud Allard wrote:
> 
> 
> On 6/14/19 1:58 PM, Florian Obser wrote:
> > On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> > > 
> > > 
> > > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > > > 
> > > > 
> > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > > Hi,
> > > > > 
> > > > > some feedback below.
> > > > > 
> > > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > > work ;)
> > > > > 
> > > > > /Benno
> > > > > 
> > > > 
> > > > As suggested by benno@
> > > > removal of the global variable
> > > > removal of KEYTYPE which was not used and was a leftover of a former 
> > > > patch
> > > > define ECDSA_KEY to be more readable
> > > > 
> > > 
> > > Any comment or OK on my latest patch?
> > > 
> > 
> > I'd prefer to use enums like the rest of the code.
> > 
> 
> Indeed, that seems even more explicit. I can't say an official OK, but
> that's OK to me :)
> 
> 


Bit more tweaking to the parse.y. This makes keytype reusable for the
account key.

Still looking for an official OK :)

I'll probably just put it in soon...

diff --git extern.h extern.h
index 17c6aa54f18..f6293a371ad 100644
--- extern.h
+++ extern.h
@@ -207,7 +207,8 @@ int  revokeproc(int, const char *, const char *,
int, int, const char *const *, size_t);
 int fileproc(int, const char *, const char *, const char *,
const char *);
-int keyproc(int, const char *, const char **, size_t);
+int keyproc(int, const char *, const char **, size_t,
+   enum keytype);
 int netproc(int, int, int, int, int, int, int,
struct authority_c *, const char *const *,
size_t);
@@ -275,11 +276,6 @@ char   *json_fmt_signed(const char *, const 
char *, const char *);
  */
 int verbose;
 
-/*
- * Should we switch to ecdsa?
- */
-intecdsa;
-
 /*
  * What component is the process within (COMP__MAX for none)?
  */
diff --git keyproc.c keyproc.c
index 9c392a0f3f6..f9ce081457a 100644
--- keyproc.c
+++ keyproc.c
@@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char 
*value)
  * jail and, on success, ship it to "netsock" as an X509 request.
  */
 int
-keyproc(int netsock, const char *keyfile,
-const char **alts, size_t altsz)
+keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
+enum keytype keytype)
 {
char*der64 = NULL, *der = NULL, *dercp;
char*sans = NULL, *san = NULL;
@@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
}
 
if (newkey) {
-   if (ecdsa) {
+   switch (keytype) {
+   case KT_ECDSA:
if ((pkey = ec_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated ECDSA domain key", keyfile);
-   } else {
+   break;
+   case KT_RSA:
if ((pkey = rsa_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated RSA domain key", keyfile);
+   break;
}
} else {
if ((pkey = key_load(f, keyfile)) == NULL)
diff --git main.c main.c
index ea8f7c5d348..d70a7048f47 100644
--- main.c
+++ main.c
@@ -49,7 +49,6 @@ main(int argc, char *argv[])
int   popts = 0;
pid_t pids[COMP__MAX];
extern intverbose;
-   extern intecdsa;
extern enum comp  proccomp;
size_ti, altsz, ne;
 
@@ -148,10 +147,6 @@ main(int argc, char *argv[])
errx(EXIT_FAILURE, "authority %s not found", auth);
}
 
-   if (domain->keytype == 1) {
-   ecdsa = 1;
-   }
-
acctkey = authority->account;
 
if ((chngdir = domain->challengedir) == NULL)
@@ -258,7 +253,8 @@ main(int argc, char *argv[])
close(file_fds[0]);
close(file_fds[1]);
c = keyproc(key_fds[0], domain->key,
-   (const char **)alts, altsz);
+   (const char **)alts, altsz,
+   domain->keytype);
exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
}
 
diff --git parse.h parse.h
index 78405590568..7f2d3ca546c 100644
--- parse.h
+++ parse.h
@@ -27,6 +27,11 @@
  * limit all paths to PATH_MAX
  */
 
+enum keytype {
+   KT_RSA = 0,
+   KT_ECDSA
+};
+
 struct authority_c {
TAILQ_ENTRY(authority_c) entry;
char*name;
@@ -36,9 +41,9 @@ struct authority_c {
 
 struct domain_c {
TAILQ_ENTRY(domain_c)entry;
-   TAILQ_HEAD(, altname_c) altname_list;
-   int 

Re: net80211: more steady Tx rate with MiRa (please test)

2019-06-14 Thread Stefan Sperling
On Fri, Jun 14, 2019 at 01:01:58PM +0200, Matthias Schmidt wrote:
> Hi Stefan,
> 
> * Stefan Sperling wrote:
> > 
> > Since I am knee-deep in Tx aggregation right now, I would like to delegate
> > testing of the diff below against plain -current to the community.
> > If some of you could test the diff below and report back to me I would
> > appreciate it.
> > You don't need to get numbers from wireshark for this if you don't want to.
> > Letting me know if Tx is faster or not and whether there are any perceived
> > regressions is sufficient.
> 
> I tested your diff for the last two days and noticed a regression
> After some time one of the two things happens:

Are you sure these problem are introduced by this diff?
I am quite certain that these symptoms must be unrelated.

> * Transfer rates drop to 0.  Directly visible if I run tcpbench,
>   indirectly if I cannot work with the Network any longer.  I waited
>   for quite some time (> 10m) for something to happened, however, nothing
>   changes.  Then I restarted the interface.
> * My Thinkpad completely looses connection to my AP (Fritzbox) such that
>   I have to take iwm0 down and run sh /etc/netstart iwm0.
> 
> It happens when I work as usual (SSH, email, surfing, etc) and if I do
> nothing else then running tcpbench between the Thinkpad and a APU2
> running 6.5.
> 
> I run the diff with the following hardware on latest -current:
> 
> iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless-AC 8265" rev 0x78, msi
> iwm0: hw rev 0x230, fw ver 22.361476.0, address 7c:2a:31:4d:1c:b9
> 
> Cheers
> 
>   Matthias
> 



Re: [patch] use acme-client to sign certificated with ecdsa keys

2019-06-14 Thread Renaud Allard



On 6/14/19 1:58 PM, Florian Obser wrote:
> On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> > 
> > 
> > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > > 
> > > 
> > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > Hi,
> > > > 
> > > > some feedback below.
> > > > 
> > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > work ;)
> > > > 
> > > > /Benno
> > > > 
> > > 
> > > As suggested by benno@
> > > removal of the global variable
> > > removal of KEYTYPE which was not used and was a leftover of a former patch
> > > define ECDSA_KEY to be more readable
> > > 
> > 
> > Any comment or OK on my latest patch?
> > 
> 
> I'd prefer to use enums like the rest of the code.
> 

Indeed, that seems even more explicit. I can't say an official OK, but
that's OK to me :)




Re: [patch] use acme-client to sign certificated with ecdsa keys

2019-06-14 Thread Florian Obser
On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> 
> 
> On 6/12/19 2:30 PM, Renaud Allard wrote:
> > 
> > 
> > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > Hi,
> > > 
> > > some feedback below.
> > > 
> > > Renaud: maybe wait for feedback from florian or gilles until
> > > acting on my comments, sometimes sending diffs to fast creates more
> > > work ;)
> > > 
> > > /Benno
> > > 
> > 
> > As suggested by benno@
> > removal of the global variable
> > removal of KEYTYPE which was not used and was a leftover of a former patch
> > define ECDSA_KEY to be more readable
> > 
> 
> Any comment or OK on my latest patch?
> 

I'd prefer to use enums like the rest of the code.


diff --git extern.h extern.h
index 17c6aa54f18..f6293a371ad 100644
--- extern.h
+++ extern.h
@@ -207,7 +207,8 @@ int  revokeproc(int, const char *, const char *,
int, int, const char *const *, size_t);
 int fileproc(int, const char *, const char *, const char *,
const char *);
-int keyproc(int, const char *, const char **, size_t);
+int keyproc(int, const char *, const char **, size_t,
+   enum keytype);
 int netproc(int, int, int, int, int, int, int,
struct authority_c *, const char *const *,
size_t);
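Review bot: the new keyproc prototype names `enum keytype`, which is declared in parse.h. If extern.h does not itself include parse.h, every file that includes extern.h first must already have parse.h in scope; otherwise an `enum keytype` that first appears inside a parameter list is a separate incomplete type local to that prototype, and it will not match the definition in keyproc.c. Either add the include to extern.h or state in the commit message why the include order is already guaranteed.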
@@ -275,11 +276,6 @@ char   *json_fmt_signed(const char *, const 
char *, const char *);
  */
 int verbose;
 
-/*
- * Should we switch to ecdsa?
- */
-intecdsa;
-
 /*
  * What component is the process within (COMP__MAX for none)?
  */
diff --git keyproc.c keyproc.c
index 9c392a0f3f6..f9ce081457a 100644
--- keyproc.c
+++ keyproc.c
@@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char 
*value)
  * jail and, on success, ship it to "netsock" as an X509 request.
  */
 int
-keyproc(int netsock, const char *keyfile,
-const char **alts, size_t altsz)
+keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
+enum keytype keytype)
 {
char*der64 = NULL, *der = NULL, *dercp;
char*sans = NULL, *san = NULL;
@@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
}
 
if (newkey) {
-   if (ecdsa) {
+   switch (keytype) {
+   case KT_ECDSA:
if ((pkey = ec_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated ECDSA domain key", keyfile);
-   } else {
+   break;
+   case KT_RSA:
if ((pkey = rsa_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated RSA domain key", keyfile);
+   break;
}
} else {
if ((pkey = key_load(f, keyfile)) == NULL)
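Review bot: the new `switch (keytype)` has no `default:` case. Both enumerators are handled today, but if `keytype` ever holds a value outside the enum (an uninitialised field, or a future enumerator added to parse.h without updating this switch), `pkey` stays NULL and execution continues past the switch as if a key had been generated. Add `default: warnx("%s: unknown key type", keyfile); goto out;` so the failure is explicit, and so -Wswitch keeps flagging any enumerator added later.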
diff --git main.c main.c
index ea8f7c5d348..d70a7048f47 100644
--- main.c
+++ main.c
@@ -49,7 +49,6 @@ main(int argc, char *argv[])
int   popts = 0;
pid_t pids[COMP__MAX];
extern intverbose;
-   extern intecdsa;
extern enum comp  proccomp;
size_ti, altsz, ne;
 
@@ -148,10 +147,6 @@ main(int argc, char *argv[])
errx(EXIT_FAILURE, "authority %s not found", auth);
}
 
-   if (domain->keytype == 1) {
-   ecdsa = 1;
-   }
-
acctkey = authority->account;
 
if ((chngdir = domain->challengedir) == NULL)
@@ -258,7 +253,8 @@ main(int argc, char *argv[])
close(file_fds[0]);
close(file_fds[1]);
c = keyproc(key_fds[0], domain->key,
-   (const char **)alts, altsz);
+   (const char **)alts, altsz,
+   domain->keytype);
exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
}
 
diff --git parse.h parse.h
index 78405590568..7f2d3ca546c 100644
--- parse.h
+++ parse.h
@@ -27,6 +27,11 @@
  * limit all paths to PATH_MAX
  */
 
+enum keytype {
+   KT_RSA = 0,
+   KT_ECDSA
+};
+
 struct authority_c {
TAILQ_ENTRY(authority_c) entry;
char*name;
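Review bot: `KT_RSA = 0` is doing quiet work here: a `struct domain_c` that is zero-initialised and never assigned a key type in parse.y will come out as RSA. That is the intended default, but nothing in the header says so; a short comment on the enum ("KT_RSA must stay 0: it is the default for a domain block without a key type") prevents someone reordering the enumerators later.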
@@ -36,9 +41,9 @@ struct authority_c {
 
 struct domain_c {
TAILQ_ENTRY(domain_c)entry;
-   TAILQ_HEAD(, altname_c) altname_list;
-   int altname_count;
-   int keytype;
+   TAILQ_HEAD(, altname_c)  altname_list;
+   int  altname_count;
+   enum keytype keytype;
char*domain;
char*key;
char*cert;
diff --git parse.y parse.y
index 994492706bb..0b68a35fb73 100644
--- parse.y
+++ parse.y
@@ -100,7 +100,7 @@ typedef struct {
 %}
 
 %token AUTHORITY URL API ACCOUNT

Re: dwiic: add apollo lake support

2019-06-14 Thread Jonathan Gray
On Mon, Jun 10, 2019 at 11:54:55PM -0400, James Hastings wrote:
> Add support for Apollo Lake I2C at pci bus.
> Include two PCIE devs while we are here.

Committed without the pci renumbering as the additional ids are "PCIe-B"
in the datasheet the old ones are "PCIe-A".

The aplgpio and sdhc diffs you've sent are broken due to wrapped lines.

> 
> 
> Index: sys/dev/pci/dwiic_pci.c
> ===
> RCS file: /cvs/src/sys/dev/pci/dwiic_pci.c,v
> retrieving revision 1.5
> diff -u -p -u -r1.5 dwiic_pci.c
> --- sys/dev/pci/dwiic_pci.c   16 May 2019 01:14:08 -  1.5
> +++ sys/dev/pci/dwiic_pci.c   11 Jun 2019 01:31:03 -
> @@ -70,6 +70,14 @@ const struct pci_matchid dwiic_pci_ids[]
>   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_300SERIES_U_I2C_4 },
>   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_300SERIES_U_I2C_5 },
>   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_300SERIES_U_I2C_6 },
> + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_1 },
> + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_2 },
> + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_3 },
> + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_4 },
> + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_5 },
> + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_6 },
> + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_7 },
> + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_8 },
>  };
> 
>  int
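Review bot: the eight new `PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_2` .. `_I2C_8` entries in `dwiic_pci_ids[]` depend on the matching defines existing in pcidevs.h, so this file must land together with (or after) the pcidevs regeneration or the driver will not compile; the naming follows the existing `_I2C_1` entry just above.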
> Index: sys/dev/pci/pcidevs
> ===
> RCS file: /cvs/src/sys/dev/pci/pcidevs,v
> retrieving revision 1.1889
> diff -u -p -u -r1.1889 pcidevs
> --- sys/dev/pci/pcidevs   10 May 2019 15:28:45 -  1.1889
> +++ sys/dev/pci/pcidevs   11 Jun 2019 01:31:03 -
> @@ -4951,6 +4951,13 @@ product INTEL APOLLOLAKE_HDA   0x5a98  Apol
>  product INTEL APOLLOLAKE_TXE 0x5a9a  Apollo Lake TXE
>  product INTEL APOLLOLAKE_XHCI0x5aa8  Apollo Lake xHCI
>  product INTEL APOLLOLAKE_I2C_1   0x5aac  Apollo Lake I2C
> +product INTEL APOLLOLAKE_I2C_2   0x5aae  Apollo Lake I2C
> +product INTEL APOLLOLAKE_I2C_3   0x5ab0  Apollo Lake I2C
> +product INTEL APOLLOLAKE_I2C_4   0x5ab2  Apollo Lake I2C
> +product INTEL APOLLOLAKE_I2C_5   0x5ab4  Apollo Lake I2C
> +product INTEL APOLLOLAKE_I2C_6   0x5ab6  Apollo Lake I2C
> +product INTEL APOLLOLAKE_I2C_7   0x5ab8  Apollo Lake I2C
> +product INTEL APOLLOLAKE_I2C_8   0x5aba  Apollo Lake I2C
>  product INTEL APOLLOLAKE_UART_1  0x5abc  Apollo Lake HSUART
>  product INTEL APOLLOLAKE_SPI_1   0x5ac2  Apollo Lake SPI
>  product INTEL APOLLOLAKE_SPI_2   0x5ac4  Apollo Lake SPI
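Review bot: all seven new entries carry the same description string `Apollo Lake I2C` as the existing `_I2C_1` line, so dmesg will only distinguish the controllers by their PCI address, not by name; that is consistent with the neighbouring entries, and the ids 0x5aae..0x5aba continue 0x5aac in steps of two, so the values themselves look right.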
> @@ -4959,9 +4966,11 @@ product INTEL APOLLOLAKE_SDMMC 0x5aca  Ap
>  product INTEL APOLLOLAKE_EMMC0x5acc  Apollo Lake eMMC
>  product INTEL APOLLOLAKE_SDIO0x5ad0  Apollo Lake SDIO
>  product INTEL APOLLOLAKE_SMB 0x5ad4  Apollo Lake SMBus
> -product INTEL APOLLOLAKE_PCIE_1  0x5ad8  Apollo Lake PCIE
> -product INTEL APOLLOLAKE_PCIE_2  0x5ad9  Apollo Lake PCIE
> -product INTEL APOLLOLAKE_PCIE_3  0x5ada  Apollo Lake PCIE
> +product INTEL APOLLOLAKE_PCIE_1  0x5ad6  Apollo Lake PCIE
> +product INTEL APOLLOLAKE_PCIE_2  0x5ad7  Apollo Lake PCIE
> +product INTEL APOLLOLAKE_PCIE_3  0x5ad8  Apollo Lake PCIE
> +product INTEL APOLLOLAKE_PCIE_4  0x5ad9  Apollo Lake PCIE
> +product INTEL APOLLOLAKE_PCIE_5  0x5ada  Apollo Lake PCIE
>  product INTEL APOLLOLAKE_AHCI0x5ae3  Apollo Lake AHCI
>  product INTEL APOLLOLAKE_LPC 0x5ae8  Apollo Lake LPC
>  product INTEL APOLLOLAKE_HB  0x5af0  Apollo Lake Host
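Review bot: renaming the existing `APOLLOLAKE_PCIE_1`..`_PCIE_3` defines onto different device ids (0x5ad8 becomes `_PCIE_3`, 0x5ad9 `_PCIE_4`, 0x5ada `_PCIE_5`) changes what those identifiers mean for any code that already references them; add the two new 0x5ad6/0x5ad7 devices under new names and keep the existing numbering, which is what the reply above did when committing without the renumbering.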
> Index: sys/dev/pci/pcidevs.h
> ===
> RCS file: /cvs/src/sys/dev/pci/pcidevs.h,v
> retrieving revision 1.1882
> diff -u -p -u -r1.1882 pcidevs.h
> --- sys/dev/pci/pcidevs.h 10 May 2019 15:29:17 -  1.1882
> +++ sys/dev/pci/pcidevs.h 11 Jun 2019 01:31:04 -
> @@ -4956,6 +4956,13 @@
>  #define  PCI_PRODUCT_INTEL_APOLLOLAKE_TXE0x5a9a  /* 
> Apollo Lake TXE */
>  #define  PCI_PRODUCT_INTEL_APOLLOLAKE_XHCI   0x5aa8  /* 
> Apollo Lake xHCI */
>  #define  PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_1  0x5aac  /* 
> Apollo Lake I2C */
> +#define  PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_2  0x5aae  /* 
> Apollo Lake I2C */
> +#define  PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_3  0x5ab0  /* 
> Apollo Lake I2C */
> +#define  PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_4  0x5ab2  /* 
> Apollo Lake I2C */
> +#define  PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_5  0x5ab4  /* 
> Apollo Lake I2C */
> +#define  PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_6  0x5ab6  /* 
> Apollo Lake I2C */
> +#define  PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_7  0x5ab8  /* 
> Apollo Lake I2C */
> +#define  PCI_PRODUCT_INTEL_APOLLOLAKE_I2C_8  0x5aba  /* 
> 
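Review bot: this hunk will not apply as sent: the mailer has wrapped each `#define` so its `/* Apollo Lake ... */` comment continues on the following `> ` line, and the hunk stops mid-comment after the `_I2C_8` line; since pcidevs.h is regenerated from pcidevs, only the pcidevs hunk needs to be resent, which also avoids the wrapping problem the reply above mentions for the other diffs.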

Re: net80211: more steady Tx rate with MiRa (please test)

2019-06-14 Thread Matthias Schmidt
Hi Stefan,

* Stefan Sperling wrote:
> 
> Since I am knee-deep in Tx aggregation right now, I would like to delegate
> testing of the diff below against plain -current to the community.
> If some of you could test the diff below and report back to me I would
> appreciate it.
> You don't need to get numbers from wireshark for this if you don't want to.
> Letting me know if Tx is faster or not and whether there are any perceived
> regressions is sufficient.

I tested your diff for the last two days and noticed a regression.
After some time, one of two things happens:

* Transfer rates drop to 0.  Directly visible if I run tcpbench,
  indirectly if I cannot work with the network any longer.  I waited
  for quite some time (> 10m) for something to happen; however, nothing
  changes.  Then I restarted the interface.
* My Thinkpad completely loses connection to my AP (Fritzbox) such that
  I have to take iwm0 down and run sh /etc/netstart iwm0.

It happens when I work as usual (SSH, email, surfing, etc.) and if I do
nothing else than running tcpbench between the Thinkpad and an APU2
running 6.5.

I run the diff with the following hardware on latest -current:

iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless-AC 8265" rev 0x78, msi
iwm0: hw rev 0x230, fw ver 22.361476.0, address 7c:2a:31:4d:1c:b9

Cheers

Matthias



Re: upgt: use timeout_add_msec(9)

2019-06-14 Thread Kevin Lo
On Thu, Jun 13, 2019 at 11:23:55PM +0200, Klemens Nanni wrote:
> 
> Same as with urtw(4) but a tad more obvious:
> 
> /usr/include/dev/usb/if_upgtvar.h
> 312:#define UPGT_LED_ACTION_TMP_DUR 100 /* ms */
> 
> OK?

I don't have upgt(4), but it looks good to me.

> Index: sys/dev/usb/if_upgt.c
> ===
> RCS file: /cvs/src/sys/dev/usb/if_upgt.c,v
> retrieving revision 1.83
> diff -u -p -r1.83 if_upgt.c
> --- sys/dev/usb/if_upgt.c 25 Apr 2019 01:52:14 -  1.83
> +++ sys/dev/usb/if_upgt.c 13 Jun 2019 21:18:37 -
> @@ -2014,7 +2014,6 @@ upgt_set_led(struct upgt_softc *sc, int 
>   struct upgt_data *data_cmd = >cmd_data;
>   struct upgt_lmac_mem *mem;
>   struct upgt_lmac_led *led;
> - struct timeval t;
>   int len;
>  
>   /*
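Review bot: dropping `struct timeval t;` here is the right cleanup, because the only use of `t` is the `tvtohz()` argument removed in the next hunk; leaving the declaration would trigger an unused-variable warning once that call is gone.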
> @@ -2063,9 +2062,7 @@ upgt_set_led(struct upgt_softc *sc, int 
>   led->action_tmp_dur = htole16(UPGT_LED_ACTION_TMP_DUR);
>   /* lock blink */
>   sc->sc_led_blink = 1;
> - t.tv_sec = 0;
> - t.tv_usec = UPGT_LED_ACTION_TMP_DUR * 1000L;
> - timeout_add(>led_to, tvtohz());
> + timeout_add_msec(>led_to, UPGT_LED_ACTION_TMP_DUR);
>   break;
>   default:
>   return;
> 
> 
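Review bot: the replacement `timeout_add_msec(..., UPGT_LED_ACTION_TMP_DUR)` expresses the same 100 ms delay (per the quoted `UPGT_LED_ACTION_TMP_DUR 100 /* ms */` line) that the removed `t.tv_usec = UPGT_LED_ACTION_TMP_DUR * 1000L` spelled out in microseconds, so behaviour is preserved; one caveat for anyone applying from this archived copy is that the `&` before `sc->led_to` and `sc->cmd_data`, and the argument of `tvtohz()`, have been stripped in the quoting (`>led_to`, `>cmd_data`, `tvtohz()`), so take the patch from the original mail.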



Re: urtw: use timeout_add_msec(9)

2019-06-14 Thread Kevin Lo
On Thu, Jun 13, 2019 at 11:12:23PM +0200, Klemens Nanni wrote:
> 
> Simple sleeps for 100ms that currently use a timeval to specify
> milliseconds, convert them to Hz with tvtohz(9) so they can be converted
> back by timeout_add(9) - we can do better by now.
> 
> I lack appropriate hardware, but the diff is pretty safe imho.  The fact
> that the argument has never been zero and will never be with this diff
> makes it safe for timeout_add_msec(9) to now always sleep for at least
> one tick.
> 
> Feedback? OK?

Tested on:
urtw0 at uhub0 port 4 configuration 1 interface 0 "Realtek RTL8187_Wireless" rev 2.00/1.00 addr 3
urtw0: RTL8187 rev 0x04, RFv2, address 00:40:0c:xx:xx:xx

ok kevlo@
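The conversion that the urtw(4) and upgt(4) diffs above move from a timeval plus tvtohz(9) to timeout_add_msec(9), modelled in user space as an added example. This is not code from the page or from the OpenBSD tree: MODEL_HZ, model_tvtohz(), model_msec_to_ticks() and legacy_ticks_for_msec() are assumed names with simplified arithmetic, not the kernel's implementation. It shows where the two paths can diverge in this model (delays that are not a whole number of ticks) and the at-least-one-tick guard that keeps a short positive delay from collapsing to zero ticks, which is the property the thread relies on for its 100 ms constant.

```c
/*
 * Added example (not code from the page or the OpenBSD tree): a small
 * user-space model of turning a millisecond delay into scheduler ticks.
 * MODEL_HZ and the helpers below are assumptions for illustration; they
 * are not the kernel's tvtohz(9) or timeout_add_msec(9).
 */
#include <limits.h>
#include <stdio.h>

#define MODEL_HZ 100                        /* assumed: 100 ticks/s, 10 ms each */
#define USEC_PER_TICK (1000000L / MODEL_HZ)

struct model_timeval {
    long tv_sec;
    long tv_usec;
};

/* timeval -> ticks, rounding up so a caller never sleeps less than asked. */
long
model_tvtohz(const struct model_timeval *tv)
{
    long usec;

    if (tv->tv_sec < 0 || (tv->tv_sec == 0 && tv->tv_usec <= 0))
        return 0;
    usec = tv->tv_sec * 1000000L + tv->tv_usec;
    return (usec + USEC_PER_TICK - 1) / USEC_PER_TICK;
}

/*
 * msec -> ticks with the guard the thread relies on: a positive delay
 * shorter than one tick still yields one tick rather than zero, so a
 * sub-tick sleep cannot turn into "fire immediately".
 */
long
model_msec_to_ticks(int msec)
{
    long long ticks;

    if (msec <= 0)
        return 0;
    ticks = (long long)MODEL_HZ * msec / 1000;
    if (ticks > INT_MAX)
        ticks = INT_MAX;
    if (ticks == 0)
        ticks = 1;
    return (long)ticks;
}

/* The pattern the diffs remove: build a timeval only to convert it back. */
long
legacy_ticks_for_msec(int msec)
{
    struct model_timeval t;

    t.tv_sec = 0;
    t.tv_usec = msec * 1000L;
    return model_tvtohz(&t);
}

int
main(void)
{
    const int delays[] = { 100, 15, 5, 0 };   /* constructed sample delays in ms */
    size_t i;

    for (i = 0; i < sizeof(delays) / sizeof(delays[0]); i++)
        printf("%3d ms: timeval path %ld ticks, msec path %ld ticks\n",
            delays[i], legacy_ticks_for_msec(delays[i]),
            model_msec_to_ticks(delays[i]));
    return 0;
}
```

With the assumed 100 Hz clock, the 100 ms case gives ten ticks on both paths, a 15 ms delay rounds up on the timeval path but truncates on the millisecond path, and a 5 ms delay would truncate to zero without the guard; the two paths only agree in general when the delay is a whole number of ticks, which is why the driver constant matters.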



Re: [patch] use acme-client to sign certificated with ecdsa keys

2019-06-14 Thread Renaud Allard



On 6/12/19 2:30 PM, Renaud Allard wrote:
> 
> On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > Hi,
> > 
> > some feedback below.
> > 
> > Renaud: maybe wait for feedback from florian or gilles until
> > acting on my comments, sometimes sending diffs too fast creates more
> > work ;)
> > 
> > /Benno
> > 
> 
> As suggested by benno@
> removal of the global variable
> removal of KEYTYPE which was not used and was a leftover of a former patch
> define ECDSA_KEY to be more readable
> 

Any comment or OK on my latest patch?

