TOFU/cert pinning in libtls

2020-05-09 Thread Stephen Gregoratto
I am currently implementing a simple C client for the gemini
protocol[1]. All transactions are protected using TLS, with a catch:

> Clients can validate TLS connections however they like (including not
> at all) but the strongly RECOMMENDED approach is to implement a
> lightweight "TOFU" certificate-pinning system which treats self-signed
> certificates as first-class citizens. This greatly reduces TLS
> overhead on the network (only one cert needs to be sent, not a whole
> chain) and lowers the barrier to entry for setting up a Gemini site
> (no need to pay a CA or setup a Let's Encrypt cron job, just make a
> cert and go).

My basic idea for the client is:

- load a db of self-signed certs.
- connect to host
- if host cert is self signed
  - if not in db, prompt user and add to db
  - if in db, check fingerprint and warn user if they don't match.

Browsing the manuals/source code, there doesn't seem to be an easy way
to configure this. I don't want to have to use the OpenSSL API for this
:(.

P.S. Big shoutout to Bob for his tutorial[2], it's a great introduction
to an awesome library!

[1] https://gemini.circumlunar.space/docs/spec-spec.txt
[2] https://github.com/bob-beck/libtls/blob/
-- 
Stephen Gregoratto
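One way to implement the pinning steps sketched above, as an added example in C that is neither the poster's client nor part of libtls: it keeps only the decision logic, taking the fingerprint as the "SHA256:<hex>" string libtls returns from tls_peer_cert_hash() once verification has been switched off with tls_config_insecure_noverifycert(), so the tofu_* names and the one-pin-per-line store format are assumptions made here.

```c
/* TOFU pin store for a Gemini client (added example, not the poster's code). It
 * assumes the fingerprint is the "SHA256:<hex>" string libtls returns from
 * tls_peer_cert_hash() after tls_config_insecure_noverifycert(); store format is constructed. */
#include <stdio.h>
#include <string.h>

#define TOFU_MAX 64
enum tofu_result { TOFU_NEW, TOFU_MATCH, TOFU_MISMATCH };
struct tofu_pin { char host[256]; char hash[80]; };
struct tofu_db { struct tofu_pin pins[TOFU_MAX]; int n; };

/* Load "host SHA256:hex" pins, one per line; blank or malformed lines are skipped. */
int tofu_load(struct tofu_db *db, const char *text)
{
    char line[400];
    db->n = 0;
    for (const char *p = text; *p && db->n < TOFU_MAX; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (sscanf(line, "%255s %79s", db->pins[db->n].host, db->pins[db->n].hash) == 2)
                db->n++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return db->n;
}

/* Decision step of the design: unknown host -> caller prompts, then pins via
 * tofu_add(); known host -> compare fingerprints and warn on mismatch. Self-signed
 * can be approximated by comparing tls_peer_cert_issuer() with tls_peer_cert_subject(). */
enum tofu_result tofu_check(const struct tofu_db *db, const char *host, const char *hash)
{
    for (int i = 0; i < db->n; i++)
        if (strcmp(db->pins[i].host, host) == 0)
            return strcmp(db->pins[i].hash, hash) == 0 ? TOFU_MATCH : TOFU_MISMATCH;
    return TOFU_NEW;
}

/* Pin a host the user accepted; returns -1 when the store is full. */
int tofu_add(struct tofu_db *db, const char *host, const char *hash)
{
    if (db->n >= TOFU_MAX) return -1;
    snprintf(db->pins[db->n].host, sizeof db->pins[0].host, "%s", host);
    snprintf(db->pins[db->n].hash, sizeof db->pins[0].hash, "%s", hash);
    db->n++;
    return 0;
}
```

Because certificate verification is disabled in the tls_config, the fingerprint comparison is the only check left on the connection, so a TOFU_MISMATCH should surface as a warning the user must act on rather than being overwritten in the store.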



Preferred manpage idioms?

2019-05-30 Thread Stephen Gregoratto
When I'm writing new manpages, I like to draw inspiration from the
documentation of similar programs. The problem is that many manpages
have different ways of saying the same thing, probably due to their
authors and the time period they were written in.

So, I'd like to ask what your preferred choice is of the following
common idioms I keep finding:

1. Manpage

Is it:
  man page
  man-page
  manpage
  reference
  manual
  UNIX™ Programmers Manual
...on second thought, maybe not

2. Standard output

Is it:
  Print to standard output/error
      tee(1)
  Print to the standard output/error
      cat(1), echo(1)
  Print to stdout/stderr
      bzcat(1)

Bonus Round:
  Print to ...
  Write to ...
  Print on ...
      readlink(1)

3. Program arguments

Is it:
  Argument
      echo(1)
  Operand
      printf(1), also echo(1)?
-- 
Stephen Gregoratto
PGP: 3FC6 3D0E 2801 C348 1C44 2D34 A80C 0F8E 8BAB EC8B



Re: Upgrade procedure (6.4 -> 6.5)

2019-05-02 Thread Stephen Gregoratto
On 2019-05-02 11:46, Noth wrote:
> I set up a script for sysclean:
> 
> cat sysclean65.txt | while read line ; do rm -rf "${line}" ; done

Nitpick, but this could be shortened to:

  xargs rm -rf < sysclean??.txt

Just tested this on my server, so it should work fine.
-- 
Stephen Gregoratto
PGP: 3FC6 3D0E 2801 C348 1C44 2D34 A80C 0F8E 8BAB EC8B



Re: How to print nicely formatted man pages?

2019-02-08 Thread Stephen Gregoratto
In my opinion I find the PostScript/PDF output from groff to be better 
than mandoc's, sorry Ingo :(. The font size and line spacing makes a 
better print, which makes sense considering that groff is a typesetting 
suite. The catch is that groff doesn't detect if eqn(1) or tbl(1) needs 
to be run for the man page, while mandoc does. You would need to use 
grog(1) for that.

Here are some example pdf's for the 6.4 version of man(1):

https://www.sgregoratto.me/paste/man-groff.1.pdf
  $ groff -mandoc -T pdf /usr/share/man/man1/man.1
  alternatively...
  $ grog -T pdf --run /usr/share/man/man1/man.1
https://www.sgregoratto.me/paste/man-mandoc.1.pdf
  $ mandoc -T pdf /usr/share/man/man1/man.1
  alternatively...
  $ man -T pdf 1 man

You should replace 'pdf' with 'ps' if you are using a PostScript 
printer. It's up to you to decide which one looks better.

-- 
Stephen Gregoratto



[UPDATE] sysutils/neofetch to 6.0.0

2019-01-08 Thread Stephen Gregoratto
Neofetch has been updated to version 6.0.0. I've bumped the port number 
and removed the patches, as they were pulled from upstream.

Index: sysutils/neofetch/Makefile
===
RCS file: /cvs/ports/sysutils/neofetch/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- sysutils/neofetch/Makefile  4 Sep 2018 20:41:42 -   1.3
+++ sysutils/neofetch/Makefile  9 Jan 2019 07:22:09 -
@@ -2,11 +2,11 @@
 
 COMMENT =  system information tool written in bash
 CATEGORIES =   sysutils misc
-REVISION = 1
+REVISION = 0
 
 GH_ACCOUNT =   dylanaraps
 GH_PROJECT =   neofetch
-GH_TAGNAME =   5.0.0
+GH_TAGNAME =   6.0.0
 
 MAINTAINER =   Charlene Wendling 
 
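Review bot: with GH_TAGNAME moving to 6.0.0, the `+REVISION = 0` line should be dropped rather than reset to zero; by ports convention a freshly bumped version carries no REVISION, and the line only needs to reappear the first time the port is patched without a version change.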
Index: sysutils/neofetch/distinfo
===
RCS file: /cvs/ports/sysutils/neofetch/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- sysutils/neofetch/distinfo  18 Jul 2018 09:28:55 -  1.1.1.1
+++ sysutils/neofetch/distinfo  9 Jan 2019 07:22:09 -
@@ -1,2 +1,2 @@
-SHA256 (neofetch-5.0.0.tar.gz) = Kk9IU7+DuIoDeZTbxTqQyL1XCPXuszkvVtTknEnZlbM=
-SIZE (neofetch-5.0.0.tar.gz) = 110526
+SHA256 (neofetch-6.0.0.tar.gz) = Jkp2iVYbtJj5fxAjGVm92PfIc2cbrC/7Zg3ppYY7HHY=
+SIZE (neofetch-6.0.0.tar.gz) = 115538
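Review bot: the new SHA256 and SIZE values cannot be checked from the diff itself; before commit, regenerate distinfo with `make makesum` on a clean checkout and confirm it reproduces exactly these two lines, so that the 6.0.0 tarball being checksummed is the one the port will actually fetch and build.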
Index: sysutils/neofetch/patches/patch-neofetch
===
RCS file: sysutils/neofetch/patches/patch-neofetch
diff -N sysutils/neofetch/patches/patch-neofetch
--- sysutils/neofetch/patches/patch-neofetch4 Sep 2018 20:41:42 -   
1.2
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,96 +0,0 @@
-$OpenBSD: patch-neofetch,v 1.2 2018/09/04 20:41:42 bcallah Exp $
-
-Battery fixes. Add support for amphour and charging status.
-From upstream 71df4ffd3b20abaf21c260c5a109793d579dfa11
-
-Fix WM detection, add disk and vmm(4) support
-From upstream e07f545c26a47151236af3a3bc73acae62d87922
-
-Index: neofetch
 neofetch.orig
-+++ neofetch
-@@ -1137,6 +1137,7 @@ get_model() {
- 
- case "$model" in
- "Standard PC"*) model="KVM/QEMU (${model})" ;;
-+"OpenBSD"*) model="vmm (${model})" ;;
- esac
- }
- 
-@@ -1474,8 +1475,13 @@ get_wm() {
- # If function was run, stop here.
- ((wm_run == 1)) && return
- 
-+case "$uname" in
-+*"OpenBSD"*)ps_flags=(x -c) ;;
-+*)  ps_flags=(-e) ;;
-+esac
-+
- if [[ "$WAYLAND_DISPLAY" ]]; then
--wm="$(ps -e | grep -m 1 -o -F \
-+wm="$(ps "${ps_flags[@]}" | grep -m 1 -o -F \
--e "arcan" \
--e "asc" \
--e "clayland" \
-@@ -1512,11 +1518,11 @@ get_wm() {
- 
- # Window Maker does not set _NET_WM_NAME
- [[ "$wm" =~ "WINDOWMAKER" ]] && wm="wmaker"
--
- # Fallback for non-EWMH WMs.
- [[ -z "$wm" ]] && \
--wm="$(ps -e | grep -m 1 -o -F \
-+wm="$(ps "${ps_flags[@]}" | grep -m 1 -o -F \
--e "catwm" \
-+   -e "fvwm" \
--e "dwm" \
--e "2bwm" \
--e "monsterwm" \
-@@ -3084,9 +3090,20 @@ get_disk() {
- 
- # Create an array called 'disks' where each element is a separate line 
from
- # df's output. We then unset the first element which removes the column 
titles.
--IFS=$'\n' read -d "" -ra disks <<< "$(df "${df_flags[@]}" 
"${disk_show[@]:-/}")"
--unset "disks[0]"
--
-+if [[ "$uname" == "OpenBSD" ]]; then
-+# On OpenBSD you can't use df against a /dev/... unless being root or
-+# in the 'operator' group. Making a separate disks array creation.
-+df_flags=(-h)
-+# building an AWK regexp
-+disk_re="${disk_show[*]:-/}"
-+disk_re="${disk_re// /\|}"
-+disk_re="^(${disk_re//\//\\\/})\$"
-+IFS=$'\n' read -d "" -ra disks <<< "$(df "${df_flags[@]}" | \
-+awk -v disk_re="$disk_re" '(NR > 1) && ($1 ~ disk_re || $6 ~ 
disk_re)')"
-+else
-+IFS=$'\n' read -d "" -ra disks <<< "$(df "${df_flags[@]}" 
"${disk_show[@]:-/}")"
-+unset "disks[0]"
-+fi
- # Stop here if 'df' fails to print disk info.
- [[ -z "${disks[*]}" ]] && {
- err "Disk: df failed to print the disks, make sure the disk_show 
array is set properly."
-@@ -3179,12 +3196,19 @@ get_battery() {
- ;;
- 
- "OpenBSD"* | "Bitrig"*)
--battery0full="$(sysctl -n hw.sensors.acpibat0.watthour0)"
--battery0full="${battery0full/ Wh*}"
-+battery0full="$(sysctl -n   hw.sensors.acpibat0.watthour0\
-+hw.sensors.acpibat0.amphour0)"
-+battery0full="${battery0full%% *}"
- 
--battery0now="$(sysctl -n hw.sensors.acpibat0
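Review bot: deleting this patch wholesale assumes both upstream commits named in its header (71df4ffd3b20abaf21c260c5a109793d579dfa11 and e07f545c26a47151236af3a3bc73acae62d87922) are contained in the 6.0.0 tag; confirm the tarball's neofetch still has the vmm(4) model case in get_model(), the OpenBSD ps_flags in get_wm(), the df/awk workaround in get_disk() and the amphour0 battery handling in get_battery(), since any hunk that did not land upstream would silently regress on OpenBSD. The hunk as archived is also cut off inside the get_battery() section, well before its 96th removed line, so the remainder of the removal cannot be reviewed here.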

Re: Help with LibreSSL manpages

2018-11-26 Thread Stephen Gregoratto
Thanks for your response Ingo. I think I'll start with the missing 
functions and go through them by order of length. I'll try and peruse 
through the ports and check for any examples.

Speaking of functions: I'm trying to generate a list of each function, 
the source file it's defined in and the corresponding line number, 
similar to the format of `grep -n`. Is there a way to force ctags to 
output in some tabular format that can be AWK'd? The -x option isn't 
cutting it for me.

-- 
Stephen Gregoratto



Help with LibreSSL manpages

2018-11-25 Thread Stephen Gregoratto
Hello,

I've recently been getting into (re)writing my manpages using mdoc(7), 
and came across Ingo's talk about mandoc/LibreSSL [1]. In it he 
mentioned that there are still some functions to document and many pages 
need a couple of goes over (specifically openssl(1)).

Now I've never developed for Open/LibreSSL, and have an OK knowledge of 
C, but I do have a bit of free time over Christmas and would be happy to 
help out in any way. Would I need to fully grok the code before I could 
write the docs?

[1] https://www.openbsd.org/papers/eurobsdcon2018-mandoc.pdf
-- 
Stephen Gregoratto