Re: add nl(1)

2013-07-15 Thread Landry Breuil
On Sun, Jul 14, 2013 at 04:30:48PM +0200, Jérémie Courrèges-Anglas wrote:
> "Todd C. Miller"  writes:
> 
> > On Mon, 20 May 2013 12:43:19 +0300, Arto Jonsson wrote:
> >
> >> Updated diff. I removed the int width handling and modified the
> >> separator printing based on your comment.
> >
> > That looks good to me.
> >
> >  - todd
> 
> I propose to import it.  ok?
> (+ a note about NetBSD and OpenBSD 5.4 in the manpage.)

That version caused no fallout in a ports bulk build.

Landry



Re: awk(1) update

2013-07-15 Thread Landry Breuil
On Sun, Jul 14, 2013 at 09:41:28AM +0200, Jérémie Courrèges-Anglas wrote:
> 
> This diff updates awk to the 20121220 upstream version, with a few
> fixups.

This caused no direct fallout in a ports bulk build.

Landry



usr.sbin/httpd and ECDHE

2013-07-15 Thread Joel Sing
On Fri, 12 Jul 2013, Joel Sing wrote:
> On Mon, 8 Jul 2013, Damien Miller wrote:
> > On Sun, 7 Jul 2013, Aaron Stellman wrote:
> > > On Tue, Apr 23, 2013 at 09:08:19AM +0200, Otto Moerbeek wrote:
> > > > If there is any interest, I might add the manual stuff, get ok's and
> > > > commit it.
> > >
> > > I find it useful to have SSLHonorCipherOrder in OpenBSD's apache.
> >
> > More than that, AFAIK it is necessary to mitigate some of the TLS crypto
> > attacks. IMO it is well worth having.
> >
> > It would also be good if someone could make a patch to enable ECDHE
> > cipher suites in Apache-1.x.
> > This nginx patch is a good reference to what needs to
> > be done:
> >
> > http://hg.nginx.org/nginx/rev/0832a6997227
>
> The following should do the trick...
>
> $ openssl s_client -connect localhost:443 2>&1  is" New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
>

And an improved version, after feedback from djm:

Index: conf/httpd.conf
===
RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf,v
retrieving revision 1.26
diff -u -p -u -p -r1.26 httpd.conf
--- conf/httpd.conf 3 Jun 2009 18:28:21 -   1.26
+++ conf/httpd.conf 15 Jul 2013 15:31:19 -
@@ -1034,6 +1034,11 @@ SSLEngine on
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
 #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
+
+#   SSL ECDH Curve:
+#   Named curve to use when generating ephemeral EC keys for an
+#   ECDHE-based cipher suite, or `none' to disable.
+SSLECDHCurve prime256v1
 
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
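Review bot: the new `+SSLECDHCurve prime256v1` line is active while the `SSLCipherSuite` directly above it in this file is still commented out, and the comment only says that `none' disables it; state what happens when the directive is omitted entirely (ECDHE off, or a built-in default curve?) so that the two sample configurations behave the same for someone who copies this file into place.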
Index: conf/httpd.conf-dist
===
RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf-dist,v
retrieving revision 1.20
diff -u -p -u -p -r1.20 httpd.conf-dist
--- conf/httpd.conf-dist1 Apr 2009 06:47:34 -   1.20
+++ conf/httpd.conf-dist15 Jul 2013 15:31:19 -
@@ -1045,6 +1045,11 @@ SSLEngine on
 #   See the mod_ssl documentation for a complete list.
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
+#   SSL ECDH Curve:
+#   Named curve to use when generating ephemeral EC keys for an
+#   ECDHE-based cipher suite, or `none' to disable.
+SSLECDHCurve prime256v1
+
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
 #   the certificate is encrypted, then you will be prompted for a
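Review bot: the `SSLCipherSuite` context line just above the insertion still permits `+LOW`, `+EXP`, `+SSLv2` and `+eNULL`; naming a curve makes ECDHE suites available but does not make a client prefer them over those, so this shipped default should pair `SSLECDHCurve prime256v1` with `SSLHonorCipherOrder on` (the directive discussed earlier in the thread) and a cipher list that drops the export and null entries, otherwise a client can still negotiate a weak suite.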
Index: src/modules/ssl/mod_ssl.c
===
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.c,v
retrieving revision 1.11
diff -u -p -u -p -r1.11 mod_ssl.c
--- src/modules/ssl/mod_ssl.c   11 Jul 2013 12:41:52 -  1.11
+++ src/modules/ssl/mod_ssl.c   15 Jul 2013 15:31:19 -
@@ -113,6 +113,9 @@ static command_rec ssl_config_cmds[] = {
 AP_ALL_CMD(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
+AP_SRV_CMD(ECDHCurve, TAKE1,
+   "Name of ECDH curve to use for ephemeral EC keys "
+   "(`curve' - see manual)")
 AP_SRV_CMD(CertificateFile, TAKE1,
"SSL Server Certificate file "
"(`/path/to/file' - PEM or DER encoded)")
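Review bot: the help string on `AP_SRV_CMD(ECDHCurve, TAKE1, ...)` says `see manual', but this diff carries no documentation change; add the SSLECDHCurve entry (accepted curve names, the `none' value, and the default) to the mod_ssl documentation together with this command, as the thread already noted was still pending for SSLHonorCipherOrder.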
Index: src/modules/ssl/mod_ssl.h
===
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.22
diff -u -p -u -p -r1.22 mod_ssl.h
--- src/modules/ssl/mod_ssl.h   11 Jul 2013 12:41:52 -  1.22
+++ src/modules/ssl/mod_ssl.h   15 Jul 2013 15:31:19 -
@@ -514,6 +514,7 @@ typedef struct {
 char*szCACertificateFile;
 char*szLogFile;
 char*szCipherSuite;
+int  nECDHCurve;
 FILE*fileLogFile;
 int  nLogLevel;
 BOOL cipher_server_pref;
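Review bot: `int  nECDHCurve;` is presumably an OpenSSL NID, but nothing in the header says which value represents `none' or what the field holds when the directive is absent; a comment on the field (for instance that 0 means disabled) and a matching initialiser in the server-config constructor keep the explicit `none' case distinct from "not configured".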
@@ -592,6 +593,7 @@ const char  *ssl_cmd_SSLRandomSeed(cmd_p
 const char  *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);
 const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
+const char  *ssl_cmd_SSLECDHCurve(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, char *, char *);
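Review bot: `ssl_cmd_SSLECDHCurve(cmd_parms *, char *, char *)` receives the curve name as a plain string; the handler should reject an unknown name at configuration-parse time by returning an error string, as the neighbouring certificate-file handlers do, rather than failing later at SSL_CTX setup, so that a typo cannot silently leave ECDHE unavailable.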
Index: src/modules/ssl/ssl_engine_config.c
===
RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.20
diff -u -p -u -p -r1.20 ssl_engine_config.c
--- src/modules/ssl/ssl_engine_config.c 11 Jul 2013 12:41:52 -  1.20
+++ src/modules/ssl/ssl_engine_config.c 15 Jul 2013 15:31:19 -
@@ -196,6 +196,7 @

Re: Fix of sysctl.c rev. 1.191 related bug and unbreak diskless(8)

2013-07-15 Thread RD Thrush
On 07/14/13 23:50, Philip Guenther wrote:
> On Sun, Jul 14, 2013 at 12:54 AM, Rafael Neves  wrote:
>> The patch below fixes a bug on sysctl(8) introduced by revision 1.191
>> of sysctl.c. After rev1.191, `sysctl vfs' mangles information about
>> filesystems (mounted instances of ffs are attributed to nfs, of nfs
>> are attributed to mfs, and so on). As a consequence, `sysctl
>> vfs.mounts.nfs' reports 0 mounted instances on a diskless(8) setup,
>> thus /etc/rc script (lines 335 to 342) doesn't add pf rules that allow
>> NFS, and system hangs when it enables pf.
> 
> First off: thank you for (a) noticing this, and (b) tracking down the 
> mismatch.
> 
> ...
>> --- sysctl.c9 Jun 2013 12:54:38 -   1.192
>> +++ sysctl.c14 Jul 2013 07:09:28 -
>> @@ -1175,8 +1175,8 @@ vfsinit(void)
>>
>> vfsname[0].ctl_name = "mounts";
>> vfsname[0].ctl_type = CTLTYPE_NODE;
>> -   vfsvars[0].list = vfsname + 1;
>> -   vfsvars[0].size = maxtypenum - 1;
>> +   vfsvars[0].list = vfsname;
>> +   vfsvars[0].size = maxtypenum;
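Review bot: pointing `vfsvars[0].list` at `vfsname` (with `size = maxtypenum`) puts the `mounts` node itself into the third-level name list, so `sysctl vfs.mounts.mounts` would be accepted instead of rejected as an invalid name; the one-slot shift is better corrected where the list index is turned into the VFS_CONF index, keeping `vfsname + 1` here.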
> 
> Soo close...
> 
> While this fixes the observed problem, it's not 100% correct.  The
> glitch is that it fails a negative test: the command
>  sysctl vfs.mounts.mounts
> should fail with the error
>  sysctl: third level name mounts in vfs.mounts.mounts is invalid
> 
> but with your patch it silently succeeds.  The vfsname list is offset
> by one in vfsvars[0].list to prevent that, so the fix that avoids the
> unwanted match against vfsname[0] is to keep the offset, but undo it
> in the lookup:
> 
> --- sysctl.c9 Jun 2013 12:54:38 -   1.192
> +++ sysctl.c15 Jul 2013 03:43:27 -
> @@ -1200,7 +1200,7 @@ sysctl_vfsgen(char *string, char **bufpp
> 
> mib[1] = VFS_GENERIC;
> mib[2] = VFS_CONF;
> -   mib[3] = indx;
> +   mib[3] = indx + 1;
> size = sizeof vfc;
> if (sysctl(mib, 4, &vfc, &size, (void *)0, (size_t)0) < 0) {
> if (errno != EOPNOTSUPP)
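Review bot: `mib[3] = indx + 1;` silently encodes the fact that `vfsvars[0].list` starts at `vfsname + 1`; a one-line comment at this site saying that list index 0 is VFS_CONF typenum 1 would stop a future reader from reverting it, and a regression check that `sysctl vfs.mounts.mounts` still fails would pin down the negative case this preserves.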
> 
> 
> That make sense?

Sorry, I previously replied to the wrong list...

Your patch produces correct results for my previous report.  Without repeating
that email, here's the current summary:

172>diff -wbu before after
--- before  Mon Jul 15 05:53:23 2013
+++ after   Mon Jul 15 05:53:58 2013
@@ -17,9 +17,9 @@
 a8v:/pub2 on /a8v/pub2 type nfs (nodev, nosuid, read-only, v3, udp, timeo=100,
retrans=101)
 nas2:/work on /nas2/work type nfs (nodev, nosuid, v3, udp, timeo=100, 
retrans=101)
 nas2:/media on /nas2/media type nfs (nodev, nosuid, v3, udp, rdirsize=4096,
timeo=100, retrans=101)
-vfs.mounts.nfs has 12 mounted instances
-vfs.mounts.mfs has 6 mounted instances
-vfs.mounts.msdos has 1 mounted instance
+vfs.mounts.ffs has 12 mounted instances
+vfs.mounts.nfs has 6 mounted instances
+vfs.mounts.mfs has 1 mounted instance
 vfs.ffs.doclusterread=1
 vfs.ffs.doclusterwrite=1
 vfs.ffs.doreallocblks=1

Thanks.
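The offset-list lookup Philip describes, as an added example that is not the OpenBSD sysctl.c source: a constructed vfs name table with `mounts` in slot 0, a third-level list that starts one past it, and the lookup that maps a list index back to the VFS_CONF typenum, shown beside the unfixed lookup; the mount counts are constructed to match the output above.

```c
#include <string.h>
/* Added example, not the OpenBSD sysctl.c source. A constructed vfs name
 * table laid out like vfsname[] in the thread: slot 0 is the "mounts" node
 * itself, filesystem types start at slot 1, so from slot 1 on the index is
 * the VFS_CONF typenum the kernel expects in mib[3]. */
#define MAXTYPENUM 4
struct ctlname { const char *ctl_name; };
struct list { struct ctlname *list; int size; };

static struct ctlname vfsname[MAXTYPENUM] = {
	{ "mounts" }, { "ffs" }, { "nfs" }, { "mfs" },
};

/* Third-level list for vfs.mounts.* starts one past vfsname[0], so
 * "mounts" can never match itself (the negative test in the thread). */
static struct list vfsvars0 = { vfsname + 1, MAXTYPENUM - 1 };

/* Name lookup: 0-based index into lp->list, or -1 when absent. */
static int findname(const char *name, const struct list *lp)
{
	int i;
	for (i = 0; i < lp->size; i++)
		if (strcmp(lp->list[i].ctl_name, name) == 0)
			return i;
	return -1;
}

/* Before the fix: list index passed through unchanged as the typenum, so
 * each name resolves one filesystem early ("nfs" reports ffs's count). */
int vfs_mounts_typenum_nofix(const char *name)
{
	return findname(name, &vfsvars0);
}

/* Fixed: keep the offset list, undo the offset when forming the typenum. */
int vfs_mounts_typenum(const char *name)
{
	int indx = findname(name, &vfsvars0);
	return indx < 0 ? -1 : indx + 1;
}

/* Stand-in for the kernel's VFS_CONF answer: constructed counts per typenum,
 * chosen to match the "after" output in the thread (ffs 12, nfs 6, mfs 1). */
int mounted_instances(int typenum)
{
	static const int counts[MAXTYPENUM] = { 0, 12, 6, 1 };
	if (typenum < 1 || typenum >= MAXTYPENUM)
		return -1;
	return counts[typenum];
}
```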