Re: Trimming tcpdump a bit
On 2014/11/24 09:59, Theo de Raadt wrote: Thing is, in a few cases we have de-forked as well. For instance, in less(1). Hmm, kind of relevant recently.. Fortunately we don't have ours use lesspipe by default :-)
Re: Fix AHCI on SUNXI
On Mon, Nov 24, 2014 at 08:12:33PM -0600, Edwin Amsler wrote: Here are the changes needed to make SATA drives available on the Cubieboard A10. It consists of a DMA workaround and fiddling with some register assignments. I've successfully built the RAMDISK kernel via an external drive using this driver patch, so it's been through what I'm hoping is a valid smoke test. This patch was based off work done by others. Let me know what needs changing. dlg would prefer this to be done with a callback rather than a flag. So here's an attempt to handle it that way. Doesn't seem to break anything on an amd64 machine with ahci. Index: dev/ic/ahci.c === RCS file: /cvs/src/sys/dev/ic/ahci.c,v retrieving revision 1.16 diff -u -p -r1.16 ahci.c --- dev/ic/ahci.c 13 Jul 2014 23:10:23 - 1.16 +++ dev/ic/ahci.c 25 Nov 2014 10:52:15 - @@ -75,7 +75,7 @@ int ahci_port_alloc(struct ahci_softc void ahci_port_free(struct ahci_softc *, u_int); intahci_port_init(struct ahci_softc *, u_int); -intahci_port_start(struct ahci_port *, int); +intahci_default_port_start(struct ahci_port *, int); intahci_port_stop(struct ahci_port *, int); intahci_port_clo(struct ahci_port *); intahci_port_softreset(struct ahci_port *); @@ -175,6 +175,9 @@ ahci_attach(struct ahci_softc *sc) u_int32_t pi; int i; + if (sc-sc_port_start == NULL) + sc-sc_port_start = ahci_default_port_start; + if (ahci_init(sc) != 0) { /* error already printed by ahci_init */ goto unmap; @@ -832,7 +835,7 @@ reterr: } int -ahci_port_start(struct ahci_port *ap, int fre_only) +ahci_default_port_start(struct ahci_port *ap, int fre_only) { u_int32_t r; Index: dev/ic/ahcivar.h === RCS file: /cvs/src/sys/dev/ic/ahcivar.h,v retrieving revision 1.8 diff -u -p -r1.8 ahcivar.h --- dev/ic/ahcivar.h14 Apr 2014 04:42:22 - 1.8 +++ dev/ic/ahcivar.h25 Nov 2014 10:50:20 - 
@@ -137,9 +137,12 @@ struct ahci_softc { u_int32_t sc_ccc_ports; u_int32_t sc_ccc_ports_cur; #endif + + int (*sc_port_start)(struct ahci_port *, int); }; #define DEVNAME(_s)((_s)-sc_dev.dv_xname) +#define ahci_port_start(_p, _f)((_p)-ap_sc-sc_port_start((_p), (_f))) intahci_attach(struct ahci_softc *); intahci_detach(struct ahci_softc *, int); Index: arch/armv7/sunxi/sxiahci.c === RCS file: /cvs/src/sys/arch/armv7/sunxi/sxiahci.c,v retrieving revision 1.6 diff -u -p -r1.6 sxiahci.c --- arch/armv7/sunxi/sxiahci.c 14 Apr 2014 04:42:22 - 1.6 +++ arch/armv7/sunxi/sxiahci.c 25 Nov 2014 11:37:56 - @@ -1,6 +1,7 @@ /* $OpenBSD*/ /* * Copyright (c) 2013 Patrick Wildt patr...@blueri.se + * Copyright (c) 2013,2014 Artturi Alm * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -44,13 +45,21 @@ #defineSXIAHCI_TIMEOUT 0x10 #define SXIAHCI_PWRPIN 40 +#define SXIAHCI_PREG_DMA 0x70 +#define SXIAHCI_PREG_DMA_MASK (0xff8) +#define SXIAHCI_PREG_DMA_INIT (0x448) + void sxiahci_attach(struct device *, struct device *, void *); intsxiahci_detach(struct device *, int); intsxiahci_activate(struct device *, int); +intsxiahci_port_start(struct ahci_port *, int); extern int ahci_intr(void *); extern u_int32_t ahci_read(struct ahci_softc *, bus_size_t); extern void ahci_write(struct ahci_softc *, bus_size_t, u_int32_t); +extern u_int32_t ahci_pread(struct ahci_port *, bus_size_t); +extern void ahci_pwrite(struct ahci_port *, bus_size_t, u_int32_t); +extern int ahci_default_port_start(struct ahci_port *, int); struct sxiahci_softc { struct ahci_softc sc; 
@@ -75,18 +84,15 @@ sxiahci_attach(struct device *parent, st struct armv7_attach_args *aa = args; struct sxiahci_softc *sxisc = (struct sxiahci_softc *)self; struct ahci_softc *sc = sxisc-sc; - bus_space_tag_t iot; - bus_space_handle_t ioh; uint32_t timo; - sc-sc_iot = iot = aa-aa_iot; + sc-sc_iot = aa-aa_iot; sc-sc_ios = aa-aa_dev-mem[0].size; sc-sc_dmat = aa-aa_dmat; if (bus_space_map(sc-sc_iot, aa-aa_dev-mem[0].addr, - aa-aa_dev-mem[0].size, 0, sc-sc_ioh)) + sc-sc_ios, 0, sc-sc_ioh)) panic(sxiahci_attach: bus_space_map failed!); - ioh = sc-sc_ioh; /* enable clock */
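Review bot: the new ahci_port_start(_p, _f) macro in the ahcivar.h hunk evaluates its _p argument twice (once to reach ap_sc->sc_port_start, once as the first call argument), so any caller that passes an expression with side effects runs it twice; a static inline wrapper in the header, or a one-line ahci_port_start() in ahci.c that does `return ap->ap_sc->sc_port_start(ap, fre_only);`, gives the same indirection without that trap and keeps a real symbol for ddb backtraces.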
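Review bot: the `if (sc->sc_port_start == NULL)` default in the ahci_attach() hunk relies on the front-end softc being zero-filled, which autoconf's allocation provides, and on a front-end that wants its own callback filling sc_port_start before it calls ahci_attach(); that ordering requirement is not obvious from the field's declaration, so a short comment next to `int (*sc_port_start)(struct ahci_port *, int);` in ahcivar.h ("set by the bus front-end before ahci_attach(), NULL means the default") would save the next port author from setting it too late.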
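Review bot: SXIAHCI_PREG_DMA (0x70), SXIAHCI_PREG_DMA_MASK (0xff8) and SXIAHCI_PREG_DMA_INIT (0x448) in the sxiahci.c defines hunk are bare magic numbers with no comment saying which per-port register this is or what the DMA workaround the mail mentions actually sets; their only consumer, sxiahci_port_start(), is declared here but its body lies past the end of the visible diff, so the explanation belongs next to the defines.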
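Review bot: in the sxiahci_attach() hunk, passing sc->sc_ios to bus_space_map() instead of aa->aa_dev->mem[0].size is equivalent, since sc_ios is assigned from that same field two lines earlier, and dropping the iot/ioh locals is fine provided nothing later in the function (beyond the visible "/* enable clock */" line) still references them.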
iked control process crash at startup
Hi tech@, I've been using iked for some weeks to tunnel my laptop to home over 3G. Sunday I upgraded my laptop to the latest snapshot; previous upgrade was about 2 or 3 weeks ago. When I started iked, it crashed randomly, as in one time it runs just fine and completes the handshake, the other it crashes before even sending the first packet. I ran ktrace -di /sbin/iked and kdump'd the resulting file. Of the 5 processes, 4 finished by calling exit(0), one was terminated on a SIGSEGV. As it is also the only one that does stuff on /var/run/iked.sock, it is the control process. I repeated the above ktrace 4 times and got consistent results: SIGSEGV'd control process. I'll keep the hunt going, but I am not sure how long this will take nor how much time I'll have to spare, so here is the control process kdump.

Cheers,
-- Vincent

17866 iked RET fork 0
17866 iked CALL getpid()
17866 iked RET getpid 17866/0x45ca
17866 iked CALL setpgid(0,0x45ca)
17866 iked RET setpgid 0
17866 iked CALL socket(PF_LOCAL,0x1<SOCK_STREAM>,0)
17866 iked RET socket 15/0xf
17866 iked CALL unlink(0x631ceb)
17866 iked NAMI /var/run/iked.sock
17866 iked RET unlink 0
17866 iked CALL umask(0117<S_IXUSR|S_IXGRP|S_IROTH|S_IWOTH|S_IXOTH>)
17866 iked RET umask 18/0x12
17866 iked CALL bind(0xf,0x7f7c8660,0x6a)
17866 iked STRU struct sockaddr { AF_LOCAL, /var/run/iked.sock }
17866 iked NAMI /var/run/iked.sock
17866 iked RET bind 0
17866 iked CALL umask(022<S_IWGRP|S_IWOTH>)
17866 iked RET umask 79/0x4f
17866 iked CALL chmod(0x631ceb,0660<S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP>)
17866 iked NAMI /var/run/iked.sock
17866 iked RET chmod 0
17866 iked CALL fcntl(0xf,F_GETFL)
17866 iked RET fcntl 2
17866 iked CALL fcntl(0xf,F_SETFL,0x6<O_RDWR|O_NONBLOCK>)
17866 iked RET fcntl 0
17866 iked CALL chroot(0x631d39)
17866 iked NAMI /etc/iked/
17866 iked RET chroot 0
17866 iked CALL chdir(0x6669f2)
17866 iked NAMI /
17866 iked RET chdir 0
17866 iked CALL __sysctl(2.3,0x7f7c8640,0x7f7c8630,0,0)
17866 iked RET __sysctl 0
17866 iked CALL setgroups(0x1,0x9bddb4)
17866 iked RET setgroups 0
17866 iked CALL setresgid(0x65,0x65,0x65)
17866 iked RET setresgid 0
17866 iked CALL setresuid(0x65,0x65,0x65)
17866 iked RET setresuid 0
17866 iked CALL clock_gettime(CLOCK_MONOTONIC,0x7f7c86c0)
17866 iked STRU struct timespec { 150798.566033906 }
17866 iked RET clock_gettime 0
17866 iked CALL clock_gettime(CLOCK_MONOTONIC,0x7f7c8690)
17866 iked STRU struct timespec { 150798.566077766 }
17866 iked RET clock_gettime 0
17866 iked CALL issetugid()
17866 iked RET issetugid 0
17866 iked CALL kqueue()
17866 iked RET kqueue 16/0x10
17866 iked CALL getpid()
17866 iked RET getpid 17866/0x45ca
17866 iked CALL getentropy(0x7f7c8550,0x28)
17866 iked RET getentropy 0
17866 iked CALL issetugid()
17866 iked RET issetugid 0
17866 iked CALL kevent(0x10,0x7f7c8640,0x1,0,0,0x7f7c8660)
17866 iked STRU struct timespec { 0 }
17866 iked RET kevent 0
17866 iked CALL sigaction(SIGINT,0x7f7c85f0,0x2817fb150)
17866 iked STRU struct sigaction { handler=0x42f6f0, mask=~0, flags=0x2<SA_RESTART> }
17866 iked STRU struct sigaction { handler=SIG_DFL, mask=0, flags=0 }
17866 iked RET sigaction 0
17866 iked CALL kevent(0x10,0x7f7c8640,0x1,0,0,0x7f7c8660)
17866 iked STRU struct timespec { 0 }
17866 iked RET kevent 0
17866 iked CALL sigaction(SIGTERM,0x7f7c85f0,0x2817fcc30)
17866 iked STRU struct sigaction { handler=0x42f6f0, mask=~0, flags=0x2<SA_RESTART> }
17866 iked STRU struct sigaction { handler=SIG_DFL, mask=0, flags=0 }
17866 iked RET sigaction 0
17866 iked CALL kevent(0x10,0x7f7c8640,0x1,0,0,0x7f7c8660)
17866 iked STRU struct timespec { 0 }
17866 iked RET kevent 0
17866 iked CALL sigaction(SIGCHLD,0x7f7c85f0,0x2817fa980)
17866 iked STRU struct sigaction { handler=0x42f6f0, mask=~0, flags=0x2<SA_RESTART> }
17866 iked STRU struct sigaction { handler=SIG_DFL, mask=0, flags=0 }
17866 iked RET sigaction 0
17866 iked CALL kevent(0x10,0x7f7c8640,0x1,0,0,0x7f7c8660)
17866 iked STRU struct timespec { 0 }
17866 iked RET kevent 0
17866 iked CALL sigaction(SIGHUP,0x7f7c85f0,0x2817fc530)
17866 iked STRU struct sigaction { handler=0x42f6f0, mask=~0, flags=0x2<SA_RESTART> }
17866 iked STRU struct sigaction { handler=SIG_DFL, mask=0, flags=0 }
17866 iked RET sigaction 0
17866 iked CALL kevent(0x10,0x7f7c8640,0x1,0,0,0x7f7c8660)
17866 iked STRU struct timespec { 0 }
17866 iked RET kevent 0
17866 iked CALL
Re: iked control process crash at startup
On 25 November 2014 at 13:11, Vincent Gross dermi...@kilob.yt wrote: Hi tech@, I've been using iked for some weeks to tunnel my laptop to home over 3G. Sunday I upgraded my laptop to the latest snapshot; previous upgrade was about 2 or 3 weeks ago. When I started iked, it crashed randomly, as in one time it runs just fine and completes the handshake, the other it crashes before even sending the first packet. I ran ktrace -di /sbin/iked and kdump'd the resulting file. Of the 5 processes, 4 finished by calling exit(0), one was terminated on a SIGSEGV. As it is also the only one that do stuff on /var/run/iked.sock, it is the control process. I repeated the above ktrace 4 times and got consistent results: SIGSEGV'd control process. I'll keep the hunt going, but I am not sure how long this will take nor how much time I'll have to spare, so here is the control process kdump. Cheers, -- Vincent

can you please provide iked -dvv output when it crashes and a trace from the core file.

to generate a core file compile iked like so:

# cd /usr/src/sbin/iked
# make clean
# make obj
# make DEBUG=-g

setup core file generation:

# mkdir /var/crash/iked
# chmod 700 /var/crash/iked
# sysctl kern.nosuidcoredump=3

run /usr/src/sbin/iked/obj/iked -dvv and once it crashes retrieve the full backtrace from the core file:

# cd /usr/src/sbin/iked
# gdb -c /var/crash/iked/4970.core ./obj/iked
(gdb) bt full

and send this along with the iked output. please make sure that you pick the correct core file so that it corresponds to the debug output.
LibreSSL-portable 2.1.1 s_client supports connecting to SSLv3 servers
Hi, Running LibreSSL portable 2.1.1 from FreeBSD ports on FreeBSD 10.1

$ /usr/local/bin/openssl version
LibreSSL 2.1
$ uname -a
FreeBSD meterkast3.example.org 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r264324M: Tue Nov 11 13:46:58 CET 2014 r...@meterkast3.example.org:/usr/obj/usr/src/sys/BEASTIE101 amd64

To my surprise, the LibreSSL openssl binary does not see the -sslv3 option as an error. (examples and captures with google.com server)

$ /usr/local/bin/openssl s_client -connect 173.194.65.147:443 -ssl3
CONNECTED(0003)

where I would expect the same behaviour as e.g. openssl 0.9.8 when calling it with the -tls1_2 option. Next to that I see that it successfully negotiates a connection using an ssl3-capable server. Client Hello and Server Hello both have 0x0300 as can be seen in attached capture and at end of this mail. Is this expected behaviour? I.e. has LibreSSL only removed the sslv3 server capability?

When I setup an SSL server with OpenSSL 1.0.1j from base, I can not connect to it straight away but I can connect when I use -ssl3 (both in log below)

$ openssl version
OpenSSL 1.0.1j-freebsd 15 Oct 2014
$ openssl s_server -ssl3 -accept 4443
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
-BEGIN SSL SESSION PARAMETERS-
snip
-END SSL SESSION PARAMETERS-
snip
CIPHER is ECDHE-RSA-AES256-SHA
Secure Renegotiation IS supported
DONE
shutting down SSL
CONNECTION CLOSED
ACCEPT

$ /usr/local/bin/openssl s_client -connect localhost:4443
CONNECTED(0003)
34378806536:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:497:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 280 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

$ /usr/local/bin/openssl s_client -connect localhost:4443 -ssl3
snip
---
SSL handshake has read 1524 bytes and written 262 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 468B5F3CE1CF1CDA9F49312EE9424BD985B22FC1A9EA92692C9C6EB818F0C725
    Session-ID-ctx:
    Master-Key: 78D830C15F518C6FC9C5D9760B8B3F09D58F516944E72C9F2A89D3B3E6DD6D78189B1B0A702D4FBB8CDDEBF83B19A433
    Start Time: 1416914867
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Thanks! Bernard (Barnerd) Spil.

depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-BEGIN CERTIFICATE-
snip
-END CERTIFICATE-
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3578 bytes and written 258 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: D807A5102140A0D0F5DF4562E961C485F7C0D506572FF7852D61207576F3C5A5
    Session-ID-ctx:
    Master-Key: 175DDE1E866E41DC8F9D64779B0BBB5F4AA663F2DBF1EB1C312036CFE9E580997653A73CB6C7AEB2310B6D5793F13C55
    Start Time: 1416913094
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

libressl-ssl3.pcap Description: application/vnd.tcpdump.pcap
Re: LibreSSL-portable 2.1.1 s_client supports connecting to SSLv3 servers
Hi Bernard, Current versions of LibreSSL's libssl only disable SSLv3 by default. Support still exists, and programs can still enable it if they choose. For example, you will get an error if you do not explicitly specify -ssl3 as an option to openssl(1). In case there is confusion, libtls, which is not packaged with the portable version yet, does disable SSLv3 entirely with no option to enable. But, libssl still allows it optionally. - Brent On Tue, Nov 25, 2014 at 5:28 AM, Bernard Spil bern...@bachfreund.nl wrote: Hi, Running LibreSSL portable 2.1.1 from FreeBSD ports on FreeBSD 10.1 $ /usr/local/bin/openssl version LibreSSL 2.1 $ uname -a FreeBSD meterkast3.example.org 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r264324M: Tue Nov 11 13:46:58 CET 2014 r...@meterkast3.example.org:/usr/obj/usr/src/sys/BEASTIE101 amd64 To my surprise, the LibreSSL openssl binary does not see the -sslv3 option as an error. (examples and captures with google.com server) $ /usr/local/bin/openssl s_client -connect 173.194.65.147:443 -ssl3 CONNECTED(0003) where I would expect the same behaviour as e.g. openssl 0.9.8 when calling it with the -tls1_2 option. Next to that I see that it succefully negotiates a connection using an ssl3-capable server. Client Hello and Server Hello both have 0x0300 as can be seen in attached capture and at end of this mail. Is this expected behaviour? I.e. has LibreSSL only removed the sslv3 server capability? 
Re: LibreSSL-portable 2.1.1 s_client supports connecting to SSLv3 servers
On Tue, 25 Nov 2014, Bernard Spil wrote: Hi, Running LibreSSL portable 2.1.1 from FreeBSD ports on FreeBSD 10.1 $ /usr/local/bin/openssl version LibreSSL 2.1 $ uname -a FreeBSD meterkast3.example.org 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r264324M: Tue Nov 11 13:46:58 CET 2014 r...@meterkast3.example.org:/usr/obj/usr/src/sys/BEASTIE101 amd64 To my surprise, the LibreSSL openssl binary does not see the -sslv3 option as an error. (examples and captures with google.com server) $ /usr/local/bin/openssl s_client -connect 173.194.65.147:443 -ssl3 CONNECTED(0003) where I would expect the same behaviour as e.g. openssl 0.9.8 when calling it with the -tls1_2 option. Next to that I see that it succefully negotiates a connection using an ssl3-capable server. Client Hello and Server Hello both have 0x0300 as can be seen in attached capture and at end of this mail. Is this expected behaviour? Yes. I.e. has LibreSSL only removed the sslv3 server capability? SSLv3 has only been disabled by default - if you explicitly ask for it then you still get it. In the case of s_client, the -ssl3 option explicitly switches to the SSLv3 client method, hence it will *only* negotiate SSLv3. When I setup an SSL server with OpenSSL 1.0.1j from base, I can not connect to it straight away but I can connect when I use -ssl3 (both in log below) Are you saying that running 'openssl s_client' fails to connect to 'openssl s_server'? I do not see any example where you are not specifying -ssl3 with s_server - by doing that you can only ever connect to it with SSLv3 (-ssl3 does not enable the negotiation of SSLv3, it makes it SSLv3 *only*). 
-- Action without study is fatal. Study without action is futile. -- Mary Ritter Beard
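The version fields this thread turns on can be checked directly in a capture rather than inferred from s_client's summary. The following Python is an added example, not code from LibreSSL or from any of the posters: it parses the record-layer header and the hello body of a captured ClientHello or ServerHello, names the hello version (0x0300 is SSLv3, 0x0301 TLSv1.0 and so on), and mirrors the decision a client makes on a ServerHello. A client on the default method with SSLv3 disabled (assumed here to offer TLSv1.0 through TLSv1.2) refuses a 0x0300 ServerHello, which is the "unsupported protocol" failure against `s_server -ssl3` above, while a client that explicitly selected the SSLv3 method (`s_client -ssl3`) offers and accepts only 0x0300. The sample records are constructed inline and the function names are the example's own.

```python
import struct

# Version numbers as they appear on the wire, both in the record layer
# and in the hello body.
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL3_0: "SSLv3", TLS1_0: "TLSv1.0",
                 TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}

HANDSHAKE = 22                     # record-layer content type
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types


def parse_hello(record: bytes) -> dict:
    """Parse one record carrying a ClientHello or ServerHello.

    Returns the record-layer version, the handshake type and the version
    inside the hello body.  The body version is the one that decides what
    gets negotiated; the record-layer version is only a hint and may differ.
    """
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % ctype)
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 6:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello (handshake type %d)" % hs_type)
    if hs_len < 2 or len(body) - 4 < hs_len:
        raise ValueError("truncated hello")
    (hello_ver,) = struct.unpack("!H", body[4:6])
    return {
        "record_version": rec_ver,
        "handshake_type": hs_type,
        "hello_version": hello_ver,
        "name": VERSION_NAMES.get(hello_ver, "unknown 0x%04x" % hello_ver),
    }


def client_accepts(server_hello: bytes, min_version: int, max_version: int) -> bool:
    """Mirror the client-side check on a ServerHello: the version the server
    picked must be one the client offered.  (TLS1_0, TLS1_2) models a client
    with SSLv3 disabled by default (an assumption for this example);
    (SSL3_0, SSL3_0) models `s_client -ssl3`, the SSLv3-only method."""
    info = parse_hello(server_hello)
    if info["handshake_type"] != SERVER_HELLO:
        raise ValueError("expected a ServerHello")
    return min_version <= info["hello_version"] <= max_version


def build_hello(hs_type: int, version: int) -> bytes:
    """Construct a minimal hello record for testing: version, 32 zero bytes
    of random, empty session id, no cipher suites or extensions.  This is
    sample input made up for the example, not a captured packet."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    sslv3_server_hello = build_hello(SERVER_HELLO, SSL3_0)
    print(parse_hello(sslv3_server_hello)["name"])              # SSLv3
    print(client_accepts(sslv3_server_hello, TLS1_0, TLS1_2))  # False: "unsupported protocol"
    print(client_accepts(sslv3_server_hello, SSL3_0, SSL3_0))  # True: what -ssl3 does
```

To run it over the attached capture, feed parse_hello() the TCP payload of the first packet in each direction; the two "Protocol : SSLv3" sessions above correspond to both hellos carrying 0x0300.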
Re: Simplify in_broadcast()
On 20 November 2014 at 15:24, Martin Pieuchot mpieuc...@nolizard.org wrote: Diff below makes the function always iterate on all the interfaces. After that I'd like to change ifa_ifwithaddr() to only match unicast addresses and use in_broadcast() in the few places where we also accept broadcast addresses. This would prevent people from matching a broadcast address when they don't want to. Ok? OK
struct route
3 places where we don't need any struct route. ok? Index: netinet/ip_icmp.c === RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.126 diff -u -p -r1.126 ip_icmp.c --- netinet/ip_icmp.c 1 Nov 2014 21:40:38 - 1.126 +++ netinet/ip_icmp.c 25 Nov 2014 14:51:16 - @@ -912,19 +912,16 @@ icmp_sysctl(int *name, u_int namelen, vo struct rtentry * icmp_mtudisc_clone(struct in_addr dst, u_int rtableid) { - struct sockaddr_in *sin; - struct route ro; + struct sockaddr_in sin; struct rtentry *rt; int error; - memset(ro, 0, sizeof(ro)); - ro.ro_tableid = rtableid; - sin = satosin(ro.ro_dst); - sin-sin_family = AF_INET; - sin-sin_len = sizeof(*sin); - sin-sin_addr = dst; + memset(sin, 0, sizeof(sin)); + sin.sin_family = AF_INET; + sin.sin_len = sizeof(sin); + sin.sin_addr = dst; - rt = rtalloc(ro.ro_dst, RT_REPORT|RT_RESOLVE, rtableid); + rt = rtalloc(sintosa(sin), RT_REPORT|RT_RESOLVE, rtableid); if (rt == NULL) return (NULL); @@ -940,7 +937,7 @@ icmp_mtudisc_clone(struct in_addr dst, u struct rt_addrinfo info; memset(info, 0, sizeof(info)); - info.rti_info[RTAX_DST] = sintosa(sin); + info.rti_info[RTAX_DST] = sintosa(sin); info.rti_info[RTAX_GATEWAY] = rt-rt_gateway; info.rti_flags = RTF_GATEWAY | RTF_HOST | RTF_DYNAMIC; Index: netinet/ip_output.c === RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v retrieving revision 1.272 diff -u -p -r1.272 ip_output.c --- netinet/ip_output.c 20 Nov 2014 15:55:04 - 1.272 +++ netinet/ip_output.c 25 Nov 2014 14:51:16 - @@ -1663,8 +1663,8 @@ ip_setmoptions(int optname, struct ip_mo struct ifnet *ifp = NULL; struct ip_moptions *imo = *imop; struct in_multi **immp; - struct route ro; - struct sockaddr_in *dst, sin; + struct rtentry *rt; + struct sockaddr_in sin; int i, error = 0; u_char loop; 
@@ -1768,21 +1768,18 @@ ip_setmoptions(int optname, struct ip_mo * the route to the given multicast address. */ if (mreq-imr_interface.s_addr == INADDR_ANY) { - ro.ro_rt = NULL; - dst = satosin(ro.ro_dst); - dst-sin_len = sizeof(*dst); - dst-sin_family = AF_INET; - dst-sin_addr = mreq-imr_multiaddr; - if (!(ro.ro_rt ro.ro_rt-rt_ifp - (ro.ro_rt-rt_flags RTF_UP))) - ro.ro_rt = rtalloc(ro.ro_dst, - RT_REPORT|RT_RESOLVE, rtableid); - if (ro.ro_rt == NULL) { + memset(sin, 0, sizeof(sin)); + sin.sin_len = sizeof(sin); + sin.sin_family = AF_INET; + sin.sin_addr = mreq-imr_multiaddr; + rt = rtalloc(sintosa(sin), RT_REPORT|RT_RESOLVE, + rtableid); + if (rt == NULL) { error = EADDRNOTAVAIL; break; } - ifp = ro.ro_rt-rt_ifp; - rtfree(ro.ro_rt); + ifp = rt-rt_ifp; + rtfree(rt); } else { memset(sin, 0, sizeof(sin)); sin.sin_len = sizeof(sin); Index: netinet6/frag6.c === RCS file: /home/ncvs/src/sys/netinet6/frag6.c,v retrieving revision 1.57 diff -u -p -r1.57 frag6.c --- netinet6/frag6.c18 Nov 2014 02:37:31 - 1.57 +++ netinet6/frag6.c25 Nov 2014 14:51:16 - @@ -172,8 +172,8 @@ frag6_input(struct mbuf **mp, int *offp, int fragoff, frgpartlen;/* must be larger than u_int16_t */ struct ifnet *dstifp; #ifdef IN6_IFSTAT_STRICT - struct route_in6 ro; - struct sockaddr_in6 *dst; + struct sockaddr_in6 dst; + struct rtentry *rt; #endif u_int8_t ecn, ecn0; @@ -185,21 +185,19 @@ frag6_input(struct mbuf **mp, int *offp, dstifp = NULL; #ifdef IN6_IFSTAT_STRICT /* find the destination interface of the packet. */ - bzero(ro, sizeof(ro)); - ro.ro_tableid = m-m_pkthdr.ph_rtableid; - dst = ro.ro_dst; - dst-sin6_family = AF_INET6; - dst-sin6_len = sizeof(struct sockaddr_in6); - dst-sin6_addr = ip6-ip6_dst; + memset(dst, 0, sizeof(dst)); + dst.sin6_family = AF_INET6; + dst.sin6_len = sizeof(struct sockaddr_in6); + dst.sin6_addr = ip6-ip6_dst; -
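Review bot: in the second icmp_mtudisc_clone() hunk, `sin` is now a struct rather than a pointer, so the replacement `info.rti_info[RTAX_DST] = sintosa(sin);` line has to pass its address (`sintosa(&sin)`); the rendered diff has lost the `&`, which makes the removed and added lines look identical here, so confirm the committed line carries it, otherwise the file does not compile.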
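Review bot: the guard dropped from the ip_setmoptions() hunk, `if (!(ro.ro_rt && ro.ro_rt->rt_ifp && (ro.ro_rt->rt_flags & RTF_UP)))`, was dead code, since `ro.ro_rt = NULL;` is the line immediately above it, so the rewrite is behaviour-preserving: old and new code both take rt_ifp from whatever rtalloc(RT_REPORT|RT_RESOLVE) returns without checking RTF_UP, and the new `memset(&sin, ...)` in the INADDR_ANY branch matches what the else branch already did.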
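Review bot: the frag6_input() hunk removes `ro.ro_tableid = m->m_pkthdr.ph_rtableid;`, and the visible diff ends just before the rtalloc() call that replaces `ro.ro_rt = rtalloc(...)`, so it cannot be checked here that m->m_pkthdr.ph_rtableid is passed explicitly; if it is not, the IN6_IFSTAT_STRICT lookup silently moves to rtable 0. Small nit in the same hunk: `dst.sin6_len = sizeof(struct sockaddr_in6);` could be `sizeof(dst)`, matching the memset line above it.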
pf(4) and struct route
Diff below removes the non-needed usages of struct route friends in pf.c, any comment or ok? Index: net/pf.c === RCS file: /home/ncvs/src/sys/net/pf.c,v retrieving revision 1.896 diff -u -p -r1.896 pf.c --- net/pf.c20 Nov 2014 13:54:24 - 1.896 +++ net/pf.c25 Nov 2014 14:58:42 - @@ -2952,42 +2952,36 @@ pf_calc_mss(struct pf_addr *addr, sa_fam { #ifdef INET struct sockaddr_in *dst; - struct route ro; #endif /* INET */ #ifdef INET6 struct sockaddr_in6 *dst6; - struct route_in6 ro6; #endif /* INET6 */ struct rtentry *rt = NULL; + struct sockaddr_storage ss; int hlen; u_int16_tmss = tcp_mssdflt; + memset(ss, 0, sizeof(ss)); + switch (af) { #ifdef INET case AF_INET: hlen = sizeof(struct ip); - bzero(ro, sizeof(ro)); - dst = (struct sockaddr_in *)ro.ro_dst; + dst = (struct sockaddr_in *)ss; dst-sin_family = AF_INET; dst-sin_len = sizeof(*dst); dst-sin_addr = addr-v4; - ro.ro_tableid = rtableid; - ro.ro_rt = rtalloc(ro.ro_dst, RT_REPORT, ro.ro_tableid); - rt = ro.ro_rt; + rt = rtalloc(sintosa(dst), RT_REPORT, rtableid); break; #endif /* INET */ #ifdef INET6 case AF_INET6: hlen = sizeof(struct ip6_hdr); - bzero(ro6, sizeof(ro6)); - dst6 = (struct sockaddr_in6 *)ro6.ro_dst; + dst6 = (struct sockaddr_in6 *)ss; dst6-sin6_family = AF_INET6; dst6-sin6_len = sizeof(*dst6); dst6-sin6_addr = addr-v6; - ro6.ro_tableid = rtableid; - ro6.ro_rt = rtalloc(sin6tosa(ro6.ro_dst), RT_REPORT, - ro6.ro_tableid); - rt = ro6.ro_rt; + rt = rtalloc(sin6tosa(dst6), RT_REPORT, rtableid); break; #endif /* INET6 */ } 
@@ -5396,25 +5390,22 @@ int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif, int rtableid) { + struct sockaddr_storage ss; struct sockaddr_in *dst; int ret = 1; int check_mpath; #ifdef INET6 struct sockaddr_in6 *dst6; - struct route_in6 ro; -#else - struct route ro; #endif struct rtentry *rt; struct ifnet*ifp; check_mpath = 0; - bzero(ro, sizeof(ro)); - ro.ro_tableid = rtableid; + memset(ss, 0, sizeof(ss)); switch (af) { #ifdef INET case AF_INET: - dst = (struct sockaddr_in *)ro.ro_dst; + dst = (struct sockaddr_in *)ss; dst-sin_family = AF_INET; dst-sin_len = sizeof(*dst); dst-sin_addr = addr-v4; @@ -5430,7 +5421,7 @@ pf_routable(struct pf_addr *addr, sa_fam */ if (IN6_IS_SCOPE_EMBED(addr-v6)) goto out; - dst6 = ro.ro_dst; + dst6 = (struct sockaddr_in6 *)ss; dst6-sin6_family = AF_INET6; dst6-sin6_len = sizeof(*dst6); dst6-sin6_addr = addr-v6; @@ -5444,10 +5435,8 @@ pf_routable(struct pf_addr *addr, sa_fam if (kif != NULL kif-pfik_ifp-if_type == IFT_ENC) goto out; - ro.ro_rt = rtalloc((struct sockaddr *)ro.ro_dst, RT_REPORT, - ro.ro_tableid); - - if (ro.ro_rt != NULL) { + rt = rtalloc((struct sockaddr *)ss, RT_REPORT, rtableid); + if (rt != NULL) { /* No interface given, this is a no-route check */ if (kif == NULL) goto out; @@ -5459,7 +5448,6 @@ pf_routable(struct pf_addr *addr, sa_fam /* Perform uRPF check if passed input interface */ ret = 0; - rt = ro.ro_rt; do { if (rt-rt_ifp-if_type == IFT_CARP) ifp = rt-rt_ifp-if_carpdev; @@ -5473,8 +5461,8 @@ pf_routable(struct pf_addr *addr, sa_fam } else ret = 0; out: - if (ro.ro_rt != NULL) - rtfree(ro.ro_rt); + if (rt != NULL) + rtfree(rt); return (ret); } @@ -5482,21 +5470,19 @@ int pf_rtlabel_match(struct pf_addr *addr, sa_family_t af, struct pf_addr_wrap *aw, int rtableid) { + struct sockaddr_storage ss; struct sockaddr_in *dst; #ifdef INET6 struct sockaddr_in6 *dst6; - struct route_in6 ro; -#else - struct route ro; #endif + struct rtentry *rt; int ret = 0; - bzero(ro, sizeof(ro)); -
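Review bot: pf_routable() now frees an uninitialised pointer on its early exits. `struct rtentry *rt;` stays an unchanged, uninitialised declaration, and rt is only assigned at the new `rt = rtalloc((struct sockaddr *)&ss, RT_REPORT, rtableid);`, yet both `goto out` paths that precede it (the IN6_IS_SCOPE_EMBED check and the `kif->pfik_ifp->if_type == IFT_ENC` check) now land on `if (rt != NULL) rtfree(rt);`. The old code was safe only because `bzero(&ro, sizeof(ro))` made ro.ro_rt NULL. Initialise at declaration, `struct rtentry *rt = NULL;`, as pf_calc_mss() already does.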
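Review bot: the pf_calc_mss() hunk is sound because its `struct rtentry *rt = NULL;` is initialised, so the switch falling through with neither family matched still reaches the existing NULL handling; the per-family casts of `&ss` to sockaddr_in and sockaddr_in6 are fine (sockaddr_storage is sized and aligned for either), but a one-line comment that ss is deliberately a shared, oversized buffer would stop a reader from "correcting" the sin_len/sin6_len assignments to sizeof(ss).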
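Review bot: pf_rtlabel_match() likewise gains a bare `struct rtentry *rt;` and loses the `bzero(&ro, sizeof(ro))` that used to guarantee a NULL route on early returns; the visible part of the hunk ends before the rtalloc() call and the function's exit path, so apply the same `= NULL` initialisation here unless every path that frees rt is provably after the assignment.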
patch: integer overflows and oob memory access
Hi, it is possible to overflow line numbers in patch; this diff cares about the lines specified in diff files. If such an overflow happens with unified diffs, out of bound memory access can occur. If you have a 32 bit system, take this one (LONG_MAX = 2^31 - 1): --- a Sat Nov 15 00:25:29 2014 +++ b Sat Nov 15 00:06:50 2014 @@ -1 +2147483647,2147483647 @@ -a +b If you have a 64 bit system, take this one, untested (LONG_MAX = 2^63 - 1): --- a Sat Nov 15 00:25:29 2014 +++ b Sat Nov 15 00:06:50 2014 @@ -1 +9223372036854775807,9223372036854775807 @@ -a +b $ arch OpenBSD.i386 $ touch a $ patch a arch.diff Hmm... Looks like a unified diff to me... The text leading up to this was: -- |--- a Sat Nov 15 00:25:29 2014 |+++ b Sat Nov 15 00:06:50 2014 -- Patching file a using Plan A... Segmentation fault (core dumped) $ _ Tobias Index: pch.c === RCS file: /cvs/src/usr.bin/patch/pch.c,v retrieving revision 1.45 diff -u -p -u -p -r1.45 pch.c --- pch.c 25 Nov 2014 10:26:07 - 1.45 +++ pch.c 25 Nov 2014 15:19:59 - @@ -585,12 +585,17 @@ another_hunk(void) if (!*s) malformed(); p_ptrn_lines = strtolinenum(s, s) - p_first + 1; + if (p_ptrn_lines 0) + malformed(); } else if (p_first) p_ptrn_lines = 1; else { p_ptrn_lines = 0; p_first = 1; } + if (p_first = LINENUM_MAX - p_ptrn_lines || + p_ptrn_lines = LINENUM_MAX - 6) + malformed(); /* we need this much at least */ p_max = p_ptrn_lines + 6; @@ -652,12 +657,17 @@ another_hunk(void) malformed(); p_repl_lines = strtolinenum(s, s) - p_newfirst + 1; + if (p_repl_lines 0) + malformed(); } else if (p_newfirst) p_repl_lines = 1; else { p_repl_lines = 0; p_newfirst = 1; } + if (p_newfirst = LINENUM_MAX - p_repl_lines || + p_repl_lines = LINENUM_MAX - p_end) + malformed(); p_max = p_repl_lines + p_end; if (p_max MAXHUNKSIZE) fatal(hunk too large (%ld lines) at line %ld: %s, 
@@ -868,6 +878,10 @@ hunk_done: s++; if (*s != '@') malformed(); + if (p_first = LINENUM_MAX - p_ptrn_lines || + p_newfirst LINENUM_MAX - p_repl_lines || + p_ptrn_lines = LINENUM_MAX - p_repl_lines - 1) + malformed(); if (!p_ptrn_lines) p_first++; /* do append rather than insert */ p_max = p_ptrn_lines + p_repl_lines + 1; @@ -1010,8 +1024,12 @@ hunk_done: p_first = strtolinenum(buf, s); if (*s == ',') { p_ptrn_lines = strtolinenum(s + 1, s) - p_first + 1; + if (p_ptrn_lines 0) + malformed(); } else p_ptrn_lines = (*s != 'a'); + if (p_first = LINENUM_MAX - p_ptrn_lines) + malformed(); hunk_type = *s; if (hunk_type == 'a') p_first++; /* do append rather than insert */ @@ -1020,16 +1038,21 @@ hunk_done: max = strtolinenum(s + 1, s); else max = min; + if (min 0 || min max || max - min == LINENUM_MAX) + malformed(); if (hunk_type == 'd') min++; - p_end = p_ptrn_lines + 1 + max - min + 1; + p_newfirst = min; + p_repl_lines = max - min + 1; + if (p_newfirst LINENUM_MAX - p_repl_lines ||
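Review bot: in the context-diff hunks at 585 and 657 the new negative-length tests sit after `p_ptrn_lines = strtolinenum(s, &s) - p_first + 1` (and the p_repl_lines equivalent) have already been evaluated, and that expression itself can wrap when the parsed end is LINENUM_MAX and p_first is 0, which is undefined behaviour on a signed long before the check ever runs. The normal-diff hunk at 1038 already has the right shape: it validates the pair first (`min < 0 || min > max || max - min == LINENUM_MAX`) and only then forms `max - min + 1`. Use the same order in the two context-diff paths, comparing the parsed end against p_first / p_newfirst before the subtraction, so malformed() is reached without relying on wraparound.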
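The crash Tobias shows above comes from doing arithmetic on hunk-header line numbers before they are checked. As an added example that is not patch(1)'s own code, here is a stand-alone C reader for the unified hunk header `@@ -start[,count] +start[,count] @@` that applies the bounds the diff introduces (start + count, and old + new + 1, both kept below LINENUM_MAX) in one place and rejects the LONG_MAX header from the mail on whatever word size it is built for. The function names, the `struct hunk` layout and the `LINENUM_MAX` define are assumptions; the normal and context formats, which carry first,last pairs instead of start,count, are deliberately left out.

```c
/*
 * Added example, not patch(1)'s own code: a bounds-checked reader for the
 * unified-diff hunk header "@@ -start[,count] +start[,count] @@".  Every
 * limit is applied before a number is used, which is what turns the
 * segfaulting header from the mail into a rejected one.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINENUM_MAX LONG_MAX	/* patch(1) keeps line numbers in a long */

struct hunk {			/* assumed layout, not patch(1)'s globals */
	long old_start, old_lines;
	long new_start, new_lines;
};

/* One unsigned decimal line number; -1 when there are no digits or the
 * literal does not fit in a long (strtol reports that as ERANGE). */
static int
parse_linenum(const char *s, char **end, long *out)
{
	if (*s < '0' || *s > '9')
		return -1;
	errno = 0;
	*out = strtol(s, end, 10);
	return errno == ERANGE ? -1 : 0;
}

/* "<sign>start[,count]"; a missing count means 1.  Reject the range when
 * start + count would exceed LINENUM_MAX, the sum patch(1) forms when it
 * walks the hunk; written as a subtraction so the test itself cannot wrap. */
static int
parse_range(const char *s, char sign, char **end, long *start, long *count)
{
	if (*s++ != sign || parse_linenum(s, end, start) == -1)
		return -1;
	if (**end == ',') {
		if (parse_linenum(*end + 1, end, count) == -1)
			return -1;
	} else
		*count = 1;
	return *start > LINENUM_MAX - *count ? -1 : 0;
}

/* 0 and *h filled for a sane header, -1 for a malformed or overflowing one. */
int
parse_unified_hunk_header(const char *line, struct hunk *h)
{
	char *p;

	if (strncmp(line, "@@ ", 3) != 0 ||
	    parse_range(line + 3, '-', &p, &h->old_start, &h->old_lines) == -1 ||
	    *p++ != ' ' ||
	    parse_range(p, '+', &p, &h->new_start, &h->new_lines) == -1 ||
	    strncmp(p, " @@", 3) != 0)
		return -1;
	/* patch(1) sizes its hunk buffer as old_lines + new_lines + 1 */
	if (h->old_lines > LINENUM_MAX - 1 - h->new_lines)
		return -1;
	return 0;
}

/* Hunk buffer size patch(1) would need for this header, or -1 if rejected. */
long
hunk_buffer_lines(const char *line)
{
	struct hunk h;

	if (parse_unified_hunk_header(line, &h) == -1)
		return -1;
	return h.old_lines + h.new_lines + 1;
}

/* Build the header from the mail for the local long size (it is
 * "@@ -1 +2147483647,2147483647 @@" on i386) and report whether it is rejected. */
int
overflowing_header_is_rejected(void)
{
	char line[80];

	snprintf(line, sizeof(line), "@@ -1 +%ld,%ld @@", LINENUM_MAX, LINENUM_MAX);
	return hunk_buffer_lines(line) == -1;
}

int
main(void)
{
	printf("@@ -10,3 +12,4 @@ needs %ld buffer lines\n",
	    hunk_buffer_lines("@@ -10,3 +12,4 @@ another_hunk(void)"));
	printf("LINENUM_MAX header %s\n",
	    overflowing_header_is_rejected() ? "rejected" : "ACCEPTED");
	return 0;
}
```

The two checks are written as `start > LINENUM_MAX - count` rather than `start + count > LINENUM_MAX` on purpose: the second form performs the very addition it is trying to guard, and a compiler is free to assume it never overflows.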
Re: patch: add regression tests
On Tue, Nov 25, 2014 at 04:34:25PM +0100, Tobias Stoeckmann wrote: Hi, the regress tests for patch only cover unified diffs so far. I guess nobody minds if I add 3 tests for: - normal diff - context diff - ed diff regress does not need oks, just add stuff if you think it makes sense (it does, however). -Otto Tobias Index: Makefile === RCS file: /cvs/src/regress/usr.bin/patch/Makefile,v retrieving revision 1.7 diff -u -p -u -p -r1.7 Makefile --- Makefile 20 Aug 2008 18:29:37 - 1.7 +++ Makefile 25 Nov 2014 15:17:35 - @@ -3,7 +3,7 @@ PATCH=patch PATCHOPTIONS=-sN -REGRESS_TARGETS=t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 +REGRESS_TARGETS=t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t13 t14 t15 t16 # .in: input file # .diff: patch @@ -11,7 +11,7 @@ REGRESS_TARGETS=t1 t2 t3 t4 t5 t6 t7 t8 # t1: diff contains invalid line number 0. # t2: diff contains invalid line numbers beyond end of input file. -# t3: a case where it patch should detect a previously applied patch. +# t3: a case where patch should detect a previously applied patch. # Diff transform an empty file into a single line one. Currently fails. # t4: a case where patch has to detect a previously applied patch. # Diff transform a file with a single line with an eol into a single @@ -20,6 +20,9 @@ REGRESS_TARGETS=t1 t2 t3 t4 t5 t6 t7 t8 # t6-t12: various cases of no eol at end of file handling. # t13: a case where patch has to detect a previously applied patch. # Diff transform a file ending with no eol into a file ending with eol. +# t14: diff in normal diff format. +# t15: diff in context diff format. +# t16: diff in ed format. all: clean ${REGRESS_TARGET} Index: t14.diff === RCS file: t14.diff diff -N t14.diff --- /dev/null 1 Jan 1970 00:00:00 - +++ t14.diff 25 Nov 2014 15:17:35 - @@ -0,0 +1,13 @@ +1d0 + line 0 +2a2 + line between 1 and 2 +4,5c4,5 + line 3 + line 4 +--- + adjusted line 3 + adjusted line 4 +7,8d6 + line 6 + line 7 Index: t14.in === RCS file: t14.in diff -N t14.in 
--- /dev/null 1 Jan 1970 00:00:00 - +++ t14.in25 Nov 2014 15:17:35 - @@ -0,0 +1,8 @@ +line 0 +line 1 +line 2 +line 3 +line 4 +line 5 +line 6 +line 7 Index: t14.out === RCS file: t14.out diff -N t14.out --- /dev/null 1 Jan 1970 00:00:00 - +++ t14.out 25 Nov 2014 15:17:35 - @@ -0,0 +1,6 @@ +line 1 +line between 1 and 2 +line 2 +adjusted line 3 +adjusted line 4 +line 5 Index: t15.diff === RCS file: t15.diff diff -N t15.diff --- /dev/null 1 Jan 1970 00:00:00 - +++ t15.diff 25 Nov 2014 15:17:35 - @@ -0,0 +1,19 @@ +*** t15.orig Tue Nov 25 15:33:48 2014 +--- t15.in Tue Nov 25 15:33:56 2014 +*** +*** 1,8 +- line 0 + line 1 + line 2 +! line 3 +! line 4 + line 5 +- line 6 +- line 7 +--- 1,6 + line 1 ++ line between 1 and 2 + line 2 +! adjusted line 3 +! adjusted line 4 + line 5 Index: t15.in === RCS file: t15.in diff -N t15.in --- /dev/null 1 Jan 1970 00:00:00 - +++ t15.in25 Nov 2014 15:17:35 - @@ -0,0 +1,8 @@ +line 0 +line 1 +line 2 +line 3 +line 4 +line 5 +line 6 +line 7 Index: t15.out === RCS file: t15.out diff -N t15.out --- /dev/null 1 Jan 1970 00:00:00 - +++ t15.out 25 Nov 2014 15:17:35 - @@ -0,0 +1,6 @@ +line 1 +line between 1 and 2 +line 2 +adjusted line 3 +adjusted line 4 +line 5 Index: t16.diff === RCS file: t16.diff diff -N t16.diff --- /dev/null 1 Jan 1970 00:00:00 - +++ t16.diff 25 Nov 2014 15:17:35 - @@ -0,0 +1,9 @@ +7,8d +4,5c +adjusted line 3 +adjusted line 4 +. +2a +line between 1 and 2 +. +1d Index: t16.in === RCS file: t16.in diff -N t16.in --- /dev/null 1 Jan 1970 00:00:00 - +++ t16.in25 Nov 2014 15:17:35 - @@ -0,0 +1,8 @@ +line 0 +line 1 +line 2 +line 3 +line 4 +line 5 +line 6 +line 7 Index: t16.out === RCS file: t16.out diff -N t16.out --- /dev/null 1 Jan 1970 00:00:00 - +++ t16.out 25 Nov 2014 15:17:35 - @@ -0,0 +1,6 @@ +line 1 +line between 1 and 2 +line 2 +adjusted line 3 +adjusted line 4 +line 5
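Review bot: t14, t15 and t16 only cover the success path of the three new formats, and all three reuse the same eight-line input and six-line expected output, so they confirm that patch applies a valid normal, context and ed script but nothing about how it behaves when such a script is malformed. Since the parser changes in pch.c being discussed at the same time are exactly about bad line ranges in the context and normal formats, consider adding one negative case per format next to these, in the style of t1 and t2 (a normal-diff range whose end precedes its start, a context hunk whose `*** 1,8 ****` range disagrees with the lines that follow), so the malformed() path gets exercised too.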
Re: locate(1): ignore paths longer than MAXPATHLEN
Tobias Stoeckmann wrote: I would free() it nonetheless outside the while loop. For the sake of faster review. But that's just my opinion. Also, it would be nice if there is only one len/sizeof() check after fgetln. Which means that the check should be done after the if/else-block. Could happen that we malloc memory for nothing, but hey: It happens only once and just if there is a missing newline. And while at it, silently ignoring lines doesn't sound like a good idea. I would even go for an err() call; or at least warn(). Again, thank you for your suggestions. I didn't think about factoring out the len/sizeof comparisons. I have also added the free() call, and an errx() call when a pathname is too long. Nicolas Bedos Index: src/usr.bin/locate//bigram/locate.bigram.c === RCS file: /cvs/src/usr.bin/locate/bigram/locate.bigram.c,v retrieving revision 1.12 diff -u -p -u -r1.12 locate.bigram.c --- src/usr.bin/locate//bigram/locate.bigram.c 27 Oct 2009 23:59:39 - 1.12 +++ src/usr.bin/locate//bigram/locate.bigram.c 25 Nov 2014 18:46:34 - @@ -43,13 +43,13 @@ * Use 'code' to encode a file using this output. */ +#include limits.h/* for PATH_MAX */ #include stdio.h #include stdlib.h -#include sys/param.h /* for MAXPATHLEN */ #include locate.h -u_char buf1[MAXPATHLEN] = ; -u_char buf2[MAXPATHLEN]; +u_char buf1[PATH_MAX] = ; +u_char buf2[PATH_MAX]; u_int bigram[UCHAR_MAX + 1][UCHAR_MAX + 1]; int Index: src/usr.bin/locate//code/locate.code.c === RCS file: /cvs/src/usr.bin/locate/code/locate.code.c,v retrieving revision 1.17 diff -u -p -u -r1.17 locate.code.c --- src/usr.bin/locate//code/locate.code.c 17 Nov 2013 20:19:36 - 1.17 +++ src/usr.bin/locate//code/locate.code.c 25 Nov 2014 18:46:34 - @@ -78,10 +78,10 @@ * Wolfram Schneider, Berlin September 1996 */ -#include sys/param.h #include err.h #include errno.h +#include limits.h #include stdio.h #include stdlib.h #include string.h 
@@ -91,8 +91,7 @@ #defineBGBUFSIZE (NBG * 2) /* size of bigram buffer */ -u_char buf1[MAXPATHLEN] = ; -u_char buf2[MAXPATHLEN]; +u_char buf[PATH_MAX] = ; u_char bigrams[BGBUFSIZE + 1] = { 0 }; #define LOOKUP 1 /* use a lookup array instead a function, 3x faster */ @@ -115,7 +114,8 @@ extern int optopt; int main(int argc, char *argv[]) { - u_char *cp, *oldpath, *path; + u_char *cp, *oldpath, *path, *mbuf; + size_t len; int ch, code, count, diffcount, oldcount; FILE *fp; int i, j; @@ -156,23 +156,31 @@ main(int argc, char *argv[]) #endif /* LOOKUP */ - oldpath = buf1; - path = buf2; + oldpath = buf; oldcount = 0; + mbuf = NULL; - while (fgets(path, sizeof(buf2), stdin) != NULL) { - + while ((path=(u_char *)fgetln(stdin, len)) != NULL) { /* skip empty lines */ if (*path == '\n') continue; - /* remove newline */ - for (cp = path; *cp != '\0'; cp++) { - /* chop newline */ - if (*cp == '\n') - *cp = '\0'; + if (path[len-1] == '\n') { + /* remove newline */ + path[len-1] = '\0'; + } else { + if ((mbuf = malloc(len+1)) == NULL) + err(1, malloc); + memcpy(mbuf, path, len); + mbuf[len] = '\0'; + len++; + path = mbuf; } + if (len sizeof(buf)) + errx(1, pathname exceeding %zu byte limit: %s, + sizeof(buf), path); + /* Skip longest common prefix. */ for (cp = path; *cp == *oldpath; cp++, oldpath++) if (*cp == '\0') @@ -222,14 +230,11 @@ main(int argc, char *argv[]) } } - if (path == buf1) { /* swap pointers */ - path = buf2; - oldpath = buf1; - } else { - path = buf1; - oldpath = buf2; - } + memcpy(buf, path, len); } + + free(mbuf); + /* Non-zero status if there were errors */ if (fflush(stdout) != 0 || ferror(stdout)) exit(1); Index: src/usr.bin/locate//locate/fastfind.c === RCS file: /cvs/src/usr.bin/locate/locate/fastfind.c,v retrieving revision 1.11 diff -u -p -u -r1.11 fastfind.c --- src/usr.bin/locate//locate/fastfind.c 25 Oct 2010 19:16:45 -
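Review bot: in the locate.code.c main loop `oldpath` is pointed at `buf` once, before the `while`, but the longest-common-prefix loop advances it (`cp++, oldpath++`) and the new tail of the loop, `memcpy(buf, path, len);`, never points it back at the start of `buf`. The removed `if (path == buf1) { ... } else { ... }` swap did that reset on every iteration, so after this change the second and later paths are compared against a stale position inside the previous path and the prefix counts, and with them the encoded output, go wrong. Add `oldpath = buf;` immediately after the memcpy. The single `free(mbuf)` after the loop is sufficient, since only a final line without a newline can reach the malloc branch.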
Re: LibreSSL-portable 2.1.1 s_client supports connecting to SSLv3 servers
Hi Joel, Brent, Thanks for the clarification! Joel: You're not seeing me doing an s_server -ssl3 as I was assuming that was not available, I was using OpenSSL 1.0.1j from FreeBSD 10.1 base to run the sslv3-only server. Just tested and indeed it is still possible to create an SSLv3 server with LibreSSL 2.1.1 $ /usr/local/bin/openssl s_server -ssl3 -accept 4443 Using default temp DH parameters Using default temp ECDH parameters ACCEPT -BEGIN SSL SESSION PARAMETERS- MHUCAQECAgMABALAFAQgQIMFttih6H+d/qjB8ckEsiZiM+YbpJaXh9bCrKoNVWwE MIrKGaJqgQagkKufuctMdtzWf6Yj6LYgoJwDF/csnIERa8M6S78SIhUn4enymt3Z gaEGAgRUdKPOogQCAhwgpAYEBAE= -END SSL SESSION PARAMETERS- Shared ciphers:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA CIPHER is ECDHE-RSA-AES256-SHA Secure Renegotiation IS supported ERROR shutting down SSL CONNECTION CLOSED ACCEPT again, /usr/local/bin/openssl is LibreSSL 2.1.1 (/usr/bin/)openssl is OpenSSL 1.0.1j-freebsd 15 Oct 2014 from FreeBSD 10.1-RELEASE Kind regards, Bernard Spil. On 2014-11-25 15:40, Joel Sing wrote: On Tue, 25 Nov 2014, Bernard Spil wrote: Hi, Running LibreSSL portable 2.1.1 from FreeBSD ports on FreeBSD 10.1 $ /usr/local/bin/openssl version LibreSSL 2.1 $ uname -a FreeBSD meterkast3.example.org 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r264324M: Tue Nov 11 13:46:58 CET 2014 r...@meterkast3.example.org:/usr/obj/usr/src/sys/BEASTIE101 amd64 To my surprise, the LibreSSL openssl binary does not see the -sslv3 option as an error. 
(examples and captures with google.com server) $ /usr/local/bin/openssl s_client -connect 173.194.65.147:443 -ssl3 CONNECTED(0003) where I would expect the same behaviour as e.g. openssl 0.9.8 when calling it with the -tls1_2 option. Next to that I see that it successfully negotiates a connection using an ssl3-capable server. Client Hello and Server Hello both have 0x0300 as can be seen in attached capture and at end of this mail. Is this expected behaviour? Yes. I.e. has LibreSSL only removed the sslv3 server capability? SSLv3 has only been disabled by default - if you explicitly ask for it then you still get it. In the case of s_client, the -ssl3 option explicitly switches to the SSLv3 client method, hence it will *only* negotiate SSLv3. When I set up an SSL server with OpenSSL 1.0.1j from base, I can not connect to it straight away but I can connect when I use -ssl3 (both in log below) Are you saying that running 'openssl s_client' fails to connect to 'openssl s_server'? I do not see any example where you are not specifying -ssl3 with s_server - by doing that you can only ever connect to it with SSLv3 (-ssl3 does not enable the negotiation of SSLv3, it makes it SSLv3 *only*). 
$ openssl version OpenSSL 1.0.1j-freebsd 15 Oct 2014 $ openssl s_server -ssl3 -accept 4443 Using default temp DH parameters Using default temp ECDH parameters ACCEPT ERROR shutting down SSL CONNECTION CLOSED ACCEPT -BEGIN SSL SESSION PARAMETERS- snip -END SSL SESSION PARAMETERS- snipCIPHER is ECDHE-RSA-AES256-SHA Secure Renegotiation IS supported DONE shutting down SSL CONNECTION CLOSED ACCEPT $ /usr/local/bin/openssl s_client -connect localhost:4443 CONNECTED(0003) 34378806536:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:497: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 280 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- $ /usr/local/bin/openssl s_client -connect localhost:4443 -ssl3 snip --- SSL handshake has read 1524 bytes and written 262 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher: ECDHE-RSA-AES256-SHA Session-ID: 468B5F3CE1CF1CDA9F49312EE9424BD985B22FC1A9EA92692C9C6EB818F0C725 Session-ID-ctx: Master-Key: 78D830C15F518C6FC9C5D9760B8B3F09D58F516944E72C9F2A89D3B3E6DD6D78189B1B0A702 D4FBB8CDDEBF83B19A433 Start Time: 1416914867 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- Thanks! Bernard (Barnerd) Spil. depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0
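The point Joel makes in the thread above, that `-ssl3` does not add SSLv3 to the negotiation but pins the client to SSLv3 only, is visible on the wire: the ClientHello carries 0x0300 as both record version and client_version, so the peer can either complete an SSLv3 handshake or refuse. The seven bytes the failing s_client run above reports having read are the size of exactly one alert record (a five-byte header plus level and description). As an added example that is not LibreSSL's or OpenSSL's code, the Python below builds such a version-pinned ClientHello and classifies the first record a server sends back. The cipher-suite list, the all-zero client random and the two sample responses are constructed for the demo, not captured traffic; the function names are assumptions.

```python
"""
Added example, not LibreSSL's or OpenSSL's own code: what `s_client -ssl3`
does on the wire.  It builds a ClientHello whose record version and
client_version are both SSL 3.0 (0x0300), so the peer can only answer with
an SSLv3 ServerHello or refuse, and it classifies the first record that
comes back.  The sample responses below are constructed, not captured.
"""
import socket
import struct

SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

# Assumed default offer: three suites from the s_server log above by their
# IANA code points (ECDHE-RSA-AES256-SHA, AES256-SHA, DES-CBC3-SHA).
DEFAULT_SUITES = (0xC014, 0x0035, 0x000A)


def build_client_hello(version=SSL3, suites=DEFAULT_SUITES,
                       client_random=bytes(32)):
    """One record carrying a ClientHello that offers exactly `version`.

    The all-zero random keeps the output reproducible; a real client
    must use os.urandom(32).
    """
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + client_random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                              # null compression only
    handshake = (bytes([CLIENT_HELLO])
                 + struct.pack("!I", len(body))[1:]     # 24-bit length
                 + body)
    record = bytes([HANDSHAKE]) + struct.pack("!HH", version, len(handshake))
    return record + handshake


def classify_response(data):
    """Classify the first record a server sends back to the ClientHello.

    Returns ("server_hello", negotiated_version), ("alert", level, desc),
    ("closed",) when the peer shut the socket without a record, or
    ("unknown", content_type).
    """
    if len(data) < 5:
        return ("closed",)
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        (negotiated,) = struct.unpack("!H", payload[4:6])
        return ("server_hello", negotiated)
    if ctype == ALERT and len(payload) >= 2:
        return ("alert", payload[0], payload[1])      # level, description
    return ("unknown", ctype)


def speaks_sslv3(response):
    """True only when the peer completed the SSLv3 offer with an SSLv3 ServerHello."""
    verdict = classify_response(response)
    return verdict[0] == "server_hello" and verdict[1] == SSL3


def probe(host, port, version=SSL3, timeout=5.0):
    """Live version of the above; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        return classify_response(sock.recv(4096))


# Constructed sample responses (demo assumptions, not real captures):
# an SSLv3 ServerHello selecting ECDHE-RSA-AES256-SHA with an empty session id ...
SAMPLE_SSL3_SERVER_HELLO = (
    bytes([HANDSHAKE]) + struct.pack("!HH", SSL3, 42)
    + bytes([SERVER_HELLO]) + b"\x00\x00\x26"
    + struct.pack("!H", SSL3) + bytes(32) + b"\x00" + b"\xc0\x14" + b"\x00")
# ... and a 7-byte fatal protocol_version alert (level 2, description 70),
# the kind of record a peer sends when it refuses the offered version.
SAMPLE_PROTOCOL_VERSION_ALERT = (
    bytes([ALERT]) + struct.pack("!HH", SSL3, 2) + b"\x02\x46")

if __name__ == "__main__":
    hello = build_client_hello()
    print("ClientHello record version %#06x, client_version %#06x"
          % (struct.unpack("!H", hello[1:3])[0],
             struct.unpack("!H", hello[9:11])[0]))
    print(classify_response(SAMPLE_SSL3_SERVER_HELLO),
          speaks_sslv3(SAMPLE_SSL3_SERVER_HELLO))
    print(classify_response(SAMPLE_PROTOCOL_VERSION_ALERT))
```

Passing `TLS12` instead of `SSL3` to `build_client_hello` gives the shape of an ordinary s_client run; the difference between the two is the whole of what `-ssl3` changes on the client side.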
faq diff: kerberos
Hi, kerberos was moved to ports, but the docs still link to kerberos(8): http://www.openbsd.org/faq/faq10.html#YP_secure Does the following diff make sense? (Apologies in advance if gmail mangles the diff, or if the diff needs to be generated with different options). --- www/faq/faq10.html.orig 2014-11-25 15:35:13.828391026 -0800 +++ www/faq/faq10.html 2014-11-25 15:42:42.269591036 -0800 @@ -1286,8 +1286,7 @@ segments carrying YP traffic can bind your YP domain and retrieve its data. In some cases, passing YP traffic through SSL or IPSec tunnels might be an option, or you might consider combining YP with -a href=http://www.openbsd.org/cgi-bin/man.cgi?query=kerberosamp;sektion=8; -kerberos(8)/a authentication. +kerberos authentication (available from ports). p a name=YP_server/a -Jonathon
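Review bot: the replacement sentence removes the only pointer the reader had without giving a new one; "available from ports" names neither the port kerberos moved to nor where to look for it. Consider naming the port, or linking the ports index, where the kerberos(8) link used to be. The markup itself is fine: both the opening `a href=...` line and the closing `/a` are in the removed span, so the page stays well-formed.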
Re: faq diff: kerberos
Sorry for the extra email... cvs diff -u below: Index: www/faq/faq10.html === RCS file: /cvs/www/faq/faq10.html,v retrieving revision 1.188 diff -u -r1.188 faq10.html --- www/faq/faq10.html 1 Nov 2014 13:42:51 - 1.188 +++ www/faq/faq10.html 25 Nov 2014 23:55:32 - @@ -1286,8 +1286,7 @@ segments carrying YP traffic can bind your YP domain and retrieve its data. In some cases, passing YP traffic through SSL or IPSec tunnels might be an option, or you might consider combining YP with -a href=http://www.openbsd.org/cgi-bin/man.cgi?query=kerberosamp;sektion=8; -kerberos(8)/a authentication. +kerberos authentication (available from ports). p a name=YP_server/a
Behavior of changing routes on OpenBSD 5.6
Hi tech, since OpenBSD 5.6 route change messages can change the interface of a route (rt_ifa) even if a message doesn't seem to require it because of a changed gateway or stuff like that. I would like to ask if it's a regression or if the new behavior is intended. Example: (only for testing - it doesn't represent my network topology) ifconfig em0 inet6 fd88::1/64 ifconfig em1 inet6 fd99::1/64 route add -inet6 fd88::666 fd99::1 route get fd88::666 interface: em1 (as expected) route change fd88::666 -mtu 1500 route get fd88::666 interface: em0 (broken - trying to ping the target results in No route to host) In the example I can work around the problem with adding a gateway while changing the mtu: route change fd88::666 fd99::1 -mtu 1500 A comment in route_output (rtsock.c) says /* * new gateway could require new ifaddr, ifp; * flags may also be different; ifp may be specified * by ll sockaddr when protocol address is ambiguous */ but there is no check for a 'new gateway'. With OpenBSD 5.5 some checks with RTAX_GATEWAY, RTAX_IFP and RTAX_IFA were made, before rt_ifa changed. Would it make sense to add a check like the following or is the new behavior intended and 'route change' has to be called with destination and gateway now? The patch is not tested very well yet, it's a proposal awaiting your comments. Regards, Florian --- sys/net/rtsock.c2014-11-26 06:08:59.0 +0100 +++ sys/net/rtsock.c.new2014-11-26 06:08:24.0 +0100 @@ -763,7 +763,7 @@ report: } ifa = info.rti_ifa; if (ifa) { - if (rt-rt_ifa != ifa) { + if (rt-rt_ifa != ifa newgate) { if (rt-rt_ifa-ifa_rtrequest) rt-rt_ifa-ifa_rtrequest( RTM_DELETE, rt);
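Review bot: gating the rt_ifa replacement on `newgate` alone drops the second half of the comment you quote: the interface may also be requested explicitly through the RTAX_IFP link-level sockaddr or RTAX_IFA, and your own description says 5.5 checked those alongside RTAX_GATEWAY before touching rt_ifa. With this hunk a change message that carries only a new interface and no gateway would leave the old rt_ifa in place. Make the condition "gateway changed, or RTAX_IFP/RTAX_IFA present in the message" rather than the gateway alone, and confirm that `newgate` is in scope at this point of route_output and is set by the RTM_CHANGE gateway handling, since the hunk uses it without showing where it comes from.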