Re: ksh version lies
There are scripts that use KSH_VERSION to determine whether they are being run under ksh or a Bourne shell. That seems like a reasonable thing to do. I don't really care what the version number is set to. Using the OpenBSD version seems reasonable and could be generated at build time. - todd
Re: PATCH: ntpctl.8, ntpd.c
On Mon, Feb 16, 2015 at 04:25:44PM +0100, Ingo Schwarze wrote:

Hi,

hi. of course your mail arrives moments after i pinged henning and reyk ;)

Jason McIntyre wrote on Sat, Feb 14, 2015 at 08:47:31AM +: On Fri, Feb 13, 2015 at 09:49:58PM -0600, Adam Thompson wrote: Fix a minor typo in the ntpctl help output, and same semantic mistake in the manpage. Currently says (to be pedantic) that '-s' only works with 'all', which is not the case: '-s' is required with all options. [...]

i didn't realise that -s was mandatory. pretty yucky that we have a utility with only one option, and it's not optional ;( before fixing the man page...could we not just have ntpctl run w/o args display all info, and use -s to select specific bits? even if we kept all for consistency with other *ctl.

To reinforce what Jeremie said, the scope of ntpctl(8) is potentially broader than just display some info, or it would be called ntpinfo(8). So i wouldn't consider squatting on the option and argument namespace by making ntpctl without options and arguments an alias for ntpctl -s all a wise move.

i disagree. i think having it do something is better than having it do nothing, and the argument that one day it might be needed for something else not really convincing.

Making ntpctl -s without argument an alias for ntpctl -s all would be even worse. POSIX discourages optional option arguments for good reasons.

note that the diff proposed would mean ntpctl -s should work.

True, Adam's diff isn't quite accurate either.

what we could maybe do is tweak the spacing: [-s all|peers|Sensors|status]

Well, that no longer solves the original problem - it doesn't make it clear that the option isn't optional.

yes, you're right. i lost sight of that ;)

Given that Henning doesn't appear to be in a hurry to add more functionality right now, but that the interface is obviously designed for extension, i think we ought to document the current state for now, see the patch below.
I don't consider the common problem with grouping in the SYNOPSIS - does -s all | peers mean -s (all | peers) or (-s all) | peers? - serious in the case at hand. The answer is obvious from the DESCRIPTION at first glance. Adding parentheses or removing the spacing would only make the SYNOPSIS ugly.

i don't think it ugly. i think it makes it more readable, and clearer.

OK?

i'm fine with whatever/ jmc

Ingo

Index: ntpctl.8 === RCS file: /cvs/src/usr.sbin/ntpd/ntpctl.8,v retrieving revision 1.7 diff -u -p -r1.7 ntpctl.8 --- ntpctl.8 10 Feb 2015 06:40:08 - 1.7 +++ ntpctl.8 16 Feb 2015 15:06:08 - @@ -22,7 +22,7 @@ .Nd control the Network Time Protocol daemon .Sh SYNOPSIS .Nm ntpctl -.Op Fl s Cm all | peers | Sensors | status +.Fl s Cm all | peers | Sensors | status .Sh DESCRIPTION The .Nm Index: ntpd.c === RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v retrieving revision 1.92 diff -u -p -r1.92 ntpd.c --- ntpd.c11 Feb 2015 03:16:57 - 1.92 +++ ntpd.c16 Feb 2015 15:06:08 - @@ -90,7 +90,7 @@ usage(void) if (strcmp(__progname, ntpctl) == 0) fprintf(stderr, - usage: ntpctl [-s all | peers | Sensors | status]\n); + usage: ntpctl -s all | peers | Sensors | status\n); else fprintf(stderr, usage: %s [-dnSsv] [-f file]\n, __progname);
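Review bot: the ntpctl.8 SYNOPSIS hunk and the ntpd.c usage() hunk now both present -s as mandatory, but neither touches ntpctl's option parsing, which is not part of this diff; before committing, confirm that ntpctl with no -s, and ntpctl -s with no argument, still end in usage() with a non-zero exit, otherwise the man page is again promising behaviour the binary does not enforce. The capitalised Sensors keyword is kept as-is in both hunks, which is consistent with the existing DESCRIPTION.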
Re: man ntpd.conf: small errors in constraints section
On Sat, Feb 14, 2015 at 05:16:49PM +0100, Max Fillinger wrote: Some small issues in the new section: - 'NTP servers' means actual servers, not the keyword, so remove the .Ic - 'constraint' is used instead of 'constraint from' in some places; that might be ok as an abbreviation, but at least the example should use the full keyword. In the diff below, I used 'constraint from' everywhere. fixed, thanks. jmc Index: usr.sbin/ntpd/ntpd.conf.5 === RCS file: /cvs/src/usr.sbin/ntpd/ntpd.conf.5,v retrieving revision 1.27 diff -u -p -r1.27 ntpd.conf.5 --- usr.sbin/ntpd/ntpd.conf.5 10 Feb 2015 19:21:16 - 1.27 +++ usr.sbin/ntpd/ntpd.conf.5 14 Feb 2015 15:55:54 - @@ -188,24 +188,23 @@ thereby reducing the impact of unauthent attacks. Received NTP packets with time information falling outside of a range near the constraint will be discarded and such NTP -.Ic servers -will be marked as invalid. +servers will be marked as invalid. .Bl -tag -width Ds .It Ic constraint from Ar url Specify the URL, IP address or the hostname of an HTTPS server to provide a constraint. If multiple -.Ic constraint +.Ic constraint from keywords are used, .Xr ntpd 8 will calculate a median constraint from all the servers specified. .Bd -literal -offset indent server ntp.example.org -constraint www.example.com +constraint from www.example.com .Ed .It Ic constraints from Ar url As with -.Ic constraint , +.Ic constraint from , specify the URL, IP address or the hostname of an HTTPS server to provide a constraint. Should the hostname resolve to multiple IP addresses,
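Review bot: the first hunk is right to drop .Ic from "NTP servers", since servers is prose there and not a keyword; the same pass should catch any remaining bare .Ic constraint outside these hunks so the two spellings do not drift apart again, as the example block and the .It Ic constraints from Ar url text now both spell it constraint from. The trailing-comma form .Ic constraint from , in the last hunk is correct mdoc and renders the comma outside the keyword.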
Re: (patch) mg(1) reallocarray cleanup
Me wrote: I'm attaching a patch. Ooops, wrong file. New attached. patch-display.c-reallocarray-cleanup Description: Binary data
Re: (patch) mg(1) reallocarray cleanup
On 02/16/15 17:24, Kamil Rytarowski wrote: Me wrote: I'm attaching a patch. Ooops, wrong file. New attached. OK for me.
Re: syslogd SSL3_WRITE_PENDING:bad write retry
On Mon, Feb 16, 2015 at 10:17:05AM +0100, Reyk Floeter wrote: On Sun, Feb 15, 2015 at 11:21:45PM +0100, Alexander Bluhm wrote: On Fri, Feb 13, 2015 at 02:44:18PM -0500, Ted Unangst wrote: I think this is ok, but it needs some basic load testing with httpd (and ftp) as well.

I have tested ftp https by downloading ports distfiles. I have done basic testing with httpd. Could someone test this diff who has a busy httpd server using https? bluhm

I'm running it on some domains without problems so far but the pages aren't so busy. Otherwise OK reyk@

I have tried to download the 227 MB install56.iso from httpd. It is very slow and fails after half the data. There is a copied buffer in server_tls_writecb() to workaround the pending write. Without that httpd works.

The ftp client does not check for partial writes in tls_write(). That seems to work anyway as it only writes a short HTTP header and the socket is blocking.

What to do now?
- set SSL_MODE_ENABLE_PARTIAL_WRITE in libtls
- remove the clt_buf workaround in httpd
- ignore ftp client
- set SSL_MODE_ENABLE_PARTIAL_WRITE in libtls optionally
- only syslogd does that

bluhm

Index: usr.sbin/httpd/httpd.h === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/httpd/httpd.h,v retrieving revision 1.80 diff -u -p -r1.80 httpd.h --- usr.sbin/httpd/httpd.h 12 Feb 2015 10:05:29 - 1.80 +++ usr.sbin/httpd/httpd.h 16 Feb 2015 20:11:55 - @@ -283,8 +283,6 @@ struct client { in_port_tclt_port; struct sockaddr_storage clt_ss; struct bufferevent *clt_bev; - char*clt_buf; - size_t clt_buflen; struct evbuffer *clt_output; struct event clt_ev; void*clt_descreq; Index: usr.sbin/httpd/server.c === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/httpd/server.c,v retrieving revision 1.59 diff -u -p -r1.59 server.c --- usr.sbin/httpd/server.c 12 Feb 2015 04:40:23 - 1.59 +++ usr.sbin/httpd/server.c 16 Feb 2015 20:21:05 - 
@@ -613,17 +613,8 @@ server_tls_writecb(int fd, short event, } if (EVBUFFER_LENGTH(bufev-output)) { - if (clt-clt_buf == NULL) { - clt-clt_buflen = EVBUFFER_LENGTH(bufev-output); - if ((clt-clt_buf = malloc(clt-clt_buflen)) == NULL) { - what |= EVBUFFER_ERROR; - goto err; - } - bcopy(EVBUFFER_DATA(bufev-output), - clt-clt_buf, clt-clt_buflen); - } - ret = tls_write(clt-clt_tls_ctx, clt-clt_buf, - clt-clt_buflen, len); + ret = tls_write(clt-clt_tls_ctx, EVBUFFER_DATA(bufev-output), + EVBUFFER_LENGTH(bufev-output), len); if (ret == TLS_READ_AGAIN || ret == TLS_WRITE_AGAIN) { goto retry; } else if (ret != 0) { @@ -632,11 +623,6 @@ server_tls_writecb(int fd, short event, } evbuffer_drain(bufev-output, len); } - if (clt-clt_buf != NULL) { - free(clt-clt_buf); - clt-clt_buf = NULL; - clt-clt_buflen = 0; - } if (EVBUFFER_LENGTH(bufev-output) != 0) server_bufferevent_add(bufev-ev_write, bufev-timeout_write); @@ -647,16 +633,11 @@ server_tls_writecb(int fd, short event, return; retry: - if (clt-clt_buflen != 0) + if (EVBUFFER_LENGTH(bufev-output) != 0) server_bufferevent_add(bufev-ev_write, bufev-timeout_write); return; err: - if (clt-clt_buf != NULL) { - free(clt-clt_buf); - clt-clt_buf = NULL; - clt-clt_buflen = 0; - } (*bufev-errorcb)(bufev, what, bufev-cbarg); } Index: lib/libtls/tls.c === RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls.c,v retrieving revision 1.7 diff -u -p -r1.7 tls.c --- lib/libtls/tls.c7 Feb 2015 09:50:09 - 1.7 +++ lib/libtls/tls.c16 Feb 2015 19:58:35 - @@ -183,6 +183,9 @@ err: int tls_configure_ssl(struct tls *ctx) { + SSL_CTX_set_mode(ctx-ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_CTX_set_mode(ctx-ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + SSL_CTX_set_options(ctx-ssl_ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(ctx-ssl_ctx, SSL_OP_NO_SSLv3);
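Review bot: the server.c hunks pass EVBUFFER_DATA(bufev->output) straight to tls_write() and then drain len bytes, which is only correct if libtls has both SSL_MODE_ENABLE_PARTIAL_WRITE and SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER set, because between a TLS_WRITE_AGAIN and the retry the evbuffer's data pointer and length can change as more output is queued; the tls.c hunk in this same diff is what provides that, so the two files must go in together (libtls first), or an httpd built against an older libtls will hit SSL3_WRITE_PENDING:bad write retry under exactly the large-download load described above. The retry: path switching from clt->clt_buflen to EVBUFFER_LENGTH(bufev->output) != 0 and the err: path losing its free() are consistent with clt_buf being removed from struct client.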
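Review bot: the tls.c hunk changes the contract of tls_write() for every libtls consumer, not only httpd: a 0 return no longer means all of buflen was written, so any caller that does not loop on outlen (the ftp client is named above as one that does not) will silently truncate its output once a write is short. Document in tls_write(3) that outlen may be less than buflen on success and audit every in-tree tls_write() caller for that loop before this lands. Putting the two SSL_CTX_set_mode() calls ahead of the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 options is fine, since set_mode only ORs flags in.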
(patch) mg(1) reallocarray cleanup
Hello, I'm attaching a patch. Regards, patch-display.c-reallocarray-cleanup Description: Binary data
Re: (patch) mg(1) reallocarray cleanup
On 02/16/15 17:12, Kamil Rytarowski wrote: Hello, I'm attaching a patch. Regards, It's obvious that you didn't try to build mg with your own patch. ~Brian
Re: syslogd SSL3_WRITE_PENDING:bad write retry
On Mon, Feb 16, 2015 at 10:03:51PM +0100, Alexander Bluhm wrote: On Mon, Feb 16, 2015 at 10:17:05AM +0100, Reyk Floeter wrote: On Sun, Feb 15, 2015 at 11:21:45PM +0100, Alexander Bluhm wrote: On Fri, Feb 13, 2015 at 02:44:18PM -0500, Ted Unangst wrote: I think this is ok, but it needs some basic load testing with httpd (and ftp) as well.

I have tested ftp https by downloading ports distfiles. I have done basic testing with httpd. Could someone test this diff who has a busy httpd server using https? bluhm

I'm running it on some domains without problems so far but the pages aren't so busy. Otherwise OK reyk@

I have tried to download the 227 MB install56.iso from httpd. It is very slow and fails after half the data. There is a copied buffer in server_tls_writecb() to workaround the pending write. Without that httpd works.

OK, good finding. I haven't tested large files yet. But workaround is a harsh word - this is the way you were supposed to use SSL_write(). It is adapted from relayd and was turned into tls_write(). I even wonder why you didn't pick this up in your evbuffer TLS implementation for syslogd; looks a bit reinvented.

The ftp client does not check for partial writes in tls_write(). That seems to work anyway as it only writes a short HTTP header and the socket is blocking.

What to do now?
- set SSL_MODE_ENABLE_PARTIAL_WRITE in libtls
- remove the clt_buf workaround in httpd
- ignore ftp client

This approach sounds sane and I would love to have tls_write(3) behave just like write(2). But It was not a workaround. The OpenSSL people didn't like SSL_MODE_ENABLE_PARTIAL_WRITE and SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER and they weren't the default for a reason. httpd and relayd are currently doing it the recommended way - and we have to figure out if this recommendation was wrong. I initially asked tedu@ about the impacts of these flags in httpd and I had the described workaround in mind but I failed to point it out.
As I said, I would like to get your patch applied but I'd also like to understand OpenSSL's reasons to change the semantics:
- What is the impact of adding the flags by default?
- What is the reason for OpenSSL's defaults?

There is an old thread with some discussion about it: http://marc.info/?l=openssl-dev&m=118766345824094&w=2 But I still don't get it. Was it just an optimization for speed?

Reyk

- set SSL_MODE_ENABLE_PARTIAL_WRITE in libtls optionally
- only syslogd does that

bluhm

Index: usr.sbin/httpd/httpd.h === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/httpd/httpd.h,v retrieving revision 1.80 diff -u -p -r1.80 httpd.h --- usr.sbin/httpd/httpd.h12 Feb 2015 10:05:29 - 1.80 +++ usr.sbin/httpd/httpd.h16 Feb 2015 20:11:55 - @@ -283,8 +283,6 @@ struct client { in_port_tclt_port; struct sockaddr_storage clt_ss; struct bufferevent *clt_bev; - char*clt_buf; - size_t clt_buflen; struct evbuffer *clt_output; struct event clt_ev; void*clt_descreq; Index: usr.sbin/httpd/server.c === RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/httpd/server.c,v retrieving revision 1.59 diff -u -p -r1.59 server.c --- usr.sbin/httpd/server.c 12 Feb 2015 04:40:23 - 1.59 +++ usr.sbin/httpd/server.c 16 Feb 2015 20:21:05 - @@ -613,17 +613,8 @@ server_tls_writecb(int fd, short event, } if (EVBUFFER_LENGTH(bufev-output)) { - if (clt-clt_buf == NULL) { - clt-clt_buflen = EVBUFFER_LENGTH(bufev-output); - if ((clt-clt_buf = malloc(clt-clt_buflen)) == NULL) { - what |= EVBUFFER_ERROR; - goto err; - } - bcopy(EVBUFFER_DATA(bufev-output), - clt-clt_buf, clt-clt_buflen); - } - ret = tls_write(clt-clt_tls_ctx, clt-clt_buf, - clt-clt_buflen, len); + ret = tls_write(clt-clt_tls_ctx, EVBUFFER_DATA(bufev-output), + EVBUFFER_LENGTH(bufev-output), len); if (ret == TLS_READ_AGAIN || ret == TLS_WRITE_AGAIN) { goto retry; } else if (ret != 0) { 
@@ -632,11 +623,6 @@ server_tls_writecb(int fd, short event, } evbuffer_drain(bufev-output, len); } - if (clt-clt_buf != NULL) { - free(clt-clt_buf); - clt-clt_buf = NULL; - clt-clt_buflen = 0; - } if (EVBUFFER_LENGTH(bufev-output) != 0) server_bufferevent_add(bufev-ev_write, bufev-timeout_write); @@ -647,16 +633,11 @@
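The two SSL_write() retry contracts argued about in bluhm's and reyk's mails above, as an added example that is not part of the original mails, of libtls or of httpd: a mock TLS layer that runs either under OpenSSL's default rule (a write that did not complete must be retried with the same pointer and length, otherwise SSL3_WRITE_PENDING:bad write retry) or under the partial-write plus moving-buffer rule the tls.c hunk enables, and one writer loop that can take either httpd's old clt_buf copy route or the post-diff pass-the-evbuffer route. The mock_tls and outbuf types, the 4-byte transport chunk, the "every other call blocks" behaviour and the "+more" appends are all constructed assumptions, not how OpenSSL or libevent are implemented.

```c
/*
 * Added example, not OpenBSD/libtls/httpd code: a mock of the two SSL_write()
 * retry contracts discussed above, with a writer in the style of httpd's
 * server_tls_writecb() on top.  Names are hypothetical; "chunk" is how many
 * bytes the mock transport accepts per call.
 */
#include <stdlib.h>
#include <string.h>

#define MODE_STRICT  0 /* OpenSSL default: retry with same buffer and length */
#define MODE_PARTIAL 1 /* like ENABLE_PARTIAL_WRITE + ACCEPT_MOVING_WRITE_BUFFER */
enum { W_OK = 0, W_AGAIN = -1, W_BAD_RETRY = -2 };

struct mock_tls {
	int mode, blocked;         /* partial mode says "try again" every other call */
	size_t chunk, plen, pdone; /* plen/pdone: strict mode's pending write */
	const void *pbuf;
};

/*
 * Simplified SSL_write(): strict mode reports nothing until the whole buffer
 * is out and rejects a retry with another length or pointer (OpenSSL's
 * SSL3_WRITE_PENDING:bad write retry); partial mode reports how much went out
 * per call and keeps no pending state, so the caller may move its buffer.
 */
int
mock_tls_write(struct mock_tls *t, const void *buf, size_t len, size_t *outlen)
{
	size_t n;
	*outlen = 0;
	if (t->mode == MODE_PARTIAL) {
		if (t->blocked) { t->blocked = 0; return W_AGAIN; }
		*outlen = len < t->chunk ? len : t->chunk; t->blocked = 1;
		return W_OK;
	}
	if (t->plen == 0) {                               /* new write */
		t->pbuf = buf; t->plen = len; t->pdone = 0;
	} else if (len != t->plen || buf != t->pbuf)
		return W_BAD_RETRY;
	n = t->plen - t->pdone;
	if (n > t->chunk) n = t->chunk;
	if ((t->pdone += n) < t->plen)
		return W_AGAIN;
	*outlen = t->plen; t->plen = 0;
	return W_OK;
}

/* Stand-in for libevent's evbuffer; appending moves the data to new storage. */
struct outbuf { char *data; size_t len; };

static void
outbuf_add(struct outbuf *b, const char *s)
{
	size_t n = strlen(s);
	char *p = malloc(b->len + n);  /* fresh block: the data pointer changes */
	memcpy(p, b->data, b->len);
	memcpy(p + b->len, s, n);
	free(b->data);
	b->data = p; b->len += n;
}

/*
 * use_copy = 1 is the pre-diff clt_buf approach (private copy, retry with it);
 * use_copy = 0 hands the live buffer over and drains what was reported
 * written.  'grow' is how many times more output gets queued while a write
 * is pending.  Returns bytes sent, or -1 on a bad retry.
 */
long
flush(struct mock_tls *t, struct outbuf *b, int use_copy, int grow)
{
	long sent = 0; size_t n, clen = 0;
	char *copy = NULL; int r;
	while (b->len > 0) {
		if (use_copy && copy == NULL) {
			clen = b->len;
			copy = malloc(clen); memcpy(copy, b->data, clen);
		}
		r = use_copy ? mock_tls_write(t, copy, clen, &n)
		    : mock_tls_write(t, b->data, b->len, &n);
		if (r == W_BAD_RETRY) { free(copy); return -1; }
		if (r == W_AGAIN) {
			if (grow-- > 0) outbuf_add(b, "+more");
			continue;
		}
		free(copy); copy = NULL;
		memmove(b->data, b->data + n, b->len - n);
		b->len -= n; sent += n;
	}
	return sent;
}

/* One scenario on a fresh 10-byte buffer with a 4-byte transport chunk. */
long
scenario(int mode, int use_copy, int grow)
{
	struct mock_tls t = { mode, 0, 4, 0, 0, NULL };
	struct outbuf b = { memcpy(malloc(10), "0123456789", 10), 10 };
	long r = flush(&t, &b, use_copy, grow);
	free(b.data);
	return r;
}
```

Under the strict mock, handing the live buffer over fails as soon as more output is queued while a write is pending (the buffer's pointer and length both change), while the private copy completes and the remaining bytes go out in a second write; under the partial-write mock the live buffer completes even though it moved, because nothing pending ties the next call to the previous pointer. That is the whole difference between the clt_buf code being removed and the tls.c mode flags being added.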
unbound.conf(5): kill sample config from manual
This information is incorrect for OpenBSD and IMHO confusing (as we already have a default configuration). OK to remove it? Index: doc/unbound.conf.5.in === RCS file: /cvs/src/usr.sbin/unbound/doc/unbound.conf.5.in,v retrieving revision 1.1.1.7 diff -u -p -r1.1.1.7 unbound.conf.5.in --- doc/unbound.conf.5.in 11 Dec 2014 16:18:03 - 1.1.1.7 +++ doc/unbound.conf.5.in 17 Feb 2015 00:14:56 - @@ -25,42 +25,6 @@ ignored as is whitespace at the beginnin The utility \fIunbound\-checkconf\fR(8) can be used to check unbound.conf prior to usage. -.SH EXAMPLE -An example config file is shown below. Copy this to /etc/unbound/unbound.conf -and start the server with: -.P -.nf - $ unbound \-c /etc/unbound/unbound.conf -.fi -.P -Most settings are the defaults. Stop the server with: -.P -.nf - $ kill `cat /etc/unbound/unbound.pid` -.fi -.P -Below is a minimal config file. The source distribution contains an extensive -example.conf file with all the options. -.P -.nf -# unbound.conf(5) config file for unbound(8). -server: - directory: /etc/unbound - username: unbound - # make sure unbound can access entropy from inside the chroot. - # e.g. on linux the use these commands (on BSD, devfs(8) is used): - # mount \-\-bind \-n /dev/random /etc/unbound/dev/random - # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log - chroot: /etc/unbound - # logfile: /etc/unbound/unbound.log #uncomment to use logfile. - pidfile: /etc/unbound/unbound.pid - # verbosity: 1 # uncomment and increase to get more logging. - # listen on all interfaces, answer queries from the local subnet. - interface: 0.0.0.0 - interface: ::0 - access\-control: 10.0.0.0/8 allow - access\-control: 2001:DB8::/64 allow -.fi .SH FILE FORMAT There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value.
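Review bot: removing the EXAMPLE section matches the OpenBSD layout (the sample used /etc/unbound paths and a pidfile, while the shipped configuration lives under /var/unbound and rc.d starts the daemon), but unbound.conf.5.in is an imported upstream file, so this hunk is a local change that will be lost on the next import unless it is carried forward or sent upstream; say so in the commit message. The retained sentence about unbound-checkconf(8) still reads correctly once the cut is made, since it precedes the removed heading.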
Re: unbound problem in 5.6
In gmane.os.openbsd.misc, Otto wrote: On Tue, Dec 30, 2014 at 11:09:44AM -0200, Raimundo Santos wrote: Hello misc@! I have a router (peaking at 70Mbps of aggregated traffic) that acts as a recursive internal DNS server too (this configuration will die soon, as my traffic is growing), but Unbound keep saying, in /var/log/messages: Dec 30 09:57:07 myhost unbound: [3873:0] error: can't create socket: Too many open files Dec 30 09:57:08 myhost last message repeated 20284 times Dec 30 10:26:48 myhost unbound: [3873:0] error: can't create socket: Too many open files Dec 30 10:26:50 myhost last message repeated 24896 times Sometimes it says: Dec 27 21:49:19 myhost unbound: [2565:0] notice: sendto failed: No buffer space available I have: kern.maxfiles=16384 kern.somaxconn=16384 And in login.conf: daemon:\ :ignorenologin:\ :datasize=infinity:\ :maxproc=infinity:\ :openfiles-cur=4096:\ :openfiles-max=8192:\ :stacksize-cur=8M:\ :localcipher=blowfish,9:\ :tc=default: unbound:\ :ignorenologin:\ :datasize=infinity:\ :maxproc=infinity:\ :openfiles-cur=8192:\ :openfiles-max=16384:\ :stacksize-cur=32M:\ :localcipher=blowfish,9:\ :tc=default: With many resources just for Unbound, how can it keep complaining? There's an undocumented feature with unbound: it (only) sets its resource limits based on the class of its user (_unbound by default). So set the class of the _unbound user to unbound and you're all set. -Otto This would probably be less surprising. Comments, anyone? Index: master.passwd === RCS file: /cvs/src/etc/master.passwd,v retrieving revision 1.78 diff -u -p -r1.78 master.passwd --- master.passwd 15 Sep 2014 22:28:58 - 1.78 +++ master.passwd 17 Feb 2015 00:42:50 - 
@@ -9,7 +9,7 @@ _rstatd:*:30:30::0:0:rpc.rstatd:/var/emp _rusersd:*:32:32::0:0:rpc.rusersd:/var/empty:/sbin/nologin _fingerd:*:33:33::0:0:fingerd:/var/empty:/sbin/nologin _x11:*:35:35::0:0:X Server:/var/empty:/sbin/nologin -_unbound:*:53:53::0:0:Unbound Daemon:/var/unbound:/sbin/nologin +_unbound:*:53:53:unbound:0:0:Unbound Daemon:/var/unbound:/sbin/nologin _spamd:*:62:62::0:0:Spam Daemon:/var/empty:/sbin/nologin uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/var/spool/uucppublic:/sbin/nologin www:*:67:67::0:0:HTTP Server:/var/www:/sbin/nologin
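Review bot: this hunk gives _unbound the login class unbound, but no matching unbound: entry is added to etc/login.conf in this diff, so on a default install the class name will not resolve; either ship a default unbound class (even one that only sets :tc=daemon:) or confirm that login_getclass(3) falls back to the default class without a warning in the logs. Since, as Otto describes above, unbound applies that class to its own limits at startup rather than through rc.d, this also deserves a line in the upgrade notes for people who already tuned the daemon class.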
unbound 1.5.2rc1
This updates to the head of the unbound tree, adding Ilya Bakulin's code to support unbound-control over a unix domain socket rather than SSL. I don't see many standard cases needing the SSL socket any more, so I've removed the code from the rc.d script that automatically generates SSL keys when control-enable is used, if somebody wants to control from a remote machine they can always do this themselves. Any comments/OKs? Index: etc/unbound.conf === RCS file: /cvs/src/etc/unbound.conf,v retrieving revision 1.4 diff -u -p -r1.4 unbound.conf --- etc/unbound.conf2 Apr 2014 21:43:30 - 1.4 +++ etc/unbound.conf17 Feb 2015 00:53:05 - @@ -37,6 +37,11 @@ server: # #tcp-upstream: yes +remote-control: + control-enable: yes + control-use-cert: no + control-interface: /var/run/unbound.sock + # Use an upstream forwarder (recursive resolver) for specific zones. # Example addresses given below are public resolvers valid as of 2014/03. # Index: etc/rc.d/unbound === RCS file: /cvs/src/etc/rc.d/unbound,v retrieving revision 1.2 diff -u -p -r1.2 unbound --- etc/rc.d/unbound29 Dec 2014 11:17:43 - 1.2 +++ etc/rc.d/unbound17 Feb 2015 00:53:05 - 
@@ -8,16 +8,9 @@ daemon_flags=-c /var/unbound/etc/unboun . /etc/rc.d/rc.subr pexp=unbound${daemon_flags:+ ${daemon_flags}} +rc_reload=NO rc_pre() { - if grep '^[[:space:]]*control-enable:[[:space:]]*yes' \ - /var/unbound/etc/unbound.conf /dev/null 21 \ - ! [[ -f /var/unbound/etc/unbound_server.key || - -f /var/unbound/etc/unbound_server.pem || - -f /var/unbound/etc/unbound_control.key || - -f /var/unbound/etc/unbound_control.pem ]]; then - /usr/sbin/unbound-control-setup 2 /dev/null - fi if grep '^[[:space:]]*auto-trust-anchor-file:' \ /var/unbound/etc/unbound.conf /dev/null 21; then /usr/sbin/unbound-anchor -v || true Index: usr.sbin/unbound/Makefile.in === RCS file: /cvs/src/usr.sbin/unbound/Makefile.in,v retrieving revision 1.13 diff -u -p -r1.13 Makefile.in --- usr.sbin/unbound/Makefile.in11 Dec 2014 16:26:58 - 1.13 +++ usr.sbin/unbound/Makefile.in17 Feb 2015 00:53:05 - @@ -459,8 +459,8 @@ strip: $(STRIP) unbound$(EXEEXT) $(STRIP) unbound-checkconf$(EXEEXT) $(STRIP) unbound-control$(EXEEXT) - $(STRIP) unbound-host$(EXEEXT) - $(STRIP) unbound-anchor$(EXEEXT) + $(STRIP) unbound-host$(EXEEXT) || $(STRIP) .libs/unbound-host$(EXEEXT) + $(STRIP) unbound-anchor$(EXEEXT) || $(STRIP) .libs/unbound-anchor$(EXEEXT) pythonmod-install: $(INSTALL) -m 755 -d $(DESTDIR)$(PYTHON_SITE_PKG) @@ -579,6 +579,7 @@ depend: -e 's?$$(srcdir)/util/configlexer.c?util/configlexer.c?g' \ -e 's?$$(srcdir)/util/configparser.c?util/configparser.c?g' \ -e 's?$$(srcdir)/util/configparser.h?util/configparser.h?g' \ + -e 's?$$(srcdir)/dnstap/dnstap_config.h??g' \ -e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \ -e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \ $(DEPEND_TMP) 
@@ -692,13 +693,14 @@ iter_utils.lo iter_utils.o: $(srcdir)/it $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/ldns/sbuffer.h listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/services/outside_network.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ - $(srcdir)/ldns/sbuffer.h + $(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/net_help.h $(srcdir)/ldns/sbuffer.h localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/ldns/str2wire.h $(srcdir)/ldns/rrdef.h \ $(srcdir)/ldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h + $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/ldns/pkthdr.h mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h
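Review bot: the etc/unbound.conf hunk turns on remote-control over /var/run/unbound.sock with control-use-cert: no, so access to unbound-control is gated only by the unix socket's file permissions; the diff does not show what owner and mode the socket is created with, so verify it is not world-writable (unbound-control can flush caches, alter local zones and stop the daemon), and confirm the path is reachable both from the unchrooted unbound-control and from the daemon, which runs chrooted to /var/unbound by default.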
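Review bot: the etc/rc.d/unbound hunk drops the automatic unbound-control-setup run, so users who already have control-enable: yes with a TCP control-interface and no keys will, after this update, get a daemon that starts but an unbound-control that fails; that needs an entry in the upgrade notes. rc_reload=NO is added without a comment; if it is there because unbound does not handle SIGHUP as a reload, say so, otherwise rcctl reload unbound could be mapped to unbound-control reload now that the socket is enabled by default.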
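Review bot: in the Makefile.in strip target, $(STRIP) unbound-host$(EXEEXT) || $(STRIP) .libs/unbound-host$(EXEEXT) lets the first strip print an error on a libtool wrapper script before falling through to the real binary; test for the file instead, for example `if [ -f .libs/unbound-host$(EXEEXT) ]; then ...`, so the build log stays clean. The depend hunk dropping dnstap/dnstap_config.h from the generated dependencies and the reflowed listen_dnsport/localzone lines look like mechanical upstream churn and are fine.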
Re: mandoc width clamping
Hi Ted, Ted Unangst wrote on Sun, Feb 15, 2015 at 06:53:10AM -0500: In trying to set man up to use my current terminal width $(($COLUMNS-2)) I discovered that COLUMNS isn't exported to subshells. mandoc itself seems to go crazy when run with -O width=-2. Clamp width and indent settings to sensible values. OK schwarze@ for your patch, it clearly improves the situation. Once your patch will be in, i'll look into changing all the atoi() and strto*() in mandoc to strtonum(). There may be more similar problems elsewhere. I wasn't sure how to handle errors, Indeed, the command line option parsers for -O are ill-designed in so far as they don't allow reasonable error handling. At some point, i will have to redesign the -O handling, but not before release. so they're just ignored for now. I agree with that, for now. Yours, Ingo Index: term_ascii.c === RCS file: /cvs/src/usr.bin/mandoc/term_ascii.c,v retrieving revision 1.29 diff -u -p -r1.29 term_ascii.c --- term_ascii.c 31 Dec 2014 16:50:54 - 1.29 +++ term_ascii.c 15 Feb 2015 11:48:23 - @@ -55,6 +55,8 @@ ascii_init(enum termenc enc, const struc const char *toks[5]; char*v; struct termp*p; + const char *errstr; + int num; p = mandoc_calloc(1, sizeof(struct termp)); @@ -99,10 +101,14 @@ ascii_init(enum termenc enc, const struc while (outopts *outopts) switch (getsubopt(outopts, UNCONST(toks), v)) { case 0: - p-defindent = (size_t)atoi(v); + num = strtonum(v, 0, 1000, errstr); + if (!errstr) + p-defindent = num; break; case 1: - p-defrmargin = (size_t)atoi(v); + num = strtonum(v, 0, 1000, errstr); + if (!errstr) + p-defrmargin = num; break; case 2: /*
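Review bot: in the term_ascii.c hunk, strtonum(v, 0, 1000, &errstr) leaves defindent and defrmargin untouched on any error, as Ted notes, so -O width=-2 now keeps the default instead of yielding a huge size_t margin; but a typo such as width=8o is also silently ignored, so once the -O error handling Ingo mentions exists this should warn. Also the lower bound 0 means width=0 is accepted into defrmargin; check that the formatter copes with a zero right margin, or use 1 as the lower bound for the width case.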
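The atoi() versus strtonum() point of this patch, as an added example that is not mandoc's code: a portable range-checked parser for width= and indent= suboptions next to the old unchecked conversion, so the effect of -O width=-2 landing in a size_t can be seen. The option names and the 0..1000 bound come from the hunk above; the termopts struct, the helper names and the defaults (indent 5, width 78) are made up for the example.

```c
/*
 * Added example, not mandoc code: atoi() versus a range-checked parser for
 * numeric -O style suboptions, modelled on the width/indent clamping in the
 * patch above.  Names are hypothetical; the defaults are made up.
 */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define OPT_MAX 1000            /* same upper bound the patch passes to strtonum() */

struct termopts {
	size_t defindent;
	size_t defrmargin;
};

/* Pre-patch conversion: atoi() reports no error, and a negative value cast to
 * size_t becomes an enormous margin, which is the "goes crazy" above. */
size_t
old_convert(const char *v)
{
	return (size_t)atoi(v);
}

/*
 * Portable stand-in for strtonum(3): accept only a complete decimal number
 * inside [lo, hi].  Returns 0 and stores the value, or -1 on empty input,
 * trailing junk or an out-of-range value, leaving *out untouched.
 */
int
parse_bounded(const char *v, long lo, long hi, long *out)
{
	char *end;
	long n;

	if (v == NULL || *v == '\0')
		return -1;
	errno = 0;
	n = strtol(v, &end, 10);
	if (errno == ERANGE || end == v || *end != '\0' || n < lo || n > hi)
		return -1;
	*out = n;
	return 0;
}

/* Apply one "key=value" suboption the way the patched ascii_init() does: a
 * bad value is ignored and the default stays.  Returns 1 if applied. */
int
apply_subopt(struct termopts *t, const char *opt)
{
	const char *eq = strchr(opt, '=');
	long n;

	if (eq == NULL || parse_bounded(eq + 1, 0, OPT_MAX, &n) != 0)
		return 0;
	if (eq - opt == 6 && strncmp(opt, "indent", 6) == 0) {
		t->defindent = (size_t)n;
		return 1;
	}
	if (eq - opt == 5 && strncmp(opt, "width", 5) == 0) {
		t->defrmargin = (size_t)n;
		return 1;
	}
	return 0;
}

/* Parse a comma-separated -O argument such as "width=78,indent=4".
 * Returns the number of settings applied. */
int
apply_outopts(struct termopts *t, const char *outopts)
{
	char buf[256], *tok;
	int applied = 0;

	if (strlen(outopts) >= sizeof(buf))
		return 0;
	strcpy(buf, outopts);
	for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
		applied += apply_subopt(t, tok);
	return applied;
}

/* Helpers: apply outopts to the made-up defaults (indent 5, width 78) and
 * report the resulting value. */
size_t
width_after(const char *outopts)
{
	struct termopts t = { 5, 78 };
	apply_outopts(&t, outopts);
	return t.defrmargin;
}

size_t
indent_after(const char *outopts)
{
	struct termopts t = { 5, 78 };
	apply_outopts(&t, outopts);
	return t.defindent;
}
```

old_convert("-2") is the pre-patch behaviour: the value wraps to a margin two short of SIZE_MAX. With the bounded parser, a negative, oversized or malformed value leaves the default in place, which is the same silent-ignore policy the patch adopts; a real tool would want to report the rejected option as well.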
Re: stop deleting /usr/include/openssl
On 2015/02/16 08:15, Ted Unangst wrote: Stuart Henderson wrote: - @ln -sf openssl ${DESTDIR}/usr/include/ssl Not ok for this part... ack, this is highly likely to break ports. ? If we don't delete it, we don't have to create it. It's still going to be there. Is there some mtree magic we're missing? This seems the wrong place to be doing this, but I'm ok leaving it since it's mostly harmless. Releases start with a clean DESTDIR so it needs to be created somehow, and I don't see anywhere else that would create it. It does look like it might be possible to do this in mtree instead, but we don't currently have any 'link' lines in our mtree scripts for any of the existing symlinks in the distribution so it would be something new.
Re: Add support for Arduino Leonardo to umodem(4)
On 2015/02/16 01:08, Gregor Best wrote: Hi, Arduino Leonardos emulate a CDC ACM modem for their serial port. The following patch adds explicit matching for those in umodem_match, because apparently the emulation done by the Leonardo is not complete enough to make umodem attach automatically. I've tested a kernel with this patch for a few days now, but only with a baudrate of 115200, which seems to work fine. -- Gregor Best +++ dev/usb/usbdevs 13 Feb 2015 19:36:40 - @@ -54,6 +54,7 @@ vendor PLANEX4 0x0053 Planex Communicat vendor UNKNOWN2 0x0105 Unknown vendor vendor EGALAX2 0x0123 eGalax vendor UNKNOWN6 0x01e1 Unknown vendor +vendor ARDUINO 0x2341 Arduino LLC It's Arduino SA isn't it? The rest looks good to me.
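Review bot: the usbdevs vendor list is ordered by vendor ID, and the new line vendor ARDUINO 0x2341 is inserted between UNKNOWN6 0x01e1 and the following 0x02ad/0x03da entries, so it is out of order; move it to its numeric position among the 0x23xx vendors so the next person adding a vendor does not inherit the misplacement.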
Re: stop deleting /usr/include/openssl
On 2015/02/16 13:53, Jérémie Courrèges-Anglas wrote: Ted Unangst t...@tedunangst.com writes: Index: Makefile === RCS file: /cvs/src/include/Makefile,v retrieving revision 1.198 diff -u -p -r1.198 Makefile --- Makefile17 Jan 2015 20:37:04 - 1.198 +++ Makefile16 Feb 2015 11:29:24 - @@ -89,11 +89,6 @@ includes: ${INSTALL} ${INSTALL_COPY} -m 444 $$j ${DESTDIR}/usr/include/$$i/$$j; \ done; \ done - @rm -rf ${DESTDIR}/usr/include/openssl ${DESTDIR}/usr/include/ssl \ - ${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_CPU}-openbsd/ssl \ - ${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_CPU}-openbsd/openssl - @mkdir ${DESTDIR}/usr/include/openssl nice find. ok jca@ for the above. +1 - @ln -sf openssl ${DESTDIR}/usr/include/ssl Not ok for this part... ack, this is highly likely to break ports.
Re: stop deleting /usr/include/openssl
Stuart Henderson st...@openbsd.org writes: On 2015/02/16 13:53, Jérémie Courrèges-Anglas wrote: Ted Unangst t...@tedunangst.com writes: [...] - @ln -sf openssl ${DESTDIR}/usr/include/ssl Not ok for this part... ack, this is highly likely to break ports. and base. (I'm cooking the patch for usr.bin/dc) -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: stop deleting /usr/include/openssl
Ted Unangst t...@tedunangst.com writes: Index: Makefile === RCS file: /cvs/src/include/Makefile,v retrieving revision 1.198 diff -u -p -r1.198 Makefile --- Makefile 17 Jan 2015 20:37:04 - 1.198 +++ Makefile 16 Feb 2015 11:29:24 - @@ -89,11 +89,6 @@ includes: ${INSTALL} ${INSTALL_COPY} -m 444 $$j ${DESTDIR}/usr/include/$$i/$$j; \ done; \ done - @rm -rf ${DESTDIR}/usr/include/openssl ${DESTDIR}/usr/include/ssl \ - ${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_CPU}-openbsd/ssl \ - ${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_CPU}-openbsd/openssl - @mkdir ${DESTDIR}/usr/include/openssl ok jca@ for the above. - @ln -sf openssl ${DESTDIR}/usr/include/ssl Not ok for this part... @echo installing ${LFILES} @for i in ${LFILES}; do \ rm -f ${DESTDIR}/usr/include/$$i \ -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
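Review bot: with the rm -rf of ${DESTDIR}/usr/include/openssl gone, a header that libssl stops installing is no longer removed from a tree that is updated in place, so a stale copy can mask a build break until the next clean release build; add explicit rm -f lines for headers that are retired, or state in the commit message that an in-place tree may keep stale OpenSSL headers. The rm of the perl5 site_perl .../ssl and .../openssl directories also disappears; if nothing creates those any more, fine, but say so, because the hunk otherwise reads as if the cleanup was dropped by accident.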
Re: stop deleting /usr/include/openssl
Stuart Henderson wrote: - @ln -sf openssl ${DESTDIR}/usr/include/ssl Not ok for this part... ack, this is highly likely to break ports. ? If we don't delete it, we don't have to create it. It's still going to be there. Is there some mtree magic we're missing? This seems the wrong place to be doing this, but I'm ok leaving it since it's mostly harmless.
Re: unbound problem in 5.6
On Tue, Feb 17, 2015 at 12:45:47AM +, Stuart Henderson wrote: In gmane.os.openbsd.misc, Otto wrote: On Tue, Dec 30, 2014 at 11:09:44AM -0200, Raimundo Santos wrote: Hello misc@! I have a router (peaking at 70Mbps of aggregated traffic) that acts as a recursive internal DNS server too (this configuration will die soon, as my traffic is growing), but Unbound keep saying, in /var/log/messages: Dec 30 09:57:07 myhost unbound: [3873:0] error: can't create socket: Too many open files Dec 30 09:57:08 myhost last message repeated 20284 times Dec 30 10:26:48 myhost unbound: [3873:0] error: can't create socket: Too many open files Dec 30 10:26:50 myhost last message repeated 24896 times Sometimes it says: Dec 27 21:49:19 myhost unbound: [2565:0] notice: sendto failed: No buffer space available I have: kern.maxfiles=16384 kern.somaxconn=16384 And in login.conf: daemon:\ :ignorenologin:\ :datasize=infinity:\ :maxproc=infinity:\ :openfiles-cur=4096:\ :openfiles-max=8192:\ :stacksize-cur=8M:\ :localcipher=blowfish,9:\ :tc=default: unbound:\ :ignorenologin:\ :datasize=infinity:\ :maxproc=infinity:\ :openfiles-cur=8192:\ :openfiles-max=16384:\ :stacksize-cur=32M:\ :localcipher=blowfish,9:\ :tc=default: With many resources just for Unbound, how can it keep complaining? There's an undocumented feature with unbound: it (only) sets its resource limits based on the class of its user (_unbound by default). So set the class of the _unbound user to unbound and you're all set. -Otto This would probably be less surprising. Comments, anyone? I would like this very much. -Otto Index: master.passwd === RCS file: /cvs/src/etc/master.passwd,v retrieving revision 1.78 diff -u -p -r1.78 master.passwd --- master.passwd 15 Sep 2014 22:28:58 - 1.78 +++ master.passwd 17 Feb 2015 00:42:50 - 
@@ -9,7 +9,7 @@ _rstatd:*:30:30::0:0:rpc.rstatd:/var/emp _rusersd:*:32:32::0:0:rpc.rusersd:/var/empty:/sbin/nologin _fingerd:*:33:33::0:0:fingerd:/var/empty:/sbin/nologin _x11:*:35:35::0:0:X Server:/var/empty:/sbin/nologin -_unbound:*:53:53::0:0:Unbound Daemon:/var/unbound:/sbin/nologin +_unbound:*:53:53:unbound:0:0:Unbound Daemon:/var/unbound:/sbin/nologin _spamd:*:62:62::0:0:Spam Daemon:/var/empty:/sbin/nologin uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/var/spool/uucppublic:/sbin/nologin www:*:67:67::0:0:HTTP Server:/var/www:/sbin/nologin
Re: Add support for Arduino Leonardo to umodem(4)
On Mon, Feb 16, 2015 at 02:20:06PM +, Stuart Henderson wrote: [...] It's Arduino SA isn't it? The rest looks good to me. [...] The controller reports itself as made by 'Arduino LLC' in the usbdevs output, but according to http://www.linux-usb.org/usb.ids, you're right. I think going with the established name is a better idea. I've attached an amended patch. -- Gregor Best Index: dev/usb/umodem.c === RCS file: /mnt/media/cvs/src/sys/dev/usb/umodem.c,v retrieving revision 1.57 diff -u -p -u -r1.57 umodem.c --- dev/usb/umodem.c12 Jul 2014 20:26:33 - 1.57 +++ dev/usb/umodem.c13 Feb 2015 19:36:39 - @@ -250,6 +250,10 @@ umodem_match(struct device *parent, void id-bInterfaceNumber == 0) ret = UMATCH_VENDOR_PRODUCT; + if (UGETW(dd-idVendor) == USB_VENDOR_ARDUINO + UGETW(dd-idProduct) == USB_PRODUCT_ARDUINO_LEONARDO) + ret = UMATCH_VENDOR_PRODUCT; + if (ret == UMATCH_NONE id-bInterfaceClass == UICLASS_CDC id-bInterfaceSubClass == UISUBCLASS_ABSTRACT_CONTROL_MODEL Index: dev/usb/usbdevs === RCS file: /mnt/media/cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.644 diff -u -p -u -r1.644 usbdevs --- dev/usb/usbdevs 9 Jan 2015 20:41:48 - 1.644 +++ dev/usb/usbdevs 13 Feb 2015 19:36:40 - @@ -54,6 +54,7 @@ vendor PLANEX40x0053 Planex Communicat vendor UNKNOWN20x0105 Unknown vendor vendor EGALAX2 0x0123 eGalax vendor UNKNOWN60x01e1 Unknown vendor +vendor ARDUINO 0x2341 Arduino SA vendor HUMAX 0x02ad HUMAX vendor BWCT0x03da Bernd Walter Computer Technology vendor AOX 0x03e8 AOX 
@@ -977,6 +978,9 @@ product APPLE ISIGHT0x8502 iSight /* Araneus Information Systems products */ product ARANEUS ALEA 0x0001 True Random Number Generator + +/* Arduino SA products */ +product ARDUINO LEONARDO 0x8036 Arduino Lenoardo /* Arkmicro products */ product ARKMICRO ARK3116 0x0232 ARK3116 Serial Index: dev/usb/usbdevs.h === RCS file: /mnt/media/cvs/src/sys/dev/usb/usbdevs.h,v retrieving revision 1.656 diff -u -p -u -r1.656 usbdevs.h --- dev/usb/usbdevs.h 9 Jan 2015 20:42:40 - 1.656 +++ dev/usb/usbdevs.h 13 Feb 2015 19:36:44 - @@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs.h,v 1.656 2015/01/09 20:42:40 kettenis Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -61,6 +61,7 @@ #defineUSB_VENDOR_UNKNOWN2 0x0105 /* Unknown vendor */ #defineUSB_VENDOR_EGALAX2 0x0123 /* eGalax */ #defineUSB_VENDOR_UNKNOWN6 0x01e1 /* Unknown vendor */ +#defineUSB_VENDOR_ARDUINO 0x2341 /* Arduino SA */ #defineUSB_VENDOR_HUMAX0x02ad /* HUMAX */ #defineUSB_VENDOR_BWCT 0x03da /* Bernd Walter Computer Technology */ #defineUSB_VENDOR_AOX 0x03e8 /* AOX */ @@ -984,6 +985,9 @@ /* Araneus Information Systems products */ #defineUSB_PRODUCT_ARANEUS_ALEA0x0001 /* True Random Number Generator */ + +/* Arduino SA products */ +#defineUSB_PRODUCT_ARDUINO_LEONARDO0x8036 /* Arduino Lenoardo */ /* Arkmicro products */ #defineUSB_PRODUCT_ARKMICRO_ARK31160x0232 /* ARK3116 Serial */ Index: dev/usb/usbdevs_data.h === RCS file: /mnt/media/cvs/src/sys/dev/usb/usbdevs_data.h,v retrieving revision 1.650 diff -u -p -u -r1.650 usbdevs_data.h --- dev/usb/usbdevs_data.h 9 Jan 2015 20:42:40 - 1.650 +++ dev/usb/usbdevs_data.h 13 Feb 2015 19:36:44 - @@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs_data.h,v 1.650 2015/01/09 20:42:40 kettenis Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. 
@@ -962,6 +962,10 @@ const struct usb_known_product usb_known True Random Number Generator, }, { + USB_VENDOR_ARDUINO, USB_PRODUCT_ARDUINO_LEONARDO, + Arduino Lenoardo, + }, + { USB_VENDOR_ARKMICRO, USB_PRODUCT_ARKMICRO_ARK3116, ARK3116 Serial, }, @@ -11248,6 +11252,10 @@ const struct usb_known_vendor usb_known_ { USB_VENDOR_UNKNOWN6, Unknown vendor, + }, + { + USB_VENDOR_ARDUINO, + Arduino SA, }, { USB_VENDOR_HUMAX,
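Review bot: in the umodem_match hunk the new Arduino branch sets `ret = UMATCH_VENDOR_PRODUCT` without the `id->bInterfaceNumber == 0` test that the preceding vendor/product match in the context line applies; if the Leonardo exposes more than one interface, umodem will claim all of them instead of only interface 0, so consider adding the same interface-number check. Also, as extracted here the two comparisons `UGETW(dd->idVendor) == USB_VENDOR_ARDUINO` and `UGETW(dd->idProduct) == USB_PRODUCT_ARDUINO_LEONARDO` appear with no `&&` joining them (the `&`/`>` characters were lost in extraction); confirm the committed condition has the conjunction so the product check is not dropped.

Review bot: in the usbdevs vendor hunk, `vendor ARDUINO 0x2341 Arduino SA` is inserted between 0x01e1 and 0x02ad, but the visible context is in ascending vendor-id order and 0x2341 sorts after 0x03e8; move the entry to its numeric position, which also fixes the misplaced `USB_VENDOR_ARDUINO` lines in the usbdevs.h and usbdevs_data.h hunks once those are regenerated.

Review bot: the product hunk for usbdevs spells the description `Arduino Lenoardo`; the board is the Leonardo, and the misspelling is carried into the `USB_PRODUCT_ARDUINO_LEONARDO` comment in usbdevs.h and the string in usbdevs_data.h. Fix it once in usbdevs and regenerate the headers rather than editing them by hand, since their banner says they are generated and must not be edited.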
Re: ksh version lies
Damien Miller wrote: On Sun, 15 Feb 2015, Ted Unangst wrote: ksh (and sh) have a version string embedded in them: @(#)PD KSH v5.2.14 99/07/13.2 This is clearly a lie. We've added, removed, and fixed bugs and features since then. I first noticed the lie in the man page, then saw that it's also exported via the environment and other places. Instead of trying to fix something that can't be fixed, That's a bit of a non sequitur; there are lots of ways to fix it. E.g. OpenBSD 5.7 ksh; based on PD KSH v5.2.14 Are we going to remember to keep incrementing the version number when changes are made? Or is it just going to be the same as uname -r? The former seems untenable, the latter seems like one should just run uname -r. Does everything need a version? What's next? ls -v to print the version of ls? I dislike the principle of version strings like this because I think they encourage sloppy coding and workarounds. It was pointed out to me that /etc/ksh.kshrc has one such test: # the PD ksh is not 100% compatible case $KSH_VERSION in *PD*) # PD ksh What does that mean? How are we not compatible? Has the incompatibility been fixed? That file also contains such gems as # NOTE: SCO-UNIX doesn't have whoami, and a check for HP-UX, so I have my doubts as to the accuracy/relevancy of the test. I'll note that the test above dates to the original 1996 checkin, even though ksh itself was updated as recently as 1999.
Re: PATCH: ntpctl.8, ntpd.c
Hi, Jason McIntyre wrote on Sat, Feb 14, 2015 at 08:47:31AM +: On Fri, Feb 13, 2015 at 09:49:58PM -0600, Adam Thompson wrote: Fix a minor typo in the ntpctl help output, and same semantic mistake in the manpage. Currently says (to be pedantic) that '-s' only works with 'all', which is not the case: '-s' is required with all options. [...] i didn't realise that -s was mandatory. pretty yucky that we have a utility with only one option, and it's not optional ;( before fixing the man page...could we not just have ntpctl run w/o args display all info, and use -s to select specific bits? even if we kept all for consistency with other *ctl. To reinforce what Jeremie said, the scope of ntpctl(8) is potentially broader than just display some info, or it would be called ntpinfo(8). So i wouldn't consider squatting on the option and argument namespace by making ntpctl without options and arguments an alias for ntpctl -s all a wise move. Making ntpctl -s without argument an alias for ntpctl -s all would be even worse. POSIX discourages optional option arguments for good reasons. note that the diff proposed would mean ntpctl -s should work. True, Adam's diff isn't quite accurate either. what we could maybe do is tweak the spacing: [-s all|peers|Sensors|status] Well, that no longer solves the original problem - it doesn't make it clear that the option isn't optional. Given that Henning doesn't appear to be in a hurry to add more functionality right now, but that the interface is obviously designed for extension, i think we ought to document the current state for now, see the patch below. I don't consider the common problem with grouping in the SYNOPSIS - does -s all | peers mean -s (all | peers) or (-s all) | peers? - serious in the case at hand. The answer is obvious from the DESCRIPTION at first glance. Adding parentheses or removing the spacing would only make the SYNOPSIS ugly. OK? 
Ingo Index: ntpctl.8 === RCS file: /cvs/src/usr.sbin/ntpd/ntpctl.8,v retrieving revision 1.7 diff -u -p -r1.7 ntpctl.8 --- ntpctl.810 Feb 2015 06:40:08 - 1.7 +++ ntpctl.816 Feb 2015 15:06:08 - @@ -22,7 +22,7 @@ .Nd control the Network Time Protocol daemon .Sh SYNOPSIS .Nm ntpctl -.Op Fl s Cm all | peers | Sensors | status +.Fl s Cm all | peers | Sensors | status .Sh DESCRIPTION The .Nm Index: ntpd.c === RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v retrieving revision 1.92 diff -u -p -r1.92 ntpd.c --- ntpd.c 11 Feb 2015 03:16:57 - 1.92 +++ ntpd.c 16 Feb 2015 15:06:08 - @@ -90,7 +90,7 @@ usage(void) if (strcmp(__progname, ntpctl) == 0) fprintf(stderr, - usage: ntpctl [-s all | peers | Sensors | status]\n); + usage: ntpctl -s all | peers | Sensors | status\n); else fprintf(stderr, usage: %s [-dnSsv] [-f file]\n, __progname);
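Review bot: the ntpd.c hunk changes only the usage() string to `usage: ntpctl -s all | peers | Sensors | status`; the option parsing that makes -s mandatory is not in this diff, so check that ntpctl invoked with no arguments, or with -s and no argument, still reaches usage() and exits non-zero, otherwise the SYNOPSIS and usage text now promise a requirement the program does not enforce.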
Re: syslogd SSL3_WRITE_PENDING:bad write retry
On Sun, Feb 15, 2015 at 11:21:45PM +0100, Alexander Bluhm wrote: On Fri, Feb 13, 2015 at 02:44:18PM -0500, Ted Unangst wrote: I think this is ok, but it needs some basic load testing with httpd (and ftp) as well. I have tested ftp https by downloading ports distfiles. I have done basic testing with httpd. Could someone test this diff who has a busy httpd server using https? bluhm I'm running it on some domains without problems so far but the pages aren't so busy. Otherwise OK reyk@ Reyk Index: lib/libtls/tls.c === RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls.c,v retrieving revision 1.7 diff -u -p -r1.7 tls.c --- lib/libtls/tls.c 7 Feb 2015 09:50:09 - 1.7 +++ lib/libtls/tls.c 13 Feb 2015 18:33:31 - @@ -183,6 +183,9 @@ err: int tls_configure_ssl(struct tls *ctx) { + SSL_CTX_set_mode(ctx-ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_CTX_set_mode(ctx-ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + SSL_CTX_set_options(ctx-ssl_ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(ctx-ssl_ctx, SSL_OP_NO_SSLv3); --
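Review bot: enabling SSL_MODE_ENABLE_PARTIAL_WRITE in tls_configure_ssl changes the contract of SSL_write for every SSL object created from this ctx: it may now return a positive count smaller than the requested length instead of all-or-nothing. Every tls_write caller (syslogd, httpd, ftp) therefore has to loop on the returned byte count; a caller that treats any positive return as a complete write will silently truncate data. SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is what lets those callers retry from a different buffer address after a WANT_WRITE, which is the bad-write-retry case in the subject. Style: the two SSL_CTX_set_mode calls could be one call with the flags OR'd, though one per line matches the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 lines below it.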
stop deleting /usr/include/openssl
This was driving me nuts. Every time you run make includes, it blows away /usr/include/openssl, which means all of libcrypto, etc. get marked as stale and require rebuilding. So much waste. This makefile rule (which is silent, btw, arr) showed up 11 years ago to facilitate renaming /usr/include/ssl to /usr/include/openssl. I think we're past that. Index: Makefile === RCS file: /cvs/src/include/Makefile,v retrieving revision 1.198 diff -u -p -r1.198 Makefile --- Makefile17 Jan 2015 20:37:04 - 1.198 +++ Makefile16 Feb 2015 11:29:24 - @@ -89,11 +89,6 @@ includes: ${INSTALL} ${INSTALL_COPY} -m 444 $$j ${DESTDIR}/usr/include/$$i/$$j; \ done; \ done - @rm -rf ${DESTDIR}/usr/include/openssl ${DESTDIR}/usr/include/ssl \ - ${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_CPU}-openbsd/ssl \ - ${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_CPU}-openbsd/openssl - @mkdir ${DESTDIR}/usr/include/openssl - @ln -sf openssl ${DESTDIR}/usr/include/ssl @echo installing ${LFILES} @for i in ${LFILES}; do \ rm -f ${DESTDIR}/usr/include/$$i \
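Review bot: the removed block did more than delete stale headers: `@mkdir ${DESTDIR}/usr/include/openssl` created the directory and `@ln -sf openssl ${DESTDIR}/usr/include/ssl` created the /usr/include/ssl compatibility symlink. After this hunk a fresh DESTDIR (release build or new chroot) depends on some other rule creating /usr/include/openssl before the headers are installed into it, and the ssl symlink is no longer made; confirm the install loop above creates the directory and that nothing in the tree still includes <ssl/...>. The perl5 site_perl ssl/openssl cleanup also goes away, which is fine for a tree that no longer renames, but worth stating in the commit message.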