Re: src/usr.sbin/slowcgi: possible bug

2017-01-02 Thread Ali Farzanrad
>I recently checked the slowcgi(8) and found that it might have an issue
>when buf_pos is at the end of buffer and buf_len is zero.
>
>Am I right?

It seems that all fastcgi blocks are aligned to 8 bytes and the buffer size
is 8+65535+255 = 65798 bytes, which is not a multiple of 8. It seems
that slowcgi has no problem with aligned data, but I think in general
slowcgi should not assume that all blocks are 8-byte aligned.

>Index: slowcgi.c
>===
>RCS file: /cvs/src/usr.sbin/slowcgi/slowcgi.c,v
>retrieving revision 1.50
>diff -u -p -r1.50 slowcgi.c
>--- slowcgi.c  4 Sep 2016 14:40:34 -   1.50
>+++ slowcgi.c  2 Jan 2017 12:52:01 -
>@@ -674,8 +674,8 @@ slowcgi_request(int fd, short events, vo
>   /* Make space for further reads */
>   if (c->buf_len > 0) {
>   bcopy(c->buf + c->buf_pos, c->buf, c->buf_len);
>-  c->buf_pos = 0;
>   }
>+  c->buf_pos = 0;
>   return;
> fail:
>   cleanup_request(c);
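Review bot: With the reset of buf_pos moved below the conditional, the comment `/* Make space for further reads */` no longer explains why the reset has to be unconditional: when buf_len is 0 there is nothing to compact, but buf_pos can still sit at the end of the buffer and the next read would have no room. Suggest extending it to `/* Make space for further reads: compact pending data (if any) to the front and always rewind buf_pos, since an empty buffer can still have buf_pos at the end. */`. The same hunk appears again in the original report further down this page and the same remark applies there. slowcgi_request continues outside the hunk.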
>
>



find -delete

2017-01-02 Thread Ted Unangst
This option is not posix (not like that's stopped find accumulating a dozen
extensions), but it is in gnu and freebsd (for 20 years). it's also somewhat
popular among sysadmins and blogs, etc. and perhaps most importantly, it
nicely solves one of the more troublesome caveats of find (which the man page
actually covers twice because it's so common and easy to screw up). So I think
it makes a good addition.

Code snatched from freebsd.

In passing, I'll also note that the man page example is very inefficient.
$ find . \( -name \*.jpg -o -name \*.gif \) -exec rm {} \;
This would be much faster with +. We can fix that too, but I'll add that a lot
of the online advice suggests -delete, and if not available, -exec rm {} \;,
instead of the smarter + exec. Not surprising since even the man page gets
this wrong.

Index: extern.h
===
RCS file: /cvs/src/usr.bin/find/extern.h,v
retrieving revision 1.21
diff -u -p -r1.21 extern.h
--- extern.h5 Oct 2015 15:25:16 -   1.21
+++ extern.h3 Jan 2017 04:57:04 -
@@ -53,6 +53,7 @@ PLAN  *c_atime(char *, char ***, int);
 PLAN   *c_cmin(char *, char ***, int);
 PLAN   *c_cnewer(char *, char ***, int);
 PLAN   *c_ctime(char *, char ***, int);
+PLAN   *c_delete(char *, char ***, int);
 PLAN   *c_depth(char *, char ***, int);
 PLAN   *c_empty(char *, char ***, int);
 PLAN   *c_exec(char *, char ***, int);
@@ -87,5 +88,5 @@ PLAN  *c_mtime(char *, char ***, int);
 PLAN   *c_not(char *, char ***, int);
 PLAN   *c_or(char *, char ***, int);
 
-extern int ftsoptions, isdepth, isoutput, isxargs;
+extern int ftsoptions, isdelete, isdepth, isoutput, isxargs;
 extern int mayexecve;
Index: find.1
===
RCS file: /cvs/src/usr.bin/find/find.1,v
retrieving revision 1.91
diff -u -p -r1.91 find.1
--- find.1  11 Sep 2015 18:58:16 -  1.91
+++ find.1  3 Jan 2017 05:04:52 -
@@ -182,6 +182,23 @@ was started, rounded up to the next full
 .Ar n
 24-hour periods.
 .Pp
+.It Ic -delete
+Delete found files and/or directories.
+Always returns true.
+This executes
+from the current working directory as
+.Nm
+recurses down the tree.
+It will not attempt to delete a filename with a
+.Dq Pa /
+character in its pathname relative to
+.Dq Pa \&.
+for security reasons.
+Depth-first traversal processing is implied by this option.
+The
+.Ic -delete
+primary will fail to delete a directory if it is not empty.
+Following symlinks is incompatible with this option.
 .It Ic -depth
 This primary always evaluates to true.
 The same as specifying the
@@ -587,6 +604,7 @@ primaries
 .Ic -anewer ,
 .Ic -cmin ,
 .Ic -cnewer ,
+.Ic -delete ,
 .Ic -empty ,
 .Ic -execdir ,
 .Ic -flags ,
Index: find.c
===
RCS file: /cvs/src/usr.bin/find/find.c,v
retrieving revision 1.20
diff -u -p -r1.20 find.c
--- find.c  10 Oct 2015 20:35:00 -  1.20
+++ find.c  3 Jan 2017 04:58:29 -
@@ -154,9 +154,15 @@ find_execute(PLAN *plan,   /* search plan 
int r, rval;
PLAN *p;
 
-   if (mayexecve == 0)
-   if (pledge("stdio rpath getpw", NULL) == -1)
-   err(1, "pledge");
+   if (mayexecve == 0) {
+   if (isdelete) {
+   if (pledge("stdio cpath rpath getpw", NULL) == -1)
+   err(1, "pledge");
+   } else {
+   if (pledge("stdio rpath getpw", NULL) == -1)
+   err(1, "pledge");
+   }
+   }
 
rval = 0;
 
Index: find.h
===
RCS file: /cvs/src/usr.bin/find/find.h,v
retrieving revision 1.17
diff -u -p -r1.17 find.h
--- find.h  15 Mar 2015 00:41:28 -  1.17
+++ find.h  3 Jan 2017 04:44:39 -
@@ -37,7 +37,7 @@
 enum ntype {
N_AND = 1,  /* must start > 0 */
N_AMIN, N_ANEWER, N_ATIME, N_CLOSEPAREN, N_CMIN, N_CNEWER, N_CTIME,
-   N_DEPTH, N_EMPTY, N_EXEC, N_EXECDIR, N_EXPR,
+   N_DELETE, N_DEPTH, N_EMPTY, N_EXEC, N_EXECDIR, N_EXPR,
N_FLAGS, N_FOLLOW, N_FSTYPE, N_GROUP, N_INAME, N_INUM, N_LINKS, N_LS,
N_MMIN, N_MAXDEPTH,
N_MINDEPTH, N_MTIME, N_NAME, N_NEWER, N_NOGROUP, N_NOT, N_NOUSER,
Index: function.c
===
RCS file: /cvs/src/usr.bin/find/function.c,v
retrieving revision 1.44
diff -u -p -r1.44 function.c
--- function.c  18 Apr 2015 18:28:37 -  1.44
+++ function.c  3 Jan 2017 05:00:20 -
@@ -295,6 +295,63 @@ c_depth(char *ignore, char ***ignored, i
 
return (palloc(N_DEPTH, f_always_true));
 }
+
+/*
+ * -delete funcions
+ */
+int
+f_delete(PLAN *plan, FTSENT *entry)
+{
+
+   /* can't delete these */
+   if (strcmp(entry->fts_accpath, ".") == 0 ||
+   

Re: acme-client use configuration file [1 of 5]

2017-01-02 Thread Bob Beck
No objection in principle.. although since some of us depend on this we
might either need warning and/or a small period of overlap where the old
stuff works and then we can move to the new stuff without things blowing
up.

On Sun, Jan 1, 2017 at 1:59 PM, Sebastian Benoit  wrote:

> start using the configuration file and delete command line arguments:
>
> -a agreement  -> agreement url ...
> -c certdir    -> domain certificate "path"
> -f accountkey -> account key "path"
> -k domainkey  -> domain key "path"
> -s authority  -> sign with "name"
>
> new argument:
> -f configfile
>
> the changes needed to use the new configuration are local to main.c for
> now. While the configuration could be passed directly to netproc(),
> keyproc() etc., the diff is smaller this way.
>
> This also removes the multidir (-m) mode for now - specify different paths
> in each domain {} block instead.
>
> diff --git usr.sbin/acme-client/Makefile usr.sbin/acme-client/Makefile
> index 55e0b0e..eae13ed 100644
> --- usr.sbin/acme-client/Makefile
> +++ usr.sbin/acme-client/Makefile
> @@ -13,6 +13,6 @@ CFLAGS+=  -W -Wall -I${.CURDIR}
>  CFLAGS+=   -Wstrict-prototypes -Wmissing-prototypes
>  CFLAGS+=   -Wmissing-declarations
>  CFLAGS+=   -Wshadow -Wpointer-arith
> -CFLAGS+=   -Wsign-compare
> +CFLAGS+=   -Wsign-compare -Wunused
>
>  .include 
> diff --git usr.sbin/acme-client/acme-client.1 usr.sbin/acme-client/acme-
> client.1
> index 526c11f..6f38573 100644
> --- usr.sbin/acme-client/acme-client.1
> +++ usr.sbin/acme-client/acme-client.1
> @@ -22,15 +22,10 @@
>  .Nd ACME client
>  .Sh SYNOPSIS
>  .Nm acme-client
> -.Op Fl bFmNnrv
> -.Op Fl a Ar agreement
> +.Op Fl bFNnrv
>  .Op Fl C Ar challengedir
> -.Op Fl c Ar certdir
> -.Op Fl f Ar accountkey
> -.Op Fl k Ar domainkey
> -.Op Fl s Ar authority
> +.Op Fl f Ar configfile
>  .Ar domain
> -.Op Ar altnames
>  .Sh DESCRIPTION
>  The
>  .Nm
> @@ -39,8 +34,6 @@ Automatic Certificate Management Environment (ACME)
> client.
>  .Pp
>  The options are as follows:
>  .Bl -tag -width Ds
> -.It Fl a Ar agreement
> -Use an alternative user agreement URL.
>  .It Fl b
>  Back up all certificates in the certificate directory.
>  This only happens if a remove or replace operation is possible.
> @@ -58,67 +51,21 @@ Any given backup uses the same Epoch time for all
> three certificates.
>  If there are no certificates in place, this option does nothing.
>  .It Fl C Ar challengedir
>  The directory to register challenges.
> -.It Fl c Ar certdir
> -The directory to store public certificates.
>  .It Fl F
>  Force updating the certificate signature even if it's too soon.
> -.It Fl f Ar accountkey
> -The account private key.
> -This was either made with a previous client or with
> -.Fl n .
> -.It Fl k Ar domainkey
> -The private key for the domain.
> -This may also be created with
> -.Fl N .
> -.It Fl m
> -Append
> -.Ar domain
> -to all default paths except the challenge path
> -.Pq i.e. those that are overridden by Fl c , k , f .
> -Thus,
> -.Ar foo.com
> -as the initial domain would make the default domain private key into
> -.Pa /etc/ssl/acme/private/foo.com/privkey.pem .
> -This is useful in setups with multiple domain sets.
> +.It Fl f Ar configfile
> +Specify an alternative configuration file.
>  .It Fl N
>  Create a new RSA domain key if one does not already exist.
>  .It Fl n
>  Create a new RSA account key if one does not already exist.
>  .It Fl r
>  Revoke the X509 certificate found in the certificates.
> -.It Fl s Ar authority
> -ACME
> -.Ar authority
> -to talk to.
> -Currently the following authorities are available:
> -.Pp
> -.Bl -tag -width "letsencrypt-staging" -compact
> -.It Cm letsencrypt
> -Let's Encrypt authority
> -.It Cm letsencrypt-staging
> -Let's Encrypt staging authority
> -.El
> -.Pp
> -The default is
> -.Cm letsencrypt .
>  .It Fl v
>  Verbose operation.
>  Specify twice to also trace communication and data transfers.
>  .It Ar domain
>  The domain name.
> -The only difference between this and
> -.Ar altnames
> -is that it's put into the certificate's
> -.Li CN
> -field and it uses the
> -.Qq main
> -domain when specifying
> -.Fl m .
> -.It Ar altnames
> -Alternative names
> -.Pq Dq SAN
> -for the domain name.
> -The number of SAN entries is limited to 100 or so.
>  .El
>  .Pp
>  Public certificates are by default placed in
> @@ -175,7 +122,7 @@ as in the
>  .Sx Challenges
>  section:
>  .Pp
> -.Dl # acme-client -vNn foo.com www.foo.com smtp.foo.com
> +.Dl # acme-client -vNn www.foo.com
>  .Pp
>  A daily
>  .Xr cron 8
> @@ -183,7 +130,7 @@ job can renew the certificates:
>  .Bd -literal -offset indent
>  #! /bin/sh
>
> -acme-client foo.com www.foo.com smtp.foo.com
> +acme-client www.foo.com
>
>  if [ $? -eq 0 ]
>  then
> diff --git usr.sbin/acme-client/chngproc.c usr.sbin/acme-client/chngproc.c
> index 4cb7f33..3e931da 100644
> --- usr.sbin/acme-client/chngproc.c
> +++ usr.sbin/acme-client/chngproc.c
> @@ -27,7 +27,7 @@
>  

sunxi framebuffer driver

2017-01-02 Thread Mark Kettenis
Here is a fun little driver that supports the framebuffer that u-boot
sets up for us on the sunxi platform.  The mainbus(4) changes are
necessary, because the framebuffer device tree node actually lives
under /chosen, so we don't pick it up during the normal device tree
walk.  The most common 15/16 bpp, 24 bpp and 32 bpp modes are
supported, although I think u-boot always uses 32 bpp on sunxi
hardware.  No console support (yet) so simplefb is not added to
RAMDISK kernels.

On other platforms (imx for example) u-boot does set up the
framebuffer, but doesn't add the appropriate simplefb nodes to the
device tree.  That could be added though, and I wouldn't expect it to
be a big effort.

ok?


Index: arch/arm/mainbus/mainbus.c
===
RCS file: /cvs/src/sys/arch/arm/mainbus/mainbus.c,v
retrieving revision 1.13
diff -u -p -r1.13 mainbus.c
--- arch/arm/mainbus/mainbus.c  6 Aug 2016 00:04:39 -   1.13
+++ arch/arm/mainbus/mainbus.c  2 Jan 2017 22:07:42 -
@@ -30,6 +30,7 @@ int mainbus_match(struct device *, void 
 void mainbus_attach(struct device *, struct device *, void *);
 
 void mainbus_attach_node(struct device *, int);
+void mainbus_attach_framebuffer(struct device *);
 
 int mainbus_legacy_search(struct device *, void *, void *);
 
@@ -133,12 +134,10 @@ mainbus_attach(struct device *parent, st
}
 
/* Scan the whole tree. */
-   for (node = OF_child(node);
-   node != 0;
-   node = OF_peer(node))
-   {
+   for (node = OF_child(node); node != 0; node = OF_peer(node))
mainbus_attach_node(self, node);
-   }
+
+   mainbus_attach_framebuffer(self);
 }
 
 /*
@@ -212,6 +211,18 @@ mainbus_attach_node(struct device *self,
 
free(fa.fa_reg, M_DEVBUF, fa.fa_nreg * sizeof(struct fdt_reg));
free(fa.fa_intr, M_DEVBUF, fa.fa_nintr * sizeof(uint32_t));
+}
+
+void
+mainbus_attach_framebuffer(struct device *self)
+{
+   int node = OF_finddevice("/chosen");
+
+   if (node == 0)
+   return;
+
+   for (node = OF_child(node); node != 0; node = OF_peer(node))
+   mainbus_attach_node(self, node);
 }
 
 /*
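Review bot: mainbus_attach_framebuffer() treats 0 as the not-found result of OF_finddevice("/chosen"); if OF_finddevice() signals a missing node with -1 rather than 0, the guard never fires and OF_child() is called on an invalid handle. Confirm the contract and test for the value it actually returns, e.g. `if (node == -1) return;`, or guard against both. A one-line comment stating why the extra walk exists would also help readers, since the description explains it but the code does not: `/* u-boot places the simplefb node under /chosen, which the normal tree walk does not visit. */`.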
Index: arch/armv7/conf/GENERIC
===
RCS file: /cvs/src/sys/arch/armv7/conf/GENERIC,v
retrieving revision 1.69
diff -u -p -r1.69 GENERIC
--- arch/armv7/conf/GENERIC 23 Oct 2016 18:50:34 -  1.69
+++ arch/armv7/conf/GENERIC 2 Jan 2017 22:07:42 -
@@ -108,6 +108,9 @@ virtio* at fdt?
 
 psci*  at fdt?
 
+simplefb*  at fdt?
+wsdisplay* at simplefb?
+
 # Exynos
 exynos0at mainbus?
 exdisplay* at exynos?
Index: arch/armv7/conf/files.armv7
===
RCS file: /cvs/src/sys/arch/armv7/conf/files.armv7,v
retrieving revision 1.28
diff -u -p -r1.28 files.armv7
--- arch/armv7/conf/files.armv7 9 Oct 2016 23:46:23 -   1.28
+++ arch/armv7/conf/files.armv7 2 Jan 2017 22:07:42 -
@@ -65,6 +65,9 @@ include "dev/gpio/files.gpio"
 # Machine-independent 1-Wire drivers
 include "dev/onewire/files.onewire"
 
+# Machine-independent FDT drivers
+include "dev/fdt/files.fdt"
+
 # SoC includes
 include "arch/armv7/imx/files.imx"
 include "arch/armv7/omap/files.omap"
Index: dev/fdt/files.fdt
===
RCS file: dev/fdt/files.fdt
diff -N dev/fdt/files.fdt
--- /dev/null   1 Jan 1970 00:00:00 -
+++ dev/fdt/files.fdt   2 Jan 2017 22:07:45 -
@@ -0,0 +1,8 @@
+#  $OpenBSD$
+#
+# Config file and device description for machine-independent FDT code.
+# Included by ports that need it.
+
+device simplefb: wsemuldisplaydev, rasops15, rasops16, rasops24, rasops32
+attach simplefb at fdt
+file   dev/fdt/simplefb.c  simplefb
Index: dev/fdt/simplefb.c
===
RCS file: dev/fdt/simplefb.c
diff -N dev/fdt/simplefb.c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ dev/fdt/simplefb.c  2 Jan 2017 22:07:45 -
@@ -0,0 +1,243 @@
+/* $OpenBSD$   */
+/*
+ * Copyright (c) 2016 Mark Kettenis
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include 
+#include 
+#include 

Re: if attach/detach netlocks

2017-01-02 Thread Mike Belopuhov
On Fri, Dec 30, 2016 at 18:57 +0100, Mike Belopuhov wrote:
> On Thu, Dec 29, 2016 at 09:30 +0100, Martin Pieuchot wrote:
> > On 29/12/16(Thu) 01:15, Alexander Bluhm wrote:
> > > On Fri, Dec 23, 2016 at 12:09:32AM +0100, Martin Pieuchot wrote:
> > > > On 22/12/16(Thu) 20:45, Mike Belopuhov wrote:
> > > > > I think this is what is required here.  Works here, but YMMV.
> > > > 
> > > > splnet() in a pseudo-driver seems completely wrong, you could get rid of
> > > > it.
> > > 
> > > Yes, but that is another issue.  Can we get the netlock splasserts
> > > fixed first?  This diff looks good to me.
> > 
> > Sure I'm ok with the diff.
> > 
> 
> I agree with Martin and have cooked a diff but couldn't test it yet.
> This is it for the reference.
> 

I got to test the diff and I had to make another adjustment:
vxlan_if_change is set up as a detach hook, however dohooks is
called very early in if_detach before we remove IP addresses
from the interface.  It makes vxlan_config find these IP
addresses just fine and re-add its own detach hook again. This
repeats ad infinitum hogging the machine.  I couldn't think of
anything better than deferring an operation via a task.  Seems
to do the trick.

OK?

diff --git sys/net/if_vxlan.c sys/net/if_vxlan.c
index e9bc1cb8305..082e4ab5814 100644
--- sys/net/if_vxlan.c
+++ sys/net/if_vxlan.c
@@ -71,10 +71,12 @@ struct vxlan_softc {
in_port_tsc_dstport;
u_intsc_rdomain;
int64_t  sc_vnetid;
u_int8_t sc_ttl;
 
+   struct task  sc_task;
+
LIST_ENTRY(vxlan_softc)  sc_entry;
 };
 
 voidvxlanattach(int);
 int vxlanioctl(struct ifnet *, u_long, caddr_t);
@@ -89,10 +91,11 @@ void vxlan_media_status(struct ifnet *, struct 
ifmediareq *);
 int vxlan_config(struct ifnet *, struct sockaddr *, struct sockaddr *);
 int vxlan_output(struct ifnet *, struct mbuf *);
 voidvxlan_addr_change(void *);
 voidvxlan_if_change(void *);
 voidvxlan_link_change(void *);
+voidvxlan_config_defer(void *);
 
 int vxlan_sockaddr_cmp(struct sockaddr *, struct sockaddr *);
 uint16_t vxlan_sockaddr_port(struct sockaddr *);
 
 struct if_clonevxlan_cloner =
@@ -166,10 +169,12 @@ vxlan_clone_create(struct if_clone *ifc, int unit)
 */
ifp->if_mtu = ETHERMTU - sizeof(struct ether_header);
ifp->if_mtu -= sizeof(struct vxlanudphdr) + sizeof(struct ipovly);
 #endif
 
+   task_set(>sc_task, vxlan_config_defer, sc);
+
LIST_INSERT_HEAD(_tagh[VXLAN_TAGHASH(0)], sc, sc_entry);
vxlan_enable++;
 
return (0);
 }
@@ -178,13 +183,13 @@ int
 vxlan_clone_destroy(struct ifnet *ifp)
 {
struct vxlan_softc  *sc = ifp->if_softc;
int  s;
 
-   s = splnet();
+   NET_LOCK(s);
vxlan_multicast_cleanup(ifp);
-   splx(s);
+   NET_UNLOCK(s);
 
vxlan_enable--;
LIST_REMOVE(sc, sc_entry);
 
ifmedia_delete_instance(>sc_media, IFM_INST_ANY);
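Review bot: Nothing in this hunk cancels sc_task before the softc goes away, yet the description says vxlan_if_change now schedules it, so a still-pending vxlan_config_defer would run against freed memory. If the rest of vxlan_clone_destroy (outside the hunk) does not already do so, call `task_del()` on the taskq the task was queued to before the softc is freed. Since task_del() cannot stop a task that has already started, it is worth a comment on how a concurrently running vxlan_config_defer is excluded — presumably by NET_LOCK ordering, but that should be stated.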
@@ -392,11 +397,11 @@ int
 vxlanioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 {
struct vxlan_softc  *sc = (struct vxlan_softc *)ifp->if_softc;
struct ifreq*ifr = (struct ifreq *)data;
struct if_laddrreq  *lifr = (struct if_laddrreq *)data;
-   int  error = 0, s;
+   int  error = 0;
 
switch (cmd) {
case SIOCSIFADDR:
ifp->if_flags |= IFF_UP;
/* FALLTHROUGH */
@@ -417,24 +422,20 @@ vxlanioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
case SIOCSIFMEDIA:
error = ifmedia_ioctl(ifp, ifr, >sc_media, cmd);
break;
 
case SIOCSLIFPHYADDR:
-   s = splnet();
error = vxlan_config(ifp,
(struct sockaddr *)>addr,
(struct sockaddr *)>dstaddr);
-   splx(s);
break;
 
case SIOCDIFPHYADDR:
-   s = splnet();
vxlan_multicast_cleanup(ifp);
bzero(>sc_src, sizeof(sc->sc_src));
bzero(>sc_dst, sizeof(sc->sc_dst));
sc->sc_dstport = htons(VXLAN_PORT);
-   splx(s);
break;
 
case SIOCGLIFPHYADDR:
if (sc->sc_dst.ss_family == AF_UNSPEC) {
error = EADDRNOTAVAIL;
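Review bot: Dropping the splnet()/splx() pairs around vxlan_config() and vxlan_multicast_cleanup() makes their serialisation depend on the caller holding NET_LOCK(), which the function no longer states anywhere. An assertion before the switch, `splsoftassert(IPL_SOFTNET);`, or at least a comment `/* Serialised by the caller's NET_LOCK(). */`, would record the precondition and catch a future caller that bypasses it. The same applies to the SIOCSLIFPHYRTABLE hunk that follows. vxlanioctl continues outside the hunk.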
@@ -451,14 +452,12 @@ vxlanioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
ifr->ifr_rdomainid > RT_TABLEID_MAX ||
!rtable_exists(ifr->ifr_rdomainid)) {
error = EINVAL;
break;
}
-   s = splnet();
sc->sc_rdomain = ifr->ifr_rdomainid;
(void)vxlan_config(ifp, NULL, NULL);
-   splx(s);
break;
 
case SIOCGLIFPHYRTABLE:
ifr->ifr_rdomainid = 

Re: pflow(4) vs NET_LOCK()

2017-01-02 Thread Alexander Bluhm
On Mon, Jan 02, 2017 at 12:12:42PM +0100, Martin Pieuchot wrote:
> Diff below adds a helper for pflowioctl().  The goal is to reduce the
> number of error paths where the NET_LOCK() should be released.
> 
> ok?

I would not call it pflow_init(), as ..._init() functions are often
called during boot.

There are some "if (...) { return (ENOMEM); }".  The braces are not
necessary.

anyway OK bluhm@

> 
> Index: net/if_pflow.c
> ===
> RCS file: /cvs/src/sys/net/if_pflow.c,v
> retrieving revision 1.65
> diff -u -p -r1.65 if_pflow.c
> --- net/if_pflow.c29 Dec 2016 12:12:43 -  1.65
> +++ net/if_pflow.c2 Jan 2017 11:11:01 -
> @@ -69,6 +69,7 @@ int pflow_output(struct ifnet *ifp, stru
>   struct rtentry *rt);
>  int  pflow_clone_create(struct if_clone *, int);
>  int  pflow_clone_destroy(struct ifnet *);
> +int  pflow_init(struct pflow_softc *, struct pflowreq *);
>  void pflow_init_timeouts(struct pflow_softc *);
>  int  pflow_calc_mtu(struct pflow_softc *, int, int);
>  void pflow_setmtu(struct pflow_softc *, int);
> @@ -302,6 +303,157 @@ pflowvalidsockaddr(const struct sockaddr
>   return (0);
>   }
>  }
> +
> +int
> +pflow_init(struct pflow_softc *sc, struct pflowreq *pflowr)
> +{
> + struct proc *p = curproc;
> + struct socket   *so;
> + struct sockaddr *sa;
> + int  error = 0;
> +
> + if (pflowr->addrmask & PFLOW_MASK_VERSION) {
> + switch(pflowr->version) {
> + case PFLOW_PROTO_5:
> + case PFLOW_PROTO_10:
> + break;
> + default:
> + return(EINVAL);
> + }
> + }
> +
> + pflow_flush(sc);
> +
> + if (pflowr->addrmask & PFLOW_MASK_DSTIP) {
> + if (sc->sc_flowdst != NULL &&
> + sc->sc_flowdst->sa_family != pflowr->flowdst.ss_family) {
> + free(sc->sc_flowdst, M_DEVBUF, sc->sc_flowdst->sa_len);
> + sc->sc_flowdst = NULL;
> + if (sc->so != NULL) {
> + soclose(sc->so);
> + sc->so = NULL;
> + }
> + }
> +
> + if (sc->sc_flowdst == NULL) {
> + switch (pflowr->flowdst.ss_family) {
> + case AF_INET:
> + if ((sc->sc_flowdst = malloc(
> + sizeof(struct sockaddr_in),
> + M_DEVBUF,  M_NOWAIT)) == NULL) {
> + return (ENOMEM);
> + }
> + memcpy(sc->sc_flowdst, >flowdst,
> + sizeof(struct sockaddr_in));
> + sc->sc_flowdst->sa_len = sizeof(struct
> + sockaddr_in);
> + break;
> + case AF_INET6:
> + if ((sc->sc_flowdst = malloc(
> + sizeof(struct sockaddr_in6),
> + M_DEVBUF, M_NOWAIT)) == NULL) {
> + return (ENOMEM);
> + }
> + memcpy(sc->sc_flowdst, >flowdst,
> + sizeof(struct sockaddr_in6));
> + sc->sc_flowdst->sa_len = sizeof(struct
> + sockaddr_in6);
> + break;
> + default:
> + break;
> + }
> + }
> + if (sc->sc_flowdst != NULL) {
> + sc->send_nam->m_len = sc->sc_flowdst->sa_len;
> + sa = mtod(sc->send_nam, struct sockaddr *);
> + memcpy(sa, sc->sc_flowdst, sc->sc_flowdst->sa_len);
> + }
> + }
> +
> + if (pflowr->addrmask & PFLOW_MASK_SRCIP) {
> + if (sc->sc_flowsrc != NULL &&
> + sc->sc_flowsrc->sa_family != pflowr->flowsrc.ss_family) {
> + free(sc->sc_flowsrc, M_DEVBUF, sc->sc_flowsrc->sa_len);
> + sc->sc_flowsrc = NULL;
> + if (sc->so != NULL) {
> + soclose(sc->so);
> + sc->so = NULL;
> + }
> + }
> +
> + if (sc->sc_flowsrc == NULL) {
> + switch(pflowr->flowsrc.ss_family) {
> + case AF_INET:
> + if ((sc->sc_flowsrc = malloc(
> + sizeof(struct sockaddr_in),
> + M_DEVBUF, M_NOWAIT)) == NULL) {
> + return (ENOMEM);
> + }
> + 

Re: libressl symbols

2017-01-02 Thread Reyk Floeter
Hi,

the function prototypes have been moved from the header to the .c file - you 
will have to revert this change as well.

+1 from me for exposing the API - I recently also ran into it but didn't speak 
up because my use case was probably not important enough.

Reyk


> Am 02.01.2017 um 16:29 schrieb Peter Hessler :
> 
> Looks like when libcrypto was converted to use a Symbol map, some
> functions were not included.
> 
> This change lets py-openssl be loaded by python processes.
> 
> I did not include the minor version bump, as there might be more issues.
> 
> 
> 
> Index: lib/libcrypto/Symbols.list
> ===
> RCS file: /cvs/src/lib/libcrypto/Symbols.list,v
> retrieving revision 1.1
> diff -u -p -u -p -r1.1 Symbols.list
> --- lib/libcrypto/Symbols.list21 Dec 2016 15:49:29 -1.1
> +++ lib/libcrypto/Symbols.list2 Jan 2017 15:17:02 -
> @@ -2805,6 +2805,8 @@ X509_VERIFY_PARAM_inherit
> X509_VERIFY_PARAM_lookup
> X509_VERIFY_PARAM_new
> X509_VERIFY_PARAM_set1
> +X509_VERIFY_PARAM_set1_email
> +X509_VERIFY_PARAM_set1_ip
> X509_VERIFY_PARAM_set1_name
> X509_VERIFY_PARAM_set1_policies
> X509_VERIFY_PARAM_set_depth
> 
> 
> -- 
> Reality is just a convenient measure of complexity.
>-- Alvy Ray Smith
> 



libressl symbols

2017-01-02 Thread Peter Hessler
Looks like when libcrypto was converted to use a Symbol map, some
functions were not included.

This change lets py-openssl be loaded by python processes.

I did not include the minor version bump, as there might be more issues.



Index: lib/libcrypto/Symbols.list
===
RCS file: /cvs/src/lib/libcrypto/Symbols.list,v
retrieving revision 1.1
diff -u -p -u -p -r1.1 Symbols.list
--- lib/libcrypto/Symbols.list  21 Dec 2016 15:49:29 -  1.1
+++ lib/libcrypto/Symbols.list  2 Jan 2017 15:17:02 -
@@ -2805,6 +2805,8 @@ X509_VERIFY_PARAM_inherit
 X509_VERIFY_PARAM_lookup
 X509_VERIFY_PARAM_new
 X509_VERIFY_PARAM_set1
+X509_VERIFY_PARAM_set1_email
+X509_VERIFY_PARAM_set1_ip
 X509_VERIFY_PARAM_set1_name
 X509_VERIFY_PARAM_set1_policies
 X509_VERIFY_PARAM_set_depth


-- 
Reality is just a convenient measure of complexity.
-- Alvy Ray Smith



src/usr.sbin/slowcgi: possible bug

2017-01-02 Thread temp+101
Hi tech@,

I recently checked the slowcgi(8) and found that it might have an issue
when buf_pos is at the end of buffer and buf_len is zero.

Am I right?

Index: slowcgi.c
===
RCS file: /cvs/src/usr.sbin/slowcgi/slowcgi.c,v
retrieving revision 1.50
diff -u -p -r1.50 slowcgi.c
--- slowcgi.c   4 Sep 2016 14:40:34 -   1.50
+++ slowcgi.c   2 Jan 2017 12:52:01 -
@@ -674,8 +674,8 @@ slowcgi_request(int fd, short events, vo
/* Make space for further reads */
if (c->buf_len > 0) {
bcopy(c->buf + c->buf_pos, c->buf, c->buf_len);
-   c->buf_pos = 0;
}
+   c->buf_pos = 0;
return;
 fail:
cleanup_request(c);



Re: recursive splsoftnet()

2017-01-02 Thread Mike Belopuhov
On 2 January 2017 at 12:39, Martin Pieuchot  wrote:
> Kill two simple recursive splsoftnet().
>
> - pr_usrreq() functions are always called under NET_LOCK().
> - tcp_ident() is called by tcp_sysctl() only which asserts for the NET_LOCK()
>
> ok?
>

OK



recursive splsoftnet()

2017-01-02 Thread Martin Pieuchot
Kill two simple recursive splsoftnet().

- pr_usrreq() functions are always called under NET_LOCK().
- tcp_ident() is called by tcp_sysctl() only which asserts for the NET_LOCK()

ok?

Index: netinet/ip_gre.c
===
RCS file: /cvs/src/sys/netinet/ip_gre.c,v
retrieving revision 1.59
diff -u -p -r1.59 ip_gre.c
--- netinet/ip_gre.c4 Mar 2016 22:38:23 -   1.59
+++ netinet/ip_gre.c2 Jan 2017 11:34:01 -
@@ -411,12 +411,10 @@ gre_usrreq(struct socket *so, int req, s
struct inpcb *inp = sotoinpcb(so);
 
if (inp != NULL && inp->inp_pipex && req == PRU_SEND) {
-   int s;
struct sockaddr_in *sin4;
struct in_addr *ina_dst;
struct pipex_session *session;
 
-   s = splsoftnet();
ina_dst = NULL;
if ((so->so_state & SS_ISCONNECTED) != 0) {
inp = sotoinpcb(so);
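Review bot: The splsoftnet()/splx() pair is removed on the basis that pr_usrreq() functions run under NET_LOCK(), but gre_usrreq() itself records no such precondition, unlike the tcp_ident() hunk in the same diff which adds `splsoftassert(IPL_SOFTNET);`. Adding the same assertion at the top of gre_usrreq(), or at least in this PRU_SEND block, keeps the two files consistent and catches a future caller that bypasses the lock. gre_usrreq continues outside the hunk.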
@@ -432,7 +430,6 @@ gre_usrreq(struct socket *so, int req, s
(session = pipex_pptp_userland_lookup_session_ipv4(m,
*ina_dst)))
m = pipex_pptp_userland_output(m, session);
-   splx(s);
 
if (m == NULL)
return (ENOMEM);
Index: netinet/tcp_usrreq.c
===
RCS file: /cvs/src/sys/netinet/tcp_usrreq.c,v
retrieving revision 1.140
diff -u -p -r1.140 tcp_usrreq.c
--- netinet/tcp_usrreq.c26 Dec 2016 21:30:10 -  1.140
+++ netinet/tcp_usrreq.c2 Jan 2017 11:30:56 -
@@ -732,7 +732,7 @@ tcp_usrclosed(struct tcpcb *tp)
 int
 tcp_ident(void *oldp, size_t *oldlenp, void *newp, size_t newlen, int dodrop)
 {
-   int error = 0, s;
+   int error = 0;
struct tcp_ident_mapping tir;
struct inpcb *inp;
struct tcpcb *tp = NULL;
@@ -741,6 +741,9 @@ tcp_ident(void *oldp, size_t *oldlenp, v
struct sockaddr_in6 *fin6, *lin6;
struct in6_addr f6, l6;
 #endif
+
+   splsoftassert(IPL_SOFTNET);
+
if (dodrop) {
if (oldp != NULL || *oldlenp != 0)
return (EINVAL);
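Review bot: `splsoftassert(IPL_SOFTNET)` checks only the interrupt priority level, so if NET_LOCK() is a lock taken in addition to raising to IPL_SOFTNET, this assertion does not prove the lock is held and is weaker than the description's "asserts for the NET_LOCK()" suggests. If a lock-ownership assertion is available, prefer it here; otherwise a comment such as `/* Called from tcp_sysctl() with the NET_LOCK() held. */` above the assert records the real precondition. tcp_ident continues outside the hunk.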
@@ -781,7 +784,6 @@ tcp_ident(void *oldp, size_t *oldlenp, v
return (EINVAL);
}
 
-   s = splsoftnet();
switch (tir.faddr.ss_family) {
 #ifdef INET6
case AF_INET6:
@@ -803,7 +805,6 @@ tcp_ident(void *oldp, size_t *oldlenp, v
tp = tcp_drop(tp, ECONNABORTED);
else
error = ESRCH;
-   splx(s);
return (error);
}
 
@@ -830,7 +831,6 @@ tcp_ident(void *oldp, size_t *oldlenp, v
tir.ruid = -1;
tir.euid = -1;
}
-   splx(s);
 
*oldlenp = sizeof (tir);
error = copyout((void *), oldp, sizeof (tir));



pflow(4) vs NET_LOCK()

2017-01-02 Thread Martin Pieuchot
Diff below adds a helper for pflowioctl().  The goal is to reduce the
number of error paths where the NET_LOCK() should be released.

ok?

Index: net/if_pflow.c
===
RCS file: /cvs/src/sys/net/if_pflow.c,v
retrieving revision 1.65
diff -u -p -r1.65 if_pflow.c
--- net/if_pflow.c  29 Dec 2016 12:12:43 -  1.65
+++ net/if_pflow.c  2 Jan 2017 11:11:01 -
@@ -69,6 +69,7 @@ int   pflow_output(struct ifnet *ifp, stru
struct rtentry *rt);
 intpflow_clone_create(struct if_clone *, int);
 intpflow_clone_destroy(struct ifnet *);
+intpflow_init(struct pflow_softc *, struct pflowreq *);
 void   pflow_init_timeouts(struct pflow_softc *);
 intpflow_calc_mtu(struct pflow_softc *, int, int);
 void   pflow_setmtu(struct pflow_softc *, int);
@@ -302,6 +303,157 @@ pflowvalidsockaddr(const struct sockaddr
return (0);
}
 }
+
+int
+pflow_init(struct pflow_softc *sc, struct pflowreq *pflowr)
+{
+   struct proc *p = curproc;
+   struct socket   *so;
+   struct sockaddr *sa;
+   int  error = 0;
+
+   if (pflowr->addrmask & PFLOW_MASK_VERSION) {
+   switch(pflowr->version) {
+   case PFLOW_PROTO_5:
+   case PFLOW_PROTO_10:
+   break;
+   default:
+   return(EINVAL);
+   }
+   }
+
+   pflow_flush(sc);
+
+   if (pflowr->addrmask & PFLOW_MASK_DSTIP) {
+   if (sc->sc_flowdst != NULL &&
+   sc->sc_flowdst->sa_family != pflowr->flowdst.ss_family) {
+   free(sc->sc_flowdst, M_DEVBUF, sc->sc_flowdst->sa_len);
+   sc->sc_flowdst = NULL;
+   if (sc->so != NULL) {
+   soclose(sc->so);
+   sc->so = NULL;
+   }
+   }
+
+   if (sc->sc_flowdst == NULL) {
+   switch (pflowr->flowdst.ss_family) {
+   case AF_INET:
+   if ((sc->sc_flowdst = malloc(
+   sizeof(struct sockaddr_in),
+   M_DEVBUF,  M_NOWAIT)) == NULL) {
+   return (ENOMEM);
+   }
+   memcpy(sc->sc_flowdst, >flowdst,
+   sizeof(struct sockaddr_in));
+   sc->sc_flowdst->sa_len = sizeof(struct
+   sockaddr_in);
+   break;
+   case AF_INET6:
+   if ((sc->sc_flowdst = malloc(
+   sizeof(struct sockaddr_in6),
+   M_DEVBUF, M_NOWAIT)) == NULL) {
+   return (ENOMEM);
+   }
+   memcpy(sc->sc_flowdst, >flowdst,
+   sizeof(struct sockaddr_in6));
+   sc->sc_flowdst->sa_len = sizeof(struct
+   sockaddr_in6);
+   break;
+   default:
+   break;
+   }
+   }
+   if (sc->sc_flowdst != NULL) {
+   sc->send_nam->m_len = sc->sc_flowdst->sa_len;
+   sa = mtod(sc->send_nam, struct sockaddr *);
+   memcpy(sa, sc->sc_flowdst, sc->sc_flowdst->sa_len);
+   }
+   }
+
+   if (pflowr->addrmask & PFLOW_MASK_SRCIP) {
+   if (sc->sc_flowsrc != NULL &&
+   sc->sc_flowsrc->sa_family != pflowr->flowsrc.ss_family) {
+   free(sc->sc_flowsrc, M_DEVBUF, sc->sc_flowsrc->sa_len);
+   sc->sc_flowsrc = NULL;
+   if (sc->so != NULL) {
+   soclose(sc->so);
+   sc->so = NULL;
+   }
+   }
+
+   if (sc->sc_flowsrc == NULL) {
+   switch(pflowr->flowsrc.ss_family) {
+   case AF_INET:
+   if ((sc->sc_flowsrc = malloc(
+   sizeof(struct sockaddr_in),
+   M_DEVBUF, M_NOWAIT)) == NULL) {
+   return (ENOMEM);
+   }
+   memcpy(sc->sc_flowsrc, >flowsrc,
+   sizeof(struct sockaddr_in));
+   sc->sc_flowsrc->sa_len = sizeof(struct
+   sockaddr_in);
+   break;
+   case AF_INET6:
+   

Re: acme-client use configuration file [1 of 5]

2017-01-02 Thread Raf Czlonka
Hi Todd,

I think you meant:

+.Xr acme-client.conf 5 ,

:^)

Raf

On Mon, Jan 02, 2017 at 01:58:26AM GMT, Todd C. Miller wrote:
> I think you also want something like the following.
> 
> Also, acme-client.conf.5 has paths like:
>   domain key /etc/ssl/private/example.com.key
>   domain certificate /etc/ssl/example.com.crt
> 
> instead of:
>   domain key /etc/ssl/acme/private/example.com.key
>   domain certificate /etc/ssl/acme/example.com.crt
> 
> Index: acme-client.1
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
> retrieving revision 1.11
> diff -u -p -u -r1.11 acme-client.1
> --- acme-client.1 15 Sep 2016 20:44:24 -  1.11
> +++ acme-client.1 31 Oct 2016 14:57:22 -
> @@ -192,6 +192,7 @@ fi
>  .Ed
>  .Sh SEE ALSO
>  .Xr openssl 1 ,
> +.Xr acme-client 5 ,
>  .Xr httpd.conf 5
>  .Sh STANDARDS
>  .Rs
>