Re: rc: reorder_libs: [1/2] Drop unused _l, exit early on failure
On Sun, Jul 16, 2017 at 03:34:07AM +0200, Klemens Nanni wrote: > $_l is not used and picking the latest archive versions is of no use > if /usr/lib cannot be written to. > > This patch applies cleanly before my next one but not vice versa. > > Feedback? OK? _l is only unused after your second patch :) hoisting the remount over picking the library version makes sense, but you should keep it after the "echo -n 'reordering libraries:'" > > Index: rc > === > RCS file: /cvs/src/etc/rc,v > retrieving revision 1.507 > diff -u -p -r1.507 rc > --- rc4 Jul 2017 19:02:11 - 1.507 > +++ rc16 Jul 2017 01:25:27 - > @@ -158,7 +158,7 @@ make_keys() { > > # Re-link libraries, placing the objects in a random order. > reorder_libs() { > - local _dkdev _l _liba _libas _mp _tmpdir _remount=false _error=false > + local _dkdev _liba _libas _mp _tmpdir _remount=false _error=false > > [[ $library_aslr == NO ]] && return > > @@ -168,6 +168,16 @@ reorder_libs() { > # Skip if /usr/lib is on a nfs mounted filesystem. > [[ $_mp == *' type nfs '* ]] && return > echo -n 'reordering libraries:' > + # Remount read-write, if /usr/lib is on a read-only ffs filesystem. > + if [[ $_mp == *' type ffs '*'read-only'* ]]; then > + if mount -u -w $_dkdev; then > + _remount=true > + else > + echo ' failed.' > + return > + fi > + fi > + > echo -n 'reordering libraries:' delete this > > # Only choose the latest version of the libraries. > @@ -178,16 +188,6 @@ reorder_libs() { > done > _libas="$_libas $_liba" > done > - > - # Remount read-write, if /usr/lib is on a read-only ffs filesystem. > - if [[ $_mp == *' type ffs '*'read-only'* ]]; then > - if mount -u -w $_dkdev; then > - _remount=true > - else > - echo ' failed.' > - return > - fi > - fi > > for _liba in $_libas; do > _tmpdir=$(mktemp -dq /tmp/_librebuild.) && ( >
rc: reorder_libs: [2/2] Pick archive versions more efficiently
Why loop over all existing archives, picking the latest version of the current archive and then skipping it if it's already in our list of selected latest versions or adding it otherwise? The current code runs ls|sort|tail about n * (v - 1) times for n different libraries and v versions respectively since the globbed list is almost always sorted already, effectively adding the latest versions after skipping all others. This diff makes it much clearer and simpler by sorting and picking only as many versions as there are libraries to reorder (two). Globbing is done within the loop, so future libraries with different naming schemes come at no cost. Applies cleanly to both the current revision and my previous diff, but the previous one will fail on top of this one. Feedback? Comments? Index: rc === RCS file: /cvs/src/etc/rc,v retrieving revision 1.507 diff -u -p -r1.507 rc --- rc 4 Jul 2017 19:02:11 - 1.507 +++ rc 16 Jul 2017 01:15:43 - @@ -171,13 +171,10 @@ reorder_libs() { echo -n 'reordering libraries:' # Only choose the latest version of the libraries. - for _liba in /usr/lib/libc.so.*.a /usr/lib/libcrypto.so.*.a; do - _liba=$(ls ${_liba%%.[0-9]*}*.a | sort -V | tail -1) - for _l in $_libas; do - [[ $_l == $_liba ]] && continue 2 - done - _libas="$_libas $_liba" + for _liba in 'libc.so.*.a' 'libcrypto.so.*.a'; do + _libas="$_libas $(ls /usr/lib/$_liba | sort -V | tail -1)" done + _libas=${_libas# } # Remount read-write, if /usr/lib is on a read-only ffs filesystem. if [[ $_mp == *' type ffs '*'read-only'* ]]; then
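Review bot: `ls /usr/lib/$_liba` only works because `$_liba` is quoted in the `for` list and unquoted here, so the pattern survives as a literal string until the shell expands it as an argument to `ls`; that is subtle enough to deserve a one-line comment. The new loop also keeps the old code's failure mode: if a pattern matches nothing, ksh hands `ls` the literal `libc.so.*.a`, `ls` prints an error on the console during boot and the `$(...)` is empty, leaving an empty entry in `_libas`. Checking that the command substitution produced a name before appending it would keep boot output clean. `_libas=${_libas# }` correctly strips the leading space the first iteration introduces.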
rc: reorder_libs: [1/2] Drop unused _l, exit early on failure
$_l is not used and picking the latest archive versions is of no use if /usr/lib cannot be written to. This patch applies cleanly before my next one but not vice versa. Feedback? OK? Index: rc === RCS file: /cvs/src/etc/rc,v retrieving revision 1.507 diff -u -p -r1.507 rc --- rc 4 Jul 2017 19:02:11 - 1.507 +++ rc 16 Jul 2017 01:25:27 - @@ -158,7 +158,7 @@ make_keys() { # Re-link libraries, placing the objects in a random order. reorder_libs() { - local _dkdev _l _liba _libas _mp _tmpdir _remount=false _error=false + local _dkdev _liba _libas _mp _tmpdir _remount=false _error=false [[ $library_aslr == NO ]] && return @@ -168,6 +168,16 @@ reorder_libs() { # Skip if /usr/lib is on a nfs mounted filesystem. [[ $_mp == *' type nfs '* ]] && return + # Remount read-write, if /usr/lib is on a read-only ffs filesystem. + if [[ $_mp == *' type ffs '*'read-only'* ]]; then + if mount -u -w $_dkdev; then + _remount=true + else + echo ' failed.' + return + fi + fi + echo -n 'reordering libraries:' # Only choose the latest version of the libraries. @@ -178,16 +188,6 @@ reorder_libs() { done _libas="$_libas $_liba" done - - # Remount read-write, if /usr/lib is on a read-only ffs filesystem. - if [[ $_mp == *' type ffs '*'read-only'* ]]; then - if mount -u -w $_dkdev; then - _remount=true - else - echo ' failed.' - return - fi - fi for _liba in $_libas; do _tmpdir=$(mktemp -dq /tmp/_librebuild.) && (
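Review bot: the first hunk drops `_l` from the `local` line while, at this revision, the selection loop still runs `for _l in $_libas`, so until [2/2] lands `_l` becomes an undeclared variable that ksh makes global for the rest of rc; either land the two diffs in the other order or keep `_l` here. In the remaining hunks the remount block now sits before `echo -n 'reordering libraries:'`, so when `mount -u -w $_dkdev` fails the only output is a bare ` failed.` line with nothing in front of it; keep the echo ahead of the remount so the console reads `reordering libraries: failed.`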
Re: RFC 7217: /etc/{rc,netstart} [4/8]
On Sat, Jul 15, 2017 at 05:09:43PM +, Florian Obser wrote: > netstart & simplification suggested by naddy > > OK? > > diff --git etc/netstart etc/netstart > index 71890bc7a5b..047eef1ab83 100644 > --- etc/netstart > +++ etc/netstart > @@ -190,6 +190,8 @@ if $PRINT_ONLY && (($# == 0)); then > exit 1 > fi > > +$PRINT_ONLY || sysctl -q "net.inet6.ip6.soiikey=$( + > # If we were invoked with a list of interface names, just reconfigure these > # interfaces (or bridges), add default routes and return. > if (($# > 0)); then > diff --git etc/rc etc/rc > index 48e5671335f..a2e23b163a1 100644 > --- etc/rc > +++ etc/rc > @@ -154,6 +154,12 @@ make_keys() { > fi > > ssh-keygen -A > + > + if [[ ! -f /etc/soii.key ]]; then > + openssl rand -hex 16 > /etc/soii.key && \ > + chmod 600 /etc/soii.key && sysctl -q \ > + "net.inet6.ip6.soiikey=$( + fi > } > > # Re-link libraries, placing the objects in a random order. OK -- -=[rpe]=-
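Review bot: the netstart hunk runs `sysctl -q "net.inet6.ip6.soiikey=..."` on every non-print-only invocation with no check that the key file exists; the value being substituted is cut off in this copy, but if it is read from /etc/soii.key (the file the rc hunk creates), then on a host where make_keys has not run yet the substitution is empty and `-q` hides the resulting error, so the kernel key stays unset without any message. The install.sub hunk in [8/8] guards its sysctl with `[[ -f $_f ]]`; the same guard belongs here.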
Re: RFC 7217: installer support [8/8]
On Sat, Jul 15, 2017 at 05:16:04PM +, Florian Obser wrote: > OK? > > diff --git distrib/miniroot/install.sub distrib/miniroot/install.sub > index 26cecd81cbc..52360686b38 100644 > --- distrib/miniroot/install.sub > +++ distrib/miniroot/install.sub > @@ -2988,6 +2988,9 @@ do_upgrade() { > hostname $(stripcom /tmp/i/myname) > THESETS="$THESETS site$VERSION-$(hostname -s).tgz" > > + _f=/mnt/etc/soii.key > + [[ -f $_f ]] && sysctl net.inet6.ip6.soiikey=$(<$_f) > + > # Configure the network. > enable_network Still OK for the install.sub part ;-)
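Review bot: unlike the netstart hunk in [4/8], the `sysctl` here is not quieted, so a key file that the sysctl hex parser from [1/8] rejects (`hex string ...: invalid`) prints an error in the middle of an upgrade; that is arguably the right behaviour, but it should be a deliberate choice. `_f` is assigned without `local`, so it persists in the installer shell after do_upgrade returns. The `[[ -f $_f ]]` guard and the placement before `enable_network` are right: the upgrade kernel then derives the same addresses as the installed system.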
Re: RFC 7217: random but stable addresses (take 2)
>>> Christian Weisgerber 14-Jul-17 23:04 >>> > > > secondly, im always wary of truncating hash output in case it throws > > away some of the guarantees it's supposed to provide. if you cut > > sha512 output down to an 8th of its size, is it 8 times easier to > > calculate a collision, or more than 8 times easier? sha384 being a > > truncation of sha512 kind of argues against this though. > > NIST FIPS 180-4 (the SHA-2 standard) says: > > Some application may require a hash function with a message digest > length different than those provided by the hash functions in this > Standard. In such cases, a truncated message digest may be used, > whereby a hash function with a larger message digest length is > applied to the data to be hashed, and the resulting message digest > is truncated by selecting an appropriate number of the leftmost > bits. [...] > > (For some reason though the same standard specifies "SHA-512/t" > hash functions, which are SHA-512 truncated to t bits, to use > different initial hash values. Maybe some mathematical rigor thing > to distinguish truncation by the user from truncation inside the > function?) It is fine to truncate the output of a (good) hash function - see this answer from Thomas Pornin on crypto.SE: https://crypto.stackexchange.com/a/163 However, when defining a new hash function as the truncation of the output of an existing one (e.g. when using SHA256 to create a drop-in replacement for a system that used SHA1 or MD5), it is considered important to use a different set of IV constants - see this set of slides from NIST: http://csrc.nist.gov/groups/ST/hash/documents/Kelsey_Truncation.pdf No doubt I'll be shot down for the rest, but anyway: Obviously when truncating output down to 48 bits, the birthday attack is only of the order of 2^24 bits, so finding collisions is not difficult.
But anyway, our output is public, and someone wishing to collide with us doesn't have to use our mechanism, so collision resistance (in the usual sense) is immaterial. Nor (for the same reasons) are we worried about second preimage resistance. So really, we're just using the hash function here as a PRF, to generate random-looking but deterministic output from a given set of inputs. In which case it doesn't really matter whether we use SHA512 or SipHash. SipHash has some nice properties, but they're generally around the performance side of things. SHA512 is probably the more conservative choice, and absolutely fine here. Tom
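The hash-as-PRF use Tom describes, together with the truncation question above, in runnable form. This is an added example, not OpenBSD code and not taken from any diff in this thread: SHA-512 over the same four inputs the posted kernel diff feeds in (prefix, link-layer address, DAD counter, secret key), truncated to the 64-bit interface identifier, plus the two steps RFC 7217 section 5 asks for that the diffs leave as XXX: rejecting identifiers in the RFC 5453 reserved set and incrementing DAD_Counter when the result is unusable. The 16-byte key, the sample MAC, the little-endian packing of the counter and all names below are assumptions of this example.

```python
"""RFC 7217 semantically opaque IIDs with SHA-512 used as a PRF.

Added example for this thread; not OpenBSD's in6_ifattach.c or slaacd code.
"""
import hashlib
import ipaddress
import struct

KEY_LEN = 16   # the thread settles on a 128-bit secret in /etc/soii.key
IID_LEN = 8    # 64-bit interface identifier: the leftmost 64 bits of SHA-512

# Reserved interface identifiers (RFC 5453 section 3), inclusive ranges.
RESERVED_IIDS = (
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),  # Ethernet block / PMIPv6 / reserved
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast
)

# Constructed sample inputs: not a real key and not a real device.
EXAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
EXAMPLE_MAC = bytes.fromhex("0800273f1a2b")


def soii_iid(prefix, lladdr, key, dad_counter=0):
    """F(Prefix, Net_Iface, DAD_Counter, secret_key) with SHA-512 as F.

    Inputs go in the same order as the posted kernel diff.  The counter is
    packed as a fixed-width little-endian int (an assumption; the diff
    hashes a native C int).  Truncating the 512-bit digest to 64 bits is
    fine for a PRF: nobody needs a collision in our function, they need
    the key, and the IID stays a deterministic function of its inputs.
    """
    if len(prefix) != 16:
        raise ValueError("prefix must be a packed 16-byte IPv6 address")
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    if not lladdr:
        raise ValueError("interface has no link-layer address")
    h = hashlib.sha512()
    h.update(prefix)
    h.update(lladdr)
    h.update(struct.pack("<i", dad_counter))
    h.update(key)
    return h.digest()[:IID_LEN]


def iid_is_reserved(iid):
    """True when the 64-bit IID falls in an RFC 5453 reserved range."""
    v = int.from_bytes(iid, "big")
    return any(lo <= v <= hi for lo, hi in RESERVED_IIDS)


def soii_address(prefix, lladdr, key, in_use=(), max_retries=8):
    """Form prefix || IID for a /64, retrying with DAD_Counter + 1 when the
    IID is reserved or already used on this interface (RFC 7217 section 5;
    a real stack would retry the same way after a DAD failure on the wire)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("RFC 7217 IIDs are 64 bits wide; need a /64")
    pfx = net.network_address.packed
    taken = {ipaddress.IPv6Address(a) for a in in_use}
    for counter in range(max_retries):
        iid = soii_iid(pfx, lladdr, key, counter)
        addr = ipaddress.IPv6Address(pfx[:IID_LEN] + iid)
        if not iid_is_reserved(iid) and addr not in taken:
            return addr
    raise RuntimeError("no usable IID after %d retries" % max_retries)


if __name__ == "__main__":
    for p in ("fe80::/64", "2001:db8:1::/64"):
        print(p, soii_address(p, EXAMPLE_MAC, EXAMPLE_KEY))
    # same interface, same prefix, new key: an unrelated address
    print("rekeyed", soii_address("2001:db8:1::/64", EXAMPLE_MAC, bytes(KEY_LEN)))
```

Run it twice and the addresses are identical; change the key, the prefix or the MAC and they change completely, which is the "stable per (network, interface, key), unlinkable across networks" property the thread is after. Passing an existing address in `in_use` exercises the DAD_Counter path.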
ifstated diff cleanup before delegating proc/exec to privchild
This diff should probably be three separate diffs, but changes are colliding (i.e. adjacent lines of code are being modified within different diffs). The diff contains three modifications: - removal of unused logging code (see previous diff); - a cleanup of parse.y, converting it to use log.c; and - string to character array changes in preparation for the next pledge diff. Regards, Rob Index: ifstated.c === RCS file: /cvs/src/usr.sbin/ifstated/ifstated.c,v retrieving revision 1.50 diff -u -p -r1.50 ifstated.c --- ifstated.c 4 Jul 2017 21:09:52 - 1.50 +++ ifstated.c 15 Jul 2017 17:56:31 - @@ -639,7 +639,6 @@ clear_config(struct ifsd_config *oconf) TAILQ_REMOVE(>states, state, entries); remove_action(state->init, state); remove_action(state->body, state); - free(state->name); free(state); } remove_action(oconf->initstate.init, >initstate); @@ -656,12 +655,7 @@ remove_action(struct ifsd_action *action return; switch (action->type) { - case IFSD_ACTION_LOG: - free(action->act.logmessage); - break; case IFSD_ACTION_COMMAND: - free(action->act.command); - break; case IFSD_ACTION_CHANGESTATE: break; case IFSD_ACTION_CONDITION: @@ -697,7 +691,6 @@ remove_expression(struct ifsd_expression if (--expression->u.external->refcount == 0) { TAILQ_REMOVE(>external_tests, expression->u.external, entries); - free(expression->u.external->command); event_del(>u.external->ev); free(expression->u.external); } Index: ifstated.h === RCS file: /cvs/src/usr.sbin/ifstated/ifstated.h,v retrieving revision 1.16 diff -u -p -r1.16 ifstated.h --- ifstated.h 4 Jul 2017 21:04:14 - 1.16 +++ ifstated.h 15 Jul 2017 17:56:31 - @@ -28,6 +28,7 @@ #include #include +#include struct ifsd_expression; TAILQ_HEAD(ifsd_expression_list, ifsd_expression); 
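Review bot: with `IFSD_ACTION_LOG` (value 0) gone, a `calloc`'d action whose `type` was never set now matches no case in `remove_action()` and is freed without its children being walked; harmless today, but a `default:` that logs the unexpected type would catch a parse.y path that forgets to set it. The dropped `free()` calls in clear_config/remove_action/remove_expression are consistent with the fixed-size arrays introduced in the header hunks below.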
@@ -45,15 +46,15 @@ struct ifsd_ifstate { }; struct ifsd_external { - TAILQ_ENTRY(ifsd_external) entries; - struct event ev; - struct ifsd_expression_list expressions; - char*command; - int prevstatus; - u_int32_tfrequency; - u_int32_trefcount; - u_int32_tlastexec; - pid_tpid; + TAILQ_ENTRY(ifsd_external) entries; + struct eventev; + struct ifsd_expression_list expressions; + charcommand[LINE_MAX]; + int prevstatus; + u_int32_t frequency; + u_int32_t refcount; + u_int32_t lastexec; + pid_t pid; }; struct ifsd_action; @@ -63,17 +64,15 @@ struct ifsd_action { TAILQ_ENTRY(ifsd_action) entries; struct ifsd_action *parent; union { - char*logmessage; - char*command; + charcommand[LINE_MAX]; struct ifsd_state *nextstate; - char*statename; + charstatename[NAME_MAX]; struct { struct ifsd_action_list actions; struct ifsd_expression *expression; } c; } act; u_int32_ttype; -#define IFSD_ACTION_LOG0 #define IFSD_ACTION_COMMAND1 #define IFSD_ACTION_CHANGESTATE2 #define IFSD_ACTION_CONDITION 3 @@ -111,7 +110,7 @@ struct ifsd_state { struct ifsd_action *init; struct ifsd_action *body; u_int32_tentered; - char*name; + charname[NAME_MAX]; }; TAILQ_HEAD(ifsd_state_list, ifsd_state); Index: parse.y === RCS file: /cvs/src/usr.sbin/ifstated/parse.y,v retrieving revision 1.44 diff -u -p -r1.44 parse.y --- parse.y 4 Jul 2017 21:13:03 - 1.44 +++ parse.y 15 Jul 2017 17:56:31 - @@ -190,11 +190,12 @@ action: RUN STRING{ struct ifsd_action *action; if ((action = calloc(1, sizeof(*action))) == NULL)
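Review bot: `statename[NAME_MAX]` and `name[NAME_MAX]` borrow a pathname-component limit, and `command[LINE_MAX]` a line-editing one, as bounds for configuration strings; usable, but the parse.y side (cut off in this copy) then has to copy with `strlcpy` and treat a truncated result as a parse error, otherwise a `run` command longer than LINE_MAX is silently cut and a different command than the one configured gets executed. The `+#include` added to ifstated.h lost its header name in the extraction; presumably `<limits.h>` for these constants. The external-command struct grows from a pointer to LINE_MAX bytes per entry, which is fine for the handful of tests ifstated.conf usually carries.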
Re: RFC 7217: changelist & mtree [5/8]
one less typo, pointed out by tb@, thanks! diff --git etc/changelist etc/changelist index 756927e29c6..9aed3f2a782 100644 --- etc/changelist +++ etc/changelist @@ -115,6 +115,7 @@ /etc/services /etc/shells /etc/snmpd.conf ++/etc/soii.key +/etc/spwd.db /etc/ssh/ssh_config +/etc/ssh/ssh_host_dsa_key diff --git etc/mtree/special etc/mtree/special index a2eec3e4476..8e1f292ba74 100644 --- etc/mtree/special +++ etc/mtree/special @@ -94,6 +94,7 @@ shellstype=file mode=0644 uname=root gname=wheel skey type=dir mode=01730 uname=root gname=auth optional .. #skey snmpd.conf type=file mode=0600 uname=root gname=wheel optional +soii.key type=file mode=0600 uname=root gname=wheel optional spwd.dbtype=file mode=0640 uname=root gname=_shadow sshtype=dir mode=0755 uname=root gname=wheel optional ssh_config type=file mode=0644 uname=root gname=wheel -- 2.13.0 -- I'm not entirely sure you are real.
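Review bot: the changelist entry keeps the `+` prefix (`++/etc/soii.key` is the diff's `+` followed by changelist's `+`), so the daily security(8) run reports only a checksum change instead of mailing out a diff containing the key bytes, the same treatment `+/etc/spwd.db` directly below gets; that is the right choice for a secret. The mtree line `mode=0600 uname=root gname=wheel optional` matches the `chmod 600` the rc hunk in [4/8] applies, so security(8) will not complain about the file on systems that have it and will not miss it on systems that do not.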
RFC 7217: slaacd support [7/8]
OK? diff --git sbin/slaacd/engine.c sbin/slaacd/engine.c index 394df48eeb6..5fecf6e8779 100644 --- sbin/slaacd/engine.c +++ sbin/slaacd/engine.c @@ -64,6 +64,8 @@ #include #include +#include + #include #include #include @@ -180,6 +182,7 @@ struct address_proposal { uint8_t prefix_len; uint32_t vltime; uint32_t pltime; + uint8_t soiikey[SLAACD_SOIIKEY_LEN]; }; struct dfr_proposal { @@ -205,8 +208,10 @@ struct slaacd_iface { uint32_t if_index; int running; int autoconfprivacy; + int soii; struct ether_addrhw_address; struct sockaddr_in6 ll_address; + uint8_t soiikey[SLAACD_SOIIKEY_LEN]; LIST_HEAD(, radv)radvs; LIST_HEAD(, address_proposal)addr_proposals; LIST_HEAD(, dfr_proposal)dfr_proposals; @@ -615,12 +620,15 @@ engine_dispatch_main(int fd, short event, void *bula) iface->state = IF_DOWN; iface->autoconfprivacy = imsg_ifinfo.autoconfprivacy; + iface->soii = imsg_ifinfo.soii; memcpy(>hw_address, _ifinfo.hw_address, sizeof(struct ether_addr)); memcpy(>ll_address, _ifinfo.ll_address, sizeof(struct sockaddr_in6)); + memcpy(iface->soiikey, imsg_ifinfo.soiikey, + sizeof(iface->soiikey)); LIST_INIT(>radvs); LIST_INSERT_HEAD(_interfaces, iface, entries); @@ -635,6 +643,14 @@ engine_dispatch_main(int fd, short event, void *bula) imsg_ifinfo.autoconfprivacy; need_refresh = 1; } + + if (iface->soii != + imsg_ifinfo.soii) { + iface->soii = + imsg_ifinfo.soii; + need_refresh = 1; + } + if (memcmp(>hw_address, _ifinfo.hw_address, sizeof(struct ether_addr)) != 0) { @@ -643,6 +659,14 @@ engine_dispatch_main(int fd, short event, void *bula) sizeof(struct ether_addr)); need_refresh = 1; } + if (memcmp(iface->soiikey, + imsg_ifinfo.soiikey, + sizeof(iface->soiikey)) != 0) { + memcpy(iface->soiikey, + imsg_ifinfo.soiikey, + sizeof(iface->soiikey)); + need_refresh = 1; + } if (iface->state != IF_DOWN && imsg_ifinfo.running && need_refresh) 
@@ -699,6 +723,7 @@ send_interface_info(struct slaacd_iface *iface, pid_t pid) cei.if_index = iface->if_index; cei.running = iface->running; cei.autoconfprivacy = iface->autoconfprivacy; + cei.soii = iface->soii; memcpy(_address, >hw_address, sizeof(struct ether_addr)); memcpy(_address, >ll_address, sizeof(struct sockaddr_in6)); @@ -1149,7 +1174,10 @@ void gen_addr(struct slaacd_iface *iface, struct radv_prefix *prefix, struct address_proposal *addr_proposal, int privacy) { + SHA2_CTX ctx; struct in6_addr priv_in6; + int dad_counter = 0; /* XXX not used */ + u_int8_t digest[SHA512_DIGEST_LENGTH]; /* from in6_ifadd() in nd6_rtr.c */ /* XXX from in6.h, guarded by #ifdef _KERNEL XXX nonstandard */ @@ -1196,20 +1224,33 @@ gen_addr(struct slaacd_iface *iface, struct radv_prefix *prefix, struct addr_proposal->addr.sin6_addr.s6_addr32[3] |= (priv_in6.s6_addr32[3] & ~addr_proposal->mask.s6_addr32[3]); } else { - addr_proposal->addr.sin6_addr.s6_addr32[0] |= - (iface->ll_address.sin6_addr.s6_addr32[0] & - ~addr_proposal->mask.s6_addr32[0]); -
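Review bot: `int dad_counter = 0; /* XXX not used */` in `gen_addr()` pins DAD_Counter at zero, and that counter is the one input RFC 7217 (section 5) relies on to recover when DAD fails or when the generated identifier lands in the RFC 5453 reserved set: the counter is incremented and the address regenerated. As posted, a duplicate SOII address has no recovery path in slaacd; the XXX should at least be tracked so it is not forgotten once this is in-tree. Feeding the same four inputs in the same order as the kernel's `get_soii_ifid()` (prefix, link-layer address, counter, key) keeps the two derivations compatible, so a later fix to the counter handling or its encoding has to be made in both places.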
RFC 7217: link local addresses [6/8]
first thing that actually changes addresses: link local addresses - generate new link local address if soiikey changes - honour NOSOII flag when generating link local address - regen link local address if NOSOII flag changes OK? diff --git sys/net/if.c sys/net/if.c index 7477fa5606a..b11414c2266 100644 --- sys/net/if.c +++ sys/net/if.c @@ -1827,6 +1827,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct proc *p) char ifdescrbuf[IFDESCRSIZE]; char ifrtlabelbuf[RTLABEL_LEN]; int s, error = 0; +#ifdef INET6 + int soii_changed = 0; +#endif /* INET6 */ size_t bytesdone; short oif_flags; const char *label; @@ -1952,6 +1955,12 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct proc *p) if (error != 0) return (error); } + + if ((ISSET(ifr->ifr_flags, IFXF_INET6_NOSOII) && + !ISSET(ifp->if_xflags, IFXF_INET6_NOSOII)) || + (!ISSET(ifr->ifr_flags, IFXF_INET6_NOSOII) && + ISSET(ifp->if_xflags, IFXF_INET6_NOSOII))) + soii_changed = 1; #endif /* INET6 */ #ifdef MPLS @@ -2002,6 +2011,10 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct proc *p) ifp->if_xflags = (ifp->if_xflags & IFXF_CANTCHANGE) | (ifr->ifr_flags & ~IFXF_CANTCHANGE); rtm_ifchg(ifp); +#ifdef INET6 + if (soii_changed) + in6_soiiupdate(ifp); +#endif /* INET6 */ break; case SIOCSIFMETRIC: diff --git sys/netinet6/in6_ifattach.c sys/netinet6/in6_ifattach.c index 89acde9c6a4..dd6085d0b9f 100644 --- sys/netinet6/in6_ifattach.c +++ sys/netinet6/in6_ifattach.c @@ -58,6 +58,7 @@ int get_last_resort_ifid(struct ifnet *, struct in6_addr *); int get_hw_ifid(struct ifnet *, struct in6_addr *); +int get_soii_ifid(struct ifnet *, struct in6_addr *); int get_ifid(struct ifnet *, struct in6_addr *); int in6_ifattach_loopback(struct ifnet *); 
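Review bot: the two-way `ISSET`/`!ISSET` test that sets `soii_changed` reduces to `if ((ifr->ifr_flags ^ ifp->if_xflags) & IFXF_INET6_NOSOII) soii_changed = 1;`, which reads more easily and cannot get the two halves out of sync. Placing the `in6_soiiupdate(ifp)` call after the new xflags have been stored and `rtm_ifchg()` has run is correct, since `get_soii_ifid()` consults `ifp->if_xflags` to decide whether to generate a SOII at all.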
@@ -72,6 +73,26 @@ int in6_ifattach_loopback(struct ifnet *); #define IFID_LOCAL(in6)(!EUI64_LOCAL(in6)) #define IFID_UNIVERSAL(in6)(!EUI64_UNIVERSAL(in6)) +void +in6_soiiupdate(struct ifnet *ifp) +{ + struct ifaddr *ifa; + int s; + + s = splnet(); + + /* +* Update the link-local address. +*/ + ifa = _ifpforlinklocal(ifp, 0)->ia_ifa; + if (ifa) { + in6_purgeaddr(ifa); + dohooks(ifp->if_addrhooks, 0); + in6_ifattach(ifp); + } + splx(s); +} + /* * Generate a last-resort interface identifier, when the machine has no * IEEE802/EUI64 address sources. @@ -231,6 +252,45 @@ get_hw_ifid(struct ifnet *ifp, struct in6_addr *in6) } /* + * Generate a Semantically Opaque Interface Identifier according to RFC 7217 + * + * in6 - upper 64bits are preserved + */ +int +get_soii_ifid(struct ifnet *ifp, struct in6_addr *in6) +{ + SHA2_CTX ctx; + u_int8_t digest[SHA512_DIGEST_LENGTH]; + struct in6_addr prefix; + struct sockaddr_dl *sdl; + int dad_counter = 0; /* XXX not used */ + char *addr; + + if (ifp->if_xflags & IFXF_INET6_NOSOII) + return -1; + + sdl = ifp->if_sadl; + if (sdl == NULL || sdl->sdl_alen == 0) + return -1; + + memset(, 0, sizeof(prefix)); + prefix.s6_addr16[0] = htons(0xfe80); + addr = LLADDR(sdl); + + SHA512Init(); + + SHA512Update(, , sizeof(prefix)); + SHA512Update(, addr, sdl->sdl_alen); + SHA512Update(, _counter, sizeof(dad_counter)); + SHA512Update(, ip6_soiikey, sizeof(ip6_soiikey)); + SHA512Final(digest, ); + + bcopy(digest, >s6_addr[8], 8); + + return 0; +} + +/* * Get interface identifier for the specified interface. If it is not * available on ifp0, borrow interface identifier from other information * sources. 
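Review bot: in `in6_soiiupdate()` the address of `->ia_ifa` is taken from the result of the link-local lookup before the NULL test, so `if (ifa)` only works because `ia_ifa` is the first member of `struct in6_ifaddr`; test the `in6_ifaddr` pointer first and take `&ia->ia_ifa` afterwards. In `get_soii_ifid()` three things deserve attention before this ships: (1) `ip6_soiikey` is hashed without checking that it has been set, so until rc or netstart loads the key (and forever on a host where /etc/soii.key was never created) the link-local identifier is SHA-512 over the MAC with an all-zero key, computable by anyone who knows the MAC, which is what SOII is meant to prevent; returning -1 and falling back to the EUI-64 path while the key is still zero would be safer. (2) `SHA512Update(&ctx, &dad_counter, sizeof(dad_counter))` bakes the width and byte order of a native `int` into the derivation; a fixed-width, fixed-endian field makes the function specifiable and keeps the kernel and slaacd copies identical by construction. (3) there is no check that the resulting identifier avoids the reserved set of RFC 5453, which RFC 7217 section 5 asks for alongside the DAD_Counter retry the `XXX not used` marks.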
@@ -240,7 +300,14 @@ get_ifid(struct ifnet *ifp0, struct in6_addr *in6) { struct ifnet *ifp; - /* first, try to get it from the interface itself */ + /* first, try to generate a Semantically Opaque Interface Identifier */ + if (get_soii_ifid(ifp0, in6) == 0) { + nd6log((LOG_DEBUG, "%s: got Semantically Opaque Interface " + "Identifier\n", ifp0->if_xname)); + goto success; + } + + /* next, try to get it from the interface itself */ if (get_hw_ifid(ifp0, in6) == 0) { nd6log((LOG_DEBUG, "%s: got interface identifier from itself\n", ifp0->if_xname)); diff --git sys/netinet6/in6_ifattach.h sys/netinet6/in6_ifattach.h index 6160fb984a6..00aad7dbc10 100644 --- sys/netinet6/in6_ifattach.h +++ sys/netinet6/in6_ifattach.h @@ -38,6 +38,7 @@ int in6_ifattach(struct ifnet *); void in6_ifdetach(struct ifnet *); int in6_nigroup(struct
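Review bot: putting `get_soii_ifid()` first in `get_ifid()` makes SOII the default for every interface that has a link-layer address; the hardware and last-resort paths now only serve interfaces with `IFXF_INET6_NOSOII` set or without an `if_sadl`. The `nd6log` line is then the only visible record of which path produced the identifier, which is fine, but the manual page should state that link-local addresses are no longer derived from the MAC by default, since that changes what administrators see in `ifconfig` output after an upgrade.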
RFC 7217: /etc/{rc,netstart} [4/8]
netstart & simplification suggested by naddy OK? diff --git etc/netstart etc/netstart index 71890bc7a5b..047eef1ab83 100644 --- etc/netstart +++ etc/netstart @@ -190,6 +190,8 @@ if $PRINT_ONLY && (($# == 0)); then exit 1 fi +$PRINT_ONLY || sysctl -q "net.inet6.ip6.soiikey=$( 0)); then diff --git etc/rc etc/rc index 48e5671335f..a2e23b163a1 100644 --- etc/rc +++ etc/rc @@ -154,6 +154,12 @@ make_keys() { fi ssh-keygen -A + + if [[ ! -f /etc/soii.key ]]; then + openssl rand -hex 16 > /etc/soii.key && \ + chmod 600 /etc/soii.key && sysctl -q \ + "net.inet6.ip6.soiikey=$(
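Review bot: `openssl rand -hex 16 > /etc/soii.key && chmod 600 /etc/soii.key` creates the file under the shell's current umask and only then tightens the mode, so the 32 hex digits are briefly readable by anyone who can list /etc if rc's umask is permissive at that point; `(umask 077; openssl rand -hex 16 > /etc/soii.key)` closes that window and makes the separate `chmod` unnecessary. The `if [[ ! -f /etc/soii.key ]]` guard correctly preserves an existing key across reboots, which is what makes the addresses stable.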
RFC 7217: interface flag [2/8]
We need an interface flag to disable RFC 7217 processing; like autoconfprivacy, it's on by default. OK? diff --git sys/net/if.h sys/net/if.h index 89867eac340..370c7928492 100644 --- sys/net/if.h +++ sys/net/if.h @@ -212,6 +212,7 @@ struct if_status_description { #defineIFXF_MPLS 0x8 /* supports MPLS */ #defineIFXF_WOL0x10/* wake on lan enabled */ #defineIFXF_AUTOCONF6 0x20/* v6 autoconf enabled */ +#define IFXF_INET6_NOSOII 0x40/* don't do RFC 7217 */ #defineIFXF_CANTCHANGE \ (IFXF_MPSAFE|IFXF_CLONED) -- 2.13.0 -- I'm not entirely sure you are real.
RFC 7217: sysctl [1/8]
I did not hear any objections to RFC 7217 support, so I guess it's time to get this thing in to get some operational experience with it before 6.2 is cut. Also the big diff gets a bit unwieldy, further improvement can happen in-tree. This is the sysctl part for "net.inet6.ip6.soiikey", written by dlg with a few tweaks by me. Therefore he should commit it. This is OK florian@, anyone else? diff --git sbin/sysctl/sysctl.c sbin/sysctl/sysctl.c index 94f78c0d673..cbacaca19d2 100644 --- sbin/sysctl/sysctl.c +++ sbin/sysctl/sysctl.c @@ -212,7 +212,7 @@ int sysctl_chipset(char *, char **, int *, int, int *); #endif void vfsinit(void); -char *equ = "="; +const char *equ = "="; int main(int argc, char *argv[]) @@ -286,6 +286,53 @@ listall(char *prefix, struct list *lp) } } +int +parse_hex_char(char ch) +{ + if (ch >= '0' && ch <= '9') + return (ch - '0'); + if (ch >= 'a' && ch <= 'f') + return (ch - 'a' + 10); + if (ch >= 'A' && ch <= 'F') + return (ch - 'A' + 10); + + return (-1); +} + +ssize_t +parse_hex_string(unsigned char *dst, size_t dstlen, const char *src) +{ + ssize_t len = 0; + int digit; + + while (len < dstlen) { + if (*src == '\0') + return (len); + + digit = parse_hex_char(*src++); + if (digit == -1) + return (-1); + dst[len] = digit << 4; + + digit = parse_hex_char(*src++); + if (digit == -1) + return (-1); + + dst[len] |= digit; + len++; + } + + while (*src != '\0') { + if (parse_hex_char(*src++) == -1 || + parse_hex_char(*src++) == -1) + return (-1); + + len++; + } + + return (len); +} + /* * Parse a name into a MIB entry. * Lookup and print out the MIB entry if it exists. @@ -302,6 +349,7 @@ parse(char *string, int flags) struct list *lp; int mib[CTL_MAXNAME]; char *cp, *bufp, buf[SYSCTL_BUFSIZ]; + unsigned char hex[SYSCTL_BUFSIZ]; (void)strlcpy(buf, string, sizeof(buf)); bufp = buf; 
@@ -566,6 +614,9 @@ parse(char *string, int flags) len = sysctl_inet6(string, , mib, flags, ); if (len < 0) return; + if (mib[2] == IPPROTO_IPV6 && + mib[3] == IPV6CTL_SOIIKEY) + special |= HEX; if ((mib[2] == IPPROTO_IPV6 && mib[3] == IPV6CTL_MRTMFC) || (mib[2] == IPPROTO_IPV6 && mib[3] == IPV6CTL_MRTMIF) || @@ -717,6 +768,27 @@ parse(char *string, int flags) newval = newsize = sizeof(quadval); break; + case CTLTYPE_STRING: + if (special & HEX) { + ssize_t len; + + len = parse_hex_string(hex, sizeof(hex), + newval); + if (len == -1) { + warnx("%s: hex string %s: invalid", + string, newval); + return; + } + if (len > sizeof(hex)) { + warnx("%s: hex string %s: too long", + string, newval); + return; + } + + newval = hex; + newsize = len; + } + break; } } size = (special & SMALLBUF) ? 512 : SYSCTL_BUFSIZ; @@ -936,13 +1008,30 @@ parse(char *string, int flags) if (newval == NULL) { if (!nflag) (void)printf("%s%s", string, equ); - (void)puts(buf); - } else { - if (!qflag) { - if (!nflag) - (void)printf("%s: %s -> ", string, buf); - (void)puts((char *)newval); + if (special & HEX) { + size_t i; + for (i = 0; i < size; i++) { + (void)printf("%02x", + (unsigned char)buf[i]); + } + (void)printf("\n"); + } else + (void)puts(buf); + } else if (!qflag) { + if (!nflag) { +
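Review bot: `parse_hex_string()` handles an odd number of digits only by accident: the second `parse_hex_char(*src++)` reads the terminating NUL, gets -1 and returns, after `src` has already stepped past the end of the string; nothing reads further so it is safe, but an explicit check that two characters remain would say what is intended. `while (len < dstlen)` compares a `ssize_t` with a `size_t`; fine while `len` is non-negative, but an unsigned length with the -1 reserved for the return value would avoid the mixed-sign compare. The tail loop keeps counting past `dstlen` so the caller's `len > sizeof(hex)` branch can fire, but nothing on the sysctl side checks that the key has the length the kernel wants; if the kernel handler rejects anything other than its fixed key size (the `SLAACD_SOIIKEY_LEN` in [7/8] suggests 16 bytes), a matching check with a clear `warnx` here would be friendlier than an errno from the kernel. The HEX print path casts each `buf[i]` to `unsigned char` before `%02x`, which is right.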
[PATCH] axen improvement
Hi, This patch does: - Fix axen not working after interface down. - Fix definitions and comments that differ from linux ones. regards, --- sys/dev/usb/if_axen.c Fri Mar 3 15:04:52 2017 +++ sys/dev/usb/if_axen.c Mon Jun 19 16:05:09 2017 @@ -1256,6 +1256,14 @@ axen_init(void *xsc) */ axen_reset(sc); +#define AXEN_CONFIG_NO 1 +#define AXEN_IFACE_IDX 0 + if (usbd_set_config_no(sc->axen_udev, AXEN_CONFIG_NO, 1) || +usbd_device2interface_handle(sc->axen_udev, AXEN_IFACE_IDX, + >axen_iface)) + printf("%s: set_config failed\n", sc->axen_dev.dv_xname); + usbd_delay_ms(sc->axen_udev, 10); + /* XXX: ? */ bval = 0x01; axen_lock_mii(sc); --- sys/dev/usb/if_axenreg.h Fri Sep 16 22:17:07 2016 +++ sys/dev/usb/if_axenreg.h Mon Jun 19 10:54:28 2017 @@ -26,8 +26,8 @@ * || ++-L3_type (1:ipv4, 0/2:ipv6) *pkt_len(13) || ||+ ++-L4_type(0: icmp, 1: UDP, 4: TCP) * |765|43210 76543210|7654 3210 7654 3210| - * ||+-crc_err |+-L4_err |+-L4_CSUM_ERR - * |+-mii_err +--L3_err +--L3_CSUM_ERR + * ||+-crc_err |+-L4_err |+-L4_CSUM_ERR + * |+-mii_err+--L3_err +--L3_CSUM_ERR * +-drop_err * * ex) pkt_hdr 0x00680820 @@ -70,7 +70,7 @@ #define AXEN_RXHDR_L4_TYPE_TCP 0x4 /* L3 packet type (2bit) */ -#define AXEN_RXHDR_L3_TYPE_MASK 0x0600 +#define AXEN_RXHDR_L3_TYPE_MASK 0x0060 #define AXEN_RXHDR_L3_TYPE_OFFSET 5 #define AXEN_RXHDR_L3_TYPE_UNDEF 0x0 #define AXEN_RXHDR_L3_TYPE_IPV4 0x1
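Review bot: `AXEN_CONFIG_NO` and `AXEN_IFACE_IDX` are `#define`d in the middle of `axen_init()`; they belong in if_axenreg.h with the other constants. When `usbd_set_config_no()` or `usbd_device2interface_handle()` fails the code only prints `set_config failed` and carries on to open the pipes with a possibly stale `axen_iface`; returning from `axen_init()` (leaving the interface down) is the safer path. The `AXEN_RXHDR_L3_TYPE_MASK` change from 0x0600 to 0x0060 agrees with `AXEN_RXHDR_L3_TYPE_OFFSET 5` and with the header's bit diagram (L3_type in bits 5 and 6), so the old mask could never have matched; that is a real fix and deserves a line of its own in the commit message.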
[PATCH] ure improvement
Hi, This patch does: - Enable RX aggregation. - Fix RX packet buffer alignment, using roundup() macro in sys/params.h. - Call usbd_set_config before configuring endpoints in ure_init to fix an error when re-opening pipes. I grabbed the code from if_kue.c. - Make the chip recognize given MAC address. - Remove ure_reset in ure_init, because it's already called from ure_stop. Regards, --- sys/dev/usb/if_ure.c Wed May 3 22:20:15 2017 +++ sys/dev/usb/if_ure.c Mon Jun 19 09:11:09 2017 @@ -470,8 +470,6 @@ ure_init(void *xsc) /* Cancel pending I/O. */ ure_stop(sc); - ure_reset(sc); - if (ure_rx_list_init(sc) == ENOBUFS) { printf("%s: rx list init failed\n", sc->ure_dev.dv_xname); splx(s); @@ -484,9 +482,18 @@ ure_init(void *xsc) return; } +#define URE_CONFIG_NO 1 + if (usbd_set_config_no(sc->ure_udev, URE_CONFIG_NO, 1) || +usbd_device2interface_handle(sc->ure_udev, URE_IFACE_IDX, + >ure_iface)) + printf("%s: set_config failed\n", sc->ure_dev.dv_xname); + usbd_delay_ms(sc->ure_udev, 10); + /* Set MAC address. */ + ure_write_1(sc, URE_PLA_CRWECR, URE_MCU_TYPE_PLA, URE_CRWECR_CONFIG); ure_write_mem(sc, URE_PLA_IDR, URE_MCU_TYPE_PLA | URE_BYTE_EN_SIX_BYTES, sc->ure_ac.ac_enaddr, 8); + ure_write_1(sc, URE_PLA_CRWECR, URE_MCU_TYPE_PLA, URE_CRWECR_NORAML); /* Reset the packet filter. */ ure_write_2(sc, URE_PLA_FMC, URE_MCU_TYPE_PLA, @@ -683,10 +690,10 @@ ure_rtl8152_init(struct ure_softc *sc) URE_GPHY_STS_MSK | URE_SPEED_DOWN_MSK | URE_SPDWN_RXDV_MSK | URE_SPDWN_LINKCHG_MSK); - /* Disable Rx aggregation. */ + /* Enable Rx aggregation. */ ure_write_2(sc, URE_USB_USB_CTRL, URE_MCU_TYPE_USB, -ure_read_2(sc, URE_USB_USB_CTRL, URE_MCU_TYPE_USB) | -URE_RX_AGG_DISABLE); +ure_read_2(sc, URE_USB_USB_CTRL, URE_MCU_TYPE_USB) & +~URE_RX_AGG_DISABLE); /* Disable ALDPS. */ ure_ocp_reg_write(sc, URE_OCP_ALDPS_CONFIG, URE_ENPDNPS | URE_LINKENA | 
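Review bot: `URE_CONFIG_NO` is defined inline in `ure_init()` while `URE_IFACE_IDX` is used but not defined by this diff (presumably already in if_urereg.h); both belong in the reg header. As in the axen diff, a failing `usbd_set_config_no()` only prints and falls through to pipe setup on a possibly stale `ure_iface`; bail out of `ure_init()` instead. Bracketing the `URE_PLA_IDR` write with `URE_CRWECR_CONFIG` and `URE_CRWECR_NORAML` is what makes the chip accept the MAC, so the "recognize given MAC address" item in the description depends on this hunk; a short comment saying the register is write-protected otherwise would save the next reader a trip to the datasheet.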
@@ -835,10 +842,10 @@ ure_rtl8153_init(struct ure_softc *sc) ure_init_fifo(sc); - /* Disable Rx aggregation. */ + /* Enable Rx aggregation. */ ure_write_2(sc, URE_USB_USB_CTRL, URE_MCU_TYPE_USB, -ure_read_2(sc, URE_USB_USB_CTRL, URE_MCU_TYPE_USB) | -URE_RX_AGG_DISABLE); +ure_read_2(sc, URE_USB_USB_CTRL, URE_MCU_TYPE_USB) & +~URE_RX_AGG_DISABLE); val = ure_read_2(sc, URE_USB_U2P3_CTRL, URE_MCU_TYPE_USB); if (!(sc->ure_chip & (URE_CHIP_VER_5C00 | URE_CHIP_VER_5C10))) @@ -1289,7 +1296,7 @@ ure_rxeof(struct usbd_xfer *xfer, void *priv, usbd_sta goto done; } - buf += pktlen; + buf += roundup(pktlen, 8); memcpy(, buf, sizeof(rxhdr)); total_len -= sizeof(rxhdr); @@ -1302,7 +1309,7 @@ ure_rxeof(struct usbd_xfer *xfer, void *priv, usbd_sta goto done; } - total_len -= pktlen; + total_len -= roundup(pktlen, 8); buf += sizeof(rxhdr); m = m_devget(buf, pktlen, ETHER_ALIGN);
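Review bot: advancing `buf` and decrementing `total_len` by `roundup(pktlen, 8)` instead of `pktlen` is the right fix for the padded aggregation format, but the bounds check that precedes each subtraction (cut off in this copy) must compare the rounded value, not the bare `pktlen`, against the remaining `total_len`; otherwise a device-supplied `pktlen` within 7 bytes of the remainder passes the check and `total_len -= roundup(pktlen, 8)` wraps, after which the loop walks past the xfer buffer. If `total_len` is an unsigned type this is a memory-safety bug driven by data from the USB device, not a miscount. Enabling Rx aggregation in both `ure_rtl8152_init()` and `ure_rtl8153_init()` makes that path the default, so it needs the check before this goes in.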
Re: RFC 7217: random but stable addresses (take 3)
On Sat, Jul 15, 2017 at 06:58:40AM +0200, Sebastien Marie wrote: > On Fri, Jul 14, 2017 at 11:56:02AM +, Florian Obser wrote: > > next try > > - sha512 > > - fixed key size > > - /etc/soii.key > > - man page tweaks from sthen & jmc and rewording by me to get rid of 48 bits > > - link local address is updated when soii flag is toggled > > > > Could /etc/soii.key be added to /etc/changelist too please ? yes, good idea, thanks! added to my repo > > Index: changelist > === > RCS file: /cvs/src/etc/changelist,v > retrieving revision 1.117 > diff -u -p -r1.117 changelist > --- changelist3 May 2017 11:55:36 - 1.117 > +++ changelist15 Jul 2017 04:55:37 - > @@ -115,6 +115,7 @@ > /etc/services > /etc/shells > /etc/snmpd.conf > ++/etc/soii.key > +/etc/spwd.db > /etc/ssh/ssh_config > +/etc/ssh/ssh_host_dsa_key > > > Thanks. > -- > Sebastien Marie > -- I'm not entirely sure you are real.