Re: ssh-keygen: tweak error for -b

2019-08-03 Thread Darren Tucker
ok dtucker with one suggestion.

On Fri, 5 Jul 2019 at 06:01, Christian Weisgerber  wrote:
[...]
>  #ifdef WITH_OPENSSL
> -   u_int maxbits, nid;
> +   u_int nid;

nid is only used inside the #ifdef below, you can move this
declaration to the start of the block where it's used and delete this
ifdef.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: iked(8): more descriptive documentation for protected-subnet

2019-08-03 Thread Tobias Heider
> Even after reading the RFC 
> (https://tools.ietf.org/html/rfc7296#section-3.15.2)
> I don't feel like I entirely grok it, but I think this is something that
> would be set on the gateway to tell the client that it should negotiate
> an additional SA other than the one implied by the address + subnet from
> address configuration.

This is one thing it can be used for, but there are others, such as when the
tunnel allows all traffic to be routed through (the from and to are 0.0.0.0):
the gateway may need some way to inform the peer that it can reach a private
subnet via the tunnel. Or to inform the peer for which subnets it has to use
the internal IP and for which it should use its global IP.

> "hidden", "private", etc, well it can be a standard public IP range, it's just
> an additional network that wants protecting by IPsec, so probably better to
> avoid words like that.

I think you are right, the hidden subnet setting is also just one of the
use-cases.

> (Also manpage nit: new sentence -> new line.)

Thanks!

As it turns out it is quite hard to put all these use-cases in a concise
description that is actually helpful to the uninformed reader.

Here is an updated version:

Index: iked.conf.5
===
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.55
diff -u -p -u -r1.55 iked.conf.5
--- iked.conf.5 11 May 2019 16:30:23 -  1.55
+++ iked.conf.5 3 Aug 2019 19:04:02 -
@@ -578,7 +578,12 @@ This option is provided for compatibilit
 .It Ic dhcp-server Ar address
 The address of an internal DHCP server for further configuration.
 .It Ic protected-subnet Ar address/prefix
-The address of the protected subnet within the internal network.
+The address of an additional IPv4 or IPv6 subnet reachable over the
+gateway.
+This option is used to notify the peer of a subnet behind the gateway (that
+might require a second SA).
+Networks specified in this SA's "from" or "to" options do not need to be
+included.
 .It Ic access-server Ar address
 The address of an internal remote access server.
 .El
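Review bot: the parenthetical "(that might require a second SA)" in the fourth replacement line leaves the key point half-stated; say it directly, e.g. "The peer may need to negotiate a separate SA to reach this subnet." Also, "from" and "to" are keywords of this file, and the hunk itself marks keywords with .Ic (".It Ic dhcp-server"), so write them as `.Ic from` and `.Ic to` rather than in literal double quotes, so they render like the other keywords in the list. The new-sentence-new-line nit from the earlier review is now honoured.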

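As an added illustration of the use-case Tobias describes (a tunnel that carries all traffic, plus one further network the gateway wants to advertise), here is a gateway-side iked.conf fragment. It is not part of the diff or of iked's own documentation; all addresses and names are constructed, and it assumes the option syntax shown in the iked.conf(5) excerpt above (`config protected-subnet address/prefix`) and the usual `ikev2` policy keywords.

```conf
# Added example, not from the diff or from iked's manual page.
# All addresses, the srcid and the tag are constructed for illustration.
#
# Road-warrior gateway: selectors are wide open, so the peer sends
# everything through the tunnel and gets an address from 10.0.9.0/24.
# protected-subnet advertises one more network behind the gateway;
# it is not limited to RFC 1918 space, any range may be given.
ikev2 "roadwarrior" passive esp \
	from 0.0.0.0/0 to 0.0.0.0/0 \
	local 203.0.113.1 peer any \
	srcid gw.example.com \
	config address 10.0.9.0/24 \
	config name-server 10.0.9.1 \
	config protected-subnet 192.0.2.0/24 \
	tag "ROADW"
```

With the selectors wide open the peer already routes everything into the tunnel; protected-subnet only tells it which additional network it can expect to reach that way. Whether the client acts on it, for instance by negotiating a second SA for that range, is up to the client implementation, which is why the wording in the manual page matters more than the gateway-side syntax.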


dead code: remove itimerround()

2019-08-03 Thread Scott Cheloha
As of kern_time.c v1.122 this code is dead.  We still round the
per-process itimers up to one tick, but this happens in itimerfix()
anyway, so itimerround() was redundant and the last callsite in
sys_setitimer() was dropped.

While here, tweak an adjacent prototype in time.h for style(9).

ok?

Index: kern/kern_time.c
===
RCS file: /cvs/src/sys/kern/kern_time.c,v
retrieving revision 1.122
diff -u -p -r1.122 kern_time.c
--- kern/kern_time.c2 Aug 2019 02:17:35 -   1.122
+++ kern/kern_time.c3 Aug 2019 17:55:02 -
@@ -659,17 +659,6 @@ itimerfix(struct timeval *tv)
 }
 
 /*
- * Nonzero timer interval smaller than the resolution of the
- * system clock are rounded up.
- */
-void
-itimerround(struct timeval *tv)
-{
-   if (tv->tv_sec == 0 && tv->tv_usec != 0 && tv->tv_usec < tick)
-   tv->tv_usec = tick;
-}
-
-/*
  * Decrement an interval timer by the given number of nanoseconds.
  * If the timer expires and it is periodic then reload it.  When reloading
  * the timer we subtract any overrun from the next period so that the timer
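Review bot: nothing in this hunk shows the itimerfix() rounding the commit message relies on; only itimerfix()'s closing brace appears in the context. Before committing, grep the tree for itimerround to confirm the sys_setitimer() call was the last one, since the hunk deletes the only definition and any surviving caller, including MD code, would break the link. Deleting the comment block together with the function is the right call; a stale "rounded up" comment next to nothing would mislead.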
Index: sys/time.h
===
RCS file: /cvs/src/sys/sys/time.h,v
retrieving revision 1.45
diff -u -p -r1.45 time.h
--- sys/time.h  2 Aug 2019 03:33:15 -   1.45
+++ sys/time.h  3 Aug 2019 17:55:02 -
@@ -298,8 +298,7 @@ struct proc;
 intclock_gettime(struct proc *, clockid_t, struct timespec *);
 
 intitimerfix(struct timeval *);
-intitimerdecr(struct itimerspec *itp, long nsec);
-void   itimerround(struct timeval *);
+intitimerdecr(struct itimerspec *, long);
 intsettime(const struct timespec *);
 intratecheck(struct timeval *, const struct timeval *);
 intppsratecheck(struct timeval *, int *, int);
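Review bot: dropping the parameter names from the itimerdecr() prototype matches style(9), which wants prototypes without variable names, and the neighbouring declarations, which carry types only. The itimerround() prototype removal is consistent with the kern_time.c hunk; check that no other header re-declares it.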



Re: iked(8): more descriptive documentation for protected-subnet

2019-08-03 Thread Stuart Henderson
On 2019/08/03 13:21, Tobias Heider wrote:
> As mlarkin@ noted the man page description of the protected-subnet option is not
> very helpful. This diff tries to make things a little clearer.
> 
> Ok?
> 
> Index: iked.conf.5
> ===
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.55
> diff -u -p -u -r1.55 iked.conf.5
> --- iked.conf.5   11 May 2019 16:30:23 -  1.55
> +++ iked.conf.5   3 Aug 2019 11:21:10 -
> @@ -578,7 +578,11 @@ This option is provided for compatibilit
>  .It Ic dhcp-server Ar address
>  The address of an internal DHCP server for further configuration.
>  .It Ic protected-subnet Ar address/prefix
> -The address of the protected subnet within the internal network.
> +The address of an additional hidden IPv4 or IPv6 subnet reachable over the
> +gateway. This option is used to notify the peer of a private subnet

I agree it needs explaining better (the current description seems wrong to me)
but I'm not sure this entirely helps.

(Just looking at iked doesn't help understand this because iked has no
client-side address-config support in the first place, so it's only something
that would be useful when connecting non-iked clients).

Even after reading the RFC (https://tools.ietf.org/html/rfc7296#section-3.15.2)
I don't feel like I entirely grok it, but I think this is something that
would be set on the gateway to tell the client that it should negotiate
an additional SA other than the one implied by the address + subnet from
address configuration.

"hidden", "private", etc, well it can be a standard public IP range, it's just
an additional network that wants protecting by IPsec, so probably better to
avoid words like that.

> +behind the gateway. Networks specified in the "from" or
> +"to" options are known to the peer and do not necessarily need to be included
> +here.
>  .It Ic access-server Ar address
>  The address of an internal remote access server.
>  .El
> 

(Also manpage nit: new sentence -> new line.)



Re: add pkg-config files for readline, editline, ncurses

2019-08-03 Thread Stuart Henderson
On 2019/07/26 01:23, Stephen Gregoratto wrote:
> mrsh[1], a cross-platform shell, can use readline in interactive mode.
> Its configure script detects the presence of readline using
> pkg-config(1). Thus, this patch adds a pkg-config file for our readline.
> I just copied over the generate_pkgconfig.sh script/make rules found in
> other libraries and edited to fit.

Just patch the configure script.

It's going to be horrible to validate adding these pc files across the
ports tree, and unless there are a bunch of ports needing patches due
to us not having this, the work isn't justifiable.

>   there are a couple of editline libraries floating around,
> each differing slightly from the others:

exactly, this gives me the feeling that this is opening a can of worms.

(While on the subject of pkg-config files, the bogus version number in
the libressl ones is a small problem for ports, though I have no idea
what we'd change it to instead ...)



iked(8): more descriptive documentation for protected-subnet

2019-08-03 Thread Tobias Heider
As mlarkin@ noted the man page description of the protected-subnet option is not
very helpful. This diff tries to make things a little clearer.

Ok?

Index: iked.conf.5
===
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.55
diff -u -p -u -r1.55 iked.conf.5
--- iked.conf.5 11 May 2019 16:30:23 -  1.55
+++ iked.conf.5 3 Aug 2019 11:21:10 -
@@ -578,7 +578,11 @@ This option is provided for compatibilit
 .It Ic dhcp-server Ar address
 The address of an internal DHCP server for further configuration.
 .It Ic protected-subnet Ar address/prefix
-The address of the protected subnet within the internal network.
+The address of an additional hidden IPv4 or IPv6 subnet reachable over the
+gateway. This option is used to notify the peer of a private subnet
+behind the gateway. Networks specified in the "from" or
+"to" options are known to the peer and do not necessarily need to be included
+here.
 .It Ic access-server Ar address
 The address of an internal remote access server.
 .El
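Review bot: "hidden" and "private" in the first two replacement lines describe one deployment rather than the option; the subnet can be any range, public or not, so plain "an additional IPv4 or IPv6 subnet" is more accurate. "do not necessarily need to be included here" hedges: either the networks in from/to are already covered by this SA and should not be repeated, or there is a case where repeating them matters; the manual page should say which. Also mark the keywords as `.Ic from` and `.Ic to` like the surrounding `.It Ic` entries instead of literal double quotes, and start each new sentence on a new line per mdoc convention.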