Re: smtp(1) certificate validation
On Fri, Sep 06, 2019 at 10:58:43PM +1000, Ross L Richardson wrote: >[...] > > For invalid certificates, the result sometimes does not correspond with > that from nc(1): > > $ ./smtp -nv -s smtps://devio.us:https > trying host 74.81.181.124 port 443... > certificate validation error 10 > connection error: Invalid server certificate > done... > $ nc -cvz devio.us https > Connection to devio.us 443 port [tcp/https] succeeded! > nc: tls handshake failed (certificate verification failed: certificate > has expired) > > $ ./smtp -nv -s smtps://www.nokia.com.au:https > trying host 180.150.2.201 port 443... > valid certificate > ^C > $ nc -cvz www.nokia.com.au https > Connection to www.nokia.com.au 443 port [tcp/https] succeeded! > nc: tls handshake failed (name `www.nokia.com.au' not present in server > certificate) > >[...] To be clear... For proper verification, smtp(1) needs to check the name(s) of the server certificate. Ross
thermal-zones - A64 support
Good evening Mark (and tech@), thank you for thermal zones support. I thought it would be nice to use it in A64 as well. I tested it by running 'ubench -c' in a loop and checking clocks and CPU temp. Clock went down when temperature rised limiting available operating-points as expected (as far as I could tell). I used following device tree entries: (excerpt that should present the idea) thermal-zones { cpu-thermal { polling-delay-passive = <250>; polling-delay = <1000>; thermal-sensors = < 0>; trips { cpu_warm: cpu_warm { temperature = <6500>; hysteresis = <200>; type = "passive"; }; cpu_hot_pre: cpu_hot_pre { temperature = <7000>; hysteresis = <200>; type = "passive"; }; cpu_hot: cpu_hot { temperature = <7500>; hysteresis = <200>; type = "passive"; }; cpu_very_hot: cpu_very_hot { temperature = <9000>; hysteresis = <200>; type = "passive"; }; }; cooling-maps { cpu_warm_limit_cpu { trip = <_warm>; cooling-device = < THERMAL_NO_LIMIT 2>; }; cpu_hot_pre_limit_cpu { trip = <_hot_pre>; cooling-device = < 2 3>; }; cpu_hot_limit_cpu { trip = <_hot>; cooling-device = < 3 4>; }; cpu_very_hot_pre_limit_cpu { trip = <_very_hot>; cooling-device = < 5 6>; }; cpu_very_hot_limit_cpu { trip = <_very_hot>; cooling-device = < 7 THERMAL_NO_LIMIT>; }; }; }; }; cpu0_opp_table: opp_table0 { compatible = "operating-points-v2"; opp-shared; opp-64800 { opp-hz = /bits/ 64 <64800>; opp-microvolt = <104>; clock-latency-ns = <244144>; /* 8 32k periods */ }; opp-79200 { opp-hz = /bits/ 64 <79200>; opp-microvolt = <110>; clock-latency-ns = <244144>; /* 8 32k periods */ }; opp-81600 { opp-hz = /bits/ 64 <81600>; opp-microvolt = <110>; clock-latency-ns = <244144>; /* 8 32k periods */ }; opp-91200 { opp-hz = /bits/ 64 <91200>; opp-microvolt = <112>; clock-latency-ns = <244144>; /* 8 32k periods */ }; opp-96000 { opp-hz = /bits/ 64 <96000>; opp-microvolt = <116>; clock-latency-ns = <244144>; /* 8 32k periods */ }; opp-100800 { opp-hz = /bits/ 64 <100800>; opp-microvolt = <120>; clock-latency-ns = <244144>; /* 8 32k periods */ }; opp-105600 { opp-hz = /bits/ 64 <105600>; opp-microvolt = <124>; clock-latency-ns = <244144>; /* 8 32k periods */ }; opp-110400 { opp-hz = /bits/ 64 <110400>; opp-microvolt = <126>; clock-latency-ns = <244144>; /* 8 32k periods */ }; opp-115200 {
Re: install.sub: ieee80211_{scan,config}: Allow quoted SSIDs
On Tue, Aug 08, 2017 at 11:15:28PM +0200, Klemens Nanni wrote: > On Tue, Jul 04, 2017 at 10:44:57PM +0200, Klemens Nanni wrote: > > On Mon, Jul 03, 2017 at 12:45:32AM +0200, Klemens Nanni wrote: > > > Thanks for looking into it. > > > > > > On Sun, Jul 02, 2017 at 04:32:43PM +, Robert Peichaer wrote: > > > > ieee80211_scan() > > > > - Extract the needed information (nwid, bssid) using a very specific > > > > sed expression. Any line, not matching this expr is ignored. > > > > > > > > - Remove leading and trailing double-quotes in case of nwids with > > > > spaces. > > > I had the ugly case of an empty SSID in reach while testing this so I > > > intentionally left double quotes in place within WLANLIST so that > > > the list presented to the user wouldn't look broken, e.g. > > > "my wifi" chan 1 bssid ... > > > "" chan 2 bssid ... > > > as opposed to > > > my wifi chan 1 bssid ... > > >chan 2 bssid ... > > > > > > I'd also leave unqouting to the routine that actually requires it > > > instead of the function that just provides the list. > > > > > > > - Write nwid and bssid into WLANLIST as '()'. > > > Writing the simple format directly to cache seems like a good idea > > > instead of just cutting ^nwid first here and .*$ somewhere else. > > > > > > > ieee80211_config() > > > > - just print WLANLIST using ieee80211_scan() if the user chooses > > > > '?' which has the right format already > > > > > > > > - in case the user selects an entry from WLANLIST using a number, > > > > remove the '()' part from the line, resulting in > > > > the nwid (without double-quotes) > > > > > > > > - using the quote() function with the ifconfig command ensures, > > > > that the nwid is quoted properly with single-quotes in case it > > > > contains spaces > > > This is not needed as "$_nwid" will even work if _nwid='my "wifi'. > > > > > > > - using the quote() function when writing the nwid to the hostname.if > > > > files ensures that the nwid is quoted properly with single-quotes > > > > in case it contains spaces > > > > > > > > The parse_hn_line() function in netstart does handle quoted nwids > > > > properly when processing the hostname.if config lines as far as I > > > > can see. > > > Yes, it does. But it chokes on SSIDs containing a literal " for example. > > > > > > > > > Here is an updated diff taking above considerations into account. > > > > > > Note how ([[:xdigit:]:]*)$ when picking the answer must not be > > > simplified to (.*)$ as this would fail on SSIDs like "my (hidden) wifi". > > > > > > Feedback/OK? > > That patch was mangled, sorry. Here it goes again. > > > > Index: install.sub > > === > > RCS file: /cvs/src/distrib/miniroot/install.sub,v > > retrieving revision 1.1019 > > diff -u -p -r1.1019 install.sub > > --- install.sub 2 Jul 2017 12:45:43 - 1.1019 > > +++ install.sub 4 Jul 2017 20:43:56 - > > @@ -1060,10 +1060,9 @@ v6_config() { > > # Perform an 802.11 network scan on interface $1. > > # The result is cached in $WLANLIST. > > ieee80211_scan() { > > - # N.B. Skipping quoted nwid's for now. > > [[ -f $WLANLIST ]] || > > ifconfig $1 scan | > > - sed -n 's/^ nwid \([^"]\)/\1/p' >$WLANLIST > > + sed -n 's/^[[:space:]]*nwid \(.*\) chan [0-9]* bssid > > \([[:xdigit:]:]*\).*/\1 (\2)/p' >$WLANLIST > > cat $WLANLIST > > } > > > > @@ -1082,12 +1081,12 @@ ieee80211_config() { > > ask_until "Access point? (ESSID, 'any', list# or '?')" "any" > > case "$resp" in > > +([0-9])) > > - _nwid=$(ieee80211_scan $_if | sed -n "${resp}s/ .*//p") > > + _nwid=$(ieee80211_scan $_if | > > + sed -n ${resp}'{s/ ([[:xdigit:]:]*)$//p;q;}') > > [[ -z $_nwid ]] && echo "There is no line $resp." > > + [[ $_nwid = \"*\" ]] && _nwid=${_nwid#\"} > > _nwid=${_nwid%\"} > > ;; > > - \?) ieee80211_scan $_if | > > - sed -n 's/^\([^ ]*\) chan .* bssid \([^ ]*\) > > .*$/ \1 (\2)/p' | > > - cat -n | more -c > > + \?) ieee80211_scan $_if | cat -n | more -c > > ;; > > *) _nwid=$resp > > ;; > > > Bump. Any progress on this? It still applies to the latest revision. Rebased diff that I just tested again on a X230 with athn(4) where I installed over an ESSID of the form "Wifi foo" just fine; empty ESSIDs showed up as "" in the list, all others still look normal and could be chosen just fine. The resulting hostname.athn0 contained nwid 'Wifi foo' dhcp I'd like to finally commit this so occasional installations over said wifi will just work. OK? Index: install.sub === RCS file:
Re: rad(8) and carp interfaces
Florian Obser(flor...@openbsd.org) on 2019.09.06 16:51:35 +0200: > On Wed, Sep 04, 2019 at 06:07:35PM +0200, Matthieu Herrb wrote: > > Hi, > > > > I've a pair of redundant routers, which need to run rad(8) on the > > internal interfaces. > > > > But using carp, on the inactive router, rad complains every > > time it tries to send a RA: > > > > rad[65590]: sendmsg on carp2: Can't assign requested address > > > > Which I can understand since it currently doesnt "own" the shared IPv6 > > address of the carp interface. > > > > Is there a way to configure rad to avoid these errors? > > How do other people handle the situation? > > > > Thanks in advance, > > -- > > Matthieu Herrb > > > > This should keep the noise down. > > OK? comment inline > > diff --git frontend.c frontend.c > index 8178b058629..920e9b7077c 100644 > --- frontend.c > +++ frontend.c > @@ -104,6 +104,7 @@ struct ra_iface { > charconf_name[IF_NAMESIZE]; > uint32_tif_index; > int removed; > + int link_state; > int prefix_count; > size_t datalen; > uint8_t data[RA_MAX_SIZE]; > @@ -117,6 +118,7 @@ void frontend_startup(void); > void icmp6_receive(int, short, void *); > void join_all_routers_mcast_group(struct ra_iface *); > void leave_all_routers_mcast_group(struct ra_iface *); > +int get_link_state(char *); > void merge_ra_interface(char *, char *); > void merge_ra_interfaces(void); > struct ra_iface *find_ra_iface_by_id(uint32_t); > @@ -720,21 +722,59 @@ find_ra_iface_conf(struct ra_iface_conf_head *head, > char *if_name) > return (NULL); > } > > +int > +get_link_state(char *if_name) > +{ > + struct ifaddrs *ifap, *ifa; > + int ls = LINK_STATE_UNKNOWN; > + > + if (getifaddrs() != 0) { > + log_warn("getifaddrs"); > + return LINK_STATE_UNKNOWN; > + } > + for (ifa = ifap; ifa; ifa = ifa->ifa_next) { > + if (ifa->ifa_addr->sa_family != AF_LINK) > + continue; > + if (strcmp(if_name, ifa->ifa_name) != 0) > + continue; > + > + ls = ((struct if_data*)ifa->ifa_data)->ifi_link_state; > + break; > + } > + freeifaddrs(ifap); > + return ls; > +} > + > void > merge_ra_interface(char *name, char *conf_name) > { > struct ra_iface *ra_iface; > uint32_t if_index; > + int link_state; > + > + link_state = get_link_state(name); > > if ((ra_iface = find_ra_iface_by_name(name)) != NULL) { > - log_debug("keeping interface %s", name); > - ra_iface->removed = 0; > + ra_iface->link_state = link_state; > + if (link_state == LINK_STATE_DOWN) { note that there are some (physical) interfaces that do not report a link state and thus are unknown even when they can send packets. Use the LINK_STATE_IS_UP() macro here. Do we need to consider the case of an interface being administratively down here (!(ifap->flags & IFF_UP))?. > + log_debug("%s down, ignoring", name); > + ra_iface->removed = 1; > + } else { > + log_debug("keeping interface %s", name); > + ra_iface->removed = 0; > + } > + return; > + } > + > + if (link_state == LINK_STATE_DOWN) { > + log_debug("%s down, ignoring", name); > return; > } > > log_debug("new interface %s", name); > if ((if_index = if_nametoindex(name)) == 0) > return; > + > log_debug("adding interface %s", name); > if ((ra_iface = calloc(1, sizeof(*ra_iface))) == NULL) > fatal("%s", __func__); > @@ -1135,6 +1175,9 @@ ra_output(struct ra_iface *ra_iface, struct > sockaddr_in6 *to) > ssize_t len; > int hoplimit = 255; > > + if (ra_iface->link_state == LINK_STATE_DOWN) > + return; > + > sndmhdr.msg_name = to; > sndmhdr.msg_iov[0].iov_base = ra_iface->data; > sndmhdr.msg_iov[0].iov_len = ra_iface->datalen; > > > -- > I'm not entirely sure you are real. >
Re: rad(8) and carp interfaces
On Wed, Sep 04, 2019 at 06:07:35PM +0200, Matthieu Herrb wrote: > Hi, > > I've a pair of redundant routers, which need to run rad(8) on the > internal interfaces. > > But using carp, on the inactive router, rad complains every > time it tries to send a RA: > > rad[65590]: sendmsg on carp2: Can't assign requested address > > Which I can understand since it currently doesnt "own" the shared IPv6 > address of the carp interface. > > Is there a way to configure rad to avoid these errors? > How do other people handle the situation? > > Thanks in advance, > -- > Matthieu Herrb > This should keep the noise down. OK? diff --git frontend.c frontend.c index 8178b058629..920e9b7077c 100644 --- frontend.c +++ frontend.c @@ -104,6 +104,7 @@ struct ra_iface { charconf_name[IF_NAMESIZE]; uint32_tif_index; int removed; + int link_state; int prefix_count; size_t datalen; uint8_t data[RA_MAX_SIZE]; @@ -117,6 +118,7 @@ void frontend_startup(void); voidicmp6_receive(int, short, void *); voidjoin_all_routers_mcast_group(struct ra_iface *); voidleave_all_routers_mcast_group(struct ra_iface *); +int get_link_state(char *); voidmerge_ra_interface(char *, char *); voidmerge_ra_interfaces(void); struct ra_iface*find_ra_iface_by_id(uint32_t); @@ -720,21 +722,59 @@ find_ra_iface_conf(struct ra_iface_conf_head *head, char *if_name) return (NULL); } +int +get_link_state(char *if_name) +{ + struct ifaddrs *ifap, *ifa; + int ls = LINK_STATE_UNKNOWN; + + if (getifaddrs() != 0) { + log_warn("getifaddrs"); + return LINK_STATE_UNKNOWN; + } + for (ifa = ifap; ifa; ifa = ifa->ifa_next) { + if (ifa->ifa_addr->sa_family != AF_LINK) + continue; + if (strcmp(if_name, ifa->ifa_name) != 0) + continue; + + ls = ((struct if_data*)ifa->ifa_data)->ifi_link_state; + break; + } + freeifaddrs(ifap); + return ls; +} + void merge_ra_interface(char *name, char *conf_name) { struct ra_iface *ra_iface; uint32_t if_index; + int link_state; + + link_state = get_link_state(name); if ((ra_iface = find_ra_iface_by_name(name)) != NULL) { - log_debug("keeping interface %s", name); - ra_iface->removed = 0; + ra_iface->link_state = link_state; + if (link_state == LINK_STATE_DOWN) { + log_debug("%s down, ignoring", name); + ra_iface->removed = 1; + } else { + log_debug("keeping interface %s", name); + ra_iface->removed = 0; + } + return; + } + + if (link_state == LINK_STATE_DOWN) { + log_debug("%s down, ignoring", name); return; } log_debug("new interface %s", name); if ((if_index = if_nametoindex(name)) == 0) return; + log_debug("adding interface %s", name); if ((ra_iface = calloc(1, sizeof(*ra_iface))) == NULL) fatal("%s", __func__); @@ -1135,6 +1175,9 @@ ra_output(struct ra_iface *ra_iface, struct sockaddr_in6 *to) ssize_t len; int hoplimit = 255; + if (ra_iface->link_state == LINK_STATE_DOWN) + return; + sndmhdr.msg_name = to; sndmhdr.msg_iov[0].iov_base = ra_iface->data; sndmhdr.msg_iov[0].iov_len = ra_iface->datalen; -- I'm not entirely sure you are real.
Re: rcctl issues when running in non-default rdomain
On Thu, Sep 05, 2019 at 11:00:06PM +0200, Matthieu Herrb wrote: > Hi, > > on my redundant firealls I have an " admin" interface in rdomain 1 > with a sshd listening, used to be able to access the slave machine and > let it access the internet to be able to run syspatch or pkg_add. > > This works well, but but if I use rcctl in this non default rdomain to > control services normally running in the default rdomain, things don't > behave too well. In particular, 'rcctl start' or 'restart' starts the > service with rtable 1. > > Alternatives would be to run the admin interface in the default rdomain > and all other interfaces in a separate one, but it feels more painful > to setup. > > It seems to me that the patch below helps, but may be it has other > unforseen and unwanted effects ? > > Thoughts ? I've been told privately that this was already handled. Indeed this was a pair of firewalls still runnuing 6.4. So issue closed. Thanks. > > Index: rc.subr > === > RCS file: /cvs/OpenBSD/src/etc/rc.d/rc.subr,v > retrieving revision 1.131 > diff -u -r1.131 rc.subr > --- rc.subr 21 Mar 2019 15:10:27 - 1.131 > +++ rc.subr 5 Sep 2019 20:56:38 - > @@ -320,5 +320,4 @@ > # make sure pexp matches the process (i.e. doesn't include the quotes) > pexp="$(eval echo ${daemon}${daemon_flags:+ ${daemon_flags}})" > rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c" > -[ "${daemon_rtable}" -eq "$(id -R)" ] || > - rcexec="route -T ${daemon_rtable} exec ${rcexec}" > +rcexec="route -T ${daemon_rtable} exec ${rcexec}" > > > -- > Matthieu Herrb -- Matthieu Herrb
[patch] pstat(8): display text for msts/endrun line disciplines
pstat(8) will display text description for the nmea line discipline, but not for msts/endrun. This patch adds support for displaying text for msts and endrun line disciplines in the output of pstat -t. diff --git usr.sbin/pstat/pstat.8 usr.sbin/pstat/pstat.8 index d523b0014..d2631f834 100644 --- usr.sbin/pstat/pstat.8 +++ usr.sbin/pstat/pstat.8 @@ -212,11 +212,17 @@ TTYDISC (see .Xr termios 4 ) , .Ql ppp for PPPDISC (see -.Xr ppp 4 ) -and +.Xr ppp 4 ) , .Ql nmea for NMEADISC (see -.Xr nmea 4 ) . +.Xr nmea 4 ) , +.Ql msts +for MSTSDISC (see +.Xr msts 4 ) , +and +.Ql endrun +for ENDRUNDISC (see +.Xr endrun 4 ) . .El .It Fl v Print the active vnodes. diff --git usr.sbin/pstat/pstat.c usr.sbin/pstat/pstat.c index 1684975c5..986dee90b 100644 --- usr.sbin/pstat/pstat.c +++ usr.sbin/pstat/pstat.c @@ -999,6 +999,12 @@ ttyprt(struct itty *tp) case NMEADISC: (void)printf("nmea\n"); break; + case MSTSDISC: + (void)printf("msts\n"); + break; + case ENDRUNDISC: + (void)printf("endrun\n"); + break; default: (void)printf("%d\n", tp->t_line); break;
Re: smtp(1) certificate validation
On Fri, Sep 06, 2019 at 08:41:21AM +0200, Eric Faurot wrote: > Hi, > > This patch adds the missing bits for verifying the server certificate > in smtp(1). >[...] Whilst this is a great improvement, it doesn't seem to be quite right... For sites with valid certificates, things seem OK: $ ./smtp -nv -s smtps://smtp.fastmail.com trying host 66.111.4.139 port 465... valid certificate connection ready... connection closed... trying host 66.111.4.140 port 465... valid certificate connection ready... connection closed... done... $ ./smtp -nv -s smtps://mail.aussiebroadband.com.au trying host 202.142.142.238 port 465... valid certificate connection ready... connection closed... trying host 202.142.142.239 port 465... valid certificate connection ready... connection closed... trying host 2403:5800:1:3::25 port 465... valid certificate connection ready... connection closed... trying host 2403:5800:1:4::25 port 465... valid certificate connection ready... connection closed... done... $ ./smtp -nv -s smtps://mail.internode.on.net trying host 203.16.214.182 port 465... valid certificate connection ready... connection closed... done... [I don't know of any mail servers with invalid certs against which I can test, so I've tried some web servers.] For invalid certificates, the result sometimes does not correspond with that from nc(1): $ ./smtp -nv -s smtps://devio.us:https trying host 74.81.181.124 port 443... certificate validation error 10 connection error: Invalid server certificate done... $ nc -cvz devio.us https Connection to devio.us 443 port [tcp/https] succeeded! nc: tls handshake failed (certificate verification failed: certificate has expired) $ ./smtp -nv -s smtps://www.nokia.com.au:https trying host 180.150.2.201 port 443... valid certificate ^C $ nc -cvz www.nokia.com.au https Connection to www.nokia.com.au 443 port [tcp/https] succeeded! nc: tls handshake failed (name `www.nokia.com.au' not present in server certificate) $ ./smtp -nv -s smtps://www.on.net:https trying host 150.101.140.197 port 443... valid certificate ^C $ nc -cvz www.on.net https Connection to www.on.net 443 port [tcp/https] succeeded! nc: tls handshake failed (handshake failed: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure) Thanks, Ross
account stack map and syscall writable
Hi, To find more violators of our shiny security features, I would like to add stack map and system call write protection to process accounting. stackpivot -MDXT bluhmttyp3 0.00 secs Fri Sep 6 10:20 (0:00:00.00) PDP-11 compatibility on VAX is not used anymore, so recycle the bit. ok? bluhm Index: sys/sys/acct.h === RCS file: /data/mirror/openbsd/cvs/src/sys/sys/acct.h,v retrieving revision 1.8 diff -u -p -r1.8 acct.h --- sys/sys/acct.h 25 Jul 2019 09:37:32 - 1.8 +++ sys/sys/acct.h 6 Sep 2019 07:52:20 - @@ -58,7 +58,7 @@ struct acct { #defineAFORK 0x01/* fork'd but not exec'd */ #defineASU 0x02/* used super-user permissions */ -#defineACOMPAT 0x04/* used compatibility mode */ +#defineAMAP0x04/* system call or stack mapping violation */ #defineACORE 0x08/* dumped core */ #defineAXSIG 0x10/* killed by a signal */ #defineAPLEDGE 0x20/* killed due to pledge violation */ Index: sys/uvm/uvm_map.c === RCS file: /data/mirror/openbsd/cvs/src/sys/uvm/uvm_map.c,v retrieving revision 1.246 diff -u -p -r1.246 uvm_map.c --- sys/uvm/uvm_map.c 14 Jun 2019 05:52:43 - 1.246 +++ sys/uvm/uvm_map.c 6 Sep 2019 07:52:20 - @@ -86,6 +86,7 @@ #include #include +#include #include #include #include @@ -1872,6 +1873,7 @@ uvm_map_inentry(struct proc *p, struct p if (!ok) { printf(fmt, p->p_p->ps_comm, p->p_p->ps_pid, p->p_tid, addr, ie->ie_start, ie->ie_end); + p->p_p->ps_acflag |= AMAP; sv.sival_ptr = (void *)PROC_PC(p); trapsignal(p, SIGSEGV, 0, SEGV_ACCERR, sv); } Index: share/man/man5/acct.5 === RCS file: /data/mirror/openbsd/cvs/src/share/man/man5/acct.5,v retrieving revision 1.19 diff -u -p -r1.19 acct.5 --- share/man/man5/acct.5 30 Jul 2019 05:41:21 - 1.19 +++ share/man/man5/acct.5 6 Sep 2019 07:36:43 - @@ -69,7 +69,7 @@ struct acct { #defineAFORK 0x01/* fork'd but not exec'd */ #defineASU 0x02/* used super-user permissions */ -#defineACOMPAT 0x04/* used compatibility mode */ +#defineAMAP0x04/* system call or stack mapping violation */ #defineACORE 0x08/* dumped core */ #defineAXSIG 0x10/* killed by a signal */ #defineAPLEDGE 0x20/* killed due to pledge violation */ Index: usr.bin/lastcomm/lastcomm.1 === RCS file: /data/mirror/openbsd/cvs/src/usr.bin/lastcomm/lastcomm.1,v retrieving revision 1.23 diff -u -p -r1.23 lastcomm.1 --- usr.bin/lastcomm/lastcomm.1 11 Aug 2019 15:48:08 - 1.23 +++ usr.bin/lastcomm/lastcomm.1 6 Sep 2019 07:48:20 - @@ -101,9 +101,6 @@ Elapsed time of the process. The flags are encoded as follows: .Pp .Bl -tag -width 6n -compact -offset indent -.It Li C -The command was run in PDP-11 compatibility mode -(VAX only). .It Li D The command terminated with the generation of a .Pa core @@ -112,6 +109,9 @@ file. The command ran after a fork, but without a following .Xr execve 2 . +.It Li M +The command did a system call from writable memory or the stack +pointer was not in stack memory. .It Li P The command was terminated due to a .Xr pledge 2 Index: usr.bin/lastcomm/lastcomm.c === RCS file: /data/mirror/openbsd/cvs/src/usr.bin/lastcomm/lastcomm.c,v retrieving revision 1.28 diff -u -p -r1.28 lastcomm.c --- usr.bin/lastcomm/lastcomm.c 25 Jul 2019 13:13:53 - 1.28 +++ usr.bin/lastcomm/lastcomm.c 6 Sep 2019 07:50:25 - @@ -169,7 +169,7 @@ flagbits(int f) p = flags + 1; BIT(AFORK, 'F'); - BIT(ACOMPAT, 'C'); + BIT(AMAP, 'M'); BIT(ACORE, 'D'); BIT(AXSIG, 'X'); BIT(APLEDGE, 'P'); Index: etc/daily === RCS file: /data/mirror/openbsd/cvs/src/etc/daily,v retrieving revision 1.92 diff -u -p -r1.92 daily --- etc/daily 25 Jul 2019 13:13:53 - 1.92 +++ etc/daily 6 Sep 2019 07:54:37 - @@ -74,7 +74,7 @@ if [ -f /var/account/acct ]; then mv -f /var/account/acct.0 /var/account/acct.1 cp -f /var/account/acct /var/account/acct.0 sa -sq - lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[PTU]' + lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[MPTU]' fi # If ROOTBACKUP is set to 1 in the environment, and
tanf() can be modified according to a bugfix in tan()
The calculation of tanf() which lies in src/lib/libm/src/k_tanf.c can be modified according to a bugfix ported on FreeBSD on GitHub: https://github.com/freebsd/freebsd/commit/152a4c4166c18974fe1fc9d9a8535d78956aca26 And here's the code: - if(ix<0x3180) /* x < 2**-28 */ - {if((int)x==0) { /* generate inexact */ - if((ix|(iy+1))==0) return one/fabsf(x); - else return (iy==1)? x: -one/x; - } - } + if(ix<0x3180) { /* x < 2**-28 */ + if ((int) x == 0) { /* generate inexact */ + if ((ix | (iy + 1)) == 0) + return one / fabsf(x); + else { + if (iy == 1) + return x; + else { /* compute -1 / (x+y) carefully */ + double a, t; + + z = w = x + y; + GET_FLOAT_WORD(ix, z); + SET_FLOAT_WORD(z, ix & 0xf000); + v = y - (z - x); + t = a = -one / w; + GET_FLOAT_WORD(ix, t); + SET_FLOAT_WORD(t, ix & 0xf000); + s = one + t * z; + return t + a * (s + t * v); + } + } + } + } Although the bug really only applies to tan() and not tanf(), there seems to be a precedent that the float versions of the fdlibm routines should mirror their double counterparts. Greetings!
Re: Question about man 2 fcntl
> +.Dv F_SETLK or F_SETLKW , should be split into .Dv F_SETLK or .Dv F_SETLKW , and with that this diff is ok tb
Re: make patch: let MAKEOBJDIR be more powerful
On Thu, Aug 29, 2019 at 01:04:07PM +0200, Marc Espie wrote: > After some musings, I realized I just had to reorder a few things to > make MAKEOBJDIR way more powerful (and possibly useful) > > The idea here is to init vars early, which is easy, and to set up > .CURDIR, MACHINE, MACHINE_ARCH, MACHINE_CPU, so that > MAKEOBJDIR can actually become a full-blown make expression. > > e.g., with this something like > > MAKEOBJDIR='${.CURDIR}:S/src/obj/}' > > will work. > > any takers ? I did a make regress without problems. Although I have no use for the feature, why not. OK bluhm@ > - if ((path = getenv("MAKEOBJDIR")) == NULL) { > + Var_Set(".CURDIR", d->current); > + if ((path = getenv("MAKEOBJDIR")) == NULL) > path = _PATH_OBJDIR; > - } > + /* if there's a $ in there, allow substitution */ > + else if (strchr(path, '$')) I would keep the { } around the if block. Technically not neccessary as one of the two lines is a comment, but it looks odd anyway.
smtp(1) certificate validation
Hi, This patch adds the missing bits for verifying the server certificate in smtp(1). Eric. Index: smtpc.c === RCS file: /cvs/src/usr.sbin/smtpd/smtpc.c,v retrieving revision 1.8 diff -u -p -r1.8 smtpc.c --- smtpc.c 2 Sep 2019 20:05:21 - 1.8 +++ smtpc.c 6 Sep 2019 06:39:15 - @@ -20,6 +20,7 @@ #include #include +#include #include #include #include @@ -30,12 +31,12 @@ #include #include +#include + #include "smtp.h" +#include "ssl.h" #include "log.h" -void ssl_init(void); -void *ssl_mta_init(void *, char *, off_t, const char *); - static void parse_server(char *); static void parse_message(FILE *); static void resume(void); @@ -47,6 +48,8 @@ static struct addrinfo *res0, *ai; static struct smtp_params params; static struct smtp_mail mail; +static SSL_CTX *ssl_ctx; + static void usage(void) { @@ -132,6 +135,13 @@ main(int argc, char **argv) ssl_init(); event_init(); + ssl_ctx = ssl_ctx_create(NULL, NULL, 0, NULL); + if (!SSL_CTX_load_verify_locations(ssl_ctx, "/etc/ssl/cert.pem", NULL)) + fatal("SSL_CTX_load_verify_locations"); + if (!SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method())) + fatal("SSL_CTX_set_ssl_version"); + SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL); + if (pledge("stdio inet dns tmppath", NULL) == -1) fatal("pledge"); @@ -330,20 +340,34 @@ log_trace(int lvl, const char *emsg, ... void smtp_verify_server_cert(void *tag, struct smtp_client *proto, void *ctx) { - log_debug("validating server certificate..."); + SSL *ssl = ctx; + X509 *cert; + long res; + + if ((cert = SSL_get_peer_certificate(ssl))) { + X509_free(cert); + res = SSL_get_verify_result(ssl); + if (res == X509_V_OK) { + log_debug("valid certificate"); + smtp_cert_verified(proto, CERT_OK); + return; + } + log_debug("certificate validation error %ld", res); + } + else + log_debug("no certificate provided"); - /* Not implemented for now. */ - smtp_cert_verified(proto, CERT_UNKNOWN); + smtp_cert_verified(proto, CERT_INVALID); } void smtp_require_tls(void *tag, struct smtp_client *proto) { - void *ctx; - - ctx = ssl_mta_init(NULL, NULL, 0, NULL); + SSL *ssl = NULL; - smtp_set_tls(proto, ctx); + if ((ssl = SSL_new(ssl_ctx)) == NULL) + fatal("SSL_new"); + smtp_set_tls(proto, ssl); } void Index: smtp/Makefile === RCS file: /cvs/src/usr.sbin/smtpd/smtp/Makefile,v retrieving revision 1.2 diff -u -p -r1.2 Makefile --- smtp/Makefile 12 Jun 2019 17:42:53 - 1.2 +++ smtp/Makefile 5 Sep 2019 18:42:07 - @@ -13,7 +13,6 @@ SRCS+=log.c SRCS+= smtp_client.c SRCS+= smtpc.c SRCS+= ssl.c -SRCS+= ssl_smtpd.c CPPFLAGS+= -DIO_TLS