Re: [Patch] Spell ...initializ... consistently in 69.html

2021-04-19 Thread Theo Buehler
On Mon, Apr 19, 2021 at 09:20:07PM +1000, Ross L Richardson wrote: > It may be pedantic, but the only offending case has different spellings > in the same sentence! Fixed, thanks. > > Ross > > > Index: 69.html > === > RCS file:

Re: typo in 69.html

2021-04-10 Thread Theo Buehler
On Sat, Apr 10, 2021 at 06:56:11PM -0500, Edgar Pettijohn wrote: > numberous should be numerous fixed, thanks

Re: smtpd: unused files and dependency

2021-04-10 Thread Theo Buehler
On Sat, Apr 10, 2021 at 02:59:36PM +0200, Eric Faurot wrote: > Do not build unused files and remove related prototypes. > Also remove bogus libm dependency. ok tb > > Index: smtpd.h > === > RCS file:

Re: smtp: dead code

2021-04-10 Thread Theo Buehler
On Sat, Apr 10, 2021 at 10:32:16AM +0200, Eric Faurot wrote: > This diff removes unused code and lib depends from smtp(1). I think the dependencies on -lssl and -lcrypto should remain. There was a recent discussion of dropping -lssl from rpki-client and it depends on the linker if -ltls is

Re: small malloc diff

2021-04-08 Thread Theo Buehler
On Fri, Apr 09, 2021 at 07:36:35AM +0200, Otto Moerbeek wrote: > On Thu, Apr 01, 2021 at 11:23:58AM +0200, Otto Moerbeek wrote: > > > Hi, > > > > here's a small malloc diff. Most important part is an extra internal > > consistency check. I have been running this for a few weeks already, > >

Re: rpki-client http cleanup

2021-04-08 Thread Theo Buehler
On Thu, Apr 08, 2021 at 08:43:25PM +0200, Claudio Jeker wrote: > Also here is the last bit of the http work. This changes http_handle() and > ensures that http_nextstep() never returns 0. For http_tls_connect() this > requires a fall through to the next stage in case it returns 0. > Also

Re: rpki-client http cleanup

2021-04-08 Thread Theo Buehler
On Thu, Apr 08, 2021 at 07:18:39PM +0200, Claudio Jeker wrote: > On Thu, Apr 08, 2021 at 06:22:16PM +0200, Theo Buehler wrote: > > On Thu, Apr 08, 2021 at 04:47:15PM +0200, Claudio Jeker wrote: > > > This diff is a first step in tightening the code in http.c > > >

Re: rpki-client http cleanup

2021-04-08 Thread Theo Buehler
On Thu, Apr 08, 2021 at 04:47:15PM +0200, Claudio Jeker wrote: > This diff is a first step in tightening the code in http.c > It should cleanup the poll handling and make adds some code to ensure that > only expected results are returned. The goal is that http_handle() only > does IO processing

Re: rpki-client collect childs on pipe hangup

2021-04-08 Thread Theo Buehler
On Thu, Apr 08, 2021 at 10:56:26AM +0200, Claudio Jeker wrote: > Currently when a pipe to some child is closed the main process errors out > hard. This is not great since the exit reason is not shown. > Change this to break out of the poll loop and also restructure the wait > code to use a loop

Re: rpki-client http client and bind to address

2021-04-07 Thread Theo Buehler
On Wed, Apr 07, 2021 at 12:55:50PM +0200, Claudio Jeker wrote: > When -b is used rpki-client should bind to that address for outgoing > connections. The http code does that but only warns if a bind call fails > but try the connect none the less. This is different from other network > tools (nc,

Re: rpki-client rrdp merge repo fix

2021-04-07 Thread Theo Buehler
On Wed, Apr 07, 2021 at 12:50:15PM +0200, Claudio Jeker wrote: > In some cases unlink reports 'no such file or directory' when the RRDP > repository is merged at the end of a RRDP sync. > The problem is that some deleted files are in the temporary location and > not part of the real repo. Because

Re: rpki-client don't hang on rrdp hash errors

2021-04-06 Thread Theo Buehler
On Tue, Apr 06, 2021 at 06:08:04PM +0200, Claudio Jeker wrote: > When an rrdp request fails because the hash of a delta or snapshot is > incorrect the repo never finishes because the setting of > RRDP_STATE_PARSE_DONE and the call to rrdp_finished() is skipped. > The result is a hanging

rpki-client: don't leak d->uri in add_delta()

2021-04-01 Thread Theo Buehler
d->uri was allocated by xstrdup(), so needs to be freed. Was going back and forth between the below and adding free(d->uri). Index: rrdp_notification.c === RCS file: /cvs/src/usr.sbin/rpki-client/rrdp_notification.c,v retrieving

Re: rpki-client move encoding functions into own file

2021-03-31 Thread Theo Buehler
On Wed, Mar 31, 2021 at 01:13:08PM +0200, Claudio Jeker wrote: > As mentioned before move the base64 and hex encoding / decoding functions > into one file. This is just minor cleanup. ok tb > > -- > :wq Claudio > > PS: I know this will break regress and I will fix that once this goes in. > >

Re: rpki-client, don't double fail on getaddrinfo errors

2021-03-30 Thread Theo Buehler
On Tue, Mar 30, 2021 at 05:51:38PM +0200, Claudio Jeker wrote: > On Tue, Mar 30, 2021 at 05:45:39PM +0200, Theo Buehler wrote: > > On Tue, Mar 30, 2021 at 05:30:19PM +0200, Claudio Jeker wrote: > > > Found the hard way. http_new() calls http_free() if http_resolv() fails. >

Re: rpki-client, don't double fail on getaddrinfo errors

2021-03-30 Thread Theo Buehler
On Tue, Mar 30, 2021 at 05:30:19PM +0200, Claudio Jeker wrote: > Found the hard way. http_new() calls http_free() if http_resolv() fails. > http_free() calls http_fail() in that case since the state is not > STATE_DONE. In the main poll loop another http_fail() call is made. This > results in bad

Re: rpki-client replace funky bin to hex loop in x509

2021-03-29 Thread Theo Buehler
On Mon, Mar 29, 2021 at 01:22:20PM +0200, Claudio Jeker wrote: > On Mon, Mar 29, 2021 at 01:19:21PM +0200, Claudio Jeker wrote: > > On Mon, Mar 29, 2021 at 12:42:02PM +0200, Theo Buehler wrote: > > > On Mon, Mar 29, 2021 at 10:38:54AM +0200, Claudio Jeker wrote: > > > &g

Re: rpki-client replace funky bin to hex loop in x509

2021-03-29 Thread Theo Buehler
On Mon, Mar 29, 2021 at 10:38:54AM +0200, Claudio Jeker wrote: > Replace a super strange way to translate some binary blob into a hex string. > The code drops the : from the string but this is fine, the : is just > visual fluff. I used the same function in the not yet finished RRDP > codebase and

Re: smtpd: set protocols and ciphers

2021-03-28 Thread Theo Buehler
On Thu, Mar 25, 2021 at 06:52:13PM +0100, Eric Faurot wrote: > Hi. > > This diff allows to specify the protocol versions and ciphers > to use for outgoing TLS sessions on a per relay basis. Yes, I think we need this. ok tb

Re: rpki-client compare file path properly

2021-03-26 Thread Theo Buehler
On Fri, Mar 26, 2021 at 03:38:54PM +0100, Claudio Jeker wrote: > Not sure on what I was tripping when writing filepathcmp() but it makes no > sense to use strcasecmp() there. It compares paths in the filesystem and > these are case-sensitive. ok > > -- > :wq Claudio > > Index: main.c >

Re: vmctl: off-by-one error handling mixing -a with a VM id

2021-03-26 Thread Theo Buehler
On Fri, Mar 26, 2021 at 07:24:32AM -0400, Dave Voutila wrote: > > Theo Buehler writes: > > > On Thu, Mar 25, 2021 at 08:07:53PM +0100, Preben Guldberg wrote: > >> Dave Voutila wrote: > >> > Preben Guldberg writes: > >> > > The patch be

Re: rpki-client cleanup poll loop

2021-03-26 Thread Theo Buehler
On Fri, Mar 26, 2021 at 09:52:04AM +0100, Claudio Jeker wrote: > This diff replaces mostly the same code in the poll loop with a for loop. > It also gives a hint which process closed a connection. This is much nicer. Would the msgbuf_write() errors not benefit from the same hint? ok tb > > --

Re: vmctl: off-by-one error handling mixing -a with a VM id

2021-03-25 Thread Theo Buehler
On Thu, Mar 25, 2021 at 08:07:53PM +0100, Preben Guldberg wrote: > Dave Voutila wrote: > > Preben Guldberg writes: > > > The patch below addresses an off-by-one error reading argv when > > > generating the error message. > > > > I personally find it clearer if the condition of mixing -a with an

Re: rpki-client http client adjustments

2021-03-25 Thread Theo Buehler
On Thu, Mar 25, 2021 at 10:46:18AM +0100, Claudio Jeker wrote: > This diff is mostly cleanup and adding the missing bits needed for RRDP. > Instead of a simple bool ok use an enum to report the state back. > Can be fail, ok or not-modified (the last is used for 304 Not Modified > answers (if a

Re: rpki-client adjust base64_decode

2021-03-25 Thread Theo Buehler
On Thu, Mar 25, 2021 at 09:57:51AM +0100, Claudio Jeker wrote: > RRDP has a lot of base64 strings to handle. Because of this adjust the > base64_decode function in tal.c to take a regular string as input. > For now keep the function static, will change that once RRDP is ready. > > OK? Since you

Re: libcrypto bio_cb.c: fix mangled debug output

2021-03-24 Thread Theo Buehler
On Wed, Mar 24, 2021 at 11:09:41AM +0100, Martin Vahlensieck wrote: > Hi > > This fixes mangled output from the openssl(1) -debug option: > > Before: > $ openssl aes-256-cbc -out test -debug > BIO[0x9102a7e5ctrl(106) - FILE pointer > BIO[0x9102a7e5ctrl return 1 > BIO[0x9102a801ctrl(108) - FILE

Re: rpki-client show version

2021-03-19 Thread Theo Buehler
On Fri, Mar 19, 2021 at 11:01:27AM +0100, Claudio Jeker wrote: > This is mostly for -portable but also the native version should be able to > mention that it is not the -portable version. > This is a compromise I can live with, hope everyone else agrees. Yes. Let's keep the diff in portable as

Re: fix rpki-client -t with relative paths

2021-03-19 Thread Theo Buehler
On Fri, Mar 19, 2021 at 10:02:26AM +0100, Claudio Jeker wrote: > rpki-client is currently not able to load relative tal files via the -t > option. The problem is that the chdir to the cache directory happens > before the tal files are loaded. Move the fchdir down so relative paths > work when

Re: vmctl status does not reflect the stopping state of a VM

2021-03-19 Thread Theo Buehler
On Thu, Mar 18, 2021 at 05:06:53PM -0400, Dave Voutila wrote: > > Preben Guldberg writes: > > > In "vmctl status", VMs that are being stopped but are still running > > will simply show up as "running". > > > > The diff below gives preference to showing the stopping state akin to > > how a paused

rpki-client: do not include ':' in port

2021-03-18 Thread Theo Buehler
The port number starts after the ':'. Index: http.c === RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v retrieving revision 1.7 diff -u -p -r1.7 http.c --- http.c 18 Mar 2021 15:40:45 - 1.7 +++ http.c 18 Mar 2021

rpki-client: avoid NULL access in http_parse_uri()

2021-03-18 Thread Theo Buehler
A malformed URI such as "https://[::1/index.html; causes a NULL access in the hosttail[1] == ":" check. Index: http.c === RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v retrieving revision 1.6 diff -u -p -r1.6 http.c --- http.c

Re: rpki-client cleanup

2021-03-18 Thread Theo Buehler
On Thu, Mar 18, 2021 at 11:25:25AM +0100, Claudio Jeker wrote: > This diff aims at removing some warnings seen in -portable. > > - gcc has a hard time realizing when a variable like noop ensures that > another variable is not used. > > - Similarly, the switch () statements in http.c include all

Re: LibreSSL: handle EXFLAG_INVALID

2021-03-13 Thread Theo Buehler
On Sat, Mar 13, 2021 at 09:20:32PM +0100, Tobias Heider wrote: > On Wed, Mar 03, 2021 at 05:36:12PM +0100, Theo Buehler wrote: > > On Thu, Feb 25, 2021 at 09:34:30PM +0100, Tobias Heider wrote: > > > Hi, > > > > > > while testing different x509 validat

Re: www: fix canonical meta links

2021-03-13 Thread Theo Buehler
On Sat, Mar 13, 2021 at 11:11:00PM +0200, Maxim Vuets wrote: > A minor patch that makes canonical links match their actual page URLs. Committed, thanks

Re: Remove booting from kernels in raw/qcow2 images in vmd(8)

2021-03-11 Thread Theo Buehler
On Thu, Mar 11, 2021 at 08:40:46PM -0800, Mike Larkin wrote: > On Thu, Mar 11, 2021 at 06:11:03PM -0500, Dave Voutila wrote: > > tl;dr: tedu vmboot.{c,h}, ufs.c from vmd(8) to remove broken ability to > > extract and boot a kernel image from a raw or qcow2 disk image > > > > The following diff

Re: ksh: [vi.c] "clear-screen" bug + patch

2021-03-10 Thread Theo Buehler
On Wed, Mar 10, 2021 at 01:10:55PM -0700, Todd C. Miller wrote: > Now the the clear screen change has been committed, here's the > insert mode ^R (redraw) diff again with a man page update. Note > that ^R is already supported in command mode. > ok

Re: libcurses: don't return ERR if resize didn't change size

2021-03-10 Thread Theo Buehler
On Thu, Jan 21, 2021 at 11:06:05AM -0700, Todd C. Miller wrote: > This is a backport of the ncurses 5.9 20120707 patch. > https://github.com/mirror/ncurses/commit/471bc007361fd4bc8d2fae060c7d5b09828ed541 ok tb

Re: ksh: [vi.c] "clear-screen" bug + patch

2021-03-10 Thread Theo Buehler
On Tue, Mar 09, 2021 at 10:03:56AM -0700, Todd C. Miller wrote: > I think that in do_clear_screen() full should not be set unless > neednl is 0. That is, we should only print the entire prompt if > the screen was actually cleared. Otherwise looks good to me. ok tb

Re: rpki-client per repo entity queue

2021-03-10 Thread Theo Buehler
On Wed, Mar 10, 2021 at 10:12:51AM +0100, Claudio Jeker wrote: > The entity queue is per repository. It is a queue of files that depend on > this repository and need to wait until the repository finished its sync. > There is no benefit of a global queue. > > In my opinion this is more

Re: smtpd: use mx name for sni

2021-03-07 Thread Theo Buehler
On Sun, Mar 07, 2021 at 09:47:45PM +0100, Eric Faurot wrote: > As spotted by krw@, the mta should use the mx hostname for sni, not > the reverse dns for the peer address. ok tb > > Eric. > > > Index: mta_session.c > === > RCS

Re: [PATCH] [src] games/hack/help - fix ordinal directions

2021-03-07 Thread Theo Buehler
On Sun, Mar 07, 2021 at 04:58:02PM +, Raf Czlonka wrote: > Hello, > > Ordinal (intercardinal) directions are swapped in hack(6)'s help. > > For a second there, I thought that no one else noticed since the 80s ;^) > ...not the case[0] :^P > > While there, I'm tempted to capitalise both

Re: rpki-client validate URI function

2021-03-05 Thread Theo Buehler
On Fri, Mar 05, 2021 at 05:36:53PM +0100, Claudio Jeker wrote: [...] > Here we go. This should be better. ok tb

Re: rpki-client validate filehash function

2021-03-05 Thread Theo Buehler
On Fri, Mar 05, 2021 at 03:15:48PM +0100, Claudio Jeker wrote: > RRDP also uses SHA256 hashes to validate files (before withdraws and > updates). Again move this from the implementation in mft.c to validate.c > this way it can be reused. > > OK? ok tb > -- > :wq Claudio > > Index: extern.h >

Re: Fix assigning array variables in ksh

2021-03-05 Thread Theo Buehler
On Sun, Feb 21, 2021 at 10:04:07PM +0300, Vadim Zhukov wrote: > Hello all. > > This continues the 'Another potential ksh bug?' thread on misc@: > https://marc.info/?l=openbsd-misc=160736700220621=2 > This present is a bit too late for Christmas, but at least the Day of > Red Army is coming soon.

Re: rpki-client validate URI function

2021-03-05 Thread Theo Buehler
On Fri, Mar 05, 2021 at 01:48:43PM +0100, Claudio Jeker wrote: > Instead of adding similar checks all over the place introduce a > valid_uri() function that checks if a URI is valid enough for rpki-client. > rpki-client does not accept files or directories starting with ., bails on > URI that have

Re: rpki-client: unchecked str(n)dup

2021-03-04 Thread Theo Buehler
On Thu, Mar 04, 2021 at 04:10:12PM +0100, Claudio Jeker wrote: > On Thu, Mar 04, 2021 at 03:53:44PM +0100, Theo Buehler wrote: > > The first two seem obvious oversights. The ones in rsync_base_uri() > > would end up silently ignored: > > queue_add_from_cert > > repo_

rpki-client: unchecked str(n)dup

2021-03-04 Thread Theo Buehler
The first two seem obvious oversights. The ones in rsync_base_uri() would end up silently ignored: queue_add_from_cert repo_lookup rsync_base_uri Index: http.c === RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v retrieving

Re: LibreSSL: handle EXFLAG_INVALID

2021-03-03 Thread Theo Buehler
On Thu, Feb 25, 2021 at 09:34:30PM +0100, Tobias Heider wrote: > Hi, > > while testing different x509 validator corner cases i found that a bunch of > errors are currently not handled in libcrypto. > > In particular duplicate or undecodable extensions are ignored. > The diff below sets

Re: smtpd: use libtls

2021-03-02 Thread Theo Buehler
On Sat, Feb 13, 2021 at 06:26:02PM +0100, Eric Faurot wrote: > Hi. > > The diff seems to work for the few people who tested it (thanks). > Anyone wants to ok this? I read through the diff several times, but I'm not familiar with smtpd so cannot claim a thorough review. Nothing really stood out

Re: rpki-client, unify err() for out of memory situation

2021-03-02 Thread Theo Buehler
On Tue, Mar 02, 2021 at 02:09:37PM +0100, Claudio Jeker wrote: > This diff just brings all err(3) calls for out of memory situations to one > form: err(1, NULL); > It is not very helpful to tell if malloc, strdup or asprintf failed with no > mem. Just one common idiom. > > OK? ok. The https

Re: Teach rpki-client some https

2021-03-02 Thread Theo Buehler
On Tue, Mar 02, 2021 at 11:45:22AM +0100, Claudio Jeker wrote: > On Mon, Mar 01, 2021 at 11:57:03AM +0100, Claudio Jeker wrote: > > On Sun, Feb 28, 2021 at 09:09:05AM +0100, Theo Buehler wrote: > > > On Thu, Feb 25, 2021 at 05:03:19PM +0100, Claudio Jeker wrote: > > > &

Re: Teach rpki-client some https

2021-02-28 Thread Theo Buehler
On Sun, Feb 28, 2021 at 09:09:05AM +0100, Theo Buehler wrote: > > + if (error == EAI_SERVICE) > > + error = getaddrinfo(host, "443", , >res0); > > + if (error) { > > error != NULL Apologies, forgot to delete that.

Re: Teach rpki-client some https

2021-02-28 Thread Theo Buehler
On Thu, Feb 25, 2021 at 05:03:19PM +0100, Claudio Jeker wrote: > On Fri, Feb 19, 2021 at 07:10:02PM +0100, Claudio Jeker wrote: > > Some TAL files now include an https URI where the TA can be fetched from. > > With this diff rpki-client will download the TA from https unless that > > fails and

Re: Workflow question

2021-02-27 Thread Theo Buehler
> Following the advice in the FAQ I added my user to the wobj group. I > suppose I could "make obj" and have the objs written to /usr/obj? Is > this a workflow the developers recommend or follow? Thanks! Yes. More precisely, by default 'make obj' in /usr/src/usr.bin/systat will create a symlink

Re: Mesa leak in intel iris driver

2021-02-27 Thread Theo Buehler
On Sat, Feb 27, 2021 at 12:21:35AM +1100, Jonathan Gray wrote: > Bring in a change which was backported to Mesa 20.1 but not 20.0. > This is for inteldrm with >= gen8/broadwell hardware. > /var/log/Xorg.0.log with 'DRI driver: iris' and 'xdriinfo' will > show 'Screen 0: iris' if you are using the

Re: LibreSSL legacy verifier regression

2021-02-24 Thread Theo Buehler
On Wed, Feb 24, 2021 at 09:00:05PM +0100, Theo Buehler wrote: > On Wed, Feb 24, 2021 at 06:47:00AM +0100, Jan Klemkow wrote: > > Hi, > > > > another co-worker of mine has found an other regress in the LibreSSL > > legacy verifier. I took his diff and made a test for o

Re: LibreSSL legacy verifier regression

2021-02-24 Thread Theo Buehler
On Wed, Feb 24, 2021 at 06:47:00AM +0100, Jan Klemkow wrote: > Hi, > > another co-worker of mine has found another regress in the LibreSSL > legacy verifier. I took his diff and made a test for our regression > framework. > > The legacy verifier seems not to check the certificate if no root CA

Re: rpki-client extra paranoia

2021-02-19 Thread Theo Buehler
On Fri, Feb 19, 2021 at 10:54:29AM +0100, Claudio Jeker wrote: > Better to make sure that all URI we ingest are sensitive. Similar check > is already done in cert.c so also do it for the TAL files (even though > these are normally controlled by the user). > > OK? ok > -- > :wq Claudio > >

Re: relayd check script memory explosion

2021-02-19 Thread Theo Buehler
On Mon, Feb 15, 2021 at 12:03:42PM +1000, Jonathan Matthew wrote: > It's fairly easy to accidentally configure relayd to try to run check scripts > faster than they finish, for example if you have a check interval of one > second and the check script makes a tcp connection to a host that doesn't >

rpki-client: recallocarray conversions

2021-02-19 Thread Theo Buehler
As discussed a few days ago, there are a few reallocarray + memset that can be directly handled by recallocarray. Index: main.c === RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v retrieving revision 1.101 diff -u -p -r1.101 main.c

Re: further x509 cleanup in rpki-client

2021-02-18 Thread Theo Buehler
On Thu, Feb 18, 2021 at 02:41:39PM +0100, Claudio Jeker wrote: > Instead of iterating over all x509 extension and look for SKI and AKI use > X509_get_ext_d2i(). This reduces the complexity a fair bit. Also add > additional checks (e.g. make sure the extensions are non-critical). > More cleanup in

Re: rpki-client, create repo dir in parent process

2021-02-18 Thread Theo Buehler
On Thu, Feb 18, 2021 at 11:57:52AM +0100, Claudio Jeker wrote: > This diff moves the mkpath() call from the rsync child to the parent. > As a result the rsync process no longer needs cpath. It will also simplify > integration of RRDP since that will be another process. ok tb > > -- > :wq

Re: relayd and TLS client cert verification

2021-02-17 Thread Theo Buehler
Hi On Thu, Oct 15, 2020 at 05:52:40PM +1100, Ashe Connor wrote: > Hi there, > > A year or two ago I submitted a patch for adding TLS client certificate > validation to relayd. At the time it didn't make it in, and I stopped > pursuing it further. >

Re: LibreSSL regressions

2021-02-16 Thread Theo Buehler
On Tue, Feb 16, 2021 at 01:16:21PM +0100, Jan Klemkow wrote: > On Tue, Feb 16, 2021 at 04:36:59AM +1100, Joel Sing wrote: > > On 21-02-15 14:49:46, Jan Klemkow wrote: > > > On Sat, Feb 13, 2021 at 03:53:48PM +0100, Theo Buehler wrote: > > > > On Sat, Feb 13, 2021 at

Re: LibreSSL regressions

2021-02-15 Thread Theo Buehler
On Tue, Feb 16, 2021 at 04:36:59AM +1100, Joel Sing wrote: > On 21-02-15 14:49:46, Jan Klemkow wrote: > > On Sat, Feb 13, 2021 at 03:53:48PM +0100, Theo Buehler wrote: > > > On Sat, Feb 13, 2021 at 11:58:04AM +0100, Jan Klemkow wrote: > > > > A coworker of mine h

Re: change rpki-client repository code

2021-02-15 Thread Theo Buehler
> > > rt.repos = reallocarray(rt.repos, > > > rt.reposz + 1, sizeof(struct repo)); > > > > This line could be unwrapped. The code could also be simplified by using > > recallocarray() (it looks like the -portable update.sh is prepared for > > that). > > I leave that for later. There

Re: change rpki-client repository code

2021-02-15 Thread Theo Buehler
On Fri, Feb 12, 2021 at 10:01:38AM +0100, Claudio Jeker wrote: > On Mon, Feb 08, 2021 at 05:15:40PM +0100, Claudio Jeker wrote: > > Split the repository code into two parts: > > > > - fetch of the trust anchors (the certs referenced by TAL files) > > - fetch of the MFT files of a repository > >

Re: httpd(8) fix tls comparison of servers

2021-02-15 Thread Theo Buehler
On Mon, Feb 15, 2021 at 12:41:31PM +0100, Claudio Jeker wrote: > For SNI all TLS servers need to run with the same config. The config > parser has an extra step for this. The problem is it also compares the > TLS config params with non-TLS servers when a server block has both > listen * port 80

Re: LibreSSL regressions

2021-02-13 Thread Theo Buehler
On Sat, Feb 13, 2021 at 11:58:04AM +0100, Jan Klemkow wrote: > Hi, > > A coworker of mine has made tests with LibreSSL [1] and found some > regressions. I took his test descriptions and created the following > automated regression test. In the repository he described his findings > in detail.

Re: ssl(8) tweaks, mostly for ecdsa

2021-02-11 Thread Theo Buehler
On Thu, Feb 11, 2021 at 08:55:55PM +, Stuart Henderson wrote: > acme-client works with ecdsa certificates, but if there's no existing > key, it has no way to tell whether you want ec or rsa so it can't > actually generate a new ec key. (even if it did, acme-client's default > secp384r1 isn't

Re: rpki-client parse and check caRepository Subject Information Access

2021-02-05 Thread Theo Buehler
On Fri, Feb 05, 2021 at 02:45:41PM +0100, Claudio Jeker wrote: > RPKI certificates have 3 possible Subject Information Access URI that we > may be interested in: > - 1.3.6.1.5.5.7.48.5 (caRepository) > - 1.3.6.1.5.5.7.48.10 (rpkiManifest) > - 1.3.6.1.5.5.7.48.13 (rpkiNotify) > >

Re: rpki-client remove debug code

2021-02-05 Thread Theo Buehler
On Thu, Feb 04, 2021 at 06:56:05PM +0100, Claudio Jeker wrote: > This bit of debug code to understand the progress of rpki-client is no > longer helpful. Most of the time this is a stuck rsync that causes delays > and those are now nicely handled by an internal timeout. > I propose to remove this.

Re: rpki-client call a file a file

2021-02-04 Thread Theo Buehler
On Thu, Feb 04, 2021 at 03:09:33PM +0100, Claudio Jeker wrote: > The uri field in the entity queue struct is never a URI but always a local > path to the file in the repo. Rename the field so I'm less confused. > Compiler agrees with my change. Agreed. Some of the functions you need to touch also

Re: rpki-client, simplify main process

2021-02-04 Thread Theo Buehler
On Thu, Feb 04, 2021 at 11:37:08AM +0100, Claudio Jeker wrote: > Instead of passing around variables all the way down to entity_write_req() > and repo_lookup() use global variables. Especially for the repository > handling this will become more complex with the introduction of RRDP. > Also shuffle

Re: rpki-client factor out the parser code into own module

2021-02-03 Thread Theo Buehler
On Wed, Feb 03, 2021 at 08:08:20PM +0100, Claudio Jeker wrote: > This is just shuffling code around and adds a few definitions to extern.h. > The goal is to reduce the amount of code in main.c. I constantly get lost > in all the parsing and parent functions also I want to extend the > repository

Re: rpki-client remove double checking of hashes

2021-01-28 Thread Theo Buehler
On Thu, Jan 28, 2021 at 04:42:00PM +0100, Claudio Jeker wrote: > Initially rpki-client checked the file hash while parsing the file (.roa, > .cert or .crl) but since a while rpki-client does the hash check early > during the .mft parsing with mft_check(). After that all files in the > fileandhash

Re: unwind: silence "udp connect failed" errors

2021-01-24 Thread Theo Buehler
On Sun, Jan 24, 2021 at 12:44:39PM +0100, Klemens Nanni wrote: > unwind/libunbound always tries to connect to nameservers using both > address families, even if only one is configured on the local machine. > > So on IPv6 only boxes for example syslog gets spammed with these > > Jan 24 12:23:06

Re: games/canfield bug

2021-01-21 Thread Theo Buehler
> We should just ignore any of the special curses keys returned by > getch() since canfield is not prepared to deal with them. ok tb

Re: rad(8): get rid of inet_net_{ntop,pton}(3)

2021-01-19 Thread Theo Buehler
On Mon, Jan 18, 2021 at 06:41:26PM +0100, Florian Obser wrote: > > > This is not an api that seems to have caught on (especially the > AF_INET6 variant), maybe we can get rid of it entirely. > > (I also suspect that the AF_INET6 version is broken on FreeBSD and > NetBSD as well as mac osx.)

Re: behaviour of openssl s_server and certificate chains on 6.8

2021-01-14 Thread Theo Buehler
On Thu, Jan 14, 2021 at 02:37:20PM +0100, Robert Nagy wrote: > On 14/01/21 14:27 +0100, Robert Nagy wrote: > > On 14/01/21 14:20 +0100, Theo Buehler wrote: > > > On Thu, Jan 14, 2021 at 01:32:41PM +0100, Matthieu Herrb wrote: > > > > Hi, > > > > >

Re: behaviour of openssl s_server and certificate chains on 6.8

2021-01-14 Thread Theo Buehler
On Thu, Jan 14, 2021 at 01:32:41PM +0100, Matthieu Herrb wrote: > Hi, > > I'm trying to debug strange behaviour changes with certificates on a > system after upgrading it from 6.7 to 6.8... > > On 6.7, if I run : > > openssl s_server -cert mycert.pem -key mykey.pem -CAfile CA.pem > > then

Re: cmp -s bugfix

2021-01-09 Thread Theo Buehler
On Sat, Jan 09, 2021 at 08:00:42AM +0100, Otto Moerbeek wrote: > As reported on misc@ > > https://marc.info/?l=openbsd-misc=161016188503894=2 ok tb > > -Otto > > Index: regular.c > === > RCS file:

Re: Fix -Wincompatible-pointer-types-discards-qualifiers

2021-01-08 Thread Theo Buehler
On Thu, Jan 07, 2021 at 11:30:43PM +, Adam Barth wrote: > Thanks so much! This is my first patch for OpenBSD, and I don't quite have > the workflow debugged yet. Committed, thank you! Probably easiest and safest way is to use git format-patch and to send the patch file as an attachment.

Re: Fix -Wincompatible-pointer-types-discards-qualifiers

2021-01-07 Thread Theo Buehler
On Thu, Jan 07, 2021 at 11:16:16PM +, Adam Barth wrote: > Previously, this code was passing string constants to functions that did > not declare their parameters as const. After this patch, the functions now > declare that they do not modify these arguments, making it safe to pass > string

Re: use getnameinfo in bgpd to print addresses

2021-01-04 Thread Theo Buehler
On Mon, Jan 04, 2021 at 08:48:55PM +0100, Otto Moerbeek wrote: > On Mon, Jan 04, 2021 at 05:50:53PM +0100, Otto Moerbeek wrote: > > > On Mon, Jan 04, 2021 at 01:42:48PM +0100, Theo Buehler wrote: > > > > > > > + return log_sockaddr(addr2sa(addr, 0,

Re: use getnameinfo in bgpd to print addresses

2021-01-04 Thread Theo Buehler
> > + return log_sockaddr(addr2sa(addr, 0, ), len); > > Perhaps I haven't yet had enough coffee this year, but I'm unsure > whether it is actually guaranteed that addr2sa() is called before the > second len in this line is passed to log_sockaddr(). Answering my own question: C99 and

Re: bgpd: struct mrt vs struct mrt_config confusion

2021-01-04 Thread Theo Buehler
On Mon, Jan 04, 2021 at 12:23:35PM +0100, Claudio Jeker wrote: > On Mon, Jan 04, 2021 at 12:09:46PM +0100, Theo Buehler wrote: > > Pointed out by llvm scan-build. mrt_config is much larger (> 10x). As > > far as I can tell, this isn't bad. It just overallocates and copies a

Re: use getnameinfo in bgpd to print addresses

2021-01-04 Thread Theo Buehler
On Mon, Jan 04, 2021 at 10:46:39AM +0100, Claudio Jeker wrote: > In bgpd most prefixes and addresses are stored as struct bgpd_addr. When > it is printed it uses inet_ntop() which is not ideal since it does not > handle IPv6 scoped_id. Instead convert to a struct sockaddr and use > log_sockaddr()

bgpd: struct mrt vs struct mrt_config confusion

2021-01-04 Thread Theo Buehler
Pointed out by llvm scan-build. mrt_config is much larger (> 10x). As far as I can tell, this isn't bad. It just overallocates and copies a lot of zeroes thanks to the calloc() in parse.y. Perhaps it would be better to use sizeof(*xm) instead. Regress passes with the Makefile diff at the end (is

Re: libc/regex: turn unsafe macros to inline functions

2021-01-03 Thread Theo Buehler
On Sun, Jan 03, 2021 at 04:45:30PM +, Miod Vallat wrote: > > Is there a reason not to do > > > > return (cs->ptr[(uch)c] & cs->mask) != 0; > > > > This would allow us to get rid of the !! construct in regcomp.c > > Why not. What about that? Thanks. Here's the diff rebased on top of

Re: libc/regex: turn unsafe macros to inline functions

2021-01-02 Thread Theo Buehler
On Sat, Jan 02, 2021 at 08:33:51PM +, Miod Vallat wrote: > That code was written before inline functions were supported by > compilers; now that they are even part of the language standard, turn > macros into inline functions so that there is no need to document in > comments that they will

Re: libc/regex: more dead code

2021-01-02 Thread Theo Buehler
On Sat, Jan 02, 2021 at 08:31:39PM +, Miod Vallat wrote: > The removal of the categories code made these two functions unused, so > remove them as well. ok tb

Re: httpd: call tls_close before closing the socket

2021-01-01 Thread Theo Buehler
On Fri, Jan 01, 2021 at 11:38:32PM +0100, Claudio Jeker wrote: > On Fri, Jan 01, 2021 at 09:06:34PM +0100, Theo Buehler wrote: > > httpd(8) leaks resources when clients connect via TLS. The reason for > > this is that server_close() closes the socket underlying the TLS > &

httpd: call tls_close before closing the socket

2021-01-01 Thread Theo Buehler
httpd(8) leaks resources when clients connect via TLS. The reason for this is that server_close() closes the socket underlying the TLS connection before calling tls_close(). The currently unchecked tls_close() call fails with EBADF when trying to write out the close_notify in SSL_shutdown().

httpd: another log related leak

2020-12-31 Thread Theo Buehler
msg is allocated by vasprintf, and is leaked on return of server_sendlog. vasprintf calculates the length of the string, so we can zap a needless call to strlen while there. Index: server.c === RCS file:

httpd: free log_file in logger_close()

2020-12-30 Thread Theo Buehler
The access and error logs are never freed. They are leaked on sending USR1 to the parent, for example. Index: logger.c === RCS file: /cvs/src/usr.sbin/httpd/logger.c,v retrieving revision 1.22 diff -u -p -r1.22 logger.c --- logger.c

Re: libc/regex: safer pointer arithmetic

2020-12-30 Thread Theo Buehler
On Tue, Dec 29, 2020 at 06:03:36AM -0700, Todd C. Miller wrote: > On Tue, 29 Dec 2020 10:33:26 +, Miod Vallat wrote: > > > regcomp.c uses the "start + count < end" idiom to check that there are > > "count" bytes available in an array of char "start" and "end" both point > > to. > > > > This

Re: tls_config_parse_protocols.3: more prominent protocol list

2020-12-29 Thread Theo Buehler
On Wed, Dec 30, 2020 at 07:05:47AM +, Jason McIntyre wrote: > On Wed, Dec 30, 2020 at 02:02:44AM +0100, Klemens Nanni wrote: > > Manuals like httpd.conf(5) refer to tls_config_parse_protocols(3) the > > list of supported protocols. > > > > Sentences with inlined elements are generally harder

Re: rpki-client unmarshal empty strings as NULL

2020-12-18 Thread Theo Buehler
> This is the next step. I added asserts for strings that must be set and > removed some of complications around optional strings. Especially cert.c > and some of the entityq code benefits from this. Looks good and works for me. ok tb

Re: rpki-client unmarshal empty strings as NULL

2020-12-18 Thread Theo Buehler
On Fri, Dec 18, 2020 at 05:45:01PM +0100, Claudio Jeker wrote: > On Fri, Dec 18, 2020 at 01:46:49PM +0100, Theo Buehler wrote: > > On Fri, Dec 18, 2020 at 11:43:40AM +0100, Claudio Jeker wrote: > > > On Wed, Dec 02, 2020 at 05:06:28PM +0100, Claudio Jeker wrote: > > >
