Re: [PATCH] src - fix IPsec capitalisation
On 2018/03/15 08:55, Raf Czlonka wrote:
> Hi all,
>
> As per jmc's commit message[0], would anyone be so kind as to comment
> on this, please?
>
> Thanks again to Jason for fixing the non-code bits.
>
> [0] https://marc.info/?m=151993729713231
>
> Cheers,
>
> Raf
> ...
> > > +++ include/arpa/nameser.h26 Feb 2018 11:03:07 - > > > @@ -223,7 +223,7 @@ > > > #define KEYFLAG_USERACCOUNT 0x0400 /* key is assoc. with a user > > > acct */ > > > #define KEYFLAG_ENTITY 0x0200 /* key is assoc. with entity eg > > > host */ > > > #define KEYFLAG_ZONEKEY 0x0100 /* key is zone key for the zone > > > named */ > > > -#define KEYFLAG_IPSEC 0x0080 /* key is for IPSEC use (host > > > or user)*/ > > > +#define KEYFLAG_IPSEC 0x0080 /* key is for IPsec use (host > > > or user)*/ ok > > > retrieving revision 1.15 > > > diff -u -p -r1.15 ec_curve.c > > > --- lib/libcrypto/ec/ec_curve.c 29 Jan 2017 17:49:23 - 1.15 > > > +++ lib/libcrypto/ec/ec_curve.c 26 Feb 2018 11:03:09 - > > > @@ -2135,7 +2135,7 @@ static const struct { > > > } > > > }; > > > > > > -/* IPSec curves */ > > > +/* IPsec curves */ ok > > > /* NOTE: The of curves over a extension field of non prime degree > > > * is not recommended (Weil-descent). > > > * As the group order is not a prime this curve is not suitable 
> > > @@ -3116,10 +3116,10 @@ static const ec_list_element curve_list[ > > > #endif > > > {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 > > > bit prime field"}, > > > #ifndef OPENSSL_NO_EC2M > > > - /* IPSec curves */ > > > - {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 > > > over a 155 bit binary field.\n" > > > + /* IPsec curves */ > > > + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPsec/IKE/Oakley curve #3 > > > over a 155 bit binary field.\n" > > > "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, > > > - {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 > > > over a 185 bit binary field.\n" > > > + {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPsec/IKE/Oakley curve #4 > > > over a 185 bit binary field.\n" I don't know if anything will parse these and expect to be as-is. Without more information I'd skip this. > > > "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, > > > #endif > > > /* RFC 5639 curves */ > > > Index: lib/libcrypto/objects/objects.txt > > > === > > > RCS file: /cvs/src/lib/libcrypto/objects/objects.txt,v > > > retrieving revision 1.19 > > > diff -u -p -r1.19 objects.txt > > > --- lib/libcrypto/objects/objects.txt 25 May 2017 17:00:24 - > > > 1.19 > > > +++ lib/libcrypto/objects/objects.txt 26 Feb 2018 11:03:09 - 
> > > @@ -486,9 +486,9 @@ id-kp 2 : clientAuth > > > : TLS Web Client > > > id-kp 3 : codeSigning : Code Signing > > > !Cname email-protect > > > id-kp 4 : emailProtection : E-mail Protection > > > -id-kp 5 : ipsecEndSystem: IPSec End System > > > -id-kp 6 : ipsecTunnel : IPSec Tunnel > > > -id-kp 7 : ipsecUser : IPSec User > > > +id-kp 5 : ipsecEndSystem: IPsec End System > > > +id-kp 6 : ipsecTunnel : IPsec Tunnel > > > +id-kp 7 : ipsecUser : IPsec User Same as above, no idea what uses it. > > > !Cname time-stamp > > > id-kp 8 : timeStamping : Time Stamping > > > # From OCSP spec RFC2560 > > > Index: sbin/iked/iked.h > > > === > > > RCS file: /cvs/src/sbin/iked/iked.h,v > > > retrieving revision 1.117 > > > diff -u -p -r1.117 iked.h > > > --- sbin/iked/iked.h 30 Nov 2017 12:18:44 - 1.117 > > > +++ sbin/iked/iked.h 26 Feb 2018 11:03:14 - > > > @@ -165,7 +165,7 @@ RB_HEAD(iked_flows, iked_flow); > > > TAILQ_HEAD(iked_saflows, iked_flow); > > > > > > struct iked_childsa { > > > - uint8_t csa_saproto; /* IPSec protocol */ > > > + uint8_t csa_saproto; /* IPsec protocol */ > > > unsigned int csa_dir; /* in/out */ > > > > > > uint64_t csa_peerspi; /* peer relation */ > > > @@ -432,8 +432,8 @@ struct iked_sa { > > > struct ibuf *sa_eapmsk; /* EAK session key */ > > > > > > struct iked_proposalssa_proposals; /* SA proposals */ > > > - struct iked_childsas sa_childsas; /* IPSec Child SAs */ > > > - struct iked_saflows sa_flows; /* IPSec flows */ > > > + struct iked_childsas sa_childsas; /* IPsec Child SAs */ > > > + struct iked_saflows sa_flows; /* IPsec
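Review bot: In the lib/libcrypto/objects/objects.txt hunk, the field edited on the id-kp 5, 6 and 7 lines is the object's description rather than a comment, so this is a data change and not a spelling cleanup: the cover letter itself says cert.pem will differ once it is regenerated after the descriptions change. Split these three lines out of the comment-only edits (nameser.h, iked.h) and send them separately, together with the regenerated files and a statement of what was checked for consumers that match on "IPSec End System", "IPSec Tunnel" or "IPSec User", so the comment fixes do not have to wait on that question.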
Re: [PATCH] src - fix IPsec capitalisation
Hi all,

As per jmc's commit message[0], would anyone be so kind as to comment
on this, please?

Thanks again to Jason for fixing the non-code bits.

[0] https://marc.info/?m=151993729713231

Cheers,

Raf

On Wed, Feb 28, 2018 at 08:38:35PM GMT, Jason McIntyre wrote:
> On Mon, Feb 26, 2018 at 12:15:28PM +, Raf Czlonka wrote:
> > Hi all,
> >
> > Fix capitalisation of IPsec as per the RFC[0] - obviously, only
> > where this makes sense.
> >
> > The remaining one in cert.pem[1] will get fixed automatically once
> > the file is regenerated, after the object identifiers' description
> > changes.
> >
> > If this gets in, I'd like to submit a patch for www - *not* individual
> > presentations or papers, though.
> >
> > [0] https://tools.ietf.org/html/rfc4301#page-4
> > [1] https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/cert.pem
> >
> > Regards,
> >
> > Raf
> >
> i'm ok with this diff. i don't want to commit it as-is though, because
> of the code bits.
>
> if no one shows any interest in taking it, i'll look at at least fixing the
> man/calendar parts.
>
> jmc
>
> > Index: include/arpa/nameser.h > > === > > RCS file: /cvs/src/include/arpa/nameser.h,v > > retrieving revision 1.13 > > diff -u -p -r1.13 nameser.h > > --- include/arpa/nameser.h 16 Jan 2015 00:01:28 - 1.13 > > +++ include/arpa/nameser.h 26 Feb 2018 11:03:07 - 
> > @@ -223,7 +223,7 @@ > > #defineKEYFLAG_USERACCOUNT 0x0400 /* key is assoc. with a user > > acct */ > > #defineKEYFLAG_ENTITY 0x0200 /* key is assoc. with entity eg > > host */ > > #defineKEYFLAG_ZONEKEY 0x0100 /* key is zone key for the zone > > named */ > > -#defineKEYFLAG_IPSEC 0x0080 /* key is for IPSEC use (host > > or user)*/ > > +#defineKEYFLAG_IPSEC 0x0080 /* key is for IPsec use (host > > or user)*/ > > #defineKEYFLAG_EMAIL 0x0040 /* key is for email (MIME > > security) */ > > #defineKEYFLAG_RESERVED10 0x0020 /* reserved - must be zero */ > > #defineKEYFLAG_RESERVED11 0x0010 /* reserved - must be zero */ > > Index: lib/libcrypto/ec/ec_curve.c > > === > > RCS file: /cvs/src/lib/libcrypto/ec/ec_curve.c,v > > retrieving revision 1.15 > > diff -u -p -r1.15 ec_curve.c > > --- lib/libcrypto/ec/ec_curve.c 29 Jan 2017 17:49:23 - 1.15 > > +++ lib/libcrypto/ec/ec_curve.c 26 Feb 2018 11:03:09 - > > @@ -2135,7 +2135,7 @@ static const struct { > > } > > }; > > > > -/* IPSec curves */ > > +/* IPsec curves */ > > /* NOTE: The of curves over a extension field of non prime degree > > * is not recommended (Weil-descent). > > * As the group order is not a prime this curve is not suitable 
> > @@ -3116,10 +3116,10 @@ static const ec_list_element curve_list[ > > #endif > > {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 > > bit prime field"}, > > #ifndef OPENSSL_NO_EC2M > > - /* IPSec curves */ > > - {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 > > over a 155 bit binary field.\n" > > + /* IPsec curves */ > > + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPsec/IKE/Oakley curve #3 > > over a 155 bit binary field.\n" > > "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, > > - {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 > > over a 185 bit binary field.\n" > > + {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPsec/IKE/Oakley curve #4 > > over a 185 bit binary field.\n" > > "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, > > #endif > > /* RFC 5639 curves */ > > Index: lib/libcrypto/objects/objects.txt > > === > > RCS file: /cvs/src/lib/libcrypto/objects/objects.txt,v > > retrieving revision 1.19 > > diff -u -p -r1.19 objects.txt > > --- lib/libcrypto/objects/objects.txt 25 May 2017 17:00:24 - > > 1.19 > > +++ lib/libcrypto/objects/objects.txt 26 Feb 2018 11:03:09 - > > @@ -486,9 +486,9 @@ id-kp 2 : clientAuth: TLS > > Web Client > > id-kp 3: codeSigning : Code Signing > > !Cname email-protect > > id-kp 4: emailProtection : E-mail Protection > > -id-kp 5: ipsecEndSystem: IPSec End System > > -id-kp 6: ipsecTunnel : IPSec Tunnel > > -id-kp 7: ipsecUser : IPSec User > > +id-kp 5: ipsecEndSystem: IPsec End System > > +id-kp 6: ipsecTunnel : IPsec Tunnel > > +id-kp 7: ipsecUser : IPsec User > > !Cname time-stamp > > id-kp 8: timeStamping : Time Stamping > > # From OCSP spec RFC2560 > > Index:
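Review bot: In the second lib/libcrypto/ec/ec_curve.c hunk (@@ -3116), only the "/* IPSec curves */" line is a comment; the NID_ipsec3 and NID_ipsec4 lines edit string literals stored in the curve_list[] entries, so the text the library carries for these two curves changes at run time. Keep the comment fix and either drop the two string edits or send them as their own change that says what reads this text and why the new spelling is safe for it.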
Re: [PATCH] src - fix IPsec capitalisation
On Mon, Feb 26, 2018 at 12:15:28PM +, Raf Czlonka wrote:
> Hi all,
>
> Fix capitalisation of IPsec as per the RFC[0] - obviously, only
> where this makes sense.
>
> The remaining one in cert.pem[1] will get fixed automatically once
> the file is regenerated, after the object identifiers' description
> changes.
>
> If this gets in, I'd like to submit a patch for www - *not* individual
> presentations or papers, though.
>
> [0] https://tools.ietf.org/html/rfc4301#page-4
> [1] https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/cert.pem
>
> Regards,
>
> Raf
>

i'm ok with this diff. i don't want to commit it as-is though, because
of the code bits.

if no one shows any interest in taking it, i'll look at at least fixing the
man/calendar parts.

jmc

> Index: include/arpa/nameser.h > === > RCS file: /cvs/src/include/arpa/nameser.h,v > retrieving revision 1.13 > diff -u -p -r1.13 nameser.h > --- include/arpa/nameser.h16 Jan 2015 00:01:28 - 1.13 > +++ include/arpa/nameser.h26 Feb 2018 11:03:07 - > @@ -223,7 +223,7 @@ > #define KEYFLAG_USERACCOUNT 0x0400 /* key is assoc. with a user > acct */ > #define KEYFLAG_ENTITY 0x0200 /* key is assoc. with entity eg > host */ > #define KEYFLAG_ZONEKEY 0x0100 /* key is zone key for the zone > named */ > -#define KEYFLAG_IPSEC 0x0080 /* key is for IPSEC use (host > or user)*/ > +#define KEYFLAG_IPSEC 0x0080 /* key is for IPsec use (host > or user)*/ > #define KEYFLAG_EMAIL 0x0040 /* key is for email (MIME > security) */ > #define KEYFLAG_RESERVED10 0x0020 /* reserved - must be zero */ > #define KEYFLAG_RESERVED11 0x0010 /* reserved - must be zero */ > Index: lib/libcrypto/ec/ec_curve.c > === > RCS file: /cvs/src/lib/libcrypto/ec/ec_curve.c,v > retrieving revision 1.15 > diff -u -p -r1.15 ec_curve.c > --- lib/libcrypto/ec/ec_curve.c 29 Jan 2017 17:49:23 - 1.15 > +++ lib/libcrypto/ec/ec_curve.c 26 Feb 2018 11:03:09 - 
> @@ -2135,7 +2135,7 @@ static const struct { > } > }; > > -/* IPSec curves */ > +/* IPsec curves */ > /* NOTE: The of curves over a extension field of non prime degree > * is not recommended (Weil-descent). > * As the group order is not a prime this curve is not suitable > @@ -3116,10 +3116,10 @@ static const ec_list_element curve_list[ > #endif > {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 > bit prime field"}, > #ifndef OPENSSL_NO_EC2M > - /* IPSec curves */ > - {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 > over a 155 bit binary field.\n" > + /* IPsec curves */ > + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPsec/IKE/Oakley curve #3 > over a 155 bit binary field.\n" > "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, > - {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 > over a 185 bit binary field.\n" > + {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPsec/IKE/Oakley curve #4 > over a 185 bit binary field.\n" > "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, > #endif > /* RFC 5639 curves */ > Index: lib/libcrypto/objects/objects.txt > === > RCS file: /cvs/src/lib/libcrypto/objects/objects.txt,v > retrieving revision 1.19 > diff -u -p -r1.19 objects.txt > --- lib/libcrypto/objects/objects.txt 25 May 2017 17:00:24 - 1.19 > +++ lib/libcrypto/objects/objects.txt 26 Feb 2018 11:03:09 - 
> @@ -486,9 +486,9 @@ id-kp 2 : clientAuth: TLS > Web Client > id-kp 3 : codeSigning : Code Signing > !Cname email-protect > id-kp 4 : emailProtection : E-mail Protection > -id-kp 5 : ipsecEndSystem: IPSec End System > -id-kp 6 : ipsecTunnel : IPSec Tunnel > -id-kp 7 : ipsecUser : IPSec User > +id-kp 5 : ipsecEndSystem: IPsec End System > +id-kp 6 : ipsecTunnel : IPsec Tunnel > +id-kp 7 : ipsecUser : IPsec User > !Cname time-stamp > id-kp 8 : timeStamping : Time Stamping > # From OCSP spec RFC2560 > Index: sbin/iked/iked.h > === > RCS file: /cvs/src/sbin/iked/iked.h,v > retrieving revision 1.117 > diff -u -p -r1.117 iked.h > --- sbin/iked/iked.h 30 Nov 2017 12:18:44 - 1.117 > +++ sbin/iked/iked.h 26 Feb 2018 11:03:14 - > @@ -165,7 +165,7 @@ RB_HEAD(iked_flows, iked_flow); > TAILQ_HEAD(iked_saflows, iked_flow); > > struct iked_childsa { > - uint8_t
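Review bot: In the first lib/libcrypto/ec/ec_curve.c hunk (@@ -2135), the comment being corrected sits directly above a NOTE that begins "The of curves over a extension field", which is missing a word after "The" and should say "an extension field". Since this change is a cleanup of exactly these comment lines, fix that sentence in the same pass so the block is not touched twice.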