Re: [PATCH] src - fix IPsec capitalisation

2018-03-15 Thread Stuart Henderson
On 2018/03/15 08:55, Raf Czlonka wrote:
> Hi all,
> 
> As per jmc's commit message[0], would anyone be so kind as to comment
> on this, please?
> 
> Thanks again to Jason for fixing the non-code bits.
> 
> [0] https://marc.info/?m=151993729713231
> 
> Cheers,
> 
> Raf
> 
...
> > > +++ include/arpa/nameser.h26 Feb 2018 11:03:07 -
> > > @@ -223,7 +223,7 @@
> > >  #define  KEYFLAG_USERACCOUNT 0x0400  /* key is assoc. with a user 
> > > acct */
> > >  #define  KEYFLAG_ENTITY  0x0200  /* key is assoc. with entity eg 
> > > host */
> > >  #define  KEYFLAG_ZONEKEY 0x0100  /* key is zone key for the zone 
> > > named */
> > > -#define  KEYFLAG_IPSEC   0x0080  /* key is for IPSEC use (host 
> > > or user)*/
> > > +#define  KEYFLAG_IPSEC   0x0080  /* key is for IPsec use (host 
> > > or user)*/

ok

> > > retrieving revision 1.15
> > > diff -u -p -r1.15 ec_curve.c
> > > --- lib/libcrypto/ec/ec_curve.c   29 Jan 2017 17:49:23 -  1.15
> > > +++ lib/libcrypto/ec/ec_curve.c   26 Feb 2018 11:03:09 -
> > > @@ -2135,7 +2135,7 @@ static const struct {
> > >   }
> > >  };
> > >  
> > > -/* IPSec curves */
> > > +/* IPsec curves */

ok

> > >  /* NOTE: The of curves over a extension field of non prime degree
> > >   * is not recommended (Weil-descent).
> > >   * As the group order is not a prime this curve is not suitable
> > > @@ -3116,10 +3116,10 @@ static const ec_list_element curve_list[
> > >  #endif
> > >   {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 
> > > bit prime field"},
> > >  #ifndef OPENSSL_NO_EC2M
> > > - /* IPSec curves */
> > > - {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 
> > > over a 155 bit binary field.\n"
> > > + /* IPsec curves */
> > > + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPsec/IKE/Oakley curve #3 
> > > over a 155 bit binary field.\n"
> > >   "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
> > > - {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 
> > > over a 185 bit binary field.\n"
> > > + {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPsec/IKE/Oakley curve #4 
> > > over a 185 bit binary field.\n"

I don't know if anything will parse these and expect to be as-is.
Without more information I'd skip this.

> > >   "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
> > >  #endif
> > >   /* RFC 5639 curves */
> > > Index: lib/libcrypto/objects/objects.txt
> > > ===
> > > RCS file: /cvs/src/lib/libcrypto/objects/objects.txt,v
> > > retrieving revision 1.19
> > > diff -u -p -r1.19 objects.txt
> > > --- lib/libcrypto/objects/objects.txt 25 May 2017 17:00:24 -  
> > > 1.19
> > > +++ lib/libcrypto/objects/objects.txt 26 Feb 2018 11:03:09 -
> > > @@ -486,9 +486,9 @@ id-kp 2   : clientAuth
> > > : TLS Web Client
> > >  id-kp 3  : codeSigning   : Code Signing
> > >  !Cname email-protect
> > >  id-kp 4  : emailProtection   : E-mail Protection
> > > -id-kp 5  : ipsecEndSystem: IPSec End System
> > > -id-kp 6  : ipsecTunnel   : IPSec Tunnel
> > > -id-kp 7  : ipsecUser : IPSec User
> > > +id-kp 5  : ipsecEndSystem: IPsec End System
> > > +id-kp 6  : ipsecTunnel   : IPsec Tunnel
> > > +id-kp 7  : ipsecUser : IPsec User

Same as above, no idea what uses it.

> > >  !Cname time-stamp
> > >  id-kp 8  : timeStamping  : Time Stamping
> > >  # From OCSP spec RFC2560
> > > Index: sbin/iked/iked.h
> > > ===
> > > RCS file: /cvs/src/sbin/iked/iked.h,v
> > > retrieving revision 1.117
> > > diff -u -p -r1.117 iked.h
> > > --- sbin/iked/iked.h  30 Nov 2017 12:18:44 -  1.117
> > > +++ sbin/iked/iked.h  26 Feb 2018 11:03:14 -
> > > @@ -165,7 +165,7 @@ RB_HEAD(iked_flows, iked_flow);
> > >  TAILQ_HEAD(iked_saflows, iked_flow);
> > >  
> > >  struct iked_childsa {
> > > - uint8_t  csa_saproto;   /* IPSec protocol */
> > > + uint8_t  csa_saproto;   /* IPsec protocol */
> > >   unsigned int csa_dir;   /* in/out */
> > >  
> > >   uint64_t csa_peerspi;   /* peer relation */
> > > @@ -432,8 +432,8 @@ struct iked_sa {
> > >   struct ibuf *sa_eapmsk; /* EAK session key */
> > >  
> > >   struct iked_proposalssa_proposals;  /* SA proposals */
> > > - struct iked_childsas sa_childsas;   /* IPSec Child SAs */
> > > - struct iked_saflows  sa_flows;  /* IPSec flows */
> > > + struct iked_childsas sa_childsas;   /* IPsec Child SAs */
> > > + struct iked_saflows  sa_flows;  /* IPsec 

Re: [PATCH] src - fix IPsec capitalisation

2018-03-15 Thread Raf Czlonka
Hi all,

As per jmc's commit message[0], would anyone be so kind as to comment
on this, please?

Thanks again to Jason for fixing the non-code bits.

[0] https://marc.info/?m=151993729713231

Cheers,

Raf

On Wed, Feb 28, 2018 at 08:38:35PM GMT, Jason McIntyre wrote:
> On Mon, Feb 26, 2018 at 12:15:28PM +, Raf Czlonka wrote:
> > Hi all,
> > 
> > Fix capitalisation of IPsec as per the RFC[0] - obviously, only
> > where this makes sense.
> > 
> > The remaining one in cert.pem[1] will get fixed automatically once
> > the file is regenerated, after the object identifiers' description
> > changes.
> > 
> > If this gets in, I'd like to submit a patch for www - *not* individual
> > presentations or papers, though.
> > 
> > [0] https://tools.ietf.org/html/rfc4301#page-4
> > [1] https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/cert.pem
> > 
> > Regards,
> > 
> > Raf
> > 
> 
> i'm ok with this diff. i don't want to commit it as-is though, because
> of the code bits.
> 
> if no one shows any interest in taking it, i'll look at at least fixing the
> man/calendar parts.
> 
> jmc
> 
> > Index: include/arpa/nameser.h
> > ===
> > RCS file: /cvs/src/include/arpa/nameser.h,v
> > retrieving revision 1.13
> > diff -u -p -r1.13 nameser.h
> > --- include/arpa/nameser.h  16 Jan 2015 00:01:28 -  1.13
> > +++ include/arpa/nameser.h  26 Feb 2018 11:03:07 -
> > @@ -223,7 +223,7 @@
> >  #defineKEYFLAG_USERACCOUNT 0x0400  /* key is assoc. with a user 
> > acct */
> >  #defineKEYFLAG_ENTITY  0x0200  /* key is assoc. with entity eg 
> > host */
> >  #defineKEYFLAG_ZONEKEY 0x0100  /* key is zone key for the zone 
> > named */
> > -#defineKEYFLAG_IPSEC   0x0080  /* key is for IPSEC use (host 
> > or user)*/
> > +#defineKEYFLAG_IPSEC   0x0080  /* key is for IPsec use (host 
> > or user)*/
> >  #defineKEYFLAG_EMAIL   0x0040  /* key is for email (MIME 
> > security) */
> >  #defineKEYFLAG_RESERVED10  0x0020  /* reserved - must be zero */
> >  #defineKEYFLAG_RESERVED11  0x0010  /* reserved - must be zero */
> > Index: lib/libcrypto/ec/ec_curve.c
> > ===
> > RCS file: /cvs/src/lib/libcrypto/ec/ec_curve.c,v
> > retrieving revision 1.15
> > diff -u -p -r1.15 ec_curve.c
> > --- lib/libcrypto/ec/ec_curve.c 29 Jan 2017 17:49:23 -  1.15
> > +++ lib/libcrypto/ec/ec_curve.c 26 Feb 2018 11:03:09 -
> > @@ -2135,7 +2135,7 @@ static const struct {
> > }
> >  };
> >  
> > -/* IPSec curves */
> > +/* IPsec curves */
> >  /* NOTE: The of curves over a extension field of non prime degree
> >   * is not recommended (Weil-descent).
> >   * As the group order is not a prime this curve is not suitable
> > @@ -3116,10 +3116,10 @@ static const ec_list_element curve_list[
> >  #endif
> > {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 
> > bit prime field"},
> >  #ifndef OPENSSL_NO_EC2M
> > -   /* IPSec curves */
> > -   {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 
> > over a 155 bit binary field.\n"
> > +   /* IPsec curves */
> > +   {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPsec/IKE/Oakley curve #3 
> > over a 155 bit binary field.\n"
> > "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
> > -   {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 
> > over a 185 bit binary field.\n"
> > +   {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPsec/IKE/Oakley curve #4 
> > over a 185 bit binary field.\n"
> > "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
> >  #endif
> > /* RFC 5639 curves */
> > Index: lib/libcrypto/objects/objects.txt
> > ===
> > RCS file: /cvs/src/lib/libcrypto/objects/objects.txt,v
> > retrieving revision 1.19
> > diff -u -p -r1.19 objects.txt
> > --- lib/libcrypto/objects/objects.txt   25 May 2017 17:00:24 -  
> > 1.19
> > +++ lib/libcrypto/objects/objects.txt   26 Feb 2018 11:03:09 -
> > @@ -486,9 +486,9 @@ id-kp 2 : clientAuth: TLS 
> > Web Client
> >  id-kp 3: codeSigning   : Code Signing
> >  !Cname email-protect
> >  id-kp 4: emailProtection   : E-mail Protection
> > -id-kp 5: ipsecEndSystem: IPSec End System
> > -id-kp 6: ipsecTunnel   : IPSec Tunnel
> > -id-kp 7: ipsecUser : IPSec User
> > +id-kp 5: ipsecEndSystem: IPsec End System
> > +id-kp 6: ipsecTunnel   : IPsec Tunnel
> > +id-kp 7: ipsecUser : IPsec User
> >  !Cname time-stamp
> >  id-kp 8: timeStamping  : Time Stamping
> >  # From OCSP spec RFC2560
> > Index: 

Re: [PATCH] src - fix IPsec capitalisation

2018-02-28 Thread Jason McIntyre
On Mon, Feb 26, 2018 at 12:15:28PM +, Raf Czlonka wrote:
> Hi all,
> 
> Fix capitalisation of IPsec as per the RFC[0] - obviously, only
> where this makes sense.
> 
> The remaining one in cert.pem[1] will get fixed automatically once
> the file is regenerated, after the object identifiers' description
> changes.
> 
> If this gets in, I'd like to submit a patch for www - *not* individual
> presentations or papers, though.
> 
> [0] https://tools.ietf.org/html/rfc4301#page-4
> [1] https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/cert.pem
> 
> Regards,
> 
> Raf
> 

i'm ok with this diff. i don't want to commit it as-is though, because
of the code bits.

if no one shows any interest in taking it, i'll look at at least fixing the
man/calendar parts.

jmc

> Index: include/arpa/nameser.h
> ===
> RCS file: /cvs/src/include/arpa/nameser.h,v
> retrieving revision 1.13
> diff -u -p -r1.13 nameser.h
> --- include/arpa/nameser.h16 Jan 2015 00:01:28 -  1.13
> +++ include/arpa/nameser.h26 Feb 2018 11:03:07 -
> @@ -223,7 +223,7 @@
>  #define  KEYFLAG_USERACCOUNT 0x0400  /* key is assoc. with a user 
> acct */
>  #define  KEYFLAG_ENTITY  0x0200  /* key is assoc. with entity eg 
> host */
>  #define  KEYFLAG_ZONEKEY 0x0100  /* key is zone key for the zone 
> named */
> -#define  KEYFLAG_IPSEC   0x0080  /* key is for IPSEC use (host 
> or user)*/
> +#define  KEYFLAG_IPSEC   0x0080  /* key is for IPsec use (host 
> or user)*/
>  #define  KEYFLAG_EMAIL   0x0040  /* key is for email (MIME 
> security) */
>  #define  KEYFLAG_RESERVED10  0x0020  /* reserved - must be zero */
>  #define  KEYFLAG_RESERVED11  0x0010  /* reserved - must be zero */
> Index: lib/libcrypto/ec/ec_curve.c
> ===
> RCS file: /cvs/src/lib/libcrypto/ec/ec_curve.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 ec_curve.c
> --- lib/libcrypto/ec/ec_curve.c   29 Jan 2017 17:49:23 -  1.15
> +++ lib/libcrypto/ec/ec_curve.c   26 Feb 2018 11:03:09 -
> @@ -2135,7 +2135,7 @@ static const struct {
>   }
>  };
>  
> -/* IPSec curves */
> +/* IPsec curves */
>  /* NOTE: The of curves over a extension field of non prime degree
>   * is not recommended (Weil-descent).
>   * As the group order is not a prime this curve is not suitable
> @@ -3116,10 +3116,10 @@ static const ec_list_element curve_list[
>  #endif
>   {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 
> bit prime field"},
>  #ifndef OPENSSL_NO_EC2M
> - /* IPSec curves */
> - {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 
> over a 155 bit binary field.\n"
> + /* IPsec curves */
> + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPsec/IKE/Oakley curve #3 
> over a 155 bit binary field.\n"
>   "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
> - {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 
> over a 185 bit binary field.\n"
> + {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPsec/IKE/Oakley curve #4 
> over a 185 bit binary field.\n"
>   "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
>  #endif
>   /* RFC 5639 curves */
> Index: lib/libcrypto/objects/objects.txt
> ===
> RCS file: /cvs/src/lib/libcrypto/objects/objects.txt,v
> retrieving revision 1.19
> diff -u -p -r1.19 objects.txt
> --- lib/libcrypto/objects/objects.txt 25 May 2017 17:00:24 -  1.19
> +++ lib/libcrypto/objects/objects.txt 26 Feb 2018 11:03:09 -
> @@ -486,9 +486,9 @@ id-kp 2   : clientAuth: TLS 
> Web Client
>  id-kp 3  : codeSigning   : Code Signing
>  !Cname email-protect
>  id-kp 4  : emailProtection   : E-mail Protection
> -id-kp 5  : ipsecEndSystem: IPSec End System
> -id-kp 6  : ipsecTunnel   : IPSec Tunnel
> -id-kp 7  : ipsecUser : IPSec User
> +id-kp 5  : ipsecEndSystem: IPsec End System
> +id-kp 6  : ipsecTunnel   : IPsec Tunnel
> +id-kp 7  : ipsecUser : IPsec User
>  !Cname time-stamp
>  id-kp 8  : timeStamping  : Time Stamping
>  # From OCSP spec RFC2560
> Index: sbin/iked/iked.h
> ===
> RCS file: /cvs/src/sbin/iked/iked.h,v
> retrieving revision 1.117
> diff -u -p -r1.117 iked.h
> --- sbin/iked/iked.h  30 Nov 2017 12:18:44 -  1.117
> +++ sbin/iked/iked.h  26 Feb 2018 11:03:14 -
> @@ -165,7 +165,7 @@ RB_HEAD(iked_flows, iked_flow);
>  TAILQ_HEAD(iked_saflows, iked_flow);
>  
>  struct iked_childsa {
> - uint8_t