Re: traceroute support for RFC 5837

2010-09-08 Thread Claudio Jeker
On Fri, Sep 03, 2010 at 06:45:19PM -0700, Matthew Dempsky wrote:
> On Tue, Sep 07, 2010 at 04:40:38PM +0200, Claudio Jeker wrote:
> > +   if (objhdr.ieo_ctype & 0x02) {
> > +   /* interface name */
> > +   if (olen < buf[0]) {
> > +   printf("|)");
> > +   return;
> > +   }
> > +   name = strndup(buf + 1, buf[0]);
> > +   olen -= buf[0];
> > +   buf += buf[0];
> > +   }
> 
> buf[0] is the length of the entire sub-object not just the interface
> name, so I think we should a) check that it's in the range [1,64] and
> b) replace strndup(buf + 1, buf[0]) with strndup(buf + 1, buf[0] - 1).
> 
> There's also a memory leak that name might not be free(3)'d before
> return if the MTU field is truncated.
> 

Ugh, you're right. Fixed diff attached. I will commit the
non-ICMP_EXT_IFINFO part sometime soon since the MPLS output is much
nicer.

traceroute to 192.168.237.242 (192.168.237.242), 64 hops max, 40 byte packets
 1  192.168.237.2 (192.168.237.2)  1.426 ms  0.257 ms  0.195 ms
 2  10.42.3.1 (10.42.3.1)  2.903 ms  1.741 ms  1.108 ms [MPLS Label 23, 666]
 3  10.42.7.1 (10.42.7.1)  2.95 ms  1.515 ms  1.310 ms [MPLS Label 23, 666]
 4  10.42.42.2 (10.42.42.2)  2.210 ms  1.520 ms  1.79 ms [MPLS Label 16, 666]
 5  192.168.237.242 (192.168.237.242)  2.883 ms  1.334 ms  1.74 ms

instead of

traceroute to 192.168.237.242 (192.168.237.242), 64 hops max, 40 byte packets
 1  192.168.237.2 (192.168.237.2)  3.31 ms  0.382 ms  0.256 ms
 2  10.42.3.1 (10.42.3.1)  3.434 ms  1.235 ms  1.62 ms [MPLS: Label 23 Exp 0, 
Label 666 Exp 0]
 3  10.42.7.1 (10.42.7.1)  2.148 ms  1.184 ms  1.551 ms [MPLS: Label 23 Exp 0, 
Label 666 Exp 0]
 4  10.42.42.2 (10.42.42.2)  2.103 ms  1.151 ms  1 ms [MPLS: Label 16 Exp 0, 
Label 666 Exp 0]
 5  192.168.237.242 (192.168.237.242)  2.140 ms  1.253 ms  1.39 ms

-- 
:wq Claudio

Index: traceroute.c
===
RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.72
diff -u -p -r1.72 traceroute.c
--- traceroute.c9 Jul 2010 12:27:09 -   1.72
+++ traceroute.c7 Sep 2010 14:37:48 -
@@ -728,7 +728,9 @@ print_exthdr(u_char *buf, int cc)
struct ip *ip;
struct icmp *icp;
int hlen, first;
-   u_int32_t label;
+   u_int32_t label, ifindex, mtu;
+   struct in_addr addr;
+   char *name;
u_int16_t off, olen;
u_int8_t type;

@@ -805,13 +807,14 @@ print_exthdr(u_char *buf, int cc)
olen -= sizeof(u_int32_t);

if (first == 0) {
-   printf(" [MPLS: ");
+   printf(" [MPLS Label ");
first++;
} else
printf(", ");
-   printf("Label %d Exp %d",
-   MPLS_LABEL(label), 
-   MPLS_EXP(label));
+   printf("%d", MPLS_LABEL(label));
+   if (MPLS_EXP(label))
+   printf(" (Exp %x)",
+   MPLS_EXP(label));
}
if (olen > 0) {
printf("|]");
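Review bot: `printf("%d", MPLS_LABEL(label))` pairs a signed conversion with a value derived from `label`, which the hunk above declares as u_int32_t; unless MPLS_LABEL yields an int, `%u` is the matching specifier, `printf("%u", MPLS_LABEL(label));`. The `(Exp %x)` form is consistent with an unsigned operand, though printing the label in decimal and Exp in hex reads oddly for a three-bit field. print_exthdr begins and ends outside this hunk.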
@@ -826,6 +829,91 @@ print_exthdr(u_char *buf, int cc)
}
break;
case ICMP_EXT_IFINFO:
+   /* RFC 5837: Extending ICMP for Interface and Next-Hop
+* Identification */
+   mtu = 0;
+   ifindex = 0;
+   addr.s_addr = INADDR_ANY;
+   name = NULL;
+   if (objhdr.ieo_ctype & 0x80)
+   printf("(fwd");
+   else
+   printf("(recv");
+   /* must parse in this order */
+   if (objhdr.ieo_ctype & 0x08) {
+   /* ifIndex */
+   if (olen < sizeof(u_int32_t)) {
+   printf("|)");
+   return;
+   }
+   memcpy(&ifindex, buf, sizeof(u_int32_t));
+   ifindex = ntohl(ifindex);
+   buf += sizeof(u_int32_t);
+

Re: sender expansions for opensmtpd(try 2)

2010-09-08 Thread Gilles Chehade

ok by me, committed

gilles

On 09/06/10 11:48, Gregory Edigarov wrote:

Hi everybody,

The following diff adds sender expansions to OpenSMTPD.
%U for sender localpart
%D for sender domainpart

--- lka.c.orig  Sun Jun 20 12:56:26 2010
+++ lka.c   Sun Sep  5 16:41:37 2010
@@ -55,11 +55,11 @@
  struct lkasession *lka_session_init(struct smtpd *, struct message *);
  void  lka_request_forwardfile(struct smtpd *, struct lkasession *, 
struct path *);
  void  lka_clear_expandtree(struct expandtree *);
  void  lka_clear_deliverylist(struct deliverylist *);
  char   *lka_encode_secret(struct map_secret *);
-size_t lka_expand(char *, size_t, struct path *);
+size_t lka_expand(char *, size_t, struct path *,struct path *);
  void  lka_rcpt_action(struct smtpd *, char *, struct path *);
  void  lka_session_destroy(struct smtpd *, struct lkasession *);
  void  lka_expansion_done(struct smtpd *, struct lkasession *);
  void  lka_session_fail(struct smtpd *, struct lkasession *);
  void  lka_queue_append(struct smtpd *, struct lkasession *, int);
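Review bot: The new prototype `lka_expand(char *, size_t, struct path *,struct path *)` drops the space after the comma, unlike every other declaration in this list; `size_t lka_expand(char *, size_t, struct path *, struct path *);` matches them. The same spacing slips recur in the third hunk (`strlen (sender->user)`, `strncmp(p,"%D",2)`) and in the caller hunk (`path,&message.sender`).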
@@ -370,20 +370,19 @@
  {
return 1;
  }

  size_t
-lka_expand(char *buf, size_t len, struct path *path)
+lka_expand(char *buf, size_t len, struct path *path, struct path *sender)
  {
char *p, *pbuf;
struct rule r;
size_t ret;
struct passwd *pw;

bzero(r.r_value.path, MAXPATHLEN);
pbuf = r.r_value.path;
-
ret = 0;
for (p = path->rule.r_value.path; *p != '\0'; ++p) {
if (p == path->rule.r_value.path&&  *p == '~') {
if (*(p + 1) == '/' || *(p + 1) == '\0') {
pw = getpwnam(path->pw_name);
@@ -422,10 +421,26 @@
pbuf += strlen(pw->pw_dir);
p += strlen(username);
continue;
}
}
+   if (strncmp(p, "%U", 2) == 0) {
+   ret += strlcat(pbuf, sender->user, len);
+   if (ret>= len)
+   return ret;
+   pbuf += strlen (sender->user);
+   ++p;
+   continue;
+   }
+   if (strncmp(p,"%D",2) == 0) {
+   ret += strlcat(pbuf, sender->domain, len);
+   if (ret>= len)
+   return ret;
+   pbuf += strlen(sender->domain);
+   ++p;
+   continue;
+   }
if (strncmp(p, "%a", 2) == 0) {
ret += strlcat(pbuf, path->user, len);
if (ret>= len)
return ret;
pbuf += strlen(path->user);
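Review bot: Both new branches call `strlcat(pbuf, sender->user, len)` after `pbuf` has been advanced past earlier expansions, so the size passed is the whole buffer rather than the space left after `pbuf`, and the `ret >= len` test cannot catch a copy that has already run off the end of r.r_value.path. The existing `%a` branch has the same accounting, but these lines add two more specifiers driven by `sender`, which the caller hunk fills from `message.sender` — envelope data, if I read that right — so a long localpart combined with a format holding several specifiers reaches the overrun. Assuming `len` is the size of that buffer as the caller's sizeof suggests, bounding by the remaining space, `strlcat(pbuf, sender->user, len - (pbuf - r.r_value.path))`, is the minimal fix for these lines; the `%a` branch and the loop's bookkeeping deserve the same treatment. lka_expand begins and ends outside this hunk.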
@@ -680,11 +695,11 @@
return;
}

/* send next item to queue */
message = s->message;
-   lka_expand(path->rule.r_value.path, sizeof(path->rule.r_value.path), 
path);
+   lka_expand(path->rule.r_value.path, sizeof(path->rule.r_value.path), 
path,&message.sender);
message.recipient = *path;
sep = strchr(message.session_hostname, '@');
if (sep) {
*sep = '\0';
uid = strtonum(message.session_hostname, 0, UID_MAX,&errstr);




ipv6 support for tftp

2010-09-08 Thread Gleydson Soares
hi,

- ipv6 support for tftp client.

based on an old diff by itojun.

[demime 1.01d removed an attachment of type text/x-diff]



Stay connected to the latest restaurant products and services

2010-09-08 Thread Nation's Restaurant News
If you have problems viewing this message, click below:
http://www.magnetmail.net/actions/email_web_version.cfm?recipient_id=18203973
8&message_id=1082084&user_id=Lebhar_ENT&group_id=265105


Join over 1,000 users a day who visit Anything4Restaurants.com
(http://www.Anything4Restaurants.com?utm_source=NRN%20Advertising&utm_medium=
Newsletter&utm_term=POSITION&utm_content=NRN-MKT-A4R%20Social%20to%20Operator
s%20Aug%202010&utm_campaign=Stay%20connected%20to%20the%20latest%20restaurant
%20products%20and%20services)

Since launching two years ago Anything4Restaurants.com
(http://www.Anything4Restaurants.com?utm_source=NRN%20Advertising&utm_medium=
Newsletter&utm_term=POSITION&utm_content=NRN-MKT-A4R%20Social%20to%20Operator
s%20Aug%202010&utm_campaign=Stay%20connected%20to%20the%20latest%20restaurant
%20products%20and%20services) has become established as the online marketplace
built exclusively for the foodservice industry. With over 3,000 suppliers
listed and more than 130,000 products to help run a restaurant, A4R.com has
everything you need, all in one place.

Staying connected is easy:

Bookmark Anything4Restaurants.com
(http://www.Anything4Restaurants.com?utm_source=NRN%20Advertising&utm_medium=
Newsletter&utm_term=POSITION&utm_content=NRN-MKT-A4R%20Social%20to%20Operator
s%20Aug%202010&utm_campaign=Stay%20connected%20to%20the%20latest%20restaurant
%20products%20and%20services) and visit often to browse new products

Follow A4R.com on Twitter: www.twitter.com/a4rdotcom
(http://www.twitter.com/a4rdotcom)

Become a fan of A4R.com on Facebook: www.facebook.com/A4Rdotcom
(http://www.facebook.com/A4Rdotcom)

If you need any more information on how to get connected with A4R.com, contact
Tom Dillon at tdil...@anything4restaurants.com
(mailto:tdil...@anything4restaurants.com).


Become a fan of Nation's Restaurant News on Facebook and follow us on
Twitter:
www.facebook.com/RestaurantNews (http://www.facebook.com/RestaurantNews)
http://twitter.com/NRNonline (http://twitter.com/NRNonline)
http://twitter.com/NRNmarketing (http://twitter.com/NRNmarketing)
**
425 Park Avenue, New York, NY 10022

Periodically, we will inform you of related conferences, educational
information, products and other offers that we believe you will find helpful
in your profession.
**
Use this link to unsubscribe:
http://www.magnetmail.net/Actions/unsubscribe.cfm?message_id=1082084&user_id=
Lebhar_ENT&recipient_id=182039738&email=t...@openbsd.org&group_id=265105



Re: ipv6 support for tftp

2010-09-08 Thread Gleydson Soares
On Wed, Sep 08, 2010 at 11:51:11AM -0300, Gleydson Soares wrote:
> hi,
> 
> - ipv6 support for tftp client.
> 
> based on an old itojun's diff.

i forgot to attach the diff inline.
Index: tftpsubs.c
===
RCS file: /cvs/src/usr.bin/tftp/tftpsubs.c,v
retrieving revision 1.14
diff -u -r1.14 tftpsubs.c
--- tftpsubs.c  27 Oct 2009 23:59:44 -  1.14
+++ tftpsubs.c  8 Sep 2010 14:01:19 -
@@ -258,7 +258,7 @@
 {
int i, j = 0;
charrbuf[SEGSIZE_MIN];
-   struct sockaddr_in  from;
+   struct sockaddr_storage from;
socklen_t   fromlen;
 
for (;;) {
Index: tftp.c
===
RCS file: /cvs/src/usr.bin/tftp/tftp.c,v
retrieving revision 1.22
diff -u -r1.22 tftp.c
--- tftp.c  27 Oct 2009 23:59:44 -  1.22
+++ tftp.c  8 Sep 2010 14:01:39 -
@@ -58,7 +58,7 @@
 #include "tftpsubs.h"
 
 static int makerequest(int, const char *, struct tftphdr *, const char *);
-static voidnak(int);
+static voidnak(int, struct sockaddr *);
 static voidtpacket(const char *, struct tftphdr *, int);
 static voidstartclock(void);
 static voidstopclock(void);
@@ -67,7 +67,7 @@
 static voidoack(struct tftphdr *, int, int);
 static int oack_set(const char *, const char *);
 
-extern struct sockaddr_in   peeraddr;  /* filled in by main */
+extern struct sockaddr_storage  peeraddr;  /* filled in by main */
 extern int  f; /* the opened socket */
 extern int  trace;
 extern int  verbose;
@@ -124,7 +124,8 @@
 sendfile(int fd, char *name, char *mode)
 {
struct tftphdr  *dp, *ap; /* data and ack packets */
-   struct sockaddr_in   from;
+   struct sockaddr_storage  from;
+   struct sockaddr_storage peer;
struct pollfdpfd[1];
unsigned longamount;
socklen_tfromlen;
@@ -138,6 +139,7 @@
convert = !strcmp(mode, "netascii");
block = 0;
amount = 0;
+   memcpy(&peer, &peeraddr, peeraddr.ss_len);
 
do {
/* read data from file */
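Review bot: `memcpy(&peer, &peeraddr, peeraddr.ss_len)` copies only as many bytes as main stored in the length field, so the tail of `peer` is left indeterminate and the copy's bound is whatever ss_len holds rather than sizeof peer. Both are struct sockaddr_storage, so plain assignment `peer = peeraddr;` is simpler, initialises the whole object and does not depend on the length field being set; the same applies to the identical line in the recvfile hunk below. sendfile's body continues outside this hunk.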
@@ -146,7 +148,7 @@
else {
size = readit(file, &dp, convert, segment_size);
if (size < 0) {
-   nak(errno + 100);
+   nak(errno + 100, (struct sockaddr *)&peer);
break;
}
dp->th_opcode = htons((u_short)DATA);
@@ -164,8 +166,8 @@
if (trace)
tpacket("sent", dp, size + 4);
if (sendto(f, dp, size + 4, 0,
-   (struct sockaddr *)&peeraddr,
-   sizeof(peeraddr)) != size + 4) {
+   (struct sockaddr *)&peer,
+   peer.ss_len) != size + 4) {
warn("sendto");
goto abort;
}
@@ -202,7 +204,19 @@
warn("recvfrom");
goto abort;
}
-   peeraddr.sin_port = from.sin_port;  /* added */
+   switch (peer.ss_family) {   /* added */
+   case AF_INET:
+   ((struct sockaddr_in *)&peer)->sin_port =
+   ((struct sockaddr_in *)&from)->sin_port;
+   break;
+   case AF_INET6:
+   ((struct sockaddr_in6 *)&peer)->sin6_port =
+   ((struct sockaddr_in6 *)&from)->sin6_port;
+   break;
+   default:
+   /* unsupported */
+   break;
+   }
if (trace)
tpacket("received", ap, n);
 
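Review bot: The switch adopts the port from `from` by casting it to `peer`'s family without checking that `from.ss_family` is the same, and the `default:` arm silently continues with the old port. Both cases are unlikely on a single-family socket, but a guard in front of the switch, `if (from.ss_family != peer.ss_family) { warnx("unexpected address family"); goto abort; }`, is cheap and turns a silent mismatch into a visible failure using the abort path the hunk above already uses. sendfile's body continues outside this hunk.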
@@ -256,7 +270,8 @@
 recvfile(int fd, char *name, char *mode)
 {
struct tftphdr  *dp, *ap; /* data and ack packets */
-   struct sockaddr_in   from;
+   struct sockaddr_storage  from;
+   struct sockaddr_storage peer;
struct pollfdpfd[1];
unsigned longamount;
socklen_tfromlen;
@@ -273,6 +288,7 @@
block = 1;
amount = 0;
firsttrip = 1;
+   memcpy(&peer, &peeraddr, peeraddr.ss_len);
 
 options:
do {
@@ -298,8 +314,8 @@
if (trace)
tpacket("sent", ap, size);
if (sendto(f, ackbuf, size, 0

Re: "generating new host key..."

2010-09-08 Thread Ted Unangst
On Tue, Sep 7, 2010 at 7:18 PM, Alexander Hall  wrote:
> $ which true false
> /usr/bin/true
> /usr/bin/false
>
> while those should be available to /etc/rc, I'd prefer not using them.

-5 points for using which. :)

$ whence -v true
true is a shell builtin

I happen to think that explicit true and false values make things
easier to read, without as much [ ] noise.



Re: "generating new host key..."

2010-09-08 Thread Bret S. Lambert
On Wed, Sep 08, 2010 at 11:39:59AM -0400, Ted Unangst wrote:
> On Tue, Sep 7, 2010 at 7:18 PM, Alexander Hall  wrote:
> > $ which true false
> > /usr/bin/true
> > /usr/bin/false
> >
> > while those should be available to /etc/rc, I'd prefer not using them.
> 
> -5 points for using which. :)
> 
> $ whence -v true
> true is a shell builtin
> 
> I happen to think that explicit true and false values make things
> easier to read, without as much [ ] noise.
> 

Truly, you do not grasp the simple elegance of a banana-shaped bikeshed.



Re: ipv6 support for tftp

2010-09-08 Thread Paul de Weerd
On Wed, Sep 08, 2010 at 09:35:10AM -0300, Gleydson Soares wrote:
| On Wed, Sep 08, 2010 at 11:51:11AM -0300, Gleydson Soares wrote:
| > hi,
| > 
| > - ipv6 support for tftp client.
| > 
| > based on an old itojun's diff.
| 
| i forgot to attach the diff inline.

Works for me:

[we...@impreza] $ tftp 2001:7b8:3af::1
tftp> get bsd.rd
Received 7241454 bytes in 7.5 seconds

Thanks,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: AES-GCM Part 3: isakmpd

2010-09-08 Thread Mike Belopuhov
changes:

made sure that we won't generate quick mode config strings
with gcm and other hashes (the very first hunk of the diff).
pointed out by naddy.

Index: conf.c
===
RCS file: /home/cvs/src/sbin/isakmpd/conf.c,v
retrieving revision 1.98
diff -u -p -r1.98 conf.c
--- conf.c  4 Aug 2010 18:09:45 -   1.98
+++ conf.c  8 Sep 2010 17:04:57 -
@@ -402,6 +402,11 @@ conf_load_defaults_qm(int tr, char *qme,
if (pfs == 0 && strcmp(dhg_p, ""))
return;
 
+   /* For GCM no additional authentication must be specified */
+   if (proto == 0 && strcmp(qmh, "NONE") != 0 &&
+   (strcmp(qme, "AESGCM") == 0 || strcmp(qme, "AESGMAC") == 0))
+   return;
+
snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),
MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p);
 
@@ -428,13 +433,19 @@ conf_load_defaults_qm(int tr, char *qme,
if (strcmp(qme ,"BLOWFISH") == 0)
conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
 1);
-   else if (strcmp(qme_p ,"-AES-128") == 0)
+   else if (strcmp(qme_p, "-AES-128") == 0 ||
+   strcmp(qme_p, "-AESGCM-128") == 0 ||
+   strcmp(qme_p, "-AESGMAC-128") == 0)
conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
-   else if (strcmp(qme_p ,"-AES-192") == 0)
+   else if (strcmp(qme_p, "-AES-192") == 0 ||
+   strcmp(qme_p, "-AESGCM-192") == 0 ||
+   strcmp(qme_p, "-AESGMAC-192"))
conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
-else if (strcmp(qme_p ,"-AES-256") == 0)
-conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
-   else if (strcmp(qme ,"AES") == 0)
+   else if (strcmp(qme_p, "-AES-256") == 0 ||
+   strcmp(qme_p, "-AESGCM-256") == 0 ||
+   strcmp(qme_p, "-AESGMAC-256") == 0)
+   conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
+   else if (strcmp(qme, "AES") == 0)
conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
 1);
 
@@ -472,9 +483,13 @@ conf_load_defaults(int tr)
char*dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
"-GRP15", 0};
char*qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES",
-   "AES", "AES", "AES", "AES_128_CTR", "NULL", "NONE", 0};
+   "AES", "AES", "AES", "AESCTR", "AESGCM", "AESGCM",
+   "AESGCM", "AESGMAC", "AESGMAC", "AESGMAC", "NULL",
+   "NONE", 0};
char*qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES",
-   "-AES-128", "-AES-192", "-AES-256", "-AESCTR", "-NULL",
+   "-AES-128", "-AES-192", "-AES-256", "-AESCTR",
+   "-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
+   "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL",
"", 0};
char*qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
"HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
Index: ipsec.c
===
RCS file: /home/cvs/src/sbin/isakmpd/ipsec.c,v
retrieving revision 1.135
diff -u -p -r1.135 ipsec.c
--- ipsec.c 29 Jun 2010 19:50:16 -  1.135
+++ ipsec.c 6 Sep 2010 14:48:49 -
@@ -975,7 +975,7 @@ ipsec_validate_transform_id(u_int8_t pro
transform_id > IPSEC_AH_RIPEMD ? -1 : 0;
case IPSEC_PROTO_IPSEC_ESP:
return transform_id < IPSEC_ESP_DES_IV64 ||
-   (transform_id > IPSEC_ESP_AES_128_CTR &&
+   (transform_id > IPSEC_ESP_AES_GMAC &&
transform_id < IPSEC_ESP_AES_MARS) ||
transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0;
case IPSEC_PROTO_IPCOMP:
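Review bot: Raising the upper bound from IPSEC_ESP_AES_128_CTR to IPSEC_ESP_AES_GMAC makes ipsec_validate_transform_id accept every id between them, yet the ipsec_num.cst hunk below defines only 20 (AES_GCM_16) and 23 (AES_GMAC) above 13; ids 14–19, 21 and 22 now pass validation with no transform behind them. If those ids are not meant to be accepted, keep the `IPSEC_ESP_AES_128_CTR` bound and add `transform_id != IPSEC_ESP_AES_GCM_16 && transform_id != IPSEC_ESP_AES_GMAC &&` to the range clause so only the two new transforms are let through. I cannot see whether the gap ids are handled elsewhere, so this may be intentional; a comment on the bound would settle it either way.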
@@ -1788,6 +1788,11 @@ ipsec_esp_enckeylength(struct proto *pro
return iproto->keylen / 8;
case IPSEC_ESP_AES_128_CTR:
return 20;
+   case IPSEC_ESP_AES_GCM_16:
+   case IPSEC_ESP_AES_GMAC:
+   if (!iproto->keylen)
+   return 20;
+   return iproto->keylen / 8 + 4;
case IPSEC_ESP_AES:
if (!iproto->keylen)
return 16;
Index: ipsec_num.cst
===
RCS file: /home/cvs/src/sbin/isakmpd/ipsec_num.cst,v
retrieving revision 1.16
diff -u -p -r1.16 ipsec_num.cst
--- ipsec_num.cst   14 Jun 2005 10:50:47 -  1.16
+++ ipsec_num.cst   30 Aug 2010 18:15:03 -
@@ -235,6 +235,8 @@ IPSEC_ESP
   NULL 11
   AES  12
   AES_128_CTR  13
+  AES_GCM_16   20
+  AES_GMAC 23
   AES_MARS

Re: "generating new host key..."

2010-09-08 Thread Alexander Hall
On 09/08/10 17:39, Ted Unangst wrote:
> On Tue, Sep 7, 2010 at 7:18 PM, Alexander Hall  wrote:
>> $ which true false
>> /usr/bin/true
>> /usr/bin/false
>>
>> while those should be available to /etc/rc, I'd prefer not using them.
> 
> -5 points for using which. :)

Ah fuck. Yes. Darn. :-d

> $ whence -v true
> true is a shell builtin
> 
> I happen to think that explicit true and false values make things
> easier to read, without as much [ ] noise.

Yup. I totally agree then. :)



Re: AES-GCM Part 4: ipsecctl

2010-09-08 Thread Mike Belopuhov
changes:

- don't allow other hashes with gcm.  pointed out by naddy.

Index: ike.c
===
RCS file: /home/cvs/src/sbin/ipsecctl/ike.c,v
retrieving revision 1.67
diff -u -p -r1.67 ike.c
--- ike.c   4 Oct 2009 11:39:32 -   1.67
+++ ike.c   6 Sep 2010 14:30:01 -
@@ -161,6 +161,7 @@ static int
 ike_section_p2(struct ipsec_rule *r, FILE *fd)
 {
char*exchange_type, *sprefix;
+   int needauth = 1;
 
switch (r->p2ie) {
case IKE_QM:
@@ -224,6 +225,30 @@ ike_section_p2(struct ipsec_rule *r, FIL
case ENCXF_AESCTR:
fprintf(fd, "AESCTR");
break;
+   case ENCXF_AES_128_GCM:
+   fprintf(fd, "AESGCM-128");
+   needauth = 0;
+   break;
+   case ENCXF_AES_192_GCM:
+   fprintf(fd, "AESGCM-192");
+   needauth = 0;
+   break;
+   case ENCXF_AES_256_GCM:
+   fprintf(fd, "AESGCM-256");
+   needauth = 0;
+   break;
+   case ENCXF_AES_128_GMAC:
+   fprintf(fd, "AESGMAC-128");
+   needauth = 0;
+   break;
+   case ENCXF_AES_192_GMAC:
+   fprintf(fd, "AESGMAC-192");
+   needauth = 0;
+   break;
+   case ENCXF_AES_256_GMAC:
+   fprintf(fd, "AESGMAC-256");
+   needauth = 0;
+   break;
case ENCXF_BLOWFISH:
fprintf(fd, "BLF");
break;
@@ -232,6 +257,7 @@ ike_section_p2(struct ipsec_rule *r, FIL
break;
case ENCXF_NULL:
fprintf(fd, "NULL");
+   needauth = 0;
break;
default:
warnx("illegal transform %s",
@@ -270,43 +296,44 @@ ike_section_p2(struct ipsec_rule *r, FIL
warnx("illegal transform %s", r->p2xfs->authxf->name);
return (-1);
}
-   } else
-   fprintf(fd, "SHA2-256");
+   fprintf(fd, "-");
+   } else if (needauth)
+   fprintf(fd, "SHA2-256-");
 
if (r->p2xfs && r->p2xfs->groupxf) {
switch (r->p2xfs->groupxf->id) {
case GROUPXF_NONE:
break;
case GROUPXF_768:
-   fprintf(fd, "-PFS-GRP1");
+   fprintf(fd, "PFS-GRP1");
break;
case GROUPXF_1024:
-   fprintf(fd, "-PFS-GRP2");
+   fprintf(fd, "PFS-GRP2");
break;
case GROUPXF_1536:
-   fprintf(fd, "-PFS-GRP5");
+   fprintf(fd, "PFS-GRP5");
break;
case GROUPXF_2048:
-   fprintf(fd, "-PFS-GRP14");
+   fprintf(fd, "PFS-GRP14");
break;
case GROUPXF_3072:
-   fprintf(fd, "-PFS-GRP15");
+   fprintf(fd, "PFS-GRP15");
break;
case GROUPXF_4096:
-   fprintf(fd, "-PFS-GRP16");
+   fprintf(fd, "PFS-GRP16");
break;
case GROUPXF_6144:
-   fprintf(fd, "-PFS-GRP17");
+   fprintf(fd, "PFS-GRP17");
break;
case GROUPXF_8192:
-   fprintf(fd, "-PFS-GRP18");
+   fprintf(fd, "PFS-GRP18");
break;
default:
warnx("illegal group %s", r->p2xfs->groupxf->name);
return (-1);
};
} else
-   fprintf(fd, "-PFS");
+   fprintf(fd, "PFS");
fprintf(fd, "-SUITE force\n");
 
return (0);
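Review bot: `needauth` only suppresses the default `SHA2-256-`; when the rule names an authentication transform together with a GCM, GMAC or NULL encryption, the branch ending at `fprintf(fd, "-");` still emits it, and the conf.c change in Part 3 deliberately generates no QM section for that combination. If the code above this hunk does not already reject it, a check at the top of that branch, `if (!needauth) { warnx("authentication %s not allowed with this transform", r->p2xfs->authxf->name); return (-1); }`, would fail the rule at ipsecctl time with a clear message instead of at isakmpd section lookup. The start of ike_section_p2 and of the authxf branch lie outside this hunk.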
Index: ipsec.conf.5
===
RCS file: /home/cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.126
diff -u -p -r1.126 ipsec.conf.5
--- ipsec.conf.57 Jun 2010 08:32:58 -   1.126
+++ ipsec.conf.56 Sep 2010 11:41:52 -
@@ -612,6 +612,12 @@ keyword:
 .It Li aes-192 Ta "192 bits"
 .It Li aes-256 Ta "256 bits"
 .It Li aesctr Ta "160 bits" T

lookup -> vfs_lookup

2010-09-08 Thread Thordur I Bjornsson
i've always been annoyed with the oh so very generic name
"lookup" for the vfs lookup routine, so rename it and the
relookup routine to vfs_lookup and vfs_relookup.

comments/oks?

Index: kern/vfs_lookup.c
===
RCS file: /home/cvs/src/sys/kern/vfs_lookup.c,v
retrieving revision 1.42
diff -u -p -r1.42 vfs_lookup.c
--- kern/vfs_lookup.c   20 May 2010 02:32:02 -  1.42
+++ kern/vfs_lookup.c   8 Sep 2010 21:30:43 -
@@ -179,7 +179,7 @@ namei(struct nameidata *ndp)
}
cnp->cn_nameptr = cnp->cn_pnbuf;
ndp->ni_startdir = dp;
-   if ((error = lookup(ndp)) != 0) {
+   if ((error = vfs_lookup(ndp)) != 0) {
pool_put(&namei_pool, cnp->cn_pnbuf);
return (error);
}
@@ -293,7 +293,7 @@ badlink:
  * if WANTPARENT set, return unlocked parent in ni_dvp
  */
 int
-lookup(struct nameidata *ndp)
+vfs_lookup(struct nameidata *ndp)
 {
char *cp;   /* pointer into pathname argument */
struct vnode *dp = 0;   /* the directory we are searching */
@@ -613,7 +613,7 @@ bad:
  * Reacquire a path name component.
  */
 int
-relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp)
+vfs_relookup(struct vnode *dvp, struct vnode **vpp, struct componentname *cnp)
 {
struct proc *p = cnp->cn_proc;
struct vnode *dp = 0;   /* the directory we are searching */
Index: msdosfs/msdosfs_vnops.c
===
RCS file: /home/cvs/src/sys/msdosfs/msdosfs_vnops.c,v
retrieving revision 1.73
diff -u -p -r1.73 msdosfs_vnops.c
--- msdosfs/msdosfs_vnops.c 6 Sep 2010 23:44:10 -   1.73
+++ msdosfs/msdosfs_vnops.c 8 Sep 2010 21:36:24 -
@@ -957,7 +957,7 @@ abortit:
goto out;
if ((tcnp->cn_flags & SAVESTART) == 0)
panic("msdosfs_rename: lost to startdir");
-   if ((error = relookup(tdvp, &tvp, tcnp)) != 0)
+   if ((error = vfs_relookup(tdvp, &tvp, tcnp)) != 0)
goto out;
dp = VTODE(tdvp);
xp = tvp ? VTODE(tvp) : NULL;
@@ -1007,7 +1007,7 @@ abortit:
panic("msdosfs_rename: lost from startdir");
if (!newparent)
VOP_UNLOCK(tdvp, 0, p);
-   (void) relookup(fdvp, &fvp, fcnp);
+   (void) vfs_relookup(fdvp, &fvp, fcnp);
if (fvp == NULL) {
/*
 * From name has disappeared.
Index: nfs/nfs_serv.c
===
RCS file: /home/cvs/src/sys/nfs/nfs_serv.c,v
retrieving revision 1.90
diff -u -p -r1.90 nfs_serv.c
--- nfs/nfs_serv.c  29 Mar 2010 23:33:39 -  1.90
+++ nfs/nfs_serv.c  8 Sep 2010 21:31:30 -
@@ -997,7 +997,7 @@ nfsrv_create(struct nfsrv_descript *nfsd
nd.ni_cnd.cn_flags &= ~(LOCKPARENT | SAVESTART);
nd.ni_cnd.cn_proc = procp;
nd.ni_cnd.cn_cred = cred;
-   if ((error = lookup(&nd)) != 0) {
+   if ((error = vfs_lookup(&nd)) != 0) {
pool_put(&namei_pool, nd.ni_cnd.cn_pnbuf);
nfsm_reply(0);
error = 0;
@@ -1194,7 +1194,7 @@ nfsrv_mknod(struct nfsrv_descript *nfsd,
nd.ni_cnd.cn_flags &= ~(LOCKPARENT | SAVESTART);
nd.ni_cnd.cn_proc = procp;
nd.ni_cnd.cn_cred = procp->p_ucred;
-   error = lookup(&nd);
+   error = vfs_lookup(&nd);
pool_put(&namei_pool, nd.ni_cnd.cn_pnbuf);
if (error)
goto out;
@@ -1712,7 +1712,7 @@ nfsrv_symlink(struct nfsrv_descript *nfs
nd.ni_cnd.cn_flags |= (NOFOLLOW | LOCKLEAF);
nd.ni_cnd.cn_proc = procp;
nd.ni_cnd.cn_cred = cred;
-   error = lookup(&nd);
+   error = vfs_lookup(&nd);
if (!error) {
bzero((caddr_t)fhp, sizeof(nfh));
fhp->fh_fsid = nd.ni_vp->v_mount->mnt_stat.f_fsid;
Index: nfs/nfs_subs.c
===
RCS file: /home/cvs/src/sys/nfs/nfs_subs.c,v
retrieving revision 1.109
diff -u -p -r1.109 nfs_subs.c
--- nfs/nfs_subs.c  6 Sep 2010 23:44:10 -   1.109
+++ nfs/nfs_subs.c  8 Sep 2010 21:40:04 -
@@ -1252,7 +1252,7 @@ nfs_namei(struct nameidata *ndp, fhandle
 * And call lookup() to do the real work
 */
cnp->cn_proc = p;
-   error = lookup(ndp);
+   error = vfs_lookup(ndp);
if (error)
goto out;
/*
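Review bot: The comment two lines above the changed call still reads `And call lookup() to do the real work` while the call is now `vfs_lookup(ndp)`; update it to `* And call vfs_lookup() to do the real work` so the text follows the rename. The header comments of vfs_lookup() and vfs_relookup() in vfs_lookup.c are outside the view of their hunks and may need the same pass. nfs_namei's body continues outside this hunk.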
Index: sys/namei.h
===
RCS

Još samo 2 dana da obradujete mališane

2010-09-08 Thread Top Shop
Poštovani,

Ostalo je još samo 2 dana da svoje mališane obradujete igračkom i
dodatnim poklonom.

Obradujte svoje dete duplim poklonom i izmamite mu osmeh! Požurite, jer
ostalo je još samo 5 kompleta Beach Circle Racket - dečijih reketa koje
dobijate na poklon uz svaku poručenu igračku iz ove ponude!

•

Doris - kreativna igra i slagalica za sve uzraste, uz POPUST!

•

Art Kocke - jedinstvenog dizajna, razvijaju motoričke sposobnosti i
pospešuju kreativnost!

•

Hama Dizni princeze - perlice sa likom Dizni princeze.

•

Hama Ben Ten - perlice sa likom Ben Tena, najpopularnijeg superheroja!

•

Hama safari - složite figurice svojih omiljenih životinja sa safarija!

•

Hama Winnie The Pooh - perlice čine likove Vini Pua i njegove družine!

•

Klasici Crtanog filma - 5 DVD starih, dobrih crtaća!

Požurite i iskoristite ovu sjajnu ponudu za najmlađe još danas - ova
ponuda traje samo do 9. septembra!

Najatraktivnije iz Quelle asortimana uz čak 40% popusta na sve!

Vaš
Top Shop

Ovu elektronsku poštu primate, ukoliko ste svojevoljno ostavili svoju
e-mail adresu na nekom od sajtova Top Shop-a, učestvovali u našoj poklon
igri ili nagradnom kvizu ili se prijavili za e-časopis Top Shop-a ili
nekog od naših brendova.

Ponude date u ovom e-mailu važe isključivo za porudžbine upućene
putem Interneta ili broja telefona 021 489 26 60.

Ukoliko ne želite više da primate naše elektronske poruke, za
odjavljivanje sa naše e-mailing liste, kliknite ovde.

Studio Moderna d.o.o., Bulevar vojvode Stepe 30, 21000 Novi Sad, Tel: 021
489 26 60, Fax: 021 489 29 08,
E-mail: i...@news.top-shop.rs

[IMAGE]If you would no longer like to receive our emails please
unsubscribe by clicking here.



pthread_join() not interruptable?

2010-09-08 Thread patrick keshishian
Hola,

I'm not sure if the subject line is worded correctly, but chasing
another problem I noticed that a thread (e.g., main thread) after call
to pthread_join() isn't interrupted to handle signals.

Same .c file on another OS works as expected.

Is my expectation or .c file incorrect, or is this a bug in OpenBSD?

I expect after compiling following .c file, and running the resulting
executable, to be able to ^C and have it nicely quit.

--patrick



$ cat foo.c
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

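/*
 * Set from sigh() in signal context and polled by thr1() and main().
 * volatile sig_atomic_t is the type the C standard guarantees can be
 * written by a handler and read elsewhere without a data race or a
 * cached read in the polling loops; a plain int promises neither.
 */
volatile sig_atomic_t quit;

/* prototypes */
void	sigh(int);
void	*thr1(void *);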

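/*
 * Handler for SIGTERM and SIGINT: raise quit and report the signal
 * number on stdout as "Caught signal:<n>\n", the same text the original
 * printf(3) call produced.
 *
 * Only async-signal-safe calls are made.  printf(3) is not safe inside a
 * handler, so the line is assembled by hand and emitted with a single
 * write(2).  The write(2) result is discarded on purpose: there is no
 * sensible recovery from a failed diagnostic here.
 */
void
sigh(int sig)
{
	char		msg[32];	/* "Caught signal:" + '-' + 10 digits + '\n' */
	char		digits[16];	/* decimal digits, least significant first */
	size_t		n = 0, d = 0;
	unsigned int	v;
	const char	*p;

	quit = 1;

	for (p = "Caught signal:"; *p != '\0'; p++)
		msg[n++] = *p;
	if (sig < 0) {
		msg[n++] = '-';
		v = 0u - (unsigned int)sig;	/* no signed overflow for INT_MIN */
	} else
		v = (unsigned int)sig;
	do {
		digits[d++] = (char)('0' + v % 10);
		v /= 10;
	} while (v != 0);
	while (d > 0)
		msg[n++] = digits[--d];
	msg[n++] = '\n';
	(void)write(STDOUT_FILENO, msg, n);
}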

/*
 * Worker thread started by main(): masks every signal for itself, then
 * writes a dot to stderr once a second until quit becomes non-zero, and
 * finally terminates with pthread_exit(NULL).  arg is unused.
 *
 * With the full mask installed here, sigh() can only run in a thread
 * that has not blocked the signals, i.e. main.
 *
 * NOTE(review): pthread_sigmask() returns its error code instead of
 * setting errno, so the strerror() text err(3) appends is stale.
 */
void *
thr1(void *arg)
{
	sigset_t	everything;

	(void)arg;
	sigfillset(&everything);
	if (pthread_sigmask(SIG_SETMASK, &everything, NULL) != 0)
		err(1, "pthread_sigmask()");

	for (;;) {
		if (quit)
			break;
		fprintf(stderr, ".");
		sleep(1);
	}
	pthread_exit(NULL);
}

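/*
 * Install sigh() for SIGTERM and SIGINT, start thr1() and wait for it.
 *
 * The experiment is the pthread_join() wait: with HACKAROUND undefined
 * main blocks there and the question is whether a delivered SIGINT or
 * SIGTERM runs sigh().  With HACKAROUND defined main first polls quit
 * with sleep(1), the variant the author reports as quitting cleanly.
 *
 * Exits 0 on success; err(3) exits 1 if sigaction(2), pthread_create(3)
 * or pthread_join(3) fails.
 */
int
main(int argc, char *argv[])
{
	void			*prc;
	pthread_t		a;
	struct sigaction	sa;

	(void)argc;
	(void)argv;

	bzero(&sa, sizeof(sa));		/* sa_flags stays 0: no SA_RESTART */
	sigemptyset(&sa.sa_mask);
	sa.sa_handler = sigh;
	/* sigaction(2) reports failure through errno, so err(3) fits here */
	if (sigaction(SIGTERM, &sa, NULL) == -1)
		err(1, "sigaction(SIGTERM)");
	if (sigaction(SIGINT, &sa, NULL) == -1)
		err(1, "sigaction(SIGINT)");

	/*
	 * NOTE(review): pthread_create() returns its error code instead of
	 * setting errno, so err(3) prints a stale strerror() text; errc(3)
	 * or an explicit errno assignment would report the real cause.
	 */
	if (0 != pthread_create(&a, NULL, &thr1, NULL))
		err(1, "pthread_create()");

#ifdef HACKAROUND	// XXX
	// Compiling this bit in allows signal handler to
	// be invoked upon receiving desired signals.
	while (!quit)
		sleep(1);
#endif

	if (0 != pthread_join(a, &prc))
		err(1, "pthread_join()");
	/* thr1() exits with NULL, so this free is a no-op today */
	free(prc);
	exit(0);
}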
$ cc -g -O0 -pthread foo.c -o foo
$ ./foo
..^C.^C^C..^\Quit (core dumped)

$ cc -g -O0 -pthread foo.c -o foo -DHACKAROUND
$ ./foo
...^CCaught signal:2



$ sysctl kern.version
kern.version=OpenBSD 4.8-beta (GENERIC) #84: Tue Aug  3 10:03:35 MDT 2010
dera...@macppc.openbsd.org:/usr/src/sys/arch/macppc/compile/GENERIC



Re: pthread_join() not interruptable?

2010-09-08 Thread Marco S Hyman
> I'm not sure if the subject line is worded correctly, but chasing
> another problem I noticed that a thread (e.g., main thread) after call
> to pthread_join() isn't interrupted to handle signals.

Known bug with OpenBSD pthreads.  A sleeping thread will not get signaled
until it wakes for some other reason.  In the test program main is sleeping
in the call to pthread join.  It won't see any signals until thr1 exits.

If you enable interrupts in thr1 the program will terminate as expected.

Don't call printf from signal handlers.

/\/\arc



various fixes in smtpd's lka.c

2010-09-08 Thread Gilles Chehade
hi tech@,

In lka.c:lka_expand(), there is a bug which causes the function to miscompute
the remaining space in its expansion buffer. All strlcpy and strlcat
truncation tests then use the bogus value, making them useless. The consequence
is that IF you hit that bug you will crash at RCPT time [1][2].

oga@ spotted the bug and rewrote a correct and simpler version of lka_expand()
which fixes the crash and other known shortcomings. the caller now knows if an
expansion has failed allowing us to reject recipient at RCPT time, rather than
assuming the admin knows how to write a proper format :)

please test, especially if you use rules with formats:

accept [...] deliver to mda "/path/to/bin %u"


[1] you are unlikely to hit the bug unless you have an insanely long format
or many many many specifiers.
[2] lka_expand() only processes sanitized inputs.


lka_expand() rewrite by oga@, lka_queue_append() change by me


Index: lka.c
===
RCS file: /cvs/src/usr.sbin/smtpd/lka.c,v
retrieving revision 1.116
diff -u -p -r1.116 lka.c
--- lka.c   8 Sep 2010 13:46:18 -   1.116
+++ lka.c   8 Sep 2010 23:51:10 -
@@ -62,7 +62,7 @@ void  lka_rcpt_action(struct smtpd *, ch
 void   lka_session_destroy(struct smtpd *, struct lkasession *);
 void   lka_expansion_done(struct smtpd *, struct lkasession *);
 void   lka_session_fail(struct smtpd *, struct lkasession *);
-void   lka_queue_append(struct smtpd *, struct lkasession *, int);
+intlka_queue_append(struct smtpd *, struct lkasession *, int);
 
 u_int32_t lka_id;
 
@@ -376,24 +376,24 @@ lka_expand(char *buf, size_t len, struct
 {
char *p, *pbuf;
struct rule r;
-   size_t ret;
+   size_t ret, lret = 0;
struct passwd *pw;
 
bzero(r.r_value.path, MAXPATHLEN);
pbuf = r.r_value.path;
 
ret = 0;
-   for (p = path->rule.r_value.path; *p != '\0'; ++p) {
+   for (p = path->rule.r_value.path; *p != '\0';
+   ++p, len -= lret, pbuf += lret, ret += lret) {
if (p == path->rule.r_value.path && *p == '~') {
if (*(p + 1) == '/' || *(p + 1) == '\0') {
pw = getpwnam(path->pw_name);
if (pw == NULL)
-   continue;
+   return 0;
 
-   ret += strlcat(pbuf, pw->pw_dir, len);
-   if (ret >= len)
-   return ret;
-   pbuf += strlen(pw->pw_dir);
+   lret = strlcat(pbuf, pw->pw_dir, len);
+   if (lret >= len)
+   return 0;
continue;
}
 
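Review bot: The bookkeeping moved into the for-increment clause (`len -= lret, pbuf += lret, ret += lret`) is only correct if every path that reaches `continue` has assigned `lret` for the current pass, since nothing in the loop resets it; within this hunk each branch does, but the invariant is not written down. A comment on the loop header such as `/* lret: bytes the body appended this pass; every continue path must set it */` would make it explicit for the branches in the next hunk, including the one that reaches `goto copy` with lret still holding a strlcpy result. The unsigned `len -= lret` cannot wrap here because each append path returns 0 when `lret >= len`. lka_expand's body continues past this hunk.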
@@ -401,105 +401,81 @@ lka_expand(char *buf, size_t len, struct
char username[MAXLOGNAME];
char *delim;
 
-   ret = strlcpy(username, p + 1,
+   lret = strlcpy(username, p + 1,
sizeof(username));
-   delim = strchr(username, '/');
-   if (delim == NULL && ret >= sizeof(username)) {
-   continue;
-   }
+   if (lret >= sizeof(username))
+   return 0;
 
-   if (delim != NULL) {
-   *delim = '\0';
-   }
+   delim = strchr(username, '/');
+   if (delim == NULL)
+   goto copy;
+   *delim = '\0';
 
pw = getpwnam(username);
if (pw == NULL)
-   continue;
+   return 0;
 
-   ret += strlcat(pbuf, pw->pw_dir, len);
-   if (ret >= len)
-   return ret;
-   pbuf += strlen(pw->pw_dir);
+   lret = strlcat(pbuf, pw->pw_dir, len);
+   if (lret >= len)
+   return 0;
p += strlen(username);
continue;
}
}
-   if (strncmp(p, "%U", 2) == 0) {
-   ret += strlcat(pbuf, sender->user, len);
-   if (ret >= len)
-   return ret;
-   pbuf += strlen (sender->user)

pfctl(8) manpage minor addition

2010-09-08 Thread Anders Langworthy
I couldn't find clarification on this in the manpages and it seems to
be a common misconception.  Perhaps a note like the following would be
beneficial? (Apologies for gmail line mangling)

Index: pfctl.8
===
RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
retrieving revision 1.145
diff -u -p -r1.145 pfctl.8
--- pfctl.8 25 Jun 2010 23:27:47 -  1.145
+++ pfctl.8 9 Sep 2010 03:47:17 -
@@ -231,6 +231,7 @@ may contain macros, tables, options, and normalization
 translation, and filtering rules.
 With the exception of macros and tables, the statements must appear in that
 order.
+It is not necessary to flush existing rules before loading the new ruleset.
 .It Fl g
 Include output helpful for debugging.
 .It Fl h