carp(4) and Ethernet header

2015-04-09 Thread Martin Pieuchot
Same problem as with vlan(4).  carp(4) also needs to stop calling
ether_input() directly and that implies having an mbuf with the
correct Ethernet header prepended.

Index: netinet/ip_carp.c
===
RCS file: /cvs/src/sys/netinet/ip_carp.c,v
retrieving revision 1.249
diff -u -p -r1.249 ip_carp.c
--- netinet/ip_carp.c   7 Apr 2015 10:46:20 -   1.249
+++ netinet/ip_carp.c   9 Apr 2015 12:08:35 -
@@ -1434,11 +1434,15 @@ carp_our_mcastaddr(struct ifnet *ifp, u_
 int
 carp_input(struct ifnet *ifp0, struct ether_header *eh0, struct mbuf *m)
 {
-   struct ether_header eh;
+   struct ether_header *eh;
struct carp_if *cif = (struct carp_if *)ifp0-if_carp;
struct ifnet *ifp;
 
-   memcpy(eh, eh0, sizeof(eh));
+   M_PREPEND(m, sizeof(*eh), M_DONTWAIT);
+   if (m == NULL)
+   return (-1);
+   eh = mtod(m, struct ether_header *);
+   memmove(eh, eh0, sizeof(*eh));
 
if ((ifp = carp_ourether(cif, eh0-ether_dhost)))
;
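Review bot: the new `return (-1)` after M_PREPEND() gives carp_input() a third return value next to the `return (1)` and `return (0)` that close the later hunks, and nothing here documents what -1 means to the caller. M_PREPEND() has already freed the chain when it leaves m NULL, so the caller must treat this result as "mbuf consumed" and not touch m again; please state that in a comment above carp_input(), or reuse an existing return value if the caller only distinguishes zero from non-zero.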
@@ -1459,11 +1463,11 @@ carp_input(struct ifnet *ifp0, struct et
m0-m_pkthdr.rcvif = vh-sc_if;
 #if NBPFILTER  0
if (vh-sc_if.if_bpf)
-   bpf_mtap_hdr(vh-sc_if.if_bpf, (char *)eh,
-   ETHER_HDR_LEN, m0, BPF_DIRECTION_IN, NULL);
+   bpf_mtap_ether(vh-sc_if.if_bpf, m,
+   BPF_DIRECTION_IN);
 #endif
vh-sc_if.if_ipackets++;
-   ether_input(m0, eh);
+   ether_input_mbuf(vh-sc_if, m0);
}
return (1);
}
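Review bot: in the first `+` pair of this hunk, bpf_mtap_ether() is handed `m`, while the call it replaces tapped `m0` and the ether_input_mbuf() a few lines later also passes `m0`, whose m_pkthdr.rcvif was just pointed at this carp interface. If tapping the original rather than the per-interface copy is intended, say so in the commit message; otherwise pass m0 to bpf_mtap_ether() as well.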
@@ -1475,11 +1479,10 @@ carp_input(struct ifnet *ifp0, struct et
 
 #if NBPFILTER  0
if (ifp-if_bpf)
-   bpf_mtap_hdr(ifp-if_bpf, (char *)eh, ETHER_HDR_LEN, m,
-   BPF_DIRECTION_IN, NULL);
+   bpf_mtap_ether(ifp-if_bpf, m, BPF_DIRECTION_IN);
 #endif
ifp-if_ipackets++;
-   ether_input(m, eh);
+   ether_input_mbuf(ifp, m);
 
return (0);
 }



prevent short transfer in lptwrite()

2015-04-09 Thread Martin Natano
uio_resid may overflow when coerced to u_int, causing lptwrite() to
return early. Also, uiomovei() can be replaced with uiomove(), the size
argument is of type size_t anyway.

Index: dev/ic/lpt.c
===
RCS file: /cvs/src/sys/dev/ic/lpt.c,v
retrieving revision 1.13
diff -u -p -r1.13 lpt.c
--- dev/ic/lpt.c10 Feb 2015 21:56:09 -  1.13
+++ dev/ic/lpt.c9 Apr 2015 17:56:17 -
@@ -367,8 +367,8 @@ lptwrite(dev_t dev, struct uio *uio, int
size_t n;
int error = 0;
 
-   while ((n = min(LPT_BSIZE, uio-uio_resid)) != 0) {
-   error = uiomovei(sc-sc_cp = sc-sc_inbuf-b_data, n, uio);
+   while ((n = ulmin(LPT_BSIZE, uio-uio_resid)) != 0) {
+   error = uiomove(sc-sc_cp = sc-sc_inbuf-b_data, n, uio);
if (error != 0)
return error;
sc-sc_count = n;
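Review bot: ulmin() in the new loop condition takes and returns u_long, while uio_resid and n are both size_t, so the fix depends on u_long being at least as wide as size_t everywhere this driver builds. A one-line comment saying so, or a size_t-typed helper, would make the intent explicit and keep the next min()-style conversion from reintroducing the truncation. The uiomovei() to uiomove() change looks fine since n is already bounded by LPT_BSIZE.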

cheers,
natano



Re: autoinstall(8) tweaks

2015-04-09 Thread Alex Wilson

On 09/04/15 10:53, Theo de Raadt wrote:

> If you have very small disk, disklabel will give you one partition.
> No problem.  DONE.
>
> If you have ample disk, it will try to give you more partitions,
> because the split partition scheme is MORE SECURE.  It will stepwise
> increase the number of partitions in use, using a heuristic that a lot
> of development effort went into.



The example I have is one of a cluster of about 50 small machines with
16GB flash cards each. Currently the alloc_big scheme is used by
disklabel for these (as with anything > about 8GB, depending on RAM). On
a 16GB flash card it will allocate about 17% of total space to /usr/src
and /usr/obj. I have no intention at all of rebuilding OpenBSD on any of
these, so I consider this wasted space.

I agree that such a use case seems to be very uncommon, and after
reading the replies I withdraw my question as to whether there could be
a useful patch to come out of it.

Building a patched bsd.rd locally for such a unique need is not a
problem at all. I asked out of curiosity more than anything else, so
I'm sorry to waste your time on it.




Re: autoinstall(8) tweaks

2015-04-09 Thread Alexander Hall


On April 9, 2015 9:33:57 AM GMT+02:00, Stuart Henderson st...@openbsd.org wrote:
> On 2015/04/09 09:13, Alexander Hall wrote:
>> I don't think tweaking an existing auto label is unnecessary and overly .
>> Hardcoding mount points and their sizes should be enough, and leave the rest
>> unallocated.
>
> At least, specifying in % is pretty important.

Sounds plausible. Maybe even *.

> But it seems people are expected to build a custom bsd.rd if they
> want something different so I'll bow out of this conversation.

I'm by no means a big user of autoinstall, so my opinion on the use case
shouldn't matter that much. I do think defining the file system layout is an
almost essential detail thereof, though. I'm just interested in a clean
implementation.



Re: autoinstall(8) tweaks

2015-04-09 Thread Stuart Henderson
On 2015/04/09 09:13, Alexander Hall wrote:
> I don't think tweaking an existing auto label is unnecessary and overly .
> Hardcoding mount points and their sizes should be enough, and leave the rest
> unallocated.

At least, specifying in % is pretty important.

But it seems people are expected to build a custom bsd.rd if they
want something different so I'll bow out of this conversation.



Re: pfi_kif leaks for PBR rules

2015-04-09 Thread Mike Belopuhov
On 8 April 2015 at 19:16, Mike Belopuhov m...@belopuhov.com wrote:
> On Sun, Apr 05, 2015 at 12:06 +0200, Alexandr Nedvedicky wrote:
>> Hello,
>>
>> while testing PBR on Solaris we found out the pfi_kif instances
>> are not removed from pfi_ifs table. We took a look at crashdump
>> and have seen pfik_route counter at those object is still
>> non-zero, while all rules were gone.
>>
>> looking at sources we can see the 'pfik_route' (PFI_KIF_REF_ROUTE)
>> reference is being grabbed in pfr_create_kentry():
>>
>>     case PFRKE_ROUTE:
>>         if (ad->pfra_ifname[0])
>>             ke->pfrke_rkif = pfi_kif_get(ad->pfra_ifname);
>>         if (ke->pfrke_rkif)
>>             pfi_kif_ref(ke->pfrke_rkif, PFI_KIF_REF_ROUTE);
>>         break;
>>     default:
>>         panic("unknown pfrke_type %d", ke->pfrke_type);
>>         break;
>>
>> however we have not found any matching pfi_kif_ref() command, which
>> would remove the reference created by pfr_create_kentry(). It seems
>> to us the call to
>>
>>     pfi_kif_unref(ke->pfrke_rkif, PFI_KIF_REF_ROUTE)
>>
>> is missing at pfr_destroy_kentry(). We created patch against OpenBSD CURRENT.
>> We have no OpenBSD boxes around, where we could verify our fix.
>>
>> also for your info: IPF in Solaris is on its death row. PF in 11.3
>> release will be available as optional firewall. We hope to make PF
>> default (and only firewall) in Solaris 12. You've made excellent job,
>> your PF is crystal-clear design.
>>
>> kind regards
>> sasha

[snip]

> Hi,
>
> Your analysis is correct.  I'd drop the switch statement here for
> simplicity though.
>
> Anyone's willing to OK?

Committed, thanks!



Re: autoinstall(8) tweaks

2015-04-09 Thread Theo de Raadt
> The example I have is one of a cluster of about 50 small machines with
> 16GB flash cards each. Currently the alloc_big scheme is used by
> disklabel for these (as with anything > about 8GB, depending on RAM). On
> a 16GB flash card it will allocate about 17% of total space to /usr/src
> and /usr/obj. I have no intention at all of rebuilding OpenBSD on any of
> these, so I consider this wasted space.

Do you have a specific need for that 2.7GB of space, or do you wish to
add it to another partition because the waste looks offensive?

By the way, not using that space can have a side benefit.  If it is
currently scrubbed, it can stay in the flash scrubber's hands, and
thus improve wear-leveling.

> I agree that such a use case seems to be very uncommon, and after
> reading the replies I withdraw my question as to whether there could be
> a useful patch to come out of it.

As Alexander and I have explained, complicated hacks like this come
with maintenance downsides.  Secondly, the usage pattern for this is so
twisted and obtuse, some of us doubt more than a handful would use it
before it passes into obscurity.

A better over-reaching solution was suggested around a year ago, which
is to replace the entire prompt-answering mechanism with something
more like expect.  Steps towards adding this would be: add pty support
to the media, write a minimal command with the functionality of
expect; then run the install script on a pty, and subject the
questions to answers subject to the autoinstall scheme.  That would
allow input into ALL the command prompts, not just the ksh-provided
questions.

That would need to be written, then looked at to see if there are
downsides.  Please understand that uwe's autoinstall was not the first
attempt at adding the mechanism... rather, it was the first clean one
which did not make the install scripts much more complex (in fact, his
changes pushed the scripts to become simpler).

> Building a patched bsd.rd locally for such a unique need is not a
> problem at all. I asked out of curiosity more than anything else, so
> I'm sorry to waste your time on it.



Run ifp detach hooks before ether_ifdetach()

2015-04-09 Thread Martin Pieuchot
Changes done by pseudo-driver *after* ether_ifattach() must be undone
*before* ether_ifdetach().  Otherwise it is impossible to ensure we're
leaving a stacked pseudo-interface in a correct state.

Since I don't want to modify every single driver calling ether_ifdetach()
I'm using a new function, if_deactivate() to undo all the pseudo-driver
stuff.
It is safe to call this function multiple times because after the first
time the parent interface won't have any pseudo-interface attached to it.

I'm leaving splnet() below, even if pseudo-interfaces that need it should
take care of raising it, to be on the safe side.  More cleanup might
happen later.

This is a trivial change needed for upcoming if_input() work.

Ok?

Index: net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.327
diff -u -p -r1.327 if.c
--- net/if.c7 Apr 2015 10:46:20 -   1.327
+++ net/if.c9 Apr 2015 09:15:37 -
@@ -521,22 +521,12 @@ nettxintr(void)
splx(s);
 }
 
-/*
- * Detach an interface from everything in the kernel.  Also deallocate
- * private resources.
- */
 void
-if_detach(struct ifnet *ifp)
+if_deactivate(struct ifnet *ifp)
 {
-   struct ifaddr *ifa;
-   struct ifg_list *ifg;
-   int s = splnet();
-   struct domain *dp;
+   int s;
 
-   ifp-if_flags = ~IFF_OACTIVE;
-   ifp-if_start = if_detached_start;
-   ifp-if_ioctl = if_detached_ioctl;
-   ifp-if_watchdog = NULL;
+   s = splnet();
 
/*
 * Call detach hooks from head to tail.  To make sure detach
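Review bot: if_deactivate() is introduced without a function comment; the block comment removed at the top of this hunk described if_detach() and nothing replaces it here. Since the commit message relies on the function being safe to call more than once, put that contract in a comment above it, for example that it undoes pseudo-driver state (detach hooks, bridge, carp) and does nothing once no pseudo-interface is attached.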
@@ -545,12 +535,6 @@ if_detach(struct ifnet *ifp)
 */
dohooks(ifp-if_detachhooks, HOOK_REMOVE | HOOK_FREE);
 
-   /* Remove the watchdog timeout */
-   timeout_del(ifp-if_slowtimo);
-
-   /* Remove the link state task */
-   task_del(systq, ifp-if_linkstatetask);
-
 #if NBRIDGE  0
/* Remove the interface from any bridge it is part of.  */
if (ifp-if_bridgeport)
@@ -562,6 +546,36 @@ if_detach(struct ifnet *ifp)
if (ifp-if_carp  ifp-if_type != IFT_CARP)
carp_ifdetach(ifp);
 #endif
+
+   splx(s);
+}
+
+/*
+ * Detach an interface from everything in the kernel.  Also deallocate
+ * private resources.
+ */
+void
+if_detach(struct ifnet *ifp)
+{
+   struct ifaddr *ifa;
+   struct ifg_list *ifg;
+   struct domain *dp;
+   int s;
+
+   /* Undo pseudo-driver changes. */
+   if_deactivate(ifp);
+
+   s = splnet();
+   ifp-if_flags = ~IFF_OACTIVE;
+   ifp-if_start = if_detached_start;
+   ifp-if_ioctl = if_detached_ioctl;
+   ifp-if_watchdog = NULL;
+
+   /* Remove the watchdog timeout */
+   timeout_del(ifp-if_slowtimo);
+
+   /* Remove the link state task */
+   task_del(systq, ifp-if_linkstatetask);
 
 #if NBPFILTER  0
bpfdetach(ifp);
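Review bot: in the rebuilt if_detach(), the detach hooks now run before if_start and if_ioctl are swapped for the if_detached_* stubs and before if_watchdog is cleared, which reverses the order of the removed code, where the stubs were installed first. There is also a window between the splx(s) that ends if_deactivate() and the new `s = splnet()` here, during which the interface is partly torn down at lowered IPL. If no hook depends on the old ordering, say so in the commit message; otherwise raise splnet() in if_detach() before calling if_deactivate() and install the stubs first.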
Index: net/if.h
===
RCS file: /cvs/src/sys/net/if.h,v
retrieving revision 1.161
diff -u -p -r1.161 if.h
--- net/if.h18 Mar 2015 12:23:15 -  1.161
+++ net/if.h9 Apr 2015 09:15:37 -
@@ -446,6 +446,7 @@ voidif_attach(struct ifnet *);
 void   if_attachdomain(void);
 void   if_attachtail(struct ifnet *);
 void   if_attachhead(struct ifnet *);
+void   if_deactivate(struct ifnet *);
 void   if_detach(struct ifnet *);
 void   if_down(struct ifnet *);
 void   if_downall(void);
Index: net/if_ethersubr.c
===
RCS file: /cvs/src/sys/net/if_ethersubr.c,v
retrieving revision 1.191
diff -u -p -r1.191 if_ethersubr.c
--- net/if_ethersubr.c  7 Apr 2015 10:46:20 -   1.191
+++ net/if_ethersubr.c  9 Apr 2015 09:16:45 -
@@ -802,6 +802,9 @@ ether_ifdetach(struct ifnet *ifp)
struct ifih *ether_ifih;
struct ether_multi *enm;
 
+   /* Undo pseudo-driver changes. */
+   if_deactivate(ifp);
+
ether_ifih = SLIST_FIRST(ifp-if_inputs);
SLIST_REMOVE_HEAD(ifp-if_inputs, ifih_next);
 



Re: libressl-2.1.6 on AIX

2015-04-09 Thread Theo de Raadt
> Just to make sure I understand what is expected of issetugid() - could you
> perhaps, in terms of ls -l output with suid programs describe the
> sequence(s) where the value should be 1 - and especially, when they might
> (read should) be 0.
>
> From memory of what I read (how I understood) the man page, if was
> superuser, and am still user - then 0 is appropriate. However, if was
> superuser (euid == 0) and a setuid call is used to demote/lower privilege
> then 1 is the correct value.

Completely wrong, and I have no idea where you got that from!

Read the man page again!

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/issetugid.2?query=issetugid

The issetugid status of a process is only affected by execve().

Let's look at the OpenBSD kernel, where this system call was invented,
for the exact semantics.

This issetugid() system call simply returns the status:

	if (p->p_p->ps_flags & PS_SUGIDEXEC)
		*retval = 1;
	else
		*retval = 0;

What affects PS_SUGIDEXEC?  It is only set or cleared in execve()
based on variables which are probably self-evident:

	/*
	 * If process does execve() while it has a mismatched real,
	 * effective, or saved uid/gid, we set PS_SUGIDEXEC.
	 */
	if (cred->cr_uid != cred->cr_ruid ||
	    cred->cr_uid != cred->cr_svuid ||
	    cred->cr_gid != cred->cr_rgid ||
	    cred->cr_gid != cred->cr_svgid)
		atomic_setbits_int(&pr->ps_flags, PS_SUGIDEXEC);
	else
		atomic_clearbits_int(&pr->ps_flags, PS_SUGIDEXEC);

Meanwhile, at fork() time, the child simply inherits the status of
the parent:

	pr->ps_flags = parent->ps_flags & (PS_SUGID | PS_SUGIDEXEC);

You will note a second flag called PS_SUGID at fork, which dates back
to the dawn of time.  The difference between these flags is very
subtly described in the .h file:

#define PS_SUGID	0x0010	/* Had set id privs since last exec. */
#define PS_SUGIDEXEC	0x0020	/* last execve() was set[ug]id */

The dominant usage pattern for issetugid() is to prevent inspection of
the environment via getenv(), down in a library.

The issetugid() API relieves programs from having to sanitize their
environment before calling into libraries, because the 90's showed us
someone always screws up that pattern; the libraries need a
method to save themselves.  Patterns like getuid() != geteuid() do not
give you the same guarantees.  issetugid() tells you that your
privilege level is incompatible with the provenance of the
environment strings.
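
The semantics described in this message, as an added user-space model (not OpenBSD kernel code and not part of the original mail): it follows the flag across execve(), setuid() and fork() and shows where a getuid() != geteuid() test and issetugid() disagree. The struct, the function names, the sample environment and the point at which the set-user-ID bit is applied are assumptions of the model.

```c
/* Added illustration: a user-space model of the flag logic quoted above.
 * Not kernel code; every name below is hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PS_SUGID     0x0010u /* had set-id privs since last exec */
#define PS_SUGIDEXEC 0x0020u /* last execve() was set[ug]id */

struct model_proc {
	unsigned ruid, euid, svuid;
	unsigned rgid, egid, svgid;
	unsigned flags;
};

/* Constructed sample environment, standing in for caller-supplied strings. */
static const char *const sample_env[][2] = {
	{ "TMPDIR", "/home/user/tmp" },
	{ "LANG", "C" },
};

/* execve(): apply an optional set-user-ID bit, then run the mismatch test.
 * PS_SUGID handling at exec time is outside this model. */
void model_execve(struct model_proc *p, int setuid_bit, unsigned owner)
{
	if (setuid_bit)
		p->euid = owner; /* assumption: applied before the test */
	if (p->euid != p->ruid || p->euid != p->svuid ||
	    p->egid != p->rgid || p->egid != p->svgid)
		p->flags |= PS_SUGIDEXEC;
	else
		p->flags &= ~PS_SUGIDEXEC;
	p->svuid = p->euid; /* saved IDs follow the new effective IDs */
	p->svgid = p->egid;
}

/* setuid(uid) called with euid 0: all three user IDs change. */
void model_setuid_all(struct model_proc *p, unsigned uid)
{
	p->ruid = p->euid = p->svuid = uid;
	p->flags |= PS_SUGID; /* PS_SUGIDEXEC is not touched here */
}

/* fork(): the child inherits both flags from the parent. */
struct model_proc model_fork(const struct model_proc *parent)
{
	struct model_proc child = *parent;
	child.flags = parent->flags & (PS_SUGID | PS_SUGIDEXEC);
	return child;
}

int model_issetugid(const struct model_proc *p)
{
	return (p->flags & PS_SUGIDEXEC) ? 1 : 0;
}

/* The pattern the mail warns about: compares current IDs only. */
int naive_uid_check(const struct model_proc *p)
{
	return p->ruid != p->euid;
}

/* Library-side lookup: refuse the environment when the last exec was set-id. */
const char *lib_getenv(const struct model_proc *p, const char *name)
{
	size_t i;

	if (model_issetugid(p))
		return NULL;
	for (i = 0; i < sizeof(sample_env) / sizeof(sample_env[0]); i++)
		if (strcmp(sample_env[i][0], name) == 0)
			return sample_env[i][1];
	return NULL;
}

int main(void)
{
	struct model_proc p = { 1000, 1000, 1000, 100, 100, 100, 0 };
	struct model_proc c;

	model_execve(&p, 1, 0);      /* user 1000 runs a set-user-ID root file */
	model_setuid_all(&p, 1000);  /* program drops back to the real user */
	printf("after drop: naive=%d issetugid=%d TMPDIR=%s\n",
	    naive_uid_check(&p), model_issetugid(&p),
	    lib_getenv(&p, "TMPDIR") ? lib_getenv(&p, "TMPDIR") : "(refused)");

	c = model_fork(&p);
	printf("child after fork: issetugid=%d\n", model_issetugid(&c));
	model_execve(&c, 0, 0);      /* ordinary exec with matching IDs */
	printf("child after exec: issetugid=%d TMPDIR=%s\n",
	    model_issetugid(&c), lib_getenv(&c, "TMPDIR"));
	return 0;
}
```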



Re: whois(1): use whois.nic.tld where possible

2015-04-09 Thread Ted Unangst
Stuart Henderson wrote:
> There is a standard (required) hostname scheme, whois.nic.tld, for the
> new gTLDs. For months whois-servers.net didn't list any of the new ones,
> they are starting to catch up but are still behind,
>
> $ unbound-host sucks.whois-servers.net
> Host sucks.whois-servers.net not found: 3(NXDOMAIN).
>
> $ unbound-host whois.nic.sucks
> whois.nic.sucks is an alias for whois.sucks.aridnrs.net.au.
> whois.sucks.aridnrs.net.au has address 120.29.248.191
> whois.sucks.aridnrs.net.au has IPv6 address 2001:dcd:11::f0bf
>
> and the extra indirection just adds fragility in the cases where they do
> have the right details, so the diff teaches whois to use them directly.
>
> Any comments/OKs?

 - strlcpy(server, qhead, len);
 - strlcat(server, QNICHOST_TAIL, len);
 +
 + /*
 +  * Post-2003 (new) gTLDs are all supposed to have whois.nic.domain
 +  * (per registry agreement), some older gTLDs also support this...
 +  */
 + strlcpy(server, whois.nic., len);
 + strlcat(server, qhead, len);

 + strlcpy(server, qhead, len);
 + strlcat(server, QNICHOST_TAIL, len);

I see it was like this before, but these are obvious places to use snprintf
instead.



prevent short transfer in nvramread()

2015-04-09 Thread Martin Natano
Below another min() -> ulmin() conversion to prevent integer overflow.
The size (tmp - buf) passed to uiomovei() is essentially bound by the
'count' variable, thus convert to uiomove().

Index: arch/amd64/amd64/nvram.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/nvram.c,v
retrieving revision 1.3
diff -u -p -r1.3 nvram.c
--- arch/amd64/amd64/nvram.c14 Mar 2015 03:38:46 -  1.3
+++ arch/amd64/amd64/nvram.c9 Apr 2015 17:50:54 -
@@ -94,7 +94,7 @@ nvramread(dev_t dev, struct uio *uio, in
u_char buf[NVRAM_SIZE];
u_int pos = uio-uio_offset;
u_char *tmp;
-   int count = min(sizeof(buf), uio-uio_resid);
+   size_t count = ulmin(sizeof(buf), uio-uio_resid);
int ret;
 
if (!nvram_initialized)
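Review bot: the declaration two lines above the changed one, `u_int pos = uio->uio_offset;`, still narrows uio_offset to u_int, so this hunk fixes the truncation of uio_resid but leaves the same class of problem on the offset. Please check the offset against NVRAM_SIZE before narrowing it, or widen pos, in the same change.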
@@ -104,7 +104,7 @@ nvramread(dev_t dev, struct uio *uio, in
return (0);
 
 #ifdef NVRAM_DEBUG
-   printf(attempting to read %d bytes at offset %d\n, count, pos);
+   printf(attempting to read %zu bytes at offset %d\n, count, pos);
 #endif
 
for (tmp = buf; count--  0  pos  NVRAM_SIZE; ++pos, ++tmp)
@@ -114,7 +114,7 @@ nvramread(dev_t dev, struct uio *uio, in
printf(nvramread read %d bytes (%s)\n, (tmp - buf), tmp);
 #endif
 
-   ret = uiomovei((caddr_t)buf, (tmp - buf), uio);
+   ret = uiomove((caddr_t)buf, (tmp - buf), uio);
 
uio-uio_offset += uio-uio_resid;
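Review bot: the NVRAM_DEBUG printf kept as context at the top of this hunk still prints `(tmp - buf)` with %d, although the other debug printf was just moved to %zu for count; the pointer difference is a ptrdiff_t, so use %td (or cast) while the format strings are being touched. The same value is then passed to uiomove() as a size, which is safe only because tmp starts at buf and is only ever incremented in the loop above.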
 
cheers,
natano
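
The truncation that this diff and the earlier lptwrite() diff remove, as an added model in portable C (not code from either patch): a 32-bit min() sees only the low half of a 64-bit residual count, so the transfer loop stops early or never starts. The helper names and the LPT_BSIZE and NVRAM_SIZE values are assumptions chosen for illustration.

```c
/* Added illustration of the min() vs ulmin() width problem.
 * Not OpenBSD code; names and buffer sizes are assumed. */
#include <stdint.h>
#include <stdio.h>

#define LPT_BSIZE  1024u /* assumed chunk size */
#define NVRAM_SIZE 114u  /* assumed buffer size */

/* Kernel-style min(): both arguments are coerced to 32-bit unsigned. */
static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* ulmin()-style helper: compares at full 64-bit width. */
static uint64_t ulmin64(uint64_t a, uint64_t b) { return a < b ? a : b; }

/*
 * Model of the pre-patch lptwrite() loop: consume `resid` bytes in
 * LPT_BSIZE chunks. Returns how many bytes were moved before the loop
 * decided there was nothing left.
 */
uint64_t drain_truncating(uint64_t resid)
{
	uint64_t done = 0;
	uint32_t n;

	/* the cast mirrors the implicit u_int coercion of uio_resid */
	while ((n = min_u32(LPT_BSIZE, (uint32_t)resid)) != 0) {
		resid -= n;
		done += n;
	}
	return done;
}

/* Same loop with the full-width comparison used after the patch. */
uint64_t drain_full_width(uint64_t resid)
{
	uint64_t done = 0, n;

	while ((n = ulmin64(LPT_BSIZE, resid)) != 0) {
		resid -= n;
		done += n;
	}
	return done;
}

/* Model of nvramread(): `int count = min(sizeof(buf), uio_resid)`. */
int nvram_count_truncating(uint64_t resid)
{
	return (int)min_u32(NVRAM_SIZE, (uint32_t)resid);
}

/* Post-patch form: `size_t count = ulmin(sizeof(buf), uio_resid)`. */
uint64_t nvram_count_full(uint64_t resid)
{
	return ulmin64(NVRAM_SIZE, resid);
}

int main(void)
{
	/* Constructed request sizes: small, exactly 2^32, and 2^32 + 100. */
	const uint64_t sizes[] = {
		3000, UINT64_C(1) << 32, (UINT64_C(1) << 32) + 100
	};
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("resid=%llu truncating=%llu full=%llu nvram=%d/%llu\n",
		    (unsigned long long)sizes[i],
		    (unsigned long long)drain_truncating(sizes[i]),
		    (unsigned long long)drain_full_width(sizes[i]),
		    nvram_count_truncating(sizes[i]),
		    (unsigned long long)nvram_count_full(sizes[i]));
	return 0;
}
```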



Re: autoinstall(8) tweaks

2015-04-09 Thread Alexander Hall


On April 9, 2015 2:44:28 AM GMT+02:00, Stuart Henderson st...@openbsd.org wrote:
> On 2015/04/09 01:53, Alexander Hall wrote:
>> On April 8, 2015 9:13:27 AM GMT+02:00, Stuart Henderson st...@openbsd.org wrote:
>>> On 2015/04/07 20:02, Alex Wilson wrote:
>>>> On the topic of local tweaks to autoinstall, I was trying to use it for a
>>>> bunch of blades with very limited disk the other day, and I really wanted to
>>>> make them just create a single slice for / and some swap.
>>> ..
>>>> So that then I could put
>>>>
>>>> Use (W)hole disk, use the = W
>>>> Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout = C
>>>> disklabel = D\na b\n\n4g\n\na a\n\n\n\n/\np\nq\n
>>>>
>>>> in my install.conf
>>>
>>> I think this diff has been written a few times now, iirc everybody
>>> settled on the same method..
>>
>> We strive to make install.conf readable, and not contain semi-binary
>> data. Also, the question asked should be specific enough to allow for
>> more than one disk (unless we only do the disklabel for the primary
>> disk?).
>>
>> I haven't put a great effort into it, but I'd rather present a
>> possibility to suck in a disklabel from a separate file and allow the
>> user to point out said file. IIRC, krw@ made some changes that improved
>> that possibility.
>>
>> /Alexander
>
> Are people really wanting to change fsize, bsize and work out offsets
> here?

IIRC you can leave those out. And if you want your own layout, I don't think
creating a fake disklabel on some vnd is a huge effort

> I'd have thought they want to say things like I want 2G /, 2G
> /home, 8G /var, 4G /usr, 20G /usr/local, and split the rest of the disk
> between /var/www and /data, or this is all great except this humongous
> /home, change it to 4G and put the rest in /mail.

I don't think tweaking an existing auto label is unnecessary and overly .
Hardcoding mount points and their sizes should be enough, and leave the rest
unallocated.

> If I'm not mistaken disklabel only looks at the first letter, so it
> could be a bit more self-documenting,
>
> disklabel = Default\nadd b\n\n4g\n\nadd a\n\n\n\n/\nprint\nquit\n
>
> or neatened (to some eyes) with an s_;_\n_g
>
> disklabel = Default;add b;;4g;;add a/;print;quit;
>
> For the rest of the autoinstall file, while the questions and answers
> are readable, they aren't documented, so basing it on a manual installer
> run seems the only way to get started (it could even be automated
> from a serial port capture), the disklabel -E language seems a
> reasonable fit with this doesn't it?

I think we can do better. Again, I'd much rather feed it a stripped down
disklabel, possibly extending disklabel(8) to cope with the minimal amount of
information, if needed. One missing thing was the ability to pass it the mount
point. Ken might have added that since, but I'm not sure.

/Alexander



whois(1): use whois.nic.tld where possible

2015-04-09 Thread Stuart Henderson
There is a standard (required) hostname scheme, whois.nic.tld, for the
new gTLDs. For months whois-servers.net didn't list any of the new ones,
they are starting to catch up but are still behind,

$ unbound-host sucks.whois-servers.net
Host sucks.whois-servers.net not found: 3(NXDOMAIN).

$ unbound-host whois.nic.sucks
whois.nic.sucks is an alias for whois.sucks.aridnrs.net.au.
whois.sucks.aridnrs.net.au has address 120.29.248.191
whois.sucks.aridnrs.net.au has IPv6 address 2001:dcd:11::f0bf

and the extra indirection just adds fragility in the cases where they do
have the right details, so the diff teaches whois to use them directly.

Any comments/OKs?

Index: whois.c
===
RCS file: /cvs/src/usr.bin/whois/whois.c,v
retrieving revision 1.46
diff -u -p -r1.46 whois.c
--- whois.c 3 Jan 2014 15:25:18 -   1.46
+++ whois.c 9 Apr 2015 08:56:54 -
@@ -278,6 +278,12 @@ choose_server(const char *name, const ch
char *nserver;
char *ep;
size_t len;
+   struct addrinfo hints, *res;
+
+   memset(hints, 0, sizeof(hints));
+   hints.ai_flags = 0;
+   hints.ai_family = AF_UNSPEC;
+   hints.ai_socktype = SOCK_STREAM;
 
if (country != NULL)
qhead = country;
@@ -299,8 +305,33 @@ choose_server(const char *name, const ch
if ((nserver = realloc(server, len)) == NULL)
err(1, realloc);
server = nserver;
-   strlcpy(server, qhead, len);
-   strlcat(server, QNICHOST_TAIL, len);
+
+   /*
+* Post-2003 (new) gTLDs are all supposed to have whois.nic.domain
+* (per registry agreement), some older gTLDs also support this...
+*/
+   strlcpy(server, whois.nic., len);
+   strlcat(server, qhead, len);
+
+   /* most ccTLDs don't do this, but QNICHOST/whois-servers mostly works */
+   if ((strlen(qhead) == 2 ||
+   /* and is required for most of the =2003 TLDs/gTLDs */
+   strncasecmp(qhead, org, 3) == 0 ||
+   strncasecmp(qhead, com, 3) == 0 ||
+   strncasecmp(qhead, net, 3) == 0 ||
+   strncasecmp(qhead, cat, 3) == 0 ||
+   strncasecmp(qhead, pro, 3) == 0 ||
+   strncasecmp(qhead, info, 4) == 0 ||
+   strncasecmp(qhead, aero, 4) == 0 ||
+   strncasecmp(qhead, jobs, 4) == 0 ||
+   strncasecmp(qhead, mobi, 4) == 0 ||
+   strncasecmp(qhead, museum., 6) == 0 ||
+/* for others, if whois.nic.TLD doesn't exist, try whois-servers */
+   getaddrinfo(server, NULL, hints, res) != 0)) {
+   strlcpy(server, qhead, len);
+   strlcat(server, QNICHOST_TAIL, len);
+   }
+
return (server);
 }
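Review bot: the strncasecmp() calls in the new condition compare only the first 3 or 4 characters of qhead, so any TLD that merely begins with one of the listed names is also sent to whois-servers.net; a new gTLD such as "company" matches the `com` test, for example, and never gets its whois.nic lookup. Compare the whole string with strcasecmp() instead. The `museum.` entry is compared over 6 characters, so its trailing dot is never examined and should be dropped.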
Index: whois.1
===
RCS file: /cvs/src/usr.bin/whois/whois.1,v
retrieving revision 1.32
diff -u -p -r1.32 whois.1
--- whois.1 5 Mar 2013 16:09:10 -   1.32
+++ whois.1 9 Apr 2015 09:25:10 -
@@ -97,8 +97,11 @@ By default
 .Nm
 constructs the name of a whois server to use from the top-level domain
 .Pq Tn TLD
-of the supplied (single) argument, and appending
-.Qq Li .whois-servers.net .
+of the supplied (single) argument.
+For newer generic domains (gTLDs), a lookup for whois.nic.tld is attempted.
+For other TLDs, or if this lookup fails,
+.Qq Li .whois-servers.net
+is appended to the TLD.
 This effectively allows a suitable whois server to be selected
 automatically for a large number of
 .Tn TLDs .
 



bridge(4) and Ethernet header

2015-04-09 Thread Martin Pieuchot
Like vlan(4) and carp(4), bridge(4) also needs to be tweaked to still
work during the if_input() transition.  Removing the ether_input()
calls in this driver was a bit tricky *because* bridge_input() is
called after ether_input().

See how 3 M_PREPEND() are converted to 1?  And soon none will be
required.

Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.233
diff -u -p -r1.233 if_bridge.c
--- net/if_bridge.c 7 Apr 2015 10:46:20 -   1.233
+++ net/if_bridge.c 9 Apr 2015 13:56:07 -
@@ -115,8 +115,7 @@ voidbridge_broadcast(struct bridge_soft
 struct ether_header *, struct mbuf *);
 void   bridge_localbroadcast(struct bridge_softc *, struct ifnet *,
 struct ether_header *, struct mbuf *);
-void   bridge_span(struct bridge_softc *, struct ether_header *,
-struct mbuf *);
+void   bridge_span(struct bridge_softc *, struct mbuf *);
 void   bridge_stop(struct bridge_softc *);
 void   bridge_init(struct bridge_softc *);
 intbridge_bifconf(struct bridge_softc *, struct ifbifconf *);
@@ -1004,7 +1003,7 @@ bridge_output(struct ifnet *ifp, struct 
return (0);
}
 #endif /* IPSEC */
-   bridge_span(sc, NULL, m);
+   bridge_span(sc, m);
 
TAILQ_FOREACH(p, sc-sc_iflist, next) {
dst_if = p-ifp;
@@ -1080,7 +1079,7 @@ sendunicast:
(sa = bridge_tunneltag(m, dst_p-brt_tunnel.sa.sa_family)) != NULL)
memcpy(sa, dst_p-brt_tunnel.sa, dst_p-brt_tunnel.sa.sa_len);
 
-   bridge_span(sc, NULL, m);
+   bridge_span(sc, m);
if ((dst_if-if_flags  IFF_RUNNING) == 0) {
m_freem(m);
return (ENETDOWN);
@@ -1296,9 +1295,10 @@ bridgeintr_frame(struct bridge_softc *sc
  * not for us, and schedule an interrupt.
  */
 struct mbuf *
-bridge_input(struct ifnet *ifp, struct ether_header *eh, struct mbuf *m)
+bridge_input(struct ifnet *ifp, struct ether_header *eh0, struct mbuf *m)
 {
struct bridge_softc *sc;
+   struct ether_header *eh;
int s;
struct bridge_iflist *ifl, *srcifl;
struct arpcom *ac;
@@ -1320,13 +1320,18 @@ bridge_input(struct ifnet *ifp, struct e
if ((sc-sc_if.if_flags  IFF_RUNNING) == 0)
return (m);
 
+   M_PREPEND(m, sizeof(*eh), M_DONTWAIT);
+   if (m == NULL)
+   return (NULL);
+   eh = mtod(m, struct ether_header *);
+   memmove(eh, eh0, sizeof(*eh));
+
 #if NBPFILTER  0
if (sc-sc_if.if_bpf)
-   bpf_mtap_hdr(sc-sc_if.if_bpf, (caddr_t)eh,
-   ETHER_HDR_LEN, m, BPF_DIRECTION_IN, NULL);
+   bpf_mtap_ether(sc-sc_if.if_bpf, m, BPF_DIRECTION_IN);
 #endif
 
-   bridge_span(sc, eh, m);
+   bridge_span(sc, m);
 
if (m-m_flags  (M_BCAST | M_MCAST)) {
/*
@@ -1356,18 +1361,9 @@ bridge_input(struct ifnet *ifp, struct e
(ifl-bif_state == BSTP_IFSTATE_DISCARDING))
return (m);
 
-   /*
-* make a copy of 'm' with 'eh' tacked on to the
-* beginning.  Return 'm' for local processing
-* and enqueue the copy.  Schedule netisr.
-*/
mc = m_copym2(m, 0, M_COPYALL, M_NOWAIT);
if (mc == NULL)
return (m);
-   M_PREPEND(mc, ETHER_HDR_LEN, M_DONTWAIT);
-   if (mc == NULL)
-   return (m);
-   bcopy(eh, mtod(mc, caddr_t), ETHER_HDR_LEN);
s = splnet();
if (IF_QFULL(sc-sc_if.if_snd)) {
m_freem(mc);
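Review bot: with the header now prepended near the top of bridge_input(), the `return (m)` paths in this hunk hand the caller an mbuf that starts with the Ethernet header, whereas before the change m was returned without it and eh travelled separately. Please confirm the caller strips or expects the header on every path that returns m, and keep a one-line comment where the removed block comment was, noting that the m_copym2() copy already includes the header.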
@@ -1387,11 +1383,11 @@ bridge_input(struct ifnet *ifp, struct e
m-m_pkthdr.ph_rtableid = ifl-ifp-if_rdomain;
 #if NBPFILTER  0
if (ifl-ifp-if_bpf)
-   bpf_mtap(ifl-ifp-if_bpf, m,
+   bpf_mtap_ether(ifl-ifp-if_bpf, m,
BPF_DIRECTION_IN);
 #endif
m-m_flags |= M_PROTO1;
-   ether_input(m, eh);
+   ether_input_mbuf(ifl-ifp, m);
ifl-ifp-if_ipackets++;
m = NULL;
}
@@ -1434,21 +1430,21 @@ bridge_input(struct ifnet *ifp, struct e
 * is aware */
 #if NBPFILTER  0
if (ifl-ifp-if_bpf)
-   bpf_mtap_hdr(ifl-ifp-if_bpf, (caddr_t)eh,
-   ETHER_HDR_LEN, m, BPF_DIRECTION_IN, NULL);
+   bpf_mtap_ether(ifl-ifp-if_bpf, m,
+   BPF_DIRECTION_IN);
 #endif
/* Count for the interface we are 

ps(1) getopt flags are not counters

2015-04-09 Thread Okan Demirmen
Hi,

kflag and wflag don't need to be counters; wflag only needs to know if
greater than 0 for its one test case.

Expanded diff context below.

OK?

Thanks,
Okan

Index: ps.c
===
RCS file: /home/open/cvs/src/bin/ps/ps.c,v
retrieving revision 1.63
diff -u -p -U8 -r1.63 ps.c
--- ps.c16 Jan 2015 06:39:32 -  1.63
+++ ps.c9 Apr 2015 18:41:13 -
@@ -153,17 +153,17 @@ main(int argc, char *argv[])
prtheader = ws.ws_row  5 ? ws.ws_row : 22;
break;
case 'j':
parsefmt(jfmt);
fmt = 1;
jfmt[0] = '\0';
break;
case 'k':
-   kflag++;
+   kflag = 1;
break;
case 'L':
showkey();
exit(0);
case 'l':
parsefmt(lfmt);
fmt = 1;
lfmt[0] = '\0';
@@ -243,17 +243,17 @@ main(int argc, char *argv[])
case 'W':
swapf = optarg;
break;
case 'w':
if (wflag)
termwidth = UNLIMITED;
else if (termwidth  131)
termwidth = 131;
-   wflag++;
+   wflag = 1;
break;
case 'x':
xflg = 1;
break;
default:
usage();
}
argc -= optind;



Re: zmore diff

2015-04-09 Thread Todd C. Miller
On Thu, 09 Apr 2015 08:37:31 +0200, Tim van der Molen wrote:

> This diff makes zmore and zless recognise options starting with + so
> that commands like zless +G foo.gz work.
>
> It makes sense to do this for zmore, too, because the less
> implementation of more also supports + options.

Thanks, committed.

 - todd



Re: whois(1): use whois.nic.tld where possible

2015-04-09 Thread Stuart Henderson
On 2015/04/09 10:25, Stuart Henderson wrote:
> There is a standard (required) hostname scheme, whois.nic.tld, for the
> new gTLDs. For months whois-servers.net didn't list any of the new ones,
> they are starting to catch up but are still behind,
>
> $ unbound-host sucks.whois-servers.net
> Host sucks.whois-servers.net not found: 3(NXDOMAIN).
>
> $ unbound-host whois.nic.sucks
> whois.nic.sucks is an alias for whois.sucks.aridnrs.net.au.
> whois.sucks.aridnrs.net.au has address 120.29.248.191
> whois.sucks.aridnrs.net.au has IPv6 address 2001:dcd:11::f0bf
>
> and the extra indirection just adds fragility in the cases where they do
> have the right details, so the diff teaches whois to use them directly.
>
> Any comments/OKs?

Giovanni noticed a stray . - fixed below.

Index: whois.c
===
RCS file: /cvs/src/usr.bin/whois/whois.c,v
retrieving revision 1.46
diff -u -p -r1.46 whois.c
--- whois.c 3 Jan 2014 15:25:18 -   1.46
+++ whois.c 9 Apr 2015 11:38:15 -
@@ -278,6 +278,12 @@ choose_server(const char *name, const ch
char *nserver;
char *ep;
size_t len;
+   struct addrinfo hints, *res;
+
+   memset(hints, 0, sizeof(hints));
+   hints.ai_flags = 0;
+   hints.ai_family = AF_UNSPEC;
+   hints.ai_socktype = SOCK_STREAM;
 
if (country != NULL)
qhead = country;
@@ -299,8 +305,33 @@ choose_server(const char *name, const ch
if ((nserver = realloc(server, len)) == NULL)
err(1, realloc);
server = nserver;
-   strlcpy(server, qhead, len);
-   strlcat(server, QNICHOST_TAIL, len);
+
+   /*
+* Post-2003 (new) gTLDs are all supposed to have whois.nic.domain
+* (per registry agreement), some older gTLDs also support this...
+*/
+   strlcpy(server, whois.nic., len);
+   strlcat(server, qhead, len);
+
+   /* most ccTLDs don't do this, but QNICHOST/whois-servers mostly works */
+   if ((strlen(qhead) == 2 ||
+   /* and is required for most of the =2003 TLDs/gTLDs */
+   strncasecmp(qhead, org, 3) == 0 ||
+   strncasecmp(qhead, com, 3) == 0 ||
+   strncasecmp(qhead, net, 3) == 0 ||
+   strncasecmp(qhead, cat, 3) == 0 ||
+   strncasecmp(qhead, pro, 3) == 0 ||
+   strncasecmp(qhead, info, 4) == 0 ||
+   strncasecmp(qhead, aero, 4) == 0 ||
+   strncasecmp(qhead, jobs, 4) == 0 ||
+   strncasecmp(qhead, mobi, 4) == 0 ||
+   strncasecmp(qhead, museum, 6) == 0 ||
+/* for others, if whois.nic.TLD doesn't exist, try whois-servers */
+   getaddrinfo(server, NULL, hints, res) != 0)) {
+   strlcpy(server, qhead, len);
+   strlcat(server, QNICHOST_TAIL, len);
+   }
+
return (server);
 }
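Review bot: getaddrinfo() at the end of the condition fills `res`, but no freeaddrinfo(res) follows before `return (server)`, so each successful whois.nic lookup leaks the result list. The result is used only as an existence test, so free it right after the check. `hints.ai_flags = 0` in the previous hunk is also redundant after the memset().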
 
Index: whois.1
===
RCS file: /cvs/src/usr.bin/whois/whois.1,v
retrieving revision 1.32
diff -u -p -r1.32 whois.1
--- whois.1 5 Mar 2013 16:09:10 -   1.32
+++ whois.1 9 Apr 2015 11:38:15 -
@@ -97,8 +97,11 @@ By default
 .Nm
 constructs the name of a whois server to use from the top-level domain
 .Pq Tn TLD
-of the supplied (single) argument, and appending
-.Qq Li .whois-servers.net .
+of the supplied (single) argument.
+For newer generic domains (gTLDs), a lookup for whois.nic.tld is attempted.
+For other TLDs, or if this lookup fails,
+.Qq Li .whois-servers.net
+is appended to the TLD.
 This effectively allows a suitable whois server to be selected
 automatically for a large number of
 .Tn TLDs .



Re: falloc and related stuff

2015-04-09 Thread kanonenvogel....@gmail.com
Struct file again.

f_flag isn’t modified often, so its modification can be atomic.
f_msgcount and f_rxfer, f_wxfer, f_seek, f_rbytes, f_wbytes can be protected by
rwlock.
f_offset protection is actual for vnodes only.
FIF_MARK and FIF_DEFER flags are used only by unpc garbage collector. These
flags can be moved out from f_iflags, for example to f_unpc_flags, and use
their own protection.
FIF_HASLOCK is checked only in vn_closefile(), but this flag doesn’t indicate
actual vnode lock state, because VOP_ADVLOCK()’s return value is not checked.
Maybe it can be replaced by a new vn_islocked() function, which will check
actual vnode lock possibility and lock state?
Only FIF_LARVAL remains in f_iflags; this flag is set only once, so its
modification can be atomic.
f_count may be modified and checked under rwlock, but I think atomic ops are
better on smp; afaik, with uniprocessor kernel simple increment/decrement over
volatile variable will be enough.

This modification doesn’t break pstat, all related FIF_* flags can be set in
kinfo_file struct.

f_offset protection can be done like in patch below. It is just
proof-of-concept. I think f_offset protection stuff can be moved to external
struct, which will be stored in hash with fp address as key.

FIF_MARK and FIF_DEFER stuff can be moved to external struct too, I suppose.

Index: compat/common/compat_dir.c
===
RCS file: /cvs/src/sys/compat/common/compat_dir.c,v
retrieving revision 1.11
diff -u -p -r1.11 compat_dir.c
--- compat/common/compat_dir.c  16 Dec 2014 21:25:28 -  1.11
+++ compat/common/compat_dir.c  9 Apr 2015 10:40:55 -
@@ -51,7 +51,6 @@ readdir_with_callback(struct file *fp, o
struct iovec aiov;
int eofflag = 0;
int error, len, reclen;
-   off_t newoff = *off;
struct vnode *vp;
struct vattr va;

@@ -84,10 +83,16 @@ again:
auio.uio_segflg = UIO_SYSSPACE;
auio.uio_procp = curproc;
auio.uio_resid = buflen;
-   auio.uio_offset = newoff;
-
+   if (fp-f_offset == off)
+   foffset_lock(fp, auio.uio_offset);
+   else
+   auio.uio_offset = *off;
error = VOP_READDIR(vp, auio, fp-f_cred, eofflag);
-   *off = auio.uio_offset;
+   if (fp-f_offset == off)
+   foffset_unlock(fp, auio.uio_offset);
+   else
+   *off = auio.uio_offset;
+
if (error)
goto out;
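Review bot: The test "fp-f_offset == off" is evaluated twice in this hunk, once to choose foffset_lock() and once to choose foffset_unlock(), and the offset lock taken before VOP_READDIR() is held until after it returns. Computing the result once into a local would make the lock/unlock pairing obvious, and a comment should state that the lock is deliberately held across VOP_READDIR() and why identifying the caller's offset by pointer comparison is sufficient.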
 
Index: kern/kern_descrip.c
===
RCS file: /cvs/src/sys/kern/kern_descrip.c,v
retrieving revision 1.116
diff -u -p -r1.116 kern_descrip.c
--- kern/kern_descrip.c 19 Jan 2015 01:19:17 -  1.116
+++ kern/kern_descrip.c 9 Apr 2015 10:41:10 -
@@ -61,6 +61,7 @@
 #include sys/event.h
 #include sys/pool.h
 #include sys/ktrace.h
+#include sys/rwlock.h
 
 #include sys/pipe.h
 
@@ -451,9 +452,9 @@ restart:
if (fl.l_start == 0  fl.l_len  0) {
/* lockf(3) compliance hack */
fl.l_len = -fl.l_len;
-   fl.l_start = fp-f_offset - fl.l_len;
+   fl.l_start = foffset_get(fp) - fl.l_len;
} else
-   fl.l_start += fp-f_offset;
+   fl.l_start += foffset_get(fp);
}
switch (fl.l_type) {
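Review bot: foffset_get() in both branches returns a value that is no longer protected once its read lock is dropped, so fl.l_start is computed from an offset that another thread may already have moved. If a snapshot is acceptable for the lockf(3) case, a comment should say so; otherwise the fl.l_start computation needs to happen while the offset is locked. The same applies to the identical change in the next hunk.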
 
@@ -514,9 +515,9 @@ restart:
if (fl.l_start == 0  fl.l_len  0) {
/* lockf(3) compliance hack */
fl.l_len = -fl.l_len;
-   fl.l_start = fp-f_offset - fl.l_len;
+   fl.l_start = foffset_get(fp) - fl.l_len;
} else
-   fl.l_start += fp-f_offset;
+   fl.l_start += foffset_get(fp);
}
if (fl.l_type != F_RDLCK 
fl.l_type != F_WRLCK 
@@ -869,6 +870,7 @@ restart:
 */
nfiles++;
fp = pool_get(file_pool, PR_WAITOK|PR_ZERO);
+   rw_init(fp-f_offset_lck, f_offset_lck);
fp-f_iflags = FIF_LARVAL;
if ((fq = p-p_fd-fd_ofiles[0]) != NULL) {
LIST_INSERT_AFTER(fq, fp, f_list);
@@ -1125,6 +1127,47 @@ fdrop(struct file *fp, struct proc *p)
pool_put(file_pool, fp);
 
return (error);
+}
+
+off_t
+foffset_get(struct file *fp)
+{
+   off_t offset;
+
+   rw_enter_read(fp-f_offset_lck);
+   offset = fp-f_offset;
+   rw_exit_read(fp-f_offset_lck);
+   
+   return offset;
+}
+
+void
+foffset_lock(struct file *fp, off_t *foffset)
+{
+   KASSERT(foffset != NULL);
+   rw_enter_write(fp-f_offset_lck);
+   while (fp-f_offset_lckf  FOFFSET_LOCKED) {
+   fp-f_offset_lckf |= FOFFSET_LOCK_WAITING;
+   
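Review bot: None of the new foffset_*() functions has a comment describing the locking protocol: foffset_get() takes only the read side of f_offset_lck, while foffset_lock() also uses the FOFFSET_LOCKED and FOFFSET_LOCK_WAITING bits in f_offset_lckf, and how the two relate is left for the reader to work out. A short block comment above the functions would make the proof-of-concept reviewable. As a style point, foffset_get() ends with "return offset;" where the surrounding code ("return (error);" in fdrop() just above) uses the parenthesised form.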

vlan(4) and Ethernet header

2015-04-09 Thread Martin Pieuchot
Right now vlan_input() is called *after* ether_input().  More precisely
it is called after the mbuf has been m_adj(9)'usted to skip the Ethernet
header.  This is not a problem in se but...

To make sure vlan(4) keeps working during the if_input() transition, it
has to stop calling ether_input() and use if_input() instead.  Since
this new API will run input handler *before* ether_input(), the packet
*must* contain the original Ethernet header.  Hence the small hack
below.  This is just temporary; this code will be deleted as soon as
vlan(4) is converted to if_input().

Index: net/if_vlan.c
===
RCS file: /cvs/src/sys/net/if_vlan.c,v
retrieving revision 1.114
diff -u -p -r1.114 if_vlan.c
--- net/if_vlan.c   7 Apr 2015 10:46:20 -   1.114
+++ net/if_vlan.c   9 Apr 2015 12:12:35 -
@@ -277,6 +277,7 @@ vlan_input(struct ether_header *eh, stru
struct vlan_taghash *tagh;
u_inttag;
u_int16_tetype;
+   struct ether_header *eh1;
 
if (m-m_flags  M_VLANTAG) {
etype = ETHERTYPE_VLAN;
@@ -351,8 +352,14 @@ vlan_input(struct ether_header *eh, stru
}
}
 
+   M_PREPEND(m, sizeof(*eh1), M_DONTWAIT);
+   if (m == NULL)
+   return (-1);
+   eh1 = mtod(m, struct ether_header *);
+   memmove(eh1, eh, sizeof(*eh1));
+
ifv-ifv_if.if_ipackets++;
-   ether_input(m, eh);
+   ether_input_mbuf(ifv-ifv_if, m);
 
return (0);
 }
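Review bot: When M_PREPEND() fails, the new "return (-1)" path drops the packet without touching any counter, while if_ipackets is incremented only on the success path, so allocation failures here are invisible in the interface statistics. Counting the drop before returning, for example with ifv->ifv_if.if_ierrors++, would make them visible.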



zmore diff

2015-04-09 Thread Tim van der Molen
This diff makes zmore and zless recognise options starting with + so
that commands like zless +G foo.gz work.

It makes sense to do this for zmore, too, because the less
implementation of more also supports + options.

cvs server: Diffing compress
Index: compress/zmore
===
RCS file: /cvs/src/usr.bin/compress/zmore,v
retrieving revision 1.7
diff -u -r1.7 zmore
--- compress/zmore  7 May 2014 21:42:50 -   1.7
+++ compress/zmore  9 Apr 2015 06:36:46 -
@@ -29,7 +29,7 @@
shift
break
;;
-   -*)
+   -*|+*)
flags=$flags $1
shift
;;
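Review bot: With +* added to the option pattern, a compressed file whose name begins with + is now collected into flags instead of being opened, so it has to be given as ./+name. That behaviour change deserves a sentence in the manual page next to the description of the + options.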



Re: libressl-2.1.6 on AIX

2015-04-09 Thread Michael Felt
I shall look at collecting the in-tree stuff. My servers are in the
Netherlands, and I am in Austin atm. I have a meeting with the security
team in about 30 minutes and I am going to mention libressl and get a
discussion going.

One of the things I wanted to discuss is about priv escalation.

Just to make sure I understand what is expected of issetugid() - could you
perhaps, in terms of ls -l output with suid programs describe the
sequence(s) where the value should be 1 - and especially, when they might
(read should) be 0.

From memory of what I read (how I understood) the man page, if was
superuser, and am still user - then 0 is appropriate. However, if was
superuser (euid == 0) and a setuid call is used to demote/lower privilege
then 1 is the correct value.
Also, if euid != 0 and an suid bit makes euid == 0 then the value should be
one.

Lastly, I am thinking that if a program starts as euid (even ruid) == 0,
but used setuid to implement a safe-mode (i.e., not running as root)
issetugid() should also return 1.

I just repeated the process of configure, make, make check - but with
OBJECT_MODE=64 and one test fails: asn1test.

No time to look at it right now. This evening I will download the tree and
test.

Atm I am testing with no openssl installed. I would like to be able to run
the whole process without needing autoconf/automake (because that requires
additional libraries). And I need to figure out a better way to get the
libraries to take a suffix of _64 so I can have both 32 and 64 bit support
- eventually.

Adding the configure setting: --program-suffix=_64 did not have any
effect I could discover.

re: the library loader - you can see what libpath is compiled into a
program and/or a library member using dump -H. At least, that is how I
examine it.

regards,
Michael

On Wed, Apr 8, 2015 at 10:28 PM, Brent Cook bust...@gmail.com wrote:

> Thanks Michael,
>
> I have incorporated some initial AIX patches - can you please check out
> the latest tree?
>
> https://github.com/libressl-portable/portable/commit/fe3f7fc6365bfaac3418a72256b8c11603e80cbf
>
> https://github.com/libressl-portable/openbsd/commit/37d8e3c080e7c73158093f253d8e06fa1906dc03
>
> There are a few changes from your original patch set, but this should make
> it easier to move forward now that they are in-tree. You can just patch on
> top of that rather than sending the whole thing.
>
> I undid some of the formatting changes for the getentropy file so it
> matched the other files - the style is intentional between the files so it's
> easy to diff between them to spot changes. The perfstat stuff moves into
> the inner loop like the other files as well. I added the network counters
> (we have network counters on OS X too), but also added wpar cpu stats.
>
> The issetugid currently short circuits to always return '1' because I
> think it still needs some work, as we discussed earlier. If we can't find a
> way to make it work, a failsafe version isn't really a bad thing for most
> uses.
>
> Also, I didn't add the configure.ac line that set CFLAGS to empty string
> that was in the original patch. The current master branch has switched to
> letting autoconf initialize the CFLAGS directly. This worked fine with gcc
> when I tried it, but I'd be interested in seeing how it works with other
> AIX compilers.
>
> One slightly annoying thing I found was the system library loader would
> find other versions of libcrypto.a / libssl.a under LIBPATH and try to load
> those when running binaries in-tree rather than the build versions. I don't
> know if that was just a misconfiguration with my system.
>
>  - Brent
>
> > On Apr 8, 2015, at 9:19 PM, Michael Felt aixto...@gmail.com wrote:
> >
> > I applied the patch I had sent in before, made one change (correction) -
> > correcting a typo that Brent had pointed out (netinfo that needs to be
> > diskinfo) in the getentrophy_aix.c
> >
> > If you need the patch again, I can send it again. I am curious about
> > whether this is moving forward - and if there is anything extra I can do to
> > assist.
> >
> > Testsuite summary for libressl 2.1.6
> >
> > # TOTAL: 47
> > # PASS:  47
> > # SKIP:  0
> > # XFAIL: 0
> > # FAIL:  0
> > # XPASS: 0
> > # ERROR: 0
> >
> > regards,
> > Michael




Re: autoinstall(8) tweaks

2015-04-09 Thread Theo de Raadt
> But it seems people are expected to build a custom bsd.rd if they
> want something different so I'll bow out of this conversation.

No, the situation is that less than 1% of the user community
apparently have a secret usage case, but never manage to explain it.