Re: new feature in pkg_add(1)

[Patrik Lundin]

On Wed, Jun 22, 2016 at 02:19:26PM +0200, Marc Espie wrote:
> On Tue, Jun 21, 2016 at 10:43:07PM +0200, Patrik Lundin wrote:
> > The reason for doing this is that it is much faster than just blindly
> > trying to install a package, and does not hammer mirrors needlessly.
> > 
> > Are there any plans to teach pkg_info -e about "%"? Is it even possible?
> 
> Okay, just committed the exit code fix.
> 
> pkg_info -Iq inst:python%3.5
> will perform just as you would expect.

Awesome :).

I will play around with this and see what I can come up with, thanks!

-- 
Patrik Lundin

Re: Allow device/fifo creation with zipped archives

[Sebastien Marie]

On Wed, Jun 22, 2016 at 09:02:03PM -0400, tro...@kagu-tsuchi.com wrote:
> As brought up on misc@ pax doesn't allow creation of devices or fifos without
> the p flag, however this is only when the archive is not compressed.  If you
> compress the archive, you can create them upon decompression/unarchiving.  
> Since dpath was added to allow creation of devices in the pledge call for the
> non-compression code path, I am assuming it was meant to be added to the
> compresson code path as well.
> 
> Tim.
> 
> 
> Index: pax.c
> ===
> RCS file: /cvs/src/bin/pax/pax.c,v
> retrieving revision 1.44
> diff -u -p -r1.44 pax.c
> --- pax.c 16 Dec 2015 01:39:11 -  1.44
> +++ pax.c 23 Jun 2016 00:40:55 -
> @@ -267,7 +267,7 @@ main(int argc, char **argv)
>  
>   /* Copy mode, or no gzip -- don't need to fork/exec. */
>   if (gzip_program == NULL || act == COPY) {
> - if (pledge("stdio rpath wpath fattr cpath getpw ioctl",
> + if (pledge("stdio rpath wpath dpath fattr cpath getpw 
> ioctl",
>   NULL) == -1)
>   err(1, "pledge");
>   }
> 

I agree with your diff. 

While here, reorder pledge promises to make the order consistent in pax.
There are 3 pledges calls and with same order it makes differencies more
obvious.

OK ?
-- 
Sebastien Marie

Index: pax.c
===
RCS file: /cvs/src/bin/pax/pax.c,v
retrieving revision 1.44
diff -u -p -r1.44 pax.c
--- pax.c   16 Dec 2015 01:39:11 -  1.44
+++ pax.c   23 Jun 2016 04:38:34 -
@@ -261,13 +261,13 @@ main(int argc, char **argv)
 * so can't pledge at all then.
 */
if (pmode == 0 || (act != EXTRACT && act != COPY)) {
-   if (pledge("stdio rpath wpath cpath dpath fattr getpw ioctl 
proc exec",
+   if (pledge("stdio rpath wpath cpath fattr dpath getpw ioctl 
proc exec",
NULL) == -1)
err(1, "pledge");
 
/* Copy mode, or no gzip -- don't need to fork/exec. */
if (gzip_program == NULL || act == COPY) {
-   if (pledge("stdio rpath wpath fattr cpath getpw ioctl",
+   if (pledge("stdio rpath wpath cpath fattr dpath getpw 
ioctl",
NULL) == -1)
err(1, "pledge");
}

Re: sqlite3 update

[Ted Unangst]

Stuart Henderson wrote:
> Turns out I forgot about the pthread stubs, without which there
> are build failures in mandoc and various ports things unless we link
> them with -lpthread. This broke a few things in my first ports test
> build, but thanks to guenther's work it should now be valid to pull
> this in via an inter-library dependency rather than having to
> sprinkle it over mandoc and lots of the ports tree.


> Index: Makefile
> -# so that it works with NO THREADS
> -SRCS +=  pthread_stub.c
> -
> -#mem3.c mem5.c
> +SRCS =   sqlite3.c
> +LDADD =  -lpthread

Why are we dropping the stubs in favor of linking with libpthread?

Re: opencvs - fix revision lookups for branches

[Michael W. Bombardieri]

Yes please. As noted in older thread that XXX block in rcs.c produced side 
effects with cvs annotate.
https://marc.info/?l=openbsd-tech=144757775319206=2


On Wed, Jun 22, 2016 at 05:20:01PM +0200, Joris Vink wrote:
> On Wed, Jun 22, 2016 at 09:07:03AM -0600, Todd C. Miller wrote:
> > On Wed, 22 Jun 2016 12:21:56 +0200, Joris Vink wrote:
> > > Index: rcs.c
> > > ===
> > > RCS file: /cvs/src/usr.bin/cvs/rcs.c,v
> > > retrieving revision 1.313
> > > diff -u -p -r1.313 rcs.c
> > > --- rcs.c 5 Nov 2015 09:48:21 -   1.313
> > > +++ rcs.c 22 Jun 2016 09:52:04 -
> > > @@ -1796,17 +1796,13 @@ rcs_rev_getlines(RCSFILE *rfp, RCSNUM *f
> > >  
> > >  again:
> > >   for (;;) {
> > > + if (rdp == NULL)
> > > + break;
> > 
> > Wouldn't this be easier to read as:
> > 
> > while (rdp != NULL) {
> 
> Yes, updated diff below.
> 
> .joris
> 
> Index: rcs.c
> ===
> RCS file: /cvs/src/usr.bin/cvs/rcs.c,v
> retrieving revision 1.313
> diff -u -p -r1.313 rcs.c
> --- rcs.c 5 Nov 2015 09:48:21 -   1.313
> +++ rcs.c 22 Jun 2016 15:13:14 -
> @@ -1795,18 +1795,11 @@ rcs_rev_getlines(RCSFILE *rfp, RCSNUM *f
>   goto done;
>  
>  again:
> - for (;;) {
> + while (rdp != NULL) {
>   if (rdp->rd_next->rn_len != 0) {
>   trdp = rcs_findrev(rfp, rdp->rd_next);
>   if (trdp == NULL)
>   fatal("failed to grab next revision");
> - } else {
> - /*
> -  * XXX Fail, although the caller does not always do the
> -  * right thing (eg cvs diff when the tree is ahead of
> -  * the repository).
> -  */
> - break;
>   }
>  
>   if (rdp->rd_tlen == 0) {
> @@ -1857,7 +1850,7 @@ again:
>   }
>  
>  next:
> - if (!rcsnum_differ(rdp->rd_num, frev))
> + if (rdp == NULL || !rcsnum_differ(rdp->rd_num, frev))
>   done = 1;
>  
>   if (RCSNUM_ISBRANCHREV(frev) && done != 1) {
> @@ -2045,6 +2038,7 @@ rcs_rev_getbuf(RCSFILE *rfp, RCSNUM *rev
>   struct rcs_delta *rdp;
>   struct rcs_lines *lines;
>   struct rcs_line *lp, *nlp;
> + char version[RCSNUM_MAXSTR];
>   BUF *bp;
>  
>   rdp = NULL;
> @@ -2057,8 +2051,12 @@ rcs_rev_getbuf(RCSFILE *rfp, RCSNUM *rev
>   expmode = rcs_kwexp_get(rfp);
>  
>   if (!(expmode & RCS_KWEXP_NONE)) {
> - if ((rdp = rcs_findrev(rfp, rev)) == NULL)
> - fatal("could not fetch revision");
> + if ((rdp = rcs_findrev(rfp, rev)) == NULL) {
> + rcsnum_tostr(rev, version, sizeof(version));
> + fatal("could not find desired version %s in %s",
> + version, rfp->rf_path);
> + }
> +
>   expand = 1;
>   }
>   }
> 

unit test for fix included in r1.13 of bin/cat/cat.c

[Sevan Janiyan]

Hello,
The patch below adds a regress test to check the behaviour of cat when
invoked with the flags '-se' to ensure blank lines contain a dollar sign.
The attached patch reverts the fix from r1.13 on the latest version of
cat which allowed me to perform a comparison test.

This fix was committed to the tree over 14 years ago, I understand if
it's not of interest, I benefited from putting together the test.


Sevan Janiyan

Index: regress/bin/Makefile
===
RCS file: /cvs/src/regress/bin/Makefile,v
retrieving revision 1.9
diff -u -p -u -r1.9 Makefile
--- regress/bin/Makefile15 Jun 2015 09:25:22 -  1.9
+++ regress/bin/Makefile23 Jun 2016 02:43:46 -
@@ -1,6 +1,6 @@
 #  $OpenBSD: Makefile,v 1.9 2015/06/15 09:25:22 florian Exp $

-SUBDIR+= chmod ksh ln md5 pax ps systrace test
+SUBDIR+= cat chmod ksh ln md5 pax ps systrace test

 install:

Index: regress/bin/cat/Makefile
===
RCS file: regress/bin/cat/Makefile
diff -N regress/bin/cat/Makefile
--- /dev/null   1 Jan 1970 00:00:00 -
+++ regress/bin/cat/Makefile23 Jun 2016 02:43:46 -
@@ -0,0 +1,8 @@
+# $OpenBSD$
+
+REGRESS_TARGETS=cat_se
+
+cat_se:
+   cat -se ${.CURDIR}/cat_se.in | cmp -s ${.CURDIR}/cat_se.out /dev/stdin
+
+.include 
Index: regress/bin/cat/cat_se.in
===
RCS file: regress/bin/cat/cat_se.in
diff -N regress/bin/cat/cat_se.in
--- /dev/null   1 Jan 1970 00:00:00 -
+++ regress/bin/cat/cat_se.in   23 Jun 2016 02:43:46 -
@@ -0,0 +1,3 @@
+
+Free, functional and secure
+
Index: regress/bin/cat/cat_se.out
===
RCS file: regress/bin/cat/cat_se.out
diff -N regress/bin/cat/cat_se.out
--- /dev/null   1 Jan 1970 00:00:00 -
+++ regress/bin/cat/cat_se.out  23 Jun 2016 02:43:46 -
@@ -0,0 +1,3 @@
+$
+Free, functional and secure$
+$
Index: cat.c
===
RCS file: /cvs/src/bin/cat/cat.c,v
retrieving revision 1.24
diff -u -p -u -r1.24 cat.c
--- cat.c   4 Nov 2015 21:28:01 -   1.24
+++ cat.c   23 Jun 2016 02:35:15 -
@@ -145,23 +145,29 @@ cook_buf(FILE *fp)
line = gobble = 0;
for (prev = '\n'; (ch = getc(fp)) != EOF; prev = ch) {
if (prev == '\n') {
-   if (sflag) {
-   if (ch == '\n') {
-   if (gobble)
-   continue;
+   if (ch == '\n') {
+   if (sflag) {
+   if (!gobble && putchar(ch) == EOF)
+   break;
gobble = 1;
-   } else
-   gobble = 0;
-   }
-   if (nflag && (!bflag || ch != '\n')) {
+   continue;
+   }
+   if (nflag && !bflag) {
+   (void)fprintf(stdout, "%6d\t", ++line);
+   if (ferror(stdout))
+   break;
+   }
+   } else if (nflag) {
(void)fprintf(stdout, "%6d\t", ++line);
if (ferror(stdout))
break;
}
}
+   gobble = 0;
if (ch == '\n') {
-   if (eflag && putchar('$') == EOF)
-   break;
+   if (eflag)
+   if (putchar('$') == EOF)
+   break;
} else if (ch == '\t') {
if (tflag) {
if (putchar('^') == EOF || putchar('I') == EOF)

Allow device/fifo creation with zipped archives

[trondd]

As brought up on misc@ pax doesn't allow creation of devices or fifos without
the p flag, however this is only when the archive is not compressed.  If you
compress the archive, you can create them upon decompression/unarchiving.  
Since dpath was added to allow creation of devices in the pledge call for the
non-compression code path, I am assuming it was meant to be added to the
compresson code path as well.

Tim.


Index: pax.c
===
RCS file: /cvs/src/bin/pax/pax.c,v
retrieving revision 1.44
diff -u -p -r1.44 pax.c
--- pax.c   16 Dec 2015 01:39:11 -  1.44
+++ pax.c   23 Jun 2016 00:40:55 -
@@ -267,7 +267,7 @@ main(int argc, char **argv)
 
/* Copy mode, or no gzip -- don't need to fork/exec. */
if (gzip_program == NULL || act == COPY) {
-   if (pledge("stdio rpath wpath fattr cpath getpw ioctl",
+   if (pledge("stdio rpath wpath dpath fattr cpath getpw 
ioctl",
NULL) == -1)
err(1, "pledge");
}

Re: sqlite3 update

[Stuart Henderson]

On 2016/06/22 00:10, Stuart Henderson wrote:
> On 2016/06/08 19:01, James Turner wrote:
> > I prefer option 2. Switch to the amalgamation with our changes on top.
> 
> I've been looking at this. I don't really like any of the options
> but this seems the "least worst" one. I'm not terribly happy about
> this, but I don't see what else we can really do at present.
> 
> Current version of this diff is a horrendous 480K lines / 17MB
> uncompressed, so it's at https://junkpile.org/sqlite-3.11.0.diff.gz
> rather than in this mail, and I am just starting a ports build
> with it.

Results from the ports build are in. pthread is a slight problem;
most things are fine, but there are a couple of ports which statically
link libsqlite3 and those of course don't pull in libpthread.

Re: pf divert port reuse

[Alexander Bluhm]

On Wed, Jun 22, 2016 at 08:15:09PM +0200, Mike Belopuhov wrote:
> Can you or benno test NAT64 with this change?
> In case of weird behavior do this:
> 
> int sidx = pd->af == pd->naf ? pd->sidx : pd->didx;
> int didx = pd->af == pd->naf ? pd->didx : pd->sidx;
> 
> And use sidx/didx throughout instead of pd->sidx and pd->didx.
> 
> I'm pretty sure you need to do this trick, but I'm not 100%
> certain.

af-to state lookup in pf_get_sport() is quite broken.

Jun 23 00:25:26 q70 /bsd: pf: af-to inet6 rdr, 10.188.70.17:3003 -> 
10.188.216.114:7
Jun 23 00:25:26 q70 /bsd: pf: find state all dir=out, af=24, key0: 
fdd7:e83e:66bc:211:725f:caff:fe21:8d70[10001], key1: abc:d872::[7], proto=17
Jun 23 00:25:26 q70 /bsd: pf: af-to inet6 rdr done, prefixlen 120, 
fdd7:e83e:66bc:211:725f:caff:fe21:8d70[10001] -> 
fdd7:e83e:66bc:212:725f:caff:fe21:8d72[7]

Look at the key1: abc:d872::[7], that is the IPv4 address used as IPv6.
pf_get_transaddr_af() will fix the prefix later.

As there is more work to be done for af-to, I propose this version
of the nat-to fix.  With the explicit variables sidx and didx we
can swap it easily if we will need it.

bluhm

Index: net/pf_lb.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf_lb.c,v
retrieving revision 1.53
diff -u -p -r1.53 pf_lb.c
--- net/pf_lb.c 15 Jun 2016 11:36:06 -  1.53
+++ net/pf_lb.c 22 Jun 2016 22:18:30 -
@@ -155,6 +155,9 @@ pf_get_sport(struct pf_pdesc *pd, struct
struct pf_state_key_cmp key;
struct pf_addr  init_addr;
u_int16_t   cut;
+   int dir = (pd->dir == PF_IN) ? PF_OUT : PF_IN;
+   int sidx = pd->sidx;
+   int didx = pd->didx;
 
bzero(_addr, sizeof(init_addr));
if (pf_map_addr(pd->naf, r, >nsaddr, naddr, _addr, sn, >nat,
@@ -182,9 +185,9 @@ pf_get_sport(struct pf_pdesc *pd, struct
key.af = pd->naf;
key.proto = pd->proto;
key.rdomain = pd->rdomain;
-   PF_ACPY([0], >ndaddr, key.af);
-   PF_ACPY([1], naddr, key.af);
-   key.port[0] = pd->ndport;
+   PF_ACPY([didx], >ndaddr, key.af);
+   PF_ACPY([sidx], naddr, key.af);
+   key.port[didx] = pd->ndport;
 
/*
 * port search; start random, step;
@@ -194,20 +197,20 @@ pf_get_sport(struct pf_pdesc *pd, struct
pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6)) {
/* XXX bug: icmp states dont use the id on both
 * XXX sides (traceroute -I through nat) */
-   key.port[1] = pd->nsport;
-   if (pf_find_state_all(, PF_IN, NULL) == NULL) {
+   key.port[sidx] = pd->nsport;
+   if (pf_find_state_all(, dir, NULL) == NULL) {
*nport = pd->nsport;
return (0);
}
} else if (low == 0 && high == 0) {
-   key.port[1] = pd->nsport;
-   if (pf_find_state_all(, PF_IN, NULL) == NULL) {
+   key.port[sidx] = pd->nsport;
+   if (pf_find_state_all(, dir, NULL) == NULL) {
*nport = pd->nsport;
return (0);
}
} else if (low == high) {
-   key.port[1] = htons(low);
-   if (pf_find_state_all(, PF_IN, NULL) == NULL) {
+   key.port[sidx] = htons(low);
+   if (pf_find_state_all(, dir, NULL) == NULL) {
*nport = htons(low);
return (0);
}
@@ -223,16 +226,16 @@ pf_get_sport(struct pf_pdesc *pd, struct
cut = arc4random_uniform(1 + high - low) + low;
/* low <= cut <= high */
for (tmp = cut; tmp <= high; ++(tmp)) {
-   key.port[1] = htons(tmp);
-   if (pf_find_state_all(, PF_IN, NULL) ==
+   key.port[sidx] = htons(tmp);
+   if (pf_find_state_all(, dir, NULL) ==
NULL && !in_baddynamic(tmp, pd->proto)) {
*nport = htons(tmp);
return (0);
}
}
for (tmp = cut - 1; tmp >= low; --(tmp)) {
-   key.port[1] = htons(tmp);
-   if (pf_find_state_all(, PF_IN, NULL) ==
+   key.port[sidx] = htons(tmp);
+   if (pf_find_state_all(, dir, 

Re: [PATCH] let the mbufs use more then 4gb of memory

[Theo de Raadt]

> secondly, allocating more than 4g at a time to socket buffers is
> generally a waste of memory.

and there is one further problem.

Eventually, this subsystem will starve the system.  Other subsystems
which also need large amounts of memory, then have to scramble.  There
have to be backpressure mechanisms in each subsystem to force out
memory.

There is no such mechanism in socket buffers.

The mechanisms in the remaining parts of the kernel have always proven
to be weak, as in, they don't interact as nicely as we want, to create
space.  There has been much work to make them work better.

However in socket buffers, there is no such mechanism.  What are
you going to do.  Throw data away?  You can't do that.  Therefore,
you are holding the remaining system components hostage, and your
diff creates deadlock.

You probably tested your diff under ideal conditions with gobs of
memory...

 

Re: klog message buffer full

[Theo de Raadt]

> But if install kernel size is not that important, I can remove both
> ifdefs.

Kernel size does matter on the ramdisks.  But excessive sprinkling of
#ifdef gets out of control in some types of code.  Then it better to
forego it, and find a different target where it is less gross.   As
long as we have some anti-growth discipline, bsd.rd ends up being a
fairly full featured kernel, and we won't eventually hit a mistake of
"oh shit, the script needs this thing and we killed it on bsd.rd.."
(and btw, that tends to matter more for upgrades, than installs)

Re: klog message buffer full

[Alexander Bluhm]

On Wed, Jun 22, 2016 at 05:08:24PM -0400, Ted Unangst wrote:
> Alexander Bluhm wrote:
> > +#ifndef SMALL_KERNEL
> > +   if (mbp->msg_bufd > 0) {
> > +   char buf[64];
> 
> This is not so much code that I'm worried about it on small kernels. Rather,
> now you have the same problem where some kernels print correct information and
> some don't. I guess there's no syslog on ramdisk, so moot point? But I've been
> aggravated before by unexpected small kernel differences.

I have the #ifndef SMALL_KERNEL also in sendsyslog counting and I
wanted to be consistent.  There is no syslogd on ramdisk, so the
feature is useless there.  Besides code we also save the size of
the format strings.

But if install kernel size is not that important, I can remove both
ifdefs.

bluhm

Re: [PATCH] let the mbufs use more then 4gb of memory

[Claudio Jeker]

On Wed, Jun 22, 2016 at 01:58:25PM +0200, Simon Mages wrote:
> On a System where you use the maximum socketbuffer size of 256kbyte you
> can run out of memory after less then 9k open sockets.
> 
> My patch adds a new uvm_constraint for the mbufs with a bigger memory area.
> I choose this area after reading the comments in 
> sys/arch/amd64/include/pmap.h.
> This patch further changes the maximum sucketbuffer size from 256k to 1gb as
> it is described in the rfc1323 S2.3.

You read that RFC wrong. I see no reason to increase the socketbuffer size
to such a huge value. A change like this is currently not acceptable.
 
> I tested this diff with the ix, em and urndis driver. I know that this
> diff only works
> for amd64 right now, but i wanted to send this diff as a proposal what could 
> be
> done. Maybe somebody has a different solution for this Problem or can me why
> this is a bad idea.
> 

Are you sure that all drivers are able to handle memory with physical
addresses that are more than 32bit long? I doubt this. I think a lot more
is needed than this diff to make this work even just for amd64.

> 
> Index: arch/amd64/amd64/bus_dma.c
> ===
> RCS file: /openbsd/src/sys/arch/amd64/amd64/bus_dma.c,v
> retrieving revision 1.49
> diff -u -p -u -p -r1.49 bus_dma.c
> --- arch/amd64/amd64/bus_dma.c17 Dec 2015 17:16:04 -  1.49
> +++ arch/amd64/amd64/bus_dma.c22 Jun 2016 11:33:17 -
> @@ -584,7 +584,7 @@ _bus_dmamap_load_buffer(bus_dma_tag_t t,
>*/
>   pmap_extract(pmap, vaddr, (paddr_t *));
> 
> - if (curaddr > dma_constraint.ucr_high)
> + if (curaddr > mbuf_constraint.ucr_high)
>   panic("Non dma-reachable buffer at curaddr %#lx(raw)",
>   curaddr);
> 
> Index: arch/amd64/amd64/machdep.c
> ===
> RCS file: /openbsd/src/sys/arch/amd64/amd64/machdep.c,v
> retrieving revision 1.221
> diff -u -p -u -p -r1.221 machdep.c
> --- arch/amd64/amd64/machdep.c21 May 2016 00:56:43 -  1.221
> +++ arch/amd64/amd64/machdep.c22 Jun 2016 11:33:17 -
> @@ -202,9 +202,11 @@ struct vm_map *phys_map = NULL;
>  /* UVM constraint ranges. */
>  struct uvm_constraint_range  isa_constraint = { 0x0, 0x00ffUL };
>  struct uvm_constraint_range  dma_constraint = { 0x0, 0xUL };
> +struct uvm_constraint_range  mbuf_constraint = { 0x0, 0xfUL };
>  struct uvm_constraint_range *uvm_md_constraints[] = {
>  _constraint,
>  _constraint,
> +_constraint,
>  NULL,
>  };
> 
> Index: kern/uipc_mbuf.c
> ===
> RCS file: /openbsd/src/sys/kern/uipc_mbuf.c,v
> retrieving revision 1.226
> diff -u -p -u -p -r1.226 uipc_mbuf.c
> --- kern/uipc_mbuf.c  13 Jun 2016 21:24:43 -  1.226
> +++ kern/uipc_mbuf.c  22 Jun 2016 11:33:18 -
> @@ -153,7 +153,7 @@ mbinit(void)
> 
>   pool_init(, MSIZE, 0, 0, 0, "mbufpl", NULL);
>   pool_setipl(, IPL_NET);
> - pool_set_constraints(, _dma_contig);
> + pool_set_constraints(, _mbuf_contig);
>   pool_setlowat(, mblowat);
> 
>   pool_init(, PACKET_TAG_MAXSIZE + sizeof(struct m_tag),
> @@ -166,7 +166,7 @@ mbinit(void)
>   pool_init([i], mclsizes[i], 0, 0, 0,
>   mclnames[i], NULL);
>   pool_setipl([i], IPL_NET);
> - pool_set_constraints([i], _dma_contig);
> + pool_set_constraints([i], _mbuf_contig);
>   pool_setlowat([i], mcllowat);
>   }
> 
> Index: sys/socketvar.h
> ===
> RCS file: /openbsd/src/sys/sys/socketvar.h,v
> retrieving revision 1.60
> diff -u -p -u -p -r1.60 socketvar.h
> --- sys/socketvar.h   25 Feb 2016 07:39:09 -  1.60
> +++ sys/socketvar.h   22 Jun 2016 11:33:18 -
> @@ -112,7 +112,7 @@ struct socket {
>   short   sb_flags;   /* flags, see below */
>   u_short sb_timeo;   /* timeout for read/write */
>   } so_rcv, so_snd;
> -#define  SB_MAX  (256*1024)  /* default for max chars in 
> sockbuf */
> +#define  SB_MAX  (1024*1024*1024)/* default for max chars in 
> sockbuf */
>  #define  SB_LOCK 0x01/* lock on data queue */
>  #define  SB_WANT 0x02/* someone is waiting to lock */
>  #define  SB_WAIT 0x04/* someone is waiting for 
> data/space */
> Index: uvm/uvm_extern.h
> ===
> RCS file: /openbsd/src/sys/uvm/uvm_extern.h,v
> retrieving revision 1.139
> diff -u -p -u -p -r1.139 uvm_extern.h
> --- uvm/uvm_extern.h  5 Jun 2016 08:35:57 -   1.139
> +++ uvm/uvm_extern.h  22 Jun 2016 11:33:18 -
> @@ -234,6 +234,7 @@ extern struct uvmexp uvmexp;
>  /* Constraint 

Re: klog message buffer full

[Ted Unangst]

Alexander Bluhm wrote:
> This also gets me closer to my goal of reliable logging.
> 
> Do we want this feature?

yes, and I'd say always.

> +#ifndef SMALL_KERNEL
> + if (mbp->msg_bufd > 0) {
> + char buf[64];

This is not so much code that I'm worried about it on small kernels. Rather,
now you have the same problem where some kernels print correct information and
some don't. I guess there's no syslog on ramdisk, so moot point? But I've been
aggravated before by unexpected small kernel differences.

Re: klog message buffer full

[Todd C. Miller]

On Wed, 22 Jun 2016 22:14:19 +0200, Alexander Bluhm wrote:

> When doing usb debugging with a lot of kernel printfs, the dmesg
> buffer can overflow easily.  It is annoying that you don't notice
> this.  Then it is hard to correlate the messages.
> 
> So to make clear what happens, I would like to write such a message
> to syslogd:
> Jun 22 21:58:16 t430s /bsd: usbd_start_next: pipe=0x803cf
> Jun 22 21:58:16 t430s /bsd: klog: dropped 75602 bytes, message buffer full
> Jun 22 21:58:16 t430s /bsd: b_transfer_complete: repeat=0 new head=0x0
> 
> This also gets me closer to my goal of reliable logging.
> 
> Do we want this feature?

I think so.  Ultimately it would be nice to queue up messages in
the kernel for later delivery but for now just logging that messages
were dropped is an improvement.

 - todd

update nsd to 4.1.7 -> 4.1.10

[Florian Obser]

Lightly tested, I will test AXFR with tsig tomorrow.

tests / OKs?

diff --git Makefile.in Makefile.in
index 9103291..3fbd01b 100644
--- Makefile.in
+++ Makefile.in
@@ -439,9 +439,9 @@ xfrd-disk.o: $(srcdir)/xfrd-disk.c config.h 
$(srcdir)/xfrd-disk.h $(srcdir)/xfrd
 xfrd-notify.o: $(srcdir)/xfrd-notify.c config.h $(srcdir)/xfrd-notify.h 
$(srcdir)/tsig.h $(srcdir)/buffer.h \
  $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dname.h 
$(srcdir)/rbtree.h $(srcdir)/xfrd.h $(srcdir)/namedb.h $(srcdir)/dns.h \
  $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/xfrd-tcp.h 
$(srcdir)/packet.h
-xfrd-tcp.o: $(srcdir)/xfrd-tcp.c config.h $(srcdir)/xfrd-tcp.h 
$(srcdir)/xfrd.h $(srcdir)/rbtree.h \
- $(srcdir)/region-allocator.h $(srcdir)/namedb.h $(srcdir)/dname.h 
$(srcdir)/buffer.h $(srcdir)/util.h $(srcdir)/dns.h $(srcdir)/radtree.h \
- $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/packet.h $(srcdir)/xfrd-disk.h
+xfrd-tcp.o: $(srcdir)/xfrd-tcp.c config.h $(srcdir)/nsd.h $(srcdir)/dns.h 
$(srcdir)/edns.h $(srcdir)/buffer.h \
+ $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/xfrd-tcp.h 
$(srcdir)/xfrd.h $(srcdir)/rbtree.h $(srcdir)/namedb.h $(srcdir)/dname.h \
+ $(srcdir)/radtree.h $(srcdir)/options.h $(srcdir)/tsig.h $(srcdir)/packet.h 
$(srcdir)/xfrd-disk.h
 zlexer.o: zlexer.c config.h $(srcdir)/zonec.h $(srcdir)/namedb.h 
$(srcdir)/dname.h $(srcdir)/buffer.h \
  $(srcdir)/region-allocator.h $(srcdir)/util.h $(srcdir)/dns.h 
$(srcdir)/radtree.h $(srcdir)/rbtree.h zparser.h
 zonec.o: $(srcdir)/zonec.c config.h $(srcdir)/zonec.h $(srcdir)/namedb.h 
$(srcdir)/dname.h $(srcdir)/buffer.h \
diff --git acx_nlnetlabs.m4 acx_nlnetlabs.m4
index 26513e4..a6c174f 100644
--- acx_nlnetlabs.m4
+++ acx_nlnetlabs.m4
@@ -2,7 +2,11 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 30
+# Version 34
+# 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
+# 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
+# 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
+# 2015-12-11 FLTO check for new OSX, clang.
 # 2015-11-18 spelling check fix.
 # 2015-11-05 ACX_SSL_CHECKS no longer adds -ldl needlessly.
 # 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
@@ -241,7 +245,7 @@ ACX_CHECK_COMPILER_FLAG(xc99, [C99FLAG="-xc99"])
 
 AC_CHECK_HEADERS([getopt.h time.h],,, [AC_INCLUDES_DEFAULT])
 
-ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE 
-D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 
-D_ALL_SOURCE,
+ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE 
-D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 
-D_XOPEN_SOURCE_EXTENDED=1 -D_ALL_SOURCE,
 [
 #include "confdefs.h"
 #include 
@@ -276,9 +280,9 @@ int test() {
a = 0;
return a;
 }
-], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE 
-D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 
-D_ALL_SOURCE"])
+], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE 
-D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 
-D_ALL_SOURCE"])
 
-ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE 
-D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE,
+ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE 
-D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE,
 [
 #include "confdefs.h"
 #include 
@@ -313,7 +317,7 @@ int test() {
a = 0;
return a;
 }
-], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE 
-D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE"])
+], [CFLAGS="$CFLAGS $C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAULT_SOURCE 
-D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_ALL_SOURCE"])
 
 ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG,
 [
@@ -325,7 +329,7 @@ int test() {
 }
 ], [CFLAGS="$CFLAGS $C99FLAG"])
 
-ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE,
+ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE -D_DEFAULT_SOURCE,
 [
 #include 
 
@@ -334,7 +338,7 @@ int test() {
 a = isascii(32);
 return a;
 }
-], [CFLAGS="$CFLAGS -D_BSD_SOURCE"])
+], [CFLAGS="$CFLAGS -D_BSD_SOURCE -D_DEFAULT_SOURCE"])
 
 ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE,
 [
@@ -423,7 +427,7 @@ AC_DEFUN([ACX_CHECK_FLTO], [
 BAKCFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS -flto"
 AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
-if $CC $CFLAGS -o conftest conftest.c 2>&1 | grep "warning: no 
debug symbols in executable" >/dev/null; then
+if $CC $CFLAGS -o conftest conftest.c 2>&1 | $GREP -e "warning: no 
debug symbols in executable" -e "warning: object" >/dev/null; then
 CFLAGS="$BAKCFLAGS"
 AC_MSG_RESULT(no)
 else
@@ -669,16 +673,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 ACX_RUNTIME_PATH_ADD([$ssldir/lib])
 fi
 
-  

klog message buffer full

[Alexander Bluhm]

Hi,

When doing usb debugging with a lot of kernel printfs, the dmesg
buffer can overflow easily.  It is annoying that you don't notice
this.  Then it is hard to correlate the messages.

So to make clear what happens, I would like to write such a message
to syslogd:
Jun 22 21:58:16 t430s /bsd: usbd_start_next: pipe=0x803cf
Jun 22 21:58:16 t430s /bsd: klog: dropped 75602 bytes, message buffer full
Jun 22 21:58:16 t430s /bsd: b_transfer_complete: repeat=0 new head=0x0

This also gets me closer to my goal of reliable logging.

Do we want this feature?

bluhm

Index: kern/subr_log.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/kern/subr_log.c,v
retrieving revision 1.46
diff -u -p -r1.46 subr_log.c
--- kern/subr_log.c 8 Jun 2016 11:11:47 -   1.46
+++ kern/subr_log.c 22 Jun 2016 20:09:08 -
@@ -155,6 +155,7 @@ msgbuf_putchar(struct msgbuf *mbp, const
if (mbp->msg_bufr == mbp->msg_bufx) {
if (++mbp->msg_bufr >= mbp->msg_bufs)
mbp->msg_bufr = 0;
+   mbp->msg_bufd++;
}
splx(s);
 }
@@ -200,6 +201,21 @@ logread(dev_t dev, struct uio *uio, int 
goto out;
}
logsoftc.sc_state &= ~LOG_RDWAIT;
+
+#ifndef SMALL_KERNEL
+   if (mbp->msg_bufd > 0) {
+   char buf[64];
+
+   l = snprintf(buf, sizeof(buf),
+   "<%d>klog: dropped %ld byte%s, message buffer full\n",
+   LOG_KERN|LOG_WARNING, mbp->msg_bufd,
+mbp->msg_bufd == 1 ? "" : "s");
+   error = uiomove(buf, ulmin(l, sizeof(buf) - 1), uio);
+   if (error)
+   goto out;
+   mbp->msg_bufd = 0;
+   }
+#endif
 
while (uio->uio_resid > 0) {
if (mbp->msg_bufx >= mbp->msg_bufr)
Index: sys/msgbuf.h
===
RCS file: /data/mirror/openbsd/cvs/src/sys/sys/msgbuf.h,v
retrieving revision 1.10
diff -u -p -r1.10 msgbuf.h
--- sys/msgbuf.h13 Jan 2015 18:51:27 -  1.10
+++ sys/msgbuf.h22 Jun 2016 19:45:10 -
@@ -39,6 +39,7 @@ structmsgbuf {
longmsg_bufr;   /* read pointer */
longmsg_bufs;   /* real msg_bufc size (bytes) */
longmsg_bufl;   /* # chars, <= msg_bufs */
+   longmsg_bufd;   /* number of dropped bytes */
charmsg_bufc[1];/* buffer */
 };
 #ifdef _KERNEL

Re: Stop mesa W^X violations

[Matthieu Herrb]

On Mon, Jun 20, 2016 at 10:22:58PM +0200, Mark Kettenis wrote:
> As reported by several people, mesa contains code that violates W^X.
> As a result glxgears aborts when using the swrast driver.  The diff
> below disables the offending code.  The code seems to deal the absence
> of W|X memory just fine.  There is a fallback path that is also used
> on SELinux systems.
> 
> Note that the existing code would have worked just fine if mmap
> returned MAP_FAILED for W^X violations instead of terminating the
> program.  Not entirely sure what the long-term plans are.
>

Ok matthieu@

> 
> Index: src/gallium/auxiliary/rtasm/rtasm_execmem.c
> ===
> RCS file: /cvs/xenocara/lib/mesa/src/gallium/auxiliary/rtasm/rtasm_execmem.c,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 rtasm_execmem.c
> --- src/gallium/auxiliary/rtasm/rtasm_execmem.c   22 Nov 2015 02:43:24 
> -  1.1.1.1
> +++ src/gallium/auxiliary/rtasm/rtasm_execmem.c   20 Jun 2016 20:08:37 
> -
> @@ -69,6 +69,16 @@ static struct mem_block *exec_heap = NUL
>  static unsigned char *exec_mem = NULL;
>  
>  
> +#ifdef __OpenBSD__
> +
> +static int
> +init_heap(void)
> +{
> +   return 0;
> +}
> +
> +#else
> +
>  static int
>  init_heap(void)
>  {
> @@ -82,6 +92,8 @@ init_heap(void)
>  
> return (exec_mem != MAP_FAILED);
>  }
> +
> +#endif
>  
>  
>  void *
> Index: src/mapi/u_execmem.c
> ===
> RCS file: /cvs/xenocara/lib/mesa/src/mapi/u_execmem.c,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 u_execmem.c
> --- src/mapi/u_execmem.c  22 Nov 2015 02:45:44 -  1.1.1.1
> +++ src/mapi/u_execmem.c  20 Jun 2016 20:08:39 -
> @@ -45,8 +45,15 @@ static unsigned int head = 0;
>  
>  static unsigned char *exec_mem = (unsigned char *)0;
>  
> +#if defined(__OpenBSD__)
>  
> -#if defined(__linux__) || defined(__OpenBSD__) || defined(_NetBSD__) || 
> defined(__sun) || defined(__HAIKU__)
> +static int
> +init_map(void)
> +{
> +  return 0;
> +}
> +
> +#elif defined(__linux__) || defined(_NetBSD__) || defined(__sun) || 
> defined(__HAIKU__)
>  
>  #include 
>  #include 
> Index: src/mesa/main/execmem.c
> ===
> RCS file: /cvs/xenocara/lib/mesa/src/mesa/main/execmem.c,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 execmem.c
> --- src/mesa/main/execmem.c   22 Nov 2015 02:39:37 -  1.1.1.1
> +++ src/mesa/main/execmem.c   20 Jun 2016 20:08:40 -
> @@ -36,7 +36,15 @@
>  
>  
>  
> -#if defined(__linux__) || defined(__OpenBSD__) || defined(_NetBSD__) || 
> defined(__sun) || defined(__HAIKU__)
> +#if defined(__OpenBSD__)
> +
> +static int
> +init_heap(void)
> +{
> +  return 0;
> +}
> +
> +#elif defined(__linux__) || defined(_NetBSD__) || defined(__sun) || 
> defined(__HAIKU__)
>  
>  /*
>   * Allocate a large block of memory which can hold code then dole it out

-- 
Matthieu Herrb


signature.asc
Description: PGP signature

Re: pf divert port reuse

[Alexander Bluhm]

On Tue, Jun 21, 2016 at 05:12:39PM +0200, Mike Belopuhov wrote:
> On Tue, Jun 21, 2016 at 16:08 +0200, Alexander Bluhm wrote:
> > On Tue, Jun 21, 2016 at 02:45:42PM +0200, Mike Belopuhov wrote:
> > > Unless I'm wrong, I have to retract my OK and ask you to fix
> > > the sport bit instead.
> > 
> > Yes, fixing it in pf_get_sport() is more correct.  I will try
> > to make a diff.
> >
> 
> Cool.

I have found an issue with pf_get_sport(), it only works for out
rules.  In my use case I have an in rule that does nat and diverts
to a socket.  Collisions with existing states were not found.

This diff fixes it, now I can trigger such a log message:
Jun 21 11:18:14 q70 /bsd: pf: pf: NAT proxy port allocation (1-10001) failed

Unfortunately it does not solve my orignal state key reuse problem.
But I suggest fixing things step by step.

ok?

bluhm

Index: net/pf_lb.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf_lb.c,v
retrieving revision 1.53
diff -u -p -r1.53 pf_lb.c
--- net/pf_lb.c 15 Jun 2016 11:36:06 -  1.53
+++ net/pf_lb.c 22 Jun 2016 17:08:06 -
@@ -155,6 +155,7 @@ pf_get_sport(struct pf_pdesc *pd, struct
struct pf_state_key_cmp key;
struct pf_addr  init_addr;
u_int16_t   cut;
+   int dir = (pd->dir == PF_IN) ? PF_OUT : PF_IN;
 
bzero(_addr, sizeof(init_addr));
if (pf_map_addr(pd->naf, r, >nsaddr, naddr, _addr, sn, >nat,
@@ -182,9 +183,9 @@ pf_get_sport(struct pf_pdesc *pd, struct
key.af = pd->naf;
key.proto = pd->proto;
key.rdomain = pd->rdomain;
-   PF_ACPY([0], >ndaddr, key.af);
-   PF_ACPY([1], naddr, key.af);
-   key.port[0] = pd->ndport;
+   PF_ACPY([pd->didx], >ndaddr, key.af);
+   PF_ACPY([pd->sidx], naddr, key.af);
+   key.port[pd->didx] = pd->ndport;
 
/*
 * port search; start random, step;
@@ -194,20 +195,20 @@ pf_get_sport(struct pf_pdesc *pd, struct
pd->proto == IPPROTO_ICMP || pd->proto == IPPROTO_ICMPV6)) {
/* XXX bug: icmp states dont use the id on both
 * XXX sides (traceroute -I through nat) */
-   key.port[1] = pd->nsport;
-   if (pf_find_state_all(, PF_IN, NULL) == NULL) {
+   key.port[pd->sidx] = pd->nsport;
+   if (pf_find_state_all(, dir, NULL) == NULL) {
*nport = pd->nsport;
return (0);
}
} else if (low == 0 && high == 0) {
-   key.port[1] = pd->nsport;
-   if (pf_find_state_all(, PF_IN, NULL) == NULL) {
+   key.port[pd->sidx] = pd->nsport;
+   if (pf_find_state_all(, dir, NULL) == NULL) {
*nport = pd->nsport;
return (0);
}
} else if (low == high) {
-   key.port[1] = htons(low);
-   if (pf_find_state_all(, PF_IN, NULL) == NULL) {
+   key.port[pd->sidx] = htons(low);
+   if (pf_find_state_all(, dir, NULL) == NULL) {
*nport = htons(low);
return (0);
}
@@ -223,16 +224,16 @@ pf_get_sport(struct pf_pdesc *pd, struct
cut = arc4random_uniform(1 + high - low) + low;
/* low <= cut <= high */
for (tmp = cut; tmp <= high; ++(tmp)) {
-   key.port[1] = htons(tmp);
-   if (pf_find_state_all(, PF_IN, NULL) ==
+   key.port[pd->sidx] = htons(tmp);
+   if (pf_find_state_all(, dir, NULL) ==
NULL && !in_baddynamic(tmp, pd->proto)) {
*nport = htons(tmp);
return (0);
}
}
for (tmp = cut - 1; tmp >= low; --(tmp)) {
-   key.port[1] = htons(tmp);
-   if (pf_find_state_all(, PF_IN, NULL) ==
+   key.port[pd->sidx] = htons(tmp);
+   if (pf_find_state_all(, dir, NULL) ==
NULL && !in_baddynamic(tmp, pd->proto)) {
*nport = htons(tmp);
return (0);

Re: Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

[Bob Beck]

I'm wondering outloud it we should remove the #define, instead of
leaving it in there. I.E. should we be deliberately
breaking anything making use of that?

At the very least this (along with the DH one) can probably #ifndef
LIBRESSL_INTERNAL - and failing that should
we nuke them and bump majors?


On Wed, Jun 22, 2016 at 7:44 AM, Brent Cook  wrote:
> This is another patch from César Pereida that disables the DH and RSA
> non-constant-time flags as well.
>
> ok?
>
> Index: src/crypto/dh/dh.h
> ===
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
> retrieving revision 1.16
> diff -u -p -u -p -r1.16 dh.h
> --- src/crypto/dh/dh.h  12 Jun 2014 15:49:28 -  1.16
> +++ src/crypto/dh/dh.h  22 Jun 2016 13:37:33 -
> @@ -78,12 +78,8 @@
>  #endif
>
>  #define DH_FLAG_CACHE_MONT_P 0x01
> -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
> -   * implementation now uses constant 
> time
> -   * modular exponentiation for secret 
> exponents
> -   * by default. This flag causes the
> -   * faster variable sliding window 
> method to
> -   * be used for all exponents.
> +#define DH_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this 
> switched off
> +   * constant time behaviour.
> */
>
>  /* If this flag is set the DH method is FIPS compliant and can be used
> Index: src/crypto/dh/dh_key.c
> ===
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
> retrieving revision 1.23
> diff -u -p -u -p -r1.23 dh_key.c
> --- src/crypto/dh/dh_key.c  9 Feb 2015 15:49:22 -   1.23
> +++ src/crypto/dh/dh_key.c  22 Jun 2016 13:37:33 -
> @@ -147,21 +147,21 @@ generate_key(DH *dh)
> }
>
> {
> -   BIGNUM local_prk;
> -   BIGNUM *prk;
> +   BIGNUM *prk = BN_new();
>
> -   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> -   BN_init(_prk);
> -   prk = _prk;
> -   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
> -   } else
> -   prk = priv_key;
> +   if (prk == NULL)
> +   goto err;
> +
> +   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
>
> if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
> -   mont))
> +   mont)) {
> +   BN_free(prk);
> goto err;
> +   }
> +   BN_free(prk);
> }
> -
> +
> dh->pub_key = pub_key;
> dh->priv_key = priv_key;
> ok = 1;
> @@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
> if (dh->flags & DH_FLAG_CACHE_MONT_P) {
> mont = BN_MONT_CTX_set_locked(>method_mont_p,
> CRYPTO_LOCK_DH, dh->p, ctx);
> -   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> -   /* XXX */
> -   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> -   }
> +
> +   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> +
> if (!mont)
> goto err;
> }
> @@ -238,16 +237,7 @@ static int
>  dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
>  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
>  {
> -   /*
> -* If a is only one word long and constant time is false, use the 
> faster
> -* exponenentiation function.
> -*/
> -   if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
> -   BN_ULONG A = a->d[0];
> -
> -   return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
> -   } else
> -   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
> +   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
>  }
>
>  static int
> Index: src/crypto/rsa/rsa.h
> ===
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
> retrieving revision 1.27
> diff -u -p -u -p -r1.27 rsa.h
> --- src/crypto/rsa/rsa.h14 Feb 2015 15:10:39 -  1.27
> +++ src/crypto/rsa/rsa.h22 Jun 2016 13:37:33 -
> @@ -195,13 +195,9 @@ struct rsa_st {
>  #define RSA_FLAG_NO_BLINDING   0x0080
>
>  /*
> - * The built-in RSA implementation uses constant time operations by default
> - * in private key operations, e.g., constant time modular exponentiation,
> - * modular inverse without leaking branches, division without leaking 
> branches.
> - * This flag disables these constant time operations and 

Re: add mirror discovery to pkg_add

[Theo de Raadt]

>this is the exact same code that s currently in install.sub
>transposed ad perl

I get it.

It makes sense for installing the base system.

We started using it in pkg.conf.  I am no longer sure that is the
right thing to do.

Speaking to the installation backend all the time worries me.

Re: add mirror discovery to pkg_add

[Marc Espie]

this is the exact same code that s currently in install.sub
transposed ad perl

Re: add mirror discovery to pkg_add

[Theo de Raadt]

> On 06/22/16 18:57, Theo de Raadt wrote:
> >>> Aside from that, i dont think we should be hardcoding ip-adresses like 
> >>> that.
> >>>
> >> we are doing that with miniroot/install.sub, time to change ?
> > 
> > No, that is not what miniroot/install.sub does.  Not at all.
> > 
> I know, I just said that the ip address is hardcoded somewhere else as well.

No, it is not.

Re: add mirror discovery to pkg_add

[Giovanni Bechis]

On 06/22/16 18:57, Theo de Raadt wrote:
>>> Aside from that, i dont think we should be hardcoding ip-adresses like that.
>>>
>> we are doing that with miniroot/install.sub, time to change ?
> 
> No, that is not what miniroot/install.sub does.  Not at all.
> 
I know, I just said that the ip address is hardcoded somewhere else as well.

Re: add mirror discovery to pkg_add

[Theo de Raadt]

> > Aside from that, i dont think we should be hardcoding ip-adresses like that.
> > 
> we are doing that with miniroot/install.sub, time to change ?

No, that is not what miniroot/install.sub does.  Not at all.

Re: add mirror discovery to pkg_add

[Giovanni Bechis]

On 06/22/16 18:28, Sebastian Benoit wrote:
> Ted Unangst(t...@tedunangst.com) on 2016.06.22 12:25:04 -0400:
>> Marc Espie wrote:
>>> This would allow pkg_add to auto-configure a mirror, for the case where
>>> PKG_PATH was not specified and where pkg.conf does not exist.
>>>
>>> It only triggers when a location ends up empty and when run in interactive
>>> mode, e.g., it shouldn't interfere with local lookups.
>>>
>>> Good idea, or awful ?
>>
>> This would be pretty surprising to me I think. If for some reason I have
>> failed to configure a mirror, I would prefer to get an error so I can fix the
>> underlying problem. If we can't contact a DNS server, we don't fallback on a
>> list of known public servers.
>>
>> Auto config at install time is helpful, but this sort of dynamic auto config
>> violates an important principle: it should be possible to unconfig something.
> 
> Aside from that, i dont think we should be hardcoding ip-adresses like that.
> 
we are doing that with miniroot/install.sub, time to change ?
 
> A name can be changed in DNS, but this will cause http requests to that ip
> for quite some time.
> 
I agree with that.
 Cheers
  Giovanni

Re: add mirror discovery to pkg_add

[Sebastian Benoit]

Ted Unangst(t...@tedunangst.com) on 2016.06.22 12:25:04 -0400:
> Marc Espie wrote:
> > This would allow pkg_add to auto-configure a mirror, for the case where
> > PKG_PATH was not specified and where pkg.conf does not exist.
> > 
> > It only triggers when a location ends up empty and when run in interactive
> > mode, e.g., it shouldn't interfere with local lookups.
> > 
> > Good idea, or awful ?
> 
> This would be pretty surprising to me I think. If for some reason I have
> failed to configure a mirror, I would prefer to get an error so I can fix the
> underlying problem. If we can't contact a DNS server, we don't fallback on a
> list of known public servers.
> 
> Auto config at install time is helpful, but this sort of dynamic auto config
> violates an important principle: it should be possible to unconfig something.

Aside from that, i dont think we should be hardcoding ip-adresses like that.

A name can be changed in DNS, but this will cause http requests to that ip
for quite some time.

Re: add mirror discovery to pkg_add

[Theo de Raadt]

I agree with Ted.  This feels very much like building a CDN at the wrong
level, considering how slowly and carelessly the mirrors are updated
at this time.

Re: add mirror discovery to pkg_add

[Ted Unangst]

Marc Espie wrote:
> This would allow pkg_add to auto-configure a mirror, for the case where
> PKG_PATH was not specified and where pkg.conf does not exist.
> 
> It only triggers when a location ends up empty and when run in interactive
> mode, e.g., it shouldn't interfere with local lookups.
> 
> Good idea, or awful ?

This would be pretty surprising to me I think. If for some reason I have
failed to configure a mirror, I would prefer to get an error so I can fix the
underlying problem. If we can't contact a DNS server, we don't fallback on a
list of known public servers.

Auto config at install time is helpful, but this sort of dynamic auto config
violates an important principle: it should be possible to unconfig something.

Fwd: tcp state transition in sloppy mode

[Jingmin Zhou]

Thanks for help on this issue!

-- Forwarded message --
From: Stuart Henderson 
Date: Wed, Jun 22, 2016 at 2:21 AM
Subject: Re: tcp state transition in sloppy mode
To: Jingmin Zhou 


Hi,

Nice analysis.

The PF mailing list is not very widely used any more, so you
might not get a useful response here - it might be a good idea to
post this to tech@openbsd.org to reach a wider audience.

Best regards
Stuart


On 2016/06/21 14:15, Jingmin Zhou wrote:
> Hi,
>
> Recently we ran into some issues with pf sloppy mode with regards to
> some long standing TCP connections. While reading pf code, we feel
> puzzled by the way pf handles TCP packets in sloppy mode. Here are
> some of our analysis.
>
> Background: a TCP connection were established between two hosts (A
> and B) before pf is enabled in sloppy mode. The connection is mostly
> idle with periodic keep alive packets, i.e., PUSH-ACK and ACK packets
> every few minutes. An pass rule matches this connection and allows
> packet to pass through.
>
> When a PUSH-ACK packet of the connection was observed from host A->B,
> the pass rule lets pf.c:pf_create_state function to create a new
> state for the connection. In the state, s->src.state = TCPS_SYN_SENT,
> and s->dst.state = TCPS_CLOSED (line 3563 and 3564 in the code below).
>
>
> 3488 static __inline int
>
> 3489 pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct
> pf_rule *a,
>
> 3490 struct pf_rule *nr, struct pf_state_key **skw, struct
> pf_state_key **sks,
>
> 3491 int *rewrite, struct pf_state **sm, int tag, struct pf_rule_
> slist *rules,
>
> 3492 struct pf_rule_actions *act, struct pf_src_node *sns
> [PF_SN_MAX])
>
> 3493 {
>
>  ...
>
>
> 3532 switch (pd->proto) {
>
> 3533 case IPPROTO_TCP:
>
>  ...
>
> 3561 s->dst.seqhi = 1;
>
> 3562 s->dst.max_win = 1;
>
> 3563 s->src.state = TCPS_SYN_SENT;
>
> 3564 s->dst.state = TCPS_CLOSED;
>
> 3565 s->timeout = PFTM_TCP_FIRST_PACKET;
>
> 3566 break;
>
>
> The second packet is an ACK packet from B to A. It eventually makes
> pf enter into pf.c:pf_test_state function. A simplified code flow
> is shown as below:
>
>
> 4320 int
>
> 4321 pf_test_state(struct pf_pdesc *pd, struct pf_state **state, u
> _short *reason)
>
> 4322 {
>
>  ...
>
> 4338 STATE_LOOKUP(pd->kif, , pd->dir, *state, pd->m);
>
> 4339
>
> 4340 if (pd->dir == (*state)->direction) {
>
> 4341 src = &(*state)->src;
>
> 4342 dst = &(*state)->dst;
>
> 4343 } else {
>
> 4344 src = &(*state)->dst;
>
> 4345 dst = &(*state)->src;
>
> 4346 }
>
> 4347
>
> 4348 switch (pd->virtual_proto) {
>
> 4349 case IPPROTO_TCP:
>
>  ...
>
> 4369 if ((*state)->state_flags & PFSTATE_SLOPPY) {
>
> 4370 if (pf_tcp_track_sloppy(pd, src, dst, state, reason) =
> =
>
> 4371 PF_DROP)
>
> 4372 return (PF_DROP);
>
> 4373 } else {
>
>  ...
>
> 4465 }
>
>
> Please notice that src and dst are taken from state entry and are
> swapped at line 4344 and 4345 before being passed into function
> pf_tcp_track_sloppy. So the src has a state TCPS_CLOSED and dst
> has a state TCPS_SYN_SENT in function pf_tcp_track_sloppy.
>
> Below, a simplified pf_tcp_track_sloppy is shown. As we can see,
> the ACK packet from B to A will match condition at line 4168. So
> the state now changes to ESTABLISHED (A->B.src) and CLOSED (A->B.
> dst).
>
>
> 4155 int
>
> 4156 pf_tcp_track_sloppy(struct pf_pdesc *pd, struct pf_state_peer
> *src,
>
> 4157 struct pf_state_peer *dst, struct pf_state **state, u_short
> *reason)
>
> 4158 {
>
>  ...
>
> 4167 if (th->th_flags & TH_ACK) {
>
> 4168 if (dst->state == TCPS_SYN_SENT) {
>
> 4169 dst->state = TCPS_ESTABLISHED;
>
> 4170 if (src->state == TCPS_ESTABLISHED &&
>
> 4171 !SLIST_EMPTY(&(*state)->src_nodes) &&
>
> 4172 pf_src_connlimit(state)) {
>
> 4173 REASON_SET(reason, PFRES_SRCLIMIT);
>
> 4174 return (PF_DROP);
>
> 4175 }
>
> 4176 } else if (dst->state == TCPS_CLOSING) {
>
> 4177 dst->state = TCPS_FIN_WAIT_2;
>
> 4178 } else if (src->state == TCPS_SYN_SENT &&
>
> 4179 dst->state < TCPS_SYN_SENT) {
>
> 4180 /*
>
> 4181  * Handle a special sloppy case where we only see one
>
> 4182  * half of the connection. If there is a ACK after
>
> 4183  * the initial SYN without ever seeing a packet from
>
> 4184  * the destination, set the connection to established.
>
> 4185  */
>
> 4186 dst->state = src->state = TCPS_ESTABLISHED;
>
> 4187 if (!SLIST_EMPTY(&(*state)->src_nodes) &&
>
> 4188 pf_src_connlimit(state)) {
>
> 4189 REASON_SET(reason, 

Re: add mirror discovery to pkg_add

[Marc Espie]

Here's an expanded version of the patch.
So far, ask_list was happy with prompting, but the mirror list is slightly
large, so being able to pipe thru more comes in handy.

This means a bit of refactor: we've got state, so we can get the height
from a progressmeter (or the stub), and it's reasonably easy to tweak
state display to be able to use arbitrary fh...

This shows another logic limitation of the current code, namely that the
size detection of the display is linked to the progressmeter options, whereas
it should more or less always happen when we detect we got a tty connected,
since the width/height information is uncorrelated to whether or not we
need/want a progressmeter.

To be continued...

Index: OpenBSD/AddCreateDelete.pm
===
RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/AddCreateDelete.pm,v
retrieving revision 1.37
diff -u -p -r1.37 AddCreateDelete.pm
--- OpenBSD/AddCreateDelete.pm  15 Jun 2016 15:40:13 -  1.37
+++ OpenBSD/AddCreateDelete.pm  22 Jun 2016 15:55:29 -
@@ -43,6 +43,11 @@ sub progress
return $self->{progressmeter};
 }
 
+sub height
+{
+   my $self = shift;
+   return $self->{progressmeter}->height;
+}
 sub not
 {
my $self = shift;
Index: OpenBSD/Interactive.pm
===
RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/Interactive.pm,v
retrieving revision 1.20
diff -u -p -r1.20 Interactive.pm
--- OpenBSD/Interactive.pm  30 Jan 2015 11:42:55 -  1.20
+++ OpenBSD/Interactive.pm  22 Jun 2016 15:55:29 -
@@ -35,13 +35,23 @@ sub ask_list
if ($self->{always}) {
return $values[0];
}
+   my ($fh, $pid);
+   if ($self->{state}->height <= @values + 1) {
+   $pid = open($fh, "|-", "more", "-c");
+   }
 
-   $self->{state}->errsay('#1', $prompt);
+   $fh //= \*STDERR;
+
+   $self->{state}->fhsay($fh, '#1', $prompt);
my $i = 0;
for my $v (@values) {
-   $self->{state}->errsay("#1\t#2: #3", 
+   $self->{state}->fhsay($fh, "#1\t#2: #3", 
$i == 0 ? "a" : "", $i, $v);
$i++;
+   }
+   if (defined $pid) {
+   close($fh);
+   waitpid $pid, 0;
}
 LOOP:
$self->{state}->errprint("Your choice: ");
Index: OpenBSD/PackageLocator.pm
===
RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PackageLocator.pm,v
retrieving revision 1.105
diff -u -p -r1.105 PackageLocator.pm
--- OpenBSD/PackageLocator.pm   30 Jan 2016 11:29:29 -  1.105
+++ OpenBSD/PackageLocator.pm   22 Jun 2016 15:55:29 -
@@ -24,6 +24,7 @@ use OpenBSD::PackageRepositoryList;
 use OpenBSD::PackageRepository;
 
 my $default_path;
+my $is_configured;
 
 sub build_default_path
 {
@@ -37,17 +38,93 @@ sub build_default_path
while (my $o = OpenBSD::PackageRepository->parse(\$v, $state)) {
$default_path->add($o);
}
+   $is_configured = 1;
return;
}
$default_path->add(OpenBSD::PackageRepository->new("./", 
$state)->can_be_empty);
-   return if $state->defines('NOINSTALLPATH');
+   if ($state->defines('NOINSTALLPATH')) {
+   $is_configured = 1;
+   return;
+   }
 
return unless defined $state->config->value('installpath');
+   $is_configured = 1;
for my $i ($state->config->value("installpath")) {
$default_path->add(OpenBSD::PackageRepository->new($i, $state));
}
 }
 
+sub discover_mirror
+{
+   my ($self, $state) = @_;
+
+   # can't ask the user -> no mirror
+   return undef unless $state->is_interactive;
+
+
+   require OpenBSD::PackageRepository;
+   # ftp.openbsd.org == 129.128.5.191 and will remain at
+   # that address for the foreseeable future.
+   my $fake = 
OpenBSD::PackageRepository->new("http://129.128.5.191/cgi-bin/;, $state);
+   # XXX
+   bless $fake, "OpenBSD::PackageRepository::Cgi";
+   my $l = $fake->list;
+   my @m = @$l;
+   my %h;
+   for my $d (@m) {
+   my $e = $d;
+   $d =~ s,^http://(.*?)(/.*?)?\s+(.*)$,$1\t$3,;
+   $e =~ s/\s+.*$//;
+   $h{$d} = $e;
+   }
+   $m[0] = "";
+   my $i = $state->ask_list("No mirror configured, choose one", @m);
+   if ($i eq "") {
+   return undef;
+   }
+   return $h{$i};
+}
+
+sub convert_to_packages
+{
+   my ($self, $url) = @_;
+   # mirror was "designed" for base releases.
+   # convert into short installpath version
+   $url =~ s,^http://(.*)/pub/OpenBSD$,$1, or
+   $url =~ s,$,/%c/packages/%a,;
+   return $url;
+}
+
+sub last_chance
+{
+   if ($is_configured) {
+   return [];
+   }
+   $is_configured = 1;
+   

Re: opencvs - fix revision lookups for branches

[Joris Vink]

On Wed, Jun 22, 2016 at 09:07:03AM -0600, Todd C. Miller wrote:
> On Wed, 22 Jun 2016 12:21:56 +0200, Joris Vink wrote:
> > Index: rcs.c
> > ===
> > RCS file: /cvs/src/usr.bin/cvs/rcs.c,v
> > retrieving revision 1.313
> > diff -u -p -r1.313 rcs.c
> > --- rcs.c   5 Nov 2015 09:48:21 -   1.313
> > +++ rcs.c   22 Jun 2016 09:52:04 -
> > @@ -1796,17 +1796,13 @@ rcs_rev_getlines(RCSFILE *rfp, RCSNUM *f
> >  
> >  again:
> > for (;;) {
> > +   if (rdp == NULL)
> > +   break;
> 
> Wouldn't this be easier to read as:
> 
>   while (rdp != NULL) {

Yes, updated diff below.

.joris

Index: rcs.c
===
RCS file: /cvs/src/usr.bin/cvs/rcs.c,v
retrieving revision 1.313
diff -u -p -r1.313 rcs.c
--- rcs.c   5 Nov 2015 09:48:21 -   1.313
+++ rcs.c   22 Jun 2016 15:13:14 -
@@ -1795,18 +1795,11 @@ rcs_rev_getlines(RCSFILE *rfp, RCSNUM *f
goto done;
 
 again:
-   for (;;) {
+   while (rdp != NULL) {
if (rdp->rd_next->rn_len != 0) {
trdp = rcs_findrev(rfp, rdp->rd_next);
if (trdp == NULL)
fatal("failed to grab next revision");
-   } else {
-   /*
-* XXX Fail, although the caller does not always do the
-* right thing (eg cvs diff when the tree is ahead of
-* the repository).
-*/
-   break;
}
 
if (rdp->rd_tlen == 0) {
@@ -1857,7 +1850,7 @@ again:
}
 
 next:
-   if (!rcsnum_differ(rdp->rd_num, frev))
+   if (rdp == NULL || !rcsnum_differ(rdp->rd_num, frev))
done = 1;
 
if (RCSNUM_ISBRANCHREV(frev) && done != 1) {
@@ -2045,6 +2038,7 @@ rcs_rev_getbuf(RCSFILE *rfp, RCSNUM *rev
struct rcs_delta *rdp;
struct rcs_lines *lines;
struct rcs_line *lp, *nlp;
+   char version[RCSNUM_MAXSTR];
BUF *bp;
 
rdp = NULL;
@@ -2057,8 +2051,12 @@ rcs_rev_getbuf(RCSFILE *rfp, RCSNUM *rev
expmode = rcs_kwexp_get(rfp);
 
if (!(expmode & RCS_KWEXP_NONE)) {
-   if ((rdp = rcs_findrev(rfp, rev)) == NULL)
-   fatal("could not fetch revision");
+   if ((rdp = rcs_findrev(rfp, rev)) == NULL) {
+   rcsnum_tostr(rev, version, sizeof(version));
+   fatal("could not find desired version %s in %s",
+   version, rfp->rf_path);
+   }
+
expand = 1;
}
}

Re: opencvs - fix revision lookups for branches

[Todd C. Miller]

On Wed, 22 Jun 2016 12:21:56 +0200, Joris Vink wrote:

> This diff below fixes a serious issue in opencvs when
> checking out revisions from a branch.
> 
> Properly perform a revision lookup so update -r actually
> works again, as a bonus throw a more correct error when
> the revision could not be found.
> 
> .joris
> 
> Index: rcs.c
> ===
> RCS file: /cvs/src/usr.bin/cvs/rcs.c,v
> retrieving revision 1.313
> diff -u -p -r1.313 rcs.c
> --- rcs.c 5 Nov 2015 09:48:21 -   1.313
> +++ rcs.c 22 Jun 2016 09:52:04 -
> @@ -1796,17 +1796,13 @@ rcs_rev_getlines(RCSFILE *rfp, RCSNUM *f
>  
>  again:
>   for (;;) {
> + if (rdp == NULL)
> + break;

Wouldn't this be easier to read as:

while (rdp != NULL) {

> +
>   if (rdp->rd_next->rn_len != 0) {
>   trdp = rcs_findrev(rfp, rdp->rd_next);
>   if (trdp == NULL)
>   fatal("failed to grab next revision");
> - } else {
> - /*
> -  * XXX Fail, although the caller does not always do the
> -  * right thing (eg cvs diff when the tree is ahead of
> -  * the repository).
> -  */
> - break;
>   }
>  
>   if (rdp->rd_tlen == 0) {

Add $REQUEST_SCHEME (block) macro to httpd

[Ross L Richardson]

The patch below adds a "$REQUEST_SCHEME" macro to those available in
block rules in httpd.conf

Justification: when redirecting from a (virtual) server which supports
both http and https to a (virtual) server which also supports both
schemes, it make sense to be able to respect (preserve) the scheme of
the original request rather than having to hard-code "http" or "https".

Patch is against -current, but has been tested (only) against
5.9-stable.

Ross


Index: src/usr.sbin/httpd/httpd.conf.5
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.73
diff -u -p -u -r1.73 httpd.conf.5
--- src/usr.sbin/httpd/httpd.conf.5 9 May 2016 19:36:54 -   1.73
+++ src/usr.sbin/httpd/httpd.conf.5 22 Jun 2016 11:16:01 -
@@ -202,7 +202,7 @@ The
 .Ar uri
 may contain predefined macros that will be expanded at runtime:
 .Pp
-.Bl -tag -width $DOCUMENT_URI -offset indent -compact
+.Bl -tag -width $REQUEST_SCHEME -offset indent -compact
 .It Ic $DOCUMENT_URI
 The request path.
 .It Ic $QUERY_STRING
@@ -213,6 +213,14 @@ The IP address of the connected client.
 The TCP source port of the connected client.
 .It Ic $REMOTE_USER
 The remote user for HTTP authentication.
+.It Ic $REQUEST_SCHEME
+The scheme
+.Po
+.Dq http
+or
+.Dq https
+.Pc
+of the request.
 .It Ic $REQUEST_URI
 The request path and optional query string.
 .It Ic $SERVER_ADDR
Index: src/usr.sbin/httpd/server_http.c
===
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.108
diff -u -p -u -r1.108 server_http.c
--- src/usr.sbin/httpd/server_http.c27 May 2016 11:24:13 -  1.108
+++ src/usr.sbin/httpd/server_http.c22 Jun 2016 11:16:01 -
@@ -1011,6 +1011,12 @@ server_expand_http(struct client *clt, c
if (ret != 0)
return (NULL);
}
+   if (strstr(val, "$REQUEST_SCHEME") != NULL) {
+   ret = expand_string(buf, len, "$REQUEST_SCHEME",
+   clt->clt_tls_ctx != NULL ? "https" : "http");
+   if (ret != 0)
+   return (NULL);
+   }
if (strstr(val, "$SERVER_") != NULL) {
if (strstr(val, "$SERVER_ADDR") != NULL) {
if (print_host(_conf->ss,

add mirror discovery to pkg_add

[Marc Espie]

Most of the code was already there.

This would allow pkg_add to auto-configure a mirror, for the case where
PKG_PATH was not specified and where pkg.conf does not exist.

It only triggers when a location ends up empty and when run in interactive
mode, e.g., it shouldn't interfere with local lookups.

Good idea, or awful ?

Index: OpenBSD/PackageLocator.pm
===
RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PackageLocator.pm,v
retrieving revision 1.105
diff -u -p -r1.105 PackageLocator.pm
--- OpenBSD/PackageLocator.pm   30 Jan 2016 11:29:29 -  1.105
+++ OpenBSD/PackageLocator.pm   22 Jun 2016 13:51:40 -
@@ -24,6 +24,7 @@ use OpenBSD::PackageRepositoryList;
 use OpenBSD::PackageRepository;
 
 my $default_path;
+my $is_configured;
 
 sub build_default_path
 {
@@ -37,17 +38,91 @@ sub build_default_path
while (my $o = OpenBSD::PackageRepository->parse(\$v, $state)) {
$default_path->add($o);
}
+   $is_configured = 1;
return;
}
$default_path->add(OpenBSD::PackageRepository->new("./", 
$state)->can_be_empty);
-   return if $state->defines('NOINSTALLPATH');
+   if ($state->defines('NOINSTALLPATH')) {
+   $is_configured = 1;
+   return;
+   }
 
return unless defined $state->config->value('installpath');
+   $is_configured = 1;
for my $i ($state->config->value("installpath")) {
$default_path->add(OpenBSD::PackageRepository->new($i, $state));
}
 }
 
+sub discover_mirror
+{
+   my ($self, $state) = @_;
+
+   # can't ask the user -> no mirror
+   return undef unless $state->is_interactive;
+
+
+   require OpenBSD::PackageRepository;
+   my $fake = 
OpenBSD::PackageRepository->new("http://129.128.5.191/cgi-bin/;, $state);
+   # XXX
+   bless $fake, "OpenBSD::PackageRepository::Cgi";
+   my $l = $fake->list;
+   my @m = @$l;
+   my %h;
+   for my $d (@m) {
+   my $e = $d;
+   $d =~ s,^http://(.*?)(/.*?)?\s+(.*)$,$1\t$3,;
+   $e =~ s/\s+.*$//;
+   $h{$d} = $e;
+   }
+   $m[0] = "";
+   my $i = $state->ask_list("No mirror configured, choose one", @m);
+   if ($i eq "") {
+   return undef;
+   }
+   return $h{$i};
+}
+
+sub convert_to_packages
+{
+   my ($self, $url) = @_;
+   # mirror was "designed" for base releases.
+   # convert into short installpath version
+   $url =~ s,^http://(.*)/pub/OpenBSD$,$1, or
+   $url =~ s,$,/%c/packages/%a,;
+   return $url;
+}
+
+sub last_chance
+{
+   if ($is_configured) {
+   return [];
+   }
+   $is_configured = 1;
+   my ($self, @search) = @_;
+   my $state = pop @search;
+
+   my $url = $self->discover_mirror($state);
+   if (!defined $url) {
+   return [];
+   }
+   
+   $url = $self->convert_to_packages($url);
+
+   # try setting it "permanently"
+   if (open(my $f, ">>", OpenBSD::Paths->pkgconf)) {
+   print $f "installpath += $url\n";
+   close $f;
+   } else {
+   $state->errsay("Couldn't write to #1", OpenBSD::Paths->pkgconf);
+   }
+
+   # use it for the current round anyway
+   $default_path->add(OpenBSD::PackageRepository->new($url, $state));
+
+   return $self->match_locations(@search, $state);
+}
+
 sub default_path
 {
if (!defined $default_path) {
@@ -107,4 +182,27 @@ sub match_locations
return $self->default_path($state)->match_locations(@search);
 }
 
+package OpenBSD::PackageRepository::Cgi;
+our @ISA = qw(OpenBSD::PackageRepository::HTTP);
+
+# we know how to get a list, we just need to override the specific url
+# and parser
+sub get_http_list
+{
+   my ($self, $error) = @_;
+
+   require OpenBSD::Paths;
+   my $fullname = 
$self->url."ftplist.cgi?path=".OpenBSD::Paths->os_directory."/".OpenBSD::Paths->machine_architecture;
+   my $l = [];
+   my $fh = $self->open_read_ftp(OpenBSD::Paths->ftp." -o - $fullname", 
+   $error) or return;
+   while(<$fh>) {
+   chomp;
+   if (m/^http:\/\//) {
+   push(@$l, $_);
+   }
+   }
+   $self->close_read_ftp($fh);
+   return $l;
+}
 1;
Index: OpenBSD/PackageRepositoryList.pm
===
RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PackageRepositoryList.pm,v
retrieving revision 1.30
diff -u -p -r1.30 PackageRepositoryList.pm
--- OpenBSD/PackageRepositoryList.pm9 Jul 2015 12:57:55 -   1.30
+++ OpenBSD/PackageRepositoryList.pm22 Jun 2016 13:51:40 -
@@ -86,7 +86,7 @@ sub match_locations
return $l;
}
}
-   return [];
+   return 

Deprecate flags DH_FLAG_NO_EXP_CONSTTIME and RSA_FLAG_NO_CONSTTIME

[Brent Cook]

This is another patch from César Pereida that disables the DH and RSA
non-constant-time flags as well.

ok?

Index: src/crypto/dh/dh.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 dh.h
--- src/crypto/dh/dh.h  12 Jun 2014 15:49:28 -  1.16
+++ src/crypto/dh/dh.h  22 Jun 2016 13:37:33 -
@@ -78,12 +78,8 @@
 #endif
 
 #define DH_FLAG_CACHE_MONT_P 0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-   * implementation now uses constant time
-   * modular exponentiation for secret 
exponents
-   * by default. This flag causes the
-   * faster variable sliding window method 
to
-   * be used for all exponents.
+#define DH_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this 
switched off 
+   * constant time behaviour.
*/
 
 /* If this flag is set the DH method is FIPS compliant and can be used
Index: src/crypto/dh/dh_key.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
retrieving revision 1.23
diff -u -p -u -p -r1.23 dh_key.c
--- src/crypto/dh/dh_key.c  9 Feb 2015 15:49:22 -   1.23
+++ src/crypto/dh/dh_key.c  22 Jun 2016 13:37:33 -
@@ -147,21 +147,21 @@ generate_key(DH *dh)
}
 
{
-   BIGNUM local_prk;
-   BIGNUM *prk;
+   BIGNUM *prk = BN_new();
 
-   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-   BN_init(_prk);
-   prk = _prk;
-   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-   } else
-   prk = priv_key;
+   if (prk == NULL)
+   goto err;
+
+   BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
 
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
-   mont))
+   mont)) {
+   BN_free(prk);
goto err;
+   }
+   BN_free(prk);
}
-   
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
ok = 1;
@@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(>method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
-   if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-   /* XXX */
-   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
-   }
+
+   BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
if (!mont)
goto err;
}
@@ -238,16 +237,7 @@ static int
 dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 {
-   /*
-* If a is only one word long and constant time is false, use the faster
-* exponenentiation function.
-*/
-   if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
-   BN_ULONG A = a->d[0];
-
-   return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
-   } else
-   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+   return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
 
 static int
Index: src/crypto/rsa/rsa.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
retrieving revision 1.27
diff -u -p -u -p -r1.27 rsa.h
--- src/crypto/rsa/rsa.h14 Feb 2015 15:10:39 -  1.27
+++ src/crypto/rsa/rsa.h22 Jun 2016 13:37:33 -
@@ -195,13 +195,9 @@ struct rsa_st {
 #define RSA_FLAG_NO_BLINDING   0x0080
 
 /*
- * The built-in RSA implementation uses constant time operations by default
- * in private key operations, e.g., constant time modular exponentiation,
- * modular inverse without leaking branches, division without leaking branches.
- * This flag disables these constant time operations and results in faster RSA
- * private key operations.
+ * Does nothing. Previously this switched off constant time behaviour.
  */
-#define RSA_FLAG_NO_CONSTTIME  0x0100
+#define RSA_FLAG_NO_CONSTTIME  0x
 
 
 #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
Index: src/crypto/rsa/rsa_crpt.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v
retrieving revision 1.14
diff -u -p -u -p -r1.14 rsa_crpt.c
--- src/crypto/rsa/rsa_crpt.c   11 Feb 2015 03:19:37 -  1.14
+++ 

iwm: lower retry limit for management frames

[Stefan Sperling]

The Linux iwlwifi driver uses less retry attempts for management frames,
as in the diff below. I think it makes sense to do likewise.

Index: if_iwm.c
===
RCS file: /cvs/src/sys/dev/pci/if_iwm.c,v
retrieving revision 1.92
diff -u -p -r1.92 if_iwm.c
--- if_iwm.c22 Jun 2016 11:32:12 -  1.92
+++ if_iwm.c22 Jun 2016 13:15:38 -
@@ -4381,6 +4381,7 @@ iwm_tx_fill_cmd(struct iwm_softc *sc, st
/* for non-data, use the lowest supported rate */
ridx = (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan)) ?
IWM_RIDX_OFDM : IWM_RIDX_CCK;
+   tx->data_retry_limit = IWM_MGMT_DFAULT_RETRY_LIMIT;
} else if (ic->ic_fixed_mcs != -1) {
ridx = sc->sc_fixed_ridx;
} else if (ic->ic_fixed_rate != -1) {

Re: [PATCH] let the mbufs use more then 4gb of memory

[David Gwynne]

On Wed, Jun 22, 2016 at 01:58:25PM +0200, Simon Mages wrote:
> On a System where you use the maximum socketbuffer size of 256kbyte you
> can run out of memory after less then 9k open sockets.
> 
> My patch adds a new uvm_constraint for the mbufs with a bigger memory area.
> I choose this area after reading the comments in 
> sys/arch/amd64/include/pmap.h.
> This patch further changes the maximum sucketbuffer size from 256k to 1gb as
> it is described in the rfc1323 S2.3.
> 
> I tested this diff with the ix, em and urndis driver. I know that this
> diff only works
> for amd64 right now, but i wanted to send this diff as a proposal what could 
> be
> done. Maybe somebody has a different solution for this Problem or can me why
> this is a bad idea.

hey simon,

first, some background.

the 4G watermark is less about limiting the amount of memory used
by the network stack and more about making the memory addressable
by as many devices, including network cards, as possible. we support
older chips that only deal with 32 bit addresses (and one or two
stupid ones with an inability to address over 1G), so we took the
conservative option and made made the memory generally usable without
developers having to think about it much.

you could argue that if you should be able to give big addresses
to modern cards, but that falls down if you are forwarding packets
between a modern and old card, cos the old card will want to dma
the packet the modern card rxed, but it needs it below the 4g line.
even if you dont have an old card, in todays hotplug world you might
plug an old device in. either way, the future of an mbuf is very
hard for the kernel to predict.

secondly, allocating more than 4g at a time to socket buffers is
generally a waste of memory. in practice you should scale the amount
of memory available to sockets according to the size of the tcp
windows you need to saturate the bandwidth available to the box.
this means if you want to sustain a gigabit of traffic with a 300ms
round trip time for packets, you'd "only" need ~37.5 megabytes of
buffers. to sustain 40 gigabit you'd need 1.5 gigabytes, which is
still below 4G. allowing more use of memory for buffers would likely
induce latency.

the above means that if you want to sustain a single 40G tcp
connection to that host you'd need to be able to place 1.5G on the
socket buffer, which is above the 1G you mention above. however,
if you want to sustain 2 connections, you ideally want to fairly
share the 1.5G between both sockets. they should get 750M each.

fairly sharing buffers between the sockets may already be in place
in openbsd. when i reworked the pools subsystem i set it up so
things sleeping on memory were woken up in order.

it occurs to me that perhaps we should limit mbufs by the bytes
they can use rather than the number of them. that would also work
well if we moved to per cpu caches for mbufs and clusters, cos the
number of active mbufs in the system becomes hard to limit accurately
if we want cpus to run independently.

if you want something to work on in this area, could you look at
letting sockets use the "jumbo" clusters instead of assuming
everything has to be in 2k clusters? i started on thsi with the
diff below, but it broke ospfd and i never got back to it.

if you get it working, it would be interested to test creating even
bigger cluster pools, eg, a 1M or 4M mbuf cluster.

cheers,
dlg

Index: uipc_socket.c
===
RCS file: /cvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.135
diff -u -p -r1.135 uipc_socket.c
--- uipc_socket.c   11 Dec 2014 19:21:57 -  1.135
+++ uipc_socket.c   22 Dec 2014 01:11:03 -
@@ -493,15 +493,18 @@ restart:
mlen = MLEN;
}
if (resid >= MINCLSIZE && space >= MCLBYTES) {
-   MCLGET(m, M_NOWAIT);
+   MCLGETI(m, M_NOWAIT, NULL, lmin(resid,
+   lmin(space, MAXMCLBYTES)));
if ((m->m_flags & M_EXT) == 0)
goto nopages;
if (atomic && top == 0) {
-   len = lmin(MCLBYTES - max_hdr,
-   resid);
+   len = lmin(resid,
+   m->m_ext.ext_size -
+   max_hdr);
m->m_data += max_hdr;
} else
-   len = lmin(MCLBYTES, resid);
+   len = lmin(resid,
+   m->m_ext.ext_size);
  

Re: new feature in pkg_add(1)

[Marc Espie]

On Tue, Jun 21, 2016 at 10:43:07PM +0200, Patrik Lundin wrote:
> The reason for doing this is that it is much faster than just blindly
> trying to install a package, and does not hammer mirrors needlessly.
> 
> Are there any plans to teach pkg_info -e about "%"? Is it even possible?

Okay, just committed the exit code fix.

pkg_info -Iq inst:python%3.5
will perform just as you would expect.

Re: new feature in pkg_add(1)

[Marc Espie]

On Tue, Jun 21, 2016 at 10:43:07PM +0200, Patrik Lundin wrote:
> However, "pkg_info -e" does not understand it:
> ===
> # pkg_info -e python%2.7
> Invalid spec: python%2.7
> ===
> 
> I use pkg_info -e to check if a requested package is installed or
> not prior to attempting to install/remove it.
> 
> The reason for doing this is that it is much faster than just blindly
> trying to install a package, and does not hammer mirrors needlessly.
> 
> Are there any plans to teach pkg_info -e about "%"? Is it even possible?

Doesn't fit within the model, but you can already do that thing in a
different way, by choosing the right repository, namely inst.

e.g.,
pkg_info inst:python2.7
ought to give you the right result.

I need to make sure you get a sensible rc code though, which isn't okay right
now.

[PATCH] let the mbufs use more then 4gb of memory

[Simon Mages]

On a System where you use the maximum socketbuffer size of 256kbyte you
can run out of memory after less then 9k open sockets.

My patch adds a new uvm_constraint for the mbufs with a bigger memory area.
I choose this area after reading the comments in sys/arch/amd64/include/pmap.h.
This patch further changes the maximum sucketbuffer size from 256k to 1gb as
it is described in the rfc1323 S2.3.

I tested this diff with the ix, em and urndis driver. I know that this
diff only works
for amd64 right now, but i wanted to send this diff as a proposal what could be
done. Maybe somebody has a different solution for this Problem or can me why
this is a bad idea.


Index: arch/amd64/amd64/bus_dma.c
===
RCS file: /openbsd/src/sys/arch/amd64/amd64/bus_dma.c,v
retrieving revision 1.49
diff -u -p -u -p -r1.49 bus_dma.c
--- arch/amd64/amd64/bus_dma.c  17 Dec 2015 17:16:04 -  1.49
+++ arch/amd64/amd64/bus_dma.c  22 Jun 2016 11:33:17 -
@@ -584,7 +584,7 @@ _bus_dmamap_load_buffer(bus_dma_tag_t t,
 */
pmap_extract(pmap, vaddr, (paddr_t *));

-   if (curaddr > dma_constraint.ucr_high)
+   if (curaddr > mbuf_constraint.ucr_high)
panic("Non dma-reachable buffer at curaddr %#lx(raw)",
curaddr);

Index: arch/amd64/amd64/machdep.c
===
RCS file: /openbsd/src/sys/arch/amd64/amd64/machdep.c,v
retrieving revision 1.221
diff -u -p -u -p -r1.221 machdep.c
--- arch/amd64/amd64/machdep.c  21 May 2016 00:56:43 -  1.221
+++ arch/amd64/amd64/machdep.c  22 Jun 2016 11:33:17 -
@@ -202,9 +202,11 @@ struct vm_map *phys_map = NULL;
 /* UVM constraint ranges. */
 struct uvm_constraint_range  isa_constraint = { 0x0, 0x00ffUL };
 struct uvm_constraint_range  dma_constraint = { 0x0, 0xUL };
+struct uvm_constraint_range  mbuf_constraint = { 0x0, 0xfUL };
 struct uvm_constraint_range *uvm_md_constraints[] = {
 _constraint,
 _constraint,
+_constraint,
 NULL,
 };

Index: kern/uipc_mbuf.c
===
RCS file: /openbsd/src/sys/kern/uipc_mbuf.c,v
retrieving revision 1.226
diff -u -p -u -p -r1.226 uipc_mbuf.c
--- kern/uipc_mbuf.c13 Jun 2016 21:24:43 -  1.226
+++ kern/uipc_mbuf.c22 Jun 2016 11:33:18 -
@@ -153,7 +153,7 @@ mbinit(void)

pool_init(, MSIZE, 0, 0, 0, "mbufpl", NULL);
pool_setipl(, IPL_NET);
-   pool_set_constraints(, _dma_contig);
+   pool_set_constraints(, _mbuf_contig);
pool_setlowat(, mblowat);

pool_init(, PACKET_TAG_MAXSIZE + sizeof(struct m_tag),
@@ -166,7 +166,7 @@ mbinit(void)
pool_init([i], mclsizes[i], 0, 0, 0,
mclnames[i], NULL);
pool_setipl([i], IPL_NET);
-   pool_set_constraints([i], _dma_contig);
+   pool_set_constraints([i], _mbuf_contig);
pool_setlowat([i], mcllowat);
}

Index: sys/socketvar.h
===
RCS file: /openbsd/src/sys/sys/socketvar.h,v
retrieving revision 1.60
diff -u -p -u -p -r1.60 socketvar.h
--- sys/socketvar.h 25 Feb 2016 07:39:09 -  1.60
+++ sys/socketvar.h 22 Jun 2016 11:33:18 -
@@ -112,7 +112,7 @@ struct socket {
short   sb_flags;   /* flags, see below */
u_short sb_timeo;   /* timeout for read/write */
} so_rcv, so_snd;
-#defineSB_MAX  (256*1024)  /* default for max chars in 
sockbuf */
+#defineSB_MAX  (1024*1024*1024)/* default for max chars in 
sockbuf */
 #defineSB_LOCK 0x01/* lock on data queue */
 #defineSB_WANT 0x02/* someone is waiting to lock */
 #defineSB_WAIT 0x04/* someone is waiting for 
data/space */
Index: uvm/uvm_extern.h
===
RCS file: /openbsd/src/sys/uvm/uvm_extern.h,v
retrieving revision 1.139
diff -u -p -u -p -r1.139 uvm_extern.h
--- uvm/uvm_extern.h5 Jun 2016 08:35:57 -   1.139
+++ uvm/uvm_extern.h22 Jun 2016 11:33:18 -
@@ -234,6 +234,7 @@ extern struct uvmexp uvmexp;
 /* Constraint ranges, set by MD code. */
 extern struct uvm_constraint_range  isa_constraint;
 extern struct uvm_constraint_range  dma_constraint;
+extern struct uvm_constraint_range  mbuf_constraint;
 extern struct uvm_constraint_range  no_constraint;
 extern struct uvm_constraint_range *uvm_md_constraints[];

@@ -398,6 +399,7 @@ extern const struct kmem_pa_mode kp_zero
 extern const struct kmem_pa_mode kp_dma;
 extern const struct kmem_pa_mode kp_dma_contig;
 extern const struct kmem_pa_mode kp_dma_zero;
+extern const struct kmem_pa_mode kp_mbuf_contig;
 extern const struct kmem_pa_mode 

opencvs - log command fixes

[Joris Vink]

Hi,

Brings log a bit more inline with its GNU counterpart
by attempting to parse the date range early on, killing
extra output from date.y and having a proper fatal message.

Any caller of date_parse() already displays its own error
messages anyway if it fails.

Additionally lets not return -1 from a function that is
declared to return an unsigned int.

.joris

Index: date.y
===
RCS file: /cvs/src/usr.bin/cvs/date.y,v
retrieving revision 1.25
diff -u -p -r1.25 date.y
--- date.y  5 Nov 2015 09:48:21 -   1.25
+++ date.y  22 Jun 2016 09:52:04 -
@@ -483,16 +483,8 @@ static TABLE const MilitaryTable[] = {
 static int
 yyerror(const char *s)
 {
-#if !defined(TEST)
-   char *str;
-
-   (void)xasprintf(, "parsing date string: %s", s);
-   cvs_log(LP_ERR, "%s", str);
-   free(str);
-#endif
return (0);
 }
-
 
 static time_t
 ToSeconds(time_t Hours, time_t Minutes, time_t Seconds, MERIDIAN Meridian)
Index: getlog.c
===
RCS file: /cvs/src/usr.bin/cvs/getlog.c,v
retrieving revision 1.98
diff -u -p -r1.98 getlog.c
--- getlog.c1 Dec 2014 21:58:46 -   1.98
+++ getlog.c22 Jun 2016 09:52:04 -
@@ -40,7 +40,7 @@
 voidcvs_log_local(struct cvs_file *);
 static void log_rev_print(struct rcs_delta *);
 static char*push_date(char *dest, const char *);
-static u_intdate_select(RCSFILE *, char *);
+static int date_select(RCSFILE *, char *, u_int *);
 
 int runflags = 0;
 char   *logrev = NULL;
@@ -210,6 +210,14 @@ cvs_log_local(struct cvs_file *cf)
 
cvs_file_classify(cf, cvs_directory_tag);
 
+   if (logrev != NULL)
+   nrev = cvs_revision_select(cf->file_rcs, logrev);
+   else if (logdate != NULL) {
+   if (date_select(cf->file_rcs, logdate, ) == -1)
+   fatal("Can't parse date/time: %s", logdate);
+   } else
+   nrev = cf->file_rcs->rf_ndelta;
+
if (cf->file_type == CVS_DIR) {
if (verbosity > 1)
cvs_log(LP_ERR, "Logging %s", cf->file_path);
@@ -230,16 +238,6 @@ cvs_log_local(struct cvs_file *cf)
return;
}
 
-   if (logrev != NULL)
-   nrev = cvs_revision_select(cf->file_rcs, logrev);
-   else if (logdate != NULL) {
-   if ((nrev = date_select(cf->file_rcs, logdate)) == -1) {
-   cvs_log(LP_ERR, "invalid date: %s", logdate);
-   return;
-   }
-   } else
-   nrev = cf->file_rcs->rf_ndelta;
-
cvs_printf("\nRCS file: %s", cf->file_rpath);
 
if (cvs_cmdop != CVS_OP_RLOG)
@@ -418,8 +416,8 @@ push_date(char *dest, const char *src)
return (dest);
 }
 
-static u_int
-date_select(RCSFILE *file, char *date)
+static int
+date_select(RCSFILE *file, char *date, u_int *cnt)
 {
int i, nrev, flags;
struct rcs_delta *rdp;
@@ -427,6 +425,7 @@ date_select(RCSFILE *file, char *date)
char *first, *last, delim;
time_t firstdate, lastdate, rcsdate;
 
+   *cnt = 0;
nrev = 0;
args = cvs_strsplit(date, ";");
 
@@ -566,7 +565,8 @@ date_select(RCSFILE *file, char *date)
}
}
 
+   *cnt = nrev;
cvs_argv_destroy(args);
 
-   return (nrev);
+   return 0;
 }

opencvs - use correct size when creating h_table

[Joris Vink]

Hi,

Don't allocate the length of a pointer but rather the
entire size of the struct hash_head data structure
when creating the h_table array.

.joris

Index: hash.c
===
RCS file: /cvs/src/usr.bin/cvs/hash.c,v
retrieving revision 1.2
diff -u -p -r1.2 hash.c
--- hash.c  16 Jan 2015 06:40:07 -  1.2
+++ hash.c  22 Jun 2016 09:52:04 -
@@ -44,7 +44,7 @@ hash_table_init(struct hash_table *htabl
hsize = 1 << power;
}
 
-   htable->h_table = xcalloc(hsize, sizeof(struct hash_head *));
+   htable->h_table = xcalloc(hsize, sizeof(struct hash_head));
htable->h_size = hsize;
 
for (i = 0; i < htable->h_size; i++)

opencvs - fix signed vs unsigned type confusion across opencvs.

[Joris Vink]

Hi,

The diff below fixes several signed vs unsigned type confusion
warnings and shuffles some assignments around.

.joris

Index: buf.c
===
RCS file: /cvs/src/usr.bin/cvs/buf.c,v
retrieving revision 1.83
diff -u -p -r1.83 buf.c
--- buf.c   5 Nov 2015 09:48:21 -   1.83
+++ buf.c   22 Jun 2016 09:52:04 -
@@ -106,7 +106,7 @@ buf_load_fd(int fd)
if (lseek(fd, 0, SEEK_SET) == -1)
fatal("buf_load_fd: lseek: %s", strerror(errno));
 
-   if (st.st_size > SIZE_MAX)
+   if ((uintmax_t)st.st_size > SIZE_MAX)
fatal("buf_load_fd: file size too big");
buf = buf_alloc(st.st_size);
if (atomicio(read, fd, buf->cb_buf, buf->cb_size) != buf->cb_size)
Index: diff3.c
===
RCS file: /cvs/src/usr.bin/cvs/diff3.c,v
retrieving revision 1.59
diff -u -p -r1.59 diff3.c
--- diff3.c 5 Nov 2015 09:48:21 -   1.59
+++ diff3.c 22 Jun 2016 09:52:04 -
@@ -295,7 +295,8 @@ diff3_internal(int argc, char **argv, co
free(overlap);
free(de);
 
-   de = d13 = d23 = overlap = NULL;
+   overlap = NULL;
+   de = d13 = d23 = NULL;
 
increase();
 
@@ -793,7 +794,7 @@ edscript(int n)
(void)fseek(fp[2], (long)de[n].new.from, SEEK_SET);
for (k = de[n].new.to-de[n].new.from; k > 0; k-= j) {
j = k > BUFSIZ ? BUFSIZ : k;
-   if (fread(block, 1, j, fp[2]) != j)
+   if (fread(block, 1, j, fp[2]) != (size_t)j)
return (-1);
block[j] = '\0';
diff_output("%s", block);
Index: diff_internals.c
===
RCS file: /cvs/src/usr.bin/cvs/diff_internals.c,v
retrieving revision 1.38
diff -u -p -r1.38 diff_internals.c
--- diff_internals.c5 Nov 2015 09:48:21 -   1.38
+++ diff_internals.c22 Jun 2016 09:52:04 -
@@ -455,13 +455,17 @@ prepare(int i, FILE *fd, off_t filesize,
 
rewind(fd);
 
-   sz = (filesize <= SIZE_MAX ? filesize : SIZE_MAX) / 25;
+   if ((uintmax_t)filesize <= SIZE_MAX)
+   sz = filesize / 25;
+   else
+   sz = SIZE_MAX / 25;
+
if (sz < 100)
sz = 100;
 
p = xcalloc(sz + 3, sizeof(*p));
for (j = 0; (h = readhash(fd, flags));) {
-   if (j == sz) {
+   if ((size_t)j == sz) {
sz = sz * 3 / 2;
p = xreallocarray(p, sz + 3, sizeof(*p));
}
Index: file.c
===
RCS file: /cvs/src/usr.bin/cvs/file.c,v
retrieving revision 1.267
diff -u -p -r1.267 file.c
--- file.c  5 Nov 2015 09:48:21 -   1.267
+++ file.c  22 Jun 2016 09:52:04 -
@@ -461,12 +461,13 @@ cvs_file_walkdir(struct cvs_file *cf, st
fatal("cvs_file_walkdir: %s %s", cf->file_path,
strerror(errno));
 
-   if (st.st_size > SIZE_MAX)
+   if ((uintmax_t)st.st_size > SIZE_MAX)
fatal("cvs_file_walkdir: %s: file size too big", cf->file_name);
 
-   bufsize = st.st_size;
-   if (bufsize < st.st_blksize)
+   if (st.st_size < st.st_blksize)
bufsize = st.st_blksize;
+   else
+   bufsize = st.st_size;
 
buf = xmalloc(bufsize);
RB_INIT();
@@ -1032,7 +1033,7 @@ cvs_file_cmp(const char *file1, const ch
if (S_ISREG(stb1.st_mode)) {
void *p1, *p2;
 
-   if (stb1.st_size > SIZE_MAX) {
+   if ((uintmax_t)stb1.st_size > SIZE_MAX) {
ret = 1;
goto out;
}
@@ -1087,28 +1088,31 @@ cvs_file_copy(const char *from, const ch
 
if (S_ISREG(st.st_mode)) {
char *p;
+   size_t len;
int saved_errno;
 
-   if (st.st_size > SIZE_MAX) {
+   if ((uintmax_t)st.st_size > SIZE_MAX) {
ret = -1;
goto out;
}
 
+   len = st.st_size;
+
if ((dst = open(to, O_CREAT|O_TRUNC|O_WRONLY,
st.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO))) == -1)
fatal("cvs_file_copy: open `%s': %s",
to, strerror(errno));
 
-   if ((p = mmap(NULL, st.st_size, PROT_READ,
+   if ((p = mmap(NULL, len, PROT_READ,
MAP_FILE, src, (off_t)0)) == MAP_FAILED) {
saved_errno = errno;
(void)unlink(to);
fatal("cvs_file_copy: mmap: %s", strerror(saved_errno));
}
 
-   madvise(p, st.st_size, MADV_SEQUENTIAL);
+   madvise(p, len, 

opencvs - correct type of p in annotate

[Joris Vink]

Hi,

Use the correct type for p.

.joris

Index: annotate.c
===
RCS file: /cvs/src/usr.bin/cvs/annotate.c,v
retrieving revision 1.65
diff -u -p -r1.65 annotate.c
--- annotate.c  5 Nov 2015 09:48:21 -   1.65
+++ annotate.c  22 Jun 2016 09:52:04 -
@@ -155,7 +155,8 @@ void
 cvs_annotate_local(struct cvs_file *cf)
 {
int i;
-   char date[10], rnum[13], *p;
+   u_char *p;
+   char date[10], rnum[13];
RCSNUM *bnum, *rev;
struct rcs_line *line;
struct rcs_line **alines;

opencvs - fix revision lookups for branches

[Joris Vink]

Hi,

This diff below fixes a serious issue in opencvs when
checking out revisions from a branch.

Properly perform a revision lookup so update -r actually
works again, as a bonus throw a more correct error when
the revision could not be found.

.joris

Index: rcs.c
===
RCS file: /cvs/src/usr.bin/cvs/rcs.c,v
retrieving revision 1.313
diff -u -p -r1.313 rcs.c
--- rcs.c   5 Nov 2015 09:48:21 -   1.313
+++ rcs.c   22 Jun 2016 09:52:04 -
@@ -1796,17 +1796,13 @@ rcs_rev_getlines(RCSFILE *rfp, RCSNUM *f
 
 again:
for (;;) {
+   if (rdp == NULL)
+   break;
+
if (rdp->rd_next->rn_len != 0) {
trdp = rcs_findrev(rfp, rdp->rd_next);
if (trdp == NULL)
fatal("failed to grab next revision");
-   } else {
-   /*
-* XXX Fail, although the caller does not always do the
-* right thing (eg cvs diff when the tree is ahead of
-* the repository).
-*/
-   break;
}
 
if (rdp->rd_tlen == 0) {
@@ -1857,7 +1853,7 @@ again:
}
 
 next:
-   if (!rcsnum_differ(rdp->rd_num, frev))
+   if (rdp == NULL || !rcsnum_differ(rdp->rd_num, frev))
done = 1;
 
if (RCSNUM_ISBRANCHREV(frev) && done != 1) {
@@ -2045,6 +2041,7 @@ rcs_rev_getbuf(RCSFILE *rfp, RCSNUM *rev
struct rcs_delta *rdp;
struct rcs_lines *lines;
struct rcs_line *lp, *nlp;
+   char version[RCSNUM_MAXSTR];
BUF *bp;
 
rdp = NULL;
@@ -2057,8 +2054,12 @@ rcs_rev_getbuf(RCSFILE *rfp, RCSNUM *rev
expmode = rcs_kwexp_get(rfp);
 
if (!(expmode & RCS_KWEXP_NONE)) {
-   if ((rdp = rcs_findrev(rfp, rev)) == NULL)
-   fatal("could not fetch revision");
+   if ((rdp = rcs_findrev(rfp, rev)) == NULL) {
+   rcsnum_tostr(rev, version, sizeof(version));
+   fatal("could not find desired version %s in %s",
+   version, rfp->rf_path);
+   }
+
expand = 1;
}
}