Re: usbdevs: small addition

2020-02-22 Thread Theo de Raadt
Jonathan Gray  wrote:

> > - add vendor id for "Synaptics, Inc.
> 
> I'd just go with "Synaptics"

It is critical to be as terse as possible, since these tables go
into many kernels, some of which are space constrained.



Re: usbdevs: small addition

2020-02-22 Thread Jonathan Gray
On Sat, Feb 22, 2020 at 04:22:25PM +0100, Jasper Lievisse Adriaanse wrote:
> Hi,
> 
> - add an AMD product found on the APU2

I would not consider 0x7900 a root hub as it attaches to another hub

uhub2 at uhub1 port 1 configuration 1 interface 0 "Advanced Micro Devices product 0x7900" rev 2.00/0.18 addr 2

> - add vendor id for "Synaptics, Inc.

I'd just go with "Synaptics"

> - add synaptics fingerprint reader found on recent thinkpads; I couldn't find
>   a proper name for this device in the Linux usb.ids repository so I went with
>   the generic "Fingerprint Reader" that's also used elsewhere in this file.

does it not supply a string itself?

the lenovo windows driver matches on 0x06cb:0x00bd and 0x06cb:0x00c2
and calls itself "Synaptics UWP WBDI" which isn't very helpful.

> 
> OK?
> 
> Index: usbdevs
> ===
> RCS file: /cvs/src/sys/dev/usb/usbdevs,v
> retrieving revision 1.710
> diff -u -p -r1.710 usbdevs
> --- usbdevs   27 Jan 2020 15:41:42 -  1.710
> +++ usbdevs   22 Feb 2020 15:21:41 -
> @@ -262,6 +262,7 @@ vendor AGFA   0x06bd  AGFA-Gevaert
>  vendor ASIAMD0x06be  Asia Microelectronic Development
>  vendor PHIDGETS  0x06c2  Phidgets
>  vendor BIZLINK   0x06c4  Bizlink International
> +vendor SYNAPTICS 0x06cb  Synaptics, Inc.
>  vendor KEYSPAN   0x06cd  Keyspan
>  vendor AASHIMA   0x06d6  Aashima Technology
>  vendor LIEBERT   0x06da  Liebert
> @@ -888,6 +889,9 @@ product ALTI2 NEPTUNE30x6001  Neptune 3
>  product AMBIT WLAN   0x0302  WLAN
>  product AMBIT NTL_2500x6098  NTL 250 cable modem
>  
> +/* Advanced Micro Devices products */
> +product AMD HUB  0x7900  Root Hub
> +
>  /* Amigo Technology products */
>  product AMIGO RT2870_1   0x9031  RT2870
>  product AMIGO RT2870_2   0x9041  RT2870
> @@ -4167,6 +4171,9 @@ product SWEEX2 LW1530x0153  LW153
>  product SWEEX2 LW154 0x0154  LW154
>  product SWEEX2 LW303 0x0302  LW303
>  product SWEEX2 LW313 0x0313  LW313
> +
> +/* Synaptics, Inc. products */
> +product SYNAPTICS FPRINT 0x00bd  Fingerprint Reader
>  
>  /* Syntech Information products */
>  product SYNTECH SERIAL   0x0001  Serial
> 
> 



Re: ifconfig with UTF-8 nwid

2020-02-22 Thread Stuart Henderson
On 2020/02/22 17:24, Stefan Sperling wrote:
> On Sat, Feb 22, 2020 at 02:56:54PM +0100, Mark Kettenis wrote:
> > IMHO it is a bad idea to make the output of ifconfig locale-dependent.
> 
> Fine. I'll drop this diff.
> 

Pity, it is quite useful if you are somewhere that uses UTF-8 SSIDs,
otherwise it's a complete pain to decode to figure out if you're
connecting to the correct network. An alternative would be to filter
ifconfig output through something like this

#!/usr/bin/perl
use strict;
use warnings;

while (<>) {
	# ifconfig prints non-ASCII SSIDs as "nwid 0x<hex>"; pull out the hex digits
	if (m/nwid 0x([0-9a-f]+)\s/) {
		my $hex = $1;
		# turn the hex digits back into the raw SSID bytes
		my $decoded = pack "H*", $hex;
		# append the raw bytes, quoted, right after the hex string
		s/$hex/$hex ("$decoded")/;
	}
	print $_;
}

but it won't validate the characters so best redirect output to a file
and open it in a UTF-8 editor to view it rather than displaying it
directly on a terminal.
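An added, validating version of such a filter (my own example, not Stuart's script and not ifconfig code): it appends the decoded SSID only when the bytes are valid UTF-8, fit in IEEE80211_NWID_LEN, and are printable, so control or escape sequences in an attacker-chosen SSID never reach the terminal, and it also computes the column budget a joinlist-style aligner needs (the hex form alone can be 66 columns wide). The sample scan lines are constructed; only the first hex string is the one quoted in this thread.

```python
#!/usr/bin/env python3
"""Filter ifconfig(8) scan/joinlist output and append a decoded form to hex NWIDs.

Constructed example for this thread; not code from ifconfig or from any poster.
"""
import re
import sys
import unicodedata

IEEE80211_NWID_LEN = 32                        # net80211 SSID limit in bytes
HEX_NWID_COLUMNS = IEEE80211_NWID_LEN * 2 + 2  # "0x" + 64 hex digits = 66 columns

# ifconfig prints an SSID that is not printable ASCII as "nwid 0x<hex>".
NWID_HEX_RE = re.compile(r"nwid 0x([0-9a-fA-F]+)(?=\s|$)")


def decode_nwid(hexstr):
    """Return the human-readable SSID for a hex NWID, or None if it must stay hex.

    The SSID is attacker-chosen radio input, so the decoded form is shown only
    if it is within the NWID length limit, is strictly valid UTF-8, and consists
    of printable characters only (no C0/C1 controls, so no ESC-based terminal
    escapes, and no format or unassigned code points)."""
    if len(hexstr) == 0 or len(hexstr) % 2 != 0:
        return None
    if len(hexstr) > IEEE80211_NWID_LEN * 2:
        return None
    raw = bytes.fromhex(hexstr)
    try:
        text = raw.decode("utf-8", errors="strict")  # rejects overlongs, surrogates
    except UnicodeDecodeError:
        return None
    if not text.isprintable():
        return None
    return text


def display_width(text):
    """Terminal columns needed for text (wide East Asian characters take two)."""
    return sum(2 if unicodedata.east_asian_width(ch) in ("W", "F") else 1
               for ch in text)


def nwid_columns(hexstr):
    """Columns an aligned listing (like 'ifconfig joinlist') must budget for one
    hex NWID plus its optional decoded form ' ("...")'. The hex form alone can
    be HEX_NWID_COLUMNS wide, so capping at IEEE80211_NWID_LEN is wrong."""
    cols = 2 + len(hexstr)
    decoded = decode_nwid(hexstr)
    if decoded is not None:
        cols += 5 + display_width(decoded)   # space, (, ", text, ", )
    return cols


def annotate_line(line):
    """Append ' ("<decoded>")' after each hex NWID that passes decode_nwid()."""
    def repl(match):
        decoded = decode_nwid(match.group(1))
        if decoded is None:
            return match.group(0)             # leave undecodable/unsafe SSIDs as hex
        return '%s ("%s")' % (match.group(0), decoded)
    return NWID_HEX_RE.sub(repl, line)


def annotate_lines(lines):
    return [annotate_line(line) for line in lines]


# Constructed sample lines in the format shown in this thread: the first hex
# string is the one from the thread, the other two are made up to exercise the
# rejection paths (a terminal clear-screen escape, and invalid UTF-8).
SAMPLE_SCAN = [
    "\tnwid 0x6162616374c3a97269c3a96d69717565 chan 4 bssid xx:xx:xx:xx:xx:xx 68% HT-MCS7",
    "\tnwid 0x1b5b326a chan 6 bssid xx:xx:xx:xx:xx:xx 25% HT-MCS15",
    "\tnwid 0xfffe chan 11 bssid xx:xx:xx:xx:xx:xx 40% HT-MCS7",
]


if __name__ == "__main__":
    # Pipe "ifconfig iwm0 scan" in; without a pipe, run over the sample lines.
    source = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin
    for line in source:
        sys.stdout.write(annotate_line(line.rstrip("\n")) + "\n")
```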



Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Tobias Heider
> > 
> > We should rather fix the defaults to do what we expect them to do.
> > In your example case that would be using fqdn/D.example.com
> Agreed;  do you take a stab at it?  I'm happy to test.
> 

Try this

Index: parse.y
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/parse.y,v
retrieving revision 1.89
diff -u -p -r1.89 parse.y
--- parse.y 21 Feb 2020 15:17:34 -  1.89
+++ parse.y 22 Feb 2020 21:04:16 -
@@ -1962,6 +1962,11 @@ set_policy(char *idstr, int type, struct
const char  *prefix = NULL;
EVP_PKEY*key = NULL;
 
+   if (idstr == NULL) {
+   log_warnx("%s: can not set empty ID.", __func__);
+   return (-1);
+   }
+
switch (type) {
case IKEV2_ID_IPV4:
prefix = "ipv4";
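Review bot: the new guard in set_policy() only catches a NULL `idstr`; an empty string (`idstr[0] == '\0'`) still passes and goes on to form the pubkey path, which is the case the message "can not set empty ID." suggests should be rejected. Check both, e.g. `if (idstr == NULL || *idstr == '\0')`, and spell the log text "cannot".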
@@ -2112,7 +2117,7 @@ host_dns(const char *s, int mask)
err(1, "%s", __func__);
copy_sockaddrtoipa(ipa, res->ai_addr);
error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
-   sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
+   sizeof(hbuf), NULL, 0, 0);
if (error)
err(1, "host_dns: getnameinfo");
ipa->name = strdup(hbuf);
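Review bot: dropping NI_NUMERICHOST from the getnameinfo() call in host_dns() changes what `ipa->name` holds: instead of the numeric address, getnameinfo() now performs a reverse (PTR) lookup and returns whatever name the reverse zone for that address advertises. Since create_ike() (next hunk) copies `ipb->name` into `idstr` as the default peer ID, and hence into the pubkey lookup path, the key lookup becomes keyed on reverse DNS, which need not equal the FQDN written after `peer` and is controlled by whoever runs that reverse zone; it also makes config parsing block on a DNS round trip. Safer is to keep NI_NUMERICHOST and store the configured name `s` (already host_dns()'s argument) in `ipa->name` whenever `s` is not a numeric address.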
@@ -2798,6 +2803,10 @@ create_ike(char *name, int af, uint8_t i
pol.pol_peer.addr_net = ipb->netaddress;
if (pol.pol_af == AF_UNSPEC)
pol.pol_af = ipb->af;
+   if (ipb->name) {
+   strlcpy(idstr, ipb->name, sizeof(idstr));
+   idtype = get_id_type(ipb->name);
+   }
}
 
if (ikelifetime)
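Review bot: the new `if (ipb->name)` block sits inside the block closed by the `}` at the end of this hunk, which handles the resolved peer address; if that body runs once per address a name resolves to, the last iteration's `idstr` and `get_id_type()` result win silently. If the intent is "use the configured peer name as the ID", set it once from the peer spec rather than per resolved address, and state in iked.conf.5 which ID is derived when `peer` is an FQDN.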
@@ -2984,20 +2993,6 @@ create_ike(char *name, int af, uint8_t i
if (dstid) {
strlcpy(idstr, dstid, sizeof(idstr));
idtype = pol.pol_peerid.id_type;
-   } else if (!pol.pol_peer.addr_net) {
-   print_host((struct sockaddr *)_peer.addr, idstr,
-   sizeof(idstr));
-   switch (pol.pol_peer.addr.ss_family) {
-   case AF_INET:
-   idtype = IKEV2_ID_IPV4;
-   break;
-   case AF_INET6:
-   idtype = IKEV2_ID_IPV6;
-   break;
-   default:
-   log_warnx("%s: unknown address family", __func__);
-   break;
-   }
}
 
/* Make sure that we know how to authenticate this peer */
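Review bot: with the `else if (!pol.pol_peer.addr_net)` branch removed, a policy without `dstid` whose peer entry carries no `name` leaves `idstr` and `idtype` at whatever they held before this point; the NULL check added to set_policy() does not catch an empty buffer, so confirm `idstr` is initialised (e.g. `idstr[0] = '\0'`) and that an empty ID is rejected rather than silently producing a pubkey path with an empty last component. The removed switch also carried the `default:` "unknown address family" warning, which now has no equivalent.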



ifconfig man page fix

2020-02-22 Thread Stefan Sperling
SSIDs are required to contain printable ASCII only.
Otherwise, they must be specified in hex.

Let's document this explicitly.

diff c20bd74017ceeadb2db0f78a352ed1f1e2b77c2b /usr/src
blob - 3fb0780ba7cf1333894f5c3485a95e71885fbd6d
file + sbin/ifconfig/ifconfig.8
--- sbin/ifconfig/ifconfig.8
+++ sbin/ifconfig/ifconfig.8
@@ -972,8 +972,9 @@ list if they are found during a scan.
 .Pp
 The
 .Ar id
-can either be any text string up to 32 characters in length,
-or a series of hexadecimal digits up to 64 digits.
+can either be a printable ASCII string up to 32 characters in length,
+or a series of hexadecimal digits up to 64 digits preceded by
+.Dq 0x .
 If
 .Ar id
 is the empty string
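Review bot: the new wording leaves one case undefined: a printable ASCII SSID that itself begins with "0x" (say a network literally named "0x1234") reads as hex under this text. Say which interpretation wins, or how to force the literal form, since a user following this page cannot tell.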
@@ -1077,6 +1078,12 @@ Remove specified flag.
 .It Cm nwid Ar id
 Connect to the network with NWID/ESSID
 .Ar id .
+The
+.Ar id
+can either be a printable ASCII string up to 32 characters in length,
+or a series of hexadecimal digits up to 64 digits preceded by
+.Dq 0x .
+.Pp
 Unlike
 .Cm join ,
 the
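Review bot: the paragraph added under `.It Cm nwid Ar id` duplicates the one in the `join` section word for word; mdoc pages usually state a rule once and cross-reference it, so a sentence such as "The id is interpreted as for .Cm join ." keeps the two from drifting apart later.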



fix ifconfig joinlist width bug

2020-02-22 Thread Stefan Sperling
This fixes display of hex SSIDs in 'ifconfig joinlist' and prevents a
negative number being passed to printf on the following line when 'maxlen'
ends up being capped below the maximum value returned from len_string():

printf("%-*s", maxlen - len, " ");

Hex SSIDs can be as wide as IEEE80211_NWID_LEN * 2 + 2 /* "0x" */

ok?

diff c20bd74017ceeadb2db0f78a352ed1f1e2b77c2b /usr/src
blob - e1dc9dbb07bf109c3ec7f5fd4d851a7dbb5692f1
file + sbin/ifconfig/ifconfig.c
--- sbin/ifconfig/ifconfig.c
+++ sbin/ifconfig/ifconfig.c
@@ -2571,16 +2571,14 @@ join_status(void)
 
maxlen = 0;
for (i = 0; i < ja.ja_nodes; i++) {
len = len_string(jn[i].i_nwid, jn[i].i_len);
if (len > maxlen)
maxlen = len;
}
-   if (maxlen > IEEE80211_NWID_LEN)
-   maxlen = IEEE80211_NWID_LEN - 1;
 
for (i = 0; i < ja.ja_nodes; i++) {
printf("\t  ");
if (jn[i].i_len > IEEE80211_NWID_LEN)
jn[i].i_len = IEEE80211_NWID_LEN;
len = print_string(jn[i].i_nwid, jn[i].i_len);
printf("%-*s", maxlen - len, " ");
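Review bot: the clamp of `jn[i].i_len` to IEEE80211_NWID_LEN in the second loop runs after `maxlen` was computed from the unclamped `i_len` in the first loop, so the two loops measure different data for an over-long entry. Today that only costs extra padding, because the first loop can only over-estimate, but moving the clamp before the first loop (or into len_string()) makes `maxlen - len >= 0` obviously true, which is the invariant `printf("%-*s", maxlen - len, " ")` depends on.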



Re: ifconfig with UTF-8 nwid

2020-02-22 Thread Stefan Sperling
On Sat, Feb 22, 2020 at 07:08:36AM -0700, Theo de Raadt wrote:
> Stefan Sperling  wrote:
> 
> > +
> > +/* UTF-8 support */
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> >  #endif /* SMALL */
> 
> I don't see how the installer will work with this.

I cannot, and that wasn't the goal.

Anyway, this diff is cancelled.



Re: ifconfig with UTF-8 nwid

2020-02-22 Thread Stefan Sperling
On Sat, Feb 22, 2020 at 02:56:54PM +0100, Mark Kettenis wrote:
> IMHO it is a bad idea to make the output of ifconfig locale-dependent.

Fine. I'll drop this diff.



usbdevs: small addition

2020-02-22 Thread Jasper Lievisse Adriaanse
Hi,

- add an AMD product found on the APU2
- add vendor id for "Synaptics, Inc."
- add synaptics fingerprint reader found on recent thinkpads; I couldn't find
  a proper name for this device in the Linux usb.ids repository so I went with
  the generic "Fingerprint Reader" that's also used elsewhere in this file.

OK?

Index: usbdevs
===
RCS file: /cvs/src/sys/dev/usb/usbdevs,v
retrieving revision 1.710
diff -u -p -r1.710 usbdevs
--- usbdevs 27 Jan 2020 15:41:42 -  1.710
+++ usbdevs 22 Feb 2020 15:21:41 -
@@ -262,6 +262,7 @@ vendor AGFA 0x06bd  AGFA-Gevaert
 vendor ASIAMD  0x06be  Asia Microelectronic Development
 vendor PHIDGETS0x06c2  Phidgets
 vendor BIZLINK 0x06c4  Bizlink International
+vendor SYNAPTICS   0x06cb  Synaptics, Inc.
 vendor KEYSPAN 0x06cd  Keyspan
 vendor AASHIMA 0x06d6  Aashima Technology
 vendor LIEBERT 0x06da  Liebert
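Review bot: the vendor string "Synaptics, Inc." could be cut to "Synaptics"; these tables are compiled into several kernels, some of them space constrained, and the neighbouring vendor lines in this hunk (e.g. `vendor KEYSPAN 0x06cd Keyspan`) already omit the corporate suffix.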
@@ -888,6 +889,9 @@ product ALTI2 NEPTUNE3  0x6001  Neptune 3
 product AMBIT WLAN 0x0302  WLAN
 product AMBIT NTL_250  0x6098  NTL 250 cable modem
 
+/* Advanced Micro Devices products */
+product AMD HUB0x7900  Root Hub
+
 /* Amigo Technology products */
 product AMIGO RT2870_1 0x9031  RT2870
 product AMIGO RT2870_2 0x9041  RT2870
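Review bot: the name "Root Hub" for `product AMD HUB 0x7900` looks wrong: the dmesg quoted in this thread shows the device as `uhub2 at uhub1 port 1`, i.e. attached below another hub, so it is not a root hub. Plain "Hub" is accurate without guessing more.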
@@ -4167,6 +4171,9 @@ product SWEEX2 LW153  0x0153  LW153
 product SWEEX2 LW154   0x0154  LW154
 product SWEEX2 LW303   0x0302  LW303
 product SWEEX2 LW313   0x0313  LW313
+
+/* Synaptics, Inc. products */
+product SYNAPTICS FPRINT   0x00bd  Fingerprint Reader
 
 /* Syntech Information products */
 product SYNTECH SERIAL 0x0001  Serial
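Review bot: only 0x00bd is added under `/* Synaptics, Inc. products */`, while the thread notes the vendor's Windows driver also matches 0x06cb:0x00c2; if that second id is the same reader it needs its own `product SYNAPTICS ...` line. The comment header should also match whatever string the `vendor SYNAPTICS` line finally uses.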



Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Klemens Nanni
On Sat, Feb 22, 2020 at 02:33:17PM +0100, Tobias Heider wrote:
> Peer can not be "any" in an active policy, somehow the initiator must know
> where to send the messages. In this case the default currently is what I've
> described before: the IP of peer.
But in `passive' policies which is the default unless `active' is
specified explicitly;  the manual already makes use of `peer any' in the
EXAMPLES section.

> In a passive policy the key is only needed when
> the peer's ID has been exchanged in the IKE_AUTH message,
> so (I think) the default is to use whatever ID was received.
That does not match the manual wording, then.

> I think this works pretty well in 90% of the cases and I've always been a
> fan of a short default configuration, so I don't think requiring to
> set dstid is a good idea.
> 
> We should rather fix the defaults to do what we expect them to do.
> In your example case that would be using fqdn/D.example.com
Agreed;  do you take a stab at it?  I'm happy to test.



Re: ifconfig with UTF-8 nwid

2020-02-22 Thread Theo de Raadt
Stefan Sperling  wrote:

> +
> +/* UTF-8 support */
> +#include 
> +#include 
> +#include 
> +#include 
>  #endif /* SMALL */

I don't see how the installer will work with this.



Re: ifconfig with UTF-8 nwid

2020-02-22 Thread Mark Kettenis
> Date: Sat, 22 Feb 2020 12:44:12 +0100
> From: Stefan Sperling 
> 
> This is another attempt at improving usability with non-ASCII network IDs.
> 
> Previous attempts have been rejected in part because entering UTF-8 strings
> is difficult to do for Americans and, to a lesser extent, Canadians.
> 
> It occurred to me that the real issue might have been that previous attempts
> were erasing the hex string representation in favour of UTF-8, instead of
> amending the hex string with a human-readable representation of that string.
> 
> With the diff below ifconfig shows both representations, provided the UTF-8
> locale is active and the string can be successfully decoded, and fits NWID
> length restrictions, and contains printable Unicode only.
> 
> We still need to enter a hex ID to use a network, but at least it becomes
> much easier to tell which one to use.
> 
> Before:
> 
> $ ifconfig iwm0 scan
> iwm0: flags=808843 mtu 1500
> [...]
>   nwid 0x6162616374c3a97269c3a96d69717565 chan 4 bssid xx:xx:xx:xx:xx:xx 68% HT-MCS7 privacy,short_preamble,short_slottime,wpa2
>   nwid 0x chan 6 bssid xx:xx:xx:xx:xx:xx 25% HT-MCS15 privacy,short_slottime,wpa2
> 
> 
> After:
> 
> $ ifconfig iwm0 scan
> iwm0: flags=808843 mtu 1500
> [...]
>   nwid 0x6162616374c3a97269c3a96d69717565 ("abactériémique") chan 4 bssid xx:xx:xx:xx:xx:xx 68% HT-MCS7 privacy,short_preamble,short_slottime,wpa2
>   nwid 0x chan 6 bssid xx:xx:xx:xx:xx:xx 25% HT-MCS15 privacy,short_slottime,wpa2
> 
> 
> I'm making the man page point out that 'ifconfig nwid' accepts only
> *printable ASCII* strings or hex. Based on that it should be clear what
> the user needs to do with information shown in the scan result list.
> 
> This feature also works with 'ifconfig joinlist'. While here fix a bug
> where non-ASCII IDs on this list were improperly truncated to 32 columns
> when displayed. The hexstring can be up to 66 columns in length so capping
> joinlist SSIDs to IEEE80211_NWID_LEN - 1 columns is wrong.
> A human-readable representation needs additional space to be displayed.
> 
> Since print_string() and len_string() are only used with NWIDs nowadays I
> am renaming them to print_nwid() and width_nwid() (the latter function is
> being used to compute a display width, not a string length in bytes).
> 
> Is this acceptable or are there objections to the idea?

IMHO it is a bad idea to make the output of ifconfig locale-dependent.

> diff c20bd74017ceeadb2db0f78a352ed1f1e2b77c2b /usr/src
> blob - 3fb0780ba7cf1333894f5c3485a95e71885fbd6d
> file + sbin/ifconfig/ifconfig.8
> --- sbin/ifconfig/ifconfig.8
> +++ sbin/ifconfig/ifconfig.8
> @@ -972,8 +972,9 @@ list if they are found during a scan.
>  .Pp
>  The
>  .Ar id
> -can either be any text string up to 32 characters in length,
> -or a series of hexadecimal digits up to 64 digits.
> +can either be a printable ASCII string up to 32 characters in length,
> +or a series of hexadecimal digits up to 64 digits preceded by
> +.Dq 0x .
>  If
>  .Ar id
>  is the empty string
> @@ -1077,6 +1078,12 @@ Remove specified flag.
>  .It Cm nwid Ar id
>  Connect to the network with NWID/ESSID
>  .Ar id .
> +The
> +.Ar id
> +can either be a printable ASCII string up to 32 characters in length,
> +or a series of hexadecimal digits up to 64 digits preceded by
> +.Dq 0x .
> +.Pp
>  Unlike
>  .Cm join ,
>  the
> blob - e1dc9dbb07bf109c3ec7f5fd4d851a7dbb5692f1
> file + sbin/ifconfig/ifconfig.c
> --- sbin/ifconfig/ifconfig.c
> +++ sbin/ifconfig/ifconfig.c
> @@ -110,6 +110,12 @@
>  #ifndef SMALL
>  #include 
>  #include 
> +
> +/* UTF-8 support */
> +#include 
> +#include 
> +#include 
> +#include 
>  #endif /* SMALL */
>  
>  #include "ifconfig.h"
> @@ -156,6 +162,7 @@ structifaliasreq  addreq;
>  
>  int  wconfig = 0;
>  int  wcwconfig = 0;
> +int  is_utf8_locale = 0;
>  #endif /* SMALL */
>  
>  char ifname[IFNAMSIZ];
> @@ -654,8 +661,9 @@ const char *get_linkstate(int, int);
>  void status(int, struct sockaddr_dl *, int);
>  __dead void  usage(void);
>  const char *get_string(const char *, const char *, u_int8_t *, int *);
> -int  len_string(const u_int8_t *, int);
> -int  print_string(const u_int8_t *, int);
> +int  utf8_nwid(const u_int8_t *, int);
> +int  width_nwid(const u_int8_t *, int);
> +int  print_nwid(const u_int8_t *, int);
>  char *sec2str(time_t);
>  
>  const char *get_media_type_string(uint64_t);
> @@ -731,6 +739,10 @@ main(int argc, char *argv[])
>   int found_rulefile = 0;
>   int i;
>  
> +#ifndef SMALL
> + setlocale(LC_CTYPE, "");
> + is_utf8_locale = (strcmp(nl_langinfo(CODESET), "UTF-8") == 0);
> +#endif
>   /* If no args at all, print all interfaces.  */
>   if (argc < 2) {
>   /* no filesystem visibility */
> @@ -1678,9 +1690,44 @@ get_string(const char *val, const char *sep, u_int8_t 
>   return val;
>  }
>  
> 

Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Tobias Heider
On Sat, Feb 22, 2020 at 01:47:35PM +0100, Klemens Nanni wrote:
> On Sat, Feb 22, 2020 at 01:18:13PM +0100, Tobias Heider wrote:
> > It seems I was mistaken because I usually use IPs in local
> > and peer. What I said is true for IPs.  When using
> > FQDNs for local/peer however, iked first does the name
> > resolution and then uses the IP as default dstid value
> > to lookup the key...
> > 
> > I still think using the actual value of peer would be the
> > better dstid default, so maybe we should fix it in the
> > code.  What do you think?
> Rereading the manual:
> 
>If srcid is omitted, the default is to use the hostname of the
>local machine, see hostname(1) to set or print the hostname.
> 
>dstid is similar to srcid, but instead specifies the ID to be used
>by the remote peer.
> So `srcid' is a string (hostname), but what does `dstid' default to?
> `peer' can be "any": what then?
> 
> About `peer', the manual says
> 
>[...].  If it is not specified or if the keyword any is
>given, the default peer is used.
> 
> What is "the default peer"?

No idea what the default peer is supposed to mean.

> I'd expect `dstid' to always use the literal value of `peer' unless it
> is "any", in which case I am not sure;  perhaps require `dstid' to be
> set explicitly?

Peer can not be "any" in an active policy, somehow the initiator must know
where to send the messages. In this case the default currently is what I've
described before: the IP of peer.

In a passive policy the key is only needed when
the peer's ID has been exchanged in the IKE_AUTH message,
so (I think) the default is to use whatever ID was received.

I think this works pretty well in 90% of the cases and I've always been a
fan of a short default configuration, so I don't think requiring to
set dstid is a good idea.

We should rather fix the defaults to do what we expect them to do.
In your example case that would be using fqdn/D.example.com



Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Klemens Nanni
On Sat, Feb 22, 2020 at 01:18:13PM +0100, Tobias Heider wrote:
> It seems I was mistaken because I usually use IPs in local
> and peer. What I said is true for IPs.  When using
> FQDNs for local/peer however, iked first does the name
> resolution and then uses the IP as default dstid value
> to lookup the key...
> 
> I still think using the actual value of peer would be the
> better dstid default, so maybe we should fix it in the
> code.  What do you think?
Rereading the manual:

   If srcid is omitted, the default is to use the hostname of the
   local machine, see hostname(1) to set or print the hostname.

   dstid is similar to srcid, but instead specifies the ID to be used
   by the remote peer.
So `srcid' is a string (hostname), but what does `dstid' default to?
`peer' can be "any": what then?

About `peer', the manual says

   [...].  If it is not specified or if the keyword any is
   given, the default peer is used.

What is "the default peer"?

I'd expect `dstid' to always use the literal value of `peer' unless it
is "any", in which case I am not sure;  perhaps require `dstid' to be
set explicitly?



Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Tobias Heider
On Sat, Feb 22, 2020 at 12:50:27PM +0100, Klemens Nanni wrote:
> On Sat, Feb 22, 2020 at 12:24:36PM +0100, Klemens Nanni wrote:
> > On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> > > This is not what dstid does. When setting 'dstid D.example.com' the
> > > policy still only applies if the peer sends 'D.example.com' as its
> > > identity in the ID payload.
> > > Not setting dstid explicitly means iked will fall back to the value of
> > > "peer", which in your case would be the same: "D.example.com".
> > > 
> > > Setting dstid is only necessary if you are using the IP address in the
> > > "peer" option but still want to use a FQDN as ID, which is really only the
> > > case with certificate authentication where the ID must match the
> > > subjectAltName.
> > I can double check yet again, but I'm pretty sure that setting dstid
> > was what made iked find the public key.  So far, I have not used literal
> > IPs in my configuration - that I know for sure.
> Here is an example, you can verify what I observed by merely parsing
> the configuration with and without the `dstitd' line.
> 
>   # find /etc/iked/pubkeys/ ! -type d -ls
>   1044254 -rw-r--r--    1 root wheel 800 Feb 10 19:36 /etc/iked/pubkeys/fqdn/D.example.com
> 
>   # cat /etc/iked.conf
>   ikesa transport \
>   proto gre
>   from A.example.com to D.example.com \
>   peer D.example.com \
>   dstid D.example.com
>   # iked -dnv
>   ikev2 "policy1" passive transport esp proto gre inet6 from 1.2.3.4 to 5.6.7.8 from 2001::db8:1 to 2001::db8:2 local any peer 2001::db8:2 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn dstid D.example.com lifetime 10800 bytes 536870912 rsa
>   configuration OK
> 
>   # cat /etc/iked.conf
>   ikesa transport \
>   proto gre
>   from A.example.com to D.example.com \
>   peer D.example.com
>   # iked -dnv
>   set_policy: could not find pubkey for /etc/iked/pubkeys/ipv6/2001::db8:2
>   ikev2 "policy1" passive transport esp proto gre inet6 from 1.2.3.4 to 5.6.7.8 from 2001::db8:1 to 2001::db8:2 local any peer 2001::db8:2 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 rfc7427
>   configuration OK
> 
> So my proposed wording is misleading or rather wrong since I did not
> set `dstid' due to whatever the peer sends but rather because iked is
> not able to find the corresponding public key in the first place.
> 

It seems I was mistaken because I usually use IPs in local
and peer. What I said is true for IPs.  When using
FQDNs for local/peer however, iked first does the name
resolution and then uses the IP as default dstid value
to lookup the key...

I still think using the actual value of peer would be the
better dstid default, so maybe we should fix it in the
code.  What do you think?



Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Tobias Heider
On Sat, Feb 22, 2020 at 12:41:12PM +0100, Landry Breuil wrote:
> On Sat, Feb 22, 2020 at 12:24:36PM +0100, Klemens Nanni wrote:
> > On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> > > This is not what dstid does. When setting 'dstid D.example.com' the
> > > policy still only applies if the peer sends 'D.example.com' as its
> > > identity in the ID payload.
> > > Not setting dstid explicitly means iked will fall back to the value of
> > > "peer", which in your case would be the same: "D.example.com".
> > > 
> > > Setting dstid is only necessary if you are using the IP address in the
> > > "peer" option but still want to use a FQDN as ID, which is really only the
> > > case with certificate authentication where the ID must match the
> > > subjectAltName.
> > I can double check yet again, but I'm pretty sure that setting dstid
> > was what made iked find the public key.  So far, I have not used literal
> > IPs in my configuration - that I know for sure.
> 
> that was also my experience when working on faq17, srcid/dstid were used
> to lookup the cert/key in /etc/iked...

They are indeed used for the lookup.
But IIRC iked should use the value of peer as dstid
by default, so setting both to the same value should
not be necessary.



Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Klemens Nanni
On Sat, Feb 22, 2020 at 12:24:36PM +0100, Klemens Nanni wrote:
> On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> > This is not what dstid does. When setting 'dstid D.example.com' the policy
> > still only applies if the peer sends 'D.example.com' as its identity in the
> > ID payload.
> > Not setting dstid explicitly means iked will fall back to the value of
> > "peer", which in your case would be the same: "D.example.com".
> > 
> > Setting dstid is only necessary if you are using the IP address in the
> > "peer" option but still want to use a FQDN as ID, which is really only the
> > case with certificate authentication where the ID must match the
> > subjectAltName.
> I can double check yet again, but I'm pretty sure that setting dstid
> was what made iked find the public key.  So far, I have not used literal
> IPs in my configuration - that I know for sure.
Here is an example, you can verify what I observed by merely parsing
the configuration with and without the `dstitd' line.

# find /etc/iked/pubkeys/ ! -type d -ls
1044254 -rw-r--r--    1 root wheel 800 Feb 10 19:36 /etc/iked/pubkeys/fqdn/D.example.com

# cat /etc/iked.conf
ikesa transport \
proto gre
from A.example.com to D.example.com \
peer D.example.com \
dstid D.example.com
# iked -dnv
ikev2 "policy1" passive transport esp proto gre inet6 from 1.2.3.4 to 5.6.7.8 from 2001::db8:1 to 2001::db8:2 local any peer 2001::db8:2 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn dstid D.example.com lifetime 10800 bytes 536870912 rsa
configuration OK

# cat /etc/iked.conf
ikesa transport \
proto gre
from A.example.com to D.example.com \
peer D.example.com
# iked -dnv
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv6/2001::db8:2
ikev2 "policy1" passive transport esp proto gre inet6 from 1.2.3.4 to 5.6.7.8 from 2001::db8:1 to 2001::db8:2 local any peer 2001::db8:2 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 rfc7427
configuration OK

So my proposed wording is misleading or rather wrong since I did not
set `dstid' due to whatever the peer sends but rather because iked is
not able to find the corresponding public key in the first place.



ifconfig with UTF-8 nwid

2020-02-22 Thread Stefan Sperling
This is another attempt at improving usability with non-ASCII network IDs.

Previous attempts have been rejected in part because entering UTF-8 strings
is difficult to do for Americans and, to a lesser extent, Canadians.

It occurred to me that the real issue might have been that previous attempts
were erasing the hex string representation in favour of UTF-8, instead of
amending the hex string with a human-readable representation of that string.

With the diff below ifconfig shows both representations, provided the UTF-8
locale is active and the string can be successfully decoded, and fits NWID
length restrictions, and contains printable Unicode only.

We still need to enter a hex ID to use a network, but at least it becomes
much easier to tell which one to use.

Before:

$ ifconfig iwm0 scan
iwm0: flags=808843 mtu 1500
[...]
  nwid 0x6162616374c3a97269c3a96d69717565 chan 4 bssid xx:xx:xx:xx:xx:xx 68% HT-MCS7 privacy,short_preamble,short_slottime,wpa2
  nwid 0x chan 6 bssid xx:xx:xx:xx:xx:xx 25% HT-MCS15 privacy,short_slottime,wpa2


After:

$ ifconfig iwm0 scan
iwm0: flags=808843 mtu 1500
[...]
  nwid 0x6162616374c3a97269c3a96d69717565 ("abactériémique") chan 4 bssid xx:xx:xx:xx:xx:xx 68% HT-MCS7 privacy,short_preamble,short_slottime,wpa2
  nwid 0x chan 6 bssid xx:xx:xx:xx:xx:xx 25% HT-MCS15 privacy,short_slottime,wpa2


I'm making the man page point out that 'ifconfig nwid' accepts only
*printable ASCII* strings or hex. Based on that it should be clear what
the user needs to do with information shown in the scan result list.

This feature also works with 'ifconfig joinlist'. While here fix a bug
where non-ASCII IDs on this list were improperly truncated to 32 columns
when displayed. The hexstring can be up to 66 columns in length so capping
joinlist SSIDs to IEEE80211_NWID_LEN - 1 columns is wrong.
A human-readable representation needs additional space to be displayed.

Since print_string() and len_string() are only used with NWIDs nowadays I
am renaming them to print_nwid() and width_nwid() (the latter function is
being used to compute a display width, not a string length in bytes).

Is this acceptable or are there objections to the idea?


diff c20bd74017ceeadb2db0f78a352ed1f1e2b77c2b /usr/src
blob - 3fb0780ba7cf1333894f5c3485a95e71885fbd6d
file + sbin/ifconfig/ifconfig.8
--- sbin/ifconfig/ifconfig.8
+++ sbin/ifconfig/ifconfig.8
@@ -972,8 +972,9 @@ list if they are found during a scan.
 .Pp
 The
 .Ar id
-can either be any text string up to 32 characters in length,
-or a series of hexadecimal digits up to 64 digits.
+can either be a printable ASCII string up to 32 characters in length,
+or a series of hexadecimal digits up to 64 digits preceded by
+.Dq 0x .
 If
 .Ar id
 is the empty string
@@ -1077,6 +1078,12 @@ Remove specified flag.
 .It Cm nwid Ar id
 Connect to the network with NWID/ESSID
 .Ar id .
+The
+.Ar id
+can either be a printable ASCII string up to 32 characters in length,
+or a series of hexadecimal digits up to 64 digits preceded by
+.Dq 0x .
+.Pp
 Unlike
 .Cm join ,
 the
blob - e1dc9dbb07bf109c3ec7f5fd4d851a7dbb5692f1
file + sbin/ifconfig/ifconfig.c
--- sbin/ifconfig/ifconfig.c
+++ sbin/ifconfig/ifconfig.c
@@ -110,6 +110,12 @@
 #ifndef SMALL
 #include 
 #include 
+
+/* UTF-8 support */
+#include 
+#include 
+#include 
+#include 
 #endif /* SMALL */
 
 #include "ifconfig.h"
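Review bot: the UTF-8 headers are pulled in only outside the SMALL build, so every use of the locale, wide-character and width functions further down must sit under the same `#ifndef SMALL` guard, and the SMALL (ramdisk/installer) build must still compile once `len_string()`/`print_string()` are renamed; the thread already asks how the installer copes with this, so a SMALL build check belongs in the commit.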
@@ -156,6 +162,7 @@ struct  ifaliasreq  addreq;
 
 intwconfig = 0;
 intwcwconfig = 0;
+intis_utf8_locale = 0;
 #endif /* SMALL */
 
 char   ifname[IFNAMSIZ];
@@ -654,8 +661,9 @@ const char *get_linkstate(int, int);
 void   status(int, struct sockaddr_dl *, int);
 __dead voidusage(void);
 const char *get_string(const char *, const char *, u_int8_t *, int *);
-intlen_string(const u_int8_t *, int);
-intprint_string(const u_int8_t *, int);
+intutf8_nwid(const u_int8_t *, int);
+intwidth_nwid(const u_int8_t *, int);
+intprint_nwid(const u_int8_t *, int);
 char   *sec2str(time_t);
 
 const char *get_media_type_string(uint64_t);
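Review bot: renaming `len_string()` and `print_string()` to `width_nwid()` and `print_nwid()` changes every caller, and none of the callers appear in this diff; confirm with a grep over sbin/ifconfig that no stale name remains in either the SMALL or the non-SMALL path, and that the new `utf8_nwid()` prototype also gets a SMALL fallback.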
@@ -731,6 +739,10 @@ main(int argc, char *argv[])
int found_rulefile = 0;
int i;
 
+#ifndef SMALL
+   setlocale(LC_CTYPE, "");
+   is_utf8_locale = (strcmp(nl_langinfo(CODESET), "UTF-8") == 0);
+#endif
/* If no args at all, print all interfaces.  */
if (argc < 2) {
/* no filesystem visibility */
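Review bot: `setlocale(LC_CTYPE, "")` takes the locale from the caller's environment (LANG/LC_*), so the same scan now prints differently from an interactive shell than from a script, cron job or the installer, which is the objection raised in this thread. If the feature stays, restricting the decoded form to output going to a terminal (`isatty(STDOUT_FILENO)`) keeps one stable format for anything that parses ifconfig output.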
@@ -1678,9 +1690,44 @@ get_string(const char *val, const char *sep, u_int8_t 
return val;
 }
 
+/*
+ * Attempt to create a human-readable representation of an NWID in UTF-8.
+ * Return the width of the representation (amount of terminal columns used)
+ * and optionally print to stdout.
+ */
 int
-len_string(const u_int8_t *buf, int len)
+utf8_nwid(const u_int8_t *buf, int print_nwid)
 {
+#ifndef SMALL
+   wchar_t wcid[IEEE80211_NWID_LEN + 1];
+  
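Review bot: the new utf8_nwid() takes a parameter named `print_nwid`, which shadows the `print_nwid()` function declared in the prototypes hunk above; rename it (e.g. `do_print`) so the function body cannot confuse the two and -Wshadow stays quiet. Since an SSID is attacker-chosen radio input, make sure the wide-character conversion that fills `wcid` rejects invalid sequences and non-printable code points (iswprint) before anything is written to the terminal, as the accompanying mail describes.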

Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Landry Breuil
On Sat, Feb 22, 2020 at 12:24:36PM +0100, Klemens Nanni wrote:
> On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> > This is not what dstid does. When setting 'dstid D.example.com' the policy
> > still only applies if the peer sends 'D.example.com' as its identity in the
> > ID payload.
> > Not setting dstid explicitly means iked will fall back to the value of
> > "peer", which in your case would be the same: "D.example.com".
> > 
> > Setting dstid is only necessary if you are using the IP address in the
> > "peer" option but still want to use a FQDN as ID, which is really only the
> > case with certificate authentication where the ID must match the
> > subjectAltName.
> I can double check yet again, but I'm pretty sure that setting dstid
> was what made iked find the public key.  So far, I have not used literal
> IPs in my configuration - that I know for sure.

that was also my experience when working on faq17, srcid/dstid were used
to lookup the cert/key in /etc/iked...



Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Klemens Nanni
On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> This is not what dstid does. When setting 'dstid D.example.com' the policy
> still only applies if the peer sends 'D.example.com' as its identity in the
> ID payload.
> Not setting dstid explicitly means iked will fall back to the value of "peer",
> which in your case would be the same: "D.example.com".
> 
> Setting dstid is only necessary if you are using the IP address in the
> "peer" option but still want to use a FQDN as ID, which is really only the
> case with certificate authentication where the ID must match the
> subjectAltName.
I can double check yet again, but I'm pretty sure that setting dstid
was what made iked find the public key.  So far, I have not used literal
IPs in my configuration - that I know for sure.

Will test and verify before committing anything.



Re: some vulns

2020-02-22 Thread Maxime Villard

CVSROOT:/cvs
Module name:src
Changes by: morti...@cvs.openbsd.org 2020/02/15 15:59:55

Modified files:
sys/arch/amd64/amd64: vmm.c

Log message:
Add bounds check on addresses passed from guests in pvclock.

Fixes an issue where a guest can write to host memory by passing bogus addresses.


I'm a bit confused here. It is not because the GPAs are contiguous that the
HPAs are too. If the structure crosses a page, the guest still can write to
host memory.



Re: iked.conf.5: Provide GRE tunnel in transport mode example

2020-02-22 Thread Tobias Heider
On Sat, Feb 22, 2020 at 12:26:01AM +0100, Klemens Nanni wrote:
> On Fri, Feb 21, 2020 at 10:28:50PM +, Jason McIntyre wrote:
> > it should be "a gre tunnel", not "an"
> Sure, leftover from previous wording/reshuffling.
> 
> > > +.Xr gre 4
> > > +tunnel from the local machine A to peer D using FQDN based public key
> > 
> > probably s/the local machine A/local machine A/ (as you do for peer D)
> > maybe "FQDN-based", since similar instances exist in this page:
> Both reads better, thanks.
> 
> > you should try to not split a sentence with a comma. if it's a list you
> > can do:
> I went with a semicolon.
> 
> 
> OK?

I have a comment about the use of dstid inline, otherwise I think
it's great you thought of documenting this use case. Thanks!

> Index: iked.conf.5
> ===
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.63
> diff -u -p -r1.63 iked.conf.5
> --- iked.conf.5   21 Feb 2020 15:17:34 -  1.63
> +++ iked.conf.5   21 Feb 2020 23:25:01 -
> @@ -990,6 +990,23 @@ ikev2 "subnet" esp from 10.0.3.0/24 to 1
>  ikev2 esp from 10.0.5.0/30 to 10.0.5.4/30 peer 192.168.1.2
>  ikev2 esp from 10.0.5.8/30 to 10.0.5.12/30 peer 192.168.1.3
>  .Ed
> +.Pp
> +This example encrypts a
> +.Xr gre 4
> +tunnel from local machine A to peer D using FQDN-based public key
> +authentication.
> +.Ar transport
> +mode is used to avoid duplicate encapsulation of GRE;
> +.Ar dstid
> +is set explicitly to the peer's FQDN such that its public key is looked up 
> even
> +if the peer does not send its FQDN as peer ID:

This is not what dstid does. When setting 'dstid D.example.com' the policy
still only applies if the peer sends 'D.example.com' as its identity in the
ID payload.
Not setting dstid explicitly means iked will fall back to the value of "peer",
which in your case would be the same: "D.example.com".

Setting dstid is only necessary if you are using the IP address in the
"peer" option but still want to use a FQDN as ID, which is really only the
case with certificate authentication where the ID must match the
subjectAltName.

> +.Bd -literal -offset indent
> +ikev2 transport \e
> + proto gre \e
> + from A.example.com to D.example.com \e
> + peer D.example.com \e
> + dstid D.example.com
> +.Ed
>  .Sh SEE ALSO
>  .Xr enc 4 ,
>  .Xr ipsec 4 ,
>
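Review bot: the sentence "dstid is set explicitly to the peer's FQDN such that its public key is looked up even if the peer does not send its FQDN as peer ID" overstates what `dstid` does; as discussed in this thread, the policy only matches when the peer presents that ID, and what the explicit `dstid` demonstrably changes (per the `iked -dnv` output quoted in the thread) is that the key is searched under /etc/iked/pubkeys/fqdn/D.example.com instead of under ipv6/ with the resolved address. Reword the example text to describe the key lookup rather than ID matching.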