OpenBGPD 7.6 released
We have released OpenBGPD 7.6, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. This release includes the following changes to the previous release: * Include OpenBSD 7.1 errata 008: bgpd(8) could fail to invalidate nexthops and incorrectly leave them in the FIB or Adj-RIB-Out. * Speedup bgpctl show rib 10/8 or-longer and show rib 10/8 or-shorter * Switch various static hash tables to RB trees improving performance on large systems * Export per neighbor pending update and withdraw statistics * Fix race between a neighbor session reset and its update message backlog * Improve handling of nexthop reachability state changes * Further improve portability of the FIB handling code OpenBGPD-portable is known to compile and run on FreeBSD, and the Linux distributions Alpine, Debian, Fedora, RHEL/CentOS and Ubuntu. It is our hope that packagers take interest and help adapt OpenBGPD-portable to more distributions. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.
Re: iostat.8 wording
On Thu, Sep 15, 2022 at 04:41:57PM +0200, Jan Stary wrote: > I believe this reads a little bit better. > > Jan > i agree, but i'd leave those commas in. jmc > Index: iostat.8 > === > RCS file: /cvs/src/usr.sbin/iostat/iostat.8,v > retrieving revision 1.27 > diff -u -p -r1.27 iostat.8 > --- iostat.8 7 Sep 2018 12:54:44 - 1.27 > +++ iostat.8 15 Sep 2022 14:41:05 - > @@ -150,8 +150,9 @@ Transfers per second > .It MB/s > Megabytes transferred per second > .El > -The alternate display format, (selected with > -.Fl D ) , > +.Pp > +The alternate display format selected with > +.Fl D > presents the following values: > .Pp > .Bl -tag -width indent -compact >
Re: immutable userland mappings
On Thu, Sep 15, 2022 at 08:31:06AM -0600, Theo de Raadt wrote: > RCS file: lib/libc/sys/mimmutable.2 ... > +Unmapped pages in the region do not retain immutability, but this > +behaviour should not be relied up. s/relied up/relied on/ or s/relied up/relied upon/
iostat.8 wording
I believe this reads a little bit better. Jan Index: iostat.8 === RCS file: /cvs/src/usr.sbin/iostat/iostat.8,v retrieving revision 1.27 diff -u -p -r1.27 iostat.8 --- iostat.87 Sep 2018 12:54:44 - 1.27 +++ iostat.815 Sep 2022 14:41:05 - @@ -150,8 +150,9 @@ Transfers per second .It MB/s Megabytes transferred per second .El -The alternate display format, (selected with -.Fl D ) , +.Pp +The alternate display format selected with +.Fl D presents the following values: .Pp .Bl -tag -width indent -compact
Re: immutable userland mappings
Theo de Raadt wrote: > > Yet another version of the diff as I incrementally get it working better. > > Call it version 22.. This is around version 30. There is still a subtle problem with RELRO, but it is masked with a hack. arm64 also works correctly, and I'm onto the next architecture. Systems using bfd.ld need to be checked also. There's a weird piece of logic related to "libraries that never unload", I am not sure I did it right. man page changes included. Transition steps are: make new kernel, install, reboot [you will see uvm_unmap errors for various programs in dmesg] make includes cd gnu/usr.bin/clang; make && make install make backup copies of /usr/libexec/ld.so and the most recent libc.so build and install ld.so [you will now see uvm_map_protect errors in dmesg] build and install libc.so [the messages should go away] build everything Index: gnu/llvm/lld/ELF/ScriptParser.cpp === RCS file: /cvs/src/gnu/llvm/lld/ELF/ScriptParser.cpp,v retrieving revision 1.1.1.4 diff -u -p -u -r1.1.1.4 ScriptParser.cpp --- gnu/llvm/lld/ELF/ScriptParser.cpp 17 Dec 2021 12:25:02 - 1.1.1.4 +++ gnu/llvm/lld/ELF/ScriptParser.cpp 2 Sep 2022 15:23:20 - @@ -1478,6 +1478,7 @@ unsigned ScriptParser::readPhdrType() { .Case("PT_GNU_EH_FRAME", PT_GNU_EH_FRAME) .Case("PT_GNU_STACK", PT_GNU_STACK) .Case("PT_GNU_RELRO", PT_GNU_RELRO) + .Case("PT_OPENBSD_MUTABLE", PT_OPENBSD_MUTABLE) .Case("PT_OPENBSD_RANDOMIZE", PT_OPENBSD_RANDOMIZE) .Case("PT_OPENBSD_WXNEEDED", PT_OPENBSD_WXNEEDED) .Case("PT_OPENBSD_BOOTDATA", PT_OPENBSD_BOOTDATA) Index: gnu/llvm/lld/ELF/Writer.cpp === RCS file: /cvs/src/gnu/llvm/lld/ELF/Writer.cpp,v retrieving revision 1.3 diff -u -p -u -r1.3 Writer.cpp --- gnu/llvm/lld/ELF/Writer.cpp 17 Dec 2021 14:46:47 - 1.3 +++ gnu/llvm/lld/ELF/Writer.cpp 2 Sep 2022 21:53:22 - @@ -146,7 +146,7 @@ StringRef elf::getOutputSectionName(cons {".text.", ".rodata.", ".data.rel.ro.", ".data.", ".bss.rel.ro.", ".bss.", ".init_array.", ".fini_array.", ".ctors.", ".dtors.", ".tbss.", ".gcc_except_table.", ".tdata.", ".ARM.exidx.", ".ARM.extab.", -".openbsd.randomdata."}) +".openbsd.randomdata.", ".openbsd.mutable." }) if (isSectionPrefix(v, s->name)) return v.drop_back(); @@ -2469,6 +2469,12 @@ std::vector Writer::c part.ehFrame->getParent() && part.ehFrameHdr->getParent()) addHdr(PT_GNU_EH_FRAME, part.ehFrameHdr->getParent()->getPhdrFlags()) ->add(part.ehFrameHdr->getParent()); + + // PT_OPENBSD_MUTABLE is an OpenBSD-specific feature. That makes + // the dynamic linker fill the segment with zero data, like bss, but + // it can be treated differently. + if (OutputSection *cmd = findSection(".openbsd.mutable", partNo)) +addHdr(PT_OPENBSD_MUTABLE, cmd->getPhdrFlags())->add(cmd); // PT_OPENBSD_RANDOMIZE is an OpenBSD-specific feature. That makes // the dynamic linker fill the segment with random data. Index: gnu/llvm/llvm/include/llvm/BinaryFormat/ELF.h === RCS file: /cvs/src/gnu/llvm/llvm/include/llvm/BinaryFormat/ELF.h,v retrieving revision 1.1.1.3 diff -u -p -u -r1.1.1.3 ELF.h --- gnu/llvm/llvm/include/llvm/BinaryFormat/ELF.h 17 Dec 2021 12:23:22 - 1.1.1.3 +++ gnu/llvm/llvm/include/llvm/BinaryFormat/ELF.h 14 Sep 2022 13:01:42 - @@ -1303,6 +1303,7 @@ enum { PT_GNU_RELRO = 0x6474e552,// Read-only after relocation. PT_GNU_PROPERTY = 0x6474e553, // .note.gnu.property notes sections. + PT_OPENBSD_MUTABLE = 0x65a3dbe5, // Like bss, but not immutable. PT_OPENBSD_RANDOMIZE = 0x65a3dbe6, // Fill with random data. PT_OPENBSD_WXNEEDED = 0x65a3dbe7, // Program does W^X violations. PT_OPENBSD_BOOTDATA = 0x65a41be6, // Section for boot arguments. Index: gnu/usr.bin/binutils/bfd/elf.c === RCS file: /cvs/src/gnu/usr.bin/binutils/bfd/elf.c,v retrieving revision 1.23 diff -u -p -u -r1.23 elf.c --- gnu/usr.bin/binutils/bfd/elf.c 13 Jan 2015 20:05:01 - 1.23 +++ gnu/usr.bin/binutils/bfd/elf.c 14 Sep 2022 13:00:27 - @@ -969,6 +969,7 @@ _bfd_elf_print_private_bfd_data (bfd *ab case PT_GNU_EH_FRAME: pt = "EH_FRAME"; break; case PT_GNU_STACK: pt = "STACK"; break; case PT_OPENBSD_RANDOMIZE: pt = "OPENBSD_RANDOMIZE"; break; + case PT_OPENBSD_MUTABLE: pt = "OPENBSD_MUTABLE"; break; default: sprintf (buf, "0x%lx", p->p_type); pt = buf; break; } fprintf (f, "%8s off0x", p
Re: [DIFF] Function Separation
On Thu, Sep 15, 2022 at 09:06:39AM +, Klemens Nanni wrote: > On Thu, Sep 15, 2022 at 04:29:36AM -0400, Varik Valefor wrote: > > This change removes a fairly large routine from a large function and places > > the fairly large routine into a dedicated function. The decreasing of the > > length of the main function should increase the readability of the large > > function. > > This patch does not apply cleanly onto current CVS for me. > > > > > Varik Valefor > > "When lost, just pure :: Monad m => a -> m a." > > > > diff --git a/sbin/bioctl/bioctl.c b/sbin/bioctl/bioctl.c > > index 58561e5f30f..19963ad762f 100644 > > --- a/sbin/bioctl/bioctl.c > > +++ b/sbin/bioctl/bioctl.c > > @@ -1307,6 +1307,29 @@ bcrypt_pbkdf_autorounds(void) > > > > return r; > > } > > +void > > +readpassphrasefile(char *passphrase, FILE *f, size_t pl, struct stat sb) > > +{ > > *f, pl and sb are still declared in derive_key() but unused there, > so they might as well be local to this new function. > > > + if ((f = fopen(password, "r")) == NULL) > > + err(1, "invalid passphrase file"); > > + > > + if (fstat(fileno(f), &sb) == -1) > > + err(1, "can't stat passphrase file"); > > + if (sb.st_uid != 0) > > + errx(1, "passphrase file must be owned by root"); > > + if ((sb.st_mode & ~S_IFMT) != (S_IRUSR | S_IWUSR)) > > + errx(1, "passphrase file has the wrong permissions"); > > + > > + if (fgets(passphrase, sizeof(passphrase), f) == NULL) Passphrase is a pointer here, so sizeof(passphrase) is 8 or 4 depending on whether this is run on a 64-bit or a 32-bit arch. In other words, this will only use the first 7 or 3 letters of the passphrase, which is not ideal... If we wanted to refactor this, the signature of the function should be: void readpassphrasefile(char *passphrase, size_t passphrase_len) { FILE *f; struct stat sb; size_t pl; ... > > + err(1, "can't read passphrase file"); > > + pl = strlen(passphrase); > > + if (pl > 0 && passphrase[pl - 1] == '\n') > > + passphrase[pl - 1] = '\0'; > > + else > > + errx(1, "invalid passphrase length"); > > + > > + fclose(f); > > +} > > > > void > > derive_key(u_int32_t type, int rounds, u_int8_t *key, size_t keysz, > > @@ -1331,25 +1354,7 @@ derive_key(u_int32_t type, int rounds, u_int8_t *key, > > size_t keysz, > > > > /* get passphrase */ > > if (password) { > > - if ((f = fopen(password, "r")) == NULL) > > - err(1, "invalid passphrase file"); > > - > > - if (fstat(fileno(f), &sb) == -1) > > - err(1, "can't stat passphrase file"); > > - if (sb.st_uid != 0) > > - errx(1, "passphrase file must be owned by root"); > > - if ((sb.st_mode & ~S_IFMT) != (S_IRUSR | S_IWUSR)) > > - errx(1, "passphrase file has the wrong > > permissions"); > > - > > - if (fgets(passphrase, sizeof(passphrase), f) == NULL) here sizeof(passphrase) is 1024, since passphrase is an array of length 1024 of type char. > > - err(1, "can't read passphrase file"); > > - pl = strlen(passphrase); > > - if (pl > 0 && passphrase[pl - 1] == '\n') > > - passphrase[pl - 1] = '\0'; > > - else > > - errx(1, "invalid passphrase length"); > > - > > - fclose(f); > > + readpassphrasefile(passphrase, f, pl, sb); Call this as readpassphrasefile(passphrase, sizeof(passphrase)); > > } else { > > if (readpassphrase(prompt, passphrase, sizeof(passphrase), > > rpp_flag) == NULL) > > >
Re: [DIFF] Function Separation
On Thu, Sep 15, 2022 at 04:29:36AM -0400, Varik Valefor wrote: > This change removes a fairly large routine from a large function and places > the fairly large routine into a dedicated function. The decreasing of the > length of the main function should increase the readability of the large > function. This patch does not apply cleanly onto current CVS for me. > > Varik Valefor > "When lost, just pure :: Monad m => a -> m a." > > diff --git a/sbin/bioctl/bioctl.c b/sbin/bioctl/bioctl.c > index 58561e5f30f..19963ad762f 100644 > --- a/sbin/bioctl/bioctl.c > +++ b/sbin/bioctl/bioctl.c > @@ -1307,6 +1307,29 @@ bcrypt_pbkdf_autorounds(void) > > return r; > } > +void > +readpassphrasefile(char *passphrase, FILE *f, size_t pl, struct stat sb) > +{ *f, pl and sb are still declared in derive_key() but unused there, so they might as well be local to this new function. > + if ((f = fopen(password, "r")) == NULL) > + err(1, "invalid passphrase file"); > + > + if (fstat(fileno(f), &sb) == -1) > + err(1, "can't stat passphrase file"); > + if (sb.st_uid != 0) > + errx(1, "passphrase file must be owned by root"); > + if ((sb.st_mode & ~S_IFMT) != (S_IRUSR | S_IWUSR)) > + errx(1, "passphrase file has the wrong permissions"); > + > + if (fgets(passphrase, sizeof(passphrase), f) == NULL) > + err(1, "can't read passphrase file"); > + pl = strlen(passphrase); > + if (pl > 0 && passphrase[pl - 1] == '\n') > + passphrase[pl - 1] = '\0'; > + else > + errx(1, "invalid passphrase length"); > + > + fclose(f); > +} > > void > derive_key(u_int32_t type, int rounds, u_int8_t *key, size_t keysz, > @@ -1331,25 +1354,7 @@ derive_key(u_int32_t type, int rounds, u_int8_t *key, > size_t keysz, > > /* get passphrase */ > if (password) { > - if ((f = fopen(password, "r")) == NULL) > - err(1, "invalid passphrase file"); > - > - if (fstat(fileno(f), &sb) == -1) > - err(1, "can't stat passphrase file"); > - if (sb.st_uid != 0) > - errx(1, "passphrase file must be owned by root"); > - if ((sb.st_mode & ~S_IFMT) != (S_IRUSR | S_IWUSR)) > - errx(1, "passphrase file has the wrong > permissions"); > - > - if (fgets(passphrase, sizeof(passphrase), f) == NULL) > - err(1, "can't read passphrase file"); > - pl = strlen(passphrase); > - if (pl > 0 && passphrase[pl - 1] == '\n') > - passphrase[pl - 1] = '\0'; > - else > - errx(1, "invalid passphrase length"); > - > - fclose(f); > + readpassphrasefile(passphrase, f, pl, sb); > } else { > if (readpassphrase(prompt, passphrase, sizeof(passphrase), > rpp_flag) == NULL) >
Re: libcrypto: add OID for RPKI signedTAL objects
On Thu, Sep 15, 2022 at 08:12:34AM +, Job Snijders wrote: > IANA made a permanent registration in the SMI Security for S/MIME CMS > Content Type registry at > https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 > for signed objects conforming to draft-ietf-sidrops-signed-tal. ok tb
libcrypto: add OID for RPKI signedTAL objects
IANA made a permanent registration in the SMI Security for S/MIME CMS Content Type registry at https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 for signed objects conforming to draft-ietf-sidrops-signed-tal. OK? Kind regards, Job Index: lib/libcrypto/objects/obj_mac.num === RCS file: /cvs/src/lib/libcrypto/objects/obj_mac.num,v retrieving revision 1.31 diff -u -p -r1.31 obj_mac.num --- lib/libcrypto/objects/obj_mac.num 16 Jul 2022 17:30:33 - 1.31 +++ lib/libcrypto/objects/obj_mac.num 15 Sep 2022 08:05:45 - @@ -1021,3 +1021,4 @@ ct_precert_signer 1020 ct_cert_scts 1021 hkdf 1022 id_smime_aa_signingCertificateV2 1023 +id_ct_signedTAL1024 Index: lib/libcrypto/objects/objects.txt === RCS file: /cvs/src/lib/libcrypto/objects/objects.txt,v retrieving revision 1.37 diff -u -p -r1.37 objects.txt --- lib/libcrypto/objects/objects.txt 16 Jul 2022 17:30:33 - 1.37 +++ lib/libcrypto/objects/objects.txt 15 Sep 2022 08:05:45 - @@ -265,6 +265,7 @@ id-smime-ct 36 : id-ct-resourceTaggedAt id-smime-ct 47 : id-ct-geofeedCSVwithCRLF id-smime-ct 48 : id-ct-signedChecklist id-smime-ct 49 : id-ct-ASPA +id-smime-ct 50 : id-ct-signedTAL # S/MIME Attributes id-smime-aa 1 : id-smime-aa-receiptRequest
Re: man sed(1): instructions wrt whitespace in functions
On Wed, Sep 14, 2022 at 11:51:41AM +0200, Luka Krmpoti?? wrote: > section "DESCRIPTION" of sed man(1) page, says > >The form of a sed command is as follows: > >[address[,address]]function[arguments] > >Whitespace may be inserted before the first address and the function > >portions of the command. > https://github.com/openbsd/src/blob/16748403c325ab5b4e9457bf8f0879a6698daba9/usr.bin/sed/sed.1#L138-L139 > > I don't understand where this whitespace would go, perhaps it should say: > >Whitespace may be inserted between the address and the function > >portions of the command. > hi. i think you should send a diff to say what you think it should say. jmc > if I use a `-f command_file` I tested that I can indeed insert a whitespace > between address & function portions, e.g. `1,3p` as well as `1,3 p` work. > > For this and the following mentions of whitespace, I have not managed > to make whitespace work when command was given as an argument > (either alone or part of -e flag). In my tests, I could insert whitespaces > in sed commands only in `command_file`. This behavior is not mentioned > in the man page. > > section "SED FUNCTIONS": > >The r and w functions, as well as the w flag to the s function, take a > >file parameter, which should be separated from the function or flag by > >whitespace. > > The r & w & s (with w flag) functions work also if file parameter is NOT > separated, while > if it IS separated by whitespace, they only work as part of `command_file`. > > perhaps, the instruction should read something like > >The r and w functions, as well as the w flag to the s function, take a > >file parameter, which can be separated from the function or flag by > >whitespace in `command_file`. > > I haven't looked into IEEE specification, perhaps the word "should" > applies to that, and the sentence should be left as is. > > then we have > >The b, r, s, t, w, y, and : functions all accept additional arguments. > >The synopses below indicate which arguments have to be separated from the > >function letters by whitespace characters. > > > >[2addr]b [label] > >[1addr]r file > >[2addr]s/RE/replacement/flags > >[2addr]t [label] > >[2addr]w file > >[2addr]y/string1/string2/ > >[0addr]:label > > again, (b,r,s,t,w) functions work without whitespace separation of > arguments, > while with whitespace only as part of `command_file` > so why does it say `have to` (again, maybe because of IEEE spec?). > > maybe the wording should be > >The b, r, s, t, w, y, and : functions all accept additional arguments. > >The synopses below indicate which arguments can be separated from the > >function letters by whitespace character in `command_file` > > In short, it is frustrating for someone learning sed, testing the sed > functions using > command argument (alone or part of -e), to be told to insert whitespace > when this only works as part of `command_file`. > > Best, > Luka > > P.S. > I appreciate my suggestions getting replies, unfortunately I'm struggling > with mail. I don't receive any replies in my inbox, and have to check > https://marc.info/?l=openbsd-tech to see them.