Mike Neuman | 1 Mar 2003 02:29

Semantics for Unix Domain bind(2)

  Can anyone explain to me why the Unix Domain bind(2)
requires the socket not exist on the filesystem? There
are comments in the source and manual which would seem
to indicate someone else thinks this is a bug as well.
(See kern/uipc_usrreq.c, line 421 (OBSD32), or the man
page for bind).

  The fix is pretty simple (about 15 lines hacked
in--if we reworked the function to not do an
NDINIT(,CREATE,...) first, it would likely be less),
and doesn't really break anything, but it does allow
the use of unix domain sockets on read-only
filesystems. Is there any interest in this?

-Mike

Daxbert | 1 Mar 2003 07:13

Differences between OpenBSD and FreeBSD -V option in make

While working on a portupgrade-like utility for OpenBSD, I've noticed that
FreeBSD's make and OpenBSD's make treat the -V option differently.

FreeBSD-make recursively evaluates the variable(s) provided, while OpenBSD-make
does not. This variable expansion is a feature I need for the portupgrade utility.

Example Makefile...

DISTNAME=       Atlas-C++-${VERSION}
PKGNAME=        ${DISTNAME:S/C++-//:L}

# make -V PKGNAME

FreeBSD-make returns  'atlas-0.4.3.1'
OpenBSD-make returns  '${DISTNAME:S/C++//:L}'

I've created a patch for make which mimics the FreeBSD expansion 
with the same option (-X) to disable expansion.

Is this feature currently missing because it *should* be missing?

The patch may be found at either of the two following links.  
As I'm new to this, comments would be greatly appreciated.

http://ra.dweebsoft.com/make.patch   (raw - no html)

or 

http://ra.dweebsoft.com/make.patch.html

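To make the difference concrete, here is an added example (my own model, not the make source or the patch linked above) that expands ${VAR} and a small subset of BSD make modifiers (:L, :U, :S/old/new/) the recursive way the post says FreeBSD's -V does, beside the raw behaviour described for OpenBSD. The value of VERSION is an assumption; the post only shows the resulting 'atlas-0.4.3.1'.

```python
import re

# Constructed from the post's Makefile fragment; VERSION's value is an assumption
# (the post only shows the expanded result 'atlas-0.4.3.1').
VARS = {
    "VERSION": "0.4.3.1",
    "DISTNAME": "Atlas-C++-${VERSION}",
    "PKGNAME": "${DISTNAME:S/C++-//:L}",
}

def apply_modifier(value, mod):
    """Subset of BSD make modifiers: :L lower, :U upper, :S/old/new/ literal first-match substitution."""
    if mod == "L":
        return value.lower()
    if mod == "U":
        return value.upper()
    if mod.startswith("S") and len(mod) > 1:
        sep = mod[1]
        old, new = mod[2:].split(sep)[:2]     # "S/old/new/" -> ["old", "new", ""]
        return value.replace(old, new, 1)
    raise ValueError("unsupported modifier: " + mod)

def expand(text, variables, depth=0):
    """Expand ${NAME} and ${NAME:mod:mod} recursively, as the post says FreeBSD's -V does."""
    if depth > 32:
        raise RecursionError("variable expansion does not terminate")
    def repl(match):
        name, *mods = match.group(1).split(":")   # simplification: ':' inside a pattern is unsupported
        value = expand(variables.get(name, ""), variables, depth + 1)
        for mod in mods:
            value = apply_modifier(value, mod)
        return value
    return re.sub(r"\$\{([^}]*)\}", repl, text)

def make_V(name, variables, expand_value=True):
    """Model of `make -V NAME`: expanded (FreeBSD) or raw (OpenBSD, or with the proposed -X)."""
    raw = variables.get(name, "")
    return expand(raw, variables) if expand_value else raw
```

The depth guard matters for a recursive expander: a self-referencing variable must raise rather than recurse until the stack runs out.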

Hakan Olsson | 1 Mar 2003 10:19

Re: Sentinel_SSH VPN client and Certs

On Fri, 28 Feb 2003, Infra wrote:
...
> 124805.916159 Negt 40 ike_phase_1_recv_ID: USER_FQDN:
> 124805.917337 Negt 40 6c617074 6f703240 63796265 72746865 7175652e 6e6574
> 124805.918905 Cryp 70 x509_hash_find: no certificate matched query
> 124805.936671 Misc 95 conf_get_str: configuration value not found
> [X509-certificates]:Accept-self-signed
> 124805.937601 Default x509_cert_validate: unable to get local issuer
> certificate
> 124805.941124 Default rsa_sig_decode_hash: received CERT can't
> be validated

Looks like you have not installed the (correct) CA cert (Issuer: C=US,
ST=MN, L=Duluth, O=Cybertheque, CN=nat1.cybertheque.net/emailAddress=
root@nat1.cybertheque.net), so this one cannot be verified/trusted.

Hint: does 'openssl verify -CAfile <path>/ca.crt <path>/some_cert.crt'
work? (some_cert.crt is the above one, ca.crt is the CA cert that's
supposed to validate it).

> 124805.942030 Misc 95 conf_get_str: configuration value not found
> [General]:Pubkey-directory
> 124805.955928 Negt 50 get_raw_key_from_file: file
> /etc/isakmpd/pubkeys/ufqdn/laptop2@cybertheque.net not found

This is isakmpd trying to find a trusted public key by other methods.

> 124805.956876 Default rsa_sig_decode_hash: no public key found
> 124805.957946 Default dropped message from 172.16.5.18 port 500 due to
> notification type INVALID_ID_INFORMATION

David Gwynne | 1 Mar 2003 12:13

VLAN support for em, ti and sk

These patches address issues people have been having with vlans using a few of the gige nics, namely MTU size
errors when adding vlans with these interfaces as the parents. Hardware vlan tagging was re-enabled in ti
and unbroken in em.

The changes are quite trivial and could be applied to any other driver without effort. For example the diff
to sk was one line. However, em, sk and ti were the only nics I had to test with. Big thanks to Chris Pascoe for
providing the hardware and an uncomfortable seat to work in.

David Gwynne
Index: if_ti.c
===================================================================
RCS file: /cvs/src/sys/dev/pci/if_ti.c,v
retrieving revision 1.44
diff -u -r1.44 if_ti.c
--- if_ti.c	2003/02/26 19:07:32	1.44
+++ if_ti.c	2003/03/01 10:26:20
 <at>  <at>  -81,6 +81,7  <at>  <at> 
  */

 #include "bpfilter.h"
+#include "vlan.h"

 #include <sys/param.h>
 #include <sys/systm.h>
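Review bot: the `#include "vlan.h"` placed beside `#include "bpfilter.h"` is the config(8)-generated header that defines NVLAN, so it has to come before the `#if NVLAN > 0` test opened in the following hunk; grouping it with the other generated include is the right place, and any driver receiving the same change needs the include in the same position.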
 <at>  <at>  -110,6 +111,11  <at>  <at> 
 #include <net/bpf.h>
 #endif

+#if NVLAN > 0
+#include <net/if_types.h>

Chris Pascoe | 1 Mar 2003 12:31

Re: VLAN support for em, ti and sk

David Gwynne writes:

> These patches address ...

And as the patches got squashed into the body, I've put them tab-safe on the
web at:

http://www.itee.uq.edu.au/~chrisp/OpenBSD/

Regards,
Chris

Infra | 1 Mar 2003 18:45

Re: Sentinel_SSH VPN client and Certs

Hakan,

Thanks so much for your reply.

> Looks like you have not installed the (correct) CA cert (Issuer: C=US,
> ST=MN, L=Duluth, O=Cybertheque, CN=nat1.cybertheque.net/emailAddress=
> root@nat1.cybertheque.net), so this one cannot be verified/trusted.
>
> Hint: does 'openssl verify -CAfile <path>/ca.crt <path>/some_cert.crt'
> work? (some_cert.crt is the above one, ca.crt is the CA cert that's
> supposed to validate it).

openssl verify -CAfile /etc/isakmpd/ca/ca.crt laptop2.crt
laptop2.crt: OK

That is the only CA cert and the only 'user' cert.  The user cert was
imported into the Sentinel client key database.

The Sentinel client verifies the CA chain.

The policy.conf and isakmpd.conf are straight from the 'Allard' website
with only domain names and ip addresses changed.  The interface listening
for requests is NAT'ed with all traffic permitted in and out for testing.
The keys and certs were generated using the 'Allard' config script edited
for names and addresses.

The SSH_Sentinel version is 1.4.9.190 as grabbed from their ftp site.

I just checked out the CVS; I'm building it now and will try it too.


Thomas Walpuski | 1 Mar 2003 19:11

Re: Sentinel_SSH VPN client and Certs

On Sat, Mar 01, 2003 at 11:45:35AM -0600, Infra wrote:
> The policy.conf and isakmpd.conf are straight from the 'Allard' website
> with only domain names and ip addresses changed.

Have you changed Licensees in policy.conf to match the issuer's DN?

Tom Bak | 1 Mar 2003 21:20

wsfontload and 80x25bf

Hello!

I have been trying to load fonts at 80x25, but I didn't succeed.
I had to use the 80x25bf mode, in which my colors are broken :(
When searching the archives I found this post:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=102216844628973&w=2

After reading it, I thought that I would not be able to have my font loaded at
80x25, BUT recently it turned out that at 80x50 there is no such
limitation and I can load a custom font at full 16 colors in 80x50, without
being forced to use *bf.

Now I am full of doubts:
Why can I load a font at 80x50 but not at 80x25? Because of
hardware?
Am I wrong, and I CAN load a custom font at 80x25 on i386?
Maybe I did something wrong?
Please, clear my doubts. I need to be sure.

I tried with many different fonts (from NetBSD and OpenBSD's, edited
with fed(1)), but with no success.
I tested it on i386 machines with a few different video cards and
OpenBSD-3.2 and 3.3-beta.

I load fonts and screens in this manner:

# 80x50

David Bryan | 1 Mar 2003 23:10

Re: Netgear FVS318 VPN connect to OpenBSD Router

I would check the shared secret first, e.g. retype it in the config and then try getting
rid of any white space around it. Then try doing MD5, e.g. change the default-quickmode line
to look like this

QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE

And maybe even the default-mainmode to something like this.
Transforms=             3DES-SHA,3DES-MD5

If that fails, run isakmpd with the -d -D9=99 flags, and then maybe even -d -DA=99 (the latter
will produce a lot of output.)

Also have you looked at this website?
http://ruff.cs.jmu.edu/~beetle/download/befvp41.html

Just a thought, maybe there's something that I've missed.

On Fri, Feb 21, 2003 at 11:35:09AM -0700, Sébastien Taylor had written:
> As far as the /etc/isakmpd/crls/ directory goes, you just have to create it. 
> I'll let someone else comment on the "giving up on message..." error.
> 
> 
> In reply to "ted jordan, jordanteam" <ted@jordanteam.com>:
> 
> > I am trying to connect from a PC with Windows 98 thru a Netgear
> > FVS318 router via VPN to a router running OpenBSD 3.2 with
> > Windows 98 PCs connected within its network.
> > 
> >   192.168.123.X-Netgear-22.33.44.55- - -99.88.77.66-OpenBSD-196.168.0.X
> > 

Steve Bernard | 2 Mar 2003 01:07

Parsing tcpdump files

I need to parse large packet captures in tcpdump/pcap format and am looking
for advice about what tools would be best for this. The captures contain the
IP and L4 headers only, but are well over a million packets each. The files
are currently in binary format, but I could convert to hex or ascii.

Thanks,

Steve
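For captures like the ones described above, here is an added example (my own, not from the thread or any tool mentioned in it) of a streaming libpcap reader in Python: it walks a headers-only capture record by record, honours the byte order announced by the file magic, refuses truncated records instead of silently dropping them, and counts IPv4 TCP/UDP five-tuples without ever holding the whole file in memory. The three-packet capture it reads is constructed inline; the addresses and ports are made up.

```python
import struct
from collections import Counter
from io import BytesIO

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic libpcap magic (microsecond stamps); DLT_EN10MB
PROTO = {6: "tcp", 17: "udp"}

def pcap_records(stream):   # yields (linktype, frame) one record at a time, never the whole file
    gh = stream.read(24)
    end = "<" if gh[:4] == struct.pack("<I", PCAP_MAGIC) else ">"   # the magic reveals the byte order
    if len(gh) != 24 or struct.unpack(end + "I", gh[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", gh[20:24])[0]
    while ph := stream.read(16):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", ph)   # struct.error if the header is cut
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")   # a cut-off capture fails loudly, not silently
        yield linktype, frame

def five_tuple(linktype, frame):   # (proto, src, dst, sport, dport) for IPv4 TCP/UDP, else None
    if linktype == LINKTYPE_ETHERNET:
        if frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
            return None
        frame = frame[14:]
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl, proto, frag_off = (frame[0] & 0x0F) * 4, frame[9], struct.unpack("!H", frame[6:8])[0] & 0x1FFF
    if proto not in PROTO or frag_off or len(frame) < ihl + 4:
        return None                     # non-first fragments carry no port numbers
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (12, 16))
    return (PROTO[proto], src, dst) + struct.unpack("!HH", frame[ihl:ihl + 4])

def summarize(data):   # packets per five-tuple from pcap bytes; memory stays flat
    counts = Counter()
    for linktype, frame in pcap_records(BytesIO(data)):
        if key := five_tuple(linktype, frame):
            counts[key] += 1
    return counts

def sample_pcap():   # constructed three-record capture (Ethernet/IPv4, headers only), not real traffic
    def frame(proto, src, dst, sport, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)
    frames = [frame(6, "10.0.0.1", "10.0.0.2", 40000, 22)] * 2 + [frame(17, "10.0.0.2", "10.0.0.1", 53, 40001)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1046505600 + i, 0, len(f), len(f)) + f
    return out
```

For a real file, replace BytesIO(data) with an open file object; the generator reads only one record at a time, so a million-packet capture costs no more memory than a three-packet one.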

