On Wed, Apr 11, 2018 at 08:45:40PM +0200, Paul de Weerd wrote:
> Hi Peter,

Hello Paul,

> I downloaded those exact two files from the same IP addresses and the
> signature verified OK for me:
> 
> [weerd@pom] $ ftp -4 https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/i 
> >
> Trying 193.156.26.18...
> Requesting 
> https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/install63.iso
> 100% |**************************************************|   339 MB 01:41    
> 355909632 bytes received in 101.67 seconds (3.34 MB/s)
> [weerd@pom] $ nBSD/snapshots/amd64/SHA256.sig                                 
> <
> Trying 193.156.26.18...
> Requesting
> https://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/SHA256.sig
> 100% |**************************************************|  2152 00:00    
> 2152 bytes received in 0.00 seconds (1.02 MB/s)
> [weerd@pom] $ sd-63-base.pub -x SHA256.sig install63.iso                      
> <
> Signature Verified
> install63.iso: OK
> 
> (Note that I forced IPv4 as IPv6 was rather slow for me, but both
> addresses match what your dig gave you).
> 
> So, some options:
> 
> Maybe you caught the mirror mid-update.  Perhaps a bit fell over due
> to cosmic radiation hitting your machine at the wrong moment,
> affecting a bit of RAM.  Maybe your storage medium is dying.
> 
> Could be various reasons why it failed; can you try again and see if
> it still fails?  Try also on another machine, if you have one around.
> I got WxAW3clMg3BLs/NBq58q9lMGlWFQLAOW5ToeltQlSyU= as a sha256 hash.
> 
> Cheers,
> 
> Paul 'WEiRD' de Weerd

So I re-downloaded this file on another machine.  It turned out to have your
checksum (sha256 -b) and upon downloading another SHA256.sig it signify'ed 
correctly.  But this leads me to ask questions:

1. doesn't the https mode ftp use some sort of authentication/integrity 
checking while it's downloading?  It's encrypted and anyone with a bit of
knowledge knows that if encryption is changed in-flight it will flip bits,
but with a MAC/HMAC/GMAC it should detect any anomalies.  Does ftp not check
for this?

2. I use quite recently a new unencrypted wifi network but I have IPSEC enabled
which uses aes-256 and auth hmac-sha2-256:

SAD:
esp tunnel from fd43:5602:29bd:16:0:dead:beef:16 to 
fd43:5602:29bd:16:0:dead:beef:1 spi 0x6ab04db8 auth hmac-sha2-256 enc aes-256
esp tunnel from fd43:5602:29bd:16:0:dead:beef:1 to 
fd43:5602:29bd:16:0:dead:beef:16 spi 0x780a14d0 auth hmac-sha2-256 enc aes-256

It is entirely possible that my IPSEC was off minutely and the gif tunnel 
inside it was not protected, but there was still the https...

3. The argument that this may have been modified by ftpmirror (or similar 
software) is good but I stat'ed the file and it's larger than what was 
downloaded by
us on the second try.  A cmp -l shows a lot of differences... here is the stat:
theta$ touch test
theta$ date
Wed Apr 11 21:45:16 CEST 2018
theta$ stat test
1034 8616981 -rw-r--r-- 1 pjp pjp 0 0 "Apr 11 21:45:15 2018" "Apr 11 21:45:15 
2018" "Apr 11 21:45:15 2018" 32768 0 0 test
theta$ stat install63.iso
1034 8616961 -rw-r--r-- 1 pjp pjp 34424768 355905536 "Apr 11 20:59:23 2018" 
"Apr 11 19:33:47 2018" "Apr 11 19:33:47 2018" 32768 695360 0 install63.iso

I did mount this iso with vnconfig is it possible that it was modified then?  
(and grew?).

4. Is it possible that there was an attack on the OpenBSD network 
infrastructure?

5. Or mine?

Best regards,
-peter

Reply via email to