Re: Bad performance with re(4)

2014-08-26 Thread Brent Cook
On Aug 25, 2014, at 11:37 AM, Chester T. Field  
wrote:

> Hi friends, 
> 
> I'm experiencing really poor network performance via the Realtek 8101E (re)
> Ethernet card on my HP Mini 110. Using the default setting of tcpbench
> I'm getting an average Mbps of 0.172 versus a compatible machine (Asus 
> Eee PC (alc)) where I'm getting 92.690 Mbps.
> 
> I suspect this class of card might just not be supported very well 
> or perhaps is just a big smelly meatball but I figured I'd ask in case
> someone has run into similar problems with this NIC. Any suggestions?

That sounds really familiar. I had a random sparc machine show very similar 
behavior with multiple operating systems. It turned out it did not like to play 
nicely with my gigabit switch and was constantly renegotiating link speed. I 
think it had something to do with the power efficient ethernet support.

I bought a new switch, and everything worked properly.


> OpenBSD 5.6-current (GENERIC.MP) #344: Sun Aug 24 16:18:23 MDT 2014
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> RTC BIOS diagnostic error 80
> real mem = 1044639744 (996MB)
> avail mem = 1008156672 (961MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe6c10 (20 entries)
> bios0: vendor Hewlett-Packard version "F.15" date 01/14/2011
> bios0: Hewlett-Packard HP Mini 110-3000
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP HPET APIC MCFG SLIC BOOT SSDT SSDT SSDT WDAT
> acpi0: wakeup devices PWRB(S4) LID0(S4) P32_(S4) UHC1(S3) UHC2(S3) ECHI(S3) 
> EXP1(S4) PXSX(S4) EXP2(S4) AZAL(S4) MODM(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Atom(TM) CPU N450 @ 1.66GHz, 1662.99 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF
> cpu0: 512KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
> cpu0: apic clock running at 166MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.2.0.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Atom(TM) CPU N450 @ 1.66GHz, 1662.68 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF
> cpu1: 512KB 64b/line 8-way L2 cache
> cpu1: smt 1, core 0, package 0
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 4
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 3 (P32_)
> acpiprt2 at acpi0: bus 1 (EXP1)
> acpiprt3 at acpi0: bus 2 (EXP2)
> acpiec0 at acpi0
> acpicpu0 at acpi0: C2, C1, PSS
> acpicpu1 at acpi0: C2, C1, PSS
> acpipwrres0 at acpi0: FN00
> acpitz0 at acpi0: critical temperature is 87 degC
> acpibtn0 at acpi0: PWRB
> acpibtn1 at acpi0: LID0
> acpibat0 at acpi0: BAT0 not present
> acpiac0 at acpi0: AC unit online
> acpivideo0 at acpi0: OVGA
> acpivout0 at acpivideo0: DD02
> cpu0: Enhanced SpeedStep 1662 MHz: speeds: 1666, 1333, 1000 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x00
> vga1 at pci0 dev 2 function 0 "Intel Pineview Video" rev 0x00
> intagp0 at vga1
> agp0 at intagp0: aperture at 0x4000, size 0x1000
> inteldrm0 at vga1
> drm0 at inteldrm0
> inteldrm0: 1024x600
> wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> "Intel Pineview Video" rev 0x00 at pci0 dev 2 function 1 not configured
> azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: msi
> azalia0: codecs: IDT/0x7667
> audio0 at azalia0
> ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: msi
> pci1 at ppb0 bus 1
> re0 at pci1 dev 0 function 0 "Realtek 8101E" rev 0x04: RTL8401E (0x2400), 
> msi, address 00:21:cc:50:2e:32
> rlphy0 at re0 phy 7: RTL8201L 10/100 PHY, rev. 1
> vendor "Realtek", unknown product 0x5288 (class undefined unknown subclass 
> 0x00, rev 0x01) at pci1 dev 0 function 1 not configured
> ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: msi
> pci2 at ppb1 bus 2
> athn0 at pci2 dev 0 function 0 "Atheros AR9285" rev 0x01: apic 4 int 17
> athn0: AR9285 rev 2 (1T1R), ROM rev 13, address 00:25:d3:d1:37:16
> uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: apic 4 int 16
> uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: apic 4 int 18
> uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: apic 4 int 17
> uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: apic 4 int 19
> ehci0 at pci0 dev 29 function 7 "Inte

Re: Panic on intensive browsing of WWW.

2014-11-06 Thread Brent Cook
On Nov 6, 2014, at 9:18 AM, Jakub Skrzypnik  wrote:
> 
> It may be probably look like a x-post from bugs@, but I just want to share
> my experience with users, not only with developers, maybe I just do
> something wrong or someone here have same problem.
> 
> So, problem is simple, but really annoying. When I do more intensive
> browsing of Web, using Conkeror, Firefox or Chromium, and I try to open
> lots of tabs, or some heavyweight websites, browser starts to increase a
> very intensive disk activity for 10 seconds and goes to panic, not just
> segfault. It's only done when I use browsers, probably not intented by
> network, because I can stream videos from youtube using mplayer very well,
> and also downloading of very large files works well. It's not even caused
> by login.conf limit, to be sure I set them to infinity.
> I'm very confused and maybe a bit depressed, because OpenBSD looks like an
> awesome operating system, so I'll plan to use it as regular OS, but that
> problem strongly disallows me to do regular activities here. But maybe I
> just do it wrong, or wasn't have set up something correctly.
> If you're interested about debugging, proper dmesg/ps/trace output is at
> bugs@, but among this, I'll appreciate any help or hints, or maybe someone
> here have that or related problem?
> 
> With regards,
> Jakub Skrzypnik
> 
> 
> Sorry for all language errors and fails, English is not my native language.
> 

Hi Jakub,

It would actually help us a lot if you updated to the latest snapshot. It
includes extra debug information that will help identify the root cause of
this issue, which appears to have cropped up only a few days ago.

A new 'panic' line from the latest build would be a useful datapoint:

panic: free: size too large 1881544 > 524288 (0x807b7000)



Re: Music On Console (MOC)

2014-12-11 Thread Brent Cook
I've used MOC quite a bit on OpenBSD, though just a local compile -
nothing fancy like a port. It's probably the only non-base program I
ever use on the Sparc 5.

What specifically is missing?

On Thu, Dec 11, 2014 at 8:00 PM, Richard Toohey
 wrote:
> Hi, guys.
>
> This might be more a question for ports@ but it is also a general "do you
> use it" question.
>
> I've been trying to help the MOC maintainer with testing changes on OpenBSD.
>
> He wants to use some newer POSIX features but it seems that if he does so,
> he'll have to leave OpenBSD behind.  I say "it seems" because I might have
> led him in the wrong direction.
>
> I'm definitely not the best person to advise him, so asking the general
> OpenBSD crowd if:
>
> (1) they use MOC or
> (2) have any interest in support for it on OpenBSD or
> (3) can help with the POSIX questions.
>
> The maintainer has asked the same question on a MOC forum:
>
> http://moc.daper.net/node/1369
>
> Thanks,
> Richard.



Re: Openbsd broke my hard drive twice! Getting frustrated

2014-12-22 Thread Brent Cook
On Mon, Dec 22, 2014 at 11:22 PM, Henrique Lengler
 wrote:
> On 2014-12-23 02:55, Eric Furman wrote:
>>
>> No. This is done by the BIOS.
>> After the computer boots the BIOS then hands over control to the OS.
>
>
> So this is the time the OS is able to do whatfuck it wants with my HDD, and
> so the OS has control over HDD. Right?
>
>> And yes, that is a gross over simplification of what actually happens.
>> There is no way that any OS can 'break' a hard drive.
>
>
> So why this happened when using OpenBSD?
> --
> Henrique Lengler
>

I forgot to CC the list in the reply, sorry for the duplication:

Sometimes vendors do not do extensive testing, and do things like
hardcode strings in the firmware to expect Windows or Linux. Here is
an article discussing a problem with a Lenovo Thinkcentre that only
worked with Windows, Redhat or Fedora:

http://mjg59.dreamwidth.org/20187.html

There have been a couple of reports similar to this one that were fixed
with a firmware update from the motherboard or system vendor. I would
presume the firmware basically crashes if it sees a boot code written
on the hard drive it does not expect, even if it follows the
standards:

http://marc.info/?t=13988430601&r=1&w=2

http://marc.info/?l=openbsd-misc&w=2&r=1&s=Axiomtek+NA570&q=b

I worked on a new-ish laptop recently that would not boot from a CD or
any non-Windows partition unless I first removed the hard drive,
entered the EFI/Bios setup, set a password, then disabled EFI secure
boot.



Re: Does portable NTPD use a drift file?

2015-01-20 Thread Brent Cook
On Tue, Jan 20, 2015 at 5:46 AM, John Long  wrote:
> Does portable NTPD use a drift file? I didn't see one in the previous
> version and a new install of 5.7p1 doesn't seem to have one either. I didn't
> see any discussion of a drift file in the manpage for ntpd nor for ntpd.conf
> in the portable version, though it is mentioned in the man pages for the
> OpenBSD version.

It is mentioned in the ntpd(8) man page at the bottom, though I should
fix the portable version to adjust the manpage to point where it
actually gets configured for installation. Some packagers have already
been patching this for their distributions. By default, it should get
written to:

LOCALSTATEDIR "/db/ntpd.drift"

which translates to $(prefix)/var/db/ntpd.drift

> Also, what is the purpose of /var/empty/ntp in the portable version? It's
> empty ;)

Thanks for bringing that up. This is a privilege-separation directory
that the unprivileged ntpd processes chroot to on startup. It is
intentionally empty and unwritable by the unprivileged processes.
Having this directory empty and unwritable prevents the processes from
having access to any files or file system privileges that they do not
need to do their jobs.

Since /var/empty might not exist, e.g. Debian does not provide it,
your OS's package may have altered the privilege separation user
directory to be somewhere else, like '/var/run/openntpd'. But, that
should also be empty and unwritable.

That said, I made a mistake in having the installer suggest using
/var/empty/ntp by default, since one may have other processes using
/var/empty for privilege separation. I'm changing the recommendation
to /var/empty for future releases.

Thanks,
  Brent
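
A check for the property described above (the privilege-separation directory must be empty and not writable by unprivileged users), as an added example that is not part of the original message or of OpenNTPD. The flag names and the root-ownership requirement are assumptions of this sketch; `/var/empty` is only the default path it audits.

```c
/* Added example, not OpenNTPD code: audit a privilege-separation directory. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Problem flags (hypothetical names); 0 means every check passed. */
enum {
    PRIVSEP_MISSING    = 1 << 0, /* path does not exist or cannot be examined */
    PRIVSEP_NOT_DIR    = 1 << 1, /* includes a symlink in place of the directory */
    PRIVSEP_NOT_ROOT   = 1 << 2, /* assumption: the directory should be root-owned */
    PRIVSEP_WRITABLE   = 1 << 3, /* group or other has write permission */
    PRIVSEP_NOT_EMPTY  = 1 << 4, /* something besides "." and ".." is inside */
    PRIVSEP_UNREADABLE = 1 << 5  /* could not list the directory to check emptiness */
};

int privsep_dir_audit(const char *path)
{
    struct stat st;
    struct dirent *de;
    DIR *dir;
    int problems = 0;

    /* lstat, not stat: a symlink must not be silently followed. */
    if (lstat(path, &st) == -1)
        return PRIVSEP_MISSING;
    if (!S_ISDIR(st.st_mode))
        return PRIVSEP_NOT_DIR;

    if (st.st_uid != 0)
        problems |= PRIVSEP_NOT_ROOT;
    /* Judge by mode bits, so the result does not depend on who runs the audit. */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        problems |= PRIVSEP_WRITABLE;

    dir = opendir(path);
    if (dir == NULL)
        return problems | PRIVSEP_UNREADABLE;
    while ((de = readdir(dir)) != NULL) {
        if (strcmp(de->d_name, ".") != 0 && strcmp(de->d_name, "..") != 0) {
            problems |= PRIVSEP_NOT_EMPTY;
            break;
        }
    }
    closedir(dir);
    return problems;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/var/empty";
    int p = privsep_dir_audit(path);

    if (p & PRIVSEP_MISSING)    printf("%s: missing\n", path);
    if (p & PRIVSEP_NOT_DIR)    printf("%s: not a directory\n", path);
    if (p & PRIVSEP_NOT_ROOT)   printf("%s: not owned by root\n", path);
    if (p & PRIVSEP_WRITABLE)   printf("%s: group/other writable\n", path);
    if (p & PRIVSEP_NOT_EMPTY)  printf("%s: not empty\n", path);
    if (p & PRIVSEP_UNREADABLE) printf("%s: cannot list contents\n", path);
    if (p == 0)                 printf("%s: ok\n", path);
    return p == 0 ? 0 : 1;
}
```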



Re: Does portable NTPD use a drift file?

2015-01-20 Thread Brent Cook
> On Jan 20, 2015, at 9:59 AM, John Long  wrote:
> 
>> though I should fix the portable version to adjust the manpage to
>> point where it actually gets configured for installation. Some packagers
>> have already been patching this for their distributions. By default, it
>> should get written to:
>> 
>> LOCALSTATEDIR "/db/ntpd.drift"
> 
> Thanks, this helps. It was there, just not where I wanted since I install
> addons in /usr/local. Unfortunately now that I fixed the build to use /var
> like everything else I see there is a problem because /var/db is only root
> writeable and I believe the _ntp user is the one trying to write the drift
> file. It would be unfortunate to have to create a whole directory hierarchy
> no matter how small just to have a place the _ntp user could write his drift
> file. I think I would even prefer /var/tmp to that. Any suggestions?

That's OK. Nothing will be written as the _ntp user. The unprivileged process 
instead sends a message to the privileged process, which actually does the 
writing of the drift file. You want it to be some place persistent, not 
/var/tmp.

Note that a new drift file is not written immediately on start, only after the 
proper frequency adjustment has been determined. That might take a long time 
depending on the stability of your system's clock (e.g. VMs) and how quickly 
time can be synced, etc. Give it an hour or ten :)

> 
>>> Also, what is the purpose of /var/empty/ntp in the portable version? It's
>>> empty ;)
>> 
>> Thanks for bringing that up. This is a privilege-separation directory
>> that the unprivileged ntpd processes chroot to on startup. It is
>> intentionally empty and unwritable by the unprivileged processes.
>> Having this directory empty and unwritable prevents the processes from
>> having access to any files or file system privileges that they do not
>> need to do their jobs.
>> 
>> Since /var/empty might not exist, e.g. Debian does not provide it,
>> your OS's package may have altered the privilege separation user
>> directory to be somewhere else, like '/var/run/openntpd'. But, that
>> should also be empty and unwritable.
> 
> Ok, this was also fixed, presumably, when I set localstatedir for the
> build. 

I think this might be more likely:

'make install' checks to see if you have a properly configured unprivileged 
user and gives instructions if none is found. If you already have one 
configured, it does not display the instructions again.

> /jl
> 
> -- 
> ASCII ribbon campaign ( ) Powered by Lemote Fuloong
> against HTML e-mail   X  Loongson MIPS and OpenBSD
>   and proprietary/ \http://www.mutt.org
> attachments /   \  Code Blue or Go Home!
> Encrypted email preferred  PGP Key 2048R/DA65BC04 



Re: 1U / 2 Computers? For redundant FW pair

2015-01-21 Thread Brent Cook
I think Dell used to have servers in its 'Cloud' line that fit 2
machines in 1U, though IIRC they were a little pricey. I couldn't find
them again when searching.

The HP SL2x170z server pulls off a similar feat - you can find several
on ebay, though it may be discontinued as well.

On Wed, Jan 21, 2015 at 6:31 AM, Alan McKay  wrote:
> I know that Supermicro has some interesting side-by-sides starting at
> 2U, but I'm not aware of anything in 1U.  Basically I'd like to have
> my redundant FW pairs take up less rack space.   I guess another
> option would be half-width 1U if anything like that exists, and
> install a rack shelf.
>
>
> --
> "Don't eat anything you've ever seen advertised on TV"
>  - Michael Pollan, author of "In Defense of Food"



Re: 1U / 2 Computers? For redundant FW pair

2015-01-21 Thread Brent Cook
I take back the HP suggestion, since it was pointed out these share a
lot of components between the servers as well.

This looks interesting, though it may be under-powered depending on your needs:

http://www.hacom.net/catalog/mars-ii-twin-blade-d525-pfsense-1u-server

With the right search terms, I found a number of other half-width 1u
servers designed for this application that may also be appropriate.
They seem to basically repackage mini ITX boards.

On Wed, Jan 21, 2015 at 7:50 AM, Brent Cook  wrote:
> I think Dell used to have servers in its 'Cloud' line that fit 2
> machines in 1U, though IIRC they were a little pricey. I couldn't find
> them again when searching.
>
> The HP SL2x170z server pulls off a similar feat - you can find several
> on ebay, though it may be discontinued as well.
>
> On Wed, Jan 21, 2015 at 6:31 AM, Alan McKay  wrote:
>> I know that Supermicro has some interesting side-by-sides starting at
>> 2U, but I'm not aware of anything in 1U.  Basically I'd like to have
>> my redundant FW pairs take up less rack space.   I guess another
>> option would be half-width 1U if anything like that exists, and
>> install a rack shelf.
>>
>>
>> --
>> "Don't eat anything you've ever seen advertised on TV"
>>  - Michael Pollan, author of "In Defense of Food"



Re: Routing tables and pf rules with using 2 DHCP WAN interfaces ...

2014-08-04 Thread Brent Cook
On Aug 4, 2014, at 1:39 PM, Christophe  wrote:

> Hi misc@,
> 
> I was wondering about the behavior of OpenBSD in this case (not a
> production case at this time).
> 
> 2 WAN interfaces (Ethernet / IPv4 DHCP) , linked to an OpenBSD box and 1
> LAN interface (Ethernet / IPv4 static address)
> 
> WAN1 (em0 DHCP) -
> |--- OpenBSD - LAN (em2 static)
> WAN2 (em1 DHCP) -
> 
> DHCP is providing a default gateway for the 2 WAN interfaces (and can
> potentially change).
> 
> First of all :
> If only "dhcp" is specified in /etc/hostname.em[0|1] files, which of
> these interfaces will provide the default gateway ? Is there a
> precedence in this case ?
> 
> Otherwise, is there anyway to specify a routing table in /etc/hostname.X
> while using DHCP ?
> Second question :
> I used to write route-to and reply-to rules in pf.conf in a static context.
> As far as I've seen, there are modifiers on interface specifications
> like :network or :peer. But is there a :gateway or something similar
> telling pf to use the defaut gateway learned by DHCP on the specified
> interface ?
> 

I was just reading this article, which I think provides a different take on 
what I think you're trying to do. It uses ifstated to adjust pf rules 
dynamically based on usability of the WAN interfaces, load-balancing outbound 
connections between the two gateways as well:

https://www.geeklan.co.uk/?p=1564


> Thanks and regards,
> Christophe.



Re: Generating random.seed for network boot clients

2014-08-16 Thread Brent Cook
This is starting to remind me of Ubuntu's pollen/pollinate services.


On Sat, Aug 16, 2014 at 11:31 AM, Theo de Raadt 
wrote:

> I wonder if there would be some benefit to faking these files from inside
> the tftp daemon itself..



Re: Puzzling broadband issue

2016-01-19 Thread Brent Cook
On Tue, Jan 19, 2016 at 12:36 PM,   wrote:
> (i) a. With both Linux or Windows all downloads tend to hover around 100 KB/s 
> on a 50 Mb/s cable Internet connection
> b. if I run a processor intensive program while downloading (typically at the 
> moment a video of a burning fireplace) then the download rate starts to 
> return to normal
> c. if I am using some sort of encryption (SSH forwarding, OpenVPN) then there 
> will be a short burst of speed close to the full bandwidth at the start of 
> the download before falling back to circa. 100 KB/s
>
> ii) However whenever I have in the past booted up and configured an OpenBSD 
> install then the full 50MiB/s download speed is available without any issues.
> Can anyone make any sense of the above - why should there be no problems with 
> OpenBSD?
>
> This all happens on an old Compaq Presario C500EA - 
> http://support.hp.com/us-en/product/Compaq-Presario-C500-Notebook-PC-series/3318986/model/3357395/document/c00843649/
>
> I appreciate this is not an OpenBSD issue, but I figured if there was anyone 
> who could figure this one out this would probably be the place to ask.
>

Maybe your switch or cable router have rather shallow buffers, and are
not able to absorb the amount of data that your NIC is sending without
backpressure, which leads to a see-saw in performance. Some drivers
will send way more data to the NIC in a burst than they should.

This is a total shot in the dark, but try disabling TCP segmentation
offload in Linux, e.g. ethtool -K eth0 tx off sg off tso off

I'd also look at your network stack and ethernet driver stats to see
if there are any errors accumulating, e.g. retries, bad MTU, etc.



Re: OpenNTP features

2016-03-18 Thread Brent Cook
> On Mar 16, 2016, at 6:23 AM, Gabor Juhasz  wrote:
>
> Hi All,
>
> In our IoT project we have to select an NTPd for our embedded device
> in order it can have accurate time.
> It uses 3G/4G mobile net. Of course the net is expensive so we have to
> reduce the
> network usage. Currently we have 2 candidates : OpenNTPd and Chrony.
>
> In OpenNTP (5.7p4)  we are missing some features and we are looking
> for some solutions
> or workarounds to provide them. Do you have any idea how to do it with
> OpenNTPd :
>
> * Maxchange
> Maximum allowed offset corrected on a clock update. If the delta is
> bigger ntpd exits.

I think you need to explain more about why you need this. I can guess, but
that's not necessarily solving your problem.

So hypothetically, you have a device that might have a big initial delta on
boot, but might not have network access within the first 15 seconds of
starting ntpd. Is that why simply using 'ntpd -s' at startup is not enough for
this case? How would you know to trust any big jumps from NTP servers later
on? Is your proposal to still only allow for a one-time initial setting
(basically, make -s active forever until the time is initially set)?
Otherwise, this opens a big hole.

http://www.slideshare.net/jselvi/breaking-ssl-51430174


> * Polltime
> maxpoll /minpoll : setting the minimum/maximum polling interval
>
> * Offline mode
> You tell the ntpd that network is not available. So it will not keep
> trying to connect to ntp servers.
>
> Kind regards,
> Gabor Juhasz



Re: libcrypto errata

2016-05-20 Thread Brent Cook
Thanks for the report Jorge.

Yes, that looks like a bug. The outer read loop is missing
in asn1_d2i_read_bio, truncating the reads to ASN1_CHUNK_INITIAL_SIZE
(16k). Will get a patch going to resolve it.



On Wed, May 18, 2016 at 3:19 PM, Jorge Luiz Silva Peixoto <
jorge.peix...@gmail.com> wrote:

> Hello folks!
>
> I applied 005_crypto patch on OpenBSD 5.9 -release.
>
> After that, I get an error if I run:
> $ openssl crl -in acserprorfbv3.crl -inform DER
> unable to load CRL
> 19710855970772:error:0D07809F:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:unexpected
>
> eoc:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/tasn_dec.c:368:Type=X509_REVOKED
> 19710855970772:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
>
> error:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/tasn_dec.c:621:Field=revoked,
> Type=X509_CRL_INFO
> 19710855970772:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
>
> error:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/tasn_dec.c:653:Field=crl,
> Type=X509_CRL
>
> OpenBSD 5.9 is shipped with LibreSSL 2.3.2. The error above also
> happens with the latest version (2.3.4).
>
> The command runs nicely when using OpenSSL 1.0.2h.
>
> All tests were done on the same system: OpenBSD 5.9 GENERIC.MP amd64.
>
> The certificate revocation list used in this test can be fetched here
> -> http://ccd.serpro.gov.br/lcr/acserprorfbv3.crl
>
> Regards,
> Jorge Peixoto
>
>
> 2016-05-03 11:32 GMT-03:00 Ted Unangst :
> > OpenSSL announced several issues today that also affect LibreSSL.
> >
> > - Memory corruption in the ASN.1 encoder (CVE-2016-2108)
> > - Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
> > - EVP_EncodeUpdate overflow (CVE-2016-2105)
> > - EVP_EncryptUpdate overflow (CVE-2016-2106)
> > - ASN.1 BIO excessive memory allocation (CVE-2016-2109)
> >
> > Thanks to OpenSSL for providing information and patches.
> >
> > Refer to https://www.openssl.org/news/secadv/20160503.txt
> >
> > Patches for OpenBSD are available:
> >
> >
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/005_crypto.patch.sig
> >
> >
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/013_crypto.patch.sig
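
The failure mode described in the reply above, as an added example that is not LibreSSL's code: a reader that grows its buffer in chunks instead of trusting the claimed length, shown once without the outer loop and once with it. The `mem_src` and `grow_buf` types, the function names, the doubling chunk size and the 40000-byte sample are all constructed for this sketch; only the 16k initial chunk comes from the message.

```c
/* Added example, not LibreSSL code: chunked reads with and without the outer loop. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_INITIAL_SIZE (16 * 1024)   /* the 16k figure from the message */

/* Constructed in-memory input standing in for a BIO; returns short reads. */
struct mem_src { const unsigned char *data; size_t len, pos, max_per_read; };
struct grow_buf { unsigned char *p; size_t len, cap; };
struct demo_result { int rc; size_t len, cap; };

static size_t src_read(struct mem_src *s, unsigned char *out, size_t n)
{
    size_t left = s->len - s->pos;
    if (n > s->max_per_read) n = s->max_per_read;
    if (n > left) n = left;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;                            /* 0 means end of input */
}

/* Inner loop: grow by exactly n bytes and read until they have all arrived. */
static int fill(struct mem_src *s, struct grow_buf *b, size_t n)
{
    if (b->len + n > b->cap) {
        unsigned char *np = realloc(b->p, b->len + n);
        if (np == NULL) return -1;
        b->p = np;
        b->cap = b->len + n;
    }
    while (n > 0) {
        size_t got = src_read(s, b->p + b->len, n);
        if (got == 0) return -1;         /* input ended before the claimed length */
        b->len += got;
        n -= got;
    }
    return 0;
}

/* Defective form: one chunk, then success, so b->len can be less than want. */
int read_body_no_outer_loop(struct mem_src *s, size_t want, struct grow_buf *b)
{
    return fill(s, b, want < CHUNK_INITIAL_SIZE ? want : CHUNK_INITIAL_SIZE);
}

/* Corrected form: the outer loop repeats chunk by chunk until want is met.
 * Memory is committed only as data arrives, so a bogus length costs one chunk. */
int read_body_chunked(struct mem_src *s, size_t want, struct grow_buf *b)
{
    size_t chunk = CHUNK_INITIAL_SIZE;
    while (want > 0) {
        size_t n = want < chunk ? want : chunk;
        if (fill(s, b, n) != 0) return -1;
        want -= n;
        if (chunk <= SIZE_MAX / 2) chunk *= 2;   /* assumption: double each pass */
    }
    return 0;
}

static unsigned char sample[40000];      /* constructed body, contents irrelevant */

/* Read `claimed` bytes from an input that really holds `available` bytes. */
struct demo_result run_demo(int with_outer_loop, size_t claimed, size_t available)
{
    struct mem_src s = { sample, 0, 0, 4096 };
    struct grow_buf b = { NULL, 0, 0 };
    struct demo_result r;

    s.len = available < sizeof sample ? available : sizeof sample;
    r.rc = with_outer_loop ? read_body_chunked(&s, claimed, &b)
                           : read_body_no_outer_loop(&s, claimed, &b);
    r.len = b.len;
    r.cap = b.cap;
    free(b.p);
    return r;
}

int main(void)
{
    struct demo_result a = run_demo(0, 40000, 40000);
    struct demo_result c = run_demo(1, 40000, 40000);
    struct demo_result d = run_demo(1, (size_t)1 << 30, 100);

    printf("no outer loop: rc=%d, got %zu of 40000 bytes\n", a.rc, a.len);
    printf("outer loop:    rc=%d, got %zu of 40000 bytes\n", c.rc, c.len);
    printf("claimed 1 GiB, 100 bytes present: rc=%d, allocated %zu\n", d.rc, d.cap);
    return 0;
}
```

The first case reports success with a truncated body, which is the condition a downstream parser then trips over; the third shows why the chunking is there at all.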



Re: github

2016-08-10 Thread Brent Cook
On Mon, Aug 8, 2016 at 7:56 PM, David Schmidt 
wrote:

> Nick Holland wrote:
> >Nowhere on the OpenBSD website mentions github as anything official.
>
> It does on this page: https://www.openbsd.org/libressl/. It's even
> above the cvs link. Of course this is just for libressl not for the
> rest of openbsd.
>
>
We use github as a mirror for LibreSSL-portable and OpenNTPD-portable too.
It's not unlike the official python github mirror, which is synced from
that project's Mercurial repo: https://github.com/python/cpython

If you have patches for the openbsd@ side of these projects, it is best to
just email them to tech@, since the OpenBSD devs only have so many places
they will look for patches on a regular basis. Using git format-patch,
send-email or similar work well in my experience.

On the 'portable' side, github PRs are fine, since I'm using git natively
and can fetch from the github mirror directly.



Re: can't find fstab entry ?

2016-09-10 Thread Brent Cook
You forgot to put 'rw', 'ro', or 'rq' as the first element of the options
column (where you had the undefined word 'defaults').

If you don't include one of these options as indicated in the man page and
all of its examples, the fstab line will be ignored entirely in OpenBSD.
This is slightly different behavior than Linux, where invalid lines are not
discarded, but instead passed all the way to the mount command, to show a
different kind of error:

E.g., if I gave linux this:

  10.10.10.10:/mnt  /mnt nfs nodev,nosuid,softdep 0 0

I'd get this:

  mount.nfs: an incorrect mount option was specified

The Linux manpage has almost the same warning about what should be in this
field. The only difference is Linux mount has a 'defaults' alias that means
'rw, suid, dev, exec, auto, nouser, and async', and doesn't really make
sense mixed with any other options on Linux either.


On Sat, Sep 10, 2016 at 7:05 AM, Bob Jones <
r.a.n.d.o.m.d.e.v.4+openbsdm...@gmail.com> wrote:

> And as I said in my reply to him and the list, I removed those options and
> it's still broken.
>
> On Thursday, 8 September 2016, Otto Moerbeek  wrote:
>
> > On Thu, Sep 08, 2016 at 02:46:03PM +0100, Bob Jones wrote:
> >
> > > Soany one care to give a more sensible suggestion than Theo's
> > > unnecessary anti-Linux rant ??
> >
> > He gave you a clue. You are using options that do not exist on OpenBSD.
> > See mount(8)
> >
> > -Otto
> >
> >
> > >
> > > On Monday, 5 September 2016, Theo de Raadt  > > wrote:
> > >
> > > > > OpenBSD 6.0 GENERIC.MP#0 amd64
> > > > >
> > > > > My fstab entry looks like :
> > > > >
> > > > > 10.10.10.10:/srv/share /mnt/ops_test nfs
> > defaults,noexec,nosuid,nodev,auto
> > > > 0 0
> > > > >
> > > > > However:
> > > > >
> > > > > $ doas mount /mnt/ops_test
> > > > > doas (m...@example.com  ) password:
> > > > > mount: can't find fstab entry for /mnt/ops_test
> > > > >
> > > > >
> > > > > Any ideas  ?  That style of fstab entry seems to work fine on my
> > linux
> > > > > boxes (albeit with nfs4 instead of nfs, but that makes no
> difference
> > > > > on openbsd).
> > > >
> > > > Well, openbsd is not linux.
> > > >
> > > > Have no idea what that word "defaults" in there means.



Re: LibreSSL Portable compilation problem on Mac OS X

2015-04-07 Thread Brent Cook
> On Apr 7, 2015, at 11:00 AM, Hrishikesh Murukkathampoondi  
> wrote:
> 
> Hi
> 
> I got LibreSSL portable from https://github.com/libressl-portable/portable
> 
> 
> I get the following error when trying to compile on Mac OS X Yosemite (ie I
> executed autogen.sh which in turn called autoreconf)

The path to aclocal seems to point to /Developer, do you have a really old 
version of xcode installed? I think the /Developer directory went away in Xcode 
4.3, right?

I use the latest versions of automake/autoconf, which are automake 1.15, 
autoconf 2.69 as supplied with Mac homebrew, and the libtool supplied with 
Xcode 6.2. You probably just need a newer version of autoconf and automake in 
your path. I've tested with Xcode 5 as well, but always prefer the latest 
automake/autoconf.


> ---
> 
> Zeppelin:libressl hrishi$ ./autogen.sh
> pulling upstream openbsd source
> Already on 'master'
> Your branch is up-to-date with 'origin/master'.
> Current branch master is up to date.
> libcrypto version 32:0:0
> libssl version 32:0:0
> libtls version 3:1:0
> copying libcrypto source
> generating ASM source for elf
> generating ASM source for macosx
> copying libtls source
> copying openssl(1) source
> copying libssl source
> copying tests
> copying manpages
> main::scan_file() called too early to check prototype at
> /Developer//usr/bin/aclocal line 607.
> main::scan_file() called too early to check prototype at
> /Developer//usr/bin/aclocal line 607.
> autom4te: m4sugar/m4sugar.m4: no such file or directory
> aclocal: /Developer//usr/bin/autom4te failed with exit status: 1
> autoreconf: aclocal failed with exit status: 1
> Zeppelin:libressl hrishi$
> 
> —
> 
> Is this a known issue ? Is there a work around?
> 
> Thanks
> Hrishi



Re: chacha20 cipher_algbits is 0

2015-05-25 Thread Brent Cook
On Mon, May 25, 2015 at 3:26 PM, Philip Guenther  wrote:
> On Mon, May 25, 2015 at 6:57 AM, Tim Kuijsten  wrote:
>> Since I'm running postfix with LibreSSL, some clients encrypt the connection
>> using ECDHE-RSA-CHACHA20-POLY1305. Now I'm used to seeing headers like
>> "using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)" . But
>> these ChaCha20 headers look like "using TLSv1.2 with cipher
>> ECDHE-RSA-CHACHA20-POLY1305 (256/0 bits)". I'm wondering what the 0 part in
>> 256/0 bits mean. I've read it's "the number of bits actually used" vs. "the
>> number of bits the algorithm is based on", but this sounds confusing to me.
>> Can someone maybe clarify?
>
> Seems like an oversight.  The apparent meaning of that field seems to
> be "how many bits is the key used by the algorithm", which is 256 for
> these.  Diff to update that below.
>
> It's basically a pointless measure and I suspect it's logged and
> recorded by programs as a historical accident.  The strength bits tell
> you something about resistance to (some types of) attacks, but how
> would knowing how many bits the source had to feed into the cipher
> change your behavior?  

This appears to have been copied from the original BoringSSL
implementation, which indicates '0' here as well. You'd have to ask
Adam Langley if there was a purpose behind it, but this seems fine to
me. ok bcook@

>
> Philip Guenther
>
>
> Index: s3_lib.c
> ===
> RCS file: /data/src/openbsd/src/lib/libssl/src/ssl/s3_lib.c,v
> retrieving revision 1.95
> diff -u -p -r1.95 s3_lib.c
> --- s3_lib.c8 Feb 2015 22:06:49 -   1.95
> +++ s3_lib.c25 May 2015 20:09:32 -
> @@ -1820,7 +1820,7 @@ SSL_CIPHER ssl3_ciphers[] = {
> .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
> SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
> .strength_bits = 256,
> -   .alg_bits = 0,
> +   .alg_bits = 256,
> },
>
> /* Cipher CC14 */
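
Review bot: the .alg_bits = 256 line in this entry changes a value that callers print as-is, so the header quoted earlier in the thread goes from "256/0 bits" to "256/256 bits" for this cipher; the commit message should say that the logged string changes. A short comment beside the field stating that it records the key length, as described above the diff, would also help, since nothing in the visible entry explains why it now equals .strength_bits.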
> @@ -1837,7 +1837,7 @@ SSL_CIPHER ssl3_ciphers[] = {
> .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
> SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
> .strength_bits = 256,
> -   .alg_bits = 0,
> +   .alg_bits = 256,
> },
>
> /* Cipher CC15 */
> @@ -1854,7 +1854,7 @@ SSL_CIPHER ssl3_ciphers[] = {
> .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
> SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
> .strength_bits = 256,
> -   .alg_bits = 0,
> +   .alg_bits = 256,
> },
>  #endif
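
Review bot: this is the third entry given the same one-line .alg_bits edit, and the #endif in the trailing context shows the entries sit inside a conditional block, so the fix only exists in builds where that block is compiled. Consider a regression check, built under the same condition, that walks ssl3_ciphers[] and flags any entry with a non-zero .strength_bits and .alg_bits == 0; it would cover these three and catch a later entry copied from the old value.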



Re: openntpd portable sync fails

2015-05-29 Thread Brent Cook
> On May 29, 2015, at 11:51 AM, jungle Boogie  wrote:
> 
> Hello All,
> 
> Running openntpd portable version 5.7 without HTTPS constraint, like I
> have been doing for many months now, but upon rebooting, a machine
> can't sync:

The ntpdate command is not a part of openntpd.

'ntpctl all' would show information about the state of openntpd and its peers.

> % ntpdate -d hank
> 29 May 09:37:10 ntpdate[39781]: ntpdate 4.2.4p5-a (1)
> transmit(192.168.0.14)
> receive(192.168.0.14)
> transmit(192.168.0.14)
> receive(192.168.0.14)
> transmit(192.168.0.14)
> receive(192.168.0.14)
> transmit(192.168.0.14)
> receive(192.168.0.14)
> transmit(192.168.0.14)
> 192.168.0.14: Server dropped: Leap not in sync
> server 192.168.0.14, port 123
> stratum 3, precision -29, leap 11, trust 000
> refid [192.168.0.14], delay 0.02574, dispersion 0.0
> transmitted 4, in filter 4
> reference time:d91313a4.69eeb7ff  Fri, May 29 2015  9:34:44.413
> originate timestamp: d9131436.716697ff  Fri, May 29 2015  9:37:10.442
> transmit timestamp:  d9131436.712cd40d  Fri, May 29 2015  9:37:10.442
> filter delay:  0.02585  0.02576  0.02574  0.02576
> 0.0  0.0  0.0  0.0
> filter offset: 0.000820 0.000801 0.000802 0.000805
> 0.00 0.00 0.00 0.00
> delay 0.02574, dispersion 0.0
> offset 0.000802
> 
> 29 May 09:37:10 ntpdate[39781]: no server suitable for synchronization found
> 
> Same messages here:
> % ntpdate hank
> 29 May 09:38:11 ntpdate[39783]: no server suitable for synchronization found
> 
> % ntpdate -u hank
> 29 May 09:38:39 ntpdate[39785]: no server suitable for synchronization found
> 
> 
> On hank, I see this connection:
> _ntp ntpd   2021  7  udp4   192.168.0.14:123  *:*
> _ntp ntpd   2021  10 udp4   127.0.0.1:123 *:*
> _ntp ntpd   2021  14 udp4   192.168.0.14:61375 192.241.209.150:123
> _ntp ntpd   2021  15 udp4   192.168.0.14:19628 108.61.194.85:123
> _ntp ntpd   2021  16 udp4   192.168.0.14:34155 70.35.113.44:123
> _ntp ntpd   2021  17 udp4   192.168.0.14:43924 129.6.15.30:123
> 
> 
> ntpd file is nothing special:
> % cat /usr/local/etc/ntpd.conf
> # sample ntpd configuration file, see ntpd.conf(5)
> 
> # Addresses to listen on (ntpd does not listen by default)
> listen on *
> 
> # sync to a single server
> #server ntp.example.org
> 
> # use a random selection of NTP Pool Time Servers
> # see http://support.ntp.org/bin/view/Servers/NTPPoolServers
> server 0.pool.ntp.org
> server 1.pool.ntp.org
> server 2.pool.ntp.org
> server 3.pool.ntp.org
> 
> Even running ntpdate to adjust time fails:
> % ntpdate 0.pool.ntp.org
> 29 May 09:44:43 ntpdate[2031]: no server suitable for synchronization found
> 
> But when running:
> % ntpdate -d 0.pool.ntp.org
> 
> its final output adjusts the time:
> 29 May 09:49:23 ntpdate[2041]: adjust time server 192.241.209.150
> offset -0.003387 sec
> 
> 
> Any ideas what prevents openntpd from syncing?
> 
> 
> -- 
> ---
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info
> xmpp: jungle-boo...@jit.si



Re: Problem building OpenSMTPD 5.7.1-rc1 so that /usr/sbin/smtpd links to LibreSSL 2.2.0 /usr/local/lib/libssl.so.32.0 library

2015-06-29 Thread Brent Cook
On Mon, Jun 29, 2015 at 4:38 PM, Seth  wrote:
> Build environment:
>
> OpenBSD 5.7-release (x64) with all latest patches applied via Mtier openup
> utility.
> LibreSSL 2.2.0
> OpenSMTPD 5.7.1-rc1
>
> I'm having difficulty getting OpenSMTPD 5.7.1-rc1 to build and link the
> /usr/sbin/smtpd binary to the proper /usr/local/lib/libssl.so.32.0 library
> provided by LibreSSL 2.2.0. Only the libcrypto library is being linked.
>
> $ ldd /usr/sbin/smtpd|grep -E "lib(ssl|crypto)"
> 1b5dca38c000 1b5dca7eb000 rlib 01   0
> /usr/lib/libssl.so.32.0
> 1b5d18179000 1b5d18749000 rlib 01   0
> /usr/local/lib/libcrypto.so.33.0

Does it help anyone to give LibreSSL portable an option to build with
an alternate library name like libssl2 / libcrypto2 that can then be
linked to explicitly?

Something like the discussion here under "4.3. Multiple libraries
versions": https://autotools.io/libtool/version.html

I've been asked a few times by older Linux distros to provide a way
for them to similarly bundle LibreSSL and OpenSSL.

> I ran into this problem earlier with the OpenSMTPD 5.4.4 release on an
> OpenBSD 5.6 system patched with LibreSSL 2.1.4. I found a successful
> workaround by using the following flags with make
>
> $ sudo CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib make
>
> This time around, the same trick is only 50% successful, as detailed by the
> ldd results earlier.
>
> I brought this up with OpenSMTPD developer gilles@ [1] and he suggested I
> ask on misc@ for suggestions.
>
>
> [1] = gilles@ response ===
>
> I was kinda puzzled then miod@ clarified for me, /usr/lib has priority
> over /usr/local/lib, if a lib is available in both the one in /usr/lib
> is the one used.
>
> Small snippet from cc(1):
>
>The directories searched include several standard system
>directories *plus* any that you specify with -L.
>
> It is an environment/host issue, I do not know if it can be fixed with
> a build option at this point, it needs investigating, I honestly don't
> have a clue if it can be worked-around.
>
> I suggest you ask on misc@openbsd.org for suggestions on how to do it,
> if it has worked in the past then the ld.so people may have changed it
> because our Makefile certainly has not changed.
>
> In the meantime, you can work around at runtime using LD_LIBRARY_PATH:
>
> $ ldd smtpd/smtpd|grep -E "lib(ssl|crypto)"
> 1d2e3b43c000 1d2e3b89b000 rlib 01   0
> /usr/lib/libssl.so.32.0
> 1d2e52d38000 1d2e53308000 rlib 02   0
> /usr/lib/libcrypto.so.33.0
> $ LD_LIBRARY_PATH=/usr/local/lib ldd smtpd/smtpd|grep -E "lib(ssl|crypto)"
> 141edd36f000 141edd7ce000 rlib 01   0
> /usr/local/lib/libssl.so.32.0
> 141fb51a 141fb577 rlib 02   0
> /usr/local/lib/libcrypto.so.33.0
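
A check for the mismatch shown in the ldd output above, as an added example that is not part of the original thread: it reads ldd output and reports whether libssl and libcrypto resolve from different directories. The function names and the sample rows are assumptions constructed for illustration.

```shell
# Print "<name> <directory>" for each libssl/libcrypto path found on stdin.
# Every field is scanned, so the path may end the row or sit on its own
# line, as it does in the wrapped output quoted in this thread.
tls_lib_dirs() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ "^/.*/lib(ssl|crypto)[.]so") {
                n = split($i, parts, "/")
                name = parts[n]
                sub("[.]so.*", "", name)      # libssl.so.32.0 -> libssl
                dir = $i
                sub("/[^/]*$", "", dir)       # strip the file name
                print name, dir
            }
        }
    }'
}

# Exit status: 0 = same directory, 1 = mixed, 2 = one library not found.
check_tls_lib_mix() {
    dirs=$(tls_lib_dirs)
    ssl_dir=$(printf '%s\n' "$dirs" | awk '$1 == "libssl" { print $2; exit }')
    crypto_dir=$(printf '%s\n' "$dirs" | awk '$1 == "libcrypto" { print $2; exit }')
    if [ -z "$ssl_dir" ] || [ -z "$crypto_dir" ]; then
        echo "libssl or libcrypto not found in ldd output" >&2
        return 2
    fi
    if [ "$ssl_dir" != "$crypto_dir" ]; then
        echo "MIXED: libssl from $ssl_dir, libcrypto from $crypto_dir"
        return 1
    fi
    echo "OK: libssl and libcrypto both from $ssl_dir"
    return 0
}

# Constructed sample rows modelled on the ldd output quoted above.
SAMPLE_MIXED='1b5dca38c000 1b5dca7eb000 rlib 0 1 0 /usr/lib/libssl.so.32.0
1b5d18179000 1b5d18749000 rlib 0 1 0 /usr/local/lib/libcrypto.so.33.0'
SAMPLE_LOCAL='141edd36f000 141edd7ce000 rlib 0 1 0
/usr/local/lib/libssl.so.32.0
141edd36f000 141edd7ce000 rlib 0 2 0
/usr/local/lib/libcrypto.so.33.0'

printf '%s\n' "$SAMPLE_MIXED" | check_tls_lib_mix || true
printf '%s\n' "$SAMPLE_LOCAL" | check_tls_lib_mix
```

On a real system the input would come from `ldd /usr/sbin/smtpd | check_tls_lib_mix`, run once with and once without LD_LIBRARY_PATH set.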



Re: OpenNTPD - no constraint reply - no time sync

2015-07-18 Thread Brent Cook
On Thu, May 28, 2015 at 5:24 PM, Mikolaj Kucharski
 wrote:
> Hi,
>
> I've initially reported this problem a while ago and I thought problem
> was related to IPv6. Now I believe it is not. I did some research and
> this is what I've found. I contacted Reyk a couple of days ago, but didn't
> get any reply from him yet, so decided to post here.
>
> I'm using OpenNTPD's constraint from the time it was introduced. However
> I found that ntpd(8) often is getting stuck at the very beginning when
> it starts and never recovers from that scenario. Usually it looks as
> follows when you hit the problem:
>
> # ntpctl -sa
> 0/4 peers valid, clock unsynced
>
> peer
>wt tl st  next  poll  offset   delay  jitter
> 87.232.1.41 0.pool.ntp.org
> 1  2  -0s0s  peer not valid 
> 54.171.104.100 1.pool.ntp.org
> 1  2  -0s0s  peer not valid 
> 193.1.193.157 2.pool.ntp.org
> 1  2  -0s0s  peer not valid 
> 85.91.1.180 3.pool.ntp.org
> 1  2  -0s0s  peer not valid 
>
> All counters are zero and all peers are not valid. For me it usually
> stays like that and never recovers until rcctl restart ntpd. Then often
> it fails like above again. Multiple restarts in a row solve the problem.
>
> I did some debug modifications to ntpd and this is what I've found.
> I'm running my tests on:
>
> # sysctl -n kern.version
> OpenBSD 5.7-current (GENERIC) #955: Thu May 28 13:09:53 MDT 2015
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
>
> and to keep IPv6 out of the picture I have following settings in resolv.conf:
>
> # grep -w family /etc/resolv.conf
> family inet4
>
> The ntpd server itself is configured as follows:
>
> # grep -ve '^#' /etc/ntpd.conf
> server 0.pool.ntp.org
> server 1.pool.ntp.org
> server 2.pool.ntp.org
> server 3.pool.ntp.org
> constraints from www.google.com
>
> I'm running debug version of ntpd as follows:
>
> ./ntpd.debug -vd 2>&1 | ts
>
> Here is example debug session when I hit the issue. Lines which contain
> XXX MK are added by me via log_debug():
>
> May 28 23:25:54 ntp engine ready
> May 28 23:25:54 XXX MK STATE_NONE=0
> May 28 23:25:54 XXX MK STATE_DNS_INPROGRESS=1
> May 28 23:25:54 XXX MK STATE_DNS_TEMPFAIL=2
> May 28 23:25:54 XXX MK STATE_DNS_DONE=3
> May 28 23:25:54 XXX MK STATE_QUERY_SENT=4
> May 28 23:25:54 XXX MK STATE_REPLY_RECEIVED=5
> May 28 23:25:54 XXX MK STATE_INVALID=6
> May 28 23:25:54 XXX MK ntp_main() constraint_cnt=0, constraint_median=0
> May 28 23:25:54 XXX MK client_query() start
> May 28 23:25:54 XXX MK client_query() start
> May 28 23:25:54 XXX MK client_query() start
> May 28 23:25:54 XXX MK client_query() start
> May 28 23:25:54 XXX MK constraint_query() starts state=1
> May 28 23:25:54 XXX MK constraint_query() fail with default?
> May 28 23:25:54 XXX MK ntp_main() function constraint_query() returned -1
> May 28 23:25:54 XXX MK ntp_main() about to loop with control_dispatch_msg() 
> and j=3 i=3 nfds=1
> May 28 23:25:54 XXX MK ntp_main() about to loop with 
> constraint_dispatch_msg() and j=3 i=3 nfds=1
> May 28 23:25:54 XXX MK ntp_main() constraint_cnt=0, constraint_median=0
> May 28 23:25:54 XXX MK constraint_query() starts state=1
> May 28 23:25:54 XXX MK constraint_query() fail with default?
> May 28 23:25:54 XXX MK ntp_main() function constraint_query() returned -1
> May 28 23:25:55 XXX MK ntp_main() about to loop with control_dispatch_msg() 
> and j=3 i=3 nfds=0
> May 28 23:25:55 XXX MK ntp_main() about to loop with 
> constraint_dispatch_msg() and j=3 i=3 nfds=0
> May 28 23:25:55 XXX MK ntp_main() constraint_cnt=1, constraint_median=0
> May 28 23:25:55 XXX MK constraint_query() starts with 216.58.208.68 state=3
> May 28 23:25:55 constraint request to 216.58.208.68
> May 28 23:25:55 XXX MK constraint_query() succeeded?
> May 28 23:25:55 XXX MK httpsdate_query() with 216.58.208.68
> May 28 23:25:55 XXX MK httpsdate_init() with 216.58.208.68
> May 28 23:25:55 XXX MK httpsdate_request() with 216.58.208.68 port 443
> May 28 23:25:55 XXX MK httpsdate_request() date from 216.58.208.68 is Date: 
> Thu, 28 May 2015 22:25:56 GMT
> May 28 23:25:55 XXX MK httpsdate_request() success from 216.58.208.68
> May 28 23:25:55 XXX MK httpsdate_query() with 216.58.208.68 done
> May 28 23:25:55 XXX MK ntp_main() function poll() returned -1, errno=4 i=4
> May 28 23:25:55 XXX MK ntp_main() about to loop with control_dispatch_msg() 
> and j=3 i=4 nfds=-1
> May 28 23:25:55 XXX MK ntp_main() about to loop with 
> constraint_dispatch_msg() and j=3 i=4 nfds=-1
> May 28 23:25:55 XXX MK constraint_check_child() bummer, we bump senderrors 
> now senderrors=1 fail=0 state=4
> May 28 23:25:55 XXX MK constraint_close() are we going to set state to 
> STATE_INVALID? state=4
> May 28 23:25:55 XXX MK constraint_close() somehow we set the state to 
> STATE_INVALID state=6 senderrors=1
> May 28 23:25:55 XXX MK ntp_main() constraint_cnt=1, constraint_median=0

Re: OpenNTPD - no constraint reply - no time sync

2015-07-18 Thread Brent Cook
> On Jul 18, 2015, at 1:52 PM, Mikolaj Kucharski  wrote:
> 
> On Sat, Jul 18, 2015 at 11:44:17AM -0600, Brent Cook wrote:
>> On Thu, May 28, 2015 at 5:24 PM, Mikolaj Kucharski
>>  wrote:
>>> minimalistic patch as below fixed the issue for me:
>>> 
>>> Index: constraint.c
>>> ===
>>> RCS file: /cvs/src/usr.sbin/ntpd/constraint.c,v
>>> retrieving revision 1.12
>>> diff -u -p -u -r1.12 constraint.c
>>> --- constraint.c28 May 2015 21:34:36 -  1.12
>>> +++ constraint.c28 May 2015 23:14:47 -
>>> @@ -279,7 +279,7 @@ constraint_check_child(void)
>>>&cstr->addr->ss), 
>>> CONSTRAINT_SCAN_INTERVAL);
>>>}
>>> 
>>> -   if (fail || cstr->state < STATE_REPLY_RECEIVED) {
>>> +   if (fail || cstr->state < STATE_QUERY_SENT) {
>>>cstr->senderrors++;
>>>constraint_close(cstr->fd);
>>>}
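
Review bot: The new test cstr->state < STATE_QUERY_SENT relies on the numeric order of the state enum, and it means a child reaped while the constraint is still in STATE_QUERY_SENT no longer bumps cstr->senderrors or reaches constraint_close(). Please add a comment above the condition explaining that a reply can still be pending when the child is reaped, and confirm that a query which never receives a reply is expired by some other path, since this branch no longer catches it.
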
>> 
>> Thank you for the in-depth analysis. I have been running this patch
>> the last couple of days and have not experienced any issues as well.
>> What say you reyk?
> 
> I can confirm that I run this patch from the end of May (from the time
> when I've posted this to the misc mailing list) on amd64 and i386 and I
> don't have any issues with it. I did not test portable.
> 

Thanks, I have committed your simpler patch.



Re: RNG question

2019-07-30 Thread Brent Cook



> On Jul 30, 2019, at 5:15 AM, Remco  wrote:
> 
> On 30-07-19 09:51, Peter J. Philipp wrote:
>> Hi,
>> I had considered doing some programming in visual studio on windows and I
>> really miss the easy arc4random*() routines there.
> 
> You may be able to get the arc4random interface on systems other than OpenBSD 
> by extracting the necessary files from:
> - src/lib/libc/crypt/
> - src/lib/libcrypto/arc4random/
> 
> This appears to work fine on Linux, I haven't tried it on Windows.
> 

Correct, these were built to be easily reusable within other projects. The 
LibreSSL Windows port uses these as well.

https://github.com/libressl-portable/portable/blob/master/crypto/CMakeLists.txt#L889
 


 - Brent