Re: chromium and firefox - myths and facts?

2018-06-12 Thread lampshade

Maybe this time mail will be encoded properly.

>Chrome and Safari both derive from Apple WebKit which itself is a fork
>of the KHTML rendering engine developed by the KDE project, and has
>*always* been, LGPL licensed code since its first release in 1998.
>Yet today, Firefox is held up as the open-source darling and
>Chrome/Safari is seen as the proprietary devil.
>Go figure. :-)

But still Chrome has a purpose: to push people away
from desktop programs to WebApps, because of all the advertisement,
marketing and tracking possibilities WebApps give to the companies,
especially Google.

WebApps also means data is not stored locally, but remotely.

Not to mention Chrome sends your history to Google
servers when you log in to a Google Account (Gmail, YouTube).

I know some people can write open-source WebApps
and host them on their private servers or at least
paid VPSes, but how many? Not to mention these
WebApps will probably not cover every use-case
and they are going to use some company WebApp
anyway.




Re: Can SSH report successful connections to pf?

2018-05-11 Thread Lampshade

>At the end of a "pass" rule in pf.conf, the author adds:
>
> max-src-conn 3, max-src-conn-rate 2/5, overload  flush global
>
>which means:
>
> "any source can only have a total of three connections,
> and they may not create them at a rate faster than two
> every five minutes. If they do, they will be added to the
> abusers table and every packet/session will be globally
> dropped."
>
>I locked myself out of many boxes thanks to that.

As Peter pointed out, it is best to set a timeout/expiry date for IPs in the blocklist.
One can also create a whitelist for your own IPs. Personally, I checked the IP
my ISP gave me, then checked with online services what AS number and CIDR
this IP is contained in, and added that to a whitelist table. It creates some
hole in the firewall, but a proactive firewall based on blocklists isn't in itself
strong protection. It is mostly useful for performance reasons.



Re: For a FFS on an SSD, which of "-o" nil, "sync" &/ "softdep" is more data-safe and fast?

2018-02-12 Thread Lampshade
> Hi!
>
> If I understand mount(8) (http://man.openbsd.org/mount) right, FFS
> mounts have a metadata I/O mode and a data I/O mode. By default,
> metadata is accessed synchronously and data is accessed
> asynchronously.
>
> "-o sync" will force both to synchronous mode, and "-o softdep" would
> change the metadata I/O mode to the alternative softdep access mode.

No. softdep and async are different concepts.
Default for metadata and data, respectively: sync, async.
Note that there is async, not softdep.

You can do the opposite with the options: nosync, noasync.
It would mean asynchronous mode for metadata and synchronous for data, which
is stupid (slow and dangerous), so don't.

I think the defaults are quite good for SSD. Maybe add noatime for some partitions.



Re: Kernel memory leaking on Intel CPUs?

2018-02-08 Thread Lampshade
Intel provided stable microcode for Skylake mitigating Spectre variant 2.

Current status
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf

When it comes to Meltdown:
Is OpenBSD going to release patches for 6.2? I don't see anything related
to Meltdown in errata, but maybe it is too early. I understand other OSes
received disclosed information about the bug a few months earlier.



Re: Kernel memory leaking on Intel CPUs?

2018-01-07 Thread Lampshade
There are some claims about Raspberry Pi:

Here you go:
We do not believe any generation of Raspberry Pi hardware
is susceptible to either the Spectre or Meltdown vulnerabilities.
https://twitter.com/EbenUpton/status/948999181309530116


Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown

https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/


Re: Kernel memory leaking on Intel CPUs?

2018-01-03 Thread Lampshade
Intel is probably waiting for Microsoft, Red Hat,
Apple and major cloud companies to update
OSes until the release of the Intel Security Advisory.

I am also curious whether OpenBSD also maps
the kernel into the userspace memory of processes?
Could pledge protect against some scenarios
exploiting these kinds of bugs?



JRE, Java and JavaFX

2017-12-30 Thread Lampshade
Hello,
I would like to know whether it is possible to execute a GUI app
based on JavaFX using OpenBSD's JRE package.
I tried to compile and run it, but Maven says it can't find the JavaFX
classes.
I also tried to compile on Windows and then copy the target directory to
OpenBSD, but again I see something similar:

/usr/local/jre-1.8.0/bin/java -cp target/app-0.1-SNAPSHOT.jar
com.company.app.Main
Exception in thread "main" java.lang.NoClassDefFoundError:
javafx/application/Application
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at com.company1.app.Main.main(Main.java:7)
Caused by: java.lang.ClassNotFoundException: javafx.application.Application
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 13 more

Have a nice day.



Re: For the super paranoid

2017-12-09 Thread Lampshade
News from Reddit:
"AMD Listened to us, and added a PSP disable option in their new AGESA version!"

Not my picture (credit to u/repo_code), but
https://drive.google.com/file/d/1b4p3d-gtHbFvkUbHYC8HSIviL-1ssC7V/view
My Gigabyte AB350 Gaming 3 also has a BIOS based on the new
AGESA version, though it doesn't have the PBS options by default,
so I enabled them, flashed the new BIOS, and indeed the setting was there!

>In order for me to trust AMD's implementation, they first need to can
>that ridiculous Platform "Security" Processor. It is as useless and
>dangerous as Intel Management Engine, running unknown code.
>
>A more plausible attack would be an application using malloc() for a
>large segment of memory, and transmitting the "uninitialised" content,
>which could contain private keys, sensitive documents, etc. from
>applications that either don't zero the memory after finishing, or
>programs which have crashed and the memory is now freely available
>to other processes.
>
>It would be nice in those cases to have different
>keys for different pages, so that when a process is terminated, the
>kernel can (instruct the CPU to) overwrite the key with a new random
>number.
>
>On Sat, 11 Mar 2017 20:18:37 + (UTC)
>Christian Weisgerber  wrote:
>
>> AMD thinks so.  Last year they announced support for memory encryption
>> in future CPUs.  The top two Google hits:
>> 
>> http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
>>  
>> https://events.linuxfoundation.org/sites/events/files/slides/AMD%20x86%20Memory%20Encryption%20Technology%20LSS%20Slides.pdf
>>



Re: Intel's Management Technology is indeed vulnerable

2017-11-22 Thread Lampshade
Intel's firmware bugs:

Intel SA-00086
Intel ID:                INTEL-SA-00086
Product family:          Various
Impact of vulnerability: Elevation of Privilege
Severity rating:         Important
Original release:        Nov 20, 2017
Last revised:            Nov 21, 2017

https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability

From gadgets.ndtv.com:
Security research firm Positive Technologies has said it will demonstrate an 
exploit that allows the running of arbitrary unsigned code on any PC with an 
Intel 6th Gen 'Skylake' Core CPU or later. The security hole exists because of 
Intel's Management Engine, a tiny microprocessor that exists within the 
platform controller, or chipset, of every PC motherboard built for Intel 
processors. The Intel Management Engine (IME) was introduced to allow functions 
such as remote booting and administration, but it also handles the 
initialisation of the CPU and its power management.

Will Harris on Twitter comments satirically:
Intel advisory generator: "Multiple unspecified issues in unspecified component 
in unspecified platform of unspecified version allows unspecified process to 
access privileged content via unspecified vector."


Re: Guess what today is

2017-10-18 Thread Lampshade
Happy birthday and live long OpenBSD!



Re: About WPA2 compromised protocol

2017-10-16 Thread Lampshade
Stefan Sperling:
> Also this was *NOT* a protocol bug.
> arstechnica claimed such nonesense without any basis in fact and
> now everybody keeps repeating it :(

Actually, the researcher claimed that they are in the standard itself.

https://www.krackattacks.com/
The weaknesses are in the Wi-Fi standard itself, and not in individual products 
or implementations. Therefore, any correct implementation of WPA2 is likely 
affected.

Some paragraphs remark on OpenBSD directly.

Paper
Although this paper is made public now, it was already submitted for review on 
19 May 2017. After this, only minor changes were made. As a result, the 
findings in the paper are already several months old. In the meantime, we have 
found easier techniques to carry out our key reinstallation attack against the 
4-way handshake. With our novel attack technique, it is now trivial to exploit 
implementations that only accept encrypted retransmissions of message 3 of the 
4-way handshake. In particular this means that attacking macOS and OpenBSD is 
significantly easier than discussed in the paper.

Some attacks in paper seem hard
We have follow-up work making our attacks (against for example macOS and 
OpenBSD) significantly more general and easier to execute. So although we agree 
that some of the attack scenarios in the paper are rather impractical, do not 
let this fool you into believing key reinstallation attacks cannot be abused in 
practice.

How did you discover these vulnerabilities?
When working on the final (i.e. camera-ready) version of another paper, I was 
double-checking some claims we made regarding OpenBSD's implementation of the 
4-way handshake. In a sense I was slacking off, because I was supposed to be 
just finishing the paper, instead of staring at code. But there I was, 
inspecting some code I already read a hundred times, to avoid having to work on 
the next paragraph. It was at that time that a particular call to ic_set_key 
caught my attention. This function is called when processing message 3 of the 
4-way handshake, and it installs the pairwise key to the driver. While staring 
at that line of code I thought “Ha. I wonder what happens if that function is 
called twice”. At the time I (correctly) guessed that calling it twice might 
reset the nonces associated to the key. And since message 3 can be 
retransmitted by the Access Point, in practice it might indeed be called twice. 
“Better make a note of that. Other vendors might also call such a function 
twice. But let's first finish this paper...”. A few weeks later, after 
finishing the paper and completing some other work, I investigated this new 
idea in more detail. And the rest is history.
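To make the mechanism quoted above concrete, here is an added C model of a supplicant's handling of message 3 (illustration code, not OpenBSD's net80211 or the researcher's code): installing the same PTK a second time restarts the CCMP packet number, while a handler that notices the key is already installed keeps counting. The names driver_set_key, recv_msg3_naive, recv_msg3_guarded and the sample PTK bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PTK_LEN 16

/*
 * Model of one pairwise key slot. A CCMP nonce is the sender address plus a
 * packet number (PN) that must never repeat under the same key; the driver
 * restarts the PN at 0 every time a key is installed.
 */
struct key_slot {
	uint8_t  key[PTK_LEN];
	bool     installed;
	uint64_t tx_pn;		/* PN the next transmitted frame will use */
};

/* Stand-in for the driver key install that ic_set_key() ends up doing. */
static void
driver_set_key(struct key_slot *slot, const uint8_t *ptk)
{
	memcpy(slot->key, ptk, PTK_LEN);
	slot->installed = true;
	slot->tx_pn = 0;	/* nonce counter restarts: fine once, fatal twice */
}

/* Transmit one frame under the installed key; returns the PN it consumed. */
static uint64_t
send_frame(struct key_slot *slot)
{
	return slot->tx_pn++;
}

/* Vulnerable message-3 handler: installs the PTK every time message 3 arrives. */
static bool
recv_msg3_naive(struct key_slot *slot, const uint8_t *ptk)
{
	driver_set_key(slot, ptk);
	return true;
}

/*
 * Hardened message-3 handler: a retransmitted message 3 carries the PTK that
 * is already installed, so the driver call is skipped and the PN keeps
 * counting. A genuinely new key (rekeying) is still installed.
 */
static bool
recv_msg3_guarded(struct key_slot *slot, const uint8_t *ptk)
{
	if (slot->installed && memcmp(slot->key, ptk, PTK_LEN) == 0)
		return false;		/* duplicate: not reinstalled */
	driver_set_key(slot, ptk);
	return true;
}

/*
 * Scenario: the supplicant gets message 3, sends `frames` data frames, the AP
 * (which never saw message 4) retransmits message 3 with the same PTK, and
 * the supplicant sends one more frame. Returns the PN that last frame used.
 */
static uint64_t
pn_after_retransmit(bool guarded, int frames)
{
	/* constructed sample PTK; any 16 bytes will do for the model */
	static const uint8_t ptk[PTK_LEN] = {
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
		0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
	};
	bool (*recv_msg3)(struct key_slot *, const uint8_t *) =
	    guarded ? recv_msg3_guarded : recv_msg3_naive;
	struct key_slot slot;

	memset(&slot, 0, sizeof(slot));
	recv_msg3(&slot, ptk);
	for (int i = 0; i < frames; i++)
		send_frame(&slot);
	recv_msg3(&slot, ptk);		/* retransmitted message 3 */
	return send_frame(&slot);
}

/* True when the frame sent after the retransmission reused an earlier PN. */
static bool
nonce_reused(bool guarded, int frames)
{
	return pn_after_retransmit(guarded, frames) < (uint64_t)frames;
}

/* The guard must still accept a different key: rekeying resets the PN. */
static bool
guard_accepts_rekey(void)
{
	static const uint8_t a[PTK_LEN] = { 0xaa }, b[PTK_LEN] = { 0xbb };
	struct key_slot slot;

	memset(&slot, 0, sizeof(slot));
	return recv_msg3_guarded(&slot, a) && !recv_msg3_guarded(&slot, a) &&
	    recv_msg3_guarded(&slot, b) && slot.tx_pn == 0;
}
```

With five frames sent before the retransmission, the naive handler's next frame goes out with PN 0 again, while the guarded handler's goes out with PN 5.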


softraid i/o error 5 @ CRYPTO block

2017-10-15 Thread Lampshade
Hello
During a recent update from an older -current amd64 to the newest -current amd64, the
kernel printed a softraid/CRYPTO error.
This error message was printed after the re-linking of the kernel, which failed.
What does this mean?

Small part of dmesg:
sd1 at scsibus1 targ 1 lun 0:  SCSI2 0/direct fixed
sd1: 71682MB, 512 bytes/sector, 146805279 sectors
root on rd0a swap on rd0b dump on rd0b
softraid0: sd1: i/o error 5 @ CRYPTO block 27426768
syncing disks... 
OpenBSD 6.2-current (GENERIC.MP) #149: Sat Oct 14 14:21:11 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

***

full dmesg:
https://paste.opensuse.org/ebf3782c

OpenBSD 6.2-current (RAMDISK_CD) #147: Sat Oct 14 14:25:36 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 632704 (6018MB)
avail mem = 6116085760 (5832MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe6df0 (39 entries)
bios0: vendor Acer version "V2.21" date 12/16/2013
bios0: Acer Aspire E1-531G
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP UEFI ASF! HPET APIC MCFG SSDT BOOT ASPT DBGP FPDT SSDT 
SSDT SSDT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU B960 @ 2.20GHz, 2195.37 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,XSAVE,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus 2 (RP01)
acpiprt3 at acpi0: bus 3 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus -1 (RP06)
acpiprt8 at acpi0: bus -1 (RP07)
acpiprt9 at acpi0: bus -1 (RP08)
acpiprt10 at acpi0: bus 1 (PEG0)
acpiprt11 at acpi0: bus -1 (PEG1)
acpiprt12 at acpi0: bus -1 (PEG2)
acpiprt13 at acpi0: bus -1 (PEG3)
acpiec0 at acpi0
acpicpu at acpi0 not configured
"10250759" at acpi0 not configured
"ETD0500" at acpi0 not configured
"INT3F0D" at acpi0 not configured
"PNP0C0A" at acpi0 not configured
"ACPI0003" at acpi0 not configured
"PNP0C0C" at acpi0 not configured
"PNP0C0D" at acpi0 not configured
"PNP0C0E" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"INT340E" at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
ppb0 at pci0 dev 1 function 0 "Intel Core 2G PCIE" rev 0x09: msi
pci1 at ppb0 bus 1
1:0:0: mem address conflict 0xfff8/0x8
vendor "NVIDIA", unknown product 0x1140 (class display subclass VGA, rev 0xa1) 
at pci1 dev 0 function 0 not configured
vga1 at pci0 dev 2 function 0 "Intel HD Graphics 2000" rev 0x09
wsdisplay1 at vga1 mux 1: console (80x25, vt100 emulation)
"Intel 7 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
ehci0 at pci0 dev 26 function 0 "Intel 7 Series USB" rev 0x04: apic 0 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
"Intel 7 Series HD Audio" rev 0x04 at pci0 dev 27 function 0 not configured
ppb1 at pci0 dev 28 function 0 "Intel 7 Series PCIE" rev 0xc4: msi
pci2 at ppb1 bus 2
2:0:0: mem address conflict 0xf800/0x800
bge0 at pci2 dev 0 function 0 "Broadcom BCM57785" rev 0x10, BCM57765 B0 
(0x57785100): msi, address b8:88:e3:d3:08:70
brgphy0 at bge0 phy 1: BCM57765 10/100/1000baseT PHY, rev. 4
sdhc0 at pci2 dev 0 function 1 "Broadcom SD Host Controller" rev 0x10: apic 0 
int 17
sdhc0: SDHC 3.0, 200 MHz base clock
sdmmc0 at sdhc0: 8-bit, sd high-speed, mmc high-speed, dma
vendor "Broadcom", unknown product 0x16be (class system subclass miscellaneous, 
rev 0x10) at pci2 dev 0 function 2 not configured
vendor "Broadcom", unknown product 0x16bf (class system subclass miscellaneous, 
rev 0x10) at pci2 dev 0 function 3 not configured
ppb2 at pci0 dev 28 function 1 "Intel 7 Series PCIE" rev 0xc4: msi
pci3 at ppb2 bus 3
iwn0 at pci3 dev 0 function 0 "Intel Centrino Advanced-N 6200" rev 0x35: msi, 
MIMO 2T2R, MoW, address 00:27:10:a7:bf:cc
ehci1 at pci0 dev 29 function 0 "Intel 7 Series USB" rev 0x04: apic 0 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
"Intel HM77 LPC" rev 0x04 at pci0 dev 31 function 0 not configured
ahci0 at pci0 dev 31 function 2 "Intel 7 Series AHCI" rev 0x04: msi, AHCI 1.3
ahci0: port 0: 3.0Gb/s
ahci0: port 2: 1.5Gb/s
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed 
naa.5000c5005c9384dd
sd0: 476940MB, 512 bytes/sector, 976773168 sectors
cd0 at 

Re: Flaw resides in BTB helps bypass ASLR

2016-10-20 Thread Lampshade
> if you read the paper, you will notice that they only tested on Ubuntu and 
> OSX,
> neither of which actually ship with ASLR enabled by default if I remember 
> correctly.

https://wiki.ubuntu.com/Security/Features



Re: VMM test

2016-10-12 Thread Lampshade
>> Hi Everybody,
>>
>> I would like to give a try to vmm. If I do so, which os can I expect
>> to make it work? openbsd ok I guess. Linux? Windows?

>OpenBSD only, as of now.

Does it support both i386 and amd64 OpenBSD guests?



Re: Unexpected behavior in su/doas

2016-10-02 Thread Lampshade
> > This is just one mechanism on tty, there are others.  On other
> > descriptors there are other abilities.
> > 
> 
> Would you mind explaining this a little bit. I don't really mean the
> sudo/doas part.
> 
> How to do operations without retaining access to a tty?
>
> What other descriptors?

Example:
If you have a file descriptor to a directory outside the chroot
and you are the root user, you can escape the chroot.

https://filippo.io/escaping-a-chroot-jail-slash-1/



Re: 6.0-stable panic

2016-09-30 Thread Lampshade
dhill () mindcry ! org also posted a message to the bugs mailing
list, probably about this issue.
Title/subject:
KASSERT((sk->inp == NULL) || (sk->inp->inp_pf_sk == NULL));

http://marc.info/?l=openbsd-bugs=147472138723508=2

I can also confirm that relayd is triggering this kernel panic
on my system via the exit syscall.
I have posted relayd.conf in the mentioned thread.
Maybe you could post yours too, so we could check for similarities.



Re: Dual booting - can't boot OpenBSD from Windows 10 bootloader

2016-09-24 Thread Lampshade
>Thank you all for your answers. I cannot use grub or lilo as some of
>you pointed out because grub is i386 only and lilo isn't even in
>ports, and I don't have linux installed.

Neither do I, but I have Grub2 (from Debian amd64)
and OpenBSD amd64 ;)
You don't need to install any Gnu/Linux system to have
a bootloader from Gnu/Linux.
You just need to prepare a pendrive to boot
a liveCD *once* and install the lilo or Grub2 bootloader,
but you do not need to install the whole system.
I must admit that I have an additional 50MB partition
with an ext2 filesystem for the bootloader.



Dual booting - can't boot OpenBSD from Windows 10 bootloader

2016-09-23 Thread Lampshade
I have installed OpenBSD before it had UEFI support,
so I installed in Legacy Boot mode (I have UEFI capable
laptop).
I personally use Grub2 installed via the
debian live amd64 standard image.

I don't have Gnu/Linux installed.
I only have bootloader from Debian.

I have Windows 8.1 and OpenBSD amd64.

# cat /mnt/ext2/grub/grub.cfg \ 
> | grep -v -e ^#  -e ^[:space:]*$
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
menuentry "Windows" --class os {
  set root=(hd0,2)
  chainloader (hd0,msdos2)+1
}
menuentry "OpenBSD" {
  set root=(hd0,4)
  chainloader +1
}

Grub2 is faster than Windows bootloader.



Re: graphics acceleration, DRI2, DRM problem

2016-08-20 Thread Lampshade
I think that the actual, real job is done by:

aml_evalname(sc, node, "_OFF", 0, NULL,
)
or
aml_evalinteger(sc, node, "_OFF", 0,
NULL, )

inside acpi.c file.

The only good thing about this patch is
that it works for me.



Re: graphics acceleration, DRI2, DRM problem

2016-08-19 Thread Lampshade
> > +filedev/pci/nvdsbl.c
>
> can you include this file? and any new .h files as well?

I think that this was just for registering a dummy driver
for that Nvidia device. It does nothing useful itself.

# cat /usr/src/sys/dev/pci/nvdsbl.c
/*  $OpenBSD: nvdsbl.c,v 0.1 2015/07/28 12:00:01 somebody Exp $ */


/*
 * Driver changes power state / disables Nvidia GPU
 */

/* include names restored; the archive stripped everything between < > */
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/device.h>

#include <dev/pci/pcireg.h>
#include <dev/pci/pcivar.h>
#include <dev/pci/pcidevs.h>

struct nvdsbl_softc {
	struct device dev;
	struct pci_attach_args nvdsbl_pa;
};

int nvdsbl_probe(struct device *, void *, void *);
void nvdsbl_attach(struct device *, struct device *, void *);

struct cfattach nvdsbl_ca = {
	sizeof(struct nvdsbl_softc), nvdsbl_probe, nvdsbl_attach, NULL, NULL
};

struct cfdriver nvdsbl_cd = {
	NULL, "nvdsbl", DV_DULL
};

/* PCI vendor/device id of the GPU this dummy driver claims */
static const struct pci_matchid nvdsbl_devices[] = {
	{ 0x10de, 0x1140 }
};


int
nvdsbl_probe(struct device *parent, void *match, void *aux)
{
	/* the posted version dropped the return, so the match was never reported */
	return (pci_matchbyid((struct pci_attach_args *)aux, nvdsbl_devices,
	    nitems(nvdsbl_devices)));
}

void
nvdsbl_attach(struct device *parent, struct device *self, void *aux)
{
	printf("inside pci nvdsbl attach\n");
}



Re: graphics acceleration, DRI2, DRM problem

2016-08-19 Thread Lampshade
This is totally fucked up code, but if you like hazard...
I mean that I really just called some random ACPI (aml) methods
not knowing what they should do.
Additionally this code is for my laptop. I have a GEFORCE 620M
GPU, so I added this to pcidevs. Another thing is that the patched
code recognizes my GPU device through the ACPI name
"\\_SB_.PCI0.PEG0.PEGP". I discovered the name when I was
using the Linux kernel's module called acpi_call. Other laptops
may have differently named GPUs.

You use this at your own risk and you must *not* report bugs
to the Project when using the patched kernel.



File: GENERIC           Status: Locally Modified

   Working revision:    1.427
   Repository revision: 1.427   /cvs/src/sys/arch/amd64/conf/GENERIC,v
   Commit Identifier:   xNzAQvg5oqM2b0pn
File: acpi.c            Status: Locally Modified

   Working revision:    1.313
   Repository revision: 1.313   /cvs/src/sys/dev/acpi/acpi.c,v
   Commit Identifier:   h0GHFDGWnEdswfbK
File: dsdt.c            Status: Locally Modified

   Working revision:    1.223
   Repository revision: 1.223   /cvs/src/sys/dev/acpi/dsdt.c,v
   Commit Identifier:   SBTJg3diM8lXHXRE
File: files.pci         Status: Locally Modified

   Working revision:    1.324
   Repository revision: 1.324   /cvs/src/sys/dev/pci/files.pci,v
   Commit Identifier:   aeD3LK9Qomrjecge
File: pcidevs           Status: Locally Modified

   Working revision:    1.1802
   Repository revision: 1.1802  /cvs/src/sys/dev/pci/pcidevs,v
   Commit Identifier:   ZupaPoe9OBu6iKll
File: pcidevs.h         Status: Locally Modified

   Working revision:    1.1796
   Repository revision: 1.1796  /cvs/src/sys/dev/pci/pcidevs.h,v
   Commit Identifier:   Z3aUcOQiFLoINK6d
File: pcidevs_data.h    Status: Locally Modified

   Working revision:    1.1791
   Repository revision: 1.1791  /cvs/src/sys/dev/pci/pcidevs_data.h,v
   Commit Identifier:   Z3aUcOQiFLoINK6d



Index: sys/arch/amd64/conf/GENERIC
===
RCS file: /cvs/src/sys/arch/amd64/conf/GENERIC,v
retrieving revision 1.427
diff -u -p -r1.427 GENERIC
--- sys/arch/amd64/conf/GENERIC 3 Aug 2016 17:23:38 -   1.427
+++ sys/arch/amd64/conf/GENERIC 19 Aug 2016 21:31:07 -
@@ -11,7 +11,7 @@
 
 machineamd64
 include"../../../conf/GENERIC"
-maxusers   80  # estimated number of users
+maxusers   100 # estimated number of users
 
 option USER_PCICONF# user-space PCI configuration
 
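Review bot: the `maxusers 80` to `100` bump is a local tuning change unrelated to disabling the Nvidia GPU; split it out so the patch carries only the nvdsbl/ACPI change and reviewers are not asked to apply a kernel-sizing tweak along with it.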
@@ -22,10 +22,14 @@ option  MTRR# CPU memory range 
attribu
 #optionKGDB# Remote debugger support; exclusive of 
DDB
 #option"KGDB_DEVNAME=\"com\"",KGDBADDR=0x2f8,KGDBRATE=9600
 
-option NTFS# NTFS support
+#optionNTFS# NTFS support
 option HIBERNATE   # Hibernate support
 
+
+option HZ=300
+
 config bsd swap generic
+#optionDEBUG
 
 mainbus0 at root
 
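Review bot: commenting out NTFS, adding `option HZ=300` and the commented-out `#option DEBUG` line are personal kernel-config preferences with no connection to the GPU change and should not be in this diff; `HZ=300` in particular alters scheduler timing for anyone who applies the patch, and a commented-out option is dead noise.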
@@ -399,6 +403,7 @@ adw*at pci? # AdvanSys 
ULTRA WIDE SC
 pcscp* at pci? # AMD 53c974 PCscsi-PCI SCSI
 #trm*  at pci? # Tekram DC-3x5U SCSI Controllers
 vmwpvs*at pci? # VMware ParaVirtual SCSI
+nvdsbl* at pci? # Nvidia PCI Driver for disabling
 nvme*  at pci? # NVMe controllers
 
 scsibus* at scsi?
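Review bot: `nvdsbl* at pci?` is inserted between the SCSI controllers (`vmwpvs*`) and `nvme*`, but the device it claims is a display adapter; GENERIC groups attachments by device class, so it belongs with the graphics entries, and the comment should name the hardware ("Nvidia GPU power-off stub" or similar) rather than "PCI Driver for disabling". The matching `files.pci` and `pcidevs` changes that the status listing shows as locally modified are not in the visible diff, so this line alone will not build.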



Index: sys/dev/acpi/acpi.c
===
RCS file: /cvs/src/sys/dev/acpi/acpi.c,v
retrieving revision 1.313
diff -u -p -r1.313 acpi.c
--- sys/dev/acpi/acpi.c 28 Jul 2016 21:57:56 -  1.313
+++ sys/dev/acpi/acpi.c 19 Aug 2016 21:31:44 -
@@ -562,11 +562,11 @@ acpi_getpci(struct aml_node *node, void 
 {
const char *pcihid[] = { ACPI_DEV_PCIB, ACPI_DEV_PCIEB, "HWP0002", 0 };
struct acpi_pci *pci, *ppci;
-   struct aml_value res;
+   struct aml_value res,res2;
struct acpi_softc *sc = arg;
pci_chipset_tag_t pc = NULL;
pcitag_t tag;
-   uint64_t val;
+   uint64_t val,val2;
uint32_t reg;
 
if (!node->value || node->value->type != AML_OBJTYPE_DEVICE)
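Review bot: `res2` and `val2` are declared here but nothing in the visible part of the patch uses them; drop them or introduce them in the hunk that needs them. style(9) also wants a space after the comma: `struct aml_value res, res2;` and `uint64_t val, val2;`.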
@@ -620,6 +620,35 @@ acpi_getpci(struct aml_node *node, void 
pci->bus, pci->dev, pci->fun,
aml_nodename(node));
 
+
+   bool czyNvidiaGPU = false;
+if (!(strcmp("\\_SB_.PCI0.PEG0.PEGP",aml_nodename(node
+czyNvidiaGPU = true;
+
+if (czyNvidiaGPU) {
+printf("bedzie evalname na GPU\n");
+bool czyPoprawnieName = false;
+if(aml_evalname(sc, node, "_OFF", 0, NULL, )){
+printf("evalname na GPU true\n");
+czyPoprawnieName = true;
+aml_freevalue();
+} else {
+
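Review bot: the GPU is identified by `strcmp` against the hardcoded ACPI path `"\\_SB_.PCI0.PEG0.PEGP"`, which the author says is specific to this laptop; on another machine that path may be a different device, so match via the PCI bus/dev/fun values computed just above in `acpi_getpci()` or via the vendor/device id that nvdsbl.c already carries (0x10de/0x1140) before evaluating `_OFF`. Smaller points: `bool` is not used in the kernel (use `int`), the unconditional Polish debug printfs (`bedzie evalname na GPU`) should go or be gated, the new lines are space-indented where the file uses tabs, and the hunk stops mid-`else`, so the patch cannot be applied as posted.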

Re: graphics acceleration, DRI2, DRM problem

2016-08-14 Thread Lampshade
I have trimmed the lspci output, but actually it was important.
I have not only an Intel GPU but also an Nvidia GPU.

A year ago I wrote an ugly hack to disable the Nvidia GPU
for power saving.
I am sure that it is too ugly to commit to the repository, and
I am not a professional programmer, so I need a lot of time to
write even an ugly and tiny patch.

Actually DRI2 works if I recompile the kernel with my patch.

Following is printed by mpv with working graphics acceleration:

$ EGL_LOG_LEVEL=debug LIBGL_DEBUG=verbose MESA_DEBUG=1 mpv movie.avi   
Playing: movie.avi
 (+) Video --vid=1 (mpeg4)
 (+) Audio --aid=1 (ac3)
 (+) Subs  --sid=1 'movie.srt' (subrip) (external)
libGL: OpenDriver: trying /usr/X11R6/lib/modules/dri/i965_dri.so
libGL: Using DRI2 for screen 0
libEGL debug: Native platform type: x11 (autodetected)
libEGL debug: added egl_dri2 to module array
libEGL debug: DRI2: dlopen(/usr/X11R6/lib/modules/dri/i965_dri.so)
libEGL debug: found extension `DRI_Core'
libEGL info: found extension DRI_Core version 1
libEGL debug: found extension `DRI_IMAGE_DRIVER'
libEGL debug: found extension `DRI_DRI2'
libEGL info: found extension DRI_DRI2 version 4
libEGL debug: found extension `DRI_DriverVtable'
libEGL debug: found extension `DRI_ConfigOptions'
libEGL debug: found extension `DRI_TexBuffer'
libEGL info: found extension DRI_TexBuffer version 3
libEGL debug: found extension `DRI2_Fence'
libEGL debug: found extension `DRI2_Flush'
libEGL info: found extension DRI2_Flush version 4
libEGL debug: found extension `DRI_IMAGE'
libEGL info: found extension DRI_IMAGE version 11
libEGL debug: found extension `DRI_RENDERER_QUERY'
libEGL debug: found extension `DRI_CONFIG_QUERY'
libEGL debug: found extension `DRI_Robustness'
libEGL info: Using DRI2
libEGL debug: the best driver is DRI2
[ffmpeg/audio] ac3: Channel layout '5.1(side)' with 6 channels
does not match specified number of channels 2: ignoring specified channel
layout
AO: [sdl] 48000Hz stereo 2ch s32
VO: [opengl] 720x304 yuv420p
AV: 00:29:00 / 02:14:49 (21%) A-V:  0.000 Cache:  0s+1MB
[ffmpeg/audio] ac3: frame sync error
Error decoding audio.
AV: 00:41:39 / 02:14:49 (30%) A-V:  0.000 Cache:  0s+8MB
[ffmpeg/audio] ac3: frame sync error
Error decoding audio.
AV: 00:41:42 / 02:14:49 (30%) A-V:  0.000 Cache:  9s+8MB


Exiting... (Quit)
pthread_mutex_destroy on mutex with waiters!
libEGL debug: Display 0x1728778c8800 is destroyed with resources



graphics acceleration, DRI2, DRM problem

2016-08-14 Thread Lampshade
Hello
I have:
$ sysctl kern.version
kern.version=OpenBSD 6.0-current (GENERIC.MP) #2353: Sat Aug 13 11:34:33 MDT
2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
# sysctl hw.model
hw.model=Intel(R) Pentium(R) CPU B960 @ 2.20GHz
# lspci -nn | grep VGA
00:02.0 VGA compatible controller [0300]: Intel Corporation 2nd Generation
Core Processor Family Integrated Graphics Controller [8086:0106] (rev 09)

It is a Sandy Bridge CPU and GPU: HD 2000.

I used to watch movies on OpenBSD but now
(since a few days and upgrades) I have problems with the performance
of multimedia/mpv. I suspect a software problem with DRI2.

Info about Audio/Video desynchronisation was always present,
but it didn't disturb or prevent watching movies.

libEGL warning: DRI2: failed to authenticate
appeared in the past too, so I needed to upgrade packages and base
to solve the problem then. Now, unfortunately, it didn't help.

I chown-ed the drm files:
# chown open /dev/drm[0-3]
#
But it didn't help.

Part of Xorg.0.log:
[  3005.601] (II) intel(0): SNA initialized with Sandybridge (gen6, gt1)
backend
[  3005.601] (==) intel(0): Backing store enabled
[  3005.601] (==) intel(0): Silken mouse disabled
[  3005.601] (II) intel(0): HW Cursor enabled
[  3005.601] (II) intel(0): RandR 1.2 enabled, ignore the following RandR
disabled message.
[  3005.601] (==) intel(0): DPMS enabled
[  3005.602] (WW) intel(0): [DRI2] Direct rendering is not supported when VGA
arb is necessary for the device
[  3005.602] (II) intel(0): hardware support for Present enabled
[  3005.602] (--) RandR disabled
[  3005.602] (II) Found 2 VGA devices: arbiter wrapping enabled
[  3005.620] (II) AIGLX: Screen 0 is not DRI2 capable
[  3005.620] (EE) AIGLX: reverting to software rendering
[  3005.631] (II) AIGLX: enabled GLX_MESA_copy_sub_buffer
[  3005.632] (II) AIGLX: Loaded and initialized swrast
[  3005.632] (II) GLX: Initialized DRISWRAST GL provider for screen 0

What mpv is printing:
$ EGL_LOG_LEVEL=debug LIBGL_DEBUG=verbose MESA_DEBUG=1 mpv movie.avi
Playing: movie.avi
 (+) Video --vid=1 (mpeg4)
 (+) Audio --aid=1 (ac3)
 (+) Subs  --sid=1 'movie.srt' (subrip) (external)
libGL: screen 0 does not appear to be DRI2 capable
libGL: OpenDriver: trying /usr/X11R6/lib/modules/dri/swrast_dri.so
libEGL debug: Native platform type: x11 (autodetected)
libEGL debug: added egl_dri2 to module array
libEGL warning: DRI2: failed to authenticate
libEGL debug: DRI2: dlopen(/usr/X11R6/lib/modules/dri/swrast_dri.so)
libEGL debug: found extension `DRI_Core'
libEGL info: found extension DRI_Core version 1
libEGL debug: found extension `DRI_SWRast'
libEGL info: found extension DRI_SWRast version 4
libEGL debug: found extension `DRI_CopySubBuffer'
libEGL debug: found extension `DRI_ConfigOptions'
libEGL debug: found extension `DRI_TexBuffer'
libEGL info: found extension DRI_TexBuffer version 2
libEGL debug: found extension `DRI_RENDERER_QUERY'
libEGL debug: found extension `DRI_CONFIG_QUERY'
libEGL debug: the best driver is DRI2
[ffmpeg/audio] ac3: Channel layout '5.1(side)' with 6 channels does not match
specified number of channels 2: ignoring specified channel layout
AO: [sdl] 48000Hz stereo 2ch s32
VO: [opengl] 720x304 yuv420p
AV: 00:00:00 / 02:14:49 (0%) A-V:  0.211 Cache:  9s+16MB

Audio/Video desynchronisation detected! Possible reasons include too slow
hardware, temporary CPU spikes, broken drivers, and broken files. Audio
position will not match to the video (see A-V status field).

AV: 00:00:08 / 02:14:49 (0%) A-V:  0.000 Dropped: 176 Cache:  9s+16MB


Exiting... (Quit)
pthread_mutex_destroy on mutex with waiters!
libEGL debug: Display 0x34f55a7000 is destroyed with resources
$


$ cat /var/log/Xorg.0.log
[  3005.453] (--) checkDevMem: using aperture driver /dev/xf86
[  3005.465] (--) Using wscons driver on /dev/ttyC4
[  3005.484]
X.Org X Server 1.18.4
Release Date: 2016-07-19
[  3005.484] X Protocol Version 11, Revision 0
[  3005.484] Build Operating System: OpenBSD 6.0 amd64
[  3005.484] Current Operating System: OpenBSD r2d2 6.0 GENERIC.MP#2353 amd64
[  3005.485] Build Date: 13 August 2016  11:57:16AM
[  3005.485]
[  3005.485] Current version of pixman: 0.32.8
[  3005.485]Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
[  3005.485] Markers: (--) probed, (**) from config file, (==) default
setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[  3005.485] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Aug 14 12:12:48
2016
[  3005.485] (==) Using config directory: "/etc/X11/xorg.conf.d"
[  3005.486] (==) Using system config directory
"/usr/X11R6/share/X11/xorg.conf.d"
[  3005.486] (==) No Layout section.  Using the first Screen section.
[  3005.486] (==) No screen section available. Using defaults.
[  3005.486] (**) |-->Screen "Default Screen Section" (0)
[  3005.486] (**) |   |-->Monitor ""
[  3005.486] (==) No 

Re: /usr/ and wxallowed

2016-06-20 Thread Lampshade
I have upgraded base system.
I am going to update ports when mirror will be in sync with main.

wxallowed on /usr works as expected


$ mount | grep /usr
/dev/sd2e on /usr type ffs (local, noatime, nodev, wxallowed, softdep)
$ grep wxallowed /etc/fstab
e2687744d2198a2e.e /usr ffs rw,wxallowed,nodev,softdep,noatime 1 2

Besides that I can add that Firefox works with W^X restriction
and Chromium does not.

wxallowed lets me use Chromium successfully.



/usr/ and wxallowed

2016-06-05 Thread Lampshade
Hello,
I have a non-standard partitioned OpenBSD-current installation dated before
05/27. I don't have a separate filesystem/disklabel partition for /usr/local/. I
have /usr/ on a separate ffs filesystem. Can I add wxallowed to the /usr/ filesystem
or must I repartition/reinstall OpenBSD?



Breakthrough in distributed rngs

2016-05-26 Thread Lampshade
Theoretical breakthrough in distributed random number generation. David
Zuckerman, a computer science professor, and Eshan Chattopadhyay, a graduate
student, published a paper in March that will be presented in June at the
Symposium on Theory of Computing. “We show that if you have two low-quality
random sources—lower quality sources are much easier to come by—two
sources that are independent and have no correlations between them, you can
combine them in a way to produce a high-quality random number,”

https://threatpost.com/academics-make-theoretical-breakthrough-in-random-number-generation/118150/
http://eccc.hpi-web.de/report/2015/119/



Re: mfs vs tmpfs: advantages and disadvantages

2016-05-15 Thread Lampshade
And what about performance?
Is tmpfs or mfs faster? Is one or another more resource hungry?
--
Furthermore, I consider that systemd must be destroyed
Latin oratorical phrase



today amd64 snapshot libpthread segfault

2016-05-14 Thread Lampshade
What exactly is the version of the base system?
$ sysctl kern.version
Have you also updated packages/ports?

On http://www.openbsd.org/faq/current.html
there is info about the recent ABI break.



Re: Mail : MRA MDA LDA e-mail processors in OpenBSD

2016-03-26 Thread Lampshade
>I don't know what "MRA" means, but for fetching:

According to Wikipedia's "Email agent" there are:

Mail user agent (MUA)
Mail submission agent (MSA)
Mail access agent (MAA)
Mail transfer agent (MTA)
Mail delivery agent (MDA)
Mail retrieval agent (MRA)



Mail : MRA MDA LDA e-mail processors in OpenBSD

2016-03-26 Thread Lampshade
Hello,
I am a casual OpenBSD user. I use it on a laptop. I don't have servers and do
*not* want to create my own mail service. I use what the crowd uses:
I have Yahoo, Gmail, Yandex mail accounts.

I would like to use mutt and shell scripts for mail notification etc.
To accomplish this I want to have a local copy of mail in
Maildir format.
What MRA do you use for that? Getmail, fetchmail or something else?
Is there something in OpenBSD's base for that?

I would also like to do some things with mail, for example
get rid of attachments for mail in one account and do the reverse,
the opposite, on the other account: just back up attachments, saving them
under normal file names with appropriate extensions in the file names,
not inside other Maildir messages.
To accomplish this I think, but I am not sure, I need an MDA such as
procmail or maildrop or something similar.
What do you use? I want something quite secure and not very
complicated. It does *not* need to be feature rich.
Bonus points for software in OpenBSD's base.
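One way to do the attachment split asked about above, as an added example using only the Python standard library (it is not a tool from the post, from getmail/procmail/maildrop or from OpenBSD base). The sample message is constructed; the point worth seeing is that an attachment's declared filename is chosen by the sender, so it is reduced to a plain base name and given an extension from the declared content type before anything is written.

```python
"""Strip attachments from a mail message and save them under safe file names.
Added example (Python standard library only); not a tool from the post,
from getmail/procmail/maildrop or from OpenBSD base."""
import email
import mimetypes
import os
import re
from email import policy
from email.message import EmailMessage

# Constructed sample message.  The first attachment declares a traversal-style
# filename to show why the declared name must never be used as-is.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: lampshade@example.invalid
Subject: monthly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Report attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="../../report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: image/png
Content-Disposition: attachment
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Top-level headers describing the old multipart body; set_content() rebuilds them.
BODY_HEADERS = {'content-type', 'content-transfer-encoding',
                'content-disposition', 'mime-version'}


def safe_filename(name, content_type, index):
    """Reduce an attacker-controlled attachment name to a plain base name with
    an extension that matches the declared content type."""
    base = os.path.basename((name or '').replace('\\', '/'))
    base = re.sub(r'[^A-Za-z0-9._-]+', '_', base).strip('._')
    if not base:
        base = f'attachment-{index}'
    root, ext = os.path.splitext(base)
    if not ext:
        base = root + (mimetypes.guess_extension(content_type) or '.bin')
    return base


def split_attachments(raw):
    """Parse raw message bytes; return (message without attachments, [(name, data)])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for index, part in enumerate(msg.iter_attachments(), start=1):
        name = safe_filename(part.get_filename(), part.get_content_type(), index)
        data = part.get_content()
        if isinstance(data, EmailMessage):      # message/rfc822 attachment
            data = data.as_bytes()
        elif isinstance(data, str):             # text/* attachment
            data = data.encode('utf-8')
        attachments.append((name, data))

    stripped = EmailMessage(policy=policy.default)
    for header, value in msg.items():
        if header.lower() not in BODY_HEADERS:
            stripped[header] = value
    body = msg.get_body(preferencelist=('plain', 'html'))
    if body is None:
        stripped.set_content('')
    else:
        stripped.set_content(body.get_content(), subtype=body.get_content_subtype())
    if attachments:
        # The header name below is this example's own choice, not a standard one.
        stripped['X-Removed-Attachments'] = ', '.join(n for n, _ in attachments)
    return stripped, attachments


def save_attachments(attachments, directory):
    """Write every attachment inside `directory` without overwriting; return paths."""
    root_dir = os.path.realpath(directory)
    os.makedirs(root_dir, exist_ok=True)
    written = []
    for name, data in attachments:
        target = os.path.join(root_dir, name)
        stem, ext = os.path.splitext(target)
        counter = 1
        while os.path.exists(target):
            counter += 1
            target = f'{stem}-{counter}{ext}'
        # safe_filename() already prevents escaping; verify anyway before writing.
        if os.path.commonpath([root_dir, os.path.realpath(target)]) != root_dir:
            raise ValueError(f'refusing to write outside {root_dir}: {target}')
        with open(target, 'xb') as fh:
            fh.write(data)
        written.append(target)
    return written
```

Run `split_attachments()` on a message from the Maildir, hand `save_attachments()` a backup directory, and deliver `stripped.as_bytes()` in place of the original.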



Re: Relayd TLS client mode CA verification

2016-03-26 Thread Lampshade
I have reported the problem to the bugs mailing list.
Thanks for checking that and responding.



Re: Relayd TLS client mode CA verification

2016-03-25 Thread Lampshade
When it works fine, but without certificate verification:

$ cat /etc/relayd.conf
tcp protocol proto_wp {
#tls ca file "/etc/ssl/cert.pem"
tls tlsv1.1
pass
}

relay connect_to_mail_wp {
protocol proto_wp
listen on 127.0.0.1 port 
forward with tls to imap.wp.pl port 993
}
# relayd -d -vvv -f /etc/relayd.conf
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_privinit: adding relay connect_to_mail_wp
protocol 1: name proto_wp
flags: used, relay flags: tls client
tls flags: tlsv1.1, tlsv1.2, cipher-server-preference,
client-renegotiation
type: tcp
pass request 
ca_engine_init: using RSA privsep engine
socket_rlimit: max open files 1024
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
relay_launch: running relay connect_to_mail_wp
relay_launch: running relay connect_to_mail_wp
relay_launch: running relay connect_to_mail_wp
relay connect_to_mail_wp, tls session 1 connected (1 active)
relay connect_to_mail_wp, session 1 (1 active), 0, 127.0.0.1 ->
212.77.101.140:993, done

***

When it fails:

$ cat /etc/relayd.conf
tcp protocol proto_wp {
tls ca file "/etc/ssl/cert.pem"
tls tlsv1.1
pass
}

relay connect_to_mail_wp {
protocol proto_wp
listen on 127.0.0.1 port 
forward with tls to imap.wp.pl port 993
}
# relayd -d -vvv -f /etc/relayd.conf
startup
socket_rlimit: max open files 1024
relay_load_certfiles: using ca /etc/ssl/cert.pem
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_privinit: adding relay connect_to_mail_wp
protocol 1: name proto_wp
flags: used, relay flags: tls client
tls flags: tlsv1.1, tlsv1.2, cipher-server-preference,
client-renegotiation
type: tcp
pass request 
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine



Re: Relayd TLS client mode CA verification

2016-03-24 Thread Lampshade
Maybe I will post an example of what I am doing.
OpenBSD-current amd64 March 16th, 2016.
Getmail and imap over TLS.

$ cat /etc/relayd.conf   
tcp protocol proto_wp {
tls ca file "/etc/ssl/cert.pem"
pass
}

relay connect_to_mail_wp {
protocol proto_wp
listen on 127.0.0.1 port 
forward with tls to imap.wp.pl port 993
}
$


cat getmailrc
[retriever]
type = SimpleIMAPRetriever
server = 127.0.0.1
port = 
username = censored
password = censored

[destination]
type = Maildir
path = censored

[options]
delete = false
message_log = censored

If you do:
openssl s_client -connect imap.wp.pl:993 -CAfile /etc/ssl/cert.pem
you will see that TLS is supported.

I can also confirm that removing the line with tls ca file
allows me to connect successfully to imap over TLS
using relayd.
But I want verification of the certificate...
Am I doing something wrong or is this a bug in relayd?



Relayd TLS client mode CA verification

2016-03-20 Thread Lampshade
Hello,

OpenBSD current amd64 March 16 snapshot.

I am using relayd as a client for encrypted https connections.
I would like to make relayd verify the CA.
Now I have, without verification:
web browser encrypted stream -> 1 relayd in server mode -> unencrypted stream ->
privoxy and divert using pf -> 2 relayd in client mode -> change destination
port using pf -> Internet

And it works!
I only need to force verification of the CA for certificates on relayd 2, because
as far as I understand
relayd does not do this by default. The problem is that if I add:
tls ca file "/etc/ssl/cert.pem"
to the http protocol, the web browser is not able to reach the TLS website. W.B. does not
show an error, but loads
and loads and loads the web page, without ever showing the webpage.



Why this pf rule is not enough?

2016-02-28 Thread Lampshade
I have rdomain 1 and the default rdomain.
pair1 is in rdomain 1,
pair2 is in the default rdomain.
Inside rdomain 1 there is no loopback interface;
the network is 172.10.0.2/24.

In /etc/resolv.conf I have nameserver 127.0.0.1,
so all DNS (UDP 53) packets should go to 127.0.0.1.
The default route in rdomain 1 is the pair2 interface (172.10.0.2).

I want (and achieved) to intercept DNS requests from rdomain 1
to 172.10.0.2 port 9053. I have the rule:

pass out quick log (all, to pflog0) on pair1 inet proto udp to 127.0.0.1 port 53 rdr-to 172.10.0.2 port 9053 keep state (floating)

but it is not enough. I needed to add this rule:

pass in quick on pair2 inet proto udp from pair1 to any port 53 rdr-to pair2 port 9053 keep state (floating)



Re: What are the disadvantages of soft updates?

2016-02-27 Thread Lampshade
Hello
Given that one can change options for a filesystem such as sync to async
without remounting using mount -u -o options /what /where,
is it possible to disable softdep on the fly (without unmounting)?

Second question:
Is mounting a fs with the softdep *and* sync options secure?


For example now I have:
mount | grep usr
/dev/sd1e on /usr type ffs (local, nodev, synchronous, softdep)
and could have this
mount | grep usr
/dev/sd1e on /usr type ffs (local, softdep)



Re: Firefox W^X isn't a part of Pwn2Own contest

2016-02-27 Thread Lampshade
About X.Org isolation I have heard of
Xpra - "screen for X11"
but haven't used this yet.



Re: bug in pair ?

2016-02-26 Thread Lampshade
What do you see in ifconfig?
I have line like that:
ifconfig pair1   
pair1: flags=8843 rdomain 1 mtu 1500

and the content of config file for interface:
cat /etc/hostname.pair1  
inet 172.10.0.1 255.255.255.0 172.10.0.255 rdomain 1

and probably less importantly:
sysctl net.inet.ip.forwarding net.inet6.ip6.forwarding



Softraid crypto header key backup

2016-02-26 Thread Lampshade
Hello
I am using OpenBSD amd64 with FDE. I wonder if there is a possibility of
making a backup of the header/key used by softraid crypto, like in the
LUKS/dm-crypt solution for Gnu/Linux?
I know that backups are relevant and I do back up, but if there is a possibility
to add one more additional easy step to be more confident about data
survival/recovery, I would certainly do this.



Re: Firefox W^X isn't a part of Pwn2Own contest

2016-02-20 Thread Lampshade
> Do you also sandbox the browser with some sort of remote desktop, or run
> under a separate X session? AFAIK X allows any program to meddle with
> any other program under the same display.

No, I don't.
Setup is easy. In the easiest scenario just create a user, add to /etc/sudoers
a line which lets you run Firefox as another user without the need for a password,
create a one-line script to use sudo and just refer to that script when you want
to execute Firefox.

I think there was also a small C program posted on the mailing list to change
the UID and GID of the Firefox process, and you can probably also use
doas from base, but I still use sudo.



Firefox W^X isn't a part of Pwn2Own contest

2016-02-17 Thread Lampshade
Does the original Firefox compiled by Mozilla, running on Windows,
have W^X? I bet: no, it doesn't.
I run browsers under another user account in OpenBSD.



Re: Network isolation of process using rdomain rtable

2016-02-15 Thread Lampshade
It seems it is starting to work.
Server command:
/usr/local/bin/sudo -u user /usr/bin/nc -4 -k -l 172.10.0.2 9191

Commands for programs I would like to intercept/redirect:
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 172.10.0.2 9191

random port
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 172.10.0.2 9192

random IP and port (this is Google, don't hack)
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 212.191.227.88 80


#cat pf.conf:
pass in quick  on pair2 inet proto tcp from pair1 \
rdr-to pair2 port 9191 keep state (floating)
pass in
pass out

#pfctl -sr 
pass in quick on pair2 inet proto tcp from 172.10.0.1 \
to any flags S/SA tag rdr_tor_tcp rdr-to 172.10.0.2 port 9191
pass in all flags S/SA
pass out all flags S/SA


Should I also do nat-to (source nat like in nftables)
or maybe it is not necessary?
Is there any possibility of packet leaks? I mean that these
pf rules/ruleset will not match some packet and the packet
could go to the Internet instead of the local socket?
I would like to prevent that. I am better off not sending
the packet anywhere than sending it to the Internet.



Network isolation of process using rdomain rtable

2016-02-15 Thread Lampshade
Hello,
OpenBSD current amd64
I would like to isolate an application from the network and also
to make sure that every packet goes to a certain port at
a certain IP address.
On Linux I achieved that using a network namespace, veth,
iptables (destination nat) or nftables (dnat and snat).

So far I have a pair of pair devices:
cat /etc/hostname.pair*
inet 172.10.0.1 255.255.255.0 172.10.0.255 rdomain 1 \
description "An isolated Ethernet"
inet 172.10.0.2 255.255.255.0 172.10.0.255

patched together
ifconfig pair1 patch pair2

with default route:
route -T1 add default 172.10.0.2

Commands for programs:
Server
/usr/local/bin/sudo -u user /usr/bin/nc -4 -k -l 172.10.0.2 9191

Commands for programs I would like to intercept/redirect:
Client 1 (port is the same):
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -v 172.10.0.2 9191
Client 2 (port must be also redirected):
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -v 172.10.0.2 9192

I struggle with pf rules. Now I have something like this,
but probably wrong:
pass out  quick on pair1 inet  proto tcp from 172.10.0.1  \
rdr-to 172.10.0.2 port 9040  keep state (floating)
pass out  quick on pair1 inet  proto udp from 172.10.0.1  \
rdr-to 172.10.0.2 port 9053  keep state (floating)

pass in quick log (all, to pflog0) on pair2 inet proto tcp  \
to 172.10.0.2  nat-to pair1
pass in quick log (all, to pflog0) on pair2 inet proto udp  \
to 172.10.0.2 nat-to pair1

pass in
pass out
pass out on {pair1,pair2}
pass in  on  {pair1,pair2}

I have tried with various other pf rules, the rtable option,
but none of that has worked.
Do I need rdr-to and nat-to (like in nftables) or
could I just use rdr-to (like in iptables)?
What pf rules should I use?



Ntpd's confusing log messages

2016-02-06 Thread Lampshade
It is probably just aesthetics.
When my clock is not synchronized and differs by a few seconds,
I get the following output:
grep ntpd /var/log/daemon | tail -n 30
Feb  6 17:57:00 host ntpd[7585]: constraint reply from ip: offset 8.928573
Feb  6 17:57:19 host ntpd[7585]: peer 158.75.5.245 now valid
Feb  6 17:57:23 host ntpd[7585]: peer 194.29.130.252 now valid
Feb  6 17:57:25 host ntpd[7585]: peer 150.254.183.15 now valid
Feb  6 17:58:17 host ntpd[9279]: adjusting local clock by 9.096751s
Feb  6 18:02:02 host ntpd[9279]: adjusting local clock by 7.971861s
Feb  6 18:05:50 host ntpd[9279]: adjusting local clock by 6.838999s
Feb  6 18:07:26 host ntpd[9279]: adjusting local clock by 6.363730s
Feb  6 18:07:59 host ntpd[9279]: adjusting local clock by 6.196142s
Feb  6 18:11:11 host ntpd[9279]: adjusting local clock by 5.246003s
Feb  6 18:13:18 host ntpd[9279]: adjusting local clock by 4.615421s
Feb  6 18:14:55 host ntpd[9279]: adjusting local clock by 4.133148s
Feb  6 18:15:43 host ntpd[7585]: peer 150.254.183.15 now invalid
Feb  6 18:15:44 host ntpd[9279]: adjusting local clock by 3.892080s
Feb  6 18:20:04 host ntpd[9279]: adjusting local clock by 2.597929s
Feb  6 18:21:02 host ntpd[7585]: peer 150.254.183.15 now valid
Feb  6 18:24:19 host ntpd[9279]: adjusting local clock by 1.321471s
Feb  6 18:24:51 host ntpd[9279]: adjusting local clock by 1.161470s
Feb  6 18:29:06 host ntpd[7585]: clock is now synced

I don't think that the clock is adjusted "by" those values.
If that were the case, I guess the clock would be synced far faster.
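The lines quoted above, run through an added example (not code from the post or from ntpd itself): ntpd(8) hands each offset to adjtime(2), which slews the clock gradually instead of stepping it, so the script measures how fast the reported offset decays, projects when it would reach zero, compares that with the "clock is now synced" line, and flags any message where the offset grew instead of shrinking, which is the event a monitoring rule should care about.

```python
"""Measure how fast the offset in ntpd(8) 'adjusting local clock by' messages
shrinks.  Added example, not code from the post or from ntpd."""
import re
from datetime import datetime

# The ntpd lines quoted in the post.  syslog omits the year; it is supplied below.
SAMPLE_LOG = """\
Feb  6 17:57:00 host ntpd[7585]: constraint reply from ip: offset 8.928573
Feb  6 17:57:19 host ntpd[7585]: peer 158.75.5.245 now valid
Feb  6 17:57:23 host ntpd[7585]: peer 194.29.130.252 now valid
Feb  6 17:57:25 host ntpd[7585]: peer 150.254.183.15 now valid
Feb  6 17:58:17 host ntpd[9279]: adjusting local clock by 9.096751s
Feb  6 18:02:02 host ntpd[9279]: adjusting local clock by 7.971861s
Feb  6 18:05:50 host ntpd[9279]: adjusting local clock by 6.838999s
Feb  6 18:07:26 host ntpd[9279]: adjusting local clock by 6.363730s
Feb  6 18:07:59 host ntpd[9279]: adjusting local clock by 6.196142s
Feb  6 18:11:11 host ntpd[9279]: adjusting local clock by 5.246003s
Feb  6 18:13:18 host ntpd[9279]: adjusting local clock by 4.615421s
Feb  6 18:14:55 host ntpd[9279]: adjusting local clock by 4.133148s
Feb  6 18:15:43 host ntpd[7585]: peer 150.254.183.15 now invalid
Feb  6 18:15:44 host ntpd[9279]: adjusting local clock by 3.892080s
Feb  6 18:20:04 host ntpd[9279]: adjusting local clock by 2.597929s
Feb  6 18:21:02 host ntpd[7585]: peer 150.254.183.15 now valid
Feb  6 18:24:19 host ntpd[9279]: adjusting local clock by 1.321471s
Feb  6 18:24:51 host ntpd[9279]: adjusting local clock by 1.161470s
Feb  6 18:29:06 host ntpd[7585]: clock is now synced
"""

STAMP = r'(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})'
ADJUST_RE = re.compile(STAMP + r' \S+ ntpd\[\d+\]: adjusting local clock by '
                       r'(?P<offset>-?\d+\.\d+)s$')
SYNCED_RE = re.compile(STAMP + r' \S+ ntpd\[\d+\]: clock is now synced$')


def parse_stamp(stamp, year):
    """syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f'{year} {stamp}', '%Y %b %d %H:%M:%S')


def parse_adjustments(log_text, year=2016):
    """[(time, offset_seconds)] for every 'adjusting local clock by' line, in order."""
    found = []
    for line in log_text.splitlines():
        m = ADJUST_RE.match(line)
        if m:
            found.append((parse_stamp(m['stamp'], year), float(m['offset'])))
    return found


def slew_rate(adjustments):
    """Offset removed per second of wall time between the first and last
    message (seconds per second; multiply by 1e6 for ppm).  This approximates
    the speed at which the kernel slews the clock for adjtime(2)."""
    if len(adjustments) < 2:
        return 0.0
    (t0, o0), (t1, o1) = adjustments[0], adjustments[-1]
    elapsed = (t1 - t0).total_seconds()
    return (abs(o0) - abs(o1)) / elapsed if elapsed > 0 else 0.0


def seconds_until_synced(adjustments):
    """Projected time from the last message until the remaining offset is gone,
    assuming the slew continues at the measured rate."""
    rate = slew_rate(adjustments)
    return abs(adjustments[-1][1]) / rate if rate > 0 else float('inf')


def observed_sync_delay(log_text, year=2016):
    """Seconds between the last adjustment message and 'clock is now synced',
    or None if the log never reports sync."""
    adjustments = parse_adjustments(log_text, year)
    synced = [parse_stamp(m['stamp'], year)
              for m in (SYNCED_RE.match(l) for l in log_text.splitlines()) if m]
    if not adjustments or not synced:
        return None
    return (synced[-1] - adjustments[-1][0]).total_seconds()


def offset_growth(adjustments):
    """Messages whose |offset| is larger than the previous one.  A healthy slew
    gives an empty list; an entry means the clock jumped or a source started
    reporting a different time, which is what an alert should fire on."""
    return [(t, o) for (_, prev), (t, o) in zip(adjustments, adjustments[1:])
            if abs(o) > abs(prev)]


if __name__ == '__main__':
    adj = parse_adjustments(SAMPLE_LOG)
    print(f'{len(adj)} adjustments, slew about {slew_rate(adj) * 1e6:.0f} ppm')
    print(f'projected {seconds_until_synced(adj):.0f}s to sync, '
          f'observed {observed_sync_delay(SAMPLE_LOG):.0f}s')
    print('offset grew at:', offset_growth(adj))
```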



Re: xz: (stdin): Cannot allocate memory

2016-01-30 Thread Lampshade
I figured out that my default is:
ulimit -d

1572864

echo "1572864/1024" | bc
1536

The value which lets me compress using this setting is
between 1682864 and 1672864 kilobytes.

I have also discovered the command line option for xz: --memlimit=
Now my command looks like this:

cat archive.tar | xz -zf --memlimit=1600MiB  \
--format=xz -9e --threads=2 - > archive.tar.xz

but I get:
xz: Adjusted the number of threads from 2 to 1 to not exceed the memory
usage limit of 1600 MiB

1600 is clearly larger than 674*2=1348

In the end I can compress, but I think that something is wrong.

From: "Christian Weisgerber" <na...@mips.inka.de>
To: "Lampshade" <lampsh...@poczta.fm>;
Sent: 16:25 Saturday 2016-01-30
Subject: Re: xz: (stdin): Cannot allocate memory

> Lampshade:
>
> > I have following error:
> > cat archive.tar | xz -zf --format=xz -9e --threads=2 - > archive.tar.xz
> > xz: (stdin): Cannot allocate memory
>
> You are using the most extreme compression setting, which requires
> about 674 MB per thread according to the xz(1) man page.  This
> causes you to bump against the data size limit (ulimit -d, see
> ksh(1)).
>
> You need to raise the limit or use a less greedy compression setting.
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de



Re: xz: (stdin): Cannot allocate memory

2016-01-30 Thread Lampshade
This xz command worked in the past so I think something must
have changed since then. Indeed, this command worked
when I had 4G of DDR3@1333Mhz RAM. Now I have 6GB DDR3
on the same laptop so I have even more.
I will look at ulimit -d this evening. I didn't change it manually, so it
must have been changed during an upgrade from current to current.



xz: (stdin): Cannot allocate memory

2016-01-30 Thread Lampshade
Hello
I have this OS with packages as of yesterday (Jan 29):
kern.version=OpenBSD 5.9-beta (GENERIC.MP) #1865: Thu Jan 28 20:18:15 MST 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

and also tested with packages from around Jan 17:
kern.version=OpenBSD 5.9-beta (GENERIC.MP) #1846: Sun Jan 17 02:34:54 MST 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

I have following error:
cat archive.tar | xz -zf --format=xz -9e --threads=2 - > archive.tar.xz 
xz: (stdin): Cannot allocate memory



codepage and iocharset in fat32 aka msdos filesystem

2016-01-17 Thread Lampshade
Hello,
I am from Poland.
I am using Windows 8.1 64-bit and OpenBSD-current amd64.
When I used Gnu/Linux I mounted fat32 partitions
with these options:
iocharset=iso8859-2,codepage=852
However OpenBSD's mount tells me:
mount -t msdos  -o codepage=852 /dev/sd0f /mnt/partycjaFat/
mount_msdos: -o codepage: option not supported

and
mount -t msdos  -o iocharset=iso8859-2 /dev/sd0f /mnt/partycjaFat/
mount_msdos: -o iocharset: option not supported

1. What codepage is used by default in a FAT32 filesystem created
and mounted in OpenBSD?
2. Is there a way to use another codepage in OpenBSD?
If the answer to 2 is no, then:
3. Is there a way to force Windows to use a different codepage
for that FAT32 partition?



Re: Relayd as a HTTPS client

2016-01-10 Thread Lampshade
I have posted this message
also to bugs mailing lists with subject
Relayd in TlsClient mode accepts TLSv1 and TLSv1.1
today, January 10, 2016



Relayd as a HTTPS client

2016-01-06 Thread Lampshade
Hi,
I am using the following configuration to connect to TLS websites:
Chromium <-> relayd as a server <-> privoxy <-> relayd as a client <-> hostile Internet
I want to focus on relayd as a client in this mailing list thread.
I want to instruct relayd as a client to only connect to servers using TLS versions 1.1
and 1.2. I don't want TLS version 1.0 and SSL version 3.0. Here is
the, I hope relevant, part of my config /etc/relayd.conf:

http protocol certKlient {
	tls no cipher-server-preference
	tls no tlsv1.0
	tls tlsv1.1
	tls tlsv1.2
	tls ca key "/etc/ssl/private/ca.key" password "domek" # i will change that in a future
	# i don't use that config to my bank account and other relevant websites
	tls ca cert "/etc/ssl/ca.crt"
	tls ciphers "HIGH:!aNULL:!eNULL:!SSLv3:!TLSv1:!DSS:!ECDSA:!RSA:!SHA1:-ECDH:ECDHE:+SHA384:+SHA256"
	pass
}

relay SendReencryptNormal {
	listen on 127.0.0.1 port 7443
	protocol certKlient
	forward with tls to destination
}

The problem is that I can type into a terminal something like:

openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -no_ssl3 
-no_tls1_1 -no_tls1_2
or
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www  -tls1

and tell Chromium to go to: https://127.0.0.1:44330/
and it will connect using TLS version 1.0.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
Protocol  : TLSv1
Cipher: ECDHE-RSA-AES256-SHA
Session-ID: 
Session-ID-ctx: 0100
Master-Key: 
EC6722729D895BEBEDAEDF1964920A6EDEC11674F5FC7F213C1449AE1CA19C393AD9952FBC7B8023ECD7767D72B47D9B
Start Time: 1452113060
Timeout   : 300 (sec)
Verify return code: 0 (ok)

I can also go to:
https://www.ssllabs.com/ssltest/viewMyClient.html
and this website also tells me that I can be connected using TLS version 1.0.

So this is my main problem: I don't want to connect using TLS version 1.0.

What should I add to /etc/relayd.conf to prevent that?



Re: Failed to boot after upgrading to Dec. 23 snapshot

2015-12-23 Thread Lampshade
Similar problem:

Upgrade history:
Dec 18 2015 - ok
Dec 19 2015 - ok
Dec 23 2015 - can not boot after that

partial outputs from commands:
disklabel sd0
 size   offset fstype
a: 146805807  829967361  RAID
other not related to OpenBSD

disklabel sd1
 size  offsetfstypefsize   bsize   cpg
a: 8388608  64 4.2BSD 2048 16384 1
c: 146805279  0   unused
other related, but I don't think they are useful for this
If I am wrong ask for more information.

bioctl softraid0
Volume  Status  Size   Device
softraid0 0 Online 75164302848 sd1   CRYPTO
 0 Online 75164302848 0:0.0 noencl sd0a

machine diskinfo
DISK BIOS Type   Cyls  Heads
hd00x80  label 1023 255
Secs Flags Checksum
63  0x2 0xac69cac8

I am using FDE for OpenBSD current. I have upgraded as usual for me
from external separate installation media.
I have, as always, used bioctl to manually provision the encrypted partition.
bioctl -c C -l /dev/sd0a softraid0

then I run the upgrade.

I must admit that when I normally use OpenBSD the provisioned disk is
called sd1, and when I upgrade the provisioned disk is sd2,
but that never caused a problem.

I also have another warning, which I usually see but which never
caused a problem either.
Making all device nodes… done
installboot: /mnt/usr/mdec/biosboot
extends beyond sector 268435455. OpenBSD might not boot.
Multiprocessor machine; using bsd.mp instead of bsd.
Congratulations! something

From the bootloader I got:

Loading …..
probing: pc0 mem[something]
disk: hd0+ sr0*
>> OpenBSD/amd64 BOOT 3.29
Passphrase:
open (sr0a:/etc/boot.conf): can't read disk label
boot>
cannot open sr0a:/etc/random.seed:
can't read disk label
booting sr0a:/bsd:open sr0a:/bsd:
can't read disk label



Re: Failed to boot after upgrading to Dec. 23 snapshot

2015-12-23 Thread Lampshade
Topic should go to tech.. and is actually solved.



Browsers in OpenBSD with W^X support

2015-12-19 Thread Lampshade
Hello,
I would like to know if there are other browsers using W^X
besides Firefox, which I know to have this enabled.
I am especially interested in the Chromium package.



Mono and GTK on OpenBSD

2015-12-16 Thread Lampshade
Hello,
I would like to learn programming in C# using Mono on OpenBSD.
Is it possible to easily use GtkSharp (GTK#) to prepare an environment
to create a Hello World program using GTK?



Re: I have problem compiling libgdamm

2015-12-11 Thread Lampshade
It was the root cause of the problem.
When I downloaded release tarball instead of something from
git.gnome.org it compiled successfully.
Thanks for help.

From: "Callum Davies" <calrog...@gmail.com>
To: "Lampshade" <lampsh...@poczta.fm>;
Sent: 17:31 Sunday 2015-12-06
Subject: Re: I have problem compiling libgdamm

> I'm running current amd64.  There's no need to run autogen.sh if you
> are using a release tarball of libgdamm.



I have problem compiling libgdamm

2015-12-05 Thread Lampshade
Hello,
I want to compile libgdamm from source.
I have tried with 3 releases and I have the same error
after I type: gmake.
libgdamm has been extracted to:
/home/open/kompilacje/libgdamm/kod/

gmake[1]: Entering directory 
'/home/open/kompilacje/libgdamm/kod/libgdamm-4.99.8/libgda/src'
/usr/bin/perl -I"/usr/local/lib/glibmm-2.4/proc/pm" -- 
"/usr/local/lib/glibmm-2.4/proc/gmmproc" -I ../../tools/m4 --defs . config . 
../libgdamm
Documentation: Class/Namespace for gda_dsn_split not found
Documentation: Transformed C name gda_dsn_split into C++ name gda_dsn_split
No initialization for type get4 from type GdaConfig* defined (line: get8, 
output param: get3, c return: gda_config_get`'())
 
m4 failed with exit code 1.  Aborting...

What can I do to successfully compile this library?



Re: Is it possible to use pledge(2) to make something similar to firejail?

2015-11-30 Thread Lampshade
Thanks for answers.
@dan mclaughlin. But how to prevent an attacker from getting out of the chroot?
Do you think it is possible to prevent this using pledge(2)?

Thanks for the links. Especially Jonathan's "Re: making firefox less
insecure"
mail dated 2014-11-23 is worth reading for me. I wonder if
pledge(2), in theory, can be used to extend his program.



Is it possible to use pledge(2) to make something similar to firejail?

2015-11-29 Thread Lampshade
Is it possible, in theory, to use pledge(2) to make something similar to
firejail?
https://packages.debian.org/sid/main/firejail
Firejail is a Gnu/Linux program which executes Firefox as its descendant
with reduced privileges.
For example I would like to restrict Firefox to not write to and read from directories
outside the /home/firefox directory. Let's assume that I run firefox as another
user than my normal account. I would restrict Firefox and all its descendants
using traditional Unix privileges, logging in as another user to regain privileges to,
for example, /home/open. I imagine that would still leave a huge attack vector
to pwn the system and/or sniff passwords, but I think it is better than nothing.



Re: pf change destination port for outgoing traffic

2015-11-25 Thread Lampshade
match out on bge0 inet proto tcp to any port 80 user "_relayd" tag przekierujNaPort443
pass out quick log (all, to pflog0) inet proto tcp tagged przekierujNaPort443 rdr-to 0.0.0.0/0 port 443 bitmask

Indeed it works. Thank you very much.



Re: pf change destination port for outgoing traffic

2015-11-24 Thread Lampshade
Has anything changed during these years?
I would like to do the same thing the author of the topic wanted.
I want it because I am playing with relayd, privoxy and pf.
I have done the chain Firefox -> relayd1 -> privoxy -> relayd2, but
relayd2 seems to try to establish a TLS connection to port 80 rather
than 443 after the line "forward with tls to destination",
if I debug the problem correctly.
This topic about the chain
is connected with "Re: TLS intercepting proxy [MitM]".



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Lampshade
Thanks Uwe Werler!

I have not yet established the chain described in the first message, but that is due to
lack of time; I didn't try.
Firefox runs as the firefox user.
I actually have MitM on relayd *using divert* with this pf magic:

cat /etc/pf_kop.conf

ext_if="bge0"
int_if="lo0"

set state-policy floating
pass out quick log on $ext_if inet proto tcp to any port 443 user firefox route-to lo0
pass in quick log on lo0 inet proto tcp to any port 443 divert-to 127.0.0.1 port 8443
pass in
pass out

Thanks for all, especially Uwe Werler!

I am going to try to make the chain described in the first message in a day or two.



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Lampshade
Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing
is that I want to send decrypted traffic to another process (privoxy), and then re-encrypt it.
I also have a problem with Reyk's config because I can not divert outgoing
traffic using pf.
I have tried with rdr-to and nat-to, but it removes the destination IP address from the
packets.
I want to intercept and alter traffic on the same box that I run Firefox on.
Is this possible using pf and relayd or must I use something else?



TLS intercepting proxy [MitM]

2015-11-23 Thread Lampshade
Hello,
I would like to use privoxy to scrub/delete
some information in the application layer (HTTP) going out from my PC.
The problem is that a lot of connections are secured with TLS, so privoxy can not
filter them.
Is there any way to do something like this:
Firefox -> decrypt [MitM] -> privoxy -> encrypt securely -(NIC)-> Internet?
It is my PC, so I can install a new certificate or something like that,
but nevertheless I don't know how to achieve that result.
Is this possible using relayd?
Is it possible with another tool in ports or something that I can compile from
source?



Changing directory for fetching source code

2015-10-03 Thread Lampshade
Hi,
I would sometimes like to experiment with some options/custom config in the kernel.
On the other hand that is not supported by OpenBSD. Suppose I need to reproduce a
problem with the original kernel. I think a good solution for me would be to have
two directories for OpenBSD's code. Instead of /usr/src/sys/ I would have:
1. /usr/original/src/sys/
2. /usr/modified/src/sys/

Question:
Is changing the path to the source code directory supported by OpenBSD?
I mean this as the only change to the build process covered by the FAQ.
No other changes are going to be made.



Rust programming language

2015-05-19 Thread Lampshade
Hello
May 15 2015 was the release date for Rust 1.0. What is your opinion on Rust?
Does it have any chance of some day being a popular programming language?
Do you think that learning Rust can be good for educational purposes?



Software for time management calendar

2015-03-22 Thread Lampshade
What software do you use for this purpose?



Re: Raspberry Pi 2 Model B

2015-02-03 Thread Lampshade
Hello
I didn't know that the Raspberry Pi is so closed that it requires a closed source
blob to even boot. Thanks for the responses. I am not going to buy a Raspberry Pi 2
any more (or at least not until the blob is open source).
Have a good day.



Raspberry Pi 2 Model B

2015-02-02 Thread Lampshade
Hi
A new version of the Raspberry Pi has been announced. Its SoC has four cores of the Cortex-A7
microarchitecture so it is compatible with ARMv7. It also has 1 GB of RAM.
It has the same GPU as its predecessor: VideoCore IV 3d. For some time the GPU has had
open documentation and an open (BSD licence) driver in the Linux world. The price is still
$35. It should be electrically compatible with its predecessor and have the same
dimensions.
Are you going to support this hardware in OpenBSD?



Does OpenBSD support AMD's APU hardware well?

2014-06-29 Thread Lampshade
Hello,
I am a student from Poland (a country in Central Europe) and I would love to
use OpenBSD every day. I must have the Windows operating system too. I must
have it because of Autodesk's Inventor and AutoCAD software (in the future
probably also SolidWorks) and Ansys and so on. For that software I need
something more powerful than Intel's GPU (not only for performance but
also for quality). Today I have a laptop with Optimus (Intel's GPU + Nvidia's
GPU; if Nvidia's GPU renders something, Intel's GPU is the proxy). It works
well under Windows. Under Linux Intel's GPU works well, and Nvidia's GPU is
powered off by default. I can use it with manually typed commands. I can not
do anything in the BIOS to turn off Nvidia's GPU.
OpenBSD can not turn off my Nvidia's GPU (despite the fact that it does not
render or pass through anything), and it just consumes a lot of energy from the
battery and heats my laptop.
So I would consider buying a new laptop with an AMD APU if it is supported
well by OpenBSD and does not heat the laptop to high temperatures. Does anybody
have experience with AMD APUs on OpenBSD and can let me know if it
performs well?
I know for a lot of you buying a laptop is relatively more affordable. Please
consider that in Poland we have the same (or even a bit higher) prices for
electronics and considerably lower earnings, so I don't want to make a
mistake and buy hardware based on my wrong opinion about the support of
AMD's GPUs in OpenBSD.
I didn't post this topic in „General Hardware” because I am particularly
interested in OpenBSD support, but if you consider that it should land there
please place this topic there.

With best regards



Is there any chance of implementing a switch to turn off, for example, PCI-Express devices?

2014-05-14 Thread Lampshade
Hello
I have many devices in my laptop that I don't use. For example the DVD writer. But my
greatest problem is the inability to turn off the Nvidia GPU under OpenBSD.
Unfortunately I have an Optimus laptop, so I don't have a normal, independent
hardware multiplexer. I have Intel and Nvidia GPUs, and the Intel GPU is a proxy for
the Nvidia GPU. I don't use the Nvidia GPU under Linux and it is fine. However, under
OpenBSD I can't even turn off the Nvidia GPU, despite the fact that the GPU is not
usable due to the lack of drivers in OpenBSD for this GPU. The Intel GPU is fine for me
for Linux and OpenBSD tasks (I use the Nvidia GPU for Autodesk Inventor in Windows).
But the Nvidia GPU is heating my laptop despite not being used by OpenBSD. It is a
significant change in temperature: under Linux and Windows (lightweight tasks) I have
about 42 degrees Celsius (°C), and under OpenBSD's default configuration, when it is
idle, it is 67 degrees Celsius (°C); when I switched the CPU frequency to the lowest
possible with apmd it is still about 63 degrees Celsius (°C).
I think this can reduce the lifetime of my laptop.
I think that in OpenBSD there is currently no way to disable a particular device,
but as I understand it, PCI-Express has power-management capabilities and can turn
off a device. Is there any chance that in a future version of OpenBSD a switch will be
implemented to turn off a particular device by advanced users via sysctl,
or, I don't know, the /dev directory? Something like bbswitch under Linux.
In any case, here is the output of my dmesg:
http://daemonforums.org/showpost.php?p=50519postcount=98
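The PCI power-management capability the post refers to is a standard structure in every function's configuration space: a capability list anchored at offset 0x34, in which the Power Management entry (ID 0x01) carries a PMC register advertising the supported D-states and a PMCSR register holding the current one. The C program below is an added example (not code from the thread or from OpenBSD) that walks that list, reports which D-states the device advertises and which one it is in, and computes the PMCSR value a driver would write to request D3hot. It runs on a constructed sample config space; on OpenBSD, when given `bus dev func` arguments, it instead reads the real config space through the PCIOCREAD ioctl on /dev/pci0 (pci(4)), which is assumed here and is read-only. It never writes PMCSR: actually powering a device down is the kernel's job, which is what the post asks for, and on an Optimus laptop the discrete GPU is normally switched through ACPI methods (as bbswitch does) rather than through PCI PM alone.

```c
/* pcipm.c: walk a PCI config-space capability list and decode the Power
 * Management capability (PMC/PMCSR). Added example; not code from the thread. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCI_CFG_LEN          256    /* legacy config space size */
#define PCI_STATUS_REG       0x06   /* bit 4 set: capability list present */
#define PCI_STATUS_CAPLIST   0x0010
#define PCI_CAPLISTPTR_REG   0x34   /* offset of first capability */
#define PCI_CAP_PWRMGMT      0x01   /* capability IDs */
#define PCI_CAP_PCIEXPRESS   0x10
#define PCI_PMC_D1_SUPPORT   0x0200 /* PMC (cap+2) bits 9 and 10 */
#define PCI_PMC_D2_SUPPORT   0x0400
#define PCI_PMCSR_STATE_MASK 0x0003 /* PMCSR (cap+4) bits 1:0: D0..D3hot */
#define PCI_PMCSR_PME_STATUS 0x8000 /* write-1-to-clear; mask it on writes */

static uint16_t cfg_read16(const uint8_t *cfg, unsigned off)
{
    return (uint16_t)(cfg[off] | ((uint16_t)cfg[off + 1] << 8));
}

/* Offset of capability `id`, or 0 if absent. The hop limit and range checks
 * guard against looping or out-of-range pointers in firmware-supplied data. */
int pci_find_cap(const uint8_t *cfg, uint8_t id)
{
    if (!(cfg_read16(cfg, PCI_STATUS_REG) & PCI_STATUS_CAPLIST))
        return 0;
    unsigned off = cfg[PCI_CAPLISTPTR_REG] & ~3u;
    for (int hops = 0; hops < 48 && off >= 0x40 && off + 8 <= PCI_CFG_LEN; hops++) {
        if (cfg[off] == id)
            return (int)off;
        off = cfg[off + 1] & ~3u;
    }
    return 0;
}

/* Current power state (0=D0, 1=D1, 2=D2, 3=D3hot), or -1 without a PM cap. */
int pci_pm_state(const uint8_t *cfg)
{
    int cap = pci_find_cap(cfg, PCI_CAP_PWRMGMT);
    return cap ? (cfg_read16(cfg, cap + 4) & PCI_PMCSR_STATE_MASK) : -1;
}

/* 1 if PMC advertises `state`: D0 and D3hot are mandatory, D1/D2 optional. */
int pci_pm_supports(const uint8_t *cfg, int state)
{
    int cap = pci_find_cap(cfg, PCI_CAP_PWRMGMT);
    if (!cap || state < 0 || state > 3)
        return 0;
    uint16_t pmc = cfg_read16(cfg, cap + 2);
    if (state == 1) return (pmc & PCI_PMC_D1_SUPPORT) != 0;
    if (state == 2) return (pmc & PCI_PMC_D2_SUPPORT) != 0;
    return 1;
}

/* PMCSR value a driver would write to request `state` (nothing is written
 * here); -1 if unsupported. PME_Status is masked so the write cannot clear it. */
int pci_pm_pmcsr_for(const uint8_t *cfg, int state)
{
    if (!pci_pm_supports(cfg, state))
        return -1;
    uint16_t pmcsr = cfg_read16(cfg, pci_find_cap(cfg, PCI_CAP_PWRMGMT) + 4);
    return (pmcsr & ~(PCI_PMCSR_STATE_MASK | PCI_PMCSR_PME_STATUS)) | state;
}

/* Constructed sample (not a real device): cap list 0x50 (PM) -> 0x60 (PCIe). */
void build_sample_cfg(uint8_t *cfg, uint16_t pmc, uint16_t pmcsr)
{
    memset(cfg, 0, PCI_CFG_LEN);
    cfg[PCI_STATUS_REG] = PCI_STATUS_CAPLIST;
    cfg[PCI_CAPLISTPTR_REG] = 0x50;
    cfg[0x50] = PCI_CAP_PWRMGMT;    cfg[0x51] = 0x60;
    cfg[0x52] = pmc & 0xff;         cfg[0x53] = pmc >> 8;
    cfg[0x54] = pmcsr & 0xff;       cfg[0x55] = pmcsr >> 8;
    cfg[0x60] = PCI_CAP_PCIEXPRESS; cfg[0x61] = 0x00;
}

#ifdef __OpenBSD__
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/pciio.h>
/* Read-only dump of bus/dev/func config space via PCIOCREAD on /dev/pci0
 * (pci(4)); assumed interface, and it never changes the device's state. */
static int read_cfg_openbsd(int bus, int dev, int func, uint8_t *cfg)
{
    int fd = open("/dev/pci0", O_RDONLY);
    if (fd < 0)
        return -1;
    for (int reg = 0; reg < PCI_CFG_LEN; reg += 4) {
        struct pci_io io = { .pi_sel = { bus, dev, func }, .pi_reg = reg, .pi_width = 4 };
        if (ioctl(fd, PCIOCREAD, &io) == -1) { close(fd); return -1; }
        for (int i = 0; i < 4; i++)            /* keep config-space byte order */
            cfg[reg + i] = (io.pi_data >> (8 * i)) & 0xff;
    }
    close(fd);
    return 0;
}
#endif

int main(int argc, char **argv)
{
    static const char *names[] = { "D0", "D1", "D2", "D3hot" };
    uint8_t cfg[PCI_CFG_LEN];
    build_sample_cfg(cfg, 0x0603, 0x0000);      /* PM v3, D1+D2 supported, in D0 */
#ifdef __OpenBSD__
    if (argc == 4 && read_cfg_openbsd(atoi(argv[1]), atoi(argv[2]), atoi(argv[3]), cfg)) {
        perror("PCIOCREAD");
        return 1;
    }
#else
    (void)argc; (void)argv;
#endif
    int st = pci_pm_state(cfg);
    if (st < 0) {
        puts("no PCI Power Management capability");
        return 0;
    }
    printf("PM cap at 0x%02x: state %s, D1 %s, D2 %s, PMCSR for D3hot 0x%04x\n",
           pci_find_cap(cfg, PCI_CAP_PWRMGMT), names[st],
           pci_pm_supports(cfg, 1) ? "yes" : "no",
           pci_pm_supports(cfg, 2) ? "yes" : "no", pci_pm_pmcsr_for(cfg, 3));
    return 0;
}
```

The capability walk is bounded on purpose: configuration space is data supplied by the device and its firmware, so a pointer that loops or points outside the 256-byte region must terminate the walk rather than read past the buffer. Knowing that a device advertises D3hot only tells you PCI PM could put it there; whether that actually cuts power on a given laptop depends on the platform, which is why bbswitch goes through ACPI.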