man.openbsd.org timing out via HTTP & HTTPS

2023-12-29 Thread Tim Chase
Not much to add to the subject.  For a couple days now, I've tried
connecting via HTTP & HTTPS from various points around the internet
and they all time out.  Sounds like something hung or accidentally
lost power and needs a nudge.

Thanks!

-tkc






Re: Pausing/Freezing issues with Protectli FW4B

2023-08-11 Thread Tim Baumgard
On Fri, Aug 11, 2023 at 5:56 PM Stuart Henderson
 wrote:
>
> On 2023-08-11, Tim Baumgard  wrote:
> > I'm having an issue with my Protectli FW4B that's become more of a
> > problem lately. Essentially, it's the same thing that this person [0]
> > encountered.
>
> IIRC those are the machines that have problems if there's no display connected

I put in a dummy HDMI plug from another piece of tricky hardware, and
that seems to have fixed it. 200 pings and not a single spike over
1 ms. Thanks!

Tim



Pausing/Freezing issues with Protectli FW4B

2023-08-11 Thread Tim Baumgard
I'm having an issue with my Protectli FW4B that's become more of a
problem lately. Essentially, it's the same thing that this person [0]
encountered.

I'm having keystrokes momentarily freeze when typing via ssh and am
getting some ping spikes that happen anywhere from every 10-30 seconds
and going from well under 1 ms in the typical case up to around 800 ms
when spiking. The freezes coincide with the spikes. When connected via
serial, I see the same pausing when typing or even pinging localhost,
and the pausing coincides with the ping spikes remotely. ping will pause
at the same time I get a spike remotely, but the actual ping time
doesn't fluctuate out of the ordinary.

I tried the things Stuart recommended [1] in the thread. Everything
seems normal, but I admit I'm not sure what all of the finer details
mean. I've included them below. I'm not too sure it's a network issue
given what I'm seeing when connected via serial, but I'm also not sure
if it smells of a hardware, locking/scheduling issue, or what.

The base part of the router is fairly simple: I enable IP forwarding in
sysctl.conf, em0 is the WAN port, and em1-em3 provide different subnets
for different purposes. I'm also using pf, dhcpd, unbound, wg, and
vnstat. All of this works as-is, and I've tried completely disabling
vnstat and pf. FWIW, this is a 1Gbps fiber connection. top shows CPU
usage trends around 5%, memory usage around 25%, and 0% swap being used.

Any pointers where I can investigate next would be appreciated.

Tim

[0] https://marc.info/?l=openbsd-misc&m=159166807203817&w=2
[1] https://marc.info/?l=openbsd-misc&m=159764612717042&w=2

--- ping

64 bytes from 10.0.0.1: icmp_seq=0 ttl=255 time=0.640 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.601 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=139.876 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=0.742 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=0.744 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=255 time=0.779 ms
64 bytes from 10.0.0.1: icmp_seq=6 ttl=255 time=0.477 ms
64 bytes from 10.0.0.1: icmp_seq=7 ttl=255 time=0.675 ms
64 bytes from 10.0.0.1: icmp_seq=8 ttl=255 time=0.753 ms
64 bytes from 10.0.0.1: icmp_seq=9 ttl=255 time=0.734 ms
64 bytes from 10.0.0.1: icmp_seq=10 ttl=255 time=0.782 ms
64 bytes from 10.0.0.1: icmp_seq=11 ttl=255 time=0.788 ms
64 bytes from 10.0.0.1: icmp_seq=12 ttl=255 time=0.698 ms
64 bytes from 10.0.0.1: icmp_seq=13 ttl=255 time=122.548 ms
64 bytes from 10.0.0.1: icmp_seq=14 ttl=255 time=0.736 ms
64 bytes from 10.0.0.1: icmp_seq=15 ttl=255 time=0.748 ms
64 bytes from 10.0.0.1: icmp_seq=16 ttl=255 time=0.816 ms
64 bytes from 10.0.0.1: icmp_seq=17 ttl=255 time=0.735 ms
64 bytes from 10.0.0.1: icmp_seq=18 ttl=255 time=0.732 ms
64 bytes from 10.0.0.1: icmp_seq=19 ttl=255 time=0.735 ms
64 bytes from 10.0.0.1: icmp_seq=20 ttl=255 time=0.706 ms
64 bytes from 10.0.0.1: icmp_seq=21 ttl=255 time=0.802 ms
64 bytes from 10.0.0.1: icmp_seq=22 ttl=255 time=0.545 ms
64 bytes from 10.0.0.1: icmp_seq=23 ttl=255 time=0.739 ms
64 bytes from 10.0.0.1: icmp_seq=24 ttl=255 time=99.840 ms
64 bytes from 10.0.0.1: icmp_seq=25 ttl=255 time=0.702 ms
64 bytes from 10.0.0.1: icmp_seq=26 ttl=255 time=0.837 ms
64 bytes from 10.0.0.1: icmp_seq=27 ttl=255 time=0.672 ms
64 bytes from 10.0.0.1: icmp_seq=28 ttl=255 time=0.772 ms
64 bytes from 10.0.0.1: icmp_seq=29 ttl=255 time=0.438 ms
64 bytes from 10.0.0.1: icmp_seq=30 ttl=255 time=0.819 ms
64 bytes from 10.0.0.1: icmp_seq=31 ttl=255 time=0.556 ms
64 bytes from 10.0.0.1: icmp_seq=32 ttl=255 time=0.685 ms
64 bytes from 10.0.0.1: icmp_seq=33 ttl=255 time=0.757 ms
64 bytes from 10.0.0.1: icmp_seq=34 ttl=255 time=0.797 ms
64 bytes from 10.0.0.1: icmp_seq=35 ttl=255 time=82.728 ms

--- dmesg

OpenBSD 7.3 (GENERIC.MP) #3: Tue Jul 25 08:20:26 MDT 2023
    r...@syspatch-73-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8473063424 (8080MB)
avail mem = 8196857856 (7817MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xec120 (49 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 06/18/2021
bios0: Protectli FW4B
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
acpi0: wakeup devices SIO1(S0) BRC1(S0) XHC1(S4) HDEF(S4) RP01(S4)
PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J3160 @ 1.60GHz, 1600.34 MHz, 06-4c-04
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LA
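
As an added example that is not part of Tim's post, here is a small script that parses ping(8) output in the format quoted above and reports which replies are spikes, how far apart they are, and whether any sequence numbers went missing. The RTT values are copied from the first 25 samples in the post; the 10x-median spike threshold is an assumption of the example, not something from the thread.

```python
import re
from statistics import median

# Sample input in ping(8) format. The RTT values are copied from the first 25
# samples in the post above; the lines are rebuilt here so the script runs
# offline. Spikes sit at icmp_seq 2, 13 and 24.
_RTTS = [0.640, 0.601, 139.876, 0.742, 0.744, 0.779, 0.477, 0.675, 0.753,
         0.734, 0.782, 0.788, 0.698, 122.548, 0.736, 0.748, 0.816, 0.735,
         0.732, 0.735, 0.706, 0.802, 0.545, 0.739, 99.840]
SAMPLE_PING = "\n".join(
    f"64 bytes from 10.0.0.1: icmp_seq={i} ttl=255 time={rtt:.3f} ms"
    for i, rtt in enumerate(_RTTS))

# One reply line from ping(8): only the sequence number and the RTT matter here.
PING_RE = re.compile(r"icmp_seq=(\d+)\s+ttl=\d+\s+time=([\d.]+)\s+ms")


def parse_ping(text):
    """Return [(icmp_seq, rtt_ms), ...] for every reply line in ping output."""
    samples = []
    for line in text.splitlines():
        m = PING_RE.search(line)
        if m:
            samples.append((int(m.group(1)), float(m.group(2))))
    return samples


def find_spikes(samples, factor=10.0):
    """Return (spike_seqs, baseline_ms).

    The baseline is the median RTT, which a handful of large outliers cannot
    drag upward the way a mean would. A sample counts as a spike when it
    exceeds factor x baseline (10x is an assumed threshold, not from the post)."""
    baseline = median(rtt for _, rtt in samples)
    spikes = [seq for seq, rtt in samples if rtt > factor * baseline]
    return spikes, baseline


def spike_gaps(spike_seqs, interval_s=1.0):
    """Seconds between consecutive spikes. ping(8) sends one probe per second
    by default, so the gap in sequence numbers is the gap in seconds."""
    return [(b - a) * interval_s for a, b in zip(spike_seqs, spike_seqs[1:])]


def missing_seqs(samples):
    """Sequence numbers with no reply between the first and last seen, i.e.
    outright packet loss rather than just delay."""
    seen = {seq for seq, _ in samples}
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


def summarize(text, factor=10.0):
    """Parse ping output and return the figures a troubleshooter wants first."""
    samples = parse_ping(text)
    spikes, baseline = find_spikes(samples, factor)
    return {
        "replies": len(samples),
        "baseline_ms": round(baseline, 3),
        "spikes": spikes,
        "gaps_s": spike_gaps(spikes),
        "lost": missing_seqs(samples),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PING))
```

On the post's own numbers the spikes land every 11 seconds with no lost packets. A fixed gap like that points at something periodic on the host itself rather than at random congestion on the link, which is the kind of evidence worth having before going looking at hardware, as the thread ends up doing.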

Re: httpd - conditional redirects

2021-04-28 Thread Tim Baumgard
On Wed, Apr 28, 2021 at 7:50 PM  wrote:
>
> .
>
> redirect [not]  to 
>
> I could then accomplish what I want using two location blocks:
>
> location match "^/maintenance.html$" {
>root "/htdocs/example.com/maintenance"
> }
> location match ".*" {
>redirect not my.ho.me.ip to scheme://host/maintenance.html
> }

I can’t speak for the OpenBSD developers, but I personally don’t think
this would be generally useful. However, I can maybe give you some
advice on how to accomplish what you want without any changes to httpd.

Back before httpd included what it does today, I used to use a "shim"
that I created to customize HTTP requests to do whatever I needed, even
if the application I was using didn't work due to a lack of some
features in httpd. In my case, it was a PHP file that would modify the
request and then pass everything on to whatever application. I set up a
match rule in httpd.conf that would match anything and set it to call
that shim, which would then dispatch things as needed.

So, some pseudocode for a shim for your instance:

<?php
$isInMaintenanceMode = true;   // flip this when the site is down for maintenance
$myIpAddress = '192.0.2.1';    // placeholder for your own address
if ($isInMaintenanceMode && $_SERVER['REMOTE_ADDR'] !== $myIpAddress) {
    // output the maintenance page
    readfile('/htdocs/example.com/maintenance/maintenance.html');
} else {
    // load the normal app (replace with your app's entry point)
    require 'index.php';
}

Hopefully you can figure out something that will work for your
situation.

Tim



Re: explicit_bzero vs. alternatives

2020-08-10 Thread Tim van der Molen
Philipp Klaus Krause (2020-08-10 21:00 +0200):
> Am 10.08.20 um 17:00 schrieb Theo de Raadt:
> > Philipp Klaus Krause  wrote:
> > 
> >> OpenBSD has the explicit_bzero function to reliably (i.e. even if not
> >> observable in the C abstract machine) overwrite memory with zeroes.
> >>
> >> WG14 is currently considering adding similar functionality to C2X.
> > 
> > Then perhaps in the interests of the public they should use the same
> > name, but I suspect they won't.
> 
> The functionality (i.e. some way to reliably overwrite memory) already
> exists under different names: explicit_bzero in OpenBSD,

explicit_bzero is also in glibc, musl, FreeBSD and DragonFly.

> memzero_explicit in Linux,

I think that is in the Linux *kernel*.

> memset_s in the optional Annex K of the C
> standard, explicit_memset in NetBSD, SecureZeroMemory in Windows etc.
> 
> A problem with the explicit_bzero name is that it is not an identifier
> reserved for future extensions of the C standard, unlike identifiers
> starting with mem.
> 
> > 
> >> Considered options include:
> >>
> >> * A function like explicit_bzero or memset_explicit, that overwrites the
> >> memory with a known value.
> > 
> > We have never needed any value other than zero.
> 
> Thanks. I assume this will help WG14.
> > 
> >> * A function like memclear, that overwrites the memory in an
> >> implementation-defined manner, possibly using random data.
> > 
> > This option is pretty laughable, because the compiler has no way to
> > collect random data.  There is nothing portable the compiler can call
> > to get the random data.  I've personally worked on making this possible
> > for more than a decade, and it is still not all there.
> 
> This option under the name secure_clear apparently is the one preferred
> by WG21, the C++ committee.
> 
> Philipp



Re: Traffic inspection with relayd

2020-04-16 Thread Tim Baumgard
Here are some helpful links that have information about TLS inspection
with relayd in case you haven't already seen them:

https://www.openbsd.org/papers/relayd-asiabsdcon2013.pdf
https://www.openbsd.org/papers/relayd-slides-asiabsdcon2013.pdf
https://reykfloeter.com/posts/relayd-ssl-interception
https://man.openbsd.org/relayd.conf.5

Since you didn't say what IoT devices you're using, I'll mention that
this won't work if you can't configure them somehow. You need them to
point to/proxy through your router or trust your CA certificate. If
your router could inspect TLS packets without doing that, TLS would be
broken or the device would have a security issue. I don't think many
commercial IoT devices will let you do this kind of inspection.

If you're using devices that are open source or that allow you to
access the OS, another option is to monitor them or inspect what
they're doing on the devices or in the source code instead. The
downside is that you can't monitor all of them in one place, but it
might be your only option.

Tim

On Wed, Apr 15, 2020 at 2:31 PM Cornelius Jubjub
 wrote:
>
> Hello all,
>
> First off, I hope everyone is staying happy, healthy and sane in these
> difficult times.
>
> I've been working on a little side project involving some IoT devices
> and I'm in the need of a HTTPS MITM proxy so I can do some traffic
> analysis. I'm running OpenBSD 6.6 as my firewall at home doing NAT and
> providing some other network plumbing (great term btw!). I have been
> exploring relayd to do this intercept on the firewall. Currently I have
> this config for a tls proxy:
>
> log connection
>
> http protocol httpfilter {
> return error
> pass
> match url log
>
> tls ca key "/etc/ssl/private/ca.key" password "stinkbutt"
> tls ca cert "/etc/ssl/ca.crt"
> }
>
> relay tlsmitm {
> listen on 127.0.0.1 port 8443 tls
> protocol httpfilter
> forward with tls to destination
> }
>
> EOF
>
> The issues I'm having are two fold, first off I can't, for the life of
> me get anything to appear in the log (/var/log/daemon) except for the
> usual daemon start and stops. Secondly, I'd really like to dump all of
> the traffic al la tcpdump but I don't really see a place to do so (no
> unencrypted data passes through an interface AFAIK).
>
> I'm hoping someone might be able to steer me in the right direction
> and maybe let me know if I'm using the wrong tool for the job.
>
> Thank you,
>
> CJ
>



Re: softraid i/o errors, crypto blocks

2020-02-22 Thread Tim van der Molen
freda_bundc...@nym.hush.com (2020-02-18 10:13 -0600):
> I've had Postgresql data on an encrypted external USB drive 
> (encrypted via the OpenBSD FAQ instructions) for about a year
> and it's worked great. 
> 
> Recently, I started getting dmesg messages
> saying softraid i/o error and it listed various crypto blocks:
> 
> Feb 18 09:04:14 freda /bsd: softraid0: chunk sd4a already in use
> Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 27xxx
> Feb 18 09:04:22 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 6xx
> Feb 18 09:04:31 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 
> 1624932xxx
> Feb 18 09:04:31 freda /bsd: softraid0: sd5: i/o error 0 @ CRYPTO block 
> 1624811xxx
> 
> In this case, it happened when I tried to mount a second external encrypted 
> drive.
> (I don't recall if this is what always triggers the problem.) 
> 
> My  drive with Postgresql running was sd5i. I always mount the drives with 
> the DUID
> after running bioctl. The sd4a above refers to RAID on the second encrypted 
> drive I had 
> plugged in and just run /sbin/bioctl -c C -l softraid0 DUIDHERE.a on.

The last two arguments in that command are reversed. Fixing that should
solve at least part of your problem.

> I'm running
> OpenBSD 6.6-current (GENERIC.MP) #648: Sun Feb 16 13:54:33 MST 2020
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> Currently, I have Postgresql 12.1p1 but it happened when the previous external
> drive had 11.6 data also.
> 
> At this point of course I can no longer access my data. If I reboot then / 
> also fails
> to unmount. Rebooting is successful  though after filesystem checks. Next 
> time it happens
> I will take a picture of the messages.
> 
> I thought my external drive was bad so I switched to a new one, but the same 
> thing
> happened today.
> 
> So I am just wondering if anyone else has recently started experiencing this 
> sort
> of problem. I haven't lost any data since I backup early and often, and in 
> any case,
> fsck has fixed things so far. 



Re: Detecting DoH using PF

2020-02-18 Thread Tim Baumgard
On Mon, Feb 17, 2020 at 1:19 PM Erik Lauritsen  wrote:
> Is a DNS over HTTPS recognizable somehow so that it can be fingerprinted
> and redirected or blocked using pf?
>
> I am thinking about the ability of PF to detect when requests are coming from
> a windows machine for example.

As Paul asked, what's the reason behind your question?  Privacy? The
solution for you depends on how much work you want to do and what
you have for a network, devices, and applications.

Blocking requests is a reasonable solution with some caveats. Remember
that you'd have to keep the configuration updated, though probably
infrequently. Applications and devices may use their own factory-set DNS
settings and not those specified by your DHCP server, so they may fail
if they can't connect to a server blocked in pf(4). This means that some
things you can't fully configure like IOT devices, TVs, game consoles,
or that one thing your boss likes may not work or may not work after a
future update. This isn't as much of a problem if the network can be
segmented so that the pf(4) rules apply to only certain devices, but it
does involve a little extra work.

Redirecting or relaying the request requires some form of deep packet
inspection since the requests are encrypted. This also requires a local
certificate authority that is trusted by the devices on the network,
which may not be possible for everything on it. Devices like those
listed above may fail. Again, this may not be an issue if you can
segment your network so that you're only relaying the requests from the
devices that you can install the local CA certificate on, but I'm not
sure if a program to relay DoH requests exists anyway.

As far as I'm aware, "enterprise policies" can be used to disable DoH in
some OSes and applications. All devices and applications have to support
them and be configured to use them to fully block them. Things that
don't support them will get through.

Again, you have to think about your situation and what you want to
accomplish. If the above shortcomings are okay with you, pick the one
that works best for your situation.

That said, this is what I do personally for my own network:

I don't knowingly use any devices, OSes, or applications on my network
that use DoH other than Firefox, and all my main devices--desktop,
laptop, phone, tablet--are known to obey the DNS settings from
dhcpd(8). My network is also segmented. My current "works well enough
for me" solution to cover Firefox without changing its settings on every
device is to add this to my unbound.conf(5):

# By default, disable DoH for Firefox.
# 
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
local-zone: "use-application-dns.net" always_nxdomain

This means that all the things I really care about privacy-wise with
regards to DoH are fine. Be aware that Firefox apparently still uses DoH
if the setting is turned on in its preferences. For what it's worth, the
OpenBSD port of Firefox disables DoH by default.

Tim



minor tcpdump.8 inconsistency

2019-10-31 Thread Tim Kuijsten
minor inconsistency

diff --git a/tcpdump.8 b/tcpdump.8
index ce16951..8c2cf33 100644
--- a/tcpdump.8
+++ b/tcpdump.8
@@ -1257,7 +1257,7 @@ end of this connection.
 .Ar window
 is the number of bytes of receive buffer space available
 at the other end of this connection.
-.Ar urg
+.Ar urgent
 indicates there is urgent data in the packet.
 .Ar options
 are TCP options enclosed in angle brackets e.g.,
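Review bot: the commit message says only "minor inconsistency" and the hunk does not show what `urgent` is being made consistent with; name the place the field list is introduced (the synopsis line earlier in the TCP section, if that is where the term appears, or the string tcpdump itself prints), so a reviewer can confirm from the page that `urgent` rather than `urg` is the term used there. The one-word change itself is otherwise fine.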



Re: Blind OpenBSD users

2019-05-17 Thread Tim Chase
(sorry, out of thread; copying from the marc.info post so
References/In-Reply-To aren't set)

> I am looking to understand / enhance the OpenBSD experience for
> blind users.

While not blind, I occasionally attempt to do some screenless testing
with accessibility-tech on OpenBSD, FreeBSD, and Linux.  I also hang
out in the blinux mailing list for blind Linux users, so am
interested in making the BSDs more accessible.

> Do we have any blind users reading misc that can offer any insight
> into their usecases / pain points / work flows / wants?
> I am sure OpenBSD is lacking on this front, so use cases in *nix
> would also be helpful.

From some recent experiences:

- using a serial port or SSH has proven the best/most-reliable.  For
  some the machine would be attached to an external serial-driven
  synth or Braille device.  For others, it's a serial program on
  another machine that is accessible, or accessing via SSH from that
  other machine.  However, as powerful as the CLI is, it doesn't grant
  access to GUI tools like a real browser.

- yasr isn't available as a package (it's my go-to console
  screen-reader) but can be installed from source.  It does have a
  sample config file but needs a bunch of work to get set up,
  including getting speech-dispatcher to listen via an inet socket
  rather than a unix socket, then pointing yasr at speech-dispatcher,
  and making sure that it is configured properly. Also,
  speech-dispatcher times out after 5-seconds with no connection, so
  you have to know to start yasr within that window of time.

- attempting to `pip install fenrir-screenreader` fails because it
  uses some linux-specific headers

Getting Orca set up is a bit of a bear.  Doable, but it already
assumes you have access to the system.  But roughly involves
installing Gnome (plus configuring GDM which is mostly following the
docs, but it's certainly not out-of-the-box easy), Orca, eflite,
etc.  While GDM comes up with options to turn on text-to-speech, you
have to know the Alt+Super+S shortcut to enable, and you have to know
how to *use* Orca to navigate it.  All of that is pretty
difficult to do if you're blind and on your own.

Additionally, latency in Orca is pretty horrible on my test machine
here, even under light usage (in this context, running Gnome and the
Orca settings panel; no extra programs or non-default OBSD services
running).  It's not a powerhouse machine (3GB of RAM, dual-core 2GHz)
but it's also not unreasonable specs for an older machine.

So in the end, using ssh/serial from a remote machine or using yasr +
speech-dispatcher locally was the most usable solution I've been able
to get working.  It would be nice to get Orca working usably so I
could test with a GUI browser.

As for things that could be improved, a couple ideas:

- adding yasr to the package repos

- perhaps some meta-package or a tutorial on getting
  speech-dispatcher + yasr + flite/festival/espeak/whatever working
  together

- tweak Gnome or whatever launches Orca so that it comes up with a
  tutorial mode and/or settings on first-run.

I'd be glad to test other configurations if needed.

-tkc
(@gumnos)




Re: Is anyone able to use certificates with openbsd iked/ikev2 and Apple iOS (iphone)?

2019-04-16 Thread Tim Stewart
Matt,

Matthew Ernisse  writes:

> I have not tried ECDSA, however I've had iOS and macOS devices
> running with iked since it came into OpenBSD using certificate auth
> with RSA 2048 certs and a RSA 4096 CA.
>
> I just recently wrote a blog post on it, it includes a general overview
> of how I did it and a fragment of my .mobileconfig and iked.conf.
>
> https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html
>
> My VPN endpoint is currently running:
> OpenBSD 6.4 (GENERIC) #7: Thu Feb 28 18:10:07 CET 2019
> r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC


My configuration is rather similar, at least in spirit.  The main
differences I see are that I specify a dstid in iked.conf and I don't
specify exact crypto transforms.  My .mobileconfig file is basically
identical to yours.

I'll do another round of testing and be more explicit about the crypto
transforms, and will reply here with the results.

Thanks for the link!

-TimS


>> On Apr 4, 2019, at 20:08, Tim Stewart  wrote:
>>
>> Hi Ted,
>>
>> On 6/2/18 12:26 PM, Theodore Wynnychenko wrote:
>>> Hello
>>> Last year (before about 3/27/2017 when "Add support for RFC4754 (ECDSA) and
>>> RFC7427 authentication" diff was committed to current), I had set up and had
>>> been able to connect iOS devices (iphone/ipad) to OpenBSD's iked, and have 
>>> ikev2
>>> VPN's happen, almost as if by, magic.
>>> Authentication was accomplished using certificates signed by a local 
>>> authority
>>> and then distributed to the iOS devices.
>>> Since 3/27/17, this has not been working.  I sent a couple of emails about 
>>> this
>>> last year (the initial one:
>>> https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).
>>> Over the last year, I have tried many things.  Even though I don't know 
>>> anything
>>> about programming (or C), I tried making little changes to the iked source, 
>>> all
>>> without success.  (Is that any surprise? No.  I was amazed at times that my
>>> changes even resulted in a program that would actually start up and run.)
>>> I have tried creating several different CA's and certificates, using various
>>> different algorithms (ECDSA and RSA, with varying key lengths), all without
>>> success.  For example, I just tried creating a CA and certificates with
>>> ECDSA384/SHA2-384; I distribute those to the iOS device (which supports 
>>> them),
>>> but, iked will not accept them and create a tunnel.
>>> In iked.conf, if I don't explicitly state something like "ecdsa384" as the
>>> authentication method (and, this requires having a local copy of the public 
>>> key
>>> on the openbsd machine), iked falls back to rfc7427 for authentication, but 
>>> it
>>> appears that iOS does not support this (yet?).
>>> I have been downgrading iked to a version before the 3/27/17 (every time I
>>> update -current), and this still allows my old certificates to work.  But, 
>>> that
>>> doesn't seem sustainable.
>>> I have no idea how to proceed?
>>> Has anyone been able to get -current (or at least, a snapshot after 3/27/17)
>>> version of iked to work with any iOS devices using certificates 
>>> successfully?
>>> If so, I would really appreciate some advice on how it can be done.
>>> Thanks
>>> Ted
>>
>> Last night I tried to set up my iPad for the first time and ran into a 
>> similar issue.  Today I remembered writing a patch for a similar issue after 
>> RFC7427 was added:
>>
>>  https://marc.info/?l=openbsd-tech&m=149499973130985
>>
>> After applying this, and adding the `rsa' ikeauth parameter to the policy, 
>> the iPad successfully connected.
>>
>> Can you try applying that patch and see if it resolves your issue?  If it 
>> also works for you, I'll reply on that thread and see if anyone wants to 
>> opine on the patch.
>>
>> -TimS
>>
>> --
>> Tim Stewart
>> t...@stoo.org
>>



Re: Is anyone able to use certificates with openbsd iked/ikev2 and Apple iOS (iphone)?

2019-04-04 Thread Tim Stewart

Hi Ted,

On 6/2/18 12:26 PM, Theodore Wynnychenko wrote:

Hello

Last year (before about 3/27/2017 when "Add support for RFC4754 (ECDSA) and
RFC7427 authentication" diff was committed to current), I had set up and had
been able to connect iOS devices (iphone/ipad) to OpenBSD's iked, and have ikev2
VPN's happen, almost as if by, magic.

Authentication was accomplished using certificates signed by a local authority
and then distributed to the iOS devices.

Since 3/27/17, this has not been working.  I sent a couple of emails about this
last year (the initial one:
https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).

Over the last year, I have tried many things.  Even though I don't know anything
about programming (or C), I tried making little changes to the iked source, all
without success.  (Is that any surprise? No.  I was amazed at times that my
changes even resulted in a program that would actually start up and run.)

I have tried creating several different CA's and certificates, using various
different algorithms (ECDSA and RSA, with varying key lengths), all without
success.  For example, I just tried creating a CA and certificates with
ECDSA384/SHA2-384; I distribute those to the iOS device (which supports them),
but, iked will not accept them and create a tunnel.

In iked.conf, if I don't explicitly state something like "ecdsa384" as the
authentication method (and, this requires having a local copy of the public key
on the openbsd machine), iked falls back to rfc7427 for authentication, but it
appears that iOS does not support this (yet?).

I have been downgrading iked to a version before the 3/27/17 (every time I
update -current), and this still allows my old certificates to work.  But, that
doesn't seem sustainable.

I have no idea how to proceed?

Has anyone been able to get -current (or at least, a snapshot after 3/27/17)
version of iked to work with any iOS devices using certificates successfully?

If so, I would really appreciate some advice on how it can be done.

Thanks
Ted


Last night I tried to set up my iPad for the first time and ran into a 
similar issue.  Today I remembered writing a patch for a similar issue 
after RFC7427 was added:


  https://marc.info/?l=openbsd-tech&m=149499973130985

After applying this, and adding the `rsa' ikeauth parameter to the 
policy, the iPad successfully connected.


Can you try applying that patch and see if it resolves your issue?  If 
it also works for you, I'll reply on that thread and see if anyone wants 
to opine on the patch.


-TimS

--
Tim Stewart
t...@stoo.org



Re: want.html: Unifi wifi gear for interop debugging

2018-10-06 Thread Tim Jones
‐‐‐ Original Message ‐‐‐
On Saturday, October 6, 2018 6:00 PM, Jacqueline Jolicoeur  
wrote:

> > Oh right, and the rest of us don't have day-jobs, plus other
>
> commitments outside of working hours ?
>
> That must be hard for you. You feel you want more time in your life.
>
> > If you want another financial donation ? Well, be prepared for
>
> it to come with tight restrictions.
>
> You feel the way to have control is with money.


Jacqueline,

You are taking things unnecessarily out of context.



Re: want.html: Unifi wifi gear for interop debugging

2018-10-06 Thread Tim Jones
> Thank you for handling the logistics so I don't have to do that
> on top of everything else I'm doing.
> I am looking forward to receiving your shipment.


Oh right, and the rest of us don't have day-jobs, plus other commitments 
outside of working hours ?

From now on, I'll take a simple stance.  If you want my spare Unifi kit,
you'll pay for the packaging and the postage.

If you want another financial donation ?  Well, be prepared for it to come with 
tight restrictions.



Re: want.html: Unifi wifi gear for interop debugging

2018-10-06 Thread Tim Jones
I think the point I'm making here is it should be worthwhile to send the kit.

Unifi access points are so cheap, that second-hand ones "lying around" are not 
likely to be worth the cost and effort to ship internationally (or even 
nationally in the case of some postal systems).

Something like a 10gig switch or whatever would be a different kettle of fish, 
as the residual value would make it worthwhile.

For commodity kit like that, I think Tom Smyth is thinking more down the 
correct lines of approaching the manufacturer.  I would also suggest 
approaching the higher-tier "authorised resellers" would be an equally good 
idea, as larger resellers higher up the food chain are often allocated a quota 
of free/cheap units.  They are generally not permitted to dispose of the 
freebies for a defined period, but after that, they can normally do with them 
as they wish.



Re: want.html: Unifi wifi gear for interop debugging

2018-10-06 Thread Tim Jones
> That's the nature of a donation: it comes with
> no strings attached for the party receiving.

Evidently you have not heard of restricted funds.

If a donor gives on a restricted funds basis (happens all the time), then it's
black and white, either (a) return the funds or (b) abide by the restrictions 
set by the donor.

The vast majority of non-profits will quite happily accept restricted funds 
because it's a bit of a "cut



Re: want.html: Unifi wifi gear for interop debugging

2018-10-06 Thread Tim Jones
‐‐‐ Original Message ‐‐‐
On Saturday, October 6, 2018 9:21 AM, Marcus MERIGHI  
wrote:

> Dear all,
>
> not everyone is reading want.html every day, therefore I wanted to hint
> at: https://www.openbsd.org/want.html
>
> stsp@wifi is asking for gear and we should deliver :-)
>
> "Ubiquity Unifi Ufo / Unifi AP Pro are needed for wifi driver debugging
> in Berlin, Germany. Contact s...@openbsd.org"
>
> I cannot find "Unifi Ufo", but "Unifi AP Pro" is not a cheapo Access
> Point, around EUR 160,-- here.
>
> Marcus


Unifi not a cheapo access point ? That's a first for me! Unifi APs are probably 
the cheapest half-decent APs on the market, especially if you compare them to 
the typical cost of a brand name "enterprise" AP.

As someone who has recently donated, surely this is the very sort of thing the 
OpenBSD Foundation should be funding ?  I didn't just give money to pay for 
electricity bills caused by people insisting on maintaining racks of vintage 
room-heaters.



Re: Which really small, portable and lightweight system/device is usable running OpenBSD?

2018-09-24 Thread Tim Jones
> Can confirm, typing on mine currently. Have to use an external wifi adapter, 
> but most everything else works just fine. It's a little on the slow side, but 
> it does well enough for daily computing.


Out of interest, did you find an OpenBSD-friendly USB-C WIFI adapter or are you
using an adapter ?



Re: Certificate authority software

2018-09-21 Thread Tim Jones


‐‐‐ Original Message ‐‐‐
On Friday, September 21, 2018 1:21 PM, Gregory Edigarov  
wrote:

> Hello, list.
>
> I need to setup a CA for intranet. I have some (rather not very
> positive) experience with ejbca.
> before I will set it up, I want to take a look at alternatives, and so i
> need an advice on the choice of software.
>
> what would you guys use? something with less dependencies is preferred
> (but with web interface).
>
> thank you.
>
>


Depends what you want to do and the scale of your infrastructure ?

If it's your home lab or a small(ish) business then buy some Yubikeys (for the 
"secure your keys in an HSM" element) and fire up a copy of OpenSSL, and Robert 
is your uncle.

If your talking thousands of users or tens of thousands of servers, then I'm 
sure you've got the budget for to pay for advice. ;-)



Re: PF possibly causing weird SSL issues ?

2018-09-19 Thread Tim Jones
I've just done a tcpdump. About to look at it myself, but maybe eyes on list 
will spot the issue (if any) quicker than my tired eyes.

198.51.100.167 is me (RFC5737 obfuscated)
52.216.65.232 is amazon (I used the IP to rule out any possible DNS issues even 
though I've triple checked the DNS is working perfectly)

# From a server behind the firewall
> openssl s_client -connect 52.216.65.232:443 -servername 
> github-production-release-asset-2e65be.s3.amazonaws.com
CONNECTED(0003)
140007268579136:error:1408F10B:SSL routines:ssl3_get_record:wrong version 
number:ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 240 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1537377960
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
# INTERNAL INTERFACE
$ doas tcpdump -i vlan178  'host 198.51.100.167 and 52.216.65.232'
tcpdump: listening on vlan178, link-type EN10MB
18:25:57.268855 myserver.example.com.32792 > s3-1-w.amazonaws.com.4433: . ack 
630647770 win 29200 (DF)
18:26:00.298134 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: S 
4238555681:4238555681(0) win 29200  (DF)
18:26:00.298147 s3-1-w.amazonaws.com.https > myserver.example.com.54112: S 
3428578097:3428578097(0) ack 4238555682 win 0  (DF) [tos 0x10]
18:26:00.298384 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: . ack 
1 win 29200 (DF)
18:26:00.373869 s3-1-w.amazonaws.com.https > myserver.example.com.54112: . ack 
1 win 1 (DF) [tos 0x10]
18:26:00.580732 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 
1:2(1) ack 1 win 29200 (DF)
18:26:00.788730 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 
1:2(1) ack 1 win 29200 (DF)
18:26:01.204744 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 
1:2(1) ack 1 win 29200 (DF)
18:26:02.036771 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 
1:2(1) ack 1 win 29200 (DF)
18:26:03.700700 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 
1:2(1) ack 1 win 29200 (DF)
18:26:06.996828 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 
1:2(1) ack 1 win 29200 (DF)
18:26:11.410370 s3-1-w.amazonaws.com.4433 > myserver.example.com.32792: R 
0:0(0) ack 1 win 0 (DF) [tos 0x10]
18:26:13.652796 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 
1:2(1) ack 1 win 29200 (DF)
18:26:20.474809 s3-1-w.amazonaws.com.https > myserver.example.com.54112: P 
1:8(7) ack 1 win 14600
18:26:20.475044 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: . ack 
8 win 29200 (DF)
18:26:20.475294 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: FP 
2:241(239) ack 8 win 29200 (DF)
18:26:20.475296 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: R 
242:242(0) ack 8 win 29200 (DF)
18:26:20.550879 s3-1-w.amazonaws.com.https > myserver.example.com.54112: . ack 
1 win 14600
18:26:20.550892 s3-1-w.amazonaws.com.https > myserver.example.com.54112: . ack 
1 win 14600
18:26:20.551002 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: R 
4238555682:4238555682(0) win 0 (DF)
18:26:20.551126 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: R 
4238555682:4238555682(0) win 0 (DF)
# EXTERNAL INTERFACE
$ doas tcpdump -i em1 'host 198.51.100.167 and 52.216.65.232'
tcpdump: listening on em1, link-type EN10MB
18:26:00.298424 198.51.100.167.54112 > 52.216.65.232.https: S 
3428578097:3428578097(0) win 0 (DF) [tos 0x10]
18:26:00.373822 52.216.65.232.https > 198.51.100.167.54112: S 
4188089135:4188089135(0) ack 3428578098 win 0 
18:26:00.373863 198.51.100.167.54112 > 52.216.65.232.https: . ack 1 win 29200 
(DF) [tos 0x10]
18:26:20.474775 52.216.65.232.https > 198.51.100.167.54112: P 1:8(7) ack 1 win 
14600 (DF)
18:26:20.475060 198.51.100.167.54112 > 52.216.65.232.https: . ack 8 win 29200
18:26:20.475311 198.51.100.167.54112 > 52.216.65.232.https: FP 2:241(239) ack 8 
win 29200
18:26:20.475323 198.51.100.167.54112 > 52.216.65.232.https: R 242:242(0) ack 8 
win 29200
18:26:20.550857 52.216.65.232.https > 198.51.100.167.54112: . ack 1 win 14600 
(DF)
18:26:20.550858 52.216.65.232.https > 198.51.100.167.54112: . ack 1 win 14600 
(DF)
18:26:20.551018 198.51.100.167.54112 > 52.216.65.232.https: R 
3428578098:3428578098(0) win 0
18:26:20.551140 198.51.100.167.54112 > 52.216.65.232.https: R 
3428578098:3428578098(0) win 0
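The capture above can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the poster or from OpenBSD: it parses tcpdump's one-line TCP format and flags the three things visible on the internal interface: a SYN-ACK that advertises a zero window, a SYN-ACK that comes back far too quickly to have crossed the Internet (the external capture shows roughly 75 ms to the server, so a reply 13 microseconds after the SYN was generated locally, which is how a syncookie answer looks), and one segment retransmitted over and over with exponential backoff. The sample lines are copied from the internal-interface capture in the post with the mail-client wrapping undone; the 1 ms "too fast" threshold and the retransmission count of 3 are assumptions chosen for this example.

```python
"""Flag middlebox symptoms in a tcpdump TCP trace (added example for this
thread; not code from the poster or from OpenBSD)."""
import re
from collections import defaultdict

# Internal-interface lines copied from the capture in the post, with the
# wrapping done by the mail client undone. Sample input for this example.
CAPTURE = """\
18:26:00.298134 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: S 4238555681:4238555681(0) win 29200  (DF)
18:26:00.298147 s3-1-w.amazonaws.com.https > myserver.example.com.54112: S 3428578097:3428578097(0) ack 4238555682 win 0  (DF) [tos 0x10]
18:26:00.298384 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: . ack 1 win 29200 (DF)
18:26:00.373869 s3-1-w.amazonaws.com.https > myserver.example.com.54112: . ack 1 win 1 (DF) [tos 0x10]
18:26:00.580732 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:00.788730 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:01.204744 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:02.036771 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:03.700700 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:06.996828 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:13.652796 myserver.example.com.54112 > s3-1-w.amazonaws.com.https: P 1:2(1) ack 1 win 29200 (DF)
18:26:20.474809 s3-1-w.amazonaws.com.https > myserver.example.com.54112: P 1:8(7) ack 1 win 14600
"""

# tcpdump's TCP one-liner: "ts src > dst: FLAGS [seq:end(len)] [ack N] win N ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


def parse_line(line):
    """One tcpdump TCP line -> dict, or None for lines that are not TCP."""
    m = TCP_LINE.match(line)
    if not m:
        return None

    def opt(key):
        return int(m.group(key)) if m.group(key) is not None else None

    h, mi, s = m.group("ts").split(":")
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m.group("src"), "dst": m.group("dst"),
            "flags": m.group("flags"), "seq": opt("seq"), "end": opt("end"),
            "len": opt("len") or 0, "ack": opt("ack"), "win": int(m.group("win"))}


def analyse(capture, fast_synack_ms=1.0, retrans_threshold=3):
    """Return (kind, detail) findings for a capture.

    fast_synack_ms: a SYN-ACK arriving quicker than this cannot have come
    from the remote peer, so something local answered the SYN.  The
    threshold and retrans_threshold are assumptions for this example.
    """
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    findings = []
    syn_seen = {}                 # (client, server) -> time of first SYN
    segments = defaultdict(list)  # (src, dst, seq, end) -> send times
    for p in pkts:
        is_syn = "S" in p["flags"]
        if is_syn and p["ack"] is None:                 # plain SYN
            syn_seen.setdefault((p["src"], p["dst"]), p["t"])
        elif is_syn:                                    # SYN-ACK
            if p["win"] == 0:
                findings.append(("zero-window-synack",
                                 f"{p['src']} -> {p['dst']} advertises win 0"))
            t_syn = syn_seen.get((p["dst"], p["src"]))
            if t_syn is not None and (p["t"] - t_syn) * 1000 < fast_synack_ms:
                findings.append(("synack-too-fast",
                                 f"{(p['t'] - t_syn) * 1e6:.0f} us after the SYN"))
        if p["len"] > 0:                                # data-carrying segment
            segments[(p["src"], p["dst"], p["seq"], p["end"])].append(p["t"])
    for (src, dst, seq, end), times in segments.items():
        if len(times) >= retrans_threshold:
            findings.append(("retransmissions",
                             f"{src} -> {dst} {seq}:{end} sent {len(times)}x "
                             f"over {times[-1] - times[0]:.1f}s"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(CAPTURE):
        print(f"{kind:22} {detail}")
```

Run against a live trace with `tcpdump -i vlan178 -n -tttt ...` piped in and the timestamp pattern adjusted; the point of the three checks is that they separate "the remote server is slow" from "something between me and the server is rewriting the handshake", which is the distinction this thread turns on.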



Re: PF possibly causing weird SSL issues ?

2018-09-19 Thread Tim Jones



>
> Is there one OpenBSD BGP router or more, and is PF running there too?
> (Basically check with tcpdump on various interfaces along the way that
> the packets you expect to receive from the TLS server/s you're
> connecting to aren't being dropped somewhere - if there are paths
> to/from "the internet" going via multiple stateful firewalls you
> can have problems with asymmetric traffic if you're not careful).

Currently only one (this is an edge node for something, there are plans to add 
a second router soon, but has not happened yet).

PF is running on the OpenBSD router, but a very small and basic ruleset just to 
keep undesirables away from the localhost SSH and BGPD, the rest of the traffic 
is sent straight through (i.e. PF is running default "pass no state" instead of 
default drop).

Not that asymmetric traffic is the problem here, but if it were, surely I would 
be seeing broader problems, not just this relatively small and confined one ?

I will try some more experiments with tcpdump later.



Re: PF possibly causing weird SSL issues ?

2018-09-19 Thread Tim Jones


> This is very bad advice you got. Syncookies should only be used in
> extreme situations because they do lose some of the additional
> information that is part of the SYN packet. "syncookies always" is only
> there for testing but should not be used in production.
>

Thank you Claudio.  Message received. "syncookies always" has now been removed 
from my pf.conf (has not fixed the current problem, but at least you've made me 
confident I've avoided a potential future problem !).



Re: Google abruptly accessed photos on memory card and MUCH more without permission

2018-09-19 Thread Tim Jones
> I travel frequently. Often outside of the US. I decided when in Mexico
> that I could possibly lose the tiny notepad so I took photos of my
> passwords on it. I did this on a Mexican phone and I have often used
> these photos when I couldn't remember rarely used passwords and my
> notepad wasn't with me.


It is regrettably very difficult to feel sorry for you given your first 
paragraph:

(a) You have passwords written down in a notebook
(b) You take photographs of passwords written down in a notebook

Why have you not taken even the most basic security measures ?



Re: PF possibly causing weird SSL issues ?

2018-09-19 Thread Tim Jones


> This feels like it might be an MTU related problem, especially likely
> if the connection is going via pppoe or a tunnel - you may need "scrub
> (max-mss ##)".
>
> The way Google's TLS server handshake is setup, it fits in pppoe without
> fragmentation, most other sites do not.
>
> Otherwise try simplifying pf.conf (one change at a time and test):
> disable syncookies and change "modulate state" to "keep state", maybe
> also the random-id scrub. ("syncookies always" in PF doesn't make a
> lot of sense to me except for testing, especially if only allowing
> inside->outside traffic, I think "adaptive" would be more usual if
> using this feature).



Thanks Stuart. These sound possibly more likely than some of the other 
suggestions (e.g. wrong date/time or bad pf rules ... I'm not that silly).

The connection is not going via PPPoE or tunnel.  The immediate next hop is an 
OpenBSD based BGP router (where, incidentally, I can't replicate this SSL 
issue, but the router is not (yet) running 6.3 either).  The OpenBSD router box 
is then plugged into large carrier routers.  So all this is not hanging off 
the end of some random DSL line !

The reason I've got "syncookies always" is because there are various internet 
exposed services (e.g. webservers) sitting behind this PF instance, and as far 
as I can gather syncookies is recommended as a good thing (tm) for these sort 
of applications ?  This PF instance is very much a majority out->in instance.

But at the same time I'm also unclear as to what the impact of syncookies is on 
states ?  The man page talks of "continue the connection with synproxy in 
place", which in my mind implies "synproxy state" ?



Re: PF possibly causing weird SSL issues ?

2018-09-18 Thread Tim Jones
> Check the time and date.
> And enable ntpd if you already haven't.

Time and date are fine.

NTP already runs extensively on this network, so setting it up on OpenBSD 
instances was a subconscious no-brainer. ;-)



PF possibly causing weird SSL issues ?

2018-09-18 Thread Tim Jones
Hi,

I'm wracking my brains here.   I have just replaced  
with one based on OpenBSD 6.3 PF. Nothing else has changed on the network, just 
the firewall.

Lots of "stuff" that used to work (e.g. various nightly pushes of data to "the 
cloud") have suddenly stopped working after the new firewall was put in place.

It seems to be down to some sort of weird handling of SSL by PF ?  I can't see 
why it should be OpenBSD, and yet I also can't see why it cannot be OpenBSD, 
given nothing else has changed.

The reason I say this is because of what I see if I take troubleshooting down 
to its most basic level :

This:
wget -O bp_linux.tar.gz 
https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz
Fails with:
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

And yet this (ironically !) :
wget https://cdn.openbsd.org/pub/OpenBSD/6.3/amd64/install63.iso
Works fine.

Similarly, this :
openssl s_client -connect 
github-production-release-asset-2e65be.s3.amazonaws.com:443 -servername 
github-production-release-asset-2e65be.s3.amazonaws.com
Returns:
no peer certificate available
No client certificate CA names sent

And yet this :
openssl s_client -connect google.com:443 -servername google.com
Shows SSL certs OK  !

My PF is simple as follows (there is no NAT here, it's fully routable) :
match in all scrub (no-df random-id)
block drop
set block-policy drop
set syncookies always
pass from  to any flags S/SA modulate state (pflow)

DNS and everything else is working fine.



Re: Running your own mail server

2018-09-18 Thread Tim Jones


> Webmail isn't worth bothering with at all. Too complicated.

Let me rephrase that for you.

Webmail is easy.  Open source webmail is all horrible stuff stuck in the last 
century.

To make open source webmail look and behave like the  is the complicated bit.



Re: Integration between CARP and BGPD ?

2018-09-12 Thread Tim Jones


On Wednesday, 12 September 2018 20:49, Stuart Henderson  
wrote:

> On 2018-09-11, Tim Jones b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch 
> wrote:
>
> > I've had a quick look through the man pages and am still a bit unclear, 
> > perhaps I'm just overthinking this ?
> > Let's say I've got two perimeter "firewalls" running OpenBSD, talking BGP 
> > to upstream routers.
> > On the "LAN" side I'm thinking about CARP, which is active/passive, and the 
> > devices on "LAN" side will have the CARP set as their default gateway.
> > If both BGP talkers advertise the "LAN" to the upstreams (i.e. "network 
> > 192.0.2.0/24" in bgpd.conf), how does that work in terms of reachability 
> > from the device that is currently CARP passive ?
> > The man pages mention two CARP related configuration options for bgpd.conf 
> > but these don't seem to cater for the application I'm thinking of ?  (i.e. 
> > "demote" is more related to waiting until BGP is established, and  "depend 
> > on" is related to staying in idle if CARP is passive, which is obviously 
> > not an attractive idea as I'd obviously like both upstream BGP sessions 
> > active ? ).
>
> If both are advertising the same prefixes, packets could arrive at
> either router, so to do this you'll need an IP address on the "carpdev
> interface" i.e. the interface that carp is running over.
>
> PF does TCP sequence number checking, so to avoid problems there you'll
> also need one of the following
>
> -   not use PF
> -   use PF rules with "keep state (sloppy)"
> -   use pfsync(4) with the "defer" flag
>
> Alternatively maybe you could control advertising the network by not
> listing it in config, but use "bgpctl network" commands from ifstated or
> similar, that way directing traffic towards the correct machine. Either
> advertise with low localpref when you have carp backup and switch to
> high localpref when you have master. Or (probably only really useful
> within your own network) advertise the whole lan all the time, but also
> advertise deaggregates from the machine with carp master.
>

Thank you Stuart !

Based on your comments I've just spent in a bit of time with ifstated and it 
seems that was the missing link.  Fails over nicely now with both BGP instances 
advertising but changing prefs.



Re: BGP over IKED, routes not being installed ?

2018-09-12 Thread Tim Jones


> sounds like a nexthop validation issue. What does `bgpctl show nexthop` give 
> you? Do you have a route to them?

It gives this :

Flags: * = nexthop valid

  Nexthop Route  Prio Gateway Iface
  10.250.250.250


But surely I have a route if I can ping ? (As part of my testing, I redefined 
the next-hops as RFC1918 to ensure that if ping worked it meant the IKED VPN 
worked).

If I do `ipsecctl -sa` I can see the flows that IKED created.  But are you 
saying these flows don't get recognised by BGPD ?



BGP over IKED, routes not being installed ?

2018-09-12 Thread Tim Jones
I'm probably missing something silly, here's what I've got so far:

1/ Working VPN, I can ping between the BGP loopbacks on both sides

ping -S 192.168.1.1 10.250.250.250
ping -S 10.250.250.250 192.168.1.1

2/ The BGP sessions come up

3/ "bgpctl sho ri" shows all routes.  But none of them have any flags, not even 
the *=valid flag.

4/ Setting "nexthop qualify via default" gets the valid & select flags, but 
doing a traceroute sees the traffic going out via the default gateway instead 
of the vpn

5/ Playing with "fib-priority" in bgpd.conf doesn't seem to achieve much.

bgpd.conf looks like below :
MY_ROUTER_ID_V4="192.168.1.1"
MY_ASN="64550"
AS $MY_ASN
router-id $MY_ROUTER_ID_V4
socket "/var/www/run/bgpd.rsock" restricted
rde med compare always
group my_remote_group {
    remote-as 64515
    announce none
    announce IPv6 none
    neighbor 10.250.250.250 {
        local-address $MY_ROUTER_ID_V4
        descr "REMOTE NUMBER 1"
    }
}
deny from any
match from any set origin igp
allow from any prefix {198.51.100.0/24 or-longer,203.0.113.0/24 or-longer}
deny to any
allow to any prefix {192.0.2.0/24 or-longer}



Integration between CARP and BGPD ?

2018-09-11 Thread Tim Jones
I've had a quick look through the man pages and am still a bit unclear, perhaps 
I'm just overthinking this ?

Let's say I've got two perimeter "firewalls" running OpenBSD, talking BGP to 
upstream routers.

On the "LAN" side I'm thinking about CARP, which is active/passive, and the 
devices on "LAN" side will have the CARP set as their default gateway.

If both BGP talkers advertise the "LAN" to the upstreams (i.e. "network 
192.0.2.0/24" in bgpd.conf), how does that work in terms of reachability from 
the device that is currently CARP passive ?

The man pages mention two CARP related configuration options for bgpd.conf but 
these don't seem to cater for the application I'm thinking of ?  (i.e. "demote" 
is more related to waiting until BGP is established, and  "depend on" is 
related to staying in idle if CARP is passive, which is obviously not an 
attractive idea as I'd obviously like both upstream BGP sessions active ? ).



IKED not sending packets ?

2018-09-10 Thread Tim Jones
Hi,

Thinking it might be something with my earlier config, I created a simple 
one-liner:

ikev2 esp from 172.16.1.2 to 172.16.1.3

However iked does not appear to be sending out any packets ?  Which I thought 
would be the case in its default active mode ?  It seems to just load the 
config and then sit there doing nothing ?

$ doas iked -dvvv
ikev2 "policy1" passive esp inet from 172.16.1.2 to 172.16.1.3 local 172.16.1.2 
peer 172.16.1.3 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type ECDSA length 171
ca_pubkey_serialize: type ECDSA length 124
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: no mobike
ca_privkey_to_method: type ECDSA method ECDSA_384
ca_getkey: received private key type ECDSA length 171
ca_getkey: received public key type ECDSA length 124
ca_dispatch_parent: config reset
ca_reload: local cert type ECDSA
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0



Re: IKED "not a valid authentication mode"

2018-09-10 Thread Tim Jones
> Note that this isn't commenting a line, this is commenting all lines
> that come after it. The parser joins the line first and removes
> comments afterwards, so the config above becomes
>
> ... group curve22519 #childsa enc aes-128 auth hmac-sha2-256 srcid ...
>
> and then everything after the # is ignored. As someone pointed out the
> error is at ikeauth. The error goes away because that line is
> commented out, as are the three that precede it.
>
> You have no idea how many hours I wasted trying to make sense of why
> some configuration changes seemed to have no effect whatsoever, before I
> learned about this. Incidentally, pf.conf uses the same parser, so it
> behaves the same.
>
> Cheers
> Zé


Zé wow.  That's one handy piece of advice. As you say, could save hours and 
days of wasted time. Thank you.
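The parsing order Zé describes is easy to demonstrate. The following is a small model of it in Python, added for this thread and not taken from the iked source: it joins backslash-continued lines first and strips `#` comments afterwards, then runs both the configuration posted in this thread and a corrected version (the disabled childsa line moved out of the continuation onto its own line) through it. The macro names are kept as literal `$` placeholders because their values were withheld in the post.

```python
"""Model of the 'join continuations first, strip comments afterwards' parsing
order described in this thread (added example; not the iked parser itself)."""

# The iked.conf posted in the thread. Raw string, so the trailing backslashes
# stay in the text. Macro values were withheld, so $names are left literal.
BROKEN_CONF = r"""
# MAIN CONFIG
ikev2 esp from $local_subnet to $remote_subnet \
    local $local_ip peer $remote_ip \
    ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
    #childsa enc aes-128 auth hmac-sha2-256\
    srcid $local_ip dstid $remote_ip \
    ikelifetime 4h lifetime 3h bytes 512M \
    ikeauth ecdsa384
"""

# Same rule with the disabled childsa line moved out of the continuation.
FIXED_CONF = r"""
# MAIN CONFIG
# childsa enc aes-128 auth hmac-sha2-256   (disabled, kept for reference)
ikev2 esp from $local_subnet to $remote_subnet \
    local $local_ip peer $remote_ip \
    ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
    srcid $local_ip dstid $remote_ip \
    ikelifetime 4h lifetime 3h bytes 512M \
    ikeauth ecdsa384
"""


def join_continuations(text):
    """Step 1: glue every line ending in a backslash onto the line after it.

    This runs before comments are looked at, which is the whole problem:
    a '#' inside a continued line is carried into the joined line."""
    joined, pending = [], []
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending.append(stripped[:-1].rstrip())
        else:
            pending.append(stripped)
            joined.append(" ".join(pending))
            pending = []
    if pending:                      # file ended inside a continuation
        joined.append(" ".join(pending))
    return joined


def strip_comment(line):
    """Step 2: drop everything from the first '#' and normalise whitespace."""
    return " ".join(line.split("#", 1)[0].split())


def logical_lines(text):
    """What the parser actually sees: non-empty lines after both steps."""
    return [s for s in map(strip_comment, join_continuations(text)) if s]


def missing_keywords(text, keywords=("srcid", "dstid", "ikelifetime", "ikeauth")):
    """Keywords written in the file that never reach the parser."""
    seen = " ".join(logical_lines(text)).split()
    return [k for k in keywords if k not in seen]


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", logical_lines(conf))
        print("  silently lost:", missing_keywords(conf))
```

With the posted file the single rule the parser sees ends at `group curve25519`; the `srcid`, `dstid`, `ikelifetime` and `ikeauth` words are all gone, which is why the error at `ikeauth` disappeared rather than being fixed. A quick way to catch this in any iked.conf or pf.conf is to grep for a `\` at the end of a line that also contains `#`.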



IKED "not a valid authentication mode"

2018-09-10 Thread Tim Jones
Unless I misunderstand the 6.3 docs, the following should be valid :
childsa auth enc chacha20-poly1305 group curve25519

But I get an error "not a valid authentication mode".  If I comment out that 
line, my configuration validates OK.

The same happens if I copy/paste one of the examples from the docs (e.g. 
childsa enc aes-128 auth hmac-sha2-256 )

This is what my /etc/iked.conf looks like (excluding the macro lines, which 
have been withheld to protect the innocent) :

# MAIN CONFIG
ikev2 esp from $local_subnet to $remote_subnet \
    local $local_ip peer $remote_ip \
    ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
    #childsa enc aes-128 auth hmac-sha2-256\
    srcid $local_ip dstid $remote_ip \
    ikelifetime 4h lifetime 3h bytes 512M \
    ikeauth ecdsa384



Re: "Transit" BGPD not announcing learnt routes to neighbors

2018-09-10 Thread Tim Jones


> I think you are mixing up 6.3 code with docs for -current, this was
> changed mid-June:
> https://marc.info/?l=openbsd-cvs&m=152888243922828&w=2
>
> There have been big changes in bgpd since 6.3, there are now methods
> to give a simpler/clearer configuration, and some big improvements in
> performance especially when using some of the newer config. These are
> ongoing, especially this week as a network-focussed hackathon is
> currently taking place.
>
> If you aren't quite happy with how things work in 6.3 (especially for
> performance when filtering is used), I'd strongly recommend re-evaluating
> with -current in a week or so.


Thanks Stuart. Will bear that in mind.




Re: "Transit" BGPD not announcing learnt routes to neighbors

2018-09-09 Thread Tim Jones


> "announce all" is probably missing here, since the default in 6.3 was
> "announce self" and so transit routes would be filtered.
>

Fabulous !  Thanks for that.

I was somewhere along the right lines, but I was confused with talk in the docs 
of "announce all" being no-op which I took to mean "do nothing" i.e. be the 
default.



"Transit" BGPD not announcing learnt routes to neighbors

2018-09-09 Thread Tim Jones
Hi,

I'm working with something in a lab environment at the moment, testing out 
OpenBGPD to see if it can replace "something else" on an internal network.

I have three OpenBSD instances (A <->B<->C), and whilst B is learning routes 
from C, it is not pushing them out to A, no matter how relaxed I make my 
filters.  

On the other hand, going in the other direction, C is learning the default 
route sent by A without problems.

This is on OpenBSD 6.3.

$bgpctl sho nei A-1
  Update statistics:
                 Sent   Received
  Updates           0          1
  Withdraws         0          0
  End-of-Rib        1          1

$bgpctl sho nei C-1
  Update statistics:
                 Sent   Received
  Updates           1          1
  Withdraws         0          0
  End-of-Rib        1          1

$ bgpctl sho ri nei C-1
*>    198.51.100.164/32    198.51.100.164 100 0 64555 i 

AS 64515
router-id 192.0.2.97
socket "/var/www/run/bgpd.rsock" restricted
rde med compare always

# network inet connected  # I have tried both with and without this line

group "A_NETS" {
    neighbor 192.0.2.122 {
    descr "A-1"
    remote-as 64500
    local-address 192.0.2.121
    }
}
group "C_NETS" {
    neighbor 198.51.100.164 {
    descr "C-1"
    remote-as 64555
    local-address 198.51.100.252
    announce default-route
    }
}
match from any set { origin igp }
allow from any
deny to any
allow to any prefix 198.51.100.164/32
allow to any prefix 203.0.113.0/24 prefixlen >= 24 
allow to group "C_NETS"



Re: Running your own mail server

2018-09-09 Thread Tim Jones
Ken,

Putting all the OpenBSD evangelists to one side, there are two things to say.

First, like me, you might use OpenBSD for many things. And like me, you might 
come to the conclusion that using OpenBSD for mail is not one of those 
things. Personally I prefer to use a decent Linux stack for my mail, but I know 
saying that probably amounts to heresy round here, so all I will say is 
"do your homework, test various options, see what works for you".

But the second (far more important) point I want to make is please *THINK 
TWICE* if "running your own mail server" is something you are planning to do on 
your home internet connection.

Why ?

Well, you have all the spammers of this world to thank for the xSP community 
taking "more rigorous" approaches to spam filtering.

I can tell you now that running a mailserver on your home internet connection 
is only likely to lead to many head-scratching "why is Joe not receiving my 
emails ?" moments.

If you are going to run your own personal mailserver, then either: (a) Rent a 
box somewhere else; or
(b) Do it at home, but on a business internet connection where you can jump 
through all the anti-spam hoops without problems (static IP, reverse DNS etc. 
etc. etc., all of which will be difficult or impossible to convince your 
ISP to implement on your typical dollar a month residential connection).



Re: iked support for IKEv2 Message Fragmentation (RFC 7383)

2018-06-19 Thread Tim Stewart
Tim Stewart  writes:

> Hello misc@,
>
> My IKEv2 sessions are occasionally down due to transit networks dropping
> UDP fragments for one reason or another[1].  It happens frequently
> enough that I am considering implementing support for RFC 7383 in
> iked.
>
> Before I dig in, I feel that I should ask if anyone has already started
> on such work.  If not, perhaps someone that is familiar with the code
> could suggest an approach at a high level?
>
> Thanks for any advice,
>
> -TimS
>
>
> [1] Whenever I've asked, the reason is usually something about DDoS
> prevention.

I realize now I should send this to tech@.  My apologies for the noise.

--
Tim Stewart
---
Mail:   t...@stoo.org
Matrix: @tim:stoo.org



iked support for IKEv2 Message Fragmentation (RFC 7383)

2018-06-19 Thread Tim Stewart
Hello misc@,

My IKEv2 sessions are occasionally down due to transit networks dropping
UDP fragments for one reason or another[1].  It happens frequently
enough that I am considering implementing support for RFC 7383 in
iked.

Before I dig in, I feel that I should ask if anyone has already started
on such work.  If not, perhaps someone that is familiar with the code
could suggest an approach at a high level?

Thanks for any advice,

-TimS


[1] Whenever I've asked, the reason is usually something about DDoS
prevention.

--
Tim Stewart
---
Mail:   t...@stoo.org
Matrix: @tim:stoo.org



Re: acme-client new cert error

2018-05-25 Thread Tim van der Molen
I have run into a problem that seems similar to yours. I'm still
debugging it (or rather trying to find the time to do so), but I believe
the problem is that acme-client does not correctly handle the "pending"
status: it is handled as "valid". As a result, the challenge file is
removed before the acme server could verify it.

In my case, disabling the code that removes the challenge file (see diff
below) improves the chance of success. Perhaps that's helpful to you too
as a temporary workaround.

Index: chngproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/chngproc.c,v
retrieving revision 1.12
diff -p -u -r1.12 chngproc.c
--- chngproc.c  24 Jan 2017 13:32:55 -  1.12
+++ chngproc.c  25 May 2018 21:10:39 -
@@ -139,8 +139,10 @@ out:
if (fd != -1)
close(fd);
for (i = 0; i < fsz; i++) {
+#if 0
if (unlink(fs[i]) == -1 && errno != ENOENT)
warn("%s", fs[i]);
+#endif
free(fs[i]);
}
free(fs);
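Review bot: Putting the unlink() under #if 0 drops challenge-file cleanup on every path through `out:`, not only the case where the authorization is still "pending", so tokens accumulate in the challenge directory until someone removes them by hand. As a temporary workaround that is acceptable, but the cause described in the message (a "pending" status being handled as "valid") belongs in the status handling: keep polling until the challenge reports "valid" or "invalid" and only then fall through to this loop, leaving the `if (unlink(fs[i]) == -1 && errno != ENOENT)` cleanup in place.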

Scott Vanderbilt (2018-05-25 22:10 +0200):
> I'm having difficulty creating a new SSL cert for a virtual host I'm just
> standing up for the first time. I get the following error on successive
> attempts:
> 
> urn:acme:error:unauthorized
> Error creating new cert :: authorizations for these names not found or
> expired: aeneas.datagenic.com
> 
> I've verified it's not a web server access issue, as I am able to
> successfully retrieve a static HTML file from the challenge directory
> 
>    aeneas$ curl
> http://aeneas.datagenic.com/.well-known/acme-challenge/test.html
>    Foo
>    aeneas$
> 
> Complete verbose error message, config file, and dmesg follow.
> 
> Thanks in advance for any assistance you can lend.
> 
> 
> 
> aeneas# acme-client -vvAD aeneas.datagenic.com
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: domain
> key exists (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
> creating)
> acme-client: /etc/ssl/acme/private/aeneas.datagenic.com/privkey.pem: loaded
> RSA domain key
> acme-client: /etc/acme/letsencrypt-privkey.pem: loaded RSA account key
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 23.75.196.250
> acme-client: transfer buffer: [{ "key-change":
> "https://acme-v01.api.letsencrypt.org/acme/key-change";, "meta": {
> "caaIdentities": [ "letsencrypt.org" ], "terms-of-service":
> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf";,
> "website": "https://letsencrypt.org"; }, "new-authz":
> "https://acme-v01.api.letsencrypt.org/acme/new-authz";, "new-cert":
> "https://acme-v01.api.letsencrypt.org/acme/new-cert";, "new-reg":
> "https://acme-v01.api.letsencrypt.org/acme/new-reg";, "revoke-cert":
> "https://acme-v01.api.letsencrypt.org/acme/revoke-cert";, "sw0ePngTU-0": 
> "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417";
> }] (658 bytes)
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: req-auth:
> aeneas.datagenic.com
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value":
> "aeneas.datagenic.com" }, "status": "pending", "expires":
> "2018-06-01T19:22:23Z", "challenges": [ { "type": "tls-sni-01", "status":
> "pending", "uri": 
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114624";,
> "token": "TpW1KNEcns3ebXVxbBwYToVOjsMEzR78MWySuyKvdhI" }, { "type":
> "dns-01", "status": "pending", "uri": 
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114625";,
> "token": "Iq66R_OgKJ2VURMLyVxLD8hjnWtLqrjqSYb0L3YRqNU" }, { "type":
> "http-01", "status": "pending", "uri": 
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626";,
> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co" } ], "combinations":
> [ [ 1 ], [ 0 ], [ 2 ] ] }] (998 bytes)
> acme-client:
> /var/www/htdocs/default/acme/iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co:
> created
> acme-client: 
> https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626:
> challenge
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: acme-v01.api.letsencrypt.org: cached
> acme-client: transfer buffer: [{ "type": "http-01", "status": "pending",
> "uri": 
> "https://acme-v01.api.letsencrypt.org/acme/challenge/xFIciSX0MzV47lV98sOT6mojdXIXXfIh_2yiH-dzT6k/4809114626";,
> "token": "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co", "keyAuthorization": 
> "iJcmtseVVljOzlLIKYoN0-Pu5SQ4sLcqmCGgtwUj3co.oHnB0_JsMCOWBPKhfVMYsIDZr_T2Wo-Y5z0fh-cmkA4"
> }] (336 bytes)
> acme-client: 
>

Re: "athn0: could not load firmware" for AR9271

2017-10-14 Thread Tim Stewart
Maximilian Pichler  writes:

> The dmesg is the same as previously (this is on the APU), except for:
> athn0 at pci5 dev 0 function 0 "Atheros AR9281" rev 0x01: apic 2 int 16
> athn0: AR9280 rev 2 (2T2R), ROM rev 22, address xx:xx:xx:xx:xx:e2

I'm debugging some issues with my wle200nx in a PC Engines apu2c4, and I
have a very similar dmesg output:

  athn0 at pci4 dev 0 function 0 "Atheros AR9281" rev 0x01: apic 5 int 16
  athn0: AR9280 rev 2 (2T2R), ROM rev 22, address 04:f0:21:26:d3:28

I am curious, is it expected that the first line says "Atheros AR9281"
and the second says "AR9280"?  In particular, athn(4) makes the AR9281
sound less capable:

  The AR9281 is a single-chip PCIe 802.11n solution.  It exists in PCIe
  Mini Card (XB91) and half Mini Card (HB91) form factors.  It operates in
  the 2GHz spectrum and supports 1 transmit path and 2 receiver paths
  (1T2R).

I will reply with more details if I can better quantify the issues I'm
having.

-TimS

--
Tim Stewart
---
Mail:   t...@stoo.org
Matrix: @tim:stoo.org



iked: NAT Detection and Child SA Rekeying

2017-06-21 Thread Tim Stewart
Hello misc@,

I have discovered what may be an oversight in iked(8)'s NAT detection
code, as well as traffic blocking after the first rekey of the Child SA
when NAT has been detected by one of the IKE daemons.

I have the following passive config on a host with a static IP
(1.2.3.4):

ikev2 "demo" passive esp \
from 10.1.0.0/16 to 10.2.0.0/16 \
local 1.2.3.4 peer any \
lifetime 1m \
rsa

And the following active config on a host with a dynamic IP (currently,
5.6.7.8):

ikev2 "demo" active esp \
from 10.2.0.0/16 to 10.1.0.0/16 \
peer 1.2.3.4 \
rsa

I start iked(8) on both hosts, the active host starts the negotiation
and flows and SAs are set up.  The networks can ping one another and all
is well.  There is no NAT between the hosts on the Internet.  I then
observe two, possibly dependent, problems (full logs at end):


 Problem 1:

The passive host decides that there is a NAT involved due to the active
side's choice of 0.0.0.0 for NAT_DETECTION_SOURCE_IP (see debug logs
below, search for "0.0.0.0:500").  This surprised me--I expected iked(8)
to either 1) figure out what the source IP really would be and use it in
the NAT_DETECTION_SOURCE_IP payload, or 2) add multiple
NAT_DETECTION_SOURCE_IP payloads, one for each possible source address.

I have verified that adding "local 5.6.7.8" to the active config
alongside "peer" causes that address to be used in the
NAT_DETECTION_SOURCE_IP instead of 0.0.0.0, and then no NAT is detected
by the passive host.

Flows and SAs as of Problem 1:

 Passive host:

FLOWS:
flow esp in from 10.2.0.0/16 to 10.1.0.0/16 peer 5.6.7.8 srcid 
FQDN/foo.example.com dstid FQDN/bar.example.com type use
flow esp out from 10.1.0.0/16 to 10.2.0.0/16 peer 5.6.7.8 srcid 
FQDN/foo.example.com dstid FQDN/bar.example.com type require

SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x236518d7 auth hmac-sha2-256 enc aes-256
sa: spi 0x236518d7 auth hmac-sha2-256 enc aes
state mature replay 64 flags 0x404
lifetime_cur: alloc 0 bytes 192 add 1498100037 first 1498100038
lifetime_hard: alloc 0 bytes 536870912 add 60 first 0
lifetime_soft: alloc 0 bytes 478351982 add 53 first 0
address_src: 5.6.7.8
address_dst: 1.2.3.4
identity_src: type fqdn id 0: FQDN/bar.example.com
identity_dst: type fqdn id 0: FQDN/foo.example.com
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100039
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x746f493b auth hmac-sha2-256 enc aes-256
sa: spi 0x746f493b auth hmac-sha2-256 enc aes
state mature replay 64 flags 0x404
lifetime_cur: alloc 0 bytes 168 add 1498100037 first 1498100038
lifetime_hard: alloc 0 bytes 536870912 add 60 first 0
lifetime_soft: alloc 0 bytes 508953624 add 56 first 0
address_src: 1.2.3.4
address_dst: 5.6.7.8
identity_src: type fqdn id 0: FQDN/foo.example.com
identity_dst: type fqdn id 0: FQDN/bar.example.com
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100039

 Active host:

FLOWS:
flow esp in from 10.1.0.0/16 to 10.2.0.0/16 peer 1.2.3.4 srcid 
FQDN/bar.example.com dstid FQDN/foo.example.com type use
flow esp out from 10.2.0.0/16 to 10.1.0.0/16 peer 1.2.3.4 srcid 
FQDN/bar.example.com dstid FQDN/foo.example.com type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x236518d7 auth hmac-sha2-256 enc aes-256
sa: spi 0x236518d7 auth hmac-sha2-256 enc aes
state mature replay 64 flags 0x404
lifetime_cur: alloc 0 bytes 252 add 1498100071 first 1498100072
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 468688306 add 9428 first 0
address_src: 5.6.7.8
address_dst: 1.2.3.4
identity_src: type fqdn id 0: FQDN/bar.example.com
identity_dst: type fqdn id 0: FQDN/foo.example.com
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100074
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x746f493b auth hmac-sha2-256 enc aes-256
sa: spi 0x746f493b auth hmac-sha2-256 enc aes
state mature replay 64 flags 0x404
lifetime_cur: alloc 0 bytes 288 add 1498100071 first 1498100072
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 493921239 add 9936 first 0
address_src: 1.2.3.4
address_dst: 5.6.7.8
identity_src: type fqdn id 0: FQDN/foo.example.com
identity_dst: type fqdn id 0: FQDN/bar.example.com
lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100074


 Problem 2:

Given that NAT has been detected in Problem 1 by the passive host,
rekeying of the Child SA stops further traffic from flowing in either
direction.  I'm not sure how to debug this further.  I have verified via
pflog that no packets are being dropped by pf.  (This rekeying is also
included in the debug logs belo

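The NAT detection check behind Problem 1, as an added example (not code from iked(8) or from this thread): a model of the IKEv2 NAT_DETECTION_SOURCE_IP rule from RFC 7296 section 2.23, run over a constructed IKE_SA_INIT exchange between 5.6.7.8 and 1.2.3.4 with the SPI values below made up for the example. It shows why hashing 0.0.0.0 makes the passive host conclude a NAT is present, and that either of the two fixes Tim proposes (hash the real local address, or send one payload per candidate address) makes the check pass.

```python
"""Added example, not part of the iked(8) thread: a model of the IKEv2
NAT_DETECTION_SOURCE_IP check (RFC 7296, section 2.23) showing why the
passive host in the thread detects a NAT when the active side hashes 0.0.0.0
instead of its real source address."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Payload data of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    notification: SHA-1 over SPIi, SPIr, the IP address and the 2-byte port,
    all in the byte order they appear on the wire."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def build_source_payloads(spi_i: bytes, spi_r: bytes, candidate_ips, port: int = IKE_PORT):
    """What the initiator puts in its IKE_SA_INIT request: one
    NAT_DETECTION_SOURCE_IP notification per source address it might use."""
    return [nat_detection_hash(spi_i, spi_r, ip, port) for ip in candidate_ips]


def responder_detects_nat(received_payloads, spi_i: bytes, spi_r: bytes,
                          observed_ip: str, observed_port: int) -> bool:
    """Responder-side rule: the initiator is considered to be behind a NAT if
    none of the hashes it sent matches the address and port the request was
    actually received from."""
    expected = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return expected not in received_payloads


# Constructed sample exchange modelled on the thread: active host 5.6.7.8
# talks to passive host 1.2.3.4 over UDP/500 with no NAT in between.
SPI_I = bytes.fromhex("0011223344556677")   # constructed initiator SPI
SPI_R = bytes(8)                            # responder SPI is zero in the IKE_SA_INIT request
ACTIVE_HOST = "5.6.7.8"
OBSERVED_SRC = (ACTIVE_HOST, IKE_PORT)      # what the passive host sees on the wire


def scenario(candidate_ips) -> bool:
    """Build the active side's payloads for one choice of source addresses
    and return True if the passive host would detect a NAT."""
    payloads = build_source_payloads(SPI_I, SPI_R, candidate_ips)
    return responder_detects_nat(payloads, SPI_I, SPI_R, *OBSERVED_SRC)


def problem_1_without_local() -> bool:
    """Active config has 'peer 1.2.3.4' but no 'local': the source address is
    not known when the payload is built, so 0.0.0.0 is hashed."""
    return scenario(["0.0.0.0"])


def fixed_with_local() -> bool:
    """Active config carries 'local 5.6.7.8': the real address is hashed."""
    return scenario([ACTIVE_HOST])


def fixed_with_multiple_candidates() -> bool:
    """Second option from the thread: one payload per possible source
    address; the responder only needs one of them to match."""
    return scenario(["10.2.0.1", ACTIVE_HOST, "192.0.2.10"])


if __name__ == "__main__":
    print("no 'local', hashes 0.0.0.0 -> NAT detected:", problem_1_without_local())
    print("'local 5.6.7.8'            -> NAT detected:", fixed_with_local())
    print("one payload per candidate  -> NAT detected:", fixed_with_multiple_candidates())
```
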
Re: Can't connect from StrongSWAN to OpenBSD's iked

2017-06-21 Thread Tim Stewart
theblo...@gmail.com writes:

> Thank you for your help!

No problem!

> I’ve been meaning to use the patch but I still hadn’t the time to test
> it. I will probably do it in the future and report back with problems
> if I get them. Either way I’ll be watching out for news about this.

I plan to stay active on this topic, so watch that tech@ thread for more
details.

>> On 19/06/2017, at 05:07, Tim Stewart  wrote:
>>
>> theblo...@gmail.com writes:
>>
>>> Hello,
>>>
>>> I’ve been trying to create an IPSec VPN in my OpenBSD computer and
>>> every time I connect my Android phone (running StrongSWAN) to the
>>> server I get the following errors in the logs (running iked -dvvv):
>>>
>>>> ikev2_sa_responder_dh: invalid dh, size 4096
>>>> ikev2_resp_recv: failed to get IKE SA keys
>>
>> The problem is that iked(8) does not know how to perform Diffie-Hellman
>> group negotiation.  I have an incomplete fix for this issue:
>>
>>  https://marc.info/?l=openbsd-tech&m=149499865830823
>>
>> You can try the patch in that thread and see if it allows you to
>> complete negotiation.  The first patch is probably better, but I think
>> it breaks rekeying of child SAs.

I failed to mention that the referenced patch was motivated specifically
by strongSwan support.  On Android, strongSwan uses ECP_256 in its
initial IKE_SA_INIT request which is different than the policy I had at
the time, so I attempted to add negotiation support (it worked).

>> I'm working on a better fix right now.  I hope to have something more
>> correct to submit to the above thread this week.
>>
>>> My iked.conf is:
>>>
>>>> ikev2 "base" from any to any \
>>>>  peer any \
>>>>  ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \
>>>>  childsa enc aes-256 auth hmac-sha2-512 group modp4096 \
>>>>  config address 192.168.2.0/24 \
>>>>  config name-server 192.168.1.254 \
>>>>  config access-server 192.168.1.254
>>>
>>> I’m using 4096 keys and modp4096 but AFAIK both the server and the
>>> client support them. I’m not sure where to start troubleshooting the
>>> problem and could use some help.

Instead of the patch, you could also try specifying "group ecp256"
within the ikesa line above.  In theory this removes the needs for DH
group negotiation.  Strangely, I don't remember if I tried this before.

>>> Thanks in advance.
>>
>> I don't see anything obviously wrong here.

--
Tim Stewart
---
Mail:   t...@stoo.org
Matrix: @tim:stoo.org



Re: Can't connect from StrongSWAN to OpenBSD's iked

2017-06-18 Thread Tim Stewart
theblo...@gmail.com writes:

> Hello,
>
> I’ve been trying to create an IPSec VPN in my OpenBSD computer and
> every time I connect my Android phone (running StrongSWAN) to the
> server I get the following errors in the logs (running iked -dvvv):
>
>> ikev2_sa_responder_dh: invalid dh, size 4096
>> ikev2_resp_recv: failed to get IKE SA keys

The problem is that iked(8) does not know how to perform Diffie-Hellman
group negotiation.  I have an incomplete fix for this issue:

  https://marc.info/?l=openbsd-tech&m=149499865830823

You can try the patch in that thread and see if it allows you to
complete negotiation.  The first patch is probably better, but I think
it breaks rekeying of child SAs.

I'm working on a better fix right now.  I hope to have something more
correct to submit to the above thread this week.

> My iked.conf is:
>
>> ikev2 "base" from any to any \
>>   peer any \
>>   ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \
>>   childsa enc aes-256 auth hmac-sha2-512 group modp4096 \
>>   config address 192.168.2.0/24 \
>>   config name-server 192.168.1.254 \
>>   config access-server 192.168.1.254
>
> I’m using 4096 keys and modp4096 but AFAIK both the server and the
> client support them. I’m not sure where to start troubleshooting the
> problem and could use some help.
>
> Thanks in advance.

I don't see anything obviously wrong here.

-TimS

--
Tim Stewart
---
Mail:   t...@stoo.org
Matrix: @tim:stoo.org



Re: can't find fstab entry ?

2016-09-11 Thread Tim Hoddy
On Saturday 10 Sep 2016 13:54:50 Theo de Raadt wrote:
 
> Summary: The OP has a learning disability.  He should probably stay in
> Linux land, where the field is large, and his inability can remain
> hidden.  See, once again I am not insulting Linux.

You sell OpenBSD short somewhat.

I've vast amounts of inability but I get on with OpenBSD just fine.

But then I take time to read OpenBSD's excellent documentation - FAQs and man 
pages, etc.

Gratefully

Tim H



s/specifies to/specifies how to/ in elf.5

2016-09-06 Thread Tim Kuijsten

Index: elf.5
===
RCS file: /cvs/src/share/man/man5/elf.5,v
retrieving revision 1.27
diff -u -p -r1.27 elf.5
--- elf.5   10 Sep 2015 17:55:21 -  1.27
+++ elf.5   7 Sep 2016 00:35:29 -
@@ -147,7 +147,7 @@ typedef struct {
 The fields have the following meanings:
 .Bl -tag -width "e_phentsize" -offset indent
 .It Dv e_ident
-This array of bytes specifies to interpret the file,
+This array of bytes specifies how to interpret the file,
 independent of the processor or the file's remaining contents.
 Within this array everything is named by macros, which start with
 the prefix



Re: Packet loss on traffic flowing between VLANs

2016-06-02 Thread Tim Korn
Hi Evgeniy,
Thank you for your reply.  The states hard limit was the problem.  The
default limit is quite low :)


--
Tim Korn
Network Ninja


On Thu, Jun 2, 2016 at 3:48 AM, Evgeniy Sudyr  wrote:

> Tim,
>
> from your problem description I can suggest you to check if you are not
> hitting
>
> states hard limit with (note - during load when you can reproduce issue):
>
> pfctl -si
> pfctl -sm
>
> Default limit is: stateshard limit1
>
> --
> Evgeniy
>
> On Thu, Jun 2, 2016 at 3:29 AM, Tim Korn  wrote:
> > Hi.  I have a pair of openBSD boxes (5.8) setup as a core/firewall.  I
> have
> > ten VLANs tied to a physical NIC (Intel 82599).  This is a new setup and
> it
> > was just recently put in service.  Traffic was fine (or at least we
> didn't
> > notice any issues) until a large job was run which roughly doubled
> traffic
> > going thru the firewall.  Traffic rate is still extremely low... roughly
> 2k
> > packets per second on the interface in question and around 20Mb.  I have
> > other identical openBSD boxes that don't use VLANs, and they pass
> multiple
> > gigs of traffic per second, so I'm having a hard time not leaning towards
> > it being a VLAN issue, however I don't know where to look to prove it.
> >
> > If a host in vlan100 pings a host in vlan101 I see packet loss on the
> first
> > few packets, than all subsequent packets pass.  Stopping and restarting
> the
> > ping results in the same thing: first few pings lost, then responses
> and
> > never fail again until the ping is stopped and restarted.  We see this
> > behavior with pretty much any new connection.  I can replicate it
> > consistently with ICMP, TCP, and UDP traffic.
> >
> > PF ruleset is quite basic.  Simple *pass in* rules on the VLANs and *pass
> > out* is allowed on all interfaces.  icmp has a rule at the top saying
> "pass
> > log quick proto icmp".  i really don't think theres a pf issue of any
> kind.
> >
> > I've run a tcpdump to confirm that packets come in on vlan100, and never
> > leave vlan101.  Here is an example:
> >
> > Ping from host in vlan100 (you can see the seq start at 9.  first 8
> > never left the firewall):
> > [root@pakkit ~]# ping 10.95.1.50
> > PING 10.95.1.50 (10.95.1.50) 56(84) bytes of data.
> > 64 bytes from 10.95.1.50: icmp_seq=9 ttl=63 time=0.263 ms
> > 64 bytes from 10.95.1.50: icmp_seq=10 ttl=63 time=0.341 ms
> > 64 bytes from 10.95.1.50: icmp_seq=11 ttl=63 time=0.335 ms
> > 64 bytes from 10.95.1.50: icmp_seq=12 ttl=63 time=0.348 ms
> > 64 bytes from 10.95.1.50: icmp_seq=13 ttl=63 time=0.348 ms
> >
> >
> >
> > tcpdump on vlan100 showing 13 echo requests:
> > [root@pci-ny2-fw1:~ (master)] tcpdump -neti vlan100 host 10.95.0.5 and
> > host 10.95.1.50
> > tcpdump: listening on vlan100, link-type EN10MB
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 24:6e:96:04:1b:d8 00:0c:29:16:f7:bf 0800 98: 10.95.1.50 > 10.95.0.5:
> > icmp: echo reply
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 24:6e:96:04:1b:d8 00:0c:29:16:f7:bf 0800 98: 10.95.1.50 > 10.95.0.5:
> > icmp: echo reply
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 24:6e:96:04:1b:d8 00:0c:29:16:f7:bf 0800 98: 10.95.1.50 > 10.95.0.5:
> > icmp: echo reply
> > 00:0c:29:16:f7:bf 00:00:5e:00:01:64 0800 98: 10.95.0.5 > 10.95.1.50:
> > icmp: echo request (DF)
> > 24:6e:96:04:1b:d8 00:0c:29:16:f7:bf 0800 98: 10.95.1.50 > 10.95.0.5:
> > icmp: echo reply
> > 00:0c:29:16:f7:bf 0

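A check for the condition this thread ends on, added here as an example (not code from the thread or from pf): it parses `pfctl -si` and `pfctl -sm` output and warns when the state table is close to its hard limit. The two output samples are constructed for the example; on a live box, feed it the real output. Raising the limit is done with `set limit states N` in pf.conf.

```python
"""Added example, not code from the thread: parse pfctl(8) status output and
warn when pf's state table is near its hard limit, the cause Evgeniy pointed
at and Tim confirmed."""
import re

# Constructed sample of `pfctl -si` (only the State Table lines matter here).
SAMPLE_SI = """\
Status: Enabled for 3 days 04:12:51           Debug: err

State Table                          Total             Rate
  current entries                     9987
  searches                      2839471234        10699.8/s
  inserts                         51232441          193.0/s
  removals                        51222454          193.0/s
"""

# Constructed sample of `pfctl -sm`.
SAMPLE_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000
"""


def parse_current_states(si_output: str) -> int:
    """Pull 'current entries' out of the State Table section of pfctl -si."""
    m = re.search(r"^\s*current entries\s+(\d+)", si_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'current entries' line in pfctl -si output")
    return int(m.group(1))


def parse_hard_limit(sm_output: str, name: str = "states") -> int:
    """Pull the hard limit for one pool (default: states) out of pfctl -sm."""
    m = re.search(rf"^{re.escape(name)}\s+hard limit\s+(\d+)", sm_output, re.MULTILINE)
    if m is None:
        raise ValueError(f"no '{name} hard limit' line in pfctl -sm output")
    return int(m.group(1))


def state_table_check(si_output: str, sm_output: str, warn_ratio: float = 0.8) -> dict:
    """Compare the current state count against the hard limit.

    Once the table is full, pf cannot create a state for a new connection,
    so that connection's first packets are dropped until an old state
    expires: the 'first few pings lost' symptom from the thread.
    """
    current = parse_current_states(si_output)
    limit = parse_hard_limit(sm_output)
    ratio = current / limit
    return {
        "current": current,
        "limit": limit,
        "headroom": limit - current,
        "ratio": round(ratio, 3),
        "alarm": ratio >= warn_ratio,
    }


if __name__ == "__main__":
    result = state_table_check(SAMPLE_SI, SAMPLE_SM)
    status = "WARNING: raise 'set limit states' in pf.conf" if result["alarm"] else "ok"
    print(f"pf states: {result['current']}/{result['limit']} "
          f"({result['ratio']:.0%} used, {result['headroom']} free) -> {status}")
```
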
Packet loss on traffic flowing between VLANs

2016-06-01 Thread Tim Korn
packets received by filter
0 packets dropped by kernel

Any help would be greatly appreciated.  This is causing massive slowdowns
for all traffic flowing thru this firewall.  Thank you for your time.

-Tim



Re: Upgrade to 5.9 full disk encryption

2016-04-15 Thread Tim Hoddy
On 15 April 2016 23:04:45 BST, Bryan Everly  wrote:
>Boot the installer. Exit to the shell. Then do:
>
>bioctl -c C -l /dev/sd0a softraid0
>
>(Substitute for your actual device that is the softraid container).
>You will be prompted for your password.
>
>Watch for the console message telling you what it mounted as. Then
>type exit to return to the installer and upgrade that disk.
>
>Thanks,
>Bryan
>
>> On Apr 15, 2016, at 5:56 PM, Jack J. Woehr  wrote:
>>
>> How does one upgrade a full-disk encrypted OpenBSD boot disk?


The original question is not clear.

Your instruction will involve an overwrite of a previous install and is, 
therefore, not an "upgrade".



Re: doas.conf cmd with argument(s)

2016-04-03 Thread Tim van der Molen
Philip Guenther (2016-04-01 23:47 +0200):
> Sooo close.  To quote doas.conf(5):
> 
>  The rules have the following format:
> 
>permit|deny [options] identity [as target] [cmd command [args ...]]
...
> 'args' is *literal* there, so the correct config line would be
> permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd

I think doas.conf(5) is misleading here: the ellipsis in "args ..."
implies that "args" is an argument that may be given multiple times.

Hence "args ..." should be replaced by "args [arg ...]" as done in the
diff below. (Unfortunately, with this diff the rule format will no
longer fit on one line.)

Index: doas.conf.5
===
RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
retrieving revision 1.18
diff -p -u -r1.18 doas.conf.5
--- doas.conf.5 2 Jan 2016 08:34:47 -   1.18
+++ doas.conf.5 3 Apr 2016 22:25:17 -
@@ -35,7 +35,7 @@ The rules have the following format:
 .Op Ar options
 .Ar identity
 .Op Ic as Ar target
-.Op Ic cmd Ar command Op Ic args ...
+.Op Ic cmd Ar command Op Ic args Op Ar arg ...
 .Ed
 .Pp
 Rules consist of the following parts:
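Review bot: as the message notes, the rule format line will now wrap in an 80-column render, so check the rendered display with mandoc -Tlint and a terminal render before committing; the nested `.Op Ic cmd Ar command Op Ic args Op Ar arg ...` is valid mdoc, but the break point the formatter picks inside the display is worth a look.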
@@ -78,7 +78,7 @@ Be advised that it's best to specify abs
 If a cmd is specified, only a restricted
 .Ev PATH
 will be searched.
-.It Ic args ...
+.It Ic args Op Ar arg ...
 Arguments to command.
 If specified, the command arguments provided by the user
 need to match for the command to be successful.
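Review bot: with `arg` now optional, the description should say what a bare `args` (no arg) matches; "Arguments to command. If specified, the command arguments provided by the user need to match" covers the case with arguments but leaves a reader guessing whether `cmd /usr/sbin/rcctl args` requires an argument-free invocation or allows any arguments. One added sentence in this paragraph stating which it is, after confirming against the matching code, would close that gap.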



Re: typo in calendar.music

2016-03-27 Thread Tim van der Molen
Carson Chittom (2016-03-27 15:00 +0200):
> In my daily email this morning from calendar(1), I noticed that
> tomorrow's entry for Sergei Rachmaninov in calendar.music has a typo: it
> should be "Beverly" rather than "Beverley".  Just thought I'd point it
> out.

Fixed; thanks!



Re: httpd slowcgi permission advice

2016-03-25 Thread Tim van der Molen
Byron Klippert (2016-03-25 18:37 +0100):
> CGI script:
> #!/bin/ksh
> printf "Content-type: text/html\n\n"
> printf "Hello!\n"
> printf "\n"
> printf "`doas pfctl -sr`"
>  
> 
> doas.conf:
> permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
> permit nopass www as root cmd /sbin/pfctl
> ^
> 
> httpd debug output:
> doas:
> Operation not permitted

You have "/sbin/pfctl" in doas.conf, so you should do "doas /sbin/pfctl"
rather than "doas pfctl".



recompile packages to include base / libressl errata?

2015-10-21 Thread Tim Kuijsten
I'm following 5.7-stable but I'm not confident if my dovecot server has 
the recent OBJ_obj2txt fix (019) for its tls connections. Should I 
start using the dovecot port and recompile instead of using the dovecot 
package in order to get the fix? I'm using dovecot with IMAP over tls.


Furthermore, is ldd and the knowledge if a package uses tls enough to 
determine if a package has to be recompiled or not? If so, am I correct 
to conclude that postfix does not have to be recompiled because it 
dynamically links libssl.so.32.0 and libcrypto.so.32.0?


-Tim



Re: mini itx from intel

2015-10-03 Thread Tim Kuijsten

On 03-10-15 at 02:45 Brian Conway wrote:

FYI- My 2820 won't boot reliably headless without an HDMI dummy plug
attached (such as


my NUC 5CPYH won't boot either without an hdmi cable attached.



Re: X security claims in FAQ considering Xorg setuid root binary (was: Slightly OT, .. 5.5 Nagios)

2015-09-29 Thread Tim Kuijsten

On 28-09-15 at 23:29 Philip Guenther wrote:

On Mon, Sep 28, 2015 at 1:31 PM, L. V. Lammert  wrote:
...

X has never been installed on this box, .. why now?


http://www.openbsd.org/faq/faq4.html#FilesNeededX



From the FAQ:
"By itself, installing X on a system does not change the risk of 
external security issues."


I might be misinterpreting "external" here, but considering some files 
from the X sets[1], wouldn't the following be more accurate: "Installing 
X adds one setuid root binary and some setgid non-root binaries on a 
system, but apart from that does not change the risk of external 
security issues."?


[1] from xbase57.tgz and xserv57.tgz:
-rwsr-xr-x  1 root  wheel  2651992 Aug 12 15:28 /usr/X11R6/bin/Xorg
-rwxr-sr-x  1 root  auth   2970888 Mar  7  2015 /usr/X11R6/bin/xlock
-rwxr-sr-x  1 root  utmp594648 Aug 12 15:24 /usr/X11R6/bin/xterm



Re: Cheap hardware for router, perhaps fileserver?

2015-09-20 Thread Tim Kuijsten

On 20-09-15 at 11:23 Mark Carroll wrote:

 even to the level of Intel NUCs which look pretty good if
their hardware is solid.


I've recently installed an Intel NUC NUC5CPYH to be used as a quiet low 
power sftp file server. Support for the nic is recently added and the 
machine works perfectly for sftp with only a few users (really not sure 
what the maximum amount of users would be).


http://marc.info/?l=openbsd-misc&m=144148311202959&w=2



Re: dmesg Intel NUC NUC5CPYH

2015-09-05 Thread Tim Kuijsten

On 04-09-15 at 21:06 Tim Kuijsten wrote:

On 04-09-15 at 21:01 Ted Unangst wrote:

Tim Kuijsten wrote:

tl;dr no network, dmesg for 5.7 release, 5.8 current mp and sp included.


With 5.7 release a dhcp response is received, but no other addresses
than the one that is assigned to the machine can be pinged (the dhcp
server is in the arp cache, but no ping reply is received from it).


jsg committed a fix for the ethernet earlier today.

the wifi won't be supported for some time though.



wow, that would be awesome! I'll test a new snapshot as soon as they
become available.

(this will be a small low power sftp server that won't use wifi anyway).


The network is indeed functional now with the snapshot from today, super! 
Special thanks to jsg, tedu and brad, I will increase my 
number-of-openbsd-boxes donation multiplier. :)


I'll add another dmesg, sysctl hw.sensors and apm output of the mp 
kernel (still figuring out who is using the duplicate ip-address, I 
assume it's not a problem in the driver).


OpenBSD 5.8-current (GENERIC.MP) #1347: Sat Sep  5 01:11:49 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8489840640 (8096MB)
avail mem = 8228626432 (7847MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT 
CSRT SSDT
acpi0: wakeup devices PS2K(S3) PS2M(S3) XHC1(S4) HDEF(S4) PXSX(S4) 
RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) BRCM(S0) 
BRC1(S0) PWRB(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N3050 @ 1.60GHz, 1600.40 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 80MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Celeron(R) CPU N3050 @ 1.60GHz, 1600.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 2, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0
C2: state 6: substate 8 >= num 3
C3: state 7: substate 4 >= num 3: C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0
C2: state 6: substate 8 >= num 3
C3: state 7: substate 4 >= num 3: C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: CLK0, resource for CAMD
acpipwrres1 at acpi0: CLK0
acpipwrres2 at acpi0: CLK1, resource for CAM3
acpipwrres3 at acpi0: USBC, resource for XHC1
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PWRB
acpibtn2 at acpi0: SLPB
acpivideo0 at acpi0: GFX0
cpu0: Enhanced SpeedStep 1600 MHz: speeds: 1601, 1600, 1520, 1440, 1360, 
1280, 1200, 1120, 1040, 960, 880, 800, 720, 640, 560, 480 MHz

pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Braswell Host" rev 0x21
vga1 at pci0 dev 2 function 0 "Intel HD Graphics" rev 0x21
intagp at vga1 not configured
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ahci0 at pci0 dev 19 function 0 "Intel Braswell AHCI" rev 0x21: msi, 
AHCI 1.3.1

ahci0: port 0: 6.0Gb/s
ahci0: PHY offline on port 1
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct 
fixed naa.500a0751f0096edf

sd0: 238475MB, 512 bytes/sector, 488397168 sectors, thin
xhci0 at pci0 dev 20 function 0 "Intel Braswell xHCI" rev 0x21: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel Braswell SIO DMA" rev 0x21 at pci0 dev 24 function 0 not configured
"Intel Braswell SIO I2C" rev 0x21 at pci0 dev 24 function 6 not configured
"Intel Braswell SIO I2C" rev 0x21 at pci0 dev 24 function 7 not configured
"Intel Baswell TXE" rev 0x21 at pci0 dev 26 function 0 not configured
ppb0 at pci0 dev 28 function 0 &q

Re: dmesg Intel NUC5CPYH

2015-09-04 Thread Tim Kuijsten

On 04-09-15 at 21:01 Ted Unangst wrote:

Tim Kuijsten wrote:

tl;dr no network, dmesg for 5.7 release, 5.8 current mp and sp included.


With 5.7 release a dhcp response is received, but no other addresses
than the one that is assigned to the machine can be pinged (the dhcp
server is in the arp cache, but no ping reply is received from it).


jsg committed a fix for the ethernet earlier today.

the wifi won't be supported for some time though.



wow, that would be awesome! I'll test a new snapshot as soon as they 
become available.


(this will be a small low power sftp server that won't use wifi anyway).



dmesg Intel NUC5CPYH

2015-09-04 Thread Tim Kuijsten

tl;dr no network, dmesg for 5.7 release, 5.8 current mp and sp included.


With 5.7 release a dhcp response is received, but no other addresses 
than the one that is assigned to the machine can be pinged (the dhcp 
server is in the arp cache, but no ping reply is received from it).


with 5.8 no dhcp response is received (and after a timeout the one that 
was received with 5.7 is reused, but the network is still non-functional).


I had to disable Legacy USB support in the bios, otherwise the system 
boot hangs at "uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 
1". If I remember correctly this is only since I've updated the bios and 
was not a problem with the original (pre-June).



dmesg for 5.7 mp, current mp and current sp:

OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar  8 11:04:17 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8489840640 (8096MB)
avail mem = 8259919872 (7877MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xedc60 (49 entries)
bios0: vendor Intel Corp. version "PYBSWCEL.86A.0031.2015.0601.1712" 
date 06/01/2015

bios0: Intel Corporation NUC5CPYB
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT 
CSRT SSDT
acpi0: wakeup devices PS2K(S3) PS2M(S3) XHC1(S4) HDEF(S4) PXSX(S4) 
RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) BRCM(S0) 
BRC1(S0) PWRB(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N3050 @ 1.60GHz, 1600.35 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 79MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0, IBE
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Celeron(R) CPU N3050 @ 1.60GHz, 1600.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 2, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3, C1, PSS
acpicpu1 at acpi0: C3, C1, PSS
acpipwrres0 at acpi0: CLK0, resource for CAMD
acpipwrres1 at acpi0: CLK0
acpipwrres2 at acpi0: CLK1, resource for CAM3
acpipwrres3 at acpi0: USBC, resource for XHC1
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PWRB
acpibtn2 at acpi0: SLPB
acpivideo0 at acpi0: GFX0
cpu0: Enhanced SpeedStep 1600 MHz: speeds: 1601, 1600, 1520, 1440, 1360, 
1280, 1200, 1120, 1040, 960, 880, 800, 720, 640, 560, 480 MHz

pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x2280 
rev 0x21
vga1 at pci0 dev 2 function 0 vendor "Intel", unknown product 0x22b1 rev 
0x21

intagp at vga1 not configured
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ahci0 at pci0 dev 19 function 0 vendor "Intel", unknown product 0x22a3 
rev 0x21: msi, AHCI 1.3.1

ahci0: PHY offline on port 1
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct 
fixed naa.500a0751f0096edf

sd0: 238475MB, 512 bytes/sector, 488397168 sectors, thin
xhci0 at pci0 dev 20 function 0 vendor "Intel", unknown product 0x22b5 
rev 0x21: msi

usb0 at xhci0: USB revision 3.0
uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
vendor "Intel", unknown product 0x22c0 (class system subclass 8237 DMA, 
rev 0x21) at pci0 dev 24 function 0 not configured
vendor "Intel", unknown product 0x22c6 (class serial bus unknown 
subclass 0x80, rev 0x21) at pci0 dev 24 function 6 not configured
vendor "Intel", unknown product 0x22c7 (class serial bus unknown 
subclass 0x80, rev 0x21) at pci0 dev 24 function 7 not configured
vendor "Intel", unknown product 0x2298 (class crypto subclass 
miscellaneous, rev 0x21) at pci0 dev 26 function 0 not configured
ppb0 at pci0 dev 28 function 0 vendor "Intel", unknown product 0x22c8 
rev 0x21: msi

pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 vendor "Intel", unknown product 0x22ca 
rev 0x21: msi

pci2

Re: NSA transition to quantum resistant algorithms

2015-08-18 Thread Tim Kuijsten

On 15-08-15 at 21:14 Devin Reade wrote:

Interesting background info, including recommended minimum key sizes during the 
interim:





I find it interesting that symmetric ciphers like 256 bit AES are 
probably quantum resistant[0], while all currently used public key 
systems can be easily broken with quantum computers (because they're 
based on integer factorization and discrete logarithms). So any traffic 
recorded today[1] that is using Diffie-Hellman key exchange will be 
easily broken in the not so far future. This has made me appreciate 
pre-shared key systems again.


[0] 
https://en.wikipedia.org/wiki/Post-quantum_cryptography#Symmetric_Key_Based_Cryptography
[1] "It is the first facility in the world expected to gather and house 
a yottabyte – or one thousand trillion gigabytes – of data." 
http://blog.governor.utah.gov/2012/02/2012-energy-summit/




Re: cert.pem 400 after updating stable 5.7

2015-08-13 Thread Tim Kuijsten

On 13-08-15 at 14:59 Tim Kuijsten wrote:

Every time I update my 5.7 systems by following stable the permissions
of /etc/ssl/cert.pem are set to 400. Noticed this because OpenSMTPD
stopped sending mail since it can not verify ssl connections: TempFail,
"stat=Network error on destination MXs".

Cheers,

-Tim



Found it :/

# umask
077



cert.pem 400 after updating stable 5.7

2015-08-13 Thread Tim Kuijsten
Every time I update my 5.7 systems by following stable the permissions 
of /etc/ssl/cert.pem are set to 400. Noticed this because OpenSMTPD 
stopped sending mail since it can not verify ssl connections: TempFail, 
"stat=Network error on destination MXs".


Cheers,

-Tim



Re: ifconfig.if rtsol autoconf diff

2015-06-08 Thread Tim Kuijsten

On 06-06-15 at 13:24 Florian Obser wrote:

On Fri, Jun 05, 2015 at 03:41:22PM +0200, Tim Kuijsten wrote:

Had some trouble this morning in configuring inet6 on a new laptop.


What problems did you encounter? inet6 autoconf or rtsol in
hostname.if are supposed to work exactly the same.


Mmm, I tried inet6 rtsol instead of just rtsol. Now it works indeed like 
inet6 autoconf. Tnx!


Somehow the static address that was set during install results in some 
routing errors (i.e. "ping6: UDP connect: No route to host") after 
booting into the installed OS. That's why I removed the static address 
and tried rtsol again.


Thanks for the explanation. I have to read a bit more about IPv6.

-Tim




Finally figured out that rtsol is dropped and that the functionality
is moved to the kernel. Diff for hostname.if(5) included. Someone
might want to replace the "rtsol" keyword in the installer as well.


When I moved the SLAAC logic into the kernel the main motivation was
to get rid of rtsol(8). Back then I suggested to change /etc/netstart
and the installer to deprecate the rtsol keyword as well but I got
some objections to that. Maybe we should revisit that.

Note however that rtsol in hostname.if is a keyword, it does not refer
to the (old) /sbin/rtsol binary and never did; exactly the same as the
dhcp keyword - there isn't even a dhcp binary.

So when /etc/netstart encounters the rtsol keyword it executes
ifconfig $if inet6 autoconf.
The same for dhcp, it executes dhclient $if.
inet6 autoconf in hostname.if works, too, because it's passed to
ifconfig by /etc/netstart.

I notice an inconsistency however. I recently changed some kernel bits
so that SLAAC works with net.inet6.ip6.forwarding enabled. This is
needed for RFC 7084 and intended for cpe devices.

While inet6 autoconf works perfectly fine with
net.inet6.ip6.forwarding enabled /etc/netstart will complain if it
encounters the rtsol keyword with forwarding enabled.




Index: hostname.if.5
===
RCS file: /cvs/src/share/man/man5/hostname.if.5,v
retrieving revision 1.62
diff -u -p -r1.62 hostname.if.5
--- hostname.if.5   12 Jul 2014 16:59:06 -  1.62
+++ hostname.if.5   5 Jun 2015 13:30:46 -
@@ -248,26 +248,24 @@ Valid options for a particular interface
  .Pp
  IPv6 stateless address autoconfiguration:
  .Bd -ragged -offset indent
-.Li rtsol
+.Li inet6 autoconf
  .Va options
  .Ed
  .Pp
  The above format has the following field values:
  .Bl -tag -width indent -offset indent
-.It Li rtsol
+.It Li autoconf
  The literal string
-.Dq rtsol
+.Dq autoconf
  if the interface is to be configured using
  IPv6 stateless address autoconfiguration.
  This should be used on single interface hosts only,
  since the IPv6 specifications are silent about the
  behavior on multi-interface hosts.
  Also note that the kernel must be configured as a host (i.e. non-router).
-Add the following line into
-.Xr sysctl.conf 5 :
-.Bd -literal -offset indent
-net.inet6.ip6.forwarding=0
-.Ed
+This is the default. This value deprecates the
+.Dq rtsol
+field value.
  .It Va options
  Miscellaneous options to set on the interface, e.g.,
  .Dq media 100baseTX mediaopt full-duplex .
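Review bot: the hunk drops the instruction to set net.inet6.ip6.forwarding=0 but keeps the context line "Also note that the kernel must be configured as a host (i.e. non-router).", which the reply above says is no longer accurate now that SLAAC works with forwarding enabled; either remove that sentence in the same diff or reword it to say that autoconf works regardless of the forwarding setting. The added wording "This value deprecates the .Dq rtsol field value." also leaves the reader guessing whether the old keyword still works; since /etc/netstart still maps it to "ifconfig $if inet6 autoconf", say so explicitly, e.g. "The .Dq rtsol keyword is deprecated but still accepted."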


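An added example, not OpenBSD's /etc/netstart and not part of the thread: a dry-run shell model of the keyword handling described above (rtsol and inet6 autoconf both become ifconfig $if inet6 autoconf, dhcp becomes dhclient $if, anything else is handed to ifconfig as-is), with the rtsol-plus-forwarding case flagged the way netstart complains about it. Other hostname.if line forms are outside this model, and the interface name and forwarding value are passed in as arguments rather than read from the system.

```shell
#!/bin/sh
# Added example: a dry-run model of the hostname.if(5) keyword handling
# described in the thread. It is NOT /etc/netstart; it only prints the
# commands that would run. Usage: hostname_if_cmds IFNAME FORWARDING < hostname.em0
#   IFNAME      interface name, e.g. em0
#   FORWARDING  current value of net.inet6.ip6.forwarding (0 or 1)
# Returns 1 if the deprecated rtsol keyword was seen with forwarding enabled,
# the combination netstart warns about.
hostname_if_cmds() {
    _if="$1" _fwd="$2" _rc=0
    while read -r _line; do
        case "$_line" in
            ''|'#'*)                         # blank line or comment
                ;;
            dhcp)                            # keyword: there is no dhcp binary
                echo "dhclient $_if" ;;
            rtsol|'rtsol '*)                 # keyword, not the old /sbin/rtsol
                if [ "$_fwd" != 0 ]; then
                    echo "warning: rtsol on $_if with net.inet6.ip6.forwarding=$_fwd" >&2
                    _rc=1
                fi
                # trailing options on the rtsol line are kept for ifconfig
                echo "ifconfig $_if inet6 autoconf${_line#rtsol}" ;;
            *)                               # everything else goes to ifconfig
                echo "ifconfig $_if $_line" ;;
        esac
    done
    return $_rc
}

# Stand-alone demonstration on a constructed file; the non-zero exit is the
# expected warning for rtsol with forwarding enabled.
printf '%s\n' '# constructed hostname.em0' 'inet 192.0.2.10 255.255.255.0' 'rtsol' \
    | hostname_if_cmds em0 1 || :
```

Feeding a real hostname.if file through it before a reboot shows at a glance which lines still use the deprecated spelling and whether a router configuration will trip the warning.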


ifconfig.if rtsol autoconf diff

2015-06-05 Thread Tim Kuijsten
Had some trouble this morning in configuring inet6 on a new laptop. 
Finally figured out that rtsol is dropped and that the functionality is 
moved to the kernel. Diff for hostname.if(5) included. Someone might 
want to replace the "rtsol" keyword in the installer as well.


Index: hostname.if.5
===
RCS file: /cvs/src/share/man/man5/hostname.if.5,v
retrieving revision 1.62
diff -u -p -r1.62 hostname.if.5
--- hostname.if.5   12 Jul 2014 16:59:06 -  1.62
+++ hostname.if.5   5 Jun 2015 13:30:46 -
@@ -248,26 +248,24 @@ Valid options for a particular interface
 .Pp
 IPv6 stateless address autoconfiguration:
 .Bd -ragged -offset indent
-.Li rtsol
+.Li inet6 autoconf
 .Va options
 .Ed
 .Pp
 The above format has the following field values:
 .Bl -tag -width indent -offset indent
-.It Li rtsol
+.It Li autoconf
 The literal string
-.Dq rtsol
+.Dq autoconf
 if the interface is to be configured using
 IPv6 stateless address autoconfiguration.
 This should be used on single interface hosts only,
 since the IPv6 specifications are silent about the
 behavior on multi-interface hosts.
 Also note that the kernel must be configured as a host (i.e. non-router).
-Add the following line into
-.Xr sysctl.conf 5 :
-.Bd -literal -offset indent
-net.inet6.ip6.forwarding=0
-.Ed
+This is the default. This value deprecates the
+.Dq rtsol
+field value.
 .It Va options
 Miscellaneous options to set on the interface, e.g.,
 .Dq media 100baseTX mediaopt full-duplex .
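Review bot: the new tag ".It Li autoconf" and the sentence "The literal string .Dq autoconf" do not match the format block just above, which the same hunk changes to ".Li inet6 autoconf"; document the full "inet6 autoconf" string in both places so the tag describes the line a user actually writes. Two mdoc style points in the added lines: start each new sentence on its own line ("+This is the default. This value deprecates the" should be split after the first sentence), and say what "This is the default" refers to, since after the sysctl.conf paragraph is removed the sentence no longer has the forwarding setting next to it.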



Re: openntpd portable sync fails

2015-05-29 Thread Tim Kuijsten

On 29-05-15 at 20:05, Theo de Raadt wrote:

Just a quick question, why is S in sensors uppercase? Is that not to
confuse it with status?

% ntpctl
usage: ntpctl -s all | peers | Sensors | status


yes...



whoops, should have read a bit better. trustlevel and stratum it is.



Re: openntpd portable sync fails

2015-05-29 Thread Tim Kuijsten

On 29-05-15 at 20:05, Theo de Raadt wrote:

Just a quick question, why is S in sensors uppercase? Is that not to
confuse it with status?

% ntpctl
usage: ntpctl -s all | peers | Sensors | status


yes...



while on the topic. I didn't find an explanation of the header in 
ntpctl(8). I'm curious to what tl and st mean.




Re: chacha20 cipher_algbits is 0

2015-05-25 Thread Tim Kuijsten
PS: this is a cross-post from the postfix-users mailing list, where they 
advised me to contact the LibreSSL developers*.


recap:
> Postfix outputs:
>
> cipher_usebits/cipher_algbits
>
> obtained via:
>
> cipher = SSL_get_current_cipher(ssl);
> cipher_usebits = SSL_CIPHER_get_bits(cipher, &cipher_algbits);
>
> If LibreSSL returns 0 for algbits, that's an artifact of their
> implementation.

-Tim

* http://marc.info/?l=postfix-users&m=143251444523619&w=2



chacha20 cipher_algbits is 0

2015-05-25 Thread Tim Kuijsten
Since I'm running postfix with LibreSSL, some clients encrypt the 
connection using ECDHE-RSA-CHACHA20-POLY1305. Now I'm used to seeing 
headers like "using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 
(128/128 bits)" . But these ChaCha20 headers look like "using TLSv1.2 
with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/0 bits)". I'm wondering 
what the 0 part in 256/0 bits means. I've read it's "the number of bits 
actually used" vs. "the number of bits the algorithm is based on", but 
this sounds confusing to me. Can someone maybe clarify?


Thanks,

Tim



syslogd doesn't daemonize without inet6 since 5.7

2015-05-05 Thread Tim Kuijsten
I've upgraded some 5.6 boxes to 5.7 and found out that syslogd doesn't 
start in daemon mode if there is no inet6 address configured (i.e. 
"-inet6" in hostname.*).


Starting syslogd either in the foreground with -d or binding on inet 
only with -4 makes it start again.


-Tim



Re: [Patch]: calendar entry for King's Birthday in Netherlands

2015-05-01 Thread Tim van der Molen
Paul de Weerd (2015-05-01 21:16 +0200):
> Note that the 27th of April is actually both "Koningsdag" (King's Day)
> and our king's birthday.

You're right, of course. As the day is commonly referred to as "King's
Day", I suggested that.

> | one more question though:
> | 
> | calendar.holiday:12/15  Statue Day in Netherlands Antilles
> 
> This is 'Koninkrijksdag', or "Kingdom day", the day on which the
> charter of the kingdom was signed.  See
> http://en.wikipedia.org/wiki/Koninkrijksdag for a bit more background.
> 
> | i left that entry alone because i couldn't find anything about "statue
> | day". is it really statue?! statute, maybe. but couldn't find out what
> | it was. any takers?
> 
> Given the "signing of the charter", I'm pretty sure what was meant was
> 'statute'.

Perhaps the entry should be changed to "Kingdom Day in the Netherlands".
I quite like Statue Day, though. :-)



Re: [Patch]: calendar entry for King's Birthday in Netherlands

2015-05-01 Thread Tim van der Molen
Einfach Jemand (2015-05-01 03:22 +0200):
> According to
> 
> http://en.wikipedia.org/wiki/Koningsdag
> 
> the Netherlands are no longer celebrating the Queen's Birthday on
> April 30 but the King's birthday on April 27 since 2014.
> 
> The patch below does not reflect the fact that this holiday is shifted
> to April 26 if the 27th is a Sunday.
> 
> Index: calendar.holiday
> ===
> RCS file: /cvs/src/usr.bin/calendar/calendars/calendar.holiday,v
> retrieving revision 1.27
> diff -u -p -r1.27 calendar.holiday
> --- calendar.holiday19 Jan 2015 18:07:47 -  1.27
> +++ calendar.holiday1 May 2015 00:55:33 -
> @@ -472,8 +472,8 @@
> 
>  04/21  Tiradentes in Brazil
>  04/25  Anniversary of the Revolution in Portugal
> +04/27  King's Birthday in Netherlands, Netherlands Antilles
>  04/29  Greenary day in Japan
> -04/30  Queen's Birthday in Netherlands, Netherlands Antilles
>  05/01  Boy's day in Japan
>  05/02  King's Birthday in Lesotho
>  05/05  Battle of Puebla in Mexico
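Review bot: the added entry "+04/27  King's Birthday in Netherlands, Netherlands Antilles" keeps "Netherlands Antilles", which the follow-up in this thread says no longer exists, and uses "King's Birthday" where the holiday is named King's Day; suggest "+04/27  King's Day in Netherlands". The cover note above also states that the observance moves to April 26 when the 27th is a Sunday, and nothing in the entry records that; put it in the description (e.g. "King's Day in Netherlands (April 26 if the 27th is a Sunday)") so the file does not present a fixed date.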

Two further adjustments: "King's Day" is a more accurate translation and
the Netherlands Antilles no longer exist (dissolved a few years ago).



Re: i386 bsd.rd panic

2015-04-27 Thread Tim van der Molen
Theo de Raadt (2015-04-26 16:53 +0200):
> > Eivind Eide (2015-04-26 13:02 +0200):
> > > I've been trying to update this -current machine with the bsd.rd from the
> > > last 4 snapshots,
> > > the last being from "Sun Apr 26 02:22:08 MDT 2015".
> > > However this kernel immediately after reporting how much ram I have panics
> > > with this message:
> > > 
> > > fatal protection fault (4) in supervisor mode
> > > trap type 4 code 0 eip d020204e cs 8 eflags 10006 cr2 0 cpl 0
> > > panic: trap type 4, code=0, pc=d020204e
> > 
> > I see the same when booting bsd.rd (#788, 24 April) on a medieval
> > laptop. Below a dmesg from the currently installed snapshot.
> 
> You don't have a NX bit.  Please try a new snapshot in a few hours.

Problem solved; thanks.



Re: i386 bsd.rd panic

2015-04-26 Thread Tim van der Molen
Eivind Eide (2015-04-26 13:02 +0200):
> I've been trying to update this -current machine with the bsd.rd from the
> last 4 snapshots,
> the last being from "Sun Apr 26 02:22:08 MDT 2015".
> However this kernel immediately after reporting how much ram I have panics
> with this message:
> 
> fatal protection fault (4) in supervisor mode
> trap type 4 code 0 eip d020204e cs 8 eflags 10006 cr2 0 cpl 0
> panic: trap type 4, code=0, pc=d020204e

I see the same when booting bsd.rd (#788, 24 April) on a medieval
laptop. Below a dmesg from the currently installed snapshot.

OpenBSD 5.7-beta (GENERIC) #729: Tue Mar  3 17:40:43 MST 2015
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) III Mobile CPU 933MHz ("GenuineIntel" 686-class) 931 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,SSE,PERF
real mem  = 266747904 (254MB)
avail mem = 250011648 (238MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 07/30/01, BIOS32 rev. 0 @ 0xfd860, SMBIOS rev. 2.3 @ 0xfef (53 entries)
bios0: vendor Phoenix/FUJITSU version "Version  1.06" date 07/30/2001
bios0: FUJITSU SIEMENS LIFEBOOK E Series
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP
acpi0: wakeup devices UAR1(S3) HUB_(S4) DCS1(S4) A97M(S3) LID_(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (HUB_)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, FVS, 933, 733 MHz
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID_
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: CMB1 model "CP021007-XX" serial 1 type LION oem "Fujitsu"
acpibat1 at acpi0: CMB2 not present
acpidock0 at acpi0: DCS3 not docked (0)
acpidock1 at acpi0: DCS1 not docked (0)
acpivideo0 at acpi0: VGA_
bios0: ROM list: 0xc/0xe000
cpu0 at mainbus0: (uniprocessor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82830M Host" rev 0x02
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe000, size 0xe40
ppb0 at pci0 dev 1 function 0 "Intel 82830M AGP" rev 0x02
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 0 function 0 "ATI Radeon Mobility M6" rev 0x00
drm0 at radeondrm0
radeondrm0: irq 11
uhci0 at pci0 dev 29 function 0 "Intel 82801CA/CAM USB" rev 0x01: irq 11
uhci1 at pci0 dev 29 function 2 "Intel 82801CA/CAM USB" rev 0x01: irq 11
ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x41
pci2 at ppb1 bus 2
cbb0 at pci2 dev 10 function 0 "O2 Micro OZ6933 CardBus" rev 0x02: irq 11
cbb1 at pci2 dev 10 function 1 "O2 Micro OZ6933 CardBus" rev 0x02: irq 11
rl0 at pci2 dev 13 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:e0:00:58:97:2d
rlphy0 at rl0 phy 0: RTL internal PHY
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x0, lattimer 0x20
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 "Intel 82801CAM LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801CAM IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 6194MB, 12685680 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 0, DMA mode 1
ichiic0 at pci0 dev 31 function 3 "Intel 82801CA/CAM SMBus" rev 0x01: SMI
iic0 at ichiic0
iic0: addr 0x19 00=00 01=00 02=00 03=00 04=00 05=00 06=00 07=00 08=00 09=00 0a=00 0b=00 0c=00 0d=00 0e=00 0f=00 10=00 11=20 24=00 b9=00 ba=00 words 00= 01= 02= 03= 04= 05= 06= 07=
auich0 at pci0 dev 31 function 5 "Intel 82801CA/CAM AC97" rev 0x01: irq 11, ICH3 AC97
ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at auich0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pms0: ALPS Glidepoint, version 0x7321
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
sd0 at scsibus3 targ 1 lun 0:  SCSI2 0/direct fixed
sd0: 6193MB, 512

Re: C++14 and C11 support sucks in OpenBSDs default compiler - any chance of Clang in base?

2015-03-27 Thread Tim van der Molen
Dmitrij D. Czarkoff (2015-03-27 09:29 +0100):
> Some Developer said:
> > So what are the reasons why OpenBSD has so far shunned Clang and LLDB? Is it
> > missing some extra security features that the OpenBSD team have added to
> > their version of GCC?
> 
> First and foremost it is missing platform support.

Also, as miod@ once explained, before a switch to clang could be made,
intimate knowledge of its internals is needed. Over the years, the
OpenBSD developers have become very familiar with gcc. They are now
working on becoming just as familiar with clang.

Search the archives; this has been discussed before.



Re: bypass xlock/slock

2015-03-09 Thread Tim van der Molen
Alexandre Ratchov (2015-03-09 11:30 +0100):
> On Mon, Mar 09, 2015 at 10:25:28AM +0100, Alex Greif wrote:
> > Hi,
> > 
> > I am currently trying to find a solution to lock my desktop system (openbsd
> > 5.6, amd64), but with the following steps I can always bypass xlock or
> > slock:
> > 
> > - run X session with startx
> > - lock it with xlock or slock
> > - switch to text console 2 (with [CTRL]+[ALT]+[F2])
> > - switch to text console 1, where X server seems to run in foreground. The
> > last message is (II) AIGLX: Suspending AIGLX clients fro VT switch
> > ... now the problem begins...
> > - CTRL-C a few times
> > - xinit is killed
> > - you are in the login shell of the user who locked the screen ... arrgh
> > 
> > Is there a security advice how to prevent killing the X session by switching
> > the text console and killing xinit?
> 
> starting X with "exec startx" prevents ^C from returning to the
> shell

Another solution: startx & lock -np



Re: Quick OpenBSD/thinkpad question

2015-03-07 Thread Tim van der Molen
Dmitrij D. Czarkoff (2015-03-06 23:01 +0100):
> m...@jeremiahford.com said:
> > My question is; Does anyone have any insight into these claims, whether it
> > be proving or disproving?
> 
> With amount of firmware in laptops these days I guess it is effectively
> impossible to disprove backdoor claims.
> 
> Jiri B. said:
> > There are two kinds of this attacks - hardware or software.
> 
> Hardware attacks?  With flamethrowers?

Possibly. Don't tell me you don't run a firewall.



Re: From the military propaganda department

2013-05-28 Thread Tim Nelson
- Original Message -
> Hi.
> 
> If I understand correctly, this is off topic here, as much as generic
> hardware or networking issues or whatever. General cryptology and
> associated legal issues in this sense (again as I understand you) are
> not specific to OpenBSD being vendor neutral issues.
> That said I'm all for this discussion.
> Not to pre-empt others (disregarding the initial negative responses),
> I think you should be aware there's a valid and consistent case to be
> made that this might be one of those cases where you'll get little
> traction.
> My advice, if this thread doesn't get the traction you like; go
> elsewhere.
> Insert quotes from Ben Franklin et al. ... choose your audience.
> 
> Regardless.
> 
> While there's a lot of commonality between the US and some of the
> rest
> of us, we have constitutions of our own (except england of course).
> Please don't fall into the trap that any of this stuff is
> transferable. That's a point of law and it stands.
> I don't have "freedom of speech", the right to keep and bear arms and
> so on.
> FYI, I live in a democracy, not a republic. We're transitive. There's
> a real world difference.
> 
> Nevertheless, Aristotle nailed this.
> http://en.wikipedia.org/wiki/Modes_of_persuasion
> 
> Those ideas are somewhat intertwined but you've failed.
> 
> You've failed on logos - the facts - give some context. Clear
> context.
> Why do I or anyone else here care about rights violations?
> Without that, prima facie this comes off as a rant without relevance
> ... uname(1) or tread lightly.
> 
> You've failed on your pathos - my sympathy or empathy - this is why
> this is definitely in the off topic "decisions to be made" grey area.
> I don't see a clear connection between LEO and OpenBSD here. See
> previous ... uname(1) or tread lightly.
> 
> You've failed to clarify your ethos - I don't believe you. Your
> constitution is enough authority but I'm not seeing it presented
> appropriately. I admire your conjunction of munitions and the second.
> May I use that?
> In this case though, open sauce, crypto, second, etcetera are an
> entirely different issue to the fourth amendment question -
> protection
> against unreasonable search and seizure.
> You've muddied the waters and failed to convince on either account.
> That's the big deal here. The fourth ...
> 
> "The right of the people to be secure in their persons, houses,
> papers, and effects, against unreasonable searches and seizures,
> shall
> not be violated ..."
> http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html#4
> 
> First? Sure. Publish, done. Matter of course. No infringements.
> Right?
> Second? Sure. Sidebar. Again off topic but trivially interesting.
> 
> Rubber hose cryptanalysis, the browbeating or otherwise of citizens
> to
> gain passwords so DHS inter alia, i.e. Border Patrol, can look at
> your
> stuff is strictly a fourth amendment issue (obliquely a fifth).
> That's where you should be thinking.
> You live in a common law country with a written constitution - not
> something to be assumed.
> There's a trodden path. Stand your ground - "no officer ... unless
> you
> provide a warrant based on probable cause I won't be giving you my
> key".
> Go read the fourth ...
> The key is standing your ground.
> Get arrested or worse or combinations of whatever and go from there.
> To paraphrase a founding father:
> "They that can give up essential liberty to purchase a little
> temporary safety, deserve neither liberty nor safety."
> Trees need iron. Blood serves fine. Ask Thomas Jefferson ...
> Good on you for taking an hour out of your life. Give me something
> more than a hypothesis of how bad things are happening that might be
> violations and how people that I care about are affected on the
> ground
> ...
> Get arrested or GTFO ...
> 
> I'm not Armorican. I read your constitution and your bill of rights
> and study your law and your country.
> I've stood up to LEO here. Describe your experience.
> Light on the hill. Get the fuck up there.
> 
> 

Fantastic points, I'd love to hear more, from both sides.

--Tim



Re: Netatalk (Apple Filing Protocol) daemon replies "Something wrong with the volume's CNID DB"

2013-05-01 Thread Tim Leonard
On May 1, 2013 5:54:32 AM EDT, Yoshihisa Matsushita  said:

> From: Tim Leonard 
> Subject: Netatalk (Apple Filing Protocol) daemon replies "Something wrong 
> with the volume's CNID DB"
> Date: Tue, 30 Apr 2013 22:36:40 -0400
> 
>> I'm having a problem using Apple Filing Protocol (AFP) services provided by
>> netatalk on OpenBSD, from an OS X Mountain Lion client.
>> 
>> I have OpenBSD 5.2 running on an old iMac, with the netatalk-2.2.3p0 package.
>> I made no changes to the default configuration beyond editing
>> /etc/netatalk/afpd.conf to assign the server its name and IP address.
>> I started afpd (the AFP daemon provided by netatalk).
> 
> My guess is you forgot starting cnid_metad with afpd.
> 
> Try:
> 
> $ sudo /etc/rc.d/cnid_metad start
> $ sudo /etc/rc.d/afpd start
> 
> and see if this solves the problem.
> 

> Basically afpd and cnid_metad are meant to be used together. 
> Try 'man cnid_metad' for more details.

Yes, that solved the problem.
(Though I first had to stop an instance of afpd that was already running.)

> By the way,
> 
> pkg_scripts="afpd cnid_metad"
> 
> is what you want in your rc.conf.local. 'man rc.conf.local'
> and 'man rc.d' are your friends.

The man pages were a great help.
In order to make sure that cnid_metad gets started first during system startup,
I instead listed the two daemons in the other order in /etc/rc.conf.local:
pkg_scripts="cnid_metad afpd"



Netatalk (Apple Filing Protocol) daemon replies "Something wrong with the volume's CNID DB"

2013-04-30 Thread Tim Leonard
I'm having a problem using Apple Filing Protocol (AFP) services provided by
netatalk on OpenBSD, from an OS X Mountain Lion client.

I have OpenBSD 5.2 running on an old iMac, with the netatalk-2.2.3p0 package.
I made no changes to the default configuration beyond editing
/etc/netatalk/afpd.conf to assign the server its name and IP address.
I started afpd (the AFP daemon provided by netatalk).

From another Mac, I can connect to the resulting server, but get:
Message from server "oldMac"
Something wrong with the volume's CNID DB, using
temporary CNID DB instead.Check server messages
for details. Switching to read-only mode.

I looked for help on the web and found
[Solved] [netatalk] Something wrong with CNID DB - The FreeBSD Forums
(http://forums.freebsd.org/showthread.php?t=20324)
which suggested
1. Stop netatalk.
2. Delete the .AppleDB cnid db in the root of your share(s).
3. Make sure that the cnidscheme is set to dbd in AppleVolumes.default
4. Crucially, make sure that the cnid_metad daemon has been started, by
adding the following line to /etc/rc.conf:
cnid_metad_enable="YES"
5. Start netatalk.

Following that suggestion, I stopped afpd, enabled cnid_metad_enable in
/etc/rc.conf.local, and restarted afpd.
I did not change AppleVolumes.default because the cnidscheme is already dbd by
default.
I did not delete an .AppleDB folder or its contents because none exists
(though there is a .AppleDouble folder).
The changes did not solve the problem.

I also found
609: Mac OS X Mountain Lion & Lion clients receive CNID DB error when
connecting to OMV AFP shares - MantisBT
(http://bugtracker.openmediavault.org/print_bug_page.php?bug_id=609)
which suggested
Edit /etc/netatalk/afpd.conf and change the entry to:
- -tcp -noddp -uamlist uams_dhx.so,uams_dhx2_passwd.so
Edit /etc/default/netatalk and add this line at the end:
AFPD_UAMLIST="-U uams_dhx.so,uams_dhx2_passwd.so"

I added the suggested switches to the configuration line in afpd.conf.
I did not add anything to a /etc/default/netatalk because I don't have such a
file. Other web pages imply that that file is Debian-ish rather than
OpenBSD-ish.
I stopped and restarted afpd.
The changes did not solve the problem.

Do any of you have other suggestions?



How can I turn off the LCD console backlight on an iMac?

2013-03-08 Thread Tim Leonard
Is there any way of turning off an iMac's LCD console backlight, 
with OpenBSD 5.2 running on an iMac (2006)?
(The video card died so the machine is running as a server
in console mode, and I don't want the backlight to burn out.)

If this were a PowerPC Mac, OpenBSD/macppc could do it, with
wsconsctl -w display.backlight=0
but the iMac (2006) has an Intel Core 2 Duo.

I was able to use
wsconsctl display.kbdact=on
to blank the screen so to avoid burn-in, but the backlight is still lit.

If there's no current method, what would it take to port the 
macppc solution to Intel Macs?



Re: no sound azalia(4)

2013-02-27 Thread Tim van der Molen
On Wed, 27 Feb 2013 10:12:31 +0100, Jan Stary wrote:
> On Feb 27 07:59:46, martijn...@gmail.com wrote:
> > On Tue, 2013-02-26 at 23:36 +0100, Jan Stary wrote:
> > > On Feb 26 23:25:17, martijn...@gmail.com wrote:
> > > > Hello misc,
> > > > 
> > > > I'm having troubles setting up my sound system on my openbsd-current
> > > > laptop, a quite old Sony Vaio PCG-7H2M. If anyone has any idea of
> > > > what the problem could be and has tips on how to solve it, it would
> > > > be highly appreciated.
> > > 
> > > What problem are you actually seeing?
> > > How exactly are you trying to play/record
> > > and what exactly is happening?
> > 
> > As the subject says, I have no sound what so ever. I tried playing back
> > a couple of songxx.ogg files via the ogg123 command as suggested per
> > faq/faq13.html. The program seems to run fine, I just can't seem to put
> > it through to my laptop speakers. I can't test for external atm since I
> > have a temporary lack of cable.
> 
> Are you running sndiod?
> Please try again with SIO_DEBUG=1.

For the record, that should be SNDIO_DEBUG.

I don't see any spkr variables in the mixerctl output you posted
previously. That may be an indication of the root of your problem.

Do you get sound from headphones?

Also, to rule out OpenBSD-specific problems, you may want to try a live
CD with Linux or similar and see if you get sound there.

Regards,
Tim



Re: add a daemon user

2013-01-29 Thread Tim Hoddy
On Tuesday 29 Jan 2013 21:52:46 Alexander Hall wrote:

> On 01/29/13 18:23, Tim Hoddy wrote:
> > On Tuesday 29 Jan 2013 21:06:11 Wesley M.A. wrote:
> >> To add a "daemon user" like for example _nginx :
> >> 
> >> useradd -L daemon -d /var/empty -s /sbin/nologin -g =uid _nginx
> >> 
> >> Is this enough ?
> > 
> > Is there a '-L' option?
> 
> The man page states so. Shouldn't it be?

It should.  I did a 'man useradd' from a shell on a Linux m/c.

Apologies.



Re: add a daemon user

2013-01-29 Thread Tim Hoddy
On Tuesday 29 Jan 2013 21:06:11 Wesley M.A. wrote:

> To add a "daemon user" like for example _nginx :
> 
> useradd -L daemon -d /var/empty -s /sbin/nologin -g =uid _nginx
> 
> Is this enough ?

Is there a '-L' option?
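
An added check, not from the thread: a POSIX sh function that verifies master.passwd(5)-style entries against what the useradd line above sets (login class daemon, home /var/empty, shell /sbin/nologin) plus a locked password field, a non-root uid and the underscore prefix used for _nginx. The sample entries are constructed; the hash in the bad one is a placeholder. The group created by -g =uid is not visible in a passwd line, so it is not checked here.

```shell
#!/bin/sh
# Added example (not from the thread): verify that service accounts created
# the way the useradd line above does are actually locked down. Reads
# master.passwd(5)-style lines
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# from stdin, prints one finding per problem and returns 1 if any were found.
check_daemon_users() {
    _rc=0
    while IFS=: read -r _name _pw _uid _gid _class _change _expire _gecos _home _shell; do
        case "$_name" in ''|'#'*) continue ;; esac        # skip blanks and comments
        case "$_name" in
            _*) ;;
            *)  echo "$_name: name lacks the _ prefix used for daemon accounts"; _rc=1 ;;
        esac
        # A password field starting with "*" can never match a hash, so the
        # account cannot be logged into with a password.
        case "$_pw" in
            '*'*) ;;
            *)    echo "$_name: password field is not locked"; _rc=1 ;;
        esac
        [ "$_class" = daemon ]        || { echo "$_name: login class is '$_class', expected daemon"; _rc=1; }
        [ "$_home" = /var/empty ]     || { echo "$_name: home is '$_home', expected /var/empty"; _rc=1; }
        [ "$_shell" = /sbin/nologin ] || { echo "$_name: shell is '$_shell', expected /sbin/nologin"; _rc=1; }
        [ "$_uid" -ne 0 ] 2>/dev/null || { echo "$_name: uid '$_uid' is root or not numeric"; _rc=1; }
    done
    return $_rc
}

# Constructed sample entries for a stand-alone run (not real accounts; the
# hash in the second one is a placeholder).
SAMPLE_OK='_nginx:*:1001:1001:daemon:0:0:nginx daemon:/var/empty:/sbin/nologin'
SAMPLE_BAD='_svc:$2b$10$placeholderhash:1002:1002:default:0:0:svc:/home/svc:/bin/ksh'

printf '%s\n' "$SAMPLE_OK" "$SAMPLE_BAD" | check_daemon_users || echo "findings above"
```

On a live system the same function can read the real file with `check_daemon_users < /etc/master.passwd` (as root), optionally after filtering the lines to the daemon accounts of interest with grep.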



Re: Unified BSD?

2012-11-13 Thread Tim Larson
I know the basic history of all the BSDs and the reasons for divergence, but
I've always tended to think of them as different focus areas of a single
project. The best ideas tend to get shared around, where applicable, but each
retains its unique focus and niche within the greater whole. We don't need a
"unified" BSD; BSD is already unified in the ways that matter. Open source and
meritocracy see to that.

Tim
--
Tim Larson
Software Engineer
Proxibid <http://www.proxibid.com/>
e: tim.lar...@proxibid.com
p: 877-505-7770
d: 402-505-7770



Re: OpenBSD's webpage design

2012-06-28 Thread Tim Howe
On Thu, 28 Jun 2012 11:09:37 -0700
patrick keshishian  wrote:

> On Thu, Jun 28, 2012 at 10:53 AM, Tim Howe  wrote:
> > On Thu, 28 Jun 2012 10:26:52 +0200
> > Marc Espie  wrote:
> >
> >> If you guys are serious about anything, go look at ports-readmes.
> >>
> >> It does extract information from the ports tree, and creates readmes for
> >> all ports.
> >>
> >> Currently, it's a static port. It could very well be a dynamic
> application.
> >>
> >> You can experiment with css, you can experiment with nginx.
> >>
> >> Preferably, don't add large dependencies (python or ruby out of the
> question),
> >> write it as a perl fcgi or something, you can use Plack or Catalyst or
> >> whatever.
> >>
> >>
> >> Or hey, at least tweak the templates to be nicer.
> >
> >        Perl FTW.  I think the site could easily be built with ttree.
> > You will have easy to manage templates and content that anyone with
> > some html knowledge can edit as easily as before; plus you will have
> > static html output.  Parts that should be templated can be in a
> > flexible and easy to decipher/learn way.  Little or no knowledge of
> > Template::Toolkit would be required for most changes to be made.
> >
> >        It's pretty easy to bootstrap with your existing layout and
> > content.  The build process could be managed with an easy make script.
> > Template Toolkit is in the ports tree.
> >
> > http://www.devshed.com/c/a/Perl/Building-a-Complete-Website-using-the-Template-Toolkit/
>
> from the page you referenced:
>
>   | Although HTML is simple, it does tend to be rather
>   | verbose. It's all too easy for the core content of
>   | the page to be obscured by the extra markup
>   | required around it
>
> Then, the next link on that page takes you to:
>
> http://www.devshed.com/c/a/Perl/Building-a-Complete-Website-using-the-Template-Toolkit/1/
>
> Yes, that *IS* much, /much/ better than the initial HTML.
>
> --patrick

90-something percent of the files would only contain the html
content and a tag that references what wrapper is used for it.  Editing
content would not require knowing or working around any TT markup,
which was the main point I was trying to make.

--TimH



Re: OpenBSD's webpage design

2012-06-28 Thread Tim Howe
On Thu, 28 Jun 2012 10:26:52 +0200
Marc Espie  wrote:

> If you guys are serious about anything, go look at ports-readmes.
> 
> It does extract information from the ports tree, and creates readmes for
> all ports.
> 
> Currently, it's a static port. It could very well be a dynamic application.
> 
> You can experiment with css, you can experiment with nginx.
> 
> Preferably, don't add large dependencies (python or ruby out of the 
> question), 
> write it as a perl fcgi or something, you can use Plack or Catalyst or
> whatever.
> 
> 
> Or hey, at least tweak the templates to be nicer.

Perl FTW.  I think the site could easily be built with ttree.
You will have easy to manage templates and content that anyone with
some html knowledge can edit as easily as before; plus you will have
static html output.  Parts that should be templated can be in a
flexible and easy to decipher/learn way.  Little or no knowledge of
Template::Toolkit would be required for most changes to be made.

It's pretty easy to bootstrap with your existing layout and
content.  The build process could be managed with an easy make script.
Template Toolkit is in the ports tree.


http://www.devshed.com/c/a/Perl/Building-a-Complete-Website-using-the-Template-Toolkit/

--TimH



Re: (Kinda O.T.) Digital Millennium Copyright Act used to censor hardware specifications

2012-05-31 Thread Tim van der Molen
On Thu, 31 May 2012 21:19:23 +0200, Theo de Raadt wrote:
> > On Thu, 31 May 2012 18:25:14 +0200, Theo de Raadt wrote:
> > > Shame on you.
> > > 
> > > Don't you know that linking to links that link to links that have DCMA'd
> > > is a crime?
> > > 
> > > Enjoy the bars.
> > 
> > I'm sure quoting mails that link to links that link to DCMA'd links is a
> > felony, too.
> > 
> > Perhaps we'll be sharing a cell.
> 
> Probably.  But you'll be serving two terms, and I only one.

Very clever. But those who give up their right to link to DCMA'd links
for a little more liberty deserve neither. Or something very close to
that.

> > > > On Thu, 31 May 2012 17:12:58 +0200, Ted Unangst wrote:
> > > > > On Thu, May 31, 2012 at 11:11, Brett wrote:
> > > > > 
> > > > > > Pursuant to a rights owner notice under the Digital Millennium 
> > > > > > Copyright
> > > > > > Act (DMCA), the Wikimedia Foundation acted under the law and took 
> > > > > > down and
> > > > > > restricted the content in question. A copy of the received notice 
> > > > > > can be
> > > > > 
> > > > > > Reverse engineering necessary to have open source in the brave new 
> > > > > > world?
> > > > > 
> > > > > PCI spec docs (and many others) are copyrighted.  Maybe they should 
> > > > > be,
> > > > > maybe they shouldn't, but they are.
> > > > > 
> > > > > As far as I know, the actual specs cannot be copyrighted (or it's
> > > > > murky), but knowing wikipedia, somebody probably copied an entire
> > > > > table from the doc and dropped it into the article.  that's a no-no,
> > > > > and not something I'd find nearly as alarming as "censorship".
> > > > 
> > > > Actually, the crime consisted in linking to a few PDFs located
> > > > elsewhere. The last revision of the article to contain the links is:
> > > > 
> > > > [LINK DELETED]



Re: (Kinda O.T.) Digital Millennium Copyright Act used to censor hardware specifications

2012-05-31 Thread Tim van der Molen
On Thu, 31 May 2012 18:25:14 +0200, Theo de Raadt wrote:
> Shame on you.
> 
> Don't you know that linking to links that link to links that have DCMA'd
> is a crime?
> 
> Enjoy the bars.

I'm sure quoting mails that link to links that link to DCMA'd links is a
felony, too.

Perhaps we'll be sharing a cell.

> > On Thu, 31 May 2012 17:12:58 +0200, Ted Unangst wrote:
> > > On Thu, May 31, 2012 at 11:11, Brett wrote:
> > > 
> > > > Pursuant to a rights owner notice under the Digital Millennium Copyright
> > > > Act (DMCA), the Wikimedia Foundation acted under the law and took down 
> > > > and
> > > > restricted the content in question. A copy of the received notice can be
> > > 
> > > > Reverse engineering necessary to have open source in the brave new 
> > > > world?
> > > 
> > > PCI spec docs (and many others) are copyrighted.  Maybe they should be,
> > > maybe they shouldn't, but they are.
> > > 
> > > As far as I know, the actual specs cannot be copyrighted (or it's
> > > murky), but knowing wikipedia, somebody probably copied an entire
> > > table from the doc and dropped it into the article.  that's a no-no,
> > > and not something I'd find nearly as alarming as "censorship".
> > 
> > Actually, the crime consisted in linking to a few PDFs located
> > elsewhere. The last revision of the article to contain the links is:
> > 
> > http://en.wikipedia.org/w/index.php?title=Conventional_PCI&oldid=405114605



Re: (Kinda O.T.) Digital Millennium Copyright Act used to censor hardware specifications

2012-05-31 Thread Tim van der Molen
On Thu, 31 May 2012 17:12:58 +0200, Ted Unangst wrote:
> On Thu, May 31, 2012 at 11:11, Brett wrote:
> 
> > Pursuant to a rights owner notice under the Digital Millennium Copyright
> > Act (DMCA), the Wikimedia Foundation acted under the law and took down and
> > restricted the content in question. A copy of the received notice can be
> 
> > Reverse engineering necessary to have open source in the brave new world?
> 
> PCI spec docs (and many others) are copyrighted.  Maybe they should be,
> maybe they shouldn't, but they are.
> 
> As far as I know, the actual specs cannot be copyrighted (or it's
> murky), but knowing wikipedia, somebody probably copied an entire
> table from the doc and dropped it into the article.  that's a no-no,
> and not something I'd find nearly as alarming as "censorship".

Actually, the crime consisted in linking to a few PDFs located
elsewhere. The last revision of the article to contain the links is:

http://en.wikipedia.org/w/index.php?title=Conventional_PCI&oldid=405114605



USB Storage hangs on H8SSL with 5.1

2012-05-14 Thread tim Howe
On a Supermicro H8SSL board I started using, moving non-trivial amounts
of data to a USB flash drive hangs.  If the USB has an OpenBSD fs, it
just hangs the cp operation (or whatever) and makes other access
to the drive hang.  With a msdos fs it can completely hang the system
to the point that I can't even log into a different TTY.  Just copying
a small file or doing an initial ls after mounting seems to return OK
(at least at first) but moving a file larger than a couple of Meg hangs.

I tried a 4.9 install and it seems to work fine.  So I upgraded that to
a 5.0 install and that seems to work fine too (although, it just occurs
to me that those were i386 and the 5.1 that is hanging is amd64, should
it matter?).  So it seems something changed between 5.0 and 5.1 that is
causing this.  I looked through CVS web stuff to see if anything jumped
out at me, but I really don't know what I am looking for.

I've also tested with a couple of different USB drives (Sandisk, LG).
I've tried some different BIOS options for the USB.

Anyone else have similar issues or a suggestion of something to try or
what else I can do to provide better info?

Thanks.

dmesg follows:

OpenBSD 5.1 (GENERIC) #181: Sun Feb 12 09:35:53 MST 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3220045824 (3070MB)
avail mem = 3120263168 (2975MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfb8d0 (50 entries)
bios0: vendor American Megatrends Inc. version "080011" date 03/26/2007
bios0: Supermicro H8SSL
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC OEMB
acpi0: wakeup devices P1P2(S4) USB0(S1) USB1(S1) USB2(S1) PS2K(S4) PS2M(S4) 
SLPB(S1)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 148, 2194.83 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD erratum 89 present, BIOS upgrade may be required
cpu0: apic clock running at 199MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 16 pins
ioapic1 at mainbus0: apid 2 pa 0xfec01000, version 11, 16 pins
ioapic2 at mainbus0: apid 3 pa 0xfec02000, version 11, 16 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 2 (P1P2)
acpicpu0 at acpi0: PSS
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
cpu0: Cool'n'Quiet K8 2194 MHz: speeds: 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0
ppb0 at pci0 dev 1 function 0 "ServerWorks HT-1000 PCI" rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci1 dev 13 function 0 "ServerWorks HT-1000 PCIX" rev 0xb2
pci2 at ppb1 bus 2
bge0 at pci2 dev 3 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 
(0x2100): apic 2 int 8, address 00:30:48:56:64:88
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 3 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 
(0x2100): apic 2 int 9, address 00:30:48:56:64:89
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
pciide0 at pci1 dev 14 function 0 "ServerWorks HT-1000 SATA" rev 0x00: DMA
pciide0: using apic 1 int 11 for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
pciide0: port 1: PHY offline
pciide0: port 2: PHY offline
pciide0: port 3: PHY offline
pciide1 at pci1 dev 14 function 1 "ServerWorks HT-1000 SATA" rev 0x00
piixpm0 at pci0 dev 2 function 0 "ServerWorks HT-1000" rev 0x00: polling
iic0 at piixpm0
admcts0 at iic0 addr 0x2c
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x51: 512MB DDR SDRAM non-parity PC3200CL3.0
spdmem2 at iic0 addr 0x52: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem3 at iic0 addr 0x53: 512MB DDR SDRAM non-parity PC3200CL3.0
pciide2 at pci0 dev 2 function 1 "ServerWorks HT-1000 IDE" rev 0x00: DMA
atapiscsi0 at pciide2 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom 
removable
atapiscsi1 at pciide2 channel 0 drive 1
scsibus1 at atapiscsi1: 2 targets
sd0 at scsibus1 targ 0 lun 0:  ATAPI 0/direct removable
cd0(pciide2:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
sd0(pciide2:0:1): using PIO mode 0
pcib0 at pci0 dev 2 function 2 "ServerWorks HT-1000 LPC" rev 0x00
ohci0 at pci0 dev 3 function 0 "ServerWorks HT-1000 USB" rev 0x01: apic 1 int 
10, version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 "ServerWorks HT-1000 USB" rev 0x01: apic 1 int 
10, version 1.0, legacy support
ehci0 at pci0 dev 3 function 2 "ServerWorks HT-1000 USB" rev 0x01: api

Re: hw.sensors for arc no longer works with 5.0?

2012-02-01 Thread Tim Howe
On Wed, 1 Feb 2012 12:44:43 -0800
Tim Howe  wrote:

> [...]
> In anything before 5.0, I am able to monitor the RAID status via snmp
> at OPENBSD-SENSORS-MIB::sensorStatus.  The 5.0 boxes are returning
> unknown status (and the device OID has changed from 3 to 46).
> 
> sysctl reports differently in 5.0:
> 
> 4.9 box (this is same in 4.8):
> hw.sensors.arc0.drive0=online (sd0), OK
> 
> 5.0 box:
> hw.sensors.arc0.drive0=unknown (sd0), UNKNOWN

Installed the latest snap...

Seems to work again on 5.1-beta on the new oid:

hw.sensors.arc0.drive0=online (sd0), OK

# snmpget -v 1 -c [string] [my ip] OPENBSD-SENSORS-MIB::sensorStatus.46  
OPENBSD-SENSORS-MIB::sensorStatus.46 = INTEGER: ok(1)

\o/

--TimH
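A check one could run over the sysctl output shown in this thread, as an added example that is not from the original posts: the `check_arc_sensors` and `sample_status` names are mine, and the sample lines are constructed from the format quoted above rather than captured from a host.

```shell
# check_arc_sensors reads sysctl lines of the form
#   hw.sensors.arcN.driveM=<state> (sdX), <STATUS>
# on stdin, prints every arc drive sensor whose STATUS is not OK, and
# returns 1 if there was any (0 otherwise), so it can drive an alert.
# Other sensors (temperatures, fans) are ignored.  Note that the 5.0
# "unknown (sd0), UNKNOWN" case counts as not OK: a monitor that only
# looked for FAIL would have missed it.
check_arc_sensors() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            hw.sensors.arc*.drive*) ;;
            *) continue ;;
        esac
        status=${line##*, }          # text after the last ", ": OK, UNKNOWN, ...
        if [ "$status" != "OK" ]; then
            printf 'NOT OK: %s\n' "$line"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed samples modelled on the 4.9 and 5.0 output in the post.
SAMPLE_OK='hw.sensors.arc0.drive0=online (sd0), OK
hw.sensors.arc0.drive1=online (sd1), OK'
SAMPLE_BAD='hw.sensors.arc0.drive0=unknown (sd0), UNKNOWN
hw.sensors.arc0.drive1=online (sd1), OK
hw.sensors.cpu0.temp0=45.00 degC'

# sample_status echoes the exit status check_arc_sensors gives a sample.
sample_status() {
    if printf '%s\n' "$1" | check_arc_sensors >/dev/null; then
        echo 0
    else
        echo 1
    fi
}

# Real use on a host:  sysctl hw.sensors | check_arc_sensors
```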



hw.sensors for arc no longer works with 5.0?

2012-02-01 Thread Tim Howe
I have a number of servers with almost identical hardware (Supermicro
MB, Areca 1210 or 1220 RAID card).

These span from OpenBSD 4.5 to 5.0.

In anything before 5.0, I am able to monitor the RAID status via snmp
at OPENBSD-SENSORS-MIB::sensorStatus.  The 5.0 boxes are returning
unknown status (and the device OID has changed from 3 to 46).

sysctl reports differently in 5.0:

4.9 box (this is same in 4.8):
hw.sensors.arc0.drive0=online (sd0), OK

5.0 box:
hw.sensors.arc0.drive0=unknown (sd0), UNKNOWN

I can't seem to find any mention that I should be doing something
different as of 5.0.  Has something broken?  Do I need to do something
different?

Thanks for any help.

dmesg from 4.9 box:

OpenBSD 4.9 (GENERIC.MP) #819: Wed Mar  2 06:57:49 MST 2011
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3486973952 (3325MB)
avail mem = 3380129792 (3223MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xcfedf000 (39 entries)
bios0: vendor Phoenix Technologies LTD version "1.2a" date 12/19/2008
bios0: Supermicro X7SBL
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP _MAR TCPA MCFG APIC BOOT SPCR ERST HEST BERT EINJ SLIC 
SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PEG_(S5) PEX_(S5) LAN_(S5) USB4(S5) USB5(S5) USB7(S5) 
ESB2(S5) EXP1(S5) EXP5(S5) EXP6(S5) USB1(S5) USB2(S5) USB3(S5) USB6(S5) 
ESB1(S5) PCIB(S5) KBC0(S1) MSE0(S1) COM1(S5) COM2(S5) PWRB(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-16
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3110 @ 3.00GHz, 2992.88 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3110 @ 3.00GHz, 2992.50 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG
cpu1: 6MB 64b/line 16-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEG_)
acpiprt2 at acpi0: bus -1 (PEX_)
acpiprt3 at acpi0: bus 5 (EXP1)
acpiprt4 at acpi0: bus 13 (EXP5)
acpiprt5 at acpi0: bus 15 (EXP6)
acpiprt6 at acpi0: bus 17 (PCIB)
acpicpu0 at acpi0: C3, PSS
acpicpu1 at acpi0: C3, PSS
acpibtn0 at acpi0: PWRB
acpivideo0 at acpi0: IGD0
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 2992 MHz: speeds: 3000, 2667, 2333, 2000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 3200/3210 Host" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 3200/3210 PCIE" rev 0x01: apic 2 int 16 
(irq 5)
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel IOP333 PCIE-PCIX" rev 0x00
pci2 at ppb1 bus 2
arc0 at pci2 dev 14 function 0 "Areca ARC-1220" rev 0x00: apic 2 int 18 (irq 11)
arc0: 8 ports, 256MB SDRAM, firmware V1.49 2010-12-02
scsibus0 at arc0: 16 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct 
fixed
sd0: 953674MB, 512 bytes/sec, 1953124352 sec total
ppb2 at pci1 dev 0 function 2 "Intel IOP333 PCIE-PCIX" rev 0x00
pci3 at ppb2 bus 3
uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: apic 2 int 16 (irq 
5)
uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: apic 2 int 17 (irq 
10)
uhci2 at pci0 dev 26 function 2 "Intel 82801I USB" rev 0x02: apic 2 int 18 (irq 
11)
ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x02: apic 2 int 18 (irq 
11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: apic 2 int 16 (irq 
5)
pci4 at ppb3 bus 5
ppb4 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: apic 2 int 16 (irq 
5)
pci5 at ppb4 bus 13
em0 at pci5 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: apic 2 int 
16 (irq 5), address 00:30:48:f9:71:3e
ppb5 at pci0 dev 28 function 5 "Intel 82801I PCIE" rev 0x02: apic 2 int 17 (irq 
10)
pci6 at ppb5 bus 15
em1 at pci6 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: apic 2 int 
17 (irq 10), address 00:30:48:f9:71:3f
uhci3 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 2 int 23 (irq 
10)
uhci4 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 2 int 22 (irq 
11)
uhci5 at pci0 dev 29 function 2 "Intel 82801I USB" rev 0x02: apic 2 int 18 (irq 
11)
ehci1 at pci0 dev 29 function 7 "Intel 82801I USB" rev 0x02: apic 2 int 23 (irq 
10)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x92
pci7 at ppb6 bus 17
vga1 at pci7 dev 4 function 0 "XGI Technology Volari Z9s/Z9m" rev 0x00
wsdispl

Leafpad: Sometimes Undo corrupted document

2012-01-28 Thread Tim Peterson
Hello. This is OpenBSD4.9, but I believe latest Leafpad still has this
problem.
$ pkg_info leafpad
Information for inst:leafpad-0.8.17p4

Sometimes Undo corrupted the document, and this was shown in xterm:
> (leafpad:5025): GLib-GObject-WARNING **: gsignal.c:2354: handler `238' of instance `0x7df450d8' is not blocked
> (leafpad:5025): GLib-GObject-WARNING **: gsignal.c:2354: handler `239' of instance `0x7df450d8' is not blocked
The cause of the problem was:

   1. When the user modifies text, cb_begin_user_action() will be called.  It
unlocks the signal handler which stores a record of the modification into the
undo buffer.  This signal handler is disabled usually because there are
modifications that should not go into the undo buffer (i.e. undo itself).
   2. While in the unlocked phase, another cb_begin_user_action() can be called.
(I'm not sure, but it's natural to think so.)  But this time, glib's
internal lock count is already 0, so that warning was shown.
   3. The inner cb_end_user_action() increases the lock count to 1.
   4. The outer cb_end_user_action() increases the lock count to 2. (!)

Now, the next cb_begin_user_action() cannot unlock the signal handler, because
the lock count is 2, not 1.  So undo buffer management corrupts.
gtk_text_buffer_begin_user_action() will avoid this, because it treats
another *user action* count internally.

# I don't think so, but maybe other g_signal_emit_by_name also should be
replaced by similar functions.

Workaround is "leafpad-undo.patch".  I'm not sure this is a real fix.
The --sync option (Make X calls synchronous) didn't solve the undo
problem. :-(
leafpad-undo.patch
=== modified file 'indent.c'--- indent.c2011-05-08 09:13:10 ++++ 
indent.c
2011-05-08 09:25:28 +@@ -69,13 +69,13 @@GtkTextBuffer *buffer =
gtk_text_view_get_buffer(GTK_TEXT_VIEW(text_view)); -
g_signal_emit_by_name(G_OBJECT(buffer), "begin-user-action");+
gtk_text_buffer_begin_user_action(buffer); 
gtk_text_buffer_delete_selection(buffer, TRUE, TRUE); 
gtk_text_buffer_get_iter_at_mark(buffer, &iter,
gtk_text_buffer_get_insert(buffer));ind = compute_indentation(buffer, &iter,
gtk_text_iter_get_line(&iter)); str = g_strconcat("\n", ind, NULL); 
gtk_text_buffer_insert(buffer, &iter, str, -1);-
g_signal_emit_by_name(G_OBJECT(buffer), "end-user-action");+
gtk_text_buffer_end_user_action(buffer);g_free(str);g_free(ind);
@@
-149,9 +149,9 @@for (i = start_line; i < end_line; i++) { 
gtk_text_buffer_get_iter_at_line(buffer, &iter, i); 
gtk_text_buffer_place_cursor(buffer, &iter);-
g_signal_emit_by_name(G_OBJECT(buffer), "begin-user-action");+
gtk_text_buffer_begin_user_action(buffer);  
gtk_text_buffer_insert(buffer,
&iter, "\t", 1);-   g_signal_emit_by_name(G_OBJECT(buffer),
"end-user-action");+gtk_text_buffer_end_user_action(buffer); 
undo_set_sequency(TRUE);}   undo_set_sequency(FALSE);@@ -201,9 
+201,9 @@ 
end_iter = start_iter;  gtk_text_iter_forward_chars(&end_iter, 
len); 
gtk_text_buffer_move_mark_by_name(buffer, "insert", &end_iter);-
g_signal_emit_by_name(G_OBJECT(buffer), "begin-user-action");+
gtk_text_buffer_begin_user_action(buffer);  
gtk_text_buffer_delete(buffer,
&start_iter, &end_iter);-   
g_signal_emit_by_name(G_OBJECT(buffer),
"end-user-action");+
gtk_text_buffer_end_user_action(buffer); 
undo_set_sequency(TRUE);g_free(ind);}
=== modified file 'search.c'--- search.c2011-05-08 09:13:10 ++++ 
search.c
2011-05-08 09:25:28 +@@ -218,12 +218,10 @@ 
gtk_text_buffer_get_insert(textbuffer));offset =
gtk_text_iter_get_offset(&rep_start);   
undo_set_sequency(TRUE);-
g_signal_emit_by_name(G_OBJECT(textbuffer),-
"begin-user-action");+
gtk_text_buffer_begin_user_action(textbuffer); 
gtk_text_buffer_insert_at_cursor(textbuffer,
string_replace,
strlen(string_replace));-   
g_signal_emit_by_name(G_OBJECT(textbuffer),-
"end-user-action");+
gtk_text_buffer_end_user_action(textbuffer); 
gtk_text_buffer_get_iter_at_mark(   
textbuffer, &iter, 
gtk_text_buffer_get_insert(textbuffer));
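Review bot: the four hunks convert only indent.c and search.c, and the author's own aside says other direct `g_signal_emit_by_name(..., "begin-user-action")` / `"end-user-action"` emissions may remain; any one left anywhere bypasses GtkTextBuffer's user-action depth and reintroduces the nested unblock/block imbalance described in the report, so the remaining call sites should be converted in the same patch. The substitution itself is the right mechanism: the direct emission runs the begin/end callbacks on every call, so a nested pair unblocks an already-unblocked handler (the `handler ... is not blocked` warning) and leaves the block count at 2, whereas `gtk_text_buffer_begin_user_action()` / `gtk_text_buffer_end_user_action()` keep their own nesting count and only emit the signals at the outermost level.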

[demime 1.01d removed an attachment of type text/x-patch]
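To make the lock-count imbalance described in the report concrete, here is an added C model of the two approaches; it is not Leafpad or GLib code, and the `UndoModel` struct, its counters and the nested scenario are constructed for illustration.

```c
#include <stdio.h>

/* Added model of the undo-handler locking described in the report; it is
 * not Leafpad or GLib code.  block_count stands for GLib's per-handler
 * block depth (g_signal_handler_block/unblock), user_action_count for the
 * depth GtkTextBuffer keeps in gtk_text_buffer_begin/end_user_action(). */
typedef struct {
    int block_count;        /* > 0 means the undo handler is blocked */
    int user_action_count;  /* nesting depth of user actions (fixed path only) */
    int warnings;           /* "handler ... is not blocked" warnings emitted */
    int records;            /* modifications recorded into the undo buffer */
} UndoModel;

static void model_init(UndoModel *m)
{
    m->block_count = 1;     /* handler starts blocked, as in the report */
    m->user_action_count = 0;
    m->warnings = 0;
    m->records = 0;
}

static void handler_block(UndoModel *m)
{
    m->block_count++;
}

/* GLib refuses to unblock an unblocked handler: it warns and leaves 0. */
static void handler_unblock(UndoModel *m)
{
    if (m->block_count == 0) {
        m->warnings++;
        return;
    }
    m->block_count--;
}

/* A text modification: the undo handler only runs while unblocked. */
static void modify(UndoModel *m)
{
    if (m->block_count == 0)
        m->records++;
}

/* Buggy path: g_signal_emit_by_name(buffer, "begin-user-action") runs the
 * callback on every emission, so nesting is not accounted for. */
static void buggy_begin(UndoModel *m) { handler_unblock(m); }
static void buggy_end(UndoModel *m)   { handler_block(m); }

/* Fixed path: gtk_text_buffer_begin_user_action() only emits the signal
 * when the depth goes 0 -> 1, and end emits when it returns to 0. */
static void fixed_begin(UndoModel *m)
{
    if (m->user_action_count++ == 0)
        handler_unblock(m);
}

static void fixed_end(UndoModel *m)
{
    if (--m->user_action_count == 0)
        handler_block(m);
}

/* Scenario from the report: an outer user action with a nested inner one,
 * followed by a later, independent edit.  Returns how many modifications
 * reached the undo buffer; all three should. */
static int run_scenario(UndoModel *m,
                        void (*begin)(UndoModel *), void (*end)(UndoModel *))
{
    model_init(m);
    begin(m);               /* outer cb_begin_user_action()            */
    modify(m);
    begin(m);               /* inner one fired while still unlocked    */
    modify(m);
    end(m);                 /* inner end: buggy path -> lock count 1   */
    end(m);                 /* outer end: buggy path -> lock count 2   */
    begin(m);               /* next edit: buggy path cannot unlock     */
    modify(m);              /* ...so this change is never recorded     */
    end(m);
    return m->records;
}

int main(void)
{
    UndoModel m;
    int n = run_scenario(&m, buggy_begin, buggy_end);
    printf("direct emission: %d of 3 edits recorded, %d warning(s), block_count=%d\n",
           n, m.warnings, m.block_count);
    n = run_scenario(&m, fixed_begin, fixed_end);
    printf("buffer API:      %d of 3 edits recorded, %d warning(s), block_count=%d\n",
           n, m.warnings, m.block_count);
    return 0;
}
```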



Re: OpenSMTPd and Monit.

2011-11-16 Thread Tim van der Molen
On Wed, 16 Nov 2011 04:09:43 +0100, Sarah Caswell wrote:
> Hi,
> 
> I'm running a mailserver with smtpd (on OpenBSD) for a small group of folks 
> and get some (very occasional) crashes - usually just corrupted sessions.
> No big deal, a restart of smtpd is all that it takes.
> 
> I'm trying to create a Monit (v 4.10.1) recipe that will automatically 
> restart the smtpd process for me, but it just doesn't work.
> I found the recipe below on a Linux list for monitoring services that don't 
> write a pidfile. 
> 
> -recipe is currently 
> 
> check host localhost with address www.xxx.yyy.zzz
>   start program = "/usr/libexec/smtpd -f /etc/mail/smtpd.conf"

I'm not familiar with Monit, but /usr/libexec/smtpd is a directory, not
an executable. You may wish to try /usr/sbin/smtpd instead.

Regards,
Tim

>   stop program = "pkill smtpd"
>if failed host www.xxx.yyy.zzz port 25 type tcp protocol smtp then restart
> 
> --
> 
> Is anyone here using monit to successfully restart smtpd?
> 
> Any info appreciated.
> 
> :-)
> 
> Sarah
> 
> -- 
> "Go out on a limb. Thats where the fruit is" - Jimmy Carter



Areca alarm silencing with bioctl

2011-08-31 Thread Tim Howe
I have Areca 1210 and 1220 RAID Controllers in a number of OpenBSD
servers.

The arc man page says "arc supports alarm control and monitoring of
volumes configured on the controllers via the bio(4) interface and the
bioctl(8) utility."

However, when I try to silence an alarm, I get the following:

# bioctl -a s arc0   
bioctl: BIOCALARM: Operation not permitted

One thought I had was that the card's bios has a password that needs to
be entered for certain functions.  Is this required here?  If so, how?
Am I doing something else wrong?

--TimH


OpenBSD 4.9 (GENERIC.MP) #819: Wed Mar  2 06:57:49 MST 2011
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2145255424 (2045MB)
avail mem = 2074124288 (1978MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.51 @ 0x7feea000 (33 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 08/27/2007
bios0: Supermicro PDSML
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP MCFG APIC BOOT SPCR SSDT
acpi0: wakeup devices DEV1(S5) EXP1(S5) EXP5(S5) EXP6(S5) PCIB(S5) KBC0(S1) 
MSE0(S1) COM1(S5) COM2(S5) USB1(S4) USB2(S4) USB3(S4) USB4(S4) EUSB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xf000, bus 0-14
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz, 1995.25 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG
cpu0: 1MB 64b/line 4-way L2 cache
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) Dual CPU E2180 @ 2.00GHz, 1995.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG
cpu1: 1MB 64b/line 4-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (DEV1)
acpiprt2 at acpi0: bus 9 (EXP1)
acpiprt3 at acpi0: bus 13 (EXP5)
acpiprt4 at acpi0: bus 14 (EXP6)
acpiprt5 at acpi0: bus 15 (PCIB)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel E7230 Host" rev 0xc0
ppb0 at pci0 dev 1 function 0 "Intel E7230 PCIE" rev 0xc0: apic 2 int 16 (irq 7)
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel IOP333 PCIE-PCIX" rev 0x00
pci2 at ppb1 bus 2
arc0 at pci2 dev 14 function 0 "Areca ARC-1220" rev 0x00: apic 2 int 18 (irq 5)
arc0: 8 ports, 256MB SDRAM, firmware V1.49 2010-12-02
scsibus0 at arc0: 16 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct 
fixed
sd0: 1430511MB, 512 bytes/sec, 2929686528 sec total
ppb2 at pci1 dev 0 function 2 "Intel IOP333 PCIE-PCIX" rev 0x00
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 2 int 17 
(irq 11)
pci4 at ppb3 bus 9
ppb4 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: apic 2 int 17 (irq 
11)
pci5 at ppb4 bus 13
em0 at pci5 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: apic 2 int 
16 (irq 7), address 00:30:48:9b:10:80
ppb5 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: apic 2 int 16 (irq 
7)
pci6 at ppb5 bus 14
em1 at pci6 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: apic 2 int 
17 (irq 11), address 00:30:48:9b:10:81
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23 
(irq 10)
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 19 
(irq 11)
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 18 
(irq 5)
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int 16 
(irq 7)
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23 
(irq 10)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci7 at ppb6 bus 15
vga1 at pci7 dev 0 function 0 "XGI Technology Volari Z7" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 2 int 19 
(irq 11)
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627HF
wbng0 at iic0 addr 0x2f: w83793g
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM ECC PC2-5300CL5
spdmem1 at iic0 addr 0x52: 1GB DDR2 SDRAM ECC PC2-5300CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 a

Re: SMTPD broken after latest update

2011-07-02 Thread Tim van der Molen
On Sat, 02 Jul 2011 09:53:05 +0200, Gilles Chehade wrote:
> hi,
> 
> Just passing by, I will be able to commit this diff Monday, i'm without a 
> workstation until then, don't worry Tim I haven't forgotten your diff ;-)
> 
> Gilles

I never doubted it for a second. ;)



Re: SMTPD broken after latest update

2011-06-29 Thread Tim van der Molen
On Thu, 30 Jun 2011 03:35:23 +0200, Hugo Osvaldo Barrera wrote:
> I've been using SMTPD for many many months now, but after an update
> to the latest snapshots today, it seems to have broken.
> 
> I deliver mail to dovecot's LDA, which places it in my mailbox.
> 
> After today's update,
> Mail delivered to this address (h...@osvaldobarrera.com.ar), is
> passed on to dovecot, but dovecot with recipient
> "osvaldobarrera.com...@osvaldobarrera.com.ar" (domain@domain).

It is a bug in smtpd. I have run into it as well. The below diff (also
sent to gilles@) should fix it.

Regards,
Tim

Index: lka_session.c
===
RCS file: /cvs/src/usr.sbin/smtpd/lka_session.c,v
retrieving revision 1.7
diff -p -u lka_session.c
--- lka_session.c   9 Jun 2011 17:41:52 -   1.7
+++ lka_session.c   20 Jun 2011 20:02:22 -
@@ -557,7 +557,7 @@ lka_session_expand_format(char *buf, size_t len, struc
string = dlv->agent.mda.as_user;
break;
case 'u':
-   string = dlv->rcpt.domain;
+   string = dlv->rcpt.user;
break;
case 'd':
string = dlv->rcpt.domain;
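Review bot: the 'u' case previously copied the 'd' branch verbatim (both returned `dlv->rcpt.domain`), which matches the domain@domain recipient reported above, so the one-line change to `dlv->rcpt.user` is the right fix; since the two cases now differ by a single field, a regression test that expands a format containing both %u and %d against a known recipient would keep this copy-paste error from silently recurring. The header also shows the diff was taken on 20 Jun 2011 against lka_session.c rev 1.7 while the report is from 30 Jun, so confirm it still applies cleanly to the current tree.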



Re: nroff

2011-06-22 Thread Tim van der Molen
On Wed, 22 Jun 2011 16:52:17 +0200, Friedrich Locke wrote:
> i have installed openbsd 4.9 and i am trying to compile ucspi-tcp-0.88
> with a ssl patch, but the compilation process fails due to not finding
> a program called nroff.
> 
> Previous version of OpenBSD seems to have installed nroff. Does
> anybody knows why it was removed?

nroff is part of groff, which has been removed from the base system in
favour of mandoc(1). See:

http://mdocml.bsd.lv/
http://undeadly.org/cgi?action=article&sid=20110314142734

> How could i install it?

You can install groff from packages or ...

> ./load instcheck hier.o auto_home.o unix.a byte.a
> nroff -man tcpclient.1 > tcpclient.0

... replace "nroff -man" with "mandoc" and see if the output in
tcpclient.0 is readable. Chances are you don't even need nroff.



Re: mount_xfs in -current gone?

2009-08-11 Thread Tim Gruene
Thanks. So an (SGI) xfs-volume cannot be mounted under OpenBSD? That's a
pity. Is there a reason for it other than no one's implemented it, yet?


Tim

--
Tim Gruene
Institut fuer anorganische Chemie
Tammannstr. 4
D-37077 Goettingen

GPG Key ID = A46BEE1A


On Tue, 11 Aug 2009, Janne Johansson wrote:

> Tim Gruene wrote:
>
> > I tried using mount_xfs from base45.tgz, but the XFS is not defined in
> > the generic kernel. Does anyone know whether mount_xfs is going to come
> > back? Do I have to compile the kernel myself just to mount an
> > xfs-formatted usb-stick?
>
> The xfs (that was renamed to nnpfs) is not the SGI journalled
> filesystem, so no usb stick will be xfs/nnpfs-formatted on obsd 4.5.
>
> It's a userspace-filesystem translator to make AFS clients possible on
> obsd, nothing else.


