Known info

2019-12-05 Thread Manuel Solis
Dear devs,

You are awesome!

From @qualys twitter:
Qualys researchers discovered an authentication-bypass vulnerability 
(CVE-2019-19521) in OpenBSD's authentication system. Special thanks to Theo de 
Raadt and the OpenBSD developers for a very quick response: they published 
patches in <40 hours. qualys.com/2019/12/04/cve…

you don't just submit patches and enhancements, you also make us feel safe and 
happy in a world full of wrong approaches, intended and unintended.

And I thank you for that.

Happy December

Manuel




Re: Using unveil(2) to block the entire file system

2019-12-05 Thread Ingo Schwarze
Hi Chris,

i just committed the patch shown below;
thanks for bringing up the point.

Yours,
  Ingo



CVSROOT:    /cvs
Module name:    src
Changes by: schwa...@cvs.openbsd.org    2019/12/05 17:14:08

Modified files:
    lib/libc/sys   : unveil.2 

Log message:
Explicitly say that *permissions can be "".

Potential for misunderstanding noticed by Chris Rawnsley, wording proposed
by deraadt@, patch sent by Chris Rawnsley, OK deraadt@.


Chris Rawnsley wrote on Wed, Dec 04, 2019 at 06:34:00PM +:

> Index: lib/libc/sys/unveil.2
> ===
> RCS file: /cvs/src/lib/libc/sys/unveil.2,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 unveil.2
> --- lib/libc/sys/unveil.2 25 Jul 2019 13:47:40 -  1.19
> +++ lib/libc/sys/unveil.2 4 Dec 2019 18:28:03 -
> @@ -62,7 +62,8 @@ promise.
>  .Pp
>  The
>  .Fa permissions
> -argument points to a string consisting of the following characters:
> +argument points to a string consisting of zero or more of the following
> +characters:
>  .Pp
>  .Bl -tag -width "" -offset indent -compact
>  .It Cm r
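Review bot: "zero or more of the following characters" makes "" syntactically valid but still leaves what an empty string does implicit, and that is exactly the gap that caused the misunderstanding this patch addresses. Suggest one additional sentence in the same paragraph, e.g. "An empty string grants no permissions on the path", so a reader learns the "" case is both allowed and meaningful (the point Ingo makes elsewhere in this thread: a path can be mentioned without being accessible) without having to infer it from the list that follows.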



Re: Using unveil(2) to block the entire file system

2019-12-05 Thread Ingo Schwarze
Hi,

i like the tweak; OK to commit?

While it is reasonable to expect this behaviour without the "zero
or more", i see how the misunderstanding "one or more" can arise:
In many situations, to grant no permissions on a given path, it is
sufficient to not mention it in unveil(2) at all, so it may not be
obvious to everybody that the "" case is sometimes useful (and
implemented).

Yours,
  Ingo


Chris Rawnsley wrote on Wed, Dec 04, 2019 at 06:34:00PM +:
> On Wed, 4 Dec 2019, at 18:07, Theo de Raadt wrote:

>> I think it is implied, if no permissions are listed.

> Perhaps, and it may be due to my inexperience with C interfaces that I didn't
> think to try it.
> 
> I think your wording would have been enough for me to twig, so I've made
> the patch for that instance too (if you change your mind, of course :) ).
> 
> Index: lib/libc/sys/unveil.2
> ===
> RCS file: /cvs/src/lib/libc/sys/unveil.2,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 unveil.2
> --- lib/libc/sys/unveil.2 25 Jul 2019 13:47:40 -  1.19
> +++ lib/libc/sys/unveil.2 4 Dec 2019 18:28:03 -
> @@ -62,7 +62,8 @@ promise.
>  .Pp
>  The
>  .Fa permissions
> -argument points to a string consisting of the following characters:
> +argument points to a string consisting of zero or more of the following
> +characters:
>  .Pp
>  .Bl -tag -width "" -offset indent -compact
>  .It Cm r
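As an added example (not code from this thread), a small OpenBSD C program showing the "" permission case Ingo describes: a directory is unveiled with zero permissions, one file beneath it gets "r", and the rest of the filesystem stays hidden. The ENOENT versus EACCES expectation in the comments is my reading of unveil(2), not something the thread states.

```c
/* Added example, not from the thread: unveil(2) with "" permissions on
 * OpenBSD.  Assumption (my reading of unveil(2), not stated in the thread):
 * an uncovered path fails with ENOENT, a covered one without perms with EACCES. */
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Open path read-only; return 0 on success or the errno on failure. */
int try_open(const char *path)
{
	int fd = open(path, O_RDONLY);
	if (fd == -1)
		return errno;
	close(fd);
	return 0;
}

/* Turn a try_open() result into a short description. */
const char *describe(int e)
{
	switch (e) {
	case 0:      return "opened";
	case ENOENT: return "hidden (not unveiled)";
	case EACCES: return "visible, no permission";
	default:     return strerror(e);
	}
}

int main(void)
{
#ifdef __OpenBSD__
	/* "" is valid: /etc is visible, but nothing below it is accessible. */
	if (unveil("/etc", "") == -1)
		err(1, "unveil /etc");
	/* A more specific path can still be granted permissions. */
	if (unveil("/etc/hosts", "r") == -1)
		err(1, "unveil /etc/hosts");
	/* Lock down: no further unveil(2) calls are possible. */
	if (unveil(NULL, NULL) == -1)
		err(1, "unveil lock");
	printf("/etc/hosts:  %s\n", describe(try_open("/etc/hosts")));
	printf("/etc/passwd: %s\n", describe(try_open("/etc/passwd")));
	printf("/usr/bin/ls: %s\n", describe(try_open("/usr/bin/ls")));
	return 0;
#else
	fprintf(stderr, "unveil(2) exists only on OpenBSD\n");
	return 1;
#endif
}
```

On other systems the program only reports that unveil(2) is unavailable; the helpers compile everywhere.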



Re: issues configuring vlan on top of aggr device

2019-12-05 Thread David Gwynne
On Tue, Dec 03, 2019 at 02:11:16PM +, Pedro Caetano wrote:
> Hi again,
> 
> I'm sorry, but since the boxes do not (yet) have working networking it is
> not easy for me to get the text output.
> I'm attaching a few pictures with the requested output.
> 
> https://picpaste.me/images/2019/12/03/cat_hostname.vl3800_hostname.aggr0.jpg
> https://picpaste.me/images/2019/12/03/ifconfig_vl3800.jpg
> https://picpaste.me/images/2019/12/03/ifconfig_aggr0.jpg
> 
> 
> Best regards,
> Pedro Caetano
> 
> On Tue, Dec 3, 2019 at 12:35 PM Hrvoje Popovski  wrote:
> 
> > On 3.12.2019. 13:15, Pedro Caetano wrote:
> > > Hi Hrvoje, thank you for the fast reply,
> > >
> > > Unfortunately I have the same behavior.
> > > The aggr0 works as expected, as I can see the links bonded on the switch.
> > > I'm able to see the correct vids when tcpdump'ing the aggr0 interface.
> > >
> > > I'd appreciate any help on this topic.
> > >
> >
> > can you send ifconfig aggr0 and ifconfig vlan3800 ?
> >
> >
> >
> >
> > > This configuration is working on -current with em(4) nics.
> > >
> > >
> > > Best regards,
> > > Pedro Caetano
> > >
> > > On Tuesday, 3/12/2019, 12:01, Hrvoje Popovski wrote:
> > >
> > > On 3.12.2019. 12:21, Pedro Caetano wrote:
> > > > Hi misc@
> > > >
> > > > I'm running openbsd 6.6 with latest patches running on a pair of
> > > > hp dl 360 gen6 servers.
> > > >
> > > > I'm attempting to configure an aggr0 device towards a cat 3650.
> > > >
> > > > The aggr0 associates successfully with the switch, but I'm unable
> > > > to run vlans on top of it.
> > > >
> > > > The configuration on openbsd is the following:
> > > > #ifconfig aggr0 create
> > > > #ifconfig aggr0 trunkport bnx0
> > > > #ifconfig aggr0 trunkport bnx1
> > >
> > > add this - ifconfig aggr0 up
> > > if you have hostname.aggr0 add "up" at the end of that file ...
> > >
> > > > #ifconfig vlan3800 create
> > > > #ifconfig vlan3800 vnetid 3800
> > > > #ifconfig vlan3800 parent aggr0
> > > > #ifconfig vlan3800 10.80.253.10/24 
> > > > ifconfig: SIOCAIFADDR: No buffer space available.

hey,

hrvoje gave me a heads up about this, and i came up with some diffs
which seem to help according to his testing.

the most useful for you using aggr is this diff for bnx which enables
the use of jumbos. it's pretty mechanical, except that it stops
advertising the VLAN_MTU capability. instead it advertises what the
actual hardmtu is, which allows the extra 4 bytes to be used by any
protocol, not just vlan(4).

aggr(4) does not (currently) pass the VLAN_MTU capability from its
ports through for vlan(4) to use, but passing the larger hardmtu through
has the same effect.

unless anyone objects, i'm going to commit this tomorrow.

fyi, ifconfig foo0 hwfeatures is how you see the capabilities and
hardmtu settings.

Index: if_bnx.c
===
RCS file: /cvs/src/sys/dev/pci/if_bnx.c,v
retrieving revision 1.125
diff -u -p -r1.125 if_bnx.c
--- if_bnx.c10 Mar 2018 10:51:46 -  1.125
+++ if_bnx.c5 Dec 2019 09:52:04 -
@@ -875,12 +875,13 @@ bnx_attachhook(struct device *self)
ifp->if_ioctl = bnx_ioctl;
ifp->if_qstart = bnx_start;
ifp->if_watchdog = bnx_watchdog;
+   ifp->if_hardmtu = BNX_MAX_JUMBO_ETHER_MTU_VLAN -
+   sizeof(struct ether_header);
IFQ_SET_MAXLEN(&ifp->if_snd, USABLE_TX_BD - 1);
bcopy(sc->eaddr, sc->arpcom.ac_enaddr, ETHER_ADDR_LEN);
bcopy(sc->bnx_dev.dv_xname, ifp->if_xname, IFNAMSIZ);
 
-   ifp->if_capabilities = IFCAP_VLAN_MTU | IFCAP_CSUM_TCPv4 |
-   IFCAP_CSUM_UDPv4;
+   ifp->if_capabilities = IFCAP_CSUM_TCPv4 | IFCAP_CSUM_UDPv4;
 
 #if NVLAN > 0
ifp->if_capabilities |= IFCAP_VLAN_HWTAGGING;
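Review bot: the new if_hardmtu assignment deserves a comment in the code, because `BNX_MAX_JUMBO_ETHER_MTU_VLAN - sizeof(struct ether_header)` will look like an off-by-four to the next reader who expects the VLAN tag to be subtracted as well. State there that the 4 bytes previously reserved through IFCAP_VLAN_MTU are deliberately folded into the hardmtu so any protocol, not only vlan(4), may use them; at present that rationale lives only in this mail. Since the same hunk drops IFCAP_VLAN_MTU, it is also worth saying in the commit message that consumers which keyed on that capability now depend solely on if_hardmtu.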
@@ -2417,7 +2418,7 @@ bnx_dma_alloc(struct bnx_softc *sc)
 */
for (i = 0; i < TOTAL_TX_BD; i++) {
if (bus_dmamap_create(sc->bnx_dmatag,
-   MCLBYTES * BNX_MAX_SEGMENTS, BNX_MAX_SEGMENTS,
+   BNX_MAX_JUMBO_ETHER_MTU_VLAN, BNX_MAX_SEGMENTS,
MCLBYTES, 0, BUS_DMA_NOWAIT, &sc->tx_mbuf_map[i])) {
printf(": Could not create Tx mbuf %d DMA map!\n", 1);
rc = ENOMEM;
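Review bot: while this Tx map loop is being touched, fix the unchanged context line `printf(": Could not create Tx mbuf %d DMA map!\n", 1);`, which prints a literal 1 instead of the loop index i (the Rx loop further down prints i correctly). A short comment on the new size would also help: the map is now bounded by BNX_MAX_JUMBO_ETHER_MTU_VLAN rather than MCLBYTES * BNX_MAX_SEGMENTS, so a larger frame would fail to load, and the if_hardmtu set in the first hunk is what guarantees the stack never hands the driver one.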
@@ -2650,8 +2651,8 @@ bnx_dma_alloc(struct bnx_softc *sc)
 * Create DMA maps for the Rx buffer mbufs.
 */
for (i = 0; i < TOTAL_RX_BD; i++) {
-   if (bus_dmamap_create(sc->bnx_dmatag, BNX_MAX_MRU,
-   BNX_MAX_SEGMENTS, BNX_MAX_MRU, 0, BUS_DMA_NOWAIT,
+   if (bus_dmamap_create(sc->bnx_dmatag, BNX_MAX_JUMBO_MRU,
+   1, BNX_MAX_JUMBO_MRU, 0, BUS_DMA_NOWAIT,
&sc->rx_mbuf_map[i])) {
printf(": Could not create Rx mbuf %d DMA map!\n", i);
rc = 
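Review bot: reducing the Rx DMA map to one segment with maxsegsz BNX_MAX_JUMBO_MRU means every receive buffer must be a single contiguous cluster of at least BNX_MAX_JUMBO_MRU bytes; bus_dmamap_load_mbuf on a chained mbuf will now fail. The Rx buffer allocation path is not part of this diff, so confirm it requests clusters of that size (and document the single-segment assumption next to the map creation), otherwise jumbo receive breaks silently at the map-load step.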

Re: No WAF detected

2019-12-05 Thread Stuart Henderson
On 2019/12/05 00:17, Kihaguru Gathura wrote:
> On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura  wrote:
> 
> >> Which is a better way to implement a WAF on OpenBSD using the base
> >> utilities?
> >
> > relayd configured in certain ways might be considered as a WAF.
> 
> All methods and all other security headers and path filters are coded in
> the web application, which had always been detected as a custom WAF until
> two weeks ago.
> 
> I have now included relayd and a re-test passes all other requirements
> but does not detect a WAF (please find sample configurations and test
> report below).
> 
> Any hint highly appreciated

I think you will need to talk to your assessors and ask what they're looking 
for.