Re: The OpenBSD developers approve “optimizing assembler” and compilers?

2015-10-30 Thread Kimmo Paasiala
On Fri, Oct 30, 2015 at 3:41 PM, Raul Miller  wrote:
> On Fri, Oct 30, 2015 at 8:13 AM, français  wrote:
>> The OpenBSD developers approve “optimizing assembler” and compilers?
>
> You are overgeneralizing from jokes.
>
> --
> Raul
>

I believe you're feeding a troll.



Re: Diffie-Hellman issue?

2015-10-21 Thread Kimmo Paasiala
On Tue, Oct 20, 2015 at 7:43 PM, Giancarlo Razzolini
<grazzol...@gmail.com> wrote:
> On 20-10-2015 10:25, Kimmo Paasiala wrote:
>> Someone correct me if I'm wrong but as far as I know the prime numbers
>> used in DH group exchange are not secret but must be known by everyone
>> (and a couple of other parameters are also public) for the key exchange to
>> be possible in the first place.
>
> How is that different from pre-shared keys then? You can generate your
> own primes. If you don't, the defaults get used. And it is these
> defaults that can be precomputed, because almost everyone does not
> generate their own DH parameters.
>
>> What NSA can do is to perform a
>> "pre-calculation" over the possible key exchange results and the
>> danger is that a too-small DH group can be covered sufficiently by
>> them to be able to crack the DH exchange on the fly.
>>
>> Hence the recommendation to increase the size of the group used.
>
> The OpenSSH project regenerates the moduli file every release, AFAIK.
> And the DH parameters for IPSec on OpenBSD just got bumped to 3072 if
> I'm not mistaken. Bottom line, generate your own (big) parameters and
> keep them as safe as possible. The DH parameters are even more important
> than your private key. Especially if you do not change them after a key
> replacement.
>
> Cheers,
> Giancarlo Razzolini
>
>
>

There are probably some implementation details, and the plain DH
exchange is not used alone because it's totally insecure against
man-in-the-middle attacks, but the basics should be the same: the prime
numbers are not keys but fixed parameters to the DH exchange
algorithm. Maybe someone who knows more can chime in?

-Kimmo



Re: Diffie-Hellman issue?

2015-10-20 Thread Kimmo Paasiala
On Sat, Oct 17, 2015 at 11:57 AM,
<22xtrv+f800c4addk...@guerrillamail.com> wrote:
> According to
> https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
>
> "Since a handful of primes are so widely reused, the payoff, in
> terms of connections they could decrypt, would be enormous. Breaking a single,
> common 1024-bit prime would allow NSA to passively decrypt connections to
> two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a
> second 1024-bit prime would allow passive eavesdropping on connections to
> nearly 20% of the top million HTTPS websites. In other words, a one-time
> investment in massive computation would make it possible to eavesdrop on
> trillions of encrypted connections."
>
> How is the prime set up for DH in
> OpenSSH and is that something a user can change?
>
>
>


Someone correct me if I'm wrong but as far as I know the prime numbers
used in DH group exchange are not secret but must be known by everyone
(and a couple of other parameters are also public) for the key exchange to
be possible in the first place. What NSA can do is to perform a
"pre-calculation" over the possible key exchange results and the
danger is that a too-small DH group can be covered sufficiently by
them to be able to crack the DH exchange on the fly.

Hence the recommendation to increase the size of the group used.

-Kimmo
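An added example (not from either message in this thread) of the mitigation both posts converge on: working on a file in the /etc/ssh/moduli layout, it drops every DH group below a chosen size, reports the smallest group left, and shows the regeneration route for people who want their own groups. The sample file is constructed and its modulus column is a placeholder; regenerate_moduli assumes the ssh-keygen -G/-T interface of 2015-era OpenSSH.

```shell
#!/bin/sh
# Constructed sample in the layout of /etc/ssh/moduli (see moduli(5)):
#   time type tests trials size generator modulus
# The modulus column is a placeholder, not a real safe prime.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20151021000000 2 6 100 1023 2 PLACEHOLDERHEX01
20151021000000 2 6 100 1535 2 PLACEHOLDERHEX02
20151021000000 2 6 100 2047 2 PLACEHOLDERHEX03
20151021000000 2 6 100 3071 5 PLACEHOLDERHEX04
20151021000000 2 6 100 4095 2 PLACEHOLDERHEX05
this line is malformed and must be dropped'

# Read a moduli file on stdin, emit only groups of at least $1 bits.
# ssh-keygen(1) records the size as bits minus one (2047 = 2048-bit group),
# hence "$5 + 1". Comments pass through; malformed lines are dropped so a
# damaged file never hands sshd a bogus group.
filter_moduli() {
    awk -v min="$1" '
        /^#/ { print; next }
        NF == 7 && $5 ~ /^[0-9]+$/ && $5 + 1 >= min { print }
    '
}

# Number of usable groups on stdin (comments excluded).
count_groups() {
    grep -vc '^#'
}

# Smallest group, in bits, present on stdin: run it against the live file
# (min_group_bits < /etc/ssh/moduli) to audit what sshd can currently offer.
min_group_bits() {
    awk '!/^#/ && NF == 7 { b = $5 + 1; if (min == "" || b < min) min = b }
         END { print min }'
}

# Alternative to filtering the shipped file: generate your own groups with
# the ssh-keygen(1) -G/-T interface of 2015-era OpenSSH (hours for 4096 bits).
regenerate_moduli() {
    bits="$1"
    ssh-keygen -G "moduli-$bits.candidates" -b "$bits" &&
        ssh-keygen -T "moduli-$bits" -f "moduli-$bits.candidates"
}

# Stand-alone run: keep >= 2048-bit groups from the sample and report the
# smallest one that survives.
printf '%s\n' "$SAMPLE_MODULI" | filter_moduli 2048 | min_group_bits
```

On a real system the filtered output replaces /etc/ssh/moduli (keep a backup), and sshd(8) picks the new file up on restart.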



Re: match rules and priorities

2015-10-08 Thread Kimmo Paasiala
On Thu, Oct 8, 2015 at 4:26 PM, Christer Solskogen wrote:
> On Thu, Oct 8, 2015 at 10:57 AM, Ville Valkonen  wrote:
>>
>> you can only queue outgoing traffic. Once you think about it, that makes
>> sense.
>>
>
> I boiled the rule down to this:
> match proto tcp to port { http https } set prio 7
>
> But I still can't see that it does anything useful, as I don't see any
> better speed on http with or without that rule.
> What have I missed? :(
>
> --
> chs
>

As others have pointed out, you can set priorities only on traffic
leaving via an interface. Your downloads from the internet are
incoming traffic on your internet-facing network interface and cannot
be prioritized.

-Kimmo



Re: Is OpenSMTPD worthy of OpenBSD inclusion?

2015-10-05 Thread Kimmo Paasiala
On Mon, Oct 5, 2015 at 10:52 PM, Артур Истомин  wrote:
> On Mon, Oct 05, 2015 at 01:07:24PM -0400, STeve Andre' wrote:
>> The smtpd code is very good.
>
> static void
> filter_tx_io(struct io *io, int evt)
> {
> 	struct filter_session	*s = io->arg;
> 	size_t			 len, n;
> 	char			*data;
> 	char			 buf[65535];
>
> 	switch (evt) {
> 	case IO_DATAIN:
> 		data = iobuf_data(&s->ibuf);
> 		len = iobuf_len(&s->ibuf);
> 		memmove(buf, data, len);
> 		buf[len] = 0;
>

You just validated all the concerns about the quality of OpenSMTPD and
also the need for peer/code reviews. That is not production quality
code by any measure.



Re: ugen0 instead of urtwn0

2015-09-22 Thread Kimmo Paasiala
On Tue, Sep 22, 2015 at 8:52 AM, Thuban  wrote:
>> Grab relevant
>>
>> src/sys/dev/usb/if_urtwn.c
>> sys/dev/usb/usbdevs
>>
>> from CVS, then cd sys/dev/usb && make, then rebuild/install kernel
>> as described in FAQ.
>>
> I rebuilt and installed the kernel without any error, but still, the usb
> stick isn't detected as urtwn.
>
> What did I do wrong:
>
> # cd /usr
> # export CVSROOT=anon...@anoncvs.fr.openbsd.org:/cvs
> # cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src


You don't want to do this if you're going to check out src/sys/*: the
two cvs(1) commands below will create /usr/src/sys/dev/src/sys/dev/*
instead of updating /usr/src/sys/dev/* as intended.
> # cd //usr/src/sys/dev
> # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/usbdevs
> # cvs -d$CVSROOT -bOPENBSD_5_8 get src/sys/dev/if_urtwn.c
> # # rebuild/install kernel
>
> --
> Thuban
> PubKey : http://yeuxdelibad.net/Divers/thuban.pub
>

-Kimmo



Re: update/upgrade

2015-09-20 Thread Kimmo Paasiala
On Sun, Sep 20, 2015 at 11:49 PM, Quartz  wrote:
> We have a bunch of low power embedded devices that we'd like to keep
> reasonably up to date, but the disk space and cpu overhead of tracking
> -stable is kind of a nonstarter. Is there another/better way of doing things
> these days? (Other than applying dozens of patches manually).
>

Something like this?

http://www.bsdnow.tv/tutorials/stable-iso



Re: issue with pf syntax parser

2015-09-04 Thread Kimmo Paasiala
On Fri, Sep 4, 2015 at 4:02 PM, Joseph A Borg  wrote:
> maybe the syntax error should point to the line where there are extra 
> characters after the escape?
>
>

That would require making the backslash a lexical token in the
pf.conf(5) syntax. Now it's just a simple escape character that gets
eaten and forgotten by the lexical analyzer that splits the input into
tokens to be parsed by the syntax parser.

-Kimmo



Re: Maintaining CAs not in cert.pem

2015-07-30 Thread Kimmo Paasiala
On Thu, Jul 30, 2015 at 7:47 PM, Michael McConville
mmcco...@sccs.swarthmore.edu wrote:
> Giancarlo Razzolini wrote:
>> On 30-07-2015 09:15, trondd wrote:
>>> I guess the meat of the question is, is certs.pem the only location
>>> for CAs used by the system? (ignoring application certificate
>>> stores, i.e. Firefox or Java).
>>
>> Another meat could be, why are you using self-signed certificates,
>> given the plethora of options for getting free (valid) certificates?
>
> He mentioned in his original email that it's a requirement where he
> works. That's common, from what I hear, although probably not the
> safest.


That depends on the use case of the certificate. Use of a self-signed
certificate is no less secure than an official one as far as the
actual encryption on the transport layer goes. It's only a question of
whether the user trusts the authenticity of the self-signed certificate and
whether the issuer of the certificate is prepared to educate his/her users
about what a self-signed certificate is and why they should trust it.

-Kimmo



Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Kimmo Paasiala
On Mon, Jul 27, 2015 at 12:46 PM, Quartz qua...@sneakertech.com wrote:
> Some years ago I remember reading that when using OpenBSD (or any OS,
> really) as a router+firewall it was considered inadvisable from a security
> standpoint to have the different networks all attached to a single network
> card with multiple ethernet ports. The thinking being that it was
> theoretically possible for an attacker to exploit bugs in the card's chip to
> short circuit the path and route packets directly across the card in a way
> pf can't control. It was also suggested that in addition to using different
> physical cards, the cards should really use different chipsets too, in case
> an unknown driver bug allows a short circuit.
>
> I swear I read this somewhere on the website, but I can't seem to find it
> now and I'm wondering if the concept is even still valid. The impetus here
> is that I'm building a router+firewall for a cramped location and it's
> turning out rather difficult to find a case that's small enough to fit. I'd
> really like to use an itx system with multiple onboard ethernet jacks and
> cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
> if that's a good idea, security wise. Any thoughts?



It is certainly possible theoretically, but you'll have to go to very
great lengths to imagine a scenario where a remote attacker could
exploit such a flaw. It's next to impossible to identify the make and
model of the NIC that holds an IP address (if it is even directly
bound to a NIC; CARP and other similar technologies get in the way if
used), so the attacker would first have to acquire this information through
other means.

-Kimmo



Re: dhclient.conf alias declarations?

2015-07-27 Thread Kimmo Paasiala
On Mon, Jul 27, 2015 at 4:21 AM, Edgar Pettijohn ed...@pettijohn-web.com wrote:
> On 07/26/15 19:10, Kimmo Paasiala wrote:
>> On Mon, Jul 27, 2015 at 3:00 AM, Kimmo Paasiala kpaas...@gmail.com wrote:
>>> On Mon, Jul 27, 2015 at 2:33 AM, Josh Grosse j...@jggimi.homeip.net wrote:
>>>> On 2015-07-26 19:12, Kimmo Paasiala wrote:
>>>>> Hello,
>>>>>
>>>>> I'm in the process of migrating my router/firewall system from FreeBSD
>>>>> to OpenBSD and I came across a minor problem. I want to have a static
>>>>> alias address on an interface that is otherwise configured with DHCP.
>>>>> What I had in FreeBSD was this entry in /etc/dhclient.conf:
>>>>>
>>>>> alias {
>>>>>  interface vr0;
>>>>>  fixed-address 192.168.1.200;
>>>>>  option subnet-mask 255.255.255.0;
>>>>> }
>>>>>
>>>>> This seems to be silently ignored on OpenBSD 5.7 and the dhclient.conf
>>>>> manual page makes no mention of alias declarations. How am I supposed
>>>>> to achieve the same effect?
>>>>>
>>>>> -Kimmo
>>>>
>>>> Perhaps something like this in your /etc/hostname.vr0 instead would work
>>>> for you?
>>>>
>>>> dhcp
>>>> !ifconfig vr0 alias 192.168.1.200/32
>>>
>>> No, doesn't work. Interestingly, doing the alias manually when dhclient
>>> is running and vr0 has a public IP address from DHCP:
>>>
>>> sudo ifconfig vr0 alias 192.168.1.200/24
>>>
>>> This kills dhclient(8) completely and removes the main address.
>>>
>>> Any other ideas?
>>>
>>> -Kimmo
>>
>> The system log /var/log/messages reveals:
>>
>> Jul 27 03:01:30 firewall dhclient[23894]: 192.168.1.200 added to vr0; exiting
>>
>> Why is this done in such a bizarre fashion? It is not unusual to want to
>> have a static alias address on an interface that is otherwise
>> configured with DHCP.
>>
>> -Kimmo
>
> I can't test this, but from what I'm reading I think this should work:
>
> /etc/hostname.vr0
>
> dhcp alias 192.168.1.200 netmask 255.255.255.0


Unfortunately that doesn't work either; ifconfig complains about
invalid options. It looks like you can only add media options etc.
with dhcp. I can live without the alias address; it would have been
a convenient way to access the ADSL modem on the WAN side from inside
the LAN network.

-Kimmo



Re: dhclient.conf alias declarations?

2015-07-26 Thread Kimmo Paasiala
On Mon, Jul 27, 2015 at 3:00 AM, Kimmo Paasiala kpaas...@gmail.com wrote:
> On Mon, Jul 27, 2015 at 2:33 AM, Josh Grosse j...@jggimi.homeip.net wrote:
>> On 2015-07-26 19:12, Kimmo Paasiala wrote:
>>> Hello,
>>>
>>> I'm in the process of migrating my router/firewall system from FreeBSD
>>> to OpenBSD and I came across a minor problem. I want to have a static
>>> alias address on an interface that is otherwise configured with DHCP.
>>> What I had in FreeBSD was this entry in /etc/dhclient.conf:
>>>
>>> alias {
>>> interface vr0;
>>> fixed-address 192.168.1.200;
>>> option subnet-mask 255.255.255.0;
>>> }
>>>
>>> This seems to be silently ignored on OpenBSD 5.7 and the dhclient.conf
>>> manual page makes no mention of alias declarations. How am I supposed
>>> to achieve the same effect?
>>>
>>> -Kimmo
>>
>> Perhaps something like this in your /etc/hostname.vr0 instead would work
>> for you?
>>
>> dhcp
>> !ifconfig vr0 alias 192.168.1.200/32
>
> No, doesn't work. Interestingly, doing the alias manually when dhclient
> is running and vr0 has a public IP address from DHCP:
>
> sudo ifconfig vr0 alias 192.168.1.200/24
>
> This kills dhclient(8) completely and removes the main address.
>
> Any other ideas?
>
> -Kimmo


The system log /var/log/messages reveals:

Jul 27 03:01:30 firewall dhclient[23894]: 192.168.1.200 added to vr0; exiting

Why is this done in such a bizarre fashion? It is not unusual to want to
have a static alias address on an interface that is otherwise
configured with DHCP.

-Kimmo



Re: dhclient.conf alias declarations?

2015-07-26 Thread Kimmo Paasiala
On Mon, Jul 27, 2015 at 2:33 AM, Josh Grosse j...@jggimi.homeip.net wrote:
> On 2015-07-26 19:12, Kimmo Paasiala wrote:
>> Hello,
>>
>> I'm in the process of migrating my router/firewall system from FreeBSD
>> to OpenBSD and I came across a minor problem. I want to have a static
>> alias address on an interface that is otherwise configured with DHCP.
>> What I had in FreeBSD was this entry in /etc/dhclient.conf:
>>
>> alias {
>> interface vr0;
>> fixed-address 192.168.1.200;
>> option subnet-mask 255.255.255.0;
>> }
>>
>> This seems to be silently ignored on OpenBSD 5.7 and the dhclient.conf
>> manual page makes no mention of alias declarations. How am I supposed
>> to achieve the same effect?
>>
>> -Kimmo
>
> Perhaps something like this in your /etc/hostname.vr0 instead would work
> for you?
>
> dhcp
> !ifconfig vr0 alias 192.168.1.200/32

No, doesn't work. Interestingly, doing the alias manually when dhclient
is running and vr0 has a public IP address from DHCP:

sudo ifconfig vr0 alias 192.168.1.200/24

This kills dhclient(8) completely and removes the main address.

Any other ideas?

-Kimmo



dhclient.conf alias declarations?

2015-07-26 Thread Kimmo Paasiala
Hello,

I'm in the process of migrating my router/firewall system from FreeBSD
to OpenBSD and I came across a minor problem. I want to have a static
alias address on an interface that is otherwise configured with DHCP.
What I had in FreeBSD was this entry in /etc/dhclient.conf:

alias {
interface vr0;
fixed-address 192.168.1.200;
option subnet-mask 255.255.255.0;
}

This seems to be silently ignored on OpenBSD 5.7 and the dhclient.conf
manual page makes no mention of alias declarations. How am I supposed
to achieve the same effect?

-Kimmo