Re: Canada and Software Backdoors

2016-12-05 Thread Raul Miller
It's not possible, in the general case, to provide a backdoor on user
supplied encryption, steganography nor user supplied useless and/or
trivial garbage.

It is, however, possible to claim to have done so and/or to address
some of the most common things people do.

-- 
Raul


On Mon, Dec 5, 2016 at 8:55 PM,   wrote:
> On 2016-12-05 05:41, Theodoros wrote:
>>
>> Hello misc,
>>
>> I would like your comments on how could the below affect OpenBSD; if at
>> all.
>>
>> link:
>>
>> http://www.tomshardware.com/news/canada-software-encryption-backdoors-feedback,33131.html
>>
>>
>> Best greetings,
>>
>> Theodore
>
>
> How I read this, it doesn't look like this will affect OpenBSD as a project.
> It would only affect companies using OpenBSD and require them to allow the
> Canadian government access (I'm assuming by means of some form of official
> request) to that decrypted data. For companies storing data in decrypted
> form after being encrypted it would seem similar to how this is handled in
> the US, but it looks like companies who use end to end encryption (which have
> no access to decrypted user content) will have to provide a backdoor.



Re: HP Proliant MicroServer G8: not seeing disks [solved]

2016-12-05 Thread Bryan Vyhmeister
On Sat, Dec 03, 2016 at 02:21:15PM +0100, Stephane HUC "CIOTBSD" wrote:
> Hi Stuart.
> 
> What microserver would you recommend?!
> 
> On 12/03/16 at 12:08, Stuart Henderson wrote:
> > On 2016-12-02, Peter N. M. Hansteen  wrote:
> >> My only complaint is that due to the maze of twisty nonsense that is the
> >> HPE web site I never got the BIOS upgrade
> > 
> > It's at
> > http://h20564.www2.hpe.com/hpsc/swd/public/readIndex?sp4ts.oid=5390291=8=4168
> > but HP restrict BIOS downloads for computers, afaik it needs to either be
> > under warranty or you need a support contract.
> > 
> > As a result I don't buy HP machines any more, either new or second-hand.

I was considering looking for one of those HP MicroServers but I refuse
to deal with a support contract.

My suggestion for an alternative would be one of the several systems
based on the Supermicro CSE-721TQ-250B chassis.

https://www.supermicro.com/products/chassis/tower/721/SC721TQ-250B.cfm

Although I am not personally using that particular chassis, I am using
some similar custom built systems with Silverstone cases.

Bryan



Re: Lenovo Yoga 2 11

2016-12-05 Thread Bryan Vyhmeister
On Tue, Dec 06, 2016 at 09:30:06AM +0800, Denny White wrote:
> Trying to find out if anyone has had any luck with OBSD on a Lenovo
> Yoga 2 11 or anything close to that model in the Yoga line. I got it
> to boot off usb using amd64 iso due to the Yoga using UEFI.  I
> hadn't ran OBSD in quite a while, dumbassed out & forgot to save a
> dmesg or ifconfig output, but I know from both the system didn't
> recognize any network device like fxp0, eth0, etc., e.g. Only showed
> the lo0, enc0, & pflog0. I'm aware of /etc/firmware and from what I
> read it recognizes the network device & sees it needs a firmware fix
> the system does it on it's own, but I guess that's not gonna
> happen if the system doesn't even recognize a network device. If
> anyone's had any luck at all with a Yoga 2 series I would surely
> appreciate push in the right direction. Thx.

It is very hard to say much without a dmesg. As far as I am aware, the
Yoga type systems do not have ethernet ports and probably only have
wireless network interfaces. The easiest route is to use a USB ethernet
adapter to connect to a network in order to run fw_update to get
whatever firmware is needed. That is not a guarantee though. All of the
Lenovo systems I have right now (ThinkPad X1 Carbon 1st Gen, ThinkPad
X230, ThinkPad 11e, LaVie Z, ThinkPad X260, and ThinkPad X1 Carbon 4th
Gen) all use Intel wireless cards supported by the iwm(4) or iwm(4)
drivers. However, none of these are "Yoga" type systems and they might
have some other wireless network interface.

OpenBSD has excellent UEFI support and almost all of the systems I
listed above are working great with a UEFI install. Again, a dmesg would
answer most of these questions.

Bryan



Re: IPSEC from behind NAT stage 2 failure

2016-12-05 Thread Robert Szasz
Yes on the diagram, I should have noted that I just deleted the psk
rather than sending it out on email. pf.conf and npppd.conf follow.


Thanks,
Robert Szasz

npppd.conf

-

# $OpenBSD: npppd.conf,v 1.2 2014/03/22 04:32:39 yasuoka Exp $
# sample npppd configuration file.  see npppd.conf(5)

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
#authentication RADIUS type radius {
#       authentication-server {
#               address 192.168.0.1 secret "hogehoge"
#       }
#       accounting-server {
#               address 192.168.0.1 secret "hogehoge"
#       }
#}

tunnel L2TP protocol l2tp {
        listen on 0.0.0.0
        listen on ::
}

ipcp IPCP {
        pool-address 10.216.196.150-10.216.196.200
        dns-servers 10.216.194.254
}

# use pppx(4) interface.  use an interface per a ppp session.
#interface pppx0 address 10.0.0.1 ipcp IPCP
#bind tunnel from L2TP authenticated by LOCAL to pppx0

# use tun(4) interface.  multiple ppp sessions concentrate one interface.
interface tun0  address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
---

pf.conf

---

#   $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
IntIF="em0"
ExtIF="em3"
CarpInt="carp0"
CarpExt="carp1"
icmp_types="echoreq"

udp_services="{isakmp, ipsec-nat-t}"
tcp_services="{ 22,500,4500,1701 }"

set skip on lo
set block-policy drop
block drop all
match out on $ExtIF inet from !($CarpExt:network) to any nat-to ($CarpExt)



# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

#pass icmp
pass in inet proto icmp all icmp-type $icmp_types

#pass IPSec
pass quick proto { esp, ah } from any to any
pass in on $ExtIF proto udp from any to any port {isakmp,ipsec-nat-t}

#pass CARP and pfsync
pass quick proto carp
pass quick proto pfsync

#pass services
pass in on $ExtIF proto udp from any to ($ExtIF) port {22, 500, 4500, 1701} keep state
pass out on $ExtIF proto {tcp,udp,icmp} from any to any flags S/SA keep state



pass on $IntIF

pass on $IntIF inet proto tcp from any to ($CarpInt)


pass in on $ExtIF inet proto tcp from any to ($ExtIF) port $tcp_services
pass in on $ExtIF inet proto udp from any to ($ExtIF) port $udp_services

pass out on $ExtIF inet from any to $CarpExt keep state


pass on $ExtIF proto carp keep state (no-sync)

pass in on $ExtIF inet proto tcp from any to ($CarpExt) port $tcp_services
pass in on $ExtIF inet proto udp from any to ($CarpExt) port $udp_services


On 12/5/2016 6:16 PM, Damian McGuckin wrote:
> Robert,
>
> On Mon, 5 Dec 2016, Robert Szasz wrote:
>
>> I'm testing with the following setup
>>
>> Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)
>
> Do you mean?
>
> Win10 ->obsd5.9(firewall doing nat)->{INTERNET}->obsd5.9(IPSEC)
>
>> The connection process fails at stage 2 with the error message below
>> where X is the public IP of the box being connected to, and Y is the
>> ip of the firewall the win10 machine is behind 10...58 is the private
>> ip of the win10 machine.
>
> I can try to help but as you probably read a week or so ago, am a bit
> of a learner with L2TP myself.
>
>> error in the isakmpd log
>>
>> 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed
>> invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
>> 010420.423325 Default dropped message from y.y.y.y port 58544 due to
>> notification type INVALID_ID_INFORMATION
>>
>> ipsec.conf
>>
>> ike passive esp transport \
>>  proto udp from x.x.x.x to any port 1701 \
>>  main auth hmac-sha1 enc "aes" group modp2048\
>>  quick auth hmac-sha1 enc "aes" group modp2048\
>>  psk ""
>
> Why no pre-shared key?
>
> Some versions of Windows 10 L2TP client, i.e. certain the one on my
> Windows 10 HOME box, only use 3DES, i.e. replace "aes" by "3des"
> above. Also, some only use modp1024 or maybe I am getting confused by
> those Apples.
>
> I would also need to look at a copy of 'pf.conf' because that can be
> where the problem lies. That was where I made a mistake.
>
> What about 'npppd.conf'? Make sure that the sandbox network that it
> uses, or what some documentation called the VPN network, is different
> from the IPs of the 2 networks at each end of your link.
>
> Regards - Damian
>
> Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
> Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
> Views & opinions here are mine and not those of any past or present employer




Re: Canada and Software Backdoors

2016-12-05 Thread alexmcwhirter

On 2016-12-05 05:41, Theodoros wrote:
> Hello misc,
>
> I would like your comments on how could the below affect OpenBSD; if at
> all.
>
> link:
> http://www.tomshardware.com/news/canada-software-encryption-backdoors-feedback,33131.html
>
> Best greetings,
>
> Theodore

How I read this, it doesn't look like this will affect OpenBSD as a
project. It would only affect companies using OpenBSD and require them
to allow the Canadian government access (I'm assuming by means of some
form of official request) to that decrypted data. For companies storing
data in decrypted form after being encrypted it would seem similar to
how this is handled in the US, but it looks like companies who use end
to end encryption (which have no access to decrypted user content) will
have to provide a backdoor.




Re: IPSEC from behind NAT stage 2 failure

2016-12-05 Thread Damian McGuckin

Robert,

On Mon, 5 Dec 2016, Robert Szasz wrote:

> I'm testing with the following setup
>
> Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)

Do you mean?

Win10 ->obsd5.9(firewall doing nat)->{INTERNET}->obsd5.9(IPSEC)

> The connection process fails at stage 2 with the error message below
> where X is the public IP of the box being connected to, and Y is the ip
> of the firewall the win10 machine is behind 10...58 is the private ip of
> the win10 machine.

I can try to help but as you probably read a week or so ago, am a bit of a
learner with L2TP myself.

> error in the isakmpd log
>
> 010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid
> phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
> 010420.423325 Default dropped message from y.y.y.y port 58544 due to
> notification type INVALID_ID_INFORMATION
>
> ipsec.conf
>
> ike passive esp transport \
>  proto udp from x.x.x.x to any port 1701 \
>  main auth hmac-sha1 enc "aes" group modp2048\
>  quick auth hmac-sha1 enc "aes" group modp2048\
>  psk ""

Why no pre-shared key?

Some versions of Windows 10 L2TP client, i.e. certain the one on my
Windows 10 HOME box, only use 3DES, i.e. replace "aes" by "3des" above.
Also, some only use modp1024 or maybe I am getting confused by those
Apples.

I would also need to look at a copy of 'pf.conf' because that can be
where the problem lies. That was where I made a mistake.

What about 'npppd.conf'? Make sure that the sandbox network that it uses,
or what some documentation called the VPN network, is different from the
IPs of the 2 networks at each end of your link.


Regards - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer



IPSEC from behind NAT stage 2 failure

2016-12-05 Thread Robert Szasz
I'm trying to set up an L2TP/IPSEC tunnel for roaming windows users to 
tunnel in to our office network.


I'm testing with the following setup

Win10 ->obsd5.9(firewall doing nat)->{}->obsd5.9(IPSEC)

I'd like something reasonably robust, able to pass through most NAT a 
user might find themselves behind. Our current cisco vpn handles that 
part fairly well, but otherwise is unreliable and a pain to manage.


 The connection process fails at stage 2 with the error message below 
where X is the public IP of the box being connected to, and Y is the ip 
of the firewall the win10 machine is behind 10...58 is the private ip of 
the win10 machine.


Thanks,

Robert Szasz



error in the isakmpd log

---

010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed 
invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
010420.423325 Default dropped message from y.y.y.y port 58544 due to 
notification type INVALID_ID_INFORMATION


ipsec.conf

ike passive esp transport \
 proto udp from x.x.x.x to any port 1701 \
 main auth hmac-sha1 enc "aes" group modp2048\
 quick auth hmac-sha1 enc "aes" group modp2048\
 psk ""
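
The two isakmpd lines in this message can be paired mechanically to see whose phase 2 IDs were rejected and from which source address. This is an added example, not part of the original post or of isakmpd; it assumes the log layout shown above, and 203.0.113.10 and 198.51.100.7 are constructed stand-ins for the redacted x.x.x.x and y.y.y.y.

```python
"""Pair isakmpd phase 2 ID rejections with the dropped-message line that follows.

Added example; not part of isakmpd or of the original post.
Assumption: each entry is HHMMSS.microseconds, a class word such as
"Default", then the message text, as in the lines quoted in the message.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

TS_RE = re.compile(r"^\d{6}\.\d{6} ")
ID_RE = re.compile(
    r"^(?P<ts>\d{6}\.\d{6}) \S+ responder_recv_HASH_SA_NONCE: peer proposed "
    r"invalid phase 2 IDs: initiator id (?P<init>[^,\s]+), "
    r"responder id (?P<resp>\S+)$")
DROP_RE = re.compile(
    r"^(?P<ts>\d{6}\.\d{6}) \S+ dropped message from (?P<peer>\S+) "
    r"port (?P<port>\d+) due to notification type (?P<ntype>\w+)$")

# Constructed sample: documentation addresses replace the redacted ones.
CONSTRUCTED_LOG = """\
010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.1.1.58, responder id 203.0.113.10
010420.423325 Default dropped message from 198.51.100.7 port 58544 due to notification type INVALID_ID_INFORMATION
"""

# The lines as posted: wrapped by the mail client, addresses redacted.
AS_POSTED_LOG = """\
010420.423317 Default responder_recv_HASH_SA_NONCE: peer proposed
invalid phase 2 IDs: initiator id 10.1.1.58, responder id x.x.x.x
010420.423325 Default dropped message from y.y.y.y port 58544 due to
notification type INVALID_ID_INFORMATION
"""


def unwrap(lines):
    """Re-join entries that a mail client wrapped onto a second line."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def micros(ts):
    """Convert HHMMSS.uuuuuu to integer microseconds since midnight."""
    hms, frac = ts.split(".")
    secs = int(hms[:2]) * 3600 + int(hms[2:4]) * 60 + int(hms[4:])
    return secs * 10**6 + int(frac)


def parse_ip(text):
    """Return an ip_address, or None for redacted text such as x.x.x.x."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def phase2_id_rejections(log_text, window_us=1_000_000):
    """Return one record per rejected phase 2 ID pair.

    nat_suspected is True when the initiator ID is an RFC 1918 address that
    differs from the packet source, False when it is not, and None when
    either address is redacted or no matching drop line followed.
    """
    findings, pending, pending_t = [], None, 0
    for line in unwrap(log_text.splitlines()):
        m = ID_RE.match(line)
        if m:
            pending = {"initiator_id": m["init"], "responder_id": m["resp"],
                       "peer": None, "port": None, "nat_suspected": None}
            pending_t = micros(m["ts"])
            findings.append(pending)
            continue
        m = DROP_RE.match(line)
        if not (m and pending and m["ntype"] == "INVALID_ID_INFORMATION"):
            continue
        if 0 <= micros(m["ts"]) - pending_t <= window_us:
            init, peer = parse_ip(pending["initiator_id"]), parse_ip(m["peer"])
            pending["peer"], pending["port"] = m["peer"], int(m["port"])
            if init is not None and peer is not None:
                pending["nat_suspected"] = (
                    any(init in net for net in RFC1918) and init != peer)
            pending = None
    return findings


if __name__ == "__main__":
    for name, log in (("constructed", CONSTRUCTED_LOG),
                      ("as posted", AS_POSTED_LOG)):
        for rec in phase2_id_rejections(log):
            print(name, rec)
```

A True `nat_suspected` means the rejected initiator ID is a private address that differs from the packet source, which is the layout described here for the Win10 host behind the NAT firewall.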



vmwpvs driver

2016-12-05 Thread R0me0 ***
Hello misc,

Some days ago, I tried to install OpenBSD 6.0 using vmwpvs (VMware
Paravirtual).

When the obsd installer finished, I received a message that the boot could not
be done using my disk.

So I did a research on OBSD mailing lists and found:


"There's a problem with vmwpvs(4) where the first write gets lost.
IIRC if you shell out from the installer and run fdisk -iy sd0 manually
once, then resume installing, it then works. "



I followed it and it was solved! I was able to boot my new OpenBSD fresh install.

* I performed it using full disk encryption

Is there any workaround besides this, or is it a legit bug?


Thank you



Lenovo Yoga 2 11

2016-12-05 Thread Denny White
Trying to find out if anyone has had any luck with
OBSD on a Lenovo Yoga 2 11 or anything close
to that model in the Yoga line. I got it to boot off
usb using amd64 iso due to the Yoga using UEFI.
I hadn’t ran OBSD in quite a while, dumbassed
out & forgot to save a dmesg or ifconfig output,
but I know from both the system didn’t recognize
any network device like fxp0, eth0, etc., e.g. Only
showed the lo0, enc0, & pflog0. I’m aware of
/etc/firmware and from what I read it recognizes
the network device & sees it needs a firmware fix
the system does it on it’s own, but I guess that’s
not gonna happen if the system doesn’t even
recognize a network device. If anyone’s had any
luck at all with a Yoga 2 series I would surely
appreciate push in the right direction. Thx.



Re: Installer : deselecting X* sets if user doesn't want to run X

2016-12-05 Thread Clint Pachl

Clément 'wxcafé' Hertling wrote on 12/03/16 07:29:
> Hey,
>
> So each time I install an OpenBSD system I have to both answer no as to whether
> I want to run X on the system, and then deselect the X* sets.
>
> It's not a big thing, but I thought it couldn't be that hard to make it
> automatic, that is, if the user indicated they are not planning to run X,
> deselect the X* sets by default, since it's probably the most common case (they
> could want to have the sets to build some software or to run remote X
> applications, but in my opinion most users who indicate they don't want to run X
> won't need these sets).


Back in the day before the automated install stuff was in base, I 
created my own. One thing my updater did, which is apropos to what 
you're asking, is it would look for existing well-known X11 directories 
which were part of the X sets. If it found them, it would install the X 
sets accordingly.


I wonder if this would be a useful solution?



Re: FAQ update

2016-12-05 Thread Bryan Vyhmeister
On Mon, Dec 05, 2016 at 09:12:49AM -0800, Todd Carpenter wrote:
> Next, create the mirror with the bioctl(8) command.
> 
> # *bioctl -c 1 -l sd0a,sd1a softraid0*
> 
> 
> *That's good, but the next part shows*
> 
> 
> # *bioctl -c C -l sd0a softraid0*
> New passphrase:
> Re-type passphrase:
> sd1 at scsibus2 targ 1 lun 0:  SCSI2 0/direct fixed
> sd1: 19445MB, 512 bytes/sector, 39824607 sectors
> softraid0: CRYPTO volume attached as sd1
> 
> 
> The problem is that it says softraid is full. perhaps I'm doing
> something wrong..

There are a couple of gaps in your understanding. I'm not sure what the
status of nested softraid(4) is but once you run the first command which
creates the mirror (bioctl -c 1), the softraid(4) device will now be a
new device called sd2. You would now set up the sd2 device with a
partition of type RAID and then use bioctl(8) on that new softraid(4)
disk device.

I believe it would then be:

bioctl -c C -l sd2a softraid0

After this command (and inputting a password) you will have a new volume
which would presumably be sd3. You would do your normal install on sd3.
In theory, to be bootable, you would then run:

installboot -v sd3

It's very possible that this will not be bootable and might not work
right but I know some work happened on nested softraid(4).

One reason this might be somewhat confusing is that the examples section
of bioctl(8) uses wd(4) devices for the chunks that make up the
softraid(4) device. The wd(4) driver is for older IDE drives while
modern SATA devices (and USB attached drives) show up as sd(4) as well.

Bryan



Re: OpenBSD's binutils

2016-12-05 Thread Stuart Longland
On 06/12/16 06:56, Stuart Longland wrote:
> On 06/12/16 01:31, Sebastian Reitenbach wrote:
>>> I started it off yesterday afternoon and this evening I note that the
>>> llvm/clang build failed with an "out of memory" error.  I've re-started
>>> on the off-chance it was a temporary issue, but I doubt it.
>> The OOM can also be a limit in /etc/login.conf, maybe you have to bump
>> datasize there, and try again.
> 
> Ahh okay, I just found that file and saw the limits set to 512MB so I've
> upped them to 2GB (RAM + swap) and will see how that goes.

No good it seems, unless I did it wrong (definitely possible).

I first upped the datasize limits in login.conf:
http://www.longlandclan.id.au/~stuartl/openbsd/2016/12/06-llvm/login.conf

Then I logged out, and logged back in.  (Editing
/etc/security/limits.conf in Linux requires this, I guessed OpenBSD
login.conf would be the same.)  Fired up a terminal session, ran `doas
-s` and tried again with the install of llvm:

http://www.longlandclan.id.au/~stuartl/openbsd/2016/12/06-llvm/llvm.log:
> FAILED: lib/IR/CMakeFiles/LLVMCore.dir/Function.cpp.o 
> /usr/local/ports/obj/llvm-3.8.0/bin/c++   -D__STDC_CONSTANT_MACROS 
> -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -Ilib/IR 
> -I/usr/local/ports/obj/llvm-3.8.0/llvm-3.8.0.src/lib/IR -Iinclude 
> -I/usr/local/ports/obj/llvm-3.8.0/llvm-3.8.0.src/include -O2 -pipe-fPIC 
> -fvisibility-inlines-hidden -Wall -W -Wno-unused-parameter -Wwrite-strings 
> -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long 
> -Wno-maybe-uninitialized -Wdelete-non-virtual-dtor -Wno-comment -std=c++11 
> -ffunction-sections -fdata-sections -DNDEBUG-fno-exceptions -MD -MT 
> lib/IR/CMakeFiles/LLVMCore.dir/Function.cpp.o -MF 
> lib/IR/CMakeFiles/LLVMCore.dir/Function.cpp.o.d -o 
> lib/IR/CMakeFiles/LLVMCore.dir/Function.cpp.o -c 
> /usr/local/ports/obj/llvm-3.8.0/llvm-3.8.0.src/lib/IR/Function.cpp
> 
> cc1plus: out of memory allocating 47721528 bytes after a total of 0 bytes
> ninja: build stopped: subcommand failed.
> *** Error 1 in . (/usr/ports/devel/cmake/cmake.port.mk:31 'do-build': @cd 
> /usr/local/ports/obj/llvm-3.8.0/build-mips64el && exec /usr/bin/en...)
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2670 
> '/usr/local/ports/obj/llvm-3.8.0/build-mips64el/.build_done')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:1891 
> '/usr/local/ports/packages/mips64el/all/llvm-3.8.0p2.tgz')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2416 
> '_internal-package')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2396 'package')
> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:1908 
> '/var/db/pkg/llvm-3.8.0p2/+CONTENTS')
> *** Error 1 in /usr/ports/devel/llvm 
> (/usr/ports/infrastructure/mk/bsd.port.mk:2396 'install')
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: OpenBSD's binutils

2016-12-05 Thread Stuart Longland
On 06/12/16 01:31, Sebastian Reitenbach wrote:
>> I started it off yesterday afternoon and this evening I note that the
>> llvm/clang build failed with an "out of memory" error.  I've re-started
>> on the off-chance it was a temporary issue, but I doubt it.
> The OOM can also be a limit in /etc/login.conf, maybe you have to bump
> datasize there, and try again.

Ahh okay, I just found that file and saw the limits set to 512MB so I've
upped them to 2GB (RAM + swap) and will see how that goes.

I note there's a default and a maximum limit.  I take it `ulimit`
controls the currently enforced limit?
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: FAQ update

2016-12-05 Thread Ax0n
The first command will create a new virtual drive device (sd2 perhaps?)
and you'll want to create your softraid crypto volume on that device, not
on sd0.

Note that I've never tried this, and that the bootloader might need some
additional help after you have the striped softraid encrypted.

On Mon, Dec 5, 2016 at 11:12 AM, Todd Carpenter wrote:

> Hi guys,
>
> I was wondering if you could update the documentation to show how to both
> strip and geli encrypt the device..
>
> cut --
>
> to
>
> Next, create the mirror with the bioctl(8) command.
>
> # *bioctl -c 1 -l sd0a,sd1a softraid0*
>
>
> *That's good, but the next part shows*
>
>
> # *bioctl -c C -l sd0a softraid0*
> New passphrase:
> Re-type passphrase:
> sd1 at scsibus2 targ 1 lun 0:  SCSI2 0/direct fixed
> sd1: 19445MB, 512 bytes/sector, 39824607 sectors
> softraid0: CRYPTO volume attached as sd1
>
>
> The problem is that it says softraid is full. perhaps I'm doing
> something wrong..
>
>
> am I doing something wrong?
>
>
> thanks!



FAQ update

2016-12-05 Thread Todd Carpenter
Hi guys,

I was wondering if you could update the documentation to show how to both
strip and geli encrypt the device..

cut --

to

Next, create the mirror with the bioctl(8) command.

# *bioctl -c 1 -l sd0a,sd1a softraid0*


*That's good, but the next part shows*


# *bioctl -c C -l sd0a softraid0*
New passphrase:
Re-type passphrase:
sd1 at scsibus2 targ 1 lun 0:  SCSI2 0/direct fixed
sd1: 19445MB, 512 bytes/sector, 39824607 sectors
softraid0: CRYPTO volume attached as sd1


The problem is that it says softraid is full. perhaps I'm doing
something wrong..


am I doing something wrong?


thanks!



Re: OpenBSD's binutils

2016-12-05 Thread Sebastian Reitenbach
On Monday, December 5, 2016 11:05 CET, Stuart Longland wrote:

> On 28/11/16 21:10, Stuart Henderson wrote:
> > You are right, gcc 4.9 generates some code using opcodes that need newer gas.
> > Try building the port with clang (it would also help the case where the port
> > itself has asm needing a newer assembler; clang has an integrated assembler
> > which generally has better opcode support, it's needed e.g. for some video
> > codecs in x86-land for this reason too).
> >
> > MODULES += lang/clang
> > MODCLANG_ARCHS = *
> >
> > gstreamer1 in -current already uses this but the currently available mips64el
> > package snapshot pre-dates this change.
>
> A heads up, I'm in the process of giving this a try.
>
> I started it off yesterday afternoon and this evening I note that the
> llvm/clang build failed with an "out of memory" error.  I've re-started
> on the off-chance it was a temporary issue, but I doubt it.

The OOM can also be a limit in /etc/login.conf, maybe you have to bump
datasize there, and try again.

Sebastian



Re: cwm window manager usage, hidden windows

2016-12-05 Thread Okan Demirmen
On Mon 2016.12.05 at 14:21 +0100, Rudolf Sykora wrote:
> Hello,
> 
> I've been trying cwm for a while and would like to
> ask a question about it. As cwm seems to be developed
> within openbsd, I dare ask here.
> 
> I seem to need desktops, thus my .cwmrc contains
> 
> sticky yes
> bind M-1    grouponly1
> bind M-2    grouponly2
> bind M-3    grouponly3
> bind M-4    grouponly4
> bind MS-1   movetogroup1
> bind MS-2   movetogroup2
> bind MS-3   movetogroup3
> bind MS-4   movetogroup4
> 
> which emulates desktops, and works fine
> as long as one doesn't have hidden windows. My problem
> with a hidden window shows, when
> 
> 1) I have a certain group of windows,
> 2) I hide one window,
> 3) I switch to another group,
> 4) and I return to the original group.
> Now the window that I hid is no longer hidden.
> This I find annoying.
> (The movetogroup unhides all windows.)
> 
> Is there any help (or does my use of cwm differ
> from the usual use?)
> 
> Thanks for comments,
> Ruda

Hi,

I can't offer much help :) As you gathered, cwm doesn't have desktops, but it
can emulate desktops, with a few caveats (as you've found one). I see this a
lot from folks posting cwm configs - folks prefer desktops as opposed to
groups, which is what the original cwm was designed around. The mixing of
groups and ewmh desktops is fairly sloppy; replacing this emulation with actual
desktops is something I would like to see; I have some inital stabs at it, but
it does break groups and labels, thus it's almost a re-write from that
stand-point (making all 3 work without setting so-called 'modes' of
operations).  Doesn't mean it won't happen; it bothers me enough to get back to
it...

Thanks,
Okan



Re: IPv6 Setup not working on Hetzner server

2016-12-05 Thread R0me0 ***
+1
 ping -c 1 fe80::1%em0 > /dev/null

2016-12-05 11:05 GMT-02:00 Marc Peters :

> On 12/02/16 at 13:39, Leo Unglaub wrote:
> > I just found out that since i changed my mygate up to your suggestion
> > that i now have to ping6 fe80::1%em0 first and then i am able to
> > connect to other hosts via IPv6. But not before i pinged the
> > fe80::1%em0. WTF?
>
> i have the same setup at hetzner and as someone suggested, i am using in
> my root crontab:
>
> @reboot sleep 10 && ping6 -c 10 fe80::1\%em0 > /dev/null
>
> works for me, at least.



Re: IPv6 Setup not working on Hetzner server

2016-12-05 Thread Martin Pieuchot
On 05/12/16(Mon) 14:05, Marc Peters wrote:
> On 12/02/16 at 13:39, Leo Unglaub wrote:
> > I just found out that since i changed my mygate up to your suggestion
> > that i now have to ping6 fe80::1%em0 first and then i am able to
> > connect to other hosts via IPv6. But not before i pinged the
> > fe80::1%em0. WTF?
> 
> i have the same setup at hetzner and as someone suggested, i am using in
> my root crontab:
> 
> @reboot sleep 10 && ping6 -c 10 fe80::1\%em0 > /dev/null
> 
> works for me, at least.

Could you report the problem on bugs@?  It would be nice to fix the
issue rather than documenting workarounds :)



cwm window manager usage, hidden windows

2016-12-05 Thread Rudolf Sykora
Hello,

I've been trying cwm for a while and would like to
ask a question about it. As cwm seems to be developed
within openbsd, I dare ask here.

I seem to need desktops, thus my .cwmrc contains

sticky yes
bind M-1    grouponly1
bind M-2    grouponly2
bind M-3    grouponly3
bind M-4    grouponly4
bind MS-1   movetogroup1
bind MS-2   movetogroup2
bind MS-3   movetogroup3
bind MS-4   movetogroup4

which emulates desktops, and works fine
as long as one doesn't have hidden windows. My problem
with a hidden window shows, when

1) I have a certain group of windows,
2) I hide one window,
3) I switch to another group,
4) and I return to the original group.
Now the window that I hid is no longer hidden.
This I find annoying.
(The movetogroup unhides all windows.)

Is there any help (or does my use of cwm differ
from the usual use?)

Thanks for comments,
Ruda



Re: IPv6 Setup not working on Hetzner server

2016-12-05 Thread Marc Peters
On 12/02/16 at 13:39, Leo Unglaub wrote:
> I just found out that since i changed my mygate up to your suggestion
> that i now have to ping6 fe80::1%em0 first and then i am able to
> connect to other hosts via IPv6. But not before i pinged the
> fe80::1%em0. WTF?

i have the same setup at hetzner and as someone suggested, i am using in
my root crontab:

@reboot sleep 10 && ping6 -c 10 fe80::1\%em0 > /dev/null

works for me, at least.



Re: Setting MAC address of vm in vm.conf with lladdr

2016-12-05 Thread Eric Brown
Reyk Floeter  writes:

> I cannot reproduce it, it works as intended.  Are you sure that you
> were looking at the MAC address on the "VM guest side" and not on the
> host side, as mentioned in vm.conf(5):
>
>  lladdr etheraddr
>  Change the link layer address (MAC address) of the
>  interface on the VM guest side.  If not specified, a
>  randomized address will be assigned by vmd(8).
>
> Can you try with current and run vmd in foreground "vmd -dvv", I added
> a debug message that will show more details:
>
> run_vm: initializing hardware for vm openbsd.vm
> virtio_init: vm "openbsd.vm" vio0 lladdr 00:01:ba:d0:e8:db
> virtio_init: vm "openbsd.vm" vio1 lladdr fe:e1:bb:d2:bc:72
> run_vm: starting vcpu threads for vm openbsd.vm
>
> As you see, my test case uses a fixed lladdr for the first interface;
> ifconfig within the guest shows the same.
>
> Reyk
>

Hi Reyk,

Thank you for your response.  I think you have identified my
misunderstanding of the lladdr setting, which sets the vio0 address on
the inside of the VM just fine.

My interest in this setting is to assign an IP address from a DHCP
server based on MAC address, so that I can e.g. ssh and/or http into
this VM.

I am gathering that this should be done on the host side?

Eric



Canada and Software Backdoors

2016-12-05 Thread Theodoros
Hello misc,

I would like your comments on how could the below affect OpenBSD; if at all.

link:
http://www.tomshardware.com/news/canada-software-encryption-backdoors-feedback,33131.html


Best greetings,

Theodore



Re: OpenBSD's binutils

2016-12-05 Thread Stuart Longland
On 28/11/16 21:10, Stuart Henderson wrote:
> You are right, gcc 4.9 generates some code using opcodes that need newer gas.
> Try building the port with clang (it would also help the case where the port
> itself has asm needing a newer assembler; clang has an integrated assembler
> which generally has better opcode support, it's needed e.g. for some video
> codecs in x86-land for this reason too).
> 
> MODULES += lang/clang
> MODCLANG_ARCHS = *
> 
> gstreamer1 in -current already uses this but the currently available mips64el
> package snapshot pre-dates this change.

A heads up, I'm in the process of giving this a try.

I started it off yesterday afternoon and this evening I note that the
llvm/clang build failed with an "out of memory" error.  I've re-started
on the off-chance it was a temporary issue, but I doubt it.

Sadly the Yeeloong only came with 1GB RAM, and while it is in the form
of a DDR2 SO-DIMM, it does not recognise a DDR2 4GB stick of RAM I
borrowed from another machine (tried it, PMON2000 was a no-show, put the
RAM back where I got it and that machine still boots fine), so upping
the memory appears to be out.

Last time I had this trouble, it was building Firefox… and adding swap
files was no help.

A workaround to this might be to bring up OpenBSD within QEMU… while
it's not exactly going to be efficient, one advantage is I can give the
VM as much RAM as the host can spare.

NetBSD/evbmips appears to support the MIPS Malta board which I think
QEMU emulates, and I seem to recall OpenBSD is a NetBSD fork.

How feasible would it be to port that bit of NetBSD over to OpenBSD?
Anyone tried this?
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: Setting MAC address of vm in vm.conf with lladdr

2016-12-05 Thread Reyk Floeter
On Sun, Dec 04, 2016 at 09:55:32AM -0600, Eric Brown wrote:
> Dear List,
> 
> I am using the current snapshot (Dec 3 as of this post), and I am trying
> to set the MAC address of a vm host in vm.conf.
> 
> However, the MAC address reported by ifconfig -a seems to change with
> each restart. The lladdr that I had typed in was from a copy/paste of a
> random assignment, so I hope that it is valid.
> 
> I know that this is still a WIP, but I thought I would ask in case I'm
> making a dumb mistake.
> 
> Thanks, 
> Eric
> 

I cannot reproduce it, it works as intended.  Are you sure that you
were looking at the MAC address on the "VM guest side" and not on the
host side, as mentioned in vm.conf(5):

     lladdr etheraddr
             Change the link layer address (MAC address) of the
             interface on the VM guest side.  If not specified, a
             randomized address will be assigned by vmd(8).

Can you try with current and run vmd in foreground "vmd -dvv", I added
a debug message that will show more details:

run_vm: initializing hardware for vm openbsd.vm
virtio_init: vm "openbsd.vm" vio0 lladdr 00:01:ba:d0:e8:db
virtio_init: vm "openbsd.vm" vio1 lladdr fe:e1:bb:d2:bc:72
run_vm: starting vcpu threads for vm openbsd.vm

As you see, my test case uses a fixed lladdr for the first interface;
ifconfig within the guest shows the same.

Reyk

> 
> -
> /etc/vm.conf:
> 
> vm "current.ericcbrown.com" {
>   memory 2048M
>   kernel "/root/vmm/current/bsd"
>   disk "/var/vmm/current/disk.img"
>   interface tap {
>     lladdr fe:e1:ba:d1:77:24
>     switch uplink
>   }
> }
> 
> switch uplink {
>   add bge0
> }
> 

-- 
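
An added example, not part of the thread and not vmd's own code: it checks that a configured lladdr is a usable unicast address (the "I hope that it is valid" question) and compares it with what the `virtio_init` debug lines from `vmd -dvv` report for the guest side. The function names are hypothetical, and the log format is assumed to be exactly that of the lines quoted in the reply above.

```python
import re

# Constructed sample: the `vmd -dvv` debug lines quoted in the reply above.
VMD_LOG = """\
run_vm: initializing hardware for vm openbsd.vm
virtio_init: vm "openbsd.vm" vio0 lladdr 00:01:ba:d0:e8:db
virtio_init: vm "openbsd.vm" vio1 lladdr fe:e1:bb:d2:bc:72
run_vm: starting vcpu threads for vm openbsd.vm
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
# Assumed log format, taken from the debug lines above.
LOG_RE = re.compile(r'^virtio_init: vm "([^"]+)" (vio\d+) lladdr (\S+)$', re.M)


def classify_lladdr(addr):
    """Return (is_unicast, is_locally_administered) for a MAC string."""
    addr = addr.strip().lower()
    if not MAC_RE.match(addr):
        raise ValueError("not a colon-separated 48-bit MAC: %r" % addr)
    first = int(addr[:2], 16)
    # Bit 0 of the first octet is the group (multicast) bit, bit 1 the
    # locally-administered bit. An interface address needs bit 0 clear.
    return ((first & 0x01) == 0, (first & 0x02) != 0)


def guest_lladdrs(log_text):
    """Map (vm name, guest interface) -> lladdr from virtio_init lines."""
    return {(vm, nic): mac.lower() for vm, nic, mac in LOG_RE.findall(log_text)}


def check_pinned(log_text, vm, nic, configured):
    """Compare the address vmd reports for a guest NIC with vm.conf."""
    unicast, _ = classify_lladdr(configured)
    if not unicast:
        return "invalid: multicast bit set in configured lladdr"
    seen = guest_lladdrs(log_text).get((vm, nic))
    if seen is None:
        return "no virtio_init line for %s %s" % (vm, nic)
    if seen == configured.strip().lower():
        return "match"
    return "mismatch: vmd used " + seen


if __name__ == "__main__":
    print(classify_lladdr("fe:e1:ba:d1:77:24"))
    print(check_pinned(VMD_LOG, "openbsd.vm", "vio0", "00:01:ba:d0:e8:db"))
```
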



Re: IPv6 Setup not working on Hetzner server

2016-12-05 Thread Sebastian Reitenbach
On Friday, December 2, 2016 13:39 CET, Leo Unglaub wrote:

> Hey,
>
> On 12/02/16 13:14, Reyk Floeter wrote:
> > This is a link-local address, you have to specify the interface scope id:
> >
> > $ cat /etc/mygate
> > 144.76.102.193
> > fe80::1%em0
>
> thanks for the hint. I fixed this but that alone still does not help me
> to send IPv6 data.
>
> > Hetzner also needs to know your link-local address on em0,
> > do they use the fe80::921b:eff:fe8b:f34%em0 derived from the MAC (I think they do)
> > or do you have to configure something like fe80::2%em0 on your side?
>
> That's a good question. Sadly they don't specify that in the docs and are
> also not willing to answer that via their support staff.
>
> All I could find in the documentation is the following line:
>
> > For IPv6 on dedicated servers and virtual servers from the CX line, the gateway is fe80::1.
> > Since this is a link-local address, the explicit specification of the network adapter (usually eth0) is necessary:
> > # ip route add default via fe80::1 dev eth0
>
> Their answer is that it works on Linux without config and OpenBSD is not
> supported officially.
>
>
> I just found out that since I changed my mygate up to your suggestion
> that I now have to ping6 fe80::1%em0 first and then I am able to
> connect to other hosts via IPv6. But not before I pinged the
> fe80::1%em0. WTF?
>
> Here are my routes before the first ping to fe80::1 and then after the
> ping.

I have a 5.9 snapshot running @Hetzner, and ran into the very same problem.
That same setup worked fine for years, but a couple of months ago, they did
some change in their network infrastructure, and since then, I also have to
ping6 first, to enable proper IPv6 connectivity.
Since that 5.9 box is quite old, I haven't reported it, given the many
networking changes since then.

Sebastian
>
> > Routing tables (before ping)
> >
> > Internet6:
> > Destination                 Gateway                     Flags Refs   Use   Mtu Prio Iface
> > default                     fe80::1%em0                 UGS      0   579     -    8 em0
> > ::/96                       ::1                         UGRS     0     0 32768    8 lo0
> > ::/104                      ::1                         UGRS     0     0 32768    8 lo0
> > ::1                         ::1                         UHl     14    14 32768    1 lo0
> > ::127.0.0.0/104             ::1                         UGRS     0     0 32768    8 lo0
> > ::224.0.0.0/100             ::1                         UGRS     0     0 32768    8 lo0
> > ::255.0.0.0/104             ::1                         UGRS     0     0 32768    8 lo0
> > :::0.0.0.0/96               ::1                         UGRS     0     0 32768    8 lo0
> > 2002::/24                   ::1                         UGRS     0     0 32768    8 lo0
> > 2002:7f00::/24              ::1                         UGRS     0     0 32768    8 lo0
> > 2002:e000::/20              ::1                         UGRS     0     0 32768    8 lo0
> > 2002:ff00::/24              ::1                         UGRS     0     0 32768    8 lo0
> > 2a01:4f8:192:42d6::/64      2a01:4f8:192:42d6::10       UC       0     0     -    4 em0
> > 2a01:4f8:192:42d6::10       90:1b:0e:8b:0f:34           UHLl     0    18     -    1 em0
> > fe80::/10                   ::1                         UGRS     0     1 32768    8 lo0
> > fec0::/10                   ::1                         UGRS     0     0 32768    8 lo0
> > fe80::%em0/64               fe80::921b:eff:fe8b:f34%em0 UC       0     0     -    4 em0
> > fe80::921b:eff:fe8b:f34%em0 90:1b:0e:8b:0f:34           UHLl     0     0     -    1 em0
> > fe80::1%lo0                 fe80::1%lo0                 UHl      0     0 32768    1 lo0
> > ff01::/16                   ::1                         UGRS     0     1 32768    8 lo0
> > ff01::%em0/32               fe80::921b:eff:fe8b:f34%em0 Um       0     1     -    4 em0
> > ff01::%lo0/32               ::1                         Um       0     1 32768    4 lo0
> > ff02::/16                   ::1                         UGRS     0     1 32768    8 lo0
> > ff02::%em0/32               fe80::921b:eff:fe8b:f34%em0 Um       0     1     -    4 em0
> > ff02::%lo0/32               ::1                         Um       0     1 32768    4 lo0
>
>
> > Routing tables (after ping)
> >
> > Internet6:
> > Destination                 Gateway                     Flags Refs   Use   Mtu Prio Iface
> > default                     fe80::1%em0                 UGS      0   581     -    8 em0
> > ::/96                       ::1                         UGRS     0     0 32768    8 lo0
> > ::/104 ::1UGRS