Re: Experience using httpd in production on busy machines?

2021-08-26 Thread Crystal Kolipe
On Thu, Aug 26, 2021 at 11:46:15AM +0200, Stefan Sperling wrote:
> On Thu, Aug 26, 2021 at 06:20:08AM -0300, Crystal Kolipe wrote:
> > On Thu, Aug 26, 2021 at 02:47:40AM +, iio7 wrote:
> > > Any caveats to look out for?
> > 
> > There is an issue with httpd and large file uploads, ( > ~ 600 Mb), which 
> > was introduced sometime after OpenBSD 6.1.
> > 
> > We had a system handling such large file uploads via http, (which is 
> > probably not a typical use case), and it worked fine whilst it was running 
> > OpenBSD 6.1.  When OpenBSD 6.6 was released we did a fresh installation and 
> > found that uploads over about 600 Mb would randomly abort.  Since by this 
> > time the system had fallen into disuse anyway, as far as I know nobody here 
> > bothered to investigate further, but testing now on an OpenBSD 6.9 
> > installation, I can see that the bug still exists.
> > 
> 
> If your test on 6.9 involves a handoff to fcgi (e.g. nextcloud) then
> please try again with a server running -current. There was a related
> bug fixed in May after 6.9 was branched.

A quick test on -current with a very simple CGI handler invoked via
slowcgi showed different behaviour.  It now results in a repeatable
kernel panic after uploading about 1098-1119 Mb.  Smaller uploads work
fine.

As we know that it worked at one point, albeit several years ago, I'll
try to find the commit that broke it.  That might take a while, though.



Re: Experience using httpd in production on busy machines?

2021-08-26 Thread Crystal Kolipe
On Thu, Aug 26, 2021 at 02:47:40AM +, iio7 wrote:
> Any caveats to look out for?

There is an issue with httpd and large file uploads, ( > ~ 600 Mb), which was 
introduced sometime after OpenBSD 6.1.

We had a system handling such large file uploads via http, (which is probably 
not a typical use case), and it worked fine whilst it was running OpenBSD 6.1.  
When OpenBSD 6.6 was released we did a fresh installation and found that 
uploads over about 600 Mb would randomly abort.  Since by this time the system 
had fallen into disuse anyway, as far as I know nobody here bothered to 
investigate further, but testing now on an OpenBSD 6.9 installation, I can see 
that the bug still exists.



Re: assistance request for IKEv2 VPN setup with iked

2021-10-21 Thread Crystal Kolipe
On Thu, Oct 21, 2021 at 10:23:51AM +0200, Johann Belau wrote:
> Dear all,
> 
> I am in desperate need of assistance for setting up an IKEv2 VPN tunnel to a 
> remote LAN with OpenBSD as my VPN gateway.
> 
> A short outline of what I'm trying to achieve:
> 
> 1. I have a remote private LAN with Windows Servers and one OpenBSD gateway 
> (gateway has a public IP, the rest of the private LAN don't)
> 2. It should be possible to establish an ikev2 VPN tunnel (using iked) to the 
> private LAN from Windows / Mac OS X clients (road warriors)
> 3. After establishing VPN connection to OpenBSD VPN gateway it should be 
> possible to connect to the Windows Servers in private LAN from Win/Mac 
> clients using RDP
> 4. The Windows Servers in the private LAN and the road warriors should be 
> able to send traffic to the internet (using unbound for DNS) and be protected 
> from incoming malicious traffic using some reasonable pf rule sets
> 
> I have tried many things and researched a lot of guides and howtos - but so 
> far I failed to produce results

The setup you describe above is fairly straightforward.  What difficulties have 
you had?

Essentially, at the OpenBSD gateway end, you just need to ensure that you have 
appropriate keys in /etc/iked/, and a /etc/iked.conf something like:

ikev2 esp from gateway.vpn.example to client.vpn.example local 
gateway.public.fqdn peer any dstid expected.remote.client ecdsa384

Where:
gateway.vpn.example and client.vpn.example are private IP addresses 
assigned by you for the vpn endpoints
gateway.public.fqdn is the public IP of the gateway, I.E. where the ESP 
packets are sent from
expected.remote.client is the hostname of the remote client.

Since the clients have dynamic IPs that the gateway doesn't know, you want to 
leave the gateway set to passive mode waiting for incoming connections, and the 
remote peers to active mode.

Note that at some point between OpenBSD 6.8 and OpenBSD 6.9, transport mode was 
broken.  I know this first hand, because I was the one who reconfigured all of 
our transport mode VPNs to use tunnel mode after the upgrade to OpenBSD 6.9.  I 
haven't checked to see if it has been fixed since.  In your application you'll 
almost certainly be using tunnel mode anyway.

Some time ago there was also a bug that prevented the keys which are generated 
automatically by /etc/rc at first boot from working correctly.  Generate new 
ECDSA keys manually with something like:

# openssl ecparam -genkey -name secp384r1 -out /etc/iked/private/local.key
# openssl ec -in /etc/iked/private/local.key -pubout -out /etc/iked/local.pub
# chmod 640 /etc/iked/private/local.key

The above should get you started, with IPSEC packets flowing between the 
gateway and one client.



Re: athn AP

2021-10-17 Thread Crystal Kolipe
On Sat, Oct 16, 2021 at 03:18:52PM +0200, Stefan Sperling wrote:
> On Sat, Oct 16, 2021 at 01:40:55PM +0200, Jan Stary wrote:
> > Would people now recommend running an AP "natively",
> > i.e. a wifi card (plus the antennas) on an OpenBSD box
> > over running wifi over a dedicated device?
> 
> Not if you want a modern 11ac/ax AP. There is no driver which supports
> hostap and matches off-the-shelf APs in terms of stability and speed.
> 
> athn(4) mostly works but is slow due to lack of proper 11n support
> and has several unresolved performance bugs. And it still lacks
> support for 3-antenna devices.

For what it's worth, I've been using:

athn0 at pci1 dev 0 function 0 "Atheros AR9287" rev 0x01: apic 2 int 16
athn0: AR9287 rev 2 (2T2R), ROM rev 4, address **:**:**:**:**:**

in hostAP mode for the last few months for file transfer via sftp and ssh 
between my pinephones and an OpenBSD machine.

Performance is not amazing, but it does seem stable.

I've also tested it in BSS mode connected to an android hotspot, and again, 
performance is not good but it's mostly stable.



Re: unable to send external mail with smtpd

2021-10-20 Thread Crystal Kolipe
On Wed, Oct 20, 2021 at 12:05:20PM +0100, freddiebub...@countermail.com wrote:
> Hi, I'm new to openbsd having just set it up on my x200 and loving it
> (running so much better than my old distro). after reading through c0ffee's
> laptop set up guide and the afterboot man page i'm struggling to work out
> why i can't send mail through my mail account w smtpd. i have asked my
> provider for support about the issues i saw other people having (port 25 not
> being open) but they said that wasn't it and they were unsure about the
> problem. below i have linked to a paste of my smtpd.conf and my maillog.
> Personally i'm struggling to work out whats wrong from the log but i'm
> assuming i've not set something up right...
> 
> maillog: http://ix.io/3ChF
> smtpd.conf:
> 
> table aliases file:/etc/mail/aliases
> table secrets file:/etc/mail/secrets
> 
> #listen on socket
> 
> # To accept external mail, replace with: listen on all
> #
> listen on all
> 
> action "local" mbox alias 
> action "outbound" relay host
> smtp+tls://freddiebub...@imap1.countermail.com:465 auth 

You probably want smtps here, rather than smtp+tls.

> 
> # Uncomment the following to accept external mail for domain "example.org"
> #
> # match from any for domain "example.org" action "local_mail"
> match from local for local action "local"
> match from local for any action "outbound"
> 
> Cheers,
> Freddie
> 



Re: I got a new "em" card. pf uses old "self"

2021-12-20 Thread Crystal Kolipe
On Mon, Dec 20, 2021 at 05:38:45AM -0600, Luke Small wrote:
> I reserved a new address for the new I350-T2 card and replaced unbound.conf
> and all uses of it in /etc.
> 
> "tcpdump -aetvvipflog0" still returns the old reserved address!
> 
> What do I do?

Post a more comprehensive bug report.



Re: disk lights on but top showed nothing!

2022-01-01 Thread Crystal Kolipe
On Sat, Jan 01, 2022 at 12:01:28AM -0600, Luke Small wrote:
> The lights on my server which shows that the disks are busy were on and not
> just flashing and I looked at top and usually it's because security is
> running, but this time NOTHING! I even killed Firefox and by far the
> busiest thing on there was top! pftop didn't seem especially busy either!

From the extremely limited information you've given, it's hard to diagnose the 
problem.

In future, please include the output of dmesg and the output of relevant 
commands in problem reports.  This answers questions such as: how many disks 
are in this server?  Are they part of an array?

Did the output from top show a process with low or zero cpu usage, but stuck in 
the biowait state?

This can happen, for example, if you have a bad or failing data cable from the 
disk to the motherboard.  It can also happen with some SSDs, likely due to the 
firmware doing some kind of internal management of the flash memory.



Re: PHP 500 error does not redirect to custom error page in httpd

2021-12-31 Thread Crystal Kolipe
On Fri, Dec 31, 2021 at 09:13:38PM +, i...@protonmail.com wrote:
> Oh, the problem is that httpd cannot intercept fast-cgi errors.

Yes it can...

... if you hack the server_abort_http function in server_http.c :-)

Have a look at our 404 page, for example:

https://www.exoticsilicon.com/foobar

That's httpd ;-)



Re: Disk partition not recognized

2021-12-22 Thread Crystal Kolipe
On Wed, Dec 22, 2021 at 05:29:34PM +0100, Tilo Stritzky wrote:
> (With an MBR disk you could force feed a handcrafted disklabel but
> that won't work here because on a GPT disk without OpenBSD partition
> the disklabel and the primary GPT share a physical sector and that
> won't work.)

That is incorrect.

At one time, the disklabel program would try to write it to the second block, 
I.E. the sector after the MBR.  This would indeed fail if a GPT was already 
there.

However, if you test this on OpenBSD 7.0-release, you will see that the 
disklabel will happily be written elsewhere:

# dd if=/dev/zero of=/tmp/vd bs=1m count=512
# vnconfig vnd0 /tmp/vd
# fdisk -e vnd0 # Create a non-OpenBSD GPT partition
# disklabel -E vnd0 # Write the disklabel to the media
# hexdump -C /tmp/vd

0000  ea 05 00 c0 07 8c c8 8e  d0 bc fc ff 8e d8 b8 a0  ||
0010  07 8e c0 31 f6 31 ff b9  00 02 fc f3 a4 ea 22 00  |...1.1".|
0020  a0 07 1e 07 0e 1f b4 02  cd 16 a8 03 74 0d b0 07  |t...|
0030  e8 de 00 67 80 0d b4 01  00 00 01 f6 c2 80 75 08  |...g..u.|
0040  be 49 01 e8 bf 00 b2 80  be be 01 b9 04 00 8a 04  |.I..|
0050  3c 80 74 0f 83 c6 10 e2  f5 be 7d 01 e8 a6 00 fb  |<.t...}.|
0060  f4 eb fc 88 d0 24 0f 04  30 a2 3a 01 b0 34 28 c8  |.$..0.:..4(.|
0070  a2 47 01 56 be 2d 01 67  f6 05 b4 01 00 00 01 75  |.G.V.-.g...u|
0080  01 46 e8 80 00 5e 26 67  c7 05 fe 01 00 00 00 00  |.F...^|
0090  67 f6 05 b4 01 00 00 01  75 34 88 14 bb aa 55 b4  |g...u4U.|
00a0  41 cd 13 8a 14 72 27 81  fb 55 aa 75 21 f6 c1 01  |Ar'..U.u!...|
00b0  74 1c b0 2e e8 5a 00 66  8b 4c 08 67 66 89 0d 25  |tZ.f.L.gf..%|
00c0  01 00 00 56 b4 42 be 1d  01 cd 13 5e 73 1a b0 3b  |...V.B.^s..;|
00d0  e8 3e 00 8a 74 01 8b 4c  02 b8 01 02 31 db cd 13  |.>..t..L1...|
00e0  73 06 be 65 01 e9 74 ff  be 90 01 e8 17 00 26 67  |s..e..t...|
00f0  81 3d fe 01 00 00 55 aa  75 05 ea 00 7c 00 00 be  |.=U.u...|...|
0100  74 01 e9 57 ff 50 fc ac  84 c0 74 0f e8 02 00 eb  |t..W.Pt.|
0110  f6 50 53 b4 0e bb 01 00  cd 10 5b 58 c3 10 00 01  |.PS...[X|
0120  00 00 00 c0 07 00 00 00  00 00 00 00 00 21 55 73  |.!Us|
0130  69 6e 67 20 64 72 69 76  65 20 58 2c 20 70 61 72  |ing drive X, par|
0140  74 69 74 69 6f 6e 20 59  00 4d 42 52 20 6f 6e 20  |tition Y.MBR on |
0150  66 6c 6f 70 70 79 20 6f  72 20 6f 6c 64 20 42 49  |floppy or old BI|
0160  4f 53 0d 0a 00 0d 0a 52  65 61 64 20 65 72 72 6f  |OS.Read erro|
0170  72 0d 0a 00 4e 6f 20 4f  2f 53 0d 0a 00 4e 6f 20  |r...No O/S...No |
0180  61 63 74 69 76 65 20 70  61 72 74 69 74 69 6f 6e  |active partition|
0190  0d 0a 00 90 00 00 00 00  00 00 00 00 00 00 00 00  ||
01a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
01b0  00 00 00 00 00 00 4f 78  00 00 00 00 00 00 00 ff  |..Ox|
01c0  ff ff ee ff ff ff 01 00  00 00 ff ff ff ff 00 00  ||
01d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
*
01f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..U.|
0200  45 46 49 20 50 41 52 54  00 00 01 00 5c 00 00 00  |EFI PART\...|
0210  65 43 91 cc 00 00 00 00  01 00 00 00 00 00 00 00  |eC..|
0220  ff ff 0f 00 00 00 00 00  22 00 00 00 00 00 00 00  |"...|
0230  de ff 0f 00 00 00 00 00  f2 63 79 02 b9 99 39 48  |.cy...9H|
0240  99 97 2e 77 79 98 35 f5  02 00 00 00 00 00 00 00  |...wy.5.|
0250  80 00 00 00 80 00 00 00  a7 be 55 7f 00 00 00 00  |..U.|
0260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
*
0400  a2 a0 d0 eb e5 b9 33 44  87 c0 68 b6 b7 26 99 c7  |..3D..h..&..|
0410  41 60 b8 b5 2b 54 10 41  ba 44 ee f8 3e 55 7b 50  |A`..+T.A.D..>U{P|
0420  22 00 00 00 00 00 00 00  de ff 0f 00 00 00 00 00  |"...|
0430  00 00 00 00 00 00 00 00  66 00 6f 00 6f 00 00 00  |f.o.o...|
0440  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
*

vvv BSD disklabel here vvv

4600  57 45 56 82 0c 00 00 00  76 6e 64 20 64 65 76 69  |WEV.vnd devi|
4610  63 65 00 00 00 00 00 00  66 69 63 74 69 74 69 6f  |ce..fictitio|
4620  75 73 00 00 00 00 00 00  00 02 00 00 64 00 00 00  |us..d...|
4630  01 00 00 00 f5 28 00 00  64 00 00 00 00 00 10 00  |.(..d...|
4640  38 88 61 0e cf 69 90 5f  00 00 00 00 00 00 00 00  |8.a..i._|
4650  22 00 00 00 df ff 0f 00  00 00 00 00 00 00 00 00  |"...|
4660  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
4670  00 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
4680  00 00 00 00 57 45 56 82  97 e8 10 00 00 20 00 00  |WEV.. ..|
4690  00 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  

Re: how to reload date from ntpd

2021-12-25 Thread Crystal Kolipe
On Wed, Dec 22, 2021 at 11:42:16AM -, ue...@danwin1210.de wrote:
> I want to reload time from ntpd after dnscrypt_proxy is started because
> it's local DNS server and when it's not started ntpd can't resolve
> hostnames.

Why not just add the literal IP address of a known and trusted ntp server
to ntpd.conf, or add the hostname and IP to your hosts file?  That way
you will have ntpd working even when name resolution is unavailable.



Re: how to reload date from ntpd

2021-12-25 Thread Crystal Kolipe
On Sat, Dec 25, 2021 at 11:09:32AM -, Stuart Henderson wrote:
> On 2021-12-22, ue...@danwin1210.de  wrote:
> > How can I reload date from ntpd after boot?
> 
> rcctl stop ntpd
> rdate $timeserver
> rcctl start ntpd

Note that rdate doesn't support the concept of constraints as
ntpd does, so it's entirely possible for someone who can observe
the outgoing request, (to see the random timestamp that we send),
and spoof a response from the ntp server, to deliberately cause
your clock to be set incorrectly.

Assuming that ntpd restarts correctly immediately afterwards, the
window of opportunity is very small, but it does introduce a
vulnerability that wouldn't exist using ntpd alone.



Re: Disk partition not recognized

2021-12-25 Thread Crystal Kolipe
On Thu, Dec 23, 2021 at 08:11:31PM -0300, Crystal Kolipe wrote:
> On Thu, Dec 23, 2021 at 07:28:19PM -0300, Crystal Kolipe wrote:
> > On Thu, Dec 23, 2021 at 04:15:50PM -0500, Rob Whitlock wrote:
> > > On Thu, Dec 23, 2021 at 3:24 PM Crystal Kolipe 
> > > 
> > > wrote:
> > > 
> > > > Again, there is nothing there that would stop it working.
> > > >
> > > > You have an MBR partition of type EE starting on sector 1, which is 
> > > > what is
> > > > checked for in gpt_chk_mbr, so unless I'm overlooking something it's
> > > > probably choking in gpt_chk_hdr due to something unexpected in the GPT
> > > > header,
> > > > (LBA block 1).
> > > >
> > > 
> > > Here is LBA block 1:
> > 
> > OK, I now know why it's not working :-).
> > 
> > Either:
> > 
> > * Upgrade to OpenBSD 7.0
> > 
> > or
> > 
> > * Change line 610 of /usr/src/kern/subr_disk.c as it changed between
> > version 1.241 and version 1.242:
> > 
> > https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/subr_disk.c.diff?r1=1.241&r2=1.242&f=h
> > 
> > ... and recompile the kernel.
> > 
> > Either way, the spoofed disklabel will then include your non-OpenBSD 
> > partitions.
> > 
> > And in future, please test the latest version of the code before reporting 
> > a bug ;-).
> 
> Hang on, that's only part of the problem, there is something else wrong too...
> 
> I was testing with a slightly different GPT header, (block 1), when I observed
> the issue I described above.  The fix I gave does indeed work for the GPT
> header that I was using for testing.
> 
> However, I just tested it with your exact GPT header block, and it still fails
> to see the non-OpenBSD partitions.
> 
> But looking at the two, the only fields that are different are the four bytes
> at offset 0x10, which are a CRC, the 16 bytes at offset 0x38, which are the
> disk GUID, and the four bytes at offset 0x58, which are another CRC.
> 
> I won't have time to look in to this further for the next couple of days,
> which is why I'm posting this in case somebody else wants to step up and
> resolve it.
> 
> --- works.hex Thu Dec 23 20:02:08 2021
> +++ doesnt.hexThu Dec 23 20:02:02 2021
> @@ -6,11 +6,11 @@
>  *
>  01f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  
> |..U.|
>  0200  45 46 49 20 50 41 52 54  00 00 01 00 5c 00 00 00  |EFI 
> PART\...|
> -0210  c2 7d c2 16 00 00 00 00  01 00 00 00 00 00 00 00  
> |.}..|
> +0210  34 b3 c1 18 00 00 00 00  01 00 00 00 00 00 00 00  
> |4...|
>  0220  ae d9 30 46 02 00 00 00  22 00 00 00 00 00 00 00  
> |..0F"...|
> -0230  8d d9 30 46 02 00 00 00  07 8f ed 99 ec 89 df 45  
> |..0F...E|
> -0240  a5 38 96 c6 05 d7 c5 e9  02 00 00 00 00 00 00 00  
> |.8..|
> -0250  80 00 00 00 80 00 00 00  52 9e e8 0b 00 00 00 00  
> |R...|
> +0230  8d d9 30 46 02 00 00 00  69 b0 0a 57 69 18 ed 44  
> |..0Fi..Wi..D|
> +0240  91 1b a5 68 af 12 75 ff  02 00 00 00 00 00 00 00  
> |...h..u.|
> +0250  80 00 00 00 80 00 00 00  6c 88 7a 3f 00 00 00 00  
> |l.z?|
>  0260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  
> ||
>  *
>  0400  28 73 2a c1 1f f8 d2 11  ba 4b 00 a0 c9 3e c9 3b  
> |(s*..K...>.;|

OK, the issue lies with the four byte checksum at offset 0x58 in sector 1.

Testing on OpenBSD 7.0 release and using your GPT:

The kernel enters spoofgptlabel and reads sector 1.

When we call gpt_chk_parts, the calculated checksum comes to 0x0BE89E52, 
whereas the on-disk checksum is 0x3F7A886C, as you can see in the hexdumps.

Note that the on-disk checksum is stored in little-endian format.

As a result, gpt_chk_parts returns EINVAL.  When control returns to 
spoofgptlabel, it doesn't read the partitions contained within, and goes on to 
try to read the second GPT at sector dsize-1, which in your case is sector 
9767541167.

That's the reason why you don't see the non-OpenBSD partitions in your, 
(spoofed), disklabel, the on-disk checksum of the partition entries does not 
match the calculated checksum, so the kernel considers the GPT to be invalid.

If you want to test removing the call to gpt_chk_parts, thereby forcing the 
kernel to parse whatever it finds and ignoring any checksum errors, the 
attached diffs should allow you to do that.  As you said that you were still 
running OpenBSD 6.9, I've produced a diff against that too, including the 
change in line 609 that I mentioned earlier, but it's untested.  There were 
other changes to 
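The three stages named in this thread (gpt_chk_mbr on sector 0, gpt_chk_hdr on sector 1, gpt_chk_parts on the entry array), as an added stand-alone example rather than the kernel's own subr_disk.c: a user-space re-implementation run against a constructed 34-sector image. Only the function names follow the thread; their bodies, the CRC routine, build_image() and demo() are this example's own, and every GUID and LBA value in the image is arbitrary filler, not taken from any real disk. demo(1) reproduces the state diagnosed above: a header that passes its own CRC check while the little-endian value at offset 0x58 does not match the CRC of the entries it points to.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR	512
#define HDRSZ	92		/* 0x5c, as in the hexdump at 0x20c */
#define NSECT	34		/* MBR + header + 32 sectors of 128 entries */
enum { GPT_OK = 0, GPT_BAD_MBR = -1, GPT_BAD_HDR = -2, GPT_BAD_PARTS = -3 };

/* CRC-32, reflected, polynomial 0xEDB88320: the variant GPT specifies. */
uint32_t crc32_gpt(const uint8_t *p, size_t n)
{
	uint32_t c = 0xffffffffu;
	while (n--) {
		c ^= *p++;
		for (int k = 0; k < 8; k++)
			c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
	}
	return c ^ 0xffffffffu;
}

/* GPT fields are little-endian on disk, whatever the host byte order. */
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] |
    (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t le64(const uint8_t *p) { return le32(p) | (uint64_t)le32(p + 4) << 32; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)v); put32(p + 4, (uint32_t)(v >> 32)); }

/* Sector 0: boot signature and one slot of type 0xEE starting at LBA 1. */
static int gpt_chk_mbr(const uint8_t *mbr)
{
	for (const uint8_t *e = mbr + 0x1be; e < mbr + 0x1fe; e += 16)
		if (e[4] == 0xee && le32(e + 8) == 1 &&
		    mbr[0x1fe] == 0x55 && mbr[0x1ff] == 0xaa)
			return GPT_OK;
	return GPT_BAD_MBR;
}

/* Sector 1: signature, sane size, MyLBA == 1, then the header CRC, which
 * covers header_size bytes with the CRC field itself zeroed. */
static int gpt_chk_hdr(const uint8_t *hdr)
{
	uint8_t tmp[SECTOR];
	uint32_t hsize = le32(hdr + 12);
	if (memcmp(hdr, "EFI PART", 8) || le64(hdr + 24) != 1 ||
	    hsize < HDRSZ || hsize > SECTOR)
		return GPT_BAD_HDR;
	memcpy(tmp, hdr, hsize);
	memset(tmp + 16, 0, 4);
	return crc32_gpt(tmp, hsize) == le32(hdr + 16) ? GPT_OK : GPT_BAD_HDR;
}

/* Entry array: CRC over num_entries * entry_size bytes at the LBA named in the
 * header must equal the value at header offset 0x58; bounds are checked first. */
static int gpt_chk_parts(const uint8_t *img, size_t nsect)
{
	const uint8_t *hdr = img + SECTOR;
	uint64_t lba = le64(hdr + 72), n = le32(hdr + 80), esz = le32(hdr + 84);
	if (n == 0 || esz < 128 || (esz & (esz - 1)) || lba < 2 ||
	    lba * SECTOR + n * esz > (uint64_t)nsect * SECTOR)
		return GPT_BAD_PARTS;
	return crc32_gpt(img + lba * SECTOR, (size_t)(n * esz)) ==
	    le32(hdr + 88) ? GPT_OK : GPT_BAD_PARTS;
}

/* GPT_OK, or the code of the first stage that rejects the image. */
int check_gpt(const uint8_t *img, size_t nsect)
{
	int r = nsect < 2 ? GPT_BAD_HDR : gpt_chk_mbr(img);
	if (r == GPT_OK && (r = gpt_chk_hdr(img + SECTOR)) == GPT_OK)
		r = gpt_chk_parts(img, nsect);
	return r;
}

/* Constructed image, not from any real disk: protective MBR, header at LBA 1,
 * 128 entries at LBA 2 holding one partition named "foo".  GUIDs are filler. */
void build_image(uint8_t *img)
{
	uint8_t *hdr = img + SECTOR, *parts = img + 2 * SECTOR;
	memset(img, 0, NSECT * SECTOR);
	img[0x1be + 4] = 0xee; img[0x1fe] = 0x55; img[0x1ff] = 0xaa;
	put32(img + 0x1be + 8, 1); put32(img + 0x1be + 12, 0xffffffffu);
	memset(parts, 0x11, 32);			/* type + unique GUID */
	put64(parts + 32, 34); put64(parts + 40, 1048542);	/* LBA range */
	parts[56] = 'f'; parts[58] = 'o'; parts[60] = 'o';	/* UTF-16LE name */
	memcpy(hdr, "EFI PART", 8); put32(hdr + 8, 0x00010000u); put32(hdr + 12, HDRSZ);
	put64(hdr + 24, 1); put64(hdr + 32, 1048575);	/* MyLBA, AlternateLBA */
	put64(hdr + 40, 34); put64(hdr + 48, 1048542);	/* usable LBA range */
	memset(hdr + 56, 0x33, 16);			/* disk GUID */
	put64(hdr + 72, 2); put32(hdr + 80, 128); put32(hdr + 84, 128);
	put32(hdr + 88, crc32_gpt(parts, 128 * 128));	/* array CRC at 0x58 */
	put32(hdr + 16, crc32_gpt(hdr, HDRSZ));		/* CRC field is still 0 */
}

/* Build and check the image.  With stale_array_crc set, first give the header
 * a wrong array CRC at 0x58 and re-sign the header: the state seen in the
 * thread, where gpt_chk_hdr passes and gpt_chk_parts then rejects the array. */
int demo(int stale_array_crc)
{
	static uint8_t img[NSECT * SECTOR];
	uint8_t *hdr = img + SECTOR;
	build_image(img);
	if (stale_array_crc) {
		put32(hdr + 88, le32(hdr + 88) ^ 0x5a5a5a5au);
		put32(hdr + 16, 0);
		put32(hdr + 16, crc32_gpt(hdr, HDRSZ));
	}
	return check_gpt(img, NSECT);
}
```

demo(0) returns GPT_OK and demo(1) returns GPT_BAD_PARTS. The header CRC is computed with its own field zeroed, which is why the stale case recomputes it after breaking the array CRC: the header is then self-consistent, so the rejection can only come from gpt_chk_parts, exactly as observed above. The bounds check in gpt_chk_parts is what keeps a hostile num_entries or entry_size from driving the CRC loop past the end of the buffer, which is the other reason a kernel must not trust these fields before checking them.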

Re: Is fw_update documentation outdated?

2021-12-25 Thread Crystal Kolipe
On Sat, Dec 25, 2021 at 04:07:07PM +, Alexander wrote:
> at https://cvsweb.openbsd.org/src/usr.sbin/fw_update/ which has been in
> the attic for the last 6 years.

> Where do I actually find the version history of the fw_update that is
> installed on my system in CVSweb?

fw_update is a hard link to pkg_add.  Try looking in:

/usr/src/usr.sbin/pkg_add



Re: how to get ipv6 working

2021-12-26 Thread Crystal Kolipe
On Sun, Dec 26, 2021 at 12:38:15PM -0500, John Holland wrote:
> I added
> 
> "inet6 autoconf"
> 
> to the /etc/hostname.trunk0 and issued
> 
> 
> pfctl -d
> 
> ifconfig trunk0 destroy

Why are you using trunk?  What are you trying to do exactly?

You haven't given much detail about your network setup, so I'm assuming that 
it's just a simple home network with various devices connected to a hub or 
switch rather than something more complex.

> This gives trunk0 an IP6 address, and I can ping that address. when I try to
> ping one of the other computers though I get "Network is unreachable".

In, (very), simple terms, the link-local addresses that you are using are only 
for point to point communications.  Such an address is known as a 'locally 
scoped' address, and cannot be routed.

If you're using automatic configuration such as slaac, one or more globally 
scoped addresses will be assigned to the network adaptor, and these can be 
routed.

Alternatively, you can assign static IPv6 addresses with global scope, which 
will also be routable.

If your devices are connected to a router that is configured for IPv6 and 
advertising routes, you should be able to simply set inet6 autoconf on the 
interface on the OpenBSD machine, and a globally scoped address will be 
assigned to it automatically by slaacd.

If your devices are just connected together via a dumb hub, you can assign 
private addresses in, for example, the fd00:: range to each connected machine, 
and they should be able to communicate with each other using those addresses.



Re: Disk partition not recognized

2021-12-23 Thread Crystal Kolipe
On Thu, Dec 23, 2021 at 04:15:50PM -0500, Rob Whitlock wrote:
> On Thu, Dec 23, 2021 at 3:24 PM Crystal Kolipe 
> wrote:
> 
> > Again, there is nothing there that would stop it working.
> >
> > You have an MBR partition of type EE starting on sector 1, which is what is
> > checked for in gpt_chk_mbr, so unless I'm overlooking something it's
> > probably choking in gpt_chk_hdr due to something unexpected in the GPT
> > header,
> > (LBA block 1).
> >
> 
> Here is LBA block 1:

OK, I now know why it's not working :-).

Either:

* Upgrade to OpenBSD 7.0

or

* Change line 610 of /usr/src/kern/subr_disk.c as it changed between
version 1.241 and version 1.242:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/subr_disk.c.diff?r1=1.241&r2=1.242&f=h

... and recompile the kernel.

Either way, the spoofed disklabel will then include your non-OpenBSD partitions.

And in future, please test the latest version of the code before reporting a 
bug ;-).



Re: Disk partition not recognized

2021-12-23 Thread Crystal Kolipe
On Thu, Dec 23, 2021 at 07:28:19PM -0300, Crystal Kolipe wrote:
> On Thu, Dec 23, 2021 at 04:15:50PM -0500, Rob Whitlock wrote:
> > On Thu, Dec 23, 2021 at 3:24 PM Crystal Kolipe 
> > wrote:
> > 
> > > Again, there is nothing there that would stop it working.
> > >
> > > You have an MBR partition of type EE starting on sector 1, which is what 
> > > is
> > > checked for in gpt_chk_mbr, so unless I'm overlooking something it's
> > > probably choking in gpt_chk_hdr due to something unexpected in the GPT
> > > header,
> > > (LBA block 1).
> > >
> > 
> > Here is LBA block 1:
> 
> OK, I now know why it's not working :-).
> 
> Either:
> 
> * Upgrade to OpenBSD 7.0
> 
> or
> 
> * Change line 610 of /usr/src/kern/subr_disk.c as it changed between
> version 1.241 and version 1.242:
> 
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/kern/subr_disk.c.diff?r1=1.241&r2=1.242&f=h
> 
> ... and recompile the kernel.
> 
> Either way, the spoofed disklabel will then include your non-OpenBSD 
> partitions.
> 
> And in future, please test the latest version of the code before reporting a 
> bug ;-).

Hang on, that's only part of the problem, there is something else wrong too...

I was testing with a slightly different GPT header, (block 1), when I observed
the issue I described above.  The fix I gave does indeed work for the GPT
header that I was using for testing.

However, I just tested it with your exact GPT header block, and it still fails
to see the non-OpenBSD partitions.

But looking at the two, the only fields that are different are the four bytes
at offset 0x10, which are a CRC, the 16 bytes at offset 0x38, which are the
disk GUID, and the four bytes at offset 0x58, which are another CRC.

I won't have time to look in to this further for the next couple of days,
which is why I'm posting this in case somebody else wants to step up and
resolve it.

--- works.hex   Thu Dec 23 20:02:08 2021
+++ doesnt.hex  Thu Dec 23 20:02:02 2021
@@ -6,11 +6,11 @@
 *
 01f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..U.|
 0200  45 46 49 20 50 41 52 54  00 00 01 00 5c 00 00 00  |EFI PART\...|
-0210  c2 7d c2 16 00 00 00 00  01 00 00 00 00 00 00 00  |.}..|
+0210  34 b3 c1 18 00 00 00 00  01 00 00 00 00 00 00 00  |4...|
 0220  ae d9 30 46 02 00 00 00  22 00 00 00 00 00 00 00  |..0F"...|
-0230  8d d9 30 46 02 00 00 00  07 8f ed 99 ec 89 df 45  |..0F...E|
-0240  a5 38 96 c6 05 d7 c5 e9  02 00 00 00 00 00 00 00  |.8..|
-0250  80 00 00 00 80 00 00 00  52 9e e8 0b 00 00 00 00  |R...|
+0230  8d d9 30 46 02 00 00 00  69 b0 0a 57 69 18 ed 44  |..0Fi..Wi..D|
+0240  91 1b a5 68 af 12 75 ff  02 00 00 00 00 00 00 00  |...h..u.|
+0250  80 00 00 00 80 00 00 00  6c 88 7a 3f 00 00 00 00  |l.z?|
 0260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
 *
 0400  28 73 2a c1 1f f8 d2 11  ba 4b 00 a0 c9 3e c9 3b  |(s*..K...>.;|
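Review bot: the three changed lines in this hunk sit exactly on the GPT header fields named in the prose: 0x210 holds the 32-bit header CRC (offset 0x10), bytes 0x238 through 0x247 hold the 16-byte disk GUID (offset 0x38), and 0x258 holds the 32-bit partition array CRC (offset 0x58); the entry array LBA, entry count and entry size at 0x248 through 0x257 are byte-identical in both files, so the array CRC at 0x258 is the only difference that can affect how the entries are validated, which narrows the search to that field before any kernel code is read.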



Re: disk lights on but top showed nothing!

2022-01-02 Thread Crystal Kolipe
On Sun, Jan 02, 2022 at 11:09:40AM -0600, Luke Small wrote:
> And if there was a super busy disk program running which would make a 2x3
> RAID10 array of 15000 RPM disks busy running on OpenBSD, I presume it would
> be without fail taking up more than 1 percent cpu time, which nothing other
> than top was.

Then you 'presume' incorrectly.

Try running two dd processes concurrently, one that reads data from the start
of a disk, (or in your case disk array), and one that reads data from near
the end of the disk, (or array), using the raw character devices.

I see <1% cpu usage for both dd processes testing on my current workstation.

Think about why this might be happening.

Sure, if you have a single process reading data from disk such that the disk
is hitting its maximum data transfer rate, it's probably reasonable to expect
that the host CPU is going to be doing something with that data and the reading
process will show more than 1% CPU usage in 'top'.

However, your 'server' may well have more than one process accessing disk at
the same time, reading from all over the media.

To put it in very simple terms: the led that flashes on and off to show disk
activity, will also be on whilst the heads are seeking across the disk.  So
if it's going from the first cylinder to the last and back again repeatedly,
most of that time will not be spent actually writing data to the SATA bus or
wherever else the disk is connected, so the flow of data to the CPU will be
minimal, but the led will still be on.

Quite possibly a particular pattern of reads and writes caused the disk to
thrash and therefore data throughput to fall.

Or maybe one of the disks in the array was thermal re-calibrating itself.

Or maybe your 'server' has an unreliable data cable somewhere.

I'm not seeing anything that suggests that it's a software issue with OpenBSD.



Re: Help with basic pf rule to open port 25

2022-01-05 Thread Crystal Kolipe
On Wed, Jan 05, 2022 at 11:03:02AM -0500, Sean McBride wrote:
> pass in log quick on egress proto tcp to any port smtp

> If on the OpenBSD system itself I do `telnet
> localhost 25` I see the built-in OpenSMTPD.  But if I telnet from another
> machine on my LAN, I fail to connect.  Shouldn't that rule have opened port
> 25?

Assuming that you only have a single network card and that it is configured 
with the default routes, then yes, that rule will open port 25 to the other 
machines on your LAN.

Have you actually changed the default /etc/mail/smtpd.conf to listen for 
external connections?  By default it only listens on the loopback interface, 
(and local socket).



Re: Disk partition not recognized

2021-12-23 Thread Crystal Kolipe
On Thu, Dec 23, 2021 at 12:08:49PM -0500, Rob Whitlock wrote:
> On Thu, Dec 23, 2021 at 1:15 AM Theo de Raadt  wrote:
> >
> > Crystal Kolipe  wrote:
> >
> > > On Tue, Dec 21, 2021 at 06:04:28PM -0500, Rob Whitlock wrote:
> > > > A problem seems to be that there is no disklabel entry for the ExFAT
> > > > partition.
> > >
> > > You probably wrote a BSD disklabel to the disk before creating the
> ExFAT partition.
> > >
> > > If there is no on-disk disklabel, the kernel will create one in memory
> based on information from other partitioning schemes, (MBR, GPT).  So in
> this case, as you change those MBR or GPT partitions, those changes will be
> reflected in the disklabel that the kernel sees.
> > >
> > > Once you actually write a disklabel to the disk, that on-disk disklabel
> is then used in place of calculating one each time the disk is attached,
> and the automatic parsing of MBR and GPT partition information stops.
> > >
> > > To solve your problem, you need to add the details of the ExFAT
> partition to the BSD disklabel.  You can either do that manually with the
> disklabel command, or since you do not have any OpenBSD partitions on the
> disk, you could overwrite the on-disk disklabel, allow the kernel to
> generate one automatically with the correct information, then optionally
> force it to be written to the disk by running disklabel and entering 'w' at
> the interactive prompt.
> >
> > This can be investigated with
> >
> >  disklabel -d
> >
> > (BTW, when the disklabel is constructed from other information on the
> disk,
> > we call it a "spoofed label")
> 
> I would like to avoid modifying the data on the disk. Is there a way to use
> disklabel to update the in-core copy of the disklabel with a spoofed label,
> without also writing it to disk? I see in the disklabel(5) manual page that
> the DIOCSDINFO ioctl updates the in-core copy, so it seems it should be
> technically possible, but I don't see how to do it with the disklabel(8)
> program. My understanding of disklabel -d is that it gives you a default
> disklabel to start with, but does not affect how or where the disklabel is
> written.

The output from 'disklabel -d' will simply show us the spoofed label
regardless of whether there is a real disklabel already written to the disk
or not, (which I now suspect that there is not, having noticed that your duid
is ).

If the spoofed label includes your non-OpenBSD partitions, then presumably
the disk already has a real label written to it which does not include them.

If the spoofed label does not include your non-OpenBSD partitions, then for
some reason the kernel is not parsing the data from the GPT, and we will
presumably need a hexdump of the GPT to see why.



Re: PHP 7.4: SSL routines:CONNECT_CR_CERT:certificate verify failed

2021-12-23 Thread Crystal Kolipe
On Thu, Dec 23, 2021 at 12:51:14AM +0100, Leo Unglaub wrote:
> Here is the successful response:
> 
> >CONNECTED(0003)
> >3143473289712:error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert 
> >protocol version:/usr/src/lib/libssl/tls13_lib.c:151:
> >---
> >no peer certificate available
> >---
> >No client certificate CA names sent
> >---
> >SSL handshake has read 5 bytes and written 201 bytes
> >---
> >New, (NONE), Cipher is (NONE)
> >Secure Renegotiation IS NOT supported
> >Compression: NONE
> >Expansion: NONE
> >No ALPN negotiated
> >SSL-Session:
> >Protocol  : TLSv1.2
> >Cipher: 
> >Session-ID: Session-ID-ctx: Master-Key: Start Time:
> >1640216653
> >Timeout   : 7200 (sec)
> >Verify return code: 0 (ok)
> >---

That is not a successful response.

Try this:

# echo "foobar" | nc -l localhost 12345 &

# openssl s_client -tls1_2 -connect localhost:12345

and compare the output to what you have above.

Then try:

# echo "foobar" | nc -l -c -C /etc/ssl/server.crt -K /etc/ssl/private/server.key localhost 12345 &

# openssl s_client -tls1_2 -connect localhost:12345

To see what a successful response looks like.
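As an added example, not code from the thread or from OpenBSD, here is a small Python classifier that reads an openssl s_client transcript and decides whether the handshake actually completed, instead of trusting the "Verify return code" line on its own. The first sample is the transcript quoted above with the quote markers and line wrap removed; the second is a constructed transcript of a handshake that completes against a self-signed certificate, the case raised later in this thread.

```python
import re

# The transcript quoted in the thread as "successful", with quote markers
# and the line wrap removed.  The handshake did not complete: the server
# sent a TLS alert, no cipher was negotiated and no certificate arrived.
FAILED_OUTPUT = """\
CONNECTED(0003)
3143473289712:error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version:/usr/src/lib/libssl/tls13_lib.c:151:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 201 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1640216653
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
"""

# Constructed transcript of a handshake that completes against a
# self-signed certificate: a cipher is negotiated and a chain is shown,
# but the verify code is non-zero.
SELF_SIGNED_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
SSL handshake has read 1234 bytes and written 320 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
"""

ERROR_RE = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:([^:]*):([^:]*):")
PROTOCOL_RE = re.compile(r"^Protocol\s*:\s*(\S+)")
CIPHER_RE = re.compile(r"^Cipher\s*:\s*(\S*)")
VERIFY_RE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)")
READ_RE = re.compile(r"^SSL handshake has read (\d+) bytes")


def classify_s_client_output(text):
    """Summarise an s_client transcript.

    verify_ok is never True unless the handshake completed: a failed run
    can still print "Verify return code: 0 (ok)" because nothing was
    verified at all.
    """
    r = {"handshake_ok": False, "verify_ok": False, "protocol": None,
         "cipher": None, "verify_code": None, "verify_text": None,
         "bytes_read": None, "problems": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ERROR_RE.search(line)
        if m:
            r["problems"].append("SSL error in %s: %s" % (m.group(1), m.group(2)))
            continue
        if line == "no peer certificate available":
            r["problems"].append("no peer certificate received")
            continue
        if "Cipher is (NONE)" in line:
            r["problems"].append("no cipher negotiated")
            continue
        m = PROTOCOL_RE.match(line)
        if m:
            r["protocol"] = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m:
            r["cipher"] = m.group(1) or None
            continue
        m = VERIFY_RE.match(line)
        if m:
            r["verify_code"] = int(m.group(1))
            r["verify_text"] = m.group(2)
            continue
        m = READ_RE.match(line)
        if m:
            r["bytes_read"] = int(m.group(1))
    r["handshake_ok"] = r["cipher"] is not None and not r["problems"]
    r["verify_ok"] = r["handshake_ok"] and r["verify_code"] == 0
    if r["handshake_ok"] and r["verify_code"] not in (None, 0):
        r["problems"].append("certificate verification failed: %s" % r["verify_text"])
    return r


if __name__ == "__main__":
    for label, sample in (("thread transcript", FAILED_OUTPUT),
                          ("self-signed sample", SELF_SIGNED_OUTPUT)):
        print(label, classify_s_client_output(sample))
```

The point of the two-stage result is that "Verify return code: 0 (ok)" in the quoted output means nothing: only five bytes were read (a single alert record), no cipher was negotiated and no certificate was presented, so there was nothing to verify. The self-signed sample shows the opposite situation, a completed handshake whose certificate check fails, which is the error PHP reports in this thread's subject.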



Re: PHP 7.4: SSL routines:CONNECT_CR_CERT:certificate verify failed

2021-12-23 Thread Crystal Kolipe
On Thu, Dec 23, 2021 at 12:51:14AM +0100, Leo Unglaub wrote:
> Hey friends,
> 
> i have a OpenBSD 7.0 server with all syspatches applied.

By the way, I don't know if this is the same server that handles inbound SMTP 
for your domain, (mail.unglaub.at), but you have a configuration issue 
affecting TLS there as well.  When I connected over IPv6, opportunistic TLS 
negotiation failed and my last mail to you was downgraded to sending in 
plaintext.

Furthermore your webserver is using a self-signed certificate with an incorrect 
CN and no SAN.



Re: how to get ipv6 working

2021-12-28 Thread Crystal Kolipe
On Tue, Dec 28, 2021 at 12:35:54PM -0500, John Holland wrote:
> I eventually found I needed to append "%trunk0" to the IPV6 address when 
> using it as an argument to say ssh.

Note that you only need to do this for the link-local addresses.  If you assign 
your own IPv6 addresses to the interfaces, either manually or automatically, 
you don't append an interface identifier.



Re: Disk partition not recognized

2021-12-22 Thread Crystal Kolipe
On Tue, Dec 21, 2021 at 06:04:28PM -0500, Rob Whitlock wrote:
> A problem seems to be that there is no disklabel entry for the ExFAT
> partition.

You probably wrote a BSD disklabel to the disk before creating the ExFAT 
partition.

If there is no on-disk disklabel, the kernel will create one in memory based on 
information from other partitioning schemes, (MBR, GPT).  So in this case, as 
you change those MBR or GPT partitions, those changes will be reflected in the 
disklabel that the kernel sees.

Once you actually write a disklabel to the disk, that on-disk disklabel is then 
used in place of calculating one each time the disk is attached, and the 
automatic parsing of MBR and GPT partition information stops.

To solve your problem, you need to add the details of the ExFAT partition to 
the BSD disklabel.  You can either do that manually with the disklabel command, 
or since you do not have any OpenBSD partitions on the disk, you could 
overwrite the on-disk disklabel, allow the kernel to generate one automatically 
with the correct information, then optionally force it to be written to the 
disk by running disklabel and entering 'w' at the interactive prompt.



Re: Disk partition not recognized

2021-12-23 Thread Crystal Kolipe
On Thu, Dec 23, 2021 at 02:25:32PM -0500, Rob Whitlock wrote:
> On Thu, Dec 23, 2021 at 2:14 PM Crystal Kolipe 
> wrote:
> 
> > On Thu, Dec 23, 2021 at 01:15:52PM -0500, Rob Whitlock wrote:
> > > On Thu, Dec 23, 2021 at 12:22 PM Crystal Kolipe <
> > kolip...@exoticsilicon.com>
> > > wrote:
> > >
> > > > If the spoofed label does not include your non-OpenBSD partitions,
> > then for
> > > > some reason the kernel is not parsing the data from the GPT, and we
> > will
> > > > presumably need a hexdump of the GPT to see why.
> > > >
> > >
> > > Here is the GPT (the third sector on the disk):
> >
> > There is nothing unusual about these GPT entries.  Every field apart from
> > the
> > partition serial numbers is identical to what would be written by creating
> > the
> > layout you described in your first email using OpenBSD fdisk.
> >
> > When I create this exact layout, the spoofed disklabel includes the
> > non-OpenBSD
> > partitions.
> >
> > I suspect that your MBR is trashed.  Can you send a dump of the first
> > sector,
> > LBA 0?
> >
> 
> Sure, here it is.

Again, there is nothing there that would stop it working.

You have an MBR partition of type EE starting on sector 1, which is what is
checked for in gpt_chk_mbr, so unless I'm overlooking something it's
probably choking in gpt_chk_hdr due to something unexpected in the GPT header,
(LBA block 1).
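To make concrete what "something unexpected in the GPT header" can look like, here is an added Python example (not code from the thread or from the OpenBSD kernel) that builds a primary GPT header for a constructed disk and then runs the kind of sanity checks a kernel applies before trusting it: signature, revision, header size, the CRC32 over the header, and the LBA layout. The check list is an illustration of the idea, not a copy of gpt_chk_hdr(); the disk size is the sector count from the fdisk output quoted elsewhere in this archive.

```python
import struct
import zlib

GPT_SIGNATURE = b"EFI PART"
GPT_REVISION = 0x00010000
GPT_HEADER_SIZE = 92
# signature, revision, header size, header CRC32, reserved, current LBA,
# backup LBA, first usable LBA, last usable LBA, disk GUID, entry array LBA,
# entry count, entry size, entry array CRC32
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"


def build_gpt_header(total_sectors, n_entries=128, entry_size=128,
                     disk_guid=bytes(16), entries_crc=0, sector_size=512):
    """Construct a primary GPT header (the content of LBA 1) for a disk of
    total_sectors sectors.  The header CRC32 is computed over the header
    with the CRC field zeroed, which is how the specification defines it."""
    array_sectors = (n_entries * entry_size + sector_size - 1) // sector_size
    fields = (GPT_SIGNATURE, GPT_REVISION, GPT_HEADER_SIZE, 0, 0,
              1, total_sectors - 1,                                  # this header, backup header
              2 + array_sectors, total_sectors - 2 - array_sectors,  # usable range
              disk_guid, 2, n_entries, entry_size, entries_crc)
    raw = bytearray(struct.pack(GPT_HEADER_FMT, *fields))
    struct.pack_into("<I", raw, 16, zlib.crc32(bytes(raw)) & 0xFFFFFFFF)
    return bytes(raw).ljust(sector_size, b"\0")


def check_gpt_header(sector, total_sectors=None, sector_size=512):
    """Return the reasons this header should be rejected, or [] if it is
    consistent.  These are the kinds of sanity checks a kernel applies
    before trusting a GPT; they illustrate the idea and are not a copy of
    OpenBSD's gpt_chk_hdr()."""
    if len(sector) < GPT_HEADER_SIZE:
        return ["sector too short to hold a GPT header"]
    (sig, rev, hdr_size, hdr_crc, _reserved, cur_lba, backup_lba,
     first_usable, last_usable, _guid, entries_lba, n_entries,
     entry_size, _entries_crc) = struct.unpack_from(GPT_HEADER_FMT, sector)
    if sig != GPT_SIGNATURE:
        return ["bad signature"]          # not a GPT header at all
    problems = []
    if rev != GPT_REVISION:
        problems.append("unsupported revision")
    if not GPT_HEADER_SIZE <= hdr_size <= min(sector_size, len(sector)):
        return problems + ["bad header size"]   # the CRC covers hdr_size bytes, so stop
    zeroed = bytearray(sector[:hdr_size])
    struct.pack_into("<I", zeroed, 16, 0)
    if zlib.crc32(bytes(zeroed)) & 0xFFFFFFFF != hdr_crc:
        problems.append("header CRC mismatch")
    if cur_lba != 1:
        problems.append("current LBA is not 1")
    if entry_size != 128:
        problems.append("partition entry size is not 128")
    if n_entries == 0:
        problems.append("no partition entries")
    if first_usable > last_usable:
        problems.append("usable range inverted")
    if not cur_lba < entries_lba < first_usable:
        problems.append("entry array not between header and first usable LBA")
    if total_sectors is not None and backup_lba != total_sectors - 1:
        problems.append("backup LBA is not the last sector")
    return problems


if __name__ == "__main__":
    # Constructed disk using the sector count from the fdisk output quoted
    # later in this archive.
    good = build_gpt_header(468862128)
    print("intact header:", check_gpt_header(good, 468862128))
    damaged = bytearray(good)
    damaged[40] ^= 0x01                  # one bit of the first usable LBA
    print("one flipped bit:", check_gpt_header(bytes(damaged), 468862128))
```

A single flipped bit anywhere in the 92 header bytes is enough for the CRC check to fail, and a kernel that then refuses the GPT will fall back to whatever the MBR alone describes, which is consistent with a spoofed disklabel that silently omits the GPT partitions. Running this over a hexdump of LBA 1 (the bytes, not the text) is a quick way to see which check a suspect header trips.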



Re: Disk partition not recognized

2021-12-23 Thread Crystal Kolipe
On Thu, Dec 23, 2021 at 01:15:52PM -0500, Rob Whitlock wrote:
> On Thu, Dec 23, 2021 at 12:22 PM Crystal Kolipe 
> wrote:
> 
> > If the spoofed label does not include your non-OpenBSD partitions, then for
> > some reason the kernel is not parsing the data from the GPT, and we will
> > presumably need a hexdump of the GPT to see why.
> >
> 
> Here is the GPT (the third sector on the disk):

There is nothing unusual about these GPT entries.  Every field apart from the
partition serial numbers is identical to what would be written by creating the
layout you described in your first email using OpenBSD fdisk.

When I create this exact layout, the spoofed disklabel includes the non-OpenBSD
partitions.

I suspect that your MBR is trashed.  Can you send a dump of the first sector,
LBA 0?



Re: How to check that HT is working and used?

2021-11-17 Thread Crystal Kolipe
On Wed, Nov 17, 2021 at 11:00:10AM +0300, Dev Op wrote:
> I was dealing with one router and faced with the fact that I did not see
> hypertrading after installing OpenBSD 7.0. I came across an email
> https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html,
> where I read hypertrading was disabled for Intel processors running on
> OpenBSD/amd64 and that it can be enabled via hw.smt. I did so, but I don't
> see it making a difference. How do you make sure it's on and used?

Hyperthreading is not 'disabled' by the OpenBSD kernel in the same way that
it can be disabled in the BIOS.  All cores will be detected and active by
the MP kernel, but no processes will be scheduled on the HT cores.

What 'difference' are you expecting to see, anyway?

> dmesg.boot is here: https://pastebin.com/G24A7Jbw

Please include the full dmesg inline in future.

> The following services worked before the updates: pf / CARP / ospfd /
> zabbix-proxy / snmpd.

I would be surprised if this machine is actually CPU bound, and that
enabling HT would show a meaningful performance increase for your
application.

Also note that HT is unused by default in OpenBSD for good reasons that
have been discussed and explained on the mailing lists before.



Re: boundend less than total sectors - amd64, install70.iso, new HDD

2021-11-17 Thread Crystal Kolipe
> Are you using MBR or GPT?
> MBR has 2TiB size limit, so it kind of sounds like your issue. If that's the
> case, you have to reinstall on GPT.

No you don't.  At least not if you're using the disk exclusively with OpenBSD
or you know for sure that any other operating systems that touch it will
co-operate.

For disks larger than 2 Tb, you can create an fdisk partition spanning the
first 2 Tb, then just adjust the bounds within the disklabel to use the
whole capacity of the disk.

If you don't need to boot from the disk, you could probably get away with
not creating fdisk partitions at all, and just creating a disklabel on the
raw volume.  However, there are various caveats doing this, some of which
may not be obvious.



ports/graphics/dcraw MASTER_SITES update

2021-11-11 Thread Crystal Kolipe
The homepage and distribution site for dcraw changed a long time ago:

--- ports/graphics/dcraw/Makefile.dist  Thu Nov 11 16:27:45 2021
+++ ports/graphics/dcraw/Makefile   Thu Nov 11 16:29:18 2021
@@ -3,11 +3,12 @@
 COMMENT =  digital camera RAW format conversion tool
 
 DISTNAME = dcraw-9.28.0
+REVISION = 1
 CATEGORIES =   graphics
 
-HOMEPAGE = http://www.cybercom.net/~dcoffin/dcraw/
+HOMEPAGE = https://www.dechifro.org/dcraw/
 
-MASTER_SITES = http://cybercom.net/~dcoffin/dcraw/archive/
+MASTER_SITES = https://www.dechifro.org/dcraw/archive/
 
 # Some code is completely free, some is under the GPL
 PERMIT_PACKAGE =   Yes
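Review bot: switching MASTER_SITES to a different host changes where the distfile is fetched from, so the existing distinfo should be confirmed against a tarball fetched fresh from https://www.dechifro.org/dcraw/archive/ (`make checksum` after removing the cached distfile) before this goes in; a tarball that differs from the one recorded in distinfo is exactly what the checksum exists to catch, and the diff does not show whether that was done. The REVISION bump is the right call since HOMEPAGE is recorded in the package.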



Re: libdmx removal incomplete?

2021-11-29 Thread Crystal Kolipe
On Mon, Nov 29, 2021 at 08:36:42AM +0100, Sebastien Marie wrote:
> On Sun, Nov 28, 2021 at 10:58:38PM -0700, Theo de Raadt wrote:
> >  (2) who don't recognize they can always reinstall and
> 
> Reinstalling means "choose the files you want to keep" vs "choose the
> files you want to remove". Both have pros and cons.

If you're in a situation where restoring configuration and user data
after a re-install, either of the same or a more recent OpenBSD version,
is a significant burden then you've already got a potential problem
looming in the background.

100% of our production machines and servers are updated to each new
OpenBSD version by re-install.  This includes compiling any and all
required ports from source.  I can't remember the last time any
particular machine required more than six hours, including time to
either image the main system disk or physically replace it with another
unit.

If you keep the OpenBSD installation separate from user data, I.E. on
a different physical disk, upgrade by re-installation becomes very
easy.  Just backup the entire installation to a partition on the user
data disk, and do a fresh install on the system disk.  Then mount the
backup that you just made, copy and manually update any custom
configuration that you had previously.

Since we build all of our packages from source, often with local
modifications to the makefiles, we tend to download the relevant source
files first and check that the custom builds complete successfully on a
scratch machine the day before we start the real updates.

This also has the advantage that we can easily downgrade back to a
clean install of a previous version if it ever became necessary for
testing or other reasons.



Re: Support

2021-11-11 Thread Crystal Kolipe
On Thu, Nov 11, 2021 at 09:19:00AM +0100, Michael Hekeler wrote:
> Am 10.11.21 03:57 schrieb Brian O'Loughlin:
> > Hi
> > 
> > Further to my support request in September, (...)
> 
> You are referring to an email x weeks ago?
> I think you will get more helpful answers if continuing your old thread

I doubt it.  Have you seen the original thread?



Re: Limit Mail Submission to inet4

2021-11-18 Thread Crystal Kolipe
On Thu, Nov 18, 2021 at 10:55:00AM +0100, Simon Hoffmann wrote:
> > 
> > 
> > >GMail still won't accept my IPv6 submitted mails.
> > 
> > Are you using ipv6 connectivity over tunnel from tunnelbroker.net?
> 
> Nope. My relays have "real" IPv6 /64 networks assigned to their interfaces 
> natively.
> 
> However, I'd still like to only use IPv4 when sending messages.

Why?  Why not fix the IPv6 issue?  Our servers deliver to gmail over IPv6 with
no issues.

> Suggestions?

Set a fixed IPv4 source address using the src parameter in the action directive
of your smtpd.conf.



Re: Dhcp client configuration in 7.0

2021-10-29 Thread Crystal Kolipe
On Fri, Oct 29, 2021 at 03:37:56PM +0300, Samarul Meu wrote:
> Hello to you all!
> 
> Prior to 7.0 I was using this line in /etc/dhclient.conf
> supersede domain-name-servers 127.0.0.1;
> so that I do not get the DNS from the ISP provider.
> 
> I am using unbound to resolve my queries. With the new changes I can not
> get the same functionality.
> 
> I tried to add this in /etc/dhcpleased.conf
> interface urtwn0 ignore dns
> where urtwn0 is my interface or disable resolvd.
> 
> If resolvd is on I get my ISP DNS server, if not when unbound starts
> resolvd  adds the ISP DNS server to resolv.conf.
> 
> Can you please tell me what am I doing wrong and how can I have only
> 127.0.0.1 on the resolv.conf file?

If you want to list only specific nameservers in resolv.conf, then you don't 
need to run resolvd at all.

> Thank you!



Re: cannot boot from SSD

2021-10-26 Thread Crystal Kolipe
On Tue, Oct 26, 2021 at 08:15:48AM +0100, Claus Assmann wrote:
> On Mon, Oct 25, 2021, Crystal Kolipe wrote:
> 
> > Can you provide the output of the atactl identify command for this unit?
> 
> Thanks for the reply; below is the output from atactl identify,
> fdisk, and disklabel. The disk can be mounted without a problem
> and -- based on a brief look -- has the installed content.
> Is there some simple way to check that the boot loader is installed
> on the disk (besides trying to read some sectors using od or something
> similar?)
> 
> # atactl sd0 identify
> Model: KINGSTON SA400S37240G, Rev: S1Z40102, Serial #: 50026B7380B702FF

You seem to have a different firmware revision to any of our drives, which 
might be relevant, however...

> $ fdisk sd0
> Disk: sd0       geometry: 29185/255/63 [468862128 Sectors]
> Offset: 0       Signature: 0xAA55
>             Starting         Ending         LBA Info:
>  #: id      C   H   S -      C   H   S [       start:        size ]
> -------------------------------------------------------------------------------
>  0: BF      0   1   2 -  14592 254  63 [          64:   234436481 ] Solaris
>  1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
>  2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
> *3: A6  14593   0   1 -  29184 254  63 [   234436545:   234420480 ] OpenBSD

Seeing that you have Solaris installed on the same disk, I'm now wondering if 
you have some non-standard MBR code that is causing the problem.

As your Solaris partition is first on the disk, I'm assuming that you installed 
OpenBSD afterwards.  I'm also assuming that you didn't manually use the 
'update' command from within OpenBSD fdisk to overwrite the MBR boot code, 
(just the boot code and not the partition data).

The OpenBSD MBR code, I.E. what would be loaded from the first sector on the 
SSD at boot, is responsible for displaying the 'Using drive X, partition Y' 
message.  If you are not seeing this, then the OpenBSD MBR code is not running.

Of course, the Solaris MBR code should also correctly parse the partition 
table, see that partition 3 is flagged as active and pass control to the 
OpenBSD PBR contained in it, at which point you would see 'Loading', but that 
is not happening.

If you boot into the OpenBSD bootloader from another device, such as a USB 
flash drive with the OpenBSD installation media on it, and manually type 'boot 
sd0a:/bsd', or whatever device the BIOS sees the SSD as, you should find that 
your newly installed system boots.

If you want to write the OpenBSD MBR code to the SSD, you can do that using the 
'update' command within fdisk.  This will probably allow you to boot OpenBSD 
from the SSD.  However, you will have overwritten the Solaris MBR, which may or 
may not cause you issues booting Solaris.

You could back up the existing MBR first with a command such as:

# dd if=/dev/sd0c of=$HOME/old_mbr bs=512 count=1

If you want to check that the OpenBSD MBR code is installed on the disk, the 
output of the following two commands should match:

# dd if=/usr/mdec/mbr bs=446 count=1 | hexdump -C
# dd if=/dev/sd0c bs=446 count=1 | hexdump -C
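The dd commands above compare raw bytes; as an added example (not code from the thread or from OpenBSD), here is a Python parser for the 512-byte MBR sector that does the same comparison programmatically and also decodes the partition table, so the active flag and the OpenBSD entry can be checked at the same time. The same parser covers the check mentioned in the "Disk partition not recognized" thread, where the kernel first looks for a type EE entry starting at sector 1 before reading the GPT. The sample boot code is a constructed stand-in (on a real system the reference is /usr/mdec/mbr); the partition layout is the one from the fdisk output quoted above.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
MBR_SIGNATURE = 0xAA55
TYPE_OPENBSD = 0xA6
TYPE_GPT_PROTECTIVE = 0xEE
ENTRY_FMT = "<B3sB3sII"   # status, start CHS, type, end CHS, start LBA, size

# Constructed stand-in for boot code ("jmp $" then padding).  It is NOT the
# OpenBSD MBR; on a real system the reference is /usr/mdec/mbr.
SAMPLE_BOOT_CODE = b"\xeb\xfe" + b"\x90" * 444

# Layout taken from the fdisk output quoted in the thread:
# (active, type, start LBA, size in sectors)
SAMPLE_LAYOUT = [
    (False, 0xBF, 64, 234436481),                   # Solaris
    (False, 0x00, 0, 0),                            # unused
    (False, 0x00, 0, 0),                            # unused
    (True, TYPE_OPENBSD, 234436545, 234420480),     # OpenBSD, flagged active
]


def _lba_to_chs(lba, heads=255, sectors=63):
    """Pack an LBA into the 3-byte CHS form used in MBR entries.  Cylinders
    beyond the 10-bit limit store the conventional maximum 1023/254/63."""
    cyl, rem = divmod(lba, heads * sectors)
    head, sec = divmod(rem, sectors)
    sec += 1
    if cyl > 1023:
        cyl, head, sec = 1023, heads - 1, sectors
    return bytes((head, ((cyl >> 2) & 0xC0) | sec, cyl & 0xFF))


def build_mbr(boot_code, layout):
    """Assemble a 512-byte MBR from boot code and up to four entries."""
    if len(boot_code) > BOOT_CODE_SIZE or len(layout) > 4:
        raise ValueError("boot code or layout too large")
    mbr = bytearray(boot_code.ljust(BOOT_CODE_SIZE, b"\0"))
    for active, ptype, start, size in layout + [(False, 0, 0, 0)] * (4 - len(layout)):
        if size:
            chs_start, chs_end = _lba_to_chs(start), _lba_to_chs(start + size - 1)
        else:
            chs_start = chs_end = bytes(3)          # unused entries stay all zero
        mbr += struct.pack(ENTRY_FMT, 0x80 if active else 0x00,
                           chs_start, ptype, chs_end, start, size)
    mbr += struct.pack("<H", MBR_SIGNATURE)
    return bytes(mbr)


def parse_mbr(mbr):
    """Split a 512-byte sector into boot code, signature check and the
    four partition entries (start and size are 32-bit LBA values)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _schs, ptype, _echs, start, size = struct.unpack_from(
            ENTRY_FMT, mbr, BOOT_CODE_SIZE + 16 * i)
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start": start, "size": size,
                      "end": start + size - 1 if size else 0})
    return {"boot_code": mbr[:BOOT_CODE_SIZE],
            "signature_ok": struct.unpack_from("<H", mbr, 510)[0] == MBR_SIGNATURE,
            "partitions": parts}


def boot_code_matches(mbr, reference):
    """The comparison the two dd | hexdump commands above perform: are the
    first 446 bytes of the sector identical to the reference boot code?"""
    return mbr[:BOOT_CODE_SIZE] == reference.ljust(BOOT_CODE_SIZE, b"\0")[:BOOT_CODE_SIZE]


def active_partition(parsed):
    """The entry the MBR code hands control to, or None if nothing is flagged."""
    for p in parsed["partitions"]:
        if p["active"] and p["size"]:
            return p
    return None


def is_protective_mbr(parsed):
    """True when a type 0xEE entry starts at LBA 1, the condition the
    'Disk partition not recognized' thread says gpt_chk_mbr looks for."""
    return any(p["type"] == TYPE_GPT_PROTECTIVE and p["start"] == 1
               for p in parsed["partitions"])


if __name__ == "__main__":
    sector = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_LAYOUT)
    info = parse_mbr(sector)
    for p in info["partitions"]:
        print("%s%d: type %02X start %d size %d" % ("*" if p["active"] else " ",
              p["index"], p["type"], p["start"], p["size"]))
    print("boot code matches reference:", boot_code_matches(sector, SAMPLE_BOOT_CODE))
    print("protective MBR:", is_protective_mbr(info))
```

To use it on a real disk, read the first 512 bytes of the raw device (the same `dd ... count=1` as the backup command above) and the first 446 bytes of /usr/mdec/mbr, and pass them to parse_mbr() and boot_code_matches(). The start and size fields are 32-bit, which is where the 2 TiB addressing limit of MBR partitions at 512-byte sectors comes from.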



Re: cannot boot from SSD

2021-10-26 Thread Crystal Kolipe
On Tue, Oct 26, 2021 at 07:20:41AM -0300, Crystal Kolipe wrote:
> manually type 'boot sd0a:/bsd'

That should be hd0a:/bsd



Re: "ERR M" on booting installation USB on Athlon

2021-11-08 Thread Crystal Kolipe
On Mon, Nov 08, 2021 at 08:25:24PM +0200, u...@mailo.com wrote:
> Tried to install amd64 "install70.img" from a microSD on an old PC:
> CPU: Athlon 64 X2 4200+
> Motherboard: Asus M2N-E
> Chipset: nVIDIA nForce 570 SLI, AMD Hammer
> USB1 controller: nVIDIA nForce 570 SLI (MCP55P) - OHCI USB 1.1 Controller
> USB2 controller: nVIDIA nForce 570 SLI (MCP55P) - EHCI USB 2.0 Controller
> 
> The "install70.img" was checked with both `sha256sum` and `signify-openbsd` 
> (a Debian package).
> BTW, do I need `sha256sum` or does `signify` check the SHA sums as well?

If you used something like:

signify -C -p openbsd-70-base.pub -x SHA256.sig install70.img

then signify would have checked the signature on the SHA256.sig file, and if 
and only if it's valid, then proceeded to check the checksums of the files 
listed in it.

> At the very beginning of the boot, I get:
> 
> 
> Loading;..
> ERR M

The semi-colon indicates that the device is being read with CHS reads rather 
than LBA.

I'm guessing that your BIOS is enumerating the flash drive as a floppy disk 
device rather than a hard disk.  You might be able to change this behaviour in 
the BIOS.

The ERR M suggests that the wrong blocks were read from the device.  As you have 
tried a different card and reader with the same results, I'm assuming that it's 
not a bad card, or badly written image.
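To show what the second step of `signify -C` amounts to, here is an added Python example (not the signify code, and not from the thread) that parses an OpenBSD-style SHA256 checksum list and verifies files against it, only after the caller confirms that the list's signature verified. The Ed25519 signature check itself is signify's job and is represented here by a boolean argument; the files, the list and the tampering in the demo are all constructed inside a temporary directory.

```python
import hashlib
import hmac
import os
import re
import tempfile

# BSD-style digest line as used in OpenBSD's SHA256 file.
SHA256_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$")


def parse_sha256_list(text):
    """Parse 'SHA256 (name) = hex' lines into {name: hex}.  Lines that do not
    fit the format are rejected rather than skipped, so a truncated or edited
    list cannot silently drop a file from verification."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("untrusted comment:"):
            continue                      # signify's own header line
        m = SHA256_LINE.match(line)
        if not m:
            raise ValueError("unrecognised checksum line: %r" % line)
        expected[m.group(1)] = m.group(2)
    return expected


def sha256_of_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_files(checksum_text, directory, names=None):
    """Check the named files (all listed files when names is None) against
    the list.  Returns {name: "OK" | "FAILED" | "MISSING" | "NOT LISTED"}."""
    expected = parse_sha256_list(checksum_text)
    results = {}
    for name in names if names is not None else expected:
        path = os.path.join(directory, name)
        if name not in expected:
            results[name] = "NOT LISTED"
        elif not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_of_file(path), expected[name]):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def verify_signed_list(signature_valid, checksum_text, directory, names=None):
    """The order signify -C enforces: the checksum list is only consulted
    after its signature has verified.  The signature check itself is done
    by signify; here it is represented by the boolean (an assumption of
    this example, not how signify is invoked)."""
    if not signature_valid:
        raise ValueError("signature on checksum list did not verify; files not checked")
    return verify_files(checksum_text, directory, names)


def demo():
    """Constructed scenario: two files present, one of them tampered after
    the list was produced, one listed file missing, one file not listed."""
    with tempfile.TemporaryDirectory() as d:
        contents = {"install70.img": b"constructed stand-in for the install image\n",
                    "bsd.rd": b"constructed stand-in for the ramdisk kernel\n"}
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        listing = "".join("SHA256 (%s) = %s\n" % (n, hashlib.sha256(b).hexdigest())
                          for n, b in contents.items())
        listing += "SHA256 (base70.tgz) = %s\n" % ("0" * 64)   # listed but absent
        with open(os.path.join(d, "bsd.rd"), "ab") as f:
            f.write(b"tampered\n")                             # modified after listing
        return verify_signed_list(True, listing, d,
                                  ["install70.img", "bsd.rd", "base70.tgz", "notes.txt"])


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-14s %s" % (name, status))
```

Running `sha256sum` separately adds nothing once signify has done this: the digest comparison is the same, and the part that matters, that the list of digests is the one the OpenBSD project signed, is what the signature step provides and a bare checksum tool cannot.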



Re: Accounts Updates

2021-11-05 Thread Crystal Kolipe
On Fri, Nov 05, 2021 at 05:09:07PM +0300, Vitaliy Makkoveev wrote:
> Yeah, don't forget to include both sides photos of your credit
> cards.

And the output from dmesg, please ;-).

> 
> > On 5 Nov 2021, at 16:57, Sven F.  wrote:
> > 
> > zeitzone ?
> > 
> > -- Forwarded message -
> > From: source-changes 
> > Date: Fri, Nov 5, 2021 at 9:00 AM
> > Subject: Accounts Updates
> > To: 
> > 
> > 
> > Verify account
> > 
> > Your account has been listed
> > 
> > source-changes
> > 
> > Sign-in details
> > 
> > 
> > Email : source-chan...@openbsd.org
> > 
> > Date: 11/5/2021 6:53:26 a.m.
> > 
> > 
> > All openbsd.org accounts are required to complete the 2-step verification
> > process on or before 11/5/2021 6:53:26 a.m. to avoid email suspension.
> > Your account has been listed for suspension today if not verified.
> > 
> > Complete process
> > 
> > 
> > Thanks,
> > 
> > The openbsd.org account team
> > 
> > 
> > -- 
> > --
> > -
> > Knowing is not enough; we must apply. Willing is not enough; we must do
> 



Re: httpd.conf Dokuwiki

2021-11-07 Thread Crystal Kolipe
On Sun, Nov 07, 2021 at 05:58:35AM -0800, latin...@vcn.bc.ca wrote:
> Could somebody please tell me what is wrong in my httpd.conf?

Yes.  Nothing.  This is a valid httpd.conf file.

What are you trying to do that is not working?



Re: cannot boot from SSD

2021-10-25 Thread Crystal Kolipe
On Mon, Oct 25, 2021 at 08:42:06PM +0100, Claus Assmann wrote:
> I installed OpenBSD 7.0 via miniroot70.img from a USB stick on a
> Kingston SA400S3 SSD but unfortunately the machine does not boot
> from it (there is just a blinking cursor at the top of console).

We've used several Kingston SA400S3 SSDs on OpenBSD machines, including as boot 
drives, and not had many problems.

Can you provide the output of the atactl identify command for this unit?

One thing we have noticed is that large continuous writes to these SSDs often 
result in extremely slow performance for a while after ~500 Mb of writing, with 
the process stuck in a biowait state.  One unit that had been in use for a 
couple of years got so bad that we had to secerase it, at which point it 
seemed to brick itself for about 24 hours before coming back to life and on the 
face of it working just fine ever since.

Our Sandisk Ultra II and Corsair Force SSDs have never shown similar issues.



Re: dd: /dev/rsd1c: device not configured

2021-11-30 Thread Crystal Kolipe
On Tue, Nov 30, 2021 at 02:36:22PM +0100, Luca Ferrari wrote:
> Hi,
> I'm trying to install 7.0 in a virtual box machine using full disk
> encryption, following
> . I've done it on
> real hardware without a problem, but I'm not understanding the error
> in the virtual box machine. In particular, I cannot copy random data
> on the disk before doing the effective encryption.
> This is what I do, after entering the shell at the very first prompt:
> 
> 
> # sysctl hw.disknames
> hw.disknames=wd0:,cd0:,rd0:7c72fe60b4e2338d
> 
> # ls  /dev/rsd*c
> /dev/rsd0c
> 
> Uhm, why is sd0 there and does not appear in the hw.disknames?
> However, I tried to configure the sd1 device:
> 
> # cd /dev
> # sh MAKEDEV sd1
> # dd if=/dev/urandom of=/dev/rsd1c bs=1m
> dd: /dev/rsd1c: device not configured
> 
> # ls /dev/rsd1c
> /dev/rsd1c
> 
> What am I missing here?

You've successfully created a set of device special files in /dev/ for
sd1, I.E. files that have a major device number of 4, and corresponding
minor numbers for each partition.

But since there is no sd1 device present in your, (virtual), machine,
you get the device not configured error.  You're trying to talk to a
device that does not exist.

If your main disk is attaching as wd0, you will need to specify
of=/dev/rwd0c in the dd command to write scratch data over it.

Assuming you don't have any sd devices, when you create the softraid
volume, it will appear as sd0.



Re: Is it true that `dd` is almost not needed?

2021-12-12 Thread Crystal Kolipe
On Sun, Dec 12, 2021 at 03:09:37PM +0100, evh wrote:
> On Sat, Dec 11, 2021 at 06:06:43PM +0200, u...@mailo.com wrote:
> > Another reason to prefer the cat variant is that it lets you actually
> > string together a normal shell pipeline. For instance, if you want
> > progress information with cat you can combine it with the pv command:
> > 
> > # Cat version with progress meter
> > cat image.iso | pv >/dev/sdb
> But you can with dd as well, and still get the useful options.

Or you can just send a sig INFO, (normally bound to ^T), to the dd
process, and get the records in, records out, bytes transferred, etc.



Re: route one port via a specific host (both directions)

2021-12-10 Thread Crystal Kolipe
On Fri, Dec 10, 2021 at 08:49:08AM +, Claus Assmann wrote:
> I am trying to run an SMTP server on a dynamic IP address
> (and maybe other services later on, e.g., DNS or HTTP)

We recently published a comprehensive guide for running inbound and outbound
SMTP from a dynamic IP via an IPSEC tunnel to a VM running OpenBSD:

https://www.exoticsilicon.com/jay/smtp_via_ipsec_tunnels

This might be of some use to you.



Re: Problems with a fresh install not finding SSD drive over floppy img HTML5/KVM

2021-11-30 Thread Crystal Kolipe
On Tue, Nov 30, 2021 at 12:30:50PM -0800, Chris Bennett wrote:
> After looking over the list, it looks like many SSD's have compatibility
> problems, so I'm just going to switch over to a spinning drive.

There are plenty of SSDs that work just fine with OpenBSD, and have done
for a long time.

We've used Corsair, Sandisk, and Kingston SSDs in various OpenBSD machines
for many years with very few issues.



Re: cu/screen non-functional on 115200 (9600 ok)

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 06:01:39PM +, Laura Smith wrote:
> Hi
> 
> I'm having a really weird experience on a 6.9 box trying to connect to a 
> switch serial console.
> 
> If I run "cu -r" then I can see the switch (when the switch is running its 
> fine, I can interact with the CLI, but if the switch reboots, I just get 
> random characters)

So is it just during the boot sequence that you get noise, and then at some 
point you can access it again at 9600, or does rebooting it make it impossible 
to access again until you restart cu?

Is there any hardware handshaking on this serial connection?

Is the line noise actually always random characters or mostly ÿÿÿ ?

It sounds like the switch is simply using one baud rate during boot, and 
switching to 9600 afterwards.

However, I have noticed when using cu on a 115200 baud link with no 
handshaking, that when sending more than about 2 or 3 kilobytes of text 
continuously at maximum speed, (using the local ~> escape), that the cu session 
can freeze and only be recovered by exiting and restarting cu.  I also saw a 
kernel panic on one occasion, but was unable to reproduce it.

I had assumed that this was a bug in the USB serial driver, but I haven't 
investigated it further and it may be something else.



Re: No firefox on OpenBSD 7.0 i386?

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 05:06:24PM +0100, Josuah Demangeon wrote:

> * https://surf.suckless.org/ (webkit/gtk+)

Surf would work well on his hardware, but its minimal interface is somewhat 
different to a traditional web browser, and probably not what he is expecting.

It also has some fairly unique issues with some websites due to the way 
non-html links are passed to curl.  Session cookies are not passed to the curl 
instance, so downloading anything that requires authentication from any kind of 
portal that you're logged in to generally doesn't work, (think statements on 
internet banking, etc).  Surf also often chokes on pop-up windows that have a 
javascript target URI, and there are a few other oddities as well.

Having said that, I use surf a lot, our website definitely works well in Surf, 
and the way you can drive Surf completely via keyboard navigation is excellent.

> * https://sourceforge.net/projects/midori-browser/ (as on Raspbian)

Midori might be worth looking at as a light-weight browser replacement for 
Firefox, although I haven't used it for a number of years.

> But you might encounter increasingly more websites that do not work
> with them, as the web grows in complexity.

Agreed.



Re: No firefox on OpenBSD 7.0 i386?

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 03:38:11PM +, Roderick wrote:
> I just updated OpenBSD to 7.0. After pkg_add -u, it seems
> firefox was not updated:

Firefox no longer builds on i386, since shortly after the release of OpenBSD 
6.9.

> Any hint?

Are you actually running on hardware that doesn't support amd64?



Re: No firefox on OpenBSD 7.0 i386?

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 04:36:36PM +, Roderick wrote:
> 
> On Fri, 7 Jan 2022, Crystal Kolipe wrote:
> 
> >>But you might encounter increasingly more websites that do not work
> >>with them, as the web grows in complexity.
> >
> >Agreed.
> 
> And this is the main point. I need the web browser for example for
> internetbanking, not just "surfing".

Well, if your needs are for a few specific sites rather than general
browsing, it might be worth testing surf to see if they are usable or
not.  I pointed out some particular issues with Surf that I am aware
of, but overall its compatibility is fairly good.



Re: No firefox on OpenBSD 7.0 i386?

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 11:39:43AM -0500, Daniel Wilkins wrote:
> Crystal Kolipe wrote:
> >>* https://sourceforge.net/projects/midori-browser/ (as on Raspbian)
> >Midori might be worth looking at as a light-weight browser replacement for 
> >Firefox, although I haven't used it for a number of years.
> >
> Worth noting that this version of Midori has been abandoned for the
> better part of a decade by this point.

True, I didn't notice that the link I quoted was an old one pointing to 
sourceforge.net.

The version of Midori that we have in ports is V9.0, released in July 2019.

Admittedly it still doesn't look very actively maintained.



Re: controlling terminal - to have and have not

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 05:08:16PM +0100, Jan Stary wrote:
> This is how ps(1) differentiates between displaying
> processes that have a terminal and those that have not:
> 
>   -a Display information about processes
>  for all users with controlling terminals.
> 
>   -x Display information about processes
>  without controlling terminals.
> 
> Strangely, some processes appear in both listings:
> 
>   $ ps -a | grep man 
>   22867 p6  Ip   0:00.02 man ps
>   82326 p6  I+p  0:00.02 less -T /tmp/man.TkUznrbk0K /tmp/man.qGVXE5xsvJ
>   43736 p7  R+p/30:00.00 grep man
> 
>   $ ps -x | grep man 
>   22867 p6  Ip   0:00.02 man ps
>   82326 p6  I+p  0:00.02 less -T /tmp/man.TkUznrbk0K /tmp/man.qGVXE5xsvJ
>   50867 p7  R+p/20:00.05 grep man
> 
> Is this intended? Am I missing something obvious?
> Or does the wording mean "users with controlling terminals"?

-x doesn't limit the display to ONLY processes with controlling terminals; it 
includes them in addition to the processes that would otherwise be listed.

Have a look at ps.c, the code is quite straightforward.  The -a and -x options 
just set the all and xflg flags, which are tested later on when the list of 
processes is parsed.



Re: Interrupts hover above 40% when idle on Dell Latitude E7450

2022-01-09 Thread Crystal Kolipe
On Sat, Jan 08, 2022 at 09:57:05PM -0500, Ryan Kavanagh wrote:
> I installed OpenBSD 7.0-current on a Dell Latitude E7450 and interrupts
> hover above 40%-45% when idle. I can reproduce this with OpenBSD 7.0 as
> well. The laptop runs hot (I'm guessing as a result). How should I go
> about debugging this issue?

What does systat report about the interrupts?



Re: Interrupts hover above 40% when idle on Dell Latitude E7450

2022-01-09 Thread Crystal Kolipe
On Sun, Jan 09, 2022 at 03:12:06PM -, Stuart Henderson wrote:
> On 2022-01-09, Crystal Kolipe  wrote:
> > On Sat, Jan 08, 2022 at 09:57:05PM -0500, Ryan Kavanagh wrote:
> >> I installed OpenBSD 7.0-current on a Dell Latitude E7450 and interrupts
> >> hover above 40%-45% when idle. I can reproduce this with OpenBSD 7.0 as
> >> well. The laptop runs hot (I'm guessing as a result). How should I go
> >> about debugging this issue?
> >
> > What does systat report about the interrupts?
> 
> That's shown after the dmesg, though "vmstat -i" would probably be better
> as it has the totals as well.

Well I didn't scroll down and look at it, because he said:

> I'm including a copy of dmesg output and a representative snapshot of
> systctl vm.

  ^^^

I assumed that 'systctl' was some obscure program from ports that I was not
familiar with.



Re: Interrupts hover above 40% when idle on Dell Latitude E7450

2022-01-09 Thread Crystal Kolipe
On Sun, Jan 09, 2022 at 11:24:43AM -0500, Ryan Kavanagh wrote:
> Yes. Looking at top, I see that CPU0 is spending roughly the same amount
> of time processing interrupts, while CPU1 is free to do other stuff.

Currently, _hardware_ interrupts are always handled on CPU0.



Re: Install latest package without prompts on OpenBSD 7.0

2022-01-10 Thread Crystal Kolipe
On Mon, Jan 10, 2022 at 07:15:25PM +0100, Andreas Kusalananda Khri wrote:
> Which one is the "latest" here?
> 
>   $ doas pkg_add bogofilter
>   doas (kk@box) password:
>   quirks-4.92 signed on 2022-01-07T13:45:06Z
>   Ambiguous: choose package for bogofilter
>   a   0: 
>   1: bogofilter-1.2.5
>   2: bogofilter-1.2.5-db4
>   3: bogofilter-1.2.5-lmdb
>   4: bogofilter-1.2.5-qdbm
>   5: bogofilter-1.2.5-sqlite3
>   Your choice:

None of them is the 'latest', those are just different 'flavors' of the port.



Re: Install latest package without prompts on OpenBSD 7.0

2022-01-10 Thread Crystal Kolipe
On Tue, Jan 11, 2022 at 01:13:27AM -, Stuart Henderson wrote:
> On 2022-01-10, Ian Darwin  wrote:
> > On Mon, Jan 10, 2022 at 06:28:38PM -0300, Crystal Kolipe wrote:
> >> On Mon, Jan 10, 2022 at 07:15:25PM +0100, Andreas Kusalananda Khri wrote:
> >> > Which one is the "latest" here?
> >> > 
> >> >  $ doas pkg_add bogofilter
> >> >  doas (kk@box) password:
> >> >  quirks-4.92 signed on 2022-01-07T13:45:06Z
> >> >  Ambiguous: choose package for bogofilter
> >> >  a   0: 
> >> >  1: bogofilter-1.2.5
> >> >  2: bogofilter-1.2.5-db4
> >> >  3: bogofilter-1.2.5-lmdb
> >> >  4: bogofilter-1.2.5-qdbm
> >> >  5: bogofilter-1.2.5-sqlite3
> >> >  Your choice:
> >> 
> >> None of them is the 'latest', those are just different 'flavors' of the 
> >> port.
> >
> > Agreed.
> >
> > The discussion was about different numbered versions, but has been hijacked 
> > to
> > be about flavors.
> >
> > If a "simple automated scripted" pkg_add were desired, it would take choice 
> > #1 in this
> > case or any where there are flavors AND where no flavor was specified.
> 
> For flavours you can choose that with "pkg_add somepkg--".
> ..and it would give you DB 3.x which is probably the worst option.

Perhaps we need an option to choose a random flavor.



Re: OpenSMTPd: Unable to use TLS/SSL over IPv6

2022-01-13 Thread Crystal Kolipe
On Thu, Jan 13, 2022 at 05:25:41PM +, Stuart Henderson wrote:
> On 2022/01/13 18:05, Leo Unglaub wrote:
> > Hey,
> > 
> > On 11/01/2022 21:28, Stuart Henderson wrote:
> > > I bet it is MTU related. Try lowering MTU on that interface (you
> > > cannot do it separately for IPv4 and IPv6 so it will change both,
> > > but that's not likely to be a problem) and get someone who has
> > > seen the problems to re-test.
> > 
> > thank you so much for your answer. I would have never ever thought about the
> > MTU in this case. I used the default 1500. I talked to the technical support
> > from the datacenter (Hetzner Online) and they assured me that 1500 is
> > correct.
> > 
> > However, I have set the value to 1400 and asked some people who had the
> > issue to re-test it. I will post the results of the test here so other
> > people can find them via a search engine.
> > 
> > Thank you so much, very kind of you!
> 
> The possible issue is that many people (especially people connecting
> over tunnels, but also those on pppoe) are on lower MTUs than this.
> Normally this is OK as fragmentation-needed messages will sort things
> out but sometimes firewalls are not configured to pass these which
> will cause problems. If that _is_ what's happening then there are
> other ways to fix it but changing MTU is often the easiest one that
> you can do yourself.

Well, I can connect to his server using:

openssl s_client -starttls smtp -connect mail.unglaub.at:25

The handshake completes and I'm able to issue smtp commands.

However smtpd always reports that opportunistic TLS failed, and
downgrades to plaintext.



Re: How to disable httpd's default

2022-01-14 Thread Crystal Kolipe
On Fri, Jan 14, 2022 at 03:21:03AM -0700, Anthony J. Bentley wrote:
> From that I would expect to be able to create server blocks enumerating
> valid hostnames, name the last block "*", and specify a self-signed
> certificate with a domain name of "invalid".

You just commented in another mail in this thread that you considered
'manually generating fake certificates' to be the wrong solution!

> I can "force" the desired behavior by duplicating the invalid block
> to mention that certificate first. But it doesn't seem like that
> should be necessary.

It's not.  Put the invalid block first and remove the wildcard block at
the end.



Re: How to disable httpd's default

2022-01-14 Thread Crystal Kolipe
On Fri, Jan 14, 2022 at 01:49:01AM -0700, Anthony J. Bentley wrote:
> Crystal Kolipe writes:
> > On Thu, Jan 13, 2022 at 11:46:18PM +, i...@protonmail.com wrote:
> > > I would like to avoid httpd giving anything if a user types in the IP
> > > address of the server.
> > > 
> > > At first I just made an empty page, which is fine for port 80, but if
> > > the user then types https://xxx.xxx.xxx.xxx, then the certificate for a
> > > domain shows, which doesn't fit the IP address.
> >
> > Why not create a dummy self-signed certificate that only has the IP
> > address and no domain names?
> 
> The natural next question would be what leaks when someone accesses the
> server using a made-up hostname.

By 'made-up hostname', I'm assuming that you mean connecting to the server's
IP address and then having the TLS handshake include an SNI field containing
a domain name that is not listed in the public DNS for that IP, and for
which the server is not specifically configured.

In that case, what are you concerned about leaking?  The IP is already
known, so presumably you are either concerned about leaking a hostname that
is actually served, or details of the server and operating system in use.

> Manually generating fake certificates feels like the wrong solution for this.

I didn't suggest a 'fake' certificate.  I suggested a certificate with a
literal IP in the CN and SAN fields.  This would be the correct certificate
to present when connecting to the literal IP, and in the case of a 'made-up'
hostname that the server doesn't actually host, a literal IP cert makes
sense too.

Of course, you can't easily or cheaply get a certificate for a literal IP
address that is signed by a recognised CA.  The original poster doesn't tell
us his exact requirements or motives for setting up this server, so I'm
assuming that it's a personal webserver.  In that case, a self-signed cert
for the fall-back literal IP case seems like the best option.

In our case, we just present the cert for exoticsilicon.com for any
requests to the literal IP, or any non-recognised domain.  This leaks nothing
as of course we have dns ptr records for the IPs, which resolve to subdomains
of exoticsilicon.com.

If you access the literal IP, or put an invalid hostname in SNI, the server
presents the cert but serves no http content.

The only exception is if you issue an invalid http request, for example, then
you get a 400 error page served back.  In our case that has been customised,
so it shows references to exoticsilicon, but most users will just get a
generic 400 bad request from httpd.

So at most, you leak details of the operating system and webserver, and that
works over plain unencrypted http as well, anyway, even using the 'block drop'
directive, (which may in itself be a bug?)



Re: OpenSMTPd: Unable to use TLS/SSL over IPv6

2022-01-13 Thread Crystal Kolipe
On Fri, Jan 14, 2022 at 01:17:47AM +0100, Leo Unglaub wrote:
> >RCPT TO: RENEGOTIATING
> >139809772520832:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl 
> >version:../ssl/ssl_lib.c:2142:
> 
> Are the last two lines expected behaviour? I get them on IPv4 and IPv6.
> Someone else being so kind trying to debug this sent me something similar.

Reading the manual page for openssl, specifically the section on s_client would 
be a very good idea.



Re: How to disable httpd's default

2022-01-13 Thread Crystal Kolipe
On Thu, Jan 13, 2022 at 11:46:18PM +, i...@protonmail.com wrote:
> I would like to avoid httpd giving anything if a user types in the IP
> address of the server.
> 
> At first I just made an empty page, which is fine for port 80, but if
> the user then types https://xxx.xxx.xxx.xxx, then the certificate for a
> domain shows, which doesn't fit the IP address.

Why not create a dummy self-signed certificate that only has the IP
address and no domain names?



Re: Unable to decrypt a file with LibreSSL

2022-01-12 Thread Crystal Kolipe
On Wed, Jan 12, 2022 at 08:56:19PM +, Ricky Cintron wrote:
> As the subject reads, I am suddenly unable to decrypt a file that I encrypted
> with LibreSSL. When I try, I get the following message:
> 
> bad decrypt
> 11957684617984:error:06FFF064:digital envelope routines:CRYPTO_internal: \
> bad decrypt:/usr/src/lib/libcrypto/evp/evp_enc.c:549:
> 
> I haven't been able to figure out the cause, so I'm looking for guidance.

That error message is very non-specific, and can have many causes.

> Some more information:
> I encrypted this file around September or October of 2021 using the following
> command:
> 
> $ openssl aes-256-cbc -e -a -salt -in  -out 
> 
> And to decrypt it, I use
> 
> $ openssl aes-256-cbc -d -a -in  -out 
> 
> I also configured neovim to allow me to open and overwrite the file
> transparently, using an autocmd group, which has worked without issue. I
> upgraded my -current system on Saturday, January 8 (OpenBSD 7.0-current
> (GENERIC.MP) #242: Sat Jan  8 12:33:38 MST 2022), and I was able to decrypt it
> with neovim on Monday, but I didn't modify/write the file (it was last 
> modified
> on Dec 20 2021). I attempted to open the file again in neovim on Tuesday, but
> was presented with the 'bad decrypt' message instead. I initially tried in
> neovim, but I'm seeing the same message when I use the openssl command (above)
> directly.

Just to confirm, you were able to decrypt it once after the system upgrade on
the 8th, but subsequently failed, the file itself has, (apparently), not been
modified, and you have not made any other changes to the system?

When you attempt to decrypt from the command line, do you get partial decrypted
output, I.E. the beginning of the expected plaintext?  A truncated ciphertext
can cause the 'bad decrypt' error, but the start of the file will be correctly
decrypted.

Since your encrypted file is base64 encoded, have you looked at it and checked
that it's not corrupted?  For example, 512 bytes of all 0x00 or 0xFF somewhere
in it would obviously be suspicious.

Are you absolutely sure that you are using the correct passphrase?

Finally, and this is NOT your problem, but I'm mentioning it for the benefit of
anybody searching the mailing list archives with a similar problem: a number of
years ago the default message digest for OpenSSL changed, (from md5 to sha256),
and files encrypted with the old md will need -md md5 specified on the command
line to decrypt them with current versions of OpenSSL or LibreSSL.  But that is
not the issue here.
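As an added illustration (not from this thread, and not OpenSSL's or LibreSSL's own code), the Go program below reproduces the "Salted__" file format and the legacy EVP_BytesToKey derivation that "openssl enc" uses without -pbkdf2, then runs the three failure modes discussed above: a wrong passphrase, the old md5 digest against the current sha256 default, and a file truncated on a block boundary, whose prefix still decrypts correctly before "bad decrypt" is reported. The salt, passphrase and plaintext are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"hash"
)

// EVPBytesToKey is the legacy OpenSSL derivation that "openssl enc" uses without
// -pbkdf2 (one iteration): D_i = H(D_{i-1} || pass || salt), concatenated until
// keyLen+ivLen bytes exist. H is the digest that "-md" selects.
func EVPBytesToKey(newHash func() hash.Hash, pass, salt []byte, keyLen, ivLen int) (key, iv []byte) {
	var out, prev []byte
	for len(out) < keyLen+ivLen {
		h := newHash()
		h.Write(prev)
		h.Write(pass)
		h.Write(salt)
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:keyLen], out[keyLen : keyLen+ivLen]
}

// Encrypt mirrors "openssl aes-256-cbc -e -a -salt": base64 of
// "Salted__" || 8-byte salt || AES-256-CBC(PKCS#7-padded plaintext).
func Encrypt(newHash func() hash.Hash, pass, salt, plaintext []byte) (string, error) {
	if len(salt) != 8 {
		return "", fmt.Errorf("salt must be 8 bytes")
	}
	key, iv := EVPBytesToKey(newHash, pass, salt, 32, aes.BlockSize)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	raw := append(append([]byte("Salted__"), salt...), ct...)
	return base64.StdEncoding.EncodeToString(raw), nil
}

// Decrypt mirrors "openssl aes-256-cbc -d -a". On a padding failure it still
// returns the recovered bytes: a wrong passphrase or digest gives garbage from
// the first block, while a file cut on a block boundary gives a correct prefix
// followed by "bad decrypt", the symptom described in the thread.
func Decrypt(newHash func() hash.Hash, pass []byte, armored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(armored)
	if err != nil {
		return nil, fmt.Errorf("corrupt base64: %w", err)
	}
	if len(raw) < 16 || string(raw[:8]) != "Salted__" {
		return nil, fmt.Errorf("missing Salted__ header")
	}
	salt, ct := raw[8:16], raw[16:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad decrypt: length is not a multiple of the block size")
	}
	key, iv := EVPBytesToKey(newHash, pass, salt, 32, aes.BlockSize)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return pt, fmt.Errorf("bad decrypt") // the message openssl prints
	}
	return pt[:len(pt)-pad], nil
}

// TruncateBlocks drops n trailing cipher blocks to simulate a file cut short.
func TruncateBlocks(armored string, n int) string {
	raw, _ := base64.StdEncoding.DecodeString(armored)
	return base64.StdEncoding.EncodeToString(raw[:len(raw)-n*aes.BlockSize])
}

func main() {
	// Constructed sample values; a real openssl run draws a random salt.
	salt := []byte("\x01\x23\x45\x67\x89\xab\xcd\xef")
	pass := []byte("correct horse")
	plaintext := []byte("Line one of the secret notes file.\nLine two of the secret notes file.\n")
	armored, _ := Encrypt(sha256.New, pass, salt, plaintext)
	pt, err := Decrypt(sha256.New, pass, armored)
	fmt.Printf("sha256, right passphrase: err=%v, %d bytes\n", err, len(pt))
	_, err = Decrypt(md5.New, pass, armored) // the digest that was the default years ago
	fmt.Printf("md5, right passphrase:    err=%v\n", err)
	_, err = Decrypt(sha256.New, []byte("correct h0rse"), armored)
	fmt.Printf("sha256, wrong passphrase: err=%v\n", err)
	pt, err = Decrypt(sha256.New, pass, TruncateBlocks(armored, 1))
	fmt.Printf("truncated: err=%v, prefix intact=%v\n", err, bytes.HasPrefix(plaintext, pt))
}
```

Pass md5.New to Decrypt for a file made when md5 was the default, which is what "-md md5" does on the command line.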



Re: How to disable httpd's default

2022-01-14 Thread Crystal Kolipe
On Fri, Jan 14, 2022 at 07:50:36PM +, i...@protonmail.com wrote:
> > It's not. Put the invalid block first and remove the wildcard block at the 
> > end.
> 
> It doesn't work. Then the valid domains gets served with the
> self-made certificate.

It does work.  You must have an error in your config file.



Re: ttyflags hangs on Dell PowerEdge R200

2022-01-14 Thread Crystal Kolipe
On Fri, Jan 14, 2022 at 10:41:52PM +0100, Jan Stary wrote:
> I suspect it's com1; I have yet to try commenting out just tty01.
> But commenting out both makes it boot OK.
> 
> com0 at acpi0 COMA addr 0x3f8/0x8 irq 4: ns16550a, 16 byte fifo
> com1 at acpi0 COMB addr 0x2f8/0x8 irq 3: ti16750, 64 byte fifo
> 
> Are these known to misbehave under ttyflags?
> 
> I realize a lot has changed since then, but it's a production machine,
> and while I would love nothing more than go through the releases one
> by one, this machine has to run now.

Well there were recently changes to make com attach via acpi, and now
you have a com port that you didn't have before.

My suspicion would be that the new com1 either does not really exist in
hardware, or that it's mis-configured.

Does the BIOS mention it?  Can it be disabled there?



Re: Bioctl password file

2022-01-06 Thread Crystal Kolipe
On Thu, Jan 06, 2022 at 12:23:43PM -0500, fo...@dnmx.org wrote:
> So, instead of using a password or a keyfile, I'd like to use a passfile.
> How do I create one? I tried searching on the internet but couldn't find
> an guide.
> 
> Do I just put the password itself in the file and chmod it to the
> specified permissions?

Yes.



Re: cu/screen non-functional on 115200 (9600 ok)

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 06:31:38PM +, Laura Smith wrote:
> > Is there any hardware handshaking on this serial connection?
> 
> Not AFAIK, vendor spec for connection is "serial port settings are 115200, 8 
> data bits, and no parity"
> I'm using a good old "Cisco-style" cable (serial at one end, RJ45 at the 
> other)

It probably does have hardware handshaking then, which is a good thing.

> Not AFAIK. I had vendor support guy on the line and I was screensharing. His 
> expectation was everything should be at 115200.

What serial interface are you using on the OpenBSD machine?  Is it a puc device 
by any chance?  It's possible that the serial port on your OpenBSD machine is 
actually running at 115200, even though you have it set to 9600.

I'm also wondering if it's possible that when the switch is reset, the serial 
line is going low for long enough to be recognised as a break and confusing 
misbehaviour that way.



Re: Can OpenBSD use more than one fdisk partition?

2022-01-06 Thread Crystal Kolipe
On Thu, Jan 06, 2022 at 11:11:30AM -, Stuart Henderson wrote:
> You can create more than one "fdisk partition" but there's not much
> point in doing so. It doesn't give you any extra "disklabel partitions".

There is a niche use case for multiple OpenBSD MBR partitions, though:

Imagine a machine with an existing disk layout like this:

Disk: vnd0       geometry: 156250/1/100 [15625000 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 0C      0   0  65 -  41943   0  68 [          64:     4194304 ] Win95 FAT32L
 1: 83  41943   0  69 -  83886   0  72 [     4194368:     4194304 ] Linux files*
 2: 82  83886   0  73 - 125829   0  76 [     8388672:     4194304 ] Linux swap
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

The spoofed disklabel would look something like:

# /dev/rvnd0c:
type: vnd
disk: vnd device
label: fictitious
duid: 
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 156250
total sectors: 15625000
boundstart: 0
boundend: 15625000
drivedata: 0 

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         15625000                0  unused
  i:          4194304               64   MSDOS
  j:          4194304          4194368  ext2fs
  k:          4194304          8388672 unknown

Note that there is about 1.5 Gb of free space at the end of the disk.

If you now wanted to install OpenBSD on this disk, keeping the Linux 
installation but deleting the FAT partition at the beginning, you could edit 
the MBR to include two OpenBSD MBR partitions:

Disk: vnd0       geometry: 156250/1/100 [15625000 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: A6      0   0  65 -  41943   0  68 [          64:     4194304 ] OpenBSD
 1: 83  41943   0  69 -  83886   0  72 [     4194368:     4194304 ] Linux files*
 2: 82  83886   0  73 - 125829   0  76 [     8388672:     4194304 ] Linux swap
 3: A6 125829   0  77 - 156249   0 100 [    12582976:     3042024 ] OpenBSD

The spoofed disklabel would now look like this:

# /dev/rvnd0c:
type: vnd
disk: vnd device
label: fictitious
duid: 
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 156250
total sectors: 15625000
boundstart: 64
boundend: 4194368
drivedata: 0 

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         15625000                0  unused
  i:          4194304          4194368  ext2fs
  j:          4194304          8388672 unknown

Note that the bounds of the OpenBSD partition no longer cover the whole disk, 
as they did when there was no OpenBSD MBR partition, but now only span the 
space defined by the first OpenBSD MBR partition.

We can change the bounds:

# /dev/rvnd0c:
type: vnd
disk: vnd device
label: fictitious
duid: a8dacebd60fac195
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 156250
total sectors: 15625000
boundstart: 64
boundend: 15625000
drivedata: 0 

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         15625000                0  unused
  i:          4194304          4194368  ext2fs
  j:          4194304          8388672 unknown

And now create disklabel partitions across the whole of the disk:

# /dev/rvnd0c:
type: vnd
disk: vnd device
label: fictitious
duid: a8dacebd60fac195
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 156250
total sectors: 15625000
boundstart: 64
boundend: 15625000
drivedata: 0 

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          4194304               64  4.2BSD   2048 16384     1
  b:          1048624         12582976    swap
  c:         15625000                0  unused
  d:          1993376         13631616  4.2BSD   2048 16384     1
  i:          4194304          4194368  ext2fs
  j:          4194304          8388672 unknown

Note that the disklabel editor will not, by default, allow you to create a 
disklabel partition which overlaps space used by one of the other MBR 
partitions, which is usually a good thing and probably the behaviour that most 
people would want.

However, if we instead wanted to use the space currently allocated 

Re: Can OpenBSD use more than one fdisk partition?

2022-01-06 Thread Crystal Kolipe
On Thu, Jan 06, 2022 at 01:27:25PM +, Stuart Henderson wrote:
> On 2022/01/06 09:56, Crystal Kolipe wrote:
> > On Thu, Jan 06, 2022 at 11:11:30AM -, Stuart Henderson wrote:
> > > You can create more than one "fdisk partition" but there's not much
> > > point in doing so. It doesn't give you any extra "disklabel partitions".
> > 
> > There is a niche use case for multiple OpenBSD MBR partitions, though:
> 
> I said "not much" rather than "no" for a reason. I didn't think it was
> really helpful to go into more details of things which are possible but
> inadvisable.

I agree that such a partitioning scheme isn't very useful in practice, but
I think the example helps people to understand that the BSD disklabel does
not live "inside" the OpenBSD MBR partition.

There seems to be this kind of urban myth that the MBR partitioning scheme
is treated as the "overall" disk layout and that the OpenBSD partition is
then "sub-divided" into pieces which only matter to OpenBSD.  Then people
start making wrong assumptions, such as that the disklabel is always in
the same location, that it's portable between architectures, that a disk
without an OpenBSD MBR partition can't have a disklabel, and that changes
to the MBR partitions will or should be reflected in the disklabel
automatically.



Re: Can OpenBSD use more than one fdisk partition?

2022-01-06 Thread Crystal Kolipe
On Thu, Jan 06, 2022 at 11:57:06AM +0100, Marek Kozlowski wrote:
> https://www.openbsd.org/faq/faq14.html says:
> 
> *Normally*, only one OpenBSD fdisk partition will be placed on a disk and
> that partition will then be subdivided into disklabel partitions.
> 
> The fs naming scheme suggests that only one OpenBSD partition for a drive is
> allowed.
> 
> I'd really appreciate some clarification:
> 
> *Normally* only one fdisk partition. How about *abnormally*? I mean: is it
> technically possible to place (and use!) more than one OpenBSD partition for
> a drive?

Of course, you can create more than one OpenBSD MBR partition, fdisk will not 
prevent you from doing this, although it will warn about it.

However, you can't really do anything useful with it, and the reason becomes 
obvious when you look into how disk partitioning works on OpenBSD, (and on most 
BSD systems).

OpenBSD basically doesn't care about the MBR, (or GPT).  Disk partitioning in 
OpenBSD is defined by the BSD disklabel.  The MBR, (or GPT), is only consulted:

* At boot time
* When no BSD disklabel exists on the disk, (or it is deliberately being 
ignored)

So even if you create more than one OpenBSD MBR partition, there will still 
only ever be one BSD disklabel for that disk that matters, either real or 
spoofed.

It is also NOT the case that each OpenBSD MBR partition contains a disklabel, 
NOR that the disklabel, if it exists, is always in the second sector of the 
OpenBSD partition.  The location of the BSD disklabel also varies by 
architecture.

So basically, whatever you are trying to do by creating a second OpenBSD MBR 
partition, it almost certainly will not work.

HOWEVER, what I suspect that you are trying to do, based on your previous email 
about the firmware for your wifi card, is to add a separate partition to the 
installer image, independent of the filesystems that are already on it.

This can be done in several ways, but none of them involve creating a second 
OpenBSD MBR partition.  I actually did this, (and documented it), when I 
installed OpenBSD on my Pinephone, (although that was a bit of a special case, 
as I was overwriting the installation media itself during the installation).

If you are indeed trying to make the wifi firmware accessible during the 
installation, and you are new to OpenBSD, I suggest that you use a separate USB 
flash drive for the extra files, as it will be much quicker and easier to 
prepare, especially if you don't have access to another OpenBSD machine.

If you are really determined to add the files to the existing installer image, 
you can:

* Use the 'b' option of the disklabel program invoked as disklabel -E, to
  increase the bounds of the OpenBSD area to the size of the entire flash drive
* Add a new disklabel partition
* Create a filesystem on it and copy the required files to it

> BTW: One more thing is not clear for me from that FAQ as well as:
> 
> https://man.openbsd.org/?query=mount_=8=1
> https://man.openbsd.org/mount
> 
> If I'm able to mount an NTFS or EXT3 partition using a /dev/* block device
> file. What are the names for OTHER fdisk partitions?

If there is no BSD disklabel already on the media, then the kernel will assign 
non-OpenBSD partitions to disklabel partitions starting with i, so the first 
will be /dev/sdXi, the second, /dev/sdXj, and so on.

However, again, if you are thinking of adding a non-OpenBSD partition to the 
installer image, it will not automatically be recognised, as that image already 
has a real disklabel, so the kernel will ignore your additional partition.  You 
would need to add it to the disklabel manually, which you could do within the 
installer by dropping to a shell, creating the relevant device files in /dev, 
looking at the output of disklabel -d, noting the details for your new 
non-OpenBSD partition, and then editing the disklabel manually to add them to 
the existing disklabel.

If this is your first OpenBSD installation, I strongly suggest that you simply 
complete the installation without the NIC, and install the firmware afterwards, 
as has already been suggested.
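As an added illustration that is not from this thread (the names and the sector-building helper are my own, and the constructed table is the first layout shown earlier in the thread), this Go program parses an MBR partition table, reproduces the C/H/S columns that fdisk derives from the LBA fields for the 156250/1/100 geometry, and builds the spoofed disklabel the kernel synthesises when no real label exists. It shows the two points made above: the bounds follow the first OpenBSD (A6) partition only, and foreign partitions become i, j, k regardless of where that OpenBSD partition sits.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// DOS-style MBR layout as read by fdisk(8): four 16-byte slots at offset 446
// and the little-endian 0x55AA signature at offset 510.
const tableOffset, signature, typeOpenBSD = 446, 0xAA55, 0xA6

// MBREntry keeps the fields the kernel and fdisk rely on; the packed CHS bytes
// are ignored (fdisk derives the C/H/S columns it prints from the LBA fields).
type MBREntry struct {
	Type  byte
	Start uint32 // first sector (LBA)
	Size  uint32 // length in sectors; 0 marks an unused slot
}

// CHS is the cylinder/head/sector triple fdisk prints for an LBA under the
// given heads/sectors geometry; sectors count from 1, as in fdisk's table.
func CHS(lba, heads, sectors uint32) (c, h, s uint32) {
	perCyl := heads * sectors
	return lba / perCyl, (lba % perCyl) / sectors, lba%sectors + 1
}

// BuildMBR assembles a 512-byte boot sector (constructed sample data).
func BuildMBR(entries [4]MBREntry) []byte {
	sector := make([]byte, 512)
	for i, e := range entries {
		off := tableOffset + 16*i
		sector[off+4] = e.Type
		binary.LittleEndian.PutUint32(sector[off+8:], e.Start)
		binary.LittleEndian.PutUint32(sector[off+12:], e.Size)
	}
	binary.LittleEndian.PutUint16(sector[510:], signature)
	return sector
}

// ParseMBR checks the signature and decodes the four slots.
func ParseMBR(sector []byte) (entries [4]MBREntry, err error) {
	le := binary.LittleEndian
	if len(sector) < 512 || le.Uint16(sector[510:]) != signature {
		return entries, fmt.Errorf("not a valid MBR sector")
	}
	for i := range entries {
		off := tableOffset + 16*i
		entries[i] = MBREntry{sector[off+4], le.Uint32(sector[off+8:]), le.Uint32(sector[off+12:])}
	}
	return entries, nil
}

// LabelPart is one line of a disklabel: letter, size, offset, fstype.
type LabelPart struct {
	Letter       byte
	Size, Offset uint32
	FSType       string
}

// fsTypes covers the ids seen in the thread (simplified; the kernel knows more). Others spoof as "unknown".
var fsTypes = map[byte]string{0x0C: "MSDOS", 0x83: "ext2fs"}

// SpoofLabel models the "fictitious" label the kernel builds when a disk has
// no real disklabel: bounds come from the first OpenBSD MBR partition (the
// whole disk if there is none) and foreign partitions become i, j, k, ...
func SpoofLabel(entries [4]MBREntry, total uint32) (boundStart, boundEnd uint32, parts []LabelPart) {
	boundEnd = total
	boundsSet, next := false, byte('i')
	for _, e := range entries {
		switch {
		case e.Size == 0: // unused slot
		case e.Type == typeOpenBSD:
			if !boundsSet { // only the first OpenBSD slot sets the bounds
				boundStart, boundEnd, boundsSet = e.Start, e.Start+e.Size, true
			}
		default:
			fs, ok := fsTypes[e.Type]
			if !ok {
				fs = "unknown"
			}
			parts = append(parts, LabelPart{next, e.Size, e.Start, fs})
			next++
		}
	}
	return
}

func main() {
	// Constructed sample: the thread's first layout (FAT32, Linux, swap), 15625000 sectors, geometry 156250/1/100.
	table := [4]MBREntry{{0x0C, 64, 4194304}, {0x83, 4194368, 4194304}, {0x82, 8388672, 4194304}, {}}
	entries, err := ParseMBR(BuildMBR(table))
	if err != nil {
		panic(err)
	}
	c, h, s := CHS(entries[0].Start, 1, 100)
	fmt.Printf("slot 0 starts at C/H/S %d/%d/%d, matching fdisk's 0 0 65\n", c, h, s)
	start, end, parts := SpoofLabel(entries, 15625000)
	fmt.Println("boundstart:", start, "boundend:", end, "partitions:", parts)
}
```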



Re: What password manager do you recommend?

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 01:44:51PM -0800, Sean Kamath wrote:
> > On Jan 7, 2022, at 13:38, Crystal Kolipe  wrote:
> > 
> > On Fri, Jan 07, 2022 at 01:23:30PM -0800, Sean Kamath wrote:
> >> gpg < file.gpg
> > 
> > Why gpg and not openssl?
> 
> 21 years of muscle memory?
> 
> But that is a good point. . . Hrm.

OK, so I decided to see how easily this could be implemented using just what's 
in the OpenBSD base install.

Passphrase manager in 584 bytes:

#!/bin/sh
# Encrypted store, one entry per line; created on first use with a marker line.
F="$HOME/.pwm/secrets"
mkdir -m 700 ~/.pwm 2> /dev/null
if [[ -z "$1" ]] ; then exit ; fi
read P?'Passphrase? '
if [[ ! -e $F ]] ; then echo FiLeMaGiC | openssl enc -k "$P" -chacha -out $F ; fi
# Left-justify the name in a fixed 16-column field, so grep can match the padded prefix.
typeset -L16 name=$1
# Decrypt to a temporary file; a wrong passphrase shows up as a missing marker.
openssl enc -k "$P" -d -chacha -in $F -out "$F"_
head -1 "$F"_ | grep -q FiLeMaGiC || { echo "Wrong passphrase!" ; rm "$F"_ ; exit ; }
# Existing entry: print it and stop.
grep "^$name" "$F"_ && { rm "$F"_ ; exit ; }
# Otherwise generate a 16-character passphrase, show it, append it and re-encrypt.
echo $name not found, creating new entry:
N=`openssl rand -base64 - 12 | cut -b 1-16`
echo "$name"$N
echo "$name"$N | cat "$F"_ - | openssl enc -k "$P" -chacha -out $F
rm "$F"_

It's quite simple, you call it with one argument, which is your reference for 
the place that the passphrase corresponds to.  If it already exists in the 
database, it's printed.  If not, a new passphrase is created:

$ ./pwm bank
Passphrase? foobar
bank not found, creating new entry:
bank            pFjrBm8hEuUcupj0

$ ./pwm email_provider 
Passphrase? foobar
email_provider not found, creating new entry:
email_provider  VKLuZTUcQjkh+jLc

$ ./pwm bank
Passphrase? foobar
bank            pFjrBm8hEuUcupj0

$ ./pwm bank
Passphrase? baz
Wrong passphrase!

$ hexdump -C .pwm/secrets
00000000  53 61 6c 74 65 64 5f 5f  c0 dc ac 04 28 5f 68 96  |Salted__....(_h.|
00000010  7c 27 c3 c8 c8 ed 32 81  c3 e1 5a cb 73 41 78 0d  ||'....2...Z.sAx.|
00000020  e8 30 39 ce 49 91 eb 1c  87 51 84 59 15 93 05 87  |.09.I....Q.Y....|
00000030  c8 56 1e fe 77 21 f3 d3  b0 6e 60 ea 06 fd 6a 4c  |.V..w!...n`...jL|
00000040  c0 ca 60 dd dd ee 47 3b  a2 e8 43 2d 2c 5f ed e0  |..`...G;..C-,_..|
00000050  a9 e4 e7 be b8 91 48 b5  36 da 9c 91              |......H.6...|

It's obviously not intended for serious use, but it demonstrates the principle 
that there isn't always a need to go rushing to the ports tree for simple 
tasks.  A lot of good tools are already in the base install.



Re: What password manager do you recommend?

2022-01-07 Thread Crystal Kolipe
On Fri, Jan 07, 2022 at 01:23:30PM -0800, Sean Kamath wrote:
> gpg < file.gpg

Why gpg and not openssl?



Re: Help with basic pf rule to open port 25

2022-01-06 Thread Crystal Kolipe
On Thu, Jan 06, 2022 at 03:39:00PM -0500, Sean McBride wrote:
> I don't actually want to use OpenSMTPD, I was just using it as a way to test
> my experimental pf rules.  I'l try to find some other way to test them.

netcat

# man nc



Re: Generating Disk Labels for New Fdisk Partitions

2022-01-19 Thread Crystal Kolipe
On Wed, Jan 19, 2022 at 10:13:02PM +, thatfatblack...@disroot.org wrote:
> After installing OpenBSD I realized I was going to need another
> partition, so I went ahead and created it with fdisk.
> 
> Problem is that partition is not showing up like sd0i or sd0j.

This is expected behaviour.  Since your disk has a 'real' disklabel on it, any 
other fdisk partitions that you create will not be parsed and added 
automatically.

> I need a way to generate it without having to reinstall OpenBSD.

You need to add the details of the new, non-OpenBSD partition to the disklabel 
manually.

This is not difficult.  If you invoke disklabel with the -E parameter, you will 
be able to edit the disklabel partitions in the same way that you did in the 
installer, so you can use option 'a' to add a partition, and fill in the 
correct parameters, such as offset, size, etc.

If you don't know the parameters, invoke disklabel with the -d parameter.  This 
will show you how the kernel would parse the partitions if there was no 
disklabel already present.  From this information, you should be able to pick 
out which is your new partition, probably i or j, note the details down, then 
add them as described above.



Re: No firefox on OpenBSD 7.0 i386?

2022-01-19 Thread Crystal Kolipe
On Thu, Jan 20, 2022 at 01:46:11AM +0100, Riccardo Mottola wrote:
> Crystal Kolipe wrote:
> > On Fri, Jan 07, 2022 at 03:38:11PM +, Roderick wrote:
> >> I just updated OpenBSD to 7.0. After pkg_add -u, it seems
> >> firefox was not updated:
> > Firefox no longer builds on i386, since shortly after the release of 
> > OpenBSD 6.9.
> 
> I noticed that too, it is sad. Wonder why?

See the commit log for revision 1.460 of the makefile.

I'm sure that it could be fixed, but that requires somebody with an
interest in fixing it.

Also, just because it compiles and runs, doesn't mean that it's going
to be usable for doing useful work.



Re: No firefox on OpenBSD 7.0 i386?

2022-01-20 Thread Crystal Kolipe
On Thu, Jan 20, 2022 at 04:28:45PM +0100, Jan Stary wrote:
> > On Fri, 7 Jan 2022 15:38:11 + (UTC)
> > Roderick  wrote:
> > 
> > > With chrome I have a problem, because it does not separate URL
> > > entry from search entry.
> 
> Why is that a problem?

Presumably because if you make a typo when entering a URL, it sends the URL 
string, (which may contain references to a private server), to a search engine.



Re: How to disable httpd's default

2022-01-14 Thread Crystal Kolipe
On Fri, Jan 14, 2022 at 08:59:00AM -0500, Steven Shockley wrote:
> Note that this does not require haproxy to have the client certificates,
> since the hostname is transmitted in plaintext with SNI.

At the moment, yes, but at some point we might implement ECH...



Re: Unable to decrypt a file with LibreSSL

2022-01-13 Thread Crystal Kolipe
On Thu, Jan 13, 2022 at 03:50:15AM +, Ricky Cintron wrote:
> ------- Original Message -------
> 
> On Wednesday, January 12th, 2022 at 1:14 PM, Crystal Kolipe 
>  wrote:
> 
> > On Wed, Jan 12, 2022 at 08:56:19PM +, Ricky Cintron wrote:
> >
> > > As the subject reads, I am suddenly unable to decrypt a file that I 
> > > encrypted
> > >
> > > with LibreSSL. When I try, I get the following message:
> > >
> > > bad decrypt
> > >
> > > 11957684617984:error:06FFF064:digital envelope routines:CRYPTO_internal: \
> > >
> > > bad decrypt:/usr/src/lib/libcrypto/evp/evp_enc.c:549:
> > >
> > > I haven't been able to figure out the cause, so I'm looking for guidance.
> >
> > That error message is very non-specific, and can have many causes.
> >
> > > Some more information:
> > >
> > > I encrypted this file around September or October of 2021 using the 
> > > following
> > >
> > > command:
> > >
> > > $ openssl aes-256-cbc -e -a -salt -in  -out 
> > >
> > > And to decrypt it, I use
> > >
> > > $ openssl aes-256-cbc -d -a -in  -out 
> > >
> > > I also configured neovim to allow me to open and overwrite the file
> > >
> > > transparently, using an autocmd group, which has worked without issue. I
> > >
> > > upgraded my -current system on Saturday, January 8 (OpenBSD 7.0-current
> > >
> > > (GENERIC.MP) #242: Sat Jan 8 12:33:38 MST 2022), and I was able to 
> > > decrypt it
> > >
> > > with neovim on Monday, but I didn't modify/write the file (it was last 
> > > modified
> > >
> > > on Dec 20 2021). I attempted to open the file again in neovim on Tuesday, 
> > > but
> > >
> > > was presented with the 'bad decrypt' message instead. I initially tried in
> > >
> > > neovim, but I'm seeing the same message when I use the openssl command 
> > > (above)
> > >
> > > directly.
> >
> > Just to confirm, you were able to decrypt it once after the system upgrade 
> > on
> >
> > the 8th, but subsequently failed, the file itself has, (apparently), not 
> > been
> >
> > modified, and you have not made any other changes to the system?
> >
> > When you attempt to decrypt from the command line, do you get partial 
> > decrypted
> >
> > output, I.E. the beginning of the expected plaintext? A truncated ciphertext
> >
> > can cause the 'bad decrypt' error, but the start of the file will be 
> > correctly
> >
> > decrypted.
> >
> > Since your encrypted file is base64 encoded, have you looked at it and 
> > checked
> >
> > that it's not corrupted? For example, 512 bytes of all 0x00 or 0xFF 
> > somewhere
> >
> > in it would obviously be suspicious.
> >
> > Are you absolutely sure that you are using the correct passphrase?
> >
> > Finally, and this is NOT your problem, but I'm mentioning it for the 
> > benefit of
> >
> > anybody searching the mailing list archives with a similar problem: a 
> > number of
> >
> > years ago the default message digest for OpenSSL changed, (from md5 to 
> > sha256),
> >
> > and files encrypted with the old md will need -md md5 specified on the 
> > command
> >
> > line to decrypt them with current versions of OpenSSL or LibreSSL. But that 
> > is
> >
> > not the issue here.
> 
> I was going to respond to each of your questions individually, but when I 
> went to
> copy/paste the additional text that is printed along with the 'bad decrypt'
> message to stdout (when not using the -out option), my muscle memory 
> apparently
> kicked in just enough to hint that I was possibly messing up the password. So
> yeah, I can confirm that, for some absurd reason, I had mixed up some symbols 
> in
> the password, and after correcting it, I am now able to decrypt the file 
> again.
> That's two days of attempting the wrong password. Just stunning. :|

It's nowhere near as uncommon as you think.  We once had somebody bring us a
file that "wouldn't decrypt" with the correct passphrase.  Suspecting that it
was a typo made whilst encrypting, we wrote a program to brute-force the
possible keystrokes around the given keys.  For example, if the first character
was supposedly 'f', we tested e, r, t, d, f, g, c, v, and b in that position.
With a few optimisations to test what seemed the most likely combinations
first, we found

Re: How to disable httpd's default

2022-01-14 Thread Crystal Kolipe
On Fri, Jan 14, 2022 at 05:52:21AM -0700, Anthony J. Bentley wrote:
> Crystal Kolipe writes:
> > On Fri, Jan 14, 2022 at 01:49:01AM -0700, Anthony J. Bentley wrote:
> > > The natural next question would be what leaks when someone accesses the
> > > server using a made-up hostname.
> >
> > By 'made-up hostname', I'm assuming that you mean connecting to the server's
> > IP address and then having the TLS handshake include an SNI field containing
> > a domain name that is not listed in the public DNS for that IP, and for
> > which the server is not specifically configured.
> >
> > In that case, what are you concerned about leaking?
> 
> I understood the original question to mean a situation like: the server
> is intended to serve pages for a given set of hostnames, including over
> TLS; if an IP address or any other hostname is requested, then don't
> serve any of those pages and don't leak any valid hostnames through the
> certificate. That's a question I've had myself.

Yes, I understood the question in the same way.

> > I didn't suggest a 'fake' certificate.  I suggested a certificate with a
> > literal IP in the CN and SAN fields.  This would be the correct certificate
> > to present when connecting to the literal IP, and in the case of a 'made-up'
> > hostname that the server doesn't actually host, a literal IP cert makes
> > sense too.
> 
> 'Fake' was not a judgmental term. I was suggesting that if there is
> no intent to serve actual content when the user manually enters an IP
> address, then there's no need for the certificate to manually specify
> the IP

I don't 100% agree with that assumption.

> instead it makes more sense to generate a single catch-all
> certificate for all invalid cases (many hostnames and potentially
> multiple IP addresses). In that case, the reserved name "invalid"
> makes sense, doesn't it?

Well, I don't think that we should assume that a literal IP address and an
invalid hostname are best treated in the same way.

Assuming that the server config is correct, and that all DNS entries are
correct, then requesting an invalid hostname makes no sense.  There is no
sensible response, and the request is likely to be coming from an unwanted
bot anyway.  So no point in serving any content, and since they already know
your IP, nothing to gain or lose by serving a cert with just that IP in the CN
and SAN.

In the case of a request for a literal IP, that does potentially have a genuine
use-case.  Somebody debugging a problem with a broken client, network issue,
DNS resolution problem, etc, etc.  Ideally in this case, you would serve no
http content, but with a real CA signed cert with the literal IP.  That way,
the client knows that they actually reached the intended machine, (no MITM),
and can assume that the decision to serve no content was intentional.

Since such a cert is not available free of charge, and most people would not
want to pay for one, you can either use a cert for your real domain, (which
we do), or a cert for a junk domain that you don't use, or a self-signed cert.

I think that a self-signed cert for the literal IP case looks more professional,
but at the end of the day, I suppose it doesn't really matter.



Re: OpenBSD 7.4

2023-10-13 Thread Crystal Kolipe
On Fri, Oct 13, 2023 at 10:36:43AM +, Laura Smith wrote:
> Certainly by all means, track that file on CVS as the "source of truth" but
> ultimately there's no certainty until it happens.

For more accuracy you could try grabbing a local copy of the CVS repo with
reposync and writing a script to carefully analyse the changes to every file
across each release ever made, compare them to previous known release dates,
do some kind of statistical analysis using a machine learning system, produce
a mathematical model that approximates the mental processes of the developers
involved, manually adjust the algo for known external factors then compute an
estimated release date for 7.4.

Or just wait until Monday.



Re: USB serial local getty terminal re-prompts for login on any input

2023-10-26 Thread Crystal Kolipe
On Thu, Oct 26, 2023 at 12:20:08PM -0400, Morgan Aldridge wrote:
> Yes, your assumption was correct, every keypress acts as if I had pressed
> enter. Thanks for confirming!

Getty re-displays the login prompt when it sees either 0x00 or 0x80 on the
serial line.  In fact, you can do it from the normal framebuffer console too,
just hit control-@ at the login prompt and it should repeat.

(This is a historic behaviour which was once used for semi-automatic baud rate
 selection where you hit 'BREAK' a few times to get the remote end to cycle
 through all the speeds it supported until you, (hopefully), got a login
 prompt).

So in your case, it seems that either the terminal is putting something on the
serial data lines that the USB serial adaptor is interpreting as nulls, or
possibly it's doing something with the handshaking lines that makes the
USB serial adaptor generate the equivalent internally.

Any extra nulls added as padding bytes probably wouldn't show up in the
loopback test either, because the terminal would just happily ignore them.



Re: __dead

2023-11-07 Thread Crystal Kolipe
On Tue, Nov 07, 2023 at 04:01:12PM +, Lucretia wrote:
> I read the whole file top to bottom, slowly and with care, and saw no
> comments about __dead. Unless by chance they've been added since
> 7.4 release.

Immediately above where __dead and __pure are defined is the following
comment:

/*
 * GCC1 and some versions of GCC2 declare dead (non-returning) and
 * pure (no side effects) functions using "volatile" and "const";
 * unfortunately, these then cause warnings under "-ansi -pedantic".
 * GCC >= 2.5 uses the __attribute__((attrs)) style.  All of these
 * work for GNU C++ (modulo a slight glitch in the C++ grammar in
 * the distribution version of 2.5.5).
 */

This, with a few updates and changes, has been in the source code
for > 30 years.

For reference, the same comment in the same file in the NetBSD tree
is a bit more verbose and gives some examples of what pure and const
are used for.



Re: __dead

2023-11-07 Thread Crystal Kolipe
On Tue, Nov 07, 2023 at 03:08:18PM +, Lucretia wrote:
> I've seen __dead a few places in the source code, does this mean it isn't
> functional anymore, or maybe just deprecated?

Read the comments about it in /usr/src/sys/sys/cdefs.h.



Re: USB serial local getty terminal re-prompts for login on any input

2023-10-26 Thread Crystal Kolipe
On Wed, Oct 25, 2023 at 01:35:39PM -0400, Morgan Aldridge wrote:
> On the terminal, keeping the same 9600 8N1 settings, but enabling local
> echo, and shorting the TX/RX pins gets me duplicated input with no odd
> characters or breaks (AFAICT).
> 
> On the OpenBSD side (with getty disabled on the tty, of course), I ran `cu
> dr -l ttyU1 -s 9600` and jumped the TX/RX pins, and confirmed that the
> characters entered were received back without any breaks or odd characters
> (though there's no local echo.) I confirmed that cu(1) is just not echoing
> locally by un-jumping the TX/RX pins and seeing that I did _not_ receive
> the characters entered.

OK, so the hardware is essentially working, that's good.

Could you confirm exactly what you meant when you said:

On Mon, Oct 23, 2023 at 11:37:10PM -0400, Morgan Aldridge wrote:
> Unfortunately, regardless of what input is provided on the
> terminal, getty(8) just sends a new login prompt.

Do you mean that:

1. Any single keypress triggers a new login prompt, (as if you were pressing
   enter each time).

or

2. You can successfully enter a username, which is echoed back but then
   pressing enter the system just presents you with another login prompt
   instead of accepting the username and asking for a password.

I assumed it was '1', but just want to check before going any further.



Re: PineView not using the whole screen

2023-10-26 Thread Crystal Kolipe
On Thu, Oct 26, 2023 at 10:07:41AM +0200, Daniele B. wrote:
> Just to specify I'm hoping you are going to solve this software issue in
> the next releases (a properly running device driver is maybe better that
> properly running sleep button at my side)

What software issue are you talking about?

Do you actually have any keyboards that don't work correctly with OpenBSD?

What is the problem with the ucc driver attaching as well?  Does it break
anything?



Re: PineView not using the whole screen

2023-10-26 Thread Crystal Kolipe
On Thu, Oct 26, 2023 at 12:15:47PM +0200, Daniele B. wrote:
> Well, here for a secure OpenBSD I'm expecting a minimal usage of resources.
> But I see..if inserting my physical keyboard I get two keyboard devices
> attached to run a sleep button properly on a *consumer multimedia product*
> well..I missed maybe the point and everything is questionable.

On your keyboard there is just one extra button.

On other multimedia keyboards there might be a lot of extra buttons which are
implemented separately to the regular keyboard keys.

> Then, if you are asking tips on how to attack my working station by injection
> of keystrokes on a pseudo keyboard device I have no clue but is it important
> indeed?

If you are concerned about that possibility then you can disable the ucc driver.

But if a malicious USB device was going to inject keystrokes then it could do
that just as easily using the normal keyboard device driver, so are you going
to disable that as well?

It could also inject mouse movements and clicks as a mouse device and copy and
paste characters into your terminal, so maybe you want to disable the mouse
driver too.

And even if you go out and buy a PS/2 keyboard and mouse so that you can
disable the USB drivers, a malicious USB device could still attach as a
network card so make sure you take steps to avoid that causing any problems.

> ( I also asked you in my previous posts to stress test better this ucc driver
> and parents because my bad experiences with usb keyboards passing by an Aten
> KVM "Secure" switch, is it anything enlightening? )

Well you didn't provide any debugging info about the problem with the KVM
switch, and nothing to suggest that it was even related to the ucc driver.

Common sense suggests that the injected keystrokes are more likely to be some
kind of 'reset' sequence that the switch sends when switching between the
attached devices, or otherwise it's just buggy.  Or both.



Re: PineView not using the whole screen

2023-10-26 Thread Crystal Kolipe
On Thu, Oct 26, 2023 at 03:43:20PM +0200, Daniele B. wrote:
> Thanks a lot, appreciated, I solved with 12$ more in my wallet now.

Then you've saved enough cash to buy three of these:

https://pckeyboard.com/page/product/PANIC



Re: Default Revival of a ten years old computer : how would you do it?

2023-11-06 Thread Crystal Kolipe
On Mon, Nov 06, 2023 at 11:29:22AM +0100, h...@mailo.com wrote:
> what would you recommend them for a common web browsing using openbsd?

The surf browser in www/surf works quite well on older hardware.



Re: I nuked my filesystem

2023-09-27 Thread Crystal Kolipe
On Tue, Sep 26, 2023 at 11:14:15PM -0400, Nick Holland wrote:
> To recover sd1e, you need to recreate a disklabel that matches what
> was there before...exactly.  To the sector.

Re-creating the disklabel is obviously the primary focus in these
situations - the data which has been overwritten is gone if it's
not backed up elsewhere, but non-overwritten stuff can potentially
be recovered.

One piece of advice, which is sadly probably too late for this
particular case, but very, very useful to know and remember for
the future:

* The kernel keeps its working copy of the disklabel in memory. *

If you know this in advance, what this means is that if you overwrite
a raw disk device and realise what you've done, just keep cool.

Immediately hit ^C, and invoke disklabel.  Since you were dd'ing to a
raw device, you were likely already logged in as root and doing other
things related to partitioning, etc.  Even if you've overwritten the
boot and root partitions, things like ksh and the disklabel binary
are likely in the buffer cache.

If you can get into disklabel and display the label for the trashed
disk, then note it down somewhere, even if that means writing it down
on paper.  Having this information is the key to any recovery of data
that was not overwritten.



Re: Webcam support on Lenovo Thinkpad T14 Gen3 (Intel)

2023-10-07 Thread Crystal Kolipe
On Sat, Oct 07, 2023 at 08:51:36AM +, Comte wrote:
> The webcam seems well detected but no image is displayed...

What happens if you run /usr/X11R6/bin/video instead of using ffmpeg?

> # dmesg | grep "uvideo"
^

Please post a full dmesg next time.

> uvideo0 at uhub1 port 4 configuration 1 interface 0 "Chicony Electronics 
> Co.,Ltd. Integrated Camera" rev 2.01/54.20 addr 3
> video0 at uvideo0
> uvideo1 at uhub1 port 4 configuration 1 interface 2 "Chicony Electronics 
> Co.,Ltd. Integrated Camera" rev 2.01/54.20 addr 3
> video1 at uvideo1

However, this camera should almost certainly just work anyway.

> $ ffplay -f v4l2 -input_format mjpeg -video_size 1280x720 -i /dev/video0
   ^^^

Why?



Re: Webcam support on Lenovo Thinkpad T14 Gen3 (Intel)

2023-10-07 Thread Crystal Kolipe
On Sat, Oct 07, 2023 at 01:33:48PM +0200, Jan Stary wrote:
> On Oct 07 13:30:50, dco...@gmail.com wrote:
> > On Sat, Oct 7, 2023 at 1:26 PM Jan Stary  wrote:
> > >
> > > On Oct 07 07:08:21, kolip...@exoticsilicon.com wrote:
> > > > On Sat, Oct 07, 2023 at 08:51:36AM +, Comte wrote:
> > > > > The webcam seems well detected but no image is displayed...
> > >
> > > To be sure: you have kern.audio.record=1, right?
> > 
> > kern.video.record, not kern.audio.record.
> 
> ECOFFEE, sorry

His original mail said that he does have it enabled:

On Sat, Oct 07, 2023 at 08:51:36AM +, Comte wrote:
> # sysctl kern.video.record
> kern.video.record=1

I'm pretty sure that the issue is that he is invoking ffmpeg with
switches that expect mjpeg data from the camera, whereas the camera
actually provides raw YUV pixel data.

On Sat, Oct 07, 2023 at 08:51:36AM +, Comte wrote:
> # video -q -f /dev/video0
> video device /dev/video0:
>   encodings: yuy2
>   frame sizes (width x height, in pixels) and rates (in frames per second):
> 320x180: 30
> 320x240: 30
> 352x288: 30
> 424x240: 30
> 640x360: 30
> 640x480: 30
> 848x480: 20
> 960x540: 15
> 1280x720: 10
> 1920x1080: 5

These combinations of resolutions and framerates are typical of the
constraints of USB-2 bandwidth streaming YUV data.  If it really was mjpeg,
I'd expect 1920x1080 to be available at 30fps.



Re: rdiff-backup remotely

2023-10-05 Thread Crystal Kolipe
It's not really clear what you are talking about.

I think what you are saying is that you usually use rdiff for backup, but
you want to perform an additional backup to local media because you are
moving from one hosting provider to another and there is a possibility that
something might go wrong.

In that case, since you'll be doing a full, (non-incremental), backup
anyway, just do it the simple way - use /bin/pax, and download the archive
to your local machine over sftp afterwards.

On Thu, Oct 05, 2023 at 05:42:35AM +0200, Daniele B. wrote:
> 
> I found the fact that I'm running different versions between localhost
> and remote host (2.2.2) gives some deep scratches to rdiff-backup that
> stops to run almost immediately.
> 
> Do you suggest to wait for 7.4 and retry? other thoughts?
> 
> 
> "Daniele B."  wrote:
> 
> > Hello,
> > 
> > I'm moving on the cloud between providers and I have been suggested
> > maybe correctly to backup my little cloud stuff also manually.
> > 
> > I'm stuck on rdiff-backup and I would like to try it also remotely via
> > ssh. I have no clue how to do it yet so I'm here to ask if anyone has
> > already experienced the thing, if it is secure ( I see from the man
> > that there are some concerns ) and eventually practicable via.
> > 
> > Thanks!
> > 
> > -- Daniele Bonini 
> 



Re: Webcam support on Lenovo Thinkpad T14 Gen3 (Intel)

2023-10-07 Thread Crystal Kolipe
On Sat, Oct 07, 2023 at 07:02:23PM +, Comte wrote:
> $ video -q -f /dev/video1
> video: /dev/video1 has no usable YUV encodings
> 
> $ video -s 1920x1080 -f /dev/video1
> video: /dev/video1 has no usable YUV encodings

What does video -g -f /dev/video0 do?

(The -g flag being of interest here).

This error:

> >> On 2023 Oct 07 (Sat) at 12:53:12 + (+), Comète wrote:
> >> :Hi,
> >> :
> >> :$ video -f /dev/video0
> >> :video: ioctl VIDIOC_DQBUF: Invalid argument

... narrows it down quite a bit, but I'm still not sure why it's not working.



Re: PineView not using the whole screen

2023-10-20 Thread Crystal Kolipe
On Fri, Oct 20, 2023 at 05:00:47PM +0200, Daniele B. wrote:
> 
> > wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
> > wskbd1: connecting to wsdisplay0
> > wskbd2: connecting to wsdisplay0
> > wsdisplay0: screen 1-5 added (std, vt100 emulation)
> 
> Just to add, that these are my settings too, from a life and these don't
> depend on 7.4.
> I also wonder the same when it is about the two keyboards.

https://marc.info/?l=openbsd-tech&m=162922414816784



Re: PineView not using the whole screen

2023-10-20 Thread Crystal Kolipe
On Fri, Oct 20, 2023 at 04:46:32PM +0200, Jan Stary wrote:
> bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe69cb (27 entries)
> bios0: vendor Intel Corp. version "MWPNT10N.86A.0069.2010.0913.1432" date 
> 09/13/2010
> bios0: Intel Corporation D525MW

These are very old boards, we had one which was decommissioned some time ago
but previously ran OpenBSD from release 5.0 up to some time around 6.2.

I remember always seeing the same issue with only the top left 1280 x 800
portion of a 1920 x 1080 display used when it was on the console but I never
bothered to investigate it further because the machine was mostly used
headless.

In X11 it worked fine, (if slowly), using the whole 1920 x 1080 resolution.

So this is not exclusively a new problem with this motherboard.

Also, ours exhibited a strange bug with the USB subsystem in that the mouse
stopped working every time the machine was powered off and on, and had to be
physically disconnected and re-connected to be recognised again.  No other USB
peripherals suffered the same problem, and the mouse worked fine on other test
machines.



Re: USB serial local getty terminal re-prompts for login on any input

2023-10-24 Thread Crystal Kolipe
On Mon, Oct 23, 2023 at 11:37:10PM -0400, Morgan Aldridge wrote:
> I have experimented with the following with no change in the underlying
> issue of the terminal showing the login prompt, but each character input
> causing the login prompt to be resent:

If you short the tx/rx lines at the DE-9 end and then access the serial
device using /usr/bin/cu on the OpenBSD machine, does your input
reliably echo back to you?  Or are some characters lost or garbled?

(Obviously remove or disable the ttys line for this test.)

You might need to short rts/cts and dtr/dsr as well depending on your
hardware handshaking setup.



Re: shmmax

2023-11-10 Thread Crystal Kolipe
On Fri, Nov 10, 2023 at 03:17:29PM +0100, Daniele B. wrote:
> As my system is still fast and running properly after this tweak I need
> to ask if you think that sysupgrade requires or will (I doubt) any
> special value for shmmax?

Leave it at the default setting.



Re: calling all PFsync users for experience, gotchas, feedback, tips and tricks

2022-05-19 Thread Crystal Kolipe
On Thu, May 19, 2022 at 09:35:53AM -, Stuart Henderson wrote:
> On 2022-05-19, Jordan Geoghegan  wrote:
> > I've run pfsync + CARP for a number of years now. One interesting 
> > "gotcha" I discovered when building an IPv6-only test network was that 
> > pfsync does not work in an IPv6-only environment. I tried both unicast 
> > and multicast configurations to no avail. When pfsync has a parent 
> > interface that only has an IPv6 address assigned (ie no IPv4 at all), no 
> > pfsync traffic transits the interface. Just thought I'd share this 
> > little tidbit since you were looking for edge cases and gotchas and 
> > since IPv6 support (or lack thereof) is not mentioned in the manpage.
> 
> That sounds like a bug not an "edge case". To my knowledge nobody ever
> reported that, consider writing it up for bugs@.

Connectivity issues in a pure IPv6 environment are often due to NDP
packets not being correctly passed.

For example, the default firewall ruleset in /etc/rc is supposed to allow
basic connectivity such as ssh.

However, it breaks IPv6 neighbour discovery protocol in at least some
situations.

I'm not in the office at the moment, so I can't test anything on a current
system, but notes I made last year which would have been with 6.8-release:

Considering a direct link between two machines with no routing or other
network hardware in between:

Output from ndp -a with the default ruleset:

Neighbor                      Linklayer Address  Netif Expire    S Flags
node1                         (incomplete)       em0   expired   N
node2                         b4:2e:99:f2:2f:67  em0   permanent R l
fe80::b62e:99ff:fef2:2f67%em0 b4:2e:99:f2:2f:67  em0   permanent R l

The default ruleset allows neighbour solicitations out and neighbour
advertisements in.

Adding rules to allow neighbour solicitations in and neighbour
advertisements out, fixes the problem.
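As an added example, not part of the post above and not OpenBSD code: a small Python check that reads `ndp -a` output and reports neighbours stuck in the "(incomplete)" state, which is the symptom described above when a firewall swallows one direction of neighbour discovery. The sample table is a constructed copy of the one in the post, and the two pf rules are my assumed shape of the fix (pass solicitations and advertisements in both directions), not the /etc/rc ruleset itself.

```python
"""Spot IPv6 neighbours stuck in the 'incomplete' state from ndp -a output.

Added example, not from the mailing-list post.  SAMPLE_NDP is a constructed
copy of the table shown in the post; NDP_RULES is an assumed pf.conf fragment
that passes neighbour discovery in both directions.
"""

# Constructed sample of `ndp -a` output (column spacing is approximate).
SAMPLE_NDP = """\
Neighbor                      Linklayer Address  Netif Expire    S Flags
node1                         (incomplete)       em0   expired   N
node2                         b4:2e:99:f2:2f:67  em0   permanent R l
fe80::b62e:99ff:fef2:2f67%em0 b4:2e:99:f2:2f:67  em0   permanent R l
"""

# Assumed fix: pass neighbour solicitation (135) and advertisement (136)
# in both directions.  The post notes the default ruleset only passes
# solicitations out and advertisements in, which leaves the peer's own
# solicitations unanswered.
NDP_RULES = """\
pass in  inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }
pass out inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }
"""


def parse_ndp(text):
    """Return (neighbour, link-layer address, interface, state) per row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 5:                     # Flags column may be empty
            continue
        rows.append((fields[0], fields[1], fields[2], fields[4]))
    return rows


def incomplete_neighbours(text):
    """Neighbours whose link-layer address was never learned."""
    return [name for name, lladdr, _, _ in parse_ndp(text)
            if lladdr == "(incomplete)"]


def ndp_report(text):
    """One-line verdict suitable for a monitoring script."""
    stuck = incomplete_neighbours(text)
    if not stuck:
        return "neighbour discovery looks healthy"
    return ("neighbour(s) %s stuck incomplete: check that pf passes neighbour "
            "solicitations in and advertisements out" % ", ".join(stuck))


if __name__ == "__main__":
    print(ndp_report(SAMPLE_NDP))
    print("candidate rules:\n" + NDP_RULES)
```

On a live system the text would come from `subprocess.run(["ndp", "-a"], capture_output=True, text=True).stdout`; the parser deliberately keys on the literal "(incomplete)" marker rather than column positions, since ndp's column widths vary with address length.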



Re: Resizing encrypted disk

2022-06-26 Thread Crystal Kolipe
On Sun, Jun 26, 2022 at 04:25:56AM +0100, Chris Narkiewicz wrote:
> Now, I modified sd1a partition by growing it.
> When I attach the volume using bioctl, it mounts,
> but disklabel -v sd2 shows the same number of sectors and
> and I'm unable to grow the decrypted partition sd2a to fill sd1a.

https://www.exoticsilicon.com/research/resizing_softraid_volumes

Back up your data first.

A port of es-srme was also sent to -ports a while ago.



Re: Dynamic gif Tunnel

2022-06-05 Thread Crystal Kolipe
On Sun, Jun 05, 2022 at 10:51:49AM -, Stuart Henderson wrote:
> You will probably be happier with wg(4) though, for this scenario
> with a static IP at one side you don't need to do anything special
> to maintain the tunnel, it "just works" and automatically follows
> changes of client IP.

Except possibly set up some kind of slow ping or other keep-alive
mechanism.

Since wireguard is stateless, if the dynamic IP is behind some kind
of NAT, the ISP might break inbound connectivity if there is no
outbound traffic for a certain period, (typically 2 minutes or so).

This only matters if you expect to receive inbound connections
without making an outbound connection first, (for example, inbound
SMTP), because any outbound traffic should bring up the link anyway.

IPSEC is another possible alternative.



Re: My home router, running OpenBSD 7.1, won't boot headlessly

2022-09-26 Thread Crystal Kolipe
On Sun, Sep 25, 2022 at 08:12:51AM -0400, Z. Charles Dziura wrote:
> it won't boot up properly unless I have a monitor plugged into
> one of the display ports.

On Sun, Sep 25, 2022 at 06:52:16PM +0200, Ronan Viel wrote:
> I had the same kind of issue with an Intel NUC some years ago and
> solved it with a fit-Headless HDMI dongle

On Sun, Sep 25, 2022 at 02:21:00PM -0700, Kastus Shchuka wrote:
> Seems you need a dummy HDMI plug

Although a dummy HDMI plug is the quick and easy fix, if this is
caused by a software problem in OpenBSD, (rather than being
caused by the BIOS, for example), then if everybody just 'fixes'
it by buying extra hardware, the real problem will never get
identified and fixed.  So _everybody_ ends up having to buy an
extra piece of hardware.

Even if you don't have a serial console to interact with the
machine and debug the issue, you could at least see if the
boot process is getting to and beyond the bootloader by
observing the amount of disk accesses.

It could be that something as simple as disabling the DRM driver in the
kernel will allow the machine to boot.

In any case, a dmesg from the affected machine so that we can
see exactly what hardware is in it would be useful.



Re: Guide for Configuring python(1) with httpd(8)

2022-12-24 Thread Crystal Kolipe
On Fri, Dec 23, 2022 at 07:57:56PM +, indivC wrote:
> However, the 'cgi' module is giving me trouble that I can't resolve.
> It simply won't import without errors.
> 
> Why am I trying to import the 'cgi' module?
> What I want to do is pass data.

...

> The above is just a simple example that has one input field ('name').
> In order to grab the 'name' inputted by the user,
> I need to use the 'cgi' module.

Firstly, you don't actually _need_ to use the Python cgi module to write a cgi
program that handles input and output from the webserver such as form
submissions, it's just one way of doing it.  CGI programs just read from
standard input and write to standard output.  If you are doing this as a
learning experience, it would be much more educational to actually study the
format that the webserver uses to send the form data and write a simple parser
for it.

But it seems that most people these days want to take all of the shortcuts.

> When I run 'chroot /var/www htdocs/test/cgi-test.py',
> I get the below:
> 
> File "/usr/local/lib/python3.9/email/header.py", line 14,
>  in <module>
>   import binascii
>   ImportError: Cannot load specified object

This is because the chroot environment is not fully set up.  It doesn't
contain all of the files in all of the right locations for what you want to
do.

> I know, chroot is bad bad.
> I think once I can resolve this,
> I'll go back through your responses
> and attempt to move away from chroot and start using fastcgi.

Why not just start using FastCGI now?  Honestly, you are just wasting your own
time by pursuing the 'python interpreter in a chroot' method.  Other people
have pointed this out.  Especially since you are starting from scratch, and
not trying to run a piece of existing software that requires it.

I showed you how to get the python interpreter itself working in a chroot,
because that is useful general knowledge to have from a technical point of
view, and helps to explain in very simple terms how things work in a chroot.

But beyond just seeing it work and writing a hello world program, it's not
worth pursuing.

> I tried to troubleshoot the above error,
> but I haven't gotten anywhere.
> My first thought was where is this module located,
> so I ran 'python3' to run the Python Interpreter
> and entered the below:
>   >>> import binascii
>   >>> binascii.__file__
>   '/usr/local/lib/python3.9/lib-dynload/binascii.cpython-39.so'
> 
> So that's the location of the module.
> It is located in the same path within '/var/www/'
> and it also has the correct permissions,
> but unsure what's the problem with importing it.

If you want to set up the chroot more thoroughly so that these extra Python
modules work, why don't you just use the script that Mark sent you:

https://marc.info/?l=openbsd-misc&m=167135242321424&w=2

I know you had a few problems with it:

> I removed the parts in the script
> that dealt with touching any folder path with 'run'.
> 'slowcgi.sock' is in '/var/www/run/'
> and I didn't want to mess with it.
> Also, it doesn't look like the script does anything with files
> in these folders, so it shouldn't matter that I omitted them. 
> 
> On the first run, it wasn't able to copy 'libiconv.so.7.0'.
> On my system, it's 'libiconv.so.7.1'.

This is because Mark's script was written for an older version of OpenBSD.

I tested it on a fresh OpenBSD 7.1 installation and it applied just fine
without any changes whatsoever.  And I was able to use the python CGI module
in the chroot.

> Therefore, I updated that line in the script to 'libiconv.so.*'.
> This better matches how all the other lines are in the script.
> I'm not sure why this line and the one above it are different.
> 
> Then, I ran the script again.
> However, I still get the same 'chroot' error:
> "ldconfig: /var/run/ld.so.hints.: No such file or directory"

Are you sure that /var is not full?

> It's like something is attempting to generate a pseudorandom file
> using 'ld.so.hints' as a base.

It is :-).

man 3 mktemp
man 3 mkstemp

> These pseudorandom filenames do not exist,
> but '/var/run/ld.so.hints' does,
> so I'm not sure why it doesn't just use that file directly.

Remember that OpenBSD is a multi-user system.

Like a lot of system programs, ldconfig does not overwrite its files
directly when updating them.  If it did then there would be a short period of
time where /var/run/ld.so.hints contained invalid or incomplete data.  What
would happen if another program tried to access it at that moment?  Or if the
system crashed?

The way to avoid this on basically any unix-like system is to write the
changed version to a new temporary file, then once it's written you rename the
temporary file to the real name, overwriting the old file.

The rename operation is atomic, i.e. it happens 'instantly', so there should
be no risk of the file becoming mangled.

If /var is not full, then you have probably made a configuration change that
you haven't told us about whilst trying to set 
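The suggestion earlier in this post to study the format the webserver hands a CGI program and write a small parser for it, as an added example (my code, not the poster's and not anything from the Python cgi module): form data arrives on standard input for POST, with its length in CONTENT_LENGTH, or in QUERY_STRING for GET, encoded as application/x-www-form-urlencoded. The body cap MAX_BODY is my assumption; the decoder is written by hand to show what the format actually is.

```python
"""Minimal parser for the form data a CGI program receives from httpd.

Added example, not code from the original post or from OpenBSD.  It reads
the CGI environment directly: POST bodies come on stdin with their size in
CONTENT_LENGTH, GET parameters come in QUERY_STRING, both in the
application/x-www-form-urlencoded format ('+' is a space, %XX is a byte).
"""
import io
import os
import string
import sys

MAX_BODY = 64 * 1024        # assumed upper bound; refuse to read huge bodies


def percent_decode(s):
    """Decode '+' and %XX escapes into the raw bytes they stand for.

    A '%' that is not followed by two hex digits is kept literally rather
    than raising, so a malformed submission cannot crash the program.
    """
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        pair = s[i + 1:i + 3]
        if c == "+":
            out.append(0x20)
            i += 1
        elif (c == "%" and len(pair) == 2
              and all(ch in string.hexdigits for ch in pair)):
            out.append(int(pair, 16))
            i += 3
        else:
            out.extend(c.encode("utf-8"))
            i += 1
    return bytes(out)


def parse_form(data):
    """Turn 'name=Ada+L.&lang=en' into {'name': ['Ada L.'], 'lang': ['en']}.

    Values are lists because a field may legitimately repeat (checkboxes).
    """
    fields = {}
    for pair in data.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        k = percent_decode(key).decode("utf-8", "replace")
        v = percent_decode(value).decode("utf-8", "replace")
        fields.setdefault(k, []).append(v)
    return fields


def read_form(environ=None, stdin=None):
    """Fetch the raw, still-encoded form string the way a CGI program sees it."""
    environ = os.environ if environ is None else environ
    stdin = sys.stdin.buffer if stdin is None else stdin
    if environ.get("REQUEST_METHOD", "GET") != "POST":
        return environ.get("QUERY_STRING", "")
    ctype = environ.get("CONTENT_TYPE", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return ""               # multipart uploads are a different format
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        return ""
    if length < 0 or length > MAX_BODY:
        return ""               # never trust the client to size our buffer
    return stdin.read(length).decode("ascii", "replace")


def parse_request(environ, body=b""):
    """Convenience wrapper: parse a request from its environment and body."""
    return parse_form(read_form(environ, io.BytesIO(body)))


if __name__ == "__main__":
    # Constructed request, as httpd/slowcgi would present it.
    env = {"REQUEST_METHOD": "POST",
           "CONTENT_TYPE": "application/x-www-form-urlencoded",
           "CONTENT_LENGTH": "15"}
    form = parse_request(env, b"name=Ada+L.%21\n")
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write("hello %s\n" % form.get("name", ["nobody"])[0])
```

Two things the cgi module would otherwise hide: CONTENT_LENGTH is attacker-controlled, so it is bounded before it is used to size a read, and the decoded values are bytes until you decide on a charset, which is why the decode step is explicit.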
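The write-to-temporary-then-rename pattern described above for /var/run/ld.so.hints, as an added example in Python (my code, not OpenBSD's ldconfig): the temporary file gets a mktemp-style random suffix in the same directory, is flushed to disk, and is then renamed over the target in a single rename(2). The simulated crash flag and the file mode are my additions to show why the old file survives.

```python
"""Atomic file replacement: write a temporary file, then rename it over the
original, the pattern the post describes for ldconfig and ld.so.hints.

Added example, not OpenBSD's ldconfig code.  Works on any POSIX system;
the mkstemp() name pattern (target name plus a random suffix) mirrors the
'ld.so.hints.XXXXXX' style name seen in the error message in the thread.
"""
import os
import tempfile


def atomic_write(path, data, mode=0o644, fail_before_rename=False):
    """Replace `path` with `data` so readers never see a partial file.

    The temporary file must live in the same directory, because rename(2)
    is only atomic within one filesystem.  `fail_before_rename` simulates a
    crash after the data is written but before the switch, to show that the
    old file is untouched until the very last step.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=os.path.basename(path) + ".",
                               dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())            # data really on disk first
            os.fchmod(f.fileno(), mode)     # mkstemp creates it 0600
        if fail_before_rename:
            raise RuntimeError("simulated crash before rename")
        os.replace(tmp, path)               # rename(2): one-step switch
    except BaseException:
        try:
            os.unlink(tmp)                  # leave no half-written junk
        except OSError:
            pass
        raise


def read_file(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Show that a crash mid-update leaves the old contents intact.

    Returns (contents after the failed update, contents after the good
    update, number of stray files left in the directory).
    """
    workdir = tempfile.mkdtemp()
    hints = os.path.join(workdir, "ld.so.hints")
    atomic_write(hints, b"version 1\n")
    try:
        atomic_write(hints, b"version 2\n", fail_before_rename=True)
    except RuntimeError:
        pass
    after_crash = read_file(hints)
    atomic_write(hints, b"version 2\n")
    after_update = read_file(hints)
    strays = len(os.listdir(workdir)) - 1
    return after_crash, after_update, strays


if __name__ == "__main__":
    print(demo())
```

The failure mode the post warns about (the temporary file cannot be created at all, as when /var is full) surfaces here as the mkstemp() call raising before anything is touched, so the existing hints file is still never left mangled.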

Re: how to get per-IP traffic statistics?

2022-12-25 Thread Crystal Kolipe
On Sat, Dec 24, 2022 at 07:53:09PM -0800, Jonathan Thornburg wrote:
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall

Add match rules to pf.conf for the IPs you're interested in and give them
named labels.

Then you can view statistics for the packets that matched each label using
pfctl -s labels.
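An added example of the label approach above (my code, not from the post): an assumed pf.conf fragment with per-host match rules, and a parser for the output of `pfctl -s labels`, whose column order is documented as label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, state creations. The host addresses, interface name, label naming convention and the pfctl output sample are all constructed.

```python
"""Per-host byte counters from pf match-rule labels.

Added example, not from the post.  PF_RULES is an assumed way of carrying
out the advice (match rules with named labels, one per host and direction);
SAMPLE_LABELS is a constructed `pfctl -s labels` output in the documented
column order.
"""

# Assumed pf.conf fragment: em1 is the LAN side, hosts are documentation
# addresses.  Label names encode host and direction so they can be grouped.
PF_RULES = """\
match in  on em1 from 192.0.2.10 label "host_10_in"
match out on em1 to   192.0.2.10 label "host_10_out"
match in  on em1 from 192.0.2.11 label "host_11_in"
match out on em1 to   192.0.2.11 label "host_11_out"
"""

# Constructed sample of `pfctl -s labels` output.
SAMPLE_LABELS = """\
host_10_in 120 100 64000 100 64000 0 0 3
host_10_out 90 80 512000 0 0 80 512000 0
host_11_in 10 4 2000 4 2000 0 0 1
"""

FIELDS = ("evaluations", "packets", "bytes", "packets_in", "bytes_in",
          "packets_out", "bytes_out", "states")


def parse_labels(text):
    """Parse `pfctl -s labels` output into {label: {counter: value}}."""
    stats = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split from the right: a label may contain spaces, counters never do.
        parts = line.rsplit(None, 8)
        if len(parts) != 9:
            continue                        # not a stats line, skip it
        label, nums = parts[0], [int(x) for x in parts[1:]]
        stats[label] = dict(zip(FIELDS, nums))
    return stats


def bytes_per_host(text):
    """Group byte totals by the 'host_<x>_in' / 'host_<x>_out' convention."""
    totals = {}
    for label, counters in parse_labels(text).items():
        host, _, direction = label.rpartition("_")
        if direction not in ("in", "out"):
            continue                        # some other label, not per-host
        totals.setdefault(host, {"in": 0, "out": 0})[direction] += \
            counters["bytes"]
    return totals


if __name__ == "__main__":
    for host, t in sorted(bytes_per_host(SAMPLE_LABELS).items()):
        print("%-8s in=%d out=%d" % (host, t["in"], t["out"]))
```

Live use replaces SAMPLE_LABELS with the output of `pfctl -s labels`; the counters accumulate from the time the ruleset was loaded, so a periodic collector should record deltas rather than raw values.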



Re: Reinstalling kernel with full disk encryption

2022-12-29 Thread Crystal Kolipe
On Wed, Dec 28, 2022 at 09:01:26PM +, Chris wrote:
> After that however, the bootloader no longer prompts me for the full disk
> encryption passphrase. Previously it was prompting me for the FDE passphrase
> before it tried to boot the broken kernel.

I'm assuming that you only have a single disk in this machine, and that you
are not multi-booting with another OS.  If this is not the case, let us know.

Does the machine actually boot in to your old system now if you do:

boot sr0a:/bsd

at the boot prompt?

Or does the kernel boot, but complain that it cannot find the root volume?

If the machine does boot, you probably just need to run:

# installboot -v sd1


