Re: email dkim signing failing with 6.8

2021-05-22 Thread Martijn van Duren
I'm not sure what you're doing, but you show a piece of rspamd config
for your signing, while you claim to use dkimproxy_out. I haven't used
dkimproxy_out in a long time (basically since I wrote filter-dkimsign)
but last time I used dkimproxy_in it worked as expected for rsa.

Also note that dkimproxy hasn't had a new release since 2011,
which doesn't have to mean anything, but is usually not a great sign.

If you really want to continue using dkimproxy I'd suggest running
dkimproxy_out on the shell:
/usr/local/bin/dkimproxy.out --conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy --group=_dkimproxy
and see what it spews out.

Personally I'd replace dkimproxy with either (filter-)rspamd or
filter-dkimsign depending on your needs.

martijn@

On Sat, 2021-05-22 at 11:44 +0200, flipchan wrote:
> Hi all,
> 
> 
> I upgraded from 6.6 to 6.8 and dkim magically stopped appending the dkim 
> signatures to my emails. I have tried to debug it but I'm not really 
> getting anywhere. dkimproxy_out is running without complaints.
> 
> Does anyone see what im doing wrong?
> 
> 
> mail# cat /etc/mail/smtpd.conf
> table aliases file:/etc/mail/aliases
> #table other-relays file:/etc/mail/other-relays
> 
> pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
> 
> filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"
> 
> listen on vio0 port 587 hostname example.com tls-require pki 
> mail.example.com auth filter "rspamd"
> #mask-src
> listen on vio0 port 25 hostname example.com tls pki mail.example.com 
> filter "rspamd"
> # auth-optional
> 
> #action "mbox" mbox alias 
> #action "relay" relay
> 
> #match for local action "mbox"
> #match for any action "relay"
> #match !from src  mail-from "@example.com" for any \
>   # reject
> 
> listen on lo0 port 10028 tag DKIM
> 
> action "mbox" mbox alias 
> action "relay" relay
> action "relay_dkim" relay host smtp://127.0.0.1:10027
> match from any for domain example.com action "mbox"
> 
> match auth from any for any action "relay"
> match for local action "mbox"
> match tag DKIM for any action "relay"
> #match tag dkim for any action "relay"
> #match tag DKIM for any action "outbound"
> #match for any action relay_dkim
> match auth from any for any action "relay_dkim"
> mail#
> dkim_signing.conf    redis.conf
> mail# cat /etc/rspamd/local.d/dkim_signing.conf
> domain {
>  example.com {
>  path = "/var/dkimproxy/default.private";
>  selector = "default";
>  }
> }
> mail# uname -a
> OpenBSD mail.firosolutions.com 6.8 GENERIC#5 amd64
> 
> 
> 
> Thanks!
> 
> Sincerely,
> 
> Flipchan
> 
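Added example, not from this thread and not from the dkimproxy or OpenSMTPD projects: the smtpd.conf(5) layout usually used to hand submitted mail to a local signing proxy and route it back out once signed. It keeps the port numbers, the DKIM tag and the vio0/lo0 interfaces of the quoted configuration; the hostname, certificate paths and action names are assumed placeholders. smtpd applies the first match rule that fits a message, so the order of the match rules is the part that matters here: the tagged rule must come before any rule that would send local mail back to the signer, and the rule that sends authenticated mail to the signer must come before any generic relay rule.

```conf
# Added example (placeholder names); mirrors the quoted ports and tag.
table aliases file:/etc/mail/aliases

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

# Submission from authenticated clients.
listen on vio0 port 587 hostname mail.example.com tls-require pki mail.example.com auth
# Inbound mail from the internet.
listen on vio0 port 25 hostname mail.example.com tls pki mail.example.com
# The signer hands signed mail back on 10028; tag it so it can be told apart.
listen on lo0 port 10028 tag DKIM

action "local_mail" mbox alias <aliases>
action "outbound" relay
# The signing proxy listens on 10027 (dkimproxy.out's usual port).
action "to_signer" relay host smtp://127.0.0.1:10027

match from any for domain example.com action "local_mail"
match from local for local action "local_mail"
# First match wins: signed mail coming back from the proxy leaves directly.
match tag DKIM for any action "outbound"
# Everything else bound for the outside goes to the signer first.
match auth from any for any action "to_signer"
match from local for any action "to_signer"
```

Check the result with `smtpd -n` before reloading, and watch `maillog` for one delivery to 127.0.0.1:10027 followed by a second, tagged session on port 10028; if the second session is missing, the mail never reached the signer, which points at rule order or at the proxy itself.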




Re: relay email from users to per-user smtp servers

2021-01-24 Thread Martijn van Duren
I have no clue on what you're trying to do, so here's my best guess.
Your users have something like a shell account and want to submit mail
via the sendmail command. Your users want you to forward the mail to
their "standard" mailserver before it is relayed further.

Afaik there is no option to configure a specific runtime determined
relay host option, so you'd have to create a different "relay host"
action per match rule.

Another option is to let your users submit the mail to their mail
provider directly through port 587 or something similar, or why not
just let you handle the mail and let them add your server's IP to
their SPF-record and install filter-dkimsign, which supports multiple
domains for DMARC from-domain matching.

But like I said, no idea what you're trying to achieve, so my answer
might be way off.

martijn@

On Fri, 2021-01-22 at 23:45 +0100, Rudolf Sykora wrote:
> Dear list,
> 
> 
> if I have several users, each of which wants to be able to send email to
> generally different smtp servers with their own credentials, how does
> one arrange such a thing? Can it be done easily without having a
> separate rule in the system-wide /etc/mail/smtp.conf for each individual
> user? Can it be done that they themselves can easily modify the smtp
> servers information/credentials?
> 
> 
> Thanks for comments
> Ruda
> 




Re: doas changes?

2021-01-21 Thread Martijn van Duren
On Thu, 2021-01-21 at 19:56 +0100, Simon Parrer wrote:
> Hello together,
> maybe anyone can tell me if there are changes to doas?
> I ask because my doas says Abort trap when I try to use it with sysupgrade or 
> pkg_add -u.
> I did sysupgrade to OpenBSD 6.8-current (GENERIC.MP) #285: Wed Jan 20 17:31:16 
> MST 2021.
> Many Thanks and best regards Simon
> 
There has been a recent change that caused a pledge violation in some
situations. The change has been reverted and the next snapshot should
fix things.

martijn@



Re: OpenSMTPD is not sending e-mail.

2021-01-20 Thread Martijn van Duren
You haven't given much log output, but "Network error on destination
MXs" usually indicates something like DNS or network issues.

Considering it states relay="openbsd.org", where it should be
"mail.openbsd.org" my best guess is DNS issues.

martijn@

On Wed, 2021-01-20 at 17:04 -0800, latincom wrote:
> I read the archives of OpenSMTPD, and found 2 messages related to ssl, 
> nothing more. Can someone give me some advice on where to look, please?
> 
> I did something stupid, maybe:
> I forgot that the installer asks for a name; then I wrote a name, which I 
> later changed to a FQDN; according to the man page, I declared it in hosts and 
> myname!
> 
>  From Log:
> mta delivery evpid=7465b44496df9b1a from= 
> to= rcpt=<-> source="-" relay="openbsd.org" 
> delay=11h8m1s result="TempFail" stat="Network error on destination MXs"
> 
> smtp.conf:
> #   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
> 
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
> 
> table aliases file:/etc/mail/aliases
> 
> listen on socket
> 
> # To accept external mail, replace with: listen on all
> #
> listen on all
> 
> action "local_mail" mbox alias 
> action "outbound" relay
> 
> # Uncomment the following to accept external mail for domain "example.org"
> #
> match from any for domain "agroena.org" action "local_mail"
> match from local for local action "local_mail"
> match from local for any action "outbound"
> 
> ssl:
> m# ls -l /etc/ssl/
> total 764
> -r--r--r--  1 root  bin    350172 Oct  4 23:47 cert.pem
> -r--r--r--  1 root  wheel    3791 Jan 10 23:57 fullchain.pem
> -rw-r--r--  1 root  wheel    2703 Oct  4 23:47 ikeca.cnf
> -r--r--r--  1 root  bin       745 Oct  4 23:47 openssl.cnf
> drwx------  2 root  wheel     512 Jan 10 23:57 private
> -r--r--r--  1 root  bin      1006 Oct  4 23:47 x509v3.cnf
> 
> 
> 




Re: adding user to a group

2021-01-08 Thread Martijn van Duren
User and group information is set during login. When running a new shell
with -l it only reads the shell profile:
 -l  Login shell.  If the basename the shell is called with
 (i.e. argv[0]) starts with ‘-’ or if this option is used,
 the shell is assumed to be a login shell and the shell
 reads and executes the contents of /etc/profile and
 $HOME/.profile if they exist and are readable.
So you need to log out and log in again (either from your terminal
session or X11 session).

If you want to make sure your user is added to the group dialer you can
verify via:
$ getent group dialer
dialer:*:117:ruda

martijn@

On Fri, 2021-01-08 at 16:21 +0100, Rudolf Sykora wrote:
> Dear list,
> 
> 
> I tried to add myself to the "dialer" group:
> 
> #usermod -G dialer ruda
> 
> But when I write
> 
> $groups
> 
> in a terminal I still do not see the new group. Not even if I open a new login
> shell (by writing "ksh -l"). However, when I log in in a text console
> (ctrl-alt-1), I see the new group there.
> 
> What is it that I have to do to have the membership updated, i.e., how
> can I open e.g. a terminal in the running environment that would see my
> new groups?
> 
> 
> Thanks for comments
> Ruda
> 




Re: OpenSMTPD-extras manual

2020-12-19 Thread Martijn van Duren
On Sat, 2020-12-19 at 15:37 -0600, Edgar Pettijohn wrote:
> On Sat, Dec 19, 2020 at 08:02:19PM +0300, ??  wrote:
> > Hello.
> > Where can I find any manuals and examples regarding OpenSMTPD-extras?
> > Which table types are supported and do not have status "experimental"
> > like ldap tables?
> > E.g. what is opensmtpd-extras-python and how can I use it?
> > -- 
> > Best regards
> > Maksim Rodin
> > 
> 
> Your best bet is to git clone the repository and search for the tables, 
> etc you are interested in. If there is a manual simply `mandoc file | less`.
> 
> Unfortunately there aren't manuals for all of the `extras`.
> 
> Good luck,
> 
> Edgar
> 
I don't play around too much with opensmtpd-extras and I don't do
python, but minor unrelated hint: mandoc -l will spawn less for
you and will include the tags-file.

martijn@



Re: dkim && ed25519

2020-12-04 Thread Martijn van Duren
On Fri, 2020-12-04 at 17:53 +0200, Gregory Edigarov wrote:
> Hello misc@,
> 
> Just wanna check status of ed25519/x25519 support in OpenBSD.
> I want to use ed25519 keypair for dkim, because of the smaller
> size of the resulting keys, to completely eliminate the line breaking
> issues.
> Found nothing in man openssl, how am I supposed to generate keypair?
> Will ssh-keygen or signify do the trick?
> 
> Thank you.
> --
> With best regards,
>         Gregory Edigarov
> 
> 
> 
You failed to specify which mailserver/dkimsigner you want to use,
but if it's filter-dkimsign you're currently out of luck.
libressl currently doesn't support ed25519 and so neither does
filter-dkimsign.

martijn@



Re: OpenSMTPD and ldap+tls

2020-11-30 Thread Martijn van Duren
Hello,

There is table_ldap in the opensmtpd-extras package, but I've never used
it, it's undocumented and I've heard that the author sees it as a proof
of concept only at this point. So no idea how far this will take you,
but it's your best shot. :-)

A quick look through the source shows me the following snippet of the
config parser:

else if (!strcmp(key, "username"))
read_value(, key, value);
else if (!strcmp(key, "password"))
read_value(, key, value);
else if (!strcmp(key, "basedn"))
read_value(, key, value);
else if (!strcmp(key, "alias_filter"))
read_value([LDAP_ALIAS].filter, key, value);
else if (!strcmp(key, "alias_attributes")) {
ldap_parse_attributes([LDAP_ALIAS],
key, value, 1);
} else if (!strcmp(key, "credentials_filter"))
read_value([LDAP_CREDENTIALS].filter, key, 
value);
else if (!strcmp(key, "credentials_attributes")) {
ldap_parse_attributes([LDAP_CREDENTIALS],
key, value, 2);
} else if (!strcmp(key, "domain_filter"))
read_value([LDAP_DOMAIN].filter, key, value);
else if (!strcmp(key, "domain_attributes")) {
ldap_parse_attributes([LDAP_DOMAIN],
key, value, 1);
} else if (!strcmp(key, "userinfo_filter"))
read_value([LDAP_USERINFO].filter, key, value);
else if (!strcmp(key, "userinfo_attributes")) {
ldap_parse_attributes([LDAP_USERINFO],
key, value, 3);
} else if (!strcmp(key, "mailaddr_filter"))
read_value([LDAP_MAILADDR].filter, key, value);
else if (!strcmp(key, "mailaddr_attributes")) {

Hope this works for you.

martijn@

On Tue, 2020-12-01 at 09:02 +0300, Родин Максим wrote:
> Hello
> Is there a way to make opensmtpd work
> with ldap aliases over a secure connection?
> 
> I do not know where to find working examples of this
> My current /etc/mail/ldap.conf look like this:
> url                    ldap://ldap1.mydomain.ru
> basedn                 dc=mydomain,dc=ru
> username               cn=service,dc=mydomain,dc=ru
> password               passpasspass
> 
> domain_filter          (&(objectClass=domain)(dc=%s))
> domain_attributes      dc
> 
> credentials_filter     (&(objectClass=posixAccount)(uid=%s))
> credentials_attributes uid,userPassword
> 
> userinfo_filter        (&(objectClass=posixAccount)(uid=%s))
> userinfo_attributes    uid,uidNumber,gidNumber,homeDirectory
> 
> alias_filter           (&(objectClass=nisMailAlias)(cn=%s))
> alias_attributes       rfc822MailMember
> 
> ldapd daemon is set up on another host to work over tls and ssl and
> working correctly.
> 
> If I change url to ldaps://ldap1.mydomain.ru
> or to ldap+tls://ldap1.mydomain.ru
> then smtpd -dv shows:
> vdomains[50952]: warn: ldap_parse_url fail
> vdomains[50952]: warn: ldap_connect error
> vdomains[50952]: fatal: failed to connect
> 




Re: ldapd.conf certificate directive not working?

2020-11-28 Thread Martijn van Duren
On Sat, 2020-11-28 at 23:08 +0100, Theo Buehler wrote:
> > "If the certificate name is an absolute path, a .crt and .key
> > extension are appended to form the certificate path and key path
> > respectively."
> > This part does not seem to work at all.
> > Neither it tries to search certificates using the absolute path nor
> > it tries to append .crt or .key extension to the absolute path when no
> > extension is used in config.
> > 
> > Or I do it completely wrong?
> 
> It's a bug. If the certificate path is absolute, faulty short-circuiting
> logic would result in first correctly appending ".crt" to the path, then
> incorrectly prepending "/etc/ldap/cert".
> 
> You can see the problem with a config containing
> 
> listen on lo0 port 6636 tls certificate "/bogus/lo0"
> 
> $ ldapd -vv -f ldapd.conf -n
> ...
> loading certificate file /etc/ldap/certs//bogus/lo0.crt
> ldapd.conf:5: cannot load certificate: /bogus/lo0
> ...
> 
> The diff below avoids calling bsnprintf() twice for an absolute
> certificate path.
> 

Wouldn't it be more future idiot proof if we were a little more verbose?
But if you prefer, your diff also looks good to me.

martijn@

Index: parse.y
===
RCS file: /cvs/src/usr.sbin/ldapd/parse.y,v
retrieving revision 1.36
diff -u -p -r1.36 parse.y
--- parse.y 24 Jun 2020 07:20:47 -  1.36
+++ parse.y 28 Nov 2020 22:54:42 -
@@ -1279,12 +1279,17 @@ load_certfile(struct ldapd_config *env, 
goto err;
}
 
-   if ((name[0] == '/' &&
-!bsnprintf(certfile, sizeof(certfile), "%s.crt", name)) ||
-   !bsnprintf(certfile, sizeof(certfile), "/etc/ldap/certs/%s.crt",
-   name)) {
-   log_warn("load_certfile: path truncated");
-   goto err;
+   if (name[0] == '/') {
+   if (!bsnprintf(certfile, sizeof(certfile), "%s.crt", name)) {
+   log_warn("load_certfile: path truncated");
+   goto err;
+   }
+   } else {
+   if (!bsnprintf(certfile, sizeof(certfile),
+   "/etc/ldap/certs/%s.crt", name)) {
+   log_warn("load_certfile: path truncated");
+   goto err;
+   }
}
 
log_debug("loading certificate file %s", certfile);
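Review bot: the two branches repeat the identical `log_warn("load_certfile: path truncated"); goto err;` pair only because the format string differs, so the error path now exists twice for one outcome. If the duplication bothers anyone, selecting the format first and keeping a single check does the same job, e.g. `fmt = name[0] == '/' ? "%s.crt" : "/etc/ldap/certs/%s.crt";` followed by one `if (!bsnprintf(certfile, sizeof(certfile), fmt, name))`, at the cost of a non-literal format string that -Wformat-nonliteral will flag. Either shape removes the defect in the old condition: a successful first `bsnprintf()` made `!bsnprintf(...)` false, the `&&` short-circuited to false, and the `||` then ran the second `bsnprintf()`, overwriting certfile with the /etc/ldap/certs/ prefix, which is exactly the "/etc/ldap/certs//bogus/lo0.crt" path shown above.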
@@ -1298,12 +1303,17 @@ load_certfile(struct ldapd_config *env, 
goto err;
}
 
-   if ((name[0] == '/' &&
-!bsnprintf(certfile, sizeof(certfile), "%s.key", name)) ||
-   !bsnprintf(certfile, sizeof(certfile), "/etc/ldap/certs/%s.key",
-   name)) {
-   log_warn("load_certfile: path truncated");
-   goto err;
+   if (name[0] == '/') {
+   if (!bsnprintf(certfile, sizeof(certfile), "%s.key", name)) {
+   log_warn("load_certfile: path truncated");
+   goto err;
+   }
+   } else {
+   if (!bsnprintf(certfile, sizeof(certfile),
+   "/etc/ldap/certs/%s.key", name)) {
+   log_warn("load_certfile: path truncated");
+   goto err;
+   }
}
 
log_debug("loading key file %s", certfile);
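Review bot: this block is the certificate block with ".crt" replaced by ".key", repeated error handling included, so the same path construction now appears four times in load_certfile(). A small static helper taking the extension, something like `certpath(char *buf, size_t len, const char *name, const char *ext)`, would keep the absolute-versus-/etc/ldap/certs/ decision in one place and make the two call sites one line each. Functionally the hunk is right: the absolute-path case no longer falls through to the prefixed format.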




Re: How to split install.wim

2020-09-02 Thread Martijn van Duren
There's ntfs_3g in ports.
But never had a use for it, so no clue how well it functions.

On Wed, 2020-09-02 at 01:49 -0700, Greg Thomas wrote:
> I believe NTFS is read only on *BSD.
> 
> On Tue, Sep 1, 2020 at 11:44 PM Peter Nicolai Mathias Hansteen <
> pe...@bsdly.net> wrote:
> 
> > 
> > > 2. sep. 2020 kl. 07:33 skrev Predrag Punosevac :
> > > 
> > > Hi All,
> > > 
> > > I am using my desktop
> > > 
> > > predrag@oko$ uname -a
> > > OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#5 amd64
> > > 
> > > to create a bootable Windows 10 USB flash drive. It is a paid job
> > > although I would not be surprised that my consent to do it, is
> > > consistent with the early signs of dementia. I just wasted a few hours
> > > of my life to find out that install.wim is too large to be written on
> > > Fat32 file system as described in this article
> > > 
> > > 
> > https://www.zdnet.com/article/windows-10-installer-files-too-big-for-usb-flash-drive-heres-the-fix/
> > 
> > Urgh. It’s probably due to the lack of a useful dd analogue that they make
> > users jump through hoops like that.
> > 
> > Otherwise my initial reaction before reading the article was ‘just use
> > dd’, but that would be totally foreign territory to most Windows admins
> > most likely.
> > 
> > But I agree with Aaron that the other workaround would be to format the
> > USB drive as NTFS to start with, that would not be subject to the 4GB file
> > size restriction. Just how good the NTFS support is in OpenBSD I have no
> > personal experience with, though.
> > 
> > All the best,
> > 
> > —
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> > 
> > 
> > 
> > 
> > 



Re: Potential grep bug?

2020-06-24 Thread Martijn van Duren
This seems to fix the issue for me.

OK?

martijn@

On Tue, 2020-06-23 at 19:29 -0700, Jordan Geoghegan wrote:
> Hello,
> 
> I was working on a couple POSIX regular expressions to search for and 
> validate IPv4 and IPv6 addresses with optional CIDR blocks, and 
> encountered some strange behaviour from the base system grep.
> 
> I wanted to validate my regex against a list of every valid IPv4 
> address, so I generated a list with a zsh 1 liner:
> 
>   for i in {0..255}; do; echo $i.{0..255}.{0..255}.{0..255} ; done | 
> tr '[:space:]' '\n' > IPv4.txt
> 
> My intentions were to test the regex by running it with 'grep -c' to 
> confirm there was indeed 2^32 addresses matched, and I also wanted to 
> benchmark and compare performance between BSD grep, GNU grep and 
> ripgrep. The command I used:
> 
> grep -Eoc 
> "((25[0-5]|(2[0-4]|1{0,1}[[:digit:]]){0,1}[[:digit:]])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[[:digit:]]){0,1}[[:digit:]])(/[1-9]|/[1-2][[:digit:]]|/3[0-2])?"
> 
> My findings were surprising. Both GNU grep and ripgrep were able get 
> through the file in roughly 10 and 20 minutes respectively, whereas the 
> base system grep took over 20 hours! What interested me the most was 
> that the base system grep when run with '-c' returned '0' for match 
> count. It seems that 'grep -c' will have its counter overflow if there 
> are more than 2^32-1 matches (4294967295) and then the counter will 
> start counting from zero again for further matches.
> 
>  ryzen$ time zcat IPv4.txt.gz | grep -Eoc "((25[0-5]|(2[0-4]|1{0,1}...
>  0
>  1222m09.32s real  1224m28.02s user  1m16.17s system
> 
>  ryzen$ time zcat allip.txt.gz | ggrep -Eoc "((25[0-5]|(2[0-4]|1{0,1}...
>  4294967296
>  10m00.38s real  11m40.57s user  0m30.55s system
> 
>  ryzen$ time rg -zoc "((25[0-5]|(2[0-4]|1{0,1}...
>  4294967296
>  21m06.36s real  27m06.04s user  0m50.08s system
> 
> # See the counter overflow/reset:
>  jot 4294967350 | grep -c "^[[:digit:]]"
>  54
> 
> All testing was done on a Ryzen desktop machine running 6.7 stable.
> 
> The grep counting bug can be reproduced with this command:
> jot 4294967296 | nice grep -c "^[[:digit:]]"
> 
> Regards,
> 
> Jordan
> 
Index: util.c
===
RCS file: /cvs/src/usr.bin/grep/util.c,v
retrieving revision 1.62
diff -u -p -r1.62 util.c
--- util.c  3 Dec 2019 09:14:37 -   1.62
+++ util.c  24 Jun 2020 06:46:52 -
@@ -106,7 +106,8 @@ procfile(char *fn)
 {
str_t ln;
file_t *f;
-   int c, t, z, nottext;
+   int t, z, nottext;
+   unsigned long long c;
 
mcount = mlimit;
 
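Review bot: widening `c` to `unsigned long long` only removes the wrap at 2^32 reported above if every update of the counter in procfile() goes through this variable; the hunk shows the declaration but not the increment site, so it is worth confirming that no `int` temporary or other 32-bit accumulator sits between the match loop and `c`. The separate `mcount = mlimit;` limit counter visible in the context is untouched, which looks intentional since it bounds matches per file rather than counting them.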
@@ -169,7 +170,7 @@ procfile(char *fn)
if (cflag) {
if (!hflag)
printf("%s:", ln.file);
-   printf("%u\n", c);
+   printf("%llu\n", c);
}
if (lflag && c != 0)
printf("%s\n", fn);
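Review bot: `%llu` now matches the `unsigned long long` declared in the first hunk; the old `printf("%u\n", c)` with `int c` was already a format/type mismatch, so this hunk corrects two things at once and the commit message should mention both. The `lflag && c != 0` comparison in the trailing context needs no change for the new type.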



Re: filter-dkimsign and multiple domains

2020-05-05 Thread Martijn van Duren
On 5/5/20 7:15 PM, Paul N. Pace wrote:
> I saw the recent thread regarding multiple domains and filter-dkimsign.
> 
> I just wanted to add in my $.02 that I prefer to have as much 
> proof-of-work as reasonable since it seems, at least a little, to help 
> with inboxing at the oligopoly providers. The trend for them to direct 
> legitimate mail to spam filters has been notching up year-by-year, and 
> having the domain of the DKIM signature match the from address seems 
> like an easy check for them to perform.
> 
> My purpose for filter-dkimsign is on a webserver that sends 
> transactional email for several domains.
> 
> A solution that would work for me does not have to be complex or 
> feature-rich. For example, if there were an option to sign with whatever 
> domain is in the from address (everything after '@'), that would be perfect.
> 
> In any case, thank you for the very easy to implement DKIM signing solution.
> 
> Paul
> 
You've read the thread so you know my position and you know what it
would take for me to change my mind, yet you come here with a feature
request that's actually worth what you priced it.
Your request *IS* complex and it *IS* feature-rich if you actually took
the time to work out the details of what you're asking. If I'm wrong in
that show me your diff and we'll talk.

martijn@



Re: How to enable TLS 1.3?

2020-04-30 Thread Martijn van Duren
If it's not in the manpage it's probably not there.
I did give a quick look through the relayd source, but from what I saw
there's no TLS 1.3 support there.


On 4/30/20 3:55 PM, Chad Hoolie wrote:
> Any idea about relayd though? I don't see any mentioning of 1.3 in man 
> relayd.conf:
> 
> tls
>   no tlsv1.2
>   Disable the TLSv1.2 protocol.  The default is to enable
>   TLSv1.2.
> 
>   sslv3   Enable the SSLv3 protocol.  The default is no sslv3.
> 
>   tlsv1   Enable all TLSv1 protocols.  This is an alias that
>   includes tlsv1.0, tlsv1.1, and tlsv1.2.  The default is
>   no tlsv1.
> 
>   tlsv1.0
>   Enable the TLSv1.0 protocol.  The default is no tlsv1.0.
> 
>   tlsv1.1
>   Enable the TLSv1.1 protocol.  The default is no tlsv1.1.
> 
> --Chad
> 
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 30, 2020 3:04 PM, Martijn van Duren 
>  wrote:
> 
>> On 4/30/20 1:19 PM, Chad Hoolie wrote:
>>
>>> Hello,
>>> I'm using httpd with acme-client and Let's Encrypt 
>>> (https://www.romanzolotarev.com/openbsd/acme-client.html).
>>> This setup, however, only seems to support TLS 1.2, whereas TLS 1.3 is 
>>> needed to achieve A+ ratings across the board.
>>> Anybody know how to make the upgrade?
>>> --Chad
>>
>> httpd(8):
>> protocols string Specify the TLS protocols to enable for this server.
>> If not specified, the value "default" will be used (secure protocols;
>> TLSv1.2-only). Refer to the tls_config_parse_protocols(3) function for
>> other valid protocol string values.
>>
>> tls_config_parse_protocols(3):
>> Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all
>> supported protocols),
>>
>> untested, but seems pretty self-explanatory.
> 
> 



Re: How to enable TLS 1.3?

2020-04-30 Thread Martijn van Duren
On 4/30/20 1:19 PM, Chad Hoolie wrote:
> Hello,
> 
> I'm using httpd with acme-client and Let's Encrypt 
> (https://www.romanzolotarev.com/openbsd/acme-client.html).
> 
> This setup, however, only seems to support TLS 1.2, whereas TLS 1.3 is needed 
> to achieve A+ ratings across the board.
> 
> Anybody know how to make the upgrade?
> 
> --Chad
> 
httpd(8):
protocols string Specify the TLS protocols to enable for this server.   
If not specified, the value "default" will be used (secure protocols; 
TLSv1.2-only).  Refer to the tls_config_parse_protocols(3) function for 
other valid protocol string values.


tls_config_parse_protocols(3):
Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all
supported protocols),

untested, but seems pretty self-explanatory.
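Added example, not from the thread: an httpd.conf(5) server block that uses the `protocols` keyword quoted above to enable TLS 1.3 alongside TLS 1.2 instead of the "default" value (TLSv1.2 only at the time of the quoted man page). The server name, certificate and key paths and the document root are placeholders; the keyword syntax follows tls_config_parse_protocols(3), which accepts a comma- or colon-separated list.

```conf
# Added example (placeholder names), not from the thread.
server "www.example.com" {
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/www.example.com.fullchain.pem"
                key "/etc/ssl/private/www.example.com.key"
                # Without this line httpd uses "default" (TLSv1.2 only here).
                # TLS 1.0 and 1.1 are deliberately left out of the list.
                protocols "tlsv1.2,tlsv1.3"
        }
        root "/htdocs/www.example.com"
}
```

`httpd -n` checks the file before a reload; a client that negotiates TLS 1.3 afterwards is the confirmation that the keyword took effect.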



Re: /bin/sh echo \n

2020-04-26 Thread Martijn van Duren
On 4/26/20 12:27 PM, Thomas de Grivel wrote:
> Hello,
> 
> I was testing some scripting using /bin/sh and I could not find this
> behaviour in the documentation :
> 
>> $ /bin/sh
>> $ echo -n '\n'
>>
>> $
> 
> It seems that ksh even in sh (posix ?) mode does expansion of \n to an
> actual newline.
> 
> First is there a way to turn off the \n expansion in simple quotes in /bin/sh 
> ?

You mean placing an additional \ in front of it?
$ echo '\\n'
\n

Or by calling the binary instead of the shell builtin?
$ /bin/echo '\n'
\n

Or by adding -E?
$ echo -E '\n'
\n

Now also note what POSIX itself says[0]:
It is not possible to use echo portably across all POSIX systems unless
both -n (as the first argument) and escape sequences are omitted.
...
New applications are encouraged to use printf instead of echo.
> 
> Second I don't see this feature described neither in man sh nor man
> ksh so is it a known behaviour of ksh ?

from echo(1):
echo does not support any of the backslash character sequences mandated
by XSI.

from ksh(1):
See the print command below for a list of other backslash sequences that
are recognized.
...
By default, certain C escapes are translated.  These include ‘\b’, ‘\f’,
‘\n’, ‘\r’, ‘\t’, ‘\v’, and ‘\0###’ (‘#’ is an octal digit, of which
there may be 0 to 3).
> 
> Thanks a ton,
> 
[0] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/echo.html
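Added example, not from the thread: a POSIX sh snippet that follows the printf advice quoted above, so the output is the same under OpenBSD's ksh-based /bin/sh, bash and dash. The function names are my own; nothing here comes from the echo(1) or ksh(1) sources.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are assumptions.

# Write a string exactly as given, one per line. printf's %s never
# interprets backslashes in its argument and the argument is never taken
# as an option, so '\n' and '-n' come out literally on every POSIX shell.
emit_literal() {
    printf '%s\n' "$1"
}

# Expand C-style escapes deliberately and portably: %b interprets \n, \t
# and friends in the argument, the way ksh's echo does by default.
emit_escaped() {
    printf '%b\n' "$1"
}

# Number of lines a command writes; shows the difference between the two.
line_count() {
    "$@" | wc -l | tr -d ' '
}

# Stand-alone run.
if [ "${1:-}" = "--demo" ]; then
    emit_literal '\n'        # prints the two characters \ and n
    emit_literal -n          # prints -n, not an empty line
    emit_escaped 'a\nb'      # prints a and b on separate lines
fi
```

The split matters in scripts that pass user-supplied strings to echo: a value like `-e` or a string containing backslashes changes meaning from one shell to the next, while `printf '%s\n'` never does.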



Re: [/ is full] How to delete junk in /dev ?

2020-04-05 Thread Martijn van Duren
On 4/5/20 10:19 AM, Olivier wrote:
> Hi,
> 
> I have been running OpenBSD for a long time (T410 / amd64), and 6.6 since the 
> release. I did not monitor the size of / in the past...
> Until today :(
> 
> Please, how to identify junk to remove in /dev below :
> 
> +---< oliv@snow >---< / >
> +---> df -h 
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/sd0a     1008M   1003M  -44.9M   105%    /
> /dev/sd0m     37.4G    3.7G   31.8G    10%    /home
> /dev/sd0d      3.9G    1.6M    3.7G     0%    /tmp
> /dev/sd0f      3.9G    975M    2.8G    25%    /usr
> /dev/sd0g     1008M    258M    700M    27%    /usr/X11R6
> /dev/sd0h     15.7G    4.5G   10.5G    30%    /usr/local
> /dev/sd0l      2.0G    2.0K    1.9G     0%    /usr/obj
> /dev/sd0k      2.0G    2.0K    1.9G     0%    /usr/src
> /dev/sd0e      7.9G    971M    6.5G    13%    /var
> +---< oliv@snow >---< / >
> +---> doas find -x / -size +1 -exec du -h {} \; 
> 17.9M /bsd
> 9.8M  /bsd.rd
> 848K  /dev/sdXc
> 884M  /dev/sd3
> 17.8M /bsd.sp
> 17.9M /bsd.booted
> +---< oliv@snow >---< / >
> +---> doas du -d1 -h -x /   
> 2.0K  /home
> 2.0K  /tmp
> 2.0K  /usr
> 2.0K  /var
> 16.0K /net
> 2.0K  /altroot
> 10.1M /bin
> 885M  /dev
> 16.2M /etc
> 2.0K  /mnt
> 4.6M  /root
> 23.4M /sbin
> 1003M /
> +---< oliv@snow >---< / >
> +---> doas du -d1 -h -x /dev
> 2.0K  /dev/fd
> 885M  /dev
> +---< oliv@snow >---< / >
> +---> 
> 
> 
> 
> 
> Thanks in advance.
> 
Most likely one of your device nodes turned into a regular file.
Considering what I've seen over the years the most likely culprit is
/dev/null.
Probably the easiest way to find it is with:
find /dev/ -type f -a ! -name MAKEDEV
Once you've found it you can just delete it and recreate it with
cd /dev; sh ./MAKEDEV 

martijn@
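Added example, not from the thread: a small POSIX sh check built around the find(1) command above. `find_stray_files` lists regular files under a device directory (MAKEDEV excepted, as it is the one regular file that belongs in /dev on OpenBSD), `check_device_nodes` confirms that named nodes are still character or block devices, and `make_demo_tree` builds a constructed scratch directory containing a regular file named `null`, which is what a clobbered /dev/null looks like. Function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Names and layout are assumptions.

# List regular files under a device directory, MAKEDEV excepted.
# Returns 1 if any were found, 0 otherwise.
find_stray_files() {
    stray=$(find "$1" -xdev -type f -a ! -name MAKEDEV)
    if [ -n "$stray" ]; then
        printf '%s\n' "$stray"
        return 1
    fi
    return 0
}

# Verify that each named node is still a character or block device.
# Returns the number of nodes that are not, so 0 means all good.
check_device_nodes() {
    bad=0
    for node in "$@"; do
        if [ ! -c "$node" ] && [ ! -b "$node" ]; then
            printf 'not a device node: %s\n' "$node" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Build a constructed scratch directory resembling the failure mode:
# a regular file called "null" where a character device should be.
# Prints the directory path; the caller removes it when done.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/fd"
    : > "$d/MAKEDEV"   # the one regular file expected in a /dev tree
    : > "$d/null"      # constructed: a clobbered /dev/null
    printf '%s\n' "$d"
}

# Stand-alone run: the constructed tree, then the real /dev/null.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_tree)
    find_stray_files "$d"
    check_device_nodes "$d/null" /dev/null
    rm -rf "$d"
fi
```

Running `check_device_nodes /dev/null /dev/zero /dev/urandom` from a cron job is a cheap way to notice this before / fills up: a program run as root with a shell redirection into a node that has been deleted silently recreates it as a regular file, and from then on every write to it is kept.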



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Martijn van Duren
On 3/19/20 9:21 PM, Matthieu wrote:
> Le 19/03/2020 à 20:46, Martijn van Duren a écrit :
>> On 3/19/20 8:24 PM, Matthieu wrote:
>>> Thank you for your response.
>>> My main reason is that, as a freelancer, I have a professional email
>>> that I don't want to mix with my personal email. Moreover, a friend asks
>>> me to host his emails and I don't want to mix it up either.
>>
>> Please be more concise. What do you mean "don't want to mix it up"?
>> What would be mixed up? What would be the consequences of that?
>> Based on what would it need to be separated?
> I don't want the personal or professional domain name to appear in the 
> other's signature. I understand that nobody is going to look at it and 
> that it's a bit maniacal, but I find it cleaner.
> Knowing that Gmail and others are quite strict about their spam filters, 
> I don't find it useless.
> 
So basically the warm and fuzzies. :-)
No problem, but in that case dkimsign is not for you and dkimproxy might
be more suitable.



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Martijn van Duren
On 3/19/20 8:24 PM, Matthieu wrote:
> 
>> On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote:
> 
>> Could you explain why you (think you) need to have multiple domain
>> support?
>> You (currently?) can't. If you want multiple conditions on different
>> filters you would need to create multiple listening sockets (e.g.
>> multiple ips or ports) and apply the correct match-rules based on the
>> socket.
>>
>> martijn@
>>
> Thank you for your response.
> My main reason is that, as a freelancer, I have a professional email 
> that I don't want to mix with my personal email. Moreover, a friend asks 
> me to host his emails and I don't want to mix it up either.

Please be more concise. What do you mean "don't want to mix it up"?
What would be mixed up? What would be the consequences of that?
Based on what would it need to be separated?

And just to be clear, I'm not trying to be a pedantic asshole for its
own sake. I honestly don't see where our interpretations diverge.
> 
> I'm not a C developer, but if I propose a patch for this feature, does it 
> have a possibility to be integrated?
> 
Any patch is welcome if properly motivated. If it's not up to par we can
always polish it further. But I'd advise to first come to an understanding
on the motivation.



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Martijn van Duren
On 3/19/20 7:49 PM, Chris Bennett wrote:
> On Wed, Mar 18, 2020 at 10:45:06PM +0100, Martijn van Duren wrote:
>> That's because filter-dkimsign doesn't support multiple domains, and
>> unless someone can give me a good reason to do so it probably is going
>> to stay that way.
>>
>> I know that some mail providers add an additional positive score to
>> your spam rating if you have DKIM, but I reckon this is BS, because
>> DKIM is nothing more than a glorified debugging tool to tell you which
>> server butchered the content of your mail if every server in the chain
>> adds a DKIM signature. To be precise: it only tells you that a
>> particular domain owner (d-option) knows what server(s) a particular key
>> (s-option) belongs to, so that if a signature fails it it could only
>> have happened before the last server which has a valid signature.
>>
>> Could you explain why you (think you) need to have multiple domain
>> support?
>> You (currently?) can't. If you want multiple conditions on different
>> filters you would need to create multiple listening sockets (e.g.
>> multiple ips or ports) and apply the correct match-rules based on the
>> socket.
>>
>> martijn@
>>
> 
> OK, thanks for clearing that up. I learned a lot using it. I would also
> like to use multiple domains, but I don't see any reason to ask you to
> do any more work than you want to.
> Thanks for your work. I appreciate it. And trying to use multiple
> domains was a good lesson in strange results. :-}
> 
> Chris Bennett
> 
I've had multiple people tell me that they want to have multiple domain
support, but either they misunderstood the workings of DKIM, or it's a
case of "but it gives me the warm and fuzzies".

So please, be as clear as you can be on why you want to use it and how
you want to use it; and either we can improve your understanding of the
spec and your setup (and help people on the list at the same time) or
you make a valid case (maybe I did miss something) and I might be
motivated to add it.

In other words, I'm not definitively saying no, but it will only
complicate the code even further with all the additional risks; there
must be a damn good reason to go down that path.



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-19 Thread Martijn van Duren
On 3/19/20 5:06 AM, Graeme Lee wrote:
> 
> 
> On 19/03/2020 8:45 am, Martijn van Duren wrote:
>> On 3/18/20 8:41 PM, Matthieu wrote:
>>> Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit :
>>>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>>>> Hi everybody
>>>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it 
>>>>> before ?
>>>>> My first intention is to sign mails from different domains on a single 
>>>>> mail
>>>>> server. So the
>>>>>
>>>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>>>> smptd filter.
>>>>> I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify
>>>>> one domaine.
>>>>>
>>>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>>>> not.
>>>>>
>>>>> Thx for any help.
>>>>>
>>>> Hi,
>>>>
>>>> Theres an example described in the smtpd.conf(5) man page.
>>>>
>>>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>>>
>>>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>>>> It's relatively small and also privilege-separated.
>>>>
>>>> It has a parameter to set the domain name (-d). In smtpd.conf you can 
>>>> define
>>>> multiple filters. See also the man page filter-dkimsign(8) for detailed
>>>> information.
>>>>
>>>> I've replaced dkimproxy (Perl-based and complex) with
>>>> opensmtpd-filter-dkimsign. It works well for my needs.
>>>>
>>> Hi Hiltjo,
>>> Currently I already use opensmtpd-filter-dkimsign, but I didn't
>>> understand how to use it for multiple domains at once.
>>>
>>> I've seen the example in the man page :
>>> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
>>>
>>> I thought  was to be replaced by only one domain to sign. Is a
>>> domain a table like Alias? If so, what is the format of the file? But I
>>> doubt it since in the filter code it doesn't look like a list.
>>>
>>> static char *domain = NULL;
>>> […]
>>> case 'd':
>>>   domain = optarg;
>>> […]
>>> if (!dkim_signature_printf(message,
>>> "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>>> cryptalg, hashalg,
>>> canonheader == CANON_SIMPLE ? "simple": "relaxed",
>>> canonbody == CANON_SIMPLE ? "simple": "relaxed",
>>> domain, selector))
>>>
>>> Finally in the example given in this presentation it is indeed a single
>>> domain:
>>> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>>>
>> That's because filter-dkimsign doesn't support multiple domains, and
>> unless someone can give me a good reason to do so it probably is going
>> to stay that way.
> I'm using dkimproxy for this.  I host multiple domain names. dkimproxy 
> is pretty easy to configure to sign outbound on a per domain basis.
> 
> /etc/dkimproxy_out.conf
> listen 127.0.0.1:
> relay 127.0.0.1:
> sender_map /etc/mail/dkim/sender_map
> 
> /etc/dmail/dkim/sender_map
> example.com 
> dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
> example.org 
> dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
> ...
> 
> I can send the smtpdconf through if you're stuck.
> 
> If the domain being relayed is not in the map, it isn't signed. 
> dkimproxy is not doing any inbound processing.  It would be awesome to 
> pull this from a pgsql db source, which is how I manage what smtpd can 
> and cannot relay.
> 
>>
>> I know that some mail providers add an additional positive score to
>> your spam rating if you have DKIM, but I reckon this is BS, because
>> DKIM is nothing more than a glorified debugging tool to tell you which
>> server butchered the content of your mail if every server in the chain
>> adds a DKIM signature. To be precise: it only tells you that a
>> particular domain owner (d-option) knows what server(s) a particular key
>> (s-option) belongs to, so that if a signature fails it it could only
>> have happened before the last server which has a valid signature.
>>
>> Could you explain why you (think you) need to have multiple domain
>> support?
> I own (and manage) multiple domains.  Why would I not take advantage of 
> virtual domains on 1 host?

I do too, but as far as I'm aware there's nothing in the spec that states
that a mail domain should be signed with a key in its own domain; and
I'd like to think that I've been pretty thorough while reading it multiple
times. If I want I can sign a mail with an @gmail.com sender on it with
my personal imperialat.at DKIM key and recipients will properly validate
it.

So yes, I have multiple virtual hosts and only one key (domain+selector)
per server. And if you were to look through your mailbox you'd find
multiple vendors who also sign their mail with a different domain in
their DKIM signature than is in the domain component of their from
header; including office365.
> 
> Graeme
> 
> 



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Martijn van Duren
On 3/18/20 8:41 PM, Matthieu wrote:
> Le 18/03/2020 à 19:39, Hiltjo Posthuma a écrit :
>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>> Hi everybody
>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before ?
>>> My first intention is to sign mails from different domains on a single mail
>>> server. So the
>>>
>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>> smptd filter.
>>> I've seen the «opensmptd-filter-dkimsign» packet, but we can only specify
>>> one domaine.
>>>
>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>> not.
>>>
>>> Thx for any help.
>>>
>>
>> Hi,
>>
>> Theres an example described in the smtpd.conf(5) man page.
>>
>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>
>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>> It's relatively small and also privilege-separated.
>>
>> It has a parameter to set the domain name (-d). In smtpd.conf you can define
>> multiple filters. See also the man page filter-dkimsign(8) for detailed
>> information.
>>
>> I've replaced dkimproxy (Perl-based and complex) with
>> opensmtpd-filter-dkimsign. It works well for my needs.
>>
> 
> Hi Hiltjo,
> Currently I already use opensmtpd-filter-dkimsign, but I didn't 
> understand how to use it for multiple domains at once.
> 
> I've seen the example in the man page :
> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
> 
> I thought  was to be replaced by only one domain to sign. Is a 
> domain a table like Alias? If so, what is the format of the file? But I 
> doubt it since in the filter code it doesn't look like a list.
> 
> static char *domain = NULL;
> […]
> case 'd':
>  domain = optarg;
> […]
> if (!dkim_signature_printf(message,
>   "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>   cryptalg, hashalg,
>   canonheader == CANON_SIMPLE ? "simple": "relaxed",
>   canonbody == CANON_SIMPLE ? "simple": "relaxed",
>   domain, selector))
> 
> Finally in the example given in this presentation it is indeed a single 
> domain:
> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>  
> 
That's because filter-dkimsign doesn't support multiple domains, and
unless someone can give me a good reason to do so it probably is going
to stay that way.

I know that some mail providers add an additional positive score to
your spam rating if you have DKIM, but I reckon this is BS, because
DKIM is nothing more than a glorified debugging tool to tell you which
server butchered the content of your mail if every server in the chain
adds a DKIM signature. To be precise: it only tells you that a
particular domain owner (d-option) knows what server(s) a particular key
(s-option) belongs to, so that if a signature fails it it could only
have happened before the last server which has a valid signature.

Could you explain why you (think you) need to have multiple domain
support?
> 
> Besides, I can't find the man page you're talking about:
> https://man.openbsd.org/filter-dkimsign

man.openbsd.org doesn't contain manpages for packages.
But it should be installed with the package (man filter-dkimsign)
> 
> Finally, I understand how to write multiple filters, but not how to 
> modify the "listen" directive to choose the right filter.
> 
You (currently?) can't. If you want multiple conditions on different
filters you would need to create multiple listening sockets (e.g.
multiple ips or ports) and apply the correct match-rules based on the
socket.

martijn@
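
The two points made in this thread, that a verifier locates the key from d= and s= alone (so the From: domain and the signing domain need not agree) and that the c= canonicalization decides which relay changes break a signature, are easier to see in code. The block below is an added example, not code from filter-dkimsign, dkimproxy or any list post; the DKIM-Signature value, the From: line and the three message bodies are constructed for the demo (b= is a placeholder, not a real signature), and the d=imperialat.at / s=selector1 values are taken from the thread. Beyond the thread, it also carries the RFC 6376 "simple" and "relaxed" body canonicalizations through to a bh= value, and notes that the d=/From: match DKIM does not demand is exactly what DMARC alignment later checks.

```python
"""Parse a DKIM-Signature tag list and apply RFC 6376 body canonicalization.

Added example; this is not code from filter-dkimsign, dkimproxy or any list
post. The sample header and bodies below are constructed for the demo."""
import base64
import hashlib
import re


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2).
    Folding whitespace inside a value (common in b= and bh=) is discarded,
    which is what a verifier does before decoding them."""
    tags = {}
    for item in header_value.split(";"):
        if not item.strip():
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags):
    """DNS TXT name a verifier queries for the public key: <s>._domainkey.<d>.
    Only d= and s= matter here; the From: header plays no part in the lookup."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def from_domain(from_header):
    """Domain part of the first address in a From: header (enough for the demo)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else ""


def signing_domain_matches_from(tags, from_header):
    """True when d= equals the From: domain. DKIM itself does not require this
    (the signature verifies either way); DMARC alignment is what checks it."""
    return tags["d"].lower() == from_domain(from_header)


def body_canon_of(tags):
    """Body canonicalization chosen by c=; 'simple' if c= or its second half is absent."""
    canon = tags.get("c", "simple/simple")
    return canon.split("/")[1] if "/" in canon else "simple"


def canon_body_simple(body):
    """RFC 6376 3.4.3: drop trailing empty lines; an empty body becomes one CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines) or "\r\n"


def canon_body_relaxed(body):
    """RFC 6376 3.4.4: collapse runs of SP/TAB to one SP, strip trailing
    whitespace on each line, then drop trailing empty lines."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, canon="relaxed", alg="sha256"):
    """bh= value: base64 of the digest over the canonicalized body."""
    text = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.new(alg, text.encode()).digest()).decode()


def body_hash_survives(original, received, canon):
    """Would the bh= computed by the signer still match at the verifier?"""
    return body_hash(original, canon) == body_hash(received, canon)


# Constructed sample data: the body as written, the same body after a relay
# that rewrote tabs and trailing whitespace, and after one that appended text.
ORIGINAL_BODY = "Hello,\r\n\r\nPlease\treview the\tattached diff.\r\n-- \r\nmartijn\r\n"
WHITESPACE_MANGLED = "Hello,\r\n\r\nPlease  review the  attached diff.  \r\n-- \r\nmartijn\r\n\r\n\r\n"
FOOTER_APPENDED = ORIGINAL_BODY + "Scanned by the relay.\r\n"

# Constructed DKIM-Signature value (b= is a placeholder, not a real signature);
# d=/s= follow the thread and the From: is the gmail.com case it mentions.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=imperialat.at; s=selector1;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY, "relaxed") + ";\r\n"
    "\tb=PLACEHOLDER"
)
SAMPLE_FROM = "From: Someone <someone@gmail.com>"

if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_SIGNATURE)
    print("key record:", key_record_name(tags))
    print("d= matches From: domain:", signing_domain_matches_from(tags, SAMPLE_FROM))
    for label, received in (("whitespace", WHITESPACE_MANGLED), ("footer", FOOTER_APPENDED)):
        for canon in ("simple", "relaxed"):
            print(label, canon, "bh still matches:",
                  body_hash_survives(ORIGINAL_BODY, received, canon))
```

Running it shows the whitespace-rewriting relay only breaks the body hash under c=simple, while the relay that appends a footer breaks it under both; that is the "which server butchered the content" diagnostic the thread describes, and it is all a DKIM signature by itself can tell you.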



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Martijn van Duren
On 3/18/20 3:59 PM, Jeffrey Walton wrote:
> On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  wrote:
>>
>> On 2020-03-18, Jeffrey Walton  wrote:
>>> According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
>>> OpenBSD implements glibc bounds checking on certain functions. I am
>>> trying to detect FORTIFY_SOURCE without looking up operating system
>>> names and versions.
>>
>> That is a NetBSD manual page, it does not apply to OpenBSD.
> 
> Thanks.
> 
> I may be splitting hairs, but the pages title clearly says it is an
> OpenBSD man page.
> 
> What is the purpose of supplying man pages for the wrong operating
> system? It wastes people's time and breaks search. This search does
> not produce expected results:
> https://www.google.com/search?q=FORTIFY_SOURCE+site%3Aopenbsd.org.
> 
> If you really want to confuse folks, maybe OpenSD can supply Windows man 
> pages.
> 
> Jeff
> 
What do you mean?
Do you mean "OpenBSD manual page server", which clearly states OpenBSD's
just the server.
From the NAME section: "security — NetBSD security features"
From the DESCRIPTION section: "NetBSD supports a variety of security
features"
From the footer: "May 21, 2016 NetBSD-8.1"

On the entire page OpenBSD is only mentioned once, NetBSD 16 times, not
including the drop down menu allowing you to select your operating
system + version of choice.

To me this feels similar to someone coming to the list and asking why
they can't find snmpctl on their OpenBSD 6.6 machine, because some
search engine sent them to a 6.5 or older page.



Re: Start point to learn OpenBSD programming

2020-03-16 Thread Martijn van Duren
On 3/16/20 9:22 AM, Ingo Schwarze wrote:
> Hi Martijn,
> 
> Martijn van Duren wrote on Mon, Mar 16, 2020 at 08:52:54AM +0100:
>> On 3/16/20 8:23 AM, Martin wrote:
>> If you want reading material find a function you don't understand and
>> lookup the manpage. If you want to have a more adventurous approach:
>> $ PAGE=$(ls /usr/share/man/man[23] | sort -R  | head -1); \
>> man ${PAGE##*.} ${PAGE%.*}
> 
> That can be simplified:
> 
>   $ man -l $(ls /usr/share/man/man[23]/*.[23] | sort -R  | head -1)
> 
> ;-)
>   Ingo
> 
Who said I went for simple? I even left a minor bug in there for Martin
to find. :-)



Re: Start point to learn OpenBSD programming

2020-03-16 Thread Martijn van Duren
On 3/16/20 8:23 AM, Martin wrote:
> Hello list,
> 
> The best way for beginner to start with OpenbBSD programming?
> 
> Martin
> 
This belongs on misc, so moving it there.

My usual routine (and probably of a lot of other OpenBSD developers) is:
1) Use it
2) Get annoyed by something (bug?)
3) Dive into /usr/src to see what it actually does
4a) Realize I'm wrong in my initial annoyance; goto 1)
4b) Realize you can't fix the bug and ask for help on bugs@; goto 1)
4c) Try to fix the bug and send a patch to tech@
5a) Patch falls in between the cracks (no-one responds) and it's not
that important to you; goto 1)
5b) Patch falls in between the cracks and it's important to you;
send reminder and goto 1) in the meantime.
5c) Realize my interpretation was wrong based on feedback; goto 1)
5d) Realize my patch was wrong based on feedback; goto 4b)
5e) Patch gets committed; goto 1)

If you want reading material find a function you don't understand and
look up the manpage. If you want to have a more adventurous approach:
$ PAGE=$(ls /usr/share/man/man[23] | sort -R  | head -1); \
man ${PAGE##*.} ${PAGE%.*}

Another interesting place for some backstories is:
https://www.openbsd.org/events.html

Hope this helps.

martijn@



Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-28 Thread Martijn van Duren
On 1/28/20 9:29 AM, Patrick Kristiansen wrote:
> Hi Ingo
> 
> Thank you for your reply.
> 
> I can't say I disagree with your and the OpenBSD team's attitude about
> bug-free daemons. But I am just a lowly application programmer, and
> sometimes I introduce horrible bugs that make our systems crash. In many
> cases it will be preferable to just start the process again (and, of
> course, fix the bug) for the purposes of keeping our business running.

Everyone has a testing environment, not everyone has a production
environment...
> 
> But another use for daemon(8) is for its ability to detach the child
> process from the controlling terminal and furthermore redirect its
> stdout/stderr to syslog. Is there some mechanism to do that from the
> shell? Perhaps a combination of nohup and starting a background job?

I once had to write a support script in shell that needed to run as
daemon, basically some action needed to be taken if something was found
in a log-file. To do this I did exactly what you said:
nohup  2>&1 | logger  &
and put this inside an rc.d file or equivalent format of your OS of
choice.

Now I'm not promoting this kind of hackery, but this worked for me
quite reliably at the time.

martijn@
> 
> Best regards,
> Patrick
> 
>> Hi Patrick,
>>
>> Patrick Kristiansen wrote on Mon, Jan 27, 2020 at 08:13:28PM +0100:
>>
>>> Is there something like the FreeBSD daemon(8) command for OpenBSD,
>>> which can run a process in the background and restart it if it
>>> crashes?
>>
>> Absolutely not, we are strongly convinced this is an utterly stupid
>> idea and a serious security risk.
>>
>> If a daemon crashes, it has a bug.  Many bugs that cause crashes
>> are also exploitable.  So if a daemon crashes, you first have to
>> understand why it crashed, fix or at least mitigate the bug, and
>> can only restart it afterwards.
>>
>> Restarting it automatically is an irresponsible thing to do.
>>
>> If a daemon keeps crashing so frequently that you can only run it
>> in production with automatic restarts, then running it at all is
>> irresponsible in the first place.
>>
>> Yours,
>>  Ingo
> 



Re: The OpenBSD talk at 36c3

2019-12-30 Thread Martijn van Duren
On 12/30/19 11:46 AM, Claudio Jeker wrote:
> On Sun, Dec 29, 2019 at 01:29:12PM +0100, Henry Jensen wrote:
>> Greetings,
>>
>> for those who didn't watched it, there is an accompanied site at
>> https://isopenbsdsecu.re/
>>
>> Summary: There are a lot of claims. The speaker basically said, that
>> some mitigations are "cool", but other, more or less, useless.
>>
>> Further accusations are, that OpenBSD still uses e-mail and cvs and not
>> more advanced CI tools.
>>
>> I can't say anything to the more technical claims about useless
>> mitigations, since I am not a OS developer. Is there going to be a
>> response from the OpenBSD team?
>>
> 
> One thing that everyone can check is the claim that 50% of our commit
> messages are less than 10 chars long and 75% are less than 20 chars.
> Using the git repo you can run something like this and get the numbers
> yourself.
> 
> openbsd-git> git log --log-size --format="%B" | grep '^log size ' | cut -f
> 3 -d ' ' | awk '{ t++; if ($1 <= 10) s++; if ($1 <= 20) m++; else l++; }
> END { print s " <= 10 char"; print m " <= 20 char"; print l " rest"; print
> t " total" }'
> 
> 12386 <= 10 char
> 25894 <= 20 char
> 176304 rest
> 202198 total
> 
> Sorry but 25k is no where close to 75% of 202198.
> Seems he did count words not characters.
> 
And of those messages the vast majority are sync and regen which are
done to whip the build/sets infrastructure back into shape after a major
change (addition or deletion) and don't need any additional information.

$ git log --log-size --format="%B" | \
awk '/^log size/{
  if (matches == 1) {messages[line]++; line = ""}
  matches = 0;
  if ($3 <= 10) { matches = 1}
}
{
  if (matches == 1 && $0 !~ /^log size/) {line = line tolower($0)}
}
END {
  for (line in messages){ print messages[line]": "line}
}' | \
sort -n | tail
107: tweaks;
115: spelling
117: regen.
135: indent
183: oops
249: spacing
416: knf
441: typo
1902: regen
4915: sync



Re: snmpd(8) custom OID names

2019-11-28 Thread Martijn van Duren
On 11/27/19 4:27 PM, Joel Carnat wrote:
> Hello,
> 
> I have set custom OIDs in my snmpd.conf(5).
> When I walk or get those values, using snmp(1) or snmpget(1), the
> "name" parameters is not listed. I only get values described as
> OPENBSD-BASE-MIB::localTest.*
> 
> Is there a straight way to get the configured names from snmp clients?
> Or do I have to write a MIB file for this particular localTest sub-MIB?
> 
> TIA,
> Jo
> 
The snmp protocol has no notion of symbolic names, it's just the oid
and the value.

If you want to show your custom name with snmp(1) you can add it to
mib.h and recompile. This is of course not supported. There currently
is no support for MIB-files for snmp(1), and there might never be.

For net-snmp you can write a custom MIB-file to get the symbolic name.

martijn@



Re: Tools for writers

2019-11-05 Thread Martijn van Duren
On 11/6/19 12:07 AM, Steve Litt wrote:
> On Tue, 5 Nov 2019 23:12:52 +0100
> Ingo Schwarze  wrote:
> 
>  
>> https://www.openbsd.org/papers/bsdcan18-mandoc.pdf
> 
> If the preceding presentation was authored in mdoc(7), could  you please
> post the mdoc code that created it, and the mandoc(1) command and any
> filter programs that caused it to be a presentation instead of a man
> page?

You mean this one?
https://www.openbsd.org/papers/bsdcan18-mandoc.roff

There are more examples at:
https://www.openbsd.org/events.html

martijn@



Re: LDAP tls: handshake failure

2019-10-24 Thread Martijn van Duren
On 10/24/19 3:29 PM, Robert Klein wrote:
> On Thu, 24 Oct 2019 14:06:47 +0200,
> Martijn van Duren wrote:
>>
>> On 10/24/19 1:50 PM, Robert Klein wrote:
>>> Hi,
>>>
>>>
>>>
>>> On Thu, 24 Oct 2019 05:26:49 +0200,
>>> Predrag Punosevac wrote:
>>>>
>>>> Kapetanakis Giannis wrote:
>>>>
>>>>> On 23/10/2019 19:14, Predrag Punosevac wrote:
>>>>>> Hi Misc,
>>>>>>
>>>>>> I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
>>>>>> authentication services for a 100 some member university research group.
>>>>>> It appears TLS handshake is broken. This worked perfectly on 6.5 and
>>>>>> earlier.
>>>>>>
>>>
>>> [ rest deleted ]
>>>
>>>> I am out of fuel to look more this tonight but I am 99% sure something
>>>> have changed on 6.6 which broke the things. Maybe my configuration was
>>>> wrong all along and in 6.6 few screws got tighten up which bit me for my
>>>> rear end. I would appreciate any further commend or suggestions how to
>>>> debug this. I would also appreciate any reports of fully working ldapd
>>>> on 6.6 release
>>>>
>>>> Best,
>>>> Predrag
>>>>
>>>
>>> This is related to commit “Make sure that ber in ber_scanf_elements is
>>> not NULL before parsing format” (martijn@) and caused by the scan string
>>> used by ber_scanf_elements on line 310 in ldape.c
>>
>> Thanks for looking into this. I didn't find the time yet.
>>>
>>> Regarding the commit, see also emails with subject “ber.c: Don't
>>> continue on nonexistent ber” to tech@ on August, 13.
>>>
>>> When you set scan string for ber_scanf_elements in line 310 of ldape.c
>>> from "{se" to "{s" it works again.  Patch below.
>>>
>>> When you look at the ldap_extended function on ldape.c, you see ext_val
>>> is assigned to req_op in line 314.  The only use could happen in the
>>> extended_ops[i]fn(req) call in line 318.  This currently can only be a
>>> call to ldap_starttls (beginning at line 285, same file) which doesn't
>>> use req_op either.  So it the `e' shouldn't matter.
>>>
>>> At a guess, this also conforms to RFC4511, section 4.14.1.
>>
>> Glancing over the RFC seems that you are correct.
>>>
>>> If ldap_extended is extended to handle other operations than starttls,
>>> care must be taken for an optional additional octet string in the
>>> request (see definition of extended request in RFC4511, section 4.12).
>>
>> Diff below should handle this. Also, you forgot to remove the ext_val.
> 
> Sorry.  Been too happy to get it working.
> 
> Is it necessary to assign req->op ?  I didn't see it used and it gets
> freed in the call to request_free().

In its current form probably not, but on the other hand it keeps the
current behaviour/intent more consistent and might help expand if we
ever want to add additional extended operations.

If you feel strongly I'll remove it altogether, I'm not strongly
inclined either way.
> 
> 
> Robert
> 
>>>
>>>
>>> Best regards
>>> Robert
>>>
>> martijn@
>>
>> Index: ldape.c
>> ===
>> RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
>> retrieving revision 1.31
>> diff -u -p -r1.31 ldape.c
>> --- ldape.c  28 Jun 2019 13:32:48 -  1.31
>> +++ ldape.c  24 Oct 2019 12:05:19 -
>> @@ -298,7 +298,6 @@ ldap_extended(struct request *req)
>>  {
>>  int  i, rc = LDAP_PROTOCOL_ERROR;
>>  char*oid = NULL;
>> -struct ber_element  *ext_val = NULL;
>>  struct {
>>  const char  *oid;
>>  int (*fn)(struct request *);
>> @@ -307,11 +306,11 @@ ldap_extended(struct request *req)
>>  { NULL }
>>  };
>>  
>> -if (ber_scanf_elements(req->op, "{se", , _val) != 0)
>> +if (ber_scanf_elements(req->op, "{s", ) != 0)
>>  goto done;
>>  
>>  log_debug("got extended operation %s", oid);
>> -req->op = ext_val;
>> +req->op = req->op->be_sub->be_next;
>>  
>>  for (i = 0; extended_ops[i].oid != NULL; i++) {
>>  if (strcmp(oid, extended_ops[i].oid) == 0) {
> 



Re: LDAP tls: handshake failure

2019-10-24 Thread Martijn van Duren
On 10/24/19 2:25 PM, Claudio Jeker wrote:
> 
> OK claudio@
> 
I'll commit this soon-ish based on claudio's OK, but if at all possible 
I would like to ask the people affected by this to test this and see if 
this solves their problem.

For the people running -current, here's an updated diff based on tb@'s
commit which changes ber_* to ober_* (note that you also need to get
the latest libutil).

martijn@

Index: ldape.c
===
RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
retrieving revision 1.32
diff -u -p -r1.32 ldape.c
--- ldape.c 24 Oct 2019 12:39:26 -  1.32
+++ ldape.c 24 Oct 2019 13:22:37 -
@@ -298,7 +298,6 @@ ldap_extended(struct request *req)
 {
int  i, rc = LDAP_PROTOCOL_ERROR;
char*oid = NULL;
-   struct ber_element  *ext_val = NULL;
struct {
const char  *oid;
int (*fn)(struct request *);
@@ -307,11 +306,11 @@ ldap_extended(struct request *req)
{ NULL }
};
 
-   if (ober_scanf_elements(req->op, "{se", , _val) != 0)
+   if (ober_scanf_elements(req->op, "{s", ) != 0)
goto done;
 
log_debug("got extended operation %s", oid);
-   req->op = ext_val;
+   req->op = req->op->be_sub->be_next;
 
for (i = 0; extended_ops[i].oid != NULL; i++) {
if (strcmp(oid, extended_ops[i].oid) == 0) {
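
Review bot: the new `req->op = req->op->be_sub->be_next;` is NULL whenever the ExtendedRequest carries no requestValue, which RFC 4511 section 4.12 (cited earlier in this thread) makes OPTIONAL and which is the normal StartTLS case that the old `"{se"` scan string rejected; every extended_ops[i].fn must therefore tolerate req->op == NULL, and a one-line comment at that assignment saying so would spare the next reader a trip into the BER element layout. Since this variant only renames ber_scanf_elements to ober_scanf_elements, the ownership question Robert raised about request_free() applies here unchanged.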



Re: LDAP tls: handshake failure

2019-10-24 Thread Martijn van Duren
On 10/24/19 1:50 PM, Robert Klein wrote:
> Hi,
> 
> 
> 
> On Thu, 24 Oct 2019 05:26:49 +0200,
> Predrag Punosevac wrote:
>>
>> Kapetanakis Giannis wrote:
>>
>>> On 23/10/2019 19:14, Predrag Punosevac wrote:
 Hi Misc,

 I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
 authentication services for a 100 some member university research group.
 It appears TLS handshake is broken. This worked perfectly on 6.5 and
 earlier.

> 
> [ rest deleted ]
> 
>> I am out of fuel to look more this tonight but I am 99% sure something
>> have changed on 6.6 which broke the things. Maybe my configuration was
>> wrong all along and in 6.6 few screws got tighten up which bit me for my
>> rear end. I would appreciate any further commend or suggestions how to
>> debug this. I would also appreciate any reports of fully working ldapd
>> on 6.6 release
>>
>> Best,
>> Predrag
>>
> 
> This is related to commit “Make sure that ber in ber_scanf_elements is
> not NULL before parsing format” (martijn@) and caused by the scan string
> used by ber_scanf_elements on line 310 in ldape.c

Thanks for looking into this. I didn't find the time yet.
> 
> Regarding the commit, see also emails with subject “ber.c: Don't
> continue on nonexistent ber” to tech@ on August, 13.
> 
> When you set scan string for ber_scanf_elements in line 310 of ldape.c
> from "{se" to "{s" it works again.  Patch below.
> 
> When you look at the ldap_extended function on ldape.c, you see ext_val
> is assigned to req_op in line 314.  The only use could happen in the
> extended_ops[i]fn(req) call in line 318.  This currently can only be a
> call to ldap_starttls (beginning at line 285, same file) which doesn't
> use req_op either.  So it the `e' shouldn't matter.
> 
> At a guess, this also conforms to RFC4511, section 4.14.1.

Glancing over the RFC seems that you are correct.
> 
> If ldap_extended is extended to handle other operations than starttls,
> care must be taken for an optional additional octet string in the
> request (see definition of extended request in RFC4511, section 4.12).

Diff below should handle this. Also, you forgot to remove the ext_val.
> 
> 
> Best regards
> Robert
> 
martijn@

Index: ldape.c
===
RCS file: /cvs/src/usr.sbin/ldapd/ldape.c,v
retrieving revision 1.31
diff -u -p -r1.31 ldape.c
--- ldape.c 28 Jun 2019 13:32:48 -  1.31
+++ ldape.c 24 Oct 2019 12:05:19 -
@@ -298,7 +298,6 @@ ldap_extended(struct request *req)
 {
int  i, rc = LDAP_PROTOCOL_ERROR;
char*oid = NULL;
-   struct ber_element  *ext_val = NULL;
struct {
const char  *oid;
int (*fn)(struct request *);
@@ -307,11 +306,11 @@ ldap_extended(struct request *req)
{ NULL }
};
 
-   if (ber_scanf_elements(req->op, "{se", , _val) != 0)
+   if (ber_scanf_elements(req->op, "{s", ) != 0)
goto done;
 
log_debug("got extended operation %s", oid);
-   req->op = ext_val;
+   req->op = req->op->be_sub->be_next;
 
for (i = 0; extended_ops[i].oid != NULL; i++) {
if (strcmp(oid, extended_ops[i].oid) == 0) {
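
Review bot: after `req->op = req->op->be_sub->be_next;` the root of the parsed element tree is no longer reachable through req->op, and Robert points out above that req->op is what request_free() releases; the previous `req->op = ext_val;` had the same shape, so this is not a regression, but a short comment stating where the root sequence is still freed (or that it intentionally is not) would close that question. The same line yields NULL when the OPTIONAL requestValue of RFC 4511 section 4.12 is absent, which is the StartTLS case that made `"{se"` fail, so the extended_ops[i].fn callbacks need to accept req->op == NULL.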



Re: OpenBSD and doas xterm pftop

2019-10-21 Thread Martijn van Duren
On 10/21/19 10:35 PM, Peter Fraser wrote:
> I was surprised that after upgrading to 6.6 that
> 
> doas xterm pftop & 
> 
> fails with:
> 
> Warning: This program is an suid-root program or is being run by the root 
> user.
> The full text of the error or warning message cannot be safely formatted
> in this environment. You may get a more descriptive message by running the
> program as a non-root user or by removing the suid bit on the executable.
> xterm: Xt error: Can't open display: %s
> 
> This is the result of the change in the behavior of doas.
> Quoting from the upgrade manual
> 
> doas(1). The environment variable handling in doas(1) has been changed. In 
> particular HOME and PATH are now reset to the target user.
> 
> I assume that the problem arises because .Xauthority cannot be found
> 
> Pass HOME and PATH in doas.conf allows the old behavior.
> 
This is primarily the reason for changing doas' behaviour.
Not Xauthority per se, but reaching back to the caller's home directory
allowing arbitrary files to be loaded and potentially executed as
another user in a way not intended potentially leading to privilege
escalation.

Instead of setenving HOME and PATH I suggest you change the command to
xterm -e doas pftop &
or if your needs are covered
xterm -e doas systat states &

martijn@



Re: vi(1) and ranges

2019-10-18 Thread Martijn van Duren
On 10/18/19 7:23 PM, adr wrote:
> Going through the vi man page (and the one of editors/nvi) looking
> for some hint about '|' in maps some days before, I noticed that
> the ranges aren't described.
> 
> If the developers are interested I can add the description from
> the nvi reference manual, next to the description of count, motion,
> etc.
> 
> regards,
> adr
> 
First you insult someone who says he's happy with a developers answer 
and then you send this email without any contribution to basically the  
wrong list. You might want to learn from the saying "You catch more 
flies with honey than vinegar".

I for one am currently not interested in looking at your work (assuming
there's going to be any) if that's how you present yourself to the
community.

martijn@



Re: shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread Martijn van Duren
On 7/9/19 11:40 AM, mansoor wrote:
> Hi,
> I am using OpenBSD 6.4 and php version 5.6, I am trying to execute shell
> commands through php file using exec, shell_exec or system (tried all of
> them) but none is working.
> 
> Here is a sample code in my index.php file.
> 
> <?php $output = shell_exec('ls -l');
> echo "$output";
> ?>

It's almost never a good idea to use shell_exec or system.
In this case I'd advise to use opendir+readdir and stat if you need the
file metadata.
> 
> Here is  link
> 
>  
> to my stackoverflow question.
> 
> I am stuck in this problem for about a week now.
> Please help me if anyone know about this.
> Thanks

You haven't given enough information for a definitive answer, but my
guess is that you run php through php-fpm, which is by default chrooted
to /var/www. Since shell_exec and system first call /bin/sh and you
most likely didn't copy it to /var/www/bin/sh it can't find your shell.
After that you'd also need to copy the binaries (in this case ls) to
your chroot and possible library dependencies (not needed for files
under /bin).

Hope this helps for illustrative purposes, but please don't use it in
production.

martijn@
> 
> 
> 
> --
> Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html
> 



Re: [6.5] minidlna error: accept(http): Too many open files

2019-04-29 Thread Martijn van Duren
I haven't spent any time on the why, but I also had some problems with
openfiles-{cur,max}, but changing it to openfiles=x worked for me.

ymmv.

martijn@

On 4/28/19 10:35 PM, Stephane HUC "PengouinBSD" wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> Hi, all
> 
> After upgrading OpenBSD from 6.4 to 6.5, I've a problem to use minidlna.
> It fills the /var/log/minidlna/minidlna.log with several error
> messages, such as:
> [2019/04/25 15:26:29] monitor_kqueue.c:226: error:
> open(/home/z2/Music/xyz) [Too many open files]
> (...)
> [2019/04/25 20:15:05] minidlna.c:165: error: accept(http): Too many
> open files
> 
> as read on the pkg-readme, I change both files '/etc/sysctl.conf',
> '/etc/login.conf'.
> 
> I added 'kern.maxfiles=16384' for sysctl.
> And on login file, I wrote:
> "minidlna:\
> :openfiles-cur=16384:\
> :openfiles-max=16384:\
> :tc=daemon:
> "
> And after, I rebooted my machine.
> 
> But those errors continue, and grow the log until my dedicated slice
> /var/log is full, and minidlna does not run correctly. Why?
> What are the good values of system limits to run minidlna correctly?
> 
> - 
> 
> OpenBSD 6.5 (GENERIC.MP) #3: Sat Apr 13 14:48:43 MDT 2019
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8487260160 (8094MB)
> avail mem = 8220409856 (7839MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec580 (74 entries)
> bios0: vendor Alienware version "A08" date 01/25/2018
> bios0: Alienware Alienware 13
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI SSDT ASF!
> SLIC SSDT SSDT SSDT SSDT CSRT SSDT
> acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4)
> PEG2(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4)
> PXSX(S4) RP04(S4) RP05(S4) PEGP(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 799.44 MHz, 06-45-01
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,
> DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOV
> BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAH
> F,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIB
> P,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 799.32 MHz, 06-45-01
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,
> DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOV
> BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAH
> F,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIB
> P,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 1 (application processor)
> cpu2: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 799.31 MHz, 06-45-01
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,
> DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOV
> BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAH
> F,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIB
> P,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 1, core 0, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 799.31 MHz, 06-45-01
> cpu3:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
> CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,
> DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOV
> BE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAH
> F,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,STIB
> P,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 1, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
> acpimadt0: bogus nmi for apid 0
> acpimadt0: bogus nmi for apid 2
> acpimadt0: bogus nmi for apid 1
> acpimadt0: bogus nmi for apid 3
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xf800, bus 0-63
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 

Re: Code of Conduct location

2019-04-28 Thread Martijn van Duren
You mean something like the following?
https://www.openbsd.org/mail.html

martijn@

On 4/28/19 9:58 AM, Strahil Nikolov wrote:
> Hello All,
> 
> can someone point me to the link of the OpenBSD code of Conduct ?
> 
> It seems that I can't find it even with the help of google.
> 
> Best Regards,
> Strahil Nikolov
> 



Re: Changing kern.nprocs and kern.nfiles

2018-11-16 Thread Martijn van Duren
On 11/16/18 10:24 AM, Mik J wrote:
> Hello,
> 
> Does anyone know how to change these values ?
> 
> # sysctl kern.nprocs=52
> sysctl: kern.nprocs: Operation not permitted
> # sysctl kern.nfiles=575
> sysctl: kern.nfiles: Operation not permitted
> 
> Regards
> 
See sysctl(2):
   Second level name    Type       Changeable
...
   KERN_NFILES          integer    no
...
   KERN_NPROCS          integer    no
...
 KERN_NFILES (kern.nfiles)
 Number of open files.
...
 KERN_NPROCS (kern.nprocs)
 The number of entries in the kernel process table.

If you want to change the maximum number of open files/processes take a
look at ksh(1) ulimit or csh(1) limit and login.conf(5).

Hope this helps.

martijn@



Re: Clarification about mfs/tmpfs on /tmp

2018-10-09 Thread Martijn van Duren
On 10/9/18 2:03 PM, Stuart Henderson wrote:
> On 2018-10-09,   wrote:
>> Solene Rapenne wrote:
>>> hello,
>>
>>> if you don't put any /tmp in fstab, /tmp comes from the / partition, which
>>> doesn't have nodev and nosuid mount options, and which is very tiny.
>>
>>> tmpfs has been disabled: see
>>> https://marc.info/?l=openbsd-tech=148173068424515=2 
>>> 
>>
>>> main difference between mfs and tmpfs. mfs is a ffs mounted from memory and
>>> will use the memory reserved for it, while tmpfs will use memory only when 
>>> it's
>>> really used. If you give 500 MB to mfs, it will be instantly used in your
>>> memory, even if you have 0 file in it.
>>
>>> I don't know for chromium.
>>
>> Thank you for your reply, this resolves my first two problems.
>> I have two follow-up questions:
>>
>> 1) Regarding mfs, using an fstab entry as in the example in fstab(5), i.e.,
>>     swap /tmp mfs rw,nodev,nosuid,-s=153600 0 0, gives me a /tmp with write
>>     permissions for root only (as opposed to mounting UID.d, where every
>>     user can write on /tmp). Looking up newfs(8), I don't see a way to set
>>     permissions, hence I have done this using a chmod command in rc.local.
>>     Is there a better way to set the right permissions for a mfs /tmp?
> 
> This one is easy, simply set the appropriate permissions on the
> directory where you mount the mfs.
> 
> 
> 
> 
>> 2) "tmpfs has been disabled": Would it make sense to write to the developer
>>     mailing list and suggest to either drop it (as I understand it, OpenBSD
>>     has a policy of dropping unsupported/unmaintained features) or at least
> 
> It's not included in the GENERIC kernel configuration but isn't
> otherwise disabled. Actually removing code from the tree would make
> it harder if anyone wants to fix it ..
> 
>>     to mention that tmpfs has been disabled in mount_tmpfs(8)?
> 
> Perhaps. Though I think in general with the mount_* manuals it's
> assumed that the relevant support is compiled into the kernel for them
> to work ..
> 
> 
So what about unlinking the tool from the build?
Probably not until after release though.

This should probably be done in the rd as well, but I'm not
familiar enough with that part of the tree to include it in this
quick diff.

martijn@

Index: Makefile
===
RCS file: /cvs/src/sbin/Makefile,v
retrieving revision 1.106
diff -u -p -r1.106 Makefile
--- Makefile3 Jun 2017 10:00:29 -   1.106
+++ Makefile9 Oct 2018 12:13:30 -
@@ -4,7 +4,7 @@ SUBDIR= atactl badsect bioctl clri dhcli
disklabel dmesg dump dumpfs fdisk fsck fsck_ext2fs fsck_ffs  \
fsck_msdos fsdb fsirand growfs ifconfig iked init ipsecctl  \
isakmpd kbd ldattach mknod mount \
-   mount_cd9660 mount_ext2fs mount_ffs mount_msdos \
+   mount_cd9660 mount_ffs mount_msdos \
mount_nfs mount_ntfs mount_tmpfs mount_udf \
mount_vnd mountd ncheck_ffs newfs newfs_ext2fs newfs_msdos \
nfsd nologin pdisk pfctl pflogd ping quotacheck \
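Review bot: the hunk removes mount_ext2fs from SUBDIR, but the message above says the intent is to unlink mount_tmpfs from the build, and mount_tmpfs is still present on the unchanged context line `mount_nfs mount_ntfs mount_tmpfs mount_udf \`. Either the wrong entry was dropped, or the change needs to say why mount_ext2fs is the one being unlinked; if ext2fs really is the target, fsck_ext2fs and newfs_ext2fs in the same SUBDIR list would need the same treatment.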



Re: Pkg_add

2018-09-13 Thread Martijn van Duren
On 09/13/18 07:08, Michael Ayres wrote:
> New to OpenBSD, which I am newly running as a Parallels VM on my Apple 
> MacBook Pro. Shell and basic commands working, and have set path variable 
> PKG_PATH =
> 
> On calling PGK_ADD, with -v switch,  I get screen display of
> 
> “Update candidates: quits-2.414 -> quirks-2.414
> quirks-2.414 signed on 2018-03-29T09:01:59Z"
> 
> but then nothing.
> 
> Recalling Unix’s reticent personality, I wait, but nothing ever seems to 
> happen. With a new install, downloaded 6, do I have 29 tons of updates, has 
> BSD become too bored with me to even acknowledge I exist, or have I misspoken 
> to it?
> 
> 
> Michael Ayres
> 
> Michael Ayres, MS, CISSP, CSEP, CSM, PMI-ACP, PMP | www.mace-associates.com 
> 
> San Francisco, CA. | 415.999.2049   
> https://www.linkedin.com/in/michaelmaceayres 
> 
> michael.ay...@yahoo.com 
> 
> 
> 
I'm not 100% sure what your question is, but here's my take on things:
pkg_add only works on 3rd party packages. If you have 3rd party
packages installed you can update those with `pkg_add -u`, although
they usually don't get updates on stable releases, which you're
running based on quirks version.
If you want updates on your base OS you can run syspatch(8).

Once you feel familiar enough with the system I encourage you to
run -current, since that's where the cool kids hang out. You can
update to -current by downloading bsd.rd from your favourite mirror
and boot it, similar to how you've installed OpenBSD.
Once you've updated to -current, don't forget to update your packages
with `pkg_add -u`.

For further reading I recommend at least:
http://man.openbsd.org/syspatch
http://man.openbsd.org/pkg_add
https://www.openbsd.org/faq/current.html
https://www.openbsd.org/faq/faq15.html
and if you're up to it the rest of the FAQ and after that some
manpages. They're a never ending source of information.

Hope this helps.

martijn@



Re: VMD linux/debian cdrom issue

2018-08-23 Thread Martijn van Duren
Hello Ales,

I ran into the same problem and found that the Debian installer doesn't
include the virtio drivers and thus can't use the cdrom or the disk.

I worked around this by bootstrapping the disk via the qemu port and
booting the disk from vmm once it's finally done. Qemu is significantly
slower than vmm, so do get another cup of $BEVERAGE.

I haven't taken the time to contact Debian about this, so it's
probably not yet known to them.

Hope this helps for now.

martijn@

On 08/23/18 12:18, Ales Tepina wrote:
> Hello!
> 
> I have a lenovo T470 running current on which i would like to use vmd
> to run debian for some work specific stuff.
> I'm having trouble installing debian though because the installer
> doesn't seem to find cdrom.
> 
> My vm.conf is pretty basic:
>  switch "local" {
>  interface bridge0
>  }
>  vm "work" {
>  disable
>  memory 2G
>  cdrom "/home/vm/debian-9.5.0-amd64-xfce-CD-1.iso"
>  disk "/home/vm/debian.img"
>  interface { switch "local" }
>  }
> 
> On the debian installer boot menu, i select Install and press TAB to
> edit the menu entry. I remove the "quiet" at the end and append from
> --- onwards so at the end it looks like this:
>  (omitted part)/install.amd/vmlinuz desktop=xfce vga=788
> initrd=/install.amd/initrd.gz --- clocksource=tsc console=ttyS0,115200
> noapic
> 
> The text based installer starts and i'm able to choose language,
> location and keyboard.
> At the "Detect and mount CD-ROM section, i'm informed that "No common
> CD-ROM drive was detected." and i'm given the option to load CD-ROM
> drivers from removable media. When i select NO the installer gives me
> the option to manually select a CD-ROM module or device. I  can choose
> between none and cdrom. The cdrom option just asks me for a device
> like /dev/ cdrom
> 
> I tried with debian netboot image - same problem.
> 
> I've read Mike Larkin's slides "OpenBSD vmm/vmd Update" and if some of
> you are running linux in vmm (for testing purposes of course) i would
> be gratefull to know how did you manage to get past this problem?
> 
> Best regards, Ales
> 



Re: roundcube installation php modules

2018-07-10 Thread Martijn van Duren
On 07/10/18 14:00, Teno Deuter wrote:
> Dear list,
> 
> in an OpenBSD 6.3 machine I run httpd and opensmtpd and try to install
> roundcubemail 1.3.5 from the OpenBSD packages repository.
> 
> When running the installer, in the first page, I get following warnings:
> 
> FileInfo:  OK
> Libiconv:  OK
> Intl:  NOT AVAILABLE(See http://www.php.net/manual/en/book.intl.php)
> Exif:  OK
> LDAP:  NOT AVAILABLE(See http://www.php.net/manual/en/book.ldap.php)
> GD:  NOT AVAILABLE(See http://www.php.net/manual/en/book.image.php)
> Imagick:  NOT AVAILABLE(See http://www.php.net/manual/en/book.imagick.php)
> 
> but pkg_info shows:
> 
> php-gd-5.6.34   image manipulation extensions for php
> php-intl-5.6.34 intl library support for php
> 
> and I think php-imagick is already part of the php OpenBSD package.
> 
> Why do I get the above warnings?

$ doas cp /etc/php-5.6.sample/{gd,intl}.ini /etc/php-5.6
$ doas rcctl restart php56_fpm
> 
> Also, in the second installation page I get the following:
> 
> Mimetype to file extension mapping:  NOT OK
> 
> but in httpd.conf, on the top of the file, I have the following entry:
> 
> types { include "/usr/share/misc/mime.types" }

No clue.
> 
> Thank you

martijn@



Re: ed viewing trailing spaces

2018-05-23 Thread Martijn van Duren
Hello Predrag,

I assume that you don't run -current. I changed this about a month ago.

martijn@

On 05/24/18 06:28, Predrag Punosevac wrote:
> Hi Misc,
> 
> I just got Michael Lucas' Ed Mastery. While reading through the book I
> tried few things and I realized that viewing trailing spaces on OpenBSD
> 6.3 doesn't work the way described in man pages, Michael's book, and
> other OSs (I tired Red Hat 7.5, FreeBSD 11.1p10, DFBSD 5.2.1)
> 
> Namely command 
> 
> ,l
> 
> doesn't allow me to see trailing spaces. I would expect to see a dollar
> sign at the end of the line.
> 
> Am I missing something obvious here. I like probably most of you use ed
> only when trying to edit something in the single user mode so I don't
> recall using this particular command before.
> 
> Cheers,
> Predrag
> 
> P.S. It is nice to see that after Jacek Artymiak, Michael took a shot
> and wrote this short book on Ed. The book is nice read and so far my
> main complaint with it is the lack of the summary of all Ed commands
> which is actually present in man pages as well as in this GNU manual
> (obviously different version of the editor)
> 
> https://www.gnu.org/software/ed/manual/ed_manual.html
> 



Re: pledge violation in firefox-60 on snapshots

2018-05-16 Thread Martijn van Duren
$ grep SYS_fork /usr/include/sys/syscall.h
#define SYS_fork        2

See: https://marc.info/?l=openbsd-ports=152623658627250=2

You probably don't run dbus, so I assume you're going to need to start
it up in your .xsession file.

martijn@

On 05/16/18 03:59, William Orr wrote:
> Hey there,
> 
> When visiting the following health insurance site: 
> 
> https://www.cignaglobal.com/CASPAI/public/SignIn.do?application=CIEB_IPMI=GB=en=all=https://www.cignaglobal.com/ma/pages/CASPA/Landing.html=.
> 
> Clicking the password field will consistently cause that tab in firefox
> to crash with a pledge violation (calling fork):
> 
> firefox[75379]: pledge "proc", syscall 2
> firefox[99617]: pledge "proc", syscall 2
> firefox[89996]: pledge "proc", syscall 2
> firefox[29564]: pledge "proc", syscall 2
> firefox[58111]: pledge "proc", syscall 2
> firefox[97980]: pledge "proc", syscall 2
> firefox[37363]: pledge "proc", syscall 2
> 
> Is anyone else seeing something similar? I've repro'd this in safe mode
> with add-ons disabled. I'm runnning a snapshot as of 3 days ago with
> firefox from packages.
> 
> % pkg_info firefox
> Information for inst:firefox-60.0
> 
> 
> Following is a full dmesg. Let me know if there's other info that I can
> provide. There are other firefox pledge violations in there, but I have
> no indication that they're related.
> 
> Thanks!
> 
> OpenBSD 6.3-current (GENERIC.MP) #29: Fri May  4 09:22:48 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 17040244736 (16250MB)
> avail mem = 16515768320 (15750MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xee7f0 (26 entries)
> bios0: vendor American Megatrends Inc. version "P2.90" date 07/11/2013
> bios0: ASRock Z77 Extreme4
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT MCFG SSDT AAFT HPET SSDT SSDT SSDT BGRT
> acpi0: wakeup devices UAR1(S4) P0P1(S4) USB1(S3) USB2(S3) USB3(S3) 
> USB4(S3) USB5(S3) USB6(S3) USB7(S3) RP01(S4) RP02(S4) RP03(S4) RP04(S4) 
> RP05(S4) BR40(S4) RP06(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 3500.52 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
> 
> ,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> 
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 100MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 3500.02 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
> 
> ,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> 
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 3500.02 MHz
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
> 
> ,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> 
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 3500.02 MHz
> cpu3: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
> 
> ,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
> 
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 0, core 3, package 0
> cpu4 at mainbus0: apid 1 (application processor)
> cpu4: Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz, 

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martijn van Duren
On 05/07/18 23:51, Martin Gignac wrote:
>> It looks like 'received-on' would be a cleaner and shorter way to
>> achieve my goal by allowing me to specify inbound and outbound
>> interfaces in the same rule.
>>
> 
> I think I spoke to quickly; it would be an alternative way, but not a
> shorter one as I would still need the initial "pass in lab01" I guess. I
> just wouldn't have to tag it.
> 
>>
I usually do the filtering on the outbound interface and add a statement
like the following to pass in all packets that are to be forwarded:
pass in to !(self)

This way you don't have to add different rules for different tags.

martijn@
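The approach described in this reply, written out as an added example ruleset that is not from the original post. Interface names, the `$web` address and the services are assumptions; the `pass in to !(self)` line is the one from the post:

```pf
# /etc/pf.conf (added example; interface names and addresses are assumed)
lan = "em1"            # LAN, 192.168.1.0/24
dmz = "em2"            # DMZ holding a web server
web = "192.168.2.10"

set skip on lo
block log all          # default deny in both directions

# Forwarded traffic: accept it on whichever interface it arrives, as long
# as it is not addressed to the firewall itself.  The actual policy lives
# in the "pass out" rules below, one set per outbound interface, so there
# is no need to tag packets per inbound interface.
pass in to !(self)

# Policy, expressed on the outbound interface.
pass out on $dmz proto tcp from $lan:network to $web port { 80 443 }
pass out on egress from { $lan:network $dmz:network } nat-to (egress)

# Traffic terminating on the firewall still needs explicit rules.
pass in on $lan proto tcp to (self) port ssh
pass out on egress proto { udp tcp } from (self) to any port { domain ntp }
```

Because the inbound rule is deliberately wide, every outbound interface must carry its own `pass out` rules; an interface with none stays covered by the default `block`, which is the safe failure. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`.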



Re: frequent SeaMonkey crashes

2018-05-07 Thread Martijn van Duren
Hello Riccardo,

On 05/06/18 21:53, Riccardo Mottola wrote:
> Hi,
> 
> after 6.3 upgade (with associated packages) I experience very frequent 
> crashes of the SeaMonkey browser.
> I checked RAM consumption and it crashes even if it is not very hight, around 
> 400MB, for example.
> 
> I tried starting it from a terminal and see this message after a crash:
> 
> seamonkey: Fatal IO error 12 (Cannot allocate memory) on X server :0.

You can try to extend your data area size via ulimit -d.
See ksh(1) for more information. Don't forget to start SeaMonkey via
that same shell as well; changing the data area only works for child
programs, not the entire X login session.

If this works for you, you can increase the limit permanently via
/etc/login.conf (which will increase the limit for all applications) or
by creating a wrapper-script which will increase the limit before
executing SeaMonkey.

Hope this helps.
> 
> Is it a bug perhaps_ or some limit i can extend?
> 
> I tried FireFox and it seems a little bit better: strange though, because 
> usually it is has always been the other way and I am a long-time seamonkey 
> fan.
> 
> Riccardo
> 

martijn@
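Both limit questions on this page (the open-files limit in the "Changing kern.nprocs and kern.nfiles" reply and the data-size limit for SeaMonkey here) come down to the same mechanism: soft limits inherited from the shell that starts the program, capped by hard limits that on OpenBSD come from the login class. The wrapper below is an added example, not code from either post; the `seamonkey` login class, its values and the wrapper path are assumptions:

```shell
#!/bin/sh
# Added example (not from the original posts): set per-process resource
# limits for one program only, instead of for the whole X session.
#
# ulimit(1) settings are inherited by child processes, so the wrapper runs
# the target in a subshell and the caller's shell keeps its own limits.
# Raising a soft limit above the hard limit fails for unprivileged users;
# on OpenBSD the hard limits come from the login class, e.g. login.conf(5):
#
#   seamonkey:\
#       :datasize-cur=4096M:\
#       :datasize-max=4096M:\
#       :openfiles-cur=16384:\
#       :openfiles-max=16384:\
#       :tc=default:
#
# (class name and values are this example's assumptions; kern.maxfiles is
# the separate system-wide cap)

# run_limited NFILES DATA_KB CMD [ARGS...]
# Run CMD with the open-files soft limit set to NFILES and the data segment
# soft limit set to DATA_KB kilobytes.  Returns CMD's exit status, or 1 if a
# limit could not be applied (for instance, above the hard limit).
run_limited() {
    _nfiles=$1
    _data=$2
    shift 2
    (
        ulimit -S -n "$_nfiles" || exit 1
        ulimit -S -d "$_data"   || exit 1
        exec "$@"
    )
}

# child_limit FLAG NFILES DATA_KB
# Report the limit a child started through run_limited actually sees.
# FLAG is the ulimit option to query (-n or -d).
child_limit() {
    _flag=$1
    shift
    run_limited "$@" sh -c "ulimit -S $_flag"
}

# Constructed demonstration: lower both limits for a short-lived child and
# confirm the caller's own limit is untouched afterwards.
before=$(ulimit -S -n)
child_limit -n 64 262144
child_limit -d 64 262144
after=$(ulimit -S -n)
[ "$before" = "$after" ] || echo "caller's limit changed unexpectedly" >&2

# Real use, e.g. in an assumed ~/bin/seamonkey wrapper script:
#   run_limited 1024 4194304 /usr/local/bin/seamonkey "$@"
```

Lowering limits always works; the demonstration uses that case so it runs anywhere. Raising them for SeaMonkey is the same call with larger numbers, but only succeeds once the login class (or `ulimit -H`) provides the headroom.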



Re: HTTPD and php-cgi

2018-05-06 Thread Martijn van Duren
On 05/06/18 06:31, Duncan Patton a Campbell wrote:
> On Sat, 5 May 2018 12:19:59 +0200
> Martijn van Duren <openbsd+m...@list.imperialat.at> wrote:
> 
> On Sat, 5 May 2018 08:48:23 +0200
> Mischa Peters <obs...@high5.nl> wrote:
> 
> Hi Martijn, Mischa.  Thanks for you replies, from which 
> I've figured out that the problem is I'm running sparc64
> and the packages you refer to are not extant...  I guess
> I'll have a go with ports and hopefully report back...

sparc64 currently misses php-7.0, because of segfaults during the
generation of phar, but php-5.6 is available. So if you
`pkg_add php` you'll get the php-5.6 package which contains php-fpm.
After that's installed you can run `rcctl start php56_fpm`.

I have a patch in the pipeline that can disable the extensions based on
architecture during compile-time which should allow us to have php-7.0
on sparc64 (without phar), but I don't have the hardware to test it.
> 
> Thanks again.
> 
> Dhu
> 



Re: HTTPD and php-cgi

2018-05-05 Thread Martijn van Duren
Hello Duncan,

On 05/05/18 03:23, Duncan Patton a Campbell wrote:
> 
> I am looking for documentation on running php-cgi-5.6 under the bsd httpd 
> server.
> 
> From what I can tell, the function of php-fastcgi has been subsumed to 
> php-cgi-5.6, 
> but further than that I can find little or no salient documentation.  Any 
> pointers
> would be appreciated.
> 
> Thanks,
> 
> Dhu
> 
This is exactly the reason why php-fastcgi was renamed to php-cgi. The
old php-fastcgi contained what is normally called the php-cgi
binary, which also contains *some* fastcgi functionality, but is *not*
the recommended way to run php in fastcgi mode.

The recommended way to run php in fastcgi mode is php-fpm, which is
included in the php main package. You can start this daemon by
running `rcctl start php${PHP_VERSION}_fpm`. This will make php-fpm
listen on its socket which can be set via the listen statement in
/etc/php-fpm.conf (by default it's /var/www/run/php-fpm.sock).

Once you have php-fpm up and running you can connect to it through httpd
through the "fastcgi socket /run/php-fpm.sock" command in the
appropriate "location" block. See httpd.conf(5) for more
information.

Hope this helps.

martijn@
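The two halves of the setup described above, as an added example not taken from the post. The point to get right is the chroot: php-fpm runs outside httpd's `/var/www` chroot and must use the full socket path, while httpd refers to the same socket relative to the chroot. The server name, PHP version and document root are assumptions:

```conf
# /etc/php-fpm.conf (added example): full path, since php-fpm is not chrooted
[www]
listen = /var/www/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode  = 0660

# /etc/httpd.conf (added example): paths are relative to the /var/www chroot
server "example.com" {
        listen on * port 80
        root "/htdocs/example.com"
        directory index index.php

        # Only hand *.php requests to php-fpm; everything else stays static.
        location "*.php" {
                fastcgi socket "/run/php-fpm.sock"
        }
}
```

Start with `rcctl enable php56_fpm httpd` and `rcctl start php56_fpm httpd` (version number assumed), then confirm the socket exists at `/var/www/run/php-fpm.sock` and is owned by `www` before debugging anything on the httpd side.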



Re: net-snmpd extend and doas : a tty is required

2018-04-13 Thread Martijn van Duren
On 04/12/18 23:13, Joel Carnat wrote:
>> Le 12 avr. 2018 à 21:10, Stuart Henderson  a écrit :
>>
>> On 2018-04-12, Joel Carnat > wrote:
>>> Hi,
>>>
>>> I want net-snmpd to run a script via the extend directive.
>>> This script has to run a command using doas to get temporary root 
>>> permission.
>>>
>>> The script is run on snmpcmd call but the doas command returns:
>>> doas: a tty is required
>>>
>>> Is there a way to run doas from net-snmpd ?
>>> I already have doas running from collectd-exec without issues.
>>>
>>> Thanks.
>>>
>>> # More infos on configuration and commands
>>>
>>> # grep extend /etc/snmp/snmpd.conf
>>> extend test /home/scripts/test.sh
>>>
>>> # grep snmpd /etc/doas.conf
>>> permit nopass _snmpd as root
>>
>> Net-SNMP runs as _netsnmp, but you're giving nopass access to _snmpd
>> (base snmpd's uid, which doesn't execute anything anyway).
> 
> Of course…
> Using "permit nopass _netsnmp as root" makes it run as expected.

Please add "cmd  args ..." to that line to prevent more root-
exposure than required.
> 
> Thanks a lot!
>
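The narrowing Martijn asks for, shown as an added example that is not from the thread: the rule as corrected in the thread, beside a version restricted to a single command and argument list. `/sbin/bioctl` and its argument are assumptions standing in for whatever the extend script actually needs root for.

```conf
# /etc/doas.conf (added example)

# As corrected in the thread: any command, any arguments, as root, without a
# password.  A compromise of the _netsnmp account, or of any script it runs,
# is then a root compromise.
#permit nopass _netsnmp as root

# Restricted: only the one command the extend script needs, with exactly
# these arguments.  doas matches the argument list literally, so any other
# argument string is denied; "args" with nothing after it permits only the
# bare command without arguments.
permit nopass _netsnmp as root cmd /sbin/bioctl args sd0
```

`doas -C /etc/doas.conf /sbin/bioctl sd0` parses the file and reports `permit nopass`, and the same check with a different argument (`doas -C /etc/doas.conf /sbin/bioctl sd1`) should report `deny` before the configuration is trusted.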



Re: sudoedit for doas?

2018-03-01 Thread Martijn van Duren

On 03/01/18 11:41, tomr wrote:



On 02/28/18 17:50, Hess THR wrote:

Hello,

hmm, I went through the relevant man pages:

https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1
https://man.openbsd.org/doas.conf.5

but I cannot find a sudoedit alternative for the "doas".

Are there any?


Use `doas -C` in a wrapper script that:

- checks for a lock / creates a lock
- copies /etc/doas.conf somewhere
- edits it with your editor of choice
- checks it (with -C)
- copies it back into place
- removes the lock

t


sudoedit != visudo



Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-22 Thread Martijn van Duren

On 02/22/18 09:51, Joel Carnat wrote:

Hi,

Le 22/02/2018 09:35, Stuart Henderson a écrit :

On 2018-02-22, Igor V. Gubenko  wrote:

I am far from an expert; having issues myself at the moment, but maybe
if we get all of the iked experimenters together, we can figure it out
:)


This definitely isn't going to work, iked only supports username/password
authentication as a responder, not as an initiator.


Is there any software that enables openbsd to be an ipsec initiator 
using user/pass ?


Thanks.

Maybe not as native a solution as you'd like, but I have one environment 
where I have to login with username/password over ikev2. For this I have 
a VM with Alpine Linux+strongswan through which I route the VPN-destined 
traffic.




Re: vmd - Unable to reboot Alpine guest

2018-02-19 Thread Martijn van Duren

Hello Aham,

On 02/18/18 21:09, Aham Brahmasmi wrote:

Hi Carlos,

Thank you for your response.

I have been learning and understanding OpenBSD for around one month now.
As such, I had installed -release, and used syspatch to reach -stable.

I have spent some time right now trying to understand the mechanism to
reach -current from -stable.

 From what I understand, I first need to upgrade to the latest snapshot.
 From there, I need to use source build instructions at
https://www.openbsd.org/faq/faq5.html#Bld to reach -current.


There's no need to build from source, just upgrading via the latest
snapshot suffices.


I would like to do the above because I am also interested in the spamd
and IPv6 diff that phessler@ has. But right now, I am quite a bit
inexperienced, so you would have to be patient with me.

 From what I understand, to install snapshot I need to download
https://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd, boot that
at the boot prompt and then (U)pgrade from there.


That is correct.
If you don't intend to work on the source, there's no need to build it
yourself.

martijn@



Re: Syn flood crashed my LAN

2018-02-11 Thread Martijn van Duren
Try -current[0]. I think henning will be glad to hear how his new toy
works in the field.

martijn@

[0] https://marc.info/?l=openbsd-cvs=151796069324365=2

On 02/12/18 01:26, Martin Hanson wrote:
> Hi,
> 
> I have a home network that is segmented into 3 different zones using a NIC 
> with 4 ports sitting on an OpenBSD firewall/dhcp server. One port is 
> connected to the Internet (ISP router) and each of the three others has a 
> D-Link DGS-1005D switch connected to each.
> 
> So..
> 
> LAN1 = 192.168.1.0
> LAN2 = 192.168.2.0
> LAN3 = 192.168.3.0
> 
> Learning more about networking I wanted to test a SYN flood so I set up a 
> couple of boxes on LAN1 and LAN3 to flood a box on LAN2. I used "hping3" with 
> the "S" and "flood" options.
> 
> Running a regular ping in a terminal I could see how the response time 
> decreased and eventually the box began to lose packets.
> 
> However after a while it seemed like the entire internal network went down.
> 
> No box on any LAN could get an IP address from the DHCP server on the OpenBSD 
> box.
> 
> I eventually rebooted the OpenBSD box, but that didn't immediately help, and 
> only after powering down the switches and powering the switches on again, 
> everything worked again.
> 
> I have been looking through the PF documentation to see if PF somehow blocks 
> SYN flooding, but I am not using synproxy on any rules.
> 
> What could cause such a "melt down" of the entire network because of a SYN 
> flood to a box?
> 
> I suspect that the D-Link switches are pretty bad and maybe are the cause of 
> the problem?
> 
> I eventually will try again to see if I can determine what's causing the 
> "melt down", but I want to know if anyone perhaps has experienced similar 
> results during some testing?
> 
> Many thanks in advance.
> 
> Kind regards,
> 
> Martin 
> 



Re: message authentication code incorrect

2018-01-24 Thread Martijn van Duren
Hello Jan,

See https://marc.info/?l=openbsd-cvs=151673244010209=2 and
https://marc.info/?l=openbsd-cvs=151673766411788=2.
So it's probably fixed in the next snapshot.

On 01/24/18 14:08, Jan Stary wrote:
> On Jan 23 16:48:57, h...@stare.cz wrote:
>> I just upgraded my current/amd64 and now can't ssh to it
> 
> In fact, I can't ssh _from_ it either:
> 
> $ ssh wherever
> write: Socket is not connected
> 
> has something changed with ssh or sshd?
> 
>   Jan
> 
>> from an amd64 machine running the Jan 19 snapshot:
>>
>> $ ssh -v biblio.stare.cz
>> OpenSSH_7.6, LibreSSL 2.7.0
>> debug1: Reading configuration data /home/hans/.ssh/config
>> debug1: /home/hans/.ssh/config line 1: Applying options for *
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Connecting to biblio.stare.cz [147.32.233.137] port 22.
>> debug1: Connection established.
>> debug1: identity file /home/hans/.ssh/id_rsa type 0
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_rsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_dsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_dsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_ecdsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_ecdsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_ed25519 type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /home/hans/.ssh/id_ed25519-cert type -1
>> debug1: Local version string SSH-2.0-OpenSSH_7.6
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
>> debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x0400
>> debug1: Authenticating to biblio.stare.cz:22 as 'hans'
>> debug1: SSH2_MSG_KEXINIT sent
>> Bad packet length 1349676916.
>> ssh_dispatch_run_fatal: Connection to 147.32.233.137 port 22: message 
>> authentication code incorrect
>>
>>  Jan
>>
> 



Re: After a failed checksum: What options remain?

2018-01-12 Thread Martijn van Duren
Hello Charlie,

There is no correct way to wear a tinfoil hat. Do you trust your current
installation of Windows? And why? Do you trust your computer hardware?
Intel has proven something along those lines a couple of times in recent
history. Based on what premise do you trust OpenBSD?

Suspicion can be a good thing, but you need to balance your security
with other factors in life like usability, stability, compatibility and
probably some other ity's.

I love OpenBSD. Both for its security, but also its simplicity and
usability. But I'm also aware that even OpenBSD isn't without its quirks
and bugs. It's also still based on the premise that you trust the other
components OpenBSD is built around, even the mathematical
principles behind signature verification.

In other words choose something that works for you and where you feel
confident enough that it won't try to kill your kittens.

As for the checking a signature you can start by downloading OpenBSD 6.2
and verifying its signature:
$ cat /etc/signify/openbsd-62-base.pub
untrusted comment: openbsd 6.2 base public key
RWRVWzAMgtyg7g27STK1h1xA6RIwtjex6Vr5Y9q5SC5q5+b0GN4lLhfu
You can compare that string to any other sources, among others:
- https://www.openbsd.org/62.html
- https://twitter.com/phessler/status/914414877539803136
- ...
If you need signify I found a Windows port here[0], but since I don't
run Windows I haven't tested any of it (nor checked the diff). I
found that it is an older release, so the diff (against my personal
OpenBSD cvs account checkout) below also includes changes in OpenBSD's
current signify. But I guess this release will still work and the diff
is still small enough to manually verify if something funky has been
done with this port (still a pain though).
Nevertheless, it runs on Windows, so you have to trust your Windows
installation, which runs on 
Once OpenBSD is installed it'll automatically install the keys for the
next release and which will be verified with the current key.

Finally your usability question. I find it easy to use, but that's a
combination of years of experience and liking the minimal footprint.
A lot of people seem to be unable to work with the removal of a lot
of abstraction layers, I find it liberating and it gives me more
peace of mind that not a lot more happens than I request of the system.
If it works for you, is for you to find out. Just install it and take it
for a test run. OpenBSD's FAQ[1] is quite good and covers quite a lot of
subjects. You can use the FAQ to guide you to the man pages and if that
doesn't satisfy you, you can always turn to the source. Feel free to
send in some patches if you find something quirky in the source. :-)

Hope this helps.

martijn@

[0] https://github.com/stoeckmann/signify-windows
[1] https://www.openbsd.org/faq/

Only in /home/martijn/src/OpenBSD/usr.bin/signify: CVS
Only in /home/martijn/src/OpenBSD/usr.bin/signify: Makefile
Only in /tmp/signify-windows/patched-src: base64.c
diff -ru /home/martijn/src/OpenBSD/usr.bin/signify/crypto_api.c 
/tmp/signify-windows/patched-src/crypto_api.c
--- /home/martijn/src/OpenBSD/usr.bin/signify/crypto_api.c  Wed Jan  8 
04:59:46 2014
+++ /tmp/signify-windows/patched-src/crypto_api.c   Fri Jan 12 11:07:34 2018
@@ -3,6 +3,8 @@
  * Public domain. Author: Ted Unangst 
  * API compatible reimplementation of functions from nacl
  */
+#include "mingw.h"
+
 #include 
 
 #include 
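Review bot: `mingw.h` is inserted ahead of the system includes, which is the right spot for a compatibility shim that has to define or override what those headers provide; the header names themselves were lost in this rendering, so placement is all that can be checked here. Make sure every port-only file listed above (base64.c, err.c, errx.c, explicit_bzero.c, sha2.c) pulls in the same shim rather than depending on include order from crypto_api.c.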
Only in /tmp/signify-windows/patched-src: err.c
Only in /tmp/signify-windows/patched-src: errx.c
Only in /tmp/signify-windows/patched-src: explicit_bzero.c
Only in /tmp/signify-windows/patched-src: sha2.c
Only in /tmp/signify-windows/patched-src: sha2.h
Only in /home/martijn/src/OpenBSD/usr.bin/signify: signify.1
diff -ru /home/martijn/src/OpenBSD/usr.bin/signify/signify.c 
/tmp/signify-windows/patched-src/signify.c
--- /home/martijn/src/OpenBSD/usr.bin/signify/signify.c Wed Jul 12 01:27:13 2017
+++ /tmp/signify-windows/patched-src/signify.c  Fri Jan 12 11:07:34 2018
@@ -1,4 +1,4 @@
-/* $OpenBSD: signify.c,v 1.128 2017/07/11 23:27:13 tedu Exp $ */
+/* $OpenBSD: signify.c,v 1.100 2015/01/16 06:16:12 tedu Exp $ */
 /*
  * Copyright (c) 2013 Ted Unangst 
  *
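Review bot: the `+` side is the port, and its RCS id is `signify.c,v 1.100 2015/01/16` against `1.128 2017/07/11` in OpenBSD, so this diff mixes the port's own mingw changes with two and a half years of upstream development that the port simply lacks. Review it against a checkout of 1.100 first; only what remains after that is the port's doing and worth scrutinising.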
@@ -14,11 +14,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+#include "mingw.h"
+
 #include 
 
-#include 
-#include 
-
 #include 
 #include 
 #include 
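Review bot: besides adding `mingw.h`, two `#include` lines are removed whose names did not survive extraction; when reviewing the real diff, check that nothing declared in them is still used further down, because a missing prototype becomes an implicitly declared function returning int, which truncates pointer results on a 64-bit build.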
@@ -26,15 +25,10 @@
 #include 
 #include 
 #include 
-#include 
-#include 
 #include 
-#include 
-#include 
 #include 
 
 #include "crypto_api.h"
-#include "signify.h"
 
 #define SIGBYTES crypto_sign_ed25519_BYTES
 #define SECRETBYTES crypto_sign_ed25519_SECRETKEYBYTES
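Review bot: four more includes go, plus `#include "signify.h"`. Dropping `signify.h` is consistent with the port tracking 1.100, where that header did not yet exist, rather than a deliberate change; the same caveat as above applies to the unnamed system headers.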
@@ -71,7 +65,9 @@
uint8_t sig[SIGBYTES];
 };
 
-static void __dead
+char *__progname = "signify";
+
+static void
 usage(const char *error)
 {
if (error)
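Review bot: `static void __dead usage(...)` loses its `__dead` (noreturn) attribute. If any caller falls through after `usage()` on the assumption that it never returns, the compiler can now warn about a missing return or uninitialized use; better to keep the attribute and have `mingw.h` define `__dead` as `__attribute__((noreturn))`. The `char *__progname = "signify";` line stands in for the symbol OpenBSD's libc exports and the `err()`/`errx()` replacements in the port need; being a fixed string, error messages will say `signify` whatever the binary is renamed to, which is acceptable but deserves a comment.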
@@ -80,14 +76,13 @@
 #ifndef VERIFYONLY
"\t%1$s -C 

Re: ed(1) text editor issue with Spanish accents

2017-12-04 Thread Martijn van Duren
Hello Alejandro,

ed works on both binary and ASCII text, which are all individual bytes.
Since ´ is a UTF-8 character, which consists of the bytes C2 and B4,
ed thinks it should only delete a single byte which results in only C2.

Your terminal can't tell the meaning of just C2 which results, in this
particular case, in a question mark.

The reason the character disappears after the backspace is because the
presentation layer gets the instruction to clear the column prior to
the current position, so hence it appears deleted after the backspace.

Currently there's no UTF-8 support in our ed, and I don't see how this
can be done without endangering the binary editing capabilities.

martijn@

On 12/04/17 00:43, Alejandro G. Peregrina wrote:
> Hello,
> 
> I've noticed something unexpected when entering an accent character
> alone (´) and then deleting it in ed(1) in xterm(1). Instead of deleting
> it, it creates another character which is seen as an inverted
> exclamation (?) in the font 'misc-fixed'.
> 
>   How to reproduce:
> $ uname -a
> OpenBSD foo.my.domain 6.2 GENERIC.MP#1 amd64
> $ locale
> LANG=
> LC_COLLATE="C"
> LC_CTYPE=en_US.UTF-8
> LC_MONETARY="C"
> LC_NUMERIC="C"
> LC_TIME="C"
> LC_MESSAGES="C"
> LC_ALL=
> $ #Let's append the ´ character in ed(1)
> $ ed -p"> "
>> a
> ´
> 
>   Now let's delete with a backspace, return to create a newline and a dot
> to stop appending, and then print:
> 
> $ ed -p"> "
>> a
> 
> .
>> p
> (?)
> 
>   (The (?) is a simulation of the font character that misc-fixed shows to
> the terminal.)
> 
>   Whenever I use more(1) or less(1) to view it, it shows:
> 
> $ more test.txt
> 
> 
> 
> 
> I have to add that I tested this with urxvt and ed(1) prints an Â
> character, but more(1) and less(1) keep printing .
> 
> When not using X this can't be reproduced. This is reproducible with
> xterm(1) and urxvt(1) in cwm(1) and fvwm(1). I've tested this in Linux
> and FreeBSD and this behaviour is not reproducible.
> 
> Thank you,
> A
> 
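As an added illustration of the byte-level behaviour explained in the reply above (this is not code from the thread or from ed), the following Python models what a byte-oriented backspace does to the two-byte UTF-8 encoding of ´ (U+00B4), what a code-point-aware backspace would do instead, and why the leftover byte shows up as a question mark in a UTF-8 terminal but as Â in one that falls back to Latin-1. The helper names are mine.

```python
# Constructed input: U+00B4 ACUTE ACCENT, which UTF-8 encodes as C2 B4.
ACUTE = "\u00b4"


def byte_backspace(buf: bytes) -> bytes:
    """Backspace in a byte-oriented editor such as ed: drop exactly one byte."""
    return buf[:-1]


def char_backspace(buf: bytes) -> bytes:
    """Backspace that removes a whole UTF-8 sequence.

    Walks back over continuation bytes (10xxxxxx) and then removes the lead
    byte too. Safe on valid UTF-8; on arbitrary binary it eats more than one
    byte whenever the trailing bytes happen to fall in 0x80-0xBF, which is
    the conflict with binary editing that the reply above points at.
    """
    if not buf:
        return buf
    i = len(buf) - 1
    while i > 0 and (buf[i] & 0xC0) == 0x80:
        i -= 1
    return buf[:i]


def is_valid_utf8(buf: bytes) -> bool:
    """True if buf decodes cleanly as UTF-8 (a lone C2 lead byte does not)."""
    try:
        buf.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def render_utf8(buf: bytes) -> str:
    """What a UTF-8 terminal shows: undecodable bytes become U+FFFD, often drawn as ?."""
    return buf.decode("utf-8", errors="replace")


def render_latin1(buf: bytes) -> str:
    """What a terminal falling back to Latin-1 shows: byte C2 is the letter Â."""
    return buf.decode("latin-1")


if __name__ == "__main__":
    buf = ACUTE.encode("utf-8")
    print("stored bytes          :", buf.hex())
    left = byte_backspace(buf)
    print("after byte backspace  :", left.hex(), "valid UTF-8:", is_valid_utf8(left))
    print("UTF-8 terminal shows  :", repr(render_utf8(left)))
    print("Latin-1 terminal shows:", repr(render_latin1(left)))
    print("char backspace leaves :", char_backspace(buf).hex() or "(empty)")
```

The xterm and urxvt observations in the report are the two `render_*` cases: the same lone C2 byte, displayed by two terminals with different fallbacks.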



Re: Debugging a php's script startup

2017-11-08 Thread Martijn van Duren
Hello C.,

Can you start up the daemon process from the CLI (without the rc
script)? If not and it still has the same error message as below (which
I reckon it will) you might want to change your mysqli.default_socket =
in your /etc/php-7.0.ini.
Do note however that this will also affect php-fpm and mod_php which run
chrooted by default (hence the weird path), so if you need those installs
unaffected try to create a custom ini-file and specify it with -c as a
php-argument.

Also note that php is not designed to write daemons in and should only
be done if there are no other options. The rc-script won't restart your
daemon automatically if it crashes.

Hope this helps.

martijn@

On 11/08/17 20:22, C. L. Martinez wrote:
> Hi all,
> 
>  I am trying to setup a startup file for TT-Rss (installed under OpenBSD 6.2 
> host, fully patched). This is the script:
> 
> #!/bin/sh -x
> #
> 
> daemon="/usr/local/bin/php-7.0"
> daemon_flags="/var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log"
> daemon_user="www"
> 
> . /etc/rc.d/rc.subr
> 
> pexp="${MODPHP_BIN} ${daemon}${daemon_flags:+ ${daemon_flags}}"
> 
> rc_bg=YES
> rc_reload=NO
> 
> rc_post() {
> rm -f /var/www/htdocs/rss/lock/update_daemon.lock
> }
> 
> rc_cmd $1
> 
>  And when I try to start it, this is the output:
> 
> root@rssweb:/etc/rc.d# ./tt_rss start
> + daemon=/usr/local/bin/php-7.0
> + daemon_flags=/var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log
> + daemon_user=www
> + . /etc/rc.d/rc.subr
> + _rc_actions=start stop restart reload check
> + readonly _rc_actions
> + [ -n  ]
> + basename ./tt_rss
> + _name=tt_rss
> + _rc_check_name tt_rss
> + [ -n /usr/local/bin/php-7.0 ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/tt_rss
> + _rc_do _rc_parse_conf
> + eval _rcflags=${tt_rss_flags}
> + _rcflags=
> + eval _rcrtable=${tt_rss_rtable}
> + _rcrtable=
> + eval _rcuser=${tt_rss_user}
> + _rcuser=
> + eval _rctimeout=${tt_rss_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf tt_rss
> + > /dev/null 
> + 2>&1 
> + daemon_class=daemon
> + [ -z  ]
> + daemon_rtable=0
> + [ -z www ]
> + [ -z  ]
> + daemon_timeout=30
> + [ -n  -o start != start ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rcrtable _rcuser _rctimeout
> + pexp=/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log
> + rcexec=su -l -c daemon -s /bin/sh www -c
> + [ 0 -eq 0 ]
> + pexp= /usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log
> + rc_bg=YES
> + rc_reload=NO
> + rc_cmd start
> tt_rss(failed)
> 
>  pexp's option seems good ... I think the problem is with 'www' user and with 
> this command: "su -l -c daemon -s /bin/sh www -c". Launching from console 
> returns an error:
> 
> root@rssweb:/etc/rc.d# su -l -c daemon -s /bin/sh www -c 
> '/usr/local/bin/php-7.0 /var/www/htdocs/rss/update_daemon2.php --log 
> /tmp/update_rss.log'
> PHP Warning:  mysqli_connect(): (HY000/2002): Can't connect to local MySQL 
> server through socket '/var/run/mysql/mysql.sock' (2 "No such file or 
> directory") in /var/www/htdocs/rss/classes/db/mysqli.php on line 8
> Unable to connect to database (as rss to localhost, database dbrss): Can't 
> connect to local MySQL server through socket '/var/run/mysql/mysql.sock'
> 
>  mysql's socket is created under www's chroot like in pkg-readme says: 
> srwxrwxrwx  1 _mysql  _mysql  0 Nov  8 17:45 /var/www/var/run/mysql/mysql.sock
> 
>  If I am not wrong, then, how can I configure this startup script?
> 
> Thanks
> 



Re: php-fpm and OpenBSD 6.2

2017-10-12 Thread Martijn van Duren
On 10/12/17 09:39, Markus Rosjat wrote:
> Hi there,
> 
> I can't find a php-fpm package under 6.2 but there are php-fastcgi packages. 
> Is this the new php-fpm naming convention starting with 6.2 or do I get this 
> wrong here?
> 
> regards
> 

php-fpm is currently part of the PHP package (php-5.6.31 and php-7.0.23).
With my latest proposed patch php-fpm will be moved to its own
subpackage, along with all the other SAPI interfaces[0], so it might be
changed for the 6.3 release.

As for the -fastcgi subpackage. It's the -cgi SAPI, which in my opinion
has been misnamed for this package. Don't use it unless you absolutely
need it. Also note that -fastcgi will be renamed back to -cgi with my
patch.

martijn@

[0] https://marc.info/?l=openbsd-ports&m=150774437313393&w=2



Re: Strange sed substitution removes text

2017-09-25 Thread Martijn van Duren
On 09/25/17 09:15, Andreas Kusalananda Kähäri wrote:
> Yes, this seems to fix this particular issue for me nicely,
> but the "int i = 0;" is probably not needed.

You're right, that part was from some debugging printfs.
I also wasn't asking for OKs, but merely pointing out the root of the
problem.

Let's just wait until Ingo has time to look into it. He's still on
holiday in Paris, so it might be a few days.
> 
> 
> On Sun, Sep 24, 2017 at 11:59:49PM +0200, Martijn van Duren wrote:
>> and now with 100% more patch...
>>
>> Index: process.c
>> ===
>> RCS file: /cvs/src/usr.bin/sed/process.c,v
>> retrieving revision 1.32
>> diff -u -p -r1.32 process.c
>> --- process.c22 Feb 2017 14:09:09 -  1.32
>> +++ process.c24 Sep 2017 21:58:14 -
>> @@ -336,6 +336,7 @@ substitute(struct s_command *cp)
>>  int n, lastempty;
>>  size_t le = 0;
>>  char *s;
>> +int i = 0;
>>  
>>  s = ps;
>>  re = cp->u.s->re;
>> @@ -386,7 +387,7 @@ substitute(struct s_command *cp)
>>   * and at the end of the line, terminate.
>>   */
>>  if (match[0].rm_so == match[0].rm_eo) {
>> -if (*s == '\0' || *s == '\n')
>> +            if (*s == '\0')
>>  slen = -1;
>>  else
>>  slen--;
>>
>>
>> On 09/24/17 23:57, Martijn van Duren wrote:
>>> This fixes the issue for me, but I'm not sure about the motivation
>>> behind the check.
>>> Maybe schwarze@ can shed some light on it, since he's to (cvs) blame for
>>> the particular line.
>>>
>>> martijn@
>>>
>>> On 09/24/17 15:42, Andreas Kusalananda Kähäri wrote:
>>>> Hi,
>>>>
>>>> Given the input file of three lines:
>>>>
>>>> line 1
>>>> line 2
>>>> line 3
>>>>
>>>> and the sed script
>>>>
>>>> s/\</\
>>>> /g
>>>> s/^/hello/
>>>>
>>>> which inserts a newline in front of every word and then prepends the
>>>> word "hello" to the beginning of the pattern space.
>>>>
>>>> The following happens:
>>>>
>>>> $ sed -f script.sed input.txt
>>>> hello
>>>>
>>>> hello
>>>>
>>>> hello
>>>>
>>>>
>>>> I was expecting to get
>>>>
>>>> hello
>>>> line
>>>> 1
>>>> hello
>>>> line
>>>> 2
>>>> hello
>>>> line
>>>> 3
>>>>
>>>> This is a bit surprising since running only the first sed expression
>>>> gives (as expected)
>>>>
>>>>
>>>> line
>>>> 1
>>>>
>>>> line
>>>> 2
>>>>
>>>> line
>>>> 3
>>>>
>>>>
>>>> The question is, why does the "line N" data disappear when inserting a
>>>> word at the start of the pattern space here?
>>>>
>>>> I'm also noticing that this does not happen if a space (for instance)
>>>> precedes the escaped newline in the first expression:
>>>>
>>>> s/\</\
>>>> /g
>>>> s/^/hello/
>>>>
>>>>
>>>> This is using sed in the base system on OpenBSD 6.1-stable (amd64).
>>>>
>>>> Cheers,
>>>>
>>>
> 



Re: Strange sed substitution removes text

2017-09-24 Thread Martijn van Duren
and now with 100% more patch...

Index: process.c
===
RCS file: /cvs/src/usr.bin/sed/process.c,v
retrieving revision 1.32
diff -u -p -r1.32 process.c
--- process.c   22 Feb 2017 14:09:09 -  1.32
+++ process.c   24 Sep 2017 21:58:14 -
@@ -336,6 +336,7 @@ substitute(struct s_command *cp)
int n, lastempty;
size_t le = 0;
char *s;
+int i = 0;
 
s = ps;
re = cp->u.s->re;
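Review bot: `int i = 0;` is added but never used in the hunk, which the follow-up confirms was left over from debugging printfs; drop it (it also shifts the second hunk's line numbers by one, so the diff should be regenerated).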
@@ -386,7 +387,7 @@ substitute(struct s_command *cp)
 * and at the end of the line, terminate.
 */
if (match[0].rm_so == match[0].rm_eo) {
-   if (*s == '\0' || *s == '\n')
+   if (*s == '\0')
slen = -1;
else
slen--;
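Review bot: dropping the `'\n'` test means an empty match (`rm_so == rm_eo`) sitting just before an embedded newline no longer ends the substitution, which is what the report needs: after the first `s///g` the pattern space holds newlines, and `s/^/hello/` matched empty at offset 0 in front of one, took `slen = -1` and threw away the rest of the pattern space, leaving only `hello`. The comment above the check still says "and at the end of the line, terminate", so reword it to say end of pattern space, and add a regress case with a pattern space containing newlines (the reporter's script, or `N` followed by `s/^/x/`) so the old check does not come back.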


On 09/24/17 23:57, Martijn van Duren wrote:
> This fixes the issue for me, but I'm not sure about the motivation
> behind the check.
> Maybe schwarze@ can shed some light on it, since he's to (cvs) blame for
> the particular line.
> 
> martijn@
> 
> On 09/24/17 15:42, Andreas Kusalananda Kähäri wrote:
>> Hi,
>>
>> Given the input file of three lines:
>>
>> line 1
>> line 2
>> line 3
>>
>> and the sed script
>>
>> s/\</\
>> /g
>> s/^/hello/
>>
>> which inserts a newline in front of every word and then prepends the
>> word "hello" to the beginning of the pattern space.
>>
>> The following happens:
>>
>> $ sed -f script.sed input.txt
>> hello
>>
>> hello
>>
>> hello
>>
>>
>> I was expecting to get
>>
>> hello
>> line
>> 1
>> hello
>> line
>> 2
>> hello
>> line
>> 3
>>
>> This is a bit surprising since running only the first sed expression
>> gives (as expected)
>>
>>
>> line
>> 1
>>
>> line
>> 2
>>
>> line
>> 3
>>
>>
>> The question is, why does the "line N" data disappear when inserting a
>> word at the start of the pattern space here?
>>
>> I'm also noticing that this does not happen if a space (for instance)
>> precedes the escaped newline in the first expression:
>>
>> s/\</\
>> /g
>> s/^/hello/
>>
>>
>> This is using sed in the base system on OpenBSD 6.1-stable (amd64).
>>
>> Cheers,
>>
> 



Re: Strange sed substitution removes text

2017-09-24 Thread Martijn van Duren
This fixes the issue for me, but I'm not sure about the motivation
behind the check.
Maybe schwarze@ can shed some light on it, since he's to (cvs) blame for
the particular line.

martijn@

On 09/24/17 15:42, Andreas Kusalananda Kähäri wrote:
> Hi,
> 
> Given the input file of three lines:
> 
> line 1
> line 2
> line 3
> 
> and the sed script
> 
> s/\</\
> /g
> s/^/hello/
> 
> which inserts a newline in front of every word and then prepends the
> word "hello" to the beginning of the pattern space.
> 
> The following happens:
> 
> $ sed -f script.sed input.txt
> hello
> 
> hello
> 
> hello
> 
> 
> I was expecting to get
> 
> hello
> line
> 1
> hello
> line
> 2
> hello
> line
> 3
> 
> This is a bit surprising since running only the first sed expression
> gives (as expected)
> 
> 
> line
> 1
> 
> line
> 2
> 
> line
> 3
> 
> 
> The question is, why does the "line N" data disappear when inserting a
> word at the start of the pattern space here?
> 
> I'm also noticing that this does not happen if a space (for instance)
> precedes the escaped newline in the first expression:
> 
> s/\</\
> /g
> s/^/hello/
> 
> 
> This is using sed in the base system on OpenBSD 6.1-stable (amd64).
> 
> Cheers,
> 



Re: Octeon/MIPS64 SMP Support

2017-09-13 Thread Martijn van Duren
On 09/13/17 22:28, Dante F. B. Colò wrote:
> Hi
> 
> I'm thinking about getting a Ubiquiti Edgerouter box and dropping OpenBSD on it.
> I read the installation file and it was not clear to me whether the current
> MIPS/Octeon kernel implementation supports SMP or not. Does it support it?
> 
> Regards
> 
> Dante F. B. Colò
> 
Yes it does, just don't forget to set numcores/coremask in the boot
command.

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.1 (GENERIC.MP) #0: Mon Apr  3 08:08:00 UTC 2017
visa@octeon:/usr/src/sys/arch/octeon/compile/GENERIC.MP
real mem = 2147483648 (2048MB)
avail mem = 2113486848 (2015MB)
warning: no entropy supplied by boot loader
mainbus0 at root
cpu0 at mainbus0: CN61xx CPU rev 0.1 800 MHz, Software FP emulation
cpu0: cache L1-I 512KB D 8KB 64 way, L2 1024KB 8 way
cpu1 at mainbus0: CN61xx CPU rev 0.1 800 MHz, Software FP emulation
cpu1: cache L1-I 512KB D 8KB 64 way, L2 1024KB 8 way
clock0 at mainbus0: int 5
iobus0 at mainbus0
octuctl0 at iobus0 base 0x118006f00 irq 56
ehci0 at octuctl0
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Octeon EHCI root hub" rev 2.00/1.00 
addr 1
ohci0 at octuctl0, version 1.0
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Octeon OHCI root hub" rev 1.00/1.00 
addr 1
octrng0 at iobus0 base 0x14000 irq 0
cn30xxgmx0 at iobus0 base 0x118000800
cnmac0 at cn30xxgmx0: SGMII, address 24:a4:3c:06:a2:72
ukphy0 at cnmac0 phy 4: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac1 at cn30xxgmx0: SGMII, address 24:a4:3c:06:a2:73
ukphy1 at cnmac1 phy 5: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac2 at cn30xxgmx0: SGMII, address 24:a4:3c:06:a2:74
ukphy2 at cnmac2 phy 6: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac3 at cn30xxgmx0: SGMII, address 24:a4:3c:06:a2:75
ukphy3 at cnmac3 phy 7: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cn30xxgmx1 at iobus0 base 0x118001000
cnmac4 at cn30xxgmx1: SGMII, address 24:a4:3c:06:a2:76
ukphy4 at cnmac4 phy 0: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac5 at cn30xxgmx1: SGMII, address 24:a4:3c:06:a2:77
ukphy5 at cnmac5 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac6 at cn30xxgmx1: SGMII, address 24:a4:3c:06:a2:78
ukphy6 at cnmac6 phy 2: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
cnmac7 at cn30xxgmx1: SGMII, address 24:a4:3c:06:a2:79
ukphy7 at cnmac7 phy 3: Generic IEEE 802.3u media interface, rev. 3: OUI 
0x180361, model 0x0004
simplebus0 at iobus0: "soc"
octmmc0 at simplebus0
sdmmc0 at octmmc0: 8-bit, mmc high-speed
uartbus0 at mainbus0
com0 at uartbus0 base 0x118000800 irq 34: ns16550a, 64 byte fifo
com0: console
com1 at uartbus0 base 0x118000c00 irq 35: ns16550a, 64 byte fifo
/dev/ksyms: Symbol table not valid.
ural0 at uhub0 port 1 configuration 1 interface 0 "Cisco-Linksys Wireless-G USB 
Network Adapter" rev 2.00/0.04 addr 2
ural0: MAC/BBP RT2571 (rev 0x05), RF RT2526, address 00:14:bf:75:9a:45
scsibus0 at sdmmc0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  SCSI2 0/direct removable
sd0: 3776MB, 512 bytes/sector, 7733248 sectors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
boot device: sd0
root on sd0a (5e15570835adc5f6.a) swap on sd0b dump on sd0b



Re: (Possibly OT) Trouble installing kanboard

2017-09-12 Thread Martijn van Duren
On 09/12/17 15:38, Andreas Thulin wrote:
> Hi all!
> 
> This may be OT, and if so I apologise (and appreciate being pushed in the
> right direction). I'm trying to install and run kanboard (
> https://kanboard.net) on my 6.1-stable amd64 VPS using httpd + php 7.0.16 +
> php-fpm-7.0.
> 
> At first, the web GUI installer complained (Internal Error: PHP extension
> required: "gd"), so I installed php-gd, and
> 
> # rcctl restart php70_fpm
> as well as
> # rcctl restart httpd
> 
> but I still get the same error message. My php_info() page claims I have gd
> ("shared", whatever that means) support.
Extensions aren't loaded in by default.

# cp /etc/php-7.0.sample/gd.ini /etc/php-7.0
# rcctl restart php70_fpm
> 
> There are a few different components involved here, so I'm not sure where
> to start trouble-shooting. Any pointers would help.
> 
> BR
> Andreas
> 

martijn@



Re: gmail and hotmail blocking mail sent from my IP

2017-08-06 Thread Martijn van Duren
Not an authority on this, so take my reply for what you want.

As far as I know this list is used to keep track of ip-addresses by ISPs
for home-addresses, which are not intended to be used for outgoing mail.

You can whitelist your ip-address on this list yourself and all should
be back to normal.

I faced the same issues and adding my ip did solve the 550s.

Do note that my ip gets removed every year and thus should be re-added
every year.

Sincerely,

martijn@

On 08/06/17 16:51, Walter Alejandro Iglesias wrote:
> Hello everyone,
> 
> I was using smtpd(8) (static IP and FQDN resolving direct and reverse)
> for a year without problems.  Today sending from my server (from the
> same address I'm using now) to gmail and hotmail they answered the
> following (MAILER-DAEMON answer).
> 
> Sending to gmail addresses:
> 
>   *@gmail.com: 550-5.7.1 [185.37.212.61] The IP you're using to send
>   mail is not authorized to send email directly to our servers.  Please
>   use the SMTP relay at your service provider instead. Learn more at
>   https://support.google.com/mail/?p=NotAuthorizedError
>   e1si6736354wra.236 - gsmtp
> 
> Sending to hotmail:
> 
>   *@hotmail.com: 550 DY-001 (SNT004-MC3F42) Unfortunately, messages from
>   185.37.212.61 weren't sent. Please contact your Internet service
>   provider. You can tell them that Hotmail does not relay
>   dynamically-assigned IP ranges. You can also refer your provider to
>   http://mail.live.com/mail/troubleshooting.aspx#errors.
> 
> 
> On the hotmail link above the explanaition for code DY-001 is:
> 
>   Mail rejected by Outlook.com for policy reasons. We generally do not
>   accept email from dynamic IP's as they are not typically used to
>   deliver unauthenticated SMTP email to an Internet mail server. If you
>   are not an email/network admin please contact your Email/Internet
>   Service Provider for help. http://www.spamhaus.org maintains lists of
>   dynamic and residential IP addresses.
> 
> It doesn't happen with yahoo.
> 
> I visited spamhaus.org site and found out my IP is included in a list
> called PBL that, as they  explain is not a spammers list, it just
> includes dynamic and "non mail server IP ranges".
> 
> Does someone here know what is "non mail server IP ranges" about?  Or,
> how could my static IP could be taken as dynamic (some DNS faliure at my
> ISP end?).
> 



Re: FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: Unable to create temporary file, Check permissions in temporary files directory.

2017-08-01 Thread Martijn van Duren
Hello Stephane,

First, please send mails with questions about packages to ports@ in the
future. I'm not changing list now because I don't want to continue the
discussion, but merely rectify a few of your mistakes and hopefully
prevent people finding this thread in the future from making the same
ones.

If anyone feels like they should continue this thread please change the
list to ports@.

On 07/26/17 23:33, Stephane HUC "PengouinBSD" wrote:
> Hi, all.
> 
> Sorry for the latence!
> 
> Yes, i'm sure all ENV* variables are absolute to the system root.
> As explain on the php-fpm.conf, only few directives are relative to be
> chroot.
> 
> [quote]
> (...)
> ; Per pool prefix
> ; It only applies on the following directives:
> ; - 'access.log'
> ; - 'slowlog'
> ; - 'listen' (unixsocket)
> ; - 'chroot'
> ; - 'chdir'
> ; - 'php_values'
> ; - 'php_admin_values'
> ; When not set, the global prefix (or /usr/local) applies instead.
> ; Note: This directive can also be relative to the global prefix.
> (...)
> [/quote]
> 
> I modified the php-fpm.conf_user as:
> 
> env[TMP] = /var/www/tmp/$pool
> env[TMPDIR] = /var/www/tmp/$pool
> env[TEMP] = /var/www/tmp/$pool
> (...)
> php_admin_value[upload_tmp_dir]=/tmp/$pool
> 
> I created the directory /var/www/tmp/$pool, and chowned user_blog:www on
> this!
> 
> In facts, i was wrong user.
> 
> Now, it's run correctly! ;)

It runs because of sheer luck, not because of a proper configuration,
let alone correctly.

My statements are based on 7.1.7 which I compiled locally and will
hopefully hit the tree soon(tm), but should be equally valid for
other versions of PHP.
Also, I don't know your setup, so my response is based on
speculation, but is hopefully accurate enough for you to figure out
what is going on yourself.

I assume that you try to upload a file to a PHP script and store
it locally. This reaches main/rfc1867.c:1021 in the PHP core.

This tries to open a file based on upload_tmp_dir, which you've
set to /tmp/$pool in your final solution. This succeeds, because
it exists inside your chroot.
The problem here is that you haven't fixed env[{TMP,TMPDIR,TEMP}].

If upload_tmp_dir isn't set php_open_temporary_fd_ex
(main/php_open_temporary_file.c:294) calls php_get_temporary_directory.
This function tries several options, of which one is getenv("TMPDIR");.
Because you've set this variable to /var/www/tmp in your original setup,
but is called *AFTER* the fpm-daemon has chrooted to /var/www it
effectively tries to call /var/www/var/www/tmp, which does not exist.
See also the documentation at http://php.net/manual/en/ini.core.php.

If you hadn't set the environment variable it would've eventually fallen
back to /tmp, which is effectively /var/www/tmp because of the chroot.
Ergo: Fix your environment and unset upload_tmp_dir.

The second problem you hit is that /var/www/tmp is owned by www:www
with 755 permissions (pitfall, these permissions can be reset at any
time to 700). So even if PHP would try to create the intermediate
directories (don't know, haven't checked) it would still fail because of
the permissions on this directory.
Creating the /var/www/tmp/$pool directory with the correct owner
solves the problem indeed, but not because of your env statements.

The problem now is that you've fixed one problem but you've left open an
entire subsection of problems that you happen to not hit, and are still
a risk for people copying your configuration, or even yourself in the
future.
If you were to use tmpfile() you'd probably run into the same problem,
and that's just one example that I thought of, there's probably a lot
more.

So please, make sure you know what you're doing, especially if you claim
you've fixed something. These misconfigurations are always picked up by
other users and will cause problems down the road.

Next time you run into a similar problem go through the following steps:
1) Formulate what you've changed compared to the default configuration
file.
2) Formulate why you've changed these settings.
3) If you happen to solve your particular problem, report it as such
(that it fixes just your use case), unless you've researched why things
failed in the first place and you're absolutely sure your solution is
a generic solution.

Hope this mail helped you understand a little more of the internals and
added a little to your skills to debug such problems yourself.

martijn@
> 
> Thank you all.
> 
> 
> Le 07/26/17 à 01:50, Todd Mortimer a écrit :
>> Hi Stephane,
>>
>> Are you sure that the env[TMP], env[TMPDIR] and env[TEMP] variables are
>> supposed to be relative to the real system root, or relative to the
>> chroot? If I were to guess, I would bet that php is trying to create a
>> file after chrooting itself, and inside the chroot, /var/www/tmp doesn't
>> exist. Try setting those env vars to /tmp and see if that works. 
>>
>> Todd
>>
>> On Tue, Jul 25, 2017 at 09:03:38AM +0200, Stephane HUC "PengouinBSD" wrote:
>>> Hi all.
>>>
>>> I have this error on my,OpenBSD server 
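The chroot arithmetic in the reply above, as an added Python example (not code from the thread, from php-fpm or from OpenBSD): a path that PHP opens after php-fpm has called chroot(2) is re-rooted under the chroot, so `env[TMPDIR] = /var/www/tmp` becomes `/var/www/var/www/tmp` on the host, while the chroot-relative `/tmp` lands on the real `/var/www/tmp`, which is owned by www with mode 755 and therefore not writable by the pool's user. The pool name `blog`, the user `user_blog` and the little table of host directories are constructed for the example; the check model ignores group membership.

```python
import posixpath

# Constructed picture of the host filesystem in the thread: php-fpm chroots
# the pool to /var/www; /var/www/tmp is owned by www with mode 755; the
# per-pool directory /var/www/tmp/blog was created by hand for the pool's
# user. Pool name "blog" and user "user_blog" are assumptions of the example.
CHROOT = "/var/www"
HOST_DIRS = {                       # host path -> (owner, mode)
    "/tmp": ("root", 0o1777),
    "/var/www/tmp": ("www", 0o755),
    "/var/www/tmp/blog": ("user_blog", 0o755),
}


def host_path(chroot, path_as_seen_by_php):
    """Translate a path PHP opens after chroot(2) into the host path it hits.

    Every absolute path inside the chroot is re-rooted under chroot, which is
    why '/var/www/tmp' in env[TMPDIR] turns into '/var/www/var/www/tmp'.
    """
    return posixpath.normpath(chroot + "/" + path_as_seen_by_php.lstrip("/"))


def can_create_file(host_dir, as_user, dirs=HOST_DIRS):
    """Crude creat(2) model: the directory must exist and be writable by as_user.

    Only the owner and other bits are consulted; group membership is ignored.
    """
    if host_dir not in dirs:
        return False, "ENOENT"
    owner, mode = dirs[host_dir]
    if owner == as_user and mode & 0o200:
        return True, "ok"
    if mode & 0o002:
        return True, "ok"
    return False, "EACCES"


def check_tmp_setting(setting, as_user, chroot=CHROOT, dirs=HOST_DIRS):
    """Evaluate a TMPDIR/upload_tmp_dir value from the chrooted pool's viewpoint.

    Returns (host path actually used, ok, reason).
    """
    real = host_path(chroot, setting)
    ok, why = can_create_file(real, as_user, dirs)
    return real, ok, why


if __name__ == "__main__":
    for setting in ("/var/www/tmp", "/var/www/tmp/blog", "/tmp", "/tmp/blog"):
        real, ok, why = check_tmp_setting(setting, "user_blog")
        print("%-18s -> %-24s %-5s %s" % (setting, real, ok, why))
```

The two rows that pass are the ones with chroot-relative settings, which is the configuration the reply asks for: `env[TMP]`, `env[TMPDIR]` and `env[TEMP]` set to `/tmp/$pool` and `upload_tmp_dir` left unset, with `/var/www/tmp/$pool` created on the host and owned by the pool's user. The `/var/www/tmp` row with `ENOENT` is the doubled path from the original configuration, and the `/tmp` row with `EACCES` is the 755 directory owned by www that the reply warns can be reset to 700.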

Re: Missed ifconfig [[-]txpower dBm] option for 802.11

2017-07-04 Thread Martijn van Duren
On 07/04/17 15:07, Denis wrote:
> Looking for ifconfig '[[-]txpower dBm]' option which was present in
> OpenBSD 5.4 amd64. Try to find 'txpower' on 6.0 amd64 but seems it
> missed out.
> 
> Actively using it to match power for 802.11 card and it's RF recipient
> (post amp). What mechanism of output power matching is provided
> currently since 5.4 amd64?
> 
> Thanks for answers in advance.
> 
A quick look in the ifconfig.8 cvs log shows:
revision 1.264
date: 2015/12/06 12:50:05;  author: tedu;  state: Exp;  lines: +2 -10;  
commitid: elXp5QtailrWrL5N;
remove txpower option. only relevant to the now irrelevant wi driver.
(several other drivers misleadingly claim generic 802.11 txpower, but
do not in fact do anything. the knob is not connected to the radio.)
ok benno jsg krw reyk

martijn@



scsi_xfer pool exhausted

2017-06-28 Thread Martijn van Duren
Hello misc@,

A customer system of mine has been having problems since this
morning (it has happened 3 times so far).
The dmesg shows a large number of "scsi_xfer pool exhausted" messages.

Right now I have no idea on how to debug this any further.

Cluestick more than welcome

$ dmesg 
OpenBSD 6.1 (GENERIC.MP) #7: Mon Jun 12 20:41:01 CEST 2017

rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2026598400 (1932MB)
avail mem = 1960488960 (1869MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7ad34018 (93 entries)
bios0: vendor FUJITSU // American Megatrends Inc. version "V4.6.5.4 R1.25.0 for 
D3230-A1x" date 06/24/2014
bios0: FUJITSU ESPRIMO P420
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT SSDT SSDT MCFG HPET SSDT SSDT MSDM SLIC
acpi0: wakeup devices PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) 
PXSX(S4) RP04(S4) GLAN(S4) EHC1(S4) EHC2(S4) XHC_(S4) HDEF(S4) PEG0(S4) PEGP(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU G3220 @ 3.00GHz, 2993.54 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2993537960 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Pentium(R) CPU G3220 @ 3.00GHz, 2993.06 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 6 (RP03)
acpiprt4 at acpi0: bus 7 (RP04)
acpiprt5 at acpi0: bus -1 (PEG0)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C2(350@117 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C2(350@117 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: FN00, resource for FAN0
acpipwrres1 at acpi0: FN01, resource for FAN1
acpipwrres2 at acpi0: FN02, resource for FAN2
acpipwrres3 at acpi0: FN03, resource for FAN3
acpipwrres4 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
"INT3F0D" at acpi0 not configured
"PNP0303" at acpi0 not configured
acpibtn0 at acpi0: PWRB
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 2993 MHz: speeds: 3000, 2900, 2700, 2600, 2400, 2300, 
2100, 2000, 1800, 1700, 1500, 1400, 1200, 1100, 900, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 4G Host" rev 0x06
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics" rev 0x06
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1280x1024, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
azalia0 at pci0 dev 3 function 0 "Intel Core 4G HD Audio" rev 0x06: msi
azalia0: No codecs found
xhci0 at pci0 dev 20 function 0 "Intel 8 Series xHCI" rev 0x04: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
"Intel 8 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
ehci0 at pci0 dev 26 function 0 "Intel 8 Series USB" rev 0x04: apic 8 int 16
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
azalia1 at pci0 dev 27 function 0 "Intel 8 Series HD Audio" rev 0x04: msi
azalia1: codecs: Realtek/0x0671
audio0 at azalia1
ppb0 at pci0 dev 28 function 0 "Intel 8 Series PCIE" rev 0xd4: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 8 Series PCIE" rev 0xd4: msi
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 vendor "ASMedia", unknown product 0x1182 rev 0x00
pci3 at ppb2 bus 3
ppb3 at pci3 dev 3 function 0 vendor "ASMedia", unknown product 0x1182 rev 
0x00: msi
pci4 at ppb3 bus 4
re0 at pci4 dev 0 function 

Re: HELP! My HTTPD website keeps breaking because the custom directory/user permissions are being reverting for some reason!

2017-05-28 Thread Martijn van Duren
On 05/29/17 01:57, tec...@protonmail.com wrote:
> Hi there,
> 
> I have been using httpd for quite a while now, but after a new 
> project/website having to have read/write/execute permissions (unsafe, I do 
> realise..) I decided to:
> 
> 1. add root to the www group,
> 2. chown -R www:www /var/www/htdocs
> 3. chmod -R 775 /var/www/htdocs
> 
> Everything was running smoothly, until I was testing out the functionality 
> and realised I couldn't use php to write new directories or files, so I 
> checked the permissions and for some reason they have all switched back to: 
> root:daemon with permissions of 755.
> 
> Now, I'm guessing this is a security feature in some way, but for my purposes 
> and the type of service I'm creating it is breaking everything. Can someone 
> tell me what man page to look up for this or something? Time is of the 
> essence because I need this website running properly by tomorrow at latest.
> 
> Many many thanks!!
> 

My suggestion would be to look into mtree(8) and security(8)
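Added example, not from the thread, of the kind of check the reply points at: mtree(8) records owner, group and mode for a tree, and the daily security(8) run compares /etc/mtree/special against the live system and reports what drifted. The script below does the same baseline-and-diff in plain sh so it also runs where mtree is absent; /var/www/htdocs and /root/htdocs.perms are assumed paths. Run from cron it pins down when the ownership flips, which is the first thing to know before deciding what to change:

```shell
#!/bin/sh
# Added example (not from the thread): snapshot owner, group and mode of a
# tree and report what changed since, using only find(1), ls(1), awk(1)
# and comm(1) so it runs on OpenBSD and Linux alike. On OpenBSD, mtree(8)
# -c -K uname,gname,mode writes the same kind of spec natively.
export LC_ALL=C   # stable sort/comm ordering regardless of locale

# perm_snapshot DIR: one sorted line per file or directory,
# "mode owner group path" (symlinks are skipped: ls would print the target)
perm_snapshot() {
	find "$1" \( -type d -o -type f \) -exec ls -ld {} \; |
	    awk '{ print $1, $3, $4, $NF }' | sort
}

# perm_drift BASELINE DIR: print entries whose mode/owner/group differ from
# BASELINE (a saved perm_snapshot). Returns 0 if nothing changed, 1 if it did.
perm_drift() {
	baseline=$1
	dir=$2
	current=$(mktemp) || return 2
	perm_snapshot "$dir" > "$current"
	drift=$(comm -13 "$baseline" "$current")   # lines only in the current state
	rm -f "$current"
	[ -z "$drift" ] && return 0
	printf '%s\n' "$drift"
	return 1
}

# Usage (assumed paths): take a baseline right after chown/chmod, then run the
# check from cron or by hand until the moment the permissions flip:
#   perm_snapshot /var/www/htdocs > /root/htdocs.perms
#   perm_drift /root/htdocs.perms /var/www/htdocs || logger -t permdrift "htdocs changed"
```

The baseline is taken once; every later run prints only the entries whose mode, owner or group no longer match, so a chown back to root:daemon shows up as a single changed line with the timestamp of the cron run that caught it.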



Re: OpenIKED and Windows 10 Client

2017-04-12 Thread Martijn van Duren
On 04/12/17 11:42, Stuart Henderson wrote:
> On 2017-04-11, Markus Rosjat  wrote:
>> I think the problem is with the windows site because it tells me there 
>> is no certificate to be found. I added the certificate to local machine 
>> store -> own certificates (at least in the german UI is no personal folder)
> 
> I think you're adding this cert to the wrong one of the many cert stores
> on Windows. It worked for me in trusted CAs, though there may be a better
> option that also works.
> 
One thing that also bit me was that I had to put them in the system-wide
store and not in the personal store.



Re: bandwidth monitoring

2017-03-07 Thread Martijn van Duren
On 03/07/17 12:08, thrph.i...@gmail.com wrote:
> http://www.ex-parrot.com/pdw/iftop/

systat(1) states
> 
> On Tue, 7 Mar 2017 11:28:50 +0100
> Frank White  wrote:
> 
>> Hi,
>> how can I monitor the bandwidth and know what client is occupying the
>> bandwidth ?
>> Thank u.



Re: System monitor in base?

2016-09-02 Thread Martijn van Duren
On 09/03/16 00:46, Aioi Yuuko wrote:
> Hi,
> 
> I'm trying to wean myself off external packages as much as possible. Is there 
> a common, accepted way of viewing, for instance, battery life, with only 
> included programs?
> 

It depends upon your precise needs, but you could look into sensorsd(8)
and snmpd(8), or just run apm(8) if you want the current status.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Martijn van Duren
On 04/26/16 12:54, Murk Fletcher wrote:
> Hi!
> 
> Both Perl and PHP are dying languages. Python is nice, but Ruby on Rails is
> way nicer. That's just my opinion though, and I build tons of super cool
> web and mobile apps.

I'm looking forward to your reimplementation of pkg_* and dpb in ruby.
Hopefully it's here before Perl dies.
> 
> Ruby on Rails vs PHP - Commercial #3 of 9:
> https://www.youtube.com/watch?v=p5EIrSM8dCA etc.
> 
> --Murk



Re: After resuming from sleep, HP laptop kb unusable

2016-04-19 Thread Martijn van Duren
There was a patch for keyboards not coming back again after suspend on  
April 14th. You should try a newer snapshot.

On 04/19/16 15:18, Riccardo Mottola wrote:
> Hi,
> 
> I can suspend my laptop by closing the lid, hitting the powerbutton the 
> computer comes up again, however it looks frozen, I cannot type anything (or 
> I may type 1 or two chars before it locks up). It happens both under console 
> as with X11
> Actually, it is not frozen. I noticed that with a mouse, under X11 and I also 
> can ssh into the machine and get a dmesg, which contains also the resume 
> messages.
> 
> I notice there is a "stack trace". Is that a hint to the issue? Someone other 
> experience such a behaviour?
> 
> Riccardo
> 
> $ dmesg
> OpenBSD 5.9 (GENERIC.MP) #1888: Fri Feb 26 01:20:19 MST 2016
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> RTC BIOS diagnostic error 
> 9d
> real mem = 4209762304 (4014MB)
> avail mem = 4077973504 (3889MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xacdb6000 (25 entries)
> bios0: vendor Hewlett-Packard version "68SRR Ver. F.41" date 05/22/2013
> bios0: Hewlett-Packard HP ProBook 4530s
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP HPET APIC MCFG ASF! SSDT SSDT SLIC SSDT SSDT
> acpi0: wakeup devices LANC(S0) EHC1(S0) EHC2(S0) PCIB(S5) RP02(S4) ECF0(S4) 
> RP03(S4) RP04(S5) WNIC(S5) RP06(S0) NIC_(S0) RP07(S4) RP08(S0) HST1(S5)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz, 2494.73 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz, 2494.34 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 1, core 0, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz, 2494.34 MHz
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 1, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz, 2494.34 MHz
> cpu3: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 1, core 1, package 0
> ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpiprt0 at acpi0: bus -1 (PEGP)
> acpiprt1 at acpi0: bus -1 (PCIB)
> acpiprt2 at acpi0: bus 1 (RP01)
> acpiprt3 at acpi0: bus 2 (RP02)
> acpiprt4 at acpi0: bus 35 (RP03)
> acpiprt5 at acpi0: bus 36 (RP04)
> acpiprt6 at acpi0: bus 37 (RP06)
> acpiprt7 at acpi0: bus 38 (RP08)
> acpiprt8 at acpi0: bus 0 (PCI0)
> acpiec0 at acpi0
> acpicpu0 at acpi0: C3(350@104 mwait.1@0x20), C1(1000@1 mwait.1), PSS
> acpicpu1 at acpi0: C3(350@104 mwait.1@0x20), C1(1000@1 mwait.1), PSS
> acpicpu2 at acpi0: C3(350@104 mwait.1@0x20), C1(1000@1 mwait.1), PSS
> acpicpu3 at acpi0: C3(350@104 mwait.1@0x20), C1(1000@1 mwait.1), PSS
> acpipwrres0 at acpi0: APPR, resource for HDEF
> acpipwrres1 at acpi0: COMP, resource for COM1
> acpipwrres2 at acpi0: LPP_, resource for LPT0
> acpitz0 at acpi0: critical temperature is 128 degC
> acpitz1 at acpi0: critical temperature is 128 degC
> acpitz2 at acpi0: critical temperature is 128 degC
> acpitz3 at acpi0: critical temperature is 128 degC
> acpitz4 at acpi0: critical temperature is 128 degC
> acpitz5 at acpi0: critical temperature is 128 degC
> acpitz6 at acpi0: critical temperature is 128 degC
> acpitz7 at acpi0: critical temperature is 

Re: owncloud - external files directory

2016-04-17 Thread Martijn van Duren
On 04/17/16 13:20, Joseph Oficre wrote:
> I want to store all my files centralized. I have some windows pc's at home,
> some notebooks and my work laptop. So i want to be able to put and take the
> files from any of this PC's. But /var/ partition only 100gb size, so i
> think it's good idea to move datadir to /home/ partition(or even to
> external large disk, that i can just put in my pocket)

You could set chroot for httpd and php-fpm to /home/USER/owncloud.
This however would mean that both daemons are stuck within that directory.

Keep user-permissions in mind when doing this.

See httpd.conf(5) and /etc/php-fpm.conf.
> 
> 2016-04-17 14:12 GMT+03:00 Erling Westenvik :
> 
>> On Sun, Apr 17, 2016 at 12:40:59PM +0300, Joseph Oficre wrote:
>>> Hello misc.
>>> I've installed ownCloud with this guide
>>>
>> https://github.com/reyk/httpd/wiki/Running-ownCloud-with-httpd-on-OpenBSD
>>>
>>> Everything looks fine, but i want to store all my files not in
>>> /var/www/owncloud/data but in /home/USER/owncloud/data/
>>> Moving datadir to home and reconfiguring config/config.php
>> "datadirectory"
>>> did nothing, only error:
>>
>> httpd(8) is chroot(8)'ed to /var/www by default. Your options include:
>>
>> - disabling chroot, which isn't a very recommended option, or
>> - set up /home as the new chroot, which probably isn't a very recommended
>>   option either.
>>
>> What are you trying to achive?
>>
>> Regards,
>>
>> Erling
>>
>>>
>>> PHP message:
>>>
>> {"reqId":"HMQmV6NKyZ0Af967TUia","remoteAddr":"192.168.0.102","app":"index","message":"Exception:
>>> {\"Exception\":\"DoctrineDBALDBALException\",\"Message\":\"Failed
>>> to connect to the database: An exception occured in driver:
>> SQLSTATE[HY000]
>>> [14] unable to open database file\",\"Code\":0,\"Trace\":\"#0
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Connection.php(973):
>>> OCDBConnection->connect()\\n#1
>>> \\\/owncloud\\\/lib\\\/private\\\/db\\\/connection.php(203):
>>> DoctrineDBALConnection->executeUpdate('PRAGMA read_unc...',
>> Array,
>>> Array)\\n#2
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Connection.php(621):
>>> OCDBConnection->executeUpdate('PRAGMA read_unc...')\\n#3
>>> \\\/owncloud\\\/lib\\\/private\\\/db\\\/connection.php(135):
>>> DoctrineDBALConnection->setTransactionIsolation(2)\\n#4
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/DriverManager.php(172):
>>> OCDBConnection->__cons...
>>> PHP message:
>>>
>> {"reqId":"HMQmV6NKyZ0Af967TUia","remoteAddr":"192.168.0.102","app":"core","message":"Exception:
>>> {\"Exception\":\"DoctrineDBALDBALException\",\"Message\":\"Failed
>>> to connect to the database: An exception occured in driver:
>> SQLSTATE[HY000]
>>> [14] unable to open database file\",\"Code\":0,\"Trace\":\"#0
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Connection.php(973):
>>> OCDBConnection->connect()\\n#1
>>> \\\/owncloud\\\/lib\\\/private\\\/db\\\/connection.php(203):
>>> DoctrineDBALConnection->executeUpdate('PRAGMA read_unc...',
>> Array,
>>> Array)\\n#2
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Connection.php(621):
>>> OCDBConnection->executeUpdate('PRAGMA read_unc...')\\n#3
>>> \\\/owncloud\\\/lib\\\/private\\\/db\\\/connection.php(135):
>>> DoctrineDBALConnection->setTransactionIsolation(2)\\n#4
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/DriverManager.php(172):
>>> OCDBConnection->__const...
>>> PHP message:
>>>
>> {"reqId":"HMQmV6NKyZ0Af967TUia","remoteAddr":"192.168.0.102","app":"core","message":"Exception:
>>> {\"Exception\":\"DoctrineDBALDBALException\",\"Message\":\"Failed
>>> to connect to the database: An exception occured in driver:
>> SQLSTATE[HY000]
>>> [14] unable to open database file\",\"Code\":0,\"Trace\":\"#0
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Connection.php(973):
>>> OCDBConnection->connect()\\n#1
>>> \\\/owncloud\\\/lib\\\/private\\\/db\\\/connection.php(203):
>>> DoctrineDBALConnection->executeUpdate('PRAGMA read_unc...',
>> Array,
>>> Array)\\n#2
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/Connection.php(621):
>>> OCDBConnection->executeUpdate('PRAGMA read_unc...')\\n#3
>>> \\\/owncloud\\\/lib\\\/private\\\/db\\\/connection.php(135):
>>> DoctrineDBALConnection->setTransactionIsolation(2)\\n#4
>>>
>> \\\/owncloud\\\/3rdparty\\\/doctrine\\\/dbal\\\/lib\\\/Doctrine\\\/DBAL\\\/DriverManager.php(172):
>>> OCDBConnection->__const...
>>>
>>> PHP message:
>>>
>> {"reqId":"HMQmV6NKyZ0Af967TUia","remoteAddr":"192.168.0.102","app":"PHP","message":"touch():
>>> Unable to create file \/home\/usf\/owncloud\/data\/owncloud.log because
>> No

Re: doas.conf cmd with argument(s)

2016-04-01 Thread Martijn van Duren
see doas.conf(5):
 args ... Arguments to command.  If specified, the command arguments
  provided by the user need to match for the command to be
  successful.  Specifying args alone means that command should
  be run without any arguments.

You forgot the args keyword.

On 04/01/16 23:33, Tor Houghton wrote:
> Hi,
> 
> Now that sudo is out of base, I am wondering -- do I need to add it again,
> or does doas.conf allow for specifying commands with arguments?
> 
> Obviously not like this (doas doesn't like that), but akin to:
> 
>   permit nopass support as root cmd /usr/sbin/rcctl restart ntpd 
> 
> I don't want the support user to be able to use rcctl on any daemon process,
> basically.
> 
> Kind regards,
> 
> Tor
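The rule the question is after, written out with the args keyword from doas.conf(5); this is an added example, not a line from the thread. The support user, /usr/sbin/rcctl and ntpd come from the question, the second rule is an assumption:

```conf
# /etc/doas.conf (added example)
# Every word after "args" must match what the user types, so this permits
# exactly "doas /usr/sbin/rcctl restart ntpd" and nothing else for rcctl.
permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd

# args lists are exact, there is no globbing, so each permitted command
# line needs its own rule (assumed second rule):
permit nopass support as root cmd /usr/sbin/rcctl args check ntpd
```

With a current doas, `doas -C /etc/doas.conf /usr/sbin/rcctl restart ntpd` prints "permit nopass" for the first rule without running anything; any other argument list for rcctl matches no rule and is denied, which is the "only this daemon" restriction asked for. A rule with cmd but no args keyword at all would let the support user run every rcctl subcommand.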



Re: OT: True hardware UNIX terminal

2016-03-29 Thread Martijn van Duren
On 03/29/16 13:20, Mihai Popescu wrote:
> Hello,
> 
> This question is somehow off topic but I know there are some readers
> here old enough to shade some light in this matter.
> I want to get and idea of what was or is an old true hardware UNIX
> terminal. I have searched google, but the word "terminal" associated
> with UNIX points most of the time to what we know today as UNIX shell.
> If someone, please, can show me a doc or explain a little bit what was
> a terminal at that moment back in time. I know that it was some kind
> of hardware, maybe RS232 related, used to connect to some main frame.
> But I am unable to find the details. I even lack some tech words to
> search deeper on the web.
> 
> Thank you.
> 
Maybe this will be of help: http://www.vt100.net/docs/vt220-rm/



Re: Search with regex in nvi

2016-02-25 Thread Martijn van Duren
From what I can see your regex is the same as Attiva.*XXL[1],
so why not just that one?

Or what pattern are you trying to match exactly?

On 02/26/16 04:39, Артур Истомин wrote:
> Suppose I have file with next lines among others:
> 
> Omsa Attiva 40 cioccolato 2
> Omsa Attiva 40 blue XXL
> Omsa Attiva 40 milk S
> Omsa Attiva 40 sierra XXL
> Omsa Attiva 40 nero M
> Omsa Attiva 40 nero XXL
> 
> I need to find lines, where size is XXL. I can do it with "Attiva\&.*XXL" in 
> vim
> but it doesn't work in nvi. Are there any general way to do it in both 
> editors?
> 
> Thank you.
> 
[1] use both /Attiva\&.*XXL and /Attiva.*XXL in vim with :set hlsearch



Re: ls cant print higher UTF-8 chars

2016-01-06 Thread Martijn van Duren

On 01/06/16 11:05, Mike Burns wrote:

On 2016-01-06 10.56.52 +0100, Jon S wrote:

Is this a known problem? Is there a solution to make ls print correct UTF-8?


Use colorls from packages instead.

http://marc.info/?l=openbsd-misc=142539814225472=2


Or wait for 5.9 to come out.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/bin/ls/



Re: upd(4) wrong reads

2015-11-09 Thread Martijn van Duren

ping

On 11/04/15 11:44, Martijn van Duren wrote:

Hello misc@,

I've installed a UPS (eaton ellipse 600) at a customer of mine, which
attaches as a upd(4) device without problems. When monitoring this
device with sensorsd it sporadically sends out emails about power
problems, even when there are no problems at that moment location.

When taking a closer look at the logs it appears that sensorsd regularly
reads wrong data from the device.

Is there a way to detect whether this issue is in the UPS or with the
driver?

I've placed an extra check on indicator0 with the shutdown command, so
there haven't been any untimely shutdowns yet, but it might be just a
matter of star and moon alignment before both percent0 and indicator0
are read wrong simultaneously.

Sincerely,

Martijn van Duren

$ sysctl hw.sensors.upd0
hw.sensors.upd0.indicator0=On (Charging), OK
hw.sensors.upd0.indicator1=Off (Discharging), OK
hw.sensors.upd0.indicator2=Off (NeedReplacement), OK
hw.sensors.upd0.indicator3=Off (ShutdownImminent), OK
hw.sensors.upd0.indicator4=On (ACPresent), OK
hw.sensors.upd0.indicator5=Off (Overload), OK
hw.sensors.upd0.percent0=100.00% (RemainingCapacity), OK
hw.sensors.upd0.percent1=100.00% (FullChargeCapacity), OK
hw.sensors.upd0.timedelta0=0.00 secs (RunTimeToEmpty), OK
$ zgrep sensorsd /var/log/daemon*
/var/log/daemon:Nov  4 07:00:20 server sensorsd[5]: upd0.percent0:
within limits: 100.00%
/var/log/daemon:Nov  4 08:58:24 server sensorsd[5]: upd0.percent0:
exceeds limits: 19.00% is below 20.00%
/var/log/daemon:Nov  4 08:58:44 server sensorsd[5]: upd0.percent0:
within limits: 100.00%
/var/log/daemon:Nov  4 09:31:37 server sensorsd[1790]: startup, system
has 40 sensors
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator0:
On, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator1:
Off, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator2:
Off, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator3:
Off, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator4:
On, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator5:
Off, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.percent0:
100.00%, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.percent0:
within limits: 100.00%
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.percent1:
100.00%, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.timedelta0:
0.00 secs, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]:
softraid0.drive0: online, OK
/var/log/daemon:Nov  4 09:32:31 server sensorsd[15990]: startup, system
has 40 sensors
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator0:
On, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator1:
Off, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator2:
Off, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator3:
Off, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator4:
On, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator5:
Off, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.percent0:
100.00%, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.percent0:
within limits: 100.00%
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.percent1:
100.00%, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.timedelta0:
0.00 secs, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]:
softraid0.drive0: online, OK
/var/log/daemon.0.gz:Nov  3 21:47:35 server sensorsd[5]: upd0.percent0:
exceeds limits: 19.00% is below 20.00%
/var/log/daemon.0.gz:Nov  3 21:47:55 server sensorsd[5]: upd0.percent0:
within limits: 100.00%
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]:
upd0.indicator0: On, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]:
upd0.indicator1: Off, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]:
upd0.indicator2: Off, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]:
upd0.indicator3: Off, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]:
upd0.indicator4: On, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]:
upd0.indicator5: Off, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]:
upd0.indicator0: On, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]:
upd0.indicator1: Off, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]:
upd0.indicator2: Off, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]:
upd0.indicator3: Off, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]:
upd0.indicator4: On, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]:
upd0.indicator5: Off, OK
/var/log/daemon.0.gz:Nov  3 23:49:24 server sensorsd[5]: upd0.percent0:
exceeds limits: 19.00% is below 20.00%
/var/log/daemon.0.gz:Nov  3 23:49:44 server

upd(4) wrong reads

2015-11-04 Thread Martijn van Duren

Hello misc@,

I've installed a UPS (eaton ellipse 600) at a customer of mine, which 
attaches as a upd(4) device without problems. When monitoring this 
device with sensorsd it sporadically sends out emails about power 
problems, even when there are no problems at that moment location.


When taking a closer look at the logs it appears that sensorsd regularly 
reads wrong data from the device.


Is there a way to detect whether this issue is in the UPS or with the 
driver?


I've placed an extra check on indicator0 with the shutdown command, so 
there haven't been any untimely shutdowns yet, but it might be just a 
matter of star and moon alignment before both percent0 and indicator0 
are read wrong simultaneously.


Sincerely,

Martijn van Duren

$ sysctl hw.sensors.upd0
hw.sensors.upd0.indicator0=On (Charging), OK
hw.sensors.upd0.indicator1=Off (Discharging), OK
hw.sensors.upd0.indicator2=Off (NeedReplacement), OK
hw.sensors.upd0.indicator3=Off (ShutdownImminent), OK
hw.sensors.upd0.indicator4=On (ACPresent), OK
hw.sensors.upd0.indicator5=Off (Overload), OK
hw.sensors.upd0.percent0=100.00% (RemainingCapacity), OK
hw.sensors.upd0.percent1=100.00% (FullChargeCapacity), OK
hw.sensors.upd0.timedelta0=0.00 secs (RunTimeToEmpty), OK
$ zgrep sensorsd /var/log/daemon*
/var/log/daemon:Nov  4 07:00:20 server sensorsd[5]: upd0.percent0: 
within limits: 100.00%
/var/log/daemon:Nov  4 08:58:24 server sensorsd[5]: upd0.percent0: 
exceeds limits: 19.00% is below 20.00%
/var/log/daemon:Nov  4 08:58:44 server sensorsd[5]: upd0.percent0: 
within limits: 100.00%
/var/log/daemon:Nov  4 09:31:37 server sensorsd[1790]: startup, system 
has 40 sensors
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator0: 
On, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator1: 
Off, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator2: 
Off, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator3: 
Off, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator4: 
On, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.indicator5: 
Off, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.percent0: 
100.00%, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.percent0: 
within limits: 100.00%
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.percent1: 
100.00%, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: upd0.timedelta0: 
0.00 secs, OK
/var/log/daemon:Nov  4 09:31:52 server sensorsd[10211]: 
softraid0.drive0: online, OK
/var/log/daemon:Nov  4 09:32:31 server sensorsd[15990]: startup, system 
has 40 sensors
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator0: 
On, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator1: 
Off, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator2: 
Off, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator3: 
Off, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator4: 
On, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.indicator5: 
Off, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.percent0: 
100.00%, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.percent0: 
within limits: 100.00%
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.percent1: 
100.00%, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: upd0.timedelta0: 
0.00 secs, OK
/var/log/daemon:Nov  4 09:32:46 server sensorsd[15230]: 
softraid0.drive0: online, OK
/var/log/daemon.0.gz:Nov  3 21:47:35 server sensorsd[5]: upd0.percent0: 
exceeds limits: 19.00% is below 20.00%
/var/log/daemon.0.gz:Nov  3 21:47:55 server sensorsd[5]: upd0.percent0: 
within limits: 100.00%
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]: 
upd0.indicator0: On, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]: 
upd0.indicator1: Off, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]: 
upd0.indicator2: Off, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]: 
upd0.indicator3: Off, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]: 
upd0.indicator4: On, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:48:57 server sensorsd[5]: 
upd0.indicator5: Off, UNKNOWN
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]: 
upd0.indicator0: On, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]: 
upd0.indicator1: Off, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]: 
upd0.indicator2: Off, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]: 
upd0.indicator3: Off, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]: 
upd0.indicator4: On, OK
/var/log/daemon.0.gz:Nov  3 22:49:17 server sensorsd[5]: 
upd0.indicator5: Off, OK
/var/log/daemon.0.gz:Nov  3 23:49:24 server sensorsd[5]: upd0.percent0: 
exceeds limits: 19.00% is below 20.00%
/var/log/daemon.0.gz:Nov  3 23:49:44
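As an added example, not part of Martijn's post: the kind of guard his "extra check" describes, written as a script for the command= entry of the sensor in sensorsd.conf(5). The sensor names and the 20% limit are taken from the log above; the script path, the sensorsd.conf line shown in the comment, the sample count and the interval are assumptions:

```shell
#!/bin/sh
# ups-confirm: re-read a upd(4) sensor before acting on a single bad sample.
#
# Added example. Assumed wiring in sensorsd.conf(5) (not from the thread):
#   hw.sensors.upd0.percent0:low=20:command=/usr/local/sbin/ups-confirm
# sensorsd fires once when the value crosses the limit; this script only
# lets the shutdown through when every one of SAMPLES re-reads agrees
# and the UPS also reports the mains gone.

SENSOR=${SENSOR:-hw.sensors.upd0.percent0}
AC_SENSOR=${AC_SENSOR:-hw.sensors.upd0.indicator4}   # ACPresent
LIMIT=${LIMIT:-20}
SAMPLES=${SAMPLES:-3}
INTERVAL=${INTERVAL:-10}

# read_sensor NAME: print the raw sysctl value, e.g. "19.00% (RemainingCapacity), OK"
read_sensor() {
	sysctl -n "$1"
}

# percent_of "19.00% (RemainingCapacity), OK" -> 19
percent_of() {
	v=${1%%\%*}      # strip from the first '%' onwards
	echo "${v%%.*}"  # drop the fraction
}

# confirmed_low: 0 only if all SAMPLES consecutive reads are below LIMIT
# and AC is reported absent afterwards; any sane or unparsable read aborts.
confirmed_low() {
	n=0
	while [ "$n" -lt "$SAMPLES" ]; do
		raw=$(read_sensor "$SENSOR") || return 1
		pct=$(percent_of "$raw")
		case $pct in
			*[!0-9]*|'') return 1 ;;   # garbage from the device: do not act on it
		esac
		[ "$pct" -lt "$LIMIT" ] || return 1
		n=$((n + 1))
		[ "$n" -lt "$SAMPLES" ] && sleep "$INTERVAL"
	done
	case $(read_sensor "$AC_SENSOR") in
		On*) return 1 ;;   # mains present: a low reading alone is not a power failure
	esac
	return 0
}

main() {
	if confirmed_low; then
		logger -t ups-confirm "${SENSOR} below ${LIMIT}% on ${SAMPLES} reads, AC absent: shutting down"
		/sbin/shutdown -hp now
	else
		logger -t ups-confirm "ignoring unconfirmed low reading on ${SENSOR}"
	fi
}

# Only act when run as the installed script; sourcing it just defines the functions.
case ${0##*/} in
	ups-confirm) main ;;
esac
```

sensorsd(8) runs the command once when percent0 crosses its limit; the script then takes the decision away from that single sample. A spurious 19% followed by a real 100%, like the pairs twenty seconds apart in the log above, aborts, while a battery that keeps draining with ACPresent off passes.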

Re: Unbound root.key in insecurity output

2015-10-29 Thread Martijn van Duren

I solved this by commenting out the file in /etc/changelist.

On 10/29/15 09:29, Martijn Rijkeboer wrote:

Hi,

I'm running a DNS resolver using Unbound (OpenBSD 5.8-stable AMD64) with the
auto-trust-anchor-file option set. This results in daily updates of the
/var/unbound/db/root.key file (only comments are changed). Unfortunately this
file is also checked via the security(8) script, which results in getting an
insecurity output mail every day (Cry Wolf problem). Is there a way to
exclude
the comments in the checks or the complete root.key file?

Kind regards,


Martijn Rijkeboer




Re: Show us your /etc/profile

2015-08-28 Thread Martijn van Duren
Here's a potentially useful feature from my .profile. It might not be 
perfect, but at least it's better than some of the generators I've seen 
in production.


# $RANDOM is not portable and in ksh it's limited to 32767.
# rand [MAX]: print a random 32-bit unsigned number from /dev/urandom
# (or /dev/random), or, with MAX, a number in 0..MAX.
rand() {
	local number
	local rdevice

	for rdevice in /dev/{u,}random fail; do
		test -c $rdevice -a -r $rdevice && break
	done
	test $rdevice = fail && return 1

	number=$(dd if=$rdevice bs=4 count=1 2>/dev/null | hexdump -e '/4 "%u\n"')
	if [ -z "$1" ]; then
		echo $number
	else
		# modulo reduction; the bias is negligible for MAX far below 2^32
		echo $((number % ($1 + 1)))
	fi
}

# http://xkcd.com/936/
# generatepw_file [WORDLIST]: four random words from a word list.
generatepw_file() {
	local file=${1:-/usr/share/dict/words}
	local lineno
	local i=0
	local passphrase
	local random

	lineno=$(wc -l < "$file") || return 1
	if [ $lineno -lt 75000 ]; then
		echo "Not enough words in $file" >&2
		return 1
	fi

	while [ $i -lt 4 ]; do
		# rand gives 0..MAX; sed(1) line addresses start at 1
		random=$(rand $((lineno - 1))) || return 1
		passphrase=${passphrase}$(sed -n "$((random + 1))p" "$file")
		i=$((i+1))
	done

	echo $passphrase
}

# generatepw_random: 10 to 20 characters drawn from the set below.
generatepw_random() {
	local characters='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^*()-_=+[]{}:,./?\|'
	local charactercount=$(printf '%s' "$characters" | wc -c)
	local password=''
	# Password should be somewhere between 10 and 20 characters
	local passwordlength=$((`rand 10` + 10))
	local i=0
	local random

	while [ $i -lt $passwordlength ]; do
		# index 0..charactercount-1: skip that many characters, keep the next
		random=$(rand $((charactercount - 1))) || return 1
		password=${password}$(printf '%s\n' "$characters" | sed -n "s/^.\{${random}\}\(.\).*/\1/p")
		i=$((i+1))
	done
	echo "$password"
}

generatepw() {
	if [ `rand 1` = 1 ]; then
		generatepw_file || generatepw_random || return 1
	else
		generatepw_random || return 1
	fi
}

On 08/28/15 02:36, T B wrote:

Resurrecting this not-too-old thread.  You might find this one useful if
you run CARP firewalls: it gives you a dynamic prompt telling you the
master/backup/other status.

function fwStatus {
	IFCONFIG=`ifconfig -a | grep carp:`
	# quote $IFCONFIG so the newlines survive and wc -l counts interfaces
	NUMCARPS=`echo "$IFCONFIG" | wc -l`
	BACKUPCARPS=`echo "$IFCONFIG" | grep 'carp: BACKUP' | wc -l`
	MASTERCARPS=`echo "$IFCONFIG" | grep 'carp: MASTER' | wc -l`

	if [[ $MASTERCARPS == $NUMCARPS ]]; then
		printf "master"
	elif [[ $BACKUPCARPS == $NUMCARPS ]]; then
		printf "backup"
	else
		printf "other"
	fi
}

HOSTNAME=`hostname -s`
PS1='${USER}@${HOSTNAME}:${PWD} ($(fwStatus)) $ '




beaglebone rj45 cape

2015-06-24 Thread Martijn van Duren

Hello misc@,

I'm currently looking into a managed switch for my home and I would like 
to achieve this with OpenBSD's bridge(4) option and pf. The throughput 
shouldn't be too high (at most some video streaming to my tv and 
generic websurfing) and preferably with low power usage.


I found the following board which at first glance seems to do exactly 
what I need [1].
What I would like to know if there's a good chance (or even a guarantee) 
that it would work with OpenBSD, before I spend my hard earned money on it.
If it is expected not to work, would there be an alternative (12 ports 
plus would be preferred) that would work?


Sincerely,

Martijn van Duren

[1] http://rgb-123.com/product/beaglebone-black-rj45-cape/



OpenBSD on iMac

2015-04-17 Thread Martijn van Duren

Sincerely,

Martijn van Duren



Re: OpenBSD on iMac

2015-04-17 Thread Martijn van Duren

On 04/17/15 11:07, Jonathan Gray wrote:

On Fri, Apr 17, 2015 at 09:57:49AM +0200, Martijn van Duren wrote:

On 04/17/15 09:36, Alexandre Ratchov wrote:

On Fri, Apr 17, 2015 at 09:06:55AM +0200, Martijn van Duren wrote:

Hello misc@,

I just got a replacement system (iMac 12,1) at work, so I decided to go
ahead and install OpenBSD on it. To do so I installed refind through debian
and created a GPT/MBR hybrid.

Most of the system runs perfectly (see dmesg pr0n below), but there are a
couple of minor inconveniences:
1) The sound from the speakers sounds like it comes from a cheap cellphone.


You mean the level is too low? Does mixerctl outputs.spkr_boost=on
improve things?


It's not that the volume is low, but it sounds rather high-pitched
and with a narrow bandwidth.


Does undoing the gpio quirk for that subid change anything?

Index: sys/dev/pci/azalia_codec.c
===
RCS file: /cvs/src/sys/dev/pci/azalia_codec.c,v
retrieving revision 1.165
diff -u -p -r1.165 azalia_codec.c
--- sys/dev/pci/azalia_codec.c  10 Dec 2014 14:18:11 -  1.165
+++ sys/dev/pci/azalia_codec.c  17 Apr 2015 09:03:22 -
@@ -65,8 +65,7 @@ azalia_codec_init_vtbl(codec_t *this)
switch (this-vid) {
case 0x10134206:
this-name = Cirrus Logic CS4206;
-   if (this-subid == 0xcb8910de || /* APPLE_MBA3_1 */
-   this-subid == 0x72708086) { /* APPLE_MBA4_1 */
+   if (this-subid == 0xcb8910de) { /* APPLE_MBA3_1 */
this-qrks |= AZ_QRK_GPIO_UNMUTE_1 |
AZ_QRK_GPIO_UNMUTE_3;
}
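Review bot: the subid dropped from the condition is the one commented APPLE_MBA4_1 (0x72708086), while the machine under test is an iMac 12,1, so this hunk only exercises the question if the iMac's azalia codec actually reports that same subid; the subid from its dmesg azalia line should be checked before anything is concluded from the test. Since the hunk takes away only the AZ_QRK_GPIO_UNMUTE_1 | AZ_QRK_GPIO_UNMUTE_3 bits and the reported result is a fully muted system, the GPIO unmute quirk is evidently still required on this hardware and the tinny output has to be looked for elsewhere rather than in this quirk.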



This renders my system completely mute.



Re: OpenBSD on iMac

2015-04-17 Thread Martijn van Duren

On 04/17/15 09:36, Alexandre Ratchov wrote:

On Fri, Apr 17, 2015 at 09:06:55AM +0200, Martijn van Duren wrote:

Hello misc@,

I just got a replacement system (iMac 12,1) at work, so I decided to go
ahead and install OpenBSD on it. To do so I installed refind through debian
and created a GPT/MBR hybrid.

Most of the system runs perfectly (see dmesg pr0n below), but there are a
couple of minor inconveniences:
1) The sound from the speakers sounds like it comes from a cheap cellphone.


You mean the level is too low? Does mixerctl outputs.spkr_boost=on
improve things?


It's not that the volume is low, but it sounds rather 
high-pitched and with a narrow bandwidth.





2) When plugging in headphones the main speakers are muted, but there's no
sound from the headphones themselves. I tried setting sndiod to channels 0:1
(default - main speakers), 2:3 (main speakers) and 4:5 (no sound)


You could set sndiod_flags to -c0:3 to make it output to all
dacs. Does this help?



This doesn't help unfortunately.



Re: weak symbols

2015-04-08 Thread Martijn van Duren

On 04/08/15 08:10, Philip Guenther wrote:

On Tue, 7 Apr 2015, Martijn van Duren wrote:

I'm currently experimenting with weak symbols for a library that I want
to be thread safe without hard linking in the entire libpthread.

To test this I've set up the following code:

...

When compiling with pthread it seems it only resolves
pthread_mutex_init, but still uses the weak pthread_create and executes
secondary lock first:

...

Could someone please elaborate on what I'm doing wrong and how to implement
these weak symbols properly? Thank you in advance.


If the symbol is defined in the base executable, then it cannot be
overridden by a shared library, regardless of its binding (global or weak)
in the executable.  Indeed, the reference will be resolved when the
executable is created, leaving no relocation dependent on the symbol
definition.

If you want to work with symbol interposition like this, you'll need to
actually build shared libraries.


Philip Guenther



Thank you, this seems to work.

I've also been looking at other ways to make this work, like making a 
custom cpthread_* function, which in turn loads pthread_create via 
dlsym(RTLD_NEXT, "pthread_create") and tests the result for NULL, which 
also seems to work.


Could you inform me on the preferred way for making a library thread safe?
- always linking in lpthread into the library (which causes some extra 
bloat in the loading of the extra library).
- making the required symbols available via weak symbols, as per my 
original question. (which might not be very portable and might make the 
code less transparent)
- making custom functions which load in the required symbols via dlsym 
(which requires extra LoC)

- another method I haven't thought of?

To make my question even more concrete: I intend to lock a file with 
flock, which isn't thread safe. Is there a (portable) way to lock a file 
for both processes and threads alike, or should I construct a wrapper 
with extra locking as per my question mentioned above?


Martijn van Duren
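For the flock(2) question in the reply above (and the weak-symbol experiment in the original post further down), the usual arrangement given Philip Guenther's point is the reverse of defining fallbacks in the executable: leave the pthread symbols as weak undefined references, with no definitions at all, and test them for NULL at run time. The following is an added example, not code from the thread or from OpenBSD; the wrapper names, the module mutex and the scratch-file check are assumptions of my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/*
 * Weak undefined references with no fallback definitions: if the final
 * link provides no pthread implementation they resolve to NULL, and a
 * NULL test selects the single-threaded path at run time.
 */
#pragma weak pthread_mutex_lock
#pragma weak pthread_mutex_unlock

static pthread_mutex_t filelock_mutex = PTHREAD_MUTEX_INITIALIZER;

/* 1 when a pthread implementation was linked in, 0 otherwise. */
int
threads_available(void)
{
	return pthread_mutex_lock != NULL && pthread_mutex_unlock != NULL;
}

/*
 * flock(2) locks belong to the open file description, so threads sharing
 * fd would all "hold" the lock at once.  Take the mutex first (only when
 * threads can exist), then the process-level lock.
 */
int
lock_file_exclusive(int fd)
{
	if (threads_available() && pthread_mutex_lock(&filelock_mutex) != 0)
		return -1;
	if (flock(fd, LOCK_EX) == -1) {
		int saved = errno;
		if (threads_available())
			pthread_mutex_unlock(&filelock_mutex);
		errno = saved;
		return -1;
	}
	return 0;
}

int
unlock_file(int fd)
{
	int ret = flock(fd, LOCK_UN);
	if (threads_available())
		pthread_mutex_unlock(&filelock_mutex);
	return ret;
}

/*
 * Constructed check of the process-level half: 1 when a second, independent
 * open file description on the same file is refused with EWOULDBLOCK while
 * fd holds the exclusive lock, 0 when it is not, -1 on a setup error.
 */
int
second_open_is_blocked(int fd, const char *path)
{
	int fd2, blocked = 0;
	if (lock_file_exclusive(fd) == -1)
		return -1;
	if ((fd2 = open(path, O_RDWR)) == -1) {
		unlock_file(fd);
		return -1;
	}
	if (flock(fd2, LOCK_EX | LOCK_NB) == -1 && errno == EWOULDBLOCK)
		blocked = 1;
	close(fd2);
	unlock_file(fd);
	return blocked;
}

/* Runs the scenario on a constructed scratch file; 1 on success, else 0. */
int
lock_demo(void)
{
	char path[] = "/tmp/flockdemo.XXXXXX";
	int fd, ok;
	if ((fd = mkstemp(path)) == -1)
		return 0;
	ok = lock_file_exclusive(fd) == 0 && unlock_file(fd) == 0 &&
	    second_open_is_blocked(fd, path) == 1;
	close(fd);
	unlink(path);
	return ok;
}

int
main(void)
{
	printf("threads available: %d\n", threads_available());
	printf("lock demo ok: %d\n", lock_demo());
	return 0;
}
```

On systems where the pthread functions live in libc itself, threads_available() is simply always 1 and the wrapper degrades to the mutex-plus-flock path.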



weak symbols

2015-04-07 Thread Martijn van Duren

Hello misc@,

I'm currently experimenting with weak symbols for a library that I want 
to be thread safe without hard linking in the entire libpthread.


To test this I've set up the following code:
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <pthread.h>
#include <unistd.h>

pthread_mutex_t mut;

/* Weak fallback definitions, intended to be replaced by libpthread's. */
#pragma weak pthread_create
#pragma weak pthread_mutex_init
#pragma weak pthread_mutex_lock
#pragma weak pthread_mutex_unlock

int
pthread_create(pthread_t *thread, const pthread_attr_t *attr,
    void *(*start_routine)(void *), void *arg) {

	/* No threads available: run the routine synchronously. */
	start_routine(arg);
	return 0;
}

int
pthread_mutex_init(pthread_mutex_t *mutex, const pthread_mutexattr_t *attr) {

	return 0;
}

int
pthread_mutex_lock(pthread_mutex_t *mutex) {
	return 0;
}

int
pthread_mutex_unlock(pthread_mutex_t *mutex) {
	return 0;
}

void *
thread(void *arg) {
	sleep(1);

	pthread_mutex_lock(&mut);
	printf("Got secondary lock\n");

	sleep(2);

	pthread_mutex_unlock(&mut);
	printf("Released secondary lock\n");

	return NULL;
}

int
main()
{
	pthread_t	tid;

	pthread_mutex_init(&mut, NULL);
	pthread_create(&tid, NULL, thread, NULL);

	pthread_mutex_lock(&mut);
	printf("Got main lock\n");

	sleep(2);
	pthread_mutex_unlock(&mut);
	printf("Released main lock\n");
	sleep(2);

	return 0;
}

When compiling without pthread it runs as expected:
$ gcc ./test.c
$ ./a.out
Got secondary lock
Released secondary lock
Got main lock
Released main lock
$ nm -e ./a.out
002011f0 a   _DYNAMIC
00301338 a   _GLOBAL_OFFSET_TABLE_
 W   _Jv_RegisterClasses
004013d8 A   __bss_start
 W   __cxa_atexit - _dl_searchnum
00201018 D   __dso_handle
0f30 T   __fini
00301338 D   __got_start
00201008 D   __guard_local
0ad0 T   __init
 W   __init_tcb
00201010 D   __progname
00401440 B   __progname_storage
0c90 W   __register_frame_info - (null)
 U   __stack_smash_handler
0b60 T   __start
00401420 B   _dl_skipnum
004013d8 A   _edata
00401548 A   _end
0b60 T   _start
00401428 B   environ
0e85 T   main
00401540 B   mut
0dd4 W   pthread_create - __got_end
0dfd W   pthread_mutex_init - __data_start
0e10 W   pthread_mutex_lock - exit
0e1f W   pthread_mutex_unlock - atexit
 U   puts
 U   sleep
 F   test.c
0e2e T   thread

When compiling with pthread it seems it only resolves 
pthread_mutex_init, but still uses the weak pthread_create and executes 
secondary lock first:
$ gcc -lpthread ./test.c
$ ./a.out
Got secondary lock
Released secondary lock
Got main lock
Released main lock
$ nm -e ./a.out
002012b0 a   _DYNAMIC
00301408 a   _GLOBAL_OFFSET_TABLE_
 W   _Jv_RegisterClasses
004014a8 A   __bss_start
 W   __cxa_atexit - _dl_searchnum
002010d8 D   __dso_handle
0ff0 T   __fini
00301408 D   __got_start
002010c8 D   __guard_local
0b90 T   __init
 W   __init_tcb - pthread_mutex_init
002010d0 D   __progname
00401520 B   __progname_storage
0d50 W   __register_frame_info - (null)
 U   __stack_smash_handler
0c20 T   __start
00401500 B   _dl_skipnum
004014a8 A   _edata
00401628 A   _end
0c20 T   _start
00401508 B   environ
0f45 T   main
00401620 B   mut
0e94 W   pthread_create - __got_end
0ed0 W   pthread_mutex_lock - exit
0edf W   pthread_mutex_unlock - atexit
 U   puts
 U   sleep
 F   test.c
0eee T   thread

Could someone please elaborate on what I'm doing wrong and how to 
implement these weak symbols properly? Thank you in advance.


Sincerely,

Martijn van Duren



Re: mobile internet support

2015-01-22 Thread Martijn van Duren

On 01/21/15 10:32, Mike Larkin wrote:

On Wed, Jan 21, 2015 at 10:02:47AM +0100, Martijn van Duren wrote:

Hello misc@,

I need to have mobile internet to be on standby for work.
Is there any 4G dongle fully supported by OpenBSD (in combination with
dutch mobile internet providers)?

Sincerely,

Martijn van Duren



Tether to your cellphone and use urndis(4)?

I wasn't aware of this feature. I had to buy a new cable, but it works 
like a charm.

Thank you very much for the pointer.



mobile internet support

2015-01-21 Thread Martijn van Duren
Hello misc@,

I need to have mobile internet to be on standby for work.
Is there any 4G dongle fully supported by OpenBSD (in combination with
dutch mobile internet providers)?

Sincerely,

Martijn van Duren



Re: multiple calls to OpenSSL_add_all_algorithms

2014-10-24 Thread Martijn van Duren

On 10/23/14 11:33, Stuart Henderson wrote:

On 2014-10-22, Martijn van Duren martijn...@gmail.com wrote:

I'm currently trying to write a library that heavily relies on
libcrypto. Because I don't want applications linking to it to have to
call OpenSSL_add_all_algorithms, for convenience I added those calls to
the appropriate places in my library. Because of this, the
function is called multiple times, and even if I shielded it within my
library it could still be called outside of it by an application using
my library.


fwiw, Asterisk ran into this, this was the result:

http://reviewboard.asterisk.org/r/1006/


Sorry, forgot that misc@ removed attachments.
This time inline:
Index: ./objects/o_names.c
===
RCS file: /cvs/src/lib/libssl/src/crypto/objects/o_names.c,v
retrieving revision 1.18
diff -u -p -r1.18 o_names.c
--- ./objects/o_names.c 12 Jun 2014 15:49:30 -  1.18
+++ ./objects/o_names.c 23 Oct 2014 21:30:33 -
@@ -94,6 +94,8 @@ obj_name_cmp(const void *a_void, const v
const OBJ_NAME *a = (const OBJ_NAME *)a_void;
const OBJ_NAME *b = (const OBJ_NAME *)b_void;

+   if (a == NULL || b == NULL)
+   return -1;
ret = a-type - b-type;
if (ret == 0) {
if ((name_funcs_stack != NULL) 
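Review bot: the NULL guard makes obj_name_cmp inconsistent as a comparator: it returns -1 for (a, NULL), for (NULL, b) and for (NULL, NULL), so the same pair orders differently depending on argument position and a NULL entry never compares equal to anything, which the lhash lookup cannot rely on. It also only masks the defect; the trace in the original report shows getrn() handing a NULL entry (arg1=0x0) from lh_insert to the comparator, i.e. a table slot already holds NULL data, and that insertion path is where the fix belongs. If a guard is kept while the root cause is sought, make it symmetric, e.g. `if (a == NULL || b == NULL) return (a == NULL) - (b == NULL);`.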



Re: multiple calls to OpenSSL_add_all_algorithms

2014-10-23 Thread Martijn van Duren
On 10/23/14 11:33, Stuart Henderson wrote:
 On 2014-10-22, Martijn van Duren martijn...@gmail.com wrote:
 I'm currently trying to write a library that heavily relies on
 libcrypto. Because I don't want applications linking to it to have to
 call OpenSSL_add_all_algorithms, for convenience I added those calls to
 the appropriate places in my library. Because of this, the
 function is called multiple times, and even if I shielded it within my
 library it could still be called outside of it by an application using
 my library.

 fwiw, Asterisk ran into this, this was the result:

 http://reviewboard.asterisk.org/r/1006/


To me it sounds like something that would be nice to see fixed in LibreSSL.
I'm by far an expert in this code, so this is pretty much a shot in the 
dark, but when I added an extra NULL-check to obj_name_cmp it resolved 
my problem and the application didn't crash anymore, nor did I notice 
any (new) strange behavior in the regress tests of my library, nor in 
the libcrypto regress test.
Although I do suspect that the problem itself lies somewhere else in the 
libcrypto source, and that n1->data shouldn't be NULL in the first place.

Attached is my patch for completeness and I hope that someone on 
this list could look into this further or point me in the right 
direction.

Sincerely,

Martijn van Duren

[demime 1.01d removed an attachment of type text/x-patch which had a name of 
o_names.diff]



multiple calls to OpenSSL_add_all_algorithms

2014-10-22 Thread Martijn van Duren

Hello misc@,

I'm currently trying to write a library that heavily relies on 
libcrypto. Because I don't want applications linking to it to have to 
call OpenSSL_add_all_algorithms, for convenience I added those calls to 
the appropriate places in my library. Because of this, the 
function is called multiple times, and even if I shielded it within my 
library it could still be called outside of it by an application using 
my library.
On AMD64 (OpenBSD 5.5-stable) this hasn't given me any problems yet, but 
as soon as I run my code on i386 (5.6-current) it crashes with the 
following trace:
#0  obj_name_LHASH_COMP (arg1=0x0, arg2=0x857b7630) at 
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/objects/o_names.c:97
#1  0x0e91190c in getrn (lh=0x867d0380, data=0x857b7630, rhash=Variable 
rhash is not available.

) at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/lhash/lhash.c:419
#2  0x0e911c92 in lh_insert (lh=0x867d0380, data=0x857b7630) at 
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/lhash/lhash.c:192
#3  0x0e8a0852 in OBJ_NAME_add (name=0x2e800aac aes-256-cfb, type=2, 
data=0x2e815360 ­\001)
at 
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/objects/o_names.c:181
#4  0x0e8a0149 in EVP_add_cipher (c=0x2e815360) at 
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/evp/names.c:80
#5  0x0e8384f3 in OpenSSL_add_all_ciphers () at 
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/evp/c_allc.c:183
#6  0x0e8357bc in OPENSSL_add_all_algorithms_noconf () at 
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/evp/c_all.c:76


I'm aware that OpenSSL_add_all_algorithms(3) says:
"A typical application will call OpenSSL_add_all_algorithms() initially 
and EVP_cleanup() before exiting."
but it doesn't explicitly say that it can only be called once without 
causing problems.


Could anyone tell me if this kind of use of this function is in the 
undefined-behaviour area that I should avoid, or if this is a bug? If it 
is a grey area that should be avoided, what is the recommended way to 
initialise ciphers and digests from within the library without risking 
crashes from initialization from within an application? I do use 
EVP_get_{cipher,digest}bynid(3), so all ciphers and digests need to be 
available.


Sincerely,

Martijn van Duren



Re: OpenBSD 5.6 pre-orders in Germany possible

2014-09-30 Thread Martijn van Duren
On Sat, 2014-09-27 at 07:30 +0100, OpenBSD Europe wrote:
  Hi folks,
 
  I just noticed that in Germany Lehmanns (see OpenBSD's order-site)
  already accepts pre-orders for OpenBSD 5.6-release.
 
  Guess what I just did :-)
 
  My little contribution to the project along with a big
  THANK YOU to the devs!
 
  Cheers,
  STEFAN
 
 
 Please don't do this and cancel your order. Things will become obvious on
 Monday :)
 
I might have missed something, but could you provide me with an update
on this issue?



low power device

2014-09-12 Thread Martijn van Duren
Hello misc@,

In just under two months I'll be moving from my old room (with service
costs included) to a new apartment (where I'll have to pay the
electricity bill myself).

Currently I have an old desktop PC running as a home server/media
center, which runs OpenBSD. Most of the time it's idling, but it does run
(open)ssh/(open)smtp/imap(dovecot)/http(nginx/apache+subversion)/minidlna,
which I want to keep available.

Because this PC requires more power than should be necessary for its
purpose, I would like to acquire something like a pandaboard, which is
low power and has at least 2 SATA ports, 1 network port and, if possible,
supported audio for network playback.

Is there any board/device known which can support these requirements and
is fully (within the requirements) supported by OpenBSD?

Sincerely,

Martijn van Duren



Re: low power device

2014-09-12 Thread Martijn van Duren
On Fri, 2014-09-12 at 16:10 +0200, Boudewijn Dijkstra wrote:
 On Fri, 12 Sep 2014 15:27:39 +0200, Martijn van Duren 
 martijn...@gmail.com wrote:
  [...] I would like to acquire something [...]
  low power, and has at least 2 sata ports, [...].
 
 Spinning hard disks also use power.  Why 2× SATA?
 
 

I'm aware of this, but it's the cheapest and easiest way to store 2TB
of data.



Re: low power device

2014-09-12 Thread Martijn van Duren
On Fri, 2014-09-12 at 16:22 +0100, Zé Loff wrote:
 On Fri, Sep 12, 2014 at 04:28:46PM +0200, Lars wrote:
  On 12.09.2014 15:27, Martijn van Duren wrote:
  Hello misc@,
  
  Hi,
  
  Currently I have an old desktop PC running as a home server/media
  center, which runs OpenBSD. Most of the time it's idling, but does run
  (open)ssh/(open)smtp/imap(dovecot)/http(nginx/apache
  +subversion)/minidnla, which I want to keep available.
  
  Is there any board/device known which can support these requirements and
  is fully (within the requirements) supported by OpenBSD?
  
  
  As a personal preference I would avoid using ARM boards and would try to go
  with x86/amd64 boards instead. I don't know how well those ARM devices are
  supported on OpenBSD (I have only a little experience with running Linux on
  those), but the performance was pretty disappointing (with Linux). *I* would
  decide for the APU from pcengines.
  http://pcengines.ch/apu.htm
 
 My first thought too, but it has no video, which is probably required by
 the OP.

Video is not a requirement, since I primarily use it for streaming via
DLNA, so network and storage are sufficient.

Performance is also not much of an issue, since I just run some personal
things. So I prefer power consumption over power.

 
  I haven't used these either but they are x86/amd64 and well supported with
  OpenBSD as a lot of devs use them. I can not say anything about the
  performance, but I would *assume* they have at least the same performance as
  your mentioned pandaboard (if not better) and probably cost the same.
  
  I use an HP Microserver N54L for the same purpose. It is roughly the same
  price but probably doesn't fit your power consumption requirements (roughly
  40 Watts with 2 drives)
  
  Sincerely,
  
  Martijn van Duren
  
  Have a nice day
  Lars



Re: Terminate session on serial terminal (com0) when ssh disconnects

2014-08-14 Thread Martijn van Duren
On Tue, 2014-08-12 at 00:37 -0700, Clint Pachl wrote:
 Here's my situation: I ssh into a remote server in my group. From that 
 server, I connect to an adjacent, local server in the group via the 
 serial terminal using tip(1) or cu(1). If the ssh connection is 
 disconnected, the login session to the second server's serial com0 will 
 remain open/active.
 
 Is there a reliable, system-wide method or configuration to terminate 
 the serial session if the ssh connection dies?

There already have been some answers, but you may also want to use
tmux(1) when working over ssh.
It will not close cu(1)/tip(1) connections when your ssh connection bugs
out, but you can re-login and just attach to the running session and
continue where you left off. I find that very convenient myself.
 
 So far, all I have come up with is the shell's timeout variable (i.e., 
 TMOUT). However, this can be overridden by the user.
 
 I also tried the gettytab(5) timeout option to, but that didn't work 
 as expected. It terminates and restarts the initial terminal login 
 process, not the user session.
 
 Thanks,
 Clint



Re: openbsd live-cd?

2014-06-16 Thread Martijn van Duren

On 06/16/14 21:38, Gustav Fransson Nyvell wrote:

On 06/16/14 21:35, Thuban wrote:

Hi,
I would like to try openBSD before installing it on my laptop to check
if things works correctly (X server as example).
Do you know any liveCD or any methode to try openBSD on some hardware
before installing?

Regards,
--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub
KeyID : 0x54CD2F2F

[demime 1.01d removed an attachment of type application/pgp-signature
which had a name of signature.asc]


You'll be testing OpenBSD if you boot install55.iso.


I didn't know install55.iso comes with a fully functioning Xorg. :)

You might want to try http://liveusb-openbsd.sourceforge.net/.
I've only used it to bootstrap my netbook once, so no guarantees about 
the validity or quality from my end, but it might be what you're looking 
for.




Re: iked connecting with sophos (pluto)

2014-05-20 Thread Martijn van Duren

ping?

On 05/08/14 14:07, Martijn van Duren wrote:

Hello misc,

I'm currently trying to set up an ipsec connection from my laptop to the
vpn at my work. I'm new to ipsec, so my apologies if I missed something
obvious.

When setting up the connection I do see my requests go to the server,
but I never get a reply. My colleagues use an ipsec connection from the
same network, so it should not be a network issue. I have pf on my
laptop disabled for this test.

Below are the system settings as used, both on the vpn-server as on my
machine. I would like to know if someone could tell me what I'm doing
wrong or whether this is a bug.

server:
- system: Sophos UTM 9
- daemon: Pluto (strongSwan 4.4.1git20100610 THREADS VENDORID
CISCO_QUIRKS)
- ip: aa.bb.cc.dd
- config (the required information as far as I can see):
Compression off, not using strict policy.
IKE Settings: AES 256 / SHA1 / Group 2: MODP 1024   Lifetime: 36000
seconds
IPsec Settings: AES 256 / SHA1 / Group 2: MODP 1024   Lifetime: 36000
seconds
VPN ID: vpn01.company.tld

client:
- system: see dmesg below
- network: In a NAT network, with public ip ee.ff.gg.hh
- config:
 - initial:
ikev2 company active esp \
from any to any \
peer vpn01.company.tld \
ikesa auth hmac-sha1 prf hmac-sha1 group modp1024 \
childsa auth hmac-sha1 enc aes-256 group modp1024 \
dstid vpn01.company.tld \
lifetime 36000 \
eap mschap-v2
 - 2nd (more basic? config):
ikev2 active esp from any to any peer vpn01.company.tld

When starting the iked it sends its IKE_SA_INIT, but I never get a
reply:
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: local cert type RSA_KEY
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
/etc/iked.conf: loaded 1 configuration rules
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2 policy1 active esp inet from any to any local any peer
aa.bb.cc.dd ikesa enc aes-256,aes-192,aes-128,3des prf
hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5
group modp2048-256,modp2048,modp1536,modp1024 childsa enc
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800
bytes 536870912 rsa
config_getpfkey: received pfkey fd 4
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
ikev2_init_ike_sa: initiating policy1
ikev2_policy2id: srcid FQDN/loki.my.domain length 18
ikev2_add_proposals: length 132
ikev2_next_payload: length 136 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x20ca1a29b41bb241 0x
0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x20ca1a29b41bb241
0x 87.233.176.10:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0x20ca1a29b41bb241 rspi 0x
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
length 520 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE
spisize 0 xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length
264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00
length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type
NAT_DETECTION_DESTINATION_IP
ikev2_msg_send

iked connecting with sophos (pluto)

2014-05-08 Thread Martijn van Duren
Hello misc,

I'm currently trying to set up an ipsec connection from my laptop to the
vpn at my work. I'm new to ipsec, so my apologies if I missed something
obvious.

When setting up the connection I do see my requests go to the server,
but I never get a reply. My colleagues use an ipsec connection from the
same network, so it should not be a network issue. I have pf on my
laptop disabled for this test.

Below are the system settings as used, both on the vpn-server as on my
machine. I would like to know if someone could tell me what I'm doing
wrong or whether this is a bug.

server:
- system: Sophos UTM 9
- daemon: Pluto (strongSwan 4.4.1git20100610 THREADS VENDORID
CISCO_QUIRKS)
- ip: aa.bb.cc.dd
- config (the required information as far as I can see): 
Compression off, not using strict policy.
IKE Settings: AES 256 / SHA1 / Group 2: MODP 1024   Lifetime: 36000
seconds
IPsec Settings: AES 256 / SHA1 / Group 2: MODP 1024   Lifetime: 36000
seconds
VPN ID: vpn01.company.tld

client:
- system: see dmesg below
- network: In a NAT network, with public ip ee.ff.gg.hh
- config:
- initial:
ikev2 company active esp \
   from any to any \
   peer vpn01.company.tld \
   ikesa auth hmac-sha1 prf hmac-sha1 group modp1024 \
   childsa auth hmac-sha1 enc aes-256 group modp1024 \
   dstid vpn01.company.tld \
   lifetime 36000 \
   eap mschap-v2
- 2nd (more basic? config):
ikev2 active esp from any to any peer vpn01.company.tld

When starting the iked it sends its IKE_SA_INIT, but I never get a
reply:
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: local cert type RSA_KEY
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
/etc/iked.conf: loaded 1 configuration rules
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2 policy1 active esp inet from any to any local any peer
aa.bb.cc.dd ikesa enc aes-256,aes-192,aes-128,3des prf
hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5
group modp2048-256,modp2048,modp1536,modp1024 childsa enc
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800
bytes 536870912 rsa
config_getpfkey: received pfkey fd 4
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
ikev2_init_ike_sa: initiating policy1
ikev2_policy2id: srcid FQDN/loki.my.domain length 18
ikev2_add_proposals: length 132
ikev2_next_payload: length 136 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x20ca1a29b41bb241 0x
0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x20ca1a29b41bb241
0x 87.233.176.10:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0x20ca1a29b41bb241 rspi 0x
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
length 520 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE
spisize 0 xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length
264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00
length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type
NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT from 0.0.0.0:500 to 87.233.176.10:500, 520
bytes
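An added diagnostic example, not part of the post above: a small Python script that parses the `ikev2_pld_xform` / `ikev2_pld_attr` lines from iked's debug output and checks whether the client's IKE_SA_INIT proposal actually contains the suite the peer is configured for (AES 256 / SHA1 / MODP 1024 in the post). The debug lines embedded in it are constructed to mirror the shape of iked's output, and the mapping of the peer's suite onto iked transform names (`AES_CBC_256`, `HMAC_SHA1`, `HMAC_SHA1_96`, `MODP_1024`) is an assumption made here.

```python
import re
from collections import defaultdict

# Constructed sample: the shape of iked's ikev2_pld_xform / ikev2_pld_attr
# debug lines for an IKE_SA_INIT proposal (not copied from the post).
SAMPLE_DEBUG = """\
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE spisize 0 xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
"""

# The suite the peer is said to require (AES 256 / SHA1 / Group 2: MODP 1024),
# expressed in iked's transform names. Assumed mapping, not taken from the post.
PEER_SUITE = {
    "ENCR": "AES_CBC_256",
    "PRF": "HMAC_SHA1",
    "INTEGR": "HMAC_SHA1_96",
    "DH": "MODP_1024",
}

XFORM_RE = re.compile(r"ikev2_pld_xform: .*\btype (\w+) id (\w+)")
ATTR_RE = re.compile(r"ikev2_pld_attr: attribute type KEY_LENGTH length (\d+)")


def parse_proposal(debug_text):
    """Group the offered transforms by type.

    A KEY_LENGTH attribute line refines the ENCR transform that precedes it,
    so AES_CBC followed by 'length 256' is recorded as AES_CBC_256.
    """
    offered = defaultdict(list)
    last_type = None
    for line in debug_text.splitlines():
        m = XFORM_RE.search(line)
        if m:
            ttype, tid = m.groups()
            offered[ttype].append(tid)
            last_type = ttype
            continue
        m = ATTR_RE.search(line)
        if m and last_type == "ENCR" and offered["ENCR"]:
            offered["ENCR"][-1] = f"{offered['ENCR'][-1]}_{m.group(1)}"
    return dict(offered)


def missing_from_proposal(offered, required):
    """Return the (type, name) pairs of `required` that `offered` does not contain."""
    return [(t, name) for t, name in required.items()
            if name not in offered.get(t, [])]


def diagnose(debug_text, required=PEER_SUITE):
    """'proposal-ok' when every required transform is offered, else 'proposal-mismatch'."""
    offered = parse_proposal(debug_text)
    if missing_from_proposal(offered, required):
        return "proposal-mismatch"
    return "proposal-ok"


if __name__ == "__main__":
    for ttype, names in parse_proposal(SAMPLE_DEBUG).items():
        print(f"{ttype:7} {', '.join(names)}")
    print(diagnose(SAMPLE_DEBUG))
```

For the proposal shown in the post the check passes: every transform the peer requires is in the initiator's list. That is consistent with the symptom. A responder that cannot agree on a proposal normally answers IKE_SA_INIT with a NO_PROPOSAL_CHOSEN notify rather than staying silent, so an IKE_SA_INIT that is never answered points at the packet not reaching an IKEv2 responder on UDP 500 (an intermediate firewall or NAT, or a peer whose daemon only speaks IKEv1) rather than at the algorithm list.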
