Re: First step towards improved unlocking in the VFS layer.

2023-06-13 Thread Bob Beck
> On Jun 13, 2023, at 7:59 AM, Theo de Raadt wrote: > > Thordur I. Bjornsson wrote: > >> On Mon, Jun 12, 2023 at 9:15 PM Bob Beck wrote: >>> >>> On Mon, Jun 12, 2023 at 11:01:18AM -0600, Theo de Raadt wrote: >>>> + KASSERTMSG(1,

Re: First step towards improved unlocking in the VFS layer.

2023-06-12 Thread Bob Beck
On Mon, Jun 12, 2023 at 11:01:18AM -0600, Theo de Raadt wrote: > + KASSERTMSG(1, "Ich Habe eine Rotweinflarsche in meinem Arsche"); > > That part of the diff is not OK. If everyone did this, we would have a > mess on our hands. Yeah, that's me nodding to my own past stupidity ;) changed

First step towards improved unlocking in the VFS layer.

2023-06-12 Thread Bob Beck
Minimal diff, further cleanup and dead code removal to follow. --- sys/kern/vfs_syscalls.c | 7 +++ sys/sys/mount.h | 2 +- sys/ufs/ffs/ffs_softdep.c | 2 ++ sys/ufs/ffs/ffs_vfsops.c | 16 +++- 4 files changed, 9 insertions(+), 18 deletions(-) diff --git

Re: Add Miller-Rabin with random bases to BPSW primality check

2023-04-28 Thread Bob Beck
On Fri, Apr 28, 2023 at 10:23:15AM +0200, Theo Buehler wrote: > The behavior of BPSW for numbers > 2^64 is not very well understood. > While there is no known composite that passes the test, there are > heuristics that indicate that there are likely many. Therefore it seems > appropriate to harden
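The hardening argument above (a fixed set of bases can be targeted, random bases cannot) is easy to see on small numbers. The following is an added Python example written for this page; it is not the LibreSSL diff under review and covers only the Miller-Rabin side, not the Lucas half of BPSW. The constructed inputs are documented in the code: 2047 and the Fermat number 2**64 + 1 are composites that pass a base-2 round, and 2**61 - 1 is a known prime.

```python
import random

# Added example: Miller-Rabin with fixed vs. random bases. Illustrative code
# for this page, not LibreSSL's bn_is_prime implementation.

# Constructed inputs (mathematical facts, not assumptions):
#   2047 = 23 * 89 is the smallest strong pseudoprime to base 2.
#   2**64 + 1 = 274177 * 67280421310721 (the Fermat number F6) is composite
#   but, like every Fermat number, is a strong pseudoprime to base 2; it also
#   sits just above the 2**64 boundary mentioned in the thread.
#   2**61 - 1 is a Mersenne prime.
SPSP_BASE2_SMALL = 2047
SPSP_BASE2_LARGE = 2**64 + 1
MERSENNE_PRIME = 2**61 - 1

SMALL_PRIMES = (2, 3, 5, 7, 11, 13)


def decompose(n):
    """Write n - 1 = 2**s * d with d odd."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return s, d


def is_strong_probable_prime(n, base):
    """One Miller-Rabin round for odd n > 3: True if `base` fails to witness
    that n is composite (n is a strong probable prime to this base)."""
    s, d = decompose(n)
    x = pow(base, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def miller_rabin(n, bases=None, rounds=20, rng=None):
    """Probable-prime test. With `bases` given, runs exactly those bases (the
    predictable pattern an adversary can craft a composite against). Otherwise
    draws `rounds` uniformly random bases in [2, n-2] from `rng` (default: the
    OS CSPRNG); an odd composite then survives with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    if bases is None:
        rng = rng or random.SystemRandom()
        bases = [rng.randrange(2, n - 1) for _ in range(rounds)]
    return all(is_strong_probable_prime(n, b) for b in bases)


def fixed_vs_random(n, seed=1234):
    """Compare one fixed base-2 round with 20 seeded random rounds.
    Returns (passes_fixed_base_2, passes_random_bases)."""
    return miller_rabin(n, bases=[2]), miller_rabin(n, rng=random.Random(seed))


if __name__ == "__main__":
    for n in (SPSP_BASE2_SMALL, SPSP_BASE2_LARGE, MERSENNE_PRIME):
        print(n, fixed_vs_random(n))
```

Both composites pass the fixed base-2 round and fail the random-base rounds, while the prime passes both: a base a fixed test will use is known in advance, so an attacker can search for a composite that is a strong pseudoprime to it, but there is no composite that is a strong pseudoprime to more than a quarter of all bases, which is what random selection exploits.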

Re: don't remove known vmd vm's on failure

2023-01-22 Thread Bob Beck
Tried it out here with my gimpy little test setup and your suggested repro case. Seems to be more sane to me in this case, and looks like the right thing to do, so ok beck@ for what that’s worth. > On Jan 21, 2023, at 8:08 AM, Dave Voutila wrote: > > > *bump*... Anyone able to test or

Inconsistent isdigit(3) man page

2023-01-20 Thread Bob Beck
So isdigit(3) says in the first paragraph that 'The complete list of decimal digits is 0 and 1-9, in any locale.' Later on it says: 'On systems supporting non-ASCII single-byte character encodings, different c arguments may correspond to the digits, and the results of isdigit() may depend on

Re: Please test: unlock mprotect/mmap/munmap

2022-11-08 Thread Bob Beck
I have now been running it for two days, I *thought* I had one hang a day ago, with chrome and local building churning away with me mashing on the editor.. but I’ve now been doing the same thing with witness on for a day and had no issues. So I think whatever I might have seen is not

Re: more unused parts of dig

2022-06-25 Thread Bob Beck
I keep reading these as "unused parts of dlg" and wondering why he's not removing them himself.. ok beck@ On Sat, Jun 25, 2022 at 08:48:48PM +1000, Jonathan Gray wrote: > Index: lib/dns/gen.c > === > RCS file:

Re: rpki-client: cache X509v3 extensions early

2022-05-11 Thread Bob Beck
yes makes sense ok beck@ > On May 11, 2022, at 07:53, Theo Buehler wrote: > > Some funky libcrypto business ahead. > > X509 API functions such as X509_check_ca() or X509_get_extension_flags() > cache X509v3 extensions internally if they're not already cached. They > make decisions based on

Re: uvm: Consider BUFPAGES_DEFICIT in swap_shortage

2022-05-05 Thread Bob Beck
On Thu, May 05, 2022 at 10:16:23AM -0600, Bob Beck wrote: > Ugh. You're digging in the most perilous parts of the pile. > > I will go look with you... sigh. (This is not yet an ok for that.) > > > On May 5, 2022, at 7:53 AM, Martin Pieuchot wrote: > > > > When

Re: acme-client: check token names

2022-05-05 Thread Bob Beck
An ok beck@ from me with my usual curmudgeonly mutterings about the people who made this necessary for isalnum(), walls, and revolutions... > On May 5, 2022, at 7:57 AM, Florian Obser wrote: > > On 2022-05-04 13:21 +0430, Ali Farzanrad wrote: >> OK, I've tested following diff on my own

Re: rpki-client: factor filename extension parsing into a function

2022-01-21 Thread Bob Beck
I like that.. LGTM ok beck@ On Fri, Jan 21, 2022 at 08:37:27PM +0100, Theo Buehler wrote: > > Lets start with that and optimize this in tree. I think we can rename the > > function to something like rtype_from_mftfile(). In that case I would move > > the function as well... > > Like this? >

Re: Add CT methods to standard_exts, fix timestamp printing

2021-11-23 Thread Bob Beck
ok beck@ > On Nov 23, 2021, at 21:14, Theo Buehler wrote: > > Two small diffs now that beck has linked the certificate transparency > code to the build. > > The diff for ext_dat.h links the CT methods to the standard extensions. > This replaces the gibberish from the CT extensions which are

Re: cert.pem sync

2021-11-08 Thread Bob Beck
ok > On Jun 10, 2021, at 05:05, Theo Buehler wrote: > > On Thu, Jun 10, 2021 at 11:39:46AM +0100, Stuart Henderson wrote: >> I was just reminded of the Apple cert problem with GeoTrust Global CA >> and checked and they're using better intermediates for api.push.apple.com >> now. OK to sync up

Re: NiX Spam mirroring

2021-10-28 Thread Bob Beck
Should be fixed. A bit of a pain because their new site has an expired tls cert. On Thu, Oct 28, 2021 at 07:30:56AM +0200, Jan Johansson wrote: > Hello! > > I write to you because I believe that you are running the NiX Spam > mirroring script for OpenBSD. The feed has been broken for some >

Re: rpki-client add back keep-alive to http requests

2021-09-09 Thread Bob Beck
ok beck@ On Thu, Sep 09, 2021 at 09:35:51AM +0200, Claudio Jeker wrote: > While Connection: keep-alive should be the default it seems that at least > some of the CA repositories fail to behave like that. Adding back the > Connection header seems to fix this and delta downloads go faster again.

Re: Turn SCHED_LOCK() into a mutex

2021-09-09 Thread Bob Beck
> > This work has been started by art@ more than a decade ago and I'm > > willing to finish it This is possibly one of the scariest things you can say in OpenBSD. I am now calling my doctor to get a giant bag of flintstones chewable zoloft prescribed to me just so I can recover from seeing

Re: Correctly set SSL error if x509_verify fails

2020-10-25 Thread Bob Beck
On Sun, Oct 25, 2020 at 01:43:10PM -0600, Bob Beck wrote: > > > > On Fri, Oct 23, 2020 at 09:13:23AM +0200, Theo Buehler wrote: > > On Thu, Oct 22, 2020 at 08:44:29PM -0700, Jeremy Evans wrote: > > > I was trying to diagnose a certificate validation failure in Rub

Re: Correctly set SSL error if x509_verify fails

2020-10-25 Thread Bob Beck
On Fri, Oct 23, 2020 at 09:13:23AM +0200, Theo Buehler wrote: > On Thu, Oct 22, 2020 at 08:44:29PM -0700, Jeremy Evans wrote: > > I was trying to diagnose a certificate validation failure in Ruby's > > openssl extension tests with LibreSSL 3.2.2, and it was made more > > difficult because the

Happy 25th Birthday OpenBSD!

2020-10-18 Thread Bob Beck
Yeah, it's just a number. But it's been a pretty wild ride. Thanks everyone for 25 years. -Bob

Re: [PATCH netcat] Only force fd's to -1 once

2020-09-27 Thread Bob Beck
On Sun, Sep 27, 2020 at 02:46:39PM +1000, Duncan Roe wrote: > The motivation for this is to make debug logs less confusing. What is this fixing and what behavior are you changing? > > All changed lines have previously demonstrated the problem. > > Signed-off-by: Duncan Roe > --- >

Re: agentx and clang static analyzer

2020-09-15 Thread Bob Beck
On Tue, Sep 15, 2020 at 11:08:04AM +0200, Martijn van Duren wrote: > There are 3 things that actually look like valid complaints when running > clang's static analyzer. > > 1) A dead store in agentx_recv. > 2) sizeof(ipaddress) instead of sizeof(*ipaddress). Since this is ipv4, > this is only a

Re: acme-client: improve account creation error message

2020-09-14 Thread Bob Beck
But what if I like json and I am already set up to be a hipster and feed all the untrusted inputs through jq.. (ok beck@) On Mon, Sep 14, 2020 at 03:37:25PM +0200, Florian Obser wrote: > not helpful: > $ doas acme-client $(hostname) > acme-client:

Re: dt: add static vfs probes

2020-09-14 Thread Bob Beck
ok beck@ On Mon, Sep 14, 2020 at 12:45:55PM +0200, Jasper Lievisse Adriaanse wrote: > Hi, > > Whilst analyzing the cleaner I added tracepoints called 'cleaner' and > 'bufcache_take' to > track its behaviour. > > For the sake of symmetry I've added one in bufcache_release() too and moved >

Re: rpki-client cleanup includes

2020-09-12 Thread Bob Beck
ok beck@ On Sat, Sep 12, 2020 at 05:42:39PM +0200, Claudio Jeker wrote: > extern.h uses stuff from openssl/x509.h so put that include in there > and remove all the various other openssl includes in other files that > actually don't need x509 functions. > > -- > :wq Claudio > > Index: as.c >

Re: tmpfs bug in reclaim

2020-07-14 Thread Bob Beck
In the spirit of be careful what sticks to you, this has ok beck@ On Mon, Jul 13, 2020 at 11:56:18AM +0200, Gerhard Roth wrote: > tmpfs_reclaim() has to make sure that the VFS cache has no more > locks held for the vnode. Else vclean() could panic because v_holdcnt > is non-zero. > > I know

Re: Stuck in Needbuf state, trying to understand (6.7)

2020-07-14 Thread Bob Beck
On Mon, Jun 29, 2020 at 03:56:43PM -0400, sven falempin wrote: > On Mon, Jun 29, 2020 at 12:58 PM sven falempin > wrote: > > It works in the original problematic setup. > > Will it go to base ? > Yes. revision 1.201 date: 2020/07/14 06:02:50; author: beck; state: Exp; lines: +9 -3;

Re: Stuck in Needbuf state, trying to understand (6.7)

2020-06-29 Thread Bob Beck
> Awesome, thanks! > > I will test that, ASAP, > do not hesitate to slay dragon, > i heard the bathing in the blood pool is good for the skin > > Little concern, I did the test without the MFS and ran into issues , > anyway i get back to you (or list ?) when i have test report with patched >

Re: Stuck in Needbuf state, trying to understand (6.7)

2020-06-29 Thread Bob Beck
On Sun, Jun 28, 2020 at 12:18:06PM -0400, sven falempin wrote: > On Sun, Jun 28, 2020 at 2:40 AM Bryan Linton wrote: > > > On 2020-06-27 19:29:31, Bob Beck wrote: > > > > > > No. > > > > > > I know *exactly* what needbuf is but to attempt to d

Re: Stuck in Needbuf state, trying to understand (6.7)

2020-06-27 Thread Bob Beck
No. I know *exactly* what needbuf is but to attempt to diagnose what your problem is we need exact details. especially: 1) The configuration of your system including all the details of the filesystems you have mounted, all options used, etc. 2) The script you are using to generate the

Re: drop addtrust from cert.pem?

2020-06-02 Thread Bob Beck
On Mon, Jun 01, 2020 at 06:04:17PM +0100, Stuart Henderson wrote: > OK to drop the expired AddTrust cert from cert.pem? yes, thanks. > > I checked against the firefox set, there are no new/removed certs that > work with libressl there. There are now two with GENERALIZEDTIME notAfter > dates

Re: drop addtrust from cert.pem?

2020-06-02 Thread Bob Beck
On Mon, Jun 01, 2020 at 07:17:28PM +0200, Theo Buehler wrote: > On Mon, Jun 01, 2020 at 06:04:17PM +0100, Stuart Henderson wrote: > > OK to drop the expired AddTrust cert from cert.pem? > > Thanks for taking care of this (and for checking the firefox set). I see > no reason to keep it. > > ok >

Re: smtpd: make smarthost to use SNI when relaying

2020-05-31 Thread Bob Beck
looks good to me ok beck@ On Sun, May 31, 2020 at 03:38:00PM +0200, Sebastien Marie wrote: > Hi, > > updated diff after millert@ and beck@ remarks: > - use union to collapse in_addr + in6_addr > - doesn't allocate buffer and directly use s->relay->domain->name > > Thanks. > -- > Sebastien

Re: smtpd: make smarthost to use SNI when relaying

2020-05-30 Thread Bob Beck
On Sat, May 30, 2020 at 05:40:43PM +0200, Sebastien Marie wrote: > Hi, > > I am looking to make smtpd to set SNI (SSL_set_tlsext_host_name) when > connecting > to smarthost when relaying mail. > > After digging a bit in libtls (to steal the right code) and smtpd (to see > where > to put the

Re: official ports vs DEBUG_PACKAGES

2020-05-29 Thread Bob Beck
> (iirc python does something strange) Inconceivable!

Re: official ports vs DEBUG_PACKAGES

2020-05-29 Thread Bob Beck
On Fri, May 29, 2020 at 06:14:44PM +0200, Marc Espie wrote: > In a trace: > > > > > #3 0x15e48c95459e in WebVfx::shutdown () > > > > at /usr/obj/ports/webvfx-1.2.0/webvfx-1.2.0/webvfx/webvfx.cpp:193 > > Now, this is NOT the default location for WRKOBJDIR, but we are shipping > packages

Re: nsd 4.3.1

2020-05-08 Thread Bob Beck
> On May 8, 2020, at 03:00, Stuart Henderson wrote: > > On 2020/05/08 06:58, Florian Obser wrote: >> I'm running this for about 2 weeks or so. >> Tests, OKs? > > Just off to look at a radio link in a church tower that I suspect a pigeon > may have knocked out of alignment, This is

Recent 'ftplist' changes visible in the installer

2020-04-28 Thread Bob Beck
So, as some of you know the installer hits ftp.openbsd.org during the install process to query a CGI to provide you with a list of nearby mirrors and some other useful things. I've recently made some changes to modernize and improve this after the retirement of the GEO:IP

Re: suggest to run rpki-client hourly

2020-04-13 Thread Bob Beck
On Mon, Apr 13, 2020 at 09:23:23PM -0600, Todd C. Miller wrote: > On Mon, 13 Apr 2020 20:27:30 -0600, Bob Beck wrote: > > > In my heart's desire I'd love for "R" to be chosen for each line once at > > start > > up. (so in > > the above example the things

Re: suggest to run rpki-client hourly

2020-04-13 Thread Bob Beck
ally think this is only useful for hours and minutes On Mon, Apr 13, 2020 at 12:54:34PM -0600, Todd C. Miller wrote: > On Mon, 13 Apr 2020 10:00:52 -0600, Bob Beck wrote: > > > +1000. a new random time chosen at cron start. > > > > We see this all the time, and it wo

Re: suggest to run rpki-client hourly

2020-04-13 Thread Bob Beck
On Mon, Apr 13, 2020 at 09:56:52AM -0600, Todd C. Miller wrote: > On Mon, 13 Apr 2020 09:37:14 -0600, "Theo de Raadt" wrote: > > > While I understand what RANDOM is trying to do, I am not a fan. I've > > thought often of an improvement, where the minute marker in a crontab > > file could be a

Re: fts and unveil issue

2019-02-03 Thread Bob Beck
yes you are seeing the limitation of 6.4 unveil as mentioned at the bottom of the man page. this should be fixed in current On Sun, Feb 3, 2019 at 03:29 Kristaps Dzonsons wrote: > When I unveil(2), fts doesn't behave well. But only in a subtle way. > Enclosed is a demonstration. I found

Re: unveil spamlogd

2018-10-24 Thread Bob Beck
ok beck@ as well On Wed, Oct 24, 2018 at 06:13 Todd C. Miller wrote: > On Wed, 24 Oct 2018 08:05:11 +0100, Ricardo Mestre wrote: > > > The only file that spamlogd needs to access after calling pledge is > > PATH_SPAMD_DB, so unveil it with O_RDWR permissions. > > Looks good. OK millert@ > > -

Re: Reuse VM ids.

2018-10-08 Thread Bob Beck
works here and I like it. but probably for after unlock On Sun, Oct 7, 2018 at 22:11 Mischa Peters wrote: > No idea if the code works yet. > Hopefully I can try later. But love the idea. > > Mischa > > > On 8 Oct 2018, at 04:31, Ori Bernstein wrote: > > > > Keep a list of known vms, and reuse

Nuke PLEDGE_STAT for further pledge/unveil disentanglement.

2018-08-05 Thread Bob Beck
So this gets rid of unveil's PLEDGE_STAT. Instead we use UNVEIL_INSPECT which is set by the stat and access operations that are needed for realpath() type traversals that effectively call stat/access for each component of a pathname before doing a final operation on the end. The intended

Re: unveil: incomplete unveil_flagmatch semantic

2018-08-04 Thread Bob Beck
> Some examples that will need consideration for unveil(2): > - mount(2) > - unmount(2) > - quotactl(2) > - chroot(2) > - getfh(2) > - acct(2) > - coredump() > - loadfirmware() - I think ifconfig(1) could make the kernel loading a > firmware for some network card > > so having ni_unveil

Re: unveil: incomplete unveil_flagmatch semantic

2018-08-04 Thread Bob Beck
> On Sat, Aug 04, 2018 at 10:40:11AM -0600, Bob Beck wrote: > > On Fri, Aug 03, 2018 at 06:31:00AM +0200, Sebastien Marie wrote: > > > On Thu, Aug 02, 2018 at 03:42:03PM +0200, Sebastien Marie wrote: > > > > On Mon, Jul 30, 2018 at 07:55:35AM -0600, Bob Beck wr

Re: unveil: incomplete unveil_flagmatch semantic

2018-08-04 Thread Bob Beck
> > + nd.ni_unveil = 0; /* XXX No flags == allow it */ > > see my comment about ni_unveil != 0. > > as you still have check on (ni_pledge & PLEDGE_STAT), it should be still > ok. > It doesn't actually do this yet.. this comment was a reminder for me and should have had allow it? for my

Re: unveil: incomplete unveil_flagmatch semantic

2018-08-04 Thread Bob Beck
On Fri, Aug 03, 2018 at 06:31:00AM +0200, Sebastien Marie wrote: > On Thu, Aug 02, 2018 at 03:42:03PM +0200, Sebastien Marie wrote: > > On Mon, Jul 30, 2018 at 07:55:35AM -0600, Bob Beck wrote: > > > yeah the latter will be the way to go > > > > > >

Re: unveil: incomplete unveil_flagmatch semantic

2018-07-30 Thread Bob Beck
yeah the latter will be the way to go On Mon, Jul 30, 2018 at 06:02 Sebastien Marie wrote: > Hi, > > I think unveil_flagmatch() isn't complete and/or has not the right > semantic. > > A bit of internals for starting (I will speak about ni_pledge, people > that know what it is and how it works

Re: unveil: incorrect type flags on unvname_new()

2018-07-16 Thread Bob Beck
ok beck@ On Mon, Jul 16, 2018 at 15:53 Sebastien Marie wrote: > Hi, > > While reviewing unveil(2) code, I found an incorrect type on > unvname_new() function: flags argument should be uint64_t. > > It is called by unveil_add_name() which uses uint64_t for flags, and > store the value in struct

Re: const qualifiers for EVP_*

2018-05-12 Thread Bob Beck
ok On Sat, May 12, 2018 at 13:14 Theo Buehler wrote: > Here's another straightforward batch. As usual, it's been tested in a > bulk by sthen and there was no fallout. > > Index: lib/libcrypto/asn1/ameth_lib.c >

Re: Anyone can suggest a BitCoin processor to the OpenBSD Foundation? BitPay has become terrible

2018-03-28 Thread Bob Beck
So, related to this topic, apparently BitPay has now fixed us up again. I have put the button back on the web site, if anyone wants to try a bitcoin donation it is supposed to be possible again

Anyone can suggest a BitCoin processor to the OpenBSD Foundation? BitPay has become terrible

2018-02-16 Thread Bob Beck
So, as some of you may know, the OpenBSD Foundation has accepted BitCoin donations for some time via BitPay.com BitPay was convenient for us since they will sell the BTC donations immediately, and convert to Canadian Dollars. We then periodically get bank transfers of the balance, and this works

Re: libressl: crash in DES_fcrypt

2017-12-13 Thread Bob Beck
why AA? why not just choose two random ascii salt chars at that point? or since this is effectively a failure case encrypt a random ascii salt and random string? using AA will produce a usable result based on the original string. encrypting a random string with a random salt means the failure

Re: iked, don't return NULL in print_host

2017-11-28 Thread Bob Beck
ok beck@ On Wed, Nov 29, 2017 at 02:17:21AM +0100, Claudio Jeker wrote: > On Wed, Nov 29, 2017 at 01:59:06AM +0100, Claudio Jeker wrote: > > Seen in my log file: > > Nov 28 17:47:22 dramaqueen iked: vfprintf %s NULL in "%s: %s %s from %s to > > %s ms gid %u, %ld bytes%s" > > > > and > > > > Nov

Official OpenBSD 6.2 CD set up for auction on Ebay

2017-11-18 Thread Bob Beck
So, the only 6.2 set to be produced is up for auction, featuring hand-drawn artwork by Theo. Artisanally Made in Canada! All proceeds of the sale to fund OpenBSD development. Go have a look at http://www.ebay.ca/itm/Official-OpenBSD-6-2-CD-Set/253265944606

Re: [patch] ocspcheck: nextUpdate is optional according to RFC 6960

2017-09-06 Thread Bob Beck
effectively providing a limitless OCSP staple is kind of stupid - you may as well simply *not staple* On Wed, Sep 6, 2017 at 8:23 AM, Bob Beck <b...@obtuse.com> wrote: > I'm not super inclined to make this "flexible" unless we see this used in > the wild, which I

Re: [patch] ocspcheck: nextUpdate is optional according to RFC 6960

2017-09-06 Thread Bob Beck
I'm not super inclined to make this "flexible" unless we see this used in the wild, which I have not. We are more restrictive than OpenSSL in many areas. On Wed, Sep 6, 2017 at 1:31 AM, Andreas Bartelt <o...@bartula.de> wrote: > On 09/06/17 04:40, Bob Beck wrote: > &g

Re: [patch] ocspcheck: nextUpdate is optional according to RFC 6960

2017-09-05 Thread Bob Beck
Andreas where are you seeing this as being a real issue - who is shipping out OCSP responses without a next update field? On Sat, Sep 2, 2017 at 11:28 AM, Andreas Bartelt wrote: > ocspcheck effectively treats a missing nextUpdate like an error, i.e., it > always provides a

Re: [PATCH 0/2] SMALL_TIME_T follow-ups (was Re: [PATCH] allow notAfter after 2038 with 32-bit time_t)

2017-08-26 Thread Bob Beck
> > With the new define (SMALL_TIME_T) enabled, a 32-bit time_t build > using "openssl s_client -connect" can successfully connect to a server > and verify its certificate chain when one or more notAfter dates after > 2038 are present. > > However, using "nc -c" fails to connect to the

Re: [PATCH] allow notAfter after 2038 with 32-bit time_t

2017-07-05 Thread Bob Beck
On Thu, May 18, 2017 at 7:31 AM, Kyle J. McKay wrote: > RFC 5280 section 4.1.2.5 states: > > To indicate that a certificate has no well-defined expiration date, > the notAfter SHOULD be assigned the GeneralizedTime value of > 1231235959Z. > > True enough. >

Re: Better handling of short reads

2017-06-14 Thread Bob Beck
> As you all might have gathered by now Amit has jumped the gun > but was wrong to do so. His setup is not affected by this change. > That was expected so please don't get distracted by this as I'm > still looking forward to replies to the original set of changes. > beck@? > > > diff --git

Re: Better handling of short reads

2017-06-14 Thread Bob Beck
- ok mike, I'm looking at it.. Allow me a short while to beat my head against a wall for a bit to get it into readahead mode... On Wed, Jun 14, 2017 at 3:56 AM, Mike Belopuhov wrote: > On Thu, Jun 08, 2017 at 11:55 +0200, Mike Belopuhov wrote: > > On Wed, Jun 07, 2017 at

Re: ocspcheck size_t printing

2017-05-08 Thread Bob Beck
You are correct. Patch committed. Thanks! -Bob On Mon, May 08, 2017 at 08:20:57PM +0200, Jonas 'Sortie' Termansen wrote: > Hi, > > When upgrading to libressl-2.5.4 I noticed a couple -Wformat errors due > to this code assuming size_t is of type long when it was actually int on > this 32-bit

Official OpenBSD 6.1 CD !

2017-05-03 Thread Bob Beck
So. There *Is* an official OpenBSD 6.1 CD Just One. If you are interested, please bid on ebay : http://www.ebay.com/itm/The-only-Official-OpenBSD-6-1-CD-set-to-be-made-For-auction-for-the-project-/252910718452?hash=item3ae2a74df4:g:SJQAAOSwrhBZBqkd (It's a pretty cool little CD set!)

Re: explicit_bzero after readpassphrase

2017-05-01 Thread Bob Beck
On Mon, May 01, 2017 at 04:07:27PM -0600, Theo de Raadt wrote: > > Let me stop here and ask if the pattern is: "always explicit_bzero > a password field once it is used"? It might make sense, but some > of these are heading straight to exit immediately. Is it too much > to do it then, or is the

Re: patch: mv(1): Add -p flag to preserve time stamps for moved directories

2017-04-11 Thread Bob Beck
> Note that I have noatime on this FS. then turn that off, or understand that things will not behave as you expect them to with it on.

Re: httpd/libtls: TLS client certificate revocation checking

2017-04-01 Thread Bob Beck
There will be some libtls api additions post 6.1 to get the peer cert in PEM format. In the meantime, testing snaps prior to 6.1 should be the priority, not a talkathon. On Sat, Apr 1, 2017 at 10:49 Joerg Sonnenberger wrote: > On Sat, Apr 01, 2017 at 07:53:05PM +1030, Jack Burton

Re: regarding OpenSSL License change

2017-03-23 Thread Bob Beck
On Thu, Mar 23, 2017 at 17:48 Bob Beck <b...@obtuse.com> wrote: > Honestly, anyone who gets one of these should say no > > what would you all think if people quietly took derived works of software > licensed under one license and took silence as assent to relicense

Re: regarding OpenSSL License change

2017-03-23 Thread Bob Beck
Honestly, anyone who gets one of these should say no what would you all think if people quietly took derived works of software licensed under one license and took silence as assent to relicense Does this mean that with an unanswered email i can now release my re licensed as ISC version of gcc?

Re: tlsv1 alert decrypt error

2017-03-06 Thread Bob Beck
And as joel mentioned, a fix is already arriving for this - there was a bug in SSLv2 compatible handshake initiation, and Paypal still has it enabled... (yeeuch) On Mon, Mar 6, 2017 at 3:48 PM, Bob Beck <b...@obtuse.com> wrote: > > Move it to tech@ from misc.. not libress

Re: tlsv1 alert decrypt error

2017-03-06 Thread Bob Beck
Move it to tech@ from misc.. not libressl.. libressl is not special ;) On Mon, Mar 6, 2017 at 3:21 PM, Kirill Miazine wrote: > Moving to libressl@ from misc@, as it's a LibreSSL issue. > > * Joel Sing [2017-03-05 23:01]: > > On Thursday 02 March 2017 13:28:08 Kirill Miazine

Re: Scheduler ping-pong with preempt()

2017-02-06 Thread Bob Beck
Go for it mpi.. move forward. ok beck@ On Mon, Feb 6, 2017 at 7:48 AM, Martin Pieuchot wrote: > On 24/01/17(Tue) 13:35, Martin Pieuchot wrote: > > Userland threads are preempt()'d when hogging a CPU or when processing > > an AST. Currently when such a thread is preempted the

Re: Password corruption in adduser

2017-02-05 Thread Bob Beck
ok beck@ On Sun, Feb 5, 2017 at 22:53 Theo Buehler wrote: > On Sun, Feb 05, 2017 at 09:47:35PM -0800, Philip Guenther wrote: > > On Sun, 5 Feb 2017, John McGuigan wrote: > > > I've noticed something strange in adduser -- when attempting to add a > > > user completely though

Re: netcat: IPv6 address support for proxy

2017-02-04 Thread Bob Beck
ok beck@ On Sun, Feb 05, 2017 at 12:27:19AM +0100, Jeremie Courreges-Anglas wrote: > > The colons used in IPv6 addresses conflicts with the proxy port > specification. Do the right thing for -x ::1:8080, [::1] and > [::1]:8080. > > ok? > > > Index: netcat.c >
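The ambiguity named in that diff description (a colon both separates an IPv6 address's groups and introduces the proxy port) is worth seeing as a parser. The following is an added Python example written for this page, not OpenBSD's netcat.c; the disambiguation rules it applies, and the treatment of an unbracketed "::1:8080" as the complete IPv6 address ::1:8080 with no port, are an assumption about what "the right thing" means for the three inputs the message lists. The 1080 default is the SOCKS proxy port documented in nc(1).

```python
# Added example for this page: splitting a netcat -x style "proxy[:port]"
# argument when the proxy may be an IPv6 literal. Illustrative code, not
# OpenBSD's netcat.c; the rules below are an assumption, not the project's.

DEFAULT_SOCKS_PORT = "1080"   # nc(1) default proxy port for SOCKS


def parse_proxy_spec(spec, default_port=DEFAULT_SOCKS_PORT):
    """Return (host, port) strings for a proxy spec.

    Rules (assumed, see above):
      [v6addr]:port -> bracketed IPv6 literal with explicit port
      [v6addr]      -> bracketed IPv6 literal, default port
      a:b:c...      -> no brackets and more than one colon: the whole string
                       is an IPv6 literal and there is no port, so "::1:8080"
                       is the address 0:0:0:0:0:0:1:8080; write "[::1]:8080"
                       to mean ::1 on port 8080
      host:port     -> exactly one colon: hostname or IPv4 plus port
      host          -> default port
    Raises ValueError on anything malformed rather than guessing.
    """
    if not spec:
        raise ValueError("empty proxy spec")
    if spec[0] == "[":
        close = spec.find("]")
        if close < 0:
            raise ValueError("unterminated '[' in %r" % spec)
        host, rest = spec[1:close], spec[close + 1:]
        if rest == "":
            port = default_port
        elif rest[0] == ":":
            port = rest[1:]
        else:
            raise ValueError("junk after ']' in %r" % spec)
    elif spec.count(":") > 1:
        host, port = spec, default_port
    elif ":" in spec:
        host, port = spec.split(":", 1)
    else:
        host, port = spec, default_port
    if not host:
        raise ValueError("empty host in %r" % spec)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("bad port %r in %r" % (port, spec))
    return host, port


def rejects(spec):
    """True if parse_proxy_spec refuses `spec` (used to exercise error paths)."""
    try:
        parse_proxy_spec(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for s in ("[::1]:8080", "[::1]", "::1:8080", "proxy.example:3128", "10.0.0.1"):
        print("%-22s -> %r" % (s, parse_proxy_spec(s)))
```

The bracketed form is the only unambiguous way to attach a port to an IPv6 literal, which is why the parser never tries to split an unbracketed multi-colon string at its last colon: "::1:8080" is itself a valid address, and silently turning it into ::1 plus a port would connect to a different proxy than the one the user typed.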

Re: Update for US Holidays.

2017-02-04 Thread Bob Beck
On Sat, Feb 04, 2017 at 01:52:14PM -0700, Bob Beck wrote: > > Presented without further comment. > > ok? > Or maybe this is more appropriate: Index: calendar.history === RCS file: /cvs/src/usr.bin/cal

Re: Update for US Holidays.

2017-02-04 Thread Bob Beck
On Sat, Feb 04, 2017 at 12:59:53PM -0800, Philip Guenther wrote: > On Sat, Feb 4, 2017 at 12:52 PM, Bob Beck <b...@obtuse.com> wrote: > > > > Presented without further comment. > > > > ok? > > NACK. Obsolete 32bit time_t OSes can track their own

Update for US Holidays.

2017-02-04 Thread Bob Beck
Presented without further comment. ok? Index: calendar.usholiday === RCS file: /cvs/src/usr.bin/calendar/calendars/calendar.usholiday,v retrieving revision 1.9 diff -u -p -u -p -r1.9 calendar.usholiday --- calendar.usholiday 19

Re: specify curves via ecdhe statement in httpd.conf

2017-02-04 Thread Bob Beck
try connecting with openbsd nc rather than s-client On Sat, Feb 4, 2017 at 09:13 Bob Beck <b...@obtuse.com> wrote: > > On Sat, Feb 4, 2017 at 07:51 Andreas Bartelt <o...@bartula.de> wrote: > > On 02/04/17 05:26, Joel Sing wrote: > > On Wednesday 01 February 2017

OpenBSD errata, Jan 31, 2017

2017-02-01 Thread Bob Beck
An issue has been identified whereby httpd(8) could be subject to a denial of service attack. Repeated crafted requests could be made from a client using file-range requests, making the server consume excessive amounts of memory. This issue has been fixed in current. For 5.9 and 6.0 the following

err with multiple TLS sites but one OCSP?

2017-01-28 Thread Bob Beck
Sooo.. Pretty sure mlucas has uncovered a problem with the ocsp interface. Basically I didn't attach it to the keypair, (yes Joel, I think you told me so) so it only works with the master keypair.. OK, but the problem is that it also returns the staple for other keypairs which is wrong.

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
On Fri, Jan 27, 2017 at 15:23 Stuart Henderson <s...@spacehopper.org> wrote: > On 2017/01/27 22:09, Bob Beck wrote: > > > I think you have more issues than ocsp. if thats the same host you can't > > > have two different tls certs on the same ip. and you h

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
27, 2017 at 09:53:25PM +0000, Bob Beck wrote: > > >On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas > > > Or a misconfiguration. show configs > > > > > > Configs follow. > > > > # cat /etc/httpd.conf > > include "/etc/sites/www3.conf&q

Re: err with multiple TLS sites but one OCSP?

2017-01-27 Thread Bob Beck
On Fri, Jan 27, 2017 at 14:12 Michael W. Lucas wrote: > On Fri, Jan 27, 2017 at 02:50:29PM -0500, Michael W. Lucas wrote: > > > On Fri, Jan 27, 2017 at 06:49:06PM +, Stuart Henderson wrote: > > > > That looks like a web server bug, it shouldn't return a staple >

Re: Allow install from https server w/ self signed cert

2017-01-07 Thread Bob Beck
On Sat, Jan 07, 2017 at 03:52:04PM -0700, Theo de Raadt wrote: > > What workarounds would be reasonable and approriate? and does it > > make sense for OpenBSD to support such scenarios out-of-the-box to > > promote wider adoption of better software? > > If you want buy the

Re: Allow install from https server w/ self signed cert

2017-01-07 Thread Bob Beck
On Sat, Jan 07, 2017 at 05:42:24PM -0500, Jacob L. Leifman wrote: > Most of the time I agree with this particular attitude and it is indeed > appropriate for the OP case. However, there some major networks such as > various governments (or for example .mil) that do not participate in > the

Re: Allow install from https server w/ self signed cert

2017-01-07 Thread Bob Beck
On Fri, Jan 06, 2017 at 10:48:37AM -0500, RD Thrush wrote: > On 01/06/17 06:28, Stuart Henderson wrote: > > Related to this (and particularly thinking about autoinstalls), > > would it make sense to allow explicit protocols in the hostname? > > > > some.host -> https with http fallback > >

Re: acme-client use configuration file [1 of 5]

2017-01-02 Thread Bob Beck
No objection in principle.. although since some of us depend on this we might either need warning and/or a small period of overlap where the old stuff works and then we can move to the new stuff without things blowing up. On Sun, Jan 1, 2017 at 1:59 PM, Sebastian Benoit wrote:

Re: libtls syslogd pledge abort

2016-12-29 Thread Bob Beck
> Or do not call tls_configure_ssl_verify() if verification is turned > off. This makes sense to me. > > Index: lib/libtls/tls_client.c > === > RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls_client.c,v > retrieving

Re: httpd(8)/proc.c: use less fds on startup

2016-10-07 Thread Bob Beck
This is now working on www.openbsd.org. I upgraded my 6.0 system to current today off the latest snap and httpd would not start, same problem. This diff lets current httpd start again. ok beck@ On Tue, Oct 04, 2016 at 11:54:37PM +0200, Rafael Zalamena wrote: > On Tue, Oct 04, 2016 at

Re: rebound quantum entanglement

2016-09-14 Thread Bob Beck
BTW I'm not picking on you.. my DNS setup blew up this week for local resolution and I've been dealing with the fallout - so the topic is relatively near and dear to my heart. On Wed, Sep 14, 2016 at 10:07 PM, Bob Beck <b...@obtuse.com> wrote: > > Yep. and now you need to solve

Re: rebound quantum entanglement

2016-09-14 Thread Bob Beck
y then nothing changes at *all* when it's not there. On Wed, Sep 14, 2016 at 8:39 PM, Ted Unangst <t...@tedunangst.com> wrote: > Ted Unangst wrote: > > Bob Beck wrote: > > > how is rebound going to handle a change in resolv.conf? thats still a > > > problem h

Re: rebound quantum entanglement

2016-09-14 Thread Bob Beck
into rebound to make it useful and then look at libc which might need slightly more cleverness than just adding localhost unconditionally. On Wednesday, 14 September 2016, Ted Unangst <t...@tedunangst.com> wrote: > Bob Beck wrote: > > how is rebound going to handle a change in resolv.co

Re: rebound quantum entanglement

2016-09-14 Thread Bob Beck
how is rebound going to handle a change in resolv.conf? thats still a problem here On Wednesday, 14 September 2016, Ted Unangst wrote: > So the plan is for rebound to be the 'system' resolver, with libc talking > to > rbeound and rebound talking to the cloud. The main

Re: reduce double caching in mfs

2016-09-09 Thread Bob Beck
I really dislike "CHEAP". and it almost seems like these should actually be NOCACHE.. why the heck can't they be? On Thu, Sep 8, 2016 at 7:49 PM, Ted Unangst wrote: > Currently, the bufcache doesn't know that mfs is backed by memory. All i/o > to > mfs ends up being

Re: [PATCH] Callback-based interface to libtls

2016-09-05 Thread Bob Beck
I am in agreement in principle, but please coordinate with bcook@ and/or jsing@ who were possibly doing some related adjustments. On Mon, Sep 5, 2016 at 4:44 AM, Ted Unangst <t...@tedunangst.com> wrote: > Bob Beck wrote: > > > > > > Agreed, I was also a bit unclear

Re: hexdump(1): strlen + calloc + snprintf == asprintf

2016-09-04 Thread Bob Beck
ok beck@ On Sun, Sep 4, 2016 at 9:54 AM, Theo Buehler wrote: > use the libc interface instead of rolling it by hand. > > Index: parse.c > === > RCS file: /var/cvs/src/usr.bin/hexdump/parse.c,v > retrieving

Re: [PATCH] Callback-based interface to libtls

2016-09-04 Thread Bob Beck
On Sun, Sep 04, 2016 at 05:26:24AM -0500, Brent Cook wrote: > On Sun, Sep 04, 2016 at 05:57:54AM -0400, Ted Unangst wrote: > > Brent Cook wrote: > > > @@ -246,14 +252,18 @@ An already existing socket can be upgrad > > > .Fn tls_connect_socket . > > > Alternatively, a secure connection can be

Re: [PATCH] Callback-based interface to libtls

2016-09-04 Thread Bob Beck
On Sun, Sep 04, 2016 at 05:57:54AM -0400, Ted Unangst wrote: > Brent Cook wrote: > > @@ -246,14 +252,18 @@ An already existing socket can be upgrad > > .Fn tls_connect_socket . > > Alternatively, a secure connection can be established over a pair of > > existing > > file descriptors by
