vmm(4)/vmd(8) support for seabios and linux guests

2017-03-25 Thread Mike Larkin
I just committed the last parts of my working tree to enable both seabios
and alpine linux support (using serial console).

This should be enough for people to create images and help find and
fix bugs.

Here are things I already know about:

 * since vmd's emulated uart is a no-fifo 8250, you'll see a bunch
   of "too much work for irq4" or "too much work for com1" on the
   serial console. Interacting with the serial port causes that to
   free itself up. If this bothers you, ssh into the vm for now
   instead.
 * i386 guests and hosts are temporarily broken until I go back
   to fix them.
 * I've had my alpine guest randomly lock up on a couple
   occasions.

On a whim, I grabbed a serial port console build of ubuntu cloud
image from their site and booted that. It gets lost in the initrd
somewhere, I haven't had a chance to look into it yet. Other
distributions may or may not work. The only distribution I have
done more than just a tiny bit of testing with is alpine.

You can use the vmm-firmware port to get the seabios with the right
config for vmd, or you can wait until that is hooked into the
fw_update mechanism. If you don't want to use seabios for some
reason, you can still boot existing OpenBSD VMs without it by
using the "-b" option (this option used to be called -k) and
specify a kernel of your choice - this mode requires no seabios,
and works as before.

-ml



Re: ticket support in httpd

2017-03-25 Thread Reyk Floeter
On Sat, Mar 25, 2017 at 06:06:48PM +0100, Claudio Jeker wrote:
> I realized I never committed the ticket support in httpd that I added in
> Brisbane. Anyone want to give me an OK on it?
> 

diff reads fine OK reyk@

> Cheers
> -- 
> :wq Claudio
> 
> Index: config.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/config.c,v
> retrieving revision 1.50
> diff -u -p -r1.50 config.c
> --- config.c  6 Nov 2016 10:49:38 -   1.50
> +++ config.c  24 Jan 2017 11:21:35 -
> @@ -146,6 +146,7 @@ config_getcfg(struct httpd *env, struct 
>   memcpy(, imsg->data, sizeof(cf));
>   env->sc_opts = cf.cf_opts;
>   env->sc_flags = cf.cf_flags;
> + memcpy(env->sc_tls_sid, cf.cf_tls_sid, sizeof(env->sc_tls_sid));
>  
>   what = ps->ps_what[privsep_process];
>  
> @@ -238,6 +239,9 @@ config_setserver(struct httpd *env, stru
>   close(srv->srv_s);
>   srv->srv_s = -1;
>   }
> +
> + explicit_bzero(>srv_conf.tls_ticket_key,
> + sizeof(srv->srv_conf.tls_ticket_key));
>  
>   return (0);
>  }
> Index: httpd.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
> retrieving revision 1.64
> diff -u -p -r1.64 httpd.c
> --- httpd.c   23 Jan 2017 04:25:05 -  1.64
> +++ httpd.c   25 Jan 2017 04:22:34 -
> @@ -57,6 +57,8 @@ int  parent_dispatch_server(int, struct
>   struct imsg *);
>  int   parent_dispatch_logger(int, struct privsep_proc *,
>   struct imsg *);
> +void  parent_tls_ticket_rekey_start(struct server *);
> +void  parent_tls_ticket_rekey(int, short, void *);
>  
>  struct httpd *httpd_env;
>  
> @@ -252,6 +254,9 @@ main(int argc, char *argv[])
>   exit(0);
>   }
>  
> + /* initialize the TLS session id to a random key for all procs */
> + arc4random_buf(env->sc_tls_sid, sizeof(env->sc_tls_sid));
> +
>   if (parent_configure(env) == -1)
>   fatalx("configuration failed");
>  
> @@ -287,6 +292,10 @@ parent_configure(struct httpd *env)
>   TAILQ_FOREACH(srv, env->sc_servers, srv_entry) {
>   if (srv->srv_conf.flags & SRVFLAG_LOCATION)
>   continue;
> + /* start the rekey of the tls ticket keys */
> + if (srv->srv_conf.flags & SRVFLAG_TLS &&
> + srv->srv_conf.tls_ticket_lifetime)
> + parent_tls_ticket_rekey_start(srv);
>   if (config_setserver(env, srv) == -1)
>   fatal("send server");
>   }
> @@ -306,6 +315,7 @@ parent_configure(struct httpd *env)
>   continue;
>   cf.cf_opts = env->sc_opts;
>   cf.cf_flags = env->sc_flags;
> + memcpy(cf.cf_tls_sid, env->sc_tls_sid, sizeof(cf.cf_tls_sid));
>  
>   proc_compose(env->sc_ps, id, IMSG_CFG_DONE, , sizeof(cf));
>   }
> @@ -449,6 +459,38 @@ parent_dispatch_logger(int fd, struct pr
>   }
>  
>   return (0);
> +}
> +
> +void
> +parent_tls_ticket_rekey_start(struct server *srv)
> +{
> + struct timeval   tv;
> +
> + server_generate_ticket_key(>srv_conf);
> +
> + evtimer_set(>srv_evt, parent_tls_ticket_rekey, srv);
> + timerclear();
> + tv.tv_sec = srv->srv_conf.tls_ticket_lifetime / 4;
> + evtimer_add(>srv_evt, );
> +}
> +
> +void
> +parent_tls_ticket_rekey(int fd, short events, void *arg)
> +{
> + struct server   *srv = arg;
> + struct timeval   tv;
> +
> + server_generate_ticket_key(>srv_conf);
> + proc_compose_imsg(httpd_env->sc_ps, PROC_SERVER, -1,
> + IMSG_TLSTICKET_REKEY, -1, -1, >srv_conf.tls_ticket_key,
> + sizeof(srv->srv_conf.tls_ticket_key));
> + explicit_bzero(>srv_conf.tls_ticket_key,
> + sizeof(srv->srv_conf.tls_ticket_key));
> +
> + evtimer_set(>srv_evt, parent_tls_ticket_rekey, srv);
> + timerclear();
> + tv.tv_sec = srv->srv_conf.tls_ticket_lifetime / 4;
> + evtimer_add(>srv_evt, );
>  }
>  
>  /*
> Index: httpd.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.80
> diff -u -p -r1.80 httpd.conf.5
> --- httpd.conf.5  16 Mar 2017 10:18:11 -  1.80
> +++ httpd.conf.5  24 Mar 2017 07:26:44 -
> @@ -564,6 +564,13 @@ will be used (secure protocols; TLSv1.2-
>  Refer to the
>  .Xr tls_config_parse_protocols 3
>  function for other valid protocol string values.
> +.It Ic ticket Ic lifetime Ar seconds
> +Enable TLS session tickets with a
> +.Ar seconds
> +session lifetime.
> +It is possible to set
> +.Ar seconds
> +to default to use the httpd default timeout of 2 hours.
>  .El
>  .El
>  .Sh TYPES
> Index: httpd.h
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
> 

ticket support in httpd

2017-03-25 Thread Claudio Jeker
I realized I never committed the ticket support in httpd that I added in
Brisbane. Anyone want to give me an OK on it?

Cheers
-- 
:wq Claudio

Index: config.c
===
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.50
diff -u -p -r1.50 config.c
--- config.c6 Nov 2016 10:49:38 -   1.50
+++ config.c24 Jan 2017 11:21:35 -
@@ -146,6 +146,7 @@ config_getcfg(struct httpd *env, struct 
memcpy(, imsg->data, sizeof(cf));
env->sc_opts = cf.cf_opts;
env->sc_flags = cf.cf_flags;
+   memcpy(env->sc_tls_sid, cf.cf_tls_sid, sizeof(env->sc_tls_sid));
 
what = ps->ps_what[privsep_process];
 
@@ -238,6 +239,9 @@ config_setserver(struct httpd *env, stru
close(srv->srv_s);
srv->srv_s = -1;
}
+
+   explicit_bzero(>srv_conf.tls_ticket_key,
+   sizeof(srv->srv_conf.tls_ticket_key));
 
return (0);
 }
Index: httpd.c
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.64
diff -u -p -r1.64 httpd.c
--- httpd.c 23 Jan 2017 04:25:05 -  1.64
+++ httpd.c 25 Jan 2017 04:22:34 -
@@ -57,6 +57,8 @@ intparent_dispatch_server(int, struct
struct imsg *);
 int parent_dispatch_logger(int, struct privsep_proc *,
struct imsg *);
+voidparent_tls_ticket_rekey_start(struct server *);
+voidparent_tls_ticket_rekey(int, short, void *);
 
 struct httpd   *httpd_env;
 
@@ -252,6 +254,9 @@ main(int argc, char *argv[])
exit(0);
}
 
+   /* initialize the TLS session id to a random key for all procs */
+   arc4random_buf(env->sc_tls_sid, sizeof(env->sc_tls_sid));
+
if (parent_configure(env) == -1)
fatalx("configuration failed");
 
@@ -287,6 +292,10 @@ parent_configure(struct httpd *env)
TAILQ_FOREACH(srv, env->sc_servers, srv_entry) {
if (srv->srv_conf.flags & SRVFLAG_LOCATION)
continue;
+   /* start the rekey of the tls ticket keys */
+   if (srv->srv_conf.flags & SRVFLAG_TLS &&
+   srv->srv_conf.tls_ticket_lifetime)
+   parent_tls_ticket_rekey_start(srv);
if (config_setserver(env, srv) == -1)
fatal("send server");
}
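Review bot: The condition added at the top of the loop relies on `&` binding tighter than `&&`; that is correct, but `(srv->srv_conf.flags & SRVFLAG_TLS) && srv->srv_conf.tls_ticket_lifetime` reads unambiguously and spares the next reader a precedence check. Note that parent_tls_ticket_rekey_start writes the first key into srv_conf before config_setserver ships srv_conf to the server processes, so the initial key travels with the server configuration while later ones go via IMSG_TLSTICKET_REKEY; a one-line comment saying so, `/* initial key is sent with the server config below; later keys via IMSG_TLSTICKET_REKEY */`, would make the two delivery paths obvious. If parent_configure is also reached on a config reload, confirm that timers armed on srv_evt for servers of the previous configuration are evtimer_del'd before those structs are freed; that purge path is outside this hunk.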
@@ -306,6 +315,7 @@ parent_configure(struct httpd *env)
continue;
cf.cf_opts = env->sc_opts;
cf.cf_flags = env->sc_flags;
+   memcpy(cf.cf_tls_sid, env->sc_tls_sid, sizeof(cf.cf_tls_sid));
 
proc_compose(env->sc_ps, id, IMSG_CFG_DONE, , sizeof(cf));
}
@@ -449,6 +459,38 @@ parent_dispatch_logger(int fd, struct pr
}
 
return (0);
+}
+
+void
+parent_tls_ticket_rekey_start(struct server *srv)
+{
+   struct timeval   tv;
+
+   server_generate_ticket_key(>srv_conf);
+
+   evtimer_set(>srv_evt, parent_tls_ticket_rekey, srv);
+   timerclear();
+   tv.tv_sec = srv->srv_conf.tls_ticket_lifetime / 4;
+   evtimer_add(>srv_evt, );
+}
+
+void
+parent_tls_ticket_rekey(int fd, short events, void *arg)
+{
+   struct server   *srv = arg;
+   struct timeval   tv;
+
+   server_generate_ticket_key(>srv_conf);
+   proc_compose_imsg(httpd_env->sc_ps, PROC_SERVER, -1,
+   IMSG_TLSTICKET_REKEY, -1, -1, >srv_conf.tls_ticket_key,
+   sizeof(srv->srv_conf.tls_ticket_key));
+   explicit_bzero(>srv_conf.tls_ticket_key,
+   sizeof(srv->srv_conf.tls_ticket_key));
+
+   evtimer_set(>srv_evt, parent_tls_ticket_rekey, srv);
+   timerclear();
+   tv.tv_sec = srv->srv_conf.tls_ticket_lifetime / 4;
+   evtimer_add(>srv_evt, );
 }
 
 /*
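Review bot: `tv.tv_sec = srv->srv_conf.tls_ticket_lifetime / 4` in both parent_tls_ticket_rekey_start and parent_tls_ticket_rekey evaluates to 0 for a lifetime of 1–3 seconds, so the timer is re-armed with a zero timeout and the parent regenerates and broadcasts a key on every pass through the event loop; unless the config parser already enforces a minimum (not visible here), clamp it with `tv.tv_sec = MAX(1, srv->srv_conf.tls_ticket_lifetime / 4);`. The return value of proc_compose_imsg in parent_tls_ticket_rekey is also ignored: on failure the parent has already explicit_bzero'd the key it never delivered and the server processes keep aging keys without a replacement, so at least report it, e.g. `if (proc_compose_imsg(...) == -1) log_warn("%s: failed to send ticket key", __func__);`. The lifetime/4 interval presumably matches the number of previous keys the server side retains; a short comment next to the division stating that relationship would save the next maintainer from guessing.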
Index: httpd.conf.5
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.80
diff -u -p -r1.80 httpd.conf.5
--- httpd.conf.516 Mar 2017 10:18:11 -  1.80
+++ httpd.conf.524 Mar 2017 07:26:44 -
@@ -564,6 +564,13 @@ will be used (secure protocols; TLSv1.2-
 Refer to the
 .Xr tls_config_parse_protocols 3
 function for other valid protocol string values.
+.It Ic ticket Ic lifetime Ar seconds
+Enable TLS session tickets with a
+.Ar seconds
+session lifetime.
+It is possible to set
+.Ar seconds
+to default to use the httpd default timeout of 2 hours.
 .El
 .El
 .Sh TYPES
Index: httpd.h
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.130
diff -u -p -r1.130 httpd.h
--- httpd.h 7 Feb 2017 12:27:42 -   1.130
+++ httpd.h 16 Feb 2017 19:23:08 -
@@ -76,6 +76,9 @@
 #define SERVER_MIN_PREFETCHED  32
 #define SERVER_HSTS_DEFAULT_AGE

Re: relayd.conf.5: X-Forwarded-By $REMOTE_ADDR typo

2017-03-25 Thread Claudio Jeker
On Fri, Mar 24, 2017 at 06:10:33PM +0100, Hiltjo Posthuma wrote:
> Hey,
> 
> I think there is a typo in relayd.conf(5).
> 
> X-Forwarded-By should be the server $SERVER_ADDR instead of the client
> $REMOTE_ADDR.
> 
> X-Forwarded-For is the client (correct).
> 
> diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
> index 8bed93efa1f..5f3eb0b2f9a 100644
> --- a/usr.sbin/relayd/relayd.conf.5
> +++ b/usr.sbin/relayd/relayd.conf.5
> @@ -1470,7 +1470,7 @@ http protocol "https" {
>   match header append "X-Forwarded-For" \e
>   value "$REMOTE_ADDR"
>   match header append "X-Forwarded-By" \e
> - value "$REMOTE_ADDR:$SERVER_PORT"
> + value "$SERVER_ADDR:$SERVER_PORT"
>   match header set "Keep-Alive" value "$TIMEOUT"
>  
>   match query hash "sessid"
> 

I agree. OK claudio@

-- 
:wq Claudio



Re: [Patch] (www) Updated Copyright on CVS Page

2017-03-25 Thread Stuart Henderson
On 2017/03/24 13:26, Elijah Abney wrote:
> Just updating the copyright to 2017 for the anoncvs page.
> 
> Index: anoncvs.html.head
> ===
> RCS file: /cvs/www/build/mirrors/anoncvs.html.head,v
> retrieving revision 1.61
> diff -u -p -r1.61 anoncvs.html.head
> --- anoncvs.html.head22 Oct 2016 17:30:35 -1.61
   ^^^
> +++ anoncvs.html.head24 Mar 2017 17:19:01 -
> @@ -7,7 +7,8 @@
>  OpenBSD Anonymous CVS
>  
>  
> -
> +
>  
>  
>  https://www.openbsd.org/anoncvs.html;>
> 

But there weren't any changes in 2017...



pfctl: Fix function name in errx(3) message

2017-03-25 Thread Klemens Nanni

Index: pfctl.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.338
diff -u -p -r1.338 pfctl.c
--- pfctl.c 26 Jan 2017 08:24:34 -  1.338
+++ pfctl.c 25 Mar 2017 11:37:01 -
@@ -753,7 +753,7 @@ pfctl_show_rules(int dev, char *path, in
   memset(, 0, sizeof(pr));
   if (anchorname[0] == '/') {
   if ((npath = calloc(1, PATH_MAX)) == NULL)
-   errx(1, "pfctl_rules: calloc");
+   errx(1, "pfctl_show_rules: calloc");
   strlcpy(npath, anchorname, PATH_MAX);
   } else {
   if (path[0])
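Review bot: The message now names the right function, but calloc failure sets errno and `errx(3)` deliberately drops it, so the user only sees "pfctl_show_rules: calloc" with no reason; `err(1, "pfctl_show_rules: calloc")` would append the strerror text (ENOMEM etc.) at no extra cost. If the rest of pfctl.c consistently uses errx for allocation failures that is a file-wide convention to keep, but this is the line being touched. pfctl_show_rules continues outside the hunk.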



Re: [PATCH] pcidump - Enhanced Capabilities

2017-03-25 Thread Mike Larkin
On Thu, Mar 23, 2017 at 04:20:07PM +0100, Simon Mages wrote:
> Hi,
> 
> on some machines i saw some unknown enhanced capabilities. After
> looking into it i saw that on some intel chipsets there actually is a
> capability with id 0x0. This capability contains some registers of the
> Advanced Error Reporting Capability but not all of them. I guess intel
> chose 0x0 instead of 0x1 because their implementation does not contain
> all of the minimum Advanced Error Reporting registers.
> 
> Anyway, i think it makes sense to print the enhanced capability id,
> even if it is not in the list.
> This way one does not have to look at the hexdump of pcidump -xxx to
> figure out which
> capability id the unknown capability has.
> 

Thanks, committed.

> Index: usr.sbin/pcidump/pcidump.c
> ===
> --- pcidump.c 16 Mar 2017 22:05:46 -  1.42
> +++ pcidump.c 23 Mar 2017 15:12:07 -
> @@ -392,6 +392,7 @@ void
>  dump_pcie_enhanced_caplist(int bus, int dev, int func)
>  {
>   u_int32_t reg;
> + u_int32_t capidx;
>   u_int16_t ptr;
>   u_int16_t ecap;
> 
> @@ -407,10 +408,12 @@ dump_pcie_enhanced_caplist(int bus, int
> 
>   ecap = PCI_PCIE_ECAP_ID(reg);
>   if (ecap >= nitems(pci_enhanced_capnames))
> - ecap = 0;
> + capidx = 0;
> + else
> + capidx = ecap;
> 
>   printf("\t0x%04x: Enhanced Capability 0x%02x: ", ptr, ecap);
> - printf("%s\n", pci_enhanced_capnames[ecap]);
> + printf("%s\n", pci_enhanced_capnames[capidx]);
> 
>   ptr = PCI_PCIE_ECAP_NEXT(reg);
> 
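Review bot: The new `capidx` correctly keeps the real ID for printing while clamping the table index, but the walk itself still trusts the hardware: `ptr = PCI_PCIE_ECAP_NEXT(reg)` is fed back to the top of the loop, whose termination condition is outside the hunk. Even with the new mask a device can return a next pointer below PCI_PCIE_ECAP (0x100), which would read the legacy config header as a capability, or one that forms a cycle, which would make pcidump loop forever; if the loop only tests for PCI_PCIE_ECAP_LAST, add `if (ptr < PCI_PCIE_ECAP) break;` and a simple iteration cap (the 4 KiB extended space holds at most 960 4-byte-aligned entries). The `0x%02x` format is also narrower than the 16-bit ID it prints, so unknown IDs show up as 3–4 digits; `0x%04x` is the honest width.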
> 
> According to Rev. 3.0 of the PCIe spec, the last two bits are reserved
> for future use. I do not
> have access to the spec > Rev. 3.0.
> 
> Index: dev/pci/pcireg.h
> ===
> --- dev/pci/pcireg.h  22 Mar 2017 07:21:39 -  1.52
> +++ dev/pci/pcireg.h  23 Mar 2017 13:36:09 -
> @@ -606,7 +606,7 @@ typedef u_int8_t pci_revision_t;
>  #define PCI_PCIE_ECAP0x100
>  #define  PCI_PCIE_ECAP_ID(x) (((x) & 0x))
>  #define PCI_PCIE_ECAP_VER(x) (((x) >> 16) & 0x0f)
> -#define  PCI_PCIE_ECAP_NEXT(x)   ((x) >> 20)
> +#define  PCI_PCIE_ECAP_NEXT(x)   (((x) >> 20) & 0xffc)
>  #define PCI_PCIE_ECAP_LAST   0x0
> 
>  /*
>