Re: Removing PF

2019-04-01 Thread Devin Ceartas
Will authpf be around?



Re: Inflamation by Bryan Cantrill

2018-06-13 Thread Devin Ceartas
Thanks.

On 13 Jun 2018, at 23:48, Theo de Raadt wrote:

> In some forums, Bryan Cantrill is crafting a fiction.
>
> He is saying the FPU problem (and other problems) were received
> as a leak.
>
> He is not being truthful, inventing a storyline, and has not asked me
> for the facts.
>
> This was discovered by guessing Intel made a mistake.
>
> We are doing the best for OpenBSD.  Our commit is best effort for our
> user community when Intel didn't reply to mails asking for us to be
> included.  But we were not included, there was no reply.  End of story.
> That leaves us to figure things out ourselves.
>
> Bryan is just upset we guessed right.  It is called science.



Re: faq/current.html: Mention sudo removal

2015-07-04 Thread Devin Ceartas

On 4 Jul 2015, at 11:16, Todd C. Miller wrote:


On Sat, 04 Jul 2015 15:36:58 +0530, Hrishikesh Muruk wrote:

Why is sudo being removed from base? It is pretty useful. I imagine many
use sudo


The version of sudo in base was 5 years old and not really maintainable.

Theo has been uncomfortable with the amount of code in sudo that
runs as root so there was resistance to updating it to a newer
version.

Moving sudo to ports means we have a more modern version available
and also makes it possible to have an LDAP flavor.

Sudo in base will likely be replaced either by tedu's doas or an
extended su.

- todd


Sounds reasonable. Is there a place to read up on doas or is that in
very early stages yet?


devin
--
contact info: http://nacredata.com/devin

Ask me about Google Apps for Work: hosting your domain-branded email, 
calendar and cloud storage on Google's infrastructure.




Re: Want to help upstream software improve their random?

2014-12-11 Thread Devin Ceartas

On 12 Dec 2014, at 5:02, Theo de Raadt wrote:


In all of these code blocks are a well-known piece of information
(same time on your machine as everywhere else) is being used to seed a
deterministic number generator.

At some later point, deterministic numbers are taken out using rand(),
random(), drand48(), lrand48(), mrand48(), or srand48(), or some
derivative function inside the program itself, and used for WHO KNOWS
WHAT PURPOSE.

I did not audit what the numbers are being used for.

Quite likely some numbers are just used to help hashing.  Some could
be used to print pretty pictures.  But in xulrunner?  In the zip password
creator? In postgresql, or say in openldap (a network related thing)?

It is doubtful they are all fine.

For the benefit of other projects who haven't taken the same steps as
OpenBSD, it would be nice if some people helped out these pieces of
software.

EMBOSS-6.0.1        srand((unsigned) time(tm));

[...]

What you say makes sense. Is there a best practice alternative you
suggest or did I miss that? Perhaps just some better initiation value,
preferably not all from the same place?




devin
--
contact info: http://nacredata.com/devin
gpg public key: http://www.nacredata.com/public_key.txt
Use unique, strong passwords! https://www.nacredata.com/password.php



Re: Want to help upstream software improve their random?

2014-12-11 Thread Devin Ceartas
On 12 Dec 2014, at 5:43, Theo de Raadt wrote:

 On 12 Dec 2014, at 5:02, Theo de Raadt wrote:

 In all of these code blocks are a well-known piece of information
 (same time on your machine as everywhere else) is being used to seed a
 deterministic number generator.

 At some later point, deterministic numbers are taken out using rand(),
 random(), drand48(), lrand48(), mrand48(), or srand48(), or some
 derivative function inside the program itself, and used for WHO KNOWS
 WHAT PURPOSE.

 I did not audit what the numbers are being used for.

 Quite likely some numbers are just used to help hashing.  Some could
 be used to print pretty pictures.  But in xulrunner?  In the zip password
 creator? In postgresql, or say in openldap (a network related thing)?

 It is doubtful they are all fine.

 For the benefit of other projects who haven't taken the same steps as
 OpenBSD, it would be nice if some people helped out these pieces of
 software.

 EMBOSS-6.0.1        srand((unsigned) time(tm));
 [...]

 What you say makes sense. Is there a best practice alternative you
 suggest or did I miss that? Perhaps just some better initiation value,
 preferably not all from the same place?

 These code sequences do not need deterministic values.  They actually
 want non-deterministic values.  Steps are like this:

1. Remove the srand(), srandom(), srand48(), seed48(),
   lcong48() calls.

2. Replace all rand(), random(), lrand48(), mrand48() calls with
   arc4random()

3. If the calls use %, consider using arc4random_uniform() instead.

4. If it loops to fill a buffer, use arc4random_buf()

5. Replace drand48() with arc4random and some floating point, but
   be careful.  drand48() is very rare.

 Now, talk to the upstream projects.  They will reject your changes
 because Linux lacks arc4random().

 Basically, only Linux and Solaris lack arc4random().  All the other
 platforms have it.

 There are libraries available which provide arc4random() on Linux, so
 maybe you find an upstream software provider who is willing to create
 a dependency on such a library on Linux.

 Lots of software is doing precisely that, so don't be afraid.

Got it. Thanks. 


devin
--
contact info: http://nacredata.com/devin
gpg public key: http://www.nacredata.com/public_key.txt
Use unique, strong passwords! https://www.nacredata.com/password.php
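The five steps Theo lists above, worked through as an added C example that is not part of this thread and not code from EMBOSS or any other project named in it. It puts the "before" pattern (a wall-clock seed feeding rand() and `%`) next to a non-deterministic source, and spells out the rejection-sampling loop that arc4random_uniform() performs so that `%` does not skew the result. The function names roll_seeded, csprng_u32, uniform_below, rejected_values and scripted_src are assumptions of this example; on Linux, which the thread notes lacks arc4random(), it reads the kernel CSPRNG through getrandom(2) rather than a third-party arc4random library, and on the BSDs it calls arc4random_buf() directly.

```c
/* Added example, not from the mailing-list thread: time-seeded rand() versus a
 * CSPRNG, plus the rejection sampling behind arc4random_uniform().  All names
 * here are assumptions made for the example. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <time.h>

#if defined(__linux__)
#include <sys/random.h>   /* getrandom(2): glibc >= 2.25 */
#endif

/* "Before": the pattern under discussion.  The seed is the wall clock, which
 * anyone can know, so the whole sequence is reproducible from it. */
static unsigned roll_seeded(unsigned seed, int nth)
{
    unsigned r = 0;
    srand(seed);
    for (int i = 0; i < nth; i++)
        r = (unsigned)rand() % 6 + 1;   /* the '%' here is also biased */
    return r;
}

/* "After": a non-deterministic 32-bit value from the operating system. */
static uint32_t csprng_u32(void)
{
    uint32_t v;
#if defined(__linux__)
    unsigned char *p = (unsigned char *)&v;
    size_t got = 0;
    while (got < sizeof v) {
        ssize_t n = getrandom(p + got, sizeof v - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            perror("getrandom");
            abort();
        }
        got += (size_t)n;
    }
#else
    arc4random_buf(&v, sizeof v);   /* the BSDs and macOS */
#endif
    return v;
}

/* Rejection sampling as arc4random_uniform() does it: discard the lowest
 * (2^32 mod upper) source values so that r % upper is exactly uniform.
 * The source is a parameter so the loop can be exercised with a known
 * sequence; in real code pass csprng_u32. */
static uint32_t uniform_below(uint32_t upper, uint32_t (*src)(void))
{
    uint32_t min, r;

    if (upper < 2)
        return 0;
    min = (uint32_t)(-upper) % upper;   /* 2^32 mod upper, no 64-bit math */
    for (;;) {
        r = src();
        if (r >= min)
            break;                      /* accept; reject and retry otherwise */
    }
    return r % upper;
}

/* How many of the 2^32 source values the sampler throws away for a given
 * upper bound (0 when upper is a power of two, since then '%' is unbiased). */
static uint32_t rejected_values(uint32_t upper)
{
    return upper < 2 ? 0 : (uint32_t)(-upper) % upper;
}

/* Constructed, deterministic "source" used only to show the rejection path:
 * for upper == 3 the sampler rejects 0 and accepts 5, returning 5 % 3 == 2. */
static const uint32_t script[] = { 0, 5 };
static size_t script_pos;
static uint32_t scripted_src(void)
{
    return script[script_pos++ % 2];
}

int main(void)
{
    unsigned now = (unsigned)time(NULL);
    printf("seeded twice with %u: %u and %u (always identical)\n", now,
           roll_seeded(now, 3), roll_seeded(now, 3));
    printf("uniform_below(6) from the CSPRNG: %u\n",
           uniform_below(6, csprng_u32));
    printf("values rejected for upper=6: %u\n", rejected_values(6));
    return 0;
}
```

Replacing `rand() % n` with `uniform_below(n, csprng_u32)` covers steps 2 and 3 of the list; a loop that fills a buffer from rand() becomes a single getrandom()/arc4random_buf() call, which is step 4. The rejected-value count is tiny relative to 2^32, which is why the retry loop almost never iterates more than once.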



Re: LibreSSL: GOST ciphers implementation

2014-11-05 Thread Devin Ceartas

On 5 Nov 2014, at 20:25, Theo de Raadt wrote:


How do we find people on the internet who care, and knit them into a
community, and then somewhere down the road meet them and have them
become this so-called 'core developer' group?

We start reading code from them.


The code, yes, the code.

Nothing to stop anyone from being suspicious for any reason whatsoever 
and giving some code some extra review. So much the better.



devin
--
contact info: http://nacredata.com/devin
gpg public key: http://www.nacredata.com/public_key.txt
Use unique, strong passwords! https://www.nacredata.com/password.php



Re: missing ports.tar.gz in snapshot

2014-03-06 Thread Devin Ceartas
On Mar 6, 2014, at 3:13 PM, Vijay Sankar vsan...@foretell.ca wrote:

 Quoting Theo de Raadt dera...@cvs.openbsd.org:
 
 is there a reason, why there is no ports.tar.gz in the latest snapshot 
 folder?
 
 At present, it is not being built in the ftp area any more.
 
 I'd like to ask.  Does anyone find it useful?  It is not in sync with the
 packages beside it.
 
 
 

Are all the ports in the packages in snapshots? I seem to remember needing to 
build some of the things I use to test, but maybe that has changed. 

I use snapshots when I have time to test, so whatever direction you want to 
give as far as testing goes, just let us know. 

devin




Re: missing ports.tar.gz in snapshot

2014-03-06 Thread Devin Ceartas
On Mar 6, 2014, at 3:34 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:

 Are all the ports in the packages in snapshots?
 
 The best way to get source code from our project is not in tar files,
 but using the repository-access methods described on the web site
 and in the FAQ.  Then it is easier to move your tree forward in time,
 rather than downloading files this big, every time.
 
 -rw-r--r--  1 deraadt  wheel  21.8M Mar  5 13:14 ports.tar.gz
 -rw-r--r--  1 deraadt  wheel   160M Mar  5 09:46 src.tar.gz
 -rw-r--r--  1 deraadt  wheel   110M Mar  5 09:46 xenocara.tar.gz
 

OK, sure, cvs update the ports tree. That works for me. Now that I think about 
it, I'm sure that's what I've done at least some of the time. No problem. 



Re: base apache and HonorCipherOrder

2013-07-11 Thread Devin Ceartas
Thanks all; I am glad to see this.


On Thu, Jul 11, 2013 at 11:35 AM, Joel Sing j...@sing.id.au wrote:

 On Mon, 8 Jul 2013, Damien Miller wrote:
  On Sun, 7 Jul 2013, Aaron Stellman wrote:
   On Tue, Apr 23, 2013 at 09:08:19AM +0200, Otto Moerbeek wrote:
If there is any interest, I might add the manual stuff, get ok's and
commit it.
  
   I find it useful to have SSLHonorCipherOrder in OpenBSD's apache.
 
  More than that, AFAIK it is necessary to mitigate some of the TLS crypto
  attacks. IMO it is well worth having.
 
  It would also be good if someone could make a patch to enable ECDHE
 cipher
  suites in Apache-1.x.
  This nginx patch is a good reference to what needs to
  be done:
 
  http://hg.nginx.org/nginx/rev/0832a6997227

 The following should do the trick...

 $ openssl s_client -connect localhost:443 2>&1 </dev/null | grep 'Cipher is'
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

 Index: conf/httpd.conf
 ===
 RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf,v
 retrieving revision 1.26
 diff -u -p -u -p -r1.26 httpd.conf
 --- conf/httpd.conf 3 Jun 2009 18:28:21 -   1.26
 +++ conf/httpd.conf 11 Jul 2013 15:28:21 -
 @@ -1034,6 +1034,11 @@ SSLEngine on
  #   List the ciphers that the client is permitted to negotiate.
  #   See the mod_ssl documentation for a complete list.
  #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
 +
 +#   SSL ECDH Curve:
 +#   Named curve to use when generating ephemeral EC keys for an
 +#   ECDHE-based cipher suite.
 +#SSLECDHCurve prime256v1

  #   Server Certificate:
  #   Point SSLCertificateFile at a PEM encoded certificate.  If
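Review bot: the SSLECDHCurve comment added here only has an effect when an ECDHE suite can actually be negotiated, and the example SSLCipherSuite line just above it (`ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP`) puts RC4 first and still admits LOW, EXP and SSLv2. Consider extending the comment with one sentence saying that the curve is used only when SSLCipherSuite permits ECDHE suites, and that it belongs together with SSLHonorCipherOrder so the server's preference, not the client's, decides; that pairing is what this thread is about.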
 Index: conf/httpd.conf-dist
 ===
 RCS file: /cvs/src/usr.sbin/httpd/conf/httpd.conf-dist,v
 retrieving revision 1.20
 diff -u -p -u -p -r1.20 httpd.conf-dist
 --- conf/httpd.conf-dist1 Apr 2009 06:47:34 -   1.20
 +++ conf/httpd.conf-dist11 Jul 2013 15:28:21 -
 @@ -1045,6 +1045,11 @@ SSLEngine on
  #   See the mod_ssl documentation for a complete list.
  SSLCipherSuite
 ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 +#   SSL ECDH Curve:
 +#   Named curve to use when generating ephemeral EC keys for an
 +#   ECDHE-based cipher suite.
 +SSLECDHCurve prime256v1
 +
  #   Server Certificate:
  #   Point SSLCertificateFile at a PEM encoded certificate.  If
  #   the certificate is encrypted, then you will be prompted for a
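Review bot: `SSLECDHCurve prime256v1` is enabled unconditionally here while conf/httpd.conf leaves it commented out, so the config code must fall back to a usable default when the directive is absent; otherwise a server running the shipped httpd.conf never gets an ephemeral EC key and every ECDHE suite silently drops out of the negotiation. Minor style point: the blank `+` separator sits after the directive in this file but before the comment block in httpd.conf; pick one placement for both.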
 Index: src/modules/ssl/mod_ssl.c
 ===
 RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.c,v
 retrieving revision 1.11
 diff -u -p -u -p -r1.11 mod_ssl.c
 --- src/modules/ssl/mod_ssl.c   11 Jul 2013 12:41:52 -  1.11
 +++ src/modules/ssl/mod_ssl.c   11 Jul 2013 15:28:21 -
 @@ -113,6 +113,9 @@ static command_rec ssl_config_cmds[] = {
  AP_ALL_CMD(CipherSuite, TAKE1,
 Colon-delimited list of permitted SSL Ciphers 
 (`XXX:...:XXX' - see manual))
 +AP_SRV_CMD(ECDHCurve, TAKE1,
 +   Name of ECDH curve to use for ephemeral EC keys 
 +   (`curve' - see manual))
  AP_SRV_CMD(CertificateFile, TAKE1,
 SSL Server Certificate file 
 (`/path/to/file' - PEM or DER encoded))
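Review bot: the help string refers the reader to the manual (`curve' - see manual), but the diff carries no change to the mod_ssl documentation; SSLECDHCurve should be documented next to SSLHonorCipherOrder in the same commit. The handler ssl_cmd_SSLECDHCurve is not in the visible part of the diff; it should validate the name at configuration time (OBJ_sn2nid() returning NID_undef means an unknown curve) and fail with a clear error, rather than leaving the problem to surface at the first ECDHE handshake.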
 Index: src/modules/ssl/mod_ssl.h
 ===
 RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/mod_ssl.h,v
 retrieving revision 1.22
 diff -u -p -u -p -r1.22 mod_ssl.h
 --- src/modules/ssl/mod_ssl.h   11 Jul 2013 12:41:52 -  1.22
 +++ src/modules/ssl/mod_ssl.h   11 Jul 2013 15:28:22 -
 @@ -514,6 +514,7 @@ typedef struct {
  char*szCACertificateFile;
  char*szLogFile;
  char*szCipherSuite;
 +char*szECDHCurve;
  FILE*fileLogFile;
  int  nLogLevel;
  BOOL cipher_server_pref;
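Review bot: szECDHCurve joins the server config struct but nothing visible gives it a default; make sure the server config constructor initialises it (either NULL meaning no ECDHE, or a default such as prime256v1) and that the per-server merge copies it from the main server into virtual hosts, since conf/httpd.conf ships with the directive commented out and a NULL pointer would otherwise reach the curve lookup.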
 @@ -592,6 +593,7 @@ const char  *ssl_cmd_SSLRandomSeed(cmd_p
  const char  *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
  const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);
  const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char
 *);
 +const char  *ssl_cmd_SSLECDHCurve(cmd_parms *, char *, char *);
  const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, char *, char *);
  const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, char *, char *);
  const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, char *, char *);
 Index: src/modules/ssl/ssl_engine_config.c
 ===
 RCS file: /cvs/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c,v
 retrieving revision 1.20
 diff -u -p -u -p -r1.20 ssl_engine_config.c
 --- src/modules/ssl/ssl_engine_config.c 11 Jul 2013 12:41:52 -
  1.20
 +++ src/modules/ssl/ssl_engine_config.c 11 Jul 2013 15:28:22 

Re: [miniroot/install.sub] skip x* sets if do not expect to run X.

2013-01-12 Thread Devin Ceartas
There are cases where you want to compile some port not directly related to X 
but the dependency is missing if you didn't load the X sets. I don't remember 
the particular, but I know this has happened to me. 

devin

On Jan 12, 2013, at 9:33 PM, Bob Beck wrote:

 No, I normally install all the X sets, I just do not run X on the console.
 So I don't like this.
 
 On Wed, Jan 9, 2013 at 3:43 PM, Gleydson Soares gsoa...@trusted.com.br wrote:
 
 the diff below changes src/distrib/miniroot/install.sub to by default skip
 x* sets if someone does not expect to run X
 Do you expect to run the X Window System [no]
 
 if someone still wants to install those sets they may select them by hand afterwards:
 Set name(s)? (or 'abort' or 'done') [done] x*
 
 i've compiled a RAMDISK_CD and it seems to work fine.
 
 ok? feedback?
 Index: install.sub
 ===
 RCS file: /cvs/src/distrib/miniroot/install.sub,v
 retrieving revision 1.674
 diff -u -p -r1.674 install.sub
 --- install.sub 2 Jan 2013 20:35:00 -   1.674
 +++ install.sub 11 Jan 2013 23:41:45 -
 @@ -1098,8 +1098,9 @@ install_files() {
for _f in $THESETS; do
isin $_f $_files || continue;
_sets=$(addel $_f $_sets)
 -   if [[ -z $DISPLAY  ! -d /mnt/etc/X11 ]]; then
 -   # No displays and X isn't installed == skip X sets
 +   if [[ -z $DISPLAY  ! -d /mnt/etc/X11 || $x11 == n ]];
 then
 +   # No displays and X isn't installed or do not
 expect to run X
 +   # = skip X sets
isin ${_f%${VERSION}.tgz} xbase xetc xshare xfont
 xserv  continue
fi
isin $_f $DEFAULTSETS site$VERSION-$(hostname -s).tgz 
 \
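Review bot: the new condition tests `$x11 == n`, but this hunk does not show where x11 is initialised; if the X question is never asked (an upgrade, or an answer file that omits it) the variable is empty and the comparison only fails by accident. Set it explicitly before the question (for example `x11=y`) so the default is visible in one place. Inside `[[ ]]` the `&&` binds tighter than `||`, so the test reads as `(no DISPLAY and no /mnt/etc/X11) or x11 == n`, which is the intent; parenthesising it makes that obvious to the next reader. The inserted comment is also wrapped across two lines by the mailer; in the committed version keep it as one comment line, or as two lines each starting with `#`, so nothing uncommented lands inside the `if` body.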



SSD won't be recognized

2012-11-02 Thread Devin Ceartas
hp laptop with Intel SSD won't boot under 5.2 - the problem reported on screen
appears to be the one described here:
http://old.nabble.com/Re%3A-Fwd%3A--mSATA-failure-on-6501-w--OpenBSD-5.0-td32881415.html#a32884546

 ahci0: stopping the port, softreset slot 31 was still active.
 ahci0: failed to reset port during timeout handling, disabling it

Does anyone have a patch to try or is there a way to boot into the full system
starting from a CD or network boot?

-- devin



Re: diff install.sub: if user won't be running X, skip X sets during install

2010-12-31 Thread Devin Ceartas

On Dec 31, 2010, at 1:41 PM, Theo de Raadt wrote:

Feel free to flame, explain, or generally malign, any logic or unforseen
consequences of this diff.


Sorry, not going to change this.

Before moving to the always give people X, we had way too many people
choose badly and then struggle to install X after the fact.



Fair enough, I didn't know the history of this.

My own curiosity, what was the struggle people had? I admit, I might be
minimising the difficulty of searching via Google 'openbsd adding sets after
install,' or perhaps there is some behind the scenes install bits that I've
missed that do not take place when adding the set after-the-fact?


200MB on everyone's disk that they might need, or put up with people who
have ADD?

We'll put it on everyone's disk...




The trouble I've had in the past wasn't so much needing X later, but  
needing dependencies in the X packages later, FWIW.

--
http://nacredata.com/devin