guest - flak

openbsd changes of note 6

In a bit of a hurry, but here’s some random stuff that happened.

Add connection timeout for ftp (http). Mostly for the installer so it can error out and try something else.

simplefb for framebuffer on armv7 devices like rpi.

Complete https support for the installer.

find -delete support like all the other kids have.

The ongoing effort to rewrite many libssl and libcrypto man pages is still ongoing.

Remove “CVS tips” section from the web site. This forbidden knowledge is now forbidden.

Add cross compiler build support for clang.

Prevent boot from crashing on amd64 by allocating a buffer on the heap instead of the extremely tiny stack.

Build with -fno-builtin because otherwise clang would optimize the local versions of functions like _dl_memset into a call to memset, which doesn’t exist.

Continue reading openbsd changes of note 6...

Posted 2017-02-07 13:55:57 by tedu Updated: 2017-02-07 13:55:57
Tagged: openbsd

turn your network inside out with one pf.conf trick

I think this falls somewhere a little short of common knowledge, but obvious once you know it. It lets machines roam in and out of the network without too much config fiddling. Instead, we configure machines to always use “cloud” services but intercept the packets to provide local services.

Here’s the pf.conf rules I have on my router.

pass in on cnmac1 proto { udp , tcp } from any to any port domain rdr-to port domain
pass in on cnmac1 proto { udp , tcp } from any to any port ntp rdr-to port ntp

This steals any DNS or NTP traffic bound for the internet and redirects it back to the local machine, servicing it locally.

Normally one gets a DNS server via DHCP, but I usually prefer to use So I override that option in dhclient.conf. Works great outside the house. But when I’m home, then I really do want to use the local server because that’s the one that knows about other hostnames on the network. This lets me keep a hardcoded config on my laptop and fix it at the router.

Similarly with NTP, although the situation is a little different since we don’t usually get that from the DHCP server. Instead it’s configured once. I could use the server pool, but it’s silly to have a half dozen machines each probing several upstream servers. For a while I used a config that pointed at the router directly, but then when I take a laptop on the road, it can’t sync time at all. Solution: point everything at in ntpd.conf, and again have the router fix it up. (Bonus benefit: Windows and Apple machines will also now use the router’s time service with no config fiddling either.)

In short, permanently configure laptops for mobile use, and then configure the router to provide optimized services. This is typically easier than trying to configure the laptop to detect which network it’s using.

Posted 2017-01-04 09:16:52 by tedu Updated: 2017-01-04 09:16:52
Tagged: openbsd

openbsd changes of note 5

New year, old changes.

bluhm, mikeb, and mpi are continuing ongoing work to introduce the NET_LOCK. The plan is to replace splsoftnet() with an rwlock. However, unlike splsoftnet, rwlocks are not recursive, which requires some care in acquiring the lock once, only once, and in just the right spot. This is complicated by the fact that the network stack has many layers calling into each other. And in the case of NFS, even stranger dangers. In the mean time, some macros are used to allow switching between splsoftnet and rwlock until all the issues are solved.

kettenis is working to fix various warnings generated by the clang compiler. krw is also fixing a bunch of compiler warnings.

visa’s work on octeon now includes a MMC driver for the EdgeRouter Pro.

Continue reading openbsd changes of note 5...

Posted 2017-01-03 18:55:28 by tedu Updated: 2017-01-03 19:26:58
Tagged: openbsd

watt time is left

So Apple no longer knows how to make a battery meter. The good news is OpenBSD is still here for all your desktop needs. How does its battery meter work?

The simplest interface to get battery status info is to run apm. This gives us both percentage and an estimate of time remaining.

Continue reading watt time is left...

Posted 2016-12-16 13:49:18 by tedu Updated: 2016-12-16 13:49:18
Tagged: computers openbsd software

who even calls link_ntoa?

So there’s a buffer overflow in link_ntoa. What does this mean? CERT says an attacker may be able to execute arbitrary code, but who can be an attacker? Where is link_ntoa used?

What does link_ntoa even do? I’ve never heard of this function before.

The link_ntoa() function takes a link-level address and returns an ASCII string representing some of the information present, including the link level address itself, and the interface name or number, if present. This facility is experimental and is still subject to change.

Networking something or other I guess.

First place to look is in libc itself, where the function lives. The implementation lives in net/linkaddr.c but it’s the declaration that’s of particular interest.


The PROTO_DEPRECATED macro marks a function as exported from the library, but not for use internally. We can also verify with grep that nothing in libc calls link_ntoa, but with the symbol marking we can be confident we haven’t missed anything.

Moving on to base, we find a few occurrences.

sbin/route/route.c: printf("%s: link %s; ", which, link_ntoa(&su->sdl));
sbin/route/show.c: return (link_ntoa(sdl));
usr.bin/netstat/show.c: return (link_ntoa(sdl));

This is used to print route information obtained from the kernel. So if you haven’t patched yet, before you run route show again, make sure you trust the kernel.

Posted 2016-12-07 03:00:07 by tedu Updated: 2016-12-07 03:00:07
Tagged: openbsd software

openbsd changes of note 2

Things happened, stuff changed.

X550 support among other ix changes and cleanup.

Ongoing switch work. Better OpenFlow compat. You know it’s serious when tcpdump gets an update.

Loongson 3A support.

Turn ipstat into a set of percpu counters. Per CPU counters allow simple statistics to be collected in a lockless manner, collating them as necessary. The basic mechanism was introduced a little earlier in October.

Hydrogen bomb fixes.

Dedicated build user builds for xenocara.

Some iwm diffs, since committed. reducing rx latency. ack rates. reduce retry limit.

PCI info ioctl for DRM.

Assorted changes to pool memory management. More mbuf pool changes to come.

Something else of potential interest: pine64 bootloader.

Posted 2016-11-23 02:37:09 by tedu Updated: 2016-11-23 02:37:09
Tagged: openbsd software

openbsd changes of note

Stuff happened, things changed.

mcl2k2 pools and the em conversion. The details are in the commits, but the short story is that due to hardware limitations, a number of tradeoffs need to be made between performance and memory usage. The em chip can (mostly) only be programmed to write to 2k buffers. However, ethernet payloads are not nicely aligned. They’re two bytes off. Leading to a costly choice. Provide a 2k buffer, and then copy all the data after the fact, which is slow. Or allocate a larger than 2k buffer, and provide em with a pointer that’s 2 bytes offset. Previously, the next size up from 2k was 4k, which is quite wasteful. The new 2k2 buffer size still wastes a bit of memory, but much less.

Continue reading openbsd changes of note...

Posted 2016-11-16 21:28:16 by tedu Updated: 2016-11-16 21:28:16
Tagged: openbsd software

process listing consistency

POSIX specifies that there is a ps utility to list processes, although it doesn’t describe how the command is implemented. In fact, it’s not possible to implement ps using only POSIX interfaces. However it’s implemented, it’s unlikely to use double buffering, which means on a sufficiently busy system, the results may be inconsistent. If lots of processes are being created and exited while ps runs, some of the output may be “before” and some “after”. Much like a game without vsync.

In order to test for inconsistency, we need to create lots of processes, but in a predictable way. Then we run ps over and over, looking for discrepancies. Enter the chicken and the egg.

Continue reading process listing consistency...

Posted 2016-10-06 12:26:37 by tedu Updated: 2016-10-06 12:26:37
Tagged: c openbsd programming

OpenBSD on HP Stream 7

Recent events have rocked the mobile computing world to its core. OpenBSD retired the zaurus port, leaving users in desperate need of a new device. And not long before that, Microsoft released the Anniversary Update to Windows 10, but with free space requirements such that it’s nigh impossible to install on cheap 32GB eMMC equipped devices such as the HP Stream series, leaving users searching for a new lightweight operating system. With necessity as both mother and father, the scene is set for a truly epic pairing. OpenBSD on the HP Stream 7.

The HP Stream line is a series of budget computers in a couple form factors. The Stream 11 is a fairly typical netbook. However, the Stream 7 and 8 are tablets. They look like cheap Android devices, but inside the case, they’re real boys, er PCs, with Intel Atom CPUs.

Continue reading OpenBSD on HP Stream 7...

Posted 2016-09-10 13:17:55 by tedu Updated: 2016-09-12 14:46:42
Tagged: computers gadget openbsd

doas mastery

It’s been a year since the introduction of doas, so it’s clearly time to write a book. Or maybe a pamphlet.

UNIX systems have two classes of user, the super user and regular users. The super user is super, and everybody else is not. This concentration of power keeps things simple, but also means that often too much power is granted. Usually we only need super user powers to perform one task. We would rather not have such power all the time. Think of the responsibility that would entail! Like the sudo command, doas allows for subdivision of super user privileges, granting them only for specific tasks.

The doas command itself has a few options, which we’ll discuss somewhat later, but the most interesting part is the configuration file. This is where the real magic happens.

Continue reading doas mastery...

Posted 2016-09-05 09:02:36 by tedu Updated: 2016-09-19 01:19:43
Tagged: openbsd software

backlight battery indicator

The last few models of Thinkpads are sadly devoid of indicators. How do you tell if caps lock is on? Type something and see if it matches expectations. If it happens to be the lock screen, loltastic. More importantly, how do you know if AC power has accidentally been disconnected and the battery is running low? The red dot on the opposite side of the lid isn’t much use.

It’s possible to use some sort of desktop environment status bar, but I prefer a low thrills environment. I don’t need a big honking battery icon distracting me. Accordingly, I have only a small (text) battery display in the corner. It’s there when I need it, but unobtrusive. The only problem is if I think I’m plugged into the wall, but I’m not, I won’t be checking battery and may not notice even as the situation grows dire.

Continue reading backlight battery indicator...

Posted 2016-08-28 02:43:19 by tedu Updated: 2016-09-09 21:02:52
Tagged: c computers openbsd programming

connect doesn’t restart

There was an interesting bug where pkg_add failed when resizing the terminal. The bug was actually in ftp, specifically the way it calls connect. When the terminal is resized, SIGWINCH is sent, which interrupts the connect system call. Sometimes syscalls restart, but connect is not among those that do. This may be a little surprising, because the previous bug involved the server side counterpart to connect, accept. On the server, accept restarts, but on the client, connect does not.

Behind the scenes, what’s happening? As the man page says, connect “initiates a connection on a socket”. It doesn’t say much about finishing the connection, though, which may be a bit surprising. Depending on whether the socket is blocking or nonblocking, there are two ways that may happen. This all assumes TCP, which involves some interplay of SYNs and ACKs that does not take place instantaneously. (Which explains why accept behaves differently. It is never in a half connected state.)
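One way to cope with an interrupted connect, as an added example that is not code from the original post or from ftp: wait for the socket to become writable and read the result from SO_ERROR. The names connect_interruptible and loopback_demo are hypothetical, and the loopback listener is constructed only so the example runs offline.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <unistd.h>

/*
 * connect() that survives a signal such as SIGWINCH. After EINTR the attempt
 * keeps running in the kernel and a second connect() would not restart it,
 * so poll for writability and read the outcome from SO_ERROR.
 */
int
connect_interruptible(int s, const struct sockaddr *sa, socklen_t salen)
{
	struct pollfd pfd = { .fd = s, .events = POLLOUT };
	int error = 0;
	socklen_t len = sizeof(error);

	if (connect(s, sa, salen) == 0)
		return 0;
	if (errno != EINTR && errno != EINPROGRESS)
		return -1;
	/* poll() may be interrupted too; unlike connect(), retrying it is safe */
	while (poll(&pfd, 1, -1) == -1)
		if (errno != EINTR)
			return -1;
	if (getsockopt(s, SOL_SOCKET, SO_ERROR, &error, &len) == -1)
		return -1;
	if (error != 0) {
		errno = error;
		return -1;
	}
	return 0;
}

/* Constructed demo: nonblock normally forces the EINPROGRESS/poll path. */
int
loopback_demo(int nonblock)
{
	struct sockaddr_in a;
	socklen_t alen = sizeof(a);
	int rv = -1;
	int ls = socket(AF_INET, SOCK_STREAM, 0);
	int c = socket(AF_INET, SOCK_STREAM, 0);

	memset(&a, 0, sizeof(a));
	a.sin_family = AF_INET;
	a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* port 0: kernel picks */
	if (ls != -1 && c != -1 &&
	    bind(ls, (struct sockaddr *)&a, sizeof(a)) == 0 &&
	    listen(ls, 1) == 0 &&
	    getsockname(ls, (struct sockaddr *)&a, &alen) == 0 &&
	    (!nonblock || fcntl(c, F_SETFL, O_NONBLOCK) == 0))
		rv = connect_interruptible(c, (struct sockaddr *)&a, alen);
	if (c != -1) close(c);
	if (ls != -1) close(ls);
	return rv;
}
```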

Continue reading connect doesn’t restart...

Posted 2016-08-15 21:00:54 by tedu Updated: 2016-08-15 21:00:54
Tagged: c openbsd programming

new shadow passwd functions

Long, long ago, password hashes were kept in the /etc/passwd file. This is obviously bad because it allows users to pry into other users’ hashes, attempting to crack them. The solution was to move the real hashes to another file, called master.passwd on OpenBSD. BSD systems also turn the text passwd files into a database file so that calling getpwnam is fast even with thousands of users on a 10MHz vax.

On some systems, e.g. Linux, there are two sets of functions. Normal functions like getpwnam that open the regular passwd files, and shadow functions like getspnam that open the files with password hashes. The problem is that struct passwd and struct spwd are not the same, making it difficult to write code that can work with both variants. Everything must be written twice, even though the code will be identical except for a few characters difference.

On BSD systems, the shadowed password files were integrated into the regular functions. Calling getpwnam will first attempt to open spwd.db and if that fails, will open the world readable pwd.db file without passwords. The same set of functions can be used for authentication programs like login and for user utilities like ls.

The downside to this second approach is that user utilities run as root still open the shadow files. If one were to discover an infoleak in ls that dumped memory contents, and tricked root into running it, and then tricked root into showing the output, that may result in a leak of the password hashes. Unlikely, but ungood.

New in OpenBSD 5.9 were a set of shadow functions such as getpwnam_shadow. These are documented to open the shadow password database, although the existing functions still worked. Starting with 6.0, the default functions no longer attempt to open the shadow database. Code which wishes to check passwords needs to use the shadow flavor of functions. However, the changes are very minimal, only requiring a change to the name of a single function call.

Posted 2016-08-12 18:27:39 by tedu Updated: 2016-08-12 18:27:39
Tagged: openbsd


xautobacklight

Some newer laptops adjust the screen brightness according to ambient light in the room. This is fairly annoying in most cases, because what I really care about is the relative brightness of the screen contents. White web pages are too bright in a dark room. Fortunately, there’s a tool, Lumen, which can adjust the backlight based on actual brightness. Unfortunately, it’s for somebody else’s computer.

In order to write xautobacklight we need to do about three things. We need to measure the screen brightness (and consequently detect changes). We need to adjust the backlight to a comfortable level. And, as a bonus, we need to fiddle with the contrast.

Continue reading xautobacklight...

Posted 2016-08-09 17:33:25 by tedu Updated: 2016-09-09 21:03:45
Tagged: openbsd project x11

it’s hard work printing nothing

It all starts with a bug report to LibreSSL that the openssl tool crashes when it tries to print NULL. This bug doesn’t manifest on OpenBSD because libc will convert NULL strings to “(null)” when printing. However, this behavior is not required, and as observed, it’s not universal. When snprintf silently accepts NULL, that simply leads to propagating the error.

There’s an argument to be made that silly error messages are better than crashing browsers, but stacking layers of sand seems like a poor means of building robust software in the long term.

As soon as development for the next release of OpenBSD restarted, some developers began testing a patch that would remove this crutch from printf.

Continue reading it’s hard work printing nothing...

Posted 2016-08-08 17:00:03 by tedu Updated: 2016-10-10 19:46:11
Tagged: c openbsd programming

one reason to hate openbsd

The gcc-local man page, which documents local changes to the compiler has this to say.

The -O2 option does not include -fstrict-aliasing, as this option causes issues on some legacy code. -fstrict-aliasing is very unsafe with code that plays tricks with casts, bypassing the already weak type system of C.

What does this mean and why should you care? The first part is easy to answer. Long ago, in the dark ages when legacy code was written, people used to write functions like this:

float superbad(float f)
{
        int *x = (int *)&f;
        *x = 0x5f3759df - ( *x >> 1 );
        return f;
}

The C standard clearly says that objects are not to be accessed through incompatible pointers, but people did it anyway. Fucking idiots.
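For comparison, an added example that is not from the original post: the same bit trick written so that it does not depend on the compiler's aliasing setting. The name notsobad and the use of uint32_t are choices made here; results match superbad for non-negative inputs.

```c
#include <stdint.h>
#include <string.h>

/*
 * Same arithmetic as superbad(), but the float's bytes are copied into an
 * integer object instead of being read through an int pointer. memcpy
 * between two objects of the same size is defined with or without
 * -fstrict-aliasing, and compilers reduce it to a register move.
 */
float
notsobad(float f)
{
	uint32_t bits;

	_Static_assert(sizeof(bits) == sizeof(f), "float must be 32 bits");
	memcpy(&bits, &f, sizeof(bits));	/* float -> raw bits */
	bits = 0x5f3759df - (bits >> 1);
	memcpy(&f, &bits, sizeof(f));		/* raw bits -> float */
	return f;
}
```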

As for why one should care about the default setting of the compiler, the best answer I can give is that if you’re in a position to care, you probably know more than enough to form your own opinion and don’t need me to explain it to you. Otherwise, nobody cares except to the extent it confirms one’s own biases.

The strict aliasing optimization is disabled in gcc 4.2 because it was disabled in gcc 3.3. It was disabled in gcc 3.3 because it was disabled in gcc 2.95. It was disabled in gcc 2.95 because it was the year 1999.

The gcc-local man page continues with even more stupid options.

The -O2 option does not include -fstrict-overflow, as this option causes issues on some legacy code. -fstrict-overflow can cause surprising optimizations to occur, possibly deleting security critical overflow checks.
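An added example, not from the original post, of the kind of check the man page is talking about: a bounds test that relies on signed wraparound, next to one that never overflows. The function names and the offset/length scenario are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>

/*
 * 'Before': relies on off + len wrapping negative on overflow. Signed
 * overflow is undefined, so with -fstrict-overflow the compiler may assume
 * it cannot happen; since len >= 0 here, the wrap test is then always
 * false and can be deleted.
 */
bool
range_ok_wrapping(int off, int len, int bufsize)
{
	if (off < 0 || len < 0)
		return false;
	if (off + len < off)	/* the check the optimizer may remove */
		return false;
	return off + len <= bufsize;
}

/*
 * 'After': same policy, but off + len is never formed. Every subtraction
 * below is between values already known to be ordered and non-negative.
 */
bool
range_ok(int off, int len, int bufsize)
{
	if (off < 0 || len < 0 || bufsize < 0)
		return false;
	if (off > bufsize)
		return false;
	return len <= bufsize - off;
}
```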


The Strict Aliasing Situation Is Pretty Bad.

Posted 2016-07-25 12:52:07 by tedu Updated: 2016-09-08 13:06:33
Tagged: c openbsd rants

my int is too big

Lots of kernel patches yesterday. Several of them, as reported by NCC, involved similar integer truncation issues. Actually, they involved very similar modern 64 bit code meeting classic 32 bit code. The NCC Group report describes the bugs, but not the history of the code. (Some of the other bugs like usermount aren’t interesting. The unp bug is kind of interesting, but not part of the NCC set. Also doesn’t involve integers. Another time.)


The thrsleep system call is a part of the kernel code that supports threads. As the name implies, it gives userland a measure of control over scheduling and lets a thread sleep until something happens. As such, it takes a timeout in the form of a timespec. The kernel, however, internally implements time keeping using ticks (there are HZ, 100, ticks per second). The tsleep function (t is for timed) takes an int number of ticks and performs basic validation by checking that it’s not negative. A negative timeout would indicate that the caller has miscalculated. The kernel panics so you can fix the bug, instead of stalling forever.
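The pattern described above, as an added illustration rather than the kernel's actual code: a tick count computed in 64 bits from a timespec is narrowed to int, so a huge timeout arrives as a negative one. HZ comes from the text; the function names and the clamping policy are assumptions made here.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <time.h>

#define HZ 100			/* ticks per second, as in the text */
#define NSEC_PER_TICK (1000000000L / HZ)

/*
 * 'Before': computed in 64 bits, then narrowed to the int that a
 * tick-based sleep takes. Large timeouts come out negative.
 */
int
ticks_truncating(const struct timespec *ts)
{
	int64_t ticks = (int64_t)ts->tv_sec * HZ + ts->tv_nsec / NSEC_PER_TICK;

	return (int)ticks;	/* out of range: wraps on the usual ABIs */
}

/*
 * 'After': reject a malformed timespec, clamp what does not fit in an int.
 * Returns 0 and stores the tick count, or EINVAL.
 */
int
ticks_checked(const struct timespec *ts, int *ticks)
{
	if (ts->tv_sec < 0 || ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000L)
		return EINVAL;
	if (ts->tv_sec > (INT_MAX - HZ) / HZ)
		*ticks = INT_MAX;	/* longest representable sleep */
	else
		*ticks = (int)(ts->tv_sec * HZ + ts->tv_nsec / NSEC_PER_TICK);
	return 0;
}
```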

Continue reading my int is too big...

Posted 2016-07-15 15:47:35 by tedu Updated: 2016-07-15 18:33:44
Tagged: c openbsd

timeline of libexpat random vulnerability

libexpat calls rand to obtain a secret hash salt. That’s not good. Actually, as far as vulnerabilities go, it’s pretty chickenshit, but perhaps there’s a lesson to be learned.

2012-03-24 - libexpat 2.1.0 released with a fix for an algorithmic hash table attack (CVE-2012-0876). It uses rand() seeded by srand(time(NULL)) to obtain a hash table salt.

2012-04-01 - libexpat 2.1.0 imported to OpenBSD. The rand calls are replaced with arc4random as spotted by deraadt and nicm. April Fools!

2012-04-05 - A public report that using random may be too predictable.

2013 - Tick tock.

2014 - Tick tock.

2015-02-07 - Redhat bug filed. The complaint is not that rand is a poor choice for secret salts, but that calling srand interferes with the proper malfunctioning of other rand consumers.

2016-06-04 - libexpat is the proud recipient of two more CVE awards. By sheer miraculous luck, OpenBSD is not susceptible. Users of other operating systems need not be alarmed as libexpat has been patched to use getpid as a source of entropy as well.

const unsigned long entropy = gather_time_entropy() ^ getpid() ^ (unsigned long)parser;

Lesson to be learned? Sometimes bad things happen and there’s nothing we can do to prevent them. So it goes.

Posted 2016-06-10 05:40:40 by tedu Updated: 2016-06-10 05:40:40
Tagged: openbsd security software