On this week's episode, BSDNow interviews FreeBSD Security Officer Dag-Erling Smørgrav, links back to Undeadly g2k14 hackathon reports, and discusses the week's BSD news and hearsay.
As is now a habit, I had made zero plans for this hackathon, I had some unfinished stuff lying around, and no real big task ahead. Firefox 31 betas were already working for me, and only needed actual testing.
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2014/07/22 11:37:16
Modified files:
    usr.sbin : Makefile
    etc : Makefile changelist rc.conf
Added files:
    etc/rc.d : httpd
Log message:
Enable httpd(8) in the builds to get more testing, feedback and improvements. It is not "finished" but serves static files.
ok deraadt@
Undeadly was able to get a few minutes of time with Brent Cook (bcook@), who worked on the official LibreSSL port:
Undeadly: Tell us about yourself; who are you, and how did you get involved with the LibreSSL porting effort?
bcook@: My name is Brent Cook. I'm a generalist programmer by day, mostly working on low-level system stuff. I'm also a code performance junky, and I also play piano and saxophone, gigging occasionally around Austin, TX.
Matthieu Herrb (matthieu@), who is the mad Frenchman who maintains Xenocara, writes in to share his g2k14 experience:
My main projects (multitouch, dhcpv6) didn't make any progress as I was distracted into X sets tweaks at the request of a few other hackers.
We have released an update, LibreSSL 2.0.3 - which should be arriving in the LibreSSL directory of an OpenBSD mirror near you very soon. This release includes a number of portability fixes based on the feedback we have received from the community. It also includes some improvements to the fork detection support. As noted before, we welcome feedback from the broader community. Enjoy, -Bob
Having missed Ljubljana 1, I looked forward to Ljubljana 2 with great expectations. I was not disappointed! Mitja ran a great hackathon with a nice site and an excellent city around it.
I spent most of this hackathon looking at problems in wifi drivers.
I wasn't exactly sure in advance which problems I wanted to work on. So I packed a bunch of hardware, including several USB wifi adapters, (rsu(4), 2x run(4), rum(4), urtwn(4), zyd(4)), some miniPCIe cards (an unsupported cousin of urtwn(4) named Realtek 8188CE, unsupported athn(4) AR9485, bwi(4)), two laptops, and an access point. This left me with more than enough toys for a week.
I arrived in Ljubljana somewhat tired so I started the first day off with some light ping(8) and ping6(8) hacking. Some unifdef(1) application for #ifdef FEATURE_THAT_EXISTS_SINCE_FOREVER_BUT_MAYBE_WE_DONT_HAVE_IT and some cleanup by hand. The idea is to have ping(8) and ping6(8) be the same binary like traceroute(8) and traceroute6(8).
In the week right before the hackathon, I have done quite a bit of work cleaning up mandoc(1) warning and error messages. The goal is to provide more, more precise, and more readily understandable information to the user, in particular mentioning in the messages which section titles, macro names, and arguments each individual message is related to, and which workaround or fallback mandoc(1) has chosen, if any.
For me the hackathon started before arriving in Ljubljana. On my trip I noticed that there was something wrong with my ssh connections: some did not work. So I started debugging in Munich Airport and the result was a quick fix for a recent bug in ssh-add.
This hackathon started out for me with my usual routine of fixing some bugs in Puppet, add more facts to Facter and dig into pkg-config.
One of the first things I did at g2k14 was import the Mesa update I've been working on for some time now. I've been tracking the Mesa git for a few months and submitting patches to reduce the amount of pain involved and given the local diff isn't too large anymore it seemed like a decent time to update. Shortly before the hackathon I ran into a problem getting Mesa to build on i386 however. It turns out there is an i386 only codepath that does a sysctl to check if SSE is enabled. This turned out to be a problem because sysctl.h pulls in uvm_extern.h which then pulls in a bunch of kernel headers including mutex.h which meant that Mesa's mtx_init() collided with the kernel's mtx_init(). Theo spent some time cleaning up the sysctl and uvm headers so they wouldn't include anywhere near as many definitions, and that work had already been committed when I arrived at the hackathon.
I came to the hackathon with a single goal: working on the driver for the USB host controller interface found on the octeon machines.
As unusual as it sounds for someone working with the OpenBSD project, I'm not primarily an OpenBSD user. I actually use a Mac and Linux equally, and even do a fair amount of Windows development. Some might say my involvement was more of a survival of the fittest.
There are two kinds of hackathons.
Those where you pack your headphones, and don't use them. And those where you forget to pack them, and wish you hadn't.
As a veteran hackathon attendee, I packed my headphones, of course. And I was more than happy to keep them packed, as the pace of the hackathon was so hectic it was better to relax by talking to people than to relax by listening to music.
In the two weeks leading up to Slovenia I worked with Bob Beck on the replacement functions that would be needed to emulate getentropy(2). During the start of the hackathon there was a final bit of work to ensure Bob and Brent Cook were on their way with that.
My initial plan was to bring our base to a state where LLVM's libcpp could be compiled, giving us C++11 support. After I read up on the latest POSIX locale additions, other developers made it clear that more library version cranks will be necessary in order not to break ports. After the first diff was ready, I set up a base system build to check if it breaks. And then my life has changed...
I came to hackathon with a short but heavy TODO list:
1. Finish KDE 4.13.2 and prepare 4.13.3 (official announce to be done Jul 15);
2. Import at least some stuff from semi-official openbsd-wip ports repository to official CVS;
3. Fix the long-standing issue with kded4 constantly eating CPU;
4. Continue hacking on Samba 4.x;
5. Enable ext2fs in RAMDISK_CD for amd64.
6. Put in CVS some stuff under ports/infrastructure/ I've developed for last months.
7. Put in CVS the man-pages-posix port.
First time in Slovenia. Took a few hours off to see the city, managing to escape the thunderstorms. Somewhat interesting mix, never seen that mixture of Eastern European, Southern Europe, and tourist places.
Our second g2k14 report comes from Henning Brauer (henning@), who writes:
g2k14 has been weird: I, for the most part, wrote IPv6 code. No, that doesn't mean I'd suddenly think inet6 is any good. But let's start from the beginning.
Bob Beck (beck@) was the first developer to submit a report from the just concluded g2k14 hackathon:
Well, this was certainly not the hackathon I would have predicted several months ago for me. Had you asked me in January what I'd be doing here it would have been wading into uvm, kernel lock, buffer cache, and other such things in the kernel.
Then LibreSSL happened.
Bob Beck (beck@) announced the second release of LibreSSL-portable:
Bob also writes: We have released an update, LibreSSL 2.0.1. This release includes a number of portability fixes based on the initial feedback we have received from the community. This includes among other things two new configure options to set OPENSSLDIR and ENGINESDIR. We have removed a few hardcoded compiler options that were problematic on some systems as well as -Werror. We have also re-synced with the latest OpenBSD sources as a number of issues were fixed upstream. This release also includes pkg-config support. As noted before, we welcome feedback from the broader community. Enjoy, -Bob
Also starting with this release the directory includes SHA256 signatures which are signed using signify. The signify public key for libressl is:
untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
Bob Beck (beck@) announced the release of LibreSSL-portable:
The first release of LibreSSL portable has been released. LibreSSL can be found in the LibreSSL directory of your favorite OpenBSD mirror. http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors will soon. libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OSX, and FreeBSD. This is intended as an initial release to allow the community to start using and providing feedback. We will be adding support for other platforms as time and resources permit. As always, donations (http://www.openbsdfoundation.org/donations.html) are appreciated to assist in our efforts. Enjoy, -Bob
The commit by Reyk Floeter (reyk@) has a CVS log message that reads:
Author Peter Hansteen comments, "It's good to see that the thing is still widely read and referenced. I'll keep working on that and the book for as long as it makes sense.", and continues, "But please do remember that I would have had nothing to write about without a vital OpenBSD project producing high quality stuff. Please remember to not just buy the book, but also donate to the project to help keep it running."
You heard the man, now go ahead, read and donate!
The vulnerability known as CVE-2014-3956 could allow local users to interfere with open SMTP connections, and it is strongly advised that any sendmail users out there patch their systems without undue delay.
ld.so has a very basic malloc. This diff changes it to use a (somewhat stripped) libc malloc with all the randomization and other goodness.
A bit late ourselves on a late announcement, but Theo de Raadt (deraadt@) and Bob Beck (beck@) will be giving a presentation in Calgary:
I'm sorry for the late public announcement...
Tomorrow (Tuesday) Bob Beck will be hurtling down the Highway from Edmonton to Calgary.
Then in the evening, he and I will present at the local Calgary unix group meeting about recent changes in LibreSSL, OpenBSD, and how the OpenBSD Foundation fits into this.
Anyone in the area who is able to attend probably should.
An Anonymous Coward writes in to tell us about sightings of secrets-related privsep in the wild:
The developer known by the pseudonym insane coder, who authored the popular pro-LibreSSL review LibreSSL: The good and the bad, has presented a solution for preventing common coding mistakes resulting in another Heartbleed:
To protect against exploiting such bugs, one should ensure that buffer overflows do not have access to memory containing private data. The memory containing private keys and similar kinds of data should be protected, meaning nothing should be allowed to read from them, not even the web server itself.
He then talks about using memory protection and process separation to isolate a server's private keys from anything which can be exploited to send them over the network.
This technique has already been utilized in an stunnel-like server, and it remains to be seen when others will follow.
Thanks for the tip, Anonymous Coward!
Check out the build details after the break.
X Font Service Protocol & Font metadata file handling issues in libXfont
- CVE-2014-0209: integer overflow of allocations in font metadata file parsing
- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
- CVE-2014-0211: integer overflows calculating memory needs for xfs replies
Please see the advisory for more information. http://lists.x.org/archives/xorg-announce/2014-May/002431.html
I'll be doing a webcast on O'Reilly's community site called "Beyond Security: OpenBSD's Real Purpose." This will go out live on Tuesday, 27 May, 1PM EDT. I'll take questions at the end.
The talk will focus on OpenBSD as a pressure cooker to change the world. If only I had a really good example of this whole "pressure cooker" idea from, say, the last month or so, then the talk would feel really current and attract a lot of interest from the outside world.
If only, indeed!
Another BSDCan has come and gone, and for those of you who missed the fun, the OpenBSD presentations are now online:
BSDCan started for me with a long flight over from Europe. 9 hours before I collected one of my favourite souvenirs from a trip (the passport stamp), pop into Tim Hortons to grab a coffee (North American drip coffee is just that. Drip.) before running to bounce up to Ottawa.
There is also a lunchtime OpenBSD, libressl and stuff BOF session that may produce interesting results.
Recently, Ted Unangst (tedu@) committed a tweak for malloc(3) freelists:
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2014/05/12 13:02:20
Modified files:
    lib/libc/stdlib: malloc.c
Log message:
change to having four freelists per size, to reduce another source of deterministic behavior. four selected because it's more than three, less than five. i.e., no particular reason.
These changes make it much harder for bugs which require the immediate recycling of freed memory, an example of which was famously unearthed during the heartbleed fallout, to go undiscovered.
Book of PF author and Undeadly editor Peter Hansteen asks the following question:
Does enforced password change at set intervals actually enhance security?
Given the increasing sophistication of password cracking techniques, and potentially insecure methods for two-factor authentication, what can administrators do to strike the balance between utility and security?
BSDNow Episode 36 is out, with the titular segment featuring RAID setups on both FreeBSD and OpenBSD.
It also features an overview of the April issue of BSDMag, an interview with FreeBSD developer David Chisnall, using FreeBSD in the cloud, a new episode of BSDTalk, and a weekly update from PCBSD.
Although much internet hand wringing has been performed in the service of "Won't someone think of the child^H^H^H^H^Hportability!", the OpenBSD devs are making changes in OpenBSD itself which will make the upcoming release of LibreSSL more easily portable to other operating systems:
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2014/05/08 15:43:49
Modified files:
    lib/libc/stdlib: Makefile.inc malloc.c
Added files:
    lib/libc/stdlib: reallocarray.c
Log message:
move reallocarray() to a separate file so that -portable applications can avoid reinventing the wheel
ok guenther schwarze
reallocarray(3) was added to address issues found in the OpenSSL source, and now exists as a single, freely-licensed, easily-included file for any and all who require it to make LibreSSL work on their system, as long as that system isn't Irix running Visual C 1.5.2.
Over at Servicevirtualization.com, Bob Beck (beck@) was interviewed for a piece called Dead Code Walking: What Companies Can Do to Mitigate Old, Bad Code about the Heartbleed bug and the subsequent LibreSSL fork. A favorite quote:
ServiceVirtualization: What can organizations do to ensure they are building applications using high-quality, open-source components?
Beck: This is not an open source problem. It’s a problem with any codebase you incorporate or reuse. Examine where they come from, have competent developers look at what they are bringing in, and know what the motivations of the organization is that is developing them. OpenBSD can stand well on its own track record. We are security-focused developers.
Martynas Venckus (martynas@) has committed a pair of security-related enhancements to OpenBSD's gcc(1), improving the bug- and exploit-resistance of the entire system.
The first, a new -fstack-shuffle option, hopes to find bugs that were slipping through due to the ordering of variables on the stack.
CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2014/05/06 17:22:33
Modified files:
    gnu/gcc/gcc : cfgexpand.c common.opt
Log message:
Introduce -fstack-shuffle, which randomizes local stack variables. This will make the environment more hostile and help detect bugs that depend on overrunning one variable into another, with almost no performance cost. Discussed with Theo at m2k14 hackathon.
"oh god yes" tedu@, "oh nice" djm@
i maintain Android's C library which, as you may know, contains a lot of OpenBSD code. i've been working to clean up our mess and get us back in sync with upstream, and currently have 173 files that are exactly the same as current upstream OpenBSD. (more than we have from the other two BSDs put together.)
OpenBSD users and developers know to appreciate that our favorite operating system is a sanely constructed, modern Unix with a well deserved reputation for an emphasis on security. That is perhaps one of the reasons why the LibreSSL initiative has caused so much excitement, to the point where several people have independently started efforts to port the OpenBSD project's work in progress LibreSSL code to other platforms.
The main takeaway is:
OpenBSD functions may be more secure than counterparts elsewhere
Starting today, we're going to try sending patches out via email so you don't miss them.
Several previous errata have also been recently published for OpenBSD 5.4 and 5.5. We won't be mailing them out individually since they aren't new, but you should check the web site for details.
Refer to http://www.openbsd.org/errata55.html and errata54.html.
(Also note that OpenBSD 5.3 is officially end of life and will not be receiving any more patches.)
When I arrived in Morocco I had a few small things I wanted to look at, which I naturally ended up spending most of my time on. While Puppet generally works great on OpenBSD, the port itself was in dire need of some cleaning and pushing patches upstream. While working on the port I finally sat down to iron out some (the last?) bugs in the "ensure => latest" patch we have to update packages to their latest version. Moving Puppet and all the related components of the stack to use Ruby 2.0 (instead of 1.9) concludes my work on Puppet for m2k14.
Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 "unprepared" about what I was going to do.
On the menu of new features for this release:
- install sets and packages are now signed by signify(1). Yes, this really is 2014.
- a scripted installation mode is available in the installer, and ISO images to dump onto USB sticks are provided. It was already possible to install OpenBSD from a USB stick; it is now even simpler!
- on the hardware side, multiprocessor support on alpha, OpenBSD/vax has moved to GCC3, and a number of new drivers (ubcmtp(4), qla(4)…) have been added for hardware support as well as virtual support: vmx(4), vmwpvs(4), vioscsi(4)… who said OpenBSD had poor support for virtualization as a guest?
- an impressive list of changes in iked(8) (OCSP support, RSA key authentication, IP allocation to clients via an address pool) and smtpd(8) (partial support for DSN and ENHANCEDSTATUSCODES, SNI, many improvements in smtpctl(8))
- the random number generator is now initialized right at boot for more paranoia!
In ports/packages, GNOME 3.10.2, KDE 4.11.5 (FINALLY \o/), still Xfce 4.10, Firefox 26, Chromium 32, 4 different versions of ruby, 2 of python, 2 of php.. everything you need to build a desktop, or a dev/web server.
And finally, a multitude of other changes in OpenSSH, but there I'll let you go read the list like grown-ups.
Of course, an upgrade guide is provided; pay special attention because of the ABI change caused by time_t..
Stay tuned for 5.6, which is going to rock mama bears with things like smtpd and nginx by default, libressl, nsd/unbound, and lots of other shiny stuff!
Looking at the release announcement and other sources such as the release page, it's easy to see that there are numerous goodies in store for you: A whole new traffic shaping system to replace ALTQ, 64-bit time_t, cryptographically signed base sets and packages, automatic installation features, improved hardware support, and more.
And if you haven't already, a good way to say a big thank you to Theo and the other developers is to go to the orders site and buy CD sets, T-shirts and other items. Direct donations are welcome too, of course.
One more data point for why OpenBSD 5.6 will be, for lack of a better word, awesome.
Hi there. I'm trying to find somebody who is actually using either Kerberos or SRP support in libssl. I'm inclined to remove support for them. While the bulk of the code sits off to the side, the integration requires adding several additional cases to some of the most critical paths.
For reference, OpenBSD hasn't ever compiled support for either of these features and I haven't seen many complaints. The code has all the hallmarks of something that somebody needed once, threw over the fence, and has been barely maintained on life support ever since. That said, we'd rather not be too hasty in deleting it because unbeknownst to us, it could be useful.
We're looking for somebody to stand up and say "Not only do I need SRP support, but I'm sufficiently invested that I'd like to help maintain it."
Note that I'm not looking for negative responses. You don't need to tell me you think it's ok to delete these features. I already think that.
Also note that I'm not really interested in rumors or whispers. You don't need to tell me that it's possible somebody else uses Kerberos. I know it's possible, that's why I'm asking. I'd like to know who.
If you or one of your loved ones has a need for this, speak now or resurrect the code from the attic.
The OpenBSD Foundation is very pleased to announce that Google has granted us five student slots for GSOC 2014.
The five projects that we will be undertaking as a result are:
- Proper YACC parsers for dhcpd and dhclient.
- Systemd-like support for ports.
- GPT and UEFI.
- Improved dhcpd.
Kudos to the winning students and the generous volunteers who will serve as mentors for the projects.
We're looking forward to seeing the results of the students' work, mentored by notable OpenBSD developers!
I set off for Marrakech planning to look at updating DB in ports and taking care of changes needed in ports for a UVM diff for mpi@, but ended up getting swept away by the wave of destruction in ports from removal of the dangerous RAND_egd API in libssl, removal of Heimdal Kerberos from the base OS and (to a lesser extent) the final removal of altq, so frequent port builds and mopping up were the order of the day, and other projects were put on the back-burner.
Not one to get lost in the OpenSSL/m2k14 shuffle, Ingo Schwarze (schwarze@) has, after much work and improvement, updated the man page search functionality:
Date: Fri, 18 Apr 2014 04:00:48 -0600 (MDT)
From: Ingo Schwarze
To: email@example.com
Subject: CVS: cvs.openbsd.org: src

CVSROOT: /cvs
Module name: src
Changes by: firstname.lastname@example.org 2014/04/18 04:00:48
Modified files:
    etc : weekly
    libexec : Makefile
    usr.bin : Makefile
    usr.bin/mandoc : Makefile
    usr.sbin/pkg_add/OpenBSD: Add.pm Delete.pm Paths.pm PkgCreate.pm
    share/man : Makefile
    share/man/man8 : daily.8
Log message:
Switch to the new makewhatis(8)/apropos(1)/whatis(1) combo.
"commit the switch now" espie@
"go for it" deraadt@
See the apropos(1) manual for a description of what's new.
On machines where you want the full functionality, run "sudo makewhatis" and put "MAKEWHATISARGS=' '" into weekly.local(8). Otherwise, when upgrading via source, run "sudo makewhatis -Q".
The commit message by Henning Brauer (henning@) reads:
CVSROOT: /cvs
Module name: src
Changes by: email@example.com 2014/04/19 04:07:44
Modified files:
    sys/conf : GENERIC
Log message:
-option ALTQ
After the news of heartbleed broke early last week, the OpenBSD team dove in and started axing it up into shape. Leading this effort are Ted Unangst (tedu@) and Miod Vallat (miod@), who are head-to-head on a pure commit count basis with both having around 50 commits in this part of the tree in the week since Ted's first commit in this area. They are followed closely by Joel Sing (jsing@) who is systematically going through every nook and cranny and applying some basic KNF. Next in line are Theo de Raadt (deraadt@) and Bob Beck (beck@) who've been both doing a lot of cleanup, ripping out weird layers of abstraction for standard system or library calls.
Then Jonathan Gray (jsg@) and Reyk Flöter (reyk@) come next, followed by a group of late starters. Also, an honorable mention for Christian Weisgerber (naddy@), who has been fixing issues in ports related to this work.
All combined, there've been over 250 commits cleaning up OpenSSL. In one week. Some of these are simple or small changes, while other commits carry more weight. Of course, occasionally mistakes get made but these are also quickly fixed again, but the general direction is clear: move the tree forward towards a better, more readable, less buggy crypto library.
As is their wont, a number of developers have congregated for another hackathon, this time in sunny Morocco.
You can, of course, follow the commits on source-changes, but the war cries that lead us down the road to Valhalla are being collected for your inspiration and amusement at OpenSSL Valhalla Rampage.
As always, it is your donations that make it possible for our berserkers to greet the Valkyries!
Changes so far to OpenSSL 1.0.1g since the 11th include:
- Splitting up libcrypto and libssl build directories
- Fixing a use-after-free bug
- Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
- Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
- Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
- Ripping out some windows-specific cruft
- Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
- KNF of most C files
- Removal of weak entropy additions
- Removal of all heartbeat functionality which resulted in Heartbleed
To clarify, not all of the cryptographic engines were removed; the padlock and aesni engines are still in place.
As always, it's heartening to see a concentrated effort on such a critical software component.
The OpenBSD Foundation is happy to report that the $150,000 goal of the 2014 fundraising campaign has been reached.
We wish to thank our contributors large and small. We will continue our fundraising efforts both in the current year and next year.
About two years ago, OpenSSL introduced a new feature that you’ve never used or even heard about until yesterday, after somebody discovered a bug that could be used to read process memory.
As they say, read the whole thing.
tedu@ has a follow up post in which he finds a particularly nasty bug in the code which sidesteps the malloc.conf options, which means that it cannot, unpatched, be disabled:
Instead of telling people to find themselves a better malloc, OpenSSL incorporated a one-off LIFO freelist. You guessed it. OpenSSL misuses the LIFO freelist. In fact, the bug I’m about to describe can only exist and go unnoticed precisely because the freelist is LIFO.
As they say, read this other thing.
In the short statement contained in the commit message, Theo de Raadt (deraadt@) noted that OpenSSH is unaffected.