OpenBSD Journal
It's Official: The OpenSSL Overhaul Is A Fork: Welcome LibreSSL in OpenBSD 5.6
Contributed by weerd on Tue Apr 22 22:18:46 2014 (GMT)
from the must-have-missed-starssl-then dept.

Yes, it's official. The recent work in cleaning up OpenSSL is now officially a fork, with its own website and donation link.

The project's name going forward is LibreSSL, and according to the (so far spartan) website, the first release will be included in OpenBSD 5.6, which is expected to be released November 1st, 2014.

Faster and more capable whatis(1)/apropos(1)
Contributed by tbert on Tue Apr 22 15:02:20 2014 (GMT)
from the search me, man! dept.

Not one to get lost in the OpenSSL/m2k14 shuffle, Ingo Schwarze (schwarze@) has, after much work and improvement, updated the man page search functionality:

Date: Fri, 18 Apr 2014 04:00:48 -0600 (MDT)
From: Ingo Schwarze
To: source-changes@cvs.openbsd.org
Subject: CVS: cvs.openbsd.org: src

CVSROOT:        /cvs
Module name:    src
Changes by:     schwarze@cvs.openbsd.org        2014/04/18 04:00:48

Modified files:
        etc            : weekly
        libexec        : Makefile
        usr.bin        : Makefile
        usr.bin/mandoc : Makefile
        usr.sbin/pkg_add/OpenBSD: Add.pm Delete.pm Paths.pm PkgCreate.pm
        share/man      : Makefile
        share/man/man8 : daily.8

Log message:
Switch to the new makewhatis(8)/apropos(1)/whatis(1) combo.
"commit the switch now" espie@  "go for it" deraadt@

See the apropos(1) manual for a description of what's new.
On machines where you want the full functionality,
run "sudo makewhatis" and put "MAKEWHATISARGS=' '" into weekly.local(8).
Otherwise, when upgrading via source, run "sudo makewhatis -Q".

Call for Testing: vlan(4) improvements (Update updated)
Contributed by tbert on Tue Apr 22 17:19:36 2014 (GMT)
from the tag-you're-it dept.

Henning Brauer (henning@) writes in to let us know that he has some vlan(4) improvements in the pipeline:

so, on vlan, to insert the vlan tag, we right now:
-copy (most of) the existing ethernet header into a ether_vlan_header
 on the stack
-fill the extra fields (tag, inside ether type) in ether_vlan_header
-set the ether type
-m_adj() to make room for the extra space ether_vlan_header needs
-m_copyback the ether_vlan_header into the mbuf

that involves moving data around, which isn't all that cheap.

now it turns out it is trivial to have ether_output prepend the
ether_vlan_header instead of the regular ethernet header, which makes
the vlan tagging essentially free in most cases.

you need a very current src tree to test this, relies on the code
shuffling in if_ethersubr.c I did a few hours ago.

If you have a setup that involves vlan(4), you can test by applying the updated patch, building from source and pushing some packets. As always, widespread testing is key to the continued quality of our releases.
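
To make the header layout behind that mbuf shuffle concrete, here is an added userland C example (not Henning's code and not from the OpenBSD tree) that replays the current insertion path on a flat buffer holding a constructed ARP frame: the struct mirrors the field names of the kernel's ether_vlan_header, and the stack copy, m_adj() and m_copyback() steps become memcpy/memmove. The frame contents, VLAN 100 and priority 3 are constructed sample values.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define ETHER_HDR_LEN  14        /* dst + src + ether_type */
#define EVL_ENCAPLEN   4         /* TPID + TCI that 802.1Q inserts */
#define ETHERTYPE_VLAN 0x8100

/* 802.1Q header as it sits on the wire: dst, src, TPID, TCI, inner type. */
struct ether_vlan_header {
    uint8_t  evl_dhost[ETHER_ADDR_LEN];
    uint8_t  evl_shost[ETHER_ADDR_LEN];
    uint16_t evl_encap_proto;    /* ETHERTYPE_VLAN, network byte order */
    uint16_t evl_tag;            /* PCP:3 DEI:1 VID:12, network byte order */
    uint16_t evl_proto;          /* the original ether_type */
} __attribute__((packed));

/* Build the 16-bit TCI: priority in the top 3 bits, VID in the low 12. */
uint16_t vlan_tci(uint8_t pcp, uint8_t dei, uint16_t vid)
{
    return (uint16_t)(((pcp & 7) << 13) | ((dei & 1) << 12) | (vid & 0xfff));
}
/* The current path from the mail, on a flat buffer: copy the header to the
 * stack, fill the tag, open a 4-byte hole (m_adj), copy back (m_copyback).
 * Returns the new length, or 0 if short, already tagged, or over cap. */
size_t vlan_insert_tag(uint8_t *frame, size_t len, size_t cap, uint16_t tci)
{
    struct ether_vlan_header evh;
    uint16_t type;
    if (len < ETHER_HDR_LEN || len + EVL_ENCAPLEN > cap)
        return 0;
    memcpy(&type, frame + 2 * ETHER_ADDR_LEN, sizeof(type));
    if (ntohs(type) == ETHERTYPE_VLAN)
        return 0;                /* refuse to double-tag */
    memcpy(&evh, frame, 2 * ETHER_ADDR_LEN);   /* dst + src unchanged */
    evh.evl_encap_proto = htons(ETHERTYPE_VLAN);
    evh.evl_tag = htons(tci);
    evh.evl_proto = type;        /* original type moves behind the tag */
    memmove(frame + sizeof(evh), frame + ETHER_HDR_LEN, len - ETHER_HDR_LEN);
    memcpy(frame, &evh, sizeof(evh));
    return len + EVL_ENCAPLEN;
}
/* Constructed sample: 20-byte ARP frame (type 0x0806, 6 payload bytes),
 * tagged into VLAN 100 at priority 3; the result stays in vlan_demo_frame. */
uint8_t vlan_demo_frame[64] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,
    0x00,0x00,0x01, 0x08,0x06, 0xaa,0xbb,0xcc,0xdd,0xee,0xff };
size_t vlan_demo(void)
{
    return vlan_insert_tag(vlan_demo_frame, 20, sizeof(vlan_demo_frame),
        vlan_tci(3, 0, 100));
}
```

The memmove of the whole payload is the cost the mail is talking about; prepending the tagged header in ether_output avoids it because the header is written exactly once.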

ALTQ removed from -current
Contributed by pitrh on Sat Apr 19 11:44:47 2014 (GMT)
from the Shapin' up good, Puffy! dept.

In between all the OpenSSL sound and fury it could have been easy to miss, but one of the likely Big News candidates for OpenBSD 5.6 just happened: Removal of the ALTQ traffic shaping system.

The commit message by Henning Brauer (henning@) reads:

CVSROOT:	/cvs
Module name:	src
Changes by:	henning@cvs.openbsd.org	2014/04/19 04:07:44

Modified files:
	sys/conf       : GENERIC 

Log message:
-option ALTQ

One week of OpenSSL cleanup
Contributed by weerd on Fri Apr 18 15:28:55 2014 (GMT)
from the its-not-a-race-and-everybody-is-winning dept.

After the news of heartbleed broke early last week, the OpenBSD team dove in and started axing it up into shape. Leading this effort are Ted Unangst (tedu@) and Miod Vallat (miod@), who are head-to-head on a pure commit count basis with both having around 50 commits in this part of the tree in the week since Ted's first commit in this area. They are followed closely by Joel Sing (jsing@) who is systematically going through every nook and cranny and applying some basic KNF. Next in line are Theo de Raadt (deraadt@) and Bob Beck (beck@) who've been both doing a lot of cleanup, ripping out weird layers of abstraction for standard system or library calls.

Then Jonathan Gray (jsg@) and Reyk Flöter (reyk@) come next, followed by a group of late starters. Also, an honorable mention for Christian Weisgerber (naddy@), who has been fixing issues in ports related to this work.

All combined, there have been over 250 commits cleaning up OpenSSL. In one week. Some of these are simple or small changes, while other commits carry more weight. Of course, occasionally mistakes get made, but these are quickly fixed again, and the general direction is clear: move the tree forward towards a better, more readable, less buggy crypto library.

m2k14: Hackathon Begins
Contributed by tbert on Thu Apr 17 17:52:43 2014 (GMT)
from the save-me-a-seat-in-asgard dept.

As is their wont, a number of developers have congregated for another hackathon, this time in sunny Morocco.

You can, of course, follow the commits on source-changes, but the war cries that lead us down the road to Valhalla are being collected for your inspiration and amusement at OpenSSL Valhalla Rampage.

As always, it is your donations that make it possible for our berserkers to greet the Valkyries!

OpenBSD has started a massive strip-down and cleanup of OpenSSL
Contributed by phessler on Tue Apr 15 09:29:08 2014 (GMT)
from the how-i-learned-to-stop-worrying-and-shine-the-turd dept.

The denizens of lobste.rs (and no doubt you, eagle-eyed reader!) have made note of the ongoing rototilling of the OpenSSL code in OpenBSD, and Joshua Stein (jcs@) has chimed in with a quick breakdown of the action thus far:

Changes so far to OpenSSL 1.0.1g since the 11th include:

  • Splitting up libcrypto and libssl build directories
  • Fixing a use-after-free bug
  • Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
  • Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
  • Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
  • Ripping out some windows-specific cruft
  • Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
  • KNF of most C files
  • Removal of weak entropy additions
  • Removal of all heartbeat functionality which resulted in Heartbleed

To clarify, not all of the cryptographic engines were removed; the padlock and aesni engines are still in place.

As always, it's heartening to see a concentrated effort on such a critical software component.

OpenBSD Foundation Funding Goals Reached
Contributed by pitrh on Thu Apr 10 19:38:08 2014 (GMT)
from the banking on Puffy dept.

Bob Beck (beck@) writes in to tell us that the OpenBSD Foundation 2014 fundraising campaign has reached its goals:

The OpenBSD Foundation is happy to report that the $150,000 goal of the 2014 fundraising campaign has been reached.

We wish to thank our contributors large and small. We will continue our fundraising efforts both in the current year and next year.

heartbleed vs malloc.conf (updated)
Contributed by tbert on Thu Apr 10 13:40:19 2014 (GMT)
from the exploit-mitigation-mitigation dept.

Ted Unangst (tedu@) has posted an article about how OpenSSL has managed to sidestep OpenBSD's malloc.conf(3) protections:

About two years ago, OpenSSL introduced a new feature that you’ve never used or even heard about until yesterday, after somebody discovered a bug that could be used to read process memory.

As they say, read the whole thing.

Update:
tedu@ has a follow-up post in which he finds a particularly nasty bug in the code that sidesteps the malloc.conf options, which means that, unpatched, it cannot be disabled:

Instead of telling people to find themselves a better malloc, OpenSSL incorporated a one-off LIFO freelist. You guessed it. OpenSSL misuses the LIFO freelist. In fact, the bug I’m about to describe can only exist and go unnoticed precisely because the freelist is LIFO.

As they say, read this other thing.


Copyright © 2004-2009 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with thttpd (plus patches) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]