OpenBSD Journal
OpenBSD has started a massive strip-down and cleanup of OpenSSL
Contributed by phessler on Tue Apr 15 09:29:08 2014 (GMT)
from the how-i-learned-to-stop-worrying-and-shine-the-turd dept.

The denizens of lobste.rs (and no doubt you, eagle-eyed reader!) have made note of the ongoing rototilling of the OpenSSL code in OpenBSD, and Joshua Stein (jcs@) has chimed in with a quick breakdown of the action thus far:

Changes so far to OpenSSL 1.0.1g since the 11th include:

  • Splitting up libcrypto and libssl build directories
  • Fixing a use-after-free bug
  • Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
  • Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
  • Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
  • Ripping out some windows-specific cruft
  • Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
  • KNF of most C files
  • Removal of weak entropy additions
  • Removal of all heartbeat functionality which resulted in Heartbleed

To clarify, not all of the cryptographic engines were removed; the padlock and aesni engines are still in place.

As always, it's heartening to see a concentrated effort on such a critical software component.


OpenBSD Foundation Funding Goals Reached
Contributed by pitrh on Thu Apr 10 19:38:08 2014 (GMT)
from the banking on Puffy dept.

Bob Beck (beck@) writes in to tell us that the OpenBSD Foundation 2014 fundraising campaign has reached its goals:

The OpenBSD Foundation is happy to report that the $150,000 goal of the 2014 fundraising campaign has been reached.

We wish to thank our contributors large and small. We will continue our fundraising efforts both in the current year and next year.


heartbleed vs malloc.conf (updated)
Contributed by tbert on Thu Apr 10 13:40:19 2014 (GMT)
from the exploit-mitigation-mitigation dept.

Ted Unangst (tedu@) has posted an article about how OpenSSL has managed to sidestep OpenBSD's malloc.conf(3) protections:

About two years ago, OpenSSL introduced a new feature that you’ve never used or even heard about until yesterday, after somebody discovered a bug that could be used to read process memory.

As they say, read the whole thing.

Update:
tedu@ has a follow-up post in which he finds a particularly nasty bug in the freelist code (the very code that sidesteps the malloc.conf options), which means that the freelist cannot be disabled without patching:

Instead of telling people to find themselves a better malloc, OpenSSL incorporated a one-off LIFO freelist. You guessed it. OpenSSL misuses the LIFO freelist. In fact, the bug I’m about to describe can only exist and go unnoticed precisely because the freelist is LIFO.

As they say, read this other thing.
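To make the point of the two posts concrete, here is a toy model written for this summary (it is not OpenSSL's or libc's code). A fixed pool of record-sized buffers is handed out either through an OpenSSL-style LIFO freelist, where a freed buffer is pushed on a stack with its contents untouched and popped again by the very next allocation, or through a stand-in "system" allocator that junks freed memory the way malloc.conf(3) option J does and does not hand the same chunk straight back. The pool size, the junk byte value and the two scenarios are assumptions made for the demo:

```c
#include <stdio.h>
#include <string.h>

/* Toy model for this page, not OpenSSL's or libc's code.
 *   use_freelist = 1: LIFO freelist, freed buffers never reach malloc/free.
 *   use_freelist = 0: "system" allocator standing in for malloc.conf J
 *                     (junk on free) that does not recycle the last chunk. */
#define SLOTS    4
#define BUF_SIZE 32
#define JUNK     0xdf   /* assumed junk pattern for the demo */

static unsigned char pool[SLOTS][BUF_SIZE];
static int in_use[SLOTS];
static int freelist[SLOTS], top;   /* LIFO stack of free slot indices */
static int next_slot;              /* rotating cursor for the junking allocator */

static void reset_pool(void)
{
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
    top = 0;
    next_slot = 0;
}

static unsigned char *buf_alloc(int use_freelist)
{
    int i = 0, k;

    if (use_freelist && top > 0) {
        i = freelist[--top];          /* most recently freed, contents intact */
    } else {
        for (k = 0; k < SLOTS; k++) { /* first free slot at or after the cursor */
            i = (next_slot + k) % SLOTS;
            if (!in_use[i])
                break;
        }
        if (k == SLOTS)
            return NULL;              /* pool exhausted */
        next_slot = (i + 1) % SLOTS;
    }
    in_use[i] = 1;
    return pool[i];
}

static void buf_free(unsigned char *b, int use_freelist)
{
    int i = (int)((b - (unsigned char *)pool) / BUF_SIZE);

    in_use[i] = 0;
    if (use_freelist) {
        freelist[top++] = i;          /* never junked, never returned to malloc */
        return;
    }
    memset(b, JUNK, BUF_SIZE);        /* what malloc.conf J would do on free */
}

/* Follow-up post scenario: a read buffer is released while a pointer into
 * it is still live, then the next read allocates again. Returns 1 when the
 * stale pointer still sees its record (bug hidden), 0 when it sees junk. */
int stale_read_still_works(int use_freelist)
{
    unsigned char *rbuf, *nbuf;

    reset_pool();
    rbuf = buf_alloc(use_freelist);
    memcpy(rbuf, "record", 7);
    buf_free(rbuf, use_freelist);                 /* released too early */
    nbuf = buf_alloc(use_freelist);               /* buffer for the next record */
    (void)nbuf;                                   /* under LIFO, nbuf == rbuf */
    return memcmp(rbuf, "record", 7) == 0;        /* use after free */
}

/* First post scenario: a buffer that held sensitive data is freed, recycled
 * and only partly overwritten by its new owner. Returns 1 if an over-read of
 * the recycled buffer still shows the old data. */
int freed_data_survives(int use_freelist)
{
    unsigned char *old, *cur;

    reset_pool();
    old = buf_alloc(use_freelist);
    memcpy(old, "0123456789SECRET", 16);         /* constructed sensitive data */
    buf_free(old, use_freelist);
    cur = buf_alloc(use_freelist);
    memcpy(cur, "ping", 4);                       /* new owner writes 4 bytes */
    return memcmp(cur + 10, "SECRET", 6) == 0;    /* over-read past those 4 */
}

int main(void)
{
    printf("UAF hidden:        freelist=%d system=%d\n",
           stale_read_still_works(1), stale_read_still_works(0));
    printf("old data readable: freelist=%d system=%d\n",
           freed_data_survives(1), freed_data_survives(0));
    return 0;
}
```

With the freelist on, both scenarios report 1: the use-after-free keeps working because the next allocation hands back the same buffer, and the old contents are still there for an over-read to pick up. With the stand-in junking allocator, both report 0, which is exactly the behaviour malloc.conf was meant to give and the freelist takes away.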


Patches for OpenSSL bounds checking bug
Contributed by tbert on Tue Apr 8 06:56:09 2014 (GMT)
from the oh SSLeeping hearts dept.

Patches for the so-called heartbleed OpenSSL bug have been released by the OpenBSD project for OpenBSD 5.3-stable, OpenBSD 5.4-stable and OpenBSD 5.5.

In the short statement contained in the commit message, Theo de Raadt (deraadt@) noted that OpenSSH is unaffected.
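As an illustration of the kind of bounds check that was missing (added here for this summary; a simplified model, not OpenSSL's code or the actual patch), the following C shows a heartbeat responder that trusts the payload length claimed in the message next to one that first checks the claim against the size of the record it actually received. The message layout follows RFC 6520 (type, 2-byte length, payload, at least 16 bytes of padding); the record contents, the neighbouring "secret" bytes and the buffer sizes are constructed for the demo:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heartbeat responder for this page, not OpenSSL's code.
 * Message: 1 byte type | 2 bytes payload_length | payload | >= 16 bytes padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_PADDING  16

/* Vulnerable: copies payload_length bytes as claimed by the peer and never
 * compares the claim with rec_len. The demo places rec inside a larger
 * buffer so the resulting over-read stays in memory we own. */
static int hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *resp)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    (void)rec_len;                                  /* the bug: ignored */
    if (rec[0] != HB_REQUEST)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload_len >> 8);
    resp[2] = (unsigned char)(payload_len & 0xff);
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);   /* reads past rec */
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING); /* real padding is random */
    return HB_HDR + payload_len + HB_PADDING;
}

/* Fixed: discard records too short for header plus padding, and records
 * whose claimed payload does not fit inside what was actually received. */
static int hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp)
{
    uint16_t payload_len;

    if (rec_len < HB_HDR + HB_PADDING)
        return -1;                                  /* silently discard */
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;                                  /* silently discard */
    if (rec[0] != HB_REQUEST)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload_len >> 8);
    resp[2] = (unsigned char)(payload_len & 0xff);
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Constructed input: a 23-byte request carrying a 4-byte payload that
 * claims to be 32 bytes long, followed in the same buffer by bytes that
 * stand in for whatever else lived next to it in the process heap. */
#define REC_LEN  (HB_HDR + 4 + HB_PADDING)          /* 23 */
#define CLAIMED  32
static const char SECRET[] = "SECRET-KEY";          /* 10 bytes + NUL */

static void build_arena(unsigned char arena[64])
{
    memset(arena, 0, 64);
    arena[0] = HB_REQUEST;
    arena[1] = CLAIMED >> 8;
    arena[2] = CLAIMED & 0xff;
    memcpy(arena + HB_HDR, "ping", 4);             /* padding stays zero */
    memcpy(arena + REC_LEN, SECRET, sizeof SECRET); /* heap "neighbour" */
}

/* 1 if the vulnerable responder echoes the neighbouring secret back. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[64], resp[128];
    int n;

    build_arena(arena);
    n = hb_respond_vulnerable(arena, REC_LEN, resp);
    if (n != HB_HDR + CLAIMED + HB_PADDING)
        return 0;
    /* resp[k] mirrors arena[k] for the copied range, so the secret lands at REC_LEN */
    return memcmp(resp + REC_LEN, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the fixed responder drops the lying request yet answers an honest one. */
int fixed_rejects_overlong(void)
{
    unsigned char arena[64], resp[128];
    int bad, good;

    build_arena(arena);
    bad = hb_respond_fixed(arena, REC_LEN, resp);   /* claims 32, carries 4 */
    arena[1] = 0;
    arena[2] = 4;                                   /* honest length */
    good = hb_respond_fixed(arena, REC_LEN, resp);
    return bad == -1 && good == REC_LEN && memcmp(resp + HB_HDR, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects overlong:  %d\n", fixed_rejects_overlong());
    return 0;
}
```

The whole fix is the single comparison of the claimed length against `rec_len`; everything the peer controls has to be checked against what was actually received before it is used as a copy length.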


Call for testing: acpiec(4) clear events on attach and resume
Contributed by pitrh on Fri Mar 28 06:10:13 2014 (GMT)
from the acpi-easy-event dept.

Paul Irofti (pirofti@) wrote in about his ongoing effort to untangle acpiec events. Paul writes,

The following patch attempts to fix an issue where multiple ACPI EC events pile up during suspend and fill a buffer that upon resume prevent further event notifications.

The fix clears up the event queue early on during resume and also upon initial acpiec(4) attach.

And of course there's a patch to test - description and download link after the fold.


OpenBSD 5.5 preorders have been enabled
Contributed by weerd on Fri Mar 28 08:16:30 2014 (GMT)
from the high-five-dot-five dept.

OpenBSD 5.5 preorders have been enabled on the ordering page.

With this commit, Theo de Raadt (deraadt@) enabled pre-orders for the upcoming release:

Module name:	www
Changes by:	deraadt@cvs.openbsd.org	2014/03/26 20:09:10

Modified files:
	.              : errata55.html index.html older.html orders.html 

Log message:
activate 5.5 pre-orders; wonder which of the regulars win this time

Pre-orders tend to arrive early (before official release date), grab the chance to have early access! You won't be the winner if you just learned about it now, since at least one guy on misc@ has already beaten you to it :-)


Call for Testing: upd(4)
Contributed by tbert on Thu Mar 20 10:51:50 2014 (GMT)
from the no-breaks-for-the-wicked dept.

Andre de Oliveira (andre@) has committed the upd(4) driver, which detects uninterruptible power supplies (UPS) attached via USB; they show up in the dmesg like this:

uhidev0 at uhub1 port 1 configuration 1 interface 0 "American Power Conversion Back-UPS RS 500 FW:30.j5.I USB FW:j5" rev 1.10/0.06 addr 2
uhidev0: iclass 3/0, 98 report ids
upd0 at uhidev0


hp300, mvme68k, and mvme88k Arches Move to the Attic
Contributed by tbert on Wed Mar 19 19:25:55 2014 (GMT)
from the to-the-great-/dev/null-in-the-sky dept.

In a recent commit, miod@ removed support for some of the older platforms that were supported by OpenBSD:

Retire hp300, mvme68k and mvme88k ports. These ports have no users, keeping
this hardware alive is becoming increasingly difficult, and I should heed the
message sent by the three disks which have died on me over the last few days.

No one sane will mourn these ports anyway. So long, and thanks for the fish.


Heads Up: Apache Removed from Base
Contributed by jj on Fri Mar 14 09:01:27 2014 (GMT)
from the puffy-vs-geronimo dept.

In a series of commits, Florian Obser (florian@) has unhooked Apache from the OpenBSD base build. This means you need to pay special attention when upgrading your systems:

/usr/sbin/httpd and the associated tools and files have been removed. Consider using nginx(8) for your http serving needs, but note that nginx is not a drop-in replacement. For people who need the old httpd(8) and cannot switch at this time, see the port www/apache-httpd-openbsd.



Copyright © 2004-2009 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with thttpd (plus patches) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]