Contributed by rueda on from the Cooking up crypto dept.
Our next g2k16 report comes from Brent Cook (
bcook@), who writes:
One of the delicate parts of attending an OpenBSD gathering is explaining to immigration officials how you're going to be hacking on security code with people you met on the internet for a week. This is usually a ticket to a second-level security screening, or at least a raised eyebrow.
This time, after explaining in vague terms about a computer coding conference, my British Imigration official suggested 'oh, you mean a hackathon!'. So, I knew this one would be special.
Armed with a cheap Chromebook, I poked at the boot process for Rockchip RK3288-based devices, with the thought of porting OpenBSD to this fairly common class of laptops. My first goal, based on a suggestion from bmercer, was to get an unverified u-boot working, which could then be the springboard for the OpenBSD kernel.
I managed to get a u-boot image building and loading on my Asus Chromebook Flip, but didn't get much beyond an initial black screen on the device - not too exciting. In the mean time, jcs pointed out that LibreBoot put out its first release, which has support for a similar C201, and looks promising.
Aside from Chromebook exploration, I still did a fair amount work with LibreSSL. For the first couple of days, beck and I spent some time rearranging the CVS tree. The source for 'libcrypto' had always been under 'libssl' since this was a vendor import. But, since the LibreSSL fork, we had not needed to do bulk upstream imports, so it was time to move libcrypto's source under the right path. Now libcrypto and libssl look like all of the other OpenBSD libraries.
I also used a tool called 'stack' (https://css.csail.mit.edu/stack/) to look for compiler optimizations due to undefined behavior. This uncovered a couple of interesting bugs, and a few false positives as well, the most important of which are now fixed.
I also spent time backporting some constant-time changes for RSA exponentiation, which are important for avoiding some corner-case cache timing attacks, as well as looking at beck's changes backporting APIs from newer versions of OpenSSL. By the time OpenBSD 6.1 is released, ports should require fewer LibreSSL-specific patches.
I imported Tobias Pape's new callback API for libtls, which makes it easier to integrate libtls into external event libraries, or use transport objects other than sockets or file descriptors. I also got 'nc(1)' working with DTLS on top of a patch from manuels from github, though it is still a work-in-progress.
mikeb and I discussed ways to address cache-attacks on the C version of libcrypto and ipsec's AES implementation, which led to a lot of train and plane reading on the way home. I also chatted with avsm about libtls OCaml bindings and how to simplify their job. Portable openbgpd and httpd still seem to be high on people's wish list, so I also worked on early ports of those.
You could say the most important contribution I made was testing jsc's new console handling patch on my x220, which showed odd screen corruption. Thankfully he managed to work out the bugs, and now OpenBSD terminal received some much-needed comic relief!
Thanks a ton to avsm and Gemma for organizing this event, as well as awakening my latent passion for PG Tips.
Many thanks for the report, Brent!
(Comments are closed)