[update] net/wiresep-0.11.3

2020-04-26 Thread Tim Kuijsten
Here is a new point release that contains some reliability fixes
for potential deadlocks, as well as some fixes in printing session
ids on macppc.
Index: Makefile
===
RCS file: /cvs/ports/net/wiresep/Makefile,v
retrieving revision 1.7
diff -u -p -r1.7 Makefile
--- Makefile24 Apr 2020 20:50:15 -  1.7
+++ Makefile26 Apr 2020 15:37:07 -
@@ -2,7 +2,7 @@
 
 COMMENT =  privilege separated implementation of WireGuard
 
-DISTNAME = wiresep-0.11.2
+DISTNAME = wiresep-0.11.3
 MASTER_SITES = https://netsend.nl/wiresep/archive/
 
 CATEGORIES =   net security
Index: distinfo
===
RCS file: /cvs/ports/net/wiresep/distinfo,v
retrieving revision 1.5
diff -u -p -r1.5 distinfo
--- distinfo24 Apr 2020 20:50:15 -  1.5
+++ distinfo26 Apr 2020 15:37:07 -
@@ -1,2 +1,2 @@
-SHA256 (wiresep-0.11.2.tar.gz) = 7ajqpCYcrVeH1dZruknNol6WBOGxgSObRqfq1/mSgic=
-SIZE (wiresep-0.11.2.tar.gz) = 396400
+SHA256 (wiresep-0.11.3.tar.gz) = uvhWBE7V9C7Zqms7ApSiFODi7thN7jO+QM2BBtFFBK8=
+SIZE (wiresep-0.11.3.tar.gz) = 396804
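Review bot: the SHA256 and SIZE lines are the only integrity anchor for the new distfile, and MASTER_SITES (in the Makefile hunk above) is a plain HTTPS directory on the maintainer's own domain, so the committer should regenerate distinfo with `make makesum` from a freshly fetched wiresep-0.11.3.tar.gz and compare the result with the submitted values rather than apply them as-is.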


Re: [update] net/wiresep-0.11.2

2020-04-24 Thread Tim Kuijsten
Stuart Henderson  wrote:
> On 2020/04/24 00:22, Tim Kuijsten wrote:
> > New upstream release that includes patches by Klemens Nanni that
> > fix an endless loop on platforms where char is unsigned, e.g. macppc.
> 
> thanks - as this is a noop (the only thing that changes is the package
> version number) I think there's no benefit to pushing it to ports before
> 6.7.

no problem, thanks for letting me know.

I do have another change I made this morning that fixes a deadlock
when the queue runs full. If all goes well I'll probably wrap it in
another bugfix release this weekend.



[update] net/wiresep-0.11.2

2020-04-23 Thread Tim Kuijsten
New upstream release that includes patches by Klemens Nanni that
fix an endless loop on platforms where char is unsigned, e.g. macppc.
Index: Makefile
===
RCS file: /cvs/ports/net/wiresep/Makefile,v
retrieving revision 1.6
diff -u -p -r1.6 Makefile
--- Makefile	20 Apr 2020 20:45:12 -	1.6
+++ Makefile	23 Apr 2020 22:14:53 -
@@ -2,8 +2,7 @@
 
 COMMENT =		privilege separated implementation of WireGuard
 
-DISTNAME = 		wiresep-0.11.1
-REVISION =		0
+DISTNAME = 		wiresep-0.11.2
 MASTER_SITES =		https://netsend.nl/wiresep/archive/
 
 CATEGORIES =		net security
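Review bot: dropping `REVISION = 0` together with the DISTNAME bump is correct, since REVISION only distinguishes package rebuilds of one upstream version and starts over at a new DISTNAME.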
Index: distinfo
===
RCS file: /cvs/ports/net/wiresep/distinfo,v
retrieving revision 1.4
diff -u -p -r1.4 distinfo
--- distinfo	7 Apr 2020 17:45:32 -	1.4
+++ distinfo	23 Apr 2020 22:14:53 -
@@ -1,2 +1,2 @@
-SHA256 (wiresep-0.11.1.tar.gz) = CpaX21JT7q5RAteZCy2VDJNtZ/35NzZpBHFqxNCIxEI=
-SIZE (wiresep-0.11.1.tar.gz) = 396242
+SHA256 (wiresep-0.11.2.tar.gz) = 7ajqpCYcrVeH1dZruknNol6WBOGxgSObRqfq1/mSgic=
+SIZE (wiresep-0.11.2.tar.gz) = 396400
Index: patches/patch-master_c
===
RCS file: patches/patch-master_c
diff -N patches/patch-master_c
--- patches/patch-master_c	20 Apr 2020 20:45:12 -	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -
@@ -1,18 +0,0 @@
-$OpenBSD: patch-master_c,v 1.1 2020/04/20 20:45:12 kn Exp $
-
-getopt(3) returns int not char;  fix endless loop on platforms where char
-is unsigned, e.g. macppc.
-
-Index: master.c
 master.c.orig
-+++ master.c
-@@ -133,7 +133,8 @@ main(int argc, char **argv)
- 	int configtest, foreground, stdopen, masterport, stat;
- 	pid_t pid;
- 	const char *errstr;
--	char c, *eargs[4], *eenv[1], *logfacilitystr, *oldprogname;
-+	char *eargs[4], *eenv[1], *logfacilitystr, *oldprogname;
-+	int c;
- 
- 	/* should endup in a configure script */
- 	if (sizeof(struct msgwginit) != 148)
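Review bot: deleting this patch is only correct if wiresep-0.11.2 really carries the same `int c` change in master.c; the cover letter says the release includes Klemens Nanni's patches, but the upstream change itself is not in this diff, so check the getopt loop in the extracted tarball before committing. The same applies to patches/patch-wiresep-keygen_c below.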
Index: patches/patch-wiresep-keygen_c
===
RCS file: patches/patch-wiresep-keygen_c
diff -N patches/patch-wiresep-keygen_c
--- patches/patch-wiresep-keygen_c	20 Apr 2020 20:45:12 -	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -
@@ -1,17 +0,0 @@
-$OpenBSD: patch-wiresep-keygen_c,v 1.1 2020/04/20 20:45:12 kn Exp $
-
-getopt(3) returns int not char;  fix endless loop on platforms where char
-is unsigned, e.g. macppc.
-
-Index: wiresep-keygen.c
 wiresep-keygen.c.orig
-+++ wiresep-keygen.c
-@@ -121,7 +121,7 @@ main(int argc, char **argv)
- 	uint8_t privkey[X25519_KEY_LENGTH], pubkey[X25519_KEY_LENGTH];
- 	char b64privkey[46], b64pubkey[46];
- 	int i, fd, wd, ret;
--	char c;
-+	int c;
- 	char *keypath, *presharedkey, *filename;
- 
- 	presharedkey = NULL;
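The getopt(3) return-type bug that the two deleted patches fixed (`char c` versus `int c`), shown as an added C example. This is not wiresep code: getopt(3) is replaced by a stand-in with the same contract (one option character per call, then -1), driven by a constructed option string, so the loop can be run several times without platform-specific optind/optreset handling.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Added demonstration, not wiresep code. getopt(3) returns int and yields -1
 * at the end of the options. Stored in a char on a platform where char is
 * unsigned (e.g. macppc), -1 becomes 255, so `!= -1` is always true and the
 * option loop never ends. Declaring `int c` is the fix.
 */

#define MAX_ITER 16   /* bound so the buggy variant terminates in this demo */

/* Constructed input: the option letters of a command line such as `-d -v -v`. */
static const char constructed_opts[] = "dvv";

/* Stand-in for getopt(3): one option character per call, then -1 forever. */
static int
fake_getopt(int *pos)
{
	if (constructed_opts[*pos] == '\0')
		return -1;                /* end of options, as getopt(3) does */
	return (unsigned char)constructed_opts[(*pos)++];
}

/* 1 if plain char is unsigned on the platform this runs on (e.g. macppc). */
int
char_is_unsigned(void)
{
	return CHAR_MIN == 0;
}

/* Fixed version (`int c`): returns how many options were consumed. */
int
loop_with_int(void)
{
	int c, pos = 0, n = 0;

	while ((c = fake_getopt(&pos)) != -1)
		n++;
	return n;
}

/*
 * Buggy version with the char type forced unsigned, i.e. what `char c`
 * means on macppc regardless of where this demo runs. Returns -1 when
 * the loop never sees -1 and hits MAX_ITER.
 */
int
loop_with_unsigned_char(void)
{
	unsigned char c;
	int pos = 0, n = 0;

	while ((c = fake_getopt(&pos)) != -1) {   /* 255 != -1: always true */
		if (++n > MAX_ITER)
			return -1;
	}
	return n;
}

/* Buggy version as literally written in the old code: plain `char c`. */
int
loop_with_plain_char(void)
{
	char c;
	int pos = 0, n = 0;

	while ((c = fake_getopt(&pos)) != -1) {
		if (++n > MAX_ITER)
			return -1;
	}
	return n;
}

int
main(void)
{
	printf("char is %s on this platform\n",
	    char_is_unsigned() ? "unsigned" : "signed");
	printf("int c:           %d options\n", loop_with_int());
	printf("unsigned char c: %d (-1 = endless loop)\n", loop_with_unsigned_char());
	printf("plain char c:    %d\n", loop_with_plain_char());
	return 0;
}
```

clang, for example, flags the always-true comparison in loop_with_unsigned_char with -Wtautological-constant-out-of-range-compare; that warning is the cheapest detector for this class of bug.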


Re: [update] net/wiresep 0.10.1 => 0.11.1

2020-04-07 Thread Tim Kuijsten
Whoops, the previous patch was based on an old tree; here is the same patch based
on the latest ports tree.

Tim Kuijsten  wrote:
> This is the latest and greatest.
> 
> Please note I've moved away from GitHub to my own domain.
> Index: Makefile
> ===
> RCS file: /cvs/ports/net/wiresep/Makefile,v
> retrieving revision 1.3
> diff -u -p -r1.3 Makefile
> --- Makefile  18 Mar 2020 22:22:25 -  1.3
> +++ Makefile  7 Apr 2020 16:40:40 -
> @@ -2,11 +2,12 @@
>  
>  COMMENT  =   privilege separated implementation of WireGuard
>  
> -GH_ACCOUNT = timkuijsten
> -GH_PROJECT = wiresep
> -GH_TAGNAME = v0.9.0
> +DISTNAME =   wiresep-0.11.1
> +MASTER_SITES =   https://netsend.nl/wiresep/archive/
>  
> -CATEGORIES = net
> +CATEGORIES = net security
> +
> +HOMEPAGE =   https://netsend.nl/wiresep/
>  
>  MAINTAINER = Tim Kuijsten 
>  
> Index: distinfo
> ===
> RCS file: /cvs/ports/net/wiresep/distinfo,v
> retrieving revision 1.2
> diff -u -p -r1.2 distinfo
> --- distinfo  18 Mar 2020 22:22:25 -  1.2
> +++ distinfo  7 Apr 2020 16:40:40 -
> @@ -1,2 +1,2 @@
> -SHA256 (wiresep-0.9.0.tar.gz) = SNdzSCMFfvRsssMRW3DbkbVj+H3pq9NpJQcNiR0oTEE=
> -SIZE (wiresep-0.9.0.tar.gz) = 97932
> +SHA256 (wiresep-0.11.1.tar.gz) = CpaX21JT7q5RAteZCy2VDJNtZ/35NzZpBHFqxNCIxEI=
> +SIZE (wiresep-0.11.1.tar.gz) = 396242
> Index: pkg/README
> ===
> RCS file: /cvs/ports/net/wiresep/pkg/README,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 README
> --- pkg/README15 Mar 2020 22:02:04 -  1.1.1.1
> +++ pkg/README7 Apr 2020 16:40:40 -
> @@ -8,8 +8,7 @@ Basics
>  ==
>  
>  Create a new configuration file in ${SYSCONFDIR}/wiresep/wiresep.conf and 
> create
> -a new private key with wiresep-keygen(1) and store it in
> -${SYSCONFDIR}/wiresep/tun0.key.
> +a new private key with wiresep-keygen(1).
>  
>  See wiresep.conf(5) and ${PREFIX}/share/examples/wiresep/wiresep.conf.example
>  for a basic example configuration.
> @@ -18,4 +17,4 @@ After you have created a config file and
>  started with `rcctl start wiresep`. If you want to enable wiresep on startup 
> run
>  `rcctl enable wiresep`.
>  
> -Additional information on wiresep can be found in wiresep(8).
> +Additional information can be found in wiresep(8).


Index: Makefile
===
RCS file: /cvs/ports/net/wiresep/Makefile,v
retrieving revision 1.4
diff -u -p -r1.4 Makefile
--- Makefile31 Mar 2020 19:00:59 -  1.4
+++ Makefile7 Apr 2020 17:14:51 -
@@ -2,11 +2,12 @@
 
 COMMENT =  privilege separated implementation of WireGuard
 
-GH_ACCOUNT =   timkuijsten
-GH_PROJECT =   wiresep
-GH_TAGNAME =   v0.10.1
+DISTNAME = wiresep-0.11.1
+MASTER_SITES =     https://netsend.nl/wiresep/archive/
 
-CATEGORIES =   net
+CATEGORIES =   net security
+
+HOMEPAGE = https://netsend.nl/wiresep
 
 MAINTAINER =   Tim Kuijsten 
 
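Review bot: `HOMEPAGE = https://netsend.nl/wiresep` lacks the trailing slash that the quoted first version of this patch had (`https://netsend.nl/wiresep/`); either works as a link, but the two submissions should agree. MASTER_SITES correctly ends in `/`, which the ports infrastructure needs because the distfile name is appended directly.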
Index: distinfo
===
RCS file: /cvs/ports/net/wiresep/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo31 Mar 2020 19:00:59 -  1.3
+++ distinfo7 Apr 2020 17:14:51 -
@@ -1,2 +1,2 @@
-SHA256 (wiresep-0.10.1.tar.gz) = Dps3BN8zgtwKGbiG8mAAGMZ5jqA5oooVEHQhpdm8a48=
-SIZE (wiresep-0.10.1.tar.gz) = 99830
+SHA256 (wiresep-0.11.1.tar.gz) = CpaX21JT7q5RAteZCy2VDJNtZ/35NzZpBHFqxNCIxEI=
+SIZE (wiresep-0.11.1.tar.gz) = 396242
Index: pkg/README
===
RCS file: /cvs/ports/net/wiresep/pkg/README,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 README
--- pkg/README  15 Mar 2020 22:02:04 -  1.1.1.1
+++ pkg/README  7 Apr 2020 17:14:51 -
@@ -8,8 +8,7 @@ Basics
 ==
 
 Create a new configuration file in ${SYSCONFDIR}/wiresep/wiresep.conf and 
create
-a new private key with wiresep-keygen(1) and store it in
-${SYSCONFDIR}/wiresep/tun0.key.
+a new private key with wiresep-keygen(1).
 
 See wiresep.conf(5) and ${PREFIX}/share/examples/wiresep/wiresep.conf.example
 for a basic example configuration.
@@ -18,4 +17,4 @@ After you have created a config file and
 started with `rcctl start wiresep`. If you want to enable wiresep on startup 
run
 `rcctl enable wiresep`.
 
-Additional information on wiresep can be found in wiresep(8).
+Additional information can be found in wiresep(8).
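Review bot: with `${SYSCONFDIR}/wiresep/tun0.key` removed, the README no longer tells the user where the generated private key has to live. If wiresep-keygen(1) now decides the location itself, a sentence saying so and pointing at that man page would close the gap; if not, the path should stay.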


[update] net/wiresep 0.10.1 => 0.11.1

2020-04-07 Thread Tim Kuijsten
This is the latest and greatest.

Please note I've moved away from GitHub to my own domain.
Index: Makefile
===
RCS file: /cvs/ports/net/wiresep/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- Makefile18 Mar 2020 22:22:25 -  1.3
+++ Makefile7 Apr 2020 16:40:40 -
@@ -2,11 +2,12 @@
 
 COMMENT=   privilege separated implementation of WireGuard
 
-GH_ACCOUNT =   timkuijsten
-GH_PROJECT =   wiresep
-GH_TAGNAME =   v0.9.0
+DISTNAME = wiresep-0.11.1
+MASTER_SITES = https://netsend.nl/wiresep/archive/
 
-CATEGORIES =   net
+CATEGORIES =   net security
+
+HOMEPAGE = https://netsend.nl/wiresep/
 
 MAINTAINER =   Tim Kuijsten 
 
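Review bot: this hunk is against Makefile revision 1.3 and removes `GH_TAGNAME = v0.9.0`, but the tree already moved to 0.10.1 with the earlier `[UPDATED] net/wiresep 0.9.0 -> 0.10.1` submission, so it will not apply to the current revision; regenerate the diff against an up-to-date checkout.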
Index: distinfo
===
RCS file: /cvs/ports/net/wiresep/distinfo,v
retrieving revision 1.2
diff -u -p -r1.2 distinfo
--- distinfo18 Mar 2020 22:22:25 -  1.2
+++ distinfo7 Apr 2020 16:40:40 -
@@ -1,2 +1,2 @@
-SHA256 (wiresep-0.9.0.tar.gz) = SNdzSCMFfvRsssMRW3DbkbVj+H3pq9NpJQcNiR0oTEE=
-SIZE (wiresep-0.9.0.tar.gz) = 97932
+SHA256 (wiresep-0.11.1.tar.gz) = CpaX21JT7q5RAteZCy2VDJNtZ/35NzZpBHFqxNCIxEI=
+SIZE (wiresep-0.11.1.tar.gz) = 396242
Index: pkg/README
===
RCS file: /cvs/ports/net/wiresep/pkg/README,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 README
--- pkg/README  15 Mar 2020 22:02:04 -  1.1.1.1
+++ pkg/README  7 Apr 2020 16:40:40 -
@@ -8,8 +8,7 @@ Basics
 ==
 
 Create a new configuration file in ${SYSCONFDIR}/wiresep/wiresep.conf and 
create
-a new private key with wiresep-keygen(1) and store it in
-${SYSCONFDIR}/wiresep/tun0.key.
+a new private key with wiresep-keygen(1).
 
 See wiresep.conf(5) and ${PREFIX}/share/examples/wiresep/wiresep.conf.example
 for a basic example configuration.
@@ -18,4 +17,4 @@ After you have created a config file and
 started with `rcctl start wiresep`. If you want to enable wiresep on startup 
run
 `rcctl enable wiresep`.
 
-Additional information on wiresep can be found in wiresep(8).
+Additional information can be found in wiresep(8).


[UPDATED] net/wiresep 0.9.0 -> 0.10.1

2020-03-25 Thread Tim Kuijsten
Here is WireSep version 0.10.1. I've upstreamed both patches and incorporated
some feedback I got from Klemens Nanni and Janne Johansson, big thanks!

-Tim


wiresep-0.10.1.tgz
Description: GNU Zip compressed data


Re: The great find(1) cleanup

2020-03-20 Thread Tim Kuijsten
> Missing type checks should be easily added to every invocation lacking
> them, they're clearer to read and might even speed things up by
> preventing directory names to be matched against "*.orig" for example.
> 
> When both primaries are present, `-type' should occur first for similar
> reasons: if you're looking for files with specific names, you don't want
> to string compare names first only to discard the file later on because
> it is a directory or symbolic link;  some invocations do `-name' before
> `-type' and I'd argue that swapping their order is both safe to do and
> actually a bit faster (for big file trees (with slow I/O)).

I've always thought *not* using -type and matching purely on -name
is faster because the name is in the directory entry while the type
is stored in an inode which needs to be fetched separately...
of course the performance of string comparison depends on the actual
name you're looking for and the file hierarchy.



[update] tor-0.4.1.6 -> 0.4.1.9

2020-03-18 Thread Tim Kuijsten
Tor v0.4.1.9 fixes a high-severity security issue, CVE-2020-10592.

This is intended for 6.6-stable.
Index: Makefile
===
RCS file: /cvs/ports/net/tor/Makefile,v
retrieving revision 1.126
diff -u -p -r1.126 Makefile
--- Makefile23 Sep 2019 13:52:05 -  1.126
+++ Makefile19 Mar 2020 02:04:00 -
@@ -2,7 +2,7 @@
 
 COMMENT=   anonymity service using onion routing
 
-DISTNAME=  tor-0.4.1.6
+DISTNAME=  tor-0.4.1.9
 CATEGORIES=net
 HOMEPAGE=  https://www.torproject.org/
 
Index: distinfo
===
RCS file: /cvs/ports/net/tor/distinfo,v
retrieving revision 1.103
diff -u -p -r1.103 distinfo
--- distinfo23 Sep 2019 13:52:05 -  1.103
+++ distinfo19 Mar 2020 02:04:00 -
@@ -1,2 +1,2 @@
-SHA256 (tor-0.4.1.6.tar.gz) = KohSTOQmB5+5uCi8G3ifLIrePtU8EwhREC3rw1GL7XE=
-SIZE (tor-0.4.1.6.tar.gz) = 7390096
+SHA256 (tor-0.4.1.9.tar.gz) = p2PCQ2LGIg6tNF+iMtWzQ/zl4awKSVSdCjoiU9YP0oo=
+SIZE (tor-0.4.1.9.tar.gz) = 7516581
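Review bot: since this is meant for 6.6-stable, the Makefile bump and this distinfo change belong on the OPENBSD_6_6 branch, and the revisions shown (1.126, 1.103) should be those of that branch rather than -current. As the point of the update is CVE-2020-10592, the new checksum should also be checked against the Tor project's signed release, not only against the fetched tarball.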


Re: net/mlvpn ioctl(TUNSIFMODE): Invalid argument

2019-11-28 Thread Tim Kuijsten
Solene Rapenne  wrote:
> On Thu, Nov 28, 2019 at 01:35:11PM +0100, Tim Kuijsten wrote:
> > Looking at [1] I see they don't set tuninfo.type. This should be set to
> > IFT_TUNNEL:
> > net/if_types.h:#define IFT_TUNNEL 0x83
> > 
> > Does that help?
> > 
> > [1] https://github.com/zehome/MLVPN/blob/2.3.2/src/tuntap_bsd.c#L146-L150
> > 
> 
> with the following patch it starts but I can't see any mlvpn process
> running, but it starts without any error message.
> I'll try setting up a server now and see if it works.
> 
> Thanks for the help!

I personally set tunnel interfaces in wiresep to non-PTP and respect
whatever other flag was already set by default [1]. In PTP mode my
address assignment code fails later on, I assume because of prefix
masks.

[1]
https://github.com/timkuijsten/wiresep/blob/v0.8.4/ifn.c#L2502-L2508



Re: net/mlvpn ioctl(TUNSIFMODE): Invalid argument

2019-11-28 Thread Tim Kuijsten
Looking at [1] I see they don't set tuninfo.type. This should be set to
IFT_TUNNEL:
net/if_types.h:#define IFT_TUNNEL 0x83

Does that help?

[1] https://github.com/zehome/MLVPN/blob/2.3.2/src/tuntap_bsd.c#L146-L150

Solene Rapenne  wrote:
> On Thu, Nov 28, 2019 at 10:26:32AM +0100, Solene Rapenne wrote:
> > Hi,
> > 
> > not sure ports@ is the best place for that, but either mlvpn doesn't work
> > anymore or I made something wrong (I guess it's the latter).
> > 
> > I'm trying to make a mlvpn tunnel and it refuses to start on both sides
> > (server and client) with the exact same issue.
> > 
> > mlvpn doesn't ship with specific instructions so I guess default install 
> > should
> > work.
> > 
> > Server is running 6.6 and client -current
> > 
> > this is the client configuration, but the server configuration is quite
> > identical.
> > 
> 
> This updates mlvpn to the latest version but I still can't start it.
> I disabled filters because we don't have PCAP_NETMASK_UNKNOWN
> 
> The error message is less cryptic.
> 
> solene# mlvpn --debug --user _mlvpn -c /etc/mlvpn/mlvpn.conf
> 2019-11-28T12:33:14 [INFO/config] new password set
> 2019-11-28T12:33:14 [INFO/config] dsl1 tunnel added
> mlvpn: ioctl(TUNSIFMODE): Invalid argument
> 2019-11-28T12:33:14 [WARN/tuntap] unable to open /dev/tun0 read/write.
> MAKEDEV ? 
> 2019-11-28T12:33:14 [CRIT/fatal] cannot create tunnel device
> 
> 
> 
> Index: Makefile
> ===
> RCS file: /data/cvs/ports/net/mlvpn/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile  12 Jul 2019 20:48:32 -  1.8
> +++ Makefile  28 Nov 2019 10:31:22 -
> @@ -2,11 +2,10 @@
>  
>  COMMENT =link-aggregation VPN software
>  
> -V =  2.2.2
> +V =  2.3.2
>  DISTNAME =   mlvpn-$V
>  DISTFILES =  ${DISTNAME}{$V}.tar.gz
>  WRKDIST =${WRKDIR}/MLVPN-$V
> -REVISION =   3
>  
>  CATEGORIES = net
>  
> @@ -26,6 +25,7 @@ CONFIGURE_STYLE =   autoreconf
>  CONFIGURE_ENV += CPPFLAGS="-I${LOCALBASE}/include" \
>   LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib" \
>   ac_cv_header_valgrind_valgrind_h=no
> +CONFIGURE_ARGS +=--enable-filters=no
>  
>  AUTOCONF_VERSION =   2.69
>  AUTOMAKE_VERSION =   1.14
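Review bot: `--enable-filters=no` is unexplained in the Makefile itself; the reason given in the message (we don't have PCAP_NETMASK_UNKNOWN) belongs in a comment above this line so the next updater knows when it can be re-enabled, e.g. `# no PCAP_NETMASK_UNKNOWN in our libpcap`.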
> Index: distinfo
> ===
> RCS file: /data/cvs/ports/net/mlvpn/distinfo,v
> retrieving revision 1.2
> diff -u -p -r1.2 distinfo
> --- distinfo  24 Oct 2015 08:32:14 -  1.2
> +++ distinfo  28 Nov 2019 10:08:58 -
> @@ -1,2 +1,2 @@
> -SHA256 (mlvpn-2.2.2.tar.gz) = +kVbV9jmdlUNAc/lUkjVtZX8qBLM69ql6tJBLEMgVF8=
> -SIZE (mlvpn-2.2.2.tar.gz) = 78919
> +SHA256 (mlvpn-2.3.2.tar.gz) = AsnFd+bw7Df8uyLTyUOSXBrCKnjDZORMgsTRpzsrUCw=
> +SIZE (mlvpn-2.3.2.tar.gz) = 85639
> Index: pkg/PLIST
> ===
> RCS file: /data/cvs/ports/net/mlvpn/pkg/PLIST,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 PLIST
> --- pkg/PLIST 23 Oct 2015 09:28:58 -  1.1.1.1
> +++ pkg/PLIST 28 Nov 2019 10:31:54 -
> @@ -1,6 +1,7 @@
>  @comment $OpenBSD: PLIST,v 1.1.1.1 2015/10/23 09:28:58 sthen Exp $
>  @newgroup _mlvpn:758
>  @newuser _mlvpn:758:_mlvpn:daemon:mlvpn user:/var/empty:/sbin/nologin
> +@rcscript ${RCDIR}/mlvpn
>  @man man/man1/mlvpn.1
>  @man man/man5/mlvpn.conf.5
>  @bin sbin/mlvpn
> @@ -13,10 +14,11 @@ share/doc/mlvpn/README.debug.md
>  share/doc/mlvpn/README.md
>  share/doc/mlvpn/mlvpn.default
>  share/doc/mlvpn/mlvpn.init.d
> +share/doc/mlvpn/mlvpn.rc
>  share/examples/mlvpn/
> +@mode 770
>  @owner root
>  @group wheel
> -@mode 770
>  @sample ${SYSCONFDIR}/mlvpn/
>  @mode
>  share/examples/mlvpn/mlvpn.conf
> @@ -26,7 +28,3 @@ share/examples/mlvpn/mlvpn.conf
>  share/examples/mlvpn/mlvpn_updown.sh
>  @mode 700
>  @sample ${SYSCONFDIR}/mlvpn/mlvpn_updown.sh
> -@mode
> -@owner
> -@group
> -@rcscript ${RCDIR}/mlvpn
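Review bot: with the trailing `@mode`, `@owner` and `@group` resets removed, `@mode 700` and `@owner root`/`@group wheel` stay in effect to the end of the PLIST. That is harmless today because `@sample ${SYSCONFDIR}/mlvpn/mlvpn_updown.sh` is the last entry, but anything appended later inherits them; keeping bare `@mode`, `@owner` and `@group` lines after the last @sample costs nothing and keeps the file safe to extend.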




Re: [NEW] net/wiresep

2019-11-19 Thread Tim Kuijsten
> Looking in sample config,
> 
> : # pick an unprivileged user/id
> : user 1109
> 
> Please use @newuser/@newgroup in pkg/PLIST to add a user and set the sample
> config to use it. For the actual number, pick the next available uid from
> ports/infrastructure/db/user.list and include a diff to add to that file too.

done, using _wiresep as a default user if not overruled in the configuration
of the daemon.

> Building,
> 
> : ===>  Building for wiresep-0.8.3
> : cc -Wall -Wextra -pedantic-errors -c tai64n.c
> : cc -Wall -Wextra -pedantic-errors -c blake2s-ref.c
> [..]
> 
> Missing C opt/debug flags, changing your patch as follows fixes that:
> 
> -CFLAGS = -Wall -Wextra -pedantic-errors -O0 -g
> +CFLAGS += -Wall -Wextra -pedantic-errors

I made it look like this in my original Makefile so that we don't need a patch
for the package.
Index: user.list
===
RCS file: /cvs/ports/infrastructure/db/user.list,v
retrieving revision 1.354
diff -u -p -r1.354 user.list
--- user.list   4 Oct 2019 20:30:27 -   1.354
+++ user.list   20 Nov 2019 00:28:22 -
@@ -14,6 +14,7 @@ id  user  group   port options
 502 _mysql _mysql  databases/mariadb,-server
 503 _postgresql_postgresql databases/postgresql,-server
 504 _mailman   _mailmanmail/mailman
+505 _wiresep   _wiresepnet/wiresep
 506 _spamdaemon_spamdaemon mail/p5-Mail-SpamAssassin
 507 _postfix   _postfixmail/postfix/{snapshot,stable}
 508_postdrop   mail/postfix/{snapshot,stable}
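Review bot: 505 is the free slot between 504 (_mailman) and 506 (_spamdaemon), so the insertion follows the next-available-uid rule from the review; the matching `@newgroup _wiresep:505` and `@newuser _wiresep:505:...` lines in pkg/PLIST and the `user _wiresep` default in the sample config are not part of this diff and need to be checked to use the same number.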


wiresep-0.8.4.tgz
Description: GNU Zip compressed data


Re: [NEW] net/wiresep

2019-11-19 Thread Tim Kuijsten
> Looking in sample config,
> 
> : # pick an unprivileged user/id
> : user 1109
> 
> Please use @newuser/@newgroup in pkg/PLIST to add a user and set the sample
> config to use it. For the actual number, pick the next available uid from
> ports/infrastructure/db/user.list and include a diff to add to that file too.

I have some questions about the optimal number of users with regard to
privilege separation and the different processes of my program. I hope it's ok
to ask about it here, if not, please let me know.

Background about the [design]:
In wiresep I have three types of processes, an untrusted and insignificant
proxy (pledge("stdio", "")), a fully trusted enclave (pledge("stdio", "")),
and a semi-trusted ifn process (pledge("stdio inet", "")). There is always
exactly one instance of the proxy and one instance of the enclave process, but
there can be more than one ifn process. One per configured tunnel interface.

Threat model:
If the enclave is exploited, long term secrets leak and we're hosed. It should
be fairly easy to audit the 1300+ LoC of enclave.c and get some sense about
the risk whether or not this will happen one day.
(about the LoC: cc -E enclave.c | wc -l = 6214)

Then the process per tunnel interface, "ifn". This is where most complexity
goes and what touches the decrypted plain text network packets. This process
only has short term session keys and the idea is that if someone manages to
exploit one "ifn" process it won't be able to read/write packets of any other
"ifn" process nor access the long term secrets. (but yes, all packets with all
peers on that single exploited interface might leak/be manipulated)

Questions:
1a. Can one process that pledged ("stdio inet", "") somehow access/directly
influence other processes that run by the same user id? I only know of
ptrace(2) and both because of pledge and because none of the mentioned
processes are descendants of each other it should be safe as long as
kern.global_ptrace=0, which currently is the default.

1b. In the case of wiresep, if one ifn process gets exploited, would other ifn
processes be protected from the exploited one if the user ids are different
from each other, and is a different user id really needed for that protection?
Of course it ultimately depends on the integrity of the IPC and shared
resources, about the last I can say, apart from the host, only the proxy and
enclave are shared between all ifn processes and only through a tightly
defined IPC (see [design] and wireprot.h if you're interested).

1c. And lastly, would it be advantageous to run the enclave under a separate
userid than the other processes? (I do that in my setup to be cautious, but
I'm not sure if it's really beneficial to the overall security)

I know most daemons simply use one separate user, but e.g. Dovecot uses one
dovecot user and one separate dovenull user for all the login processes. Also
smtpd has two user ids. So I'm not quite sure which one to pick from "one user
per program" vs "one user per type of process/security domain" vs "one user
per actual process".

Thanks,

Tim

[design] https://github.com/timkuijsten/wiresep/blob/master/doc/design.md



Re: [NEW] net/wiresep

2019-11-18 Thread Tim Kuijsten
> Forgot to mention, rather than the patch + SUBST_CMD dance, you can just
> override make variables on the command line;
> 
> MAKE_FLAGS = PREFIX=${PREFIX} ETCDIR=${SYSCONFDIR}

again, now including the above fix as well.


wiresep-0.8.3.tgz
Description: GNU Zip compressed data


Re: [NEW] net/wiresep

2019-11-18 Thread Tim Kuijsten
here is a fixed version:
* drop complex use of DISTNAME for -rc.x support, not needed now
* simplify rc script
* align ruler length in README

Stuart Henderson  wrote:
> On 2019/11/18 22:19, Tim Kuijsten wrote:
> > Here is a new updated port of wiresep based on v0.8.3.
> > 
> > It incorporates all the feedback I got:
> > * don't change the process name, keep wiresep
> > * let resource limits take the configuration into account
> >   (fixes a pre-mature exit of the enclave on the octeon platform)
> > * treat OOM errors in the main loop as transient
> > * don't notify proxy to destroy unsent sessions
> > 
> > Thanks Bjorn, Janne and Stuart for all the feedback!
> > 
> > Stuart Henderson  wrote:
> > > On 2019/11/18 18:42, Tim Kuijsten wrote:
> > > > > Btw, could we make the proctitle slightly nicer on the cpu-bearing 
> > > > > process?
> > > > > 
> > > > >   PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIMECPU 
> > > > > COMMAND
> > > > > 19404 wsep  390 1440K 3232K onproc/1  - 0:07 27.88% 
> > > > > tun0
> > > > 
> > > > You mean make it more clear in top(1) that tun0 is a process of wiresep?
> > > > 
> > > > What about prefixing all processes with "ws" so that we would get:
> > > > root 82906  0.0  0.0   608  1844 ??  Ip Sun11PM0:00.01 
> > > > wsmaster (wiresep)
> > > > 3901  8190  0.0  0.1   728  2352 ??  Ip Sun11PM0:11.39 
> > > > wstun0 (wiresep)
> > > > 3900 50475  0.0  0.0   672  2072 ??  Ip Sun11PM0:00.04 
> > > > wsproxy (wiresep)
> > > > 3900 84443  0.0  0.1   656  2196 ??  Ip Sun11PM0:00.47 
> > > > wsenclave (wiresep)
> > > > 
> > > 
> > > most daemons that change their proctitle still have the process name 
> > > first, e.g.
> > > 
> > > wiresep (master), wiresep (tun0), ..
> > > 
> > > or
> > > 
> > > wiresep: master, wiresep: tun0, ..
> > 
> > 
> 
> 
> - the custom rc_check and rc_stop don't seem to be needed, it's better
> to just adjust pexp (with .* if necessary)
> 
> - the "underline" in README should be the same number of chars as the
> text on the line above
> 
> - rather than the complex
> 
> DISTNAME =  ${GH_PROJECT}-${GH_TAGNAME:C/^v//:C/-rc./rc/}
> 
> I think it would be better to let the ports infrastructure handle
> DISTNAME and just reset PKGNAME, which then only needs simple subst
> rather than regex i.e. PKGNAME = ${DISTNAME:S/-rc./rc/}




wiresep-0.8.3.tgz
Description: GNU Zip compressed data


Re: [NEW] net/wiresep

2019-11-18 Thread Tim Kuijsten
Here is a new updated port of wiresep based on v0.8.3.

It incorporates all the feedback I got:
* don't change the process name, keep wiresep
* let resource limits take the configuration into account
  (fixes a premature exit of the enclave on the octeon platform)
* treat OOM errors in the main loop as transient
* don't notify proxy to destroy unsent sessions

Thanks Bjorn, Janne and Stuart for all the feedback!

Stuart Henderson  wrote:
> On 2019/11/18 18:42, Tim Kuijsten wrote:
> > > Btw, could we make the proctitle slightly nicer on the cpu-bearing 
> > > process?
> > > 
> > >   PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIMECPU 
> > > COMMAND
> > > 19404 wsep  390 1440K 3232K onproc/1  - 0:07 27.88% tun0
> > 
> > You mean make it more clear in top(1) that tun0 is a process of wiresep?
> > 
> > What about prefixing all processes with "ws" so that we would get:
> > root 82906  0.0  0.0   608  1844 ??  Ip Sun11PM0:00.01 wsmaster 
> > (wiresep)
> > 3901  8190  0.0  0.1   728  2352 ??  Ip Sun11PM0:11.39 wstun0 
> > (wiresep)
> > 3900 50475  0.0  0.0   672  2072 ??  Ip Sun11PM0:00.04 wsproxy 
> > (wiresep)
> > 3900 84443  0.0  0.1   656  2196 ??  Ip Sun11PM0:00.47 
> > wsenclave (wiresep)
> > 
> 
> most daemons that change their proctitle still have the process name first, 
> e.g.
> 
> wiresep (master), wiresep (tun0), ..
> 
> or
> 
> wiresep: master, wiresep: tun0, ..




wiresep-0.8.3.tgz
Description: GNU Zip compressed data


Re: [NEW] net/wiresep

2019-11-18 Thread Tim Kuijsten
> Btw, could we make the proctitle slightly nicer on the cpu-bearing process?
> 
>   PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIMECPU COMMAND
> 19404 wsep  390 1440K 3232K onproc/1  - 0:07 27.88% tun0

You mean make it more clear in top(1) that tun0 is a process of wiresep?

What about prefixing all processes with "ws" so that we would get:
root 82906  0.0  0.0   608  1844 ??  Ip Sun11PM0:00.01 wsmaster 
(wiresep)
3901  8190  0.0  0.1   728  2352 ??  Ip Sun11PM0:11.39 wstun0 
(wiresep)
3900 50475  0.0  0.0   672  2072 ??  Ip Sun11PM0:00.04 wsproxy 
(wiresep)
3900 84443  0.0  0.1   656  2196 ??  Ip Sun11PM0:00.47 wsenclave 
(wiresep)



Re: [NEW] net/wiresep

2019-11-18 Thread Tim Kuijsten
> enclave[46390]: decreasing current data limit from 17179869184 to 1048576
> 
> enclave[46390]: decreasing maximum data limit from 17179869184 to 1048576

In the next branch I have patched the enclave to relax the heap limit to at
least 2M instead of 1M (plus some extra dependent on the number of configured
interfaces and peers).

doas wiresep -dvv
...
enclave[16625]: decreasing current data limit from 34359738368 to 2097624
enclave[16625]: decreasing maximum data limit from 34359738368 to 2097624

could you try with these patches?

https://github.com/timkuijsten/wiresep/tree/next



Re: [NEW] net/wiresep

2019-11-14 Thread Tim Kuijsten
This is a new version of the port which fixes all my previous
questions (thanks Bjorn Ketelaars for all the help).

This is based on the final v0.8.2 which I released today and includes
some additional tweaks and fixes (is the version number v0.8.2
semantically higher in ports compared to v0.8.2-rc.3?).

Hope somebody can test or comment on it.

For completeness a link to the homepage and a short description which I
forgot to mention yesterday: https://github.com/timkuijsten/wiresep


WireSep is a privilege separated implementation of WireGuard for
OpenBSD.

WireGuard is a VPN that aims to be simpler and faster than IPsec
and OpenVPN. Simpler both in configuration and in implementation.


Cheers!

Tim


Tim Kuijsten  wrote:
> Hi all,
> 
> This is a port of my implementation of WireGuard.
> 
> I had some trouble with the following when creating the port:
> 
> 1. I was not able to set "SEPARATE_BUILD = Yes", I get the error "cannot open
> Makefile":
> 
> /usr/ports/net/wiresep/ $ make build
> ===>  Verifying specs:  c crypto
> ===>  found c.95.1 crypto.45.5
> ===>  Checking files for wiresep-0.8.2-rc.3
> `/usr/ports/distfiles/wiresep-0.8.2-rc.3.tar.gz' is up to date.
> >> (SHA256) wiresep-0.8.2-rc.3.tar.gz: OK
> ===>  Extracting for wiresep-0.8.2-rc.3
> ===>  Patching for wiresep-0.8.2-rc.3
> ===>  Compiler link: clang -> /usr/bin/clang
> ===>  Compiler link: clang++ -> /usr/bin/clang++
> ===>  Compiler link: cc -> /usr/bin/cc
> ===>  Compiler link: c++ -> /usr/bin/c++
> ===>  Generating configure for wiresep-0.8.2-rc.3
> ===>  Configuring for wiresep-0.8.2-rc.3
> ===>  Building for wiresep-0.8.2-rc.3
> make: cannot open Makefile.
> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2800
> '/usr/ports/pobj/wiresep-0.8.2-rc.3/build-amd64/.build_done')
> *** Error 1 in /usr/ports/net/wiresep
> (/usr/ports/infrastructure/mk/bsd.port.mk:2466 'build')
> 
> 
> 2. somehow `rcctl stop wiresep` does not execute my custom rc_stop
> function in /etc/rc.d/wiresep
> 
> 3. portcheck(1) issues "hardcoded paths detected in pkg/MESSAGE,
> consider using SUBST_VARS and TRUEPREFIX/LOCALBASE/LOCALSTATEDIR/VARBASE"
> 
> When I try to replace "/usr/local" with ${TRUEPREFIX} it does not
> get substituted and is displayed verbatim when the MESSAGE file is
> displayed right after installing the package with `doas make install`.
> 
> Kind regards,
> 
> Tim




wiresep.tgz
Description: GNU Zip compressed data


[NEW] wiresep - privilege separated implementation of WireGuard

2019-11-13 Thread Tim Kuijsten
Hi all,

This is a port of my implementation of WireGuard.

I had some trouble with the following when creating the port:

1. I was not able to set "SEPARATE_BUILD = Yes", I get the error "cannot open
Makefile":

/usr/ports/net/wiresep/ $ make build
===>  Verifying specs:  c crypto
===>  found c.95.1 crypto.45.5
===>  Checking files for wiresep-0.8.2-rc.3
`/usr/ports/distfiles/wiresep-0.8.2-rc.3.tar.gz' is up to date.
>> (SHA256) wiresep-0.8.2-rc.3.tar.gz: OK
===>  Extracting for wiresep-0.8.2-rc.3
===>  Patching for wiresep-0.8.2-rc.3
===>  Compiler link: clang -> /usr/bin/clang
===>  Compiler link: clang++ -> /usr/bin/clang++
===>  Compiler link: cc -> /usr/bin/cc
===>  Compiler link: c++ -> /usr/bin/c++
===>  Generating configure for wiresep-0.8.2-rc.3
===>  Configuring for wiresep-0.8.2-rc.3
===>  Building for wiresep-0.8.2-rc.3
make: cannot open Makefile.
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2800
'/usr/ports/pobj/wiresep-0.8.2-rc.3/build-amd64/.build_done')
*** Error 1 in /usr/ports/net/wiresep
(/usr/ports/infrastructure/mk/bsd.port.mk:2466 'build')


2. somehow `rcctl stop wiresep` does not execute my custom rc_stop
function in /etc/rc.d/wiresep

3. portcheck(1) issues "hardcoded paths detected in pkg/MESSAGE,
consider using SUBST_VARS and TRUEPREFIX/LOCALBASE/LOCALSTATEDIR/VARBASE"

When I try to replace "/usr/local" with ${TRUEPREFIX} it does not
get substituted and is displayed verbatim when the MESSAGE file is
displayed right after installing the package with `doas make install`.

Kind regards,

Tim


wiresep.tar.gz
Description: GNU Zip compressed data


Re: new: opensmtpd clamav filter

2019-11-13 Thread Tim Kuijsten
"Theo de Raadt"  wrote:
> I'll add my voice to this.
> 
> The powerful vendors writing new languages must expand their breadth,
> or face the consequences that some software is not going to get written
> in their languages.  Better is very much muted by unportable.

What about gccgo? It supports more architectures than the standard Go
compiler, is written and maintained by one of the core developers of
the language and has existed since the inception of Go[1].

(Note: I only learned about the existence of the different compilers 
last night when I was researching a bit and evaluating whether or not I 
should try Go)

[1] https://commandcenter.blogspot.com/2017/09/go-ten-years-and-climbing.html



Re: [UPDATE] nagios/cnagios to 0.33

2016-11-28 Thread Tim Kuijsten

On 28-11-16 at 15:11, Kirill Bychkov wrote:
> On Mon, November 28, 2016 16:51, Tim Kuijsten wrote:
> > On 28-11-16 at 14:37, Kirill Bychkov wrote:
> > > On Mon, November 28, 2016 02:22, Tim Kuijsten wrote:
> > > > Hi ports@,
> > > >
> > > > I've updated cnagios to the latest release. Quite some segfaults have
> > > > been fixed since 0.30.
> > > >
> > > > Tested on amd64.
> > > >
> > > > -Tim
> > > >
> > > > ps. I'm still looking for an easy way to use it with icinga. Maybe a
> > > > cnagios package on its own instead of being a subpackage of nagios
> > > > would be better. I'm not sure..
> > >
> > > Hmm. It tries to detect data version of status.dat on configure stage.
> > > If there is no file, configure fails.
> >
> > I think this is related to "Remove dependencies on live nagios instance
> > #6" [1].
>
> That's it.
>
> > > For my icinga installation it detects version 3. This could be overridden
> > > with CONFIGURE_ARGS = --with-nagios-data=3.
> > > But what should be set for nagios itself? Any nagios users around?
> >
> > I think status file format 3 is the latest in both nagios and icinga.
>
> Thanks to sane defaults in OpenBSD packages! It is enough to install nagios
> and run rcctl start nagios to make it run and collect some data for the local
> host!
> But cnagios tells me that nagios uses data version 4:
> [...]
> nagios var dir... /var/nagios
> nagios status file... /var/nagios/status.dat
> nagios data version... 4
> [...]
>
> > -Tim
> >
> > [1] https://github.com/dannywarren/cnagios/issues/6
> >
> > > WIP diff attached. Currently only icinga FLAVOR could be installed.
> > > Default flavor will fail if there is no /var/nagios/status.dat.
> > >
> > > P.S. Briefly tested with icinga.
>
> Updated patch is attached.
> OK to commit?

There is a typo in the diff: *+Upsatream* commit
3bd27fb40e68f61ffd01bea6234b919a667b6fe4




Re: [UPDATE] nagios/cnagios to 0.33

2016-11-28 Thread Tim Kuijsten

On 28-11-16 at 14:37, Kirill Bychkov wrote:
> On Mon, November 28, 2016 02:22, Tim Kuijsten wrote:
> > Hi ports@,
> >
> > I've updated cnagios to the latest release. Quite some segfaults have
> > been fixed since 0.30.
> >
> > Tested on amd64.
> >
> > -Tim
> >
> > ps. I'm still looking for an easy way to use it with icinga. Maybe a
> > cnagios package on its own instead of being a subpackage of nagios
> > would be better. I'm not sure..
>
> Hmm. It tries to detect data version of status.dat on configure stage.
> If there is no file, configure fails.

I think this is related to "Remove dependencies on live nagios instance
#6" [1].

> For my icinga installation it detects version 3. This could be overridden
> with CONFIGURE_ARGS = --with-nagios-data=3.
> But what should be set for nagios itself? Any nagios users around?

I think status file format 3 is the latest in both nagios and icinga.

-Tim

[1] https://github.com/dannywarren/cnagios/issues/6

> WIP diff attached. Currently only icinga FLAVOR could be installed.
> Default flavor will fail if there is no /var/nagios/status.dat.
>
> P.S. Briefly tested with icinga.





[UPDATE] nagios/cnagios to 0.33

2016-11-27 Thread Tim Kuijsten

Hi ports@,

I've updated cnagios to the latest release. Quite some segfaults have 
been fixed since 0.30.


Tested on amd64.

-Tim

ps. I'm still looking for an easy way to use it with icinga. Maybe a
cnagios package on its own instead of being a subpackage of nagios
would be better. I'm not sure..
Index: Makefile
===
RCS file: /cvs/ports/net/nagios/cnagios/Makefile,v
retrieving revision 1.22
diff -u -p -r1.22 Makefile
--- Makefile8 Jul 2016 16:48:21 -   1.22
+++ Makefile27 Nov 2016 21:29:45 -
@@ -2,9 +2,15 @@
 
 COMMENT =  console interface for nagios
 
-DISTNAME = cnagios-0.30
-REVISION = 1
+V =0.33
+DISTNAME = cnagios-$V
+DISTFILES =${DISTNAME}{$V}.tar.gz
+
 CATEGORIES =   net
+
+HOMEPAGE=  https://github.com/dannywarren/cnagios
+
+MASTER_SITES=  https://github.com/dannywarren/cnagios/archive/
 
 WANTLIB =  c perl pthread curses m
 
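Review bot: the new `HOMEPAGE=` and `MASTER_SITES=` lines drop the space before `=` that every other assignment in this hunk keeps (`COMMENT =`, `DISTNAME =`, `CATEGORIES =`); write them as `HOMEPAGE =` and `MASTER_SITES =` so the Makefile stays consistent. Removing `REVISION` on a version bump is correct, and `DISTFILES = ${DISTNAME}{$V}.tar.gz` is the right idiom for fetching GitHub's bare `0.33.tar.gz` archive under the `cnagios-0.33.tar.gz` name that the distinfo hunk below records.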
Index: distinfo
===
RCS file: /cvs/ports/net/nagios/cnagios/distinfo,v
retrieving revision 1.7
diff -u -p -r1.7 distinfo
--- distinfo1 Apr 2013 18:26:00 -   1.7
+++ distinfo27 Nov 2016 21:29:45 -
@@ -1,2 +1,2 @@
-SHA256 (cnagios-0.30.tar.gz) = oHd0oOs7RZGSplgQICTYdNH/dvnx9/6PIG7LADb/FDg=
-SIZE (cnagios-0.30.tar.gz) = 81813
+SHA256 (cnagios-0.33.tar.gz) = YLM89YK1cAWCAG3gVXDFsy4k2qnwQjXmG+TNSZ/CVhE=
+SIZE (cnagios-0.33.tar.gz) = 82080
$OpenBSD$
--- version.h.orig  Mon Nov 28 00:28:07 2016
+++ version.h   Mon Nov 28 00:28:17 2016
@@ -1 +1 @@
-#define VERSION "0.32"
+#define VERSION "0.33"
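Review bot: the version.h patch has no comment between `$OpenBSD$` and the `--- version.h.orig` header saying why a 0.33 release tarball still carries `VERSION "0.32"` and is being bumped here; port patches conventionally state the reason (a one-line reference to the upstream commit that fixed the version string, as the follow-up in this thread mentions) so the next updater can tell when the patch can be dropped.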