OpenBSD Journal
Home : : Add Story : : Archives : : About : : Create Account : : Login :
ChaCha20 and Poly1305 in OpenSSH
Contributed by jcr on Wed Dec 4 09:02:00 2013 (GMT)
from the the-poly-cha-cha-is-the-new-dance-craze dept.

OpenBSD developer Damien Miller (djm@) wrote a great post titled "ChaCha20 and Poly1305 in OpenSSH" and below is a small excerpt:

Recently, I committed support for a new authenticated encryption cipher for OpenSSH, This cipher combines two primitives from Daniel J. Bernstein: the ChaCha20 cipher and the Poly1305 MAC (Message Authentication Code) and was inspired by Adam Langley's similar proposal for TLS.

Why another cipher and MAC? A few reasons... First, we would like a high-performance cipher to replace RC4 since it is pretty close to broken now, we'd also like an authenticated encryption mode to complement AES-GCM - which is great if your hardware supports it, but takes significant voodoo to make run in constant time and, finally, having an authenticated encryption mode that is based on a stream cipher allows us to encrypt the packet lengths again.

Wait, what do you mean by "encrypt the packet lengths again"? (last rhetorical question, I promise) Well, it's a long story that requires a little background...

[ 6 comments 194d22:04 ago ] (flat) (expanded)

BSDNow Episode 013: Bridging the Gap - OpenBSD Router Part 2
Contributed by jcr on Tue Dec 3 07:02:30 2013 (GMT)
from the gaps-bridged dept.

In BSDNow "Episode 013: Bridging the Gap" they bring us their usual round of general BSD news and an interview with one of the FreeBSD developers and co-founders, Jordan Hubbard, along with improvements and continuations on their "OpenBSD Router" tutorial.

The BSDNow show is recorded live on Wednesdays at 2pm Eastern Standard Time and then the live recording is edited into the video and audio files released the following Friday afternoon. Due to time constraints and live recordings, it's always best to check their website show notes and tutorial pages for updated information. As TJ said, "It's a community-driven project," so if you want to help out, you can send questions, comments, show ideas/topics, or stories you want mentioned on the show to

Available audio and video recordings:
SD Video | HD Video | MP3 Audio | OGG Audio | Youtube | Torrent | iTunes MP3 | Roku

[ 1 comment 1356d6:10 ago ] (flat) (expanded)

Is Your Stack Protector Working?
Contributed by tbert on Mon Dec 2 07:57:57 2013 (GMT)
from the no-slack-stack dept.

OpenBSD developer Ted Unangst (tedu@) recently wrote a blog post titled, "Is Your Stack Protector Working?" and with permission it's reposted below:

Veracode has a new blog post "A Tale of Two Compilers" about differing behavior when two compilers are faced with a subtle buffer overflow. It's somewhat tangential to the main point, but I noticed that even though the compilers Veracode tested had stack overflow protection enabled, neither detected the bug or prevented the exploit. Detection and prevention of precisely this bug was a headline feature of the original ProPolice implementation. The version of gcc(1) used in OpenBSD has changed several times since then, so I tested it to make sure it still works.

[ 7 comments 1356d5:15 ago ] (flat) (expanded)

Support For Shared Named Semaphores
Contributed by jcr on Thu Nov 28 02:50:36 2013 (GMT)
from the lord-voldebert-is-out-to-lunch dept.

OpenBSD developer Ted Unangst (tedu@) recently wrote a blog post on Shared Named Semaphores and with permission it's reposted below:

Support for shared named semaphores, ala sem_open(3), recently arrived in OpenBSD. OpenBSD already supported single process thread shared semaphores, ala sem_init(3), and the old school SysV semaphores, ala semget(2). There are still a few tweaks being made, but the internal design hasn't changed in 24 hours so I figure it's safe to discuss the implementation.

[ 0 comments ] (flat) (expanded)

The 2013 Chuck Yerkes Award Goes To...
Contributed by jcr on Thu Nov 28 02:48:08 2013 (GMT)
from the contributions-remembered dept.

For those who have joined OpenBSD during the last decade, you've missed out on someone special, Chuck Yerkes. Chuck contributed a lot to sendmail(8) and the various OpenBSD mailing lists. He was always willing to help others and took the time to provide useful and accurate advice. Chuck also had a vivid sense of humor ("Shirt, Shoes, Sober... --Pick Two").

LOPSA (League Of Professional System Administrators) recently announced the winner of the 2013 Chuck Yerkes Award:

For those of you who never got to know him, Chuck Yerkes was known for always being willing to help and mentor others both in person and on sysadmin mailing lists in the 1990's and early 2000's. Countless sysadmins over the years have learned from his postings. Chuck's intelligence, knowledge, and dedication to doing things right is something that is missing all too frequently in the on-line community. Unfortunately Chuck passed away in late 2004 after being involved in an accident on his way home from work.

In 2005 an award was created in his memory to annually honor a sysadmin who most embodies Chuck's spirit in assisting and mentoring other sysadmins. Each year the LOPSA awards committee sifts through sysadmin blogs, the LOPSA IRC channels, mailing lists, web forums and other sysadmin on-line resources in search of someone who is leading in contributions to the sysadmin community as Chuck did.

[ 0 comments ] (flat) (expanded)

OpenBSD Foundation Now Accepts Bitcoin Donations
Contributed by jcr on Thu Nov 28 02:51:19 2013 (GMT)
from the BeckLovesSeePlusPlus dept.

In a message to the misc@ mailing list, Bob Beck (beck@) of the OpenBSD Foundation announced Bitcoin donations:

I'm happy to announce the OpenBSD Foundation can now accept donations to assist in funding project activities in BTC. We are using to host our Bitcoin donations, which are converted to CAD for use by the project. If you have been interested in making donations in Bitcoin, please visit and visit the Bitcoin donation link at the bottom of the page.

Thanks, Bob

[ 3 comments 1358d14:42 ago ] (flat) (expanded)

ruBSD 2013 Has Theo, Henning, and Mike Speaking
Contributed by jcr on Thu Nov 28 03:27:30 2013 (GMT)
from the this-isnt-/. dept.

The ruBSD 2013 Conference (translated) will take place on Saturday December 14, 2013 at 10:30am in Moscow, Russia. Yandex will hold the conference at their offices in their "Extropolis" hall.

ruBSD 2013 - the first Russian technical conference on family operating system BSD. It is intended for system administrators and programmers. Objectives of the conference: the lighting of new technologies in the BSD world and discuss examples of BSD-based systems.

Participation is free, but register is necessary. Seats are limited. If you register, but you can not come, please let us know in advance.

There will be three OpenBSD related talks:

  • Theo de Raadt (deraadt@) of OpenBSD "The bane of backwards compatibility"
  • Henning Brauer (henning@) of BS Web Services GmbH "OpenBSD's pf: Design, Implementation and Future"
  • Mike Belopuhov (mikeb@) of .vantronix secure systems "OpenBSD: Where crypto is going?"

[ 3 comments 1351d8:34 ago ] (flat) (expanded)

BSDNow Episode 012: Collecting SSHells - A guide to SSH and tmux
Contributed by jcr on Tue Nov 26 06:35:48 2013 (GMT)
from the just-muxing-around dept.

In "Episode 012: Collecting SSHells" the media magicians of BSDNow bring us the BSD news of the week along with their weekly tutorial, "A guide to SSH and tmux". OpenBSD is the reference and development platform for both OpenSSH and tmux, so all of the newest features show up here first. Since they're both written to be portable and have an unrestrictive, freely reusable license, everyone can use them and many operating systems and/or distributions include them.

Available audio and video recordings:
SD Video | HD Video | MP3 Audio | OGG Audio | Youtube | Torrent | iTunes MP3 | Roku

[ 1 comment 1363d9:14 ago ] (flat) (expanded)

Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
Contributed by jcr on Mon Nov 25 04:14:12 2013 (GMT)
from the easier-to-create-than-to-destroy dept.

Philipp Buehler ("double-p" or formerly pb@) wrote in to tell us about how he handles the problem of tearing down a stalled ipsec(4) connection when running tons of busy and important tunnels.

Since the early days of ipsec.conf(5) it's rather easy to add IPsec connections throughout the networks, so ipsec.conf(5) keeps getting longer and longer. The isakmpd(8) daemon is playing nice with it's (new) peers and the sun is shining - until it isn't. Think of five, ten or 25 tunnels humming critical traffic, and this new peer is just not accepting proposals or doing wrong in so many other ways. One ends up with half-up Phase 1 or Phase 2 connections, where either peer is trying hard to get its proposals through and one can only watch it.

Restart the whole thing? Eventually it will end with a working configuration for weirdo-peer, but it also gains angry customers losing their tunnels until it was figured out. Additionally, the mighty defaults of lifetimes will likely end in CPU spiking while calculating new keys all at the same time.

What to do about it? Obviously, it's per-tunnel configuration and especially bring-up and tear-down of individual working or not-so-working tunnels.

[ 1 comment 194d23:10 ago ] (flat) (expanded)

Support OpenBSD!

Donate to OpenBSD

Buy OpenBSD products


We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

Older Stuff
Friday, November 22
13:15 FOSDEM 2014 Call For Presentations In BSD Developer Room (0)
10:17 NYCBSDCon 2014 Date Change - Can't Compete With The Superb Owl (0)
15:31 OpenBSD Developer Videos From AsiaBSDCon 2013 (2)
Thursday, November 21
05:03 vBSDCon with Reyk Floeter (reyk@) and Henning Brauer (henning@) (0)
Wednesday, November 20
12:05 Donation Request: Older Thinkpad X60 or X60s (X200, X200s, T400, T400s, T500) (3)
Tuesday, November 19
10:15 NYCBSDCon 2014 Call For Papers And ExposÚs (0)
Monday, November 18
07:24 BSDNow Episode 011 Shows Their Ultimate OpenBSD Router Tutorial (7)
06:03 Donation Request: Funds for an amd64 laptop (2)
Friday, November 15
08:45 Videos of Absolute OpenBSD author, Michael Lucas, talk at (4)

Older Stuff...
Yesterday's Edition...

OpenBSD Errata

OpenBSD Resources

Users wishing RSS/RDF summary files of OpenBSD Journal, can retrieve: [xml]

[ Home | Add Story | Archives | Polls | About ]

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]