18:53 Sun, 20 Nov 2005 PST -0800

Fixing ptrace(pt_deny_attach, ...) on Mac OS X 10.4 Tiger

NOTE: For information on Mac OS X Leopard (10.5), refer to this article.

PT_DENY_ATTACH is a non-standard ptrace() request type available on Mac OS X that prevents a debugger from attaching to the calling process. This article will cover disabling PT_DENY_ATTACH for all processes on Mac OS X 10.4. For more information on how the request type is implemented, please refer to the previous article.

Click here to read more ...

[/code/macosx] permanent link

18:48 Sun, 20 Nov 2005 PST -0800

Fixing ptrace(pt_deny_attach, ...)

NOTE: For information on Mac OS X Tiger, refer to this article.

In Mac OS X, Apple introduced an additional, non-standard request type to the ptrace() system call - PT_DENY_ATTACH. While an understandable addition, especially in terms of providing plausible defense for their DRM applications, PT_DENY_ATTACH has come to be used by a number of third-party developers in an attempt to provide further copy protection.

This is unfortunate for those of us with a genuine need to attach a debugger. There are several circumstances when this ability is necessary, including working with libSystem, writing a runtime patch with APE, writing a kext, writing an input manager, or software auditing.

There are several possible ways to work around this behavior: breaking on ptrace(2) in gdb, recompiling your kernel, or writing a kext. I choose to write a kext that hooks ptrace(2).

Click here to read more ...

[/code/macosx] permanent link

20:12 Sun, 06 Nov 2005 PST -0800

Bacula Encryption - First Milestone Reached

File Daemon Signing Support Implemented

I just committed support for cryptographic signatures in the File Daemon. The signatures are stored using the ASN.1 syntax I previously outlined. The code supports multiple signers, but the configuration file only supports the specification of a single signing key. You can, however, specify multiple trusted public keys, and any signatures made with those keys will be accepted.

Click here to read more ...

[/code/bacula] permanent link

14:04 Sun, 09 Oct 2005 PDT -0700

OpenVPN Auth-LDAP Plugin 1.0.3 Released

Changes include the addition of an autoconf-based build system and support for Linux.

More information is available from the OpenVPN Auth-LDAP Plugin page

[/code/ldap] permanent link

11:15 Sat, 01 Oct 2005 PDT -0700

Bacula Encryption Update: ASN.1 Signing Syntax


After spending last weekend studying the PKCS #7 and CMS (RFC 3852) specifications, I dedicated this weekend to assembling a Bacula ASN.1 syntax for signing file data and implementing the requisite changes in the backup, verification, and digest handling code paths.

While I would have liked to make use of either PKCS #7 or RFC 3852, OpenSSL's current BER encoder and PKCS #7 API are not capable of handling streaming encoding and decoding. As such, I've designed an ASN.1 syntax inspired by RFC 3852, working around the lack of streaming support by using detached signatures and session key information.

Additionally, I've added support for SHA-256 and SHA-512 digests when using OpenSSL 0.9.8 or greater and completed a great deal of code cleanup. You can find the full ChangeLog below.

Next Up:

The latest patchset is available here: bacula-crypto-3.diff.gz

Click here to read more ...

[/code/bacula] permanent link

01:59 Wed, 24 Aug 2005 PDT -0700

Bacula Encryption Update: Crypto API and Message Digest Refactor

In the interest of providing visibility into my on-going work, I will be posting regular snapshots of my encryption support diffs, along with some hopefully understandable explanations.

To get the project started, I've modified the OpenSSL autoconf macros to define an additional preprocessor directive, HAVE_CRYPTO. In conjunction with this, I've started implementing the abstract cryptography API in src/lib/crypto.c. As with the TLS implementation, I am attempting to abstract the details of OpenSSL from the rest of the Bacula codebase.

One of the first steps necessary to implement signed message digests is a refactoring of the digest code used by the file daemon. I've created a new digest API in src/lib/crypto.c, and updated all clients of the previous digest API. The new implementation supports MD5 and SHA-1 hashes for both basic digests and signing. If OpenSSL 0.9.8 is available, SHA-512 is used for signed digests.

Additionally, I've migrated the OpenSSL initialization code to crypto.c, and added code for reading -- and signing with -- PEM-encoded x509 certificates and RSA and DSA private keys. I've also added encryption configuration options to the various daemons.

If you would like to take a look at the current patchset in all its glory, you can find it here: bacula-crypto-1.diff.gz

The next task on my list is storage of signed message digests and per-session symmetric keys in both the catalog and volume. I will be out on holiday next week, but I hope to have another patchset available shortly after I return.

[/code/bacula] permanent link

00:27 Sun, 14 Aug 2005 PDT -0700

Bacula Encryption Fund-Raising Project - UPDATE!

A few weeks ago we officially announced the Bacula data encryption project -- an endeavor to add data encryption support to Bacula and raise funds for the Electronic Frontier Foundation.

The community's response has been wonderful, and we've managed to raise a total of $1,165. Your donations are appreciated! With your continued support, I hope we can meet our goal of $3,000.

Below is a list of the donors to-date. If I have missed anyone, or any information is incorrect, please send me an e-mail.

	Donor:			Amount:
	WingNET Internet	$500
	Timo Neuvonen		$250
	Ed Grether		$25
	Charles Reinehr		$100
	Michael Proto		$25
	Phil Cordier		$100
	Dan Langille		$100
	Tom Plancon		$65
			Total:	$1,165

The EFF has taken notice:

"In addition, huge thanks to Landon Fuller and the Bacula Project for helping to raise money for EFF..."

"Grassroots fundraising efforts like these give EFF the energy (and funds!) to keep on fighting the good fight - defending free speech, fair use, innovation, and privacy on the electronic frontier. By supporting EFF, you help carry the banner to protect digital civil liberties."

Thank you for your donations!

[/code/bacula] permanent link

21:44 Tue, 09 Aug 2005 PDT -0700

Bacula Encryption Fund-Raising Project

Bacula is an excellent backup solution available for the BSDs, Linux, Mac OS X, Windows, and other operating systems.

As the original contributor of Bacula's network encryption support, I recently volunteered to implement on-disk backup encryption -- with one catch. In exchange for implementing data encryption support, I would like the Bacula community to donate $3,000 to the Electronic Frontier Foundation.

To quote the official announcement: "Can your company contribute $250 or $500? How about $100? And if your budget is really tight, why not forego a couple of fast food meals and contribute $20?. Bacula is a community project, and this can be your way of helping make Bacula an even better product for the good of the whole community."

Information on how to donate can be found in the official announcement.

[/code/bacula] permanent link

21:06 Tue, 09 Aug 2005 PDT -0700

Accessing My Sources Using Arch

GNU Arch, while incredibly obtuse, has a relatively unique featureset that I've come to appreciate. As such, I've begun using it for my externally available source code. There are two projects currently available in my arch repository - the project containing this web log, and TclObjC, a Tcl<->Obj-C bridge that I have been working on.

If you want to browse my arch repository, just point your web browser at my ArchZoom interface. To access the repository directly, you'll need the arch client, tla. If you're using Mac OS X or Darwin, you can use DarwinPorts to install it. Once you have arch installed, use the commands below to access my archive.

Click here to read more ...

[/code] permanent link

Installing and Using the MinGW Cross-Compiler on Mac OS X

MinGW supplies header files, import libraries, and a compiler tool-chain based on GNU cc and binutils for building native Windows executables and libraries with no dependencies on third party libraries.

I am using the MinGW tool-chain to compile the Win32 port of OpenDarwin libFoundation. To cross-compile the library on my Mac OS X machine, I created DarwinPorts Portfiles for the MinGW tool-chain.

In this article I'll document how to install the MinGW ports, build a "Hello, World" example, and run the result on an x86 machine using Wine.

Click here to read more ...

[/code/win32] permanent link

Gathering Interface Statistics with PF


Yesterday, I wanted to gather bandwidth usage statistics on my FreeBSD pf(4) based firewall in order to graph incoming and outgoing bandwidth utilization.

pfctl(8) provides the '-s info' flag, which can provide statistics on a single interface at a time. The interface can be chosen with either the "loginterface" directive in pf.conf, or by using the DIOCSETSTATUSIF ioctl. However, I needed statistics for all the network interfaces, not just one.

Fortunately, pf(4) also provides the DIOCIGETIFACES ioctl, which allows me to gather packet and byte statistics on all interfaces at once. This article will provide an introduction to using the pf(4) ioctl interface to gather network interface traffic statistics. Full example source code can be downloaded here. Note that PF does not maintain statistics on traffic that does not pass through PF. If you don't use PF, all the counters will be zero.

Click here to read more ...

[/code/bsd] permanent link

OpenVPN Auth-LDAP Plugin

Yesterday I implemented an LDAP authentication plugin for OpenVPN 2.x. OpenVPN's new plugin architecture makes it surprisingly easy to extend the software in very useful ways.

More information and the source code are available on this page

[/code/ldap] permanent link

Introduction / Implementation

For quite some time I have wanted an easy means of sharing information in a semi-attractive format while expending the least possible effort. To this end, I have finally assembled a web log based on Blosxom, Arch, and duct tape.

All my modifications to blosxom and various blosxom plugins can be accessed via my arch repository. See this post for details on accessing the arch repository.

[/code] permanent link