FreeBSD 13/WireGuard/pfSense 2.5

Vesalius

Member
Nov 25, 2019
Most have probably seen some things about this flare-up. Best I can tell, netgate hired a guy to port wireguard over to FreeBSD (glad they did). The netgate contractor did so, but rebuffed or ignored attempts from the wireguard founder to help and evaluate the port, with the first offer at least back in feb 2020. The port was finished internally and moved into the freebsd 13 RC, followed by the big marketing write-ups from netgate after they released it backported to their freebsd 12.2 based pfSense 2.5.

Then, in a mad-rush code review to vet this merge before FreeBSD 13 is released publicly, the major brouhaha started and the netgate founder went on offense privately and publicly, although less than they did against opnsense in years past.

pfsense 2.5 and the not-yet-released 2.5.1 candidates are still running the old implementation that was weighed, measured and found wanting by both the wireguard lead and the FreeBSD security devs.


texteditor

New Member
Oct 8, 2019
There's a lot to unpack here on this story, and every bit of it makes the PFSense guys look like assholes, but I would like to point out something I feel is getting massively under-reported about this story - this is the guy PFSense saw fit to hire to code their (bad) patch for them:


FreeBSD developer Kip Macy charged with tenant terror

Exclusive: 'Landlord from Hell' Defends Terrorizing Apartment Tenants


Kip Macy, 39, and his wife, Nicole Macy, also 39, were deemed "landlords of hell" by authorities for menacing the tenants of their San Francisco apartment building.
In what authorities called a 17-month lawless rampage, the couple burglarized apartments, sabotaged the building's structure, and even sawed up through a horrified tenant's apartment floor, according to district attorney George Gascon.
From September 2005 to December 2007, Kip and Nicole Macy tried to make their tenants leave by any means necessary according to the DA, including asking a city inspector what beams to cut to make their building deemed unfit to live in -- and then actually doing it.
"They used a power saw and tried to compromise the structure of the building so the floor would actually collapse," DA Gascon said.
The two also cut phone lines, shut off power, and boarded up the windows of occupied apartments. Kip and Nicole Macy even removed tenants' belongings from their apartments.
"I regret, you know, having moved the Mexicans' stuff into the hallway," Kip Macy said. "I don't see how that was burglary, or theft, since I neither stole their stuff."
Eventually he and Nicole Macy were arrested at Kip Macy's parents' house in 2008 and released on $500,000 bond, for which Kip Macy's parents drained much of their retirement savings to pay. His mother Marie even sold her jewelry to help finance their release. Once free, Kip and Nicole Macy jumped bail, fleeing to Italy, leaving Kip Macy's father and mother, potentially at a loss of half a million dollars.

That's psychopath behavior, and that's just the highlights I got skimming the articles about it.

Vesalius

Member
Nov 25, 2019
Seems like Jamie Thompson and Scott, from pfSense, and Kip share several character traits when they feel wronged.

Feel bad for all the good people working for and depending on netgate for their livelihood; when the head guy acts this way, most of them have to just grin and bear it unless they can somehow band together and depose the immature figurehead. Would have made for a good episode of Silicon Valley on HBO.

texteditor

New Member
Oct 8, 2019
Would have made for a good episode of Silicon Valley on HBO.
Maybe, but this is funny because it's absurd.

Whereas this is just messed up:
When civil attorneys got involved in the overall case, Nicole Macy impersonated one of the victims with an e-mail and curtly fired his lawyer, prosecutors said. Then, still impersonating the victim by e-mail, she threatened to kidnap and dismember the children of one of her own attorneys.


"One day you are going to come home ... and find (your three children) missing," she e-mailed, according to the grand jury transcript. "Then each day a package will arrive with a piece of them. You are f- with the wrong person."


From the article, is it clear that one should *not* use the WireGuard implementation included in the 2.5 pfsense release?
I mean, I wouldn't - here are some notes from Wireguard's founder, who reviewed it and wrote the replacement after failing to adequately fix the PFSense implementation that was so broken.

[ANNOUNCE] WireGuard for FreeBSD in development for 13.y – and a note of how we got here

There were random sleeps added to “fix” race conditions, validation functions that just returned true, catastrophic cryptographic vulnerabilities, whole parts of the protocol unimplemented, kernel panics, security bypasses, overflows, random printf statements deep in crypto code, the most spectacular buffer overflows, and the whole litany of awful things that go wrong when people aren’t careful when they write C.

One curious thing of note is that there were 40,000 lines of optimized crypto implementations pulled out of the Linux kernel compat module but not really wired up correctly, and mangled beyond repair with mazes of Linux→FreeBSD ifdefs. I wound up replacing this with an 1,800 line file, crypto.c [1], containing all of the cryptographic primitives needed to implement WireGuard.

Jun 22, 2015
What's great about Linus is that he made superb things happen without much drama. And all the stuff developed under his leadership stands the test of time. I used git for many years before knowing that he developed it. He may not have created everything, but his personality just made everything flow smoothly. He is truly our best open-source shepherd.

Sean Ho

seanho.com
Nov 19, 2019
OPNSense has been using userland wg-go; I would expect it not to be affected by wg being pulled from the kernel tree. Even if the `if_wg` kernel implementation stays in ports indefinitely, OPN could switch to it quite easily down the line.

zer0sum

Active Member
Mar 8, 2013
Wow...this just keeps getting worse!! :(


Macy's code included...
  • Sleep to mitigate race conditions
  • Validation functions which simply return true
  • Catastrophic cryptographic vulnerabilities
  • Pieces of the wg protocol left unimplemented
  • Kernel panics
  • Security bypasses
  • Printf statements deep in crypto code
  • "Spectacular" buffer overflows
  • Mazes of Linux→FreeBSD ifdefs

beren

New Member
Oct 25, 2018
OpnSense has the official wireguard-kmod in experimental now, not the pulled module. I hear it's a lot faster.