Aurich Lawson (after KC Green)
At first look, Matthew Macy appeared like a superbly cheap option to port WireGuard into the FreeBSD kernel. WireGuard is an encrypted point-to-point tunneling protocol, a part of what most individuals consider as a “VPN.” FreeBSD is a Unix-like working system that powers every little thing from Cisco and Juniper routers to Netflix’s community stack, and Macy had loads of expertise on its dev staff, together with work on a number of community drivers.
So when Jim Thompson, the CEO of Netgate, which makes FreeBSD-powered routers, determined it was time for FreeBSD to get pleasure from the identical degree of in-kernel WireGuard assist that Linux does, he reached out to supply Macy a contract. Macy would port WireGuard into the FreeBSD kernel, the place Netgate might then use it within the firm’s well-liked pfSense router distribution. The contract was supplied with out deadlines or milestones; Macy was merely to get the job achieved on his personal schedule.
With Macy’s degree of expertise—with kernel coding and community stacks specifically—the challenge seemed like a slam dunk. But issues went awry nearly instantly. WireGuard founding developer Jason Donenfeld did not hear in regards to the challenge till it surfaced on a FreeBSD mailing record, and Macy did not appear eager about Donenfeld’s help when supplied. After roughly 9 months of part-time improvement, Macy dedicated his port—largely unreviewed and inadequately examined—immediately into the HEAD part of FreeBSD’s code repository, the place it was scheduled for incorporation into FreeBSD 13.0-RELEASE.
This sudden commit raised the stakes for Donenfeld, whose challenge would finally be judged on the standard of any manufacturing launch below the WireGuard title. Donenfeld recognized quite a few issues with Macy’s code, however slightly than object to the port’s launch, Donenfeld determined to repair the problems. He collaborated with FreeBSD developer Kyle Evans and with Matt Dunwoodie, an OpenBSD developer who had labored on WireGuard for that working system. The three changed nearly all of Macy’s code in a mad week-long dash.
This went over very poorly with Netgate, which sponsored Macy’s work. Netgate had already taken Macy’s beta code from a FreeBSD 13 launch candidate and positioned it into manufacturing in pfSense’s 2.5.Zero launch. The forklift improve carried out by Donenfeld and collaborators—together with Donenfeld’s sharp characterization of Macy’s code—offered the corporate with a critical PR drawback.
Netgate’s public response included accusations of “irrational bias in opposition to mmacy and Netgate” and irresponsible disclosure of “plenty of zero-day exploits”—regardless of Netgate’s near-simultaneous declaration that no precise vulnerabilities existed.
This combative response from Netgate raised elevated scrutiny from many sources, which uncovered shocking parts of Macy’s personal previous. He and his spouse Nicole had been arrested in 2008 after two years spent trying to illegally evict tenants from a small San Francisco residence constructing the pair had purchased.
The Macys’ makes an attempt to drive their tenants out included sawing by means of ground assist joists to make the constructing unfit for human habitation, sawing holes immediately by means of the flooring of tenants’ flats, and forging extraordinarily threatening emails showing to be from the tenants themselves. The couple fled to Italy to keep away from prosecution however had been finally extradited again to the US—the place they pled responsible to a diminished set of felonies and served 4 years and 4 months every.
Macy’s historical past as a landlord, unsurprisingly, dogged him professionally—which contributed to his personal lack of consideration to the doomed WireGuard port.
“I did not even wish to do that work,” Macy finally advised us. “I used to be burned out, spent many months with post-COVID syndrome… I’d suffered by means of years of verbal abuse from non-doers and semi-non-doers within the challenge whose one large one up on me is that they are not felons. I jumped on the alternative to go away the challenge in December… I simply felt an ethical obligation to get [the WireGuard port] over the end line. So you will must forgive me if my remaining efforts had been a bit half-hearted.”
This admission solutions why such an skilled, certified developer would possibly produce inferior code—nevertheless it raises a lot bigger questions on course of and process inside the FreeBSD core committee itself.
How did a lot sub-par code make it to this point into a significant open supply working system? Where was the code evaluation which ought to have stopped it? And why did each the FreeBSD core staff and Netgate appear extra centered on the truth that the code was being disparaged than its precise high quality?
Code Quality
The first challenge is whether or not Macy’s code truly had vital issues. Donenfeld stated that it did, and he recognized plenty of main points:
- Sleep to mitigate race situations
- Validation features which merely return true
- Catastrophic cryptographic vulnerabilities
- Pieces of the wg protocol left unimplemented
- Kernel panics
- Security bypasses
- Printf statements deep in crypto code
- “Spectacular” buffer overflows
- Mazes of Linux→FreeBSD ifdefs
But Netgate argued that Donenfeld had gone overboard together with his destructive evaluation. The unique Macy code, they argued, was merely not that bad.
Despite not having any kernel builders on-staff, Ars was in a position to confirm no less than a few of Donenfeld’s claims immediately, shortly, and with out exterior help. For occasion, discovering a validation operate which merely returned true—and printf statements buried deep in cryptographic loops—required nothing extra sophisticated than grep.
Empty validation operate
In order to substantiate or deny the declare of an empty validation operate—one which at all times “returns true” slightly than truly validating the info handed to it—we looked for cases of return true or return (true) in Macy’s if_wg code, as checked into FreeBSD 13.0-HEAD.
root@banshee:~/macy-freebsd-wg/sys/dev/if_wg# grep -ir 'return.*true' . | wc -l
21This is a sufficiently small variety of returns to simply hand-audit, so we then used grep to seek out the identical knowledge however with three traces of code coming instantly earlier than and after every return true:
root@banshee:~/macy-freebsd-wg/sys/dev/if_wg# grep -ir -A3 -B3 'return.*true' .Among the legitimate makes use of of return true, we found one empty validation operate, in module/module.c:
wg_allowedip_valid(const struct wg_allowedip *wip)
{
return (true);
}It’s in all probability value mentioning that this empty validation operate is just not buried on the backside of a sprawling mass of code—module.c as written is simply 863 whole traces of code.
We didn’t try and chase down the usage of this operate any additional, nevertheless it seems to be meant to verify whether or not a packet’s supply and/or vacation spot belongs to WireGuard’s allowed-ips record, which determines what packets could also be routed down a given WireGuard tunnel.
