sks-devel

Re: [Sks-devel] spodhuis keyserver down, pending OCaml CVE updates


From: Phil Pennock
Subject: Re: [Sks-devel] spodhuis keyserver down, pending OCaml CVE updates
Date: Thu, 8 Mar 2018 19:18:35 -0500

On 2017-10-03 at 17:28 -0400, Phil Pennock wrote:
> TL;DR: sks-peer.spodhuis.org down until further notice, when I get time
> to investigate properly.  Down by administrator action.  No need to
> deconfigure peering.

> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> 
> This appears to have been publicly discussed in April 2016, but not
> patched for that OS until today.  I'm on FreeBSD.  My OCaml is 4.02.3.

It's been a lot longer than expected, but sks-peer.spodhuis.org is
peering again and is all caught up.

Grotty details follow, including details of compiling with newer OCaml.

FreeBSD is still packaging for Ports ocaml-4.02.3, which generates code
susceptible to overflow attacks.  The bug I filed,
<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223039>, has seen no
activity.  I do not know enough about the OCaml ecosystem to be
confident taking on the work myself, to upgrade the compiler without
fallout for other packages.  Having since rebuilt SKS on a newer
version, I know that there will be breakages.  OCaml's stdlib makes
backwards-incompatible changes.

I built and installed OCaml 4.05 using "ocamlbrew", which promptly
failed to install just over half of the extra packages because lwt_react
depends upon internals of lwt which were deliberately broken ... "March
2018".  But it got me ocaml and opam.  I then spent a lot of time trying
to get `gmake dep` to work, trying to figure out what the right
combination of invocation options was to get the pre-processing to work,
before finally realizing that no, `camlp4` really wasn't installed: opam
had installed a *stub*, because it hadn't installed ocaml, thus the ocaml
was "system" and came with camlp4, while ocamlbrew also didn't install,
leaving that to be a packaging system.  When I see `+system` at the end
of a package version, I don't normally conclude "stub, nothing present".

After a <configure/make/make install> cycle of camlp4, it suddenly
became possible to start actually compiling SKS.  The code patches
needed were adding `~cloexec:true` to every `Unix.socket` instantiation.
Mostly because Kristian had already done a bunch of ocamlfind stuff for
me.

I'm still using my long keyids patch, but merged in current upstream
changes.  The exact code is available at
<https://bitbucket.org/philpennock/sks-keyserver-philp>.

I don't know Mercurial well enough to do proper pull requests again
for the long keyid support.  Heck, I can't even install Mercurial in the
Jail where SKS is right now, because to get better crypto for nginx it's
got my "OpenSSL 1.1.0 + Python3" package combination and Mercurial is
still Python2-only.

Full keydump after catchup at:
<http://pennocktech-pgp-keydumps.s3-website.us-east-2.amazonaws.com/20180308/>

-Phil
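An added example, not from the original post or from the SKS code base, showing the `Unix.socket` call shape that the post says the rebuild on OCaml 4.05 required, and why the close-on-exec flag matters for a long-running daemon. It assumes OCaml 4.05 or later (where `Unix.socket` gained the optional `?cloexec` argument); the port number and function names are hypothetical.

```ocaml
(* Added example, not SKS code: the before/after shape of a listening-socket
   setup around Unix.socket.  Assumes OCaml >= 4.05, where Unix.socket takes an
   optional ?cloexec argument.  The port is a hypothetical value. *)

(* Before: no close-on-exec flag on the descriptor.  Any process this daemon
   later forks and execs silently inherits the listening socket, so a helper
   program ends up holding the port open (and can read from it) after the
   parent intended to own it exclusively. *)
let listening_socket_old port =
  let fd = Unix.socket Unix.PF_INET Unix.SOCK_STREAM 0 in
  Unix.bind fd (Unix.ADDR_INET (Unix.inet_addr_any, port));
  Unix.listen fd 128;
  fd

(* After: ~cloexec:true sets FD_CLOEXEC at creation time, so the kernel
   closes the descriptor in any exec'd child; there is no window between
   socket() and a separate fcntl() call in which a fork could copy it. *)
let listening_socket port =
  let fd = Unix.socket ~cloexec:true Unix.PF_INET Unix.SOCK_STREAM 0 in
  Unix.setsockopt fd Unix.SO_REUSEADDR true;
  Unix.bind fd (Unix.ADDR_INET (Unix.inet_addr_any, port));
  Unix.listen fd 128;
  fd

let () =
  (* 11371 is only a sample port for this demonstration. *)
  let fd = listening_socket 11371 in
  print_endline "listening socket created with close-on-exec set";
  Unix.close fd
```

Build with `ocamlfind ocamlopt -package unix -linkpkg cloexec_demo.ml -o cloexec_demo` (assuming ocamlfind is installed, as the post describes). The same `?cloexec` argument exists on `Unix.accept` from 4.05 onward, so accepted connections can be created with the flag too rather than fixed up afterwards.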
