Braindump


  • Cryptography everywhere

    Last summer, while looking for a new mail client, I stumbled upon Trojitá, a lightweight IMAP client based on Qt. The largest drawback from my point of view was the missing support for PGP and S/MIME. After looking at the code I figured I could try to implement the missing features.

    The result was a partially working branch full of little hacks, which supported sending of encrypted and signed PGP messages. Checking of signatures worked most of the time and reading of encrypted messages required looking at the debug output most of the time.

    Following the development and fixing some small bugs provided me with more insight on the code base of Trojitá and the idea of a clean rewrite of my code came up. As the clean solution required the design of a new model representing the parts of a message, a task I didn’t really feel up to, it didn’t evolve any further for quite some time.

    The turning point was the announcement of KDE taking part in this year’s Google Summer of Code. As Trojitá is part of the KDE project this provided a great opportunity. I am able to use my participation in GSoC for my studies in computer science and with this I can concentrate on the required changes better and invest more time in a clean solution.

    In the past few weeks I was able to develop a model that can provide the original, unencrypted message parts as well as decrypted ones. I was able to reuse most of the PGP related code and I am currently working on cleaning up my code so it can be merged into Trojitá’s master branch.

    After that I’ll start integrating the decryption of S/MIME messages as well as checking PGP and S/MIME signatures. I’ll try to keep you posted on my progress.

  • How I found an integer overflow in PHP-FPM

    This week I solved a strange problem I had with my personal ownCloud instance. When uploading a file I always got an error that the uploaded file was larger than MAX_FILE_UPLOAD.

    After some digging in the ownCloud PHP code I tracked this down to an error 2 (UPLOAD_ERR_FORM_SIZE) in the PHP built-in array $_FILES used for file uploads. This indicates that the uploaded file was larger than MAX_FILE_UPLOAD.

    At this point I was stuck for a while. I looked for a solution and only found people with low values for upload_max_filesize in their php.ini. This was definitely not the issue in my case as this value was set to 8G in my php.ini.

    Finally a friend of mine brought up an idea I had once but didn’t investigate: What if the MAX_FILE_SIZE is not too small but too large? Meaning there is an overflow somewhere. Dividing that value by about 1000 in a test form I wrote showed it was a good trail. Suddenly I could upload files.

    After some binary search I had the largest value for MAX_FILE_SIZE that worked: 2147483647 (2^31-1). This looks a lot like an integer overflow of a signed int. Using my test form and my test php script on a different machine (CentOS with an Apache2 and mod-php) didn’t show that error so I assume it’s a bug in the implementation of php-fpm.

    Setting upload_max_filesize to 2000M (2G is just too large) fixed the problem and I can upload files to my server now. As a final action I filed a bug in the bug tracker of php and now I’m waiting for it to be fixed.

    Update: The bug report can be found here
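
    The symptom described in this post, reproduced as an added example (not code from the post and not PHP's source): it assumes the configured limit ends up in a signed 32-bit field somewhere on the upload path, which is what the 2^31-1 threshold suggests. The function names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a php.ini-style size ("8G", "2000M", "123") into 64 bits.
 * Returns 0 on success, -1 on malformed input or overflow. */
int parse_size(const char *s, int64_t *out) {
    char *end;
    int shift = 0;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || errno == ERANGE || v < 0) return -1;
    switch (toupper((unsigned char)*end)) {
    case 'G': shift = 30; end++; break;
    case 'M': shift = 20; end++; break;
    case 'K': shift = 10; end++; break;
    case '\0': break;
    default: return -1;
    }
    if (*end != '\0' || v > (INT64_MAX >> shift)) return -1;
    *out = (int64_t)v * ((int64_t)1 << shift);
    return 0;
}

/* Assumed fault: the limit is stored in a signed 32-bit field, so only the
 * low 32 bits survive and are read back as two's complement. */
int32_t narrow_to_int32(int64_t limit) {
    uint32_t low = (uint32_t)limit;
    return low > INT32_MAX ? (int32_t)((int64_t)low - 4294967296LL) : (int32_t)low;
}

/* Upload check against the narrowed limit: 1 = accepted, 0 = rejected. */
int accepts_narrow(int64_t size, int64_t limit) { return size <= narrow_to_int32(limit); }

/* Same check with the limit kept at 64 bits end to end. */
int accepts_wide(int64_t size, int64_t limit) { return size <= limit; }

int main(void) {
    const char *cfg[] = {"8G", "2G", "2000M"};   /* values from the post */
    int64_t limit, file = 10 * 1024 * 1024;      /* constructed 10 MiB upload */
    for (int i = 0; i < 3; i++)
        if (parse_size(cfg[i], &limit) == 0)
            printf("%-6s int32=%11d narrow=%d wide=%d\n", cfg[i],
                   (int)narrow_to_int32(limit), accepts_narrow(file, limit), accepts_wide(file, limit));
    return 0;
}
```

    With the narrowed limit, 8G and 2G reject even a 10 MiB upload while 2000M accepts it; with the 64-bit limit all three accept it.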

  • Setting up your own Gitorious installation

    In the following I will describe how to install gitorious on a server running Ubuntu Server 10.04.4 LTS. This article describes my way of installing gitorious based on the howto on silly-science.co.uk.

    Run the following commands as root if not stated otherwise.

    1. Install ALL teh dependencies

      aptitude update
      aptitude install build-essential zlib1g-dev tcl-dev libexpat-dev libcurl4-openssl-dev apache2 mysql-server \
        mysql-client apg geoip-bin libgeoip1 libgeoip-dev sqlite3 libsqlite3-dev imagemagick libpcre3 libpcre3-dev \
        zlib1g zlib1g-dev libyaml-dev libmysqlclient15-dev apache2-dev libonig-dev libmagick++-dev zip \
        unzip memcached git-core git-svn git-doc git-cvs irb sphinxsearch libxslt-dev libxml2-dev
      

      (Optionally also install postfix and phpmyadmin. As I’m already running postfix on another machine I don’t need it, and I don’t need phpmyadmin at all.)

    2. Install ActiveMQ

      aptitude install uuid uuid-dev openjdk-6-jre
      cd /tmp
      wget http://www.powertech.no/apache/dist/activemq/apache-activemq/5.5.1/apache-activemq-5.5.1-bin.tar.gz
      tar xzvf apache-activemq-5.5.1-bin.tar.gz -C /usr/local/
      echo "export ACTIVEMQ_HOME=/usr/local/apache-activemq-5.5.1" >> /etc/activemq.conf
      echo "export JAVA_HOME=/usr/" >> /etc/activemq.conf
      adduser --system --no-create-home activemq
      chown -R activemq /usr/local/apache-activemq-5.5.1/data
      
    3. Disable multicasting of ActiveMQ. Open /usr/local/apache-activemq-5.5.1/conf/activemq.xml and change the following lines:

      <transportConnectors>
          <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      </transportConnectors>
      

      to something like this:

      <transportConnectors>
          <transportConnector name="openwire" uri="static://(tcp://127.0.0.1:61616)"/>
      </transportConnectors>
      
    4. Setup the startup script for ActiveMQ and start it

      wget http://launchpadlibrarian.net/15645459/activemq
      mv activemq /etc/init.d/activemq
      chmod +x /etc/init.d/activemq
      update-rc.d activemq defaults
      service activemq start
      
    5. Download and install Ruby Enterprise Edition

      wget http://rubyenterpriseedition.googlecode.com/files/ruby-enterprise_1.8.7-2012.02_amd64_ubuntu10.04.deb
      dpkg -i ruby-enterprise_1.8.7-2012.02_amd64_ubuntu10.04.deb
      
    6. Download and install RubyGems

      wget http://rubyforge.org/frs/download.php/75856/rubygems-1.8.17.tgz
      tar xzvf rubygems-1.8.17.tgz
      cd rubygems-1.8.17
      ruby setup.rb
      
    7. Install the required Gems

      gem install -b --no-ri --no-rdoc rmagick chronic geoip daemons hoe echoe ruby-yadis ruby-openid mime-types \
        diff-lcs json rack ruby-hmac rake stompserver passenger rails ultrasphinx mysql
      gem install -b --no-ri --no-rdoc -v 1.0.1 rack
      gem install -b --no-ri --no-rdoc -v 1.3.1.1 rdiscount
      gem install -b --no-ri --no-rdoc -v 1.1 stomp
      
    8. Clone the gitorious repository (in the following we assume that /var/www/gitorious is the installation path of gitorious)

      cd /var/www/
      git clone git://gitorious.org/gitorious/mainline.git /var/www/gitorious
      # the submodule commands must run inside the cloned working tree
      cd /var/www/gitorious
      git submodule init
      git submodule update
      
    9. Copy the required init-scripts

      cp /var/www/gitorious/doc/templates/ubuntu/git-daemon /etc/init.d/
      cp /var/www/gitorious/doc/templates/ubuntu/git-ultrasphinx /etc/init.d/
      
    10. Change the paths in /etc/init.d/git-daemon to fit your installation.

      RUBY_HOME="/usr/local"
      GIT_DAEMON="bundle exec $RUBY_HOME/bin/ruby $GITORIOUS_HOME/script/git-daemon -d"
      
    11. It is advised to use bundle exec for rake so change the following lines in /etc/init.d/git-ultrasphinx

      START_CMD="cd $GITORIOUS_HOME && bundle exec rake ultrasphinx:daemon:start RAILS_ENV=production"
      STOP_CMD="cd $GITORIOUS_HOME && bundle exec rake ultrasphinx:daemon:stop RAILS_ENV=production"
      RESTART_CMD="cd $GITORIOUS_HOME && bundle exec rake ultrasphinx:daemon:restart RAILS_ENV=production"
      STATUS_CMD="cd $GITORIOUS_HOME && bundle exec rake ultrasphinx:daemon:status RAILS_ENV=production"
      
    12. Create the init-scripts for git-poller and stomp from the gitorious tutorial

    13. Change the path of stompserver in /etc/init.d/stomp to /usr/local/bin/stompserver

    14. Set the correct permissions and activate the initialisation files:

      chmod 755 /etc/init.d/git-ultrasphinx /etc/init.d/git-daemon /etc/init.d/stomp /etc/init.d/git-poller
      update-rc.d stomp defaults
      update-rc.d git-daemon defaults
      update-rc.d git-ultrasphinx defaults
      update-rc.d git-poller defaults
      
    15. Run apache setup script and follow the instructions. When asked to edit the Apache config copy the stated config into /etc/apache2/mods-available/passenger.load:

      /usr/local/bin/passenger-install-apache2-module
      
    16. Enable the required Apache2 modules

      a2enmod passenger
      a2enmod rewrite
      a2enmod ssl
      a2ensite default-ssl
      
    17. Restart apache:

      service apache2 restart
      
    18. Add a ‘git’ user to MySQL with global create privileges. Also give it all privileges on gitorious_production.

      mysql -p
      > CREATE USER 'git'@'localhost' IDENTIFIED BY '********';
      > GRANT CREATE ON *.* TO 'git'@'localhost';
      > GRANT ALL ON gitorious_production.* TO 'git'@'localhost';
      > EXIT
      
    19. Create /etc/apache2/sites-available/gitorious and /etc/apache2/sites-available/gitorious-ssl using the listings on the gitorious tutorial (the SSL is required for login!)

      a2dissite default
      a2dissite default-ssl
      a2ensite gitorious
      a2ensite gitorious-ssl
      
    20. Add a user ‘git’ to the system:

      adduser --system --home /var/www/gitorious/ --no-create-home --group --shell /bin/bash git
      
    21. Set permissions on the gitorious tree:

      chown -R git:git /var/www/gitorious 
      
    22. Now run the following sequence of commands:

      su - git
      cd /var/www/gitorious
      mkdir .ssh
      touch .ssh/authorized_keys
      chmod 700 .ssh
      chmod 600 .ssh/authorized_keys
      mkdir tmp/pids
      mkdir repositories
      mkdir tarballs
      cp config/database.sample.yml config/database.yml
      cp config/gitorious.sample.yml config/gitorious.yml
      cp config/broker.yml.example config/broker.yml
      
    23. If you have a separate partition or disk for the repositories create the corresponding entry in /etc/fstab and run

      mount -a
      
    24. Edit config/database.yml: Remove every section but production and change the database parameter to fit your setup (i.e. change username and password)

    25. Edit config/gitorious.yml: Remove every section but production (so at the top tab level only production: should exist)

    26. Check the settings in config/gitorious.yml and modify the following lines:

      gitorious_client_host: localhost
      gitorious_host: example.org
      repository_base_path: "/var/www/gitorious/repositories"
      archive_cache_dir: "/var/www/gitorious/tarballs"
      archive_work_dir: "/tmp/tarballs-work"
      cookie_secret: ssssht  # use `apg -m 64` to generate a key
      exception_notification_emails: notify@example.org
      sender_email_address: "Example.org <no-reply@example.org>"
      
    27. To use an external mail server change the following lines in config/environments/production.rb

      config.action_mailer.delivery_method = :smtp
      config.action_mailer.smtp_settings = {
               :address => "mail.comsound.de",
               :port => 25,
               :domain => "kitty"
      }
      
    28. Run the following as root:

      cd /var/www/gitorious
      bundle install
      
    29. Insert the following line at the beginning of Rakefile and config/environment.rb

      require 'thread'
      
    30. Run the following as git user (note if you have to drop out to root again because it tells you that you missed some gems then remember to do the export again when you have su’d back into the git user!):

      export RAILS_ENV=production
      bundle exec rake db:create
      mysql -u root -p
      > GRANT ALL ON gitorious_production.* TO 'git'@'localhost';
      > EXIT
      bundle exec rake db:migrate
      bundle exec rake ultrasphinx:bootstrap
      
    31. Add the following line to the crontab (run crontab -e as user ‘git’ to edit the crontab):

      * * * * * cd /var/www/gitorious && /usr/bin/rake ultrasphinx:index RAILS_ENV=production
      
    32. Now create an admin user. To do so, run the following as git user:

      bundle exec ruby script/create_admin
      
    33. Restart apache as root

      service apache2 restart
      
    34. Start the daemons

      service stomp start
      service git-daemon start
      service git-ultrasphinx start
      service git-poller start
      

    Troubleshooting:

    • If css and js are missing it’s likely you forgot to run git submodule init and git submodule update. Do that now and run bundle exec rake assets:clear

    • If you see something like ‘Mysql::Error: Lock wait timeout exceeded’ in the log files, stompserver isn’t running. Check if it’s running and if you updated all paths in /etc/init.d/stomp
