Allegations of a Backdoor in OpenBSD Are Not Confirmed
Some allegations regarding backdoors implemented at FBI’s request in OpenBSD’s IPsec stack were made earlier this month. After auditing the code, Theo de Raadt, the founder of OpenBSD, has concluded that there are no such threats in the open source operating system.
Theo de Raadt, a software engineer who founded the OpenBSD and OpenSSH projects, reported that he received a private email from Gregory Perry, a former CTO at NETSEC who took care of funding and donations for the OpenBSD Crypto Framework and also consulting for the FBI back in 2000-2001. Perry claimed that some developers planted “a number of backdoors” in the OpenBSD’s IPsec stack at FBI’s request in exchange for funding:
My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.
de Raadt published the email to a Gmane newsgroup, inviting the users of the IPsec code to audit it in order to find out if the allegations are true:
Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.
The news has appeared on many news websites, feeding the suspicion that the US government is spying on computer communications. A week later, de Raadt published a number of conclusions of his investigation regarding the issue. Among others, he believes that “NETSEC was probably contracted to write backdoors as alleged”, but “if those were written, I don't believe they made it into our tree. They might have been deployed as their own product.” Two serious bugs were found during the audit, according to de Raadt, one of them related to the Cipher-Block Chaining (CBC) oracle attack.
Jason L. Wright, the developer mentioned by Gregory Perry as one of those who wrote the backdoors, denied all allegations:
I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF). The code I touched during that work relates mostly to device drivers to support the framework. I don't believe I ever touched isakmpd or photurisd (userland key management programs), and I rarely touched the ipsec internals (cryptodev and cryptosoft, yes). However, I welcome an audit of everything I committed to OpenBSD's tree.
The overall conclusion is that there is no backdoor in OpenBSD, but the allegations prompted some developers to check their code once more.
Todd Montgomery Dec 19, 2014