From the code base on which the FreeBSD 13 release was based, the code with the implementation of the WireGuard VPN protocol, developed by order of Netgate without consultation with the developers of the original WireGuard, and already included in stable releases of the pfSense distribution, was removed with a scandal. After reviewing the code by Jason A. Donenfeld, the author of the original WireGuard, it turned out that the proposed FreeBSD implementation of WireGuard was a piece of low-grade code that was riddled with buffer overflows and violated the GPL license.
Catastrophic flaws in the cryptography code were found in the implementation, part of the WireGuard protocol was omitted, there were errors that led to the crash of the kernel and bypass of protection methods, fixed-size buffers were used for input data. A lot about the quality of the code is the presence of stubs instead of checks that always return the value "true", as well as forgotten debug printfs with the output of parameters used for encryption, and the use of the sleep function to prevent race conditions.
Some parts of the code, such as the crypto_xor function, have been ported from the Linux implementation of WireGuard in violation of the GPL. As a result, Jason Donenfield, along with Kyle Evans and Matt Dunwoodie (author of the WireGuard port for OpenBSD), set about reworking the problematic implementation and in a week completely replaced all the code of the developer hired by Netgate. The reworked version was released as a separate set of patches, placed in the WireGuard project repository and has not yet been included in FreeBSD.
Interestingly, initially nothing boded trouble, Netgate, who wanted to be able to use WireGuard in the pfSense distribution, hired Matthew Macy, who is well versed in the FreeBSD kernel and networking stack, involved in bug fixing and has experience in developing network drivers for this operating system. Macy was given a free schedule with no deadlines or intermediate checks. Developers who crossed paths with Macy while working on FreeBSD characterized him as a talented and professional programmer, making no more mistakes than others and adequately responding to criticism. The deplorable code quality of the FreeBSD implementation of WireGuard took them by surprise.
After 9 months of work last December, Macy added his implementation to the HEAD branch, which was used to shape the FreeBSD 13 release, without completing any peer review or testing. In February, Netgate integrated WireGuard into the stable release of pfSense 2.5.0 and began shipping wireguards based on it. After issues were identified, the WireGuard code was removed from pfSense.
Critical vulnerabilities were identified in the added code, which were used in 0-day exploits, but Netgate at first did not recognize the existence of vulnerabilities and tried to accuse the developer of the original WireGuard of attacks and bias, which negatively affected its reputation. The developer of the port initially dismissed the claims to code quality as exaggerated, but after showing the bugs, he noticed that the really important problem was the lack of proper review of code quality in FreeBSD, because the problems remained unnoticed for many months (Netgate representatives indicated that the public the review was launched as early as August 2020, but individual FreeBSD developers noted that in Phabricator, the review was closed by Macy with no execution and ignoring comments). The FreeBSD Core Team responded to the incident with a promise to modernize their code review processes.
Matthew Macy, the developer of the problematic port for FreeBSD, commented that he made a big mistake by taking on the job, not being ready to implement this project. Macy explains the resulting result with emotional burnout and the result of problems that have arisen due to the post-COVID syndrome. At the same time, Macy did not find the determination to abandon the obligations already undertaken and tried to bring the project to the end.
Macy's condition may also have been affected by a recent prison term, which he received for illegal actions in an attempt to evict tenants from a house he bought who did not want to move out voluntarily. Instead, with his wife, they sawed the floor beams and broke holes in the floors to make the house uninhabitable, and also tried to intimidate the tenants, broke into the inhabited apartments and took out the belongings (the action was qualified as a burglary). In order to avoid responsibility for his actions, Macy fled to Italy with his wife, but was extradited to the United States and served more than four years in prison.
Source: opennet.ru