From owner-freebsd-security@freebsd.org Sun Jul 17 15:15:16 2016
From: David I Noel
Date: Sun, 17 Jul 2016 10:15:14 -0500
Subject: Re: Stuff I don't understand, and maybe never will.
To: David I Noel
Cc: freebsd-security@freebsd.org

>On 6/29/16, David I Noel wrote:
> Also, highlighting the continued relevance of fuzzing and the shared
> frustration at the lack of its more wide-spread adoption and
> recognition as a useful, relevant, and valid tool for finding bugs in
> code.
>
> Is anyone actively fuzzing FreeBSD?
>
> As far as the kernel, all I can see is that it's listed as an “Idea”
> on the Wiki (https://wiki.freebsd.org/IdeasPage -- 5.4).
>
> Beyond the kernel, what about the ports collection? Some of them are
> an absolute^W^W^W could probably use a once-over with AFL or others.
>
> Why not start a “Fizz[2.1] *BSD Day”?[2.2]

http://thread.gmane.org/gmane.comp.security.oss.general/19946

Congrats to the OpenBSD Dev team for taking the initiative and making
their code-base more secure.

From owner-freebsd-security@freebsd.org Mon Jul 18 12:12:15 2016
From: Mathieu Arnold
Date: Mon, 18 Jul 2016 14:12:09 +0200
To: Slawa Olhovchenkov, Jung-uk Kim
Cc: Andrey Chernov, FreeBSD-current, freebsd-security
Subject: Re: GOST in OPENSSL_BASE

Hi,

+--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov wrote:
| On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
|> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
|> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
|> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
|> > /etc/make.conf and rebuild everything \ that needs SSL.
|> > .endif
|>
|> FreeBSD 9.3 is still supported but GOST is not available there. It
|
| Thanks for clarifications.
|
|> seems the ports maintainer didn't want to break it on 9.3 (CC added).
|> Version check may be needed there.
|
| Thanks!

The idea is that you can't have mixed openssl usage. If you link half your
ports with openssl from base, and half with openssl from ports, you are
going to have dragons attacks, and core dumps. Also, if you are using
openssl from ports, you cannot use GSSAPI from base, for the same reasons.

--
Mathieu Arnold

From owner-freebsd-security@freebsd.org Mon Jul 18 16:39:47 2016
From: Jung-uk Kim
Date: Mon, 18 Jul 2016 12:39:46 -0400
To: Mathieu Arnold, Slawa Olhovchenkov
Cc: Andrey Chernov, FreeBSD-current, freebsd-security
Subject: Re: GOST in OPENSSL_BASE

On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> Hi,
>
> +--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov wrote:
> | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> |> > .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) &&
> |> > ${SSL_DEFAULT} == base BROKEN= OpenSSL from the base system does not
> |> > support GOST, add \ DEFAULT_VERSIONS+=ssl=openssl to your
> |> > /etc/make.conf and rebuild everything \ that needs SSL.
> |> > .endif
> |>
> |> FreeBSD 9.3 is still supported but GOST is not available there. It
> |
> | Thanks for clarifications.
> |
> |> seems the ports maintainer didn't want to break it on 9.3 (CC added).
> |> Version check may be needed there.
> |
> | Thanks!
>
>
> The idea is that you can't have mixed openssl usage. If you link half your
> ports with openssl from base, and half with openssl from ports, you are
> going to have dragons attacks, and core dumps. Also, if you are using
> openssl from ports, you cannot use GSSAPI from base, for the same reasons.

Exactly. That's why we should *allow* using base OpenSSL for 10.x and
later because many packages are already linked against base OpenSSL by
default.

Jung-uk Kim
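
Added example, not part of the original thread or of FreeBSD's own tooling: a check for the mixed base/ports OpenSSL linkage discussed above, which classifies a binary from its `ldd` output. It assumes base libraries resolve under /lib or /usr/lib and ports libraries under /usr/local/lib; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify which OpenSSL a binary resolves to, reading
# `ldd` output on stdin. Assumed layout (not stated in the thread):
# base libs under /lib or /usr/lib, ports libs under /usr/local/lib.
openssl_origin() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//)  ports = 1
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1
        }
        END {
            if (base && ports) print "mixed"
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"
        }'
}

# Constructed ldd output: libssl comes from ports while libcrypto comes
# from base, so both OpenSSL copies end up in the same process.
sample_mixed() {
    cat <<'EOF'
/usr/local/bin/example:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800849000)
    libssl.so.9 => /usr/local/lib/libssl.so.9 (0x800a00000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x801200000)
EOF
}

# Walk installed port files and report the OpenSSL origin of each one
# that links libssl or libcrypto at all.
scan_ports() {
    for f in /usr/local/bin/* /usr/local/sbin/* /usr/local/lib/*.so*; do
        [ -f "$f" ] || continue
        origin=$(ldd "$f" 2>/dev/null | openssl_origin)
        [ "$origin" = none ] || printf '%s\t%s\n' "$origin" "$f"
    done
}

if [ "${1:-}" = "scan" ]; then
    scan_ports | sort          # real scan on an installed system
else
    sample_mixed | openssl_origin   # demo on the constructed sample
fi
```

Any `mixed` line, or a scan listing that contains both `base` and `ports` entries, is the situation the thread warns about.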