From owner-freebsd-security@FreeBSD.ORG Sun Jul 31 14:07:30 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 95B8016A41F; Sun, 31 Jul 2005 14:07:30 +0000 (GMT) (envelope-from phk@phk.freebsd.dk) Received: from haven.freebsd.dk (haven.freebsd.dk [130.225.244.222]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2F81243D48; Sun, 31 Jul 2005 14:07:30 +0000 (GMT) (envelope-from phk@phk.freebsd.dk) Received: from phk.freebsd.dk (unknown [192.168.48.2]) by haven.freebsd.dk (Postfix) with ESMTP id AB291BC69; Sun, 31 Jul 2005 14:07:27 +0000 (UTC) To: Allan Fields From: "Poul-Henning Kamp" In-Reply-To: Your message of "Sun, 31 Jul 2005 09:59:19 EDT." <20050731135919.GA43753@afields.ca> Date: Sun, 31 Jul 2005 16:07:27 +0200 Message-ID: <10601.1122818847@phk.freebsd.dk> Sender: phk@phk.freebsd.dk Cc: Pawel Jakub Dawidek , freebsd-geom , freebsd-hackers , freebsd-security , Alexander Leidinger , "Ronnel P. Maglasang" Subject: Re: Kernel Source Divergence, Security (was: booting gbde-encrypted filesystem) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Jul 2005 14:07:30 -0000 In message <20050731135919.GA43753@afields.ca>, Allan Fields writes: >Yes, this is all very nice, but when is someone actually going to >commit it? ;) I'm (as always) short of time, and GBDE is not the top priority for me for the time being. So I am more than happy to see people band together and improve gbde. The main work necessary is to polish the userland program and that is relatively trivial programming, so anyone should be able to pick that up: just go for it. Giving gbde a taste function so that the root filesystem can be protected by GBDE, this is also OK by me in principle, but I'd like to review the patch before it gets committed because there are a large number of dragons. In P4:phk_gbde there is the beginning of hw-crypto support through opencrypto(9), if somebody wants to work on that, get in touch with me. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. From owner-freebsd-security@FreeBSD.ORG Sun Jul 31 15:08:48 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DFAC616A41F; Sun, 31 Jul 2005 15:08:47 +0000 (GMT) (envelope-from pjd@darkness.comp.waw.pl) Received: from darkness.comp.waw.pl (darkness.comp.waw.pl [195.117.238.136]) by mx1.FreeBSD.org (Postfix) with ESMTP id 06C8643D48; Sun, 31 Jul 2005 15:08:47 +0000 (GMT) (envelope-from pjd@darkness.comp.waw.pl) Received: by darkness.comp.waw.pl (Postfix, from userid 1009) id 68E02ACBD2; Sun, 31 Jul 2005 17:08:45 +0200 (CEST) Date: Sun, 31 Jul 2005 17:08:45 +0200 From: Pawel Jakub Dawidek To: Poul-Henning Kamp Message-ID: <20050731150845.GJ636@darkness.comp.waw.pl> References: <20050731135919.GA43753@afields.ca> <10601.1122818847@phk.freebsd.dk> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="gMR3gsNFwZpnI/Ts" Content-Disposition: inline In-Reply-To: <10601.1122818847@phk.freebsd.dk> User-Agent: Mutt/1.4.2i X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 5.2.1-RC2 i386 Cc: freebsd-geom , freebsd-hackers , freebsd-security , Allan Fields , Alexander Leidinger , "Ronnel P. Maglasang" Subject: Re: Kernel Source Divergence, Security (was: booting gbde-encrypted filesystem) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Jul 2005 15:08:48 -0000 --gMR3gsNFwZpnI/Ts Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Jul 31, 2005 at 04:07:27PM +0200, Poul-Henning Kamp wrote: +> In message <20050731135919.GA43753@afields.ca>, Allan Fields writes: +>=20 +> >Yes, this is all very nice, but when is someone actually going to +> >commit it? ;) +>=20 +> I'm (as always) short of time, and GBDE is not the top priority +> for me for the time being. +>=20 +> So I am more than happy to see people band together and improve +> gbde. +>=20 +> The main work necessary is to polish the userland program and that +> is relatively trivial programming, so anyone should be able to pick +> that up: just go for it. +>=20 +> Giving gbde a taste function so that the root filesystem can be +> protected by GBDE, this is also OK by me in principle, but I'd like +> to review the patch before it gets committed because there are a +> large number of dragons. +>=20 +> In P4:phk_gbde there is the beginning of hw-crypto support through +> opencrypto(9), if somebody wants to work on that, get in touch with +> me. I'm starting to wonder if we couldn't create one storage-crypto-base and rewrite gbde, geli on top of it. geli(8) is complete, ie. you can use any command on attached and detached providers, you can backup your metadata, protect your passphrase with PKCS#5v2, use files as a key part, etc. gbde(8) (userland tool) is not finished (all those things I've in geli already are on its todo list). I've plan for another crypto-storage class, which will provide privacy and integrity verification (the very thing we are missing now). I want another class, because it will be slower than geli in both crypto-time and disk-access-time aspects. Another possibility is to integrate two classes and allow user to decide if he wants privacy, integrity verification or both. If someone can spend time on integreting gbde crypto scheme into geli where userland part is complete, where crypto(9) is used already, etc. that'd be cool. The truth is, that the main difference between gbde/geli is how crypto is used on disk, the other elements (managing keys, protecting passphrases, metadata backups, encrypted root partition, etc.) are or could be the same. --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --gMR3gsNFwZpnI/Ts Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFC7Ol9ForvXbEpPzQRAi4TAJ9CF+1bk001L51nLuv1W1zyZvlX9ACeOD0Z kn+CkQGHGOlJE3grlw5YElk= =TU/M -----END PGP SIGNATURE----- --gMR3gsNFwZpnI/Ts-- From owner-freebsd-security@FreeBSD.ORG Sun Jul 31 15:11:22 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47C4216A420; Sun, 31 Jul 2005 15:11:22 +0000 (GMT) (envelope-from phk@phk.freebsd.dk) Received: from haven.freebsd.dk (haven.freebsd.dk [130.225.244.222]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F3EF43D48; Sun, 31 Jul 2005 15:11:19 +0000 (GMT) (envelope-from phk@phk.freebsd.dk) Received: from phk.freebsd.dk (unknown [192.168.48.2]) by haven.freebsd.dk (Postfix) with ESMTP id A5A47BC66; Sun, 31 Jul 2005 15:11:16 +0000 (UTC) To: Pawel Jakub Dawidek From: "Poul-Henning Kamp" In-Reply-To: Your message of "Sun, 31 Jul 2005 17:08:45 +0200." <20050731150845.GJ636@darkness.comp.waw.pl> Date: Sun, 31 Jul 2005 17:11:16 +0200 Message-ID: <10880.1122822676@phk.freebsd.dk> Sender: phk@phk.freebsd.dk Cc: freebsd-geom , freebsd-hackers , freebsd-security , Allan Fields , Alexander Leidinger , "Ronnel P. Maglasang" Subject: Re: Kernel Source Divergence, Security (was: booting gbde-encrypted filesystem) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Jul 2005 15:11:22 -0000 In message <20050731150845.GJ636@darkness.comp.waw.pl>, Pawel Jakub Dawidek writes: >I'm starting to wonder if we couldn't create one storage-crypto-base >and rewrite gbde, geli on top of it. Could be, it all depends how much you actually gain from generalizing common code. Best way to find out is to try :-) -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. From owner-freebsd-security@FreeBSD.ORG Thu Aug 4 20:54:20 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6649C16A41F for ; Thu, 4 Aug 2005 20:54:20 +0000 (GMT) (envelope-from eric@dmcontact.com) Received: from mailthree.albionnewsletter.com (mailthree.albionnewsletter.com [69.90.37.133]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B2AA43D48 for ; Thu, 4 Aug 2005 20:54:20 +0000 (GMT) (envelope-from eric@dmcontact.com) Received: from s142-179-101-223.bc.hsia.telus.net (s142-179-101-223.bc.hsia.telus.net [142.179.101.223]) by mailthree.albionnewsletter.com (Postfix) with ESMTP id 5D923994CC for ; Thu, 4 Aug 2005 13:54:19 -0700 (PDT) Received: from L19.dmcontact.com (unknown [192.168.0.163]) by s142-179-101-223.bc.hsia.telus.net (Postfix) with ESMTP id D88BF556 for ; Thu, 4 Aug 2005 13:54:20 -0700 (PDT) Message-Id: <6.1.1.1.2.20050804135502.03dac840@mail.kwinternet.com> X-Sender: eric%dmcontact.com@mail.dmcontact.com X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1 Date: Thu, 04 Aug 2005 13:56:09 -0700 To: freebsd-security@freebsd.org From: Eric Frazier Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: zlib X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Aug 2005 20:54:20 -0000 Hi, Does the latest zlib issue not affect 4.11?? I would expect that it does, but I can't find any information that is not referring to 5.x Thanks, Eric From owner-freebsd-security@FreeBSD.ORG Thu Aug 4 21:18:40 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6CDF16A41F for ; Thu, 4 Aug 2005 21:18:40 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4C0DC43D48 for ; Thu, 4 Aug 2005 21:18:40 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id A1DC511B07; Thu, 4 Aug 2005 23:18:38 +0200 (CEST) Date: Thu, 4 Aug 2005 23:18:38 +0200 From: "Simon L. Nielsen" To: Eric Frazier Message-ID: <20050804211837.GC852@zaphod.nitro.dk> References: <6.1.1.1.2.20050804135502.03dac840@mail.kwinternet.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Bu8it7iiRSEf40bY" Content-Disposition: inline In-Reply-To: <6.1.1.1.2.20050804135502.03dac840@mail.kwinternet.com> User-Agent: Mutt/1.5.9i Cc: freebsd-security@freebsd.org Subject: Re: zlib X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Aug 2005 21:18:40 -0000 --Bu8it7iiRSEf40bY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.08.04 13:56:09 -0700, Eric Frazier wrote: > Does the latest zlib issue not affect 4.11?? I would expect that it does,= =20 > but I can't find any information that is not referring to 5.x It doesn't affects FreeBSD 4.X, since it's only zlib 1.2.X that is vulnerable and FreeBSD 4.X contains zlib 1.1.X. --=20 Simon L. Nielsen FreeBSD Security Team --Bu8it7iiRSEf40bY Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFC8oYth9pcDSc1mlERAkOFAJ0Tuuoxuh38Gzh+p7PJ9W+YWVWbBgCcCfhk lmI1zd/X1ie7mzPPWGAaFws= =L5gu -----END PGP SIGNATURE----- --Bu8it7iiRSEf40bY--