From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 12:33:52 2005
From: Robert Blacquiere
To: freebsd-security
Date: Sun, 11 Dec 2005 13:33:46 +0100
Subject: geli or gbde encryption of slices
Message-ID: <20051211123346.GK98018@bombur.guldan.demon.nl>

Hello,

I was playing around with geli and gbde after last EuroBSDCon. I liked the idea of encrypting my data which resides in /home/$user. Since this is a "single" user laptop I intended to encrypt the whole /home partition. Well, no problems with that. But I wanted the lockfile or keyfile on a separate USB disc, which would be mounted or used during boot of the system.

I also used gshsec on the USB disc to make things even more difficult. Well, here is what I found. You can't use a non-mounted disc for the keys; to take things further, geli asks for the access passphrase before any filesystem except / is mounted. gbde fails also because the system can't interactively query for the passphrase.

I wanted to use a 3-way authentication for the slice: encrypted fs, a USB key and passphrase. I can use geli without the USB key (keyfile), but that would render a possible bruteforce entry. Is there a way to have something similar to this working? I even thought of using something like vendor, product and serial IDs for the "keyfile", which could be used with any USB device on the USB bus. Have any of you thought about these things and have a way to do this sort of thing (keyfile on USB drive)?

Robert

--
Microsoft: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
OpenBSD: Hey guys you left some holes out there!
From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 13:52:16 2005
From: "Rob MacGregor"
Date: Sun, 11 Dec 2005 13:52:11 -0000
Subject: RE: OpenSSL tools are not installed
Message-ID: <000601c5fe5a$15d612f0$0100a8c0@macgregor>
In-Reply-To: <20051210232126.GH1066@zi025.glh.mhn.de>

On Saturday, December 10, 2005 11:21 PM when we last met our heroes, owner-freebsd-security@freebsd.org <> was heard to say:

> Hi,
>
> I just had some issues with unvalidated certificates after
> the update of the mail/fetchmail port.

Which update? AFAIK 6.3.0_2 should solve that (certainly it did for me, and the whole point of that update was to solve the problem you (and I) saw).

You'd probably have had more response if you'd posted this to -ports, given that it is an issue with the ports :)

--
Rob | Oh my God! They killed init! You bastards!

From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 15:12:25 2005
From: Simon Barner
To: Rob MacGregor
Cc: freebsd-security@freebsd.org
Date: Sun, 11 Dec 2005 16:12:23 +0100
Subject: Re: OpenSSL tools are not installed
Message-ID: <20051211151223.GC33001@zi025.glh.mhn.de>
In-Reply-To: <000601c5fe5a$15d612f0$0100a8c0@macgregor>

Rob MacGregor wrote:
> On Saturday, December 10, 2005 11:21 PM when we last met our heroes,
> owner-freebsd-security@freebsd.org <> was heard to say:
> > Hi,
> >
> > I just had some issues with unvalidated certificates after
> > the update of the mail/fetchmail port.
>
> Which update? AFAIK 6.3.0_2 should solve that (certainly it did for me, and the
> whole point of that update was to solve the problem you (and I) saw.

Sorry if I was a bit unclear: I meant the initial update from fetchmail-6.2.5.2_4 to fetchmail-6.3.0 which introduced these warnings.

> You'd probably have had more response if you'd posted this to -ports, given that
> it is an issue with the ports :)

No, it's a problem with the base system because the c_rehash tool is not installed (the security/openssl port does this). If I don't get a response here, I'll move this thread to -current.
--
Best regards / Viele Grüße,
Simon Barner
barner@FreeBSD.org, barner@gmx.de

From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 16:12:09 2005
From: Erik Trulsson
To: Simon Barner
Cc: freebsd-security@FreeBSD.org
Date: Sun, 11 Dec 2005 17:11:57 +0100
Subject: Re: OpenSSL tools are not installed
Message-ID: <20051211161156.GA40986@falcon.midgard.homeip.net>
In-Reply-To: <20051210232126.GH1066@zi025.glh.mhn.de>

On Sun, Dec 11, 2005 at 12:21:26AM +0100, Simon Barner wrote:
> Hi,
>
> I just had some issues with unvalidated certificates after the update of
> the mail/fetchmail port.
>
> The solution was to add the missing certificates manually, but that
> involved running the c_rehash script, that currently isn't installed.
>
> Of course, I could run it directly from src/crypto/openssl/tools/, but
> that isn't an option for users that don't have the source installed.
>
> So, is there a reason why the scripts are not installed, or was it just
> an oversight?

One reason is probably that c_rehash is a Perl script, and Perl is not included in the base system, so you would not be able to run the script anyway without first installing Perl.

--
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 16:24:20 2005
From: Simon Barner
To: freebsd-security@FreeBSD.org
Cc: dinoex@FreeBSD.org
Date: Sun, 11 Dec 2005 17:24:16 +0100
Subject: Re: OpenSSL tools are not installed
Message-ID: <20051211162416.GB38604@zi025.glh.mhn.de>
In-Reply-To: <20051211161156.GA40986@falcon.midgard.homeip.net>

Erik Trulsson wrote:
> > So, is there a reason why the scripts are not installed, or was it just
> > an oversight?
>
> One reason is probably that c_rehash is a Perl script, and Perl is not
> included in the base system, so you would not be able to run the script
> anyway without first installing Perl.

Good point... :-)

So, I'd opt for creating a security/openssl-tools port (and removing c_rehash from security/openssl). That way OpenSSL from the base system and from the ports would match a bit more.
[Cc'ing dinoex@, the openssl port maintainer]

--
Best regards / Viele Grüße,
Simon Barner
barner@FreeBSD.org, barner@gmx.de

From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 17:08:09 2005
From: Zahemszky Gábor
To: simon@freebsd.org, freebsd-security@freebsd.org
Date: Sun, 11 Dec 2005 18:13:20 +0100
Subject: bug? in making security/isakmpd
Message-ID: <439C5E30.9090605@Zahemszky.HU>

Hi!

There is a little problem in the security/isakmpd port. There are some gen*.sh scripts in it, which generate some C header (and src) files. These scripts are using awk, tr, etc - some generic UNIX tools. One of the tools has problems with some localisations, so these scripts generate incorrect C code. E.g., I have Hungarian localisation set, so I have the following in my environment:

LANG=hu_HU.ISO8859-2

But with it, I get so many errors, like this:

$ cd /usr/ports/security/isakmpd
$ make
So many lines deleted ....
cc -O2 -fno-strict-aliasing -pipe -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -DNEED_SYSDEP_APP -I/usr/ports/security/isakmpd/work/isakmpd -I/usr/ports/security/isakmpd/work/isakmpd/sysdep/freebsd -I. -DHAVE_GETIFADDRS -DHAVE_PCAP -I/usr/ports/security/isakmpd/work/isakmpd/sysdep/common -I/usr/include -I/usr/include/openssl -I/usr/local/include -I/usr/local/include/openssl -DUSE_TRIPLEDES -DUSE_DES -DUSE_BLOWFISH -DUSE_CAST -DUSE_X509 -DUSE_EC -DUSE_AGGRESSIVE -DUSE_DEBUG -DUSE_RAWKEY -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -DUSE_LIBCRYPTO -DUSE_PF_KEY_V2 -c attribute.c
In file included from isakmp.h:36,
                 from attribute.c:40:
isakmp_fld.h:28: error: stray '\223' in program
isakmp_fld.h:28: error: syntax error before "_paxload_maps"
isakmp_fld.h:37: error: stray '\223' in program
isakmp_fld.h:37: error: syntax error before "xpe_maps"
isakmp_fld.h:59: error: stray '\223' in program
isakmp_fld.h:59: error: syntax error before "_paxload_maps"
isakmp_fld.h:72: error: stray '\223' in program
isakmp_fld.h:72: error: stray '\223' in program
isakmp_fld.h:72: error: syntax error before "r_fld"
isakmp_fld.h:76: error: stray '\223' in program
isakmp_fld.h:76: error: stray '\223' in program
isakmp_fld.h:76: error: syntax error before "r_"
isakmp_fld.h:76: error: stray '\223' in program
isakmp_fld.h:108: error: stray '\223' in program
isakmp_fld.h:108: error: syntax error before "o_maps"
isakmp_fld.h:124: error: stray '\223' in program
isakmp_fld.h:124: error: syntax error before "ransform_fld"
isakmp_fld.h:165: error: stray '\223' in program
isakmp_fld.h:165: error: syntax error before "_fld"
isakmp_fld.h:169: error: stray '\223' in program
isakmp_fld.h:169: error: syntax error before "_encoding_maps"
isakmp_fld.h:177: error: stray '\223' in program
isakmp_fld.h:177: error: syntax error before "req_fld"
isakmp_fld.h:181: error: stray '\223' in program
isakmp_fld.h:181: error: syntax error before "req_"
isakmp_fld.h:181: error: stray '\223' in program
isakmp_fld.h:210: error: stray '\223' in program
isakmp_fld.h:210: error: syntax error before "ifx_fld"
isakmp_fld.h:214: error: stray '\223' in program
isakmp_fld.h:214: error: syntax error before "ifx_doi_maps"
isakmp_fld.h:219: error: stray '\223' in program
isakmp_fld.h:219: error: syntax error before "ifx_pro"
isakmp_fld.h:219: error: stray '\223' in program
isakmp_fld.h:228: error: stray '\223' in program
isakmp_fld.h:228: error: syntax error before "ifx_msg_"
isakmp_fld.h:228: error: stray '\223' in program
isakmp_fld.h:236: error: stray '\223' in program
isakmp_fld.h:236: error: syntax error before "e_fld"
isakmp_fld.h:240: error: stray '\223' in program
isakmp_fld.h:240: error: syntax error before "e_doi_maps"
isakmp_fld.h:245: error: stray '\223' in program
isakmp_fld.h:245: error: syntax error before "e_pro"
isakmp_fld.h:245: error: stray '\223' in program
isakmp_fld.h:261: error: stray '\251' in program
isakmp_fld.h:261: error: syntax error before "endor_fld"
isakmp_fld.h:268: error: stray '\223' in program
isakmp_fld.h:268: error: stray '\223' in program
isakmp_fld.h:268: error: syntax error before "rib"
isakmp_fld.h:268: error: stray '\254' in program
isakmp_fld.h:268: error: stray '\223' in program
isakmp_fld.h:272: error: stray '\223' in program
isakmp_fld.h:272: error: stray '\223' in program
isakmp_fld.h:272: error: syntax error before "rib"
isakmp_fld.h:272: error: stray '\254' in program
isakmp_fld.h:272: error: stray '\223' in program
isakmp_fld.h:272: error: stray '\223' in program
isakmp_fld.h:288: error: stray '\223' in program
isakmp_fld.h:288: error: syntax error before "_d_fld"
isakmp_fld.h:295: error: stray '\223' in program
isakmp_fld.h:295: error: syntax error before "_oa_fld"
In file included from isakmp.h:37,
                 from attribute.c:40:
isakmp_num.h:3:18: warning: extra tokens at end of #ifndef directive
isakmp_num.h:4:18: warning: ISO C requires whitespace after the macro name
In file included from isakmp.h:37,
                 from attribute.c:40:
isakmp_num.h:63: error: stray '\223' in program
isakmp_num.h:63: error: syntax error before "enc_cst"
isakmp_num.h:82: error: stray '\223' in program
isakmp_num.h:82: error: syntax error before "ifx_cst"
isakmp_num.h:130: error: stray '\251' in program
isakmp_num.h:130:36: invalid suffix "_no" on integer constant
isakmp_num.h:130: error: syntax error before numeric constant
isakmp_num.h:130: error: stray '\223' in program
isakmp_num.h:169: error: stray '\223' in program
isakmp_num.h:169: error: syntax error before "o_cst"
isakmp_num.h:184: error: stray '\223' in program
isakmp_num.h:184: error: stray '\223' in program
isakmp_num.h:184: error: syntax error before "r_cst"
isakmp_num.h:213: error: stray '\223' in program
isakmp_num.h:213: error: syntax error before "xpe_cst"
attribute.c: In function `attribute_set_basic':
attribute.c:46: error: stray '\223' in program
attribute.c:46: error: stray '\223' in program
attribute.c:46: error: `isakmp_a' undeclared (first use in this function)
attribute.c:46: error: (Each undeclared identifier is reported only once
attribute.c:46: error: for each function it appears in.)
attribute.c:46: error: syntax error before "r_fld"
attribute.c:47: error: stray '\223' in program
attribute.c:47: error: stray '\223' in program
attribute.c:47: error: syntax error before "r_fld"
attribute.c: In function `attribute_set_var':
attribute.c:55: error: stray '\223' in program
attribute.c:55: error: stray '\223' in program
attribute.c:55: error: `isakmp_a' undeclared (first use in this function)
attribute.c:55: error: syntax error before "r_fld"
attribute.c:56: error: stray '\223' in program
attribute.c:56: error: stray '\223' in program
attribute.c:56: error: syntax error before "r_fld"
attribute.c: In function `attribute_map':
attribute.c:80: error: stray '\223' in program
attribute.c:80: error: stray '\223' in program
attribute.c:80: error: `isakmp_a' undeclared (first use in this function)
attribute.c:80: error: syntax error before "r_fld"
attribute.c:86: error: stray '\223' in program
attribute.c:86: error: stray '\223' in program
attribute.c:86: error: syntax error before "r_fld"
*** Error code 1

Stop in /usr/ports/security/isakmpd/work/isakmpd.
*** Error code 1

Stop in /usr/ports/security/isakmpd.
$

If I correct this file, I get another problem with another file - all of the files (6 or 7) generated with these scripts have errors. (But with LANG=C - or without any LANG - I can compile isakmpd.)

I think the real problem is the bug in tr/awk - maybe somebody has to look at it, too.

Bye,

Gabor < Gabor at Zahemszky dot HU >

--
]]||typeset -l i;j="$j $i";typeset +l i;};print "$j" From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 17:11:53 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE68C16A41F for ; Sun, 11 Dec 2005 17:11:53 +0000 (GMT) (envelope-from freebsd.macgregor@blueyonder.co.uk) Received: from the-macgregors.org (82-46-96-19.cable.ubr06.stav.blueyonder.co.uk [82.46.96.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 523E543D9A for ; Sun, 11 Dec 2005 17:11:37 +0000 (GMT) (envelope-from freebsd.macgregor@blueyonder.co.uk) X-Urban-Legend: Mail headers contain urban legends Received: from fire (rob@fire.macgregor [192.168.32.100]) (user=freebsd mech=LOGIN bits=0) by the-macgregors.org (8.13.5/8.13.5) with ESMTP id jBBHBUvQ011844 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for ; Sun, 11 Dec 2005 17:11:30 GMT From: "Rob MacGregor" To: Date: Sun, 11 Dec 2005 17:11:30 -0000 Message-ID: <003e01c5fe75$ee13c930$0100a8c0@macgregor> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: <20051211151223.GC33001@zi025.glh.mhn.de> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670 Thread-Index: AcX+ZW33fD2BOxFfSA284ox8MypvuQAEGvwg X-Virus-Scanned: by amavisd-new Subject: RE: OpenSSL tools are not installed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2005 17:11:53 -0000 On Sunday, December 11, 2005 3:12 PM when we last met our heroes, Simon Barner was heard to say: > Sorry if I was a bit unclear: I meant the initial update from > fetchmail-6.2.5.2_4 to fetchmail-6.3.0 which introduced these > warnings. 
Try the _2 update - it'll fix it. -- Rob | Oh my God! They killed init! You bastards! From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 17:38:09 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB40316A41F for ; Sun, 11 Dec 2005 17:38:09 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 67C0043D69 for ; Sun, 11 Dec 2005 17:38:09 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 38709114AF; Sun, 11 Dec 2005 18:38:08 +0100 (CET) Date: Sun, 11 Dec 2005 18:38:08 +0100 From: "Simon L. Nielsen" To: Zahemszky =?iso-8859-1?Q?G=E1bor?= Message-ID: <20051211173807.GA6202@zaphod.nitro.dk> References: <439C5E30.9090605@Zahemszky.HU> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZPt4rx8FFjLCG7dd" Content-Disposition: inline In-Reply-To: <439C5E30.9090605@Zahemszky.HU> User-Agent: Mutt/1.5.11 Cc: freebsd-security@freebsd.org Subject: Re: bug? in making security/isakmpd X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2005 17:38:10 -0000 --ZPt4rx8FFjLCG7dd Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.12.11 18:13:20 +0100, Zahemszky G=E1bor wrote: > There is a little problem in the security/isakmpd port. There are some=20 > gen*.sh scripts in it, which generate some C header (and src) files.=20 > These scripts are using awk, tr, etc - some generic UNIX tools. 
One of=20 > the tools has problems with some localisations, so these scripts=20 > generate incorrect C-code. Eg, I have Hungarian localisation set, so I=20 > have the following in my environ: >=20 > LANG=3Dhu_HU.ISO8859-2 Yes, this is a known problem with the isakmpd build code which I unfortunately haven't gotten around to fixing. AFAIR it also fails with German locale. I suspect the simple fix is to set LC_ALL=3DC in the build environment for the port. > I think the real problem is the bug in tr/awk - maybe somebody has to=20 > look at it, too. Without having looked at the details, I think it's more likely that the isakmpd build scripts misuses tr/awk, e.g. doing something like 'tr [a-z] [A-Z] ' to upper case a string (should be 'tr [:lower:] [:upper:]'). --=20 Simon L. Nielsen --ZPt4rx8FFjLCG7dd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDnGP/h9pcDSc1mlERAiTIAKCo/0NRCQQTfNQyXjsjas0QVEAi9wCdHGGq PWsXE7nRiz/fbS3uihHPVOQ= =yMzt -----END PGP SIGNATURE----- --ZPt4rx8FFjLCG7dd-- From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 17:49:43 2005 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AFB3A16A41F for ; Sun, 11 Dec 2005 17:49:43 +0000 (GMT) (envelope-from barner@gmx.de) Received: from mail.gmx.net (mail.gmx.net [213.165.64.21]) by mx1.FreeBSD.org (Postfix) with SMTP id C370943D6A for ; Sun, 11 Dec 2005 17:49:42 +0000 (GMT) (envelope-from barner@gmx.de) Received: (qmail invoked by alias); 11 Dec 2005 17:49:41 -0000 Received: from unknown (EHLO zi025.glh.mhn.de) [129.187.43.241] by mail.gmx.net (mp010) with SMTP; 11 Dec 2005 18:49:41 +0100 X-Authenticated: #147403 Received: by zi025.glh.mhn.de (Postfix, from userid 1000) id B9006C38A; Sun, 11 Dec 2005 18:49:41 +0100 (CET) Date: Sun, 11 Dec 2005 18:49:41 +0100 From: 
Simon Barner To: Rob MacGregor Message-ID: <20051211174941.GD38604@zi025.glh.mhn.de> References: <20051211151223.GC33001@zi025.glh.mhn.de> <003e01c5fe75$ee13c930$0100a8c0@macgregor> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="9dgjiU4MmWPVapMU" Content-Disposition: inline In-Reply-To: <003e01c5fe75$ee13c930$0100a8c0@macgregor> User-Agent: Mutt/1.5.11 X-Y-GMX-Trusted: 0 Cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSL tools are not installed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2005 17:49:43 -0000 --9dgjiU4MmWPVapMU Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Rob MacGregor wrote: > On Sunday, December 11, 2005 3:12 PM when we last met our heroes, > Simon Barner was heard to say: >=20 > > Sorry if I was a bit unclear: I meant the initial update from > > fetchmail-6.2.5.2_4 to fetchmail-6.3.0 which introduced these > > warnings. >=20 > Try the _2 update - it'll fix it. I know about the _2 update, I am the maintainer of the port, and I have committed the fix. My email was about the fact that c_rehash is not available if you don't have the base system sources installed. c_rehash is needed if you want to add certificates that are not signed by one of the root authorities whose certificates are available form security/ca-roots. 
-- 
Best regards / Viele Grüße,                 barner@FreeBSD.org
Simon Barner                                barner@gmx.de

From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 18:12:14 2005
From: "Simon L. Nielsen"
To: Zahemszky Gábor
Cc: freebsd-security@freebsd.org
Date: Sun, 11 Dec 2005 19:12:12 +0100
Message-ID: <20051211181211.GC6202@zaphod.nitro.dk>
In-Reply-To: <20051211173807.GA6202@zaphod.nitro.dk>
Subject: Re: bug? in making security/isakmpd

On 2005.12.11 18:38:08 +0100, Simon L. Nielsen wrote:
> On 2005.12.11 18:13:20 +0100, Zahemszky Gábor wrote:
> 
> > There is a little problem in the security/isakmpd port. There are some
> > gen*.sh scripts in it, which generate some C header (and src) files.
> > These scripts are using awk, tr, etc - some generic UNIX tools. One of
> > the tools has problems with some localisations, so these scripts
> > generate incorrect C-code. Eg, I have Hungarian localisation set, so I
> > have the following in my environ:
> > 
> > LANG=hu_HU.ISO8859-2
> 
> Yes, this is a known problem with the isakmpd build code which I
> unfortunately haven't gotten around to fixing. AFAIR it also fails
> with German locale. I suspect the simple fix is to set LC_ALL=C in
> the build environment for the port.

I just committed an update to the port which should fix the problem.
Could you check if that works?

Sorry for taking so long to fix this.

-- 
Simon L. Nielsen

From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 18:21:09 2005
From: Daniel Roethlisberger
To: freebsd-security@freebsd.org
Date: Sun, 11 Dec 2005 19:21:00 +0100
Message-ID: <20051211182059.GB12228@dragon.roe.ch>
In-Reply-To: <20051211173807.GA6202@zaphod.nitro.dk>
Subject: Re: bug? in making security/isakmpd
Simon L. Nielsen 2005-12-11:
> > I think the real problem is the bug in tr/awk - maybe somebody has
> > to look at it, too.
> 
> Without having looked at the details, I think it's more likely that
> the isakmpd build scripts misuse tr/awk, e.g. doing something like
> 'tr [a-z] [A-Z] ' to upper case a string (should be 'tr [:lower:]
> [:upper:]').

As ports breaking with localized CTYPE is not too uncommon, adding

ENV['LC_ALL'] ||= 'C'

to your pkgtools.conf might make sense.

Cheers,
Dan

-- 
Daniel Roethlisberger
GnuPG (PGP) key id 0x39740E98804A06B1
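Daniel's 'tr [:lower:] [:upper:]' remark and Simon's LC_ALL=C workaround, as an added example (my script, not code from the isakmpd port or from anyone in this thread): to_upper_classes is the portable spelling that does not depend on the locale's collation order, to_upper_crange keeps the range-based form but pins the C locale around that single command, and run_in_c_locale is the build-environment fix scoped to one command so the user's own locale is left alone. The function names are mine.

```sh
#!/bin/sh
# Added example, not from the isakmpd port: locale-safe case conversion
# for generator scripts.  'tr a-z A-Z' relies on the collation order of
# the current locale; in some locales the range a-z does not map onto
# A-Z one to one, so generated C identifiers come out wrong.

# Portable form: character classes do not depend on collation order.
to_upper_classes() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The range form seen in older scripts, made locale-independent by
# pinning LC_ALL=C for this one command instead of the whole build.
to_upper_crange() {
    printf '%s' "$1" | LC_ALL=C tr 'a-z' 'A-Z'
}

# Run a generator (or any command) with the C locale, the fix Simon
# suggested for the port's build environment, scoped to one command.
run_in_c_locale() {
    LC_ALL=C "$@"
}

# Self-check on an identifier-like input: both forms must agree, and the
# result must be what the generated C code expects.
check_case_conversion() {
    in='isakmp_exchange_aggressive'
    a=$(to_upper_classes "$in")
    b=$(to_upper_crange "$in")
    [ "$a" = "$b" ] && [ "$a" = 'ISAKMP_EXCHANGE_AGGRESSIVE' ]
}
```

Either function can replace a bare 'tr [a-z] [A-Z]' in a gen*.sh script; run_in_c_locale is the lighter alternative to exporting LC_ALL for the whole ports build.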
From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 19:41:21 2005
From: Zahemszky Gábor
To: "Simon L. Nielsen"
Cc: freebsd-security@FreeBSD.org
Date: Sun, 11 Dec 2005 20:46:18 +0100
Message-ID: <439C820A.20005@Zahemszky.HU>
In-Reply-To: <20051211181211.GC6202@zaphod.nitro.dk>
Subject: Re: bug? in making security/isakmpd

Simon L. Nielsen wrote:
> I just committed an update to the port which should fix the problem.
> Could you check if that works?

Yes, I've just downloaded it, and works fine. Thanks!

Gabor
< Gabor at Zahemszky dot HU >

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!';IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set -- $Z;for i;{ [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set -- $Z;for i;{ [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j"

From owner-freebsd-security@FreeBSD.ORG Sun Dec 11 19:47:32 2005
From: Zahemszky Gábor
To: freebsd-security@freebsd.org
Date: Sun, 11 Dec 2005 20:52:38 +0100
Message-ID: <439C8386.5090500@Zahemszky.HU>
In-Reply-To: <20051211182059.GB12228@dragon.roe.ch>
Subject: Re: bug? in making security/isakmpd

Daniel Roethlisberger wrote:
> As ports breaking with localized CTYPE is not too uncommon, adding
> 
> ENV['LC_ALL'] ||= 'C'
> 
> to your pkgtools.conf might make sense.

Yes, you're right - with it, I couldn't have found it.
And no, because the correct way is to find a problem, report it (maybe
with a solution/patch) - and the maintainer corrects it. As in this case.

Thanks, Simon!

Zahy
< Gabor at Zahemszky dot HU >

From owner-freebsd-security@FreeBSD.ORG Mon Dec 12 10:12:38 2005
From: "Rob MacGregor"
To: freebsd-security@FreeBSD.org
Date: Mon, 12 Dec 2005 10:12:30 -0000
Message-ID: <004a01c5ff04$902038b0$0100a8c0@macgregor>
In-Reply-To: <20051211174941.GD38604@zi025.glh.mhn.de>
Subject: RE: OpenSSL tools are not installed
On Sunday, December 11, 2005 5:50 PM when we last met our heroes, Simon
Barner was heard to say:

> I know about the _2 update, I am the maintainer of the port, and I have
> committed the fix. My email was about the fact that c_rehash is not
> available if you don't have the base system sources installed. c_rehash
> is needed if you want to add certificates that are not signed by one of
> the root authorities whose certificates are available from
> security/ca-roots.

Ah, yes. I came across that part of the problem myself.

I think my only comment to your suggestion (creating a separate port and
removing c_rehash from security/openssl) would be to ensure that the same
path was used by both the base and the port. As it is right now it's a bit
of a mess:

base                      - /etc/ssl/certs
c_rehash from source tree - /usr/local/ssl/certs
security/openssl          - /usr/local/openssl/certs
security/ca-roots         - /usr/local/share/certs

That's 4 different paths from the bits I know about. Goodness knows about
those I don't know about.

-- 
Rob | Oh my God! They killed init! You bastards!
From owner-freebsd-security@FreeBSD.ORG Tue Dec 13 16:02:34 2005
From: Borja Marcos
To: freebsd-security@freebsd.org
Date: Tue, 13 Dec 2005 16:59:54 +0100
Subject: Useful addition to ipfw

Hello,

I've found myself in a situation where a simple data inspection capability
added to ipfw would be very useful.

I'm not thinking about anything especially sophisticated, but what about
adding an option to check byte values (or flags, similar to tcpdump)?

An example rule could be:

add deny udp from any to me 12345 udp[4]&234

being the rule true if byte 4 in the UDP packet AND the number 234 is not
zero.

P.S: I'm thinking about controlling some types of UDP packets that can be
identified by simple flags present in the packet data.

Opinions?

Borja.
From owner-freebsd-security@FreeBSD.ORG Tue Dec 13 19:03:35 2005
From: "Michael Scheidell"
To: "Borja Marcos", freebsd-security@freebsd.org
Date: Tue, 13 Dec 2005 14:03:22 -0500
Subject: RE: Useful addition to ipfw

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Borja Marcos
> Sent: Tuesday, December 13, 2005 11:00 AM
> To: freebsd-security@freebsd.org
> Subject: Useful addition to ipfw
> 
> 
> Hello,
> 
> I've found myself in a situation where a simple data
> inspection capability added to ipfw would be very useful.
> 

Use divert option and reinject it back in?

From owner-freebsd-security@FreeBSD.ORG Wed Dec 14 00:16:06 2005
From: Darren Reed
To: borjamar@sarenet.es (Borja Marcos)
Cc: freebsd-security@freebsd.org
Date: Wed, 14 Dec 2005 11:16:09 +1100 (Australia/ACT)
Message-Id: <200512140016.jBE0G9T4021056@caligula.anu.edu.au>
Subject: Re: Useful addition to ipfw

In some mail from Borja Marcos, sie said:
> 
> 
> Hello,
> 
> I've found myself in a situation where a simple data inspection
> capability added to ipfw would be very useful.
> 
> I'm not thinking about anything especially sophisticated, but what
> about adding an option to check byte values (or flags, similar to
> tcpdump)?
> 
> An example rule could be: add deny udp from any to me 12345 udp[4]&234
> 
> being the rule true if byte 4 in the UDP packet AND the number 234 is
> not zero.

I believe you could do that today, with IPFilter, if you expressed the
entire packet-matching part of the rule with BPF.

Darren

From owner-freebsd-security@FreeBSD.ORG Wed Dec 14 15:02:37 2005
From: Tony Holmes
To: freebsd-security@freebsd.org
Date: Wed, 14 Dec 2005 10:02:33 -0500
Message-ID: <20051214150233.GA36436@crosswinds.net>
Subject: Not-So-Newbie Openssl Question

Hi all and TIA for any help,

I find myself in an imposed quandary. I am using cPanel on 4.11-RELEASE-p13
boxes. 99% of the system works well, but I've come across an issue with
ssl. It's caused my certs to suddenly crap out and SSL connections from
payment processors no longer work (making my customers a tad angry).

The base system has openssl-0.9.7d and the ports are linked against
openssl-0.9.8a (installed from ports). cPanel mostly uses the
ports/packages system (good choice on their part) *EXCEPT* for apache.
The cpanel apache/ssl build links against the base system, while
everything else (including php which is built in the same procedure) is
linked against the port openssl. This is frustrating to no end.

Now, I first tried installing the openssl overwriting the base. I worked
around the conflict error by defining the shlib version to 3, then sshd
stops working with "I am linked against 0.9.7" (doh of course) so I back
that out since I cannot determine how to get that and any other base
system tools to link against 0.9.8a (after a week of first identifying
this problem and attempting to fix it has made my brain slightly
squishier than usual).

Is there any way to safely bring the base system openssl up to 0.9.8a (do
not mind making world/kernels) so the ports and base system match?

-- 
Tony Holmes                                     Ph: (416) 993-1219
Founder and Senior Systems Architect
Crosswinds Internet Communications Inc.
From owner-freebsd-security@FreeBSD.ORG Wed Dec 14 15:57:50 2005
From: Tony Holmes
To: Roman Volf
Cc: freebsd-security@freebsd.org
Date: Wed, 14 Dec 2005 10:57:49 -0500
Message-ID: <20051214155749.GA42448@crosswinds.net>
In-Reply-To: <43A03D72.4060103@keystreams.com>
Subject: Re: Not-So-Newbie Openssl Question

> Have you tried doing OVERWRITE_BASE=yes or whatever it is when you
> build the port?

Yes, that was my first attempt. It gives a conflict error. So I override
the SHLIB version, it compiles, installs, but all system utils compiled
against 0.9.7d then fail (like sshd which is kinda important since this
is remote connection).
-- 
Tony Holmes                                     Ph: (416) 993-1219
Founder and Senior Systems Architect
Crosswinds Internet Communications Inc.

From owner-freebsd-security@FreeBSD.ORG Thu Dec 15 10:34:47 2005
From: Simon Barner
To: Tony Holmes
Cc: freebsd-security@freebsd.org
Date: Thu, 15 Dec 2005 11:34:57 +0100
Message-ID: <20051215103457.GA68072@zi025.glh.mhn.de>
In-Reply-To: <20051214150233.GA36436@crosswinds.net>
Subject: Re: Not-So-Newbie Openssl Question

Hello,

is removing OpenSSL entirely from the base system and rebuilding the ports
that were linked against it an option for you? They should pick up OpenSSL
from ports, and after moving your certificates to the right location
everything should work just fine. Having two instances of a library on the
system is not desirable.

If you choose this path, be sure to include NO_OPENSSL into your
/etc/make.conf. If you do this, you should also install OpenSSH from the
ports system (from make.conf(5)):

NO_OPENSSL   (bool) Set to not build OpenSSL (implies NO_KERBEROS and
             NO_OPENSSH).

-- 
Best regards / Viele Grüße,                 barner@FreeBSD.org
Simon Barner                                barner@gmx.de

From owner-freebsd-security@FreeBSD.ORG Fri Dec 16 19:19:36 2005
From: Pawel Jakub Dawidek
To: Robert Blacquiere
Cc: freebsd-security
Date: Fri, 16 Dec 2005 20:18:28 +0100
Message-ID: <20051216191828.GA56737@garage.freebsd.pl>
In-Reply-To: <20051211123346.GK98018@bombur.guldan.demon.nl>
Subject: Re: geli or gbde encryption of slices

On Sun, Dec 11, 2005 at 01:33:46PM +0100, Robert Blacquiere wrote:
+> Hello,
+> 
+> I was playing around with geli and gbde after last EuroBSDCon.
+> I liked the idea of encrypting my data which resides in /home/$user.
+> Since this is a "single" user laptop i intended to encrypt the
+> whole /home partition. Well no problems with that. But i wanted
+> the lockfile or keyfile on a separate usb disc. Which would be
+> mounted or used during boot of the system. I also used gshsec on
+> the usb disc to even make things more difficult.
+> 
+> Well here is what i found. You can't use a non-mounted disc for
+> the keys, to take things further geli asks for the access passphrase
+> before any filesystems except / is mounted. Gbde fails also because
+> the system can't interactively query for the passphrase.

Unfortunately we needed to make a choice here: allow to encrypt /usr/, etc.
or allow for getting keys from more sources. You can still do what you
want, but not via rc.d/geli directly. Geli(8) itself allows using a key
from the raw device or anything else; rc.d/geli is the thing which is not
so flexible.

You may want to try adding some code to /etc/rc.local (which will take
part of the key from passphrase, part from USB Pen Drive and part from
gshsec(8) device):

(cat /mnt/pendrive/keyfile.bin && dd if=/dev/shsec/key bs=64k count=1) | /sbin/geli attach -k /dev/stdin /dev/ad0s1e
fsck_ffs -p /dev/ad0s1e.eli
mount /dev/ad0s1e.eli /mnt/secure

Assuming that /mnt/pendrive is already mounted (it should be if placed in
/etc/fstab).

+> I wanted to use a 3 way authentication for the slice, encrypted fs,
+> a usb key and passphrase. I can use geli without the usb key (keyfile).
+> But that would render a possible bruteforce entry.

Even when you use passphrase only, geli(8) provides PKCS#5v2 to strengthen
it. I'm using it with 131072 iterations, so it is 2^17 times harder to
brute-force my passphrase and takes about 2-3 seconds to attach encrypted
device on my laptop.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
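Pawel's rc.local sketch, worked out as an added example (my script, not his and not part of FreeBSD): the two non-passphrase key components, the keyfile on the mounted pen drive and the first 64k of the gshsec(8) device, are assembled into a mode-0600 temporary file and checked against the expected byte count before geli attach is called, so a forgotten pen drive or a short read from the shsec device fails the attach instead of quietly attaching with less key material than intended. The device paths and the 64k read are the ones from Pawel's message; the variable and function names are mine; geli still prompts for the passphrase itself. Only attach_secure needs geli, so the assembly step can be checked on any machine with constructed files.

```sh
#!/bin/sh
# Added example for /etc/rc.local, not Pawel's snippet: assemble the geli
# key from two non-passphrase components, check both are present and of
# the expected size, then attach.  Paths are the ones from the thread;
# override them through the environment if yours differ.

PENDRIVE_KEY=${PENDRIVE_KEY:-/mnt/pendrive/keyfile.bin}   # keyfile on the USB stick
SHSEC_DEV=${SHSEC_DEV:-/dev/shsec/key}                     # gshsec(8) device
PROVIDER=${PROVIDER:-/dev/ad0s1e}                          # encrypted provider
MOUNTPOINT=${MOUNTPOINT:-/mnt/secure}
SHSEC_BYTES=65536                                          # 64k, as in dd bs=64k count=1

# Byte count of a file, without the padding some wc(1) versions print.
size_of() {
    echo $(( $(wc -c < "$1") ))
}

# Concatenate the keyfile and the first SHSEC_BYTES of the shsec device
# into $3.  Returns non-zero if either component is missing or short, so
# a missing pen drive never results in attaching with a partial key.
assemble_key() {
    keyfile=$1; shsec=$2; out=$3
    [ -r "$keyfile" ] || { echo "keyfile $keyfile not readable" >&2; return 1; }
    [ -r "$shsec" ]   || { echo "shsec device $shsec not readable" >&2; return 1; }
    (
        umask 077                       # key material is never world-readable
        cat "$keyfile" > "$out" &&
        dd if="$shsec" bs="$SHSEC_BYTES" count=1 >> "$out" 2>/dev/null
    ) || return 1
    expected=$(( $(size_of "$keyfile") + SHSEC_BYTES ))
    [ "$(size_of "$out")" -eq "$expected" ] || {
        echo "key material short: got $(size_of "$out"), want $expected" >&2
        return 1
    }
}

# Attach, fsck and mount.  The combined key file is only needed during
# attach and is removed on exit whatever happens; geli(8) asks for the
# passphrase component on the console.
attach_secure() {
    tmpkey=$(mktemp /tmp/geli.XXXXXX) || return 1
    trap 'rm -f "$tmpkey"' EXIT
    assemble_key "$PENDRIVE_KEY" "$SHSEC_DEV" "$tmpkey" || return 1
    /sbin/geli attach -k "$tmpkey" "$PROVIDER" || return 1
    fsck_ffs -p "${PROVIDER}.eli" || return 1
    mount "${PROVIDER}.eli" "$MOUNTPOINT"
}
```

Call attach_secure from /etc/rc.local after /mnt/pendrive is mounted, as Pawel notes; the size check is what turns "pen drive not present" into a refused attach rather than a wrong key that geli rejects with a less obvious error.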
From owner-freebsd-security@FreeBSD.ORG Fri Dec 16 19:27:57 2005
From: "OxY"
To: "Pawel Jakub Dawidek", "Robert Blacquiere"
Cc: freebsd-security
Date: Fri, 16 Dec 2005 20:27:45 +0100
Message-ID: <005601c60276$caa18fa0$0201a8c0@oxy>
References: <20051211123346.GK98018@bombur.guldan.demon.nl>
 <20051216191828.GA56737@garage.freebsd.pl>
Subject: Re: geli or gbde encryption of slices

i have a question about choosing geli or gbde..
which one is faster (read/write)?
i use gbde, and it's quite slow..
may i create the .bde partition again with larger sector size?
which size is optimal?

thanks!

----- Original Message -----
From: "Pawel Jakub Dawidek"
To: "Robert Blacquiere"
Cc: "freebsd-security"
Sent: Friday, December 16, 2005 8:18 PM
Subject: Re: geli or gbde encryption of slices