From: Andrey Chernov
Date: Mon, 11 Jul 2016 19:48:44 +0300
Subject: Re: GOST in OPENSSL_BASE
To: Slawa Olhovchenkov, Mark Felder
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org

On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>
>> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
>>>
>>> I.e. GOST will be available in openssl.
>>> Under a BSD-like license.
>>> Can this engine be imported into the base system and enabled at the time of 1.1.0?
>>> And can GOST be enabled now?
>>>
>>
>> I think the wrong question is being asked here. Instead we need to focus
>> on decoupling openssl from base so this can all be handled by ports.
>
> This is the wrong direction with the current policy.
> ports: unsupported by FreeBSD core and security team, not guaranteed to be compatible
> between options and applications.
>
> base: supported by FreeBSD core and security team, covered by CI,
> checked for forward and backward API and ABI compatibility.
>

Ports are supported by secteam, and recently I noticed a "headsup" mail with the intention to make base openssl private and switch all ports to the security/openssl port.
Adding GOST as a 3rd party plugin is technically possible in both cases (base, ports); the rest of the decision is up to the FreeBSD openssl maintainers and possible contributors' efforts. I need to specifically point to the "patches" section of the 3rd party GOST plugin: from just viewing it, I don't understand whether those are additional openssl patches that should be applied to openssl for GOST, or whether they just reflect existing changes in openssl.