Re: OpenSSL change for review.

2012-06-13 Thread Pawel Jakub Dawidek
On Sat, Jun 09, 2012 at 11:51:41AM +0300, Gleb Kurtsou wrote:
> On (31/05/2012 21:48), Pawel Jakub Dawidek wrote:
> > As learned on someone else's mistakes, I'd like to ask for a review of
> > those changes related to random data handling:
> > 
> > http://people.freebsd.org/~pjd/patches/libc_arc4random.c.patch
> > http://people.freebsd.org/~pjd/patches/openssl_rand_unix.c.patch
> > 
> > The first patch changes arc4random() to use sysctl to obtain random data
> > instead of opening /dev/random. The main reason here is to make it more
> > sandbox-friendly. Once closed in sandbox, a process can no longer open
> > files, so it has no access to proper random data. As a side-effect it
> > should be a bit faster as instead of three system calls (open, read and
> > close) we use only one (__sysctl).
> >
> > The second patch enables the use of libc's arc4random(3) in OpenSSL.
> 
> While at it, did you consider replacing default homegrown OpenSSL random
> generator (ssleay_rand_*) with something standard (this "hash
> uninitialized user buffer to increase entropy" thing makes me nervous,
> which was also the source of well known Debian RSA key generation issue).

Nope, sorry. This is out of my scope currently.

> Patches are good to commit, IMHO.

Thanks for review.

-- 
Pawel Jakub Dawidek   http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://tupytaj.pl
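
Added example, not part of the original thread and not the patch under review: a descriptor-free random read of the kind the first patch describes, where a failed read is an error instead of a silently unseeded buffer. It assumes the kern.arandom sysctl (CTL_KERN, KERN_ARND) as the FreeBSD source; the getrandom(2) branch is a stand-in so the code builds on other hosts, and the names random_bytes_nofd and two_draws_differ are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#if defined(__FreeBSD__)
#include <sys/sysctl.h>
#else
#include <sys/random.h>	/* getrandom(2): stand-in on non-FreeBSD hosts */
#endif

/* Fill buf with len random bytes, one system call per chunk and no file
 * descriptor, so it keeps working once the process can no longer open files.
 * Returns 0 on success, -1 on failure; callers must treat -1 as fatal. */
int random_bytes_nofd(unsigned char *buf, size_t len)
{
	size_t done = 0;
	while (done < len) {
#if defined(__FreeBSD__)
		int mib[2] = { CTL_KERN, KERN_ARND };	/* kern.arandom */
		size_t n = len - done;
		/* The kernel may return fewer bytes than requested: loop. */
		if (sysctl(mib, 2, buf + done, &n, NULL, 0) == -1 || n == 0)
			return -1;
		done += n;
#else
		ssize_t n = getrandom(buf + done, len - done, 0);
		if (n < 0 && errno == EINTR)
			continue;	/* interrupted before any byte: retry */
		if (n <= 0)
			return -1;
		done += (size_t)n;
#endif
	}
	return 0;
}

/* Draw two 32-byte seeds; returns 1 only if both reads succeed and differ. */
int two_draws_differ(void)
{
	unsigned char a[32] = { 0 }, b[32] = { 0 };
	if (random_bytes_nofd(a, sizeof(a)) != 0 ||
	    random_bytes_nofd(b, sizeof(b)) != 0)
		return 0;
	return memcmp(a, b, sizeof(a)) != 0;
}

int main(void)
{
	return two_draws_differ() ? 0 : 1;
}
```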




Re: FreeBSD Security Advisory FreeBSD-SA-12:04.sysret

2012-06-13 Thread Greg Lewis
On Tue, Jun 12, 2012 at 01:26:33PM +, FreeBSD Security Advisories wrote:
> IV.  Workaround
> 
> No workaround is available.
> 
> However FreeBSD/amd64 running on AMD CPUs is not vulnerable to this
> particular problem.
> 
> Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
> kernel are not vulnerable, nor are systems running on different
> processor architectures.

I found these last two paragraphs a little confusing.  Is the correct
interpretation that FreeBSD/amd64 running on Intel CPUs is the vulnerable
combination?

-- 
Greg Lewis  Email   : gle...@eyesbeyond.com
Eyes Beyond Web : http://www.eyesbeyond.com
Information Technology  FreeBSD : gle...@freebsd.org
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"


Re: FreeBSD Security Advisory FreeBSD-SA-12:04.sysret

2012-06-13 Thread Oliver Pinter
On 6/14/12, Greg Lewis  wrote:
> On Tue, Jun 12, 2012 at 01:26:33PM +, FreeBSD Security Advisories
> wrote:
>> IV.  Workaround
>>
>> No workaround is available.
>>
>> However FreeBSD/amd64 running on AMD CPUs is not vulnerable to this
>> particular problem.
>>
>> Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
>> kernel are not vulnerable, nor are systems running on different
>> processor architectures.
>
> I found these last two paragraphs a little confusing.  Is the correct
> interpretation that FreeBSD/amd64 running on Intel CPUs is the vulnerable
> combination?
>
> --
> Greg Lewis  Email   : gle...@eyesbeyond.com
> Eyes Beyond Web : http://www.eyesbeyond.com
> Information Technology  FreeBSD : gle...@freebsd.org
>

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=649219&SearchOrder=4


Re: FreeBSD Security Advisory FreeBSD-SA-12:04.sysret

2012-06-13 Thread Xin Li
On 06/13/12 15:37, Greg Lewis wrote:
> On Tue, Jun 12, 2012 at 01:26:33PM +, FreeBSD Security
> Advisories wrote:
>> IV.  Workaround
>> 
>> No workaround is available.
>> 
>> However FreeBSD/amd64 running on AMD CPUs is not vulnerable to
>> this particular problem.
>> 
>> Systems with 64 bit capable CPUs, but running the 32 bit
>> FreeBSD/i386 kernel are not vulnerable, nor are systems running
>> on different processor architectures.
> 
> I found these last two paragraphs a little confusing.  Is the
> correct interpretation that FreeBSD/amd64 running on Intel CPUs is
> the vulnerable combination?

Correct.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!   Live free or die




Re: FreeBSD Security Advisory FreeBSD-SA-12:04.sysret

2012-06-13 Thread Greg Lewis
On Thu, Jun 14, 2012 at 02:23:02AM +0200, Oliver Pinter wrote:
> On 6/14/12, Greg Lewis  wrote:
> > On Tue, Jun 12, 2012 at 01:26:33PM +, FreeBSD Security Advisories
> > wrote:
> >> IV.  Workaround
> >>
> >> No workaround is available.
> >>
> >> However FreeBSD/amd64 running on AMD CPUs is not vulnerable to this
> >> particular problem.
> >>
> >> Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
> >> kernel are not vulnerable, nor are systems running on different
> >> processor architectures.
> >
> > I found these last two paragraphs a little confusing.  Is the correct
> > interpretation that FreeBSD/amd64 running on Intel CPUs is the vulnerable
> > combination?
> 
> http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=649219&SearchOrder=4

Thanks :).  That was much clearer.

-- 
Greg Lewis  Email   : gle...@eyesbeyond.com
Eyes Beyond Web : http://www.eyesbeyond.com
Information Technology  FreeBSD : gle...@freebsd.org