Re: reviewing OpenSSL's lib/libssl/src/crypto/asn1

2014-04-20 Thread Bob Beck
On Sun, Apr 20, 2014 at 5:06 PM, Dirk Engling erdge...@erdgeist.org wrote: Dear openbsd devs, I've just put on my rubber gloves to help with your heroic efforts on OpenSSL. I started to dive into OpenSSL's ASN.1 implementation and now wonder how to share my findings, patches and requests

Re: reviewing OpenSSL's lib/libssl/src/crypto/asn1

2014-04-21 Thread Bob Beck
Not quite, because now you avoid the potential double free and instead leak ret itself because of how ASN1_STRING_free works.. You need to do this slightly differently. On Sun, Apr 20, 2014 at 9:37 PM, Dirk Engling erdge...@erdgeist.org wrote: On 21.04.14 04:56, Ted Unangst wrote: Also, can

Re: more axeing at openssl

2014-04-22 Thread Bob Beck
I don't think we want to do this yet. RAND_bytes and RAND_pseudo_bytes will not be going away. On Mon, Apr 21, 2014 at 9:24 PM, Jean-Philippe Ouellet jean-phili...@ouellet.biz wrote: Here's another pass. This replaces RAND_{,pseudo_}bytes() calls with equivalent arc4random_buf(3) calls for

Re: reviewing OpenSSL's lib/libssl/src/crypto/asn1

2014-04-22 Thread Bob Beck
My bad Dirk - you're right with that one. I'll take a look at this when I get home, and either apply your fix or disentangle this in a hopefully more obvious way. On Mon, Apr 21, 2014 at 1:53 PM, Dirk Engling erdge...@erdgeist.org wrote: On 21.04.14 19:01, Bob Beck wrote: Not quite, because

Re: reviewing OpenSSL's lib/libssl/src/crypto/asn1

2014-04-22 Thread Bob Beck
Post diffs one per message per thing you're trying to do - example fix leak in foo.c - etc. You may have slow replies for a few days, people are travelling On Tue, Apr 22, 2014 at 12:12 PM, Dirk Engling erdge...@erdgeist.org wrote: On 22.04.14 19:16, Bob Beck wrote: I'll take a look

Re: [patch mountd.c] replace malloc memset with calloc

2014-04-22 Thread Bob Beck
Note you can often have this problem if you cut and paste your diff into a mail message Normally best to use something that allows you to just include the diff from a file inline. To check it, mail *yourself* the diff. If you can save the email message raw and apply the diff just by running

Re: reviewing OpenSSL's lib/libssl/src/crypto/asn1

2014-04-22 Thread Bob Beck
Thanks ted. now I don't have to do it :) Send more diffs Dirk :) On Tue, Apr 22, 2014 at 2:38 PM, Ted Unangst t...@tedunangst.com wrote: On Mon, Apr 21, 2014 at 05:37, Dirk Engling wrote: On 21.04.14 04:56, Ted Unangst wrote: Also, can you include diffs inline please? One diff per email.

Re: [PATCH] remove macros only used once

2014-04-22 Thread Bob Beck
I will be a minute reading this. The comment from the context at the bottom of the diff has me laughing and crying again... On Tue, Apr 22, 2014 at 5:43 PM, Dirk Engling erdge...@erdgeist.org wrote: remove M_ASN1_New_Malloc, M_ASN1_New, M_ASN1_New_Error macros, they hide a malloc and are only

Re: [PATCH] remove macros only used once

2014-04-22 Thread Bob Beck
I hate the amount of useless garbage API this thing exposes externally, that we then have to wonder WTF out there might use it G. Dirk the right way to do this is leave the macros for now (ick) but change the internals of all our stuff to use intrinsics without the use of the macros. We

Re: [PATCH] remove macros only used once

2014-04-22 Thread Bob Beck
can use! I must use it! On Tue, Apr 22, 2014 at 6:23 PM, Bob Beck b...@obtuse.com wrote: I hate the amount of useless garbage API this thing exposes externally, that we then have to wonder WTF out there might use it G. Dirk the right way to do this is leave the macros for now (ick

Re: small patch: CRYPTO_memcmp

2014-04-22 Thread Bob Beck
Nope. One of those things is not like the other.. On Tue, Apr 22, 2014 at 7:05 PM, Michael W. Bombardieri m...@ii.net wrote: Hi tech@, Sending this patch for comment... CRYPTO_memcmp() is different to memcmp() because it can only check for equality, not greater-than/less-than. If we check

Re: [PATCH] Use sizeof() to pass buffer size to cleanser

2014-04-22 Thread Bob Beck
Looks good, but if you chase something like this, it's ok to send a diff that kills all of them at once in the same file, like this. which replaces everywhere the original author didn't know about sizeof(buf) :) -Bob Index: n_pkey.c

Re: [PATCH| zero a freed pointer passed in a struct, to prevent reuse after free

2014-04-22 Thread Bob Beck
Yes, ok committed On Wed, Apr 23, 2014 at 03:55:19AM +0200, Dirk Engling wrote: Index: x_x509.c === RCS file: /cvs/src/lib/libssl/src/crypto/asn1/x_x509.c,v retrieving revision 1.12 diff -u -r1.12 x_x509.c --- x_x509.c 18

Re: small patch: CRYPTO_memcmp

2014-04-22 Thread Bob Beck
On Wed, Apr 23, 2014 at 04:39:01AM +, Miod Vallat wrote: + while (n-- > 0) + x |= a[n] ^ b[n]; Won't compare the bytes at [0]. Uh? It will, n gets decremented after the test but before the x |= statement. Heh. you're right. And both Ted and I were dumbasses. I have tied

Re: [patch sbin/nfsd/nfsd.c] replace malloc memset with calloc

2014-04-24 Thread Bob Beck
Now is not the time for this diff Please wait a week or so till the ports mysteries are sorted Patch updated. ok? Index: nfsd.c === RCS file: /cvs/src/sbin/nfsd/nfsd.c,v retrieving revision 1.32 diff -u -p -u -r1.32 nfsd.c ---

Re: data modified on freelist, tmpfs-related?

2014-04-30 Thread Bob Beck
This is probably the simplest way to solve the problem for now. if we want to mess with sys/queue we can do that separately. On Wed, Apr 30, 2014 at 8:55 AM, Mark Kettenis mark.kette...@xs4all.nl wrote: From: Mike Belopuhov m...@belopuhov.com Date: Wed, 30 Apr 2014 16:00:45 +0200 On 30

Re: polling SSL kerberos and srp support

2014-04-30 Thread Bob Beck
If I had to guess at this point - SRP may have a future. I'm betting kssl does not, and this should probably go away. On Tue, Apr 29, 2014 at 4:06 PM, Stefan Fritsch s...@sfritsch.de wrote: Am Montag, 28. April 2014, 21:40:30 schrieb Ted Unangst: Also note that I'm not really interested in

Re: malloc freelists

2014-05-01 Thread Bob Beck
Lots of things get allocated with malloc. Including structures with function pointers in them. I don't count myself as an exploit expert, but I do know if I can manage to get to a situation where I have a writable, predictable location in memory that I know will get called in short order by

New errata released for OpenBSD 5.4/5.5

2014-05-01 Thread Bob Beck
From http://www.openbsd.org/errata55.html: untrusted comment: signature from openbsd 5.5 base secret key RWRGy8gxk9N9321DQnPP+9IApvSKgX2JT78ZuEZ9HWNUESOfE91CMPQIevj7Yrafs1Zc/KNELplMHCwmFTL8CBjPjuXfEG9y+gU= OpenBSD 5.5 errata 5, May 1, 2014: An attacker can trigger generation of an SSL alert

Re: malloc freelists

2014-05-01 Thread Bob Beck
because it's better than one. frankly, it's a starting point. if 8 or 42 is better we can tune from there. or replace it with something that's better to do the same thing - if that can be come up with. Do you have a better suggestion? On Thu, May 1, 2014 at 12:52 PM, Marc Espie es...@nerim.net

Re: [RFC] Ai_ADDRCONFIG^WAIAIAIAIAIAIAEEEEEEEEE tweaks?

2014-05-02 Thread Bob Beck
Honestly folks, I'm sick of the attitude of The future is nigh, the mystic portal awaits! V6 is coming! as an excuse for we *MUST* change things related to this. We've been hearing the mystic portal awaits for 15 years - and yet MANY of us in MANY parts of the world still can not get reasonable

Re: [RFC] Ai_ADDRCONFIG^WAIAIAIAIAIAIAEEEEEEEEE tweaks?

2014-05-02 Thread Bob Beck
, and the burden is on the v6 diff submitter to prove it, not tell everyone else it's the way and they should prove otherwise. On Fri, May 2, 2014 at 11:39 AM, Kenneth Westerback kwesterb...@gmail.com wrote: On 2 May 2014 13:24, Bob Beck b...@obtuse.com wrote: Honestly folks, I'm sick

Re: libc: #define to remove support for %n from printf(3)?

2014-05-02 Thread Bob Beck
What's their hangup with %n? We normally don't like polluting the world with #ifdef OPENSSL_NO_PERCENT_N... We normally nuke stuff like that On 2 May 2014 16:19, enh e...@google.com wrote: i maintain Android's C library which, as you may know, contains a lot of OpenBSD code. i've been working

Re: 9p

2014-05-30 Thread Bob Beck
I actually agree that it might not be a bad thing. However, as we've seen with lots of things that touch vfs it's pretty easy to get to 80 or 90 percent functionality and then the last 10% is a royal red pain in the butt, with possibly awful crashing bugs. So I'm certainly not averse to someone

Re: 9p

2014-05-30 Thread Bob Beck
Yes, that's true. you *WILL* have awful crashing or hanging bugs to chase ;) Welcome to the midlayer. Wine bottles are optional but highly recommended. On Fri, May 30, 2014 at 2:55 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: However, as we've seen with lots of things that touch vfs it's

Re: 9p

2014-05-30 Thread Bob Beck
Most VFS hackers would say there is a third purpose. but don't scare him away yet... On Fri, May 30, 2014 at 3:01 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: Yes, that's true. you *WILL* have awful crashing or hanging bugs to chase ;) Welcome to the midlayer. Wine bottles are

Re: 9p

2014-05-30 Thread Bob Beck
You pick. But before you do think about how to test it. On 30 May 2014 19:19, M Farkas-Dyck strake...@gmail.com wrote: Stefan Fritsch s...@sfritsch.de wrote: [1] https://bitbucket.org/iru/o9fs/overview Thanks for the link; this could be useful. Bob Beck b...@obtuse.com wrote: So I'm

Re: LibreSSL and ASN.1 encodings

2014-05-31 Thread Bob Beck
Done. Thanks for the giggle. I needed it today. -Bob On Sat, May 31, 2014 at 07:20:56PM +0200, D. Spindel wrote: a short plea from someone who just had to dig through OpenSSL code and figuring out why I was getting T.61 strings instead of UTF8Strings. Would you _please_ and kindly change

Re: [PATCH 2/2] remove uses of internally-deprecated OPENSSL_malloc/free

2014-05-31 Thread Bob Beck
You should change this so it doesn't check for null before the free. free handles NULL. On 31 May 2014 16:39, Brent Cook bust...@gmail.com wrote: --- ecdh/ecdhtest.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ecdh/ecdhtest.c b/ecdh/ecdhtest.c index

Re: [PATCH 1/3] Check output of write() to stdout

2014-06-02 Thread Bob Beck
abort? are you insane? no no no no... On Sun, Jun 1, 2014 at 8:28 PM, Brent Cook bust...@gmail.com wrote: Check for errors on write. Since SIGPIPE is ignored, play nicely with pipelines by aborting on EPIPE. --- src/apps/s_server.c | 7 +-- 1 file changed, 5 insertions(+), 2

Re: new OpenSSL flaws

2014-06-05 Thread Bob Beck
We are not on a linux distros mailing list, because we are not a linux distribution. And this private mailing list is not really an acknowledged conduit for vulnerability release. I was asked by someone privately if *I* would be on that mailing list on June 2nd. I said I would consider it, but

Re: new OpenSSL flaws

2014-06-05 Thread Bob Beck
I may also remind people that those lists are acknowledged right at the top as experimental. They also do not allow for non personal subscriptions, so they aren't very practical for this. What if I was away for a day or three.. Or more.. Essentially this is a nice experiment, but not really a

ANONCVS MIRROR MAINTAINERS PLEASE READ!

2014-06-06 Thread Bob Beck
If you or someone you love runs an anoncvs server, they need to see this. We recently added commitid support to our cvs repo. all works fine with cvs and this. However, we ran into a problem with cvsync in ports. Most mirror maintainers use cvsync to fetch the repository from anoncvs.ca - it had

Re: libressl compilation issues (?)

2014-06-08 Thread Bob Beck
Yeah. Sorry folks I screwed this up on the fanout machine while starting and stopping daemons and cron jobs chasing the cvsync commitid issue. My bad. On 8 Jun 2014 14:20, Stuart Henderson st...@openbsd.org wrote: On 2014/06/08 20:58, Stuart Henderson wrote: On 2014/06/08 11:49, Loganaden

Re: sys/msdosfs: off by one

2014-06-17 Thread Bob Beck
On 17 Jun 2014 18:22, Kenneth Westerback kwesterb...@gmail.com wrote: On 17 June 2014 17:43, Tobias Stoeckmann tob...@stoeckmann.org wrote: On Mon, Jun 16, 2014 at 04:43:02PM -0700, John-Mark Gurney wrote: FreeBSD fixed this by increasing the malloc size:

Re: compare memcmp with 0

2014-06-20 Thread Bob Beck
OMFG.. Ingo you just made my morning. I'm laughing so hard. And I needed the laugh -Bob On Fri, Jun 20, 2014 at 04:54:15PM +0200, Ingo Schwarze wrote: Hi Theo, Theo de Raadt wrote on Thu, Jun 19, 2014 at 09:58:01PM -0600: It could be argued that the bcmp manual page does a poor job

ANONCVS MIRROR MAINTAINERS.. YOU NEED TO READ THIS!

2014-06-25 Thread Bob Beck
If you or someone you love runs an anoncvs server, they need to see this. As you know we recently added commitid support to cvs, and we had you update your cvsync binary. Unfortunately, the fix wasn't quite right. We ran into problems with the synching of commitid files. naddy managed to cook a

Re: sshd add back hmac-sha1

2014-07-11 Thread Bob Beck
yes please. On Fri, Jul 11, 2014 at 3:32 AM, Ted Unangst t...@tedunangst.com wrote: I think the proposal rampaging went one algorithm too far. sha1 is the best algorithm supported by many clients and it's still pretty secure. without it, a lot of clients have stopped working. temporarily

First release of LibreSSL portable is available.

2014-07-11 Thread Bob Beck
The first release of LibreSSL portable has been released. LibreSSL can be found in the LibreSSL directory of your favorite OpenBSD mirror. http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors will soon. libressl-2.0.0.tar.gz has been tested to build on various versions of Linux,

Re: First release of LibreSSL portable is available.

2014-07-11 Thread Bob Beck
It's already fixed, so will be on the next tarball roll On Fri, Jul 11, 2014 at 3:07 PM, Piotr Sikora piotr.sik...@frickle.com wrote: Hello, libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OSX, and FreeBSD. This is intended as an initial release to

Re: CVS: cvs.openbsd.org: src

2014-07-11 Thread Bob Beck
PM, Stuart Henderson s...@spacehopper.org wrote: On 2014/07/11 15:21, Bob Beck wrote: CVSROOT: /cvs Module name: src Changes by: b...@cvs.openbsd.org2014/07/11 15:21:59 Modified files: lib/libssl/src/crypto: opensslv.h Log message: Provide LIBRESSL_VERSION_NUMBER

Re: CVS: cvs.openbsd.org: src

2014-07-11 Thread Bob Beck
And seeing as how they moved 0.0.4 revisions in 9 years, call that 0.0.05 revisions per year, they have approximately 194 years of OpenSSL releases before the version numbering space will collide. On Fri, Jul 11, 2014 at 4:41 PM, Bob Beck b...@obtuse.com wrote: The OPENSSL_VERSION number

Re: CVS: cvs.openbsd.org: src

2014-07-11 Thread Bob Beck
Dempsky matt...@dempsky.org wrote: On Fri, Jul 11, 2014 at 3:41 PM, Bob Beck b...@obtuse.com wrote: The OPENSSL_VERSION number is a guarantee for a certain version of the ABI. As we don't provide that (in fact much of the ABI in LibreSSL is beyond 1.0.1g, it is not accurate to use the old

Re: libressl portable and openssh portable causes segfault

2014-07-11 Thread Bob Beck
You need a more recent OpenSSH. The old versions of OpenSSH did a foolish thing with their portable arc4random, and called RAND_BYTES. New OpenSSH does not do this. On Fri, Jul 11, 2014 at 6:07 PM, Hanno Böck ha...@hboeck.de wrote: Hi, I just noted that when I recompiled openssh against

Re: libressl portable and openssh portable causes segfault

2014-07-11 Thread Bob Beck
PM, Hanno Böck ha...@hboeck.de wrote: On Fri, 11 Jul 2014 18:12:49 -0600 Bob Beck b...@obtuse.com wrote: You need a more recent OpenSSH. The old versions of OpenSSH did a foolish thing with their portable arc4random, and called RAND_BYTES. New OpenSSH does not do this. I use 6.6p1 which

Re: First release of LibreSSL portable is available.

2014-07-12 Thread Bob Beck
On Fri, Jul 11, 2014 at 9:52 PM, tekk t...@parlementum.net wrote: Thanks Bob and all the other LibreSSL hackers. Thanks - While I seem to have been quasi defaulted into the public face for this thing (probably due to size and volume) I hope you can emphasize all the other hackers. Yes, I've

LibreSSL 2.0.1 released

2014-07-13 Thread Bob Beck
We have released an update, LibreSSL 2.0.1 This release includes a number of portability fixes based on the initial feedback we have received from the community. This includes among other things two new configure options to set OPENSSLDIR and ENGINESDIR. We have removed a few hardcoded compiler

Re: LibreSSL 2.0.1 released

2014-07-13 Thread Bob Beck
Also starting with this release the directory includes SHA256 signatures which are signed using signify. The signify public key for libressl is: untrusted comment: LibreSSL Portable public key RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe On Sun, Jul 13, 2014 at 5:07 AM, Bob Beck b

Re: apmd -C tweak

2014-07-13 Thread Bob Beck
I would like this. On Sun, Jul 13, 2014 at 8:06 AM, Ted Unangst t...@tedunangst.com wrote: for reference, i use this. faster query interval and when not idle, slam high immediately. Index: apmd.c === RCS file:

Re: remaining compression function stubs (patch and potential discussion)

2014-07-14 Thread Bob Beck
Hi hanno, we've been discussing it extensively here. It's been out and back in and out and back in ;) the problem is there are multiple pieces of software, all of which test for this stuff rather badly. and either way we do it seems to break things. On Mon, Jul 14, 2014 at 6:55 AM, Hanno Böck

Re: LibreSSL 2.0.1 released - installation extra_mode

2014-07-14 Thread Bob Beck
What problem are you trying to solve here. On Mon, Jul 14, 2014 at 12:28 PM, Jan Engelhardt jeng...@inai.de wrote: On Monday 2014-07-14 20:16, Toni Mueller wrote: Hi Jan, On Sun, Jul 13, 2014 at 08:30:38PM +0200, Jan Engelhardt wrote: On Sunday 2014-07-13 13:07, Bob Beck wrote: We have

Re: [portable] OpenPGP signatures on release checksums (#12)

2014-07-14 Thread Bob Beck
To answer a number of questions about this all at once. No. we don't sign releases with GnuPG or OpenPGP. GnuPG alone is a compressed tarball of 4.2 MB of code I have occasionally had to glance at. I do not have enough energy in my life to clean up two poorly written crypto code bases. The world

Re: [portable] OpenPGP signatures on release checksums (#12)

2014-07-14 Thread Bob Beck
It's also here :) 8-- untrusted comment: LibreSSL Portable public key RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe On Mon, Jul 14, 2014 at 8:52 PM, Bob Beck b...@obtuse.com wrote: Once we are back in North America where we can do it (the master signature box is airgapped

LibreSSL portable 2.0.2 released.

2014-07-15 Thread Bob Beck
We have released an update, LibreSSL 2.0.2 This release addresses the Linux forking and pid wrap issue reported recently in the press. As noted before, we welcome feedback from the broader community. Enjoy -Bob

Re: LibreSSL portable 2.0.2 released.

2014-07-16 Thread Bob Beck
please commit that mark On Wed, Jul 16, 2014 at 3:14 AM, Mark Kettenis mark.kette...@xs4all.nl wrote: Date: Wed, 16 Jul 2014 11:03:12 +0200 From: Martin Hecht he...@hlrs.de On 07/16/2014 05:40 AM, Bob Beck wrote: We have released an update, LibreSSL 2.0.2 This release addresses

Re: LibreSSL portable 2.0.2 released.

2014-07-16 Thread Bob Beck
yep - running it now, it takes a few minutes On Wed, Jul 16, 2014 at 8:28 AM, Mark Kettenis mark.kette...@xs4all.nl wrote: From: Bob Beck b...@openbsd.org Date: Wed, 16 Jul 2014 07:55:16 -0600 please commit that mark committed to cvs (with HAVE_GETAUXVAL instead of HAVE_AUXVAL) guess

Re: Probably you already know but http://www.openbsd.org/cgi-bin/cvsweb/ is returning HTTP 403 Forbidden

2014-07-16 Thread Bob Beck
I've disabled it due to persistent DOS attacks. It may come back later. On Wed, Jul 16, 2014 at 12:11 PM, Rafael Neves rafaelne...@gmail.com wrote: Hi Beck, Probably you already know http://www.openbsd.org/cgi-bin/cvsweb/ is returning HTTP 403 Forbidden. This is recent, maybe two or three

Re: Miscellaneous LibreSSL portability fixes

2014-07-16 Thread Bob Beck
Hi Jonas, You make a few good points and they will be considered, but really, custom hobby os is not really on our radar right now. We have our hands full enough with portable dealing with the major distros and libc's, and fending off all the haters. On Wed, Jul 16, 2014 at 4:02 PM, Jonas

Re: Miscellaneous LibreSSL portability fixes

2014-07-16 Thread Bob Beck
Steve, sorry, but GNU/kFreeBSD is not going to happen right now. We are too busy with other things. On Wed, Jul 16, 2014 at 6:26 PM, Steven Chamberlain ste...@pyro.eu.org wrote: Hi, On 16/07/14 23:02, Jonas 'Sortie' Termansen wrote: * Consider using _DEFAULT_SOURCE or _ALL_SOURCE as feature

Re: lynx: disable old protocols

2014-07-18 Thread Bob Beck
ftp -o - http://ftp.openbsd.org/pub/OpenBSD/snapshots/ftplist | some script, or maybe your eyes and pick one. On Fri, Jul 18, 2014 at 4:29 PM, Ville Valkonen weezeld...@gmail.com wrote: On 17 July 2014 00:10, Stuart Henderson st...@openbsd.org wrote: On 2014/07/16 16:00, Jean-Philippe Ouellet

LibreSSL 2.0.3 released

2014-07-21 Thread Bob Beck
We have released an update, LibreSSL 2.0.3 - which should be arriving in the LibreSSL directory of an OpenBSD mirror near you very soon. This release includes a number of portability fixes based on the feedback

Re: [PATCH, libressl] discuss: removal of padding extension?

2014-07-23 Thread Bob Beck
An interesting thought Hanno - do we know what other implementations (Polar, GnuTLS, etc.) do by default? I'm inclined to agree that it never should have been done. Having said that, before we nuke it we kind of need to know if this has become de-facto standard behaviour thanks to OpenSSL

Re: [PATCH, libressl] discuss: removal of padding extension?

2014-07-23 Thread Bob Beck
I think we can consider removing it, but I think it might be best to wait until after the forthcoming OpenBSD release. On Wed, Jul 23, 2014 at 8:01 AM, Brent Cook bust...@gmail.com wrote: On Jul 23, 2014, at 8:04 AM, Bob Beck b...@obtuse.com wrote: An interesting thought Hanno - do we know

Re: LibreSSL: why is support for CMS disabled?

2014-08-03 Thread Bob Beck
Security problems: CRIME, BREACH, and other crud. Compression was slapped into TLS without any thought to the consequences or side effects. - effectively doing this in TLS should not be considered a mature protocol, and nobody who takes security seriously should use that until it is - if ever. On

LibreSSL 2.0.4 released

2014-08-03 Thread Bob Beck
We have released LibreSSL 2.0.4, which should be arriving in the LibreSSL directory of an OpenBSD mirror near you very soon. This version includes more portability changes, as well as other work. most noticeable may be the deletion of the SRP code (which has not been enabled in any LibreSSL

Re: LibreSSL: why is support for CMS disabled?

2014-08-03 Thread Bob Beck
Oops. Derp derp... On 3 Aug 2014 17:53, Philip Guenther guent...@gmail.com wrote: On Sun, Aug 3, 2014 at 11:07 AM, Bob Beck b...@obtuse.com wrote: Security problems: CRIME, BREACH, and other crud. Compression was slapped into TLS without any thought to the consequences or side effects

LibreSSL 2.1.0 released.

2014-10-12 Thread Bob Beck
We have released LibreSSL 2.1.0 - which should be arriving in the LibreSSL directory of an OpenBSD mirror near you very soon. This release continues on with further work from after OpenBSD 5.6 code freeze. Our intention is to finalize LibreSSL 2.1 with OpenBSD 5.7 As noted before, we welcome

Re: LibreSSL 2.1.0 released.

2014-10-13 Thread Bob Beck
normally tech@openbsd.org would be the place to start contributing. If you have fixes, post diffs there. On Sun, Oct 12, 2014 at 9:26 PM, Jiri Navratil j...@navratil.cz wrote: Sun, Oct 12, 2014 at 07:36:02PM CEST, b...@openbsd.org napsal(a): We have released LibreSSL 2.1.0 - which should be

LibreSSL 2.1.1 released.

2014-10-16 Thread Bob Beck
We have released LibreSSL 2.1.1 - which should be arriving in the LibreSSL directory of an OpenBSD mirror near you very soon. This release includes: * Address POODLE attack by disabling SSLv3 by default * Fix Elliptical Curve cipher selection bug

Re: LibreSSL: GOST ciphers implementation

2014-11-06 Thread Bob Beck
We have and will continue to publicly state that we will welcome implementations of government-mandated ciphers as long as the implementations are clean and they are appropriately licensed, and everyone does *not* need to use them. This is the reason, for example, that we include the French

Re: LibreSSL: GOST ciphers implementation

2014-11-06 Thread Bob Beck
And that has nothing to do with what I said Alexey. Go troll somewhere else.. On Thu, Nov 6, 2014 at 2:05 PM, Alexey Suslikov alexey.susli...@gmail.com wrote: Bob Beck beck at openbsd.org writes: 1) It can't mess up the code base for everyone. 2) Everyone should not need to eat the dog food

Re: CVS issue?

2013-06-24 Thread Bob Beck
likely from when I killed your process. Have you thought of trying a mirror lately.. On Mon, Jun 24, 2013 at 5:38 AM, Ian McWilliam kaosa...@tpg.com.au wrote: Anybody else seeing this updating ports via cvs? CVSROOT anon...@anoncvs1.ca.openbsd.org:/cvs cvs update: ignoring

Re: bump time_t/other type fixes to spamd

2013-08-21 Thread Bob Beck
I think this would be the way to go. On Wed, Aug 21, 2013 at 9:14 AM, Todd C. Miller todd.mil...@courtesan.com wrote: Speaking of spamd, I've been running the following diff for five months or so. It removes the use of time_t in the greylist db file and provides backwards compat for 32-bit

Re: CVS: cvs.openbsd.org: src

2013-11-19 Thread Bob Beck
I'm inclined to agree with marc here - we bump minors on api additions - and yes, it was stubbed there before so it's not really an addition but it was stubbed to fail and had to be worked around - bump the minor - not like it's a big deal. On Tue, Nov 19, 2013 at 12:02 AM, Marc Espie

Re: remove disksort()

2013-11-22 Thread Bob Beck
An emphatic ok from me for this one. On Wed, Nov 20, 2013 at 3:21 AM, David Gwynne da...@gwynne.id.au wrote: the subject says it all really. this is sort of inspired by 5d2ecd5224 in bitrig except this brings all the architectures and device drivers forward (i didn't get to delete any to

The OpenBSD Foundation now accepts BitCoin donations...

2013-11-26 Thread Bob Beck
I'm happy to announce the OpenBSD foundation can now accept donations to assist in funding project activities in BTC. We are using BitPay.com to host our BitCoin donations, which are converted to CAD for use by the project. If you have been interested in making donations in BitCoin, please visit

Re: Request for Funding our Electricity

2014-01-14 Thread Bob Beck
Just to bring this issue back to the forefront. In light of shrinking funding, we do need to look for a source to cover project expenses. If need be the OpenBSD Foundation can be involved in receiving donations to cover project electrical costs. But the fact is right now, OpenBSD will shut

Re: Request for Funding our Electricity

2014-01-14 Thread Bob Beck
, and often, you (the people who use it and work with it) need to make the case to them that their support is important - far better that explanation comes from you rather than someone they don't know. -Bob On Tue, Jan 14, 2014 at 1:03 PM, Bob Beck b...@openbsdfoundation.org wrote: Just to bring

Re: Request for Funding our Electricity

2014-01-14 Thread Bob Beck
an idea we'd probably like to put up - as it gets that crowdsourcing type interest going. But in this case it would likely not be 20K, more like a 150K yearly goal would be best. On Tue, Jan 14, 2014 at 2:16 PM, Kirill Bychkov ki...@linklevel.net wrote: On Wed, January 15, 2014 00:03, Bob Beck wrote

asdasd

2014-01-20 Thread Bob Beck
Greetings All, About a week ago I warned you all that the OpenBSD project did not have the funds to cover our bills for the past year (especially the ability to handle the electricity) and that our funding sources were not sustainable. As most of you know the news of our predicament has been

OpenBSD Foundation Fundraising for 2014

2014-01-20 Thread Bob Beck
Greetings All, About a week ago I warned you all that the OpenBSD project did not have the funds to cover our bills for the past year (especially the ability to handle the electricity) and that our funding sources were not sustainable. As most of you know the news of our predicament has been

Re: signed packages

2014-01-22 Thread Bob Beck
Yeah. Ok mister chicken before egg.. We should validate this thing shipped in a release using dnssec with a root of trust depending on root certs shipped with the release...Love that idea.. But maybe I'll just buy a CD. On 22 Jan 2014 05:13, Jiri B ji...@devio.us wrote: On Wed, Jan 22,

Re: signed packages

2014-01-22 Thread Bob Beck
OpenBSD Foundation funding campaign by suggesting that you're not actually not real people, but a helpful-suggestions-posting-bot sponsored by the NSA.. Or maybe it's that they've infiltrated our educational systems... Please get out your tinfoil hats kids. On Wed, Jan 22, 2014 at 5:39 AM, Bob Beck

Re: signed packages

2014-01-22 Thread Bob Beck
I think I'll make sure to advertise the next OpenBSD Foundation funding campaign by suggesting that you're not actually not real people, but a helpful-suggestions-posting-bot sponsored by the NSA.. Or maybe it's that they've infiltrated our educational systems... Please get out your tinfoil

Re: quick fix for uvm deadlocks

2014-02-05 Thread Bob Beck
On Wed, Feb 5, 2014 at 3:17 PM, Ted Unangst t...@tedunangst.com wrote: We are missing back pressure channels from uvm to the buf cache. The buf cache will happily sit on 9000 free pages while uvm churns around trying to scavenge up one more page. Indeed, those are its minimums (I presume in

Re: quick fix for uvm deadlocks

2014-02-05 Thread Bob Beck
talked about :) I think we can make that a lot better with some NOCACHE.. On Wed, Feb 5, 2014 at 9:03 PM, Ted Unangst t...@tedunangst.com wrote: On Wed, Feb 05, 2014 at 17:53, Bob Beck wrote: On Wed, Feb 5, 2014 at 3:17 PM, Ted Unangst t...@tedunangst.com wrote: We are missing back pressure

Google Summer Of Code 2014.

2014-02-24 Thread Bob Beck
together with students to accomplish things that may become useful to the community at large. This will be our first year doing this, so we hope to learn from the experience and see if it will work out in future years. -Bob Beck - The OpenBSD Foundation.

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
If you're using windows bootloader, you need to re-get the openbsd.pbr file to the windows side like you did in the first place according to the instructions here: http://www.openbsd.org/faq/faq4.html#Multibooting Someone really needs to put it in the multiboot FAQ that if you're booting with

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
Meaning that the pbr must be updated with the new location. It doesn't just tend to move around (ie. tend == prone to move). It moves every time, since it is using mkstemp to create a new file. Hmm.. yeah that'll be fun to deal with in multi-boot setups.

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
No, because moving it means that you have to manually redo it every time you install a snap. which is really a pita. On Fri, Mar 7, 2014 at 9:44 AM, Mark Kettenis mark.kette...@xs4all.nl wrote: From: Theo de Raadt dera...@cvs.openbsd.org Date: Fri, 07 Mar 2014 09:24:13 -0700 Whereas new

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
, Mar 7, 2014 at 9:49 AM, Bob Beck b...@obtuse.com wrote: No, because moving it means that you have to manually redo it every time you install a snap. which is really a pita. On Fri, Mar 7, 2014 at 9:44 AM, Mark Kettenis mark.kette...@xs4all.nl wrote: From: Theo de Raadt dera

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
actually more painful than having to boot windows is to always have something handy to boot the snap from in order to dd the bootblock off in case you forget to do it before rebooting, or you're fucked. On Fri, Mar 7, 2014 at 9:50 AM, Bob Beck b...@obtuse.com wrote: before it was just that you

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
It will affect everyone who needs windows on a laptop for work - or filling out pdf forms for foundations, things like that. It is a good way to ensure snaps get tested less on real hardware. On Fri, Mar 7, 2014 at 10:13 AM, Theo de Raadt dera...@cvs.openbsd.org wrote: actually more painful

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
Message- From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of Bob Beck Sent: Friday, March 07, 2014 12:15 PM To: Theo de Raadt Cc: Mark Kettenis; Stuart Henderson; Jean-Philippe Luiggi; OpenBSD technical list Subject: Re: 5.5 and dual-boot It will affect everyone

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
a batch file to activate partition *3* on disk 0 with diskpart :) I might even buy them a beer or 13 for it. On Fri, Mar 7, 2014 at 11:43 AM, Bob Beck b...@obtuse.com wrote: Why I hadn't thought of going back to that I don't know.. It actually works better for me since I don't then normally have

Re: 5.5 and dual-boot

2014-03-07 Thread Bob Beck
...@meridium.com wrote: Put the following in a txt file then: diskpart /s c:\openbsd_me.txt Untested, but that's the idea. And yep in windows world the disks starts at 0 and the partitions at 1 Select disk 0 Select part 3 Active Exit -Original Message- From: Bob Beck [mailto:b

Re: 27 Mar 2014 amd64 snapshot

2014-03-28 Thread Bob Beck
Does your proxy do http? no ftp protocol in new installers - we're killing it with fire. On Fri, Mar 28, 2014 at 9:30 AM, Michael W. Lucas mwlu...@michaelwlucas.com wrote: Hi, Trying to upgrade to $SUBJECT. Have done so on this same host many times before. Boot bsd.rd. Type U, enter x 5.

Re: OpenSSH hole, April 9

2014-04-09 Thread Bob Beck
On Wed, Apr 09, 2014 at 02:49:21PM -0600, Devin Reade wrote: Quoting Theo de Raadt dera...@cvs.openbsd.org: If tomorrow Damien or I had to announce a major OpenSSH hole, how screwed would the Internet be? Would you mind clarifying this a bit? Was the post strictly a (justified) comment

OpenBSD Foundation 2014 Fundraising Campaign.

2014-04-10 Thread Bob Beck
The OpenBSD Foundation is happy to report that the $150,000 goal of the 2014 fundraising campaign has been reached. We wish to thank our contributors large and small. We will continue our fundraising efforts both in the current year and next year. The success of this year's effort has allowed

Re: OpenSSH hole, April 9

2014-04-10 Thread Bob Beck
On 9 Apr 2014 15:46, Bob Beck b...@obtuse.com wrote: On Wed, Apr 09, 2014 at 02:49:21PM -0600, Devin Reade wrote: Quoting Theo de Raadt dera...@cvs.openbsd.org: If tomorrow Damien or I had to announce a major OpenSSH hole, how screwed would the Internet be? Would you mind clarifying
