#10 encryption improperly used?

Status: closed-out-of-date
Owner: Bishop
Labels: None
Priority: 5
Updated: 2006-11-26
Created: 2004-09-07
Private: No

Quite some time ago, OpenFortress did an audit of
vtund and found that the encryption was not well used,
opening up several security issues. He provided a patch
for this. This patch does not seem to be present in CVS
or in the proposed 3.0 release. Have you guys heard of
this and rejected it, or did you never hear of it?

Discussion

  • Curt Sampson

    Curt Sampson - 2004-09-07
    • summary: encryption improperly used --> encryption improperly used?
     
  • Curt Sampson

    Curt Sampson - 2004-09-07

    Logged In: YES
    user_id=9917

    Darn, it's hard to attach a file here! One more try.....

     
  • Curt Sampson

    Curt Sampson - 2004-09-07

    Logged In: YES
    user_id=9917

    Darn, it's hard to attach a file here! One more try.....

     
  • Curt Sampson

    Curt Sampson - 2004-09-07

    Logged In: YES
    user_id=9917

    Yet another try at file upload, gzipped this time so that
    sourceforge doesn't complain about it being too large.

     
  • Curt Sampson

    Curt Sampson - 2004-09-07

    Logged In: YES
    user_id=9917

    Will it accept the upload this time?

     
  • Curt Sampson

    Curt Sampson - 2004-09-07

    OpenFortress security patches for vtun 2.6

     
  • Bishop

    Bishop - 2004-09-07

    Logged In: YES
    user_id=10830

    Never heard of OpenFortress or the apparent review, which
    didn't seem to reach my mailbox.

    The only Review I've ever seen was the one by the guy
    pushing a product that serves the same space ('competing',
    if you will).

    I'm happy to see any patch. It's been code-reviewed by an
    OpenFortress rep, also?

    - bish

    I must be stunned, as I'm still not seeing the diff
    attachment. It was a long and profane night, though. Can
    you drop it in my email as a patch vs CVS? As well, can you
    send me URLs to this review?

     
  • Bishop

    Bishop - 2004-09-07
    • assigned_to: nobody --> mtbishop
    • status: open --> pending
     
  • Bishop

    Bishop - 2004-09-07
    • assigned_to: mtbishop --> nobody
     
  • Curt Sampson

    Curt Sampson - 2004-09-07
    • status: pending --> open
     
  • Dale Fountain

    Dale Fountain - 2004-09-08

    Logged In: YES
    user_id=925685

    Hello cjs,

    Thanks for the links.

    I have seen both analyses before, although not the patch.

    I have this to say about the second analysis
    (http://diswww.mit.edu/bloom-picayune/crypto/14238): it is
    pure garbage. The analyst simply failed to do his homework.

    The first one you quoted is merely outdated and/or being
    addressed with respect to VTun's encryption offerings. See
    the 2.9.9x series.

    Thanks for mentioning the OpenFortress patch. You may see
    some improvements incorporated into 3.0 from it. However,
    please keep in mind that it looks like the main thrust of
    the patch is to support their own hardware. It will all be
    evaluated before inclusion of any part is considered.

    Regards,

    -Dale

     
  • Nobody/Anonymous

    Logged In: NO

    Hi! The non-sslauth randomness bit, at least, is already
    fairly well-known and the patch exists in Debian's vtun 2.6
    (I put it there :p).

    As far as I can remember, I was told that was going to be
    committed to CVS, but it seems it never made it. You can
    find the patch in debian/patches/00-sslauth.dpatch, it would
    probably be a decent idea to merge it.

     
  • Nobody/Anonymous

    Logged In: NO

    debian/patches does not exist.

    Can you send a URL? After the OpenFortress patch components
    are applied or rejected, we can look it over and see what's
    left.

    I don't have the conversation about this patch in my
    archives, or it's not showing up on a search. Can you give
    me more info to help me find it?

     
  • Bishop

    Bishop - 2006-11-26
    • assigned_to: nobody --> mtbishop
    • status: open --> closed-out-of-date
     
  • Bishop

    Bishop - 2006-11-26

    Logged In: YES
    user_id=10830
    Originator: NO

    Oh well. I'm gonna close this one due to lack of updates from the submitter. It's too old and stale to apply to the current source, and in its current form it seems to disable the same already-disabled code to which Mr Gutmann is hopelessly drawn in his horribly researched piece.

    If a better patch is submitted, I'd love to merge it in. Maybe for 3.0.1.
