Claims of FBI backdoors in OpenBSD cryptographic code

FreeBSD Security Officer cperciva at
Thu Dec 16 08:26:57 UTC 2010

Hash: SHA1

Hi all,

We are aware of the email forwarded by Theo de Raadt to the openbsd-tech
mailing list concerning alleged backdoor(s) in OpenBSD's IPSec stack and/or
other cryptographic code.  The FreeBSD operating system contains code derived
from OpenBSD, including the crypto(4) driver, the IPSec stack, OpenSSH, and
the pf firewall.  As we do with all such derived code, we keep an eye on the
upstream projects so that we can respond promptly to any vulnerabilities
which are found.  It is worth noting, however, that vulnerabilities are found
in upstream codebases on a regular basis, and even if some are found in the
alleged areas it does not necessarily imply that they were deliberately

One of the great advantages of open source software is that it is possible
for many people to audit it; the "many eyes" theory, however, depends on
having many people who actually _do_ look at the code, not merely having many
people who _can_ look at the code, and to that end we always encourage more
independent auditing of code in FreeBSD.  In the case of code which came to
FreeBSD via other projects, this is no less important: For a variety of
reasons, the code in FreeBSD is almost never identical to the code in upstream
projects, and in bringing code to FreeBSD it is entirely possible for bugs to
be added or removed.

As always, anyone who believes that they have found a vulnerability affecting
FreeBSD is requested to contact secteam at

- -- 
Colin Percival
Security Officer, FreeBSD | | The power to serve
Founder / author, Tarsnap | | Online backups for the truly paranoid
Version: GnuPG v1.4.10 (FreeBSD)


More information about the freebsd-security mailing list