[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Is openssl actually safe now? (was: debian infrastructure ssh key logins disabled, passwords reset)

On Wed, 14 May 2008, David Härdeman wrote:
If the entropy pool is properly coded, there is no negative effect of
adding data which may or may not be truly random to the pool (i.e. you
cannot degrade the quality of the pool no matter what you add). Therefore
step b) might add some entropy or it might do nothing at all, depending on
how truly random the uninitialized data is, but it won't hurt.

I think that might depend on how not truly random the data is. For example, suppose the pool is coded to simply xor the new entropy with the pool. This works great when the entropy is distributed evenly through all the bits. If you treat it as a black box, it may seem that no matter what entropy you add, you can't make the pool any worse. However, if the entropy you add happens to be a copy of the pool...

Anyways, that doesn't really apply, since it isn't adding unitialized memory to the pool, it's simply using it as the initial value for the pool. I guess it's possible the uninitialized values just happen to cancel out the entropy that would later be added to the pool, but that seems extremely unlikely. In general, I think it would increase the entropy a little.

I'm pretty sure openssl uses something better than xor, but I don't see how you could code a pool so it wouldn't be possible to degrade the quality by adding the right fake entropy.

The goal of the patch that was used in Debian's OpenSSL was to placate
valgrind by removing step b) as valgrind complained about the use of
uninitialized memory (here it was one of the few cases where it might be
legit to do so).

Unfortunately, step d) was *also* removed by that patch. And therein lies
the bug.

What made me really sad, was that b) already had an #ifndef PURIFY around it. The ./Configure script already had an option that would do the right thing. If you simply google for purify, you would quickly find out it is a proprietary valgrind equivalent.

Did the person who came up with the patch not wonder why there was an #ifndef around the thing he was commenting out? It seems really silly to leave an #ifndef around a comment, without bothering to check what it was supposed to change.

Anyways, Debian is still my favorite distro, even though it's becoming a bit too nebie oriented for my liking. (This seems to be a common trend.)

Not a DD,

Reply to: