
Re: Is openssl actually safe now? (was: debian infrastructure ssh key logins disabled, passwords reset)



BALLABIO GERARDO <GERARDO.BALLABIO@mpsgr.it> writes:
> if I understand correctly, the problem was that openssl used some
> segment of uninitialized memory as a source of entropy, and the
> offending patch cleared it.

This is not correct.  Clearing tmpbuf before reading /dev/urandom is
harmless.  The broken change can be found at these URLs:

http://svn.debian.org/viewsvn/pkg-openssl?rev=141&view=rev
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&r1=140&r2=141

> Reverting the patch obviously restored the pristine behavior.
>
> However I wonder, is the pristine behavior correct? As far as I know, it
> is NOT justified at all to rely on the assumption that uninitialized
> memory contains random data. I read that many architectures reset it to
> some magic number, e.g., 0xdeadbeef. Is that correct?

It's harmless (it doesn't make the RNG any worse) but also pointless
(the uninitialized part of the input buffer may well be predictable).

> If so, and if that was the ONLY entropy source used in generating keys,
> then upstream openssl is (and has always been) just as broken as the
> patched Debian package. While if it was only used in addition to other
> sources, all this is probably a non-issue.

The uninitialized data is not the only source of entropy.

ttfn/rjk

