Re: Is openssl actually safe now? (was: debian infrastructure ssh key logins disabled, passwords reset)
- Date: Wed, 14 May 2008 15:33:52 -0400 (EDT)
- From: Ivan Jager <aij+debian@xxxxxxxxxxxxxx>
- Subject: Re: Is openssl actually safe now? (was: debian infrastructure ssh key logins disabled, passwords reset)
On Wed, 14 May 2008, David Härdeman wrote:
> If the entropy pool is properly coded, there is no negative effect of
> adding data which may or may not be truly random to the pool (i.e. you
> cannot degrade the quality of the pool no matter what you add). Therefore
> step b) might add some entropy or it might do nothing at all, depending on
> how truly random the uninitialized data is, but it won't hurt.
I think that might depend on how not truly random the data is. For
example, suppose the pool is coded to simply xor the new entropy with the
pool. This works great when the entropy is distributed evenly through all
the bits. If you treat it as a black box, it may seem that no matter what
entropy you add, you can't make the pool any worse. However, if the
entropy you add happens to be a copy of the pool...
Anyways, that doesn't really apply, since it isn't adding uninitialized
memory to the pool, it's simply using it as the initial value for the
pool. I guess it's possible the uninitialized values just happen to cancel
out the entropy that would later be added to the pool, but that seems
extremely unlikely. In general, I think it would increase the entropy a
little.
I'm pretty sure openssl uses something better than xor, but I don't see
how you could code a pool so it wouldn't be possible to degrade the
quality by adding the right fake entropy.
> The goal of the patch that was used in Debian's OpenSSL was to placate
> valgrind by removing step b) as valgrind complained about the use of
> uninitialized memory (here it was one of the few cases where it might be
> legit to do so).
Unfortunately, step d) was *also* removed by that patch. And therein lies
the bug.
What made me really sad was that b) already had an #ifndef PURIFY around
it. The ./Configure script already had an option that would do the right
thing. If you simply google for purify, you would quickly find out it is a
proprietary valgrind equivalent.
Did the person who came up with the patch not wonder why there was an
#ifndef around the thing he was commenting out? It seems really silly to
leave an #ifndef around a comment, without bothering to check what it was
supposed to change.
Anyways, Debian is still my favorite distro, even though it's becoming a
bit too newbie oriented for my liking. (This seems to be a common trend.)
Not a DD,
Ivan
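An added illustration of the mixer argument in the message above (example code written for this page, not from the thread or from OpenSSL): a toy xor-into-pool mixer, which a copy of the pool zeroes out completely, next to an assumed hash-based mixer (new pool = SHA-256(old pool || input), used here only for contrast) that the same input cannot cancel. It also models the "initial value vs. later contribution" point: with xor mixing, the only initial junk value that cancels a later contribution is a bit-exact copy of it.

```python
import hashlib
import secrets

POOL_BYTES = 32


def xor_mix(pool: bytes, data: bytes) -> bytes:
    """Toy mixer from the email: xor the new input into the pool, byte for byte."""
    data = data.ljust(POOL_BYTES, b"\0")[:POOL_BYTES]
    return bytes(p ^ d for p, d in zip(pool, data))


def hash_mix(pool: bytes, data: bytes) -> bytes:
    """Hash-based mixer (assumed for contrast, not OpenSSL's real code):
    new pool = SHA-256(old pool || input). Input can change the pool, but
    choosing input to cancel it would require inverting the hash."""
    return hashlib.sha256(pool + data).digest()


def pool_is_dead(pool: bytes) -> bool:
    """A pool that is all zero bytes carries no secret state at all."""
    return pool == bytes(len(pool))


def feed_copy_of_pool(mixer, pool: bytes) -> bytes:
    """The degenerate case raised in the email: the 'entropy' being added
    is a copy of the current pool."""
    return mixer(pool, pool)


def seed_then_add(mixer, initial: bytes, later: bytes) -> bytes:
    """Step b) used as an *initial value* (arbitrary junk), followed later by
    a contribution of real entropy, as the message describes."""
    return mixer(initial, later)


def xor_cancels(initial: bytes, later: bytes) -> bool:
    """For the xor mixer, the only initial value that cancels a later
    contribution is a bit-exact copy of it: one value out of 2**256 for a
    32-byte pool, which is the 'extremely unlikely' case in the email."""
    return pool_is_dead(seed_then_add(xor_mix, initial, later))


if __name__ == "__main__":
    pool = secrets.token_bytes(POOL_BYTES)  # constructed secret pool state
    print("xor mixer fed a copy of the pool: ", feed_copy_of_pool(xor_mix, pool).hex())
    print("hash mixer fed a copy of the pool:", feed_copy_of_pool(hash_mix, pool).hex())
```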