LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for August 28, 2008

Fedora, Red Hat, and distributor security

LWN.net Weekly Edition for August 21, 2008

Standards, the kernel, and Postfix

In defense of Ubuntu

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Cryptographic weakness on Debian systems

Cryptographic weakness on Debian systems

Posted May 13, 2008 16:38 UTC (Tue) by IkeTo (subscriber, #2122)
In reply to: Cryptographic weakness on Debian systems by pharm
Parent article: Cryptographic weakness on Debian systems 

> It does seem a little weird: if that was the only source of randomness,
> then it's not a very good source & needs fixing!

Only if that part is really to "add uninitialised data"!  Note that the comment is added by
the original Debian patch, not in the original SSL library.  The "buf" argument is actually
passed by a call to the "add" function of the rand_meth_st interface, the interface defining
how to collect random data for various pluggable methods.  My thinking is that it might
actually not be uninitialized data at all, but is instead the content handed over by a part of
the interface for SSL random number pool that actually accept random data and add them to the
pool, i.e., most of the "real" randomness available.

(Log in to post comments)

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:01 UTC (Tue) by pharm (guest, #22305) [Link]

My thinking is that it might actually not be uninitialized data at all, but is instead the content handed over by a part of the interface for SSL random number pool that actually accept random data and add them to the pool, i.e., most of the "real" randomness available.

Which makes perfect sense, except that I don't understand why purify & valgrind would complain about it in that case. Oh well. No doubt all will become clear eventually & I don't have time to chase down the logic right now...

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:19 UTC (Tue) by welinder (guest, #4699) [Link] 

Purify/Valgrind will complain if you read more than the
initialized part.

Still, whoever took out the entire initialization should
not be trusted with security intensive code.

Cryptographic weakness on Debian systems

Posted May 14, 2008 12:42 UTC (Wed) by dion (subscriber, #2764) [Link] 

That would be Kurt Roeckx:

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/r...
http://alioth.debian.org/users/kroeckx/

Cryptographic weakness on Debian systems

Posted May 14, 2008 13:01 UTC (Wed) by tv (subscriber, #32991) [Link]

Kurt did ask about it on the upstream list, too.

Cryptographic weakness on Debian systems

Posted May 14, 2008 18:55 UTC (Wed) by dion (subscriber, #2764) [Link] 

Yes, that should ward off the tar+feathers.

When even openssl developers can't tell that the change is catastrophic then he might be
excused.

This does illustrate why blindly fixing warnings is a dangerous and bad idea, though.

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:12 UTC (Tue) by tialaramex (subscriber, #21167) [Link] 

It looks like someone found a screw sticking out, and having a hammer handy, decided to bash
it flat. As you'd expect in security software, the result was disastrous.

Something, somewhere, calls this function with potentially uninitialised data (or perhaps, a
dodgy piece of analysis software only thinks it is unintialised because it can't find the
initialiser). Maybe it's actually a test routine. Maybe it's one uninitialised byte caused by
an off-by-one error somewhere. Either way it's irrelevant to this function. Rather than find
and fix that minor mistake, someone with Debian checkin privileges "fixed" it by removing
critical code from this function, silencing the warning and disabling Debian's security.

I guess the Debian Security people will need to re-assess who gets to modify critical packages
like this. It's one thing to trust that someone isn't going to deliberately sabotage a package
(they could just as easily add malware to GNOME Games as to OpenSSL) and quite another to
trust that they know what they're doing modifying complicated software like this to try to
"fix" security problems.

Cryptographic weakness on Debian systems

Posted May 13, 2008 17:35 UTC (Tue) by IkeTo (subscriber, #2122) [Link] 

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 if you wanna see the process that
creates the bug.

Cryptographic weakness on Debian systems

Posted May 13, 2008 22:10 UTC (Tue) by philh (subscriber, #14797) [Link]

... quite another to trust that they know what they're doing modifying complicated software like this to try to "fix" security problems.

Well, that would be fair comment if Kurt Roeckx (one of the Debian openssl maintainers) had taken it upon himself to make this change in isolation, but as you can see from this thread, the patch was mentioned to the openssl-dev list, without provoking negative comment, so it's difficult to know who one should be pointing fingers at.

Mistakes happen -- looking for someone to blame isn't overly productive at the best of times, and when it is based on false premises, not at all.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds