
Cryptographic weakness on Debian systems

Cryptographic weakness on Debian systems

Posted May 13, 2008 18:42 UTC (Tue) by tialaramex (subscriber, #21167)
In reply to: Cryptographic weakness on Debian systems by tialaramex
Parent article: Cryptographic weakness on Debian systems

Let me offer a thought experiment that helps to show what's going on here, so far as I can
figure it out (and it's a bad sign that Debian's bug for this never gets anywhere near this
level of analysis)

Suppose I write a function int average(char *values, int count)

it takes 'count' bytes from the array pointed at by 'values' and is supposed to return an
arithmetic average, the mean value.

int average(char *values, int count)
{
  /* for simplicity let's not worry about overflow right now */
  /* (count is assumed to be greater than zero) */
  int total = 0;
  for (int k = 0; k < count; ++k) {
    total += values[k];
  }
  return total / count;
}

If you declare an array of 16 bytes, and pass it to me with the count of 16, then I will
return the average of those 16 bytes. Suppose you screw up, with an off-by-one error, and only
fill out 15 bytes, but still set the count parameter to 16, the size of your array. My
function will still work, it won't ever crash, and the result will be almost correct, since
whatever the value of the 16th byte, it will be dwarfed by the other 15 values in calculating
an average.

Now, when you run valgrind over the resulting program, it will report that my average()
function is faulty: it accesses an uninitialised value.

Apparently at this point the Debian developers would say "Aha, stupid average function, we'll
soon fix that" and comment out the line total += values[k]; which is of course completely the
wrong fix.
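The thought experiment above, carried through as a small added C program (this is an editorial example, not code from the comment or from OpenSSL). The off-by-one is modelled with constructed buffers whose 16th byte is deliberately set to the two extremes a signed byte can hold, so the program has no undefined behaviour of its own; `average_gutted`, `average_error_bound` and `average_of_filled` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* The average() from the comment: count must be > 0, overflow ignored. */
int average(char *values, int count)
{
  int total = 0;
  for (int k = 0; k < count; ++k) {
    total += values[k];
  }
  return total / count;
}

/* The "fix" the comment describes: the accumulation line commented out.
   valgrind is now silent, and the function always returns 0. */
int average_gutted(char *values, int count)
{
  int total = 0;
  (void)values;
  for (int k = 0; k < count; ++k) {
    /* total += values[k]; */
  }
  return total / count;
}

/* A fully initialised 16-byte buffer of 'fill', averaged by the real
   function (use_gutted == 0) or by the gutted one (use_gutted != 0). */
int average_of_filled(char fill, int use_gutted)
{
  char buf[16];
  memset(buf, fill, sizeof buf);
  return use_gutted ? average_gutted(buf, 16) : average(buf, 16);
}

/* Model the off-by-one: 15 bytes filled with 'fill', the 16th left to
   "whatever was there".  Returns how far the result can move between the
   two extremes a signed byte can take (0 and 127).  Constructed input,
   not a real program's stale memory. */
int average_error_bound(char fill)
{
  char buf[16];
  memset(buf, fill, 15);
  buf[15] = 0;     /* one plausible stale value */
  int lo = average(buf, 16);
  buf[15] = 127;   /* the other extreme */
  int hi = average(buf, 16);
  return hi - lo;
}

int main(void)
{
  printf("average of sixteen 100s:        %d\n", average_of_filled(100, 0));
  printf("gutted average of sixteen 100s: %d\n", average_of_filled(100, 1));
  printf("spread caused by one stale byte: %d\n", average_error_bound(100));
  return 0;
}
```

Whatever the stale byte holds, the result moves by at most 127/16, i.e. about 8, which is the "almost correct" the comment describes; the gutted version is exactly wrong for every input, while being perfectly clean under valgrind.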


Cryptographic weakness on Debian systems

Posted May 13, 2008 20:02 UTC (Tue) by bcl (subscriber, #17631) [Link]

That's a pretty good analogy. It isn't too obvious from just looking at the diff, but once you
see the context you realize that they effectively gutted ssleay_rand_bytes() and
ssleay_rand_add(), and apparently the fix only fixes one of those? So it looks like there is
still a problem.

Cryptographic weakness on Debian systems

Posted May 13, 2008 21:15 UTC (Tue) by lambda (subscriber, #40735) [Link]

No, ssleay_rand_bytes is supposed to be returning a random number generated from the current state of the random number generator. It happened to be mixing in some entropy from the (uninitialized) output buffer passed in, which is not particularly helpful nor harmful, other than messing with Valgrind. It's only in the ssleay_rand_add function that commenting out the line causes any particular problems, because the whole point of ssleay_rand_add is to seed the random number generator.

You can check the documentation in man RAND_bytes and man RAND_add for more information on how these are supposed to work.
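To make the distinction in the comment above concrete, here is an added toy model of the two functions (an editorial example, not OpenSSL's code; the `toy_rng` type, the `toy_rand_add` / `toy_rand_bytes` names, the FNV-style and splitmix-style mixing, and the constructed seed strings are all choices made here, and the mixing is not a cryptographic generator). `toy_rand_add` folds seed material into the state; `toy_rand_bytes` optionally folds in the contents of the caller's output buffer before producing output, which is what the real `ssleay_rand_bytes` was doing with uninitialised memory. Each step can be "gutted" independently.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint64_t state; } toy_rng;

/* Fold one byte into the state (FNV-1a style multiply/xor; toy only). */
static void mix_byte(toy_rng *r, unsigned char b)
{
  r->state ^= b;
  r->state *= 0x100000001b3ULL;
}

/* Seeding, as ssleay_rand_add is meant to do.  With gutted != 0 the mixing
   line is "commented out" and the seed material is silently ignored. */
void toy_rand_add(toy_rng *r, const unsigned char *buf, size_t n, int gutted)
{
  if (gutted) return;
  for (size_t i = 0; i < n; i++) mix_byte(r, buf[i]);
}

/* Output.  mix_out_buffer != 0 models the real code folding in whatever the
   output buffer already held; here the caller zero-fills it so the demo has
   no undefined behaviour of its own. */
void toy_rand_bytes(toy_rng *r, unsigned char *out, size_t n, int mix_out_buffer)
{
  if (mix_out_buffer) {
    for (size_t i = 0; i < n; i++) mix_byte(r, out[i]);
  }
  for (size_t i = 0; i < n; i++) {
    /* splitmix64-style output step, one byte per step */
    uint64_t z = (r->state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    z ^= z >> 31;
    out[i] = (unsigned char)z;
  }
}

/* Seed two generators with different (constructed) seed material and ask
   whether their first 16 output bytes differ.  Returns 1 if they do. */
int seeds_give_distinct_streams(int gut_add, int mix_out_buffer)
{
  static const unsigned char seed_a[] = "constructed seed A";
  static const unsigned char seed_b[] = "constructed seed B";
  toy_rng ra = { 0xcbf29ce484222325ULL };
  toy_rng rb = { 0xcbf29ce484222325ULL };
  unsigned char out_a[16], out_b[16];
  memset(out_a, 0, sizeof out_a);
  memset(out_b, 0, sizeof out_b);
  toy_rand_add(&ra, seed_a, sizeof seed_a, gut_add);
  toy_rand_add(&rb, seed_b, sizeof seed_b, gut_add);
  toy_rand_bytes(&ra, out_a, sizeof out_a, mix_out_buffer);
  toy_rand_bytes(&rb, out_b, sizeof out_b, mix_out_buffer);
  return memcmp(out_a, out_b, sizeof out_a) != 0;
}

int main(void)
{
  printf("seeding intact, buffer mixing intact:  distinct=%d\n",
         seeds_give_distinct_streams(0, 1));
  printf("seeding intact, buffer mixing removed: distinct=%d\n",
         seeds_give_distinct_streams(0, 0));
  printf("seeding gutted, buffer mixing intact:  distinct=%d\n",
         seeds_give_distinct_streams(1, 1));
  printf("seeding gutted, buffer mixing removed: distinct=%d\n",
         seeds_give_distinct_streams(1, 0));
  return 0;
}
```

Removing the output-buffer mixing changes nothing about whether different seeds give different streams, which is the "neither helpful nor harmful" case. Removing the seeding step means the state never depends on the seed material at all, so every seed produces the same stream; that is the step whose loss matters.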

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds