Impact of the Debian OpenSSL vulnerability

Posted May 16, 2008 20:21 UTC (Fri) by socket (guest, #43)
Parent article: Impact of the Debian OpenSSL vulnerability

I've been following this here on LWN, but haven't really looked too deeply at the technical details yet. I somehow got the impression that the kernel crowd has figured out entropy sources adequate for providing for the needs of both security-sensitive (/dev/random) and less sensitive (/dev/urandom) software.

I'm curious about why OpenSSL considers /dev/random insufficient? Is it in fact insufficient? Can somebody provide a link about this?


Impact of the Debian OpenSSL vulnerability

Posted May 16, 2008 21:15 UTC (Fri) by rfunk (subscriber, #4054) [Link]

OpenSSL supports systems that don't have /dev/random, but provides the same API to everyone. So when /dev/random is available, it's used as a seed for OpenSSL's pseudo-random number generator, rather than being used directly. If they used /dev/random directly they'd need totally separate code paths depending on whether it was available.

I wonder how the OpenBSD folks handle it...

Impact of the Debian OpenSSL vulnerability

Posted May 17, 2008 2:35 UTC (Sat) by ianburrell (subscriber, #47313) [Link]

OpenSSL does use /dev/random for entropy if it is available. My guess is that goes through the interface that was commented out. The security hole is that someone removed the hook that entered all buffers into the entropy pool while trying to just remove uninitialized buffers. So /dev/random was being used but it didn't do any good.

Impact of the Debian OpenSSL vulnerability

Posted May 17, 2008 12:10 UTC (Sat) by pflugstad (subscriber, #224) [Link]

Yes, this is exactly what happened.

OpenSSL has an internal random number generator. It uses MD5, SHA or some other hash (that's what the MD_Update function is that was commented out: Message Digests or hash function) over a pool of data.

When you first start up OpenSSL, and periodically during its use, it/you add (or seed) more entropy to the pool by calling RAND_add. Typically, you'd call RAND_add, passing it a buffer of data from /dev/random or /dev/urandom. You keep doing this until it gets to a certain level of entropy. And then periodically call it again as entropy is used up.

Well, RAND_add maps to one of the functions that was patched by Debian to remove the MD_Update line that takes the provided buffer and stirs it into the pool. So basically, the only entropy left in the pool comes from basic things like the process id.
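A toy model of the mechanism pflugstad describes, added here as an illustration and not code from OpenSSL or from anyone in the thread. It assumes SHA-256 as a stand-in for the MD_Update hash, a 32-bit pid, and constructed seed buffers in place of reads from /dev/urandom; the point it shows is that with the "stir the caller's buffer in" step removed, seeding has no effect and the output depends only on the pid.

```python
import hashlib


class ToyPool:
    """Simplified model of a hashed entropy pool (hypothetical, not OpenSSL's code)."""

    def __init__(self, stir_seed_buffers):
        self.state = b"\x00" * 32          # empty pool at startup
        self.stir_seed_buffers = stir_seed_buffers

    def rand_add(self, buf):
        # Unpatched: the caller's buffer is hashed into the pool state
        # (the role of the MD_Update(&m, buf, j) line the thread discusses).
        # Patched: that line is gone, so the buffer is silently ignored.
        if self.stir_seed_buffers:
            self.state = hashlib.sha256(self.state + buf).digest()

    def rand_bytes(self, n, pid):
        # The pid is still mixed in on every output step, so it becomes the
        # only varying input once seed buffers are dropped.
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state + pid.to_bytes(4, "little")).digest()
            out += self.state
        return out[:n]


def generate_key(pid, seed, patched):
    """Seed a fresh pool with one buffer and draw 16 key bytes from it."""
    pool = ToyPool(stir_seed_buffers=not patched)
    pool.rand_add(seed)
    return pool.rand_bytes(16, pid)


def distinct_keys(pids, seeds, patched):
    """How many different keys all (pid, seed) combinations produce."""
    return len({generate_key(pid, s, patched) for pid in pids for s in seeds})


# Constructed seed buffers standing in for /dev/urandom reads.
SEEDS = [hashlib.sha256(f"constructed-seed-{i}".encode()).digest() for i in range(5)]

if __name__ == "__main__":
    pids = range(1, 11)
    print("unpatched:", distinct_keys(pids, SEEDS, patched=False), "distinct keys")  # 50
    print("patched:  ", distinct_keys(pids, SEEDS, patched=True), "distinct keys")   # 10
```

With the patched pool, ten pids and five different seed buffers yield only ten distinct keys, one per pid, which is why the real key space collapsed to the pid range.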

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds