Input was perfect!

Posted May 21, 2008 13:42 UTC (Wed) by khim (subscriber, #9252)
In reply to: Testing by bvdm
Parent article: Open Source Security Report

There is nothing subtle there. OpenSSL used a very good source of high entropy: /dev/random. Also there was a good PRNG to produce a lot of lower quality entropy. The thing that was at fault was a tiny procedure responsible for transferring high entropy to the PRNG pool. In the end it just ignored the good source of entropy but shook the pool. So verification of input will be useless: input was not at fault. And verification of output will be hard (as discussed above).


Input was perfect!

Posted May 22, 2008 3:07 UTC (Thu) by bvdm (guest, #42755)

You are being disingenuous. Tests can be added at any or multiple levels. And the bug was subtle: just reading the actual code (as in a previous LWN article) does not raise any immediate suspicions.
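
A toy model of the failure this thread argues about, added here as an example (it is not part of either comment and is not OpenSSL's code): the `Pool` class, its SHA-256 mixing and the process ID as the only other input are assumptions of the model. It shows the input and the output statistics both looking fine, while a test at the transfer step, or a count of distinct outputs, exposes the broken variant.

```python
import hashlib
import os

class Pool:
    """Toy PRNG pool for illustration; not OpenSSL's actual design."""
    def __init__(self, pid, broken):
        self.broken = broken
        # Assumption of this model: the process ID is the only other input.
        self.state = hashlib.sha256(b"pool" + pid.to_bytes(4, "big")).digest()

    def add(self, entropy):
        # Transfer step. The broken variant still stirs the pool,
        # but the caller's entropy never reaches the hash.
        data = b"" if self.broken else entropy
        self.state = hashlib.sha256(self.state + data).digest()

    def read(self, n):
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state + b"out").digest()
            out += self.state
        return out[:n]

def bit_balance(data):
    """Output-level check: fraction of 1 bits, about 0.5 for random-looking data."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def transfer_is_effective(broken, pid=1234):
    """Transfer-level check: same pid, different entropy must change the output."""
    a, b = Pool(pid, broken), Pool(pid, broken)
    a.add(b"\x00" * 32)  # constructed inputs
    b.add(b"\xff" * 32)
    return a.read(16) != b.read(16)

def distinct_keys(broken, pids=range(1, 201), runs=5):
    """Distinct 16-byte outputs over all pids, with fresh os.urandom each run."""
    keys = set()
    for _ in range(runs):
        for pid in pids:
            pool = Pool(pid, broken)
            pool.add(os.urandom(32))
            keys.add(pool.read(16))
    return len(keys)

if __name__ == "__main__":
    for broken in (False, True):
        print(broken, transfer_is_effective(broken), distinct_keys(broken))
```

In the broken variant the per-stream bit balance still sits near 0.5, yet 1000 seedings across 200 process IDs yield only 200 distinct outputs.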

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds