Debian Bug report logs - #363516
valgrind-clean the RNG


Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl.

Reported by: Richard Kettlewell <rjk@ncipher.com>

Date: Wed, 19 Apr 2006 15:18:15 UTC

Severity: wishlist

Found in version openssl/0.9.7e

Fixed in version openssl/0.9.8b-1

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#363516; Package openssl. Full text and rfc822 format available.

Acknowledgement sent to Richard Kettlewell <rjk@ncipher.com>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Richard Kettlewell <rjk@greenend.org.uk>
To: submit@bugs.debian.org
Subject: valgrind-clean the RNG
Date: 19 Apr 2006 16:01:22 +0100
Package: openssl
Version: 0.9.7e
Severity: wishlist

Suppressions don't seem to be good enough to eliminate this
unfortunately - the uninitializedness taints all the users of the
openssl random number generator, producing valgrind hits throughout
your program, making it unnecessarily difficult to see the wood for
the trees.

ttfn/rjk

--- openssl-0.9.7e.orig/crypto/rand/rand_unix.c 2003-12-27 16:01:52.000000000 +0000
+++ openssl-0.9.7e/crypto/rand/rand_unix.c      2006-04-19 15:42:32.000000000 +0100
@@ -160,6 +160,9 @@
        const char **egdsocket = NULL;
 #endif

+       /* Keep valgrind happy */
+       memset(tmpbuf, 0, sizeof tmpbuf);
+
 #ifdef DEVRANDOM
        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
         * have this. Use /dev/urandom if you can as /dev/random may block
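Review bot: the comment on the added memset(tmpbuf, 0, sizeof tmpbuf) says only "Keep valgrind happy", which does not record which later read of tmpbuf is reported as uninitialised, or whether anything after this point treats the buffer's previous contents as input to the generator. Because the line sits in crypto/rand/rand_unix.c just ahead of the DEVRANDOM block, that reasoning belongs in the comment so a later reader can tell the zeroing is harmless; the hunk itself does not show where tmpbuf is consumed, so a pointer to the exact valgrind report would help too.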




Message #10 received at 363516@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Richard Kettlewell <rjk@ncipher.com>, 363516@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#363516: valgrind-clean the RNG
Date: Wed, 19 Apr 2006 18:56:03 +0200
On Wed, Apr 19, 2006 at 04:01:22PM +0100, Richard Kettlewell wrote:
> Package: openssl
> Version: 0.9.7e
> Severity: wishlist
> 
> Suppressions don't seem to be good enough to eliminate this
> unfortunately - the uninitializedness taints all the users of the
> openssl random number generator, producing valgrind hits throughout
> your program, making it unnecessarily difficult to see the wood for
> the trees.

This is not the proper way to fix it.  You can still find other
cases where you'll get the same results.

The problems are the following 2 pieces of code in
crypto/rand/md_rand.c:

247:
                MD_Update(&m,buf,j);

467:
#ifndef PURIFY
                MD_Update(&m,buf,j); /* purify complains */
#endif

What it's doing is adding uninitialised numbers to the pool to
create random numbers.

I've been thinking about commenting those out.

I've been told that using VALGRIND_MAKE_READABLE can be used to
suppress those errors.  So I've been pondering about building the
library with that.  I haven't tried that this works yet though.


Martin, what do you think about this?


Kurt





Message #15 received at 363516@bugs.debian.org (full text, mbox):

From: Christoph Martin <martin@verwaltung.uni-mainz.de>
To: Kurt Roeckx <kurt@roeckx.be>, 363516@bugs.debian.org
Cc: Richard Kettlewell <rjk@ncipher.com>
Subject: Re: Bug#363516: [Pkg-openssl-devel] Bug#363516: valgrind-clean the RNG
Date: Thu, 20 Apr 2006 13:12:50 +0200
Hi Kurt,

Kurt Roeckx wrote:

> What it's doing is adding uninitialised numbers to the pool to
> create random numbers.
> 
> I've been thinking about commenting those out.
> 
> I've been told that using VALGRIND_MAKE_READABLE can be used to
> suppress those errors.  So I've been pondering about building the
> library with that.  I haven't tried that this works yet though.
> 
> Martin, what do you think about this?

I am not completely sure about what this will do, but would it be
possible to only enable this for the -dbg libraries?

Christoph

-- 
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin@Verwaltung.Uni-Mainz.DE
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856


Message #20 received at 363516@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Christoph Martin <martin@verwaltung.uni-mainz.de>
Cc: 363516@bugs.debian.org, Richard Kettlewell <rjk@ncipher.com>
Subject: Re: Bug#363516: [Pkg-openssl-devel] Bug#363516: valgrind-clean the RNG
Date: Thu, 20 Apr 2006 18:31:28 +0200
On Thu, Apr 20, 2006 at 01:12:50PM +0200, Christoph Martin wrote:
> Hi Kurt,
> 
> Kurt Roeckx wrote:
> 
> > What it's doing is adding uninitialised numbers to the pool to
> > create random numbers.
> > 
> > I've been thinking about commenting those out.
> > 
> > I've been told that using VALGRIND_MAKE_READABLE can be used to
> > suppress those errors.  So I've been pondering about building the
> > library with that.  I haven't tried that this works yet though.
> > 
> > Martin, what do you think about this?
> 
> I am not completely sure about what this will do, but would it be
> possible to only enable this for the -dbg libraries?

The -dbg package is just stripped out debug symbols moved to a
different file/package.  Installing the debug package doesn't
change the normal library, it's just that the debugger can now
find the debug symbols.  The library just has a special header
saying where the debug symbols are.

Let's quote the valgrind manual:

2.7. The Client Request mechanism

   Valgrind has a trapdoor mechanism via which the client program can
   pass all manner of requests and queries to Valgrind and the current
   tool. Internally, this is used extensively to make malloc, free, etc,
   work, although you don't see that.

   For your convenience, a subset of these so-called client requests is
   provided to allow you to tell Valgrind facts about the behaviour of
   your program, and also to make queries. In particular, your program
   can tell Valgrind about changes in memory range permissions that
   Valgrind would not otherwise know about, and so allows clients to get
   Valgrind to do arbitrary custom checks.

   Clients need to include a header file to make this work. Which header
   file depends on which client requests you use. Some client requests
   are handled by the core, and are defined in the header file
   valgrind/valgrind.h. Tool-specific header files are named after the
   tool, e.g. valgrind/memcheck.h. All header files can be found in the
   include/valgrind directory of wherever Valgrind was installed.

   The macros in these header files have the magical property that they
   generate code in-line which Valgrind can spot. However, the code does
   nothing when not run on Valgrind, so you are not forced to run your
   program under Valgrind just because you use the macros in this file.
   Also, you are not required to link your program with any extra
   supporting libraries.

   The code left in your binary has negligible performance impact: on
   x86, amd64 and ppc32, the overhead is 6 simple integer instructions
   and is probably undetectable except in tight loops. However, if you
   really wish to compile out the client requests, you can compile with
   -DNVALGRIND (analogous to -DNDEBUG's effect on assert()).

   You are encouraged to copy the valgrind/*.h headers into your
   project's include directory, so your program doesn't have a
   compile-time dependency on Valgrind being installed. The Valgrind
   headers, unlike the rest of the code, are under a BSD-style license so
   you may include them without worrying about license incompatibility.


Kurt





Message #25 received at 363516@bugs.debian.org (full text, mbox):

From: Christoph Martin <martin@verwaltung.uni-mainz.de>
To: Kurt Roeckx <kurt@roeckx.be>, 363516@bugs.debian.org
Subject: Re: Bug#363516: [Pkg-openssl-devel] Bug#363516: valgrind-clean the RNG
Date: Thu, 27 Apr 2006 10:52:18 +0200
Hi Kurt,

Kurt Roeckx wrote:
> 
> The -dbg package is just stripped out debug symbols moved to a
> different file/package.  Installing the debug package doesn't
> change the normal library, it's just that the debugger can now
> find the debug symbols.  The library just has a special header
> saying where the debug symbols are.

The idea was to only compile the -dbg package with valgrind support, so
that the normal library would not be changed. If someone would like to
use valgrind to check his program he would just use the -dbg library.

Christoph

-- 
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin@Verwaltung.Uni-Mainz.DE
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856


Message #30 received at 363516@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Christoph Martin <martin@verwaltung.uni-mainz.de>
Cc: 363516@bugs.debian.org
Subject: Re: Bug#363516: [Pkg-openssl-devel] Bug#363516: valgrind-clean the RNG
Date: Thu, 27 Apr 2006 19:00:59 +0200
On Thu, Apr 27, 2006 at 10:52:18AM +0200, Christoph Martin wrote:
> Hi Kurt,
> 
> Kurt Roeckx wrote:
> > 
> > The -dbg package is just stripped out debug symbols moved to a
> > different file/package.  Installing the debug package doesn't
> > change the normal library, it's just that the debugger can now
> > find the debug symbols.  The library just has a special header
> > saying where the debug symbols are.
> 
> The idea was to only compile the -dbg package with valgrind support, so
> that the normal library would not be changed. If someone would like to
> use valgrind to check his program he would just use the -dbg library.

In that case we'll have to build things twice as much as now, and
it's not that easy to debug something by just installing the -dbg
package and getting the symbols.


Kurt





Message #35 received at 363516@bugs.debian.org (full text, mbox):

From: Christoph Martin <martin@verwaltung.uni-mainz.de>
To: Kurt Roeckx <kurt@roeckx.be>, 363516@bugs.debian.org
Subject: Re: Bug#363516: [Pkg-openssl-devel] Bug#363516: valgrind-clean the RNG
Date: Fri, 28 Apr 2006 09:25:36 +0200
Hi Kurt,

Kurt Roeckx wrote:
> On Thu, Apr 27, 2006 at 10:52:18AM +0200, Christoph Martin wrote:
>> The idea was to only compile the -dbg package with valgrind support, so
>> that the normal library would not be changed. If someone would like to
>> use valgrind to check his program he would just use the -dbg library.
> 
> In that case we'll have to build things twice as much as now, and
> it's not that easy to debug something by just installing the -dbg
> package and getting the symbols.

So, what do you propose?

Christoph

-- 
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin@Verwaltung.Uni-Mainz.DE
  Telefon: +49-6131-3926337
      Fax: +49-6131-3922856


Message #40 received at 363516@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: Christoph Martin <martin@verwaltung.uni-mainz.de>
Cc: 363516@bugs.debian.org, Richard Kettlewell <rjk@ncipher.com>
Subject: Re: Bug#363516: [Pkg-openssl-devel] Bug#363516: valgrind-clean the RNG
Date: Fri, 28 Apr 2006 20:06:21 +0200
On Fri, Apr 28, 2006 at 09:25:36AM +0200, Christoph Martin wrote:
> Hi Kurt,
> 
> Kurt Roeckx wrote:
> > On Thu, Apr 27, 2006 at 10:52:18AM +0200, Christoph Martin wrote:
> >> The idea was to only compile the -dbg package with valgrind support, so
> >> that the normal library would not be changed. If someone would like to
> >> use valgrind to check his program he would just use the -dbg library.
> > 
> > In that case we'll have to build things twice as much as now, and
> > it's not that easy to debug something by just installing the -dbg
> > package and getting the symbols.
> 
> So, what do you propose?

The way I see it, we have 3 options:
- mark this as wontfix
- Don't add the buffer to the pool.
- Use that valgrind thing to tell valgrind to ignore it.

I'm not really in favour of the last option.  Because:
- It's a valgrind specific solution.  And I think it's even
  specific to one of its tools (memcheck).
- It changes the binary in a strange way that's only needed for
  debugging it.

I also don't like the first option because it can give a lot of
fake warnings when using valgrind, and you basically don't have an
idea where it's coming from if you just look at the stack trace.
I bet the submitter spent quite a lot of time to even get to the
point where he did to find what the problem was.


Kurt




Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Richard Kettlewell <rjk@ncipher.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #45 received at 363516-close@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: 363516-close@bugs.debian.org
Subject: Bug#363516: fixed in openssl 0.9.8b-1
Date: Sun, 14 May 2006 15:02:34 -0700
Source: openssl
Source-Version: 0.9.8b-1

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:

libcrypto0.9.8-udeb_0.9.8b-1_i386.udeb
  to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8b-1_i386.udeb
libssl-dev_0.9.8b-1_i386.deb
  to pool/main/o/openssl/libssl-dev_0.9.8b-1_i386.deb
libssl0.9.8-dbg_0.9.8b-1_i386.deb
  to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8b-1_i386.deb
libssl0.9.8_0.9.8b-1_i386.deb
  to pool/main/o/openssl/libssl0.9.8_0.9.8b-1_i386.deb
openssl_0.9.8b-1.diff.gz
  to pool/main/o/openssl/openssl_0.9.8b-1.diff.gz
openssl_0.9.8b-1.dsc
  to pool/main/o/openssl/openssl_0.9.8b-1.dsc
openssl_0.9.8b-1_i386.deb
  to pool/main/o/openssl/openssl_0.9.8b-1_i386.deb
openssl_0.9.8b.orig.tar.gz
  to pool/main/o/openssl/openssl_0.9.8b.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 363516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu,  4 May 2006 20:40:03 +0200
Source: openssl
Binary: libssl-dev openssl libssl0.9.8-dbg libcrypto0.9.8-udeb libssl0.9.8
Architecture: source i386
Version: 0.9.8b-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl0.9.8 - SSL shared libraries
 libssl0.9.8-dbg - Symbol tables for libssl and libcrypt
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 347612 361266 362754 363516
Changes: 
 openssl (0.9.8b-1) unstable; urgency=low
 .
   * New upstream release
     - New functions added (EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_free), bump shlibs.
     - CA.pl/CA.sh now calls openssl ca with -extensions v3_ca, setting CA:TRUE
       instead of FALSE.
     - CA.pl/CA.sh creates crlnumber now.  (Closes: #347612)
   * Run debconf-updatepo, which really already was in the 0.9.8a-8 version
     as it was uploaded.
   * Add Galician debconf translation.  Patch from
     Jacobo Tarrio <jtarrio@trasno.net>  (Closes: #361266)
   * libssl0.9.8.postinst makes uses of bashisms (local variables)
     so use #!/bin/bash
   * libssl0.9.8.postinst: Call set -e after sourcing the debconf
     script.
   * libssl0.9.8.postinst: Change list of service that may need
     to be restarted:
     - Replace ssh by openssh-server
     - Split postgresql in postgresql-7.4 postgresql-8.0 postgresql-8.1
     - Add: dovecot-common bind9 ntp-refclock ntp-simple openntpd clamcour
       fetchmail ftpd-ssl proftpd proftpd-ldap proftpd-mysql proftpd-pgsql
   * libssl0.9.8.postinst: The check to see if something was installed
     wasn't working.
   * libssl0.9.8.postinst: Add workaround to find the name of the init
     script for proftpd and dovecot.
   * libssl0.9.8.postinst: Use invoke-rc.d when it's available.
   * Change Standards-Version to 3.7.0:
     - Make use of invoke-rc.d
   * Add comment to README.Debian that rc5, mdc2 and idea have been
     disabled (since 0.9.6b-3)  (Closes: #362754)
   * Don't add uninitialised data to the random number generator.  This stops
     valgrind from giving error messages in unrelated code.
     (Closes: #363516)
   * Put the FAQ in the openssl docs.
   * Add russian debconf translations from Yuriy Talakan <yt@amur.elektra.ru>
     (Closes #367216)
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 17:38:30 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Tue, 13 May 2008 19:24:03 GMT) Full text and rfc822 format available.


Message #54 received at 363516@bugs.debian.org (full text, mbox):

From: Richard Kettlewell <rjk@greenend.org.uk>
To: 363516@bugs.debian.org
Subject: regarding DSA-1571
Date: Tue, 13 May 2008 20:30:19 +0100
For the benefit of people reading this bug report via slashdot or 
whatever and putting 2 and 2 together to get 5, the change that was 
actually committed is not even slightly the same as the one at the top 
of this bug report.  Please avoid drawing incorrect conclusions!

ttfn/rjk





Message #59 received at 363516@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 363516@bugs.debian.org
Subject: DSA 1571 vulnerability first introduced in 0.9.8c-1
Date: Wed, 14 May 2008 09:53:37 +0200
For all clarity: the change in 0.9.8b-1 as indicated above did not actually 
introduce the bug described in DSA-1571 yet, but instead created a separate 
rand/md_rand.c file. It did not change the file that was actually compiled.

The bug as in DSA-1571 is only present starting with version 0.9.8c-1, that 
included this changelog entry:

  * Move the modified rand/md_rand.c file to the right place,
    really fixing #363516.

Hence, what the DSA describes as first vulnerable version is the correct one.

Message #64 received at 363516@bugs.debian.org (full text, mbox):

From: Benoît Dejean <benoit@placenet.org>
To: 363516@bugs.debian.org
Subject: explanation needed
Date: Wed, 14 May 2008 11:11:35 +0200 (CEST)
Hello, I have a few questions because the DSA isn't clear whether the
security problem is caused by Debian modification or by the fact that
openssl prng is very bad.

Does the whole openssl security rely on uninitialized memory ?

If yes isn't this bloody naive ?

Shouldn't openssl use /dev/random or stuff like this to get good entropy ?

Does Debian then advise to completely drop openssl because its PRNG is
seeded from uninitialized memory which is not guaranteed to be random ?

Thanks.

-- 
Benoît Dejean <benoit@placenet.org>






Message #69 received at 363516@bugs.debian.org (full text, mbox):

From: Richard Kettlewell <rjk@greenend.org.uk>
To: 363516@bugs.debian.org
Cc: Benoît Dejean <benoit@placenet.org>
Subject: The actual change
Date: Wed, 14 May 2008 10:44:03 +0100
A couple of people have suggested I mention the change that was actually 
made.  These are the relevant URLs:

http://svn.debian.org/viewsvn/pkg-openssl?rev=141&view=rev
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&r1=140&r2=141

> Does the whole openssl security rely on uninitialized memory ?
>
> If yes isn't this bloody naive ?
>
> Shouldn't openssl use /dev/random or stuff like this to get good
> entropy ?

No, openssl security does not "rely on uninitialized memory".  Take a few 
minutes to read the code.

ttfn/rjk





Message #74 received at 363516@bugs.debian.org (full text, mbox):

From: Tim Hudson <tjh@cryptsoft.com>
To: Richard Kettlewell <rjk@greenend.org.uk>, 363516@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Cc: Benoît Dejean <benoit@placenet.org>
Subject: Re: [Pkg-openssl-devel] Bug#363516: The actual change
Date: Wed, 14 May 2008 20:35:08 +1000
Richard Kettlewell wrote:
> A couple of people have suggested I mention the change that was actually 
> made.  These are the relevant URLs:
> 
> http://svn.debian.org/viewsvn/pkg-openssl?rev=141&view=rev
> http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&r1=140&r2=141

What is missing is the context of the change. There seems to be some confusion 
around this.

Although it is the same line of code that is being changed the context is 
entirely different (and it is easy to not be aware of that context when seeing a 
diff and that certainly contributed to this change not being noticed when 
discussed on the openssl lists before it was made in the debian repository).

Basically there are two identical lines of code in completely different 
contexts. One was safe to remove, the other most certainly was not.

You can follow the context at:

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=markup

The context of the first change:

Inside ssleay_rand_add (which is called by RAND_add_bytes when using this PRNG). 
This is used when application code is adding entropy to the PRNG and it is 
entirely up to the application where that entropy is coming from - it may be 
from any source including uninitialised buffers if that is what gets passed in.

The code change commented out the *input* bytes coming from the application to 
mix into the PRNG which reduces the seeding of the PRNG to code paths which 
don't go via RAND_add_bytes of which there are few - which is reflected in the 
tool for checking for a weak key with its 250k entries in its internal table.

The context of the second change:

Inside ssleay_rand_bytes (which is called by RAND_bytes when using this PRNG).
This is used when the application code (or any logic in the rest of OpenSSL) 
needs some random data - typically in the context of key generation or random 
padding. What the original code in OpenSSL does is actually mix in the caller's 
buffer into which the output is to be copied into the PRNG pool. OpenSSL made a 
change to make this code conditional on PURIFY not being defined as it is of 
course a source of a large number of reports of 'errors' in OpenSSL when using 
purify and when using valgrind where the call chain varies substantially back 
into the application code and so isn't obvious to the casual developer when 
looking at it as to what is going on.

The value of adding that output buffer into the entropy pool can be debated but 
every bit helps and a conservative approach of mixing in whatever is available 
is prudent. The annoyance of a pile of purify and valgrind errors being reported 
against OpenSSL from other packages and applications which use it without a 
clean way of disabling the tools by noting that the usage is safe is 
unfortunate. There are ways to reorganise the code to make it straightforward 
to include the known safe call chain so the other 'real' errors are not hidden 
in the stream of output from purify and valgrind about this issue.

If anyone wants some assistance at writing FAQ entries or responses for this 
then drop me a line - I used to handle vulnerability responses for all the RSA 
security related SDKs so I'm well aware of the process and the importance of 
clear notices to impacted users.

Tim Hudson
tjh@cryptsoft.com / tim.hudson@attglobal.net

---8<---

Attributing blame for this issue is a pretty pointless exercise IMHO. The code 
has been in existence for two years. It is installed on systems I myself use and 
I didn't see the context of the diff in my first reading of the patch when this 
issue was announced which makes me think it was easy to miss. It required closer 
looking at the code (and finding a URL to the actual patch and the whole file in 
context). It is an extremely serious security issue and systems should be 
patched as quickly as possible and keys regenerated.
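
The two contexts described in the message above, as an added example that is not part of the original thread and is not OpenSSL or Debian code: a toy pool in which the same-looking update line appears once in an add path and once in a bytes path. The toy_* names, the FNV-1a stand-in for the digest, the residual byte (standing in for whatever the remaining code paths contribute) and the constructed seeds are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the pool's digest: 64-bit FNV-1a absorb.
 * NOT cryptographic; it only makes the data flow visible. */
typedef struct { uint64_t h; } toy_md;

static void toy_md_update(toy_md *m, const void *buf, size_t n)
{
    const unsigned char *p = buf;
    for (size_t i = 0; i < n; i++) {
        m->h ^= p[i];
        m->h *= 0x100000001b3ULL;          /* FNV prime */
    }
}

typedef struct {
    uint64_t state;       /* pool state */
    int mix_add_input;    /* 1 = keep the update line in the add path */
    int mix_out_buffer;   /* 1 = keep the update line in the bytes path */
} toy_pool;

static void toy_pool_init(toy_pool *p, int mix_add_input, int mix_out_buffer)
{
    p->state = 0xcbf29ce484222325ULL;      /* FNV offset basis */
    p->mix_add_input = mix_add_input;
    p->mix_out_buffer = mix_out_buffer;
}

/* Add path (the role the thread gives ssleay_rand_add):
 * buf is seed material handed in by the caller. */
static void toy_rand_add(toy_pool *p, const void *buf, size_t n)
{
    toy_md m = { p->state };
    toy_md_update(&m, "add", 3);           /* pool still churns on every call */
    if (p->mix_add_input)
        toy_md_update(&m, buf, n);         /* the *input* bytes */
    p->state = m.h;
}

/* Bytes path (the role the thread gives ssleay_rand_bytes):
 * buf is the caller's output buffer, about to be overwritten. */
static void toy_rand_bytes(toy_pool *p, unsigned char *buf, size_t n,
                           unsigned char residual)
{
    while (n > 0) {
        size_t j = n < 8 ? n : 8;
        toy_md m = { p->state };
        toy_md_update(&m, &residual, 1);
        if (p->mix_out_buffer)
            toy_md_update(&m, buf, j);     /* same-looking line: old contents
                                              of the output buffer */
        p->state = m.h;
        toy_md out = m;
        toy_md_update(&out, "out", 3);     /* derive output from the digest */
        memcpy(buf, &out.h, j);
        buf += j;
        n -= j;
    }
}

#define NSEEDS 64

/* Seed NSEEDS pools with different constructed seeds and count how many
 * distinct 8-byte outputs come back. */
static int distinct_outputs(int mix_add_input, int mix_out_buffer)
{
    uint64_t seen[NSEEDS];
    int count = 0;
    for (int i = 0; i < NSEEDS; i++) {
        unsigned char seed[16], out[8] = {0};
        uint64_t v;
        toy_pool p;
        memset(seed, 0xA5, sizeof seed);   /* constructed seed material */
        seed[15] = (unsigned char)i;       /* each pool gets its own seed */
        toy_pool_init(&p, mix_add_input, mix_out_buffer);
        toy_rand_add(&p, seed, sizeof seed);
        toy_rand_bytes(&p, out, sizeof out, 42);
        memcpy(&v, out, sizeof v);
        int dup = 0;
        for (int k = 0; k < count; k++)
            if (seen[k] == v) dup = 1;
        if (!dup) seen[count++] = v;
    }
    return count;
}

/* Does the earlier content of the caller's output buffer change the output? */
static int prior_buffer_matters(int mix_out_buffer)
{
    unsigned char a[8] = {0}, b[8] = {0};
    toy_pool pa, pb;
    b[0] = 1;                              /* buffers differ before the call */
    toy_pool_init(&pa, 1, mix_out_buffer);
    toy_pool_init(&pb, 1, mix_out_buffer);
    toy_rand_add(&pa, "same seed", 9);
    toy_rand_add(&pb, "same seed", 9);
    toy_rand_bytes(&pa, a, sizeof a, 42);
    toy_rand_bytes(&pb, b, sizeof b, 42);
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    printf("both lines kept:     %d distinct\n", distinct_outputs(1, 1));
    printf("add-path line gone:  %d distinct\n", distinct_outputs(0, 1));
    printf("bytes-path line gone: %d distinct\n", distinct_outputs(1, 0));
    return 0;
}
```

With the add-path line removed, every differently seeded pool returns the same bytes; with only the bytes-path line removed, the seeds still separate the outputs and the only thing lost is the influence of the buffer's earlier contents.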






Message #79 received at 363516@bugs.debian.org (full text, mbox):

From: Tim Hudson <tim.hudson@attglobal.net>
To: Richard Kettlewell <rjk@greenend.org.uk>, 363516@bugs.debian.org, "Package Development List for OpenSSL packages." <pkg-openssl-devel@lists.alioth.debian.org>
Cc: Benoît Dejean <benoit@placenet.org>
Subject: Re: [Pkg-openssl-devel] Bug#363516: The actual change
Date: Wed, 14 May 2008 20:51:52 +1000
[
resent not as tjh@cryptsoft.com - too many bounces from overly aggressive relays 
which trust black lists from which you seem never to be able to get removed.

sorry to those who get two copies of this --tjh
]


Richard Kettlewell wrote:
> A couple of people have suggested I mention the change that was actually 
> made.  These are the relevant URLs:
> 
> http://svn.debian.org/viewsvn/pkg-openssl?rev=141&view=rev
> http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&r1=140&r2=141

What is missing is the context of the change. There seems to be some confusion
around this.

Although it is the same line of code that is being changed the context is
entirely different (and it is easy to not be aware of that context when seeing a
diff and that certainly contributed to this change not being noticed when
discussed on the openssl lists before it was made in the debian repository).

Basically there are two identical lines of code in completely different
contexts. One was safe to remove, the other most certainly was not.

You can follow the context at:

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=markup

The context of the first change:

Inside ssleay_rand_add (which is called by RAND_add_bytes when using this PRNG).
This is used when application code is adding entropy to the PRNG and it is
entirely up to the application where that entropy is coming from - it may be
from any source including uninitialised buffers if that is what gets passed in.

The code change commented out the *input* bytes coming from the application to
mix into the PRNG which reduces the seeding of the PRNG to code paths which
don't go via RAND_add_bytes of which there are few - which is reflected in the
tool for checking for a weak key with its 250k entries in its internal table.

The context of the second change:

Inside ssleay_rand_bytes (which is called by RAND_bytes when using this PRNG).
This is used when the application code (or any logic in the rest of OpenSSL)
needs some random data - typically in the context of key generation or random
padding. What the original code in OpenSSL does is actually mix in the caller's
buffer into which the output is to be copied into the PRNG pool. OpenSSL made a
change to make this code conditional on PURIFY not being defined as it is of
course a source of a large number of reports of 'errors' in OpenSSL when using
purify and when using valgrind where the call chain varies substantially back
into the application code and so isn't obvious to the casual developer when
looking at it as to what is going on.

The value of adding that output buffer into the entropy pool can be debated but
every bit helps and a conservative approach of mixing in whatever is available
is prudent. The annoyance of a pile of purify and valgrind errors being reported
against OpenSSL from other packages and applications which use it without a
clean way of disabling the tools by noting that the usage is safe is
unfortunate. There are ways to reorganise the code to make it straightforward
to include the known safe call chain so the other 'real' errors are not hidden
in the stream of output from purify and valgrind about this issue.

If anyone wants some assistance at writing FAQ entries or responses for this
then drop me a line - I used to handle vulnerability responses for all the RSA
security related SDKs so I'm well aware of the process and the importance of
clear notices to impacted users.

Tim Hudson
tjh@cryptsoft.com / tim.hudson@attglobal.net

---8<---

Attributing blame for this issue is a pretty pointless exercise IMHO. The code
has been in existence for two years. It is installed on systems I myself use and
I didn't see the context of the diff in my first reading of the patch when this
issue was announced which makes me think it was easy to miss. It required closer
looking at the code (and finding a URL to the actual patch and the whole file in
context). It is an extremely serious security issue and systems should be
patched as quickly as possible and keys regenerated.







Message #84 received at 363516@bugs.debian.org (full text, mbox):

From: Thiago de Castro Martins <thiago@usp.br>
To: 363516@bugs.debian.org
Subject: ssl_rand_bytes() should not be fixed: check documentation
Date: Thu, 15 May 2008 23:10:21 -0300
I am not really comfortable to add more to this matter, but I think the
behavior of function ssl_rand_bytes() to retrieve entropy from the 
'output' buffer is as documented.

Quoting OpenSSL documentation 
(http://www.openssl.org/docs/crypto/RAND_bytes.html#DESCRIPTION):

"The contents of buf is mixed into the entropy pool before retrieving 
the new pseudo-random bytes unless disabled at compile time"

As one can see, the 'buf' parameter, which in turn is passed to 
ssl_rand_bytes() is both an input and an output parameter.

As such, programs that use RAND_bytes() with uninitialized buffers are 
the ones to blame (while one could argue such procedure is not really 
incorrect), not the library itself.

The currently patched ssl_rand_bytes() behavior is incoherent with the 
expected from the available documentation, and the patch should be reverted.

	Thank you.

		Thiago Martins.









Message #89 received at 363516@bugs.debian.org (full text, mbox):

From: Jean-Yves Lefort <jylefort@brutele.be>
To: 363516@bugs.debian.org
Subject: something obvious
Date: Mon, 19 May 2008 20:11:56 +0200
The ssleay_rand_add() change was fairly idiotic. Even with no
understanding of that function, it is strikingly obvious that after
commenting out this statement:

	MD_Update(&m,buf,j);

the only remaining use of the buf parameter is:

	buf=(const char *)buf + j;

That is, the buf parameter becomes unused. This is a clear indication
that the person who made the change had no idea of what he was doing.

-- 
Jean-Yves Lefort <jylefort@brutele.be>
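
The two contexts Tim Hudson describes in message #79, and the unused `buf` observation in the message above, as an added toy model that is not part of the original thread and is not OpenSSL code. FNV-1a stands in for the digest, and every `toy_*` name, the seed strings and the length bookkeeping are assumptions made for illustration.

```c
/* Toy model of the two code paths discussed in this thread. NOT OpenSSL code:
 * FNV-1a stands in for MD_Update(); every toy_* name is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t state; } toy_pool;

static void toy_md_update(toy_pool *p, const void *data, size_t n) {
    const unsigned char *b = data;
    for (size_t i = 0; i < n; i++) {
        p->state ^= b[i];
        p->state *= 0x100000001b3ULL;   /* FNV-1a 64-bit prime */
    }
}

/* Models ssleay_rand_add(). mix_input == 0 models the commented-out
 * MD_Update(&m,buf,j): buf is never read, only bookkeeping is hashed. */
static void toy_rand_add(toy_pool *p, const void *buf, size_t n, int mix_input) {
    if (mix_input) toy_md_update(p, buf, n);
    toy_md_update(p, &n, sizeof n);     /* assumption: length as stand-in bookkeeping */
}

/* Models ssleay_rand_bytes(). mix_outbuf == 0 models the PURIFY build, which
 * skips hashing whatever the caller's output buffer held beforehand. */
static void toy_rand_bytes(toy_pool *p, unsigned char *out, size_t n, int mix_outbuf) {
    if (mix_outbuf) toy_md_update(p, out, n);
    for (size_t i = 0; i < n; i++) {
        toy_md_update(p, "\x01", 1);    /* advance the state before each output byte */
        out[i] = (unsigned char)(p->state >> 56);
    }
}

/* 1 if differently seeded pools give different output, 0 if the seed was ignored. */
int seed_affects_output(int mix_input, int mix_outbuf) {
    toy_pool a = { 0xcbf29ce484222325ULL }, b = a;   /* FNV offset basis */
    unsigned char out_a[16] = {0}, out_b[16] = {0};
    toy_rand_add(&a, "seed-A", 6, mix_input);        /* constructed sample seeds */
    toy_rand_add(&b, "seed-B", 6, mix_input);
    toy_rand_bytes(&a, out_a, sizeof out_a, mix_outbuf);
    toy_rand_bytes(&b, out_b, sizeof out_b, mix_outbuf);
    return memcmp(out_a, out_b, sizeof out_a) != 0;
}

int main(void) {
    printf("original=%d purify_style=%d rand_add_disabled=%d\n",
           seed_affects_output(1, 1), seed_affects_output(1, 0), seed_affects_output(0, 1));
    return 0;
}
```

Skipping the output-buffer mix leaves differently seeded pools distinct, while skipping the input mix makes the output independent of anything the application supplied.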

Message #94 received at 363516@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Jean-Yves Lefort <jylefort@brutele.be>, 363516@bugs.debian.org
Subject: Re: Bug#363516: something obvious
Date: Tue, 20 May 2008 07:15:09 +0200
Quoting Jean-Yves Lefort (jylefort@brutele.be):
> The ssleay_rand_add() change was fairly idiotic. Even with no
> understanding of that function, it is strikingly obvious that after
> commenting out this statement:
> 
> 	MD_Update(&m,buf,j);
> 
> the only remaining use of the buf parameter is:
> 
> 	buf=(const char *)buf + j;
> 
> That is, the buf parameter becomes unused. This is a clear indication
> that the person who made the change had no idea of what he was doing.


What is the value added by your comment, apart from being rude to the
package maintainer?

(Kurt, count me in for a beer with you at Debconf, just to confirm what
you already know: not all people who speak French are morons)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Jun 2008 07:28:20 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 06:33:12 2014; Machine Name: buxtehude.debian.org
