In message <20100615164403.ga38...@openssl.org> on Tue, 15 Jun 2010 18:44:03 +0200, "Dr. Stephen Henson" <st...@openssl.org> said:

steve> On Mon, Jun 14, 2010, Nicholas Maniscalco wrote:
steve> 
steve> > William A. Rowe Jr. wrote:
steve> >> On 6/14/2010 7:59 PM, Nicholas Maniscalco wrote:
steve> >>> Is using OpenSSL built with the PURIFY flag considered "secure"?
steve> >>> I ask because I came across this comment, in md_rand.c:
steve> >>>
steve> >>> #ifndef PURIFY /* purify complains */
steve> >>>        /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
steve> >>>        if (!MD_Update(&m,buf,j))
steve> >>>            goto err;
steve> >>>        /* We know that line may cause programs such as
steve> >>>           purify and valgrind to complain about use of
steve> >>>           uninitialized data.  */
steve> >>> #endif
steve> >> The last time someone went by such nonsense[1], they created an entirely
steve> >> exploitable set of keys on all debian/ubuntu-derived distributions.  Good
steve> >> luck with that, and please let us know what you are maintaining, so that
steve> >> we might avoid such distributions and products.
steve> >> [1] http://www.debian.org/security/2008/dsa-1571
steve> >
steve> > Thanks, William.  I am familiar with the Debian issue.
steve> >
steve> > The code I pasted above is from ssleay_rand_bytes.  Perhaps you were
steve> > thinking I was talking about the call in ssleay_rand_add?  I am quite aware
steve> > that removing the call from ssleay_rand_add is a very bad idea :)
steve> >
steve> > Are you still of the opinion that an OpenSSL built with PURIFY is insecure?
steve> > David Schwartz, indicated otherwise in a similar thread I started a few
steve> > weeks back (see his last sentence),
steve> >
steve> > http://www.mail-archive.com/openssl-dev@openssl.org/msg27732.html
steve> >
steve> > I was satisfied with his answer until I saw the comment above, hence the
steve> > new thread.  Again, I'm just trying to get a definitive answer on whether
steve> > the PURIFY flag is considered secure.  Thanks.
steve> 
steve> Well I can give you an initial provisional opinion... I'm being very guarded
steve> when commenting on the PRNG based on past history ;-)
steve> 
steve> I think that extra comment within the #ifndef PURIFY was added in error. That
steve> call just uses the (possibly uninitialised) buffer passed into
steve> ssleay_rand_bytes() as a very minor source of entropy and is not part of
steve> PURIFY builds with no ill effects other than removing that minor source of
steve> entropy.
steve> 
steve> Richard, it was your commit. Would you care to comment?

Sure.

I added those comments in direct reaction to the Debian issue.  At the
time, the removal of both the MD_Update() in ssleay_rand_add() and in
ssleay_rand_bytes() were pointed out as problem sources, so I added
that comment on both.

However, the trouble here seems not to be so much about the comments
as they are about the use of PURIFY.  For all I care, the condition
can be removed, leaving that piece of code to be compiled with purify
as well as without.

I've honestly not made much analysis about the code that's talked
about here.  Randomness on this level is not my strong point, so I'd
rather listen to those for whom it is.

If that piece of code is such a small source of entropy, it's quite
possible we can remove it safely.  I don't dare, though!  ;-)

Cheers,
Richard

-- 
Richard Levitte                         rich...@levitte.org
                                        http://richard.levitte.org/

"Life is a tremendous celebration - and I'm invited!"
-- from a friend's blog, translated from Swedish
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
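
The thread separates two digest updates: the one on the seeding path (ssleay_rand_add) and the one over the caller's buffer on the output path (ssleay_rand_bytes, left out of PURIFY builds). The following is an added toy model of that difference, not OpenSSL code and not written by any poster in this thread. FNV-1a stands in for the message digest, and `toy_pool`, `toy_rand_add`, `toy_rand_bytes` and `outputs_differ` are hypothetical names with constructed seed and buffer values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy model only: FNV-1a stands in for the real message digest. */
typedef struct { uint64_t state; } toy_pool;

static uint64_t mix(uint64_t h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

/* Seeding path. skip_update=1 models removing the digest update here,
   so the seed material never reaches the pool. */
void toy_rand_add(toy_pool *p, const void *seed, size_t n, int skip_update) {
    if (!skip_update) p->state = mix(p->state, seed, n);
}

/* Output path. purify=1 models a PURIFY build, which leaves out the
   digest update over whatever the caller's buffer already contains. */
void toy_rand_bytes(toy_pool *p, unsigned char *buf, size_t n, int purify) {
    uint64_t h = mix(14695981039346656037ULL, &p->state, sizeof p->state);
    if (!purify) h = mix(h, buf, n);   /* the "very minor source" */
    for (size_t i = 0; i < n; i++) {
        h = mix(h, &i, sizeof i);
        buf[i] = (unsigned char)(h >> 32);
    }
    p->state = mix(p->state, &h, sizeof h);
}

/* Returns 1 if two pools given different seeds produce different output.
   Both callers pass buffers with identical stale contents (constructed). */
int outputs_differ(int skip_add_update, int purify) {
    toy_pool a = { 1 }, b = { 1 };
    unsigned char oa[16], ob[16];
    memset(oa, 0xAA, sizeof oa);
    memset(ob, 0xAA, sizeof ob);
    toy_rand_add(&a, "constructed seed A", 18, skip_add_update);
    toy_rand_add(&b, "constructed seed B", 18, skip_add_update);
    toy_rand_bytes(&a, oa, sizeof oa, purify);
    toy_rand_bytes(&b, ob, sizeof ob, purify);
    return memcmp(oa, ob, sizeof oa) != 0;
}
```

In this model, `outputs_differ(0, 1)` is 1: with seeding intact, leaving out the output-side update does not make the two pools agree. `outputs_differ(1, 0)` is 0: once the seeding-side update is gone, the output-side update over the caller's buffer does not separate them.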
