Think back to what tripped this whole discussion.

valgrind isn't complaining because the data has been pre-filled, it's
complaining because it's never been touched.
i.e. if it were attacker providable "buffer contents" then this whole
discussion wouldn't have happened.

If the "attacker" can pre-seed uninitialized data in the process, then they
can read generated keys directly - and that's far easier than by trying to
second guess the RNG.

Peter


  From:       dean gaudet <[EMAIL PROTECTED]>
  To:         openssl-dev@openssl.org
  Date:       05/21/2008 03:44 PM
  Subject:    Re: valgrind and openssl

On Tue, 20 May 2008, Richard Salz wrote:

> > on the other hand it may be a known plaintext attack.
>
> Using those words in this context makes it sound that you not only don't
> understand what is being discussed right here and now, but also that you
> don't understand the term you just used. Are you sure you understood,
> e.g., Ted Tso's postings in this thread? Perhaps I'm missing something,
> but can you show me something that talks about known plaintext attacks in
> the context of hashing/digests?

yes i abused the term.

the so-called "uninitialized" data is actually from the stack right?  an
attacker generally controls that (i.e. earlier use of the stack probably
includes char buf[] which is controllable).  i don't know what ordering
the entropy is added to the PRNG, but if all the useful entropy goes in
first then an attacker might get to control the last 1KiB passed through
the SHA1.

yes it's unlikely given what we know today that an attacker could
manipulate the state down to a sufficiently small number of outputs, but i
really don't see the point of letting an attacker have that sort of
control.

-dean
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
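As an added illustration of the point both messages turn on (not code from this thread or from OpenSSL): a toy seed pool with a constructed entropy source, written once in the form a memory checker would flag (the whole stack buffer is mixed in, unwritten tail included) and once in the form that mixes only the bytes the source actually produced. The FNV-style mixer, entropy_read and leftover_changes_seed are assumptions of this example, and the "leftover" stack contents are constructed fills rather than real uninitialized reads.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy pool: an FNV-1a style 64-bit mixer stands in for the thread's SHA-1 pool. */
static uint64_t pool_mix(uint64_t state, const unsigned char *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        state ^= data[i];
        state *= 0x100000001b3ULL;
    }
    return state;
}

/* Constructed entropy source: writes at most 8 bytes and reports how many,
   modelling a source that hands back fewer bytes than were asked for. */
static size_t entropy_read(unsigned char *out, size_t want) {
    static const unsigned char sample[8] = {0x9a,0x11,0x47,0xde,0x02,0x6c,0xb0,0x55};
    size_t n = want < sizeof sample ? want : sizeof sample;
    memcpy(out, sample, n);
    return n;
}

/* Pattern a memory checker flags: the byte count is ignored and the whole
   buffer is mixed, so the unwritten tail (whatever an earlier stack user
   left behind) ends up in the pool as if it were entropy. */
static uint64_t seed_whole_buffer(unsigned char *buf, size_t buflen) {
    (void)entropy_read(buf, buflen);
    return pool_mix(0xcbf29ce484222325ULL, buf, buflen);
}

/* Fixed pattern: mix only the bytes the source produced and tell the caller
   how many bytes it may actually credit as entropy. */
static uint64_t seed_filled_bytes(unsigned char *buf, size_t buflen, size_t *credited) {
    *credited = entropy_read(buf, buflen);
    return pool_mix(0xcbf29ce484222325ULL, buf, *credited);
}

/* Seed twice with identical source output but two different leftover fills
   (constructed stand-ins for an earlier frame's char buf[], so no real
   uninitialized reads occur). Returns 1 if the leftover changed the seed. */
static int leftover_changes_seed(int use_fixed) {
    unsigned char a[64], b[64];
    size_t na = 0, nb = 0;
    memset(a, 0xAA, sizeof a);
    memset(b, 0x55, sizeof b);
    uint64_t sa = use_fixed ? seed_filled_bytes(a, sizeof a, &na) : seed_whole_buffer(a, sizeof a);
    uint64_t sb = use_fixed ? seed_filled_bytes(b, sizeof b, &nb) : seed_whole_buffer(b, sizeof b);
    return sa != sb;
}
```

With the buggy pattern the seed depends on what happened to be in the buffer before the call; with the fixed pattern only the 8 source bytes matter and the caller knows it got 8 bytes of entropy, not 64.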


