Kyle Hamilton wrote:
Debian &c suffered from simply removing all calls to seed the random
number generator with enough entropy to make it secure.
When it comes to entropy, every little bit helps. The calls to add
uninitialized static variable locations are never relied upon to seed
the PRNG with enough entropy, but they are used to "stir the pot" just
a little bit more.
This is probably one of the most-frequently asked questions.
http://openssl.org/support/faq.html#PROG14 (I think the 'answer' for
that needs to be changed to include some of the prior discussion on
the topic...)
Beware, the current situation is that enabling -DPURIFY no longer makes
openssl valgrind free as it used to be. The patch just makes it work
again, nothing more, nothing less.
Best Regards,
Frederic Heem.
This is probably also one of the most-frequently answered questions.
Look in the openssl-users and openssl-dev archives for the past year
and you'll see people with much more knowledge of entropy than me
discussing this topic, at length.
-Kyle H
On Fri, Jul 18, 2008 at 9:47 AM, Frederic Heem <[EMAIL PROTECTED]> wrote:
Hi,
The previous patch didn't fully work due a mysterious valgrind issue
(something related to loading libssl multiple time through dl_open). This
patch is simply what has Robert suggested.
By the way, can someone explain me why some "uninitialized" static variables
are used create a random number ? At least, on some embedded system, static
variables are initialized to 0, therefore, can the keys be weak on these
system ? I just want to avoid the security hole Debian&Co have suffered
recently.
Best Regards,
Frederic Heem
______________________________________________________________________________
--- NOTICE ---
This email and any attachments are confidential and are intended for
the
addressee only. If you have received this message by mistake, please
contact
us immediately and then delete the message from your system. You must
not
copy, distribute, disclose or act upon the contents of this email.
Personal
and corporate data submitted will be used in a correct, transparent and
lawful
manner. The data collected will be processed in paper or computerized form
for
the performance of contractual and lawful obligations as well as for
the
effective management of business relationship. The data processor is
Telsey
S.p.A. The data subject may exercise all the rights set forth in art. 7
of
Law by Decree 30.06.2003 n. 196 as reported in the following
url
http://www.telsey.com/privacy.asp.
______________________________________________________________________________
798t8RfNa6Dl8Ilf
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
--
---
Frederic Heem - Innovation Hub Senior Engineer
Telsey Telecommunications S.p.A.
email: [EMAIL PROTECTED]
Departement: Innovation Hub
UK: Vanguard Centre, ATU II, Unit 8 Sir William Lyons Road University of
Warwick Science Park CV4 7EZ Coventry
Tel. direct phone (+39) 0422 377760
Central Bureau Viale dell'Industria, 1
31055 Quinto di Treviso (TV) - Italy
Tel.: +39 0422470840 Fax: +39 0422470920
Web: www.telsey.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
