RE: [PATCH] PURIFY and valgrind

[zooko]

re: http://www.mail-archive.com/openssl-dev@openssl.org/msg24270.html

I don't quite approve of the established openssl tradition of using  
uninitialized memory for entropy, but I wanted to point out that if  
you want to do that, and you want valgrind to understand that those  
bits count as valid and should not trigger warnings when your  
control flow branches based on those bits, or when you use those bits  
are arguments to a system call, then you can just call  
VALGRIND_MAKE_MEM_DEFINED_IF_ADDRESSABLE, as described in the  
valgrind manual on this page: [1].  A nice explanation of what this  
means in valgrind's elegant error detection scheme is on this page: [2].


I haven't tried this myself, but if it works as advertised then it  
allows openssl to continue functioning the same way when in valgrind  
mode, and completely suppresses the false alarms without suppressing  
any other weirdness that might show up.


Regards,

Zooko

[1] http://valgrind.org/docs/manual/mc-manual.html#mc-manual.clientreqs
[2] http://valgrind.org/docs/manual/mc-manual.html#mc-manual.machine
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [PATCH] PURIFY and valgrind, 2nd round

[Frederic Heem]

Kyle Hamilton wrote:

Debian c suffered from simply removing all calls to seed the random
number generator with enough entropy to make it secure.

When it comes to entropy, every little bit helps.  The calls to add
uninitialized static variable locations are never relied upon to seed
the PRNG with enough entropy, but they are used to stir the pot just
a little bit more.

This is probably one of the most-frequently asked questions.
http://openssl.org/support/faq.html#PROG14  (I think the 'answer' for
that needs to be changed to include some of the prior discussion on
the topic...)

  
Beware, the current situation is that enabling -DPURIFY no longer makes 
openssl valgrind free as it used to be. The patch just makes it work 
again, nothing more, nothing less.

Best Regards,
Frederic Heem.


This is probably also one of the most-frequently answered questions.
Look in the openssl-users and openssl-dev archives for the past year
and you'll see people with much more knowledge of entropy than me
discussing this topic, at length.

-Kyle H

On Fri, Jul 18, 2008 at 9:47 AM, Frederic Heem [EMAIL PROTECTED] wrote:
  

Hi,
The previous patch didn't fully work due a mysterious valgrind issue
(something related to loading libssl multiple time through dl_open). This
patch is simply what has Robert suggested.
By the way, can someone explain me why some uninitialized static variables
are used create a random number ? At least, on some embedded system, static
variables are initialized to 0, therefore, can the keys be weak on these
system ? I just want to avoid the security hole DebianCo have suffered
recently.
Best Regards,
Frederic Heem



__

--- NOTICE ---

This  email  and  any  attachments  are  confidential and are intended for
the
addressee  only.  If you have received this message by mistake, please
contact
us  immediately and  then  delete the message from your system.   You must
not
copy, distribute, disclose  or  act upon the contents of this email.
 Personal
and corporate data submitted will be used in a correct, transparent and
lawful
manner. The data collected will be processed in paper or computerized form
for
the  performance  of  contractual  and  lawful  obligations as well as for
the
effective  management of business relationship.   The data processor is
Telsey
S.p.A.   The  data  subject may exercise all the rights set forth in art. 7
of
Law  by  Decree  30.06.2003  n.  196   as   reported   in  the  following
 url
http://www.telsey.com/privacy.asp.

__
798t8RfNa6Dl8Ilf



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]
  



--
---

Frederic Heem - Innovation Hub Senior Engineer
Telsey Telecommunications S.p.A.
email: [EMAIL PROTECTED]
Departement: Innovation Hub
UK: Vanguard Centre, ATU II, Unit 8Sir William Lyons Road University of 
Warwick Science ParkCV4 7EZ Coventry
Tel. direct phone (+39) 0422 377760
Central Bureau   Viale dell'Industria, 1
31055 Quinto di Treviso (TV)  - Italy
Tel.: +39 0422470840  Fax: +39 0422470920
Web: www.telsey.com



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[PATCH] PURIFY and valgrind

[Frederic Heem]

Dear,
Please find attached a patch which makes valgrind and friends happy. 
Some changes had been done in md_rand.c which broke the purpose of 
PURIFY. Needless to say that the define PURIFY is *not* for production 
system...

Best Regards,
Frederic Heem






__

--- NOTICE ---

This  email  and  any  attachments  are  confidential and are intended for the
addressee  only.  If you have received this message by mistake, please contact
us  immediately and  then  delete the message from your system.   You must not
copy, distribute, disclose  or  act upon the contents of this email.  Personal
and corporate data submitted will be used in a correct, transparent and lawful
manner. The data collected will be processed in paper or computerized form for
the  performance  of  contractual  and  lawful  obligations as well as for the
effective  management of business relationship.   The data processor is Telsey
S.p.A.   The  data  subject may exercise all the rights set forth in art. 7 of
Law  by  Decree  30.06.2003  n.  196   as   reported   in  the  following  url
http://www.telsey.com/privacy.asp.

__
798t8RfNa6Dl8Ilf
--- ../../../tmp/openssl-0.9.8h/crypto/rand/md_rand.c	2007-01-21 13:16:36.0 +
+++ md_rand.c	2008-07-17 17:53:01.0 +0100
@@ -331,7 +331,27 @@
 	pid_t curr_pid = getpid();
 #endif
 	int do_stir_pool = 0;
-
+#ifdef PURIFY
+  /*  DO NOT USE PURIFY FOR PRODUCTION SYSTEM 
+ this makes valgrind and friends happy.
+ Numbers below doesn't follow any particular rule, they are just not equal to 0 */
+  static int once = 0;
+  if(once == 0){
+once = 1;
+md_count[0] = 3;
+md_count[0] = 7;
+for(i = 0; i  MD_DIGEST_LENGTH; i++){
+  md[i] = i * i + 1;
+}
+for(i = 0; i  num; i++){
+  buf[i] = i * i + 2;
+}
+for(i = 0; i  (STATE_SIZE + MD_DIGEST_LENGTH); i++){
+  state[i] = i * i + 3;
+}
+  }
+  memset(buf, 1, num);
+#endif
 #ifdef PREDICT
 	if (rand_predictable)
 		{
@@ -464,9 +484,7 @@
 #endif
 		MD_Update(m,local_md,MD_DIGEST_LENGTH);
 		MD_Update(m,(unsigned char *)(md_c[0]),sizeof(md_c));
-#ifndef PURIFY
 		MD_Update(m,buf,j); /* purify complains */
-#endif
 		k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
 		if (k  0)
 			{

Re: [PATCH] PURIFY and valgrind

[Richard Salz]

Leave everything as all zero's; that will make it real obvious not to use 
this in production code.
#ifdef PURIFY
memset(buf, 0, num);
memset(md_c, 0, sizeof md_c);
memset(local_md, 0, sizeof local_md);
#endif

--
STSM, DataPower Chief Programmer
WebSphere DataPower SOA Appliances
http://www.ibm.com/software/integration/datapower/

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [PATCH] PURIFY and valgrind

[Bodo Moeller]

On Thu, Jul 17, 2008 at 7:07 PM, Frederic Heem [EMAIL PROTECTED] wrote:

 Please find attached a patch which makes valgrind and friends happy. Some
 changes had been done in md_rand.c which broke the purpose of PURIFY.
 Needless to say that the define PURIFY is *not* for production system...

Defining PURIFY should never make the PRNG weak.  If Valgrind finds
data that is used uninitialized, then a PURIFY patch should only
ensure that those exact bytes of data are initialized with some data.
Never overwrite a byte that actually may have been initialized.

Bodo
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [PATCH] PURIFY and valgrind

[Geoff Thorpe]

On Friday 18 July 2008 10:57:50 Bodo Moeller wrote:
 On Thu, Jul 17, 2008 at 7:07 PM, Frederic Heem [EMAIL PROTECTED] 
wrote:
  Please find attached a patch which makes valgrind and friends happy. Some
  changes had been done in md_rand.c which broke the purpose of PURIFY.
  Needless to say that the define PURIFY is *not* for production system...

 Defining PURIFY should never make the PRNG weak.  If Valgrind finds
 data that is used uninitialized, then a PURIFY patch should only
 ensure that those exact bytes of data are initialized with some data.
 Never overwrite a byte that actually may have been initialized.

Agreed, though where possible it's preferable for PURIFY-handling to simply 
not use the uninitialised data at all, rather than initialising it before 
use. (NB, I know this yields the same quality result, but appearances in the 
code are often as important as the outcome of the executable - particularly 
where package maintainers are concerned...) IIRC, it's complicated to remove 
the (uninitialised) loads here without also removing the desired stores, in 
which case I totally agree that memset(,0,) is a more obvious 
PURIFY(/valgrind) workaround. But where it's possible to trim our use of an 
input buffer so that we don't take some uninitialised trimmings, then the 
intent of the code would be much clearer. Moreover, it's more likely valgrind 
would then find bugs in the PRNG code (if ever we accidently debianise it 
ourselves) - whereas wholesale memset()s kind of limit the effectiveness of 
such debugging tools.

Or put another way, -1 to the suggested patch. Also, -1 to the general 
statement that PURIFY is *not* for production system. That is not our call 
to make! If the production system is experiencing problems and is being 
diagnosed - it may very well make sense to run it under PURIFY/valgrind to 
help track down problems that have only been observed in production. (Anyone 
who has ever tried to gaze into a crystal ball and invent a test-case to 
reproduce sporadic problems from a production system will know what I'm 
talking about).

Cheers,
Geoff

-- 
Un terrien, c'est un singe avec des clefs de char...
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [PATCH] PURIFY and valgrind

[Bodo Moeller]

On Fri, Jul 18, 2008 at 6:00 PM, Geoff Thorpe [EMAIL PROTECTED] wrote:
 On Friday 18 July 2008 10:57:50 Bodo Moeller wrote:
 On Thu, Jul 17, 2008 at 7:07 PM, Frederic Heem [EMAIL PROTECTED] wrote:

  Please find attached a patch which makes valgrind and friends happy. Some
  changes had been done in md_rand.c which broke the purpose of PURIFY.
  Needless to say that the define PURIFY is *not* for production system...

 Defining PURIFY should never make the PRNG weak.  If Valgrind finds
 data that is used uninitialized, then a PURIFY patch should only
 ensure that those exact bytes of data are initialized with some data.
 Never overwrite a byte that actually may have been initialized.

 Agreed, though where possible it's preferable for PURIFY-handling to simply
 not use the uninitialised data at all, rather than initialising it before
 use.

Absolutely true!  Thanks for adding this aspect to the picture.

Bodo
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[PATCH] PURIFY and valgrind, 2nd round

[Frederic Heem]

Hi,
The previous patch didn't fully work due a mysterious valgrind issue 
(something related to loading libssl multiple time through dl_open). 
This patch is simply what has Robert suggested.
By the way, can someone explain me why some uninitialized static 
variables are used create a random number ? At least, on some embedded 
system, static variables are initialized to 0, therefore, can the keys 
be weak on these system ? I just want to avoid the security hole 
DebianCo have suffered recently.

Best Regards,
Frederic Heem



__

--- NOTICE ---

This  email  and  any  attachments  are  confidential and are intended for the
addressee  only.  If you have received this message by mistake, please contact
us  immediately and  then  delete the message from your system.   You must not
copy, distribute, disclose  or  act upon the contents of this email.  Personal
and corporate data submitted will be used in a correct, transparent and lawful
manner. The data collected will be processed in paper or computerized form for
the  performance  of  contractual  and  lawful  obligations as well as for the
effective  management of business relationship.   The data processor is Telsey
S.p.A.   The  data  subject may exercise all the rights set forth in art. 7 of
Law  by  Decree  30.06.2003  n.  196   as   reported   in  the  following  url
http://www.telsey.com/privacy.asp.

__
798t8RfNa6Dl8Ilf
--- openssl-0.9.8h-old/crypto/rand/md_rand.c	2007-01-21 13:16:36.0 +
+++ openssl-0.9.8h/crypto/rand/md_rand.c	2008-07-18 16:34:18.0 +0100
@@ -332,6 +332,13 @@
 #endif
 	int do_stir_pool = 0;
 
+#ifdef PURIFY
+  /*  DO NOT USE PURIFY FOR PRODUCTION SYSTEM 
+ this makes valgrind and friends happy. */
+  memset(state, 0, STATE_SIZE + MD_DIGEST_LENGTH);
+  memset(md, 0, MD_DIGEST_LENGTH);
+  memset(buf, 0, num);
+#endif
 #ifdef PREDICT
 	if (rand_predictable)
 		{

Re: [PATCH] PURIFY and valgrind, 2nd round

[Kyle Hamilton]

Debian c suffered from simply removing all calls to seed the random
number generator with enough entropy to make it secure.

When it comes to entropy, every little bit helps.  The calls to add
uninitialized static variable locations are never relied upon to seed
the PRNG with enough entropy, but they are used to stir the pot just
a little bit more.

This is probably one of the most-frequently asked questions.
http://openssl.org/support/faq.html#PROG14  (I think the 'answer' for
that needs to be changed to include some of the prior discussion on
the topic...)

This is probably also one of the most-frequently answered questions.
Look in the openssl-users and openssl-dev archives for the past year
and you'll see people with much more knowledge of entropy than me
discussing this topic, at length.

-Kyle H

On Fri, Jul 18, 2008 at 9:47 AM, Frederic Heem [EMAIL PROTECTED] wrote:
 Hi,
 The previous patch didn't fully work due a mysterious valgrind issue
 (something related to loading libssl multiple time through dl_open). This
 patch is simply what has Robert suggested.
 By the way, can someone explain me why some uninitialized static variables
 are used create a random number ? At least, on some embedded system, static
 variables are initialized to 0, therefore, can the keys be weak on these
 system ? I just want to avoid the security hole DebianCo have suffered
 recently.
 Best Regards,
 Frederic Heem



 __

 --- NOTICE ---

 This  email  and  any  attachments  are  confidential and are intended for
 the
 addressee  only.  If you have received this message by mistake, please
 contact
 us  immediately and  then  delete the message from your system.   You must
 not
 copy, distribute, disclose  or  act upon the contents of this email.
  Personal
 and corporate data submitted will be used in a correct, transparent and
 lawful
 manner. The data collected will be processed in paper or computerized form
 for
 the  performance  of  contractual  and  lawful  obligations as well as for
 the
 effective  management of business relationship.   The data processor is
 Telsey
 S.p.A.   The  data  subject may exercise all the rights set forth in art. 7
 of
 Law  by  Decree  30.06.2003  n.  196   as   reported   in  the  following
  url
 http://www.telsey.com/privacy.asp.

 __
 798t8RfNa6Dl8Ilf

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: [PATCH] PURIFY and valgrind

[David Schwartz]

 Agreed, though where possible it's preferable for PURIFY-handling
 to simply
 not use the uninitialised data at all, rather than initialising it before
 use. (NB, I know this yields the same quality result, but
 appearances in the
 code are often as important as the outcome of the executable -
 particularly
 where package maintainers are concerned...) IIRC, it's
 complicated to remove
 the (uninitialised) loads here without also removing the desired
 stores, in
 which case I totally agree that memset(,0,) is a more obvious
 PURIFY(/valgrind) workaround. But where it's possible to trim our
 use of an
 input buffer so that we don't take some uninitialised
 trimmings, then the
 intent of the code would be much clearer. Moreover, it's more
 likely valgrind
 would then find bugs in the PRNG code (if ever we accidently debianise it
 ourselves) - whereas wholesale memset()s kind of limit the
 effectiveness of
 such debugging tools.

FWIW, I don't agree. Defining PURIFY should not make algorithmic changes.
How much data a call passes to the PRNG is an algorithmic change.
Initializing data to zeroes that would otherwise be uninitialized (and could
be zeroes anyway for all we know) is much more palatable than passing a
different length down a call chain.

 Or put another way, -1 to the suggested patch. Also, -1 to the general
 statement that PURIFY is *not* for production system. That is
 not our call
 to make! If the production system is experiencing problems and is being
 diagnosed - it may very well make sense to run it under
 PURIFY/valgrind to
 help track down problems that have only been observed in
 production. (Anyone
 who has ever tried to gaze into a crystal ball and invent a test-case to
 reproduce sporadic problems from a production system will know what I'm
 talking about).

I agree. PURIFY should not make any algorithmic changes, unless they are
absolutely necessary.

Ideally, IMO, defining PURIFY should cause all, and only, uninitialized data
to be zeroed. That way, if we don't initialize something we meant to, it
will still be caught.

Just zeroing things we plan to set to other values later is an inferior
solution. But changing the amount of data we pass to the PRNG is an inferior
solution too.

DS


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]