[Pkg-openssl-devel] Valgrind patch leftovers
Kurt Roeckx
kurt at roeckx.be
Thu Aug 29 17:12:34 UTC 2013
On Thu, Aug 29, 2013 at 02:06:48PM +0000, Ernst-Udo Wallenborn wrote:
>
> Luca Bruno writes:
>
> >Hi,
> >I'm not sure if it has been already discussed here, but I see that
> >after the latest Valgrind related problem, not the whole patch has been
> >dropped [0].
Yes, it comes up from time to time. There is nothing wrong with
the current patch.
> Eric Wong's proof-of-concept mentioned by Martin Boßlet on his blog [1] consists of a parent process that calls RAND_bytes once and then starts forking child processes until the system begins to recycle pids. The first child prints its pid and 4 bytes from the rnd stream, and a while later the next child that gets the same pid does the same. The program then exits. With Debian's libssl the output is:
>
> me at debian-vm:~$ gcc -o random random.c -lssl
> me at debian-vm:~$ ./random
> pid=4904 \x12\x78\x03\x3b
> pid=4904 \x12\x78\x03\x3b
The "proof-of-concept" just shows that after a fork you should
make sure that you reseed the RNG and that OpenSSL doesn't
do this automaticly for you. OpenSSL has some basic workaround
for this by also mixing in the PID, but that's cleary not
enough. You can hardly say that the PID has entropy.
> So both children produce the same sequence of random numbers. Debian seems to be the only linux to do that, I tried it on a SLES 11p2 and on an OpenSuSE and got differing random number sequences. From SLES sources I can tell that they don't apply anything like the valgrind.patch. When I rebuild the Debian openssl library without the valgrind.patch, I get
>
> me at debian-vm:~$ ./random
> pid=5419 \x81\xc7\x69\x6f
> pid=5419 \x83\xa4\x39\x8c
>
> as expected.
There is nothing "expected" about this. The difference is that
without the valgrind patch it adds some information that might
or might not contain entropy.
I guess with a 1 line change to the proof-of-concept code, you
will see the same behavior without this valgrind patch. That
is clearing buf[] before the call to RAND_bytes().
Kurt
More information about the Pkg-openssl-devel
mailing list