RE: valgrind and openssl

[David Schwartz]

  You mean you're not testing *all* of the real code. That's
  fine, you can't
  debug everythign at once.

 if you haven't tested your final production binary then you
 haven't tested
 anything at all.

You: Two plus two is five.

Me: Are you crazy? Two plus two is not five.

You: If you don't realize that three plus three is six, then you don't know
any math at all.

Err, what?!

What does testing your final production binary have to do with debugging on
code other than your final production binary?

  Good luck finding people who agree with you. I've been a professional
  software developer for about 18 years and I've worked on debugging with

 i've been a professional for longer than you.  big whoop.

 -dean

It really doesn't matter how long you've been doing it when you spout
nonsense like the above.

DS


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: valgrind and openssl

[David Schwartz]

 on the other hand it may be a known plaintext attack.

 what are you guys smoking?

 -dean

This argument has already been refuted in the posts you are replying to.

Such an attack would require the algorithm to not meet its specific design
security objectives. In other words, you are arguing that this might be a
problem if the algorithm is fundamentally broken. Well, duh, using it might
be a problem if the algorithm is fundamentally broken.

A primary security objective of the PRNG is that mixing in known data can
never, ever hurt you. It may not increase the entropy in the PRNG, but it
cannot decrease it. This is a specific design object, and you can rely on
the PRNG to meet this object. If you don't think the PRNG meets this
objective, you should not use it at all because this is one of its primary
objectives and the entire design is premised on it.

The only issue is that you might not mix in enough unknown data. Mixing in
known data can never hurt you. If it can, the PRNG is totally and completely
broken.

If you have any reason to think it is, please explain why. We will all
change the algorithm because this would be a major breakage.

You might as well argue that after you sign something with RSA, you should
keep the signature secret. After all, there might be some attack where the
signature leaks parts of the private key. Sure, there might be. But if you
really thought there was any chance of that, you'd abandon the signature
algorithm, not work harder to keep the signatures secret.

DS


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

REQUEST TO MODERATOR: valgrind and openssl

[Paul Sheer]

Hi there,

Can you please unsubscribe anyone who posts on this subject again.

The participants should long ago have taken this debate off list.

It's degenerated into a discussion without any value whatsoever.

Kind regards

-paul
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [CVS] OpenSSL: OpenSSL_0_9_8-stable: openssl/crypto/rand/ randfile.c

[Ben Laurie]

Lutz Jaenicke wrote:

  OpenSSL CVS Repository
  http://cvs.openssl.org/
  

  Server: cvs.openssl.org  Name:   Lutz Jaenicke
  Root:   /v/openssl/cvs   Email:  [EMAIL PROTECTED]
  Module: openssl  Date:   16-May-2008 09:14:58
  Branch: OpenSSL_0_9_8-stable Handle: 2008051608145800

  Modified files:   (Branch: OpenSSL_0_9_8-stable)
openssl/crypto/rand randfile.c

  Log:
Another occurance of possible valgrind/purify uninitialized memory
complaint related to the PRNG: with PURIFY policy don't feed uninitialized
memory into the PRNG.

Submitted by: Bodo Moeller [EMAIL PROTECTED] :-)


  Summary:
RevisionChanges Path
1.47.2.3+4  -0  openssl/crypto/rand/randfile.c
  

  patch -p0 '@@ .'
  Index: openssl/crypto/rand/randfile.c
  
  $ cvs diff -u -r1.47.2.2 -r1.47.2.3 randfile.c
  --- openssl/crypto/rand/randfile.c2 Mar 2007 17:44:55 -   1.47.2.2
  +++ openssl/crypto/rand/randfile.c16 May 2008 07:14:58 -  1.47.2.3
  @@ -127,7 +127,11 @@
i=fread(buf,1,n,in);
if (i = 0) break;
/* even if n != i, use the full array */


This comment should be inside the #else clause :-)


  +#ifdef PURIFY
  + RAND_add(buf,i,(double)i);
  +#else
RAND_add(buf,n,(double)i);
  +#endif
ret+=i;
if (bytes  0)
{
  @@ .
__
OpenSSL Project http://www.openssl.org
CVS Repository Commit List [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]





--
http://www.apache-ssl.org/ben.html   http://www.links.org/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: valgrind and openssl

[Richard Salz]

 on the other hand it may be a known plaintext attack.

Using those words in this context makes it sound that you not only don't 
understand what is being discussed right here and now, but also that you 
don't understand the term you just used. Are you sure you understood, 
e.g., Ted Tso's postings in this thread? Perhaps I'm missing something, 
but can you show me something that talks about known plaintext attacks in 
the context of hashing/digests?

 what are you guys smoking?

Indeed.

/r$

--
STSM, DataPower Chief Programmer
WebSphere DataPower SOA Appliances
http://www.ibm.com/software/integration/datapower/

[openssl.org #1675] RSA_set_method(3) inconsistency

[Vladimir Kotal via RT]

2 issues with RSA_set_method(3) man page:

   1. the function prototypes for RSA sign and verify functions in 
RSA_set_method(3) man page do not match reality
 - crypto/rsa/rsa.h lists them as:

int (*rsa_sign)(int type,
const unsigned char *m, unsigned int m_length,
unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
int (*rsa_verify)(int dtype,
const unsigned char *m, unsigned int m_length,
const unsigned char *sigbuf, unsigned int siglen,
const RSA *rsa);


  but the man page says this:

  /* sign. For backward compatibility, this is used only
* if (flags  RSA_FLAG_SIGN_VER)
*/
  int (*rsa_sign)(int type, unsigned char *m, unsigned int 
m_len,
 unsigned char *sigret, unsigned int *siglen, RSA *rsa);

   /* verify. For backward compatibility, this is used only
* if (flags  RSA_FLAG_SIGN_VER)
*/
  int (*rsa_verify)(int type, unsigned char *m, unsigned int 
m_len,
 unsigned char *sigbuf, unsigned int siglen, RSA *rsa);


  (notice ths missing 'const')


   2. the man page is missing rsa_keygen member of RSA_METHOD structure



v.

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #1674] bug report - fipsld not working with Solaris 9 sparc (64 bit architecture) for 32 bit shared library creation.

[Satyadev Sain via RT]

Hi,

 

I am using fipsld to create 32 bit (using -m32) statically linked shared
object library from fips capable openssl on SOLARIS 9 SPARC. But fipsld
hangs at link step (when creating shared object lib).I guess this is a bug
in fipsld script or openssl?

 

To reproduce the problem please follow the steps mentioned in attached
document.  

 

System info:

uname -a: SunOS qa-sun9 5.9 Generic_117171-12 sun4u sparc SUNW, UltraAX-i2

 

Thanks 

Satyadev

 










Hi,



I am using fipsld to create 32 bit (using m32)
statically linked shared object library from fips capable openssl on SOLARIS 9
SPARC. But fipsld hangs at link step (when creating shared object lib).I guess
this is a bug in fipsld script or openssl?



To reproduce the problem please follow the steps mentioned
in attached document. 



System info:

uname a: SunOS qa-sun9 5.9 Generic_117171-12 sun4u
sparc SUNW, UltraAX-i2



Thanks 

Satyadev










Steps followed on solaris.doc
Description: MS-Word document

How get encoding EC_params fro EC_KEY?

[Mark Shnaider]

Hello,
I can get  encoding of  an ANSI X9.62  ECDSA public key
from previously generated EC_KEY using function i2d_EC_PUBKEY.
Is where way to get Ec_params  encoding of  an ANSI X9.62  
 from EC_KEY?
I did not found function for this purpose.
Best regards
Mark

 

Mark Shnaider | Software engineer | ARX 
phone: +972.3.9279543 | mobile: +972.54.2448543 | email: [EMAIL PROTECTED] | 
www.arx.com 

Re: valgrind and openssl

[Geoff Thorpe]

On Monday 19 May 2008 15:27:24 dean gaudet wrote:
  Note that you should always build with no-asm if you're doing this kind
  of debug analysis. The assembly optimisations are likely to operate at
  granularities and in ways that valgrind could easily complain about. I
  don't know that this is the case, but it would certainly make sense to
  compare before posting a bug report.

 you know, this is sheer stupidity.

 you're suggesting that testing the no-asm code is a valid way of testing
 the assembly code?

Whoa, you're getting a tad trigger happy there. I'm not suggesting that 
testing the no-asm code is a valid way of testing the assembly code, you're 
putting words in my mouth. I think my last sentence is pretty clear. 
Debugging and optimising the assembly code is a different ball-game than 
identifying C-level leaks or other bugs in openssl. That's why I suggested 
comparing with a no-asm build. If valgrind sees equivalent problems in both, 
fine. If it sees it only with the assembly optimisations, that's useful 
information too, right?

 additionally the suggestion of -DPURIFY as a way of testing the code is
 also completely broken software engineering practice.

No, it's not. This is a PRNG, not a menu widget. You might also want to test 
with support for symbols and core-dumps, but run without either in 
production. Heisenburgs can also up when running in a debugger vs not running 
a debugger, using optimisation flags selectively, [...]. We have a PRNG, the 
accent is on the R, not the P. This is not valgrind's fault, just a 
one-off incompatibility with the notion that uninitialised==catastrophe.

 any special case changes for testing means you're not testing the REAL
 CODE.

With respect, please check the though shalts at the door, thanks.

 for example if you build -DPURIFY then you also won't get notified of
 problems with other PRNG seeds which are supposed to be providing random
 *initialized* data.

This is not true. -DPURIFY does *NOT* compile out the use of *initialised* 
data - that is the whole point. It compiles out any use of *uninitialized* 
data. (Or at least it's supposed to, Bodo thinks there's another case where 
an #ifdef would be needed in the corner case where there's a short width 
parameter - that's beside the point.)

 not to mention that a system compiled that way is 
 insecure -- so you either have to link your binaries static (to avoid the
 danger of an insecure shared lib), or set up a chroot for testing.

Also not true.

 in any event YOU'RE NOT TESTING THE REAL CODE.  which is to say you're
 wasting your time if you test under any of these conditions.

You haven't got your facts straight. In fact, I'm starting to suspect you've 
got them deliberately organised in a circle, for the sake of argument. Please 
make sure you're aware of *precisely* what's going on here, and *precisely* 
what -DPURIFY changes in openssl. Otherwise your second sentence is 
theologic, at best.

 openssl should not be relying on uninitialized data for anything.  even if
 it doesn't matter from the point of view of the PRNG, it should be pretty
 damn clear it's horrible software engineering practice.

More thou shalts. As for your other mail;

On Monday 19 May 2008 23:48:14 dean gaudet wrote:
 On Thu, 15 May 2008, Bodo Moeller wrote:
   The use of unititialized data in this case is stupid because the
   entropy of this random data is close to zero.
 
  It may be zero, but it may be more, depending on what happened earlier
  in the program if the same memory locations have been in use before.
  This may very well include data that would be unpredictable to
  adversaries -- i.e., entropy; that's the point here.

 on the other hand it may be a known plaintext attack.

For that sentence to be other than BS, it is a minimum requirement that the 
PRNG be fundamentally broken algorithmically. Please publish, or refrain from 
muddling the issue.

 what are you guys smoking?

The charred remains of a debian package, it's very noxious.

Cheers,
Geoff
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Make ssleay_rand_bytes more deterministic

[Richard Stoughton]

On Tue, May 20, 2008 at 12:09 AM, Bodo Moeller [EMAIL PROTECTED] wrote:
 On Mon, May 19, 2008 at 11:57 PM, Richard Stoughton [EMAIL PROTECTED] wrote:

  - do not mix the PID into the internal entropy pool, and

 The OpenSSL PRNG uses the PID twice:

 Once it is used as part of the intitial seeding on Unix machines, to
 get some data that might provide a little actual entropy.  This part
 wasn't functional in the Debian version, because the content of each
 and every seed byte was ignored.

 But then the PRNG also mixes the PID into the output (via a hash).
 This is why the PID did influence the output bytes on Debian.  The
 point in using the PID here is *not* to collect entropy.  Rather, it
 is to ensure that after a fork() both processes will see different
 random numbers.  Without this feature, many typical Unix-style server
 programs would be utterly broken.

I see.

As far as I can understand the code, the suggested usage pattern for
the RNG would be

 ssleay_rand_bytes(ssleay_rand_add ^ n) with n  0.

If consecutive calls to ssleay_rand_bytes without intermediate calls
to ssleay_rand_add are allowed, your objection is obviously more than
justified.

  - do not mix bits of the given output buffer into the internal entropy pool.

 Note that the second improvement may totally break already broken
 client software.

 Why would it?

Clients that do not call ssleay_rand_add at all would probably get a
random series with even less variance than the debianized one has.

However, I cannot see that the second point would make the correctly
used RNG weaker. Would it?
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: valgrind and openssl

[dean gaudet]

On Tue, 20 May 2008, Richard Salz wrote:

  on the other hand it may be a known plaintext attack.
 
 Using those words in this context makes it sound that you not only don't 
 understand what is being discussed right here and now, but also that you 
 don't understand the term you just used. Are you sure you understood, 
 e.g., Ted Tso's postings in this thread? Perhaps I'm missing something, 
 but can you show me something that talks about known plaintext attacks in 
 the context of hashing/digests?

yes i abused the term.

the so-called uninitialized data is actually from the stack right?  an 
attacker generally controls that (i.e. earlier use of the stack probably 
includes char buf[] which is controllable).  i don't know what ordering 
the entropy is added to the PRNG, but if all the useful entropy goes in 
first then an attacker might get to control the last 1KiB passed through 
the SHA1.

yes it's unlikely given what we know today that an attacker could 
manipulate the state down to a sufficiently small number of outputs, but i 
really don't see the point of letting an attacker have that sort of 
control.

-dean
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]