Lack of Entropy

Much has been said about the Debian/OpenSSL bug by people closer to it than I am. An expert view comes from Ben Laurie, who lays into the Debian packagers for fixing an apparent bug locally and not sharing the fix with upstream. In a second post, Ben clarifies some confusing issues, like whether OpenSSL is relying on uninitialised memory for entropy (not quite, but what it’s doing is not good either).

Ben’s wrath is well-deserved, but it seems to me there’s a fundamental reason why the OpenSSL folks must bear a share of the blame. Given the use of uninitialised memory, why wasn’t there a great big comment right there in the code, explaining it? Anything like that is sure to raise alarm bells in anyone reviewing the code, and send a programmer straight into fix-the-bug mode. And that’s an apparent-bug with a fix so simple that a compiler or runtime library could do it automatically. Don’t blame the Debian maintainer for fixing a blunder so trivial it must be a typo!

Why the “fix” went beyond just initialising that memory and broke it is beyond the scope of my (non-) research on the subject, and therefore this post.

UPDATE: Kudos to Michal Čihař for pointing out the upside to this sorry tale.

Posted on May 14, 2008, in debian, rants, security. 3 Comments.

  1. Terje Bråten

    There were 2 lines of code in completely different contexts. One was safe to remove, the other most certainly was not.

    Look at

    The one that was safe to remove was the one that mixed uninitialized memory into the pool.

    The one that should not have been removed was the one that was used to mix entropy into the pool. It was used to enter randomness from sources like /dev/urandom etc. The fault was that this second line of code looked much like the first line, and both lines got commented out, when it should have been only one of them.

    The result was that the only random thing left in the seed was the pid number of the process, and there is not much randomness in that.

  2. In fairness, the OpenSSL developers need more of the share of the blame — the contact address that Ben says the Debian packagers should have used was effectively undocumented. A major lack of transparency there.
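
Terje Bråten's point that only the PID was left in the seed can be made concrete with a toy model. This is an added example, not code from the post, the comments or OpenSSL: the SHA-256 based `toy_keygen` is a stand-in for a real key generator, and `PID_MAX = 32768` (the usual Linux default) is an assumption. It shows that a PID-only seed lets an auditor list every possible key in advance and check whether a given key falls in that weak set.

```python
import hashlib
import math
import os

PID_MAX = 32768  # assumption: common Linux default, so valid PIDs are 1..32767


def toy_keygen(seed: bytes, nbytes: int = 16) -> bytes:
    """Stand-in deterministic generator: the output depends only on the seed."""
    return hashlib.sha256(b"toy-prng" + seed).digest()[:nbytes]


def broken_seed(pid: int) -> bytes:
    """Models the patched build: real entropy is no longer mixed in, only the PID."""
    return pid.to_bytes(4, "big")


def healthy_seed(pid: int) -> bytes:
    """Models the intended behaviour: OS randomness is mixed in alongside the PID."""
    return pid.to_bytes(4, "big") + os.urandom(32)


def build_weak_key_table() -> dict:
    """Every key the broken generator can ever emit, mapped back to its PID."""
    return {toy_keygen(broken_seed(pid)): pid for pid in range(1, PID_MAX)}


def audit_key(key: bytes, table: dict):
    """Return the PID that produced `key` if it is in the weak set, else None."""
    return table.get(key)


def effective_bits(table: dict) -> float:
    """Upper bound on the entropy of a key drawn from the weak set."""
    return math.log2(len(table))


if __name__ == "__main__":
    table = build_weak_key_table()
    print(f"distinct weak keys: {len(table)} (~{effective_bits(table):.1f} bits)")
    # Constructed samples: one key from each seeding path, same PID.
    for label, seed in (("broken", broken_seed(4242)), ("healthy", healthy_seed(4242))):
        hit = audit_key(toy_keygen(seed), table)
        print(f"{label:8s} key -> {'WEAK, pid ' + str(hit) if hit else 'not in weak set'}")
```

However long the generated key is, the broken path can never produce more than about 15 bits' worth of distinct outputs, which is why a lookup against a precomputed table is enough to flag affected keys.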
