Hello namesake,
Spiros said:
[...] but after I posted it I started
wondering whether there might be occasions where copying
uninitialised memory might be useful.
OpenSSL uses this in order to make the random seed a little bit more
random.
Essentially this was what led to the Debian-specific bug (DSA 1571,
http://www.debian.org/security/2008/dsa-1571):
With the help of valgrind, it was found that openssl uses
uninitialised memory, and this was removed
(http://marc.info/?t=114651088900003&r=1&w=2) - removing almost all
randomness from the random seed. I think the rest of the story is known.
No, the problem was a little bit subtler than that.
There were *two* places where code was commented out.
One of them was assimilating the (possibly uninitialized) contents of a
buffer into the entropy pool before filling that buffer with random
bytes. This was the "can't hurt, and may help" one. Removing this one
should have silenced the valgrind warnings and would have left a secure
random number generator, just one that sometimes had slightly less
entropy.
There was another place where the same operation was done (with
identical code) when the caller requested that the contents of a buffer
be added to the entropy pool. That one was also (incorrectly) removed
by an overenthusiastic patcher, and that's the one that turned the RNG
into an NRNG.
ObC: What would the DS9k[1] have done with the uninitialized buffer?
I think it's been established that it's required to accept it, since
the memory is being examined as unsigned char.
But what would the OpenSSL library actually see when it looked at the
buffer?
dave
[1] For those who weren't around a few years back: The DeathStation
9000 is a hypothetical machine that accepts and does The Right
Thing with conforming and portable C code, but fails in creative
and spectacular ways constrained only by the laws of physics when
given code that is incorrect in any way.