[openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

[openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
1 GB works as expected:

    $ openssl rand 1000000000 | wc -c
    1000000000

But 10 GB does not:

    $ apps/openssl rand 10000000000 | wc -c
    1410065408

2 GB +1 is also bad:

    $ openssl rand 2147483649 | wc -c
    rand: Use -help for summary.
    0

2 GB -1 is good:

    $ apps/openssl rand 2147483647 | wc -c
    2147483647

It seems the counter (num in rand.c) is a 32-bit int. These days it
should at least be 64-bit.

In any case there should be a decent error message if the number is
out of the supported range.

I am a bit worried when I see C-beginner mistakes like this in a
security suite: When using sscanf on data you have not produced
yourself, you should always assume they will be bigger that your
largest buffer/variable and deal correctly with that.


Tested on:

openssl-1.1.0-pre1
git-6ac11bd0b


/Ole

_______________________________________________
openssl-bugs-mod mailing list
[hidden email]
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
> I am a bit worried when I see C-beginner mistakes like this in a security suite:
> When using sscanf on data you have not produced yourself, you should
> always assume they will be bigger that your largest buffer/variable and deal
> correctly with that.

That's a bit of an exaggeration here.  It's not network data coming in from somewhere else, it's a number typed on the command line in a local program.


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Viktor Dukhovni

> On Jan 11, 2016, at 7:01 PM, Salz, Rich via RT <[hidden email]> wrote:
>
>> I am a bit worried when I see C-beginner mistakes like this in a security suite:
>> When using sscanf on data you have not produced yourself, you should
>> always assume they will be bigger that your largest buffer/variable and deal
>> correctly with that.
>
> That's a bit of an exaggeration here.  It's not network data coming in from somewhere else, it's a number typed on the command line in a local program.

And, in new code, we do try to do better, this is from s_client.c
in master used to parse decimal integers 0..255, but deals with
overflow/underflow to ensure that we get exactly what the user
typed.  Similar code could be used to parse the requested byte
count for rand(1).  Not necessarily an urgent priority, but
something we should get to at some point, so I'd keep the ticket
open, at low priority.

static ossl_ssize_t checked_uint8(const char **inptr, void *out)
{
    uint8_t *result = (uint8_t *)out;
    const char *in = *inptr;
    char *endp;
    long v;
    int e;

    save_errno();
    v = strtol(in, &endp, 10);
    e = restore_errno();

    if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) ||
        endp == in || !isspace(*endp) ||
        v != (*result = (uint8_t) v)) {
        return -1;
    }
    for (in = endp; isspace(*in); ++in)
        continue;

    *inptr = in;
    return 1;
}

--
        Viktor.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT

> On Jan 11, 2016, at 7:01 PM, Salz, Rich via RT <[hidden email]> wrote:
>
>> I am a bit worried when I see C-beginner mistakes like this in a security suite:
>> When using sscanf on data you have not produced yourself, you should
>> always assume they will be bigger that your largest buffer/variable and deal
>> correctly with that.
>
> That's a bit of an exaggeration here.  It's not network data coming in from somewhere else, it's a number typed on the command line in a local program.

And, in new code, we do try to do better, this is from s_client.c
in master used to parse decimal integers 0..255, but deals with
overflow/underflow to ensure that we get exactly what the user
typed.  Similar code could be used to parse the requested byte
count for rand(1).  Not necessarily an urgent priority, but
something we should get to at some point, so I'd keep the ticket
open, at low priority.

static ossl_ssize_t checked_uint8(const char **inptr, void *out)
{
    uint8_t *result = (uint8_t *)out;
    const char *in = *inptr;
    char *endp;
    long v;
    int e;

    save_errno();
    v = strtol(in, &endp, 10);
    e = restore_errno();

    if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) ||
        endp == in || !isspace(*endp) ||
        v != (*result = (uint8_t) v)) {
        return -1;
    }
    for (in = endp; isspace(*in); ++in)
        continue;

    *inptr = in;
    return 1;
}

--
        Viktor.


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
In reply to this post by Viktor Dukhovni
And also opt_int and opt_long in apps/opt.c are useful.


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
In reply to this post by Rich Salz via RT
On 01/11/2016 06:01 PM, Salz, Rich via RT wrote:
>> I am a bit worried when I see C-beginner mistakes like this in a security suite:
>> When using sscanf on data you have not produced yourself, you should
>> always assume they will be bigger that your largest buffer/variable and deal
>> correctly with that.
> That's a bit of an exaggeration here.  It's not network data coming in from somewhere else, it's a number typed on the command line in a local program.
>

There's also the part where asking 'openssl rand' for gigabytes of data
is not necessarily a good idea -- I believe in the default configuration
on unix, it ends up reading 32 bytes from /dev/random and using that to
seed EAY's md_rand.c scheme, which is not exactly a state-of-the-art
CSPRNG these days...


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
On Tue, Jan 12, 2016 at 4:36 AM, Kaduk, Ben via RT <[hidden email]> wrote:
> On 01/11/2016 06:01 PM, Salz, Rich via RT wrote:
>>> I am a bit worried when I see C-beginner mistakes like this in a security suite:
>>> When using sscanf on data you have not produced yourself, you should
>>> always assume they will be bigger that your largest buffer/variable and deal
>>> correctly with that.

>> That's a bit of an exaggeration here.  It's not network data coming in from somewhere else, it's a number typed on the command line in a local program.

The worry is not about this particular case (where it does not seem to
be possible to abuse), but as a general observation: If the rest of
the code has the same quality, then we will be screwed.

> There's also the part where asking 'openssl rand' for gigabytes of data
> is not necessarily a good idea -- I believe in the default configuration
> on unix, it ends up reading 32 bytes from /dev/random and using that to
> seed EAY's md_rand.c scheme, which is not exactly a state-of-the-art
> CSPRNG these days...

We do not know what they will be using these data for (in my case a
user wanted it for overwriting a harddrive, so the quality mattered
less than the speed). But if it is unsafe for generating GB's of data
based on a 32-byte seed, then by all means read another 32-byte seed
now and then (but please do it from /dev/urandom:
http://www.2uo.de/myths-about-urandom/).


/Ole


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Dr Paul Dale
In reply to this post by Rich Salz via RT

On Tue, 12 Jan 2016 03:36:59 AM Kaduk, Ben via RT wrote:

> There's also the part where asking 'openssl rand' for gigabytes of data

> is not necessarily a good idea -- I believe in the default configuration

> on unix, it ends up reading 32 bytes from /dev/random and using that to

> seed EAY's md_rand.c scheme, which is not exactly a state-of-the-art

> CSPRNG these days...

 

This matches my understanding, although I thought these bytes would be read from /dev/urandom first.

 

The unwritten but implied part is that, in the default configuration, the deterministic generator is never reseeded -- those 32 bytes are all the entropy it will ever get.

 

 

Pauli

--

Oracle

Dr Paul Dale | Cryptographer | Network Security & Encryption

Phone +61 7 3031 7217

Oracle Australia

 


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
On Tue, 12 Jan 2016 03:36:59 AM Kaduk, Ben via RT wrote:
> There's also the part where asking 'openssl rand' for gigabytes of data
> is not necessarily a good idea -- I believe in the default configuration
> on unix, it ends up reading 32 bytes from /dev/random and using that to
> seed EAY's md_rand.c scheme, which is not exactly a state-of-the-art
> CSPRNG these days...

This matches my understanding, although I thought these bytes would be read from /dev/urandom first.

The unwritten but implied part is that, in the default configuration, the deterministic generator is never reseeded -- those 32 bytes are all the entropy it will ever get.


Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
In reply to this post by Rich Salz via RT

> The worry is not about this particular case (where it does not seem to be
> possible to abuse), but as a general observation: If the rest of the code has
> the same quality, then we will be screwed.

Shrug.  We do the best we can.  We try to do a good job.  Almost everyone would agree that the code is getting better.


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev