Re: qmail starttls patch does not seed the random number generator

[Wojciech Purczynski <wp () supermedia pl>]

Hi,

The way you fixed the problem is not secure. It works in most cases but it
may fail in some cases. Your patch does not check for error codes that may
be returned by open() and if read() returns less characters than 33 your
code just skips seeding the PRNG without returning any error.

As we can read in kernel sources, open("/dev/urandom") and read() should
not return error but you can't depend on this if you wan't to provide
secure fix. If kernel changes your code may become insecure and would need
to be fixed again and again...

Cheers,
wp

> openssl-0.9.6b does not allow ssl/tls connections when the random number
> has not been seeded.  This is a good idea, and it exposes that the
> starttls patch for qmail does not seed the random number generator.
>
> Here is a small patch that fixes the problem in qmail-remote for systems
> that support /dev/urandom (the same can be done for qmail-smtpd but I
> can't test it right now).  Not seeding the random number generator is a
> serious bug and it completely compromises the cryptographic privacy of
> TLS encrypted emails.
>
> Felix
>
> --- qmail-1.03/qmail-remote.c Wed Aug 15 02:52:23 2001
> +++ qmail-1.03-diet/qmail-remote.c    Wed Aug 15 02:43:07 2001
> @@ -431,6 +431,13 @@
>        SSL_set_fd(ssl,smtpfd);
>
>        alarm(timeout);
> +      {
> +     int randfd=open_read("/dev/urandom");
> +     char buf[64];
> +     int len=read(randfd,buf,64);
> +     close(randfd);
> +     if (len>32) RAND_seed(buf,len);
> +      }
>        r = SSL_connect(ssl); saveerrno = errno;
>        alarm(0);
>        if (flagtimedout)

_________________________________________________________________
 Wojciech Purczyński | Security Officer | http://cliph.linux.pl/
-----------------------------------------------------------------
 Murphy's law says that there is always one more bug...
               ...but he forgot to mention if it is exploitable.