6908993 2001-08-15 02:57 +0200  /35 lines/ Felix von Leitner <felix-qmail@fefe.de>
Sent by: joel@lysator.liu.se
Imported: 2001-08-15  17:47  by Brevbäraren
External recipient: qmail@list.cr.yp.to
External CC recipient: jos-tls@kotnet.org
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18776>
Subject: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Felix von Leitner <felix-qmail@fefe.de>
To: qmail@list.cr.yp.to
Cc: jos-tls@kotnet.org, bugtraq@securityfocus.com
Message-ID: <20010815025736.A11987@codeblau.de>

openssl-0.9.6b does not allow ssl/tls connections when the random
number has not been seeded.  This is a good idea, and it exposes that
the starttls patch for qmail does not seed the random number
generator.

Here is a small patch that fixes the problem in qmail-remote for
systems that support /dev/urandom (the same can be done for
qmail-smtpd but I can't test it right now).  Not seeding the random
number generator is a serious bug and it completely compromises the
cryptographic privacy of TLS encrypted emails.

Felix

--- qmail-1.03/qmail-remote.c	Wed Aug 15 02:52:23 2001
+++ qmail-1.03-diet/qmail-remote.c	Wed Aug 15 02:43:07 2001
@@ -431,6 +431,13 @@
       SSL_set_fd(ssl,smtpfd);
 
       alarm(timeout);
+      {
+	int randfd=open_read("/dev/urandom");
+	char buf[64];
+	int len=read(randfd,buf,64);
+	close(randfd);
+	if (len>32) RAND_seed(buf,len);
+      }
       r = SSL_connect(ssl); saveerrno = errno;
       alarm(0); 
       if (flagtimedout)
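Review bot: the inserted block silently skips seeding on every failure path, so `r = SSL_connect(ssl);` then runs on an unseeded PRNG or fails later with an opaque OpenSSL error. `int randfd=open_read("/dev/urandom");` is never checked for -1 before the `read` and `close`, a single `read(randfd,buf,64)` is not obliged to fill the buffer (loop until all 64 bytes have arrived), and `if (len>32) RAND_seed(buf,len);` turns a short read or a read error into a no-op instead of aborting the connection attempt; a seeding failure here should be a hard error, not a fall-through.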
(6908993) /Felix von Leitner <felix-qmail@fefe.de>/(Reflowed)

6908921 2001-08-15 17:02 +0200  /59 lines/ Wojciech Purczynski <wp@supermedia.pl>
Sent by: joel@lysator.liu.se
Imported: 2001-08-15  17:33  by Brevbäraren
External recipient: Felix von Leitner <felix-qmail@fefe.de>
External CC recipient: qmail@list.cr.yp.to
External CC recipient: jos-tls@kotnet.org
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18773>
Comment on text 6908993 by Felix von Leitner <felix-qmail@fefe.de>
    Sent:     2001-08-15 17:47
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Wojciech Purczynski <wp@supermedia.pl>
To: Felix von Leitner <felix-qmail@fefe.de>
Cc: <qmail@list.cr.yp.to>, <jos-tls@kotnet.org>,
 <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0108151652330.2565-100000@lama.supermedia.pl>


Hi,

The way you fixed the problem is not secure. It works in most cases
but it may fail in some cases. Your patch does not check for error
codes that may be returned by open(), and if read() returns fewer
characters than 33 your code just skips seeding the PRNG without
returning any error.

As we can read in the kernel sources, open("/dev/urandom") and read()
should not return an error, but you can't depend on this if you want to
provide a secure fix. If the kernel changes, your code may become insecure
and would need to be fixed again and again...

Cheers,
wp

> openssl-0.9.6b does not allow ssl/tls connections when the random number
> has not been seeded.  This is a good idea, and it exposes that the
> starttls patch for qmail does not seed the random number generator.
>
> Here is a small patch that fixes the problem in qmail-remote for systems
> that support /dev/urandom (the same can be done for qmail-smtpd but I
> can't test it right now).  Not seeding the random number generator is a
> serious bug and it completely compromises the cryptographic privacy of
> TLS encrypted emails.
>
> Felix
>
> --- qmail-1.03/qmail-remote.c	Wed Aug 15 02:52:23 2001
> +++ qmail-1.03-diet/qmail-remote.c	Wed Aug 15 02:43:07 2001
> @@ -431,6 +431,13 @@
>        SSL_set_fd(ssl,smtpfd);
>
>        alarm(timeout);
> +      {
> +	int randfd=open_read("/dev/urandom");
> +	char buf[64];
> +	int len=read(randfd,buf,64);
> +	close(randfd);
> +	if (len>32) RAND_seed(buf,len);
> +      }
>        r = SSL_connect(ssl); saveerrno = errno;
>        alarm(0);
>        if (flagtimedout)
>
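Review bot: nothing after the seeding block verifies that the generator is actually seeded before `r = SSL_connect(ssl);`. OpenSSL's RAND_status() reports whether enough seed material has been added; checking it there would turn a silently skipped seed (open_read() failure, short read) into an explicit error, and would also show whether OpenSSL had already seeded itself from /dev/urandom before this block ran, which bears on whether the block is needed at all. The cover note also leaves qmail-smtpd unpatched, so the server side keeps the original behaviour.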

_________________________________________________________________
 Wojciech Purczyński | Security Officer | http://cliph.linux.pl/
-----------------------------------------------------------------
 Murphy's law says that there is always one more bug...
               ...but he forgot to mention if it is exploitable.
(6908921) /Wojciech Purczynski <wp@supermedia.pl>/(Reflowed)
Comment in text 6909697 by Jack Lloyd <lloyd@acm.jhu.edu>
6909697 2001-08-15 13:42 -0400  /59 lines/ Jack Lloyd <lloyd@acm.jhu.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-08-15  20:20  by Brevbäraren
External recipient: Wojciech Purczynski <wp@supermedia.pl>
External CC recipient: Felix von Leitner <felix-qmail@fefe.de>
External CC recipient: qmail@list.cr.yp.to
External CC recipient: jos-tls@kotnet.org
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18780>
Comment on text 6908921 by Wojciech Purczynski <wp@supermedia.pl>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Jack Lloyd <lloyd@acm.jhu.edu>
To: Wojciech Purczynski <wp@supermedia.pl>
Cc: Felix von Leitner <felix-qmail@fefe.de>, <qmail@list.cr.yp.to>,
 <jos-tls@kotnet.org>, <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.30.0108151324460.7141-100000@sol.galaxy.acm.jhu.edu>

> The way you fixed the problem is not secure. It works in most cases but it
> may fail in some cases. Your patch does not check for error codes that may
> be returned by open() and if read() returns less characters than 33 your
> code just skips seeding the PRNG without returning any error.
>
> As we can read in kernel sources, open("/dev/urandom") and read() should
> not return error but you can't depend on this if you wan't to provide
> secure fix. If kernel changes your code may become insecure and would need
> to be fixed again and again...

Not to mention the fact that /dev/random on Solaris is a pipe, and
thus could (maybe) return less. Though I've never seen or used the
implementation there, so I couldn't say for sure. But generally you
can't rely on the fact that /dev/urandom is always going to give you
as much as you want.

Of course this is ignoring the fact that the only time OpenSSL will
seed itself is precisely when /dev/urandom exists, so the value of
this patch is questionable (but, of course, the fact that qmail
doesn't seed the RNG is a serious error and should probably be fixed).

[from the original post by Felix von Leitner]:
> it completely compromises the cryptographic privacy of TLS encrypted
> emails.

3 points I feel I have to make here:

  1) If you're depending on the fact that your mail server is TLS
encrypting your emails, you're asking for it. Even if it is
encrypting everything going out (which seems unlikely; how many mail
servers out there are configured for TLS SMTP?), more likely than not
at some point it will be decrypted and sent over the wire in
plaintext. It's comparable (IMO) to using telnet, on the assumption
that the OS will be using IPSec. Use PGP or S/MIME if you want to
secure your email.

  2) IIRC, OpenSSL adds a few "random" things like pid, uid, time,
etc. in the creation of the key (it's possible I'm thinking about some
other subsystem, so somebody tell me if I'm wrong here). But if so,
I'd imagine there are at least 25-35 bits of security in the key
then. Which is of course quite poor, but it would take at least a
little while to break each session key, which (IMHO) is more security
than you should expect from this (which is precisely that given by
normal mail, none).

  3) Oh, one more thing. An SSL/TLS key is negotiated between the
client and server, and derived from random values sent by each of
them. So I don't think the session keys would actually be vulnerable,
unless TLS over SMTP uses some odd variation from the normal
protocol. Unless, of course, both servers were running a qmail server
that wasn't seeding the RNG. :)

Regards,

Jack
(6909697) /Jack Lloyd <lloyd@acm.jhu.edu>/(Reflowed)
6909574 2001-08-15 10:56 -0500  /44 lines/ Brian Hatch <bugtraq@ifokr.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-15  19:45  by Brevbäraren
External recipient: qmail@list.cr.yp.to
External recipient: jos-tls@kotnet.org
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18778>
Comment on text 6908993 by Felix von Leitner <felix-qmail@fefe.de>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------


> openssl-0.9.6b does not allow ssl/tls connections when the random number
> has not been seeded.  This is a good idea, and it exposes that the
> starttls patch for qmail does not seed the random number generator.
> 
> Here is a small patch that fixes the problem in qmail-remote for systems
> that support /dev/urandom (the same can be done for qmail-smtpd but I
> can't test it right now).  Not seeding the random number generator is a
> serious bug and it completely compromises the cryptographic privacy of
> TLS encrypted emails.

Not seeding the PRNG is a serious error.  However OpenSSL should
seed from /dev/urandom automatically without even calling RAND_seed:

	OpenSSL makes sure that the PRNG state is unique for each
	thread. On systems that provide /dev/urandom, the
	randomness device is used to seed the PRNG transparently.
	However, on all other systems, the application is
	responsible for seeding the PRNG by calling RAND_add(),
	RAND_egd(3) or RAND_load_file(3).


So the question becomes *why* is it not seeding from /dev/urandom
on its own?  Also you should make sure to check the return values
in your code -- on systems with no /dev/urandom you will seed with
32-64 bytes of non-random data instead, giving the appearance of
security where there is none.

You may want to check out the RAND_egd() function which can be used
to seed from a PRNG daemon.  If you want to look at some rather
long-winded but thorough PRNG-seeding code, see the initialize_prng
function (in ssl.c) in the Stunnel source code.


--
Brian Hatch                Linux is like wigwam -
   Systems and               no windows, no gates,
   Security Engineer         apache inside.
www.hackinglinuxexposed.com

Every message PGP signed
(6909574) /Brian Hatch <bugtraq@ifokr.org>/---------
Attachment (application/pgp-signature) in text 6909575
6909575 2001-08-15 10:56 -0500  /10 lines/ Brian Hatch <bugtraq@ifokr.org>
Imported: 2001-08-15  19:45  by Brevbäraren
External recipient: qmail@list.cr.yp.to
External recipient: jos-tls@kotnet.org
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18779>
Attachment (text/plain) to text 6909574
Subject: Attachment to: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
(6909575) /Brian Hatch <bugtraq@ifokr.org>/---------
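A fail-closed rewrite of the patch's seeding block, applying the review points from Wojciech's reply (check the open() and read() results, handle short reads) and Brian's (check return values instead of seeding with non-random data). This is an added example, not code from the qmail TLS patch, qmail or OpenSSL; the seed_fn callback and record_seed are stand-ins for RAND_seed() so the file builds without OpenSSL headers.

```c
/* Added example, not code from qmail, the TLS patch or OpenSSL: a
 * fail-closed version of the patch's seeding block that checks every
 * return value. seed_fn stands in for OpenSSL's RAND_seed() so this
 * file builds without OpenSSL headers. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define SEED_BYTES 64

/* Read exactly `want` bytes from `path`. Loops over short reads (read()
 * is not obliged to fill the buffer; a pipe-backed device may hand back
 * less) and retries on EINTR. Returns 0 on success, -1 on open error,
 * read error, or EOF before `want` bytes; buf is zeroed on failure. */
int read_seed(const char *path, unsigned char *buf, size_t want) {
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n == -1 && errno == EINTR) continue;
        if (n <= 0) break;                /* error or EOF: give up */
        got += (size_t)n;
    }
    close(fd);
    if (got != want) { memset(buf, 0, want); return -1; }
    return 0;
}

/* Feed SEED_BYTES of seed material to seed_fn, or refuse. Returns 1 if
 * seeded, 0 if not; a caller in qmail-remote would then abort the
 * handshake (and check RAND_status() before SSL_connect()) instead of
 * continuing with an unseeded generator as the original block does. */
int seed_prng(const char *path, void (*seed_fn)(const void *, int)) {
    unsigned char buf[SEED_BYTES];
    if (read_seed(path, buf, sizeof buf) != 0) return 0;
    seed_fn(buf, (int)sizeof buf);
    memset(buf, 0, sizeof buf);           /* scrub seed material from the stack */
    return 1;
}

/* Stand-in for RAND_seed(): only records how many bytes arrived. */
static int seeded_bytes = 0;
static void record_seed(const void *p, int n) { (void)p; seeded_bytes += n; }
```

Calling seed_prng("/dev/null", record_seed) returns 0 because the device reports EOF before 64 bytes arrive, which is the short-read case the original block ignores.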
6916107 2001-08-16 10:22 -0700  /35 lines/ Scott Renfro <scott@renfro.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-16  19:41  by Brevbäraren
External recipient: Jack Lloyd <lloyd@acm.jhu.edu>
External CC recipient: Wojciech Purczynski <wp@supermedia.pl>
External CC recipient: Felix von Leitner <felix-qmail@fefe.de>
External CC recipient: qmail@list.cr.yp.to
External CC recipient: jos-tls@kotnet.org
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18799>
Comment on text 6909697 by Jack Lloyd <lloyd@acm.jhu.edu>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Scott Renfro <scott@renfro.org>
To: Jack Lloyd <lloyd@acm.jhu.edu>
Cc: Wojciech Purczynski <wp@supermedia.pl>,
 Felix von Leitner <felix-qmail@fefe.de>, qmail@list.cr.yp.to,
 jos-tls@kotnet.org, bugtraq@securityfocus.com
Message-ID: <20010816102209.I60185@bonsai.home.renfro.org>

On Wed, Aug 15, 2001 at 01:42:05PM -0400, Jack Lloyd wrote:
> 
>   2) IIRC, OpenSSL adds a few "random" things like pid, uid, time, etc
> in the creation of the key

On ''Unix'' platforms, it adds getpid(), getuid(), and time(NULL).
Wagner and Goldberg demonstrated how very predictable these values
were years ago with the Netscape browser.

>   3) Oh, one more thing. An SSL/TLS key is negotiated between the
> client and server, and derived from random values sent by each of
> them.

But the client-random and server-random values are public.  The only
secret input to the master secret is the pre-master secret which is
entirely supplied by the client.  If the PRNG used by the client to
generate the pre-master secret is weak, an attacker that can sniff the
packets can decrypt them with relatively little effort.

In this case, you have to have a working and recognized-by-OpenSSL
/dev/urandom or an alternate source of good entropy.

--Scott

-- 
Scott Renfro <scott@renfro.org>
(6916107) /Scott Renfro <scott@renfro.org>/(Reflowed)
6917770 2001-08-16 22:47 +0200  /37 lines/ Frederik Vermeulen <jos-tls@kotnet.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-17  01:12  by Brevbäraren
External recipient: felix-qmail@fefe.de
External CC recipient: qmail@list.cr.yp.to
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18801>
Comment on text 6908993 by Felix von Leitner <felix-qmail@fefe.de>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Frederik Vermeulen <jos-tls@kotnet.org>
To: felix-qmail@fefe.de
Cc: qmail@list.cr.yp.to, bugtraq@securityfocus.com
Message-ID: <200108162047.WAA04960@lion.imec.be>



Felix von Leitner wrote:
>openssl-0.9.6b does not allow ssl/tls connections when the random number
>has not been seeded.  This is a good idea, and it exposes that the
>starttls patch for qmail does not seed the random number generator.

I (patch maintainer) second the response of Brian Hatch in
<20010815105637.A30794@ifokr.org>. On systems that
support /dev/urandom, the openssl library uses it to seed the
PRNG, without the need to call RAND_seed in the application. On other
systems, it will fail to set up a TLS connection as you
reported. This is also the case with openssl versions < 0.9.6b.
I see no security problem with this behavior.

The openssl library provides the possibility to provide PRNG
seeding in the application. This moves the problem of providing a
platform specific PRNG seeding function from the cryptographic
library to the application programmer. The third way is to have
the PRNG seeding code in an entropy gathering daemon (EGD). This
keeps the application code platform-independent (only EGD
interfacing code is needed).

You report that your system has /dev/urandom, but openssl does not
use it. Are you sure DEVRANDOM in openssl/e_os.h was defined to
/dev/urandom when openssl was compiled?

Regards,

Frederik
(6917770) /Frederik Vermeulen <jos-tls@kotnet.org>/-
6933948 2001-08-19 17:29 +0000  /18 lines/ D. J. Bernstein <djb@cr.yp.to>
Sent by: joel@lysator.liu.se
Imported: 2001-08-19  20:31  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: qmail@list.cr.yp.to
Recipient: Bugtraq (import) <18835>
Comment on text 6909697 by Jack Lloyd <lloyd@acm.jhu.edu>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: "D. J. Bernstein" <djb@cr.yp.to>
To: bugtraq@securityfocus.com
Cc: qmail@list.cr.yp.to
Message-ID: <20010819172958.8248.qmail@cr.yp.to>

Jack Lloyd writes:
> the fact that qmail doesn't seed the RNG is a serious error

Nonsense. There is no TLS RNG in qmail. The patch under discussion is
not part of qmail. I didn't write the patch. I haven't reviewed it. I
don't distribute it. I don't use it. I am not responsible for its
bugs.

For the record: I have authorized _none_ of the third-party patches
that are available for my software. Most of those patches are garbage.

---Dan
(6933948) /D. J. Bernstein <djb@cr.yp.to>/(Reflowed)