6908993 2001-08-15 02:57 +0200 /35 lines/ Felix von Leitner <felix-qmail@fefe.de>
Sent by: joel@lysator.liu.se
Imported: 2001-08-15 17:47 by Brevbäraren (the mail importer)
External recipient: qmail@list.cr.yp.to
External Cc recipient: jos-tls@kotnet.org
External Cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18776>
Subject: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Felix von Leitner <felix-qmail@fefe.de>
To: qmail@list.cr.yp.to
Cc: jos-tls@kotnet.org, bugtraq@securityfocus.com
Message-ID: <20010815025736.A11987@codeblau.de>

openssl-0.9.6b does not allow ssl/tls connections when the random number
has not been seeded. This is a good idea, and it exposes that the
starttls patch for qmail does not seed the random number generator.

Here is a small patch that fixes the problem in qmail-remote for systems
that support /dev/urandom (the same can be done for qmail-smtpd but I
can't test it right now). Not seeding the random number generator is a
serious bug and it completely compromises the cryptographic privacy of
TLS encrypted emails.

Felix

--- qmail-1.03/qmail-remote.c	Wed Aug 15 02:52:23 2001
+++ qmail-1.03-diet/qmail-remote.c	Wed Aug 15 02:43:07 2001
@@ -431,6 +431,13 @@
   SSL_set_fd(ssl,smtpfd);
 
   alarm(timeout);
+  {
+    int randfd=open_read("/dev/urandom");
+    char buf[64];
+    int len=read(randfd,buf,64);
+    close(randfd);
+    if (len>32) RAND_seed(buf,len);
+  }
   r = SSL_connect(ssl); saveerrno = errno;
   alarm(0);
   if (flagtimedout)
(6908993) /Felix von Leitner <felix-qmail@fefe.de>/(rewrapped)

6908921 2001-08-15 17:02 +0200 /59 lines/ Wojciech Purczynski <wp@supermedia.pl>
Sent by: joel@lysator.liu.se
Imported: 2001-08-15 17:33 by Brevbäraren
External recipient: Felix von Leitner <felix-qmail@fefe.de>
External Cc recipient: qmail@list.cr.yp.to
External Cc recipient: jos-tls@kotnet.org
External Cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18773>
Comment on text 6908993 by Felix von Leitner <felix-qmail@fefe.de>
Sent: 2001-08-15 17:47
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
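Review bot: the seeding block added to the qmail-remote.c hunk above never fails closed. The result of open_read("/dev/urandom") is not checked for -1 (on a system without the device, read() then returns -1 and close(-1) is called), and read(randfd,buf,64) may legitimately return fewer than 64 bytes on a single call; in both cases the statement "if (len>32) RAND_seed(buf,len);" is simply skipped and SSL_connect(ssl) runs with whatever state the PRNG had, with no error reported to the caller. Suggest treating randfd < 0 and any read() result below the requested size as errors (loop until the full 64 bytes are read, or abandon the TLS attempt), and after RAND_seed() confirming RAND_status() returns 1 before calling SSL_connect(). As the cover note says, the same seeding is still missing on the qmail-smtpd side.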
From: Wojciech Purczynski <wp@supermedia.pl>
To: Felix von Leitner <felix-qmail@fefe.de>
Cc: <qmail@list.cr.yp.to>, <jos-tls@kotnet.org>, <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0108151652330.2565-100000@lama.supermedia.pl>

Hi,

The way you fixed the problem is not secure. It works in most cases but it
may fail in some cases. Your patch does not check for error codes that may
be returned by open() and if read() returns fewer characters than 33 your
code just skips seeding the PRNG without returning any error.

As we can read in kernel sources, open("/dev/urandom") and read() should
not return an error but you can't depend on this if you want to provide a
secure fix. If the kernel changes your code may become insecure and would
need to be fixed again and again...

Cheers,
wp

> openssl-0.9.6b does not allow ssl/tls connections when the random number
> has not been seeded. This is a good idea, and it exposes that the
> starttls patch for qmail does not seed the random number generator.
>
> Here is a small patch that fixes the problem in qmail-remote for systems
> that support /dev/urandom (the same can be done for qmail-smtpd but I
> can't test it right now). Not seeding the random number generator is a
> serious bug and it completely compromises the cryptographic privacy of
> TLS encrypted emails.
>
> Felix
>
> --- qmail-1.03/qmail-remote.c	Wed Aug 15 02:52:23 2001
> +++ qmail-1.03-diet/qmail-remote.c	Wed Aug 15 02:43:07 2001
> @@ -431,6 +431,13 @@
>    SSL_set_fd(ssl,smtpfd);
>
>    alarm(timeout);
> +  {
> +    int randfd=open_read("/dev/urandom");
> +    char buf[64];
> +    int len=read(randfd,buf,64);
> +    close(randfd);
> +    if (len>32) RAND_seed(buf,len);
> +  }
>    r = SSL_connect(ssl); saveerrno = errno;
>    alarm(0);
>    if (flagtimedout)
>

_________________________________________________________________
Wojciech Purczyński | Security Officer | http://cliph.linux.pl/
-----------------------------------------------------------------
Murphy's law says that there is always one more bug...
...but he forgot to mention if it is exploitable.
(6908921) /Wojciech Purczynski <wp@supermedia.pl>/(rewrapped)
Comment in text 6909697 by Jack Lloyd <lloyd@acm.jhu.edu>

6909697 2001-08-15 13:42 -0400 /59 lines/ Jack Lloyd <lloyd@acm.jhu.edu>
Sent by: joel@lysator.liu.se
Imported: 2001-08-15 20:20 by Brevbäraren
External recipient: Wojciech Purczynski <wp@supermedia.pl>
External Cc recipient: Felix von Leitner <felix-qmail@fefe.de>
External Cc recipient: qmail@list.cr.yp.to
External Cc recipient: jos-tls@kotnet.org
External Cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18780>
Comment on text 6908921 by Wojciech Purczynski <wp@supermedia.pl>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Jack Lloyd <lloyd@acm.jhu.edu>
To: Wojciech Purczynski <wp@supermedia.pl>
Cc: Felix von Leitner <felix-qmail@fefe.de>, <qmail@list.cr.yp.to>, <jos-tls@kotnet.org>, <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.30.0108151324460.7141-100000@sol.galaxy.acm.jhu.edu>

> The way you fixed the problem is not secure. It works in most cases but it
> may fail in some cases. Your patch does not check for error codes that may
> be returned by open() and if read() returns fewer characters than 33 your
> code just skips seeding the PRNG without returning any error.
>
> As we can read in kernel sources, open("/dev/urandom") and read() should
> not return an error but you can't depend on this if you want to provide a
> secure fix. If the kernel changes your code may become insecure and would
> need to be fixed again and again...

Not to mention the fact that /dev/random on Solaris is a pipe, and thus
could (maybe) return less. Though I've never seen or used the
implementation there, so I couldn't say for sure. But generally you can't
rely on the fact that /dev/urandom is always going to give you as much as
you want.

Of course this is ignoring the fact that the only time OpenSSL will seed
itself is precisely when /dev/urandom exists, so the value of this patch is
questionable (but, of course, the fact that qmail doesn't seed the RNG is a
serious error and should probably be fixed).

[from the original post by Felix von Leitner]:
> it completely compromises the cryptographic privacy of TLS encrypted
> emails.

3 points I feel I have to make here:

1) If you're depending on the fact that your mail server is TLS encrypting
your emails, you're asking for it. Even if it is encrypting everything
going out (which seems unlikely; how many mail servers out there are
configured for TLS SMTP?), more likely than not at some point it will be
decrypted and sent over the wire in plaintext. It's comparable (IMO) to
using telnet, on the assumption that the OS will be using IPSec.
Use PGP or S/MIME if you want to secure your email.

2) IIRC, OpenSSL adds a few "random" things like pid, uid, time, etc. in
the creation of the key (it's possible I'm thinking about some other
subsystem, so somebody tell me if I'm wrong here). But if so, I'd imagine
there are at least 25-35 bits of security in the key then. Which is of
course quite poor, but it would take at least a little while to break each
session key, which (IMHO) is more security than you should expect from
this (which is precisely that given by normal mail, none).

3) Oh, one more thing. An SSL/TLS key is negotiated between the client and
server, and derived from random values sent by each of them. So I don't
think the session keys would actually be vulnerable, unless TLS over SMTP
uses some odd variation from the normal protocol. Unless, of course, both
servers were running a qmail server that wasn't seeding the RNG. :)

Regards,
  Jack
(6909697) /Jack Lloyd <lloyd@acm.jhu.edu>/(rewrapped)

6909574 2001-08-15 10:56 -0500 /44 lines/ Brian Hatch <bugtraq@ifokr.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-15 19:45 by Brevbäraren
External recipient: qmail@list.cr.yp.to
External recipient: jos-tls@kotnet.org
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18778>
Comment on text 6908993 by Felix von Leitner <felix-qmail@fefe.de>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
> openssl-0.9.6b does not allow ssl/tls connections when the random number
> has not been seeded. This is a good idea, and it exposes that the
> starttls patch for qmail does not seed the random number generator.
>
> Here is a small patch that fixes the problem in qmail-remote for systems
> that support /dev/urandom (the same can be done for qmail-smtpd but I
> can't test it right now).
> Not seeding the random number generator is a
> serious bug and it completely compromises the cryptographic privacy of
> TLS encrypted emails.

Not seeding the PRNG is a serious error. However, OpenSSL should seed
from /dev/urandom automatically without even calling RAND_seed:

  OpenSSL makes sure that the PRNG state is unique for each thread. On
  systems that provide /dev/urandom, the randomness device is used to
  seed the PRNG transparently. However, on all other systems, the
  application is responsible for seeding the PRNG by calling RAND_add(),
  RAND_egd(3) or RAND_load_file(3).

So the question becomes *why* is it not seeding from /dev/urandom on its
own?

Also you should make sure to check the return values in your code -- on
systems with no /dev/urandom you will seed with 32-64 bytes of non-random
data instead, giving the appearance of security where there is none.

You may want to check out the RAND_egd() function which can be used to
seed from a PRNG daemon.

If you want to look at some rather long winded but thorough PRNG-seeding
code, see the initialize_prng function (in ssl.c) in the Stunnel source
code.

--
Brian Hatch                     Linux is like wigwam -
 Systems and                    no windows, no gates,
 Security Engineer              apache inside.
www.hackinglinuxexposed.com

Every message PGP signed
(6909574) /Brian Hatch <bugtraq@ifokr.org>/---------
Attachment (application/pgp-signature) in text 6909575

6909575 2001-08-15 10:56 -0500 /10 lines/ Brian Hatch <bugtraq@ifokr.org>
Imported: 2001-08-15 19:45 by Brevbäraren
External recipient: qmail@list.cr.yp.to
External recipient: jos-tls@kotnet.org
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18779>
Attachment (text/plain) to text 6909574
Subject: Attachment to: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjt6m7UACgkQbHrkO1vvTcp/FwCffjurLHKVc2pkSpoBcjOPAy97
YwUAn3qBa7BywfW+PHLJWZBLDHItYe87
=98ok
-----END PGP SIGNATURE-----
(6909575) /Brian Hatch <bugtraq@ifokr.org>/---------

6916107 2001-08-16 10:22 -0700 /35 lines/ Scott Renfro <scott@renfro.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-16 19:41 by Brevbäraren
External recipient: Jack Lloyd <lloyd@acm.jhu.edu>
External Cc recipient: Wojciech Purczynski <wp@supermedia.pl>
External Cc recipient: Felix von Leitner <felix-qmail@fefe.de>
External Cc recipient: qmail@list.cr.yp.to
External Cc recipient: jos-tls@kotnet.org
External Cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18799>
Comment on text 6909697 by Jack Lloyd <lloyd@acm.jhu.edu>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Scott Renfro <scott@renfro.org>
To: Jack Lloyd <lloyd@acm.jhu.edu>
Cc: Wojciech Purczynski <wp@supermedia.pl>, Felix von Leitner <felix-qmail@fefe.de>, qmail@list.cr.yp.to, jos-tls@kotnet.org, bugtraq@securityfocus.com
Message-ID: <20010816102209.I60185@bonsai.home.renfro.org>

On Wed, Aug 15, 2001 at 01:42:05PM -0400, Jack Lloyd wrote:
>
> 2) IIRC, OpenSSL adds a few "random" things like pid, uid, time, etc
> in the creation of the key

On ''Unix'' platforms, it adds getpid(), getuid(), and time(NULL).
Wagner and Goldberg demonstrated how very predictable these values
were years ago with the Netscape browser.

> 3) Oh, one more thing. An SSL/TLS key is negotiated between the
> client and server, and derived from random values sent by each of
> them.

But the client-random and server-random values are public. The only
secret input to the master secret is the pre-master secret which is
entirely supplied by the client. If the PRNG used by the client to
generate the pre-master secret is weak, an attacker that can sniff the
packets can decrypt them with relatively little effort.

In this case, you have to have a working and recognized-by-OpenSSL
/dev/urandom or an alternate source of good entropy.

--Scott

--
Scott Renfro <scott@renfro.org>
(6916107) /Scott Renfro <scott@renfro.org>/(rewrapped)

6917770 2001-08-16 22:47 +0200 /37 lines/ Frederik Vermeulen <jos-tls@kotnet.org>
Sent by: joel@lysator.liu.se
Imported: 2001-08-17 01:12 by Brevbäraren
External recipient: felix-qmail@fefe.de
External Cc recipient: qmail@list.cr.yp.to
External Cc recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18801>
Comment on text 6908993 by Felix von Leitner <felix-qmail@fefe.de>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: Frederik Vermeulen <jos-tls@kotnet.org>
To: felix-qmail@fefe.de
Cc: qmail@list.cr.yp.to, bugtraq@securityfocus.com
Message-ID: <200108162047.WAA04960@lion.imec.be>

Felix von Leitner wrote:
>openssl-0.9.6b does not allow ssl/tls connections when the random number
>has not been seeded. This is a good idea, and it exposes that the
>starttls patch for qmail does not seed the random number generator.

I (patch maintainer) second the response of Brian Hatch in
<20010815105637.A30794@ifokr.org>.

On systems that support /dev/urandom, the openssl library uses it to seed
the PRNG, without the need to call RAND_seed in the application.
On other systems, it will fail to set up a TLS connection as you reported.
This is also the case with openssl versions < 0.9.6b. I see no security
problem with this behavior.

The openssl library provides the possibility to provide PRNG seeding
in the application. This moves the problem of providing a platform
specific PRNG seeding function from the cryptographic library to the
application programmer.
The third way is to have the PRNG seeding code in an entropy gathering
daemon (EGD). This keeps the application code platform-independent (only
EGD interfacing code is needed).

You report that your system has /dev/urandom, but openssl does not
use it. Are you sure DEVRANDOM in openssl/e_os.h was defined to
/dev/urandom when openssl was compiled?

Regards,
Frederik
(6917770) /Frederik Vermeulen <jos-tls@kotnet.org>/-

6933948 2001-08-19 17:29 +0000 /18 lines/ D. J. Bernstein <djb@cr.yp.to>
Sent by: joel@lysator.liu.se
Imported: 2001-08-19 20:31 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External Cc recipient: qmail@list.cr.yp.to
Recipient: Bugtraq (import) <18835>
Comment on text 6909697 by Jack Lloyd <lloyd@acm.jhu.edu>
Subject: Re: qmail starttls patch does not seed the random number generator
------------------------------------------------------------
From: "D. J. Bernstein" <djb@cr.yp.to>
To: bugtraq@securityfocus.com
Cc: qmail@list.cr.yp.to
Message-ID: <20010819172958.8248.qmail@cr.yp.to>

Jack Lloyd writes:
> the fact that qmail doesn't seed the RNG is a serious error

Nonsense. There is no TLS RNG in qmail.

The patch under discussion is not part of qmail. I didn't write the
patch. I haven't reviewed it. I don't distribute it. I don't use it. I
am not responsible for its bugs.

For the record: I have authorized _none_ of the third-party patches that
are available for my software. Most of those patches are garbage.

---Dan
(6933948) /D. J. Bernstein <djb@cr.yp.to>/(rewrapped)
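Editor's added example, not code from Felix von Leitner's patch, from the qmail-tls patch, or from any message in the thread above. It shows a fail-closed seeding helper in C of the kind Wojciech Purczynski and Brian Hatch ask for (check the open() and read() results, never seed from a partial or non-random buffer) and that Jack Lloyd's Solaris remark calls for (accumulate short reads rather than assuming one read() returns all 64 bytes). It assumes a POSIX system whose randomness device is a character device at /dev/urandom; the OpenSSL calls RAND_seed() and RAND_status() sit behind a USE_OPENSSL macro so the file also builds without libcrypto. The function names and the 64-byte seed size are the editor's choices, not anything the thread prescribes.

```c
/* Added example (editor's code, not from the thread or the qmail-tls patch).
 * Assumes POSIX and a character device at /dev/urandom.
 * Build with -DUSE_OPENSSL -lcrypto to actually seed OpenSSL's PRNG. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef USE_OPENSSL
#include <openssl/rand.h>
#endif

#define SEED_BYTES 64   /* same amount the patch's read() asked for */

/* Read exactly `want` bytes from `path` into `buf`.
 * Returns 0 on success, -1 on any failure: open() error, a path that is
 * not a character device, a read() error, or EOF before `want` bytes.
 * Short reads are accumulated; EINTR (e.g. qmail's alarm()) is retried. */
int read_seed_bytes(const char *path, unsigned char *buf, size_t want)
{
    struct stat st;
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;                    /* no device: report it, do not fall through */
    /* A regular file or directory at the path is not an entropy source. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (n == 0) {                 /* device ran dry: refuse a partial seed */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* The decision a caller must make before SSL_connect()/SSL_accept():
 * returns 1 if the PRNG was fed a complete buffer and (with OpenSSL)
 * RAND_status() reports it ready, 0 if the TLS attempt must be aborted.
 * Compare the patch's "if (len>32) RAND_seed(buf,len);", which silently
 * continues on every failure path. */
int seed_prng_or_refuse(const char *path)
{
    unsigned char seed[SEED_BYTES];
    int ok;
    if (read_seed_bytes(path, seed, sizeof seed) != 0)
        return 0;                     /* fail closed */
#ifdef USE_OPENSSL
    RAND_seed(seed, (int)sizeof seed);
    ok = RAND_status() == 1;
#else
    ok = 1;                           /* without libcrypto, a full buffer is the success condition */
#endif
    memset(seed, 0, sizeof seed);     /* do not leave seed material on the stack */
    return ok;
}

int main(void)
{
    /* /dev/null is a character device that returns EOF at once: it exercises
     * the short-read path the original patch skipped over without an error. */
    printf("/dev/urandom: %s\n", seed_prng_or_refuse("/dev/urandom") ? "seeded" : "REFUSED");
    printf("/dev/null:    %s\n", seed_prng_or_refuse("/dev/null") ? "seeded" : "REFUSED");
    printf("/nonexistent: %s\n", seed_prng_or_refuse("/nonexistent/urandom") ? "seeded" : "REFUSED");
    return 0;
}
```

The helper is meant to sit where the patch's block sits, between alarm(timeout) and SSL_connect(), so that a blocking device is still covered by qmail's timeout; the difference from the patch is only that every failure path returns 0 and the caller is expected to abandon the TLS attempt rather than proceed with an unseeded PRNG.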