From: Ben Laurie
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Date: Wed, 23 Apr 2014 09:51:03 +0100
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?

On 22 April 2014 22:28, Ronald F. Guilmette wrote:
>
> In message ,
> Charles Swiger wrote:
>
>> On Apr 21, 2014, at 6:38 PM, Ronald F. Guilmette wrote:
>>> In the aftermath of this whole OpenSSL brouhaha... which none other than
>>> Bruce Schneier publicly pronounced to be a 12, on a scale from 1 to 10,
>>> in terms of awfulness... I do wonder if anyone has taken the time or effort
>>> to run the OpenSSL sources through any kind of analyzer to try to obtain
>>> some of the standard sorts of software science metrics on it.
>>
>> Sure. Running clang's static analyzer against openssl-1.0.1g yields:
>>
>> Bug Type                                        Quantity
>> All Bugs                                        182
>>
>> Dead store
>>   Dead assignment                               121
>>   Dead increment                                12
>>   Dead initialization                           2
>>
>> Logic error
>>   Assigned value is garbage or undefined        3
>>   Branch condition evaluates to a garbage value 1
>>   Dereference of null pointer                   27
>>   Division by zero                              1
>>   Result of operation is garbage or undefined   9
>>   Uninitialized argument value                  2
>>
>> Unix API                                        4
>
> Thank you for doing this.
>
> Perhaps it goes without saying, but I'll say it anyway. The above results
> are at once both enlightening and disgusting.
>
> Apparently, the OpenBSD guys are reorganizing/rewriting OpenSSL. I hope
> that they take the time to do what you have done *and* also to drive every
> bleedin' last one of these numbers to zero. I feel sure that the vast
> majority of the issues uncovered by clang are not in any sense exploitable,
> however it's the one or two or three that are that worry me.
>
>
> Regards,
> rfg
>
>
> P.S. I was reading last night about VP8. In that case, apparently,
> the formal specification for that protocol *is* the code. (See RFC
> 6386, Section 1.)
>
> If you have time, Charles, perhaps you could run this same analysis on
> that code too, and report numbers for that as well.
>
> I am *not* looking forward to the day when I'll be rooted because I was
> watching funny kitten videos on YouTube.

So where are your patches to fix these issues?
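Added example, not code from this thread or from OpenSSL: constructed C showing two of the finding classes in Charles's table, "Dereference of null pointer" (the class rfg is worried about) and "Dead assignment", each beside the form the clang analyzer no longer reports. The `alloc_fn` hook and all function names are my own, used so the NULL path can be exercised offline.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example (not OpenSSL code). alloc_fn lets a test substitute
 * an allocator that fails, so the NULL path is reachable without OOM. */
typedef void *(*alloc_fn)(size_t);

/* "Dereference of null pointer": the allocation result is used unchecked. */
char *copy_unchecked(const char *src, alloc_fn alloc)
{
    size_t n = strlen(src) + 1;
    char *out = alloc(n);
    memcpy(out, src, n);   /* analyzer: 'out' may be NULL here */
    return out;
}

/* Hardened form: the NULL result is checked and propagated to the caller. */
char *copy_checked(const char *src, alloc_fn alloc)
{
    size_t n = strlen(src) + 1;
    char *out = alloc(n);
    if (out == NULL)
        return NULL;
    memcpy(out, src, n);
    return out;
}

/* "Dead assignment": the initial value of 'ret' is overwritten before it is
 * ever read. Harmless on its own, but it is the pattern that often hides a
 * dropped error path, which is why the count is worth reviewing. */
int status_with_dead_store(int ok)
{
    int ret = -1;          /* analyzer: value stored to 'ret' is never read */
    ret = ok ? 0 : 1;
    return ret;
}

/* Same behaviour with the dead store removed. */
int status_clean(int ok)
{
    return ok ? 0 : 1;
}

/* Allocator that always fails, used to exercise the NULL path offline. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}
```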