[openssl.org #2747] valgrind suppressions file to suppress warnings from Python/openssl

Showing 1-2 of 2 messages
[openssl.org #2747] valgrind suppressions file to suppress warnings from Python/openssl "Zooko Wilcox-O'Hearn via RT" 3/2/12 3:36 AM
Folks:

The buildbot for the Tahoe-LAFS project runs CPython under valgrind on
Fedora, and valgrind emits warnings like this:

==30127== Conditional jump or move depends on uninitialised value(s)
==30127==    at 0x4C2AD01: bcmp (mc_replace_strmem.c:889)
==30127==    by 0xC1D1646: fips_get_entropy (fips_drbg_lib.c:166)
==30127==    by 0xC1D1D6E: FIPS_drbg_instantiate (fips_drbg_lib.c:234)
==30127==    by 0xC15F590: RAND_init_fips (rand_lib.c:286)
==30127==    by 0xC0F54D3: OPENSSL_init_library (o_init.c:106)
==30127==    by 0xBE76AF8: SSL_library_init (ssl_algs.c:68)
==30127==    by 0xBC2B39D: init_hashlib (in
/usr/lib64/python2.7/lib-dynload/_hashlib.so)
==30127==    by 0x4F1DB00: _PyImport_LoadDynamicModule (in
/usr/lib64/libpython2.7.so.1.0)

You can see the full output from such a buildbot run here:

https://tahoe-lafs.org/buildbot-pycryptopp/builders/Ruben%20Fedora%20syslib/builds/58/steps/test%20valgrind/logs/valgrind

Here is information about the versions of software involved:

https://tahoe-lafs.org/buildbot-pycryptopp/builders/Ruben%20Fedora%20syslib/builds/58/steps/show-tool-versions/logs/stdio

The owner of the buildslave machine says that the openssl package was
"openssl-1.0.1-0.1.beta2.fc17.x86_64".

Not having looked closer, I assume this is just a case of using
uninitialized memory as part of the initialization of the PRNG.
Accordingly, I wrote suppressions stanzas for our valgrind
suppressions file
(https://tahoe-lafs.org/trac/pycryptopp/browser/git/misc/coding_helpers/python.supp
), which made the warnings go away.

Appended are the suppression expressions.

If there's any interest, I could write a patch for openssl to zero out
memory before using it in the PRNG. I assume that you have discussed
that before now and decided against it, but if you want a patch that
does that, let me know.

I opened this ticket on launchpad.net to track the handling of this
issue in various projects such as openssl, pycryptopp, CPython,
valgrind, and Fedora:

https://bugs.launchpad.net/pycryptopp/+bug/944585

Regards,

Zooko

# generated on buildbot.rubenkerkhof.com, which had, according to Ruben
# Fedora's package "openssl-1.0.1-0.1.beta2.fc17.x86_64"
{
   buildbot.rubenkerkhof.com cond fips openssl 1
   Memcheck:Cond
   fun:bcmp
   fun:fips_get_entropy
   fun:FIPS_drbg_instantiate
   fun:RAND_init_fips
   fun:OPENSSL_init_library
   fun:SSL_library_init
   fun:init_hashlib
}

{
   buildbot.rubenkerkhof.com cond fips openssl 2
   Memcheck:Cond
   fun:fips_get_entropy
   fun:FIPS_drbg_instantiate
   fun:RAND_init_fips
   fun:OPENSSL_init_library
   fun:SSL_library_init
   fun:init_hashlib
}

{
   buildbot.rubenkerkhof.com val _x86_64_AES_encrypt_compact
   Memcheck:Value8
   fun:_x86_64_AES_encrypt_compact
   fun:AES_encrypt
}

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       opens...@openssl.org
Automated List Manager                           majo...@openssl.org

[openssl.org #2747] valgrind suppressions file to suppress warnings from Python/openssl "Stephen Henson via RT" 3/2/12 6:51 AM
> [zo...@zooko.com - Fri Mar 02 12:36:14 2012]:
>
> If there's any interest, I could write a patch for openssl to zero out
> memory before using it in the PRNG. I assume that you have discussed
> that before now and decided against it, but if you want a patch that
> does that, let me know.
>

This is an option already: try compiling OpenSSL with -DPURIFY

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org