PGP source code

Ben Laurie ben at algroup.co.uk
Mon, 03 Sep 2001 13:26:30 +0100


Charles Lindsey wrote:
> 
>         On Sun, 02 Sep 2001 17:38:32 +0100
>         Ben Laurie <ben@algroup.co.uk> said...
> 
> >
> > Charles Lindsey wrote:
> > >
> > > Actually, the main reason I would want to compile it would be to verify
> > > that the result was the same binary as I had already obtained (legally)
> > > from NAI. (How easy is it to do that check in practice?)
> >
> > In my experience, impossible - the problem being that parts of the
> > binary (padding, typically) tend to be from uninitialised data.
> 
> I don't think that makes it impossible - just difficult. What you
> need to show is that everything present in the source code is present
> (and correct) in the binary. Where the source code says "here be an
> uninitialized array", you don't care what is in the binary.

Yes, I meant impossible in the sense of "harder than I have ever been
bothered to make work".

> Other things that can be different arise from 'date of compilation'
> and suchlike embedded in the source code; different order of assembly
> of segments by the loader, thus jumps will apparently go to different
> places; different optimizations performed by the two compilers (which
> may be different versions of the same compiler); different register
> allocations by the two compilations; and so on.

I was assuming you use the same compiler (meaning the same version with
the same options). Though now I think of it things like the use of
libraries that get continually rebuilt could cause major reordering even
then (OpenSSL is a good example of this).

> These problems are all in principle solvable. My question was whether
> this problem had been looked at at all, and whether there were tools
> around to do it.
> 
> For example, if you had binary 1, and used my compiler to produce
> binary2, and then used a decompiler on binary1 and binary2 to produce
> pseudo-source1 and pseudo-source2, and then tried to compare the two
> pseudo-sources, would that be an easier task?

No idea.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
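
Added example, not part of the original message: a masked comparison of two builds along the lines discussed above, where differences inside regions known to hold a build timestamp or uninitialised padding are ignored and anything else is reported. The toy image layout, the offsets in DONT_CARE and all byte values are constructed for illustration.

```python
# Added example: compare two builds, ignoring declared "don't care" regions.
# The layout, offsets and byte values below are constructed for illustration.

def diff_ranges(a: bytes, b: bytes):
    """Half-open (start, end) ranges where a and b differ."""
    n, ranges, start = min(len(a), len(b)), [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):  # a size change is itself a difference
        ranges.append((n, max(len(a), len(b))))
    return ranges

def unexplained(a: bytes, b: bytes, dont_care):
    """Differing ranges left over after removing the don't-care regions."""
    out = []
    for start, end in diff_ranges(a, b):
        pos = start
        for lo, hi in sorted(dont_care):
            if hi <= pos or lo >= end:
                continue  # region does not touch the remaining range
            if lo > pos:
                out.append((pos, lo))  # gap before the region is unexplained
            pos = hi
            if pos >= end:
                break
        if pos < end:
            out.append((pos, end))
    return out

def build(timestamp: int, padding: bytes, code: bytes) -> bytes:
    """Constructed toy image: magic | timestamp | code | padding | data."""
    return b"EXE0" + timestamp.to_bytes(4, "little") + code + padding + b"data"

CODE = bytes.fromhex("5589e531c05dc390")
DONT_CARE = [(4, 8), (16, 20)]  # timestamp field, uninitialised padding
OFFICIAL = build(0x3B936E00, bytes(4), CODE)
REBUILT = build(0x3B94BF80, bytes.fromhex("deadbeef"), CODE)
PATCHED = build(0x3B94BF80, bytes.fromhex("deadbeef"), bytes.fromhex("5589e531c0405dc3"))

if __name__ == "__main__":
    print(unexplained(OFFICIAL, REBUILT, DONT_CARE))
    print(unexplained(OFFICIAL, PATCHED, DONT_CARE))
```

An empty result means every differing byte falls in a region declared irrelevant; it says nothing about reordered segments or different register allocation, which shift code rather than change it in place.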