[hurd] 11/25: random: Hash continuous areas in the csprng pool.
From: Samuel Thibault
Subject: [hurd] 11/25: random: Hash continuous areas in the csprng pool.
Date: Mon, 24 Oct 2016 00:16:44 +0000
This is an automated email from the git hooks/post-receive script.
sthibault pushed a commit to branch upstream
in repository hurd.
commit 4fb81a7e92d0cd6d854a4a020f34b948ad6ce29b
Author: Justus Winter <address@hidden>
Date: Tue Sep 6 09:47:02 2016 +0200
random: Hash continuous areas in the csprng pool.
* random/gnupg-random.c (mix_pool): Store the first hash at the end of
the pool.
--
This fixes a long-standing bug (since 1998) in Libgcrypt and GnuPG.
An attacker who obtains 580 bytes of the random number from the
standard RNG can trivially predict the next 20 bytes of output.
The bug was found and reported by Felix Dörre and Vladimir Klebanov,
Karlsruhe Institute of Technology. A paper describing the problem in
detail will shortly be published.
This is a port of c6dbfe89 from the GnuPG classic branch.
CVE-id: CVE-2016-6313
---
random/gnupg-random.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/random/gnupg-random.c b/random/gnupg-random.c
index 3cf7812..a4df694 100644
--- a/random/gnupg-random.c
+++ b/random/gnupg-random.c
@@ -276,23 +276,21 @@ mix_pool(byte *pool)
#if DIGESTLEN != 20
#error must have a digest length of 20 for ripe-md-160
#endif
- /* loop over the pool */
+ /* pool -> pool' */
pend = pool + POOLSIZE;
memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
rmd160_mixblock( &md, hashbuf);
- memcpy(pool, hashbuf, 20 );
+ memcpy(pool, hashbuf, DIGESTLEN);
+ /* Loop for the remaining iterations. */
p = pool;
for( n=1; n < POOLBLOCKS; n++ ) {
- memcpy(hashbuf, p, DIGESTLEN );
-
- p += DIGESTLEN;
- if( p+DIGESTLEN+BLOCKLEN < pend )
- memcpy(hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN);
+ if( p + BLOCKLEN < pend )
+ memcpy(hashbuf, p, BLOCKLEN);
else {
- byte *pp = p+DIGESTLEN;
- for(i=DIGESTLEN; i < BLOCKLEN; i++ ) {
+ byte *pp = p;
+ for(i=0; i < BLOCKLEN; i++ ) {
if( pp >= pend )
pp = pool;
hashbuf[i] = *pp++;
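Review bot: the fast-path test `if( p + BLOCKLEN < pend )` is off by one in the conservative direction: when `p + BLOCKLEN == pend` the 64-byte window still fits inside the pool, but execution drops into the byte-wise wrap loop, which gathers the same bytes because `pp >= pend` only fires past the end. Harmless, so this is a style point; `<=` would let the fast path cover every in-bounds window instead of inheriting the old `p+DIGESTLEN+BLOCKLEN < pend` shape. The new comment `/* pool -> pool' */` says less than the code it replaced `/* loop over the pool */` did, while the code now does more: a sentence stating that the window starts at the previous digest and therefore includes the block the next step overwrites would document the substance of the fix at the point where a reader looks for it. Replacing the literal `20` in `memcpy(pool, hashbuf, DIGESTLEN)` is welcome given the `#if DIGESTLEN != 20` guard right above.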
@@ -300,7 +298,8 @@ mix_pool(byte *pool)
}
rmd160_mixblock( &md, hashbuf);
- memcpy(p, hashbuf, 20 );
+ p += DIGESTLEN;
+ memcpy(p, hashbuf, DIGESTLEN);
}
burn_stack (200); /* for the rmd160_mixblock() */
}
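Review bot: moving `p += DIGESTLEN` ahead of `memcpy(p, hashbuf, DIGESTLEN)` is what ties this hunk to the previous one: the 64 bytes gathered from the old `p` and the 20 bytes written at the new `p` overlap, so each block is replaced by a digest that took the block's current contents as input, which the pre-patch flow (copy 20 bytes from `p`, advance, then read from `p+DIGESTLEN`) never did. A one-line comment at the increment saying the digest must land inside its own input window would stop a later cleanup from "simplifying" the order back. The second literal `20` is gone here as well; `burn_stack (200)` is unchanged, which is fine since `hashbuf` is the same size as before.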
--
Alioth's /usr/local/bin/git-commit-notice on
/srv/git.debian.org/git/pkg-hurd/hurd.git
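An added C example, not code from the Hurd or GnuPG sources, that turns the commit message's claim into a check a regression test would make: with the pre-patch loop, the last 20 bytes of the mixed pool can be recomputed from the other 580, and with the post-patch loop they cannot. It reuses the loop shapes from the diff above, but everything else is assumed: POOLSIZE = 600 (which matches the 580 + 20 bytes in the message), a small stand-in mixer in place of rmd160_mixblock(), and the memcpy fast path folded into the byte-wise wrap loop.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes as the diff uses them; POOLSIZE = 600 is an assumption that matches
 * the 580 + 20 bytes in the commit message (30 blocks of 20 bytes). */
#define DIGESTLEN  20
#define BLOCKLEN   64
#define POOLSIZE   600
#define POOLBLOCKS (POOLSIZE / DIGESTLEN)
typedef unsigned char byte;

/* Stand-in for rmd160_mixblock(): NOT RIPEMD-160, only a small mixer in which
 * every one of the 64 input bytes influences the 20-byte result left in
 * hashbuf[0..19]. That is all the pool logic below relies on. */
static void toy_mixblock(byte *hashbuf)
{
    uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
    for (int i = 0; i < BLOCKLEN; i++) {
        h[i % 5] = (h[i % 5] ^ hashbuf[i]) * 0x01000193u;      /* FNV-1a style step */
        h[(i + 1) % 5] ^= (h[i % 5] << 7) | (h[i % 5] >> 25);  /* spill into the next word */
    }
    for (int i = 0; i < 5; i++)
        for (int j = 0; j < 4; j++)
            hashbuf[4 * i + j] = (byte)(h[i] >> (8 * j));
}

/* mix_pool() following the structure in the diff. skip_target = 1 is the
 * pre-patch loop body, 0 the post-patch one. The memcpy fast path of the
 * original is folded into the byte-wise wrap loop: the same bytes are
 * gathered, the loop merely also handles the end of the pool. */
static void mix_pool(byte *pool, int skip_target)
{
    byte *p, *pend, *pp, hashbuf[BLOCKLEN];
    int i, n;

    /* First block: tail of the pool followed by its head (unchanged by the patch). */
    pend = pool + POOLSIZE;
    memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN);
    memcpy(hashbuf + DIGESTLEN, pool, BLOCKLEN - DIGESTLEN);
    toy_mixblock(hashbuf);
    memcpy(pool, hashbuf, DIGESTLEN);

    p = pool;
    for (n = 1; n < POOLBLOCKS; n++) {
        if (skip_target) {
            /* Pre-patch: previous digest, then the 44 bytes *after* the block that
             * is about to be overwritten. That block itself never enters the hash. */
            memcpy(hashbuf, p, DIGESTLEN);
            p += DIGESTLEN;
            pp = p + DIGESTLEN;
            i = DIGESTLEN;
        } else {
            /* Post-patch: one contiguous 64-byte window starting at the previous
             * digest, so it covers the block being replaced. */
            pp = p;
            i = 0;
            p += DIGESTLEN;
        }
        for (; i < BLOCKLEN; i++) {
            if (pp >= pend)
                pp = pool;
            hashbuf[i] = *pp++;
        }
        toy_mixblock(hashbuf);
        memcpy(p, hashbuf, DIGESTLEN);
    }
}

/* Regression check for the property the commit message describes: knowing the
 * first 580 bytes of the mixed pool (blocks 0..28), recompute the last block as
 * hash(block 28 || blocks 0, 1 and 4 bytes of block 2), which is exactly the
 * window the pre-patch loop feeds to the hash for that block. Returns 1 if the
 * recomputation matches the real last block. */
static int last_block_predictable(int skip_target)
{
    byte pool[POOLSIZE], guess[BLOCKLEN];

    /* Constructed pool contents; a real pool would hold gathered entropy. */
    for (int i = 0; i < POOLSIZE; i++)
        pool[i] = (byte)(i * 73 + 41);

    mix_pool(pool, skip_target);

    memcpy(guess, pool + POOLSIZE - 2 * DIGESTLEN, DIGESTLEN);  /* block 28 */
    memcpy(guess + DIGESTLEN, pool, BLOCKLEN - DIGESTLEN);      /* wrap: bytes 0..43 */
    toy_mixblock(guess);

    return memcmp(guess, pool + POOLSIZE - DIGESTLEN, DIGESTLEN) == 0;
}

int main(void)
{
    printf("pre-patch loop:  last block recomputable from the other 580 bytes? %s\n",
           last_block_predictable(1) ? "yes" : "no");
    printf("post-patch loop: last block recomputable from the other 580 bytes? %s\n",
           last_block_predictable(0) ? "yes" : "no");
    return 0;
}
```

The pre-patch result is deterministic: the last block's hash input consists only of blocks that were already rewritten earlier in the same call, so it is a pure function of the other 580 bytes. After the patch the input also contains the old contents of the last block, which are not among those bytes, and the recomputation fails. The same check can be kept as a unit test around any pool-mixing routine: every block's replacement digest must depend on the block it replaces.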