[Pkg-gnupg-commit] [gnupg1] 21/35: random: Hash continuous areas in the csprng pool.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Aug 29 14:48:41 UTC 2016


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg1.

commit c6dbfe89903d0c8191cf50ecf1abb3c8458b427a
Author: Werner Koch <wk at gnupg.org>
Date:   Wed Aug 17 11:15:50 2016 +0200

    random: Hash continuous areas in the csprng pool.
    
    * cipher/random.c (mix_pool): Store the first hash at the end of the
    pool.
    --
    
    This fixes a long-standing bug (since 1998) in Libgcrypt and GnuPG.
    An attacker who obtains 580 bytes of the random number from the
    standard RNG can trivially predict the next 20 bytes of output.
    
    This bug does not affect the default generation of
    keys because running gpg for key creation creates at most 2 keys from
    the pool: For a single 4096 bit RSA key 512 bytes of random are
    required and thus for the second key (encryption subkey), 20 bytes
    could be predicted from the first key.  However, the security of
    an OpenPGP key depends on the primary key (which was generated first)
    and thus the 20 predictable bytes should not be a problem.  For the
    default key length of 2048 bit nothing will be predictable.
    
    For the former default of DSA+Elgamal key it is complicated to give an
    answer: For 2048 bit keys a pool of 30 non-secret candidate primes of
    about 300 bits each is first created.  This reads at least 1140 bytes
    from the pool and thus parts could be predicted.  At some point a 256
    bit secret is read from the pool, which in the worst case might be
    partly predictable.
    
    The bug was found and reported by Felix Dörre and Vladimir Klebanov,
    Karlsruhe Institute of Technology.  A paper describing the problem in
    detail will shortly be published.
    
    CVE-id: CVE-2016-6313
    Signed-off-by: Werner Koch <wk at gnupg.org>
---
 cipher/random.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/cipher/random.c b/cipher/random.c
index be2f51a..5f7de51 100644
--- a/cipher/random.c
+++ b/cipher/random.c
@@ -360,23 +360,21 @@ mix_pool(byte *pool)
 #if DIGESTLEN != 20
 #error must have a digest length of 20 for ripe-md-160
 #endif
-    /* loop over the pool */
+    /* pool -> pool' */
     pend = pool + POOLSIZE;
     memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
     memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
     rmd160_mixblock( &md, hashbuf);
     memcpy(pool, hashbuf, DIGESTLEN);
 
+    /* Loop for the remaining iterations.  */
     p = pool;
     for( n=1; n < POOLBLOCKS; n++ ) {
-	memcpy(hashbuf, p, DIGESTLEN );
-
-	p += DIGESTLEN;
-	if( p+DIGESTLEN+BLOCKLEN < pend )
-	    memcpy(hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN);
+	if( p + BLOCKLEN < pend )
+	    memcpy(hashbuf, p, BLOCKLEN);
 	else {
-	    char *pp = p+DIGESTLEN;
-	    for(i=DIGESTLEN; i < BLOCKLEN; i++ ) {
+	    char *pp = p;
+	    for(i=0; i < BLOCKLEN; i++ ) {
 		if( pp >= pend )
 		    pp = pool;
 		hashbuf[i] = *pp++;
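Review bot: the fast-path test `if( p + BLOCKLEN < pend )` sends the iteration whose block ends exactly at `pend` through the byte-wise wrap-around loop although no wrap is needed there; `<=` would keep that case on the `memcpy(hashbuf, p, BLOCKLEN)` path, and the `if( pp >= pend ) pp = pool;` check still handles the genuinely wrapping tail correctly. Also, `/* pool -> pool' */` says less than the comment it replaces: since the first block intentionally hashes the last DIGESTLEN bytes of the pool followed by the first BLOCKLEN-DIGESTLEN bytes, a comment stating that would make the wrap visibly deliberate to the next reader.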
@@ -384,6 +382,7 @@ mix_pool(byte *pool)
 	}
 
 	rmd160_mixblock( &md, hashbuf);
+        p += DIGESTLEN;
 	memcpy(p, hashbuf, DIGESTLEN);
     }
     burn_stack (384); /* for the rmd160_mixblock() */
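Review bot: `p += DIGESTLEN;` is indented with spaces while the surrounding lines use tabs; match the existing indentation. On the logic, moving the increment after `rmd160_mixblock` is what, together with the full `BLOCKLEN` copy in the previous hunk, makes each hashed area continuous: the input window now starts at the previously written digest and the result lands in the following DIGESTLEN bytes, so the final iteration stores at `pend - DIGESTLEN`, exactly the bytes the first step of the next `mix_pool` call reads. That invariant deserves a comment next to the store, since the one-line ChangeLog entry does not explain it.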

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg1.git