Univention Bugzilla – Attachment 8440 Details for
Bug 43592
gnupg: Multiple issues (ES 3.3)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
0047-random-Hash-continuous-areas-in-the-csprng-pool.patch
0047-random-Hash-continuous-areas-in-the-csprng-pool.patch (text/plain), 2.97 KB, created by
Arvid Requate
on 2017-02-21 00:32 CET
(
hide
)
Description:
0047-random-Hash-continuous-areas-in-the-csprng-pool.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2017-02-21 00:32 CET
Size:
2.97 KB
patch
obsolete
>From c6dbfe89903d0c8191cf50ecf1abb3c8458b427a Mon Sep 17 00:00:00 2001 >From: Werner Koch <wk@gnupg.org> >Date: Wed, 17 Aug 2016 11:15:50 +0200 >Subject: [PATCH 2/2] random: Hash continuous areas in the csprng pool. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >* cipher/random.c (mix_pool): Store the first hash at the end of the >pool. >-- > >This fixes a long standing bug (since 1998) in Libgcrypt and GnuPG. >An attacker who obtains 580 bytes of the random number from the >standard RNG can trivially predict the next 20 bytes of output. > >This bug does not affect the default generation of >keys because running gpg for key creation creates at most 2 keys from >the pool: For a single 4096 bit RSA key 512 byte of random are >required and thus for the second key (encryption subkey), 20 bytes >could be predicted from the the first key. However, the security of >an OpenPGP key depends on the primary key (which was generated first) >and thus the 20 predictable bytes should not be a problem. For the >default key length of 2048 bit nothing will be predictable. > >For the former default of DSA+Elgamal key it is complicate to give an >answer: For 2048 bit keys a pool of 30 non-secret candidate primes of >about 300 bits each are first created. This reads at least 1140 bytes >from the pool and thus parts could be predicted. At some point a 256 >bit secret is read from the pool; which in the worst case might be >partly predictable. > >The bug was found and reported by Felix Dörre and Vladimir Klebanov, >Karlsruhe Institute of Technology. A paper describing the problem in >detail will shortly be published. > >CVE-id: CVE-2016-6313 >Signed-off-by: Werner Koch <wk@gnupg.org> >--- > cipher/random.c | 15 +++++++-------- > 1 file changed, 7 insertions(+), 8 deletions(-) > >diff --git a/cipher/random.c b/cipher/random.c >index be2f51a..5f7de51 100644 >--- a/cipher/random.c >+++ b/cipher/random.c >@@ -360,23 +360,21 @@ mix_pool(byte *pool) > #if DIGESTLEN != 20 > #error must have a digest length of 20 for ripe-md-160 > #endif >- /* loop over the pool */ >+ /* pool -> pool' */ > pend = pool + POOLSIZE; > memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN ); > memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN); > rmd160_mixblock( &md, hashbuf); > memcpy(pool, hashbuf, 20 ); > >+ /* Loop for the remaining iterations. */ > p = pool; > for( n=1; n < POOLBLOCKS; n++ ) { >- memcpy(hashbuf, p, DIGESTLEN ); >- >- p += DIGESTLEN; >- if( p+DIGESTLEN+BLOCKLEN < pend ) >- memcpy(hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN); >+ if( p + BLOCKLEN < pend ) >+ memcpy(hashbuf, p, BLOCKLEN); > else { >- char *pp = p+DIGESTLEN; >- for(i=DIGESTLEN; i < BLOCKLEN; i++ ) { >+ char *pp = p; >+ for(i=0; i < BLOCKLEN; i++ ) { > if( pp >= pend ) > pp = pool; > hashbuf[i] = *pp++; >@@ -384,6 +382,7 @@ mix_pool(byte *pool) > } > > rmd160_mixblock( &md, hashbuf); >+ p += DIGESTLEN; > memcpy(p, hashbuf, 20 ); > } > burn_stack (384); /* for the rmd160_mixblock() */ >-- >2.1.4 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
Actions:
View
|
Diff
Attachments on
bug 43592
: 8440