* random.c (add_randomness): Xor new data into the pool and not

just copy it. This avoids any choosen input attacks which are not serious in our setting because an outsider won't be able to mix data in and even then we keep going with a PRNG. Thanks to Stefan Keller for pointing this out. * random.c (mix_pool): Carry an extra failsafe_digest buffer around to make the function more robust.
2024-12-23 10:29:58 +01:00 · 2002-02-10 21:34:27 +00:00 · 2002-02-10 21:34:27 +00:00 · 35aec9eee2
commit 35aec9eee2
parent 22f32c9472
2 changed files with 29 additions and 2 deletions
--- a/cipher/ChangeLog
+++ b/cipher/ChangeLog
@ -1,3 +1,16 @@
+2002-02-10  Werner Koch  <wk@gnupg.org>
+
+	* random.c (mix_pool): Carry an extra failsafe_digest buffer
+	around to make the function more robust.
+
+2002-02-08  Werner Koch  <wk@gnupg.org>
+
+	* random.c (add_randomness): Xor new data into the pool and not
+	just copy it.  This avoids any choosen input attacks which are not
+	serious in our setting because an outsider won't be able to mix
+	data in and even then we keep going with a PRNG.  Thanks to Stefan
+	Keller for pointing this out.
+
 2002-01-02  Stefan Bellon  <sbellon@sbellon.de>

 	* rndriscos.c [__riscos__]: Updated include file name.
--- a/cipher/random.c
+++ b/cipher/random.c
@ -57,6 +57,7 @@
 #include "random.h"
 #include "rand-internal.h"
 #include "dynload.h"
+#include "cipher.h" /* only used for the rmd160_hash_buffer() prototype */


 #ifndef RAND_MAX   /* for SunOS */
@ -100,6 +101,9 @@ static int did_initial_extra_seeding;
 static char *seed_file_name;
 static int allow_seed_file_update;

+static unsigned char failsafe_digest[DIGESTLEN];
+static int failsafe_digest_valid;
+
 static int secure_alloc;
 static int quick_test;
 static int faked_rng;
@ -259,6 +263,11 @@ mix_pool(byte *pool)
    memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
    rmd160_mixblock( &md, hashbuf);
    memcpy(pool, hashbuf, 20 );
+    if (failsafe_digest_valid && (char*)pool == rndpool)
+      {
+        for (i=0; i < 20; i++)
+          pool[i] ^= failsafe_digest[i];
+      }

    p = pool;
    for( n=1; n < POOLBLOCKS; n++ ) {
@ -279,7 +288,12 @@ mix_pool(byte *pool)
 	rmd160_mixblock( &md, hashbuf);
 	memcpy(p, hashbuf, 20 );
    }
-    burn_stack (200); /* for the rmd160_mixblock() */
+    if ((char*)pool == rndpool)
+      {
+        rmd160_hash_buffer (failsafe_digest, pool, POOLSIZE);
+        failsafe_digest_valid = 1;
+      }
+    burn_stack (384); /* for the rmd160_mixblock(), rmd160_hash_buffer */
 }


@ -528,7 +542,7 @@ add_randomness( const void *buffer, size_t length, int source )
    rndstats.addbytes += length;
    rndstats.naddbytes++;
    while( length-- ) {
-	rndpool[pool_writepos++] = *p++;
+	rndpool[pool_writepos++] ^= *p++;
 	if( pool_writepos >= POOLSIZE ) {
 	    if( source > 1 )
 		pool_filled = 1;