Date:	Wed, 13 Jun 2007 00:29:51 -0500
From:	Matt Mackall <mpm@...enic.com>
To:	linux@...izon.com, akpm@...ux-foundation.org
Cc:	bgilbert@...cmu.edu, linux-kernel@...r.kernel.org,
	Theodore Tso <tytso@....edu>
Subject: [PATCH] random: fix folding

On Tue, Jun 12, 2007 at 01:05:44AM -0400, linux@...izon.com wrote:
> I also noticed a glaring BUG in the folding at the end of extract_buf at
> drivers/char/random.c:797.  That should be:
> 
> 	/*
> 	 * In case the hash function has some recognizable
> 	 * output pattern, we fold it in half.
> 	 */
> 
> 	buf[0] ^= buf[4];
> 	buf[1] ^= buf[3];
> 	buf[2] ^= rol32(buf[2], 16);	// <--- Bug was here
> 	memcpy(out, buf, EXTRACT_SIZE);
> 	memset(buf, 0, sizeof(buf));
> 
> if the code is to match the comment.

Conveniently, the random.c maintainer is reading this thread. Good
spotting, not sure how I bungled that.

----
random: fix output buffer folding

(As reported by linux@...izon.com)

Folding is done to minimize the theoretical possibility of systematic
weakness in the particular bits of the SHA1 hash output. The result of
this bug is that 16 out of 80 bits are un-folded. Without a major new
vulnerability being found in SHA1, this is harmless, but still worth
fixing.

Signed-off-by: Matt Mackall <mpm@...enic.com>

Index: mm/drivers/char/random.c
===================================================================
--- mm.orig/drivers/char/random.c	2007-06-12 23:50:54.000000000 -0500
+++ mm/drivers/char/random.c	2007-06-12 23:51:51.000000000 -0500
@@ -794,7 +794,7 @@ static void extract_buf(struct entropy_s
 
 	buf[0] ^= buf[3];
 	buf[1] ^= buf[4];
-	buf[0] ^= rol32(buf[3], 16);
+	buf[2] ^= rol32(buf[2], 16);
 	memcpy(out, buf, EXTRACT_SIZE);
 	memset(buf, 0, sizeof(buf));
 }
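
Review bot: the new `buf[2] ^= rol32(buf[2], 16);` line needs a short comment, because it is the only fold step that mixes a word with itself. After it both 16-bit halves of buf[2] hold the same value (high half XOR low half), so it only acts as a fold because the 80-bit output described in the commit message takes just one of those halves via `memcpy(out, buf, EXTRACT_SIZE)`; which half is copied does not matter, so the line is endian-neutral. The commit message could also note that the removed line XORed buf[3] into buf[0] a second time (rotated), and that the pairing kept in the context lines (0 with 3, 1 with 4) differs from the one in the quoted report (0 with 4, 1 with 3); both cover all five words, so the code needs no change for that.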


-- 
Mathematics is the supreme nostalgia of our time.