[git] GCRYPT - branch, LIBGCRYPT-1-5-BRANCH, updated. libgcrypt-1.5.0-11-g542d354
by Milan Broz
cvs at cvs.gnupg.org
Mon Nov 5 21:45:29 CET 2012
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, LIBGCRYPT-1-5-BRANCH has been updated
via 542d354b902c72d7fb19f9a0e5f3f3d21909f21a (commit)
via d020143792013295f20e75e18a2b75d5b2e90c43 (commit)
from 7a37ea4a49916439474b5a0e445333fa72889f55 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 542d354b902c72d7fb19f9a0e5f3f3d21909f21a
Author: Milan Broz <mbroz at redhat.com>
Date: Mon Oct 29 17:18:09 2012 +0100
PBKDF2: Allow empty passphrase.
* cipher/kdf.c (gcry_kdf_derive): Allow empty passphrase for PBKDF2.
* tests/t-kdf.c (check_pbkdf2): Add test case for above.
--
While it is insecure, the PBKDF2 implementations usually
allows to derive key only from salt.
This particular case is used e.g. in cryptsetup when
you use empty file as keyfile for LUKS keyslot.
Test vector is compared with two independent implementations.
Signed-off-by: Milan Broz <mbroz at redhat.com>
diff --git a/cipher/kdf.c b/cipher/kdf.c
index d981022..46e8550 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -238,7 +238,7 @@ gcry_kdf_derive (const void *passphrase, size_t passphraselen,
{
gpg_err_code_t ec;
- if (!passphrase || !passphraselen)
+ if (!passphrase || (!passphraselen && algo != GCRY_KDF_PBKDF2))
{
ec = GPG_ERR_INV_DATA;
goto leave;
diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 7209525..06c0026 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -917,7 +917,15 @@ check_pbkdf2 (void)
16,
"\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37"
"\xd7\xf0\x34\x25\xe0\xc3"
- }
+ },
+ { /* empty password test, not in RFC-6070 */
+ "", 0,
+ "salt", 4,
+ 2,
+ 20,
+ "\x13\x3a\x4c\xe8\x37\xb4\xd2\x52\x1e\xe2"
+ "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97"
+ },
};
int tvidx;
gpg_error_t err;
commit d020143792013295f20e75e18a2b75d5b2e90c43
Author: Werner Koch <wk at gnupg.org>
Date: Mon Nov 5 19:01:01 2012 +0100
Avoid dereferencing pointer right after the end
* mpi/mpicoder.c (do_get_buffer): Check the length before derefing P.
--
Christian Grothoff found this bug using Valgrind.
diff --git a/mpi/mpicoder.c b/mpi/mpicoder.c
index f499796..a3435ed 100644
--- a/mpi/mpicoder.c
+++ b/mpi/mpicoder.c
@@ -270,7 +270,7 @@ do_get_buffer (gcry_mpi_t a, unsigned int *nbytes, int *sign, int force_secure)
/* This is sub-optimal but we need to do the shift operation because
the caller has to free the returned buffer. */
- for (p=buffer; !*p && *nbytes; p++, --*nbytes)
+ for (p=buffer; *nbytes && !*p; p++, --*nbytes)
;
if (p != buffer)
memmove (buffer,p, *nbytes);
-----------------------------------------------------------------------
Summary of changes:
cipher/kdf.c | 2 +-
mpi/mpicoder.c | 2 +-
tests/t-kdf.c | 10 +++++++++-
3 files changed, 11 insertions(+), 3 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
More information about the Gnupg-commits
mailing list