[git] GCRYPT - branch, master, updated. libgcrypt-1.8.1-109-g319f55e

by Werner Koch cvs at cvs.gnupg.org
Fri Oct 26 13:23:47 CEST 2018


The branch, master has been updated
       via  319f55e6e5793c59f1ba4cfe481b562bca42194d (commit)
       via  2e2e68ad4874a4678cfbe452b70ae987e0402eca (commit)
      from  a755bd0ea09af2ae5a66e3f5aeb8707673c687cf (commit)

- Log -----------------------------------------------------------------
commit 319f55e6e5793c59f1ba4cfe481b562bca42194d
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Oct 26 13:22:16 2018 +0200

    random: Make sure to re-open /dev/random after a fork
    
    * random/rndlinux.c (_gcry_rndlinux_gather_random): Detect fork and
    re-open devices.
    --
    
    This mitigates the effect of ill-behaving software which closes the
    standard fds (typically while daemonizing after a fork) and later dups
    /dev/null onto them, so that a descriptor libgcrypt still holds may
    silently refer to a different file.
    
    GnuPG-bug-id: 3491
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/random/rndlinux.c b/random/rndlinux.c
index 1bb7c76..f70bc21 100644
--- a/random/rndlinux.c
+++ b/random/rndlinux.c
@@ -104,9 +104,10 @@ open_device (const char *name, int retry)
 
 
 /* Note that the caller needs to make sure that this function is only
-   called by one thread at a time.  The function returns 0 on success
-   or true on failure (in which case the caller will signal a fatal
-   error).  */
+ * called by one thread at a time.  The function returns 0 on success
+ * or true on failure (in which case the caller will signal a fatal
+ * error).  This function should be entered only by one thread at a
+ * time. */
 int
 _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
                                           enum random_origins),
@@ -117,6 +118,11 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
   static int fd_random = -1;
   static int only_urandom = -1;
   static unsigned char ever_opened;
+  static volatile pid_t my_pid; /* The volatile is there to make sure
+                                 * the compiler does not optimize the
+                                 * code away in case the getpid
+                                 * function is badly attributed. */
+  volatile pid_t apid;
   int fd;
   int n;
   byte buffer[768];
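Review bot: The comment attached to `my_pid` gives a rationale that `volatile` does not actually provide: volatile only guarantees that loads and stores to `my_pid` and `apid` are performed, it does not stop a compiler from folding two calls to a `getpid` declared with a `const`/`pure` attribute, since that decision is made at the call site, not at the store. If the concern is a badly attributed `getpid`, that should be said plainly and the volatile on the automatic `apid` is redundant; if the concern is just that the comparison must never be elided, a shorter comment such as `/* Pid that opened the descriptors; checked on every call to detect a fork. */` would be clearer. `pid_t` needs `<sys/types.h>` or `<unistd.h>`, which this file presumably already includes for read/close but which is not visible in the hunk. The enclosing function starts before and ends after this hunk.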
@@ -130,13 +136,13 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
    * use only urandom.  */
   if (only_urandom == -1)
     {
+      my_pid = getpid ();
       if ((_gcry_random_read_conf () & RANDOM_CONF_ONLY_URANDOM))
         only_urandom = 1;
       else
         only_urandom = 0;
     }
 
-
   if (!add)
     {
       /* Special mode to close the descriptors.  */
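Review bot: Recording `my_pid = getpid ();` inside the `only_urandom == -1` block ties the pid bookkeeping to an unrelated configuration flag and appears redundant: `my_pid` is static and therefore zero-initialised, and the fork check later in this function (outside this hunk) assigns `my_pid = apid` whenever the two differ, with `fd_random` still -1 on the first call (and presumably `fd_urandom` too, its declaration is not shown) so nothing is closed. Either drop the line here, or keep it and explain the coupling with a comment such as `/* Remember the pid now so that a fork before the first gather is detected. */`. The function continues past this hunk.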
@@ -153,6 +159,25 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
       return 0;
     }
 
+  /* Detect a fork and close the devices so that we don't use the old
+   * file descriptors.  Note that open_device will be called in retry
+   * mode if the devices was opened by the parent process.  */
+  apid = getpid ();
+  if (my_pid != apid)
+    {
+      if (fd_random != -1)
+        {
+          close (fd_random);
+          fd_random = -1;
+        }
+      if (fd_urandom != -1)
+        {
+          close (fd_urandom);
+          fd_urandom = -1;
+        }
+      my_pid = apid;
+    }
+
 
   /* First read from a hardware source.  However let it account only
      for up to 50% (or 25% for RDRAND) of the requested bytes.  */
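Review bot: The pid comparison only catches the fork itself, not the underlying problem described in the commit message: an application that closes libgcrypt's descriptor and later reuses that number (for /dev/null or any other file) without forking is not detected, and subsequent reads quietly consume whatever now sits at that fd. A fork-independent guard would be to have `open_device` record the `fstat` result (`st_dev`/`st_ino`, or `st_rdev` for the character device) and to re-check it here before reading, treating a mismatch exactly like the fork case; that keeps the cost to one `fstat` per gather. The ignored `close()` return values are fine, since EBADF is the expected outcome when the application already closed the fd, but a one-line comment `/* Ignore errors: the application may already have closed them.  */` would make that intentional. The body of `_gcry_rndlinux_gather_random` continues after this hunk.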

commit 2e2e68ad4874a4678cfbe452b70ae987e0402eca
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Oct 26 12:57:30 2018 +0200

    primes: Avoid leaking bits of the prime test to pageable memory.
    
    * cipher/primegen.c (gen_prime): Allocate MODS in secure memory.
    --
    
    This increases the pressure on the secure memory by about 1400 bytes,
    which is acceptable now that the size of the secmem area can be
    increased.
    
    GnuPG-bug-id: 3848
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/cipher/primegen.c b/cipher/primegen.c
index ce5ad3c..e24de4d 100644
--- a/cipher/primegen.c
+++ b/cipher/primegen.c
@@ -758,7 +758,8 @@ gen_prime (unsigned int nbits, int secret, int randomlevel,
   if (nbits < 16)
     log_fatal ("can't generate a prime with less than %d bits\n", 16);
 
-  mods = xmalloc (no_of_small_prime_numbers * sizeof *mods);
+  mods = (secret? xmalloc_secure (no_of_small_prime_numbers * sizeof *mods)
+          /* */ : xmalloc (no_of_small_prime_numbers * sizeof *mods));
   /* Make nbits fit into gcry_mpi_t implementation. */
   val_2  = mpi_alloc_set_ui( 2 );
   val_3 = mpi_alloc_set_ui( 3);
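Review bot: The allocation size `no_of_small_prime_numbers * sizeof *mods` is now spelled out twice with an empty `/* */` comment used only to line the branches up, which is easy to let drift apart; hoisting it into `size_t modslen = no_of_small_prime_numbers * sizeof *mods;` and writing `mods = secret ? xmalloc_secure (modslen) : xmalloc (modslen);` says the same thing once. The matching release of `mods` at the end of `gen_prime` is outside this hunk; it should be the `xfree` variant that handles secure memory (and wipes it), which I cannot confirm from here. A short comment on why the residues are sensitive, e.g. `/* The residues reveal bits of the candidate, so keep them out of pageable memory when the prime is secret. */`, would preserve the rationale from the commit message in the code.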

-----------------------------------------------------------------------

Summary of changes:
 cipher/primegen.c |  3 ++-
 random/rndlinux.c | 33 +++++++++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 5 deletions(-)

