[git] GCRYPT - branch, LIBGCRYPT-1.8-BRANCH, updated. libgcrypt-1.8.3-13-g0973c3f
by Daniel Kahn Gillmor
cvs at cvs.gnupg.org
Fri Oct 26 13:52:18 CEST 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, LIBGCRYPT-1.8-BRANCH has been updated
via 0973c3f9ee7a9ad7c97b77849ed33ecd6789c787 (commit)
via 60885655756dd0427872b8f01c06da14eab5af70 (commit)
via 5b1d022293c5779b1150a7653cce4e3bf494a07c (commit)
from 99a5babfd1e759310db8ab8b11d182f2e139dfb1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 0973c3f9ee7a9ad7c97b77849ed33ecd6789c787
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Sep 5 10:34:04 2018 -0400
random: use getrandom() on Linux where available
* random/rndlinux.c (_gcry_rndlinux_gather_random): use the
getrandom() syscall on Linux if it exists, regardless of what kind of
entropy was requested.
--
This change avoids the serious usability problem of unnecessary
blocking on /dev/random when the kernel's PRNG is already seeded,
without introducing the risk of pulling from an uninitialized PRNG.
It only has an effect on Linux systems with a functioning getrandom()
syscall. If that syscall is unavailable or fails, it should fall
through to the pre-existing behavior.
GnuPG-bug-id: 3894
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
(cherry picked from commit 7e662680c170968661ee0105d132813f8281d229)
diff --git a/random/rndlinux.c b/random/rndlinux.c
index f70bc21..fefc3c3 100644
--- a/random/rndlinux.c
+++ b/random/rndlinux.c
@@ -245,17 +245,16 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
struct timeval tv;
int rc;
- /* If we have a modern Linux kernel and we want to read from the
- * the non-blocking /dev/urandom, we first try to use the new
+ /* If we have a modern Linux kernel, we first try to use the new
* getrandom syscall. That call guarantees that the kernel's
* RNG has been properly seeded before returning any data. This
* is different from /dev/urandom which may, due to its
* non-blocking semantics, return data even if the kernel has
- * not been properly seeded. Unfortunately we need to use a
+ * not been properly seeded. And it differs from /dev/random by never
+ * blocking once the kernel is seeded. Unfortunately we need to use a
* syscall and not a new device and thus we are not able to use
* select(2) to have a timeout. */
#if defined(__linux__) && defined(HAVE_SYSCALL) && defined(__NR_getrandom)
- if (fd == fd_urandom)
{
long ret;
size_t nbytes;
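Review bot: with the `if (fd == fd_urandom)` guard removed, the `#if ... __NR_getrandom` block now runs for strong-random requests too, so the unchanged caveat in this comment, "we are not able to use select(2) to have a timeout", now applies to every caller: a request issued before the kernel is seeded blocks inside the syscall with no timeout and no progress notification, where the old /dev/random path could poll with select(2). That is the intended trade-off of the commit, but it belongs in the function comment, and the bare `{` block left under the `#if` deserves a one-line comment saying why it is no longer conditional.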
@@ -272,7 +271,7 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
}
while (ret == -1 && errno == EINTR);
if (ret == -1 && errno == ENOSYS)
- ; /* The syscall is not supported - fallback to /dev/urandom. */
+ ; /* The syscall is not supported - fallback to pulling from fd. */
else
{ /* The syscall is supported. Some sanity checks. */
if (ret == -1)
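Review bot: only `errno == ENOSYS` falls through to the device read; any other failure goes into the `else` branch's sanity checks, so the commit message's "if that syscall is unavailable or fails, it should fall through to the pre-existing behavior" promises more than this hunk shows. A seccomp filter that rejects the syscall typically returns EPERM rather than ENOSYS; consider `if (ret == -1 && (errno == ENOSYS || errno == EPERM))` here, or state in the comment that the `if (ret == -1)` path below also falls back instead of aborting.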
commit 60885655756dd0427872b8f01c06da14eab5af70
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 26 13:22:16 2018 +0200
random: Make sure to re-open /dev/random after a fork
* random/rndlinux.c (_gcry_rndlinux_gather_random): Detect fork and
re-open devices.
--
This mitigates ill-behaving software which has closed the
standard fds but later dups them to /dev/null.
GnuPG-bug-id: 3491
Signed-off-by: Werner Koch <wk at gnupg.org>
(cherry picked from commit 319f55e6e5793c59f1ba4cfe481b562bca42194d)
diff --git a/random/rndlinux.c b/random/rndlinux.c
index 1bb7c76..f70bc21 100644
--- a/random/rndlinux.c
+++ b/random/rndlinux.c
@@ -104,9 +104,10 @@ open_device (const char *name, int retry)
/* Note that the caller needs to make sure that this function is only
- called by one thread at a time. The function returns 0 on success
- or true on failure (in which case the caller will signal a fatal
- error). */
+ * called by one thread at a time. The function returns 0 on success
+ * or true on failure (in which case the caller will signal a fatal
+ * error). This function should be entered only by one thread at a
+ * time. */
int
_gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
enum random_origins),
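Review bot: the added sentence "This function should be entered only by one thread at a time." repeats the first sentence of the same comment ("the caller needs to make sure that this function is only called by one thread at a time"). Keep one of them; if the intent is to flag that the new static `my_pid` bookkeeping is also unprotected, say that explicitly instead.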
@@ -117,6 +118,11 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
static int fd_random = -1;
static int only_urandom = -1;
static unsigned char ever_opened;
+ static volatile pid_t my_pid; /* The volatile is there to make sure
+ * the compiler does not optimize the
+ * code away in case the getpid
+ * function is badly attributed. */
+ volatile pid_t apid;
int fd;
int n;
byte buffer[768];
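Review bot: `volatile` on the local `apid` buys nothing, since `my_pid != apid` compares against a value returned in the same call. The comment on `my_pid` should name the concern it guards against (a `getpid` prototype declared with a const or pure attribute letting the compiler cache the result across a fork); "badly attributed" is hard for the next reader to act on. Note also that `my_pid` stays 0 until the one-time init below assigns it, which is harmless only because the fork check is never reached before that block has run.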
@@ -130,13 +136,13 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
* use only urandom. */
if (only_urandom == -1)
{
+ my_pid = getpid ();
if ((_gcry_random_read_conf () & RANDOM_CONF_ONLY_URANDOM))
only_urandom = 1;
else
only_urandom = 0;
}
-
if (!add)
{
/* Special mode to close the descriptors. */
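Review bot: `my_pid = getpid ();` is tucked inside the `only_urandom == -1` block, tying the fork-detection seed to an unrelated config read; a reader looking for where `my_pid` is first set will not find it near the fork check. Initializing it at the detection site instead, e.g. `if (!my_pid) my_pid = apid;` before the comparison, keeps the logic in one place and removes the dependence on this block having run first.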
@@ -153,6 +159,25 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
return 0;
}
+ /* Detect a fork and close the devices so that we don't use the old
+ * file descriptors. Note that open_device will be called in retry
+ * mode if the devices was opened by the parent process. */
+ apid = getpid ();
+ if (my_pid != apid)
+ {
+ if (fd_random != -1)
+ {
+ close (fd_random);
+ fd_random = -1;
+ }
+ if (fd_urandom != -1)
+ {
+ close (fd_urandom);
+ fd_urandom = -1;
+ }
+ my_pid = apid;
+ }
+
/* First read from a hardware source. However let it account only
for up to 50% (or 25% for RDRAND) of the requested bytes. */
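Review bot: the check only detects a changed pid, so it covers the scenario in the commit message when the descriptor shuffle happens in a forked child, but not the same-process case: a program that closes the descriptors and dup2()s /dev/null onto those numbers without forking leaves `fd_random`/`fd_urandom` pointing at /dev/null and this code keeps reading from it. A cheap complement is to record `st_dev`/`st_ino` from fstat at open time and re-verify them before each read, re-opening rather than trusting a replaced descriptor. In the comment, "if the devices was opened" should read "if the device was opened".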
commit 5b1d022293c5779b1150a7653cce4e3bf494a07c
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 26 12:57:30 2018 +0200
primes: Avoid leaking bits of the prime test to pageable memory.
* cipher/primegen.c (gen_prime): Allocate MODS in secure memory.
--
This increases the pressure on the secure memory by about 1400 bytes
but given that we can meanwhile increase the size of the secmem area,
this is acceptable.
GnuPG-bug-id: 3848
Signed-off-by: Werner Koch <wk at gnupg.org>
(cherry picked from commit 2e2e68ad4874a4678cfbe452b70ae987e0402eca)
diff --git a/cipher/primegen.c b/cipher/primegen.c
index ce5ad3c..e24de4d 100644
--- a/cipher/primegen.c
+++ b/cipher/primegen.c
@@ -758,7 +758,8 @@ gen_prime (unsigned int nbits, int secret, int randomlevel,
if (nbits < 16)
log_fatal ("can't generate a prime with less than %d bits\n", 16);
- mods = xmalloc (no_of_small_prime_numbers * sizeof *mods);
+ mods = (secret? xmalloc_secure (no_of_small_prime_numbers * sizeof *mods)
+ /* */ : xmalloc (no_of_small_prime_numbers * sizeof *mods));
/* Make nbits fit into gcry_mpi_t implementation. */
val_2 = mpi_alloc_set_ui( 2 );
val_3 = mpi_alloc_set_ui( 3);
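Review bot: the `/* */` placeholder in the ternary exists only to line the branches up, and the size expression is duplicated; selecting the allocator instead keeps it in one place: `mods = (secret? xmalloc_secure : xmalloc) (no_of_small_prime_numbers * sizeof *mods);`. The matching release of `mods` is outside this hunk; worth confirming it is an `xfree` that accepts pointers from either pool, since the pointer may now come from secure memory.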
-----------------------------------------------------------------------
Summary of changes:
cipher/primegen.c | 3 ++-
random/rndlinux.c | 42 +++++++++++++++++++++++++++++++++---------
2 files changed, 35 insertions(+), 10 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
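As an added example (not libgcrypt's code and not part of any commit above), the following C program shows the gathering pattern the first two commits converge on: call getrandom(2) first and retry on EINTR, fall back to the device only when the syscall is absent (ENOSYS), and re-open the device descriptor whenever getpid() shows the process has forked, so a child never reuses a descriptor its parent may have closed and dup2()ed onto /dev/null. The function names `gather_random`, `try_getrandom`, `read_urandom_device`, the reopen counter and the zero check are assumptions made for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for syscall(2) and O_CLOEXEC on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* Illustrative static state (names are assumptions for this example). */
static int   fd_urandom = -1;
static pid_t opened_pid = 0;
static int   reopens    = 0;

/* getrandom(2) with flags 0 reads the urandom pool but blocks until the
 * kernel RNG is seeded, so it never hands out unseeded data.  Returns 1
 * when buf is filled, 0 when the syscall is unavailable (non-Linux build,
 * no SYS_getrandom in the headers, or ENOSYS at runtime), -1 otherwise. */
static int try_getrandom (unsigned char *buf, size_t n)
{
#if defined(__linux__) && defined(SYS_getrandom)
  size_t done = 0;
  while (done < n)
    {
      long r = syscall (SYS_getrandom, buf + done, n - done, 0);
      if (r == -1 && errno == EINTR)
        continue;                       /* interrupted by a signal: retry */
      if (r == -1 && errno == ENOSYS)
        return 0;                       /* old kernel: use the device */
      if (r == -1)
        return -1;
      done += (size_t)r;
    }
  return 1;
#else
  (void)buf; (void)n;
  return 0;
#endif
}

/* Fallback path: read /dev/urandom, re-opening the descriptor if the pid
 * changed since it was opened (i.e. we are in a forked child). */
int read_urandom_device (unsigned char *buf, size_t n)
{
  pid_t pid = getpid ();
  if (fd_urandom != -1 && pid != opened_pid)
    {
      close (fd_urandom);               /* inherited from the parent: drop it */
      fd_urandom = -1;
    }
  if (fd_urandom == -1)
    {
      fd_urandom = open ("/dev/urandom", O_RDONLY | O_CLOEXEC);
      if (fd_urandom == -1)
        return -1;
      opened_pid = pid;
      reopens++;
    }
  size_t done = 0;
  while (done < n)
    {
      ssize_t r = read (fd_urandom, buf + done, n - done);
      if (r == -1 && errno == EINTR)
        continue;
      if (r <= 0)
        return -1;
      done += (size_t)r;
    }
  return 0;
}

int urandom_reopen_count (void) { return reopens; }

/* Entry point: syscall first, device only if the syscall does not exist. */
int gather_random (unsigned char *buf, size_t n)
{
  int rc = try_getrandom (buf, n);
  if (rc == 1)  return 0;
  if (rc == -1) return -1;
  return read_urandom_device (buf, n);
}

/* 1 if every byte is zero: what a descriptor silently redirected to
 * /dev/null would yield, which is the failure the fork check prevents. */
int all_zero (const unsigned char *buf, size_t n)
{
  for (size_t i = 0; i < n; i++)
    if (buf[i]) return 0;
  return 1;
}

int main (void)
{
  unsigned char buf[32];
  if (gather_random (buf, sizeof buf) || read_urandom_device (buf, sizeof buf))
    { perror ("random"); return 1; }
  pid_t child = fork ();
  if (child == 0)                       /* child: pid differs, so re-open */
    _exit (read_urandom_device (buf, sizeof buf) == 0
           && urandom_reopen_count () == 2 ? 0 : 1);
  int status = 0;
  waitpid (child, &status, 0);
  printf ("parent reopens=%d, child %s\n", urandom_reopen_count (),
          WIFEXITED (status) && WEXITSTATUS (status) == 0 ? "re-opened" : "FAILED");
  return 0;
}
```

The fork check is deliberately the same pid comparison the second commit uses; as the reviewer note on that hunk says, it does not catch a descriptor replaced in the same process, which would need an fstat-based identity check on top.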