Fwd: EccGnuPG Bug Report

Sergi Blanch i Torne sbt at megacceso.com
Sat Mar 31 00:37:13 CEST 2007


Maybe there is a solution (or this is what I want to try).

The problem was in the call to wipememory(_ptr,_len), exactly in the _len 
parameter. With a 'sizeof _ptr', there could be some architectures where it 
does not work fine.

A candidate patch is:
http://www.calcurco.cat/eccGnuPG/src/gnupg-1.4.7-ecc0.2.0beta2rc1.diff
http://www.calcurco.cat/eccGnuPG/src/gnupg-1.4.7-ecc0.1.7rc1.diff

As far as I know, the call to 'mpi_get_secure_buffer(MPI a,unsigned 
*nbytes,int *sign)' that returns the pointer that will be wiped also shows 
the size in 'nbytes'. Then a call like 'wipememory(hash_inp_buf,nbytes)' 
has the data from a previous call 
like 'hash_inp_buf=mpi_get_secure_buffer(input,&nbytes,&sign);', isn't it?

Only one doubt. The function 'sha256_hashing()' uses two variables related to 
this problem: 'byte *hash_inp_buf;' and 'byte hash_out_buf[32];'. The first 
one, use this call to 'mpi_get_secure_buffer()' does not need it. IMHO it 
should be enough with 'wipememory(hash_out_buf,32*sizeof(byte));', isn't it?

I will wait for your comments.

/Sergi.

On Friday, 30 March 2007 23:19, Sergi Blanch i Torne wrote:
> Hi,
>
> Today I received a bug report. The affected functions are not in the
> Libgcrypt port. The solution was also discussed today with Timo, but the
> patch is not ready yet. Sorry, I will do it as soon as possible.
>
> This bad use of the wipememory() function can be found in sha256_hashing()
> and aes256_{encrypting,decrypting}() functions.
>
> Oh, this bug also affects the other branch, the 0.1.
>
> Thanks Timo
>
> /Sergi.
>
> ----------  Forwarded message  ----------
>
> Subject: EccGnuPG Bug Report
> Date: Friday, 30 March 2007 13:20
> From: Timo Schulz <twoaday at gmx.net>
> To: d4372211 at alumnes.eup.udl.es
>
> Hi,
>
> based on your 0.2.0beta1 patch, I couldn't find any information
> that this problem has been reported before, there is a 'bug' in
> the way you use the wipememory function:
>
> byte *hash_inp_buf;
>
> wipememory( hash_inp_buf, sizeof hash_inp_buf );
>
>
> actually it should be
> wipememory (hash_inp_buf, nbytes);
> otherwise only sizeof (unsigned char *) == (4 or 8)
> bytes would be overwritten.
>
>
> 	Timo
>
> -------------------------------------------------------
>
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
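
Added example, not part of the messages above and not code from the EccGnuPG patch: a C program that measures how many bytes of a buffer survive a wipe sized with 'sizeof' on a pointer, compared with the length reported by the getter and with 'sizeof' on an array such as 'hash_out_buf'. The helper 'wipe_bytes' stands in for wipememory(), and the 64-byte length and 0xA5 fill are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned char byte;

/* Assumed stand-in for wipememory(): volatile stores, so not a dead store. */
static void wipe_bytes(void *ptr, size_t len)
{
    volatile byte *p = (volatile byte *)ptr;
    while (len--)
        *p++ = 0;
}

/* Fill buf with a constructed 0xA5 "secret", wipe wipe_len bytes, count what is left. */
static size_t leftover_after_wipe(byte *buf, size_t buf_len, size_t wipe_len)
{
    size_t i, left = 0;
    memset(buf, 0xA5, buf_len);
    wipe_bytes(buf, wipe_len);
    for (i = 0; i < buf_len; i++)
        left += (buf[i] != 0);
    wipe_bytes(buf, buf_len);   /* clean up fully before returning */
    return left;
}

/* Pointer case: sizeof hash_inp_buf is the pointer size, not the data size. */
static size_t leftover_pointer(int use_nbytes)
{
    unsigned nbytes = 64;       /* constructed length, as a getter would report */
    byte *hash_inp_buf = malloc(nbytes);
    if (!hash_inp_buf) return (size_t)-1;
    size_t wipe_len = use_nbytes ? nbytes : sizeof hash_inp_buf;
    size_t left = leftover_after_wipe(hash_inp_buf, nbytes, wipe_len);
    free(hash_inp_buf);
    return left;
}

/* Array case: sizeof hash_out_buf is the full 32 bytes. */
static size_t leftover_array(void)
{
    byte hash_out_buf[32];
    return leftover_after_wipe(hash_out_buf, sizeof hash_out_buf, sizeof hash_out_buf);
}

int main(void)
{
    printf("%zu %zu %zu\n", leftover_pointer(0), leftover_pointer(1), leftover_array());
    return 0;
}
```

GCC and Clang flag the pointer form with -Wsizeof-pointer-memaccess only for known library calls such as memset(), so a project-specific wipe macro or function needs review or a static-analysis rule to catch it.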


