public inbox for linux-kernel@vger.kernel.org
From: Matt Mackall <mpm@selenic.com>
To: linux@horizon.com, akpm@linux-foundation.org
Cc: bgilbert@cs.cmu.edu, linux-kernel@vger.kernel.org,
	Theodore Tso <tytso@mit.edu>
Subject: [PATCH] random: fix folding
Date: Wed, 13 Jun 2007 00:29:51 -0500	[thread overview]
Message-ID: <20070613052951.GI11166@waste.org> (raw)
In-Reply-To: <20070612050544.23957.qmail@science.horizon.com>

On Tue, Jun 12, 2007 at 01:05:44AM -0400, linux@horizon.com wrote:
> I also noticed a glaring BUG in the folding at the end of extract_buf at
> drivers/char/random.c:797.  That should be:
> 
> 	/*
> 	 * In case the hash function has some recognizable
> 	 * output pattern, we fold it in half.
> 	 */
> 
> 	buf[0] ^= buf[4];
> 	buf[1] ^= buf[3];
> 	buf[2] ^= rol32(buf[2], 16);	// <--- Bug was here
> 	memcpy(out, buf, EXTRACT_SIZE);
> 	memset(buf, 0, sizeof(buf));
> 
> if the code is to match the comment.

Conveniently, the random.c maintainer is reading this thread. Good
spotting, not sure how I bungled that.

----
random: fix output buffer folding

(As reported by linux@horizon.com)

Folding is done to minimize the theoretical possibility of systematic
weakness in the particular bits of the SHA1 hash output. The result of
this bug is that 16 out of 80 bits are un-folded. Without a major new
vulnerability being found in SHA1, this is harmless, but still worth
fixing.

Signed-off-by: Matt Mackall <mpm@selenic.com>

Index: mm/drivers/char/random.c
===================================================================
--- mm.orig/drivers/char/random.c	2007-06-12 23:50:54.000000000 -0500
+++ mm/drivers/char/random.c	2007-06-12 23:51:51.000000000 -0500
@@ -794,7 +794,7 @@ static void extract_buf(struct entropy_s
 
 	buf[0] ^= buf[3];
 	buf[1] ^= buf[4];
-	buf[0] ^= rol32(buf[3], 16);
+	buf[2] ^= rol32(buf[2], 16);
 	memcpy(out, buf, EXTRACT_SIZE);
 	memset(buf, 0, sizeof(buf));
 }
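Review bot: The removed line XORs a rotated buf[3] into buf[0] a second time (buf[0] already took buf[3] two lines above) instead of folding buf[2], so the two bytes of buf[2] that memcpy copies out within EXTRACT_SIZE left extract_buf straight from the hash; the replacement XORs buf[2] with its own 16-bit rotation, so the half that is copied out now carries both halves of the word. A short comment on that line would help, because the "fold it in half" comment quoted earlier in the thread does not make obvious that the middle word is folded onto itself, which is exactly the line that was mistyped. Note also that the pairing kept here (buf[0] ^= buf[3]; buf[1] ^= buf[4]) differs from the buf[0] ^= buf[4]; buf[1] ^= buf[3] suggested in the reply; either pairing covers every word once, so keeping the existing order is fine.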


-- 
Mathematics is the supreme nostalgia of our time.
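To make the "16 out of 80 bits are un-folded" figure in the commit message concrete, here is an added, stand-alone example (not the kernel's code): it re-implements the fold before and after the patch on a 5-word buffer, with rol32 reimplemented locally and EXTRACT_SIZE assumed to be 10 bytes, and counts how many output bits depend on only one hash bit by flipping input bits one at a time.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXTRACT_SIZE 10 /* assumed: 80 bits copied out, matching the commit message */

static uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }

/* Fold as it stood before the patch: buf[3] goes into buf[0] twice, buf[2] is untouched. */
static void fold_before(uint32_t buf[5], uint8_t out[EXTRACT_SIZE])
{
	buf[0] ^= buf[3];
	buf[1] ^= buf[4];
	buf[0] ^= rol32(buf[3], 16);
	memcpy(out, buf, EXTRACT_SIZE);
}

/* Fold as patched: buf[2] is XORed with its own 16-bit rotation, so the
 * half that is copied out now covers both halves of the word. */
static void fold_after(uint32_t buf[5], uint8_t out[EXTRACT_SIZE])
{
	buf[0] ^= buf[3];
	buf[1] ^= buf[4];
	buf[2] ^= rol32(buf[2], 16);
	memcpy(out, buf, EXTRACT_SIZE);
}

/* Both folds are pure XOR, so flipping one input bit at a time from an all-zero
 * state shows which output bits it feeds. Returns how many of the 80 output bits
 * depend on a single hash bit, i.e. reach the output unfolded. */
static int unfolded_output_bits(void (*fold)(uint32_t *, uint8_t *))
{
	int deps[EXTRACT_SIZE * 8] = { 0 }, i, o, n = 0;
	uint32_t buf[5]; uint8_t out[EXTRACT_SIZE];
	for (i = 0; i < 5 * 32; i++) {
		memset(buf, 0, sizeof(buf));
		buf[i / 32] = 1u << (i % 32);
		fold(buf, out);
		for (o = 0; o < EXTRACT_SIZE * 8; o++)
			deps[o] += (out[o / 8] >> (o % 8)) & 1;
	}
	for (o = 0; o < EXTRACT_SIZE * 8; o++)
		n += (deps[o] == 1);
	return n;
}

int main(void)
{
	printf("unfolded output bits: before=%d after=%d\n", unfolded_output_bits(fold_before), unfolded_output_bits(fold_after));
	return 0;
}
```

The count is independent of host endianness: whichever half of buf[2] memcpy copies out, the old fold leaves those 16 bits single-sourced and the new fold gives each of them two sources.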
