|
 |
241384 |
diff -up libgcrypt-1.5.3/random/random-csprng.c.rng-predictable libgcrypt-1.5.3/random/random-csprng.c
|
|
|
241384 |
--- libgcrypt-1.5.3/random/random-csprng.c.rng-predictable 2015-08-11 14:31:35.904275580 +0200
|
|
|
241384 |
+++ libgcrypt-1.5.3/random/random-csprng.c 2016-08-17 23:35:15.691980751 +0200
|
|
|
241384 |
@@ -561,41 +561,46 @@ _gcry_rngcsprng_randomize (void *buffer,
|
|
|
241384 |
|
|
|
241384 |
|
|
|
241384 |
/*
|
|
|
241384 |
- Mix the pool:
|
|
|
241384 |
-
|
|
|
241384 |
- |........blocks*20byte........|20byte|..44byte..|
|
|
|
241384 |
- <..44byte..> <20byte>
|
|
|
241384 |
- | |
|
|
|
241384 |
- | +------+
|
|
|
241384 |
- +---------------------------|----------+
|
|
|
241384 |
- v v
|
|
|
241384 |
- |........blocks*20byte........|20byte|..44byte..|
|
|
|
241384 |
- <.....64bytes.....>
|
|
|
241384 |
- |
|
|
|
241384 |
- +----------------------------------+
|
|
|
241384 |
- Hash
|
|
|
241384 |
- v
|
|
|
241384 |
- |.............................|20byte|..44byte..|
|
|
|
241384 |
- <20byte><20byte><..44byte..>
|
|
|
241384 |
- | |
|
|
|
241384 |
- | +---------------------+
|
|
|
241384 |
- +-----------------------------+ |
|
|
|
241384 |
- v v
|
|
|
241384 |
- |.............................|20byte|..44byte..|
|
|
|
241384 |
- <.....64byte......>
|
|
|
241384 |
- |
|
|
|
241384 |
- +-------------------------+
|
|
|
241384 |
- Hash
|
|
|
241384 |
- v
|
|
|
241384 |
- |.............................|20byte|..44byte..|
|
|
|
241384 |
- <20byte><20byte><..44byte..>
|
|
|
241384 |
-
|
|
|
241384 |
- and so on until we did this for all blocks.
|
|
|
241384 |
-
|
|
|
241384 |
- To better protect against implementation errors in this code, we
|
|
|
241384 |
- xor a digest of the entire pool into the pool before mixing.
|
|
|
241384 |
-
|
|
|
241384 |
- Note: this function must only be called with a locked pool.
|
|
|
241384 |
+ * Mix the 600 byte pool. Note that the 64 byte scratch area directly
|
|
|
241384 |
+ * follows the pool. The numbers in the diagram give the number of
|
|
|
241384 |
+ * bytes.
|
|
|
241384 |
+ * <................600...............> <.64.>
|
|
|
241384 |
+ * pool |------------------------------------| |------|
|
|
|
241384 |
+ * <20><.24.> <20>
|
|
|
241384 |
+ * | | +-----+
|
|
|
241384 |
+ * +-----|-------------------------------|-+
|
|
|
241384 |
+ * +-------------------------------|-|-+
|
|
|
241384 |
+ * v v v
|
|
|
241384 |
+ * |------|
|
|
|
241384 |
+ * <hash>
|
|
|
241384 |
+ * +---------------------------------------+
|
|
|
241384 |
+ * v
|
|
|
241384 |
+ * <20>
|
|
|
241384 |
+ * pool' |------------------------------------|
|
|
|
241384 |
+ * <20><20><.24.>
|
|
|
241384 |
+ * +---|-----|---------------------------+
|
|
|
241384 |
+ * +-----|---------------------------|-+
|
|
|
241384 |
+ * +---------------------------|-|-+
|
|
|
241384 |
+ * v v v
|
|
|
241384 |
+ * |------|
|
|
|
241384 |
+ * <hash>
|
|
|
241384 |
+ * |
|
|
|
241384 |
+ * +-----------------------------------+
|
|
|
241384 |
+ * v
|
|
|
241384 |
+ * <20>
|
|
|
241384 |
+ * pool'' |------------------------------------|
|
|
|
241384 |
+ * <20><20><20><.24.>
|
|
|
241384 |
+ * +---|-----|-----------------------+
|
|
|
241384 |
+ * +-----|-----------------------|-+
|
|
|
241384 |
+ * +-----------------------|-|-+
|
|
|
241384 |
+ * v v v
|
|
|
241384 |
+ *
|
|
|
241384 |
+ * and so on until we did this for all 30 blocks.
|
|
|
241384 |
+ *
|
|
|
241384 |
+ * To better protect against implementation errors in this code, we
|
|
|
241384 |
+ * xor a digest of the entire pool into the pool before mixing.
|
|
|
241384 |
+ *
|
|
|
241384 |
+ * Note: this function must only be called with a locked pool.
|
|
|
241384 |
*/
|
|
|
241384 |
static void
|
|
|
241384 |
mix_pool(unsigned char *pool)
|
|
|
241384 |
@@ -615,32 +620,30 @@ mix_pool(unsigned char *pool)
|
|
|
241384 |
gcry_assert (pool_is_locked);
|
|
|
241384 |
_gcry_rmd160_init( &md );
|
|
|
241384 |
|
|
|
241384 |
- /* Loop over the pool. */
|
|
|
241384 |
+ /* pool_0 -> pool'. */
|
|
|
241384 |
pend = pool + POOLSIZE;
|
|
|
241384 |
- memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
|
|
|
241384 |
- memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
|
|
|
241384 |
- _gcry_rmd160_mixblock( &md, hashbuf);
|
|
|
241384 |
- memcpy(pool, hashbuf, 20 );
|
|
|
241384 |
+ memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN);
|
|
|
241384 |
+ memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
|
|
|
241384 |
+ _gcry_rmd160_mixblock (&md, hashbuf);
|
|
|
241384 |
+ memcpy (pool, hashbuf, DIGESTLEN);
|
|
|
241384 |
|
|
|
241384 |
if (failsafe_digest_valid && pool == rndpool)
|
|
|
241384 |
{
|
|
|
241384 |
- for (i=0; i < 20; i++)
|
|
|
241384 |
+ for (i=0; i < DIGESTLEN; i++)
|
|
|
241384 |
pool[i] ^= failsafe_digest[i];
|
|
|
241384 |
}
|
|
|
241384 |
|
|
|
241384 |
+ /* Loop for the remaining iterations. */
|
|
|
241384 |
p = pool;
|
|
|
241384 |
for (n=1; n < POOLBLOCKS; n++)
|
|
|
241384 |
{
|
|
|
241384 |
- memcpy (hashbuf, p, DIGESTLEN);
|
|
|
241384 |
-
|
|
|
241384 |
- p += DIGESTLEN;
|
|
|
241384 |
- if (p+DIGESTLEN+BLOCKLEN < pend)
|
|
|
241384 |
- memcpy (hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN);
|
|
|
241384 |
+ if (p + BLOCKLEN < pend)
|
|
|
241384 |
+ memcpy (hashbuf, p, BLOCKLEN);
|
|
|
241384 |
else
|
|
|
241384 |
{
|
|
|
241384 |
- unsigned char *pp = p + DIGESTLEN;
|
|
|
241384 |
+ unsigned char *pp = p;
|
|
|
241384 |
|
|
|
241384 |
- for (i=DIGESTLEN; i < BLOCKLEN; i++ )
|
|
|
241384 |
+ for (i=0; i < BLOCKLEN; i++ )
|
|
|
241384 |
{
|
|
|
241384 |
if ( pp >= pend )
|
|
|
241384 |
pp = pool;
|
|
|
241384 |
@@ -648,8 +651,9 @@ mix_pool(unsigned char *pool)
|
|
|
241384 |
}
|
|
|
241384 |
}
|
|
|
241384 |
|
|
|
241384 |
- _gcry_rmd160_mixblock ( &md, hashbuf);
|
|
|
241384 |
- memcpy(p, hashbuf, 20 );
|
|
|
241384 |
+ _gcry_rmd160_mixblock (&md, hashbuf);
|
|
|
241384 |
+ p += DIGESTLEN;
|
|
|
241384 |
+ memcpy (p, hashbuf, DIGESTLEN);
|
|
|
241384 |
}
|
|
|
241384 |
|
|
|
241384 |
/* Our hash implementation does only leave small parts (64 bytes)
|