From 5105f4d39bd430023bca4d571c6ae9b5644bcfd4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 08 2016 03:29:44 +0000
Subject: import libgcrypt-1.5.3-13.el7_3.1
---
diff --git a/SOURCES/libgcrypt-1.5.3-rng-predictable.patch b/SOURCES/libgcrypt-1.5.3-rng-predictable.patch
new file mode 100644
index 0000000..6e1d730
--- /dev/null
+++ b/SOURCES/libgcrypt-1.5.3-rng-predictable.patch
@@ -0,0 +1,141 @@ +diff -up libgcrypt-1.5.3/random/random-csprng.c.rng-predictable libgcrypt-1.5.3/random/random-csprng.c +--- libgcrypt-1.5.3/random/random-csprng.c.rng-predictable 2015-08-11 14:31:35.904275580 +0200 ++++ libgcrypt-1.5.3/random/random-csprng.c 2016-08-17 23:35:15.691980751 +0200 +@@ -561,41 +561,46 @@ _gcry_rngcsprng_randomize (void *buffer, + + + /* +- Mix the pool: +- +- |........blocks*20byte........|20byte|..44byte..| +- <..44byte..> <20byte> +- | | +- | +------+ +- +---------------------------|----------+ +- v v +- |........blocks*20byte........|20byte|..44byte..| +- <.....64bytes.....> +- | +- +----------------------------------+ +- Hash +- v +- |.............................|20byte|..44byte..| +- <20byte><20byte><..44byte..> +- | | +- | +---------------------+ +- +-----------------------------+ | +- v v +- |.............................|20byte|..44byte..| +- <.....64byte......> +- | +- +-------------------------+ +- Hash +- v +- |.............................|20byte|..44byte..| +- <20byte><20byte><..44byte..> +- +- and so on until we did this for all blocks. +- +- To better protect against implementation errors in this code, we +- xor a digest of the entire pool into the pool before mixing. +- +- Note: this function must only be called with a locked pool. ++ * Mix the 600 byte pool. Note that the 64 byte scratch area directly ++ * follows the pool. The numbers in the diagram give the number of ++ * bytes. 
++ * <................600...............> <.64.> ++ * pool |------------------------------------| |------| ++ * <20><.24.> <20> ++ * | | +-----+ ++ * +-----|-------------------------------|-+ ++ * +-------------------------------|-|-+ ++ * v v v ++ * |------| ++ * ++ * +---------------------------------------+ ++ * v ++ * <20> ++ * pool' |------------------------------------| ++ * <20><20><.24.> ++ * +---|-----|---------------------------+ ++ * +-----|---------------------------|-+ ++ * +---------------------------|-|-+ ++ * v v v ++ * |------| ++ * ++ * | ++ * +-----------------------------------+ ++ * v ++ * <20> ++ * pool'' |------------------------------------| ++ * <20><20><20><.24.> ++ * +---|-----|-----------------------+ ++ * +-----|-----------------------|-+ ++ * +-----------------------|-|-+ ++ * v v v ++ * ++ * and so on until we did this for all 30 blocks. ++ * ++ * To better protect against implementation errors in this code, we ++ * xor a digest of the entire pool into the pool before mixing. ++ * ++ * Note: this function must only be called with a locked pool. + */ + static void + mix_pool(unsigned char *pool) +@@ -615,32 +620,30 @@ mix_pool(unsigned char *pool) + gcry_assert (pool_is_locked); + _gcry_rmd160_init( &md ); + +- /* Loop over the pool. */ ++ /* pool_0 -> pool'. */ + pend = pool + POOLSIZE; +- memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN ); +- memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN); +- _gcry_rmd160_mixblock( &md, hashbuf); +- memcpy(pool, hashbuf, 20 ); ++ memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN); ++ memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN); ++ _gcry_rmd160_mixblock (&md, hashbuf); ++ memcpy (pool, hashbuf, DIGESTLEN); + + if (failsafe_digest_valid && pool == rndpool) + { +- for (i=0; i < 20; i++) ++ for (i=0; i < DIGESTLEN; i++) + pool[i] ^= failsafe_digest[i]; + } + ++ /* Loop for the remaining iterations. 
*/ + p = pool; + for (n=1; n < POOLBLOCKS; n++) + { +- memcpy (hashbuf, p, DIGESTLEN); +- +- p += DIGESTLEN; +- if (p+DIGESTLEN+BLOCKLEN < pend) +- memcpy (hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN); ++ if (p + BLOCKLEN < pend) ++ memcpy (hashbuf, p, BLOCKLEN); + else + { +- unsigned char *pp = p + DIGESTLEN; ++ unsigned char *pp = p; + +- for (i=DIGESTLEN; i < BLOCKLEN; i++ ) ++ for (i=0; i < BLOCKLEN; i++ ) + { + if ( pp >= pend ) + pp = pool; +@@ -648,8 +651,9 @@ mix_pool(unsigned char *pool) + } + } + +- _gcry_rmd160_mixblock ( &md, hashbuf); +- memcpy(p, hashbuf, 20 ); ++ _gcry_rmd160_mixblock (&md, hashbuf); ++ p += DIGESTLEN; ++ memcpy (p, hashbuf, DIGESTLEN); + } + + /* Our hash implementation does only leave small parts (64 bytes) diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec index dd219a2..4d0fd9d 100644 --- a/SPECS/libgcrypt.spec +++ b/SPECS/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt Version: 1.5.3 -Release: 12%{?dist}.1 +Release: 13%{?dist}.1 URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.xz # The original libgcrypt sources now contain potentially patented ECC @@ -47,6 +47,8 @@ Patch21: libgcrypt-1.5.3-fips-cfgrandom.patch Patch22: libgcrypt-1.5.3-fips-reqs.patch # use only urandom if /dev/random cannot be opened Patch24: libgcrypt-1.5.3-urandom-only.patch +# fix predictable PRNG output +Patch26: libgcrypt-1.5.3-rng-predictable.patch %define gcrylibdir %{_libdir} @@ -99,6 +101,7 @@ applications using libgcrypt. %patch21 -p1 -b .cfgrandom %patch22 -p1 -b .fips-reqs %patch24 -p1 -b .urandom-only +%patch26 -p1 -b .rng-predictable %build %configure --disable-static \ 
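Review bot: In the rewritten loop of mix_pool, `if (p + BLOCKLEN < pend)` selects the contiguous-copy path by forming a pointer up to BLOCKLEN bytes past the end of the 600-byte pool; that pointer is only inside the allocation because, as the new header comment states, a 64-byte scratch area directly follows the pool, so the control flow silently depends on that buffer layout. Comparing the remaining length instead, `if ((size_t)(pend - p) >= BLOCKLEN)`, expresses the same bound without relying on the trailing scratch area, and the byte-wise wrap branch below still handles every case where the window runs past pend. The check is correct as written, so this is a robustness/style point only; note that mix_pool's body begins before and continues past the hunk, so the declarations of p, pend and hashbuf are not visible here. Separately, the new patch file carries no descriptive header before its first `diff -up` line; a one-line header naming the issue it fixes, as the spec's `# fix predictable PRNG output` comment and the changelog's CVE-2016-6313 (#1366105) entry do, would help the next maintainer rebasing it.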
@@ -200,7 +203,10 @@ exit 0 %doc COPYING %changelog -* Fri Apr 10 2015 Tomáš Mráz 1.5.3-12.1 +* Tue Oct 25 2016 Tomáš Mráz 1.5.3-13.1 +- fix CVE-2016-6313 - predictable PRNG output (#1366105) + +* Fri Apr 10 2015 Tomáš Mráz 1.5.3-13 - touch only urandom in the selftest and when /dev/random is unavailable for example by SELinux confinement - fix the RSA selftest key (p q swap)