[PATCH] random: fix folding

From: Matt Mackall
Date: Wed Jun 13 2007 - 01:31:42 EST


On Tue, Jun 12, 2007 at 01:05:44AM -0400, linux@xxxxxxxxxxx wrote:
> I also noticed a glaring BUG in the folding at the end of extract_buf at
> drivers/char/random.c:797. That should be:
>
> /*
> * In case the hash function has some recognizable
> * output pattern, we fold it in half.
> */
>
> buf[0] ^= buf[4];
> buf[1] ^= buf[3];
> buf[2] ^= rol32(buf[2], 16); // <--- Bug was here
> memcpy(out, buf, EXTRACT_SIZE);
> memset(buf, 0, sizeof(buf));
>
> if the code is to match the comment.

Conveniently, the random.c maintainer is reading this thread. Good
spotting, not sure how I bungled that.

----
random: fix output buffer folding

(As reported by linux@xxxxxxxxxxx)

Folding is done to minimize the theoretical possibility of systematic
weakness in the particular bits of the SHA1 hash output. The result of
this bug is that 16 out of 80 bits are un-folded. Without a major new
vulnerability being found in SHA1, this is harmless, but still worth
fixing.

Signed-off-by: Matt Mackall <mpm@xxxxxxxxxxx>

Index: mm/drivers/char/random.c
===================================================================
--- mm.orig/drivers/char/random.c 2007-06-12 23:50:54.000000000 -0500
+++ mm/drivers/char/random.c 2007-06-12 23:51:51.000000000 -0500
@@ -794,7 +794,7 @@ static void extract_buf(struct entropy_s

buf[0] ^= buf[3];
buf[1] ^= buf[4];
- buf[0] ^= rol32(buf[3], 16);
+ buf[2] ^= rol32(buf[2], 16);
memcpy(out, buf, EXTRACT_SIZE);
memset(buf, 0, sizeof(buf));
}


--
Mathematics is the supreme nostalgia of our time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/