Synopsis: OpenSSL PRNG weakness (up to 0.9.6a) NetBSD versions: 1.5, 1.5.1 Thanks to: Jun-ichiro itojun Hagino Reported in NetBSD Security Advisory: NetBSD-SA2001-013 Index: md_rand.c =================================================================== RCS file: /cvsroot/basesrc/crypto/dist/openssl/crypto/rand/md_rand.c,v retrieving revision 1.1.1.1.2.1 retrieving revision 1.1.1.1.2.2 diff -c -p -r1.1.1.1.2.1 -r1.1.1.1.2.2 *** md_rand.c 2000/07/17 05:59:20 1.1.1.1.2.1 --- md_rand.c 2001/07/29 04:24:34 1.1.1.1.2.2 *************** static void ssleay_rand_initialize(void) *** 412,417 **** --- 412,418 ---- static int ssleay_rand_bytes(unsigned char *buf, int num) { int i,j,k,st_num,st_idx; + int num_ceil; int ok; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; *************** static int ssleay_rand_bytes(unsigned ch *** 431,436 **** --- 432,443 ---- } #endif + if (num <= 0) + return 1; + + /* round upwards to multiple of MD_DIGEST_LENGTH/2 */ + num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2); + /* * (Based on the rand(3) manpage:) * *************** static int ssleay_rand_bytes(unsigned ch *** 476,486 **** md_c[1] = md_count[1]; memcpy(local_md, md, sizeof md); ! state_index+=num; if (state_index > state_num) state_index %= state_num; ! /* state[st_idx], ..., state[(st_idx + num - 1) % st_num] * are now ours (but other threads may use them too) */ md_count[0] += 1; --- 483,493 ---- md_c[1] = md_count[1]; memcpy(local_md, md, sizeof md); ! state_index+=num_ceil; if (state_index > state_num) state_index %= state_num; ! /* state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num] * are now ours (but other threads may use them too) */ md_count[0] += 1; *************** static int ssleay_rand_bytes(unsigned ch *** 488,493 **** --- 495,501 ---- while (num > 0) { + /* num_ceil -= MD_DIGEST_LENGTH/2 */ j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num; num-=j; MD_Init(&m); *************** static int ssleay_rand_bytes(unsigned ch *** 498,524 **** curr_pid = 0; } #endif ! MD_Update(&m,&(local_md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); #ifndef PURIFY MD_Update(&m,buf,j); /* purify complains */ #endif ! k=(st_idx+j)-st_num; if (k > 0) { ! MD_Update(&m,&(state[st_idx]),j-k); MD_Update(&m,&(state[0]),k); } else ! MD_Update(&m,&(state[st_idx]),j); MD_Final(local_md,&m); ! for (i=0; i= st_num) st_idx=0; } } --- 506,533 ---- curr_pid = 0; } #endif ! MD_Update(&m,local_md,MD_DIGEST_LENGTH); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); #ifndef PURIFY MD_Update(&m,buf,j); /* purify complains */ #endif ! k=(st_idx+MD_DIGEST_LENGTH/2)-st_num; if (k > 0) { ! MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k); MD_Update(&m,&(state[0]),k); } else ! MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2); MD_Final(local_md,&m); ! for (i=0; i= st_num) st_idx=0; + if (i < j) + *(buf++)=local_md[i+MD_DIGEST_LENGTH/2]; } }