From 35aec9eee20ce171162bd40cd06ce831197ad970 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Sun, 10 Feb 2002 21:34:27 +0000
Subject: * random.c (add_randomness): Xor new data into the pool and not just copy it. This avoids any choosen input attacks which are not serious in our setting because an outsider won't be able to mix data in and even then we keep going with a PRNG. Thanks to Stefan Keller for pointing this out. * random.c (mix_pool): Carry an extra failsafe_digest buffer around to make the function more robust.
---
 cipher/ChangeLog | 13 +++++++++++++
 cipher/random.c | 18 ++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/cipher/ChangeLog b/cipher/ChangeLog
index b94deee9b..9e0de9aea 100644
--- a/cipher/ChangeLog
+++ b/cipher/ChangeLog
@@ -1,3 +1,16 @@
+2002-02-10 Werner Koch
+
+ * random.c (mix_pool): Carry an extra failsafe_digest buffer
+ around to make the function more robust.
+
+2002-02-08 Werner Koch
+
+ * random.c (add_randomness): Xor new data into the pool and not
+ just copy it. This avoids any choosen input attacks which are not
+ serious in our setting because an outsider won't be able to mix
+ data in and even then we keep going with a PRNG. Thanks to Stefan
+ Keller for pointing this out.
+
 2002-01-02 Stefan Bellon
 * rndriscos.c [__riscos__]: Updated include file name.
diff --git a/cipher/random.c b/cipher/random.c
index 14ca87f4d..c263f7d68 100644
--- a/cipher/random.c
+++ b/cipher/random.c
@@ -57,6 +57,7 @@
 #include "random.h"
 #include "rand-internal.h"
 #include "dynload.h"
+#include "cipher.h" /* only used for the rmd160_hash_buffer() prototype */
 #ifndef RAND_MAX /* for SunOS */
@@ -100,6 +101,9 @@ static int did_initial_extra_seeding;
 static char *seed_file_name;
 static int allow_seed_file_update;
+static unsigned char failsafe_digest[DIGESTLEN];
+static int failsafe_digest_valid;
+
 static int secure_alloc;
 static int quick_test;
 static int faked_rng;
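Review bot: The two new file-scope variables in the `@@ -100,6 +101,9 @@` hunk are undocumented, so a reader cannot tell from the declaration which buffer `failsafe_digest` describes or when it may be used. Suggest a comment above them such as `/* RIPEMD-160 digest of the whole rndpool, taken at the end of the previous mix_pool() run on rndpool and XORed back into the pool's first block on the next one. failsafe_digest_valid stays 0 until the first such digest exists. */`. Because this is mutable state written from mix_pool() and read on the next call, the comment should also name the serialisation the caller is expected to provide, if the module has any; that cannot be seen from this hunk.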
@@ -259,6 +263,11 @@ mix_pool(byte *pool)
     memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
     rmd160_mixblock( &md, hashbuf);
     memcpy(pool, hashbuf, 20 );
+    if (failsafe_digest_valid && (char*)pool == rndpool)
+      {
+        for (i=0; i < 20; i++)
+          pool[i] ^= failsafe_digest[i];
+      }
     p = pool;
     for( n=1; n < POOLBLOCKS; n++ ) {
@@ -279,7 +288,12 @@ mix_pool(byte *pool)
         rmd160_mixblock( &md, hashbuf);
         memcpy(p, hashbuf, 20 );
     }
-    burn_stack (200); /* for the rmd160_mixblock() */
+    if ((char*)pool == rndpool)
+      {
+        rmd160_hash_buffer (failsafe_digest, pool, POOLSIZE);
+        failsafe_digest_valid = 1;
+      }
+    burn_stack (384); /* for the rmd160_mixblock(), rmd160_hash_buffer */
 }
@@ -528,7 +542,7 @@ add_randomness( const void *buffer, size_t length, int source )
     rndstats.addbytes += length;
     rndstats.naddbytes++;
     while( length-- ) {
-        rndpool[pool_writepos++] = *p++;
+        rndpool[pool_writepos++] ^= *p++;
         if( pool_writepos >= POOLSIZE ) {
             if( source > 1 )
                 pool_filled = 1;
-- 
cgit v1.2.3
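Review bot: The new XOR loop in the first mix_pool hunk counts to the literal `20` while `failsafe_digest` is declared with `DIGESTLEN` elements; if the two constants ever diverge the loop either reads past the digest or leaves part of it unmixed. Use the declared size on both sides, `for (i=0; i < DIGESTLEN; i++)`, and the adjacent `memcpy(pool, hashbuf, 20 )` would benefit from the same constant. The loop index `i` and the start of mix_pool are outside the hunk, so its type cannot be checked here.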
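Review bot: In the second mix_pool hunk `rmd160_hash_buffer` writes a digest of the entire pool into an ordinary static buffer, so pool-derived state now lives outside whatever protection `rndpool` itself has (the file carries a `secure_alloc` flag, so rndpool is presumably in secure memory; not visible here), and nothing in this commit clears that copy, so it can reach a core dump or swap. A comment at the call should state this trade-off, and the buffer should be wiped wherever the pool is wiped or the RNG is torn down. The `(char*)pool == rndpool` test is now evaluated twice in mix_pool; evaluating it once into a local keeps the two sites in step if the condition ever changes. The `burn_stack (384)` figure is an estimate for two hash routines, so the comment should say so and name what it was measured against, e.g. `/* estimate: rmd160_mixblock() plus rmd160_hash_buffer(); re-check if either changes */`.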
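Review bot: The reason for `^=` instead of `=` in the add_randomness hunk exists only in the commit message, and the line reads like an ordinary buffer fill that a later maintainer might "fix" back to an assignment. Put the rationale on the line itself, e.g. `rndpool[pool_writepos++] ^= *p++;  /* mix in, never overwrite: input must not replace existing pool state */`. The while loop and the remainder of add_randomness continue past the hunk, and the type of `p` is declared outside it.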