Bug#709490: marked as done (Two disastrous bugs in RHash in Wheezy)

To: Aleksey Kravchenko <rhash.admin@gmail.com>
Subject: Bug#709490: marked as done (Two disastrous bugs in RHash in Wheezy)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 15 Jun 2013 10:24:05 +0000
Message-id: <handler.709490.D709490.137129171432726.ackdone@bugs.debian.org>
References: <51BC4035.20602@gmail.com> <519E3ABC.3030702@gmail.com>

Your message dated Sat, 15 Jun 2013 17:21:41 +0700
with message-id <51BC4035.20602@gmail.com>
and subject line The bug is fixed
has caused the Debian Bug report #709490,
regarding Two disastrous bugs in RHash in Wheezy
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
709490: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709490
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: Two disastrous bugs in RHash in Wheezy
From: Aleksey <aleksey14@gmail.com>
Date: Thu, 23 May 2013 22:50:20 +0700
Message-id: <519E3ABC.3030702@gmail.com>

Package: release.debian.org

Dear stable release managers,
The RHash 1.2.9-8 utility in Wheezy contains two security bugs:

1. it incorrectly calculates SHA-512 hash sum for files of certain size;
2. it incorrectly calculates GOST hash on non-x86/amd64 CPUs on certain
messages.

Please accept the fix (see below) into security archive.

In more detail.
1. SHA-512 is incorrectly calculated for files with size
112 <= (file_size % 128) < 120.
The bug occurs only when several files are sequentually hashed.

Internal buffer of SHA-512 context was not fully cleared by zeroes, when
processing final block of data.
See also the related SF-Bug: https://sourceforge.net/p/rhash/bugs/31/

Steps to reproduce:
perl -e 'print "\xff"x112' > msg.bin
rhash --sha512 --openssl="" msg.bin msg.bin
Expected output:
91078b0922e575edeb26558219603518141f167d6edeb7dfd56225beddd5482b0ab282d4feccffbe52eeb8fa0eff9b9d331c5fc55ad0d1d4b1b71cb29f2a0060
msg.bin
91078b0922e575edeb26558219603518141f167d6edeb7dfd56225beddd5482b0ab282d4feccffbe52eeb8fa0eff9b9d331c5fc55ad0d1d4b1b71cb29f2a0060
msg.bin

2. Hashes of messages containing byte sequences of 0xFF are incorrectly
calculated on ARM and non-Intel CPU's.

Steps to reproduce (on ARM or non-Intel CPU):
perl -e 'print "\xff"x112' > msg.bin
rhash --gost msg.bin
Expected output:
c6a27541b302df03366345955c0e45be0c6ea8639e4147ec7f37b11eee9e2370 msg.bin

How two fix.
The fix is available as RHash 1.2.9-9 [1] in Testing for some time, so
it should be well tested for now.
This package contain two small patches (see attachments) backported from RHash 1.2.10.

[1] http://packages.debian.org/testing/rhash

With best wishes,
Aleksey

Description: Fix GOST on non x86 CPUs for some specific messages
 The patch fixes GOST hash calculation for some messages containg sequences of
 0xFFFFFFFF words. The patch also adds two test vectors to check for the bug:
 .
 GOST( 64 of 0xFF ) =
    13416C4EC74A63C3EC90CB1748FD462C7572C6C6B41844E48CC1184D1E916098
 GOST-CRYPTOPRO ( 64 of 0xFF ) =
    58504D26B3677E756BA3F4A9FD2F14B3BA5457066A4AA1D700659B90DCDDD3C6
 .
 Those test vectors can be verified by OpenSSL console utility 'gostsum'.
 The bug does not occur on x86 and x86-64, because on these  archs
 assembly code replaces C.

Author: Aleksey Kravchenko <rhash.admin@gmail.com>
Origin: upstream https://github.com/rhash/RHash/commit/d2f4378043d13f5e61ef408eb2c7bf021feb1b69
Forwarded: not-needed
Last-Update: 2012-12-31

---
 librhash/gost.c        | 4 ++--
 librhash/test_hashes.c | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/librhash/gost.c b/librhash/gost.c
index 0d1612c..a6d8404 100644
--- a/librhash/gost.c
+++ b/librhash/gost.c
@@ -325,10 +325,10 @@ static void rhash_gost_compute_sum_and_hash(gost_ctx * ctx, const unsigned* bloc
 
 	/* compute the 256-bit sum */
 	for(i = 0; i < 8; i++) {
-		const unsigned old = ctx->sum[i];
 		LOAD_BLOCK_LE(i);
 		ctx->sum[i] += block_le[i] + carry;
-		carry = (ctx->sum[i] < old || ctx->sum[i] < block_le[i] ? 1 : 0);
+		carry = (ctx->sum[i] < block_le[i] ? 1 :
+			ctx->sum[i] == block_le[i] ? carry : 0);
 	}
 #endif /* USE_GCC_ASM_IA32 */
 
diff --git a/librhash/test_hashes.c b/librhash/test_hashes.c
index e712493..85bdbdd 100644
--- a/librhash/test_hashes.c
+++ b/librhash/test_hashes.c
@@ -605,7 +605,9 @@ static void test_long_strings(void)
 		assert_rep_hash(tests[count].hash_id, 'a', 1000000, tests[count].expected_hash);
 	}
 
-	/* note: it would be better to check with more complex pre-generated messages */
+	/* now we verify some specific cases */
+	assert_rep_hash(RHASH_GOST, 0xFF, 64, "13416C4EC74A63C3EC90CB1748FD462C7572C6C6B41844E48CC1184D1E916098");
+	assert_rep_hash(RHASH_GOST_CRYPTOPRO, 0xFF, 64, "58504D26B3677E756BA3F4A9FD2F14B3BA5457066A4AA1D700659B90DCDDD3C6");
 
 	/* these messages verified by eMule LinkCreator (which uses eMule variant of ED2K hash) */
 	assert_rep_hash(RHASH_ED2K, 0, 9728000, "FC21D9AF828F92A8DF64BEAC3357425D");
--

Description: Fix incorrect claculation of SHA-512 for some files
 SHA-512 was not correctly calculated for files with size
   112 <= (file_size % 128) < 120.
 The bug occurs only when several files are sequentually hashed.
 .
 Internal buffer of SHA-512 context was not fully cleared by zeroes,
 when processing final block of data.
 See also SF-Bug: https://sourceforge.net/p/rhash/bugs/31/

Author: Aleksey Kravchenko <rhash.admin@gmail.com>
Origin: upstream https://github.com/rhash/RHash/commit/43acddb523a94ddc5207449e9560a504faa26e68
Forwarded: not-needed
Last-Update: 2012-12-31

---
 librhash/sha512.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/librhash/sha512.c b/librhash/sha512.c
index 0999e72..7eb55d3 100644
--- a/librhash/sha512.c
+++ b/librhash/sha512.c
@@ -238,6 +238,7 @@ void rhash_sha512_final(sha512_ctx *ctx, unsigned char* result)
 
 	/* if no room left in the message to store 64-bit message length */
 	if(index >= 15) {
+		if(index == 15) ctx->message[index] = 0;
 		rhash_sha512_process_block(ctx->hash, ctx->message);
 		index = 0;
 	}
--

--- End Message ---

--- Begin Message ---

To: 709490-done@bugs.debian.org

Subject: The bug is fixed

From: Aleksey Kravchenko <rhash.admin@gmail.com>

Date: Sat, 15 Jun 2013 17:21:41 +0700

Message-id: <51BC4035.20602@gmail.com>
Fixed in the RHash version 1.2.9-8+deb7u1 :)
Attachment: signature.asc
Description: OpenPGP digital signature

--- End Message ---

Reply to:

Prev by Date: Re: Bug#707843: gbirthday: recommends python-evolution which is no longer built
Next by Date: Processed: Re: The bug is fixed
Previous by thread: Re: Bug#707843: gbirthday: recommends python-evolution which is no longer built
Next by thread: Bug#709490: The bug is fixed
Index(es):
- Date
- Thread