1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
|
Description: Fix CVE-2013-1445
In PyCrypto before v2.6.1, the Crypto.Random pseudo-random number generator
(PRNG) exhibits a race condition that may cause it to generate the same
'random' output in multiple processes that are forked from each other.
Depending on the application, this could reveal sensitive information or
cryptographic keys to remote attackers.
.
An application may be affected if, within 100 milliseconds, it performs the
following steps:
.
1. Read from the Crypto.Random PRNG, causing an internal reseed;
2. Fork the process and invoke Crypto.Random.atfork() in the child;
3. Read from the Crypto.Random PRNG again, in at least two different
processes (parent and child, or multiple children).
.
Only applications that invoke Crypto.Random.atfork() and perform the above
steps are affected by this issue. Other applications are unaffected.
.
Note: Some PyCrypto functions, such as key generation and PKCS#1-related
functions, implicitly read from the Crypto.Random PRNG.
Origin: upstream,
https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175
Last-Update: 2013-10-17
Index: python-crypto-2.1.0/lib/Crypto/Random/Fortuna/FortunaAccumulator.py
===================================================================
--- python-crypto-2.1.0.orig/lib/Crypto/Random/Fortuna/FortunaAccumulator.py 2013-10-15 08:37:01.000000000 -0700
+++ python-crypto-2.1.0/lib/Crypto/Random/Fortuna/FortunaAccumulator.py 2013-10-15 08:37:29.000000000 -0700
@@ -103,6 +103,15 @@
self.pools = [FortunaPool() for i in range(32)] # 32 pools
assert(self.pools[0] is not self.pools[1])
+ def _forget_last_reseed(self):
+ # This is not part of the standard Fortuna definition, and using this
+ # function frequently can weaken Fortuna's ability to resist a state
+ # compromise extension attack, but we need this in order to properly
+ # implement Crypto.Random.atfork(). Otherwise, forked child processes
+ # might continue to use their parent's PRNG state for up to 100ms in
+ # some cases. (e.g. CVE-2013-1445)
+ self.last_reseed = None
+
def random_data(self, bytes):
current_time = time.time()
if self.last_reseed > current_time:
Index: python-crypto-2.1.0/lib/Crypto/Random/_UserFriendlyRNG.py
===================================================================
--- python-crypto-2.1.0.orig/lib/Crypto/Random/_UserFriendlyRNG.py 2013-10-15 08:37:01.000000000 -0700
+++ python-crypto-2.1.0/lib/Crypto/Random/_UserFriendlyRNG.py 2013-10-15 08:37:29.000000000 -0700
@@ -88,9 +88,24 @@
"""Initialize the random number generator and seed it with entropy from
the operating system.
"""
+
+ # Save the pid (helps ensure that Crypto.Random.atfork() gets called)
self._pid = os.getpid()
+
+ # Collect entropy from the operating system and feed it to
+ # FortunaAccumulator
self._ec.reinit()
+ # Override FortunaAccumulator's 100ms minimum re-seed interval. This
+ # is necessary to avoid a race condition between this function and
+ # self.read(), which that can otherwise cause forked child processes to
+ # produce identical output. (e.g. CVE-2013-1445)
+ #
+ # Note that if this function can be called frequently by an attacker,
+ # (and if the bits from OSRNG are insufficiently random) it will weaken
+ # Fortuna's ability to resist a state compromise extension attack.
+ self._fa._forget_last_reseed()
+
def close(self):
self.closed = True
self._osrng = None
Index: python-crypto-2.1.0/lib/Crypto/SelfTest/Random/__init__.py
===================================================================
--- python-crypto-2.1.0.orig/lib/Crypto/SelfTest/Random/__init__.py 2013-10-15 08:37:01.000000000 -0700
+++ python-crypto-2.1.0/lib/Crypto/SelfTest/Random/__init__.py 2013-10-15 08:37:29.000000000 -0700
@@ -32,6 +32,7 @@
import OSRNG; tests += OSRNG.get_tests(config=config)
import test_random; tests += test_random.get_tests(config=config)
import test_rpoolcompat; tests += test_rpoolcompat.get_tests(config=config)
+ import test__UserFriendlyRNG; tests += test__UserFriendlyRNG.get_tests(config=config)
return tests
if __name__ == '__main__':
Index: python-crypto-2.1.0/lib/Crypto/SelfTest/Random/test__UserFriendlyRNG.py
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ python-crypto-2.1.0/lib/Crypto/SelfTest/Random/test__UserFriendlyRNG.py 2013-10-15 08:38:29.000000000 -0700
@@ -0,0 +1,168 @@
+# -*- coding: utf-8 -*-
+# Self-tests for the user-friendly Crypto.Random interface
+#
+# Written in 2013 by Dwayne C. Litzenberger <dlitz@dlitz.net>
+#
+# ===================================================================
+# The contents of this file are dedicated to the public domain. To
+# the extent that dedication to the public domain is not available,
+# everyone is granted a worldwide, perpetual, royalty-free,
+# non-exclusive license to exercise all rights associated with the
+# contents of this file for any purpose whatsoever.
+# No rights are reserved.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# ===================================================================
+
+"""Self-test suite for generic Crypto.Random stuff """
+
+from __future__ import nested_scopes
+
+__revision__ = "$Id$"
+
+import binascii
+import pprint
+import unittest
+import os
+import time
+import sys
+
+try:
+ import multiprocessing
+except ImportError:
+ multiprocessing = None
+
+import Crypto.Random._UserFriendlyRNG
+import Crypto.Random.random
+
+class RNGForkTest(unittest.TestCase):
+
+ def _get_reseed_count(self):
+ """
+ Get `FortunaAccumulator.reseed_count`, the global count of the
+ number of times that the PRNG has been reseeded.
+ """
+ rng_singleton = Crypto.Random._UserFriendlyRNG._get_singleton()
+ rng_singleton._lock.acquire()
+ try:
+ return rng_singleton._fa.reseed_count
+ finally:
+ rng_singleton._lock.release()
+
+ def runTest(self):
+ # Regression test for CVE-2013-1445. We had a bug where, under the
+ # right conditions, two processes might see the same random sequence.
+
+ if sys.platform.startswith('win'): # windows can't fork
+ assert not hasattr(os, 'fork') # ... right?
+ return
+
+ # Wait 150 ms so that we don't trigger the rate-limit prematurely.
+ time.sleep(0.15)
+
+ reseed_count_before = self._get_reseed_count()
+
+ # One or both of these calls together should trigger a reseed right here.
+ Crypto.Random._UserFriendlyRNG._get_singleton().reinit()
+ Crypto.Random.get_random_bytes(1)
+
+ reseed_count_after = self._get_reseed_count()
+ self.assertNotEqual(reseed_count_before, reseed_count_after) # sanity check: test should reseed parent before forking
+
+ rfiles = []
+ for i in range(10):
+ rfd, wfd = os.pipe()
+ if os.fork() == 0:
+ # child
+ os.close(rfd)
+ f = os.fdopen(wfd, "wb")
+
+ Crypto.Random.atfork()
+
+ data = Crypto.Random.get_random_bytes(16)
+
+ f.write(data)
+ f.close()
+ os._exit(0)
+ # parent
+ os.close(wfd)
+ rfiles.append(os.fdopen(rfd, "rb"))
+
+ results = []
+ results_dict = {}
+ for f in rfiles:
+ data = binascii.hexlify(f.read())
+ results.append(data)
+ results_dict[data] = 1
+ f.close()
+
+ if len(results) != len(results_dict.keys()):
+ raise AssertionError("RNG output duplicated across fork():\n%s" %
+ (pprint.pformat(results)))
+
+
+# For RNGMultiprocessingForkTest
+def _task_main(q):
+ a = Crypto.Random.get_random_bytes(16)
+ time.sleep(0.1) # wait 100 ms
+ b = Crypto.Random.get_random_bytes(16)
+ q.put(binascii.b2a_hex(a))
+ q.put(binascii.b2a_hex(b))
+ q.put(None) # Wait for acknowledgment
+
+
+class RNGMultiprocessingForkTest(unittest.TestCase):
+
+ def runTest(self):
+ # Another regression test for CVE-2013-1445. This is basically the
+ # same as RNGForkTest, but less compatible with old versions of Python,
+ # and a little easier to read.
+
+ n_procs = 5
+ manager = multiprocessing.Manager()
+ queues = [manager.Queue(1) for i in range(n_procs)]
+
+ # Reseed the pool
+ time.sleep(0.15)
+ Crypto.Random._UserFriendlyRNG._get_singleton().reinit()
+ Crypto.Random.get_random_bytes(1)
+
+ # Start the child processes
+ pool = multiprocessing.Pool(processes=n_procs, initializer=Crypto.Random.atfork)
+ map_result = pool.map_async(_task_main, queues)
+
+ # Get the results, ensuring that no pool processes are reused.
+ aa = [queues[i].get(30) for i in range(n_procs)]
+ bb = [queues[i].get(30) for i in range(n_procs)]
+ res = list(zip(aa, bb))
+
+ # Shut down the pool
+ map_result.get(30)
+ pool.close()
+ pool.join()
+
+ # Check that the results are unique
+ if len(set(aa)) != len(aa) or len(set(res)) != len(res):
+ raise AssertionError("RNG output duplicated across fork():\n%s" %
+ (pprint.pformat(res),))
+
+
+def get_tests(config={}):
+ tests = []
+ tests += [RNGForkTest()]
+ if multiprocessing is not None:
+ tests += [RNGMultiprocessingForkTest()]
+ return tests
+
+if __name__ == '__main__':
+ suite = lambda: unittest.TestSuite(get_tests())
+ unittest.main(defaultTest='suite')
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
|
