gnupg-0.9.1 -- bug in cipher/rndunix.c

Steven Bakker steven at icoe.att.com
Wed Jan 20 12:09:06 CET 1999 

Hi folks,

  I recently downloaded gnupg-0.9.1 and compiled it on my Solaris
7 box (gcc v2.8.1).  I ran "gpg --gen-key" and after entering my
pass phrase, gpg entered an infinite loop.  I managed to track
this down to gather_random() in cipher/rndunix.c.

Consider the (snipped) code below:

   672  static int
   673  gather_random( void (*add)(const void*, size_t, int), int requester,
   674                 size_t length, int level )
   675  {

	...

   703      while( length ) {

   	...

   732          n = msg.ndata;
   733          if( n > length )
   734              n = length;
   735          (*add)( msg.data, n, requester );
   736
   737          /* this is the trick how e cope with the goodness */
   738          length -= (ulong)n * goodness / 100;
   739      }

Now, if the remaining length is 1 (happened to me), the following
happens:

	msg.ndata == 500
	goodness  == 86
	length    == 1

   732          n = msg.ndata;

	goodness  == 86
	length    == 1
	n         == 500

   733          if( n > length )
   734              n = length;

	goodness  == 86
	length    == 1
	n         == 1

   735          (*add)( msg.data, n, requester );
   736
   737          /* this is the trick how e cope with the goodness */
   738          length -= (ulong)n * goodness / 100;

	(ulong)n * goodness / 100 == 0
	length == 1

   739      }

Result: infinite loop.
There are two ways around this:

-----
   737      {
   738		/* This is the trick how we cope with the goodness. */
   739 		ulong subtract = (ulong)n * goodness / 100;
   740          length -= subtract ? subtract : 1;
   741      }
-----

Or:

-----
   737      {
   738		/* This is the trick how we cope with the goodness. */
   739 		ulong subtract = (ulong)msg.ndata * goodness / 100;
   740          length -= subtract <= length ? subtract : length;
   741      }
-----

The second one tends to use less iterations (with high goodness and low
length, one iteration is usually enough), while the first one typically
takes more (in my case 4 versus 1).

I chose to use the first, on the assumption that more iterations give
me more randomness, but that's more a gut feeling than anything else.
Either way it works.

Lemme know if I'm completely off (or marginally right).

Cheers,
Steven

More information about the Gnupg-devel mailing list