144 lines
3.3 KiB
Diff
144 lines
3.3 KiB
Diff
|
From 8044880840bcde6f15a078e267cf163072ac1878 Mon Sep 17 00:00:00 2001
|
|||
|
From: Benjamin Tissoires <benjamin.tissoires@gmail.com>
|
|||
|
Date: Tue, 4 Apr 2017 19:12:53 +0200
|
|||
|
Subject: [PATCH libICE 1/2] Use getentropy() if arc4random_buf() is not
|
|||
|
available
|
|||
|
|
|||
|
This allows to fix CVE-2017-2626 on Linux platforms without pulling in
|
|||
|
libbsd.
|
|||
|
The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
|
|||
|
For Linux, we need at least a v3.17 kernel. If the recommended
|
|||
|
arc4random_buf() function is not available, emulate it by first trying
|
|||
|
to use getentropy() on a supported glibc and kernel. If the call fails,
|
|||
|
fall back to the current (partly vulnerable) code.
|
|||
|
|
|||
|
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
|
|||
|
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
|
|||
|
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|||
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|||
|
---
|
|||
|
configure.ac | 2 +-
|
|||
|
src/iceauth.c | 65 ++++++++++++++++++++++++++++++++++++++++++-----------------
|
|||
|
2 files changed, 47 insertions(+), 20 deletions(-)
|
|||
|
|
|||
|
diff --git a/configure.ac b/configure.ac
|
|||
|
index 458882a..c971ab6 100644
|
|||
|
--- a/configure.ac
|
|||
|
+++ b/configure.ac
|
|||
|
@@ -38,7 +38,7 @@ AC_DEFINE(ICE_t, 1, [Xtrans transport type])
|
|||
|
|
|||
|
# Checks for library functions.
|
|||
|
AC_CHECK_LIB([bsd], [arc4random_buf])
|
|||
|
-AC_CHECK_FUNCS([asprintf arc4random_buf])
|
|||
|
+AC_CHECK_FUNCS([asprintf arc4random_buf getentropy])
|
|||
|
|
|||
|
# Allow checking code with lint, sparse, etc.
|
|||
|
XORG_WITH_LINT
|
|||
|
diff --git a/src/iceauth.c b/src/iceauth.c
|
|||
|
index ef66626..9b77eac 100644
|
|||
|
--- a/src/iceauth.c
|
|||
|
+++ b/src/iceauth.c
|
|||
|
@@ -42,31 +42,19 @@ Author: Ralph Mor, X Consortium
|
|||
|
|
|||
|
static int was_called_state;
|
|||
|
|
|||
|
-/*
|
|||
|
- * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
|
|||
|
- * the SI. It is not part of standard ICElib.
|
|||
|
- */
|
|||
|
+#ifndef HAVE_ARC4RANDOM_BUF
|
|||
|
|
|||
|
-
|
|||
|
-char *
|
|||
|
-IceGenerateMagicCookie (
|
|||
|
+static void
|
|||
|
+emulate_getrandom_buf (
|
|||
|
+ char *auth,
|
|||
|
int len
|
|||
|
)
|
|||
|
{
|
|||
|
- char *auth;
|
|||
|
-#ifndef HAVE_ARC4RANDOM_BUF
|
|||
|
long ldata[2];
|
|||
|
int seed;
|
|||
|
int value;
|
|||
|
int i;
|
|||
|
-#endif
|
|||
|
|
|||
|
- if ((auth = malloc (len + 1)) == NULL)
|
|||
|
- return (NULL);
|
|||
|
-
|
|||
|
-#ifdef HAVE_ARC4RANDOM_BUF
|
|||
|
- arc4random_buf(auth, len);
|
|||
|
-#else
|
|||
|
#ifdef ITIMER_REAL
|
|||
|
{
|
|||
|
struct timeval now;
|
|||
|
@@ -74,13 +62,13 @@ IceGenerateMagicCookie (
|
|||
|
ldata[0] = now.tv_sec;
|
|||
|
ldata[1] = now.tv_usec;
|
|||
|
}
|
|||
|
-#else
|
|||
|
+#else /* ITIMER_REAL */
|
|||
|
{
|
|||
|
long time ();
|
|||
|
ldata[0] = time ((long *) 0);
|
|||
|
ldata[1] = getpid ();
|
|||
|
}
|
|||
|
-#endif
|
|||
|
+#endif /* ITIMER_REAL */
|
|||
|
seed = (ldata[0]) + (ldata[1] << 16);
|
|||
|
srand (seed);
|
|||
|
for (i = 0; i < len; i++)
|
|||
|
@@ -88,7 +76,46 @@ IceGenerateMagicCookie (
|
|||
|
value = rand ();
|
|||
|
auth[i] = value & 0xff;
|
|||
|
}
|
|||
|
-#endif
|
|||
|
+}
|
|||
|
+
|
|||
|
+static void
|
|||
|
+arc4random_buf (
|
|||
|
+ char *auth,
|
|||
|
+ int len
|
|||
|
+)
|
|||
|
+{
|
|||
|
+ int ret;
|
|||
|
+
|
|||
|
+#if HAVE_GETENTROPY
|
|||
|
+ /* weak emulation of arc4random through the entropy libc */
|
|||
|
+ ret = getentropy (auth, len);
|
|||
|
+ if (ret == 0)
|
|||
|
+ return;
|
|||
|
+#endif /* HAVE_GETENTROPY */
|
|||
|
+
|
|||
|
+ emulate_getrandom_buf (auth, len);
|
|||
|
+}
|
|||
|
+
|
|||
|
+#endif /* !defined(HAVE_ARC4RANDOM_BUF) */
|
|||
|
+
|
|||
|
+/*
|
|||
|
+ * MIT-MAGIC-COOKIE-1 is a sample authentication method implemented by
|
|||
|
+ * the SI. It is not part of standard ICElib.
|
|||
|
+ */
|
|||
|
+
|
|||
|
+
|
|||
|
+char *
|
|||
|
+IceGenerateMagicCookie (
|
|||
|
+ int len
|
|||
|
+)
|
|||
|
+{
|
|||
|
+ char *auth;
|
|||
|
+
|
|||
|
+ if ((auth = malloc (len + 1)) == NULL)
|
|||
|
+ return (NULL);
|
|||
|
+
|
|||
|
+ arc4random_buf (auth, len);
|
|||
|
+
|
|||
|
auth[len] = '\0';
|
|||
|
return (auth);
|
|||
|
}
|
|||
|
--
|
|||
|
2.9.3
|
|||
|
|