rpms/libgcrypt
7
0
Fork 0
Code Issues Pull Requests Releases Activity

allow empty passphrase in PBKDF2 needed for cryptsetup (=891266)

Browse Source
This commit is contained in:
Tomas Mraz 2013-01-03 14:54:02 +01:00
parent 07b385d5db
commit 02a80de472
2 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
libgcrypt-1.5.0-empty-passphrase.patch Normal file
View File

@ -0,0 +1,54 @@
commit 8528f1ba40e587dc17e02822e529fbd7ac69a189
Author: Milan Broz <mbroz@redhat.com>
Date: Mon Oct 29 17:18:09 2012 +0100
PBKDF2: Allow empty passphrase.
* cipher/kdf.c (gcry_kdf_derive): Allow empty passphrase for PBKDF2.
* tests/t-kdf.c (check_pbkdf2): Add test case for above.
--
While it is insecure, the PBKDF2 implementations usually
allows to derive key only from salt.
This particular case is used e.g. in cryptsetup when
you use empty file as keyfile for LUKS keyslot.
Test vector is compared with two independent implementations.
Signed-off-by: Milan Broz <mbroz@redhat.com>
diff --git a/cipher/kdf.c b/cipher/kdf.c
index d981022..46e8550 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -238,7 +238,7 @@ gcry_kdf_derive (const void *passphrase, size_t passphraselen,
{
gpg_err_code_t ec;
- if (!passphrase || !passphraselen)
+ if (!passphrase || (!passphraselen && algo != GCRY_KDF_PBKDF2))
{
ec = GPG_ERR_INV_DATA;
goto leave;
diff --git a/tests/t-kdf.c b/tests/t-kdf.c
index 7209525..06c0026 100644
--- a/tests/t-kdf.c
+++ b/tests/t-kdf.c
@@ -917,7 +917,15 @@ check_pbkdf2 (void)
16,
"\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37"
"\xd7\xf0\x34\x25\xe0\xc3"
- }
+ },
+ { /* empty password test, not in RFC-6070 */
+ "", 0,
+ "salt", 4,
+ 2,
+ 20,
+ "\x13\x3a\x4c\xe8\x37\xb4\xd2\x52\x1e\xe2"
+ "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97"
+ },
};
int tvidx;
gpg_error_t err;

8
libgcrypt.spec
View File

@ -1,6 +1,6 @@
Name: libgcrypt Name: libgcrypt
Version: 1.5.0 Version: 1.5.0
Release: 8%{?dist} Release: 9%{?dist}
URL: http://www.gnupg.org/ URL: http://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.bz2 Source0: libgcrypt-%{version}-hobbled.tar.bz2
# The original libgcrypt sources now contain potentially patented ECC # The original libgcrypt sources now contain potentially patented ECC
@ -25,6 +25,8 @@ Patch7: libgcrypt-1.5.0-fips-cavs.patch
Patch8: libgcrypt-1.5.0-set-enforced-mode.patch Patch8: libgcrypt-1.5.0-set-enforced-mode.patch
# fix for memory leaks an other errors found by Coverity scan # fix for memory leaks an other errors found by Coverity scan
Patch9: libgcrypt-1.5.0-leak.patch Patch9: libgcrypt-1.5.0-leak.patch
# allow empty passphrase (upstreamed)
Patch10: libgcrypt-1.5.0-empty-passphrase.patch
# Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction. # Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
# Documentation and some utilities are GPLv2+ licensed. These files # Documentation and some utilities are GPLv2+ licensed. These files
@ -66,6 +68,7 @@ applications using libgcrypt.
%patch7 -p1 -b .cavs %patch7 -p1 -b .cavs
%patch8 -p1 -b .enforce %patch8 -p1 -b .enforce
%patch9 -p1 -b .leak %patch9 -p1 -b .leak
%patch10 -p1 -b .emptypass
mv AUTHORS AUTHORS.iso88591 mv AUTHORS AUTHORS.iso88591
iconv -f ISO-8859-1 -t UTF-8 AUTHORS.iso88591 >AUTHORS iconv -f ISO-8859-1 -t UTF-8 AUTHORS.iso88591 >AUTHORS
@ -179,6 +182,9 @@ exit 0
%doc COPYING %doc COPYING
%changelog %changelog
* Thu Jan 3 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-9
- allow empty passphrase in PBKDF2 needed for cryptsetup (=891266)
* Mon Dec 3 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-8 * Mon Dec 3 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-8
- fix multilib conflict in libgcrypt-config - fix multilib conflict in libgcrypt-config
- fix minor memory leaks and other bugs found by Coverity scan - fix minor memory leaks and other bugs found by Coverity scan