Package: p7zip Version: 9.20.1~dfsg.1-4.1+deb8u3 Severity: normal Tags: security patch
-- System Information: Distributor ID: Raspbian Description: Raspbian GNU/Linux 8.0 (jessie) Release: 8.0 Codename: jessie Architecture: armv6l Kernel: Linux 4.14.90+ Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages p7zip depends on: ii libc6 2.19-18+deb8u10 ii libgcc1 1:4.9.2-10+deb8u2 ii libstdc++6 4.9.2-10+deb8u2 p7zip recommends no packages. Versions of packages p7zip suggests: pn p7zip-full <none> -- no debconf information
>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek <m...@semihalf.com>
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG used for AES IV.

Mix in OS randomness for RNG seed. Increase KDF iterations from 1000 to 10000 to get it closer to modern standards. Use full 16 bytes for AES IV instead of just 8.
---
 CPP/7zip/Crypto/7zAes.cpp   | 2 +-
 CPP/7zip/Crypto/RandGen.cpp | 9 +++++++++
 CPP/7zip/Crypto/WzAes.cpp   | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CPP/7zip/Crypto/7zAes.cpp b/CPP/7zip/Crypto/7zAes.cpp
index d33b562..64fe7b6 100644
--- a/CPP/7zip/Crypto/7zAes.cpp
+++ b/CPP/7zip/Crypto/7zAes.cpp
@@ -164,7 +164,7 @@ STDMETHODIMP CEncoder::ResetInitVector()
 {
   for (unsigned i = 0; i < sizeof(_iv); i++)
     _iv[i] = 0;
-  _ivSize = 8;
+  _ivSize = 16;
   g_RandomGenerator.Generate(_iv, _ivSize);
   return S_OK;
 }
diff --git a/CPP/7zip/Crypto/RandGen.cpp b/CPP/7zip/Crypto/RandGen.cpp
index f5ea31f..c141806 100644
--- a/CPP/7zip/Crypto/RandGen.cpp
+++ b/CPP/7zip/Crypto/RandGen.cpp
@@ -10,6 +10,8 @@
 #ifndef _WIN32
 #include <unistd.h>
+#include <sys/random.h>
+#include <stdint.h>
 #define USE_POSIX_TIME
 #define USE_POSIX_TIME2
 #endif
@@ -58,6 +60,13 @@ void CRandomGenerator::Init()
   LARGE_INTEGER v;
   if (::QueryPerformanceCounter(&v))
     HASH_UPD(v.QuadPart);
+  #else
+  // get real randomness from the OS and mix it in
+  uint64_t randbytes;
+  ssize_t rv = 0;
+  while (rv != sizeof(randbytes))
+    rv = getrandom((void *)&randbytes, sizeof(randbytes), 0);
+  HASH_UPD(randbytes);
   #endif
 
   #ifdef USE_POSIX_TIME
diff --git a/CPP/7zip/Crypto/WzAes.cpp b/CPP/7zip/Crypto/WzAes.cpp
index 4572f06..db81a39 100644
--- a/CPP/7zip/Crypto/WzAes.cpp
+++ b/CPP/7zip/Crypto/WzAes.cpp
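Review bot: `_ivSize = 16` is only safe if `_iv` really holds 16 bytes and the property writer emits all of them; the hunk zeroes `sizeof(_iv)` bytes but the declaration and `WriteCoderProperties` are outside it. As far as I recall the 7z AES coder properties store the IV length as a 4-bit `ivSize - 1` field, so 16 is representable and decoders that take the length from the properties should still open such archives, but this needs confirming against the decoder in the same file and against older 7-Zip/p7zip readers, since archives written here must stay interoperable. I would also record the reason at the assignment: `_ivSize = 16; // full AES-CBC block: 8 random bytes + 8 zero bytes gave only 2^64 distinct IVs`. ResetInitVector is fully inside the hunk.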
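Review bot: `#include <sys/random.h>` exists only in glibc 2.25 and later, while the package this report is against depends on libc6 2.19 (jessie, per the dependency list above), so the patch will not build there and is also wrong for other `#ifndef _WIN32` targets p7zip builds on (macOS, the BSDs, older musl) that lack either the header or `getrandom`. Gate it on what is actually available rather than on "not Windows": `#if defined(__GLIBC__) && __GLIBC_PREREQ(2, 25)` (or a configure check) around the include and the call site, with `syscall(SYS_getrandom, ...)` from `<sys/syscall.h>` or a `/dev/urandom` read as the fallback. Minor: this is a C++ file, so `<cstdint>` is the conventional spelling, though `<stdint.h>` works.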
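Review bot: The retry loop `while (rv != sizeof(randbytes)) rv = getrandom(...)` spins forever when getrandom fails persistently: a failed call returns -1, which never equals 8, and it is retried without consulting errno, so on a kernel without the syscall (ENOSYS on anything before 3.17, which includes jessie's stock 3.16) or on EFAULT/EINVAL every encryption hangs. Only EINTR/EAGAIN should be retried; any other error should fall through to the existing pid/time sources, and the signed/unsigned comparison of `ssize_t` against `sizeof` goes away with a byte counter. Separately, 8 bytes is a weak seed for a generator that hashes into a 256-bit SHA-256 state — IVs and salts then carry at most 64 bits of OS entropy — so pull 32 bytes, which costs nothing. This needs `<errno.h>`, and it assumes `HASH_UPD` hashes `sizeof(x)` bytes of its argument (so an array works) and that the new `#else` pairs with an `#ifdef _WIN32` above the hunk; both are outside the hunk and should be confirmed.
```cpp
  #else
  // Mix in OS entropy: 32 bytes so the seed carries as much as the SHA-256 state.
  // Retry only EINTR/EAGAIN; on any other error (e.g. ENOSYS on a kernel without
  // getrandom) stop and fall back to the pid/time sources below instead of spinning.
  unsigned char randbytes[32] = { 0 };
  size_t got = 0;
  while (got < sizeof(randbytes))
  {
    ssize_t rv = getrandom(randbytes + got, sizeof(randbytes) - got, 0);
    if (rv < 0)
    {
      if (errno == EINTR || errno == EAGAIN)
        continue;
      break;
    }
    got += (size_t)rv;
  }
  HASH_UPD(randbytes);
  #endif
```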
@@ -24,7 +24,7 @@ namespace NWzAes {
 
 const unsigned kAesKeySizeMax = 32;
 
-static const UInt32 kNumKeyGenIterations = 1000;
+static const UInt32 kNumKeyGenIterations = 10000;
 
 STDMETHODIMP CBaseCoder::CryptoSetPassword(const Byte *data, UInt32 size)
 {
-- 
2.17.1
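Review bot: Raising `kNumKeyGenIterations` to 10000 breaks interoperability rather than hardening anything: the WinZip AE-1/AE-2 format fixes the PBKDF2 iteration count at 1000 and does not record it in the archive, so no other reader can know which count was used. Because the constant is consumed in `CBaseCoder::CryptoSetPassword`, which presumably serves both the encoder and the decoder, p7zip would write AES zips nothing else can open and fail to open every AES zip produced by WinZip, 7-Zip or libzip, surfacing as a wrong-password error rather than a clear diagnostic. Keep `static const UInt32 kNumKeyGenIterations = 1000; // fixed by the WinZip AE-x spec and not stored in the archive; changing it breaks interop` and, if a stronger KDF is the goal, point users at the 7z format, whose AES coder as I recall records its iteration count in the coder properties. CryptoSetPassword's body continues outside the hunk.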
>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek <m...@semihalf.com>
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG used for AES IV.

Mix in OS randomness for RNG seed. Increase KDF iterations from 1000 to 10000 to get it closer to modern standards. Use full 16 bytes for AES IV instead of just 8.
---
 CPP/7zip/Crypto/7zAes.cpp   | 2 +-
 CPP/7zip/Crypto/RandGen.cpp | 9 +++++++++
 CPP/7zip/Crypto/WzAes.cpp   | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CPP/7zip/Crypto/7zAes.cpp b/CPP/7zip/Crypto/7zAes.cpp
index d33b562..64fe7b6 100644
--- a/CPP/7zip/Crypto/7zAes.cpp
+++ b/CPP/7zip/Crypto/7zAes.cpp
@@ -164,7 +164,7 @@ STDMETHODIMP CEncoder::ResetInitVector()
 {
   for (unsigned i = 0; i < sizeof(_iv); i++)
     _iv[i] = 0;
-  _ivSize = 8;
+  _ivSize = 16;
   g_RandomGenerator.Generate(_iv, _ivSize);
   return S_OK;
 }
diff --git a/CPP/7zip/Crypto/RandGen.cpp b/CPP/7zip/Crypto/RandGen.cpp
index f5ea31f..c141806 100644
--- a/CPP/7zip/Crypto/RandGen.cpp
+++ b/CPP/7zip/Crypto/RandGen.cpp
@@ -10,6 +10,8 @@
 #ifndef _WIN32
 #include <unistd.h>
+#include <sys/random.h>
+#include <stdint.h>
 #define USE_POSIX_TIME
 #define USE_POSIX_TIME2
 #endif
@@ -58,6 +60,13 @@ void CRandomGenerator::Init()
   LARGE_INTEGER v;
   if (::QueryPerformanceCounter(&v))
     HASH_UPD(v.QuadPart);
+  #else
+  // get real randomness from the OS and mix it in
+  uint64_t randbytes;
+  ssize_t rv = 0;
+  while (rv != sizeof(randbytes))
+    rv = getrandom((void *)&randbytes, sizeof(randbytes), 0);
+  HASH_UPD(randbytes);
   #endif
 
   #ifdef USE_POSIX_TIME
diff --git a/CPP/7zip/Crypto/WzAes.cpp b/CPP/7zip/Crypto/WzAes.cpp
index 4572f06..db81a39 100644
--- a/CPP/7zip/Crypto/WzAes.cpp
+++ b/CPP/7zip/Crypto/WzAes.cpp
@@ -24,7 +24,7 @@ namespace NWzAes {
 
 const unsigned kAesKeySizeMax = 32;
 
-static const UInt32 kNumKeyGenIterations = 1000;
+static const UInt32 kNumKeyGenIterations = 10000;
 
 STDMETHODIMP CBaseCoder::CryptoSetPassword(const Byte *data, UInt32 size)
 {
-- 
2.17.1
>From eb9809b3236084fbfbdcdd4f7c5b7fe0fcd6524c Mon Sep 17 00:00:00 2001
From: Michal Stanek <m...@semihalf.com>
Date: Tue, 12 Feb 2019 23:54:51 +0100
Subject: [PATCH] Fix cryptography weaknesses in KDF and the RNG used for AES IV.

Mix in OS randomness for RNG seed. Increase KDF iterations from 1000 to 10000 to get it closer to modern standards. Use full 16 bytes for AES IV instead of just 8.
---
 CPP/7zip/Crypto/7zAes.cpp   | 2 +-
 CPP/7zip/Crypto/RandGen.cpp | 9 +++++++++
 CPP/7zip/Crypto/WzAes.cpp   | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CPP/7zip/Crypto/7zAes.cpp b/CPP/7zip/Crypto/7zAes.cpp
index d33b562..64fe7b6 100644
--- a/CPP/7zip/Crypto/7zAes.cpp
+++ b/CPP/7zip/Crypto/7zAes.cpp
@@ -164,7 +164,7 @@ STDMETHODIMP CEncoder::ResetInitVector()
 {
   for (unsigned i = 0; i < sizeof(_iv); i++)
     _iv[i] = 0;
-  _ivSize = 8;
+  _ivSize = 16;
   g_RandomGenerator.Generate(_iv, _ivSize);
   return S_OK;
 }
diff --git a/CPP/7zip/Crypto/RandGen.cpp b/CPP/7zip/Crypto/RandGen.cpp
index f5ea31f..c141806 100644
--- a/CPP/7zip/Crypto/RandGen.cpp
+++ b/CPP/7zip/Crypto/RandGen.cpp
@@ -10,6 +10,8 @@
 #ifndef _WIN32
 #include <unistd.h>
+#include <sys/random.h>
+#include <stdint.h>
 #define USE_POSIX_TIME
 #define USE_POSIX_TIME2
 #endif
@@ -58,6 +60,13 @@ void CRandomGenerator::Init()
   LARGE_INTEGER v;
   if (::QueryPerformanceCounter(&v))
     HASH_UPD(v.QuadPart);
+  #else
+  // get real randomness from the OS and mix it in
+  uint64_t randbytes;
+  ssize_t rv = 0;
+  while (rv != sizeof(randbytes))
+    rv = getrandom((void *)&randbytes, sizeof(randbytes), 0);
+  HASH_UPD(randbytes);
   #endif
 
   #ifdef USE_POSIX_TIME
diff --git a/CPP/7zip/Crypto/WzAes.cpp b/CPP/7zip/Crypto/WzAes.cpp
index 4572f06..db81a39 100644
--- a/CPP/7zip/Crypto/WzAes.cpp
+++ b/CPP/7zip/Crypto/WzAes.cpp
@@ -24,7 +24,7 @@ namespace NWzAes {
 
 const unsigned kAesKeySizeMax = 32;
 
-static const UInt32 kNumKeyGenIterations = 1000;
+static const UInt32 kNumKeyGenIterations = 10000;
 
 STDMETHODIMP CBaseCoder::CryptoSetPassword(const Byte *data, UInt32 size)
 {
-- 
2.17.1