oss-sec mailing list archives
Re: CVE Request: static IV used in Percona XtraBackup
From: Florian Weimer <fweimer () redhat com>
Date: Tue, 26 Nov 2013 19:17:40 +0100
On 11/26/2013 11:52 AM, Marcus Meissner wrote:
Hi,

This came to our desk:
https://bugzilla.novell.com/show_bug.cgi?id=852224
https://bugs.launchpad.net/percona-xtrabackup/+bug/1185343

constant IV used in CTR Mode, allowing plaintext retrieval attacks.
I suppose this is part of the fix.
+void
+xb_crypt_init_iv()
+{
+ uint seed = time(NULL);
+ srandom(seed);
+}
+
+void
+xb_crypt_create_iv(void* ivbuf, size_t ivlen)
+{
+ size_t i;
+ ulong rndval;
+
+ for (i = 0; i < ivlen; i++) {
+ if (i % 4 == 0) {
+ rndval = (ulong) random();
+ }
+ ((uchar*)ivbuf)[i] = ((uchar*)&rndval)[i % 4];
+ }
+}
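Review bot: xb_crypt_init_iv() seeds random() with time(NULL), and random() is a general-purpose generator rather than a cryptographic one, so every IV produced by xb_crypt_create_iv() is determined by the second in which the process started. The byte copy ((uchar*)&rndval)[i % 4] also makes the output depend on the size and byte order of ulong, and rndval is read through a pointer cast instead of being serialized explicitly. Suggest filling ivbuf directly from the operating system's or the crypto library's random source, dropping the srandom() seeding, and adding a comment that states the IV must never repeat under the same key.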
This still risks keystream reuse because time() is fairly coarse.
What's worse, on 64-bit big-endian architectures, it results in a
constant zero IV because RAND_MAX is not large enough to reach the upper
32 bits in the first four bytes of the rndval variable.
-- Florian Weimer / Red Hat Product Security Team
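Added example, not part of the original message or of XtraBackup's code: a C model of the quoted IV loop that reproduces the two problems described above on any host. The helper names, the 16-byte IV length and the use of `uint64_t` with an explicit byte order to stand in for a 64-bit `ulong` are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE            /* exposes random()/srandom() in glibc */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the quoted xb_crypt_create_iv() loop. rndval is kept as
 * a 64-bit value and laid out in an explicit byte order, so both layouts of a
 * 64-bit ulong can be reproduced on any host. */
static void model_create_iv(unsigned char *iv, size_t ivlen, int big_endian)
{
    uint64_t rndval;
    unsigned char mem[8] = {0};
    size_t i;
    int b;

    for (i = 0; i < ivlen; i++) {
        if (i % 4 == 0) {
            rndval = (uint64_t) random();   /* never exceeds 2^31 - 1 */
            for (b = 0; b < 8; b++)         /* in-memory image of rndval */
                mem[big_endian ? 7 - b : b] = (unsigned char)(rndval >> (8 * b));
        }
        iv[i] = mem[i % 4];                 /* the patch reads bytes 0..3 only */
    }
}

/* Returns 1 if every byte of a 16-byte IV is zero for this seed and layout. */
int iv_is_all_zero(unsigned seed, int big_endian)
{
    unsigned char iv[16];                   /* assumed IV length */
    size_t i;

    srandom(seed);
    model_create_iv(iv, sizeof iv, big_endian);
    for (i = 0; i < sizeof iv; i++)
        if (iv[i] != 0)
            return 0;
    return 1;
}

/* Returns 1 if two processes seeded with the same time() value get one IV. */
int same_second_same_iv(unsigned seed)
{
    unsigned char a[16], b[16];

    srandom(seed);
    model_create_iv(a, sizeof a, 0);
    srandom(seed);
    model_create_iv(b, sizeof b, 0);
    return memcmp(a, b, sizeof a) == 0;
}
```

Calling `iv_is_all_zero(seed, 1)` models the 64-bit big-endian layout and `iv_is_all_zero(seed, 0)` the little-endian one; `same_second_same_iv(seed)` models two runs started within the same second.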
