From a6852c93138f3c4596fb4df8bce5b7d19ef50478 Mon Sep 17 00:00:00 2001
From: Giulio Cesare Solaroli <giulio.cesare@clipperz.com>
Date: Thu, 19 Jun 2014 10:32:07 +0000
Subject: Mitigation for vulnerability CLP-01-018
---
(limited to 'frontend/beta/js/Clipperz/Crypto/PRNG.js')
diff --git a/frontend/beta/js/Clipperz/Crypto/PRNG.js b/frontend/beta/js/Clipperz/Crypto/PRNG.js
index b5c3f8a..92966d0 100644
--- a/frontend/beta/js/Clipperz/Crypto/PRNG.js
+++ b/frontend/beta/js/Clipperz/Crypto/PRNG.js
@@ -197,12 +197,6 @@ Clipperz.Crypto.PRNG.TimeRandomnessSource.prototype = MochiKit.Base.update(new C
},
//-------------------------------------------------------------------------
-
- 'pollingFrequency': function() {
- return 10;
- },
-
- //-------------------------------------------------------------------------
__syntaxFix__: "syntax fix"
});
@@ -245,12 +239,12 @@ Clipperz.Crypto.PRNG.MouseRandomnessSource.prototype = MochiKit.Base.update(new
var numberOfRandomBitsCollected;
numberOfRandomBitsCollected = this.numberOfRandomBitsCollected();
- collectetBits = this.randomBitsCollector() | (aValue << numberOfRandomBitsCollected);
- this.setRandomBitsCollector(collectetBits);
+ collectedBits = this.randomBitsCollector() | (aValue << numberOfRandomBitsCollected);
+ this.setRandomBitsCollector(collectedBits);
numberOfRandomBitsCollected += this.numberOfBitsToCollectAtEachEvent();
if (numberOfRandomBitsCollected == 8) {
- this.updateGeneratorWithValue(collectetBits);
+ this.updateGeneratorWithValue(collectedBits);
numberOfRandomBitsCollected = 0;
this.setRandomBitsCollector(0);
}
@@ -289,96 +283,54 @@ Clipperz.Crypto.PRNG.MouseRandomnessSource.prototype = MochiKit.Base.update(new
},
//-------------------------------------------------------------------------
-
- 'pollingFrequency': function() {
- return 10;
- },
-
- //-------------------------------------------------------------------------
__syntaxFix__: "syntax fix"
});
//*****************************************************************************
-Clipperz.Crypto.PRNG.KeyboardRandomnessSource = function(args) {
+Clipperz.Crypto.PRNG.CryptoRandomRandomnessSource = function(args) {
args = args || {};
- Clipperz.Crypto.PRNG.RandomnessSource.call(this, args);
- this._randomBitsCollector = 0;
- this._numberOfRandomBitsCollected = 0;
+ this._intervalTime = args.intervalTime || 1000;
+ this._browserCrypto = args.browserCrypto;
- MochiKit.Signal.connect(document, 'onkeypress', this, 'collectEntropy');
+ Clipperz.Crypto.PRNG.RandomnessSource.call(this, args);
+ this.collectEntropy();
return this;
}
-Clipperz.Crypto.PRNG.KeyboardRandomnessSource.prototype = MochiKit.Base.update(new Clipperz.Crypto.PRNG.RandomnessSource, {
-
- //-------------------------------------------------------------------------
-
- 'randomBitsCollector': function() {
- return this._randomBitsCollector;
- },
+Clipperz.Crypto.PRNG.CryptoRandomRandomnessSource.prototype = MochiKit.Base.update(new Clipperz.Crypto.PRNG.RandomnessSource, {
- 'setRandomBitsCollector': function(aValue) {
- this._randomBitsCollector = aValue;
+ 'intervalTime': function() {
+ return this._intervalTime;
},
-
- 'appendRandomBitToRandomBitsCollector': function(aValue) {
- var collectedBits;
- var numberOfRandomBitsCollected;
-
- numberOfRandomBitsCollected = this.numberOfRandomBitsCollected();
- collectetBits = this.randomBitsCollector() | (aValue << numberOfRandomBitsCollected);
- this.setRandomBitsCollector(collectetBits);
- numberOfRandomBitsCollected ++;
-
- if (numberOfRandomBitsCollected == 8) {
- this.updateGeneratorWithValue(collectetBits);
- numberOfRandomBitsCollected = 0;
- this.setRandomBitsCollector(0);
- }
-
- this.setNumberOfRandomBitsCollected(numberOfRandomBitsCollected)
+
+ 'browserCrypto': function () {
+ return this._browserCrypto;
},
//-------------------------------------------------------------------------
- 'numberOfRandomBitsCollected': function() {
- return this._numberOfRandomBitsCollected;
- },
-
- 'setNumberOfRandomBitsCollected': function(aValue) {
- this._numberOfRandomBitsCollected = aValue;
- },
+ 'collectEntropy': function() {
+ var bytesToCollect;
- //-------------------------------------------------------------------------
+ if (this.boostMode() == true) {
+ bytesToCollect = 8;
+ } else {
+ bytesToCollect = 32;
+ }
- 'collectEntropy': function(anEvent) {
-/*
- var mouseLocation;
- var randomBit;
-
- mouseLocation = anEvent.mouse().client;
-
- randomBit = ((mouseLocation.x ^ mouseLocation.y) & 0x1);
- this.appendRandomBitToRandomBitsCollector(randomBit);
-*/
- },
-
- //-------------------------------------------------------------------------
+ var randomValuesArray = new Uint8Array(bytesToCollect);
+ this.browserCrypto().getRandomValues(randomValuesArray);
+ for (var i = 0; i < randomValuesArray.length; i++) {
+ this.updateGeneratorWithValue(randomValuesArray[i]);
+ }
- 'numberOfRandomBits': function() {
- return 1;
+ setTimeout(this.collectEntropy, this.intervalTime());
},
//-------------------------------------------------------------------------
-
- 'pollingFrequency': function() {
- return 10;
- },
-
- //-------------------------------------------------------------------------
__syntaxFix__: "syntax fix"
});
@@ -607,21 +559,16 @@ MochiKit.Logging.logWarning("Fortuna generator has not enough entropy, yet!");
'deferredEntropyCollection': function(aValue) {
var result;
-//MochiKit.Logging.logDebug(">>> PRNG.deferredEntropyCollection");
if (this.isReadyToGenerateRandomValues()) {
-//MochiKit.Logging.logDebug("--- PRNG.deferredEntropyCollection - 1");
result = aValue;
} else {
-//MochiKit.Logging.logDebug("--- PRNG.deferredEntropyCollection - 2");
var deferredResult;
Clipperz.NotificationCenter.notify(this, 'updatedProgressState', 'collectingEntropy', true);
deferredResult = new MochiKit.Async.Deferred();
-// deferredResult.addBoth(function(res) {MochiKit.Logging.logDebug("1.2.1 - PRNG.deferredEntropyCollection - 1: " + res); return res;});
deferredResult.addCallback(MochiKit.Base.partial(MochiKit.Async.succeed, aValue));
-// deferredResult.addBoth(function(res) {MochiKit.Logging.logDebug("1.2.2 - PRNG.deferredEntropyCollection - 2: " + res); return res;});
MochiKit.Signal.connect(this,
'readyToGenerateRandomBytes',
deferredResult,
@@ -629,7 +576,6 @@ MochiKit.Logging.logWarning("Fortuna generator has not enough entropy, yet!");
result = deferredResult;
}
-//MochiKit.Logging.logDebug("<<< PRNG.deferredEntropyCollection - result: " + result);
return result;
},
@@ -643,7 +589,7 @@ MochiKit.Logging.logWarning("Fortuna generator has not enough entropy, yet!");
},
//-------------------------------------------------------------------------
-
+/*
'dump': function(appendToDoc) {
var tbl;
var i,c;
@@ -749,7 +695,7 @@ MochiKit.Logging.logWarning("Fortuna generator has not enough entropy, yet!");
return tbl;
},
-
+*/
//-----------------------------------------------------------------------------
__syntaxFix__: "syntax fix"
});
@@ -824,16 +770,26 @@ Clipperz.Crypto.PRNG.defaultRandomGenerator = function() {
//.............................................................
//
- // KeyboardRandomnessSource
+ // CryptoRandomRandomnessSource
//
//.............................................................
{
var newRandomnessSource;
+ var browserCrypto;
- newRandomnessSource = new Clipperz.Crypto.PRNG.KeyboardRandomnessSource();
- _clipperz_crypt_prng_defaultPRNG.addRandomnessSource(newRandomnessSource);
+ if (window.crypto && window.crypto.getRandomValues) {
+ browserCrypto = window.crypto;
+ } else if (window.msCrypto && window.msCrypto.getRandomValues) {
+ browserCrypto = window.msCrypto;
+ } else {
+ browserCrypto = null;
+ }
+
+ if (browserCrypto != null) {
+ newRandomnessSource = new Clipperz.Crypto.PRNG.CryptoRandomRandomnessSource({'browserCrypto':browserCrypto});
+ _clipperz_crypt_prng_defaultPRNG.addRandomnessSource(newRandomnessSource);
+ }
}
-
}
return _clipperz_crypt_prng_defaultPRNG;
--
cgit v0.9.0.2