-rw-r--r--NEWS2
-rw-r--r--THANKS1
-rw-r--r--cipher/ChangeLog9
-rw-r--r--cipher/pubkey.c8
-rw-r--r--cipher/random.c6
-rw-r--r--cipher/sha256.c2
-rw-r--r--doc/ChangeLog10
-rw-r--r--doc/gcrypt.texi59
8 files changed, 68 insertions, 29 deletions
diff --git a/NEWS b/NEWS
index 3378a060..6a7b8159 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
Noteworthy changes in version 1.4.1
------------------------------------------------
+ * Fixed a bug introduced by 1.3.1 led to the comsumption of far too
+ much entropy for the intial seeding.
Noteworthy changes in version 1.4.0 (2007-12-10)
diff --git a/THANKS b/THANKS
index d7fda1f5..a40c208a 100644
--- a/THANKS
+++ b/THANKS
@@ -27,6 +27,7 @@ Detlef Lannert lannert@lannert.rz.uni-duesseldorf.de
Dirk Lattermann dlatt@t-online.de
Dirk Stoecker gcrypt@dstoecker.de
Ed Boraas ecxjo@esperanto.org
+Elie De Brauwer elie@de-brauwer.be
Enzo Michelangeli em@MailAndNews.com
Ernst Molitor ernst.molitor@uni-bonn.de
Fabio Coatti cova@felix.unife.it
diff --git a/cipher/ChangeLog b/cipher/ChangeLog
index e8cd0a1a..3dec8a95 100644
--- a/cipher/ChangeLog
+++ b/cipher/ChangeLog
@@ -1,3 +1,12 @@
+2008-01-08 Werner Koch <wk@g10code.com>
+
+ * random.c (add_randomness): Do not just increment
+ POOL_FILLED_COUNTER but update it by the actual amount of data.
+
+2007-12-13 Werner Koch <wk@g10code.com>
+
+ * pubkey.c (sexp_data_to_mpi): Support SHA-224.
+
2007-12-05 Werner Koch <wk@g10code.com>
* rijndael.c (USE_PADLOCK): Depend on ENABLE_PADLOCK_SUPPORT.
diff --git a/cipher/pubkey.c b/cipher/pubkey.c
index fc57b40a..5a39f3e7 100644
--- a/cipher/pubkey.c
+++ b/cipher/pubkey.c
@@ -1097,7 +1097,7 @@ sexp_to_sig (gcry_sexp_t sexp, gcry_mpi_t **retarray,
* Take sexp and return an array of MPI as used for our internal decrypt
* function.
* s_data = (enc-val
- * [(flags [pkcs1])
+ * [(flags [pkcs1])]
* (<algo>
* (<param_name1> <mpi>)
* ...
@@ -1403,6 +1403,7 @@ sexp_data_to_mpi (gcry_sexp_t input, unsigned int nbits, gcry_mpi_t *ret_mpi,
{ "rmd160", GCRY_MD_RMD160 },
{ "sha384", GCRY_MD_SHA384 },
{ "sha512", GCRY_MD_SHA512 },
+ { "sha224", GCRY_MD_SHA224 },
{ "md2", GCRY_MD_MD2 },
{ "md4", GCRY_MD_MD4 },
{ "tiger", GCRY_MD_TIGER },
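Review bot: The new `{ "sha224", GCRY_MD_SHA224 },` entry only makes the name resolvable in this lookup table; for the PKCS#1 block-type-1 path of sexp_data_to_mpi the encoder presumably also needs a SHA-224 DigestInfo/ASN.1 prefix from the md layer, of the kind the `asn256` table in sha256.c provides for SHA-256 — worth confirming the sha256 module exports one for SHA-224 too, otherwise a sha224 signing request would get past this table and fail (or mis-encode) later. As a point of style, the table groups sha384 and sha512 together, so placing the sha224 line next to them rather than between sha512 and md2 would read more naturally. sexp_data_to_mpi begins before this hunk, so the PKCS#1 encoding that consumes this table is not visible here.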
@@ -1764,7 +1765,10 @@ gcry_pk_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t s_skey)
(<algo>
(<param_name1> <mpi>)
...
- (<param_namen> <mpi>)))
+ (<param_namen> <mpi>))
+ [(hash algo)])
+
+ Note that (hash algo) in R_SIG is not used.
*/
gcry_error_t
gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey)
diff --git a/cipher/random.c b/cipher/random.c
index c5469805..f145116f 100644
--- a/cipher/random.c
+++ b/cipher/random.c
@@ -1115,6 +1115,7 @@ static void
add_randomness (const void *buffer, size_t length, enum random_origins origin)
{
const unsigned char *p = buffer;
+ size_t count = 0;
assert (pool_is_locked);
@@ -1123,6 +1124,7 @@ add_randomness (const void *buffer, size_t length, enum random_origins origin)
while (length-- )
{
rndpool[pool_writepos++] ^= *p++;
+ count++;
if (pool_writepos >= POOLSIZE )
{
/* It is possible that we are invoked before the pool is
@@ -1132,7 +1134,9 @@ add_randomness (const void *buffer, size_t length, enum random_origins origin)
separately. See also the remarks about the seed file. */
if (origin >= RANDOM_ORIGIN_SLOWPOLL && !pool_filled)
{
- if (++pool_filled_counter >= POOLSIZE)
+ pool_filled_counter += count;
+ count = 0;
+ if (pool_filled_counter >= POOLSIZE)
pool_filled = 1;
}
pool_writepos = 0;
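Review bot: Slow-poll bytes written after the last pool wrap of a call are never credited: `count` is a local that is only folded into `pool_filled_counter` inside the wrap branch (`pool_filled_counter += count; count = 0;`), so whatever remains when the loop ends is dropped on return and the next call starts again from zero. That is conservative, since `pool_filled` can still only be set once POOLSIZE bytes of reliable origin have been counted, but it means the library still consumes more seed entropy than the NEWS entry implies, and how much depends on the size of the buffers the slow poll passes in, which this hunk does not show — for deliveries much smaller than POOLSIZE each wrap credits only that delivery's bytes, so many full pool fills are needed. If the intent is merely that the flag flips at a wrap, the remainder can be credited after the loop without changing when `pool_filled` is set: `if (count && origin >= RANDOM_ORIGIN_SLOWPOLL && !pool_filled) pool_filled_counter += count;`. add_randomness continues past the end of this hunk, so the exact placement depends on what follows `pool_writepos = 0;`.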
diff --git a/cipher/sha256.c b/cipher/sha256.c
index 9d47b837..bc439c3d 100644
--- a/cipher/sha256.c
+++ b/cipher/sha256.c
@@ -333,7 +333,7 @@ static byte asn256[19] = /* Object ID is 2.16.840.1.101.3.4.2.1 */
static gcry_md_oid_spec_t oid_spec_sha256[] =
{
- /* According to the OpenPGG draft rfc2440-bis06 */
+ /* According to the OpenPGP draft rfc2440-bis06 */
{ "2.16.840.1.101.3.4.2.1" },
/* PKCS#1 sha256WithRSAEncryption */
{ "1.2.840.113549.1.1.11" },
diff --git a/doc/ChangeLog b/doc/ChangeLog
index ad3644e0..b9cb198d 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,13 @@
+2008-01-04 Werner Koch <wk@g10code.com>
+
+ * gcrypt.texi (Controlling the library): Add remark that the
+ theoritical attack on a seed file is not feasible under Linux.
+
+2007-12-11 Werner Koch <wk@g10code.com>
+
+ * gcrypt.texi: Various minor corrections as reported by Elie De
+ Brauer more than a year ago.
+
2007-06-15 Werner Koch <wk@g10code.com>
* gcrypt.texi (Controlling the library): Clarified the use of
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 0cb78750..b6d36214 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -563,7 +563,13 @@ This command disables the use of secure memory and drops the priviliges
of the current process. FIXME.
@item GCRYCTL_DISABLE_SECMEM
-This command disables the use of secure memory. FIXME.
+This command disables the use of secure memory.
+
+Many applications do not require secure memory, so they should disable
+it right away. There won't be a problem if not disabling it unless one
+makes use of a feature which requires secure memory - in that case the
+process will abort because the secmem is not initialized.
+
@item GCRYCTL_INIT_SECMEM
@item GCRYCTL_TERM_SECMEM
@@ -596,13 +602,16 @@ pool and then race for updating it (the last update overwrites earlier
updates). They will differentiate only by the weak entropy that is
added in read_seed_file based on the PID and clock, and up to 16 bytes
of weak random non-blockingly. The consequence is that the output of
-these different instances is correlated to some extent. In the perfect
-scenario, the attacker can control (or at least guess) the PID and clock
-of the application, and drain the system's entropy pool to reduce the
-"up to 16 bytes" above to 0. Then the dependencies of the inital states
-of the pools are completely known. Note that this is not an issue if
-random of @code{GCRY_VERY_STRONG_RANDOM} quality is requested as in this
-case enough extra entropy gets mixed.
+these different instances is correlated to some extent. In a perfect
+attack scenario, the attacker can control (or at least guess) the PID
+and clock of the application, and drain the system's entropy pool to
+reduce the "up to 16 bytes" above to 0. Then the dependencies of the
+inital states of the pools are completely known. Note that this is not
+an issue if random of @code{GCRY_VERY_STRONG_RANDOM} quality is
+requested as in this case enough extra entropy gets mixed. It is also
+not an issue when using Linux (rndlinux driver), because this one
+guarantees to read full 16 bytes from /dev/urandom and thus there is no
+way for an attacker without kernel access to conrol these 16 bytes.
@item GCRYCTL_SET_VERBOSITY
@@ -2178,10 +2187,10 @@ interface allows to add more algorithms in the future.
@node Used S-expressions
@section Used S-expressions
-Libgcrypt's API for asymmetric cryptography is based on data
-structures called S-expressions (see XXXX) and does not work with
-contexts as most of the other building blocks of Libgcrypt
-do.
+Libgcrypt's API for asymmetric cryptography is based on data structures
+called S-expressions (see
+@uref{http://people.csail.mit.edu/@/rivest/@/sexp.html}) and does not work
+with contexts as most of the other building blocks of Libgcrypt do.
The following information are stored in S-expressions:
@@ -3095,9 +3104,9 @@ Destroys the data set @var{data}.
@deftypefun gcry_error_t gcry_ac_data_set (gcry_ac_data_t @var{data}, unsigned int @var{flags}, char *@var{name}, gcry_mpi_t @var{mpi})
Add the value @var{mpi} to @var{data} with the label @var{name}. If
-@var{flags} contains GCRY_AC_FLAG_DATA_COPY, the data set will contain
+@var{flags} contains GCRY_AC_FLAG_COPY, the data set will contain
copies of @var{name} and @var{mpi}. If @var{flags} contains
-GCRY_AC_FLAG_DATA_DEALLOC or GCRY_AC_FLAG_DATA_COPY, the values
+GCRY_AC_FLAG_DEALLOC or GCRY_AC_FLAG_COPY, the values
contained in the data set will be deallocated when they are to be
removed from the data set.
@end deftypefun
@@ -3241,10 +3250,10 @@ Creates a new handle for the algorithm @var{algorithm} and stores it
in @var{handle}. @var{flags} is not used currently.
@var{algorithm} must be a valid algorithm ID, see @xref{Available
-algorithms}, for a list of supported algorithms and the according
-constants. Besides using the listed constants directly, the functions
-@code{gcry_pk_name_to_id} may be used to convert the textual name of
-an algorithm into the according numeric ID.
+asymmetric algorithms}, for a list of supported algorithms and the
+according constants. Besides using the listed constants directly, the
+functions @code{gcry_pk_name_to_id} may be used to convert the textual
+name of an algorithm into the according numeric ID.
@end deftypefun
@deftypefun void gcry_ac_close (gcry_ac_handle_t @var{handle})
@@ -3258,9 +3267,9 @@ Destroys the handle @var{handle}.
Defined constants:
@table @code
-@item GCRY_AC_KEY_TYPE_SECRET
+@item GCRY_AC_KEY_SECRET
Specifies a secret key.
-@item GCRY_AC_KEY_TYPE_PUBLIC
+@item GCRY_AC_KEY_PUBLIC
Specifies a public key.
@end table
@end deftp
@@ -3320,15 +3329,15 @@ Example code:
@example
@{
gcry_ac_key_pair_t key_pair;
- gcry_ac_key_spec_rsa_t rsa_spec;
+ gcry_ac_key_spec_rsa_t rsa_spec;
rsa_spec.e = gcry_mpi_new (0);
- gcry_mpi_set_ui (rsa_spec.e, 1)
+ gcry_mpi_set_ui (rsa_spec.e, 1);
err = gcry_ac_open (&handle, GCRY_AC_RSA, 0);
assert (! err);
- err = gcry_ac_key_pair_generate (handle, &key_pair, 1024, (void *) &rsa_spec);
+ err = gcry_ac_key_pair_generate (handle, 1024, &rsa_spec, &key_pair, NULL);
assert (! err);
@}
@end example
@@ -3394,7 +3403,7 @@ through schemes.
What follows is a description of the cryptographic primitives.
-@deftypefun gcry_error_t gcry_ac_data_encrypt (gcry_ac_handle_t @var{handle}, unsigned int @var{flags}, gcry_ac_key_t @var{key}, gcry_mpi_t @var{data_plain}, gcry_ac_data_t **@var{data_encrypted})
+@deftypefun gcry_error_t gcry_ac_data_encrypt (gcry_ac_handle_t @var{handle}, unsigned int @var{flags}, gcry_ac_key_t @var{key}, gcry_mpi_t @var{data_plain}, gcry_ac_data_t *@var{data_encrypted})
Encrypts the plain text MPI value @var{data_plain} with the key public
@var{key} under the control of the flags @var{flags} and stores the
resulting data set into @var{data_encrypted}.
@@ -3964,7 +3973,7 @@ representation of an MPI and the internal one of Libgcrypt.
Convert the external representation of an integer stored in @var{buffer}
with a length of @var{buflen} into a newly created MPI returned which
will be stored at the address of @var{r_mpi}. For certain formats the
-length argument is not required and may be passed as @code{0}. After a
+length argument is not required and should be passed as @code{0}. After a
successful operation the variable @var{nscanned} receives the number of
bytes actually scanned unless @var{nscanned} was given as
@code{NULL}. @var{format} describes the format of the MPI as stored in