[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-259-gc17f84b

Florian Weimer fweimer at redhat.com
Wed Sep 2 15:46:58 CEST 2015

On 09/01/2015 07:35 AM, by Werner Koch wrote:

> commit c17f84bd02d7ee93845e92e20f6ddba814961588
> Author: Werner Koch <wk at gnupg.org>
> Date:   Mon Aug 31 23:13:27 2015 +0200
>     rsa: Add verify after sign to avoid Lenstra's CRT attack.
>     * cipher/rsa.c (rsa_sign): Check the CRT.
>     --
>     Failures in the computation of the CRT (e.g. due faulty hardware) can
>     lead to a leak of the private key.  The standard precaution against
>     this is to verify the signature after signing.  GnuPG does this itself
>     and even has an option to disable this.  However, the low performance
>     impact of this extra precaution suggest that it should always be done
>     and Libgcrypt is the right place here.  For decryption is not done
>     because the application will detect the failure due to garbled
>     plaintext and in any case no key derived material will be send to the
>     user.

Some background information on this change is available here:


We computed quite a few RSA signatures on x86_64, i386, ppc64, ppc64le,
and s390x, but could not observe any key leaks, so we consider this
change merely hardening as far as libgcrypt is concerned.

Florian Weimer / Red Hat Product Security

More information about the Gcrypt-devel mailing list