[git] GCRYPT - branch, master, updated. libgcrypt-1.8.0-16-geb8f352

by Werner Koch cvs at cvs.gnupg.org
Sun Aug 27 09:40:13 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  eb8f35243916132e10125e9e9edb066e8f1edd08 (commit)
       via  80fd8615048c3897b91a315cca22ab139b056ccd (commit)
       via  bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9 (commit)
       via  5417a29336426d310c3e012b148bcb20ef9ca85c (commit)
      from  a7bd2cbd3eabda88fb3cac5cbc13c21c97a7b315 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit eb8f35243916132e10125e9e9edb066e8f1edd08
Author: Werner Koch <wk at gnupg.org>
Date:   Sun Aug 27 09:36:37 2017 +0200

    Post release updates
    
    --

diff --git a/NEWS b/NEWS
index 39f70a3..8ae0d12 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+Noteworthy changes in version 1.8.2 (unreleased)  [C22/A2/R2]
+------------------------------------------------
+
+
 Noteworthy changes in version 1.8.1 (2017-08-27)  [C22/A2/R1]
 ------------------------------------------------
 
diff --git a/configure.ac b/configure.ac
index 7a78e30..e24e710 100644
--- a/configure.ac
+++ b/configure.ac
@@ -30,7 +30,7 @@ min_automake_version="1.14"
 # for the LT versions.
 m4_define(mym4_version_major, [1])
 m4_define(mym4_version_minor, [8])
-m4_define(mym4_version_micro, [1])
+m4_define(mym4_version_micro, [2])
 
 # Below is m4 magic to extract and compute the revision number, the
 # decimalized short revision number, a beta version string, and a flag

commit 80fd8615048c3897b91a315cca22ab139b056ccd
Author: Werner Koch <wk at gnupg.org>
Date:   Sun Aug 27 09:22:09 2017 +0200

    Release 1.8.1
    
    * configure.ac: Set LT version to C22/A2/R1.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/NEWS b/NEWS
index 4ca8bc2..39f70a3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,19 @@
-Noteworthy changes in version 1.8.1 (unreleased)  [C22/A2/R_]
+Noteworthy changes in version 1.8.1 (2017-08-27)  [C22/A2/R1]
 ------------------------------------------------
 
+ * Bug fixes:
+
+   - Mitigate a local side-channel attack on Curve25519 dubbed "May
+     the Fourth be With You".  [CVE-2017-0379] [also in 1.7.9]
+
+   - Add more extra bytes to the pool after reading a seed file.
+
+   - Add the OID SHA384WithECDSA from RFC-7427 to SHA-384.
+
+   - Fix build problems with the Jitter RNG
+
+   - Fix assembler code build problems on Rasbian (ARMv8/AArch32-CE).
+
 
 Noteworthy changes in version 1.8.0 (2017-07-18)  [C22/A2/R0]
 ------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 66e7cd6..7a78e30 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,7 +56,7 @@ AC_INIT([libgcrypt],[mym4_full_version],[http://bugs.gnupg.org])
 #   (No interfaces changed:                   REVISION++)
 LIBGCRYPT_LT_CURRENT=22
 LIBGCRYPT_LT_AGE=2
-LIBGCRYPT_LT_REVISION=0
+LIBGCRYPT_LT_REVISION=1
 
 
 # If the API is changed in an incompatible way: increment the next counter.

commit bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Fri Aug 25 18:13:28 2017 +0900

    ecc: Add input validation for X25519.
    
    * cipher/ecc.c (ecc_decrypt_raw): Add input validation.
    * mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
    (_gcry_mpi_ec_bad_point): New.
    
    --
    
    Following is the paper describing the attack:
    
        May the Fourth Be With You: A Microarchitectural Side Channel Attack
        on Real-World Applications of Curve25519
        by Daniel Genkin, Luke Valenta, and Yuval Yarom
    
    In the current implementation, we do output checking and it results an
    error for those bad points.  However, when attacked, the computation
    will done with leak of private key, even it will results errors.  To
    mitigate leak, we added input validation.
    
    Note that we only list bad points with MSB=0.  By X25519, MSB is
    always cleared.
    
    In future, we should implement constant-time field computation.  Then,
    this input validation could be removed, if performance is important
    and we are sure for no leak.
    
    CVE-id: CVE-2017-0379
    Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>

diff --git a/cipher/ecc.c b/cipher/ecc.c
index e25bf09..4e3e5b1 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -1628,9 +1628,22 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   if (DBG_CIPHER)
     log_printpnt ("ecc_decrypt    kG", &kG, NULL);
 
-  if (!(flags & PUBKEY_FLAG_DJB_TWEAK)
+  if ((flags & PUBKEY_FLAG_DJB_TWEAK))
+    {
       /* For X25519, by its definition, validation should not be done.  */
-      && !_gcry_mpi_ec_curve_point (&kG, ec))
+      /* (Instead, we do output check.)
+       *
+       * However, to mitigate secret key leak from our implementation,
+       * we also do input validation here.  For constant-time
+       * implementation, we can remove this input validation.
+       */
+      if (_gcry_mpi_ec_bad_point (&kG, ec))
+        {
+          rc = GPG_ERR_INV_DATA;
+          goto leave;
+        }
+    }
+  else if (!_gcry_mpi_ec_curve_point (&kG, ec))
     {
       rc = GPG_ERR_INV_DATA;
       goto leave;
diff --git a/mpi/ec.c b/mpi/ec.c
index a0f7357..4c16603 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -396,6 +396,29 @@ ec_get_two_inv_p (mpi_ec_t ec)
 }
 
 
+static const char *curve25519_bad_points[] = {
+  "0x0000000000000000000000000000000000000000000000000000000000000000",
+  "0x0000000000000000000000000000000000000000000000000000000000000001",
+  "0x00b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0",
+  "0x57119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c5f",
+  "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec",
+  "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed",
+  "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee",
+  NULL
+};
+
+static gcry_mpi_t
+scanval (const char *string)
+{
+  gpg_err_code_t rc;
+  gcry_mpi_t val;
+
+  rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL);
+  if (rc)
+    log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc));
+  return val;
+}
+
 
 /* This function initialized a context for elliptic curve based on the
    field GF(p).  P is the prime specifying this field, A is the first
@@ -434,9 +457,17 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,
 
   _gcry_mpi_ec_get_reset (ctx);
 
-  /* Allocate scratch variables.  */
-  for (i=0; i< DIM(ctx->t.scratch); i++)
-    ctx->t.scratch[i] = mpi_alloc_like (ctx->p);
+  if (model == MPI_EC_MONTGOMERY)
+    {
+      for (i=0; i< DIM(ctx->t.scratch) && curve25519_bad_points[i]; i++)
+        ctx->t.scratch[i] = scanval (curve25519_bad_points[i]);
+    }
+  else
+    {
+      /* Allocate scratch variables.  */
+      for (i=0; i< DIM(ctx->t.scratch); i++)
+        ctx->t.scratch[i] = mpi_alloc_like (ctx->p);
+    }
 
   /* Prepare for fast reduction.  */
   /* FIXME: need a test for NIST values.  However it does not gain us
@@ -1572,3 +1603,17 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx)
 
   return res;
 }
+
+
+int
+_gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx)
+{
+  int i;
+  gcry_mpi_t x_bad;
+
+  for (i = 0; (x_bad = ctx->t.scratch[i]); i++)
+    if (!mpi_cmp (point->x, x_bad))
+      return 1;
+
+  return 0;
+}
diff --git a/src/mpi.h b/src/mpi.h
index b5385b5..aeba7f8 100644
--- a/src/mpi.h
+++ b/src/mpi.h
@@ -296,6 +296,7 @@ void _gcry_mpi_ec_mul_point (mpi_point_t result,
                              gcry_mpi_t scalar, mpi_point_t point,
                              mpi_ec_t ctx);
 int  _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx);
+int _gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx);
 
 gcry_mpi_t _gcry_mpi_ec_ec2os (gcry_mpi_point_t point, mpi_ec_t ectx);
 

commit 5417a29336426d310c3e012b148bcb20ef9ca85c
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Aug 24 11:43:05 2017 +0200

    indent: Typo fix.
    
    --

diff --git a/random/random-csprng.c b/random/random-csprng.c
index 650c438..8cb35e7 100644
--- a/random/random-csprng.c
+++ b/random/random-csprng.c
@@ -115,7 +115,7 @@ static size_t pool_writepos;
 static size_t pool_readpos;
 
 /* This flag is set to true as soon as the pool has been completely
-   filled the first time.  This may happen either by rereading a seed
+   filled the first time.  This may happen either by reading a seed
    file or by adding enough entropy.  */
 static int pool_filled;
 

-----------------------------------------------------------------------

Summary of changes:
 NEWS                   | 19 ++++++++++++++++++-
 cipher/ecc.c           | 17 +++++++++++++++--
 configure.ac           |  4 ++--
 mpi/ec.c               | 51 +++++++++++++++++++++++++++++++++++++++++++++++---
 random/random-csprng.c |  2 +-
 src/mpi.h              |  1 +
 6 files changed, 85 insertions(+), 9 deletions(-)


hooks/post-receive
-- 
The GNU crypto library
http://git.gnupg.org


_______________________________________________
Gnupg-commits mailing list
Gnupg-commits at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-commits




More information about the Gcrypt-devel mailing list