[git] GCRYPT - branch, master, updated. libgcrypt-1.8.0-16-geb8f352
by Werner Koch
cvs at cvs.gnupg.org
Sun Aug 27 09:40:13 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, master has been updated
via eb8f35243916132e10125e9e9edb066e8f1edd08 (commit)
via 80fd8615048c3897b91a315cca22ab139b056ccd (commit)
via bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9 (commit)
via 5417a29336426d310c3e012b148bcb20ef9ca85c (commit)
from a7bd2cbd3eabda88fb3cac5cbc13c21c97a7b315 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit eb8f35243916132e10125e9e9edb066e8f1edd08
Author: Werner Koch <wk at gnupg.org>
Date: Sun Aug 27 09:36:37 2017 +0200
Post release updates
--
diff --git a/NEWS b/NEWS
index 39f70a3..8ae0d12 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+Noteworthy changes in version 1.8.2 (unreleased) [C22/A2/R2]
+------------------------------------------------
+
+
Noteworthy changes in version 1.8.1 (2017-08-27) [C22/A2/R1]
------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 7a78e30..e24e710 100644
--- a/configure.ac
+++ b/configure.ac
@@ -30,7 +30,7 @@ min_automake_version="1.14"
# for the LT versions.
m4_define(mym4_version_major, [1])
m4_define(mym4_version_minor, [8])
-m4_define(mym4_version_micro, [1])
+m4_define(mym4_version_micro, [2])
# Below is m4 magic to extract and compute the revision number, the
# decimalized short revision number, a beta version string, and a flag
commit 80fd8615048c3897b91a315cca22ab139b056ccd
Author: Werner Koch <wk at gnupg.org>
Date: Sun Aug 27 09:22:09 2017 +0200
Release 1.8.1
* configure.ac: Set LT version to C22/A2/R1.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/NEWS b/NEWS
index 4ca8bc2..39f70a3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,19 @@
-Noteworthy changes in version 1.8.1 (unreleased) [C22/A2/R_]
+Noteworthy changes in version 1.8.1 (2017-08-27) [C22/A2/R1]
------------------------------------------------
+ * Bug fixes:
+
+ - Mitigate a local side-channel attack on Curve25519 dubbed "May
+ the Fourth be With You". [CVE-2017-0379] [also in 1.7.9]
+
+ - Add more extra bytes to the pool after reading a seed file.
+
+ - Add the OID SHA384WithECDSA from RFC-7427 to SHA-384.
+
+ - Fix build problems with the Jitter RNG
+
+ - Fix assembler code build problems on Rasbian (ARMv8/AArch32-CE).
+
Noteworthy changes in version 1.8.0 (2017-07-18) [C22/A2/R0]
------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 66e7cd6..7a78e30 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,7 +56,7 @@ AC_INIT([libgcrypt],[mym4_full_version],[http://bugs.gnupg.org])
# (No interfaces changed: REVISION++)
LIBGCRYPT_LT_CURRENT=22
LIBGCRYPT_LT_AGE=2
-LIBGCRYPT_LT_REVISION=0
+LIBGCRYPT_LT_REVISION=1
# If the API is changed in an incompatible way: increment the next counter.
commit bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Fri Aug 25 18:13:28 2017 +0900
ecc: Add input validation for X25519.
* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
(_gcry_mpi_ec_bad_point): New.
--
Following is the paper describing the attack:
May the Fourth Be With You: A Microarchitectural Side Channel Attack
on Real-World Applications of Curve25519
by Daniel Genkin, Luke Valenta, and Yuval Yarom
In the current implementation, we do output checking and it results an
error for those bad points. However, when attacked, the computation
will done with leak of private key, even it will results errors. To
mitigate leak, we added input validation.
Note that we only list bad points with MSB=0. By X25519, MSB is
always cleared.
In future, we should implement constant-time field computation. Then,
this input validation could be removed, if performance is important
and we are sure for no leak.
CVE-id: CVE-2017-0379
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/cipher/ecc.c b/cipher/ecc.c
index e25bf09..4e3e5b1 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -1628,9 +1628,22 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
if (DBG_CIPHER)
log_printpnt ("ecc_decrypt kG", &kG, NULL);
- if (!(flags & PUBKEY_FLAG_DJB_TWEAK)
+ if ((flags & PUBKEY_FLAG_DJB_TWEAK))
+ {
/* For X25519, by its definition, validation should not be done. */
- && !_gcry_mpi_ec_curve_point (&kG, ec))
+ /* (Instead, we do output check.)
+ *
+ * However, to mitigate secret key leak from our implementation,
+ * we also do input validation here. For constant-time
+ * implementation, we can remove this input validation.
+ */
+ if (_gcry_mpi_ec_bad_point (&kG, ec))
+ {
+ rc = GPG_ERR_INV_DATA;
+ goto leave;
+ }
+ }
+ else if (!_gcry_mpi_ec_curve_point (&kG, ec))
{
rc = GPG_ERR_INV_DATA;
goto leave;
diff --git a/mpi/ec.c b/mpi/ec.c
index a0f7357..4c16603 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -396,6 +396,29 @@ ec_get_two_inv_p (mpi_ec_t ec)
}
+static const char *curve25519_bad_points[] = {
+ "0x0000000000000000000000000000000000000000000000000000000000000000",
+ "0x0000000000000000000000000000000000000000000000000000000000000001",
+ "0x00b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0",
+ "0x57119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c5f",
+ "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec",
+ "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed",
+ "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee",
+ NULL
+};
+
+static gcry_mpi_t
+scanval (const char *string)
+{
+ gpg_err_code_t rc;
+ gcry_mpi_t val;
+
+ rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL);
+ if (rc)
+ log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc));
+ return val;
+}
+
/* This function initialized a context for elliptic curve based on the
field GF(p). P is the prime specifying this field, A is the first
@@ -434,9 +457,17 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,
_gcry_mpi_ec_get_reset (ctx);
- /* Allocate scratch variables. */
- for (i=0; i< DIM(ctx->t.scratch); i++)
- ctx->t.scratch[i] = mpi_alloc_like (ctx->p);
+ if (model == MPI_EC_MONTGOMERY)
+ {
+ for (i=0; i< DIM(ctx->t.scratch) && curve25519_bad_points[i]; i++)
+ ctx->t.scratch[i] = scanval (curve25519_bad_points[i]);
+ }
+ else
+ {
+ /* Allocate scratch variables. */
+ for (i=0; i< DIM(ctx->t.scratch); i++)
+ ctx->t.scratch[i] = mpi_alloc_like (ctx->p);
+ }
/* Prepare for fast reduction. */
/* FIXME: need a test for NIST values. However it does not gain us
@@ -1572,3 +1603,17 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx)
return res;
}
+
+
+int
+_gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx)
+{
+ int i;
+ gcry_mpi_t x_bad;
+
+ for (i = 0; (x_bad = ctx->t.scratch[i]); i++)
+ if (!mpi_cmp (point->x, x_bad))
+ return 1;
+
+ return 0;
+}
diff --git a/src/mpi.h b/src/mpi.h
index b5385b5..aeba7f8 100644
--- a/src/mpi.h
+++ b/src/mpi.h
@@ -296,6 +296,7 @@ void _gcry_mpi_ec_mul_point (mpi_point_t result,
gcry_mpi_t scalar, mpi_point_t point,
mpi_ec_t ctx);
int _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx);
+int _gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx);
gcry_mpi_t _gcry_mpi_ec_ec2os (gcry_mpi_point_t point, mpi_ec_t ectx);
commit 5417a29336426d310c3e012b148bcb20ef9ca85c
Author: Werner Koch <wk at gnupg.org>
Date: Thu Aug 24 11:43:05 2017 +0200
indent: Typo fix.
--
diff --git a/random/random-csprng.c b/random/random-csprng.c
index 650c438..8cb35e7 100644
--- a/random/random-csprng.c
+++ b/random/random-csprng.c
@@ -115,7 +115,7 @@ static size_t pool_writepos;
static size_t pool_readpos;
/* This flag is set to true as soon as the pool has been completely
- filled the first time. This may happen either by rereading a seed
+ filled the first time. This may happen either by reading a seed
file or by adding enough entropy. */
static int pool_filled;
-----------------------------------------------------------------------
Summary of changes:
NEWS | 19 ++++++++++++++++++-
cipher/ecc.c | 17 +++++++++++++++--
configure.ac | 4 ++--
mpi/ec.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++---
random/random-csprng.c | 2 +-
src/mpi.h | 1 +
6 files changed, 85 insertions(+), 9 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
_______________________________________________
Gnupg-commits mailing list
Gnupg-commits at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-commits
More information about the Gcrypt-devel
mailing list