[git] GCRYPT - branch, master, updated. libgcrypt-1.5.0-450-ga6b9304
by Werner Koch
cvs at cvs.gnupg.org
Mon Dec 16 11:56:36 CET 2013
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, master has been updated
via a6b9304a889397ac98e1c2c4ac3e178669d94492 (commit)
via 5a7ce59396fe56f0d681df314bfbdb5f7732d4b1 (commit)
via dec048b2ec79271a2f4405be5b87b1e768b3f1a9 (commit)
from 953535a7de68cf62b5b1ad6f96ea3a9edd83762c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a6b9304a889397ac98e1c2c4ac3e178669d94492
Author: Werner Koch <wk at gnupg.org>
Date: Mon Dec 16 11:43:22 2013 +0100
Add configure option --enable-large-data-tests.
* configure.ac: Add option --enable-large-data-tests.
* tests/hashtest-256g.in: New.
* tests/Makefile.am (EXTRA_DIST): Add hashtest-256g.in.
(TESTS): Split up into tests_bin, tests_bin_last, tests_sh, and
tests_sh_last.
(tests_sh_last): Add hashtest-256g
(noinst_PROGRAMS): Add only tests_bin and tests_bin_last.
(bench-slope.log, hashtest-256g.log): New rules to enforce serial run.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/README b/README
index ff3ce9c..558e008 100644
--- a/README
+++ b/README
@@ -80,6 +80,10 @@
Here is a list of configure options which are sometimes useful
for installation.
+ --enable-large-data-tests
+ With this option a "make check" will take really
+ long due to extra checks for the hash algorithms.
+
--enable-m-guard
Enable the integrated malloc checking code. Please
note that this feature does not work on all CPUs
diff --git a/configure.ac b/configure.ac
index 9088d02..571e156 100644
--- a/configure.ac
+++ b/configure.ac
@@ -524,6 +524,16 @@ if test "$use_m_guard" = yes ; then
AC_DEFINE(M_GUARD,1,[Define to use the (obsolete) malloc guarding feature])
fi
+# Implementation of the --enable-large-data-tests switch.
+AC_MSG_CHECKING([whether to run large data tests])
+AC_ARG_ENABLE(large-data-tests,
+ AC_HELP_STRING([--enable-large-data-tests],
+ [Enable the real long ruinning large data tests]),
+ large_data_tests=$enableval,large_data_tests=no)
+AC_MSG_RESULT($large_data_tests)
+AC_SUBST(RUN_LARGE_DATA_TESTS, $large_data_tests)
+
+
# Implementation of the --with-capabilities switch.
# Check whether we want to use Linux capabilities
AC_MSG_CHECKING([whether use of capabilities is requested])
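Review bot: The help text on the AC_HELP_STRING line misspells "running" as "ruinning", and that string is what `./configure --help` prints; `[Enable the real long running large data tests]` reads better. AC_HELP_STRING is also an obsolete alias in current autoconf, so the new option could use `AS_HELP_STRING(...)` directly if the rest of configure.ac already does (not visible here). Note too that `large_data_tests=$enableval` passes any `--enable-large-data-tests=VALUE` through unchanged and the generated script only compares against `yes`, so other values silently skip the test; normalising with `large_data_tests=no` unless `$enableval` is `yes` would make that explicit.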
@@ -1914,6 +1924,7 @@ src/libgcrypt-config
src/versioninfo.rc
tests/Makefile
])
+AC_CONFIG_FILES([tests/hashtest-256g], [chmod +x tests/hashtest-256g])
AC_OUTPUT
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 3fb9fd6..f5b5b9f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -18,13 +18,24 @@
## Process this file with automake to produce Makefile.in
-TESTS = version mpitests tsexp t-convert \
+tests_bin = \
+ version mpitests tsexp t-convert \
t-mpi-bit t-mpi-point curves \
prime basic keygen pubkey hmac hashtest t-kdf keygrip \
fips186-dsa aeswrap pkcs1v2 random dsa-rfc6979 t-ed25519
-# The last tests to run.
-TESTS += benchmark bench-slope
+tests_bin_last = benchmark bench-slope
+
+tests_sh =
+
+tests_sh_last = hashtest-256g
+
+TESTS = $(tests_bin) $(tests_sh) $(tests_bin_last) $(tests_sh_last)
+
+# Force sequential run of some tests.
+bench-slope.log: benchmark.log
+hashtest-256g.log: bench-slope.log
+
TESTS_ENVIRONMENT = GCRYPT_IN_REGRESSION_TEST=1
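Review bot: The `bench-slope.log: benchmark.log` and `hashtest-256g.log: bench-slope.log` rules only have an effect under automake's parallel-tests harness, which produces one .log per test; with the serial harness they are dead rules and nothing enforces the order. The AM_INIT_AUTOMAKE options that select the harness are not visible here, so a comment stating the assumption, `# These .log dependencies rely on the parallel-tests harness (one .log per test).`, would save the next reader a trip to configure.ac.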
@@ -37,8 +48,8 @@ AM_CFLAGS = $(GPG_ERROR_CFLAGS)
LDADD = ../src/libgcrypt.la $(DL_LIBS) ../compat/libcompat.la $(GPG_ERROR_LIBS)
EXTRA_PROGRAMS = testapi pkbench
-noinst_PROGRAMS = $(TESTS) fipsdrv rsacvt genhashdata
+noinst_PROGRAMS = $(tests_bin) $(tests_bin_last) fipsdrv rsacvt genhashdata
EXTRA_DIST = README rsa-16k.key cavs_tests.sh cavs_driver.pl \
pkcs1v2-oaep.h pkcs1v2-pss.h pkcs1v2-v15c.h pkcs1v2-v15s.h \
- t-ed25519.inp stopwatch.h
+ t-ed25519.inp stopwatch.h hashtest-256g.in
diff --git a/tests/hashtest-256g.in b/tests/hashtest-256g.in
new file mode 100755
index 0000000..02ab3f6
--- /dev/null
+++ b/tests/hashtest-256g.in
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+algos="SHA1 SHA256"
+
+test "@RUN_LARGE_DATA_TESTS@" = yes || exit 77
+echo " now running 256 GiB tests for $algos - this takes looong"
+exec ./hashtest --gigs 256 $algos
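Review bot: The `exit 77` on the test line is the harness's SKIP code and `$algos` is deliberately left unquoted so it splits into two arguments, but neither is said in the script. Two comments would document that, `# 77 tells the automake test harness to report SKIP rather than FAIL` above the test line and `# $algos is intentionally unquoted: one argument per algorithm` above the exec line.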
commit 5a7ce59396fe56f0d681df314bfbdb5f7732d4b1
Author: Werner Koch <wk at gnupg.org>
Date: Mon Dec 16 09:45:02 2013 +0100
random: Call random progress handler more often.
* random/rndlinux.c (_gcry_rndlinux_gather_random): Update progress
indicator earlier.
--
GnuPG-bug-id: 1531
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/random/rndlinux.c b/random/rndlinux.c
index 21ea8c4..89ac203 100644
--- a/random/rndlinux.c
+++ b/random/rndlinux.c
@@ -183,6 +183,18 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
struct timeval tv;
int rc;
+ /* If we collected some bytes update the progress indicator. We
+ do this always and not just if the select timed out because
+ often just a few bytes are gathered within the timeout
+ period. */
+ if (any_need_entropy || last_so_far != (want - length) )
+ {
+ last_so_far = want - length;
+ _gcry_random_progress ("need_entropy", 'X',
+ (int)last_so_far, (int)want);
+ any_need_entropy = 1;
+ }
+
/* If the system has no limit on the number of file descriptors
and we encounter an fd which is larger than the fd_set size,
we don't use the select at all. The select code is only used
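Review bot: The new comment says the indicator is updated "if we collected some bytes", but the condition `if (any_need_entropy || last_so_far != (want - length) )` also fires on every pass once any_need_entropy has been set by a timeout in the later hunk, even when no bytes were collected; in that state `last_so_far` is rewritten with the same value and the handler is called again. If calling the handler on every pass after the first timeout is the intent (it is consistent with the commit title), the comment should say so, e.g. `/* Report progress whenever the byte count changed, and on every pass once select has timed out at least once. */`; if not, the removed block's `!any_need_entropy` form is the one that reports only on change. _gcry_rndlinux_gather_random begins and ends outside this hunk, so the initial value of last_so_far is not visible here.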
@@ -198,13 +210,7 @@ _gcry_rndlinux_gather_random (void (*add)(const void*, size_t,
tv.tv_usec = delay? 0 : 100000;
if ( !(rc=select(fd+1, &rfds, NULL, NULL, &tv)) )
{
- if (!any_need_entropy || last_so_far != (want - length) )
- {
- last_so_far = want - length;
- _gcry_random_progress ("need_entropy", 'X',
- (int)last_so_far, (int)want);
- any_need_entropy = 1;
- }
+ any_need_entropy = 1;
delay = 3; /* Use 3 seconds henceforth. */
continue;
}
commit dec048b2ec79271a2f4405be5b87b1e768b3f1a9
Author: Werner Koch <wk at gnupg.org>
Date: Mon Dec 16 09:22:10 2013 +0100
cipher: Normalize the MPIs used as input to secret key functions.
* cipher/dsa.c (sign): Normalize INPUT.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Reduce DATA before passing to secret.
--
mpi_normalize is in general not required because extra leading zeroes
do not harm the computation. However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks.
This is an extra precaution in case RSA blinding has been disabled.
CVE-id: CVE-2013-4576
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/cipher/dsa.c b/cipher/dsa.c
index 5d29ba4..50bdab1 100644
--- a/cipher/dsa.c
+++ b/cipher/dsa.c
@@ -583,7 +583,10 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
mpi_rshift (hash, hash, abits - qbits);
}
else
- hash = input;
+ {
+ mpi_normalize (input);
+ hash = input;
+ }
again:
/* Create the K value. */
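Review bot: The new `mpi_normalize (input)` silently mutates the caller's INPUT, and unlike the matching change in rsa.c it carries no comment saying why; the same wording would keep the three files consistent, e.g. `/* Remove superfluous leading zeroes from INPUT; see CVE-2013-4576. */`. Whether the other branch (after `mpi_rshift`) leaves HASH in normalized form is not visible in this hunk, so it may deserve the same check. The body of sign continues outside the hunk.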
diff --git a/cipher/elgamal.c b/cipher/elgamal.c
index 3645e7d..a71a9bc 100644
--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
@@ -497,10 +497,13 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
static void
-decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
{
gcry_mpi_t t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+ mpi_normalize (a);
+ mpi_normalize (b);
+
/* output = b/(a^x) mod p */
mpi_powm( t1, a, skey->x, skey->p );
mpi_invm( t1, t1, skey->p );
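Review bot: decrypt normalizes A and B but, unlike the rsa_decrypt hunk in the same commit, does not reduce them modulo skey->p before `mpi_powm( t1, a, skey->x, skey->p )`, so the "padded with multiples of N" case the commit message describes is handled differently in the two files. Whether mpi_powm reduces its base first is not visible here; if it does not, adding `mpi_fdiv_r (a, a, skey->p);` and `mpi_fdiv_r (b, b, skey->p);` after the normalize calls would close that gap. A short comment on the new lines, `/* Normalize A and B; see CVE-2013-4576. */`, would also match the comment style used in rsa.c.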
diff --git a/cipher/rsa.c b/cipher/rsa.c
index a97dcfd..e595e38 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -712,6 +712,9 @@ stronger_key_check ( RSA_secret_key *skey )
static void
secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
{
+ /* Remove superfluous leading zeroes from INPUT. */
+ mpi_normalize (input);
+
if (!skey->p || !skey->q || !skey->u)
{
mpi_powm (output, input, skey->d, skey->n);
@@ -997,6 +1000,13 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
}
}
+ /* Better make sure that there are no superfluous leading zeroes in
+ the input and it has not been "padded" using multiples of N.
+ This mitigates side-channel attacks (CVE-2013-4576). */
+ mpi_normalize (data);
+ mpi_fdiv_r (data, data, sk.n);
+
+ /* Allocate MPI for the plaintext. */
plain = mpi_snew (ctx.nbits);
/* We use blinding by default to mitigate timing attacks which can
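Review bot: The reduction `mpi_fdiv_r (data, data, sk.n)` is applied only on the rsa_decrypt path, while secret() itself (previous hunk) only normalizes; if the signing entry point also hands a caller-supplied MPI to secret(), it presumably gets normalization but not the reduction. That path is not visible here, so this is a suggestion to check rather than a defect. The new comment could also note that DATA is modified in place so a later reader does not expect the original value to survive.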
-----------------------------------------------------------------------
Summary of changes:
README | 4 ++++
cipher/dsa.c | 5 ++++-
cipher/elgamal.c | 5 ++++-
cipher/rsa.c | 10 ++++++++++
configure.ac | 11 +++++++++++
random/rndlinux.c | 20 +++++++++++++-------
tests/Makefile.am | 21 ++++++++++++++++-----
tests/hashtest-256g.in | 7 +++++++
8 files changed, 69 insertions(+), 14 deletions(-)
create mode 100755 tests/hashtest-256g.in