[git] GCRYPT - branch, LIBGCRYPT-1-5-BRANCH, updated. libgcrypt-1.5.2-5-g64b8f6b

by Werner Koch cvs at cvs.gnupg.org
Thu Jul 25 12:04:39 CEST 2013


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, LIBGCRYPT-1-5-BRANCH has been updated
       via  64b8f6b7d5d8fd40df2561dedf21729466d0412a (commit)
       via  a3eabcb6e97a88031f8fd56b7b650447cdda4206 (commit)
       via  e2202ff2b704623efc6277fb5256e4e15bac5676 (commit)
      from  366e7b1925cfebb259cc268ed3eb6687e9c8fd77 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 64b8f6b7d5d8fd40df2561dedf21729466d0412a
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Jul 25 11:34:14 2013 +0200

    Post release updates.
    
    --

diff --git a/NEWS b/NEWS
index 172abbb..88c7aea 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,6 @@
+Noteworthy changes in version 1.5.4 (unreleased)
+------------------------------------------------
+
 Noteworthy changes in version 1.5.3 (2013-07-25)
 ------------------------------------------------
 
diff --git a/configure.ac b/configure.ac
index b2ca882..00da265 100644
--- a/configure.ac
+++ b/configure.ac
@@ -30,7 +30,7 @@ min_automake_version="1.11"
 # for the LT versions.
 m4_define(mym4_version_major, [1])
 m4_define(mym4_version_minor, [5])
-m4_define(mym4_version_micro, [3])
+m4_define(mym4_version_micro, [4])
 
 # Below is m4 magic to extract and compute the revision number, the
 # decimalized short revision number, a beta version string, and a flag
diff --git a/doc/announce.txt b/doc/announce.txt
index 56dfdf6..9fcd17b 100644
--- a/doc/announce.txt
+++ b/doc/announce.txt
@@ -4,47 +4,41 @@ Cc: gcrypt-devel at gnupg.org
 
 Hello!
 
-The GNU project is pleased to announce the availability of Libgcrypt
-version 1.5.2.  This is a maintenance release for the stable branch.
+I am pleased to announce the availability of Libgcrypt version 1.5.3.
+This is a *security fix* release for the stable branch.
 
 Libgcrypt is a general purpose library of cryptographic building
 blocks.  It is originally based on code used by GnuPG.  It does not
 provide any implementation of OpenPGP or other protocols.  Thorough
 understanding of applied cryptography is required to use Libgcrypt.
 
-Noteworthy changes in version 1.5.2:
-
- * Added support for IDEA.
-
- * Made the Padlock code work again (regression since 1.5.0).
-
- * Fixed alignment problems for Serpent.
-
- * Fixed two bugs in ECC computations.
+Noteworthy changes in version 1.5.3:
 
+ * Mitigate the Yarom/Falkner flush+reload side-channel attack on
+   RSA secret keys.  See <http://eprint.iacr.org/2013/448>.
 
 Source code is hosted at the GnuPG FTP server and its mirrors as
 listed at http://www.gnupg.org/download/mirrors.html .  On the primary
 server the source file and its digital signatures is:
 
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.bz2 (1.5M)
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.bz2.sig
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3.tar.bz2 (1.5M)
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3.tar.bz2.sig
 
 This file is bzip2 compressed.  A gzip compressed version is also
 available:
 
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.gz (1.8M)
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.gz.sig
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3.tar.gz (1.8M)
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.3.tar.gz.sig
 
-Alternativley you may upgrade version 1.5.1 using this patch file:
+Alternativley you may upgrade version 1.5.2 using this patch file:
 
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.1-1.5.2.diff.bz2 (12k)
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2-1.5.3.diff.bz2 (4k)
 
 The SHA-1 checksums are:
 
-c9998383532ba3e8bcaf690f2f0d65e814b48d2f  libgcrypt-1.5.2.tar.bz2
-fb54bfea3e276a366009c5a6296eb83cf5e7c14b  libgcrypt-1.5.2.tar.gz
-086ac76cf91987f66666872cc7d5d5d33c68967e  libgcrypt-1.5.1-1.5.2.diff.bz2
+2c6553cc17f2a1616d512d6870fe95edf6b0e26e  libgcrypt-1.5.3.tar.bz2
+184405c91d1ab4877caefb1a6458767e5f0b639e  libgcrypt-1.5.3.tar.gz
+b711fe3ddf534bb6f11823542036eb4a32e0c914  libgcrypt-1.5.2-1.5.3.diff.bz2
 
 
 For help on developing with Libgcrypt you should read the included
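Review bot: the added line `+Alternativley you may upgrade version 1.5.2 using this patch file:` carries over the spelling error from the removed line and also drops the preposition; suggest `Alternatively you may upgrade from version 1.5.2 using this patch file:`. While this hunk touches the download section, the unchanged context line `server the source file and its digital signatures is:` has a number disagreement (`signatures are:`) that could be fixed in the same edit.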

commit a3eabcb6e97a88031f8fd56b7b650447cdda4206
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Jul 25 11:21:12 2013 +0200

    Release 1.5.3.
    
    * configure.ac: Set LT version to C19/A8/R2.

diff --git a/NEWS b/NEWS
index 8abe6fe..172abbb 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
-Noteworthy changes in version 1.5.3 (unreleased)
+Noteworthy changes in version 1.5.3 (2013-07-25)
 ------------------------------------------------
 
+ * Mitigate the Yarom/Falkner flush+reload side-channel attack on
+   RSA secret keys.  See <http://eprint.iacr.org/2013/448>.
+
 
 Noteworthy changes in version 1.5.2 (2013-04-18)
 ------------------------------------------------
diff --git a/configure.ac b/configure.ac
index e631c94..b2ca882 100644
--- a/configure.ac
+++ b/configure.ac
@@ -59,7 +59,7 @@ AC_INIT([libgcrypt],[mym4_full_version],[http://bugs.gnupg.org])
 #
 LIBGCRYPT_LT_CURRENT=19
 LIBGCRYPT_LT_AGE=8
-LIBGCRYPT_LT_REVISION=1
+LIBGCRYPT_LT_REVISION=2
 
 
 # If the API is changed in an incompatible way: increment the next counter.

commit e2202ff2b704623efc6277fb5256e4e15bac5676
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Jul 25 11:17:52 2013 +0200

    Mitigate a flush+reload cache attack on RSA secret exponents.
    
    * mpi/mpi-pow.c (gcry_mpi_powm): Always perform the mpi_mul for
    exponents in secure memory.
    --
    
    The attack is published as http://eprint.iacr.org/2013/448 :
    
    Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
    Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
    
      Flush+Reload is a cache side-channel attack that monitors access to
      data in shared pages. In this paper we demonstrate how to use the
      attack to extract private encryption keys from GnuPG.  The high
      resolution and low noise of the Flush+Reload attack enables a spy
      program to recover over 98% of the bits of the private key in a
      single decryption or signing round. Unlike previous attacks, the
      attack targets the last level L3 cache. Consequently, the spy
      program and the victim do not need to share the execution core of
      the CPU. The attack is not limited to a traditional OS and can be
      used in a virtualised environment, where it can attack programs
      executing in a different VM.

diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
index f4aebdb..a63fc6d 100644
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@@ -1,6 +1,7 @@
 /* mpi-pow.c  -  MPI functions for exponentiation
  * Copyright (C) 1994, 1996, 1998, 2000, 2002
  *               2003  Free Software Foundation, Inc.
+ *               2013  g10 Code GmbH
  *
  * This file is part of Libgcrypt.
  *
@@ -235,7 +236,13 @@ gcry_mpi_powm (gcry_mpi_t res,
             tp = rp; rp = xp; xp = tp;
             rsize = xsize;
 
-            if ( (mpi_limb_signed_t)e < 0 )
+            /* To mitigate the Yarom/Falkner flush+reload cache
+             * side-channel attack on the RSA secret exponent, we do
+             * the multiplication regardless of the value of the
+             * high-bit of E.  But to avoid this performance penalty
+             * we do it only if the exponent has been stored in secure
+             * memory and we can thus assume it is a secret exponent.  */
+            if (esec || (mpi_limb_signed_t)e < 0)
               {
                 /*mpih_mul( xp, rp, rsize, bp, bsize );*/
                 if( bsize < KARATSUBA_THRESHOLD )
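Review bot: the new condition `if (esec || (mpi_limb_signed_t)e < 0)` relies on `esec`, which this hunk does not define or set; the comment says it means the exponent is stored in secure memory, so the comment or commit message should name where that flag is computed so a reader can confirm it is the exponent's secure-memory status and not a stale value. The same caveat deserves a line in NEWS or the announcement: the mitigation only applies when the caller has allocated the secret exponent in secure memory, and an exponent held in ordinary memory keeps the old bit-dependent multiply. Minor wording: "But to avoid this performance penalty" is misleading since the penalty is paid for every secure exponent; "To limit the performance penalty to secret exponents" matches what the code does.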
@@ -250,7 +257,9 @@ gcry_mpi_powm (gcry_mpi_t res,
                     _gcry_mpih_divrem(xp + msize, 0, xp, xsize, mp, msize);
                     xsize = msize;
                   }
-
+              }
+            if ( (mpi_limb_signed_t)e < 0 )
+              {
                 tp = rp; rp = xp; xp = tp;
                 rsize = xsize;
               }
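Review bot: the new `if ( (mpi_limb_signed_t)e < 0 )` block still branches on the high bit of E to decide whether `rp` and `xp` are swapped, so the loop's control flow remains secret-dependent; the change makes the multiply and the `_gcry_mpih_divrem` reduction execute on both paths but does not make the exponentiation constant-time. The comment in the preceding hunk should say so explicitly (e.g. "the conditional swap below still depends on the bit"), so that nobody reads this as a full side-channel fix rather than a mitigation of the multiply's cache footprint.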

-----------------------------------------------------------------------

Summary of changes:
 NEWS             |    8 +++++++-
 configure.ac     |    4 ++--
 doc/announce.txt |   34 ++++++++++++++--------------------
 mpi/mpi-pow.c    |   13 +++++++++++--
 4 files changed, 34 insertions(+), 25 deletions(-)


hooks/post-receive
-- 
The GNU crypto library
http://git.gnupg.org
