[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-259-gc17f84b

by Werner Koch cvs at cvs.gnupg.org
Tue Sep 1 07:35:36 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  c17f84bd02d7ee93845e92e20f6ddba814961588 (commit)
       via  dd87639abd38afc91a6f27af33f0ba17402ad02d (commit)
      from  a785cc3db0c4e8eb8ebbf784b833a40d2c42ec3e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c17f84bd02d7ee93845e92e20f6ddba814961588
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Aug 31 23:13:27 2015 +0200

    rsa: Add verify after sign to avoid Lenstra's CRT attack.
    
    * cipher/rsa.c (rsa_sign): Check the CRT.
    --
    
    Failures in the computation of the CRT (e.g. due to faulty hardware) can
    lead to a leak of the private key.  The standard precaution against
    this is to verify the signature after signing.  GnuPG does this itself
    and even has an option to disable this.  However, the low performance
    impact of this extra precaution suggests that it should always be done
    and Libgcrypt is the right place here.  For decryption this is not done
    because the application will detect the failure due to garbled
    plaintext and in any case no key derived material will be sent to the
    user.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/cipher/rsa.c b/cipher/rsa.c
index e4f73d5..45a481b 100644
--- a/cipher/rsa.c
+++ b/cipher/rsa.c
@@ -1112,7 +1112,9 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   struct pk_encoding_ctx ctx;
   gcry_mpi_t data = NULL;
   RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL};
+  RSA_public_key pk;
   gcry_mpi_t sig = NULL;
+  gcry_mpi_t result = NULL;
 
   _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN,
                                    rsa_get_nbits (keyparms));
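Review bot: `RSA_public_key pk;` is declared without an initializer while the neighbouring `sk` and the new `result` are zero-initialized; only `n` and `e` are assigned later in the function and `public` reads only those, so the code is correct, but giving `pk` an initializer would keep this function's convention of having no indeterminate locals and make the intent visible at the declaration.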
@@ -1148,11 +1150,25 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
         }
     }
 
-  /* Do RSA computation and build the result.  */
+  /* Do RSA computation.  */
   sig = mpi_new (0);
   secret (sig, data, &sk);
   if (DBG_CIPHER)
     log_printmpi ("rsa_sign    res", sig);
+
+  /* Check that the created signature is good.  This detects a failure
+     of the CRT algorithm  (Lenstra's attack on RSA's use of the CRT).  */
+  result = mpi_new (0);
+  pk.n = sk.n;
+  pk.e = sk.e;
+  public (result, sig, &pk);
+  if (mpi_cmp (result, data))
+    {
+      rc = GPG_ERR_BAD_SIGNATURE;
+      goto leave;
+    }
+
+  /* Convert the result.  */
   if ((ctx.flags & PUBKEY_FLAG_FIXEDLEN))
     {
       /* We need to make sure to return the correct length to avoid
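Review bot: `pk.n = sk.n; pk.e = sk.e;` makes `pk` alias the secret key's MPIs rather than copy them, and `pk` is (correctly) never passed to a release routine; a one-line comment above the assignment stating that `pk` borrows from `sk` would guard against a later cleanup that frees `pk` and double-frees `sk.n`/`sk.e`. The early `goto leave` on mismatch is good, since the faulty `sig` is released at `leave` and never reaches the caller; it is worth considering, though, whether `GPG_ERR_BAD_SIGNATURE`, the code the verify path returns for an invalid incoming signature, is the clearest choice for a fault detected in the signer's own computation, as a distinct error would let callers tell a hardware/CRT failure from bad input.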
@@ -1172,6 +1188,7 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
 
 
  leave:
+  _gcry_mpi_release (result);
   _gcry_mpi_release (sig);
   _gcry_mpi_release (sk.n);
   _gcry_mpi_release (sk.e);

commit dd87639abd38afc91a6f27af33f0ba17402ad02d
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Aug 31 22:41:12 2015 +0200

    Add pubkey algo id for EdDSA.
    
    * src/gcrypt.h.in (GCRY_PK_EDDSA): New.
    --
    
    These ids are not actually used by Libgcrypt but other software makes
    use of such algorithm ids.  Thus we provide them here.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/NEWS b/NEWS
index d90ee6d..22565ed 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,7 @@ Noteworthy changes in version 1.7.0 (unreleased)
  GCRY_CIPHER_MODE_OCB            NEW.
  GCRYCTL_SET_TAGLEN              NEW.
  gcry_cipher_final               NEW macro.
+ GCRY_PK_EDDSA                   NEW constant.
 
 
 Noteworthy changes in version 1.6.0 (2013-12-16)
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index 884034c..585da6a 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -1053,8 +1053,9 @@ enum gcry_pk_algos
     GCRY_PK_DSA   = 17,     /* Digital Signature Algorithm.  */
     GCRY_PK_ECC   = 18,     /* Generic ECC.  */
     GCRY_PK_ELG   = 20,     /* Elgamal       */
-    GCRY_PK_ECDSA = 301,    /* (deprecated: use 18).  */
-    GCRY_PK_ECDH  = 302     /* (deprecated: use 18).  */
+    GCRY_PK_ECDSA = 301,    /* (only for external use).  */
+    GCRY_PK_ECDH  = 302,    /* (only for external use).  */
+    GCRY_PK_EDDSA = 303     /* (only for external use).  */
   };
 
 /* Flags describing usage capabilities of a PK algorithm. */
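Review bot: the comments on `GCRY_PK_ECDSA` and `GCRY_PK_ECDH` change from `(deprecated: use 18)` to `(only for external use)`, dropping the pointer to `GCRY_PK_ECC`, yet the commit message's ChangeLog entry lists only `GCRY_PK_EDDSA` as new. Either mention the re-wording of the two existing comments in the ChangeLog entry or keep the `use 18` hint, since a reader of the header otherwise loses the information about which id to pass to Libgcrypt's own API.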

-----------------------------------------------------------------------

Summary of changes:
 NEWS            |  1 +
 cipher/rsa.c    | 19 ++++++++++++++++++-
 src/gcrypt.h.in |  5 +++--
 3 files changed, 22 insertions(+), 3 deletions(-)


hooks/post-receive
-- 
The GNU crypto library
http://git.gnupg.org



