[git] GCRYPT - branch, LIBGCRYPT-1-7-BRANCH, updated. libgcrypt-1.7.2-12-gbf3388a
by Werner Koch
cvs at cvs.gnupg.org
Wed Aug 17 13:43:44 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, LIBGCRYPT-1-7-BRANCH has been updated
via bf3388a17d1871b03c630b5a66b31e2e44b44edf (commit)
via f8241874971478bdcd2bc2082d901d05db7b256d (commit)
via 8dd45ad957b54b939c288a68720137386c7f6501 (commit)
via 2f62103b4bb6d6f9ce806e01afb7fdc58aa33513 (commit)
via f38199dbc290003898a1799adc367265267784c2 (commit)
via a4d1595a2638db63ac4c73e722c8ba95fdd85ff7 (commit)
via 05a4cecae0c02d2b4ee1cadd9c08115beae3a94a (commit)
via 962b15470663db11e5c35b86768f1b5d8e600017 (commit)
via 34c64eb03178fbfd34190148fec5a189df2b8f83 (commit)
via 3d6334f8d94c2a4df10eed203ae928298a4332ef (commit)
via eee78f6e1fbce7d54c43fb7efc5aa8be9f52755f (commit)
from 62642c4be0653a94fdec0c0b1f9d38673250a156 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit bf3388a17d1871b03c630b5a66b31e2e44b44edf
Author: Werner Koch <wk at gnupg.org>
Date: Wed Aug 17 13:40:19 2016 +0200
Post release updates
--
diff --git a/NEWS b/NEWS
index c64983b..cdf1ef4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+Noteworthy changes in version 1.7.4 (unreleased) [C21/A1/R_]
+------------------------------------------------
+
+
Noteworthy changes in version 1.7.3 (2016-08-17) [C21/A1/R3]
------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 273a7d2..7f415bf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -30,7 +30,7 @@ min_automake_version="1.14"
# for the LT versions.
m4_define(mym4_version_major, [1])
m4_define(mym4_version_minor, [7])
-m4_define(mym4_version_micro, [3])
+m4_define(mym4_version_micro, [4])
# Below is m4 magic to extract and compute the revision number, the
# decimalized short revision number, a beta version string, and a flag
commit f8241874971478bdcd2bc2082d901d05db7b256d
Author: Werner Koch <wk at gnupg.org>
Date: Wed Aug 17 13:31:12 2016 +0200
Release 1.7.3
* configure.ac: Set LT version to C21/A1/R3.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/NEWS b/NEWS
index bca3e66..c64983b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,19 @@
-Noteworthy changes in version 1.7.3 (unreleased) [C21/A1/R_]
+Noteworthy changes in version 1.7.3 (2016-08-17) [C21/A1/R3]
------------------------------------------------
+ * Bug fixes:
+
+ - Fix critical security bug in the RNG [CVE-2016-6313]. An
+ attacker who obtains 580 bytes from the standard RNG can
+ trivially predict the next 20 bytes of output. Problem
+ detected by Felix Dörre and Vladimir Klebanov, KIT.
+
+ - Fix building of some asm modules with older compilers and CPUs.
+
+ * Performance:
+
+ - ARMv8/AArch32 improvements for AES, GCM, SHA-256, and SHA-1.
+
Noteworthy changes in version 1.7.2 (2016-07-14) [C21/A1/R2]
------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 92d3074..273a7d2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,7 +56,7 @@ AC_INIT([libgcrypt],[mym4_full_version],[http://bugs.gnupg.org])
# (No interfaces changed: REVISION++)
LIBGCRYPT_LT_CURRENT=21
LIBGCRYPT_LT_AGE=1
-LIBGCRYPT_LT_REVISION=2
+LIBGCRYPT_LT_REVISION=3
# If the API is changed in an incompatible way: increment the next counter.
commit 8dd45ad957b54b939c288a68720137386c7f6501
Author: Werner Koch <wk at gnupg.org>
Date: Mon Aug 8 12:54:08 2016 +0200
random: Hash continuous areas in the csprng pool.
* random/random-csprng.c (mix_pool): Store the first hash at the end
of the pool.
--
This fixes a long standing bug (since 1998) in Libgcrypt and GnuPG.
An attacker who obtains 580 bytes of the random number from the
standard RNG can trivially predict the next 20 bytes of output.
For use in GnuPG this bug does not affect the default generation of
keys because running gpg for key creation creates at most 2 keys from
the pool: For a single 4096 bit RSA key 512 byte of random are
required and thus for the second key (encryption subkey), 20 bytes
could be predicted from the the first key. However, the security of
an OpenPGP key depends on the primary key (which was generated first)
and thus the 20 predictable bytes should not be a problem. For the
default key length of 2048 bit nothing will be predictable.
For the former default of DSA+Elgamal key it is complicate to give an
answer: For 2048 bit keys a pool of 30 non-secret candidate primes of
about 300 bits each are first created. This reads at least 1140 bytes
from the pool and thus parts could be predicted. At some point a 256
bit secret is read from the pool; which in the worst case might be
partly predictable.
The bug was found and reported by Felix Dörre and Vladimir Klebanov,
Karlsruhe Institute of Technology. A paper describing the problem in
detail will shortly be published.
CVE-id: CVE-2016-6313
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/random/random-csprng.c b/random/random-csprng.c
index 54ec277..5a771c2 100644
--- a/random/random-csprng.c
+++ b/random/random-csprng.c
@@ -553,23 +553,22 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length,
* bytes.
* <................600...............> <.64.>
* pool |------------------------------------| |------|
- * <..44..> <20>
- * | |
- * | +-----+
- * +-----------------------------------|--+
- * v v
+ * <20><.24.> <20>
+ * | | +-----+
+ * +-----|-------------------------------|-+
+ * +-------------------------------|-|-+
+ * v v v
* |------|
* <hash>
- * |
* +---------------------------------------+
* v
* <20>
* pool' |------------------------------------|
- * <20><20><..44..>
- * | |
- * | +------------------------------+
- * +-------------------------------------+ |
- * v v
+ * <20><20><.24.>
+ * +---|-----|---------------------------+
+ * +-----|---------------------------|-+
+ * +---------------------------|-|-+
+ * v v v
* |------|
* <hash>
* |
@@ -577,13 +576,11 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length,
* v
* <20>
* pool'' |------------------------------------|
- * <20><20><20><..44..>
- * | |
- * | +--------------------------+
- * +---------------------------------+ |
- * v v
- * |------|
- * <hash>
+ * <20><20><20><.24.>
+ * +---|-----|-----------------------+
+ * +-----|-----------------------|-+
+ * +-----------------------|-|-+
+ * v v v
*
* and so on until we did this for all 30 blocks.
*
@@ -611,9 +608,9 @@ mix_pool(unsigned char *pool)
gcry_assert (pool_is_locked);
_gcry_sha1_mixblock_init (&md);
- /* Loop over the pool. */
+ /* pool_0 -> pool'. */
pend = pool + POOLSIZE;
- memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN );
+ memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN);
memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
nburn = _gcry_sha1_mixblock (&md, hashbuf);
memcpy (pool, hashbuf, DIGESTLEN);
@@ -624,19 +621,17 @@ mix_pool(unsigned char *pool)
pool[i] ^= failsafe_digest[i];
}
+ /* Loop for the remaining iterations. */
p = pool;
for (n=1; n < POOLBLOCKS; n++)
{
- memcpy (hashbuf, p, DIGESTLEN);
-
- p += DIGESTLEN;
- if (p+DIGESTLEN+BLOCKLEN < pend)
- memcpy (hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN);
+ if (p + BLOCKLEN < pend)
+ memcpy (hashbuf, p, BLOCKLEN);
else
{
- unsigned char *pp = p + DIGESTLEN;
+ unsigned char *pp = p;
- for (i=DIGESTLEN; i < BLOCKLEN; i++ )
+ for (i=0; i < BLOCKLEN; i++ )
{
if ( pp >= pend )
pp = pool;
@@ -645,7 +640,8 @@ mix_pool(unsigned char *pool)
}
_gcry_sha1_mixblock (&md, hashbuf);
- memcpy(p, hashbuf, DIGESTLEN);
+ p += DIGESTLEN;
+ memcpy (p, hashbuf, DIGESTLEN);
}
/* Our hash implementation does only leave small parts (64 bytes)
commit 2f62103b4bb6d6f9ce806e01afb7fdc58aa33513
Author: Werner Koch <wk at gnupg.org>
Date: Mon Aug 8 12:08:43 2016 +0200
random: Improve the diagram showing the random mixing
* random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/random/random-csprng.c b/random/random-csprng.c
index a0bfc78..54ec277 100644
--- a/random/random-csprng.c
+++ b/random/random-csprng.c
@@ -548,41 +548,49 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length,
/*
- Mix the pool:
-
- |........blocks*20byte........|20byte|..44byte..|
- <..44byte..> <20byte>
- | |
- | +------+
- +---------------------------|----------+
- v v
- |........blocks*20byte........|20byte|..44byte..|
- <.....64bytes.....>
- |
- +----------------------------------+
- Hash
- v
- |.............................|20byte|..44byte..|
- <20byte><20byte><..44byte..>
- | |
- | +---------------------+
- +-----------------------------+ |
- v v
- |.............................|20byte|..44byte..|
- <.....64byte......>
- |
- +-------------------------+
- Hash
- v
- |.............................|20byte|..44byte..|
- <20byte><20byte><..44byte..>
-
- and so on until we did this for all blocks.
-
- To better protect against implementation errors in this code, we
- xor a digest of the entire pool into the pool before mixing.
-
- Note: this function must only be called with a locked pool.
+ * Mix the 600 byte pool. Note that the 64 byte scratch area directly
+ * follows the pool. The numbers in the diagram give the number of
+ * bytes.
+ * <................600...............> <.64.>
+ * pool |------------------------------------| |------|
+ * <..44..> <20>
+ * | |
+ * | +-----+
+ * +-----------------------------------|--+
+ * v v
+ * |------|
+ * <hash>
+ * |
+ * +---------------------------------------+
+ * v
+ * <20>
+ * pool' |------------------------------------|
+ * <20><20><..44..>
+ * | |
+ * | +------------------------------+
+ * +-------------------------------------+ |
+ * v v
+ * |------|
+ * <hash>
+ * |
+ * +-----------------------------------+
+ * v
+ * <20>
+ * pool'' |------------------------------------|
+ * <20><20><20><..44..>
+ * | |
+ * | +--------------------------+
+ * +---------------------------------+ |
+ * v v
+ * |------|
+ * <hash>
+ *
+ * and so on until we did this for all 30 blocks.
+ *
+ * To better protect against implementation errors in this code, we
+ * xor a digest of the entire pool into the pool before mixing.
+ *
+ * Note: this function must only be called with a locked pool.
*/
static void
mix_pool(unsigned char *pool)
@@ -605,14 +613,14 @@ mix_pool(unsigned char *pool)
/* Loop over the pool. */
pend = pool + POOLSIZE;
- memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
- memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
+ memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN );
+ memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
nburn = _gcry_sha1_mixblock (&md, hashbuf);
- memcpy(pool, hashbuf, 20 );
+ memcpy (pool, hashbuf, DIGESTLEN);
if (failsafe_digest_valid && pool == rndpool)
{
- for (i=0; i < 20; i++)
+ for (i=0; i < DIGESTLEN; i++)
pool[i] ^= failsafe_digest[i];
}
@@ -637,7 +645,7 @@ mix_pool(unsigned char *pool)
}
_gcry_sha1_mixblock (&md, hashbuf);
- memcpy(p, hashbuf, 20 );
+ memcpy(p, hashbuf, DIGESTLEN);
}
/* Our hash implementation does only leave small parts (64 bytes)
-----------------------------------------------------------------------
Summary of changes:
NEWS | 19 +-
cipher/Makefile.am | 5 +-
cipher/cipher-gcm-armv8-aarch32-ce.S | 235 ++++++
cipher/cipher-gcm.c | 37 +-
cipher/cipher-internal.h | 10 +
cipher/crc-intel-pclmul.c | 20 +-
cipher/rijndael-aesni.c | 33 +-
cipher/rijndael-armv8-aarch32-ce.S | 1483 ++++++++++++++++++++++++++++++++++
cipher/rijndael-armv8-ce.c | 469 +++++++++++
cipher/rijndael-internal.h | 14 +
cipher/rijndael.c | 120 ++-
cipher/sha1-armv7-neon.S | 1 +
cipher/sha1-armv8-aarch32-ce.S | 219 +++++
cipher/sha1.c | 26 +-
cipher/sha1.h | 1 +
cipher/sha256-armv8-aarch32-ce.S | 231 ++++++
cipher/sha256.c | 30 +
configure.ac | 158 +++-
random/random-csprng.c | 100 +--
src/g10lib.h | 4 +
src/hwf-arm.c | 139 +++-
src/hwfeatures.c | 6 +-
22 files changed, 3247 insertions(+), 113 deletions(-)
create mode 100644 cipher/cipher-gcm-armv8-aarch32-ce.S
create mode 100644 cipher/rijndael-armv8-aarch32-ce.S
create mode 100644 cipher/rijndael-armv8-ce.c
create mode 100644 cipher/sha1-armv8-aarch32-ce.S
create mode 100644 cipher/sha256-armv8-aarch32-ce.S
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
More information about the Gnupg-commits
mailing list