[git] GCRYPT - branch, LIBGCRYPT-1-5-BRANCH, updated. libgcrypt-1.5.5-7-g7104edf
by Werner Koch
cvs at cvs.gnupg.org
Wed Aug 17 14:22:04 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, LIBGCRYPT-1-5-BRANCH has been updated
via 7104edfcd17a51f48a2ed72640ed308f245c0942 (commit)
via 6e481d6bf0a69f8c9bd2866eb491e1e4e9b0717f (commit)
via 6199cd963d1fba86e0b7b9e2de4b6c00b945193a (commit)
via 98980e2fd29ad62903c78fa6521489fce651cdda (commit)
via 93869fe52c4e24a0e3284addd37e1c78dc0c8cf1 (commit)
from 74504ac9b0af567fe5b8f6ac5c7e7a9e59f0b348 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 7104edfcd17a51f48a2ed72640ed308f245c0942
Author: Werner Koch <wk at gnupg.org>
Date: Wed Aug 17 14:19:20 2016 +0200
Post release updates
--
diff --git a/NEWS b/NEWS
index 69f5e71..14db249 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+Noteworthy changes in version 1.5.7 (unreleased) [C19/A8/R_]
+------------------------------------------------
+
+
Noteworthy changes in version 1.5.6 (2016-08-17) [C19/A8/R5]
------------------------------------------------
diff --git a/configure.ac b/configure.ac
index a3fb586..8fc66f9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -30,7 +30,7 @@ min_automake_version="1.11"
# for the LT versions.
m4_define(mym4_version_major, [1])
m4_define(mym4_version_minor, [5])
-m4_define(mym4_version_micro, [6])
+m4_define(mym4_version_micro, [7])
# Below is m4 magic to extract and compute the revision number, the
# decimalized short revision number, a beta version string, and a flag
commit 6e481d6bf0a69f8c9bd2866eb491e1e4e9b0717f
Author: Werner Koch <wk at gnupg.org>
Date: Wed Aug 17 14:13:21 2016 +0200
Release 1.5.6
* configure.ac: Set LT version to C19/A8/R5.
diff --git a/NEWS b/NEWS
index 13ac832..69f5e71 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
-Noteworthy changes in version 1.5.6 (unreleased) [C19/A8/R_]
+Noteworthy changes in version 1.5.6 (2016-08-17) [C19/A8/R5]
------------------------------------------------
+ * Fix critical security bug in the RNG [CVE-2016-6313]. An attacker
+ who obtains 580 bytes from the standard RNG can trivially predict
+ the next 20 bytes of output. Problem detected by Felix Dörre and
+ Vladimir Klebanov, KIT.
+
Noteworthy changes in version 1.5.5 (2016-02-18) [C19/A8/R4]
------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 367acd2..a3fb586 100644
--- a/configure.ac
+++ b/configure.ac
@@ -59,7 +59,7 @@ AC_INIT([libgcrypt],[mym4_full_version],[http://bugs.gnupg.org])
#
LIBGCRYPT_LT_CURRENT=19
LIBGCRYPT_LT_AGE=8
-LIBGCRYPT_LT_REVISION=4
+LIBGCRYPT_LT_REVISION=5
# If the API is changed in an incompatible way: increment the next counter.
commit 6199cd963d1fba86e0b7b9e2de4b6c00b945193a
Author: Werner Koch <wk at gnupg.org>
Date: Mon Aug 8 12:54:08 2016 +0200
random: Hash continuous areas in the csprng pool.
* random/random-csprng.c (mix_pool): Store the first hash at the end
of the pool.
--
This fixes a long standing bug (since 1998) in Libgcrypt and GnuPG.
An attacker who obtains 580 bytes of the random number from the
standard RNG can trivially predict the next 20 bytes of output.
For use in GnuPG this bug does not affect the default generation of
keys because running gpg for key creation creates at most 2 keys from
the pool: For a single 4096 bit RSA key 512 byte of random are
required and thus for the second key (encryption subkey), 20 bytes
could be predicted from the the first key. However, the security of
an OpenPGP key depends on the primary key (which was generated first)
and thus the 20 predictable bytes should not be a problem. For the
default key length of 2048 bit nothing will be predictable.
For the former default of DSA+Elgamal key it is complicate to give an
answer: For 2048 bit keys a pool of 30 non-secret candidate primes of
about 300 bits each are first created. This reads at least 1140 bytes
from the pool and thus parts could be predicted. At some point a 256
bit secret is read from the pool; which in the worst case might be
partly predictable.
The bug was found and reported by Felix Dörre and Vladimir Klebanov,
Karlsruhe Institute of Technology. A paper describing the problem in
detail will shortly be published.
CVE-id: CVE-2016-6313
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/random/random-csprng.c b/random/random-csprng.c
index 10952d5..0fdfa6c 100644
--- a/random/random-csprng.c
+++ b/random/random-csprng.c
@@ -566,23 +566,22 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length,
* bytes.
* <................600...............> <.64.>
* pool |------------------------------------| |------|
- * <..44..> <20>
- * | |
- * | +-----+
- * +-----------------------------------|--+
- * v v
+ * <20><.24.> <20>
+ * | | +-----+
+ * +-----|-------------------------------|-+
+ * +-------------------------------|-|-+
+ * v v v
* |------|
* <hash>
- * |
* +---------------------------------------+
* v
* <20>
* pool' |------------------------------------|
- * <20><20><..44..>
- * | |
- * | +------------------------------+
- * +-------------------------------------+ |
- * v v
+ * <20><20><.24.>
+ * +---|-----|---------------------------+
+ * +-----|---------------------------|-+
+ * +---------------------------|-|-+
+ * v v v
* |------|
* <hash>
* |
@@ -590,13 +589,11 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length,
* v
* <20>
* pool'' |------------------------------------|
- * <20><20><20><..44..>
- * | |
- * | +--------------------------+
- * +---------------------------------+ |
- * v v
- * |------|
- * <hash>
+ * <20><20><20><.24.>
+ * +---|-----|-----------------------+
+ * +-----|-----------------------|-+
+ * +-----------------------|-|-+
+ * v v v
*
* and so on until we did this for all 30 blocks.
*
@@ -623,9 +620,9 @@ mix_pool(unsigned char *pool)
gcry_assert (pool_is_locked);
_gcry_rmd160_init( &md );
- /* Loop over the pool. */
+ /* pool_0 -> pool'. */
pend = pool + POOLSIZE;
- memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN );
+ memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN);
memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
_gcry_rmd160_mixblock (&md, hashbuf);
memcpy (pool, hashbuf, DIGESTLEN);
@@ -636,19 +633,17 @@ mix_pool(unsigned char *pool)
pool[i] ^= failsafe_digest[i];
}
+ /* Loop for the remaining iterations. */
p = pool;
for (n=1; n < POOLBLOCKS; n++)
{
- memcpy (hashbuf, p, DIGESTLEN);
-
- p += DIGESTLEN;
- if (p+DIGESTLEN+BLOCKLEN < pend)
- memcpy (hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN);
+ if (p + BLOCKLEN < pend)
+ memcpy (hashbuf, p, BLOCKLEN);
else
{
- unsigned char *pp = p + DIGESTLEN;
+ unsigned char *pp = p;
- for (i=DIGESTLEN; i < BLOCKLEN; i++ )
+ for (i=0; i < BLOCKLEN; i++ )
{
if ( pp >= pend )
pp = pool;
@@ -657,7 +652,8 @@ mix_pool(unsigned char *pool)
}
_gcry_rmd160_mixblock (&md, hashbuf);
- memcpy(p, hashbuf, DIGESTLEN);
+ p += DIGESTLEN;
+ memcpy (p, hashbuf, DIGESTLEN);
}
/* Our hash implementation does only leave small parts (64 bytes)
commit 98980e2fd29ad62903c78fa6521489fce651cdda
Author: Werner Koch <wk at gnupg.org>
Date: Mon Aug 8 12:08:43 2016 +0200
random: Improve the diagram showing the random mixing
* random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20.
--
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/random/random-csprng.c b/random/random-csprng.c
index 096a674..10952d5 100644
--- a/random/random-csprng.c
+++ b/random/random-csprng.c
@@ -561,41 +561,49 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length,
/*
- Mix the pool:
-
- |........blocks*20byte........|20byte|..44byte..|
- <..44byte..> <20byte>
- | |
- | +------+
- +---------------------------|----------+
- v v
- |........blocks*20byte........|20byte|..44byte..|
- <.....64bytes.....>
- |
- +----------------------------------+
- Hash
- v
- |.............................|20byte|..44byte..|
- <20byte><20byte><..44byte..>
- | |
- | +---------------------+
- +-----------------------------+ |
- v v
- |.............................|20byte|..44byte..|
- <.....64byte......>
- |
- +-------------------------+
- Hash
- v
- |.............................|20byte|..44byte..|
- <20byte><20byte><..44byte..>
-
- and so on until we did this for all blocks.
-
- To better protect against implementation errors in this code, we
- xor a digest of the entire pool into the pool before mixing.
-
- Note: this function must only be called with a locked pool.
+ * Mix the 600 byte pool. Note that the 64 byte scratch area directly
+ * follows the pool. The numbers in the diagram give the number of
+ * bytes.
+ * <................600...............> <.64.>
+ * pool |------------------------------------| |------|
+ * <..44..> <20>
+ * | |
+ * | +-----+
+ * +-----------------------------------|--+
+ * v v
+ * |------|
+ * <hash>
+ * |
+ * +---------------------------------------+
+ * v
+ * <20>
+ * pool' |------------------------------------|
+ * <20><20><..44..>
+ * | |
+ * | +------------------------------+
+ * +-------------------------------------+ |
+ * v v
+ * |------|
+ * <hash>
+ * |
+ * +-----------------------------------+
+ * v
+ * <20>
+ * pool'' |------------------------------------|
+ * <20><20><20><..44..>
+ * | |
+ * | +--------------------------+
+ * +---------------------------------+ |
+ * v v
+ * |------|
+ * <hash>
+ *
+ * and so on until we did this for all 30 blocks.
+ *
+ * To better protect against implementation errors in this code, we
+ * xor a digest of the entire pool into the pool before mixing.
+ *
+ * Note: this function must only be called with a locked pool.
*/
static void
mix_pool(unsigned char *pool)
@@ -617,14 +625,14 @@ mix_pool(unsigned char *pool)
/* Loop over the pool. */
pend = pool + POOLSIZE;
- memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN );
- memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
- _gcry_rmd160_mixblock( &md, hashbuf);
- memcpy(pool, hashbuf, 20 );
+ memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN );
+ memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN);
+ _gcry_rmd160_mixblock (&md, hashbuf);
+ memcpy (pool, hashbuf, DIGESTLEN);
if (failsafe_digest_valid && pool == rndpool)
{
- for (i=0; i < 20; i++)
+ for (i=0; i < DIGESTLEN; i++)
pool[i] ^= failsafe_digest[i];
}
@@ -648,8 +656,8 @@ mix_pool(unsigned char *pool)
}
}
- _gcry_rmd160_mixblock ( &md, hashbuf);
- memcpy(p, hashbuf, 20 );
+ _gcry_rmd160_mixblock (&md, hashbuf);
+ memcpy(p, hashbuf, DIGESTLEN);
}
/* Our hash implementation does only leave small parts (64 bytes)
commit 93869fe52c4e24a0e3284addd37e1c78dc0c8cf1
Author: Werner Koch <wk at gnupg.org>
Date: Wed Aug 17 10:58:22 2016 +0200
doc: Update AUTHORS
--
diff --git a/AUTHORS b/AUTHORS
index e7ffaea..45acb15 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -7,8 +7,12 @@ End-of-life: 2016-12-31
License (library): LGPLv2.1+
License (manual and tools): GPLv2+
-Libgcrypt used to be part of GnuPG but has been taken out into its own
-package on 2000-12-21.
+Libgcrypt is free software. See the files COPYING.LIB and COPYING for
+copying conditions. License copyright years may be listed using range
+notation, e.g., 2000-2013, indicating that every year in the range,
+inclusive, is a copyrightable year that would otherwise be listed
+individually. Libgcrypt used to be part of GnuPG but has been taken
+out into its own package on 2000-12-21.
Authors with a FSF copyright assignment
-----------------------------------------------------------------------
Summary of changes:
AUTHORS | 8 +++-
NEWS | 11 +++++-
configure.ac | 4 +-
random/random-csprng.c | 104 +++++++++++++++++++++++++------------------------
4 files changed, 72 insertions(+), 55 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
More information about the Gnupg-commits
mailing list