[git] GCRYPT - branch, LIBGCRYPT-1-6-BRANCH, updated. libgcrypt-1.6.4-7-gde7db12

by NIIBE Yutaka cvs at cvs.gnupg.org
Tue Feb 9 10:11:21 CET 2016



The branch, LIBGCRYPT-1-6-BRANCH has been updated
       via  de7db12fa04016e12dffb2b678632f45eba15ec4 (commit)
       via  070f0c4e14298c53785ea8caa8db71e30d134a1d (commit)
       via  28eb424e4427b320ec1c9c4ce56af25d495230bd (commit)
      from  df3cfdb32c332b57822d54040fc911bcb0594acb (commit)


- Log -----------------------------------------------------------------
commit de7db12fa04016e12dffb2b678632f45eba15ec4
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Wed Nov 25 12:46:19 2015 +0900

    ecc: Constant-time multiplication for Weierstrass curve.
    
    * mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
    method for Weierstrass curve when SCALAR is secure.
    
    --
    
    Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
    
    CVE-id: CVE-2015-7511
    
    Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran
    Tromer.   http://www.cs.tau.ac.IL/~tromer/ecdh/
    
    This could be an effective countermeasure to some chosen-ciphertext
    attacks.
    
    (backport from master
     commit 88e1358962e902ff1cbec8d53ba3eee46407851a)

diff --git a/mpi/ec.c b/mpi/ec.c
index ccaed29..cb4113c 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1106,16 +1106,27 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
   unsigned int i, loops;
   mpi_point_struct p1, p2, p1inv;
 
-  if (ctx->model == MPI_EC_TWISTEDEDWARDS)
+  if (ctx->model == MPI_EC_TWISTEDEDWARDS
+      || (ctx->model == MPI_EC_WEIERSTRASS
+          && mpi_is_secure (scalar)))
     {
       /* Simple left to right binary method.  GECC Algorithm 3.27 */
       unsigned int nbits;
       int j;
 
       nbits = mpi_get_nbits (scalar);
-      mpi_set_ui (result->x, 0);
-      mpi_set_ui (result->y, 1);
-      mpi_set_ui (result->z, 1);
+      if (ctx->model == MPI_EC_WEIERSTRASS)
+        {
+          mpi_set_ui (result->x, 1);
+          mpi_set_ui (result->y, 1);
+          mpi_set_ui (result->z, 0);
+        }
+      else
+        {
+          mpi_set_ui (result->x, 0);
+          mpi_set_ui (result->y, 1);
+          mpi_set_ui (result->z, 1);
+        }
 
       if (mpi_is_secure (scalar))
         {
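Review bot: On the new Weierstrass path the iteration count is still taken from `nbits = mpi_get_nbits (scalar)` (line 63), so the number of double-and-add steps, and hence the run time, continues to depend on the scalar's leading-zero count; this residual length leak is not closed by the constant-time branch. For a secure scalar the bound should be a public quantity, e.g. the bit length of the group order if the context carries it, or failing that `mpi_get_nbits (ctx->p) + 1`, which is enough for any scalar already reduced modulo the order (worth confirming callers guarantee that). The two initialisations also deserve a comment, since the neutral element differs by model: `/* Neutral element: (1:1:0) is the point at infinity in projective Weierstrass coordinates; (0:1:1) is the identity on a twisted Edwards curve.  */`. The per-bit step after line 80 and the rest of _gcry_mpi_ec_mul_point lie outside the hunk, so whether each step is itself branch-free cannot be confirmed here.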

commit 070f0c4e14298c53785ea8caa8db71e30d134a1d
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Thu Nov 26 11:37:47 2015 +0900

    ecc: minor improvement of point multiplication.
    
    * mpi/ec.c (_gcry_mpi_ec_mul_point): Move ec_subm out of the loop.
    
    --
    
    (backport from master
     commit 3658afd09c3b03b4398aaa5748387220c93b1a94)

diff --git a/mpi/ec.c b/mpi/ec.c
index 168076f..ccaed29 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1205,6 +1205,10 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
   point_init (&p2);
   point_init (&p1inv);
 
+  /* Invert point: y = p - y mod p  */
+  point_set (&p1inv, &p1);
+  ec_subm (p1inv.y, ctx->p, p1inv.y, ctx);
+
   for (i=loops-2; i > 0; i--)
     {
       _gcry_mpi_ec_dup_point (result, result, ctx);
@@ -1216,9 +1220,6 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
       if (mpi_test_bit (h, i) == 0 && mpi_test_bit (k, i) == 1)
         {
           point_set (&p2, result);
-          /* Invert point: y = p - y mod p  */
-          point_set (&p1inv, &p1);
-          ec_subm (p1inv.y, ctx->p, p1inv.y, ctx);
           _gcry_mpi_ec_add_points (result, &p2, &p1inv, ctx);
         }
     }
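Review bot: Hoisting the negation relies on `p1` already holding the base point at line 105 and on neither `p1` nor `ctx->p` being written inside the loop; both invariants are maintained by code outside this hunk, so the moved comment should state them rather than leave the reader to check: `/* Invert point once: y = p - y mod p.  Hoisted out of the loop because neither p1 nor ctx->p changes below.  */`. The subtraction now runs even when no (h=0, k=1) digit occurs, which is negligible and if anything makes the timing more uniform. _gcry_mpi_ec_mul_point begins and ends outside this hunk.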

commit 28eb424e4427b320ec1c9c4ce56af25d495230bd
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Wed Nov 25 08:41:41 2015 +0900

    ecc: input validation on ECDH.
    
    * cipher/ecc.c (ecc_decrypt_raw): Validate the point.

diff --git a/cipher/ecc.c b/cipher/ecc.c
index 9dd2482..9b05d46 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -1382,6 +1382,12 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
   ec = _gcry_mpi_ec_p_internal_new (sk.E.model, sk.E.dialect, 0,
                                     sk.E.p, sk.E.a, sk.E.b);
 
+  if (!_gcry_mpi_ec_curve_point (&kG, ec))
+    {
+      point_free (&kG);
+      return GPG_ERR_INV_DATA;
+    }
+
   /* R = dkG */
   _gcry_mpi_ec_mul_point (&R, sk.d, &kG, ec);
 
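Review bot: The early `return GPG_ERR_INV_DATA` at line 141 leaks the context `ec` created at line 135, and presumably also the parsed key material in `sk` and any other allocations made earlier in ecc_decrypt_raw (the rest of the function is outside the hunk); a function of this shape normally has a common cleanup label, so this should read `rc = GPG_ERR_INV_DATA; goto leave;` (or at least release the context before returning), with the `point_free (&kG)` moved to the cleanup path if that is where it already happens. Separately, `_gcry_mpi_ec_curve_point` only establishes that kG satisfies the curve equation; it does not reject the point at infinity nor, on curves with cofactor greater than 1, points of small order, so a subgroup or cofactor check would still be needed there. That limitation is worth documenting at the check: `/* Reject off-curve points (invalid-curve attack).  This does not check subgroup membership; curves with cofactor > 1 need an additional order check.  */`.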

-----------------------------------------------------------------------

Summary of changes:
 cipher/ecc.c |  6 ++++++
 mpi/ec.c     | 26 +++++++++++++++++++-------
 2 files changed, 25 insertions(+), 7 deletions(-)





