Commit messages (Libgcrypt git log)

* configure.ac: Set LT version to C19/A8/R2.
* mpi/mpi-pow.c (gcry_mpi_powm): Always perform the mpi_mul for
exponents in secure memory.
--
The attack is published as http://eprint.iacr.org/2013/448 :
Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
Flush+Reload is a cache side-channel attack that monitors access to
data in shared pages. In this paper we demonstrate how to use the
attack to extract private encryption keys from GnuPG. The high
resolution and low noise of the Flush+Reload attack enables a spy
program to recover over 98% of the bits of the private key in a
single decryption or signing round. Unlike previous attacks, the
attack targets the last level L3 cache. Consequently, the spy
program and the victim do not need to share the execution core of
the CPU. The attack is not limited to a traditional OS and can be
used in a virtualised environment, where it can attack programs
executing in a different VM.
* mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that
the result has been allocated.
--
This code triggered the problem:

  modulus = gcry_mpi_set_ui(NULL, 100);
  generator = gcry_mpi_set_ui(NULL, 3);
  exponent = gcry_mpi_set_ui(NULL, 0);
  result = gcry_mpi_new(0);
  gcry_mpi_powm(result, generator, exponent, modulus);

gcry_mpi_new(0) does not allocate the limb space thus it is not
possible to write even into the first limb. Workaround was to use
gcry_mpi_new (1) but a real fix is better.
Reported-by: Ian Goldberg
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 6e1adb05d290aeeb1c230c763970695f4a538526)
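
The two mpi-pow.c commits above concern the same routine: the Flush+Reload fix removes the secret-dependent decision of whether the multiply code runs at all, and the zero-exponent fix makes sure a result is produced even when no multiply would ever be needed. The following is an added example, not libgcrypt code: a toy 64-bit square-and-multiply in two variants. The "leaky" one multiplies only for set exponent bits, which is the code-access pattern a cache spy can observe; the "hardened" one always executes the multiply and selects the surviving value with a mask, the idea behind "always perform the mpi_mul". Assumptions: the modulus is non-zero and fits 64 bits, the reduction uses a hardware division (itself not constant-time, which a real implementation avoids with Montgomery arithmetic), and the multiply counter exists only to make the leak visible. The exponent == 0 case returns 1 mod m from both variants; the allocation problem of the second commit does not arise here because the toy returns its result by value.

```c
#include <stdint.h>
#include <stdio.h>

__extension__ typedef unsigned __int128 u128;

/* Instrumentation only: counts how many times the multiply routine runs. */
static unsigned long mul_calls;

/* (a * b) mod m on 64-bit operands; the % is a hardware division and is
 * NOT constant-time, see the lead-in.  Assumes m != 0. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    mul_calls++;
    return (uint64_t)(((u128)a * b) % m);
}

/* Leaky variant: the multiply by the base happens only for set exponent
 * bits, so which code (and which cache lines) executes depends on the
 * secret exponent. */
uint64_t powm_leaky(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;                       /* exp == 0 yields 1 mod m */
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);                  /* square */
        if ((exp >> i) & 1)                   /* secret-dependent branch */
            r = mulmod(r, base, m);           /* multiply */
    }
    return r;
}

/* Hardened variant: the multiply executes on every iteration and a mask
 * selects which value survives, so the sequence of multiply calls is the
 * same for every exponent. */
uint64_t powm_hardened(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);
        uint64_t t = mulmod(r, base, m);      /* always computed */
        uint64_t mask = 0 - ((exp >> i) & 1); /* all ones iff bit is set */
        r = (t & mask) | (r & ~mask);         /* branch-free select */
    }
    return r;
}

/* Run one of the two exponentiations and report how many multiplies ran. */
unsigned long count_mul_calls(uint64_t (*powm)(uint64_t, uint64_t, uint64_t),
                              uint64_t base, uint64_t exp, uint64_t m)
{
    mul_calls = 0;
    (void)powm(base, exp, m);
    return mul_calls;
}

int main(void)
{
    printf("3^7 mod 100 = %llu (leaky), %llu (hardened)\n",
           (unsigned long long)powm_leaky(3, 7, 100),
           (unsigned long long)powm_hardened(3, 7, 100));
    printf("multiply calls, leaky:    exp=7 -> %lu, exp=0 -> %lu\n",
           count_mul_calls(powm_leaky, 3, 7, 100),
           count_mul_calls(powm_leaky, 3, 0, 100));
    printf("multiply calls, hardened: exp=7 -> %lu, exp=0 -> %lu\n",
           count_mul_calls(powm_hardened, 3, 7, 100),
           count_mul_calls(powm_hardened, 3, 0, 100));
    return 0;
}
```

The counter is the point of the demonstration: for the leaky variant the number of multiplies equals 64 squarings plus the Hamming weight of the exponent, which is exactly the per-bit signal the paper recovers by watching whether the multiply code was fetched between two squarings; for the hardened variant it is always 128. Note that the hardened variant still computes with secret data, so a spy watching data rather than code access would need a separate mitigation.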
* configure.ac: Set LT version to C19/A8/R1.
* cipher/Makefile.am (o_flag_munging): Yet another fix.
--
(cherry picked from commit 03557687a09b9c8878c77cbfdd0f5049940c72da)
* cipher/rijndael.c (do_setkey): Remove dummy padlock key generation case
and use the standard one.
--
This is really a brown paper bag bug. I should have been able to
fix it by a bit of code staring or bisecting it myself. Instead
Rafaël Carré did this and with the donation of a VIA nano board from
Stefan Krüger. Thanks to both of you.
(regression since commit b825c5db17292988d261fefdc83cbc43d97d4b02)
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/idea.c (cipher): Rework parameter use to fix alignment
problems.
* cipher/idea.c (FNCCAST_SETKEY, FNCCAST_CRYPT): Remove unused macros.
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/md4.c (transform): Add const attribute.
* cipher/md5.c (transform): Ditto.
* cipher/rmd160.c (transform): Ditto.
--
This is the same as
http://bzr.savannah.gnu.org/lh/grub/trunk/grub/revision/3685
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/serpent.c (serpent_key_prepare): Fix misaligned access.
(serpent_setkey): Likewise.
(serpent_encrypt_internal): Likewise.
(serpent_decrypt_internal): Likewise.
(serpent_encrypt): Don't put an alignment-increasing cast.
(serpent_decrypt): Likewise.
(serpent_test): Likewise.
--
This is a port of the fix for the Libgcrypt code in GRUB:
http://bzr.savannah.gnu.org/lh/grub/trunk/grub/revision/3685
GRUB is FSF copyrighted and thus we can use this code without a DCO.
Note that the above fix was not correct and failed the selftests, thus
I fixed this fix.
GnuPG-bug-id: 1384
Signed-off-by: Werner Koch <wk@gnupg.org>
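
The IDEA and Serpent commits above fix the same class of defect: a byte pointer into a key or block buffer cast to a wider integer type and dereferenced, which is undefined behaviour in C and raises SIGBUS on strict-alignment targets such as sparc64 (GnuPG-bug-id 1384). The following is an added example, not libgcrypt code, showing the pattern next to its alignment-safe replacement on a toy block transform; the accessor names and the transform are the example's own, and it assumes a C11 compiler for _Alignas.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Alignment- and endianness-safe accessors: assemble the word from bytes
 * instead of dereferencing a (uint32_t *) that may not be 4-byte aligned.
 * Compilers turn this into a single load on targets that allow it. */
static inline uint32_t buf_get_le32(const void *p)
{
    const uint8_t *b = (const uint8_t *)p;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

static inline void buf_put_le32(void *p, uint32_t v)
{
    uint8_t *b = (uint8_t *)p;
    b[0] = (uint8_t)v;          b[1] = (uint8_t)(v >> 8);
    b[2] = (uint8_t)(v >> 16);  b[3] = (uint8_t)(v >> 24);
}

/* Returns 1 if p is aligned to `align` bytes (align must be a power of two). */
int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p & (align - 1)) == 0;
}

/* "Before": the pattern the fixes remove.  The casts are the
 * alignment-increasing casts named in the Serpent commit; the loads are
 * undefined on unaligned addresses and also host-endian.  Kept only for
 * comparison, never called on unaligned input in this file. */
void toy_block_xor_unsafe(uint8_t *out, const uint8_t *in, const uint32_t key[4])
{
    uint32_t *o = (uint32_t *)out;
    const uint32_t *w = (const uint32_t *)in;
    for (int i = 0; i < 4; i++)
        o[i] = w[i] ^ key[i];
}

/* "After": the same toy transform (a 16-byte block XORed with four key
 * words) written so that any in/out address is valid. */
void toy_block_xor(uint8_t *out, const uint8_t *in, const uint32_t key[4])
{
    for (int i = 0; i < 4; i++)
        buf_put_le32(out + 4 * i, buf_get_le32(in + 4 * i) ^ key[i]);
}

/* Constructed input: the little-endian encoding of 0x12345678 placed at an
 * odd offset, read back through the safe accessor. */
uint32_t demo_get_le32_at_offset(void)
{
    const uint8_t b[8] = { 0x00, 0x78, 0x56, 0x34, 0x12, 0x00, 0x00, 0x00 };
    return buf_get_le32(b + 1);
}

/* Constructed input: run the safe transform with both the input and the
 * output block deliberately misaligned; returns the first output byte, or
 * -1 if the buffer happened not to be misaligned (cannot happen with the
 * explicit alignment below). */
int demo_misaligned_first_byte(void)
{
    _Alignas(4) uint8_t raw[40];
    for (int i = 0; i < 40; i++)
        raw[i] = (uint8_t)i;
    uint8_t *in  = raw + 1;                          /* 1 mod 4 */
    uint8_t *out = raw + 21;                         /* 1 mod 4 */
    if (is_aligned(in, 4) || is_aligned(out, 4))
        return -1;
    const uint32_t key[4] = { 0xFFFFFFFFu, 0, 0, 0 };
    toy_block_xor(out, in, key);
    return out[0];                                   /* 0x01 ^ 0xFF = 0xFE */
}

int main(void)
{
    printf("le32 at offset 1: 0x%08x\n", demo_get_le32_at_offset());
    printf("first byte after misaligned xor: 0x%02x\n", demo_misaligned_first_byte());
    return 0;
}
```

Building with -fsanitize=alignment (GCC or Clang) and calling toy_block_xor_unsafe on the misaligned buffer reports the violation on x86 as well, where the hardware would otherwise mask it; the test-driver change for bug 1384 later on this page exercises ciphers at several buffer offsets for the same reason.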
* mpi/ec.c (_gcry_mpi_ec_mul_point): Handle case of SCALAR == 0.
--
This is backport from master leaving out the test case.
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/ec.c (_gcry_mpi_ec_add_points): Fix case of P1 given in affine
coordinates.
--
This was a plain copy and paste error, which was found due to explicit
use of affine coordinates by GNUnet's new pseudonyms code.
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/idea.c (do_setkey): Execute selftest when first called.
(decrypt_block): Remove commented-out code.
(selftest): Execute all selftests. Return NULL on success, or
string in case of error.
Adapt idea.c to the Libgcrypt framework.
Add IDEA to cipher_table and to the build system.
Patents on IDEA have expired:
Europe: EP0482154 on 2011-05-16,
Japan: JP3225440 on 2011-05-16,
U.S.: 5,214,703 on 2012-01-07.
* configure.ac: Add idea to the list of available ciphers.
Define USE_IDEA if idea is enabled.
* cipher/cipher.c (cipher_table): Add entry for IDEA.
* cipher/idea.c: Update comment about patents.
Include proper header files and remove redundant declarations.
(expand_key, cipher, do_setkey, encrypt_block, decrypt_block):
Define function arguments as const where appropriate.
(cipher): Test for !WORDS_BIGENDIAN instead of LITTLE_ENDIAN_HOST.
(do_setkey, decrypt_block): Don't call selftest.
(idea_setkey): New function, wrapper for do_setkey.
(idea_encrypt): New function, wrapper for encrypt_block.
(_gcry_cipher_spec_idea): Define.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add idea.c.
* src/cipher.h (_gcry_cipher_spec_idea): Declare.
* tests/basic.c (check_ciphers): Add GCRY_CIPHER_IDEA.
The code is the old IDEA test code, written by me back in 1997 and
distributed on a Danish FTP server. This commit is only for
reference. To use the code it has to be adjusted to the Libgcrypt
framework.
* configure.ac: Use AC_CONFIG_HEADERS.
--
GnuPG-bug-id: 1459
* autogen.sh <--build-w32>: Support the w64-mingw32 toolchain. Also
prepare for 64 bit building.
<git-setup>: Remove option -c from chmod.
* configure.ac: Set LT version to C19/A8/R0.
--
(This LT version change has been coordinated with master.)
* compile, config.guess, config.rpath, config.sub, depcomp,
* install-sh, mkinstalldirs: Update to Feb 25 versions from gnulib.
--
Some of them have not been updated here in over 8 years, time to fix
that.
* src/gcrypt.h.in (GCRYPT_VERSION_NUMBER): New.
* configure.ac (VERSION_NUMBER): New ac_subst.
* compat/compat.c (_gcry_compat_identification): Include revision and
timestamp.
* src/global.c (_gcry_vcontrol): Move call to above function ...
(gcry_check_version): .. here.
* scripts/git-log-fix: New file.
* scripts/git-log-footer: New file.
* doc/HACKING: Describe the ChangeLog policy
* ChangeLog: New file.
* Makefile.am (EXTRA_DIST): Add new files.
(gen-ChangeLog): New.
(dist-hook): Run gen-ChangeLog.
Rename all ChangeLog files to ChangeLog-2011.
* configure.ac: Add all the required m4 magic. Add some autoconf
portability fixes.
* configure.ac [freebsd]: Do not add /usr/local to CPPFLAGS and
LDFLAGS.
--
Back in ~2000 we introduced a quick hack to make building of Libgcrypt
on FreeBSD easier by always adding -I/usr/local/include and
-L/usr/local/lib . It turned out that this is a bad idea if one wants
to build with library version which is not installed in /usr/local.
* mpi/amd64/mpi-asm-defs.h: New.
--
Debian-bug-id: 698404
* src/sexp.c (gcry_sexp_nth): Return a proper list for ST_DATA.
--
Bug:
The function gcry_sexp_car seems buggy to me (tested on libgcrypt
version 1.4.6, 1.5.0, 1.6.0-git6078b05): it doesn't return any result
on S-expression starting with a data element. For example, applied to
the S-expression (hello "123"), it returns an empty S-expression (I
expect the S-expression (hello)).
* cipher/Makefile.am (o_flag_munging): Take -Ofast in account.
--
GnuPG-bug-id: 1468
* cipher/rijndael.c (_gcry_aes_cbc_enc, _gcry_aes_cbc_dec): Check if
AES-NI is enabled before calling aesni_prepare() and aesni_cleanup().
--
aesni_cleanup() contains SSE2 instructions that are interpreted as MMX on CPUs
without SSE2 support (Pentium-III, etc). In the above functions, aesni_cleanup()
was called outside use_aesni checks. This causes x87 register state to be
poisoned, causing crashes later on when the program tries to use floating point
registers.
Add missing '#ifdef USE_AESNI' and 'if (ctx->use_aesni)' for aesni_cleanup()
and, while at it, for aesni_prepare() too.
Reported-by: Mitsutoshi NAKANO <bkbin005@rinku.zaq.ne.jp>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
* cipher/rijndael.c (RIJNDAEL_context): Align on 16 bytes.
--
The trigger for this problem is the allocation of the context in the
selftest functions. The other code paths use a 16 byte alignment
anyway by means of the allocation of the context in cipher.c
Thanks to Gentoo hacker Joakim Tjernlund for figuring out the reason
of this problem.
GnuPG-bug-id: 1452
* configure.ac (git_revision): Use git rev-parse.
* autogen.sh: Remove option -c from chmod.
* mpi/mpi-inline.h [!G10_MPI_INLINE_DECL]: Take care of changed extern
inline semantics in gcc.
--
I am not sure how this will work out with non-gcc. However, we had no
problems in the past and thus this change is the least invasive for
non-gcc compilers.
GnuPG-bug-id: 1406, 1435
* cipher/ecc.c (check_secret_key): Restructure for easier allocation
tracking. Fix memory leak.
* cipher/kdf.c (gcry_kdf_derive): Allow empty passphrase for PBKDF2.
* tests/t-kdf.c (check_pbkdf2): Add test case for above.
--
While it is insecure, PBKDF2 implementations usually
allow deriving a key from the salt only.
This particular case is used e.g. in cryptsetup when
you use an empty file as the keyfile for a LUKS keyslot.
The test vector is compared with two independent implementations.
Signed-off-by: Milan Broz <mbroz@redhat.com>
* mpi/mpicoder.c (do_get_buffer): Check the length before derefing P.
--
Christian Grothoff found this bug using Valgrind.
* tests/basic.c (check_one_cipher): Factor most code out to
check_one_cipher_core. Call that core function several times using
different alignment settings.
(check_one_cipher_core): New. Add extra args to allow alignment
testing.
--
As reported in bug#1384 Serpent fails on a sparc64. One problem with
the test code is that due to the bus error the error message won't be
printed.
* doc/gcrypt.texi: Add documentation of the new command.
* src/fips.c (_gcry_enforced_fips_mode): Report the enforced fips mode
only when fips mode is enabled.
(_gcry_set_enforced_fips_mode): New function.
* src/g10lib.h: Add the _gcry_set_enforced_fips_mode prototype.
* src/gcrypt.h.in: Add the GCRYCTL_SET_ENFORCED_FIPS_FLAG.
* src/global.c (_gcry_vcontrol): Handle the new command.
Reported by Ivan Romanov.
On systems where the maximum number of fds may be dynamically
configured to a value of FD_MAXSIZE or higher, if the RNG is first
used after more than FD_SETSIZE-1 descriptors are in use, we disable
the progress messages from the RNG. A better solution would be to
use poll but that requires more tests.
The same problem exists in rndunix.c - however this rng is only used
on old Unices and I assume that they don't feature dynamically
configured maximum fd sizes.
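
The limit the commit above works around is a property of select(): an fd_set can only describe descriptors below FD_SETSIZE, and FD_SET on a larger descriptor writes past the end of the set, which on the stack silently corrupts neighbouring variables. The following is an added example, not libgcrypt code, showing the guard a select() caller needs and the poll() alternative the commit mentions, which has no such limit. It assumes a POSIX system with pipe(), select() and poll(); the helper names are the example's own.

```c
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>
#include <errno.h>
#include <poll.h>
#include <stdio.h>

/* Wait up to timeout_ms for fd to become readable using select().
 * Returns 1 if readable, 0 on timeout, -1 with errno set on error.
 * The range check is the essential part: FD_SET(fd, &rfds) with
 * fd >= FD_SETSIZE is undefined behaviour (out-of-bounds write). */
int wait_readable_select(int fd, int timeout_ms)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    struct timeval tv;
    tv.tv_sec  = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    int n = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (n < 0)
        return -1;
    return (n > 0 && FD_ISSET(fd, &rfds)) ? 1 : 0;
}

/* Same contract using poll(), which takes an array of descriptors and
 * therefore has no FD_SETSIZE ceiling. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p;
    p.fd = fd;
    p.events = POLLIN;
    p.revents = 0;
    int n = poll(&p, 1, timeout_ms);
    if (n < 0)
        return -1;
    return (n > 0 && (p.revents & (POLLIN | POLLHUP))) ? 1 : 0;
}

/* Demonstration on a constructed pipe: optionally write one byte, then ask
 * both helpers whether the read end is readable within 10 ms.
 * Returns select_result * 10 + poll_result, or -1 on setup failure. */
int demo_pipe_readiness(int write_first)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    if (write_first && write(fds[1], "x", 1) != 1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    int s = wait_readable_select(fds[0], 10);
    int p = wait_readable_poll(fds[0], 10);
    close(fds[0]);
    close(fds[1]);
    return s * 10 + p;
}

int main(void)
{
    printf("FD_SETSIZE = %d\n", (int)FD_SETSIZE);
    printf("pipe with data:    select/poll = %d\n", demo_pipe_readiness(1));
    printf("pipe without data: select/poll = %d\n", demo_pipe_readiness(0));
    printf("fd == FD_SETSIZE rejected: %d\n",
           wait_readable_select(FD_SETSIZE, 0));
    return 0;
}
```

A process that raises RLIMIT_NOFILE above FD_SETSIZE and opens that many files will obtain descriptors the select() helper refuses but the poll() helper handles; the commit chooses the first behaviour (skip the progress output) for its RNG because switching rndlinux.c to poll needed more testing.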
Contrary to the documentation those functions aborted if an invalid
algorithm was passed. The same happened for the corresponding
subcommands of gcry_cipher_algo_info.