* configure.ac: Set LT version to C19/A8/R4.

* src/mpi.h (_gcry_mpi_ec_curve_point): New internal function.
* cipher/ecc.c (ecc_decrypt_raw): Validate input. Remove duplicated
point_free.
* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
method for when SCALAR is secure.
(_gcry_mpi_ec_curve_point): New.
--
CVE-id: CVE-2015-7511
Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran
Tromer. http://www.cs.tau.ac.IL/~tromer/ecdh/
This could be an effective countermeasure to some chosen ciphertext
attacks.
(backport from master
commit 88e1358962e902ff1cbec8d53ba3eee46407851a)
(backport from LIBGCRYPT-1-6-BRANCH
commit 28eb424e4427b320ec1c9c4ce56af25d495230bd)
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
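Added example, not libgcrypt's code: the kind of input validation the ecc_decrypt_raw change describes (reject a received point that is not on the curve before multiplying it by the secret scalar), together with the plain left-to-right binary point multiplication the message names for secret scalars. The toy curve over GF(97), the function names and the ecdh_decrypt_raw wrapper are assumptions made for illustration.

```python
# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97); not a real curve.
P = 97
A, B = 2, 3
INF = None  # point at infinity (neutral element)

def on_curve(pt):
    """True only for an affine point (x, y) with 0 <= x, y < P on the curve.
    The neutral element is rejected on purpose: a decrypt must not accept it."""
    if pt is INF:
        return False
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition / doubling on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                       # P + (-P), also doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul_ltr(scalar, pt):
    """Left-to-right binary method: double for every bit, add when the bit is 1.
    Returns INF for scalar == 0."""
    acc = INF
    for bit in bin(scalar)[2:]:
        acc = add(acc, acc)
        if bit == '1':
            acc = add(acc, pt)
    return acc

def ecdh_decrypt_raw(secret, peer_point):
    """Hypothetical shared-secret step: validate the peer's point, then multiply."""
    if not on_curve(peer_point):
        raise ValueError("point not on curve")
    return mul_ltr(secret, peer_point)
```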

* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
--
CVE-id: CVE-2014-3591
As a countermeasure to new side-channel attacks on sliding-window
exponentiation we blind the ciphertext for Elgamal decryption. This
is similar to what we are doing with RSA. This patch is a backport of
the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b.
Unfortunately, the performance impact of Elgamal blinding is quite
noticeable (i5-2410M CPU @ 2.30GHz TP 220):
Algorithm         generate  100*priv  100*public
------------------------------------------------
ELG 1024 bit             -     100ms        90ms
ELG 2048 bit             -     330ms       350ms
ELG 3072 bit             -     660ms       790ms

Algorithm         generate  100*priv  100*public
------------------------------------------------
ELG 1024 bit             -     150ms        90ms
ELG 2048 bit             -     520ms       360ms
ELG 3072 bit             -    1100ms       800ms
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 410d70bad9a650e3837055e36f157894ae49a57d)
Resolved conflicts:
cipher/elgamal.c.
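Added example, not the libgcrypt patch itself: Elgamal decryption with the ciphertext blinding the message describes. The secret exponentiation is applied to a*r for a fresh random r and the blinding is undone afterwards, so an attacker who chooses the ciphertext no longer controls the operand that the side channel observes. The parameters (p = 467, g = 2, x = 127), the deterministic k passed to encrypt and the function names are constructed for illustration only.

```python
import secrets

P = 467           # constructed small prime, far too small for real use
G = 2             # generator
X = 127           # private key x
Y = pow(G, X, P)  # public key y = g^x mod p

def encrypt(m, k):
    """Textbook Elgamal: (a, b) = (g^k, m * y^k) mod p with ephemeral k."""
    return pow(G, k, P), (m * pow(Y, k, P)) % P

def decrypt_plain(a, b, x=X, p=P):
    """Unblinded decryption: raises the attacker-supplied a to the secret x."""
    return (b * pow(pow(a, x, p), -1, p)) % p

def decrypt_blinded(a, b, x=X, p=P, r=None):
    """Blinded decryption: (a*r)^x * (r^x)^-1 = a^x, so the result is the same,
    but the value raised to x is a*r, which the sender cannot predict."""
    if r is None:
        r = 1 + secrets.randbelow(p - 1)   # r in [1, p-1]; unpredictable is enough
    t2 = (a * r) % p                       # t2 = a * r mod p  (blinded ciphertext)
    t2 = pow(t2, x, p)                     # t2 = (a * r)^x mod p  <- secret exponent
    t1 = pow(r, x, p)                      # t1 = r^x mod p
    t1 = pow(t1, -1, p)                    # t1 = (r^x)^-1 mod p
    ax = (t2 * t1) % p                     # ax = a^x mod p, without raising a itself
    return (b * pow(ax, -1, p)) % p        # m = b / a^x mod p
```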

--
Note that the 1.6 branch and later versions were not vulnerable
because they already used the sliding window method.

* configure.ac: Set LT version to C19/A8/R3.

* mpi/mpi-pow.c (gcry_mpi_powm) [USE_ALGORITHM_SIMPLE_EXPONENTIATION]:
Fix for the case where BASE is negative.
* tests/mpitests.c (test_powm): Add a test case of (-17)^6 mod 19.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit c56080c26186d25dec05f01831494c77d8d07e13)
Resolved conflicts:
tests/mpitests.c - Use replacements for gcry_mpi_new and
gcry_mpi_is_neg.

* mpi/mpi-pow.c (gcry_mpi_powm): New implementation of left-to-right
k-ary exponentiation.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
For the Yarom/Falkner flush+reload cache side-channel attack, we
changed the code so that it always calls the multiplication routine
(even if we could skip it and still get the result). This results in
some performance regression.
This change is for recovering performance with an efficient algorithm.
(cherry picked from commit 45aa6131e93fac89d46733b3436d960f35fb99b2)

* mpi/mpi-pow.c: Replace 1 / msize.
* mpi/mpih-div.c: Replace 1 / dsize.
* src/misc.c: Add _gcry_divide_by_zero.
--
1) Division by zero doesn't "provoke a signal" on architectures
like PowerPC.
2) C compilers like clang will optimize away these divisions, even
though the code tries "to make the compiler not remove" them.
This patch redirects these cases to _gcry_divide_by_zero.
(cherry picked from commit 2c54c4da19d3a79e9f749740828026dd41f0521a)

* mpi/mpi-bit.c (_gcry_mpi_set_bit, _gcry_mpi_set_highbit): Clear
allocated but not used bits before resizing.
* tests/t-mpi-bits.c (set_bit_with_resize): New.
--
Reported-by: Martin Sewelies.
This bug has probably been with us for many years. Probably due to
different memory allocation patterns, it first revealed itself
with 1.6. It could be the reason for other heisenbugs.
Signed-off-by: Werner Koch <wk@gnupg.org>

* tests/bench-slope.c: New. This is a stripped down version taken
from master.
* tests/Makefile.am (noinst_PROGRAMS): Add bench-slope.

* src/Makefile.am (install-def-file): Create libdir first.
--
Reported-by: LRN <lrn1986@gmail.com>
(cherry picked from commit 4e46d8bc78008ba06f106b368cefb0dddf15fe38)

* mpi/mpi-internal.h (MPN_COPY_INCR): Make it work.
--
This bug has been with us since the version 0.0.0 of GnuPG.
Fortunately it only affects an optimized code path which is rarely
used in practice: If the shift size matches the size of a
limb (i.e. 32 or 64); this is is_prime in primegen.c. Over there the
Rabin-Miller test may fail with a probability of 2^-31 (that is if the
to be tested prime - 1 has the low 32 bits cleared). In practice the
probability is even much less because we first do a Fermat test on the
randomly generated candidates which sorts out the majority of
composite numbers.
The bug in MPN_COPY_INCR was found by Sven Bjorn.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit a7a9cdcaaf3979baa18dad51e722882581349f45)

* configure.ac: Set LT version to C19/A8/R2.

* mpi/mpi-pow.c (gcry_mpi_powm): Always perform the mpi_mul for
exponents in secure memory.
--
The attack is published as http://eprint.iacr.org/2013/448 :
Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
Flush+Reload is a cache side-channel attack that monitors access to
data in shared pages. In this paper we demonstrate how to use the
attack to extract private encryption keys from GnuPG. The high
resolution and low noise of the Flush+Reload attack enables a spy
program to recover over 98% of the bits of the private key in a
single decryption or signing round. Unlike previous attacks, the
attack targets the last level L3 cache. Consequently, the spy
program and the victim do not need to share the execution core of
the CPU. The attack is not limited to a traditional OS and can be
used in a virtualised environment, where it can attack programs
executing in a different VM.
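The three mpi-pow.c changes on this page (reduce a negative BASE first, process the exponent in left-to-right k-ary windows, and perform the multiplication for every window so the Flush+Reload spy sees the same square/multiply sequence for every exponent of a given length) as one added toy routine that is not libgcrypt's code. The textbook square-and-multiply is included only so the two operation traces can be compared; the function names, the trace list and the window width k=4 are assumptions.

```python
def powm_naive(base, exp, mod, trace):
    """Textbook square-and-multiply; the trace mirrors the exponent bits."""
    acc = 1 % mod
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        trace.append('S')
        if bit == '1':
            acc = acc * base % mod
            trace.append('M')
    return acc

def powm_kary(base, exp, mod, trace, k=4):
    """Left-to-right fixed-window (k-ary) exponentiation.
    The multiply is unconditional, so the trace depends only on bit length."""
    base %= mod                          # maps a negative base into [0, mod)
    if exp == 0:
        return 1 % mod                   # zero exponent: result is 1
    table = [1 % mod]                    # table[i] = base^i for i in 0 .. 2^k - 1
    for _ in range(2 ** k - 1):
        table.append(table[-1] * base % mod)
    nbits = exp.bit_length()
    nwin = -(-nbits // k)                # ceil(nbits / k) windows
    acc = 1 % mod
    for w in range(nwin - 1, -1, -1):
        for _ in range(k):               # k squarings per window
            acc = acc * acc % mod
            trace.append('S')
        digit = (exp >> (w * k)) & (2 ** k - 1)
        acc = acc * table[digit] % mod   # multiply even when digit == 0 (by table[0] = 1)
        trace.append('M')
    return acc
```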

* mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that
the result has been allocated.
--
This code triggered the problem:
  gcry_mpi_t modulus, generator, exponent, result;
  modulus = gcry_mpi_set_ui(NULL, 100);
  generator = gcry_mpi_set_ui(NULL, 3);
  exponent = gcry_mpi_set_ui(NULL, 0);
  result = gcry_mpi_new(0);   /* no limb space is allocated here */
  gcry_mpi_powm(result, generator, exponent, modulus);
gcry_mpi_new(0) does not allocate the limb space thus it is not
possible to write even into the first limb. Workaround was to use
gcry_mpi_new (1) but a real fix is better.
Reported-by: Ian Goldberg
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 6e1adb05d290aeeb1c230c763970695f4a538526)

* configure.ac: Set LT version to C19/A8/R1.

* cipher/Makefile.am (o_flag_munging): Yet another fix.
--
(cherry picked from commit 03557687a09b9c8878c77cbfdd0f5049940c72da)

* cipher/rijndael.c (do_setkey): Remove dummy padlock key generation case
and use the standard one.
--
This is really a brown paper bag bug. I should have been able to
fix it by a bit of code staring or bisecting it myself. Instead
Rafaël Carré did this and with the donation of a VIA nano board from
Stefan Krüger. Thanks to both of you.
(regression since commit b825c5db17292988d261fefdc83cbc43d97d4b02)
Signed-off-by: Werner Koch <wk@gnupg.org>

* cipher/idea.c (cipher): Rework parameter use to fix alignment
problems.
* cipher/idea.c (FNCCAST_SETKEY, FNCCAST_CRYPT): Remove unused macros.
Signed-off-by: Werner Koch <wk@gnupg.org>

* cipher/md4.c (transform): Add const attribute.
* cipher/md5.c (transform): Ditto.
* cipher/rmd160.c (transform): Ditto.
--
This is the same as
http://bzr.savannah.gnu.org/lh/grub/trunk/grub/revision/3685
Signed-off-by: Werner Koch <wk@gnupg.org>

* cipher/serpent.c (serpent_key_prepare): Fix misaligned access.
(serpent_setkey): Likewise.
(serpent_encrypt_internal): Likewise.
(serpent_decrypt_internal): Likewise.
(serpent_encrypt): Don't put an alignment-increasing cast.
(serpent_decrypt): Likewise.
(serpent_test): Likewise.
--
This is a port of the fix for the Libgcrypt code in GRUB:
http://bzr.savannah.gnu.org/lh/grub/trunk/grub/revision/3685
GRUB is FSF copyrighted and thus we can use this code without a DCO.
Note that the above fix was not correct and failed the selftests, thus
I fixed this fix.
GnuPG-bug-id: 1384
Signed-off-by: Werner Koch <wk@gnupg.org>

* mpi/ec.c (_gcry_mpi_ec_mul_point): Handle case of SCALAR == 0.
--
This is a backport from master leaving out the test case.
Signed-off-by: Werner Koch <wk@gnupg.org>

* mpi/ec.c (_gcry_mpi_ec_add_points): Fix case of P1 given in affine
coordinates.
--
This was a plain copy and paste error, which was found due to explicit
use of affine coordinates by GNUnet's new pseudonyms code.
Signed-off-by: Werner Koch <wk@gnupg.org>

* cipher/idea.c (do_setkey): Execute selftest when first called.
(decrypt_block): Remove commented-out code.
(selftest): Execute all selftests. Return NULL on success, or
string in case of error.

Adapt idea.c to the Libgcrypt framework.
Add IDEA to cipher_table and to the build system.
Patents on IDEA have expired:
Europe: EP0482154 on 2011-05-16,
Japan: JP3225440 on 2011-05-16,
U.S.: 5,214,703 on 2012-01-07.
* configure.ac: Add idea to the list of available ciphers.
Define USE_IDEA if idea is enabled.
* cipher/cipher.c (cipher_table): Add entry for IDEA.
* cipher/idea.c: Update comment about patents.
Include proper header files and remove redundant declarations.
(expand_key, cipher, do_setkey, encrypt_block, decrypt_block):
Define function arguments as const where appropriate.
(cipher): Test for !WORDS_BIGENDIAN instead of LITTLE_ENDIAN_HOST.
(do_setkey, decrypt_block): Don't call selftest.
(idea_setkey): New function, wrapper for do_setkey.
(idea_encrypt): New function, wrapper for encrypt_block.
(_gcry_cipher_spec_idea): Define.
* cipher/Makefile.am (EXTRA_libcipher_la_SOURCES): Add idea.c.
* src/cipher.h (_gcry_cipher_spec_idea): Declare.
* tests/basic.c (check_ciphers): Add GCRY_CIPHER_IDEA.

The code is the old IDEA test code, written by me back in 1997 and
distributed on a Danish FTP server. This commit is only for
reference. To use the code it has to be adjusted to the Libgcrypt
framework.

* configure.ac: Use AC_CONFIG_HEADERS.
--
GnuPG-bug-id: 1459

* autogen.sh <--build-w32>: Support the w64-mingw32 toolchain. Also
prepare for 64 bit building.
<git-setup>: Remove option -c from chmod.

* configure.ac: Set LT version to C19/A8/R0.
--
(This LT version change has been coordinated with master.)

* compile, config.guess, config.rpath, config.sub, depcomp,
* install-sh, mkinstalldirs: Update to Feb 25 versions from gnulib.
--
Some of them have not been updated here in over 8 years, time to fix
that.

* src/gcrypt.h.in (GCRYPT_VERSION_NUMBER): New.
* configure.ac (VERSION_NUMBER): New ac_subst.
* compat/compat.c (_gcry_compat_identification): Include revision and
timestamp.
* src/global.c (_gcry_vcontrol): Move call to above function ...
(gcry_check_version): .. here.

* scripts/git-log-fix: New file.
* scripts/git-log-footer: New file.
* doc/HACKING: Describe the ChangeLog policy
* ChangeLog: New file.
* Makefile.am (EXTRA_DIST): Add new files.
(gen-ChangeLog): New.
(dist-hook): Run gen-ChangeLog.
Rename all ChangeLog files to ChangeLog-2011.

* configure.ac: Add all the required m4 magic. Add some autoconf
portability fixes.

* configure.ac [freebsd]: Do not add /usr/local to CPPFLAGS and
LDFLAGS.
--
Back in ~2000 we introduced a quick hack to make building of Libgcrypt
on FreeBSD easier by always adding -I/usr/local/include and
-L/usr/local/lib. It turned out that this is a bad idea if one wants
to build with a library version which is not installed in /usr/local.

* mpi/amd64/mpi-asm-defs.h: New.
--
Debian-bug-id: 698404

* src/sexp.c (gcry_sexp_nth): Return a proper list for ST_DATA.
--
Bug:
The function gcry_sexp_car seems buggy to me (tested on libgcrypt
version 1.4.6, 1.5.0, 1.6.0-git6078b05): it doesn't return any result
on S-expression starting with a data element. For example, applied to
the S-expression (hello "123"), it returns an empty S-expression (I
expect the S-expression (hello)).

* cipher/Makefile.am (o_flag_munging): Take -Ofast in account.
--
GnuPG-bug-id: 1468