Werner Koch | 27 Feb 21:39 2015

Libgcrypt 1.6.3 released (with SCA fix)

Hello!

The GNU project is pleased to announce the availability of Libgcrypt
version 1.6.3.  This is a security fix release to mitigate two new side
channel attacks.

Libgcrypt is a general purpose library of cryptographic building blocks.
It does not provide any implementation of OpenPGP or other protocols.
Thorough understanding of applied cryptography is required for proper
use of Libgcrypt.

Noteworthy changes in version 1.6.3
===================================

 * Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
   See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.

 * Fixed data-dependent timing variations in modular exponentiation
   [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
   are Practical].

 * Improved asm support for older toolchains.

Download
========

Source code is hosted at the GnuPG FTP server and its mirrors as listed
at http://www.gnupg.org/download/mirrors.html .  On the primary server
the source tarball and its digital signature are:

(Continue reading)

NIIBE Yutaka | 27 Feb 09:29 2015

mpi_powm changes and t-sexp.c change of mine

Hello,

I pushed three changes to master.  Two are forward ports from the 1.6
branch, and the last one is one I found by running the test program
with valgrind.

commit 505decf5369970219ddc9e78a20f97c623957b78
Author: NIIBE Yutaka <gniibe <at> fsij.org>
Date:   Fri Feb 27 17:24:49 2015 +0900

    tests: fix t-sexp.c.

    * tests/t-sexp.c (bug_1594): Free N and PUBKEY.

commit 6636c4fd0c6ceab9f79827bf96967d1e112c0b82
Author: NIIBE Yutaka <gniibe <at> fsij.org>
Date:   Thu Feb 26 21:07:01 2015 +0900

    mpi: Avoid data-dependent timing variations in mpi_powm.

    * mpi/mpi-pow.c (mpi_powm): Access all data in the table by
    mpi_set_cond.

    --

    Access to the precomputed table was indexed by a portion of EXPO,
    which could be mounted by a side channel attack.  This change fixes
    this particular data-dependent access pattern.

    Cherry-picked from commit  5e72b6c76ebee720f69b8a5c212f52d38eb50287
(Continue reading)

by NIIBE Yutaka | 27 Feb 09:26 2015

[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-171-g505decf

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  505decf5369970219ddc9e78a20f97c623957b78 (commit)
      from  6636c4fd0c6ceab9f79827bf96967d1e112c0b82 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 505decf5369970219ddc9e78a20f97c623957b78
Author: NIIBE Yutaka <gniibe <at> fsij.org>
Date:   Fri Feb 27 17:24:49 2015 +0900

    tests: fix t-sexp.c.

    * tests/t-sexp.c (bug_1594): Free N and PUBKEY.

diff --git a/tests/t-sexp.c b/tests/t-sexp.c
index 1051723..4785b17 100644
--- a/tests/t-sexp.c
+++ b/tests/t-sexp.c
 <at>  <at>  -1045,6 +1045,8  <at>  <at>  static char thing[] =
   if (gcry_sexp_nth (n_val, 1))
     fail ("extracting 1-th of car of 'n' list did not fail");
   gcry_sexp_release (n_val);
+  gcry_sexp_release (n);
(Continue reading)

by NIIBE Yutaka | 27 Feb 06:18 2015

[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-170-g6636c4f

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  6636c4fd0c6ceab9f79827bf96967d1e112c0b82 (commit)
       via  1fa8cdb933505960d4e4b4842b122d4e06953e88 (commit)
      from  410d70bad9a650e3837055e36f157894ae49a57d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6636c4fd0c6ceab9f79827bf96967d1e112c0b82
Author: NIIBE Yutaka <gniibe <at> fsij.org>
Date:   Thu Feb 26 21:07:01 2015 +0900

    mpi: Avoid data-dependent timing variations in mpi_powm.

    * mpi/mpi-pow.c (mpi_powm): Access all data in the table by
    mpi_set_cond.

    --

    Access to the precomputed table was indexed by a portion of EXPO,
    which could be mounted by a side channel attack.  This change fixes
    this particular data-dependent access pattern.

    Cherry-picked from commit  5e72b6c76ebee720f69b8a5c212f52d38eb50287
(Continue reading)

Jussi Kivilinna | 23 Feb 20:21 2015

[PATCH] Fix in-place encryption for OCB mode

* cipher/cipher-ocb.c (ocb_checksum): New.
(ocb_crypt): Move checksum calculation outside main crypt loop, do
checksum calculation for encryption before inbuf is overwritten.
* tests/basic.c (check_ocb_cipher): Rename to ...
(do_check_ocb_cipher): ... to this and add argument for testing
in-place encryption/decryption.
(check_ocb_cipher): New.
--

Signed-off-by: Jussi Kivilinna <jussi.kivilinna <at> iki.fi>
---
 cipher/cipher-ocb.c |   31 ++++++++++++++++++++++++++++---
 tests/basic.c       |   41 ++++++++++++++++++++++++++++++++++++++---
 2 files changed, 66 insertions(+), 6 deletions(-)

diff --git a/cipher/cipher-ocb.c b/cipher/cipher-ocb.c
index 25466f0..652683c 100644
--- a/cipher/cipher-ocb.c
+++ b/cipher/cipher-ocb.c
 <at>  <at>  -299,6 +299,21  <at>  <at>  _gcry_cipher_ocb_authenticate (gcry_cipher_hd_t c, const unsigned char *abuf,
 }

 
+/* Checksumming for encrypt and decrypt.  */
+static void ocb_checksum(unsigned char *chksum, const unsigned char *plainbuf,
+                         size_t nblks)
+{
+  while (nblks > 0)
+    {
+      /* Checksum_i = Checksum_{i-1} xor P_i  */
(Continue reading)

by Werner Koch | 23 Feb 11:42 2015

[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-168-g410d70b

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  410d70bad9a650e3837055e36f157894ae49a57d (commit)
      from  653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 410d70bad9a650e3837055e36f157894ae49a57d
Author: Werner Koch <wk <at> gnupg.org>
Date:   Mon Feb 23 11:39:58 2015 +0100

    cipher: Use ciphertext blinding for Elgamal decryption.

    * cipher/elgamal.c (USE_BLINDING): New.
    (decrypt): Rewrite to use ciphertext blinding.
    --

    CVE-id: CVE-2014-3591

    As a countermeasure to new side-channel attacks on sliding window
    exponentiation we blind the ciphertext for Elgamal decryption.  This
    is similar to what we are doing with RSA.  This patch is a backport of
    the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b.

(Continue reading)

by NIIBE Yutaka | 12 Feb 11:57 2015

[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-167-g653a9fa

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288 (commit)
      from  40a7bdf50e19faaf106470897fed72af623adc50 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 653a9fa1a3a4c35a4dc1841cb57d7e2a318f3288
Author: NIIBE Yutaka <gniibe <at> fsij.org>
Date:   Wed Feb 11 21:42:22 2015 +0900

    mpi: Add mpi_set_cond.

    * mpi/mpiutil.c (_gcry_mpi_set_cond): New.
    (_gcry_mpi_swap_cond): Fix types.
    * src/mpi.h (mpi_set_cond): New.

diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c
index f74dd91..fbbd3b4 100644
--- a/mpi/mpiutil.c
+++ b/mpi/mpiutil.c
 <at>  <at>  -482,6 +482,31  <at>  <at>  _gcry_mpi_set (gcry_mpi_t w, gcry_mpi_t u)
   return w;
 }
(Continue reading)

NIIBE Yutaka | 11 Feb 13:47 2015

[PATCH] Add mpi_set_cond.

Hello,

For Curve25519, I added the internal function mpi_swap_cond last year.
I think that we should also have mpi_set_cond.

Adding mpi_set_cond, I revised the implementation of
_gcry_mpi_swap_cond.

OK to commit?  I think that it's worth having those functions in 1.6.

    mpi: Add mpi_set_cond.

    * mpi/mpiutil.c (_gcry_mpi_set_cond): New.
    (_gcry_mpi_swap_cond): Fix types.
    * src/mpi.h (mpi_set_cond): New.

diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c
index f74dd91..e2e4db9 100644
--- a/mpi/mpiutil.c
+++ b/mpi/mpiutil.c
 <at>  <at>  -482,6 +482,31  <at>  <at>  _gcry_mpi_set (gcry_mpi_t w, gcry_mpi_t u)
   return w;
 }

+gcry_mpi_t
+_gcry_mpi_set_cond (gcry_mpi_t w, const gcry_mpi_t u, unsigned long set)
+{
+  mpi_size_t i;
+  mpi_size_t nlimbs = u->alloced;
+  mpi_limb_t mask = 0UL - !!set;
(Continue reading)

by Werner Koch | 30 Jan 17:27 2015

[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-166-g40a7bdf

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  40a7bdf50e19faaf106470897fed72af623adc50 (commit)
      from  2564d204e408b296425ac0660c6bdc6270575fb6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 40a7bdf50e19faaf106470897fed72af623adc50
Author: Werner Koch <wk <at> gnupg.org>
Date:   Fri Jan 30 16:58:02 2015 +0100

    w32: Use -static-libgcc to avoid linking to libgcc_s_sjlj-1.dll.

    * src/Makefile.am (extra_ltoptions): New.
    (libgcrypt_la_LDFLAGS): Use it.
    --

    Since gcc 4.8 there is a regression in that plain C programs may link
    to libgcc_s.a which has a dependency on libgcc_s_sjlj.dll.  This is
    for example triggered by using long long arithmetic on a 32 bit
    Windows (e.g symbol __udivdi3).

    As usual the gcc maintainers don't care about backward compatibility
    and declare that as some kind of compatibility fix and not as
(Continue reading)

by Werner Koch | 28 Jan 15:14 2015

[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-165-g2564d20

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  2564d204e408b296425ac0660c6bdc6270575fb6 (commit)
      from  ceaa97f0d849c07f3a15b642fc3a2b0a477b4a47 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2564d204e408b296425ac0660c6bdc6270575fb6
Author: Werner Koch <wk <at> gnupg.org>
Date:   Wed Jan 28 15:13:50 2015 +0100

    Fix building of GOST s-boxes when cross-compiling.

    * cipher/Makefile.am (gost-s-box): Use CC_FOR_BUILD.
    (noinst_PROGRAMS): Remove.
    (EXTRA_DIST): New.
    (CLEANFILES): New.

    Signed-off-by: Werner Koch <wk <at> gnupg.org>

diff --git a/cipher/Makefile.am b/cipher/Makefile.am
index 4a9c86d..33a68ff 100644
--- a/cipher/Makefile.am
+++ b/cipher/Makefile.am
(Continue reading)

by Jussi Kivilinna | 20 Jan 21:17 2015

[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-164-gceaa97f

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  ceaa97f0d849c07f3a15b642fc3a2b0a477b4a47 (commit)
      from  067d7d8752d4d8a98f8e0e5e9b1a5b13e1b7ff9c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ceaa97f0d849c07f3a15b642fc3a2b0a477b4a47
Author: Jussi Kivilinna <jussi.kivilinna <at> iki.fi>
Date:   Tue Jan 20 18:54:13 2015 +0200

    rijndael: fix wrong ifdef for SSSE3 setkey

    * cipher/rijndael.c (do_setkey): Use USE_SSSE3 instead of USE_AESNI
    around SSSE3 setkey selection.
    --

    Reported-by: Richard H Lee <ricardohenrylee <at> gmail.com>
    Signed-off-by: Jussi Kivilinna <jussi.kivilinna <at> iki.fi>

diff --git a/cipher/rijndael.c b/cipher/rijndael.c
index 51c36c7..a481e6f 100644
--- a/cipher/rijndael.c
+++ b/cipher/rijndael.c
(Continue reading)
