From ef71f175674e69f14774920a6951105802b9953ad30fc7ebac12bb4ff039140d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Sat, 3 Jun 2017 18:51:04 +0000
Subject: [PATCH 1/2] Accepting request 500599 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Added libgcrypt-secure-EdDSA-session-key.patch [bsc#1042326] * Store the session key in secure memory to ensure that constant time point operations are used in the MPI library.

OBS-URL: https://build.opensuse.org/request/show/500599
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=92
---
 libgcrypt-secure-EdDSA-session-key.patch | 34 ++++++++++++++++++++++++
 libgcrypt.changes | 7 +++++
 libgcrypt.spec | 3 +++
 3 files changed, 44 insertions(+)
 create mode 100644 libgcrypt-secure-EdDSA-session-key.patch

diff --git a/libgcrypt-secure-EdDSA-session-key.patch b/libgcrypt-secure-EdDSA-session-key.patch
new file mode 100644
index 0000000..6bc892a
--- /dev/null
+++ b/libgcrypt-secure-EdDSA-session-key.patch
@@ -0,0 +1,34 @@
+From 5a22de904a0a366ae79f03ff1e13a1232a89e26b Mon Sep 17 00:00:00 2001
+From: Jo Van Bulck
+Date: Thu, 19 Jan 2017 17:00:15 +0100
+Subject: [PATCH] ecc: Store EdDSA session key in secure memory.
+
+* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate
+session key.
+--
+
+An attacker who learns the EdDSA session key from side-channel
+observation during the signing process, can easily revover the long-
+term secret key. Storing the session key in secure memory ensures that
+constant time point operations are used in the MPI library.
+
+Signed-off-by: Jo Van Bulck
+---
+ cipher/ecc-eddsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c
+index f91f848..813e030 100644
+--- a/cipher/ecc-eddsa.c
++++ b/cipher/ecc-eddsa.c
+@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ a = mpi_snew (0);
+ x = mpi_new (0);
+ y = mpi_new (0);
+- r = mpi_new (0);
++ r = mpi_snew (0);
+ ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0,
+ skey->E.p, skey->E.a, skey->E.b);
+ b = (ctx->nbits+7)/8;
+--
+2.8.0.rc3
diff --git a/libgcrypt.changes b/libgcrypt.changes
index eb0db6f..a733d2c 100644
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jun 2 10:05:18 UTC 2017 - pmonrealgonzalez@suse.com
+
+- Added libgcrypt-secure-EdDSA-session-key.patch [bsc#1042326]
+ * Store the session key in secure memory to ensure that constant
+ time point operations are used in the MPI library.
+
 -------------------------------------------------------------------
 Fri Jan 20 09:41:15 UTC 2017 - rmaliska@suse.com
diff --git a/libgcrypt.spec b/libgcrypt.spec
index 677176a..e717e63 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
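Review bot: Nothing at the `r = mpi_snew (0);` line records why a secure allocation is the security fix; the patch header says the MPI layer only uses constant-time point operations when the scalar lives in secure memory, but that dispatch is outside this hunk, so at the call site the change reads like a memory-hygiene tweak that a later cleanup could silently undo. Because this file is a verbatim upstream commit (5a22de9) I would not touch its hunk, but the packaging side should carry the invariant, e.g. next to the spec tag: `# EC scalar mult is constant-time only for secure-flagged scalars; the EdDSA nonce r must stay mpi_snew (bsc#1042326)`. Only `r` is covered here: the hash output r is derived from and the arithmetic producing the public `S = r + H(R,A,M)*a` are not visible, so whether those copies also sit in secure memory should be confirmed against the full `_gcry_ecc_eddsa_sign`, which starts and ends outside the hunk. The header's threat statement is sound — a leaked nonce plus the public S yields the long-term key directly — and this appears to be the issue later assigned CVE-2017-9526, though the page itself only cites bsc#1042326.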
@@ -56,6 +56,8 @@ Patch30: drbg_test.patch
 #PATCH-FIX-SUSE run FIPS self-test from constructor
 Patch32: libgcrypt-fips_run_selftest_at_constructor.patch
 Patch34: libgcrypt-1.6.3-aliasing.patch
+#PATCH-FIX-UPSTREAM -- pmonrealgonzalez@suse.com bsc#1042326 timing attack on EdDSA session key
+Patch35: libgcrypt-secure-EdDSA-session-key.patch
 BuildRequires: automake >= 1.14
 BuildRequires: fipscheck
 BuildRequires: libgpg-error-devel >= 1.13
@@ -153,6 +155,7 @@ understanding of applied cryptography is required to use Libgcrypt.
 %endif
 %patch13 -p1
 %patch14 -p1
+%patch35 -p1
 %build
 echo building with build_hmac256 set to %{build_hmac256}

From c785cdbe1689b6011964700ca8046071a23d02d9f2185648243604db390550f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Mon, 5 Jun 2017 07:34:40 +0000
Subject: [PATCH 2/2] Accepting request 501007 from home:AndreasStieger:branches:devel:libraries:c_c++

libgcrypt 1.7.7

OBS-URL: https://build.opensuse.org/request/show/501007
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=93
---
 libgcrypt-1.7.6.tar.bz2 | 3 --
 libgcrypt-1.7.6.tar.bz2.sig | Bin 310 -> 0 bytes
 libgcrypt-1.7.7.tar.bz2 | 3 ++
 libgcrypt-1.7.7.tar.bz2.sig | Bin 0 -> 310 bytes
 libgcrypt-secure-EdDSA-session-key.patch | 34 -----------------------
 libgcrypt.changes | 9 ++++++
 libgcrypt.spec | 5 +---
 7 files changed, 13 insertions(+), 41 deletions(-)
 delete mode 100644 libgcrypt-1.7.6.tar.bz2
 delete mode 100644 libgcrypt-1.7.6.tar.bz2.sig
 create mode 100644 libgcrypt-1.7.7.tar.bz2
 create mode 100644 libgcrypt-1.7.7.tar.bz2.sig
 delete mode 100644 libgcrypt-secure-EdDSA-session-key.patch

diff --git a/libgcrypt-1.7.6.tar.bz2 b/libgcrypt-1.7.6.tar.bz2
deleted file mode 100644
index 0859c6a..0000000
--- a/libgcrypt-1.7.6.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:626aafee84af9d2ce253d2c143dc1c0902dda045780cc241f39970fc60be05bc
-size 2897695
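Review bot: The `#PATCH-FIX-UPSTREAM` tag added above `Patch35:` names neither the patch file nor the upstream commit it carries, which is exactly what the later "drop it once upstream ships the fix" decision has to be checked against; the patch itself embeds upstream id 5a22de9, so I would write `#PATCH-FIX-UPSTREAM libgcrypt-secure-EdDSA-session-key.patch bsc#1042326 -- upstream 5a22de9: keep EdDSA nonce in secure memory so EC point mult takes its constant-time path`. In the second hunk `%patch35 -p1` lands after `%patch14 -p1`, which itself follows an `%endif`; whether an enclosing conditional could still skip it for some build flavor is not visible here, so it is worth confirming the patch is applied unconditionally, since a side-channel fix silently missing from one variant is hard to notice. The `%prep` section continues outside the hunk.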
diff --git a/libgcrypt-1.7.6.tar.bz2.sig b/libgcrypt-1.7.6.tar.bz2.sig deleted file mode 100644 index cf8de2f3d6f5d40f25179bb27f7967f13aa79b7d076af82a1b0542909edab02a..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j-KX(1!T23_i24?49Zn>o@?CF8aQ0$6`_YXAxf5G0#9 z(oZGhw!(%80D~9@yQh`pZ&6YI+`^*u53d}wFCV-%E6P()?N;}|d;rU=0Tg;L8;J$N z(N#@ppf@-;cNf2p&IDT!2k@V3LeqrYJV1@^Nz-NdPaZ(%$j(cdeJDN6!BoF%Vhmx? zh!7)`c{+)k2g!c_Jh+U)c@s0^i*9wJAU#!&>_3@3xDl2a5puI5`cpUdrScr^59&<$wH2Z@}|bY=H>e?8m*qtvvw@K2kS z--=>>o8fo_l?krA$mJH9Mco6{ZBys|AjAUJb+&zaG8lZGB}hy8WCAr-57=_a!4-Hp I*yjnKL7v# diff --git a/libgcrypt-1.7.7.tar.bz2 b/libgcrypt-1.7.7.tar.bz2 new file mode 100644 index 0000000..2da4818 --- /dev/null +++ b/libgcrypt-1.7.7.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b9b85eba0793ea3e6e66b896eb031fa05e1a4517277cc9ab10816b359254cd9a +size 2861190 diff --git a/libgcrypt-1.7.7.tar.bz2.sig b/libgcrypt-1.7.7.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..3000b23f6a464a37ff1ff91c8444fadf30804b564eaa149f628049392736390c GIT binary patch literal 310 zcmV-60m=S}0W$;u0SEvc79j-KX(1!T23_i24?49Zn>o@?CF8aQ0$DK-$p8uo5G0#9 z(oZGhwjRz0|5x>#tV-&}^ME16Ci$S8b^pFUZ#|I-zKpY}WU{21VFeNS!j(y`%hkA% zMGU3V>DAvUq8~`4Qf6LaTZGVa({>qeSjlTnWxCVig1$J^YoZq3Ub4B< z*C=ma=j8LmO{{Ak=IZN(Y*1Z_S-}7F6+OVnm6SuVh_gDLUW$8Fj`IKfke5EmJ~h-S z94`k(Gmg@?{fw5{Kl=O)u5~V=Pa3&3bP%?;46>^y7HVhgC!P0+wr2uHd#Du)lOdfM I$xqca)R=OZWdHyG literal 0 HcmV?d00001 diff --git a/libgcrypt-secure-EdDSA-session-key.patch b/libgcrypt-secure-EdDSA-session-key.patch deleted file mode 100644 index 6bc892a..0000000 --- a/libgcrypt-secure-EdDSA-session-key.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 5a22de904a0a366ae79f03ff1e13a1232a89e26b Mon Sep 17 00:00:00 2001
-From: Jo Van Bulck
-Date: Thu, 19 Jan 2017 17:00:15 +0100
-Subject: [PATCH] ecc: Store EdDSA session key in secure memory.
-
-* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate
-session key.
---
-
-An attacker who learns the EdDSA session key from side-channel
-observation during the signing process, can easily revover the long-
-term secret key. Storing the session key in secure memory ensures that
-constant time point operations are used in the MPI library.
-
-Signed-off-by: Jo Van Bulck
----
- cipher/ecc-eddsa.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c
-index f91f848..813e030 100644
---- a/cipher/ecc-eddsa.c
-+++ b/cipher/ecc-eddsa.c
-@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
- a = mpi_snew (0);
- x = mpi_new (0);
- y = mpi_new (0);
-- r = mpi_new (0);
-+ r = mpi_snew (0);
- ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0,
- skey->E.p, skey->E.a, skey->E.b);
- b = (ctx->nbits+7)/8;
---
-2.8.0.rc3
diff --git a/libgcrypt.changes b/libgcrypt.changes
index a733d2c..427def0 100644
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sun Jun 4 19:26:12 UTC 2017 - astieger@suse.com
+
+- libgcrypt 1.7.7:
+ * Fix possible timing attack on EdDSA session key (previously
+ patched, drop libgcrypt-secure-EdDSA-session-key.patch)
+ * Fix long standing bug in secure memory implementation which
+ could lead to a segv on free
+
 -------------------------------------------------------------------
 Fri Jun 2 10:05:18 UTC 2017 - pmonrealgonzalez@suse.com
diff --git a/libgcrypt.spec b/libgcrypt.spec
index e717e63..ab7a059 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -21,7 +21,7 @@
 %define libsoname %{name}20
 %define cavs_dir %{_libexecdir}/%{name}/cavs
 Name: libgcrypt
-Version: 1.7.6
+Version: 1.7.7
 Release: 0
 Summary: The GNU Crypto Library
 License: GPL-2.0+ and LGPL-2.1+ and GPL-3.0+
@@ -56,8 +56,6 @@ Patch30: drbg_test.patch
 #PATCH-FIX-SUSE run FIPS self-test from constructor
 Patch32: libgcrypt-fips_run_selftest_at_constructor.patch
 Patch34: libgcrypt-1.6.3-aliasing.patch
-#PATCH-FIX-UPSTREAM -- pmonrealgonzalez@suse.com bsc#1042326 timing attack on EdDSA session key
-Patch35: libgcrypt-secure-EdDSA-session-key.patch
 BuildRequires: automake >= 1.14
 BuildRequires: fipscheck
 BuildRequires: libgpg-error-devel >= 1.13
@@ -155,7 +153,6 @@ understanding of applied cryptography is required to use Libgcrypt.
 %endif
 %patch13 -p1
 %patch14 -p1
-%patch35 -p1
 %build
 echo building with build_hmac256 set to %{build_hmac256}