ecc: Add input validation for X25519.

* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
(_gcry_mpi_ec_bad_point): New.

--

Following is the paper describing the attack:

    May the Fourth Be With You: A Microarchitectural Side Channel Attack
    on Real-World Applications of Curve25519
    by Daniel Genkin, Luke Valenta, and Yuval Yarom

In the current implementation, we do output checking and it results in an error for those bad points. However, when attacked, the computation will be done with a leak of the private key, even though it will result in errors. To mitigate the leak, we added input validation.

Note that we only list bad points with MSB=0. By X25519, MSB is always cleared.

In future, we should implement constant-time field computation. Then, this input validation could be removed, if performance is important and we are sure there is no leak.

CVE-id: CVE-2017-0379
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
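The check the commit describes, as an added Python example that is not libgcrypt's code: it derives the low-order u-coordinates of Curve25519 from the curve equation instead of copying libgcrypt's table, builds the set of 32-byte encodings that X25519 can actually receive once the MSB is cleared (the commit's "bad points with MSB=0"), and rejects them before any scalar multiplication with the private key takes place. All function names (`validate_x25519_input`, `x25519_bad_encodings`, `is_low_order`, ...) are this example's own; the cofactor-doubling check is an independent cross-check added here, not something the libgcrypt patch does.

```python
"""Low-order (small-subgroup) input validation for X25519 (added example)."""

P = 2**255 - 19          # field prime of Curve25519
A = 486662               # Montgomery coefficient: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4       # 121665, the constant used by the RFC 7748 ladder


def sqrt_mod_p(n):
    """Square root of n modulo p, or None if n is a non-residue (p = 5 mod 8)."""
    n %= P
    if n == 0:
        return 0
    r = pow(n, (P + 3) // 8, P)
    if (r * r - n) % P:
        r = r * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1)
    return r if (r * r - n) % P == 0 else None


def solve_quadratic(b, c):
    """All x in F_p with x^2 + b*x + c = 0 (empty set if none)."""
    s = sqrt_mod_p(b * b - 4 * c)
    if s is None:
        return set()
    inv2 = (P + 1) // 2
    return {((-b + s) * inv2) % P, ((-b - s) * inv2) % P}


def order8_u_coordinates():
    """u-coordinates of the points of exact order 8 on the curve or its twist.

    Q has order 8 iff 2Q has order 4, i.e. u(2Q) = s with s = +1 or -1.
    u(2Q) = (u^2-1)^2 / (4u(u^2+Au+1)) turns that into a palindromic quartic,
    and t = u + 1/u reduces it to t^2 - 4*s*t - (4 + 4*s*A) = 0.
    """
    roots = set()
    for s in (1, P - 1):
        for t in solve_quadratic((-4 * s) % P, (-(4 + 4 * s * A)) % P):
            roots |= solve_quadratic((-t) % P, 1)   # u^2 - t*u + 1 = 0
    return roots


def x_double(X, Z):
    """One projective x-only doubling (RFC 7748 formulas); Z == 0 is the identity."""
    AA = (X + Z) * (X + Z) % P
    BB = (X - Z) * (X - Z) % P
    E = (AA - BB) % P
    return AA * BB % P, E * (AA + A24 * E) % P


def is_low_order(u):
    """True if [8]Q is the identity for the point Q with u-coordinate u."""
    X, Z = u % P, 1
    for _ in range(3):
        X, Z = x_double(X, Z)
    return Z == 0


def x25519_bad_encodings():
    """Integer values of the u-encodings that must be rejected.

    X25519 clears bit 255 of the input, so only values below 2^255 arrive:
    the canonical low-order u's plus the lifts u + p that still fit
    (only u = 0 and u = 1 do, because 2^255 - p = 19).
    """
    canonical = {0, 1, P - 1} | order8_u_coordinates()
    return {v for u in canonical for v in (u, u + P) if v < 2**255}


def decode_u(u_bytes):
    """RFC 7748 decodeUCoordinate: little-endian, most significant bit ignored."""
    if len(u_bytes) != 32:
        raise ValueError("X25519 u-coordinate must be 32 bytes")
    return int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)


BAD_ENCODINGS = x25519_bad_encodings()   # the table to consult before using the key


def validate_x25519_input(u_bytes):
    """True if the peer's public value may be used, False if it is a bad point.

    The table lookup mirrors the approach of the fix; the cofactor check is
    an independent way to get the same verdict and is used as a cross-check.
    """
    u = decode_u(u_bytes)
    by_table = u not in BAD_ENCODINGS
    by_cofactor = not is_low_order(u)
    assert by_table == by_cofactor, "bad-point table and cofactor check disagree"
    return by_table


if __name__ == "__main__":
    for v in sorted(BAD_ENCODINGS):
        print("reject %064x" % v)
    print("base point accepted:", validate_x25519_input((9).to_bytes(32, "little")))
```

The table comes out to seven entries (0, 1, the two order-8 u-coordinates, p-1, p and p+1), which is the whole set of values a caller can present once the MSB is cleared; encodings such as 2p-1 never reach the check. Rejecting them up front, rather than relying on the all-zero output check, is exactly the point of the commit: the ladder never runs the private scalar against a point that would make its operations key-dependent.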
commit 45abd63abc6644b6e177c057b5b42d894dbf8e29 (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Mon Aug 28 12:24:42 2017 +0200

    dev-libs/libgcrypt: New upstream version 1.8.1

    Package-Manager: Portage-2.3.6, Repoman-2.3.1
The paper is available at https://eprint.iacr.org/2017/806
alpha stable
ppc stable
ppc64 stable
ia64 stable
amd64/x86 stable
arm stable
hppa/sparc stable (thanks to Dakon)

Last arches are done.
@maintainer(s), please cleanup the vulnerable versions.
(In reply to Aaron Bauman from comment #10)
> @maintainer(s), please cleanup the vulnerable versions.

GLSA Vote: No
commit 1b01a3c4660b9ca76210427160fa1f1472d77f3f (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Sat Sep 9 02:39:35 2017 +0200

    dev-libs/libgcrypt: cleanup old

    Package-Manager: Portage-2.3.6, Repoman-2.3.1