Bug 629160 (CVE-2017-0379) - <dev-libs/libgcrypt-1.8.1: Side channel attack on Curve25519
Summary: <dev-libs/libgcrypt-1.8.1: Side channel attack on Curve25519
Alias: CVE-2017-0379
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A4 [noglsa cve]
Depends on:
Blocks: CVE-2017-7526
Reported: 2017-08-28 10:15 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-09-10 22:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-28 10:15:49 UTC
ecc: Add input validation for X25519.

* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
(_gcry_mpi_ec_bad_point): New.


Following is the paper describing the attack:

    May the Fourth Be With You: A Microarchitectural Side Channel Attack
    on Real-World Applications of Curve25519
    by Daniel Genkin, Luke Valenta, and Yuval Yarom

In the current implementation, we do output checking and it results in an
error for those bad points.  However, when attacked, the computation
will be done with a leak of the private key, even though it will result in
errors.  To mitigate the leak, we added input validation.

Note that we only list bad points with MSB=0.  In X25519, the MSB is
always cleared.

In the future, we should implement constant-time field computation.  Then
this input validation could be removed, if performance is important
and we are sure there is no leak.

CVE-id: CVE-2017-0379
Signed-off-by: NIIBE Yutaka <>
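The mitigation the commit message describes, as an added example that is not libgcrypt's code: X25519 per RFC 7748 in Python, with the bad-point check run on the public input before the private scalar is used. Instead of libgcrypt's fixed list of bad points it tests whether 8*P is the identity, which catches the same small-order points (and the MSB=0 canonicalisation is the RFC's top-bit clearing); the function names and the constructed keys in the test are the example's own.

```python
# Added example, not libgcrypt's code: X25519 (RFC 7748) with the small-order
# input check performed before the private scalar is used. Field arithmetic is
# plain Python and not constant time; the point shown is the order of the checks.
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, the Montgomery ladder constant

def decode_u(b: bytes) -> int:
    # RFC 7748: clear the top bit (the MSB the upstream note refers to), reduce mod p
    return (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P

def decode_scalar(b: bytes) -> int:
    k = bytearray(b)
    k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamping
    return int.from_bytes(k, "little")

def ladder(k: int, u: int):
    """Montgomery ladder: projective (X, Z) of k*P with u(P) = u; Z == 0 is the identity."""
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # a real implementation uses a constant-time cswap here
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2, z2

def is_small_order(u: int) -> bool:
    """True if 8*P is the identity, i.e. P has order 1, 2, 4 or 8 (curve or twist).
    Only the public point and the public cofactor are involved, so nothing secret leaks."""
    _, z = ladder(8, u)
    return z == 0

def x25519(k: bytes, u: bytes) -> bytes:
    """Reject a small-order point on input. Checking only the output (the old behaviour)
    would already have run the secret ladder over the bad point by the time it failed."""
    uu = decode_u(u)
    if is_small_order(uu):
        raise ValueError("small-order point rejected on input")
    x, z = ladder(decode_scalar(k), uu)
    return (x * pow(z, P - 2, P) % P).to_bytes(32, "little")
```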
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-28 10:27:07 UTC
commit 45abd63abc6644b6e177c057b5b42d894dbf8e29 (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <>
Date:   Mon Aug 28 12:24:42 2017 +0200

    dev-libs/libgcrypt: New upstream version 1.8.1
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-29 08:38:47 UTC
The paper is available at
Comment 3 Matt Turner gentoo-dev 2017-08-29 19:47:05 UTC
alpha stable
Comment 4 Matt Turner gentoo-dev 2017-08-29 19:48:50 UTC
ppc stable
Comment 5 Matt Turner gentoo-dev 2017-08-29 19:48:57 UTC
ppc64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-29 22:02:05 UTC
ia64 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-09-02 20:00:09 UTC
amd64/x86 stable
Comment 8 Markus Meier gentoo-dev 2017-09-07 19:40:32 UTC
arm stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 22:14:15 UTC
hppa/sparc stable (thanks to Dakon)

Last arches are done.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-09-08 23:41:25 UTC
@maintainer(s), please cleanup the vulnerable versions.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-09-08 23:42:51 UTC
(In reply to Aaron Bauman from comment #10)
> @maintainer(s), please cleanup the vulnerable versions.

GLSA Vote: No
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-09 00:42:06 UTC
commit 1b01a3c4660b9ca76210427160fa1f1472d77f3f (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <>
Date:   Sat Sep 9 02:39:35 2017 +0200

    dev-libs/libgcrypt: cleanup old
    Package-Manager: Portage-2.3.6, Repoman-2.3.1