629160 – (CVE-2017-0379) <dev-libs/libgcrypt-1.8.1: Side channel attack on Curve25519

Bug 629160 (CVE-2017-0379) - <dev-libs/libgcrypt-1.8.1: Side channel attack on Curve25519

Summary: <dev-libs/libgcrypt-1.8.1: Side channel attack on Curve25519

Status:	RESOLVED FIXED

Alias:	CVE-2017-0379

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://git.gnupg.org/cgi-bin/gitweb....
Whiteboard:	A4 [noglsa cve]
Keywords:

Depends on:
Blocks:	CVE-2017-7526
	Show dependency tree

Reported:	2017-08-28 10:15 UTC by Kristian Fiskerstrand (RETIRED)
Modified:	2017-09-10 22:58 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	dev-libs/libgcrypt-1.8.1
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-08-28 10:15:49 UTC

ecc: Add input validation for X25519.

* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
(_gcry_mpi_ec_bad_point): New.

--

Following is the paper describing the attack:

    May the Fourth Be With You: A Microarchitectural Side Channel Attack
    on Real-World Applications of Curve25519
    by Daniel Genkin, Luke Valenta, and Yuval Yarom

In the current implementation, we do output checking and it results an
error for those bad points.  However, when attacked, the computation
will done with leak of private key, even it will results errors.  To
mitigate leak, we added input validation.

Note that we only list bad points with MSB=0.  By X25519, MSB is
always cleared.

In future, we should implement constant-time field computation.  Then,
this input validation could be removed, if performance is important
and we are sure for no leak.

CVE-id: CVE-2017-0379
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-08-28 10:27:07 UTC

commit 45abd63abc6644b6e177c057b5b42d894dbf8e29 (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Mon Aug 28 12:24:42 2017 +0200

    dev-libs/libgcrypt: New upstream version 1.8.1
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.1

Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-08-29 08:38:47 UTC

The paper is available at https://eprint.iacr.org/2017/806

Comment 3 Matt Turner gentoo-dev

2017-08-29 19:47:05 UTC

alpha stable

Comment 4 Matt Turner gentoo-dev

2017-08-29 19:48:50 UTC

ppc stable

Comment 5 Matt Turner gentoo-dev

2017-08-29 19:48:57 UTC

ppc64 stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2017-08-29 22:02:05 UTC

ia64 stable

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2017-09-02 20:00:09 UTC

amd64/x86 stable

Comment 8 Markus Meier gentoo-dev

2017-09-07 19:40:32 UTC

arm stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-08 22:14:15 UTC

hppa/sparc stable (thanks to Dakon)

Last arches are done.

Comment 10 Aaron Bauman (RETIRED) gentoo-dev

2017-09-08 23:41:25 UTC

@maintainer(s), please cleanup the vulnerable versions.

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2017-09-08 23:42:51 UTC

(In reply to Aaron Bauman from comment #10)
> @maintainer(s), please cleanup the vulnerable versions.

GLSA Vote: No

Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev

2017-09-09 00:42:06 UTC

commit 1b01a3c4660b9ca76210427160fa1f1472d77f3f (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Sat Sep 9 02:39:35 2017 +0200

    dev-libs/libgcrypt: cleanup old
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.1