Package: libgcrypt11 / 1.5.0-5+deb7u4
Metadata
| Package | Version | Patches format |
|---|---|---|
| libgcrypt11 | 1.5.0-5+deb7u4 | 3.0 (quilt) |
Patch series
| Patch | File delta | Description |
|---|---|---|
| 12_lessdeps_libgcrypt config.diff | src/libgcrypt-config.in (3 lines: +2 -1 !0) | |
| 29_Fix a problem with select and high fds.patch | random/ChangeLog (5 lines: +5 -0 !0) | [patch 04/17] fix a problem with select and high fds. If on systems where the maximum number of fds may be dynamically configured to a value of FD_MAXSIZE or higher and the RNG is first used after more than FD_SETSIZE-1 descriptors are in use, we disable the progress messages from the RNG. A better solution would be to use poll but that requires more tests. The same problem exists in rndunix.c - however this rng is only used on old Unices and I assume that they don't feature dynamically configured maximum fd sizes. |
| 30_Avoid dereferencing pointer right after the end.patch | mpi/mpicoder.c (2 lines: +1 -1 !0) | [patch 10/17] avoid dereferencing pointer right after the end. * mpi/mpicoder.c (do_get_buffer): Check the length before derefing P. -- Christian Grothoff found this bug using Valgrind. |
| 31_Fix segv with AES NI on some platforms.patch | cipher/rijndael.c (2 lines: +1 -1 !0) | [patch 16/17] fix segv with aes-ni on some platforms. * cipher/rijndael.c (RIJNDAEL_context): Align on 16 bytes. -- The trigger for this problem is the allocation of the context in the selftest functions. The other code paths use a 16 byte alignment anyway by means of the allocation of the context in cipher.c. Thanks to Gentoo hacker Joakim Tjernlund for figuring out the reason for this problem. GnuPG-bug-id: 1452 |
| 32_libgcrypt 1.5 rinjdael Fix use of SSE2 outside USE_A.patch | cipher/rijndael.c (24 lines: +20 -4 !0) | [patch 17/17] libgcrypt-1.5: rinjdael: fix use of sse2 outside USE_AESNI/ctx->use_aesni. * cipher/rijndael.c (_gcry_aes_cbc_enc, _gcry_aes_cbc_dec): Check if AES-NI is enabled before calling aesni_prepare() and aesni_cleanup(). -- aesni_cleanup() contains SSE2 instructions that are interpreted as MMX on CPUs without SSE2 support (Pentium-III, etc). In the above functions, aesni_cleanup() was called outside use_aesni checks. This causes x87 register state to be poisoned, causing crashes later on when the program tries to use floating point registers. Add missing '#ifdef USE_AESNI' and 'if (ctx->use_aesni)' for aesni_cleanup() and, while at it, for aesni_prepare() too. Reported-by: Mitsutoshi NAKANO <bkbin005@rinku.zaq.ne.jp> Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> |
| 35_bug in mpi_powm for e 0.patch | mpi/mpi-pow.c (9 lines: +7 -2 !0) | [patch 1/2] fix a special case bug in mpi_powm for e==0. * mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that the result has been allocated. -- This code triggered the problem: `modulus = gcry_mpi_set_ui(NULL, 100); generator = gcry_mpi_set_ui(NULL, 3); exponent = gcry_mpi_set_ui(NULL, 0); result = gcry_mpi_new(0); gcry_mpi_powm(result, generator, exponent, modulus);` gcry_mpi_new(0) does not allocate the limb space, thus it is not possible to write even into the first limb. Workaround was to use gcry_mpi_new (1) but a real fix is better. Reported-by: Ian Goldberg Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from commit 6e1adb05d290aeeb1c230c763970695f4a538526) |
| 36_Mitigate flush reload cache attack on RSA.patch | mpi/mpi-pow.c (13 lines: +11 -2 !0) | [patch 2/2] mitigate a flush+reload cache attack on rsa secret exponents. * mpi/mpi-pow.c (gcry_mpi_powm): Always perform the mpi_mul for exponents in secure memory. -- The attack is published as http://eprint.iacr.org/2013/448 : Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack by Yuval Yarom and Katrina Falkner. 18 July 2013. Flush+Reload is a cache side-channel attack that monitors access to data in shared pages. In this paper we demonstrate how to use the attack to extract private encryption keys from GnuPG. The high resolution and low noise of the Flush+Reload attack enables a spy program to recover over 98% of the bits of the private key in a single decryption or signing round. Unlike previous attacks, the attack targets the last level L3 cache. Consequently, the spy program and the victim do not need to share the execution core of the CPU. The attack is not limited to a traditional OS and can be used in a virtualised environment, where it can attack programs |
| 37_Replace deliberate division by zero with _gcry_divid.patch | mpi/mpi-pow.c (2 lines: +1 -1 !0) | [patch 1/2] replace deliberate division by zero with _gcry_divide_by_zero. * mpi/mpi-pow.c: Replace 1 / msize. * mpi/mpih-div.c: Replace 1 / dsize. * src/misc.c: Add _gcry_divide_by_zero. -- 1) Division by zero doesn't "provoke a signal" on architectures like PowerPC. 2) C compilers like clang will optimize away these divisions, even though the code tries "to make the compiler not remove" them. This patch redirects these cases to _gcry_divide_by_zero. (cherry picked from commit 2c54c4da19d3a79e9f749740828026dd41f0521a) |
| 38_CVE 2014 5270.patch | mpi/mpi-pow.c (454 lines: +454 -0 !0) | [patch 2/2] mpi: mpi-pow improvement. * mpi/mpi-pow.c (gcry_mpi_powm): New implementation of left-to-right k-ary exponentiation. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> For the Yarom/Falkner flush+reload cache side-channel attack, we changed the code so that it always calls the multiplication routine (even if we can skip it to get the result). This results in some performance regression. This change is for recovering performance with an efficient algorithm. (cherry picked from commit 45aa6131e93fac89d46733b3436d960f35fb99b2) |
| 39_CVE 2014 3591.patch | cipher/elgamal.c (46 lines: +41 -5 !0) | [patch] cipher: use ciphertext blinding for elgamal decryption. * cipher/elgamal.c (USE_BLINDING): New. (decrypt): Rewrite to use ciphertext blinding. -- CVE-id: CVE-2014-3591 As a countermeasure to new side-channel attacks on sliding windows exponentiation we blind the ciphertext for Elgamal decryption. This is similar to what we are doing with RSA. This patch is a backport of the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b. Unfortunately, the performance impact of Elgamal blinding is quite noticeable (i5-2410M CPU @ 2.30GHz TP 220): Algorithm generate 100*priv 100*public |
| 40_CVE 2015 0837 1.patch | mpi/mpiutil.c (25 lines: +25 -0 !0) | [patch] mpi: add mpi_set_cond. * mpi/mpiutil.c (_gcry_mpi_set_cond): New. (_gcry_mpi_swap_cond): Fix types. * src/mpi.h (mpi_set_cond): New. |
| 40_CVE 2015 0837 2.patch | mpi/mpi-pow.c (60 lines: +18 -42 !0) | [patch] mpi: revise mpi_powm. * mpi/mpi-pow.c (_gcry_mpi_powm): Rename the table to PRECOMP. -- The name of the precomputed table was b_2i3, which stands for BASE^(2*I+3). But it's too cryptic, so it's renamed. Besides, we needed to distinguish the case of I==0, which was not good. Since it's OK to increase the size of the table by one, it's BASE^(2*I+1) now. |
| 40_CVE 2015 0837 3.patch | mpi/mpi-pow.c (51 lines: +45 -6 !0) | [patch] mpi: avoid data-dependent timing variations in mpi_powm. * mpi/mpi-pow.c (mpi_powm): Access all data in the table by mpi_set_cond. -- Access to the precomputed table was indexed by a portion of EXPO, which could be mounted by a side channel attack. This change fixes this particular data-dependent access pattern. Cherry-picked from commit 5e72b6c76ebee720f69b8a5c212f52d38eb50287 in LIBGCRYPT-1-6-BRANCH. |
| 41_Fix addition of EC points.patch | mpi/ec.c (2 lines: +1 -1 !0) | [patch] fix addition of ec points. * mpi/ec.c (_gcry_mpi_ec_add_points): Fix case of P1 given in affine coordinates. -- This was a plain copy and paste error, which was found due to explicit use of affine coordinates by GNUnet's new pseudonyms code. Signed-off-by: Werner Koch <wk@gnupg.org> |
| 42_multiply by zero in gcry_mpi_ec_mul.patch | mpi/ec.c (21 lines: +17 -4 !0) | [patch] fix multiply by zero in gcry_mpi_ec_mul. * mpi/ec.c (_gcry_mpi_ec_mul_point): Handle case of SCALAR == 0. -- This is a backport from master leaving out the test case. Signed-off-by: Werner Koch <wk@gnupg.org> |
| 43_ecc Fix for chosen cipher text attacks.patch | cipher/ecc.c (11 lines: +9 -2 !0) | [patch] ecc: fix for chosen cipher text attacks. * src/mpi.h (_gcry_mpi_ec_curve_point): New internal function. * cipher/ecc.c (ecc_decrypt_raw): Validate input. Remove duplicated point_free. * mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary method for when SCALAR is secure. (_gcry_mpi_ec_curve_point): New. -- CVE-id: CVE-2015-7511 Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer. http://www.cs.tau.ac.IL/~tromer/ecdh/ This could be an effective countermeasure to some chosen cipher text attacks. (backport from master commit 88e1358962e902ff1cbec8d53ba3eee46407851a) (backport from LIBGCRYPT-1-6-BRANCH commit 28eb424e4427b320ec1c9c4ce56af25d495230bd) Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> |
