Package: libgcrypt20 / 1.7.6-2+deb9u3
Metadata
Package | Version | Patches format |
---|---|---|
libgcrypt20 | 1.7.6-2+deb9u3 | 3.0 (quilt) |
Patch series

Patch | File | Delta (+added -removed !modified, total lines) | Description |
---|---|---|---|
12_lessdeps_libgcrypt-config.diff | src/libgcrypt-config.in | +2 -1 !0 (3) | Drop -lgpg-error from libgcrypt-config --libs output. |
15_multiarchpath_in_-L.diff | src/libgcrypt-config.in | +2 -1 !0 (3) | Do not print standard multiarch path. {/usr,}/lib/i386-linux-gnu are in the standard search path; there is no need to explicitly point gcc there with a -L argument. |
25_norevisionfromgit.diff | configure.ac | +5 -3 !0 (8) | Do not pull revision info from git. Stop trying to pull version info from GIT when autoconf is run. |
30_gcry177_01-ecc-Store-EdDSA-session-key-in-secure-memory.patch | cipher/ecc-eddsa.c | +1 -1 !0 (2) | [PATCH 1/2] ecc: Store EdDSA session key in secure memory. * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): Use mpi_snew to allocate session key. -- An attacker who learns the EdDSA session key from side-channel observation during the signing process can easily recover the long-term secret key. Storing the session key in secure memory ensures that constant time point operations are used in the MPI library. Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> |
30_gcry177_02-secmem-Fix-SEGV-and-stat-calculation.patch | src/secmem.c | +5 -5 !0 (10) | [PATCH 2/2] secmem: Fix SEGV and stat calculation. * src/secmem (init_pool): Care about the header size. (_gcry_secmem_malloc_internal): Likewise. (_gcry_secmem_malloc_internal): Use mb->size for stats. -- GnuPG-bug-id: 3027 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> |
31_CVE-2017-7526_1-mpi-Simplify-mpi_powm.patch | mpi/mpi-pow.c | +30 -75 !0 (105) | [PATCH 1/5] mpi: Simplify mpi_powm. * mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop. -- This fix is not a solution for the problem reported (yet). The problem is that the current algorithm of _gcry_mpi_powm depends on exponent and some information leak is possible. Reported-by: Andreas Zankl <andreas.zankl@aisec.fraunhofer.de> Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> (backport from master commit: 719468e53133d3bdf12156c5bfdea2bf15f9f6f1) |
31_CVE-2017-7526_2-Same-computation-for-square-and-multiply.patch | mpi/mpi-pow.c | +29 -21 !0 (50) | [PATCH 2/5] Same computation for square and multiply. * mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move the assignment to base_u into the loop. Copy content referred by RP to BASE_U except the last of the loop. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> (backport from master commit: 78130828e9a140a9de4dafadbc844dbb64cb709a) |
31_CVE-2017-7526_3-rsa-Add-exponent-blinding.patch | cipher/rsa.c | +25 -7 !0 (32) | [PATCH 3/5] rsa: Add exponent blinding. * cipher/rsa.c (secret): Blind secret D with randomized nonce R for mpi_powm computation. -- Co-authored-by: Werner Koch <wk@gnupg.org> Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> The paper describing the attack: https://eprint.iacr.org/2017/627 "Sliding right into disaster: Left-to-right sliding windows leak" by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and Christine van Vredendaal and Yuval Yarom. It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery attack against RSA. Specifically, 4-bit sliding windows leak only 40% of the bits, and 5-bit sliding windows leak only 33% of the bits. In this paper we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion. We show for the first time that the direction of the encoding matters: the pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about exponent bits than for right-to-left. We show how to incorporate this additional information into the Heninger-Shacham algorithm for partial key reconstruction, and use it to obtain very efficient full key recovery for RSA-1024. We also provide strong evidence that the same attack works for RSA-2048 with only moderately more computation. Exponent blinding is a kind of workaround to add noise. Signal (leak) is still there for non-constant-time implementation. (backported from master commit: 8725c99ffa41778f382ca97233183bcd687bb0ce) |
31_CVE-2017-7526_4-rsa-Fix-exponent-blinding.patch | cipher/rsa.c | +1 -0 !0 (1) | [PATCH 4/5] rsa: Fix exponent blinding. * cipher/rsa.c (secret): Free D_BLIND. -- Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> |
31_CVE-2017-7526_5-rsa-More-fix.patch | cipher/rsa.c | +1 -0 !0 (1) | [PATCH 5/5] rsa: More fix. * cipher/rsa.c (secret): Free R. -- Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> |
32_CVE-2017-0379-ecc-Add-input-validation-for-X25519.patch | cipher/ecc.c | +15 -2 !0 (17) | ecc: Add input validation for X25519. |
33_CVE-2018-0495-ecc-Add-blinding-for-ECDSA.patch | cipher/ecc-ecdsa.c | +18 -2 !0 (20) | ecc: Add blinding for ECDSA. |