diff -Nru libgcrypt11-1.5.4/debian/changelog libgcrypt11-1.5.4/debian/changelog --- libgcrypt11-1.5.4/debian/changelog 2014-08-11 17:08:54.000000000 +0000 +++ libgcrypt11-1.5.4/debian/changelog 2015-03-26 12:17:22.000000000 +0000 @@ -1,3 +1,16 @@ +libgcrypt11 (1.5.4-2ubuntu1.1) utopic-security; urgency=medium + + * SECURITY UPDATE: sidechannel attack on Elgamal + - debian/patches/CVE-2014-3591.patch: use ciphertext blinding in + cipher/elgamal.c. + - CVE-2014-3591 + * SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm + - debian/patches/CVE-2015-0837.patch: avoid timing variations in + mpi/mpi-pow.c, mpi/mpiutil.c, src/mpi.h. + - CVE-2015-0837 + + -- Marc Deslauriers Thu, 26 Mar 2015 08:17:22 -0400 + libgcrypt11 (1.5.4-2ubuntu1) utopic; urgency=medium * Merge with Debian; remaining changes: diff -Nru libgcrypt11-1.5.4/debian/patches/CVE-2014-3591.patch libgcrypt11-1.5.4/debian/patches/CVE-2014-3591.patch --- libgcrypt11-1.5.4/debian/patches/CVE-2014-3591.patch 1970-01-01 00:00:00.000000000 +0000 +++ libgcrypt11-1.5.4/debian/patches/CVE-2014-3591.patch 2015-03-26 12:17:12.000000000 +0000 @@ -0,0 +1,119 @@ +From 35cd81f134c0da4e7e6fcfe40d270ee1251f52c2 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Mon, 23 Feb 2015 11:39:58 +0100 +Subject: [PATCH] cipher: Use ciphertext blinding for Elgamal decryption. + +* cipher/elgamal.c (USE_BLINDING): New. +(decrypt): Rewrite to use ciphertext blinding. +-- + +CVE-id: CVE-2014-3591 + +As a countermeasure to a new side-channel attacks on sliding windows +exponentiation we blind the ciphertext for Elgamal decryption. This +is similar to what we are doing with RSA. This patch is a backport of +the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b. + +Unfortunately, the performance impact of Elgamal blinding is quite +noticeable (i5-2410M CPU @ 2.30GHz TP 220): + + Algorithm generate 100*priv 100*public + ------------------------------------------------ + ELG 1024 bit - 100ms 90ms + ELG 2048 bit - 330ms 350ms + ELG 3072 bit - 660ms 790ms + + Algorithm generate 100*priv 100*public + ------------------------------------------------ + ELG 1024 bit - 150ms 90ms + ELG 2048 bit - 520ms 360ms + ELG 3072 bit - 1100ms 800ms + +Signed-off-by: Werner Koch +(cherry picked from commit 410d70bad9a650e3837055e36f157894ae49a57d) + +Resolved conflicts: + cipher/elgamal.c. +--- + cipher/elgamal.c | 49 ++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 44 insertions(+), 5 deletions(-) + +diff --git a/cipher/elgamal.c b/cipher/elgamal.c +index ce4be85..b2c55b3 100644 +--- a/cipher/elgamal.c ++++ b/cipher/elgamal.c +@@ -30,6 +30,12 @@ + #include "mpi.h" + #include "cipher.h" + ++/* Blinding is used to mitigate side-channel attacks. You may undef ++ this to speed up the operation in case the system is secured ++ against physical and network mounted side-channel attacks. */ ++#define USE_BLINDING 1 ++ ++ + typedef struct + { + gcry_mpi_t p; /* prime */ +@@ -486,12 +492,45 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) + static void + decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) + { +- gcry_mpi_t t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) ); ++ gcry_mpi_t t1, t2, r; ++ unsigned int nbits = mpi_get_nbits (skey->p); ++ ++ mpi_normalize (a); ++ mpi_normalize (b); ++ ++ t1 = mpi_snew (nbits); ++ ++#ifdef USE_BLINDING ++ ++ t2 = mpi_snew (nbits); ++ r = mpi_new (nbits); ++ ++ /* We need a random number of about the prime size. The random ++ number merely needs to be unpredictable; thus we use level 0. */ ++ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM); ++ ++ /* t1 = r^x mod p */ ++ mpi_powm (t1, r, skey->x, skey->p); ++ /* t2 = (a * r)^-x mod p */ ++ mpi_mulm (t2, a, r, skey->p); ++ mpi_powm (t2, t2, skey->x, skey->p); ++ mpi_invm (t2, t2, skey->p); ++ /* t1 = (t1 * t2) mod p*/ ++ mpi_mulm (t1, t1, t2, skey->p); ++ ++ mpi_free (r); ++ mpi_free (t2); ++ ++#else /*!USE_BLINDING*/ + + /* output = b/(a^x) mod p */ +- gcry_mpi_powm( t1, a, skey->x, skey->p ); +- mpi_invm( t1, t1, skey->p ); +- mpi_mulm( output, b, t1, skey->p ); ++ mpi_powm (t1, a, skey->x, skey->p); ++ mpi_invm (t1, t1, skey->p); ++ ++#endif /*!USE_BLINDING*/ ++ ++ mpi_mulm (output, b, t1, skey->p); ++ + #if 0 + if( DBG_CIPHER ) + { +@@ -502,7 +541,7 @@ decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) + log_mpidump("elg decrypted M= ", output); + } + #endif +- mpi_free(t1); ++ mpi_free (t1); + } + + +-- +2.1.4 + diff -Nru libgcrypt11-1.5.4/debian/patches/CVE-2015-0837.patch libgcrypt11-1.5.4/debian/patches/CVE-2015-0837.patch --- libgcrypt11-1.5.4/debian/patches/CVE-2015-0837.patch 1970-01-01 00:00:00.000000000 +0000 +++ libgcrypt11-1.5.4/debian/patches/CVE-2015-0837.patch 2015-03-26 12:17:16.000000000 +0000 @@ -0,0 +1,218 @@ +Description: fix sidechannel attack via timing variations in mpi_powm +Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=deb6f231ba85f65283c9e1deb3e2dea3b6ca46dc +Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d9f002899d26dc64f1502ae5050632340a4780fe +Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5e72b6c76ebee720f69b8a5c212f52d38eb50287 + +Index: libgcrypt11-1.5.4/mpi/mpi-pow.c +=================================================================== +--- libgcrypt11-1.5.4.orig/mpi/mpi-pow.c 2015-03-26 08:14:32.728379999 -0400 ++++ libgcrypt11-1.5.4/mpi/mpi-pow.c 2015-03-26 08:14:32.720379940 -0400 +@@ -381,7 +381,7 @@ + *xsize_p = rsize + ssize; + } + +-#define SIZE_B_2I3 ((1 << (5 - 1)) - 1) ++#define SIZE_PRECOMP ((1 << (5 - 1))) + + /**************** + * RES = BASE ^ EXPO mod MOD +@@ -417,11 +417,12 @@ + unsigned int bp_nlimbs = 0; + unsigned int ep_nlimbs = 0; + unsigned int xp_nlimbs = 0; +- mpi_ptr_t b_2i3[SIZE_B_2I3]; /* Pre-computed array: BASE^3, ^5, ^7, ... */ +- mpi_size_t b_2i3size[SIZE_B_2I3]; ++ mpi_ptr_t precomp[SIZE_PRECOMP]; /* Pre-computed array: BASE^1, ^3, ^5, ... */ ++ mpi_size_t precomp_size[SIZE_PRECOMP]; + mpi_size_t W; + mpi_ptr_t base_u; + mpi_size_t base_u_size; ++ mpi_size_t max_u_size; + + esize = expo->nlimbs; + msize = mod->nlimbs; +@@ -540,7 +541,7 @@ + + /* Main processing. */ + { +- mpi_size_t i, j; ++ mpi_size_t i, j, k; + mpi_ptr_t xp; + mpi_size_t xsize; + int c; +@@ -555,33 +556,30 @@ + memset( &karactx, 0, sizeof karactx ); + negative_result = (ep[0] & 1) && bsign; + +- /* Precompute B_2I3[], BASE^(2 * i + 3), BASE^3, ^5, ^7, ... */ ++ /* Precompute PRECOMP[], BASE^(2 * i + 1), BASE^1, ^3, ^5, ... */ + if (W > 1) /* X := BASE^2 */ + mul_mod (xp, &xsize, bp, bsize, bp, bsize, mp, msize, &karactx); +- for (i = 0; i < (1 << (W - 1)) - 1; i++) +- { /* B_2I3[i] = BASE^(2 * i + 3) */ +- if (i == 0) +- { +- base_u = bp; +- base_u_size = bsize; +- } +- else +- { +- base_u = b_2i3[i-1]; +- base_u_size = b_2i3size[i-1]; +- } +- ++ base_u = precomp[0] = mpi_alloc_limb_space (bsize, esec); ++ base_u_size = max_u_size = precomp_size[0] = bsize; ++ MPN_COPY (precomp[0], bp, bsize); ++ for (i = 1; i < (1 << (W - 1)); i++) ++ { /* PRECOMP[i] = BASE^(2 * i + 1) */ + if (xsize >= base_u_size) + mul_mod (rp, &rsize, xp, xsize, base_u, base_u_size, + mp, msize, &karactx); + else + mul_mod (rp, &rsize, base_u, base_u_size, xp, xsize, + mp, msize, &karactx); +- b_2i3[i] = mpi_alloc_limb_space (rsize, esec); +- b_2i3size[i] = rsize; +- MPN_COPY (b_2i3[i], rp, rsize); ++ base_u = precomp[i] = mpi_alloc_limb_space (rsize, esec); ++ base_u_size = precomp_size[i] = rsize; ++ if (max_u_size < base_u_size) ++ max_u_size = base_u_size; ++ MPN_COPY (precomp[i], rp, rsize); + } + ++ base_u = mpi_alloc_limb_space (max_u_size, esec); ++ MPN_ZERO (base_u, max_u_size); ++ + i = esize - 1; + + /* Main loop. +@@ -667,15 +665,23 @@ + rsize = xsize; + } + +- if (e0 == 0) ++ /* ++ * base_u <= precomp[e0] ++ * base_u_size <= precomp_size[e0] ++ */ ++ base_u_size = 0; ++ for (k = 0; k < (1<< (W - 1)); k++) + { +- base_u = bp; +- base_u_size = bsize; +- } +- else +- { +- base_u = b_2i3[e0 - 1]; +- base_u_size = b_2i3size[e0 -1]; ++ struct gcry_mpi w, u; ++ w.alloced = w.nlimbs = precomp_size[k]; ++ u.alloced = u.nlimbs = precomp_size[k]; ++ w.sign = u.sign = 0; ++ w.flags = u.flags = 0; ++ w.d = base_u; ++ u.d = precomp[k]; ++ ++ mpi_set_cond (&w, &u, k == e0); ++ base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); + } + + mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, +@@ -703,15 +709,23 @@ + + if (e != 0) + { +- if ((e>>1) == 0) ++ /* ++ * base_u <= precomp[(e>>1)] ++ * base_u_size <= precomp_size[(e>>1)] ++ */ ++ base_u_size = 0; ++ for (k = 0; k < (1<< (W - 1)); k++) + { +- base_u = bp; +- base_u_size = bsize; +- } +- else +- { +- base_u = b_2i3[(e>>1) - 1]; +- base_u_size = b_2i3size[(e>>1) -1]; ++ struct gcry_mpi w, u; ++ w.alloced = w.nlimbs = precomp_size[k]; ++ u.alloced = u.nlimbs = precomp_size[k]; ++ w.sign = u.sign = 0; ++ w.flags = u.flags = 0; ++ w.d = base_u; ++ u.d = precomp[k]; ++ ++ mpi_set_cond (&w, &u, k == (e>>1)); ++ base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) ); + } + + mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, +@@ -761,8 +775,9 @@ + MPN_NORMALIZE (rp, rsize); + + _gcry_mpih_release_karatsuba_ctx (&karactx ); +- for (i = 0; i < (1 << (W - 1)) - 1; i++) +- _gcry_mpi_free_limb_space( b_2i3[i], esec ? b_2i3size[i] : 0 ); ++ for (i = 0; i < (1 << (W - 1)); i++) ++ _gcry_mpi_free_limb_space( precomp[i], esec ? precomp_size[i] : 0 ); ++ _gcry_mpi_free_limb_space (base_u, esec ? max_u_size : 0); + } + + /* Fixup for negative results. */ +Index: libgcrypt11-1.5.4/mpi/mpiutil.c +=================================================================== +--- libgcrypt11-1.5.4.orig/mpi/mpiutil.c 2015-03-26 08:14:32.728379999 -0400 ++++ libgcrypt11-1.5.4/mpi/mpiutil.c 2015-03-26 08:14:32.720379940 -0400 +@@ -386,6 +386,31 @@ + / BITS_PER_MPI_LIMB ); + } + ++gcry_mpi_t ++_gcry_mpi_set_cond (gcry_mpi_t w, const gcry_mpi_t u, unsigned long set) ++{ ++ mpi_size_t i; ++ mpi_size_t nlimbs = u->alloced; ++ mpi_limb_t mask = ((mpi_limb_t)0) - !!set; ++ mpi_limb_t x; ++ ++ if (w->alloced != u->alloced) ++ log_bug ("mpi_set_cond: different sizes\n"); ++ ++ for (i = 0; i < nlimbs; i++) ++ { ++ x = mask & (w->d[i] ^ u->d[i]); ++ w->d[i] = w->d[i] ^ x; ++ } ++ ++ x = mask & (w->nlimbs ^ u->nlimbs); ++ w->nlimbs = w->nlimbs ^ x; ++ ++ x = mask & (w->sign ^ u->sign); ++ w->sign = w->sign ^ x; ++ return w; ++} ++ + + gcry_mpi_t + gcry_mpi_snew( unsigned int nbits ) +Index: libgcrypt11-1.5.4/src/mpi.h +=================================================================== +--- libgcrypt11-1.5.4.orig/src/mpi.h 2015-03-26 08:14:32.728379999 -0400 ++++ libgcrypt11-1.5.4/src/mpi.h 2015-03-26 08:15:07.112640773 -0400 +@@ -116,8 +116,11 @@ + #define mpi_swap(a,b) _gcry_mpi_swap ((a),(b)) + #define mpi_new(n) _gcry_mpi_new ((n)) + #define mpi_snew(n) _gcry_mpi_snew ((n)) ++#define mpi_set_cond(w,u,set) _gcry_mpi_set_cond ((w),(u),(set)) + + void _gcry_mpi_clear( gcry_mpi_t a ); ++gcry_mpi_t _gcry_mpi_set_cond (gcry_mpi_t w, const gcry_mpi_t u, ++ unsigned long swap); + gcry_mpi_t _gcry_mpi_alloc_like( gcry_mpi_t a ); + gcry_mpi_t _gcry_mpi_alloc_set_ui( unsigned long u); + gcry_err_code_t _gcry_mpi_get_ui (gcry_mpi_t w, ulong *u); diff -Nru libgcrypt11-1.5.4/debian/patches/series libgcrypt11-1.5.4/debian/patches/series --- libgcrypt11-1.5.4/debian/patches/series 2014-08-11 17:08:54.000000000 +0000 +++ libgcrypt11-1.5.4/debian/patches/series 2015-03-26 12:17:16.000000000 +0000 @@ -2,3 +2,5 @@ 15_multiarchpath_in_-L.diff 20_texinfo.diff no-global-init-thread-callbacks.diff +CVE-2014-3591.patch +CVE-2015-0837.patch