debian/0000755000000000000000000000000013311737055007173 5ustar debian/libgcrypt11-udeb.install0000644000000000000000000000003711627221436013640 0ustar debian/tmp/lib/*/lib*.so.* lib debian/libgcrypt11-dev.install0000644000000000000000000000020612156126002013464 0ustar debian/tmp/usr/include/* debian/tmp/usr/lib/*/lib*.a debian/tmp/usr/lib/*/lib*.so debian/tmp/usr/bin/* debian/tmp/usr/share/aclocal/* debian/rules0000755000000000000000000000163312247703502010253 0ustar #! /usr/bin/make -f # Build the libgcrypt package for Debian. override_dh_auto_configure: dh_auto_configure --verbose -- \ --enable-noexecstack \ --enable-ld-version-script --enable-static \ --libdir=/lib/$(DEB_HOST_MULTIARCH) override_dh_makeshlibs: dh_makeshlibs -V 'libgcrypt11 (>=1.5.0-0)' \ --add-udeb=libgcrypt11-udeb -- -c4 override_dh_auto_build-indep: cd doc && $(MAKE) stamp-vti cd doc && $(MAKE) gcrypt.ps html override_dh_auto_install: dh_auto_install --verbose mkdir -p -m755 debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH) cd debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH) \ && ln -v -s /lib/$(DEB_HOST_MULTIARCH)/`readlink ../../../lib/*/*.so` libgcrypt.so rm -v debian/tmp/lib/$(DEB_HOST_MULTIARCH)/*.so mv -v debian/tmp/lib/$(DEB_HOST_MULTIARCH)/*.a \ debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/ override_dh_strip: dh_strip --dbg-package=libgcrypt11-dbg %: dh $@ --parallel --with autoreconf debian/libgcrypt11.docs0000644000000000000000000000003312204724553012201 0ustar AUTHORS NEWS README THANKS debian/libgcrypt11.symbols0000644000000000000000000001571512155060673012757 0ustar libgcrypt.so.11 libgcrypt11 #MINVER# * Build-Depends-Package: libgcrypt11-dev GCRYPT_1.2@GCRYPT_1.2 1.4.5 gcry_ac_close@GCRYPT_1.2 1.4.5 gcry_ac_data_clear@GCRYPT_1.2 1.4.5 gcry_ac_data_copy@GCRYPT_1.2 1.4.5 gcry_ac_data_decode@GCRYPT_1.2 1.4.5 gcry_ac_data_decrypt@GCRYPT_1.2 1.4.5 gcry_ac_data_decrypt_scheme@GCRYPT_1.2 1.4.5 gcry_ac_data_destroy@GCRYPT_1.2 1.4.5 gcry_ac_data_encode@GCRYPT_1.2 1.4.5 gcry_ac_data_encrypt@GCRYPT_1.2 1.4.5 
gcry_ac_data_encrypt_scheme@GCRYPT_1.2 1.4.5 gcry_ac_data_from_sexp@GCRYPT_1.2 1.4.5 gcry_ac_data_get_index@GCRYPT_1.2 1.4.5 gcry_ac_data_get_name@GCRYPT_1.2 1.4.5 gcry_ac_data_length@GCRYPT_1.2 1.4.5 gcry_ac_data_new@GCRYPT_1.2 1.4.5 gcry_ac_data_set@GCRYPT_1.2 1.4.5 gcry_ac_data_sign@GCRYPT_1.2 1.4.5 gcry_ac_data_sign_scheme@GCRYPT_1.2 1.4.5 gcry_ac_data_to_sexp@GCRYPT_1.2 1.4.5 gcry_ac_data_verify@GCRYPT_1.2 1.4.5 gcry_ac_data_verify_scheme@GCRYPT_1.2 1.4.5 gcry_ac_id_to_name@GCRYPT_1.2 1.4.5 gcry_ac_io_init@GCRYPT_1.2 1.4.5 gcry_ac_io_init_va@GCRYPT_1.2 1.4.5 gcry_ac_key_data_get@GCRYPT_1.2 1.4.5 gcry_ac_key_destroy@GCRYPT_1.2 1.4.5 gcry_ac_key_get_grip@GCRYPT_1.2 1.4.5 gcry_ac_key_get_nbits@GCRYPT_1.2 1.4.5 gcry_ac_key_init@GCRYPT_1.2 1.4.5 gcry_ac_key_pair_destroy@GCRYPT_1.2 1.4.5 gcry_ac_key_pair_extract@GCRYPT_1.2 1.4.5 gcry_ac_key_pair_generate@GCRYPT_1.2 1.4.5 gcry_ac_key_test@GCRYPT_1.2 1.4.5 gcry_ac_name_to_id@GCRYPT_1.2 1.4.5 gcry_ac_open@GCRYPT_1.2 1.4.5 gcry_calloc@GCRYPT_1.2 1.4.5 gcry_calloc_secure@GCRYPT_1.2 1.4.5 gcry_check_version@GCRYPT_1.2 1.4.5 gcry_cipher_algo_info@GCRYPT_1.2 1.4.5 gcry_cipher_algo_name@GCRYPT_1.2 1.4.5 gcry_cipher_close@GCRYPT_1.2 1.4.5 gcry_cipher_ctl@GCRYPT_1.2 1.4.5 gcry_cipher_decrypt@GCRYPT_1.2 1.4.5 gcry_cipher_encrypt@GCRYPT_1.2 1.4.5 gcry_cipher_get_algo_blklen@GCRYPT_1.2 1.4.5 gcry_cipher_get_algo_keylen@GCRYPT_1.2 1.4.5 gcry_cipher_info@GCRYPT_1.2 1.4.5 gcry_cipher_list@GCRYPT_1.2 1.4.5 gcry_cipher_map_name@GCRYPT_1.2 1.4.5 gcry_cipher_mode_from_oid@GCRYPT_1.2 1.4.5 gcry_cipher_open@GCRYPT_1.2 1.4.5 gcry_cipher_register@GCRYPT_1.2 1.4.5 gcry_cipher_setctr@GCRYPT_1.2 1.4.5 gcry_cipher_setiv@GCRYPT_1.2 1.4.5 gcry_cipher_setkey@GCRYPT_1.2 1.4.5 gcry_cipher_unregister@GCRYPT_1.2 1.4.5 gcry_control@GCRYPT_1.2 1.5.1 gcry_create_nonce@GCRYPT_1.2 1.4.5 gcry_err_code_from_errno@GCRYPT_1.2 1.4.5 gcry_err_code_to_errno@GCRYPT_1.2 1.4.5 gcry_err_make_from_errno@GCRYPT_1.2 1.4.5 gcry_error_from_errno@GCRYPT_1.2 1.4.5 
gcry_free@GCRYPT_1.2 1.4.5 gcry_is_secure@GCRYPT_1.2 1.4.5 gcry_kdf_derive@GCRYPT_1.2 1.5.0 gcry_malloc@GCRYPT_1.2 1.4.5 gcry_malloc_secure@GCRYPT_1.2 1.4.5 gcry_md_algo_info@GCRYPT_1.2 1.4.5 gcry_md_algo_name@GCRYPT_1.2 1.4.5 gcry_md_close@GCRYPT_1.2 1.4.5 gcry_md_copy@GCRYPT_1.2 1.4.5 gcry_md_ctl@GCRYPT_1.2 1.4.5 gcry_md_debug@GCRYPT_1.2 1.4.5 gcry_md_enable@GCRYPT_1.2 1.4.5 gcry_md_get_algo@GCRYPT_1.2 1.4.5 gcry_md_get_algo_dlen@GCRYPT_1.2 1.4.5 gcry_md_hash_buffer@GCRYPT_1.2 1.4.5 gcry_md_info@GCRYPT_1.2 1.4.5 gcry_md_is_enabled@GCRYPT_1.2 1.4.5 gcry_md_is_secure@GCRYPT_1.2 1.4.5 gcry_md_list@GCRYPT_1.2 1.4.5 gcry_md_map_name@GCRYPT_1.2 1.4.5 gcry_md_open@GCRYPT_1.2 1.4.5 gcry_md_read@GCRYPT_1.2 1.4.5 gcry_md_register@GCRYPT_1.2 1.4.5 gcry_md_reset@GCRYPT_1.2 1.4.5 gcry_md_setkey@GCRYPT_1.2 1.4.5 gcry_md_unregister@GCRYPT_1.2 1.4.5 gcry_md_write@GCRYPT_1.2 1.4.5 gcry_mpi_add@GCRYPT_1.2 1.4.5 gcry_mpi_add_ui@GCRYPT_1.2 1.4.5 gcry_mpi_addm@GCRYPT_1.2 1.4.5 gcry_mpi_aprint@GCRYPT_1.2 1.4.5 gcry_mpi_clear_bit@GCRYPT_1.2 1.4.5 gcry_mpi_clear_flag@GCRYPT_1.2 1.4.5 gcry_mpi_clear_highbit@GCRYPT_1.2 1.4.5 gcry_mpi_cmp@GCRYPT_1.2 1.4.5 gcry_mpi_cmp_ui@GCRYPT_1.2 1.4.5 gcry_mpi_copy@GCRYPT_1.2 1.4.5 gcry_mpi_div@GCRYPT_1.2 1.4.5 gcry_mpi_dump@GCRYPT_1.2 1.4.5 gcry_mpi_gcd@GCRYPT_1.2 1.4.5 gcry_mpi_get_flag@GCRYPT_1.2 1.4.5 gcry_mpi_get_nbits@GCRYPT_1.2 1.4.5 gcry_mpi_get_opaque@GCRYPT_1.2 1.4.5 gcry_mpi_invm@GCRYPT_1.2 1.4.5 gcry_mpi_lshift@GCRYPT_1.2 1.4.5 gcry_mpi_mod@GCRYPT_1.2 1.4.5 gcry_mpi_mul@GCRYPT_1.2 1.4.5 gcry_mpi_mul_2exp@GCRYPT_1.2 1.4.5 gcry_mpi_mul_ui@GCRYPT_1.2 1.4.5 gcry_mpi_mulm@GCRYPT_1.2 1.4.5 gcry_mpi_new@GCRYPT_1.2 1.4.5 gcry_mpi_powm@GCRYPT_1.2 1.4.5 gcry_mpi_print@GCRYPT_1.2 1.4.5 gcry_mpi_randomize@GCRYPT_1.2 1.4.5 gcry_mpi_release@GCRYPT_1.2 1.4.5 gcry_mpi_rshift@GCRYPT_1.2 1.4.5 gcry_mpi_scan@GCRYPT_1.2 1.4.5 gcry_mpi_set@GCRYPT_1.2 1.4.5 gcry_mpi_set_bit@GCRYPT_1.2 1.4.5 gcry_mpi_set_flag@GCRYPT_1.2 1.4.5 gcry_mpi_set_highbit@GCRYPT_1.2 1.4.5 
gcry_mpi_set_opaque@GCRYPT_1.2 1.4.5 gcry_mpi_set_ui@GCRYPT_1.2 1.4.5 gcry_mpi_snew@GCRYPT_1.2 1.4.5 gcry_mpi_sub@GCRYPT_1.2 1.4.5 gcry_mpi_sub_ui@GCRYPT_1.2 1.4.5 gcry_mpi_subm@GCRYPT_1.2 1.4.5 gcry_mpi_swap@GCRYPT_1.2 1.4.5 gcry_mpi_test_bit@GCRYPT_1.2 1.4.5 gcry_pk_algo_info@GCRYPT_1.2 1.4.5 gcry_pk_algo_name@GCRYPT_1.2 1.4.5 gcry_pk_ctl@GCRYPT_1.2 1.4.5 gcry_pk_decrypt@GCRYPT_1.2 1.4.5 gcry_pk_encrypt@GCRYPT_1.2 1.4.5 gcry_pk_genkey@GCRYPT_1.2 1.4.5 gcry_pk_get_curve@GCRYPT_1.2 1.5.0 gcry_pk_get_keygrip@GCRYPT_1.2 1.4.5 gcry_pk_get_nbits@GCRYPT_1.2 1.4.5 gcry_pk_get_param@GCRYPT_1.2 1.5.0 gcry_pk_list@GCRYPT_1.2 1.4.5 gcry_pk_map_name@GCRYPT_1.2 1.4.5 gcry_pk_register@GCRYPT_1.2 1.4.5 gcry_pk_sign@GCRYPT_1.2 1.4.5 gcry_pk_testkey@GCRYPT_1.2 1.4.5 gcry_pk_unregister@GCRYPT_1.2 1.4.5 gcry_pk_verify@GCRYPT_1.2 1.4.5 gcry_prime_check@GCRYPT_1.2 1.4.5 gcry_prime_generate@GCRYPT_1.2 1.4.5 gcry_prime_group_generator@GCRYPT_1.2 1.4.5 gcry_prime_release_factors@GCRYPT_1.2 1.4.5 gcry_random_add_bytes@GCRYPT_1.2 1.4.5 gcry_random_bytes@GCRYPT_1.2 1.4.5 gcry_random_bytes_secure@GCRYPT_1.2 1.4.5 gcry_randomize@GCRYPT_1.2 1.4.5 gcry_realloc@GCRYPT_1.2 1.4.5 gcry_set_allocation_handler@GCRYPT_1.2 1.4.5 gcry_set_fatalerror_handler@GCRYPT_1.2 1.4.5 gcry_set_gettext_handler@GCRYPT_1.2 1.4.5 gcry_set_log_handler@GCRYPT_1.2 1.4.5 gcry_set_outofcore_handler@GCRYPT_1.2 1.4.5 gcry_set_progress_handler@GCRYPT_1.2 1.4.5 gcry_sexp_alist@GCRYPT_1.2 1.4.5 gcry_sexp_append@GCRYPT_1.2 1.4.5 gcry_sexp_build@GCRYPT_1.2 1.4.5 gcry_sexp_build_array@GCRYPT_1.2 1.4.5 gcry_sexp_cadr@GCRYPT_1.2 1.4.5 gcry_sexp_canon_len@GCRYPT_1.2 1.4.5 gcry_sexp_car@GCRYPT_1.2 1.4.5 gcry_sexp_cdr@GCRYPT_1.2 1.4.5 gcry_sexp_cons@GCRYPT_1.2 1.4.5 gcry_sexp_create@GCRYPT_1.2 1.4.5 gcry_sexp_dump@GCRYPT_1.2 1.4.5 gcry_sexp_find_token@GCRYPT_1.2 1.4.5 gcry_sexp_length@GCRYPT_1.2 1.4.5 gcry_sexp_new@GCRYPT_1.2 1.4.5 gcry_sexp_nth@GCRYPT_1.2 1.4.5 gcry_sexp_nth_data@GCRYPT_1.2 1.4.5 gcry_sexp_nth_mpi@GCRYPT_1.2 1.4.5 
gcry_sexp_nth_string@GCRYPT_1.2 1.4.5 gcry_sexp_prepend@GCRYPT_1.2 1.4.5 gcry_sexp_release@GCRYPT_1.2 1.4.5 gcry_sexp_sprint@GCRYPT_1.2 1.4.5 gcry_sexp_sscan@GCRYPT_1.2 1.4.5 gcry_sexp_vlist@GCRYPT_1.2 1.4.5 gcry_strdup@GCRYPT_1.2 1.4.5 gcry_strerror@GCRYPT_1.2 1.4.5 gcry_strsource@GCRYPT_1.2 1.4.5 gcry_xcalloc@GCRYPT_1.2 1.4.5 gcry_xcalloc_secure@GCRYPT_1.2 1.4.5 gcry_xmalloc@GCRYPT_1.2 1.4.5 gcry_xmalloc_secure@GCRYPT_1.2 1.4.5 gcry_xrealloc@GCRYPT_1.2 1.4.5 gcry_xstrdup@GCRYPT_1.2 1.4.5 debian/libgcrypt11-doc.install0000644000000000000000000000021611627221436013465 0ustar doc/gcrypt.ps usr/share/doc/libgcrypt11-doc doc/gcrypt.html/* usr/share/doc/libgcrypt11-doc/html doc/*.png usr/share/doc/libgcrypt11-doc/html debian/control0000644000000000000000000001001412254040057010564 0ustar Source: libgcrypt11 Section: libs Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian GnuTLS Maintainers Uploaders: Andreas Metzler , Eric Dorland , James Westby , Simon Josefsson Build-Depends: debhelper (>= 9), gtk-doc-tools, libgpg-error-dev (>> 1.10-0.1), dh-autoreconf, texinfo (>= 4.6-0) Build-Depends-Indep: texlive-latex-base, texlive-generic-recommended Standards-Version: 3.9.4 #Vcs-Svn: svn://svn.debian.org/svn/pkg-gnutls/packages/libgcrypt11/trunk Vcs-Svn: svn://anonscm.debian.org/pkg-gnutls/packages/libgcrypt11/trunk #Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnutls/packages/libgcrypt11/trunk/ Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-gnutls/packages/libgcrypt11/trunk/ Homepage: http://directory.fsf.org/project/libgcrypt/ Package: libgcrypt11-doc Section: doc Architecture: all Suggests: libgcrypt11-dev Conflicts: libgcrypt7-doc, libgcrypt-doc Replaces: libgcrypt7-doc, libgcrypt-doc Depends: ${misc:Depends} Description: LGPL Crypto library - documentation libgcrypt contains cryptographic functions. Many important free ciphers, hash algorithms and public key signing algorithms have been implemented: . 
Arcfour, Blowfish, CAST5, DES, AES, Twofish, Serpent, rfc2268 (rc2), SEED, Camellia, IDEA, CRC, MD4, MD5, RIPE-MD160, SHA-1, SHA-256, SHA-512, Tiger, Whirlpool, DSA, DSA2, ElGamal, RSA, ECC. . This package contains developer documentation. Package: libgcrypt11-dev Section: libdevel Architecture: any Conflicts: libgcrypt-dev Provides: libgcrypt-dev Depends: libgcrypt11 (= ${binary:Version}), libc6-dev | libc-dev, libgpg-error-dev, ${misc:Depends} Suggests: libgcrypt11-doc Description: LGPL Crypto library - development files libgcrypt contains cryptographic functions. Many important free ciphers, hash algorithms and public key signing algorithms have been implemented: . Arcfour, Blowfish, CAST5, DES, AES, Twofish, Serpent, rfc2268 (rc2), SEED, Camellia, IDEA, CRC, MD4, MD5, RIPE-MD160, SHA-1, SHA-256, SHA-512, Tiger, Whirlpool, DSA, DSA2, ElGamal, RSA, ECC. . This package contains header files and libraries for static linking. Package: libgcrypt11-dbg Priority: extra Section: debug Architecture: any Depends: libgcrypt11 (= ${binary:Version}), ${misc:Depends} Multi-Arch: same Description: LGPL Crypto library - debugger files libgcrypt contains cryptographic functions. Many important free ciphers, hash algorithms and public key signing algorithms have been implemented: . Arcfour, Blowfish, CAST5, DES, AES, Twofish, Serpent, rfc2268 (rc2), SEED, Camellia, IDEA, CRC, MD4, MD5, RIPE-MD160, SHA-1, SHA-256, SHA-512, Tiger, Whirlpool, DSA, DSA2, ElGamal, RSA, ECC. . This package contains symbol tables for debugging. Package: libgcrypt11 Priority: standard Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Suggests: rng-tools Pre-Depends: ${misc:Pre-Depends} Breaks: gnupg2 (<< 2.0.17-2ubuntu2), gpgsm (<< 2.0.17-2ubuntu2), libgnutls26 (<< 2.12.7-3) Multi-Arch: same Description: LGPL Crypto library - runtime library libgcrypt contains cryptographic functions. Many important free ciphers, hash algorithms and public key signing algorithms have been implemented: . 
Arcfour, Blowfish, CAST5, DES, AES, Twofish, Serpent, rfc2268 (rc2), SEED, Camellia, IDEA, CRC, MD4, MD5, RIPE-MD160, SHA-1, SHA-256, SHA-512, Tiger, Whirlpool, DSA, DSA2, ElGamal, RSA, ECC. Package: libgcrypt11-udeb Section: debian-installer Package-Type: udeb Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: LGPL Crypto library - runtime library libgcrypt contains cryptographic functions. Many important free ciphers, hash algorithms and public key signing algorithms have been implemented: . Arcfour, Blowfish, CAST5, DES, AES, Twofish, Serpent, rfc2268 (rc2), SEED, Camellia, IDEA, CRC, MD4, MD5, RIPE-MD160, SHA-1, SHA-256, SHA-512, Tiger, Whirlpool, DSA, DSA2, ElGamal, RSA, ECC. debian/watch0000644000000000000000000000020012155060673010214 0ustar version=3 opts="pasv,uversionmangle=s/[_-]/\~/g" \ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-(.*)\.tar\.bz2 debian uupdate debian/libgcrypt-config.10000644000000000000000000000374311627221436012525 0ustar .TH LIBGCRYPT 1 "26 April 2008" Version 1.4.1 .SH NAME libgcrypt-config - script to get information about the installed version of libgcrypt. .SH SYNOPSIS .B libgcrypt-config [\-\-prefix\fI[=DIR]\fP] [\-\-exec\-prefix\fI[=DIR]\fP] [\-\-version] [\-\-libs] [\-\-cflags] [LIBRARIES] .SH DESCRIPTION .PP \fIlibgcrypt-config\fP is a tool that is used to configure to determine the compiler and linker flags that should be used to compile and link programs that use \fIlibgcrypt\fP. It is also used internally to the .m4 macros for GNU autoconf that are included with \fIlibgcrypt\fP. . .SH OPTIONS \fIlibgcrypt-config\fP accepts the following options: .TP 8 .B \-\-version Print the currently installed version of \fIlibgcrypt\fP on the standard output. .TP 8 .B \-\-libs Print the linker flags that are necessary to link a \fIlibgcrypt\fP program. .TP 8 .B \-\-cflags Print the compiler flags that are necessary to compile a \fIlibgcrypt\fP program. 
.TP 8 .B \-\-prefix=PREFIX If specified, use PREFIX instead of the installation prefix that \fIlibgcrypt\fP was built with when computing the output for the \-\-cflags and \-\-libs options. This option is also used for the exec prefix if \-\-exec\-prefix was not specified. This option must be specified before any \-\-libs or \-\-cflags options. .TP 8 .B \-\-exec\-prefix=PREFIX If specified, use PREFIX instead of the installation exec prefix that \fIlibgcrypt\fP was built with when computing the output for the \-\-cflags and \-\-libs options. This option must be specified before any \-\-libs or \-\-cflags options. .SH SEE ALSO .BR libgnutls-config (1) .SH COPYRIGHT Copyright \(co 1998 Owen Taylor, modified for libgcrypt and gnutls by Ivo Timmermans, 2001. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. debian/libgcrypt11-dev.manpages0000644000000000000000000000005411627221436013623 0ustar debian/libgcrypt-config.1 debian/dumpsexp.8 debian/patches/0000755000000000000000000000000013311736425010622 5ustar debian/patches/CVE-2016-6313-2.patch0000644000000000000000000001353112755120510013373 0ustar From 6199cd963d1fba86e0b7b9e2de4b6c00b945193a Mon Sep 17 00:00:00 2001 
From: Werner Koch Date: Mon, 8 Aug 2016 12:54:08 +0200 Subject: [PATCH] random: Hash continuous areas in the csprng pool. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit * random/random-csprng.c (mix_pool): Store the first hash at the end of the pool. -- This fixes a long standing bug (since 1998) in Libgcrypt and GnuPG. An attacker who obtains 580 bytes of the random number from the standard RNG can trivially predict the next 20 bytes of output. For use in GnuPG this bug does not affect the default generation of keys because running gpg for key creation creates at most 2 keys from the pool: For a single 4096 bit RSA key 512 byte of random are required and thus for the second key (encryption subkey), 20 bytes could be predicted from the the first key. However, the security of an OpenPGP key depends on the primary key (which was generated first) and thus the 20 predictable bytes should not be a problem. For the default key length of 2048 bit nothing will be predictable. For the former default of DSA+Elgamal key it is complicate to give an answer: For 2048 bit keys a pool of 30 non-secret candidate primes of about 300 bits each are first created. This reads at least 1140 bytes from the pool and thus parts could be predicted. At some point a 256 bit secret is read from the pool; which in the worst case might be partly predictable. The bug was found and reported by Felix Dörre and Vladimir Klebanov, Karlsruhe Institute of Technology. A paper describing the problem in detail will shortly be published. CVE-id: CVE-2016-6313 Signed-off-by: Werner Koch --- random/random-csprng.c | 52 +++++++++++++++++++++++--------------------------- 1 file changed, 24 insertions(+), 28 deletions(-) diff --git a/random/random-csprng.c b/random/random-csprng.c index 10952d5..0fdfa6c 100644 --- a/random/random-csprng.c +++ b/random/random-csprng.c 
@@ -566,23 +566,22 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length, * bytes. * <................600...............> <.64.> * pool |------------------------------------| |------| - * <..44..> <20> - * | | - * | +-----+ - * +-----------------------------------|--+ - * v v + * <20><.24.> <20> + * | | +-----+ + * +-----|-------------------------------|-+ + * +-------------------------------|-|-+ + * v v v * |------| * - * | * +---------------------------------------+ * v * <20> * pool' |------------------------------------| - * <20><20><..44..> - * | | - * | +------------------------------+ - * +-------------------------------------+ | - * v v + * <20><20><.24.> + * +---|-----|---------------------------+ + * +-----|---------------------------|-+ + * +---------------------------|-|-+ + * v v v * |------| * * | @@ -590,13 +589,11 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length, * v * <20> * pool'' |------------------------------------| - * <20><20><20><..44..> - * | | - * | +--------------------------+ - * +---------------------------------+ | - * v v - * |------| - * + * <20><20><20><.24.> + * +---|-----|-----------------------+ + * +-----|-----------------------|-+ + * +-----------------------|-|-+ + * v v v * * and so on until we did this for all 30 blocks. * @@ -623,9 +620,9 @@ mix_pool(unsigned char *pool) gcry_assert (pool_is_locked); _gcry_rmd160_init( &md ); - /* Loop over the pool. */ + /* pool_0 -> pool'. */ pend = pool + POOLSIZE; - memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN ); + memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN); memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN); _gcry_rmd160_mixblock (&md, hashbuf); memcpy (pool, hashbuf, DIGESTLEN); 
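Review bot: The ChangeLog entry of this patch says mix_pool now stores the first hash at the end of the pool, but the code in this hunk still writes it to the start (`memcpy (pool, hashbuf, DIGESTLEN);` is unchanged context), and that mismatch will mislead anyone auditing the backport, so either the entry or the code comment should be corrected. The input to the first digest is the last DIGESTLEN bytes of the pool followed by its first BLOCKLEN-DIGESTLEN bytes, which the new one-word comment does not convey; I would expand it to `/* pool_0 -> pool': hash the last DIGESTLEN bytes of the pool together with its first BLOCKLEN-DIGESTLEN bytes and store the digest at the start of the pool. */`. mix_pool continues past this hunk, so the failsafe_digest mixing that follows is only partly visible here.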
@@ -636,19 +633,17 @@ mix_pool(unsigned char *pool) pool[i] ^= failsafe_digest[i]; } + /* Loop for the remaining iterations. */ p = pool; for (n=1; n < POOLBLOCKS; n++) { - memcpy (hashbuf, p, DIGESTLEN); - - p += DIGESTLEN; - if (p+DIGESTLEN+BLOCKLEN < pend) - memcpy (hashbuf+DIGESTLEN, p+DIGESTLEN, BLOCKLEN-DIGESTLEN); + if (p + BLOCKLEN < pend) + memcpy (hashbuf, p, BLOCKLEN); else { - unsigned char *pp = p + DIGESTLEN; + unsigned char *pp = p; - for (i=DIGESTLEN; i < BLOCKLEN; i++ ) + for (i=0; i < BLOCKLEN; i++ ) { if ( pp >= pend ) pp = pool; @@ -657,7 +652,8 @@ mix_pool(unsigned char *pool) } _gcry_rmd160_mixblock (&md, hashbuf); - memcpy(p, hashbuf, DIGESTLEN); + p += DIGESTLEN; + memcpy (p, hashbuf, DIGESTLEN); } /* Our hash implementation does only leave small parts (64 bytes) -- 2.8.0.rc3 debian/patches/CVE-2015-7511.patch0000644000000000000000000002227412656657466013271 0ustar From fcbb9fcc2e6983ea61bf565b6ee2e29816b8cd57 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Wed, 10 Feb 2016 17:43:03 +0900 Subject: [PATCH] ecc: Fix for chosen cipher text attacks. * src/mpi.h (_gcry_mpi_ec_curve_point): New internal function. * cipher/ecc.c (ecc_decrypt_raw): Validate input. Remove duplicated point_free. * mpi/ec.c (_gcry_mpi_ec_mul_point):Use simple left-to-right binary method for when SCALAR is secure. (_gcry_mpi_ec_curve_point): New. -- CVE-id: CVE-2015-7511 Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer. http://www.cs.tau.ac.IL/~tromer/ecdh/ This could be an effective contermeasure to some chosen cipher text attacks. (backport from master commit 88e1358962e902ff1cbec8d53ba3eee46407851a) (backport from LIBGCRYPT-1-6-BRANCH commit 28eb424e4427b320ec1c9c4ce56af25d495230bd) 
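Review bot: No regression test accompanies the rewritten mixing loop, so a transcription error in this backport would go unnoticed; a known-answer test that fills a POOLSIZE buffer with a fixed pattern, runs mix_pool (through whatever test hook the file offers, which I cannot see here) and compares the result with the digest chain produced by upstream's fixed code would pin the new `memcpy (hashbuf, p, BLOCKLEN)` / `p += DIGESTLEN` layout. As a minor point, the fast path `if (p + BLOCKLEN < pend)` sends a block that ends exactly at pend through the byte-wise wrap loop; `<=` would let it use memcpy, with an identical result. The remainder of mix_pool, including any clearing of hashbuf, lies outside this hunk.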
Signed-off-by: NIIBE Yutaka --- cipher/ecc.c | 11 ++- mpi/ec.c | 226 +++++++++++++++++++++++++++++++++++------------------------ src/mpi.h | 2 +- 3 files changed, 145 insertions(+), 94 deletions(-) Index: libgcrypt11-1.5.3/cipher/ecc.c =================================================================== --- libgcrypt11-1.5.3.orig/cipher/ecc.c 2016-02-10 11:02:59.381034349 -0500 +++ libgcrypt11-1.5.3/cipher/ecc.c 2016-02-10 11:02:59.377034307 -0500 @@ -1535,12 +1535,19 @@ ctx = _gcry_mpi_ec_init (sk.E.p, sk.E.a); + if (!_gcry_mpi_ec_curve_point (&kG, sk.E.b, ctx)) + { + point_free (&kG); + point_free (&sk.E.G); + point_free (&sk.Q); + _gcry_mpi_ec_free (ctx); + return GPG_ERR_INV_DATA; + } + /* R = dkG */ point_init (&R); _gcry_mpi_ec_mul_point (&R, sk.d, &kG, ctx); - point_free (&kG); - /* The following is false: assert( mpi_cmp_ui( R.x, 1 )==0 );, so: */ { gcry_mpi_t x, y; Index: libgcrypt11-1.5.3/mpi/ec.c =================================================================== --- libgcrypt11-1.5.3.orig/mpi/ec.c 2016-02-10 11:02:59.381034349 -0500 +++ libgcrypt11-1.5.3/mpi/ec.c 2016-02-10 11:02:59.377034307 -0500 
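Review bot: The new on-curve check rejects a kG that is off the curve, but nothing says why it is there, and for a curve with cofactor greater than one it is not sufficient on its own, since a point on the curve but in a small subgroup still lets d·kG leak bits of d. I would add above the call `/* Reject a kG that is not on the curve: scalar multiplication of an off-curve point by the secret d leaks bits of d (CVE-2015-7511). */`, and, if any curve supported by this branch has a cofactor above one (the hunk does not show the curve table), also verify that n·kG is the point at infinity. The early-return cleanup mirrors the frees at the end of ecc_decrypt_raw as far as the hunk shows, but the function starts and ends outside it, so confirm that nothing allocated between os2ec and this check is skipped.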
@@ -612,110 +612,154 @@ gcry_mpi_t scalar, mpi_point_t *point, mpi_ec_t ctx) { -#if 0 - /* Simple left to right binary method. GECC Algorithm 3.27 */ - unsigned int nbits; - int i; - - nbits = mpi_get_nbits (scalar); - mpi_set_ui (result->x, 1); - mpi_set_ui (result->y, 1); - mpi_set_ui (result->z, 0); - - for (i=nbits-1; i >= 0; i--) - { - _gcry_mpi_ec_dup_point (result, result, ctx); - if (mpi_test_bit (scalar, i) == 1) - _gcry_mpi_ec_add_points (result, result, point, ctx); - } - -#else - gcry_mpi_t x1, y1, z1, k, h, yy; - unsigned int i, loops; - mpi_point_t p1, p2, p1inv; - - x1 = mpi_alloc_like (ctx->p); - y1 = mpi_alloc_like (ctx->p); - h = mpi_alloc_like (ctx->p); - k = mpi_copy (scalar); - yy = mpi_copy (point->y); - - if ( mpi_is_neg (k) ) + if (mpi_is_secure(scalar)) { - k->sign = 0; - ec_invm (yy, yy, ctx); - } + /* Simple left to right binary method. GECC Algorithm 3.27 */ + unsigned int nbits; + int i; + mpi_point_t tmppnt; + + nbits = mpi_get_nbits (scalar); + mpi_set_ui (result->x, 1); + mpi_set_ui (result->y, 1); + mpi_set_ui (result->z, 0); - if (!mpi_cmp_ui (point->z, 1)) - { - mpi_set (x1, point->x); - mpi_set (y1, yy); + point_init (&tmppnt); + for (i=nbits-1; i >= 0; i--) + { + _gcry_mpi_ec_dup_point (result, result, ctx); + _gcry_mpi_ec_add_points (&tmppnt, result, point, ctx); + if (mpi_test_bit (scalar, i) == 1) + point_set (result, &tmppnt); + } + point_free (&tmppnt); } else { - gcry_mpi_t z2, z3; + gcry_mpi_t x1, y1, z1, k, h, yy; + unsigned int i, loops; + mpi_point_t p1, p2, p1inv; + + x1 = mpi_alloc_like (ctx->p); + y1 = mpi_alloc_like (ctx->p); + h = mpi_alloc_like (ctx->p); + k = mpi_copy (scalar); + yy = mpi_copy (point->y); - z2 = mpi_alloc_like (ctx->p); - z3 = mpi_alloc_like (ctx->p); - ec_mulm (z2, point->z, point->z, ctx); - ec_mulm (z3, point->z, z2, ctx); - ec_invm (z2, z2, ctx); - ec_mulm (x1, point->x, z2, ctx); - ec_invm (z3, z3, ctx); - ec_mulm (y1, yy, z3, ctx); - mpi_free (z2); - mpi_free (z3); - } - z1 = mpi_copy 
(ctx->one); + if ( mpi_is_neg (k) ) + { + k->sign = 0; + ec_invm (yy, yy, ctx); + } - mpi_mul (h, k, ctx->three); /* h = 3k */ - loops = mpi_get_nbits (h); - if (loops < 2) - { - /* If SCALAR is zero, the above mpi_mul sets H to zero and thus - LOOPs will be zero. To avoid an underflow of I in the main - loop we set LOOP to 2 and the result to (0,0,0). */ - loops = 2; - mpi_clear (result->x); - mpi_clear (result->y); - mpi_clear (result->z); - } - else - { - mpi_set (result->x, point->x); - mpi_set (result->y, yy); - mpi_set (result->z, point->z); - } - mpi_free (yy); yy = NULL; + if (!mpi_cmp_ui (point->z, 1)) + { + mpi_set (x1, point->x); + mpi_set (y1, yy); + } + else + { + gcry_mpi_t z2, z3; - p1.x = x1; x1 = NULL; - p1.y = y1; y1 = NULL; - p1.z = z1; z1 = NULL; - point_init (&p2); - point_init (&p1inv); + z2 = mpi_alloc_like (ctx->p); + z3 = mpi_alloc_like (ctx->p); + ec_mulm (z2, point->z, point->z, ctx); + ec_mulm (z3, point->z, z2, ctx); + ec_invm (z2, z2, ctx); + ec_mulm (x1, point->x, z2, ctx); + ec_invm (z3, z3, ctx); + ec_mulm (y1, yy, z3, ctx); + mpi_free (z2); + mpi_free (z3); + } + z1 = mpi_copy (ctx->one); - for (i=loops-2; i > 0; i--) - { - _gcry_mpi_ec_dup_point (result, result, ctx); - if (mpi_test_bit (h, i) == 1 && mpi_test_bit (k, i) == 0) + mpi_mul (h, k, ctx->three); /* h = 3k */ + loops = mpi_get_nbits (h); + if (loops < 2) { - point_set (&p2, result); - _gcry_mpi_ec_add_points (result, &p2, &p1, ctx); + /* If SCALAR is zero, the above mpi_mul sets H to zero and thus + LOOPs will be zero. To avoid an underflow of I in the main + loop we set LOOP to 2 and the result to (0,0,0). 
*/ + loops = 2; + mpi_clear (result->x); + mpi_clear (result->y); + mpi_clear (result->z); } - if (mpi_test_bit (h, i) == 0 && mpi_test_bit (k, i) == 1) + else { - point_set (&p2, result); - /* Invert point: y = p - y mod p */ - point_set (&p1inv, &p1); - ec_subm (p1inv.y, ctx->p, p1inv.y, ctx); - _gcry_mpi_ec_add_points (result, &p2, &p1inv, ctx); + mpi_set (result->x, point->x); + mpi_set (result->y, yy); + mpi_set (result->z, point->z); } + mpi_free (yy); yy = NULL; + + p1.x = x1; x1 = NULL; + p1.y = y1; y1 = NULL; + p1.z = z1; z1 = NULL; + point_init (&p2); + point_init (&p1inv); + + for (i=loops-2; i > 0; i--) + { + _gcry_mpi_ec_dup_point (result, result, ctx); + if (mpi_test_bit (h, i) == 1 && mpi_test_bit (k, i) == 0) + { + point_set (&p2, result); + _gcry_mpi_ec_add_points (result, &p2, &p1, ctx); + } + if (mpi_test_bit (h, i) == 0 && mpi_test_bit (k, i) == 1) + { + point_set (&p2, result); + /* Invert point: y = p - y mod p */ + point_set (&p1inv, &p1); + ec_subm (p1inv.y, ctx->p, p1inv.y, ctx); + _gcry_mpi_ec_add_points (result, &p2, &p1inv, ctx); + } + } + + point_free (&p1); + point_free (&p2); + point_free (&p1inv); + mpi_free (h); + mpi_free (k); } +} + + +/* Return true if POINT is on the curve described by CTX. 
*/ +int +_gcry_mpi_ec_curve_point (mpi_point_t *point, gcry_mpi_t b, mpi_ec_t ctx) +{ + int res = 0; + gcry_mpi_t x, y, w; + gcry_mpi_t xxx; + + x = mpi_new (0); + y = mpi_new (0); + w = mpi_new (0); + xxx = mpi_new (0); + + if (_gcry_mpi_ec_get_affine (x, y, point, ctx)) + goto leave; + + /* y^2 == x^3 + a·x + b */ + ec_mulm (y, y, y, ctx); + + ec_mulm (xxx, x, x, ctx); + ec_mulm (xxx, xxx, x, ctx); + ec_mulm (w, ctx->a, x, ctx); + ec_addm (w, w, b, ctx); + ec_addm (w, w, xxx, ctx); + + if (!mpi_cmp (y, w)) + res = 1; + + leave: + _gcry_mpi_release (xxx); + _gcry_mpi_release (w); + _gcry_mpi_release (x); + _gcry_mpi_release (y); - point_free (&p1); - point_free (&p2); - point_free (&p1inv); - mpi_free (h); - mpi_free (k); -#endif + return res; } Index: libgcrypt11-1.5.3/src/mpi.h =================================================================== --- libgcrypt11-1.5.3.orig/src/mpi.h 2016-02-10 11:02:59.381034349 -0500 +++ libgcrypt11-1.5.3/src/mpi.h 2016-02-10 11:02:59.381034349 -0500 @@ -260,7 +260,7 @@ void _gcry_mpi_ec_mul_point (mpi_point_t *result, gcry_mpi_t scalar, mpi_point_t *point, mpi_ec_t ctx); - +int _gcry_mpi_ec_curve_point (mpi_point_t *point, gcry_mpi_t b, mpi_ec_t ctx); #endif /*G10_MPI_H*/ debian/patches/series0000644000000000000000000000061413311732744012040 0ustar 12_lessdeps_libgcrypt-config.diff no-global-init-thread-callbacks.diff 15_multiarchpath_in_-L.diff texinfo.diff add_gcry_divide_by_zero.patch CVE-2014-5270.patch CVE-2014-3591.patch CVE-2015-0837.patch CVE-2015-7511.patch CVE-2016-6313-1.patch CVE-2016-6313-2.patch CVE-2017-7526-1.patch CVE-2017-7526-2.patch CVE-2017-7526-3.patch CVE-2017-7526-4.patch CVE-2017-7526-5.patch CVE-2018-0495.patch debian/patches/texinfo.diff0000644000000000000000000000246512250747307013141 0ustar Index: b/doc/gcrypt.texi =================================================================== --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi 
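Review bot: The secure-scalar branch still decides on the secret bit: `if (mpi_test_bit (scalar, i) == 1) point_set (result, &tmppnt);` performs the addition unconditionally but copies its result conditionally, so the branch and the copy's memory traffic remain key-dependent, which is presumably why the commit message calls this only a countermeasure against some attacks. A branch-free conditional copy of tmppnt into result on every iteration (mask-selecting the x, y and z limbs, the way `_gcry_mpi_set_cond` does for a single MPI elsewhere in this package's patch series) would remove that dependency without changing the computed point. A comment on the branch should say that the add is done unconditionally on purpose, e.g. `/* Always compute result+point; select on the bit so the add is not skipped (no constant-time guarantee for the select itself). */`. The signature of _gcry_mpi_ec_mul_point lies before this hunk; _gcry_mpi_ec_curve_point is entirely within it.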
@@ -2012,7 +2012,7 @@ @noindent The following information are stored in S-expressions: -@itemize @asis +@table @asis @item keys @item plain text data @@ -2021,7 +2021,7 @@ @item signatures -@end itemize +@end table @noindent To describe how Libgcrypt expect keys, we use examples. Note that Index: b/doc/lgpl.texi =================================================================== --- a/doc/lgpl.texi +++ b/doc/lgpl.texi @@ -476,12 +476,7 @@ of all derivatives of our free software and of promoting the sharing and reuse of software generally. -@iftex -@heading NO WARRANTY -@end iftex -@ifinfo -@center NO WARRANTY -@end ifinfo +NO WARRANTY @item BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO Index: b/doc/gpl.texi =================================================================== --- a/doc/gpl.texi +++ b/doc/gpl.texi @@ -287,12 +287,7 @@ of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. -@iftex -@heading NO WARRANTY -@end iftex -@ifinfo -@center NO WARRANTY -@end ifinfo +NO WARRANTY @item BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY debian/patches/CVE-2015-0837.patch0000644000000000000000000001641012504774362013253 0ustar Description: fix sidechannel attack via timing variations in mpi_powm Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=deb6f231ba85f65283c9e1deb3e2dea3b6ca46dc Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d9f002899d26dc64f1502ae5050632340a4780fe Origin: backport, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5e72b6c76ebee720f69b8a5c212f52d38eb50287 Index: libgcrypt11-1.5.4/mpi/mpi-pow.c =================================================================== --- libgcrypt11-1.5.4.orig/mpi/mpi-pow.c 2015-03-26 08:14:32.728379999 -0400 +++ libgcrypt11-1.5.4/mpi/mpi-pow.c 2015-03-26 08:14:32.720379940 -0400 
@@ -381,7 +381,7 @@ *xsize_p = rsize + ssize; } -#define SIZE_B_2I3 ((1 << (5 - 1)) - 1) +#define SIZE_PRECOMP ((1 << (5 - 1))) /**************** * RES = BASE ^ EXPO mod MOD @@ -417,11 +417,12 @@ unsigned int bp_nlimbs = 0; unsigned int ep_nlimbs = 0; unsigned int xp_nlimbs = 0; - mpi_ptr_t b_2i3[SIZE_B_2I3]; /* Pre-computed array: BASE^3, ^5, ^7, ... */ - mpi_size_t b_2i3size[SIZE_B_2I3]; + mpi_ptr_t precomp[SIZE_PRECOMP]; /* Pre-computed array: BASE^1, ^3, ^5, ... */ + mpi_size_t precomp_size[SIZE_PRECOMP]; mpi_size_t W; mpi_ptr_t base_u; mpi_size_t base_u_size; + mpi_size_t max_u_size; esize = expo->nlimbs; msize = mod->nlimbs; @@ -540,7 +541,7 @@ /* Main processing. */ { - mpi_size_t i, j; + mpi_size_t i, j, k; mpi_ptr_t xp; mpi_size_t xsize; int c; 
@@ -555,33 +556,30 @@ memset( &karactx, 0, sizeof karactx ); negative_result = (ep[0] & 1) && bsign; - /* Precompute B_2I3[], BASE^(2 * i + 3), BASE^3, ^5, ^7, ... */ + /* Precompute PRECOMP[], BASE^(2 * i + 1), BASE^1, ^3, ^5, ... */ if (W > 1) /* X := BASE^2 */ mul_mod (xp, &xsize, bp, bsize, bp, bsize, mp, msize, &karactx); - for (i = 0; i < (1 << (W - 1)) - 1; i++) - { /* B_2I3[i] = BASE^(2 * i + 3) */ - if (i == 0) - { - base_u = bp; - base_u_size = bsize; - } - else - { - base_u = b_2i3[i-1]; - base_u_size = b_2i3size[i-1]; - } - + base_u = precomp[0] = mpi_alloc_limb_space (bsize, esec); + base_u_size = max_u_size = precomp_size[0] = bsize; + MPN_COPY (precomp[0], bp, bsize); + for (i = 1; i < (1 << (W - 1)); i++) + { /* PRECOMP[i] = BASE^(2 * i + 1) */ if (xsize >= base_u_size) mul_mod (rp, &rsize, xp, xsize, base_u, base_u_size, mp, msize, &karactx); else mul_mod (rp, &rsize, base_u, base_u_size, xp, xsize, mp, msize, &karactx); - b_2i3[i] = mpi_alloc_limb_space (rsize, esec); - b_2i3size[i] = rsize; - MPN_COPY (b_2i3[i], rp, rsize); + base_u = precomp[i] = mpi_alloc_limb_space (rsize, esec); + base_u_size = precomp_size[i] = rsize; + if (max_u_size < base_u_size) + max_u_size = base_u_size; + MPN_COPY (precomp[i], rp, rsize); } + base_u = mpi_alloc_limb_space (max_u_size, esec); + MPN_ZERO (base_u, max_u_size); + i = esize - 1; /* Main loop. 
@@ -667,15 +665,23 @@ rsize = xsize; } - if (e0 == 0) + /* + * base_u <= precomp[e0] + * base_u_size <= precomp_size[e0] + */ + base_u_size = 0; + for (k = 0; k < (1<< (W - 1)); k++) { - base_u = bp; - base_u_size = bsize; - } - else - { - base_u = b_2i3[e0 - 1]; - base_u_size = b_2i3size[e0 -1]; + struct gcry_mpi w, u; + w.alloced = w.nlimbs = precomp_size[k]; + u.alloced = u.nlimbs = precomp_size[k]; + w.sign = u.sign = 0; + w.flags = u.flags = 0; + w.d = base_u; + u.d = precomp[k]; + + mpi_set_cond (&w, &u, k == e0); + base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); } mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, @@ -703,15 +709,23 @@ if (e != 0) { - if ((e>>1) == 0) + /* + * base_u <= precomp[(e>>1)] + * base_u_size <= precomp_size[(e>>1)] + */ + base_u_size = 0; + for (k = 0; k < (1<< (W - 1)); k++) { - base_u = bp; - base_u_size = bsize; - } - else - { - base_u = b_2i3[(e>>1) - 1]; - base_u_size = b_2i3size[(e>>1) -1]; + struct gcry_mpi w, u; + w.alloced = w.nlimbs = precomp_size[k]; + u.alloced = u.nlimbs = precomp_size[k]; + w.sign = u.sign = 0; + w.flags = u.flags = 0; + w.d = base_u; + u.d = precomp[k]; + + mpi_set_cond (&w, &u, k == (e>>1)); + base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) ); } mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, @@ -761,8 +775,9 @@ MPN_NORMALIZE (rp, rsize); _gcry_mpih_release_karatsuba_ctx (&karactx ); - for (i = 0; i < (1 << (W - 1)) - 1; i++) - _gcry_mpi_free_limb_space( b_2i3[i], esec ? b_2i3size[i] : 0 ); + for (i = 0; i < (1 << (W - 1)); i++) + _gcry_mpi_free_limb_space( precomp[i], esec ? precomp_size[i] : 0 ); + _gcry_mpi_free_limb_space (base_u, esec ? max_u_size : 0); } /* Fixup for negative results. */ Index: libgcrypt11-1.5.4/mpi/mpiutil.c =================================================================== --- libgcrypt11-1.5.4.orig/mpi/mpiutil.c 2015-03-26 08:14:32.728379999 -0400 +++ libgcrypt11-1.5.4/mpi/mpiutil.c 2015-03-26 08:14:32.720379940 -0400 
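Review bot: The constant-time selection loop at @@ -667 is repeated verbatim at @@ -703, which invites the two copies to drift; a small static helper taking the window value and writing `base_u`/`base_u_size` would keep both paths identical. The comment `base_u <= precomp[e0]` reads as a comparison; `/* base_u := precomp[e0], selected by scanning every entry so neither the index nor the branch depends on the exponent window */` states the intent. `base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)))` relies on `(mpi_size_t)0 - 1` being an all-ones mask, which deserves a one-line comment as well. The enclosing function continues outside these hunks.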
@@ -386,6 +386,31 @@ / BITS_PER_MPI_LIMB ); } +gcry_mpi_t +_gcry_mpi_set_cond (gcry_mpi_t w, const gcry_mpi_t u, unsigned long set) +{ + mpi_size_t i; + mpi_size_t nlimbs = u->alloced; + mpi_limb_t mask = ((mpi_limb_t)0) - !!set; + mpi_limb_t x; + + if (w->alloced != u->alloced) + log_bug ("mpi_set_cond: different sizes\n"); + + for (i = 0; i < nlimbs; i++) + { + x = mask & (w->d[i] ^ u->d[i]); + w->d[i] = w->d[i] ^ x; + } + + x = mask & (w->nlimbs ^ u->nlimbs); + w->nlimbs = w->nlimbs ^ x; + + x = mask & (w->sign ^ u->sign); + w->sign = w->sign ^ x; + return w; +} + gcry_mpi_t gcry_mpi_snew( unsigned int nbits ) Index: libgcrypt11-1.5.4/src/mpi.h =================================================================== --- libgcrypt11-1.5.4.orig/src/mpi.h 2015-03-26 08:14:32.728379999 -0400 +++ libgcrypt11-1.5.4/src/mpi.h 2015-03-26 08:15:07.112640773 -0400 @@ -116,8 +116,11 @@ #define mpi_swap(a,b) _gcry_mpi_swap ((a),(b)) #define mpi_new(n) _gcry_mpi_new ((n)) #define mpi_snew(n) _gcry_mpi_snew ((n)) +#define mpi_set_cond(w,u,set) _gcry_mpi_set_cond ((w),(u),(set)) void _gcry_mpi_clear( gcry_mpi_t a ); +gcry_mpi_t _gcry_mpi_set_cond (gcry_mpi_t w, const gcry_mpi_t u, + unsigned long swap); gcry_mpi_t _gcry_mpi_alloc_like( gcry_mpi_t a ); gcry_mpi_t _gcry_mpi_alloc_set_ui( unsigned long u); gcry_err_code_t _gcry_mpi_get_ui (gcry_mpi_t w, ulong *u); debian/patches/12_lessdeps_libgcrypt-config.diff0000644000000000000000000000102111627221436017113 0ustar diff -NurbBp libgcrypt-1.4.5.orig/src/libgcrypt-config.in libgcrypt-1.4.5/src/libgcrypt-config.in --- libgcrypt-1.4.5.orig/src/libgcrypt-config.in 2009-04-02 11:25:32.000000000 +0200 +++ libgcrypt-1.4.5/src/libgcrypt-config.in 2009-12-12 09:37:05.000000000 +0100 
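Review bot: The prototype added to src/mpi.h names the third parameter `swap` while the definition in mpi/mpiutil.c names it `set`; the two should agree, since the argument selects whether `w` takes `u`'s value rather than swapping them. The new function also has no header comment; something like `/* Set W to U if SET is non-zero, otherwise leave W unchanged. Intended to run in time independent of SET; W and U must have the same allocated size. */` is the contract the callers in mpi-pow.c rely on. The `log_bug` on an `alloced` mismatch terminates the process, so that precondition belongs in the comment too.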
@@ -151,7 +151,8 @@ if test "$echo_libs" = "yes"; then fi # Set up `libs_final'. - libs_final="$libs_final $gpg_error_libs" + #libs_final="$libs_final $gpg_error_libs" + libs_final="-lgcrypt" tmp="" for i in $libdirs $libs_final; do debian/patches/CVE-2017-7526-2.patch0000644000000000000000000000647413126433151013414 0ustar From 0e6788517eac6f508fa32ec5d5c1cada7fb980bc Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Sat, 24 Jun 2017 20:46:20 +0900 Subject: [PATCH] Same computation for square and multiply. * mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move the assignment to base_u into the loop. Copy content refered by RP to BASE_U except the last of the loop. -- Signed-off-by: NIIBE Yutaka (backport from master commit: 78130828e9a140a9de4dafadbc844dbb64cb709a) --- mpi/mpi-pow.c | 50 +++++++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 21 deletions(-) Index: libgcrypt20-1.6.5/mpi/mpi-pow.c =================================================================== --- libgcrypt20-1.6.5.orig/mpi/mpi-pow.c 2017-07-03 08:16:12.941489654 -0400 +++ libgcrypt20-1.6.5/mpi/mpi-pow.c 2017-07-03 08:16:12.937489654 -0400 @@ -577,6 +577,8 @@ _gcry_mpi_powm (gcry_mpi_t res, MPN_COPY (precomp[i], rp, rsize); } + if (msize > max_u_size) + max_u_size = msize; base_u = mpi_alloc_limb_space (max_u_size, esec); MPN_ZERO (base_u, max_u_size); @@ -623,6 +625,10 @@ _gcry_mpi_powm (gcry_mpi_t res, { int c0; mpi_limb_t e0; + struct gcry_mpi w, u; + w.sign = u.sign = 0; + w.flags = u.flags = 0; + w.d = base_u; count_leading_zeros (c0, e); e = (e << c0); 
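Review bot: The hunk at @@ -151 leaves the old assignment behind as a commented-out line, `#libs_final="$libs_final $gpg_error_libs"`, which should simply be deleted rather than kept as dead shell. The replacement `libs_final="-lgcrypt"` also discards whatever `libs_final` held before this point (set outside the hunk), not only the `$gpg_error_libs` term; if that earlier value matters, drop just the gpg-error part instead of overwriting the variable. A one-line comment saying why libgpg-error is no longer exported to dependents would explain the change to the next reader.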
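Review bot: The new `if (msize > max_u_size) max_u_size = msize;` at @@ -577 carries no comment explaining why the modulus size now bounds `base_u`; the reason (the running result `rp`, up to `msize` limbs, is later copied into `base_u` by `mpi_set_cond`) lives in a different hunk. A comment such as `/* base_u also receives rp, which can be msize limbs long. */` ties the two together. `_gcry_mpi_powm` continues outside the hunk.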
@@ -656,29 +662,31 @@ _gcry_mpi_powm (gcry_mpi_t res, count_trailing_zeros (c0, e0); e0 = (e0 >> c0) >> 1; - /* - * base_u <= precomp[e0] - * base_u_size <= precomp_size[e0] - */ - base_u_size = 0; - for (k = 0; k < (1<< (W - 1)); k++) + for (j += W - c0; j >= 0; j--) { - struct gcry_mpi w, u; - w.alloced = w.nlimbs = precomp_size[k]; - u.alloced = u.nlimbs = precomp_size[k]; - w.sign = u.sign = 0; - w.flags = u.flags = 0; - w.d = base_u; - u.d = precomp[k]; - mpi_set_cond (&w, &u, k == e0); - base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); - } + /* + * base_u <= precomp[e0] + * base_u_size <= precomp_size[e0] + */ + base_u_size = 0; + for (k = 0; k < (1<< (W - 1)); k++) + { + w.alloced = w.nlimbs = precomp_size[k]; + u.alloced = u.nlimbs = precomp_size[k]; + u.d = precomp[k]; - for (j += W - c0; j >= 0; j--) - { - mul_mod (xp, &xsize, rp, rsize, - j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize, + mpi_set_cond (&w, &u, k == e0); + base_u_size |= ( precomp_size[k] & (0UL - (k == e0)) ); + } + + w.alloced = w.nlimbs = rsize; + u.alloced = u.nlimbs = rsize; + u.d = rp; + mpi_set_cond (&w, &u, j != 0); + base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0))); + + mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, mp, msize, &karactx); tp = rp; rp = xp; xp = tp; rsize = xsize; debian/patches/CVE-2017-7526-3.patch0000644000000000000000000001025013126433164013404 0ustar From a9f612def801c8145d551d995475e5d51a4c988c Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Thu, 29 Jun 2017 11:48:44 +0900 Subject: [PATCH] rsa: Add exponent blinding. * cipher/rsa.c (secret): Blind secret D with randomized nonce R for mpi_powm computation. -- Co-authored-by: Werner Koch 
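Review bot: `base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0)));` and the matching `0UL - (k == e0)` mask at @@ -656 mix `unsigned long` with `mpi_size_t`, so the result is converted back implicitly; this is fine for the non-negative sizes used here, but a local `mpi_size_t mask` (or an explicit cast) would make the width and the conversion obvious. The precomp selection loop now runs on every `j` iteration although its result does not depend on `j`; a comment such as `/* Re-select on every step so that squaring and multiplying perform the same work. */` would record that this is deliberate, as the commit message states. The enclosing loop of `_gcry_mpi_powm` continues outside the hunk.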
Signed-off-by: NIIBE Yutaka The paper describing the attack: https://eprint.iacr.org/2017/627 Sliding right into disaster: Left-to-right sliding windows leak by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and Christine van Vredendaal and Yuval Yarom It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery attack against RSA. Specifically, 4-bit sliding windows leak only 40% of the bits, and 5-bit sliding windows leak only 33% of the bits. In this paper we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion. We show for the first time that the direction of the encoding matters: the pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about exponent bits than for right-to-left. We show how to incorporate this additional information into the Heninger-Shacham algorithm for partial key reconstruction, and use it to obtain very efficient full key recovery for RSA-1024. We also provide strong evidence that the same attack works for RSA-2048 with only moderately more computation. Exponent blinding is a kind of workaround that adds noise. The signal (leak) is still present in a non-constant-time implementation. 
(backported from master commit: 8725c99ffa41778f382ca97233183bcd687bb0ce) --- cipher/rsa.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) Index: libgcrypt11-1.5.3/cipher/rsa.c =================================================================== --- libgcrypt11-1.5.3.orig/cipher/rsa.c 2017-07-03 08:20:00.697478903 -0400 +++ libgcrypt11-1.5.3/cipher/rsa.c 2017-07-03 08:20:00.673478904 -0400 
@@ -711,15 +711,33 @@ secret(gcry_mpi_t output, gcry_mpi_t inp gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); gcry_mpi_t h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); + gcry_mpi_t D_blind = mpi_alloc_secure ( mpi_get_nlimbs(skey->n) + 1 ); + gcry_mpi_t r; + unsigned int r_nbits; - /* m1 = c ^ (d mod (p-1)) mod p */ + r_nbits = mpi_get_nbits (skey->p) / 4; + if (r_nbits < 96) + r_nbits = 96; + r = mpi_alloc_secure ((r_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB); + + /* d_blind = (d mod (p-1)) + (p-1) * r */ + /* m1 = c ^ d_blind mod p */ + _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM); + mpi_set_highbit (r, r_nbits - 1); mpi_sub_ui( h, skey->p, 1 ); - mpi_fdiv_r( h, skey->d, h ); - mpi_powm( m1, input, h, skey->p ); - /* m2 = c ^ (d mod (q-1)) mod q */ + mpi_mul ( D_blind, h, r ); + mpi_fdiv_r ( h, skey->d, h ); + mpi_add ( D_blind, D_blind, h ); + mpi_powm( m1, input, D_blind, skey->p ); + /* d_blind = (d mod (q-1)) + (q-1) * r */ + /* m2 = c ^ d_blind mod q */ + _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM); + mpi_set_highbit (r, r_nbits - 1); mpi_sub_ui( h, skey->q, 1 ); - mpi_fdiv_r( h, skey->d, h ); - mpi_powm( m2, input, h, skey->q ); + mpi_mul ( D_blind, h, r ); + mpi_fdiv_r ( h, skey->d, h ); + mpi_add ( D_blind, D_blind, h ); + mpi_powm( m2, input, D_blind, skey->q ); /* h = u * ( m2 - m1 ) mod q */ mpi_sub( h, m2, m1 ); if ( mpi_is_neg( h ) ) debian/patches/no-global-init-thread-callbacks.diff0000644000000000000000000000036312245441320017443 0ustar --- a/src/global.c +++ b/src/global.c @@ -445,8 +445,6 @@ case GCRYCTL_SET_THREAD_CBS: err = ath_install (va_arg (arg_ptr, void *), any_init_done); - if (! err) - global_init (); break; case GCRYCTL_FAST_POLL: debian/patches/CVE-2016-6313-1.patch0000644000000000000000000001164012755120504013374 0ustar From 98980e2fd29ad62903c78fa6521489fce651cdda Mon Sep 17 00:00:00 2001 
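Review bot: Nothing in this hunk releases `r` or `D_blind`, both allocated with `mpi_alloc_secure` at its top, and the rest of `secret()` is outside the hunk; if the existing cleanup path does not free them, `mpi_free (D_blind); mpi_free (r);` belongs there. The choice of `GCRY_WEAK_RANDOM` for the blinding nonce deserves a comment on why that level suffices, e.g. `/* R only needs to be unpredictable, not cryptographically strong. */`. `r_nbits` is derived from `skey->p` alone and reused for the `q` branch, which assumes p and q are of similar size; stating that assumption in a comment would help.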
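Review bot: The hunk in src/global.c removes the `global_init ()` call after `ath_install` for `GCRYCTL_SET_THREAD_CBS` with no description of why, and the patch carries no DEP-3 header at all. A `Description:` block stating the motivation (plus `Origin:`/`Forwarded:` as the other Debian patches have) would let a future maintainer judge whether the change is still needed, and a code comment at the `break;` such as `/* Initialization is deliberately not run here; see <reason placeholder>. */` with the real reason filled in would document the behaviour change at the site itself.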
From: Werner Koch Date: Mon, 8 Aug 2016 12:08:43 +0200 Subject: [PATCH] random: Improve the diagram showing the random mixing * random/random-csprng.c (mix_pool): Use DIGESTLEN instead of 20. -- Signed-off-by: Werner Koch --- random/random-csprng.c | 92 +++++++++++++++++++++++++++----------------------- 1 file changed, 50 insertions(+), 42 deletions(-) diff --git a/random/random-csprng.c b/random/random-csprng.c index 096a674..10952d5 100644 --- a/random/random-csprng.c +++ b/random/random-csprng.c 
@@ -561,41 +561,49 @@ _gcry_rngcsprng_randomize (void *buffer, size_t length, /* - Mix the pool: - - |........blocks*20byte........|20byte|..44byte..| - <..44byte..> <20byte> - | | - | +------+ - +---------------------------|----------+ - v v - |........blocks*20byte........|20byte|..44byte..| - <.....64bytes.....> - | - +----------------------------------+ - Hash - v - |.............................|20byte|..44byte..| - <20byte><20byte><..44byte..> - | | - | +---------------------+ - +-----------------------------+ | - v v - |.............................|20byte|..44byte..| - <.....64byte......> - | - +-------------------------+ - Hash - v - |.............................|20byte|..44byte..| - <20byte><20byte><..44byte..> - - and so on until we did this for all blocks. - - To better protect against implementation errors in this code, we - xor a digest of the entire pool into the pool before mixing. - - Note: this function must only be called with a locked pool. + * Mix the 600 byte pool. Note that the 64 byte scratch area directly + * follows the pool. The numbers in the diagram give the number of + * bytes. + * <................600...............> <.64.> + * pool |------------------------------------| |------| + * <..44..> <20> + * | | + * | +-----+ + * +-----------------------------------|--+ + * v v + * |------| + * + * | + * +---------------------------------------+ + * v + * <20> + * pool' |------------------------------------| + * <20><20><..44..> + * | | + * | +------------------------------+ + * +-------------------------------------+ | + * v v + * |------| + * + * | + * +-----------------------------------+ + * v + * <20> + * pool'' |------------------------------------| + * <20><20><20><..44..> + * | | + * | +--------------------------+ + * +---------------------------------+ | + * v v + * |------| + * + * + * and so on until we did this for all 30 blocks. 
+ * + * To better protect against implementation errors in this code, we + * xor a digest of the entire pool into the pool before mixing. + * + * Note: this function must only be called with a locked pool. */ static void mix_pool(unsigned char *pool) @@ -617,14 +625,14 @@ mix_pool(unsigned char *pool) /* Loop over the pool. */ pend = pool + POOLSIZE; - memcpy(hashbuf, pend - DIGESTLEN, DIGESTLEN ); - memcpy(hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN); - _gcry_rmd160_mixblock( &md, hashbuf); - memcpy(pool, hashbuf, 20 ); + memcpy (hashbuf, pend - DIGESTLEN, DIGESTLEN ); + memcpy (hashbuf+DIGESTLEN, pool, BLOCKLEN-DIGESTLEN); + _gcry_rmd160_mixblock (&md, hashbuf); + memcpy (pool, hashbuf, DIGESTLEN); if (failsafe_digest_valid && pool == rndpool) { - for (i=0; i < 20; i++) + for (i=0; i < DIGESTLEN; i++) pool[i] ^= failsafe_digest[i]; } @@ -648,8 +656,8 @@ mix_pool(unsigned char *pool) } } - _gcry_rmd160_mixblock ( &md, hashbuf); - memcpy(p, hashbuf, 20 ); + _gcry_rmd160_mixblock (&md, hashbuf); + memcpy(p, hashbuf, DIGESTLEN); } /* Our hash implementation does only leave small parts (64 bytes) -- 2.8.0.rc3 debian/patches/CVE-2018-0495.patch0000644000000000000000000000461613311736425013256 0ustar Backport of: From 9010d1576e278a4274ad3f4aa15776c28f6ba965 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Wed, 13 Jun 2018 15:28:58 +0900 Subject: [PATCH] ecc: Add blinding for ECDSA. * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with randomized nonce B. -- Reported-by: Keegan Ryan CVE-id: CVE-2018-0495 Signed-off-by: NIIBE Yutaka --- cipher/ecc-ecdsa.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) Index: libgcrypt11-1.5.3/cipher/ecc.c =================================================================== --- libgcrypt11-1.5.3.orig/cipher/ecc.c 2018-06-18 10:01:30.602096607 -0400 +++ libgcrypt11-1.5.3/cipher/ecc.c 2018-06-18 10:09:06.655078752 -0400 
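Review bot: The rewritten diagram at @@ -561 hardcodes 600, 64, 20, 44 and 30 in prose, while the code it documents uses `POOLSIZE`, `BLOCKLEN` and `DIGESTLEN`; naming the macros alongside the numbers, e.g. `Mix the POOLSIZE (600) byte pool; the BLOCKLEN (64) byte scratch area directly follows it`, keeps the picture honest if those constants ever change. The same motivation drove the `20` to `DIGESTLEN` replacements at @@ -617 and @@ -648, so the comment should follow suit.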
@@ -715,11 +715,25 @@ sign (gcry_mpi_t input, ECC_secret_key * gpg_err_code_t err = 0; gcry_mpi_t k, dr, sum, k_1, x; mpi_point_t I; + unsigned int qbits; mpi_ec_t ctx; + gcry_mpi_t b; /* Random number needed for blinding. */ + gcry_mpi_t bi; /* multiplicative inverse of B. */ if (DBG_CIPHER) log_mpidump ("ecdsa sign hash ", input ); + qbits = mpi_get_nbits (skey->E.n); + + b = mpi_snew (qbits); + bi = mpi_snew (qbits); + do + { + _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM); + mpi_mod (b, b, skey->E.n); + } + while (!mpi_invm (bi, b, skey->E.n)); + k = NULL; dr = mpi_alloc (0); sum = mpi_alloc (0); @@ -752,8 +766,11 @@ sign (gcry_mpi_t input, ECC_secret_key * } mpi_mod (r, x, skey->E.n); /* r = x mod n */ } - mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n */ - mpi_addm (sum, input, dr, skey->E.n); /* sum = hash + (d*r) mod n */ + mpi_mulm (dr, b, skey->d, skey->E.n); + mpi_mulm (dr, dr, r, skey->E.n); /* dr = d*r mod n (blinded with b) */ + mpi_mulm (sum, b, input, skey->E.n); + mpi_addm (sum, sum, dr, skey->E.n); /* sum = hash + (d*r) mod n (blinded with b) */ + mpi_mulm (sum, bi, sum, skey->E.n); /* undo blinding by b^-1 */ mpi_invm (k_1, k, skey->E.n); /* k_1 = k^(-1) mod n */ mpi_mulm (s, k_1, sum, skey->E.n); /* s = k^(-1)*(hash+(d*r)) mod n */ } @@ -765,6 +782,8 @@ sign (gcry_mpi_t input, ECC_secret_key * } leave: + mpi_free (b); + mpi_free (bi); _gcry_mpi_ec_free (ctx); point_free (&I); mpi_free (x); debian/patches/CVE-2014-3591.patch0000644000000000000000000000670012504774356013256 0ustar From 35cd81f134c0da4e7e6fcfe40d270ee1251f52c2 Mon Sep 17 00:00:00 2001 
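Review bot: The retry loop `while (!mpi_invm (bi, b, skey->E.n));` at @@ -715 relies on `mpi_invm` returning a non-zero value when the inverse exists; in this 1.5-series tree that macro may still map to a function returning `void`, in which case the expression will not compile or will not mean what is intended, so please confirm the return type in the backport target. `b` is reduced modulo `n` before inversion and can be zero with negligible probability, which the loop handles only if that return value is meaningful. A short comment above the `do`, `/* Blind d with a random invertible b; undo with bi = b^-1 afterwards. */`, would explain the loop to readers of `sign()`.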
From: Werner Koch Date: Mon, 23 Feb 2015 11:39:58 +0100 Subject: [PATCH] cipher: Use ciphertext blinding for Elgamal decryption. * cipher/elgamal.c (USE_BLINDING): New. (decrypt): Rewrite to use ciphertext blinding. -- CVE-id: CVE-2014-3591 As a countermeasure to a new side-channel attacks on sliding windows exponentiation we blind the ciphertext for Elgamal decryption. This is similar to what we are doing with RSA. This patch is a backport of the GnuPG 1.4 commit ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b. Unfortunately, the performance impact of Elgamal blinding is quite noticeable (i5-2410M CPU @ 2.30GHz TP 220): Algorithm generate 100*priv 100*public ------------------------------------------------ ELG 1024 bit - 100ms 90ms ELG 2048 bit - 330ms 350ms ELG 3072 bit - 660ms 790ms Algorithm generate 100*priv 100*public ------------------------------------------------ ELG 1024 bit - 150ms 90ms ELG 2048 bit - 520ms 360ms ELG 3072 bit - 1100ms 800ms Signed-off-by: Werner Koch (cherry picked from commit 410d70bad9a650e3837055e36f157894ae49a57d) Resolved conflicts: cipher/elgamal.c. --- cipher/elgamal.c | 49 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 5 deletions(-) diff --git a/cipher/elgamal.c b/cipher/elgamal.c index ce4be85..b2c55b3 100644 --- a/cipher/elgamal.c +++ b/cipher/elgamal.c @@ -30,6 +30,12 @@ #include "mpi.h" #include "cipher.h" +/* Blinding is used to mitigate side-channel attacks. You may undef + this to speed up the operation in case the system is secured + against physical and network mounted side-channel attacks. */ +#define USE_BLINDING 1 + + typedef struct { gcry_mpi_t p; /* prime */ 
@@ -486,12 +492,45 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) static void decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) { - gcry_mpi_t t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) ); + gcry_mpi_t t1, t2, r; + unsigned int nbits = mpi_get_nbits (skey->p); + + mpi_normalize (a); + mpi_normalize (b); + + t1 = mpi_snew (nbits); + +#ifdef USE_BLINDING + + t2 = mpi_snew (nbits); + r = mpi_new (nbits); + + /* We need a random number of about the prime size. The random + number merely needs to be unpredictable; thus we use level 0. */ + _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM); + + /* t1 = r^x mod p */ + mpi_powm (t1, r, skey->x, skey->p); + /* t2 = (a * r)^-x mod p */ + mpi_mulm (t2, a, r, skey->p); + mpi_powm (t2, t2, skey->x, skey->p); + mpi_invm (t2, t2, skey->p); + /* t1 = (t1 * t2) mod p*/ + mpi_mulm (t1, t1, t2, skey->p); + + mpi_free (r); + mpi_free (t2); + +#else /*!USE_BLINDING*/ /* output = b/(a^x) mod p */ - gcry_mpi_powm( t1, a, skey->x, skey->p ); - mpi_invm( t1, t1, skey->p ); - mpi_mulm( output, b, t1, skey->p ); + mpi_powm (t1, a, skey->x, skey->p); + mpi_invm (t1, t1, skey->p); + +#endif /*!USE_BLINDING*/ + + mpi_mulm (output, b, t1, skey->p); + #if 0 if( DBG_CIPHER ) { @@ -502,7 +541,7 @@ decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) log_mpidump("elg decrypted M= ", output); } #endif - mpi_free(t1); + mpi_free (t1); } -- 2.1.4 debian/patches/CVE-2017-7526-4.patch0000644000000000000000000000155613126433301013407 0ustar From aff5fd0f2650e24cf99efcd7b499627ea48782c3 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Thu, 29 Jun 2017 12:36:27 +0900 Subject: [PATCH] rsa: Fix exponent blinding. * cipher/rsa.c (secret): Free D_BLIND. -- Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c 
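Review bot: The blinding factor `r` is allocated with `mpi_new` (ordinary memory) while `t1`/`t2` use `mpi_snew`; if `r` can be read from ordinary heap or swap the blinding no longer hides the input to the secret-exponent operations, so `mpi_snew (nbits)` for `r` is the more conservative choice unless that threat is explicitly out of scope. The inverse `mpi_invm (t2, t2, skey->p)` is unchecked; `a*r` is zero modulo p only if `r` is, which is negligible for an nbits-wide random value, but a comment saying so would preempt the question. The `#if 0` debugging block at the end of `decrypt()` is left in place and could go.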
Signed-off-by: NIIBE Yutaka --- cipher/rsa.c | 1 + 1 file changed, 1 insertion(+) Index: libgcrypt11-1.5.3/cipher/rsa.c =================================================================== --- libgcrypt11-1.5.3.orig/cipher/rsa.c 2017-07-03 08:21:19.429475187 -0400 +++ libgcrypt11-1.5.3/cipher/rsa.c 2017-07-03 08:21:19.265475195 -0400 @@ -747,6 +747,7 @@ secret(gcry_mpi_t output, gcry_mpi_t inp mpi_mul ( h, h, skey->p ); mpi_add ( output, m1, h ); + mpi_free ( D_blind ); mpi_free ( h ); mpi_free ( m1 ); mpi_free ( m2 ); debian/patches/15_multiarchpath_in_-L.diff0000644000000000000000000000144412156131214015636 0ustar Description: Do not print standard multiarch path {/usr,}/lib/i386-linux-gnu are in the standard search path, there is no need to explicitely point gcc there with a -L argument. Also we are installing the actual library and the so-symlink in different locations which makes this incorrect no matter which one we choose. Origin: vendor Forwarded: not-needed --- libgcrypt11-1.5.2.orig/src/libgcrypt-config.in +++ libgcrypt11-1.5.2/src/libgcrypt-config.in @@ -154,7 +154,7 @@ if test "$echo_libs" = "yes"; then libs_final="$libs" # Set up `libdirs'. - if test "x$libdir" != "x/usr/lib" -a "x$libdir" != "x/lib"; then + if test "x$libdir" != "x/usr/lib" -a "x$libdir" != "x/lib" -a "x$libdir" != "x/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH`" ; then libdirs="-L$libdir" fi debian/patches/CVE-2014-5270.patch0000644000000000000000000003245512374645055013256 0ustar From 62e8e1283268f1d3b6d0cfb2fc4e7835bbcdaab6 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Wed, 2 Oct 2013 09:27:09 +0900 Subject: [PATCH] mpi: mpi-pow improvement. * mpi/mpi-pow.c (gcry_mpi_powm): New implementation of left-to-right k-ary exponentiation. -- 
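Review bot: The test at @@ -154 now runs `dpkg-architecture -qDEB_HOST_MULTIARCH` in backticks every time `libgcrypt-config --libs` is invoked; on a system without dpkg-dev the command fails, prints to stderr and expands to the empty string, so the comparison silently falls back to emitting `-L$libdir`. Substituting the multiarch triplet into the script at package build time, or at least appending `2>/dev/null` to the backtick command, would avoid the runtime dependency and the noise. Whichever is chosen, a comment in the script saying that the Debian multiarch directory is already on the default search path would explain the extra clause.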
Signed-off-by: NIIBE Yutaka For the Yarom/Falkner flush+reload cache side-channel attack, we changed the code so that it always calls the multiplication routine (even if we can skip it to get result). This results some performance regression. This change is for recovering performance with efficient algorithm. (cherry picked from commit 45aa6131e93fac89d46733b3436d960f35fb99b2) --- mpi/mpi-pow.c | 454 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 454 insertions(+) diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c index 85d6fd8..469c382 100644 --- a/mpi/mpi-pow.c +++ b/mpi/mpi-pow.c @@ -34,6 +34,14 @@ #include "longlong.h" +/* + * When you need old implementation, please add compilation option + * -DUSE_ALGORITHM_SIMPLE_EXPONENTIATION + * or expose this line: +#define USE_ALGORITHM_SIMPLE_EXPONENTIATION 1 + */ + +#if defined(USE_ALGORITHM_SIMPLE_EXPONENTIATION) /**************** * RES = BASE ^ EXPO mod MOD */ 
@@ -336,3 +344,449 @@ gcry_mpi_powm (gcry_mpi_t res, if (tspace) _gcry_mpi_free_limb_space( tspace, 0 ); } +#else +/** + * Internal function to compute + * + * X = R * S mod M + * + * and set the size of X at the pointer XSIZE_P. + * Use karatsuba structure at KARACTX_P. + * + * Condition: + * RSIZE >= SSIZE + * Enough space for X is allocated beforehand. + * + * For generic cases, we can/should use gcry_mpi_mulm. + * This function is use for specific internal case. + */ +static void +mul_mod (mpi_ptr_t xp, mpi_size_t *xsize_p, + mpi_ptr_t rp, mpi_size_t rsize, + mpi_ptr_t sp, mpi_size_t ssize, + mpi_ptr_t mp, mpi_size_t msize, + struct karatsuba_ctx *karactx_p) +{ + if( ssize < KARATSUBA_THRESHOLD ) + _gcry_mpih_mul ( xp, rp, rsize, sp, ssize ); + else + _gcry_mpih_mul_karatsuba_case (xp, rp, rsize, sp, ssize, karactx_p); + + if (rsize + ssize > msize) + { + _gcry_mpih_divrem (xp + msize, 0, xp, rsize + ssize, mp, msize); + *xsize_p = msize; + } + else + *xsize_p = rsize + ssize; +} + +#define SIZE_B_2I3 ((1 << (5 - 1)) - 1) + +/**************** + * RES = BASE ^ EXPO mod MOD + * + * To mitigate the Yarom/Falkner flush+reload cache side-channel + * attack on the RSA secret exponent, we don't use the square + * routine but multiplication. + * + * Reference: + * Handbook of Applied Cryptography + * Algorithm 14.83: Modified left-to-right k-ary exponentiation + */ +void +gcry_mpi_powm (gcry_mpi_t res, + gcry_mpi_t base, gcry_mpi_t expo, gcry_mpi_t mod) +{ + /* Pointer to the limbs of the arguments, their size and signs. */ + mpi_ptr_t rp, ep, mp, bp; + mpi_size_t esize, msize, bsize, rsize; + int msign, bsign, rsign; + /* Flags telling the secure allocation status of the arguments. */ + int esec, msec, bsec; + /* Size of the result including space for temporary values. */ + mpi_size_t size; + /* Helper. 
*/ + int mod_shift_cnt; + int negative_result; + mpi_ptr_t mp_marker = NULL; + mpi_ptr_t bp_marker = NULL; + mpi_ptr_t ep_marker = NULL; + mpi_ptr_t xp_marker = NULL; + unsigned int mp_nlimbs = 0; + unsigned int bp_nlimbs = 0; + unsigned int ep_nlimbs = 0; + unsigned int xp_nlimbs = 0; + mpi_ptr_t b_2i3[SIZE_B_2I3]; /* Pre-computed array: BASE^3, ^5, ^7, ... */ + mpi_size_t b_2i3size[SIZE_B_2I3]; + mpi_size_t W; + mpi_ptr_t base_u; + mpi_size_t base_u_size; + + esize = expo->nlimbs; + msize = mod->nlimbs; + size = 2 * msize; + msign = mod->sign; + + if (esize * BITS_PER_MPI_LIMB > 512) + W = 5; + else if (esize * BITS_PER_MPI_LIMB > 256) + W = 4; + else if (esize * BITS_PER_MPI_LIMB > 128) + W = 3; + else if (esize * BITS_PER_MPI_LIMB > 64) + W = 2; + else + W = 1; + + esec = mpi_is_secure(expo); + msec = mpi_is_secure(mod); + bsec = mpi_is_secure(base); + + rp = res->d; + ep = expo->d; + + if (!msize) + _gcry_divide_by_zero(); + + if (!esize) + { + /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0 depending + on if MOD equals 1. */ + res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1; + if (res->nlimbs) + { + RESIZE_IF_NEEDED (res, 1); + rp = res->d; + rp[0] = 1; + } + res->sign = 0; + goto leave; + } + + /* Normalize MOD (i.e. make its most significant bit set) as + required by mpn_divrem. This will make the intermediate values + in the calculation slightly larger, but the correct result is + obtained after a final reduction using the original MOD value. */ + mp_nlimbs = msec? msize:0; + mp = mp_marker = mpi_alloc_limb_space(msize, msec); + count_leading_zeros (mod_shift_cnt, mod->d[msize-1]); + if (mod_shift_cnt) + _gcry_mpih_lshift (mp, mod->d, msize, mod_shift_cnt); + else + MPN_COPY( mp, mod->d, msize ); + + bsize = base->nlimbs; + bsign = base->sign; + if (bsize > msize) + { + /* The base is larger than the module. Reduce it. + + Allocate (BSIZE + 1) with space for remainder and quotient. + (The quotient is (bsize - msize + 1) limbs.) 
*/ + bp_nlimbs = bsec ? (bsize + 1):0; + bp = bp_marker = mpi_alloc_limb_space( bsize + 1, bsec ); + MPN_COPY ( bp, base->d, bsize ); + /* We don't care about the quotient, store it above the + * remainder, at BP + MSIZE. */ + _gcry_mpih_divrem( bp + msize, 0, bp, bsize, mp, msize ); + bsize = msize; + /* Canonicalize the base, since we are going to multiply with it + quite a few times. */ + MPN_NORMALIZE( bp, bsize ); + } + else + bp = base->d; + + if (!bsize) + { + res->nlimbs = 0; + res->sign = 0; + goto leave; + } + + + /* Make BASE, EXPO and MOD not overlap with RES. */ + if ( rp == bp ) + { + /* RES and BASE are identical. Allocate temp. space for BASE. */ + gcry_assert (!bp_marker); + bp_nlimbs = bsec? bsize:0; + bp = bp_marker = mpi_alloc_limb_space( bsize, bsec ); + MPN_COPY(bp, rp, bsize); + } + if ( rp == ep ) + { + /* RES and EXPO are identical. Allocate temp. space for EXPO. */ + ep_nlimbs = esec? esize:0; + ep = ep_marker = mpi_alloc_limb_space( esize, esec ); + MPN_COPY(ep, rp, esize); + } + if ( rp == mp ) + { + /* RES and MOD are identical. Allocate temporary space for MOD.*/ + gcry_assert (!mp_marker); + mp_nlimbs = msec?msize:0; + mp = mp_marker = mpi_alloc_limb_space( msize, msec ); + MPN_COPY(mp, rp, msize); + } + + /* Copy base to the result. */ + if (res->alloced < size) + { + mpi_resize (res, size); + rp = res->d; + } + + /* Main processing. */ + { + mpi_size_t i, j; + mpi_ptr_t xp; + mpi_size_t xsize; + int c; + mpi_limb_t e; + mpi_limb_t carry_limb; + struct karatsuba_ctx karactx; + mpi_ptr_t tp; + + xp_nlimbs = msec? (2 * (msize + 1)):0; + xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec ); + + memset( &karactx, 0, sizeof karactx ); + negative_result = (ep[0] & 1) && bsign; + + /* Precompute B_2I3[], BASE^(2 * i + 3), BASE^3, ^5, ^7, ... 
*/ + if (W > 1) /* X := BASE^2 */ + mul_mod (xp, &xsize, bp, bsize, bp, bsize, mp, msize, &karactx); + for (i = 0; i < (1 << (W - 1)) - 1; i++) + { /* B_2I3[i] = BASE^(2 * i + 3) */ + if (i == 0) + { + base_u = bp; + base_u_size = bsize; + } + else + { + base_u = b_2i3[i-1]; + base_u_size = b_2i3size[i-1]; + } + + if (xsize >= base_u_size) + mul_mod (rp, &rsize, xp, xsize, base_u, base_u_size, + mp, msize, &karactx); + else + mul_mod (rp, &rsize, base_u, base_u_size, xp, xsize, + mp, msize, &karactx); + b_2i3[i] = mpi_alloc_limb_space (rsize, esec); + b_2i3size[i] = rsize; + MPN_COPY (b_2i3[i], rp, rsize); + } + + i = esize - 1; + + /* Main loop. + + Make the result be pointed to alternately by XP and RP. This + helps us avoid block copying, which would otherwise be + necessary with the overlap restrictions of + _gcry_mpih_divmod. With 50% probability the result after this + loop will be in the area originally pointed by RP (==RES->d), + and with 50% probability in the area originally pointed to by XP. 
*/ + rsign = 0; + if (W == 1) + { + rsize = bsize; + } + else + { + rsize = msize; + MPN_ZERO (rp, rsize); + } + MPN_COPY ( rp, bp, bsize ); + + e = ep[i]; + count_leading_zeros (c, e); + e = (e << c) << 1; + c = BITS_PER_MPI_LIMB - 1 - c; + + j = 0; + + for (;;) + if (e == 0) + { + j += c; + i--; + if ( i < 0 ) + { + c = 0; + break; + } + + e = ep[i]; + c = BITS_PER_MPI_LIMB; + } + else + { + int c0; + mpi_limb_t e0; + + count_leading_zeros (c0, e); + e = (e << c0); + c -= c0; + j += c0; + + if (c >= W) + { + e0 = (e >> (BITS_PER_MPI_LIMB - W)); + e = (e << W); + c -= W; + } + else + { + i--; + if ( i < 0 ) + { + e = (e >> (BITS_PER_MPI_LIMB - c)); + break; + } + + c0 = c; + e0 = (e >> (BITS_PER_MPI_LIMB - W)) + | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0)); + e = (ep[i] << (W - c0)); + c = BITS_PER_MPI_LIMB - W + c0; + } + + count_trailing_zeros (c0, e0); + e0 = (e0 >> c0) >> 1; + + for (j += W - c0; j; j--) + { + mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; + } + + if (e0 == 0) + { + base_u = bp; + base_u_size = bsize; + } + else + { + base_u = b_2i3[e0 - 1]; + base_u_size = b_2i3size[e0 -1]; + } + + mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, + mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; + + j = c0; + } + + if (c != 0) + { + j += c; + count_trailing_zeros (c, e); + e = (e >> c); + j -= c; + } + + while (j--) + { + mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; + } + + if (e != 0) + { + if ((e>>1) == 0) + { + base_u = bp; + base_u_size = bsize; + } + else + { + base_u = b_2i3[(e>>1) - 1]; + base_u_size = b_2i3size[(e>>1) -1]; + } + + mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, + mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; + + for (; c; c--) + { + mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; + } + } + + /* We 
shifted MOD, the modulo reduction argument, left + MOD_SHIFT_CNT steps. Adjust the result by reducing it with the + original MOD. + + Also make sure the result is put in RES->d (where it already + might be, see above). */ + if ( mod_shift_cnt ) + { + carry_limb = _gcry_mpih_lshift( res->d, rp, rsize, mod_shift_cnt); + rp = res->d; + if ( carry_limb ) + { + rp[rsize] = carry_limb; + rsize++; + } + } + else if (res->d != rp) + { + MPN_COPY (res->d, rp, rsize); + rp = res->d; + } + + if ( rsize >= msize ) + { + _gcry_mpih_divrem(rp + msize, 0, rp, rsize, mp, msize); + rsize = msize; + } + + /* Remove any leading zero words from the result. */ + if ( mod_shift_cnt ) + _gcry_mpih_rshift( rp, rp, rsize, mod_shift_cnt); + MPN_NORMALIZE (rp, rsize); + + _gcry_mpih_release_karatsuba_ctx (&karactx ); + for (i = 0; i < (1 << (W - 1)) - 1; i++) + _gcry_mpi_free_limb_space( b_2i3[i], esec ? b_2i3size[i] : 0 ); + } + + /* Fixup for negative results. */ + if ( negative_result && rsize ) + { + if ( mod_shift_cnt ) + _gcry_mpih_rshift( mp, mp, msize, mod_shift_cnt); + _gcry_mpih_sub( rp, mp, msize, rp, rsize); + rsize = msize; + rsign = msign; + MPN_NORMALIZE(rp, rsize); + } + gcry_assert (res->d == rp); + res->nlimbs = rsize; + res->sign = rsign; + + leave: + if (mp_marker) + _gcry_mpi_free_limb_space( mp_marker, mp_nlimbs ); + if (bp_marker) + _gcry_mpi_free_limb_space( bp_marker, bp_nlimbs ); + if (ep_marker) + _gcry_mpi_free_limb_space( ep_marker, ep_nlimbs ); + if (xp_marker) + _gcry_mpi_free_limb_space( xp_marker, xp_nlimbs ); +} +#endif -- 1.7.10.4 debian/patches/CVE-2017-7526-1.patch0000644000000000000000000001224513126433031013401 0ustar From fbd10abc057453789017f11c7f1fc8e6c61b79a3 Mon Sep 17 00:00:00 2001 
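Review bot: `#define SIZE_B_2I3 ((1 << (5 - 1)) - 1)` hardcodes the literal 5 that must match the largest window size chosen by the `W = 5` ladder inside `gcry_mpi_powm`; a named maximum-window constant used by both, or at least a comment at the define pointing at that ladder, would keep the two from diverging. The new header comment describes only the flush+reload countermeasure, while the table access `b_2i3[e0 - 1]` and the `if (e0 == 0)` branch still make memory access and control flow depend on the exponent window value; the comment should state that limitation so readers do not assume the routine is constant-time. The typo in mul_mod's comment, `This function is use for specific internal case`, should read `This function is used for a specific internal case`.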
From: NIIBE Yutaka Date: Tue, 4 Apr 2017 17:38:05 +0900 Subject: [PATCH] mpi: Simplify mpi_powm. * mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop. -- This fix is not a solution for the problem reported (yet). The problem is that the current algorithm of _gcry_mpi_powm depends on exponent and some information leaks is possible. Reported-by: Andreas Zankl Signed-off-by: NIIBE Yutaka (backport from master commit: 719468e53133d3bdf12156c5bfdea2bf15f9f6f1) --- mpi/mpi-pow.c | 105 +++++++++++++++++----------------------------------------- 1 file changed, 30 insertions(+), 75 deletions(-) Index: libgcrypt20-1.6.5/mpi/mpi-pow.c =================================================================== --- libgcrypt20-1.6.5.orig/mpi/mpi-pow.c 2017-07-03 08:16:07.341489918 -0400 +++ libgcrypt20-1.6.5/mpi/mpi-pow.c 2017-07-03 08:16:07.341489918 -0400 @@ -613,12 +613,8 @@ _gcry_mpi_powm (gcry_mpi_t res, if (e == 0) { j += c; - i--; - if ( i < 0 ) - { - c = 0; - break; - } + if ( --i < 0 ) + break; e = ep[i]; c = BITS_PER_MPI_LIMB; @@ -633,38 +629,33 @@ _gcry_mpi_powm (gcry_mpi_t res, c -= c0; j += c0; + e0 = (e >> (BITS_PER_MPI_LIMB - W)); if (c >= W) - { - e0 = (e >> (BITS_PER_MPI_LIMB - W)); - e = (e << W); - c -= W; - } + c0 = 0; else { - i--; - if ( i < 0 ) + if ( --i < 0 ) { - e = (e >> (BITS_PER_MPI_LIMB - c)); - break; + e0 = (e >> (BITS_PER_MPI_LIMB - c)); + j += c - W; + goto last_step; + } + else + { + c0 = c; + e = ep[i]; + c = BITS_PER_MPI_LIMB; + e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0))); } - - c0 = c; - e0 = (e >> (BITS_PER_MPI_LIMB - W)) - | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0)); - e = (ep[i] << (W - c0)); - c = BITS_PER_MPI_LIMB - W + c0; } + e = e << (W - c0); + c -= (W - c0); + + last_step: count_trailing_zeros (c0, e0); e0 = (e0 >> c0) >> 1; - for (j += W - c0; j; j--) - { - mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - } - /* * base_u <= precomp[e0] * base_u_size <= precomp_size[e0] 
@@ -681,25 +672,23 @@ _gcry_mpi_powm (gcry_mpi_t res, u.d = precomp[k]; mpi_set_cond (&w, &u, k == e0); - base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); + base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); } - mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, - mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; + for (j += W - c0; j >= 0; j--) + { + mul_mod (xp, &xsize, rp, rsize, + j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize, + mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; + } j = c0; + if ( i < 0 ) + break; } - if (c != 0) - { - j += c; - count_trailing_zeros (c, e); - e = (e >> c); - j -= c; - } - while (j--) { mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); @@ -707,40 +696,6 @@ _gcry_mpi_powm (gcry_mpi_t res, rsize = xsize; } - if (e != 0) - { - /* - * base_u <= precomp[(e>>1)] - * base_u_size <= precomp_size[(e>>1)] - */ - base_u_size = 0; - for (k = 0; k < (1<< (W - 1)); k++) - { - struct gcry_mpi w, u; - w.alloced = w.nlimbs = precomp_size[k]; - u.alloced = u.nlimbs = precomp_size[k]; - w.sign = u.sign = 0; - w.flags = u.flags = 0; - w.d = base_u; - u.d = precomp[k]; - - mpi_set_cond (&w, &u, k == (e>>1)); - base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) ); - } - - mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, - mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - - for (; c; c--) - { - mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - } - } - /* We shifted MOD, the modulo reduction argument, left MOD_SHIFT_CNT steps. Adjust the result by reducing it with the original MOD. debian/patches/CVE-2017-7526-5.patch0000644000000000000000000000153213126433310013402 0ustar From 312101e1f266314b4391fcdbe11c03de5c147e38 Mon Sep 17 00:00:00 2001 
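Review bot: The new loop `for (j += W - c0; j >= 0; j--)` folds the final multiply into the squaring loop through the operand selection `j == 0 ? base_u : rp`, `j == 0 ? base_u_size : rsize`, and nothing in the hunk says so; a comment above it such as `/* j squarings, then one multiply by the window value on the last (j == 0) iteration.  */` would spare the next reader working it out from the ternaries. As the commit message itself states, this is a restructuring rather than the fix: the operand choice is still driven by exponent-derived state, and the changelog lists CVE-2017-7526-2 ("use same computation for square and multiply") as the follow-up that addresses that. The enclosing loop begins outside this hunk.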
From: NIIBE Yutaka Date: Thu, 29 Jun 2017 12:40:19 +0900 Subject: [PATCH] rsa: More fix. * cipher/rsa.c (secret): Free R. -- Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c Signed-off-by: NIIBE Yutaka --- cipher/rsa.c | 1 + 1 file changed, 1 insertion(+) Index: libgcrypt11-1.5.3/cipher/rsa.c =================================================================== --- libgcrypt11-1.5.3.orig/cipher/rsa.c 2017-07-03 08:21:25.889474882 -0400 +++ libgcrypt11-1.5.3/cipher/rsa.c 2017-07-03 08:21:25.873474883 -0400 @@ -747,6 +747,7 @@ secret(gcry_mpi_t output, gcry_mpi_t inp mpi_mul ( h, h, skey->p ); mpi_add ( output, m1, h ); + mpi_free ( r ); mpi_free ( D_blind ); mpi_free ( h ); mpi_free ( m1 ); debian/patches/add_gcry_divide_by_zero.patch0000644000000000000000000000510212374645046016500 0ustar From 6c3598f1f6a6f2548b60a31ce3c0dd9885558a4f Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 14 Aug 2012 18:54:40 -0400 Subject: [PATCH] Replace deliberate division by zero with _gcry_divide_by_zero. * mpi/mpi-pow.c: Replace 1 / msize. * mpi/mpih-div.c: Replace 1 / dsize. * src/misc.c: Add _gcry_divide_by_zero. -- 1) Division by zero doesn't "provoke a signal" on architectures like PowerPC. 2) C compilers like clang will optimize away these divisions, even though the code tries "to make the compiler not remove" them. This patch redirects these cases to _gcry_divide_by_zero. (cherry picked from commit 2c54c4da19d3a79e9f749740828026dd41f0521a) --- mpi/mpi-pow.c | 2 +- mpi/mpih-div.c | 5 ++--- src/g10lib.h | 2 ++ src/misc.c | 8 ++++++++ 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c index a63fc6d..85d6fd8 100644 --- a/mpi/mpi-pow.c +++ b/mpi/mpi-pow.c @@ -77,7 +77,7 @@ gcry_mpi_powm (gcry_mpi_t res, ep = expo->d; if (!msize) - msize = 1 / msize; /* Provoke a signal. */ + _gcry_divide_by_zero(); if (!esize) { diff --git a/mpi/mpih-div.c b/mpi/mpih-div.c index 224b810..b33dcbf 100644 --- a/mpi/mpih-div.c +++ b/mpi/mpih-div.c 
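Review bot: The new `_gcry_divide_by_zero();` under `if (!msize)` carries no comment where the removed line at least said what it was for, and the `if (!esize)` test that follows is reachable only if that call never returns; a trailing `/* does not return */` would make the dependency visible, given that the g10lib.h hunk declares the function with `JNLIB_GCC_A_NR`. The `case 0:` site in the mpih-div.c hunk has the same issue and additionally adds a `break;` that is unreachable for the same reason, which reads as though the function might return. `gcry_mpi_powm` continues outside the hunk.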
@@ -212,9 +212,8 @@ _gcry_mpih_divrem( mpi_ptr_t qp, mpi_size_t qextra_limbs, switch(dsize) { case 0: - /* We are asked to divide by zero, so go ahead and do it! (To make - the compiler not remove this statement, return the value.) */ - return 1 / dsize; + _gcry_divide_by_zero(); + break; case 1: { diff --git a/src/g10lib.h b/src/g10lib.h index 30706a2..9e017b1 100644 --- a/src/g10lib.h +++ b/src/g10lib.h @@ -101,6 +101,8 @@ void _gcry_bug (const char *file, int line); void _gcry_assert_failed (const char *expr, const char *file, int line); #endif +void _gcry_divide_by_zero (void) JNLIB_GCC_A_NR; + const char *_gcry_gettext (const char *key) GCC_ATTR_FORMAT_ARG(1); void _gcry_fatal_error(int rc, const char *text ) JNLIB_GCC_A_NR; void _gcry_log( int level, const char *fmt, ... ) JNLIB_GCC_A_PRINTF(2,3); diff --git a/src/misc.c b/src/misc.c index 17bd546..ed72ed6 100644 --- a/src/misc.c +++ b/src/misc.c @@ -19,6 +19,7 @@ */ #include +#include #include #include #include 
@@ -296,3 +297,10 @@ _gcry_burn_stack (int bytes) if (bytes > 0) _gcry_burn_stack (bytes); } + +void +_gcry_divide_by_zero (void) +{ + gpg_err_set_errno (EDOM); + _gcry_fatal_error (gpg_err_code_from_errno (errno), "divide by zero"); +} -- 1.7.10.4 debian/libgcrypt11-doc.doc-base0000644000000000000000000000064211627221436013477 0ustar Document: gcrypt Title: The Libgcrypt Reference Manual Author: Werner Koch, Moritz Schulte Abstract: gcrypt library manual Section: Programming/C Format: HTML Index: /usr/share/doc/libgcrypt11-doc/html/index.html Files: /usr/share/doc/libgcrypt11-doc/html/* Format: PostScript Files: /usr/share/doc/libgcrypt11-doc/gcrypt.ps.gz Format: Info Index: /usr/share/info/gcrypt.info.gz Files: /usr/share/info/gcrypt.info* debian/compat0000644000000000000000000000000212161575226010373 0ustar 9 debian/copyright0000644000000000000000000001710312155060673011130 0ustar This package was debianized by Ivo Timmermans on Fri, 3 Aug 2001 10:02:38 +0200. It was taken over by Matthias Urlichs , and is now maintained by Andreas Metzler Eric Dorland , James Westby It was downloaded from http://ftp.gnupg.org/gcrypt/libgcrypt/. Up to end of 2012 libgcrypt copyright was owned solely by FSF, since then contributions without copyright assignment to the FSF have been integrated. Upstream Authors (from AUTHORS) -------------------------------------------- Authors with a FSF copyright assignment ======================================= GNUPG Werner Koch 1998-02-23 Assigns GNU Privacy Guard and future changes. Assignment for future changes terminated on 2012-12-04. wk@gnupg.org Designed and implemented GnuPG. GNUPG Matthew Skala 1998-08-10 Disclaims changes. mskala@ansuz.sooke.bc.ca Wrote cipher/twofish.c. GNUPG Natural Resources Canada 1998-08-11 Disclaims changes by Matthew Skala. GNUPG Michael Roth Germany 1998-09-17 Assigns changes. mroth@nessie.de Wrote cipher/des.c. Changes and bug fixes all over the place. GNUPG Niklas Hernaeus 1998-09-18 Disclaims changes. 
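Review bot: `_gcry_divide_by_zero` is introduced without a comment, and the reason for replacing the old `1 / x` idiom with a call — given only in the commit message — belongs at the definition so that nobody reintroduces a literal division; suggested header: `/* Deliberate abort for a division by zero.  A literal 1/0 does not trap on every architecture (e.g. PowerPC) and compilers such as clang may remove it entirely, so raise a fatal error explicitly.  */`. The definition itself has no noreturn attribute and relies on the `JNLIB_GCC_A_NR` declaration in the g10lib.h hunk plus `_gcry_fatal_error` being declared `JNLIB_GCC_A_NR`, which matches how the header's other fatal helpers are declared. Setting errno with `gpg_err_set_errno (EDOM)` and reading it back through `gpg_err_code_from_errno (errno)` on the next line works, though passing `EDOM` to `gpg_err_code_from_errno` directly would avoid the round trip through errno.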
nh@df.lth.se Weak key patches. GNUPG Rémi Guyomarch 1999-05-25 Assigns past and future changes. (g10/compress.c, g10/encr-data.c, g10/free-packet.c, g10/mdfilter.c, g10/plaintext.c, util/iobuf.c) rguyom@mail.dotcom.fr ANY g10 Code GmbH 2001-06-07 Assignment for future changes in Libgcrypt terminated on 2012-12-04. Code marked with ChangeLog entries of g10 Code employees. LIBGCRYPT Timo Schulz 2001-08-31 Assigns past and future changes. twoaday@freakmail.de LIBGCRYPT Simon Josefsson 2002-10-25 Assigns past and future changes to FSF (cipher/{md4,crc}.c, CTR mode, CTS/MAC flags, self test improvements) simon@josefsson.org LIBGCRYPT Moritz Schulte 2003-04-17 Assigns past and future changes. moritz@g10code.com GNUTLS Nikolaos Mavrogiannopoulos 2003-11-22 nmav@gnutls.org Original code for cipher/rfc2268.c. LIBGCRYPT The Written Word 2005-04-15 Assigns past and future changes. (new: src/libgcrypt.pc.in, src/Makefile.am, src/secmem.c, mpi/hppa1.1/mpih-mul3.S, mpi/hppa1.1/udiv-qrnnd.S, mpi/hppa1.1/mpih-mul2.S, mpi/hppa1.1/mpih-mul1.S, mpi/Makefile.am, tests/prime.c, tests/register.c, tests/ac.c, tests/basic.c, tests/tsexp.c, tests/keygen.c, tests/pubkey.c, configure.ac, acinclude.m4) LIBGCRYPT Brad Hards 2006-02-09 Assigns Past and Future Changes bradh@frogmouth.net (Added OFB mode. Changed cipher/cipher.c, test/basic.c doc/gcrypt.tex. added SHA-224, changed cipher/sha256.c, added HMAC tests.) LIBGCRYPT Hye-Shik Chang 2006-09-07 Assigns Past and Future Changes perky@freebsd.org (SEED cipher) LIBGCRYPT Werner Dittmann 2009-05-20 Assigns Past and Future Changes werner.dittmann@t-online.de (mpi/amd64, tests/mpitests.c) GNUPG David Shaw Assigns past and future changes. 
dshaw@jabberwocky.com (cipher/camellia-glue.c and related stuff) LIBGCRYPT Andrey Jivsov 2010-12-09 Assigns Past and Future Changes openpgp@brainhub.org (cipher/ecc.c and related files) Authors with a DCO ================== DCO:2012-04-16:Tomas Mraz DCO:2012-04-20:Rafaël Carré DCO:2012-11-14:Jussi Kivilinna DCO:2012-12-05:Werner Koch DCO:2012-12-14:Dmitry Kasatkin DCO:2013-02-26:Christian Aistleitner More credits ============ The ATH implementation (src/ath*) has been taken from GPGME and relicensed to the LGPL by the copyright holder of GPGME (g10 Code GmbH); it is now considered to be a part of Libgcrypt. Most of the stuff in mpi has been taken from an old GMP library version by Torbjorn Granlund . The files cipher/rndunix.c and cipher/rndw32.c are based on those files from Cryptlib. Copyright Peter Gutmann, Paul Kendall, and Chris Wedgwood 1996-1999. The ECC code cipher/ecc.c was based on code by Sergi Blanch i Torne, sergi at calcurco dot org. The implementation of the Camellia cipher has been been taken from the original NTT provided GPL source. The CAVS testing program tests/cavs_driver.pl is not to be considered a part of libgcrypt proper. We distribute it merely for convenience. It has a permissive license and is copyrighted by atsec information security corporation. See the file for details. -------------------------------------------- Copyright: Most of the package is licensed under the GNU Lesser General Public License (LGPL) version 2.1 (or later), except for helper and debugging binaries. See below for details. The documentation is licensed under the GPLv2 (or later), see below. Excerpt from upstream's README: The library is distributed under the terms of the GNU Lesser General Public License (LGPL); see the file COPYING.LIB for the actual terms. The helper programs (e.g. gcryptrnd and getrandom) as well as the documentation are distributed under the terms of the GNU General Public License (GPL); see the file COPYING for the actual terms. 
This library used to be available under the GPL - this was changed with version 1.1.7 with the rationale that there are now many free crypto libraries available and many of them come with capabilities similar to Libcrypt. We decided that to foster the use of cryptography in Free Software an LGPLed library would make more sense because it avoids problems due to license incompatibilities between some Free Software licenses and the GPL. Please note that in many cases it is better for a library to be licensed under the GPL, so that it provides an advantage for free software projects. The Lesser GPL is so named because it does less to protect the freedom of the users of the code that it covers. See http://www.gnu.org/philosophy/why-not-lgpl.html for more explanation. An example of the license headers of the LGPL is ------------- Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2006 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. This file is part of Libgcrypt. Libgcrypt is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. Libgcrypt is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this program; if not, see . ------------- On Debian GNU/Linux systems, the complete text of the GNU Lesser General Public License can be found in `/usr/share/common-licenses/LGPL'; The documentation licensed under the GPL ------------- Copyright @copyright{} 2000, 2002, 2003, 2004, 2006, 2007, 2008, 2009 Free Software Foundation, Inc. 
@quotation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. The text of the license can be found in the section entitled ``GNU General Public License''. ------------- On Debian GNU/Linux systems, the text of the GNU General Public License, version 2 can be found in `/usr/share/common-licenses/GPL-2'. debian/libgcrypt11.install0000644000000000000000000000003311627221436012717 0ustar debian/tmp/lib/*/lib*.so.* debian/source/0000755000000000000000000000000012204724655010475 5ustar debian/source/format0000644000000000000000000000001411627221436011700 0ustar 3.0 (quilt) debian/dumpsexp.80000644000000000000000000000227311627221436011134 0ustar .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.36. .TH DUMPSEXP "1" "October 2007" "dumpsexp (Libgcrypt) 1.3.1" "User Commands" .SH NAME dumpsexp \- Debug tool for S-expressions .SH SYNOPSIS .B dumpsexp [\fIOPTIONS\fR] [\fIfile\fR] .SH DESCRIPTION dumpsexp (Libgcrypt) 1.3.1 Copyright (C) 2007 Free Software Foundation, Inc. License GPLv2+: GNU GPL version 2 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. .PP Debug tool for S\-expressions .TP \fB\-\-decimal\fR Print offsets using decimal notation .TP \fB\-\-assume\-hex\fR Assume input is a hex dump .TP \fB\-\-verbose\fR Show what we are doing .TP \fB\-\-version\fR Print version of the program and exit .TP \fB\-\-help\fR Display this help and exit .SH "REPORTING BUGS" Report bugs to . .SH COPYRIGHT Copyright \(co 2007 Free Software Foundation, Inc. License GPLv2+: GNU GPL version 2 or later .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. 
debian/libgcrypt11-doc.info0000644000000000000000000000002111627221436012744 0ustar doc/gcrypt.info* debian/changelog0000644000000000000000000010324113311733200011032 0ustar libgcrypt11 (1.5.3-2ubuntu4.6) trusty-security; urgency=medium * SECURITY UPDATE: memory-cache side-channel attack on ECDSA signatures - debian/patches/CVE-2018-0495.patch: add blinding for ECDSA in cipher/ecc. - CVE-2018-0495 -- Marc Deslauriers Mon, 18 Jun 2018 09:40:59 -0400 libgcrypt11 (1.5.3-2ubuntu4.5) trusty-security; urgency=medium * SECURITY UPDATE: full RSA key recovery via side-channel attack - debian/patches/CVE-2017-7526-1.patch: simplify loop in mpi/mpi-pow.c. - debian/patches/CVE-2017-7526-2.patch: use same computation for square and multiply in mpi/mpi-pow.c. - debian/patches/CVE-2017-7526-3.patch: add exponent blinding in cipher/rsa.c. - debian/patches/CVE-2017-7526-4.patch: add free to cipher/rsa.c. - debian/patches/CVE-2017-7526-5.patch: add free to cipher/rsa.c. - CVE-2017-7526 -- Marc Deslauriers Mon, 03 Jul 2017 08:21:32 -0400 libgcrypt11 (1.5.3-2ubuntu4.4) trusty-security; urgency=medium * SECURITY UPDATE: random number generator prediction - debian/patches/CVE-2016-6313-1.patch: improve the diagram showing the random mixing in random/random-csprng.c. - debian/patches/CVE-2016-6313-2.patch: hash continuous areas in the csprng pool in random/random-csprng.c. - CVE-2016-6313 -- Marc Deslauriers Wed, 17 Aug 2016 13:39:25 -0400 libgcrypt11 (1.5.3-2ubuntu4.3) trusty-security; urgency=medium * SECURITY UPDATE: side-channel attack on ECDH - debian/patches/CVE-2015-7511.patch: perform input validation in cipher/ecc.c, src/mpi.h, use constant-time multiplication in mpi/ec.c. - CVE-2015-7511 -- Marc Deslauriers Wed, 10 Feb 2016 11:03:08 -0500 libgcrypt11 (1.5.3-2ubuntu4.2) trusty-security; urgency=medium * SECURITY UPDATE: sidechannel attack on Elgamal - debian/patches/CVE-2014-3591.patch: use ciphertext blinding in cipher/elgamal.c. 
- CVE-2014-3591 * SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm - debian/patches/CVE-2015-0837.patch: avoid timing variations in mpi/mpi-pow.c, mpi/mpiutil.c, src/mpi.h. - CVE-2015-0837 -- Marc Deslauriers Thu, 26 Mar 2015 08:18:00 -0400 libgcrypt11 (1.5.3-2ubuntu4.1) trusty-security; urgency=medium * SECURITY UPDATE: side-channel attack on Elgamal encryption subkeys - debian/patches/add_gcry_divide_by_zero.patch: replace deliberate division by zero with new _gcry_divide_by_zero(). - debian/patches/CVE-2014-5270.patch: use sliding window method for exponentiation algorithm in mpi/mpi-pow.c. - CVE-2014-5270 -- Marc Deslauriers Tue, 19 Aug 2014 08:59:30 -0400 libgcrypt11 (1.5.3-2ubuntu4) trusty; urgency=medium * Move texinfo to Build-Depends. -- Matthias Klose Tue, 17 Dec 2013 13:12:52 +0100 libgcrypt11 (1.5.3-2ubuntu3) trusty; urgency=medium * Fix build failure with texinfo 5.1. -- Matthias Klose Sun, 08 Dec 2013 02:37:55 +0100 libgcrypt11 (1.5.3-2ubuntu2) trusty; urgency=low * Build using dh-autoreconf. -- Matthias Klose Wed, 04 Dec 2013 20:49:51 +0100 libgcrypt11 (1.5.3-2ubuntu1) trusty; urgency=low * Merge from Debian unstable. Remaining changes: - no-global-init-thread-callbacks.diff: Do not call global_init when setting thread callbacks -- Seth Arnold Wed, 27 Nov 2013 10:36:27 -0800 libgcrypt11 (1.5.3-2) unstable; urgency=low * Convert to dh and move building of ps and html docs to override_dh_auto_build-indep. Enable parallel building. -- Andreas Metzler Tue, 20 Aug 2013 19:21:29 +0200 libgcrypt11 (1.5.3-1) unstable; urgency=high * New upstream bugfix release. (CVE-2013-4242) -- Andreas Metzler Thu, 25 Jul 2013 14:24:43 +0200 libgcrypt11 (1.5.2-3) unstable; urgency=low * Install libgcrypt.a and libgcrypt.so to /usr. * [15_multiarchpath_in_-L.diff] Do not print -L/lib/i386-linux-gnu on "libgcrypt-config --libs". * Use debhelper v9 mode. This allows us to mark libgcrypt11-dbg Multi-Arch: same. 
-- Andreas Metzler Sun, 23 Jun 2013 15:55:26 +0200 libgcrypt11 (1.5.2-2) unstable; urgency=low * Upload to unstable. * Fix vcs-field-not-canonical lintian error by referring to anonscm instead of svn.debian.org. * Update info in debian/copyright from upstream's README, fixing typo 'teh'. * Delete some outdated and unused code in debian/rules. -- Andreas Metzler Sun, 09 Jun 2013 08:54:56 +0200 libgcrypt11 (1.5.2-1) experimental; urgency=low * New upstream version. + IDEA support added. * Move list of supported algorithms to a separate paragraph in description to decrease work-load of translators. Closes: #640261 * Move TeX-packages from b-d to Build-Depends-Indep. (Thanks, P. J. McDermott) Closes: #682597 -- Andreas Metzler Sun, 21 Apr 2013 14:31:51 +0200 libgcrypt11 (1.5.1-1) experimental; urgency=low * Point watchfile to stable release. * New upstream version. * Drop superfluous patches: 29_Fix-a-problem-with-select-and-high-fds.patch 30_Avoid-dereferencing-pointer-right-after-the-end.patch 31_Fix-segv-with-AES-NI-on-some-platforms.patch 32_libgcrypt-1.5-rinjdael-Fix-use-of-SSE2-outside-USE_A.patch * Bump version gcry_control@GCRYPT_1.2 in debian/libgcrypt11.symbols from 1.4.5 to 1.5.1 since its argument enum has a new member. 
-- Andreas Metzler Thu, 21 Mar 2013 19:43:39 +0100 libgcrypt11 (1.5.0-5) unstable; urgency=low * While we are at it also pick 29_Fix-a-problem-with-select-and-high-fds.patch LP: #1084279 -- Andreas Metzler Sun, 24 Feb 2013 18:38:55 +0100 libgcrypt11 (1.5.0-4) unstable; urgency=low * Pull patches from upstream LIBGCRYPT-1-5-BRANCH: 30_Avoid-dereferencing-pointer-right-after-the-end.patch 31_Fix-segv-with-AES-NI-on-some-platforms.patch LP: #1105758 32_libgcrypt-1.5-rinjdael-Fix-use-of-SSE2-outside-USE_A.patch Closes: #699034 -- Andreas Metzler Sun, 24 Feb 2013 17:43:09 +0100 libgcrypt11 (1.5.0-3ubuntu3) saucy; urgency=low * SECURITY UPDATE: The path of execution in an exponentiation function may depend upon secret key data, allowing a local attacker to determine the contents of the secret key through a side-channel attack. - debian/patches/CVE-2013-4242.diff: always perform the mpi_mul for exponents in secure memory. Based on upstream patch. - CVE-2013-4242 -- Seth Arnold Tue, 13 Aug 2013 08:56:30 -0400 libgcrypt11 (1.5.0-3ubuntu2.1) raring; urgency=low * Reverts previous upload since it broke graphical login with gnupg-agent installed (LP: #1076906) -- Adam Stokes Fri, 09 Nov 2012 11:09:25 -0500 libgcrypt11 (1.5.0-3ubuntu2) raring-proposed; urgency=low [Howard Chu] * debian/patches/enable-global-init-secure-memory.patch: Fix regression during disable/suspend of secure memory (LP: #1013798) -- Adam Stokes Mon, 05 Nov 2012 11:05:59 -0500 libgcrypt11 (1.5.0-3ubuntu1) quantal; urgency=low * Do not call global_init when setting thread callbacks (LP: #423252) -- Adam Stokes Tue, 15 May 2012 13:56:17 -0400 libgcrypt11 (1.5.0-3) unstable; urgency=low * Upload to unstable. * Drop 20_workaroundarmgcc.diff (1.4.6/unstable). It seems to be unnecessary with 1.5.0. * libgcrypt11 Breaks gnupg2|gpgsm (<< 2.0.17-2ubuntu2) and libgnutls26 (<< 2.12.7-3). 
See https://bugs.launchpad.net/bugs/815190 and https://lists.gnu.org/archive/html/gnutls-devel/2011-07/msg00001.html -- Andreas Metzler Thu, 01 Sep 2011 18:53:49 +0200 libgcrypt11 (1.5.0-2) experimental; urgency=low * Add a symbols file (Based on binary shipped in squeeze.) Closes: #550077 -- Andreas Metzler Fri, 19 Aug 2011 13:20:19 +0200 libgcrypt11 (1.5.0-1) experimental; urgency=low * Merge multi-arch changes (1.4.6-6 and 1.4.6-7), drop libtool la file. * Drop CFLAGS += -Wall again, it has become unnecessary. * New upstream version. * Bump shlibs -- Andreas Metzler Sat, 02 Jul 2011 12:09:09 +0200 libgcrypt11 (1.5.0~beta1-1) experimental; urgency=low * Development release. * Drop 13_ftbfs_gold.diff. (applied upstream) * Bump shlibs. * Run ./configure with --enable-static option, it is disabled by default now. * Set CFLAGS += -Wall, the latest combination of cdbs + dpkg-dev does not seem to set it by default. -- Andreas Metzler Sat, 26 Feb 2011 19:34:14 +0100 libgcrypt11 (1.4.6-9) unstable; urgency=low * Also enable the gcc bug 633458 workaround on sparc. -- Andreas Metzler Sun, 07 Aug 2011 16:56:56 +0200 libgcrypt11 (1.4.6-8) unstable; urgency=medium * [20_workaroundarmgcc.diff] Set __attribute__((noinline)) on do_decrypt_aligned() if DEB_BUILD_ARCH=arm. This works around gcc bug 633458. -- Andreas Metzler Wed, 27 Jul 2011 19:09:35 +0200 libgcrypt11 (1.4.6-7) unstable; urgency=low * Do not use multiarch path in udeb. (Thanks, Colin Watson) -- Andreas Metzler Sat, 25 Jun 2011 19:21:16 +0200 libgcrypt11 (1.4.6-6) unstable; urgency=low * Stop shipping libtool la file. This should take care of LP: #751142 * Convert to multi-arch. + configure with --libdir=/lib/$(DEB_HOST_MULTIARCH), update *.install accordingly. + Bump cdbs Build-Depends to 0.4.93 (required for expanding $(DEB_HOST_MULTIARCH)). + Bump debhelper b-d to 8.1.3 (for ${misc:Pre-Depends}). + runtime library is Multi-Arch: same and has Pre-Depends: ${misc:Pre-Depends}. 
+ This is based on 1.4.6-5ubuntu1, however some differences remain. -dbg package is not Multi-Arch: same (Due to usr/lib/debug/usr/bin/*). We ship the so-symlink in /lib/$(DEB_HOST_MULTIARCH) instead of /usr/lib/$(DEB_HOST_MULTIARCH). -- Andreas Metzler Sat, 25 Jun 2011 17:52:12 +0200 libgcrypt11 (1.4.6-5) unstable; urgency=low * Upload to unstable. -- Andreas Metzler Sat, 12 Feb 2011 16:15:28 +0100 libgcrypt11 (1.4.6-4) experimental; urgency=low * Stricter version requirement (>> 1.10-0.1 instead of >= 1.4) on the libgpg-error-dev build-dependency, to get correct dependencies in the udeb. * Use debhelper compatibility level 7. -- Andreas Metzler Sat, 15 Jan 2011 15:02:27 +0100 libgcrypt11 (1.4.6-3) experimental; urgency=low * debian/patches/13_ftbfs_gold.diff fix build failure with binutils-gold. Closes: #555179 * Add libgcrypt11-udeb. Closes: #608504 (Thanks for the patch, Jonas Meurer) * Sync with Ubuntu: - Disable tests when cross-building. - Keep la file in /usr/lib, with a symlink in /lib. -- Andreas Metzler Sat, 01 Jan 2011 14:55:59 +0100 libgcrypt11 (1.4.6-2) experimental; urgency=low * Move library to /lib. Closes: #604944 -- Andreas Metzler Sat, 11 Dec 2010 13:03:43 +0100 libgcrypt11 (1.4.6-1) experimental; urgency=low * New upstream version. * Drop debian/patches/20_ftbfsmips.diff, included upstream. * Includes tiger message-digest variant with commonly used output print order. Closes: #575038 * Interface extended (GCRY_MD_TIGER1 GCRY_MD_TIGER2 GCRY_CIPHER_MODE_AESWRAP), bump shlibs. * Policy 3.9. I have kept the conflicts for libgcrypt{,7}-{doc,dev} unchanged instead of trying to convert them to Breaks. These would only trigger on upgrades from installations older than Sarge (3.1). -- Andreas Metzler Sat, 17 Jul 2010 15:15:09 +0200 libgcrypt11 (1.4.5-2) unstable; urgency=low * Fix FTBFS on mips(el). Thank you, Aurelien Jarno. 
Closes: #561475 -- Andreas Metzler Wed, 03 Feb 2010 19:02:07 +0100 libgcrypt11 (1.4.5-1) unstable; urgency=low * New upstream version. + Does not try to use SPARC32 assembly code on SPARC64. Closes: #560028 * Drop patches included upstream: 21_cpuid.diff 20_padlock.diff. * Switch to 3.0 (quilt) format. * Update copyright stanza for documentation. * Simplify debian/rules. There should not be any reason to disable the pubkey test on specific archs anymore since GCRYCTL_ENABLE_QUICK_RANDOM is set. (#385805). Also tests/register et al. are run by upstream's check target, there is no need for manual invocation. -- Andreas Metzler Sat, 12 Dec 2009 10:44:53 +0100 libgcrypt11 (1.4.4-6) unstable; urgency=low * Sync priorities with override file, libgcrypt11 is priority standard now. * [patches/21_cpuid.diff] Fix CPUID detection. (Thank's, Ben Hutchings.) Closes: #519391 -- Andreas Metzler Sun, 29 Nov 2009 13:54:31 +0100 libgcrypt11 (1.4.4-5) unstable; urgency=low * Use makeinfo -html instead of texi2html to generate html docs. Closes: #552947 * Ship png figures used in html documentation. -- Andreas Metzler Sat, 31 Oct 2009 09:32:52 +0100 libgcrypt11 (1.4.4-4) unstable; urgency=low * Update homepage location. Closes: #540468 * Empty dependency_libs in la-file. * Stop double installing info files with both dh_install and dh_installinfo. -- Andreas Metzler Tue, 25 Aug 2009 20:24:31 +0200 libgcrypt11 (1.4.4-3) unstable; urgency=low * 20_padlock.diff: Fix stack smashing on VIA processors with Padlock RNG (patch by Tomas Mraz of Red Hat; thanks to Roberto Rosario for the archaeology, forwarded from Ubuntu by Colin Watson). Closes: #535456 * Standards-Version: 3.8.2, no changes required. * Sync section settings in control with override file. -- Andreas Metzler Sat, 04 Jul 2009 13:47:23 +0200 libgcrypt11 (1.4.4-2) unstable; urgency=low * Upload to unstable. 
-- Andreas Metzler Sat, 21 Feb 2009 13:46:58 +0100 libgcrypt11 (1.4.4-1) experimental; urgency=low * Add Simon Josefsson to uploaders. * New upstream version. * Fixes test failure on sparc. (Closes: #499542) * Lintian: Add ${misc:Depends} to all package dependencies. * Standards-Version 3.8.0, rename debian/README.source_and_patches to debian/README.source * Add Homepage field to debian/control. * Also run new fips186-dsa test at build time. -- Andreas Metzler Sat, 24 Jan 2009 15:48:32 +0100 libgcrypt11 (1.4.3-1) experimental; urgency=low * New upstream version. * Add texlive-generic-recommended to Build-Depends (needed for epsf.tex), drop tetex-bin alternatives. * New symbols added, bump shlibs. -- Andreas Metzler Thu, 18 Sep 2008 19:40:18 +0200 libgcrypt11 (1.4.1-1) unstable; urgency=low * New upstream version. - includes debian/patches/13_fixexcessiverandom.diff * Add Vcs-Svn: and Vcs-Browser control fields. * Register libgcrypt11-doc with doc-base. (Closes: #472292) * Use passive ftp instead of http in watchfile. * Fix format errors in libgcrypt-config.1 (lintian) * Stop (Build-)Depending on -0 versions (lintian) -- Andreas Metzler Sat, 26 Apr 2008 11:38:29 +0200 libgcrypt11 (1.4.0-3) unstable; urgency=low * Added debian/patches/13_fixexcessiverandom.diff: Patch by upstream reducing /dev/*random usage for initialising the RNG to less than 1/100. This bug had been introduced in 1.3.1. -- Andreas Metzler Tue, 08 Jan 2008 19:49:13 +0100 libgcrypt11 (1.4.0-2) unstable; urgency=low * Bump shlibs, new symbols added. (Should have been done in 1.4.0-1.) * B-d on libgpg-error-dev (>= 1.4). * First upload of 1.4.x to unstable, including all changes from 1.3.0-1 to 1.4.0-1: - gcrypt now uses abort() instead of exit() for critical errors (missing /dev/random) Closes: #412408 -- Andreas Metzler Wed, 12 Dec 2007 20:02:34 +0100 libgcrypt11 (1.4.0-1) experimental; urgency=low * New upstream stable version. * Standards-Version: 3.7.3. 
${binary:Version} instead of ${Source-Version}. -- Andreas Metzler Mon, 10 Dec 2007 19:14:29 +0100 libgcrypt11 (1.3.2-1) experimental; urgency=low * New upstream version. - Remove 14_ftbfs_hppa_448377.diff (already included). - gcrypt now uses abort() instead of exit() for critical errors (missing /dev/random) Closes: #412408 - Pull new copyright header from source, getting rid of old-fsf-address-in-copyright-file error. -- Andreas Metzler Thu, 6 Dec 2007 19:02:35 +0100 libgcrypt11 (1.3.1-2) experimental; urgency=low * Add patches/14_ftbfs_hppa_448377.diff to actually make use of asm routines. Fixes FTBFS on HPPA. Closes: #448377 * Make dumpsexp.8 more useful. -- Andreas Metzler Thu, 1 Nov 2007 09:02:17 +0100 libgcrypt11 (1.3.1-1) experimental; urgency=low * New upstream version. - includes dumpsexp, a tool for debugging s-expressions. Ship it in libgcrypt11-dev and add a minimal manpage (generated by help2man). * Update debian/copyright. * Change build-dep to prefer texlive-latex-base over tetex-bin. * Drop docbook-utils, docbook-to-man and jade from build-deps. * Drop 13_fixPIC.diff 14_udiv_asm_fix_1253.diff 50_re_autofoo.diff -- Andreas Metzler Fri, 26 Oct 2007 17:56:18 +0200 libgcrypt11 (1.3.0-2) experimental; urgency=low * 14_udiv_asm_fix_1253: Pulled from upstream SVN 1252:1253. Fix build-failure on hppa. (Closes: #424616) * 50_re_autofoo.diff regenerated and renamed. -- Andreas Metzler Sun, 20 May 2007 09:12:06 +0200 libgcrypt11 (1.3.0-1) experimental; urgency=low * New upstream development release 1.3.0. - includes 11_gcrypt_h_362636.patch and 13_powerpc64_284609.diff - Support for SEED cipher and SHA-224 and HMAC using SHA-384 and SHA-512. * Pulled from SVN: - 13_fixPIC.diff to fix shlib-with-non-pic-code. * run auto* 14_re_autofoo.diff * bump shlibs to 1.3.0. -- Andreas Metzler Mon, 9 Apr 2007 12:57:15 +0200 libgcrypt11 (1.2.4-2) unstable; urgency=low * Upload to unstable. * Drop -lgpg-error from libgcrypt-config --libs output. 
(Closes: #405238) * Switch to debhelper v5 mode. * New upstream version closes filehandles in gcry_rndlinux_gather_random(). (Closes: #403613) -- Andreas Metzler Mon, 9 Apr 2007 11:22:41 +0200 libgcrypt11 (1.2.4-1) experimental; urgency=low [ Andreas Metzler ] * Add a watch file. * Update download URL and example copyright statement in debian/copyright. * New upstream version. * Update patches/11_gcrypt_h_362636.patch to change gcrypt.h.in instead of gcrypt.h. -- Andreas Metzler Sat, 3 Feb 2007 13:58:51 +0100 libgcrypt11 (1.2.3-2) unstable; urgency=low [ Andreas Metzler ] * Actually the keygen test does not access /dev/random, the pubkey test is the entropy expensive one. Disable running pubkey test on arm, s390 and sparc where it caused FTBFS. Re-enable keygen on s390. (closes: #385805) -- Andreas Metzler Mon, 4 Sep 2006 19:44:50 +0200 libgcrypt11 (1.2.3-1) unstable; urgency=low [ Andreas Metzler ] * Mark libgcrypt11-dbg as Priority: extra in debian/control * New upstream version. -- Andreas Metzler Sat, 2 Sep 2006 15:13:46 +0200 libgcrypt11 (1.2.2-3) unstable; urgency=low [ Andreas Metzler ] * Don't run keygen test on s390 as the buildd seems to be entropy-starved (closes: #377526) -- Andreas Metzler Sat, 29 Jul 2006 12:54:49 +0200 libgcrypt11 (1.2.2-2) unstable; urgency=low [ James Westby ] * New maintainer team. Thanks, Matthias for all the work you did. * Set maintainer to alioth mailinglist. * Drop build-dependency on binutils (>= 2.14.90.0.7), even sarge has 2.15-6. * Standards-Version: 3.7.2, no changes required. * Clean packaging against upstream tarball. * Drop debian/*.dirs as dh_* will create the necessary directories. * Remove code from debian/rules to update config.sub and config.guess as it is handled by cdbs. Build-Depends on autotools-dev. * Pass --enable-noexecstack to ./configure (closes: #321720) * Use cdbs' simple-patchsys.mk. 
- add debian/README.source_and_patches - add debian/patches/11_gcrypt_h_362636 (closes: #362636) - add debian/patches/20_doc_gcrypt_texi_typos.patch to correct a small typo in doc/gcrypt.texi (not a new patch) * Tidied up the debian/copyright file. Noted that the documentation is now licensed under the GPL (closes: #323458) * Remove Build-Depends-Indep as it contained no packages that are not in Build-Depends. * Remove the change to doc/gcrypt.texi that rendered incorrectly. * Use symbol versioning by passing --enable-ld-version-script in DEB_CONFIGURE_EXTRA_FLAGS in debian/rules. [ Andreas Metzler ] * Add patches/13_powerpc64_284609.diff (not a new patch). * Set DEB_MAKE_CHECK_TARGET = check to run included testsuite. -- Andreas Metzler Sat, 8 Jul 2006 13:06:34 +0200 libgcrypt11 (1.2.2-1) unstable; urgency=low * Updated to new Upstream version. * Update shlibdep version to 1.2.2 * Update copyright file with pointers to the current SCM archives. -- Matthias Urlichs Tue, 18 Oct 2005 18:27:03 +0200 libgcrypt11 (1.2.1-5) unstable; urgency=low * Added shlibdep flag. Closes:#330019 * Skip tests if cross-building. Closes:#286619 * Fix the debian/copyright file. Closes:#323458 - Also add a Suggests: libgcrypt11-doc to debian/control (same bug). -- Matthias Urlichs Mon, 17 Oct 2005 19:20:23 +0200 libgcrypt11 (1.2.1-4) unstable; urgency=low * Fix HTML documentation generation (texi2html update). Closes: #318520: FTBFS: Cannot install docs -- Matthias Urlichs Mon, 18 Jul 2005 00:02:52 +0200 libgcrypt11 (1.2.1-3) unstable; urgency=low * Rewrote Description: in debian/control. Closes: #291984: DSA is not a hash function * Added Priority: important to the runtime library, because it is. * Added a missing period to doc/gcrypt.texi. Closes: #317474: install-info errors during installation * Updated Standards-Version: to 3.6.2; no changes. 
-- Matthias Urlichs Thu, 14 Jul 2005 05:55:01 +0200 libgcrypt11 (1.2.1-2) unstable; urgency=low * Fix FTBFS due to missing /usr/share/misc/config.guess file. -- Matthias Urlichs Thu, 14 Jul 2005 05:55:01 +0200 libgcrypt11 (1.2.1-1) unstable; urgency=low * Merge with Upstream: v1.2.1 Closes: #284905: FTBFS (amd64/gcc-4.0): invalid storage class for function 'serpent_test' * Add Suggests: rng-tools. Closes: #286448: should suggest rng-tools -- Matthias Urlichs Mon, 4 Jul 2005 01:06:34 +0200 libgcrypt11 (1.2.0-12) unstable; urgency=low * Suggest rng-tools (support for hardware random number generators on recent mainboards). From Marc Haber. Closes: #286448. -- Matthias Urlichs Mon, 20 Dec 2004 15:24:13 +0100 libgcrypt11 (1.2.0-11) unstable; urgency=low * Support ppc64. Patch by Rafael Ávila de Espíndola Closes:#284609 -- Matthias Urlichs Wed, 8 Dec 2004 16:59:34 +0100 libgcrypt11 (1.2.0-10) unstable; urgency=high * Revert accidental version number change in configure.ac. (Accidentally-applied patch while pulling bugfixes from CVS.) Sorry about that. -- Matthias Urlichs Mon, 11 Oct 2004 09:28:53 +0200 libgcrypt11 (1.2.0-9) unstable; urgency=medium * Also add a Replaces: for -doc. *Sigh*. -- Matthias Urlichs Tue, 5 Oct 2004 08:46:15 +0200 libgcrypt11 (1.2.0-8) unstable; urgency=medium * Let libgcrypt11-doc conflict with libgcrypt-doc - Closes: #274769 * Fix FTBFS in test, due to latest glibc headers -- Matthias Urlichs Mon, 4 Oct 2004 09:01:53 +0200 libgcrypt11 (1.2.0-7) unstable; urgency=medium * Added build-dep on binutils (>= 2.14.90.0.7) - Closes: #265255 * Merged latest Upstream maintenance changes. -- Matthias Urlichs Sun, 12 Sep 2004 01:26:41 +0200 libgcrypt11 (1.2.0-6) unstable; urgency=medium * Memory leak found by Modestas Vainius . - Closes: #264428. * Revert hppa assembly code to old version; Upstream's new code isn't relocatable on Linux. (This change was included in the manually-built 1.2.0-4 on hppa.) 
-- Matthias Urlichs Sun, 8 Aug 2004 23:32:53 +0200 libgcrypt11 (1.2.0-5) unstable; urgency=low * Include debugging package. -- Matthias Urlichs Sun, 8 Aug 2004 23:12:16 +0200 libgcrypt11 (1.2.0-4) unstable; urgency=medium * Ported rijndael.c alignment patches from gcrypt7. -- Matthias Urlichs Thu, 15 Jul 2004 23:40:56 +0200 libgcrypt11 (1.2.0-3) unstable; urgency=low * Fix AC_DEFUN name quoting. * Disable maintainer mode. -- Matthias Urlichs Wed, 14 Jul 2004 09:43:56 +0200 libgcrypt11 (1.2.0-2) experimental; urgency=low * Taken over the package from Ivo Timmerman * run those tests which don't read /dev/random -- Matthias Urlichs Mon, 14 Jun 2004 17:06:35 +0200 libgcrypt11 (1.2.0-1) experimental; urgency=low * New upstream version. * README.Debian: removed. * control: Removed warning about usability from the package descriptions. -- Ivo Timmermans Thu, 15 Apr 2004 12:33:56 +0200 libgcrypt11 (1.1.93-0.1) experimental; urgency=low * new Upstream version -- Matthias Urlichs Mon, 8 Mar 2004 11:59:32 +0100 libgcrypt7 (1.1.90-1.1) unstable; urgency=high * NMU * [debian/control] Duplicate Build-Depends-Indep into Build-Depends as the buildds ignore Build-Depends-Indep. (Closes: #224588) -- J.H.M. Dassen (Ray) Mon, 29 Dec 2003 11:44:14 +0100 libgcrypt7 (1.1.90-1) unstable; urgency=low * New upstream version. -- Ivo Timmermans Thu, 4 Dec 2003 13:36:02 +0100 libgcrypt7 (1.1.44-1) experimental; urgency=low * New upstream version. -- Ivo Timmermans Fri, 31 Oct 2003 18:12:19 +0100 libgcrypt7 (1.1.43-1) experimental; urgency=low * New upstream version (Closes: #205081); renamed source to libgcrypt7. * debian/rules: * Rewritten to use CDBS; * Install HTML documentation (generated with texi2html); * Don't install the DVI version of the manual. * debian/control: * Added build dependencies on cdbs, libgpg-error-dev, auto*, libtool, texi2html; * Updated Standards-Version. 
-- Ivo Timmermans Thu, 30 Oct 2003 23:59:54 +0100 libgcrypt (1.1.12-4) unstable; urgency=low * debian/libgcrypt-doc.info: Remove everything except gcrypt.info. (Closes: #213743) -- Ivo Timmermans Fri, 3 Oct 2003 12:35:53 +0200 libgcrypt (1.1.12-3) unstable; urgency=high * src/Makefile.am: Revert Robert Millan's patch (thanks Marcus). It appears libgcrypt can adapt itself to any threading environment by using weak symbols, so explicit linking to pthread will break things. (Closes: #193097) -- Ivo Timmermans Tue, 27 May 2003 10:43:03 +0200 libgcrypt (1.1.12-2) unstable; urgency=low * src/Makefile.am: Apply patch by Robert Millan to fix build problems on hurd. (Closes: 187309) * debian/control: Change section of libgcrypt-dev to libdevel. -- Ivo Timmermans Sun, 4 May 2003 16:54:35 +0200 libgcrypt (1.1.12-1) unstable; urgency=low * New upstream release. -- Ivo Timmermans Mon, 20 Jan 2003 13:59:54 +0100 libgcrypt (1.1.11-4) unstable; urgency=low * src/libgcrypt.vers: Fix typo (doh!) -- Ivo Timmermans Tue, 7 Jan 2003 00:06:34 +0100 libgcrypt (1.1.11-3) unstable; urgency=low * src/libgcrypt.vers: Applied a workaround for GNUTLS by Werner Koch. -- Ivo Timmermans Mon, 6 Jan 2003 21:16:29 +0100 libgcrypt (1.1.11-2) unstable; urgency=low * debian/rules: Eh, undo silliness. -- Ivo Timmermans Mon, 6 Jan 2003 19:02:05 +0100 libgcrypt (1.1.11-1) unstable; urgency=low * New upstream release. * debian/libgcrypt1.shlibs: Updated. -- Ivo Timmermans Mon, 6 Jan 2003 17:18:34 +0100 libgcrypt (1.1.10-2) unstable; urgency=low * debian/control: libgcrypt-doc changed section to doc. * debian/libgcrypt-doc.files: New file; install info pages. * debian/libgcrypt-doc.dirs: Added usr/share/info. -- Ivo Timmermans Thu, 31 Oct 2002 00:07:39 +0100 libgcrypt (1.1.10-1) unstable; urgency=low * New upstream release. (Closes: #167077) * debian/libgcrypt1.dirs: Remove empty dir /usr/lib/libgcrypt. 
(Closes: #156117) -- Ivo Timmermans Wed, 30 Oct 2002 19:26:51 +0100 libgcrypt (1.1.8-2) unstable; urgency=low * Fixing build/upload screwups. -- Ivo Timmermans Fri, 9 Aug 2002 14:55:39 +0200 libgcrypt (1.1.8-1) unstable; urgency=low * New upstream release. * Changes from Ray Dassen: - debian/libgcrypt1.shlibs: Depend on libgcrypt1 >> 1.1.8-0 - debian/rules: Removed bashism in install target. - scripts/autogen.sh: invoke automake --copy --add-missing. -- Ivo Timmermans Thu, 8 Aug 2002 10:15:42 +0200 libgcrypt (1.1.7-3) unstable; urgency=low * Updated debian/copyright to contain the copyright and license information about the GPL, LGPL and FDL. (Closes: #150011) * Package descriptions changed to "LGPL Crypto library". * libgcrypt1.shlibs: Depend on libgcrypt1 >> 1.1.7-0 * Fix @direntry in gcrypt.texi. (Closes: #150010) -- Ivo Timmermans Sat, 15 Jun 2002 14:52:55 +0200 libgcrypt (1.1.7-2) unstable; urgency=low * Moved libgcrypt-dev to devel. * New upload with correct Maintainer field in .changes :-) * Closes: #126368, #135514, #127863, #130642, #133978 -- Ivo Timmermans Fri, 14 Jun 2002 11:33:30 +0200 libgcrypt (1.1.7-1) unstable; urgency=low * New upstream release. (Closes: #126368) * Changed description of -doc, -dev packages to mention differences. (Closes: #135514) * NMU ACK; Closes: #127863, #130642, #133978) * Cleaned up debian/rules:- * Don't call autoconf or automake. As a result, the build dependencies are much lighter. * Support DEB_BUILD_OPTIONS and cross compilation. * Updated shlibs file. -- Ivo Timmermans Fri, 14 Jun 2002 09:37:59 +0200 libgcrypt (1.1.5-4) unstable; urgency=low * Old maintainer. Yay. -- Ivo Timmermans Sat, 25 May 2002 20:35:58 +0200 libgcrypt (1.1.5-3.4) unstable; urgency=low * NMU * Reapply hppa patch that has gone missing. (Closes: #127863) -- Randolph Chung Tue, 16 Apr 2002 22:31:34 -0700 libgcrypt (1.1.5-3.3) unstable; urgency=low * NMU * move from non-US to main. 
-- LaMont Jones Fri, 29 Mar 2002 17:41:18 -0700 libgcrypt (1.1.5-3.2) unstable; urgency=low * Non-Maintainer Upload, during BSP #7. * configure.ac: applied patch from James Troup to fix build problems on Sparc (closes: #133978). * Ran autoconf; automake on the source tree. -- Jordi Mallach Sun, 17 Feb 2002 22:23:59 +0100 libgcrypt (1.1.5-3.1) unstable; urgency=medium * NMU * Fixes compile problems on powerpc/alpha/m68k (Closes: #130642) * Fixes compile problems on Hurd (Closes: #126368) -- Randolph Chung Tue, 5 Feb 2002 04:46:43 +0000 libgcrypt (1.1.5-3) unstable; urgency=medium * Applied patch from LaMont Jones to not build documentation in binary-arch (closes: #129286). * debian/control: + removed Build-Depends which should be in B-D-Indep (closes: #128743). + fixed typos in descriptions (closes: #125622, #125623, #125624). * debian/copyright: fixed lintian warning. * debian/docs: removed BUGS (empty) and INSTALL (unneeded); added THANKS and TODO. * debian/libgcrypt1.shlibs: updated for 1.1.5 (related to #129103). * debian/rules: fixed clean target. * Above fixes by Jordi Mallach -- Robert van der Meulen Fri, 18 Jan 2002 20:09:05 +0100 libgcrypt (1.1.5-2) unstable; urgency=low * Changed Maintainer: address * Fixed build depends (Closes: #128743) -- Robert van der Meulen Sun, 13 Jan 2002 19:44:11 +0100 libgcrypt (1.1.5-1) unstable; urgency=low * New upstream release * New maintainer * Fixed hppa build problems (Closes: #127863) * Fixed HURD build problems (Closes: #126368) -- Robert van der Meulen Thu, 10 Jan 2002 12:37:50 +0100 libgcrypt (1.1.4-4) unstable; urgency=medium * sexp.c: Fix build problem on ppc et al. (Closes: #119592) -- Ivo Timmermans Wed, 14 Nov 2001 17:06:48 +0100 libgcrypt (1.1.4-3) unstable; urgency=low * Change build system so that binary-arch and binary-indep can be built independently; update dependencies to include docbook-utils (Closes: 116515) * Update src/sexp.c to cvs version. 
(Closes: 118896) -- Ivo Timmermans Sat, 10 Nov 2001 20:03:17 +0100 libgcrypt (1.1.4-2) unstable; urgency=low * Split off documentation to a separate package. * Explicitly strip /usr/lib/libgcrypt/*. -- Ivo Timmermans Thu, 9 Aug 2001 23:26:59 +0200 libgcrypt (1.1.4-1) unstable; urgency=low * Initial Release. (Closes: #107498) -- Ivo Timmermans Sat, 4 Aug 2001 11:22:10 +0200