libgcrypt-1.9.1

[Pierre Labastie]

New minor version

[Pierre Labastie]

Noteworthy changes in Libgcrypt 1.9.0
-------------------------------------

 * New and extended interfaces:
   - New curves Ed448, X448, and SM2.
   - New cipher mode EAX.
   - New cipher algo SM4.
   - New hash algo SM3.
   - New hash algo variants SHA512/224 and SHA512/256.
   - New MAC algos for Blake-2 algorithms, the new SHA512 variants,
     SM3, SM4 and for a GOST variant.
   - New convenience function gcry_mpi_get_ui.
   - gcry_sexp_extract_param understands new format specifiers to
     directly store to integers and strings.
   - New function gcry_ecc_mul_point and curve constants for Curve448
     and Curve25519.  [#4293]
   - New function gcry_ecc_get_algo_keylen.
   - New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the
     secure memory area.  Also in 1.8.2 as an undocumented feature.

 * Performance:
   - Optimized implementations for Aarch64.
   - Faster implementations for Poly1305 and ChaCha.  Also for
     PowerPC.  [b9a471ccf5,172ad09cbe,#4460]
   - Optimized implementations of AES and SHA-256 on PowerPC.
     [#4529,#4530]
   - Improved use of AES-NI to speed up AES-XTS (6 times faster).
     [a00c5b2988]
   - Improved use of AES-NI for OCB.  [eacbd59b13,e924ce456d]
   - Speedup AES-XTS on ARMv8/CE (2.5 times faster).  [93503c127a]
   - New AVX and AVX2 implementations for Blake-2 (1.3/1.4 times
     faster).  [af7fc732f9, da58a62ac1]
   - Use Intel SHA extension for SHA-1 and SHA-256 (4.0/3.7 times
     faster).  [d02958bd30, 0b3ec359e2]
   - Use ARMv7/NEON accelerated GCM implementation (3 times faster).
     [2445cf7431]
   - Use of i386/SSSE3 for SHA-512 (4.5 times faster on Ryzen 7).
     [b52dde8609]
   - Use 64 bit ARMv8/CE PMULL for CRC (7 times faster).  [14c8a593ed]
   - Improve CAST5 (40% to 70% faster).  [4ec566b368]
   - Improve Blowfish (60% to 80% faster).  [ced7508c85]

 * Bug fixes:
   - Fix infinite loop due to applications using fork the wrong
     way.  [#3491][also in 1.8.4]
   - Fix possible leak of a few bits of secret primes to pageable
     memory.  [#3848][also in 1.8.4]
   - Fix possible hang in the RNG (1.8.3 only).  [#4034][also in 1.8.4]
   - Several minor fixes.  [#4102,#4208,#4209,#4210,#4211,#4212]
     [also in 1.8.4]
   - On Linux always make use of getrandom if possible and then use
     its /dev/urandom behaviour.  [#3894][also in 1.8.4]
   - Use blinding for ECDSA signing to mitigate a novel side-channel
     attack.  [#4011,CVE-2018-0495] [also in 1.8.3, 1.7.10]
   - Fix incorrect counter overflow handling for GCM when using an IV
     size other than 96 bit.  [#3764] [also in 1.8.3, 1.7.10]
   - Fix incorrect output of AES-keywrap mode for in-place encryption
     on some platforms.  [also in 1.8.3, 1.7.10]
   - Fix the gcry_mpi_ec_curve_point point validation function.
     [also in 1.8.3, 1.7.10]
   - Fix rare assertion failure in gcry_prime_check.  [also in 1.8.3]
   - Do not use /dev/srandom on OpenBSD.  [also in 1.8.2]
   - Fix test suite failure on systems with large pages. [#3351]
     [also in 1.8.2]
   - Fix test suite to not use mmap on Windows.  [also in 1.8.2]
   - Fix fatal out of secure memory status in the s-expression parser
     on heavy loaded systems.  [also in 1.8.2]
   - Fix build problems on OpenIndiana et al. [#4818, also in 1.8.6]
   - Fix GCM bug on arm64 which troubles for example OMEMO.  [#4986,
     also in 1.8.6]
   - Detect a div-by-zero in a debug helper tool.  [#4868, also in 1.8.6]
   - Use a constant time mpi_inv and related changes.  [#4869, partly
     also in 1.8.6]
   - Fix mpi_copy to correctly handle flags of opaque MPIs.
     [also in 1.8.6]
   - Fix mpi_cmp to consider +0 and -0 the same.  [also in 1.8.6]
   - Fix extra entropy collection via clock_gettime.  Note that this
     fallback code path is not used on any decent hardware.  [#4966,
     also in 1.8.7]
   - Support opaque MPI with gcry_mpi_print.  [#4872, also in 1.8.7]
   - Allow for a Unicode random seed file on Windows.  [#5098, also in
     1.8.7]

 * Other features:
   - Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519.
     [also in 1.8.6]
   - Add mitigation against ECC timing attack CVE-2019-13626.  [#4626]
   - Internal cleanup of the ECC implementation.
   - Support reading EC point in compressed format for some curves.
     [#4951]

[Douglas R. Reno]

Now 1.9.1

Hello!

We have to announce the availability of Libgcrypt version 1.9.1.
This version fixes a *critical security bug* in the recently released
version 1.9.0.  If you are already using 1.9.0 please update immediately
to 1.9.1.

Libgcrypt is a general purpose library of cryptographic building blocks.
It is originally based on code used by GnuPG.  It does not provide any
implementation of OpenPGP or other protocols.  Thorough understanding of
applied cryptography is required to use Libgcrypt.


Impact and timeline
===================

Only one released version is affected:

 - Libgcrypt 1.9.0 (released 2021-01-19)

All other versions are not affected.

On 2021-01-28 Tavis Ormandy contacted us to report a severe bug in 1.9.0
which he found while testing GnuPG:

  There is a heap buffer overflow in libgcrypt due to an incorrect
  assumption in the block buffer management code. Just decrypting some
  data can overflow a heap buffer with attacker controlled data, no
  verification or signature is validated before the vulnerability
  occurs.

The bug was introduced during the the 1.9 development phase about two
years ago with commit e76617cbab018dd8f41fd6b4ec6740b5303f7e13 (Reduce
overhead on generic hash write function).

Exploiting this bug is simple and thus immediate action for 1.9.0 users
is required.  A CVE-id has not yet been assigned.  We track this bug at
https://dev.gnupg.org/T5275.  The 1.9.0 tarballs on our FTP server have
been renamed so that scripts won't be able to get this version anymore.


Solution
========

If Libgcrypt versions 1.9.0 is in use please update immediately to
version 1.9.1.

If you are using the 1.8 LTS branch you are not affected.  While you are
checking anyway please make sure that you have at least 1.8.5.

If you are using a development version build taken from our Git
repository you need to update as well.  NB: The use of non-released
versions in a production environment is strongly discouraged.

There is yet no released GnuPG version hich requires Libgcrypt 1.9


Noteworthy changes in Libgcrypt 1.9.1
=====================================

 * Bug fixes:

   - *Fix exploitable bug* in hash functions introduced with 1.9.0.
     [#5275]

   - Return an error if a negative MPI is used with sexp scan
     functions.  [#4964]

   - Check for operational FIPS in the random and KDF functions.
     [#5243]

   - Fix compile error on ARMv7 with NEON disabled.  [#5251]

   - Fix self-test in KDF module.  [#5254]

   - Improve assembler checks for better LTO support.  [#5255]

   - Fix assember problem on macOS running on M1.  [#5157]

   - Support older macOS without posix_spawn. [#5159]

   - Fix 32-bit cross build on x86.  [#5257]

   - Fix non-NEON ARM assembly implementation for SHA512.  [#5263]

   - Fix build problems with the cipher_bulk_ops_t typedef.  [#5264]

   - Fix Ed25519 private key handling for preceding ZEROs. [#5267]

   - Fix overflow in modular inverse implementation.  [#5269]

   - Fix register access for AVX/AVX2 implementations of Blake2.
     [#5271].

 * Performance:

   - Add optimized cipher and hash functions for s390x/zSeries.

   - Use hardware bit counting functionx when available.

 * Internal changes:

   - The macOS getentropy syscall is used when available.  [#5268]

   - Update DSA functions to match FIPS 186-3.  [30ed9593f6]

   - New self-tests for CMACs and KDFs.  [385a89e35b,7a0da24925]

   - Add bulk cipher functions for OFB and GCM modes.
     [f12b6788f2,f4e63e92dc]

 For a list of links to commits and bug numbers
 see the release info at https://dev.gnupg.org/T5259

Even though we don't have 1.9.0 in the book right now, if anyone did install it, please make sure that you update ASAP.

[Douglas R. Reno]

Fixed at r24154

[ken@…]

Belatedly marking as High because of CVE-2021-3345.

For some reason I had thought we did not include this in the book.