[3.4] libgcrypt: Possible timing attack on EdDSA session key (CVE-2017-9526)
An attacker who learns the EdDSA session key (the per-signature scalar r)
through side-channel observation of the signing process can easily recover
the long-term secret key: the signature component S = r + H(R,A,M)*a mod L
leaves a as the only unknown once r is known. The fix stores the session
key in secure memory, which ensures that the constant-time point operations
of the MPI library are used for the scalar multiplication that computes R.
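Worked example of the key recovery described above, added here for illustration; it is not libgcrypt code and does not reproduce the libgcrypt side channel. It is a minimal pure-Python Ed25519 (RFC 8032) in which sign() hands back the session key r as if it had leaked, recover_scalar() computes the long-term scalar from S = r + H(R,A,M)*a mod L, and forge() then signs an attacker-chosen message with nothing but that scalar. Function names and sample messages are constructed for this example.

```python
import hashlib
import os

# Ed25519 domain parameters (RFC 8032 section 5.1)
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, -1, p)) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)
# Base point B in extended coordinates (X, Y, Z, T)
_gx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
_gy = 46316835694926478169428394003475163141307993866256225615783033603165251855960
G = (_gx, _gy, 1, _gx * _gy % p)


def sha512(data):
    return hashlib.sha512(data).digest()


def point_add(P, Q):
    # Extended twisted Edwards addition, same formulas as the RFC 8032 reference code
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, Gg, H = B - A, D - C, D + C, B + A
    return (E * F % p, Gg * H % p, F * Gg % p, E * H % p)


def point_mul(s, P):
    # Plain double-and-add with a secret-dependent branch: the kind of
    # non-constant-time scalar multiplication that leaks bits of s.
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q


def point_equal(P, Q):
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0


def point_compress(P):
    zinv = pow(P[2], -1, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def point_decompress(b):
    y = int.from_bytes(b, "little")
    sign_bit, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p:
        raise ValueError("not a curve point")
    if (x & 1) != sign_bit:
        x = p - x
    return (x, y, 1, x * y % p)


def expand_secret(seed):
    # Clamped scalar a and the prefix used to derive deterministic session keys
    h = sha512(seed)
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]


def public_key(seed):
    return point_compress(point_mul(expand_secret(seed)[0], G))


def sign(seed, msg):
    """Returns (signature, r). r is the session key a signer must never expose."""
    a, prefix = expand_secret(seed)
    A = point_compress(point_mul(a, G))
    r = int.from_bytes(sha512(prefix + msg), "little") % L
    R = point_compress(point_mul(r, G))
    h = int.from_bytes(sha512(R + A + msg), "little") % L
    return R + ((r + h * a) % L).to_bytes(32, "little"), r


def verify(pub, msg, sig):
    s = int.from_bytes(sig[32:], "little")
    if s >= L:
        return False
    h = int.from_bytes(sha512(sig[:32] + pub + msg), "little") % L
    lhs = point_mul(s, G)
    rhs = point_add(point_decompress(sig[:32]), point_mul(h, point_decompress(pub)))
    return point_equal(lhs, rhs)


def recover_scalar(pub, msg, sig, r):
    # Attacker side: S = r + h*a (mod L)  =>  a = (S - r) * h^-1 (mod L).
    # a is recovered modulo the group order L, which is all a forger needs.
    s = int.from_bytes(sig[32:], "little")
    h = int.from_bytes(sha512(sig[:32] + pub + msg), "little") % L
    return (s - r) * pow(h, -1, L) % L


def forge(a, pub, msg):
    # With the recovered scalar alone, sign any message under an arbitrary nonce
    r = int.from_bytes(os.urandom(64), "little") % L
    R = point_compress(point_mul(r, G))
    h = int.from_bytes(sha512(R + pub + msg), "little") % L
    return R + ((r + h * a) % L).to_bytes(32, "little")


def demo(seed, msg=b"constructed sample message", forged_msg=b"attacker-chosen message"):
    pub = public_key(seed)
    sig, leaked_r = sign(seed, msg)  # constructed leak of the session key
    a_rec = recover_scalar(pub, msg, sig, leaked_r)
    ok_recovered = a_rec == expand_secret(seed)[0] % L
    return ok_recovered and verify(pub, msg, sig) and verify(pub, forged_msg, forge(a_rec, pub, forged_msg))


if __name__ == "__main__":
    print("scalar recovered and forgery verifies:", demo(os.urandom(32)))
```

One leaked session key from one signature is enough; the deterministic nonce derivation of EdDSA does not help here, because the prefix is never needed once a is known. The example's point_mul shows why the MPI code path matters: any scalar multiplication with a secret-dependent branch or memory access pattern exposes r, and libgcrypt selects its constant-time routines based on the MPI being in secure memory.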
Fixed In Version:
libgcrypt 1.7.7
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9526
Patches:
1.7.x:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56
Curve Ed25519 signing and verification were implemented in 1.6.0 with
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=bc5199a02abe428ad377443280b3eda60141a1d6
and following refactorings.
(from redmine: issue id 7434, created on 2017-06-15, closed on 2017-07-05)
- Relations:
- parent #7431 (closed)
- Changesets:
- Revision 03d53aaa by Natanael Copa on 2017-07-05T08:22:34Z:
main/libgcrypt: security upgrade to 1.7.8 (CVE-2017-7526,CVE-2017-9526)
fixes #7478
fixes #7434