#755 ✓wontfix
steve

Libgcrypt 1.9.x

Reported by steve | January 20th, 2021 @ 01:21 AM

Noteworthy changes in Libgcrypt 1.9.0:

  • New and extended interfaces:

    • New curves Ed448, X448, and SM2.
    • New cipher mode EAX.
    • New cipher algo SM4.
    • New hash algo SM3.
    • New hash algo variants SHA512/224 and SHA512/256.
    • New MAC algos for Blake-2 algorithms, the new SHA512 variants, SM3, SM4 and for a GOST variant.
    • New convenience function gcry_mpi_get_ui.
    • gcry_sexp_extract_param understands new format specifiers to directly store to integers and strings.
    • New function gcry_ecc_mul_point and curve constants for Curve448 and Curve25519. [#4293]
    • New function gcry_ecc_get_algo_keylen.
    • New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the secure memory area. Also in 1.8.2 as an undocumented feature.

  • Performance:

    • Optimized implementations for Aarch64.
    • Faster implementations for Poly1305 and ChaCha. Also for PowerPC. [b9a471ccf5,172ad09cbe,#4460]
    • Optimized implementations of AES and SHA-256 on PowerPC. [#4529,#4530]
    • Improved use of AES-NI to speed up AES-XTS (6 times faster). [a00c5b2988]
    • Improved use of AES-NI for OCB. [eacbd59b13,e924ce456d]
    • Speedup AES-XTS on ARMv8/CE (2.5 times faster). [93503c127a]
    • New AVX and AVX2 implementations for Blake-2 (1.3/1.4 times faster). [af7fc732f9, da58a62ac1]
    • Use Intel SHA extension for SHA-1 and SHA-256 (4.0/3.7 times faster). [d02958bd30, 0b3ec359e2]
    • Use ARMv7/NEON accelerated GCM implementation (3 times faster). [2445cf7431]
    • Use of i386/SSSE3 for SHA-512 (4.5 times faster on Ryzen 7). [b52dde8609]
    • Use 64 bit ARMv8/CE PMULL for CRC (7 times faster). [14c8a593ed]
    • Improve CAST5 (40% to 70% faster). [4ec566b368]
    • Improve Blowfish (60% to 80% faster). [ced7508c85]

  • Bug fixes:

    • Fix infinite loop due to applications using fork the wrong way. [#3491][also in 1.8.4]
    • Fix possible leak of a few bits of secret primes to pageable memory. [#3848][also in 1.8.4]
    • Fix possible hang in the RNG (1.8.3 only). [#4034][also in 1.8.4]
    • Several minor fixes. [#4102,#4208,#4209,#4210,#4211,#4212] [also in 1.8.4]
    • On Linux always make use of getrandom if possible and then use its /dev/urandom behaviour. [#3894][also in 1.8.4]
    • Use blinding for ECDSA signing to mitigate a novel side-channel attack. [#4011,CVE-2018-0495] [also in 1.8.3, 1.7.10]
    • Fix incorrect counter overflow handling for GCM when using an IV size other than 96 bit. [#3764] [also in 1.8.3, 1.7.10]
    • Fix incorrect output of AES-keywrap mode for in-place encryption on some platforms. [also in 1.8.3, 1.7.10]
    • Fix the gcry_mpi_ec_curve_point point validation function. [also in 1.8.3, 1.7.10]
    • Fix rare assertion failure in gcry_prime_check. [also in 1.8.3]
    • Do not use /dev/srandom on OpenBSD. [also in 1.8.2]
    • Fix test suite failure on systems with large pages. [#3351] [also in 1.8.2]
    • Fix test suite to not use mmap on Windows. [also in 1.8.2]
    • Fix fatal out of secure memory status in the s-expression parser on heavy loaded systems. [also in 1.8.2]
    • Fix build problems on OpenIndiana et al. [#4818, also in 1.8.6]
    • Fix GCM bug on arm64 which troubles for example OMEMO. [#4986, also in 1.8.6]
    • Detect a div-by-zero in a debug helper tool. [#4868, also in 1.8.6]
    • Use a constant time mpi_inv and related changes. [#4869, partly also in 1.8.6]
    • Fix mpi_copy to correctly handle flags of opaque MPIs. [also in 1.8.6]
    • Fix mpi_cmp to consider +0 and -0 the same. [also in 1.8.6]
    • Fix extra entropy collection via clock_gettime. Note that this fallback code path is not used on any decent hardware. [#4966, also in 1.8.7]
    • Support opaque MPI with gcry_mpi_print. [#4872, also in 1.8.7]
    • Allow for a Unicode random seed file on Windows. [#5098, also in 1.8.7]

  • Other features:

    • Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519. [also in 1.8.6]
    • Add mitigation against ECC timing attack CVE-2019-13626. [#4626]
    • Internal cleanup of the ECC implementation.
    • Support reading EC point in compressed format for some curves. [#4951]

For a list of interface changes and links to commits and bug numbers
see the release info at https://dev.gnupg.org/T4294

Comments and changes to this ticket

  • steve

    steve January 26th, 2021 @ 12:19 AM

    • State changed from “new” to “verified”
    • Assigned user set to “Luke Le”
    • Milestone set to 2.2.27

    macOS 10.15.7
    GPG Suite 2985n
    verified

  • steve

    steve January 29th, 2021 @ 01:37 PM

    • State changed from “verified” to “new”
    • Assigned user cleared.
    • Milestone cleared.

    reverting to 1.8.x for now. keeping this open until we add 1.9.x

  • steve

    steve January 29th, 2021 @ 01:37 PM

    • Title changed from “Libgcrypt 1.9.0” to “Libgcrypt 1.9.x”
  • steve

    steve January 29th, 2021 @ 01:38 PM

    Noteworthy changes in Libgcrypt 1.9.1:

    • Bug fixes:

      • Fix exploitable bug in hash functions introduced with 1.9.0. [#5275]
      • Return an error if a negative MPI is used with sexp scan functions. [#4964]
      • Check for operational FIPS in the random and KDF functions. [#5243]
      • Fix compile error on ARMv7 with NEON disabled. [#5251]
      • Fix self-test in KDF module. [#5254]
      • Improve assembler checks for better LTO support. [#5255]
      • Fix assember problem on macOS running on M1. [#5157]
      • Support older macOS without posix_spawn. [#5159]
      • Fix 32-bit cross build on x86. [#5257]
      • Fix non-NEON ARM assembly implementation for SHA512. [#5263]
      • Fix build problems with the cipher_bulk_ops_t typedef. [#5264]
      • Fix Ed25519 private key handling for preceding ZEROs. [#5267]
      • Fix overflow in modular inverse implementation. [#5269]
      • Fix register access for AVX/AVX2 implementations of Blake2. [#5271].

    • Performance:

      • Add optimized cipher and hash functions for s390x/zSeries.
      • Use hardware bit counting functionx when available.

    • Internal changes:

      • The macOS getentropy syscall is used when available. [#5268]
      • Update DSA functions to match FIPS 186-3. [30ed9593f6]
      • New self-tests for CMACs and KDFs. [385a89e35b,7a0da24925]
      • Add bulk cipher functions for OFB and GCM modes. [f12b6788f2,f4e63e92dc]

    For a list of links to commits and bug numbers
    see the release info at https://dev.gnupg.org/T5259

  • steve

    steve February 17th, 2021 @ 01:05 PM

    Noteworthy changes in Libgcrypt 1.9.2

    • Bug fixes:

      • Fix build problem for macOS in the random code. [#5268]
      • Fix building with --disable-asm on x86. [#5277]
      • Check public key for ECDSA verify operation. [#5282]
      • Make sure gcry_get_config (NULL) returns a nul-terminated string. [8716e4b2ad]
      • Fix a memory leak in the ECDH code. [289543544e]
      • Fix a reading beyond end of input buffer in SHA2-avx2. [24af2a55d8]

    • Other features:

      • New test driver to allow for standalone regression tests. [b142da4c88]

    For a list of links to commits and bug numbers
    see the release info at https://dev.gnupg.org/T5276

  • steve

    steve March 30th, 2022 @ 02:20 PM

    • State changed from “new” to “wontfix”

    decision was made to stay on 1.8 LTS for now.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Shared Ticket Bins

People watching this ticket

Pages