libgcrypt: Security fix CVE-2015-7511

CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves affects libgcrypt < 1.6.5 adjust SRC_URI + for this version. Patch 1 is a dependancy patch. simple macro name change. Patch 2 is the cve fix. (From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c) (From OE-Core rev: 88ba5ea3f3a421ac91d670e450f4b0645a53d733) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-02-13 09:34:00 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-03 11:11:40 +0000
commit: d25973e203b8298005389983bf17f613c940c40e (patch)
tree: c4c01eac73f17ebf2a6697162aa0ff28a38cea60
parent: e1a2fb6e857c0d15c12324be64654ff0a314cc57 (diff)
download: poky-d25973e203b8298005389983bf17f613c940c40e.tar.gz
3 files changed, 305 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch
new file mode 100644
index 0000000000..14c25b9ad2
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch
@@ -0,0 +1,245 @@
+From 2ef48ba59c32bfa1a9265d5eea8ab225a658903a Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 9 Jan 2014 19:14:09 +0100
+Subject: [PATCH] ecc: Make a macro shorter.
+* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS.  CHnage
+all users.
+* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
+comment.
+* mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards.
+(add_points_twistededwards): Rename to add_points_edwards.
+Signed-off-by: Werner Koch <wk@gnupg.org>
+Upstream-Status: Backport
+2ef48ba59c32bfa1a9265d5eea8ab225a658903a
+CVE: CVE-2015-7511 depend patch
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/ecc-curves.c | 22 +++++++++++++++++++---
+ cipher/ecc-misc.c   |  4 ++--
+ cipher/ecc.c        |  8 ++++----
+ mpi/ec.c            | 22 +++++++++++-----------
+ src/mpi.h           | 11 ++++++++---
+ 5 files changed, 44 insertions(+), 23 deletions(-)
+Index: libgcrypt-1.6.3/cipher/ecc-curves.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc-curves.c
+++ libgcrypt-1.6.3/cipher/ecc-curves.c
+@@ -105,7 +105,7 @@ static const ecc_domain_parms_t domain_p
+     {
+       /* (-x^2 + y^2 = 1 + dx^2y^2) */
+       "Ed25519", 256, 0,
+-      MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519,
+      MPI_EC_EDWARDS, ECC_DIALECT_ED25519,
+       "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+       "-0x01",
+       "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
+@@ -113,6 +113,22 @@ static const ecc_domain_parms_t domain_p
+       "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
+       "0x6666666666666666666666666666666666666666666666666666666666666658"
+     },
+#if 0 /* No real specs yet found.  */
+    {
+      /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */
+      "Curve3617",
+      "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF",
+      MPI_EC_EDWARDS, 0,
+      "0x01",
+      "0x0e21",
+      "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF"
+      "706022B36F1C0338AD63CF181B0E71A5E106AF79",
+      "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D"
+      "6D6BA111301A73FAA8537C64C4FD3812F3CBC595",
+      "0x22"
+    },
+#endif /*0*/
+     {
+       "NIST P-192", 192, 1,
+       MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+@@ -404,7 +420,7 @@ _gcry_ecc_fill_in_curve (unsigned int nb
+   switch (domain_parms[idx].model)
+     {
+     case MPI_EC_WEIERSTRASS:
+-    case MPI_EC_TWISTEDEDWARDS:
+    case MPI_EC_EDWARDS:
+       break;
+     case MPI_EC_MONTGOMERY:
+       return GPG_ERR_NOT_SUPPORTED;
+@@ -1039,7 +1055,7 @@ _gcry_ecc_get_mpi (const char *name, mpi
+       if (name[1] != '@')
+         return _gcry_mpi_ec_ec2os (ec->Q, ec);
+ 
+-      if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS)
+      if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS)
+         {
+           unsigned char *encpk;
+           unsigned int encpklen;
+Index: libgcrypt-1.6.3/cipher/ecc-misc.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc-misc.c
+++ libgcrypt-1.6.3/cipher/ecc-misc.c
+@@ -79,7 +79,7 @@ _gcry_ecc_model2str (enum gcry_mpi_ec_mo
+     {
+     case MPI_EC_WEIERSTRASS:    str = "Weierstrass"; break;
+     case MPI_EC_MONTGOMERY:     str = "Montgomery";  break;
+-    case MPI_EC_TWISTEDEDWARDS: str = "Twisted Edwards"; break;
+    case MPI_EC_EDWARDS:        str = "Edwards"; break;
+     }
+   return str;
+ }
+@@ -252,7 +252,7 @@ _gcry_ecc_compute_public (mpi_point_t Q,
+ 
+   if (!d || !G || !ec->p || !ec->a)
+     return NULL;
+-  if (ec->model == MPI_EC_TWISTEDEDWARDS && !ec->b)
+  if (ec->model == MPI_EC_EDWARDS && !ec->b)
+     return NULL;
+ 
+   if (ec->dialect == ECC_DIALECT_ED25519
+Index: libgcrypt-1.6.3/cipher/ecc.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc.c
+++ libgcrypt-1.6.3/cipher/ecc.c
+@@ -642,7 +642,7 @@ ecc_check_secret_key (gcry_sexp_t keypar
+   if (!curvename)
+     {
+       sk.E.model = ((flags & PUBKEY_FLAG_EDDSA)
+-               ? MPI_EC_TWISTEDEDWARDS
+               ? MPI_EC_EDWARDS
+                : MPI_EC_WEIERSTRASS);
+       sk.E.dialect = ((flags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -774,7 +774,7 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_
+   if (!curvename)
+     {
+       sk.E.model = ((ctx.flags & PUBKEY_FLAG_EDDSA)
+-                    ? MPI_EC_TWISTEDEDWARDS
+                    ? MPI_EC_EDWARDS
+                     : MPI_EC_WEIERSTRASS);
+       sk.E.dialect = ((ctx.flags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -938,7 +938,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp
+   if (!curvename)
+     {
+       pk.E.model = ((sigflags & PUBKEY_FLAG_EDDSA)
+-                    ? MPI_EC_TWISTEDEDWARDS
+                    ? MPI_EC_EDWARDS
+                     : MPI_EC_WEIERSTRASS);
+       pk.E.dialect = ((sigflags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -1528,7 +1528,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_s
+   if (!curvename)
+     {
+       model = ((flags & PUBKEY_FLAG_EDDSA)
+-               ? MPI_EC_TWISTEDEDWARDS
+               ? MPI_EC_EDWARDS
+                : MPI_EC_WEIERSTRASS);
+       dialect = ((flags & PUBKEY_FLAG_EDDSA)
+                  ? ECC_DIALECT_ED25519
+Index: libgcrypt-1.6.3/mpi/ec.c
+===================================================================
+--- libgcrypt-1.6.3.orig/mpi/ec.c
+++ libgcrypt-1.6.3/mpi/ec.c
+@@ -605,7 +605,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, g
+       }
+       return -1;
+ 
+-    case MPI_EC_TWISTEDEDWARDS:
+    case MPI_EC_EDWARDS:
+       {
+         gcry_mpi_t z;
+ 
+@@ -725,7 +725,7 @@ dup_point_montgomery (mpi_point_t result
+ 
+ /*  RESULT = 2 * POINT  (Twisted Edwards version). */
+ static void
+-dup_point_twistededwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
+dup_point_edwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
+ {
+ #define X1 (point->x)
+ #define Y1 (point->y)
+@@ -811,8 +811,8 @@ _gcry_mpi_ec_dup_point (mpi_point_t resu
+     case MPI_EC_MONTGOMERY:
+       dup_point_montgomery (result, point, ctx);
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
+-      dup_point_twistededwards (result, point, ctx);
+    case MPI_EC_EDWARDS:
+      dup_point_edwards (result, point, ctx);
+       break;
+     }
+ }
+@@ -977,9 +977,9 @@ add_points_montgomery (mpi_point_t resul
+ 
+ /* RESULT = P1 + P2  (Twisted Edwards version).*/
+ static void
+-add_points_twistededwards (mpi_point_t result,
+-                           mpi_point_t p1, mpi_point_t p2,
+-                           mpi_ec_t ctx)
+add_points_edwards (mpi_point_t result,
+                    mpi_point_t p1, mpi_point_t p2,
+                    mpi_ec_t ctx)
+ {
+ #define X1 (p1->x)
+ #define Y1 (p1->y)
+@@ -1087,8 +1087,8 @@ _gcry_mpi_ec_add_points (mpi_point_t res
+     case MPI_EC_MONTGOMERY:
+       add_points_montgomery (result, p1, p2, ctx);
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
+-      add_points_twistededwards (result, p1, p2, ctx);
+    case MPI_EC_EDWARDS:
+      add_points_edwards (result, p1, p2, ctx);
+       break;
+     }
+ }
+@@ -1106,7 +1106,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
+   unsigned int i, loops;
+   mpi_point_struct p1, p2, p1inv;
+ 
+-  if (ctx->model == MPI_EC_TWISTEDEDWARDS)
+  if (ctx->model == MPI_EC_EDWARDS)
+     {
+       /* Simple left to right binary method.  GECC Algorithm 3.27 */
+       unsigned int nbits;
+@@ -1269,7 +1269,7 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point
+       log_fatal ("%s: %s not yet supported\n",
+                  "_gcry_mpi_ec_curve_point", "Montgomery");
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
+    case MPI_EC_EDWARDS:
+       {
+         /* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */
+         ec_pow2 (x, x, ctx);
+Index: libgcrypt-1.6.3/src/mpi.h
+===================================================================
+--- libgcrypt-1.6.3.orig/src/mpi.h
+++ libgcrypt-1.6.3/src/mpi.h
+@@ -245,13 +245,18 @@ void _gcry_mpi_snatch_point (gcry_mpi_t
+ /* Models describing an elliptic curve.  */
+ enum gcry_mpi_ec_models
+   {
+-
+    /* The Short Weierstrass equation is
+          y^2 = x^3 + ax + b
+     */
+     MPI_EC_WEIERSTRASS = 0,
+    /* The Montgomery equation is
+          by^2 = x^3 + ax^2 + x
+     */
+     MPI_EC_MONTGOMERY,
+-    MPI_EC_TWISTEDEDWARDS
+-    /* The equation for Twisted Edwards curves is
+    /* The Twisted Edwards equation is
+           ax^2 + y^2 = 1 + bx^2y^2
+        Note that we use 'b' instead of the commonly used 'd'.  */
+    MPI_EC_EDWARDS
+   };
+ 
+ /* Dialects used with elliptic curves.  It is easier to keep the
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch
new file mode 100644
index 0000000000..8093a18cf3
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch
@@ -0,0 +1,55 @@
+From 88e1358962e902ff1cbec8d53ba3eee46407851a Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 25 Nov 2015 12:46:19 +0900
+Subject: [PATCH] ecc: Constant-time multiplication for Weierstrass curve.
+* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
+method for Weierstrass curve when SCALAR is secure.
+Upstream-Status: Backport
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a
+CVE: CVE-2015-7511 fix
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ mpi/ec.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+Index: libgcrypt-1.6.3/mpi/ec.c
+===================================================================
+--- libgcrypt-1.6.3.orig/mpi/ec.c
+++ libgcrypt-1.6.3/mpi/ec.c
+@@ -1106,16 +1106,27 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
+   unsigned int i, loops;
+   mpi_point_struct p1, p2, p1inv;
+ 
+-  if (ctx->model == MPI_EC_EDWARDS)
+  if (ctx->model == MPI_EC_EDWARDS
+      || (ctx->model == MPI_EC_WEIERSTRASS
+          && mpi_is_secure (scalar)))
+     {
+       /* Simple left to right binary method.  GECC Algorithm 3.27 */
+       unsigned int nbits;
+       int j;
+ 
+       nbits = mpi_get_nbits (scalar);
+-      mpi_set_ui (result->x, 0);
+-      mpi_set_ui (result->y, 1);
+-      mpi_set_ui (result->z, 1);
+      if (ctx->model == MPI_EC_WEIERSTRASS)
+        {
+          mpi_set_ui (result->x, 1);
+          mpi_set_ui (result->y, 1);
+          mpi_set_ui (result->z, 0);
+        }
+      else
+        {
+          mpi_set_ui (result->x, 0);
+          mpi_set_ui (result->y, 1);
+          mpi_set_ui (result->z, 1);
+        }
+ 
+       if (mpi_is_secure (scalar))
+         {
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
index c49c0e7c17..40b7387b34 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
@@ -1,4 +1,9 @@
 require libgcrypt.inc
+SRC_URI += "\
+        file://CVE-2015-7511_1.patch \
+        file://CVE-2015-7511_2.patch \
+        "
 SRC_URI[md5sum] = "d19adc062edff0ebc7e887212733ef1f"
 SRC_URI[sha256sum] = "936921644b9c81e2395e18a554a9a5f9252aae3976f8afc3e4229ee9d785e627"
author	Armin Kuster <akuster@mvista.com>	2016-02-13 09:34:00 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-03 11:11:40 +0000
commit	d25973e203b8298005389983bf17f613c940c40e (patch)
tree	c4c01eac73f17ebf2a6697162aa0ff28a38cea60
parent	e1a2fb6e857c0d15c12324be64654ff0a314cc57 (diff)
download	poky-d25973e203b8298005389983bf17f613c940c40e.tar.gz

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch new file mode 100644 index 0000000000..14c25b9ad2 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch
@@ -0,0 +1,245 @@
		1	From 2ef48ba59c32bfa1a9265d5eea8ab225a658903a Mon Sep 17 00:00:00 2001
		2	From: Werner Koch <wk@gnupg.org>
		3	Date: Thu, 9 Jan 2014 19:14:09 +0100
		4	Subject: [PATCH] ecc: Make a macro shorter.
		5
		6	* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS. CHnage
		7	all users.
		8	* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
		9	comment.
		10	* mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards.
		11	(add_points_twistededwards): Rename to add_points_edwards.
		12
		13	Signed-off-by: Werner Koch <wk@gnupg.org>
		14
		15	Upstream-Status: Backport
		16	2ef48ba59c32bfa1a9265d5eea8ab225a658903a
		17
		18	CVE: CVE-2015-7511 depend patch
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	cipher/ecc-curves.c \| 22 +++++++++++++++++++---
		23	cipher/ecc-misc.c \| 4 ++--
		24	cipher/ecc.c \| 8 ++++----
		25	mpi/ec.c \| 22 +++++++++++-----------
		26	src/mpi.h \| 11 ++++++++---
		27	5 files changed, 44 insertions(+), 23 deletions(-)
		28
		29	Index: libgcrypt-1.6.3/cipher/ecc-curves.c
		30	===================================================================
		31	--- libgcrypt-1.6.3.orig/cipher/ecc-curves.c
		32	+++ libgcrypt-1.6.3/cipher/ecc-curves.c
		33	@@ -105,7 +105,7 @@ static const ecc_domain_parms_t domain_p
		34	{
		35	/* (-x^2 + y^2 = 1 + dx^2y^2) */
		36	"Ed25519", 256, 0,
		37	- MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519,
		38	+ MPI_EC_EDWARDS, ECC_DIALECT_ED25519,
		39	"0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
		40	"-0x01",
		41	"-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
		42	@@ -113,6 +113,22 @@ static const ecc_domain_parms_t domain_p
		43	"0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
		44	"0x6666666666666666666666666666666666666666666666666666666666666658"
		45	},
		46	+#if 0 /* No real specs yet found. */
		47	+ {
		48	+ /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */
		49	+ "Curve3617",
		50	+ "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
		51	+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF",
		52	+ MPI_EC_EDWARDS, 0,
		53	+ "0x01",
		54	+ "0x0e21",
		55	+ "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF"
		56	+ "706022B36F1C0338AD63CF181B0E71A5E106AF79",
		57	+ "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D"
		58	+ "6D6BA111301A73FAA8537C64C4FD3812F3CBC595",
		59	+ "0x22"
		60	+ },
		61	+#endif /0/
		62	{
		63	"NIST P-192", 192, 1,
		64	MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
		65	@@ -404,7 +420,7 @@ _gcry_ecc_fill_in_curve (unsigned int nb
		66	switch (domain_parms[idx].model)
		67	{
		68	case MPI_EC_WEIERSTRASS:
		69	- case MPI_EC_TWISTEDEDWARDS:
		70	+ case MPI_EC_EDWARDS:
		71	break;
		72	case MPI_EC_MONTGOMERY:
		73	return GPG_ERR_NOT_SUPPORTED;
		74	@@ -1039,7 +1055,7 @@ _gcry_ecc_get_mpi (const char *name, mpi
		75	if (name[1] != '@')
		76	return _gcry_mpi_ec_ec2os (ec->Q, ec);
		77
		78	- if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS)
		79	+ if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS)
		80	{
		81	unsigned char *encpk;
		82	unsigned int encpklen;
		83	Index: libgcrypt-1.6.3/cipher/ecc-misc.c
		84	===================================================================
		85	--- libgcrypt-1.6.3.orig/cipher/ecc-misc.c
		86	+++ libgcrypt-1.6.3/cipher/ecc-misc.c
		87	@@ -79,7 +79,7 @@ _gcry_ecc_model2str (enum gcry_mpi_ec_mo
		88	{
		89	case MPI_EC_WEIERSTRASS: str = "Weierstrass"; break;
		90	case MPI_EC_MONTGOMERY: str = "Montgomery"; break;
		91	- case MPI_EC_TWISTEDEDWARDS: str = "Twisted Edwards"; break;
		92	+ case MPI_EC_EDWARDS: str = "Edwards"; break;
		93	}
		94	return str;
		95	}
		96	@@ -252,7 +252,7 @@ _gcry_ecc_compute_public (mpi_point_t Q,
		97
		98	if (!d \|\| !G \|\| !ec->p \|\| !ec->a)
		99	return NULL;
		100	- if (ec->model == MPI_EC_TWISTEDEDWARDS && !ec->b)
		101	+ if (ec->model == MPI_EC_EDWARDS && !ec->b)
		102	return NULL;
		103
		104	if (ec->dialect == ECC_DIALECT_ED25519
		105	Index: libgcrypt-1.6.3/cipher/ecc.c
		106	===================================================================
		107	--- libgcrypt-1.6.3.orig/cipher/ecc.c
		108	+++ libgcrypt-1.6.3/cipher/ecc.c
		109	@@ -642,7 +642,7 @@ ecc_check_secret_key (gcry_sexp_t keypar
		110	if (!curvename)
		111	{
		112	sk.E.model = ((flags & PUBKEY_FLAG_EDDSA)
		113	- ? MPI_EC_TWISTEDEDWARDS
		114	+ ? MPI_EC_EDWARDS
		115	: MPI_EC_WEIERSTRASS);
		116	sk.E.dialect = ((flags & PUBKEY_FLAG_EDDSA)
		117	? ECC_DIALECT_ED25519
		118	@@ -774,7 +774,7 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_
		119	if (!curvename)
		120	{
		121	sk.E.model = ((ctx.flags & PUBKEY_FLAG_EDDSA)
		122	- ? MPI_EC_TWISTEDEDWARDS
		123	+ ? MPI_EC_EDWARDS
		124	: MPI_EC_WEIERSTRASS);
		125	sk.E.dialect = ((ctx.flags & PUBKEY_FLAG_EDDSA)
		126	? ECC_DIALECT_ED25519
		127	@@ -938,7 +938,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp
		128	if (!curvename)
		129	{
		130	pk.E.model = ((sigflags & PUBKEY_FLAG_EDDSA)
		131	- ? MPI_EC_TWISTEDEDWARDS
		132	+ ? MPI_EC_EDWARDS
		133	: MPI_EC_WEIERSTRASS);
		134	pk.E.dialect = ((sigflags & PUBKEY_FLAG_EDDSA)
		135	? ECC_DIALECT_ED25519
		136	@@ -1528,7 +1528,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_s
		137	if (!curvename)
		138	{
		139	model = ((flags & PUBKEY_FLAG_EDDSA)
		140	- ? MPI_EC_TWISTEDEDWARDS
		141	+ ? MPI_EC_EDWARDS
		142	: MPI_EC_WEIERSTRASS);
		143	dialect = ((flags & PUBKEY_FLAG_EDDSA)
		144	? ECC_DIALECT_ED25519
		145	Index: libgcrypt-1.6.3/mpi/ec.c
		146	===================================================================
		147	--- libgcrypt-1.6.3.orig/mpi/ec.c
		148	+++ libgcrypt-1.6.3/mpi/ec.c
		149	@@ -605,7 +605,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, g
		150	}
		151	return -1;
		152
		153	- case MPI_EC_TWISTEDEDWARDS:
		154	+ case MPI_EC_EDWARDS:
		155	{
		156	gcry_mpi_t z;
		157
		158	@@ -725,7 +725,7 @@ dup_point_montgomery (mpi_point_t result
		159
		160	/* RESULT = 2 * POINT (Twisted Edwards version). */
		161	static void
		162	-dup_point_twistededwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
		163	+dup_point_edwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
		164	{
		165	#define X1 (point->x)
		166	#define Y1 (point->y)
		167	@@ -811,8 +811,8 @@ _gcry_mpi_ec_dup_point (mpi_point_t resu
		168	case MPI_EC_MONTGOMERY:
		169	dup_point_montgomery (result, point, ctx);
		170	break;
		171	- case MPI_EC_TWISTEDEDWARDS:
		172	- dup_point_twistededwards (result, point, ctx);
		173	+ case MPI_EC_EDWARDS:
		174	+ dup_point_edwards (result, point, ctx);
		175	break;
		176	}
		177	}
		178	@@ -977,9 +977,9 @@ add_points_montgomery (mpi_point_t resul
		179
		180	/* RESULT = P1 + P2 (Twisted Edwards version).*/
		181	static void
		182	-add_points_twistededwards (mpi_point_t result,
		183	- mpi_point_t p1, mpi_point_t p2,
		184	- mpi_ec_t ctx)
		185	+add_points_edwards (mpi_point_t result,
		186	+ mpi_point_t p1, mpi_point_t p2,
		187	+ mpi_ec_t ctx)
		188	{
		189	#define X1 (p1->x)
		190	#define Y1 (p1->y)
		191	@@ -1087,8 +1087,8 @@ _gcry_mpi_ec_add_points (mpi_point_t res
		192	case MPI_EC_MONTGOMERY:
		193	add_points_montgomery (result, p1, p2, ctx);
		194	break;
		195	- case MPI_EC_TWISTEDEDWARDS:
		196	- add_points_twistededwards (result, p1, p2, ctx);
		197	+ case MPI_EC_EDWARDS:
		198	+ add_points_edwards (result, p1, p2, ctx);
		199	break;
		200	}
		201	}
		202	@@ -1106,7 +1106,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
		203	unsigned int i, loops;
		204	mpi_point_struct p1, p2, p1inv;
		205
		206	- if (ctx->model == MPI_EC_TWISTEDEDWARDS)
		207	+ if (ctx->model == MPI_EC_EDWARDS)
		208	{
		209	/* Simple left to right binary method. GECC Algorithm 3.27 */
		210	unsigned int nbits;
		211	@@ -1269,7 +1269,7 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point
		212	log_fatal ("%s: %s not yet supported\n",
		213	"_gcry_mpi_ec_curve_point", "Montgomery");
		214	break;
		215	- case MPI_EC_TWISTEDEDWARDS:
		216	+ case MPI_EC_EDWARDS:
		217	{
		218	/* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */
		219	ec_pow2 (x, x, ctx);
		220	Index: libgcrypt-1.6.3/src/mpi.h
		221	===================================================================
		222	--- libgcrypt-1.6.3.orig/src/mpi.h
		223	+++ libgcrypt-1.6.3/src/mpi.h
		224	@@ -245,13 +245,18 @@ void _gcry_mpi_snatch_point (gcry_mpi_t
		225	/* Models describing an elliptic curve. */
		226	enum gcry_mpi_ec_models
		227	{
		228	-
		229	+ /* The Short Weierstrass equation is
		230	+ y^2 = x^3 + ax + b
		231	+ */
		232	MPI_EC_WEIERSTRASS = 0,
		233	+ /* The Montgomery equation is
		234	+ by^2 = x^3 + ax^2 + x
		235	+ */
		236	MPI_EC_MONTGOMERY,
		237	- MPI_EC_TWISTEDEDWARDS
		238	- /* The equation for Twisted Edwards curves is
		239	+ /* The Twisted Edwards equation is
		240	ax^2 + y^2 = 1 + bx^2y^2
		241	Note that we use 'b' instead of the commonly used 'd'. */
		242	+ MPI_EC_EDWARDS
		243	};
		244
		245	/* Dialects used with elliptic curves. It is easier to keep the


diff --git a/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch new file mode 100644 index 0000000000..8093a18cf3 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch
@@ -0,0 +1,55 @@
		1	From 88e1358962e902ff1cbec8d53ba3eee46407851a Mon Sep 17 00:00:00 2001
		2	From: NIIBE Yutaka <gniibe@fsij.org>
		3	Date: Wed, 25 Nov 2015 12:46:19 +0900
		4	Subject: [PATCH] ecc: Constant-time multiplication for Weierstrass curve.
		5
		6	* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
		7	method for Weierstrass curve when SCALAR is secure.
		8
		9	Upstream-Status: Backport
		10
		11	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a
		12
		13	CVE: CVE-2015-7511 fix
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16	---
		17	mpi/ec.c \| 19 +++++++++++++++----
		18	1 file changed, 15 insertions(+), 4 deletions(-)
		19
		20	Index: libgcrypt-1.6.3/mpi/ec.c
		21	===================================================================
		22	--- libgcrypt-1.6.3.orig/mpi/ec.c
		23	+++ libgcrypt-1.6.3/mpi/ec.c
		24	@@ -1106,16 +1106,27 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
		25	unsigned int i, loops;
		26	mpi_point_struct p1, p2, p1inv;
		27
		28	- if (ctx->model == MPI_EC_EDWARDS)
		29	+ if (ctx->model == MPI_EC_EDWARDS
		30	+ \|\| (ctx->model == MPI_EC_WEIERSTRASS
		31	+ && mpi_is_secure (scalar)))
		32	{
		33	/* Simple left to right binary method. GECC Algorithm 3.27 */
		34	unsigned int nbits;
		35	int j;
		36
		37	nbits = mpi_get_nbits (scalar);
		38	- mpi_set_ui (result->x, 0);
		39	- mpi_set_ui (result->y, 1);
		40	- mpi_set_ui (result->z, 1);
		41	+ if (ctx->model == MPI_EC_WEIERSTRASS)
		42	+ {
		43	+ mpi_set_ui (result->x, 1);
		44	+ mpi_set_ui (result->y, 1);
		45	+ mpi_set_ui (result->z, 0);
		46	+ }
		47	+ else
		48	+ {
		49	+ mpi_set_ui (result->x, 0);
		50	+ mpi_set_ui (result->y, 1);
		51	+ mpi_set_ui (result->z, 1);
		52	+ }
		53
		54	if (mpi_is_secure (scalar))
		55	{


diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb index c49c0e7c17..40b7387b34 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
@@ -1,4 +1,9 @@
1	require libgcrypt.inc	1	require libgcrypt.inc
2		2
		3	SRC_URI += "\
		4	file://CVE-2015-7511_1.patch \
		5	file://CVE-2015-7511_2.patch \
		6	"
		7
3	SRC_URI[md5sum] = "d19adc062edff0ebc7e887212733ef1f"	8	SRC_URI[md5sum] = "d19adc062edff0ebc7e887212733ef1f"
4	SRC_URI[sha256sum] = "936921644b9c81e2395e18a554a9a5f9252aae3976f8afc3e4229ee9d785e627"	9	SRC_URI[sha256sum] = "936921644b9c81e2395e18a554a9a5f9252aae3976f8afc3e4229ee9d785e627"