summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-13 17:34:00 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-03 11:11:40 (GMT)
commitd25973e203b8298005389983bf17f613c940c40e (patch)
treec4c01eac73f17ebf2a6697162aa0ff28a38cea60
parente1a2fb6e857c0d15c12324be64654ff0a314cc57 (diff)
downloadpoky-d25973e203b8298005389983bf17f613c940c40e.tar.gz
libgcrypt: Security fix CVE-2015-7511
CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves affects libgcrypt < 1.6.5 adjust SRC_URI + for this version. Patch 1 is a dependancy patch. simple macro name change. Patch 2 is the cve fix. (From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c) (From OE-Core rev: 88ba5ea3f3a421ac91d670e450f4b0645a53d733) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch245
-rw-r--r--meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch55
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb5
3 files changed, 305 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch
new file mode 100644
index 0000000..14c25b9
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch
@@ -0,0 +1,245 @@
1From 2ef48ba59c32bfa1a9265d5eea8ab225a658903a Mon Sep 17 00:00:00 2001
2From: Werner Koch <wk@gnupg.org>
3Date: Thu, 9 Jan 2014 19:14:09 +0100
4Subject: [PATCH] ecc: Make a macro shorter.
5
6* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS. CHnage
7all users.
8* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
9comment.
10* mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards.
11(add_points_twistededwards): Rename to add_points_edwards.
12
13Signed-off-by: Werner Koch <wk@gnupg.org>
14
15Upstream-Status: Backport
162ef48ba59c32bfa1a9265d5eea8ab225a658903a
17
18CVE: CVE-2015-7511 depend patch
19Signed-off-by: Armin Kuster <akuster@mvista.com>
20
21---
22 cipher/ecc-curves.c | 22 +++++++++++++++++++---
23 cipher/ecc-misc.c | 4 ++--
24 cipher/ecc.c | 8 ++++----
25 mpi/ec.c | 22 +++++++++++-----------
26 src/mpi.h | 11 ++++++++---
27 5 files changed, 44 insertions(+), 23 deletions(-)
28
29Index: libgcrypt-1.6.3/cipher/ecc-curves.c
30===================================================================
31--- libgcrypt-1.6.3.orig/cipher/ecc-curves.c
32+++ libgcrypt-1.6.3/cipher/ecc-curves.c
33@@ -105,7 +105,7 @@ static const ecc_domain_parms_t domain_p
34 {
35 /* (-x^2 + y^2 = 1 + dx^2y^2) */
36 "Ed25519", 256, 0,
37- MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519,
38+ MPI_EC_EDWARDS, ECC_DIALECT_ED25519,
39 "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
40 "-0x01",
41 "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
42@@ -113,6 +113,22 @@ static const ecc_domain_parms_t domain_p
43 "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
44 "0x6666666666666666666666666666666666666666666666666666666666666658"
45 },
46+#if 0 /* No real specs yet found. */
47+ {
48+ /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */
49+ "Curve3617",
50+ "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
51+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF",
52+ MPI_EC_EDWARDS, 0,
53+ "0x01",
54+ "0x0e21",
55+ "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF"
56+ "706022B36F1C0338AD63CF181B0E71A5E106AF79",
57+ "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D"
58+ "6D6BA111301A73FAA8537C64C4FD3812F3CBC595",
59+ "0x22"
60+ },
61+#endif /*0*/
62 {
63 "NIST P-192", 192, 1,
64 MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
65@@ -404,7 +420,7 @@ _gcry_ecc_fill_in_curve (unsigned int nb
66 switch (domain_parms[idx].model)
67 {
68 case MPI_EC_WEIERSTRASS:
69- case MPI_EC_TWISTEDEDWARDS:
70+ case MPI_EC_EDWARDS:
71 break;
72 case MPI_EC_MONTGOMERY:
73 return GPG_ERR_NOT_SUPPORTED;
74@@ -1039,7 +1055,7 @@ _gcry_ecc_get_mpi (const char *name, mpi
75 if (name[1] != '@')
76 return _gcry_mpi_ec_ec2os (ec->Q, ec);
77
78- if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS)
79+ if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS)
80 {
81 unsigned char *encpk;
82 unsigned int encpklen;
83Index: libgcrypt-1.6.3/cipher/ecc-misc.c
84===================================================================
85--- libgcrypt-1.6.3.orig/cipher/ecc-misc.c
86+++ libgcrypt-1.6.3/cipher/ecc-misc.c
87@@ -79,7 +79,7 @@ _gcry_ecc_model2str (enum gcry_mpi_ec_mo
88 {
89 case MPI_EC_WEIERSTRASS: str = "Weierstrass"; break;
90 case MPI_EC_MONTGOMERY: str = "Montgomery"; break;
91- case MPI_EC_TWISTEDEDWARDS: str = "Twisted Edwards"; break;
92+ case MPI_EC_EDWARDS: str = "Edwards"; break;
93 }
94 return str;
95 }
96@@ -252,7 +252,7 @@ _gcry_ecc_compute_public (mpi_point_t Q,
97
98 if (!d || !G || !ec->p || !ec->a)
99 return NULL;
100- if (ec->model == MPI_EC_TWISTEDEDWARDS && !ec->b)
101+ if (ec->model == MPI_EC_EDWARDS && !ec->b)
102 return NULL;
103
104 if (ec->dialect == ECC_DIALECT_ED25519
105Index: libgcrypt-1.6.3/cipher/ecc.c
106===================================================================
107--- libgcrypt-1.6.3.orig/cipher/ecc.c
108+++ libgcrypt-1.6.3/cipher/ecc.c
109@@ -642,7 +642,7 @@ ecc_check_secret_key (gcry_sexp_t keypar
110 if (!curvename)
111 {
112 sk.E.model = ((flags & PUBKEY_FLAG_EDDSA)
113- ? MPI_EC_TWISTEDEDWARDS
114+ ? MPI_EC_EDWARDS
115 : MPI_EC_WEIERSTRASS);
116 sk.E.dialect = ((flags & PUBKEY_FLAG_EDDSA)
117 ? ECC_DIALECT_ED25519
118@@ -774,7 +774,7 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_
119 if (!curvename)
120 {
121 sk.E.model = ((ctx.flags & PUBKEY_FLAG_EDDSA)
122- ? MPI_EC_TWISTEDEDWARDS
123+ ? MPI_EC_EDWARDS
124 : MPI_EC_WEIERSTRASS);
125 sk.E.dialect = ((ctx.flags & PUBKEY_FLAG_EDDSA)
126 ? ECC_DIALECT_ED25519
127@@ -938,7 +938,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp
128 if (!curvename)
129 {
130 pk.E.model = ((sigflags & PUBKEY_FLAG_EDDSA)
131- ? MPI_EC_TWISTEDEDWARDS
132+ ? MPI_EC_EDWARDS
133 : MPI_EC_WEIERSTRASS);
134 pk.E.dialect = ((sigflags & PUBKEY_FLAG_EDDSA)
135 ? ECC_DIALECT_ED25519
136@@ -1528,7 +1528,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_s
137 if (!curvename)
138 {
139 model = ((flags & PUBKEY_FLAG_EDDSA)
140- ? MPI_EC_TWISTEDEDWARDS
141+ ? MPI_EC_EDWARDS
142 : MPI_EC_WEIERSTRASS);
143 dialect = ((flags & PUBKEY_FLAG_EDDSA)
144 ? ECC_DIALECT_ED25519
145Index: libgcrypt-1.6.3/mpi/ec.c
146===================================================================
147--- libgcrypt-1.6.3.orig/mpi/ec.c
148+++ libgcrypt-1.6.3/mpi/ec.c
149@@ -605,7 +605,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, g
150 }
151 return -1;
152
153- case MPI_EC_TWISTEDEDWARDS:
154+ case MPI_EC_EDWARDS:
155 {
156 gcry_mpi_t z;
157
158@@ -725,7 +725,7 @@ dup_point_montgomery (mpi_point_t result
159
160 /* RESULT = 2 * POINT (Twisted Edwards version). */
161 static void
162-dup_point_twistededwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
163+dup_point_edwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
164 {
165 #define X1 (point->x)
166 #define Y1 (point->y)
167@@ -811,8 +811,8 @@ _gcry_mpi_ec_dup_point (mpi_point_t resu
168 case MPI_EC_MONTGOMERY:
169 dup_point_montgomery (result, point, ctx);
170 break;
171- case MPI_EC_TWISTEDEDWARDS:
172- dup_point_twistededwards (result, point, ctx);
173+ case MPI_EC_EDWARDS:
174+ dup_point_edwards (result, point, ctx);
175 break;
176 }
177 }
178@@ -977,9 +977,9 @@ add_points_montgomery (mpi_point_t resul
179
180 /* RESULT = P1 + P2 (Twisted Edwards version).*/
181 static void
182-add_points_twistededwards (mpi_point_t result,
183- mpi_point_t p1, mpi_point_t p2,
184- mpi_ec_t ctx)
185+add_points_edwards (mpi_point_t result,
186+ mpi_point_t p1, mpi_point_t p2,
187+ mpi_ec_t ctx)
188 {
189 #define X1 (p1->x)
190 #define Y1 (p1->y)
191@@ -1087,8 +1087,8 @@ _gcry_mpi_ec_add_points (mpi_point_t res
192 case MPI_EC_MONTGOMERY:
193 add_points_montgomery (result, p1, p2, ctx);
194 break;
195- case MPI_EC_TWISTEDEDWARDS:
196- add_points_twistededwards (result, p1, p2, ctx);
197+ case MPI_EC_EDWARDS:
198+ add_points_edwards (result, p1, p2, ctx);
199 break;
200 }
201 }
202@@ -1106,7 +1106,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
203 unsigned int i, loops;
204 mpi_point_struct p1, p2, p1inv;
205
206- if (ctx->model == MPI_EC_TWISTEDEDWARDS)
207+ if (ctx->model == MPI_EC_EDWARDS)
208 {
209 /* Simple left to right binary method. GECC Algorithm 3.27 */
210 unsigned int nbits;
211@@ -1269,7 +1269,7 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point
212 log_fatal ("%s: %s not yet supported\n",
213 "_gcry_mpi_ec_curve_point", "Montgomery");
214 break;
215- case MPI_EC_TWISTEDEDWARDS:
216+ case MPI_EC_EDWARDS:
217 {
218 /* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */
219 ec_pow2 (x, x, ctx);
220Index: libgcrypt-1.6.3/src/mpi.h
221===================================================================
222--- libgcrypt-1.6.3.orig/src/mpi.h
223+++ libgcrypt-1.6.3/src/mpi.h
224@@ -245,13 +245,18 @@ void _gcry_mpi_snatch_point (gcry_mpi_t
225 /* Models describing an elliptic curve. */
226 enum gcry_mpi_ec_models
227 {
228-
229+ /* The Short Weierstrass equation is
230+ y^2 = x^3 + ax + b
231+ */
232 MPI_EC_WEIERSTRASS = 0,
233+ /* The Montgomery equation is
234+ by^2 = x^3 + ax^2 + x
235+ */
236 MPI_EC_MONTGOMERY,
237- MPI_EC_TWISTEDEDWARDS
238- /* The equation for Twisted Edwards curves is
239+ /* The Twisted Edwards equation is
240 ax^2 + y^2 = 1 + bx^2y^2
241 Note that we use 'b' instead of the commonly used 'd'. */
242+ MPI_EC_EDWARDS
243 };
244
245 /* Dialects used with elliptic curves. It is easier to keep the
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch
new file mode 100644
index 0000000..8093a18
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch
@@ -0,0 +1,55 @@
1From 88e1358962e902ff1cbec8d53ba3eee46407851a Mon Sep 17 00:00:00 2001
2From: NIIBE Yutaka <gniibe@fsij.org>
3Date: Wed, 25 Nov 2015 12:46:19 +0900
4Subject: [PATCH] ecc: Constant-time multiplication for Weierstrass curve.
5
6* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
7method for Weierstrass curve when SCALAR is secure.
8
9Upstream-Status: Backport
10
11http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a
12
13CVE: CVE-2015-7511 fix
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16---
17 mpi/ec.c | 19 +++++++++++++++----
18 1 file changed, 15 insertions(+), 4 deletions(-)
19
20Index: libgcrypt-1.6.3/mpi/ec.c
21===================================================================
22--- libgcrypt-1.6.3.orig/mpi/ec.c
23+++ libgcrypt-1.6.3/mpi/ec.c
24@@ -1106,16 +1106,27 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
25 unsigned int i, loops;
26 mpi_point_struct p1, p2, p1inv;
27
28- if (ctx->model == MPI_EC_EDWARDS)
29+ if (ctx->model == MPI_EC_EDWARDS
30+ || (ctx->model == MPI_EC_WEIERSTRASS
31+ && mpi_is_secure (scalar)))
32 {
33 /* Simple left to right binary method. GECC Algorithm 3.27 */
34 unsigned int nbits;
35 int j;
36
37 nbits = mpi_get_nbits (scalar);
38- mpi_set_ui (result->x, 0);
39- mpi_set_ui (result->y, 1);
40- mpi_set_ui (result->z, 1);
41+ if (ctx->model == MPI_EC_WEIERSTRASS)
42+ {
43+ mpi_set_ui (result->x, 1);
44+ mpi_set_ui (result->y, 1);
45+ mpi_set_ui (result->z, 0);
46+ }
47+ else
48+ {
49+ mpi_set_ui (result->x, 0);
50+ mpi_set_ui (result->y, 1);
51+ mpi_set_ui (result->z, 1);
52+ }
53
54 if (mpi_is_secure (scalar))
55 {
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
index c49c0e7..40b7387 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
@@ -1,4 +1,9 @@
1require libgcrypt.inc 1require libgcrypt.inc
2 2
3SRC_URI += "\
4 file://CVE-2015-7511_1.patch \
5 file://CVE-2015-7511_2.patch \
6 "
7
3SRC_URI[md5sum] = "d19adc062edff0ebc7e887212733ef1f" 8SRC_URI[md5sum] = "d19adc062edff0ebc7e887212733ef1f"
4SRC_URI[sha256sum] = "936921644b9c81e2395e18a554a9a5f9252aae3976f8afc3e4229ee9d785e627" 9SRC_URI[sha256sum] = "936921644b9c81e2395e18a554a9a5f9252aae3976f8afc3e4229ee9d785e627"