libgcrypt: fix CVE-2017-7526

Fixes CVE-2017-7526, 'flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster"'. (From OE-Core rev: 1a713fb654a31a6dd218dc1b5b810e2b380ecbb1) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2017-07-19 14:27:31 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-07-19 15:13:46 +0100
commit: ccc964cf9fde0d71d289c22c2a231f0021461012 (patch)
tree: 00e6e7730ad97cf0288ba74dddf2ec877f865be6
parent: 50fdd784231299bedb008f20adeaeeca3eb1452d (diff)
download: poky-ccc964cf9fde0d71d289c22c2a231f0021461012.tar.gz
2 files changed, 456 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch
new file mode 100644
index 0000000000..c9541d44f3
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch
@@ -0,0 +1,455 @@
+Flush+reload side-channel attack on RSA secret keys dubbed "Sliding right
+into disaster".
+CVE: CVE-2017-7526
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 8ae178108eb3c64b40dcb4d1c1943205a86db724 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 4 Apr 2017 17:38:05 +0900
+Subject: [PATCH 1/5] mpi: Simplify mpi_powm.
+* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.
+--
+This fix is not a solution for the problem reported (yet).  The
+problem is that the current algorithm of _gcry_mpi_powm depends on
+exponent and some information leaks is possible.
+Reported-by: Andreas Zankl <andreas.zankl@aisec.fraunhofer.de>
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(backport from master commit:
+719468e53133d3bdf12156c5bfdea2bf15f9f6f1)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ mpi/mpi-pow.c | 105 +++++++++++++++++-----------------------------------------
+ 1 file changed, 30 insertions(+), 75 deletions(-)
+diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
+index 70bf9e84..c00cfed3 100644
+--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
+@@ -613,12 +613,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
+       if (e == 0)
+         {
+           j += c;
+-          i--;
+-          if ( i < 0 )
+-            {
+-              c = 0;
+-              break;
+-            }
+          if ( --i < 0 )
+            break;
+ 
+           e = ep[i];
+           c = BITS_PER_MPI_LIMB;
+@@ -633,38 +629,33 @@ _gcry_mpi_powm (gcry_mpi_t res,
+           c -= c0;
+           j += c0;
+ 
+          e0 = (e >> (BITS_PER_MPI_LIMB - W));
+           if (c >= W)
+-            {
+-              e0 = (e >> (BITS_PER_MPI_LIMB - W));
+-              e = (e << W);
+-              c -= W;
+-            }
+            c0 = 0;
+           else
+             {
+-              i--;
+-              if ( i < 0 )
+              if ( --i < 0 )
+                 {
+-                  e = (e >> (BITS_PER_MPI_LIMB - c));
+-                  break;
+                  e0 = (e >> (BITS_PER_MPI_LIMB - c));
+                  j += c - W;
+                  goto last_step;
+                }
+              else
+                {
+                  c0 = c;
+                  e = ep[i];
+                  c = BITS_PER_MPI_LIMB;
+                  e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0)));
+                 }
+-
+-              c0 = c;
+-              e0 = (e >> (BITS_PER_MPI_LIMB - W))
+-                | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0));
+-              e = (ep[i] << (W - c0));
+-              c = BITS_PER_MPI_LIMB - W + c0;
+             }
+ 
+          e = e << (W - c0);
+          c -= (W - c0);
+
+        last_step:
+           count_trailing_zeros (c0, e0);
+           e0 = (e0 >> c0) >> 1;
+ 
+-          for (j += W - c0; j; j--)
+-            {
+-              mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
+-              tp = rp; rp = xp; xp = tp;
+-              rsize = xsize;
+-            }
+-
+           /*
+            *  base_u <= precomp[e0]
+            *  base_u_size <= precomp_size[e0]
+@@ -681,25 +672,23 @@ _gcry_mpi_powm (gcry_mpi_t res,
+               u.d = precomp[k];
+ 
+               mpi_set_cond (&w, &u, k == e0);
+-              base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
+              base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
+             }
+ 
+-          mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
+-                   mp, msize, &karactx);
+-          tp = rp; rp = xp; xp = tp;
+-          rsize = xsize;
+          for (j += W - c0; j >= 0; j--)
+            {
+              mul_mod (xp, &xsize, rp, rsize,
+                       j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
+                       mp, msize, &karactx);
+              tp = rp; rp = xp; xp = tp;
+              rsize = xsize;
+            }
+ 
+           j = c0;
+          if ( i < 0 )
+            break;
+         }
+ 
+-    if (c != 0)
+-      {
+-        j += c;
+-        count_trailing_zeros (c, e);
+-        e = (e >> c);
+-        j -= c;
+-      }
+-
+     while (j--)
+       {
+         mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
+@@ -707,40 +696,6 @@ _gcry_mpi_powm (gcry_mpi_t res,
+         rsize = xsize;
+       }
+ 
+-    if (e != 0)
+-      {
+-        /*
+-         * base_u <= precomp[(e>>1)]
+-         * base_u_size <= precomp_size[(e>>1)]
+-         */
+-        base_u_size = 0;
+-        for (k = 0; k < (1<< (W - 1)); k++)
+-          {
+-            struct gcry_mpi w, u;
+-            w.alloced = w.nlimbs = precomp_size[k];
+-            u.alloced = u.nlimbs = precomp_size[k];
+-            w.sign = u.sign = 0;
+-            w.flags = u.flags = 0;
+-            w.d = base_u;
+-            u.d = precomp[k];
+-
+-            mpi_set_cond (&w, &u, k == (e>>1));
+-            base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) );
+-          }
+-
+-        mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
+-                 mp, msize, &karactx);
+-        tp = rp; rp = xp; xp = tp;
+-        rsize = xsize;
+-
+-        for (; c; c--)
+-          {
+-            mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
+-            tp = rp; rp = xp; xp = tp;
+-            rsize = xsize;
+-          }
+-      }
+-
+     /* We shifted MOD, the modulo reduction argument, left
+        MOD_SHIFT_CNT steps.  Adjust the result by reducing it with the
+        original MOD.
+-- 
+2.11.0
+From ab6d34849f33d16e1da2b09e3d938bcb0f48f682 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Sat, 24 Jun 2017 20:46:20 +0900
+Subject: [PATCH 2/5] Same computation for square and multiply.
+* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size.  Move
+the assignment to base_u into the loop.  Copy content refered by RP to
+BASE_U except the last of the loop.
+--
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(backport from master commit:
+78130828e9a140a9de4dafadbc844dbb64cb709a)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ mpi/mpi-pow.c | 50 +++++++++++++++++++++++++++++---------------------
+ 1 file changed, 29 insertions(+), 21 deletions(-)
+diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
+index c00cfed3..0d74f28c 100644
+--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
+@@ -577,6 +577,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
+         MPN_COPY (precomp[i], rp, rsize);
+       }
+ 
+    if (msize > max_u_size)
+      max_u_size = msize;
+     base_u = mpi_alloc_limb_space (max_u_size, esec);
+     MPN_ZERO (base_u, max_u_size);
+ 
+@@ -623,6 +625,10 @@ _gcry_mpi_powm (gcry_mpi_t res,
+         {
+           int c0;
+           mpi_limb_t e0;
+          struct gcry_mpi w, u;
+          w.sign = u.sign = 0;
+          w.flags = u.flags = 0;
+          w.d = base_u;
+ 
+           count_leading_zeros (c0, e);
+           e = (e << c0);
+@@ -656,29 +662,31 @@ _gcry_mpi_powm (gcry_mpi_t res,
+           count_trailing_zeros (c0, e0);
+           e0 = (e0 >> c0) >> 1;
+ 
+-          /*
+-           *  base_u <= precomp[e0]
+-           *  base_u_size <= precomp_size[e0]
+-           */
+-          base_u_size = 0;
+-          for (k = 0; k < (1<< (W - 1)); k++)
+-            {
+-              struct gcry_mpi w, u;
+-              w.alloced = w.nlimbs = precomp_size[k];
+-              u.alloced = u.nlimbs = precomp_size[k];
+-              w.sign = u.sign = 0;
+-              w.flags = u.flags = 0;
+-              w.d = base_u;
+-              u.d = precomp[k];
+-
+-              mpi_set_cond (&w, &u, k == e0);
+-              base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
+-            }
+-
+           for (j += W - c0; j >= 0; j--)
+             {
+-              mul_mod (xp, &xsize, rp, rsize,
+-                       j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
+
+              /*
+               *  base_u <= precomp[e0]
+               *  base_u_size <= precomp_size[e0]
+               */
+              base_u_size = 0;
+              for (k = 0; k < (1<< (W - 1)); k++)
+                {
+                  w.alloced = w.nlimbs = precomp_size[k];
+                  u.alloced = u.nlimbs = precomp_size[k];
+                  u.d = precomp[k];
+
+                  mpi_set_cond (&w, &u, k == e0);
+                  base_u_size |= ( precomp_size[k] & (0UL - (k == e0)) );
+                }
+
+              w.alloced = w.nlimbs = rsize;
+              u.alloced = u.nlimbs = rsize;
+              u.d = rp;
+              mpi_set_cond (&w, &u, j != 0);
+              base_u_size ^= ((base_u_size ^ rsize)  & (0UL - (j != 0)));
+
+              mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
+                        mp, msize, &karactx);
+               tp = rp; rp = xp; xp = tp;
+               rsize = xsize;
+-- 
+2.11.0
+From b5370d527612d2c453a366729f07892974b28ba8 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 29 Jun 2017 11:48:44 +0900
+Subject: [PATCH 3/5] rsa: Add exponent blinding.
+* cipher/rsa.c (secret): Blind secret D with randomized nonce R for
+mpi_powm computation.
+--
+Co-authored-by: Werner Koch <wk@gnupg.org>
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+The paper describing attack: https://eprint.iacr.org/2017/627
+Sliding right into disaster: Left-to-right sliding windows leak
+by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and
+Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and
+Christine van Vredendaal and Yuval Yarom
+  It is well known that constant-time implementations of modular
+  exponentiation cannot use sliding windows. However, software
+  libraries such as Libgcrypt, used by GnuPG, continue to use sliding
+  windows. It is widely believed that, even if the complete pattern of
+  squarings and multiplications is observed through a side-channel
+  attack, the number of exponent bits leaked is not sufficient to
+  carry out a full key-recovery attack against RSA. Specifically,
+  4-bit sliding windows leak only 40% of the bits, and 5-bit sliding
+  windows leak only 33% of the bits.
+  In this paper we demonstrate a complete break of RSA-1024 as
+  implemented in Libgcrypt. Our attack makes essential use of the fact
+  that Libgcrypt uses the left-to-right method for computing the
+  sliding-window expansion. We show for the first time that the
+  direction of the encoding matters: the pattern of squarings and
+  multiplications in left-to-right sliding windows leaks significantly
+  more information about exponent bits than for right-to-left. We show
+  how to incorporate this additional information into the
+  Heninger-Shacham algorithm for partial key reconstruction, and use
+  it to obtain very efficient full key recovery for RSA-1024. We also
+  provide strong evidence that the same attack works for RSA-2048 with
+  only moderately more computation.
+Exponent blinding is a kind of workaround to add noise.  Signal (leak)
+is still there for non-constant-time implementation.
+(backported from master commit:
+8725c99ffa41778f382ca97233183bcd687bb0ce)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ cipher/rsa.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 0b98b6a8..d8658476 100644
+--- a/cipher/rsa.c
+++ b/cipher/rsa.c
+@@ -724,15 +724,33 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
+       gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+       gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+       gcry_mpi_t h  = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-
+-      /* m1 = c ^ (d mod (p-1)) mod p */
+      gcry_mpi_t D_blind = mpi_alloc_secure ( mpi_get_nlimbs(skey->n) + 1 );
+      gcry_mpi_t r;
+      unsigned int r_nbits;
+
+      r_nbits = mpi_get_nbits (skey->p) / 4;
+      if (r_nbits < 96)
+        r_nbits = 96;
+      r = mpi_alloc_secure ((r_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB);
+
+      /* d_blind = (d mod (p-1)) + (p-1) * r */
+      /* m1 = c ^ d_blind mod p */
+      _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
+      mpi_set_highbit (r, r_nbits - 1);
+       mpi_sub_ui( h, skey->p, 1  );
+-      mpi_fdiv_r( h, skey->d, h );
+-      mpi_powm( m1, input, h, skey->p );
+-      /* m2 = c ^ (d mod (q-1)) mod q */
+      mpi_mul ( D_blind, h, r );
+      mpi_fdiv_r ( h, skey->d, h );
+      mpi_add ( D_blind, D_blind, h );
+      mpi_powm( m1, input, D_blind, skey->p );
+      /* d_blind = (d mod (q-1)) + (q-1) * r */
+      /* m2 = c ^ d_blind mod q */
+      _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
+      mpi_set_highbit (r, r_nbits - 1);
+       mpi_sub_ui( h, skey->q, 1  );
+-      mpi_fdiv_r( h, skey->d, h );
+-      mpi_powm( m2, input, h, skey->q );
+      mpi_mul ( D_blind, h, r );
+      mpi_fdiv_r ( h, skey->d, h );
+      mpi_add ( D_blind, D_blind, h );
+      mpi_powm( m2, input, D_blind, skey->q );
+       /* h = u * ( m2 - m1 ) mod q */
+       mpi_sub( h, m2, m1 );
+       if ( mpi_has_sign ( h ) )
+-- 
+2.11.0
+From b7c572550b8759f2b0e45ee72df0494700b26da1 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 29 Jun 2017 12:36:27 +0900
+Subject: [PATCH 4/5] rsa: Fix exponent blinding.
+* cipher/rsa.c (secret): Free D_BLIND.
+--
+Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ cipher/rsa.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index d8658476..9474fe89 100644
+--- a/cipher/rsa.c
+++ b/cipher/rsa.c
+@@ -760,6 +760,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
+       mpi_mul ( h, h, skey->p );
+       mpi_add ( output, m1, h );
+ 
+      mpi_free ( D_blind );
+       mpi_free ( h );
+       mpi_free ( m1 );
+       mpi_free ( m2 );
+-- 
+2.11.0
+From e5a5f14bdd8d6265f85264575a1f3c3307306849 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 29 Jun 2017 12:40:19 +0900
+Subject: [PATCH 5/5] rsa: More fix.
+* cipher/rsa.c (secret): Free R.
+--
+Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ cipher/rsa.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 9474fe89..b151b39f 100644
+--- a/cipher/rsa.c
+++ b/cipher/rsa.c
+@@ -760,6 +760,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
+       mpi_mul ( h, h, skey->p );
+       mpi_add ( output, m1, h );
+ 
+      mpi_free ( r );
+       mpi_free ( D_blind );
+       mpi_free ( h );
+       mpi_free ( m1 );
+-- 
+2.11.0
diff --git a/meta/recipes-support/libgcrypt/libgcrypt.inc b/meta/recipes-support/libgcrypt/libgcrypt.inc
index 5478253e06..404f870db0 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt.inc
+++ b/meta/recipes-support/libgcrypt/libgcrypt.inc
@@ -18,6 +18,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-${PV}.tar.gz \
           file://add-pkgconfig-support.patch \
           file://libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
           file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \
+           file://CVE-2017-7526.patch \
 "
 BINCONFIG = "${bindir}/libgcrypt-config"
author	Ross Burton <ross.burton@intel.com>	2017-07-19 14:27:31 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-07-19 15:13:46 +0100
commit	ccc964cf9fde0d71d289c22c2a231f0021461012 (patch)
tree	00e6e7730ad97cf0288ba74dddf2ec877f865be6
parent	50fdd784231299bedb008f20adeaeeca3eb1452d (diff)
download	poky-ccc964cf9fde0d71d289c22c2a231f0021461012.tar.gz

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch new file mode 100644 index 0000000000..c9541d44f3 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch
@@ -0,0 +1,455 @@
		1	Flush+reload side-channel attack on RSA secret keys dubbed "Sliding right
		2	into disaster".
		3
		4	CVE: CVE-2017-7526
		5	Upstream-Status: Backport
		6	Signed-off-by: Ross Burton <ross.burton@intel.com>
		7
		8	From 8ae178108eb3c64b40dcb4d1c1943205a86db724 Mon Sep 17 00:00:00 2001
		9	From: NIIBE Yutaka <gniibe@fsij.org>
		10	Date: Tue, 4 Apr 2017 17:38:05 +0900
		11	Subject: [PATCH 1/5] mpi: Simplify mpi_powm.
		12
		13	* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.
		14
		15	--
		16
		17	This fix is not a solution for the problem reported (yet). The
		18	problem is that the current algorithm of _gcry_mpi_powm depends on
		19	exponent and some information leaks is possible.
		20
		21	Reported-by: Andreas Zankl <andreas.zankl@aisec.fraunhofer.de>
		22	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		23
		24	(backport from master commit:
		25	719468e53133d3bdf12156c5bfdea2bf15f9f6f1)
		26
		27	Signed-off-by: Ross Burton <ross.burton@intel.com>
		28	---
		29	mpi/mpi-pow.c \| 105 +++++++++++++++++-----------------------------------------
		30	1 file changed, 30 insertions(+), 75 deletions(-)
		31
		32	diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
		33	index 70bf9e84..c00cfed3 100644
		34	--- a/mpi/mpi-pow.c
		35	+++ b/mpi/mpi-pow.c
		36	@@ -613,12 +613,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
		37	if (e == 0)
		38	{
		39	j += c;
		40	- i--;
		41	- if ( i < 0 )
		42	- {
		43	- c = 0;
		44	- break;
		45	- }
		46	+ if ( --i < 0 )
		47	+ break;
		48
		49	e = ep[i];
		50	c = BITS_PER_MPI_LIMB;
		51	@@ -633,38 +629,33 @@ _gcry_mpi_powm (gcry_mpi_t res,
		52	c -= c0;
		53	j += c0;
		54
		55	+ e0 = (e >> (BITS_PER_MPI_LIMB - W));
		56	if (c >= W)
		57	- {
		58	- e0 = (e >> (BITS_PER_MPI_LIMB - W));
		59	- e = (e << W);
		60	- c -= W;
		61	- }
		62	+ c0 = 0;
		63	else
		64	{
		65	- i--;
		66	- if ( i < 0 )
		67	+ if ( --i < 0 )
		68	{
		69	- e = (e >> (BITS_PER_MPI_LIMB - c));
		70	- break;
		71	+ e0 = (e >> (BITS_PER_MPI_LIMB - c));
		72	+ j += c - W;
		73	+ goto last_step;
		74	+ }
		75	+ else
		76	+ {
		77	+ c0 = c;
		78	+ e = ep[i];
		79	+ c = BITS_PER_MPI_LIMB;
		80	+ e0 \|= (e >> (BITS_PER_MPI_LIMB - (W - c0)));
		81	}
		82	-
		83	- c0 = c;
		84	- e0 = (e >> (BITS_PER_MPI_LIMB - W))
		85	- \| (ep[i] >> (BITS_PER_MPI_LIMB - W + c0));
		86	- e = (ep[i] << (W - c0));
		87	- c = BITS_PER_MPI_LIMB - W + c0;
		88	}
		89
		90	+ e = e << (W - c0);
		91	+ c -= (W - c0);
		92	+
		93	+ last_step:
		94	count_trailing_zeros (c0, e0);
		95	e0 = (e0 >> c0) >> 1;
		96
		97	- for (j += W - c0; j; j--)
		98	- {
		99	- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
		100	- tp = rp; rp = xp; xp = tp;
		101	- rsize = xsize;
		102	- }
		103	-
		104	/*
		105	* base_u <= precomp[e0]
		106	* base_u_size <= precomp_size[e0]
		107	@@ -681,25 +672,23 @@ _gcry_mpi_powm (gcry_mpi_t res,
		108	u.d = precomp[k];
		109
		110	mpi_set_cond (&w, &u, k == e0);
		111	- base_u_size \|= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
		112	+ base_u_size \|= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
		113	}
		114
		115	- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
		116	- mp, msize, &karactx);
		117	- tp = rp; rp = xp; xp = tp;
		118	- rsize = xsize;
		119	+ for (j += W - c0; j >= 0; j--)
		120	+ {
		121	+ mul_mod (xp, &xsize, rp, rsize,
		122	+ j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
		123	+ mp, msize, &karactx);
		124	+ tp = rp; rp = xp; xp = tp;
		125	+ rsize = xsize;
		126	+ }
		127
		128	j = c0;
		129	+ if ( i < 0 )
		130	+ break;
		131	}
		132
		133	- if (c != 0)
		134	- {
		135	- j += c;
		136	- count_trailing_zeros (c, e);
		137	- e = (e >> c);
		138	- j -= c;
		139	- }
		140	-
		141	while (j--)
		142	{
		143	mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
		144	@@ -707,40 +696,6 @@ _gcry_mpi_powm (gcry_mpi_t res,
		145	rsize = xsize;
		146	}
		147
		148	- if (e != 0)
		149	- {
		150	- /*
		151	- * base_u <= precomp[(e>>1)]
		152	- * base_u_size <= precomp_size[(e>>1)]
		153	- */
		154	- base_u_size = 0;
		155	- for (k = 0; k < (1<< (W - 1)); k++)
		156	- {
		157	- struct gcry_mpi w, u;
		158	- w.alloced = w.nlimbs = precomp_size[k];
		159	- u.alloced = u.nlimbs = precomp_size[k];
		160	- w.sign = u.sign = 0;
		161	- w.flags = u.flags = 0;
		162	- w.d = base_u;
		163	- u.d = precomp[k];
		164	-
		165	- mpi_set_cond (&w, &u, k == (e>>1));
		166	- base_u_size \|= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) );
		167	- }
		168	-
		169	- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
		170	- mp, msize, &karactx);
		171	- tp = rp; rp = xp; xp = tp;
		172	- rsize = xsize;
		173	-
		174	- for (; c; c--)
		175	- {
		176	- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
		177	- tp = rp; rp = xp; xp = tp;
		178	- rsize = xsize;
		179	- }
		180	- }
		181	-
		182	/* We shifted MOD, the modulo reduction argument, left
		183	MOD_SHIFT_CNT steps. Adjust the result by reducing it with the
		184	original MOD.
		185	--
		186	2.11.0
		187
		188
		189	From ab6d34849f33d16e1da2b09e3d938bcb0f48f682 Mon Sep 17 00:00:00 2001
		190	From: NIIBE Yutaka <gniibe@fsij.org>
		191	Date: Sat, 24 Jun 2017 20:46:20 +0900
		192	Subject: [PATCH 2/5] Same computation for square and multiply.
		193
		194	* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move
		195	the assignment to base_u into the loop. Copy content refered by RP to
		196	BASE_U except the last of the loop.
		197
		198	--
		199
		200	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		201	(backport from master commit:
		202	78130828e9a140a9de4dafadbc844dbb64cb709a)
		203
		204	Signed-off-by: Ross Burton <ross.burton@intel.com>
		205	---
		206	mpi/mpi-pow.c \| 50 +++++++++++++++++++++++++++++---------------------
		207	1 file changed, 29 insertions(+), 21 deletions(-)
		208
		209	diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
		210	index c00cfed3..0d74f28c 100644
		211	--- a/mpi/mpi-pow.c
		212	+++ b/mpi/mpi-pow.c
		213	@@ -577,6 +577,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
		214	MPN_COPY (precomp[i], rp, rsize);
		215	}
		216
		217	+ if (msize > max_u_size)
		218	+ max_u_size = msize;
		219	base_u = mpi_alloc_limb_space (max_u_size, esec);
		220	MPN_ZERO (base_u, max_u_size);
		221
		222	@@ -623,6 +625,10 @@ _gcry_mpi_powm (gcry_mpi_t res,
		223	{
		224	int c0;
		225	mpi_limb_t e0;
		226	+ struct gcry_mpi w, u;
		227	+ w.sign = u.sign = 0;
		228	+ w.flags = u.flags = 0;
		229	+ w.d = base_u;
		230
		231	count_leading_zeros (c0, e);
		232	e = (e << c0);
		233	@@ -656,29 +662,31 @@ _gcry_mpi_powm (gcry_mpi_t res,
		234	count_trailing_zeros (c0, e0);
		235	e0 = (e0 >> c0) >> 1;
		236
		237	- /*
		238	- * base_u <= precomp[e0]
		239	- * base_u_size <= precomp_size[e0]
		240	- */
		241	- base_u_size = 0;
		242	- for (k = 0; k < (1<< (W - 1)); k++)
		243	- {
		244	- struct gcry_mpi w, u;
		245	- w.alloced = w.nlimbs = precomp_size[k];
		246	- u.alloced = u.nlimbs = precomp_size[k];
		247	- w.sign = u.sign = 0;
		248	- w.flags = u.flags = 0;
		249	- w.d = base_u;
		250	- u.d = precomp[k];
		251	-
		252	- mpi_set_cond (&w, &u, k == e0);
		253	- base_u_size \|= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
		254	- }
		255	-
		256	for (j += W - c0; j >= 0; j--)
		257	{
		258	- mul_mod (xp, &xsize, rp, rsize,
		259	- j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
		260	+
		261	+ /*
		262	+ * base_u <= precomp[e0]
		263	+ * base_u_size <= precomp_size[e0]
		264	+ */
		265	+ base_u_size = 0;
		266	+ for (k = 0; k < (1<< (W - 1)); k++)
		267	+ {
		268	+ w.alloced = w.nlimbs = precomp_size[k];
		269	+ u.alloced = u.nlimbs = precomp_size[k];
		270	+ u.d = precomp[k];
		271	+
		272	+ mpi_set_cond (&w, &u, k == e0);
		273	+ base_u_size \|= ( precomp_size[k] & (0UL - (k == e0)) );
		274	+ }
		275	+
		276	+ w.alloced = w.nlimbs = rsize;
		277	+ u.alloced = u.nlimbs = rsize;
		278	+ u.d = rp;
		279	+ mpi_set_cond (&w, &u, j != 0);
		280	+ base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0)));
		281	+
		282	+ mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
		283	mp, msize, &karactx);
		284	tp = rp; rp = xp; xp = tp;
		285	rsize = xsize;
		286	--
		287	2.11.0
		288
		289
		290	From b5370d527612d2c453a366729f07892974b28ba8 Mon Sep 17 00:00:00 2001
		291	From: NIIBE Yutaka <gniibe@fsij.org>
		292	Date: Thu, 29 Jun 2017 11:48:44 +0900
		293	Subject: [PATCH 3/5] rsa: Add exponent blinding.
		294
		295	* cipher/rsa.c (secret): Blind secret D with randomized nonce R for
		296	mpi_powm computation.
		297
		298	--
		299
		300	Co-authored-by: Werner Koch <wk@gnupg.org>
		301	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		302
		303	The paper describing attack: https://eprint.iacr.org/2017/627
		304
		305	Sliding right into disaster: Left-to-right sliding windows leak
		306	by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and
		307	Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and
		308	Christine van Vredendaal and Yuval Yarom
		309
		310	It is well known that constant-time implementations of modular
		311	exponentiation cannot use sliding windows. However, software
		312	libraries such as Libgcrypt, used by GnuPG, continue to use sliding
		313	windows. It is widely believed that, even if the complete pattern of
		314	squarings and multiplications is observed through a side-channel
		315	attack, the number of exponent bits leaked is not sufficient to
		316	carry out a full key-recovery attack against RSA. Specifically,
		317	4-bit sliding windows leak only 40% of the bits, and 5-bit sliding
		318	windows leak only 33% of the bits.
		319
		320	In this paper we demonstrate a complete break of RSA-1024 as
		321	implemented in Libgcrypt. Our attack makes essential use of the fact
		322	that Libgcrypt uses the left-to-right method for computing the
		323	sliding-window expansion. We show for the first time that the
		324	direction of the encoding matters: the pattern of squarings and
		325	multiplications in left-to-right sliding windows leaks significantly
		326	more information about exponent bits than for right-to-left. We show
		327	how to incorporate this additional information into the
		328	Heninger-Shacham algorithm for partial key reconstruction, and use
		329	it to obtain very efficient full key recovery for RSA-1024. We also
		330	provide strong evidence that the same attack works for RSA-2048 with
		331	only moderately more computation.
		332
		333	Exponent blinding is a kind of workaround to add noise. Signal (leak)
		334	is still there for non-constant-time implementation.
		335
		336	(backported from master commit:
		337	8725c99ffa41778f382ca97233183bcd687bb0ce)
		338
		339	Signed-off-by: Ross Burton <ross.burton@intel.com>
		340	---
		341	cipher/rsa.c \| 32 +++++++++++++++++++++++++-------
		342	1 file changed, 25 insertions(+), 7 deletions(-)
		343
		344	diff --git a/cipher/rsa.c b/cipher/rsa.c
		345	index 0b98b6a8..d8658476 100644
		346	--- a/cipher/rsa.c
		347	+++ b/cipher/rsa.c
		348	@@ -724,15 +724,33 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
		349	gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		350	gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		351	gcry_mpi_t h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		352	-
		353	- /* m1 = c ^ (d mod (p-1)) mod p */
		354	+ gcry_mpi_t D_blind = mpi_alloc_secure ( mpi_get_nlimbs(skey->n) + 1 );
		355	+ gcry_mpi_t r;
		356	+ unsigned int r_nbits;
		357	+
		358	+ r_nbits = mpi_get_nbits (skey->p) / 4;
		359	+ if (r_nbits < 96)
		360	+ r_nbits = 96;
		361	+ r = mpi_alloc_secure ((r_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB);
		362	+
		363	+ /* d_blind = (d mod (p-1)) + (p-1) * r */
		364	+ /* m1 = c ^ d_blind mod p */
		365	+ _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
		366	+ mpi_set_highbit (r, r_nbits - 1);
		367	mpi_sub_ui( h, skey->p, 1 );
		368	- mpi_fdiv_r( h, skey->d, h );
		369	- mpi_powm( m1, input, h, skey->p );
		370	- /* m2 = c ^ (d mod (q-1)) mod q */
		371	+ mpi_mul ( D_blind, h, r );
		372	+ mpi_fdiv_r ( h, skey->d, h );
		373	+ mpi_add ( D_blind, D_blind, h );
		374	+ mpi_powm( m1, input, D_blind, skey->p );
		375	+ /* d_blind = (d mod (q-1)) + (q-1) * r */
		376	+ /* m2 = c ^ d_blind mod q */
		377	+ _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
		378	+ mpi_set_highbit (r, r_nbits - 1);
		379	mpi_sub_ui( h, skey->q, 1 );
		380	- mpi_fdiv_r( h, skey->d, h );
		381	- mpi_powm( m2, input, h, skey->q );
		382	+ mpi_mul ( D_blind, h, r );
		383	+ mpi_fdiv_r ( h, skey->d, h );
		384	+ mpi_add ( D_blind, D_blind, h );
		385	+ mpi_powm( m2, input, D_blind, skey->q );
		386	/* h = u * ( m2 - m1 ) mod q */
		387	mpi_sub( h, m2, m1 );
		388	if ( mpi_has_sign ( h ) )
		389	--
		390	2.11.0
		391
		392
		393	From b7c572550b8759f2b0e45ee72df0494700b26da1 Mon Sep 17 00:00:00 2001
		394	From: NIIBE Yutaka <gniibe@fsij.org>
		395	Date: Thu, 29 Jun 2017 12:36:27 +0900
		396	Subject: [PATCH 4/5] rsa: Fix exponent blinding.
		397
		398	* cipher/rsa.c (secret): Free D_BLIND.
		399
		400	--
		401
		402	Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c
		403	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		404	Signed-off-by: Ross Burton <ross.burton@intel.com>
		405	---
		406	cipher/rsa.c \| 1 +
		407	1 file changed, 1 insertion(+)
		408
		409	diff --git a/cipher/rsa.c b/cipher/rsa.c
		410	index d8658476..9474fe89 100644
		411	--- a/cipher/rsa.c
		412	+++ b/cipher/rsa.c
		413	@@ -760,6 +760,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
		414	mpi_mul ( h, h, skey->p );
		415	mpi_add ( output, m1, h );
		416
		417	+ mpi_free ( D_blind );
		418	mpi_free ( h );
		419	mpi_free ( m1 );
		420	mpi_free ( m2 );
		421	--
		422	2.11.0
		423
		424
		425	From e5a5f14bdd8d6265f85264575a1f3c3307306849 Mon Sep 17 00:00:00 2001
		426	From: NIIBE Yutaka <gniibe@fsij.org>
		427	Date: Thu, 29 Jun 2017 12:40:19 +0900
		428	Subject: [PATCH 5/5] rsa: More fix.
		429
		430	* cipher/rsa.c (secret): Free R.
		431
		432	--
		433
		434	Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c
		435	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		436	Signed-off-by: Ross Burton <ross.burton@intel.com>
		437	---
		438	cipher/rsa.c \| 1 +
		439	1 file changed, 1 insertion(+)
		440
		441	diff --git a/cipher/rsa.c b/cipher/rsa.c
		442	index 9474fe89..b151b39f 100644
		443	--- a/cipher/rsa.c
		444	+++ b/cipher/rsa.c
		445	@@ -760,6 +760,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
		446	mpi_mul ( h, h, skey->p );
		447	mpi_add ( output, m1, h );
		448
		449	+ mpi_free ( r );
		450	mpi_free ( D_blind );
		451	mpi_free ( h );
		452	mpi_free ( m1 );
		453	--
		454	2.11.0
		455


diff --git a/meta/recipes-support/libgcrypt/libgcrypt.inc b/meta/recipes-support/libgcrypt/libgcrypt.inc index 5478253e06..404f870db0 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt.inc +++ b/meta/recipes-support/libgcrypt/libgcrypt.inc
@@ -18,6 +18,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-${PV}.tar.gz \
18	file://add-pkgconfig-support.patch \	18	file://add-pkgconfig-support.patch \
19	file://libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \	19	file://libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
20	file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \	20	file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \
		21	file://CVE-2017-7526.patch \
21	"	22	"
22		23
23	BINCONFIG = "${bindir}/libgcrypt-config"	24	BINCONFIG = "${bindir}/libgcrypt-config"