libgcrypt: fix CVE-2019-13627

Backport two fixes for CVE-2019-13627 from upstream to zeus. (From OE-Core rev: 3361760dbb46cca2e00f053286404b5df39590b3) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Trevor Gamblin <trevor.gamblin@windriver.com> 2019-11-05 08:05:52 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-13 22:02:15 +0000
commit: f3ba167c21e018e854910aafd8a7c3f17bbefb4f (patch)
tree: 76d7dc62e6433ff3aaff2502b8e4cd9c031826d2 /meta/recipes-support
parent: 6949ba6d41b82a04f81d20c783dce283d7431ebe (diff)
download: poky-f3ba167c21e018e854910aafd8a7c3f17bbefb4f.tar.gz
3 files changed, 200 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
new file mode 100644
index 0000000000..211e041303
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
@@ -0,0 +1,128 @@
+From db4e9976cc31b314aafad6626b2894e86ee44d60 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 8 Aug 2019 17:42:02 +0900
+Subject: [PATCH] dsa,ecdsa: Fix use of nonce, use larger one.
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc3]
+CVE: CVE-2019-13627
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+* cipher/dsa-common.c (_gcry_dsa_modify_k): New.
+* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
+* cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
+* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
+* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
+--
+Cherry-picked master commit of:
+        7c2943309d14407b51c8166c4dcecb56a3628567
+CVE-id: CVE-2019-13627
+GnuPG-bug-id: 4626
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/dsa-common.c      | 24 ++++++++++++++++++++++++
+ cipher/dsa.c             |  2 ++
+ cipher/ecc-ecdsa.c       | 10 +---------
+ cipher/ecc-gost.c        |  2 ++
+ cipher/pubkey-internal.h |  1 +
+ 5 files changed, 30 insertions(+), 9 deletions(-)
+diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
+index 8c0a6843..fe49248d 100644
+--- a/cipher/dsa-common.c
+++ b/cipher/dsa-common.c
+@@ -29,6 +29,30 @@
+ #include "pubkey-internal.h"
+ 
+ 
+/*
+ * Modify K, so that computation time difference can be small,
+ * by making K large enough.
+ *
+ * Originally, (EC)DSA computation requires k where 0 < k < q.  Here,
+ * we add q (the order), to keep k in a range: q < k < 2*q (or,
+ * addming more q, to keep k in a range: 2*q < k < 3*q), so that
+ * timing difference of the EC multiply (or exponentiation) operation
+ * can be small.  The result of (EC)DSA computation is same.
+ */
+void
+_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
+{
+  gcry_mpi_t k1 = mpi_new (qbits+2);
+
+  mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
+  k->nlimbs = k->alloced;
+  mpi_add (k, k, q);
+  mpi_add (k1, k, q);
+  mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
+
+  mpi_free (k1);
+}
+
+ /*
+  * Generate a random secret exponent K less than Q.
+  * Note that ECDSA uses this code also to generate D.
+diff --git a/cipher/dsa.c b/cipher/dsa.c
+index 22d8d782..24a53528 100644
+--- a/cipher/dsa.c
+++ b/cipher/dsa.c
+@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
+       k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
+     }
+ 
+  _gcry_dsa_modify_k (k, skey->q, qbits);
+
+   /* r = (a^k mod p) mod q */
+   mpi_powm( r, skey->g, k, skey->p );
+   mpi_fdiv_r( r, r, skey->q );
+diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
+index 84a1cf84..97966c3a 100644
+--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
+@@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+           else
+             k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+ 
+-          /* Originally, ECDSA computation requires k where 0 < k < n.
+-           * Here, we add n (the order of curve), to keep k in a
+-           * range: n < k < 2*n, or, addming more n, keep k in a range:
+-           * 2*n < k < 3*n, so that timing difference of the EC
+-           * multiply operation can be small.  The result is same.
+-           */
+-          mpi_add (k, k, skey->E.n);
+-          if (!mpi_test_bit (k, qbits))
+-            mpi_add (k, k, skey->E.n);
+          _gcry_dsa_modify_k (k, skey->E.n, qbits);
+ 
+           _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
+           if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
+index a34fa084..0362a6c7 100644
+--- a/cipher/ecc-gost.c
+++ b/cipher/ecc-gost.c
+@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey,
+           mpi_free (k);
+           k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+ 
+          _gcry_dsa_modify_k (k, skey->E.n, qbits);
+
+           _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
+           if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+             {
+diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
+index b8167c77..d31e26f3 100644
+--- a/cipher/pubkey-internal.h
+++ b/cipher/pubkey-internal.h
+@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded,
+ 
+ 
+ /*-- dsa-common.c --*/
+void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
+ gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
+ gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
+                                         gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
+-- 
+2.23.0
diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
new file mode 100644
index 0000000000..db5a55ed26
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
@@ -0,0 +1,70 @@
+From d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 17 Jul 2019 12:44:50 +0900
+Subject: [PATCH] ecc: Add mitigation against timing attack.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78c]
+CVE: CVE-2019-13627
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
+* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.
+--
+Cherry-picked master commit of:
+         b9577f7c89b4327edc09f2231bc8b31521102c79
+CVE-id: CVE-2019-13627
+GnuPG-bug-id: 4626
+Co-authored-by: Ján Jančár <johny@neuromancer.sk>
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/ecc-ecdsa.c | 10 ++++++++++
+ mpi/ec.c           |  6 +++++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
+index 140e8c09..84a1cf84 100644
+--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
+@@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+           else
+             k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+ 
+          /* Originally, ECDSA computation requires k where 0 < k < n.
+           * Here, we add n (the order of curve), to keep k in a
+           * range: n < k < 2*n, or, addming more n, keep k in a range:
+           * 2*n < k < 3*n, so that timing difference of the EC
+           * multiply operation can be small.  The result is same.
+           */
+          mpi_add (k, k, skey->E.n);
+          if (!mpi_test_bit (k, qbits))
+            mpi_add (k, k, skey->E.n);
+
+           _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
+           if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+             {
+diff --git a/mpi/ec.c b/mpi/ec.c
+index 89077cd9..adb02600 100644
+--- a/mpi/ec.c
+++ b/mpi/ec.c
+@@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
+       unsigned int nbits;
+       int j;
+ 
+-      nbits = mpi_get_nbits (scalar);
+      if (mpi_cmp (scalar, ctx->p) >= 0)
+        nbits = mpi_get_nbits (scalar);
+      else
+        nbits = mpi_get_nbits (ctx->p);
+
+       if (ctx->model == MPI_EC_WEIERSTRASS)
+         {
+           mpi_set_ui (result->x, 1);
+-- 
+2.23.0
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
index 11d078d44a..1bd355133e 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
@@ -24,6 +24,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
           file://0001-Prefetch-GCM-look-up-tables.patch \
           file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
           file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
+           file://0001-ecc-Add-mitigation-against-timing-attack.patch \
+           file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \
 "
 SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"
 SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"
author	Trevor Gamblin <trevor.gamblin@windriver.com>	2019-11-05 08:05:52 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-11-13 22:02:15 +0000
commit	f3ba167c21e018e854910aafd8a7c3f17bbefb4f (patch)
tree	76d7dc62e6433ff3aaff2502b8e4cd9c031826d2 /meta/recipes-support
parent	6949ba6d41b82a04f81d20c783dce283d7431ebe (diff)
download	poky-f3ba167c21e018e854910aafd8a7c3f17bbefb4f.tar.gz

diff --git a/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch new file mode 100644 index 0000000000..211e041303 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
@@ -0,0 +1,128 @@
		1	From db4e9976cc31b314aafad6626b2894e86ee44d60 Mon Sep 17 00:00:00 2001
		2	From: NIIBE Yutaka <gniibe@fsij.org>
		3	Date: Thu, 8 Aug 2019 17:42:02 +0900
		4	Subject: [PATCH] dsa,ecdsa: Fix use of nonce, use larger one.
		5
		6	Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc3]
		7	CVE: CVE-2019-13627
		8	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
		9
		10	* cipher/dsa-common.c (_gcry_dsa_modify_k): New.
		11	* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
		12	* cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
		13	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
		14	* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
		15
		16	--
		17
		18	Cherry-picked master commit of:
		19	7c2943309d14407b51c8166c4dcecb56a3628567
		20
		21	CVE-id: CVE-2019-13627
		22	GnuPG-bug-id: 4626
		23	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		24	---
		25	cipher/dsa-common.c \| 24 ++++++++++++++++++++++++
		26	cipher/dsa.c \| 2 ++
		27	cipher/ecc-ecdsa.c \| 10 +---------
		28	cipher/ecc-gost.c \| 2 ++
		29	cipher/pubkey-internal.h \| 1 +
		30	5 files changed, 30 insertions(+), 9 deletions(-)
		31
		32	diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
		33	index 8c0a6843..fe49248d 100644
		34	--- a/cipher/dsa-common.c
		35	+++ b/cipher/dsa-common.c
		36	@@ -29,6 +29,30 @@
		37	#include "pubkey-internal.h"
		38
		39
		40	+/*
		41	+ * Modify K, so that computation time difference can be small,
		42	+ * by making K large enough.
		43	+ *
		44	+ * Originally, (EC)DSA computation requires k where 0 < k < q. Here,
		45	+ * we add q (the order), to keep k in a range: q < k < 2*q (or,
		46	+ * addming more q, to keep k in a range: 2q < k < 3q), so that
		47	+ * timing difference of the EC multiply (or exponentiation) operation
		48	+ * can be small. The result of (EC)DSA computation is same.
		49	+ */
		50	+void
		51	+_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
		52	+{
		53	+ gcry_mpi_t k1 = mpi_new (qbits+2);
		54	+
		55	+ mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
		56	+ k->nlimbs = k->alloced;
		57	+ mpi_add (k, k, q);
		58	+ mpi_add (k1, k, q);
		59	+ mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
		60	+
		61	+ mpi_free (k1);
		62	+}
		63	+
		64	/*
		65	* Generate a random secret exponent K less than Q.
		66	* Note that ECDSA uses this code also to generate D.
		67	diff --git a/cipher/dsa.c b/cipher/dsa.c
		68	index 22d8d782..24a53528 100644
		69	--- a/cipher/dsa.c
		70	+++ b/cipher/dsa.c
		71	@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
		72	k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
		73	}
		74
		75	+ _gcry_dsa_modify_k (k, skey->q, qbits);
		76	+
		77	/* r = (a^k mod p) mod q */
		78	mpi_powm( r, skey->g, k, skey->p );
		79	mpi_fdiv_r( r, r, skey->q );
		80	diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
		81	index 84a1cf84..97966c3a 100644
		82	--- a/cipher/ecc-ecdsa.c
		83	+++ b/cipher/ecc-ecdsa.c
		84	@@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
		85	else
		86	k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
		87
		88	- /* Originally, ECDSA computation requires k where 0 < k < n.
		89	- * Here, we add n (the order of curve), to keep k in a
		90	- * range: n < k < 2*n, or, addming more n, keep k in a range:
		91	- * 2n < k < 3n, so that timing difference of the EC
		92	- * multiply operation can be small. The result is same.
		93	- */
		94	- mpi_add (k, k, skey->E.n);
		95	- if (!mpi_test_bit (k, qbits))
		96	- mpi_add (k, k, skey->E.n);
		97	+ _gcry_dsa_modify_k (k, skey->E.n, qbits);
		98
		99	_gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
		100	if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
		101	diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
		102	index a34fa084..0362a6c7 100644
		103	--- a/cipher/ecc-gost.c
		104	+++ b/cipher/ecc-gost.c
		105	@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey,
		106	mpi_free (k);
		107	k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
		108
		109	+ _gcry_dsa_modify_k (k, skey->E.n, qbits);
		110	+
		111	_gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
		112	if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
		113	{
		114	diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
		115	index b8167c77..d31e26f3 100644
		116	--- a/cipher/pubkey-internal.h
		117	+++ b/cipher/pubkey-internal.h
		118	@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded,
		119
		120
		121	/-- dsa-common.c --/
		122	+void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
		123	gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
		124	gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
		125	gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
		126	--
		127	2.23.0
		128


diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch new file mode 100644 index 0000000000..db5a55ed26 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
@@ -0,0 +1,70 @@
		1	From d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 Mon Sep 17 00:00:00 2001
		2	From: NIIBE Yutaka <gniibe@fsij.org>
		3	Date: Wed, 17 Jul 2019 12:44:50 +0900
		4	Subject: [PATCH] ecc: Add mitigation against timing attack.
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78c]
		10	CVE: CVE-2019-13627
		11	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
		12
		13	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
		14	* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.
		15
		16	--
		17
		18	Cherry-picked master commit of:
		19	b9577f7c89b4327edc09f2231bc8b31521102c79
		20
		21	CVE-id: CVE-2019-13627
		22	GnuPG-bug-id: 4626
		23	Co-authored-by: Ján Jančár <johny@neuromancer.sk>
		24	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		25	---
		26	cipher/ecc-ecdsa.c \| 10 ++++++++++
		27	mpi/ec.c \| 6 +++++-
		28	2 files changed, 15 insertions(+), 1 deletion(-)
		29
		30	diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
		31	index 140e8c09..84a1cf84 100644
		32	--- a/cipher/ecc-ecdsa.c
		33	+++ b/cipher/ecc-ecdsa.c
		34	@@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
		35	else
		36	k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
		37
		38	+ /* Originally, ECDSA computation requires k where 0 < k < n.
		39	+ * Here, we add n (the order of curve), to keep k in a
		40	+ * range: n < k < 2*n, or, addming more n, keep k in a range:
		41	+ * 2n < k < 3n, so that timing difference of the EC
		42	+ * multiply operation can be small. The result is same.
		43	+ */
		44	+ mpi_add (k, k, skey->E.n);
		45	+ if (!mpi_test_bit (k, qbits))
		46	+ mpi_add (k, k, skey->E.n);
		47	+
		48	_gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
		49	if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
		50	{
		51	diff --git a/mpi/ec.c b/mpi/ec.c
		52	index 89077cd9..adb02600 100644
		53	--- a/mpi/ec.c
		54	+++ b/mpi/ec.c
		55	@@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
		56	unsigned int nbits;
		57	int j;
		58
		59	- nbits = mpi_get_nbits (scalar);
		60	+ if (mpi_cmp (scalar, ctx->p) >= 0)
		61	+ nbits = mpi_get_nbits (scalar);
		62	+ else
		63	+ nbits = mpi_get_nbits (ctx->p);
		64	+
		65	if (ctx->model == MPI_EC_WEIERSTRASS)
		66	{
		67	mpi_set_ui (result->x, 1);
		68	--
		69	2.23.0
		70


diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb index 11d078d44a..1bd355133e 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
@@ -24,6 +24,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
24	file://0001-Prefetch-GCM-look-up-tables.patch \	24	file://0001-Prefetch-GCM-look-up-tables.patch \
25	file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \	25	file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
26	file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \	26	file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
		27	file://0001-ecc-Add-mitigation-against-timing-attack.patch \
		28	file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \
27	"	29	"
28	SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"	30	SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"
29	SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"	31	SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"