1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
new file mode 100644
index 0000000000..db5a55ed26
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
@@ -0,0 +1,70 @@
+From d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 17 Jul 2019 12:44:50 +0900
+Subject: [PATCH] ecc: Add mitigation against timing attack.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78c]
+CVE: CVE-2019-13627
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
+* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.
+--
+Cherry-picked master commit of:
+         b9577f7c89b4327edc09f2231bc8b31521102c79
+CVE-id: CVE-2019-13627
+GnuPG-bug-id: 4626
+Co-authored-by: Ján Jančár <johny@neuromancer.sk>
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/ecc-ecdsa.c | 10 ++++++++++
+ mpi/ec.c           |  6 +++++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
+index 140e8c09..84a1cf84 100644
+--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
+@@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+           else
+             k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+ 
+          /* Originally, ECDSA computation requires k where 0 < k < n.
+           * Here, we add n (the order of curve), to keep k in a
+           * range: n < k < 2*n, or, addming more n, keep k in a range:
+           * 2*n < k < 3*n, so that timing difference of the EC
+           * multiply operation can be small.  The result is same.
+           */
+          mpi_add (k, k, skey->E.n);
+          if (!mpi_test_bit (k, qbits))
+            mpi_add (k, k, skey->E.n);
+
+           _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
+           if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+             {
+diff --git a/mpi/ec.c b/mpi/ec.c
+index 89077cd9..adb02600 100644
+--- a/mpi/ec.c
+++ b/mpi/ec.c
+@@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
+       unsigned int nbits;
+       int j;
+ 
+-      nbits = mpi_get_nbits (scalar);
+      if (mpi_cmp (scalar, ctx->p) >= 0)
+        nbits = mpi_get_nbits (scalar);
+      else
+        nbits = mpi_get_nbits (ctx->p);
+
+       if (ctx->model == MPI_EC_WEIERSTRASS)
+         {
+           mpi_set_ui (result->x, 1);
+-- 
+2.23.0

diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch new file mode 100644 index 0000000000..db5a55ed26 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
@@ -0,0 +1,70 @@
	1	From d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 Mon Sep 17 00:00:00 2001
	2	From: NIIBE Yutaka <gniibe@fsij.org>
	3	Date: Wed, 17 Jul 2019 12:44:50 +0900
	4	Subject: [PATCH] ecc: Add mitigation against timing attack.
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78c]
	10	CVE: CVE-2019-13627
	11	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
	12
	13	* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
	14	* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.
	15
	16	--
	17
	18	Cherry-picked master commit of:
	19	b9577f7c89b4327edc09f2231bc8b31521102c79
	20
	21	CVE-id: CVE-2019-13627
	22	GnuPG-bug-id: 4626
	23	Co-authored-by: Ján Jančár <johny@neuromancer.sk>
	24	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
	25	---
	26	cipher/ecc-ecdsa.c \| 10 ++++++++++
	27	mpi/ec.c \| 6 +++++-
	28	2 files changed, 15 insertions(+), 1 deletion(-)
	29
	30	diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
	31	index 140e8c09..84a1cf84 100644
	32	--- a/cipher/ecc-ecdsa.c
	33	+++ b/cipher/ecc-ecdsa.c
	34	@@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
	35	else
	36	k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
	37
	38	+ /* Originally, ECDSA computation requires k where 0 < k < n.
	39	+ * Here, we add n (the order of curve), to keep k in a
	40	+ * range: n < k < 2*n, or, addming more n, keep k in a range:
	41	+ * 2n < k < 3n, so that timing difference of the EC
	42	+ * multiply operation can be small. The result is same.
	43	+ */
	44	+ mpi_add (k, k, skey->E.n);
	45	+ if (!mpi_test_bit (k, qbits))
	46	+ mpi_add (k, k, skey->E.n);
	47	+
	48	_gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
	49	if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
	50	{
	51	diff --git a/mpi/ec.c b/mpi/ec.c
	52	index 89077cd9..adb02600 100644
	53	--- a/mpi/ec.c
	54	+++ b/mpi/ec.c
	55	@@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
	56	unsigned int nbits;
	57	int j;
	58
	59	- nbits = mpi_get_nbits (scalar);
	60	+ if (mpi_cmp (scalar, ctx->p) >= 0)
	61	+ nbits = mpi_get_nbits (scalar);
	62	+ else
	63	+ nbits = mpi_get_nbits (ctx->p);
	64	+
	65	if (ctx->model == MPI_EC_WEIERSTRASS)
	66	{
	67	mpi_set_ui (result->x, 1);
	68	--
	69	2.23.0
	70