From 3ca9f90dffad3907ceec605a851ae949dd3b6bd6 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Wed, 19 Jul 2017 14:27:32 +0100
Subject: libgcrypt: fix CVE-2017-9526

In libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from
side-channel observation during the signing process) can easily recover the
long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this
session key in secure memory, to ensure that constant-time point operations are
used in the MPI library.

(From OE-Core rev: fb28c54347fcf4957b9b8ee7dee423d859eb7820)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-support/libgcrypt/libgcrypt.inc | 1 +
 1 file changed, 1 insertion(+)

(limited to 'meta/recipes-support/libgcrypt/libgcrypt.inc')

diff --git a/meta/recipes-support/libgcrypt/libgcrypt.inc b/meta/recipes-support/libgcrypt/libgcrypt.inc
index 404f870db0..8e7a38f894 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt.inc
+++ b/meta/recipes-support/libgcrypt/libgcrypt.inc
@@ -18,6 +18,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-${PV}.tar.gz \
            file://add-pkgconfig-support.patch \
            file://libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
            file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \
+           file://0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch \
            file://CVE-2017-7526.patch \
 "
 
-- 
cgit v1.2.3-54-g00ecf