libgcrypt: fix CVE-2017-7526

Fixes CVE-2017-7526, 'flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster"'. (From OE-Core rev: 4442811291ff8b15d5562be0a68a11516183b502) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2017-07-18 23:07:09 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-07-19 11:30:22 +0100
commit: 0920b28c93632ed53e1d50c24f260f9359fcc150 (patch)
tree: e7d0b7e50a61c0a87f0eb09cbbad2648f8d529e3
parent: 74bfe85d5ceabe351ff7151423a5279d6adc0a37 (diff)
download: poky-0920b28c93632ed53e1d50c24f260f9359fcc150.tar.gz
2 files changed, 456 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch
new file mode 100644
index 0000000000..384fa964ae
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch
@@ -0,0 +1,455 @@
+Flush+reload side-channel attack on RSA secret keys dubbed "Sliding right
+into disaster".
+CVE: CVE-2017-7526
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 12ee400c39e0ebb5fb819c3926d459c278fc99fd Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 4 Apr 2017 17:38:05 +0900
+Subject: [PATCH 1/5] mpi: Simplify mpi_powm.
+* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.
+--
+This fix is not a solution for the problem reported (yet).  The
+problem is that the current algorithm of _gcry_mpi_powm depends on
+exponent and some information leaks is possible.
+Reported-by: Andreas Zankl <andreas.zankl@aisec.fraunhofer.de>
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(backport from master commit:
+719468e53133d3bdf12156c5bfdea2bf15f9f6f1)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ mpi/mpi-pow.c | 105 +++++++++++++++++-----------------------------------------
+ 1 file changed, 30 insertions(+), 75 deletions(-)
+diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
+index a780ebd1..7b3dc318 100644
+--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
+@@ -609,12 +609,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
+       if (e == 0)
+         {
+           j += c;
+-          i--;
+-          if ( i < 0 )
+-            {
+-              c = 0;
+-              break;
+-            }
+          if ( --i < 0 )
+            break;
+ 
+           e = ep[i];
+           c = BITS_PER_MPI_LIMB;
+@@ -629,38 +625,33 @@ _gcry_mpi_powm (gcry_mpi_t res,
+           c -= c0;
+           j += c0;
+ 
+          e0 = (e >> (BITS_PER_MPI_LIMB - W));
+           if (c >= W)
+-            {
+-              e0 = (e >> (BITS_PER_MPI_LIMB - W));
+-              e = (e << W);
+-              c -= W;
+-            }
+            c0 = 0;
+           else
+             {
+-              i--;
+-              if ( i < 0 )
+              if ( --i < 0 )
+                 {
+-                  e = (e >> (BITS_PER_MPI_LIMB - c));
+-                  break;
+                  e0 = (e >> (BITS_PER_MPI_LIMB - c));
+                  j += c - W;
+                  goto last_step;
+                }
+              else
+                {
+                  c0 = c;
+                  e = ep[i];
+                  c = BITS_PER_MPI_LIMB;
+                  e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0)));
+                 }
+-
+-              c0 = c;
+-              e0 = (e >> (BITS_PER_MPI_LIMB - W))
+-                | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0));
+-              e = (ep[i] << (W - c0));
+-              c = BITS_PER_MPI_LIMB - W + c0;
+             }
+ 
+          e = e << (W - c0);
+          c -= (W - c0);
+
+        last_step:
+           count_trailing_zeros (c0, e0);
+           e0 = (e0 >> c0) >> 1;
+ 
+-          for (j += W - c0; j; j--)
+-            {
+-              mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
+-              tp = rp; rp = xp; xp = tp;
+-              rsize = xsize;
+-            }
+-
+           /*
+            *  base_u <= precomp[e0]
+            *  base_u_size <= precomp_size[e0]
+@@ -677,25 +668,23 @@ _gcry_mpi_powm (gcry_mpi_t res,
+               u.d = precomp[k];
+ 
+               mpi_set_cond (&w, &u, k == e0);
+-              base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
+              base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
+             }
+ 
+-          mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
+-                   mp, msize, &karactx);
+-          tp = rp; rp = xp; xp = tp;
+-          rsize = xsize;
+          for (j += W - c0; j >= 0; j--)
+            {
+              mul_mod (xp, &xsize, rp, rsize,
+                       j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
+                       mp, msize, &karactx);
+              tp = rp; rp = xp; xp = tp;
+              rsize = xsize;
+            }
+ 
+           j = c0;
+          if ( i < 0 )
+            break;
+         }
+ 
+-    if (c != 0)
+-      {
+-        j += c;
+-        count_trailing_zeros (c, e);
+-        e = (e >> c);
+-        j -= c;
+-      }
+-
+     while (j--)
+       {
+         mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
+@@ -703,40 +692,6 @@ _gcry_mpi_powm (gcry_mpi_t res,
+         rsize = xsize;
+       }
+ 
+-    if (e != 0)
+-      {
+-        /*
+-         * base_u <= precomp[(e>>1)]
+-         * base_u_size <= precomp_size[(e>>1)]
+-         */
+-        base_u_size = 0;
+-        for (k = 0; k < (1<< (W - 1)); k++)
+-          {
+-            struct gcry_mpi w, u;
+-            w.alloced = w.nlimbs = precomp_size[k];
+-            u.alloced = u.nlimbs = precomp_size[k];
+-            w.sign = u.sign = 0;
+-            w.flags = u.flags = 0;
+-            w.d = base_u;
+-            u.d = precomp[k];
+-
+-            mpi_set_cond (&w, &u, k == (e>>1));
+-            base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) );
+-          }
+-
+-        mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
+-                 mp, msize, &karactx);
+-        tp = rp; rp = xp; xp = tp;
+-        rsize = xsize;
+-
+-        for (; c; c--)
+-          {
+-            mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
+-            tp = rp; rp = xp; xp = tp;
+-            rsize = xsize;
+-          }
+-      }
+-
+     /* We shifted MOD, the modulo reduction argument, left
+        MOD_SHIFT_CNT steps.  Adjust the result by reducing it with the
+        original MOD.
+-- 
+2.11.0
+From a4b275c4d5378837e820fdc84f4ada876f9c8ccd Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Sat, 24 Jun 2017 20:46:20 +0900
+Subject: [PATCH 2/5] Same computation for square and multiply.
+* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size.  Move
+the assignment to base_u into the loop.  Copy content refered by RP to
+BASE_U except the last of the loop.
+--
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+(backport from master commit:
+78130828e9a140a9de4dafadbc844dbb64cb709a)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ mpi/mpi-pow.c | 50 +++++++++++++++++++++++++++++---------------------
+ 1 file changed, 29 insertions(+), 21 deletions(-)
+diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
+index 7b3dc318..3cba6903 100644
+--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
+@@ -573,6 +573,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
+         MPN_COPY (precomp[i], rp, rsize);
+       }
+ 
+    if (msize > max_u_size)
+      max_u_size = msize;
+     base_u = mpi_alloc_limb_space (max_u_size, esec);
+     MPN_ZERO (base_u, max_u_size);
+ 
+@@ -619,6 +621,10 @@ _gcry_mpi_powm (gcry_mpi_t res,
+         {
+           int c0;
+           mpi_limb_t e0;
+          struct gcry_mpi w, u;
+          w.sign = u.sign = 0;
+          w.flags = u.flags = 0;
+          w.d = base_u;
+ 
+           count_leading_zeros (c0, e);
+           e = (e << c0);
+@@ -652,29 +658,31 @@ _gcry_mpi_powm (gcry_mpi_t res,
+           count_trailing_zeros (c0, e0);
+           e0 = (e0 >> c0) >> 1;
+ 
+-          /*
+-           *  base_u <= precomp[e0]
+-           *  base_u_size <= precomp_size[e0]
+-           */
+-          base_u_size = 0;
+-          for (k = 0; k < (1<< (W - 1)); k++)
+-            {
+-              struct gcry_mpi w, u;
+-              w.alloced = w.nlimbs = precomp_size[k];
+-              u.alloced = u.nlimbs = precomp_size[k];
+-              w.sign = u.sign = 0;
+-              w.flags = u.flags = 0;
+-              w.d = base_u;
+-              u.d = precomp[k];
+-
+-              mpi_set_cond (&w, &u, k == e0);
+-              base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
+-            }
+-
+           for (j += W - c0; j >= 0; j--)
+             {
+-              mul_mod (xp, &xsize, rp, rsize,
+-                       j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
+
+              /*
+               *  base_u <= precomp[e0]
+               *  base_u_size <= precomp_size[e0]
+               */
+              base_u_size = 0;
+              for (k = 0; k < (1<< (W - 1)); k++)
+                {
+                  w.alloced = w.nlimbs = precomp_size[k];
+                  u.alloced = u.nlimbs = precomp_size[k];
+                  u.d = precomp[k];
+
+                  mpi_set_cond (&w, &u, k == e0);
+                  base_u_size |= ( precomp_size[k] & (0UL - (k == e0)) );
+                }
+
+              w.alloced = w.nlimbs = rsize;
+              u.alloced = u.nlimbs = rsize;
+              u.d = rp;
+              mpi_set_cond (&w, &u, j != 0);
+              base_u_size ^= ((base_u_size ^ rsize)  & (0UL - (j != 0)));
+
+              mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
+                        mp, msize, &karactx);
+               tp = rp; rp = xp; xp = tp;
+               rsize = xsize;
+-- 
+2.11.0
+From 129c1960e55603ec3f6fd1cd9cd51b22e9a9a7ef Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 29 Jun 2017 11:48:44 +0900
+Subject: [PATCH 3/5] rsa: Add exponent blinding.
+* cipher/rsa.c (secret): Blind secret D with randomized nonce R for
+mpi_powm computation.
+--
+Co-authored-by: Werner Koch <wk@gnupg.org>
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+The paper describing attack: https://eprint.iacr.org/2017/627
+Sliding right into disaster: Left-to-right sliding windows leak
+by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and
+Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and
+Christine van Vredendaal and Yuval Yarom
+  It is well known that constant-time implementations of modular
+  exponentiation cannot use sliding windows. However, software
+  libraries such as Libgcrypt, used by GnuPG, continue to use sliding
+  windows. It is widely believed that, even if the complete pattern of
+  squarings and multiplications is observed through a side-channel
+  attack, the number of exponent bits leaked is not sufficient to
+  carry out a full key-recovery attack against RSA. Specifically,
+  4-bit sliding windows leak only 40% of the bits, and 5-bit sliding
+  windows leak only 33% of the bits.
+  In this paper we demonstrate a complete break of RSA-1024 as
+  implemented in Libgcrypt. Our attack makes essential use of the fact
+  that Libgcrypt uses the left-to-right method for computing the
+  sliding-window expansion. We show for the first time that the
+  direction of the encoding matters: the pattern of squarings and
+  multiplications in left-to-right sliding windows leaks significantly
+  more information about exponent bits than for right-to-left. We show
+  how to incorporate this additional information into the
+  Heninger-Shacham algorithm for partial key reconstruction, and use
+  it to obtain very efficient full key recovery for RSA-1024. We also
+  provide strong evidence that the same attack works for RSA-2048 with
+  only moderately more computation.
+Exponent blinding is a kind of workaround to add noise.  Signal (leak)
+is still there for non-constant-time implementation.
+(backported from master commit:
+8725c99ffa41778f382ca97233183bcd687bb0ce)
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ cipher/rsa.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index b6c73741..25e29b5c 100644
+--- a/cipher/rsa.c
+++ b/cipher/rsa.c
+@@ -1021,15 +1021,33 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
+       gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+       gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+       gcry_mpi_t h  = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-
+-      /* m1 = c ^ (d mod (p-1)) mod p */
+      gcry_mpi_t D_blind = mpi_alloc_secure ( mpi_get_nlimbs(skey->n) + 1 );
+      gcry_mpi_t r;
+      unsigned int r_nbits;
+
+      r_nbits = mpi_get_nbits (skey->p) / 4;
+      if (r_nbits < 96)
+        r_nbits = 96;
+      r = mpi_alloc_secure ((r_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB);
+
+      /* d_blind = (d mod (p-1)) + (p-1) * r */
+      /* m1 = c ^ d_blind mod p */
+      _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
+      mpi_set_highbit (r, r_nbits - 1);
+       mpi_sub_ui( h, skey->p, 1  );
+-      mpi_fdiv_r( h, skey->d, h );
+-      mpi_powm( m1, input, h, skey->p );
+-      /* m2 = c ^ (d mod (q-1)) mod q */
+      mpi_mul ( D_blind, h, r );
+      mpi_fdiv_r ( h, skey->d, h );
+      mpi_add ( D_blind, D_blind, h );
+      mpi_powm( m1, input, D_blind, skey->p );
+      /* d_blind = (d mod (q-1)) + (q-1) * r */
+      /* m2 = c ^ d_blind mod q */
+      _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
+      mpi_set_highbit (r, r_nbits - 1);
+       mpi_sub_ui( h, skey->q, 1  );
+-      mpi_fdiv_r( h, skey->d, h );
+-      mpi_powm( m2, input, h, skey->q );
+      mpi_mul ( D_blind, h, r );
+      mpi_fdiv_r ( h, skey->d, h );
+      mpi_add ( D_blind, D_blind, h );
+      mpi_powm( m2, input, D_blind, skey->q );
+       /* h = u * ( m2 - m1 ) mod q */
+       mpi_sub( h, m2, m1 );
+       if ( mpi_has_sign ( h ) )
+-- 
+2.11.0
+From 8e1a6289b7d11a8bf6c94affa06c9794e7216e26 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 29 Jun 2017 12:36:27 +0900
+Subject: [PATCH 4/5] rsa: Fix exponent blinding.
+* cipher/rsa.c (secret): Free D_BLIND.
+--
+Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ cipher/rsa.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 25e29b5c..33f92ebd 100644
+--- a/cipher/rsa.c
+++ b/cipher/rsa.c
+@@ -1057,6 +1057,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
+       mpi_mul ( h, h, skey->p );
+       mpi_add ( output, m1, h );
+ 
+      mpi_free ( D_blind );
+       mpi_free ( h );
+       mpi_free ( m1 );
+       mpi_free ( m2 );
+-- 
+2.11.0
+From 4e5497752172edc444029af645f28cb88ce93906 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 29 Jun 2017 12:40:19 +0900
+Subject: [PATCH 5/5] rsa: More fix.
+* cipher/rsa.c (secret): Free R.
+--
+Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ cipher/rsa.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 33f92ebd..8d8d157b 100644
+--- a/cipher/rsa.c
+++ b/cipher/rsa.c
+@@ -1057,6 +1057,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
+       mpi_mul ( h, h, skey->p );
+       mpi_add ( output, m1, h );
+ 
+      mpi_free ( r );
+       mpi_free ( D_blind );
+       mpi_free ( h );
+       mpi_free ( m1 );
+-- 
+2.11.0
diff --git a/meta/recipes-support/libgcrypt/libgcrypt.inc b/meta/recipes-support/libgcrypt/libgcrypt.inc
index e95c059c87..3403579a70 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt.inc
+++ b/meta/recipes-support/libgcrypt/libgcrypt.inc
@@ -21,6 +21,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.gz \
           file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \
           file://fix-undefined-reference-to-pthread.patch \
           file://0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch \
+           file://CVE-2017-7526.patch \
 "
 BINCONFIG = "${bindir}/libgcrypt-config"
author	Ross Burton <ross.burton@intel.com>	2017-07-18 23:07:09 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-07-19 11:30:22 +0100
commit	0920b28c93632ed53e1d50c24f260f9359fcc150 (patch)
tree	e7d0b7e50a61c0a87f0eb09cbbad2648f8d529e3
parent	74bfe85d5ceabe351ff7151423a5279d6adc0a37 (diff)
download	poky-0920b28c93632ed53e1d50c24f260f9359fcc150.tar.gz

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch new file mode 100644 index 0000000000..384fa964ae --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch
@@ -0,0 +1,455 @@
		1	Flush+reload side-channel attack on RSA secret keys dubbed "Sliding right
		2	into disaster".
		3
		4	CVE: CVE-2017-7526
		5	Upstream-Status: Backport
		6	Signed-off-by: Ross Burton <ross.burton@intel.com>
		7
		8	From 12ee400c39e0ebb5fb819c3926d459c278fc99fd Mon Sep 17 00:00:00 2001
		9	From: NIIBE Yutaka <gniibe@fsij.org>
		10	Date: Tue, 4 Apr 2017 17:38:05 +0900
		11	Subject: [PATCH 1/5] mpi: Simplify mpi_powm.
		12
		13	* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop.
		14
		15	--
		16
		17	This fix is not a solution for the problem reported (yet). The
		18	problem is that the current algorithm of _gcry_mpi_powm depends on
		19	exponent and some information leaks is possible.
		20
		21	Reported-by: Andreas Zankl <andreas.zankl@aisec.fraunhofer.de>
		22	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		23
		24	(backport from master commit:
		25	719468e53133d3bdf12156c5bfdea2bf15f9f6f1)
		26
		27	Signed-off-by: Ross Burton <ross.burton@intel.com>
		28	---
		29	mpi/mpi-pow.c \| 105 +++++++++++++++++-----------------------------------------
		30	1 file changed, 30 insertions(+), 75 deletions(-)
		31
		32	diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
		33	index a780ebd1..7b3dc318 100644
		34	--- a/mpi/mpi-pow.c
		35	+++ b/mpi/mpi-pow.c
		36	@@ -609,12 +609,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
		37	if (e == 0)
		38	{
		39	j += c;
		40	- i--;
		41	- if ( i < 0 )
		42	- {
		43	- c = 0;
		44	- break;
		45	- }
		46	+ if ( --i < 0 )
		47	+ break;
		48
		49	e = ep[i];
		50	c = BITS_PER_MPI_LIMB;
		51	@@ -629,38 +625,33 @@ _gcry_mpi_powm (gcry_mpi_t res,
		52	c -= c0;
		53	j += c0;
		54
		55	+ e0 = (e >> (BITS_PER_MPI_LIMB - W));
		56	if (c >= W)
		57	- {
		58	- e0 = (e >> (BITS_PER_MPI_LIMB - W));
		59	- e = (e << W);
		60	- c -= W;
		61	- }
		62	+ c0 = 0;
		63	else
		64	{
		65	- i--;
		66	- if ( i < 0 )
		67	+ if ( --i < 0 )
		68	{
		69	- e = (e >> (BITS_PER_MPI_LIMB - c));
		70	- break;
		71	+ e0 = (e >> (BITS_PER_MPI_LIMB - c));
		72	+ j += c - W;
		73	+ goto last_step;
		74	+ }
		75	+ else
		76	+ {
		77	+ c0 = c;
		78	+ e = ep[i];
		79	+ c = BITS_PER_MPI_LIMB;
		80	+ e0 \|= (e >> (BITS_PER_MPI_LIMB - (W - c0)));
		81	}
		82	-
		83	- c0 = c;
		84	- e0 = (e >> (BITS_PER_MPI_LIMB - W))
		85	- \| (ep[i] >> (BITS_PER_MPI_LIMB - W + c0));
		86	- e = (ep[i] << (W - c0));
		87	- c = BITS_PER_MPI_LIMB - W + c0;
		88	}
		89
		90	+ e = e << (W - c0);
		91	+ c -= (W - c0);
		92	+
		93	+ last_step:
		94	count_trailing_zeros (c0, e0);
		95	e0 = (e0 >> c0) >> 1;
		96
		97	- for (j += W - c0; j; j--)
		98	- {
		99	- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
		100	- tp = rp; rp = xp; xp = tp;
		101	- rsize = xsize;
		102	- }
		103	-
		104	/*
		105	* base_u <= precomp[e0]
		106	* base_u_size <= precomp_size[e0]
		107	@@ -677,25 +668,23 @@ _gcry_mpi_powm (gcry_mpi_t res,
		108	u.d = precomp[k];
		109
		110	mpi_set_cond (&w, &u, k == e0);
		111	- base_u_size \|= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
		112	+ base_u_size \|= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
		113	}
		114
		115	- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
		116	- mp, msize, &karactx);
		117	- tp = rp; rp = xp; xp = tp;
		118	- rsize = xsize;
		119	+ for (j += W - c0; j >= 0; j--)
		120	+ {
		121	+ mul_mod (xp, &xsize, rp, rsize,
		122	+ j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
		123	+ mp, msize, &karactx);
		124	+ tp = rp; rp = xp; xp = tp;
		125	+ rsize = xsize;
		126	+ }
		127
		128	j = c0;
		129	+ if ( i < 0 )
		130	+ break;
		131	}
		132
		133	- if (c != 0)
		134	- {
		135	- j += c;
		136	- count_trailing_zeros (c, e);
		137	- e = (e >> c);
		138	- j -= c;
		139	- }
		140	-
		141	while (j--)
		142	{
		143	mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
		144	@@ -703,40 +692,6 @@ _gcry_mpi_powm (gcry_mpi_t res,
		145	rsize = xsize;
		146	}
		147
		148	- if (e != 0)
		149	- {
		150	- /*
		151	- * base_u <= precomp[(e>>1)]
		152	- * base_u_size <= precomp_size[(e>>1)]
		153	- */
		154	- base_u_size = 0;
		155	- for (k = 0; k < (1<< (W - 1)); k++)
		156	- {
		157	- struct gcry_mpi w, u;
		158	- w.alloced = w.nlimbs = precomp_size[k];
		159	- u.alloced = u.nlimbs = precomp_size[k];
		160	- w.sign = u.sign = 0;
		161	- w.flags = u.flags = 0;
		162	- w.d = base_u;
		163	- u.d = precomp[k];
		164	-
		165	- mpi_set_cond (&w, &u, k == (e>>1));
		166	- base_u_size \|= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) );
		167	- }
		168	-
		169	- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
		170	- mp, msize, &karactx);
		171	- tp = rp; rp = xp; xp = tp;
		172	- rsize = xsize;
		173	-
		174	- for (; c; c--)
		175	- {
		176	- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx);
		177	- tp = rp; rp = xp; xp = tp;
		178	- rsize = xsize;
		179	- }
		180	- }
		181	-
		182	/* We shifted MOD, the modulo reduction argument, left
		183	MOD_SHIFT_CNT steps. Adjust the result by reducing it with the
		184	original MOD.
		185	--
		186	2.11.0
		187
		188
		189	From a4b275c4d5378837e820fdc84f4ada876f9c8ccd Mon Sep 17 00:00:00 2001
		190	From: NIIBE Yutaka <gniibe@fsij.org>
		191	Date: Sat, 24 Jun 2017 20:46:20 +0900
		192	Subject: [PATCH 2/5] Same computation for square and multiply.
		193
		194	* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move
		195	the assignment to base_u into the loop. Copy content refered by RP to
		196	BASE_U except the last of the loop.
		197
		198	--
		199
		200	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		201	(backport from master commit:
		202	78130828e9a140a9de4dafadbc844dbb64cb709a)
		203
		204	Signed-off-by: Ross Burton <ross.burton@intel.com>
		205	---
		206	mpi/mpi-pow.c \| 50 +++++++++++++++++++++++++++++---------------------
		207	1 file changed, 29 insertions(+), 21 deletions(-)
		208
		209	diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
		210	index 7b3dc318..3cba6903 100644
		211	--- a/mpi/mpi-pow.c
		212	+++ b/mpi/mpi-pow.c
		213	@@ -573,6 +573,8 @@ _gcry_mpi_powm (gcry_mpi_t res,
		214	MPN_COPY (precomp[i], rp, rsize);
		215	}
		216
		217	+ if (msize > max_u_size)
		218	+ max_u_size = msize;
		219	base_u = mpi_alloc_limb_space (max_u_size, esec);
		220	MPN_ZERO (base_u, max_u_size);
		221
		222	@@ -619,6 +621,10 @@ _gcry_mpi_powm (gcry_mpi_t res,
		223	{
		224	int c0;
		225	mpi_limb_t e0;
		226	+ struct gcry_mpi w, u;
		227	+ w.sign = u.sign = 0;
		228	+ w.flags = u.flags = 0;
		229	+ w.d = base_u;
		230
		231	count_leading_zeros (c0, e);
		232	e = (e << c0);
		233	@@ -652,29 +658,31 @@ _gcry_mpi_powm (gcry_mpi_t res,
		234	count_trailing_zeros (c0, e0);
		235	e0 = (e0 >> c0) >> 1;
		236
		237	- /*
		238	- * base_u <= precomp[e0]
		239	- * base_u_size <= precomp_size[e0]
		240	- */
		241	- base_u_size = 0;
		242	- for (k = 0; k < (1<< (W - 1)); k++)
		243	- {
		244	- struct gcry_mpi w, u;
		245	- w.alloced = w.nlimbs = precomp_size[k];
		246	- u.alloced = u.nlimbs = precomp_size[k];
		247	- w.sign = u.sign = 0;
		248	- w.flags = u.flags = 0;
		249	- w.d = base_u;
		250	- u.d = precomp[k];
		251	-
		252	- mpi_set_cond (&w, &u, k == e0);
		253	- base_u_size \|= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) );
		254	- }
		255	-
		256	for (j += W - c0; j >= 0; j--)
		257	{
		258	- mul_mod (xp, &xsize, rp, rsize,
		259	- j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize,
		260	+
		261	+ /*
		262	+ * base_u <= precomp[e0]
		263	+ * base_u_size <= precomp_size[e0]
		264	+ */
		265	+ base_u_size = 0;
		266	+ for (k = 0; k < (1<< (W - 1)); k++)
		267	+ {
		268	+ w.alloced = w.nlimbs = precomp_size[k];
		269	+ u.alloced = u.nlimbs = precomp_size[k];
		270	+ u.d = precomp[k];
		271	+
		272	+ mpi_set_cond (&w, &u, k == e0);
		273	+ base_u_size \|= ( precomp_size[k] & (0UL - (k == e0)) );
		274	+ }
		275	+
		276	+ w.alloced = w.nlimbs = rsize;
		277	+ u.alloced = u.nlimbs = rsize;
		278	+ u.d = rp;
		279	+ mpi_set_cond (&w, &u, j != 0);
		280	+ base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0)));
		281	+
		282	+ mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size,
		283	mp, msize, &karactx);
		284	tp = rp; rp = xp; xp = tp;
		285	rsize = xsize;
		286	--
		287	2.11.0
		288
		289
		290	From 129c1960e55603ec3f6fd1cd9cd51b22e9a9a7ef Mon Sep 17 00:00:00 2001
		291	From: NIIBE Yutaka <gniibe@fsij.org>
		292	Date: Thu, 29 Jun 2017 11:48:44 +0900
		293	Subject: [PATCH 3/5] rsa: Add exponent blinding.
		294
		295	* cipher/rsa.c (secret): Blind secret D with randomized nonce R for
		296	mpi_powm computation.
		297
		298	--
		299
		300	Co-authored-by: Werner Koch <wk@gnupg.org>
		301	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		302
		303	The paper describing attack: https://eprint.iacr.org/2017/627
		304
		305	Sliding right into disaster: Left-to-right sliding windows leak
		306	by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and
		307	Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and
		308	Christine van Vredendaal and Yuval Yarom
		309
		310	It is well known that constant-time implementations of modular
		311	exponentiation cannot use sliding windows. However, software
		312	libraries such as Libgcrypt, used by GnuPG, continue to use sliding
		313	windows. It is widely believed that, even if the complete pattern of
		314	squarings and multiplications is observed through a side-channel
		315	attack, the number of exponent bits leaked is not sufficient to
		316	carry out a full key-recovery attack against RSA. Specifically,
		317	4-bit sliding windows leak only 40% of the bits, and 5-bit sliding
		318	windows leak only 33% of the bits.
		319
		320	In this paper we demonstrate a complete break of RSA-1024 as
		321	implemented in Libgcrypt. Our attack makes essential use of the fact
		322	that Libgcrypt uses the left-to-right method for computing the
		323	sliding-window expansion. We show for the first time that the
		324	direction of the encoding matters: the pattern of squarings and
		325	multiplications in left-to-right sliding windows leaks significantly
		326	more information about exponent bits than for right-to-left. We show
		327	how to incorporate this additional information into the
		328	Heninger-Shacham algorithm for partial key reconstruction, and use
		329	it to obtain very efficient full key recovery for RSA-1024. We also
		330	provide strong evidence that the same attack works for RSA-2048 with
		331	only moderately more computation.
		332
		333	Exponent blinding is a kind of workaround to add noise. Signal (leak)
		334	is still there for non-constant-time implementation.
		335
		336	(backported from master commit:
		337	8725c99ffa41778f382ca97233183bcd687bb0ce)
		338
		339	Signed-off-by: Ross Burton <ross.burton@intel.com>
		340	---
		341	cipher/rsa.c \| 32 +++++++++++++++++++++++++-------
		342	1 file changed, 25 insertions(+), 7 deletions(-)
		343
		344	diff --git a/cipher/rsa.c b/cipher/rsa.c
		345	index b6c73741..25e29b5c 100644
		346	--- a/cipher/rsa.c
		347	+++ b/cipher/rsa.c
		348	@@ -1021,15 +1021,33 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
		349	gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		350	gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		351	gcry_mpi_t h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		352	-
		353	- /* m1 = c ^ (d mod (p-1)) mod p */
		354	+ gcry_mpi_t D_blind = mpi_alloc_secure ( mpi_get_nlimbs(skey->n) + 1 );
		355	+ gcry_mpi_t r;
		356	+ unsigned int r_nbits;
		357	+
		358	+ r_nbits = mpi_get_nbits (skey->p) / 4;
		359	+ if (r_nbits < 96)
		360	+ r_nbits = 96;
		361	+ r = mpi_alloc_secure ((r_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB);
		362	+
		363	+ /* d_blind = (d mod (p-1)) + (p-1) * r */
		364	+ /* m1 = c ^ d_blind mod p */
		365	+ _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
		366	+ mpi_set_highbit (r, r_nbits - 1);
		367	mpi_sub_ui( h, skey->p, 1 );
		368	- mpi_fdiv_r( h, skey->d, h );
		369	- mpi_powm( m1, input, h, skey->p );
		370	- /* m2 = c ^ (d mod (q-1)) mod q */
		371	+ mpi_mul ( D_blind, h, r );
		372	+ mpi_fdiv_r ( h, skey->d, h );
		373	+ mpi_add ( D_blind, D_blind, h );
		374	+ mpi_powm( m1, input, D_blind, skey->p );
		375	+ /* d_blind = (d mod (q-1)) + (q-1) * r */
		376	+ /* m2 = c ^ d_blind mod q */
		377	+ _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM);
		378	+ mpi_set_highbit (r, r_nbits - 1);
		379	mpi_sub_ui( h, skey->q, 1 );
		380	- mpi_fdiv_r( h, skey->d, h );
		381	- mpi_powm( m2, input, h, skey->q );
		382	+ mpi_mul ( D_blind, h, r );
		383	+ mpi_fdiv_r ( h, skey->d, h );
		384	+ mpi_add ( D_blind, D_blind, h );
		385	+ mpi_powm( m2, input, D_blind, skey->q );
		386	/* h = u * ( m2 - m1 ) mod q */
		387	mpi_sub( h, m2, m1 );
		388	if ( mpi_has_sign ( h ) )
		389	--
		390	2.11.0
		391
		392
		393	From 8e1a6289b7d11a8bf6c94affa06c9794e7216e26 Mon Sep 17 00:00:00 2001
		394	From: NIIBE Yutaka <gniibe@fsij.org>
		395	Date: Thu, 29 Jun 2017 12:36:27 +0900
		396	Subject: [PATCH 4/5] rsa: Fix exponent blinding.
		397
		398	* cipher/rsa.c (secret): Free D_BLIND.
		399
		400	--
		401
		402	Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c
		403	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		404	Signed-off-by: Ross Burton <ross.burton@intel.com>
		405	---
		406	cipher/rsa.c \| 1 +
		407	1 file changed, 1 insertion(+)
		408
		409	diff --git a/cipher/rsa.c b/cipher/rsa.c
		410	index 25e29b5c..33f92ebd 100644
		411	--- a/cipher/rsa.c
		412	+++ b/cipher/rsa.c
		413	@@ -1057,6 +1057,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
		414	mpi_mul ( h, h, skey->p );
		415	mpi_add ( output, m1, h );
		416
		417	+ mpi_free ( D_blind );
		418	mpi_free ( h );
		419	mpi_free ( m1 );
		420	mpi_free ( m2 );
		421	--
		422	2.11.0
		423
		424
		425	From 4e5497752172edc444029af645f28cb88ce93906 Mon Sep 17 00:00:00 2001
		426	From: NIIBE Yutaka <gniibe@fsij.org>
		427	Date: Thu, 29 Jun 2017 12:40:19 +0900
		428	Subject: [PATCH 5/5] rsa: More fix.
		429
		430	* cipher/rsa.c (secret): Free R.
		431
		432	--
		433
		434	Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c
		435	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		436	Signed-off-by: Ross Burton <ross.burton@intel.com>
		437	---
		438	cipher/rsa.c \| 1 +
		439	1 file changed, 1 insertion(+)
		440
		441	diff --git a/cipher/rsa.c b/cipher/rsa.c
		442	index 33f92ebd..8d8d157b 100644
		443	--- a/cipher/rsa.c
		444	+++ b/cipher/rsa.c
		445	@@ -1057,6 +1057,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey )
		446	mpi_mul ( h, h, skey->p );
		447	mpi_add ( output, m1, h );
		448
		449	+ mpi_free ( r );
		450	mpi_free ( D_blind );
		451	mpi_free ( h );
		452	mpi_free ( m1 );
		453	--
		454	2.11.0
		455


diff --git a/meta/recipes-support/libgcrypt/libgcrypt.inc b/meta/recipes-support/libgcrypt/libgcrypt.inc index e95c059c87..3403579a70 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt.inc +++ b/meta/recipes-support/libgcrypt/libgcrypt.inc
@@ -21,6 +21,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.gz \
21	file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \	21	file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \
22	file://fix-undefined-reference-to-pthread.patch \	22	file://fix-undefined-reference-to-pthread.patch \
23	file://0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch \	23	file://0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch \
		24	file://CVE-2017-7526.patch \
24	"	25	"
25		26
26	BINCONFIG = "${bindir}/libgcrypt-config"	27	BINCONFIG = "${bindir}/libgcrypt-config"