[oe-commits] [openembedded-core] 10/19: libgcrypt: Security fix CVE-2015-7511

git at git.openembedded.org git at git.openembedded.org
Thu Mar 3 11:13:42 UTC 2016


rpurdie pushed a commit to branch fido
in repository openembedded-core.

commit 88ba5ea3f3a421ac91d670e450f4b0645a53d733
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sat Feb 13 09:34:00 2016 -0800

    libgcrypt: Security fix CVE-2015-7511
    
    CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves
    
    affects libgcrypt < 1.6.5
    
    adjust SRC_URI + for this version.
    
    Patch 1 is a dependency patch (a simple macro rename needed for patch 2 to apply).
    Patch 2 is the cve fix.
    
    (From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c)
    
    Signed-off-by: Armin Kuster <akuster at mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
    Signed-off-by: Armin Kuster <akuster at mvista.com>
    Signed-off-by: Joshua Lock <joshua.g.lock at intel.com>
---
 .../libgcrypt/files/CVE-2015-7511_1.patch          | 245 +++++++++++++++++++++
 .../libgcrypt/files/CVE-2015-7511_2.patch          |  55 +++++
 meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb  |   5 +
 3 files changed, 305 insertions(+)

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch
new file mode 100644
index 0000000..14c25b9
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch
@@ -0,0 +1,245 @@
+From 2ef48ba59c32bfa1a9265d5eea8ab225a658903a Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 9 Jan 2014 19:14:09 +0100
+Subject: [PATCH] ecc: Make a macro shorter.
+
+* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS.  CHnage
+all users.
+* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
+comment.
+* mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards.
+(add_points_twistededwards): Rename to add_points_edwards.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+
+Upstream-Status: Backport
+2ef48ba59c32bfa1a9265d5eea8ab225a658903a
+
+CVE: CVE-2015-7511 depend patch
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ cipher/ecc-curves.c | 22 +++++++++++++++++++---
+ cipher/ecc-misc.c   |  4 ++--
+ cipher/ecc.c        |  8 ++++----
+ mpi/ec.c            | 22 +++++++++++-----------
+ src/mpi.h           | 11 ++++++++---
+ 5 files changed, 44 insertions(+), 23 deletions(-)
+
+Index: libgcrypt-1.6.3/cipher/ecc-curves.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc-curves.c
++++ libgcrypt-1.6.3/cipher/ecc-curves.c
+@@ -105,7 +105,7 @@ static const ecc_domain_parms_t domain_p
+     {
+       /* (-x^2 + y^2 = 1 + dx^2y^2) */
+       "Ed25519", 256, 0,
+-      MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519,
++      MPI_EC_EDWARDS, ECC_DIALECT_ED25519,
+       "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+       "-0x01",
+       "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
+@@ -113,6 +113,22 @@ static const ecc_domain_parms_t domain_p
+       "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
+       "0x6666666666666666666666666666666666666666666666666666666666666658"
+     },
++#if 0 /* No real specs yet found.  */
++    {
++      /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */
++      "Curve3617",
++      "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF",
++      MPI_EC_EDWARDS, 0,
++      "0x01",
++      "0x0e21",
++      "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF"
++      "706022B36F1C0338AD63CF181B0E71A5E106AF79",
++      "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D"
++      "6D6BA111301A73FAA8537C64C4FD3812F3CBC595",
++      "0x22"
++    },
++#endif /*0*/
+     {
+       "NIST P-192", 192, 1,
+       MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+@@ -404,7 +420,7 @@ _gcry_ecc_fill_in_curve (unsigned int nb
+   switch (domain_parms[idx].model)
+     {
+     case MPI_EC_WEIERSTRASS:
+-    case MPI_EC_TWISTEDEDWARDS:
++    case MPI_EC_EDWARDS:
+       break;
+     case MPI_EC_MONTGOMERY:
+       return GPG_ERR_NOT_SUPPORTED;
+@@ -1039,7 +1055,7 @@ _gcry_ecc_get_mpi (const char *name, mpi
+       if (name[1] != '@')
+         return _gcry_mpi_ec_ec2os (ec->Q, ec);
+ 
+-      if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS)
++      if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS)
+         {
+           unsigned char *encpk;
+           unsigned int encpklen;
+Index: libgcrypt-1.6.3/cipher/ecc-misc.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc-misc.c
++++ libgcrypt-1.6.3/cipher/ecc-misc.c
+@@ -79,7 +79,7 @@ _gcry_ecc_model2str (enum gcry_mpi_ec_mo
+     {
+     case MPI_EC_WEIERSTRASS:    str = "Weierstrass"; break;
+     case MPI_EC_MONTGOMERY:     str = "Montgomery";  break;
+-    case MPI_EC_TWISTEDEDWARDS: str = "Twisted Edwards"; break;
++    case MPI_EC_EDWARDS:        str = "Edwards"; break;
+     }
+   return str;
+ }
+@@ -252,7 +252,7 @@ _gcry_ecc_compute_public (mpi_point_t Q,
+ 
+   if (!d || !G || !ec->p || !ec->a)
+     return NULL;
+-  if (ec->model == MPI_EC_TWISTEDEDWARDS && !ec->b)
++  if (ec->model == MPI_EC_EDWARDS && !ec->b)
+     return NULL;
+ 
+   if (ec->dialect == ECC_DIALECT_ED25519
+Index: libgcrypt-1.6.3/cipher/ecc.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc.c
++++ libgcrypt-1.6.3/cipher/ecc.c
+@@ -642,7 +642,7 @@ ecc_check_secret_key (gcry_sexp_t keypar
+   if (!curvename)
+     {
+       sk.E.model = ((flags & PUBKEY_FLAG_EDDSA)
+-               ? MPI_EC_TWISTEDEDWARDS
++               ? MPI_EC_EDWARDS
+                : MPI_EC_WEIERSTRASS);
+       sk.E.dialect = ((flags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -774,7 +774,7 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_
+   if (!curvename)
+     {
+       sk.E.model = ((ctx.flags & PUBKEY_FLAG_EDDSA)
+-                    ? MPI_EC_TWISTEDEDWARDS
++                    ? MPI_EC_EDWARDS
+                     : MPI_EC_WEIERSTRASS);
+       sk.E.dialect = ((ctx.flags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -938,7 +938,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp
+   if (!curvename)
+     {
+       pk.E.model = ((sigflags & PUBKEY_FLAG_EDDSA)
+-                    ? MPI_EC_TWISTEDEDWARDS
++                    ? MPI_EC_EDWARDS
+                     : MPI_EC_WEIERSTRASS);
+       pk.E.dialect = ((sigflags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -1528,7 +1528,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_s
+   if (!curvename)
+     {
+       model = ((flags & PUBKEY_FLAG_EDDSA)
+-               ? MPI_EC_TWISTEDEDWARDS
++               ? MPI_EC_EDWARDS
+                : MPI_EC_WEIERSTRASS);
+       dialect = ((flags & PUBKEY_FLAG_EDDSA)
+                  ? ECC_DIALECT_ED25519
+Index: libgcrypt-1.6.3/mpi/ec.c
+===================================================================
+--- libgcrypt-1.6.3.orig/mpi/ec.c
++++ libgcrypt-1.6.3/mpi/ec.c
+@@ -605,7 +605,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, g
+       }
+       return -1;
+ 
+-    case MPI_EC_TWISTEDEDWARDS:
++    case MPI_EC_EDWARDS:
+       {
+         gcry_mpi_t z;
+ 
+@@ -725,7 +725,7 @@ dup_point_montgomery (mpi_point_t result
+ 
+ /*  RESULT = 2 * POINT  (Twisted Edwards version). */
+ static void
+-dup_point_twistededwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
++dup_point_edwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
+ {
+ #define X1 (point->x)
+ #define Y1 (point->y)
+@@ -811,8 +811,8 @@ _gcry_mpi_ec_dup_point (mpi_point_t resu
+     case MPI_EC_MONTGOMERY:
+       dup_point_montgomery (result, point, ctx);
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
+-      dup_point_twistededwards (result, point, ctx);
++    case MPI_EC_EDWARDS:
++      dup_point_edwards (result, point, ctx);
+       break;
+     }
+ }
+@@ -977,9 +977,9 @@ add_points_montgomery (mpi_point_t resul
+ 
+ /* RESULT = P1 + P2  (Twisted Edwards version).*/
+ static void
+-add_points_twistededwards (mpi_point_t result,
+-                           mpi_point_t p1, mpi_point_t p2,
+-                           mpi_ec_t ctx)
++add_points_edwards (mpi_point_t result,
++                    mpi_point_t p1, mpi_point_t p2,
++                    mpi_ec_t ctx)
+ {
+ #define X1 (p1->x)
+ #define Y1 (p1->y)
+@@ -1087,8 +1087,8 @@ _gcry_mpi_ec_add_points (mpi_point_t res
+     case MPI_EC_MONTGOMERY:
+       add_points_montgomery (result, p1, p2, ctx);
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
+-      add_points_twistededwards (result, p1, p2, ctx);
++    case MPI_EC_EDWARDS:
++      add_points_edwards (result, p1, p2, ctx);
+       break;
+     }
+ }
+@@ -1106,7 +1106,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
+   unsigned int i, loops;
+   mpi_point_struct p1, p2, p1inv;
+ 
+-  if (ctx->model == MPI_EC_TWISTEDEDWARDS)
++  if (ctx->model == MPI_EC_EDWARDS)
+     {
+       /* Simple left to right binary method.  GECC Algorithm 3.27 */
+       unsigned int nbits;
+@@ -1269,7 +1269,7 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point
+       log_fatal ("%s: %s not yet supported\n",
+                  "_gcry_mpi_ec_curve_point", "Montgomery");
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
++    case MPI_EC_EDWARDS:
+       {
+         /* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */
+         ec_pow2 (x, x, ctx);
+Index: libgcrypt-1.6.3/src/mpi.h
+===================================================================
+--- libgcrypt-1.6.3.orig/src/mpi.h
++++ libgcrypt-1.6.3/src/mpi.h
+@@ -245,13 +245,18 @@ void _gcry_mpi_snatch_point (gcry_mpi_t
+ /* Models describing an elliptic curve.  */
+ enum gcry_mpi_ec_models
+   {
+-
++    /* The Short Weierstrass equation is
++          y^2 = x^3 + ax + b
++     */
+     MPI_EC_WEIERSTRASS = 0,
++    /* The Montgomery equation is
++          by^2 = x^3 + ax^2 + x
++     */
+     MPI_EC_MONTGOMERY,
+-    MPI_EC_TWISTEDEDWARDS
+-    /* The equation for Twisted Edwards curves is
++    /* The Twisted Edwards equation is
+           ax^2 + y^2 = 1 + bx^2y^2
+        Note that we use 'b' instead of the commonly used 'd'.  */
++    MPI_EC_EDWARDS
+   };
+ 
+ /* Dialects used with elliptic curves.  It is easier to keep the
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch
new file mode 100644
index 0000000..8093a18
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch
@@ -0,0 +1,55 @@
+From 88e1358962e902ff1cbec8d53ba3eee46407851a Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Wed, 25 Nov 2015 12:46:19 +0900
+Subject: [PATCH] ecc: Constant-time multiplication for Weierstrass curve.
+
+* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
+method for Weierstrass curve when SCALAR is secure.
+
+Upstream-Status: Backport
+
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a
+
+CVE: CVE-2015-7511 fix
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ mpi/ec.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+Index: libgcrypt-1.6.3/mpi/ec.c
+===================================================================
+--- libgcrypt-1.6.3.orig/mpi/ec.c
++++ libgcrypt-1.6.3/mpi/ec.c
+@@ -1106,16 +1106,27 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
+   unsigned int i, loops;
+   mpi_point_struct p1, p2, p1inv;
+ 
+-  if (ctx->model == MPI_EC_EDWARDS)
++  if (ctx->model == MPI_EC_EDWARDS
++      || (ctx->model == MPI_EC_WEIERSTRASS
++          && mpi_is_secure (scalar)))
+     {
+       /* Simple left to right binary method.  GECC Algorithm 3.27 */
+       unsigned int nbits;
+       int j;
+ 
+       nbits = mpi_get_nbits (scalar);
+-      mpi_set_ui (result->x, 0);
+-      mpi_set_ui (result->y, 1);
+-      mpi_set_ui (result->z, 1);
++      if (ctx->model == MPI_EC_WEIERSTRASS)
++        {
++          mpi_set_ui (result->x, 1);
++          mpi_set_ui (result->y, 1);
++          mpi_set_ui (result->z, 0);
++        }
++      else
++        {
++          mpi_set_ui (result->x, 0);
++          mpi_set_ui (result->y, 1);
++          mpi_set_ui (result->z, 1);
++        }
+ 
+       if (mpi_is_secure (scalar))
+         {
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
index c49c0e7..40b7387 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb
@@ -1,4 +1,9 @@
 require libgcrypt.inc
 
+SRC_URI += "\
+        file://CVE-2015-7511_1.patch \
+        file://CVE-2015-7511_2.patch \
+        "
+
 SRC_URI[md5sum] = "d19adc062edff0ebc7e887212733ef1f"
 SRC_URI[sha256sum] = "936921644b9c81e2395e18a554a9a5f9252aae3976f8afc3e4229ee9d785e627"
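Review bot: The two patch files added alongside this recipe still carry libgcrypt-1.6.3 paths in their `Index:`/`---`/`+++` headers while this recipe is libgcrypt_1.6.2.bb; with the default strip level the version component is dropped so they presumably apply, but the mismatch is misleading for anyone auditing which tree the backport was verified against. Refreshing the headers to the 1.6.2 tree, or noting in the commit message that they were carried over unchanged from the 1.6.3 master recipe, would remove the ambiguity. It would also be worth recording that upstream's actual fix release is 1.6.5, so a later PV bump in this branch must not drop these two patches until it reaches that version.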
