summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-support/libgcrypt/files/0005-ecc-Add-input-validation-for-X25519.patch158
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.8.1.bb (renamed from meta/recipes-support/libgcrypt/libgcrypt_1.8.0.bb)8
2 files changed, 3 insertions, 163 deletions
diff --git a/meta/recipes-support/libgcrypt/files/0005-ecc-Add-input-validation-for-X25519.patch b/meta/recipes-support/libgcrypt/files/0005-ecc-Add-input-validation-for-X25519.patch
deleted file mode 100644
index 66fdd740b5..0000000000
--- a/meta/recipes-support/libgcrypt/files/0005-ecc-Add-input-validation-for-X25519.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From ef570e3d2773c12126e7d3fcdc4db9ef80a5e214 Mon Sep 17 00:00:00 2001
-From: NIIBE Yutaka <gniibe@fsij.org>
-Date: Fri, 25 Aug 2017 18:13:28 +0900
-Subject: [PATCH] ecc: Add input validation for X25519.
-
-* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
-* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
-(_gcry_mpi_ec_bad_point): New.
-
---
-
-Following is the paper describing the attack:
-
- May the Fourth Be With You: A Microarchitectural Side Channel Attack
- on Real-World Applications of Curve25519
- by Daniel Genkin, Luke Valenta, and Yuval Yarom
-
-In the current implementation, we do output checking and it results an
-error for those bad points. However, when attacked, the computation
-will done with leak of private key, even it will results errors. To
-mitigate leak, we added input validation.
-
-Note that we only list bad points with MSB=0. By X25519, MSB is
-always cleared.
-
-In future, we should implement constant-time field computation. Then,
-this input validation could be removed, if performance is important
-and we are sure for no leak.
-
-CVE-id: CVE-2017-0379
-Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-
-Upstream-Status: Backport
-CVE: CVE-2017-0379
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- cipher/ecc.c | 17 +++++++++++++++--
- mpi/ec.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++---
- src/mpi.h | 1 +
- 3 files changed, 64 insertions(+), 5 deletions(-)
-
-diff --git a/cipher/ecc.c b/cipher/ecc.c
-index e25bf09..4e3e5b1 100644
---- a/cipher/ecc.c
-+++ b/cipher/ecc.c
-@@ -1628,9 +1628,22 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
- if (DBG_CIPHER)
- log_printpnt ("ecc_decrypt kG", &kG, NULL);
-
-- if (!(flags & PUBKEY_FLAG_DJB_TWEAK)
-+ if ((flags & PUBKEY_FLAG_DJB_TWEAK))
-+ {
- /* For X25519, by its definition, validation should not be done. */
-- && !_gcry_mpi_ec_curve_point (&kG, ec))
-+ /* (Instead, we do output check.)
-+ *
-+ * However, to mitigate secret key leak from our implementation,
-+ * we also do input validation here. For constant-time
-+ * implementation, we can remove this input validation.
-+ */
-+ if (_gcry_mpi_ec_bad_point (&kG, ec))
-+ {
-+ rc = GPG_ERR_INV_DATA;
-+ goto leave;
-+ }
-+ }
-+ else if (!_gcry_mpi_ec_curve_point (&kG, ec))
- {
- rc = GPG_ERR_INV_DATA;
- goto leave;
-diff --git a/mpi/ec.c b/mpi/ec.c
-index a0f7357..4c16603 100644
---- a/mpi/ec.c
-+++ b/mpi/ec.c
-@@ -396,6 +396,29 @@ ec_get_two_inv_p (mpi_ec_t ec)
- }
-
-
-+static const char *curve25519_bad_points[] = {
-+ "0x0000000000000000000000000000000000000000000000000000000000000000",
-+ "0x0000000000000000000000000000000000000000000000000000000000000001",
-+ "0x00b8495f16056286fdb1329ceb8d09da6ac49ff1fae35616aeb8413b7c7aebe0",
-+ "0x57119fd0dd4e22d8868e1c58c45c44045bef839c55b1d0b1248c50a3bc959c5f",
-+ "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec",
-+ "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed",
-+ "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffee",
-+ NULL
-+};
-+
-+static gcry_mpi_t
-+scanval (const char *string)
-+{
-+ gpg_err_code_t rc;
-+ gcry_mpi_t val;
-+
-+ rc = _gcry_mpi_scan (&val, GCRYMPI_FMT_HEX, string, 0, NULL);
-+ if (rc)
-+ log_fatal ("scanning ECC parameter failed: %s\n", gpg_strerror (rc));
-+ return val;
-+}
-+
-
- /* This function initialized a context for elliptic curve based on the
- field GF(p). P is the prime specifying this field, A is the first
-@@ -434,9 +457,17 @@ ec_p_init (mpi_ec_t ctx, enum gcry_mpi_ec_models model,
-
- _gcry_mpi_ec_get_reset (ctx);
-
-- /* Allocate scratch variables. */
-- for (i=0; i< DIM(ctx->t.scratch); i++)
-- ctx->t.scratch[i] = mpi_alloc_like (ctx->p);
-+ if (model == MPI_EC_MONTGOMERY)
-+ {
-+ for (i=0; i< DIM(ctx->t.scratch) && curve25519_bad_points[i]; i++)
-+ ctx->t.scratch[i] = scanval (curve25519_bad_points[i]);
-+ }
-+ else
-+ {
-+ /* Allocate scratch variables. */
-+ for (i=0; i< DIM(ctx->t.scratch); i++)
-+ ctx->t.scratch[i] = mpi_alloc_like (ctx->p);
-+ }
-
- /* Prepare for fast reduction. */
- /* FIXME: need a test for NIST values. However it does not gain us
-@@ -1572,3 +1603,17 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx)
-
- return res;
- }
-+
-+
-+int
-+_gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx)
-+{
-+ int i;
-+ gcry_mpi_t x_bad;
-+
-+ for (i = 0; (x_bad = ctx->t.scratch[i]); i++)
-+ if (!mpi_cmp (point->x, x_bad))
-+ return 1;
-+
-+ return 0;
-+}
-diff --git a/src/mpi.h b/src/mpi.h
-index b5385b5..aeba7f8 100644
---- a/src/mpi.h
-+++ b/src/mpi.h
-@@ -296,6 +296,7 @@ void _gcry_mpi_ec_mul_point (mpi_point_t result,
- gcry_mpi_t scalar, mpi_point_t point,
- mpi_ec_t ctx);
- int _gcry_mpi_ec_curve_point (gcry_mpi_point_t point, mpi_ec_t ctx);
-+int _gcry_mpi_ec_bad_point (gcry_mpi_point_t point, mpi_ec_t ctx);
-
- gcry_mpi_t _gcry_mpi_ec_ec2os (gcry_mpi_point_t point, mpi_ec_t ectx);
-
---
-1.8.3.1
-
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.0.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.1.bb
index 02982f03c6..5bd815ae55 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.0.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.1.bb
@@ -15,16 +15,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
DEPENDS = "libgpg-error"
UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
-SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.gz \
+SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
file://0001-Add-and-use-pkg-config-for-libgcrypt-instead-of-conf.patch \
file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \
file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \
- file://0005-ecc-Add-input-validation-for-X25519.patch \
- file://0006-Fix-building-AArch32-CE-implementations-when-target-.patch \
"
-SRC_URI[md5sum] = "110ce4352f9ea6f560bdc6c5644ae93c"
-SRC_URI[sha256sum] = "f6e470b7f2d3a703e8747f05a8c19d9e10e26ebf2d5f3d71ff75a40f504e12ee"
+SRC_URI[md5sum] = "b21817f9d850064d2177285f1073ec55"
+SRC_URI[sha256sum] = "7a2875f8b1ae0301732e878c0cca2c9664ff09ef71408f085c50e332656a78b3"
BINCONFIG = "${bindir}/libgcrypt-config"