From patchwork Tue Jul 18 22:07:34 2017
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 108245
From: Ross Burton
To: openembedded-core@lists.openembedded.org
Date: Tue, 18 Jul 2017 23:07:34 +0100
Message-Id: <20170718220735.6547-1-ross.burton@intel.com>
X-Mailer: git-send-email 2.11.0
Subject: [OE-core] [PATCH][morty 1/2] libgcrypt: fix CVE-2017-9526
List-Id: Patches and discussions about the oe-core layer

In libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.
Signed-off-by: Ross Burton --- ...-Store-EdDSA-session-key-in-secure-memory.patch | 39 ++++++++++++++++++++++ meta/recipes-support/libgcrypt/libgcrypt.inc | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-support/libgcrypt/files/0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch new file mode 100644 index 00000000000..f6c4ca76f33 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch 
@@ -0,0 +1,39 @@ +CVE: CVE-2017-9526 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From b3cab278eb9c2ceda79f980bc26460d97f260041 Mon Sep 17 00:00:00 2001 +From: Jo Van Bulck +Date: Thu, 19 Jan 2017 17:00:15 +0100 +Subject: [PATCH] ecc: Store EdDSA session key in secure memory. + +* cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate +session key. +-- + +An attacker who learns the EdDSA session key from side-channel +observation during the signing process, can easily revover the long- +term secret key. Storing the session key in secure memory ensures that +constant time point operations are used in the MPI library. + +Signed-off-by: Jo Van Bulck +--- + cipher/ecc-eddsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c +index f91f8489..813e030d 100644 +--- a/cipher/ecc-eddsa.c ++++ b/cipher/ecc-eddsa.c +@@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey, + a = mpi_snew (0); + x = mpi_new (0); + y = mpi_new (0); +- r = mpi_new (0); ++ r = mpi_snew (0); + ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0, + skey->E.p, skey->E.a, skey->E.b); + b = (ctx->nbits+7)/8; +-- +2.11.0 + diff --git a/meta/recipes-support/libgcrypt/libgcrypt.inc b/meta/recipes-support/libgcrypt/libgcrypt.inc index 15805cd4365..7c4c0e83b53 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt.inc +++ b/meta/recipes-support/libgcrypt/libgcrypt.inc 
@@ -20,6 +20,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.gz \ file://libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \ file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \ file://fix-undefined-reference-to-pthread.patch \ + file://0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch \ " BINCONFIG = "${bindir}/libgcrypt-config" From patchwork Tue Jul 18 22:07:35 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 108246 Delivered-To: patch@linaro.org Received: by 10.140.101.44 with SMTP id t41csp6501669qge; Tue, 18 Jul 2017 15:07:46 -0700 (PDT) X-Received: by 10.99.55.10 with SMTP id e10mr4018844pga.176.1500415666399; Tue, 18 Jul 2017 15:07:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1500415666; cv=none; d=google.com; s=arc-20160816; b=CyW/dKqMlAEWsQ8heh8Uu+9wMwRlU6fXP0bODk5nGA1Nk6X7X+nYLqrvvrWb+46X2T tTDc0Srwm0FlziiTBeGU88nMevsDUKl/Av/VdJ38pBZTxKokDhYcAHOVxuJOABliJs/R NIIP84653CKPfQdYO/ylPZR+n5cHyYjyX2s6gFNtADiDmQTBUnAaOlLBqF8CN0qCvg8q bHBZY6THVICDpZEmJMK9+uxd9nZAkRuvJ6QzTKw4ym2oD7liXajDYjSGUmME6gsK5L80 3n/5VfeAQShr6EXu4/ot2toIWwsA6+uZX60VRKeOVWqTvUR8cTEW258lfmJe/xzUBwYa KhdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to:arc-authentication-results; bh=1/dqVepqSt2bbk8dNKzFUlMYXKh4LzHe0JuhotOlYQc=; b=ftTEM2u9WACxDN0hvqtgFPCFppR0fL0q+jKJnTooRkgqBerZ24a1XvGA9IV+Eoec+M ADggZImuyd4M/4tZe+rUpzRTGuUvh+KJeOCWDhgcH1WTxbq1mc+SoKPvNn9V0ZrZDMPd WqVhT1WgfofWt+kn3lfjuzip1+cm0ufOYFVOZYK7N+ecHglUOFPRFNXMe1pTFDU7rdfn CBP+Hzc2AZRrWcOV4Z7oGTKZwsdE1r1lRkLWclvx4zIMvGh1i4uv9awgpphFiDejDHHX IU1AZGcOmxHuxRtwAQeyO4a7/IyPHass6QT+g0TvPvkP6tvJBh9iReODyR6/gXmygn1S Lrhg== 
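Review bot: the cipher/ecc-eddsa.c hunk changes only the allocation of r, `- r = mpi_new (0);` to `+ r = mpi_snew (0);`, so the fix is effective only if the MPI/EC code in the libgcrypt version this morty recipe builds really switches to constant-time point operations when an operand carries the secure-memory flag, as the commit message asserts; please confirm that dispatch exists in that tree, because a backport of the allocation change alone would otherwise be a no-op for timing. Note that a is already allocated with mpi_snew in the same context while x and y stay in normal memory, exactly as upstream left them, which matches the message's claim that only the session key needs to be secure. The patch header carries CVE: CVE-2017-9526 and Upstream-Status: Backport, and the libgcrypt.inc hunk appends the file to SRC_URI, so the recipe metadata side is complete.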
From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Tue, 18 Jul 2017 23:07:35 +0100 Message-Id: <20170718220735.6547-2-ross.burton@intel.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20170718220735.6547-1-ross.burton@intel.com> References: <20170718220735.6547-1-ross.burton@intel.com> Subject: [OE-core] [PATCH][morty 2/2] libgcrypt: fix CVE-2017-7526 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Fixes CVE-2017-7526, 'flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster"'. Signed-off-by: Ross Burton --- .../libgcrypt/files/CVE-2017-7526.patch | 455 +++++++++++++++++++++ meta/recipes-support/libgcrypt/libgcrypt.inc | 1 + 2 files changed, 456 insertions(+) create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch new file mode 100644 index 00000000000..7180e7af2c3 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2017-7526.patch 
@@ -0,0 +1,455 @@ +Flush+reload side-channel attack on RSA secret keys dubbed "Sliding right +into disaster". + +CVE: CVE-2017-7526 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 56bd068335500207dea2cece9cc662bcd9658951 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Tue, 4 Apr 2017 17:38:05 +0900 +Subject: [PATCH 1/5] mpi: Simplify mpi_powm. + +* mpi/mpi-pow.c (_gcry_mpi_powm): Simplify the loop. + +-- + +This fix is not a solution for the problem reported (yet). The +problem is that the current algorithm of _gcry_mpi_powm depends on +exponent and some information leaks is possible. + +Reported-by: Andreas Zankl +Signed-off-by: NIIBE Yutaka + +(backport from master commit: +719468e53133d3bdf12156c5bfdea2bf15f9f6f1) + +Signed-off-by: Ross Burton +--- + mpi/mpi-pow.c | 105 +++++++++++++++++----------------------------------------- + 1 file changed, 30 insertions(+), 75 deletions(-) + +diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c +index a780ebd1..7b3dc318 100644 +--- a/mpi/mpi-pow.c ++++ b/mpi/mpi-pow.c +@@ -609,12 +609,8 @@ _gcry_mpi_powm (gcry_mpi_t res, + if (e == 0) + { + j += c; +- i--; +- if ( i < 0 ) +- { +- c = 0; +- break; +- } ++ if ( --i < 0 ) ++ break; + + e = ep[i]; + c = BITS_PER_MPI_LIMB; +@@ -629,38 +625,33 @@ _gcry_mpi_powm (gcry_mpi_t res, + c -= c0; + j += c0; + ++ e0 = (e >> (BITS_PER_MPI_LIMB - W)); + if (c >= W) +- { +- e0 = (e >> (BITS_PER_MPI_LIMB - W)); +- e = (e << W); +- c -= W; +- } ++ c0 = 0; + else + { +- i--; +- if ( i < 0 ) ++ if ( --i < 0 ) + { +- e = (e >> (BITS_PER_MPI_LIMB - c)); +- break; ++ e0 = (e >> (BITS_PER_MPI_LIMB - c)); ++ j += c - W; ++ goto last_step; ++ } ++ else ++ { ++ c0 = c; ++ e = ep[i]; ++ c = BITS_PER_MPI_LIMB; ++ e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0))); + } +- +- c0 = c; +- e0 = (e >> (BITS_PER_MPI_LIMB - W)) +- | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0)); +- e = (ep[i] << (W - c0)); +- c = BITS_PER_MPI_LIMB - W + c0; + } + ++ e = e << (W - c0); ++ c -= (W - c0); ++ ++ last_step: + 
count_trailing_zeros (c0, e0); + e0 = (e0 >> c0) >> 1; + +- for (j += W - c0; j; j--) +- { +- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- } +- + /* + * base_u <= precomp[e0] + * base_u_size <= precomp_size[e0] +@@ -677,25 +668,23 @@ _gcry_mpi_powm (gcry_mpi_t res, + u.d = precomp[k]; + + mpi_set_cond (&w, &u, k == e0); +- base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); ++ base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); + } + +- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, +- mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; ++ for (j += W - c0; j >= 0; j--) ++ { ++ mul_mod (xp, &xsize, rp, rsize, ++ j == 0 ? base_u : rp, j == 0 ? base_u_size : rsize, ++ mp, msize, &karactx); ++ tp = rp; rp = xp; xp = tp; ++ rsize = xsize; ++ } + + j = c0; ++ if ( i < 0 ) ++ break; + } + +- if (c != 0) +- { +- j += c; +- count_trailing_zeros (c, e); +- e = (e >> c); +- j -= c; +- } +- + while (j--) + { + mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +@@ -703,40 +692,6 @@ _gcry_mpi_powm (gcry_mpi_t res, + rsize = xsize; + } + +- if (e != 0) +- { +- /* +- * base_u <= precomp[(e>>1)] +- * base_u_size <= precomp_size[(e>>1)] +- */ +- base_u_size = 0; +- for (k = 0; k < (1<< (W - 1)); k++) +- { +- struct gcry_mpi w, u; +- w.alloced = w.nlimbs = precomp_size[k]; +- u.alloced = u.nlimbs = precomp_size[k]; +- w.sign = u.sign = 0; +- w.flags = u.flags = 0; +- w.d = base_u; +- u.d = precomp[k]; +- +- mpi_set_cond (&w, &u, k == (e>>1)); +- base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) ); +- } +- +- mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, +- mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- +- for (; c; c--) +- { +- mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); +- tp = rp; rp = xp; xp = tp; +- rsize = xsize; +- } +- } +- + /* We shifted MOD, the modulo reduction 
argument, left + MOD_SHIFT_CNT steps. Adjust the result by reducing it with the + original MOD. +-- +2.11.0 + + +From 6e237c8c48d257dc315e364791d284c6bf3fa703 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Sat, 24 Jun 2017 20:46:20 +0900 +Subject: [PATCH 2/5] Same computation for square and multiply. + +* mpi/mpi-pow.c (_gcry_mpi_powm): Compare msize for max_u_size. Move +the assignment to base_u into the loop. Copy content refered by RP to +BASE_U except the last of the loop. + +-- + +Signed-off-by: NIIBE Yutaka +(backport from master commit: +78130828e9a140a9de4dafadbc844dbb64cb709a) + +Signed-off-by: Ross Burton +--- + mpi/mpi-pow.c | 50 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 21 deletions(-) + +diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c +index 7b3dc318..3cba6903 100644 +--- a/mpi/mpi-pow.c ++++ b/mpi/mpi-pow.c +@@ -573,6 +573,8 @@ _gcry_mpi_powm (gcry_mpi_t res, + MPN_COPY (precomp[i], rp, rsize); + } + ++ if (msize > max_u_size) ++ max_u_size = msize; + base_u = mpi_alloc_limb_space (max_u_size, esec); + MPN_ZERO (base_u, max_u_size); + +@@ -619,6 +621,10 @@ _gcry_mpi_powm (gcry_mpi_t res, + { + int c0; + mpi_limb_t e0; ++ struct gcry_mpi w, u; ++ w.sign = u.sign = 0; ++ w.flags = u.flags = 0; ++ w.d = base_u; + + count_leading_zeros (c0, e); + e = (e << c0); +@@ -652,29 +658,31 @@ _gcry_mpi_powm (gcry_mpi_t res, + count_trailing_zeros (c0, e0); + e0 = (e0 >> c0) >> 1; + +- /* +- * base_u <= precomp[e0] +- * base_u_size <= precomp_size[e0] +- */ +- base_u_size = 0; +- for (k = 0; k < (1<< (W - 1)); k++) +- { +- struct gcry_mpi w, u; +- w.alloced = w.nlimbs = precomp_size[k]; +- u.alloced = u.nlimbs = precomp_size[k]; +- w.sign = u.sign = 0; +- w.flags = u.flags = 0; +- w.d = base_u; +- u.d = precomp[k]; +- +- mpi_set_cond (&w, &u, k == e0); +- base_u_size |= ( precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); +- } +- + for (j += W - c0; j >= 0; j--) + { +- mul_mod (xp, &xsize, rp, rsize, +- j == 0 ? 
base_u : rp, j == 0 ? base_u_size : rsize, ++ ++ /* ++ * base_u <= precomp[e0] ++ * base_u_size <= precomp_size[e0] ++ */ ++ base_u_size = 0; ++ for (k = 0; k < (1<< (W - 1)); k++) ++ { ++ w.alloced = w.nlimbs = precomp_size[k]; ++ u.alloced = u.nlimbs = precomp_size[k]; ++ u.d = precomp[k]; ++ ++ mpi_set_cond (&w, &u, k == e0); ++ base_u_size |= ( precomp_size[k] & (0UL - (k == e0)) ); ++ } ++ ++ w.alloced = w.nlimbs = rsize; ++ u.alloced = u.nlimbs = rsize; ++ u.d = rp; ++ mpi_set_cond (&w, &u, j != 0); ++ base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0))); ++ ++ mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, + mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; +-- +2.11.0 + + +From bf059348dafc1b8d29e07b9426d870ead853db84 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Thu, 29 Jun 2017 11:48:44 +0900 +Subject: [PATCH 3/5] rsa: Add exponent blinding. + +* cipher/rsa.c (secret): Blind secret D with randomized nonce R for +mpi_powm computation. + +-- + +Co-authored-by: Werner Koch +Signed-off-by: NIIBE Yutaka + +The paper describing attack: https://eprint.iacr.org/2017/627 + +Sliding right into disaster: Left-to-right sliding windows leak +by Daniel J. Bernstein and Joachim Breitner and Daniel Genkin and +Leon Groot Bruinderink and Nadia Heninger and Tanja Lange and +Christine van Vredendaal and Yuval Yarom + + It is well known that constant-time implementations of modular + exponentiation cannot use sliding windows. However, software + libraries such as Libgcrypt, used by GnuPG, continue to use sliding + windows. It is widely believed that, even if the complete pattern of + squarings and multiplications is observed through a side-channel + attack, the number of exponent bits leaked is not sufficient to + carry out a full key-recovery attack against RSA. Specifically, + 4-bit sliding windows leak only 40% of the bits, and 5-bit sliding + windows leak only 33% of the bits. 
+ + In this paper we demonstrate a complete break of RSA-1024 as + implemented in Libgcrypt. Our attack makes essential use of the fact + that Libgcrypt uses the left-to-right method for computing the + sliding-window expansion. We show for the first time that the + direction of the encoding matters: the pattern of squarings and + multiplications in left-to-right sliding windows leaks significantly + more information about exponent bits than for right-to-left. We show + how to incorporate this additional information into the + Heninger-Shacham algorithm for partial key reconstruction, and use + it to obtain very efficient full key recovery for RSA-1024. We also + provide strong evidence that the same attack works for RSA-2048 with + only moderately more computation. + +Exponent blinding is a kind of workaround to add noise. Signal (leak) +is still there for non-constant-time implementation. + +(backported from master commit: +8725c99ffa41778f382ca97233183bcd687bb0ce) + +Signed-off-by: Ross Burton +--- + cipher/rsa.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/cipher/rsa.c b/cipher/rsa.c +index b6c73741..25e29b5c 100644 +--- a/cipher/rsa.c ++++ b/cipher/rsa.c +@@ -1021,15 +1021,33 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) + gcry_mpi_t m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); + gcry_mpi_t m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); + gcry_mpi_t h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 ); +- +- /* m1 = c ^ (d mod (p-1)) mod p */ ++ gcry_mpi_t D_blind = mpi_alloc_secure ( mpi_get_nlimbs(skey->n) + 1 ); ++ gcry_mpi_t r; ++ unsigned int r_nbits; ++ ++ r_nbits = mpi_get_nbits (skey->p) / 4; ++ if (r_nbits < 96) ++ r_nbits = 96; ++ r = mpi_alloc_secure ((r_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB); ++ ++ /* d_blind = (d mod (p-1)) + (p-1) * r */ ++ /* m1 = c ^ d_blind mod p */ ++ _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM); ++ mpi_set_highbit (r, 
r_nbits - 1); + mpi_sub_ui( h, skey->p, 1 ); +- mpi_fdiv_r( h, skey->d, h ); +- mpi_powm( m1, input, h, skey->p ); +- /* m2 = c ^ (d mod (q-1)) mod q */ ++ mpi_mul ( D_blind, h, r ); ++ mpi_fdiv_r ( h, skey->d, h ); ++ mpi_add ( D_blind, D_blind, h ); ++ mpi_powm( m1, input, D_blind, skey->p ); ++ /* d_blind = (d mod (q-1)) + (q-1) * r */ ++ /* m2 = c ^ d_blind mod q */ ++ _gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM); ++ mpi_set_highbit (r, r_nbits - 1); + mpi_sub_ui( h, skey->q, 1 ); +- mpi_fdiv_r( h, skey->d, h ); +- mpi_powm( m2, input, h, skey->q ); ++ mpi_mul ( D_blind, h, r ); ++ mpi_fdiv_r ( h, skey->d, h ); ++ mpi_add ( D_blind, D_blind, h ); ++ mpi_powm( m2, input, D_blind, skey->q ); + /* h = u * ( m2 - m1 ) mod q */ + mpi_sub( h, m2, m1 ); + if ( mpi_has_sign ( h ) ) +-- +2.11.0 + + +From 09b9df2675a24e679b7944352ad6385e9e68474f Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Thu, 29 Jun 2017 12:36:27 +0900 +Subject: [PATCH 4/5] rsa: Fix exponent blinding. + +* cipher/rsa.c (secret): Free D_BLIND. + +-- + +Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c +Signed-off-by: NIIBE Yutaka +Signed-off-by: Ross Burton +--- + cipher/rsa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cipher/rsa.c b/cipher/rsa.c +index 25e29b5c..33f92ebd 100644 +--- a/cipher/rsa.c ++++ b/cipher/rsa.c +@@ -1057,6 +1057,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) + mpi_mul ( h, h, skey->p ); + mpi_add ( output, m1, h ); + ++ mpi_free ( D_blind ); + mpi_free ( h ); + mpi_free ( m1 ); + mpi_free ( m2 ); +-- +2.11.0 + + +From 1323fdcf6f2f9fd1da8c5adf396650f15a2a1260 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Thu, 29 Jun 2017 12:40:19 +0900 +Subject: [PATCH 5/5] rsa: More fix. + +* cipher/rsa.c (secret): Free R. 
+ +-- + +Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c +Signed-off-by: NIIBE Yutaka +Signed-off-by: Ross Burton +--- + cipher/rsa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cipher/rsa.c b/cipher/rsa.c +index 33f92ebd..8d8d157b 100644 +--- a/cipher/rsa.c ++++ b/cipher/rsa.c +@@ -1057,6 +1057,7 @@ secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) + mpi_mul ( h, h, skey->p ); + mpi_add ( output, m1, h ); + ++ mpi_free ( r ); + mpi_free ( D_blind ); + mpi_free ( h ); + mpi_free ( m1 ); +-- +2.11.0 + diff --git a/meta/recipes-support/libgcrypt/libgcrypt.inc b/meta/recipes-support/libgcrypt/libgcrypt.inc index 7c4c0e83b53..00870e3d277 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt.inc +++ b/meta/recipes-support/libgcrypt/libgcrypt.inc @@ -21,6 +21,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.gz \ file://fix-ICE-failure-on-mips-with-option-O-and-g.patch \ file://fix-undefined-reference-to-pthread.patch \ file://0001-ecc-Store-EdDSA-session-key-in-secure-memory.patch \ + file://CVE-2017-7526.patch \ " BINCONFIG = "${bindir}/libgcrypt-config"
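Review bot: in the mpi/mpi-pow.c hunks of PATCH 1/5 the new combined loop `for (j += W - c0; j >= 0; j--)` still picks its operand with `j == 0 ? base_u : rp`, so the square/multiply sequence remains a function of the exponent window, which the commit message itself concedes ("This fix is not a solution for the problem reported (yet)"); the backport is therefore only meaningful together with PATCH 2/5, which the single CVE-2017-7526.patch file guarantees today but which should be kept in mind if the file is ever split. On the `goto last_step` path, `e0` is built from the remaining `c` bits and `j += c - W` is applied before jumping over the `e = e << (W - c0)` update; that is correct only because `i < 0` then ends the outer loop through the new `if ( i < 0 ) break;` after the multiply, and a one-line comment at the label saying so would save the next reader some time.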
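Review bot: PATCH 2/5 moves the precomp[k] selection loop inside the per-window `for (j += W - c0; j >= 0; j--)` loop and then copies rp over base_u with `mpi_set_cond (&w, &u, j != 0)`, so every iteration issues the identical `mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, mp, msize, &karactx)` call whether it is a squaring or a table multiply; the first hunk's `if (msize > max_u_size) max_u_size = msize;` is what makes base_u large enough to receive rp, so the two hunks must stay together. Two smaller points: the table scan now runs once per squaring instead of once per window, a cost for large W that the commit message does not mention, and the mask constant changes from `(mpi_size_t)0 - (k == e0)` in PATCH 1/5 to `0UL - (k == e0)` here, which works but leaves the same file with two spellings of the same idiom.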
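Review bot: in the cipher/rsa.c hunk of PATCH 3/5 the blinding nonce is drawn with `_gcry_mpi_randomize (r, r_nbits, GCRY_WEAK_RANDOM)` and its top bit forced by `mpi_set_highbit (r, r_nbits - 1)`, giving `D_blind = (d mod (p-1)) + (p-1) * r` with at least 96 random bits; that is a sound application of c^(p-1) = 1 (mod p), but the nonce quality is whatever GCRY_WEAK_RANDOM provides and the commit message is explicit that blinding only adds noise while the leak remains for a non-constant-time powm, so this series should not be described as a complete fix in the recipe or changelog. The D_blind and r allocations introduced here are freed only by PATCH 4/5 and PATCH 5/5; squashing all three into one CVE-2017-7526.patch makes that fine, but both follow-ups cite `Fixes-commit: a9f612def801c8145d551d995475e5d51a4c988c` while PATCH 3/5 records its master commit as 8725c99ffa41778f382ca97233183bcd687bb0ce, which is worth reconciling in the backport header.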
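Exponent blinding as described in PATCH 3/5, and the sliding-window schedule that PATCH 1/5 and 2/5 rework, as an added Python example that is not libgcrypt's or the patch series' code: it builds D_blind the way the rsa.c hunk does, checks that CRT decryption with blinded exponents returns the same plaintext as with plain ones on a constructed toy key, and prints the left-to-right square/multiply schedule of the blinded versus the unblinded exponent. The toy key values, the 5-bit window width and the simplified schedule model are assumptions.

```python
"""Added example, not libgcrypt code: RSA-CRT exponent blinding as in the
cipher/rsa.c hunk (PATCH 3/5), plus a left-to-right sliding-window schedule
showing why a blinded exponent changes what a flush+reload probe observes."""
import secrets

W = 5  # window width; assumption, matching the 5-bit windows in the abstract


def blind_exponent(d: int, p: int, r_nbits: int = 0) -> int:
    """D_blind = (d mod (p-1)) + (p-1) * r, with r_nbits = max(nbits(p)/4, 96)
    and the top bit of r forced to 1, mirroring mpi_set_highbit (r, r_nbits - 1).
    Since c^(p-1) = 1 (mod p) for gcd(c, p) = 1, c^D_blind = c^(d mod (p-1)) (mod p)."""
    if r_nbits == 0:
        r_nbits = max(p.bit_length() // 4, 96)
    r = secrets.randbits(r_nbits) | (1 << (r_nbits - 1))
    return (d % (p - 1)) + (p - 1) * r


def crt_decrypt(c: int, d: int, p: int, q: int, u: int, blind: bool) -> int:
    """RSA-CRT as in secret(): m1 = c^dp mod p, m2 = c^dq mod q,
    h = u * (m2 - m1) mod q, m = m1 + h * p, where u = p^-1 mod q."""
    dp = blind_exponent(d, p) if blind else d % (p - 1)
    dq = blind_exponent(d, q) if blind else d % (q - 1)
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (u * (m2 - m1)) % q
    return m1 + h * p


def sliding_window_trace(e: int, w: int = W) -> str:
    """Simplified left-to-right sliding-window schedule: one 'S' per squaring,
    one 'M' per multiply by a precomputed odd power. A cache-timing probe on
    the squaring and multiplication routines sees this string, so an
    exponent-dependent string is the leak the patches are about."""
    bits = bin(e)[2:]
    n, i, trace = len(bits), 0, []
    while i < n:
        if bits[i] == "0":        # zero bit: a lone squaring
            trace.append("S")
            i += 1
            continue
        j = min(i + w, n) - 1     # widest window of <= w bits that ends in a 1
        while bits[j] == "0":
            j -= 1
        trace.append("S" * (j - i + 1) + "M")
        i = j + 1
    return "".join(trace)


# Constructed toy key (far too small for real use): n = 3233, e = 17, d = 2753.
P, Q, D = 61, 53, 2753
U = pow(P, -1, Q)                 # CRT coefficient u = p^-1 mod q
CIPHERTEXT = pow(65, 17, P * Q)   # the message 65 under the toy public key

if __name__ == "__main__":
    plain = crt_decrypt(CIPHERTEXT, D, P, Q, U, blind=False)
    blinded = crt_decrypt(CIPHERTEXT, D, P, Q, U, blind=True)
    print("plain CRT:", plain, " blinded CRT:", blinded)
    print("schedule for d mod (p-1):", sliding_window_trace(D % (P - 1)))
    for run in range(2):          # each run draws a fresh r, so the schedule changes
        print(f"schedule for D_blind, run {run}:",
              sliding_window_trace(blind_exponent(D, P)))
```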