libgcrypt: Security fix CVE-2015-7511

CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass curves

affects libgcrypt < 1.6.5

adjust SRC_URI + for this version.

Patch 1 is a dependancy patch. simple macro name change.
Patch 2 is the cve fix.

(From OE-Core master rev: c691ce99bd2d249d6fdc4ad58300719488fea12c)

(From OE-Core rev: 88ba5ea3f3a421ac91d670e450f4b0645a53d733)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch

@@ -0,0 +1,245 @@
+From 2ef48ba59c32bfa1a9265d5eea8ab225a658903a Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 9 Jan 2014 19:14:09 +0100
+Subject: [PATCH] ecc: Make a macro shorter.
+
+* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS.  CHnage
+all users.
+* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
+comment.
+* mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards.
+(add_points_twistededwards): Rename to add_points_edwards.
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+
+Upstream-Status: Backport
+2ef48ba59c32bfa1a9265d5eea8ab225a658903a
+
+CVE: CVE-2015-7511 depend patch
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ cipher/ecc-curves.c | 22 +++++++++++++++++++---
+ cipher/ecc-misc.c   |  4 ++--
+ cipher/ecc.c        |  8 ++++----
+ mpi/ec.c            | 22 +++++++++++-----------
+ src/mpi.h           | 11 ++++++++---
+ 5 files changed, 44 insertions(+), 23 deletions(-)
+
+Index: libgcrypt-1.6.3/cipher/ecc-curves.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc-curves.c
++++ libgcrypt-1.6.3/cipher/ecc-curves.c
+@@ -105,7 +105,7 @@ static const ecc_domain_parms_t domain_p
+     {
+       /* (-x^2 + y^2 = 1 + dx^2y^2) */
+       "Ed25519", 256, 0,
+-      MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519,
++      MPI_EC_EDWARDS, ECC_DIALECT_ED25519,
+       "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
+       "-0x01",
+       "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
+@@ -113,6 +113,22 @@ static const ecc_domain_parms_t domain_p
+       "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
+       "0x6666666666666666666666666666666666666666666666666666666666666658"
+     },
++#if 0 /* No real specs yet found.  */
++    {
++      /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */
++      "Curve3617",
++      "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF",
++      MPI_EC_EDWARDS, 0,
++      "0x01",
++      "0x0e21",
++      "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF"
++      "706022B36F1C0338AD63CF181B0E71A5E106AF79",
++      "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D"
++      "6D6BA111301A73FAA8537C64C4FD3812F3CBC595",
++      "0x22"
++    },
++#endif /*0*/
+     {
+       "NIST P-192", 192, 1,
+       MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+@@ -404,7 +420,7 @@ _gcry_ecc_fill_in_curve (unsigned int nb
+   switch (domain_parms[idx].model)
+     {
+     case MPI_EC_WEIERSTRASS:
+-    case MPI_EC_TWISTEDEDWARDS:
++    case MPI_EC_EDWARDS:
+       break;
+     case MPI_EC_MONTGOMERY:
+       return GPG_ERR_NOT_SUPPORTED;
+@@ -1039,7 +1055,7 @@ _gcry_ecc_get_mpi (const char *name, mpi
+       if (name[1] != '@')
+         return _gcry_mpi_ec_ec2os (ec->Q, ec);
+ 
+-      if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS)
++      if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS)
+         {
+           unsigned char *encpk;
+           unsigned int encpklen;
+Index: libgcrypt-1.6.3/cipher/ecc-misc.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc-misc.c
++++ libgcrypt-1.6.3/cipher/ecc-misc.c
+@@ -79,7 +79,7 @@ _gcry_ecc_model2str (enum gcry_mpi_ec_mo
+     {
+     case MPI_EC_WEIERSTRASS:    str = "Weierstrass"; break;
+     case MPI_EC_MONTGOMERY:     str = "Montgomery";  break;
+-    case MPI_EC_TWISTEDEDWARDS: str = "Twisted Edwards"; break;
++    case MPI_EC_EDWARDS:        str = "Edwards"; break;
+     }
+   return str;
+ }
+@@ -252,7 +252,7 @@ _gcry_ecc_compute_public (mpi_point_t Q,
+ 
+   if (!d || !G || !ec->p || !ec->a)
+     return NULL;
+-  if (ec->model == MPI_EC_TWISTEDEDWARDS && !ec->b)
++  if (ec->model == MPI_EC_EDWARDS && !ec->b)
+     return NULL;
+ 
+   if (ec->dialect == ECC_DIALECT_ED25519
+Index: libgcrypt-1.6.3/cipher/ecc.c
+===================================================================
+--- libgcrypt-1.6.3.orig/cipher/ecc.c
++++ libgcrypt-1.6.3/cipher/ecc.c
+@@ -642,7 +642,7 @@ ecc_check_secret_key (gcry_sexp_t keypar
+   if (!curvename)
+     {
+       sk.E.model = ((flags & PUBKEY_FLAG_EDDSA)
+-               ? MPI_EC_TWISTEDEDWARDS
++               ? MPI_EC_EDWARDS
+                : MPI_EC_WEIERSTRASS);
+       sk.E.dialect = ((flags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -774,7 +774,7 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_
+   if (!curvename)
+     {
+       sk.E.model = ((ctx.flags & PUBKEY_FLAG_EDDSA)
+-                    ? MPI_EC_TWISTEDEDWARDS
++                    ? MPI_EC_EDWARDS
+                     : MPI_EC_WEIERSTRASS);
+       sk.E.dialect = ((ctx.flags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -938,7 +938,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp
+   if (!curvename)
+     {
+       pk.E.model = ((sigflags & PUBKEY_FLAG_EDDSA)
+-                    ? MPI_EC_TWISTEDEDWARDS
++                    ? MPI_EC_EDWARDS
+                     : MPI_EC_WEIERSTRASS);
+       pk.E.dialect = ((sigflags & PUBKEY_FLAG_EDDSA)
+                       ? ECC_DIALECT_ED25519
+@@ -1528,7 +1528,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_s
+   if (!curvename)
+     {
+       model = ((flags & PUBKEY_FLAG_EDDSA)
+-               ? MPI_EC_TWISTEDEDWARDS
++               ? MPI_EC_EDWARDS
+                : MPI_EC_WEIERSTRASS);
+       dialect = ((flags & PUBKEY_FLAG_EDDSA)
+                  ? ECC_DIALECT_ED25519
+Index: libgcrypt-1.6.3/mpi/ec.c
+===================================================================
+--- libgcrypt-1.6.3.orig/mpi/ec.c
++++ libgcrypt-1.6.3/mpi/ec.c
+@@ -605,7 +605,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, g
+       }
+       return -1;
+ 
+-    case MPI_EC_TWISTEDEDWARDS:
++    case MPI_EC_EDWARDS:
+       {
+         gcry_mpi_t z;
+ 
+@@ -725,7 +725,7 @@ dup_point_montgomery (mpi_point_t result
+ 
+ /*  RESULT = 2 * POINT  (Twisted Edwards version). */
+ static void
+-dup_point_twistededwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
++dup_point_edwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
+ {
+ #define X1 (point->x)
+ #define Y1 (point->y)
+@@ -811,8 +811,8 @@ _gcry_mpi_ec_dup_point (mpi_point_t resu
+     case MPI_EC_MONTGOMERY:
+       dup_point_montgomery (result, point, ctx);
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
+-      dup_point_twistededwards (result, point, ctx);
++    case MPI_EC_EDWARDS:
++      dup_point_edwards (result, point, ctx);
+       break;
+     }
+ }
+@@ -977,9 +977,9 @@ add_points_montgomery (mpi_point_t resul
+ 
+ /* RESULT = P1 + P2  (Twisted Edwards version).*/
+ static void
+-add_points_twistededwards (mpi_point_t result,
+-                           mpi_point_t p1, mpi_point_t p2,
+-                           mpi_ec_t ctx)
++add_points_edwards (mpi_point_t result,
++                    mpi_point_t p1, mpi_point_t p2,
++                    mpi_ec_t ctx)
+ {
+ #define X1 (p1->x)
+ #define Y1 (p1->y)
+@@ -1087,8 +1087,8 @@ _gcry_mpi_ec_add_points (mpi_point_t res
+     case MPI_EC_MONTGOMERY:
+       add_points_montgomery (result, p1, p2, ctx);
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
+-      add_points_twistededwards (result, p1, p2, ctx);
++    case MPI_EC_EDWARDS:
++      add_points_edwards (result, p1, p2, ctx);
+       break;
+     }
+ }
+@@ -1106,7 +1106,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
+   unsigned int i, loops;
+   mpi_point_struct p1, p2, p1inv;
+ 
+-  if (ctx->model == MPI_EC_TWISTEDEDWARDS)
++  if (ctx->model == MPI_EC_EDWARDS)
+     {
+       /* Simple left to right binary method.  GECC Algorithm 3.27 */
+       unsigned int nbits;
+@@ -1269,7 +1269,7 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point
+       log_fatal ("%s: %s not yet supported\n",
+                  "_gcry_mpi_ec_curve_point", "Montgomery");
+       break;
+-    case MPI_EC_TWISTEDEDWARDS:
++    case MPI_EC_EDWARDS:
+       {
+         /* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */
+         ec_pow2 (x, x, ctx);
+Index: libgcrypt-1.6.3/src/mpi.h
+===================================================================
+--- libgcrypt-1.6.3.orig/src/mpi.h
++++ libgcrypt-1.6.3/src/mpi.h
+@@ -245,13 +245,18 @@ void _gcry_mpi_snatch_point (gcry_mpi_t
+ /* Models describing an elliptic curve.  */
+ enum gcry_mpi_ec_models
+   {
+-
++    /* The Short Weierstrass equation is
++          y^2 = x^3 + ax + b
++     */
+     MPI_EC_WEIERSTRASS = 0,
++    /* The Montgomery equation is
++          by^2 = x^3 + ax^2 + x
++     */
+     MPI_EC_MONTGOMERY,
+-    MPI_EC_TWISTEDEDWARDS
+-    /* The equation for Twisted Edwards curves is
++    /* The Twisted Edwards equation is
+           ax^2 + y^2 = 1 + bx^2y^2
+        Note that we use 'b' instead of the commonly used 'd'.  */
++    MPI_EC_EDWARDS
+   };
+ 
+ /* Dialects used with elliptic curves.  It is easier to keep the

meta/recipes-support/libgcrypt/files/CVE-2015-7511_2.patch

@@ -0,0 +1,55 @@
+From 88e1358962e902ff1cbec8d53ba3eee46407851a Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 25 Nov 2015 12:46:19 +0900
+Subject: [PATCH] ecc: Constant-time multiplication for Weierstrass curve.
+
+* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
+method for Weierstrass curve when SCALAR is secure.
+
+Upstream-Status: Backport
+
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a
+
+CVE: CVE-2015-7511 fix
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ mpi/ec.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+Index: libgcrypt-1.6.3/mpi/ec.c
+===================================================================
+--- libgcrypt-1.6.3.orig/mpi/ec.c
++++ libgcrypt-1.6.3/mpi/ec.c
+@@ -1106,16 +1106,27 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
+   unsigned int i, loops;
+   mpi_point_struct p1, p2, p1inv;
+ 
+-  if (ctx->model == MPI_EC_EDWARDS)
++  if (ctx->model == MPI_EC_EDWARDS
++      || (ctx->model == MPI_EC_WEIERSTRASS
++          && mpi_is_secure (scalar)))
+     {
+       /* Simple left to right binary method.  GECC Algorithm 3.27 */
+       unsigned int nbits;
+       int j;
+ 
+       nbits = mpi_get_nbits (scalar);
+-      mpi_set_ui (result->x, 0);
+-      mpi_set_ui (result->y, 1);
+-      mpi_set_ui (result->z, 1);
++      if (ctx->model == MPI_EC_WEIERSTRASS)
++        {
++          mpi_set_ui (result->x, 1);
++          mpi_set_ui (result->y, 1);
++          mpi_set_ui (result->z, 0);
++        }
++      else
++        {
++          mpi_set_ui (result->x, 0);
++          mpi_set_ui (result->y, 1);
++          mpi_set_ui (result->z, 1);
++        }
+ 
+       if (mpi_is_secure (scalar))
+         {

meta/recipes-support/libgcrypt/libgcrypt_1.6.2.bb

@@ -1,4 +1,9 @@
 require libgcrypt.inc
 
+SRC_URI += "\
+        file://CVE-2015-7511_1.patch \
+        file://CVE-2015-7511_2.patch \
+        "
+
 SRC_URI[md5sum] = "d19adc062edff0ebc7e887212733ef1f"
 SRC_URI[sha256sum] = "936921644b9c81e2395e18a554a9a5f9252aae3976f8afc3e4229ee9d785e627"