path: root/meta/recipes-support/libgcrypt/files/CVE-2015-7511_1.patch
From 2ef48ba59c32bfa1a9265d5eea8ab225a658903a Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 9 Jan 2014 19:14:09 +0100
Subject: [PATCH] ecc: Make a macro shorter.

* src/mpi.h (MPI_EC_TWISTEDEDWARDS): Rename to MPI_EC_EDWARDS.  Change
all users.
* cipher/ecc-curves.c (domain_parms): Add parameters for Curve3617 as
comment.
* mpi/ec.c (dup_point_twistededwards): Rename to dup_point_edwards.
(add_points_twistededwards): Rename to add_points_edwards.

Signed-off-by: Werner Koch <wk@gnupg.org>

Upstream-Status: Backport
2ef48ba59c32bfa1a9265d5eea8ab225a658903a

CVE: CVE-2015-7511 depend patch
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 cipher/ecc-curves.c | 22 +++++++++++++++++++---
 cipher/ecc-misc.c   |  4 ++--
 cipher/ecc.c        |  8 ++++----
 mpi/ec.c            | 22 +++++++++++-----------
 src/mpi.h           | 11 ++++++++---
 5 files changed, 44 insertions(+), 23 deletions(-)

Index: libgcrypt-1.6.3/cipher/ecc-curves.c
===================================================================
--- libgcrypt-1.6.3.orig/cipher/ecc-curves.c
+++ libgcrypt-1.6.3/cipher/ecc-curves.c
@@ -105,7 +105,7 @@ static const ecc_domain_parms_t domain_p
     {
       /* (-x^2 + y^2 = 1 + dx^2y^2) */
       "Ed25519", 256, 0,
-      MPI_EC_TWISTEDEDWARDS, ECC_DIALECT_ED25519,
+      MPI_EC_EDWARDS, ECC_DIALECT_ED25519,
       "0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED",
       "-0x01",
       "-0x2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A",
@@ -113,6 +113,22 @@ static const ecc_domain_parms_t domain_p
       "0x216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A",
       "0x6666666666666666666666666666666666666666666666666666666666666658"
     },
+#if 0 /* No real specs yet found.  */
+    {
+      /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */
+      "Curve3617",
+      "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF",
+      MPI_EC_EDWARDS, 0,
+      "0x01",
+      "0x0e21",
+      "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF"
+      "706022B36F1C0338AD63CF181B0E71A5E106AF79",
+      "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D"
+      "6D6BA111301A73FAA8537C64C4FD3812F3CBC595",
+      "0x22"
+    },
+#endif /*0*/
     {
       "NIST P-192", 192, 1,
       MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
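Review bot: The disabled "Curve3617" entry does not follow the initializer layout its neighbours use. "Ed25519" and "NIST P-192" give name, bit count, a flag, model, dialect and then the parameter strings, whereas this entry puts the prime string right after the name and has no bit count or flag before `MPI_EC_EDWARDS, 0,`. If the `#if 0` were ever lifted, the entry would most likely fail to compile or mis-initialize the fields; the struct declaration is not visible in this hunk, so that is inferred from the sibling entries. The block's own comment says no real specs were found, so the parameters are unverified as well. I would extend the guard comment to say so, e.g. `#if 0 /* No real specs yet found; field order does not match ecc_domain_parms_t - fix before enabling.  */`.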
@@ -404,7 +420,7 @@ _gcry_ecc_fill_in_curve (unsigned int nb
   switch (domain_parms[idx].model)
     {
     case MPI_EC_WEIERSTRASS:
-    case MPI_EC_TWISTEDEDWARDS:
+    case MPI_EC_EDWARDS:
       break;
     case MPI_EC_MONTGOMERY:
       return GPG_ERR_NOT_SUPPORTED;
@@ -1039,7 +1055,7 @@ _gcry_ecc_get_mpi (const char *name, mpi
       if (name[1] != '@')
         return _gcry_mpi_ec_ec2os (ec->Q, ec);
 
-      if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_TWISTEDEDWARDS)
+      if (!strcmp (name+2, "eddsa") && ec->model == MPI_EC_EDWARDS)
         {
           unsigned char *encpk;
           unsigned int encpklen;
Index: libgcrypt-1.6.3/cipher/ecc-misc.c
===================================================================
--- libgcrypt-1.6.3.orig/cipher/ecc-misc.c
+++ libgcrypt-1.6.3/cipher/ecc-misc.c
@@ -79,7 +79,7 @@ _gcry_ecc_model2str (enum gcry_mpi_ec_mo
     {
     case MPI_EC_WEIERSTRASS:    str = "Weierstrass"; break;
     case MPI_EC_MONTGOMERY:     str = "Montgomery";  break;
-    case MPI_EC_TWISTEDEDWARDS: str = "Twisted Edwards"; break;
+    case MPI_EC_EDWARDS:        str = "Edwards"; break;
     }
   return str;
 }
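Review bot: The renamed case in `_gcry_ecc_model2str` also changes the returned text from "Twisted Edwards" to "Edwards", which is a runtime-visible change in a commit described as only shortening a macro. Whether any caller logs or compares this string is not visible here, but a backport carried as a CVE dependency should keep output stable or record the change in the description. The wording is now inconsistent with the rest of the patch: the comments above `dup_point_edwards` and `add_points_edwards` in mpi/ec.c and the enum comment in src/mpi.h still say "Twisted Edwards". Either keep `str = "Twisted Edwards"` for the renamed case or update those comments to match. The function body starts above this hunk, so the value of `str` for a model outside the three cases depends on an initializer not shown.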
@@ -252,7 +252,7 @@ _gcry_ecc_compute_public (mpi_point_t Q,
 
   if (!d || !G || !ec->p || !ec->a)
     return NULL;
-  if (ec->model == MPI_EC_TWISTEDEDWARDS && !ec->b)
+  if (ec->model == MPI_EC_EDWARDS && !ec->b)
     return NULL;
 
   if (ec->dialect == ECC_DIALECT_ED25519
Index: libgcrypt-1.6.3/cipher/ecc.c
===================================================================
--- libgcrypt-1.6.3.orig/cipher/ecc.c
+++ libgcrypt-1.6.3/cipher/ecc.c
@@ -642,7 +642,7 @@ ecc_check_secret_key (gcry_sexp_t keypar
   if (!curvename)
     {
       sk.E.model = ((flags & PUBKEY_FLAG_EDDSA)
-               ? MPI_EC_TWISTEDEDWARDS
+               ? MPI_EC_EDWARDS
                : MPI_EC_WEIERSTRASS);
       sk.E.dialect = ((flags & PUBKEY_FLAG_EDDSA)
                       ? ECC_DIALECT_ED25519
@@ -774,7 +774,7 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_
   if (!curvename)
     {
       sk.E.model = ((ctx.flags & PUBKEY_FLAG_EDDSA)
-                    ? MPI_EC_TWISTEDEDWARDS
+                    ? MPI_EC_EDWARDS
                     : MPI_EC_WEIERSTRASS);
       sk.E.dialect = ((ctx.flags & PUBKEY_FLAG_EDDSA)
                       ? ECC_DIALECT_ED25519
@@ -938,7 +938,7 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp
   if (!curvename)
     {
       pk.E.model = ((sigflags & PUBKEY_FLAG_EDDSA)
-                    ? MPI_EC_TWISTEDEDWARDS
+                    ? MPI_EC_EDWARDS
                     : MPI_EC_WEIERSTRASS);
       pk.E.dialect = ((sigflags & PUBKEY_FLAG_EDDSA)
                       ? ECC_DIALECT_ED25519
@@ -1528,7 +1528,7 @@ compute_keygrip (gcry_md_hd_t md, gcry_s
   if (!curvename)
     {
       model = ((flags & PUBKEY_FLAG_EDDSA)
-               ? MPI_EC_TWISTEDEDWARDS
+               ? MPI_EC_EDWARDS
                : MPI_EC_WEIERSTRASS);
       dialect = ((flags & PUBKEY_FLAG_EDDSA)
                  ? ECC_DIALECT_ED25519
Index: libgcrypt-1.6.3/mpi/ec.c
===================================================================
--- libgcrypt-1.6.3.orig/mpi/ec.c
+++ libgcrypt-1.6.3/mpi/ec.c
@@ -605,7 +605,7 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, g
       }
       return -1;
 
-    case MPI_EC_TWISTEDEDWARDS:
+    case MPI_EC_EDWARDS:
       {
         gcry_mpi_t z;
 
@@ -725,7 +725,7 @@ dup_point_montgomery (mpi_point_t result
 
 /*  RESULT = 2 * POINT  (Twisted Edwards version). */
 static void
-dup_point_twistededwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
+dup_point_edwards (mpi_point_t result, mpi_point_t point, mpi_ec_t ctx)
 {
 #define X1 (point->x)
 #define Y1 (point->y)
@@ -811,8 +811,8 @@ _gcry_mpi_ec_dup_point (mpi_point_t resu
     case MPI_EC_MONTGOMERY:
       dup_point_montgomery (result, point, ctx);
       break;
-    case MPI_EC_TWISTEDEDWARDS:
-      dup_point_twistededwards (result, point, ctx);
+    case MPI_EC_EDWARDS:
+      dup_point_edwards (result, point, ctx);
       break;
     }
 }
@@ -977,9 +977,9 @@ add_points_montgomery (mpi_point_t resul
 
 /* RESULT = P1 + P2  (Twisted Edwards version).*/
 static void
-add_points_twistededwards (mpi_point_t result,
-                           mpi_point_t p1, mpi_point_t p2,
-                           mpi_ec_t ctx)
+add_points_edwards (mpi_point_t result,
+                    mpi_point_t p1, mpi_point_t p2,
+                    mpi_ec_t ctx)
 {
 #define X1 (p1->x)
 #define Y1 (p1->y)
@@ -1087,8 +1087,8 @@ _gcry_mpi_ec_add_points (mpi_point_t res
     case MPI_EC_MONTGOMERY:
       add_points_montgomery (result, p1, p2, ctx);
       break;
-    case MPI_EC_TWISTEDEDWARDS:
-      add_points_twistededwards (result, p1, p2, ctx);
+    case MPI_EC_EDWARDS:
+      add_points_edwards (result, p1, p2, ctx);
       break;
     }
 }
@@ -1106,7 +1106,7 @@ _gcry_mpi_ec_mul_point (mpi_point_t resu
   unsigned int i, loops;
   mpi_point_struct p1, p2, p1inv;
 
-  if (ctx->model == MPI_EC_TWISTEDEDWARDS)
+  if (ctx->model == MPI_EC_EDWARDS)
     {
       /* Simple left to right binary method.  GECC Algorithm 3.27 */
       unsigned int nbits;
@@ -1269,7 +1269,7 @@ _gcry_mpi_ec_curve_point (gcry_mpi_point
       log_fatal ("%s: %s not yet supported\n",
                  "_gcry_mpi_ec_curve_point", "Montgomery");
       break;
-    case MPI_EC_TWISTEDEDWARDS:
+    case MPI_EC_EDWARDS:
       {
         /* a · x^2 + y^2 - 1 - b · x^2 · y^2 == 0 */
         ec_pow2 (x, x, ctx);
Index: libgcrypt-1.6.3/src/mpi.h
===================================================================
--- libgcrypt-1.6.3.orig/src/mpi.h
+++ libgcrypt-1.6.3/src/mpi.h
@@ -245,13 +245,18 @@ void _gcry_mpi_snatch_point (gcry_mpi_t
 /* Models describing an elliptic curve.  */
 enum gcry_mpi_ec_models
   {
-
+    /* The Short Weierstrass equation is
+          y^2 = x^3 + ax + b
+     */
     MPI_EC_WEIERSTRASS = 0,
+    /* The Montgomery equation is
+          by^2 = x^3 + ax^2 + x
+     */
     MPI_EC_MONTGOMERY,
-    MPI_EC_TWISTEDEDWARDS
-    /* The equation for Twisted Edwards curves is
+    /* The Twisted Edwards equation is
           ax^2 + y^2 = 1 + bx^2y^2
        Note that we use 'b' instead of the commonly used 'd'.  */
+    MPI_EC_EDWARDS
   };
 
 /* Dialects used with elliptic curves.  It is easier to keep the