From: "Kristian Fiskerstrand" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Kristian Fiskerstrand" Message-ID: <1455145390.5715a323e4f467888f71be6ddc6bbbc8873fd914.k_f@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/libgcrypt/, dev-libs/libgcrypt/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: dev-libs/libgcrypt/files/libgcrypt-1.5.4-CVE-2015-7511.patch dev-libs/libgcrypt/libgcrypt-1.5.4-r101.ebuild dev-libs/libgcrypt/libgcrypt-1.5.4-r2.ebuild X-VCS-Directories: dev-libs/libgcrypt/files/ dev-libs/libgcrypt/ X-VCS-Committer: k_f X-VCS-Committer-Name: Kristian Fiskerstrand X-VCS-Revision: 5715a323e4f467888f71be6ddc6bbbc8873fd914 X-VCS-Branch: master Date: Wed, 10 Feb 2016 22:57:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c6839f06-4509-445e-9395-2f09b8e66a5d X-Archives-Hash: 62dbfe7a18c53717fed81df2053141ba commit: 5715a323e4f467888f71be6ddc6bbbc8873fd914 Author: Kristian Fiskerstrand gentoo org> AuthorDate: Wed Feb 10 23:02:11 2016 +0000 Commit: Kristian Fiskerstrand gentoo org> CommitDate: Wed Feb 10 23:03:10 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5715a323 dev-libs/libgcrypt: Add backported 1.5-branch fix for CVE-2015-7511 Package-Manager: portage-2.2.27 .../files/libgcrypt-1.5.4-CVE-2015-7511.patch | 326 +++++++++++++++++++++ dev-libs/libgcrypt/libgcrypt-1.5.4-r101.ebuild | 59 ++++ dev-libs/libgcrypt/libgcrypt-1.5.4-r2.ebuild | 58 ++++ 3 files changed, 443 insertions(+) diff --git a/dev-libs/libgcrypt/files/libgcrypt-1.5.4-CVE-2015-7511.patch b/dev-libs/libgcrypt/files/libgcrypt-1.5.4-CVE-2015-7511.patch new file mode 100644 index 0000000..9ab0b4c --- /dev/null +++ b/dev-libs/libgcrypt/files/libgcrypt-1.5.4-CVE-2015-7511.patch 
@@ -0,0 +1,326 @@ +From fcbb9fcc2e6983ea61bf565b6ee2e29816b8cd57 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Wed, 10 Feb 2016 17:43:03 +0900 +Subject: [PATCH] ecc: Fix for chosen cipher text attacks. + +* src/mpi.h (_gcry_mpi_ec_curve_point): New internal function. +* cipher/ecc.c (ecc_decrypt_raw): Validate input. Remove duplicated +point_free. +* mpi/ec.c (_gcry_mpi_ec_mul_point):Use simple left-to-right binary +method for when SCALAR is secure. +(_gcry_mpi_ec_curve_point): New. + +-- + +CVE-id: CVE-2015-7511 + +Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran +Tromer. http://www.cs.tau.ac.IL/~tromer/ecdh/ + +This could be an effective contermeasure to some chosen cipher text +attacks. + +(backport from master + commit 88e1358962e902ff1cbec8d53ba3eee46407851a) +(backport from LIBGCRYPT-1-6-BRANCH + commit 28eb424e4427b320ec1c9c4ce56af25d495230bd) + +Signed-off-by: NIIBE Yutaka +--- + cipher/ecc.c | 11 ++- + mpi/ec.c | 226 +++++++++++++++++++++++++++++++++++------------------------ + src/mpi.h | 2 +- + 3 files changed, 145 insertions(+), 94 deletions(-) + +diff --git a/cipher/ecc.c b/cipher/ecc.c +index b8487dc..80b67ae 100644 +--- a/cipher/ecc.c ++++ b/cipher/ecc.c +@@ -1535,12 +1535,19 @@ ecc_decrypt_raw (int algo, gcry_mpi_t *result, gcry_mpi_t *data, + + ctx = _gcry_mpi_ec_init (sk.E.p, sk.E.a); + ++ if (!_gcry_mpi_ec_curve_point (&kG, sk.E.b, ctx)) ++ { ++ point_free (&kG); ++ point_free (&sk.E.G); ++ point_free (&sk.Q); ++ _gcry_mpi_ec_free (ctx); ++ return GPG_ERR_INV_DATA; ++ } ++ + /* R = dkG */ + point_init (&R); + _gcry_mpi_ec_mul_point (&R, sk.d, &kG, ctx); + +- point_free (&kG); +- + /* The following is false: assert( mpi_cmp_ui( R.x, 1 )==0 );, so: */ + { + gcry_mpi_t x, y; +diff --git a/mpi/ec.c b/mpi/ec.c +index fa00818..bdb155a 100644 +--- a/mpi/ec.c ++++ b/mpi/ec.c +@@ -612,110 +612,154 @@ _gcry_mpi_ec_mul_point (mpi_point_t *result, + gcry_mpi_t scalar, mpi_point_t *point, + mpi_ec_t ctx) + { +-#if 0 +- /* Simple left to 
right binary method. GECC Algorithm 3.27 */ +- unsigned int nbits; +- int i; +- +- nbits = mpi_get_nbits (scalar); +- mpi_set_ui (result->x, 1); +- mpi_set_ui (result->y, 1); +- mpi_set_ui (result->z, 0); +- +- for (i=nbits-1; i >= 0; i--) ++ if (mpi_is_secure(scalar)) + { +- _gcry_mpi_ec_dup_point (result, result, ctx); +- if (mpi_test_bit (scalar, i) == 1) +- _gcry_mpi_ec_add_points (result, result, point, ctx); +- } +- +-#else +- gcry_mpi_t x1, y1, z1, k, h, yy; +- unsigned int i, loops; +- mpi_point_t p1, p2, p1inv; +- +- x1 = mpi_alloc_like (ctx->p); +- y1 = mpi_alloc_like (ctx->p); +- h = mpi_alloc_like (ctx->p); +- k = mpi_copy (scalar); +- yy = mpi_copy (point->y); ++ /* Simple left to right binary method. GECC Algorithm 3.27 */ ++ unsigned int nbits; ++ int i; ++ mpi_point_t tmppnt; + +- if ( mpi_is_neg (k) ) +- { +- k->sign = 0; +- ec_invm (yy, yy, ctx); +- } ++ nbits = mpi_get_nbits (scalar); ++ mpi_set_ui (result->x, 1); ++ mpi_set_ui (result->y, 1); ++ mpi_set_ui (result->z, 0); + +- if (!mpi_cmp_ui (point->z, 1)) +- { +- mpi_set (x1, point->x); +- mpi_set (y1, yy); ++ point_init (&tmppnt); ++ for (i=nbits-1; i >= 0; i--) ++ { ++ _gcry_mpi_ec_dup_point (result, result, ctx); ++ _gcry_mpi_ec_add_points (&tmppnt, result, point, ctx); ++ if (mpi_test_bit (scalar, i) == 1) ++ point_set (result, &tmppnt); ++ } ++ point_free (&tmppnt); + } + else + { +- gcry_mpi_t z2, z3; +- +- z2 = mpi_alloc_like (ctx->p); +- z3 = mpi_alloc_like (ctx->p); +- ec_mulm (z2, point->z, point->z, ctx); +- ec_mulm (z3, point->z, z2, ctx); +- ec_invm (z2, z2, ctx); +- ec_mulm (x1, point->x, z2, ctx); +- ec_invm (z3, z3, ctx); +- ec_mulm (y1, yy, z3, ctx); +- mpi_free (z2); +- mpi_free (z3); +- } +- z1 = mpi_copy (ctx->one); ++ gcry_mpi_t x1, y1, z1, k, h, yy; ++ unsigned int i, loops; ++ mpi_point_t p1, p2, p1inv; + +- mpi_mul (h, k, ctx->three); /* h = 3k */ +- loops = mpi_get_nbits (h); +- if (loops < 2) +- { +- /* If SCALAR is zero, the above mpi_mul sets H to zero and thus +- 
LOOPs will be zero. To avoid an underflow of I in the main +- loop we set LOOP to 2 and the result to (0,0,0). */ +- loops = 2; +- mpi_clear (result->x); +- mpi_clear (result->y); +- mpi_clear (result->z); +- } +- else +- { +- mpi_set (result->x, point->x); +- mpi_set (result->y, yy); +- mpi_set (result->z, point->z); +- } +- mpi_free (yy); yy = NULL; ++ x1 = mpi_alloc_like (ctx->p); ++ y1 = mpi_alloc_like (ctx->p); ++ h = mpi_alloc_like (ctx->p); ++ k = mpi_copy (scalar); ++ yy = mpi_copy (point->y); + +- p1.x = x1; x1 = NULL; +- p1.y = y1; y1 = NULL; +- p1.z = z1; z1 = NULL; +- point_init (&p2); +- point_init (&p1inv); ++ if ( mpi_is_neg (k) ) ++ { ++ k->sign = 0; ++ ec_invm (yy, yy, ctx); ++ } + +- for (i=loops-2; i > 0; i--) +- { +- _gcry_mpi_ec_dup_point (result, result, ctx); +- if (mpi_test_bit (h, i) == 1 && mpi_test_bit (k, i) == 0) ++ if (!mpi_cmp_ui (point->z, 1)) ++ { ++ mpi_set (x1, point->x); ++ mpi_set (y1, yy); ++ } ++ else + { +- point_set (&p2, result); +- _gcry_mpi_ec_add_points (result, &p2, &p1, ctx); ++ gcry_mpi_t z2, z3; ++ ++ z2 = mpi_alloc_like (ctx->p); ++ z3 = mpi_alloc_like (ctx->p); ++ ec_mulm (z2, point->z, point->z, ctx); ++ ec_mulm (z3, point->z, z2, ctx); ++ ec_invm (z2, z2, ctx); ++ ec_mulm (x1, point->x, z2, ctx); ++ ec_invm (z3, z3, ctx); ++ ec_mulm (y1, yy, z3, ctx); ++ mpi_free (z2); ++ mpi_free (z3); + } +- if (mpi_test_bit (h, i) == 0 && mpi_test_bit (k, i) == 1) ++ z1 = mpi_copy (ctx->one); ++ ++ mpi_mul (h, k, ctx->three); /* h = 3k */ ++ loops = mpi_get_nbits (h); ++ if (loops < 2) + { +- point_set (&p2, result); +- /* Invert point: y = p - y mod p */ +- point_set (&p1inv, &p1); +- ec_subm (p1inv.y, ctx->p, p1inv.y, ctx); +- _gcry_mpi_ec_add_points (result, &p2, &p1inv, ctx); ++ /* If SCALAR is zero, the above mpi_mul sets H to zero and thus ++ LOOPs will be zero. To avoid an underflow of I in the main ++ loop we set LOOP to 2 and the result to (0,0,0). 
*/ ++ loops = 2; ++ mpi_clear (result->x); ++ mpi_clear (result->y); ++ mpi_clear (result->z); ++ } ++ else ++ { ++ mpi_set (result->x, point->x); ++ mpi_set (result->y, yy); ++ mpi_set (result->z, point->z); ++ } ++ mpi_free (yy); yy = NULL; ++ ++ p1.x = x1; x1 = NULL; ++ p1.y = y1; y1 = NULL; ++ p1.z = z1; z1 = NULL; ++ point_init (&p2); ++ point_init (&p1inv); ++ ++ for (i=loops-2; i > 0; i--) ++ { ++ _gcry_mpi_ec_dup_point (result, result, ctx); ++ if (mpi_test_bit (h, i) == 1 && mpi_test_bit (k, i) == 0) ++ { ++ point_set (&p2, result); ++ _gcry_mpi_ec_add_points (result, &p2, &p1, ctx); ++ } ++ if (mpi_test_bit (h, i) == 0 && mpi_test_bit (k, i) == 1) ++ { ++ point_set (&p2, result); ++ /* Invert point: y = p - y mod p */ ++ point_set (&p1inv, &p1); ++ ec_subm (p1inv.y, ctx->p, p1inv.y, ctx); ++ _gcry_mpi_ec_add_points (result, &p2, &p1inv, ctx); ++ } + } ++ ++ point_free (&p1); ++ point_free (&p2); ++ point_free (&p1inv); ++ mpi_free (h); ++ mpi_free (k); + } ++} ++ ++ ++/* Return true if POINT is on the curve described by CTX. 
*/ ++int ++_gcry_mpi_ec_curve_point (mpi_point_t *point, gcry_mpi_t b, mpi_ec_t ctx) ++{ ++ int res = 0; ++ gcry_mpi_t x, y, w; ++ gcry_mpi_t xxx; ++ ++ x = mpi_new (0); ++ y = mpi_new (0); ++ w = mpi_new (0); ++ xxx = mpi_new (0); ++ ++ if (_gcry_mpi_ec_get_affine (x, y, point, ctx)) ++ goto leave; ++ ++ /* y^2 == x^3 + a·x + b */ ++ ec_mulm (y, y, y, ctx); ++ ++ ec_mulm (xxx, x, x, ctx); ++ ec_mulm (xxx, xxx, x, ctx); ++ ec_mulm (w, ctx->a, x, ctx); ++ ec_addm (w, w, b, ctx); ++ ec_addm (w, w, xxx, ctx); ++ ++ if (!mpi_cmp (y, w)) ++ res = 1; ++ ++ leave: ++ _gcry_mpi_release (xxx); ++ _gcry_mpi_release (w); ++ _gcry_mpi_release (x); ++ _gcry_mpi_release (y); + +- point_free (&p1); +- point_free (&p2); +- point_free (&p1inv); +- mpi_free (h); +- mpi_free (k); +-#endif ++ return res; + } +diff --git a/src/mpi.h b/src/mpi.h +index 65a4f97..adc65e2 100644 +--- a/src/mpi.h ++++ b/src/mpi.h +@@ -257,7 +257,7 @@ void _gcry_mpi_ec_add_points (mpi_point_t *result, + void _gcry_mpi_ec_mul_point (mpi_point_t *result, + gcry_mpi_t scalar, mpi_point_t *point, + mpi_ec_t ctx); +- ++int _gcry_mpi_ec_curve_point (mpi_point_t *point, gcry_mpi_t b, mpi_ec_t ctx); + + + #endif /*G10_MPI_H*/ +-- +2.1.4 + diff --git a/dev-libs/libgcrypt/libgcrypt-1.5.4-r101.ebuild b/dev-libs/libgcrypt/libgcrypt-1.5.4-r101.ebuild new file mode 100644 index 0000000..9848675 --- /dev/null +++ b/dev-libs/libgcrypt/libgcrypt-1.5.4-r101.ebuild 
@@ -0,0 +1,59 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 +AUTOTOOLS_AUTORECONF=1 + +inherit autotools-multilib + +DESCRIPTION="General purpose crypto library based on the code used in GnuPG" +HOMEPAGE="http://www.gnupg.org/" +SRC_URI="mirror://gnupg/${PN}/${P}.tar.bz2" + +LICENSE="LGPL-2.1 MIT" +SLOT="11/11" # subslot = soname major version +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="" + +RDEPEND=">=dev-libs/libgpg-error-1.12[${MULTILIB_USEDEP}] + !dev-libs/libgcrypt:0/11 + abi_x86_32? ( + !<=app-emulation/emul-linux-x86-baselibs-20131008-r19 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32] + )" +DEPEND="${RDEPEND}" + +DOCS=( AUTHORS ChangeLog NEWS README THANKS TODO ) + +PATCHES=( + "${FILESDIR}"/${PN}-1.5.0-uscore.patch + "${FILESDIR}"/${PN}-multilib-syspath.patch + "${FILESDIR}"/${P}-clang-arm.patch + "${FILESDIR}"/${P}-CVE-2015-7511.patch +) + +src_configure() { + local myeconfargs=( + --disable-padlock-support # bug 201917 + --disable-dependency-tracking + --enable-noexecstack + --disable-O-flag-munging + + # disabled due to various applications requiring privileges + # after libgcrypt drops them (bug #468616) + --without-capabilities + + # http://trac.videolan.org/vlc/ticket/620 + # causes bus-errors on sparc64-solaris + $([[ ${CHOST} == *86*-darwin* ]] && echo "--disable-asm") + $([[ ${CHOST} == sparcv9-*-solaris* ]] && echo "--disable-asm") + ) + autotools-multilib_src_configure +} + +src_install() { + autotools-multilib_src_install + + rm -r "${ED%/}"/usr/{bin,include,lib*/*.so,share} || die +} 
diff --git a/dev-libs/libgcrypt/libgcrypt-1.5.4-r2.ebuild b/dev-libs/libgcrypt/libgcrypt-1.5.4-r2.ebuild new file mode 100644 index 0000000..afc1b20 --- /dev/null +++ b/dev-libs/libgcrypt/libgcrypt-1.5.4-r2.ebuild 
@@ -0,0 +1,58 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 +AUTOTOOLS_AUTORECONF=1 + +inherit autotools-multilib + +DESCRIPTION="General purpose crypto library based on the code used in GnuPG" +HOMEPAGE="http://www.gnupg.org/" +SRC_URI="mirror://gnupg/${PN}/${P}.tar.bz2" + +LICENSE="LGPL-2.1 MIT" +SLOT="0/11" # subslot = soname major version +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="static-libs" + +RDEPEND=">=dev-libs/libgpg-error-1.12[${MULTILIB_USEDEP}] + !dev-libs/libgcrypt:11 + abi_x86_32? ( + !<=app-emulation/emul-linux-x86-baselibs-20131008-r19 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32] + )" +DEPEND="${RDEPEND}" + +DOCS=( AUTHORS ChangeLog NEWS README THANKS TODO ) + +PATCHES=( + "${FILESDIR}"/${PN}-1.5.0-uscore.patch + "${FILESDIR}"/${PN}-multilib-syspath.patch + "${FILESDIR}"/${P}-clang-arm.patch + "${FILESDIR}"/${P}-CVE-2015-7511.patch +) + +MULTILIB_CHOST_TOOLS=( + /usr/bin/libgcrypt-config +) + +src_configure() { + local myeconfargs=( + --disable-padlock-support # bug 201917 + --disable-dependency-tracking + --enable-noexecstack + --disable-O-flag-munging + $(use_enable static-libs static) + + # disabled due to various applications requiring privileges + # after libgcrypt drops them (bug #468616) + --without-capabilities + + # http://trac.videolan.org/vlc/ticket/620 + # causes bus-errors on sparc64-solaris + $([[ ${CHOST} == *86*-darwin* ]] && echo "--disable-asm") + $([[ ${CHOST} == sparcv9-*-solaris* ]] && echo "--disable-asm") + ) + autotools-multilib_src_configure +}
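Review bot: In cipher/ecc.c, ecc_decrypt_raw, the new rejection path frees kG, sk.E.G, sk.Q and ctx by hand before returning GPG_ERR_INV_DATA, while the success path now depends on a point_free (&kG) that lies outside this hunk. Two hand-maintained cleanup sequences drift easily; consider routing both through a single cleanup label, and confirm that everything set up in sk before `_gcry_mpi_ec_init` is also released on the early return. A one-line comment above the check, saying that kG comes from the ciphertext and must be on the curve before it is multiplied by sk.d, would document why the check sits exactly there.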
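Review bot: In mpi/ec.c, the secure branch of _gcry_mpi_ec_mul_point performs the addition on every iteration but still selects the result with `if (mpi_test_bit (scalar, i) == 1) point_set (result, &tmppnt);`, so the copy remains a branch on each secret bit, and the loop count is taken from mpi_get_nbits (scalar). The comment still reads "Simple left to right binary method"; it should say that the add is unconditional, why, and that the loop is not constant time. The secure branch also has no counterpart to the mpi_is_neg (k) handling kept in the else branch, and the hardened path is taken only when mpi_is_secure (scalar) holds, so a caller with a secret scalar outside secure memory silently gets the old algorithm; both deserve a comment or an explicit check. In the same hunk, the header comment of _gcry_mpi_ec_curve_point says the curve is "described by CTX" although b is passed as a separate argument; the comment should name that parameter.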
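Review bot: Both new ebuilds, libgcrypt-1.5.4-r101 and libgcrypt-1.5.4-r2, carry only ~arch entries in KEYWORDS, so systems on stable keywords do not receive the CVE-2015-7511 patch from this commit alone, and the commit message has no bug reference through which stabilisation could be tracked. Suggest adding the security bug number to the commit message and following up with a stabilisation request. The PATCHES array is duplicated across the two files and has to be kept in step by hand when the next backport lands; a short comment in each ebuild pointing at the sibling revision would help.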