new file mode 100644

@@ -0,0 +1,72 @@

+From 9010d1576e278a4274ad3f4aa15776c28f6ba965 Mon Sep 17 00:00:00 2001

+From: NIIBE Yutaka <gniibe@fsij.org>

+Date: Wed, 13 Jun 2018 15:28:58 +0900

+Subject: [PATCH] ecc: Add blinding for ECDSA.

+

+* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with

+randomized nonce B.

+

+--

+

+Reported-by: Keegan Ryan <Keegan.Ryan@nccgroup.trust>

+CVE-id: CVE-2018-0495

+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

+---

+ cipher/ecc-ecdsa.c | 20 ++++++++++++++++++--

+ 1 file changed, 18 insertions(+), 2 deletions(-)

+

+diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c

+index 1484830..140e8c0 100644

+--- a/cipher/ecc-ecdsa.c

+@@ -50,6 +50,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,

+   const void *abuf;

+   unsigned int abits, qbits;

+   mpi_ec_t ctx;

++  gcry_mpi_t b;                /* Random number needed for blinding.  */

++  gcry_mpi_t bi;               /* multiplicative inverse of B.        */

+ 

+   if (DBG_CIPHER)

+     log_mpidump ("ecdsa sign hash  ", input );

+@@ -61,6 +63,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,

+   if (rc)

+     return rc;

+ 

++  b  = mpi_snew (qbits);

++  bi = mpi_snew (qbits);

++  do

++    {

++      _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);

++      mpi_mod (b, b, skey->E.n);

++    }

++  while (!mpi_invm (bi, b, skey->E.n));

++

+   k = NULL;

+   dr = mpi_alloc (0);

+   sum = mpi_alloc (0);

+@@ -115,8 +126,11 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,

+         }

+       while (!mpi_cmp_ui (r, 0));

+ 

+-      mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n  */

+-      mpi_addm (sum, hash, dr, skey->E.n);  /* sum = hash + (d*r) mod n  */

++      mpi_mulm (dr, b, skey->d, skey->E.n);

++      mpi_mulm (dr, dr, r, skey->E.n);      /* dr = d*r mod n (blinded with b) */

++      mpi_mulm (sum, b, hash, skey->E.n);

++      mpi_addm (sum, sum, dr, skey->E.n);   /* sum = hash + (d*r) mod n  (blinded with b) */

++      mpi_mulm (sum, bi, sum, skey->E.n);   /* undo blinding by b^-1 */

+       mpi_invm (k_1, k, skey->E.n);         /* k_1 = k^(-1) mod n  */

+       mpi_mulm (s, k_1, sum, skey->E.n);    /* s = k^(-1)*(hash+(d*r)) mod n */

+     }

+@@ -129,6 +143,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,

+     }

+ 

+  leave:

++  mpi_free (b);

++  mpi_free (bi);

+   _gcry_mpi_ec_free (ctx);

+   point_free (&I);

+   mpi_free (x);

+-- 

+2.7.4

+

@@ -1,11 +1,12 @@

 Summary:	Crypto Libraries

 Name:		libgcrypt

 Version:	1.8.1

-Release:	1%{?dist}

+Release:	2%{?dist}

 License:        GPLv2+ and LGPLv2+

 URL:            http://www.gnu.org/software/libgcrypt/

 Source0:        ftp://ftp.gnupg.org/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2

 %define sha1 libgcrypt=dd35f00da45602afe81e01f4d60c40bbdd826fe6

+Patch0:         libgcrypt-CVE-2018-0495.patch

 Group:		System Environment/Libraries

 Vendor:		VMware, Inc.

 BuildRequires:	libgpg-error-devel

@@ -25,6 +26,8 @@ developing applications that use libgcrypt.

 %prep

 %setup -q

+%patch0 -p1

+

 %build

 ./configure \

 	--prefix=%{_prefix}

@@ -50,6 +53,8 @@ make %{?_smp_mflags} check

 %{_includedir}/*.h

 %{_libdir}/*.so

 %changelog

+*   Mon Sep 03 2018 Ankit Jain <ankitja@vmware.com> 1.8.1-2

+-   Fix for CVE-2018-0495

 *   Tue Oct 10 2017 Vinay Kulkarni <kulkarniv@vmware.com> 1.8.1-1

 -   Udpated to v1.8.1 to address CVE-2017-0379

 *   Tue Apr 04 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.7.6-1