File libgcrypt-CVE-2019-13627.patch of Package libgcrypt.15118

diff -Puri libgcrypt-1.8.2-orig/cipher/dsa.c libgcrypt-1.8.2/cipher/dsa.c
--- libgcrypt-1.8.2-orig/cipher/dsa.c	2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.2/cipher/dsa.c	2019-09-02 14:03:22.957673105 +0200
@@ -635,6 +635,8 @@
       k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
     }
 
+  _gcry_dsa_modify_k (k, skey->q, qbits);
+
   /* r = (a^k mod p) mod q */
   mpi_powm( r, skey->g, k, skey->p );
   mpi_fdiv_r( r, r, skey->q );
diff -Puri libgcrypt-1.8.2-orig/cipher/dsa-common.c libgcrypt-1.8.2/cipher/dsa-common.c
--- libgcrypt-1.8.2-orig/cipher/dsa-common.c	2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.2/cipher/dsa-common.c	2019-09-02 14:03:22.957673105 +0200
@@ -30,6 +30,30 @@
 
 
 /*
+ * Modify K, so that computation time difference can be small,
+ * by making K large enough.
+ *
+ * Originally, (EC)DSA computation requires k where 0 < k < q.  Here,
+ * we add q (the order), to keep k in a range: q < k < 2*q (or,
+ * addming more q, to keep k in a range: 2*q < k < 3*q), so that
+ * timing difference of the EC multiply (or exponentiation) operation
+ * can be small.  The result of (EC)DSA computation is same.
+ */
+void
+_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
+{
+  gcry_mpi_t k1 = mpi_new (qbits+2);
+
+  mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
+  k->nlimbs = k->alloced;
+  mpi_add (k, k, q);
+  mpi_add (k1, k, q);
+  mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
+
+  mpi_free (k1);
+}
+
+/*
  * Generate a random secret exponent K less than Q.
  * Note that ECDSA uses this code also to generate D.
  */
diff -Puri libgcrypt-1.8.2-orig/cipher/ecc-ecdsa.c libgcrypt-1.8.2/cipher/ecc-ecdsa.c
--- libgcrypt-1.8.2-orig/cipher/ecc-ecdsa.c	2019-09-02 14:02:42.193185589 +0200
+++ libgcrypt-1.8.2/cipher/ecc-ecdsa.c	2019-09-02 14:03:22.957673105 +0200
@@ -114,6 +114,8 @@
           else
             k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
 
+          _gcry_dsa_modify_k (k, skey->E.n, qbits);
+
           _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
           if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
             {
diff -Puri libgcrypt-1.8.2-orig/cipher/ecc-gost.c libgcrypt-1.8.2/cipher/ecc-gost.c
--- libgcrypt-1.8.2-orig/cipher/ecc-gost.c	2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.2/cipher/ecc-gost.c	2019-09-02 14:03:22.961673154 +0200
@@ -94,6 +94,8 @@
           mpi_free (k);
           k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
 
+          _gcry_dsa_modify_k (k, skey->E.n, qbits);
+
           _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
           if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
             {
diff -Puri libgcrypt-1.8.2-orig/cipher/pubkey-internal.h libgcrypt-1.8.2/cipher/pubkey-internal.h
--- libgcrypt-1.8.2-orig/cipher/pubkey-internal.h	2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.2/cipher/pubkey-internal.h	2019-09-02 14:03:22.961673154 +0200
@@ -84,6 +84,7 @@
 
 
 /*-- dsa-common.c --*/
+void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
 gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
 gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
                                         gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
diff -Puri libgcrypt-1.8.2-orig/mpi/ec.c libgcrypt-1.8.2/mpi/ec.c
--- libgcrypt-1.8.2-orig/mpi/ec.c	2017-11-23 19:16:58.000000000 +0100
+++ libgcrypt-1.8.2/mpi/ec.c	2019-09-02 14:03:22.945672961 +0200
@@ -1309,7 +1309,11 @@
       unsigned int nbits;
       int j;
 
-      nbits = mpi_get_nbits (scalar);
+      if (mpi_cmp (scalar, ctx->p) >= 0)
+        nbits = mpi_get_nbits (scalar);
+      else
+        nbits = mpi_get_nbits (ctx->p);
+
       if (ctx->model == MPI_EC_WEIERSTRASS)
         {
           mpi_set_ui (result->x, 1);