new file mode 100644
@@ -0,0 +1,67 @@
+From 932feeb38783b539ee49e7ba3c1729830984f019 Mon Sep 17 00:00:00 2001
+From: Jack Lloyd <jack@randombit.net>
+Date: Sat, 19 Oct 2024 07:43:18 -0400
+Subject: [PATCH] Add more value barriers to avoid compiler induced side
+ channels
+
+The paper https://arxiv.org/pdf/2410.13489 claims that on specific
+architectures Clang and GCC may introduce jumps here. The donna128
+issues only affect 32-bit processors, which explains why we would not
+see it in the x86-64 valgrind runs.
+
+The GHASH leak would seem to be generic but the authors only observed
+it on RISC-V.
+
+CVE: CVE-2024-50382
+CVE: CVE-2024-50383
+Upstream-Status: Backport [https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/lib/utils/donna128.h | 5 +++--
+ src/lib/utils/ghash/ghash.cpp | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/utils/donna128.h b/src/lib/utils/donna128.h
+index ff57190..dbf2f38 100644
+--- a/src/lib/utils/donna128.h
++++ b/src/lib/utils/donna128.h
+@@ -8,6 +8,7 @@
+ #ifndef BOTAN_CURVE25519_DONNA128_H_
+ #define BOTAN_CURVE25519_DONNA128_H_
+
++#include <botan/internal/ct_utils.h>
+ #include <botan/mul128.h>
+
+ namespace Botan {
+@@ -61,7 +62,7 @@ class donna128 final
+ l += x.l;
+ h += x.h;
+
+- const uint64_t carry = (l < x.l);
++ const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x.l).if_set_return(1);;
+ h += carry;
+ return *this;
+ }
+@@ -69,7 +70,7 @@ class donna128 final
+ donna128& operator+=(uint64_t x)
+ {
+ l += x;
+- const uint64_t carry = (l < x);
++ const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x).if_set_return(1);
+ h += carry;
+ return *this;
+ }
+diff --git a/src/lib/utils/ghash/ghash.cpp b/src/lib/utils/ghash/ghash.cpp
+index e24f5e0..8f0afa7 100644
+--- a/src/lib/utils/ghash/ghash.cpp
++++ b/src/lib/utils/ghash/ghash.cpp
+@@ -139,7 +139,7 @@ void GHASH::key_schedule(const uint8_t key[], size_t length)
+ m_HM[4*j+2*i+1] = H1;
+
+ // GCM's bit ops are reversed so we carry out of the bottom
+- const uint64_t carry = R * (H1 & 1);
++ const uint64_t carry = CT::Mask<uint64_t>::expand(H1 & 1).if_set_return(R);
+ H1 = (H1 >> 1) | (H0 << 63);
+ H0 = (H0 >> 1) ^ carry;
+ }
@@ -10,6 +10,7 @@ SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz \
file://0003-FIX-missing-validation-of-authority-of-delegation-re.patch \
file://0004-review-comments.patch \
file://0001-Address-various-name-constraint-bugs.patch \
+ file://0001-Add-more-value-barriers-to-avoid-compiler-induced-si.patch \
"
SRC_URI[sha256sum] = "e26e00cfefda64082afdd540d3c537924f645d6a674afed2cd171005deff5560"
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-50382 https://nvd.nist.gov/vuln/detail/CVE-2024-50383 Pick patch mentioned in the URL list of the nist page - the same patch fixes both vulnerabilities. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- ...arriers-to-avoid-compiler-induced-si.patch | 67 +++++++++++++++++++ meta-oe/recipes-crypto/botan/botan_2.19.1.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta-oe/recipes-crypto/botan/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-si.patch