authorOvidiu Panait <ovidiu.panait@windriver.com>2020-07-14 11:18:13 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-04 23:17:38 +0100
commit20757f3bb4bdb2c90ddd9cf3433605a5007bb1b5 (patch)
tree97916277c2ed88df93042c8361a1f5d0504f3dbf
parentcb791c2755d238305707281c3b9b0c8c34022952 (diff)
downloadpoky-20757f3bb4bdb2c90ddd9cf3433605a5007bb1b5.tar.gz
nss: Fix CVE-2020-12399
Master (nss version 3.54) is not affected by this issue; this is a backport of the fix from nss version 3.54. NSS showed timing differences when performing DSA signatures, which were exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

Upstream patch: https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e

(From OE-Core rev: c447b32c1ec0c117748a4be68dda02d375c81b85)

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch110
-rw-r--r--meta/recipes-support/nss/nss_3.45.bb1
2 files changed, 111 insertions, 0 deletions
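--- /dev/null
+++ b/meta/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
@@ -0,0 +1,110 @@
+From 5942c26888ba12ad5e0d92fb62f23d7cde6dc159 Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Mon, 13 Jul 2020 06:25:56 +0000
+Subject: [PATCH] Bug 1631576 - Force a fixed length for DSA exponentiation
+ r=pereida,bbrumley
+
+Differential Revision: https://phabricator.services.mozilla.com/D72011
+
+Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e]
+
+Authored-by: Robert Relyea <rrelyea@redhat.com>
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ nss/lib/freebl/dsa.c | 45 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/nss/lib/freebl/dsa.c b/nss/lib/freebl/dsa.c
+index aef3539..389c9de 100644
+--- a/nss/lib/freebl/dsa.c
++++ b/nss/lib/freebl/dsa.c
+@@ -313,13 +313,14 @@ DSA_NewKeyFromSeed(const PQGParams *params,
+
+ static SECStatus
+ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+- const unsigned char *kb)
++ const unsigned char *kbytes)
+ {
+ mp_int p, q, g; /* PQG parameters */
+ mp_int x, k; /* private key & pseudo-random integer */
+ mp_int r, s; /* tuple (r, s) is signature) */
+ mp_int t; /* holding tmp values */
+ mp_int ar; /* holding blinding values */
++ mp_digit fuzz; /* blinding multiplier for q */
+ mp_err err = MP_OKAY;
+ SECStatus rv = SECSuccess;
+ unsigned int dsa_subprime_len, dsa_signature_len, offset;
+@@ -373,6 +374,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+ CHECK_MPI_OK(mp_init(&s));
+ CHECK_MPI_OK(mp_init(&t));
+ CHECK_MPI_OK(mp_init(&ar));
++
+ /*
+ ** Convert stored PQG and private key into MPI integers.
+ */
+@@ -380,14 +382,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+ SECITEM_TO_MPINT(key->params.subPrime, &q);
+ SECITEM_TO_MPINT(key->params.base, &g);
+ SECITEM_TO_MPINT(key->privateValue, &x);
+- OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
++ OCTETS_TO_MPINT(kbytes, &k, dsa_subprime_len);
++
++ /* k blinding create a single value that has the high bit set in
++ * the mp_digit*/
++ if (RNG_GenerateGlobalRandomBytes(&fuzz, sizeof(mp_digit)) != SECSuccess) {
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ rv = SECFailure;
++ goto cleanup;
++ }
++ fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1));
+ /*
+ ** FIPS 186-1, Section 5, Step 1
+ **
+ ** r = (g**k mod p) mod q
+ */
+- CHECK_MPI_OK(mp_exptmod(&g, &k, &p, &r)); /* r = g**k mod p */
+- CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */
++ CHECK_MPI_OK(mp_mul_d(&q, fuzz, &t)); /* t = q*fuzz */
++ CHECK_MPI_OK(mp_add(&k, &t, &t)); /* t = k+q*fuzz */
++ /* length of t is now fixed, bits in k have been blinded */
++ CHECK_MPI_OK(mp_exptmod(&g, &t, &p, &r)); /* r = g**t mod p */
++ /* r is now g**(k+q*fuzz) == g**k mod p */
++ CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q */
++
+ /*
+ ** FIPS 186-1, Section 5, Step 2
+ **
+@@ -411,15 +427,24 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+ /* Using mp_invmod on k directly would leak bits from k. */
+ CHECK_MPI_OK(mp_mul(&k, &ar, &k)); /* k = k * ar */
+ CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
+- CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
++ /* k is now k*t*ar */
++ CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
++ /* k is now (k*t*ar)**-1 */
+ CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
+- SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
++ /* k is now (k*ar)**-1 */
++ SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M) */
+ /* To avoid leaking secret bits here the addition is blinded. */
+- CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
+- CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
++ CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
++ /* x is now x*ar */
++ CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
++ /* x is now x*r*ar */
+ CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */
+- CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
+- CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
++ /* t is now hash(M)*ar */
++ CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
++ /* s is now (HASH(M)+x*r)*ar */
++ CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
++ /* s is now (HASH(M)+x*r)*ar*(k*ar)**-1 = (k**-1)*(HASH(M)+x*r) */
++
+ /*
+ ** verify r != 0 and s != 0
+ ** mentioned as optional in FIPS 186-1.
+--
+2.18.1
+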
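Review bot: The header of the new patch file (its lines 1–12) carries `Upstream-Status: Backport` but no `CVE:` tag, so the cve-check class has no way to learn that this recipe is patched for the issue named in the commit title and will keep reporting nss 3.45 as vulnerable to it; add `CVE: CVE-2020-12399` directly under the Upstream-Status line. The code hunks themselves are the upstream dsa_SignDigest change (blinding k with q*fuzz so the exponent length no longer depends on k) and I have no issue with them; note only that the function body both starts and ends outside the quoted hunks, so the `cleanup` label the new `goto` targets is not visible here and is assumed to exist from the surrounding error-handling macros. It would also help future readers if the patch body stated in one sentence why the fixed-length exponent matters, e.g. `Makes mp_exptmod run on an exponent of constant bit length so signing time no longer correlates with the per-signature nonce.`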
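--- a/meta/recipes-support/nss/nss_3.45.bb
+++ b/meta/recipes-support/nss/nss_3.45.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
 file://blank-cert9.db \
 file://blank-key4.db \
 file://system-pkcs11.txt \
+file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
 "
 
 SRC_URI[md5sum] = "f1752d7223ee9d910d551e57264bafa8"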