authorVijay Anusuri <vanusuri@mvista.com>2024-01-22 09:35:27 +0530
committerSteve Sakoman <steve@sakoman.com>2024-01-31 03:51:10 -1000
commitbffa4f3051a7cae61ccb63b6d711e94f633ae32f (patch)
treef2cfc6312430c5d0e8d208ed87ffaf41702168a0
parent9bf63ee197c34508abe9817730b542e66a4037a0 (diff)
downloadpoky-bffa4f3051a7cae61ccb63b6d711e94f633ae32f.tar.gz
gnutls: Backport fix for CVE-2023-5981
Upstream-Status: Backport [import from ubuntu https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d] References: https://ubuntu.com/security/CVE-2023-5981 (From OE-Core rev: 087b7c5d8363bcc6ae801d3ca18e6490e86a1381) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch206
-rw-r--r--meta/recipes-support/gnutls/gnutls_3.6.14.bb1
2 files changed, 207 insertions, 0 deletions
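--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
+Backport of:
+
+From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 23 Oct 2023 09:26:57 +0900
+Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+
+This removes branching that depends on secret data, porting changes
+for regular RSA key exchange from
+4804febddc2ed958e5ae774de2a8f85edeeff538 and
+80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the
+allow_wrong_pms as it was used sorely to control debug output
+depending on the branching.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
+Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
+CVE: CVE-2023-5981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/auth/rsa.c | 2 +-
+ lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
+ lib/gnutls_int.h | 4 ---
+ lib/priority.c | 1 -
+ 4 files changed, 35 insertions(+), 62 deletions(-)
+
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
+ session->key.key.size);
+ /* After this point, any conditional on failure that cause differences
+ * in execution may create a timing or cache access pattern side
+- * channel that can be used as an oracle, so treat very carefully */
++ * channel that can be used as an oracle, so tread carefully */
+
+ /* Error handling logic:
+ * In case decryption fails then don't inform the peer. Just use the
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ {
+ gnutls_datum_t username;
+ psk_auth_info_t info;
+- gnutls_datum_t plaintext;
+ gnutls_datum_t ciphertext;
+ gnutls_datum_t pwd_psk = { NULL, 0 };
+ int ret, dsize;
+- int randomize_key = 0;
+ ssize_t data_size = _data_size;
+ gnutls_psk_server_credentials_t cred;
+ gnutls_datum_t premaster_secret = { NULL, 0 };
++ volatile uint8_t ver_maj, ver_min;
+
+ cred = (gnutls_psk_server_credentials_t)
+ _gnutls_get_cred(session, GNUTLS_CRD_PSK);
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ }
+ ciphertext.size = dsize;
+
+- ret =
+- gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+- &ciphertext, &plaintext);
+- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+- /* In case decryption fails then don't inform
+- * the peer. Just use a random key. (in order to avoid
+- * attack against pkcs-1 formatting).
+- */
+- gnutls_assert();
+- _gnutls_debug_log
+- ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+- if (ret >= 0) {
+- gnutls_free(plaintext.data);
+- }
+- randomize_key = 1;
+- } else {
+- /* If the secret was properly formatted, then
+- * check the version number.
+- */
+- if (_gnutls_get_adv_version_major(session) !=
+- plaintext.data[0]
+- || (session->internals.allow_wrong_pms == 0
+- && _gnutls_get_adv_version_minor(session) !=
+- plaintext.data[1])) {
+- /* No error is returned here, if the version number check
+- * fails. We proceed normally.
+- * That is to defend against the attack described in the paper
+- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
+- * Ondej Pokorny and Tomas Rosa.
+- */
+- gnutls_assert();
+- _gnutls_debug_log
+- ("auth_rsa: Possible PKCS #1 version check format attack\n");
+- }
+- }
++ ver_maj = _gnutls_get_adv_version_major(session);
++ ver_min = _gnutls_get_adv_version_minor(session);
+
++ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
++ if (premaster_secret.data == NULL) {
++ gnutls_assert();
++ return GNUTLS_E_MEMORY_ERROR;
++ }
++ premaster_secret.size = GNUTLS_MASTER_SIZE;
+
+- if (randomize_key != 0) {
+- premaster_secret.size = GNUTLS_MASTER_SIZE;
+- premaster_secret.data =
+- gnutls_malloc(premaster_secret.size);
+- if (premaster_secret.data == NULL) {
+- gnutls_assert();
+- return GNUTLS_E_MEMORY_ERROR;
+- }
+-
+- /* we do not need strong random numbers here.
+- */
+- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+- premaster_secret.size);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+- } else {
+- premaster_secret.data = plaintext.data;
+- premaster_secret.size = plaintext.size;
++ /* Fallback value when decryption fails. Needs to be unpredictable. */
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
++ premaster_secret.size);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
+ }
+
++ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
++ &ciphertext, premaster_secret.data,
++ premaster_secret.size);
++ /* After this point, any conditional on failure that cause differences
++ * in execution may create a timing or cache access pattern side
++ * channel that can be used as an oracle, so tread carefully */
++
++ /* Error handling logic:
++ * In case decryption fails then don't inform the peer. Just use the
++ * random key previously generated. (in order to avoid attack against
++ * pkcs-1 formatting).
++ *
++ * If we get version mismatches no error is returned either. We
++ * proceed normally. This is to defend against the attack described
++ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
++ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
++ */
+
+ /* This is here to avoid the version check attack
+ * discussed above.
+ */
+-
+- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
+- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
++ premaster_secret.data[0] = ver_maj;
++ premaster_secret.data[1] = ver_min;
+
+ /* find the key of this username
+ */
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -989,7 +989,6 @@ struct gnutls_priority_st {
+ bool _no_etm;
+ bool _no_ext_master_secret;
+ bool _allow_key_usage_violation;
+- bool _allow_wrong_pms;
+ bool _dumbfw;
+ unsigned int _dh_prime_bits; /* old (deprecated) variable */
+
+@@ -1007,7 +1006,6 @@ struct gnutls_priority_st {
+ (x)->no_etm = 1; \
+ (x)->no_ext_master_secret = 1; \
+ (x)->allow_key_usage_violation = 1; \
+- (x)->allow_wrong_pms = 1; \
+ (x)->dumbfw = 1
+
+ #define ENABLE_PRIO_COMPAT(x) \
+@@ -1016,7 +1014,6 @@ struct gnutls_priority_st {
+ (x)->_no_etm = 1; \
+ (x)->_no_ext_master_secret = 1; \
+ (x)->_allow_key_usage_violation = 1; \
+- (x)->_allow_wrong_pms = 1; \
+ (x)->_dumbfw = 1
+
+ /* DH and RSA parameters types.
+@@ -1141,7 +1138,6 @@ typedef struct {
+ bool no_etm;
+ bool no_ext_master_secret;
+ bool allow_key_usage_violation;
+- bool allow_wrong_pms;
+ bool dumbfw;
+
+ /* old (deprecated) variable. This is used for both srp_prime_bits
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t ses
+ COPY_TO_INTERNALS(no_etm);
+ COPY_TO_INTERNALS(no_ext_master_secret);
+ COPY_TO_INTERNALS(allow_key_usage_violation);
+- COPY_TO_INTERNALS(allow_wrong_pms);
+ COPY_TO_INTERNALS(dumbfw);
+ COPY_TO_INTERNALS(dh_prime_bits);
+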
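Review bot: The return value of the new `gnutls_privkey_decrypt_data2()` call in `_gnutls_proc_rsa_psk_client_kx` is discarded without any marker that this is deliberate; the discard is the whole point of the fix (branching on it is what the patch removes), but a later cleanup could "fix" the unused result with an `if (ret < 0)` check and reintroduce the oracle. Making the intent explicit costs one line: `(void)gnutls_privkey_decrypt_data2(session->internals.selected_key, 0, &ciphertext, premaster_secret.data, premaster_secret.size); /* result intentionally not branched on, see below */`. The enclosing function starts and ends outside the hunk, so whether `premaster_secret.data` is released on the `goto cleanup` path taken when `gnutls_rnd()` fails cannot be confirmed from the patch alone and is worth checking in the backported tree. The rsa.c, gnutls_int.h and priority.c hunks are a comment fix and removal of the now-unused `allow_wrong_pms` field and raise nothing.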
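--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2022-2509.patch \
 file://CVE-2021-4209.patch \
 file://CVE-2023-0361.patch \
+file://CVE-2023-5981.patch \
 "
 
 SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"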