authorKai Kang <kai.kang@windriver.com>2018-11-02 16:02:13 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-11-07 23:08:54 +0000
commitd5fe5c654b7d36dcbea03231320cb6edbb6788c0 (patch)
treeaa8253e0c986fbcb91618d14b0b29056720b61e6
parent05c548c5f41cb7aa74984a0697b8ee8e0dceeb20 (diff)
downloadpoky-d5fe5c654b7d36dcbea03231320cb6edbb6788c0.tar.gz
openssl: fix CVE-2018-0734 for both 1.0.2p and 1.1.1
Backport patches to fix CVE-2018-0734 for both openssl 1.0.2p and 1.1.1 versions. (From OE-Core rev: 9d5c6a87eb72a8b8b8d417126a831565982ca9a6) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch108
-rw-r--r--meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch33
-rw-r--r--meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb1
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.1.1.bb1
4 files changed, 143 insertions, 0 deletions
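diff --git a/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch b/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
new file mode 100644
index 0000000000..2a3e03fe2a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
@@ -0,0 +1,108 @@
+Backport patch to fix CVE-2018-0734. Remove a section which only remove a
+space. It can't be applied because the context is different.
+
+CVE: CVE-2018-0734
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 8abfe72e8c1de1b95f50aa0d9134803b4d00070f Mon Sep 17 00:00:00 2001
+From: Pauli <paul.dale@oracle.com>
+Date: Wed, 24 Oct 2018 07:42:46 +1000
+Subject: [PATCH] Timing vulnerability in DSA signature generation
+ (CVE-2018-0734).
+
+Avoid a timing attack that leaks information via a side channel that
+triggers when a BN is resized. Increasing the size of the BNs
+prior to doing anything with them suppresses the attack.
+
+Thanks due to Samuel Weiser for finding and locating this.
+
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+(Merged from https://github.com/openssl/openssl/pull/7486)
+
+(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)
+---
+ crypto/dsa/dsa_ossl.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
+index ca20811200..2dd2d7489a 100644
+--- a/crypto/dsa/dsa_ossl.c
++++ b/crypto/dsa/dsa_ossl.c
+@@ -9,6 +9,7 @@
+
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
++#include "internal/bn_int.h"
+ #include <openssl/bn.h>
+ #include <openssl/sha.h>
+ #include "dsa_locl.h"
+@@ -180,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ {
+ BN_CTX *ctx = NULL;
+ BIGNUM *k, *kinv = NULL, *r = *rp;
+- BIGNUM *l, *m;
++ BIGNUM *l;
+ int ret = 0;
+- int q_bits;
++ int q_bits, q_words;
+
+ if (!dsa->p || !dsa->q || !dsa->g) {
+ DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
+@@ -191,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+
+ k = BN_new();
+ l = BN_new();
+- m = BN_new();
+- if (k == NULL || l == NULL || m == NULL)
++ if (k == NULL || l == NULL)
+ goto err;
+
+ if (ctx_in == NULL) {
+@@ -203,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+
+ /* Preallocate space */
+ q_bits = BN_num_bits(dsa->q);
+- if (!BN_set_bit(k, q_bits)
+- || !BN_set_bit(l, q_bits)
+- || !BN_set_bit(m, q_bits))
++ q_words = bn_get_top(dsa->q);
++ if (!bn_wexpand(k, q_words + 2)
++ || !bn_wexpand(l, q_words + 2))
+ goto err;
+
+ /* Get random k */
+@@ -240,14 +240,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the modulus.
+ *
+- * TODO: revisit the BN_copy aiming for a memory access agnostic
+- * conditional copy.
++ * There are some concerns about the efficacy of doing this. More
++ * specificly refer to the discussion starting with:
++ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
++ * The fix is to rework BN so these gymnastics aren't required.
+ */
+ if (!BN_add(l, k, dsa->q)
+- || !BN_add(m, l, dsa->q)
+- || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
++ || !BN_add(k, l, dsa->q))
+ goto err;
+
++ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
++
+ if ((dsa)->meth->bn_mod_exp != NULL) {
+ if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
+ dsa->method_mont_p))
+@@ -275,7 +278,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ BN_CTX_free(ctx);
+ BN_clear_free(k);
+ BN_clear_free(l);
+- BN_clear_free(m);
+ return ret;
+ }
+
+--
+2.17.0
+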
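Review bot: The patch header says one upstream section was dropped by hand, yet `Upstream-Status: Backport` names no upstream commit, and the embedded diffstat (15 insertions, 13 deletions) no longer matches the hunks actually carried. For a hand-edited security backport the tag should carry the source, e.g. `Upstream-Status: Backport [https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f]`. The opening note should also say which hunk of `crypto/dsa/dsa_ossl.c` was left out, so an auditor can confirm that only whitespace differs. Separately, the new comment above `BN_add(l, k, dsa->q)` records upstream's own concerns about the efficacy of this approach and points to a rework of BN, so this patch is best treated as a mitigation to revisit when upstream follows up.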
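diff --git a/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch b/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch
new file mode 100644
index 0000000000..b9865a69b5
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2018-0734
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 43e6a58d4991a451daf4891ff05a48735df871ac Mon Sep 17 00:00:00 2001
+From: Pauli <paul.dale@oracle.com>
+Date: Mon, 29 Oct 2018 08:24:22 +1000
+Subject: [PATCH] Merge DSA reallocation timing fix CVE-2018-0734.
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7513)
+---
+ crypto/dsa/dsa_ossl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
+index 2dcfedeeee..100e269268 100644
+--- a/crypto/dsa/dsa_ossl.c
++++ b/crypto/dsa/dsa_ossl.c
+@@ -279,7 +279,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+ goto err;
+
+ /* Preallocate space */
+- q_bits = BN_num_bits(dsa->q);
++ q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;
+ if (!BN_set_bit(&k, q_bits)
+ || !BN_set_bit(&l, q_bits)
+ || !BN_set_bit(&m, q_bits))
+--
+2.17.0
+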
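Review bot: Enlarging `q_bits` by two words may also change a later comparison in dsa_sign_setup, not just the preallocation. The pre-fix 1.1.1 code carried in this same commit uses it that way (`BN_copy(k, BN_num_bits(l) > q_bits ? l : m)`), and the 1.0.2p hunk shows the same `k`/`l`/`m` setup. If the 1.0.2p function has such a comparison below this hunk, it would now test against the inflated value instead of the bit length of q, so the fixed-length selection should be checked against the full function, which continues outside the hunk. Separating the two roles would remove the doubt: keep `q_bits = BN_num_bits(dsa->q);`, add `prealloc_bits = q_bits + sizeof(dsa->q->d[0]) * 16;`, and pass `prealloc_bits` to the three `BN_set_bit` calls. The bare `* 16` (two words expressed in bits) would also benefit from a one-line comment.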
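diff --git a/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb b/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
index 766110958e..4325940701 100644
--- a/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
+++ b/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
  file://0001-Fix-build-with-clang-using-external-assembler.patch \
  file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \
  file://0001-allow-manpages-to-be-disabled.patch \
+ file://0001-fix-CVE-2018-0734.patch \
  "
 
 SRC_URI_append_class-target = " \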
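diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
index af9038abd5..052f246aad 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
  file://run-ptest \
  file://openssl-c_rehash.sh \
  file://0001-skip-test_symbol_presence.patch \
+ file://0002-fix-CVE-2018-0734.patch \
  "
 
 SRC_URI_append_class-nativesdk = " \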