openssl: fix CVE-2018-0734 for both 1.0.2p and 1.1.1

Backport patches to fix CVE-2018-0734 for both openssl 1.0.2p and 1.1.1 versions. (From OE-Core rev: 9d5c6a87eb72a8b8b8d417126a831565982ca9a6) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2018-11-02 16:02:13 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-07 23:08:54 +0000
commit: d5fe5c654b7d36dcbea03231320cb6edbb6788c0 (patch)
tree: aa8253e0c986fbcb91618d14b0b29056720b61e6 /meta/recipes-connectivity/openssl
parent: 05c548c5f41cb7aa74984a0697b8ee8e0dceeb20 (diff)
download: poky-d5fe5c654b7d36dcbea03231320cb6edbb6788c0.tar.gz
4 files changed, 143 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch b/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
new file mode 100644
index 0000000000..2a3e03fe2a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
@@ -0,0 +1,108 @@
+Backport patch to fix CVE-2018-0734. Remove a section which only remove a
+space. It can't be applied because the context is different.
+CVE: CVE-2018-0734
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 8abfe72e8c1de1b95f50aa0d9134803b4d00070f Mon Sep 17 00:00:00 2001
+From: Pauli <paul.dale@oracle.com>
+Date: Wed, 24 Oct 2018 07:42:46 +1000
+Subject: [PATCH] Timing vulnerability in DSA signature generation
+ (CVE-2018-0734).
+Avoid a timing attack that leaks information via a side channel that
+triggers when a BN is resized.  Increasing the size of the BNs
+prior to doing anything with them suppresses the attack.
+Thanks due to Samuel Weiser for finding and locating this.
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+(Merged from https://github.com/openssl/openssl/pull/7486)
+(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)
+---
+ crypto/dsa/dsa_ossl.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
+index ca20811200..2dd2d7489a 100644
+--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
+@@ -9,6 +9,7 @@
+ 
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
+#include "internal/bn_int.h"
+ #include <openssl/bn.h>
+ #include <openssl/sha.h>
+ #include "dsa_locl.h"
+@@ -180,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ {
+     BN_CTX *ctx = NULL;
+     BIGNUM *k, *kinv = NULL, *r = *rp;
+-    BIGNUM *l, *m;
+    BIGNUM *l;
+     int ret = 0;
+-    int q_bits;
+    int q_bits, q_words;
+ 
+     if (!dsa->p || !dsa->q || !dsa->g) {
+         DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
+@@ -191,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ 
+     k = BN_new();
+     l = BN_new();
+-    m = BN_new();
+-    if (k == NULL || l == NULL || m == NULL)
+    if (k == NULL || l == NULL)
+         goto err;
+ 
+     if (ctx_in == NULL) {
+@@ -203,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ 
+     /* Preallocate space */
+     q_bits = BN_num_bits(dsa->q);
+-    if (!BN_set_bit(k, q_bits)
+-        || !BN_set_bit(l, q_bits)
+-        || !BN_set_bit(m, q_bits))
+    q_words = bn_get_top(dsa->q);
+    if (!bn_wexpand(k, q_words + 2)
+        || !bn_wexpand(l, q_words + 2))
+         goto err;
+ 
+     /* Get random k */
+@@ -240,14 +240,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+      * small timing information leakage.  We then choose the sum that is
+      * one bit longer than the modulus.
+      *
+-     * TODO: revisit the BN_copy aiming for a memory access agnostic
+-     * conditional copy.
+     * There are some concerns about the efficacy of doing this.  More
+     * specificly refer to the discussion starting with:
+     *     https://github.com/openssl/openssl/pull/7486#discussion_r228323705
+     * The fix is to rework BN so these gymnastics aren't required.
+      */
+     if (!BN_add(l, k, dsa->q)
+-        || !BN_add(m, l, dsa->q)
+-        || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
+        || !BN_add(k, l, dsa->q))
+         goto err;
+ 
+    BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
+
+     if ((dsa)->meth->bn_mod_exp != NULL) {
+             if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
+                                        dsa->method_mont_p))
+@@ -275,7 +278,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+         BN_CTX_free(ctx);
+     BN_clear_free(k);
+     BN_clear_free(l);
+-    BN_clear_free(m);
+     return ret;
+ }
+ 
+-- 
+2.17.0
diff --git a/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch b/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch
new file mode 100644
index 0000000000..b9865a69b5
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2018-0734
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 43e6a58d4991a451daf4891ff05a48735df871ac Mon Sep 17 00:00:00 2001
+From: Pauli <paul.dale@oracle.com>
+Date: Mon, 29 Oct 2018 08:24:22 +1000
+Subject: [PATCH] Merge DSA reallocation timing fix CVE-2018-0734.
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7513)
+---
+ crypto/dsa/dsa_ossl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
+index 2dcfedeeee..100e269268 100644
+--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
+@@ -279,7 +279,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+         goto err;
+ 
+     /* Preallocate space */
+-    q_bits = BN_num_bits(dsa->q);
+    q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;
+     if (!BN_set_bit(&k, q_bits)
+         || !BN_set_bit(&l, q_bits)
+         || !BN_set_bit(&m, q_bits))
+-- 
+2.17.0
diff --git a/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb b/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
index 766110958e..4325940701 100644
--- a/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
+++ b/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://0001-Fix-build-with-clang-using-external-assembler.patch \
           file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \
           file://0001-allow-manpages-to-be-disabled.patch \
+           file://0001-fix-CVE-2018-0734.patch \
           "
 SRC_URI_append_class-target = " \
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
index af9038abd5..052f246aad 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://run-ptest \
           file://openssl-c_rehash.sh \
           file://0001-skip-test_symbol_presence.patch \
+           file://0002-fix-CVE-2018-0734.patch \
           "
 SRC_URI_append_class-nativesdk = " \
author	Kai Kang <kai.kang@windriver.com>	2018-11-02 16:02:13 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-11-07 23:08:54 +0000
commit	d5fe5c654b7d36dcbea03231320cb6edbb6788c0 (patch)
tree	aa8253e0c986fbcb91618d14b0b29056720b61e6 /meta/recipes-connectivity/openssl
parent	05c548c5f41cb7aa74984a0697b8ee8e0dceeb20 (diff)
download	poky-d5fe5c654b7d36dcbea03231320cb6edbb6788c0.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch b/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch new file mode 100644 index 0000000000..2a3e03fe2a --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
@@ -0,0 +1,108 @@
		1	Backport patch to fix CVE-2018-0734. Remove a section which only remove a
		2	space. It can't be applied because the context is different.
		3
		4	CVE: CVE-2018-0734
		5	Upstream-Status: Backport
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8
		9	From 8abfe72e8c1de1b95f50aa0d9134803b4d00070f Mon Sep 17 00:00:00 2001
		10	From: Pauli <paul.dale@oracle.com>
		11	Date: Wed, 24 Oct 2018 07:42:46 +1000
		12	Subject: [PATCH] Timing vulnerability in DSA signature generation
		13	(CVE-2018-0734).
		14
		15	Avoid a timing attack that leaks information via a side channel that
		16	triggers when a BN is resized. Increasing the size of the BNs
		17	prior to doing anything with them suppresses the attack.
		18
		19	Thanks due to Samuel Weiser for finding and locating this.
		20
		21	Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
		22	(Merged from https://github.com/openssl/openssl/pull/7486)
		23
		24	(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)
		25	---
		26	crypto/dsa/dsa_ossl.c \| 28 +++++++++++++++-------------
		27	1 file changed, 15 insertions(+), 13 deletions(-)
		28
		29	diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
		30	index ca20811200..2dd2d7489a 100644
		31	--- a/crypto/dsa/dsa_ossl.c
		32	+++ b/crypto/dsa/dsa_ossl.c
		33	@@ -9,6 +9,7 @@
		34
		35	#include <stdio.h>
		36	#include "internal/cryptlib.h"
		37	+#include "internal/bn_int.h"
		38	#include <openssl/bn.h>
		39	#include <openssl/sha.h>
		40	#include "dsa_locl.h"
		41	@@ -180,9 +181,9 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
		42	{
		43	BN_CTX *ctx = NULL;
		44	BIGNUM k, kinv = NULL, r = rp;
		45	- BIGNUM l, m;
		46	+ BIGNUM *l;
		47	int ret = 0;
		48	- int q_bits;
		49	+ int q_bits, q_words;
		50
		51	if (!dsa->p \|\| !dsa->q \|\| !dsa->g) {
		52	DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
		53	@@ -191,8 +192,7 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
		54
		55	k = BN_new();
		56	l = BN_new();
		57	- m = BN_new();
		58	- if (k == NULL \|\| l == NULL \|\| m == NULL)
		59	+ if (k == NULL \|\| l == NULL)
		60	goto err;
		61
		62	if (ctx_in == NULL) {
		63	@@ -203,9 +203,9 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
		64
		65	/* Preallocate space */
		66	q_bits = BN_num_bits(dsa->q);
		67	- if (!BN_set_bit(k, q_bits)
		68	- \|\| !BN_set_bit(l, q_bits)
		69	- \|\| !BN_set_bit(m, q_bits))
		70	+ q_words = bn_get_top(dsa->q);
		71	+ if (!bn_wexpand(k, q_words + 2)
		72	+ \|\| !bn_wexpand(l, q_words + 2))
		73	goto err;
		74
		75	/* Get random k */
		76	@@ -240,14 +240,17 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
		77	* small timing information leakage. We then choose the sum that is
		78	* one bit longer than the modulus.
		79	*
		80	- * TODO: revisit the BN_copy aiming for a memory access agnostic
		81	- * conditional copy.
		82	+ * There are some concerns about the efficacy of doing this. More
		83	+ * specificly refer to the discussion starting with:
		84	+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
		85	+ * The fix is to rework BN so these gymnastics aren't required.
		86	*/
		87	if (!BN_add(l, k, dsa->q)
		88	- \|\| !BN_add(m, l, dsa->q)
		89	- \|\| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
		90	+ \|\| !BN_add(k, l, dsa->q))
		91	goto err;
		92
		93	+ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
		94	+
		95	if ((dsa)->meth->bn_mod_exp != NULL) {
		96	if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
		97	dsa->method_mont_p))
		98	@@ -275,7 +278,6 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
		99	BN_CTX_free(ctx);
		100	BN_clear_free(k);
		101	BN_clear_free(l);
		102	- BN_clear_free(m);
		103	return ret;
		104	}
		105
		106	--
		107	2.17.0
		108


diff --git a/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch b/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch new file mode 100644 index 0000000000..b9865a69b5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch
@@ -0,0 +1,33 @@
		1	CVE: CVE-2018-0734
		2
		3	Upstream-Status: Backport
		4
		5	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		6
		7	From 43e6a58d4991a451daf4891ff05a48735df871ac Mon Sep 17 00:00:00 2001
		8	From: Pauli <paul.dale@oracle.com>
		9	Date: Mon, 29 Oct 2018 08:24:22 +1000
		10	Subject: [PATCH] Merge DSA reallocation timing fix CVE-2018-0734.
		11
		12	Reviewed-by: Richard Levitte <levitte@openssl.org>
		13	(Merged from https://github.com/openssl/openssl/pull/7513)
		14	---
		15	crypto/dsa/dsa_ossl.c \| 2 +-
		16	1 file changed, 1 insertion(+), 1 deletion(-)
		17
		18	diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
		19	index 2dcfedeeee..100e269268 100644
		20	--- a/crypto/dsa/dsa_ossl.c
		21	+++ b/crypto/dsa/dsa_ossl.c
		22	@@ -279,7 +279,7 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM **kinvp,
		23	goto err;
		24
		25	/* Preallocate space */
		26	- q_bits = BN_num_bits(dsa->q);
		27	+ q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;
		28	if (!BN_set_bit(&k, q_bits)
		29	\|\| !BN_set_bit(&l, q_bits)
		30	\|\| !BN_set_bit(&m, q_bits))
		31	--
		32	2.17.0
		33


diff --git a/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb b/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb index 766110958e..4325940701 100644 --- a/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb +++ b/meta/recipes-connectivity/openssl/openssl10_1.0.2p.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
40	file://0001-Fix-build-with-clang-using-external-assembler.patch \	40	file://0001-Fix-build-with-clang-using-external-assembler.patch \
41	file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \	41	file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \
42	file://0001-allow-manpages-to-be-disabled.patch \	42	file://0001-allow-manpages-to-be-disabled.patch \
		43	file://0001-fix-CVE-2018-0734.patch \
43	"	44	"
44		45
45	SRC_URI_append_class-target = " \	46	SRC_URI_append_class-target = " \


diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb index af9038abd5..052f246aad 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
15	file://run-ptest \	15	file://run-ptest \
16	file://openssl-c_rehash.sh \	16	file://openssl-c_rehash.sh \
17	file://0001-skip-test_symbol_presence.patch \	17	file://0001-skip-test_symbol_presence.patch \
		18	file://0002-fix-CVE-2018-0734.patch \
18	"	19	"
19		20
20	SRC_URI_append_class-nativesdk = " \	21	SRC_URI_append_class-nativesdk = " \