gnupg: CVE-2013-4576

GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE. (From OE-Core rev: 46b80c80b0e008820b34f4360054e1697df2650d) Signed-off-by: Yong Zhang <yong.zhang@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yong Zhang <yong.zhang@windriver.com> 2014-03-26 16:32:13 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-03-27 09:42:05 +0000
commit: 0ba78399f462618156c5853822eb8d73a297289b (patch)
tree: e748b065854411148d488552d74c7f7b4ba9a683 /meta/recipes-support
parent: 0abd9418b1bb15555457eafef1c8ac9670de39a0 (diff)
download: poky-0ba78399f462618156c5853822eb8d73a297289b.tar.gz
2 files changed, 154 insertions, 0 deletions
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 0000000000..b1a22f5853
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c       2006-12-12 02:27:21.000000000 +0800
+++ gnupg-1.4.7/cipher/dsa.c    2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+     MPI kinv;
+     MPI tmp;
+ 
+    mpi_normalize (hash);
+
+     /* select a random k with 0 < k < q */
+     k = gen_k( skey->q );
+ 
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c   2006-12-12 03:08:05.000000000 +0800
+++ gnupg-1.4.7/cipher/elgamal.c        2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+ {
+     MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+ 
+    mpi_normalize (a);
+    mpi_normalize (b);
+
+     /* output = b/(a^x) mod p */
+     mpi_powm( t1, a, skey->x, skey->p );
+     mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c    2006-11-03 18:09:39.000000000 +0800
+++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+ }
+ 
+ 
+/* Randomize the MPI */ 
+void
+randomize_mpi (MPI mpi, size_t nbits, int level)
+{
+  unsigned char *buffer;
+
+  buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
+  mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
+  xfree (buffer);
+}
+
+
+ int
+ random_is_faked()
+ {
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h    2006-02-09 19:29:29.000000000 +0800
+++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+ int  random_is_faked(void);
+ void random_disable_locking (void);
+ void randomize_buffer( byte *buffer, size_t length, int level );
+void randomize_mpi (MPI mpi, size_t nbits, int level);
+ byte *get_random_bits( size_t nbits, int level, int secure );
+ void fast_random_poll( void );
+ 
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c       2006-12-12 03:09:00.000000000 +0800
+++ gnupg-1.4.7/cipher/rsa.c    2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+ #if 0
+     mpi_powm( output, input, skey->d, skey->n );
+ #else
+-    MPI m1   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-    MPI m2   = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+-    MPI h    = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+    int nlimbs = mpi_get_nlimbs (skey->n)+1;
+    MPI m1   = mpi_alloc_secure (nlimbs);
+    MPI m2   = mpi_alloc_secure (nlimbs);
+    MPI h    = mpi_alloc_secure (nlimbs);
+# if 1
+    MPI bdata= mpi_alloc_secure (nlimbs);
+    MPI r    = mpi_alloc_secure (nlimbs);
+# endif
+
+    /* Remove superfluous leading zeroes from INPUT.  */
+    mpi_normalize (input);
+
+# if 1 
+    /* Blind:  bdata = (data * r^e) mod n   */
+    randomize_mpi (r, mpi_get_nbits (skey->n), 0);
+    mpi_fdiv_r (r, r, skey->n);
+    mpi_powm (bdata, r, skey->e, skey->n);
+    mpi_mulm (bdata, bdata, input, skey->n);
+    input = bdata;
+# endif
+ 
+     /* m1 = c ^ (d mod (p-1)) mod p */
+     mpi_sub_ui( h, skey->p, 1  );
+@@ -321,8 +338,15 @@
+     /* m = m2 + h * p */
+     mpi_mul ( h, h, skey->p );
+     mpi_add ( output, m1, h );
+-    /* ready */
+-    
+
+# if 1
+    mpi_free (bdata);
+    /* Unblind: output = (output * r^(-1)) mod n  */
+    mpi_invm (r, r, skey->n);
+    mpi_mulm (output, output, r, skey->n);
+    mpi_free (r);
+# endif
+
+     mpi_free ( h );
+     mpi_free ( m1 );
+     mpi_free ( m2 );
+@@ -397,6 +421,7 @@
+ rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+ {
+     RSA_secret_key sk;
+    MPI input;
+ 
+     if( algo != 1 && algo != 2 )
+        return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+     sk.p = skey[3];
+     sk.q = skey[4];
+     sk.u = skey[5];
+-    *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+-    secret( *result, data[0], &sk );
+
+    /* Mitigates side-channel attacks (CVE-2013-4576).  */
+    input = mpi_alloc (0);
+    mpi_normalize (data[0]);
+    mpi_fdiv_r (input, data[0], sk.n);
+    *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
+    secret (*result, input, &sk);
+    mpi_free (input);
+     return 0;
+ }
+ 
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
+++ gnupg-1.4.7/g10/gpgv.c      2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+ void random_dump_stats(void) {}
+ int quick_random_gen( int onoff ) { return -1;}
+ void randomize_buffer( byte *buffer, size_t length, int level ) {}
+void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+ int random_is_faked() { return -1;}
+ byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+ void set_random_seed_file( const char *name ) {}
diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
index 83d8fabb5d..e8f797d4f4 100644
--- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
           file://GnuPG1-CVE-2012-6085.patch \
           file://curl_typeof_fix_backport.patch \
           file://CVE-2013-4351.patch \
+           file://CVE-2013-4576.patch \
          "
 SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"
author	Yong Zhang <yong.zhang@windriver.com>	2014-03-26 16:32:13 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-03-27 09:42:05 +0000
commit	0ba78399f462618156c5853822eb8d73a297289b (patch)
tree	e748b065854411148d488552d74c7f7b4ba9a683 /meta/recipes-support
parent	0abd9418b1bb15555457eafef1c8ac9670de39a0 (diff)
download	poky-0ba78399f462618156c5853822eb8d73a297289b.tar.gz

diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch new file mode 100644 index 0000000000..b1a22f5853 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
		1	Upstream-Status: Backport
		2
		3	Index: gnupg-1.4.7/cipher/dsa.c
		4	===================================================================
		5	--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
		6	+++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
		7	@@ -287,6 +287,8 @@
		8	MPI kinv;
		9	MPI tmp;
		10
		11	+ mpi_normalize (hash);
		12	+
		13	/* select a random k with 0 < k < q */
		14	k = gen_k( skey->q );
		15
		16	Index: gnupg-1.4.7/cipher/elgamal.c
		17	===================================================================
		18	--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
		19	+++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
		20	@@ -376,6 +376,9 @@
		21	{
		22	MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
		23
		24	+ mpi_normalize (a);
		25	+ mpi_normalize (b);
		26	+
		27	/* output = b/(a^x) mod p */
		28	mpi_powm( t1, a, skey->x, skey->p );
		29	mpi_invm( t1, t1, skey->p );
		30	Index: gnupg-1.4.7/cipher/random.c
		31	===================================================================
		32	--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
		33	+++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
		34	@@ -273,6 +273,18 @@
		35	}
		36
		37
		38	+/* Randomize the MPI */
		39	+void
		40	+randomize_mpi (MPI mpi, size_t nbits, int level)
		41	+{
		42	+ unsigned char *buffer;
		43	+
		44	+ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
		45	+ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
		46	+ xfree (buffer);
		47	+}
		48	+
		49	+
		50	int
		51	random_is_faked()
		52	{
		53	Index: gnupg-1.4.7/cipher/random.h
		54	===================================================================
		55	--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
		56	+++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
		57	@@ -32,6 +32,7 @@
		58	int random_is_faked(void);
		59	void random_disable_locking (void);
		60	void randomize_buffer( byte *buffer, size_t length, int level );
		61	+void randomize_mpi (MPI mpi, size_t nbits, int level);
		62	byte *get_random_bits( size_t nbits, int level, int secure );
		63	void fast_random_poll( void );
		64
		65	Index: gnupg-1.4.7/cipher/rsa.c
		66	===================================================================
		67	--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
		68	+++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
		69	@@ -301,9 +301,26 @@
		70	#if 0
		71	mpi_powm( output, input, skey->d, skey->n );
		72	#else
		73	- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		74	- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		75	- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
		76	+ int nlimbs = mpi_get_nlimbs (skey->n)+1;
		77	+ MPI m1 = mpi_alloc_secure (nlimbs);
		78	+ MPI m2 = mpi_alloc_secure (nlimbs);
		79	+ MPI h = mpi_alloc_secure (nlimbs);
		80	+# if 1
		81	+ MPI bdata= mpi_alloc_secure (nlimbs);
		82	+ MPI r = mpi_alloc_secure (nlimbs);
		83	+# endif
		84	+
		85	+ /* Remove superfluous leading zeroes from INPUT. */
		86	+ mpi_normalize (input);
		87	+
		88	+# if 1
		89	+ /* Blind: bdata = (data * r^e) mod n */
		90	+ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
		91	+ mpi_fdiv_r (r, r, skey->n);
		92	+ mpi_powm (bdata, r, skey->e, skey->n);
		93	+ mpi_mulm (bdata, bdata, input, skey->n);
		94	+ input = bdata;
		95	+# endif
		96
		97	/* m1 = c ^ (d mod (p-1)) mod p */
		98	mpi_sub_ui( h, skey->p, 1 );
		99	@@ -321,8 +338,15 @@
		100	/* m = m2 + h * p */
		101	mpi_mul ( h, h, skey->p );
		102	mpi_add ( output, m1, h );
		103	- /* ready */
		104	-
		105	+
		106	+# if 1
		107	+ mpi_free (bdata);
		108	+ /* Unblind: output = (output * r^(-1)) mod n */
		109	+ mpi_invm (r, r, skey->n);
		110	+ mpi_mulm (output, output, r, skey->n);
		111	+ mpi_free (r);
		112	+# endif
		113	+
		114	mpi_free ( h );
		115	mpi_free ( m1 );
		116	mpi_free ( m2 );
		117	@@ -397,6 +421,7 @@
		118	rsa_decrypt( int algo, MPI result, MPI data, MPI *skey )
		119	{
		120	RSA_secret_key sk;
		121	+ MPI input;
		122
		123	if( algo != 1 && algo != 2 )
		124	return G10ERR_PUBKEY_ALGO;
		125	@@ -407,8 +432,14 @@
		126	sk.p = skey[3];
		127	sk.q = skey[4];
		128	sk.u = skey[5];
		129	- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
		130	- secret( *result, data[0], &sk );
		131	+
		132	+ /* Mitigates side-channel attacks (CVE-2013-4576). */
		133	+ input = mpi_alloc (0);
		134	+ mpi_normalize (data[0]);
		135	+ mpi_fdiv_r (input, data[0], sk.n);
		136	+ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
		137	+ secret (*result, input, &sk);
		138	+ mpi_free (input);
		139	return 0;
		140	}
		141
		142	Index: gnupg-1.4.7/g10/gpgv.c
		143	===================================================================
		144	--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
		145	+++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
		146	@@ -390,6 +390,7 @@
		147	void random_dump_stats(void) {}
		148	int quick_random_gen( int onoff ) { return -1;}
		149	void randomize_buffer( byte *buffer, size_t length, int level ) {}
		150	+void randomize_mpi (MPI mpi, size_t nbits, int level) {}
		151	int random_is_faked() { return -1;}
		152	byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
		153	void set_random_seed_file( const char *name ) {}


diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb index 83d8fabb5d..e8f797d4f4 100644 --- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb +++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
16	file://GnuPG1-CVE-2012-6085.patch \	16	file://GnuPG1-CVE-2012-6085.patch \
17	file://curl_typeof_fix_backport.patch \	17	file://curl_typeof_fix_backport.patch \
18	file://CVE-2013-4351.patch \	18	file://CVE-2013-4351.patch \
		19	file://CVE-2013-4576.patch \
19	"	20	"
20		21
21	SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"	22	SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"