authorYong Zhang <yong.zhang@windriver.com>2014-03-26 16:32:13 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-03-27 09:42:05 +0000
commit0ba78399f462618156c5853822eb8d73a297289b (patch)
treee748b065854411148d488552d74c7f7b4ba9a683 /meta/recipes-support
parent0abd9418b1bb15555457eafef1c8ac9670de39a0 (diff)
downloadpoky-0ba78399f462618156c5853822eb8d73a297289b.tar.gz
gnupg: CVE-2013-4576
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of instructions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE. (From OE-Core rev: 46b80c80b0e008820b34f4360054e1697df2650d) Signed-off-by: Yong Zhang <yong.zhang@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r--meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch153
-rw-r--r--meta/recipes-support/gnupg/gnupg_1.4.7.bb1
2 files changed, 154 insertions, 0 deletions
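diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 0000000000..b1a22f5853
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
++++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+ MPI kinv;
+ MPI tmp;
+
++ mpi_normalize (hash);
++
+ /* select a random k with 0 < k < q */
+ k = gen_k( skey->q );
+
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
++++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+ {
+ MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+
++ mpi_normalize (a);
++ mpi_normalize (b);
++
+ /* output = b/(a^x) mod p */
+ mpi_powm( t1, a, skey->x, skey->p );
+ mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
++++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+ }
+
+
++/* Randomize the MPI */
++void
++randomize_mpi (MPI mpi, size_t nbits, int level)
++{
++ unsigned char *buffer;
++
++ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
++ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
++ xfree (buffer);
++}
++
++
+ int
+ random_is_faked()
+ {
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
++++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+ int random_is_faked(void);
+ void random_disable_locking (void);
+ void randomize_buffer( byte *buffer, size_t length, int level );
++void randomize_mpi (MPI mpi, size_t nbits, int level);
+ byte *get_random_bits( size_t nbits, int level, int secure );
+ void fast_random_poll( void );
+
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
++++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+ #if 0
+ mpi_powm( output, input, skey->d, skey->n );
+ #else
+- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
++ int nlimbs = mpi_get_nlimbs (skey->n)+1;
++ MPI m1 = mpi_alloc_secure (nlimbs);
++ MPI m2 = mpi_alloc_secure (nlimbs);
++ MPI h = mpi_alloc_secure (nlimbs);
++# if 1
++ MPI bdata= mpi_alloc_secure (nlimbs);
++ MPI r = mpi_alloc_secure (nlimbs);
++# endif
++
++ /* Remove superfluous leading zeroes from INPUT. */
++ mpi_normalize (input);
++
++# if 1
++ /* Blind: bdata = (data * r^e) mod n */
++ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
++ mpi_fdiv_r (r, r, skey->n);
++ mpi_powm (bdata, r, skey->e, skey->n);
++ mpi_mulm (bdata, bdata, input, skey->n);
++ input = bdata;
++# endif
+
+ /* m1 = c ^ (d mod (p-1)) mod p */
+ mpi_sub_ui( h, skey->p, 1 );
+@@ -321,8 +338,15 @@
+ /* m = m2 + h * p */
+ mpi_mul ( h, h, skey->p );
+ mpi_add ( output, m1, h );
+- /* ready */
+-
++
++# if 1
++ mpi_free (bdata);
++ /* Unblind: output = (output * r^(-1)) mod n */
++ mpi_invm (r, r, skey->n);
++ mpi_mulm (output, output, r, skey->n);
++ mpi_free (r);
++# endif
++
+ mpi_free ( h );
+ mpi_free ( m1 );
+ mpi_free ( m2 );
+@@ -397,6 +421,7 @@
+ rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+ {
+ RSA_secret_key sk;
++ MPI input;
+
+ if( algo != 1 && algo != 2 )
+ return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+ sk.p = skey[3];
+ sk.q = skey[4];
+ sk.u = skey[5];
+- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+- secret( *result, data[0], &sk );
++
++ /* Mitigates side-channel attacks (CVE-2013-4576). */
++ input = mpi_alloc (0);
++ mpi_normalize (data[0]);
++ mpi_fdiv_r (input, data[0], sk.n);
++ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
++ secret (*result, input, &sk);
++ mpi_free (input);
+ return 0;
+ }
+
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
++++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+ void random_dump_stats(void) {}
+ int quick_random_gen( int onoff ) { return -1;}
+ void randomize_buffer( byte *buffer, size_t length, int level ) {}
++void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+ int random_is_faked() { return -1;}
+ byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+ void set_random_seed_file( const char *name ) {}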
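Review bot: In `randomize_mpi` (the cipher/random.c part of the added patch), the temporary `buffer` holds the raw bytes of the RSA blinding factor and is released with a plain `xfree (buffer)` without being cleared, so the value `secret()` uses to mask the private-key operation may stay readable in freed heap memory. Whether `get_random_bits` returns secure memory when called with `level` 0, as the rsa.c hunk does, is not visible on this page, so I would not rely on it. Clearing the buffer before the free would close that gap, e.g. `wipememory (buffer, (nbits+7)/8);` ahead of `xfree (buffer);` if that helper is available in this tree. The function comment `/* Randomize the MPI */` could also say that the result serves as a blinding value, so later callers keep treating it as secret.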
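diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
index 83d8fabb5d..e8f797d4f4 100644
--- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
  file://GnuPG1-CVE-2012-6085.patch \
  file://curl_typeof_fix_backport.patch \
  file://CVE-2013-4351.patch \
+ file://CVE-2013-4576.patch \
  "
 
 SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"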