diff options
author | Trevor Gamblin <trevor.gamblin@windriver.com> | 2019-11-05 08:05:52 -0500 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-13 22:02:15 +0000 |
commit | f3ba167c21e018e854910aafd8a7c3f17bbefb4f (patch) | |
tree | 76d7dc62e6433ff3aaff2502b8e4cd9c031826d2 /meta | |
parent | 6949ba6d41b82a04f81d20c783dce283d7431ebe (diff) | |
download | poky-f3ba167c21e018e854910aafd8a7c3f17bbefb4f.tar.gz |
libgcrypt: fix CVE-2019-13627
Backport two fixes for CVE-2019-13627 from upstream
to zeus.
(From OE-Core rev: 3361760dbb46cca2e00f053286404b5df39590b3)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
3 files changed, 200 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch new file mode 100644 index 0000000000..211e041303 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch | |||
@@ -0,0 +1,128 @@ | |||
1 | From db4e9976cc31b314aafad6626b2894e86ee44d60 Mon Sep 17 00:00:00 2001 | ||
2 | From: NIIBE Yutaka <gniibe@fsij.org> | ||
3 | Date: Thu, 8 Aug 2019 17:42:02 +0900 | ||
4 | Subject: [PATCH] dsa,ecdsa: Fix use of nonce, use larger one. | ||
5 | |||
6 | Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc3] | ||
7 | CVE: CVE-2019-13627 | ||
8 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
9 | |||
10 | * cipher/dsa-common.c (_gcry_dsa_modify_k): New. | ||
11 | * cipher/pubkey-internal.h (_gcry_dsa_modify_k): New. | ||
12 | * cipher/dsa.c (sign): Use _gcry_dsa_modify_k. | ||
13 | * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise. | ||
14 | * cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise. | ||
15 | |||
16 | -- | ||
17 | |||
18 | Cherry-picked master commit of: | ||
19 | 7c2943309d14407b51c8166c4dcecb56a3628567 | ||
20 | |||
21 | CVE-id: CVE-2019-13627 | ||
22 | GnuPG-bug-id: 4626 | ||
23 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> | ||
24 | --- | ||
25 | cipher/dsa-common.c | 24 ++++++++++++++++++++++++ | ||
26 | cipher/dsa.c | 2 ++ | ||
27 | cipher/ecc-ecdsa.c | 10 +--------- | ||
28 | cipher/ecc-gost.c | 2 ++ | ||
29 | cipher/pubkey-internal.h | 1 + | ||
30 | 5 files changed, 30 insertions(+), 9 deletions(-) | ||
31 | |||
32 | diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c | ||
33 | index 8c0a6843..fe49248d 100644 | ||
34 | --- a/cipher/dsa-common.c | ||
35 | +++ b/cipher/dsa-common.c | ||
36 | @@ -29,6 +29,30 @@ | ||
37 | #include "pubkey-internal.h" | ||
38 | |||
39 | |||
40 | +/* | ||
41 | + * Modify K, so that computation time difference can be small, | ||
42 | + * by making K large enough. | ||
43 | + * | ||
44 | + * Originally, (EC)DSA computation requires k where 0 < k < q. Here, | ||
45 | + * we add q (the order), to keep k in a range: q < k < 2*q (or, | ||
46 | + * addming more q, to keep k in a range: 2*q < k < 3*q), so that | ||
47 | + * timing difference of the EC multiply (or exponentiation) operation | ||
48 | + * can be small. The result of (EC)DSA computation is same. | ||
49 | + */ | ||
50 | +void | ||
51 | +_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits) | ||
52 | +{ | ||
53 | + gcry_mpi_t k1 = mpi_new (qbits+2); | ||
54 | + | ||
55 | + mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB); | ||
56 | + k->nlimbs = k->alloced; | ||
57 | + mpi_add (k, k, q); | ||
58 | + mpi_add (k1, k, q); | ||
59 | + mpi_set_cond (k, k1, !mpi_test_bit (k, qbits)); | ||
60 | + | ||
61 | + mpi_free (k1); | ||
62 | +} | ||
63 | + | ||
64 | /* | ||
65 | * Generate a random secret exponent K less than Q. | ||
66 | * Note that ECDSA uses this code also to generate D. | ||
67 | diff --git a/cipher/dsa.c b/cipher/dsa.c | ||
68 | index 22d8d782..24a53528 100644 | ||
69 | --- a/cipher/dsa.c | ||
70 | +++ b/cipher/dsa.c | ||
71 | @@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey, | ||
72 | k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM); | ||
73 | } | ||
74 | |||
75 | + _gcry_dsa_modify_k (k, skey->q, qbits); | ||
76 | + | ||
77 | /* r = (a^k mod p) mod q */ | ||
78 | mpi_powm( r, skey->g, k, skey->p ); | ||
79 | mpi_fdiv_r( r, r, skey->q ); | ||
80 | diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c | ||
81 | index 84a1cf84..97966c3a 100644 | ||
82 | --- a/cipher/ecc-ecdsa.c | ||
83 | +++ b/cipher/ecc-ecdsa.c | ||
84 | @@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey, | ||
85 | else | ||
86 | k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); | ||
87 | |||
88 | - /* Originally, ECDSA computation requires k where 0 < k < n. | ||
89 | - * Here, we add n (the order of curve), to keep k in a | ||
90 | - * range: n < k < 2*n, or, addming more n, keep k in a range: | ||
91 | - * 2*n < k < 3*n, so that timing difference of the EC | ||
92 | - * multiply operation can be small. The result is same. | ||
93 | - */ | ||
94 | - mpi_add (k, k, skey->E.n); | ||
95 | - if (!mpi_test_bit (k, qbits)) | ||
96 | - mpi_add (k, k, skey->E.n); | ||
97 | + _gcry_dsa_modify_k (k, skey->E.n, qbits); | ||
98 | |||
99 | _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); | ||
100 | if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) | ||
101 | diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c | ||
102 | index a34fa084..0362a6c7 100644 | ||
103 | --- a/cipher/ecc-gost.c | ||
104 | +++ b/cipher/ecc-gost.c | ||
105 | @@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey, | ||
106 | mpi_free (k); | ||
107 | k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); | ||
108 | |||
109 | + _gcry_dsa_modify_k (k, skey->E.n, qbits); | ||
110 | + | ||
111 | _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); | ||
112 | if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) | ||
113 | { | ||
114 | diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h | ||
115 | index b8167c77..d31e26f3 100644 | ||
116 | --- a/cipher/pubkey-internal.h | ||
117 | +++ b/cipher/pubkey-internal.h | ||
118 | @@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded, | ||
119 | |||
120 | |||
121 | /*-- dsa-common.c --*/ | ||
122 | +void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits); | ||
123 | gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level); | ||
124 | gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k, | ||
125 | gcry_mpi_t dsa_q, gcry_mpi_t dsa_x, | ||
126 | -- | ||
127 | 2.23.0 | ||
128 | |||
diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch new file mode 100644 index 0000000000..db5a55ed26 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 Mon Sep 17 00:00:00 2001 | ||
2 | From: NIIBE Yutaka <gniibe@fsij.org> | ||
3 | Date: Wed, 17 Jul 2019 12:44:50 +0900 | ||
4 | Subject: [PATCH] ecc: Add mitigation against timing attack. | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78c] | ||
10 | CVE: CVE-2019-13627 | ||
11 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
12 | |||
13 | * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K. | ||
14 | * mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger. | ||
15 | |||
16 | -- | ||
17 | |||
18 | Cherry-picked master commit of: | ||
19 | b9577f7c89b4327edc09f2231bc8b31521102c79 | ||
20 | |||
21 | CVE-id: CVE-2019-13627 | ||
22 | GnuPG-bug-id: 4626 | ||
23 | Co-authored-by: Ján Jančár <johny@neuromancer.sk> | ||
24 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> | ||
25 | --- | ||
26 | cipher/ecc-ecdsa.c | 10 ++++++++++ | ||
27 | mpi/ec.c | 6 +++++- | ||
28 | 2 files changed, 15 insertions(+), 1 deletion(-) | ||
29 | |||
30 | diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c | ||
31 | index 140e8c09..84a1cf84 100644 | ||
32 | --- a/cipher/ecc-ecdsa.c | ||
33 | +++ b/cipher/ecc-ecdsa.c | ||
34 | @@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey, | ||
35 | else | ||
36 | k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); | ||
37 | |||
38 | + /* Originally, ECDSA computation requires k where 0 < k < n. | ||
39 | + * Here, we add n (the order of curve), to keep k in a | ||
40 | + * range: n < k < 2*n, or, addming more n, keep k in a range: | ||
41 | + * 2*n < k < 3*n, so that timing difference of the EC | ||
42 | + * multiply operation can be small. The result is same. | ||
43 | + */ | ||
44 | + mpi_add (k, k, skey->E.n); | ||
45 | + if (!mpi_test_bit (k, qbits)) | ||
46 | + mpi_add (k, k, skey->E.n); | ||
47 | + | ||
48 | _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); | ||
49 | if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) | ||
50 | { | ||
51 | diff --git a/mpi/ec.c b/mpi/ec.c | ||
52 | index 89077cd9..adb02600 100644 | ||
53 | --- a/mpi/ec.c | ||
54 | +++ b/mpi/ec.c | ||
55 | @@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result, | ||
56 | unsigned int nbits; | ||
57 | int j; | ||
58 | |||
59 | - nbits = mpi_get_nbits (scalar); | ||
60 | + if (mpi_cmp (scalar, ctx->p) >= 0) | ||
61 | + nbits = mpi_get_nbits (scalar); | ||
62 | + else | ||
63 | + nbits = mpi_get_nbits (ctx->p); | ||
64 | + | ||
65 | if (ctx->model == MPI_EC_WEIERSTRASS) | ||
66 | { | ||
67 | mpi_set_ui (result->x, 1); | ||
68 | -- | ||
69 | 2.23.0 | ||
70 | |||
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb index 11d078d44a..1bd355133e 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb | |||
@@ -24,6 +24,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ | |||
24 | file://0001-Prefetch-GCM-look-up-tables.patch \ | 24 | file://0001-Prefetch-GCM-look-up-tables.patch \ |
25 | file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ | 25 | file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ |
26 | file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ | 26 | file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ |
27 | file://0001-ecc-Add-mitigation-against-timing-attack.patch \ | ||
28 | file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \ | ||
27 | " | 29 | " |
28 | SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" | 30 | SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" |
29 | SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" | 31 | SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" |