summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorTrevor Gamblin <trevor.gamblin@windriver.com>2019-11-05 08:05:52 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-13 22:02:15 +0000
commitf3ba167c21e018e854910aafd8a7c3f17bbefb4f (patch)
tree76d7dc62e6433ff3aaff2502b8e4cd9c031826d2 /meta
parent6949ba6d41b82a04f81d20c783dce283d7431ebe (diff)
downloadpoky-f3ba167c21e018e854910aafd8a7c3f17bbefb4f.tar.gz
libgcrypt: fix CVE-2019-13627
Backport two fixes for CVE-2019-13627 from upstream to zeus. (From OE-Core rev: 3361760dbb46cca2e00f053286404b5df39590b3) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch128
-rw-r--r--meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch70
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb2
3 files changed, 200 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
new file mode 100644
index 0000000000..211e041303
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
@@ -0,0 +1,128 @@
1From db4e9976cc31b314aafad6626b2894e86ee44d60 Mon Sep 17 00:00:00 2001
2From: NIIBE Yutaka <gniibe@fsij.org>
3Date: Thu, 8 Aug 2019 17:42:02 +0900
4Subject: [PATCH] dsa,ecdsa: Fix use of nonce, use larger one.
5
6Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc3]
7CVE: CVE-2019-13627
8Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
9
10* cipher/dsa-common.c (_gcry_dsa_modify_k): New.
11* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
12* cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
13* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
14* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
15
16--
17
18Cherry-picked master commit of:
19 7c2943309d14407b51c8166c4dcecb56a3628567
20
21CVE-id: CVE-2019-13627
22GnuPG-bug-id: 4626
23Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
24---
25 cipher/dsa-common.c | 24 ++++++++++++++++++++++++
26 cipher/dsa.c | 2 ++
27 cipher/ecc-ecdsa.c | 10 +---------
28 cipher/ecc-gost.c | 2 ++
29 cipher/pubkey-internal.h | 1 +
30 5 files changed, 30 insertions(+), 9 deletions(-)
31
32diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
33index 8c0a6843..fe49248d 100644
34--- a/cipher/dsa-common.c
35+++ b/cipher/dsa-common.c
36@@ -29,6 +29,30 @@
37 #include "pubkey-internal.h"
38
39
40+/*
41+ * Modify K, so that computation time difference can be small,
42+ * by making K large enough.
43+ *
44+ * Originally, (EC)DSA computation requires k where 0 < k < q. Here,
45+ * we add q (the order), to keep k in a range: q < k < 2*q (or,
46+ * addming more q, to keep k in a range: 2*q < k < 3*q), so that
47+ * timing difference of the EC multiply (or exponentiation) operation
48+ * can be small. The result of (EC)DSA computation is same.
49+ */
50+void
51+_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
52+{
53+ gcry_mpi_t k1 = mpi_new (qbits+2);
54+
55+ mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
56+ k->nlimbs = k->alloced;
57+ mpi_add (k, k, q);
58+ mpi_add (k1, k, q);
59+ mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
60+
61+ mpi_free (k1);
62+}
63+
64 /*
65 * Generate a random secret exponent K less than Q.
66 * Note that ECDSA uses this code also to generate D.
67diff --git a/cipher/dsa.c b/cipher/dsa.c
68index 22d8d782..24a53528 100644
69--- a/cipher/dsa.c
70+++ b/cipher/dsa.c
71@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
72 k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
73 }
74
75+ _gcry_dsa_modify_k (k, skey->q, qbits);
76+
77 /* r = (a^k mod p) mod q */
78 mpi_powm( r, skey->g, k, skey->p );
79 mpi_fdiv_r( r, r, skey->q );
80diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
81index 84a1cf84..97966c3a 100644
82--- a/cipher/ecc-ecdsa.c
83+++ b/cipher/ecc-ecdsa.c
84@@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
85 else
86 k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
87
88- /* Originally, ECDSA computation requires k where 0 < k < n.
89- * Here, we add n (the order of curve), to keep k in a
90- * range: n < k < 2*n, or, addming more n, keep k in a range:
91- * 2*n < k < 3*n, so that timing difference of the EC
92- * multiply operation can be small. The result is same.
93- */
94- mpi_add (k, k, skey->E.n);
95- if (!mpi_test_bit (k, qbits))
96- mpi_add (k, k, skey->E.n);
97+ _gcry_dsa_modify_k (k, skey->E.n, qbits);
98
99 _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
100 if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
101diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
102index a34fa084..0362a6c7 100644
103--- a/cipher/ecc-gost.c
104+++ b/cipher/ecc-gost.c
105@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey,
106 mpi_free (k);
107 k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
108
109+ _gcry_dsa_modify_k (k, skey->E.n, qbits);
110+
111 _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
112 if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
113 {
114diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
115index b8167c77..d31e26f3 100644
116--- a/cipher/pubkey-internal.h
117+++ b/cipher/pubkey-internal.h
118@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded,
119
120
121 /*-- dsa-common.c --*/
122+void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
123 gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
124 gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
125 gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
126--
1272.23.0
128
diff --git a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
new file mode 100644
index 0000000000..db5a55ed26
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
@@ -0,0 +1,70 @@
1From d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 Mon Sep 17 00:00:00 2001
2From: NIIBE Yutaka <gniibe@fsij.org>
3Date: Wed, 17 Jul 2019 12:44:50 +0900
4Subject: [PATCH] ecc: Add mitigation against timing attack.
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78c]
10CVE: CVE-2019-13627
11Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
12
13* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
14* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.
15
16--
17
18Cherry-picked master commit of:
19 b9577f7c89b4327edc09f2231bc8b31521102c79
20
21CVE-id: CVE-2019-13627
22GnuPG-bug-id: 4626
23Co-authored-by: Ján Jančár <johny@neuromancer.sk>
24Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
25---
26 cipher/ecc-ecdsa.c | 10 ++++++++++
27 mpi/ec.c | 6 +++++-
28 2 files changed, 15 insertions(+), 1 deletion(-)
29
30diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
31index 140e8c09..84a1cf84 100644
32--- a/cipher/ecc-ecdsa.c
33+++ b/cipher/ecc-ecdsa.c
34@@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
35 else
36 k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
37
38+ /* Originally, ECDSA computation requires k where 0 < k < n.
39+ * Here, we add n (the order of curve), to keep k in a
40+ * range: n < k < 2*n, or, addming more n, keep k in a range:
41+ * 2*n < k < 3*n, so that timing difference of the EC
42+ * multiply operation can be small. The result is same.
43+ */
44+ mpi_add (k, k, skey->E.n);
45+ if (!mpi_test_bit (k, qbits))
46+ mpi_add (k, k, skey->E.n);
47+
48 _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
49 if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
50 {
51diff --git a/mpi/ec.c b/mpi/ec.c
52index 89077cd9..adb02600 100644
53--- a/mpi/ec.c
54+++ b/mpi/ec.c
55@@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
56 unsigned int nbits;
57 int j;
58
59- nbits = mpi_get_nbits (scalar);
60+ if (mpi_cmp (scalar, ctx->p) >= 0)
61+ nbits = mpi_get_nbits (scalar);
62+ else
63+ nbits = mpi_get_nbits (ctx->p);
64+
65 if (ctx->model == MPI_EC_WEIERSTRASS)
66 {
67 mpi_set_ui (result->x, 1);
68--
692.23.0
70
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
index 11d078d44a..1bd355133e 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
@@ -24,6 +24,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
24 file://0001-Prefetch-GCM-look-up-tables.patch \ 24 file://0001-Prefetch-GCM-look-up-tables.patch \
25 file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ 25 file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
26 file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ 26 file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
27 file://0001-ecc-Add-mitigation-against-timing-attack.patch \
28 file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \
27" 29"
28SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573" 30SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"
29SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227" 31SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"