author | Yong Zhang <yong.zhang@windriver.com> | 2014-03-26 16:32:13 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-03-27 09:42:05 +0000 |
commit | 0ba78399f462618156c5853822eb8d73a297289b (patch) | |
tree | e748b065854411148d488552d74c7f7b4ba9a683 /meta | |
parent | 0abd9418b1bb15555457eafef1c8ac9670de39a0 (diff) | |
download | poky-0ba78399f462618156c5853822eb8d73a297289b.tar.gz |
gnupg: CVE-2013-4576
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of instructions
with certain patterns that introduce a side channel, which allows physically
proximate attackers to extract RSA keys via a chosen-ciphertext attack and
acoustic cryptanalysis during decryption. NOTE: applications are not typically
expected to protect themselves from acoustic side-channel attacks, since this
is arguably the responsibility of the physical device. Accordingly, issues of
this type would not normally receive a CVE identifier. However, for this
issue, the developer has specified a security policy in which GnuPG should
offer side-channel resistance, and developer-specified security-policy
violations are within the scope of CVE.
(From OE-Core rev: 46b80c80b0e008820b34f4360054e1697df2650d)
Signed-off-by: Yong Zhang <yong.zhang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch | 153 | ||||
-rw-r--r-- | meta/recipes-support/gnupg/gnupg_1.4.7.bb | 1 |
2 files changed, 154 insertions, 0 deletions
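diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
new file mode 100644
index 0000000000..b1a22f5853
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
@@ -0,0 +1,153 @@
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/cipher/dsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
++++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
+@@ -287,6 +287,8 @@
+MPI kinv;
+MPI tmp;
+
++ mpi_normalize (hash);
++
+/* select a random k with 0 < k < q */
+k = gen_k( skey->q );
+
+Index: gnupg-1.4.7/cipher/elgamal.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
++++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
+@@ -376,6 +376,9 @@
+{
+MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
+
++ mpi_normalize (a);
++ mpi_normalize (b);
++
+/* output = b/(a^x) mod p */
+mpi_powm( t1, a, skey->x, skey->p );
+mpi_invm( t1, t1, skey->p );
+Index: gnupg-1.4.7/cipher/random.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
++++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
+@@ -273,6 +273,18 @@
+}
+
+
++/* Randomize the MPI */
++void
++randomize_mpi (MPI mpi, size_t nbits, int level)
++{
++ unsigned char *buffer;
++
++ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
++ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
++ xfree (buffer);
++}
++
++
+int
+random_is_faked()
+{
+Index: gnupg-1.4.7/cipher/random.h
+===================================================================
+--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
++++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
+@@ -32,6 +32,7 @@
+int random_is_faked(void);
+void random_disable_locking (void);
+void randomize_buffer( byte *buffer, size_t length, int level );
++void randomize_mpi (MPI mpi, size_t nbits, int level);
+byte *get_random_bits( size_t nbits, int level, int secure );
+void fast_random_poll( void );
+
+Index: gnupg-1.4.7/cipher/rsa.c
+===================================================================
+--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
++++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
+@@ -301,9 +301,26 @@
+#if 0
+mpi_powm( output, input, skey->d, skey->n );
+#else
+- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
+- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
++ int nlimbs = mpi_get_nlimbs (skey->n)+1;
++ MPI m1 = mpi_alloc_secure (nlimbs);
++ MPI m2 = mpi_alloc_secure (nlimbs);
++ MPI h = mpi_alloc_secure (nlimbs);
++# if 1
++ MPI bdata= mpi_alloc_secure (nlimbs);
++ MPI r = mpi_alloc_secure (nlimbs);
++# endif
++
++ /* Remove superfluous leading zeroes from INPUT. */
++ mpi_normalize (input);
++
++# if 1
++ /* Blind: bdata = (data * r^e) mod n */
++ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
++ mpi_fdiv_r (r, r, skey->n);
++ mpi_powm (bdata, r, skey->e, skey->n);
++ mpi_mulm (bdata, bdata, input, skey->n);
++ input = bdata;
++# endif
+
+/* m1 = c ^ (d mod (p-1)) mod p */
+mpi_sub_ui( h, skey->p, 1 );
+@@ -321,8 +338,15 @@
+/* m = m2 + h * p */
+mpi_mul ( h, h, skey->p );
+mpi_add ( output, m1, h );
+- /* ready */
+-
++
++# if 1
++ mpi_free (bdata);
++ /* Unblind: output = (output * r^(-1)) mod n */
++ mpi_invm (r, r, skey->n);
++ mpi_mulm (output, output, r, skey->n);
++ mpi_free (r);
++# endif
++
+mpi_free ( h );
+mpi_free ( m1 );
+mpi_free ( m2 );
+@@ -397,6 +421,7 @@
+rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
+{
+RSA_secret_key sk;
++ MPI input;
+
+if( algo != 1 && algo != 2 )
+return G10ERR_PUBKEY_ALGO;
+@@ -407,8 +432,14 @@
+sk.p = skey[3];
+sk.q = skey[4];
+sk.u = skey[5];
+- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
+- secret( *result, data[0], &sk );
++
++ /* Mitigates side-channel attacks (CVE-2013-4576). */
++ input = mpi_alloc (0);
++ mpi_normalize (data[0]);
++ mpi_fdiv_r (input, data[0], sk.n);
++ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
++ secret (*result, input, &sk);
++ mpi_free (input);
+return 0;
+}
+
+Index: gnupg-1.4.7/g10/gpgv.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
++++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
+@@ -390,6 +390,7 @@
+void random_dump_stats(void) {}
+int quick_random_gen( int onoff ) { return -1;}
+void randomize_buffer( byte *buffer, size_t length, int level ) {}
++void randomize_mpi (MPI mpi, size_t nbits, int level) {}
+int random_is_faked() { return -1;}
+byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
+void set_random_seed_file( const char *name ) {}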
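Review bot: In the cipher/rsa.c hunk at `@@ -301,9 +301,26 @@`, `secret()` uses the blinding factor without checking that it can be inverted: nothing after `mpi_fdiv_r (r, r, skey->n)` rules out `r == 0`, and the visible lines use the result of `mpi_invm (r, r, skey->n)` unchecked, so a degenerate `r` would give a silently wrong plaintext rather than an error. With a working RNG the chance is negligible, but redrawing costs nothing: `do { randomize_mpi (r, mpi_get_nbits (skey->n), 0); mpi_fdiv_r (r, r, skey->n); } while (!mpi_cmp_ui (r, 0));`. The `0` passed as the randomness level also deserves a comment, for example `/* r only has to be unpredictable for this one operation, so the lowest quality level is used */`, if that is the intent. `secret()` begins and ends outside these hunks, so any later use of `input` after `mpi_free (bdata)` cannot be ruled out from here. Separately, the patch header carries only `Upstream-Status: Backport`; adding the upstream commit it was taken from (`<upstream commit id>`) would let the 1.4.7 backport be checked against the 1.4.16 fix.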
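diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
index 83d8fabb5d..e8f797d4f4 100644
--- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
 file://GnuPG1-CVE-2012-6085.patch \
 file://curl_typeof_fix_backport.patch \
 file://CVE-2013-4351.patch \
+file://CVE-2013-4576.patch \
 "
 
 SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"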