Diffstat (limited to 'meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch')
-rw-r--r-- | meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch | 163 |
1 files changed, 163 insertions, 0 deletions
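--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
@@ -0,0 +1,163 @@
+From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:32:38 +0200
+Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions.
+
+(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ChangeLog | 10 +++++++++-
+rsa-decrypt-tr.c | 4 ++++
+rsa-decrypt.c | 10 ++++++++++
+rsa-sec-decrypt.c | 4 ++++
+rsa.h | 5 +++--
+testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------
+6 files changed, 62 insertions(+), 9 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k
+mp_size_t key_limb_size;
+int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+key_limb_size = mpz_size(pub->n);
+
+TMP_GMP_ALLOC (m, key_limb_size);
+Index: nettle-3.5.1/rsa-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt.c
++++ nettle-3.5.1/rsa-decrypt.c
+@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key
+int res;
+
+mpz_init(m);
++
++ /* First check that input is in range. Since we don't have the
++ public key available here, we need to reconstruct n. */
++ mpz_mul (m, key->p, key->q);
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
++ {
++ mpz_clear (m);
++ return 0;
++ }
++
+rsa_compute_root(key, m, gibberish);
+
+res = pkcs1_decrypt (key->size, m, length, message);
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_
+TMP_GMP_DECL (em, uint8_t);
+int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+TMP_GMP_ALLOC (m, mpz_size(pub->n));
+TMP_GMP_ALLOC (em, key->size);
+
+Index: nettle-3.5.1/rsa.h
+===================================================================
+--- nettle-3.5.1.orig/rsa.h
++++ nettle-3.5.1/rsa.h
+@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_
+size_t length, uint8_t *message,
+const mpz_t gibberish);
+
+-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
++/* Compute x, the e:th root of m. Calling it with x == m is allowed.
++ It is required that 0 <= m < n. */
+void
+rsa_compute_root(const struct rsa_private_key *key,
+mpz_t x, const mpz_t m);
+
+/* Safer variant, using RSA blinding, and checking the result after
+- CRT. */
++ CRT. It is required that 0 <= m < n. */
+int
+rsa_compute_root_tr(const struct rsa_public_key *pub,
+const struct rsa_private_key *key,
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,11 +19,12 @@ test_main(void)
+uint8_t after;
+
+mpz_t gibberish;
+- mpz_t zero;
++ mpz_t bad_input;
+
+rsa_private_key_init(&key);
+rsa_public_key_init(&pub);
+mpz_init(gibberish);
++ mpz_init(bad_input);
+
+knuth_lfib_init(&lfib, 17);
+
+@@ -103,15 +104,40 @@ test_main(void)
+ASSERT(decrypted[0] == 'A');
+
+/* Test zero input. */
+- mpz_init_set_ui (zero, 0);
++ mpz_set_ui (bad_input, 0);
+decrypted_length = msg_length;
+- ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ASSERT(!rsa_decrypt_tr(&pub, &key,
+&lfib, (nettle_random_func *) knuth_lfib_random,
+- &decrypted_length, decrypted, zero));
++ &decrypted_length, decrypted, bad_input));
+ASSERT(!rsa_sec_decrypt(&pub, &key,
+&lfib, (nettle_random_func *) knuth_lfib_random,
+- decrypted_length, decrypted, zero));
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is slightly larger than n */
++ mpz_add(bad_input, gibberish, pub.n);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is considerably larger than n */
++ mpz_mul_2exp (bad_input, pub.n, 100);
++ mpz_add (bad_input, bad_input, gibberish);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
+ASSERT(decrypted_length == msg_length);
+
+/* Test invalid key. */
+@@ -124,6 +150,6 @@ test_main(void)
+rsa_private_key_clear(&key);
+rsa_public_key_clear(&pub);
+mpz_clear(gibberish);
+- mpz_clear(zero);
++ mpz_clear(bad_input);
+free(decrypted);
+}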
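Review bot: The added cases in testsuite/rsa-encrypt-test.c leave both edges of the new range check `mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0` (and its p*q form in rsa-decrypt.c) unexercised: they cover 0, which is in range and is presumably rejected by a later check, then n + gibberish and n*2^100 + gibberish, but neither a negative input nor the exact boundary `gibberish == n`. A regression that weakened `>= 0` to `> 0` in rsa-decrypt-tr.c, rsa-decrypt.c or rsa-sec-decrypt.c would still pass this test. I would add two more cases that reuse the same three ASSERTs, set up with `mpz_set (bad_input, pub.n);` and `mpz_neg (bad_input, gibberish);`. Separately, the embedded diffstat still lists ChangeLog (6 files changed) while the body carries no ChangeLog hunk, so a line under `Upstream-Status: Backport` noting that the hunk was dropped would keep the header accurate. test_main continues outside the quoted hunks.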