gnutls: Backport fix for CVE-2023-5981

Upstream-Status: Backport [import from debian https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.7.3-4ubuntu1.3/gnutls28_3.7.3-4ubuntu1.3.debian.tar.xz Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d] References: https://ubuntu.com/security/CVE-2023-5981 (From OE-Core rev: 421b468cf48f0d2c493356f482d92e61e39d7e0e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-12-11 13:34:56 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-12-15 04:00:33 -1000
commit: 82802901c6219b53c02f325cfc0c63f8d161f980 (patch)
tree: 874e5416d55fcec423109edc278306151934f863
parent: f22a96e5ccc6e0f1e7f87e1de2c47b4c5c165512 (diff)
download: poky-82802901c6219b53c02f325cfc0c63f8d161f980.tar.gz
2 files changed, 207 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
new file mode 100644
index 0000000000..33e498b8e5
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
+Backport of:
+From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 23 Oct 2023 09:26:57 +0900
+Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+This removes branching that depends on secret data, porting changes
+for regular RSA key exchange from
+4804febddc2ed958e5ae774de2a8f85edeeff538 and
+80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
+allow_wrong_pms as it was used sorely to control debug output
+depending on the branching.
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Upstream-Status: Backport [import from debian https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.7.3-4ubuntu1.3/gnutls28_3.7.3-4ubuntu1.3.debian.tar.xz
+Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
+CVE: CVE-2023-5981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/auth/rsa.c     |  2 +-
+ lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
+ lib/gnutls_int.h   |  4 ---
+ lib/priority.c     |  1 -
+ 4 files changed, 35 insertions(+), 62 deletions(-)
+--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
+                                     session->key.key.size);
+        /* After this point, any conditional on failure that cause differences
+         * in execution may create a timing or cache access pattern side
+-        * channel that can be used as an oracle, so treat very carefully */
+        * channel that can be used as an oracle, so tread carefully */
+ 
+        /* Error handling logic:
+         * In case decryption fails then don't inform the peer. Just use the
+--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ {
+        gnutls_datum_t username;
+        psk_auth_info_t info;
+-       gnutls_datum_t plaintext;
+        gnutls_datum_t ciphertext;
+        gnutls_datum_t pwd_psk = { NULL, 0 };
+        int ret, dsize;
+-       int randomize_key = 0;
+        ssize_t data_size = _data_size;
+        gnutls_psk_server_credentials_t cred;
+        gnutls_datum_t premaster_secret = { NULL, 0 };
+       volatile uint8_t ver_maj, ver_min;
+ 
+        cred = (gnutls_psk_server_credentials_t)
+            _gnutls_get_cred(session, GNUTLS_CRD_PSK);
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+        }
+        ciphertext.size = dsize;
+ 
+-       ret =
+-           gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+-                                       &ciphertext, &plaintext);
+-       if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+-               /* In case decryption fails then don't inform
+-                * the peer. Just use a random key. (in order to avoid
+-                * attack against pkcs-1 formatting).
+-                */
+-               gnutls_assert();
+-               _gnutls_debug_log
+-                   ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+-               if (ret >= 0) {
+-                       gnutls_free(plaintext.data);
+-               }
+-               randomize_key = 1;
+-       } else {
+-               /* If the secret was properly formatted, then
+-                * check the version number.
+-                */
+-               if (_gnutls_get_adv_version_major(session) !=
+-                   plaintext.data[0]
+-                   || (session->internals.allow_wrong_pms == 0
+-                       && _gnutls_get_adv_version_minor(session) !=
+-                       plaintext.data[1])) {
+-                       /* No error is returned here, if the version number check
+-                        * fails. We proceed normally.
+-                        * That is to defend against the attack described in the paper
+-                        * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
+-                        * Ondej Pokorny and Tomas Rosa.
+-                        */
+-                       gnutls_assert();
+-                       _gnutls_debug_log
+-                           ("auth_rsa: Possible PKCS #1 version check format attack\n");
+-               }
+-       }
+       ver_maj = _gnutls_get_adv_version_major(session);
+       ver_min = _gnutls_get_adv_version_minor(session);
+ 
+       premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+       if (premaster_secret.data == NULL) {
+               gnutls_assert();
+               return GNUTLS_E_MEMORY_ERROR;
+       }
+       premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+-       if (randomize_key != 0) {
+-               premaster_secret.size = GNUTLS_MASTER_SIZE;
+-               premaster_secret.data =
+-                   gnutls_malloc(premaster_secret.size);
+-               if (premaster_secret.data == NULL) {
+-                       gnutls_assert();
+-                       return GNUTLS_E_MEMORY_ERROR;
+-               }
+-
+-               /* we do not need strong random numbers here.
+-                */
+-               ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-                                 premaster_secret.size);
+-               if (ret < 0) {
+-                       gnutls_assert();
+-                       goto cleanup;
+-               }
+-       } else {
+-               premaster_secret.data = plaintext.data;
+-               premaster_secret.size = plaintext.size;
+       /* Fallback value when decryption fails. Needs to be unpredictable. */
+       ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+                        premaster_secret.size);
+       if (ret < 0) {
+               gnutls_assert();
+               goto cleanup;
+        }
+ 
+       gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+                                    &ciphertext, premaster_secret.data,
+                                    premaster_secret.size);
+       /* After this point, any conditional on failure that cause differences
+        * in execution may create a timing or cache access pattern side
+        * channel that can be used as an oracle, so tread carefully */
+
+       /* Error handling logic:
+        * In case decryption fails then don't inform the peer. Just use the
+        * random key previously generated. (in order to avoid attack against
+        * pkcs-1 formatting).
+        *
+        * If we get version mismatches no error is returned either. We
+        * proceed normally. This is to defend against the attack described
+        * in the paper "Attacking RSA-based sessions in SSL/TLS" by
+        * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+        */
+
+        /* This is here to avoid the version check attack
+         * discussed above.
+         */
+-
+-       premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
+-       premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
+       premaster_secret.data[0] = ver_maj;
+       premaster_secret.data[1] = ver_min;
+ 
+        /* find the key of this username
+         */
+--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
+@@ -974,7 +974,6 @@ struct gnutls_priority_st {
+        bool _no_etm;
+        bool _no_ext_master_secret;
+        bool _allow_key_usage_violation;
+-       bool _allow_wrong_pms;
+        bool _dumbfw;
+        unsigned int _dh_prime_bits;    /* old (deprecated) variable */
+ 
+@@ -992,7 +991,6 @@ struct gnutls_priority_st {
+              (x)->no_etm = 1; \
+              (x)->no_ext_master_secret = 1; \
+              (x)->allow_key_usage_violation = 1; \
+-             (x)->allow_wrong_pms = 1; \
+              (x)->dumbfw = 1
+ 
+ #define ENABLE_PRIO_COMPAT(x) \
+@@ -1001,7 +999,6 @@ struct gnutls_priority_st {
+              (x)->_no_etm = 1; \
+              (x)->_no_ext_master_secret = 1; \
+              (x)->_allow_key_usage_violation = 1; \
+-             (x)->_allow_wrong_pms = 1; \
+              (x)->_dumbfw = 1
+ 
+ /* DH and RSA parameters types.
+@@ -1126,7 +1123,6 @@ typedef struct {
+        bool no_etm;
+        bool no_ext_master_secret;
+        bool allow_key_usage_violation;
+-       bool allow_wrong_pms;
+        bool dumbfw;
+ 
+        /* old (deprecated) variable. This is used for both srp_prime_bits
+--- a/lib/priority.c
+++ b/lib/priority.c
+@@ -690,7 +690,6 @@ gnutls_priority_set(gnutls_session_t ses
+        COPY_TO_INTERNALS(no_etm);
+        COPY_TO_INTERNALS(no_ext_master_secret);
+        COPY_TO_INTERNALS(allow_key_usage_violation);
+-       COPY_TO_INTERNALS(allow_wrong_pms);
+        COPY_TO_INTERNALS(dumbfw);
+        COPY_TO_INTERNALS(dh_prime_bits);
+ 
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index fcd9af05dc..25f730b801 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
           file://arm_eabi.patch \
           file://CVE-2022-2509.patch \
           file://CVE-2023-0361.patch \
+           file://CVE-2023-5981.patch \
           "
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-12-11 13:34:56 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-12-15 04:00:33 -1000
commit	82802901c6219b53c02f325cfc0c63f8d161f980 (patch)
tree	874e5416d55fcec423109edc278306151934f863
parent	f22a96e5ccc6e0f1e7f87e1de2c47b4c5c165512 (diff)
download	poky-82802901c6219b53c02f325cfc0c63f8d161f980.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch new file mode 100644 index 0000000000..33e498b8e5 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
		1	Backport of:
		2
		3	From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
		4	From: Daiki Ueno <ueno@gnu.org>
		5	Date: Mon, 23 Oct 2023 09:26:57 +0900
		6	Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
		7
		8	This removes branching that depends on secret data, porting changes
		9	for regular RSA key exchange from
		10	4804febddc2ed958e5ae774de2a8f85edeeff538 and
		11	80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the
		12	allow_wrong_pms as it was used sorely to control debug output
		13	depending on the branching.
		14
		15	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		16
		17	Upstream-Status: Backport [import from debian https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.7.3-4ubuntu1.3/gnutls28_3.7.3-4ubuntu1.3.debian.tar.xz
		18	Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
		19	CVE: CVE-2023-5981
		20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		21	---
		22	lib/auth/rsa.c \| 2 +-
		23	lib/auth/rsa_psk.c \| 90 ++++++++++++++++++----------------------------
		24	lib/gnutls_int.h \| 4 ---
		25	lib/priority.c \| 1 -
		26	4 files changed, 35 insertions(+), 62 deletions(-)
		27
		28	--- a/lib/auth/rsa.c
		29	+++ b/lib/auth/rsa.c
		30	@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
		31	session->key.key.size);
		32	/* After this point, any conditional on failure that cause differences
		33	* in execution may create a timing or cache access pattern side
		34	- * channel that can be used as an oracle, so treat very carefully */
		35	+ * channel that can be used as an oracle, so tread carefully */
		36
		37	/* Error handling logic:
		38	* In case decryption fails then don't inform the peer. Just use the
		39	--- a/lib/auth/rsa_psk.c
		40	+++ b/lib/auth/rsa_psk.c
		41	@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
		42	{
		43	gnutls_datum_t username;
		44	psk_auth_info_t info;
		45	- gnutls_datum_t plaintext;
		46	gnutls_datum_t ciphertext;
		47	gnutls_datum_t pwd_psk = { NULL, 0 };
		48	int ret, dsize;
		49	- int randomize_key = 0;
		50	ssize_t data_size = _data_size;
		51	gnutls_psk_server_credentials_t cred;
		52	gnutls_datum_t premaster_secret = { NULL, 0 };
		53	+ volatile uint8_t ver_maj, ver_min;
		54
		55	cred = (gnutls_psk_server_credentials_t)
		56	_gnutls_get_cred(session, GNUTLS_CRD_PSK);
		57	@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
		58	}
		59	ciphertext.size = dsize;
		60
		61	- ret =
		62	- gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
		63	- &ciphertext, &plaintext);
		64	- if (ret < 0 \|\| plaintext.size != GNUTLS_MASTER_SIZE) {
		65	- /* In case decryption fails then don't inform
		66	- * the peer. Just use a random key. (in order to avoid
		67	- * attack against pkcs-1 formatting).
		68	- */
		69	- gnutls_assert();
		70	- _gnutls_debug_log
		71	- ("auth_rsa_psk: Possible PKCS #1 format attack\n");
		72	- if (ret >= 0) {
		73	- gnutls_free(plaintext.data);
		74	- }
		75	- randomize_key = 1;
		76	- } else {
		77	- /* If the secret was properly formatted, then
		78	- * check the version number.
		79	- */
		80	- if (_gnutls_get_adv_version_major(session) !=
		81	- plaintext.data[0]
		82	- \|\| (session->internals.allow_wrong_pms == 0
		83	- && _gnutls_get_adv_version_minor(session) !=
		84	- plaintext.data[1])) {
		85	- /* No error is returned here, if the version number check
		86	- * fails. We proceed normally.
		87	- * That is to defend against the attack described in the paper
		88	- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
		89	- * Ondej Pokorny and Tomas Rosa.
		90	- */
		91	- gnutls_assert();
		92	- _gnutls_debug_log
		93	- ("auth_rsa: Possible PKCS #1 version check format attack\n");
		94	- }
		95	- }
		96	+ ver_maj = _gnutls_get_adv_version_major(session);
		97	+ ver_min = _gnutls_get_adv_version_minor(session);
		98
		99	+ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
		100	+ if (premaster_secret.data == NULL) {
		101	+ gnutls_assert();
		102	+ return GNUTLS_E_MEMORY_ERROR;
		103	+ }
		104	+ premaster_secret.size = GNUTLS_MASTER_SIZE;
		105
		106	- if (randomize_key != 0) {
		107	- premaster_secret.size = GNUTLS_MASTER_SIZE;
		108	- premaster_secret.data =
		109	- gnutls_malloc(premaster_secret.size);
		110	- if (premaster_secret.data == NULL) {
		111	- gnutls_assert();
		112	- return GNUTLS_E_MEMORY_ERROR;
		113	- }
		114	-
		115	- /* we do not need strong random numbers here.
		116	- */
		117	- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
		118	- premaster_secret.size);
		119	- if (ret < 0) {
		120	- gnutls_assert();
		121	- goto cleanup;
		122	- }
		123	- } else {
		124	- premaster_secret.data = plaintext.data;
		125	- premaster_secret.size = plaintext.size;
		126	+ /* Fallback value when decryption fails. Needs to be unpredictable. */
		127	+ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
		128	+ premaster_secret.size);
		129	+ if (ret < 0) {
		130	+ gnutls_assert();
		131	+ goto cleanup;
		132	}
		133
		134	+ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
		135	+ &ciphertext, premaster_secret.data,
		136	+ premaster_secret.size);
		137	+ /* After this point, any conditional on failure that cause differences
		138	+ * in execution may create a timing or cache access pattern side
		139	+ * channel that can be used as an oracle, so tread carefully */
		140	+
		141	+ /* Error handling logic:
		142	+ * In case decryption fails then don't inform the peer. Just use the
		143	+ * random key previously generated. (in order to avoid attack against
		144	+ * pkcs-1 formatting).
		145	+ *
		146	+ * If we get version mismatches no error is returned either. We
		147	+ * proceed normally. This is to defend against the attack described
		148	+ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
		149	+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
		150	+ */
		151	+
		152	/* This is here to avoid the version check attack
		153	* discussed above.
		154	*/
		155	-
		156	- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
		157	- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
		158	+ premaster_secret.data[0] = ver_maj;
		159	+ premaster_secret.data[1] = ver_min;
		160
		161	/* find the key of this username
		162	*/
		163	--- a/lib/gnutls_int.h
		164	+++ b/lib/gnutls_int.h
		165	@@ -974,7 +974,6 @@ struct gnutls_priority_st {
		166	bool _no_etm;
		167	bool _no_ext_master_secret;
		168	bool _allow_key_usage_violation;
		169	- bool _allow_wrong_pms;
		170	bool _dumbfw;
		171	unsigned int _dh_prime_bits; /* old (deprecated) variable */
		172
		173	@@ -992,7 +991,6 @@ struct gnutls_priority_st {
		174	(x)->no_etm = 1; \
		175	(x)->no_ext_master_secret = 1; \
		176	(x)->allow_key_usage_violation = 1; \
		177	- (x)->allow_wrong_pms = 1; \
		178	(x)->dumbfw = 1
		179
		180	#define ENABLE_PRIO_COMPAT(x) \
		181	@@ -1001,7 +999,6 @@ struct gnutls_priority_st {
		182	(x)->_no_etm = 1; \
		183	(x)->_no_ext_master_secret = 1; \
		184	(x)->_allow_key_usage_violation = 1; \
		185	- (x)->_allow_wrong_pms = 1; \
		186	(x)->_dumbfw = 1
		187
		188	/* DH and RSA parameters types.
		189	@@ -1126,7 +1123,6 @@ typedef struct {
		190	bool no_etm;
		191	bool no_ext_master_secret;
		192	bool allow_key_usage_violation;
		193	- bool allow_wrong_pms;
		194	bool dumbfw;
		195
		196	/* old (deprecated) variable. This is used for both srp_prime_bits
		197	--- a/lib/priority.c
		198	+++ b/lib/priority.c
		199	@@ -690,7 +690,6 @@ gnutls_priority_set(gnutls_session_t ses
		200	COPY_TO_INTERNALS(no_etm);
		201	COPY_TO_INTERNALS(no_ext_master_secret);
		202	COPY_TO_INTERNALS(allow_key_usage_violation);
		203	- COPY_TO_INTERNALS(allow_wrong_pms);
		204	COPY_TO_INTERNALS(dumbfw);
		205	COPY_TO_INTERNALS(dh_prime_bits);
		206


diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index fcd9af05dc..25f730b801 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
23	file://arm_eabi.patch \	23	file://arm_eabi.patch \
24	file://CVE-2022-2509.patch \	24	file://CVE-2022-2509.patch \
25	file://CVE-2023-0361.patch \	25	file://CVE-2023-0361.patch \
		26	file://CVE-2023-5981.patch \
26	"	27	"
27		28
28	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"	29	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"