gnutls: fix CVE-2023-0361 timing side-channel in the TLS RSA key exchange code

Remove branching that depends on secret data. since the `ok` variable isn't used any more, we can remove all code used to calculate it (From OE-Core rev: 05b1222815bec400d573f7b06c0ad6b7b2d78a80) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2023-03-07 22:07:49 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-20 17:20:44 +0000
commit: 347ea091f51a173895dee864b2f143eebb2c2b43 (patch)
tree: ca9e3a4d0de554b0b6e0a74cf4407f1883a08756
parent: 8b82794b62609a6408c42e2a2724570d539f076a (diff)
download: poky-347ea091f51a173895dee864b2f143eebb2c2b43.tar.gz
2 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
new file mode 100644
index 0000000000..943f4ca704
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
@@ -0,0 +1,85 @@
+From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH] auth/rsa: side-step potential side-channel
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+Tested-by: Hubert Kario <hkario@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a
+                           https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558]
+CVE: CVE-2023-0361
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ lib/auth/rsa.c | 30 +++---------------------------
+ 1 file changed, 3 insertions(+), 27 deletions(-)
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee8..858701f 100644
+--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
+@@ -155,13 +155,10 @@ static int
+ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+                   size_t _data_size)
+ {
+-       const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+        gnutls_datum_t ciphertext;
+        int ret, dsize;
+        ssize_t data_size = _data_size;
+        volatile uint8_t ver_maj, ver_min;
+-       volatile uint8_t check_ver_min;
+-       volatile uint32_t ok;
+ #ifdef ENABLE_SSL3
+        if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+        ver_maj = _gnutls_get_adv_version_major(session);
+        ver_min = _gnutls_get_adv_version_minor(session);
+-       check_ver_min = (session->internals.allow_wrong_pms == 0);
+        session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+        if (session->key.key.data == NULL) {
+@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+                return ret;
+        }
+-       ret =
+-           gnutls_privkey_decrypt_data2(session->internals.selected_key,
+-                                        0, &ciphertext, session->key.key.data,
+-                                        session->key.key.size);
+       gnutls_privkey_decrypt_data2(session->internals.selected_key,
+                                    0, &ciphertext, session->key.key.data,
+                                    session->key.key.size);
+        /* After this point, any conditional on failure that cause differences
+         * in execution may create a timing or cache access pattern side
+         * channel that can be used as an oracle, so treat very carefully */
+@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+         * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+         */
+-       /* ok is 0 in case of error and 1 in case of success. */
+-
+-       /* if ret < 0 */
+-       ok = CONSTCHECK_EQUAL(ret, 0);
+-       /* session->key.key.data[0] must equal ver_maj */
+-       ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+-       /* if check_ver_min then session->key.key.data[1] must equal ver_min */
+-       ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+-               CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+-       if (ok) {
+-               /* call logging function unconditionally so all branches are
+-                * indistinguishable for timing and cache access when debug
+-                * logging is disabled */
+-               _gnutls_no_log("%s", attack_error);
+-       } else {
+-               _gnutls_debug_log("%s", attack_error);
+-       }
+-
+        /* This is here to avoid the version check attack
+         * discussed above.
+         */
+--
+2.25.1
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index fb06337efb..fcd9af05dc 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -22,6 +22,7 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
           file://arm_eabi.patch \
           file://CVE-2022-2509.patch \
+           file://CVE-2023-0361.patch \
           "
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
author	Vivek Kumbhar <vkumbhar@mvista.com>	2023-03-07 22:07:49 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-20 17:20:44 +0000
commit	347ea091f51a173895dee864b2f143eebb2c2b43 (patch)
tree	ca9e3a4d0de554b0b6e0a74cf4407f1883a08756
parent	8b82794b62609a6408c42e2a2724570d539f076a (diff)
download	poky-347ea091f51a173895dee864b2f143eebb2c2b43.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch new file mode 100644 index 0000000000..943f4ca704 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
@@ -0,0 +1,85 @@
		1	From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001
		2	From: Alexander Sosedkin <asosedkin@redhat.com>
		3	Date: Tue, 9 Aug 2022 16:05:53 +0200
		4	Subject: [PATCH] auth/rsa: side-step potential side-channel
		5
		6	Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
		7	Signed-off-by: Hubert Kario <hkario@redhat.com>
		8	Tested-by: Hubert Kario <hkario@redhat.com>
		9	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a
		10	https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558]
		11	CVE: CVE-2023-0361
		12	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		13	---
		14	lib/auth/rsa.c \| 30 +++---------------------------
		15	1 file changed, 3 insertions(+), 27 deletions(-)
		16
		17	diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
		18	index 8108ee8..858701f 100644
		19	--- a/lib/auth/rsa.c
		20	+++ b/lib/auth/rsa.c
		21	@@ -155,13 +155,10 @@ static int
		22	proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
		23	size_t _data_size)
		24	{
		25	- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
		26	gnutls_datum_t ciphertext;
		27	int ret, dsize;
		28	ssize_t data_size = _data_size;
		29	volatile uint8_t ver_maj, ver_min;
		30	- volatile uint8_t check_ver_min;
		31	- volatile uint32_t ok;
		32
		33	#ifdef ENABLE_SSL3
		34	if (get_num_version(session) == GNUTLS_SSL3) {
		35	@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
		36
		37	ver_maj = _gnutls_get_adv_version_major(session);
		38	ver_min = _gnutls_get_adv_version_minor(session);
		39	- check_ver_min = (session->internals.allow_wrong_pms == 0);
		40
		41	session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
		42	if (session->key.key.data == NULL) {
		43	@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
		44	return ret;
		45	}
		46
		47	- ret =
		48	- gnutls_privkey_decrypt_data2(session->internals.selected_key,
		49	- 0, &ciphertext, session->key.key.data,
		50	- session->key.key.size);
		51	+ gnutls_privkey_decrypt_data2(session->internals.selected_key,
		52	+ 0, &ciphertext, session->key.key.data,
		53	+ session->key.key.size);
		54	/* After this point, any conditional on failure that cause differences
		55	* in execution may create a timing or cache access pattern side
		56	* channel that can be used as an oracle, so treat very carefully */
		57	@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
		58	* Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
		59	*/
		60
		61	- /* ok is 0 in case of error and 1 in case of success. */
		62	-
		63	- /* if ret < 0 */
		64	- ok = CONSTCHECK_EQUAL(ret, 0);
		65	- /* session->key.key.data[0] must equal ver_maj */
		66	- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
		67	- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
		68	- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
		69	- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
		70	-
		71	- if (ok) {
		72	- /* call logging function unconditionally so all branches are
		73	- * indistinguishable for timing and cache access when debug
		74	- * logging is disabled */
		75	- _gnutls_no_log("%s", attack_error);
		76	- } else {
		77	- _gnutls_debug_log("%s", attack_error);
		78	- }
		79	-
		80	/* This is here to avoid the version check attack
		81	* discussed above.
		82	*/
		83	--
		84	2.25.1
		85


diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index fb06337efb..fcd9af05dc 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -22,6 +22,7 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
22	SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \	22	SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
23	file://arm_eabi.patch \	23	file://arm_eabi.patch \
24	file://CVE-2022-2509.patch \	24	file://CVE-2022-2509.patch \
		25	file://CVE-2023-0361.patch \
25	"	26	"
26		27
27	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"	28	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"