diff options
| author | Peter Marko <peter.marko@siemens.com> | 2025-01-22 21:41:45 +0100 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-02-05 06:54:35 -0800 |
| commit | 3d240823a31f2366fe92683225c68a80226d3dc4 (patch) | |
| tree | 130645089dab18089fbe21916788a90f772002a5 /meta | |
| parent | 1f103ae930662bbb099b7decbd692be3d09551e4 (diff) | |
| download | poky-3d240823a31f2366fe92683225c68a80226d3dc4.tar.gz | |
openssl: patch CVE-2024-13176
Picked [1] per link in [2].
[1] https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-13176
(From OE-Core rev: cb18163c11d7f8b62b829f203b00a4e14513c6cf)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch | 125 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.0.15.bb | 1 |
2 files changed, 126 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch new file mode 100644 index 0000000000..0076003db1 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch | |||
| @@ -0,0 +1,125 @@ | |||
| 1 | From 07272b05b04836a762b4baa874958af51d513844 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Tomas Mraz <tomas@openssl.org> | ||
| 3 | Date: Wed, 15 Jan 2025 18:27:02 +0100 | ||
| 4 | Subject: [PATCH] Fix timing side-channel in ECDSA signature computation | ||
| 5 | |||
| 6 | There is a timing signal of around 300 nanoseconds when the top word of | ||
| 7 | the inverted ECDSA nonce value is zero. This can happen with significant | ||
| 8 | probability only for some of the supported elliptic curves. In particular | ||
| 9 | the NIST P-521 curve is affected. To be able to measure this leak, the | ||
| 10 | attacker process must either be located in the same physical computer or | ||
| 11 | must have a very fast network connection with low latency. | ||
| 12 | |||
| 13 | Attacks on ECDSA nonce are also known as Minerva attack. | ||
| 14 | |||
| 15 | Fixes CVE-2024-13176 | ||
| 16 | |||
| 17 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
| 18 | Reviewed-by: Neil Horman <nhorman@openssl.org> | ||
| 19 | Reviewed-by: Paul Dale <ppzgs1@gmail.com> | ||
| 20 | (Merged from https://github.com/openssl/openssl/pull/26429) | ||
| 21 | |||
| 22 | (cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203) | ||
| 23 | |||
| 24 | CVE: CVE-2024-13176 | ||
| 25 | Upstream-Status: Backport [https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844] | ||
| 26 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 27 | --- | ||
| 28 | crypto/bn/bn_exp.c | 21 +++++++++++++++------ | ||
| 29 | crypto/ec/ec_lib.c | 7 ++++--- | ||
| 30 | include/crypto/bn.h | 3 +++ | ||
| 31 | 3 files changed, 22 insertions(+), 9 deletions(-) | ||
| 32 | |||
| 33 | diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c | ||
| 34 | index 598a592ca1397..d84c7de18a6b6 100644 | ||
| 35 | --- a/crypto/bn/bn_exp.c | ||
| 36 | +++ b/crypto/bn/bn_exp.c | ||
| 37 | @@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, | ||
| 38 | * out by Colin Percival, | ||
| 39 | * http://www.daemonology.net/hyperthreading-considered-harmful/) | ||
| 40 | */ | ||
| 41 | -int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, | ||
| 42 | +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, | ||
| 43 | const BIGNUM *m, BN_CTX *ctx, | ||
| 44 | BN_MONT_CTX *in_mont) | ||
| 45 | { | ||
| 46 | @@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, | ||
| 47 | unsigned int t4 = 0; | ||
| 48 | #endif | ||
| 49 | |||
| 50 | - bn_check_top(a); | ||
| 51 | - bn_check_top(p); | ||
| 52 | - bn_check_top(m); | ||
| 53 | - | ||
| 54 | if (!BN_is_odd(m)) { | ||
| 55 | ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS); | ||
| 56 | return 0; | ||
| 57 | @@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, | ||
| 58 | goto err; | ||
| 59 | } else | ||
| 60 | #endif | ||
| 61 | - if (!BN_from_montgomery(rr, &tmp, mont, ctx)) | ||
| 62 | + if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) | ||
| 63 | goto err; | ||
| 64 | ret = 1; | ||
| 65 | err: | ||
| 66 | @@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, | ||
| 67 | return ret; | ||
| 68 | } | ||
| 69 | |||
| 70 | +int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, | ||
| 71 | + const BIGNUM *m, BN_CTX *ctx, | ||
| 72 | + BN_MONT_CTX *in_mont) | ||
| 73 | +{ | ||
| 74 | + bn_check_top(a); | ||
| 75 | + bn_check_top(p); | ||
| 76 | + bn_check_top(m); | ||
| 77 | + if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont)) | ||
| 78 | + return 0; | ||
| 79 | + bn_correct_top(rr); | ||
| 80 | + return 1; | ||
| 81 | +} | ||
| 82 | + | ||
| 83 | int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, | ||
| 84 | const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) | ||
| 85 | { | ||
| 86 | diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c | ||
| 87 | index b1696d93bd6dd..1f0bf1ec795fa 100644 | ||
| 88 | --- a/crypto/ec/ec_lib.c | ||
| 89 | +++ b/crypto/ec/ec_lib.c | ||
| 90 | @@ -20,6 +20,7 @@ | ||
| 91 | #include <openssl/err.h> | ||
| 92 | #include <openssl/opensslv.h> | ||
| 93 | #include "crypto/ec.h" | ||
| 94 | +#include "crypto/bn.h" | ||
| 95 | #include "internal/nelem.h" | ||
| 96 | #include "ec_local.h" | ||
| 97 | |||
| 98 | @@ -1262,10 +1263,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, | ||
| 99 | if (!BN_sub(e, group->order, e)) | ||
| 100 | goto err; | ||
| 101 | /*- | ||
| 102 | - * Exponent e is public. | ||
| 103 | - * No need for scatter-gather or BN_FLG_CONSTTIME. | ||
| 104 | + * Although the exponent is public we want the result to be | ||
| 105 | + * fixed top. | ||
| 106 | */ | ||
| 107 | - if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) | ||
| 108 | + if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) | ||
| 109 | goto err; | ||
| 110 | |||
| 111 | ret = 1; | ||
| 112 | diff --git a/include/crypto/bn.h b/include/crypto/bn.h | ||
| 113 | index c5f328156d3a9..59a629b9f6288 100644 | ||
| 114 | --- a/include/crypto/bn.h | ||
| 115 | +++ b/include/crypto/bn.h | ||
| 116 | @@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); | ||
| 117 | */ | ||
| 118 | int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, | ||
| 119 | BN_MONT_CTX *mont, BN_CTX *ctx); | ||
| 120 | +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, | ||
| 121 | + const BIGNUM *m, BN_CTX *ctx, | ||
| 122 | + BN_MONT_CTX *in_mont); | ||
| 123 | int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, | ||
| 124 | BN_CTX *ctx); | ||
| 125 | int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, | ||
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb index 5f7e7c0000..295f05729f 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb | |||
| @@ -13,6 +13,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op | |||
| 13 | file://afalg.patch \ | 13 | file://afalg.patch \ |
| 14 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ | 14 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ |
| 15 | file://CVE-2024-9143.patch \ | 15 | file://CVE-2024-9143.patch \ |
| 16 | file://CVE-2024-13176.patch \ | ||
| 16 | " | 17 | " |
| 17 | 18 | ||
| 18 | SRC_URI:append:class-nativesdk = " \ | 19 | SRC_URI:append:class-nativesdk = " \ |
