summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorPeter Marko <peter.marko@siemens.com>2025-01-22 21:41:45 +0100
committerSteve Sakoman <steve@sakoman.com>2025-02-05 06:54:35 -0800
commit3d240823a31f2366fe92683225c68a80226d3dc4 (patch)
tree130645089dab18089fbe21916788a90f772002a5 /meta
parent1f103ae930662bbb099b7decbd692be3d09551e4 (diff)
downloadpoky-3d240823a31f2366fe92683225c68a80226d3dc4.tar.gz
openssl: patch CVE-2024-13176
Picked [1] per link in [2]. [1] https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-13176 (From OE-Core rev: cb18163c11d7f8b62b829f203b00a4e14513c6cf) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch125
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.0.15.bb1
2 files changed, 126 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
new file mode 100644
index 0000000000..0076003db1
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
@@ -0,0 +1,125 @@
1From 07272b05b04836a762b4baa874958af51d513844 Mon Sep 17 00:00:00 2001
2From: Tomas Mraz <tomas@openssl.org>
3Date: Wed, 15 Jan 2025 18:27:02 +0100
4Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
5
6There is a timing signal of around 300 nanoseconds when the top word of
7the inverted ECDSA nonce value is zero. This can happen with significant
8probability only for some of the supported elliptic curves. In particular
9the NIST P-521 curve is affected. To be able to measure this leak, the
10attacker process must either be located in the same physical computer or
11must have a very fast network connection with low latency.
12
13Attacks on ECDSA nonce are also known as Minerva attack.
14
15Fixes CVE-2024-13176
16
17Reviewed-by: Tim Hudson <tjh@openssl.org>
18Reviewed-by: Neil Horman <nhorman@openssl.org>
19Reviewed-by: Paul Dale <ppzgs1@gmail.com>
20(Merged from https://github.com/openssl/openssl/pull/26429)
21
22(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
23
24CVE: CVE-2024-13176
25Upstream-Status: Backport [https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844]
26Signed-off-by: Peter Marko <peter.marko@siemens.com>
27---
28 crypto/bn/bn_exp.c | 21 +++++++++++++++------
29 crypto/ec/ec_lib.c | 7 ++++---
30 include/crypto/bn.h | 3 +++
31 3 files changed, 22 insertions(+), 9 deletions(-)
32
33diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
34index 598a592ca1397..d84c7de18a6b6 100644
35--- a/crypto/bn/bn_exp.c
36+++ b/crypto/bn/bn_exp.c
37@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
38 * out by Colin Percival,
39 * http://www.daemonology.net/hyperthreading-considered-harmful/)
40 */
41-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
42+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
43 const BIGNUM *m, BN_CTX *ctx,
44 BN_MONT_CTX *in_mont)
45 {
46@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
47 unsigned int t4 = 0;
48 #endif
49
50- bn_check_top(a);
51- bn_check_top(p);
52- bn_check_top(m);
53-
54 if (!BN_is_odd(m)) {
55 ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
56 return 0;
57@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
58 goto err;
59 } else
60 #endif
61- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
62+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
63 goto err;
64 ret = 1;
65 err:
66@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
67 return ret;
68 }
69
70+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
71+ const BIGNUM *m, BN_CTX *ctx,
72+ BN_MONT_CTX *in_mont)
73+{
74+ bn_check_top(a);
75+ bn_check_top(p);
76+ bn_check_top(m);
77+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
78+ return 0;
79+ bn_correct_top(rr);
80+ return 1;
81+}
82+
83 int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
84 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
85 {
86diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
87index b1696d93bd6dd..1f0bf1ec795fa 100644
88--- a/crypto/ec/ec_lib.c
89+++ b/crypto/ec/ec_lib.c
90@@ -20,6 +20,7 @@
91 #include <openssl/err.h>
92 #include <openssl/opensslv.h>
93 #include "crypto/ec.h"
94+#include "crypto/bn.h"
95 #include "internal/nelem.h"
96 #include "ec_local.h"
97
98@@ -1262,10 +1263,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
99 if (!BN_sub(e, group->order, e))
100 goto err;
101 /*-
102- * Exponent e is public.
103- * No need for scatter-gather or BN_FLG_CONSTTIME.
104+ * Although the exponent is public we want the result to be
105+ * fixed top.
106 */
107- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
108+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
109 goto err;
110
111 ret = 1;
112diff --git a/include/crypto/bn.h b/include/crypto/bn.h
113index c5f328156d3a9..59a629b9f6288 100644
114--- a/include/crypto/bn.h
115+++ b/include/crypto/bn.h
116@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
117 */
118 int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
119 BN_MONT_CTX *mont, BN_CTX *ctx);
120+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
121+ const BIGNUM *m, BN_CTX *ctx,
122+ BN_MONT_CTX *in_mont);
123 int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
124 BN_CTX *ctx);
125 int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
index 5f7e7c0000..295f05729f 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
13 file://afalg.patch \ 13 file://afalg.patch \
14 file://0001-Configure-do-not-tweak-mips-cflags.patch \ 14 file://0001-Configure-do-not-tweak-mips-cflags.patch \
15 file://CVE-2024-9143.patch \ 15 file://CVE-2024-9143.patch \
16 file://CVE-2024-13176.patch \
16 " 17 "
17 18
18SRC_URI:append:class-nativesdk = " \ 19SRC_URI:append:class-nativesdk = " \