From 834ae8ce82fca7156e09fac5182fac4dbf8ebdf9 Mon Sep 17 00:00:00 2001 From: Gustavo Zacarias Date: Thu, 18 Aug 2016 15:34:16 -0300 Subject: [PATCH] nettle: add security patch Fixes: CVE-2016-6489 - RSA code is vulnerable to cache sharing related attacks. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni --- package/nettle/0002-fix-CVE-2016-6489.patch | 181 ++++++++++++++++++++ package/nettle/nettle.mk | 2 + 2 files changed, 183 insertions(+) create mode 100644 package/nettle/0002-fix-CVE-2016-6489.patch diff --git a/package/nettle/0002-fix-CVE-2016-6489.patch b/package/nettle/0002-fix-CVE-2016-6489.patch new file mode 100644 index 0000000000..8c99ff72f2 --- /dev/null +++ b/package/nettle/0002-fix-CVE-2016-6489.patch @@ -0,0 +1,181 @@ +From 6450224f3e3c78fdfa37eadbe6ada8301279f6c1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= +Date: Mon, 20 Jun 2016 20:04:56 +0200 +Subject: Use mpz_powm_sec. +Subject: Check for invalid keys, with even p, in dsa_sign. +Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr. +Subject: Reject invalid RSA keys with even modulo. + +Patch status: upstream + +Signed-off-by: Gustavo Zacarias + +diff --git a/bignum.h b/bignum.h +index 24158e0..0d30534 100644 +--- a/bignum.h ++++ b/bignum.h +@@ -53,6 +53,8 @@ + # define mpz_combit mpz_combit + # define mpz_import mpz_import + # define mpz_export mpz_export ++/* Side-channel silent powm not available in mini-gmp. */ ++# define mpz_powm_sec mpz_powm + #else + # include + #endif +diff --git a/configure.ac b/configure.ac +index e1ee64c..1e88477 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -236,9 +236,9 @@ fi + # Checks for libraries + if test "x$enable_public_key" = "xyes" ; then + if test "x$enable_mini_gmp" = "xno" ; then +- AC_CHECK_LIB(gmp, __gmpz_getlimbn,, ++ AC_CHECK_LIB(gmp, __gmpz_powm_sec,, + [AC_MSG_WARN( +- [GNU MP not found, or not 3.1 or up, see http://gmplib.org/. ++ [GNU MP not found, or too old. GMP-5.0 or later is needed, see http://gmplib.org/. + Support for public key algorithms will be unavailable.])] + enable_public_key=no) + +diff --git a/dsa-sign.c b/dsa-sign.c +index 62c7d4a..b713743 100644 +--- a/dsa-sign.c ++++ b/dsa-sign.c +@@ -56,6 +56,11 @@ dsa_sign(const struct dsa_params *params, + mpz_t tmp; + int res; + ++ /* Check that p is odd, so that invalid keys don't result in a crash ++ inside mpz_powm_sec. */ ++ if (mpz_even_p (params->p)) ++ return 0; ++ + /* Select k, 0q); + mpz_sub_ui(tmp, tmp, 1); +@@ -65,7 +70,7 @@ dsa_sign(const struct dsa_params *params, + mpz_add_ui(k, k, 1); + + /* Compute r = (g^k (mod p)) (mod q) */ +- mpz_powm(tmp, params->g, k, params->p); ++ mpz_powm_sec(tmp, params->g, k, params->p); + mpz_fdiv_r(signature->r, tmp, params->q); + + /* Compute hash */ +diff --git a/rsa-blind.c b/rsa-blind.c +index 7662f50..16b03d7 100644 +--- a/rsa-blind.c ++++ b/rsa-blind.c +@@ -61,7 +61,7 @@ _rsa_blind (const struct rsa_public_key *pub, + while (!mpz_invert (ri, r, pub->n)); + + /* c = c*(r^e) mod n */ +- mpz_powm(r, r, pub->e, pub->n); ++ mpz_powm_sec(r, r, pub->e, pub->n); + mpz_mul(c, c, r); + mpz_fdiv_r(c, c, pub->n); + +diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c +index 3d80ed4..8542cae 100644 +--- a/rsa-sign-tr.c ++++ b/rsa-sign-tr.c +@@ -60,7 +60,7 @@ rsa_blind (const struct rsa_public_key *pub, + while (!mpz_invert (ri, r, pub->n)); + + /* c = c*(r^e) mod n */ +- mpz_powm(r, r, pub->e, pub->n); ++ mpz_powm_sec(r, r, pub->e, pub->n); + mpz_mul(c, m, r); + mpz_fdiv_r(c, c, pub->n); + +@@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, + int res; + mpz_t t, mb, xb, ri; + ++ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the ++ key is invalid and rejected by rsa_private_key_prepare. However, ++ some applications, notably gnutls, don't use this function, and ++ we don't want an invalid key to lead to a crash down inside ++ mpz_powm_sec. So do an additional check here. */ ++ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) ++ return 0; ++ + mpz_init (mb); + mpz_init (xb); + mpz_init (ri); +@@ -97,7 +105,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, + + rsa_compute_root (key, xb, mb); + +- mpz_powm(t, xb, pub->e, pub->n); ++ mpz_powm_sec(t, xb, pub->e, pub->n); + res = (mpz_cmp(mb, t) == 0); + + if (res) +diff --git a/rsa-sign.c b/rsa-sign.c +index eba7388..4832352 100644 +--- a/rsa-sign.c ++++ b/rsa-sign.c +@@ -96,11 +96,11 @@ rsa_compute_root(const struct rsa_private_key *key, + + /* Compute xq = m^d % q = (m%q)^b % q */ + mpz_fdiv_r(xq, m, key->q); +- mpz_powm(xq, xq, key->b, key->q); ++ mpz_powm_sec(xq, xq, key->b, key->q); + + /* Compute xp = m^d % p = (m%p)^a % p */ + mpz_fdiv_r(xp, m, key->p); +- mpz_powm(xp, xp, key->a, key->p); ++ mpz_powm_sec(xp, xp, key->a, key->p); + + /* Set xp' = (xp - xq) c % p. */ + mpz_sub(xp, xp, xq); +diff --git a/rsa.c b/rsa.c +index 19d93de..f594140 100644 +--- a/rsa.c ++++ b/rsa.c +@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key) + } + + /* Computes the size, in octets, of a the modulo. Returns 0 if the +- * modulo is too small to be useful. */ +- ++ * modulo is too small to be useful, or otherwise appears invalid. */ + size_t + _rsa_check_size(mpz_t n) + { + /* Round upwards */ +- size_t size = (mpz_sizeinbase(n, 2) + 7) / 8; ++ size_t size; ++ ++ /* Even moduli are invalid, and not supported by mpz_powm_sec. */ ++ if (mpz_even_p (n)) ++ return 0; ++ ++ size = (mpz_sizeinbase(n, 2) + 7) / 8; + + if (size < RSA_MINIMUM_N_OCTETS) + return 0; +diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c +index e9b1c03..a429664 100644 +--- a/testsuite/rsa-test.c ++++ b/testsuite/rsa-test.c +@@ -57,6 +57,13 @@ test_main(void) + + test_rsa_sha512(&pub, &key, expected); + ++ /* Test detection of invalid keys with even modulo */ ++ mpz_clrbit (pub.n, 0); ++ ASSERT (!rsa_public_key_prepare (&pub)); ++ ++ mpz_clrbit (key.p, 0); ++ ASSERT (!rsa_private_key_prepare (&key)); ++ + /* 777-bit key, generated by + * + * lsh-keygen -a rsa -l 777 -f advanced-hex +-- +2.7.3 + diff --git a/package/nettle/nettle.mk b/package/nettle/nettle.mk index a94a7fc3df..0fbe57b850 100644 --- a/package/nettle/nettle.mk +++ b/package/nettle/nettle.mk @@ -13,6 +13,8 @@ NETTLE_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2 # don't include openssl support for (unused) examples as it has problems # with static linking NETTLE_CONF_OPTS = --disable-openssl +# For 0002-fix-CVE-2016-6489.patch +NETTLE_AUTORECONF = YES # ARM assembly requires v6+ ISA ifeq ($(BR2_ARM_CPU_ARMV4)$(BR2_ARM_CPU_ARMV5)$(BR2_ARM_CPU_ARMV7M),y) -- 2.30.2