kumquat-buildroot/package/nettle/0002-fix-CVE-2016-6489.patch
Gustavo Zacarias 834ae8ce82 nettle: add security patch
Fixes:
CVE-2016-6489 - RSA code is vulnerable to cache sharing related attacks.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-08-18 23:26:03 +02:00

182 lines
5.3 KiB
Diff

From 6450224f3e3c78fdfa37eadbe6ada8301279f6c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Mon, 20 Jun 2016 20:04:56 +0200
Subject: Use mpz_powm_sec.
Subject: Check for invalid keys, with even p, in dsa_sign.
Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr.
Subject: Reject invalid RSA keys with even modulo.
Patch status: upstream
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff --git a/bignum.h b/bignum.h
index 24158e0..0d30534 100644
--- a/bignum.h
+++ b/bignum.h
@@ -53,6 +53,8 @@
# define mpz_combit mpz_combit
# define mpz_import mpz_import
# define mpz_export mpz_export
+/* Side-channel silent powm not available in mini-gmp. */
+# define mpz_powm_sec mpz_powm
#else
# include <gmp.h>
#endif
diff --git a/configure.ac b/configure.ac
index e1ee64c..1e88477 100644
--- a/configure.ac
+++ b/configure.ac
@@ -236,9 +236,9 @@ fi
# Checks for libraries
if test "x$enable_public_key" = "xyes" ; then
if test "x$enable_mini_gmp" = "xno" ; then
- AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
+ AC_CHECK_LIB(gmp, __gmpz_powm_sec,,
[AC_MSG_WARN(
- [GNU MP not found, or not 3.1 or up, see http://gmplib.org/.
+ [GNU MP not found, or too old. GMP-5.0 or later is needed, see http://gmplib.org/.
Support for public key algorithms will be unavailable.])]
enable_public_key=no)
diff --git a/dsa-sign.c b/dsa-sign.c
index 62c7d4a..b713743 100644
--- a/dsa-sign.c
+++ b/dsa-sign.c
@@ -56,6 +56,11 @@ dsa_sign(const struct dsa_params *params,
mpz_t tmp;
int res;
+ /* Check that p is odd, so that invalid keys don't result in a crash
+ inside mpz_powm_sec. */
+ if (mpz_even_p (params->p))
+ return 0;
+
/* Select k, 0<k<q, randomly */
mpz_init_set(tmp, params->q);
mpz_sub_ui(tmp, tmp, 1);
@@ -65,7 +70,7 @@ dsa_sign(const struct dsa_params *params,
mpz_add_ui(k, k, 1);
/* Compute r = (g^k (mod p)) (mod q) */
- mpz_powm(tmp, params->g, k, params->p);
+ mpz_powm_sec(tmp, params->g, k, params->p);
mpz_fdiv_r(signature->r, tmp, params->q);
/* Compute hash */
diff --git a/rsa-blind.c b/rsa-blind.c
index 7662f50..16b03d7 100644
--- a/rsa-blind.c
+++ b/rsa-blind.c
@@ -61,7 +61,7 @@ _rsa_blind (const struct rsa_public_key *pub,
while (!mpz_invert (ri, r, pub->n));
/* c = c*(r^e) mod n */
- mpz_powm(r, r, pub->e, pub->n);
+ mpz_powm_sec(r, r, pub->e, pub->n);
mpz_mul(c, c, r);
mpz_fdiv_r(c, c, pub->n);
diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c
index 3d80ed4..8542cae 100644
--- a/rsa-sign-tr.c
+++ b/rsa-sign-tr.c
@@ -60,7 +60,7 @@ rsa_blind (const struct rsa_public_key *pub,
while (!mpz_invert (ri, r, pub->n));
/* c = c*(r^e) mod n */
- mpz_powm(r, r, pub->e, pub->n);
+ mpz_powm_sec(r, r, pub->e, pub->n);
mpz_mul(c, m, r);
mpz_fdiv_r(c, c, pub->n);
@@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
int res;
mpz_t t, mb, xb, ri;
+ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+ key is invalid and rejected by rsa_private_key_prepare. However,
+ some applications, notably gnutls, don't use this function, and
+ we don't want an invalid key to lead to a crash down inside
+ mpz_powm_sec. So do an additional check here. */
+ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
+ return 0;
+
mpz_init (mb);
mpz_init (xb);
mpz_init (ri);
@@ -97,7 +105,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
rsa_compute_root (key, xb, mb);
- mpz_powm(t, xb, pub->e, pub->n);
+ mpz_powm_sec(t, xb, pub->e, pub->n);
res = (mpz_cmp(mb, t) == 0);
if (res)
diff --git a/rsa-sign.c b/rsa-sign.c
index eba7388..4832352 100644
--- a/rsa-sign.c
+++ b/rsa-sign.c
@@ -96,11 +96,11 @@ rsa_compute_root(const struct rsa_private_key *key,
/* Compute xq = m^d % q = (m%q)^b % q */
mpz_fdiv_r(xq, m, key->q);
- mpz_powm(xq, xq, key->b, key->q);
+ mpz_powm_sec(xq, xq, key->b, key->q);
/* Compute xp = m^d % p = (m%p)^a % p */
mpz_fdiv_r(xp, m, key->p);
- mpz_powm(xp, xp, key->a, key->p);
+ mpz_powm_sec(xp, xp, key->a, key->p);
/* Set xp' = (xp - xq) c % p. */
mpz_sub(xp, xp, xq);
diff --git a/rsa.c b/rsa.c
index 19d93de..f594140 100644
--- a/rsa.c
+++ b/rsa.c
@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key)
}
/* Computes the size, in octets, of a the modulo. Returns 0 if the
- * modulo is too small to be useful. */
-
+ * modulo is too small to be useful, or otherwise appears invalid. */
size_t
_rsa_check_size(mpz_t n)
{
/* Round upwards */
- size_t size = (mpz_sizeinbase(n, 2) + 7) / 8;
+ size_t size;
+
+ /* Even moduli are invalid, and not supported by mpz_powm_sec. */
+ if (mpz_even_p (n))
+ return 0;
+
+ size = (mpz_sizeinbase(n, 2) + 7) / 8;
if (size < RSA_MINIMUM_N_OCTETS)
return 0;
diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c
index e9b1c03..a429664 100644
--- a/testsuite/rsa-test.c
+++ b/testsuite/rsa-test.c
@@ -57,6 +57,13 @@ test_main(void)
test_rsa_sha512(&pub, &key, expected);
+ /* Test detection of invalid keys with even modulo */
+ mpz_clrbit (pub.n, 0);
+ ASSERT (!rsa_public_key_prepare (&pub));
+
+ mpz_clrbit (key.p, 0);
+ ASSERT (!rsa_private_key_prepare (&key));
+
/* 777-bit key, generated by
*
* lsh-keygen -a rsa -l 777 -f advanced-hex
--
2.7.3