[OE-core] [PATCH] libgcrypt: fix CVE-2019-13627
Trevor Gamblin
trevor.gamblin at windriver.com
Sat Oct 19 13:22:30 UTC 2019
On 10/18/19 7:15 PM, Randy MacLeod wrote:
> On 10/18/19 3:32 PM, Trevor Gamblin wrote:
>> Note that there are two patch files added for this fix.
>>
>> Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
>> ---
>> ...cdsa-Fix-use-of-nonce-use-larger-one.patch | 126 ++++++++++++++++++
>> ...Add-mitigation-against-timing-attack.patch | 68 ++++++++++
>> .../libgcrypt/libgcrypt_1.8.4.bb | 2 +
>
> NAK.
>
> 1.8.5 has been released and it DOES contain a fix for this CVE.
>
> On master the commits are:
> 7c294330 dsa,ecdsa: Fix use of nonce, use larger one.
> b9577f7c ecc: Add mitigation against timing attack.
>
> but they are not part of a tagged release:
> $ git tag --contains 7c294330 -> NULL
> $ git tag --contains b9577f7c -> NULL
>
> BUT, if you look at:
>
> $ git log --oneline libgcrypt-1.8.4..libgcrypt-1.8.5 | \
> grep -i mitigation
> d5407b78 ecc: Add mitigation against timing attack.
>
> $ git log --oneline libgcrypt-1.8.4..libgcrypt-1.8.5 | \
> grep -i nonce
> db4e9976 dsa,ecdsa: Fix use of nonce, use larger one.
>
>
> and if you look at those logs, you'll see that these commits
> were cherry-picked from master.
>
> Also note the branch:
> $ git branch -a --contains d5407b78
> remotes/origin/LIBGCRYPT-1.8-BRANCH
>
> so that makes sense. I wasn't able to the branch without the -a
> so I was concerned that the repo was being handled in a way
> that I didn't understand.
>
> ../Randy
>
>> 3 files changed, 196 insertions(+)
>> create mode 100644
>> meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
>> create mode 100644
>> meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
>>
>> diff --git
>> a/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
>> b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
>>
>> new file mode 100644
>> index 0000000000..fdc3873ba1
>> --- /dev/null
>> +++
>> b/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
>> @@ -0,0 +1,126 @@
>> +From 7c2943309d14407b51c8166c4dcecb56a3628567 Mon Sep 17 00:00:00 2001
>> +From: NIIBE Yutaka <gniibe at fsij.org>
>> +Date: Thu, 8 Aug 2019 17:42:02 +0900
>> +Subject: [PATCH] dsa,ecdsa: Fix use of nonce, use larger one.
>> +
>> +* cipher/dsa-common.c (_gcry_dsa_modify_k): New.
>> +* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
>> +* cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
>> +* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
>> +* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
>> +
>> +CVE-id: CVE-2019-13627
>> +GnuPG-bug-id: 4626
>> +Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
>> +---
>> + cipher/dsa-common.c | 24 ++++++++++++++++++++++++
>> + cipher/dsa.c | 2 ++
>> + cipher/ecc-ecdsa.c | 10 +---------
>> + cipher/ecc-gost.c | 2 ++
>> + cipher/pubkey-internal.h | 1 +
>> + 5 files changed, 30 insertions(+), 9 deletions(-)
>> +
>> +Upstream-Status: Backport
>> [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d1]
>> +This backport is one of two upstream patches addressing CVE-2019-13627.
>> +
>> +CVE: CVE-2019-13627
>> +
>> +Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
>> +
>> +diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
>> +index 8c0a6843..fe49248d 100644
>> +--- a/cipher/dsa-common.c
>> ++++ b/cipher/dsa-common.c
>> +@@ -29,6 +29,30 @@
>> + #include "pubkey-internal.h"
>> +
>> +
>> ++/*
>> ++ * Modify K, so that computation time difference can be small,
>> ++ * by making K large enough.
>> ++ *
>> ++ * Originally, (EC)DSA computation requires k where 0 < k < q. Here,
>> ++ * we add q (the order), to keep k in a range: q < k < 2*q (or,
>> ++ * addming more q, to keep k in a range: 2*q < k < 3*q), so that
>> ++ * timing difference of the EC multiply (or exponentiation) operation
>> ++ * can be small. The result of (EC)DSA computation is same.
>> ++ */
>> ++void
>> ++_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
>> ++{
>> ++ gcry_mpi_t k1 = mpi_new (qbits+2);
>> ++
>> ++ mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
>> ++ k->nlimbs = k->alloced;
>> ++ mpi_add (k, k, q);
>> ++ mpi_add (k1, k, q);
>> ++ mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
>> ++
>> ++ mpi_free (k1);
>> ++}
>> ++
>> + /*
>> + * Generate a random secret exponent K less than Q.
>> + * Note that ECDSA uses this code also to generate D.
>> +diff --git a/cipher/dsa.c b/cipher/dsa.c
>> +index 22d8d782..24a53528 100644
>> +--- a/cipher/dsa.c
>> ++++ b/cipher/dsa.c
>> +@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t
>> input, DSA_secret_key *skey,
>> + k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
>> + }
>> +
>> ++ _gcry_dsa_modify_k (k, skey->q, qbits);
>> ++
>> + /* r = (a^k mod p) mod q */
>> + mpi_powm( r, skey->g, k, skey->p );
>> + mpi_fdiv_r( r, r, skey->q );
>> +diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
>> +index 84a1cf84..97966c3a 100644
>> +--- a/cipher/ecc-ecdsa.c
>> ++++ b/cipher/ecc-ecdsa.c
>> +@@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
>> ECC_secret_key *skey,
>> + else
>> + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
>> +
>> +- /* Originally, ECDSA computation requires k where 0 < k < n.
>> +- * Here, we add n (the order of curve), to keep k in a
>> +- * range: n < k < 2*n, or, addming more n, keep k in a
>> range:
>> +- * 2*n < k < 3*n, so that timing difference of the EC
>> +- * multiply operation can be small. The result is same.
>> +- */
>> +- mpi_add (k, k, skey->E.n);
>> +- if (!mpi_test_bit (k, qbits))
>> +- mpi_add (k, k, skey->E.n);
>> ++ _gcry_dsa_modify_k (k, skey->E.n, qbits);
>> +
>> + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
>> + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
>> +diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
>> +index a34fa084..0362a6c7 100644
>> +--- a/cipher/ecc-gost.c
>> ++++ b/cipher/ecc-gost.c
>> +@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input,
>> ECC_secret_key *skey,
>> + mpi_free (k);
>> + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
>> +
>> ++ _gcry_dsa_modify_k (k, skey->E.n, qbits);
>> ++
>> + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
>> + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
>> + {
>> +diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
>> +index b8167c77..d31e26f3 100644
>> +--- a/cipher/pubkey-internal.h
>> ++++ b/cipher/pubkey-internal.h
>> +@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t
>> encoded,
>> +
>> +
>> + /*-- dsa-common.c --*/
>> ++void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
>> + gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
>> + gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
>> + gcry_mpi_t dsa_q,
>> gcry_mpi_t dsa_x,
>> +--
>> +2.23.0
>> +
>> diff --git
>> a/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
>> b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
>>
>> new file mode 100644
>> index 0000000000..66402d6187
>> --- /dev/null
>> +++
>> b/meta/recipes-support/libgcrypt/files/0001-ecc-Add-mitigation-against-timing-attack.patch
>> @@ -0,0 +1,68 @@
>> +From b9577f7c89b4327edc09f2231bc8b31521102c79 Mon Sep 17 00:00:00 2001
>> +From: NIIBE Yutaka <gniibe at fsij.org>
>> +Date: Wed, 17 Jul 2019 12:44:50 +0900
>> +Subject: [PATCH] ecc: Add mitigation against timing attack.
>> +MIME-Version: 1.0
>> +Content-Type: text/plain; charset=UTF-8
>> +Content-Transfer-Encoding: 8bit
>> +
>> +* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
>> +* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.
>> +
>> +CVE-id: CVE-2019-13627
>> +GnuPG-bug-id: 4626
>> +Co-authored-by: Ján Jančár <johny at neuromancer.sk>
>> +Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
>> +---
>> + cipher/ecc-ecdsa.c | 10 ++++++++++
>> + mpi/ec.c | 6 +++++-
>> + 2 files changed, 15 insertions(+), 1 deletion(-)
>> +
>> +Upstream-Status: Backport
>> [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b]
>> +This backport is one of two upstream patches addressing CVE-2019-13627.
>> +
>> +CVE: CVE-2019-13627
>> +
>> +Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
>> +
>> +diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
>> +index 140e8c09..84a1cf84 100644
>> +--- a/cipher/ecc-ecdsa.c
>> ++++ b/cipher/ecc-ecdsa.c
>> +@@ -114,6 +114,16 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input,
>> ECC_secret_key *skey,
>> + else
>> + k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
>> +
>> ++ /* Originally, ECDSA computation requires k where 0 < k < n.
>> ++ * Here, we add n (the order of curve), to keep k in a
>> ++ * range: n < k < 2*n, or, addming more n, keep k in a
>> range:
>> ++ * 2*n < k < 3*n, so that timing difference of the EC
>> ++ * multiply operation can be small. The result is same.
>> ++ */
>> ++ mpi_add (k, k, skey->E.n);
>> ++ if (!mpi_test_bit (k, qbits))
>> ++ mpi_add (k, k, skey->E.n);
>> ++
>> + _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
>> + if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
>> + {
>> +diff --git a/mpi/ec.c b/mpi/ec.c
>> +index 97afbfed..ed936d74 100644
>> +--- a/mpi/ec.c
>> ++++ b/mpi/ec.c
>> +@@ -1509,7 +1509,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
>> + unsigned int nbits;
>> + int j;
>> +
>> +- nbits = mpi_get_nbits (scalar);
>> ++ if (mpi_cmp (scalar, ctx->p) >= 0)
>> ++ nbits = mpi_get_nbits (scalar);
>> ++ else
>> ++ nbits = mpi_get_nbits (ctx->p);
>> ++
>> + if (ctx->model == MPI_EC_WEIERSTRASS)
>> + {
>> + mpi_set_ui (result->x, 1);
>> +--
>> +2.23.0
>> +
>> diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
>> b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
>> index fda68a2938..9d649e49a3 100644
>> --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
>> +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
>> @@ -21,6 +21,8 @@ SRC_URI =
>> "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
>> file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \
>> file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
>> file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \
>> + file://0001-ecc-Add-mitigation-against-timing-attack.patch \
>> + file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \
>> "
>> SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"
>> SRC_URI[sha256sum] =
>> "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"
>>
>
>
Thanks for the catch. Will send a new patch shortly.
More information about the Openembedded-core
mailing list