Subject: [bug#31833] Updated patch for OpenSSL 1.1.0 CVE-2018-{0495,0732}
Date: Thu, 14 Jun 2018 16:56:11 -0400
From: Leo Famulari
Message-ID: <20180614205611.GA11105@jasmine.lan>
To: 31833@debbugs.gnu.org

Sorry, my previous patch did not work. The patch for CVE-2018-0495 failed to apply a hunk to the upstream changelog.

Content-Disposition: attachment; filename="0001-gnu-OpenSSL-1.1.0-Fix-CVE-2018-0495-0732.patch"

From d8952c1d3b2ebe885ed6b6f316dcce09ee8eeba1 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 14 Jun 2018 16:30:57 -0400
Subject: [PATCH] gnu: OpenSSL 1.1.0: Fix CVE-2018-{0495,0732}.

* gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch,
gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/tls.scm (openssl-next)[source]: Use them.
---
 gnu/local.mk                                  |   2 +
 .../patches/openssl-1.1.0-CVE-2018-0495.patch | 152 ++++++++++++++++++
 .../patches/openssl-1.1.0-CVE-2018-0732.patch |  50 ++++++
 gnu/packages/tls.scm                          |   4 +-
 4 files changed, 207 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
 create mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e9d572922..27fb18a05 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -975,6 +975,8 @@ dist_patch_DATA =3D \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \ + %D%/packages/patches/openssl-1.1.0-CVE-2018-0495.patch \ + %D%/packages/patches/openssl-1.1.0-CVE-2018-0732.patch \ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \ diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch b/gnu/p= ackages/patches/openssl-1.1.0-CVE-2018-0495.patch new file mode 100644 index 000000000..15dedbcbd --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch 
@@ -0,0 +1,152 @@ +Fix CVE-2018-0495: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-0495 +https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-th= e-hidden-number-problem/ + +Patch copied from upstream source repository: + +https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a5= 56b7017a + +From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 25 May 2018 12:10:13 +0100 +Subject: [PATCH] Add blinding to an ECDSA signature + +Keegan Ryan (NCC Group) has demonstrated a side channel attack on an +ECDSA signature operation. During signing the signer calculates: + +s:=3D k^-1 * (m + r * priv_key) mod order + +The addition operation above provides a sufficient signal for a +flush+reload attack to derive the private key given sufficient signature +operations. + +As a mitigation (based on a suggestion from Keegan) we add blinding to +the operation so that: + +s :=3D k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order + +Since this attack is a localhost side channel only no CVE is assigned. 
+ +Reviewed-by: Rich Salz +--- + CHANGES | 4 +++ + crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++----- + 2 files changed, 67 insertions(+), 7 deletions(-) + +diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c +index 72e2f0f28b..449be0e92a 100644 +--- a/crypto/ec/ecdsa_ossl.c ++++ b/crypto/ec/ecdsa_ossl.c +@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dg= st, int dgst_len, + EC_KEY *eckey) + { + int ok =3D 0, i; +- BIGNUM *kinv =3D NULL, *s, *m =3D NULL, *tmp =3D NULL; ++ BIGNUM *kinv =3D NULL, *s, *m =3D NULL, *tmp =3D NULL, *blind =3D NUL= L; ++ BIGNUM *blindm =3D NULL; + const BIGNUM *order, *ckinv; + BN_CTX *ctx =3D NULL; + const EC_GROUP *group; +@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *d= gst, int dgst_len, + } + s =3D ret->s; +=20 +- if ((ctx =3D BN_CTX_new()) =3D=3D NULL || +- (tmp =3D BN_new()) =3D=3D NULL || (m =3D BN_new()) =3D=3D NULL) { ++ ctx =3D BN_CTX_secure_new(); ++ if (ctx =3D=3D NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ BN_CTX_start(ctx); ++ tmp =3D BN_CTX_get(ctx); ++ m =3D BN_CTX_get(ctx); ++ blind =3D BN_CTX_get(ctx); ++ blindm =3D BN_CTX_get(ctx); ++ if (blindm =3D=3D NULL) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } +@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *= dgst, int dgst_len, + } + } +=20 +- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { ++ /* ++ * The normal signature calculation is: ++ * ++ * s :=3D k^-1 * (m + r * priv_key) mod order ++ * ++ * We will blind this to protect against side channel attacks ++ * ++ * s :=3D k^-1 * blind^-1 * (blind * m + blind * r * priv_key) = mod order ++ */ ++ ++ /* Generate a blinding value */ ++ do { ++ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY, ++ BN_RAND_BOTTOM_ANY)) ++ goto err; ++ } while (BN_is_zero(blind)); ++ BN_set_flags(blind, BN_FLG_CONSTTIME); ++ BN_set_flags(blindm, 
BN_FLG_CONSTTIME); ++ BN_set_flags(tmp, BN_FLG_CONSTTIME); ++ ++ /* tmp :=3D blind * priv_key * r mod order */ ++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } +- if (!BN_mod_add_quick(s, tmp, m, order)) { ++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } ++ ++ /* blindm :=3D blind * m mod order */ ++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s : =3D (blind * priv_key * r) + (blind * m) mod order */ ++ if (!BN_mod_add_quick(s, tmp, blindm, order)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s:=3D s * blind^-1 mod order */ ++ if (BN_mod_inverse(blind, blind, order, ctx) =3D=3D NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!BN_mod_mul(s, s, blind, order, ctx)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s :=3D s * k^-1 mod order */ + if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } ++ + if (BN_is_zero(s)) { + /* + * if kinv and r have been supplied by the caller don't to +@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dg= st, int dgst_len, + ECDSA_SIG_free(ret); + ret =3D NULL; + } ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); +- BN_clear_free(m); +- BN_clear_free(tmp); + BN_clear_free(kinv); + return ret; + } +--=20 +2.17.1 + diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch b/gnu/p= ackages/patches/openssl-1.1.0-CVE-2018-0732.patch new file mode 100644 index 000000000..dfea6e7d0 --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch 
@@ -0,0 +1,50 @@ +Fix CVE-2018-0732: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-0732 + +Patch copied from upstream source repository: + +https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4= da69f4f4 + +From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001 +From: Guido Vranken +Date: Mon, 11 Jun 2018 19:38:54 +0200 +Subject: [PATCH] Reject excessively large primes in DH key generation. + +CVE-2018-0732 + +Signed-off-by: Guido Vranken + +(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) + +Reviewed-by: Tim Hudson +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/6457) +--- + crypto/dh/dh_key.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index fce9ff47f3..58003d7087 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -78,10 +78,15 @@ static int generate_key(DH *dh) + int ok =3D 0; + int generate_new_key =3D 0; + unsigned l; +- BN_CTX *ctx; ++ BN_CTX *ctx =3D NULL; + BN_MONT_CTX *mont =3D NULL; + BIGNUM *pub_key =3D NULL, *priv_key =3D NULL; +=20 ++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + ctx =3D BN_CTX_new(); + if (ctx =3D=3D NULL) + goto err; +--=20 +2.17.1 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index a582fb152..3912d9e2f 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
@@ -415,7 +415,9 @@ required structures.") (string-append "ftp://ftp.openssl.org/source/old/" (string-trim-right version char-set= :letter) "/" name "-" version ".tar.gz"))) - (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) + (patches (search-patches "openssl-1.1.0-c-rehash-in.patch" + "openssl-1.1.0-CVE-2018-0495.patch" + "openssl-1.1.0-CVE-2018-0732.patch"= )) (sha256 (base32 "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq")))) --=20 2.17.1
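Review bot: the header of openssl-1.1.0-CVE-2018-0495.patch still carries the upstream diffstat ("CHANGES | 4 +++", "2 files changed, 67 insertions(+), 7 deletions(-)") although the CHANGES hunk was dropped and only the crypto/ec/ecdsa_ossl.c diff remains; patch ignores the stat, but anyone comparing the file against upstream 0c27d793 will see a mismatch, so either trim the diffstat to the one file or add a line under "Patch copied from upstream source repository:" saying the CHANGES hunk was left out because it does not apply to this release. Two smaller points in the same file: the copied commit message ends with "Since this attack is a localhost side channel only no CVE is assigned", which reads oddly directly under the "Fix CVE-2018-0495:" heading, so a one-line note that the CVE was assigned later would avoid confusion; and the err path now runs "BN_CTX_end(ctx);" before "BN_CTX_free(ctx);" even when BN_CTX_secure_new() returned NULL and jumped to err, so please confirm that BN_CTX_end() tolerates a NULL ctx in the 1.1.0 branch (BN_CTX_free() does, which is why the old code was safe).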
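Review bot: in the dh_key.c hunk the new check "if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)" returns 0 directly instead of using goto err, which is correct at that point because nothing has been allocated yet (ctx is only obtained from BN_CTX_new() afterwards), so the added "BN_CTX *ctx = NULL;" initialisation is not needed for this path, though harmless; it also mirrors the existing modulus-size check in compute_key(), which is worth saying. The Guix-side header for this patch gives only the CVE URL and the upstream subject; one sentence on what is being prevented (the cost of the key-generation exponentiation grows with the modulus size, so an excessively large prime lets a peer tie up the process) would help whoever next audits gnu/packages/patches.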
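Review bot: the tls.scm hunk adds the two patches straight to the source of openssl-next rather than through a graft, so every package built against openssl-next is rebuilt; that is the usual choice for a non-default variant with few dependents, but the commit message should state the dependent count (guix refresh -l reports it) so the reviewer does not have to check. Leaving the sha256 untouched is correct, since search-patches entries are applied at build time and do not change the tarball hash.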