From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:33802) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fTZ6E-0006Wa-KU for guix-patches@gnu.org; Thu, 14 Jun 2018 16:44:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fTZ6A-0001Zw-BS for guix-patches@gnu.org; Thu, 14 Jun 2018 16:44:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:40647) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fTZ6A-0001Ze-6o for guix-patches@gnu.org; Thu, 14 Jun 2018 16:44:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1fTZ69-0003VM-Uf for guix-patches@gnu.org; Thu, 14 Jun 2018 16:44:01 -0400 Subject: [bug#31833] [PATCH 2/2] gnu: OpenSSL 1.1.0: Fix CVE-2018-{0495, 0732}. Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:33354) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fTZ5b-00060N-Os for guix-patches@gnu.org; Thu, 14 Jun 2018 16:43:29 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fTZ5X-00013I-GP for guix-patches@gnu.org; Thu, 14 Jun 2018 16:43:27 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:57271) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fTZ5X-00012g-7e for guix-patches@gnu.org; Thu, 14 Jun 2018 16:43:23 -0400 Received: from jasmine.lan (c-76-124-202-137.hsd1.pa.comcast.net [76.124.202.137]) by mail.messagingengine.com (Postfix) with ESMTPA id 6C95EE465F for ; Thu, 14 Jun 2018 16:43:22 -0400 (EDT) From: Leo Famulari Date: Thu, 14 Jun 2018 16:43:15 -0400 Message-Id: In-Reply-To: References: In-Reply-To: References: List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 31833@debbugs.gnu.org * gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch, gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/tls.scm (openssl-next)[source]: Use them. --- gnu/local.mk | 2 + .../patches/openssl-1.1.0-CVE-2018-0495.patch | 167 ++++++++++++++++++ .../patches/openssl-1.1.0-CVE-2018-0732.patch | 50 ++++++ gnu/packages/tls.scm | 4 +- 4 files changed, 222 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch create mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch diff --git a/gnu/local.mk b/gnu/local.mk index e9d572922..27fb18a05 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -975,6 +975,8 @@ dist_patch_DATA = \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \ + %D%/packages/patches/openssl-1.1.0-CVE-2018-0495.patch \ + %D%/packages/patches/openssl-1.1.0-CVE-2018-0732.patch \ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \ diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch new file mode 100644 index 000000000..6b7de5d64 --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch @@ -0,0 +1,167 @@ +Fix CVE-2018-0495: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495 +https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/ + +Patch copied from upstream source repository: + +https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a556b7017a + +From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 25 May 2018 12:10:13 +0100 +Subject: [PATCH] Add blinding to an ECDSA signature + +Keegan Ryan (NCC Group) has demonstrated a side channel attack on an +ECDSA signature operation. During signing the signer calculates: + +s:= k^-1 * (m + r * priv_key) mod order + +The addition operation above provides a sufficient signal for a +flush+reload attack to derive the private key given sufficient signature +operations. + +As a mitigation (based on a suggestion from Keegan) we add blinding to +the operation so that: + +s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order + +Since this attack is a localhost side channel only no CVE is assigned. + +Reviewed-by: Rich Salz +--- + CHANGES | 4 +++ + crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++----- + 2 files changed, 67 insertions(+), 7 deletions(-) + +diff --git a/CHANGES b/CHANGES +index bfd0bcd402..b749d9ed96 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -9,6 +9,10 @@ + + Changes between 1.1.0h and 1.1.0i [xx XXX xxxx] + ++ *) Add blinding to an ECDSA signature to protect against side channel attacks ++ discovered by Keegan Ryan (NCC Group). ++ [Matt Caswell] ++ + *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we + now allow empty (zero character) pass phrases. + [Richard Levitte] +diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c +index 72e2f0f28b..449be0e92a 100644 +--- a/crypto/ec/ecdsa_ossl.c ++++ b/crypto/ec/ecdsa_ossl.c +@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + EC_KEY *eckey) + { + int ok = 0, i; +- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL; ++ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL; ++ BIGNUM *blindm = NULL; + const BIGNUM *order, *ckinv; + BN_CTX *ctx = NULL; + const EC_GROUP *group; +@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + } + s = ret->s; + +- if ((ctx = BN_CTX_new()) == NULL || +- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { ++ ctx = BN_CTX_secure_new(); ++ if (ctx == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ BN_CTX_start(ctx); ++ tmp = BN_CTX_get(ctx); ++ m = BN_CTX_get(ctx); ++ blind = BN_CTX_get(ctx); ++ blindm = BN_CTX_get(ctx); ++ if (blindm == NULL) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } +@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + } + } + +- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { ++ /* ++ * The normal signature calculation is: ++ * ++ * s := k^-1 * (m + r * priv_key) mod order ++ * ++ * We will blind this to protect against side channel attacks ++ * ++ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order ++ */ ++ ++ /* Generate a blinding value */ ++ do { ++ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY, ++ BN_RAND_BOTTOM_ANY)) ++ goto err; ++ } while (BN_is_zero(blind)); ++ BN_set_flags(blind, BN_FLG_CONSTTIME); ++ BN_set_flags(blindm, BN_FLG_CONSTTIME); ++ BN_set_flags(tmp, BN_FLG_CONSTTIME); ++ ++ /* tmp := blind * priv_key * r mod order */ ++ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } +- if (!BN_mod_add_quick(s, tmp, m, order)) { ++ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } ++ ++ /* blindm := blind * m mod order */ ++ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s : = (blind * priv_key * r) + (blind * m) mod order */ ++ if (!BN_mod_add_quick(s, tmp, blindm, order)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s:= s * blind^-1 mod order */ ++ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!BN_mod_mul(s, s, blind, order, ctx)) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ /* s := s * k^-1 mod order */ + if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } ++ + if (BN_is_zero(s)) { + /* + * if kinv and r have been supplied by the caller don't to +@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + ECDSA_SIG_free(ret); + ret = NULL; + } ++ BN_CTX_end(ctx); + BN_CTX_free(ctx); +- BN_clear_free(m); +- BN_clear_free(tmp); + BN_clear_free(kinv); + return ret; + } +-- +2.17.1 + diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch new file mode 100644 index 000000000..dfea6e7d0 --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch @@ -0,0 +1,50 @@ +Fix CVE-2018-0732: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732 + +Patch copied from upstream source repository: + +https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4 + +From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001 +From: Guido Vranken +Date: Mon, 11 Jun 2018 19:38:54 +0200 +Subject: [PATCH] Reject excessively large primes in DH key generation. + +CVE-2018-0732 + +Signed-off-by: Guido Vranken + +(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) + +Reviewed-by: Tim Hudson +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/6457) +--- + crypto/dh/dh_key.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index fce9ff47f3..58003d7087 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -78,10 +78,15 @@ static int generate_key(DH *dh) + int ok = 0; + int generate_new_key = 0; + unsigned l; +- BN_CTX *ctx; ++ BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +-- +2.17.1 + diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index a582fb152..3912d9e2f 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -415,7 +415,9 @@ required structures.") (string-append "ftp://ftp.openssl.org/source/old/" (string-trim-right version char-set:letter) "/" name "-" version ".tar.gz"))) - (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) + (patches (search-patches "openssl-1.1.0-c-rehash-in.patch" + "openssl-1.1.0-CVE-2018-0495.patch" + "openssl-1.1.0-CVE-2018-0732.patch")) (sha256 (base32 "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq")))) -- 2.17.1