From d87e547702bcffdf0eb3948409a94f146538afb8 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 15 Aug 2018 00:24:17 +0200 Subject: [PATCH] gnu: openssl@1.1: Update to 1.1.0i [fix CVE-2018-0737]. Also includes a fix for CVE-2018-0732, and a different approach to fixing CVE-2018-0495. * gnu/packages/tls.scm (openssl-next): Update to 1.1.0i. [sources]: Remove CVE patches. * gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch: Delete... * gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch: ...both files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 2 - .../patches/openssl-1.1.0-CVE-2018-0495.patch | 152 ------------------ .../patches/openssl-1.1.0-CVE-2018-0732.patch | 50 ------ gnu/packages/tls.scm | 10 +- 4 files changed, 4 insertions(+), 210 deletions(-) delete mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch delete mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch diff --git a/gnu/local.mk b/gnu/local.mk index f433da46e2..e8f1dbe661 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -999,8 +999,6 @@ dist_patch_DATA = \ %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \ %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \ - %D%/packages/patches/openssl-1.1.0-CVE-2018-0495.patch \ - %D%/packages/patches/openssl-1.1.0-CVE-2018-0732.patch \ %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \ diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch deleted file mode 100644 index 15dedbcbd0..0000000000 --- a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch +++ /dev/null @@ -1,152 +0,0 @@ -Fix CVE-2018-0495: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495 -https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/ - -Patch copied from upstream source repository: - -https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a556b7017a - -From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 25 May 2018 12:10:13 +0100 -Subject: [PATCH] Add blinding to an ECDSA signature - -Keegan Ryan (NCC Group) has demonstrated a side channel attack on an -ECDSA signature operation. During signing the signer calculates: - -s:= k^-1 * (m + r * priv_key) mod order - -The addition operation above provides a sufficient signal for a -flush+reload attack to derive the private key given sufficient signature -operations. - -As a mitigation (based on a suggestion from Keegan) we add blinding to -the operation so that: - -s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order - -Since this attack is a localhost side channel only no CVE is assigned. - -Reviewed-by: Rich Salz ---- - CHANGES | 4 +++ - crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++----- - 2 files changed, 67 insertions(+), 7 deletions(-) - -diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c -index 72e2f0f28b..449be0e92a 100644 ---- a/crypto/ec/ecdsa_ossl.c -+++ b/crypto/ec/ecdsa_ossl.c -@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, - EC_KEY *eckey) - { - int ok = 0, i; -- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL; -+ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL; -+ BIGNUM *blindm = NULL; - const BIGNUM *order, *ckinv; - BN_CTX *ctx = NULL; - const EC_GROUP *group; -@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, - } - s = ret->s; - -- if ((ctx = BN_CTX_new()) == NULL || -- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { -+ ctx = BN_CTX_secure_new(); -+ if (ctx == NULL) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ BN_CTX_start(ctx); -+ tmp = BN_CTX_get(ctx); -+ m = BN_CTX_get(ctx); -+ blind = BN_CTX_get(ctx); -+ blindm = BN_CTX_get(ctx); -+ if (blindm == NULL) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); - goto err; - } -@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, - } - } - -- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { -+ /* -+ * The normal signature calculation is: -+ * -+ * s := k^-1 * (m + r * priv_key) mod order -+ * -+ * We will blind this to protect against side channel attacks -+ * -+ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order -+ */ -+ -+ /* Generate a blinding value */ -+ do { -+ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY, -+ BN_RAND_BOTTOM_ANY)) -+ goto err; -+ } while (BN_is_zero(blind)); -+ BN_set_flags(blind, BN_FLG_CONSTTIME); -+ BN_set_flags(blindm, BN_FLG_CONSTTIME); -+ BN_set_flags(tmp, BN_FLG_CONSTTIME); -+ -+ /* tmp := blind * priv_key * r mod order */ -+ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } -- if (!BN_mod_add_quick(s, tmp, m, order)) { -+ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } -+ -+ /* blindm := blind * m mod order */ -+ if (!BN_mod_mul(blindm, blind, m, order, ctx)) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); -+ goto err; -+ } -+ -+ /* s : = (blind * priv_key * r) + (blind * m) mod order */ -+ if (!BN_mod_add_quick(s, tmp, blindm, order)) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); -+ goto err; -+ } -+ -+ /* s:= s * blind^-1 mod order */ -+ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); -+ goto err; -+ } -+ if (!BN_mod_mul(s, s, blind, order, ctx)) { -+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); -+ goto err; -+ } -+ -+ /* s := s * k^-1 mod order */ - if (!BN_mod_mul(s, s, ckinv, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } -+ - if (BN_is_zero(s)) { - /* - * if kinv and r have been supplied by the caller don't to -@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, - ECDSA_SIG_free(ret); - ret = NULL; - } -+ BN_CTX_end(ctx); - BN_CTX_free(ctx); -- BN_clear_free(m); -- BN_clear_free(tmp); - BN_clear_free(kinv); - return ret; - } --- -2.17.1 - diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch deleted file mode 100644 index dfea6e7d06..0000000000 --- a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch +++ /dev/null @@ -1,50 +0,0 @@ -Fix CVE-2018-0732: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732 - -Patch copied from upstream source repository: - -https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4 - -From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001 -From: Guido Vranken -Date: Mon, 11 Jun 2018 19:38:54 +0200 -Subject: [PATCH] Reject excessively large primes in DH key generation. - -CVE-2018-0732 - -Signed-off-by: Guido Vranken - -(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) - -Reviewed-by: Tim Hudson -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/6457) ---- - crypto/dh/dh_key.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index fce9ff47f3..58003d7087 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -78,10 +78,15 @@ static int generate_key(DH *dh) - int ok = 0; - int generate_new_key = 0; - unsigned l; -- BN_CTX *ctx; -+ BN_CTX *ctx = NULL; - BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; --- -2.17.1 - diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index cafe71bd41..28d2ea5fd5 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm @@ -410,7 +410,7 @@ required structures.") (package (inherit openssl) (name "openssl") - (version "1.1.0h") + (version "1.1.0i") (source (origin (method url-fetch) (uri (list (string-append "https://www.openssl.org/source/openssl-" @@ -420,14 +420,12 @@ required structures.") (string-append "ftp://ftp.openssl.org/source/old/" (string-trim-right version char-set:letter) "/" name "-" version ".tar.gz"))) - (patches (search-patches "openssl-1.1.0-c-rehash-in.patch" - "openssl-1.1.0-CVE-2018-0495.patch" - "openssl-1.1.0-CVE-2018-0732.patch")) + (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) (sha256 (base32 - "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq")))) + "16fgaf113p6s5ixw227sycvihh3zx6f6rf0hvjjhxk68m12cigzb")))) (outputs '("out" - "doc" ;1.3MiB of man3 pages + "doc" ; 1.3MiB of man3 pages "static")) ; 5.5MiB of .a files (arguments (substitute-keyword-arguments (package-arguments openssl)