Blame - yocto-poky/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch - mdmillerii/openbmc

blob: b1a22f5853080d7d192db404cc6ac52f347e1544 [file] [log] [blame]

Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	1	Upstream-Status: Backport
				2
				3	Index: gnupg-1.4.7/cipher/dsa.c
				4	===================================================================
				5	--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
				6	+++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
				7	@@ -287,6 +287,8 @@
				8	MPI kinv;
				9	MPI tmp;
				10
				11	+ mpi_normalize (hash);
				12	+
				13	/* select a random k with 0 < k < q */
				14	k = gen_k( skey->q );
				15
				16	Index: gnupg-1.4.7/cipher/elgamal.c
				17	===================================================================
				18	--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
				19	+++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
				20	@@ -376,6 +376,9 @@
				21	{
				22	MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
				23
				24	+ mpi_normalize (a);
				25	+ mpi_normalize (b);
				26	+
				27	/* output = b/(a^x) mod p */
				28	mpi_powm( t1, a, skey->x, skey->p );
				29	mpi_invm( t1, t1, skey->p );
				30	Index: gnupg-1.4.7/cipher/random.c
				31	===================================================================
				32	--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
				33	+++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
				34	@@ -273,6 +273,18 @@
				35	}
				36
				37
				38	+/* Randomize the MPI */
				39	+void
				40	+randomize_mpi (MPI mpi, size_t nbits, int level)
				41	+{
				42	+ unsigned char *buffer;
				43	+
				44	+ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
				45	+ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
				46	+ xfree (buffer);
				47	+}
				48	+
				49	+
				50	int
				51	random_is_faked()
				52	{
				53	Index: gnupg-1.4.7/cipher/random.h
				54	===================================================================
				55	--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
				56	+++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
				57	@@ -32,6 +32,7 @@
				58	int random_is_faked(void);
				59	void random_disable_locking (void);
				60	void randomize_buffer( byte *buffer, size_t length, int level );
				61	+void randomize_mpi (MPI mpi, size_t nbits, int level);
				62	byte *get_random_bits( size_t nbits, int level, int secure );
				63	void fast_random_poll( void );
				64
				65	Index: gnupg-1.4.7/cipher/rsa.c
				66	===================================================================
				67	--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
				68	+++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
				69	@@ -301,9 +301,26 @@
				70	#if 0
				71	mpi_powm( output, input, skey->d, skey->n );
				72	#else
				73	- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
				74	- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
				75	- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
				76	+ int nlimbs = mpi_get_nlimbs (skey->n)+1;
				77	+ MPI m1 = mpi_alloc_secure (nlimbs);
				78	+ MPI m2 = mpi_alloc_secure (nlimbs);
				79	+ MPI h = mpi_alloc_secure (nlimbs);
				80	+# if 1
				81	+ MPI bdata= mpi_alloc_secure (nlimbs);
				82	+ MPI r = mpi_alloc_secure (nlimbs);
				83	+# endif
				84	+
				85	+ /* Remove superfluous leading zeroes from INPUT. */
				86	+ mpi_normalize (input);
				87	+
				88	+# if 1
				89	+ /* Blind: bdata = (data * r^e) mod n */
				90	+ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
				91	+ mpi_fdiv_r (r, r, skey->n);
				92	+ mpi_powm (bdata, r, skey->e, skey->n);
				93	+ mpi_mulm (bdata, bdata, input, skey->n);
				94	+ input = bdata;
				95	+# endif
				96
				97	/* m1 = c ^ (d mod (p-1)) mod p */
				98	mpi_sub_ui( h, skey->p, 1 );
				99	@@ -321,8 +338,15 @@
				100	/* m = m2 + h * p */
				101	mpi_mul ( h, h, skey->p );
				102	mpi_add ( output, m1, h );
				103	- /* ready */
				104	-
				105	+
				106	+# if 1
				107	+ mpi_free (bdata);
				108	+ /* Unblind: output = (output * r^(-1)) mod n */
				109	+ mpi_invm (r, r, skey->n);
				110	+ mpi_mulm (output, output, r, skey->n);
				111	+ mpi_free (r);
				112	+# endif
				113	+
				114	mpi_free ( h );
				115	mpi_free ( m1 );
				116	mpi_free ( m2 );
				117	@@ -397,6 +421,7 @@
				118	rsa_decrypt( int algo, MPI result, MPI data, MPI *skey )
				119	{
				120	RSA_secret_key sk;
				121	+ MPI input;
				122
				123	if( algo != 1 && algo != 2 )
				124	return G10ERR_PUBKEY_ALGO;
				125	@@ -407,8 +432,14 @@
				126	sk.p = skey[3];
				127	sk.q = skey[4];
				128	sk.u = skey[5];
				129	- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
				130	- secret( *result, data[0], &sk );
				131	+
				132	+ /* Mitigates side-channel attacks (CVE-2013-4576). */
				133	+ input = mpi_alloc (0);
				134	+ mpi_normalize (data[0]);
				135	+ mpi_fdiv_r (input, data[0], sk.n);
				136	+ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
				137	+ secret (*result, input, &sk);
				138	+ mpi_free (input);
				139	return 0;
				140	}
				141
				142	Index: gnupg-1.4.7/g10/gpgv.c
				143	===================================================================
				144	--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
				145	+++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
				146	@@ -390,6 +390,7 @@
				147	void random_dump_stats(void) {}
				148	int quick_random_gen( int onoff ) { return -1;}
				149	void randomize_buffer( byte *buffer, size_t length, int level ) {}
				150	+void randomize_mpi (MPI mpi, size_t nbits, int level) {}
				151	int random_is_faked() { return -1;}
				152	byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
				153	void set_random_seed_file( const char *name ) {}