blob: 5dcde1f9cb221883b920f14225cca9b783856b08 [file] [log] [blame]
Patrick Williamsc124f4f2015-09-15 14:41:29 -05001Upstream-Status: Backport
Patrick Williamsd8c66bc2016-06-20 12:57:21 -05002CVE: CVE-2013-4576
Patrick Williamsc124f4f2015-09-15 14:41:29 -05003
4Index: gnupg-1.4.7/cipher/dsa.c
5===================================================================
6--- gnupg-1.4.7.orig/cipher/dsa.c 2006-12-12 02:27:21.000000000 +0800
7+++ gnupg-1.4.7/cipher/dsa.c 2014-01-23 11:30:17.300915919 +0800
8@@ -287,6 +287,8 @@
9 MPI kinv;
10 MPI tmp;
11
12+ mpi_normalize (hash);
13+
14 /* select a random k with 0 < k < q */
15 k = gen_k( skey->q );
16
17Index: gnupg-1.4.7/cipher/elgamal.c
18===================================================================
19--- gnupg-1.4.7.orig/cipher/elgamal.c 2006-12-12 03:08:05.000000000 +0800
20+++ gnupg-1.4.7/cipher/elgamal.c 2014-01-23 11:30:17.300915919 +0800
21@@ -376,6 +376,9 @@
22 {
23 MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
24
25+ mpi_normalize (a);
26+ mpi_normalize (b);
27+
28 /* output = b/(a^x) mod p */
29 mpi_powm( t1, a, skey->x, skey->p );
30 mpi_invm( t1, t1, skey->p );
31Index: gnupg-1.4.7/cipher/random.c
32===================================================================
33--- gnupg-1.4.7.orig/cipher/random.c 2006-11-03 18:09:39.000000000 +0800
34+++ gnupg-1.4.7/cipher/random.c 2014-01-23 11:31:53.993495462 +0800
35@@ -273,6 +273,18 @@
36 }
37
38
39+/* Randomize the MPI */
40+void
41+randomize_mpi (MPI mpi, size_t nbits, int level)
42+{
43+ unsigned char *buffer;
44+
45+ buffer = get_random_bits (nbits, level, mpi_is_secure (mpi));
46+ mpi_set_buffer (mpi, buffer, (nbits+7)/8, 0);
47+ xfree (buffer);
48+}
49+
50+
51 int
52 random_is_faked()
53 {
54Index: gnupg-1.4.7/cipher/random.h
55===================================================================
56--- gnupg-1.4.7.orig/cipher/random.h 2006-02-09 19:29:29.000000000 +0800
57+++ gnupg-1.4.7/cipher/random.h 2014-01-23 11:30:17.300915919 +0800
58@@ -32,6 +32,7 @@
59 int random_is_faked(void);
60 void random_disable_locking (void);
61 void randomize_buffer( byte *buffer, size_t length, int level );
62+void randomize_mpi (MPI mpi, size_t nbits, int level);
63 byte *get_random_bits( size_t nbits, int level, int secure );
64 void fast_random_poll( void );
65
66Index: gnupg-1.4.7/cipher/rsa.c
67===================================================================
68--- gnupg-1.4.7.orig/cipher/rsa.c 2006-12-12 03:09:00.000000000 +0800
69+++ gnupg-1.4.7/cipher/rsa.c 2014-01-23 11:35:04.330639125 +0800
70@@ -301,9 +301,26 @@
71 #if 0
72 mpi_powm( output, input, skey->d, skey->n );
73 #else
74- MPI m1 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
75- MPI m2 = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
76- MPI h = mpi_alloc_secure( mpi_get_nlimbs(skey->n)+1 );
77+ int nlimbs = mpi_get_nlimbs (skey->n)+1;
78+ MPI m1 = mpi_alloc_secure (nlimbs);
79+ MPI m2 = mpi_alloc_secure (nlimbs);
80+ MPI h = mpi_alloc_secure (nlimbs);
81+# if 1
82+ MPI bdata= mpi_alloc_secure (nlimbs);
83+ MPI r = mpi_alloc_secure (nlimbs);
84+# endif
85+
86+ /* Remove superfluous leading zeroes from INPUT. */
87+ mpi_normalize (input);
88+
89+# if 1
90+ /* Blind: bdata = (data * r^e) mod n */
91+ randomize_mpi (r, mpi_get_nbits (skey->n), 0);
92+ mpi_fdiv_r (r, r, skey->n);
93+ mpi_powm (bdata, r, skey->e, skey->n);
94+ mpi_mulm (bdata, bdata, input, skey->n);
95+ input = bdata;
96+# endif
97
98 /* m1 = c ^ (d mod (p-1)) mod p */
99 mpi_sub_ui( h, skey->p, 1 );
100@@ -321,8 +338,15 @@
101 /* m = m2 + h * p */
102 mpi_mul ( h, h, skey->p );
103 mpi_add ( output, m1, h );
104- /* ready */
105-
106+
107+# if 1
108+ mpi_free (bdata);
109+ /* Unblind: output = (output * r^(-1)) mod n */
110+ mpi_invm (r, r, skey->n);
111+ mpi_mulm (output, output, r, skey->n);
112+ mpi_free (r);
113+# endif
114+
115 mpi_free ( h );
116 mpi_free ( m1 );
117 mpi_free ( m2 );
118@@ -397,6 +421,7 @@
119 rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
120 {
121 RSA_secret_key sk;
122+ MPI input;
123
124 if( algo != 1 && algo != 2 )
125 return G10ERR_PUBKEY_ALGO;
126@@ -407,8 +432,14 @@
127 sk.p = skey[3];
128 sk.q = skey[4];
129 sk.u = skey[5];
130- *result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
131- secret( *result, data[0], &sk );
132+
133+ /* Mitigates side-channel attacks (CVE-2013-4576). */
134+ input = mpi_alloc (0);
135+ mpi_normalize (data[0]);
136+ mpi_fdiv_r (input, data[0], sk.n);
137+ *result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
138+ secret (*result, input, &sk);
139+ mpi_free (input);
140 return 0;
141 }
142
143Index: gnupg-1.4.7/g10/gpgv.c
144===================================================================
145--- gnupg-1.4.7.orig/g10/gpgv.c 2006-12-13 19:25:04.000000000 +0800
146+++ gnupg-1.4.7/g10/gpgv.c 2014-01-23 11:30:17.300915919 +0800
147@@ -390,6 +390,7 @@
148 void random_dump_stats(void) {}
149 int quick_random_gen( int onoff ) { return -1;}
150 void randomize_buffer( byte *buffer, size_t length, int level ) {}
151+void randomize_mpi (MPI mpi, size_t nbits, int level) {}
152 int random_is_faked() { return -1;}
153 byte *get_random_bits( size_t nbits, int level, int secure ) { return NULL;}
154 void set_random_seed_file( const char *name ) {}