GNU bug report logs - #31833
[PATCH 2/2] gnu: OpenSSL 1.1.0: Fix CVE-2018-{0495,0732}.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 14 Jun 2018 20:44:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#31833; Package guix-patches. (Thu, 14 Jun 2018 20:44:01 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 14 Jun 2018 20:44:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH 2/2] gnu: OpenSSL 1.1.0: Fix CVE-2018-{0495,0732}.
Date: Thu, 14 Jun 2018 16:43:15 -0400
* gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch,
gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/tls.scm (openssl-next)[source]: Use them.
---
 gnu/local.mk                                  |   2 +
 .../patches/openssl-1.1.0-CVE-2018-0495.patch | 167 ++++++++++++++++++
 .../patches/openssl-1.1.0-CVE-2018-0732.patch |  50 ++++++
 gnu/packages/tls.scm                          |   4 +-
 4 files changed, 222 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
 create mode 100644 gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e9d572922..27fb18a05 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -975,6 +975,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/openssl-runpath.patch			\
   %D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch	\
   %D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch	\
+  %D%/packages/patches/openssl-1.1.0-CVE-2018-0495.patch	\
+  %D%/packages/patches/openssl-1.1.0-CVE-2018-0732.patch	\
   %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch		\
   %D%/packages/patches/openssl-c-rehash-in.patch		\
   %D%/packages/patches/orpheus-cast-errors-and-includes.patch	\
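Review bot: the two new `%D%/packages/patches/openssl-1.1.0-CVE-2018-*.patch` entries keep the list sorted (after the `openssl-1.0.2-*` entries, before `openssl-1.1.0-c-rehash-in.patch`) and both carry the trailing backslash continuation, and the preceding `openssl-1.0.2-CVE-2018-0732.patch` line keeps its own backslash, so the `dist_patch_DATA` make variable stays well-formed; nothing further needed on this hunk.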
diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
new file mode 100644
index 000000000..6b7de5d64
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch
@@ -0,0 +1,167 @@
+Fix CVE-2018-0495:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
+https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
+
+Patch copied from upstream source repository:
+
+https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a556b7017a
+
+From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt <at> openssl.org>
+Date: Fri, 25 May 2018 12:10:13 +0100
+Subject: [PATCH] Add blinding to an ECDSA signature
+
+Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
+ECDSA signature operation. During signing the signer calculates:
+
+s:= k^-1 * (m + r * priv_key) mod order
+
+The addition operation above provides a sufficient signal for a
+flush+reload attack to derive the private key given sufficient signature
+operations.
+
+As a mitigation (based on a suggestion from Keegan) we add blinding to
+the operation so that:
+
+s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
+
+Since this attack is a localhost side channel only no CVE is assigned.
+
+Reviewed-by: Rich Salz <rsalz <at> openssl.org>
+---
+ CHANGES                |  4 +++
+ crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++-----
+ 2 files changed, 67 insertions(+), 7 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index bfd0bcd402..b749d9ed96 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -9,6 +9,10 @@
+ 
+  Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
+ 
++  *) Add blinding to an ECDSA signature to protect against side channel attacks
++     discovered by Keegan Ryan (NCC Group).
++     [Matt Caswell]
++
+   *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+      now allow empty (zero character) pass phrases.
+      [Richard Levitte]
+diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
+index 72e2f0f28b..449be0e92a 100644
+--- a/crypto/ec/ecdsa_ossl.c
++++ b/crypto/ec/ecdsa_ossl.c
+@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+                                EC_KEY *eckey)
+ {
+     int ok = 0, i;
+-    BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL;
++    BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL;
++    BIGNUM *blindm = NULL;
+     const BIGNUM *order, *ckinv;
+     BN_CTX *ctx = NULL;
+     const EC_GROUP *group;
+@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+     }
+     s = ret->s;
+ 
+-    if ((ctx = BN_CTX_new()) == NULL ||
+-        (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
++    ctx = BN_CTX_secure_new();
++    if (ctx == NULL) {
++        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    BN_CTX_start(ctx);
++    tmp = BN_CTX_get(ctx);
++    m = BN_CTX_get(ctx);
++    blind = BN_CTX_get(ctx);
++    blindm = BN_CTX_get(ctx);
++    if (blindm == NULL) {
+         ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+         goto err;
+     }
+@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+             }
+         }
+ 
+-        if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
++        /*
++         * The normal signature calculation is:
++         *
++         *   s := k^-1 * (m + r * priv_key) mod order
++         *
++         * We will blind this to protect against side channel attacks
++         *
++         *   s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
++         */
++
++        /* Generate a blinding value */
++        do {
++            if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY,
++                         BN_RAND_BOTTOM_ANY))
++                goto err;
++        } while (BN_is_zero(blind));
++        BN_set_flags(blind, BN_FLG_CONSTTIME);
++        BN_set_flags(blindm, BN_FLG_CONSTTIME);
++        BN_set_flags(tmp, BN_FLG_CONSTTIME);
++
++        /* tmp := blind * priv_key * r mod order */
++        if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
+             ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
+-        if (!BN_mod_add_quick(s, tmp, m, order)) {
++        if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
+             ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
++
++        /* blindm := blind * m mod order */
++        if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
++            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* s : = (blind * priv_key * r) + (blind * m) mod order */
++        if (!BN_mod_add_quick(s, tmp, blindm, order)) {
++            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* s:= s * blind^-1 mod order */
++        if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
++            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            goto err;
++        }
++        if (!BN_mod_mul(s, s, blind, order, ctx)) {
++            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            goto err;
++        }
++
++        /* s := s * k^-1 mod order */
+         if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
+             ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
++
+         if (BN_is_zero(s)) {
+             /*
+              * if kinv and r have been supplied by the caller don't to
+@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+         ECDSA_SIG_free(ret);
+         ret = NULL;
+     }
++    BN_CTX_end(ctx);
+     BN_CTX_free(ctx);
+-    BN_clear_free(m);
+-    BN_clear_free(tmp);
+     BN_clear_free(kinv);
+     return ret;
+ }
+-- 
+2.17.1
+
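Review bot: the embedded `CHANGES` hunk (`@@ -9,6 +9,10 @@`, anchored on the "Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]" heading) is written against the upstream development branch, and a release tarball does not carry that not-yet-released section, so this hunk cannot apply and the whole vendored patch fails (the follow-up message in this thread reports exactly that). Suggest trimming the copied patch to the `crypto/ec/ecdsa_ossl.c` hunks only, which are the ones that matter for the build. Also worth a one-line remark in the file header: the copied commit message still says "no CVE is assigned", which predates the CVE-2018-0495 identifier that the header itself cites; leaving upstream's text as-is is fine, but a note that the CVE was assigned after the commit avoids confusing later readers.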
diff --git a/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch
new file mode 100644
index 000000000..dfea6e7d0
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch
@@ -0,0 +1,50 @@
+Fix CVE-2018-0732:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
+
+Patch copied from upstream source repository:
+
+https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4
+
+From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken <at> gmail.com>
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken <at> gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh <at> openssl.org>
+Reviewed-by: Matt Caswell <matt <at> openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index fce9ff47f3..58003d7087 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
+     int ok = 0;
+     int generate_new_key = 0;
+     unsigned l;
+-    BN_CTX *ctx;
++    BN_CTX *ctx = NULL;
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
+ 
++    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++        return 0;
++    }
++
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
+-- 
+2.17.1
+
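Review bot: the new guard at the top of `generate_key()` returns 0 before `BN_CTX_new()` or any other allocation, so the `BN_CTX *ctx = NULL;` initialization change in the same hunk is not required for correctness, though it is harmless and consistent with the `err:` cleanup that follows. The check relies on `OPENSSL_DH_MAX_MODULUS_BITS` and the `DH_R_MODULUS_TOO_LARGE` error reason already being defined in the 1.1.0 tree (the patch adds neither), so confirm both are present in the tarball being built before relying on this hunk applying and compiling cleanly.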
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index a582fb152..3912d9e2f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -415,7 +415,9 @@ required structures.")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
-              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
+              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"
+                                       "openssl-1.1.0-CVE-2018-0495.patch"
+                                       "openssl-1.1.0-CVE-2018-0732.patch"))
               (sha256
                (base32
                 "05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq"))))
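Review bot: adding the two files to `(patches (search-patches ...))` is all the package definition needs; the `sha256` stays unchanged because Guix verifies the hash of the downloaded tarball before applying patches in the source derivation, so no hash update is required here. Since the ECDSA signing path and DH key generation are both touched, confirm the package's test suite (which exercises ECDSA and DH) still passes with the patched source before pushing.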
-- 
2.17.1

Information forwarded to guix-patches <at> gnu.org:
bug#31833; Package guix-patches. (Thu, 14 Jun 2018 20:57:02 GMT)

Message #8 received at 31833 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 31833 <at> debbugs.gnu.org
Subject: Updated patch for OpenSSL 1.1.0 CVE-2018-{0495,0732}
Date: Thu, 14 Jun 2018 16:56:11 -0400
[Message part 1 (text/plain, inline)]
Sorry, my previous patch did not work. The patch for CVE-2018-0495
failed to apply a hunk to the upstream changelog.
[0001-gnu-OpenSSL-1.1.0-Fix-CVE-2018-0495-0732.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#31833; Package guix-patches. (Sat, 16 Jun 2018 16:10:01 GMT)

Message #11 received at 31833 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 31833 <at> debbugs.gnu.org
Subject: Re: [bug#31833] Updated patch for OpenSSL 1.1.0 CVE-2018-{0495,0732}
Date: Sat, 16 Jun 2018 18:09:05 +0200
Hi Leo,

Leo Famulari <leo <at> famulari.name> skribis:

> From d8952c1d3b2ebe885ed6b6f316dcce09ee8eeba1 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Thu, 14 Jun 2018 16:30:57 -0400
> Subject: [PATCH] gnu: OpenSSL 1.1.0: Fix CVE-2018-{0495,0732}.
>
> * gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch,
> gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/tls.scm (openssl-next)[source]: Use them.

LGTM, thank you!

Ludo’.
Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Mon, 18 Jun 2018 16:07:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Mon, 18 Jun 2018 16:07:02 GMT)

Message #16 received at 31833-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
Cc: 31833-done <at> debbugs.gnu.org
Subject: Re: [bug#31833] Updated patch for OpenSSL 1.1.0 CVE-2018-{0495,0732}
Date: Mon, 18 Jun 2018 12:06:05 -0400
[Message part 1 (text/plain, inline)]
On Sat, Jun 16, 2018 at 06:09:05PM +0200, Ludovic Courtès wrote:
> Hi Leo,
> 
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > From d8952c1d3b2ebe885ed6b6f316dcce09ee8eeba1 Mon Sep 17 00:00:00 2001
> > From: Leo Famulari <leo <at> famulari.name>
> > Date: Thu, 14 Jun 2018 16:30:57 -0400
> > Subject: [PATCH] gnu: OpenSSL 1.1.0: Fix CVE-2018-{0495,0732}.
> >
> > * gnu/packages/patches/openssl-1.1.0-CVE-2018-0495.patch,
> > gnu/packages/patches/openssl-1.1.0-CVE-2018-0732.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/tls.scm (openssl-next)[source]: Use them.
> 
> LGTM, thank you!

Thanks! Pushed as 9f162c0ab42d8adecc1e23375ce8cb8090714399
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 17 Jul 2018 11:24:04 GMT)
