Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Alon Bar-Lev <alonbl@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/nettle/, dev-libs/nettle/files/
Date: Thu, 04 Aug 2016 19:42:16
Message-Id: 1470339703.e564743466a473d0c5df5d97f2bb8c0b5377f5fd.alonbl@gentoo
1 commit: e564743466a473d0c5df5d97f2bb8c0b5377f5fd
2 Author: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org>
3 AuthorDate: Thu Aug 4 19:40:43 2016 +0000
4 Commit: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org>
5 CommitDate: Thu Aug 4 19:41:43 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5647434
7
8 dev-libs/nettle - fix CVE-2016-6489
9
10 Bug: 590484
11
12 Package-Manager: portage-2.2.28
13
14 .../nettle/files/nettle-3.2-CVE-2016-6489.patch | 177 +++++++++++++++++++++
15 dev-libs/nettle/nettle-3.2-r1.ebuild | 67 ++++++++
16 2 files changed, 244 insertions(+)
17
18 diff --git a/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch b/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch
19 new file mode 100644
20 index 0000000..4776a20
21 --- /dev/null
22 +++ b/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch
23 @@ -0,0 +1,177 @@
24 +From 6450224f3e3c78fdfa37eadbe6ada8301279f6c1 Mon Sep 17 00:00:00 2001
25 +From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@×××××××××××.se>
26 +Date: Mon, 20 Jun 2016 20:04:56 +0200
27 +Subject: Use mpz_powm_sec.
28 +Subject: Check for invalid keys, with even p, in dsa_sign.
29 +Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr.
30 +Subject: Reject invalid RSA keys with even modulo.
31 +
32 +diff --git a/bignum.h b/bignum.h
33 +index 24158e0..0d30534 100644
34 +--- a/bignum.h
35 ++++ b/bignum.h
36 +@@ -53,6 +53,8 @@
37 + # define mpz_combit mpz_combit
38 + # define mpz_import mpz_import
39 + # define mpz_export mpz_export
40 ++/* Side-channel silent powm not available in mini-gmp. */
41 ++# define mpz_powm_sec mpz_powm
42 + #else
43 + # include <gmp.h>
44 + #endif
45 +diff --git a/configure.ac b/configure.ac
46 +index e1ee64c..1e88477 100644
47 +--- a/configure.ac
48 ++++ b/configure.ac
49 +@@ -236,9 +236,9 @@ fi
50 + # Checks for libraries
51 + if test "x$enable_public_key" = "xyes" ; then
52 + if test "x$enable_mini_gmp" = "xno" ; then
53 +- AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
54 ++ AC_CHECK_LIB(gmp, __gmpz_powm_sec,,
55 + [AC_MSG_WARN(
56 +- [GNU MP not found, or not 3.1 or up, see http://gmplib.org/.
57 ++ [GNU MP not found, or too old. GMP-5.0 or later is needed, see http://gmplib.org/.
58 + Support for public key algorithms will be unavailable.])]
59 + enable_public_key=no)
60 +
61 +diff --git a/dsa-sign.c b/dsa-sign.c
62 +index 62c7d4a..b713743 100644
63 +--- a/dsa-sign.c
64 ++++ b/dsa-sign.c
65 +@@ -56,6 +56,11 @@ dsa_sign(const struct dsa_params *params,
66 + mpz_t tmp;
67 + int res;
68 +
69 ++ /* Check that p is odd, so that invalid keys don't result in a crash
70 ++ inside mpz_powm_sec. */
71 ++ if (mpz_even_p (params->p))
72 ++ return 0;
73 ++
74 + /* Select k, 0<k<q, randomly */
75 + mpz_init_set(tmp, params->q);
76 + mpz_sub_ui(tmp, tmp, 1);
77 +@@ -65,7 +70,7 @@ dsa_sign(const struct dsa_params *params,
78 + mpz_add_ui(k, k, 1);
79 +
80 + /* Compute r = (g^k (mod p)) (mod q) */
81 +- mpz_powm(tmp, params->g, k, params->p);
82 ++ mpz_powm_sec(tmp, params->g, k, params->p);
83 + mpz_fdiv_r(signature->r, tmp, params->q);
84 +
85 + /* Compute hash */
86 +diff --git a/rsa-blind.c b/rsa-blind.c
87 +index 7662f50..16b03d7 100644
88 +--- a/rsa-blind.c
89 ++++ b/rsa-blind.c
90 +@@ -61,7 +61,7 @@ _rsa_blind (const struct rsa_public_key *pub,
91 + while (!mpz_invert (ri, r, pub->n));
92 +
93 + /* c = c*(r^e) mod n */
94 +- mpz_powm(r, r, pub->e, pub->n);
95 ++ mpz_powm_sec(r, r, pub->e, pub->n);
96 + mpz_mul(c, c, r);
97 + mpz_fdiv_r(c, c, pub->n);
98 +
99 +diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c
100 +index 3d80ed4..8542cae 100644
101 +--- a/rsa-sign-tr.c
102 ++++ b/rsa-sign-tr.c
103 +@@ -60,7 +60,7 @@ rsa_blind (const struct rsa_public_key *pub,
104 + while (!mpz_invert (ri, r, pub->n));
105 +
106 + /* c = c*(r^e) mod n */
107 +- mpz_powm(r, r, pub->e, pub->n);
108 ++ mpz_powm_sec(r, r, pub->e, pub->n);
109 + mpz_mul(c, m, r);
110 + mpz_fdiv_r(c, c, pub->n);
111 +
112 +@@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
113 + int res;
114 + mpz_t t, mb, xb, ri;
115 +
116 ++ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
117 ++ key is invalid and rejected by rsa_private_key_prepare. However,
118 ++ some applications, notably gnutls, don't use this function, and
119 ++ we don't want an invalid key to lead to a crash down inside
120 ++ mpz_powm_sec. So do an additional check here. */
121 ++ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
122 ++ return 0;
123 ++
124 + mpz_init (mb);
125 + mpz_init (xb);
126 + mpz_init (ri);
127 +@@ -97,7 +105,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
128 +
129 + rsa_compute_root (key, xb, mb);
130 +
131 +- mpz_powm(t, xb, pub->e, pub->n);
132 ++ mpz_powm_sec(t, xb, pub->e, pub->n);
133 + res = (mpz_cmp(mb, t) == 0);
134 +
135 + if (res)
136 +diff --git a/rsa-sign.c b/rsa-sign.c
137 +index eba7388..4832352 100644
138 +--- a/rsa-sign.c
139 ++++ b/rsa-sign.c
140 +@@ -96,11 +96,11 @@ rsa_compute_root(const struct rsa_private_key *key,
141 +
142 + /* Compute xq = m^d % q = (m%q)^b % q */
143 + mpz_fdiv_r(xq, m, key->q);
144 +- mpz_powm(xq, xq, key->b, key->q);
145 ++ mpz_powm_sec(xq, xq, key->b, key->q);
146 +
147 + /* Compute xp = m^d % p = (m%p)^a % p */
148 + mpz_fdiv_r(xp, m, key->p);
149 +- mpz_powm(xp, xp, key->a, key->p);
150 ++ mpz_powm_sec(xp, xp, key->a, key->p);
151 +
152 + /* Set xp' = (xp - xq) c % p. */
153 + mpz_sub(xp, xp, xq);
154 +diff --git a/rsa.c b/rsa.c
155 +index 19d93de..f594140 100644
156 +--- a/rsa.c
157 ++++ b/rsa.c
158 +@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key)
159 + }
160 +
161 + /* Computes the size, in octets, of a the modulo. Returns 0 if the
162 +- * modulo is too small to be useful. */
163 +-
164 ++ * modulo is too small to be useful, or otherwise appears invalid. */
165 + size_t
166 + _rsa_check_size(mpz_t n)
167 + {
168 + /* Round upwards */
169 +- size_t size = (mpz_sizeinbase(n, 2) + 7) / 8;
170 ++ size_t size;
171 ++
172 ++ /* Even moduli are invalid, and not supported by mpz_powm_sec. */
173 ++ if (mpz_even_p (n))
174 ++ return 0;
175 ++
176 ++ size = (mpz_sizeinbase(n, 2) + 7) / 8;
177 +
178 + if (size < RSA_MINIMUM_N_OCTETS)
179 + return 0;
180 +diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c
181 +index e9b1c03..a429664 100644
182 +--- a/testsuite/rsa-test.c
183 ++++ b/testsuite/rsa-test.c
184 +@@ -57,6 +57,13 @@ test_main(void)
185 +
186 + test_rsa_sha512(&pub, &key, expected);
187 +
188 ++ /* Test detection of invalid keys with even modulo */
189 ++ mpz_clrbit (pub.n, 0);
190 ++ ASSERT (!rsa_public_key_prepare (&pub));
191 ++
192 ++ mpz_clrbit (key.p, 0);
193 ++ ASSERT (!rsa_private_key_prepare (&key));
194 ++
195 + /* 777-bit key, generated by
196 + *
197 + * lsh-keygen -a rsa -l 777 -f advanced-hex
198 +--
199 +2.7.3
200 +
201
202 diff --git a/dev-libs/nettle/nettle-3.2-r1.ebuild b/dev-libs/nettle/nettle-3.2-r1.ebuild
203 new file mode 100644
204 index 0000000..3ed9631
205 --- /dev/null
206 +++ b/dev-libs/nettle/nettle-3.2-r1.ebuild
207 @@ -0,0 +1,67 @@
208 +# Copyright 1999-2016 Gentoo Foundation
209 +# Distributed under the terms of the GNU General Public License v2
210 +# $Id$
211 +
212 +EAPI=6
213 +
214 +inherit autotools eutils multilib-build multilib-minimal multilib toolchain-funcs
215 +
216 +DESCRIPTION="Low-level cryptographic library"
217 +HOMEPAGE="http://www.lysator.liu.se/~nisse/nettle/"
218 +SRC_URI="mirror://gnu/${PN}/${P}.tar.gz"
219 +
220 +LICENSE="|| ( LGPL-3 LGPL-2.1 )"
221 +SLOT="0/6" # subslot = libnettle soname version
222 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x86-solaris"
223 +IUSE="doc +gmp neon static-libs test cpu_flags_x86_aes"
224 +
225 +DEPEND="gmp? ( >=dev-libs/gmp-5.0:0[${MULTILIB_USEDEP}] )"
226 +RDEPEND="${DEPEND}
227 + abi_x86_32? (
228 + !<=app-emulation/emul-linux-x86-baselibs-20131008-r17
229 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
230 + )"
231 +
232 +PATCHES=(
233 + "${FILESDIR}/${P}-CVE-2016-6489.patch"
234 +)
235 +
236 +MULTILIB_WRAPPED_HEADERS=(
237 + /usr/include/nettle/nettle-stdint.h
238 + /usr/include/nettle/version.h
239 +)
240 +
241 +src_prepare() {
242 + default
243 +
244 + sed -e '/CFLAGS=/s: -ggdb3::' \
245 + -e 's/solaris\*)/sunldsolaris*)/' \
246 + -i configure.ac || die
247 +
248 + # conditionally build tests and examples required by tests
249 + use test || sed -i '/SUBDIRS/s/testsuite examples//' Makefile.in || die
250 +
251 + eautoreconf
252 +}
253 +
254 +multilib_src_configure() {
255 + # --disable-openssl bug #427526
256 + ECONF_SOURCE="${S}" econf \
257 + --libdir="${EPREFIX}"/usr/$(get_libdir) \
258 + --disable-openssl \
259 + --disable-fat \
260 + $(use_enable gmp public-key) \
261 + $(use_enable static-libs static) \
262 + $(tc-is-static-only && echo --disable-shared) \
263 + $(use_enable doc documentation) \
264 + $(use_enable neon arm-neon) \
265 + $(use_enable cpu_flags_x86_aes x86-aesni)
266 +}
267 +
268 +multilib_src_install_all() {
269 + einstalldocs
270 + if use doc ; then
271 + dohtml nettle.html
272 + dodoc nettle.pdf
273 + fi
274 +}
Report Message
Find on MARC Find on Google Groups