1 |
commit: e564743466a473d0c5df5d97f2bb8c0b5377f5fd |
2 |
Author: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu Aug 4 19:40:43 2016 +0000 |
4 |
Commit: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu Aug 4 19:41:43 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5647434 |
7 |
|
8 |
dev-libs/nettle - fix CVE-2016-6489 |
9 |
|
10 |
Bug: 590484 |
11 |
|
12 |
Package-Manager: portage-2.2.28 |
13 |
|
14 |
.../nettle/files/nettle-3.2-CVE-2016-6489.patch | 177 +++++++++++++++++++++ |
15 |
dev-libs/nettle/nettle-3.2-r1.ebuild | 67 ++++++++ |
16 |
2 files changed, 244 insertions(+) |
17 |
|
18 |
diff --git a/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch b/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch |
19 |
new file mode 100644 |
20 |
index 0000000..4776a20 |
21 |
--- /dev/null |
22 |
+++ b/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch |
23 |
@@ -0,0 +1,177 @@ |
24 |
+From 6450224f3e3c78fdfa37eadbe6ada8301279f6c1 Mon Sep 17 00:00:00 2001 |
25 |
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@×××××××××××.se> |
26 |
+Date: Mon, 20 Jun 2016 20:04:56 +0200 |
27 |
+Subject: Use mpz_powm_sec. |
28 |
+Subject: Check for invalid keys, with even p, in dsa_sign. |
29 |
+Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr. |
30 |
+Subject: Reject invalid RSA keys with even modulo. |
31 |
+ |
32 |
+diff --git a/bignum.h b/bignum.h |
33 |
+index 24158e0..0d30534 100644 |
34 |
+--- a/bignum.h |
35 |
++++ b/bignum.h |
36 |
+@@ -53,6 +53,8 @@ |
37 |
+ # define mpz_combit mpz_combit |
38 |
+ # define mpz_import mpz_import |
39 |
+ # define mpz_export mpz_export |
40 |
++/* Side-channel silent powm not available in mini-gmp. */ |
41 |
++# define mpz_powm_sec mpz_powm |
42 |
+ #else |
43 |
+ # include <gmp.h> |
44 |
+ #endif |
45 |
+diff --git a/configure.ac b/configure.ac |
46 |
+index e1ee64c..1e88477 100644 |
47 |
+--- a/configure.ac |
48 |
++++ b/configure.ac |
49 |
+@@ -236,9 +236,9 @@ fi |
50 |
+ # Checks for libraries |
51 |
+ if test "x$enable_public_key" = "xyes" ; then |
52 |
+ if test "x$enable_mini_gmp" = "xno" ; then |
53 |
+- AC_CHECK_LIB(gmp, __gmpz_getlimbn,, |
54 |
++ AC_CHECK_LIB(gmp, __gmpz_powm_sec,, |
55 |
+ [AC_MSG_WARN( |
56 |
+- [GNU MP not found, or not 3.1 or up, see http://gmplib.org/. |
57 |
++ [GNU MP not found, or too old. GMP-5.0 or later is needed, see http://gmplib.org/. |
58 |
+ Support for public key algorithms will be unavailable.])] |
59 |
+ enable_public_key=no) |
60 |
+ |
61 |
+diff --git a/dsa-sign.c b/dsa-sign.c |
62 |
+index 62c7d4a..b713743 100644 |
63 |
+--- a/dsa-sign.c |
64 |
++++ b/dsa-sign.c |
65 |
+@@ -56,6 +56,11 @@ dsa_sign(const struct dsa_params *params, |
66 |
+ mpz_t tmp; |
67 |
+ int res; |
68 |
+ |
69 |
++ /* Check that p is odd, so that invalid keys don't result in a crash |
70 |
++ inside mpz_powm_sec. */ |
71 |
++ if (mpz_even_p (params->p)) |
72 |
++ return 0; |
73 |
++ |
74 |
+ /* Select k, 0<k<q, randomly */ |
75 |
+ mpz_init_set(tmp, params->q); |
76 |
+ mpz_sub_ui(tmp, tmp, 1); |
77 |
+@@ -65,7 +70,7 @@ dsa_sign(const struct dsa_params *params, |
78 |
+ mpz_add_ui(k, k, 1); |
79 |
+ |
80 |
+ /* Compute r = (g^k (mod p)) (mod q) */ |
81 |
+- mpz_powm(tmp, params->g, k, params->p); |
82 |
++ mpz_powm_sec(tmp, params->g, k, params->p); |
83 |
+ mpz_fdiv_r(signature->r, tmp, params->q); |
84 |
+ |
85 |
+ /* Compute hash */ |
86 |
+diff --git a/rsa-blind.c b/rsa-blind.c |
87 |
+index 7662f50..16b03d7 100644 |
88 |
+--- a/rsa-blind.c |
89 |
++++ b/rsa-blind.c |
90 |
+@@ -61,7 +61,7 @@ _rsa_blind (const struct rsa_public_key *pub, |
91 |
+ while (!mpz_invert (ri, r, pub->n)); |
92 |
+ |
93 |
+ /* c = c*(r^e) mod n */ |
94 |
+- mpz_powm(r, r, pub->e, pub->n); |
95 |
++ mpz_powm_sec(r, r, pub->e, pub->n); |
96 |
+ mpz_mul(c, c, r); |
97 |
+ mpz_fdiv_r(c, c, pub->n); |
98 |
+ |
99 |
+diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c |
100 |
+index 3d80ed4..8542cae 100644 |
101 |
+--- a/rsa-sign-tr.c |
102 |
++++ b/rsa-sign-tr.c |
103 |
+@@ -60,7 +60,7 @@ rsa_blind (const struct rsa_public_key *pub, |
104 |
+ while (!mpz_invert (ri, r, pub->n)); |
105 |
+ |
106 |
+ /* c = c*(r^e) mod n */ |
107 |
+- mpz_powm(r, r, pub->e, pub->n); |
108 |
++ mpz_powm_sec(r, r, pub->e, pub->n); |
109 |
+ mpz_mul(c, m, r); |
110 |
+ mpz_fdiv_r(c, c, pub->n); |
111 |
+ |
112 |
+@@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, |
113 |
+ int res; |
114 |
+ mpz_t t, mb, xb, ri; |
115 |
+ |
116 |
++ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the |
117 |
++ key is invalid and rejected by rsa_private_key_prepare. However, |
118 |
++ some applications, notably gnutls, don't use this function, and |
119 |
++ we don't want an invalid key to lead to a crash down inside |
120 |
++ mpz_powm_sec. So do an additional check here. */ |
121 |
++ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) |
122 |
++ return 0; |
123 |
++ |
124 |
+ mpz_init (mb); |
125 |
+ mpz_init (xb); |
126 |
+ mpz_init (ri); |
127 |
+@@ -97,7 +105,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, |
128 |
+ |
129 |
+ rsa_compute_root (key, xb, mb); |
130 |
+ |
131 |
+- mpz_powm(t, xb, pub->e, pub->n); |
132 |
++ mpz_powm_sec(t, xb, pub->e, pub->n); |
133 |
+ res = (mpz_cmp(mb, t) == 0); |
134 |
+ |
135 |
+ if (res) |
136 |
+diff --git a/rsa-sign.c b/rsa-sign.c |
137 |
+index eba7388..4832352 100644 |
138 |
+--- a/rsa-sign.c |
139 |
++++ b/rsa-sign.c |
140 |
+@@ -96,11 +96,11 @@ rsa_compute_root(const struct rsa_private_key *key, |
141 |
+ |
142 |
+ /* Compute xq = m^d % q = (m%q)^b % q */ |
143 |
+ mpz_fdiv_r(xq, m, key->q); |
144 |
+- mpz_powm(xq, xq, key->b, key->q); |
145 |
++ mpz_powm_sec(xq, xq, key->b, key->q); |
146 |
+ |
147 |
+ /* Compute xp = m^d % p = (m%p)^a % p */ |
148 |
+ mpz_fdiv_r(xp, m, key->p); |
149 |
+- mpz_powm(xp, xp, key->a, key->p); |
150 |
++ mpz_powm_sec(xp, xp, key->a, key->p); |
151 |
+ |
152 |
+ /* Set xp' = (xp - xq) c % p. */ |
153 |
+ mpz_sub(xp, xp, xq); |
154 |
+diff --git a/rsa.c b/rsa.c |
155 |
+index 19d93de..f594140 100644 |
156 |
+--- a/rsa.c |
157 |
++++ b/rsa.c |
158 |
+@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key) |
159 |
+ } |
160 |
+ |
161 |
+ /* Computes the size, in octets, of a the modulo. Returns 0 if the |
162 |
+- * modulo is too small to be useful. */ |
163 |
+- |
164 |
++ * modulo is too small to be useful, or otherwise appears invalid. */ |
165 |
+ size_t |
166 |
+ _rsa_check_size(mpz_t n) |
167 |
+ { |
168 |
+ /* Round upwards */ |
169 |
+- size_t size = (mpz_sizeinbase(n, 2) + 7) / 8; |
170 |
++ size_t size; |
171 |
++ |
172 |
++ /* Even moduli are invalid, and not supported by mpz_powm_sec. */ |
173 |
++ if (mpz_even_p (n)) |
174 |
++ return 0; |
175 |
++ |
176 |
++ size = (mpz_sizeinbase(n, 2) + 7) / 8; |
177 |
+ |
178 |
+ if (size < RSA_MINIMUM_N_OCTETS) |
179 |
+ return 0; |
180 |
+diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c |
181 |
+index e9b1c03..a429664 100644 |
182 |
+--- a/testsuite/rsa-test.c |
183 |
++++ b/testsuite/rsa-test.c |
184 |
+@@ -57,6 +57,13 @@ test_main(void) |
185 |
+ |
186 |
+ test_rsa_sha512(&pub, &key, expected); |
187 |
+ |
188 |
++ /* Test detection of invalid keys with even modulo */ |
189 |
++ mpz_clrbit (pub.n, 0); |
190 |
++ ASSERT (!rsa_public_key_prepare (&pub)); |
191 |
++ |
192 |
++ mpz_clrbit (key.p, 0); |
193 |
++ ASSERT (!rsa_private_key_prepare (&key)); |
194 |
++ |
195 |
+ /* 777-bit key, generated by |
196 |
+ * |
197 |
+ * lsh-keygen -a rsa -l 777 -f advanced-hex |
198 |
+-- |
199 |
+2.7.3 |
200 |
+ |
201 |
|
202 |
diff --git a/dev-libs/nettle/nettle-3.2-r1.ebuild b/dev-libs/nettle/nettle-3.2-r1.ebuild |
203 |
new file mode 100644 |
204 |
index 0000000..3ed9631 |
205 |
--- /dev/null |
206 |
+++ b/dev-libs/nettle/nettle-3.2-r1.ebuild |
207 |
@@ -0,0 +1,67 @@ |
208 |
+# Copyright 1999-2016 Gentoo Foundation |
209 |
+# Distributed under the terms of the GNU General Public License v2 |
210 |
+# $Id$ |
211 |
+ |
212 |
+EAPI=6 |
213 |
+ |
214 |
+inherit autotools eutils multilib-build multilib-minimal multilib toolchain-funcs |
215 |
+ |
216 |
+DESCRIPTION="Low-level cryptographic library" |
217 |
+HOMEPAGE="http://www.lysator.liu.se/~nisse/nettle/" |
218 |
+SRC_URI="mirror://gnu/${PN}/${P}.tar.gz" |
219 |
+ |
220 |
+LICENSE="|| ( LGPL-3 LGPL-2.1 )" |
221 |
+SLOT="0/6" # subslot = libnettle soname version |
222 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x86-solaris" |
223 |
+IUSE="doc +gmp neon static-libs test cpu_flags_x86_aes" |
224 |
+ |
225 |
+DEPEND="gmp? ( >=dev-libs/gmp-5.0:0[${MULTILIB_USEDEP}] )" |
226 |
+RDEPEND="${DEPEND} |
227 |
+ abi_x86_32? ( |
228 |
+ !<=app-emulation/emul-linux-x86-baselibs-20131008-r17 |
229 |
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] |
230 |
+ )" |
231 |
+ |
232 |
+PATCHES=( |
233 |
+ "${FILESDIR}/${P}-CVE-2016-6489.patch" |
234 |
+) |
235 |
+ |
236 |
+MULTILIB_WRAPPED_HEADERS=( |
237 |
+ /usr/include/nettle/nettle-stdint.h |
238 |
+ /usr/include/nettle/version.h |
239 |
+) |
240 |
+ |
241 |
+src_prepare() { |
242 |
+ default |
243 |
+ |
244 |
+ sed -e '/CFLAGS=/s: -ggdb3::' \ |
245 |
+ -e 's/solaris\*)/sunldsolaris*)/' \ |
246 |
+ -i configure.ac || die |
247 |
+ |
248 |
+ # conditionally build tests and examples required by tests |
249 |
+ use test || sed -i '/SUBDIRS/s/testsuite examples//' Makefile.in || die |
250 |
+ |
251 |
+ eautoreconf |
252 |
+} |
253 |
+ |
254 |
+multilib_src_configure() { |
255 |
+ # --disable-openssl bug #427526 |
256 |
+ ECONF_SOURCE="${S}" econf \ |
257 |
+ --libdir="${EPREFIX}"/usr/$(get_libdir) \ |
258 |
+ --disable-openssl \ |
259 |
+ --disable-fat \ |
260 |
+ $(use_enable gmp public-key) \ |
261 |
+ $(use_enable static-libs static) \ |
262 |
+ $(tc-is-static-only && echo --disable-shared) \ |
263 |
+ $(use_enable doc documentation) \ |
264 |
+ $(use_enable neon arm-neon) \ |
265 |
+ $(use_enable cpu_flags_x86_aes x86-aesni) |
266 |
+} |
267 |
+ |
268 |
+multilib_src_install_all() { |
269 |
+ einstalldocs |
270 |
+ if use doc ; then |
271 |
+ dohtml nettle.html |
272 |
+ dodoc nettle.pdf |
273 |
+ fi |
274 |
+} |