diff options
| -rw-r--r-- | package/nettle/0002-fix-CVE-2016-6489.patch | 181 | ||||
| -rw-r--r-- | package/nettle/nettle.hash | 2 | ||||
| -rw-r--r-- | package/nettle/nettle.mk | 4 |
3 files changed, 2 insertions, 185 deletions
diff --git a/package/nettle/0002-fix-CVE-2016-6489.patch b/package/nettle/0002-fix-CVE-2016-6489.patch deleted file mode 100644 index 8c99ff72f..000000000 --- a/package/nettle/0002-fix-CVE-2016-6489.patch +++ /dev/null @@ -1,181 +0,0 @@ -From 6450224f3e3c78fdfa37eadbe6ada8301279f6c1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> -Date: Mon, 20 Jun 2016 20:04:56 +0200 -Subject: Use mpz_powm_sec. -Subject: Check for invalid keys, with even p, in dsa_sign. -Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr. -Subject: Reject invalid RSA keys with even modulo. - -Patch status: upstream - -Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> - -diff --git a/bignum.h b/bignum.h -index 24158e0..0d30534 100644 ---- a/bignum.h -+++ b/bignum.h -@@ -53,6 +53,8 @@ - # define mpz_combit mpz_combit - # define mpz_import mpz_import - # define mpz_export mpz_export -+/* Side-channel silent powm not available in mini-gmp. */ -+# define mpz_powm_sec mpz_powm - #else - # include <gmp.h> - #endif -diff --git a/configure.ac b/configure.ac -index e1ee64c..1e88477 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -236,9 +236,9 @@ fi - # Checks for libraries - if test "x$enable_public_key" = "xyes" ; then - if test "x$enable_mini_gmp" = "xno" ; then -- AC_CHECK_LIB(gmp, __gmpz_getlimbn,, -+ AC_CHECK_LIB(gmp, __gmpz_powm_sec,, - [AC_MSG_WARN( -- [GNU MP not found, or not 3.1 or up, see http://gmplib.org/. -+ [GNU MP not found, or too old. GMP-5.0 or later is needed, see http://gmplib.org/. - Support for public key algorithms will be unavailable.])] - enable_public_key=no) - -diff --git a/dsa-sign.c b/dsa-sign.c -index 62c7d4a..b713743 100644 ---- a/dsa-sign.c -+++ b/dsa-sign.c -@@ -56,6 +56,11 @@ dsa_sign(const struct dsa_params *params, - mpz_t tmp; - int res; - -+ /* Check that p is odd, so that invalid keys don't result in a crash -+ inside mpz_powm_sec. */ -+ if (mpz_even_p (params->p)) -+ return 0; -+ - /* Select k, 0<k<q, randomly */ - mpz_init_set(tmp, params->q); - mpz_sub_ui(tmp, tmp, 1); -@@ -65,7 +70,7 @@ dsa_sign(const struct dsa_params *params, - mpz_add_ui(k, k, 1); - - /* Compute r = (g^k (mod p)) (mod q) */ -- mpz_powm(tmp, params->g, k, params->p); -+ mpz_powm_sec(tmp, params->g, k, params->p); - mpz_fdiv_r(signature->r, tmp, params->q); - - /* Compute hash */ -diff --git a/rsa-blind.c b/rsa-blind.c -index 7662f50..16b03d7 100644 ---- a/rsa-blind.c -+++ b/rsa-blind.c -@@ -61,7 +61,7 @@ _rsa_blind (const struct rsa_public_key *pub, - while (!mpz_invert (ri, r, pub->n)); - - /* c = c*(r^e) mod n */ -- mpz_powm(r, r, pub->e, pub->n); -+ mpz_powm_sec(r, r, pub->e, pub->n); - mpz_mul(c, c, r); - mpz_fdiv_r(c, c, pub->n); - -diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c -index 3d80ed4..8542cae 100644 ---- a/rsa-sign-tr.c -+++ b/rsa-sign-tr.c -@@ -60,7 +60,7 @@ rsa_blind (const struct rsa_public_key *pub, - while (!mpz_invert (ri, r, pub->n)); - - /* c = c*(r^e) mod n */ -- mpz_powm(r, r, pub->e, pub->n); -+ mpz_powm_sec(r, r, pub->e, pub->n); - mpz_mul(c, m, r); - mpz_fdiv_r(c, c, pub->n); - -@@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, - int res; - mpz_t t, mb, xb, ri; - -+ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the -+ key is invalid and rejected by rsa_private_key_prepare. However, -+ some applications, notably gnutls, don't use this function, and -+ we don't want an invalid key to lead to a crash down inside -+ mpz_powm_sec. So do an additional check here. */ -+ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) -+ return 0; -+ - mpz_init (mb); - mpz_init (xb); - mpz_init (ri); -@@ -97,7 +105,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub, - - rsa_compute_root (key, xb, mb); - -- mpz_powm(t, xb, pub->e, pub->n); -+ mpz_powm_sec(t, xb, pub->e, pub->n); - res = (mpz_cmp(mb, t) == 0); - - if (res) -diff --git a/rsa-sign.c b/rsa-sign.c -index eba7388..4832352 100644 ---- a/rsa-sign.c -+++ b/rsa-sign.c -@@ -96,11 +96,11 @@ rsa_compute_root(const struct rsa_private_key *key, - - /* Compute xq = m^d % q = (m%q)^b % q */ - mpz_fdiv_r(xq, m, key->q); -- mpz_powm(xq, xq, key->b, key->q); -+ mpz_powm_sec(xq, xq, key->b, key->q); - - /* Compute xp = m^d % p = (m%p)^a % p */ - mpz_fdiv_r(xp, m, key->p); -- mpz_powm(xp, xp, key->a, key->p); -+ mpz_powm_sec(xp, xp, key->a, key->p); - - /* Set xp' = (xp - xq) c % p. */ - mpz_sub(xp, xp, xq); -diff --git a/rsa.c b/rsa.c -index 19d93de..f594140 100644 ---- a/rsa.c -+++ b/rsa.c -@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key) - } - - /* Computes the size, in octets, of a the modulo. Returns 0 if the -- * modulo is too small to be useful. */ -- -+ * modulo is too small to be useful, or otherwise appears invalid. */ - size_t - _rsa_check_size(mpz_t n) - { - /* Round upwards */ -- size_t size = (mpz_sizeinbase(n, 2) + 7) / 8; -+ size_t size; -+ -+ /* Even moduli are invalid, and not supported by mpz_powm_sec. */ -+ if (mpz_even_p (n)) -+ return 0; -+ -+ size = (mpz_sizeinbase(n, 2) + 7) / 8; - - if (size < RSA_MINIMUM_N_OCTETS) - return 0; -diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c -index e9b1c03..a429664 100644 ---- a/testsuite/rsa-test.c -+++ b/testsuite/rsa-test.c -@@ -57,6 +57,13 @@ test_main(void) - - test_rsa_sha512(&pub, &key, expected); - -+ /* Test detection of invalid keys with even modulo */ -+ mpz_clrbit (pub.n, 0); -+ ASSERT (!rsa_public_key_prepare (&pub)); -+ -+ mpz_clrbit (key.p, 0); -+ ASSERT (!rsa_private_key_prepare (&key)); -+ - /* 777-bit key, generated by - * - * lsh-keygen -a rsa -l 777 -f advanced-hex --- -2.7.3 - diff --git a/package/nettle/nettle.hash b/package/nettle/nettle.hash index 6332e13a6..cd911c0d1 100644 --- a/package/nettle/nettle.hash +++ b/package/nettle/nettle.hash @@ -1,2 +1,2 @@ # Locally calculated after checking pgp signature -sha256 ea4283def236413edab5a4cf9cf32adf540c8df1b9b67641cfc2302fca849d97 nettle-3.2.tar.gz +sha256 46942627d5d0ca11720fec18d81fc38f7ef837ea4197c1f630e71ce0d470b11e nettle-3.3.tar.gz diff --git a/package/nettle/nettle.mk b/package/nettle/nettle.mk index 0fbe57b85..31789ec28 100644 --- a/package/nettle/nettle.mk +++ b/package/nettle/nettle.mk @@ -4,7 +4,7 @@ # ################################################################################ -NETTLE_VERSION = 3.2 +NETTLE_VERSION = 3.3 NETTLE_SITE = http://www.lysator.liu.se/~nisse/archive NETTLE_DEPENDENCIES = gmp NETTLE_INSTALL_STAGING = YES @@ -13,8 +13,6 @@ NETTLE_LICENSE_FILES = COPYING.LESSERv3 COPYINGv2 # don't include openssl support for (unused) examples as it has problems # with static linking NETTLE_CONF_OPTS = --disable-openssl -# For 0002-fix-CVE-2016-6489.patch -NETTLE_AUTORECONF = YES # ARM assembly requires v6+ ISA ifeq ($(BR2_ARM_CPU_ARMV4)$(BR2_ARM_CPU_ARMV5)$(BR2_ARM_CPU_ARMV7M),y) |