From: "Alon Bar-Lev" <alonbl@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/nettle/, dev-libs/nettle/files/
Date: Thu, 4 Aug 2016 19:42:08 +0000 (UTC) [thread overview]
Message-ID: <1470339703.e564743466a473d0c5df5d97f2bb8c0b5377f5fd.alonbl@gentoo> (raw)
commit: e564743466a473d0c5df5d97f2bb8c0b5377f5fd
Author: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 4 19:40:43 2016 +0000
Commit: Alon Bar-Lev <alonbl <AT> gentoo <DOT> org>
CommitDate: Thu Aug 4 19:41:43 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5647434
dev-libs/nettle - fix CVE-2016-6489
Bug: 590484
Package-Manager: portage-2.2.28
.../nettle/files/nettle-3.2-CVE-2016-6489.patch | 177 +++++++++++++++++++++
dev-libs/nettle/nettle-3.2-r1.ebuild | 67 ++++++++
2 files changed, 244 insertions(+)
diff --git a/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch b/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch
new file mode 100644
index 0000000..4776a20
--- /dev/null
+++ b/dev-libs/nettle/files/nettle-3.2-CVE-2016-6489.patch
@@ -0,0 +1,177 @@
+From 6450224f3e3c78fdfa37eadbe6ada8301279f6c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Mon, 20 Jun 2016 20:04:56 +0200
+Subject: Use mpz_powm_sec.
+Subject: Check for invalid keys, with even p, in dsa_sign.
+Subject: Reject invalid keys, with even moduli, in rsa_compute_root_tr.
+Subject: Reject invalid RSA keys with even modulo.
+
+diff --git a/bignum.h b/bignum.h
+index 24158e0..0d30534 100644
+--- a/bignum.h
++++ b/bignum.h
+@@ -53,6 +53,8 @@
+ # define mpz_combit mpz_combit
+ # define mpz_import mpz_import
+ # define mpz_export mpz_export
++/* Side-channel silent powm not available in mini-gmp. */
++# define mpz_powm_sec mpz_powm
+ #else
+ # include <gmp.h>
+ #endif
+diff --git a/configure.ac b/configure.ac
+index e1ee64c..1e88477 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -236,9 +236,9 @@ fi
+ # Checks for libraries
+ if test "x$enable_public_key" = "xyes" ; then
+ if test "x$enable_mini_gmp" = "xno" ; then
+- AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
++ AC_CHECK_LIB(gmp, __gmpz_powm_sec,,
+ [AC_MSG_WARN(
+- [GNU MP not found, or not 3.1 or up, see http://gmplib.org/.
++ [GNU MP not found, or too old. GMP-5.0 or later is needed, see http://gmplib.org/.
+ Support for public key algorithms will be unavailable.])]
+ enable_public_key=no)
+
+diff --git a/dsa-sign.c b/dsa-sign.c
+index 62c7d4a..b713743 100644
+--- a/dsa-sign.c
++++ b/dsa-sign.c
+@@ -56,6 +56,11 @@ dsa_sign(const struct dsa_params *params,
+ mpz_t tmp;
+ int res;
+
++ /* Check that p is odd, so that invalid keys don't result in a crash
++ inside mpz_powm_sec. */
++ if (mpz_even_p (params->p))
++ return 0;
++
+ /* Select k, 0<k<q, randomly */
+ mpz_init_set(tmp, params->q);
+ mpz_sub_ui(tmp, tmp, 1);
+@@ -65,7 +70,7 @@ dsa_sign(const struct dsa_params *params,
+ mpz_add_ui(k, k, 1);
+
+ /* Compute r = (g^k (mod p)) (mod q) */
+- mpz_powm(tmp, params->g, k, params->p);
++ mpz_powm_sec(tmp, params->g, k, params->p);
+ mpz_fdiv_r(signature->r, tmp, params->q);
+
+ /* Compute hash */
+diff --git a/rsa-blind.c b/rsa-blind.c
+index 7662f50..16b03d7 100644
+--- a/rsa-blind.c
++++ b/rsa-blind.c
+@@ -61,7 +61,7 @@ _rsa_blind (const struct rsa_public_key *pub,
+ while (!mpz_invert (ri, r, pub->n));
+
+ /* c = c*(r^e) mod n */
+- mpz_powm(r, r, pub->e, pub->n);
++ mpz_powm_sec(r, r, pub->e, pub->n);
+ mpz_mul(c, c, r);
+ mpz_fdiv_r(c, c, pub->n);
+
+diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c
+index 3d80ed4..8542cae 100644
+--- a/rsa-sign-tr.c
++++ b/rsa-sign-tr.c
+@@ -60,7 +60,7 @@ rsa_blind (const struct rsa_public_key *pub,
+ while (!mpz_invert (ri, r, pub->n));
+
+ /* c = c*(r^e) mod n */
+- mpz_powm(r, r, pub->e, pub->n);
++ mpz_powm_sec(r, r, pub->e, pub->n);
+ mpz_mul(c, m, r);
+ mpz_fdiv_r(c, c, pub->n);
+
+@@ -88,6 +88,14 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ int res;
+ mpz_t t, mb, xb, ri;
+
++ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
++ key is invalid and rejected by rsa_private_key_prepare. However,
++ some applications, notably gnutls, don't use this function, and
++ we don't want an invalid key to lead to a crash down inside
++ mpz_powm_sec. So do an additional check here. */
++ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q))
++ return 0;
++
+ mpz_init (mb);
+ mpz_init (xb);
+ mpz_init (ri);
+@@ -97,7 +105,7 @@ rsa_compute_root_tr(const struct rsa_public_key *pub,
+
+ rsa_compute_root (key, xb, mb);
+
+- mpz_powm(t, xb, pub->e, pub->n);
++ mpz_powm_sec(t, xb, pub->e, pub->n);
+ res = (mpz_cmp(mb, t) == 0);
+
+ if (res)
+diff --git a/rsa-sign.c b/rsa-sign.c
+index eba7388..4832352 100644
+--- a/rsa-sign.c
++++ b/rsa-sign.c
+@@ -96,11 +96,11 @@ rsa_compute_root(const struct rsa_private_key *key,
+
+ /* Compute xq = m^d % q = (m%q)^b % q */
+ mpz_fdiv_r(xq, m, key->q);
+- mpz_powm(xq, xq, key->b, key->q);
++ mpz_powm_sec(xq, xq, key->b, key->q);
+
+ /* Compute xp = m^d % p = (m%p)^a % p */
+ mpz_fdiv_r(xp, m, key->p);
+- mpz_powm(xp, xp, key->a, key->p);
++ mpz_powm_sec(xp, xp, key->a, key->p);
+
+ /* Set xp' = (xp - xq) c % p. */
+ mpz_sub(xp, xp, xq);
+diff --git a/rsa.c b/rsa.c
+index 19d93de..f594140 100644
+--- a/rsa.c
++++ b/rsa.c
+@@ -58,13 +58,18 @@ rsa_public_key_clear(struct rsa_public_key *key)
+ }
+
+ /* Computes the size, in octets, of a the modulo. Returns 0 if the
+- * modulo is too small to be useful. */
+-
++ * modulo is too small to be useful, or otherwise appears invalid. */
+ size_t
+ _rsa_check_size(mpz_t n)
+ {
+ /* Round upwards */
+- size_t size = (mpz_sizeinbase(n, 2) + 7) / 8;
++ size_t size;
++
++ /* Even moduli are invalid, and not supported by mpz_powm_sec. */
++ if (mpz_even_p (n))
++ return 0;
++
++ size = (mpz_sizeinbase(n, 2) + 7) / 8;
+
+ if (size < RSA_MINIMUM_N_OCTETS)
+ return 0;
+diff --git a/testsuite/rsa-test.c b/testsuite/rsa-test.c
+index e9b1c03..a429664 100644
+--- a/testsuite/rsa-test.c
++++ b/testsuite/rsa-test.c
+@@ -57,6 +57,13 @@ test_main(void)
+
+ test_rsa_sha512(&pub, &key, expected);
+
++ /* Test detection of invalid keys with even modulo */
++ mpz_clrbit (pub.n, 0);
++ ASSERT (!rsa_public_key_prepare (&pub));
++
++ mpz_clrbit (key.p, 0);
++ ASSERT (!rsa_private_key_prepare (&key));
++
+ /* 777-bit key, generated by
+ *
+ * lsh-keygen -a rsa -l 777 -f advanced-hex
+--
+2.7.3
+
diff --git a/dev-libs/nettle/nettle-3.2-r1.ebuild b/dev-libs/nettle/nettle-3.2-r1.ebuild
new file mode 100644
index 0000000..3ed9631
--- /dev/null
+++ b/dev-libs/nettle/nettle-3.2-r1.ebuild
@@ -0,0 +1,67 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit autotools eutils multilib-build multilib-minimal multilib toolchain-funcs
+
+DESCRIPTION="Low-level cryptographic library"
+HOMEPAGE="http://www.lysator.liu.se/~nisse/nettle/"
+SRC_URI="mirror://gnu/${PN}/${P}.tar.gz"
+
+LICENSE="|| ( LGPL-3 LGPL-2.1 )"
+SLOT="0/6" # subslot = libnettle soname version
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x86-solaris"
+IUSE="doc +gmp neon static-libs test cpu_flags_x86_aes"
+
+DEPEND="gmp? ( >=dev-libs/gmp-5.0:0[${MULTILIB_USEDEP}] )"
+RDEPEND="${DEPEND}
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20131008-r17
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+
+PATCHES=(
+ "${FILESDIR}/${P}-CVE-2016-6489.patch"
+)
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/nettle/nettle-stdint.h
+ /usr/include/nettle/version.h
+)
+
+src_prepare() {
+ default
+
+ sed -e '/CFLAGS=/s: -ggdb3::' \
+ -e 's/solaris\*)/sunldsolaris*)/' \
+ -i configure.ac || die
+
+ # conditionally build tests and examples required by tests
+ use test || sed -i '/SUBDIRS/s/testsuite examples//' Makefile.in || die
+
+ eautoreconf
+}
+
+multilib_src_configure() {
+ # --disable-openssl bug #427526
+ ECONF_SOURCE="${S}" econf \
+ --libdir="${EPREFIX}"/usr/$(get_libdir) \
+ --disable-openssl \
+ --disable-fat \
+ $(use_enable gmp public-key) \
+ $(use_enable static-libs static) \
+ $(tc-is-static-only && echo --disable-shared) \
+ $(use_enable doc documentation) \
+ $(use_enable neon arm-neon) \
+ $(use_enable cpu_flags_x86_aes x86-aesni)
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ if use doc ; then
+ dohtml nettle.html
+ dodoc nettle.pdf
+ fi
+}
next reply other threads:[~2016-08-04 19:42 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-04 19:42 Alon Bar-Lev [this message]
-- strict thread matches above, loose matches on Subject: below --
2017-06-14 18:02 [gentoo-commits] repo/gentoo:master commit in: dev-libs/nettle/, dev-libs/nettle/files/ Alon Bar-Lev
2017-07-23 18:09 Alon Bar-Lev
2021-01-04 21:09 Lars Wendler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1470339703.e564743466a473d0c5df5d97f2bb8c0b5377f5fd.alonbl@gentoo \
--to=alonbl@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox