From patchwork Sat May 4 20:59:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 43262 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6EC01C10F1A for ; Sat, 4 May 2024 21:00:30 +0000 (UTC) Received: from mta-65-225.siemens.flowmailer.net (mta-65-225.siemens.flowmailer.net [185.136.65.225]) by mx.groups.io with SMTP id smtpd.web10.6327.1714856427453051080 for ; Sat, 04 May 2024 14:00:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=NP/G7tgs; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.225, mailfrom: fm-256628-202405042100231dee07a470686ceaf9-rz0l5a@rts-flowmailer.siemens.com) Received: by mta-65-225.siemens.flowmailer.net with ESMTPSA id 202405042100231dee07a470686ceaf9 for ; Sat, 04 May 2024 23:00:24 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=UjGfXMGpI/g/Oz03LcCdQX16TcXOR+SZvYBKUSPFTHE=; b=NP/G7tgsJZOWM6zO/rg//saW7lTA3rEYYZnGkVUTRI380FFBEoaRfOze/HwPkNKlERAXrm aoDqUI2izHcHO9UZPG86Ecm+lph3Lh6ndIUwPPffbQheXv5fQ88R3P9wO1yKDQP4vzRK06qD yl7khW9yqRW50jYKgU4PDlLEvVS3I=; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-oe][kirkstone][PATCH 1/2] nss: patch CVE-2023-5388 Date: Sat, 4 May 2024 22:59:26 +0200 Message-Id: <20240504205927.3399327-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 04 May 2024 21:00:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/110254 From: Peter Marko https://nvd.nist.gov/vuln/detail/CVE-2023-5388 mentions bug 1780432 as tracking fix for this issue. Signed-off-by: Peter Marko --- ...2023-5388-Timing-attack-against-RSA-.patch | 681 ++++++++++++++++++ meta-oe/recipes-support/nss/nss_3.74.bb | 1 + 2 files changed, 682 insertions(+) create mode 100644 meta-oe/recipes-support/nss/nss/0001-Bug-1780432-CVE-2023-5388-Timing-attack-against-RSA-.patch diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1780432-CVE-2023-5388-Timing-attack-against-RSA-.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1780432-CVE-2023-5388-Timing-attack-against-RSA-.patch new file mode 100644 index 0000000000..d7c5aae50a --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1780432-CVE-2023-5388-Timing-attack-against-RSA-.patch @@ -0,0 +1,681 @@ +From 765b89613b16866c3f3241605d84917e5c5baf0d Mon Sep 17 00:00:00 2001 +From: Robert Relyea +Date: Wed, 14 Feb 2024 18:55:02 +0000 +Subject: [PATCH] Bug 1780432 (CVE-2023-5388) Timing attack against RSA + decryption (in TLS) r=jschanck + +1. Add Constant time mult mod functions. + a. constant time mul + b. use constant time montgomery reduce. + +2. Use montgomery values for blinding. + +Differential Revision: https://phabricator.services.mozilla.com/D197807 + +--HG-- +extra : moz-landing-system : lando + +CVE: CVE-2023-5388 +Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/765b89613b16866c3f3241605d84917e5c5baf0d] + +Signed-off-by: Peter Marko +--- + lib/freebl/mpi/mpi-priv.h | 3 + + lib/freebl/mpi/mpi.c | 300 +++++++++++++++++++++++++++++++++++--- + lib/freebl/mpi/mpi.h | 41 ++++++ + lib/freebl/mpi/mpmontg.c | 29 ++-- + lib/freebl/rsa.c | 16 +- + 5 files changed, 358 insertions(+), 31 deletions(-) + +diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h +index 9447a818f..b4333fb6b 100644 +--- a/lib/freebl/mpi/mpi-priv.h ++++ b/lib/freebl/mpi/mpi-priv.h +@@ -204,6 +204,9 @@ void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, + void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a, + mp_size a_len, mp_digit b, + mp_digit *c); ++void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a, ++ mp_size a_len, mp_digit b, ++ mp_digit *c, mp_size c_len); + void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a, + mp_size a_len, + mp_digit *sqrs); +diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c +index 2e6cd8466..7749dc710 100644 +--- a/lib/freebl/mpi/mpi.c ++++ b/lib/freebl/mpi/mpi.c +@@ -13,6 +13,8 @@ + #include + #endif + ++#include ++ + #if defined(__arm__) && \ + ((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__)) + /* 16-bit thumb or ARM v3 doesn't work inlined assember version */ +@@ -805,15 +807,18 @@ CLEANUP: + + /* }}} */ + +-/* {{{ mp_mul(a, b, c) */ ++/* {{{ s_mp_mulg(a, b, c) */ + + /* +- mp_mul(a, b, c) ++ s_mp_mulg(a, b, c) + +- Compute c = a * b. All parameters may be identical. ++ Compute c = a * b. All parameters may be identical. if constantTime is set, ++ then the operations are done in constant time. The original is mostly ++ constant time as long as s_mpv_mul_d_add() is constant time. This is true ++ of the x86 assembler, as well as the current c code. + */ + mp_err +-mp_mul(const mp_int *a, const mp_int *b, mp_int *c) ++s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime) + { + mp_digit *pb; + mp_int tmp; +@@ -849,7 +854,14 @@ mp_mul(const mp_int *a, const mp_int *b, mp_int *c) + goto CLEANUP; + + #ifdef NSS_USE_COMBA +- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) { ++ /* comba isn't constant time because it clamps! If we cared ++ * (we needed a constant time version of multiply that was 'faster' ++ * we could easily pass constantTime down to the comba code and ++ * get it to skip the clamp... but here are assembler versions ++ * which add comba to platforms that can't compile the normal ++ * comba's imbedded assembler which would also need to change, so ++ * for now we just skip comba when we are running constant time. */ ++ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) { + if (MP_USED(a) == 4) { + s_mp_mul_comba_4(a, b, c); + goto CLEANUP; +@@ -879,13 +891,15 @@ mp_mul(const mp_int *a, const mp_int *b, mp_int *c) + mp_digit b_i = *pb++; + + /* Inner product: Digits of a */ +- if (b_i) ++ if (constantTime || b_i) + s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib); + else + MP_DIGIT(c, ib + useda) = b_i; + } + +- s_mp_clamp(c); ++ if (!constantTime) { ++ s_mp_clamp(c); ++ } + + if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ) + SIGN(c) = ZPOS; +@@ -895,10 +909,54 @@ mp_mul(const mp_int *a, const mp_int *b, mp_int *c) + CLEANUP: + mp_clear(&tmp); + return res; ++} /* end smp_mulg() */ ++ ++/* }}} */ ++ ++/* {{{ mp_mul(a, b, c) */ ++ ++/* ++ mp_mul(a, b, c) ++ ++ Compute c = a * b. All parameters may be identical. ++ */ ++ ++mp_err ++mp_mul(const mp_int *a, const mp_int *b, mp_int *c) ++{ ++ return s_mp_mulg(a, b, c, 0); + } /* end mp_mul() */ + + /* }}} */ + ++/* {{{ mp_mulCT(a, b, c) */ ++ ++/* ++ mp_mulCT(a, b, c) ++ ++ Compute c = a * b. In constant time. Parameters may not be identical. ++ NOTE: a and b may be modified. ++ */ ++ ++mp_err ++mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize) ++{ ++ mp_err res; ++ ++ /* make the multiply values fixed length so multiply ++ * doesn't leak the length. at this point all the ++ * values are blinded, but once we finish we want the ++ * output size to be hidden (so no clamping the out put) */ ++ MP_CHECKOK(s_mp_pad(a, setSize)); ++ MP_CHECKOK(s_mp_pad(b, setSize)); ++ MP_CHECKOK(s_mp_pad(c, 2 * setSize)); ++ MP_CHECKOK(s_mp_mulg(a, b, c, 1)); ++CLEANUP: ++ return res; ++} /* end mp_mulCT() */ ++ ++/* }}} */ ++ + /* {{{ mp_sqr(a, sqr) */ + + #if MP_SQUARE +@@ -1271,6 +1329,138 @@ mp_mod(const mp_int *a, const mp_int *m, mp_int *c) + + /* }}} */ + ++/* {{{ s_mp_subCT_d(a, b, borrow, c) */ ++ ++/* ++ s_mp_subCT_d(a, b, borrow, c) ++ ++ Compute c = (a -b) - subtract in constant time. returns borrow ++ */ ++mp_digit ++s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) ++{ ++ *ret = a - b - borrow; ++ return MP_CT_LTU(a, *ret) | (MP_CT_EQ(a, *ret) & borrow); ++} /* s_mp_subCT_d() */ ++ ++/* }}} */ ++ ++/* {{{ mp_subCT(a, b, ret, borrow) */ ++ ++/* return ret= a - b and borrow in borrow. done in constant time. ++ * b could be modified. ++ */ ++mp_err ++mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow) ++{ ++ mp_size used_a = MP_USED(a); ++ mp_size i; ++ mp_err res; ++ ++ MP_CHECKOK(s_mp_pad(b, used_a)); ++ MP_CHECKOK(s_mp_pad(ret, used_a)); ++ *borrow = 0; ++ for (i = 0; i < used_a; i++) { ++ *borrow = s_mp_subCT_d(MP_DIGIT(a, i), MP_DIGIT(b, i), *borrow, ++ &MP_DIGIT(ret, i)); ++ } ++ ++ res = MP_OKAY; ++CLEANUP: ++ return res; ++} /* end mp_subCT() */ ++ ++/* }}} */ ++ ++/* {{{ mp_selectCT(cond, a, b, ret) */ ++ ++/* ++ * return ret= cond ? a : b; cond should be either 0 or 1 ++ */ ++mp_err ++mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret) ++{ ++ mp_size used_a = MP_USED(a); ++ mp_err res; ++ mp_size i; ++ ++ cond *= MP_DIGIT_MAX; ++ ++ /* we currently require these to be equal on input, ++ * we could use pad to extend one of them, but that might ++ * leak data as it wouldn't be constant time */ ++ if (used_a != MP_USED(b)) { ++ return MP_BADARG; ++ } ++ ++ MP_CHECKOK(s_mp_pad(ret, used_a)); ++ for (i = 0; i < used_a; i++) { ++ MP_DIGIT(ret, i) = MP_CT_SEL_DIGIT(cond, MP_DIGIT(a, i), MP_DIGIT(b, i)); ++ } ++ res = MP_OKAY; ++CLEANUP: ++ return res; ++} /* end mp_selectCT() */ ++ ++/* {{{ mp_reduceCT(a, m, c) */ ++ ++/* ++ mp_reduceCT(a, m, c) ++ ++ Compute c = aR^-1 (mod m) in constant time. ++ input should be in montgomery form. If input is the ++ result of a montgomery multiply then out put will be ++ in mongomery form. ++ Result will be reduced to MP_USED(m), but not be ++ clamped. ++ */ ++ ++mp_err ++mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c) ++{ ++ mp_size used_m = MP_USED(m); ++ mp_size used_c = used_m * 2 + 1; ++ mp_digit *m_digits, *c_digits; ++ mp_size i; ++ mp_digit borrow, carry; ++ mp_err res; ++ mp_int sub; ++ ++ MP_DIGITS(&sub) = 0; ++ MP_CHECKOK(mp_init_size(&sub, used_m)); ++ ++ if (a != c) { ++ MP_CHECKOK(mp_copy(a, c)); ++ } ++ MP_CHECKOK(s_mp_pad(c, used_c)); ++ m_digits = MP_DIGITS(m); ++ c_digits = MP_DIGITS(c); ++ for (i = 0; i < used_m; i++) { ++ mp_digit m_i = MP_DIGIT(c, i) * n0i; ++ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--); ++ } ++ s_mp_rshd(c, used_m); ++ /* MP_USED(c) should be used_m+1 with the high word being any carry ++ * from the previous multiply, save that carry and drop the high ++ * word for the substraction below */ ++ carry = MP_DIGIT(c, used_m); ++ MP_DIGIT(c, used_m) = 0; ++ MP_USED(c) = used_m; ++ /* mp_subCT wants c and m to be the same size, we've already ++ * guarrenteed that in the previous statement, so mp_subCT won't actually ++ * modify m, so it's safe to recast */ ++ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow)); ++ ++ /* we return c-m if c >= m no borrow or there was a borrow and a carry */ ++ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c)); ++ res = MP_OKAY; ++CLEANUP: ++ mp_clear(&sub); ++ return res; ++} /* end mp_reduceCT() */ ++ ++/* }}} */ ++ + /* {{{ mp_mod_d(a, d, c) */ + + /* +@@ -1387,6 +1577,37 @@ mp_mulmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c) + + /* }}} */ + ++/* {{{ mp_mulmontmodCT(a, b, m, c) */ ++ ++/* ++ mp_mulmontmodCT(a, b, m, c) ++ ++ Compute c = (a * b) mod m in constant time wrt a and b. either a or b ++ should be in montgomery form and the output is native. If both a and b ++ are in montgomery form, then the output will also be in montgomery form ++ and can be recovered with an mp_reduceCT call. ++ NOTE: a and b may be modified. ++ */ ++ ++mp_err ++mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, ++ mp_int *c) ++{ ++ mp_err res; ++ ++ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG); ++ ++ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY) ++ return res; ++ ++ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY) ++ return res; ++ ++ return MP_OKAY; ++} ++ ++/* }}} */ ++ + /* {{{ mp_sqrmod(a, m, c) */ + + #if MP_SQUARE +@@ -3946,15 +4167,63 @@ s_mp_mul(mp_int *a, const mp_int *b) + a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \ + a1b0 += a0b1; \ + Phi += a1b0 >> MP_HALF_DIGIT_BIT; \ +- if (a1b0 < a0b1) \ +- Phi += MP_HALF_RADIX; \ ++ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \ + a1b0 <<= MP_HALF_DIGIT_BIT; \ + Plo += a1b0; \ +- if (Plo < a1b0) \ +- ++Phi; \ ++ Phi += MP_CT_LTU(Plo, a1b0); \ + } + #endif + ++/* Constant time version of s_mpv_mul_d_add_prop. ++ * Presently, this is only used by the Constant time Montgomery arithmetic code. */ ++/* c += a * b */ ++void ++s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b, ++ mp_digit *c, mp_size c_len) ++{ ++#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD) ++ mp_digit d = 0; ++ ++ c_len -= a_len; ++ /* Inner product: Digits of a */ ++ while (a_len--) { ++ mp_word w = ((mp_word)b * *a++) + *c + d; ++ *c++ = ACCUM(w); ++ d = CARRYOUT(w); ++ } ++ ++ /* propagate the carry to the end, even if carry is zero */ ++ while (c_len--) { ++ mp_word w = (mp_word)*c + d; ++ *c++ = ACCUM(w); ++ d = CARRYOUT(w); ++ } ++#else ++ mp_digit carry = 0; ++ c_len -= a_len; ++ while (a_len--) { ++ mp_digit a_i = *a++; ++ mp_digit a0b0, a1b1; ++ MP_MUL_DxD(a_i, b, a1b1, a0b0); ++ ++ a0b0 += carry; ++ a1b1 += MP_CT_LTU(a0b0, carry); ++ a0b0 += a_i = *c; ++ a1b1 += MP_CT_LTU(a0b0, a_i); ++ ++ *c++ = a0b0; ++ carry = a1b1; ++ } ++ /* propagate the carry to the end, even if carry is zero */ ++ while (c_len--) { ++ mp_digit c_i = *c; ++ carry += c_i; ++ *c++ = carry; ++ carry = MP_CT_LTU(carry, c_i); ++ } ++#endif ++} ++ + #if !defined(MP_ASSEMBLY_MULTIPLY) + /* c = a * b */ + void +@@ -3979,8 +4248,7 @@ s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) + MP_MUL_DxD(a_i, b, a1b1, a0b0); + + a0b0 += carry; +- if (a0b0 < carry) +- ++a1b1; ++ a1b1 += MP_CT_LTU(a0b0, carry); + *c++ = a0b0; + carry = a1b1; + } +@@ -4012,11 +4280,9 @@ s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, + MP_MUL_DxD(a_i, b, a1b1, a0b0); + + a0b0 += carry; +- if (a0b0 < carry) +- ++a1b1; ++ a1b1 += MP_CT_LTU(a0b0, carry); + a0b0 += a_i = *c; +- if (a0b0 < a_i) +- ++a1b1; ++ a1b1 += MP_CT_LTU(a0b0, a_i); + *c++ = a0b0; + carry = a1b1; + } +diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h +index 4ba9b6a4b..dd129db0d 100644 +--- a/lib/freebl/mpi/mpi.h ++++ b/lib/freebl/mpi/mpi.h +@@ -150,6 +150,38 @@ typedef int mp_sword; + /* This defines the maximum I/O base (minimum is 2) */ + #define MP_MAX_RADIX 64 + ++/* Constant Time Macros on mp_digits */ ++#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1))) ++#define MP_CT_TRUE ((mp_digit)1) ++#define MP_CT_FALSE ((mp_digit)0) ++ ++/* basic zero and non zero tests */ ++#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x))))) ++#define MP_CT_ZERO(x) (MP_CT_TRUE ^ MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x))))) ++ ++/* basic constant-time helper macro for equalities and inequalities. ++ * The inequalities will produce incorrect results if ++ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay ++ * within the range 0-MP_DIGIT_MAX/2. */ ++#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) ^ (b))) ++#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) ^ (b))) ++#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a)) ++#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b)) ++#define MP_CT_GE(a, b) (MP_CT_TRUE ^ MP_CT_LT(a, b)) ++#define MP_CT_LE(a, b) (MP_CT_TRUE ^ MP_CT_GT(a, b)) ++ ++/* use constant time result to select a boolean value ++ * or an mp digit depending on the args */ ++#define MP_CT_SEL(m, l, r) ((r) ^ ((m) & ((r) ^ (l)))) ++#define MP_CT_SELB(m, l, r) MP_CT_SEL(m, l, r) /* mask, l and r are booleans */ ++#define MP_CT_SEL_DIGIT(m, l, r) MP_CT_SEL(m, l, r) /*mask, l, and r are mp_digit */ ++ ++/* full inequalities that work with full mp_digit values */ ++#define MP_CT_OVERFLOW(a, b, c, d) \ ++ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a) ^ (b)), \ ++ (MP_CT_HIGH_TO_LOW(d)), c) ++#define MP_CT_LTU(a, b) MP_CT_OVERFLOW(a, b, MP_CT_LT(a, b), b) ++ + typedef struct { + mp_sign sign; /* sign of this quantity */ + mp_size alloc; /* how many digits allocated */ +@@ -190,7 +222,9 @@ mp_err mp_neg(const mp_int *a, mp_int *b); + /* Full arithmetic */ + mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c); + mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c); ++mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow); + mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c); ++mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize); + #if MP_SQUARE + mp_err mp_sqr(const mp_int *a, mp_int *b); + #else +@@ -217,6 +251,12 @@ mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c); + mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c); + #endif /* MP_MODARITH */ + ++/* montgomery math */ ++mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont); ++mp_digit mp_calculate_mont_n0i(const mp_int *N); ++mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct); ++mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c); ++ + /* Comparisons */ + int mp_cmp_z(const mp_int *a); + int mp_cmp_d(const mp_int *a, mp_digit d); +@@ -224,6 +264,7 @@ int mp_cmp(const mp_int *a, const mp_int *b); + int mp_cmp_mag(const mp_int *a, const mp_int *b); + int mp_isodd(const mp_int *a); + int mp_iseven(const mp_int *a); ++mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret); + + /* Number theoretic */ + mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c); +diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c +index 58f5cde2a..63842c631 100644 +--- a/lib/freebl/mpi/mpmontg.c ++++ b/lib/freebl/mpi/mpmontg.c +@@ -129,20 +129,27 @@ CLEANUP: + } + #endif + +-STATIC + mp_err +-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont) ++mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont) + { + mp_err res; + + /* xMont = x * R mod N where N is modulus */ +- MP_CHECKOK(mp_copy(x, xMont)); +- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */ +- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */ ++ if (x != xMont) { ++ MP_CHECKOK(mp_copy(x, xMont)); ++ } ++ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */ ++ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */ + CLEANUP: + return res; + } + ++mp_digit ++mp_calculate_mont_n0i(const mp_int *N) ++{ ++ return 0 - s_mp_invmod_radix(MP_DIGIT(N, 0)); ++} ++ + #ifdef MP_USING_MONT_MULF + + /* the floating point multiply is already cache safe, +@@ -198,7 +205,7 @@ mp_exptmod_f(const mp_int *montBase, + MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2)); + + mp_set(&accum1, 1); +- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); ++ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); + MP_CHECKOK(s_mp_pad(&accum1, nLen)); + + oddPowSize = 2 * nLen + 1; +@@ -478,7 +485,7 @@ mp_exptmod_i(const mp_int *montBase, + + /* set accumulator to montgomery residue of 1 */ + mp_set(&accum1, 1); +- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); ++ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); + pa1 = &accum1; + pa2 = &accum2; + +@@ -865,7 +872,7 @@ mp_exptmod_safe_i(const mp_int *montBase, + MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2)); + MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2)); + mp_set(&accum[0], 1); +- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0])); ++ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0])); + MP_CHECKOK(mp_copy(montBase, &accum[1])); + SQR(montBase, &accum[2]); + MUL_NOWEAVE(montBase, &accum[2], &accum[3]); +@@ -884,7 +891,7 @@ mp_exptmod_safe_i(const mp_int *montBase, + } else { + if (first_window == 0) { + mp_set(&accum1, 1); +- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); ++ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); + } else { + /* assert first_window == 1? */ + MP_CHECKOK(mp_copy(montBase, &accum1)); +@@ -1055,9 +1062,9 @@ mp_exptmod(const mp_int *inBase, const mp_int *exponent, + /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX + ** where n0 = least significant mp_digit of N, the modulus. + */ +- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0)); ++ mmm.n0prime = mp_calculate_mont_n0i(modulus); + +- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase)); ++ MP_CHECKOK(mp_to_mont(base, modulus, &montBase)); + + bits_in_exponent = mpl_significant_bits(exponent); + #ifdef MP_USING_CACHE_SAFE_MOD_EXP +diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c +index 200f1bd55..67d65ba2b 100644 +--- a/lib/freebl/rsa.c ++++ b/lib/freebl/rsa.c +@@ -64,6 +64,8 @@ struct RSABlindingParamsStr { + SECItem modulus; /* list element "key" */ + blindingParams *free, *bp; /* Blinding parameters queue */ + blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE]; ++ /* precalculate montegomery reduction value */ ++ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */ + }; + typedef struct RSABlindingParamsStr RSABlindingParams; + +@@ -1146,6 +1148,8 @@ generate_blinding_params(RSAPrivateKey *key, mp_int *f, mp_int *g, mp_int *n, + CHECK_MPI_OK(mp_exptmod(&k, &e, n, f)); + /* g = k**-1 mod n */ + CHECK_MPI_OK(mp_invmod(&k, n, g)); ++ /* g in montgomery form.. */ ++ CHECK_MPI_OK(mp_to_mont(g, n, g)); + cleanup: + if (kb) + PORT_ZFree(kb, modLen); +@@ -1182,13 +1186,16 @@ init_blinding_params(RSABlindingParams *rsabp, RSAPrivateKey *key, + rsabp->bp = NULL; + rsabp->free = bp; + ++ /* precalculate montgomery reduction parameter */ ++ rsabp->n0i = mp_calculate_mont_n0i(n); ++ + /* List elements are keyed using the modulus */ + return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus); + } + + static SECStatus + get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen, +- mp_int *f, mp_int *g) ++ mp_int *f, mp_int *g, mp_digit *n0i) + { + RSABlindingParams *rsabp = NULL; + blindingParams *bpUnlinked = NULL; +@@ -1248,6 +1255,7 @@ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen, + /* We've found (or created) the RSAblindingParams struct for this key. + * Now, search its list of ready blinding params for a usable one. + */ ++ *n0i = rsabp->n0i; + while (0 != (bp = rsabp->bp)) { + #ifndef UNSAFE_FUZZER_MODE + if (--(bp->counter) > 0) +@@ -1355,6 +1363,7 @@ cleanup: + if (err) { + MP_TO_SEC_ERROR(err); + } ++ *n0i = 0; + return SECFailure; + } + +@@ -1374,6 +1383,7 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, + mp_err err; + mp_int n, c, m; + mp_int f, g; ++ mp_digit n0i; + if (!key || !output || !input) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; +@@ -1401,7 +1411,7 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, + ** blinding factor + */ + if (nssRSAUseBlinding) { +- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g)); ++ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i)); + /* c' = c*f mod n */ + CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c)); + } +@@ -1422,7 +1432,7 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, + */ + if (nssRSAUseBlinding) { + /* m = m'*g mod n */ +- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m)); ++ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m)); + } + err = mp_to_fixlen_octets(&m, output, modLen); + if (err >= 0) +-- +2.30.2 + diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb index 333bbdfef0..c394c82e69 100644 --- a/meta-oe/recipes-support/nss/nss_3.74.bb +++ b/meta-oe/recipes-support/nss/nss_3.74.bb @@ -32,6 +32,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://system-pkcs11.txt \ file://nss-fix-nsinstall-build.patch \ file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \ + file://0001-Bug-1780432-CVE-2023-5388-Timing-attack-against-RSA-.patch;patchdir=nss \ " SRC_URI[sha256sum] = "88928811f9f40f87d42e2eaccdf6e454562e51486067f2ddbe90aa47ea6cd056" From patchwork Sat May 4 20:59:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Marko, Peter" X-Patchwork-Id: 43263 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6DED9C4345F for ; Sat, 4 May 2024 21:00:30 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.6328.1714856429458354147 for ; Sat, 04 May 2024 14:00:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm1 header.b=PwgK4Wqt; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20240504210026cd4b99be1a7924bf78-o_kepu@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20240504210026cd4b99be1a7924bf78 for ; Sat, 04 May 2024 23:00:26 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=MrwbqR1a5KUepyPA/A4E7oDjzuRMsoyyY0w3f3G/SMk=; b=PwgK4Wqt12XPqZQLjRKaRe9iWynrSbpLUovECsqiLzA8SjiG6y28wDXRdLPqCyIOuwicAt Egt4xz6wBuqX3tNw35vJdlWD5B/kjLS3NYs5co80Vy/M2E+mkJxWcIMR8b3VAkaqF+hLtj2H 6oQX1CWSVUw7Zu4DLReLKnAL3r7xQ=; From: Peter Marko To: openembedded-devel@lists.openembedded.org Cc: Peter Marko Subject: [meta-oe][kirkstone][PATCH 2/2] nss: patch CVE-2024-0743 Date: Sat, 4 May 2024 22:59:27 +0200 Message-Id: <20240504205927.3399327-2-peter.marko@siemens.com> In-Reply-To: <20240504205927.3399327-1-peter.marko@siemens.com> References: <20240504205927.3399327-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 04 May 2024 21:00:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/110255 From: Peter Marko https://nvd.nist.gov/vuln/detail/CVE-2024-0743 mentions bug 1867408 as tracking fix for this issue. Signed-off-by: Peter Marko --- ...a-defensive-check-for-large-ssl_DefS.patch | 40 +++++++++++++++++++ meta-oe/recipes-support/nss/nss_3.74.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-oe/recipes-support/nss/nss/0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch new file mode 100644 index 0000000000..af32c42aec --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch @@ -0,0 +1,40 @@ +From 2e75513a13e3cf4a16626ef654242b3b07cc8f29 Mon Sep 17 00:00:00 2001 +From: John Schanck +Date: Mon, 11 Dec 2023 19:24:14 +0000 +Subject: [PATCH] Bug 1867408 - add a defensive check for large ssl_DefSend + return values. r=nkulatova + +Differential Revision: https://phabricator.services.mozilla.com/D195054 + +--HG-- +extra : moz-landing-system : lando + +CVE: CVE-2024-0743 +Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/2e75513a13e3cf4a16626ef654242b3b07cc8f29] + +Signed-off-by: Peter Marko +--- + lib/ssl/sslsecur.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c +index 59ef064c9..9e994f4b5 100644 +--- a/lib/ssl/sslsecur.c ++++ b/lib/ssl/sslsecur.c +@@ -453,7 +453,12 @@ ssl_SendSavedWriteData(sslSocket *ss) + if (rv < 0) { + return rv; + } +- ss->pendingBuf.len -= rv; ++ if (rv > ss->pendingBuf.len) { ++ PORT_Assert(0); /* This shouldn't happen */ ++ ss->pendingBuf.len = 0; ++ } else { ++ ss->pendingBuf.len -= rv; ++ } + if (ss->pendingBuf.len > 0 && rv > 0) { + /* UGH !! This shifts the whole buffer down by copying it */ + PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv, +-- +2.30.2 + diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb index c394c82e69..26baf669d1 100644 --- a/meta-oe/recipes-support/nss/nss_3.74.bb +++ b/meta-oe/recipes-support/nss/nss_3.74.bb @@ -33,6 +33,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://nss-fix-nsinstall-build.patch \ file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \ file://0001-Bug-1780432-CVE-2023-5388-Timing-attack-against-RSA-.patch;patchdir=nss \ + file://0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch;patchdir=nss \ " SRC_URI[sha256sum] = "88928811f9f40f87d42e2eaccdf6e454562e51486067f2ddbe90aa47ea6cd056"