From patchwork Mon Feb 12 13:54:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 39193 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 506F5C48297 for ; Mon, 12 Feb 2024 13:54:39 +0000 (UTC) Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) by mx.groups.io with SMTP id smtpd.web11.6803.1707746073748105990 for ; Mon, 12 Feb 2024 05:54:33 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=mJYHXe4P; spf=softfail (domain: sakoman.com, ip: 209.85.210.173, mailfrom: steve@sakoman.com) Received: by mail-pf1-f173.google.com with SMTP id d2e1a72fcca58-6e09a890341so1154328b3a.3 for ; Mon, 12 Feb 2024 05:54:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1707746073; x=1708350873; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=jYJDBnIMq/LIaC3QEZA1K2gLt/fUNq7hFR7jqGaRrYU=; b=mJYHXe4Psf7ZyBaElVSh+N3DbO+E1h28oPtN+ETjjFrYg7q5SjYqHb6PELOANvsHto sgiL8yh8UaaV0ND/KLs4p9N6oS/lOV/QEJ1/qn5F2LHzFg1kGDIcv1lueSj7yWk4kJq7 gofw2Xex7kqq+AhXM8481bX3le/OgGOR7YyygJT2y7fxCmy97gwWv8M79OOtEt0Xyt7F YBclHctpyq+OiEBTTzZyLaIRQIK8ByuzGnq1myX0fPU/QmM3fW0lEi/Nzx/ht5A5vQZ7 r9cZk6uQYZNxkegqYQfPo4OGpYHuvsVyYUxSsZdXEa/N4tBEiSK9ZNCXEL7HFt6fmfRe 6pIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707746073; x=1708350873; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jYJDBnIMq/LIaC3QEZA1K2gLt/fUNq7hFR7jqGaRrYU=; b=CEqzqambODg6t63HGsjw7LoJtso9FUNhp0a2v7mA7PMX88zKYG2lZ53XUeekxLQsWw u3yDyqZr9zdM5NxmwlLuJfeNz571g1AMQAW0gDIbk7obyYKYOP6qQuM8PwkU1V6MmOGt sxqE9+ATpIj/1UUXeBy1V6AebVUrNdpwO83SpdFQEY5L5k53Mzfg6g/sCfsvjgj5fhRw NY8zYO6QSU/SdWu0de/2DV0UmGTe+BnPQA7DC3tKsjBvfgBajwaZSHk4Hp8DYNjBtKVM a+lyNumZe0vxYV3fa1mTHBgw1MXxlwpIQmTczT2WrpBZOSsI99qQ1yJxk+nhXNhDatD+ HCuQ== X-Gm-Message-State: AOJu0Yz16OSsByCDUFq249Zq99LJ6xzCPt0iAVPO1h5IoGcD/GiJ2GhI rRHNDSdgy52q7XBC7eJ01n4pUfeu0iWp3U7gy/ACB8QKcrQUwfOpPvHSxnGFijOrkfh/sEy9wt0 xjWk= X-Google-Smtp-Source: AGHT+IHl3kmSHj+J8kxl+UjmBb6T+FEnSRWP+YnviXquQ4/3eXsafH6tYlA1szjoaB1PWefhOCoKlg== X-Received: by 2002:a05:6a20:9d94:b0:19e:a1a1:5360 with SMTP id mu20-20020a056a209d9400b0019ea1a15360mr5047908pzb.23.1707746072857; Mon, 12 Feb 2024 05:54:32 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id k69-20020a638448000000b005dc421f8889sm439889pgd.26.2024.02.12.05.54.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 05:54:32 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/8] libxml2: Fix for CVE-2024-25062 Date: Mon, 12 Feb 2024 03:54:12 -1000 Message-Id: <55027bc882cf6cab830f4e4f21fa9a2ffb4ad72e.1707745886.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 13:54:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195322 From: Vijay Anusuri Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libxml/libxml2/CVE-2024-25062.patch | 33 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch new file mode 100644 index 0000000000..5365d5546a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch @@ -0,0 +1,33 @@ +From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 14 Oct 2023 22:45:54 +0200 +Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when + backtracking + +Fixes a use-after-free if XML Reader if used with DTD validation and +XInclude expansion. + +Fixes #604. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7] +CVE: CVE-2024-25062 +Signed-off-by: Vijay Anusuri +--- + xmlreader.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/xmlreader.c b/xmlreader.c +index 979385a13..fefd68e0b 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -1443,6 +1443,7 @@ node_found: + * Handle XInclude if asked for + */ + if ((reader->xinclude) && (reader->in_xinclude == 0) && ++ (reader->state != XML_TEXTREADER_BACKTRACK) && + (reader->node != NULL) && + (reader->node->type == XML_ELEMENT_NODE) && + (reader->node->ns != NULL) && +-- +GitLab + diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 533a6dae01..2b7e9999d9 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb @@ -31,6 +31,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2023-39615-0002.patch \ file://CVE-2023-45322-1.patch \ file://CVE-2023-45322-2.patch \ + file://CVE-2024-25062.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" From patchwork Mon Feb 12 13:54:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 39196 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5705BC48BC0 for ; Mon, 12 Feb 2024 13:54:49 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web11.6808.1707746086215675222 for ; Mon, 12 Feb 2024 05:54:46 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=WW04h9zl; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-6e06c06c0f6so2431440b3a.0 for ; Mon, 12 Feb 2024 05:54:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1707746085; x=1708350885; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=kTX6mw4PlNw5FSEOoeOI/g1FaYo5UdL6dmmj2gfWxME=; b=WW04h9zlTVF81IW46OZ/hjDsjENj7NY8f4f55SyHRKllxjlY4nmV6YQWN0fIilQyPl xzSo0QDF4lJbHi0b0Y0xPUhEvMlCKUXhIuGTRDA/p7FTBntQnlKCkIHgnygCQXe5PLRp KxuQhtwb4YjM5TejKBdvpOKO8B6g9NouKBJXXo8eRZn/YSuAX/XMzMqcXhc3cn5foQe2 rsVaKK9pth7xTg1IvWBOl2Z0Q3ehbzpACJNfnXn0ld3jQ474W5PA91YocZLQ7usiCSmA YdfUFHcHlgxE/OdFWkVirV/4SgNVltJZuxflwMAcX0UjwaYgPs27MbqEpd3eBq8Zz79M e+pQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707746085; x=1708350885; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kTX6mw4PlNw5FSEOoeOI/g1FaYo5UdL6dmmj2gfWxME=; b=c65YIRKXZ2bEVofokTlDVYQbueGWKVv6ad5vdv5s6lNPlVmwMESKfBrdGjrwe5jBIl 0ztkSLVEDwey25V6pnFxc4S1Ep3t7Bpz5iF/taZvoR1ZOyAr5vn2UorEscaKUVXnuZyn hfNwWHKCOEDg/S7AO5RIWAoKh/4bWgFwpltbIglP3lAgVggn9oIenmj9PjkgFWvwRGnP 5y1a5JEEquUy2DitbdB0GpB2hDxn83hFclOzGoTC5w1Eaa80tl2xaAhWhbyJ/uuIJhKJ p2fHZwePBc6eF+hUdFUreefPwHg5J6nlNXIcOnWglmJiiwlTSEzprjBURYPM54mR+ikm yxCg== X-Gm-Message-State: AOJu0Ywcjuo9zr2lbeWak9iOwMhqrdCUzhaN3AwJJ+fhgxIUHXfl+tLu tEZDfKch8K1uXx6Nrq9atrn09pQ9K79kkNq6R5J7rfxDsuS2RqTQio4b1IqmgoBs39jmED9wcsH Dn+Q= X-Google-Smtp-Source: AGHT+IEiXmWhwI7EzEgrA/+if13eG0/4uwNOupuT1c4N+T/uBxwVQGSWqaCm7VyQ8sTZ1EjCz81YEw== X-Received: by 2002:a05:6a21:3984:b0:1a0:5bd6:a926 with SMTP id ad4-20020a056a21398400b001a05bd6a926mr633991pzc.26.1707746083883; Mon, 12 Feb 2024 05:54:43 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id k69-20020a638448000000b005dc421f8889sm439889pgd.26.2024.02.12.05.54.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 05:54:43 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/8] go: Fix CVE-2023-45285 and CVE-2023-45287 Date: Mon, 12 Feb 2024 03:54:13 -1000 Message-Id: <616857b9918e8d2e576239b3db2f9f077d1a7222.1707745886.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 13:54:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195323 From: Soumya Sambu CVE-2023-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). CVE-2023-45287: Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45285 https://nvd.nist.gov/vuln/detail/CVE-2023-45287 https://security-tracker.debian.org/tracker/CVE-2023-45285 https://security-tracker.debian.org/tracker/CVE-2023-45287 Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.17.13.inc | 2 + .../go/go-1.20/CVE-2023-45285.patch | 110 ++ .../go/go-1.20/CVE-2023-45287.patch | 1695 +++++++++++++++++ 3 files changed, 1807 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index 95c4461d3e..6fc07bb910 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc @@ -48,6 +48,8 @@ SRC_URI += "\ file://CVE-2023-39319.patch \ file://CVE-2023-39318.patch \ file://CVE-2023-39326.patch \ + file://CVE-2023-45285.patch \ + file://CVE-2023-45287.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" diff --git a/meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch b/meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch new file mode 100644 index 0000000000..0459ae0a1a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch @@ -0,0 +1,110 @@ +From 46bc33819ac86a9596b8059235842f0e0c7469bd Mon Sep 17 00:00:00 2001 +From: Bryan C. Mills +Date: Thu, 2 Nov 2023 15:06:35 -0400 +Subject: [PATCH] cmd/go/internal/vcs: error out if the requested repo does not + support a secure protocol + +Updates #63845. +Fixes #63972. + +Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8 +Reviewed-on: https://go-review.googlesource.com/c/go/+/539321 +Reviewed-by: Michael Matloob +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Roland Shoemaker +Auto-Submit: Bryan Mills +(cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3) +Reviewed-on: https://go-review.googlesource.com/c/go/+/540335 +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Dmitri Shuralyov + +CVE: CVE-2023-45285 + +Upstream-Status: Backport [https://github.com/golang/go/commit/46bc33819ac86a9596b8059235842f0e0c7469bd] + +Signed-off-by: Soumya Sambu +--- + src/cmd/go/internal/vcs/vcs.go | 25 +++++++++++++---- + .../script/mod_insecure_issue63845.txt | 28 +++++++++++++++++++ + 2 files changed, 47 insertions(+), 6 deletions(-) + create mode 100644 src/cmd/go/testdata/script/mod_insecure_issue63845.txt + +diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go +index ab42424..0e2882d 100644 +--- a/src/cmd/go/internal/vcs/vcs.go ++++ b/src/cmd/go/internal/vcs/vcs.go +@@ -891,19 +891,32 @@ func repoRootFromVCSPaths(importPath string, security web.SecurityMode, vcsPaths + if !srv.schemelessRepo { + repoURL = match["repo"] + } else { +- scheme := vcs.Scheme[0] // default to first scheme + repo := match["repo"] +- if vcs.PingCmd != "" { +- // If we know how to test schemes, scan to find one. ++ scheme, err := func() (string, error) { + for _, s := range vcs.Scheme { + if security == web.SecureOnly && !vcs.isSecureScheme(s) { + continue + } +- if vcs.Ping(s, repo) == nil { +- scheme = s +- break ++ ++ // If we know how to ping URL schemes for this VCS, ++ // check that this repo works. ++ // Otherwise, default to the first scheme ++ // that meets the requested security level. ++ if vcs.PingCmd == "" { ++ return s, nil ++ } ++ if err := vcs.Ping(s, repo); err == nil { ++ return s, nil + } + } ++ securityFrag := "" ++ if security == web.SecureOnly { ++ securityFrag = "secure " ++ } ++ return "", fmt.Errorf("no %sprotocol found for repository", securityFrag) ++ }() ++ if err != nil { ++ return nil, err + } + repoURL = scheme + "://" + repo + } +diff --git a/src/cmd/go/testdata/script/mod_insecure_issue63845.txt b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt +new file mode 100644 +index 0000000..5fa6a4f +--- /dev/null ++++ b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt +@@ -0,0 +1,28 @@ ++# Regression test for https://go.dev/issue/63845: ++# If 'git ls-remote' fails for all secure protocols, ++# we should fail instead of falling back to an arbitrary protocol. ++# ++# Note that this test does not use the local vcweb test server ++# (vcs-test.golang.org), because the hook for redirecting to that ++# server bypasses the "ping to determine protocol" logic ++# in cmd/go/internal/vcs. ++ ++[!net] skip ++[!git] skip ++[short] skip 'tries to access a nonexistent external Git repo' ++ ++env GOPRIVATE=golang.org ++env CURLOPT_TIMEOUT_MS=100 ++env GIT_SSH_COMMAND=false ++ ++! go get -x golang.org/nonexist.git@latest ++stderr '^git ls-remote https://golang.org/nonexist$' ++stderr '^git ls-remote git\+ssh://golang.org/nonexist' ++stderr '^git ls-remote ssh://golang.org/nonexist$' ++! stderr 'git://' ++stderr '^go: golang.org/nonexist.git@latest: no secure protocol found for repository$' ++ ++-- go.mod -- ++module example ++ ++go 1.19 +-- +2.40.0 diff --git a/meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch b/meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch new file mode 100644 index 0000000000..477e3c98ee --- /dev/null +++ b/meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch @@ -0,0 +1,1695 @@ +From 8a81fdf165facdcefa06531de5af98a4db343035 Mon Sep 17 00:00:00 2001 +From: Lúcás Meier +Date: Tue Jun 8 21:36:06 2021 +0200 +Subject: [PATCH] crypto/rsa: replace big.Int for encryption and decryption + +Infamously, big.Int does not provide constant-time arithmetic, making +its use in cryptographic code quite tricky. RSA uses big.Int +pervasively, in its public API, for key generation, precomputation, and +for encryption and decryption. This is a known problem. One mitigation, +blinding, is already in place during decryption. This helps mitigate the +very leaky exponentiation operation. Because big.Int is fundamentally +not constant-time, it's unfortunately difficult to guarantee that +mitigations like these are completely effective. + +This patch removes the use of big.Int for encryption and decryption, +replacing it with an internal nat type instead. Signing and verification +are also affected, because they depend on encryption and decryption. + +Overall, this patch degrades performance by 55% for private key +operations, and 4-5x for (much faster) public key operations. +(Signatures do both, so the slowdown is worse than decryption.) + +name old time/op new time/op delta +DecryptPKCS1v15/2048-8 1.50ms ± 0% 2.34ms ± 0% +56.44% (p=0.000 n=8+10) +DecryptPKCS1v15/3072-8 4.40ms ± 0% 6.79ms ± 0% +54.33% (p=0.000 n=10+9) +DecryptPKCS1v15/4096-8 9.31ms ± 0% 15.14ms ± 0% +62.60% (p=0.000 n=10+10) +EncryptPKCS1v15/2048-8 8.16µs ± 0% 355.58µs ± 0% +4258.90% (p=0.000 n=10+9) +DecryptOAEP/2048-8 1.50ms ± 0% 2.34ms ± 0% +55.68% (p=0.000 n=10+9) +EncryptOAEP/2048-8 8.51µs ± 0% 355.95µs ± 0% +4082.75% (p=0.000 n=10+9) +SignPKCS1v15/2048-8 1.51ms ± 0% 2.69ms ± 0% +77.94% (p=0.000 n=10+10) +VerifyPKCS1v15/2048-8 7.25µs ± 0% 354.34µs ± 0% +4789.52% (p=0.000 n=9+9) +SignPSS/2048-8 1.51ms ± 0% 2.70ms ± 0% +78.80% (p=0.000 n=9+10) +VerifyPSS/2048-8 8.27µs ± 1% 355.65µs ± 0% +4199.39% (p=0.000 n=10+10) + +Keep in mind that this is without any assembly at all, and that further +improvements are likely possible. I think having a review of the logic +and the cryptography would be a good idea at this stage, before we +complicate the code too much through optimization. + +The bulk of the work is in nat.go. This introduces two new types: nat, +representing natural numbers, and modulus, representing moduli used in +modular arithmetic. + +A nat has an "announced size", which may be larger than its "true size", +the number of bits needed to represent this number. Operations on a nat +will only ever leak its announced size, never its true size, or other +information about its value. The size of a nat is always clear based on +how its value is set. For example, x.mod(y, m) will make the announced +size of x match that of m, since x is reduced modulo m. + +Operations assume that the announced size of the operands match what's +expected (with a few exceptions). For example, x.modAdd(y, m) assumes +that x and y have the same announced size as m, and that they're reduced +modulo m. + +Nats are represented over unsatured bits.UintSize - 1 bit limbs. This +means that we can't reuse the assembly routines for big.Int, which use +saturated bits.UintSize limbs. The advantage of unsaturated limbs is +that it makes Montgomery multiplication faster, by needing fewer +registers in a hot loop. This makes exponentiation faster, which +consists of many Montgomery multiplications. + +Moduli use nat internally. Unlike nat, the true size of a modulus always +matches its announced size. When creating a modulus, any zero padding is +removed. Moduli will also precompute constants when created, which is +another reason why having a separate type is desirable. + +Updates #20654 + +Co-authored-by: Filippo Valsorda +Change-Id: I73b61f87d58ab912e80a9644e255d552cbadcced +Reviewed-on: https://go-review.googlesource.com/c/go/+/326012 +Run-TryBot: Filippo Valsorda +TryBot-Result: Gopher Robot +Reviewed-by: Roland Shoemaker +Reviewed-by: Joedian Reid + +CVE: CVE-2023-45287 + +Upstream-Status: Backport [https://github.com/golang/go/commit/8a81fdf165facdcefa06531de5af98a4db343035] + +Signed-off-by: Soumya Sambu +--- + src/crypto/rsa/example_test.go | 21 +- + src/crypto/rsa/nat.go | 626 +++++++++++++++++++++++++++++++++ + src/crypto/rsa/nat_test.go | 384 ++++++++++++++++++++ + src/crypto/rsa/pkcs1v15.go | 47 +-- + src/crypto/rsa/pss.go | 49 ++- + src/crypto/rsa/pss_test.go | 10 +- + src/crypto/rsa/rsa.go | 172 ++++----- + 7 files changed, 1140 insertions(+), 169 deletions(-) + create mode 100644 src/crypto/rsa/nat.go + create mode 100644 src/crypto/rsa/nat_test.go + +diff --git a/src/crypto/rsa/example_test.go b/src/crypto/rsa/example_test.go +index ce5c2d9..52e5639 100644 +--- a/src/crypto/rsa/example_test.go ++++ b/src/crypto/rsa/example_test.go +@@ -12,7 +12,6 @@ import ( + "crypto/sha256" + "encoding/hex" + "fmt" +- "io" + "os" + ) + +@@ -36,21 +35,17 @@ import ( + // a buffer that contains a random key. Thus, if the RSA result isn't + // well-formed, the implementation uses a random key in constant time. + func ExampleDecryptPKCS1v15SessionKey() { +- // crypto/rand.Reader is a good source of entropy for blinding the RSA +- // operation. +- rng := rand.Reader +- + // The hybrid scheme should use at least a 16-byte symmetric key. Here + // we read the random key that will be used if the RSA decryption isn't + // well-formed. + key := make([]byte, 32) +- if _, err := io.ReadFull(rng, key); err != nil { ++ if _, err := rand.Read(key); err != nil { + panic("RNG failure") + } + + rsaCiphertext, _ := hex.DecodeString("aabbccddeeff") + +- if err := DecryptPKCS1v15SessionKey(rng, rsaPrivateKey, rsaCiphertext, key); err != nil { ++ if err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, rsaCiphertext, key); err != nil { + // Any errors that result will be “public” – meaning that they + // can be determined without any secret information. (For + // instance, if the length of key is impossible given the RSA +@@ -86,10 +81,6 @@ func ExampleDecryptPKCS1v15SessionKey() { + } + + func ExampleSignPKCS1v15() { +- // crypto/rand.Reader is a good source of entropy for blinding the RSA +- // operation. +- rng := rand.Reader +- + message := []byte("message to be signed") + + // Only small messages can be signed directly; thus the hash of a +@@ -99,7 +90,7 @@ func ExampleSignPKCS1v15() { + // of writing (2016). + hashed := sha256.Sum256(message) + +- signature, err := SignPKCS1v15(rng, rsaPrivateKey, crypto.SHA256, hashed[:]) ++ signature, err := SignPKCS1v15(nil, rsaPrivateKey, crypto.SHA256, hashed[:]) + if err != nil { + fmt.Fprintf(os.Stderr, "Error from signing: %s\n", err) + return +@@ -151,11 +142,7 @@ func ExampleDecryptOAEP() { + ciphertext, _ := hex.DecodeString("4d1ee10e8f286390258c51a5e80802844c3e6358ad6690b7285218a7c7ed7fc3a4c7b950fbd04d4b0239cc060dcc7065ca6f84c1756deb71ca5685cadbb82be025e16449b905c568a19c088a1abfad54bf7ecc67a7df39943ec511091a34c0f2348d04e058fcff4d55644de3cd1d580791d4524b92f3e91695582e6e340a1c50b6c6d78e80b4e42c5b4d45e479b492de42bbd39cc642ebb80226bb5200020d501b24a37bcc2ec7f34e596b4fd6b063de4858dbf5a4e3dd18e262eda0ec2d19dbd8e890d672b63d368768360b20c0b6b8592a438fa275e5fa7f60bef0dd39673fd3989cc54d2cb80c08fcd19dacbc265ee1c6014616b0e04ea0328c2a04e73460") + label := []byte("orders") + +- // crypto/rand.Reader is a good source of entropy for blinding the RSA +- // operation. +- rng := rand.Reader +- +- plaintext, err := DecryptOAEP(sha256.New(), rng, test2048Key, ciphertext, label) ++ plaintext, err := DecryptOAEP(sha256.New(), nil, test2048Key, ciphertext, label) + if err != nil { + fmt.Fprintf(os.Stderr, "Error from decryption: %s\n", err) + return +diff --git a/src/crypto/rsa/nat.go b/src/crypto/rsa/nat.go +new file mode 100644 +index 0000000..da521c2 +--- /dev/null ++++ b/src/crypto/rsa/nat.go +@@ -0,0 +1,626 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package rsa ++ ++import ( ++ "math/big" ++ "math/bits" ++) ++ ++const ( ++ // _W is the number of bits we use for our limbs. ++ _W = bits.UintSize - 1 ++ // _MASK selects _W bits from a full machine word. ++ _MASK = (1 << _W) - 1 ++) ++ ++// choice represents a constant-time boolean. The value of choice is always ++// either 1 or 0. We use an int instead of bool in order to make decisions in ++// constant time by turning it into a mask. ++type choice uint ++ ++func not(c choice) choice { return 1 ^ c } ++ ++const yes = choice(1) ++const no = choice(0) ++ ++// ctSelect returns x if on == 1, and y if on == 0. The execution time of this ++// function does not depend on its inputs. If on is any value besides 1 or 0, ++// the result is undefined. ++func ctSelect(on choice, x, y uint) uint { ++ // When on == 1, mask is 0b111..., otherwise mask is 0b000... ++ mask := -uint(on) ++ // When mask is all zeros, we just have y, otherwise, y cancels with itself. ++ return y ^ (mask & (y ^ x)) ++} ++ ++// ctEq returns 1 if x == y, and 0 otherwise. The execution time of this ++// function does not depend on its inputs. ++func ctEq(x, y uint) choice { ++ // If x != y, then either x - y or y - x will generate a carry. ++ _, c1 := bits.Sub(x, y, 0) ++ _, c2 := bits.Sub(y, x, 0) ++ return not(choice(c1 | c2)) ++} ++ ++// ctGeq returns 1 if x >= y, and 0 otherwise. The execution time of this ++// function does not depend on its inputs. ++func ctGeq(x, y uint) choice { ++ // If x < y, then x - y generates a carry. ++ _, carry := bits.Sub(x, y, 0) ++ return not(choice(carry)) ++} ++ ++// nat represents an arbitrary natural number ++// ++// Each nat has an announced length, which is the number of limbs it has stored. ++// Operations on this number are allowed to leak this length, but will not leak ++// any information about the values contained in those limbs. ++type nat struct { ++ // limbs is a little-endian representation in base 2^W with ++ // W = bits.UintSize - 1. The top bit is always unset between operations. ++ // ++ // The top bit is left unset to optimize Montgomery multiplication, in the ++ // inner loop of exponentiation. Using fully saturated limbs would leave us ++ // working with 129-bit numbers on 64-bit platforms, wasting a lot of space, ++ // and thus time. ++ limbs []uint ++} ++ ++// expand expands x to n limbs, leaving its value unchanged. ++func (x *nat) expand(n int) *nat { ++ for len(x.limbs) > n { ++ if x.limbs[len(x.limbs)-1] != 0 { ++ panic("rsa: internal error: shrinking nat") ++ } ++ x.limbs = x.limbs[:len(x.limbs)-1] ++ } ++ if cap(x.limbs) < n { ++ newLimbs := make([]uint, n) ++ copy(newLimbs, x.limbs) ++ x.limbs = newLimbs ++ return x ++ } ++ extraLimbs := x.limbs[len(x.limbs):n] ++ for i := range extraLimbs { ++ extraLimbs[i] = 0 ++ } ++ x.limbs = x.limbs[:n] ++ return x ++} ++ ++// reset returns a zero nat of n limbs, reusing x's storage if n <= cap(x.limbs). ++func (x *nat) reset(n int) *nat { ++ if cap(x.limbs) < n { ++ x.limbs = make([]uint, n) ++ return x ++ } ++ for i := range x.limbs { ++ x.limbs[i] = 0 ++ } ++ x.limbs = x.limbs[:n] ++ return x ++} ++ ++// clone returns a new nat, with the same value and announced length as x. ++func (x *nat) clone() *nat { ++ out := &nat{make([]uint, len(x.limbs))} ++ copy(out.limbs, x.limbs) ++ return out ++} ++ ++// natFromBig creates a new natural number from a big.Int. ++// ++// The announced length of the resulting nat is based on the actual bit size of ++// the input, ignoring leading zeroes. ++func natFromBig(x *big.Int) *nat { ++ xLimbs := x.Bits() ++ bitSize := bigBitLen(x) ++ requiredLimbs := (bitSize + _W - 1) / _W ++ ++ out := &nat{make([]uint, requiredLimbs)} ++ outI := 0 ++ shift := 0 ++ for i := range xLimbs { ++ xi := uint(xLimbs[i]) ++ out.limbs[outI] |= (xi << shift) & _MASK ++ outI++ ++ if outI == requiredLimbs { ++ return out ++ } ++ out.limbs[outI] = xi >> (_W - shift) ++ shift++ // this assumes bits.UintSize - _W = 1 ++ if shift == _W { ++ shift = 0 ++ outI++ ++ } ++ } ++ return out ++} ++ ++// fillBytes sets bytes to x as a zero-extended big-endian byte slice. ++// ++// If bytes is not long enough to contain the number or at least len(x.limbs)-1 ++// limbs, or has zero length, fillBytes will panic. ++func (x *nat) fillBytes(bytes []byte) []byte { ++ if len(bytes) == 0 { ++ panic("nat: fillBytes invoked with too small buffer") ++ } ++ for i := range bytes { ++ bytes[i] = 0 ++ } ++ shift := 0 ++ outI := len(bytes) - 1 ++ for i, limb := range x.limbs { ++ remainingBits := _W ++ for remainingBits >= 8 { ++ bytes[outI] |= byte(limb) << shift ++ consumed := 8 - shift ++ limb >>= consumed ++ remainingBits -= consumed ++ shift = 0 ++ outI-- ++ if outI < 0 { ++ if limb != 0 || i < len(x.limbs)-1 { ++ panic("nat: fillBytes invoked with too small buffer") ++ } ++ return bytes ++ } ++ } ++ bytes[outI] = byte(limb) ++ shift = remainingBits ++ } ++ return bytes ++} ++ ++// natFromBytes converts a slice of big-endian bytes into a nat. ++// ++// The announced length of the output depends on the length of bytes. Unlike ++// big.Int, creating a nat will not remove leading zeros. ++func natFromBytes(bytes []byte) *nat { ++ bitSize := len(bytes) * 8 ++ requiredLimbs := (bitSize + _W - 1) / _W ++ ++ out := &nat{make([]uint, requiredLimbs)} ++ outI := 0 ++ shift := 0 ++ for i := len(bytes) - 1; i >= 0; i-- { ++ bi := bytes[i] ++ out.limbs[outI] |= uint(bi) << shift ++ shift += 8 ++ if shift >= _W { ++ shift -= _W ++ out.limbs[outI] &= _MASK ++ outI++ ++ if shift > 0 { ++ out.limbs[outI] = uint(bi) >> (8 - shift) ++ } ++ } ++ } ++ return out ++} ++ ++// cmpEq returns 1 if x == y, and 0 otherwise. ++// ++// Both operands must have the same announced length. ++func (x *nat) cmpEq(y *nat) choice { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ equal := yes ++ for i := 0; i < size; i++ { ++ equal &= ctEq(xLimbs[i], yLimbs[i]) ++ } ++ return equal ++} ++ ++// cmpGeq returns 1 if x >= y, and 0 otherwise. ++// ++// Both operands must have the same announced length. ++func (x *nat) cmpGeq(y *nat) choice { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ var c uint ++ for i := 0; i < size; i++ { ++ c = (xLimbs[i] - yLimbs[i] - c) >> _W ++ } ++ // If there was a carry, then subtracting y underflowed, so ++ // x is not greater than or equal to y. ++ return not(choice(c)) ++} ++ ++// assign sets x <- y if on == 1, and does nothing otherwise. ++// ++// Both operands must have the same announced length. ++func (x *nat) assign(on choice, y *nat) *nat { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ for i := 0; i < size; i++ { ++ xLimbs[i] = ctSelect(on, yLimbs[i], xLimbs[i]) ++ } ++ return x ++} ++ ++// add computes x += y if on == 1, and does nothing otherwise. It returns the ++// carry of the addition regardless of on. ++// ++// Both operands must have the same announced length. ++func (x *nat) add(on choice, y *nat) (c uint) { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ for i := 0; i < size; i++ { ++ res := xLimbs[i] + yLimbs[i] + c ++ xLimbs[i] = ctSelect(on, res&_MASK, xLimbs[i]) ++ c = res >> _W ++ } ++ return ++} ++ ++// sub computes x -= y if on == 1, and does nothing otherwise. It returns the ++// borrow of the subtraction regardless of on. ++// ++// Both operands must have the same announced length. ++func (x *nat) sub(on choice, y *nat) (c uint) { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ for i := 0; i < size; i++ { ++ res := xLimbs[i] - yLimbs[i] - c ++ xLimbs[i] = ctSelect(on, res&_MASK, xLimbs[i]) ++ c = res >> _W ++ } ++ return ++} ++ ++// modulus is used for modular arithmetic, precomputing relevant constants. ++// ++// Moduli are assumed to be odd numbers. Moduli can also leak the exact ++// number of bits needed to store their value, and are stored without padding. ++// ++// Their actual value is still kept secret. ++type modulus struct { ++ // The underlying natural number for this modulus. ++ // ++ // This will be stored without any padding, and shouldn't alias with any ++ // other natural number being used. ++ nat *nat ++ leading int // number of leading zeros in the modulus ++ m0inv uint // -nat.limbs[0]⁻¹ mod _W ++} ++ ++// minusInverseModW computes -x⁻¹ mod _W with x odd. ++// ++// This operation is used to precompute a constant involved in Montgomery ++// multiplication. ++func minusInverseModW(x uint) uint { ++ // Every iteration of this loop doubles the least-significant bits of ++ // correct inverse in y. The first three bits are already correct (1⁻¹ = 1, ++ // 3⁻¹ = 3, 5⁻¹ = 5, and 7⁻¹ = 7 mod 8), so doubling five times is enough ++ // for 61 bits (and wastes only one iteration for 31 bits). ++ // ++ // See https://crypto.stackexchange.com/a/47496. ++ y := x ++ for i := 0; i < 5; i++ { ++ y = y * (2 - x*y) ++ } ++ return (1 << _W) - (y & _MASK) ++} ++ ++// modulusFromNat creates a new modulus from a nat. ++// ++// The nat should be odd, nonzero, and the number of significant bits in the ++// number should be leakable. The nat shouldn't be reused. ++func modulusFromNat(nat *nat) *modulus { ++ m := &modulus{} ++ m.nat = nat ++ size := len(m.nat.limbs) ++ for m.nat.limbs[size-1] == 0 { ++ size-- ++ } ++ m.nat.limbs = m.nat.limbs[:size] ++ m.leading = _W - bitLen(m.nat.limbs[size-1]) ++ m.m0inv = minusInverseModW(m.nat.limbs[0]) ++ return m ++} ++ ++// bitLen is a version of bits.Len that only leaks the bit length of n, but not ++// its value. bits.Len and bits.LeadingZeros use a lookup table for the ++// low-order bits on some architectures. ++func bitLen(n uint) int { ++ var len int ++ // We assume, here and elsewhere, that comparison to zero is constant time ++ // with respect to different non-zero values. ++ for n != 0 { ++ len++ ++ n >>= 1 ++ } ++ return len ++} ++ ++// bigBitLen is a version of big.Int.BitLen that only leaks the bit length of x, ++// but not its value. big.Int.BitLen uses bits.Len. ++func bigBitLen(x *big.Int) int { ++ xLimbs := x.Bits() ++ fullLimbs := len(xLimbs) - 1 ++ topLimb := uint(xLimbs[len(xLimbs)-1]) ++ return fullLimbs*bits.UintSize + bitLen(topLimb) ++} ++ ++// modulusSize returns the size of m in bytes. ++func modulusSize(m *modulus) int { ++ bits := len(m.nat.limbs)*_W - int(m.leading) ++ return (bits + 7) / 8 ++} ++ ++// shiftIn calculates x = x << _W + y mod m. ++// ++// This assumes that x is already reduced mod m, and that y < 2^_W. ++func (x *nat) shiftIn(y uint, m *modulus) *nat { ++ d := new(nat).resetFor(m) ++ ++ // Eliminate bounds checks in the loop. ++ size := len(m.nat.limbs) ++ xLimbs := x.limbs[:size] ++ dLimbs := d.limbs[:size] ++ mLimbs := m.nat.limbs[:size] ++ ++ // Each iteration of this loop computes x = 2x + b mod m, where b is a bit ++ // from y. Effectively, it left-shifts x and adds y one bit at a time, ++ // reducing it every time. ++ // ++ // To do the reduction, each iteration computes both 2x + b and 2x + b - m. ++ // The next iteration (and finally the return line) will use either result ++ // based on whether the subtraction underflowed. ++ needSubtraction := no ++ for i := _W - 1; i >= 0; i-- { ++ carry := (y >> i) & 1 ++ var borrow uint ++ for i := 0; i < size; i++ { ++ l := ctSelect(needSubtraction, dLimbs[i], xLimbs[i]) ++ ++ res := l<<1 + carry ++ xLimbs[i] = res & _MASK ++ carry = res >> _W ++ ++ res = xLimbs[i] - mLimbs[i] - borrow ++ dLimbs[i] = res & _MASK ++ borrow = res >> _W ++ } ++ // See modAdd for how carry (aka overflow), borrow (aka underflow), and ++ // needSubtraction relate. ++ needSubtraction = ctEq(carry, borrow) ++ } ++ return x.assign(needSubtraction, d) ++} ++ ++// mod calculates out = x mod m. ++// ++// This works regardless how large the value of x is. ++// ++// The output will be resized to the size of m and overwritten. ++func (out *nat) mod(x *nat, m *modulus) *nat { ++ out.resetFor(m) ++ // Working our way from the most significant to the least significant limb, ++ // we can insert each limb at the least significant position, shifting all ++ // previous limbs left by _W. This way each limb will get shifted by the ++ // correct number of bits. We can insert at least N - 1 limbs without ++ // overflowing m. After that, we need to reduce every time we shift. ++ i := len(x.limbs) - 1 ++ // For the first N - 1 limbs we can skip the actual shifting and position ++ // them at the shifted position, which starts at min(N - 2, i). ++ start := len(m.nat.limbs) - 2 ++ if i < start { ++ start = i ++ } ++ for j := start; j >= 0; j-- { ++ out.limbs[j] = x.limbs[i] ++ i-- ++ } ++ // We shift in the remaining limbs, reducing modulo m each time. ++ for i >= 0 { ++ out.shiftIn(x.limbs[i], m) ++ i-- ++ } ++ return out ++} ++ ++// expandFor ensures out has the right size to work with operations modulo m. ++// ++// This assumes that out has as many or fewer limbs than m, or that the extra ++// limbs are all zero (which may happen when decoding a value that has leading ++// zeroes in its bytes representation that spill over the limb threshold). ++func (out *nat) expandFor(m *modulus) *nat { ++ return out.expand(len(m.nat.limbs)) ++} ++ ++// resetFor ensures out has the right size to work with operations modulo m. ++// ++// out is zeroed and may start at any size. ++func (out *nat) resetFor(m *modulus) *nat { ++ return out.reset(len(m.nat.limbs)) ++} ++ ++// modSub computes x = x - y mod m. ++// ++// The length of both operands must be the same as the modulus. Both operands ++// must already be reduced modulo m. ++func (x *nat) modSub(y *nat, m *modulus) *nat { ++ underflow := x.sub(yes, y) ++ // If the subtraction underflowed, add m. ++ x.add(choice(underflow), m.nat) ++ return x ++} ++ ++// modAdd computes x = x + y mod m. ++// ++// The length of both operands must be the same as the modulus. Both operands ++// must already be reduced modulo m. ++func (x *nat) modAdd(y *nat, m *modulus) *nat { ++ overflow := x.add(yes, y) ++ underflow := not(x.cmpGeq(m.nat)) // x < m ++ ++ // Three cases are possible: ++ // ++ // - overflow = 0, underflow = 0 ++ // ++ // In this case, addition fits in our limbs, but we can still subtract away ++ // m without an underflow, so we need to perform the subtraction to reduce ++ // our result. ++ // ++ // - overflow = 0, underflow = 1 ++ // ++ // The addition fits in our limbs, but we can't subtract m without ++ // underflowing. The result is already reduced. ++ // ++ // - overflow = 1, underflow = 1 ++ // ++ // The addition does not fit in our limbs, and the subtraction's borrow ++ // would cancel out with the addition's carry. We need to subtract m to ++ // reduce our result. ++ // ++ // The overflow = 1, underflow = 0 case is not possible, because y is at ++ // most m - 1, and if adding m - 1 overflows, then subtracting m must ++ // necessarily underflow. ++ needSubtraction := ctEq(overflow, uint(underflow)) ++ ++ x.sub(needSubtraction, m.nat) ++ return x ++} ++ ++// montgomeryRepresentation calculates x = x * R mod m, with R = 2^(_W * n) and ++// n = len(m.nat.limbs). ++// ++// Faster Montgomery multiplication replaces standard modular multiplication for ++// numbers in this representation. ++// ++// This assumes that x is already reduced mod m. ++func (x *nat) montgomeryRepresentation(m *modulus) *nat { ++ for i := 0; i < len(m.nat.limbs); i++ { ++ x.shiftIn(0, m) // x = x * 2^_W mod m ++ } ++ return x ++} ++ ++// montgomeryMul calculates d = a * b / R mod m, with R = 2^(_W * n) and ++// n = len(m.nat.limbs), using the Montgomery Multiplication technique. ++// ++// All inputs should be the same length, not aliasing d, and already ++// reduced modulo m. d will be resized to the size of m and overwritten. ++func (d *nat) montgomeryMul(a *nat, b *nat, m *modulus) *nat { ++ // See https://bearssl.org/bigint.html#montgomery-reduction-and-multiplication ++ // for a description of the algorithm. ++ ++ // Eliminate bounds checks in the loop. ++ size := len(m.nat.limbs) ++ aLimbs := a.limbs[:size] ++ bLimbs := b.limbs[:size] ++ dLimbs := d.resetFor(m).limbs[:size] ++ mLimbs := m.nat.limbs[:size] ++ ++ var overflow uint ++ for i := 0; i < size; i++ { ++ f := ((dLimbs[0] + aLimbs[i]*bLimbs[0]) * m.m0inv) & _MASK ++ carry := uint(0) ++ for j := 0; j < size; j++ { ++ // z = d[j] + a[i] * b[j] + f * m[j] + carry <= 2^(2W+1) - 2^(W+1) + 2^W ++ hi, lo := bits.Mul(aLimbs[i], bLimbs[j]) ++ z_lo, c := bits.Add(dLimbs[j], lo, 0) ++ z_hi, _ := bits.Add(0, hi, c) ++ hi, lo = bits.Mul(f, mLimbs[j]) ++ z_lo, c = bits.Add(z_lo, lo, 0) ++ z_hi, _ = bits.Add(z_hi, hi, c) ++ z_lo, c = bits.Add(z_lo, carry, 0) ++ z_hi, _ = bits.Add(z_hi, 0, c) ++ if j > 0 { ++ dLimbs[j-1] = z_lo & _MASK ++ } ++ carry = z_hi<<1 | z_lo>>_W // carry <= 2^(W+1) - 2 ++ } ++ z := overflow + carry // z <= 2^(W+1) - 1 ++ dLimbs[size-1] = z & _MASK ++ overflow = z >> _W // overflow <= 1 ++ } ++ // See modAdd for how overflow, underflow, and needSubtraction relate. ++ underflow := not(d.cmpGeq(m.nat)) // d < m ++ needSubtraction := ctEq(overflow, uint(underflow)) ++ d.sub(needSubtraction, m.nat) ++ ++ return d ++} ++ ++// modMul calculates x *= y mod m. ++// ++// x and y must already be reduced modulo m, they must share its announced ++// length, and they may not alias. ++func (x *nat) modMul(y *nat, m *modulus) *nat { ++ // A Montgomery multiplication by a value out of the Montgomery domain ++ // takes the result out of Montgomery representation. ++ xR := x.clone().montgomeryRepresentation(m) // xR = x * R mod m ++ return x.montgomeryMul(xR, y, m) // x = xR * y / R mod m ++} ++ ++// exp calculates out = x^e mod m. ++// ++// The exponent e is represented in big-endian order. The output will be resized ++// to the size of m and overwritten. x must already be reduced modulo m. ++func (out *nat) exp(x *nat, e []byte, m *modulus) *nat { ++ // We use a 4 bit window. For our RSA workload, 4 bit windows are faster ++ // than 2 bit windows, but use an extra 12 nats worth of scratch space. ++ // Using bit sizes that don't divide 8 are more complex to implement. ++ table := make([]*nat, (1<<4)-1) // table[i] = x ^ (i+1) ++ table[0] = x.clone().montgomeryRepresentation(m) ++ for i := 1; i < len(table); i++ { ++ table[i] = new(nat).expandFor(m) ++ table[i].montgomeryMul(table[i-1], table[0], m) ++ } ++ ++ out.resetFor(m) ++ out.limbs[0] = 1 ++ out.montgomeryRepresentation(m) ++ t0 := new(nat).expandFor(m) ++ t1 := new(nat).expandFor(m) ++ for _, b := range e { ++ for _, j := range []int{4, 0} { ++ // Square four times. ++ t1.montgomeryMul(out, out, m) ++ out.montgomeryMul(t1, t1, m) ++ t1.montgomeryMul(out, out, m) ++ out.montgomeryMul(t1, t1, m) ++ ++ // Select x^k in constant time from the table. ++ k := uint((b >> j) & 0b1111) ++ for i := range table { ++ t0.assign(ctEq(k, uint(i+1)), table[i]) ++ } ++ ++ // Multiply by x^k, discarding the result if k = 0. ++ t1.montgomeryMul(out, t0, m) ++ out.assign(not(ctEq(k, 0)), t1) ++ } ++ } ++ ++ // By Montgomery multiplying with 1 not in Montgomery representation, we ++ // convert out back from Montgomery representation, because it works out to ++ // dividing by R. ++ t0.assign(yes, out) ++ t1.resetFor(m) ++ t1.limbs[0] = 1 ++ out.montgomeryMul(t0, t1, m) ++ ++ return out ++} +diff --git a/src/crypto/rsa/nat_test.go b/src/crypto/rsa/nat_test.go +new file mode 100644 +index 0000000..3e6eb10 +--- /dev/null ++++ b/src/crypto/rsa/nat_test.go +@@ -0,0 +1,384 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package rsa ++ ++import ( ++ "bytes" ++ "math/big" ++ "math/bits" ++ "math/rand" ++ "reflect" ++ "testing" ++ "testing/quick" ++) ++ ++// Generate generates an even nat. It's used by testing/quick to produce random ++// *nat values for quick.Check invocations. ++func (*nat) Generate(r *rand.Rand, size int) reflect.Value { ++ limbs := make([]uint, size) ++ for i := 0; i < size; i++ { ++ limbs[i] = uint(r.Uint64()) & ((1 << _W) - 2) ++ } ++ return reflect.ValueOf(&nat{limbs}) ++} ++ ++func testModAddCommutative(a *nat, b *nat) bool { ++ mLimbs := make([]uint, len(a.limbs)) ++ for i := 0; i < len(mLimbs); i++ { ++ mLimbs[i] = _MASK ++ } ++ m := modulusFromNat(&nat{mLimbs}) ++ aPlusB := a.clone() ++ aPlusB.modAdd(b, m) ++ bPlusA := b.clone() ++ bPlusA.modAdd(a, m) ++ return aPlusB.cmpEq(bPlusA) == 1 ++} ++ ++func TestModAddCommutative(t *testing.T) { ++ err := quick.Check(testModAddCommutative, &quick.Config{}) ++ if err != nil { ++ t.Error(err) ++ } ++} ++ ++func testModSubThenAddIdentity(a *nat, b *nat) bool { ++ mLimbs := make([]uint, len(a.limbs)) ++ for i := 0; i < len(mLimbs); i++ { ++ mLimbs[i] = _MASK ++ } ++ m := modulusFromNat(&nat{mLimbs}) ++ original := a.clone() ++ a.modSub(b, m) ++ a.modAdd(b, m) ++ return a.cmpEq(original) == 1 ++} ++ ++func TestModSubThenAddIdentity(t *testing.T) { ++ err := quick.Check(testModSubThenAddIdentity, &quick.Config{}) ++ if err != nil { ++ t.Error(err) ++ } ++} ++ ++func testMontgomeryRoundtrip(a *nat) bool { ++ one := &nat{make([]uint, len(a.limbs))} ++ one.limbs[0] = 1 ++ aPlusOne := a.clone() ++ aPlusOne.add(1, one) ++ m := modulusFromNat(aPlusOne) ++ monty := a.clone() ++ monty.montgomeryRepresentation(m) ++ aAgain := monty.clone() ++ aAgain.montgomeryMul(monty, one, m) ++ return a.cmpEq(aAgain) == 1 ++} ++ ++func TestMontgomeryRoundtrip(t *testing.T) { ++ err := quick.Check(testMontgomeryRoundtrip, &quick.Config{}) ++ if err != nil { ++ t.Error(err) ++ } ++} ++ ++func TestFromBig(t *testing.T) { ++ expected := []byte{0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} ++ theBig := new(big.Int).SetBytes(expected) ++ actual := natFromBig(theBig).fillBytes(make([]byte, len(expected))) ++ if !bytes.Equal(actual, expected) { ++ t.Errorf("%+x != %+x", actual, expected) ++ } ++} ++ ++func TestFillBytes(t *testing.T) { ++ xBytes := []byte{0xAA, 0xFF, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88} ++ x := natFromBytes(xBytes) ++ for l := 20; l >= len(xBytes); l-- { ++ buf := make([]byte, l) ++ rand.Read(buf) ++ actual := x.fillBytes(buf) ++ expected := make([]byte, l) ++ copy(expected[l-len(xBytes):], xBytes) ++ if !bytes.Equal(actual, expected) { ++ t.Errorf("%d: %+v != %+v", l, actual, expected) ++ } ++ } ++ for l := len(xBytes) - 1; l >= 0; l-- { ++ (func() { ++ defer func() { ++ if recover() == nil { ++ t.Errorf("%d: expected panic", l) ++ } ++ }() ++ x.fillBytes(make([]byte, l)) ++ })() ++ } ++} ++ ++func TestFromBytes(t *testing.T) { ++ f := func(xBytes []byte) bool { ++ if len(xBytes) == 0 { ++ return true ++ } ++ actual := natFromBytes(xBytes).fillBytes(make([]byte, len(xBytes))) ++ if !bytes.Equal(actual, xBytes) { ++ t.Errorf("%+x != %+x", actual, xBytes) ++ return false ++ } ++ return true ++ } ++ ++ err := quick.Check(f, &quick.Config{}) ++ if err != nil { ++ t.Error(err) ++ } ++ ++ f([]byte{0xFF, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}) ++ f(bytes.Repeat([]byte{0xFF}, _W)) ++} ++ ++func TestShiftIn(t *testing.T) { ++ if bits.UintSize != 64 { ++ t.Skip("examples are only valid in 64 bit") ++ } ++ examples := []struct { ++ m, x, expected []byte ++ y uint64 ++ }{{ ++ m: []byte{13}, ++ x: []byte{0}, ++ y: 0x7FFF_FFFF_FFFF_FFFF, ++ expected: []byte{7}, ++ }, { ++ m: []byte{13}, ++ x: []byte{7}, ++ y: 0x7FFF_FFFF_FFFF_FFFF, ++ expected: []byte{11}, ++ }, { ++ m: []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d}, ++ x: make([]byte, 9), ++ y: 0x7FFF_FFFF_FFFF_FFFF, ++ expected: []byte{0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, ++ }, { ++ m: []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d}, ++ x: []byte{0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, ++ y: 0, ++ expected: []byte{0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08}, ++ }} ++ ++ for i, tt := range examples { ++ m := modulusFromNat(natFromBytes(tt.m)) ++ got := natFromBytes(tt.x).expandFor(m).shiftIn(uint(tt.y), m) ++ if got.cmpEq(natFromBytes(tt.expected).expandFor(m)) != 1 { ++ t.Errorf("%d: got %x, expected %x", i, got, tt.expected) ++ } ++ } ++} ++ ++func TestModulusAndNatSizes(t *testing.T) { ++ // These are 126 bit (2 * _W on 64-bit architectures) values, serialized as ++ // 128 bits worth of bytes. If leading zeroes are stripped, they fit in two ++ // limbs, if they are not, they fit in three. This can be a problem because ++ // modulus strips leading zeroes and nat does not. ++ m := modulusFromNat(natFromBytes([]byte{ ++ 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff})) ++ x := natFromBytes([]byte{ ++ 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}) ++ x.expandFor(m) // must not panic for shrinking ++} ++ ++func TestExpand(t *testing.T) { ++ sliced := []uint{1, 2, 3, 4} ++ examples := []struct { ++ in []uint ++ n int ++ out []uint ++ }{{ ++ []uint{1, 2}, ++ 4, ++ []uint{1, 2, 0, 0}, ++ }, { ++ sliced[:2], ++ 4, ++ []uint{1, 2, 0, 0}, ++ }, { ++ []uint{1, 2}, ++ 2, ++ []uint{1, 2}, ++ }, { ++ []uint{1, 2, 0}, ++ 2, ++ []uint{1, 2}, ++ }} ++ ++ for i, tt := range examples { ++ got := (&nat{tt.in}).expand(tt.n) ++ if len(got.limbs) != len(tt.out) || got.cmpEq(&nat{tt.out}) != 1 { ++ t.Errorf("%d: got %x, expected %x", i, got, tt.out) ++ } ++ } ++} ++ ++func TestMod(t *testing.T) { ++ m := modulusFromNat(natFromBytes([]byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d})) ++ x := natFromBytes([]byte{0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}) ++ out := new(nat) ++ out.mod(x, m) ++ expected := natFromBytes([]byte{0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09}) ++ if out.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", out, expected) ++ } ++} ++ ++func TestModSub(t *testing.T) { ++ m := modulusFromNat(&nat{[]uint{13}}) ++ x := &nat{[]uint{6}} ++ y := &nat{[]uint{7}} ++ x.modSub(y, m) ++ expected := &nat{[]uint{12}} ++ if x.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", x, expected) ++ } ++ x.modSub(y, m) ++ expected = &nat{[]uint{5}} ++ if x.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", x, expected) ++ } ++} ++ ++func TestModAdd(t *testing.T) { ++ m := modulusFromNat(&nat{[]uint{13}}) ++ x := &nat{[]uint{6}} ++ y := &nat{[]uint{7}} ++ x.modAdd(y, m) ++ expected := &nat{[]uint{0}} ++ if x.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", x, expected) ++ } ++ x.modAdd(y, m) ++ expected = &nat{[]uint{7}} ++ if x.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", x, expected) ++ } ++} ++ ++func TestExp(t *testing.T) { ++ m := modulusFromNat(&nat{[]uint{13}}) ++ x := &nat{[]uint{3}} ++ out := &nat{[]uint{0}} ++ out.exp(x, []byte{12}, m) ++ expected := &nat{[]uint{1}} ++ if out.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", out, expected) ++ } ++} ++ ++func makeBenchmarkModulus() *modulus { ++ m := make([]uint, 32) ++ for i := 0; i < 32; i++ { ++ m[i] = _MASK ++ } ++ return modulusFromNat(&nat{limbs: m}) ++} ++ ++func makeBenchmarkValue() *nat { ++ x := make([]uint, 32) ++ for i := 0; i < 32; i++ { ++ x[i] = _MASK - 1 ++ } ++ return &nat{limbs: x} ++} ++ ++func makeBenchmarkExponent() []byte { ++ e := make([]byte, 256) ++ for i := 0; i < 32; i++ { ++ e[i] = 0xFF ++ } ++ return e ++} ++ ++func BenchmarkModAdd(b *testing.B) { ++ x := makeBenchmarkValue() ++ y := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ x.modAdd(y, m) ++ } ++} ++ ++func BenchmarkModSub(b *testing.B) { ++ x := makeBenchmarkValue() ++ y := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ x.modSub(y, m) ++ } ++} ++ ++func BenchmarkMontgomeryRepr(b *testing.B) { ++ x := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ x.montgomeryRepresentation(m) ++ } ++} ++ ++func BenchmarkMontgomeryMul(b *testing.B) { ++ x := makeBenchmarkValue() ++ y := makeBenchmarkValue() ++ out := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ out.montgomeryMul(x, y, m) ++ } ++} ++ ++func BenchmarkModMul(b *testing.B) { ++ x := makeBenchmarkValue() ++ y := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ x.modMul(y, m) ++ } ++} ++ ++func BenchmarkExpBig(b *testing.B) { ++ out := new(big.Int) ++ exponentBytes := makeBenchmarkExponent() ++ x := new(big.Int).SetBytes(exponentBytes) ++ e := new(big.Int).SetBytes(exponentBytes) ++ n := new(big.Int).SetBytes(exponentBytes) ++ one := new(big.Int).SetUint64(1) ++ n.Add(n, one) ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ out.Exp(x, e, n) ++ } ++} ++ ++func BenchmarkExp(b *testing.B) { ++ x := makeBenchmarkValue() ++ e := makeBenchmarkExponent() ++ out := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ out.exp(x, e, m) ++ } ++} +diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go +index 0cbd6d0..90233bb 100644 +--- a/src/crypto/rsa/pkcs1v15.go ++++ b/src/crypto/rsa/pkcs1v15.go +@@ -9,7 +9,6 @@ import ( + "crypto/subtle" + "errors" + "io" +- "math/big" + + "crypto/internal/randutil" + ) +@@ -58,14 +57,11 @@ func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) ([]byte, error) + em[len(em)-len(msg)-1] = 0 + copy(mm, msg) + +- m := new(big.Int).SetBytes(em) +- c := encrypt(new(big.Int), pub, m) +- +- return c.FillBytes(em), nil ++ return encrypt(pub, em), nil + } + + // DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS #1 v1.5. +-// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks. ++// The random parameter is legacy and ignored, and it can be as nil. + // + // Note that whether this function returns an error or not discloses secret + // information. If an attacker can cause this function to run repeatedly and +@@ -76,7 +72,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt + if err := checkPub(&priv.PublicKey); err != nil { + return nil, err + } +- valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext) ++ valid, out, index, err := decryptPKCS1v15(priv, ciphertext) + if err != nil { + return nil, err + } +@@ -87,7 +83,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt + } + + // DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS #1 v1.5. +-// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks. ++// The random parameter is legacy and ignored, and it can be as nil. + // It returns an error if the ciphertext is the wrong length or if the + // ciphertext is greater than the public modulus. Otherwise, no error is + // returned. If the padding is valid, the resulting plaintext message is copied +@@ -114,7 +110,7 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by + return ErrDecryption + } + +- valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext) ++ valid, em, index, err := decryptPKCS1v15(priv, ciphertext) + if err != nil { + return err + } +@@ -130,26 +126,24 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by + return nil + } + +-// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if +-// rand is not nil. It returns one or zero in valid that indicates whether the +-// plaintext was correctly structured. In either case, the plaintext is +-// returned in em so that it may be read independently of whether it was valid +-// in order to maintain constant memory access patterns. If the plaintext was +-// valid then index contains the index of the original message in em. +-func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) { ++// decryptPKCS1v15 decrypts ciphertext using priv. It returns one or zero in ++// valid that indicates whether the plaintext was correctly structured. ++// In either case, the plaintext is returned in em so that it may be read ++// independently of whether it was valid in order to maintain constant memory ++// access patterns. If the plaintext was valid then index contains the index of ++// the original message in em, to allow constant time padding removal. ++func decryptPKCS1v15(priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) { + k := priv.Size() + if k < 11 { + err = ErrDecryption + return + } + +- c := new(big.Int).SetBytes(ciphertext) +- m, err := decrypt(rand, priv, c) ++ em, err = decrypt(priv, ciphertext) + if err != nil { + return + } + +- em = m.FillBytes(make([]byte, k)) + firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0) + secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2) + +@@ -221,8 +215,7 @@ var hashPrefixes = map[crypto.Hash][]byte{ + // function. If hash is zero, hashed is signed directly. This isn't + // advisable except for interoperability. + // +-// If rand is not nil then RSA blinding will be used to avoid timing +-// side-channel attacks. ++// The random parameter is legacy and ignored, and it can be as nil. + // + // This function is deterministic. Thus, if the set of possible + // messages is small, an attacker may be able to build a map from +@@ -249,13 +242,7 @@ func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []b + copy(em[k-tLen:k-hashLen], prefix) + copy(em[k-hashLen:k], hashed) + +- m := new(big.Int).SetBytes(em) +- c, err := decryptAndCheck(rand, priv, m) +- if err != nil { +- return nil, err +- } +- +- return c.FillBytes(em), nil ++ return decryptAndCheck(priv, em) + } + + // VerifyPKCS1v15 verifies an RSA PKCS #1 v1.5 signature. +@@ -282,9 +269,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) + return ErrVerification + } + +- c := new(big.Int).SetBytes(sig) +- m := encrypt(new(big.Int), pub, c) +- em := m.FillBytes(make([]byte, k)) ++ em := encrypt(pub, sig) + // EM = 0x00 || 0x01 || PS || 0x00 || T + + ok := subtle.ConstantTimeByteEq(em[0], 0) +diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go +index 814522d..aeb6148 100644 +--- a/src/crypto/rsa/pss.go ++++ b/src/crypto/rsa/pss.go +@@ -12,7 +12,6 @@ import ( + "errors" + "hash" + "io" +- "math/big" + ) + + // Per RFC 8017, Section 9.1 +@@ -207,19 +206,26 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error { + // Note that hashed must be the result of hashing the input message using the + // given hash function. salt is a random sequence of bytes whose length will be + // later used to verify the signature. +-func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) { +- emBits := priv.N.BitLen() - 1 ++func signPSSWithSalt(priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) { ++ emBits := bigBitLen(priv.N) - 1 + em, err := emsaPSSEncode(hashed, emBits, salt, hash.New()) + if err != nil { + return nil, err + } +- m := new(big.Int).SetBytes(em) +- c, err := decryptAndCheck(rand, priv, m) +- if err != nil { +- return nil, err ++ // RFC 8017: "Note that the octet length of EM will be one less than k if ++ // modBits - 1 is divisible by 8 and equal to k otherwise, where k is the ++ // length in octets of the RSA modulus n." ++ // ++ // This is extremely annoying, as all other encrypt and decrypt inputs are ++ // always the exact same size as the modulus. Since it only happens for ++ // weird modulus sizes, fix it by padding inefficiently. ++ if emLen, k := len(em), priv.Size(); emLen < k { ++ emNew := make([]byte, k) ++ copy(emNew[k-emLen:], em) ++ em = emNew + } +- s := make([]byte, priv.Size()) +- return c.FillBytes(s), nil ++ ++ return decryptAndCheck(priv, em) + } + + const ( +@@ -269,7 +275,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, + saltLength := opts.saltLength() + switch saltLength { + case PSSSaltLengthAuto: +- saltLength = (priv.N.BitLen()-1+7)/8 - 2 - hash.Size() ++ saltLength = (bigBitLen(priv.N)-1+7)/8 - 2 - hash.Size() + case PSSSaltLengthEqualsHash: + saltLength = hash.Size() + } +@@ -278,7 +284,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, + if _, err := io.ReadFull(rand, salt); err != nil { + return nil, err + } +- return signPSSWithSalt(rand, priv, hash, digest, salt) ++ return signPSSWithSalt(priv, hash, digest, salt) + } + + // VerifyPSS verifies a PSS signature. +@@ -291,13 +297,22 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts + if len(sig) != pub.Size() { + return ErrVerification + } +- s := new(big.Int).SetBytes(sig) +- m := encrypt(new(big.Int), pub, s) +- emBits := pub.N.BitLen() - 1 ++ ++ emBits := bigBitLen(pub.N) - 1 + emLen := (emBits + 7) / 8 +- if m.BitLen() > emLen*8 { +- return ErrVerification ++ em := encrypt(pub, sig) ++ ++ // Like in signPSSWithSalt, deal with mismatches between emLen and the size ++ // of the modulus. The spec would have us wire emLen into the encoding ++ // function, but we'd rather always encode to the size of the modulus and ++ // then strip leading zeroes if necessary. This only happens for weird ++ // modulus sizes anyway. ++ for len(em) > emLen && len(em) > 0 { ++ if em[0] != 0 { ++ return ErrVerification ++ } ++ em = em[1:] + } +- em := m.FillBytes(make([]byte, emLen)) ++ + return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New()) + } +diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go +index c3a6d46..d018b43 100644 +--- a/src/crypto/rsa/pss_test.go ++++ b/src/crypto/rsa/pss_test.go +@@ -233,7 +233,10 @@ func TestPSSSigning(t *testing.T) { + } + } + +-func TestSignWithPSSSaltLengthAuto(t *testing.T) { ++func TestPSS513(t *testing.T) { ++ // See Issue 42741, and separately, RFC 8017: "Note that the octet length of ++ // EM will be one less than k if modBits - 1 is divisible by 8 and equal to ++ // k otherwise, where k is the length in octets of the RSA modulus n." + key, err := GenerateKey(rand.Reader, 513) + if err != nil { + t.Fatal(err) +@@ -246,8 +249,9 @@ func TestSignWithPSSSaltLengthAuto(t *testing.T) { + if err != nil { + t.Fatal(err) + } +- if len(signature) == 0 { +- t.Fatal("empty signature returned") ++ err = VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], signature, nil) ++ if err != nil { ++ t.Error(err) + } + } + +diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go +index 6fd59b3..20c1fe1 100644 +--- a/src/crypto/rsa/rsa.go ++++ b/src/crypto/rsa/rsa.go +@@ -19,13 +19,17 @@ + // over the public key primitive, the PrivateKey type implements the + // Decrypter and Signer interfaces from the crypto package. + // +-// The RSA operations in this package are not implemented using constant-time algorithms. ++// Operations in this package are implemented using constant-time algorithms, ++// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate]. ++// Every other operation only leaks the bit size of the involved values, which ++// all depend on the selected key size. + package rsa + + import ( + "crypto" + "crypto/rand" + "crypto/subtle" ++ "encoding/binary" + "errors" + "hash" + "io" +@@ -35,7 +39,6 @@ import ( + "crypto/internal/randutil" + ) + +-var bigZero = big.NewInt(0) + var bigOne = big.NewInt(1) + + // A PublicKey represents the public part of an RSA key. +@@ -50,7 +53,7 @@ type PublicKey struct { + // Size returns the modulus size in bytes. Raw signatures and ciphertexts + // for or by this public key will have the same size. + func (pub *PublicKey) Size() int { +- return (pub.N.BitLen() + 7) / 8 ++ return (bigBitLen(pub.N) + 7) / 8 + } + + // Equal reports whether pub and x have the same value. +@@ -384,10 +387,18 @@ func mgf1XOR(out []byte, hash hash.Hash, seed []byte) { + // too large for the size of the public key. + var ErrMessageTooLong = errors.New("crypto/rsa: message too long for RSA public key size") + +-func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int { +- e := big.NewInt(int64(pub.E)) +- c.Exp(m, e, pub.N) +- return c ++func encrypt(pub *PublicKey, plaintext []byte) []byte { ++ N := modulusFromNat(natFromBig(pub.N)) ++ m := natFromBytes(plaintext).expandFor(N) ++ ++ e := make([]byte, 8) ++ binary.BigEndian.PutUint64(e, uint64(pub.E)) ++ for len(e) > 1 && e[0] == 0 { ++ e = e[1:] ++ } ++ ++ out := make([]byte, modulusSize(N)) ++ return new(nat).exp(m, e, N).fillBytes(out) + } + + // EncryptOAEP encrypts the given message with RSA-OAEP. +@@ -437,12 +448,7 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l + mgf1XOR(db, hash, seed) + mgf1XOR(seed, hash, db) + +- m := new(big.Int) +- m.SetBytes(em) +- c := encrypt(new(big.Int), pub, m) +- +- out := make([]byte, k) +- return c.FillBytes(out), nil ++ return encrypt(pub, em), nil + } + + // ErrDecryption represents a failure to decrypt a message. +@@ -484,98 +490,70 @@ func (priv *PrivateKey) Precompute() { + } + } + +-// decrypt performs an RSA decryption, resulting in a plaintext integer. If a +-// random source is given, RSA blinding is used. +-func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) { +- // TODO(agl): can we get away with reusing blinds? +- if c.Cmp(priv.N) > 0 { +- err = ErrDecryption +- return ++// decrypt performs an RSA decryption of ciphertext into out. ++func decrypt(priv *PrivateKey, ciphertext []byte) ([]byte, error) { ++ N := modulusFromNat(natFromBig(priv.N)) ++ c := natFromBytes(ciphertext).expandFor(N) ++ if c.cmpGeq(N.nat) == 1 { ++ return nil, ErrDecryption + } + if priv.N.Sign() == 0 { + return nil, ErrDecryption + } + +- var ir *big.Int +- if random != nil { +- randutil.MaybeReadByte(random) +- +- // Blinding enabled. Blinding involves multiplying c by r^e. +- // Then the decryption operation performs (m^e * r^e)^d mod n +- // which equals mr mod n. The factor of r can then be removed +- // by multiplying by the multiplicative inverse of r. +- +- var r *big.Int +- ir = new(big.Int) +- for { +- r, err = rand.Int(random, priv.N) +- if err != nil { +- return +- } +- if r.Cmp(bigZero) == 0 { +- r = bigOne +- } +- ok := ir.ModInverse(r, priv.N) +- if ok != nil { +- break +- } +- } +- bigE := big.NewInt(int64(priv.E)) +- rpowe := new(big.Int).Exp(r, bigE, priv.N) // N != 0 +- cCopy := new(big.Int).Set(c) +- cCopy.Mul(cCopy, rpowe) +- cCopy.Mod(cCopy, priv.N) +- c = cCopy +- } +- ++ // Note that because our private decryption exponents are stored as big.Int, ++ // we potentially leak the exact number of bits of these exponents. This ++ // isn't great, but should be fine. + if priv.Precomputed.Dp == nil { +- m = new(big.Int).Exp(c, priv.D, priv.N) +- } else { +- // We have the precalculated values needed for the CRT. +- m = new(big.Int).Exp(c, priv.Precomputed.Dp, priv.Primes[0]) +- m2 := new(big.Int).Exp(c, priv.Precomputed.Dq, priv.Primes[1]) +- m.Sub(m, m2) +- if m.Sign() < 0 { +- m.Add(m, priv.Primes[0]) +- } +- m.Mul(m, priv.Precomputed.Qinv) +- m.Mod(m, priv.Primes[0]) +- m.Mul(m, priv.Primes[1]) +- m.Add(m, m2) +- +- for i, values := range priv.Precomputed.CRTValues { +- prime := priv.Primes[2+i] +- m2.Exp(c, values.Exp, prime) +- m2.Sub(m2, m) +- m2.Mul(m2, values.Coeff) +- m2.Mod(m2, prime) +- if m2.Sign() < 0 { +- m2.Add(m2, prime) +- } +- m2.Mul(m2, values.R) +- m.Add(m, m2) +- } +- } +- +- if ir != nil { +- // Unblind. +- m.Mul(m, ir) +- m.Mod(m, priv.N) +- } +- +- return ++ out := make([]byte, modulusSize(N)) ++ return new(nat).exp(c, priv.D.Bytes(), N).fillBytes(out), nil ++ } ++ ++ t0 := new(nat) ++ P := modulusFromNat(natFromBig(priv.Primes[0])) ++ Q := modulusFromNat(natFromBig(priv.Primes[1])) ++ // m = c ^ Dp mod p ++ m := new(nat).exp(t0.mod(c, P), priv.Precomputed.Dp.Bytes(), P) ++ // m2 = c ^ Dq mod q ++ m2 := new(nat).exp(t0.mod(c, Q), priv.Precomputed.Dq.Bytes(), Q) ++ // m = m - m2 mod p ++ m.modSub(t0.mod(m2, P), P) ++ // m = m * Qinv mod p ++ m.modMul(natFromBig(priv.Precomputed.Qinv).expandFor(P), P) ++ // m = m * q mod N ++ m.expandFor(N).modMul(t0.mod(Q.nat, N), N) ++ // m = m + m2 mod N ++ m.modAdd(m2.expandFor(N), N) ++ ++ for i, values := range priv.Precomputed.CRTValues { ++ p := modulusFromNat(natFromBig(priv.Primes[2+i])) ++ // m2 = c ^ Exp mod p ++ m2.exp(t0.mod(c, p), values.Exp.Bytes(), p) ++ // m2 = m2 - m mod p ++ m2.modSub(t0.mod(m, p), p) ++ // m2 = m2 * Coeff mod p ++ m2.modMul(natFromBig(values.Coeff).expandFor(p), p) ++ // m2 = m2 * R mod N ++ R := natFromBig(values.R).expandFor(N) ++ m2.expandFor(N).modMul(R, N) ++ // m = m + m2 mod N ++ m.modAdd(m2, N) ++ } ++ ++ out := make([]byte, modulusSize(N)) ++ return m.fillBytes(out), nil + } + +-func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) { +- m, err = decrypt(random, priv, c) ++func decryptAndCheck(priv *PrivateKey, ciphertext []byte) (m []byte, err error) { ++ m, err = decrypt(priv, ciphertext) + if err != nil { + return nil, err + } + + // In order to defend against errors in the CRT computation, m^e is + // calculated, which should match the original ciphertext. +- check := encrypt(new(big.Int), &priv.PublicKey, m) +- if c.Cmp(check) != 0 { ++ check := encrypt(&priv.PublicKey, m) ++ if subtle.ConstantTimeCompare(ciphertext, check) != 1 { + return nil, errors.New("rsa: internal error") + } + return m, nil +@@ -587,9 +565,7 @@ func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int + // Encryption and decryption of a given message must use the same hash function + // and sha256.New() is a reasonable choice. + // +-// The random parameter, if not nil, is used to blind the private-key operation +-// and avoid timing side-channel attacks. Blinding is purely internal to this +-// function – the random data need not match that used when encrypting. ++// The random parameter is legacy and ignored, and it can be as nil. + // + // The label parameter must match the value given when encrypting. See + // EncryptOAEP for details. +@@ -603,9 +579,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext + return nil, ErrDecryption + } + +- c := new(big.Int).SetBytes(ciphertext) +- +- m, err := decrypt(random, priv, c) ++ em, err := decrypt(priv, ciphertext) + if err != nil { + return nil, err + } +@@ -614,10 +588,6 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext + lHash := hash.Sum(nil) + hash.Reset() + +- // We probably leak the number of leading zeros. +- // It's not clear that we can do anything about this. +- em := m.FillBytes(make([]byte, k)) +- + firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0) + + seed := em[1 : hash.Size()+1] +-- +2.40.0 From patchwork Mon Feb 12 13:54:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 39195 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 42035C4829D for ; Mon, 12 Feb 2024 13:54:49 +0000 (UTC) Received: from mail-ot1-f52.google.com (mail-ot1-f52.google.com [209.85.210.52]) by mx.groups.io with SMTP id smtpd.web11.6809.1707746087167295839 for ; Mon, 12 Feb 2024 05:54:47 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=MoVhE0+r; spf=softfail (domain: sakoman.com, ip: 209.85.210.52, mailfrom: steve@sakoman.com) Received: by mail-ot1-f52.google.com with SMTP id 46e09a7af769-6dbcebaf9a9so2291749a34.3 for ; Mon, 12 Feb 2024 05:54:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1707746086; x=1708350886; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=679vEnyEKusdWQ89LU1siVl2KFLwRkbQfeUmOYuyhok=; b=MoVhE0+rHwQHEUjGGnYtZoy2V8ISEktR+NBFpkkC5J479e42fpvABprQBnMQaJfhzL qe9Xgpr17QXnyZRRjdAGV7AecRvkuIjVPqYsZlQw1bZX7fGLGE92tWa1glrCcJ7vqjUo 18npyyqkFis2FpBo0BeEBlyQvJ3tMvqRbubxKJWyzeMo6CGBy5+tWLrzum6ub53e0IpI I2QcpXR+GfEFbdI0gm8ausOyrWxjl1h/uNIpesZjpc93RFIcBpqqrKfcilqrVxWTQ2bp Prwpm4g+Er7oUBF0ILkNXZtvikk3XinpdWvKdOWCpZ2cDYQjegr+Zqulz3hy9axO5182 TXwA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707746086; x=1708350886; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=679vEnyEKusdWQ89LU1siVl2KFLwRkbQfeUmOYuyhok=; b=MIMQVZeuRNFIH5djcWyzKuR+Pbo7LMvq0Gx+aIRKHqTVSHTNb4V4ArszW3GaBCuFgx V17kDX77WCzBUTKilGRn8ggx9UCRjDFTfe5EKFydzpzOIdv6Xb71zWUaukds7JYaOoZx 3QlRhnPWYK/Q0WLQrdlga3cV2cOnPpnayLhIbiR2IN+2C1olwSbz3MU/Yfq6iNvHaIbd lFm0GKz11Eq5jN9SRTCMQ9HgW5j5nx7tRCAKb/d1WJTHTjioIRyJYw55K/TmdHkq1/e0 XJrdZiD8lN72qtXtXmGiovVECMUNdhA8HGamwwzy32zgRBKbkG0TYJCn3JOH5RsGcyDH Pjjw== X-Gm-Message-State: AOJu0YxAr9P6DbIl9+vqmBeaf88QA5EetbspV+Bg5SR2P3oAcxfdiQDt rMM6BEqDoBzm4c25giik3WcdpYMnS8dEpRohays16EbU8YU5Zr+jWPA8AhjNCXX177jG46BSZep SY5g= X-Google-Smtp-Source: AGHT+IHoM0DjGOxTiEf0f0tUhHiwzfgnNGmKH4CTsPPBHytID7ocFMUQb4pIelQY0uN+5lCw05qtKA== X-Received: by 2002:a05:6358:d392:b0:176:5a5e:4bfc with SMTP id mp18-20020a056358d39200b001765a5e4bfcmr9047604rwb.3.1707746085975; Mon, 12 Feb 2024 05:54:45 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id k69-20020a638448000000b005dc421f8889sm439889pgd.26.2024.02.12.05.54.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 05:54:45 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/8] curl: Fix CVE-2023-46219 Date: Mon, 12 Feb 2024 03:54:14 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 13:54:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195324 From: Archana Polampalli When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2023-46219-0001.patch | 42 ++++++ .../curl/curl/CVE-2023-46219-0002.patch | 133 ++++++++++++++++++ .../curl/curl/CVE-2023-46219-0003.patch | 81 +++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 3 + 4 files changed, 259 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch new file mode 100644 index 0000000000..55e8f6fac9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch @@ -0,0 +1,42 @@ +From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001 +From: SaltyMilk +Date: Mon, 10 Jul 2023 21:43:28 +0200 +Subject: [PATCH] fopen: optimize + +Closes #11419 + +CVE: CVE-2023-46219 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/0c667188e0c6] + +Signed-off-by: Archana Polampalli +--- + lib/fopen.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index ad3691b..92f39cf 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + int fd = -1; + *tempname = NULL; + +- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { +- /* a non-regular file, fallback to direct fopen() */ +- *fh = fopen(filename, FOPEN_WRITETEXT); +- if(*fh) +- return CURLE_OK; ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(!*fh) + goto fail; +- } ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ return CURLE_OK; ++ fclose(*fh); ++ *fh = NULL; + + result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); + if(result) +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch new file mode 100644 index 0000000000..f432fabbb1 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch @@ -0,0 +1,133 @@ +From 73b65e94f3531179de45c6f3c836a610e3d0a846 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 23 Nov 2023 08:23:17 +0100 +Subject: [PATCH] fopen: create short(er) temporary file name + +Only using random letters in the name plus a ".tmp" extension. Not by +appending characters to the final file name. + +Reported-by: Maksymilian Arciemowicz + +Closes #12388 + +CVE: CVE-2023-46219 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/73b65e94f3531179] + +Signed-off-by: Archana Polampalli +--- + lib/fopen.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 59 insertions(+), 4 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index 92f39cf..1670e32 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -39,6 +39,50 @@ + #include "curl_memory.h" + #include "memdebug.h" + ++ ++/* ++ The dirslash() function breaks a null-terminated pathname string into ++ directory and filename components then returns the directory component up ++ to, *AND INCLUDING*, a final '/'. If there is no directory in the path, ++ this instead returns a "" string. ++ This function returns a pointer to malloc'ed memory. ++ The input path to this function is expected to have a file name part. ++*/ ++ ++#ifdef _WIN32 ++#define PATHSEP "\\" ++#define IS_SEP(x) (((x) == '/') || ((x) == '\\')) ++#elif defined(MSDOS) || defined(__EMX__) || defined(OS2) ++#define PATHSEP "\\" ++#define IS_SEP(x) ((x) == '\\') ++#else ++#define PATHSEP "/" ++#define IS_SEP(x) ((x) == '/') ++#endif ++ ++static char *dirslash(const char *path) ++{ ++ size_t n; ++ struct dynbuf out; ++ DEBUGASSERT(path); ++ Curl_dyn_init(&out, CURL_MAX_INPUT_LENGTH); ++ n = strlen(path); ++ if(n) { ++ /* find the rightmost path separator, if any */ ++ while(n && !IS_SEP(path[n-1])) ++ --n; ++ /* skip over all the path separators, if any */ ++ while(n && IS_SEP(path[n-1])) ++ --n; ++ } ++ if(Curl_dyn_addn(&out, path, n)) ++ return NULL; ++ /* if there was a directory, append a single trailing slash */ ++ if(n && Curl_dyn_addn(&out, PATHSEP, 1)) ++ return NULL; ++ return Curl_dyn_ptr(&out); ++} ++ + /* + * Curl_fopen() opens a file for writing with a temp name, to be renamed + * to the final name when completed. If there is an existing file using this +@@ -50,25 +94,34 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + FILE **fh, char **tempname) + { + CURLcode result = CURLE_WRITE_ERROR; +- unsigned char randsuffix[9]; ++ unsigned char randbuf[41]; + char *tempstore = NULL; + struct_stat sb; + int fd = -1; ++ char *dir; + *tempname = NULL; + ++ dir = dirslash(filename); ++ if(!dir) ++ goto fail; ++ + *fh = fopen(filename, FOPEN_WRITETEXT); + if(!*fh) + goto fail; +- if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)){ ++ free(dir); + return CURLE_OK; ++ } + fclose(*fh); + *fh = NULL; + +- result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ result = Curl_rand_hex(data, randbuf, sizeof(randbuf)); + if(result) + goto fail; + +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ /* The temp file name should not end up too long for the target file ++ system */ ++ tempstore = aprintf("%s%s.tmp", dir, randbuf); + if(!tempstore) { + result = CURLE_OUT_OF_MEMORY; + goto fail; +@@ -95,6 +148,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + if(!*fh) + goto fail; + ++ free(dir); + *tempname = tempstore; + return CURLE_OK; + +@@ -107,6 +161,7 @@ fail: + free(tempstore); + + *tempname = NULL; ++ free(dir); + return result; + } + +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch b/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch new file mode 100644 index 0000000000..3b6f756549 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch @@ -0,0 +1,81 @@ +From f27b8dba73295cb5296a50f2c19c0739b502eb94 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 24 Nov 2023 09:46:32 +0100 +Subject: [PATCH] fopen: allocate the dir after fopen + +Move the allocation of the directory name down to after the fopen() call +to allow that shortcut code path to avoid a superfluous malloc+free +cycle. + +Follow-up to 73b65e94f35311 + +Closes #12398 + +CVE: CVE-2023-46219 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/f27b8dba73295cb529] + +Signed-off-by: Archana Polampalli +--- + lib/fopen.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index 1670e32..b663f8b 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -98,18 +98,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + char *tempstore = NULL; + struct_stat sb; + int fd = -1; +- char *dir; ++ char *dir = NULL; + *tempname = NULL; + +- dir = dirslash(filename); +- if(!dir) +- goto fail; +- + *fh = fopen(filename, FOPEN_WRITETEXT); + if(!*fh) + goto fail; + if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)){ +- free(dir); + return CURLE_OK; + } + fclose(*fh); +@@ -119,9 +114,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + if(result) + goto fail; + +- /* The temp file name should not end up too long for the target file +- system */ +- tempstore = aprintf("%s%s.tmp", dir, randbuf); ++ dir = dirslash(filename); ++ if(dir) { ++ /* The temp file name should not end up too long for the target file ++ system */ ++ tempstore = aprintf("%s%s.tmp", dir, randbuf); ++ free(dir); ++ } + if(!tempstore) { + result = CURLE_OUT_OF_MEMORY; + goto fail; +@@ -148,7 +147,6 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + if(!*fh) + goto fail; + +- free(dir); + *tempname = tempstore; + return CURLE_OK; + +@@ -161,7 +159,6 @@ fail: + free(tempstore); + + *tempname = NULL; +- free(dir); + return result; + } + +-- +2.40.0 diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 965f05bc98..de69d3d53b 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -54,6 +54,9 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2023-38545.patch \ file://CVE-2023-38546.patch \ file://CVE-2023-46218.patch \ + file://CVE-2023-46219-0001.patch \ + file://CVE-2023-46219-0002.patch \ + file://CVE-2023-46219-0003.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Mon Feb 12 13:54:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 39194 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 364E5C48297 for ; Mon, 12 Feb 2024 13:54:49 +0000 (UTC) Received: from mail-oo1-f52.google.com (mail-oo1-f52.google.com [209.85.161.52]) by mx.groups.io with SMTP id smtpd.web10.6783.1707746088875367263 for ; Mon, 12 Feb 2024 05:54:48 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=j/uemTca; spf=softfail (domain: sakoman.com, ip: 209.85.161.52, mailfrom: steve@sakoman.com) Received: by mail-oo1-f52.google.com with SMTP id 006d021491bc7-59d11e0b9e1so2013540eaf.1 for ; Mon, 12 Feb 2024 05:54:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1707746088; x=1708350888; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=41SXOgT+4JGs/AtCMMuLv+XqRx+FTIPoFI77ecFWIXY=; b=j/uemTcaf4uQNid0GvPINKtsbgPcoHhgw9nFutcgnS8Ac/IBrmi92jnR+d9ZZb/xSu XIA9d+9ESQ3NowIHtTkuP5whztnqbvwajAjCvyWI2UBO898INJsHU6HHpEFePEXRW+F8 IWvX9fmldYZI+EMTWn3plXvwqikTP7Q+4gQY1fUG8clWNiRz9vjIgARWU8Vuti0M8dtd /JereFla8xewqqOPBTDB9cc4KVWLZ8MpshPSDBNZMTeKqEhoi2Cn4LC8odiWvKNk3buH 1KLHXN7abHrtcfpRzDDb87EIHEXHmRYFGi7GfcZZBEfBv6AizDS1tq1roqK5HHaAbNqT ayaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707746088; x=1708350888; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=41SXOgT+4JGs/AtCMMuLv+XqRx+FTIPoFI77ecFWIXY=; b=aN0b2D/R+lzhbv7s3tl6lBvj6x42cnsPlHeie8KsyIa7EGDNpnP5fWy9rBBaK/SY8j +Vh6Im/jy1fqwxovNml/ghP2VqGSdSvNUglc4q+vPl6VKekDleFZMmOeW4My5SDtLf90 RlJIX0Vbl3DDFR+oGRvLh+3tbj0I/ucIxRBzw8K5q2UQANjPH/E7Jow3JNd60XiNqNK4 TqUvzlG1T7QtR1jk5lIz8epu7j4yn+04tHXF1SjPCcarUcWNOn2+wLTswjd5yzjXrR/s NJJanXoBoPaaUpRTPw2TOa1wRbQpi0jOJLHYkNSQaSqMzYZbdHCy+kPYqDKFT/cbnM7Q /ziQ== X-Gm-Message-State: AOJu0YwRgin6p+tGsubHvK5shIqks3IOZJQ+3P8vCGQT5uVnuk2CA/r7 wRQAJ1IYxKY8Dl0OWvVkbFOjKR8N0m+2Wm8Urb1Yt0XE9qGMjC3tLjq0dYfaIguj0u0ElBr38YM GgGg= X-Google-Smtp-Source: AGHT+IGbs7fHk6ygAinU97XSPAFkHzBwPrzUuqRjRikmxxknaRNWzEQz5TbZQaan0iDoxkEn4MR93w== X-Received: by 2002:a05:6358:9894:b0:178:7630:fb46 with SMTP id q20-20020a056358989400b001787630fb46mr10364344rwa.29.1707746087800; Mon, 12 Feb 2024 05:54:47 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id k69-20020a638448000000b005dc421f8889sm439889pgd.26.2024.02.12.05.54.46 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 05:54:47 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/8] libgit2: Fix CVE-2024-24575 and CVE-2024-24577 Date: Mon, 12 Feb 2024 03:54:15 -1000 Message-Id: <942254eb3ef29c8672a35015c086721c4fbe5a4f.1707745886.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 13:54:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195325 From: Soumya Sambu CVE-2024-24575: libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2. CVE-2024-24577: libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2. References: https://nvd.nist.gov/vuln/detail/CVE-2024-24575 https://security-tracker.debian.org/tracker/CVE-2024-24575 https://nvd.nist.gov/vuln/detail/CVE-2024-24577 https://security-tracker.debian.org/tracker/CVE-2024-24577 Signed-off-by: Soumya Sambu Signed-off-by: Steve Sakoman --- .../libgit2/libgit2/CVE-2024-24575.patch | 56 +++++++++++++++++++ .../libgit2/libgit2/CVE-2024-24577.patch | 52 +++++++++++++++++ meta/recipes-support/libgit2/libgit2_1.4.5.bb | 5 +- 3 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch create mode 100644 meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch diff --git a/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch b/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch new file mode 100644 index 0000000000..d3957ac5d0 --- /dev/null +++ b/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch @@ -0,0 +1,56 @@ +From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001 +From: Edward Thomson +Date: Fri, 17 Nov 2023 16:54:47 +0000 +Subject: [PATCH] revparse: fix parsing bug for trailing `@` + +When parsing a revspec that ends with a trailing `@`, explicitly stop +parsing. Introduce a sentinel variable to explicitly stop parsing. + +Prior to this, we would set `spec` to `HEAD`, but were looping on the +value of `spec[pos]`, so we would continue walking the (new) `spec` +at offset `pos`, looking for a NUL. This is obviously an out-of-bounds +read. + +Credit to Michael Rodler (@f0rki) and Amazon AWS Security. + +CVE: CVE-2024-24575 + +Upstream-Status: Backport [https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf] + +Signed-off-by: Soumya Sambu +--- + src/revparse.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/revparse.c b/src/revparse.c +index 9bc28e9fc..d3bbe840b 100644 +--- a/src/revparse.c ++++ b/src/revparse.c +@@ -685,6 +685,7 @@ static int revparse( + git_object *base_rev = NULL; + + bool should_return_reference = true; ++ bool parsed = false; + + GIT_ASSERT_ARG(object_out); + GIT_ASSERT_ARG(reference_out); +@@ -694,7 +695,7 @@ static int revparse( + *object_out = NULL; + *reference_out = NULL; + +- while (spec[pos]) { ++ while (!parsed && spec[pos]) { + switch (spec[pos]) { + case '^': + should_return_reference = false; +@@ -801,6 +802,8 @@ static int revparse( + break; + } else if (spec[pos+1] == '\0') { + spec = "HEAD"; ++ identifier_len = 4; ++ parsed = true; + break; + } + /* fall through */ +-- +2.40.0 diff --git a/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch b/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch new file mode 100644 index 0000000000..3469f9d099 --- /dev/null +++ b/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch @@ -0,0 +1,52 @@ +From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001 +From: Edward Thomson +Date: Sat, 16 Dec 2023 11:19:07 +0000 +Subject: [PATCH] index: correct index has_dir_name check + +`has_dir_name` is used to check for directory/file collisions, +and attempts to determine whether the index contains a file with +a directory name that is a proper subset of the new index entry +that we're trying to add. + +To determine directory name, the function would walk the path string +backwards to identify a `/`, stopping at the end of the string. However, +the function assumed that the strings did not start with a `/`. If the +paths contain only a single `/` at the beginning of the string, then the +function would continue the loop, erroneously, when they should have +stopped at the first character. + +Correct the order of the tests to terminate properly. + +Credit to Michael Rodler (@f0rki) and Amazon AWS Security. + +CVE: CVE-2024-24577 + +Upstream-Status: Backport [https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3] + +Signed-off-by: Soumya Sambu +--- + src/index.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/index.c b/src/index.c +index aa97c6421..e8ff82e1a 100644 +--- a/src/index.c ++++ b/src/index.c +@@ -1148,10 +1148,13 @@ static int has_dir_name(git_index *index, + size_t len, pos; + + for (;;) { +- if (*--slash == '/') +- break; ++ slash--; ++ + if (slash <= entry->path) + return 0; ++ ++ if (*slash == '/') ++ break; + } + len = slash - name; + +-- +2.40.0 diff --git a/meta/recipes-support/libgit2/libgit2_1.4.5.bb b/meta/recipes-support/libgit2/libgit2_1.4.5.bb index aadfe4ad02..ad8b9a536a 100644 --- a/meta/recipes-support/libgit2/libgit2_1.4.5.bb +++ b/meta/recipes-support/libgit2/libgit2_1.4.5.bb @@ -5,7 +5,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e5a9227de4cb6afb5d35ed7b0fdf480d" DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2" -SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https" +SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https \ + file://CVE-2024-24575.patch \ + file://CVE-2024-24577.patch \ + " SRCREV = "cd6f679af401eda1f172402006ef8265f8bd58ea" S = "${WORKDIR}/git" From patchwork Mon Feb 12 13:54:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 39198 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3EE6BC4829D for ; Mon, 12 Feb 2024 13:54:59 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web10.6784.1707746090806236085 for ; Mon, 12 Feb 2024 05:54:50 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=lXjQcDRM; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-6e0a4c6c2adso709193b3a.1 for ; Mon, 12 Feb 2024 05:54:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1707746090; x=1708350890; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=m+tR4AWyV1zsNHCDT/86aKdlO8GKcCOpvHJBhmslRR0=; b=lXjQcDRMy/dNZrZRBUo44Wx+YVD6LfjbquzoH4sCv6rkLaqRFBUVMVSY6dRcaZnnFe bEoOVjelzEcMAHqb6Cm93XiXfAcVDWGhFPG5TiV1/AZQgE2CR+cTq8DqJ2//UplUcIXF +c7PuQ6jOAO0IbbU3cvk5BGUAUb/NlCU0XjOn0mx2NQ/LeG60FNKWyWRJGPkHl/vvDs/ h+bU0W0U/bawvCm2N4eSKROuTJEXywdgWIbmFapB8FXqUxmeHLn9q3/LrR8a/yR9TaZy E4pPbgXayOUY8/kO+zjGt4Sh+MmZ040eoyvyuU8xNNk4gqAwQYSO1W0DvFvwgwiVm1HL eQow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707746090; x=1708350890; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=m+tR4AWyV1zsNHCDT/86aKdlO8GKcCOpvHJBhmslRR0=; b=hPOLNGarO8gkvO0vq7Ofb7s2sv4QSQbCLY2O+weUteyjlruCzz/zxz+MuxoK5NbizZ HDGit+CGIKI1fQ03bx360iUmPqdzNDSFX2MJduoWeipt+pdhLH6bwcyDws166ugi8h60 HB2H2hsGHyd0jZ2LgfhP23SVIWibB6c19GpZVPsWo/Wat4y90PUxDDQupAci8iqAvPxJ mwnnOcAjJS690vrfgFg2BEz/xYyaK65bBWGGgcDIS12AsuD3hMBTJQbwf3Y+uNx8X5X7 wf7EAgXfoqS1aLdxhHFYTQt958gsQOWh9InqGo9uUk5dHQrhOTjEkLErUF3ZNqpYQNkq qutQ== X-Gm-Message-State: AOJu0Yx1lBx7LhkyLW7J3EwTopzw3wVxNkRLXXeIKASdVeaRJX/VFhG1 3SvvDeJgZvggwzgsbs9IlFa8Vzws0vs3ULMebGfv4Qnm/mlJCSzuylwksJfc120CZx4+FvGinUY QgN8= X-Google-Smtp-Source: AGHT+IEOOQkmlGPNnwF3RiusCW9c3IXuyqcOcqqRcoWU/nmvRejkxs020rC/DA21Jsdzi5ZKtcZ76g== X-Received: by 2002:a05:6a21:3115:b0:19e:b15c:c8d0 with SMTP id yz21-20020a056a21311500b0019eb15cc8d0mr6472855pzb.18.1707746089755; Mon, 12 Feb 2024 05:54:49 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id k69-20020a638448000000b005dc421f8889sm439889pgd.26.2024.02.12.05.54.48 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 05:54:49 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/8] python3-pycryptodome: Fix CVE-2023-52323 Date: Mon, 12 Feb 2024 03:54:16 -1000 Message-Id: <04c9b6b081914005209bac8eeb9f417e7b989cca.1707745886.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 13:54:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195326 From: Narpat Mali PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack. References: https://security-tracker.debian.org/tracker/CVE-2023-52323 https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst Signed-off-by: Narpat Mali Signed-off-by: Steve Sakoman --- .../python3-pycryptodome/CVE-2023-52323.patch | 436 ++++++++++++++++++ .../python/python3-pycryptodome_3.14.1.bb | 1 + .../CVE-2023-52323.patch | 436 ++++++++++++++++++ .../python/python3-pycryptodomex_3.14.1.bb | 2 + 4 files changed, 875 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch create mode 100644 meta/recipes-devtools/python/python3-pycryptodomex/CVE-2023-52323.patch diff --git a/meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch b/meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch new file mode 100644 index 0000000000..be3090eb8d --- /dev/null +++ b/meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch @@ -0,0 +1,436 @@ +From 73bbed822fadddf3c0ab4a945ee6ab16bbca6961 Mon Sep 17 00:00:00 2001 +From: Helder Eijs +Date: Thu, 1 Feb 2024 13:43:44 +0000 +Subject: [PATCH] Use constant-time (faster) padding decoding also for OAEP + +CVE: CVE-2023-52323 + +Upstream-Status: Backport [https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd] + +Signed-off-by: Narpat Mali +--- + lib/Crypto/Cipher/PKCS1_OAEP.py | 38 +++++------- + lib/Crypto/Cipher/PKCS1_v1_5.py | 31 +--------- + lib/Crypto/Cipher/_pkcs1_oaep_decode.py | 41 +++++++++++++ + src/pkcs1_decode.c | 79 +++++++++++++++++++++++-- + src/test/test_pkcs1.c | 22 +++---- + 5 files changed, 145 insertions(+), 66 deletions(-) + create mode 100644 lib/Crypto/Cipher/_pkcs1_oaep_decode.py + +diff --git a/lib/Crypto/Cipher/PKCS1_OAEP.py b/lib/Crypto/Cipher/PKCS1_OAEP.py +index 57a982b..6974584 100644 +--- a/lib/Crypto/Cipher/PKCS1_OAEP.py ++++ b/lib/Crypto/Cipher/PKCS1_OAEP.py +@@ -23,11 +23,13 @@ + from Crypto.Signature.pss import MGF1 + import Crypto.Hash.SHA1 + +-from Crypto.Util.py3compat import bord, _copy_bytes ++from Crypto.Util.py3compat import _copy_bytes + import Crypto.Util.number +-from Crypto.Util.number import ceil_div, bytes_to_long, long_to_bytes +-from Crypto.Util.strxor import strxor ++from Crypto.Util.number import ceil_div, bytes_to_long, long_to_bytes ++from Crypto.Util.strxor import strxor + from Crypto import Random ++from ._pkcs1_oaep_decode import oaep_decode ++ + + class PKCS1OAEP_Cipher: + """Cipher object for PKCS#1 v1.5 OAEP. +@@ -68,7 +70,7 @@ class PKCS1OAEP_Cipher: + if mgfunc: + self._mgf = mgfunc + else: +- self._mgf = lambda x,y: MGF1(x,y,self._hashObj) ++ self._mgf = lambda x, y: MGF1(x, y, self._hashObj) + + self._label = _copy_bytes(None, None, label) + self._randfunc = randfunc +@@ -105,7 +107,7 @@ class PKCS1OAEP_Cipher: + + # See 7.1.1 in RFC3447 + modBits = Crypto.Util.number.size(self._key.n) +- k = ceil_div(modBits, 8) # Convert from bits to bytes ++ k = ceil_div(modBits, 8) # Convert from bits to bytes + hLen = self._hashObj.digest_size + mLen = len(message) + +@@ -159,11 +161,11 @@ class PKCS1OAEP_Cipher: + + # See 7.1.2 in RFC3447 + modBits = Crypto.Util.number.size(self._key.n) +- k = ceil_div(modBits,8) # Convert from bits to bytes ++ k = ceil_div(modBits, 8) # Convert from bits to bytes + hLen = self._hashObj.digest_size + + # Step 1b and 1c +- if len(ciphertext) != k or k k: +- size = _pkcs1_decode(em, b'', expected_pt_len, output) ++ size = pkcs1_decode(em, b'', expected_pt_len, output) + if size < 0: + return sentinel + else: + return output[size:] + + # Step 3 (somewhat constant time) +- size = _pkcs1_decode(em, sentinel, expected_pt_len, output) ++ size = pkcs1_decode(em, sentinel, expected_pt_len, output) + return output[size:] + + +diff --git a/lib/Crypto/Cipher/_pkcs1_oaep_decode.py b/lib/Crypto/Cipher/_pkcs1_oaep_decode.py +new file mode 100644 +index 0000000..fc07528 +--- /dev/null ++++ b/lib/Crypto/Cipher/_pkcs1_oaep_decode.py +@@ -0,0 +1,41 @@ ++from Crypto.Util._raw_api import (load_pycryptodome_raw_lib, c_size_t, ++ c_uint8_ptr) ++ ++ ++_raw_pkcs1_decode = load_pycryptodome_raw_lib("Crypto.Cipher._pkcs1_decode", ++ """ ++ int pkcs1_decode(const uint8_t *em, size_t len_em, ++ const uint8_t *sentinel, size_t len_sentinel, ++ size_t expected_pt_len, ++ uint8_t *output); ++ ++ int oaep_decode(const uint8_t *em, ++ size_t em_len, ++ const uint8_t *lHash, ++ size_t hLen, ++ const uint8_t *db, ++ size_t db_len); ++ """) ++ ++ ++def pkcs1_decode(em, sentinel, expected_pt_len, output): ++ if len(em) != len(output): ++ raise ValueError("Incorrect output length") ++ ++ ret = _raw_pkcs1_decode.pkcs1_decode(c_uint8_ptr(em), ++ c_size_t(len(em)), ++ c_uint8_ptr(sentinel), ++ c_size_t(len(sentinel)), ++ c_size_t(expected_pt_len), ++ c_uint8_ptr(output)) ++ return ret ++ ++ ++def oaep_decode(em, lHash, db): ++ ret = _raw_pkcs1_decode.oaep_decode(c_uint8_ptr(em), ++ c_size_t(len(em)), ++ c_uint8_ptr(lHash), ++ c_size_t(len(lHash)), ++ c_uint8_ptr(db), ++ c_size_t(len(db))) ++ return ret +diff --git a/src/pkcs1_decode.c b/src/pkcs1_decode.c +index 207b198..74cb4a2 100644 +--- a/src/pkcs1_decode.c ++++ b/src/pkcs1_decode.c +@@ -130,7 +130,7 @@ STATIC size_t safe_select_idx(size_t in1, size_t in2, uint8_t choice) + * - in1[] is NOT equal to in2[] where neq_mask[] is 0xFF. + * Return non-zero otherwise. + */ +-STATIC uint8_t safe_cmp(const uint8_t *in1, const uint8_t *in2, ++STATIC uint8_t safe_cmp_masks(const uint8_t *in1, const uint8_t *in2, + const uint8_t *eq_mask, const uint8_t *neq_mask, + size_t len) + { +@@ -187,7 +187,7 @@ STATIC size_t safe_search(const uint8_t *in1, uint8_t c, size_t len) + return result; + } + +-#define EM_PREFIX_LEN 10 ++#define PKCS1_PREFIX_LEN 10 + + /* + * Decode and verify the PKCS#1 padding, then put either the plaintext +@@ -222,13 +222,13 @@ EXPORT_SYM int pkcs1_decode(const uint8_t *em, size_t len_em_output, + if (NULL == em || NULL == output || NULL == sentinel) { + return -1; + } +- if (len_em_output < (EM_PREFIX_LEN + 2)) { ++ if (len_em_output < (PKCS1_PREFIX_LEN + 2)) { + return -1; + } + if (len_sentinel > len_em_output) { + return -1; + } +- if (expected_pt_len > 0 && expected_pt_len > (len_em_output - EM_PREFIX_LEN - 1)) { ++ if (expected_pt_len > 0 && expected_pt_len > (len_em_output - PKCS1_PREFIX_LEN - 1)) { + return -1; + } + +@@ -240,7 +240,7 @@ EXPORT_SYM int pkcs1_decode(const uint8_t *em, size_t len_em_output, + memcpy(padded_sentinel + (len_em_output - len_sentinel), sentinel, len_sentinel); + + /** The first 10 bytes must follow the pattern **/ +- match = safe_cmp(em, ++ match = safe_cmp_masks(em, + (const uint8_t*)"\x00\x02" "\x00\x00\x00\x00\x00\x00\x00\x00", + (const uint8_t*)"\xFF\xFF" "\x00\x00\x00\x00\x00\x00\x00\x00", + (const uint8_t*)"\x00\x00" "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", +@@ -283,3 +283,72 @@ end: + free(padded_sentinel); + return result; + } ++ ++/* ++ * Decode and verify the OAEP padding in constant time. ++ * ++ * The function returns the number of bytes to ignore at the beginning ++ * of db (the rest is the plaintext), or -1 in case of problems. ++ */ ++ ++EXPORT_SYM int oaep_decode(const uint8_t *em, ++ size_t em_len, ++ const uint8_t *lHash, ++ size_t hLen, ++ const uint8_t *db, ++ size_t db_len) /* em_len - 1 - hLen */ ++{ ++ int result; ++ size_t one_pos, search_len, i; ++ uint8_t wrong_padding; ++ uint8_t *eq_mask = NULL; ++ uint8_t *neq_mask = NULL; ++ uint8_t *target_db = NULL; ++ ++ if (NULL == em || NULL == lHash || NULL == db) { ++ return -1; ++ } ++ ++ if (em_len < 2*hLen+2 || db_len != em_len-1-hLen) { ++ return -1; ++ } ++ ++ /* Allocate */ ++ eq_mask = (uint8_t*) calloc(1, db_len); ++ neq_mask = (uint8_t*) calloc(1, db_len); ++ target_db = (uint8_t*) calloc(1, db_len); ++ if (NULL == eq_mask || NULL == neq_mask || NULL == target_db) { ++ result = -1; ++ goto cleanup; ++ } ++ ++ /* Step 3g */ ++ search_len = db_len - hLen; ++ ++ one_pos = safe_search(db + hLen, 0x01, search_len); ++ if (SIZE_T_MAX == one_pos) { ++ result = -1; ++ goto cleanup; ++ } ++ ++ memset(eq_mask, 0xAA, db_len); ++ memcpy(target_db, lHash, hLen); ++ memset(eq_mask, 0xFF, hLen); ++ ++ for (i=0; i +Date: Thu, 8 Feb 2024 09:09:35 +0000 +Subject: [PATCH] Use constant-time (faster) padding decoding also for OAEP + +CVE: CVE-2023-52323 + +Upstream-Status: Backport [https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd] + +Signed-off-by: Narpat Mali +--- + lib/Cryptodome/Cipher/PKCS1_OAEP.py | 38 +++++----- + lib/Cryptodome/Cipher/PKCS1_v1_5.py | 31 +------- + lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py | 41 +++++++++++ + src/pkcs1_decode.c | 79 +++++++++++++++++++-- + src/test/test_pkcs1.c | 22 +++--- + 5 files changed, 145 insertions(+), 66 deletions(-) + create mode 100644 lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py + +diff --git a/lib/Cryptodome/Cipher/PKCS1_OAEP.py b/lib/Cryptodome/Cipher/PKCS1_OAEP.py +index 7525c5d..653df04 100644 +--- a/lib/Cryptodome/Cipher/PKCS1_OAEP.py ++++ b/lib/Cryptodome/Cipher/PKCS1_OAEP.py +@@ -23,11 +23,13 @@ + from Cryptodome.Signature.pss import MGF1 + import Cryptodome.Hash.SHA1 + +-from Cryptodome.Util.py3compat import bord, _copy_bytes ++from Crypto.Util.py3compat import _copy_bytes + import Cryptodome.Util.number +-from Cryptodome.Util.number import ceil_div, bytes_to_long, long_to_bytes +-from Cryptodome.Util.strxor import strxor ++from Crypto.Util.number import ceil_div, bytes_to_long, long_to_bytes ++from Crypto.Util.strxor import strxor + from Cryptodome import Random ++from ._pkcs1_oaep_decode import oaep_decode ++ + + class PKCS1OAEP_Cipher: + """Cipher object for PKCS#1 v1.5 OAEP. +@@ -68,7 +70,7 @@ class PKCS1OAEP_Cipher: + if mgfunc: + self._mgf = mgfunc + else: +- self._mgf = lambda x,y: MGF1(x,y,self._hashObj) ++ self._mgf = lambda x, y: MGF1(x, y, self._hashObj) + + self._label = _copy_bytes(None, None, label) + self._randfunc = randfunc +@@ -105,7 +107,7 @@ class PKCS1OAEP_Cipher: + + # See 7.1.1 in RFC3447 + modBits = Cryptodome.Util.number.size(self._key.n) +- k = ceil_div(modBits, 8) # Convert from bits to bytes ++ k = ceil_div(modBits, 8) # Convert from bits to bytes + hLen = self._hashObj.digest_size + mLen = len(message) + +@@ -159,11 +161,11 @@ class PKCS1OAEP_Cipher: + + # See 7.1.2 in RFC3447 + modBits = Cryptodome.Util.number.size(self._key.n) +- k = ceil_div(modBits,8) # Convert from bits to bytes ++ k = ceil_div(modBits, 8) # Convert from bits to bytes + hLen = self._hashObj.digest_size + + # Step 1b and 1c +- if len(ciphertext) != k or k k: +- size = _pkcs1_decode(em, b'', expected_pt_len, output) ++ size = pkcs1_decode(em, b'', expected_pt_len, output) + if size < 0: + return sentinel + else: + return output[size:] + + # Step 3 (somewhat constant time) +- size = _pkcs1_decode(em, sentinel, expected_pt_len, output) ++ size = pkcs1_decode(em, sentinel, expected_pt_len, output) + return output[size:] + + +diff --git a/lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py b/lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py +new file mode 100644 +index 0000000..fc07528 +--- /dev/null ++++ b/lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py +@@ -0,0 +1,41 @@ ++from Crypto.Util._raw_api import (load_pycryptodome_raw_lib, c_size_t, ++ c_uint8_ptr) ++ ++ ++_raw_pkcs1_decode = load_pycryptodome_raw_lib("Crypto.Cipher._pkcs1_decode", ++ """ ++ int pkcs1_decode(const uint8_t *em, size_t len_em, ++ const uint8_t *sentinel, size_t len_sentinel, ++ size_t expected_pt_len, ++ uint8_t *output); ++ ++ int oaep_decode(const uint8_t *em, ++ size_t em_len, ++ const uint8_t *lHash, ++ size_t hLen, ++ const uint8_t *db, ++ size_t db_len); ++ """) ++ ++ ++def pkcs1_decode(em, sentinel, expected_pt_len, output): ++ if len(em) != len(output): ++ raise ValueError("Incorrect output length") ++ ++ ret = _raw_pkcs1_decode.pkcs1_decode(c_uint8_ptr(em), ++ c_size_t(len(em)), ++ c_uint8_ptr(sentinel), ++ c_size_t(len(sentinel)), ++ c_size_t(expected_pt_len), ++ c_uint8_ptr(output)) ++ return ret ++ ++ ++def oaep_decode(em, lHash, db): ++ ret = _raw_pkcs1_decode.oaep_decode(c_uint8_ptr(em), ++ c_size_t(len(em)), ++ c_uint8_ptr(lHash), ++ c_size_t(len(lHash)), ++ c_uint8_ptr(db), ++ c_size_t(len(db))) ++ return ret +diff --git a/src/pkcs1_decode.c b/src/pkcs1_decode.c +index 207b198..74cb4a2 100644 +--- a/src/pkcs1_decode.c ++++ b/src/pkcs1_decode.c +@@ -130,7 +130,7 @@ STATIC size_t safe_select_idx(size_t in1, size_t in2, uint8_t choice) + * - in1[] is NOT equal to in2[] where neq_mask[] is 0xFF. + * Return non-zero otherwise. + */ +-STATIC uint8_t safe_cmp(const uint8_t *in1, const uint8_t *in2, ++STATIC uint8_t safe_cmp_masks(const uint8_t *in1, const uint8_t *in2, + const uint8_t *eq_mask, const uint8_t *neq_mask, + size_t len) + { +@@ -187,7 +187,7 @@ STATIC size_t safe_search(const uint8_t *in1, uint8_t c, size_t len) + return result; + } + +-#define EM_PREFIX_LEN 10 ++#define PKCS1_PREFIX_LEN 10 + + /* + * Decode and verify the PKCS#1 padding, then put either the plaintext +@@ -222,13 +222,13 @@ EXPORT_SYM int pkcs1_decode(const uint8_t *em, size_t len_em_output, + if (NULL == em || NULL == output || NULL == sentinel) { + return -1; + } +- if (len_em_output < (EM_PREFIX_LEN + 2)) { ++ if (len_em_output < (PKCS1_PREFIX_LEN + 2)) { + return -1; + } + if (len_sentinel > len_em_output) { + return -1; + } +- if (expected_pt_len > 0 && expected_pt_len > (len_em_output - EM_PREFIX_LEN - 1)) { ++ if (expected_pt_len > 0 && expected_pt_len > (len_em_output - PKCS1_PREFIX_LEN - 1)) { + return -1; + } + +@@ -240,7 +240,7 @@ EXPORT_SYM int pkcs1_decode(const uint8_t *em, size_t len_em_output, + memcpy(padded_sentinel + (len_em_output - len_sentinel), sentinel, len_sentinel); + + /** The first 10 bytes must follow the pattern **/ +- match = safe_cmp(em, ++ match = safe_cmp_masks(em, + (const uint8_t*)"\x00\x02" "\x00\x00\x00\x00\x00\x00\x00\x00", + (const uint8_t*)"\xFF\xFF" "\x00\x00\x00\x00\x00\x00\x00\x00", + (const uint8_t*)"\x00\x00" "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", +@@ -283,3 +283,72 @@ end: + free(padded_sentinel); + return result; + } ++ ++/* ++ * Decode and verify the OAEP padding in constant time. ++ * ++ * The function returns the number of bytes to ignore at the beginning ++ * of db (the rest is the plaintext), or -1 in case of problems. ++ */ ++ ++EXPORT_SYM int oaep_decode(const uint8_t *em, ++ size_t em_len, ++ const uint8_t *lHash, ++ size_t hLen, ++ const uint8_t *db, ++ size_t db_len) /* em_len - 1 - hLen */ ++{ ++ int result; ++ size_t one_pos, search_len, i; ++ uint8_t wrong_padding; ++ uint8_t *eq_mask = NULL; ++ uint8_t *neq_mask = NULL; ++ uint8_t *target_db = NULL; ++ ++ if (NULL == em || NULL == lHash || NULL == db) { ++ return -1; ++ } ++ ++ if (em_len < 2*hLen+2 || db_len != em_len-1-hLen) { ++ return -1; ++ } ++ ++ /* Allocate */ ++ eq_mask = (uint8_t*) calloc(1, db_len); ++ neq_mask = (uint8_t*) calloc(1, db_len); ++ target_db = (uint8_t*) calloc(1, db_len); ++ if (NULL == eq_mask || NULL == neq_mask || NULL == target_db) { ++ result = -1; ++ goto cleanup; ++ } ++ ++ /* Step 3g */ ++ search_len = db_len - hLen; ++ ++ one_pos = safe_search(db + hLen, 0x01, search_len); ++ if (SIZE_T_MAX == one_pos) { ++ result = -1; ++ goto cleanup; ++ } ++ ++ memset(eq_mask, 0xAA, db_len); ++ memcpy(target_db, lHash, hLen); ++ memset(eq_mask, 0xFF, hLen); ++ ++ for (i=0; i X-Patchwork-Id: 39197 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37E52C48297 for ; Mon, 12 Feb 2024 13:54:59 +0000 (UTC) Received: from mail-ot1-f53.google.com (mail-ot1-f53.google.com [209.85.210.53]) by mx.groups.io with SMTP id smtpd.web11.6811.1707746092420944654 for ; Mon, 12 Feb 2024 05:54:52 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=z/F90A4s; spf=softfail (domain: sakoman.com, ip: 209.85.210.53, mailfrom: steve@sakoman.com) Received: by mail-ot1-f53.google.com with SMTP id 46e09a7af769-6e2edb28554so188628a34.2 for ; Mon, 12 Feb 2024 05:54:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1707746091; x=1708350891; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=6FGwgp937DsuMA/7j1yLSrvc1p1ozzllVCo70P99m10=; b=z/F90A4sKwL7ZZt58Bs1LfdsaUkn/wDjmpKmM6l8DB4wqdM5CD1m77UEpHEa1VHB1E fBL3Nd5fk4ZmN/5f+i7wKjk93UWT0kCoYeapUzOO5ObzcSQeIWCpBlTdgkV+ZLhW/tLj BxIudZx1V4calJPDMJnBQFsQCjPpS08iB41C+j4sZyEM58T2x/B7Z3C4HOCGR7S5bxGj qOC47MWgTNxehGhaZx2QvnDocPAnYJQyzPM2ScUoJbNP2J5OtF6zNkdIKuT5gEYybpH4 ibQCy8u2Tu3G7LOfpdKetSpxarXtr71m02ahgt7XiXHDuhGwATMwssvvaKXIKe1Nzg79 bvjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707746091; x=1708350891; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6FGwgp937DsuMA/7j1yLSrvc1p1ozzllVCo70P99m10=; b=FrjaFGkpUxyQ6H7fSd51qDw995VYXEzrL8wh8NUGFTLhIJzLMVh7IAikEgGtJVoQmH 1dDx0tkcoQXv7vdkz+787HDNLUlg2nETSmpLcI64mcEFBc2y8fl/S6QtPgl0uLoMlILb TUH3S/1X1GvWLK81xk6PiHZM4SqvnG9/vWX8SknraasZDdF5PT82YHQt5BTfvNzU7zlk K9CUY06yfpoypBM+G8QtE9f8Ub5eBrmYxC/gk00ykkT0/3xRpB47Y6U88Qe2bFX2ISP+ GJVnJIsOlHIeuubHg3FWHQvxs/cqDdKWiM4iS5OhcS5q9RypduaCwVEzYMbxt8jW/TZk wXow== X-Gm-Message-State: AOJu0YzEi4fW2g3c4V69rpGA9eZLQNA0PZdw9in+i6LHKb8F4+/SAsk3 F9o6ur+cfPkL8qBNtJH0MM48k+sFrhaN7pqKpwVYifpZR9Saz8Fg73T5vBudo4D1SgyMl0ETpQ/ RCqI= X-Google-Smtp-Source: AGHT+IHExEGJiJ70puW1390FCeN8BfOa40ue3tOrWTLFYUm+dHkdDrBUhJToQXlLvOlX39lK2RlD7g== X-Received: by 2002:a05:6358:1202:b0:176:4f31:75de with SMTP id h2-20020a056358120200b001764f3175demr9079970rwi.6.1707746091568; Mon, 12 Feb 2024 05:54:51 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id k69-20020a638448000000b005dc421f8889sm439889pgd.26.2024.02.12.05.54.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 05:54:51 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/8] systemd: Only add myhostname to nsswitch.conf if in PACKAGECONFIG Date: Mon, 12 Feb 2024 03:54:17 -1000 Message-Id: <17e20ce90b5b3abb5a597d4a5b470c8eaa3fd296.1707745886.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 13:54:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195327 From: Jermain Horsman Currently myhostname is always added to nsswitch.conf even if it is not included in PACKAGECONFIG. This is based on changes made in OE-core rev: ba3a78c08cb0ce08afde049610d3172b9e3b0695 Cc: Chen Qi Signed-off-by: Jermain Horsman Signed-off-by: Steve Sakoman --- meta/recipes-core/systemd/systemd_250.5.bb | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/meta/recipes-core/systemd/systemd_250.5.bb b/meta/recipes-core/systemd/systemd_250.5.bb index 889473ee1f..80a797cf2c 100644 --- a/meta/recipes-core/systemd/systemd_250.5.bb +++ b/meta/recipes-core/systemd/systemd_250.5.bb @@ -776,15 +776,19 @@ ALTERNATIVE_LINK_NAME[runlevel] = "${base_sbindir}/runlevel" ALTERNATIVE_PRIORITY[runlevel] ?= "300" pkg_postinst:${PN}:libc-glibc () { - sed -e '/^hosts:/s/\s*\//' \ - -e 's/\(^hosts:.*\)\(\\)\(.*\)\(\\)\(.*\)/\1\2 myhostname \3\4\5/' \ - -i $D${sysconfdir}/nsswitch.conf + if ${@bb.utils.contains('PACKAGECONFIG', 'myhostname', 'true', 'false', d)}; then + sed -e '/^hosts:/s/\s*\//' \ + -e 's/\(^hosts:.*\)\(\\)\(.*\)\(\\)\(.*\)/\1\2 myhostname \3\4\5/' \ + -i $D${sysconfdir}/nsswitch.conf + fi } pkg_prerm:${PN}:libc-glibc () { - sed -e '/^hosts:/s/\s*\//' \ - -e '/^hosts:/s/\s*myhostname//' \ - -i $D${sysconfdir}/nsswitch.conf + if ${@bb.utils.contains('PACKAGECONFIG', 'myhostname', 'true', 'false', d)}; then + sed -e '/^hosts:/s/\s*\//' \ + -e '/^hosts:/s/\s*myhostname//' \ + -i $D${sysconfdir}/nsswitch.conf + fi } PACKAGE_WRITE_DEPS += "qemu-native" From patchwork Mon Feb 12 13:54:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 39200 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49EE9C4829B for ; Mon, 12 Feb 2024 13:54:59 +0000 (UTC) Received: from mail-ot1-f54.google.com (mail-ot1-f54.google.com [209.85.210.54]) by mx.groups.io with SMTP id smtpd.web11.6812.1707746094313449631 for ; Mon, 12 Feb 2024 05:54:54 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=3DUbO/Gp; spf=softfail (domain: sakoman.com, ip: 209.85.210.54, mailfrom: steve@sakoman.com) Received: by mail-ot1-f54.google.com with SMTP id 46e09a7af769-6e2dfaa93c5so545677a34.3 for ; Mon, 12 Feb 2024 05:54:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1707746093; x=1708350893; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=/u/Cmy71x+Ew3bBW7h41oOkK2HWNLgCKc4ifFchk1uU=; b=3DUbO/GpyzVHLAxFryAi+jljRyDC8qJ33K+bQfD2o+6ZgfYZH9Mr40otSCdDC0JsHR 1tEQiGB6Nip+VoFZMEdP7yYop8vIf/xPWNeNhM90mrHcYiH/UhZUygAvpT/mIHa840ZY tNrPFP8JHhv2O5c7s8Ub+mIwvddPN8/8fil0/LVg7Bq8dH+j7GYYvTfACfk91ZgiCJNl MwmkGxTYhziUONkSB/yz5YFTl0kHs4v0Yf+V34WmiEQXrQx9upSYa5jJ3Sg6jYNLcpj+ gk7FeweEKwAoAv3ZphVLTCbqGG99i/9vvVerahAU0KC86RM3kb3J9dBNYMMixnPX8I7w YdhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707746093; x=1708350893; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/u/Cmy71x+Ew3bBW7h41oOkK2HWNLgCKc4ifFchk1uU=; b=Q9AaeCLCqUGsWopPwFftQXlHdnJYiU7rWgJGIqc5DXhuXbsDt+3dPFvjmF9KkMDqoX ByAOyqkhEPTj+0JTuRtKv2dYWo61E2VJMHSQOlIJk4W8/Are9byIv+tJqzEJmcohEq8J vCz4cgm44KiwNXBLCltjB/9t1MHZWR1nik4gnvasVyJkh29NF5xZ9UA3Wx1ETOfPnUYD s7mSzSeqICUz3kVacc0Krs7YCqPDv2VNUO3QyZevoxjF3vowg/lM9yQBK+sFW9BCLjhZ kW97OFJJ4u/nJAKh6DpJqEngis2AqjK0uAYU6hK8Jj30hCzwTDLX7bDQNOn8RAkdWHqa VJxw== X-Gm-Message-State: AOJu0YzkvrzdBnCErKTN1ABzPXu3Ml1COmm2texKp+0EDvmreaIPuKbP r7gYcx65mLExp8k9LndEbzuIgR8s/RTjDXEukTF8aPE/dJnJXZJN1Xot063XAakSVLEic229cZm NGCw= X-Google-Smtp-Source: AGHT+IGOFoazf7my1d2PabWafF/acQkbfV3WSzFRupWKiZ9P9Z7ITVmQk9LH31/l0DiNZk/2xAJvKw== X-Received: by 2002:a05:6358:921a:b0:178:f497:ab3f with SMTP id d26-20020a056358921a00b00178f497ab3fmr4596901rwb.14.1707746093400; Mon, 12 Feb 2024 05:54:53 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id k69-20020a638448000000b005dc421f8889sm439889pgd.26.2024.02.12.05.54.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 05:54:53 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 7/8] kernel: fix localversion in v6.3+ Date: Mon, 12 Feb 2024 03:54:18 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 13:54:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195328 From: Bruce Ashfield During testing of the v6.4 reference kernel, it was noticed that on-target modules no longer matched the magic value of the running kernel. This was due to a different localversion in the cross built kernel and the scripts / resources created on target. This was due to changes in the setlocalversion script introduced in the v6.3 series. The .scmversion file is no longer used (or packaged) to inhibit the addition of a "+" (through querying of the git status of the kernel) or the setting of a local version. We recently introduced the KERNEL_LOCALVERSION variable to allow recipes to place a value in .scmversion, so we extend the use of that variable to kernel-arch.bbclass and use it to set the exported variable LOCALVERSION. We must do it at the kernel-arch level, as the variable must be exported in any kernel build to ensure that setlocalversion always correctly sets the localversion. Signed-off-by: Bruce Ashfield Signed-off-by: Richard Purdie Cherry-picked from master 765b13b7305c8d2f222cfc66d77c02e6a088c691 Signed-off-by: Andreas Helbech Kleist Signed-off-by: Steve Sakoman --- meta/classes/kernel-arch.bbclass | 7 +++++++ meta/classes/kernel.bbclass | 10 ++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/meta/classes/kernel-arch.bbclass b/meta/classes/kernel-arch.bbclass index 4cd08b96fb..0a79dea0af 100644 --- a/meta/classes/kernel-arch.bbclass +++ b/meta/classes/kernel-arch.bbclass @@ -66,3 +66,10 @@ KERNEL_LD = "${CCACHE}${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}" KERNEL_AR = "${CCACHE}${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}" TOOLCHAIN ?= "gcc" +# 6.3+ requires the variable LOCALVERSION to be set to not get a "+" in +# the local version. Having it empty means nothing will be added, and any +# value will be appended to the local kernel version. This replaces the +# use of .scmversion file for setting a localversion without using +# the CONFIG_LOCALVERSION option. +KERNEL_LOCALVERSION ??= "" +export LOCALVERSION ?= "${KERNEL_LOCALVERSION}" diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass index 5951347361..940f1a3cf4 100644 --- a/meta/classes/kernel.bbclass +++ b/meta/classes/kernel.bbclass @@ -418,7 +418,7 @@ do_compile_kernelmodules() { if (grep -q -i -e '^CONFIG_MODULES=y$' ${B}/.config); then oe_runmake -C ${B} ${PARALLEL_MAKE} modules ${KERNEL_EXTRA_ARGS} - # Module.symvers gets updated during the + # Module.symvers gets updated during the # building of the kernel modules. We need to # update this in the shared workdir since some # external kernel modules has a dependency on @@ -635,7 +635,13 @@ kernel_do_configure() { # $ scripts/setlocalversion . => + # $ make kernelversion => 2.6.37 # $ make kernelrelease => 2.6.37+ - touch ${B}/.scmversion ${S}/.scmversion + # See kernel-arch.bbclass for post v6.3 removal of the extra + # + in localversion. .scmversion is no longer used, and the + # variable LOCALVERSION must be used + if [ ! -e ${B}/.scmversion -a ! -e ${S}/.scmversion ]; then + echo ${KERNEL_LOCALVERSION} > ${B}/.scmversion + echo ${KERNEL_LOCALVERSION} > ${S}/.scmversion + fi if [ "${S}" != "${B}" ] && [ -f "${S}/.config" ] && [ ! -f "${B}/.config" ]; then mv "${S}/.config" "${B}/.config" From patchwork Mon Feb 12 13:54:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 39199 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5335CC48BC0 for ; Mon, 12 Feb 2024 13:54:59 +0000 (UTC) Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) by mx.groups.io with SMTP id smtpd.web11.6813.1707746095786396115 for ; Mon, 12 Feb 2024 05:54:55 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=BT05Ywfa; spf=softfail (domain: sakoman.com, ip: 209.85.210.173, mailfrom: steve@sakoman.com) Received: by mail-pf1-f173.google.com with SMTP id d2e1a72fcca58-6e0939748ecso2268157b3a.0 for ; Mon, 12 Feb 2024 05:54:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1707746095; x=1708350895; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=H05dsQvF5xuAcIGe+YfF6lte8hn1xuAVKbkR0iNWE9Y=; b=BT05YwfaVimfAZxafTNoN2LeHUxzfkjpJVXKQP9ZafyCpEneoEbk5W2TqAw0/E+eku WAQ9tLd0p56JiaE6J2wsaMRrtw+fsKK+6GAKFkMDaHtzF0eA/GXXcqZIz8/XTKQt2K1U TKiJWETrhdqAvsCEoo8GqcieAPzUbHMHadOgLs0vRgUmffT5MtfvpCQSHdLqHVz6QgCj ZJ9S/++UcigaGW2SD3SPWTfsKt0lZRXrimJcmulManmOrmW5mCoZyCDBRW3EimGiE3hh m0HQUoVYFX1ycCqUcP2WbJoppRE0lg81l4JQ2VyyuucOBO1dl8fuj5BwBCFLo/GDMDBt QEIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707746095; x=1708350895; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=H05dsQvF5xuAcIGe+YfF6lte8hn1xuAVKbkR0iNWE9Y=; b=E7LuKvx4KjHCBRdV8jpIeMMqrY9l1SdTkwQmGLVxIJp255kt8J/7Owz8Q3Z83sS+rK Y74wW7uZ/f+MQpbXGNhcG0sAnLJuKwPlel9I4beHB+5BZq2fYnKzMbilZqJd8c948taQ 9LpF4pydbczT3ZBVofueHmbWxKYrZFFVsU/XgwMBz61lpoD+cKmPj8/N2bFXafqfOMeQ noEyynbVan1/ntlnxnv7BHJ/q31pvwRqS79DPxuNmzXKRD7q2OoApII8f/jEVx1nr7MR LPwX/QX/ZSf3aaOPvOIdTDU5qfpVuYsSCkoJraa0TO997t9nItPW2OZ4oHCkfZkRBjen P38Q== X-Gm-Message-State: AOJu0YwMWRM7/+68fd1NPNwC8dGz60WULJhevDBKorREVw8QjEXAVzI4 PSLRXqsbmZHFaqpMzDyHPyHd+Aejf4WSxf24dj7xiq50iz8xwcaaLyYzI17maOrrnJfj4jrqvCy QLTg= X-Google-Smtp-Source: AGHT+IGzLZ+pvRoMQcSB4GV7NlSxcqL2gFpi7X6EpRDhF/l2e1xx+kMwWMufsVKxV6HjxZTcs1XcKQ== X-Received: by 2002:a05:6a00:2fc3:b0:6de:5e6:8ade with SMTP id fn3-20020a056a002fc300b006de05e68ademr7072101pfb.24.1707746095051; Mon, 12 Feb 2024 05:54:55 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id k69-20020a638448000000b005dc421f8889sm439889pgd.26.2024.02.12.05.54.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 05:54:54 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 8/8] ghostscript: correct LICENSE with AGPLv3 Date: Mon, 12 Feb 2024 03:54:19 -1000 Message-Id: <8e192a2e0c2fdad18ea4c08774493225f31931a0.1707745886.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 12 Feb 2024 13:54:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/195329 From: Kai Kang The license of ghostscript has switched to Affero GPL since version 9.07 via commit: * 3cc5318 Switch Ghostscript/GhostPDL to Affero GPL https://github.com/ArtifexSoftware/ghostpdl/commit/3cc5318 Correct it with `AGPL-3.0-or-later`. Signed-off-by: Kai Kang Signed-off-by: Steve Sakoman --- meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index e0d1e4618f..e99c740685 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -10,7 +10,7 @@ dot-matrix, inkjet and laser models. \ HOMEPAGE = "http://www.ghostscript.com" SECTION = "console/utils" -LICENSE = "GPL-3.0-only" +LICENSE = "AGPL-3.0-or-later" LIC_FILES_CHKSUM = "file://LICENSE;md5=f98ffa763e50cded76f49bce73aade16" DEPENDS = "ghostscript-native tiff jpeg fontconfig cups libpng"