[OE-core][dunfell 4/8] gnutls: Backport fix for CVE-2024-0553

Fri, 26 Jan 2024 06:21:11 -0800 

From: Vijay Anusuri <vanus...@mvista.com>

CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed 
ciphertexts in RSA-PSK ClientKeyExchange differ from response times of 
ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote 
attacker to perform a timing side-channel attack in the RSA-PSK key exchange, 
potentially leading to the leakage of sensitive data. CVE-2024-0553 is 
designated as an incomplete resolution for CVE-2023-5981.

Upstream-Status: Backport 
[https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]

Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
 .../gnutls/gnutls/CVE-2024-0553.patch         | 125 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 2 files changed, 126 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch 
b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
new file mode 100644
index 0000000000..f15c470879
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <u...@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <u...@gnu.org>
+
+Upstream-Status: Backport 
[https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri <vanus...@mvista.com>
+---
+ lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, 
uint8_t * data,
+       int ret, dsize;
+       ssize_t data_size = _data_size;
+       gnutls_psk_server_credentials_t cred;
+-      gnutls_datum_t premaster_secret = { NULL, 0 };
+       volatile uint8_t ver_maj, ver_min;
+ 
+       cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, 
uint8_t * data,
+       ver_maj = _gnutls_get_adv_version_major(session);
+       ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-      premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-      if (premaster_secret.data == NULL) {
++      /* Find the key of this username. A random value will be
++       * filled in if the key is not found.
++       */
++      ret = _gnutls_psk_pwd_find_entry(session, info->username,
++                                       strlen(info->username), &pwd_psk);
++      if (ret < 0)
++              return gnutls_assert_val(ret);
++
++      /* Allocate memory for premaster secret, and fill in the
++       * fields except the decryption result.
++       */
++      session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++      session->key.key.data = gnutls_malloc(session->key.key.size);
++      if (session->key.key.data == NULL) {
+               gnutls_assert();
++              _gnutls_free_key_datum(&pwd_psk);
++              /* No need to zeroize, as the secret is not copied in yet */
++              _gnutls_free_datum(&session->key.key);
+               return GNUTLS_E_MEMORY_ERROR;
+       }
+-      premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+       /* Fallback value when decryption fails. Needs to be unpredictable. */
+-      ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-                       premaster_secret.size);
++      ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++                       GNUTLS_MASTER_SIZE);
+       if (ret < 0) {
+               gnutls_assert();
+-              goto cleanup;
++              _gnutls_free_key_datum(&pwd_psk);
++              /* No need to zeroize, as the secret is not copied in yet */
++              _gnutls_free_datum(&session->key.key);
++              return ret;
+       }
+ 
++      _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++      _gnutls_write_uint16(pwd_psk.size,
++                           &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
++      memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
++             pwd_psk.size);
++      _gnutls_free_key_datum(&pwd_psk);
++
+       gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+-                                   &ciphertext, premaster_secret.data,
+-                                   premaster_secret.size);
++                                   &ciphertext, session->key.key.data + 2,
++                                   GNUTLS_MASTER_SIZE);
+       /* After this point, any conditional on failure that cause differences
+        * in execution may create a timing or cache access pattern side
+        * channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, 
uint8_t * data,
+       /* This is here to avoid the version check attack
+        * discussed above.
+        */
+-      premaster_secret.data[0] = ver_maj;
+-      premaster_secret.data[1] = ver_min;
++      session->key.key.data[2] = ver_maj;
++      session->key.key.data[3] = ver_min;
+ 
+-      /* find the key of this username
+-       */
+-      ret =
+-          _gnutls_psk_pwd_find_entry(session, info->username, 
strlen(info->username), &pwd_psk);
+-      if (ret < 0) {
+-              gnutls_assert();
+-              goto cleanup;
+-      }
+-
+-      ret =
+-          set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+-      if (ret < 0) {
+-              gnutls_assert();
+-              goto cleanup;
+-      }
+-
+-      ret = 0;
+-      cleanup:
+-      _gnutls_free_key_datum(&pwd_psk);
+-      _gnutls_free_temp_key_datum(&premaster_secret);
+-
+-      return ret;
++      return 0;
+ }
+ 
+ static int
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb 
b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index 406f0b54c5..a1451daf2c 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -29,6 +29,7 @@ SRC_URI = 
"https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2021-4209.patch \
            file://CVE-2023-0361.patch \
            file://CVE-2023-5981.patch \
+           file://CVE-2024-0553.patch \
 "
 
 SRC_URI[sha256sum] = 
"5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194378): 
https://lists.openembedded.org/g/openembedded-core/message/194378
Mute This Topic: https://lists.openembedded.org/mt/103976673/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to