Hello community, here is the log from the commit of package libgcrypt for openSUSE:Leap:15.2 checked in at 2020-05-12 11:31:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/libgcrypt (Old) and /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgcrypt" Tue May 12 11:31:51 2020 rev:45 rq:801282 version:1.8.2 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/libgcrypt/libgcrypt.changes 2020-05-04 08:22:18.676320007 +0200 +++ /work/SRC/openSUSE:Leap:15.2/.libgcrypt.new.2738/libgcrypt.changes 2020-05-12 11:32:07.227709086 +0200 @@ -1,0 +2,11 @@ +Mon Apr 27 08:55:12 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- FIPS: libgcrypt: Double free in test_keys() on failed signature + verification [bsc#1169944] + * Use safer gcry_mpi_release() instead of mpi_free() +- Update patches: + * libgcrypt-PCT-DSA.patch + * libgcrypt-PCT-RSA.patch + * libgcrypt-PCT-ECC.patch + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libgcrypt.spec ++++++ --- /var/tmp/diff_new_pack.ReYxTO/_old 2020-05-12 11:32:08.223711179 +0200 +++ /var/tmp/diff_new_pack.ReYxTO/_new 2020-05-12 11:32:08.227711187 +0200 @@ -139,7 +139,7 @@ Requires: %{libsoname} = %{version} Requires: glibc-devel Requires: libgpg-error-devel >= 1.13 -#Requires(post): %{install_info_prereq} +Requires(post): %{install_info_prereq} %description devel Libgcrypt is a general purpose library of cryptographic building ++++++ libgcrypt-PCT-DSA.patch ++++++ --- /var/tmp/diff_new_pack.ReYxTO/_old 2020-05-12 11:32:08.367711481 +0200 +++ /var/tmp/diff_new_pack.ReYxTO/_new 2020-05-12 11:32:08.367711481 +0200 @@ -2,7 +2,7 @@ =================================================================== --- libgcrypt-1.8.2.orig/cipher/dsa.c +++ libgcrypt-1.8.2/cipher/dsa.c -@@ -181,24 +181,88 @@ test_keys (DSA_secret_key *sk, unsigned +@@ -181,24 +181,91 @@ test_keys (DSA_secret_key *sk, unsigned /* Create a random plaintext. */ _gcry_mpi_randomize (data, qbits, GCRY_WEAK_RANDOM); 
@@ -16,6 +16,8 @@ + gcry_sexp_t r_sig = NULL; + gcry_sexp_t s_hash = NULL; + gcry_md_hd_t hd = NULL; ++ gcry_mpi_t r_sig_mpi = NULL; ++ gcry_mpi_t s_sig_mpi = NULL; + unsigned char *buf = NULL; + size_t buflen; + @@ -28,6 +30,8 @@ + _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, data); + _gcry_md_write (hd, buf, buflen); + ++ xfree (buf); ++ + /* build DSA private key sexp in s_skey */ + sexp_build (&s_skey, NULL, "(private-key (dsa(p %m)(q %m)(g %m)(y %m)(x %m)))", + sk->p, sk->q, sk->g, sk->y, sk->x); @@ -39,8 +43,6 @@ + } + + /* Check that the signature and the original plaintext differ. */ -+ gcry_mpi_t r_sig_mpi = NULL; -+ gcry_mpi_t s_sig_mpi = NULL; + if (_gcry_sexp_extract_param (r_sig, NULL, "rs", &r_sig_mpi, &s_sig_mpi, NULL)) + { + log_debug ("extracting signature data failed\n"); @@ -55,7 +57,6 @@ + + _gcry_sexp_release (s_hash); + _gcry_md_close (hd); -+ xfree (buf); + + /* build DSA public key sexp in s_pkey */ + sexp_build (&s_pkey, NULL, "(public-key (dsa(p %m)(q %m)(g %m)(y %m)))", @@ -68,6 +69,8 @@ + _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, data); + _gcry_md_write (hd, buf, buflen); + ++ xfree (buf); ++ + /* verify the signature */ + if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey)) + { @@ -91,14 +94,14 @@ _gcry_mpi_release (sig_b); _gcry_mpi_release (sig_a); _gcry_mpi_release (data); ++ + _gcry_sexp_release (s_skey); + _gcry_sexp_release (s_pkey); + _gcry_sexp_release (s_hash); + _gcry_sexp_release (r_sig); -+ mpi_free (r_sig_mpi); -+ mpi_free (s_sig_mpi); ++ _gcry_mpi_release (r_sig_mpi); ++ _gcry_mpi_release (s_sig_mpi); + _gcry_md_close (hd); -+ xfree (buf); + return result; } ++++++ libgcrypt-PCT-ECC.patch ++++++ --- /var/tmp/diff_new_pack.ReYxTO/_old 2020-05-12 11:32:08.379711506 +0200 +++ /var/tmp/diff_new_pack.ReYxTO/_new 2020-05-12 11:32:08.379711506 +0200 
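Review bot: The result of `_gcry_mpi_aprint` is still ignored in the hunk at `@@ -28,6 +30,8 @@`, and `buflen` is declared without an initialiser, so a failed call would pass a NULL `buf` and an indeterminate length to `_gcry_md_write`. Because `buf` is not reset after the new `xfree (buf)`, a failure of the second `_gcry_mpi_aprint` (`@@ -68,6 +69,8 @@`) would, if it leaves `buf` untouched, hash and then free the already-freed pointer. I would check the return value and jump to the cleanup code on error, and write `xfree (buf); buf = NULL;` at both places. The same unchecked call appears in the ECC and RSA patches, and the function body extends outside these hunks.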
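Review bot: `s_hash` and `hd` are released in the middle of test_keys (`@@ -55,7 +57,6 @@`) and released again in the cleanup block at `@@ -91,14 +94,14 @@` without being reset in between, which is the class of bug this update is meant to close (bsc#1169944). This is only safe if both are reassigned before any jump to the cleanup code; the lines that rebuild them are not visible here, and the `sexp_build` results are unchecked. Adding `s_hash = NULL;` and `hd = NULL;` right after the early release makes the cleanup path safe regardless. The RSA patch has the same early release ahead of its `leave_hash:` label.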
@@ -70,7 +70,7 @@ ECC_public_key pk; gcry_mpi_t test = mpi_new (nbits); mpi_point_struct R_; -@@ -297,17 +310,149 @@ test_keys (ECC_secret_key *sk, unsigned +@@ -297,17 +310,161 @@ test_keys (ECC_secret_key *sk, unsigned _gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM); @@ -79,21 +79,25 @@ + /* Use the gcry_pk_sign_md API in order to comply with FIPS 140-2, + * which requires full signature operation for PCT (hashing + + * asymmetric operation). */ ++ gcry_sexp_t r_sig = NULL; ++ gcry_sexp_t s_skey = NULL; ++ gcry_sexp_t s_pkey = NULL; ++ gcry_sexp_t s_hash = NULL; ++ gcry_mpi_t s_sig_mpi = NULL; + gcry_md_hd_t hd = NULL; + unsigned char *buf = NULL; + size_t buflen; ++ mpi_ec_t ctx; ++ int flags = 0; ++ + if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0)) + log_debug ("gcry_pk_sign failed: _gcry_md_open\n"); + + _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, test); + _gcry_md_write (hd, buf, buflen); + -+ mpi_ec_t ctx; -+ int flags = 0; -+ gcry_sexp_t r_sig = NULL; -+ gcry_sexp_t s_hash = NULL; -+ gcry_sexp_t s_pkey = NULL; -+ gcry_sexp_t s_skey = NULL; ++ xfree (buf); ++ + sexp_build (&s_hash, NULL, "(data (flags rfc6979)(hash-algo sha256))"); + + /* Assemble the point Q from affine coordinates by simple @@ -145,9 +149,16 @@ + memcpy (q + 1 + rawqxlen, rawqy, rawqylen); + qlen = 1 + rawqxlen + rawqylen; + ++ _gcry_mpi_release (Qx); ++ _gcry_mpi_release (Qy); ++ xfree (rawqx); ++ xfree (rawqy); + +- if (_gcry_ecc_ecdsa_verify (test, &pk, r, s)) + /* build ECC private key sexp in s_skey */ + if (sk->E.name) -+ { + { +- log_fatal ("ECDSA operation: sign, verify failed\n"); + if (sexp_build (&s_skey, NULL, + "(private-key (ecc (curve %s)(d %m)(q %b)))", + sk->E.name, sk->d, qlen, q)) @@ -170,7 +181,6 @@ + } + + /* Check that the signature and the original test differ. */ -+ gcry_mpi_t s_sig_mpi = NULL; + if (_gcry_sexp_extract_param (r_sig, NULL, "s", &s_sig_mpi, NULL)) + { + log_debug ("extracting signature data failed\n"); 
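Review bot: A failed `_gcry_md_open` is only logged in the hunk at `@@ -79,21 +79,25 @@`, so execution falls through to `_gcry_md_write (hd, buf, buflen)` with `hd` still NULL. The RSA patch jumps to its cleanup label in the same situation; the ECC code should do likewise by bracing the branch and adding `goto leave;` after the `log_debug`. The second open before verification (`@@ -200,17 +210,19 @@`) has the same gap. The rest of test_keys, including the `leave:` label, lies outside this hunk.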
@@ -200,17 +210,19 @@ + log_debug ("ecc: Failed to build sexp for private key.\n"); + } + ++ _gcry_md_close (hd); ++ + if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0)) + log_debug ("gcry_pk_verify failed: _gcry_md_open\n"); + + _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, test); + _gcry_md_write (hd, buf, buflen); - -- if (_gcry_ecc_ecdsa_verify (test, &pk, r, s)) ++ ++ xfree (buf); ++ + /* verify the signature */ + if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey)) - { -- log_fatal ("ECDSA operation: sign, verify failed\n"); ++ { + log_debug ("ecc: gcry_pk_verify failed\n"); + goto leave; /* Signature does not match. */ } @@ -220,26 +232,22 @@ + result = 0; /* The test succeeded. */ + -+leave: ++ leave: point_free (&pk.Q); _gcry_ecc_curve_free (&pk.E); -@@ -317,6 +462,20 @@ test_keys (ECC_secret_key *sk, unsigned +@@ -317,6 +474,16 @@ test_keys (ECC_secret_key *sk, unsigned mpi_free (out); mpi_free (c); mpi_free (test); ++ ++ _gcry_sexp_release (r_sig); + _gcry_sexp_release (s_skey); + _gcry_sexp_release (s_pkey); + _gcry_sexp_release (s_hash); -+ _gcry_sexp_release (r_sig); ++ _gcry_mpi_release (s_sig_mpi); + _gcry_md_close (hd); -+ mpi_free (Qx); -+ mpi_free (Qy); -+ mpi_free (s_sig_mpi); -+ xfree (buf); + xfree (ctx); -+ xfree (rawqx); -+ xfree (rawqy); + + return result; } ++++++ libgcrypt-PCT-RSA.patch ++++++ --- /var/tmp/diff_new_pack.ReYxTO/_old 2020-05-12 11:32:08.391711532 +0200 +++ /var/tmp/diff_new_pack.ReYxTO/_new 2020-05-12 11:32:08.391711532 +0200 @@ -2,7 +2,7 @@ =================================================================== --- libgcrypt-1.8.2.orig/cipher/rsa.c +++ libgcrypt-1.8.2/cipher/rsa.c -@@ -159,19 +159,73 @@ test_keys (RSA_secret_key *sk, unsigned +@@ -159,27 +159,93 @@ test_keys (RSA_secret_key *sk, unsigned /* Create another random plaintext as data for signature checking. */ _gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM); 
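Review bot: `xfree (ctx)` in the cleanup block of `@@ -220,26 +232,22 @@` acts on a variable that the earlier hunk declares as `mpi_ec_t ctx;` with no initialiser, unlike every other resource released here. If any `goto leave` can run before `ctx` is assigned (the assignment is outside the visible hunks), this frees an indeterminate pointer; declaring it as `mpi_ec_t ctx = NULL;` removes that risk. It is also worth confirming that plain `xfree` is the right release for an EC context rather than `_gcry_mpi_ec_free (ctx)`, since how `ctx` is allocated is not shown.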
@@ -16,6 +16,7 @@ + gcry_sexp_t r_sig = NULL; + gcry_sexp_t s_hash = NULL; + gcry_md_hd_t hd = NULL; ++ gcry_mpi_t r_sig_mpi = NULL; + unsigned char *buf = NULL; + size_t buflen; @@ -32,12 +33,14 @@ + if (_gcry_md_open (&hd, GCRY_MD_SHA256, 0)) + { + log_debug ("gcry_pk_sign failed\n"); -+ goto leave; ++ goto leave_hash; + } + + _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, plaintext); + _gcry_md_write (hd, buf, buflen); + ++ xfree (buf); ++ + /* build RSA private key sexp in s_skey */ + sexp_build (&s_skey, NULL, + "(private-key (rsa(n %m)(e %m)(d %m)(p %m)(q %m)))", @@ -48,26 +51,24 @@ + if (_gcry_pk_sign_md (&r_sig, hd, s_hash, s_skey)) + { + log_debug ("gcry_pk_sign failed\n"); -+ goto leave; ++ goto leave_hash; + } + + /* Check that the signature and the original plaintext differ. */ -+ gcry_mpi_t r_sig_mpi = NULL; + if (_gcry_sexp_extract_param (r_sig, "sig-val!rsa", "s", &r_sig_mpi, NULL)) + { + log_debug ("extracting signature data failed\n"); -+ goto leave; ++ goto leave_hash; + } + + if (!mpi_cmp (r_sig_mpi, plaintext)) + { + log_debug ("Signature failed\n"); -+ goto leave; /* Signature and plaintext match but should not. */ ++ goto leave_hash; /* Signature and plaintext match but should not. */ + } + + _gcry_sexp_release (s_hash); + _gcry_md_close (hd); -+ xfree (buf); + + /* build RSA public key sexp in s_pkey */ + sexp_build (&s_pkey, NULL, "(public-key (rsa(n %m)(e %m)))", pk.n, pk.e); 
@@ -79,29 +80,35 @@ + _gcry_mpi_aprint (GCRYMPI_FMT_STD, &buf, &buflen, plaintext); + _gcry_md_write (hd, buf, buflen); + ++ xfree (buf); ++ + /* verify the signature */ + if (_gcry_pk_verify_md (r_sig, hd, s_hash, s_pkey)) + { + log_debug ("gcry_pk_verify failed\n"); -+ goto leave; /* Signature does not match. */ ++ goto leave_hash; /* Signature does not match. */ + } result = 0; /* All tests succeeded. */ -@@ -180,6 +234,12 @@ test_keys (RSA_secret_key *sk, unsigned - _gcry_mpi_release (decr_plaintext); - _gcry_mpi_release (ciphertext); - _gcry_mpi_release (plaintext); ++ leave_hash: + _gcry_sexp_release (s_skey); + _gcry_sexp_release (s_pkey); + _gcry_sexp_release (s_hash); + _gcry_sexp_release (r_sig); + _gcry_md_close (hd); -+ mpi_free (r_sig_mpi); ++ _gcry_mpi_release (r_sig_mpi); ++ + leave: + _gcry_mpi_release (signature); + _gcry_mpi_release (decr_plaintext); + _gcry_mpi_release (ciphertext); + _gcry_mpi_release (plaintext); ++ return result; } -@@ -1903,7 +1963,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc +@@ -1903,7 +1969,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gc /* This sexp trickery is to prevent the use of blinding. * The flag doesn't get inherited by encr, so we have to * derive a new sexp from the ciphertext */
