author | Armin Kuster <akuster@mvista.com> | 2021-01-12 16:58:32 -0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-01-12 17:01:26 -0800 |
commit | 7b55e1ec32ae91faacfa855d10f871e2ccab187c (patch) | |
tree | b85ee3656a9b26aa9337158b3f92c80fa883731c | |
parent | 0d766834161339625ccd9f7c74b8f672aa030d3d (diff) | |
download | meta-openembedded-7b55e1ec32ae91faacfa855d10f871e2ccab187c.tar.gz |
nss: Security fix CVE-2020-12401
Source: Mozilla.org
MR: 106876
Type: Security Fix
Disposition: Backport from https://hg.mozilla.org/projects/nss/raw-rev/aeb2e583ee957a699d949009c7ba37af76515c20
ChangeID: a61d4926f8ab5afc54c23e58cd86b4a7609c9708
Description:
Fixes CVE-2020-12401
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch | 52 |
-rw-r--r-- | meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch new file mode 100644 index 0000000000..e67926fe50 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch 
@@ -0,0 +1,52 @@ +# HG changeset patch +# User Billy Brumley <bbrumley@gmail.com> +# Date 1595283525 0 +# Node ID aeb2e583ee957a699d949009c7ba37af76515c20 +# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6 +Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche + +Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding. + +Timing attack countermeasures are now applied more generally deeper in +the call stack. + +Differential Revision: https://phabricator.services.mozilla.com/D82011 + + +Upstream-Status: Backport + +CVE: CVE-2020-1240 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: nss-3.51.1/nss/lib/freebl/ec.c +=================================================================== +--- nss-3.51.1.orig/nss/lib/freebl/ec.c ++++ nss-3.51.1/nss/lib/freebl/ec.c +@@ -724,27 +724,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k + } + + /* +- ** We do not want timing information to leak the length of k, +- ** so we compute k*G using an equivalent scalar of fixed +- ** bit-length. +- ** Fix based on patch for ECDSA timing attack in the paper +- ** by Billy Bob Brumley and Nicola Tuveri at +- ** http://eprint.iacr.org/2011/232 +- ** +- ** How do we convert k to a value of a fixed bit-length? +- ** k starts off as an integer satisfying 0 <= k < n. Hence, +- ** n <= k+n < 2n, which means k+n has either the same number +- ** of bits as n or one more bit than n. If k+n has the same +- ** number of bits as n, the second addition ensures that the +- ** final value has exactly one more bit than n. Thus, we +- ** always end up with a value that exactly one more bit than n. +- */ +- CHECK_MPI_OK(mp_add(&k, &n, &k)); +- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) { +- CHECK_MPI_OK(mp_add(&k, &n, &k)); +- } +- +- /* + ** ANSI X9.62, Section 5.3.2, Step 2 + ** + ** Compute kG diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb index c00bd34cb2..3e3c3a3fdf 100644 
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb @@ -35,6 +35,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://riscv.patch \ file://0001-Enable-uint128-on-mips64.patch \ file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \ + file://CVE-2020-12401.patch \ " SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233" |
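Review bot: The `CVE:` tag in the header of the new CVE-2020-12401.patch reads `CVE-2020-1240`, which is missing the final digit and does not match the commit subject or the patch file name. Anything that reads the CVE tag from the patch header will record the wrong identifier, so the line should be `CVE: CVE-2020-12401`.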
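Review bot: In the ec.c hunk at ECDSA_SignDigestWithSeed, the removed `CHECK_MPI_OK(mp_add(&k, &n, &k));` block was the fixed-bit-length countermeasure for k, and the upstream message justifies dropping it because the countermeasures are "now applied more generally deeper in the call stack". Nothing visible in this backport shows that nss 3.51.1 already carries that deeper change in ECPoint_mul / ECPoints_mul. Please name the change that provides it in the patch header or the commit Description (which currently only says "Fixes CVE-2020-12401"), and make sure it is applied ahead of this patch in SRC_URI if it is not already in the 3.51.1 sources. Otherwise k*G is computed here without the length-hiding step the removed comment describes.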