dev-libs/openssl: add patch for CVE-2018-0734

Package-Manager: Portage-2.3.51, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

2 files changed, 132 insertions, 0 deletions

diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch
new file mode 100644
index 000000000000..47b082f4085f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch
@@ -0,0 +1,131 @@
+CVE-2018-0734
+https://github.com/openssl/openssl/commit/415c33563528667868c3c653a612e6fc8736fd79
+https://github.com/openssl/openssl/commit/ef11e19d1365eea2b1851e6f540a0bf365d303e7
+
+--- a/crypto/dsa/dsa_ossl.c
++++ b/crypto/dsa/dsa_ossl.c
+@@ -11,6 +11,7 @@
+ 
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
++#include "internal/bn_int.h"
+ #include <openssl/bn.h>
+ #include <openssl/sha.h>
+ #include "dsa_locl.h"
+@@ -25,6 +26,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
+                          DSA_SIG *sig, DSA *dsa);
+ static int dsa_init(DSA *dsa);
+ static int dsa_finish(DSA *dsa);
++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
++                                      BN_CTX *ctx);
+ 
+ static DSA_METHOD openssl_dsa_meth = {
+     "OpenSSL DSA method",
+@@ -180,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ {
+     BN_CTX *ctx = NULL;
+     BIGNUM *k, *kinv = NULL, *r = *rp;
+-    BIGNUM *l, *m;
++    BIGNUM *l;
+     int ret = 0;
+-    int q_bits;
++    int q_bits, q_words;
+ 
+     if (!dsa->p || !dsa->q || !dsa->g) {
+         DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
+@@ -191,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ 
+     k = BN_new();
+     l = BN_new();
+-    m = BN_new();
+-    if (k == NULL || l == NULL || m == NULL)
++    if (k == NULL || l == NULL)
+         goto err;
+ 
+     if (ctx_in == NULL) {
+@@ -203,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ 
+     /* Preallocate space */
+     q_bits = BN_num_bits(dsa->q);
+-    if (!BN_set_bit(k, q_bits)
+-        || !BN_set_bit(l, q_bits)
+-        || !BN_set_bit(m, q_bits))
++    q_words = bn_get_top(dsa->q);
++    if (!bn_wexpand(k, q_words + 2)
++        || !bn_wexpand(l, q_words + 2))
+         goto err;
+ 
+     /* Get random k */
+@@ -240,14 +242,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+      * small timing information leakage.  We then choose the sum that is
+      * one bit longer than the modulus.
+      *
+-     * TODO: revisit the BN_copy aiming for a memory access agnostic
+-     * conditional copy.
++     * There are some concerns about the efficacy of doing this.  More
++     * specificly refer to the discussion starting with:
++     *     https://github.com/openssl/openssl/pull/7486#discussion_r228323705
++     * The fix is to rework BN so these gymnastics aren't required.
+      */
+     if (!BN_add(l, k, dsa->q)
+-        || !BN_add(m, l, dsa->q)
+-        || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
++        || !BN_add(k, l, dsa->q))
+         goto err;
+ 
++    BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
++
+     if ((dsa)->meth->bn_mod_exp != NULL) {
+             if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
+                                        dsa->method_mont_p))
+@@ -260,8 +265,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+     if (!BN_mod(r, r, dsa->q, ctx))
+         goto err;
+ 
+-    /* Compute  part of 's = inv(k) (m + xr) mod q' */
+-    if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
++    /* Compute part of 's = inv(k) (m + xr) mod q' */
++    if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
+         goto err;
+ 
+     BN_clear_free(*kinvp);
+@@ -275,7 +280,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+         BN_CTX_free(ctx);
+     BN_clear_free(k);
+     BN_clear_free(l);
+-    BN_clear_free(m);
+     return ret;
+ }
+ 
+@@ -395,3 +399,31 @@ static int dsa_finish(DSA *dsa)
+     BN_MONT_CTX_free(dsa->method_mont_p);
+     return (1);
+ }
++
++/*
++ * Compute the inverse of k modulo q.
++ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
++ * mod-exp operation.  Both the exponent and modulus are public information
++ * so a mod-exp that doesn't leak the base is sufficient.  A newly allocated
++ * BIGNUM is returned which the caller must free.
++ */
++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
++                                      BN_CTX *ctx)
++{
++    BIGNUM *res = NULL;
++    BIGNUM *r, *e;
++
++    if ((r = BN_new()) == NULL)
++        return NULL;
++
++    BN_CTX_start(ctx);
++    if ((e = BN_CTX_get(ctx)) != NULL
++            && BN_set_word(r, 2)
++            && BN_sub(e, q, r)
++            && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
++        res = r;
++    else
++        BN_free(r);
++    BN_CTX_end(ctx);
++    return res;
++}
diff --git a/dev-libs/openssl/openssl-1.1.0i-r1.ebuild b/dev-libs/openssl/openssl-1.1.0i-r2.ebuild
index 4cc9eb656d0e..f38621117297 100644
--- a/dev-libs/openssl/openssl-1.1.0i-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0i-r2.ebuild
@@ -56,6 +56,7 @@ MULTILIB_WRAPPED_HEADERS=(
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+	"${FILESDIR}"/${P}-CVE-2018-0734.patch
 	"${FILESDIR}"/${P}-CVE-2018-0735.patch
 )