mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
nss: Security fix CVE-2020-12401
Source: Mozilla.org MR: 106876 Type: Security Fix Disposition: Backport from https://hg.mozilla.org/projects/nss/raw-rev/aeb2e583ee957a699d949009c7ba37af76515c20 ChangeID: a61d4926f8ab5afc54c23e58cd86b4a7609c9708 Description: Fixes CVE-2020-12401 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
0d76683416
commit
7b55e1ec32
@@ -0,0 +1,52 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# User Billy Brumley <bbrumley@gmail.com>
|
||||||
|
# Date 1595283525 0
|
||||||
|
# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
|
||||||
|
# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
|
||||||
|
Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
|
||||||
|
|
||||||
|
Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
|
||||||
|
|
||||||
|
Timing attack countermeasures are now applied more generally deeper in
|
||||||
|
the call stack.
|
||||||
|
|
||||||
|
Differential Revision: https://phabricator.services.mozilla.com/D82011
|
||||||
|
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
|
||||||
|
CVE: CVE-2020-1240
|
||||||
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||||
|
|
||||||
|
Index: nss-3.51.1/nss/lib/freebl/ec.c
|
||||||
|
===================================================================
|
||||||
|
--- nss-3.51.1.orig/nss/lib/freebl/ec.c
|
||||||
|
+++ nss-3.51.1/nss/lib/freebl/ec.c
|
||||||
|
@@ -724,27 +724,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
- ** We do not want timing information to leak the length of k,
|
||||||
|
- ** so we compute k*G using an equivalent scalar of fixed
|
||||||
|
- ** bit-length.
|
||||||
|
- ** Fix based on patch for ECDSA timing attack in the paper
|
||||||
|
- ** by Billy Bob Brumley and Nicola Tuveri at
|
||||||
|
- ** http://eprint.iacr.org/2011/232
|
||||||
|
- **
|
||||||
|
- ** How do we convert k to a value of a fixed bit-length?
|
||||||
|
- ** k starts off as an integer satisfying 0 <= k < n. Hence,
|
||||||
|
- ** n <= k+n < 2n, which means k+n has either the same number
|
||||||
|
- ** of bits as n or one more bit than n. If k+n has the same
|
||||||
|
- ** number of bits as n, the second addition ensures that the
|
||||||
|
- ** final value has exactly one more bit than n. Thus, we
|
||||||
|
- ** always end up with a value that exactly one more bit than n.
|
||||||
|
- */
|
||||||
|
- CHECK_MPI_OK(mp_add(&k, &n, &k));
|
||||||
|
- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
|
||||||
|
- CHECK_MPI_OK(mp_add(&k, &n, &k));
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
** ANSI X9.62, Section 5.3.2, Step 2
|
||||||
|
**
|
||||||
|
** Compute kG
|
||||||
@@ -35,6 +35,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
|
|||||||
file://riscv.patch \
|
file://riscv.patch \
|
||||||
file://0001-Enable-uint128-on-mips64.patch \
|
file://0001-Enable-uint128-on-mips64.patch \
|
||||||
file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
|
file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
|
||||||
|
file://CVE-2020-12401.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
|
SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
|
||||||
|
|||||||
Reference in New Issue
Block a user