Merge pull request from GHSA-xqhj-fmc7-f8mv
ecdsautils: verify: fix signature verification (CVE-2022-24884)
Showing
7 changed files
with
108 additions
and
13 deletions.
73 changes: 73 additions & 0 deletions
73
.../packages/packages/0004-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
From: Matthias Schiffer <mschiffer@universe-factory.net> | ||
Date: Wed, 27 Apr 2022 19:01:39 +0200 | ||
Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884) | ||
|
||
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> | ||
|
||
diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile | ||
index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644 | ||
--- a/utils/ecdsautils/Makefile | ||
+++ b/utils/ecdsautils/Makefile | ||
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk | ||
|
||
PKG_NAME:=ecdsautils | ||
PKG_VERSION:=0.3.2.20160630 | ||
-PKG_RELEASE:=1 | ||
+PKG_RELEASE:=2 | ||
PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46 | ||
PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net> | ||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz | ||
diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch | ||
new file mode 100644 | ||
index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba | ||
--- /dev/null | ||
+++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch | ||
@@ -0,0 +1,48 @@ | ||
+From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001 | ||
+Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net> | ||
+From: Matthias Schiffer <mschiffer@universe-factory.net> | ||
+Date: Wed, 20 Apr 2022 22:04:07 +0200 | ||
+Subject: [PATCH] verify: fix signature verification (CVE-2022-24884) | ||
+ | ||
+Verify that r and s are non-zero. Without these checks, an all-zero | ||
+signature is always considered valid. | ||
+ | ||
+While it would be nicer to error out in ecdsa_verify_prepare_legacy() | ||
+already, that would require users of libecdsautil to check a return value | ||
+of the prepare step. To be safe, implement the fix in an API/ABI-compatible | ||
+way that doesn't need changes to the users. | ||
+--- | ||
+ src/lib/ecdsa.c | 10 ++++++++++ | ||
+ 1 file changed, 10 insertions(+) | ||
+ | ||
+diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c | ||
+index 8cd7722be8cd..a661b56bd7c8 100644 | ||
+--- a/src/lib/ecdsa.c | ||
++++ b/src/lib/ecdsa.c | ||
+@@ -135,6 +135,12 @@ regenerate: | ||
+ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) { | ||
+ ecc_int256_t w, u1, tmp; | ||
+ | ||
++ if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) { | ||
++ // Signature is invalid, mark by setting ctx->r to an invalid value | ||
++ memset(&ctx->r, 0, sizeof(ctx->r)); | ||
++ return; | ||
++ } | ||
++ | ||
+ ctx->r = signature->r; | ||
+ | ||
+ ecc_25519_gf_recip(&w, &signature->s); | ||
+@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work | ||
+ ecc_25519_work_t s2, work; | ||
+ ecc_int256_t w, tmp; | ||
+ | ||
++ // Signature was detected as invalid in prepare step | ||
++ if (ecc_25519_gf_is_zero(&ctx->r)) | ||
++ return false; | ||
++ | ||
+ ecc_25519_scalarmult(&s2, &ctx->u2, pubkey); | ||
+ ecc_25519_add(&work, &ctx->s1, &s2); | ||
+ ecc_25519_store_xy_legacy(&w, NULL, &work); | ||
+-- | ||
+2.36.0 | ||
+ |
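Review bot: On the early-return path added to ecdsa_verify_prepare_legacy, only ctx->r is written, so ctx->u2 and ctx->s1 stay uninitialised and the zeroed ctx->r is the single in-band marker that stops ecdsa_verify_legacy from using them. Clearing the whole context with `memset(ctx, 0, sizeof(*ctx));` would keep the sentinel and leave no indeterminate fields for any other reader of the context that lacks the new guard. The guard rejects only r or s equal to zero; whether values outside the valid scalar range are rejected elsewhere cannot be seen here, because both function bodies continue past the hunks, so that range check is worth confirming. The inner patch touches only src/lib/ecdsa.c, so a regression test asserting that an all-zero signature, and signatures with only r or only s zero, fail verification would keep this fix from silently regressing.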