| author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-02-26 11:01:34 +0000 |
|---|---|---|
| committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-02-26 11:01:34 +0000 |
| commit | bc1b8cdb81f24f01d962fc29e48ca02bf09d6ec7 (patch) | |
| tree | e0290cad0b1dbc03e7e8b0a32a2b951fb96233b9 | |
| parent | 5c6f6540495a819f4ee6722fa9299f96060b713f (diff) | |
| download | aports-bc1b8cdb81f24f01d962fc29e48ca02bf09d6ec7.tar.bz2 aports-bc1b8cdb81f24f01d962fc29e48ca02bf09d6ec7.tar.xz | |
| -rw-r--r-- | main/nettle/APKBUILD | 20 | ||||
| -rw-r--r-- | main/nettle/CVE-2015-8803_5.patch | 27 | ||||
| -rw-r--r-- | main/nettle/CVE-2015-8804.patch | 252 |
3 files changed, 294 insertions, 5 deletions
diff --git a/main/nettle/APKBUILD b/main/nettle/APKBUILD index baf7e49897..940e3e3677 100644 --- a/main/nettle/APKBUILD +++ b/main/nettle/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Fabian Affolter <fabian@affolter-engineering.ch pkgname=nettle pkgver=2.7.1 -pkgrel=0 +pkgrel=1 pkgdesc="A low-level cryptographic library" url="http://www.lysator.liu.se/~nisse/nettle/" arch="all" @@ -13,7 +13,11 @@ makedepends="$depends_dev" install="" subpackages="$pkgname-dev $pkgname-utils" source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz - nettle-2.4-makefile.patch" + nettle-2.4-makefile.patch + CVE-2015-8803_5.patch + CVE-2015-8804.patch + " + _builddir="$srcdir"/$pkgname-$pkgver prepare() { 
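Review bot: Adding `CVE-2015-8803_5.patch` and `CVE-2015-8804.patch` to `source=` only gets them fetched and checksummed; nothing in this hunk applies them, and `prepare()` opens on the last context line with its body outside the hunk. If that body names patches explicitly rather than iterating over every `*.patch` entry in `$source`, the package would ship at `pkgrel=1` without the fixes, so that is worth confirming there. A comment above `source=` such as `# CVE-2015-8803/8804/8805 fixes below are applied in prepare()` would record the dependency. Moving the closing quote to its own line also leaves a whitespace-only tail in the list; ending it with `CVE-2015-8804.patch"` would be tidier.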
@@ -56,8 +60,14 @@ utils() { } md5sums="003d5147911317931dd453520eb234a5 nettle-2.7.1.tar.gz -b3a89964557b9fca040a84e9217b4b01 nettle-2.4-makefile.patch" +b3a89964557b9fca040a84e9217b4b01 nettle-2.4-makefile.patch +e35c5dea56ca63711108db17862fcc72 CVE-2015-8803_5.patch +1a0fb19bbb937b6bc814f1fd440bde54 CVE-2015-8804.patch" sha256sums="bc71ebd43435537d767799e414fce88e521b7278d48c860651216e1fc6555b40 nettle-2.7.1.tar.gz -e903bc46375df777d3074e44f9ee9ee166058cc8bb103d748f7981195031b797 nettle-2.4-makefile.patch" +e903bc46375df777d3074e44f9ee9ee166058cc8bb103d748f7981195031b797 nettle-2.4-makefile.patch +561f6ad4bf8d7cd4ecd763ce13c80c2bf17256b6a11e45ad14bd58a141ea1bec CVE-2015-8803_5.patch +1a72891c6e153e507cbabb3f8fa7a433e01fee4f106689c58e3f3f414a3d709a CVE-2015-8804.patch" sha512sums="297c69e90bbd448f72e854abe5cc7868c08d710e1c1bcd6a14adf06e25629d58a3ef4d65ab588d001ec7091aa583032312ad15b416ea5479e5bf0ea63717f473 nettle-2.7.1.tar.gz -c7d9741a7a37d225f3f0db16d355e13b04cc0f1ac56882a6ff31ef15c1a1a0aee7a70cf1ec8bbf2c46b9b0dcec153da7a7aa6b8909a72d76dd4d669cbbaceaa4 nettle-2.4-makefile.patch" +c7d9741a7a37d225f3f0db16d355e13b04cc0f1ac56882a6ff31ef15c1a1a0aee7a70cf1ec8bbf2c46b9b0dcec153da7a7aa6b8909a72d76dd4d669cbbaceaa4 nettle-2.4-makefile.patch +0ee74c2bd8a9cab9c6745ffdd7150cba942073c345aa4446fc7d108ce404f86d7e779b6edabe10d2c5896dacb6cfd8e73bb529b4453c4ec35ce319bdb3e4e460 CVE-2015-8803_5.patch +a6d33daff6df8bf3cd01376905023d013153894fc5a2e9714993d3f56fee24fc28fd855f5b04485f2dedd85d0ae556fde0e2201f3ae85bb031b930067a57aa16 CVE-2015-8804.patch" diff --git a/main/nettle/CVE-2015-8803_5.patch b/main/nettle/CVE-2015-8803_5.patch new file mode 100644 index 0000000000..dda1f0f400 --- /dev/null +++ b/main/nettle/CVE-2015-8803_5.patch 
@@ -0,0 +1,27 @@ +From: Niels Möller <nisse@lysator.liu.se> +Origin: upstream, https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d +Subject: CVE-2015-8803 and CVE-2015-8805: Miscomputation bugs in secp-256r1 modulo functions. + +--- a/ecc-256.c ++++ b/ecc-256.c +@@ -108,7 +119,10 @@ ecc_256_modp (const struct ecc_curve *ec + u0 -= t; + t = (u1 < cy); + u1 -= cy; +- u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3); ++ ++ cy = cnd_add_n (t, rp + n - 4, ecc->p, 2); ++ u0 += cy; ++ u1 += (u0 < cy); + u1 -= (-t) & 0xffffffff; + } + rp[2] = u0; +@@ -195,7 +209,7 @@ ecc_256_modq (const struct ecc_curve *ec + + /* Conditional add of p */ + u1 += t; +- u2 += (t<<32) + (u0 < t); ++ u2 += (t<<32) + (u1 < t); + + t = cnd_add_n (t, rp + n - 4, ecc->q, 2); + u1 += t; diff --git a/main/nettle/CVE-2015-8804.patch b/main/nettle/CVE-2015-8804.patch new file mode 100644 index 0000000000..767a51ab49 --- /dev/null +++ b/main/nettle/CVE-2015-8804.patch 
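Review bot: The embedded patch's hunk headers suggest it is not a plain diff against the packaged ecc-256.c. Its first hunk is `@@ -108,7 +119,10 @@`, with the new side 11 lines further down and no earlier hunk to account for the shift. It was presumably cut from the upstream commit named in `Origin:` and will apply to nettle 2.7.1 only with an offset. If it was adapted, the header should say so, e.g. `Origin: backport, https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d`, and the build log should be checked to see that both hunks land in `ecc_256_modp` and `ecc_256_modq`. Both functions begin and end outside the hunks shown.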
@@ -0,0 +1,252 @@ +Origin: upstream, https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7 +From: Niels Möller <nisse@lysator.liu.se> +Subject: CVE-2015-8804: Carry folding bug in x86_64 ecc_384_modp. + +--- a/x86_64/ecc-384-modp.asm ++++ b/x86_64/ecc-384-modp.asm +@@ -20,7 +20,7 @@ C MA 02111-1301, USA. + .file "ecc-384-modp.asm" + + define(<RP>, <%rsi>) +-define(<D4>, <%rax>) ++define(<D5>, <%rax>) + define(<T0>, <%rbx>) + define(<T1>, <%rcx>) + define(<T2>, <%rdx>) +@@ -35,8 +35,8 @@ define(<H4>, <%r13>) + define(<H5>, <%r14>) + define(<C2>, <%r15>) + define(<C0>, H5) C Overlap +-define(<D0>, RP) C Overlap +-define(<TMP>, H4) C Overlap ++define(<TMP>, RP) C Overlap ++ + + PROLOGUE(nettle_ecc_384_modp) + W64_ENTRY(2, 0) +@@ -48,34 +48,38 @@ PROLOGUE(nettle_ecc_384_modp) + push %r14 + push %r15 + +- C First get top 2 limbs, which need folding twice ++ C First get top 2 limbs, which need folding twice. ++ C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. ++ C We handle the terms as follow: + C +- C H5 H4 +- C -H5 +- C ------ +- C H0 D4 ++ C B^6: Folded immediatly. + C +- C Then shift right, (H1,H0,D4) <-- (H0,D4) << 32 +- C and add ++ C B^4: Delayed, added in in the next folding. + C +- C H5 H4 +- C H1 H0 +- C ---------- +- C C2 H1 H0 +- +- mov 80(RP), D4 +- mov 88(RP), H0 +- mov D4, H4 +- mov H0, H5 +- sub H0, D4 +- sbb $0, H0 +- +- mov D4, T2 +- mov H0, H1 +- shl $32, H0 +- shr $32, T2 ++ C 2^32(B-1) B^4: Low half limb delayed until the next ++ C folding. Top 1.5 limbs subtracted and shifter now, resulting ++ C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added ++ C in. 
++ ++ mov 80(RP), H4 ++ mov 88(RP), H5 ++ C Shift right 32 bits, into H1, H0 ++ mov H4, H0 ++ mov H5, H1 ++ mov H5, D5 + shr $32, H1 +- or T2, H0 ++ shl $32, D5 ++ shr $32, H0 ++ or D5, H0 ++ ++ C H1 H0 ++ C - H1 H0 ++ C -------- ++ C H1 H0 D5 ++ mov H0, D5 ++ neg D5 ++ sbb H1, H0 ++ sbb $0, H1 + + xor C2, C2 + add H4, H0 +@@ -114,118 +118,95 @@ PROLOGUE(nettle_ecc_384_modp) + adc H3, T5 + adc $0, C0 + +- C H3 H2 H1 H0 0 +- C - H4 H3 H2 H1 H0 +- C --------------- +- C H3 H2 H1 H0 D0 +- +- mov XREG(D4), XREG(D4) +- mov H0, D0 +- neg D0 +- sbb H1, H0 +- sbb H2, H1 +- sbb H3, H2 +- sbb H4, H3 +- sbb $0, D4 +- +- C Shift right. High bits are sign, to be added to C0. +- mov D4, TMP +- sar $32, TMP +- shl $32, D4 +- add TMP, C0 +- ++ C Shift left, including low half of H4 + mov H3, TMP ++ shl $32, H4 + shr $32, TMP +- shl $32, H3 +- or TMP, D4 ++ or TMP, H4 + + mov H2, TMP ++ shl $32, H3 + shr $32, TMP +- shl $32, H2 + or TMP, H3 + + mov H1, TMP ++ shl $32, H2 + shr $32, TMP +- shl $32, H1 + or TMP, H2 + + mov H0, TMP ++ shl $32, H1 + shr $32, TMP +- shl $32, H0 + or TMP, H1 + +- mov D0, TMP +- shr $32, TMP +- shl $32, D0 +- or TMP, H0 ++ shl $32, H0 ++ ++ C H4 H3 H2 H1 H0 0 ++ C - H4 H3 H2 H1 H0 ++ C --------------- ++ C H4 H3 H2 H1 H0 TMP + +- add D0, T0 ++ mov H0, TMP ++ neg TMP ++ sbb H1, H0 ++ sbb H2, H1 ++ sbb H3, H2 ++ sbb H4, H3 ++ sbb $0, H4 ++ ++ add TMP, T0 + adc H0, T1 + adc H1, T2 + adc H2, T3 + adc H3, T4 +- adc D4, T5 ++ adc H4, T5 + adc $0, C0 + + C Remains to add in C2 and C0 +- C C0 C0<<32 (-2^32+1)C0 +- C C2 C2<<32 (-2^32+1)C2 +- C where C2 is always positive, while C0 may be -1. ++ C Set H1, H0 = (2^96 - 2^32 + 1) C0 + mov C0, H0 + mov C0, H1 +- mov C0, H2 +- sar $63, C0 C Get sign + shl $32, H1 +- sub H1, H0 C Gives borrow iff C0 > 0 ++ sub H1, H0 + sbb $0, H1 +- add C0, H2 + ++ C Set H3, H2 = (2^96 - 2^32 + 1) C2 ++ mov C2, H2 ++ mov C2, H3 ++ shl $32, H3 ++ sub H3, H2 ++ sbb $0, H3 ++ add C0, H2 C No carry. 
Could use lea trick ++ ++ xor C0, C0 + add H0, T0 + adc H1, T1 +- adc $0, H2 +- adc $0, C0 +- +- C Set (H1 H0) <-- C2 << 96 - C2 << 32 + 1 +- mov C2, H0 +- mov C2, H1 +- shl $32, H1 +- sub H1, H0 +- sbb $0, H1 +- +- add H2, H0 +- adc C0, H1 +- adc C2, C0 +- mov C0, H2 +- sar $63, C0 +- add H0, T2 +- adc H1, T3 +- adc H2, T4 +- adc C0, T5 +- sbb C0, C0 ++ adc H2, T2 ++ adc H3, T3 ++ adc C2, T4 ++ adc D5, T5 C Value delayed from initial folding ++ adc $0, C0 C Use sbb and switch sign? + + C Final unlikely carry + mov C0, H0 + mov C0, H1 +- mov C0, H2 +- sar $63, C0 + shl $32, H1 + sub H1, H0 + sbb $0, H1 +- add C0, H2 + + pop RP + +- sub H0, T0 ++ add H0, T0 + mov T0, (RP) +- sbb H1, T1 ++ adc H1, T1 + mov T1, 8(RP) +- sbb H2, T2 ++ adc C0, T2 + mov T2, 16(RP) +- sbb C0, T3 ++ adc $0, T3 + mov T3, 24(RP) +- sbb C0, T4 ++ adc $0, T4 + mov T4, 32(RP) +- sbb C0, T5 ++ adc $0, T5 + mov T5, 40(RP) + + pop %r15 |
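Review bot: `define(<TMP>, RP) C Overlap` makes the scratch register the same register as the result pointer (`%rsi`), where it previously overlapped `H4`, and nothing in the new code states the constraint this creates. Every use of `TMP` has to come after the last load through `RP` and before `pop RP`. The matching save of `RP` is not in the visible hunks (only the pushes of `%r14` and `%r15` appear as context), so the ordering cannot be confirmed from here. A one-line comment beside the define, e.g. `C TMP clobbers RP; valid only between the push of RP and pop RP`, would make this explicit for anyone touching the carry folding again.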
