|
| 1 | +From: Matthias Schiffer <mschiffer@universe-factory.net> |
| 2 | +Date: Wed, 27 Apr 2022 19:01:39 +0200 |
| 3 | +Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884) |
| 4 | + |
| 5 | +Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> |
| 6 | + |
| 7 | +diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile |
| 8 | +index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644 |
| 9 | +--- a/utils/ecdsautils/Makefile |
| 10 | ++++ b/utils/ecdsautils/Makefile |
| 11 | +@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk |
| 12 | + |
| 13 | + PKG_NAME:=ecdsautils |
| 14 | + PKG_VERSION:=0.3.2.20160630 |
| 15 | +-PKG_RELEASE:=1 |
| 16 | ++PKG_RELEASE:=2 |
| 17 | + PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46 |
| 18 | + PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net> |
| 19 | + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz |
| 20 | +diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch |
| 21 | +new file mode 100644 |
| 22 | +index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba |
| 23 | +--- /dev/null |
| 24 | ++++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch |
| 25 | +@@ -0,0 +1,48 @@ |
| 26 | ++From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001 |
| 27 | ++Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net> |
| 28 | ++From: Matthias Schiffer <mschiffer@universe-factory.net> |
| 29 | ++Date: Wed, 20 Apr 2022 22:04:07 +0200 |
| 30 | ++Subject: [PATCH] verify: fix signature verification (CVE-2022-24884) |
| 31 | ++ |
| 32 | ++Verify that r and s are non-zero. Without these checks, an all-zero |
| 33 | ++signature is always considered valid. |
| 34 | ++ |
| 35 | ++While it would be nicer to error out in ecdsa_verify_prepare_legacy() |
| 36 | ++already, that would require users of libecdsautil to check a return value |
| 37 | ++of the prepare step. To be safe, implement the fix in an API/ABI-compatible |
| 38 | ++way that doesn't need changes to the users. |
| 39 | ++--- |
| 40 | ++ src/lib/ecdsa.c | 10 ++++++++++ |
| 41 | ++ 1 file changed, 10 insertions(+) |
| 42 | ++ |
| 43 | ++diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c |
| 44 | ++index 8cd7722be8cd..a661b56bd7c8 100644 |
| 45 | ++--- a/src/lib/ecdsa.c |
| 46 | +++++ b/src/lib/ecdsa.c |
| 47 | ++@@ -135,6 +135,12 @@ regenerate: |
| 48 | ++ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) { |
| 49 | ++ ecc_int256_t w, u1, tmp; |
| 50 | ++ |
| 51 | +++ if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) { |
| 52 | +++ // Signature is invalid, mark by setting ctx->r to an invalid value |
| 53 | +++ memset(&ctx->r, 0, sizeof(ctx->r)); |
| 54 | +++ return; |
| 55 | +++ } |
| 56 | +++ |
| 57 | ++ ctx->r = signature->r; |
| 58 | ++ |
| 59 | ++ ecc_25519_gf_recip(&w, &signature->s); |
| 60 | ++@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work |
| 61 | ++ ecc_25519_work_t s2, work; |
| 62 | ++ ecc_int256_t w, tmp; |
| 63 | ++ |
| 64 | +++ // Signature was detected as invalid in prepare step |
| 65 | +++ if (ecc_25519_gf_is_zero(&ctx->r)) |
| 66 | +++ return false; |
| 67 | +++ |
| 68 | ++ ecc_25519_scalarmult(&s2, &ctx->u2, pubkey); |
| 69 | ++ ecc_25519_add(&work, &ctx->s1, &s2); |
| 70 | ++ ecc_25519_store_xy_legacy(&w, NULL, &work); |
| 71 | ++-- |
| 72 | ++2.36.0 |
| 73 | ++ |
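Review bot: The invalid-signature state is signalled in-band as `ctx->r == 0`, and on the early-return path added to ecdsa_verify_prepare_legacy() the other context fields (`ctx->u2`, `ctx->s1`) are presumably left unwritten, so the guard added to ecdsa_verify_legacy() must remain the first statement that reads the context; a comment there would protect that ordering, e.g. `// Must precede any use of ctx->u2 / ctx->s1: they are not set for an invalid signature`. As defence in depth against the same class of bug, the verify step could reject a neutral-element result explicitly after the addition, `if (ecc_25519_is_identity(&work)) return false;`, rather than relying on the later comparison with r, which lies outside this hunk. The added checks reject zero only; whether r and s at or above the group order are reduced or rejected elsewhere is not visible here and is worth confirming. A regression test that feeds an all-zero signature and expects `false` would pin the fix. Both function bodies continue outside the hunks shown.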