From 47387d49975d6f626fc269ad341901f2c73a9208 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 04 2023 08:51:54 +0000 Subject: import gnutls-3.6.16-6.el8_7 --- diff --git a/SOURCES/gnutls-3.6.16-cpuid.patch b/SOURCES/gnutls-3.6.16-cpuid.patch new file mode 100644 index 0000000..e18853b --- /dev/null +++ b/SOURCES/gnutls-3.6.16-cpuid.patch @@ -0,0 +1,247 @@ +From 300c6315d2e644ae81b43fa2dd7bbf68b3afb5b2 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 18 Nov 2021 19:02:03 +0100 +Subject: [PATCH 1/2] accelerated: fix CPU feature detection for Intel CPUs + +This fixes read_cpuid_vals to correctly read the CPUID quadruple, as +well as to set the bit the ustream CRYPTOGAMS uses to identify Intel +CPUs. + +Suggested by Rafael Gieschke in: +https://gitlab.com/gnutls/gnutls/-/issues/1282 + +Signed-off-by: Daiki Ueno +--- + lib/accelerated/x86/x86-common.c | 91 +++++++++++++++++++++++++------- + 1 file changed, 71 insertions(+), 20 deletions(-) + +diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c +index 3845c6b4c9..cf615ef24f 100644 +--- a/lib/accelerated/x86/x86-common.c ++++ b/lib/accelerated/x86/x86-common.c +@@ -81,15 +81,38 @@ unsigned int _gnutls_x86_cpuid_s[4]; + # define bit_AVX 0x10000000 + #endif + +-#ifndef OSXSAVE_MASK +-/* OSXSAVE|FMA|MOVBE */ +-# define OSXSAVE_MASK (0x8000000|0x1000|0x400000) ++#ifndef bit_AVX2 ++# define bit_AVX2 0x00000020 ++#endif ++ ++#ifndef bit_AVX512F ++# define bit_AVX512F 0x00010000 ++#endif ++ ++#ifndef bit_AVX512IFMA ++# define bit_AVX512IFMA 0x00200000 ++#endif ++ ++#ifndef bit_AVX512BW ++# define bit_AVX512BW 0x40000000 ++#endif ++ ++#ifndef bit_AVX512VL ++# define bit_AVX512VL 0x80000000 ++#endif ++ ++#ifndef bit_OSXSAVE ++# define bit_OSXSAVE 0x8000000 + #endif + + #ifndef bit_MOVBE + # define bit_MOVBE 0x00400000 + #endif + ++#ifndef OSXSAVE_MASK ++# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE) ++#endif ++ + #define via_bit_PADLOCK (0x3 << 6) + #define via_bit_PADLOCK_PHE (0x3 << 10) + #define via_bit_PADLOCK_PHE_SHA512 (0x3 << 25) +@@ -127,7 +150,7 @@ static unsigned read_cpuid_vals(unsigned int vals[4]) + unsigned t1, t2, t3; + vals[0] = vals[1] = vals[2] = vals[3] = 0; + +- if (!__get_cpuid(1, &t1, &vals[0], &vals[1], &t2)) ++ if (!__get_cpuid(1, &t1, &t2, &vals[1], &vals[0])) + return 0; + /* suppress AVX512; it works conditionally on certain CPUs on the original code */ + vals[1] &= 0xfffff7ff; +@@ -145,7 +168,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx) + { + uint32_t xcr0; + +- if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK) ++ if ((ecx & bit_OSXSAVE) != bit_OSXSAVE) + return 0; + + #if defined(_MSC_VER) && !defined(__clang__) +@@ -233,10 +256,7 @@ static unsigned check_sha(void) + #ifdef ASM_X86_64 + static unsigned check_avx_movbe(void) + { +- if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0) +- return 0; +- +- return ((_gnutls_x86_cpuid_s[1] & bit_AVX)); ++ return (_gnutls_x86_cpuid_s[1] & bit_AVX); + } + + static unsigned check_pclmul(void) +@@ -514,33 +534,47 @@ void register_x86_padlock_crypto(unsigned capabilities) + } + #endif + +-static unsigned check_intel_or_amd(void) ++enum x86_cpu_vendor { ++ X86_CPU_VENDOR_OTHER, ++ X86_CPU_VENDOR_INTEL, ++ X86_CPU_VENDOR_AMD, ++}; ++ ++static enum x86_cpu_vendor check_x86_cpu_vendor(void) + { + unsigned int a, b, c, d; + +- if (!__get_cpuid(0, &a, &b, &c, &d)) +- return 0; ++ if (!__get_cpuid(0, &a, &b, &c, &d)) { ++ return X86_CPU_VENDOR_OTHER; ++ } + +- if ((memcmp(&b, "Genu", 4) == 0 && +- memcmp(&d, "ineI", 4) == 0 && +- memcmp(&c, "ntel", 4) == 0) || +- (memcmp(&b, "Auth", 4) == 0 && +- memcmp(&d, "enti", 4) == 0 && memcmp(&c, "cAMD", 4) == 0)) { +- return 1; ++ if (memcmp(&b, "Genu", 4) == 0 && ++ memcmp(&d, "ineI", 4) == 0 && ++ memcmp(&c, "ntel", 4) == 0) { ++ return X86_CPU_VENDOR_INTEL; + } + +- return 0; ++ if (memcmp(&b, "Auth", 4) == 0 && ++ memcmp(&d, "enti", 4) == 0 && ++ memcmp(&c, "cAMD", 4) == 0) { ++ return X86_CPU_VENDOR_AMD; ++ } ++ ++ return X86_CPU_VENDOR_OTHER; + } + + static + void register_x86_intel_crypto(unsigned capabilities) + { + int ret; ++ enum x86_cpu_vendor vendor; + + memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s)); + +- if (check_intel_or_amd() == 0) ++ vendor = check_x86_cpu_vendor(); ++ if (vendor == X86_CPU_VENDOR_OTHER) { + return; ++ } + + if (capabilities == 0) { + if (!read_cpuid_vals(_gnutls_x86_cpuid_s)) +@@ -549,6 +583,23 @@ void register_x86_intel_crypto(unsigned capabilities) + capabilities_to_intel_cpuid(capabilities); + } + ++ /* CRYPTOGAMS uses the (1 << 30) bit as an indicator of Intel CPUs */ ++ if (vendor == X86_CPU_VENDOR_INTEL) { ++ _gnutls_x86_cpuid_s[0] |= 1 << 30; ++ } else { ++ _gnutls_x86_cpuid_s[0] &= ~(1 << 30); ++ } ++ ++ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) { ++ _gnutls_x86_cpuid_s[1] &= ~bit_AVX; ++ ++ /* Clear AVX2 bits as well, according to what OpenSSL does. ++ * Should we clear bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, and ++ * bit_AVX512CD? */ ++ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|bit_AVX512F|bit_AVX512IFMA| ++ bit_AVX512BW|bit_AVX512BW); ++ } ++ + if (check_ssse3()) { + _gnutls_debug_log("Intel SSSE3 was detected\n"); + +-- +2.37.3 + + +From cd509dac9e6d1bf76fd12c72c1fd61f1708c254a Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 15 Aug 2022 09:39:18 +0900 +Subject: [PATCH 2/2] accelerated: clear AVX bits if it cannot be queried + through XSAVE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32 +Architectures Software Developer’s Manual". + +GnuTLS previously only followed that algorithm when registering the +crypto backend, while the CRYPTOGAMS derived SHA code assembly expects +that the extension bits are propagated to _gnutls_x86_cpuid_s. + +Signed-off-by: Daiki Ueno +--- + lib/accelerated/x86/x86-common.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c +index cf615ef24f..655d0c65f2 100644 +--- a/lib/accelerated/x86/x86-common.c ++++ b/lib/accelerated/x86/x86-common.c +@@ -210,7 +210,8 @@ static void capabilities_to_intel_cpuid(unsigned capabilities) + } + + if (capabilities & INTEL_AVX) { +- if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) { ++ if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) && ++ check_4th_gen_intel_features(a[1])) { + _gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE; + } else { + _gnutls_debug_log +@@ -256,7 +257,7 @@ static unsigned check_sha(void) + #ifdef ASM_X86_64 + static unsigned check_avx_movbe(void) + { +- return (_gnutls_x86_cpuid_s[1] & bit_AVX); ++ return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE); + } + + static unsigned check_pclmul(void) +@@ -579,6 +580,19 @@ void register_x86_intel_crypto(unsigned capabilities) + if (capabilities == 0) { + if (!read_cpuid_vals(_gnutls_x86_cpuid_s)) + return; ++ if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) { ++ _gnutls_x86_cpuid_s[1] &= ~bit_AVX; ++ ++ /* Clear AVX2 bits as well, according to what ++ * OpenSSL does. Should we clear ++ * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, ++ * and bit_AVX512CD? */ ++ _gnutls_x86_cpuid_s[2] &= ~(bit_AVX2| ++ bit_AVX512F| ++ bit_AVX512IFMA| ++ bit_AVX512BW| ++ bit_AVX512BW); ++ } + } else { + capabilities_to_intel_cpuid(capabilities); + } +-- +2.37.3 + diff --git a/SOURCES/gnutls-3.7.8-rsa-kx-timing.patch b/SOURCES/gnutls-3.7.8-rsa-kx-timing.patch new file mode 100644 index 0000000..9107321 --- /dev/null +++ b/SOURCES/gnutls-3.7.8-rsa-kx-timing.patch @@ -0,0 +1,114 @@ +From c149dd0767f32789e391280cb1eb06b7eb7c6bce Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Tue, 9 Aug 2022 16:05:53 +0200 +Subject: [PATCH 1/2] auth/rsa: side-step potential side-channel + +Remove branching that depends on secret data. + +Signed-off-by: Alexander Sosedkin +Signed-off-by: Hubert Kario +Tested-by: Hubert Kario +--- + lib/auth/rsa.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c +index 8108ee841d..6b158bacb2 100644 +--- a/lib/auth/rsa.c ++++ b/lib/auth/rsa.c +@@ -155,7 +155,6 @@ static int + proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + size_t _data_size) + { +- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n"; + gnutls_datum_t ciphertext; + int ret, dsize; + ssize_t data_size = _data_size; +@@ -235,15 +234,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) & + CONSTCHECK_EQUAL(session->key.key.data[1], ver_min); + +- if (ok) { +- /* call logging function unconditionally so all branches are +- * indistinguishable for timing and cache access when debug +- * logging is disabled */ +- _gnutls_no_log("%s", attack_error); +- } else { +- _gnutls_debug_log("%s", attack_error); +- } +- + /* This is here to avoid the version check attack + * discussed above. + */ +-- +2.39.1 + + +From 7c963102ec2119eecc1789b993aabe5edfd75f3b Mon Sep 17 00:00:00 2001 +From: Hubert Kario +Date: Wed, 8 Feb 2023 14:32:09 +0100 +Subject: [PATCH 2/2] rsa: remove dead code + +since the `ok` variable isn't used any more, we can remove all code +used to calculate it + +Signed-off-by: Hubert Kario +--- + lib/auth/rsa.c | 20 +++----------------- + 1 file changed, 3 insertions(+), 17 deletions(-) + +diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c +index 6b158bacb2..858701fe6e 100644 +--- a/lib/auth/rsa.c ++++ b/lib/auth/rsa.c +@@ -159,8 +159,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + int ret, dsize; + ssize_t data_size = _data_size; + volatile uint8_t ver_maj, ver_min; +- volatile uint8_t check_ver_min; +- volatile uint32_t ok; + + #ifdef ENABLE_SSL3 + if (get_num_version(session) == GNUTLS_SSL3) { +@@ -186,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + + ver_maj = _gnutls_get_adv_version_major(session); + ver_min = _gnutls_get_adv_version_minor(session); +- check_ver_min = (session->internals.allow_wrong_pms == 0); + + session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE); + if (session->key.key.data == NULL) { +@@ -205,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + return ret; + } + +- ret = +- gnutls_privkey_decrypt_data2(session->internals.selected_key, +- 0, &ciphertext, session->key.key.data, +- session->key.key.size); ++ gnutls_privkey_decrypt_data2(session->internals.selected_key, ++ 0, &ciphertext, session->key.key.data, ++ session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side + * channel that can be used as an oracle, so treat very carefully */ +@@ -224,16 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + * Vlastimil Klima, Ondej Pokorny and Tomas Rosa. + */ + +- /* ok is 0 in case of error and 1 in case of success. */ +- +- /* if ret < 0 */ +- ok = CONSTCHECK_EQUAL(ret, 0); +- /* session->key.key.data[0] must equal ver_maj */ +- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj); +- /* if check_ver_min then session->key.key.data[1] must equal ver_min */ +- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) & +- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min); +- + /* This is here to avoid the version check attack + * discussed above. + */ +-- +2.39.1 + diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec index 47b5062..d44e573 100644 --- a/SPECS/gnutls.spec +++ b/SPECS/gnutls.spec @@ -1,5 +1,5 @@ Version: 3.6.16 -Release: 5%{?dist} +Release: 6%{?dist} Patch1: gnutls-3.2.7-rpath.patch Patch2: gnutls-3.6.4-no-now-guile.patch Patch3: gnutls-3.6.13-enable-intel-cet.patch @@ -9,6 +9,8 @@ Patch12: gnutls-3.6.16-tls12-cert-type.patch Patch13: gnutls-3.6.16-trust-ca-sha1.patch Patch14: gnutls-3.6.16-doc-p11tool-ckaid.patch Patch15: gnutls-3.6.16-pkcs7-verify.patch +Patch16: gnutls-3.6.16-cpuid.patch +Patch17: gnutls-3.7.8-rsa-kx-timing.patch %bcond_without dane %if 0%{?rhel} %bcond_with guile @@ -293,8 +295,12 @@ fi %endif %changelog +* Thu Feb 23 2023 Zoltan Fridrich - 3.6.16-6 +- Fix x86_64 CPU feature detection when AVX is not available (#2131152) +- Fix timing side-channel in TLS RSA key exchange (#2162598) + * Mon Aug 29 2022 Daiki Ueno - 3.6.16-5 -- Fix double-free in gnutls_pkcs7_verify (#2109787) +- Fix double-free in gnutls_pkcs7_verify (#2109788) * Mon Jun 28 2021 Daiki Ueno - 3.6.16-4 - p11tool: Document ID reuse behavior when importing certs (#1776250)