2 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
new file mode 100644
index 0000000000..e67926fe50
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
@@ -0,0 +1,52 @@
+# HG changeset patch
+# User Billy Brumley <bbrumley@gmail.com>
+# Date 1595283525 0
+# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
+# Parent  ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
+Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
+Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
+Timing attack countermeasures are now applied more generally deeper in
+the call stack.
+Differential Revision: https://phabricator.services.mozilla.com/D82011
+Upstream-Status: Backport
+CVE: CVE-2020-1240
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: nss-3.51.1/nss/lib/freebl/ec.c
+===================================================================
+--- nss-3.51.1.orig/nss/lib/freebl/ec.c
+++ nss-3.51.1/nss/lib/freebl/ec.c
+@@ -724,27 +724,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
+     }
+ 
+     /*
+-    ** We do not want timing information to leak the length of k,
+-    ** so we compute k*G using an equivalent scalar of fixed
+-    ** bit-length.
+-    ** Fix based on patch for ECDSA timing attack in the paper
+-    ** by Billy Bob Brumley and Nicola Tuveri at
+-    **   http://eprint.iacr.org/2011/232
+-    **
+-    ** How do we convert k to a value of a fixed bit-length?
+-    ** k starts off as an integer satisfying 0 <= k < n.  Hence,
+-    ** n <= k+n < 2n, which means k+n has either the same number
+-    ** of bits as n or one more bit than n.  If k+n has the same
+-    ** number of bits as n, the second addition ensures that the
+-    ** final value has exactly one more bit than n.  Thus, we
+-    ** always end up with a value that exactly one more bit than n.
+-    */
+-    CHECK_MPI_OK(mp_add(&k, &n, &k));
+-    if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
+-        CHECK_MPI_OK(mp_add(&k, &n, &k));
+-    }
+-
+-    /*
+     ** ANSI X9.62, Section 5.3.2, Step 2
+     **
+     ** Compute kG
diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb
index c00bd34cb2..3e3c3a3fdf 100644
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
           file://riscv.patch \
           file://0001-Enable-uint128-on-mips64.patch \
           file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
+           file://CVE-2020-12401.patch \
           "
 SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"

diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch new file mode 100644 index 0000000000..e67926fe50 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch
@@ -0,0 +1,52 @@
		1	# HG changeset patch
		2	# User Billy Brumley <bbrumley@gmail.com>
		3	# Date 1595283525 0
		4	# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
		5	# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
		6	Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
		7
		8	Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
		9
		10	Timing attack countermeasures are now applied more generally deeper in
		11	the call stack.
		12
		13	Differential Revision: https://phabricator.services.mozilla.com/D82011
		14
		15
		16	Upstream-Status: Backport
		17
		18	CVE: CVE-2020-1240
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	Index: nss-3.51.1/nss/lib/freebl/ec.c
		22	===================================================================
		23	--- nss-3.51.1.orig/nss/lib/freebl/ec.c
		24	+++ nss-3.51.1/nss/lib/freebl/ec.c
		25	@@ -724,27 +724,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
		26	}
		27
		28	/*
		29	- ** We do not want timing information to leak the length of k,
		30	- ** so we compute k*G using an equivalent scalar of fixed
		31	- ** bit-length.
		32	- ** Fix based on patch for ECDSA timing attack in the paper
		33	- ** by Billy Bob Brumley and Nicola Tuveri at
		34	- ** http://eprint.iacr.org/2011/232
		35	- **
		36	- ** How do we convert k to a value of a fixed bit-length?
		37	- ** k starts off as an integer satisfying 0 <= k < n. Hence,
		38	- ** n <= k+n < 2n, which means k+n has either the same number
		39	- ** of bits as n or one more bit than n. If k+n has the same
		40	- ** number of bits as n, the second addition ensures that the
		41	- ** final value has exactly one more bit than n. Thus, we
		42	- ** always end up with a value that exactly one more bit than n.
		43	- */
		44	- CHECK_MPI_OK(mp_add(&k, &n, &k));
		45	- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
		46	- CHECK_MPI_OK(mp_add(&k, &n, &k));
		47	- }
		48	-
		49	- /*
		50	** ANSI X9.62, Section 5.3.2, Step 2
		51	**
		52	** Compute kG


diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb index c00bd34cb2..3e3c3a3fdf 100644 --- a/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
35	file://riscv.patch \	35	file://riscv.patch \
36	file://0001-Enable-uint128-on-mips64.patch \	36	file://0001-Enable-uint128-on-mips64.patch \
37	file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \	37	file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \
		38	file://CVE-2020-12401.patch \
38	"	39	"
39		40
40	SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"	41	SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"