From 5e6bac4e5241546689114ccde7d5428ea6ff0f35 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Wed, 27 Apr 2022 19:02:43 +0200 Subject: [PATCH] ecdsautils: verify: fix signature verification (CVE-2022-24884) A vulnerability was found in ecdsautils which allows forgery of ECDSA signatures. An adversary exploiting this vulnerability can create an update manifest accepted by the autoupdater, which can be used to distribute malicious firmware updates by spoofing a Gluon node's connection to the update server. --- ...ignature-verification-CVE-2022-24884.patch | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch diff --git a/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch b/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch new file mode 100644 index 00000000..de11528c --- /dev/null +++ b/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch @@ -0,0 +1,73 @@ +From: Matthias Schiffer +Date: Wed, 27 Apr 2022 19:01:39 +0200 +Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884) + +Signed-off-by: Matthias Schiffer + +diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile +index e6f5a916e63e9914369ae7e47106230346f9322c..096827494befad193c5904e1748c4e6768bbb15e 100644 +--- a/utils/ecdsautils/Makefile ++++ b/utils/ecdsautils/Makefile +@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk + + PKG_NAME:=ecdsautils + PKG_VERSION:=0.3.2.20160630 +-PKG_RELEASE:=1 ++PKG_RELEASE:=2 + + PKG_SOURCE_PROTO:=git + PKG_SOURCE_URL:=https://github.com/freifunk-gluon/ecdsautils +diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch +new file mode 100644 +index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba +--- /dev/null ++++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch +@@ -0,0 +1,48 @@ ++From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001 ++Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net> ++From: Matthias Schiffer ++Date: Wed, 20 Apr 2022 22:04:07 +0200 ++Subject: [PATCH] verify: fix signature verification (CVE-2022-24884) ++ ++Verify that r and s are non-zero. Without these checks, an all-zero ++signature is always considered valid. ++ ++While it would be nicer to error out in ecdsa_verify_prepare_legacy() ++already, that would require users of libecdsautil to check a return value ++of the prepare step. To be safe, implement the fix in an API/ABI-compatible ++way that doesn't need changes to the users. ++--- ++ src/lib/ecdsa.c | 10 ++++++++++ ++ 1 file changed, 10 insertions(+) ++ ++diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c ++index 8cd7722be8cd..a661b56bd7c8 100644 ++--- a/src/lib/ecdsa.c +++++ b/src/lib/ecdsa.c ++@@ -135,6 +135,12 @@ regenerate: ++ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) { ++ ecc_int256_t w, u1, tmp; ++ +++ if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) { +++ // Signature is invalid, mark by setting ctx->r to an invalid value +++ memset(&ctx->r, 0, sizeof(ctx->r)); +++ return; +++ } +++ ++ ctx->r = signature->r; ++ ++ ecc_25519_gf_recip(&w, &signature->s); ++@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work ++ ecc_25519_work_t s2, work; ++ ecc_int256_t w, tmp; ++ +++ // Signature was detected as invalid in prepare step +++ if (ecc_25519_gf_is_zero(&ctx->r)) +++ return false; +++ ++ ecc_25519_scalarmult(&s2, &ctx->u2, pubkey); ++ ecc_25519_add(&work, &ctx->s1, &s2); ++ ecc_25519_store_xy_legacy(&w, NULL, &work); ++-- ++2.36.0 ++