ecdsautils: verify: fix signature verification (CVE-2022-24884)

A vulnerability was found in ecdsautils which allows forgery of ECDSA signatures. An adversary exploiting this vulnerability can create an update manifest accepted by the autoupdater, which can be used to distribute malicious firmware updates by spoofing a Gluon node's connection to the update server.
2022-04-27 19:02:43 +02:00 · 2022-04-27 19:02:43 +02:00 · 6eb0720e50
commit 6eb0720e50
parent 570680459d
1 changed files with 73 additions and 0 deletions
--- a/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch
+++ b/patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch
@ -0,0 +1,73 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Wed, 27 Apr 2022 19:01:39 +0200
+Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884)
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile
+index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644
+--- a/utils/ecdsautils/Makefile
+++ b/utils/ecdsautils/Makefile
+@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=ecdsautils
+ PKG_VERSION:=0.3.2.20160630
+-PKG_RELEASE:=1
+PKG_RELEASE:=2
+ PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba
+--- /dev/null
+++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+@@ -0,0 +1,48 @@
+From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001
+Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net>
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Wed, 20 Apr 2022 22:04:07 +0200
+Subject: [PATCH] verify: fix signature verification (CVE-2022-24884)
+
+Verify that r and s are non-zero. Without these checks, an all-zero
+signature is always considered valid.
+
+While it would be nicer to error out in ecdsa_verify_prepare_legacy()
+already, that would require users of libecdsautil to check a return value
+of the prepare step. To be safe, implement the fix in an API/ABI-compatible
+way that doesn't need changes to the users.
+---
+ src/lib/ecdsa.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c
+index 8cd7722be8cd..a661b56bd7c8 100644
+--- a/src/lib/ecdsa.c
++++ b/src/lib/ecdsa.c
+@@ -135,6 +135,12 @@ regenerate:
+ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
+   ecc_int256_t w, u1, tmp;
+ 
++  if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
++    // Signature is invalid, mark by setting ctx->r to an invalid value
++    memset(&ctx->r, 0, sizeof(ctx->r));
++    return;
++  }
++
+   ctx->r = signature->r;
+ 
+   ecc_25519_gf_recip(&w, &signature->s);
+@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
+   ecc_25519_work_t s2, work;
+   ecc_int256_t w, tmp;
+ 
++  // Signature was detected as invalid in prepare step
++  if (ecc_25519_gf_is_zero(&ctx->r))
++    return false;
++
+   ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
+   ecc_25519_add(&work, &ctx->s1, &s2);
+   ecc_25519_store_xy_legacy(&w, NULL, &work);
+-- 
+2.36.0
+