Diffstat (limited to 'meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch')
-rw-r--r-- | meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
new file mode 100644
index 0000000000..15a892ecdf
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 15:19:19 +0100
+Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
+
+* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+to compute the scalars used for ecc multiplication.
+* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+triggers an assert on 64-bit platforms, without above fix.
+* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+the same signature.
+
+(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
+CVE: CVE-2021-20305 dep3
+[Minor fixup on _nettle_secp_224r1]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 +++++++++-
+ ecc-ecdsa-verify.c | 4 ++--
+ testsuite/ecdsa-sign-test.c | 13 +++++++++++++
+ testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
+ 4 files changed, 44 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 2a9217a6..63848f53 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,7 +1,15 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#+ to compute the scalars used for ecc multiplication.
+#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+#+ triggers an assert on 64-bit platforms, without above fix.
+#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
+#+ the same signature.
+#+
+#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#
+# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/ecc-ecdsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
++++ nettle-3.5.1/ecc-ecdsa-verify.c
+@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
+
+ /* u1 = h / s, P1 = u1 * G */
+ ecc_hash (&ecc->q, hp, length, digest);
+- ecc_modq_mul (ecc, u1, hp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
+
+ /* u2 = r / s, P2 = u2 * Y */
+- ecc_modq_mul (ecc, u2, rp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
+
+ /* Total storage: 5*ecc->p.size + ecc->mul_itch */
+ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
+Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
++++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
+@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++ /* Producing the signature for corresponding test in
++ ecdsa-verify-test.c, with special u1 and u2. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "99b5b787484def12894ca507058b3bf5"
++ "43d72d82fa7721d2e805e5e6",
++ "2",
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+ /* Test cases for the smaller groups, verified with a
+ proof-of-concept implementation done for Yubico AB.
*/
+ test_ecdsa (&_nettle_secp_192r1,
+Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
++++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
+@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++ /* Corresponds to nonce k = 2 and private key z =
++ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
++ hash are chosen so that intermediate scalars in the verify
++ equations are u1 = 0x6b245680e700, u2 =
++ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
++ reduction of the scalars. Bug caused by missing canonical
++ reduction reported by Guido Vranken. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
++ "7be706a900a3cba1c8fdd014", /* x */
++ "74855db3f7c1b4097ae095745fc915e3"
++ "8a79d2a1de28f282eafb22ba", /* y */
++
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+ /* From RFC 4754 */
+ test_ecdsa (&_nettle_secp_256r1,
+ "2442A5CC 0ECD015F A3CA31DC 8E2BBC70" |
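Review bot: The two `ecc_mod_mul_canonical (&ecc->q, ...)` calls added in the ecc-ecdsa-verify.c hunk rely on a helper that this patch does not define; the commented-out ChangeLog context attributes it to ecc-mod-arith.c in a 2021-03-11 entry, so it presumably arrives with an earlier patch of the CVE-2021-20305 series. The diffstat shown is limited to this one new file, so confirm that the recipe's SRC_URI lists this patch after the one that adds the helper, and that the helper's backported signature takes the five arguments used here. In the header, the trailer would read more cleanly as `CVE: CVE-2021-20305`, with the Debian link folded into `Upstream-Status: Backport [URL]`, so that tools reading these tags see only the identifier and the status. The added ecdsa-verify-test.c case is described as tripping an assert on 64-bit platforms without the fix, so it guards against regressions only where the nettle testsuite is actually run for this build.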