Backport of: From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= Date: Sat, 13 Mar 2021 17:26:37 +0100 Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison. * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. (cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906) Upstream-Status: Backport https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch CVE: CVE-2021-20305 dep2 Signed-off-by: Armin Kuster --- ChangeLog | 4 ++++ eddsa-verify.c | 9 ++------- 2 files changed, 6 insertions(+), 7 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 5cc5c188..2a9217a6 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,7 @@ #+2021-03-13 Niels Möller #+ #+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. #+ # 2021-03-11 Niels Möller # # * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): Index: nettle-3.5.1/eddsa-verify.c =================================================================== --- nettle-3.5.1.orig/eddsa-verify.c +++ nettle-3.5.1/eddsa-verify.c @@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p, #define t0 scratch #define t1 (scratch + p->size) - ecc_mod_mul (p, t0, x1, z2); - if (mpn_cmp (t0, p->m, p->size) >= 0) - mpn_sub_n (t0, t0, p->m, p->size); - - ecc_mod_mul (p, t1, x2, z1); - if (mpn_cmp (t1, p->m, p->size) >= 0) - mpn_sub_n (t1, t1, p->m, p->size); + ecc_mod_mul_canonical (p, t0, x1, z2, t0); + ecc_mod_mul_canonical (p, t1, x2, z1, t1); return mpn_cmp (t0, t1, p->size) == 0;
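Review bot: the ChangeLog hunk is commented out with a leading `#` on every line, so it will never apply, yet the diffstat above it still reports "ChangeLog | 4 ++++" and "2 files changed, 6 insertions(+)". If the ChangeLog entry is intentionally dropped for the 3.5.1 backport, drop the stale diffstat lines too (or regenerate the header with the real stat) so that tools and reviewers do not expect a ChangeLog change that is not there.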
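Review bot: the eddsa-verify.c hunk is the right fix, because the removed code only subtracted p->m once after ecc_mod_mul and therefore only yielded a canonical residue if the product was already below 2*m; feeding mpn_cmp two representatives that are not fully reduced is not a valid modular equality test, which is exactly what equal_h must be. Two things to confirm before merging the backport: ecc_mod_mul_canonical must exist in nettle-3.5.1 with this five-argument signature (the patch only says "dep2", so the earlier dependency patch that adds it should be listed explicitly), and each call passes its own result buffer as the scratch argument, "ecc_mod_mul_canonical (p, t0, x1, z2, t0);" then "(p, t1, x2, z1, t1)", so the function's aliasing contract and its scratch-size requirement relative to the caller's scratch allocation need to be checked, since t1 is only p->size limbs past t0 and a larger scratch footprint would run into the second buffer.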