1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
Backport of:
From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 16:42:21 +0100
Subject: [PATCH] Similar fix for eddsa.
* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
reduced. Two of the three call sites need that.
(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
Upstream-Status: Backport
https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
CVE: CVE-2021-20305
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 3 +++
eddsa-hash.c | 10 +++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index 5f8a22c2..ce330831 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,5 +1,8 @@
# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
#+ reduced. Two of the three call sites need that.
#+
# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
# to compute the scalars used for ecc multiplication.
#
Index: nettle-3.5.1/eddsa-hash.c
===================================================================
--- nettle-3.5.1.orig/eddsa-hash.c
+++ nettle-3.5.1/eddsa-hash.c
@@ -46,7 +46,12 @@ void
_eddsa_hash (const struct ecc_modulo *m,
mp_limb_t *rp, const uint8_t *digest)
{
+ mp_limb_t cy;
size_t nbytes = 1 + m->bit_size / 8;
mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes);
m->mod (m, rp);
+ mpn_copyi (rp + m->size, rp, m->size);
+ /* Ensure canonical reduction. */
+ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
+ cnd_copy (cy, rp, rp + m->size, m->size);
}
|
