Backport of: From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?=
Date: Sat, 13 Mar 2021 15:19:19 +0100
Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical to compute the scalars used for ecc multiplication.
* testsuite/ecdsa-verify-test.c (test_main): Add test case that triggers an assert on 64-bit platforms, without above fix.
* testsuite/ecdsa-sign-test.c (test_main): Test case generating the same signature.
(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
Upstream-Status: Backport https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
CVE: CVE-2021-20305 dep3 [Minor fixup on _nettle_secp_224r1]
Signed-off-by: Armin Kuster
---
 ChangeLog | 10 +++++++++-
 ecc-ecdsa-verify.c | 4 ++--
 testsuite/ecdsa-sign-test.c | 13 +++++++++++++
 testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
 4 files changed, 44 insertions(+), 3 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index 2a9217a6..63848f53 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,7 +1,15 @@
# 2021-03-13 Niels Möller
# 
#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
#+ to compute the scalars used for ecc multiplication.
#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
#+ triggers an assert on 64-bit platforms, without above fix.
#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
#+ the same signature.
#+
#+2021-03-13 Niels Möller
# 
#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
# 2021-03-11 Niels Möller
# 
# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
Index: nettle-3.5.1/ecc-ecdsa-verify.c
===================================================================
--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
+++ nettle-3.5.1/ecc-ecdsa-verify.c
@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
 /* u1 = h / s, P1 = u1 * G */
 ecc_hash (&ecc->q, hp, length, digest);
- ecc_modq_mul (ecc, u1, hp, sinv);
+ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
 /* u2 = r / s, P2 = u2 * Y */
- ecc_modq_mul (ecc, u2, rp, sinv);
+ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
 /* Total storage: 5*ecc->p.size + ecc->mul_itch */
 ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
===================================================================
--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
+++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
 void
 test_main (void)
 {
+ /* Producing the signature for corresponding test in
+ ecdsa-verify-test.c, with special u1 and u2. */
+ test_ecdsa (&_nettle_secp_224r1,
+ "99b5b787484def12894ca507058b3bf5"
+ "43d72d82fa7721d2e805e5e6",
+ "2",
+ SHEX("cdb887ac805a3b42e22d224c85482053"
+ "16c755d4a736bb2032c92553"),
+ "706a46dc76dcb76798e60e6d89474788"
+ "d16dc18032d268fd1a704fa6", /* r */
+ "3a41e1423b1853e8aa89747b1f987364"
+ "44705d6d6d8371ea1f578f2e"); /* s */
+
 /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */
 test_ecdsa (&_nettle_secp_192r1,
Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
===================================================================
--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
+++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
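Review bot: On both replaced lines the result buffer is also passed as the scratch argument, `ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1)` and likewise for `u2`, so the new code silently relies on ecc_mod_mul_canonical accepting rp aliased to tp and on u1/u2 having the extra limbs that scratch needs; neither constraint is stated, and the `/* Total storage: 5*ecc->p.size + ecc->mul_itch */` comment two lines down does not account for it. The upstream commit this backports makes the same call, so the aliasing is presumably intended, but a comment would keep the next maintainer from reshuffling the scratch layout, e.g. `/* u1 and u2 double as ecc_mod_mul_canonical scratch; the scalars handed to ecc->mul must be fully reduced mod q (CVE-2021-20305) */`. The commit message says that without full reduction an unreduced scalar trips an assert on 64-bit platforms, which is the security-relevant point here: a signature under verification must never be able to abort the verifier. ecc_ecdsa_verify begins and ends outside this hunk.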
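Review bot: In the added `test_ecdsa (&_nettle_secp_224r1, …)` call only r and s are labelled, while the first two arguments are left bare; going by the matching ecdsa-verify-test.c case, which names nonce k = 2 and the same private key z, they are the key and the nonce, so `/* z */` after `"43d72d82fa7721d2e805e5e6",` and `/* k */` after `"2",` would make the vector readable on its own. The opening comment could also say what the vector regression-tests, e.g. `/* Signature for the CVE-2021-20305 case in ecdsa-verify-test.c; z and hash chosen so that u1 and u2 need canonical reduction. */`. test_main continues past the end of the hunk.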
@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
 void
 test_main (void)
 {
+ /* Corresponds to nonce k = 2 and private key z =
+ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
+ hash are chosen so that intermediate scalars in the verify
+ equations are u1 = 0x6b245680e700, u2 =
+ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
+ reduction of the scalars. Bug caused by missing canonical
+ reduction reported by Guido Vranken. */
+ test_ecdsa (&_nettle_secp_224r1,
+ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
+ "7be706a900a3cba1c8fdd014", /* x */
+ "74855db3f7c1b4097ae095745fc915e3"
+ "8a79d2a1de28f282eafb22ba", /* y */
+
+ SHEX("cdb887ac805a3b42e22d224c85482053"
+ "16c755d4a736bb2032c92553"),
+ "706a46dc76dcb76798e60e6d89474788"
+ "d16dc18032d268fd1a704fa6", /* r */
+ "3a41e1423b1853e8aa89747b1f987364"
+ "44705d6d6d8371ea1f578f2e"); /* s */
+
 /* From RFC 4754 */
 test_ecdsa (&_nettle_secp_256r1,
 "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
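Review bot: The added comment writes the two scalars inconsistently, `u1 = 0x6b245680e700` with a 0x prefix and `u2 = 259da6542d4ba7d21ad916c3bd57f811` without one, while z also carries 0x; writing `u2 = 0x259da6542d4ba7d21ad916c3bd57f811` removes any doubt about the radix. The comment also never names the advisory this vector guards against, and since the backport is tagged CVE-2021-20305, appending `(CVE-2021-20305)` to the `Bug caused by missing canonical reduction` sentence ties the regression test to the fix. Per the commit message the unfixed code only hits the assert on 64-bit platforms, so a 32-bit run of this case exercises the path without having detected the original defect; that is expected for a fixed vector, but worth keeping in mind when reading results from this test. test_main continues past the end of the hunk.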