Backport of: From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= Date: Sat, 13 Mar 2021 16:27:50 +0100 Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to canonical range. (cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398) Upstream-Status: Backport https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch CVE: CVE-2021-20305 dep4 Signed-off-by: Armin Kuster --- ChangeLog | 3 +++ ecc-ecdsa-sign.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 63848f53..fb2d7f66 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,8 @@ # 2021-03-13 Niels Möller # #+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to #+ canonical range. #+ # * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical # to compute the scalars used for ecc multiplication. # * testsuite/ecdsa-verify-test.c (test_main): Add test case that --- a/ecc-ecdsa-sign.c +++ b/ecc-ecdsa-sign.c @@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve * ecc_modq_mul (ecc, tp, zp, rp); ecc_modq_add (ecc, hp, hp, tp); - ecc_modq_mul (ecc, tp, hp, kinv); + ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); - mpn_copyi (sp, tp, ecc->p.size); #undef P #undef hp #undef kinv
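Review bot: in the ecc-ecdsa-sign.c hunk, `ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);` is called but not defined anywhere in this patch, so the backport only builds once the earlier patch in the series that introduces the function has been applied; state that ordering dependency explicitly in the header next to the "dep4" tag. In the same call, tp moves from holding the result to being passed as the fifth argument while sp now receives the output directly, and the removed `mpn_copyi (sp, tp, ecc->p.size);` sized s by p rather than q, so a short comment confirming that sp and tp are large enough for the `&ecc->q` modulus would help the next reader. The ChangeLog context shows that the verify side gained a test case; a matching sign-side test asserting that s is in the canonical range (below q) would guard this fix against regression. The diffstat still reports "ChangeLog | 3 +++" and "2 files changed, 4 insertions(+), 2 deletions(-)" although the ChangeLog hunk is commented out with '#'; refresh it or note that the ChangeLog change is intentionally dropped.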