1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Tue, 8 Jun 2021 21:32:38 +0200
Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions.
(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe)
Upstream-Status: Backport
CVE: CVE-2021-3580
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 10 +++++++++-
rsa-decrypt-tr.c | 4 ++++
rsa-decrypt.c | 10 ++++++++++
rsa-sec-decrypt.c | 4 ++++
rsa.h | 5 +++--
testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------
6 files changed, 62 insertions(+), 9 deletions(-)
Index: nettle-3.5.1/rsa-decrypt-tr.c
===================================================================
--- nettle-3.5.1.orig/rsa-decrypt-tr.c
+++ nettle-3.5.1/rsa-decrypt-tr.c
@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k
mp_size_t key_limb_size;
int res;
+ /* First check that input is in range. */
+ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
+ return 0;
+
key_limb_size = mpz_size(pub->n);
TMP_GMP_ALLOC (m, key_limb_size);
Index: nettle-3.5.1/rsa-decrypt.c
===================================================================
--- nettle-3.5.1.orig/rsa-decrypt.c
+++ nettle-3.5.1/rsa-decrypt.c
@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key
int res;
mpz_init(m);
+
+ /* First check that input is in range. Since we don't have the
+ public key available here, we need to reconstruct n. */
+ mpz_mul (m, key->p, key->q);
+ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
+ {
+ mpz_clear (m);
+ return 0;
+ }
+
rsa_compute_root(key, m, gibberish);
res = pkcs1_decrypt (key->size, m, length, message);
Index: nettle-3.5.1/rsa-sec-decrypt.c
===================================================================
--- nettle-3.5.1.orig/rsa-sec-decrypt.c
+++ nettle-3.5.1/rsa-sec-decrypt.c
@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_
TMP_GMP_DECL (em, uint8_t);
int res;
+ /* First check that input is in range. */
+ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
+ return 0;
+
TMP_GMP_ALLOC (m, mpz_size(pub->n));
TMP_GMP_ALLOC (em, key->size);
Index: nettle-3.5.1/rsa.h
===================================================================
--- nettle-3.5.1.orig/rsa.h
+++ nettle-3.5.1/rsa.h
@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_
size_t length, uint8_t *message,
const mpz_t gibberish);
-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
+/* Compute x, the e:th root of m. Calling it with x == m is allowed.
+ It is required that 0 <= m < n. */
void
rsa_compute_root(const struct rsa_private_key *key,
mpz_t x, const mpz_t m);
/* Safer variant, using RSA blinding, and checking the result after
- CRT. */
+ CRT. It is required that 0 <= m < n. */
int
rsa_compute_root_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
===================================================================
--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
+++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
@@ -19,11 +19,12 @@ test_main(void)
uint8_t after;
mpz_t gibberish;
- mpz_t zero;
+ mpz_t bad_input;
rsa_private_key_init(&key);
rsa_public_key_init(&pub);
mpz_init(gibberish);
+ mpz_init(bad_input);
knuth_lfib_init(&lfib, 17);
@@ -103,15 +104,40 @@ test_main(void)
ASSERT(decrypted[0] == 'A');
/* Test zero input. */
- mpz_init_set_ui (zero, 0);
+ mpz_set_ui (bad_input, 0);
decrypted_length = msg_length;
- ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
ASSERT(!rsa_decrypt_tr(&pub, &key,
&lfib, (nettle_random_func *) knuth_lfib_random,
- &decrypted_length, decrypted, zero));
+ &decrypted_length, decrypted, bad_input));
ASSERT(!rsa_sec_decrypt(&pub, &key,
&lfib, (nettle_random_func *) knuth_lfib_random,
- decrypted_length, decrypted, zero));
+ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test input that is slightly larger than n */
+ mpz_add(bad_input, gibberish, pub.n);
+ decrypted_length = msg_length;
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test input that is considerably larger than n */
+ mpz_mul_2exp (bad_input, pub.n, 100);
+ mpz_add (bad_input, bad_input, gibberish);
+ decrypted_length = msg_length;
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ decrypted_length, decrypted, bad_input));
ASSERT(decrypted_length == msg_length);
/* Test invalid key. */
@@ -124,6 +150,6 @@ test_main(void)
rsa_private_key_clear(&key);
rsa_public_key_clear(&pub);
mpz_clear(gibberish);
- mpz_clear(zero);
+ mpz_clear(bad_input);
free(decrypted);
}
|
