1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
Backport of:
From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 15:19:19 +0100
Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
* testsuite/ecdsa-verify-test.c (test_main): Add test case that
triggers an assert on 64-bit platforms, without above fix.
* testsuite/ecdsa-sign-test.c (test_main): Test case generating
the same signature.
(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
Upstream-Status: Backport
https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
CVE: CVE-2021-20305 dep3
[Minor fixup on _nettle_secp_224r1]
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
ChangeLog | 10 +++++++++-
ecc-ecdsa-verify.c | 4 ++--
testsuite/ecdsa-sign-test.c | 13 +++++++++++++
testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
4 files changed, 44 insertions(+), 3 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index 2a9217a6..63848f53 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,7 +1,15 @@
# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
#+ to compute the scalars used for ecc multiplication.
#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
#+ triggers an assert on 64-bit platforms, without above fix.
#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
#+ the same signature.
#+
#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
#
# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
Index: nettle-3.5.1/ecc-ecdsa-verify.c
===================================================================
--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
+++ nettle-3.5.1/ecc-ecdsa-verify.c
@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
/* u1 = h / s, P1 = u1 * G */
ecc_hash (&ecc->q, hp, length, digest);
- ecc_modq_mul (ecc, u1, hp, sinv);
+ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
/* u2 = r / s, P2 = u2 * Y */
- ecc_modq_mul (ecc, u2, rp, sinv);
+ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
/* Total storage: 5*ecc->p.size + ecc->mul_itch */
ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
===================================================================
--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
+++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
+ /* Producing the signature for corresponding test in
+ ecdsa-verify-test.c, with special u1 and u2. */
+ test_ecdsa (&_nettle_secp_224r1,
+ "99b5b787484def12894ca507058b3bf5"
+ "43d72d82fa7721d2e805e5e6",
+ "2",
+ SHEX("cdb887ac805a3b42e22d224c85482053"
+ "16c755d4a736bb2032c92553"),
+ "706a46dc76dcb76798e60e6d89474788"
+ "d16dc18032d268fd1a704fa6", /* r */
+ "3a41e1423b1853e8aa89747b1f987364"
+ "44705d6d6d8371ea1f578f2e"); /* s */
+
/* Test cases for the smaller groups, verified with a
proof-of-concept implementation done for Yubico AB. */
test_ecdsa (&_nettle_secp_192r1,
Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
===================================================================
--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
+++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
+ /* Corresponds to nonce k = 2 and private key z =
+ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
+ hash are chosen so that intermediate scalars in the verify
+ equations are u1 = 0x6b245680e700, u2 =
+ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
+ reduction of the scalars. Bug caused by missing canonical
+ reduction reported by Guido Vranken. */
+ test_ecdsa (&_nettle_secp_224r1,
+ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
+ "7be706a900a3cba1c8fdd014", /* x */
+ "74855db3f7c1b4097ae095745fc915e3"
+ "8a79d2a1de28f282eafb22ba", /* y */
+
+ SHEX("cdb887ac805a3b42e22d224c85482053"
+ "16c755d4a736bb2032c92553"),
+ "706a46dc76dcb76798e60e6d89474788"
+ "d16dc18032d268fd1a704fa6", /* r */
+ "3a41e1423b1853e8aa89747b1f987364"
+ "44705d6d6d8371ea1f578f2e"); /* s */
+
/* From RFC 4754 */
test_ecdsa (&_nettle_secp_256r1,
"2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
|