nettle: Security fix for CVE-2021-20305

Source: Debian.org MR: 110174 Type: Security Fix Disposition: Backport from https://sources.debian.org/patches/nettle/3.4.1-1+deb10u1/ ChangeID: 47746f3e58c03a62fef572797d0ae6e0cd865092 Description: Affects: Nettle < 3.7.2 Minor fixup for nettle_secp_224r1 to _nettle_secp_224r1 to match 3.5.1 (From OE-Core rev: 10f2333afd739669013a65112f6471f09e13d124) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-09-17 16:58:05 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-30 00:02:22 +0100
commit: 584252a0dc45eb1b876ed978800810c679b72415 (patch)
tree: fd435e19920c8ed277c4e1456ed9f1d81b307c30
parent: 33d7811e07e0b5d9fca6fdc0414ecbad181c73b6 (diff)
download: poky-584252a0dc45eb1b876ed978800810c679b72415.tar.gz
6 files changed, 496 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
new file mode 100644
index 0000000000..cfc0f382fa
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
@@ -0,0 +1,215 @@
+Backport of:
+From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Thu, 11 Mar 2021 19:37:41 +0100
+Subject: [PATCH] New functions ecc_mod_mul_canonical and
+ ecc_mod_sqr_canonical.
+* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+New functions.
+* ecc-internal.h: Declare and document new functions.
+* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+* ecc-j-to-a.c (ecc_j_to_a): Likewise.
+* ecc-mul-m.c (ecc_mul_m): Likewise.
+(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch
+CVE: CVE-2021-20305 dep1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog            | 11 +++++++++++
+ curve25519-eh-to-x.c |  6 +-----
+ curve448-eh-to-x.c   |  5 +----
+ ecc-eh-to-a.c        | 12 ++----------
+ ecc-internal.h       | 15 +++++++++++++++
+ ecc-j-to-a.c         | 15 +++------------
+ ecc-mod-arith.c      | 24 ++++++++++++++++++++++++
+ ecc-mul-m.c          |  6 ++----
+ 8 files changed, 59 insertions(+), 35 deletions(-)
+#diff --git a/ChangeLog b/ChangeLog
+#index fd138d82..5cc5c188 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,14 @@
+#+2021-03-11  Niels MÃ¶ller  <nisse@lysator.liu.se>
+#+
+#+      * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+#+      New functions.
+#+      * ecc-internal.h: Declare and document new functions.
+#+      * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+#+      * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+#+      * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+#+      * ecc-j-to-a.c (ecc_j_to_a): Likewise.
+#+      * ecc-mul-m.c (ecc_mul_m): Likewise.
+#+
+# 2021-02-17  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#       * Released Nettle-3.7.1.
+Index: nettle-3.5.1/curve25519-eh-to-x.c
+===================================================================
+--- nettle-3.5.1.orig/curve25519-eh-to-x.c
+++ nettle-3.5.1/curve25519-eh-to-x.c
+@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ #define t2 (scratch + 2*ecc->p.size)
+ 
+   const struct ecc_curve *ecc = &_nettle_curve25519;
+-  mp_limb_t cy;
+ 
+   /* If u = U/W and v = V/W are the coordiantes of the point on the
+      Edwards curve we get the curve25519 x coordinate as
+@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+   ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
+   
+   ecc_modp_add (ecc, t0, wp, vp);
+-  ecc_modp_mul (ecc, t2, t0, t1);
+-
+-  cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, xp, t2, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
+ #undef vp
+ #undef wp
+ #undef t0
+Index: nettle-3.5.1/ecc-eh-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-eh-to-a.c
+++ nettle-3.5.1/ecc-eh-to-a.c
+@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+   /* Needs 2*size + scratch for the invert call. */
+   ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
+ 
+-  ecc_modp_mul (ecc, tp, xp, izp);
+-  cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r, tp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
+ 
+   if (op)
+     {
+@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+        }
+       return;
+     }
+-  ecc_modp_mul (ecc, tp, yp, izp);
+-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
+ }
+Index: nettle-3.5.1/ecc-internal.h
+===================================================================
+--- nettle-3.5.1.orig/ecc-internal.h
+++ nettle-3.5.1/ecc-internal.h
+@@ -49,6 +49,8 @@
+ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
+ #define ecc_mod_mul _nettle_ecc_mod_mul
+ #define ecc_mod_sqr _nettle_ecc_mod_sqr
+#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
+#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
+ #define ecc_mod_random _nettle_ecc_mod_random
+ #define ecc_mod _nettle_ecc_mod
+ #define ecc_mod_inv _nettle_ecc_mod_inv
+@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m,
+ #define ecc_modq_mul(ecc, r, a, b) \
+   ecc_mod_mul (&(ecc)->q, (r), (a), (b))
+ 
+/* These mul and sqr functions produce a canonical result, 0 <= R < M.
+   Requirements on input and output areas are similar to the above
+   functions, except that it is *not* allowed to pass rp = rp +
+   m->size.
+ */
+void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+                      const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp);
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+                      const mp_limb_t *ap, mp_limb_t *tp);
+
+ /* mod q operations. */
+ void
+ ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
+Index: nettle-3.5.1/ecc-j-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-j-to-a.c
+++ nettle-3.5.1/ecc-j-to-a.c
+@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ #define izBp (scratch + 3*ecc->p.size)
+ #define tp    scratch
+ 
+-  mp_limb_t cy;
+-
+   if (ecc->use_redc)
+     {
+       /* Set v = (r_z / B^2)^-1,
+@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+       ecc_modp_sqr (ecc, iz2p, izp);
+     }
+ 
+-  ecc_modp_mul (ecc, iz3p, iz2p, p);
+-  /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so
+-     do a conditional subtraction. */
+-  cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r, iz3p, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
+ 
+   if (op)
+     {
+       /* Skip y coordinate */
+       if (op > 1)
+        {
+         mp_limb_t cy;
+          /* Also reduce the x coordinate mod ecc->q. It should
+             already be < 2*ecc->q, so one subtraction should
+             suffice. */
+@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+       return;
+     }
+   ecc_modp_mul (ecc, iz3p, iz2p, izp);
+-  ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size);
+-  /* And a similar subtraction. */
+-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
+ 
+ #undef izp
+ #undef up
+Index: nettle-3.5.1/ecc-mod-arith.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-mod-arith.c
+++ nettle-3.5.1/ecc-mod-arith.c
+@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
+ }
+ 
+ void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+                      const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
+{
+  mp_limb_t cy;
+  mpn_mul_n (tp + m->size, ap, bp, m->size);
+  m->reduce (m, tp + m->size);
+
+  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+                      const mp_limb_t *ap, mp_limb_t *tp)
+{
+  mp_limb_t cy;
+  mpn_sqr (tp + m->size, ap, m->size);
+  m->reduce (m, tp + m->size);
+
+  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
+ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
+             const mp_limb_t *ap)
+ {
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
new file mode 100644
index 0000000000..bb56b14c8c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
@@ -0,0 +1,53 @@
+Backport of:
+From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 17:26:37 +0100
+Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison.
+* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+(cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906)
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch
+CVE: CVE-2021-20305 dep2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog      | 4 ++++
+ eddsa-verify.c | 9 ++-------
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+#diff --git a/ChangeLog b/ChangeLog
+#index 5cc5c188..2a9217a6 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,7 @@
+#+2021-03-13  Niels MÃ¶ller  <nisse@lysator.liu.se>
+#+
+#+      * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+
+# 2021-03-11  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#       * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/eddsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-verify.c
+++ nettle-3.5.1/eddsa-verify.c
+@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p,
+ #define t0 scratch
+ #define t1 (scratch + p->size)
+ 
+-  ecc_mod_mul (p, t0, x1, z2);
+-  if (mpn_cmp (t0, p->m, p->size) >= 0)
+-    mpn_sub_n (t0, t0, p->m, p->size);
+-
+-  ecc_mod_mul (p, t1, x2, z1);
+-  if (mpn_cmp (t1, p->m, p->size) >= 0)
+-    mpn_sub_n (t1, t1, p->m, p->size);
+  ecc_mod_mul_canonical (p, t0, x1, z2, t0);
+  ecc_mod_mul_canonical (p, t1, x2, z1, t1);
+ 
+   return mpn_cmp (t0, t1, p->size) == 0;
+ 
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
new file mode 100644
index 0000000000..15a892ecdf
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
+Backport of:
+From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 15:19:19 +0100
+Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
+* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+to compute the scalars used for ecc multiplication.
+* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+triggers an assert on 64-bit platforms, without above fix.
+* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+the same signature.
+(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
+CVE: CVE-2021-20305 dep3
+[Minor fixup on _nettle_secp_224r1]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog                     | 10 +++++++++-
+ ecc-ecdsa-verify.c            |  4 ++--
+ testsuite/ecdsa-sign-test.c   | 13 +++++++++++++
+ testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
+ 4 files changed, 44 insertions(+), 3 deletions(-)
+#diff --git a/ChangeLog b/ChangeLog
+#index 2a9217a6..63848f53 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,7 +1,15 @@
+# 2021-03-13  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#-      * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+      * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#+      to compute the scalars used for ecc multiplication.
+#+      * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+#+      triggers an assert on 64-bit platforms, without above fix.
+#+      * testsuite/ecdsa-sign-test.c (test_main): Test case generating
+#+      the same signature.
+#+
+#+2021-03-13  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#+      * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+# 2021-03-11  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#       * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/ecc-ecdsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
+++ nettle-3.5.1/ecc-ecdsa-verify.c
+@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
+ 
+   /* u1 = h / s, P1 = u1 * G */
+   ecc_hash (&ecc->q, hp, length, digest);
+-  ecc_modq_mul (ecc, u1, hp, sinv);
+  ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
+ 
+   /* u2 = r / s, P2 = u2 * Y */
+-  ecc_modq_mul (ecc, u2, rp, sinv);
+  ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
+ 
+    /* Total storage: 5*ecc->p.size + ecc->mul_itch */
+   ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
+Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
+++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
+@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
+  /* Producing the signature for corresponding test in
+     ecdsa-verify-test.c, with special u1 and u2. */
+  test_ecdsa (&_nettle_secp_224r1,
+             "99b5b787484def12894ca507058b3bf5"
+             "43d72d82fa7721d2e805e5e6",
+             "2",
+             SHEX("cdb887ac805a3b42e22d224c85482053"
+                  "16c755d4a736bb2032c92553"),
+             "706a46dc76dcb76798e60e6d89474788"
+             "d16dc18032d268fd1a704fa6", /* r */
+             "3a41e1423b1853e8aa89747b1f987364"
+             "44705d6d6d8371ea1f578f2e"); /* s */
+
+   /* Test cases for the smaller groups, verified with a
+      proof-of-concept implementation done for Yubico AB. */
+   test_ecdsa (&_nettle_secp_192r1,
+Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
+++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
+@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
+  /* Corresponds to nonce k = 2 and private key z =
+     0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
+     hash are chosen so that intermediate scalars in the verify
+     equations are u1 = 0x6b245680e700, u2 =
+     259da6542d4ba7d21ad916c3bd57f811. These values require canonical
+     reduction of the scalars. Bug caused by missing canonical
+     reduction reported by Guido Vranken. */
+  test_ecdsa (&_nettle_secp_224r1,
+             "9e7e6cc6b1bdfa8ee039b66ad85e5490"
+             "7be706a900a3cba1c8fdd014", /* x */
+             "74855db3f7c1b4097ae095745fc915e3"
+             "8a79d2a1de28f282eafb22ba", /* y */
+
+             SHEX("cdb887ac805a3b42e22d224c85482053"
+                  "16c755d4a736bb2032c92553"),
+             "706a46dc76dcb76798e60e6d89474788"
+             "d16dc18032d268fd1a704fa6", /* r */
+             "3a41e1423b1853e8aa89747b1f987364"
+             "44705d6d6d8371ea1f578f2e"); /* s */
+
+   /* From RFC 4754 */
+   test_ecdsa (&_nettle_secp_256r1,
+              "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
new file mode 100644
index 0000000000..54b4fa584c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
@@ -0,0 +1,48 @@
+Backport of:
+From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:27:50 +0100
+Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced.
+* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+canonical range.
+(cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398)
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch
+CVE: CVE-2021-20305 dep4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog        | 3 +++
+ ecc-ecdsa-sign.c | 3 +--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+#diff --git a/ChangeLog b/ChangeLog
+#index 63848f53..fb2d7f66 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#+      * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+#+      canonical range.
+#+
+#       * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#       to compute the scalars used for ecc multiplication.
+#       * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+--- a/ecc-ecdsa-sign.c
+++ b/ecc-ecdsa-sign.c
+@@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve *
+ 
+   ecc_modq_mul (ecc, tp, zp, rp);
+   ecc_modq_add (ecc, hp, hp, tp);
+-  ecc_modq_mul (ecc, tp, hp, kinv);
+  ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);
+ 
+-  mpn_copyi (sp, tp, ecc->p.size);
+ #undef P
+ #undef hp
+ #undef kinv
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
new file mode 100644
index 0000000000..468ff66266
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
@@ -0,0 +1,53 @@
+Backport of:
+From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:42:21 +0100
+Subject: [PATCH] Similar fix for eddsa.
+* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+reduced. Two of the three call sites need that.
+(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
+CVE: CVE-2021-20305 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog    |  3 +++
+ eddsa-hash.c | 10 +++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+#diff --git a/ChangeLog b/ChangeLog
+#index 5f8a22c2..ce330831 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#+      * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+#+      reduced. Two of the three call sites need that.
+#+
+#       * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
+#       to compute the scalars used for ecc multiplication.
+# 
+Index: nettle-3.5.1/eddsa-hash.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-hash.c
+++ nettle-3.5.1/eddsa-hash.c
+@@ -46,7 +46,12 @@ void
+ _eddsa_hash (const struct ecc_modulo *m,
+             mp_limb_t *rp, const uint8_t *digest)
+ {
+  mp_limb_t cy;
+   size_t nbytes = 1 + m->bit_size / 8;
+   mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes);
+   m->mod (m, rp);
+  mpn_copyi (rp + m->size, rp, m->size);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, rp + m->size, m->size);
+ }
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb
index 9212d9deb5..192fd295e9 100644
--- a/meta/recipes-support/nettle/nettle_3.5.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.5.1.bb
@@ -20,6 +20,11 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
           file://check-header-files-of-openssl-only-if-enable_.patch \
           file://CVE-2021-3580_1.patch \
           file://CVE-2021-3580_2.patch \
+           file://CVE-2021-20305-1.patch \
+           file://CVE-2021-20305-2.patch \
+           file://CVE-2021-20305-3.patch \
+           file://CVE-2021-20305-4.patch \
+           file://CVE-2021-20305-5.patch \
           "
 SRC_URI_append_class-target = "\
author	Armin Kuster <akuster@mvista.com>	2021-09-17 16:58:05 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-30 00:02:22 +0100
commit	584252a0dc45eb1b876ed978800810c679b72415 (patch)
tree	fd435e19920c8ed277c4e1456ed9f1d81b307c30
parent	33d7811e07e0b5d9fca6fdc0414ecbad181c73b6 (diff)
download	poky-584252a0dc45eb1b876ed978800810c679b72415.tar.gz

diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch new file mode 100644 index 0000000000..cfc0f382fa --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
@@ -0,0 +1,215 @@
		1	Backport of:
		2
		3	From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
		4	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
		5	Date: Thu, 11 Mar 2021 19:37:41 +0100
		6	Subject: [PATCH] New functions ecc_mod_mul_canonical and
		7	ecc_mod_sqr_canonical.
		8
		9	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
		10	New functions.
		11	* ecc-internal.h: Declare and document new functions.
		12	* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
		13	* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
		14	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
		15	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
		16	* ecc-mul-m.c (ecc_mul_m): Likewise.
		17
		18	(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
		19
		20	Upstream-Status: Backport
		21	https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch
		22	CVE: CVE-2021-20305 dep1
		23	Signed-off-by: Armin Kuster <akuster@mvista.com>
		24
		25	---
		26	ChangeLog \| 11 +++++++++++
		27	curve25519-eh-to-x.c \| 6 +-----
		28	curve448-eh-to-x.c \| 5 +----
		29	ecc-eh-to-a.c \| 12 ++----------
		30	ecc-internal.h \| 15 +++++++++++++++
		31	ecc-j-to-a.c \| 15 +++------------
		32	ecc-mod-arith.c \| 24 ++++++++++++++++++++++++
		33	ecc-mul-m.c \| 6 ++----
		34	8 files changed, 59 insertions(+), 35 deletions(-)
		35
		36	#diff --git a/ChangeLog b/ChangeLog
		37	#index fd138d82..5cc5c188 100644
		38	#--- a/ChangeLog
		39	#+++ b/ChangeLog
		40	#@@ -1,3 +1,14 @@
		41	#+2021-03-11 Niels MÃ¶ller <nisse@lysator.liu.se>
		42	#+
		43	#+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
		44	#+ New functions.
		45	#+ * ecc-internal.h: Declare and document new functions.
		46	#+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
		47	#+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
		48	#+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
		49	#+ * ecc-j-to-a.c (ecc_j_to_a): Likewise.
		50	#+ * ecc-mul-m.c (ecc_mul_m): Likewise.
		51	#+
		52	# 2021-02-17 Niels MÃ¶ller <nisse@lysator.liu.se>
		53	#
		54	# * Released Nettle-3.7.1.
		55	Index: nettle-3.5.1/curve25519-eh-to-x.c
		56	===================================================================
		57	--- nettle-3.5.1.orig/curve25519-eh-to-x.c
		58	+++ nettle-3.5.1/curve25519-eh-to-x.c
		59	@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
		60	#define t2 (scratch + 2*ecc->p.size)
		61
		62	const struct ecc_curve *ecc = &_nettle_curve25519;
		63	- mp_limb_t cy;
		64
		65	/* If u = U/W and v = V/W are the coordiantes of the point on the
		66	Edwards curve we get the curve25519 x coordinate as
		67	@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
		68	ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
		69
		70	ecc_modp_add (ecc, t0, wp, vp);
		71	- ecc_modp_mul (ecc, t2, t0, t1);
		72	-
		73	- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
		74	- cnd_copy (cy, xp, t2, ecc->p.size);
		75	+ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
		76	#undef vp
		77	#undef wp
		78	#undef t0
		79	Index: nettle-3.5.1/ecc-eh-to-a.c
		80	===================================================================
		81	--- nettle-3.5.1.orig/ecc-eh-to-a.c
		82	+++ nettle-3.5.1/ecc-eh-to-a.c
		83	@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc
		84	/* Needs 2size + scratch for the invert call. /
		85	ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
		86
		87	- ecc_modp_mul (ecc, tp, xp, izp);
		88	- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
		89	- cnd_copy (cy, r, tp, ecc->p.size);
		90	+ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
		91
		92	if (op)
		93	{
		94	@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc
		95	}
		96	return;
		97	}
		98	- ecc_modp_mul (ecc, tp, yp, izp);
		99	- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
		100	- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
		101	+ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
		102	}
		103	Index: nettle-3.5.1/ecc-internal.h
		104	===================================================================
		105	--- nettle-3.5.1.orig/ecc-internal.h
		106	+++ nettle-3.5.1/ecc-internal.h
		107	@@ -49,6 +49,8 @@
		108	#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
		109	#define ecc_mod_mul _nettle_ecc_mod_mul
		110	#define ecc_mod_sqr _nettle_ecc_mod_sqr
		111	+#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
		112	+#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
		113	#define ecc_mod_random _nettle_ecc_mod_random
		114	#define ecc_mod _nettle_ecc_mod
		115	#define ecc_mod_inv _nettle_ecc_mod_inv
		116	@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m,
		117	#define ecc_modq_mul(ecc, r, a, b) \
		118	ecc_mod_mul (&(ecc)->q, (r), (a), (b))
		119
		120	+/* These mul and sqr functions produce a canonical result, 0 <= R < M.
		121	+ Requirements on input and output areas are similar to the above
		122	+ functions, except that it is not allowed to pass rp = rp +
		123	+ m->size.
		124	+ */
		125	+void
		126	+ecc_mod_mul_canonical (const struct ecc_modulo m, mp_limb_t rp,
		127	+ const mp_limb_t ap, const mp_limb_t bp, mp_limb_t *tp);
		128	+
		129	+void
		130	+ecc_mod_sqr_canonical (const struct ecc_modulo m, mp_limb_t rp,
		131	+ const mp_limb_t ap, mp_limb_t tp);
		132	+
		133	/* mod q operations. */
		134	void
		135	ecc_mod_random (const struct ecc_modulo m, mp_limb_t xp,
		136	Index: nettle-3.5.1/ecc-j-to-a.c
		137	===================================================================
		138	--- nettle-3.5.1.orig/ecc-j-to-a.c
		139	+++ nettle-3.5.1/ecc-j-to-a.c
		140	@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
		141	#define izBp (scratch + 3*ecc->p.size)
		142	#define tp scratch
		143
		144	- mp_limb_t cy;
		145	-
		146	if (ecc->use_redc)
		147	{
		148	/* Set v = (r_z / B^2)^-1,
		149	@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc,
		150	ecc_modp_sqr (ecc, iz2p, izp);
		151	}
		152
		153	- ecc_modp_mul (ecc, iz3p, iz2p, p);
		154	- /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so
		155	- do a conditional subtraction. */
		156	- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
		157	- cnd_copy (cy, r, iz3p, ecc->p.size);
		158	+ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
		159
		160	if (op)
		161	{
		162	/* Skip y coordinate */
		163	if (op > 1)
		164	{
		165	+ mp_limb_t cy;
		166	/* Also reduce the x coordinate mod ecc->q. It should
		167	already be < 2*ecc->q, so one subtraction should
		168	suffice. */
		169	@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
		170	return;
		171	}
		172	ecc_modp_mul (ecc, iz3p, iz2p, izp);
		173	- ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size);
		174	- /* And a similar subtraction. */
		175	- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
		176	- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
		177	+ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
		178
		179	#undef izp
		180	#undef up
		181	Index: nettle-3.5.1/ecc-mod-arith.c
		182	===================================================================
		183	--- nettle-3.5.1.orig/ecc-mod-arith.c
		184	+++ nettle-3.5.1/ecc-mod-arith.c
		185	@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
		186	}
		187
		188	void
		189	+ecc_mod_mul_canonical (const struct ecc_modulo m, mp_limb_t rp,
		190	+ const mp_limb_t ap, const mp_limb_t bp, mp_limb_t *tp)
		191	+{
		192	+ mp_limb_t cy;
		193	+ mpn_mul_n (tp + m->size, ap, bp, m->size);
		194	+ m->reduce (m, tp + m->size);
		195	+
		196	+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
		197	+ cnd_copy (cy, rp, tp + m->size, m->size);
		198	+}
		199	+
		200	+void
		201	+ecc_mod_sqr_canonical (const struct ecc_modulo m, mp_limb_t rp,
		202	+ const mp_limb_t ap, mp_limb_t tp)
		203	+{
		204	+ mp_limb_t cy;
		205	+ mpn_sqr (tp + m->size, ap, m->size);
		206	+ m->reduce (m, tp + m->size);
		207	+
		208	+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
		209	+ cnd_copy (cy, rp, tp + m->size, m->size);
		210	+}
		211	+
		212	+void
		213	ecc_mod_sqr (const struct ecc_modulo m, mp_limb_t rp,
		214	const mp_limb_t *ap)
		215	{


diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch new file mode 100644 index 0000000000..bb56b14c8c --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
@@ -0,0 +1,53 @@
		1	Backport of:
		2
		3	From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001
		4	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
		5	Date: Sat, 13 Mar 2021 17:26:37 +0100
		6	Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison.
		7
		8	* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
		9
		10	(cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906)
		11
		12	Upstream-Status: Backport
		13	https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch
		14	CVE: CVE-2021-20305 dep2
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	ChangeLog \| 4 ++++
		19	eddsa-verify.c \| 9 ++-------
		20	2 files changed, 6 insertions(+), 7 deletions(-)
		21
		22	#diff --git a/ChangeLog b/ChangeLog
		23	#index 5cc5c188..2a9217a6 100644
		24	#--- a/ChangeLog
		25	#+++ b/ChangeLog
		26	#@@ -1,3 +1,7 @@
		27	#+2021-03-13 Niels MÃ¶ller <nisse@lysator.liu.se>
		28	#+
		29	#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
		30	#+
		31	# 2021-03-11 Niels MÃ¶ller <nisse@lysator.liu.se>
		32	#
		33	# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
		34	Index: nettle-3.5.1/eddsa-verify.c
		35	===================================================================
		36	--- nettle-3.5.1.orig/eddsa-verify.c
		37	+++ nettle-3.5.1/eddsa-verify.c
		38	@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p,
		39	#define t0 scratch
		40	#define t1 (scratch + p->size)
		41
		42	- ecc_mod_mul (p, t0, x1, z2);
		43	- if (mpn_cmp (t0, p->m, p->size) >= 0)
		44	- mpn_sub_n (t0, t0, p->m, p->size);
		45	-
		46	- ecc_mod_mul (p, t1, x2, z1);
		47	- if (mpn_cmp (t1, p->m, p->size) >= 0)
		48	- mpn_sub_n (t1, t1, p->m, p->size);
		49	+ ecc_mod_mul_canonical (p, t0, x1, z2, t0);
		50	+ ecc_mod_mul_canonical (p, t1, x2, z1, t1);
		51
		52	return mpn_cmp (t0, t1, p->size) == 0;
		53


diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch new file mode 100644 index 0000000000..15a892ecdf --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
		1	Backport of:
		2
		3	From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
		4	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
		5	Date: Sat, 13 Mar 2021 15:19:19 +0100
		6	Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
		7
		8	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
		9	to compute the scalars used for ecc multiplication.
		10	* testsuite/ecdsa-verify-test.c (test_main): Add test case that
		11	triggers an assert on 64-bit platforms, without above fix.
		12	* testsuite/ecdsa-sign-test.c (test_main): Test case generating
		13	the same signature.
		14
		15	(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
		16
		17	Upstream-Status: Backport
		18	https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
		19	CVE: CVE-2021-20305 dep3
		20	[Minor fixup on _nettle_secp_224r1]
		21	Signed-off-by: Armin Kuster <akuster@mvista.com>
		22
		23	---
		24	ChangeLog \| 10 +++++++++-
		25	ecc-ecdsa-verify.c \| 4 ++--
		26	testsuite/ecdsa-sign-test.c \| 13 +++++++++++++
		27	testsuite/ecdsa-verify-test.c \| 20 ++++++++++++++++++++
		28	4 files changed, 44 insertions(+), 3 deletions(-)
		29
		30	#diff --git a/ChangeLog b/ChangeLog
		31	#index 2a9217a6..63848f53 100644
		32	#--- a/ChangeLog
		33	#+++ b/ChangeLog
		34	#@@ -1,7 +1,15 @@
		35	# 2021-03-13 Niels MÃ¶ller <nisse@lysator.liu.se>
		36	#
		37	#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
		38	#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
		39	#+ to compute the scalars used for ecc multiplication.
		40	#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
		41	#+ triggers an assert on 64-bit platforms, without above fix.
		42	#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
		43	#+ the same signature.
		44	#+
		45	#+2021-03-13 Niels MÃ¶ller <nisse@lysator.liu.se>
		46	#
		47	#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
		48	# 2021-03-11 Niels MÃ¶ller <nisse@lysator.liu.se>
		49	#
		50	# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
		51	Index: nettle-3.5.1/ecc-ecdsa-verify.c
		52	===================================================================
		53	--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
		54	+++ nettle-3.5.1/ecc-ecdsa-verify.c
		55	@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
		56
		57	/* u1 = h / s, P1 = u1 * G */
		58	ecc_hash (&ecc->q, hp, length, digest);
		59	- ecc_modq_mul (ecc, u1, hp, sinv);
		60	+ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
		61
		62	/* u2 = r / s, P2 = u2 * Y */
		63	- ecc_modq_mul (ecc, u2, rp, sinv);
		64	+ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
		65
		66	/* Total storage: 5ecc->p.size + ecc->mul_itch /
		67	ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
		68	Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
		69	===================================================================
		70	--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
		71	+++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
		72	@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
		73	void
		74	test_main (void)
		75	{
		76	+ /* Producing the signature for corresponding test in
		77	+ ecdsa-verify-test.c, with special u1 and u2. */
		78	+ test_ecdsa (&_nettle_secp_224r1,
		79	+ "99b5b787484def12894ca507058b3bf5"
		80	+ "43d72d82fa7721d2e805e5e6",
		81	+ "2",
		82	+ SHEX("cdb887ac805a3b42e22d224c85482053"
		83	+ "16c755d4a736bb2032c92553"),
		84	+ "706a46dc76dcb76798e60e6d89474788"
		85	+ "d16dc18032d268fd1a704fa6", /* r */
		86	+ "3a41e1423b1853e8aa89747b1f987364"
		87	+ "44705d6d6d8371ea1f578f2e"); /* s */
		88	+
		89	/* Test cases for the smaller groups, verified with a
		90	proof-of-concept implementation done for Yubico AB. */
		91	test_ecdsa (&_nettle_secp_192r1,
		92	Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
		93	===================================================================
		94	--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
		95	+++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
		96	@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
		97	void
		98	test_main (void)
		99	{
		100	+ /* Corresponds to nonce k = 2 and private key z =
		101	+ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
		102	+ hash are chosen so that intermediate scalars in the verify
		103	+ equations are u1 = 0x6b245680e700, u2 =
		104	+ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
		105	+ reduction of the scalars. Bug caused by missing canonical
		106	+ reduction reported by Guido Vranken. */
		107	+ test_ecdsa (&_nettle_secp_224r1,
		108	+ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
		109	+ "7be706a900a3cba1c8fdd014", /* x */
		110	+ "74855db3f7c1b4097ae095745fc915e3"
		111	+ "8a79d2a1de28f282eafb22ba", /* y */
		112	+
		113	+ SHEX("cdb887ac805a3b42e22d224c85482053"
		114	+ "16c755d4a736bb2032c92553"),
		115	+ "706a46dc76dcb76798e60e6d89474788"
		116	+ "d16dc18032d268fd1a704fa6", /* r */
		117	+ "3a41e1423b1853e8aa89747b1f987364"
		118	+ "44705d6d6d8371ea1f578f2e"); /* s */
		119	+
		120	/* From RFC 4754 */
		121	test_ecdsa (&_nettle_secp_256r1,
		122	"2442A5CC 0ECD015F A3CA31DC 8E2BBC70"


diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch new file mode 100644 index 0000000000..54b4fa584c --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
@@ -0,0 +1,48 @@
		1	Backport of:
		2
		3	From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001
		4	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
		5	Date: Sat, 13 Mar 2021 16:27:50 +0100
		6	Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced.
		7
		8	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
		9	canonical range.
		10
		11	(cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398)
		12
		13	Upstream-Status: Backport
		14	https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch
		15	CVE: CVE-2021-20305 dep4
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	ChangeLog \| 3 +++
		20	ecc-ecdsa-sign.c \| 3 +--
		21	2 files changed, 4 insertions(+), 2 deletions(-)
		22
		23	#diff --git a/ChangeLog b/ChangeLog
		24	#index 63848f53..fb2d7f66 100644
		25	#--- a/ChangeLog
		26	#+++ b/ChangeLog
		27	#@@ -1,5 +1,8 @@
		28	# 2021-03-13 Niels MÃ¶ller <nisse@lysator.liu.se>
		29	#
		30	#+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
		31	#+ canonical range.
		32	#+
		33	# * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
		34	# to compute the scalars used for ecc multiplication.
		35	# * testsuite/ecdsa-verify-test.c (test_main): Add test case that
		36	--- a/ecc-ecdsa-sign.c
		37	+++ b/ecc-ecdsa-sign.c
		38	@@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve *
		39
		40	ecc_modq_mul (ecc, tp, zp, rp);
		41	ecc_modq_add (ecc, hp, hp, tp);
		42	- ecc_modq_mul (ecc, tp, hp, kinv);
		43	+ ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);
		44
		45	- mpn_copyi (sp, tp, ecc->p.size);
		46	#undef P
		47	#undef hp
		48	#undef kinv


diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch new file mode 100644 index 0000000000..468ff66266 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
@@ -0,0 +1,53 @@
		1	Backport of:
		2
		3	From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
		4	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
		5	Date: Sat, 13 Mar 2021 16:42:21 +0100
		6	Subject: [PATCH] Similar fix for eddsa.
		7
		8	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
		9	reduced. Two of the three call sites need that.
		10
		11	(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
		12
		13
		14	Upstream-Status: Backport
		15	https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
		16	CVE: CVE-2021-20305
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	ChangeLog \| 3 +++
		21	eddsa-hash.c \| 10 +++++++---
		22	2 files changed, 10 insertions(+), 3 deletions(-)
		23
		24	#diff --git a/ChangeLog b/ChangeLog
		25	#index 5f8a22c2..ce330831 100644
		26	#--- a/ChangeLog
		27	#+++ b/ChangeLog
		28	#@@ -1,5 +1,8 @@
		29	# 2021-03-13 Niels MÃ¶ller <nisse@lysator.liu.se>
		30	#
		31	#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
		32	#+ reduced. Two of the three call sites need that.
		33	#+
		34	# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
		35	# to compute the scalars used for ecc multiplication.
		36	#
		37	Index: nettle-3.5.1/eddsa-hash.c
		38	===================================================================
		39	--- nettle-3.5.1.orig/eddsa-hash.c
		40	+++ nettle-3.5.1/eddsa-hash.c
		41	@@ -46,7 +46,12 @@ void
		42	_eddsa_hash (const struct ecc_modulo *m,
		43	mp_limb_t rp, const uint8_t digest)
		44	{
		45	+ mp_limb_t cy;
		46	size_t nbytes = 1 + m->bit_size / 8;
		47	mpn_set_base256_le (rp, 2m->size, digest, 2nbytes);
		48	m->mod (m, rp);
		49	+ mpn_copyi (rp + m->size, rp, m->size);
		50	+ /* Ensure canonical reduction. */
		51	+ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
		52	+ cnd_copy (cy, rp, rp + m->size, m->size);
		53	}


diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb index 9212d9deb5..192fd295e9 100644 --- a/meta/recipes-support/nettle/nettle_3.5.1.bb +++ b/meta/recipes-support/nettle/nettle_3.5.1.bb
@@ -20,6 +20,11 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
20	file://check-header-files-of-openssl-only-if-enable_.patch \	20	file://check-header-files-of-openssl-only-if-enable_.patch \
21	file://CVE-2021-3580_1.patch \	21	file://CVE-2021-3580_1.patch \
22	file://CVE-2021-3580_2.patch \	22	file://CVE-2021-3580_2.patch \
		23	file://CVE-2021-20305-1.patch \
		24	file://CVE-2021-20305-2.patch \
		25	file://CVE-2021-20305-3.patch \
		26	file://CVE-2021-20305-4.patch \
		27	file://CVE-2021-20305-5.patch \
23	"	28	"
24		29
25	SRC_URI_append_class-target = "\	30	SRC_URI_append_class-target = "\