diff options
6 files changed, 496 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch new file mode 100644 index 0000000000..cfc0f382fa --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch | |||
@@ -0,0 +1,215 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Thu, 11 Mar 2021 19:37:41 +0100 | ||
6 | Subject: [PATCH] New functions ecc_mod_mul_canonical and | ||
7 | ecc_mod_sqr_canonical. | ||
8 | |||
9 | * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): | ||
10 | New functions. | ||
11 | * ecc-internal.h: Declare and document new functions. | ||
12 | * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. | ||
13 | * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. | ||
14 | * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. | ||
15 | * ecc-j-to-a.c (ecc_j_to_a): Likewise. | ||
16 | * ecc-mul-m.c (ecc_mul_m): Likewise. | ||
17 | |||
18 | (cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c) | ||
19 | |||
20 | Upstream-Status: Backport | ||
21 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch | ||
22 | CVE: CVE-2021-20305 dep1 | ||
23 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
24 | |||
25 | --- | ||
26 | ChangeLog | 11 +++++++++++ | ||
27 | curve25519-eh-to-x.c | 6 +----- | ||
28 | curve448-eh-to-x.c | 5 +---- | ||
29 | ecc-eh-to-a.c | 12 ++---------- | ||
30 | ecc-internal.h | 15 +++++++++++++++ | ||
31 | ecc-j-to-a.c | 15 +++------------ | ||
32 | ecc-mod-arith.c | 24 ++++++++++++++++++++++++ | ||
33 | ecc-mul-m.c | 6 ++---- | ||
34 | 8 files changed, 59 insertions(+), 35 deletions(-) | ||
35 | |||
36 | #diff --git a/ChangeLog b/ChangeLog | ||
37 | #index fd138d82..5cc5c188 100644 | ||
38 | #--- a/ChangeLog | ||
39 | #+++ b/ChangeLog | ||
40 | #@@ -1,3 +1,14 @@ | ||
41 | #+2021-03-11 Niels Möller <nisse@lysator.liu.se> | ||
42 | #+ | ||
43 | #+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): | ||
44 | #+ New functions. | ||
45 | #+ * ecc-internal.h: Declare and document new functions. | ||
46 | #+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. | ||
47 | #+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. | ||
48 | #+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. | ||
49 | #+ * ecc-j-to-a.c (ecc_j_to_a): Likewise. | ||
50 | #+ * ecc-mul-m.c (ecc_mul_m): Likewise. | ||
51 | #+ | ||
52 | # 2021-02-17 Niels Möller <nisse@lysator.liu.se> | ||
53 | # | ||
54 | # * Released Nettle-3.7.1. | ||
55 | Index: nettle-3.5.1/curve25519-eh-to-x.c | ||
56 | =================================================================== | ||
57 | --- nettle-3.5.1.orig/curve25519-eh-to-x.c | ||
58 | +++ nettle-3.5.1/curve25519-eh-to-x.c | ||
59 | @@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const | ||
60 | #define t2 (scratch + 2*ecc->p.size) | ||
61 | |||
62 | const struct ecc_curve *ecc = &_nettle_curve25519; | ||
63 | - mp_limb_t cy; | ||
64 | |||
65 | /* If u = U/W and v = V/W are the coordiantes of the point on the | ||
66 | Edwards curve we get the curve25519 x coordinate as | ||
67 | @@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const | ||
68 | ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); | ||
69 | |||
70 | ecc_modp_add (ecc, t0, wp, vp); | ||
71 | - ecc_modp_mul (ecc, t2, t0, t1); | ||
72 | - | ||
73 | - cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); | ||
74 | - cnd_copy (cy, xp, t2, ecc->p.size); | ||
75 | + ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2); | ||
76 | #undef vp | ||
77 | #undef wp | ||
78 | #undef t0 | ||
79 | Index: nettle-3.5.1/ecc-eh-to-a.c | ||
80 | =================================================================== | ||
81 | --- nettle-3.5.1.orig/ecc-eh-to-a.c | ||
82 | +++ nettle-3.5.1/ecc-eh-to-a.c | ||
83 | @@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc | ||
84 | /* Needs 2*size + scratch for the invert call. */ | ||
85 | ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); | ||
86 | |||
87 | - ecc_modp_mul (ecc, tp, xp, izp); | ||
88 | - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); | ||
89 | - cnd_copy (cy, r, tp, ecc->p.size); | ||
90 | + ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); | ||
91 | |||
92 | if (op) | ||
93 | { | ||
94 | @@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc | ||
95 | } | ||
96 | return; | ||
97 | } | ||
98 | - ecc_modp_mul (ecc, tp, yp, izp); | ||
99 | - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); | ||
100 | - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); | ||
101 | + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); | ||
102 | } | ||
103 | Index: nettle-3.5.1/ecc-internal.h | ||
104 | =================================================================== | ||
105 | --- nettle-3.5.1.orig/ecc-internal.h | ||
106 | +++ nettle-3.5.1/ecc-internal.h | ||
107 | @@ -49,6 +49,8 @@ | ||
108 | #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 | ||
109 | #define ecc_mod_mul _nettle_ecc_mod_mul | ||
110 | #define ecc_mod_sqr _nettle_ecc_mod_sqr | ||
111 | +#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical | ||
112 | +#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical | ||
113 | #define ecc_mod_random _nettle_ecc_mod_random | ||
114 | #define ecc_mod _nettle_ecc_mod | ||
115 | #define ecc_mod_inv _nettle_ecc_mod_inv | ||
116 | @@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m, | ||
117 | #define ecc_modq_mul(ecc, r, a, b) \ | ||
118 | ecc_mod_mul (&(ecc)->q, (r), (a), (b)) | ||
119 | |||
120 | +/* These mul and sqr functions produce a canonical result, 0 <= R < M. | ||
121 | + Requirements on input and output areas are similar to the above | ||
122 | + functions, except that it is *not* allowed to pass rp = rp + | ||
123 | + m->size. | ||
124 | + */ | ||
125 | +void | ||
126 | +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, | ||
127 | + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); | ||
128 | + | ||
129 | +void | ||
130 | +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, | ||
131 | + const mp_limb_t *ap, mp_limb_t *tp); | ||
132 | + | ||
133 | /* mod q operations. */ | ||
134 | void | ||
135 | ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, | ||
136 | Index: nettle-3.5.1/ecc-j-to-a.c | ||
137 | =================================================================== | ||
138 | --- nettle-3.5.1.orig/ecc-j-to-a.c | ||
139 | +++ nettle-3.5.1/ecc-j-to-a.c | ||
140 | @@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc, | ||
141 | #define izBp (scratch + 3*ecc->p.size) | ||
142 | #define tp scratch | ||
143 | |||
144 | - mp_limb_t cy; | ||
145 | - | ||
146 | if (ecc->use_redc) | ||
147 | { | ||
148 | /* Set v = (r_z / B^2)^-1, | ||
149 | @@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc, | ||
150 | ecc_modp_sqr (ecc, iz2p, izp); | ||
151 | } | ||
152 | |||
153 | - ecc_modp_mul (ecc, iz3p, iz2p, p); | ||
154 | - /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so | ||
155 | - do a conditional subtraction. */ | ||
156 | - cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); | ||
157 | - cnd_copy (cy, r, iz3p, ecc->p.size); | ||
158 | + ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); | ||
159 | |||
160 | if (op) | ||
161 | { | ||
162 | /* Skip y coordinate */ | ||
163 | if (op > 1) | ||
164 | { | ||
165 | + mp_limb_t cy; | ||
166 | /* Also reduce the x coordinate mod ecc->q. It should | ||
167 | already be < 2*ecc->q, so one subtraction should | ||
168 | suffice. */ | ||
169 | @@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc, | ||
170 | return; | ||
171 | } | ||
172 | ecc_modp_mul (ecc, iz3p, iz2p, izp); | ||
173 | - ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); | ||
174 | - /* And a similar subtraction. */ | ||
175 | - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); | ||
176 | - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); | ||
177 | + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p); | ||
178 | |||
179 | #undef izp | ||
180 | #undef up | ||
181 | Index: nettle-3.5.1/ecc-mod-arith.c | ||
182 | =================================================================== | ||
183 | --- nettle-3.5.1.orig/ecc-mod-arith.c | ||
184 | +++ nettle-3.5.1/ecc-mod-arith.c | ||
185 | @@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m, | ||
186 | } | ||
187 | |||
188 | void | ||
189 | +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, | ||
190 | + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) | ||
191 | +{ | ||
192 | + mp_limb_t cy; | ||
193 | + mpn_mul_n (tp + m->size, ap, bp, m->size); | ||
194 | + m->reduce (m, tp + m->size); | ||
195 | + | ||
196 | + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); | ||
197 | + cnd_copy (cy, rp, tp + m->size, m->size); | ||
198 | +} | ||
199 | + | ||
200 | +void | ||
201 | +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, | ||
202 | + const mp_limb_t *ap, mp_limb_t *tp) | ||
203 | +{ | ||
204 | + mp_limb_t cy; | ||
205 | + mpn_sqr (tp + m->size, ap, m->size); | ||
206 | + m->reduce (m, tp + m->size); | ||
207 | + | ||
208 | + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); | ||
209 | + cnd_copy (cy, rp, tp + m->size, m->size); | ||
210 | +} | ||
211 | + | ||
212 | +void | ||
213 | ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, | ||
214 | const mp_limb_t *ap) | ||
215 | { | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch new file mode 100644 index 0000000000..bb56b14c8c --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Sat, 13 Mar 2021 17:26:37 +0100 | ||
6 | Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison. | ||
7 | |||
8 | * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. | ||
9 | |||
10 | (cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906) | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch | ||
14 | CVE: CVE-2021-20305 dep2 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | ChangeLog | 4 ++++ | ||
19 | eddsa-verify.c | 9 ++------- | ||
20 | 2 files changed, 6 insertions(+), 7 deletions(-) | ||
21 | |||
22 | #diff --git a/ChangeLog b/ChangeLog | ||
23 | #index 5cc5c188..2a9217a6 100644 | ||
24 | #--- a/ChangeLog | ||
25 | #+++ b/ChangeLog | ||
26 | #@@ -1,3 +1,7 @@ | ||
27 | #+2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
28 | #+ | ||
29 | #+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. | ||
30 | #+ | ||
31 | # 2021-03-11 Niels Möller <nisse@lysator.liu.se> | ||
32 | # | ||
33 | # * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): | ||
34 | Index: nettle-3.5.1/eddsa-verify.c | ||
35 | =================================================================== | ||
36 | --- nettle-3.5.1.orig/eddsa-verify.c | ||
37 | +++ nettle-3.5.1/eddsa-verify.c | ||
38 | @@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p, | ||
39 | #define t0 scratch | ||
40 | #define t1 (scratch + p->size) | ||
41 | |||
42 | - ecc_mod_mul (p, t0, x1, z2); | ||
43 | - if (mpn_cmp (t0, p->m, p->size) >= 0) | ||
44 | - mpn_sub_n (t0, t0, p->m, p->size); | ||
45 | - | ||
46 | - ecc_mod_mul (p, t1, x2, z1); | ||
47 | - if (mpn_cmp (t1, p->m, p->size) >= 0) | ||
48 | - mpn_sub_n (t1, t1, p->m, p->size); | ||
49 | + ecc_mod_mul_canonical (p, t0, x1, z2, t0); | ||
50 | + ecc_mod_mul_canonical (p, t1, x2, z1, t1); | ||
51 | |||
52 | return mpn_cmp (t0, t1, p->size) == 0; | ||
53 | |||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch new file mode 100644 index 0000000000..15a892ecdf --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Sat, 13 Mar 2021 15:19:19 +0100 | ||
6 | Subject: [PATCH] Fix bug in ecc_ecdsa_verify. | ||
7 | |||
8 | * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical | ||
9 | to compute the scalars used for ecc multiplication. | ||
10 | * testsuite/ecdsa-verify-test.c (test_main): Add test case that | ||
11 | triggers an assert on 64-bit platforms, without above fix. | ||
12 | * testsuite/ecdsa-sign-test.c (test_main): Test case generating | ||
13 | the same signature. | ||
14 | |||
15 | (cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f) | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch | ||
19 | CVE: CVE-2021-20305 dep3 | ||
20 | [Minor fixup on _nettle_secp_224r1] | ||
21 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
22 | |||
23 | --- | ||
24 | ChangeLog | 10 +++++++++- | ||
25 | ecc-ecdsa-verify.c | 4 ++-- | ||
26 | testsuite/ecdsa-sign-test.c | 13 +++++++++++++ | ||
27 | testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++ | ||
28 | 4 files changed, 44 insertions(+), 3 deletions(-) | ||
29 | |||
30 | #diff --git a/ChangeLog b/ChangeLog | ||
31 | #index 2a9217a6..63848f53 100644 | ||
32 | #--- a/ChangeLog | ||
33 | #+++ b/ChangeLog | ||
34 | #@@ -1,7 +1,15 @@ | ||
35 | # 2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
36 | # | ||
37 | #- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. | ||
38 | #+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical | ||
39 | #+ to compute the scalars used for ecc multiplication. | ||
40 | #+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that | ||
41 | #+ triggers an assert on 64-bit platforms, without above fix. | ||
42 | #+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating | ||
43 | #+ the same signature. | ||
44 | #+ | ||
45 | #+2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
46 | # | ||
47 | #+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. | ||
48 | # 2021-03-11 Niels Möller <nisse@lysator.liu.se> | ||
49 | # | ||
50 | # * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): | ||
51 | Index: nettle-3.5.1/ecc-ecdsa-verify.c | ||
52 | =================================================================== | ||
53 | --- nettle-3.5.1.orig/ecc-ecdsa-verify.c | ||
54 | +++ nettle-3.5.1/ecc-ecdsa-verify.c | ||
55 | @@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve | ||
56 | |||
57 | /* u1 = h / s, P1 = u1 * G */ | ||
58 | ecc_hash (&ecc->q, hp, length, digest); | ||
59 | - ecc_modq_mul (ecc, u1, hp, sinv); | ||
60 | + ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1); | ||
61 | |||
62 | /* u2 = r / s, P2 = u2 * Y */ | ||
63 | - ecc_modq_mul (ecc, u2, rp, sinv); | ||
64 | + ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2); | ||
65 | |||
66 | /* Total storage: 5*ecc->p.size + ecc->mul_itch */ | ||
67 | ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); | ||
68 | Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c | ||
69 | =================================================================== | ||
70 | --- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c | ||
71 | +++ nettle-3.5.1/testsuite/ecdsa-sign-test.c | ||
72 | @@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc, | ||
73 | void | ||
74 | test_main (void) | ||
75 | { | ||
76 | + /* Producing the signature for corresponding test in | ||
77 | + ecdsa-verify-test.c, with special u1 and u2. */ | ||
78 | + test_ecdsa (&_nettle_secp_224r1, | ||
79 | + "99b5b787484def12894ca507058b3bf5" | ||
80 | + "43d72d82fa7721d2e805e5e6", | ||
81 | + "2", | ||
82 | + SHEX("cdb887ac805a3b42e22d224c85482053" | ||
83 | + "16c755d4a736bb2032c92553"), | ||
84 | + "706a46dc76dcb76798e60e6d89474788" | ||
85 | + "d16dc18032d268fd1a704fa6", /* r */ | ||
86 | + "3a41e1423b1853e8aa89747b1f987364" | ||
87 | + "44705d6d6d8371ea1f578f2e"); /* s */ | ||
88 | + | ||
89 | /* Test cases for the smaller groups, verified with a | ||
90 | proof-of-concept implementation done for Yubico AB. */ | ||
91 | test_ecdsa (&_nettle_secp_192r1, | ||
92 | Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c | ||
93 | =================================================================== | ||
94 | --- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c | ||
95 | +++ nettle-3.5.1/testsuite/ecdsa-verify-test.c | ||
96 | @@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc, | ||
97 | void | ||
98 | test_main (void) | ||
99 | { | ||
100 | + /* Corresponds to nonce k = 2 and private key z = | ||
101 | + 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and | ||
102 | + hash are chosen so that intermediate scalars in the verify | ||
103 | + equations are u1 = 0x6b245680e700, u2 = | ||
104 | + 259da6542d4ba7d21ad916c3bd57f811. These values require canonical | ||
105 | + reduction of the scalars. Bug caused by missing canonical | ||
106 | + reduction reported by Guido Vranken. */ | ||
107 | + test_ecdsa (&_nettle_secp_224r1, | ||
108 | + "9e7e6cc6b1bdfa8ee039b66ad85e5490" | ||
109 | + "7be706a900a3cba1c8fdd014", /* x */ | ||
110 | + "74855db3f7c1b4097ae095745fc915e3" | ||
111 | + "8a79d2a1de28f282eafb22ba", /* y */ | ||
112 | + | ||
113 | + SHEX("cdb887ac805a3b42e22d224c85482053" | ||
114 | + "16c755d4a736bb2032c92553"), | ||
115 | + "706a46dc76dcb76798e60e6d89474788" | ||
116 | + "d16dc18032d268fd1a704fa6", /* r */ | ||
117 | + "3a41e1423b1853e8aa89747b1f987364" | ||
118 | + "44705d6d6d8371ea1f578f2e"); /* s */ | ||
119 | + | ||
120 | /* From RFC 4754 */ | ||
121 | test_ecdsa (&_nettle_secp_256r1, | ||
122 | "2442A5CC 0ECD015F A3CA31DC 8E2BBC70" | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch new file mode 100644 index 0000000000..54b4fa584c --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Sat, 13 Mar 2021 16:27:50 +0100 | ||
6 | Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced. | ||
7 | |||
8 | * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to | ||
9 | canonical range. | ||
10 | |||
11 | (cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398) | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch | ||
15 | CVE: CVE-2021-20305 dep4 | ||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | --- | ||
19 | ChangeLog | 3 +++ | ||
20 | ecc-ecdsa-sign.c | 3 +-- | ||
21 | 2 files changed, 4 insertions(+), 2 deletions(-) | ||
22 | |||
23 | #diff --git a/ChangeLog b/ChangeLog | ||
24 | #index 63848f53..fb2d7f66 100644 | ||
25 | #--- a/ChangeLog | ||
26 | #+++ b/ChangeLog | ||
27 | #@@ -1,5 +1,8 @@ | ||
28 | # 2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
29 | # | ||
30 | #+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to | ||
31 | #+ canonical range. | ||
32 | #+ | ||
33 | # * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical | ||
34 | # to compute the scalars used for ecc multiplication. | ||
35 | # * testsuite/ecdsa-verify-test.c (test_main): Add test case that | ||
36 | --- a/ecc-ecdsa-sign.c | ||
37 | +++ b/ecc-ecdsa-sign.c | ||
38 | @@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve * | ||
39 | |||
40 | ecc_modq_mul (ecc, tp, zp, rp); | ||
41 | ecc_modq_add (ecc, hp, hp, tp); | ||
42 | - ecc_modq_mul (ecc, tp, hp, kinv); | ||
43 | + ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); | ||
44 | |||
45 | - mpn_copyi (sp, tp, ecc->p.size); | ||
46 | #undef P | ||
47 | #undef hp | ||
48 | #undef kinv | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch new file mode 100644 index 0000000000..468ff66266 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Sat, 13 Mar 2021 16:42:21 +0100 | ||
6 | Subject: [PATCH] Similar fix for eddsa. | ||
7 | |||
8 | * eddsa-hash.c (_eddsa_hash): Ensure result is canonically | ||
9 | reduced. Two of the three call sites need that. | ||
10 | |||
11 | (cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288) | ||
12 | |||
13 | |||
14 | Upstream-Status: Backport | ||
15 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch | ||
16 | CVE: CVE-2021-20305 | ||
17 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
18 | |||
19 | --- | ||
20 | ChangeLog | 3 +++ | ||
21 | eddsa-hash.c | 10 +++++++--- | ||
22 | 2 files changed, 10 insertions(+), 3 deletions(-) | ||
23 | |||
24 | #diff --git a/ChangeLog b/ChangeLog | ||
25 | #index 5f8a22c2..ce330831 100644 | ||
26 | #--- a/ChangeLog | ||
27 | #+++ b/ChangeLog | ||
28 | #@@ -1,5 +1,8 @@ | ||
29 | # 2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
30 | # | ||
31 | #+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically | ||
32 | #+ reduced. Two of the three call sites need that. | ||
33 | #+ | ||
34 | # * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical | ||
35 | # to compute the scalars used for ecc multiplication. | ||
36 | # | ||
37 | Index: nettle-3.5.1/eddsa-hash.c | ||
38 | =================================================================== | ||
39 | --- nettle-3.5.1.orig/eddsa-hash.c | ||
40 | +++ nettle-3.5.1/eddsa-hash.c | ||
41 | @@ -46,7 +46,12 @@ void | ||
42 | _eddsa_hash (const struct ecc_modulo *m, | ||
43 | mp_limb_t *rp, const uint8_t *digest) | ||
44 | { | ||
45 | + mp_limb_t cy; | ||
46 | size_t nbytes = 1 + m->bit_size / 8; | ||
47 | mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes); | ||
48 | m->mod (m, rp); | ||
49 | + mpn_copyi (rp + m->size, rp, m->size); | ||
50 | + /* Ensure canonical reduction. */ | ||
51 | + cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); | ||
52 | + cnd_copy (cy, rp, rp + m->size, m->size); | ||
53 | } | ||
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb index 9212d9deb5..192fd295e9 100644 --- a/meta/recipes-support/nettle/nettle_3.5.1.bb +++ b/meta/recipes-support/nettle/nettle_3.5.1.bb | |||
@@ -20,6 +20,11 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ | |||
20 | file://check-header-files-of-openssl-only-if-enable_.patch \ | 20 | file://check-header-files-of-openssl-only-if-enable_.patch \ |
21 | file://CVE-2021-3580_1.patch \ | 21 | file://CVE-2021-3580_1.patch \ |
22 | file://CVE-2021-3580_2.patch \ | 22 | file://CVE-2021-3580_2.patch \ |
23 | file://CVE-2021-20305-1.patch \ | ||
24 | file://CVE-2021-20305-2.patch \ | ||
25 | file://CVE-2021-20305-3.patch \ | ||
26 | file://CVE-2021-20305-4.patch \ | ||
27 | file://CVE-2021-20305-5.patch \ | ||
23 | " | 28 | " |
24 | 29 | ||
25 | SRC_URI_append_class-target = "\ | 30 | SRC_URI_append_class-target = "\ |