diff options
3 files changed, 442 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch new file mode 100644 index 0000000000..ac3a638e72 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch | |||
@@ -0,0 +1,277 @@ | |||
1 | From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
3 | Date: Tue, 8 Jun 2021 21:31:39 +0200 | ||
4 | Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size. | ||
5 | |||
6 | Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug. | ||
7 | |||
8 | (cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c) | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2021-3580 dep#1 | ||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | ChangeLog | 17 +++++++++- | ||
16 | rsa-decrypt-tr.c | 7 ++--- | ||
17 | rsa-internal.h | 4 +-- | ||
18 | rsa-sec-decrypt.c | 9 ++++-- | ||
19 | rsa-sign-tr.c | 61 +++++++++++++++++------------------- | ||
20 | testsuite/rsa-encrypt-test.c | 14 ++++++++- | ||
21 | 6 files changed, 69 insertions(+), 43 deletions(-) | ||
22 | |||
23 | Index: nettle-3.5.1/rsa-decrypt-tr.c | ||
24 | =================================================================== | ||
25 | --- nettle-3.5.1.orig/rsa-decrypt-tr.c | ||
26 | +++ nettle-3.5.1/rsa-decrypt-tr.c | ||
27 | @@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k | ||
28 | mp_size_t key_limb_size; | ||
29 | int res; | ||
30 | |||
31 | - key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); | ||
32 | + key_limb_size = mpz_size(pub->n); | ||
33 | |||
34 | TMP_GMP_ALLOC (m, key_limb_size); | ||
35 | TMP_GMP_ALLOC (em, key->size); | ||
36 | + mpz_limbs_copy(m, gibberish, key_limb_size); | ||
37 | |||
38 | - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, | ||
39 | - mpz_limbs_read(gibberish), | ||
40 | - mpz_size(gibberish)); | ||
41 | + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); | ||
42 | |||
43 | mpn_get_base256 (em, key->size, m, key_limb_size); | ||
44 | |||
45 | Index: nettle-3.5.1/rsa-internal.h | ||
46 | =================================================================== | ||
47 | --- nettle-3.5.1.orig/rsa-internal.h | ||
48 | +++ nettle-3.5.1/rsa-internal.h | ||
49 | @@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p | ||
50 | mp_limb_t *scratch); | ||
51 | |||
52 | /* Safe side-channel silent variant, using RSA blinding, and checking the | ||
53 | - * result after CRT. */ | ||
54 | + * result after CRT. In-place calls, with x == m, is allowed. */ | ||
55 | int | ||
56 | _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, | ||
57 | const struct rsa_private_key *key, | ||
58 | void *random_ctx, nettle_random_func *random, | ||
59 | - mp_limb_t *x, const mp_limb_t *m, size_t mn); | ||
60 | + mp_limb_t *x, const mp_limb_t *m); | ||
61 | |||
62 | #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */ | ||
63 | Index: nettle-3.5.1/rsa-sec-decrypt.c | ||
64 | =================================================================== | ||
65 | --- nettle-3.5.1.orig/rsa-sec-decrypt.c | ||
66 | +++ nettle-3.5.1/rsa-sec-decrypt.c | ||
67 | @@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_ | ||
68 | TMP_GMP_ALLOC (m, mpz_size(pub->n)); | ||
69 | TMP_GMP_ALLOC (em, key->size); | ||
70 | |||
71 | - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, | ||
72 | - mpz_limbs_read(gibberish), | ||
73 | - mpz_size(gibberish)); | ||
74 | + /* We need a copy because m can be shorter than key_size, | ||
75 | + * but _rsa_sec_compute_root_tr expect all inputs to be | ||
76 | + * normalized to a key_size long buffer length */ | ||
77 | + mpz_limbs_copy(m, gibberish, mpz_size(pub->n)); | ||
78 | + | ||
79 | + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); | ||
80 | |||
81 | mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); | ||
82 | |||
83 | Index: nettle-3.5.1/rsa-sign-tr.c | ||
84 | =================================================================== | ||
85 | --- nettle-3.5.1.orig/rsa-sign-tr.c | ||
86 | +++ nettle-3.5.1/rsa-sign-tr.c | ||
87 | @@ -131,35 +131,34 @@ int | ||
88 | _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, | ||
89 | const struct rsa_private_key *key, | ||
90 | void *random_ctx, nettle_random_func *random, | ||
91 | - mp_limb_t *x, const mp_limb_t *m, size_t mn) | ||
92 | + mp_limb_t *x, const mp_limb_t *m) | ||
93 | { | ||
94 | + mp_size_t nn; | ||
95 | mpz_t mz; | ||
96 | mpz_t xz; | ||
97 | int res; | ||
98 | |||
99 | - mpz_init(mz); | ||
100 | mpz_init(xz); | ||
101 | |||
102 | - mpn_copyi(mpz_limbs_write(mz, mn), m, mn); | ||
103 | - mpz_limbs_finish(mz, mn); | ||
104 | + nn = mpz_size (pub->n); | ||
105 | |||
106 | - res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz); | ||
107 | + res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, | ||
108 | + mpz_roinit_n(mz, m, nn)); | ||
109 | |||
110 | if (res) | ||
111 | - mpz_limbs_copy(x, xz, mpz_size(pub->n)); | ||
112 | + mpz_limbs_copy(x, xz, nn); | ||
113 | |||
114 | - mpz_clear(mz); | ||
115 | mpz_clear(xz); | ||
116 | return res; | ||
117 | } | ||
118 | #else | ||
119 | /* Blinds m, by computing c = m r^e (mod n), for a random r. Also | ||
120 | - returns the inverse (ri), for use by rsa_unblind. */ | ||
121 | + returns the inverse (ri), for use by rsa_unblind. Must have c != m, | ||
122 | + no in-place operation.*/ | ||
123 | static void | ||
124 | rsa_sec_blind (const struct rsa_public_key *pub, | ||
125 | void *random_ctx, nettle_random_func *random, | ||
126 | - mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m, | ||
127 | - mp_size_t mn) | ||
128 | + mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m) | ||
129 | { | ||
130 | const mp_limb_t *ep = mpz_limbs_read (pub->e); | ||
131 | const mp_limb_t *np = mpz_limbs_read (pub->n); | ||
132 | @@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k | ||
133 | |||
134 | /* c = m*(r^e) mod n */ | ||
135 | itch = mpn_sec_powm_itch(nn, ebn, nn); | ||
136 | - i2 = mpn_sec_mul_itch(nn, mn); | ||
137 | + i2 = mpn_sec_mul_itch(nn, nn); | ||
138 | itch = MAX(itch, i2); | ||
139 | - i2 = mpn_sec_div_r_itch(nn + mn, nn); | ||
140 | + i2 = mpn_sec_div_r_itch(2*nn, nn); | ||
141 | itch = MAX(itch, i2); | ||
142 | i2 = mpn_sec_invert_itch(nn); | ||
143 | itch = MAX(itch, i2); | ||
144 | |||
145 | - TMP_GMP_ALLOC (tp, nn + mn + itch); | ||
146 | - scratch = tp + nn + mn; | ||
147 | + TMP_GMP_ALLOC (tp, 2*nn + itch); | ||
148 | + scratch = tp + 2*nn; | ||
149 | |||
150 | /* ri = r^(-1) */ | ||
151 | do | ||
152 | @@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k | ||
153 | while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch)); | ||
154 | |||
155 | mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch); | ||
156 | - /* normally mn == nn, but m can be smaller in some cases */ | ||
157 | - mpn_sec_mul (tp, c, nn, m, mn, scratch); | ||
158 | - mpn_sec_div_r (tp, nn + mn, np, nn, scratch); | ||
159 | + mpn_sec_mul (tp, c, nn, m, nn, scratch); | ||
160 | + mpn_sec_div_r (tp, 2*nn, np, nn, scratch); | ||
161 | mpn_copyi(c, tp, nn); | ||
162 | |||
163 | TMP_GMP_FREE (r); | ||
164 | @@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k | ||
165 | TMP_GMP_FREE (tp); | ||
166 | } | ||
167 | |||
168 | -/* m = c ri mod n */ | ||
169 | +/* m = c ri mod n. Allows x == c. */ | ||
170 | static void | ||
171 | rsa_sec_unblind (const struct rsa_public_key *pub, | ||
172 | mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c) | ||
173 | @@ -299,7 +297,7 @@ int | ||
174 | _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, | ||
175 | const struct rsa_private_key *key, | ||
176 | void *random_ctx, nettle_random_func *random, | ||
177 | - mp_limb_t *x, const mp_limb_t *m, size_t mn) | ||
178 | + mp_limb_t *x, const mp_limb_t *m) | ||
179 | { | ||
180 | TMP_GMP_DECL (c, mp_limb_t); | ||
181 | TMP_GMP_DECL (ri, mp_limb_t); | ||
182 | @@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs | ||
183 | size_t key_limb_size; | ||
184 | int ret; | ||
185 | |||
186 | - key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); | ||
187 | + key_limb_size = mpz_size(pub->n); | ||
188 | |||
189 | /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the | ||
190 | key is invalid and rejected by rsa_private_key_prepare. However, | ||
191 | @@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs | ||
192 | } | ||
193 | |||
194 | assert(mpz_size(pub->n) == key_limb_size); | ||
195 | - assert(mn <= key_limb_size); | ||
196 | |||
197 | TMP_GMP_ALLOC (c, key_limb_size); | ||
198 | TMP_GMP_ALLOC (ri, key_limb_size); | ||
199 | TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); | ||
200 | |||
201 | - rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn); | ||
202 | + rsa_sec_blind (pub, random_ctx, random, c, ri, m); | ||
203 | |||
204 | - _rsa_sec_compute_root(key, c, x, scratch); | ||
205 | + _rsa_sec_compute_root(key, x, c, scratch); | ||
206 | |||
207 | - ret = rsa_sec_check_root(pub, c, x); | ||
208 | + ret = rsa_sec_check_root(pub, x, c); | ||
209 | |||
210 | - rsa_sec_unblind(pub, x, ri, c); | ||
211 | + rsa_sec_unblind(pub, x, ri, x); | ||
212 | |||
213 | cnd_mpn_zero(1 - ret, x, key_limb_size); | ||
214 | |||
215 | @@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub | ||
216 | mpz_t x, const mpz_t m) | ||
217 | { | ||
218 | TMP_GMP_DECL (l, mp_limb_t); | ||
219 | + mp_size_t nn = mpz_size(pub->n); | ||
220 | int res; | ||
221 | |||
222 | - mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); | ||
223 | - TMP_GMP_ALLOC (l, l_size); | ||
224 | + TMP_GMP_ALLOC (l, nn); | ||
225 | + mpz_limbs_copy(l, m, nn); | ||
226 | |||
227 | - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, | ||
228 | - mpz_limbs_read(m), mpz_size(m)); | ||
229 | + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l); | ||
230 | if (res) { | ||
231 | - mp_limb_t *xp = mpz_limbs_write (x, l_size); | ||
232 | - mpn_copyi (xp, l, l_size); | ||
233 | - mpz_limbs_finish (x, l_size); | ||
234 | + mp_limb_t *xp = mpz_limbs_write (x, nn); | ||
235 | + mpn_copyi (xp, l, nn); | ||
236 | + mpz_limbs_finish (x, nn); | ||
237 | } | ||
238 | |||
239 | TMP_GMP_FREE (l); | ||
240 | Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c | ||
241 | =================================================================== | ||
242 | --- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c | ||
243 | +++ nettle-3.5.1/testsuite/rsa-encrypt-test.c | ||
244 | @@ -19,6 +19,7 @@ test_main(void) | ||
245 | uint8_t after; | ||
246 | |||
247 | mpz_t gibberish; | ||
248 | + mpz_t zero; | ||
249 | |||
250 | rsa_private_key_init(&key); | ||
251 | rsa_public_key_init(&pub); | ||
252 | @@ -101,6 +102,17 @@ test_main(void) | ||
253 | ASSERT(decrypted[decrypted_length] == after); | ||
254 | ASSERT(decrypted[0] == 'A'); | ||
255 | |||
256 | + /* Test zero input. */ | ||
257 | + mpz_init_set_ui (zero, 0); | ||
258 | + decrypted_length = msg_length; | ||
259 | + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero)); | ||
260 | + ASSERT(!rsa_decrypt_tr(&pub, &key, | ||
261 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
262 | + &decrypted_length, decrypted, zero)); | ||
263 | + ASSERT(!rsa_sec_decrypt(&pub, &key, | ||
264 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
265 | + decrypted_length, decrypted, zero)); | ||
266 | + ASSERT(decrypted_length == msg_length); | ||
267 | |||
268 | /* Test invalid key. */ | ||
269 | mpz_add_ui (key.q, key.q, 2); | ||
270 | @@ -112,6 +124,6 @@ test_main(void) | ||
271 | rsa_private_key_clear(&key); | ||
272 | rsa_public_key_clear(&pub); | ||
273 | mpz_clear(gibberish); | ||
274 | + mpz_clear(zero); | ||
275 | free(decrypted); | ||
276 | } | ||
277 | - | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch new file mode 100644 index 0000000000..18e952ddf7 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch | |||
@@ -0,0 +1,163 @@ | |||
1 | From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
3 | Date: Tue, 8 Jun 2021 21:32:38 +0200 | ||
4 | Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions. | ||
5 | |||
6 | (cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe) | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2021-3580 | ||
10 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
11 | |||
12 | --- | ||
13 | ChangeLog | 10 +++++++++- | ||
14 | rsa-decrypt-tr.c | 4 ++++ | ||
15 | rsa-decrypt.c | 10 ++++++++++ | ||
16 | rsa-sec-decrypt.c | 4 ++++ | ||
17 | rsa.h | 5 +++-- | ||
18 | testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------ | ||
19 | 6 files changed, 62 insertions(+), 9 deletions(-) | ||
20 | |||
21 | Index: nettle-3.5.1/rsa-decrypt-tr.c | ||
22 | =================================================================== | ||
23 | --- nettle-3.5.1.orig/rsa-decrypt-tr.c | ||
24 | +++ nettle-3.5.1/rsa-decrypt-tr.c | ||
25 | @@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k | ||
26 | mp_size_t key_limb_size; | ||
27 | int res; | ||
28 | |||
29 | + /* First check that input is in range. */ | ||
30 | + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) | ||
31 | + return 0; | ||
32 | + | ||
33 | key_limb_size = mpz_size(pub->n); | ||
34 | |||
35 | TMP_GMP_ALLOC (m, key_limb_size); | ||
36 | Index: nettle-3.5.1/rsa-decrypt.c | ||
37 | =================================================================== | ||
38 | --- nettle-3.5.1.orig/rsa-decrypt.c | ||
39 | +++ nettle-3.5.1/rsa-decrypt.c | ||
40 | @@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key | ||
41 | int res; | ||
42 | |||
43 | mpz_init(m); | ||
44 | + | ||
45 | + /* First check that input is in range. Since we don't have the | ||
46 | + public key available here, we need to reconstruct n. */ | ||
47 | + mpz_mul (m, key->p, key->q); | ||
48 | + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0) | ||
49 | + { | ||
50 | + mpz_clear (m); | ||
51 | + return 0; | ||
52 | + } | ||
53 | + | ||
54 | rsa_compute_root(key, m, gibberish); | ||
55 | |||
56 | res = pkcs1_decrypt (key->size, m, length, message); | ||
57 | Index: nettle-3.5.1/rsa-sec-decrypt.c | ||
58 | =================================================================== | ||
59 | --- nettle-3.5.1.orig/rsa-sec-decrypt.c | ||
60 | +++ nettle-3.5.1/rsa-sec-decrypt.c | ||
61 | @@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_ | ||
62 | TMP_GMP_DECL (em, uint8_t); | ||
63 | int res; | ||
64 | |||
65 | + /* First check that input is in range. */ | ||
66 | + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) | ||
67 | + return 0; | ||
68 | + | ||
69 | TMP_GMP_ALLOC (m, mpz_size(pub->n)); | ||
70 | TMP_GMP_ALLOC (em, key->size); | ||
71 | |||
72 | Index: nettle-3.5.1/rsa.h | ||
73 | =================================================================== | ||
74 | --- nettle-3.5.1.orig/rsa.h | ||
75 | +++ nettle-3.5.1/rsa.h | ||
76 | @@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_ | ||
77 | size_t length, uint8_t *message, | ||
78 | const mpz_t gibberish); | ||
79 | |||
80 | -/* Compute x, the e:th root of m. Calling it with x == m is allowed. */ | ||
81 | +/* Compute x, the e:th root of m. Calling it with x == m is allowed. | ||
82 | + It is required that 0 <= m < n. */ | ||
83 | void | ||
84 | rsa_compute_root(const struct rsa_private_key *key, | ||
85 | mpz_t x, const mpz_t m); | ||
86 | |||
87 | /* Safer variant, using RSA blinding, and checking the result after | ||
88 | - CRT. */ | ||
89 | + CRT. It is required that 0 <= m < n. */ | ||
90 | int | ||
91 | rsa_compute_root_tr(const struct rsa_public_key *pub, | ||
92 | const struct rsa_private_key *key, | ||
93 | Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c | ||
94 | =================================================================== | ||
95 | --- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c | ||
96 | +++ nettle-3.5.1/testsuite/rsa-encrypt-test.c | ||
97 | @@ -19,11 +19,12 @@ test_main(void) | ||
98 | uint8_t after; | ||
99 | |||
100 | mpz_t gibberish; | ||
101 | - mpz_t zero; | ||
102 | + mpz_t bad_input; | ||
103 | |||
104 | rsa_private_key_init(&key); | ||
105 | rsa_public_key_init(&pub); | ||
106 | mpz_init(gibberish); | ||
107 | + mpz_init(bad_input); | ||
108 | |||
109 | knuth_lfib_init(&lfib, 17); | ||
110 | |||
111 | @@ -103,15 +104,40 @@ test_main(void) | ||
112 | ASSERT(decrypted[0] == 'A'); | ||
113 | |||
114 | /* Test zero input. */ | ||
115 | - mpz_init_set_ui (zero, 0); | ||
116 | + mpz_set_ui (bad_input, 0); | ||
117 | decrypted_length = msg_length; | ||
118 | - ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero)); | ||
119 | + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); | ||
120 | ASSERT(!rsa_decrypt_tr(&pub, &key, | ||
121 | &lfib, (nettle_random_func *) knuth_lfib_random, | ||
122 | - &decrypted_length, decrypted, zero)); | ||
123 | + &decrypted_length, decrypted, bad_input)); | ||
124 | ASSERT(!rsa_sec_decrypt(&pub, &key, | ||
125 | &lfib, (nettle_random_func *) knuth_lfib_random, | ||
126 | - decrypted_length, decrypted, zero)); | ||
127 | + decrypted_length, decrypted, bad_input)); | ||
128 | + ASSERT(decrypted_length == msg_length); | ||
129 | + | ||
130 | + /* Test input that is slightly larger than n */ | ||
131 | + mpz_add(bad_input, gibberish, pub.n); | ||
132 | + decrypted_length = msg_length; | ||
133 | + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); | ||
134 | + ASSERT(!rsa_decrypt_tr(&pub, &key, | ||
135 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
136 | + &decrypted_length, decrypted, bad_input)); | ||
137 | + ASSERT(!rsa_sec_decrypt(&pub, &key, | ||
138 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
139 | + decrypted_length, decrypted, bad_input)); | ||
140 | + ASSERT(decrypted_length == msg_length); | ||
141 | + | ||
142 | + /* Test input that is considerably larger than n */ | ||
143 | + mpz_mul_2exp (bad_input, pub.n, 100); | ||
144 | + mpz_add (bad_input, bad_input, gibberish); | ||
145 | + decrypted_length = msg_length; | ||
146 | + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); | ||
147 | + ASSERT(!rsa_decrypt_tr(&pub, &key, | ||
148 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
149 | + &decrypted_length, decrypted, bad_input)); | ||
150 | + ASSERT(!rsa_sec_decrypt(&pub, &key, | ||
151 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
152 | + decrypted_length, decrypted, bad_input)); | ||
153 | ASSERT(decrypted_length == msg_length); | ||
154 | |||
155 | /* Test invalid key. */ | ||
156 | @@ -124,6 +150,6 @@ test_main(void) | ||
157 | rsa_private_key_clear(&key); | ||
158 | rsa_public_key_clear(&pub); | ||
159 | mpz_clear(gibberish); | ||
160 | - mpz_clear(zero); | ||
161 | + mpz_clear(bad_input); | ||
162 | free(decrypted); | ||
163 | } | ||
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb index b2ec24b36c..9212d9deb5 100644 --- a/meta/recipes-support/nettle/nettle_3.5.1.bb +++ b/meta/recipes-support/nettle/nettle_3.5.1.bb | |||
@@ -18,6 +18,8 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ | |||
18 | file://Add-target-to-only-build-tests-not-run-them.patch \ | 18 | file://Add-target-to-only-build-tests-not-run-them.patch \ |
19 | file://run-ptest \ | 19 | file://run-ptest \ |
20 | file://check-header-files-of-openssl-only-if-enable_.patch \ | 20 | file://check-header-files-of-openssl-only-if-enable_.patch \ |
21 | file://CVE-2021-3580_1.patch \ | ||
22 | file://CVE-2021-3580_2.patch \ | ||
21 | " | 23 | " |
22 | 24 | ||
23 | SRC_URI_append_class-target = "\ | 25 | SRC_URI_append_class-target = "\ |