1 files changed, 215 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
new file mode 100644
index 0000000000..cfc0f382fa
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
@@ -0,0 +1,215 @@
+Backport of:
+From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Thu, 11 Mar 2021 19:37:41 +0100
+Subject: [PATCH] New functions ecc_mod_mul_canonical and
+ ecc_mod_sqr_canonical.
+* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+New functions.
+* ecc-internal.h: Declare and document new functions.
+* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+* ecc-j-to-a.c (ecc_j_to_a): Likewise.
+* ecc-mul-m.c (ecc_mul_m): Likewise.
+(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch
+CVE: CVE-2021-20305 dep1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog            | 11 +++++++++++
+ curve25519-eh-to-x.c |  6 +-----
+ curve448-eh-to-x.c   |  5 +----
+ ecc-eh-to-a.c        | 12 ++----------
+ ecc-internal.h       | 15 +++++++++++++++
+ ecc-j-to-a.c         | 15 +++------------
+ ecc-mod-arith.c      | 24 ++++++++++++++++++++++++
+ ecc-mul-m.c          |  6 ++----
+ 8 files changed, 59 insertions(+), 35 deletions(-)
+#diff --git a/ChangeLog b/ChangeLog
+#index fd138d82..5cc5c188 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,14 @@
+#+2021-03-11  Niels MÃ¶ller  <nisse@lysator.liu.se>
+#+
+#+      * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+#+      New functions.
+#+      * ecc-internal.h: Declare and document new functions.
+#+      * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+#+      * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+#+      * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+#+      * ecc-j-to-a.c (ecc_j_to_a): Likewise.
+#+      * ecc-mul-m.c (ecc_mul_m): Likewise.
+#+
+# 2021-02-17  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#       * Released Nettle-3.7.1.
+Index: nettle-3.5.1/curve25519-eh-to-x.c
+===================================================================
+--- nettle-3.5.1.orig/curve25519-eh-to-x.c
+++ nettle-3.5.1/curve25519-eh-to-x.c
+@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ #define t2 (scratch + 2*ecc->p.size)
+ 
+   const struct ecc_curve *ecc = &_nettle_curve25519;
+-  mp_limb_t cy;
+ 
+   /* If u = U/W and v = V/W are the coordiantes of the point on the
+      Edwards curve we get the curve25519 x coordinate as
+@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+   ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
+   
+   ecc_modp_add (ecc, t0, wp, vp);
+-  ecc_modp_mul (ecc, t2, t0, t1);
+-
+-  cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, xp, t2, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
+ #undef vp
+ #undef wp
+ #undef t0
+Index: nettle-3.5.1/ecc-eh-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-eh-to-a.c
+++ nettle-3.5.1/ecc-eh-to-a.c
+@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+   /* Needs 2*size + scratch for the invert call. */
+   ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
+ 
+-  ecc_modp_mul (ecc, tp, xp, izp);
+-  cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r, tp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
+ 
+   if (op)
+     {
+@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+        }
+       return;
+     }
+-  ecc_modp_mul (ecc, tp, yp, izp);
+-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
+ }
+Index: nettle-3.5.1/ecc-internal.h
+===================================================================
+--- nettle-3.5.1.orig/ecc-internal.h
+++ nettle-3.5.1/ecc-internal.h
+@@ -49,6 +49,8 @@
+ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
+ #define ecc_mod_mul _nettle_ecc_mod_mul
+ #define ecc_mod_sqr _nettle_ecc_mod_sqr
+#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
+#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
+ #define ecc_mod_random _nettle_ecc_mod_random
+ #define ecc_mod _nettle_ecc_mod
+ #define ecc_mod_inv _nettle_ecc_mod_inv
+@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m,
+ #define ecc_modq_mul(ecc, r, a, b) \
+   ecc_mod_mul (&(ecc)->q, (r), (a), (b))
+ 
+/* These mul and sqr functions produce a canonical result, 0 <= R < M.
+   Requirements on input and output areas are similar to the above
+   functions, except that it is *not* allowed to pass rp = rp +
+   m->size.
+ */
+void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+                      const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp);
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+                      const mp_limb_t *ap, mp_limb_t *tp);
+
+ /* mod q operations. */
+ void
+ ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
+Index: nettle-3.5.1/ecc-j-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-j-to-a.c
+++ nettle-3.5.1/ecc-j-to-a.c
+@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ #define izBp (scratch + 3*ecc->p.size)
+ #define tp    scratch
+ 
+-  mp_limb_t cy;
+-
+   if (ecc->use_redc)
+     {
+       /* Set v = (r_z / B^2)^-1,
+@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+       ecc_modp_sqr (ecc, iz2p, izp);
+     }
+ 
+-  ecc_modp_mul (ecc, iz3p, iz2p, p);
+-  /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so
+-     do a conditional subtraction. */
+-  cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r, iz3p, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
+ 
+   if (op)
+     {
+       /* Skip y coordinate */
+       if (op > 1)
+        {
+         mp_limb_t cy;
+          /* Also reduce the x coordinate mod ecc->q. It should
+             already be < 2*ecc->q, so one subtraction should
+             suffice. */
+@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+       return;
+     }
+   ecc_modp_mul (ecc, iz3p, iz2p, izp);
+-  ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size);
+-  /* And a similar subtraction. */
+-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
+ 
+ #undef izp
+ #undef up
+Index: nettle-3.5.1/ecc-mod-arith.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-mod-arith.c
+++ nettle-3.5.1/ecc-mod-arith.c
+@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
+ }
+ 
+ void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+                      const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
+{
+  mp_limb_t cy;
+  mpn_mul_n (tp + m->size, ap, bp, m->size);
+  m->reduce (m, tp + m->size);
+
+  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+                      const mp_limb_t *ap, mp_limb_t *tp)
+{
+  mp_limb_t cy;
+  mpn_sqr (tp + m->size, ap, m->size);
+  m->reduce (m, tp + m->size);
+
+  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
+ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
+             const mp_limb_t *ap)
+ {

diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch new file mode 100644 index 0000000000..cfc0f382fa --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
@@ -0,0 +1,215 @@
	1	Backport of:
	2
	3	From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
	4	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
	5	Date: Thu, 11 Mar 2021 19:37:41 +0100
	6	Subject: [PATCH] New functions ecc_mod_mul_canonical and
	7	ecc_mod_sqr_canonical.
	8
	9	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
	10	New functions.
	11	* ecc-internal.h: Declare and document new functions.
	12	* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
	13	* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
	14	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	15	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
	16	* ecc-mul-m.c (ecc_mul_m): Likewise.
	17
	18	(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
	19
	20	Upstream-Status: Backport
	21	https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch
	22	CVE: CVE-2021-20305 dep1
	23	Signed-off-by: Armin Kuster <akuster@mvista.com>
	24
	25	---
	26	ChangeLog \| 11 +++++++++++
	27	curve25519-eh-to-x.c \| 6 +-----
	28	curve448-eh-to-x.c \| 5 +----
	29	ecc-eh-to-a.c \| 12 ++----------
	30	ecc-internal.h \| 15 +++++++++++++++
	31	ecc-j-to-a.c \| 15 +++------------
	32	ecc-mod-arith.c \| 24 ++++++++++++++++++++++++
	33	ecc-mul-m.c \| 6 ++----
	34	8 files changed, 59 insertions(+), 35 deletions(-)
	35
	36	#diff --git a/ChangeLog b/ChangeLog
	37	#index fd138d82..5cc5c188 100644
	38	#--- a/ChangeLog
	39	#+++ b/ChangeLog
	40	#@@ -1,3 +1,14 @@
	41	#+2021-03-11 Niels MÃ¶ller <nisse@lysator.liu.se>
	42	#+
	43	#+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
	44	#+ New functions.
	45	#+ * ecc-internal.h: Declare and document new functions.
	46	#+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
	47	#+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
	48	#+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
	49	#+ * ecc-j-to-a.c (ecc_j_to_a): Likewise.
	50	#+ * ecc-mul-m.c (ecc_mul_m): Likewise.
	51	#+
	52	# 2021-02-17 Niels MÃ¶ller <nisse@lysator.liu.se>
	53	#
	54	# * Released Nettle-3.7.1.
	55	Index: nettle-3.5.1/curve25519-eh-to-x.c
	56	===================================================================
	57	--- nettle-3.5.1.orig/curve25519-eh-to-x.c
	58	+++ nettle-3.5.1/curve25519-eh-to-x.c
	59	@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
	60	#define t2 (scratch + 2*ecc->p.size)
	61
	62	const struct ecc_curve *ecc = &_nettle_curve25519;
	63	- mp_limb_t cy;
	64
	65	/* If u = U/W and v = V/W are the coordiantes of the point on the
	66	Edwards curve we get the curve25519 x coordinate as
	67	@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
	68	ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
	69
	70	ecc_modp_add (ecc, t0, wp, vp);
	71	- ecc_modp_mul (ecc, t2, t0, t1);
	72	-
	73	- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
	74	- cnd_copy (cy, xp, t2, ecc->p.size);
	75	+ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
	76	#undef vp
	77	#undef wp
	78	#undef t0
	79	Index: nettle-3.5.1/ecc-eh-to-a.c
	80	===================================================================
	81	--- nettle-3.5.1.orig/ecc-eh-to-a.c
	82	+++ nettle-3.5.1/ecc-eh-to-a.c
	83	@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc
	84	/* Needs 2size + scratch for the invert call. /
	85	ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
	86
	87	- ecc_modp_mul (ecc, tp, xp, izp);
	88	- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
	89	- cnd_copy (cy, r, tp, ecc->p.size);
	90	+ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
	91
	92	if (op)
	93	{
	94	@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc
	95	}
	96	return;
	97	}
	98	- ecc_modp_mul (ecc, tp, yp, izp);
	99	- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
	100	- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
	101	+ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
	102	}
	103	Index: nettle-3.5.1/ecc-internal.h
	104	===================================================================
	105	--- nettle-3.5.1.orig/ecc-internal.h
	106	+++ nettle-3.5.1/ecc-internal.h
	107	@@ -49,6 +49,8 @@
	108	#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
	109	#define ecc_mod_mul _nettle_ecc_mod_mul
	110	#define ecc_mod_sqr _nettle_ecc_mod_sqr
	111	+#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
	112	+#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
	113	#define ecc_mod_random _nettle_ecc_mod_random
	114	#define ecc_mod _nettle_ecc_mod
	115	#define ecc_mod_inv _nettle_ecc_mod_inv
	116	@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m,
	117	#define ecc_modq_mul(ecc, r, a, b) \
	118	ecc_mod_mul (&(ecc)->q, (r), (a), (b))
	119
	120	+/* These mul and sqr functions produce a canonical result, 0 <= R < M.
	121	+ Requirements on input and output areas are similar to the above
	122	+ functions, except that it is not allowed to pass rp = rp +
	123	+ m->size.
	124	+ */
	125	+void
	126	+ecc_mod_mul_canonical (const struct ecc_modulo m, mp_limb_t rp,
	127	+ const mp_limb_t ap, const mp_limb_t bp, mp_limb_t *tp);
	128	+
	129	+void
	130	+ecc_mod_sqr_canonical (const struct ecc_modulo m, mp_limb_t rp,
	131	+ const mp_limb_t ap, mp_limb_t tp);
	132	+
	133	/* mod q operations. */
	134	void
	135	ecc_mod_random (const struct ecc_modulo m, mp_limb_t xp,
	136	Index: nettle-3.5.1/ecc-j-to-a.c
	137	===================================================================
	138	--- nettle-3.5.1.orig/ecc-j-to-a.c
	139	+++ nettle-3.5.1/ecc-j-to-a.c
	140	@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
	141	#define izBp (scratch + 3*ecc->p.size)
	142	#define tp scratch
	143
	144	- mp_limb_t cy;
	145	-
	146	if (ecc->use_redc)
	147	{
	148	/* Set v = (r_z / B^2)^-1,
	149	@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc,
	150	ecc_modp_sqr (ecc, iz2p, izp);
	151	}
	152
	153	- ecc_modp_mul (ecc, iz3p, iz2p, p);
	154	- /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so
	155	- do a conditional subtraction. */
	156	- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
	157	- cnd_copy (cy, r, iz3p, ecc->p.size);
	158	+ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
	159
	160	if (op)
	161	{
	162	/* Skip y coordinate */
	163	if (op > 1)
	164	{
	165	+ mp_limb_t cy;
	166	/* Also reduce the x coordinate mod ecc->q. It should
	167	already be < 2*ecc->q, so one subtraction should
	168	suffice. */
	169	@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
	170	return;
	171	}
	172	ecc_modp_mul (ecc, iz3p, iz2p, izp);
	173	- ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size);
	174	- /* And a similar subtraction. */
	175	- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
	176	- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
	177	+ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
	178
	179	#undef izp
	180	#undef up
	181	Index: nettle-3.5.1/ecc-mod-arith.c
	182	===================================================================
	183	--- nettle-3.5.1.orig/ecc-mod-arith.c
	184	+++ nettle-3.5.1/ecc-mod-arith.c
	185	@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
	186	}
	187
	188	void
	189	+ecc_mod_mul_canonical (const struct ecc_modulo m, mp_limb_t rp,
	190	+ const mp_limb_t ap, const mp_limb_t bp, mp_limb_t *tp)
	191	+{
	192	+ mp_limb_t cy;
	193	+ mpn_mul_n (tp + m->size, ap, bp, m->size);
	194	+ m->reduce (m, tp + m->size);
	195	+
	196	+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
	197	+ cnd_copy (cy, rp, tp + m->size, m->size);
	198	+}
	199	+
	200	+void
	201	+ecc_mod_sqr_canonical (const struct ecc_modulo m, mp_limb_t rp,
	202	+ const mp_limb_t ap, mp_limb_t tp)
	203	+{
	204	+ mp_limb_t cy;
	205	+ mpn_sqr (tp + m->size, ap, m->size);
	206	+ m->reduce (m, tp + m->size);
	207	+
	208	+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
	209	+ cnd_copy (cy, rp, tp + m->size, m->size);
	210	+}
	211	+
	212	+void
	213	ecc_mod_sqr (const struct ecc_modulo m, mp_limb_t rp,
	214	const mp_limb_t *ap)
	215	{