1 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
new file mode 100644
index 0000000000..15a892ecdf
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
+Backport of:
+From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 15:19:19 +0100
+Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
+* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+to compute the scalars used for ecc multiplication.
+* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+triggers an assert on 64-bit platforms, without above fix.
+* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+the same signature.
+(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
+CVE: CVE-2021-20305 dep3
+[Minor fixup on _nettle_secp_224r1]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog                     | 10 +++++++++-
+ ecc-ecdsa-verify.c            |  4 ++--
+ testsuite/ecdsa-sign-test.c   | 13 +++++++++++++
+ testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
+ 4 files changed, 44 insertions(+), 3 deletions(-)
+#diff --git a/ChangeLog b/ChangeLog
+#index 2a9217a6..63848f53 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,7 +1,15 @@
+# 2021-03-13  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#-      * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+      * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#+      to compute the scalars used for ecc multiplication.
+#+      * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+#+      triggers an assert on 64-bit platforms, without above fix.
+#+      * testsuite/ecdsa-sign-test.c (test_main): Test case generating
+#+      the same signature.
+#+
+#+2021-03-13  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#+      * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+# 2021-03-11  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#       * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/ecc-ecdsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
+++ nettle-3.5.1/ecc-ecdsa-verify.c
+@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
+ 
+   /* u1 = h / s, P1 = u1 * G */
+   ecc_hash (&ecc->q, hp, length, digest);
+-  ecc_modq_mul (ecc, u1, hp, sinv);
+  ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
+ 
+   /* u2 = r / s, P2 = u2 * Y */
+-  ecc_modq_mul (ecc, u2, rp, sinv);
+  ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
+ 
+    /* Total storage: 5*ecc->p.size + ecc->mul_itch */
+   ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
+Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
+++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
+@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
+  /* Producing the signature for corresponding test in
+     ecdsa-verify-test.c, with special u1 and u2. */
+  test_ecdsa (&_nettle_secp_224r1,
+             "99b5b787484def12894ca507058b3bf5"
+             "43d72d82fa7721d2e805e5e6",
+             "2",
+             SHEX("cdb887ac805a3b42e22d224c85482053"
+                  "16c755d4a736bb2032c92553"),
+             "706a46dc76dcb76798e60e6d89474788"
+             "d16dc18032d268fd1a704fa6", /* r */
+             "3a41e1423b1853e8aa89747b1f987364"
+             "44705d6d6d8371ea1f578f2e"); /* s */
+
+   /* Test cases for the smaller groups, verified with a
+      proof-of-concept implementation done for Yubico AB. */
+   test_ecdsa (&_nettle_secp_192r1,
+Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
+++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
+@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
+  /* Corresponds to nonce k = 2 and private key z =
+     0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
+     hash are chosen so that intermediate scalars in the verify
+     equations are u1 = 0x6b245680e700, u2 =
+     259da6542d4ba7d21ad916c3bd57f811. These values require canonical
+     reduction of the scalars. Bug caused by missing canonical
+     reduction reported by Guido Vranken. */
+  test_ecdsa (&_nettle_secp_224r1,
+             "9e7e6cc6b1bdfa8ee039b66ad85e5490"
+             "7be706a900a3cba1c8fdd014", /* x */
+             "74855db3f7c1b4097ae095745fc915e3"
+             "8a79d2a1de28f282eafb22ba", /* y */
+
+             SHEX("cdb887ac805a3b42e22d224c85482053"
+                  "16c755d4a736bb2032c92553"),
+             "706a46dc76dcb76798e60e6d89474788"
+             "d16dc18032d268fd1a704fa6", /* r */
+             "3a41e1423b1853e8aa89747b1f987364"
+             "44705d6d6d8371ea1f578f2e"); /* s */
+
+   /* From RFC 4754 */
+   test_ecdsa (&_nettle_secp_256r1,
+              "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"

diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch new file mode 100644 index 0000000000..15a892ecdf --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
	1	Backport of:
	2
	3	From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
	4	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
	5	Date: Sat, 13 Mar 2021 15:19:19 +0100
	6	Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
	7
	8	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
	9	to compute the scalars used for ecc multiplication.
	10	* testsuite/ecdsa-verify-test.c (test_main): Add test case that
	11	triggers an assert on 64-bit platforms, without above fix.
	12	* testsuite/ecdsa-sign-test.c (test_main): Test case generating
	13	the same signature.
	14
	15	(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
	16
	17	Upstream-Status: Backport
	18	https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
	19	CVE: CVE-2021-20305 dep3
	20	[Minor fixup on _nettle_secp_224r1]
	21	Signed-off-by: Armin Kuster <akuster@mvista.com>
	22
	23	---
	24	ChangeLog \| 10 +++++++++-
	25	ecc-ecdsa-verify.c \| 4 ++--
	26	testsuite/ecdsa-sign-test.c \| 13 +++++++++++++
	27	testsuite/ecdsa-verify-test.c \| 20 ++++++++++++++++++++
	28	4 files changed, 44 insertions(+), 3 deletions(-)
	29
	30	#diff --git a/ChangeLog b/ChangeLog
	31	#index 2a9217a6..63848f53 100644
	32	#--- a/ChangeLog
	33	#+++ b/ChangeLog
	34	#@@ -1,7 +1,15 @@
	35	# 2021-03-13 Niels MÃ¶ller <nisse@lysator.liu.se>
	36	#
	37	#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
	38	#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
	39	#+ to compute the scalars used for ecc multiplication.
	40	#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
	41	#+ triggers an assert on 64-bit platforms, without above fix.
	42	#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
	43	#+ the same signature.
	44	#+
	45	#+2021-03-13 Niels MÃ¶ller <nisse@lysator.liu.se>
	46	#
	47	#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
	48	# 2021-03-11 Niels MÃ¶ller <nisse@lysator.liu.se>
	49	#
	50	# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
	51	Index: nettle-3.5.1/ecc-ecdsa-verify.c
	52	===================================================================
	53	--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
	54	+++ nettle-3.5.1/ecc-ecdsa-verify.c
	55	@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
	56
	57	/* u1 = h / s, P1 = u1 * G */
	58	ecc_hash (&ecc->q, hp, length, digest);
	59	- ecc_modq_mul (ecc, u1, hp, sinv);
	60	+ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
	61
	62	/* u2 = r / s, P2 = u2 * Y */
	63	- ecc_modq_mul (ecc, u2, rp, sinv);
	64	+ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
	65
	66	/* Total storage: 5ecc->p.size + ecc->mul_itch /
	67	ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
	68	Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
	69	===================================================================
	70	--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
	71	+++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
	72	@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
	73	void
	74	test_main (void)
	75	{
	76	+ /* Producing the signature for corresponding test in
	77	+ ecdsa-verify-test.c, with special u1 and u2. */
	78	+ test_ecdsa (&_nettle_secp_224r1,
	79	+ "99b5b787484def12894ca507058b3bf5"
	80	+ "43d72d82fa7721d2e805e5e6",
	81	+ "2",
	82	+ SHEX("cdb887ac805a3b42e22d224c85482053"
	83	+ "16c755d4a736bb2032c92553"),
	84	+ "706a46dc76dcb76798e60e6d89474788"
	85	+ "d16dc18032d268fd1a704fa6", /* r */
	86	+ "3a41e1423b1853e8aa89747b1f987364"
	87	+ "44705d6d6d8371ea1f578f2e"); /* s */
	88	+
	89	/* Test cases for the smaller groups, verified with a
	90	proof-of-concept implementation done for Yubico AB. */
	91	test_ecdsa (&_nettle_secp_192r1,
	92	Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
	93	===================================================================
	94	--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
	95	+++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
	96	@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
	97	void
	98	test_main (void)
	99	{
	100	+ /* Corresponds to nonce k = 2 and private key z =
	101	+ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
	102	+ hash are chosen so that intermediate scalars in the verify
	103	+ equations are u1 = 0x6b245680e700, u2 =
	104	+ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
	105	+ reduction of the scalars. Bug caused by missing canonical
	106	+ reduction reported by Guido Vranken. */
	107	+ test_ecdsa (&_nettle_secp_224r1,
	108	+ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
	109	+ "7be706a900a3cba1c8fdd014", /* x */
	110	+ "74855db3f7c1b4097ae095745fc915e3"
	111	+ "8a79d2a1de28f282eafb22ba", /* y */
	112	+
	113	+ SHEX("cdb887ac805a3b42e22d224c85482053"
	114	+ "16c755d4a736bb2032c92553"),
	115	+ "706a46dc76dcb76798e60e6d89474788"
	116	+ "d16dc18032d268fd1a704fa6", /* r */
	117	+ "3a41e1423b1853e8aa89747b1f987364"
	118	+ "44705d6d6d8371ea1f578f2e"); /* s */
	119	+
	120	/* From RFC 4754 */
	121	test_ecdsa (&_nettle_secp_256r1,
	122	"2442A5CC 0ECD015F A3CA31DC 8E2BBC70"