Diffstat (limited to 'meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch')
-rw-r--r-- | meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch | 122 |
1 files changed, 122 insertions, 0 deletions
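--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 15:19:19 +0100
+Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
+
+* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+to compute the scalars used for ecc multiplication.
+* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+triggers an assert on 64-bit platforms, without above fix.
+* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+the same signature.
+
+(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
+CVE: CVE-2021-20305 dep3
+[Minor fixup on _nettle_secp_224r1]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ChangeLog | 10 +++++++++-
+ecc-ecdsa-verify.c | 4 ++--
+testsuite/ecdsa-sign-test.c | 13 +++++++++++++
+testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
+4 files changed, 44 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 2a9217a6..63848f53 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,7 +1,15 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#+ to compute the scalars used for ecc multiplication.
+#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+#+ triggers an assert on 64-bit platforms, without above fix.
+#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
+#+ the same signature.
+#+
+#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#
+# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/ecc-ecdsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
++++ nettle-3.5.1/ecc-ecdsa-verify.c
+@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
+
+/* u1 = h / s, P1 = u1 * G */
+ecc_hash (&ecc->q, hp, length, digest);
+- ecc_modq_mul (ecc, u1, hp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
+
+/* u2 = r / s, P2 = u2 * Y */
+- ecc_modq_mul (ecc, u2, rp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
+
+/* Total storage: 5*ecc->p.size + ecc->mul_itch */
+ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
+Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
++++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
+@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
+void
+test_main (void)
+{
++ /* Producing the signature for corresponding test in
++ ecdsa-verify-test.c, with special u1 and u2. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "99b5b787484def12894ca507058b3bf5"
++ "43d72d82fa7721d2e805e5e6",
++ "2",
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+/* Test cases for the smaller groups, verified with a
+proof-of-concept implementation done for Yubico AB. */
+test_ecdsa (&_nettle_secp_192r1,
+Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
++++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
+@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
+void
+test_main (void)
+{
++ /* Corresponds to nonce k = 2 and private key z =
++ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
++ hash are chosen so that intermediate scalars in the verify
++ equations are u1 = 0x6b245680e700, u2 =
++ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
++ reduction of the scalars. Bug caused by missing canonical
++ reduction reported by Guido Vranken. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
++ "7be706a900a3cba1c8fdd014", /* x */
++ "74855db3f7c1b4097ae095745fc915e3"
++ "8a79d2a1de28f282eafb22ba", /* y */
++
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+/* From RFC 4754 */
+test_ecdsa (&_nettle_secp_256r1,
+"2442A5CC 0ECD015F A3CA31DC 8E2BBC70"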
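Review bot: The replacement calls in the ecc-ecdsa-verify.c part, `ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);` and the matching u2 line, use a function this patch does not define; the commented-out ChangeLog context attributes it to an ecc-mod-arith.c change dated 2021-03-11. The diffstat on this page is limited to the one patch file, so the recipe's SRC_URI ordering is not visible here: the earlier patch of the series has to be applied before this one, otherwise the build stops on an undeclared function and the verify path stays unfixed. I would record that in the patch header with a line such as `Depends on: <earlier patch in this series adding ecc_mod_mul_canonical>`, and give the origin in the usual bracket form, `Upstream-Status: Backport [<debian patch URL>]`, rather than on a line of its own. Only a few lines of ecc_ecdsa_verify appear in the embedded hunk, and u1 and u2 are each passed as both the second and the fifth argument, so whether that overlap is within the function's contract for 3.5.1 could not be checked from this page.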