1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
new file mode 100644
index 0000000000..468ff66266
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
@@ -0,0 +1,53 @@
+Backport of:
+From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:42:21 +0100
+Subject: [PATCH] Similar fix for eddsa.
+* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+reduced. Two of the three call sites need that.
+(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
+CVE: CVE-2021-20305 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog    |  3 +++
+ eddsa-hash.c | 10 +++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+#diff --git a/ChangeLog b/ChangeLog
+#index 5f8a22c2..ce330831 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13  Niels MÃ¶ller  <nisse@lysator.liu.se>
+# 
+#+      * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+#+      reduced. Two of the three call sites need that.
+#+
+#       * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
+#       to compute the scalars used for ecc multiplication.
+# 
+Index: nettle-3.5.1/eddsa-hash.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-hash.c
+++ nettle-3.5.1/eddsa-hash.c
+@@ -46,7 +46,12 @@ void
+ _eddsa_hash (const struct ecc_modulo *m,
+             mp_limb_t *rp, const uint8_t *digest)
+ {
+  mp_limb_t cy;
+   size_t nbytes = 1 + m->bit_size / 8;
+   mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes);
+   m->mod (m, rp);
+  mpn_copyi (rp + m->size, rp, m->size);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, rp + m->size, m->size);
+ }

diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch new file mode 100644 index 0000000000..468ff66266 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
@@ -0,0 +1,53 @@
	1	Backport of:
	2
	3	From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
	4	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
	5	Date: Sat, 13 Mar 2021 16:42:21 +0100
	6	Subject: [PATCH] Similar fix for eddsa.
	7
	8	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
	9	reduced. Two of the three call sites need that.
	10
	11	(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
	12
	13
	14	Upstream-Status: Backport
	15	https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
	16	CVE: CVE-2021-20305
	17	Signed-off-by: Armin Kuster <akuster@mvista.com>
	18
	19	---
	20	ChangeLog \| 3 +++
	21	eddsa-hash.c \| 10 +++++++---
	22	2 files changed, 10 insertions(+), 3 deletions(-)
	23
	24	#diff --git a/ChangeLog b/ChangeLog
	25	#index 5f8a22c2..ce330831 100644
	26	#--- a/ChangeLog
	27	#+++ b/ChangeLog
	28	#@@ -1,5 +1,8 @@
	29	# 2021-03-13 Niels MÃ¶ller <nisse@lysator.liu.se>
	30	#
	31	#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
	32	#+ reduced. Two of the three call sites need that.
	33	#+
	34	# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
	35	# to compute the scalars used for ecc multiplication.
	36	#
	37	Index: nettle-3.5.1/eddsa-hash.c
	38	===================================================================
	39	--- nettle-3.5.1.orig/eddsa-hash.c
	40	+++ nettle-3.5.1/eddsa-hash.c
	41	@@ -46,7 +46,12 @@ void
	42	_eddsa_hash (const struct ecc_modulo *m,
	43	mp_limb_t rp, const uint8_t digest)
	44	{
	45	+ mp_limb_t cy;
	46	size_t nbytes = 1 + m->bit_size / 8;
	47	mpn_set_base256_le (rp, 2m->size, digest, 2nbytes);
	48	m->mod (m, rp);
	49	+ mpn_copyi (rp + m->size, rp, m->size);
	50	+ /* Ensure canonical reduction. */
	51	+ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
	52	+ cnd_copy (cy, rp, rp + m->size, m->size);
	53	}