1 files changed, 277 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
new file mode 100644
index 0000000000..ac3a638e72
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
@@ -0,0 +1,277 @@
+From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:31:39 +0200
+Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size.
+Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.
+(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c)
+Upstream-Status: Backport
+CVE: CVE-2021-3580 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog                    | 17 +++++++++-
+ rsa-decrypt-tr.c             |  7 ++---
+ rsa-internal.h               |  4 +--
+ rsa-sec-decrypt.c            |  9 ++++--
+ rsa-sign-tr.c                | 61 +++++++++++++++++-------------------
+ testsuite/rsa-encrypt-test.c | 14 ++++++++-
+ 6 files changed, 69 insertions(+), 43 deletions(-)
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
+++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k
+   mp_size_t key_limb_size;
+   int res;
+ 
+-  key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+  key_limb_size = mpz_size(pub->n);
+ 
+   TMP_GMP_ALLOC (m, key_limb_size);
+   TMP_GMP_ALLOC (em, key->size);
+  mpz_limbs_copy(m, gibberish, key_limb_size);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+-                                 mpz_limbs_read(gibberish),
+-                                 mpz_size(gibberish));
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+ 
+   mpn_get_base256 (em, key->size, m, key_limb_size);
+ 
+Index: nettle-3.5.1/rsa-internal.h
+===================================================================
+--- nettle-3.5.1.orig/rsa-internal.h
+++ nettle-3.5.1/rsa-internal.h
+@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p
+                       mp_limb_t *scratch);
+ 
+ /* Safe side-channel silent variant, using RSA blinding, and checking the
+- * result after CRT. */
+ * result after CRT. In-place calls, with x == m, is allowed. */
+ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+                         const struct rsa_private_key *key,
+                         void *random_ctx, nettle_random_func *random,
+-                        mp_limb_t *x, const mp_limb_t *m, size_t mn);
+                        mp_limb_t *x, const mp_limb_t *m);
+ 
+ #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
+++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_
+   TMP_GMP_ALLOC (m, mpz_size(pub->n));
+   TMP_GMP_ALLOC (em, key->size);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+-                                 mpz_limbs_read(gibberish),
+-                                 mpz_size(gibberish));
+  /* We need a copy because m can be shorter than key_size,
+   * but _rsa_sec_compute_root_tr expect all inputs to be
+   * normalized to a key_size long buffer length */
+  mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
+
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+ 
+   mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+ 
+Index: nettle-3.5.1/rsa-sign-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sign-tr.c
+++ nettle-3.5.1/rsa-sign-tr.c
+@@ -131,35 +131,34 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+                         const struct rsa_private_key *key,
+                         void *random_ctx, nettle_random_func *random,
+-                        mp_limb_t *x, const mp_limb_t *m, size_t mn)
+                        mp_limb_t *x, const mp_limb_t *m)
+ {
+  mp_size_t nn;
+   mpz_t mz;
+   mpz_t xz;
+   int res;
+ 
+-  mpz_init(mz);
+   mpz_init(xz);
+ 
+-  mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
+-  mpz_limbs_finish(mz, mn);
+  nn = mpz_size (pub->n);
+ 
+-  res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
+  res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
+                           mpz_roinit_n(mz, m, nn));
+ 
+   if (res)
+-    mpz_limbs_copy(x, xz, mpz_size(pub->n));
+    mpz_limbs_copy(x, xz, nn);
+ 
+-  mpz_clear(mz);
+   mpz_clear(xz);
+   return res;
+ }
+ #else
+ /* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+-   returns the inverse (ri), for use by rsa_unblind. */
+   returns the inverse (ri), for use by rsa_unblind. Must have c != m,
+   no in-place operation.*/
+ static void
+ rsa_sec_blind (const struct rsa_public_key *pub,
+                void *random_ctx, nettle_random_func *random,
+-               mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m,
+-               mp_size_t mn)
+               mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
+ {
+   const mp_limb_t *ep = mpz_limbs_read (pub->e);
+   const mp_limb_t *np = mpz_limbs_read (pub->n);
+@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k
+ 
+   /* c = m*(r^e) mod n */
+   itch = mpn_sec_powm_itch(nn, ebn, nn);
+-  i2 = mpn_sec_mul_itch(nn, mn);
+  i2 = mpn_sec_mul_itch(nn, nn);
+   itch = MAX(itch, i2);
+-  i2 = mpn_sec_div_r_itch(nn + mn, nn);
+  i2 = mpn_sec_div_r_itch(2*nn, nn);
+   itch = MAX(itch, i2);
+   i2 = mpn_sec_invert_itch(nn);
+   itch = MAX(itch, i2);
+ 
+-  TMP_GMP_ALLOC (tp, nn + mn + itch);
+-  scratch = tp + nn + mn;
+  TMP_GMP_ALLOC (tp, 2*nn  + itch);
+  scratch = tp + 2*nn;
+ 
+   /* ri = r^(-1) */
+   do
+@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k
+   while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
+ 
+   mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
+-  /* normally mn == nn, but m can be smaller in some cases */
+-  mpn_sec_mul (tp, c, nn, m, mn, scratch);
+-  mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
+  mpn_sec_mul (tp, c, nn, m, nn, scratch);
+  mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
+   mpn_copyi(c, tp, nn);
+ 
+   TMP_GMP_FREE (r);
+@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k
+   TMP_GMP_FREE (tp);
+ }
+ 
+-/* m = c ri mod n */
+/* m = c ri mod n. Allows x == c. */
+ static void
+ rsa_sec_unblind (const struct rsa_public_key *pub,
+                  mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
+@@ -299,7 +297,7 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+                         const struct rsa_private_key *key,
+                         void *random_ctx, nettle_random_func *random,
+-                        mp_limb_t *x, const mp_limb_t *m, size_t mn)
+                        mp_limb_t *x, const mp_limb_t *m)
+ {
+   TMP_GMP_DECL (c, mp_limb_t);
+   TMP_GMP_DECL (ri, mp_limb_t);
+@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs
+   size_t key_limb_size;
+   int ret;
+ 
+-  key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+  key_limb_size = mpz_size(pub->n);
+ 
+   /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+      key is invalid and rejected by rsa_private_key_prepare. However,
+@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs
+     }
+ 
+   assert(mpz_size(pub->n) == key_limb_size);
+-  assert(mn <= key_limb_size);
+ 
+   TMP_GMP_ALLOC (c, key_limb_size);
+   TMP_GMP_ALLOC (ri, key_limb_size);
+   TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
+ 
+-  rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
+  rsa_sec_blind (pub, random_ctx, random, c, ri, m);
+ 
+-  _rsa_sec_compute_root(key, c, x, scratch);
+  _rsa_sec_compute_root(key, x, c, scratch);
+ 
+-  ret = rsa_sec_check_root(pub, c, x);
+  ret = rsa_sec_check_root(pub, x, c);
+ 
+-  rsa_sec_unblind(pub, x, ri, c);
+  rsa_sec_unblind(pub, x, ri, x);
+ 
+   cnd_mpn_zero(1 - ret, x, key_limb_size);
+ 
+@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub
+                    mpz_t x, const mpz_t m)
+ {
+   TMP_GMP_DECL (l, mp_limb_t);
+  mp_size_t nn = mpz_size(pub->n);
+   int res;
+ 
+-  mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+-  TMP_GMP_ALLOC (l, l_size);
+  TMP_GMP_ALLOC (l, nn);
+  mpz_limbs_copy(l, m, nn);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+-                                 mpz_limbs_read(m), mpz_size(m));
+  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
+   if (res) {
+-    mp_limb_t *xp = mpz_limbs_write (x, l_size);
+-    mpn_copyi (xp, l, l_size);
+-    mpz_limbs_finish (x, l_size);
+    mp_limb_t *xp = mpz_limbs_write (x, nn);
+    mpn_copyi (xp, l, nn);
+    mpz_limbs_finish (x, nn);
+   }
+ 
+   TMP_GMP_FREE (l);
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
+++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,6 +19,7 @@ test_main(void)
+   uint8_t after;
+ 
+   mpz_t gibberish;
+  mpz_t zero;
+ 
+   rsa_private_key_init(&key);
+   rsa_public_key_init(&pub);
+@@ -101,6 +102,17 @@ test_main(void)
+   ASSERT(decrypted[decrypted_length] == after);
+   ASSERT(decrypted[0] == 'A');
+ 
+  /* Test zero input. */
+  mpz_init_set_ui (zero, 0);
+  decrypted_length = msg_length;
+  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
+  ASSERT(!rsa_decrypt_tr(&pub, &key,
+                        &lfib, (nettle_random_func *) knuth_lfib_random,
+                        &decrypted_length, decrypted, zero));
+  ASSERT(!rsa_sec_decrypt(&pub, &key,
+                         &lfib, (nettle_random_func *) knuth_lfib_random,
+                         decrypted_length, decrypted, zero));
+  ASSERT(decrypted_length == msg_length);
+ 
+   /* Test invalid key. */
+   mpz_add_ui (key.q, key.q, 2);
+@@ -112,6 +124,6 @@ test_main(void)
+   rsa_private_key_clear(&key);
+   rsa_public_key_clear(&pub);
+   mpz_clear(gibberish);
+  mpz_clear(zero);
+   free(decrypted);
+ }
+-

diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch new file mode 100644 index 0000000000..ac3a638e72 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
@@ -0,0 +1,277 @@
	1	From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
	3	Date: Tue, 8 Jun 2021 21:31:39 +0200
	4	Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size.
	5
	6	Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.
	7
	8	(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c)
	9
	10	Upstream-Status: Backport
	11	CVE: CVE-2021-3580 dep#1
	12	Signed-off-by: Armin Kuster <akuster@mvista.com>
	13
	14	---
	15	ChangeLog \| 17 +++++++++-
	16	rsa-decrypt-tr.c \| 7 ++---
	17	rsa-internal.h \| 4 +--
	18	rsa-sec-decrypt.c \| 9 ++++--
	19	rsa-sign-tr.c \| 61 +++++++++++++++++-------------------
	20	testsuite/rsa-encrypt-test.c \| 14 ++++++++-
	21	6 files changed, 69 insertions(+), 43 deletions(-)
	22
	23	Index: nettle-3.5.1/rsa-decrypt-tr.c
	24	===================================================================
	25	--- nettle-3.5.1.orig/rsa-decrypt-tr.c
	26	+++ nettle-3.5.1/rsa-decrypt-tr.c
	27	@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k
	28	mp_size_t key_limb_size;
	29	int res;
	30
	31	- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
	32	+ key_limb_size = mpz_size(pub->n);
	33
	34	TMP_GMP_ALLOC (m, key_limb_size);
	35	TMP_GMP_ALLOC (em, key->size);
	36	+ mpz_limbs_copy(m, gibberish, key_limb_size);
	37
	38	- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
	39	- mpz_limbs_read(gibberish),
	40	- mpz_size(gibberish));
	41	+ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
	42
	43	mpn_get_base256 (em, key->size, m, key_limb_size);
	44
	45	Index: nettle-3.5.1/rsa-internal.h
	46	===================================================================
	47	--- nettle-3.5.1.orig/rsa-internal.h
	48	+++ nettle-3.5.1/rsa-internal.h
	49	@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p
	50	mp_limb_t *scratch);
	51
	52	/* Safe side-channel silent variant, using RSA blinding, and checking the
	53	- * result after CRT. */
	54	+ * result after CRT. In-place calls, with x == m, is allowed. */
	55	int
	56	_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
	57	const struct rsa_private_key *key,
	58	void random_ctx, nettle_random_func random,
	59	- mp_limb_t x, const mp_limb_t m, size_t mn);
	60	+ mp_limb_t x, const mp_limb_t m);
	61
	62	#endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
	63	Index: nettle-3.5.1/rsa-sec-decrypt.c
	64	===================================================================
	65	--- nettle-3.5.1.orig/rsa-sec-decrypt.c
	66	+++ nettle-3.5.1/rsa-sec-decrypt.c
	67	@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_
	68	TMP_GMP_ALLOC (m, mpz_size(pub->n));
	69	TMP_GMP_ALLOC (em, key->size);
	70
	71	- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
	72	- mpz_limbs_read(gibberish),
	73	- mpz_size(gibberish));
	74	+ /* We need a copy because m can be shorter than key_size,
	75	+ * but _rsa_sec_compute_root_tr expect all inputs to be
	76	+ * normalized to a key_size long buffer length */
	77	+ mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
	78	+
	79	+ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
	80
	81	mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
	82
	83	Index: nettle-3.5.1/rsa-sign-tr.c
	84	===================================================================
	85	--- nettle-3.5.1.orig/rsa-sign-tr.c
	86	+++ nettle-3.5.1/rsa-sign-tr.c
	87	@@ -131,35 +131,34 @@ int
	88	_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
	89	const struct rsa_private_key *key,
	90	void random_ctx, nettle_random_func random,
	91	- mp_limb_t x, const mp_limb_t m, size_t mn)
	92	+ mp_limb_t x, const mp_limb_t m)
	93	{
	94	+ mp_size_t nn;
	95	mpz_t mz;
	96	mpz_t xz;
	97	int res;
	98
	99	- mpz_init(mz);
	100	mpz_init(xz);
	101
	102	- mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
	103	- mpz_limbs_finish(mz, mn);
	104	+ nn = mpz_size (pub->n);
	105
	106	- res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
	107	+ res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
	108	+ mpz_roinit_n(mz, m, nn));
	109
	110	if (res)
	111	- mpz_limbs_copy(x, xz, mpz_size(pub->n));
	112	+ mpz_limbs_copy(x, xz, nn);
	113
	114	- mpz_clear(mz);
	115	mpz_clear(xz);
	116	return res;
	117	}
	118	#else
	119	/* Blinds m, by computing c = m r^e (mod n), for a random r. Also
	120	- returns the inverse (ri), for use by rsa_unblind. */
	121	+ returns the inverse (ri), for use by rsa_unblind. Must have c != m,
	122	+ no in-place operation.*/
	123	static void
	124	rsa_sec_blind (const struct rsa_public_key *pub,
	125	void random_ctx, nettle_random_func random,
	126	- mp_limb_t c, mp_limb_t ri, const mp_limb_t *m,
	127	- mp_size_t mn)
	128	+ mp_limb_t c, mp_limb_t ri, const mp_limb_t *m)
	129	{
	130	const mp_limb_t *ep = mpz_limbs_read (pub->e);
	131	const mp_limb_t *np = mpz_limbs_read (pub->n);
	132	@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k
	133
	134	/* c = m(r^e) mod n /
	135	itch = mpn_sec_powm_itch(nn, ebn, nn);
	136	- i2 = mpn_sec_mul_itch(nn, mn);
	137	+ i2 = mpn_sec_mul_itch(nn, nn);
	138	itch = MAX(itch, i2);
	139	- i2 = mpn_sec_div_r_itch(nn + mn, nn);
	140	+ i2 = mpn_sec_div_r_itch(2*nn, nn);
	141	itch = MAX(itch, i2);
	142	i2 = mpn_sec_invert_itch(nn);
	143	itch = MAX(itch, i2);
	144
	145	- TMP_GMP_ALLOC (tp, nn + mn + itch);
	146	- scratch = tp + nn + mn;
	147	+ TMP_GMP_ALLOC (tp, 2*nn + itch);
	148	+ scratch = tp + 2*nn;
	149
	150	/* ri = r^(-1) */
	151	do
	152	@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k
	153	while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
	154
	155	mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
	156	- /* normally mn == nn, but m can be smaller in some cases */
	157	- mpn_sec_mul (tp, c, nn, m, mn, scratch);
	158	- mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
	159	+ mpn_sec_mul (tp, c, nn, m, nn, scratch);
	160	+ mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
	161	mpn_copyi(c, tp, nn);
	162
	163	TMP_GMP_FREE (r);
	164	@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k
	165	TMP_GMP_FREE (tp);
	166	}
	167
	168	-/* m = c ri mod n */
	169	+/* m = c ri mod n. Allows x == c. */
	170	static void
	171	rsa_sec_unblind (const struct rsa_public_key *pub,
	172	mp_limb_t x, mp_limb_t ri, const mp_limb_t *c)
	173	@@ -299,7 +297,7 @@ int
	174	_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
	175	const struct rsa_private_key *key,
	176	void random_ctx, nettle_random_func random,
	177	- mp_limb_t x, const mp_limb_t m, size_t mn)
	178	+ mp_limb_t x, const mp_limb_t m)
	179	{
	180	TMP_GMP_DECL (c, mp_limb_t);
	181	TMP_GMP_DECL (ri, mp_limb_t);
	182	@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs
	183	size_t key_limb_size;
	184	int ret;
	185
	186	- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
	187	+ key_limb_size = mpz_size(pub->n);
	188
	189	/* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
	190	key is invalid and rejected by rsa_private_key_prepare. However,
	191	@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs
	192	}
	193
	194	assert(mpz_size(pub->n) == key_limb_size);
	195	- assert(mn <= key_limb_size);
	196
	197	TMP_GMP_ALLOC (c, key_limb_size);
	198	TMP_GMP_ALLOC (ri, key_limb_size);
	199	TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
	200
	201	- rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
	202	+ rsa_sec_blind (pub, random_ctx, random, c, ri, m);
	203
	204	- _rsa_sec_compute_root(key, c, x, scratch);
	205	+ _rsa_sec_compute_root(key, x, c, scratch);
	206
	207	- ret = rsa_sec_check_root(pub, c, x);
	208	+ ret = rsa_sec_check_root(pub, x, c);
	209
	210	- rsa_sec_unblind(pub, x, ri, c);
	211	+ rsa_sec_unblind(pub, x, ri, x);
	212
	213	cnd_mpn_zero(1 - ret, x, key_limb_size);
	214
	215	@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub
	216	mpz_t x, const mpz_t m)
	217	{
	218	TMP_GMP_DECL (l, mp_limb_t);
	219	+ mp_size_t nn = mpz_size(pub->n);
	220	int res;
	221
	222	- mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
	223	- TMP_GMP_ALLOC (l, l_size);
	224	+ TMP_GMP_ALLOC (l, nn);
	225	+ mpz_limbs_copy(l, m, nn);
	226
	227	- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
	228	- mpz_limbs_read(m), mpz_size(m));
	229	+ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
	230	if (res) {
	231	- mp_limb_t *xp = mpz_limbs_write (x, l_size);
	232	- mpn_copyi (xp, l, l_size);
	233	- mpz_limbs_finish (x, l_size);
	234	+ mp_limb_t *xp = mpz_limbs_write (x, nn);
	235	+ mpn_copyi (xp, l, nn);
	236	+ mpz_limbs_finish (x, nn);
	237	}
	238
	239	TMP_GMP_FREE (l);
	240	Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
	241	===================================================================
	242	--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
	243	+++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
	244	@@ -19,6 +19,7 @@ test_main(void)
	245	uint8_t after;
	246
	247	mpz_t gibberish;
	248	+ mpz_t zero;
	249
	250	rsa_private_key_init(&key);
	251	rsa_public_key_init(&pub);
	252	@@ -101,6 +102,17 @@ test_main(void)
	253	ASSERT(decrypted[decrypted_length] == after);
	254	ASSERT(decrypted[0] == 'A');
	255
	256	+ /* Test zero input. */
	257	+ mpz_init_set_ui (zero, 0);
	258	+ decrypted_length = msg_length;
	259	+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
	260	+ ASSERT(!rsa_decrypt_tr(&pub, &key,
	261	+ &lfib, (nettle_random_func *) knuth_lfib_random,
	262	+ &decrypted_length, decrypted, zero));
	263	+ ASSERT(!rsa_sec_decrypt(&pub, &key,
	264	+ &lfib, (nettle_random_func *) knuth_lfib_random,
	265	+ decrypted_length, decrypted, zero));
	266	+ ASSERT(decrypted_length == msg_length);
	267
	268	/* Test invalid key. */
	269	mpz_add_ui (key.q, key.q, 2);
	270	@@ -112,6 +124,6 @@ test_main(void)
	271	rsa_private_key_clear(&key);
	272	rsa_public_key_clear(&pub);
	273	mpz_clear(gibberish);
	274	+ mpz_clear(zero);
	275	free(decrypted);
	276	}
	277	-