diff options
Diffstat (limited to 'meta/recipes-support/nettle')
8 files changed, 939 insertions, 0 deletions
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch new file mode 100644 index 0000000000..cfc0f382fa --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch | |||
@@ -0,0 +1,215 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Thu, 11 Mar 2021 19:37:41 +0100 | ||
6 | Subject: [PATCH] New functions ecc_mod_mul_canonical and | ||
7 | ecc_mod_sqr_canonical. | ||
8 | |||
9 | * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): | ||
10 | New functions. | ||
11 | * ecc-internal.h: Declare and document new functions. | ||
12 | * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. | ||
13 | * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. | ||
14 | * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. | ||
15 | * ecc-j-to-a.c (ecc_j_to_a): Likewise. | ||
16 | * ecc-mul-m.c (ecc_mul_m): Likewise. | ||
17 | |||
18 | (cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c) | ||
19 | |||
20 | Upstream-Status: Backport | ||
21 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch | ||
22 | CVE: CVE-2021-20305 dep1 | ||
23 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
24 | |||
25 | --- | ||
26 | ChangeLog | 11 +++++++++++ | ||
27 | curve25519-eh-to-x.c | 6 +----- | ||
28 | curve448-eh-to-x.c | 5 +---- | ||
29 | ecc-eh-to-a.c | 12 ++---------- | ||
30 | ecc-internal.h | 15 +++++++++++++++ | ||
31 | ecc-j-to-a.c | 15 +++------------ | ||
32 | ecc-mod-arith.c | 24 ++++++++++++++++++++++++ | ||
33 | ecc-mul-m.c | 6 ++---- | ||
34 | 8 files changed, 59 insertions(+), 35 deletions(-) | ||
35 | |||
36 | #diff --git a/ChangeLog b/ChangeLog | ||
37 | #index fd138d82..5cc5c188 100644 | ||
38 | #--- a/ChangeLog | ||
39 | #+++ b/ChangeLog | ||
40 | #@@ -1,3 +1,14 @@ | ||
41 | #+2021-03-11 Niels Möller <nisse@lysator.liu.se> | ||
42 | #+ | ||
43 | #+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): | ||
44 | #+ New functions. | ||
45 | #+ * ecc-internal.h: Declare and document new functions. | ||
46 | #+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. | ||
47 | #+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. | ||
48 | #+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. | ||
49 | #+ * ecc-j-to-a.c (ecc_j_to_a): Likewise. | ||
50 | #+ * ecc-mul-m.c (ecc_mul_m): Likewise. | ||
51 | #+ | ||
52 | # 2021-02-17 Niels Möller <nisse@lysator.liu.se> | ||
53 | # | ||
54 | # * Released Nettle-3.7.1. | ||
55 | Index: nettle-3.5.1/curve25519-eh-to-x.c | ||
56 | =================================================================== | ||
57 | --- nettle-3.5.1.orig/curve25519-eh-to-x.c | ||
58 | +++ nettle-3.5.1/curve25519-eh-to-x.c | ||
59 | @@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const | ||
60 | #define t2 (scratch + 2*ecc->p.size) | ||
61 | |||
62 | const struct ecc_curve *ecc = &_nettle_curve25519; | ||
63 | - mp_limb_t cy; | ||
64 | |||
65 | /* If u = U/W and v = V/W are the coordiantes of the point on the | ||
66 | Edwards curve we get the curve25519 x coordinate as | ||
67 | @@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const | ||
68 | ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); | ||
69 | |||
70 | ecc_modp_add (ecc, t0, wp, vp); | ||
71 | - ecc_modp_mul (ecc, t2, t0, t1); | ||
72 | - | ||
73 | - cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); | ||
74 | - cnd_copy (cy, xp, t2, ecc->p.size); | ||
75 | + ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2); | ||
76 | #undef vp | ||
77 | #undef wp | ||
78 | #undef t0 | ||
79 | Index: nettle-3.5.1/ecc-eh-to-a.c | ||
80 | =================================================================== | ||
81 | --- nettle-3.5.1.orig/ecc-eh-to-a.c | ||
82 | +++ nettle-3.5.1/ecc-eh-to-a.c | ||
83 | @@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc | ||
84 | /* Needs 2*size + scratch for the invert call. */ | ||
85 | ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); | ||
86 | |||
87 | - ecc_modp_mul (ecc, tp, xp, izp); | ||
88 | - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); | ||
89 | - cnd_copy (cy, r, tp, ecc->p.size); | ||
90 | + ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); | ||
91 | |||
92 | if (op) | ||
93 | { | ||
94 | @@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc | ||
95 | } | ||
96 | return; | ||
97 | } | ||
98 | - ecc_modp_mul (ecc, tp, yp, izp); | ||
99 | - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); | ||
100 | - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); | ||
101 | + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); | ||
102 | } | ||
103 | Index: nettle-3.5.1/ecc-internal.h | ||
104 | =================================================================== | ||
105 | --- nettle-3.5.1.orig/ecc-internal.h | ||
106 | +++ nettle-3.5.1/ecc-internal.h | ||
107 | @@ -49,6 +49,8 @@ | ||
108 | #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 | ||
109 | #define ecc_mod_mul _nettle_ecc_mod_mul | ||
110 | #define ecc_mod_sqr _nettle_ecc_mod_sqr | ||
111 | +#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical | ||
112 | +#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical | ||
113 | #define ecc_mod_random _nettle_ecc_mod_random | ||
114 | #define ecc_mod _nettle_ecc_mod | ||
115 | #define ecc_mod_inv _nettle_ecc_mod_inv | ||
116 | @@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m, | ||
117 | #define ecc_modq_mul(ecc, r, a, b) \ | ||
118 | ecc_mod_mul (&(ecc)->q, (r), (a), (b)) | ||
119 | |||
120 | +/* These mul and sqr functions produce a canonical result, 0 <= R < M. | ||
121 | + Requirements on input and output areas are similar to the above | ||
122 | + functions, except that it is *not* allowed to pass rp = rp + | ||
123 | + m->size. | ||
124 | + */ | ||
125 | +void | ||
126 | +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, | ||
127 | + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); | ||
128 | + | ||
129 | +void | ||
130 | +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, | ||
131 | + const mp_limb_t *ap, mp_limb_t *tp); | ||
132 | + | ||
133 | /* mod q operations. */ | ||
134 | void | ||
135 | ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, | ||
136 | Index: nettle-3.5.1/ecc-j-to-a.c | ||
137 | =================================================================== | ||
138 | --- nettle-3.5.1.orig/ecc-j-to-a.c | ||
139 | +++ nettle-3.5.1/ecc-j-to-a.c | ||
140 | @@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc, | ||
141 | #define izBp (scratch + 3*ecc->p.size) | ||
142 | #define tp scratch | ||
143 | |||
144 | - mp_limb_t cy; | ||
145 | - | ||
146 | if (ecc->use_redc) | ||
147 | { | ||
148 | /* Set v = (r_z / B^2)^-1, | ||
149 | @@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc, | ||
150 | ecc_modp_sqr (ecc, iz2p, izp); | ||
151 | } | ||
152 | |||
153 | - ecc_modp_mul (ecc, iz3p, iz2p, p); | ||
154 | - /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so | ||
155 | - do a conditional subtraction. */ | ||
156 | - cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); | ||
157 | - cnd_copy (cy, r, iz3p, ecc->p.size); | ||
158 | + ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); | ||
159 | |||
160 | if (op) | ||
161 | { | ||
162 | /* Skip y coordinate */ | ||
163 | if (op > 1) | ||
164 | { | ||
165 | + mp_limb_t cy; | ||
166 | /* Also reduce the x coordinate mod ecc->q. It should | ||
167 | already be < 2*ecc->q, so one subtraction should | ||
168 | suffice. */ | ||
169 | @@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc, | ||
170 | return; | ||
171 | } | ||
172 | ecc_modp_mul (ecc, iz3p, iz2p, izp); | ||
173 | - ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); | ||
174 | - /* And a similar subtraction. */ | ||
175 | - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); | ||
176 | - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); | ||
177 | + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p); | ||
178 | |||
179 | #undef izp | ||
180 | #undef up | ||
181 | Index: nettle-3.5.1/ecc-mod-arith.c | ||
182 | =================================================================== | ||
183 | --- nettle-3.5.1.orig/ecc-mod-arith.c | ||
184 | +++ nettle-3.5.1/ecc-mod-arith.c | ||
185 | @@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m, | ||
186 | } | ||
187 | |||
188 | void | ||
189 | +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, | ||
190 | + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) | ||
191 | +{ | ||
192 | + mp_limb_t cy; | ||
193 | + mpn_mul_n (tp + m->size, ap, bp, m->size); | ||
194 | + m->reduce (m, tp + m->size); | ||
195 | + | ||
196 | + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); | ||
197 | + cnd_copy (cy, rp, tp + m->size, m->size); | ||
198 | +} | ||
199 | + | ||
200 | +void | ||
201 | +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, | ||
202 | + const mp_limb_t *ap, mp_limb_t *tp) | ||
203 | +{ | ||
204 | + mp_limb_t cy; | ||
205 | + mpn_sqr (tp + m->size, ap, m->size); | ||
206 | + m->reduce (m, tp + m->size); | ||
207 | + | ||
208 | + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); | ||
209 | + cnd_copy (cy, rp, tp + m->size, m->size); | ||
210 | +} | ||
211 | + | ||
212 | +void | ||
213 | ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, | ||
214 | const mp_limb_t *ap) | ||
215 | { | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch new file mode 100644 index 0000000000..bb56b14c8c --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Sat, 13 Mar 2021 17:26:37 +0100 | ||
6 | Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison. | ||
7 | |||
8 | * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. | ||
9 | |||
10 | (cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906) | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch | ||
14 | CVE: CVE-2021-20305 dep2 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | ChangeLog | 4 ++++ | ||
19 | eddsa-verify.c | 9 ++------- | ||
20 | 2 files changed, 6 insertions(+), 7 deletions(-) | ||
21 | |||
22 | #diff --git a/ChangeLog b/ChangeLog | ||
23 | #index 5cc5c188..2a9217a6 100644 | ||
24 | #--- a/ChangeLog | ||
25 | #+++ b/ChangeLog | ||
26 | #@@ -1,3 +1,7 @@ | ||
27 | #+2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
28 | #+ | ||
29 | #+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. | ||
30 | #+ | ||
31 | # 2021-03-11 Niels Möller <nisse@lysator.liu.se> | ||
32 | # | ||
33 | # * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): | ||
34 | Index: nettle-3.5.1/eddsa-verify.c | ||
35 | =================================================================== | ||
36 | --- nettle-3.5.1.orig/eddsa-verify.c | ||
37 | +++ nettle-3.5.1/eddsa-verify.c | ||
38 | @@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p, | ||
39 | #define t0 scratch | ||
40 | #define t1 (scratch + p->size) | ||
41 | |||
42 | - ecc_mod_mul (p, t0, x1, z2); | ||
43 | - if (mpn_cmp (t0, p->m, p->size) >= 0) | ||
44 | - mpn_sub_n (t0, t0, p->m, p->size); | ||
45 | - | ||
46 | - ecc_mod_mul (p, t1, x2, z1); | ||
47 | - if (mpn_cmp (t1, p->m, p->size) >= 0) | ||
48 | - mpn_sub_n (t1, t1, p->m, p->size); | ||
49 | + ecc_mod_mul_canonical (p, t0, x1, z2, t0); | ||
50 | + ecc_mod_mul_canonical (p, t1, x2, z1, t1); | ||
51 | |||
52 | return mpn_cmp (t0, t1, p->size) == 0; | ||
53 | |||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch new file mode 100644 index 0000000000..15a892ecdf --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Sat, 13 Mar 2021 15:19:19 +0100 | ||
6 | Subject: [PATCH] Fix bug in ecc_ecdsa_verify. | ||
7 | |||
8 | * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical | ||
9 | to compute the scalars used for ecc multiplication. | ||
10 | * testsuite/ecdsa-verify-test.c (test_main): Add test case that | ||
11 | triggers an assert on 64-bit platforms, without above fix. | ||
12 | * testsuite/ecdsa-sign-test.c (test_main): Test case generating | ||
13 | the same signature. | ||
14 | |||
15 | (cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f) | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch | ||
19 | CVE: CVE-2021-20305 dep3 | ||
20 | [Minor fixup on _nettle_secp_224r1] | ||
21 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
22 | |||
23 | --- | ||
24 | ChangeLog | 10 +++++++++- | ||
25 | ecc-ecdsa-verify.c | 4 ++-- | ||
26 | testsuite/ecdsa-sign-test.c | 13 +++++++++++++ | ||
27 | testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++ | ||
28 | 4 files changed, 44 insertions(+), 3 deletions(-) | ||
29 | |||
30 | #diff --git a/ChangeLog b/ChangeLog | ||
31 | #index 2a9217a6..63848f53 100644 | ||
32 | #--- a/ChangeLog | ||
33 | #+++ b/ChangeLog | ||
34 | #@@ -1,7 +1,15 @@ | ||
35 | # 2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
36 | # | ||
37 | #- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. | ||
38 | #+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical | ||
39 | #+ to compute the scalars used for ecc multiplication. | ||
40 | #+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that | ||
41 | #+ triggers an assert on 64-bit platforms, without above fix. | ||
42 | #+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating | ||
43 | #+ the same signature. | ||
44 | #+ | ||
45 | #+2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
46 | # | ||
47 | #+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. | ||
48 | # 2021-03-11 Niels Möller <nisse@lysator.liu.se> | ||
49 | # | ||
50 | # * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): | ||
51 | Index: nettle-3.5.1/ecc-ecdsa-verify.c | ||
52 | =================================================================== | ||
53 | --- nettle-3.5.1.orig/ecc-ecdsa-verify.c | ||
54 | +++ nettle-3.5.1/ecc-ecdsa-verify.c | ||
55 | @@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve | ||
56 | |||
57 | /* u1 = h / s, P1 = u1 * G */ | ||
58 | ecc_hash (&ecc->q, hp, length, digest); | ||
59 | - ecc_modq_mul (ecc, u1, hp, sinv); | ||
60 | + ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1); | ||
61 | |||
62 | /* u2 = r / s, P2 = u2 * Y */ | ||
63 | - ecc_modq_mul (ecc, u2, rp, sinv); | ||
64 | + ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2); | ||
65 | |||
66 | /* Total storage: 5*ecc->p.size + ecc->mul_itch */ | ||
67 | ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); | ||
68 | Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c | ||
69 | =================================================================== | ||
70 | --- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c | ||
71 | +++ nettle-3.5.1/testsuite/ecdsa-sign-test.c | ||
72 | @@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc, | ||
73 | void | ||
74 | test_main (void) | ||
75 | { | ||
76 | + /* Producing the signature for corresponding test in | ||
77 | + ecdsa-verify-test.c, with special u1 and u2. */ | ||
78 | + test_ecdsa (&_nettle_secp_224r1, | ||
79 | + "99b5b787484def12894ca507058b3bf5" | ||
80 | + "43d72d82fa7721d2e805e5e6", | ||
81 | + "2", | ||
82 | + SHEX("cdb887ac805a3b42e22d224c85482053" | ||
83 | + "16c755d4a736bb2032c92553"), | ||
84 | + "706a46dc76dcb76798e60e6d89474788" | ||
85 | + "d16dc18032d268fd1a704fa6", /* r */ | ||
86 | + "3a41e1423b1853e8aa89747b1f987364" | ||
87 | + "44705d6d6d8371ea1f578f2e"); /* s */ | ||
88 | + | ||
89 | /* Test cases for the smaller groups, verified with a | ||
90 | proof-of-concept implementation done for Yubico AB. */ | ||
91 | test_ecdsa (&_nettle_secp_192r1, | ||
92 | Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c | ||
93 | =================================================================== | ||
94 | --- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c | ||
95 | +++ nettle-3.5.1/testsuite/ecdsa-verify-test.c | ||
96 | @@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc, | ||
97 | void | ||
98 | test_main (void) | ||
99 | { | ||
100 | + /* Corresponds to nonce k = 2 and private key z = | ||
101 | + 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and | ||
102 | + hash are chosen so that intermediate scalars in the verify | ||
103 | + equations are u1 = 0x6b245680e700, u2 = | ||
104 | + 259da6542d4ba7d21ad916c3bd57f811. These values require canonical | ||
105 | + reduction of the scalars. Bug caused by missing canonical | ||
106 | + reduction reported by Guido Vranken. */ | ||
107 | + test_ecdsa (&_nettle_secp_224r1, | ||
108 | + "9e7e6cc6b1bdfa8ee039b66ad85e5490" | ||
109 | + "7be706a900a3cba1c8fdd014", /* x */ | ||
110 | + "74855db3f7c1b4097ae095745fc915e3" | ||
111 | + "8a79d2a1de28f282eafb22ba", /* y */ | ||
112 | + | ||
113 | + SHEX("cdb887ac805a3b42e22d224c85482053" | ||
114 | + "16c755d4a736bb2032c92553"), | ||
115 | + "706a46dc76dcb76798e60e6d89474788" | ||
116 | + "d16dc18032d268fd1a704fa6", /* r */ | ||
117 | + "3a41e1423b1853e8aa89747b1f987364" | ||
118 | + "44705d6d6d8371ea1f578f2e"); /* s */ | ||
119 | + | ||
120 | /* From RFC 4754 */ | ||
121 | test_ecdsa (&_nettle_secp_256r1, | ||
122 | "2442A5CC 0ECD015F A3CA31DC 8E2BBC70" | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch new file mode 100644 index 0000000000..54b4fa584c --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Sat, 13 Mar 2021 16:27:50 +0100 | ||
6 | Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced. | ||
7 | |||
8 | * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to | ||
9 | canonical range. | ||
10 | |||
11 | (cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398) | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch | ||
15 | CVE: CVE-2021-20305 dep4 | ||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | --- | ||
19 | ChangeLog | 3 +++ | ||
20 | ecc-ecdsa-sign.c | 3 +-- | ||
21 | 2 files changed, 4 insertions(+), 2 deletions(-) | ||
22 | |||
23 | #diff --git a/ChangeLog b/ChangeLog | ||
24 | #index 63848f53..fb2d7f66 100644 | ||
25 | #--- a/ChangeLog | ||
26 | #+++ b/ChangeLog | ||
27 | #@@ -1,5 +1,8 @@ | ||
28 | # 2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
29 | # | ||
30 | #+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to | ||
31 | #+ canonical range. | ||
32 | #+ | ||
33 | # * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical | ||
34 | # to compute the scalars used for ecc multiplication. | ||
35 | # * testsuite/ecdsa-verify-test.c (test_main): Add test case that | ||
36 | --- a/ecc-ecdsa-sign.c | ||
37 | +++ b/ecc-ecdsa-sign.c | ||
38 | @@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve * | ||
39 | |||
40 | ecc_modq_mul (ecc, tp, zp, rp); | ||
41 | ecc_modq_add (ecc, hp, hp, tp); | ||
42 | - ecc_modq_mul (ecc, tp, hp, kinv); | ||
43 | + ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); | ||
44 | |||
45 | - mpn_copyi (sp, tp, ecc->p.size); | ||
46 | #undef P | ||
47 | #undef hp | ||
48 | #undef kinv | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch new file mode 100644 index 0000000000..468ff66266 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001 | ||
4 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
5 | Date: Sat, 13 Mar 2021 16:42:21 +0100 | ||
6 | Subject: [PATCH] Similar fix for eddsa. | ||
7 | |||
8 | * eddsa-hash.c (_eddsa_hash): Ensure result is canonically | ||
9 | reduced. Two of the three call sites need that. | ||
10 | |||
11 | (cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288) | ||
12 | |||
13 | |||
14 | Upstream-Status: Backport | ||
15 | https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch | ||
16 | CVE: CVE-2021-20305 | ||
17 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
18 | |||
19 | --- | ||
20 | ChangeLog | 3 +++ | ||
21 | eddsa-hash.c | 10 +++++++--- | ||
22 | 2 files changed, 10 insertions(+), 3 deletions(-) | ||
23 | |||
24 | #diff --git a/ChangeLog b/ChangeLog | ||
25 | #index 5f8a22c2..ce330831 100644 | ||
26 | #--- a/ChangeLog | ||
27 | #+++ b/ChangeLog | ||
28 | #@@ -1,5 +1,8 @@ | ||
29 | # 2021-03-13 Niels Möller <nisse@lysator.liu.se> | ||
30 | # | ||
31 | #+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically | ||
32 | #+ reduced. Two of the three call sites need that. | ||
33 | #+ | ||
34 | # * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical | ||
35 | # to compute the scalars used for ecc multiplication. | ||
36 | # | ||
37 | Index: nettle-3.5.1/eddsa-hash.c | ||
38 | =================================================================== | ||
39 | --- nettle-3.5.1.orig/eddsa-hash.c | ||
40 | +++ nettle-3.5.1/eddsa-hash.c | ||
41 | @@ -46,7 +46,12 @@ void | ||
42 | _eddsa_hash (const struct ecc_modulo *m, | ||
43 | mp_limb_t *rp, const uint8_t *digest) | ||
44 | { | ||
45 | + mp_limb_t cy; | ||
46 | size_t nbytes = 1 + m->bit_size / 8; | ||
47 | mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes); | ||
48 | m->mod (m, rp); | ||
49 | + mpn_copyi (rp + m->size, rp, m->size); | ||
50 | + /* Ensure canonical reduction. */ | ||
51 | + cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); | ||
52 | + cnd_copy (cy, rp, rp + m->size, m->size); | ||
53 | } | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch new file mode 100644 index 0000000000..ac3a638e72 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch | |||
@@ -0,0 +1,277 @@ | |||
1 | From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
3 | Date: Tue, 8 Jun 2021 21:31:39 +0200 | ||
4 | Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size. | ||
5 | |||
6 | Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug. | ||
7 | |||
8 | (cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c) | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2021-3580 dep#1 | ||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | ChangeLog | 17 +++++++++- | ||
16 | rsa-decrypt-tr.c | 7 ++--- | ||
17 | rsa-internal.h | 4 +-- | ||
18 | rsa-sec-decrypt.c | 9 ++++-- | ||
19 | rsa-sign-tr.c | 61 +++++++++++++++++------------------- | ||
20 | testsuite/rsa-encrypt-test.c | 14 ++++++++- | ||
21 | 6 files changed, 69 insertions(+), 43 deletions(-) | ||
22 | |||
23 | Index: nettle-3.5.1/rsa-decrypt-tr.c | ||
24 | =================================================================== | ||
25 | --- nettle-3.5.1.orig/rsa-decrypt-tr.c | ||
26 | +++ nettle-3.5.1/rsa-decrypt-tr.c | ||
27 | @@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k | ||
28 | mp_size_t key_limb_size; | ||
29 | int res; | ||
30 | |||
31 | - key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); | ||
32 | + key_limb_size = mpz_size(pub->n); | ||
33 | |||
34 | TMP_GMP_ALLOC (m, key_limb_size); | ||
35 | TMP_GMP_ALLOC (em, key->size); | ||
36 | + mpz_limbs_copy(m, gibberish, key_limb_size); | ||
37 | |||
38 | - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, | ||
39 | - mpz_limbs_read(gibberish), | ||
40 | - mpz_size(gibberish)); | ||
41 | + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); | ||
42 | |||
43 | mpn_get_base256 (em, key->size, m, key_limb_size); | ||
44 | |||
45 | Index: nettle-3.5.1/rsa-internal.h | ||
46 | =================================================================== | ||
47 | --- nettle-3.5.1.orig/rsa-internal.h | ||
48 | +++ nettle-3.5.1/rsa-internal.h | ||
49 | @@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p | ||
50 | mp_limb_t *scratch); | ||
51 | |||
52 | /* Safe side-channel silent variant, using RSA blinding, and checking the | ||
53 | - * result after CRT. */ | ||
54 | + * result after CRT. In-place calls, with x == m, is allowed. */ | ||
55 | int | ||
56 | _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, | ||
57 | const struct rsa_private_key *key, | ||
58 | void *random_ctx, nettle_random_func *random, | ||
59 | - mp_limb_t *x, const mp_limb_t *m, size_t mn); | ||
60 | + mp_limb_t *x, const mp_limb_t *m); | ||
61 | |||
62 | #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */ | ||
63 | Index: nettle-3.5.1/rsa-sec-decrypt.c | ||
64 | =================================================================== | ||
65 | --- nettle-3.5.1.orig/rsa-sec-decrypt.c | ||
66 | +++ nettle-3.5.1/rsa-sec-decrypt.c | ||
67 | @@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_ | ||
68 | TMP_GMP_ALLOC (m, mpz_size(pub->n)); | ||
69 | TMP_GMP_ALLOC (em, key->size); | ||
70 | |||
71 | - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, | ||
72 | - mpz_limbs_read(gibberish), | ||
73 | - mpz_size(gibberish)); | ||
74 | + /* We need a copy because m can be shorter than key_size, | ||
75 | + * but _rsa_sec_compute_root_tr expect all inputs to be | ||
76 | + * normalized to a key_size long buffer length */ | ||
77 | + mpz_limbs_copy(m, gibberish, mpz_size(pub->n)); | ||
78 | + | ||
79 | + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); | ||
80 | |||
81 | mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); | ||
82 | |||
83 | Index: nettle-3.5.1/rsa-sign-tr.c | ||
84 | =================================================================== | ||
85 | --- nettle-3.5.1.orig/rsa-sign-tr.c | ||
86 | +++ nettle-3.5.1/rsa-sign-tr.c | ||
87 | @@ -131,35 +131,34 @@ int | ||
88 | _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, | ||
89 | const struct rsa_private_key *key, | ||
90 | void *random_ctx, nettle_random_func *random, | ||
91 | - mp_limb_t *x, const mp_limb_t *m, size_t mn) | ||
92 | + mp_limb_t *x, const mp_limb_t *m) | ||
93 | { | ||
94 | + mp_size_t nn; | ||
95 | mpz_t mz; | ||
96 | mpz_t xz; | ||
97 | int res; | ||
98 | |||
99 | - mpz_init(mz); | ||
100 | mpz_init(xz); | ||
101 | |||
102 | - mpn_copyi(mpz_limbs_write(mz, mn), m, mn); | ||
103 | - mpz_limbs_finish(mz, mn); | ||
104 | + nn = mpz_size (pub->n); | ||
105 | |||
106 | - res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz); | ||
107 | + res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, | ||
108 | + mpz_roinit_n(mz, m, nn)); | ||
109 | |||
110 | if (res) | ||
111 | - mpz_limbs_copy(x, xz, mpz_size(pub->n)); | ||
112 | + mpz_limbs_copy(x, xz, nn); | ||
113 | |||
114 | - mpz_clear(mz); | ||
115 | mpz_clear(xz); | ||
116 | return res; | ||
117 | } | ||
118 | #else | ||
119 | /* Blinds m, by computing c = m r^e (mod n), for a random r. Also | ||
120 | - returns the inverse (ri), for use by rsa_unblind. */ | ||
121 | + returns the inverse (ri), for use by rsa_unblind. Must have c != m, | ||
122 | + no in-place operation.*/ | ||
123 | static void | ||
124 | rsa_sec_blind (const struct rsa_public_key *pub, | ||
125 | void *random_ctx, nettle_random_func *random, | ||
126 | - mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m, | ||
127 | - mp_size_t mn) | ||
128 | + mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m) | ||
129 | { | ||
130 | const mp_limb_t *ep = mpz_limbs_read (pub->e); | ||
131 | const mp_limb_t *np = mpz_limbs_read (pub->n); | ||
132 | @@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k | ||
133 | |||
134 | /* c = m*(r^e) mod n */ | ||
135 | itch = mpn_sec_powm_itch(nn, ebn, nn); | ||
136 | - i2 = mpn_sec_mul_itch(nn, mn); | ||
137 | + i2 = mpn_sec_mul_itch(nn, nn); | ||
138 | itch = MAX(itch, i2); | ||
139 | - i2 = mpn_sec_div_r_itch(nn + mn, nn); | ||
140 | + i2 = mpn_sec_div_r_itch(2*nn, nn); | ||
141 | itch = MAX(itch, i2); | ||
142 | i2 = mpn_sec_invert_itch(nn); | ||
143 | itch = MAX(itch, i2); | ||
144 | |||
145 | - TMP_GMP_ALLOC (tp, nn + mn + itch); | ||
146 | - scratch = tp + nn + mn; | ||
147 | + TMP_GMP_ALLOC (tp, 2*nn + itch); | ||
148 | + scratch = tp + 2*nn; | ||
149 | |||
150 | /* ri = r^(-1) */ | ||
151 | do | ||
152 | @@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k | ||
153 | while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch)); | ||
154 | |||
155 | mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch); | ||
156 | - /* normally mn == nn, but m can be smaller in some cases */ | ||
157 | - mpn_sec_mul (tp, c, nn, m, mn, scratch); | ||
158 | - mpn_sec_div_r (tp, nn + mn, np, nn, scratch); | ||
159 | + mpn_sec_mul (tp, c, nn, m, nn, scratch); | ||
160 | + mpn_sec_div_r (tp, 2*nn, np, nn, scratch); | ||
161 | mpn_copyi(c, tp, nn); | ||
162 | |||
163 | TMP_GMP_FREE (r); | ||
164 | @@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k | ||
165 | TMP_GMP_FREE (tp); | ||
166 | } | ||
167 | |||
168 | -/* m = c ri mod n */ | ||
169 | +/* m = c ri mod n. Allows x == c. */ | ||
170 | static void | ||
171 | rsa_sec_unblind (const struct rsa_public_key *pub, | ||
172 | mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c) | ||
173 | @@ -299,7 +297,7 @@ int | ||
174 | _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, | ||
175 | const struct rsa_private_key *key, | ||
176 | void *random_ctx, nettle_random_func *random, | ||
177 | - mp_limb_t *x, const mp_limb_t *m, size_t mn) | ||
178 | + mp_limb_t *x, const mp_limb_t *m) | ||
179 | { | ||
180 | TMP_GMP_DECL (c, mp_limb_t); | ||
181 | TMP_GMP_DECL (ri, mp_limb_t); | ||
182 | @@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs | ||
183 | size_t key_limb_size; | ||
184 | int ret; | ||
185 | |||
186 | - key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); | ||
187 | + key_limb_size = mpz_size(pub->n); | ||
188 | |||
189 | /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the | ||
190 | key is invalid and rejected by rsa_private_key_prepare. However, | ||
191 | @@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs | ||
192 | } | ||
193 | |||
194 | assert(mpz_size(pub->n) == key_limb_size); | ||
195 | - assert(mn <= key_limb_size); | ||
196 | |||
197 | TMP_GMP_ALLOC (c, key_limb_size); | ||
198 | TMP_GMP_ALLOC (ri, key_limb_size); | ||
199 | TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); | ||
200 | |||
201 | - rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn); | ||
202 | + rsa_sec_blind (pub, random_ctx, random, c, ri, m); | ||
203 | |||
204 | - _rsa_sec_compute_root(key, c, x, scratch); | ||
205 | + _rsa_sec_compute_root(key, x, c, scratch); | ||
206 | |||
207 | - ret = rsa_sec_check_root(pub, c, x); | ||
208 | + ret = rsa_sec_check_root(pub, x, c); | ||
209 | |||
210 | - rsa_sec_unblind(pub, x, ri, c); | ||
211 | + rsa_sec_unblind(pub, x, ri, x); | ||
212 | |||
213 | cnd_mpn_zero(1 - ret, x, key_limb_size); | ||
214 | |||
215 | @@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub | ||
216 | mpz_t x, const mpz_t m) | ||
217 | { | ||
218 | TMP_GMP_DECL (l, mp_limb_t); | ||
219 | + mp_size_t nn = mpz_size(pub->n); | ||
220 | int res; | ||
221 | |||
222 | - mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); | ||
223 | - TMP_GMP_ALLOC (l, l_size); | ||
224 | + TMP_GMP_ALLOC (l, nn); | ||
225 | + mpz_limbs_copy(l, m, nn); | ||
226 | |||
227 | - res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, | ||
228 | - mpz_limbs_read(m), mpz_size(m)); | ||
229 | + res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l); | ||
230 | if (res) { | ||
231 | - mp_limb_t *xp = mpz_limbs_write (x, l_size); | ||
232 | - mpn_copyi (xp, l, l_size); | ||
233 | - mpz_limbs_finish (x, l_size); | ||
234 | + mp_limb_t *xp = mpz_limbs_write (x, nn); | ||
235 | + mpn_copyi (xp, l, nn); | ||
236 | + mpz_limbs_finish (x, nn); | ||
237 | } | ||
238 | |||
239 | TMP_GMP_FREE (l); | ||
240 | Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c | ||
241 | =================================================================== | ||
242 | --- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c | ||
243 | +++ nettle-3.5.1/testsuite/rsa-encrypt-test.c | ||
244 | @@ -19,6 +19,7 @@ test_main(void) | ||
245 | uint8_t after; | ||
246 | |||
247 | mpz_t gibberish; | ||
248 | + mpz_t zero; | ||
249 | |||
250 | rsa_private_key_init(&key); | ||
251 | rsa_public_key_init(&pub); | ||
252 | @@ -101,6 +102,17 @@ test_main(void) | ||
253 | ASSERT(decrypted[decrypted_length] == after); | ||
254 | ASSERT(decrypted[0] == 'A'); | ||
255 | |||
256 | + /* Test zero input. */ | ||
257 | + mpz_init_set_ui (zero, 0); | ||
258 | + decrypted_length = msg_length; | ||
259 | + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero)); | ||
260 | + ASSERT(!rsa_decrypt_tr(&pub, &key, | ||
261 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
262 | + &decrypted_length, decrypted, zero)); | ||
263 | + ASSERT(!rsa_sec_decrypt(&pub, &key, | ||
264 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
265 | + decrypted_length, decrypted, zero)); | ||
266 | + ASSERT(decrypted_length == msg_length); | ||
267 | |||
268 | /* Test invalid key. */ | ||
269 | mpz_add_ui (key.q, key.q, 2); | ||
270 | @@ -112,6 +124,6 @@ test_main(void) | ||
271 | rsa_private_key_clear(&key); | ||
272 | rsa_public_key_clear(&pub); | ||
273 | mpz_clear(gibberish); | ||
274 | + mpz_clear(zero); | ||
275 | free(decrypted); | ||
276 | } | ||
277 | - | ||
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch new file mode 100644 index 0000000000..18e952ddf7 --- /dev/null +++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch | |||
@@ -0,0 +1,163 @@ | |||
1 | From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se> | ||
3 | Date: Tue, 8 Jun 2021 21:32:38 +0200 | ||
4 | Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions. | ||
5 | |||
6 | (cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe) | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2021-3580 | ||
10 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
11 | |||
12 | --- | ||
13 | ChangeLog | 10 +++++++++- | ||
14 | rsa-decrypt-tr.c | 4 ++++ | ||
15 | rsa-decrypt.c | 10 ++++++++++ | ||
16 | rsa-sec-decrypt.c | 4 ++++ | ||
17 | rsa.h | 5 +++-- | ||
18 | testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------ | ||
19 | 6 files changed, 62 insertions(+), 9 deletions(-) | ||
20 | |||
21 | Index: nettle-3.5.1/rsa-decrypt-tr.c | ||
22 | =================================================================== | ||
23 | --- nettle-3.5.1.orig/rsa-decrypt-tr.c | ||
24 | +++ nettle-3.5.1/rsa-decrypt-tr.c | ||
25 | @@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k | ||
26 | mp_size_t key_limb_size; | ||
27 | int res; | ||
28 | |||
29 | + /* First check that input is in range. */ | ||
30 | + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) | ||
31 | + return 0; | ||
32 | + | ||
33 | key_limb_size = mpz_size(pub->n); | ||
34 | |||
35 | TMP_GMP_ALLOC (m, key_limb_size); | ||
36 | Index: nettle-3.5.1/rsa-decrypt.c | ||
37 | =================================================================== | ||
38 | --- nettle-3.5.1.orig/rsa-decrypt.c | ||
39 | +++ nettle-3.5.1/rsa-decrypt.c | ||
40 | @@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key | ||
41 | int res; | ||
42 | |||
43 | mpz_init(m); | ||
44 | + | ||
45 | + /* First check that input is in range. Since we don't have the | ||
46 | + public key available here, we need to reconstruct n. */ | ||
47 | + mpz_mul (m, key->p, key->q); | ||
48 | + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0) | ||
49 | + { | ||
50 | + mpz_clear (m); | ||
51 | + return 0; | ||
52 | + } | ||
53 | + | ||
54 | rsa_compute_root(key, m, gibberish); | ||
55 | |||
56 | res = pkcs1_decrypt (key->size, m, length, message); | ||
57 | Index: nettle-3.5.1/rsa-sec-decrypt.c | ||
58 | =================================================================== | ||
59 | --- nettle-3.5.1.orig/rsa-sec-decrypt.c | ||
60 | +++ nettle-3.5.1/rsa-sec-decrypt.c | ||
61 | @@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_ | ||
62 | TMP_GMP_DECL (em, uint8_t); | ||
63 | int res; | ||
64 | |||
65 | + /* First check that input is in range. */ | ||
66 | + if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) | ||
67 | + return 0; | ||
68 | + | ||
69 | TMP_GMP_ALLOC (m, mpz_size(pub->n)); | ||
70 | TMP_GMP_ALLOC (em, key->size); | ||
71 | |||
72 | Index: nettle-3.5.1/rsa.h | ||
73 | =================================================================== | ||
74 | --- nettle-3.5.1.orig/rsa.h | ||
75 | +++ nettle-3.5.1/rsa.h | ||
76 | @@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_ | ||
77 | size_t length, uint8_t *message, | ||
78 | const mpz_t gibberish); | ||
79 | |||
80 | -/* Compute x, the e:th root of m. Calling it with x == m is allowed. */ | ||
81 | +/* Compute x, the e:th root of m. Calling it with x == m is allowed. | ||
82 | + It is required that 0 <= m < n. */ | ||
83 | void | ||
84 | rsa_compute_root(const struct rsa_private_key *key, | ||
85 | mpz_t x, const mpz_t m); | ||
86 | |||
87 | /* Safer variant, using RSA blinding, and checking the result after | ||
88 | - CRT. */ | ||
89 | + CRT. It is required that 0 <= m < n. */ | ||
90 | int | ||
91 | rsa_compute_root_tr(const struct rsa_public_key *pub, | ||
92 | const struct rsa_private_key *key, | ||
93 | Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c | ||
94 | =================================================================== | ||
95 | --- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c | ||
96 | +++ nettle-3.5.1/testsuite/rsa-encrypt-test.c | ||
97 | @@ -19,11 +19,12 @@ test_main(void) | ||
98 | uint8_t after; | ||
99 | |||
100 | mpz_t gibberish; | ||
101 | - mpz_t zero; | ||
102 | + mpz_t bad_input; | ||
103 | |||
104 | rsa_private_key_init(&key); | ||
105 | rsa_public_key_init(&pub); | ||
106 | mpz_init(gibberish); | ||
107 | + mpz_init(bad_input); | ||
108 | |||
109 | knuth_lfib_init(&lfib, 17); | ||
110 | |||
111 | @@ -103,15 +104,40 @@ test_main(void) | ||
112 | ASSERT(decrypted[0] == 'A'); | ||
113 | |||
114 | /* Test zero input. */ | ||
115 | - mpz_init_set_ui (zero, 0); | ||
116 | + mpz_set_ui (bad_input, 0); | ||
117 | decrypted_length = msg_length; | ||
118 | - ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero)); | ||
119 | + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); | ||
120 | ASSERT(!rsa_decrypt_tr(&pub, &key, | ||
121 | &lfib, (nettle_random_func *) knuth_lfib_random, | ||
122 | - &decrypted_length, decrypted, zero)); | ||
123 | + &decrypted_length, decrypted, bad_input)); | ||
124 | ASSERT(!rsa_sec_decrypt(&pub, &key, | ||
125 | &lfib, (nettle_random_func *) knuth_lfib_random, | ||
126 | - decrypted_length, decrypted, zero)); | ||
127 | + decrypted_length, decrypted, bad_input)); | ||
128 | + ASSERT(decrypted_length == msg_length); | ||
129 | + | ||
130 | + /* Test input that is slightly larger than n */ | ||
131 | + mpz_add(bad_input, gibberish, pub.n); | ||
132 | + decrypted_length = msg_length; | ||
133 | + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); | ||
134 | + ASSERT(!rsa_decrypt_tr(&pub, &key, | ||
135 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
136 | + &decrypted_length, decrypted, bad_input)); | ||
137 | + ASSERT(!rsa_sec_decrypt(&pub, &key, | ||
138 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
139 | + decrypted_length, decrypted, bad_input)); | ||
140 | + ASSERT(decrypted_length == msg_length); | ||
141 | + | ||
142 | + /* Test input that is considerably larger than n */ | ||
143 | + mpz_mul_2exp (bad_input, pub.n, 100); | ||
144 | + mpz_add (bad_input, bad_input, gibberish); | ||
145 | + decrypted_length = msg_length; | ||
146 | + ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); | ||
147 | + ASSERT(!rsa_decrypt_tr(&pub, &key, | ||
148 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
149 | + &decrypted_length, decrypted, bad_input)); | ||
150 | + ASSERT(!rsa_sec_decrypt(&pub, &key, | ||
151 | + &lfib, (nettle_random_func *) knuth_lfib_random, | ||
152 | + decrypted_length, decrypted, bad_input)); | ||
153 | ASSERT(decrypted_length == msg_length); | ||
154 | |||
155 | /* Test invalid key. */ | ||
156 | @@ -124,6 +150,6 @@ test_main(void) | ||
157 | rsa_private_key_clear(&key); | ||
158 | rsa_public_key_clear(&pub); | ||
159 | mpz_clear(gibberish); | ||
160 | - mpz_clear(zero); | ||
161 | + mpz_clear(bad_input); | ||
162 | free(decrypted); | ||
163 | } | ||
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb index a9550ed033..192fd295e9 100644 --- a/meta/recipes-support/nettle/nettle_3.5.1.bb +++ b/meta/recipes-support/nettle/nettle_3.5.1.bb | |||
@@ -1,4 +1,5 @@ | |||
1 | SUMMARY = "A low level cryptographic library" | 1 | SUMMARY = "A low level cryptographic library" |
2 | DESCRIPTION = "Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space." | ||
2 | HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/" | 3 | HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/" |
3 | DESCRIPTION = "It tries to solve a problem of providing a common set of \ | 4 | DESCRIPTION = "It tries to solve a problem of providing a common set of \ |
4 | cryptographic algorithms for higher-level applications by implementing a \ | 5 | cryptographic algorithms for higher-level applications by implementing a \ |
@@ -17,6 +18,13 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ | |||
17 | file://Add-target-to-only-build-tests-not-run-them.patch \ | 18 | file://Add-target-to-only-build-tests-not-run-them.patch \ |
18 | file://run-ptest \ | 19 | file://run-ptest \ |
19 | file://check-header-files-of-openssl-only-if-enable_.patch \ | 20 | file://check-header-files-of-openssl-only-if-enable_.patch \ |
21 | file://CVE-2021-3580_1.patch \ | ||
22 | file://CVE-2021-3580_2.patch \ | ||
23 | file://CVE-2021-20305-1.patch \ | ||
24 | file://CVE-2021-20305-2.patch \ | ||
25 | file://CVE-2021-20305-3.patch \ | ||
26 | file://CVE-2021-20305-4.patch \ | ||
27 | file://CVE-2021-20305-5.patch \ | ||
20 | " | 28 | " |
21 | 29 | ||
22 | SRC_URI_append_class-target = "\ | 30 | SRC_URI_append_class-target = "\ |