File libnettle-CVE-2021-20305.patch of Package libnettle.19162

libnettle: multiply function being called with out-of-range scalars [CVE-2021-20305, bsc#1184401]

Back-port the effect of ecc_mod_mul_canonical() to ecc_ecdsa_sign(), ecc_ecdsa_verify() and _eddsa_hash().
Cherry-picked from upstream commits:
 * New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical. 
   https://git.lysator.liu.se/nettle/nettle/-/commit/a63893791280d441c713293491da97c79c0950fe
 * Fix bug in ecc_ecdsa_verify. 
   https://git.lysator.liu.se/nettle/nettle/-/commit/74ee0e82b6891e090f20723750faeb19064e31b2
 * Ensure ecdsa_sign output is canonically reduced.
   https://git.lysator.liu.se/nettle/nettle/-/commit/51f643eee00e2caa65c8a2f5857f49acdf3ef1ce
 * Similar fix for eddsa. 
   https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b

Index: nettle-2.7.1/ecc-ecdsa-sign.c
===================================================================
--- nettle-2.7.1.orig/ecc-ecdsa-sign.c
+++ nettle-2.7.1/ecc-ecdsa-sign.c
@@ -54,18 +54,14 @@ ecc_ecdsa_sign (const struct ecc_curve *
 {
   mp_limb_t cy;
 #define P	    scratch
-#define kinv	    scratch                /* Needs 5*ecc->size for computation */
-#define hp	    (scratch  + ecc->size) /* NOTE: ecc->size + 1 limbs! */
+#define kinv	scratch               /* Needs 5*ecc->size for computation */
+#define hp	    (scratch + ecc->size) /* NOTE: ecc->size + 1 limbs! */
 #define tp	    (scratch + 2*ecc->size)
   /* Procedure, according to RFC 6090, "KT-I". q denotes the group
      order.
-
      1. k <-- uniformly random, 0 < k < q
-
      2. R <-- (r_x, r_y) = k g
-
      3. s1 <-- r_x mod q
-
      4. s2 <-- (h + z*s1)/k mod q.
   */
 
@@ -89,7 +85,13 @@ ecc_ecdsa_sign (const struct ecc_curve *
   ecc_modq_add (ecc, hp, hp, tp);
   ecc_modq_mul (ecc, tp, hp, kinv);
 
-  mpn_copyi (sp, tp, ecc->size);
+  /* Back-port the effect of ecc_mod_mul_canonical() here
+   * to produce canonical results
+   */
+  cy = mpn_sub_n (sp, tp, ecc->q, ecc->size);
+  cnd_copy (cy, sp, tp, ecc->size);
+  //mpn_copyi (sp, tp, ecc->size);
+
 #undef P
 #undef hp
 #undef kinv
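Review bot: The old copy is left behind as a commented-out line, `//mpn_copyi (sp, tp, ecc->size);`, directly after the new reduction. It should be deleted: the removed line in the patch already records the history, and the visible comments in this file all use `/* */`. The added block comment names the upstream function but not the reason, so I would replace it with something like `/* tp may be >= q after ecc_modq_mul; subtract q and keep tp if that borrows, so s is canonically reduced. */`. The body of ecc_ecdsa_sign starts and ends outside this hunk.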
Index: nettle-2.7.1/ecc-ecdsa-verify.c
===================================================================
--- nettle-2.7.1.orig/ecc-ecdsa-verify.c
+++ nettle-2.7.1/ecc-ecdsa-verify.c
@@ -68,17 +68,11 @@ ecc_ecdsa_verify (const struct ecc_curve
 {
   /* Procedure, according to RFC 6090, "KT-I". q denotes the group
      order.
-
      1. Check 0 < r, s < q.
-
      2. s' <-- s^{-1}  (mod q)
-
      3. u1  <-- h * s' (mod q)
-
      4. u2  <-- r * s' (mod q)
-
      5. R = u1 G + u2 Y
-
      6. Signature is valid if R_x = r (mod q).
   */
 
@@ -88,6 +82,9 @@ ecc_ecdsa_verify (const struct ecc_curve
 #define u2 (scratch + 4*ecc->size)
 #define hp (scratch + 4*ecc->size)
 #define u1 (scratch + 6*ecc->size)
+#define tp (scratch + 7*ecc->size)
+
+  mp_limb_t cy;
 
   if (! (ecdsa_in_range (ecc, rp)
 	 && ecdsa_in_range (ecc, sp)))
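Review bot: The new `tp` region at `scratch + 7*ecc->size` sits directly above `u1` at `scratch + 6*ecc->size`, and nothing in the patch shows that the caller's scratch allocation reaches that far. If `ecc_modq_mul` writes the full double-width product into its destination before reducing (its body is not shown here), `tp` needs `2*ecc->size` limbs, so scratch must extend through `9*ecc->size`. I would add a layout comment next to the define, for example `/* tp: product scratch for ecc_modq_mul, 2*ecc->size limbs; must fit within ECC_ECDSA_VERIFY_ITCH */`, and confirm that the itch macro, which this patch does not touch, covers it. The remaining scratch defines and the function body lie outside this hunk.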
@@ -101,15 +98,23 @@ ecc_ecdsa_verify (const struct ecc_curve
   mpn_copyi (sinv + ecc->size, sp, ecc->size);
   ecc_modq_inv (ecc, sinv, sinv + ecc->size, P2);
 
+  /* Back-port the effect of ecc_mod_mul_canonical() here
+   * to produce canonical results
+   */
+
   /* u2 = r / s, P2 = u2 * Y */
-  ecc_modq_mul (ecc, u2, rp, sinv);
+  ecc_modq_mul (ecc, tp, rp, sinv);
+  cy = mpn_sub_n (u2, tp, ecc->q, ecc->size);
+  cnd_copy (cy, u2, tp, ecc->size);
 
    /* Total storage: 5*ecc->size + ECC_MUL_A_ITCH (ecc->size) */
   ecc_mul_a (ecc, 1, P2, u2, pp, u2 + ecc->size);
 
   /* u1 = h / s, P1 = u1 * G */
   ecc_hash (ecc, hp, length, digest);
-  ecc_modq_mul (ecc, u1, hp, sinv);
+  ecc_modq_mul (ecc, tp, hp, sinv);
+  cy = mpn_sub_n (u1, tp, ecc->q, ecc->size);
+  cnd_copy (cy, u1, tp, ecc->size);
 
   /* u = 0 can happen only if h = 0 or h = q, which is extremely
      unlikely. */
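Review bot: The explanatory comment added before the `u2` computation is cut off from the code by a blank line and does not cover the second reduction for `u1` further down. A reader of the `u1` site therefore sees an unexplained `mpn_sub_n`/`cnd_copy` pair. I would drop the floating block and put a one-line comment at each site, e.g. `/* Reduce tp to [0, q) so u2 is canonical before ecc_mul_a. */` and `/* Reduce tp to [0, q) so u1 is canonical; the u1 = 0 case below depends on it. */`. The second wording is inferred from the existing `u = 0` comment; the zero test itself is outside this hunk.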
@@ -147,4 +152,5 @@ ecc_ecdsa_verify (const struct ecc_curve
 #undef u2
 #undef hp
 #undef u1
+#undef tp
 }
Index: nettle-2.7.1/testsuite/ecdsa-sign-test.c
===================================================================
--- nettle-2.7.1.orig/testsuite/ecdsa-sign-test.c
+++ nettle-2.7.1/testsuite/ecdsa-sign-test.c
@@ -53,6 +53,19 @@ test_ecdsa (const struct ecc_curve *ecc,
 void
 test_main (void)
 {
+  /* Producing the signature for corresponding test in
+     ecdsa-verify-test.c, with special u1 and u2. */
+  test_ecdsa (&nettle_secp_224r1,
+              "99b5b787484def12894ca507058b3bf5"
+              "43d72d82fa7721d2e805e5e6",
+              "2",
+              SHEX("cdb887ac805a3b42e22d224c85482053"
+                   "16c755d4a736bb2032c92553"),
+              "706a46dc76dcb76798e60e6d89474788"
+              "d16dc18032d268fd1a704fa6", /* r */
+              "3a41e1423b1853e8aa89747b1f987364"
+              "44705d6d6d8371ea1f578f2e"); /* s */
+
   /* Test cases for the smaller groups, verified with a
      proof-of-concept implementation done for Yubico AB. */
   test_ecdsa (&nettle_secp_192r1,
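Review bot: The new comment says the vector has "special u1 and u2" without saying what is special or which bug it guards, so a later cleanup could drop it as just another secp224r1 case. I would spell it out, for example `/* Regression vector for CVE-2021-20305: the verify-side scalars u1, u2 need canonical reduction; see ecdsa-verify-test.c. */`. In the matching comment in ecdsa-verify-test.c, the `u2` value is missing the `0x` prefix that `z` and `u1` carry.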
Index: nettle-2.7.1/testsuite/ecdsa-verify-test.c
===================================================================
--- nettle-2.7.1.orig/testsuite/ecdsa-verify-test.c
+++ nettle-2.7.1/testsuite/ecdsa-verify-test.c
@@ -76,6 +76,26 @@ test_ecdsa (const struct ecc_curve *ecc,
 void
 test_main (void)
 {
+  /* Corresponds to nonce k = 2 and private key z =
+     0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
+     hash are chosen so that intermediate scalars in the verify
+     equations are u1 = 0x6b245680e700, u2 =
+     259da6542d4ba7d21ad916c3bd57f811. These values require canonical
+     reduction of the scalars. Bug caused by missing canonical
+     reduction reported by Guido Vranken. */
+  test_ecdsa (&nettle_secp_224r1,
+              "9e7e6cc6b1bdfa8ee039b66ad85e5490"
+              "7be706a900a3cba1c8fdd014", /* x */
+              "74855db3f7c1b4097ae095745fc915e3"
+              "8a79d2a1de28f282eafb22ba", /* y */
+
+              SHEX("cdb887ac805a3b42e22d224c85482053"
+                   "16c755d4a736bb2032c92553"),
+              "706a46dc76dcb76798e60e6d89474788"
+              "d16dc18032d268fd1a704fa6", /* r */
+              "3a41e1423b1853e8aa89747b1f987364"
+              "44705d6d6d8371ea1f578f2e"); /* s */
+
   /* From RFC 4754 */
   test_ecdsa (&nettle_secp_256r1,
 	      "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"