File libnettle-CVE-2021-20305.patch of Package libnettle.19993
libnettle: multiply function being called with out-of-range scalars [CVE-2021-20305, bsc#1184401] Back-port the effect of ecc_mod_mul_canonical() to ecc-ecdsa-sign(), ecc_ecdsa_verify() and _eddsa_hash(). Cherry-picked from upstream commits: * New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical. https://git.lysator.liu.se/nettle/nettle/-/commit/a63893791280d441c713293491da97c79c0950fe * Fix bug in ecc_ecdsa_verify. https://git.lysator.liu.se/nettle/nettle/-/commit/74ee0e82b6891e090f20723750faeb19064e31b2 * Ensure ecdsa_sign output is canonically reduced. https://git.lysator.liu.se/nettle/nettle/-/commit/51f643eee00e2caa65c8a2f5857f49acdf3ef1ce * Similar fix for eddsa. https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b Index: nettle-2.7.1/ecc-ecdsa-sign.c =================================================================== --- nettle-2.7.1.orig/ecc-ecdsa-sign.c +++ nettle-2.7.1/ecc-ecdsa-sign.c @@ -54,18 +54,14 @@ ecc_ecdsa_sign (const struct ecc_curve * { mp_limb_t cy; #define P scratch -#define kinv scratch /* Needs 5*ecc->size for computation */ -#define hp (scratch + ecc->size) /* NOTE: ecc->size + 1 limbs! */ +#define kinv scratch /* Needs 5*ecc->size for computation */ +#define hp (scratch + ecc->size) /* NOTE: ecc->size + 1 limbs! */ #define tp (scratch + 2*ecc->size) /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. - 1. k <-- uniformly random, 0 < k < q - 2. R <-- (r_x, r_y) = k g - 3. s1 <-- r_x mod q - 4. s2 <-- (h + z*s1)/k mod q. */ 
@@ -89,7 +85,13 @@ ecc_ecdsa_sign (const struct ecc_curve * ecc_modq_add (ecc, hp, hp, tp); ecc_modq_mul (ecc, tp, hp, kinv); - mpn_copyi (sp, tp, ecc->size); + /* Back-port the effect of ecc_mod_mul_canonical() here + * to produce canonical results + */ + cy = mpn_sub_n (sp, tp, ecc->q, ecc->size); + cnd_copy (cy, sp, tp, ecc->size); + //mpn_copyi (sp, tp, ecc->size); + #undef P #undef hp #undef kinv Index: nettle-2.7.1/ecc-ecdsa-verify.c =================================================================== --- nettle-2.7.1.orig/ecc-ecdsa-verify.c +++ nettle-2.7.1/ecc-ecdsa-verify.c @@ -68,17 +68,11 @@ ecc_ecdsa_verify (const struct ecc_curve { /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. - 1. Check 0 < r, s < q. - 2. s' <-- s^{-1} (mod q) - 3. u1 <-- h * s' (mod q) - 4. u2 <-- r * s' (mod q) - 5. R = u1 G + u2 Y - 6. Signature is valid if R_x = r (mod q). */ @@ -88,6 +82,9 @@ ecc_ecdsa_verify (const struct ecc_curve #define u2 (scratch + 4*ecc->size) #define hp (scratch + 4*ecc->size) #define u1 (scratch + 6*ecc->size) +#define tp (scratch + 7*ecc->size) + + mp_limb_t cy; if (! (ecdsa_in_range (ecc, rp) && ecdsa_in_range (ecc, sp))) 
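Review bot: The commented-out `//mpn_copyi (sp, tp, ecc->size);` left under the new reduction should be deleted, because it is exactly the line the fix replaces and keeping it beside the live code invites someone to restore the unreduced copy. The added comment should also state the precondition the single subtraction relies on, for example `/* tp is assumed < 2q after ecc_modq_mul; subtract q once and keep tp on borrow, so sp ends up in [0, q) */`. That bound is not visible in this hunk and is worth confirming against ecc_modq_mul in this version. The same sequence appears twice in ecc_ecdsa_verify (hunk `@@ -101,15 +98,23 @@`) and wants the same comment; the body of ecc_ecdsa_sign starts and ends outside this hunk. The patch header also lists _eddsa_hash(), but no hunk on this page touches an eddsa file, so the header should say whether that part was dropped as not applicable to 2.7.1.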
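Review bot: The new `tp` at `scratch + 7*ecc->size` is the highest scratch offset defined in this hunk, and nothing visible here shows the scratch requirement of ecc_ecdsa_verify being re-checked for it. If ecc_modq_mul writes a double-width product at its destination before reducing (not visible on this page), tp needs 2*ecc->size limbs, so scratch is touched up to 9*ecc->size, while the context comment in the next hunk still reads `Total storage: 5*ecc->size + ECC_MUL_A_ITCH (ecc->size)`. I would document the bound at the definition, e.g. `#define tp (scratch + 7*ecc->size) /* product scratch; must stay within the size callers allocate for verify */`, and confirm it holds for every curve size. The function body starts and ends outside this hunk.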
@@ -101,15 +98,23 @@ ecc_ecdsa_verify (const struct ecc_curve mpn_copyi (sinv + ecc->size, sp, ecc->size); ecc_modq_inv (ecc, sinv, sinv + ecc->size, P2); + /* Back-port the effect of ecc_mod_mul_canonical() here + * to produce canonical results + */ + /* u2 = r / s, P2 = u2 * Y */ - ecc_modq_mul (ecc, u2, rp, sinv); + ecc_modq_mul (ecc, tp, rp, sinv); + cy = mpn_sub_n (u2, tp, ecc->q, ecc->size); + cnd_copy (cy, u2, tp, ecc->size); /* Total storage: 5*ecc->size + ECC_MUL_A_ITCH (ecc->size) */ ecc_mul_a (ecc, 1, P2, u2, pp, u2 + ecc->size); /* u1 = h / s, P1 = u1 * G */ ecc_hash (ecc, hp, length, digest); - ecc_modq_mul (ecc, u1, hp, sinv); + ecc_modq_mul (ecc, tp, hp, sinv); + cy = mpn_sub_n (u1, tp, ecc->q, ecc->size); + cnd_copy (cy, u1, tp, ecc->size); /* u = 0 can happen only if h = 0 or h = q, which is extremely unlikely. */ @@ -147,4 +152,5 @@ ecc_ecdsa_verify (const struct ecc_curve #undef u2 #undef hp #undef u1 +#undef tp } Index: nettle-2.7.1/testsuite/ecdsa-sign-test.c =================================================================== --- nettle-2.7.1.orig/testsuite/ecdsa-sign-test.c +++ nettle-2.7.1/testsuite/ecdsa-sign-test.c 
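Review bot: The multiply-then-reduce sequence is written out twice in this hunk (for u2 and for u1) and a third time in ecc_ecdsa_sign, so a later edit to one copy can leave another passing an out-of-range scalar to the point multiplication. A small file-local helper that takes the destination, the two operands and the product scratch would keep the reduction in one place and give its precondition a single home. Because ecc_ecdsa_sign lives in another file, it would need the helper in a shared internal header or its own copy. The enclosing function starts and ends outside this hunk.

```c
/* Multiply mod q and reduce the result to the canonical range [0, q).
   prod is scratch for the unreduced product. */
static void
modq_mul_canonical (const struct ecc_curve *ecc, mp_limb_t *rp,
		    const mp_limb_t *ap, const mp_limb_t *bp,
		    mp_limb_t *prod)
{
  mp_limb_t cy;

  ecc_modq_mul (ecc, prod, ap, bp);
  /* Assumes prod < 2q here (TODO confirm); a borrow means prod was
     already < q, so keep it. */
  cy = mpn_sub_n (rp, prod, ecc->q, ecc->size);
  cnd_copy (cy, rp, prod, ecc->size);
}

  /* ... unchanged: range check and sinv computation ... */

  /* u2 = r / s, P2 = u2 * Y */
  modq_mul_canonical (ecc, u2, rp, sinv, tp);

  /* ... unchanged: ecc_mul_a call and ecc_hash ... */

  modq_mul_canonical (ecc, u1, hp, sinv, tp);
```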
@@ -53,6 +53,19 @@ test_ecdsa (const struct ecc_curve *ecc, void test_main (void) { + /* Producing the signature for corresponding test in + ecdsa-verify-test.c, with special u1 and u2. */ + test_ecdsa (&nettle_secp_224r1, + "99b5b787484def12894ca507058b3bf5" + "43d72d82fa7721d2e805e5e6", + "2", + SHEX("cdb887ac805a3b42e22d224c85482053" + "16c755d4a736bb2032c92553"), + "706a46dc76dcb76798e60e6d89474788" + "d16dc18032d268fd1a704fa6", /* r */ + "3a41e1423b1853e8aa89747b1f987364" + "44705d6d6d8371ea1f578f2e"); /* s */ + /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */ test_ecdsa (&nettle_secp_192r1, Index: nettle-2.7.1/testsuite/ecdsa-verify-test.c =================================================================== --- nettle-2.7.1.orig/testsuite/ecdsa-verify-test.c +++ nettle-2.7.1/testsuite/ecdsa-verify-test.c @@ -76,6 +76,26 @@ test_ecdsa (const struct ecc_curve *ecc, void test_main (void) { + /* Corresponds to nonce k = 2 and private key z = + 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and + hash are chosen so that intermediate scalars in the verify + equations are u1 = 0x6b245680e700, u2 = + 259da6542d4ba7d21ad916c3bd57f811. These values require canonical + reduction of the scalars. Bug caused by missing canonical + reduction reported by Guido Vranken. */ + test_ecdsa (&nettle_secp_224r1, + "9e7e6cc6b1bdfa8ee039b66ad85e5490" + "7be706a900a3cba1c8fdd014", /* x */ + "74855db3f7c1b4097ae095745fc915e3" + "8a79d2a1de28f282eafb22ba", /* y */ + + SHEX("cdb887ac805a3b42e22d224c85482053" + "16c755d4a736bb2032c92553"), + "706a46dc76dcb76798e60e6d89474788" + "d16dc18032d268fd1a704fa6", /* r */ + "3a41e1423b1853e8aa89747b1f987364" + "44705d6d6d8371ea1f578f2e"); /* s */ + /* From RFC 4754 */ test_ecdsa (&nettle_secp_256r1, "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
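Review bot: This vector is described only as producing the signature for the verify test, so nothing here shows that it drives ecc_ecdsa_sign through the new conditional subtraction, i.e. a product that is >= q before the reduction. If it does not, the signing-side fix has no regression test of its own. Either add a vector chosen so that the unreduced s is not canonical, or extend the comment to state whether the pre-fix code produced a different s for this input.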
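Review bot: In the added comment u1 carries a `0x` prefix and u2 does not (`u2 = 259da6542d4ba7d21ad916c3bd57f811`), which makes u2 read as part of the prose; write `u2 = 0x259da6542d4ba7d21ad916c3bd57f811`. The comment would also help someone triaging a regression if it stated the expected outcome (presumably that this signature must verify) and that the r and s values are the ones produced by the matching case in ecdsa-sign-test.c.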