File 0001-dh-check-validity-of-Z-before-export.patch of Package gnutls.18748
From bea53f1b46a64d6dcf5bbe4794740c4d4459f9bf Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 10 Jul 2020 09:35:49 +0200
Subject: [PATCH 1/5] dh: check validity of Z before export
SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the
calculated shared secret is verified before the data is returned to the
caller. This patch adds the validation check.
Suggested by Stephan Mueller.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
lib/nettle/pk.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
Index: gnutls-3.6.7/lib/nettle/pk.c
===================================================================
--- gnutls-3.6.7.orig/lib/nettle/pk.c 2020-09-03 14:20:19.685195035 +0200
+++ gnutls-3.6.7/lib/nettle/pk.c 2020-09-03 14:20:30.393262407 +0200
@@ -241,7 +241,7 @@ static int _wrap_nettle_pk_derive(gnutls
switch (algo) {
case GNUTLS_PK_DH: {
bigint_t f, x, q, prime;
- bigint_t k = NULL, ff = NULL, r = NULL;
+ bigint_t k = NULL, primesub1 = NULL, r = NULL;
unsigned int bits;
f = pub->params[DH_Y];
@@ -249,21 +249,20 @@ static int _wrap_nettle_pk_derive(gnutls
q = priv->params[DH_Q];
prime = priv->params[DH_P];
- ret = _gnutls_mpi_init_multi(&k, &ff, &r, NULL);
+ ret = _gnutls_mpi_init_multi(&k, &primesub1, &r, NULL);
if (ret < 0)
return gnutls_assert_val(ret);
- ret = _gnutls_mpi_add_ui(ff, f, 1);
+ ret = _gnutls_mpi_sub_ui(primesub1, prime, 1);
if (ret < 0) {
gnutls_assert();
goto dh_cleanup;
}
- /* check if f==0,1, or f >= p-1.
- * or (ff=f+1) equivalently ff==1,2, ff >= p */
- if ((_gnutls_mpi_cmp_ui(ff, 2) == 0)
- || (_gnutls_mpi_cmp_ui(ff, 1) == 0)
- || (_gnutls_mpi_cmp(ff, prime) >= 0)) {
+ /* check if f==0,1, or f >= p-1 */
+ if ((_gnutls_mpi_cmp_ui(f, 1) == 0)
+ || (_gnutls_mpi_cmp_ui(f, 0) == 0)
+ || (_gnutls_mpi_cmp(f, primesub1) >= 0)) {
gnutls_assert();
ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
goto dh_cleanup;
@@ -299,6 +298,15 @@ static int _wrap_nettle_pk_derive(gnutls
goto dh_cleanup;
}
+ /* check if k==0,1, or k = p-1 */
+ if ((_gnutls_mpi_cmp_ui(k, 1) == 0)
+ || (_gnutls_mpi_cmp_ui(k, 0) == 0)
+ || (_gnutls_mpi_cmp(k, primesub1) == 0)) {
+ gnutls_assert();
+ ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ goto dh_cleanup;
+ }
+
if (flags & PK_DERIVE_TLS13) {
ret =
_gnutls_mpi_dprint_size(k, out,
@@ -315,7 +323,7 @@ static int _wrap_nettle_pk_derive(gnutls
ret = 0;
dh_cleanup:
_gnutls_mpi_release(&r);
- _gnutls_mpi_release(&ff);
+ _gnutls_mpi_release(&primesub1);
zrelease_temp_mpi_key(&k);
if (ret < 0)
goto cleanup;