nettle/backport-0006-CVE-2021-20305.patch

From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 16:42:21 +0100
Subject: [PATCH] Similar fix for eddsa.

* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
reduced. Two of the three call sites need that.

(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
---
 ChangeLog    |  3 +++
 eddsa-hash.c | 10 +++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

#diff --git a/ChangeLog b/ChangeLog
#index 5f8a22c2..ce330831 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,5 +1,8 @@
# 2021-03-13  Niels Möller  <nisse@lysator.liu.se>
# 
#+	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
#+	reduced. Two of the three call sites need that.
#+
# 	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
# 	to compute the scalars used for ecc multiplication.
# 
--- a/eddsa-hash.c
+++ b/eddsa-hash.c
@@ -44,13 +44,14 @@
 #include "ecc-internal.h"
 #include "nettle-internal.h"
 
-/* Convert hash digest to integer, and reduce modulo q, to m->size
-   limbs. Needs space for 2*m->size + 1 at rp. */
+/* Convert hash digest to integer, and reduce canonically modulo q.
+   Needs space for 2*m->size + 1 at rp. */
 void
 _eddsa_hash (const struct ecc_modulo *m,
 	     mp_limb_t *rp, size_t digest_size, const uint8_t *digest)
 {
   mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
+  mp_limb_t cy;
 
   mpn_set_base256_le (rp, nlimbs, digest, digest_size);
 
@@ -75,4 +76,8 @@ _eddsa_hash (const struct ecc_modulo *m,
       assert (hi == 0);
     }
   m->mod (m, rp);
+  mpn_copyi (rp + m->size, rp, m->size);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, rp + m->size, m->size);
 }
fix CVE-2021-20305 2021-04-19 19:18:07 +08:00			`From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>`
			`Date: Sat, 13 Mar 2021 16:42:21 +0100`
			`Subject: [PATCH] Similar fix for eddsa.`

			`* eddsa-hash.c (_eddsa_hash): Ensure result is canonically`
			`reduced. Two of the three call sites need that.`

			`(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)`
			`---`
			`ChangeLog \| 3 +++`
			`eddsa-hash.c \| 10 +++++++---`
			`2 files changed, 10 insertions(+), 3 deletions(-)`

			`#diff --git a/ChangeLog b/ChangeLog`
			`#index 5f8a22c2..ce330831 100644`
			`#--- a/ChangeLog`
			`#+++ b/ChangeLog`
			`#@@ -1,5 +1,8 @@`
			`# 2021-03-13 Niels Möller <nisse@lysator.liu.se>`
			`#`
			`#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically`
			`#+ reduced. Two of the three call sites need that.`
			`#+`
			`# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical`
			`# to compute the scalars used for ecc multiplication.`
			`#`
			`--- a/eddsa-hash.c`
			`+++ b/eddsa-hash.c`
			`@@ -44,13 +44,14 @@`
			`#include "ecc-internal.h"`
			`#include "nettle-internal.h"`

			`-/* Convert hash digest to integer, and reduce modulo q, to m->size`
			`- limbs. Needs space for 2m->size + 1 at rp. /`
			`+/* Convert hash digest to integer, and reduce canonically modulo q.`
			`+ Needs space for 2m->size + 1 at rp. /`
			`void`
			`_eddsa_hash (const struct ecc_modulo *m,`
			`mp_limb_t rp, size_t digest_size, const uint8_t digest)`
			`{`
			`mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;`
			`+ mp_limb_t cy;`

			`mpn_set_base256_le (rp, nlimbs, digest, digest_size);`

			`@@ -75,4 +76,8 @@ _eddsa_hash (const struct ecc_modulo *m,`
			`assert (hi == 0);`
			`}`
			`m->mod (m, rp);`
			`+ mpn_copyi (rp + m->size, rp, m->size);`
			`+ /* Ensure canonical reduction. */`
			`+ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);`
			`+ cnd_copy (cy, rp, rp + m->size, m->size);`
			`}`