nettle/backport-0001-CVE-2021-20305.patch

From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Thu, 11 Mar 2021 19:37:41 +0100
Subject: [PATCH] New functions ecc_mod_mul_canonical and
 ecc_mod_sqr_canonical.

* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
New functions.
* ecc-internal.h: Declare and document new functions.
* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
* ecc-j-to-a.c (ecc_j_to_a): Likewise.
* ecc-mul-m.c (ecc_mul_m): Likewise.

(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
---
 ChangeLog            | 11 +++++++++++
 curve25519-eh-to-x.c |  6 +-----
 curve448-eh-to-x.c   |  5 +----
 ecc-eh-to-a.c        | 12 ++----------
 ecc-internal.h       | 15 +++++++++++++++
 ecc-j-to-a.c         | 15 +++------------
 ecc-mod-arith.c      | 24 ++++++++++++++++++++++++
 ecc-mul-m.c          |  6 ++----
 8 files changed, 59 insertions(+), 35 deletions(-)

#diff --git a/ChangeLog b/ChangeLog
#index fd138d82..5cc5c188 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,3 +1,14 @@
#+2021-03-11  Niels Möller  <nisse@lysator.liu.se>
#+
#+	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
#+	New functions.
#+	* ecc-internal.h: Declare and document new functions.
#+	* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
#+	* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
#+	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
#+	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
#+	* ecc-mul-m.c (ecc_mul_m): Likewise.
#+
# 2021-02-17  Niels Möller  <nisse@lysator.liu.se>
# 
# 	* Released Nettle-3.7.1.
--- a/curve25519-eh-to-x.c
+++ b/curve25519-eh-to-x.c
@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
 #define t2 (scratch + 2*ecc->p.size)
 
   const struct ecc_curve *ecc = &_nettle_curve25519;
-  mp_limb_t cy;
 
   /* If u = U/W and v = V/W are the coordiantes of the point on the
      Edwards curve we get the curve25519 x coordinate as
@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
   ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
   
   ecc_mod_add (&ecc->p, t0, wp, vp);
-  ecc_mod_mul (&ecc->p, t2, t0, t1);
-
-  cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
-  cnd_copy (cy, xp, t2, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
 #undef vp
 #undef wp
 #undef t0
--- a/curve448-eh-to-x.c
+++ b/curve448-eh-to-x.c
@@ -52,7 +52,6 @@ curve448_eh_to_x (mp_limb_t *xp, const m
 #define t2 (scratch + 2*ecc->p.size)
 
   const struct ecc_curve *ecc = &_nettle_curve448;
-  mp_limb_t cy;
 
   /* If u = U/W and v = V/W are the coordinates of the point on
      edwards448 we get the curve448 x coordinate as
@@ -62,10 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const m
   /* Needs a total of 9*size storage. */
   ecc->p.invert (&ecc->p, t0, p, t1 + ecc->p.size);
   ecc_mod_mul (&ecc->p, t1, t0, vp);
-  ecc_mod_mul (&ecc->p, t2, t1, t1);
+  ecc_mod_mul_canonical (&ecc->p, xp, t1, t1, t2);
 
-  cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
-  cnd_copy (cy, xp, t2, ecc->p.size);
 #undef vp
 #undef t0
 #undef t1
--- a/ecc-eh-to-a.c
+++ b/ecc-eh-to-a.c
@@ -54,18 +54,11 @@ ecc_eh_to_a (const struct ecc_curve *ecc
 #define yp (p + ecc->p.size)
 #define zp (p + 2*ecc->p.size)
 
-  mp_limb_t cy;
-
   assert(op == 0);
 
   /* Needs 2*size + scratch for the invert call. */
   ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
 
-  ecc_mod_mul (&ecc->p, tp, xp, izp);
-  cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
-  cnd_copy (cy, r, tp, ecc->p.size);
-
-  ecc_mod_mul (&ecc->p, tp, yp, izp);
-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
+  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
 }
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -49,6 +49,8 @@
 #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
 #define ecc_mod_mul _nettle_ecc_mod_mul
 #define ecc_mod_sqr _nettle_ecc_mod_sqr
+#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
+#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
 #define ecc_mod_random _nettle_ecc_mod_random
 #define ecc_mod _nettle_ecc_mod
 #define ecc_mod_inv _nettle_ecc_mod_inv
@@ -256,6 +258,19 @@ void
 ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
 	     const mp_limb_t *ap);
 
+/* These mul and sqr functions produce a canonical result, 0 <= R < M.
+   Requirements on input and output areas are similar to the above
+   functions, except that it is *not* allowed to pass rp = rp +
+   m->size.
+ */
+void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+		       const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp);
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+		       const mp_limb_t *ap, mp_limb_t *tp);
+
 /* mod q operations. */
 void
 ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
--- a/ecc-j-to-a.c
+++ b/ecc-j-to-a.c
@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
 #define izBp (scratch + 3*ecc->p.size)
 #define tp    scratch
 
-  mp_limb_t cy;
-
   if (ecc->use_redc)
     {
       /* Set v = (r_z / B^2)^-1,
@@ -86,17 +84,13 @@ ecc_j_to_a (const struct ecc_curve *ecc,
       ecc_mod_sqr (&ecc->p, iz2p, izp);
     }
 
-  ecc_mod_mul (&ecc->p, iz3p, iz2p, p);
-  /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so
-     do a conditional subtraction. */
-  cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
-  cnd_copy (cy, r, iz3p, ecc->p.size);
-
+  ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
   if (op)
     {
       /* Skip y coordinate */
       if (op > 1)
 	{
+	  mp_limb_t cy;
 	  /* Also reduce the x coordinate mod ecc->q. It should
 	     already be < 2*ecc->q, so one subtraction should
 	     suffice. */
@@ -106,10 +100,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
       return;
     }
   ecc_mod_mul (&ecc->p, iz3p, iz2p, izp);
-  ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size);
-  /* And a similar subtraction. */
-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
 
 #undef izp
 #undef up
--- a/ecc-mod-arith.c
+++ b/ecc-mod-arith.c
@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
 }
 
 void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+		       const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
+{
+  mp_limb_t cy;
+  mpn_mul_n (tp + m->size, ap, bp, m->size);
+  m->reduce (m, tp + m->size);
+
+  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+		       const mp_limb_t *ap, mp_limb_t *tp)
+{
+  mp_limb_t cy;
+  mpn_sqr (tp + m->size, ap, m->size);
+  m->reduce (m, tp + m->size);
+
+  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
 ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
 	     const mp_limb_t *ap)
 {
fix CVE-2021-20305 2021-04-19 19:18:07 +08:00			`From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>`
			`Date: Thu, 11 Mar 2021 19:37:41 +0100`
			`Subject: [PATCH] New functions ecc_mod_mul_canonical and`
			`ecc_mod_sqr_canonical.`

			`* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):`
			`New functions.`
			`* ecc-internal.h: Declare and document new functions.`
			`* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.`
			`* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.`
			`* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.`
			`* ecc-j-to-a.c (ecc_j_to_a): Likewise.`
			`* ecc-mul-m.c (ecc_mul_m): Likewise.`

			`(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)`
			`---`
			`ChangeLog \| 11 +++++++++++`
			`curve25519-eh-to-x.c \| 6 +-----`
			`curve448-eh-to-x.c \| 5 +----`
			`ecc-eh-to-a.c \| 12 ++----------`
			`ecc-internal.h \| 15 +++++++++++++++`
			`ecc-j-to-a.c \| 15 +++------------`
			`ecc-mod-arith.c \| 24 ++++++++++++++++++++++++`
			`ecc-mul-m.c \| 6 ++----`
			`8 files changed, 59 insertions(+), 35 deletions(-)`

			`#diff --git a/ChangeLog b/ChangeLog`
			`#index fd138d82..5cc5c188 100644`
			`#--- a/ChangeLog`
			`#+++ b/ChangeLog`
			`#@@ -1,3 +1,14 @@`
			`#+2021-03-11 Niels Möller <nisse@lysator.liu.se>`
			`#+`
			`#+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):`
			`#+ New functions.`
			`#+ * ecc-internal.h: Declare and document new functions.`
			`#+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.`
			`#+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.`
			`#+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.`
			`#+ * ecc-j-to-a.c (ecc_j_to_a): Likewise.`
			`#+ * ecc-mul-m.c (ecc_mul_m): Likewise.`
			`#+`
			`# 2021-02-17 Niels Möller <nisse@lysator.liu.se>`
			`#`
			`# * Released Nettle-3.7.1.`
			`--- a/curve25519-eh-to-x.c`
			`+++ b/curve25519-eh-to-x.c`
			`@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const`
			`#define t2 (scratch + 2*ecc->p.size)`

			`const struct ecc_curve *ecc = &_nettle_curve25519;`
			`- mp_limb_t cy;`

			`/* If u = U/W and v = V/W are the coordiantes of the point on the`
			`Edwards curve we get the curve25519 x coordinate as`
			`@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const`
			`ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);`

			`ecc_mod_add (&ecc->p, t0, wp, vp);`
			`- ecc_mod_mul (&ecc->p, t2, t0, t1);`
			`-`
			`- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);`
			`- cnd_copy (cy, xp, t2, ecc->p.size);`
			`+ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);`
			`#undef vp`
			`#undef wp`
			`#undef t0`
			`--- a/curve448-eh-to-x.c`
			`+++ b/curve448-eh-to-x.c`
			`@@ -52,7 +52,6 @@ curve448_eh_to_x (mp_limb_t *xp, const m`
			`#define t2 (scratch + 2*ecc->p.size)`

			`const struct ecc_curve *ecc = &_nettle_curve448;`
			`- mp_limb_t cy;`

			`/* If u = U/W and v = V/W are the coordinates of the point on`
			`edwards448 we get the curve448 x coordinate as`
			`@@ -62,10 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const m`
			`/* Needs a total of 9size storage. /`
			`ecc->p.invert (&ecc->p, t0, p, t1 + ecc->p.size);`
			`ecc_mod_mul (&ecc->p, t1, t0, vp);`
			`- ecc_mod_mul (&ecc->p, t2, t1, t1);`
			`+ ecc_mod_mul_canonical (&ecc->p, xp, t1, t1, t2);`

			`- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);`
			`- cnd_copy (cy, xp, t2, ecc->p.size);`
			`#undef vp`
			`#undef t0`
			`#undef t1`
			`--- a/ecc-eh-to-a.c`
			`+++ b/ecc-eh-to-a.c`
			`@@ -54,18 +54,11 @@ ecc_eh_to_a (const struct ecc_curve *ecc`
			`#define yp (p + ecc->p.size)`
			`#define zp (p + 2*ecc->p.size)`

			`- mp_limb_t cy;`
			`-`
			`assert(op == 0);`

			`/* Needs 2size + scratch for the invert call. /`
			`ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);`

			`- ecc_mod_mul (&ecc->p, tp, xp, izp);`
			`- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);`
			`- cnd_copy (cy, r, tp, ecc->p.size);`
			`-`
			`- ecc_mod_mul (&ecc->p, tp, yp, izp);`
			`- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);`
			`- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);`
			`+ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);`
			`+ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);`
			`}`
			`--- a/ecc-internal.h`
			`+++ b/ecc-internal.h`
			`@@ -49,6 +49,8 @@`
			`#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1`
			`#define ecc_mod_mul _nettle_ecc_mod_mul`
			`#define ecc_mod_sqr _nettle_ecc_mod_sqr`
			`+#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical`
			`+#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical`
			`#define ecc_mod_random _nettle_ecc_mod_random`
			`#define ecc_mod _nettle_ecc_mod`
			`#define ecc_mod_inv _nettle_ecc_mod_inv`
			`@@ -256,6 +258,19 @@ void`
			`ecc_mod_sqr (const struct ecc_modulo m, mp_limb_t rp,`
			`const mp_limb_t *ap);`

			`+/* These mul and sqr functions produce a canonical result, 0 <= R < M.`
			`+ Requirements on input and output areas are similar to the above`
			`+ functions, except that it is not allowed to pass rp = rp +`
			`+ m->size.`
			`+ */`
			`+void`
			`+ecc_mod_mul_canonical (const struct ecc_modulo m, mp_limb_t rp,`
			`+ const mp_limb_t ap, const mp_limb_t bp, mp_limb_t *tp);`
			`+`
			`+void`
			`+ecc_mod_sqr_canonical (const struct ecc_modulo m, mp_limb_t rp,`
			`+ const mp_limb_t ap, mp_limb_t tp);`
			`+`
			`/* mod q operations. */`
			`void`
			`ecc_mod_random (const struct ecc_modulo m, mp_limb_t xp,`
			`--- a/ecc-j-to-a.c`
			`+++ b/ecc-j-to-a.c`
			`@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,`
			`#define izBp (scratch + 3*ecc->p.size)`
			`#define tp scratch`

			`- mp_limb_t cy;`
			`-`
			`if (ecc->use_redc)`
			`{`
			`/* Set v = (r_z / B^2)^-1,`
			`@@ -86,17 +84,13 @@ ecc_j_to_a (const struct ecc_curve *ecc,`
			`ecc_mod_sqr (&ecc->p, iz2p, izp);`
			`}`

			`- ecc_mod_mul (&ecc->p, iz3p, iz2p, p);`
			`- /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so`
			`- do a conditional subtraction. */`
			`- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);`
			`- cnd_copy (cy, r, iz3p, ecc->p.size);`
			`-`
			`+ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);`
			`if (op)`
			`{`
			`/* Skip y coordinate */`
			`if (op > 1)`
			`{`
			`+ mp_limb_t cy;`
			`/* Also reduce the x coordinate mod ecc->q. It should`
			`already be < 2*ecc->q, so one subtraction should`
			`suffice. */`
			`@@ -106,10 +100,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,`
			`return;`
			`}`
			`ecc_mod_mul (&ecc->p, iz3p, iz2p, izp);`
			`- ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size);`
			`- /* And a similar subtraction. */`
			`- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);`
			`- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);`
			`+ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);`

			`#undef izp`
			`#undef up`
			`--- a/ecc-mod-arith.c`
			`+++ b/ecc-mod-arith.c`
			`@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,`
			`}`

			`void`
			`+ecc_mod_mul_canonical (const struct ecc_modulo m, mp_limb_t rp,`
			`+ const mp_limb_t ap, const mp_limb_t bp, mp_limb_t *tp)`
			`+{`
			`+ mp_limb_t cy;`
			`+ mpn_mul_n (tp + m->size, ap, bp, m->size);`
			`+ m->reduce (m, tp + m->size);`
			`+`
			`+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);`
			`+ cnd_copy (cy, rp, tp + m->size, m->size);`
			`+}`
			`+`
			`+void`
			`+ecc_mod_sqr_canonical (const struct ecc_modulo m, mp_limb_t rp,`
			`+ const mp_limb_t ap, mp_limb_t tp)`
			`+{`
			`+ mp_limb_t cy;`
			`+ mpn_sqr (tp + m->size, ap, m->size);`
			`+ m->reduce (m, tp + m->size);`
			`+`
			`+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);`
			`+ cnd_copy (cy, rp, tp + m->size, m->size);`
			`+}`
			`+`
			`+void`
			`ecc_mod_sqr (const struct ecc_modulo m, mp_limb_t rp,`
			`const mp_limb_t *ap)`
			`{`