update nettle to 3.7.3

This commit is contained in:
yangl777 2021-12-04 16:00:41 +08:00 committed by quanhongfei
parent a2e5b1d847
commit 476a2050fb
12 changed files with 193 additions and 1001 deletions


@ -1,14 +1,98 @@
Subject: [PATCH] changes
From b519b23a141752043c9cc9182048c26d80d22af2 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Sun, 21 Mar 2021 11:09:51 +0100
Subject: [PATCH] Remove secp192r1 and secp224r1 support
---
nettle-3.4.1/examples/ecc-benchmark.c | 2 --
nettle-3.4.1/examples/hogweed-benchmark.c | 32 -----------------------
nettle-3.4.1/testsuite/ecdh-test.c | 20 --------------
nettle-3.4.1/testsuite/ecdsa-sign-test.c | 32 -----------------------
nettle-3.4.1/testsuite/testutils.c | 16 ------------
5 files changed, 102 deletions(-)
eccdata.c | 67 +----------------------------------
examples/ecc-benchmark.c | 2 --
examples/hogweed-benchmark.c | 17 ---------
testsuite/ecdh-test.c | 40 ---------------------
testsuite/ecdsa-sign-test.c | 47 ------------------------
testsuite/ecdsa-verify-test.c | 28 ---------------
testsuite/testutils.c | 20 -----------
7 files changed, 1 insertion(+), 220 deletions(-)
diff --git a/eccdata.c b/eccdata.c
index 1b4cb0b5..dc2be5f9 100644
--- a/eccdata.c
+++ b/eccdata.c
@@ -434,72 +434,7 @@ ecc_curve_init_str (struct ecc_curve *ecc, enum ecc_type type,
static void
ecc_curve_init (struct ecc_curve *ecc, const char *curve)
{
- if (!strcmp (curve, "secp192r1"))
- {
- ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS,
- /* p = 2^{192} - 2^{64} - 1 */
- "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
- "FFFFFFFFFFFFFFFF",
-
- "64210519e59c80e70fa7e9ab72243049"
- "feb8deecc146b9b1",
-
- "ffffffffffffffffffffffff99def836"
- "146bc9b1b4d22831",
-
- "188da80eb03090f67cbf20eb43a18800"
- "f4ff0afd82ff1012",
-
- "07192b95ffc8da78631011ed6b24cdd5"
- "73f977a11e794811");
- ecc->ref = ecc_alloc (3);
- ecc_set_str (&ecc->ref[0], /* 2 g */
- "dafebf5828783f2ad35534631588a3f629a70fb16982a888",
- "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab");
-
- ecc_set_str (&ecc->ref[1], /* 3 g */
- "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da",
- "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd");
-
- ecc_set_str (&ecc->ref[2], /* 4 g */
- "35433907297cc378b0015703374729d7a4fe46647084e4ba",
- "a2649984f2135c301ea3acb0776cd4f125389b311db3be32");
-
- }
- else if (!strcmp (curve, "secp224r1"))
- {
- ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS,
- /* p = 2^{224} - 2^{96} + 1 */
- "ffffffffffffffffffffffffffffffff"
- "000000000000000000000001",
-
- "b4050a850c04b3abf54132565044b0b7"
- "d7bfd8ba270b39432355ffb4",
-
- "ffffffffffffffffffffffffffff16a2"
- "e0b8f03e13dd29455c5c2a3d",
-
- "b70e0cbd6bb4bf7f321390b94a03c1d3"
- "56c21122343280d6115c1d21",
-
- "bd376388b5f723fb4c22dfe6cd4375a0"
- "5a07476444d5819985007e34");
-
- ecc->ref = ecc_alloc (3);
- ecc_set_str (&ecc->ref[0], /* 2 g */
- "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6",
- "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb");
-
- ecc_set_str (&ecc->ref[1], /* 3 g */
- "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04",
- "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925");
-
- ecc_set_str (&ecc->ref[2], /* 4 g */
- "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301",
- "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9");
-
- }
- else if (!strcmp (curve, "secp256r1"))
+ if (!strcmp (curve, "secp256r1"))
{
ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS,
/* p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 */
diff --git a/examples/ecc-benchmark.c b/examples/ecc-benchmark.c
index 8e5e095..720d483 100644
index 3ab269c7..402744a0 100644
--- a/examples/ecc-benchmark.c
+++ b/examples/ecc-benchmark.c
@@ -307,8 +307,6 @@ bench_curve (const struct ecc_curve *ecc)
@ -21,10 +105,10 @@ index 8e5e095..720d483 100644
&_nettle_secp_256r1,
&_nettle_secp_384r1,
diff --git a/examples/hogweed-benchmark.c b/examples/hogweed-benchmark.c
index ebce903..f13ea18 100644
index 3d008021..b8cf902c 100644
--- a/examples/hogweed-benchmark.c
+++ b/examples/hogweed-benchmark.c
@@ -412,24 +412,6 @@ bench_ecdsa_init (unsigned size)
@@ -412,23 +412,6 @@ bench_ecdsa_init (unsigned size)
switch (size)
{
@ -45,50 +129,37 @@ index ebce903..f13ea18 100644
- ctx->digest_size = 28;
- break;
-
- /* From RFC 4754 */
/* From RFC 4754 */
case 256:
ecc = &_nettle_secp_256r1;
xs = "2442A5CC 0ECD015F A3CA31DC 8E2BBC70 BF42D60C BCA20085 E0822CB0 4235E970";
@@ -783,16 +765,6 @@ bench_openssl_ecdsa_init (unsigned size)
switch (size)
{
- case 192:
- ctx->key = EC_KEY_new_by_curve_name (NID_X9_62_prime192v1);
- ctx->digest_length = 24; /* truncated */
- ctx->digest = hash_string (&nettle_sha224, "abc");
- break;
- case 224:
- ctx->key = EC_KEY_new_by_curve_name (NID_secp224r1);
- ctx->digest_length = SHA224_DIGEST_SIZE;
- ctx->digest = hash_string (&nettle_sha224, "abc");
- break;
case 256:
ctx->key = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
ctx->digest_length = SHA256_DIGEST_SIZE;
@@ -924,14 +896,10 @@ struct alg alg_list[] = {
#if 0
{ "dsa",2048, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear },
#endif
- { "ecdsa", 192, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
- { "ecdsa", 224, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
{ "ecdsa", 256, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
{ "ecdsa", 384, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
{ "ecdsa", 521, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear },
#if WITH_OPENSSL
- { "ecdsa (openssl)", 192, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear },
- { "ecdsa (openssl)", 224, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear },
{ "ecdsa (openssl)", 256, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear },
{ "ecdsa (openssl)", 384, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear },
{ "ecdsa (openssl)", 521, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear },
diff --git a/testsuite/ecdh-test.c b/testsuite/ecdh-test.c
index 5a2b39d..08870b1 100644
index ff4f7233..2be26b19 100644
--- a/testsuite/ecdh-test.c
+++ b/testsuite/ecdh-test.c
@@ -179,26 +179,6 @@ test_dh (const char *name, const struct ecc_curve *ecc,
"5298249600854377235107392014200406283816103564916230704184",
1);
@@ -159,46 +159,6 @@ test_public_key (const char *label, const struct ecc_curve *ecc,
void
test_main(void)
{
- test_public_key ("(0,0) with secp-192r1", &_nettle_secp_192r1, "0", "0", 0);
- test_public_key (
- "(P,0) with secp-192r1", &_nettle_secp_192r1,
- "6277101735386680763835789423207666416083908700390324961279",
- "0", 0);
- test_public_key (
- "(0,P) with secp-192r1", &_nettle_secp_192r1, "0",
- "6277101735386680763835789423207666416083908700390324961279",
- 0);
- test_public_key (
- "(P,P) with secp-192r1", &_nettle_secp_192r1,
- "6277101735386680763835789423207666416083908700390324961279",
- "6277101735386680763835789423207666416083908700390324961279",
- 0);
- test_public_key ("(1,2) with secp-192r1", &_nettle_secp_192r1, "1", "2", 0);
- test_public_key ("(X,Y) with secp-192r1", &_nettle_secp_192r1,
- "1050363442265225480786760666329560655512990381040021438562",
- "5298249600854377235107392014200406283816103564916230704184",
- 1);
-
- test_dh ("secp-192r1", &_nettle_secp_192r1,
- "3406157206141798348095184987208239421004566462391397236532",
- "1050363442265225480786760666329560655512990381040021438562",
@ -113,13 +184,28 @@ index 5a2b39d..08870b1 100644
"94731533361265297353914491124013058635674217345912524033267198103710636378786",
"22441589863306126152768848344973918725077248391248404659242620344938484650846",
diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c
index 559de8e..2e84ed7 100644
index 08a10a1d..0acd4e5c 100644
--- a/testsuite/ecdsa-sign-test.c
+++ b/testsuite/ecdsa-sign-test.c
@@ -60,38 +60,6 @@ test_main (void)
@@ -58,53 +58,6 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
/* Test cases for the smaller groups, verified with a
proof-of-concept implementation done for Yubico AB. */
- /* Producing the signature for corresponding test in
- ecdsa-verify-test.c, with special u1 and u2. */
- test_ecdsa (&_nettle_secp_224r1,
- "99b5b787484def12894ca507058b3bf5"
- "43d72d82fa7721d2e805e5e6",
- "2",
- SHEX("cdb887ac805a3b42e22d224c85482053"
- "16c755d4a736bb2032c92553"),
- "706a46dc76dcb76798e60e6d89474788"
- "d16dc18032d268fd1a704fa6", /* r */
- "3a41e1423b1853e8aa89747b1f987364"
- "44705d6d6d8371ea1f578f2e"); /* s */
-
- /* Test cases for the smaller groups, verified with a
- proof-of-concept implementation done for Yubico AB. */
- test_ecdsa (&_nettle_secp_192r1,
- "DC51D3866A15BACDE33D96F992FCA99D"
- "A7E6EF0934E70975", /* z */
@ -155,8 +241,47 @@ index 559de8e..2e84ed7 100644
/* From RFC 4754 */
test_ecdsa (&_nettle_secp_256r1,
"DC51D386 6A15BACD E33D96F9 92FCA99D"
diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c
index 8110c64d..71c0b5c0 100644
--- a/testsuite/ecdsa-verify-test.c
+++ b/testsuite/ecdsa-verify-test.c
@@ -81,34 +81,6 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
- /* Corresponds to nonce k = 2 and private key z =
- 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
- hash are chosen so that intermediate scalars in the verify
- equations are u1 = 0x6b245680e700, u2 =
- 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
- reduction of the scalars. Bug caused by missing canonical
- reduction reported by Guido Vranken. */
- test_ecdsa (&_nettle_secp_224r1,
- "9e7e6cc6b1bdfa8ee039b66ad85e5490"
- "7be706a900a3cba1c8fdd014", /* x */
- "74855db3f7c1b4097ae095745fc915e3"
- "8a79d2a1de28f282eafb22ba", /* y */
-
- SHEX("cdb887ac805a3b42e22d224c85482053"
- "16c755d4a736bb2032c92553"),
- "706a46dc76dcb76798e60e6d89474788"
- "d16dc18032d268fd1a704fa6", /* r */
- "3a41e1423b1853e8aa89747b1f987364"
- "44705d6d6d8371ea1f578f2e"); /* s */
-
- /* Test case provided by Guido Vranken, from oss-fuzz */
- test_ecdsa (&_nettle_secp_192r1,
- "14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */
- " 1e2584 2ab8b2b0 4017f655 1b5e4058 a2aa0612 2dae9344", /* y */
- SHEX("00"), /* h == 0 corner case*/
- "952800792ed19341fdeeec047f2514f3b0f150d6066151fb", /* r */
- "ec5971222014878b50d7a19d8954bc871e7e65b00b860ffb"); /* s */
-
/* From RFC 4754 */
test_ecdsa (&_nettle_secp_256r1,
"2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
diff --git a/testsuite/testutils.c b/testsuite/testutils.c
index c965618..7f6745a 100644
index 2c6cac40..fbf4974c 100644
--- a/testsuite/testutils.c
+++ b/testsuite/testutils.c
@@ -1656,8 +1656,6 @@ test_dsa_key(const struct dsa_params *params,
@ -168,7 +293,7 @@ index c965618..7f6745a 100644
&_nettle_secp_256r1,
&_nettle_secp_384r1,
&_nettle_secp_521r1,
@@ -1714,24 +1712,6 @@ test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p)
@@ -1714,24 +1712,6 @@ test_ecc_point (const struct ecc_curve *ecc,
/* For each curve, the points g, 2 g, 3 g and 4 g */
static const struct ecc_ref_point ecc_ref[9][4] = {
@ -194,5 +319,4 @@ index c965618..7f6745a 100644
"4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" },
{ "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978",
--
2.19.1
2.30.2
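Review bot: The rebased patch now also removes the secp224r1 and secp192r1 cases from testsuite/ecdsa-verify-test.c and testsuite/ecdsa-sign-test.c, and the comments on those cases identify them as the regression tests for the missing-canonical-reduction bug reported by Guido Vranken (the u1/u2 values chosen to require canonical reduction, and the h == 0 corner case from oss-fuzz). The fix itself (ecc_mod_mul_canonical in ecc_ecdsa_verify and ecc_ecdsa_sign) is now carried by nettle 3.7.3, which is why the separate backport patch files are deleted in this commit, but with these cases gone the packaged testsuite no longer appears to exercise that path on any curve; the remaining RFC 4754 vectors for secp256r1 do not look like they target it. The secp224r1 vectors cannot simply be kept, because the curve is dropped from eccdata.c in the same patch, so consider adding an equivalent canonical-reduction vector on a retained curve, or at least stating in the patch description that this regression coverage is intentionally removed together with the curves. Note also that the second diffstat in the patch header lists ecdsa-verify-test.c only on the new side, so this coverage loss is new to this rebase rather than inherited from the 3.4.1 version of the patch.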


@ -1,220 +0,0 @@
From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Thu, 11 Mar 2021 19:37:41 +0100
Subject: [PATCH] New functions ecc_mod_mul_canonical and
ecc_mod_sqr_canonical.
* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
New functions.
* ecc-internal.h: Declare and document new functions.
* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
* ecc-j-to-a.c (ecc_j_to_a): Likewise.
* ecc-mul-m.c (ecc_mul_m): Likewise.
(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
---
ChangeLog | 11 +++++++++++
curve25519-eh-to-x.c | 6 +-----
curve448-eh-to-x.c | 5 +----
ecc-eh-to-a.c | 12 ++----------
ecc-internal.h | 15 +++++++++++++++
ecc-j-to-a.c | 15 +++------------
ecc-mod-arith.c | 24 ++++++++++++++++++++++++
ecc-mul-m.c | 6 ++----
8 files changed, 59 insertions(+), 35 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index fd138d82..5cc5c188 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,3 +1,14 @@
#+2021-03-11 Niels Möller <nisse@lysator.liu.se>
#+
#+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
#+ New functions.
#+ * ecc-internal.h: Declare and document new functions.
#+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
#+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
#+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
#+ * ecc-j-to-a.c (ecc_j_to_a): Likewise.
#+ * ecc-mul-m.c (ecc_mul_m): Likewise.
#+
# 2021-02-17 Niels Möller <nisse@lysator.liu.se>
#
# * Released Nettle-3.7.1.
--- a/curve25519-eh-to-x.c
+++ b/curve25519-eh-to-x.c
@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
#define t2 (scratch + 2*ecc->p.size)
const struct ecc_curve *ecc = &_nettle_curve25519;
- mp_limb_t cy;
/* If u = U/W and v = V/W are the coordiantes of the point on the
Edwards curve we get the curve25519 x coordinate as
@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
ecc_mod_add (&ecc->p, t0, wp, vp);
- ecc_mod_mul (&ecc->p, t2, t0, t1);
-
- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
- cnd_copy (cy, xp, t2, ecc->p.size);
+ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
#undef vp
#undef wp
#undef t0
--- a/curve448-eh-to-x.c
+++ b/curve448-eh-to-x.c
@@ -52,7 +52,6 @@ curve448_eh_to_x (mp_limb_t *xp, const m
#define t2 (scratch + 2*ecc->p.size)
const struct ecc_curve *ecc = &_nettle_curve448;
- mp_limb_t cy;
/* If u = U/W and v = V/W are the coordinates of the point on
edwards448 we get the curve448 x coordinate as
@@ -62,10 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const m
/* Needs a total of 9*size storage. */
ecc->p.invert (&ecc->p, t0, p, t1 + ecc->p.size);
ecc_mod_mul (&ecc->p, t1, t0, vp);
- ecc_mod_mul (&ecc->p, t2, t1, t1);
+ ecc_mod_mul_canonical (&ecc->p, xp, t1, t1, t2);
- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
- cnd_copy (cy, xp, t2, ecc->p.size);
#undef vp
#undef t0
#undef t1
--- a/ecc-eh-to-a.c
+++ b/ecc-eh-to-a.c
@@ -54,18 +54,11 @@ ecc_eh_to_a (const struct ecc_curve *ecc
#define yp (p + ecc->p.size)
#define zp (p + 2*ecc->p.size)
- mp_limb_t cy;
-
assert(op == 0);
/* Needs 2*size + scratch for the invert call. */
ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
- ecc_mod_mul (&ecc->p, tp, xp, izp);
- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
- cnd_copy (cy, r, tp, ecc->p.size);
-
- ecc_mod_mul (&ecc->p, tp, yp, izp);
- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
+ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
+ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
}
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -49,6 +49,8 @@
#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
#define ecc_mod_mul _nettle_ecc_mod_mul
#define ecc_mod_sqr _nettle_ecc_mod_sqr
+#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
+#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
#define ecc_mod_random _nettle_ecc_mod_random
#define ecc_mod _nettle_ecc_mod
#define ecc_mod_inv _nettle_ecc_mod_inv
@@ -256,6 +258,19 @@ void
ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
const mp_limb_t *ap);
+/* These mul and sqr functions produce a canonical result, 0 <= R < M.
+ Requirements on input and output areas are similar to the above
+ functions, except that it is *not* allowed to pass rp = rp +
+ m->size.
+ */
+void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp);
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, mp_limb_t *tp);
+
/* mod q operations. */
void
ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
--- a/ecc-j-to-a.c
+++ b/ecc-j-to-a.c
@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
#define izBp (scratch + 3*ecc->p.size)
#define tp scratch
- mp_limb_t cy;
-
if (ecc->use_redc)
{
/* Set v = (r_z / B^2)^-1,
@@ -86,17 +84,13 @@ ecc_j_to_a (const struct ecc_curve *ecc,
ecc_mod_sqr (&ecc->p, iz2p, izp);
}
- ecc_mod_mul (&ecc->p, iz3p, iz2p, p);
- /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so
- do a conditional subtraction. */
- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
- cnd_copy (cy, r, iz3p, ecc->p.size);
-
+ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
if (op)
{
/* Skip y coordinate */
if (op > 1)
{
+ mp_limb_t cy;
/* Also reduce the x coordinate mod ecc->q. It should
already be < 2*ecc->q, so one subtraction should
suffice. */
@@ -106,10 +100,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
return;
}
ecc_mod_mul (&ecc->p, iz3p, iz2p, izp);
- ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size);
- /* And a similar subtraction. */
- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
+ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
#undef izp
#undef up
--- a/ecc-mod-arith.c
+++ b/ecc-mod-arith.c
@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
}
void
+ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
+{
+ mp_limb_t cy;
+ mpn_mul_n (tp + m->size, ap, bp, m->size);
+ m->reduce (m, tp + m->size);
+
+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+ cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
+ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap, mp_limb_t *tp)
+{
+ mp_limb_t cy;
+ mpn_sqr (tp + m->size, ap, m->size);
+ m->reduce (m, tp + m->size);
+
+ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
+ cnd_copy (cy, rp, tp + m->size, m->size);
+}
+
+void
ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
const mp_limb_t *ap)
{


@ -1,43 +0,0 @@
From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 17:26:37 +0100
Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison.
* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
(cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906)
---
ChangeLog | 4 ++++
eddsa-verify.c | 9 ++-------
2 files changed, 6 insertions(+), 7 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index 5cc5c188..2a9217a6 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,3 +1,7 @@
#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
#+
#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
#+
# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
#
# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
--- a/eddsa-verify.c
+++ b/eddsa-verify.c
@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p,
#define t0 scratch
#define t1 (scratch + p->size)
- ecc_mod_mul (p, t0, x1, z2);
- if (mpn_cmp (t0, p->m, p->size) >= 0)
- mpn_sub_n (t0, t0, p->m, p->size);
-
- ecc_mod_mul (p, t1, x2, z1);
- if (mpn_cmp (t1, p->m, p->size) >= 0)
- mpn_sub_n (t1, t1, p->m, p->size);
+ ecc_mod_mul_canonical (p, t0, x1, z2, t0);
+ ecc_mod_mul_canonical (p, t1, x2, z1, t1);
return mpn_cmp (t0, t1, p->size) == 0;


@ -1,107 +0,0 @@
From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 15:19:19 +0100
Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
* testsuite/ecdsa-verify-test.c (test_main): Add test case that
triggers an assert on 64-bit platforms, without above fix.
* testsuite/ecdsa-sign-test.c (test_main): Test case generating
the same signature.
(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
---
ChangeLog | 10 +++++++++-
ecc-ecdsa-verify.c | 4 ++--
testsuite/ecdsa-sign-test.c | 13 +++++++++++++
testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
4 files changed, 44 insertions(+), 3 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index 2a9217a6..63848f53 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,7 +1,15 @@
# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
#+ to compute the scalars used for ecc multiplication.
#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
#+ triggers an assert on 64-bit platforms, without above fix.
#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
#+ the same signature.
#+
#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
#
# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
--- a/ecc-ecdsa-verify.c
+++ b/ecc-ecdsa-verify.c
@@ -102,10 +102,10 @@ ecc_ecdsa_verify (const struct ecc_curve
/* u1 = h / s, P1 = u1 * G */
ecc_hash (&ecc->q, hp, length, digest);
- ecc_mod_mul (&ecc->q, u1, hp, sinv);
+ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
/* u2 = r / s, P2 = u2 * Y */
- ecc_mod_mul (&ecc->q, u2, rp, sinv);
+ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
/* Total storage: 5*ecc->p.size + ecc->mul_itch */
ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
--- a/testsuite/ecdsa-sign-test.c
+++ b/testsuite/ecdsa-sign-test.c
@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
+ /* Producing the signature for corresponding test in
+ ecdsa-verify-test.c, with special u1 and u2. */
+ test_ecdsa (&_nettle_secp_224r1,
+ "99b5b787484def12894ca507058b3bf5"
+ "43d72d82fa7721d2e805e5e6",
+ "2",
+ SHEX("cdb887ac805a3b42e22d224c85482053"
+ "16c755d4a736bb2032c92553"),
+ "706a46dc76dcb76798e60e6d89474788"
+ "d16dc18032d268fd1a704fa6", /* r */
+ "3a41e1423b1853e8aa89747b1f987364"
+ "44705d6d6d8371ea1f578f2e"); /* s */
+
/* Test cases for the smaller groups, verified with a
proof-of-concept implementation done for Yubico AB. */
/* From RFC 4754 */
--- a/testsuite/ecdsa-verify-test.c
+++ b/testsuite/ecdsa-verify-test.c
@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
void
test_main (void)
{
+ /* Corresponds to nonce k = 2 and private key z =
+ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
+ hash are chosen so that intermediate scalars in the verify
+ equations are u1 = 0x6b245680e700, u2 =
+ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
+ reduction of the scalars. Bug caused by missing canonical
+ reduction reported by Guido Vranken. */
+ test_ecdsa (&_nettle_secp_224r1,
+ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
+ "7be706a900a3cba1c8fdd014", /* x */
+ "74855db3f7c1b4097ae095745fc915e3"
+ "8a79d2a1de28f282eafb22ba", /* y */
+
+ SHEX("cdb887ac805a3b42e22d224c85482053"
+ "16c755d4a736bb2032c92553"),
+ "706a46dc76dcb76798e60e6d89474788"
+ "d16dc18032d268fd1a704fa6", /* r */
+ "3a41e1423b1853e8aa89747b1f987364"
+ "44705d6d6d8371ea1f578f2e"); /* s */
+
/* From RFC 4754 */
test_ecdsa (&_nettle_secp_256r1,
"2442A5CC 0ECD015F A3CA31DC 8E2BBC70"


@ -1,40 +0,0 @@
From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 16:27:50 +0100
Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced.
* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
canonical range.
(cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398)
---
ChangeLog | 3 +++
ecc-ecdsa-sign.c | 3 +--
2 files changed, 4 insertions(+), 2 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index 63848f53..fb2d7f66 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,5 +1,8 @@
# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
#+ canonical range.
#+
# * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
# to compute the scalars used for ecc multiplication.
# * testsuite/ecdsa-verify-test.c (test_main): Add test case that
--- a/ecc-ecdsa-sign.c
+++ b/ecc-ecdsa-sign.c
@@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve *
ecc_mod_mul (&ecc->q, tp, zp, rp);
ecc_mod_add (&ecc->q, hp, hp, tp);
- ecc_mod_mul (&ecc->q, tp, hp, kinv);
+ ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);
- mpn_copyi (sp, tp, ecc->p.size);
#undef P
#undef hp
#undef kinv


@ -1,44 +0,0 @@
From 401c8d53d8a8cf1e79980e62bda3f946f8e07c14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 16:29:50 +0100
Subject: [PATCH] Analogous fix to ecc_gostdsa_verify.
* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
(cherry picked from commit fbaefb64b90cb45b7075a0ed72a92f2a1fbcd2ab)
---
ChangeLog | 3 +++
ecc-gostdsa-verify.c | 6 +++---
2 files changed, 6 insertions(+), 3 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index fb2d7f66..5f8a22c2 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,5 +1,8 @@
# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#+ * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
#+ to compute the scalars used for ecc multiplication.
#+
# * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
# canonical range.
#
--- a/ecc-gostdsa-verify.c
+++ b/ecc-gostdsa-verify.c
@@ -102,11 +102,11 @@ ecc_gostdsa_verify (const struct ecc_cur
ecc->q.invert (&ecc->q, vp, hp, vp + 2*ecc->p.size);
/* z1 = s / h, P1 = z1 * G */
- ecc_mod_mul (&ecc->q, z1, sp, vp);
+ ecc_mod_mul_canonical (&ecc->q, z1, sp, vp, z1);
/* z2 = - r / h, P2 = z2 * Y */
- ecc_mod_mul (&ecc->q, z2, rp, vp);
- mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size);
+ mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size);
+ ecc_mod_mul_canonical (&ecc->q, z2, hp, vp, z2);
/* Total storage: 5*ecc->p.size + ecc->mul_itch */
ecc->mul (ecc, P2, z2, pp, z2 + ecc->p.size);


@ -1,55 +0,0 @@
From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 16:42:21 +0100
Subject: [PATCH] Similar fix for eddsa.
* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
reduced. Two of the three call sites need that.
(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
---
ChangeLog | 3 +++
eddsa-hash.c | 10 +++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index 5f8a22c2..ce330831 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,5 +1,8 @@
# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
#+ reduced. Two of the three call sites need that.
#+
# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
# to compute the scalars used for ecc multiplication.
#
--- a/eddsa-hash.c
+++ b/eddsa-hash.c
@@ -44,13 +44,14 @@
#include "ecc-internal.h"
#include "nettle-internal.h"
-/* Convert hash digest to integer, and reduce modulo q, to m->size
- limbs. Needs space for 2*m->size + 1 at rp. */
+/* Convert hash digest to integer, and reduce canonically modulo q.
+ Needs space for 2*m->size + 1 at rp. */
void
_eddsa_hash (const struct ecc_modulo *m,
mp_limb_t *rp, size_t digest_size, const uint8_t *digest)
{
mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
+ mp_limb_t cy;
mpn_set_base256_le (rp, nlimbs, digest, digest_size);
@@ -75,4 +76,8 @@ _eddsa_hash (const struct ecc_modulo *m,
assert (hi == 0);
}
m->mod (m, rp);
+ mpn_copyi (rp + m->size, rp, m->size);
+ /* Ensure canonical reduction. */
+ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
+ cnd_copy (cy, rp, rp + m->size, m->size);
}


@ -1,38 +0,0 @@
From 63f222c60b03470c0005aa9bc4296fbf585f68b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 16:45:34 +0100
Subject: [PATCH] Fix canonical reduction in gostdsa_vko.
* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
compute the scalar used for ecc multiplication.
(cherry picked from commit b30e0ca6d2b41579a5b6a010fc54065d790e8d55)
---
ChangeLog | 3 +++
gostdsa-vko.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
#diff --git a/ChangeLog b/ChangeLog
#index ce330831..8a27a9a6 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,5 +1,8 @@
# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
#
#+ * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
#+ compute the scalar used for ecc multiplication.
#+
# * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
# reduced. Two of the three call sites need that.
#
--- a/gostdsa-vko.c
+++ b/gostdsa-vko.c
@@ -87,7 +87,7 @@ gostdsa_vko (const struct ecc_scalar *pr
if (mpn_zero_p (UKM, size))
UKM[0] = 1;
- ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */
+ ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */
ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */
ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */
mpn_get_base256_le (out, bsize, TEMP, size);


@ -1,382 +0,0 @@
Description: Fix for CVE-2021-3580 - potential crash on invalid input to the RSA decryption functions.
Origin: upstream, https://git.lysator.liu.se/nettle/nettle/-/compare/7a5f86321f4c67d7219aa87ea4e2ddca677d7378...0ad0b5df315665250dfdaa4a1e087f4799edaefe
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3580
--- a/pkcs1-sec-decrypt.c
+++ b/pkcs1-sec-decrypt.c
@@ -64,7 +64,9 @@ _pkcs1_sec_decrypt (size_t length, uint8
volatile int ok;
size_t i, t;
- assert (padded_message_length >= length);
+ /* Message independent branch */
+ if (length + 11 > padded_message_length)
+ return 0;
t = padded_message_length - length - 1;
--- a/rsa-decrypt-tr.c
+++ b/rsa-decrypt-tr.c
@@ -52,14 +52,17 @@ rsa_decrypt_tr(const struct rsa_public_k
mp_size_t key_limb_size;
int res;
- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+ /* First check that input is in range. */
+ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
+ return 0;
+
+ key_limb_size = mpz_size(pub->n);
TMP_GMP_ALLOC (m, key_limb_size);
TMP_GMP_ALLOC (em, key->size);
+ mpz_limbs_copy(m, gibberish, key_limb_size);
- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
- mpz_limbs_read(gibberish),
- mpz_size(gibberish));
+ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
mpn_get_base256 (em, key->size, m, key_limb_size);
--- a/rsa-decrypt.c
+++ b/rsa-decrypt.c
@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key
int res;
mpz_init(m);
+
+ /* First check that input is in range. Since we don't have the
+ public key available here, we need to reconstruct n. */
+ mpz_mul (m, key->p, key->q);
+ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
+ {
+ mpz_clear (m);
+ return 0;
+ }
+
rsa_compute_root(key, m, gibberish);
res = pkcs1_decrypt (key->size, m, length, message);
--- a/rsa-internal.h
+++ b/rsa-internal.h
@@ -53,11 +53,11 @@ _rsa_sec_compute_root(const struct rsa_p
mp_limb_t *scratch);
/* Safe side-channel silent variant, using RSA blinding, and checking the
- * result after CRT. */
+ * result after CRT. In-place calls, with x == m, is allowed. */
int
_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
void *random_ctx, nettle_random_func *random,
- mp_limb_t *x, const mp_limb_t *m, size_t mn);
+ mp_limb_t *x, const mp_limb_t *m);
#endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
--- a/rsa-sec-decrypt.c
+++ b/rsa-sec-decrypt.c
@@ -54,12 +54,19 @@ rsa_sec_decrypt(const struct rsa_public_
TMP_GMP_DECL (em, uint8_t);
int res;
+ /* First check that input is in range. */
+ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
+ return 0;
+
TMP_GMP_ALLOC (m, mpz_size(pub->n));
TMP_GMP_ALLOC (em, key->size);
- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
- mpz_limbs_read(gibberish),
- mpz_size(gibberish));
+ /* We need a copy because m can be shorter than key_size,
+ * but _rsa_sec_compute_root_tr expect all inputs to be
+ * normalized to a key_size long buffer length */
+ mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
+
+ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
--- a/rsa-sign-tr.c
+++ b/rsa-sign-tr.c
@@ -131,35 +131,34 @@ int
_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
void *random_ctx, nettle_random_func *random,
- mp_limb_t *x, const mp_limb_t *m, size_t mn)
+ mp_limb_t *x, const mp_limb_t *m)
{
+ mp_size_t nn;
mpz_t mz;
mpz_t xz;
int res;
- mpz_init(mz);
mpz_init(xz);
- mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
- mpz_limbs_finish(mz, mn);
+ nn = mpz_size (pub->n);
- res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
+ res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
+ mpz_roinit_n(mz, m, nn));
if (res)
- mpz_limbs_copy(x, xz, mpz_size(pub->n));
+ mpz_limbs_copy(x, xz, nn);
- mpz_clear(mz);
mpz_clear(xz);
return res;
}
#else
/* Blinds m, by computing c = m r^e (mod n), for a random r. Also
- returns the inverse (ri), for use by rsa_unblind. */
+ returns the inverse (ri), for use by rsa_unblind. Must have c != m,
+ no in-place operation.*/
static void
rsa_sec_blind (const struct rsa_public_key *pub,
void *random_ctx, nettle_random_func *random,
- mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m,
- mp_size_t mn)
+ mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
{
const mp_limb_t *ep = mpz_limbs_read (pub->e);
const mp_limb_t *np = mpz_limbs_read (pub->n);
@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k
/* c = m*(r^e) mod n */
itch = mpn_sec_powm_itch(nn, ebn, nn);
- i2 = mpn_sec_mul_itch(nn, mn);
+ i2 = mpn_sec_mul_itch(nn, nn);
itch = MAX(itch, i2);
- i2 = mpn_sec_div_r_itch(nn + mn, nn);
+ i2 = mpn_sec_div_r_itch(2*nn, nn);
itch = MAX(itch, i2);
i2 = mpn_sec_invert_itch(nn);
itch = MAX(itch, i2);
- TMP_GMP_ALLOC (tp, nn + mn + itch);
- scratch = tp + nn + mn;
+ TMP_GMP_ALLOC (tp, 2*nn + itch);
+ scratch = tp + 2*nn;
/* ri = r^(-1) */
do
@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k
while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
- /* normally mn == nn, but m can be smaller in some cases */
- mpn_sec_mul (tp, c, nn, m, mn, scratch);
- mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
+ mpn_sec_mul (tp, c, nn, m, nn, scratch);
+ mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
mpn_copyi(c, tp, nn);
TMP_GMP_FREE (r);
@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k
TMP_GMP_FREE (tp);
}
-/* m = c ri mod n */
+/* m = c ri mod n. Allows x == c. */
static void
rsa_sec_unblind (const struct rsa_public_key *pub,
mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
@@ -298,7 +296,7 @@ int
_rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
void *random_ctx, nettle_random_func *random,
- mp_limb_t *x, const mp_limb_t *m, size_t mn)
+ mp_limb_t *x, const mp_limb_t *m)
{
TMP_GMP_DECL (c, mp_limb_t);
TMP_GMP_DECL (ri, mp_limb_t);
@@ -306,7 +304,7 @@ _rsa_sec_compute_root_tr(const struct rs
size_t key_limb_size;
int ret;
- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+ key_limb_size = mpz_size(pub->n);
/* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
key is invalid and rejected by rsa_private_key_prepare. However,
@@ -320,19 +318,18 @@ _rsa_sec_compute_root_tr(const struct rs
}
assert(mpz_size(pub->n) == key_limb_size);
- assert(mn <= key_limb_size);
TMP_GMP_ALLOC (c, key_limb_size);
TMP_GMP_ALLOC (ri, key_limb_size);
TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
- rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
+ rsa_sec_blind (pub, random_ctx, random, c, ri, m);
- _rsa_sec_compute_root(key, c, x, scratch);
+ _rsa_sec_compute_root(key, x, c, scratch);
- ret = rsa_sec_check_root(pub, c, x);
+ ret = rsa_sec_check_root(pub, x, c);
- rsa_sec_unblind(pub, x, ri, c);
+ rsa_sec_unblind(pub, x, ri, x);
cnd_mpn_zero(1 - ret, x, key_limb_size);
@@ -356,17 +353,17 @@ rsa_compute_root_tr(const struct rsa_pub
mpz_t x, const mpz_t m)
{
TMP_GMP_DECL (l, mp_limb_t);
+ mp_size_t nn = mpz_size(pub->n);
int res;
- mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
- TMP_GMP_ALLOC (l, l_size);
+ TMP_GMP_ALLOC (l, nn);
+ mpz_limbs_copy(l, m, nn);
- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
- mpz_limbs_read(m), mpz_size(m));
+ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
if (res) {
- mp_limb_t *xp = mpz_limbs_write (x, l_size);
- mpn_copyi (xp, l, l_size);
- mpz_limbs_finish (x, l_size);
+ mp_limb_t *xp = mpz_limbs_write (x, nn);
+ mpn_copyi (xp, l, nn);
+ mpz_limbs_finish (x, nn);
}
TMP_GMP_FREE (l);
--- a/rsa.h
+++ b/rsa.h
@@ -433,13 +433,14 @@ rsa_sec_decrypt(const struct rsa_public_
size_t length, uint8_t *message,
const mpz_t gibberish);
-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
+/* Compute x, the e:th root of m. Calling it with x == m is allowed.
+ It is required that 0 <= m < n. */
void
rsa_compute_root(const struct rsa_private_key *key,
mpz_t x, const mpz_t m);
/* Safer variant, using RSA blinding, and checking the result after
- CRT. */
+ CRT. It is required that 0 <= m < n. */
int
rsa_compute_root_tr(const struct rsa_public_key *pub,
const struct rsa_private_key *key,
--- a/testsuite/rsa-encrypt-test.c
+++ b/testsuite/rsa-encrypt-test.c
@@ -19,10 +19,12 @@ test_main(void)
uint8_t after;
mpz_t gibberish;
+ mpz_t bad_input;
rsa_private_key_init(&key);
rsa_public_key_init(&pub);
mpz_init(gibberish);
+ mpz_init(bad_input);
knuth_lfib_init(&lfib, 17);
@@ -101,6 +103,42 @@ test_main(void)
ASSERT(decrypted[decrypted_length] == after);
ASSERT(decrypted[0] == 'A');
+ /* Test zero input. */
+ mpz_set_ui (bad_input, 0);
+ decrypted_length = msg_length;
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test input that is slightly larger than n */
+ mpz_add(bad_input, gibberish, pub.n);
+ decrypted_length = msg_length;
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test input that is considerably larger than n */
+ mpz_mul_2exp (bad_input, pub.n, 100);
+ mpz_add (bad_input, bad_input, gibberish);
+ decrypted_length = msg_length;
+ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
/* Test invalid key. */
mpz_add_ui (key.q, key.q, 2);
@@ -112,6 +150,6 @@ test_main(void)
rsa_private_key_clear(&key);
rsa_public_key_clear(&pub);
mpz_clear(gibberish);
+ mpz_clear(bad_input);
free(decrypted);
}
-
--- a/testsuite/rsa-sec-decrypt-test.c
+++ b/testsuite/rsa-sec-decrypt-test.c
@@ -55,6 +55,7 @@ rsa_decrypt_for_test(const struct rsa_pu
#endif
#define PAYLOAD_SIZE 50
+#define DECRYPTED_SIZE 256
void
test_main(void)
{
@@ -63,7 +64,7 @@ test_main(void)
struct knuth_lfib_ctx random_ctx;
uint8_t plaintext[PAYLOAD_SIZE];
- uint8_t decrypted[PAYLOAD_SIZE];
+ uint8_t decrypted[DECRYPTED_SIZE];
uint8_t verifybad[PAYLOAD_SIZE];
unsigned n_size = 1024;
mpz_t gibberish;
@@ -98,6 +99,20 @@ test_main(void)
PAYLOAD_SIZE, decrypted, gibberish) == 1);
ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted));
+ ASSERT (pub.size > 10);
+ ASSERT (pub.size <= DECRYPTED_SIZE);
+
+ /* Check that too large message length is rejected, largest
+ valid size is pub.size - 11. */
+ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
+ (nettle_random_func *) knuth_lfib_random,
+ pub.size - 10, decrypted, gibberish));
+
+ /* This case used to result in arithmetic underflow and a crash. */
+ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx,
+ (nettle_random_func *) knuth_lfib_random,
+ pub.size, decrypted, gibberish));
+
/* bad one */
memcpy(decrypted, verifybad, PAYLOAD_SIZE);
nettle_mpz_random_size(garbage, &random_ctx,


nettle-3.7.3.tar.gz Normal file



@ -1,6 +1,6 @@
Name: nettle
Version: 3.6
Release: 7
Version: 3.7.3
Release: 1
Summary: A low-level cryptographic library
License: LGPLv3+ or GPLv2+
URL: https://www.lysator.liu.se/~nisse/nettle/
@ -8,15 +8,6 @@ Source0: https://www.lysator.liu.se/~nisse/archive/%{name}-%{version}.tar
Patch0: 0000-nettle-3.3-remove-ecc-testsuite.patch
Patch6000: backport-0001-CVE-2021-20305.patch
Patch6001: backport-0002-CVE-2021-20305.patch
Patch6002: backport-0003-CVE-2021-20305.patch
Patch6003: backport-0004-CVE-2021-20305.patch
Patch6004: backport-0005-CVE-2021-20305.patch
Patch6005: backport-0006-CVE-2021-20305.patch
Patch6006: backport-0007-CVE-2021-20305.patch
Patch6007: backport-CVE-2021-3580.patch
BuildRequires: automake autoconf fipscheck gcc gettext-devel gmp-devel libtool m4
BuildRequires: nettle
@ -36,11 +27,11 @@ The devel for %{name}
%package_help
%prep
%autosetup -n %{name}-3.6 -p1
%autosetup -n %{name}-%{version} -p1
sed s/ggdb3/g/ -i configure
sed 's/ecc-192.c//g' -i Makefile.in
sed 's/ecc-224.c//g' -i Makefile.in
sed 's/ecc-secp192r1.c//g' -i Makefile.in
sed 's/ecc-secp224r1.c//g' -i Makefile.in
%build
autoreconf -ifv
@ -87,6 +78,12 @@ make check
%ldconfig_scriptlets
%changelog
* Sat Mar 19 2022 quanhongfei <quanhongfei@h-partners.com> - 3.7.3-1
- Type:requirements
- Id:NA
- SUG:NA
- DESC:update nettle to 3.7.3
* Mon Aug 16 2021 gaihuiying <gaihuiying1@huawei.com> - 3.6-7
- Type:CVE
- CVE:CVE-2021-3580