nettle/backport-0007-CVE-2021-20305.patch

From 63f222c60b03470c0005aa9bc4296fbf585f68b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Sat, 13 Mar 2021 16:45:34 +0100
Subject: [PATCH] Fix canonical reduction in gostdsa_vko.

* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
compute the scalar used for ecc multiplication.

(cherry picked from commit b30e0ca6d2b41579a5b6a010fc54065d790e8d55)
---
 ChangeLog     | 3 +++
 gostdsa-vko.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

#diff --git a/ChangeLog b/ChangeLog
#index ce330831..8a27a9a6 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,5 +1,8 @@
# 2021-03-13  Niels Möller  <nisse@lysator.liu.se>
# 
#+	* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
#+	compute the scalar used for ecc multiplication.
#+
# 	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
# 	reduced. Two of the three call sites need that.
# 
--- a/gostdsa-vko.c
+++ b/gostdsa-vko.c
@@ -87,7 +87,7 @@ gostdsa_vko (const struct ecc_scalar *pr
   if (mpn_zero_p (UKM, size))
     UKM[0] = 1;
 
-  ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */
+  ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */
   ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */
   ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */
   mpn_get_base256_le (out, bsize, TEMP, size);