Backport and combine multiple commits from 3.7.2 to address this CVE. Signed-off-by: Trevor Gamblin <trevor.gamb...@windriver.com> --- .../nettle/nettle/CVE-2021-20305.patch | 516 ++++++++++++++++++ meta/recipes-support/nettle/nettle_3.7.1.bb | 1 + 2 files changed, 517 insertions(+) create mode 100644 meta/recipes-support/nettle/nettle/CVE-2021-20305.patch
diff --git a/meta/recipes-support/nettle/nettle/CVE-2021-20305.patch b/meta/recipes-support/nettle/nettle/CVE-2021-20305.patch new file mode 100644 index 0000000000..b1065c705a --- /dev/null +++ b/meta/recipes-support/nettle/nettle/CVE-2021-20305.patch @@ -0,0 +1,516 @@ +From 80e3d99afb5820d9b4ed807136ba32d57c4229a6 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin <trevor.gamb...@windriver.com> +Date: Wed, 21 Apr 2021 09:15:34 -0400 +Subject: [PATCH] CVE-2021-20305 + +Backport the following fixes from nettle 3.7.2: + +https://git.lysator.liu.se/nettle/nettle/-/commit/a63893791280d441c713293491da97c79c0950fe +https://git.lysator.liu.se/nettle/nettle/-/commit/971bed6ab4b27014eb23085e8176917e1a096fd5 +https://git.lysator.liu.se/nettle/nettle/-/commit/74ee0e82b6891e090f20723750faeb19064e31b2 +https://git.lysator.liu.se/nettle/nettle/-/commit/51f643eee00e2caa65c8a2f5857f49acdf3ef1ce +https://git.lysator.liu.se/nettle/nettle/-/commit/401c8d53d8a8cf1e79980e62bda3f946f8e07c14 +https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b +https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9 + +CVE: CVE-2021-20305 +Upstream-Status: Backport + +Signed-off-by: Trevor Gamblin <trevor.gamb...@windriver.com> +--- + ChangeLog | 40 ++++++++++++++++++++++++++++++++++- + curve25519-eh-to-x.c | 6 +----- + curve448-eh-to-x.c | 5 +---- + ecc-ecdsa-sign.c | 3 +-- + ecc-ecdsa-verify.c | 4 ++-- + ecc-eh-to-a.c | 12 ++--------- + ecc-gostdsa-verify.c | 6 +++--- + ecc-internal.h | 15 +++++++++++++ + ecc-j-to-a.c | 15 +++---------- + ecc-mod-arith.c | 24 +++++++++++++++++++++ + ecc-mul-m.c | 6 ++---- + eddsa-hash.c | 10 ++++++--- + eddsa-verify.c | 9 ++------ + gostdsa-vko.c | 2 +- + testsuite/ecdsa-sign-test.c | 26 +++++++++++++++++++++++ + testsuite/ecdsa-verify-test.c | 40 +++++++++++++++++++++++++++++++++++ + 16 files changed, 169 insertions(+), 54 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index fd138d82..9ab52fab 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,18 @@ ++2021-03-13 Niels Möller <ni...@lysator.liu.se> ++ ++ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. ++ ++2021-03-11 Niels Möller <ni...@lysator.liu.se> ++ ++ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): ++ New functions. ++ * ecc-internal.h: Declare and document new functions. ++ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. ++ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. ++ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. ++ * ecc-j-to-a.c (ecc_j_to_a): Likewise. ++ * ecc-mul-m.c (ecc_mul_m): Likewise. ++ + 2021-02-17 Niels Möller <ni...@lysator.liu.se> + + * Released Nettle-3.7.1. +@@ -316,11 +331,34 @@ + + 2020-11-02 Niels Möller <ni...@lysator.liu.se> + ++ * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to ++ compute the scalar used for ecc multiplication. ++ ++ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically ++ reduced. Two of the three call sites need that. ++ ++ * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical ++ to compute the scalars used for ecc multiplication. ++ ++ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to ++ canonical range. ++ ++ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical ++ to compute the scalars used for ecc multiplication. ++ * testsuite/ecdsa-verify-test.c (test_main): Add test case that ++ triggers an assert on 64-bit platforms, without above fix. ++ * testsuite/ecdsa-sign-test.c (test_main): Test case generating ++ the same signature. ++ ++2021-03-13 Niels Möller <ni...@lysator.liu.se> ++ + * ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need. + (ecc_curve25519_inv): Likewise. + (ecc_curve25519_sqrt): Likewise. + +-2020-11-01 Niels Möller <ni...@lysator.liu.se> ++ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. ++ ++2021-03-11 Niels Möller <ni...@lysator.liu.se> + + * ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument + for scratch area, reducing required size of result area. Update +diff --git a/curve25519-eh-to-x.c b/curve25519-eh-to-x.c +index f0f1920d..d90defda 100644 +--- a/curve25519-eh-to-x.c ++++ b/curve25519-eh-to-x.c +@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, + #define tp (scratch + 2*ecc->p.size) + + const struct ecc_curve *ecc = &_nettle_curve25519; +- mp_limb_t cy; + + /* If u = U/W and v = V/W are the coordinates of the point on the + Edwards curve we get the curve25519 x coordinate as +@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, + ecc->p.invert (&ecc->p, t1, t0, tp); + + ecc_mod_add (&ecc->p, t0, wp, vp); +- ecc_mod_mul (&ecc->p, t0, t0, t1, tp); +- +- cy = mpn_sub_n (xp, t0, ecc->p.m, ecc->p.size); +- cnd_copy (cy, xp, t0, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, tp); + #undef vp + #undef wp + #undef t0 +diff --git a/curve448-eh-to-x.c b/curve448-eh-to-x.c +index 8f3f8c45..3b9bf3ec 100644 +--- a/curve448-eh-to-x.c ++++ b/curve448-eh-to-x.c +@@ -52,7 +52,6 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) + #define tp (scratch + ecc->p.size) + + const struct ecc_curve *ecc = &_nettle_curve448; +- mp_limb_t cy; + + /* If u = U/W and v = V/W are the coordinates of the point on + edwards448 we get the curve448 x coordinate as +@@ -62,10 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) + /* Needs a total of 5*size storage. */ + ecc->p.invert (&ecc->p, t0, up, tp); + ecc_mod_mul (&ecc->p, t0, t0, vp, tp); +- ecc_mod_sqr (&ecc->p, t0, t0, tp); ++ ecc_mod_sqr_canonical (&ecc->p, xp, t0, tp); + +- cy = mpn_sub_n (xp, t0, ecc->p.m, ecc->p.size); +- cnd_copy (cy, xp, t0, ecc->p.size); + #undef up + #undef vp + #undef t0 +diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c +index f323196e..4adee1d1 100644 +--- a/ecc-ecdsa-sign.c ++++ b/ecc-ecdsa-sign.c +@@ -91,9 +91,8 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, + + ecc_mod_mul (&ecc->q, tp, zp, rp, tp); + ecc_mod_add (&ecc->q, hp, hp, tp); +- ecc_mod_mul (&ecc->q, tp, hp, kinv, tp); ++ ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); + +- mpn_copyi (sp, tp, ecc->p.size); + #undef P + #undef hp + #undef kinv +diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c +index 1b2dcca7..f3b112b0 100644 +--- a/ecc-ecdsa-verify.c ++++ b/ecc-ecdsa-verify.c +@@ -102,10 +102,10 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, + + /* u1 = h / s, P1 = u1 * G */ + ecc_hash (&ecc->q, hp, length, digest); +- ecc_mod_mul (&ecc->q, u1, hp, sinv, u1); ++ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1); + + /* u2 = r / s, P2 = u2 * Y */ +- ecc_mod_mul (&ecc->q, u2, rp, sinv, u2); ++ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2); + + /* Total storage: 5*ecc->p.size + ecc->mul_itch */ + ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); +diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c +index 24f6d0c0..5e3571c1 100644 +--- a/ecc-eh-to-a.c ++++ b/ecc-eh-to-a.c +@@ -49,23 +49,15 @@ ecc_eh_to_a (const struct ecc_curve *ecc, + #define izp scratch + #define tp (scratch + ecc->p.size) + +- + #define xp p + #define yp (p + ecc->p.size) + #define zp (p + 2*ecc->p.size) + +- mp_limb_t cy; +- + assert(op == 0); + + /* Needs size + scratch for the invert call. */ + ecc->p.invert (&ecc->p, izp, zp, tp); + +- ecc_mod_mul (&ecc->p, tp, xp, izp, tp); +- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); +- cnd_copy (cy, r, tp, ecc->p.size); +- +- ecc_mod_mul (&ecc->p, tp, yp, izp, tp); +- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); +- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); ++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); + } +diff --git a/ecc-gostdsa-verify.c b/ecc-gostdsa-verify.c +index c0613f4f..fcdd4644 100644 +--- a/ecc-gostdsa-verify.c ++++ b/ecc-gostdsa-verify.c +@@ -102,11 +102,11 @@ ecc_gostdsa_verify (const struct ecc_curve *ecc, + ecc->q.invert (&ecc->q, vp, hp, vp + ecc->p.size); + + /* z1 = s / h, P1 = z1 * G */ +- ecc_mod_mul (&ecc->q, z1, sp, vp, z1); ++ ecc_mod_mul_canonical (&ecc->q, z1, sp, vp, z1); + + /* z2 = - r / h, P2 = z2 * Y */ +- ecc_mod_mul (&ecc->q, z2, rp, vp, z2); +- mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size); ++ mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->q, z2, hp, vp, z2); + + /* Total storage: 5*ecc->p.size + ecc->mul_itch */ + ecc->mul (ecc, P2, z2, pp, z2 + ecc->p.size); +diff --git a/ecc-internal.h b/ecc-internal.h +index 55c9be27..acfcb4d7 100644 +--- a/ecc-internal.h ++++ b/ecc-internal.h +@@ -49,6 +49,8 @@ + #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 + #define ecc_mod_mul _nettle_ecc_mod_mul + #define ecc_mod_sqr _nettle_ecc_mod_sqr ++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical ++#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical + #define ecc_mod_pow_2k _nettle_ecc_mod_pow_2k + #define ecc_mod_pow_2k_mul _nettle_ecc_mod_pow_2k_mul + #define ecc_mod_random _nettle_ecc_mod_random +@@ -264,6 +266,19 @@ void + ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t *tp); + ++/* These mul and sqr functions produce a canonical result, 0 <= R < M. ++ Requirements on input and output areas are similar to the above ++ functions, except that it is *not* allowed to pass rp = rp + ++ m->size. ++ */ ++void ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); ++ ++void ++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, mp_limb_t *tp); ++ + /* R <-- X^{2^k} mod M. Needs 2*ecc->size limbs of scratch space, same + overlap requirements as mul and sqr above. */ + void +diff --git a/ecc-j-to-a.c b/ecc-j-to-a.c +index 2d55b3a5..ac134b51 100644 +--- a/ecc-j-to-a.c ++++ b/ecc-j-to-a.c +@@ -49,8 +49,6 @@ ecc_j_to_a (const struct ecc_curve *ecc, + #define iz3p (scratch + 2*ecc->p.size) + #define tp scratch + +- mp_limb_t cy; +- + ecc->p.invert (&ecc->p, izp, p+2*ecc->p.size, izp + ecc->p.size); + ecc_mod_sqr (&ecc->p, iz2p, izp, iz2p); + +@@ -63,17 +61,13 @@ ecc_j_to_a (const struct ecc_curve *ecc, + } + + /* r_x <-- x / z^2 */ +- ecc_mod_mul (&ecc->p, iz3p, iz2p, p, iz3p); +- /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so +- do a conditional subtraction. */ +- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); +- cnd_copy (cy, r, iz3p, ecc->p.size); +- ++ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); + if (op) + { + /* Skip y coordinate */ + if (op > 1) + { ++ mp_limb_t cy; + /* Also reduce the x coordinate mod ecc->q. It should + already be < 2*ecc->q, so one subtraction should + suffice. */ +@@ -83,10 +77,7 @@ ecc_j_to_a (const struct ecc_curve *ecc, + return; + } + ecc_mod_mul (&ecc->p, iz3p, iz2p, izp, iz3p); +- ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size, tp); +- /* And a similar subtraction. */ +- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); +- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); ++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, tp); + + #undef izp + #undef iz2p +diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c +index 551f2c14..b3021d94 100644 +--- a/ecc-mod-arith.c ++++ b/ecc-mod-arith.c +@@ -125,6 +125,30 @@ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, + m->reduce (m, rp, tp); + } + ++void ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) ++{ ++ mp_limb_t cy; ++ mpn_mul_n (tp, ap, bp, m->size); ++ m->reduce (m, tp + m->size, tp); ++ ++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); ++ cnd_copy (cy, rp, tp + m->size, m->size); ++} ++ ++void ++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, ++ const mp_limb_t *ap, mp_limb_t *tp) ++{ ++ mp_limb_t cy; ++ mpn_sqr (tp, ap, m->size); ++ m->reduce (m, tp + m->size, tp); ++ ++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); ++ cnd_copy (cy, rp, tp + m->size, m->size); ++} ++ + void + ecc_mod_pow_2k (const struct ecc_modulo *m, + mp_limb_t *rp, const mp_limb_t *xp, +diff --git a/ecc-mul-m.c b/ecc-mul-m.c +index a3355751..f0ceb924 100644 +--- a/ecc-mul-m.c ++++ b/ecc-mul-m.c +@@ -48,7 +48,7 @@ ecc_mul_m (const struct ecc_modulo *m, + mp_limb_t *scratch) + { + unsigned i; +- mp_limb_t cy, swap; ++ mp_limb_t swap; + + #define x2 (scratch) + #define z2 (scratch + m->size) +@@ -162,7 +162,5 @@ ecc_mul_m (const struct ecc_modulo *m, + } + assert (m->invert_itch <= 7 * m->size); + m->invert (m, x3, z2, z3 + m->size); +- ecc_mod_mul (m, z3, x2, x3, z3); +- cy = mpn_sub_n (qx, z3, m->m, m->size); +- cnd_copy (cy, qx, z3, m->size); ++ ecc_mod_mul_canonical (m, qx, x2, x3, z3); + } +diff --git a/eddsa-hash.c b/eddsa-hash.c +index 95e0dd70..6ebbe977 100644 +--- a/eddsa-hash.c ++++ b/eddsa-hash.c +@@ -44,13 +44,14 @@ + #include "ecc-internal.h" + #include "nettle-internal.h" + +-/* Convert hash digest to integer, and reduce modulo q, to m->size +- limbs. Needs space for 2*m->size + 1 at rp. */ ++/* Convert hash digest to integer, and reduce canonically modulo q. ++ Needs space for 2*m->size + 1 at rp. */ + void + _eddsa_hash (const struct ecc_modulo *m, + mp_limb_t *rp, size_t digest_size, const uint8_t *digest) + { + mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS; ++ mp_limb_t cy; + + mpn_set_base256_le (rp, nlimbs, digest, digest_size); + +@@ -74,5 +75,8 @@ _eddsa_hash (const struct ecc_modulo *m, + hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size); + assert (hi == 0); + } +- m->mod (m, rp, rp); ++ m->mod (m, rp + m->size , rp); ++ /* Ensure canonical reduction. */ ++ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); ++ cnd_copy (cy, rp, rp + m->size, m->size); + } +diff --git a/eddsa-verify.c b/eddsa-verify.c +index de68f240..10d075ee 100644 +--- a/eddsa-verify.c ++++ b/eddsa-verify.c +@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p, + #define t0 scratch + #define t1 (scratch + p->size) + +- ecc_mod_mul (p, t0, x1, z2, t0); +- if (mpn_cmp (t0, p->m, p->size) >= 0) +- mpn_sub_n (t0, t0, p->m, p->size); +- +- ecc_mod_mul (p, t1, x2, z1, t1); +- if (mpn_cmp (t1, p->m, p->size) >= 0) +- mpn_sub_n (t1, t1, p->m, p->size); ++ ecc_mod_mul_canonical (p, t0, x1, z2, t0); ++ ecc_mod_mul_canonical (p, t1, x2, z1, t1); + + return mpn_cmp (t0, t1, p->size) == 0; + +diff --git a/gostdsa-vko.c b/gostdsa-vko.c +index a02d59a9..3dc42a1e 100644 +--- a/gostdsa-vko.c ++++ b/gostdsa-vko.c +@@ -87,7 +87,7 @@ gostdsa_vko (const struct ecc_scalar *priv, + if (mpn_zero_p (UKM, size)) + UKM[0] = 1; + +- ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */ ++ ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */ + ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ + ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ + mpn_get_base256_le (out, bsize, TEMP, size); +diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c +index b240a31b..ed7e22bc 100644 +--- a/testsuite/ecdsa-sign-test.c ++++ b/testsuite/ecdsa-sign-test.c +@@ -58,6 +58,32 @@ test_ecdsa (const struct ecc_curve *ecc, + void + test_main (void) + { ++ /* Producing the signature for corresponding test in ++ ecdsa-verify-test.c, with special u1 and u2. */ ++ test_ecdsa (&_nettle_secp_224r1, ++ "99b5b787484def12894ca507058b3bf5" ++ "43d72d82fa7721d2e805e5e6", ++ "2", ++ SHEX("cdb887ac805a3b42e22d224c85482053" ++ "16c755d4a736bb2032c92553"), ++ "706a46dc76dcb76798e60e6d89474788" ++ "d16dc18032d268fd1a704fa6", /* r */ ++ "3a41e1423b1853e8aa89747b1f987364" ++ "44705d6d6d8371ea1f578f2e"); /* s */ ++ ++ /* Producing the signature for corresponding test in ++ ecdsa-verify-test.c, with special u1 and u2. */ ++ test_ecdsa (&_nettle_secp_224r1, ++ "99b5b787484def12894ca507058b3bf5" ++ "43d72d82fa7721d2e805e5e6", ++ "2", ++ SHEX("cdb887ac805a3b42e22d224c85482053" ++ "16c755d4a736bb2032c92553"), ++ "706a46dc76dcb76798e60e6d89474788" ++ "d16dc18032d268fd1a704fa6", /* r */ ++ "3a41e1423b1853e8aa89747b1f987364" ++ "44705d6d6d8371ea1f578f2e"); /* s */ ++ + /* Test cases for the smaller groups, verified with a + proof-of-concept implementation done for Yubico AB. */ + test_ecdsa (&_nettle_secp_192r1, +diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c +index 3ceac0eb..edcd32ea 100644 +--- a/testsuite/ecdsa-verify-test.c ++++ b/testsuite/ecdsa-verify-test.c +@@ -81,6 +81,46 @@ test_ecdsa (const struct ecc_curve *ecc, + void + test_main (void) + { ++ /* Corresponds to nonce k = 2 and private key z = ++ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and ++ hash are chosen so that intermediate scalars in the verify ++ equations are u1 = 0x6b245680e700, u2 = ++ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical ++ reduction of the scalars. Bug caused by missing canonical ++ reduction reported by Guido Vranken. */ ++ test_ecdsa (&_nettle_secp_224r1, ++ "9e7e6cc6b1bdfa8ee039b66ad85e5490" ++ "7be706a900a3cba1c8fdd014", /* x */ ++ "74855db3f7c1b4097ae095745fc915e3" ++ "8a79d2a1de28f282eafb22ba", /* y */ ++ ++ SHEX("cdb887ac805a3b42e22d224c85482053" ++ "16c755d4a736bb2032c92553"), ++ "706a46dc76dcb76798e60e6d89474788" ++ "d16dc18032d268fd1a704fa6", /* r */ ++ "3a41e1423b1853e8aa89747b1f987364" ++ "44705d6d6d8371ea1f578f2e"); /* s */ ++ ++ /* Corresponds to nonce k = 2 and private key z = ++ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and ++ hash are chosen so that intermediate scalars in the verify ++ equations are u1 = 0x6b245680e700, u2 = ++ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical ++ reduction of the scalars. Bug caused by missing canonical ++ reduction reported by Guido Vranken. */ ++ test_ecdsa (&_nettle_secp_224r1, ++ "9e7e6cc6b1bdfa8ee039b66ad85e5490" ++ "7be706a900a3cba1c8fdd014", /* x */ ++ "74855db3f7c1b4097ae095745fc915e3" ++ "8a79d2a1de28f282eafb22ba", /* y */ ++ ++ SHEX("cdb887ac805a3b42e22d224c85482053" ++ "16c755d4a736bb2032c92553"), ++ "706a46dc76dcb76798e60e6d89474788" ++ "d16dc18032d268fd1a704fa6", /* r */ ++ "3a41e1423b1853e8aa89747b1f987364" ++ "44705d6d6d8371ea1f578f2e"); /* s */ ++ + /* Test case provided by Guido Vranken, from oss-fuzz */ + test_ecdsa (&_nettle_secp_192r1, + "14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */ +-- +2.30.2 + diff --git a/meta/recipes-support/nettle/nettle_3.7.1.bb b/meta/recipes-support/nettle/nettle_3.7.1.bb index 3bbcf17c7a..0e2bd2a7e1 100644 --- a/meta/recipes-support/nettle/nettle_3.7.1.bb +++ b/meta/recipes-support/nettle/nettle_3.7.1.bb @@ -18,6 +18,7 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ file://Add-target-to-only-build-tests-not-run-them.patch \ file://run-ptest \ file://check-header-files-of-openssl-only-if-enable_.patch \ + file://CVE-2021-20305.patch \ " SRC_URI_append_class-target = "\ -- 2.30.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#150744): https://lists.openembedded.org/g/openembedded-core/message/150744 Mute This Topic: https://lists.openembedded.org/mt/82260195/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
