Hi Trevor,

On Wed, 2021-04-21 at 09:44 -0400, Trevor Gamblin wrote:
> Backport and combine multiple commits from 3.7.2 to address this CVE.
> 

I have taken the 3.7.2 upgrade for hardknott since the release notes
mention it's a bug fix release. 

https://github.com/gnutls/nettle/commit/7a5f86321f4c67d7219aa87ea4e2ddca677d7378#diff-7ee66c4f1536ac84dc5bbff1b8312e2eef24b974b3e48a5c5c2bcfdf2eb8f3ce

Thanks,

Anuj

> Signed-off-by: Trevor Gamblin <trevor.gamb...@windriver.com>
> ---
>  .../nettle/nettle/CVE-2021-20305.patch        | 516 ++++++++++++++++++
>  meta/recipes-support/nettle/nettle_3.7.1.bb   |   1 +
>  2 files changed, 517 insertions(+)
>  create mode 100644 meta/recipes-support/nettle/nettle/CVE-2021-
> 20305.patch
> 
> diff --git a/meta/recipes-support/nettle/nettle/CVE-2021-20305.patch
> b/meta/recipes-support/nettle/nettle/CVE-2021-20305.patch
> new file mode 100644
> index 0000000000..b1065c705a
> --- /dev/null
> +++ b/meta/recipes-support/nettle/nettle/CVE-2021-20305.patch
> @@ -0,0 +1,516 @@
> +From 80e3d99afb5820d9b4ed807136ba32d57c4229a6 Mon Sep 17 00:00:00 2001
> +From: Trevor Gamblin <trevor.gamb...@windriver.com>
> +Date: Wed, 21 Apr 2021 09:15:34 -0400
> +Subject: [PATCH] CVE-2021-20305
> +
> +Backport the following fixes from nettle 3.7.2:
> +
> +
> https://git.lysator.liu.se/nettle/nettle/-/commit/a63893791280d441c713293491da97c79c0950fe
> +
> https://git.lysator.liu.se/nettle/nettle/-/commit/971bed6ab4b27014eb23085e8176917e1a096fd5
> +
> https://git.lysator.liu.se/nettle/nettle/-/commit/74ee0e82b6891e090f20723750faeb19064e31b2
> +
> https://git.lysator.liu.se/nettle/nettle/-/commit/51f643eee00e2caa65c8a2f5857f49acdf3ef1ce
> +
> https://git.lysator.liu.se/nettle/nettle/-/commit/401c8d53d8a8cf1e79980e62bda3f946f8e07c14
> +
> https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b
> +
> https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9
> +
> +CVE: CVE-2021-20305
> +Upstream-Status: Backport
> +
> +Signed-off-by: Trevor Gamblin <trevor.gamb...@windriver.com>
> +---
> + ChangeLog                     | 40
> ++++++++++++++++++++++++++++++++++-
> + curve25519-eh-to-x.c          |  6 +-----
> + curve448-eh-to-x.c            |  5 +----
> + ecc-ecdsa-sign.c              |  3 +--
> + ecc-ecdsa-verify.c            |  4 ++--
> + ecc-eh-to-a.c                 | 12 ++---------
> + ecc-gostdsa-verify.c          |  6 +++---
> + ecc-internal.h                | 15 +++++++++++++
> + ecc-j-to-a.c                  | 15 +++----------
> + ecc-mod-arith.c               | 24 +++++++++++++++++++++
> + ecc-mul-m.c                   |  6 ++----
> + eddsa-hash.c                  | 10 ++++++---
> + eddsa-verify.c                |  9 ++------
> + gostdsa-vko.c                 |  2 +-
> + testsuite/ecdsa-sign-test.c   | 26 +++++++++++++++++++++++
> + testsuite/ecdsa-verify-test.c | 40
> +++++++++++++++++++++++++++++++++++
> + 16 files changed, 169 insertions(+), 54 deletions(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index fd138d82..9ab52fab 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,3 +1,18 @@
> ++2021-03-13  Niels Möller  <ni...@lysator.liu.se>
> ++
> ++      * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
> ++
> ++2021-03-11  Niels Möller  <ni...@lysator.liu.se>
> ++
> ++      * ecc-mod-arith.c (ecc_mod_mul_canonical,
> ecc_mod_sqr_canonical):
> ++      New functions.
> ++      * ecc-internal.h: Declare and document new functions.
> ++      * curve448-eh-to-x.c (curve448_eh_to_x): Use
> ecc_mod_sqr_canonical.
> ++      * curve25519-eh-to-x.c (curve25519_eh_to_x): Use
> ecc_mod_mul_canonical.
> ++      * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
> ++      * ecc-j-to-a.c (ecc_j_to_a): Likewise.
> ++      * ecc-mul-m.c (ecc_mul_m): Likewise.
> ++
> + 2021-02-17  Niels Möller  <ni...@lysator.liu.se>
> + 
> +       * Released Nettle-3.7.1.
> +@@ -316,11 +331,34 @@
> + 
> + 2020-11-02  Niels Möller  <ni...@lysator.liu.se>
> + 
> ++      * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
> ++      compute the scalar used for ecc multiplication.
> ++
> ++      * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
> ++      reduced. Two of the three call sites need that.
> ++
> ++      * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use
> ecc_mod_mul_canonical
> ++      to compute the scalars used for ecc multiplication.
> ++
> ++      * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced
> to
> ++      canonical range.
> ++
> ++      * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use
> ecc_mod_mul_canonical
> ++      to compute the scalars used for ecc multiplication.
> ++      * testsuite/ecdsa-verify-test.c (test_main): Add test case that
> ++      triggers an assert on 64-bit platforms, without above fix.
> ++      * testsuite/ecdsa-sign-test.c (test_main): Test case generating
> ++      the same signature.
> ++
> ++2021-03-13  Niels Möller  <ni...@lysator.liu.se>
> ++
> +       * ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need.
> +       (ecc_curve25519_inv): Likewise.
> +       (ecc_curve25519_sqrt): Likewise.
> + 
> +-2020-11-01  Niels Möller  <ni...@lysator.liu.se>
> ++      * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
> ++
> ++2021-03-11  Niels Möller  <ni...@lysator.liu.se>
> + 
> +       * ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument
> +       for scratch area, reducing required size of result area. Update
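Review bot: the second ChangeLog hunk corrupts the history rather than extending it. It removes the `-2020-11-01  Niels Möller` heading and inserts `2021-03-13` and `2021-03-11` headings in the middle of the 2020-11-02 entry, so the `ecc-curve25519.c (ecc_mod_pow_252m3)` lines now sit under a 2021-03-13 date and the `ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument` lines under 2021-03-11, and the `eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical` entry is listed twice (once in each hunk). Since the ChangeLog has no effect on the build, the simplest fix for a combined backport is to drop the ChangeLog diff from the patch altogether; if it is kept, keep only the first hunk and restore the 2020-11-01 heading.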
> +diff --git a/curve25519-eh-to-x.c b/curve25519-eh-to-x.c
> +index f0f1920d..d90defda 100644
> +--- a/curve25519-eh-to-x.c
> ++++ b/curve25519-eh-to-x.c
> +@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t
> *p,
> + #define tp (scratch + 2*ecc->p.size)
> + 
> +   const struct ecc_curve *ecc = &_nettle_curve25519;
> +-  mp_limb_t cy;
> + 
> +   /* If u = U/W and v = V/W are the coordinates of the point on the
> +      Edwards curve we get the curve25519 x coordinate as
> +@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t
> *p,
> +   ecc->p.invert (&ecc->p, t1, t0, tp);
> +   
> +   ecc_mod_add (&ecc->p, t0, wp, vp);
> +-  ecc_mod_mul (&ecc->p, t0, t0, t1, tp);
> +-
> +-  cy = mpn_sub_n (xp, t0, ecc->p.m, ecc->p.size);
> +-  cnd_copy (cy, xp, t0, ecc->p.size);
> ++  ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, tp);
> + #undef vp
> + #undef wp
> + #undef t0
> +diff --git a/curve448-eh-to-x.c b/curve448-eh-to-x.c
> +index 8f3f8c45..3b9bf3ec 100644
> +--- a/curve448-eh-to-x.c
> ++++ b/curve448-eh-to-x.c
> +@@ -52,7 +52,6 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p,
> mp_limb_t *scratch)
> + #define tp (scratch + ecc->p.size)
> + 
> +   const struct ecc_curve *ecc = &_nettle_curve448;
> +-  mp_limb_t cy;
> + 
> +   /* If u = U/W and v = V/W are the coordinates of the point on
> +      edwards448 we get the curve448 x coordinate as
> +@@ -62,10 +61,8 @@ curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t
> *p, mp_limb_t *scratch)
> +   /* Needs a total of 5*size storage. */
> +   ecc->p.invert (&ecc->p, t0, up, tp);
> +   ecc_mod_mul (&ecc->p, t0, t0, vp, tp);
> +-  ecc_mod_sqr (&ecc->p, t0, t0, tp);
> ++  ecc_mod_sqr_canonical (&ecc->p, xp, t0, tp);
> + 
> +-  cy = mpn_sub_n (xp, t0, ecc->p.m, ecc->p.size);
> +-  cnd_copy (cy, xp, t0, ecc->p.size);
> + #undef up
> + #undef vp
> + #undef t0
> +diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c
> +index f323196e..4adee1d1 100644
> +--- a/ecc-ecdsa-sign.c
> ++++ b/ecc-ecdsa-sign.c
> +@@ -91,9 +91,8 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc,
> + 
> +   ecc_mod_mul (&ecc->q, tp, zp, rp, tp);
> +   ecc_mod_add (&ecc->q, hp, hp, tp);
> +-  ecc_mod_mul (&ecc->q, tp, hp, kinv, tp);
> ++  ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);
> + 
> +-  mpn_copyi (sp, tp, ecc->p.size);
> + #undef P
> + #undef hp
> + #undef kinv
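Review bot: the `ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp)` line deserves a comment explaining why the canonical variant is required here, because this is the signer-side half of the fix: ecc_mod_mul may return a value up to 2q - 1 (the comment removed from ecc-j-to-a.c in this same patch says as much for ecc_mod), so the old `ecc_mod_mul` plus `mpn_copyi` could emit an s in [q, 2q), i.e. a signature that is not in canonical form and that a strict verifier will reject. The testsuite/ecdsa-sign-test.c case added later in this patch (private key `99b5b787...`, nonce `"2"`) exercises exactly that, which is worth saying in the comment so the test is not removed as redundant later.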
> +diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c
> +index 1b2dcca7..f3b112b0 100644
> +--- a/ecc-ecdsa-verify.c
> ++++ b/ecc-ecdsa-verify.c
> +@@ -102,10 +102,10 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
> + 
> +   /* u1 = h / s, P1 = u1 * G */
> +   ecc_hash (&ecc->q, hp, length, digest);
> +-  ecc_mod_mul (&ecc->q, u1, hp, sinv, u1);
> ++  ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
> + 
> +   /* u2 = r / s, P2 = u2 * Y */
> +-  ecc_mod_mul (&ecc->q, u2, rp, sinv, u2);
> ++  ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
> + 
> +    /* Total storage: 5*ecc->p.size + ecc->mul_itch */
> +   ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
> +diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c
> +index 24f6d0c0..5e3571c1 100644
> +--- a/ecc-eh-to-a.c
> ++++ b/ecc-eh-to-a.c
> +@@ -49,23 +49,15 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
> + #define izp scratch
> + #define tp (scratch + ecc->p.size)
> + 
> +-
> + #define xp p
> + #define yp (p + ecc->p.size)
> + #define zp (p + 2*ecc->p.size)
> + 
> +-  mp_limb_t cy;
> +-
> +   assert(op == 0);
> + 
> +   /* Needs size + scratch for the invert call. */
> +   ecc->p.invert (&ecc->p, izp, zp, tp);
> + 
> +-  ecc_mod_mul (&ecc->p, tp, xp, izp, tp);
> +-  cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
> +-  cnd_copy (cy, r, tp, ecc->p.size);
> +-
> +-  ecc_mod_mul (&ecc->p, tp, yp, izp, tp);
> +-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
> +-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
> ++  ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
> ++  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
> + }
> +diff --git a/ecc-gostdsa-verify.c b/ecc-gostdsa-verify.c
> +index c0613f4f..fcdd4644 100644
> +--- a/ecc-gostdsa-verify.c
> ++++ b/ecc-gostdsa-verify.c
> +@@ -102,11 +102,11 @@ ecc_gostdsa_verify (const struct ecc_curve *ecc,
> +   ecc->q.invert (&ecc->q, vp, hp, vp + ecc->p.size);
> + 
> +   /* z1 = s / h, P1 = z1 * G */
> +-  ecc_mod_mul (&ecc->q, z1, sp, vp, z1);
> ++  ecc_mod_mul_canonical (&ecc->q, z1, sp, vp, z1);
> + 
> +   /* z2 = - r / h, P2 = z2 * Y */
> +-  ecc_mod_mul (&ecc->q, z2, rp, vp, z2);
> +-  mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size);
> ++  mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size);
> ++  ecc_mod_mul_canonical (&ecc->q, z2, hp, vp, z2);
> + 
> +    /* Total storage: 5*ecc->p.size + ecc->mul_itch */
> +   ecc->mul (ecc, P2, z2, pp, z2 + ecc->p.size);
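Review bot: the reworked z2 computation reuses `hp` as scratch for `q - r` right after `hp` has been consumed by the `ecc->q.invert (&ecc->q, vp, hp, ...)` call at the top of the hunk; that is correct but deserves a comment, since `hp` otherwise reads as "the hash". It also relies on `rp` already being in [1, q-1] so that `mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size)` cannot borrow; that range check is outside this hunk, so confirm it precedes this point. Negating before the multiplication is what makes the result canonical: the previous `mpn_sub_n (z2, ecc->q.m, z2, ...)` applied to a non-canonical product in [q, 2q) would have wrapped.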
> +diff --git a/ecc-internal.h b/ecc-internal.h
> +index 55c9be27..acfcb4d7 100644
> +--- a/ecc-internal.h
> ++++ b/ecc-internal.h
> +@@ -49,6 +49,8 @@
> + #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
> + #define ecc_mod_mul _nettle_ecc_mod_mul
> + #define ecc_mod_sqr _nettle_ecc_mod_sqr
> ++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
> ++#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
> + #define ecc_mod_pow_2k _nettle_ecc_mod_pow_2k
> + #define ecc_mod_pow_2k_mul _nettle_ecc_mod_pow_2k_mul
> + #define ecc_mod_random _nettle_ecc_mod_random
> +@@ -264,6 +266,19 @@ void
> + ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
> +            const mp_limb_t *ap, mp_limb_t *tp);
> + 
> ++/* These mul and sqr functions produce a canonical result, 0 <= R <
> M.
> ++   Requirements on input and output areas are similar to the above
> ++   functions, except that it is *not* allowed to pass rp = rp +
> ++   m->size.
> ++ */
> ++void
> ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
> ++                     const mp_limb_t *ap, const mp_limb_t *bp,
> mp_limb_t *tp);
> ++
> ++void
> ++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
> ++                     const mp_limb_t *ap, mp_limb_t *tp);
> ++
> + /* R <-- X^{2^k} mod M. Needs 2*ecc->size limbs of scratch space,
> same
> +    overlap requirements as mul and sqr above. */
> + void
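Review bot: the new comment says it is not allowed to pass `rp = rp + m->size`, which must be a typo for `rp = tp + m->size`: the canonical functions compute the reduced product into `tp + m->size` and then select between that value and the subtracted one, so the result pointer must not alias the upper half of the scratch area. Aliasing `rp == tp` itself is fine, and the ecc-ecdsa-verify.c hunk relies on that with `ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1)`. As this is a verbatim backport the wording fix belongs upstream, but the constraint is easy to get wrong, so it is worth recording.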
> +diff --git a/ecc-j-to-a.c b/ecc-j-to-a.c
> +index 2d55b3a5..ac134b51 100644
> +--- a/ecc-j-to-a.c
> ++++ b/ecc-j-to-a.c
> +@@ -49,8 +49,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
> + #define iz3p (scratch + 2*ecc->p.size)
> + #define tp    scratch
> + 
> +-  mp_limb_t cy;
> +-
> +   ecc->p.invert (&ecc->p, izp, p+2*ecc->p.size, izp + ecc->p.size);
> +   ecc_mod_sqr (&ecc->p, iz2p, izp, iz2p);
> + 
> +@@ -63,17 +61,13 @@ ecc_j_to_a (const struct ecc_curve *ecc,
> +     }
> + 
> +   /* r_x <-- x / z^2 */
> +-  ecc_mod_mul (&ecc->p, iz3p, iz2p, p, iz3p);
> +-  /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so
> +-     do a conditional subtraction. */
> +-  cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
> +-  cnd_copy (cy, r, iz3p, ecc->p.size);
> +-
> ++  ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
> +   if (op)
> +     {
> +       /* Skip y coordinate */
> +       if (op > 1)
> +       {
> ++        mp_limb_t cy;
> +         /* Also reduce the x coordinate mod ecc->q. It should
> +            already be < 2*ecc->q, so one subtraction should
> +            suffice. */
> +@@ -83,10 +77,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
> +       return;
> +     }
> +   ecc_mod_mul (&ecc->p, iz3p, iz2p, izp, iz3p);
> +-  ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size, tp);
> +-  /* And a similar subtraction. */
> +-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
> +-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
> ++  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc-
> >p.size, tp);
> + 
> + #undef izp
> + #undef iz2p
> +diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c
> +index 551f2c14..b3021d94 100644
> +--- a/ecc-mod-arith.c
> ++++ b/ecc-mod-arith.c
> +@@ -125,6 +125,30 @@ ecc_mod_sqr (const struct ecc_modulo *m,
> mp_limb_t *rp,
> +   m->reduce (m, rp, tp);
> + }
> + 
> ++void
> ++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
> ++                     const mp_limb_t *ap, const mp_limb_t *bp,
> mp_limb_t *tp)
> ++{
> ++  mp_limb_t cy;
> ++  mpn_mul_n (tp, ap, bp, m->size);
> ++  m->reduce (m, tp + m->size, tp);
> ++
> ++  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
> ++  cnd_copy (cy, rp, tp + m->size, m->size);
> ++}
> ++
> ++void
> ++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
> ++                     const mp_limb_t *ap, mp_limb_t *tp)
> ++{
> ++  mp_limb_t cy;
> ++  mpn_sqr (tp, ap, m->size);
> ++  m->reduce (m, tp + m->size, tp);
> ++
> ++  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
> ++  cnd_copy (cy, rp, tp + m->size, m->size);
> ++}
> ++
> + void
> + ecc_mod_pow_2k (const struct ecc_modulo *m,
> +               mp_limb_t *rp, const mp_limb_t *xp,
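Review bot: ecc_mod_mul_canonical and ecc_mod_sqr_canonical carry an undocumented precondition: a single `mpn_sub_n` followed by `cnd_copy` only yields 0 <= R < M if `m->reduce` leaves a value below 2M in `tp + m->size`. That holds (the ecc-j-to-a.c comment removed in this same patch states that ecc_mod may return up to 2p - 1), but the new functions should say so, and should note that `tp` needs 2*m->size limbs because `mpn_mul_n`/`mpn_sqr` write the full double-width product there. On the positive side, selecting on the borrow with `cnd_copy` instead of a comparison branch keeps the final reduction constant-time, which matters because these are now called on secret operands in ecc_ecdsa_sign (`hp`, `kinv`) and gostdsa_vko (`priv->p`).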
> +diff --git a/ecc-mul-m.c b/ecc-mul-m.c
> +index a3355751..f0ceb924 100644
> +--- a/ecc-mul-m.c
> ++++ b/ecc-mul-m.c
> +@@ -48,7 +48,7 @@ ecc_mul_m (const struct ecc_modulo *m,
> +          mp_limb_t *scratch)
> + {
> +   unsigned i;
> +-  mp_limb_t cy, swap;
> ++  mp_limb_t swap;
> + 
> + #define x2 (scratch)
> + #define z2 (scratch + m->size)
> +@@ -162,7 +162,5 @@ ecc_mul_m (const struct ecc_modulo *m,
> +     }
> +   assert (m->invert_itch <= 7 * m->size);
> +   m->invert (m, x3, z2, z3 + m->size);
> +-  ecc_mod_mul (m, z3, x2, x3, z3);
> +-  cy = mpn_sub_n (qx, z3, m->m, m->size);
> +-  cnd_copy (cy, qx, z3, m->size);
> ++  ecc_mod_mul_canonical (m, qx, x2, x3, z3);
> + }
> +diff --git a/eddsa-hash.c b/eddsa-hash.c
> +index 95e0dd70..6ebbe977 100644
> +--- a/eddsa-hash.c
> ++++ b/eddsa-hash.c
> +@@ -44,13 +44,14 @@
> + #include "ecc-internal.h"
> + #include "nettle-internal.h"
> + 
> +-/* Convert hash digest to integer, and reduce modulo q, to m->size
> +-   limbs. Needs space for 2*m->size + 1 at rp. */
> ++/* Convert hash digest to integer, and reduce canonically modulo q.
> ++   Needs space for 2*m->size + 1 at rp. */
> + void
> + _eddsa_hash (const struct ecc_modulo *m,
> +            mp_limb_t *rp, size_t digest_size, const uint8_t *digest)
> + {
> +   mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) /
> GMP_NUMB_BITS;
> ++  mp_limb_t cy;
> + 
> +   mpn_set_base256_le (rp, nlimbs, digest, digest_size);
> + 
> +@@ -74,5 +75,8 @@ _eddsa_hash (const struct ecc_modulo *m,
> +       hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m-
> >size);
> +       assert (hi == 0);
> +     }
> +-  m->mod (m, rp, rp);
> ++  m->mod (m, rp + m->size , rp);
> ++  /* Ensure canonical reduction. */
> ++  cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
> ++  cnd_copy (cy, rp, rp + m->size, m->size);
> + }
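Review bot: `m->mod (m, rp + m->size , rp)` now writes the reduced value over the upper half of its own 2*m->size-limb input instead of over the lower half as `m->mod (m, rp, rp)` did, so this is only correct if every modulo routine reachable through `m->mod` permits output aliasing with `xp + m->size`; that should be confirmed per curve, since the previous in-place form did not exercise it. The trailing `mpn_sub_n`/`cnd_copy` pair then depends on the mod result being below 2q, the same assumption as ecc_mod_mul_canonical, and would be clearer with the comment from that function. Minor: stray space before the comma in `rp + m->size , rp`.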
> +diff --git a/eddsa-verify.c b/eddsa-verify.c
> +index de68f240..10d075ee 100644
> +--- a/eddsa-verify.c
> ++++ b/eddsa-verify.c
> +@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p,
> + #define t0 scratch
> + #define t1 (scratch + p->size)
> + 
> +-  ecc_mod_mul (p, t0, x1, z2, t0);
> +-  if (mpn_cmp (t0, p->m, p->size) >= 0)
> +-    mpn_sub_n (t0, t0, p->m, p->size);
> +-
> +-  ecc_mod_mul (p, t1, x2, z1, t1);
> +-  if (mpn_cmp (t1, p->m, p->size) >= 0)
> +-    mpn_sub_n (t1, t1, p->m, p->size);
> ++  ecc_mod_mul_canonical (p, t0, x1, z2, t0);
> ++  ecc_mod_mul_canonical (p, t1, x2, z1, t1);
> + 
> +   return mpn_cmp (t0, t1, p->size) == 0;
> + 
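Review bot: besides canonicalising the comparands, this hunk replaces the data-dependent `if (mpn_cmp (...) >= 0) mpn_sub_n (...)` with the borrow-and-`cnd_copy` selection inside ecc_mod_mul_canonical, so the conditional subtraction no longer branches on the value; the remaining `mpn_cmp (t0, t1, p->size)` operates on the public verification result and is fine. A one-line comment that the canonical form is what makes a limb-wise equality test valid would help, because two equal residues can differ as limb strings when either lies in [p, 2p).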
> +diff --git a/gostdsa-vko.c b/gostdsa-vko.c
> +index a02d59a9..3dc42a1e 100644
> +--- a/gostdsa-vko.c
> ++++ b/gostdsa-vko.c
> +@@ -87,7 +87,7 @@ gostdsa_vko (const struct ecc_scalar *priv,
> +   if (mpn_zero_p (UKM, size))
> +     UKM[0] = 1;
> + 
> +-  ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM *
> priv */
> ++  ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP
> = UKM * priv */
> +   ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM *
> priv * pub */
> +   ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */
> +   mpn_get_base256_le (out, bsize, TEMP, size);
> +diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c
> +index b240a31b..ed7e22bc 100644
> +--- a/testsuite/ecdsa-sign-test.c
> ++++ b/testsuite/ecdsa-sign-test.c
> +@@ -58,6 +58,32 @@ test_ecdsa (const struct ecc_curve *ecc,
> + void
> + test_main (void)
> + {
> ++  /* Producing the signature for corresponding test in
> ++     ecdsa-verify-test.c, with special u1 and u2. */
> ++  test_ecdsa (&_nettle_secp_224r1,
> ++            "99b5b787484def12894ca507058b3bf5"
> ++            "43d72d82fa7721d2e805e5e6",
> ++            "2",
> ++            SHEX("cdb887ac805a3b42e22d224c85482053"
> ++                 "16c755d4a736bb2032c92553"),
> ++            "706a46dc76dcb76798e60e6d89474788"
> ++            "d16dc18032d268fd1a704fa6", /* r */
> ++            "3a41e1423b1853e8aa89747b1f987364"
> ++            "44705d6d6d8371ea1f578f2e"); /* s */
> ++
> ++  /* Producing the signature for corresponding test in
> ++     ecdsa-verify-test.c, with special u1 and u2. */
> ++  test_ecdsa (&_nettle_secp_224r1,
> ++            "99b5b787484def12894ca507058b3bf5"
> ++            "43d72d82fa7721d2e805e5e6",
> ++            "2",
> ++            SHEX("cdb887ac805a3b42e22d224c85482053"
> ++                 "16c755d4a736bb2032c92553"),
> ++            "706a46dc76dcb76798e60e6d89474788"
> ++            "d16dc18032d268fd1a704fa6", /* r */
> ++            "3a41e1423b1853e8aa89747b1f987364"
> ++            "44705d6d6d8371ea1f578f2e"); /* s */
> ++
> +   /* Test cases for the smaller groups, verified with a
> +      proof-of-concept implementation done for Yubico AB. */
> +   test_ecdsa (&_nettle_secp_192r1,
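Review bot: the new test case is added twice: the two `test_ecdsa (&_nettle_secp_224r1, ...)` blocks with private key `99b5b787...`, nonce `"2"` and the same r/s are identical, presumably a result of combining the upstream commits into one patch. Drop the second copy; it adds run time without adding coverage.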
> +diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-
> test.c
> +index 3ceac0eb..edcd32ea 100644
> +--- a/testsuite/ecdsa-verify-test.c
> ++++ b/testsuite/ecdsa-verify-test.c
> +@@ -81,6 +81,46 @@ test_ecdsa (const struct ecc_curve *ecc,
> + void
> + test_main (void)
> + {
> ++  /* Corresponds to nonce k = 2 and private key z =
> ++     0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z
> and
> ++     hash are chosen so that intermediate scalars in the verify
> ++     equations are u1 = 0x6b245680e700, u2 =
> ++     259da6542d4ba7d21ad916c3bd57f811. These values require canonical
> ++     reduction of the scalars. Bug caused by missing canonical
> ++     reduction reported by Guido Vranken. */
> ++  test_ecdsa (&_nettle_secp_224r1,
> ++            "9e7e6cc6b1bdfa8ee039b66ad85e5490"
> ++            "7be706a900a3cba1c8fdd014", /* x */
> ++            "74855db3f7c1b4097ae095745fc915e3"
> ++            "8a79d2a1de28f282eafb22ba", /* y */
> ++
> ++            SHEX("cdb887ac805a3b42e22d224c85482053"
> ++                 "16c755d4a736bb2032c92553"),
> ++            "706a46dc76dcb76798e60e6d89474788"
> ++            "d16dc18032d268fd1a704fa6", /* r */
> ++            "3a41e1423b1853e8aa89747b1f987364"
> ++            "44705d6d6d8371ea1f578f2e"); /* s */
> ++
> ++  /* Corresponds to nonce k = 2 and private key z =
> ++     0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z
> and
> ++     hash are chosen so that intermediate scalars in the verify
> ++     equations are u1 = 0x6b245680e700, u2 =
> ++     259da6542d4ba7d21ad916c3bd57f811. These values require canonical
> ++     reduction of the scalars. Bug caused by missing canonical
> ++     reduction reported by Guido Vranken. */
> ++  test_ecdsa (&_nettle_secp_224r1,
> ++            "9e7e6cc6b1bdfa8ee039b66ad85e5490"
> ++            "7be706a900a3cba1c8fdd014", /* x */
> ++            "74855db3f7c1b4097ae095745fc915e3"
> ++            "8a79d2a1de28f282eafb22ba", /* y */
> ++
> ++            SHEX("cdb887ac805a3b42e22d224c85482053"
> ++                 "16c755d4a736bb2032c92553"),
> ++            "706a46dc76dcb76798e60e6d89474788"
> ++            "d16dc18032d268fd1a704fa6", /* r */
> ++            "3a41e1423b1853e8aa89747b1f987364"
> ++            "44705d6d6d8371ea1f578f2e"); /* s */
> ++
> +   /* Test case provided by Guido Vranken, from oss-fuzz */
> +   test_ecdsa (&_nettle_secp_192r1,
> +             "14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8",
> /* x */
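Review bot: same duplication as in ecdsa-sign-test.c: the two `test_ecdsa (&_nettle_secp_224r1, ...)` blocks with x `9e7e6cc6...`, y `74855db3...` and the same hash, r and s are identical, so the second copy should be dropped. The first copy is a good regression guard and should stay as written: its comment records why the case matters (u1 = 0x6b245680e700 and u2 = 259da6542d4ba7d21ad916c3bd57f811 require canonical reduction) and the ChangeLog entry in this patch notes that it triggers an assert on 64-bit platforms without the fix.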
> +-- 
> +2.30.2
> +
> diff --git a/meta/recipes-support/nettle/nettle_3.7.1.bb
> b/meta/recipes-support/nettle/nettle_3.7.1.bb
> index 3bbcf17c7a..0e2bd2a7e1 100644
> --- a/meta/recipes-support/nettle/nettle_3.7.1.bb
> +++ b/meta/recipes-support/nettle/nettle_3.7.1.bb
> @@ -18,6 +18,7 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
>             file://Add-target-to-only-build-tests-not-run-them.patch \
>             file://run-ptest \
>             
> file://check-header-files-of-openssl-only-if-enable_.patch \
> +           file://CVE-2021-20305.patch \
>             "
>  
>  SRC_URI_append_class-target = "\
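Review bot: the recipe hunk is a straightforward SRC_URI addition and needs no change in itself. Two things worth noting for the series: the patch file combines seven upstream commits (listed in its header) under a single `Upstream-Status: Backport`, so if it is kept it should be fixed up for the duplicated test cases and the ChangeLog ordering noted above; and, per the reply above, hardknott is taking the 3.7.2 upgrade (a bug-fix release containing these commits) instead, so this backport is only relevant for branches that stay on nettle 3.7.1.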
> 
> 
> 

View/Reply Online (#150761): https://lists.openembedded.org/g/openembedded-core/message/150761