From 796117145aea371151dc9eadccd12a7ccdb82903 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 08 2021 20:54:41 +0000 Subject: import nettle-2.7.1-9.el7_9 --- diff --git a/SOURCES/nettle-2.7.1-ecdsa-verify.patch b/SOURCES/nettle-2.7.1-ecdsa-verify.patch new file mode 100644 index 0000000..cfd966c --- /dev/null +++ b/SOURCES/nettle-2.7.1-ecdsa-verify.patch @@ -0,0 +1,84 @@ +From fa98a26f68c6cb27a3feea0b10475e7ff2ade74a Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 30 Mar 2021 09:22:47 +0200 +Subject: [PATCH] Port upstream hardening of EC scaler multiplication + +Some internal functions used in point multiplications are known to +misbehave if the scaler is out-of-range. This performs canonical +reduction on scalers, before point multiplication. + +Signed-off-by: Daiki Ueno +--- + ecc-ecdsa-sign.c | 5 +++-- + ecc-ecdsa-verify.c | 14 ++++++++++++-- + 2 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c +index cdf37746..acfb2a2e 100644 +--- a/ecc-ecdsa-sign.c ++++ b/ecc-ecdsa-sign.c +@@ -88,8 +88,9 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, + ecc_modq_mul (ecc, tp, zp, rp); + ecc_modq_add (ecc, hp, hp, tp); + ecc_modq_mul (ecc, tp, hp, kinv); +- +- mpn_copyi (sp, tp, ecc->size); ++ /* Ensure canonical reduction. */ ++ cy = mpn_sub_n (sp, tp, ecc->q, ecc->size); ++ cnd_copy (cy, sp, tp, ecc->size); + #undef P + #undef hp + #undef kinv +diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c +index f24eff37..5015271c 100644 +--- a/ecc-ecdsa-verify.c ++++ b/ecc-ecdsa-verify.c +@@ -66,6 +66,8 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, + const mp_limb_t *rp, const mp_limb_t *sp, + mp_limb_t *scratch) + { ++ mp_limb_t cy; ++ + /* Procedure, according to RFC 6090, "KT-I". q denotes the group + order. + +@@ -88,6 +90,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, + #define u2 (scratch + 4*ecc->size) + #define hp (scratch + 4*ecc->size) + #define u1 (scratch + 6*ecc->size) ++#define tp (scratch + 7*ecc->size) + + if (! (ecdsa_in_range (ecc, rp) + && ecdsa_in_range (ecc, sp))) +@@ -102,14 +105,20 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, + ecc_modq_inv (ecc, sinv, sinv + ecc->size, P2); + + /* u2 = r / s, P2 = u2 * Y */ +- ecc_modq_mul (ecc, u2, rp, sinv); ++ ecc_modq_mul (ecc, tp, rp, sinv); ++ /* Ensure canonical reduction. */ ++ cy = mpn_sub_n (u2, tp, ecc->q, ecc->size); ++ cnd_copy (cy, u2, tp, ecc->size); + + /* Total storage: 5*ecc->size + ECC_MUL_A_ITCH (ecc->size) */ + ecc_mul_a (ecc, 1, P2, u2, pp, u2 + ecc->size); + + /* u1 = h / s, P1 = u1 * G */ + ecc_hash (ecc, hp, length, digest); +- ecc_modq_mul (ecc, u1, hp, sinv); ++ ecc_modq_mul (ecc, tp, hp, sinv); ++ /* Ensure canonical reduction. */ ++ cy = mpn_sub_n (u1, tp, ecc->q, ecc->size); ++ cnd_copy (cy, u1, tp, ecc->size); + + /* u = 0 can happen only if h = 0 or h = q, which is extremely + unlikely. */ +@@ -147,4 +156,5 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, + #undef u2 + #undef hp + #undef u1 ++#undef tp + } +-- +2.30.2 + diff --git a/SPECS/nettle.spec b/SPECS/nettle.spec index 34b5b37..05f688f 100644 --- a/SPECS/nettle.spec +++ b/SPECS/nettle.spec @@ -1,6 +1,6 @@ Name: nettle Version: 2.7.1 -Release: 8%{?dist} +Release: 9%{?dist} Summary: A low-level cryptographic library Group: Development/Libraries @@ -13,6 +13,8 @@ Patch1: nettle-2.7.1-tmpalloc.patch Patch2: nettle-2.7.1-sha3-fix.patch Patch3: nettle-2.7.1-ecc-cve.patch Patch4: nettle-2.7.1-powm-sec.patch +# https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html +Patch5: nettle-2.7.1-ecdsa-verify.patch BuildRequires: gmp-devel m4 texinfo-tex texlive-dvips ghostscript BuildRequires: fipscheck @@ -53,6 +55,7 @@ sed 's/ecc-224.c//g' -i Makefile.in %patch2 -p1 -b .sha3 %patch3 -p1 -b .ecc-cve %patch4 -p1 -b .powm-sec +%patch5 -p1 -b .ecdsa-verify %build %configure --enable-shared @@ -118,6 +121,9 @@ fi %changelog +* Wed Apr 7 2021 Daiki Ueno - 2.7.1-9 +- Port fixes for potential miscalculation in ecdsa_verify (#1943156) + * Mon Aug 8 2016 Nikos Mavrogiannopoulos - 2.7.1-8 - Use a cache-silent version of mpz_powm to prevent cache-timing attacks against RSA and DSA in shared VMs. (#1364897,CVE-2016-6489)