Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libnettle for openSUSE:Factory checked in at 2021-03-24 16:10:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libnettle (Old) and /work/SRC/openSUSE:Factory/.libnettle.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libnettle" Wed Mar 24 16:10:18 2021 rev:37 rq:880401 version:3.7.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libnettle/libnettle.changes 2021-02-22 14:22:57.391584361 +0100 +++ /work/SRC/openSUSE:Factory/.libnettle.new.2401/libnettle.changes 2021-03-24 16:10:19.735773832 +0100 @@ -1,0 +2,11 @@ +Sun Mar 21 10:17:35 UTC 2021 - Andreas Stieger <[email protected]> + +- GNU Nettle 3.7.2: + * fix a bug in ECDSA signature verification that could lead to a + denial of service attack (via an assertion failure) or possibly + incorrect results (boo#1183835) + * fix a few related problems where scalars are required to be + canonically reduced modulo the ECC group order, but in fact may + be slightly larger + +------------------------------------------------------------------- Old: ---- nettle-3.7.1.tar.gz nettle-3.7.1.tar.gz.sig New: ---- nettle-3.7.2.tar.gz nettle-3.7.2.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libnettle.spec ++++++ --- /var/tmp/diff_new_pack.TXnR1c/_old 2021-03-24 16:10:20.647774789 +0100 +++ /var/tmp/diff_new_pack.TXnR1c/_new 2021-03-24 16:10:20.655774797 +0100 @@ -19,7 +19,7 @@ %define soname 8 %define hogweed_soname 6 Name: libnettle -Version: 3.7.1 +Version: 3.7.2 Release: 0 Summary: Cryptographic Library License: LGPL-2.1-or-later AND GPL-2.0-or-later ++++++ nettle-3.7.1.tar.gz -> nettle-3.7.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ChangeLog new/nettle-3.7.2/ChangeLog --- old/nettle-3.7.1/ChangeLog 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ChangeLog 2021-03-21 09:32:25.000000000 +0100 @@ -1,3 +1,49 @@ +2021-03-21 Niels M??ller <[email protected]> + + * NEWS: NEWS entries for 3.7.2. + +2021-03-17 Niels M??ller <[email protected]> + + * configure.ac: Bump package version, to 3.7.2. + (LIBNETTLE_MINOR): Bump minor number, to 8.3. + (LIBHOGWEED_MINOR): Bump minor number, to 6.3. + +2021-03-13 Niels M??ller <[email protected]> + + * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to + compute the scalar used for ecc multiplication. + + * eddsa-hash.c (_eddsa_hash): Ensure result is canonically + reduced. Two of the three call sites need that. + + * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical + to compute the scalars used for ecc multiplication. + + * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to + canonical range. + + * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical + to compute the scalars used for ecc multiplication. + * testsuite/ecdsa-verify-test.c (test_main): Add test case that + triggers an assert on 64-bit platforms, without above fix. + * testsuite/ecdsa-sign-test.c (test_main): Test case generating + the same signature. + +2021-03-13 Niels M??ller <[email protected]> + + * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. + +2021-03-11 Niels M??ller <[email protected]> + + * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): + New functions. + * ecc-internal.h: Declare and document new functions. + * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. + * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. + * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. + * ecc-j-to-a.c (ecc_j_to_a): Likewise. + * ecc-mul-m.c (ecc_mul_m): Likewise. + 2021-02-17 Niels M??ller <[email protected]> * Released Nettle-3.7.1. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/NEWS new/nettle-3.7.2/NEWS --- old/nettle-3.7.1/NEWS 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/NEWS 2021-03-21 09:32:25.000000000 +0100 @@ -1,3 +1,51 @@ +NEWS for the Nettle 3.7.2 release + + This is a bugfix release, fixing a bug in ECDSA signature + verification that could lead to a denial of service attack + (via an assertion failure) or possibly incorrect results. It + also fixes a few related problems where scalars are required + to be canonically reduced modulo the ECC group order, but in + fact may be slightly larger. + + Upgrading to the new version is strongly recommended. + + Even when no assert is triggered in ecdsa_verify, ECC point + multiplication may get invalid intermediate values as input, + and produce incorrect results. It's trivial to construct + alleged signatures that result in invalid intermediate values. + It appears difficult to construct an alleged signature that + makes the function misbehave in such a way that an invalid + signature is accepted as valid, but such attacks can't be + ruled out without further analysis. + + Thanks to Guido Vranken for setting up the fuzzer tests that + uncovered this problem. + + The new version is intended to be fully source and binary + compatible with Nettle-3.6. The shared library names are + libnettle.so.8.3 and libhogweed.so.6.3, with sonames + libnettle.so.8 and libhogweed.so.6. + + Bug fixes: + + * Fixed bug in ecdsa_verify, and added a corresponding test + case. + + * Similar fixes to ecc_gostdsa_verify and gostdsa_vko. + + * Similar fixes to eddsa signatures. The problem is less severe + for these curves, because (i) the potentially out or range + value is derived from output of a hash function, making it + harder for the attacker to to hit the narrow range of + problematic values, and (ii) the ecc operations are + inherently more robust, and my current understanding is that + unless the corresponding assert is hit, the verify + operation should complete with a correct result. + + * Fix to ecdsa_sign, which with a very low probability could + return out of range signature values, which would be + rejected immediately by a verifier. + NEWS for the Nettle 3.7.1 release This is primarily a bug fix release, fixing a couple of diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/configure new/nettle-3.7.2/configure --- old/nettle-3.7.1/configure 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/configure 2021-03-21 09:32:25.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for nettle 3.7.1. +# Generated by GNU Autoconf 2.69 for nettle 3.7.2. # # Report bugs to <[email protected]>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='nettle' PACKAGE_TARNAME='nettle' -PACKAGE_VERSION='3.7.1' -PACKAGE_STRING='nettle 3.7.1' +PACKAGE_VERSION='3.7.2' +PACKAGE_STRING='nettle 3.7.2' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1343,7 +1343,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures nettle 3.7.1 to adapt to many kinds of systems. +\`configure' configures nettle 3.7.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1409,7 +1409,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of nettle 3.7.1:";; + short | recursive ) echo "Configuration of nettle 3.7.2:";; esac cat <<\_ACEOF @@ -1531,7 +1531,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -nettle configure 3.7.1 +nettle configure 3.7.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2175,7 +2175,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by nettle $as_me 3.7.1, which was +It was created by nettle $as_me 3.7.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2560,10 +2560,10 @@ LIBNETTLE_MAJOR=8 -LIBNETTLE_MINOR=2 +LIBNETTLE_MINOR=3 LIBHOGWEED_MAJOR=6 -LIBHOGWEED_MINOR=2 +LIBHOGWEED_MINOR=3 MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([^.]*\)\..*/\1/'` MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[^.]*\.\([0-9]*\).*/\1/'` @@ -8142,7 +8142,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by nettle $as_me 3.7.1, which was +This file was extended by nettle $as_me 3.7.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -8208,7 +8208,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -nettle config.status 3.7.1 +nettle config.status 3.7.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/configure.ac new/nettle-3.7.2/configure.ac --- old/nettle-3.7.1/configure.ac 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/configure.ac 2021-03-21 09:32:25.000000000 +0100 @@ -2,7 +2,7 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([nettle], [3.7.1], [[email protected]]) +AC_INIT([nettle], [3.7.2], [[email protected]]) AC_PREREQ(2.61) AC_CONFIG_SRCDIR([arcfour.c]) # Needed to stop autoconf from looking for files in parent directories. @@ -11,10 +11,10 @@ AC_CONFIG_HEADER([config.h]) LIBNETTLE_MAJOR=8 -LIBNETTLE_MINOR=2 +LIBNETTLE_MINOR=3 LIBHOGWEED_MAJOR=6 -LIBHOGWEED_MINOR=2 +LIBHOGWEED_MINOR=3 dnl Note double square brackets, for extra m4 quoting. MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([[^.]]*\)\..*/\1/'` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/curve25519-eh-to-x.c new/nettle-3.7.2/curve25519-eh-to-x.c --- old/nettle-3.7.1/curve25519-eh-to-x.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/curve25519-eh-to-x.c 2021-03-21 09:32:25.000000000 +0100 @@ -53,7 +53,6 @@ #define tp (scratch + 2*ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve25519; - mp_limb_t cy; /* If u = U/W and v = V/W are the coordinates of the point on the Edwards curve we get the curve25519 x coordinate as @@ -69,10 +68,7 @@ ecc->p.invert (&ecc->p, t1, t0, tp); ecc_mod_add (&ecc->p, t0, wp, vp); - ecc_mod_mul (&ecc->p, t0, t0, t1, tp); - - cy = mpn_sub_n (xp, t0, ecc->p.m, ecc->p.size); - cnd_copy (cy, xp, t0, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, tp); #undef vp #undef wp #undef t0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/curve448-eh-to-x.c new/nettle-3.7.2/curve448-eh-to-x.c --- old/nettle-3.7.1/curve448-eh-to-x.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/curve448-eh-to-x.c 2021-03-21 09:32:25.000000000 +0100 @@ -52,7 +52,6 @@ #define tp (scratch + ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve448; - mp_limb_t cy; /* If u = U/W and v = V/W are the coordinates of the point on edwards448 we get the curve448 x coordinate as @@ -62,10 +61,8 @@ /* Needs a total of 5*size storage. */ ecc->p.invert (&ecc->p, t0, up, tp); ecc_mod_mul (&ecc->p, t0, t0, vp, tp); - ecc_mod_sqr (&ecc->p, t0, t0, tp); + ecc_mod_sqr_canonical (&ecc->p, xp, t0, tp); - cy = mpn_sub_n (xp, t0, ecc->p.m, ecc->p.size); - cnd_copy (cy, xp, t0, ecc->p.size); #undef up #undef vp #undef t0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ecc-ecdsa-sign.c new/nettle-3.7.2/ecc-ecdsa-sign.c --- old/nettle-3.7.1/ecc-ecdsa-sign.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ecc-ecdsa-sign.c 2021-03-21 09:32:24.000000000 +0100 @@ -91,9 +91,8 @@ ecc_mod_mul (&ecc->q, tp, zp, rp, tp); ecc_mod_add (&ecc->q, hp, hp, tp); - ecc_mod_mul (&ecc->q, tp, hp, kinv, tp); + ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); - mpn_copyi (sp, tp, ecc->p.size); #undef P #undef hp #undef kinv diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ecc-ecdsa-verify.c new/nettle-3.7.2/ecc-ecdsa-verify.c --- old/nettle-3.7.1/ecc-ecdsa-verify.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ecc-ecdsa-verify.c 2021-03-21 09:32:24.000000000 +0100 @@ -102,10 +102,10 @@ /* u1 = h / s, P1 = u1 * G */ ecc_hash (&ecc->q, hp, length, digest); - ecc_mod_mul (&ecc->q, u1, hp, sinv, u1); + ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1); /* u2 = r / s, P2 = u2 * Y */ - ecc_mod_mul (&ecc->q, u2, rp, sinv, u2); + ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2); /* Total storage: 5*ecc->p.size + ecc->mul_itch */ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ecc-eh-to-a.c new/nettle-3.7.2/ecc-eh-to-a.c --- old/nettle-3.7.1/ecc-eh-to-a.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ecc-eh-to-a.c 2021-03-21 09:32:24.000000000 +0100 @@ -49,23 +49,15 @@ #define izp scratch #define tp (scratch + ecc->p.size) - #define xp p #define yp (p + ecc->p.size) #define zp (p + 2*ecc->p.size) - mp_limb_t cy; - assert(op == 0); /* Needs size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp); - ecc_mod_mul (&ecc->p, tp, xp, izp, tp); - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, tp, ecc->p.size); - - ecc_mod_mul (&ecc->p, tp, yp, izp, tp); - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ecc-gostdsa-verify.c new/nettle-3.7.2/ecc-gostdsa-verify.c --- old/nettle-3.7.1/ecc-gostdsa-verify.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ecc-gostdsa-verify.c 2021-03-21 09:32:25.000000000 +0100 @@ -102,11 +102,11 @@ ecc->q.invert (&ecc->q, vp, hp, vp + ecc->p.size); /* z1 = s / h, P1 = z1 * G */ - ecc_mod_mul (&ecc->q, z1, sp, vp, z1); + ecc_mod_mul_canonical (&ecc->q, z1, sp, vp, z1); /* z2 = - r / h, P2 = z2 * Y */ - ecc_mod_mul (&ecc->q, z2, rp, vp, z2); - mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size); + mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->q, z2, hp, vp, z2); /* Total storage: 5*ecc->p.size + ecc->mul_itch */ ecc->mul (ecc, P2, z2, pp, z2 + ecc->p.size); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ecc-internal.h new/nettle-3.7.2/ecc-internal.h --- old/nettle-3.7.1/ecc-internal.h 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ecc-internal.h 2021-03-21 09:32:25.000000000 +0100 @@ -49,6 +49,8 @@ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr +#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical +#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical #define ecc_mod_pow_2k _nettle_ecc_mod_pow_2k #define ecc_mod_pow_2k_mul _nettle_ecc_mod_pow_2k_mul #define ecc_mod_random _nettle_ecc_mod_random @@ -264,6 +266,19 @@ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp); +/* These mul and sqr functions produce a canonical result, 0 <= R < M. + Requirements on input and output areas are similar to the above + functions, except that it is *not* allowed to pass rp = rp + + m->size. + */ +void +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); + +void +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t *tp); + /* R <-- X^{2^k} mod M. Needs 2*ecc->size limbs of scratch space, same overlap requirements as mul and sqr above. */ void diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ecc-j-to-a.c new/nettle-3.7.2/ecc-j-to-a.c --- old/nettle-3.7.1/ecc-j-to-a.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ecc-j-to-a.c 2021-03-21 09:32:24.000000000 +0100 @@ -49,8 +49,6 @@ #define iz3p (scratch + 2*ecc->p.size) #define tp scratch - mp_limb_t cy; - ecc->p.invert (&ecc->p, izp, p+2*ecc->p.size, izp + ecc->p.size); ecc_mod_sqr (&ecc->p, iz2p, izp, iz2p); @@ -63,17 +61,13 @@ } /* r_x <-- x / z^2 */ - ecc_mod_mul (&ecc->p, iz3p, iz2p, p, iz3p); - /* ecc_mod (and ecc_mod_mul) may return a value up to 2p - 1, so - do a conditional subtraction. */ - cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, iz3p, ecc->p.size); - + ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); if (op) { /* Skip y coordinate */ if (op > 1) { + mp_limb_t cy; /* Also reduce the x coordinate mod ecc->q. It should already be < 2*ecc->q, so one subtraction should suffice. */ @@ -83,10 +77,7 @@ return; } ecc_mod_mul (&ecc->p, iz3p, iz2p, izp, iz3p); - ecc_mod_mul (&ecc->p, tp, iz3p, p + ecc->p.size, tp); - /* And a similar subtraction. */ - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, tp); #undef izp #undef iz2p diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ecc-mod-arith.c new/nettle-3.7.2/ecc-mod-arith.c --- old/nettle-3.7.1/ecc-mod-arith.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ecc-mod-arith.c 2021-03-21 09:32:24.000000000 +0100 @@ -126,6 +126,30 @@ } void +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) +{ + mp_limb_t cy; + mpn_mul_n (tp, ap, bp, m->size); + m->reduce (m, tp + m->size, tp); + + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); + cnd_copy (cy, rp, tp + m->size, m->size); +} + +void +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t *tp) +{ + mp_limb_t cy; + mpn_sqr (tp, ap, m->size); + m->reduce (m, tp + m->size, tp); + + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); + cnd_copy (cy, rp, tp + m->size, m->size); +} + +void ecc_mod_pow_2k (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, mp_limb_t *tp) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/ecc-mul-m.c new/nettle-3.7.2/ecc-mul-m.c --- old/nettle-3.7.1/ecc-mul-m.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/ecc-mul-m.c 2021-03-21 09:32:24.000000000 +0100 @@ -48,7 +48,7 @@ mp_limb_t *scratch) { unsigned i; - mp_limb_t cy, swap; + mp_limb_t swap; #define x2 (scratch) #define z2 (scratch + m->size) @@ -162,7 +162,5 @@ } assert (m->invert_itch <= 7 * m->size); m->invert (m, x3, z2, z3 + m->size); - ecc_mod_mul (m, z3, x2, x3, z3); - cy = mpn_sub_n (qx, z3, m->m, m->size); - cnd_copy (cy, qx, z3, m->size); + ecc_mod_mul_canonical (m, qx, x2, x3, z3); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/eddsa-hash.c new/nettle-3.7.2/eddsa-hash.c --- old/nettle-3.7.1/eddsa-hash.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/eddsa-hash.c 2021-03-21 09:32:25.000000000 +0100 @@ -44,13 +44,14 @@ #include "ecc-internal.h" #include "nettle-internal.h" -/* Convert hash digest to integer, and reduce modulo q, to m->size - limbs. Needs space for 2*m->size + 1 at rp. */ +/* Convert hash digest to integer, and reduce canonically modulo q. + Needs space for 2*m->size + 1 at rp. */ void _eddsa_hash (const struct ecc_modulo *m, mp_limb_t *rp, size_t digest_size, const uint8_t *digest) { mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS; + mp_limb_t cy; mpn_set_base256_le (rp, nlimbs, digest, digest_size); @@ -74,5 +75,8 @@ hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size); assert (hi == 0); } - m->mod (m, rp, rp); + m->mod (m, rp + m->size , rp); + /* Ensure canonical reduction. */ + cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); + cnd_copy (cy, rp, rp + m->size, m->size); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/eddsa-verify.c new/nettle-3.7.2/eddsa-verify.c --- old/nettle-3.7.1/eddsa-verify.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/eddsa-verify.c 2021-03-21 09:32:25.000000000 +0100 @@ -53,13 +53,8 @@ #define t0 scratch #define t1 (scratch + p->size) - ecc_mod_mul (p, t0, x1, z2, t0); - if (mpn_cmp (t0, p->m, p->size) >= 0) - mpn_sub_n (t0, t0, p->m, p->size); - - ecc_mod_mul (p, t1, x2, z1, t1); - if (mpn_cmp (t1, p->m, p->size) >= 0) - mpn_sub_n (t1, t1, p->m, p->size); + ecc_mod_mul_canonical (p, t0, x1, z2, t0); + ecc_mod_mul_canonical (p, t1, x2, z1, t1); return mpn_cmp (t0, t1, p->size) == 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/gostdsa-vko.c new/nettle-3.7.2/gostdsa-vko.c --- old/nettle-3.7.1/gostdsa-vko.c 2021-02-17 19:02:32.000000000 +0100 +++ new/nettle-3.7.2/gostdsa-vko.c 2021-03-21 09:32:25.000000000 +0100 @@ -87,7 +87,7 @@ if (mpn_zero_p (UKM, size)) UKM[0] = 1; - ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */ + ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */ ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ mpn_get_base256_le (out, bsize, TEMP, size); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/testsuite/ecdsa-sign-test.c new/nettle-3.7.2/testsuite/ecdsa-sign-test.c --- old/nettle-3.7.1/testsuite/ecdsa-sign-test.c 2021-02-17 19:02:33.000000000 +0100 +++ new/nettle-3.7.2/testsuite/ecdsa-sign-test.c 2021-03-21 09:32:25.000000000 +0100 @@ -58,6 +58,19 @@ void test_main (void) { + /* Producing the signature for corresponding test in + ecdsa-verify-test.c, with special u1 and u2. */ + test_ecdsa (&_nettle_secp_224r1, + "99b5b787484def12894ca507058b3bf5" + "43d72d82fa7721d2e805e5e6", + "2", + SHEX("cdb887ac805a3b42e22d224c85482053" + "16c755d4a736bb2032c92553"), + "706a46dc76dcb76798e60e6d89474788" + "d16dc18032d268fd1a704fa6", /* r */ + "3a41e1423b1853e8aa89747b1f987364" + "44705d6d6d8371ea1f578f2e"); /* s */ + /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */ test_ecdsa (&_nettle_secp_192r1, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nettle-3.7.1/testsuite/ecdsa-verify-test.c new/nettle-3.7.2/testsuite/ecdsa-verify-test.c --- old/nettle-3.7.1/testsuite/ecdsa-verify-test.c 2021-02-17 19:02:33.000000000 +0100 +++ new/nettle-3.7.2/testsuite/ecdsa-verify-test.c 2021-03-21 09:32:25.000000000 +0100 @@ -81,6 +81,26 @@ void test_main (void) { + /* Corresponds to nonce k = 2 and private key z = + 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and + hash are chosen so that intermediate scalars in the verify + equations are u1 = 0x6b245680e700, u2 = + 259da6542d4ba7d21ad916c3bd57f811. These values require canonical + reduction of the scalars. Bug caused by missing canonical + reduction reported by Guido Vranken. */ + test_ecdsa (&_nettle_secp_224r1, + "9e7e6cc6b1bdfa8ee039b66ad85e5490" + "7be706a900a3cba1c8fdd014", /* x */ + "74855db3f7c1b4097ae095745fc915e3" + "8a79d2a1de28f282eafb22ba", /* y */ + + SHEX("cdb887ac805a3b42e22d224c85482053" + "16c755d4a736bb2032c92553"), + "706a46dc76dcb76798e60e6d89474788" + "d16dc18032d268fd1a704fa6", /* r */ + "3a41e1423b1853e8aa89747b1f987364" + "44705d6d6d8371ea1f578f2e"); /* s */ + /* Test case provided by Guido Vranken, from oss-fuzz */ test_ecdsa (&_nettle_secp_192r1, "14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */
