Backport of: From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= Date: Thu, 11 Mar 2021 19:37:41 +0100 Subject: [PATCH] New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical. * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): New functions. * ecc-internal.h: Declare and document new functions. * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. * ecc-j-to-a.c (ecc_j_to_a): Likewise. * ecc-mul-m.c (ecc_mul_m): Likewise. (cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c) Upstream-Status: Backport https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch CVE: CVE-2021-20305 dep1 Signed-off-by: Armin Kuster --- ChangeLog | 11 +++++++++++ curve25519-eh-to-x.c | 6 +----- curve448-eh-to-x.c | 5 +---- ecc-eh-to-a.c | 12 ++---------- ecc-internal.h | 15 +++++++++++++++ ecc-j-to-a.c | 15 +++------------ ecc-mod-arith.c | 24 ++++++++++++++++++++++++ ecc-mul-m.c | 6 ++---- 8 files changed, 59 insertions(+), 35 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index fd138d82..5cc5c188 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,3 +1,14 @@ #+2021-03-11 Niels Möller #+ #+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): #+ New functions. #+ * ecc-internal.h: Declare and document new functions. #+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. #+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. #+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. #+ * ecc-j-to-a.c (ecc_j_to_a): Likewise. #+ * ecc-mul-m.c (ecc_mul_m): Likewise. #+ # 2021-02-17 Niels Möller # # * Released Nettle-3.7.1. Index: nettle-3.5.1/curve25519-eh-to-x.c =================================================================== --- nettle-3.5.1.orig/curve25519-eh-to-x.c +++ nettle-3.5.1/curve25519-eh-to-x.c @@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const #define t2 (scratch + 2*ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve25519; - mp_limb_t cy; /* If u = U/W and v = V/W are the coordiantes of the point on the Edwards curve we get the curve25519 x coordinate as @@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); ecc_modp_add (ecc, t0, wp, vp); - ecc_modp_mul (ecc, t2, t0, t1); - - cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); - cnd_copy (cy, xp, t2, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2); #undef vp #undef wp #undef t0 Index: nettle-3.5.1/ecc-eh-to-a.c =================================================================== --- nettle-3.5.1.orig/ecc-eh-to-a.c +++ nettle-3.5.1/ecc-eh-to-a.c @@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc /* Needs 2*size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); - ecc_modp_mul (ecc, tp, xp, izp); - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, tp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); if (op) { @@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc } return; } - ecc_modp_mul (ecc, tp, yp, izp); - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); } Index: nettle-3.5.1/ecc-internal.h =================================================================== --- nettle-3.5.1.orig/ecc-internal.h +++ nettle-3.5.1/ecc-internal.h @@ -49,6 +49,8 @@ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr +#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical +#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical #define ecc_mod_random _nettle_ecc_mod_random #define ecc_mod _nettle_ecc_mod #define ecc_mod_inv _nettle_ecc_mod_inv @@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m, #define ecc_modq_mul(ecc, r, a, b) \ ecc_mod_mul (&(ecc)->q, (r), (a), (b)) +/* These mul and sqr functions produce a canonical result, 0 <= R < M. + Requirements on input and output areas are similar to the above + functions, except that it is *not* allowed to pass rp = rp + + m->size. + */ +void +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); + +void +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t *tp); + /* mod q operations. */ void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, Index: nettle-3.5.1/ecc-j-to-a.c =================================================================== --- nettle-3.5.1.orig/ecc-j-to-a.c +++ nettle-3.5.1/ecc-j-to-a.c @@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc, #define izBp (scratch + 3*ecc->p.size) #define tp scratch - mp_limb_t cy; - if (ecc->use_redc) { /* Set v = (r_z / B^2)^-1, @@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc, ecc_modp_sqr (ecc, iz2p, izp); } - ecc_modp_mul (ecc, iz3p, iz2p, p); - /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so - do a conditional subtraction. */ - cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, iz3p, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); if (op) { /* Skip y coordinate */ if (op > 1) { + mp_limb_t cy; /* Also reduce the x coordinate mod ecc->q. It should already be < 2*ecc->q, so one subtraction should suffice. */ @@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc, return; } ecc_modp_mul (ecc, iz3p, iz2p, izp); - ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); - /* And a similar subtraction. */ - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p); #undef izp #undef up Index: nettle-3.5.1/ecc-mod-arith.c =================================================================== --- nettle-3.5.1.orig/ecc-mod-arith.c +++ nettle-3.5.1/ecc-mod-arith.c @@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m, } void +ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) +{ + mp_limb_t cy; + mpn_mul_n (tp + m->size, ap, bp, m->size); + m->reduce (m, tp + m->size); + + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); + cnd_copy (cy, rp, tp + m->size, m->size); +} + +void +ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t *tp) +{ + mp_limb_t cy; + mpn_sqr (tp + m->size, ap, m->size); + m->reduce (m, tp + m->size); + + cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); + cnd_copy (cy, rp, tp + m->size, m->size); +} + +void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap) {