Backport of: From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= Date: Sat, 13 Mar 2021 16:42:21 +0100 Subject: [PATCH] Similar fix for eddsa. * eddsa-hash.c (_eddsa_hash): Ensure result is canonically reduced. Two of the three call sites need that. (cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288) Upstream-Status: Backport https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch CVE: CVE-2021-20305 Signed-off-by: Armin Kuster --- ChangeLog | 3 +++ eddsa-hash.c | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) #diff --git a/ChangeLog b/ChangeLog #index 5f8a22c2..ce330831 100644 #--- a/ChangeLog #+++ b/ChangeLog #@@ -1,5 +1,8 @@ # 2021-03-13 Niels Möller # #+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically #+ reduced. Two of the three call sites need that. #+ # * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical # to compute the scalars used for ecc multiplication. # Index: nettle-3.5.1/eddsa-hash.c =================================================================== --- nettle-3.5.1.orig/eddsa-hash.c +++ nettle-3.5.1/eddsa-hash.c @@ -46,7 +46,12 @@ void _eddsa_hash (const struct ecc_modulo *m, mp_limb_t *rp, const uint8_t *digest) { + mp_limb_t cy; size_t nbytes = 1 + m->bit_size / 8; mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes); m->mod (m, rp); + mpn_copyi (rp + m->size, rp, m->size); + /* Ensure canonical reduction. */ + cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); + cnd_copy (cy, rp, rp + m->size, m->size); }