File nettle-CVE-2016-6489.patch of Package libnettle

Overview Repositories Revisions Requests Users Attributes Meta

File nettle-CVE-2016-6489.patch of Package libnettle

Index: nettle-2.7.1/dsa-sign.c
===================================================================
--- nettle-2.7.1.orig/dsa-sign.c
+++ nettle-2.7.1/dsa-sign.c
@@ -63,7 +63,7 @@ _dsa_sign(const struct dsa_public_key *p
   mpz_add_ui(k, k, 1);
 
   /* Compute r = (g^k (mod p)) (mod q) */
-  mpz_powm(tmp, pub->g, k, pub->p);
+  mpz_powm_sec(tmp, pub->g, k, pub->p);
   mpz_fdiv_r(signature->r, tmp, pub->q);
 
   /* Compute hash */
Index: nettle-2.7.1/rsa-blind.c
===================================================================
--- nettle-2.7.1.orig/rsa-blind.c
+++ nettle-2.7.1/rsa-blind.c
@@ -53,7 +53,7 @@ _rsa_blind (const struct rsa_public_key
   while (!mpz_invert (ri, r, pub->n));
 
   /* c = c*(r^e) mod n */
-  mpz_powm(r, r, pub->e, pub->n);
+  mpz_powm_sec(r, r, pub->e, pub->n);
   mpz_mul(c, c, r);
   mpz_fdiv_r(c, c, pub->n);
 
Index: nettle-2.7.1/rsa-sign.c
===================================================================
--- nettle-2.7.1.orig/rsa-sign.c
+++ nettle-2.7.1/rsa-sign.c
@@ -88,11 +88,11 @@ rsa_compute_root(const struct rsa_privat
 
   /* Compute xq = m^d % q = (m%q)^b % q */
   mpz_fdiv_r(xq, m, key->q);
-  mpz_powm(xq, xq, key->b, key->q);
+  mpz_powm_sec(xq, xq, key->b, key->q);
 
   /* Compute xp = m^d % p = (m%p)^a % p */
   mpz_fdiv_r(xp, m, key->p);
-  mpz_powm(xp, xp, key->a, key->p);
+  mpz_powm_sec(xp, xp, key->a, key->p);
 
   /* Set xp' = (xp - xq) c % p. */
   mpz_sub(xp, xp, xq);
Index: nettle-2.7.1/rsa.c
===================================================================
--- nettle-2.7.1.orig/rsa.c
+++ nettle-2.7.1/rsa.c
@@ -50,13 +50,19 @@ rsa_public_key_clear(struct rsa_public_k
 }
 
 /* Computes the size, in octets, of a the modulo. Returns 0 if the
- * modulo is too small to be useful. */
+ * modulo is too small to be useful. or otherwise appears invalid. */
 
 unsigned
 _rsa_check_size(mpz_t n)
 {
-  /* Round upwards */
-  unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8;
+/* Round upwards */
+  unsigned size;
+
+  /* Even moduli are invalid, and not supported by mpz_powm_sec. */
+  if (mpz_even_p (n))
+    return 0;
+  
+  size = (mpz_sizeinbase(n, 2) + 7) / 8; 
 
   if (size < RSA_MINIMUM_N_OCTETS)
     return 0;
Index: nettle-2.7.1/testsuite/rsa-test.c
===================================================================
--- nettle-2.7.1.orig/testsuite/rsa-test.c
+++ nettle-2.7.1/testsuite/rsa-test.c
@@ -57,6 +57,13 @@ test_main(void)
 
   test_rsa_sha512(&pub, &key, expected);
 
+  /* Test detection of invalid keys with even modulo */
+  mpz_clrbit (pub.n, 0);
+  ASSERT (!rsa_public_key_prepare (&pub));
+
+  mpz_clrbit (key.p, 0);
+  ASSERT (!rsa_private_key_prepare (&key));
+
   /* 777-bit key, generated by
    *
    *   lsh-keygen -a rsa -l 777 -f advanced-hex

Places

File nettle-CVE-2016-6489.patch of Package libnettle

Places