From: Mark H Weaver
To: bug-guix@gnu.org
Date: Wed, 17 Mar 2021 20:21:54 -0400
Subject: bug#47222: Serious bug in Nettle's ecdsa_verify

FYI...

-------------------- Start of forwarded message --------------------
From: nisse@lysator.liu.se (Niels Möller)
To: nettle-bugs@lists.lysator.liu.se
Subject: ANNOUNCE: Serious bug in Nettle's ecdsa_verify
Date: Tue, 16 Mar 2021 09:07:56 +0100

I've been made aware of a bug in Nettle's code to verify ECDSA signatures. Certain signatures result in the ecc point multiply function being called with out-of-range scalars, which may give incorrect results, or crash in an assertion failure. It's an old bug, probably since Nettle's initial implementation of ECDSA.

I've just pushed fixes for ecdsa_verify, as well as a few other cases of potentially out-of-range scalars, to the master-updates branch.

I haven't fully analysed the implications, but I'll describe my current understanding. I think an assertion failure, useful for a denial-of-service attack, is easy on the curves where the bitsize of q, the group order, is not an integral number of words. That's secp224r1, on 64-bit platforms, and secp521r1.

Even when it's not possible to trigger an assertion failure, it's easy to produce valid-looking input "signatures" that hit out-of-range intermediate scalar values where point multiplication may misbehave. This applies to all the NIST secp* curves as well as the GOST curves. To me, it looks very difficult to make it misbehave in such a way that ecdsa_verify will think an invalid signature is valid, but it might be possible; further analysis is needed.

I will not be able to analyze it properly now; if anyone else would like to look into it, I can provide a bit more background.

ed25519 and ed448 may be affected too, but it appears a bit harder to find inputs that hit out-of-range values. And since point operations are inherently more robust on these curves, I think they will produce correct results as long as they don't hit the assert.

Advice on how to deal best with this? My current plan is to prepare a 3.7.2 bugfix release (from a new bugfix-only branch, without the new arm64 code). Maybe as soon as tomorrow (Wednesday, European time), or in the weekend.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
-------------------- End of forwarded message --------------------

From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Thu, 18 Mar 2021 14:27:19 +0100
Subject: control message for bug #47222

tags 47222 + security
quit

From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Thu, 18 Mar 2021 14:27:23 +0100
Subject: control message for bug #47222

severity 47222 important
quit

From: Mark H Weaver
To: 47222@debbugs.gnu.org
Date: Sun, 21 Mar 2021 15:47:47 -0400
Subject: bug#47222: [Niels Möller] ANNOUNCE: Nettle-3.7.2
-------------------- Start of forwarded message --------------------
From: nisse@lysator.liu.se (Niels Möller)
To: nettle-bugs@lists.lysator.liu.se, info-gnu@gnu.org
Subject: ANNOUNCE: Nettle-3.7.2
Date: Sun, 21 Mar 2021 10:24:11 +0100

I've prepared a new bug-fix release of Nettle, a low-level cryptographic library, to fix a serious bug in the function to verify ECDSA signatures. Implications include an assertion failure, which could be used for denial-of-service, when verifying signatures on the secp224r1 and secp521r1 curves. More details in NEWS file below.

Upgrading is strongly recommended.

The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html.

The release can be downloaded from

  https://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
  ftp://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
  https://www.lysator.liu.se/~nisse/archive/nettle-3.7.2.tar.gz

Regards,
/Niels

NEWS for the Nettle 3.7.2 release

This is a bugfix release, fixing a bug in ECDSA signature verification that could lead to a denial of service attack (via an assertion failure) or possibly incorrect results. It also fixes a few related problems where scalars are required to be canonically reduced modulo the ECC group order, but in fact may be slightly larger. Upgrading to the new version is strongly recommended.

Even when no assert is triggered in ecdsa_verify, ECC point multiplication may get invalid intermediate values as input, and produce incorrect results. It's trivial to construct alleged signatures that result in invalid intermediate values. It appears difficult to construct an alleged signature that makes the function misbehave in such a way that an invalid signature is accepted as valid, but such attacks can't be ruled out without further analysis.

Thanks to Guido Vranken for setting up the fuzzer tests that uncovered this problem.

The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.3 and libhogweed.so.6.3, with sonames libnettle.so.8 and libhogweed.so.6.

Bug fixes:

* Fixed bug in ecdsa_verify, and added a corresponding test case.

* Similar fixes to ecc_gostdsa_verify and gostdsa_vko.

* Similar fixes to eddsa signatures. The problem is less severe for these curves, because (i) the potentially out of range value is derived from output of a hash function, making it harder for the attacker to hit the narrow range of problematic values, and (ii) the ecc operations are inherently more robust, and my current understanding is that unless the corresponding assert is hit, the verify operation should complete with a correct result.

* Fix to ecdsa_sign, which with a very low probability could return out of range signature values, which would be rejected immediately by a verifier.

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
-------------------- End of forwarded message --------------------

From: Ludovic Courtès
To: Niels Möller
Cc: 47222@debbugs.gnu.org, nettle-bugs@lists.lysator.liu.se
Date: Thu, 25 Mar 2021 10:51:51 +0100
Subject: bug#47222: Serious bug in Nettle's ecdsa_verify

Hi Niels,

> I've prepared a new bug-fix release of Nettle, a low-level cryptographic library, to fix a serious bug in the function to verify ECDSA signatures. Implications include an assertion failure, which could be used for denial-of-service, when verifying signatures on the secp224r1 and secp521r1 curves. More details in NEWS file below.
>
> Upgrading is strongly recommended.

Are there plans to make a new 3.5 release including these fixes? Alternatively, could you provide guidance as to which commits should be cherry-picked in 3.5 for downstream distros?

I’m asking because in Guix, the easiest way for us to deploy the fixes on the ‘master’ branch would be by “grafting” a new Nettle variant ABI-compatible with 3.5.1, which is the one packages currently depend on.

Thanks in advance,

Ludo’.
From: nisse@lysator.liu.se (Niels Möller)
To: Ludovic Courtès
Cc: 47222@debbugs.gnu.org, nettle-bugs@lists.lysator.liu.se
Date: Thu, 25 Mar 2021 17:21:40 +0100
Subject: bug#47222: Serious bug in Nettle's ecdsa_verify

Ludovic Courtès writes:

> Are there plans to make a new 3.5 release including these fixes?

No, I don't plan any 3.5.x release.

> Alternatively, could you provide guidance as to which commits should be cherry-picked in 3.5 for downstream distros?

Look at the branch release-3.7-fixes (https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/). The commits since 3.7.1 are the ones you need.

Changes to gostdsa and ed448 will not apply, since those curves didn't exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to refactoring when adding ed448.

> I’m asking because in Guix, the easiest way for us to deploy the fixes on the ‘master’ branch would be by “grafting” a new Nettle variant ABI-compatible with 3.5.1, which is the one packages currently depend on.

I still recommend upgrading to the latest version. There was an ABI break in 3.6 (so you'd need to recompile lots of guix packages), but no incompatible changes to the (source level) API.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
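As an added illustration of the point made in the announcement and NEWS above (this is editor-supplied example code, not Nettle's code and not part of the thread): a toy ECDSA signer and verifier in Python that checks r and s lie in [1, q-1] before computing anything from them, reduces the intermediate scalars u1 and u2 modulo q, and has the point-multiply routine assert that precondition, so a non-canonical signature value is rejected cleanly instead of reaching point arithmetic. The curve (y² = x³ + 2x + 2 over GF(17), G = (5, 1), q = 19), key, hash value and nonce are constructed for the example, and the function names are the example's own.

```python
"""Toy ECDSA with the range checks that keep every scalar handed to point
multiplication canonically reduced modulo the group order q.

Constructed example only: the curve y^2 = x^3 + 2x + 2 over GF(17) with
base point G = (5, 1) of prime order q = 19 is a textbook toy, not a real
curve, and nothing here is Nettle's code.
"""

P = 17            # field prime
A, B = 2, 2       # curve coefficients
G = (5, 1)        # base point
Q = 19            # group order (prime)


def is_canonical_scalar(k):
    """True if k is in [0, q), i.e. already reduced modulo the group order."""
    return 0 <= k < Q


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication.

    Like an optimised fixed-limb implementation, this routine is only
    specified for reduced scalars; the assert models that precondition
    (an assumption of this toy, not a description of Nettle's internals).
    """
    assert is_canonical_scalar(k), "scalar not reduced mod q"
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def signature_in_range(r, s):
    """FIPS 186-style check: both signature values must lie in [1, q-1]."""
    return 1 <= r <= Q - 1 and 1 <= s <= Q - 1


def sign(priv, h, k):
    """Sign hash value h with private key priv and nonce k in [1, q-1].

    Returns None when r or s would be 0 so the caller retries with a fresh
    nonce; the values returned are therefore always in range.
    """
    assert 1 <= k <= Q - 1
    r = ec_mul(k, G)[0] % Q
    s = pow(k, -1, Q) * (h + r * priv) % Q
    if r == 0 or s == 0:
        return None
    return (r, s)


def verify(pub, h, r, s):
    """Verify (r, s) over hash value h for public key pub.

    The range check runs first, so a non-canonical r or s is rejected
    before any value derived from it reaches ec_mul, and u1, u2 are
    reduced mod q explicitly.
    """
    if not signature_in_range(r, s):
        return False
    w = pow(s, -1, Q)
    u1 = h * w % Q
    u2 = r * w % Q
    x = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    return x is not None and x[0] % Q == r


if __name__ == "__main__":
    priv = 7
    pub = ec_mul(priv, G)                 # (0, 6)
    r, s = sign(priv, 11, 10)             # constructed hash 11, nonce 10
    print("signature", (r, s), "valid:", verify(pub, 11, r, s))
    # Same residues mod q, but not canonical: rejected before point math.
    print("r + q rejected:", not verify(pub, 11, r + Q, s))
    print("s + q rejected:", not verify(pub, 11, r, s + Q))
```

The two rejected inputs are congruent to the valid signature modulo q, which is exactly why a verifier that merely reduces instead of checking would treat them as valid; the check is what guarantees every scalar reaching ec_mul is canonical.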
From: Leo Famulari
To: Niels Möller
Cc: Ludovic Courtès, 47222@debbugs.gnu.org, nettle-bugs@lists.lysator.liu.se
Date: Thu, 25 Mar 2021 14:16:50 -0400
Subject: bug#47222: Serious bug in Nettle's ecdsa_verify

On Thu, Mar 25, 2021 at 05:21:40PM +0100, Niels Möller wrote:
> Changes to gostdsa and ed448 will not apply, since those curves didn't exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to refactoring when adding ed448.

Okay.

> > I’m asking because in Guix, the easiest way for us to deploy the fixes on the ‘master’ branch would be by “grafting” a new Nettle variant ABI-compatible with 3.5.1, which is the one packages currently depend on.
>
> I still recommend upgrading to the latest version. There was an ABI break in 3.6 (so you'd need to recompile lots of guix packages), but no incompatible changes to the (source level) API.

Unfortunately, non-ABI compatible upgrades of nettle cannot be done quickly in Guix. As you point out, we'd have to recompile over >10000 packages, and then we'd have to fix any breakage that might occur from the upgrade.

We will have to try to cherry-pick the bug fix patches.
From: Léo Le Bouter
To: 47222@debbugs.gnu.org
Date: Tue, 06 Apr 2021 13:09:57 +0200
Subject: bug#47222: Serious bug in Nettle's ecdsa_verify

I am no expert cryptographer; it is likely that if I try backporting such patches I will get something wrong that introduces more flaws.

https://security-tracker.debian.org/tracker/CVE-2021-20305 - no patch backported yet
https://packages.ubuntu.com/source/focal/nettle - no patch backported either

It would be best if Nettle adopted a forever (or almost) backwards compatible ABI from now on like curl (https://curl.se/libcurl/abi.html) so that such things don't happen again.

Thank you,
Léo
+0000 Received: (at 47222) by debbugs.gnu.org; 16 Apr 2021 20:47:01 +0000 Received: from localhost ([127.0.0.1]:41783 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lXVMi-0004AE-Ln for submit@debbugs.gnu.org; Fri, 16 Apr 2021 16:47:00 -0400 Received: from eggs.gnu.org ([209.51.188.92]:55902) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lXVMg-00049y-Ve for 47222@debbugs.gnu.org; Fri, 16 Apr 2021 16:46:59 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:48104) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lXVMb-00086L-CE; Fri, 16 Apr 2021 16:46:53 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=39792 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lXVMa-0004Hz-TR; Fri, 16 Apr 2021 16:46:53 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <875z1kl24h.fsf@netris.org> <87h7kzblxk.fsf_-_@gnu.org> Date: Fri, 16 Apr 2021 22:46:50 +0200 In-Reply-To: ("Niels =?UTF-8?Q?M=C3=B6ller?="'s message of "Thu, 25 Mar 2021 17:21:40 +0100") Message-ID: <87im4m2c05.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Hi! (- Niels, - nettle-bugs) nisse@lysator.liu.se (Niels M=C3=B6ller) skribis: > Ludovic Court=C3=A8s writes: > >> Are there plans to make a new 3.5 release including these fixes? > > No, I don't plan any 3.5.x release. > >> Alternatively, could you provide guidance as to which commits should be >> cherry-picked in 3.5 for downstream distros? 
>
> Look at the branch release-3.7-fixes
> (https://git.lysator.liu.se/nettle/nettle/-/commits/release-3.7-fixes/).
> The commits since 3.7.1 are the ones you need.
>
> Changes to gostdsa and ed448 will not apply, since those curves didn't
> exist in nettle-3.5. Changes to ed25519 might not apply cleanly, due to
> refactoring when adding ed448.

I confirm these patches don’t apply, and I’m not comfortable fiddling with that.

Leo and I checked and found that Debian doesn’t have 3.5.

Do other distros have backports of these patches to 3.5? If not, our options are:

  1. to invest in the backport ourselves, with good peer review, ideally getting it stamped by Niels & co;

  2. to wait until a full rebuild has come.

It’s not an ideal situation. Thoughts?

Ludo’.


From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Mark H Weaver
Subject: bug#47222: closed ()
Date: Mon, 08 Aug 2022 17:13:02 +0000

Your bug report

#47222: Serious bug in Nettle's ecdsa_verify

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.

If you require more details, please reply to 47222@debbugs.gnu.org.
-- 
47222: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47222
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems


From: "("
To: 47222-done@debbugs.gnu.org
Date: Mon, 08 Aug 2022 18:11:05 +0100
We now have nettle 3.7.3, so this isn't an issue anymore. Closing.

-- 
(
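The bug this report tracks (CVE-2021-20305) is ecdsa_verify handing out-of-range scalars to the ECC point multiply, where they can trip an assertion or produce wrong results. What follows is an added example, not Nettle's code and not written by anyone in this thread: a textbook ECDSA verifier over secp224r1 in Python that shows the two invariants keeping scalars in range, namely rejecting r or s outside [1, q-1] before any arithmetic and reducing u1 and u2 to [0, q-1] before multiplication. The assert in ec_mul models the assertion failure the report describes and is an assumption about that behaviour, not Nettle's code path; the curve constants are the published secp224r1 domain parameters, and the private key, nonce and message are constructed for the demonstration.

```python
import hashlib

# Added example, not Nettle's code: textbook ECDSA over NIST P-224 (secp224r1) in pure
# Python, with the scalar-range checks a verifier must perform before it hands values to
# point multiplication. Curve constants are the published secp224r1 domain parameters;
# the private key, nonce and message below are constructed for this demonstration.

P = 2**224 - 2**96 + 1                                            # field prime
A = P - 3
B = 0xB4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D  # group order q
G = (0xB70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21,
     0xBD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34)


def ec_add(p1, p2):
    """Affine short-Weierstrass group law; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2 (also covers doubling a point with y == 0)
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Left-to-right double-and-add. Modelled on the behaviour this report describes
    (an assumption, not Nettle's code): the routine assumes a canonical scalar and
    asserts otherwise, so callers must reduce first or an attacker-chosen input turns
    into an assertion failure here."""
    assert 0 <= k < Q, "scalar out of range for point multiplication"
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc


def sign(d, h, k):
    """ECDSA signing with a caller-supplied nonce k, for reproducibility only; a real
    signer draws k uniformly at random or derives it deterministically (RFC 6979)."""
    assert 0 < k < Q and 0 < d < Q
    r = ec_mul(k, G)[0] % Q
    s = pow(k, -1, Q) * (h + r * d) % Q
    assert r != 0 and s != 0
    return r, s


def verify(pub, h, r, s):
    """True only for a valid signature. The first check is the one that matters for
    this report: reject r or s outside [1, q-1] before any modular inverse or point
    multiplication. u1 and u2 are then reduced to [0, q-1], so ec_mul never sees an
    out-of-range scalar."""
    if not (1 <= r < Q and 1 <= s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (h % Q) * w % Q
    u2 = r * w % Q
    pt = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    if pt is None:
        return False
    return pt[0] % Q == r


def top_limb_slack_bits(q_bits, limb_bits=64):
    """Unused bits in the top limb when a q_bits-bit scalar is stored in whole limbs.
    Any limb pattern with one of these bits set is 'valid-looking' storage for r or s
    yet lies outside [0, q-1]. Among the NIST P-curves (192/224/256/384/521 bits) this
    is non-zero only for secp224r1 on 64-bit limbs and for secp521r1, the two cases the
    report singles out for the assertion failure."""
    return (-q_bits) % limb_bits


def demo():
    """Sign one constructed message and probe the verifier with in-range and
    out-of-range signature values. Returns a dict of verification outcomes."""
    d = 0x00112233445566778899AABBCCDDEEFF00112233445566778899AABB  # constructed key
    k = 0x5E3A9C7B1D4F2E6A8B0C3D5F7E9A1B2C4D6E8F0A1B3C5D7E9F0A2B4C  # constructed nonce
    pub = ec_mul(d, G)
    h = int.from_bytes(hashlib.sha224(b"constructed message").digest(), "big")
    r, s = sign(d, h, k)
    return {
        "valid": verify(pub, h, r, s),
        "r_zero": verify(pub, h, 0, s),
        "s_equals_q": verify(pub, h, r, Q),
        "s_plus_q": verify(pub, h, r, s + Q),   # still fits 4 x 64-bit limbs; rejected
        "wrong_hash": verify(pub, (h + 1) % Q, r, s),
    }


if __name__ == "__main__":
    print(demo())
    print("slack bits:", {c: top_limb_slack_bits(b) for c, b in
                          (("secp224r1", 224), ("secp256r1", 256), ("secp521r1", 521))})
```

Run it directly to print the outcomes. The s_plus_q case is the kind of "valid-looking" signature the report mentions: s + q is still a 4-limb value on a 64-bit platform, so only an explicit comparison against q, not the limb count, rejects it before it reaches the multiply. top_limb_slack_bits reproduces the report's observation that secp224r1 (on 64-bit words) and secp521r1 are the NIST curves whose group order leaves spare bits in the top limb.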