GNU bug report logs -
#47222
Serious bug in Nettle's ecdsa_verify
Previous Next
Reported by: Mark H Weaver <mhw <at> netris.org>
Date: Thu, 18 Mar 2021 00:24:01 UTC
Severity: important
Tags: security
Done: "(" <paren <at> disroot.org>
Bug is archived. No further changes may be made.
Full log
Message #12 received at 47222 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
-------------------- Start of forwarded message --------------------
From: nisse <at> lysator.liu.se (Niels Möller)
To: nettle-bugs <at> lists.lysator.liu.se, info-gnu <at> gnu.org
Subject: ANNOUNCE: Nettle-3.7.2
Date: Sun, 21 Mar 2021 10:24:11 +0100
[Message part 2 (text/plain, inline)]
I've prepared a new bug-fix release of Nettle, a low-level
cryptographics library, to fix a serious bug in the function to verify
ECDSA signatures. Implications include an assertion failure, which could
be used for denial-of-service, when verifying signatures on the
secp_224r1 and secp521_r1 curves. More details in NEWS file below.
Upgrading is strongly recomended.
The Nettle home page can be found at
https://www.lysator.liu.se/~nisse/nettle/, and the manual at
https://www.lysator.liu.se/~nisse/nettle/nettle.html.
The release can be downloaded from
https://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
ftp://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
https://www.lysator.liu.se/~nisse/archive/nettle-3.7.2.tar.gz
Regards,
/Niels
NEWS for the Nettle 3.7.2 release
This is a bugfix release, fixing a bug in ECDSA signature
verification that could lead to a denial of service attack
(via an assertion failure) or possibly incorrect results. It
also fixes a few related problems where scalars are required
to be canonically reduced modulo the ECC group order, but in
fact may be slightly larger.
Upgrading to the new version is strongly recommended.
Even when no assert is triggered in ecdsa_verify, ECC point
multiplication may get invalid intermediate values as input,
and produce incorrect results. It's trivial to construct
alleged signatures that result in invalid intermediate values.
It appears difficult to construct an alleged signature that
makes the function misbehave in such a way that an invalid
signature is accepted as valid, but such attacks can't be
ruled out without further analysis.
Thanks to Guido Vranken for setting up the fuzzer tests that
uncovered this problem.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.3 and libhogweed.so.6.3, with sonames
libnettle.so.8 and libhogweed.so.6.
Bug fixes:
* Fixed bug in ecdsa_verify, and added a corresponding test
case.
* Similar fixes to ecc_gostdsa_verify and gostdsa_vko.
* Similar fixes to eddsa signatures. The problem is less severe
for these curves, because (i) the potentially out or range
value is derived from output of a hash function, making it
harder for the attacker to to hit the narrow range of
problematic values, and (ii) the ecc operations are
inherently more robust, and my current understanding is that
unless the corresponding assert is hit, the verify
operation should complete with a correct result.
* Fix to ecdsa_sign, which with a very low probability could
return out of range signature values, which would be
rejected immediately by a verifier.
--
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
[signature.asc (application/pgp-signature, inline)]
[Message part 4 (text/plain, inline)]
--
If you have a working or partly working program that you'd like
to offer to the GNU project as a GNU package,
see https://www.gnu.org/help/evaluation.html.
[Message part 5 (text/plain, inline)]
-------------------- End of forwarded message --------------------
This bug report was last modified 2 years and 323 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.