[gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)

Read-only notification of GnuTLS library development activities
GitLab

Daiki Ueno created a merge request:

Project:Branches: dueno/gnutls:wip/dueno/ecdsa-verify-3.6.x to gnutls/gnutls:gnutls_3_6_x
Author: Daiki Ueno
Assignees:
Reviewers:

Some internal functions used in point multiplications are known to misbehave if the scaler is out-of-range. This performs canonical reduction on scalers, before point multiplication.

This ports the fixes from Nettle upstream to the bundled EC code. See the Nettle 3.7.2 release announcement for details: https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • Code modified for feature
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated / NEWS entry present (for non-trivial changes)
  • CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Reply | Threaded
Open this post in threaded view
|

Re: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)

Read-only notification of GnuTLS library development activities
GitLab

Andreas Metzler commented:

Hello Daiki, nettle upstream applied this fix to quite a bit more broadly than this patch does. e.g. to eddsa-verify.c which is also present in GnuTLS. Is the respective code dead in gnutls?

Might less error prone to add a private helper function ("named like _nettle_backported_ecc_mod_mul_canonical") doing what upstream's ecc_mod_mul_canonical() does.

cu Andreas


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Reply | Threaded
Open this post in threaded view
|

Re: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)

Read-only notification of GnuTLS library development activities
In reply to this post by Read-only notification of GnuTLS library development activities
GitLab

Daiki Ueno commented on a discussion:

nettle upstream applied this fix to quite a bit more broadly than this patch does. e.g. to eddsa-verify.c which is also present in GnuTLS. Is the respective code dead in gnutls?

I think you mean this change: https://git.lysator.liu.se/nettle/nettle/-/commit/5b7608fde3a6d2ab82bffb35db1e4e330927c906 which I thought as a cleanup rather than a fix (i.e., the code behavior is identical).

Might less error prone to add a private helper function ("named like _nettle_backported_ecc_mod_mul_canonical") doing what upstream's ecc_mod_mul_canonical() does.

Maybe, but the convention of EC functions seems to have changed since the last nettle import in gnutls (based on nettle 3.6rc3): e.g., ecc_mod_mul takes scratch area now in the master. Therefore, I tried to rather minimize the amount of change.

@nielsmoller any suggestions? I also have backports for nettle 3.4.1 and 2.7.1 (for RHEL and CentOS).


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Reply | Threaded
Open this post in threaded view
|

Re: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)

Read-only notification of GnuTLS library development activities
In reply to this post by Read-only notification of GnuTLS library development activities
GitLab

Niels Möller commented:

I don't have the full context. Regarding https://git.lysator.liu.se/nettle/nettle/-/commit/5b7608fde3a6d2ab82bffb35db1e4e330927c906, that is indeed a cleanup. The bug fix changes are those that replace ecc_mod_mul, without any additional reduction logic, with calls to ecc_mod_mul_canonical.

I don't see see the fix to ecc_ecdsa_verify backported in this mr (https://git.lysator.liu.se/nettle/nettle/-/commit/2397757b3f95fcae1e2d3011bf99ca5b5438378f), that seems quite important?

For backports, I know that the GNU guix project is interested in a backport to nettle-3.5, see https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47222

I might make sense to add a helper similar to the the ecc_mod_mul_canonical in nettl-3.7.2, but as you have noticed, it can't be identical due to the changed conventions for ecc_mod_mul and the underlying mod functions. But I think it should be fairly straight forward to write a variant with an interface compatible with ecc_mod_mul in older versions.


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Reply | Threaded
Open this post in threaded view
|

Re: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)

Read-only notification of GnuTLS library development activities
In reply to this post by Read-only notification of GnuTLS library development activities
GitLab

Daiki Ueno commented on a discussion:

Thank you for the prompt response.

I don't see see the fix to ecc_ecdsa_verify backported in this mr (https://git.lysator.liu.se/nettle/nettle/-/commit/2397757b3f95fcae1e2d3011bf99ca5b5438378f), that seems quite important?

We only import any missing functionalities in the minimum supported version of nettle, which in this case are only Ed448 and GOSTDSA: https://gitlab.com/gnutls/gnutls/-/blob/gnutls_3_6_x/devel/import-ecc-from-nettle.sh


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel
Reply | Threaded
Open this post in threaded view
|

Re: [gnutls-devel] GnuTLS | nettle: port upstream hardening of EC point multiplication [3.6.x] (!1407)

Read-only notification of GnuTLS library development activities
In reply to this post by Read-only notification of GnuTLS library development activities
GitLab

Daiki Ueno commented on a discussion:

Thank you for the prompt response.

I don't see see the fix to ecc_ecdsa_verify backported in this mr (https://git.lysator.liu.se/nettle/nettle/-/commit/2397757b3f95fcae1e2d3011bf99ca5b5438378f), that seems quite important?

We only import any missing functionalities in the minimum supported version of nettle, which in this case are only Ed448 and GOSTDSA: https://gitlab.com/gnutls/gnutls/-/blob/gnutls_3_6_x/devel/import-ecc-from-nettle.sh


_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel