GNU bug report logs

#47222 Serious bug in Nettle's ecdsa_verify


Message #12 received at 47222@debbugs.gnu.org:

From: Mark H Weaver <mhw@netris.org>
To: 47222@debbugs.gnu.org
Subject: [Niels Möller] ANNOUNCE: Nettle-3.7.2
References: <cpfmtuwlv0k.fsf@slartibartfast.lysator.liu.se>
Date: Sun, 21 Mar 2021 15:47:47 -0400
Message-ID: <875z1kl24h.fsf@netris.org>
-------------------- Start of forwarded message --------------------
From: nisse@lysator.liu.se (Niels Möller)
To: nettle-bugs@lists.lysator.liu.se, info-gnu@gnu.org
Subject: ANNOUNCE: Nettle-3.7.2
Date: Sun, 21 Mar 2021 10:24:11 +0100

I've prepared a new bug-fix release of Nettle, a low-level
cryptographic library, to fix a serious bug in the function to verify
ECDSA signatures. Implications include an assertion failure, which could
be used for denial-of-service, when verifying signatures on the
secp_224r1 and secp_521r1 curves. More details are in the NEWS file below.

Upgrading is strongly recommended.

The Nettle home page can be found at
https://www.lysator.liu.se/~nisse/nettle/, and the manual at
https://www.lysator.liu.se/~nisse/nettle/nettle.html.

The release can be downloaded from

  https://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
  ftp://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz
  https://www.lysator.liu.se/~nisse/archive/nettle-3.7.2.tar.gz

Regards,
/Niels

NEWS for the Nettle 3.7.2 release

	This is a bugfix release, fixing a bug in ECDSA signature
	verification that could lead to a denial of service attack
	(via an assertion failure) or possibly incorrect results. It
	also fixes a few related problems where scalars are required
	to be canonically reduced modulo the ECC group order, but in
	fact may be slightly larger.

	Upgrading to the new version is strongly recommended.

	Even when no assert is triggered in ecdsa_verify, ECC point
	multiplication may get invalid intermediate values as input,
	and produce incorrect results. It's trivial to construct
	alleged signatures that result in invalid intermediate values.
	It appears difficult to construct an alleged signature that
	makes the function misbehave in such a way that an invalid
	signature is accepted as valid, but such attacks can't be
	ruled out without further analysis.

	Thanks to Guido Vranken for setting up the fuzzer tests that
	uncovered this problem.

	The new version is intended to be fully source and binary
	compatible with Nettle-3.6. The shared library names are
	libnettle.so.8.3 and libhogweed.so.6.3, with sonames
	libnettle.so.8 and libhogweed.so.6.

	Bug fixes:

	* Fixed bug in ecdsa_verify, and added a corresponding test
	  case.

	* Similar fixes to ecc_gostdsa_verify and gostdsa_vko.

	* Similar fixes to eddsa signatures. The problem is less severe
	  for these curves, because (i) the potentially out of range
	  value is derived from output of a hash function, making it
	  harder for the attacker to hit the narrow range of
	  problematic values, and (ii) the ecc operations are
	  inherently more robust, and my current understanding is that
	  unless the corresponding assert is hit, the verify
	  operation should complete with a correct result.

	* Fix to ecdsa_sign, which with a very low probability could
	  return out of range signature values, which would be
	  rejected immediately by a verifier.

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.

-------------------- End of forwarded message --------------------
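As an added illustration (not Nettle's code, and not part of the forwarded announcement), a toy ECDSA verifier that makes the invariant behind the NEWS entry explicit: r, s and the derived scalars u1, u2 are checked to be canonically reduced modulo the group order before any point multiplication, so a malformed signature is rejected instead of reaching an assert. The curve, generator, keys, nonce and hash value are constructed for the example.

```python
# Toy ECDSA verifier (an illustration, not Nettle's code) that makes the
# invariant from the 3.7.2 NEWS explicit: every scalar fed to point
# multiplication is canonically reduced modulo the group order N.
# Constructed curve y^2 = x^3 + 2x + 2 over F_17, G = (5, 1), prime order 19.
P, A = 17, 2
G = (5, 1)
N = 19
INF = None  # point at infinity

def add(p, q):
    # Affine point addition/doubling with short Weierstrass formulas.
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    # Double-and-add; models the precondition that k lies in [0, N). A scalar
    # that was only partially reduced (landing in [N, 2N)) trips this check.
    assert 0 <= k < N, "scalar not canonically reduced"
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, h, k):
    # ECDSA sign with private key d, hash h already reduced mod N, nonce k.
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + d * r) % N
    return r, s

def verify(pub, h, sig):
    # Returns True only for a canonical, valid (r, s); never raises on bad input.
    r, s = sig
    if not (0 < r < N and 0 < s < N):   # reject out-of-range r, s up front
        return False
    w = pow(s, -1, N)
    u1, u2 = h * w % N, r * w % N      # fully reduced before reaching mul()
    pt = add(mul(u1, G), mul(u2, pub))
    return pt is not INF and pt[0] % N == r
```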



debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:33:43 2024; Machine Name: wallace-server
