From: Niels Möller Date: Sun, 21 Mar 2021 08:29:40 +0000 (+0100) Subject: NEWS entries for 3.7.2. X-Git-Tag: nettle_3.7.2_release_20210321^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a5f86321f4c67d7219aa87ea4e2ddca677d7378;p=thirdparty%2Fnettle.git NEWS entries for 3.7.2. --- diff --git a/ChangeLog b/ChangeLog index ff0e8019..bb169e86 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2021-03-21 Niels Möller + + * NEWS: NEWS entries for 3.7.2. + 2021-03-17 Niels Möller * configure.ac: Bump package version, to 3.7.2. diff --git a/NEWS b/NEWS index af797434..897527c9 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,51 @@ +NEWS for the Nettle 3.7.2 release + + This is a bugfix release, fixing a bug in ECDSA signature + verification that could lead to a denial of service attack + (via an assertion failure) or possibly incorrect results. It + also fixes a few related problems where scalars are required + to be canonically reduced modulo the ECC group order, but in + fact may be slightly larger. + + Upgrading to the new version is strongly recommended. + + Even when no assert is triggered in ecdsa_verify, ECC point + multiplication may get invalid intermediate values as input, + and produce incorrect results. It's trivial to construct + alleged signatures that result in invalid intermediate values. + It appears difficult to construct an alleged signature that + makes the function misbehave in such a way that an invalid + signature is accepted as valid, but such attacks can't be + ruled out without further analysis. + + Thanks to Guido Vranken for setting up the fuzzer tests that + uncovered this problem. + + The new version is intended to be fully source and binary + compatible with Nettle-3.6. The shared library names are + libnettle.so.8.3 and libhogweed.so.6.3, with sonames + libnettle.so.8 and libhogweed.so.6. + + Bug fixes: + + * Fixed bug in ecdsa_verify, and added a corresponding test + case. + + * Similar fixes to ecc_gostdsa_verify and gostdsa_vko. + + * Similar fixes to eddsa signatures. The problem is less severe + for these curves, because (i) the potentially out or range + value is derived from output of a hash function, making it + harder for the attacker to to hit the narrow range of + problematic values, and (ii) the ecc operations are + inherently more robust, and my current understanding is that + unless the corresponding assert is hit, the verify + operation should complete with a correct result. + + * Fix to ecdsa_sign, which with a very low probability could + return out of range signature values, which would be + rejected immediately by a verifier. + NEWS for the Nettle 3.7.1 release This is primarily a bug fix release, fixing a couple of