cipher: Normalize the MPIs used as input to secret key functions.

* cipher/dsa.c (sign): Normalize INPUT.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Reduce DATA before passing to secret.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks.
This is an extra pre-caution in case RSA blinding has been disabled.

CVE-id: CVE-2013-4576
Signed-off-by: Werner Koch <wk@gnupg.org>

1 files changed, 4 insertions, 1 deletions

diff --git a/cipher/elgamal.c b/cipher/elgamal.c
index 3645e7d5..a71a9bcb 100644
--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
@@ -497,10 +497,13 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
 
 
 static void
-decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
 {
   gcry_mpi_t t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
 
+  mpi_normalize (a);
+  mpi_normalize (b);
+
   /* output = b/(a^x) mod p */
   mpi_powm( t1, a, skey->x, skey->p );
   mpi_invm( t1, t1, skey->p );