| field | value | date |
|---|---|---|
| author | Werner Koch <wk@gnupg.org> | 2013-12-16 09:22:10 +0100 |
| committer | Werner Koch <wk@gnupg.org> | 2013-12-16 11:44:25 +0100 |
| commit | dec048b2ec79271a2f4405be5b87b1e768b3f1a9 (patch) | |
| tree | ba943d5e91b7d0705005414c62c455efeb140791 /cipher/elgamal.c | |
| parent | 953535a7de68cf62b5b1ad6f96ea3a9edd83762c (diff) | |
| download | libgcrypt-dec048b2ec79271a2f4405be5b87b1e768b3f1a9.tar.gz | |
cipher: Normalize the MPIs used as input to secret key functions.
* cipher/dsa.c (sign): Normalize INPUT.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Reduce DATA before passing to secret.
--
mpi_normalize is in general not required because extra leading zeroes
do not harm the computation. However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks.
This is an extra precaution in case RSA blinding has been disabled.
CVE-id: CVE-2013-4576
Signed-off-by: Werner Koch <wk@gnupg.org>
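To make the commit message's point concrete, here is an added example (not libgcrypt code; the prime, generator, key values and padding multiples are all chosen for the illustration): a toy ElGamal decrypt computing b/(a^x) mod p, which shows that a ciphertext padded with multiples of p still decrypts to the same plaintext but presents a larger operand to the secret exponentiation unless it is reduced first, which is the size variation normalization and reduction take out of an attacker's hands.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy ElGamal over the prime 2^31 - 1 (constants chosen for this example,
 * nothing here is libgcrypt code).  Two residues multiply within uint64_t. */
static const uint64_t P = 2147483647ULL;
static const uint64_t G = 7ULL;

static uint64_t mulmod(uint64_t a, uint64_t b) { return (a % P) * (b % P) % P; }

static uint64_t powmod(uint64_t base, uint64_t e)
{
  uint64_t r = 1;
  for (base %= P; e; e >>= 1, base = mulmod(base, base))
    if (e & 1) r = mulmod(r, base);
  return r;
}

/* Bit length: the operand size a length-dependent big-number routine leaks via timing. */
static unsigned bit_length(uint64_t v) { unsigned n = 0; for (; v; v >>= 1) n++; return n; }

/* Encrypt m under public key y = g^x with ephemeral k: a = g^k, b = m * y^k. */
static void elg_encrypt(uint64_t m, uint64_t y, uint64_t k, uint64_t *a, uint64_t *b)
{
  *a = powmod(G, k);
  *b = mulmod(m, powmod(y, k));
}

/* output = b/(a^x) mod p.  With 'reduce' set, a and b are reduced mod p
 * before the secret exponent x touches them (the role normalization plays
 * in the patch); *a_bits reports the operand size the exponentiation saw. */
static uint64_t elg_decrypt(uint64_t a, uint64_t b, uint64_t x, int reduce, unsigned *a_bits)
{
  if (reduce) { a %= P; b %= P; }
  *a_bits = bit_length(a);
  uint64_t t = powmod(a, x);            /* a^x */
  return mulmod(b, powmod(t, P - 2));   /* times (a^x)^-1, inverse by Fermat */
}

int main(void)
{
  uint64_t x = 123457ULL, k = 98765ULL, m = 424242ULL, a, b, out;
  unsigned bits;
  elg_encrypt(m, powmod(G, x), k, &a, &b);
  out = elg_decrypt(a + 3 * P, b + 5 * P, x, 0, &bits);   /* ciphertext padded by multiples of p */
  printf("unreduced: m=%llu a_bits=%u\n", (unsigned long long)out, bits);
  out = elg_decrypt(a + 3 * P, b + 5 * P, x, 1, &bits);
  printf("reduced:   m=%llu a_bits=%u\n", (unsigned long long)out, bits);
  return 0;
}
```

Both calls print the original plaintext; only the operand size differs (33 bits for the padded a versus at most 31 after reduction), which is the whole of what the defence changes.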
Diffstat (limited to 'cipher/elgamal.c')
-rw-r--r-- | cipher/elgamal.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/cipher/elgamal.c b/cipher/elgamal.c index 3645e7d5..a71a9bcb 100644 --- a/cipher/elgamal.c +++ b/cipher/elgamal.c @@ -497,10 +497,13 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) static void -decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) +decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) { gcry_mpi_t t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) ); + mpi_normalize (a); + mpi_normalize (b); + /* output = b/(a^x) mod p */ mpi_powm( t1, a, skey->x, skey->p ); mpi_invm( t1, t1, skey->p ); |
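Review bot: the commit message names two things an attacker-chosen ciphertext may carry, extra all-zero limbs and padding by multiples of the modulus, but this hunk only addresses the first: `mpi_normalize (a);` and `mpi_normalize (b);` strip the extra all-zero limbs the message describes, while nothing reduces a or b mod skey->p before `mpi_powm( t1, a, skey->x, skey->p );` sees them, unlike the RSA path where the message says rsa_decrypt reduces DATA before passing it to secret. Either reduce both operands mod skey->p here as well, or add a comment beside the two mpi_normalize calls stating why the reduction is not needed for ElGamal; as it stands the calls carry no comment and the message itself notes normalization is "in general not required", so a reader of elgamal.c has no in-code reason for them.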