diff options
author | Werner Koch <wk@gnupg.org> | 2015-08-31 23:13:27 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2015-08-31 23:13:27 +0200 |
commit | c17f84bd02d7ee93845e92e20f6ddba814961588 (patch) | |
tree | 4e04759824dad3cc5abfaa2b3d88497ec94b95f1 /cipher/rsa.c | |
parent | dd87639abd38afc91a6f27af33f0ba17402ad02d (diff) | |
download | libgcrypt-c17f84bd02d7ee93845e92e20f6ddba814961588.tar.gz |
rsa: Add verify after sign to avoid Lenstra's CRT attack.
* cipher/rsa.c (rsa_sign): Check the CRT.
--
Failures in the computation of the CRT (e.g. due faulty hardware) can
lead to a leak of the private key. The standard precaution against
this is to verify the signature after signing. GnuPG does this itself
and even has an option to disable this. However, the low performance
impact of this extra precaution suggest that it should always be done
and Libgcrypt is the right place here. For decryption is not done
because the application will detect the failure due to garbled
plaintext and in any case no key derived material will be send to the
user.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'cipher/rsa.c')
-rw-r--r-- | cipher/rsa.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/cipher/rsa.c b/cipher/rsa.c index e4f73d5a..45a481ba 100644 --- a/cipher/rsa.c +++ b/cipher/rsa.c @@ -1112,7 +1112,9 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) struct pk_encoding_ctx ctx; gcry_mpi_t data = NULL; RSA_secret_key sk = {NULL, NULL, NULL, NULL, NULL, NULL}; + RSA_public_key pk; gcry_mpi_t sig = NULL; + gcry_mpi_t result = NULL; _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN, rsa_get_nbits (keyparms)); @@ -1148,11 +1150,25 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) } } - /* Do RSA computation and build the result. */ + /* Do RSA computation. */ sig = mpi_new (0); secret (sig, data, &sk); if (DBG_CIPHER) log_printmpi ("rsa_sign res", sig); + + /* Check that the created signature is good. This detects a failure + of the CRT algorithm (Lenstra's attack on RSA's use of the CRT). */ + result = mpi_new (0); + pk.n = sk.n; + pk.e = sk.e; + public (result, sig, &pk); + if (mpi_cmp (result, data)) + { + rc = GPG_ERR_BAD_SIGNATURE; + goto leave; + } + + /* Convert the result. */ if ((ctx.flags & PUBKEY_FLAG_FIXEDLEN)) { /* We need to make sure to return the correct length to avoid @@ -1172,6 +1188,7 @@ rsa_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) leave: + _gcry_mpi_release (result); _gcry_mpi_release (sig); _gcry_mpi_release (sk.n); _gcry_mpi_release (sk.e); |