diff options
| author | Werner Koch <wk@gnupg.org> | 2013-12-16 09:22:10 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2013-12-16 11:44:25 +0100 |
| commit | dec048b2ec79271a2f4405be5b87b1e768b3f1a9 (patch) | |
| tree | ba943d5e91b7d0705005414c62c455efeb140791 /cipher | |
| parent | 953535a7de68cf62b5b1ad6f96ea3a9edd83762c (diff) | |
| download | libgcrypt-dec048b2ec79271a2f4405be5b87b1e768b3f1a9.tar.gz | |
cipher: Normalize the MPIs used as input to secret key functions.
* cipher/dsa.c (sign): Normalize INPUT.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Reduce DATA before passing to secret.
--
mpi_normalize is in general not required because extra leading zeroes
do not harm the computation. However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks.
This is an extra pre-caution in case RSA blinding has been disabled.
CVE-id: CVE-2013-4576
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'cipher')
| -rw-r--r-- | cipher/dsa.c | 5 | ||||
| -rw-r--r-- | cipher/elgamal.c | 5 | ||||
| -rw-r--r-- | cipher/rsa.c | 10 |
3 files changed, 18 insertions, 2 deletions
diff --git a/cipher/dsa.c b/cipher/dsa.c index 5d29ba42..50bdab16 100644 --- a/cipher/dsa.c +++ b/cipher/dsa.c @@ -583,7 +583,10 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey, mpi_rshift (hash, hash, abits - qbits); } else - hash = input; + { + mpi_normalize (input); + hash = input; + } again: /* Create the K value. */ diff --git a/cipher/elgamal.c b/cipher/elgamal.c index 3645e7d5..a71a9bcb 100644 --- a/cipher/elgamal.c +++ b/cipher/elgamal.c @@ -497,10 +497,13 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) static void -decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) +decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) { gcry_mpi_t t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) ); + mpi_normalize (a); + mpi_normalize (b); + /* output = b/(a^x) mod p */ mpi_powm( t1, a, skey->x, skey->p ); mpi_invm( t1, t1, skey->p ); diff --git a/cipher/rsa.c b/cipher/rsa.c index a97dcfd0..e595e386 100644 --- a/cipher/rsa.c +++ b/cipher/rsa.c @@ -712,6 +712,9 @@ stronger_key_check ( RSA_secret_key *skey ) static void secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) { + /* Remove superfluous leading zeroes from INPUT. */ + mpi_normalize (input); + if (!skey->p || !skey->q || !skey->u) { mpi_powm (output, input, skey->d, skey->n); @@ -997,6 +1000,13 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms) } } + /* Better make sure that there are no superfluous leading zeroes in + the input and it has not been "padded" using multiples of N. + This mitigates side-channel attacks (CVE-2013-4576). */ + mpi_normalize (data); + mpi_fdiv_r (data, data, sk.n); + + /* Allocate MPI for the plaintext. */ plain = mpi_snew (ctx.nbits); /* We use blinding by default to mitigate timing attacks which can |