diff options
-rw-r--r-- | cipher/dsa.c | 5 | ||||
-rw-r--r-- | cipher/elgamal.c | 5 | ||||
-rw-r--r-- | cipher/rsa.c | 10 |
3 files changed, 18 insertions, 2 deletions
diff --git a/cipher/dsa.c b/cipher/dsa.c index 5d29ba42..50bdab16 100644 --- a/cipher/dsa.c +++ b/cipher/dsa.c @@ -583,7 +583,10 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey, mpi_rshift (hash, hash, abits - qbits); } else - hash = input; + { + mpi_normalize (input); + hash = input; + } again: /* Create the K value. */ diff --git a/cipher/elgamal.c b/cipher/elgamal.c index 3645e7d5..a71a9bcb 100644 --- a/cipher/elgamal.c +++ b/cipher/elgamal.c @@ -497,10 +497,13 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) static void -decrypt(gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) +decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) { gcry_mpi_t t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) ); + mpi_normalize (a); + mpi_normalize (b); + /* output = b/(a^x) mod p */ mpi_powm( t1, a, skey->x, skey->p ); mpi_invm( t1, t1, skey->p ); diff --git a/cipher/rsa.c b/cipher/rsa.c index a97dcfd0..e595e386 100644 --- a/cipher/rsa.c +++ b/cipher/rsa.c @@ -712,6 +712,9 @@ stronger_key_check ( RSA_secret_key *skey ) static void secret (gcry_mpi_t output, gcry_mpi_t input, RSA_secret_key *skey ) { + /* Remove superfluous leading zeroes from INPUT. */ + mpi_normalize (input); + if (!skey->p || !skey->q || !skey->u) { mpi_powm (output, input, skey->d, skey->n); @@ -997,6 +1000,13 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms) } } + /* Better make sure that there are no superfluous leading zeroes in + the input and it has not been "padded" using multiples of N. + This mitigates side-channel attacks (CVE-2013-4576). */ + mpi_normalize (data); + mpi_fdiv_r (data, data, sk.n); + + /* Allocate MPI for the plaintext. */ plain = mpi_snew (ctx.nbits); /* We use blinding by default to mitigate timing attacks which can |