mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00

Normalize the MPIs used as input to secret key functions.

* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic cryptanalysis.  This is an
extra precaution which alone would not be sufficient to mitigate the
described attack.

CVE-id: CVE-2013-4576

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2013-11-27 14:22:10 +01:00
parent 93a96e3c0c
commit d0d72d98f3
3 changed files with 25 additions and 6 deletions
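
The two input shapes the commit message names, extra all-zero limbs and padding with multiples of N, shown on a toy limb array. This is an added example, not GnuPG code: `toy_mpi` and the `toy_*` functions are hypothetical, the values are constructed, and reduction is by repeated subtraction, which only suits the small multiple used here.

```c
#include <stdint.h>

/* Toy little-endian MPI (hypothetical type, not GnuPG's MPI). */
typedef struct { uint32_t limb[4]; unsigned nlimbs; } toy_mpi;

/* Drop most-significant zero limbs so equal values have equal nlimbs. */
static void toy_normalize(toy_mpi *a)
{
    while (a->nlimbs > 0 && a->limb[a->nlimbs - 1] == 0)
        a->nlimbs--;
}

/* Compare two normalized values: <0, 0 or >0. */
static int toy_cmp(const toy_mpi *a, const toy_mpi *b)
{
    if (a->nlimbs != b->nlimbs)
        return a->nlimbs < b->nlimbs ? -1 : 1;
    for (unsigned i = a->nlimbs; i-- > 0;)
        if (a->limb[i] != b->limb[i])
            return a->limb[i] < b->limb[i] ? -1 : 1;
    return 0;
}

/* a -= b for normalized a >= b, then renormalize. */
static void toy_sub(toy_mpi *a, const toy_mpi *b)
{
    uint64_t borrow = 0;
    for (unsigned i = 0; i < a->nlimbs; i++) {
        uint64_t bi = (i < b->nlimbs ? b->limb[i] : 0) + borrow;
        borrow = a->limb[i] < bi;
        a->limb[i] = (uint32_t)(a->limb[i] - bi);
    }
    toy_normalize(a);
}

/* Strip zero limbs, then reduce into [0, n) by repeated subtraction. */
static void toy_canonicalize(toy_mpi *in, const toy_mpi *n)
{
    toy_normalize(in);
    while (toy_cmp(in, n) >= 0)
        toy_sub(in, n);
}

int main(void)
{
    toy_mpi n = {{1, 1}, 2};         /* constructed modulus 2^32 + 1 */
    toy_mpi in = {{7, 2, 0, 0}, 4};  /* constructed: 5 + 2n, two zero limbs */
    toy_canonicalize(&in, &n);       /* leaves the single limb 5 */
    return !(in.nlimbs == 1 && in.limb[0] == 5);
}
```

After canonicalization the secret-key routine sees the same limb count and value regardless of how the caller padded the input.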


@ -274,7 +274,7 @@ check_secret_key( DSA_secret_key *sk )
/****************
* Make a DSA signature from HASH and put it into r and s.
*
* Without generating the k this function runs in
* Without generating the k this function runs in
* about 26ms on a 300 Mhz Mobile Pentium
*/
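Review bot: The only change visible in this hunk is the repeated comment line "Without generating the k this function runs in" above sign(), which reads as a whitespace-only edit. It is unrelated to normalizing secret-key inputs and would be better split into a separate cleanup commit, so the CVE-2013-4576 change stays minimal and easy to audit or backport.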
@ -285,6 +285,8 @@ sign(MPI r, MPI s, MPI hash, DSA_secret_key *skey )
MPI kinv;
MPI tmp;
mpi_normalize (hash);
/* select a random k with 0 < k < q */
k = gen_k( skey->q );
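Review bot: The added mpi_normalize (hash) at the top of sign() has no comment, and since the commit message itself says normalization is in general not required, a later cleanup could remove the call as redundant. Add a short comment at the call marking it as side-channel hardening for CVE-2013-4576. The call also changes the representation of the caller's HASH in place, which the header comment ("Make a DSA signature from HASH and put it into r and s") does not mention; document that there or normalize a copy.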
@ -311,7 +313,7 @@ sign(MPI r, MPI s, MPI hash, DSA_secret_key *skey )
/****************
* Returns true if the signature composed from R and S is valid.
*
* Without the checks this function runs in
* Without the checks this function runs in
* about 31ms on a 300 Mhz Mobile Pentium
*/
static int