security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Code Activity

Normalize the MPIs used as input to secret key functions.

Browse Source 
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic crypt-analysis.  This is an
extra pre-caution which alone would not be sufficient to mitigate the
described attack.

CVE-id: CVE-2013-4576

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2013-11-27 14:22:10 +01:00
parent 93a96e3c0c
commit d0d72d98f3
3 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cipher/dsa.c
View File

@ -285,6 +285,8 @@ sign(MPI r, MPI s, MPI hash, DSA_secret_key *skey )
MPI kinv; MPI kinv;
MPI tmp; MPI tmp;
mpi_normalize (hash);
/* select a random k with 0 < k < q */ /* select a random k with 0 < k < q */
k = gen_k( skey->q ); k = gen_k( skey->q );

3
cipher/elgamal.c
View File

@ -374,6 +374,9 @@ decrypt(MPI output, MPI a, MPI b, ELG_secret_key *skey )
{ {
MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) ); MPI t1 = mpi_alloc_secure( mpi_get_nlimbs( skey->p ) );
mpi_normalize (a);
mpi_normalize (b);
/* output = b/(a^x) mod p */ /* output = b/(a^x) mod p */
mpi_powm( t1, a, skey->x, skey->p ); mpi_powm( t1, a, skey->x, skey->p );
mpi_invm( t1, t1, skey->p ); mpi_invm( t1, t1, skey->p );

22
cipher/rsa.c
View File

@ -308,9 +308,14 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
MPI m2 = mpi_alloc_secure (nlimbs); MPI m2 = mpi_alloc_secure (nlimbs);
MPI h = mpi_alloc_secure (nlimbs); MPI h = mpi_alloc_secure (nlimbs);
# ifdef USE_BLINDING # ifdef USE_BLINDING
MPI r = mpi_alloc_secure (nlimbs);
MPI bdata= mpi_alloc_secure (nlimbs); MPI bdata= mpi_alloc_secure (nlimbs);
MPI r = mpi_alloc_secure (nlimbs);
# endif /* USE_BLINDING */
/* Remove superfluous leading zeroes from INPUT. */
mpi_normalize (input);
# ifdef USE_BLINDING
/* Blind: bdata = (data * r^e) mod n */ /* Blind: bdata = (data * r^e) mod n */
randomize_mpi (r, mpi_get_nbits (skey->n), 0); randomize_mpi (r, mpi_get_nbits (skey->n), 0);
mpi_fdiv_r (r, r, skey->n); mpi_fdiv_r (r, r, skey->n);
@ -338,8 +343,8 @@ secret(MPI output, MPI input, RSA_secret_key *skey )
mpi_add ( output, m1, h ); mpi_add ( output, m1, h );
# ifdef USE_BLINDING # ifdef USE_BLINDING
/* Unblind: output = (output * r^(-1)) mod n */
mpi_free (bdata); mpi_free (bdata);
/* Unblind: output = (output * r^(-1)) mod n */
mpi_invm (r, r, skey->n); mpi_invm (r, r, skey->n);
mpi_mulm (output, output, r, skey->n); mpi_mulm (output, output, r, skey->n);
mpi_free (r); mpi_free (r);
@ -419,6 +424,7 @@ int
rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey ) rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
{ {
RSA_secret_key sk; RSA_secret_key sk;
MPI input;
if( algo != 1 && algo != 2 ) if( algo != 1 && algo != 2 )
return G10ERR_PUBKEY_ALGO; return G10ERR_PUBKEY_ALGO;
@ -429,8 +435,16 @@ rsa_decrypt( int algo, MPI *result, MPI *data, MPI *skey )
sk.p = skey[3]; sk.p = skey[3];
sk.q = skey[4]; sk.q = skey[4];
sk.u = skey[5]; sk.u = skey[5];
*result = mpi_alloc_secure( mpi_get_nlimbs( sk.n ) );
secret( *result, data[0], &sk ); /* Better make sure that there are no superfluous leading zeroes
in the input and it has not been padded using multiples of N.
This mitigates side-channel attacks (CVE-2013-4576). */
input = mpi_alloc (0);
mpi_normalize (data[0]);
mpi_fdiv_r (input, data[0], sk.n);
*result = mpi_alloc_secure (mpi_get_nlimbs (sk.n));
secret (*result, input, &sk);
mpi_free (input);
return 0; return 0;
} }