author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-18 11:18:04 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-04-18 16:36:36 +0200 |
commit | 2487a5a7ee00a239e45025c890a3bf1db8dd9164 (patch) | |
tree | 5cec5d67629be67cacdccd3af092fde8cc614a68 | |
parent | 95c3c22203523ceafdd4fd38412b046f08b546fb (diff) | |
download | gnutls-2487a5a7ee00a239e45025c890a3bf1db8dd9164.tar.gz |
_wrap_nettle_pk_derive: reject values of public key that are over the prime
That is, do not canonicalise the value we get from the network, but
rather check it for validity. This saves a modular reduction on handshake
and performs a sanity check on the peer's (client) parameters.
Reported by Hubert Kario.
Resolves #84
-rw-r--r-- | lib/nettle/pk.c | 14 |
1 files changed, 4 insertions, 10 deletions
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 4ed1791ecf..f6dc7399e0 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -220,23 +220,17 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
 if (ret < 0)
 return gnutls_assert_val(ret);
- ret = _gnutls_mpi_modm(ff, f, prime);
+ ret = _gnutls_mpi_add_ui(ff, f, 1);
 if (ret < 0) {
 gnutls_assert();
 goto dh_cleanup;
 }
- ret = _gnutls_mpi_add_ui(ff, ff, 1);
- if (ret < 0) {
- gnutls_assert();
- goto dh_cleanup;
- }
-
- /* check if f==0,1,p-1.
- * or (ff=f+1) equivalently ff==1,2,p */
+ /* check if f==0,1, or f >= p-1.
+ * or (ff=f+1) equivalently ff==1,2, ff >= p */
 if ((_gnutls_mpi_cmp_ui(ff, 2) == 0)
 || (_gnutls_mpi_cmp_ui(ff, 1) == 0)
- || (_gnutls_mpi_cmp(ff, prime) == 0)) {
+ || (_gnutls_mpi_cmp(ff, prime) >= 0)) {
 gnutls_assert();
 ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 goto dh_cleanup;
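Review bot: The rewritten comment above the range check says what is rejected but not why the value is no longer reduced first, which is the substance of this change; a reader of the new code sees only `ff = f + 1` followed by `_gnutls_mpi_cmp(ff, prime) >= 0` and may be tempted to reintroduce a `_gnutls_mpi_modm` call "for safety". I would extend the comment to something like `/* f is the peer's value exactly as received, never reduced mod p: require 2 <= f <= p-2 (ff = f+1, i.e. 3 <= ff <= p-1) and reject anything else, including f >= p-1, as GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER. */`. Stating the accepted interval explicitly also documents that this is the 1 < f < p-1 public-value check that RFC 7919 and SP 800-56A require for finite-field DH, so the check is no longer read as a mere equality test against three special values. Whether f is additionally verified for membership in the prime-order subgroup is not visible in this hunk; _wrap_nettle_pk_derive starts and ends outside it.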