diff options
author | NIIBE Yutaka <gniibe@fsij.org> | 2019-08-08 17:42:02 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2019-08-08 17:42:02 +0900 |
commit | 7c2943309d14407b51c8166c4dcecb56a3628567 (patch) | |
tree | a56a9a9c9086719d309bef0c5e370a1d11d97c20 /cipher/dsa-common.c | |
parent | b9577f7c89b4327edc09f2231bc8b31521102c79 (diff) | |
download | libgcrypt-7c2943309d14407b51c8166c4dcecb56a3628567.tar.gz |
dsa,ecdsa: Fix use of nonce, use larger one.
* cipher/dsa-common.c (_gcry_dsa_modify_k): New.
* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
* cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
CVE-id: CVE-2019-13627
GnuPG-bug-id: 4626
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'cipher/dsa-common.c')
-rw-r--r-- | cipher/dsa-common.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c index 8c0a6843..fe49248d 100644 --- a/cipher/dsa-common.c +++ b/cipher/dsa-common.c @@ -30,6 +30,30 @@ /* + * Modify K, so that computation time difference can be small, + * by making K large enough. + * + * Originally, (EC)DSA computation requires k where 0 < k < q. Here, + * we add q (the order), to keep k in a range: q < k < 2*q (or, + * addming more q, to keep k in a range: 2*q < k < 3*q), so that + * timing difference of the EC multiply (or exponentiation) operation + * can be small. The result of (EC)DSA computation is same. + */ +void +_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits) +{ + gcry_mpi_t k1 = mpi_new (qbits+2); + + mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB); + k->nlimbs = k->alloced; + mpi_add (k, k, q); + mpi_add (k1, k, q); + mpi_set_cond (k, k1, !mpi_test_bit (k, qbits)); + + mpi_free (k1); +} + +/* * Generate a random secret exponent K less than Q. * Note that ECDSA uses this code also to generate D. */ |