diff options
author | NIIBE Yutaka <gniibe@fsij.org> | 2019-08-08 17:42:02 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2019-08-08 17:42:02 +0900 |
commit | 7c2943309d14407b51c8166c4dcecb56a3628567 (patch) | |
tree | a56a9a9c9086719d309bef0c5e370a1d11d97c20 /cipher/ecc-ecdsa.c | |
parent | b9577f7c89b4327edc09f2231bc8b31521102c79 (diff) | |
download | libgcrypt-7c2943309d14407b51c8166c4dcecb56a3628567.tar.gz |
dsa,ecdsa: Fix use of nonce, use larger one.
* cipher/dsa-common.c (_gcry_dsa_modify_k): New.
* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
* cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.
CVE-id: CVE-2019-13627
GnuPG-bug-id: 4626
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'cipher/ecc-ecdsa.c')
-rw-r--r-- | cipher/ecc-ecdsa.c | 10 |
1 files changed, 1 insertions, 9 deletions
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c index 84a1cf84..97966c3a 100644 --- a/cipher/ecc-ecdsa.c +++ b/cipher/ecc-ecdsa.c @@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey, else k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM); - /* Originally, ECDSA computation requires k where 0 < k < n. - * Here, we add n (the order of curve), to keep k in a - * range: n < k < 2*n, or, addming more n, keep k in a range: - * 2*n < k < 3*n, so that timing difference of the EC - * multiply operation can be small. The result is same. - */ - mpi_add (k, k, skey->E.n); - if (!mpi_test_bit (k, qbits)) - mpi_add (k, k, skey->E.n); + _gcry_dsa_modify_k (k, skey->E.n, qbits); _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx); if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx)) |