| field | value | date |
|---|---|---|
| author | NIIBE Yutaka <gniibe@fsij.org> | 2019-07-17 12:44:50 +0900 |
| committer | NIIBE Yutaka <gniibe@fsij.org> | 2019-08-07 14:26:41 +0900 |
| commit | b9577f7c89b4327edc09f2231bc8b31521102c79 (patch) | |
| tree | 0f110e74421b34fa9ac7868ceb6a3816ed2244ad /mpi/ec.c | |
| parent | 75c2fbc43d2f2cf5f4c60cb28001fda7324185c2 (diff) | |
| download | libgcrypt-b9577f7c89b4327edc09f2231bc8b31521102c79.tar.gz | |
ecc: Add mitigation against timing attack.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Add the order N to K.
* mpi/ec.c (_gcry_mpi_ec_mul_point): Compute with NBITS of P or larger.
CVE-id: CVE-2019-13627
GnuPG-bug-id: 4626
Co-authored-by: Ján Jančár <johny@neuromancer.sk>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'mpi/ec.c')
-rw-r--r-- | mpi/ec.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -1509,7 +1509,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result, unsigned int nbits; int j; - nbits = mpi_get_nbits (scalar); + if (mpi_cmp (scalar, ctx->p) >= 0) + nbits = mpi_get_nbits (scalar); + else + nbits = mpi_get_nbits (ctx->p); + if (ctx->model == MPI_EC_WEIERSTRASS) { mpi_set_ui (result->x, 1); |
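Review bot: the new `if (mpi_cmp (scalar, ctx->p) >= 0)` block in `_gcry_mpi_ec_mul_point` has no comment stating why `nbits` is now bounded below by the bit length of `ctx->p`; a one-line note such as `/* Process at least NBITS(p) bits so the loop length does not depend on the scalar.  */` would make the intent of the mitigation clear to the next reader. Note also that fixing the trip count to at least the bit length of `p` only removes the leak from the number of loop iterations; the per-bit body below this hunk must itself be free of scalar-dependent branches or memory access for the timing mitigation to hold, and the comparison `mpi_cmp (scalar, ctx->p)` is evaluated on the secret scalar, so it is worth confirming that this comparison is acceptable here or replacing it with a comparison of bit lengths, which is all the subsequent code depends on.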