Issue 2256: mpi_powm
NIIBE Yutaka
gniibe at fsij.org
Tue Feb 23 06:34:05 CET 2016
Hello,
We have an issue: https://bugs.gnupg.org/gnupg/issue2256
libssh2 does D-H computation using gcry_mpi_powm (if configured with
libgcrypt). When gcry_mpi_powm is called, EXPO can have a limb of
all-zero as the most significant limb, which results in an undefined value
from count_leading_zeros on IA-32.
Here is a patch to fix both implementations of _gcry_mpi_powm.
I would require the most significant bit to be 1 in the protocol to
encourage constant-time computation by implementations, but that's
another story.
diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
index 0be153f..a780ebd 100644
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@@ -83,6 +83,7 @@ _gcry_mpi_powm (gcry_mpi_t res,
rp = res->d;
ep = expo->d;
+ MPN_NORMALIZE(ep, esize);
if (!msize)
_gcry_divide_by_zero();
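Review bot: MPN_NORMALIZE(ep, esize) shrinks esize in place, and for an exponent whose limbs are all zero it reaches esize == 0; the code after this point must then return 1 (mod m) without ever reading ep[esize - 1], so please confirm the zero-exponent path still works with the normalized size, and that esize was not already consumed above this line (for example to size a buffer from the caller's un-normalized limb count), since those two values now disagree.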
@@ -429,6 +430,9 @@ _gcry_mpi_powm (gcry_mpi_t res,
size = 2 * msize;
msign = mod->sign;
+ ep = expo->d;
+ MPN_NORMALIZE(ep, esize);
+
if (esize * BITS_PER_MPI_LIMB > 512)
W = 5;
else if (esize * BITS_PER_MPI_LIMB > 256)
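Review bot: moving the normalization ahead of the window-size selection is the right place for it, because W is chosen from esize * BITS_PER_MPI_LIMB and a spare zero top limb would otherwise inflate the window; a one-line comment above MPN_NORMALIZE saying that callers (libssh2 is the reported one) may pass an exponent with zero high limbs and that count_leading_zeros on a zero limb is undefined would make the reason for the normalization clear to the next reader.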
@@ -445,7 +449,6 @@ _gcry_mpi_powm (gcry_mpi_t res,
bsec = mpi_is_secure(base);
rp = res->d;
- ep = expo->d;
if (!msize)
_gcry_divide_by_zero();
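Review bot: removing the later `ep = expo->d;` is only safe if expo->d cannot change between the new assignment and this spot; rp = res->d is set here, so please confirm the aliasing case where res and expo are the same mpi is still handled (if res is resized or reallocated before this point, the earlier ep would now be stale), otherwise keep a re-read of expo->d here as well.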
--
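The hazard the patch addresses, as an added C illustration that is not part of the mail or of libgcrypt: a toy limb-array exponent with a spare all-zero top limb, a normalize() mirroring what MPN_NORMALIZE is assumed to do (drop zero high limbs), and a bit-length computation that only calls count-leading-zeros on a non-zero limb and handles the esize == 0 case explicitly. The limb type, normalize() and exponent_bits() are constructed for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t limb_t;                /* 32-bit limbs, as on IA-32 */
#define BITS_PER_LIMB 32

/* Assumed mirror of MPN_NORMALIZE: drop all-zero most-significant limbs
 * so that either size == 0 or the top limb d[size-1] is non-zero. */
static size_t normalize(const limb_t *d, size_t size)
{
    while (size > 0 && d[size - 1] == 0)
        size--;
    return size;
}

/* count_leading_zeros on one limb. __builtin_clz(0) is undefined
 * behaviour (on IA-32 it becomes BSR, whose result is undefined for a
 * zero input), so the caller must never pass a zero limb. */
static int clz_limb(limb_t x)
{
    assert(x != 0);
    return __builtin_clz(x);
}

/* Bit length of an exponent given as a limb array. Without the
 * normalization a zero top limb would reach clz_limb(); after it the
 * top limb is non-zero, and the all-zero exponent is handled explicitly. */
static unsigned exponent_bits(const limb_t *ep, size_t esize)
{
    esize = normalize(ep, esize);
    if (esize == 0)
        return 0;                        /* exponent is 0: nothing to scan */
    return (unsigned)(esize * BITS_PER_LIMB - clz_limb(ep[esize - 1]));
}

int main(void)
{
    /* Constructed input: the value 2^32 + 5 stored with a spare zero
     * top limb, the shape a caller such as libssh2 can hand to powm. */
    const limb_t expo[3] = { 0x00000005u, 0x00000001u, 0x00000000u };
    printf("esize 3 -> %zu, bits %u\n", normalize(expo, 3),
           exponent_bits(expo, 3));     /* esize 3 -> 2, bits 33 */
    return 0;
}
```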