[git] GCRYPT - branch, master, updated. libgcrypt-1.8.1-71-g9010d15
by NIIBE Yutaka
cvs at cvs.gnupg.org
Wed Jun 13 09:00:15 CEST 2018
The branch, master has been updated
via 9010d1576e278a4274ad3f4aa15776c28f6ba965 (commit)
from 7b6c2afd699e889f5f054cc3d202a61bd0ee1dcf (commit)
- Log -----------------------------------------------------------------
commit 9010d1576e278a4274ad3f4aa15776c28f6ba965
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Jun 13 15:28:58 2018 +0900
ecc: Add blinding for ECDSA.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind the secret D (and the hash) with a
per-signature random blinding factor B, removed again with B^-1 before computing S.
--
Reported-by: Keegan Ryan <Keegan.Ryan at nccgroup.trust>
CVE-id: CVE-2018-0495
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
index 1484830..140e8c0 100644
--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
@@ -50,6 +50,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
const void *abuf;
unsigned int abits, qbits;
mpi_ec_t ctx;
+ gcry_mpi_t b; /* Random number needed for blinding. */
+ gcry_mpi_t bi; /* multiplicative inverse of B. */
if (DBG_CIPHER)
log_mpidump ("ecdsa sign hash ", input );
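Review bot: `b` and `bi` are declared without initializers here but are released unconditionally at `leave:` (last hunk), so any `goto leave` taken between this declaration and the allocation in the next hunk would hand indeterminate pointers to `mpi_free`. The lines in between are outside this hunk and the one early exit visible at the top of the next hunk is a plain `return rc`, so this may be harmless today, but it is fragile under future edits. Suggest `gcry_mpi_t b = NULL; /* Random blinding factor, allocated below. */` and `gcry_mpi_t bi = NULL; /* b^-1 mod n. */`, provided `mpi_free` accepts NULL (not visible from the hunk). The enclosing function `_gcry_ecc_ecdsa_sign` begins before this hunk.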
@@ -61,6 +63,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
if (rc)
return rc;
+ b = mpi_snew (qbits);
+ bi = mpi_snew (qbits);
+ do
+ {
+ _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
+ mpi_mod (b, b, skey->E.n);
+ }
+ while (!mpi_invm (bi, b, skey->E.n));
+
k = NULL;
dr = mpi_alloc (0);
sum = mpi_alloc (0);
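Review bot: The blinding loop leaves two deliberate choices undocumented that an auditor of a CVE fix will stop on: `GCRY_WEAK_RANDOM` for a value that multiplies the private key, and the `mpi_mod` reduction of a qbits-wide random into [0, n), which biases b slightly toward small residues. Both are acceptable for a one-shot blinding factor that only has to be unpredictable per signature rather than uniform, but that reasoning should be written down. Proposed comment above the `do`: `/* B only needs to be unpredictable per signature, not uniform, so a weak RNG and the slight bias from reducing mod n are fine. Retry only when B has no inverse mod n (B == 0 when n is prime). */`. Note also that this runs once per call, before the nonce loop that follows outside the hunk, so b is shared by every retry of k — fine for blinding, worth a half-sentence in that comment.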
@@ -115,8 +126,11 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
}
while (!mpi_cmp_ui (r, 0));
- mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n */
- mpi_addm (sum, hash, dr, skey->E.n); /* sum = hash + (d*r) mod n */
+ mpi_mulm (dr, b, skey->d, skey->E.n);
+ mpi_mulm (dr, dr, r, skey->E.n); /* dr = d*r mod n (blinded with b) */
+ mpi_mulm (sum, b, hash, skey->E.n);
+ mpi_addm (sum, sum, dr, skey->E.n); /* sum = hash + (d*r) mod n (blinded with b) */
+ mpi_mulm (sum, bi, sum, skey->E.n); /* undo blinding by b^-1 */
mpi_invm (k_1, k, skey->E.n); /* k_1 = k^(-1) mod n */
mpi_mulm (s, k_1, sum, skey->E.n); /* s = k^(-1)*(hash+(d*r)) mod n */
}
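Review bot: The nonce inversion `mpi_invm (k_1, k, skey->E.n)` and the following `mpi_mulm (s, k_1, sum, ...)` still operate on the raw secret nonce k, so if the MPI arithmetic this patch blinds for d and the hash is variable-time, the same class of leak remains on k, which is exactly the value a hidden-number-problem attack targets. With b and bi already in hand, the inversion can be blinded at negligible cost: `mpi_mulm (k_1, k, b, skey->E.n); mpi_invm (k_1, k_1, skey->E.n); mpi_mulm (k_1, k_1, b, skey->E.n);` which yields (k*b)^-1 * b = k^-1 mod n without ever passing k itself to mpi_invm; if n is not guaranteed prime the return value of that `mpi_invm` should be checked like the one in the blinding loop. Whether mpi_invm is constant-time is not visible from the hunk, so this is a hardening suggestion rather than a confirmed defect. The enclosing function starts and ends outside this hunk.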
@@ -129,6 +143,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
}
leave:
+ mpi_free (b);
+ mpi_free (bi);
_gcry_mpi_ec_free (ctx);
point_free (&I);
mpi_free (x);
-----------------------------------------------------------------------
Summary of changes:
cipher/ecc-ecdsa.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)