aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/libgcrypt/files/0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch
blob: 211e041303d0f992c280361e9942103f4b15cf94 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
From db4e9976cc31b314aafad6626b2894e86ee44d60 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 8 Aug 2019 17:42:02 +0900
Subject: [PATCH] dsa,ecdsa: Fix use of nonce, use larger one.

Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc3]
CVE: CVE-2019-13627
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>

* cipher/dsa-common.c (_gcry_dsa_modify_k): New.
* cipher/pubkey-internal.h (_gcry_dsa_modify_k): New.
* cipher/dsa.c (sign): Use _gcry_dsa_modify_k.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Likewise.
* cipher/ecc-gost.c (_gcry_ecc_gost_sign): Likewise.

--

Cherry-picked master commit of:
	7c2943309d14407b51c8166c4dcecb56a3628567

CVE-id: CVE-2019-13627
GnuPG-bug-id: 4626
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 cipher/dsa-common.c      | 24 ++++++++++++++++++++++++
 cipher/dsa.c             |  2 ++
 cipher/ecc-ecdsa.c       | 10 +---------
 cipher/ecc-gost.c        |  2 ++
 cipher/pubkey-internal.h |  1 +
 5 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
index 8c0a6843..fe49248d 100644
--- a/cipher/dsa-common.c
+++ b/cipher/dsa-common.c
@@ -29,6 +29,30 @@
 #include "pubkey-internal.h"
 
 
+/*
+ * Modify K, so that computation time difference can be small,
+ * by making K large enough.
+ *
+ * Originally, (EC)DSA computation requires k where 0 < k < q.  Here,
+ * we add q (the order), to keep k in a range: q < k < 2*q (or,
+ * addming more q, to keep k in a range: 2*q < k < 3*q), so that
+ * timing difference of the EC multiply (or exponentiation) operation
+ * can be small.  The result of (EC)DSA computation is same.
+ */
+void
+_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
+{
+  gcry_mpi_t k1 = mpi_new (qbits+2);
+
+  mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
+  k->nlimbs = k->alloced;
+  mpi_add (k, k, q);
+  mpi_add (k1, k, q);
+  mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
+
+  mpi_free (k1);
+}
+
 /*
  * Generate a random secret exponent K less than Q.
  * Note that ECDSA uses this code also to generate D.
diff --git a/cipher/dsa.c b/cipher/dsa.c
index 22d8d782..24a53528 100644
--- a/cipher/dsa.c
+++ b/cipher/dsa.c
@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
       k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
     }
 
+  _gcry_dsa_modify_k (k, skey->q, qbits);
+
   /* r = (a^k mod p) mod q */
   mpi_powm( r, skey->g, k, skey->p );
   mpi_fdiv_r( r, r, skey->q );
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
index 84a1cf84..97966c3a 100644
--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
@@ -114,15 +114,7 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
           else
             k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
 
-          /* Originally, ECDSA computation requires k where 0 < k < n.
-           * Here, we add n (the order of curve), to keep k in a
-           * range: n < k < 2*n, or, addming more n, keep k in a range:
-           * 2*n < k < 3*n, so that timing difference of the EC
-           * multiply operation can be small.  The result is same.
-           */
-          mpi_add (k, k, skey->E.n);
-          if (!mpi_test_bit (k, qbits))
-            mpi_add (k, k, skey->E.n);
+          _gcry_dsa_modify_k (k, skey->E.n, qbits);
 
           _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
           if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
index a34fa084..0362a6c7 100644
--- a/cipher/ecc-gost.c
+++ b/cipher/ecc-gost.c
@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey,
           mpi_free (k);
           k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
 
+          _gcry_dsa_modify_k (k, skey->E.n, qbits);
+
           _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
           if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
             {
diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
index b8167c77..d31e26f3 100644
--- a/cipher/pubkey-internal.h
+++ b/cipher/pubkey-internal.h
@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded,
 
 
 /*-- dsa-common.c --*/
+void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
 gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
 gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
                                         gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
-- 
2.23.0