Normalize the MPIs used as input to secret key functions.
author Werner Koch <wk@gnupg.org>
Wed, 27 Nov 2013 13:22:10 +0000 (14:22 +0100)
committer Werner Koch <wk@gnupg.org>
Tue, 3 Dec 2013 08:26:04 +0000 (09:26 +0100)
commit d0d72d98f34579213230b3febfebd2fd8dff272b
tree 37f17efd808a5e1eccd2c5da760926e79003e4ba
parent 93a96e3c0c33370248f6570d8285c4e811d305d4
Normalize the MPIs used as input to secret key functions.

* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic cryptanalysis.  This is an
extra precaution which alone would not be sufficient to mitigate the
described attack.

CVE-id: CVE-2013-4576

Signed-off-by: Werner Koch <wk@gnupg.org>
cipher/dsa.c
cipher/elgamal.c
cipher/rsa.c
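An added illustration, not part of this commit and not libgcrypt's code: on constructed 32-bit limb arrays, an input padded with all-zero limbs and an input padded with a multiple of N both collapse to the same canonical limb array once the value is normalized and reduced below N. The type `num` and every function name here are hypothetical, and the reduction is plain long division, not constant time.

```c
#include <stdint.h>
#include <string.h>

#define MAXL 8                        /* capacity; the modulus must use < MAXL limbs */
typedef struct { uint32_t d[MAXL]; size_t n; } num;    /* hypothetical type, little-endian limbs */
/* Drop high-order zero limbs so equal values have equal limb counts. */
static void normalize(num *a) { while (a->n && a->d[a->n - 1] == 0) a->n--; }
static int cmp(const num *a, const num *b) {           /* both normalized */
    if (a->n != b->n) return a->n > b->n ? 1 : -1;
    for (size_t i = a->n; i-- > 0;)
        if (a->d[i] != b->d[i]) return a->d[i] > b->d[i] ? 1 : -1;
    return 0;
}
static void sub(num *r, const num *b) {                /* r -= b, needs r >= b */
    uint64_t borrow = 0;
    for (size_t i = 0; i < r->n; i++) {
        uint64_t t = (uint64_t)r->d[i] - (i < b->n ? b->d[i] : 0) - borrow;
        r->d[i] = (uint32_t)t;
        borrow = (t >> 32) & 1;                        /* set when the limb wrapped */
    }
    normalize(r);
}

/* Canonical form of IN for modulus M: normalized and reduced below M.
   Bitwise long division, for illustration only (not constant time). */
static void canonical_input(num *r, const num *in, const num *m) {
    memset(r, 0, sizeof *r);
    for (size_t i = in->n * 32; i-- > 0;) {
        uint32_t carry = (in->d[i / 32] >> (i % 32)) & 1;
        for (size_t j = 0; j <= m->n; j++) {           /* r = (r << 1) | bit */
            uint32_t out = r->d[j] >> 31;
            r->d[j] = (r->d[j] << 1) | carry;
            carry = out;
        }
        r->n = m->n + 1;
        normalize(r);
        if (cmp(r, m) >= 0) sub(r, m);                 /* keep r < m */
    }
}

/* Constructed sample: C, C with three extra zero limbs, and C + 2*N. */
int padded_inputs_collapse(void) {
    num n = {{0x00000001, 0x80000000}, 2}, c = {{0x12345678, 0x0000abcd}, 2};
    num zero_padded = {{0x12345678, 0x0000abcd, 0, 0, 0}, 5};
    num n_padded = {{0x1234567a, 0x0000abcd, 0x1}, 3}, a, b;
    canonical_input(&a, &zero_padded, &n);
    canonical_input(&b, &n_padded, &n);
    return a.n == 2 && cmp(&a, &c) == 0 && b.n == 2 && cmp(&b, &c) == 0;
}
```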