cipher: Normalize the MPIs used as input to secret key functions.
author Werner Koch <wk@gnupg.org>
Mon, 16 Dec 2013 08:22:10 +0000 (09:22 +0100)
committer Werner Koch <wk@gnupg.org>
Mon, 16 Dec 2013 10:44:25 +0000 (11:44 +0100)
commit dec048b2ec79271a2f4405be5b87b1e768b3f1a9
tree ba943d5e91b7d0705005414c62c455efeb140791
parent 953535a7de68cf62b5b1ad6f96ea3a9edd83762c

* cipher/dsa.c (sign): Normalize INPUT.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Reduce DATA before passing to secret.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks.
This is an extra precaution in case RSA blinding has been disabled.

CVE-id: CVE-2013-4576
Signed-off-by: Werner Koch <wk@gnupg.org>
cipher/dsa.c
cipher/elgamal.c
cipher/rsa.c
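
Added example, not code from this commit or from the project: a toy limb-array integer showing what the two steps in the commit message achieve, namely that an input padded with all-zero limbs and with multiples of N reaches the secret-key operation in the same form as the plain value. The type `toy_mpi` and the functions `toy_normalize`, `toy_cmp`, `toy_sub` and `toy_canonical_input` are hypothetical, and the repeated-subtraction loop stands in for a real modular reduction.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy MPI: little-endian 32-bit limbs (hypothetical type, not gcry_mpi_t). */
typedef struct { uint32_t limb[8]; size_t nlimbs; } toy_mpi;

/* Drop high-order all-zero limbs so nlimbs depends only on the value. */
static void toy_normalize(toy_mpi *a) {
    while (a->nlimbs > 0 && a->limb[a->nlimbs - 1] == 0)
        a->nlimbs--;
}

/* Compare two normalized values; returns <0, 0 or >0. */
static int toy_cmp(const toy_mpi *a, const toy_mpi *b) {
    if (a->nlimbs != b->nlimbs)
        return a->nlimbs < b->nlimbs ? -1 : 1;
    for (size_t i = a->nlimbs; i-- > 0; )
        if (a->limb[i] != b->limb[i])
            return a->limb[i] < b->limb[i] ? -1 : 1;
    return 0;
}

/* a -= b for normalized a >= b, then renormalize. */
static void toy_sub(toy_mpi *a, const toy_mpi *b) {
    uint64_t borrow = 0;
    for (size_t i = 0; i < a->nlimbs; i++) {
        uint64_t d = (uint64_t)a->limb[i] - (i < b->nlimbs ? b->limb[i] : 0) - borrow;
        a->limb[i] = (uint32_t)d;
        borrow = d >> 63;   /* 1 when the subtraction wrapped */
    }
    toy_normalize(a);
}

/* Canonical secret-key input: normalized and below n; -1 if n is zero. */
int toy_canonical_input(toy_mpi *in, toy_mpi *n) {
    toy_normalize(n);
    toy_normalize(in);
    if (n->nlimbs == 0)
        return -1;
    while (toy_cmp(in, n) >= 0)   /* toy reduction by repeated subtraction */
        toy_sub(in, n);
    return (int)in->nlimbs;
}

int main(void) {
    toy_mpi n = { {3, 1}, 2 };           /* constructed modulus 0x100000003 */
    toy_mpi in = { {0xB, 2, 0, 0}, 4 };  /* constructed: 5 + 2n, two zero limbs */
    printf("limbs after canonicalization: %d\n", toy_canonical_input(&in, &n));
    return 0;
}
```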