Issue 2256: mpi_powm

NIIBE Yutaka gniibe at fsij.org
Tue Feb 23 06:34:05 CET 2016


Hello,

We have an issue: https://bugs.gnupg.org/gnupg/issue2256

libssh2 does D-H computation using gcry_mpi_powm (if configured with
libgcrypt).  When gcry_mpi_powm is called, EXPO can have a limb of
all-zero as the most significant limb, which results in an undefined
value from count_leading_zeros on IA-32.

Here is a patch to fix both implementations of _gcry_mpi_powm.

I would require the most significant bit to be 1 in the protocol to
encourage constant-time computation by implementations, but that's
another story.


diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
index 0be153f..a780ebd 100644
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@@ -83,6 +83,7 @@ _gcry_mpi_powm (gcry_mpi_t res,

   rp = res->d;
   ep = expo->d;
+  MPN_NORMALIZE(ep, esize);

   if (!msize)
     _gcry_divide_by_zero();
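Review bot: MPN_NORMALIZE(ep, esize) shrinks the local esize in place, so after this line esize may no longer equal expo->nlimbs; anything further down that still sizes buffers or loops from expo->nlimbs rather than esize needs to be checked, and the zero-exponent case (esize becomes 0 once all limbs are stripped) should be confirmed to still take the early "result is 1" path rather than entering the main loop with esize == 0. A one-line comment above the macro saying why it is needed (an all-zero top limb makes count_leading_zeros undefined on IA-32) would keep the next reader from "simplifying" it away.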
@@ -429,6 +430,9 @@ _gcry_mpi_powm (gcry_mpi_t res,
   size = 2 * msize;
   msign = mod->sign;

+  ep = expo->d;
+  MPN_NORMALIZE(ep, esize);
+
   if (esize * BITS_PER_MPI_LIMB > 512)
     W = 5;
   else if (esize * BITS_PER_MPI_LIMB > 256)
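Review bot: placing the normalization before the window-size selection is the right order, since W is derived from esize and an unstripped zero top limb would otherwise pick a wider window than the exponent warrants; as with the first hunk, please add a short comment explaining why the normalization is here. Note also that this is a side-channel point worth documenting next to the macro: the stripped esize, and therefore the loop length, now depends on the number of leading zero limbs of the secret exponent, which is exactly the leakage the cover note says a protocol-level "top bit set" requirement would remove.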
@@ -445,7 +449,6 @@ _gcry_mpi_powm (gcry_mpi_t res,
   bsec = mpi_is_secure(base);

   rp = res->d;
-  ep = expo->d;

   if (!msize)
     _gcry_divide_by_zero();
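Review bot: this hunk only relocates `ep = expo->d;` to the earlier site introduced in the previous hunk, which is fine, but it leaves `rp = res->d;` followed by a dangling blank line; either drop the blank line or move `rp = res->d;` up next to the new `ep` assignment so the two pointer setups stay together and readers do not look for a second `ep` assignment here.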

-- 