[git] GCRYPT - branch, master, updated. libgcrypt-1.5.0-177-g10dfa41
by Dmitry Eremin-Solenikov
cvs at cvs.gnupg.org
Wed Jul 31 18:27:38 CEST 2013
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".
The branch, master has been updated
via 10dfa41b43a906031bc674ea41cd3073701011f3 (commit)
from 43320961a8751ee28dc95cdb0ae01ea8a7ff7f91 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 10dfa41b43a906031bc674ea41cd3073701011f3
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date: Wed Jul 31 17:20:58 2013 +0400
Correct checks for ecc secret key
* cipher/ecc.c (check_secret_key): replace wrong comparison of Q and
sk->Q points with correct one.
--
Currently check_secret_keys compares pointers to coordinates of Q
(calculated) and sk->Q (provided) points. Instead it should convert them
to affine representations and use mpi_cmp to compare coordinates.
This has an implication that keys that were (erroneously) verified as
valid could now become invalid.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
diff --git a/cipher/ecc.c b/cipher/ecc.c
index 071879d..375eeaf 100644
--- a/cipher/ecc.c
+++ b/cipher/ecc.c
@@ -675,6 +675,7 @@ check_secret_key (ECC_secret_key * sk)
int rc = 1;
mpi_point_struct Q;
gcry_mpi_t y_2, y2;
+ gcry_mpi_t x1, x2;
mpi_ec_t ctx = NULL;
point_init (&Q);
@@ -684,6 +685,8 @@ check_secret_key (ECC_secret_key * sk)
/* G in E(F_p) */
y_2 = gen_y_2 (sk->E.G.x, &sk->E); /* y^2=x^3+a*x+b */
y2 = mpi_alloc (0);
+ x1 = mpi_alloc (0);
+ x2 = mpi_alloc (0);
mpi_mulm (y2, sk->E.G.y, sk->E.G.y, sk->E.p); /* y^2=y*y */
if (mpi_cmp (y_2, y2))
{
@@ -717,17 +720,48 @@ check_secret_key (ECC_secret_key * sk)
}
/* pubkey = [d]G over E */
_gcry_mpi_ec_mul_point (&Q, sk->d, &sk->E.G, ctx);
- if ((Q.x == sk->Q.x) && (Q.y == sk->Q.y) && (Q.z == sk->Q.z))
+
+ if (_gcry_mpi_ec_get_affine (x1, y_2, &Q, ctx))
{
if (DBG_CIPHER)
- log_debug
- ("Bad check: There is NO correspondence between 'd' and 'Q'!\n");
+ log_debug ("Bad check: Q can not be a Point at Infinity!\n");
goto leave;
}
+
+ /* Fast path for loaded secret keys - sk->Q is already in affine coordinates */
+ if (!mpi_cmp_ui (sk->Q.z, 1))
+ {
+ if (mpi_cmp (x1, sk->Q.x) || mpi_cmp (y_2, sk->Q.y))
+ {
+ if (DBG_CIPHER)
+ log_debug
+ ("Bad check: There is NO correspondence between 'd' and 'Q'!\n");
+ goto leave;
+ }
+ }
+ else
+ {
+ if (_gcry_mpi_ec_get_affine (x2, y2, &sk->Q, ctx))
+ {
+ if (DBG_CIPHER)
+ log_debug ("Bad check: Q can not be a Point at Infinity!\n");
+ goto leave;
+ }
+
+ if (mpi_cmp (x1, x2) || mpi_cmp (y_2, y2))
+ {
+ if (DBG_CIPHER)
+ log_debug
+ ("Bad check: There is NO correspondence between 'd' and 'Q'!\n");
+ goto leave;
+ }
+ }
rc = 0; /* Okay. */
leave:
_gcry_mpi_ec_free (ctx);
+ mpi_free (x2);
+ mpi_free (x1);
mpi_free (y2);
mpi_free (y_2);
point_free (&Q);
-----------------------------------------------------------------------
Summary of changes:
cipher/ecc.c | 40 +++++++++++++++++++++++++++++++++++++---
1 files changed, 37 insertions(+), 3 deletions(-)
hooks/post-receive
--
The GNU crypto library
http://git.gnupg.org
More information about the Gnupg-commits
mailing list