[PATCH] g10: Fix ECDH secret compressed/uncompressed format
Arnaud Fontaine
arnaud.fontaine at ssi.gouv.fr
Mon Oct 24 11:43:08 CEST 2016
* g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Improve detection of
the uncompressed format, add leading zeros to the compressed format.
---
g10/ecdh.c | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/g10/ecdh.c b/g10/ecdh.c
index af1d844..ed855db 100644
--- a/g10/ecdh.c
+++ b/g10/ecdh.c
@@ -132,13 +132,30 @@ pk_ecdh_encrypt_with_shared_point (int is_encrypt,
gcry_mpi_t shared_mpi,
return err;
}
+ /* Expected size of the x component */
secret_x_size = (nbits+7)/8;
- log_assert (nbytes >= secret_x_size);
- if ((nbytes & 1))
- /* Remove the "04" prefix of non-compressed format. */
- memmove (secret_x, secret_x+1, secret_x_size);
- if (nbytes - secret_x_size)
- memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
+
+ if (nbytes > secret_x_size)
+ {
+ /* Un-compressed format expected, so it must start with 04 */
+ log_assert (secret_x[0] == (byte)0x04);
+
+ /* Remove the "04" prefix of non-compressed format. */
+ memmove (secret_x, secret_x+1, secret_x_size);
+
+ /* Zeroize the y component following */
+ if (nbytes > secret_x_size)
+ memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
+ }
+ else
+ {
+ /* Compressed format expected, without leading zeros */
+ if (nbytes < secret_x_size)
+ {
+ memmove (secret_x+(secret_x_size - nbytes), secret_x, nbytes);
+ memset (secret_x, 0, secret_x_size - nbytes);
+ }
+ }
if (DBG_CRYPTO)
log_printhex ("ECDH shared secret X is:", secret_x, secret_x_size );
@@ -235,8 +252,8 @@ pk_ecdh_encrypt_with_shared_point (int is_encrypt,
gcry_mpi_t shared_mpi,
return err;
}
gcry_md_write(h, "\x00\x00\x00\x01", 4); /* counter = 1 */
- gcry_md_write(h, secret_x, secret_x_size); /* x of the point X */
- gcry_md_write(h, message, message_size);/* KDF parameters */
+ gcry_md_write(h, secret_x, secret_x_size); /* x of the point X */
+ gcry_md_write(h, message, message_size); /* KDF parameters */
gcry_md_final (h);
--
2.9.3
More information about the Gnupg-devel
mailing list