[PATCH] g10: Fix ECDH secret compressed/uncompressed format

Arnaud Fontaine arnaud.fontaine at ssi.gouv.fr
Mon Oct 24 11:43:08 CEST 2016


* g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Improve detection of
the uncompressed format, add leading zeros to the compressed format.
---
 g10/ecdh.c | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/g10/ecdh.c b/g10/ecdh.c
index af1d844..ed855db 100644
--- a/g10/ecdh.c
+++ b/g10/ecdh.c
@@ -132,13 +132,30 @@ pk_ecdh_encrypt_with_shared_point (int is_encrypt,
gcry_mpi_t shared_mpi,
         return err;
       }

+    /* Expected size of the x component */
     secret_x_size = (nbits+7)/8;
-    log_assert (nbytes >= secret_x_size);
-    if ((nbytes & 1))
-      /* Remove the "04" prefix of non-compressed format.  */
-      memmove (secret_x, secret_x+1, secret_x_size);
-    if (nbytes - secret_x_size)
-      memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
+
+    if (nbytes > secret_x_size)
+      {
+        /* Un-compressed format expected, so it must start with 04 */
+        log_assert (secret_x[0] == (byte)0x04);
+
+        /* Remove the "04" prefix of non-compressed format.  */
+        memmove (secret_x, secret_x+1, secret_x_size);
+
+        /* Zeroize the y component following */
+        if (nbytes > secret_x_size)
+          memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
+      }
+    else
+      {
+        /* Compressed format expected, without leading zeros */
+        if (nbytes < secret_x_size)
+          {
+            memmove (secret_x+(secret_x_size - nbytes), secret_x, nbytes);
+            memset (secret_x, 0, secret_x_size - nbytes);
+          }
+      }

      if (DBG_CRYPTO)
       log_printhex ("ECDH shared secret X is:", secret_x, secret_x_size );
@@ -235,8 +252,8 @@ pk_ecdh_encrypt_with_shared_point (int is_encrypt,
gcry_mpi_t shared_mpi,
         return err;
       }
     gcry_md_write(h, "\x00\x00\x00\x01", 4);      /* counter = 1 */
-    gcry_md_write(h, secret_x, secret_x_size);	  /* x of the point X */
-    gcry_md_write(h, message, message_size);/* KDF parameters */
+    gcry_md_write(h, secret_x, secret_x_size);    /* x of the point X */
+    gcry_md_write(h, message, message_size);      /* KDF parameters */

     gcry_md_final (h);

--
2.9.3




More information about the Gnupg-devel mailing list