From 178d9bac3c9c23307246f4e06779103d0fe6e0c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 29 Oct 2013 10:45:28 +0100
Subject: [PATCH] Fix ECDSA corner case: missing reduction mod N

No security issue, can cause valid signatures to be rejected. Reported by DualTachyon on github.
---
 ChangeLog | 1 +
 library/ecdsa.c | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7c0471b40..bcbd7c008 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,7 @@ Bugfix
    * Misc fixes and additions to dependency checks
    * Const correctness
    * cert_write with selfsign should use issuer_name as subject_name
+   * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
 
 = PolarSSL 1.3.1 released on 2013-10-15
 Features
diff --git a/library/ecdsa.c b/library/ecdsa.c
index f653748ea..13f394bc8 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -68,12 +68,13 @@ int ecdsa_sign( ecp_group *grp, mpi *r, mpi *s,
 {
     /*
      * Steps 1-3: generate a suitable ephemeral keypair
+     * and set r = xR mod n
      */
     key_tries = 0;
     do
     {
         MPI_CHK( ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
-        MPI_CHK( mpi_copy( r, &R.X ) );
+        MPI_CHK( mpi_mod_mpi( r, &R.X, &grp->N ) );
 
         if( key_tries++ > 10 )
         {
@@ -176,7 +177,13 @@ int ecdsa_verify( ecp_group *grp,
     }
 
     /*
-     * Step 6: check that xR == r
+     * Step 6: convert xR to an integer (no-op)
+     * Step 7: reduce xR mod n (gives v)
+     */
+    MPI_CHK( mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
+
+    /*
+     * Step 8: check if v (that is, R.X) is equal to r
      */
     if( mpi_cmp_mpi( &R.X, r ) != 0 )
     {
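Review bot: The new `MPI_CHK( mpi_mod_mpi( r, &R.X, &grp->N ) );` line in ecdsa_sign needs a why-comment, because nothing in the hunk says why `mpi_copy` was wrong: `R.X` is a field element in [0, p-1] while r must lie in [1, n-1], and the reduction only differs from a plain copy when xR >= n, which is exactly the corner case this commit fixes. Suggested comment above the line: `/* xR is in [0, p-1] but n may be smaller than p: reduce before the r == 0 retry check */`. Whether the retry on r == 0 is actually applied to the reduced value depends on the loop's `while` clause, which is outside the hunk; ecdsa_sign's body continues past it. `mpi_mod_mpi` is presumably not constant-time, which is acceptable here only because r is published as part of the signature; stating that in the comment keeps a later reader from routing a secret (such as k) through the same call.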
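Review bot: `MPI_CHK( mpi_mod_mpi( &R.X, &R.X, &grp->N ) );` reduces R.X in place, so it relies on the mpi layer accepting the same object as destination and source; if `mpi_mod_mpi` does not guarantee that, reduce into a separate local instead, e.g. `mpi_mod_mpi( &v, &R.X, &grp->N )` followed by `mpi_cmp_mpi( &v, r )`. The step numbering in the new comments (6 convert, 7 reduce mod n, 8 compare) appears to follow SEC1 §4.1.4, so naming the reference once, e.g. `/* Step numbers follow SEC1 v2, section 4.1.4 */`, would make the comments self-explaining. The preceding checks that R is not the point at infinity and that r itself is in [1, n-1] are outside the hunk and cannot be confirmed here; ecdsa_verify starts before the hunk and ends after it.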