Fix ECDSA corner case: missing reduction mod N
Not a security issue, but it could cause valid signatures to be rejected. Reported by DualTachyon on GitHub.
This commit is contained in:
parent
60b1d10131
commit
178d9bac3c
|
@ -16,6 +16,7 @@ Bugfix
|
||||||
* Misc fixes and additions to dependency checks
|
* Misc fixes and additions to dependency checks
|
||||||
* Const correctness
|
* Const correctness
|
||||||
* cert_write with selfsign should use issuer_name as subject_name
|
* cert_write with selfsign should use issuer_name as subject_name
|
||||||
|
* Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
|
||||||
|
|
||||||
= PolarSSL 1.3.1 released on 2013-10-15
|
= PolarSSL 1.3.1 released on 2013-10-15
|
||||||
Features
|
Features
|
||||||
|
|
|
@ -68,12 +68,13 @@ int ecdsa_sign( ecp_group *grp, mpi *r, mpi *s,
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Steps 1-3: generate a suitable ephemeral keypair
|
* Steps 1-3: generate a suitable ephemeral keypair
|
||||||
|
* and set r = xR mod n
|
||||||
*/
|
*/
|
||||||
key_tries = 0;
|
key_tries = 0;
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
MPI_CHK( ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
|
MPI_CHK( ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
|
||||||
MPI_CHK( mpi_copy( r, &R.X ) );
|
MPI_CHK( mpi_mod_mpi( r, &R.X, &grp->N ) );
|
||||||
|
|
||||||
if( key_tries++ > 10 )
|
if( key_tries++ > 10 )
|
||||||
{
|
{
|
||||||
|
@ -176,7 +177,13 @@ int ecdsa_verify( ecp_group *grp,
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Step 6: check that xR == r
|
* Step 6: convert xR to an integer (no-op)
|
||||||
|
* Step 7: reduce xR mod n (gives v)
|
||||||
|
*/
|
||||||
|
MPI_CHK( mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Step 8: check if v (that is, R.X) is equal to r
|
||||||
*/
|
*/
|
||||||
if( mpi_cmp_mpi( &R.X, r ) != 0 )
|
if( mpi_cmp_mpi( &R.X, r ) != 0 )
|
||||||
{
|
{
|
||||||
|
|
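Review bot: The new reduction in ecdsa_verify, `MPI_CHK( mpi_mod_mpi( &R.X, &R.X, &grp->N ) );`, and the matching `mpi_mod_mpi( r, &R.X, &grp->N )` in ecdsa_sign fix the corner case, but neither comment says why a reduction that is almost always a no-op is needed, which is what the next maintainer will wonder. x_R is a field element in [0, p-1] while r must be an integer in [1, n-1]; on curves where n < p, x_R can land in [n, p-1], so without the reduction signing could emit r >= n and verification could reject a valid signature — I would state this next to the reduction, e.g. `/* x_R is in [0, p-1] but r lives in Z_n: reduce mod n (needed when n < p) */`. The "Step 6/7/8" comments refer to a standard's verification procedure that is not named in the hunk; if the function header cites it, repeating the reference here would make the numbering checkable. Both hunks also depend on code outside them — the retry-on-r == 0 condition closing the do-loop in ecdsa_sign and the range checks on r and s at the top of ecdsa_verify — so I could not confirm from this view that r == 0 after reduction is retried and that the final comparison is only reached with r already in range.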