Fix ECDSA corner case: missing reduction mod N

No security issue, can cause valid signatures to be rejected. Reported by DualTachyon on github.
2024-10-18 12:21:04 +00:00 · 2013-10-29 10:45:28 +01:00 · 2013-10-29 10:45:28 +01:00 · 178d9bac3c
parent 60b1d10131
commit 178d9bac3c
2 changed files with 10 additions and 2 deletions
--- a/1
+++ b/1
@ -16,6 +16,7 @@ Bugfix
   * Misc fixes and additions to dependency checks
   * Const correctness
   * cert_write with selfsign should use issuer_name as subject_name
+   * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)

 = PolarSSL 1.3.1 released on 2013-10-15
 Features
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@ -68,12 +68,13 @@ int ecdsa_sign( ecp_group *grp, mpi *r, mpi *s,
    {
        /*
         * Steps 1-3: generate a suitable ephemeral keypair
+         * and set r = xR mod n
         */
        key_tries = 0;
        do
        {
            MPI_CHK( ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
-            MPI_CHK( mpi_copy( r, &R.X ) );
+            MPI_CHK( mpi_mod_mpi( r, &R.X, &grp->N ) );

            if( key_tries++ > 10 )
            {
@ -176,7 +177,13 @@ int ecdsa_verify( ecp_group *grp,
    }

    /*
-     * Step 6: check that xR == r
+     * Step 6: convert xR to an integer (no-op)
+     * Step 7: reduce xR mod n (gives v)
+     */
+    MPI_CHK( mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
+
+    /*
+     * Step 8: check if v (that is, R.X) is equal to r
     */
    if( mpi_cmp_mpi( &R.X, r ) != 0 )
    {