Home GnuPG
Diffusion libgcrypt da780c8183cc

ecc: Add input validation for X25519.
da780c8183cc
Actions

Description

ecc: Add input validation for X25519.

* cipher/ecc.c (ecc_decrypt_raw): Add input validation.
* mpi/ec.c (ec_p_init): Use scratch buffer for bad points.
(_gcry_mpi_ec_bad_point): New.

Following is the paper describing the attack:

May the Fourth Be With You: A Microarchitectural Side Channel Attack
on Real-World Applications of Curve25519
by Daniel Genkin, Luke Valenta, and Yuval Yarom

In the current implementation, we do output checking and it results an
error for those bad points. However, when attacked, the computation
will done with leak of private key, even it will results errors. To
mitigate leak, we added input validation.

Note that we only list bad points with MSB=0. By X25519, MSB is
always cleared.

In future, we should implement constant-time field computation. Then,
this input validation could be removed, if performance is important
and we are sure for no leak.

CVE-id: CVE-2017-0379
(cherry picked from commit bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9)

  • Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

Details

Provenance
gniibeAuthored on Aug 25 2017, 11:13 AM
wernerCommitted on Aug 27 2017, 9:41 AM
Parents
rCcd271dce4cd8: Announce end-of-life for 1.7 at 2019-06-30.
Branches
Unknown
Tags
Unknown

Changes (3)

PathSize
cipher/
mpi/
src/

rCda780c8183cc

View Options

cipher/ecc.c

Loading...
View Options

mpi/ec.c

Loading...
View Options

src/mpi.h

Loading...