[Pkg-gnupg-commit] [gnupg2] 174/292: g10: Fix ECDH, clarifying the format.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Nov 21 06:31:39 UTC 2016 

This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg2.

commit ca0ee4e381d0b6a57e4ddc8f4bb2390eb97a2540
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Thu Oct 27 12:59:49 2016 +0900

    g10: Fix ECDH, clarifying the format.
    
    * g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Returns error when
    it's short.  Clarify the format.  Handle other prefixes correctly.
    
    --
    With the scdaemon's change, there is no case NBYTES < SECRET_X_SIZE.
    This fixes the break of ECDH with X25519.
    
    Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
---
 g10/ecdh.c | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/g10/ecdh.c b/g10/ecdh.c
index 886427b..dd47544 100644
--- a/g10/ecdh.c
+++ b/g10/ecdh.c
@@ -135,27 +135,29 @@ pk_ecdh_encrypt_with_shared_point (int is_encrypt, gcry_mpi_t shared_mpi,
     /* Expected size of the x component */
     secret_x_size = (nbits+7)/8;
 
-    if (nbytes > secret_x_size)
+    /* Extract X from the result.  It must be in the format of:
+           04 || X || Y
+           40 || X
+           41 || X
+
+       Since it always comes with the prefix, it's larger than X.  In
+       old experimental version of libgcrypt, there is a case where it
+       returns X with no prefix of 40, so, nbytes == secret_x_size
+       is allowed.  */
+    if (nbytes < secret_x_size)
       {
-        /* Uncompressed format expected, so it must start with 04 */
-        if (secret_x[0] != (byte)0x04)
-          {
-            return gpg_error (GPG_ERR_BAD_DATA);
-          }
+        xfree (secret_x);
+        return gpg_error (GPG_ERR_BAD_DATA);
+      }
 
-        /* Remove the "04" prefix of non-compressed format.  */
-        memmove (secret_x, secret_x+1, secret_x_size);
+    /* Remove the prefix.  */
+    if ((nbytes & 1))
+      memmove (secret_x, secret_x+1, secret_x_size);
+
+    /* Clear the rest of data.  */
+    if (nbytes - secret_x_size)
+      memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
 
-        /* Zeroize the y component following */
-        if (nbytes > secret_x_size)
-          memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
-      }
-    else if (nbytes < secret_x_size)
-      {
-        /* Raw share secret (x coordinate), without leading zeros */
-        memmove (secret_x+(secret_x_size - nbytes), secret_x, nbytes);
-        memset (secret_x, 0, secret_x_size - nbytes);
-      }
     if (DBG_CRYPTO)
       log_printhex ("ECDH shared secret X is:", secret_x, secret_x_size );
   }

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git

More information about the Pkg-gnupg-commit mailing list