Fix ECDSA corner case: missing reduction mod N No security issue, can cause valid signatures to be rejected. Reported by DualTachyon on github.

commit: 178d9bac3c9c23307246f4e06779103d0fe6e0c2 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Oct 29 10:45:28 2013 +0100
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Oct 29 13:40:17 2013 +0100
tree: 89b9616d017a441e5de514b33dd5ad81cc8e5fd5
parent: 60b1d10131416e0bd85d62958e14036a64d230e2 [diff] [blame]
diff --git a/library/ecdsa.c b/library/ecdsa.c
index f653748..13f394b 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c

@@ -68,12 +68,13 @@
     {
         /*
          * Steps 1-3: generate a suitable ephemeral keypair
+         * and set r = xR mod n
          */
         key_tries = 0;
         do
         {
             MPI_CHK( ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
-            MPI_CHK( mpi_copy( r, &R.X ) );
+            MPI_CHK( mpi_mod_mpi( r, &R.X, &grp->N ) );
 
             if( key_tries++ > 10 )
             {
@@ -176,7 +177,13 @@
     }
 
     /*
-     * Step 6: check that xR == r
+     * Step 6: convert xR to an integer (no-op)
+     * Step 7: reduce xR mod n (gives v)
+     */
+    MPI_CHK( mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
+
+    /*
+     * Step 8: check if v (that is, R.X) is equal to r
      */
     if( mpi_cmp_mpi( &R.X, r ) != 0 )
     {
commit	178d9bac3c9c23307246f4e06779103d0fe6e0c2	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Tue Oct 29 10:45:28 2013 +0100
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Oct 29 13:40:17 2013 +0100
tree	89b9616d017a441e5de514b33dd5ad81cc8e5fd5
parent	60b1d10131416e0bd85d62958e14036a64d230e2 [diff] [blame]