commit 178d9bac3c9c23307246f4e06779103d0fe6e0c2
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Oct 29 10:45:28 2013 +0100
committer Paul Bakker <p.j.bakker@polarssl.org> Tue Oct 29 13:40:17 2013 +0100
tree 89b9616d017a441e5de514b33dd5ad81cc8e5fd5
parent 60b1d10131416e0bd85d62958e14036a64d230e2

Fix ECDSA corner case: missing reduction mod N

No security issue, can cause valid signatures to be rejected.

Reported by DualTachyon on github.

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 7c0471b..bcbd7c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,7 @@
    * Misc fixes and additions to dependency checks
    * Const correctness
    * cert_write with selfsign should use issuer_name as subject_name
+   * Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
 
 = PolarSSL 1.3.1 released on 2013-10-15
 Features

library/ecdsa.c

diff --git a/library/ecdsa.c b/library/ecdsa.c
index f653748..13f394b 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -68,12 +68,13 @@
     {
         /*
          * Steps 1-3: generate a suitable ephemeral keypair
+         * and set r = xR mod n
          */
         key_tries = 0;
         do
         {
             MPI_CHK( ecp_gen_keypair( grp, &k, &R, f_rng, p_rng ) );
-            MPI_CHK( mpi_copy( r, &R.X ) );
+            MPI_CHK( mpi_mod_mpi( r, &R.X, &grp->N ) );
 
             if( key_tries++ > 10 )
             {
@@ -176,7 +177,13 @@
     }
 
     /*
-     * Step 6: check that xR == r
+     * Step 6: convert xR to an integer (no-op)
+     * Step 7: reduce xR mod n (gives v)
+     */
+    MPI_CHK( mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
+
+    /*
+     * Step 8: check if v (that is, R.X) is equal to r
      */
     if( mpi_cmp_mpi( &R.X, r ) != 0 )
     {