libgcrypt/libgcrypt-1.8.5-montgomery-zeroes.patch
2026-06-29 12:29:31 +02:00

152 lines
4.3 KiB
Diff

From: NIIBE Yutaka <gniibe@fsij.org>
Date: Tue, 27 Apr 2021 17:24:16 +0900
Subject: [PATCH] ecc: Check the input length for the point.
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Check the length
of valid point representation.
--
Backport the commit of master:
060c378c050e7ec6206358c681a313d6e1967dcf
In the use case of GnuPG, ECDH decryption for anonymous recipient may
try to decrypt with different curves. When the input data of
ephemeral key does not match one of the private key, it should return
GPG_ERR_INV_OBJ.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/ecc-misc.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
index 34dd6804..b89dcfa6 100644
--- a/cipher/ecc-misc.c
+++ b/cipher/ecc-misc.c
@@ -294,6 +294,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
{
unsigned char *rawmpi;
unsigned int rawmpilen;
+ unsigned int nbytes = (ctx->nbits+7)/8;
if (mpi_is_opaque (pk))
{
@@ -305,27 +306,36 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
return GPG_ERR_INV_OBJ;
rawmpilen = (rawmpilen + 7)/8;
- if (rawmpilen > 1 && (rawmpilen%2) && buf[0] == 0x40)
+ if (rawmpilen == nbytes + 1
+ && (buf[0] == 0x00 || buf[0] == 0x40))
{
rawmpilen--;
buf++;
}
+ else if (rawmpilen > nbytes)
+ return GPG_ERR_INV_OBJ;
- rawmpi = xtrymalloc (rawmpilen? rawmpilen:1);
+ rawmpi = xtrymalloc (nbytes);
if (!rawmpi)
return gpg_err_code_from_syserror ();
p = rawmpi + rawmpilen;
while (p > rawmpi)
*--p = *buf++;
+
+ if (rawmpilen < nbytes)
+ memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen);
}
else
{
- unsigned int nbytes = (ctx->nbits+7)/8;
-
rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
if (!rawmpi)
return gpg_err_code_from_syserror ();
+ if (rawmpilen > nbytes + 1)
+ {
+ xfree (rawmpi);
+ return GPG_ERR_INV_OBJ;
+ }
/*
* It is not reliable to assume that 0x40 means the prefix.
*
--
2.54.0
From bd662c090bd4a45cc830de9e42e96dd0f8e1f702 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 6 May 2021 12:35:19 +0900
Subject: [PATCH] ecc: Fix the previous commit.
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the condition.
--
GnuPG-bug-id: 5423
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/ecc-misc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
index b89dcfa6..0c387c27 100644
--- a/cipher/ecc-misc.c
+++ b/cipher/ecc-misc.c
@@ -331,7 +331,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
if (!rawmpi)
return gpg_err_code_from_syserror ();
- if (rawmpilen > nbytes + 1)
+ if (rawmpilen > nbytes + BYTES_PER_MPI_LIMB)
{
xfree (rawmpi);
return GPG_ERR_INV_OBJ;
--
2.54.0
From 5ba63ec41a6e734c9ff82e20e4f84ac94c59ae27 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 10 Apr 2026 16:58:57 +0900
Subject: [PATCH] cipher:ecc: Fix decoding a point on Montgomery curve.
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the padding
mistake and add updating RAWMPILEN.
--
Reported by Calif.io in collaboration with Claude and Anthropic
Research.
GnuPG-bug-id: 8211
Fixes-commit: bbe15758c893dbf546416c1a6bccdad1ab000ad7
Suggested-by: Bronson Yen <bronson@calif.io>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
cipher/ecc-misc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
index 0c387c27..be4e2862 100644
--- a/cipher/ecc-misc.c
+++ b/cipher/ecc-misc.c
@@ -324,7 +324,10 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
*--p = *buf++;
if (rawmpilen < nbytes)
- memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen);
+ {
+ memset (rawmpi + rawmpilen, 0, nbytes - rawmpilen);
+ rawmpilen = nbytes;
+ }
}
else
{
--
2.54.0