| CVE: CVE-2017-9526 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@intel.com> |
| |
| From 4a1768d683f6572ad86d833508c70e6b3dc1efdc Mon Sep 17 00:00:00 2001 |
| From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> |
| Date: Thu, 19 Jan 2017 17:00:15 +0100 |
| Subject: [PATCH] ecc: Store EdDSA session key in secure memory. |
| |
| * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_sign): use mpi_snew to allocate |
| session key. |
| -- |
| |
| An attacker who learns the EdDSA session key from side-channel |
| observation during the signing process, can easily revover the long- |
| term secret key. Storing the session key in secure memory ensures that |
| constant time point operations are used in the MPI library. |
| |
| Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be> |
| --- |
| cipher/ecc-eddsa.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/cipher/ecc-eddsa.c b/cipher/ecc-eddsa.c |
| index f91f8489..813e030d 100644 |
| --- a/cipher/ecc-eddsa.c |
| +++ b/cipher/ecc-eddsa.c |
| @@ -603,7 +603,7 @@ _gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey, |
| a = mpi_snew (0); |
| x = mpi_new (0); |
| y = mpi_new (0); |
| - r = mpi_new (0); |
| + r = mpi_snew (0); |
| ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0, |
| skey->E.p, skey->E.a, skey->E.b); |
| b = (ctx->nbits+7)/8; |
| -- |
| 2.11.0 |
| |