author: lloyd <[email protected]> 2011-05-19 12:56:05 +0000
committer: lloyd <[email protected]> 2011-05-19 12:56:05 +0000
commit: 2bfbaa792c71d289d433afb9fcec173110aa7006 (patch)
tree: fc37f5a2e8579bcd126e475e64900e695b54048f /doc
parent: 49e6d3fdbd47cf827f6ac2e23ab1061abf3084ea (diff)
Reject s == 0 or r == 0 in an ECC signature.
In ECDSA, these cases should all be caught by the later check that R is not zero, so I don't believe there is any security danger. However the GOST 34.10 implementation did not have either check. Fortunately, the function that extracts the affine X coordinate from the Jacobian coordinates will throw an exception if the point is at infinity, so we would not in fact accept invalid signatures, but this is mostly by luck, and still represents a bit of a DoS potential. I checked the history; it looks like not checking for zeros at the start traces back to the original InSiTo code, and I copied the ECDSA code for GOST without thinking about it too much.
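Here is the check the commit describes, as an added example that is not Botan's code: a GOST 34.10-2001 style signer and verifier in Python where (r, s) are range-checked before any curve arithmetic, so an all-zero signature is rejected by a return value rather than by an exception from the affine-X extraction. Assumptions: secp256k1 stands in for a GOST parameter set (the algorithm is curve-independent), the key, digest and nonce are the caller's constructed inputs, and `check_range=False` reproduces the old code path.

```python
# Added example, not Botan's code: GOST R 34.10-2001 style signing/verification
# with the up-front (r, s) range check. secp256k1 is a stand-in curve (assumption).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity

def add(p1, p2):  # affine point addition on y^2 = x^3 + 7 (a = 0)
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; not constant time, demo only
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def affine_x(pt):  # like the library behaviour the commit message describes
    if pt is INF:
        raise ValueError("point at infinity has no affine X coordinate")
    return pt[0]

def sign(d, e, k):  # r = x(kG) mod N, s = (r*d + k*e) mod N
    e = e % N or 1
    r = affine_x(mul(k, G)) % N
    s = (r * d + k * e) % N
    assert r and s, "a real signer retries with a fresh k here"
    return (r, s)

def verify(pub, e, sig, check_range=True):  # check_range=False = old code path
    r, s = sig
    if check_range and not (0 < r < N and 0 < s < N):
        return False  # the check this commit adds: an all-zero signature stops here
    e = e % N or 1
    v = pow(e, -1, N)
    z1, z2 = s * v % N, (-r * v) % N
    # with r = s = 0 both scalars are 0, C is INF and affine_x raises (old path)
    return affine_x(add(mul(z1, G), mul(z2, pub))) % N == r
```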
Diffstat (limited to 'doc')
-rw-r--r-- doc/log.txt 28
1 files changed, 17 insertions, 11 deletions
diff --git a/doc/log.txt b/doc/log.txt
index e0b69ded8..77033f10b 100644
--- a/doc/log.txt
+++ b/doc/log.txt
@@ -12,8 +12,21 @@ Version 1.9.18, Not Yet Released
* Fourth release candidate for 1.10.0
-* Add support for compiling SSL using Visual C++ 2010's TR1
- implementation.
+* The GOST 34.10 verification operation was not ensuring that s and r
+ were both greater than zero. This could potentially have meant it
+ would have accepted an invalid all-zero signature as valid for any
+ message. Due to how ECC points are internally represented it instead
+ resulted in an exception being thrown.
+
+* The internal representation of elliptic curve points has been
+ modified to use Montgomery representation exclusively, resulting in
+ reduced memory usage and a 10 to 20% performance improvement for
+ ECDSA and ECDH.
+
+* In OAEP decoding, scan for the delimiter bytes using a loop that is
+ written without conditionals so as to help avoid timing analysis.
+ Unfortunately GCC at least is 'smart' enough to compile it to
+ jumps anyway.
* The SSE2 implementation of IDEA did not work correctly when compiled
by Clang, because the trick it used to emulate a 16 bit unsigned
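Review bot: the new GOST 34.10 entry (the `+* The GOST 34.10 verification operation ...` lines) only covers the GOST verifier, while the commit subject says r == 0 or s == 0 is now rejected for ECC signatures in general and the commit message says ECDSA previously relied on the later R != 0 check; one sentence noting that ECDSA verification now checks this up front as well would keep the log in step with the code. The entry could also state plainly that the exception path was a DoS exposure rather than a safety property, which is the point the commit message makes.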
@@ -21,10 +34,8 @@ Version 1.9.18, Not Yet Released
overflow working in the 'usual' way. A different method that doesn't
rely on signed overflow is now used.
-* The internal representation of elliptic curve points has been
- modified to use Montgomery representation exclusively, resulting in
- reduced memory usage and a 10 to 20% performance improvement for
- ECDSA and ECDH.
+* Add support for compiling SSL using Visual C++ 2010's TR1
+ implementation.
* Fix a bug under Visual C++ 2010 which would cause ``hex_encode`` to
crash if given a zero-sized input to encode.
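Review bot: the `-* The internal representation of elliptic curve points ...` and `+* Add support for compiling SSL ...` lines here, together with the matching removals and additions in the first hunk, are a pure reorder of existing entries with unchanged wording; mixing that into the commit that documents a signature-check fix makes the substantive change harder to pick out in the diff. Either land the reorder separately or mention in the commit message that entries were reordered.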
@@ -41,11 +52,6 @@ Version 1.9.18, Not Yet Released
``libbotan-1.9.so.0.18``. The ``0`` is the ABI version, and will be
incremented whenever a breaking ABI change is made.
-* In OAEP decoding, scan for the delimiter bytes using a loop that is
- written without conditionals so as to help avoid timing analysis.
- Unfortunately GCC at least is 'smart' enough to compile it to
- jumps anyway.
-
* TR1 support is not longer automatically assumed under older versions
of GCC
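Review bot: the unchanged context line `* TR1 support is not longer automatically assumed under older versions` has a typo ("not longer" for "no longer"); since this file is being edited anyway, it is worth fixing in the same change. Otherwise this hunk only drops the OAEP entry that the first hunk re-adds higher up, with its text unchanged.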