From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 18 Apr 2016 09:18:04 +0000 (+0200)
Subject: _wrap_nettle_pk_derive: reject values of public key that are over the prime
X-Git-Tag: gnutls_3_5_0~134
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9dbf4954eea4a7ec899af0d0d66ae930695f8a5a;p=thirdparty%2Fgnutls.git

_wrap_nettle_pk_derive: reject values of public key that are over the prime

That is do not canonicalise the value we get from the network, but
rather check it for validity. This saves a modular reduction on handshake
and performs a sanity check on the peer's (client) parameters.
Reported by Hubert Kario.

Resolves #84
---

diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index c7ef0d78c5..dd1d8bb104 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -191,23 +191,17 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo,
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 
-		ret = _gnutls_mpi_modm(ff, f, prime);
+		ret = _gnutls_mpi_add_ui(ff, f, 1);
 		if (ret < 0) {
 			gnutls_assert();
 			goto dh_cleanup;
 		}
 
-		ret = _gnutls_mpi_add_ui(ff, ff, 1);
-		if (ret < 0) {
-			gnutls_assert();
-			goto dh_cleanup;
-		}
-
-		/* check if f==0,1,p-1. 
-		 * or (ff=f+1) equivalently ff==1,2,p */
+		/* check if f==0,1, or f >= p-1. 
+		 * or (ff=f+1) equivalently ff==1,2, ff >= p */
 		if ((_gnutls_mpi_cmp_ui(ff, 2) == 0)
 		    || (_gnutls_mpi_cmp_ui(ff, 1) == 0)
-		    || (_gnutls_mpi_cmp(ff, prime) == 0)) {
+		    || (_gnutls_mpi_cmp(ff, prime) >= 0)) {
 			gnutls_assert();
 			ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 			goto dh_cleanup;