diff options
author | David Benjamin <davidben@google.com> | 2018-03-28 12:21:45 -0400 |
---|---|---|
committer | David Benjamin <davidben@google.com> | 2018-04-03 16:09:20 -0400 |
commit | dc55e4f70f401c5869410d6a0c068c18c3fd53ec (patch) | |
tree | 194f3026ac5e25a6bcfcd0a2a812ab31d021254d /crypto/conf | |
parent | b2b4dfcca6cf2230107a711f7af1cd8ee3f74229 (diff) |
Fix a bug in ecp_nistp224.c.
felem_neg does not produce an output within the tight bounds suitable
for felem_contract. This affects build configurations which set
enable-ec_nistp_64_gcc_128.
point_double and point_add, in the non-z*_is_zero cases, tolerate and
fix up the wider bounds, so this only affects point_add calls where the
other point is infinity. Thus it only affects the final addition in
arbitrary-point multiplication, giving the wrong y-coordinate. This is a
no-op for ECDH and ECDSA, which only use the x-coordinate of
arbitrary-point operations.
Note: ecp_nistp521.c has the same issue in that the documented
preconditions are violated by the test case. I have not addressed this
in this PR. ecp_nistp521.c does not immediately produce the wrong
answer; felem_contract there appears to be a bit more tolerant than its
documented preconditions. However, I haven't checked the point_add
property above holds. ecp_nistp521.c should either get this same fix, to
be conservative, or have the bounds analysis and comments reworked for
the wider bounds.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5779)
Diffstat (limited to 'crypto/conf')
0 files changed, 0 insertions, 0 deletions