openpgp: Fix serialized points on Weierstrass curves with OpenSSL.

  - OpenPGP uses the uncompressed representation.  Previously, the
    OpenSSL backend used the compressed representation by mistake.

3 files changed, 6 insertions, 2 deletions

diff --git a/openpgp/NEWS b/openpgp/NEWS
index ce276afe..3524af4b 100644
--- a/openpgp/NEWS
+++ b/openpgp/NEWS
@@ -9,6 +9,10 @@
      secret scalar to make the generated secret key packet more
      compatible with implementations that do not implicitly do the
      clamping before decryption.
+   - Sequoia built with the OpenSSL backend will now use the correct
+     representation of points on Weierstrass curves.  OpenPGP uses the
+     uncompressed representation.  Previously, the OpenSSL backend
+     used the compressed representation by mistake.
 ** New functionality
    - Curve::variants
 * Changes in 1.18.0
diff --git a/openpgp/src/crypto/backend/openssl/asymmetric.rs b/openpgp/src/crypto/backend/openssl/asymmetric.rs
index 6fd9f6a7..0ae2ca15 100644
--- a/openpgp/src/crypto/backend/openssl/asymmetric.rs
+++ b/openpgp/src/crypto/backend/openssl/asymmetric.rs
@@ -548,7 +548,7 @@ where
 
         let q = MPI::new(&key.public_key().to_bytes(
             &group,
-            PointConversionForm::COMPRESSED,
+            PointConversionForm::UNCOMPRESSED,
             &mut ctx,
         )?);
         let scalar = key.private_key().to_vec().into();
diff --git a/openpgp/src/crypto/backend/openssl/ecdh.rs b/openpgp/src/crypto/backend/openssl/ecdh.rs
index bf6237c2..04a87c23 100644
--- a/openpgp/src/crypto/backend/openssl/ecdh.rs
+++ b/openpgp/src/crypto/backend/openssl/ecdh.rs
@@ -53,7 +53,7 @@ where
 
     let q = mpi::MPI::new(&key.public_key().to_bytes(
         &group,
-        PointConversionForm::COMPRESSED,
+        PointConversionForm::UNCOMPRESSED,
         &mut ctx,
     )?);