  9. Apr 03, 2018
    • Fix a bug in ecp_nistp224.c. · dc55e4f7
      David Benjamin authored
      
      
      felem_neg does not produce an output within the tight bounds suitable
      for felem_contract. This affects build configurations which set
      enable-ec_nistp_64_gcc_128.
      
      point_double and point_add, in the non-z*_is_zero cases, tolerate and
      fix up the wider bounds, so this only affects point_add calls where the
      other point is infinity. Thus it only affects the final addition in
      arbitrary-point multiplication, giving the wrong y-coordinate. This is a
      no-op for ECDH and ECDSA, which only use the x-coordinate of
      arbitrary-point operations.
      
      Note: ecp_nistp521.c has the same issue in that the documented
      preconditions are violated by the test case. I have not addressed this
      in this PR. ecp_nistp521.c does not immediately produce the wrong
      answer; felem_contract there appears to be a bit more tolerant than its
      documented preconditions. However, I haven't checked the point_add
      property above holds. ecp_nistp521.c should either get this same fix, to
      be conservative, or have the bounds analysis and comments reworked for
      the wider bounds.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5779)