author | NIIBE Yutaka <gniibe@fsij.org> | 2016-02-02 17:24:10 +0900
committer | NIIBE Yutaka <gniibe@fsij.org> | 2016-02-02 17:24:10 +0900
commit | 48ba5a50066611ecacea850ced13f5cb66097a81 (patch)
tree | 823972543693b8c9679faaa16d29497bb748a01b /cipher/ecc-misc.c
parent | a2f9afcd7fcdafd5951498b07f34957f9766dce9 (diff)
download | libgcrypt-48ba5a50066611ecacea850ced13f5cb66097a81.tar.gz
ecc: more fix of Curve25519.
* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of
prefix. Clear the MSB, according to RFC7748.
--
This change fixes two things.
* Handle the case where the prefix 0x40 comes at the end when scanned as
a standard MPI.
* Implement MSB handling. On page 7 of RFC7748, it says about
decoding the u-coordinate:
    When receiving such an array, implementations of X25519 (but not
    X448) MUST mask the most significant bit in the final byte.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
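As an added example (not libgcrypt's code and not part of this commit), the following stand-alone C routine applies the two rules the commit message describes when decoding a Montgomery u-coordinate from its RFC 7748 wire form: accept at most one prefix byte (0x40 or 0x00) in front of the little-endian array, and mask the most significant bit of the final byte for X25519 but not for X448. It goes slightly beyond the commit by covering both curves and the no-prefix case in one function. The names `decode_u_coordinate` and `MAX_U_BYTES`, the big-endian output layout, and the decision to reject wrong-length input instead of truncating it are assumptions of this example, not behaviour of libgcrypt's `_gcry_ecc_mont_decodepoint`.

```c
/* Added example, not libgcrypt code.  Decode an RFC 7748 u-coordinate
 * (little-endian array, optionally preceded by a single 0x40 or 0x00
 * prefix byte as GnuPG emits) into a big-endian byte array.
 *
 * Assumptions (this example's own, not from the commit):
 *  - nbits is the field size: 255 for X25519, 448 for X448.
 *  - Return value is the number of bytes written to out (most
 *    significant byte first); 0 signals a malformed input.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_U_BYTES 56   /* large enough for X448 */

size_t decode_u_coordinate (const uint8_t *in, size_t inlen,
                            unsigned int nbits, uint8_t *out, size_t outlen)
{
  size_t nbytes = (nbits + 7) / 8;
  const uint8_t *le = in;
  size_t i;

  if (outlen < nbytes)
    return 0;

  /* Exactly one prefix byte is tolerated, and only if it is 0x40 or
   * 0x00.  Any other length mismatch is rejected rather than silently
   * truncated, so over-long input cannot pass as a valid point. */
  if (inlen == nbytes + 1 && (in[0] == 0x40 || in[0] == 0x00))
    le = in + 1;
  else if (inlen != nbytes)
    return 0;

  /* Reverse the little-endian wire bytes: the final wire byte, which
   * carries the bit RFC 7748 says to mask, becomes out[0]. */
  for (i = 0; i < nbytes; i++)
    out[i] = le[nbytes - 1 - i];

  /* RFC 7748: X25519 masks the MSB of the final byte, X448 does not.
   * Guarding on nbits % 8 keeps the mask from collapsing to 0 when the
   * field size is a whole number of bytes (448 bits for X448). */
  if (nbits % 8)
    out[0] &= (uint8_t) ((1u << (nbits % 8)) - 1);

  return nbytes;
}

int main (void)
{
  /* Constructed sample, not real key material: 0x40 prefix, first wire
   * byte 0x09, last wire byte 0xFF so the top bit is set. */
  uint8_t wire[33] = { 0x40, 0x09 };
  uint8_t u[MAX_U_BYTES];
  size_t n, i;

  wire[32] = 0xFF;
  n = decode_u_coordinate (wire, sizeof wire, 255, u, sizeof u);
  printf ("decoded %zu bytes, big-endian: ", n);
  for (i = 0; i < n; i++)
    printf ("%02x", u[i]);
  printf ("\n");   /* leading byte is 7f: the top bit has been cleared */
  return 0;
}
```

Because the buffer is reversed before masking, clearing bit 7 of `out[0]` is the same operation as clearing the MSB of the last wire byte, which is the layout the patched `_gcry_ecc_mont_decodepoint` relies on when it masks `rawmpi[0]`.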
Diffstat (limited to 'cipher/ecc-misc.c')
-rw-r--r-- | cipher/ecc-misc.c | 7
1 files changed, 3 insertions, 4 deletions
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c index 33af6f74..e0dfec3c 100644 --- a/cipher/ecc-misc.c +++ b/cipher/ecc-misc.c @@ -342,10 +342,8 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) * Only when it's the prefix, we remove it. */ if (rawmpilen > nbytes) - {/* Prefix 0x40 or 0x00 */ - rawmpi++; - rawmpilen = nbytes; - } + /* Prefix 0x40 or 0x00, which comes at the end (reverse) */ + rawmpilen = nbytes; else if (rawmpilen < nbytes) {/* * It is possible for data created by older implementation @@ -364,6 +362,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) } } + rawmpi[0] &= (1 << (ctx->nbits % 8)) - 1; _gcry_mpi_set_buffer (result->x, rawmpi, rawmpilen, 0); xfree (a); mpi_set_ui (result->z, 1); |
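Review bot: in the first hunk (@@ -342), the `if (rawmpilen > nbytes)` branch still truncates on length alone even though the context comment says "Only when it's the prefix, we remove it."; the new body `rawmpilen = nbytes;` drops however many trailing bytes there are and never checks that the discarded byte is the 0x40 or 0x00 the new comment names. Suggest tightening the condition to `rawmpilen == nbytes + 1 && (rawmpi[nbytes] == 0x40 || rawmpi[nbytes] == 0x00)` and returning an error for any other over-long input, so a malformed encoding is rejected instead of being silently shortened into a plausible point. Minor style point: the `else if` arm keeps its braces while this arm is now a bare statement under a comment; bracing both arms keeps the two cases symmetric.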
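Review bot: in the second hunk (@@ -364), `rawmpi[0] &= (1 << (ctx->nbits % 8)) - 1;` runs unconditionally, but when `ctx->nbits` is a multiple of 8 the expression `ctx->nbits % 8` is 0, the mask evaluates to `(1 << 0) - 1 == 0`, and the whole most significant byte is zeroed. That is precisely the X448 case (a 448-bit field) that the RFC 7748 text quoted in the commit message excludes from masking, so the statement should be guarded, e.g. `if (ctx->nbits % 8) rawmpi[0] &= (1 << (ctx->nbits % 8)) - 1;`. A one-line comment citing RFC 7748 next to the mask would also help, since nothing in the code explains why the top bits are cleared or why `rawmpi[0]` (the reversed, big-endian first byte) is the right one to mask.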