author | NIIBE Yutaka <gniibe@fsij.org> | 2016-02-02 13:58:48 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2016-02-02 13:58:48 +0900 |
commit | a2f9afcd7fcdafd5951498b07f34957f9766dce9 (patch) | |
tree | a9881b14d01cd7165f3f2826e6e0bb9b13d84a70 /cipher/ecc-misc.c | |
parent | 57b60bb1718b4f2c2500bb447ebd1d4562a5aa9b (diff) | |
download | libgcrypt-a2f9afcd7fcdafd5951498b07f34957f9766dce9.tar.gz |
ecc: Fix ECDH of Curve25519.
* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix calc of NBITS
and prefix detection.
* cipher/ecc.c (ecc_generate): Use NBITS instead of CTX->NBITS.
(ecc_encrypt_raw): Use NBITS from curve instead of from P.
Fix rawmpilen calculation.
(ecc_decrypt_raw): Likewise. Add debug output.
--
This fixes the commit dd3d06e7. NBITS is defined as 256 in ecc-curves.c,
so ecc_get_nbits returns 256, whereas CTX->NBITS is 255 for the Montgomery
curve.
Diffstat (limited to 'cipher/ecc-misc.c')
-rw-r--r-- | cipher/ecc-misc.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
index 67e3b3d8..33af6f74 100644
--- a/cipher/ecc-misc.c
+++ b/cipher/ecc-misc.c
@@ -322,7 +322,9 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
     }
   else
     {
-      a = rawmpi = _gcry_mpi_get_buffer (pk, ctx->nbits/8, &rawmpilen, NULL);
+      unsigned int nbytes = (ctx->nbits+7)/8;
+
+      a = rawmpi = _gcry_mpi_get_buffer (pk, nbytes, &rawmpilen, NULL);
       if (!a)
         return gpg_err_code_from_syserror ();
       /*
@@ -339,16 +341,17 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
        * So, we need to check if it's really the prefix or not.
        * Only when it's the prefix, we remove it.
        */
-      if (ctx->nbits/8 == rawmpilen - 1)
-        rawmpi++;
-      else if (rawmpilen < ctx->nbits/8)
+      if (rawmpilen > nbytes)
+        {/* Prefix 0x40 or 0x00 */
+          rawmpi++;
+          rawmpilen = nbytes;
+        }
+      else if (rawmpilen < nbytes)
         {/*
           * It is possible for data created by older implementation
           * to have shorter length when it was parsed as MPI.
           */
-          unsigned int new_rawmpilen = ctx->nbits/8;
-
-          rawmpi = xtrymalloc (new_rawmpilen);
+          rawmpi = xtrymalloc (nbytes);
           if (!rawmpi)
             {
               gpg_err_code_t err = gpg_err_code_from_syserror ();
@@ -356,8 +359,8 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
               return err;
             }
-          memset (rawmpi, 0, new_rawmpilen - rawmpilen);
-          memcpy (rawmpi + new_rawmpilen - rawmpilen, a, rawmpilen);
+          memset (rawmpi, 0, nbytes - rawmpilen);
+          memcpy (rawmpi + nbytes - rawmpilen, a, rawmpilen);
         }
     }
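Review bot: The new `if (rawmpilen > nbytes)` branch in the second hunk strips the first byte and clamps `rawmpilen = nbytes` without ever looking at the byte, although the comment directly above it says the code must check whether it really is the prefix, and the in-brace comment names only 0x40 or 0x00. Any buffer longer than nbytes — by one byte or by many — is therefore silently truncated into an nbytes-long point instead of being rejected, which makes a malformed or oversized public point decode to a plausible value rather than fail; the old condition at least required exactly nbytes+1. Accept only the exact prefix case and return an error for other oversized inputs; the buffer `a` presumably has to be released before that early return, as the xtrymalloc failure path appears to do in the lines elided from the hunk. The enclosing function starts before the first hunk and continues past the last one.
```c
      if (rawmpilen == nbytes + 1
          && (rawmpi[0] == 0x40 || rawmpi[0] == 0x00))
        {/* Prefix 0x40 or 0x00 */
          rawmpi++;
          rawmpilen = nbytes;
        }
      else if (rawmpilen > nbytes)
        {
          /* Longer than the curve's encoding and not a known prefix:
             reject instead of silently truncating.  */
          xfree (a);
          return GPG_ERR_INV_OBJ;
        }
      /* … unchanged: padding of shorter legacy encodings … */
```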