authorNIIBE Yutaka <gniibe@fsij.org>2016-02-02 17:24:10 +0900
committerNIIBE Yutaka <gniibe@fsij.org>2016-02-02 17:24:10 +0900
commit48ba5a50066611ecacea850ced13f5cb66097a81 (patch)
tree823972543693b8c9679faaa16d29497bb748a01b /cipher
parenta2f9afcd7fcdafd5951498b07f34957f9766dce9 (diff)
ecc: more fix of Curve25519.
* cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removal of the prefix. Clear the MSB, according to RFC7748. -- This change fixes two things. * Handle the case where the prefix 0x40 comes at the end when scanned as a standard MPI. * Implement MSB handling. On page 7 of RFC7748, it says about decoding the u-coordinate: When receiving such an array, implementations of X25519 (but not X448) MUST mask the most significant bit in the final byte. Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'cipher')
-rw-r--r--cipher/ecc-misc.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c
index 33af6f74..e0dfec3c 100644
--- a/cipher/ecc-misc.c
+++ b/cipher/ecc-misc.c
@@ -342,10 +342,8 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
* Only when it's the prefix, we remove it.
*/
if (rawmpilen > nbytes)
- {/* Prefix 0x40 or 0x00 */
- rawmpi++;
- rawmpilen = nbytes;
- }
+ /* Prefix 0x40 or 0x00, which comes at the end (reverse) */
+ rawmpilen = nbytes;
else if (rawmpilen < nbytes)
{/*
* It is possible for data created by older implementation
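Review bot: The truncation at `rawmpilen = nbytes;` drops the trailing byte without looking at it, while the comment just above the hunk promises the byte is removed only when it is the 0x40/0x00 prefix; if rawmpilen can exceed nbytes by more than one (how rawmpi is produced is outside the hunk), the high-order bytes of an oversized value are silently discarded instead of rejected. Checking that the length is exactly nbytes + 1 and that rawmpi[nbytes] is 0x40 or 0x00, and otherwise taking the function's error path (not visible here), would make the code match the comment and turn malformed input into a reported error. As a point of style, the `if` body is now a comment followed by a single unbraced statement in front of `else if`; writing it as `if (rawmpilen > nbytes)` / `{ /* Prefix 0x40 or 0x00, which comes at the end (reverse) */ rawmpilen = nbytes; }` keeps the structure obvious. The mask added in the next hunk, `rawmpi[0] &= (1 << (ctx->nbits % 8)) - 1;`, evaluates to 0 when nbits is a multiple of 8 and would then clear the whole top byte; since RFC7748 restricts the masking to X25519, guarding it with `if (ctx->nbits % 8)` is the safer form. _gcry_ecc_mont_decodepoint begins before and ends after this hunk.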
@@ -364,6 +362,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result)
}
}
+ rawmpi[0] &= (1 << (ctx->nbits % 8)) - 1;
_gcry_mpi_set_buffer (result->x, rawmpi, rawmpilen, 0);
xfree (a);
mpi_set_ui (result->z, 1);