From 48ba5a50066611ecacea850ced13f5cb66097a81 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Tue, 2 Feb 2016 17:24:10 +0900 Subject: ecc: more fix of Curve25519. * cipher/ecc-misc.c (gcry_ecc_mont_decodepoint): Fix removing of prefix. Clear the MSB, according to RFC7748. -- This change fixes two things. * Handle the case the prefix 0x40 comes at the end when scanned as standard MPI. * Implement MSB handling. In the page 7 of RFC7748, it says about decoding u-coordinate: When receiving such an array, implementations of X25519 (but not X448) MUST mask the most significant bit in the final byte. Signed-off-by: NIIBE Yutaka --- cipher/ecc-misc.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'cipher') diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c index 33af6f74..e0dfec3c 100644 --- a/cipher/ecc-misc.c +++ b/cipher/ecc-misc.c @@ -342,10 +342,8 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) * Only when it's the prefix, we remove it. */ if (rawmpilen > nbytes) - {/* Prefix 0x40 or 0x00 */ - rawmpi++; - rawmpilen = nbytes; - } + /* Prefix 0x40 or 0x00, which comes at the end (reverse) */ + rawmpilen = nbytes; else if (rawmpilen < nbytes) {/* * It is possible for data created by older implementation @@ -364,6 +362,7 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ctx, mpi_point_t result) } } + rawmpi[0] &= (1 << (ctx->nbits % 8)) - 1; _gcry_mpi_set_buffer (result->x, rawmpi, rawmpilen, 0); xfree (a); mpi_set_ui (result->z, 1); -- cgit v1.2.1
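Review bot: in the first hunk, `if (rawmpilen > nbytes) rawmpilen = nbytes;` drops however many trailing bytes exceed nbytes, not exactly one prefix byte, so an encoding that is two or more bytes too long is silently accepted with its tail discarded instead of being rejected. The comment kept above the hunk says "Only when it's the prefix, we remove it", yet nothing here checks that the removed byte is 0x40 or 0x00. Suggest requiring `rawmpilen == nbytes + 1` (and, if the comment is meant literally, checking the value of the trailing byte) and returning an error otherwise. The new comment "which comes at the end (reverse)" should also spell out what has been reversed, since that is the only explanation for why the old `rawmpi++` could be dropped.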
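Review bot: in the second hunk, `rawmpi[0] &= (1 << (ctx->nbits % 8)) - 1;` clears the entire top byte whenever `ctx->nbits` is a multiple of 8, because the mask then evaluates to `(1 << 0) - 1 == 0`. For a 255-bit curve the mask is 0x7f and this correctly implements the RFC 7748 rule quoted in the commit message, but that same sentence says the masking applies to X25519 "but not X448", and 448 % 8 == 0, so for any byte-aligned Montgomery curve this line would wipe eight bits of the u-coordinate. Suggest guarding it, e.g. `if (ctx->nbits % 8) rawmpi[0] &= (1 << (ctx->nbits % 8)) - 1;`, or making the masking explicitly conditional on Curve25519. A short comment that `_gcry_mpi_set_buffer` consumes the buffer as a big-endian number, so rawmpi[0] is the "final byte" of the little-endian array the RFC refers to, would also help the next reader.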