mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
5d92b853f6
The EFD database does not state that the "ladd-2002-it-3" algorithm assumes X1 != 0. Consequently the current implementation, based on it, fails to compute correctly if the affine x coordinate of the scalar multiplication input point is 0. We replace this implementation using the alternative algorithm based on Eq. (9) and (10) from the same paper, which being derived from the additive relation of (6) does not incur in this problem, but costs one extra field multiplication. The EFD entry for this algorithm is at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4 and the code to implement it was generated with tooling. Regression tests add one positive test for each named curve that has such a point. The `SharedSecret` was generated independently from the OpenSSL codebase with sage. This bug was originally reported by Dmitry Belyavsky on the openssl-users maling list: https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7000) |
||
|---|---|---|
| .. | ||
| asm | ||
| curve448 | ||
| build.info | ||
| curve25519.c | ||
| ec2_oct.c | ||
| ec2_smpl.c | ||
| ec_ameth.c | ||
| ec_asn1.c | ||
| ec_check.c | ||
| ec_curve.c | ||
| ec_cvt.c | ||
| ec_err.c | ||
| ec_key.c | ||
| ec_kmeth.c | ||
| ec_lcl.h | ||
| ec_lib.c | ||
| ec_mult.c | ||
| ec_oct.c | ||
| ec_pmeth.c | ||
| ec_print.c | ||
| ecdh_kdf.c | ||
| ecdh_ossl.c | ||
| ecdsa_ossl.c | ||
| ecdsa_sign.c | ||
| ecdsa_vrf.c | ||
| eck_prn.c | ||
| ecp_mont.c | ||
| ecp_nist.c | ||
| ecp_nistp224.c | ||
| ecp_nistp256.c | ||
| ecp_nistp521.c | ||
| ecp_nistputil.c | ||
| ecp_nistz256_table.c | ||
| ecp_nistz256.c | ||
| ecp_oct.c | ||
| ecp_smpl.c | ||
| ecx_meth.c | ||