more change on Curve25519 ECDH
Werner Koch
wk at gnupg.org
Tue Apr 12 18:26:25 CEST 2016
On Tue, 12 Apr 2016 09:05, gniibe at fsij.org said:
> (1) For ecc_encrypt_raw, it won't abort but properly use X0 function
> to map infinity to 0
>
> (2) In ecc_decrypt_raw, avoiding validation (to be X25519 compatible) is
> based on the flag not the name of the curve.
>
> (3) In ecc_decrypt_raw, since our major use case is GnuPG, we handle
> the case of infinity differently. While X25519 returns 0,
> libgcrypt returns an error.
Okay.
> @@ -1394,7 +1394,13 @@ ecc_encrypt_raw (gcry_sexp_t *r_ciph, gcry_sexp_t
> + if (_gcry_mpi_ec_get_affine (x, y, &R, ec)
> + && !(flags & PUBKEY_FLAG_DJB_TWEAK))
> log_fatal ("ecdh: Failed to get affine coordinates for kdG\n");
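Review bot: the log_fatal call kept under the new two-part condition still terminates the calling process whenever _gcry_mpi_ec_get_affine fails and PUBKEY_FLAG_DJB_TWEAK is not set; in ecc_encrypt_raw this failure is better handed back to the caller as an error code. When the flag is set the failure is now skipped silently, and these lines do not show what x holds afterwards, so a short comment at the condition saying that the point at infinity is deliberately mapped to 0 in the tweak case would make the intent clear.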
Instead of calling log_fatal, which terminates the process, we had
better return an error.
> @@ -1598,8 +1604,8 @@ ecc_decrypt_raw (gcry_sexp_t *r_plain, gcry_sexp_t
> + if (_gcry_mpi_ec_get_affine (x, y, &R, ec))
> + {
> + if (!(flags & PUBKEY_FLAG_DJB_TWEAK))
> + log_fatal ("ecdh: Failed to get affine coordinates\n");
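Review bot: the inner log_fatal in ecc_decrypt_raw aborts the process when _gcry_mpi_ec_get_affine fails and PUBKEY_FLAG_DJB_TWEAK is not set, while point (3) of the description says libgcrypt returns an error for infinity on decrypt. Returning an error code in this branch as well would make both flag settings fail the same way from the caller's point of view. The branch taken when the flag is set is not visible in these lines, so it is worth checking that it sets the error and does not fall through with x unset.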
Ditto.
What do you think of such a change?
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.