mpi_swap_cond: different sizes error on eddsa key generation

Kostis Andrikopoulos el11151 at
Sun Dec 18 22:55:14 CET 2016

Hello again,

Thanks for the thorough explanation of the code related to the bug. I
think i have isolated the buggy code enough to be able to reach some

To give some context, our library is a fork of the libotr library. So
there is a possibility that it is not an actual bug of the gcrypt but an
error in libotr (however it worked correctly with an older gcrypt version).

The bug appears to be introduced when libotr sets a custom allocation
handler for the secure memory. This might explain why either

    a->nlimbs > b->alloced

    b->nlimbs > a->alloced

when it shouldn't, since it might change the way those objects are
stored in memory from how gcrypt excepts them to be.

In any case i included a not-so-minimal testcase that might help you. I
ran the code in libgcrypt version 1.7.3 and compiled with

gcc -o test main.c chat_sign.c mem.c `libgcrypt-config --libs`

When i run ./test the following error appears

Ohhhh jeeee: mpi_swap_cond: different sizes
[1]    16198 abort (core dumped)  ./test

When you remove the call to otrl_mem_init() and compile, the programme
should finish with no errors.

Hope this helps.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gcry.tar
Type: application/x-tar
Size: 20480 bytes
Desc: not available
URL: </pipermail/attachments/20161218/93d2aa0e/attachment-0001.tar>

More information about the Gcrypt-devel mailing list