ECDH loads parameters as signed

Ján Jančár jancar.jj at
Thu Oct 18 11:51:57 CEST 2018

Hi all,
while trying to get libgcrypt to do ECDH I think I came across a bug, or
at least a bit of unexpected behavior.

See the attached test.c for a proof-of-concept that fails/loops
indefinitely, but should work. The issue is that
ecc_encrypt_raw/ecc_decrypt_raw extract the domain
parameters from the keys using the signed option in sexp_extract_param.
This means that if keys are generated, then exported into unsigned MPIs
from the S-exps, then again built into S-exps using the unsigned
notation %M, and passed into ecc_encrypt_raw/ecc_decrypt_raw, they will
still be considered signed if their highest bit is set. This is a
problem for most curves that have such primes/parameters.

The attached patch fixes this problem and the proof-of-concept works.

Ján Jančár
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ecc-Fix-loading-of-parameters-in-ecdh.patch
Type: text/x-patch
Size: 1534 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.c
Type: text/x-csrc
Size: 3061 bytes
Desc: not available
URL: <>
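
The signed-versus-unsigned reading described in the message above, as an added example that is not part of the original post, its attachments, or libgcrypt: a stand-alone C model of how a two's complement reader treats a big-endian buffer whose highest bit is set, and how a leading 0x00 byte keeps the value positive. The NIST P-256 field prime is used as a sample value, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sample value chosen for this example: the NIST P-256 field prime,
   big-endian. Its most significant bit is set. */
static const unsigned char P256_P[32] = {
    0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF,
    0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF };

/* Signed (two's complement) reading of a big-endian buffer. Returns 1 if the
   value is negative and writes its magnitude (n bytes) to mag. */
static int parse_signed(const unsigned char *in, size_t n, unsigned char *mag)
{
    unsigned carry = 1;
    if (n == 0 || !(in[0] & 0x80)) {  /* top bit clear: same as unsigned */
        memcpy(mag, in, n);
        return 0;
    }
    for (size_t i = n; i-- > 0; ) {   /* magnitude = ~in + 1 */
        unsigned v = (unsigned char)~in[i] + carry;
        mag[i] = (unsigned char)v;
        carry = v >> 8;
    }
    return 1;
}

/* Encoding that a signed reader takes as positive: prefix 0x00 if top bit set. */
static size_t encode_for_signed(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t pad = (n > 0 && (in[0] & 0x80)) ? 1 : 0;
    out[0] = 0x00;
    memcpy(out + pad, in, n);
    return n + pad;
}

int main(void)
{
    unsigned char mag[33], padded[33];
    int neg = parse_signed(P256_P, sizeof P256_P, mag);
    printf("raw:    negative=%d intact=%d\n", neg, memcmp(mag, P256_P, 32) == 0);
    size_t n = encode_for_signed(P256_P, sizeof P256_P, padded);
    neg = parse_signed(padded, n, mag);
    printf("padded: negative=%d intact=%d\n", neg, memcmp(mag + 1, P256_P, 32) == 0);
    return 0;
}
```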