ECDH loads parameters as signed
Ján Jančár
jancar.jj at gmail.com
Thu Oct 18 11:51:57 CEST 2018
Hi all,
while trying to get libgcrypt to do ECDH I think I came up to a bug, or
at least a bit of unexpected behavior.
See the attached test.c for a proof-of-concept that fails/loops
indefinitely, but should work. The issue is that
ecc_encrypt_raw/ecc_decrypt_raw extract the domain
parameters from the keys using the signed option in sexp_extract_param.
This means that if keys are generated, then exported into unsigned MPIs
from the S-exps, then again built into S-exps using the unsigned
notation %M, and passed into ecc_encrypt_raw/ecc_decrypt_raw, they will
still be considered signed if their highest bit is set. This is a
problem for most curves that have such primes/parameters.
The attached patch fixes this problem and the proof-of-concept works.
Cheers,
Ján Jančár
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ecc-Fix-loading-of-parameters-in-ecdh.patch
Type: text/x-patch
Size: 1534 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20181018/c7473dfe/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.c
Type: text/x-csrc
Size: 3061 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20181018/c7473dfe/attachment.c>
More information about the Gcrypt-devel
mailing list