ECDH loads parameters as signed

Ján Jančár jancar.jj at
Mon Oct 29 15:41:44 CET 2018

On 18/10/2018 11:51, Ján Jančár wrote:
> Hi all,
> while trying to get libgcrypt to do ECDH I think I came up to a bug, or
> at least a bit of unexpected behavior.
> See the attached test.c for a proof-of-concept that fails/loops
> indefinitely, but should work. The issue is that
> ecc_encrypt_raw/ecc_decrypt_raw extract the domain
> parameters from the keys using the signed option in sexp_extract_param.
> This means that if keys are generated, then exported into unsigned MPIs
> from the S-exps, then again built into S-exps using the unsigned
> notation %M, and passed into ecc_encrypt_raw/ecc_decrypt_raw, they will
> still be considered signed if their highest bit is set. This is a
> problem for most curves that have such primes/parameters.
> The attached patch fixes this problem and the proof-of-concept works.

Any updates on this? Such exporting and loading parameters back should
work. The same problem appears in ECDSA.

Ján Jančár

More information about the Gcrypt-devel mailing list