ECDH loads parameters as signed
Ján Jančár
jancar.jj at gmail.com
Wed Oct 31 00:32:32 CET 2018
On 29/10/2018 17:44, Werner Koch wrote:
> On Mon, 29 Oct 2018 15:41, jancar.jj at gmail.com said:
>
>> Any updates on this? Such exporting and loading parameters back should
>> work. The same problem appears in ECDSA.
>
> I considered to include this in 1.8.4 but given that I have seen no
> further comments your patch first needs closer investigations. We need
> to check the history to see why the code was written this way. Even if
> your issue is a bug (in the sense of a wrong/different implementation)
> we can't simply change it and risk that other applications break.
The use of sexp_extract_param with the signed prefix was introduced in
6bd5d18c, which moved the sexp parsing from gcry_pk_encrypt to
ecc_encrypt_raw. Previously the keyparams S-exp was parsed using a loop and:
gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_STD);
as in 6bd5d18c: cipher/pubkey.c (sexp_elements_extract_ecc).
However, before 6bd5d18c, which introduced eddsa, this was done using:
gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
Thus there is the change from unsigned to signed.
I think reasonable behavior is one where the way the S-exp is built
determines whether the mpis are considered signed or unsigned, thus %M
-> unsigned, %m -> signed, as I think the S-exp should hold this
information, or not?
Cheers,
Ján Jančár
More information about the Gcrypt-devel
mailing list