ECDH loads parameters as signed

Ján Jančár jancar.jj at
Wed Oct 31 00:32:32 CET 2018

On 29/10/2018 17:44, Werner Koch wrote:
> On Mon, 29 Oct 2018 15:41, jancar.jj at said:
>> Any updates on this? Such exporting and loading parameters back should
>> work. The same problem appears in ECDSA.
> I considered to include this in 1.8.4 but given that I have seen no
> further comments your patch first needs closer investigations.  We need
> to check the history to see why the code was written this way.  Even if
> your issue is a bug (in the sense of a wrong/different implementation)
> we can't simply change it and risk that other applications break.

The use of sexp_extract_param with the signed prefix was introduced in
6bd5d18c, which moved the sexp parsing from gcry_pk_encrypt to
ecc_encrypt_raw. Previously the keyparams S-exp was parsed using a loop and:

gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_STD);

as in 6bd5d18c: cipher/pubkey.c (sexp_elements_extract_ecc).

However, before 6bd5d18c, which introduced eddsa, this was done using:

gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);

Thus there is the change from unsigned to signed.

I think reasonable behavior is one where the way the S-exp is built
determines whether the mpis are considered signed or unsigned, thus %M
-> unsigned, %m -> signed, as I think the S-exp should hold this
information, or not?

Ján Jančár

More information about the Gcrypt-devel mailing list