[gnutls-devel] GnuTLS | lib/nettle: fix carry flag in Streebog code (!992)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue May 7 15:21:42 CEST 2019




Dmitry Eremin-Solenikov commented on a discussion on lib/nettle/gost/streebog.c: https://gitlab.com/gnutls/gnutls/merge_requests/992#note_167534005

>          }
>      }
>  
> +  cf = 0;
>    ctx->sigma[0] += M[0];
>    for (i = 1; i < 8; i++)
> -    if (ctx->sigma[i-1] < M[i-1])
> -      ctx->sigma[i] += M[i] + 1;
> -    else
> -      ctx->sigma[i] += M[i];
> +    {
> +      if (ctx->sigma[i-1] != M[i-1])
> +	cf = (ctx->sigma[i-1] < M[i-1]);

No, it will be reset once there is no carried overflow.
In your example (if we use bytes instead of u64, lsb arrays):
sigma = 01 00 00 00
M = ff 00 00 00
0. sigma = **00** 00 00 00
1. i = 1, cf = 1, sigma = 00 **01** 00 00
2. i = 2, cf = 0, sigma = 00 01 **00** 00
3. i = 3, cf = 0, sigma = 00 01 00 **00**

A failing example:
sigma = ff ff ff 00 00
M = ff ff ff 00 00
then:
0. sigma = **fe** ff ff 00 00
1. i = 1, cf = 1 (overflow), sigma = fe **ff** ff 00 00
2. i = 2, cf = 1 (carried), sigma = fe ff **ff** 00 00 (with current code this would be fe ff **fe** 00 00)
3. i = 3, cf = 1 (carried), sigma = fe ff ff **01** 00
4. i = 4, cf = 0 (reset, no overflow), sigma = fe ff ff 01 **00**

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/992#note_167534005
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190507/14f854d3/attachment-0001.html>


More information about the Gnutls-devel mailing list