From 14ebb4ff27dd32c7bc834b7b1945a7f534b66d3c Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Fri, 25 Nov 2016 14:43:22 -0500 Subject: [PATCH] Don't compute the Kronecker symbol in ec_GFp_simple_set_compressed_coordinates. If y is zero, there is no point with odd y, so the odd bit may not be set, hence EC_R_INVALID_COMPRESSION_BIT. This code instead computed the Kronecker symbol of x and changed the error code to EC_R_INVALID_COMPRESSED_POINT if not a square. As the comment says, this was (intended to be) unreachable. But it seems x was a typo for tmp1. It dates to before upstream's 6fb60a84dd1ec81953917e0444dab50186617432, when BN_mod_sqrt gave garbage if its input was not square. Now it emits BN_R_NOT_A_SQUARE. Upstream's 48fe4d6233ac2d60745742a27f820dd88bc6689d then mapped BN_R_NOT_A_SQUARE to EC_R_INVALID_COMPRESSED_POINT. Change-Id: Id9e02fa1c154b61cc0c3a768c9cfe6bd9674c378 Reviewed-on: https://boringssl-review.googlesource.com/12463 Reviewed-by: Adam Langley --- crypto/ec/oct.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/crypto/ec/oct.c b/crypto/ec/oct.c index bf1957ca..11a88d8f 100644 --- a/crypto/ec/oct.c +++ b/crypto/ec/oct.c @@ -381,19 +381,7 @@ int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, if (y_bit != BN_is_odd(y)) { if (BN_is_zero(y)) { - int kron; - - kron = BN_kronecker(x, &group->field, ctx); - if (kron == -2) { - goto err; - } - - if (kron == 1) { - OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT); - } else { - /* BN_mod_sqrt() should have cought this error (not a square) */ - OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSED_POINT); - } + OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT); goto err; } if (!BN_usub(y, &group->field, y)) {
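Review bot: The deleted branch in this hunk only ever passed `x` to `BN_kronecker(x, &group->field, ctx)`, so the "not a square" fallback tested the wrong value and the `EC_R_INVALID_COMPRESSED_POINT` arm was unreachable for a square x, which matches the commit message's reasoning and makes the single `OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT); goto err;` the correct outcome for the `BN_is_zero(y)` case (y == 0 means the only point with this x has even y, so a set odd bit cannot be satisfied). One thing to confirm before merging: the change now relies entirely on `BN_mod_sqrt` reporting `BN_R_NOT_A_SQUARE` for a non-square right-hand side and on that error being mapped to `EC_R_INVALID_COMPRESSED_POINT` elsewhere, which is not visible in this diff; a regression test that decodes a compressed encoding with y == 0 and the odd bit set (expecting `EC_R_INVALID_COMPRESSION_BIT`) and one with a non-square right-hand side (expecting `EC_R_INVALID_COMPRESSED_POINT`) would pin both behaviours down. Minor: the removed comment's "cought" goes away with the block, so no spelling fix is needed.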