Contract P-224 elements before returning them.
cfd50c63
switched to using the add/dbl of p224_64.c, but the outputs
weren't contracted before being returned and could be out of range,
giving invalid results.
Change-Id: I3cc295c7ddbff43375770dbafe73b37a668e4e6b
Reviewed-on: https://boringssl-review.googlesource.com/c/33184
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
parent
e6eef1ca16
commit
549b9024d4
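--- a/crypto/fipsmodule/ec/ec_test.cc
+++ b/crypto/fipsmodule/ec/ec_test.cc
@@ -754,6 +754,17 @@ TEST_P(ECCurveTest, P224Bug) {
   EXPECT_EQ(0, EC_POINT_cmp(group(), ret.get(), g, nullptr));
 }
 
+TEST_P(ECCurveTest, GPlusMinusG) {
+  const EC_POINT *g = EC_GROUP_get0_generator(group());
+  bssl::UniquePtr<EC_POINT> p(EC_POINT_dup(g, group()));
+  ASSERT_TRUE(p);
+  ASSERT_TRUE(EC_POINT_invert(group(), p.get(), nullptr));
+  bssl::UniquePtr<EC_POINT> sum(EC_POINT_new(group()));
+
+  ASSERT_TRUE(EC_POINT_add(group(), sum.get(), g, p.get(), nullptr));
+  EXPECT_TRUE(EC_POINT_is_at_infinity(group(), sum.get()));
+}
+
 static std::vector<EC_builtin_curve> AllCurves() {
   const size_t num_curves = EC_get_builtin_curves(nullptr, 0);
   std::vector<EC_builtin_curve> curves(num_curves);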
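Review bot: The new test covers only the add path of the fix, because G + (−G) reaching infinity exercises ec_GFp_nistp224_add while the contraction added to ec_GFp_nistp224_dbl in the same commit has no test at all. A companion test that doubles the generator with EC_POINT_dbl and compares the result against 2·G computed another way would close that gap; the sketch below uses EC_POINT_mul with the scalar 2, on the assumption that scalar multiplication on this curve does not route through the same dbl wrapper, which is worth confirming before relying on it. As a smaller point, `sum` is used without the null check that `p` receives two lines earlier; EC_POINT_new can fail, and although the following ASSERT_TRUE on EC_POINT_add would presumably catch a null output point, the test should state its own precondition with `ASSERT_TRUE(sum);` right after the EC_POINT_new line.
```cpp
TEST_P(ECCurveTest, DoubleMatchesScalarMul) {
  const EC_POINT *g = EC_GROUP_get0_generator(group());
  bssl::UniquePtr<EC_POINT> dbl(EC_POINT_new(group()));
  bssl::UniquePtr<EC_POINT> two_g(EC_POINT_new(group()));
  bssl::UniquePtr<BIGNUM> two(BN_new());
  ASSERT_TRUE(dbl && two_g && two);
  ASSERT_TRUE(BN_set_word(two.get(), 2));
  ASSERT_TRUE(EC_POINT_dbl(group(), dbl.get(), g, nullptr));
  ASSERT_TRUE(EC_POINT_mul(group(), two_g.get(), nullptr, g, two.get(), nullptr));
  EXPECT_EQ(0, EC_POINT_cmp(group(), dbl.get(), two_g.get(), nullptr));
}
```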
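--- a/crypto/fipsmodule/ec/p224-64.c
+++ b/crypto/fipsmodule/ec/p224-64.c
@@ -1011,8 +1011,12 @@ static void ec_GFp_nistp224_add(const EC_GROUP *group, EC_RAW_POINT *r,
   p224_generic_to_felem(y2, &b->Y);
   p224_generic_to_felem(z2, &b->Z);
   p224_point_add(x1, y1, z1, x1, y1, z1, 0 /* both Jacobian */, x2, y2, z2);
+  // The outputs are already reduced, but still need to be contracted.
+  p224_felem_contract(x1, x1);
   p224_felem_to_generic(&r->X, x1);
+  p224_felem_contract(y1, y1);
   p224_felem_to_generic(&r->Y, y1);
+  p224_felem_contract(z1, z1);
   p224_felem_to_generic(&r->Z, z1);
 }
 
@@ -1023,8 +1027,12 @@ static void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_RAW_POINT *r,
   p224_generic_to_felem(y, &a->Y);
   p224_generic_to_felem(z, &a->Z);
   p224_point_double(x, y, z, x, y, z);
+  // The outputs are already reduced, but still need to be contracted.
+  p224_felem_contract(x, x);
   p224_felem_to_generic(&r->X, x);
+  p224_felem_contract(y, y);
   p224_felem_to_generic(&r->Y, y);
+  p224_felem_contract(z, z);
   p224_felem_to_generic(&r->Z, z);
 }
 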
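Review bot: The contract-then-convert pair is now spelled out six times across ec_GFp_nistp224_add and ec_GFp_nistp224_dbl, and the omission this commit repairs can recur in any other place that hands a p224_felem to p224_felem_to_generic; folding the contraction into a single helper that is the only route from a p224_felem to an EC_FELEM removes that failure mode rather than patching two instances of it. The added comment `// The outputs are already reduced, but still need to be contracted.` would also help more if it said what the distinction is: presumably "reduced" means the limbs are within their bounds while the value may still not be the unique representative below p, and "contracted" means the canonical form that generic code such as EC_POINT_is_at_infinity and EC_POINT_cmp relies on, which is why the uncontracted outputs gave invalid results — I am inferring this from the function names, so check it against p224_felem_contract's own comment before committing to that wording. Both functions begin before their hunks, so the surrounding locals are not visible here.
```c
// p224_felem_to_generic_contracted writes |in| to |out| in canonical form.
// p224_point_add and p224_point_double leave their outputs reduced but not
// contracted, and the generic EC_FELEM representation requires the latter.
static void p224_felem_to_generic_contracted(EC_FELEM *out, p224_felem in) {
  p224_felem_contract(in, in);
  p224_felem_to_generic(out, in);
}

/* … unchanged: ec_GFp_nistp224_add up to and including p224_point_add … */
  p224_felem_to_generic_contracted(&r->X, x1);
  p224_felem_to_generic_contracted(&r->Y, y1);
  p224_felem_to_generic_contracted(&r->Z, z1);
```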