mirror of
https://github.com/freebsd/freebsd-src
synced 2024-09-20 00:33:57 +00:00
Always clamp curve25519 keys prior to use.
This fixes an issue where a private key contained bits that should have been cleared by the clamping process, but were passed through to the scalar multiplication routine and resulted in an invalid public key.

Issue diagnosed (and an initial fix proposed) by shamaz.mazum in PR 252894. This fix suggested by Jason Donenfeld.

PR: 252894
Reported by: shamaz.mazum
Reviewed by: dch
MFC after: 3 days
This commit is contained in:
parent
9b131f1e51
commit
5aaea4b99e
@ -767,6 +767,7 @@ void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
u8 e[32];

memcpy(e, scalar, 32);
curve25519_clamp_secret(e);

/* The following implementation was transcribed to Coq and proven to
* correspond to unary scalar multiplication in affine coordinates given
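Review bot: the added curve25519_clamp_secret(e) call is applied to the local copy e rather than to the caller's scalar, which is the right place for it, but the function's header comment should state that the scalar is clamped internally so that callers can rely on it; clamping is idempotent, so callers that already clamp before calling see no change in output. Separately, e holds a copy of the secret scalar on the stack and the visible context ends before the function's exit, so please confirm that e is wiped (for example with explicit_bzero(e, sizeof(e))) before curve25519_generic returns.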