On 3/27/25 20:21, NIIBE Yutaka wrote:
[...]

> Because we expose the lower level API, it is possible for an application
> to violate the preconditions, by supplying an ECC point with larger MPIs.
>
> By the violation of the preconditions, it used to result in the call of
> log_bug (emitting a message and abort).  After the change of mine, it
> results in a wrong value, by using lower bits and ignoring upper bits.

Are the ignored upper bits definitely zero or could an application reasonably expect libgcrypt to do something useful with such a point (perhaps reducing a value between P and 2*P to its proper value mod P?)?

[...]

> If we'd take an approach of more kindness, we could add the check for
> the external API to examine the field in ECC points for preconditions.

That is probably a good idea, along with making certain that the preconditions are documented.


-- Jacob
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
