path: root/main/nettle/CVE-2015-8803_5.patch
From: Niels Möller <nisse@lysator.liu.se>
Origin: upstream, https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
Subject: CVE-2015-8803 and CVE-2015-8805: Miscomputation bugs in secp-256r1 modulo functions.

--- a/ecc-256.c
+++ b/ecc-256.c
@@ -108,7 +119,10 @@ ecc_256_modp (const struct ecc_curve *ec
       u0 -= t;
       t = (u1 < cy);
       u1 -= cy;
-      u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);
+
+      cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);
+      u0 += cy;
+      u1 += (u0 < cy);
       u1 -= (-t) & 0xffffffff;
     }
   rp[2] = u0;
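Review bot: The three added lines (`cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);`, `u0 += cy;`, `u1 += (u0 < cy);`) carry no comment explaining why the conditional add now covers only two limbs of p and why its carry is then propagated by hand through u0 and u1 before the existing `u1 -= (-t) & 0xffffffff;`, so a reader comparing this with the removed three-limb call cannot tell that the split is deliberate. Suggest a comment above the `cy =` line along the lines of `/* Conditionally add the low two limbs of p; the carry goes into u0 and then u1. The remaining limbs of p are folded in by the subtraction below. */`, with the exact limb values checked against the definition of ecc->p rather than asserted here. The `(u0 < cy)` test is a valid carry detector only because cnd_add_n returns a single-bit carry; that assumption is worth stating in the same comment. Reusing `cy`, which just above held the borrow subtracted from u1, for the new carry is harmless since the old value is not read again, but a separate name would keep the two roles apart. ecc_256_modp starts before and continues after this hunk.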
@@ -195,7 +209,7 @@ ecc_256_modq (const struct ecc_curve *ec
 
       /* Conditional add of p */
       u1 += t;
-      u2 += (t<<32) + (u0 < t);
+      u2 += (t<<32) + (u1 < t);
 
       t = cnd_add_n (t, rp + n - 4, ecc->q, 2);
       u1 += t;