Suspicious about sign_ecdsa
Werner Koch
wk at gnupg.org
Wed Sep 25 09:02:36 CEST 2013
On Tue, 24 Sep 2013 21:48, dbaryshkov at gmail.com said:
> This made me extremely suspicious. It looks to me like a possible endless loop.
> If generated k makes r != 0, but s = 0, sign_ecdsa will loop forever, as code
> outside while (r != 0) loop does not contain any non-deterministic option.
You are right. However, the case of either of them being zero is very
unlikely, so that implementation may do it with out any check. Given
the unlikeliness my comment about the need to keep R is also bogus.
I just pushed the suggested fix to master. Backporting is not
justified.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gcrypt-devel
mailing list