libgcrypt 1.12.0: gcry_mpi_ec_curve_point corrupts point
NIIBE Yutaka
gniibe at fsij.org
Fri Jan 30 08:08:59 CET 2026
Hello,
Thank you for testing.
Guido Vranken wrote:
> Afaik this affects Weierstrass curves with points satisfying Z >= 2 and
> limb count of X and/or Y != ctx->p->nlimbs. This is arguably a security
> vulnerability.
I was not careful enough for the commit:
92bbe34514ee180c074b882d8459cdf6b873ba0c
It changes the MPI of POINT for _gcry_mpi_ec_get_affine (thus,
gcry_mpi_ec_curve_point).
Here is the change to fix the regression.
==========================
diff --git a/mpi/ec.c b/mpi/ec.c
index d7bad4a6..b0b6f427 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1220,18 +1220,20 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, mpi_point_t point,
if (x)
{
- mpi_resize (point->x, ctx->p->nlimbs);
- point->x->nlimbs = ctx->p->nlimbs;
- ec_mulm_lli (x, point->x, z2, ctx);
+ mpi_set (x, point->x);
+ mpi_resize (x, ctx->p->nlimbs);
+ x->nlimbs = ctx->p->nlimbs;
+ ec_mulm_lli (x, x, z2, ctx);
}
if (y)
{
- mpi_resize (point->y, ctx->p->nlimbs);
- point->y->nlimbs = ctx->p->nlimbs;
+ mpi_set (y, point->y);
+ mpi_resize (y, ctx->p->nlimbs);
+ y->nlimbs = ctx->p->nlimbs;
z3 = mpi_new (0);
ec_mulm_lli (z3, z2, z1, ctx); /* z3 = z^(-3) mod p */
- ec_mulm_lli (y, point->y, z3, ctx);
+ ec_mulm_lli (y, y, z3, ctx);
mpi_free (z3);
}
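Review bot: the unconditional `x->nlimbs = ctx->p->nlimbs;` (and the matching `y->nlimbs = ctx->p->nlimbs;`) still truncates rather than reduces a coordinate that arrives with more limbs than ctx->p, so the function keeps relying on the caller passing coordinates already reduced mod p; a one-line comment stating that precondition above `mpi_set (x, point->x);` would make it explicit. Since the regression being fixed was that point->x and point->y were rewritten in place, a test asserting that both are limb-for-limb identical before and after gcry_mpi_ec_get_affine (with a point whose Z >= 2 and whose X/Y limb count differs from ctx->p->nlimbs, as in the report) would keep the copy-then-normalise order from being lost in a later refactor.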
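The regression check suggested above, sketched as an added example that is not libgcrypt code: a toy limb integer shaped like gcry_mpi (d, nlimbs, alloced) with the field multiply omitted, so only the limb-normalisation step the patch moves from the input to the output is modelled. `affine_x_before` follows the removed lines (resize the input, then read it), `affine_x_after` follows the added lines (copy first, then resize the copy), and `input_preserved` is the snapshot-and-compare check; all names, the 2-limb coordinate and the 4-limb modulus width are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Toy little-endian limb integer with the same three fields as libgcrypt's
   gcry_mpi but none of its arithmetic. Constructed for this example. */
typedef struct {
    unsigned long *d;
    unsigned nlimbs;
    unsigned alloced;
} toy_mpi;

static void *xrealloc(void *p, size_t n)
{
    void *q = realloc(p, n);
    if (!q)
        exit(1);
    return q;
}

static void toy_init(toy_mpi *a, const unsigned long *limbs, unsigned n)
{
    a->d = xrealloc(NULL, (n ? n : 1) * sizeof *a->d);
    memcpy(a->d, limbs, n * sizeof *limbs);
    a->nlimbs = a->alloced = n;
}

/* Grow the allocation to n limbs and zero the new ones. nlimbs is left
   alone, which is why the patched code assigns it explicitly afterwards. */
static void toy_resize(toy_mpi *a, unsigned n)
{
    if (n > a->alloced) {
        a->d = xrealloc(a->d, n * sizeof *a->d);
        memset(a->d + a->alloced, 0, (n - a->alloced) * sizeof *a->d);
        a->alloced = n;
    }
}

static void toy_set(toy_mpi *dst, const toy_mpi *src)
{
    toy_resize(dst, src->nlimbs);
    memcpy(dst->d, src->d, src->nlimbs * sizeof *src->d);
    dst->nlimbs = src->nlimbs;
}

/* Equal limb count and equal limb contents. */
static int toy_equal(const toy_mpi *a, const toy_mpi *b)
{
    return a->nlimbs == b->nlimbs
        && memcmp(a->d, b->d, a->nlimbs * sizeof *a->d) == 0;
}

typedef struct { toy_mpi x; } toy_point;

/* Order of the removed lines: normalise the caller's point, then read it. */
static void affine_x_before(toy_mpi *out, toy_point *pt, unsigned p_nlimbs)
{
    toy_resize(&pt->x, p_nlimbs);
    pt->x.nlimbs = p_nlimbs;      /* rewrites the input point */
    toy_set(out, &pt->x);
}

/* Order of the added lines: copy into the output, then normalise the copy. */
static void affine_x_after(toy_mpi *out, toy_point *pt, unsigned p_nlimbs)
{
    toy_set(out, &pt->x);
    toy_resize(out, p_nlimbs);
    out->nlimbs = p_nlimbs;
}

/* Regression check: snapshot the input, run the getter, compare.
   Returns 1 if the getter left its input untouched, 0 if it mutated it. */
static int input_preserved(void (*getter)(toy_mpi *, toy_point *, unsigned))
{
    static const unsigned long limbs[] = { 0x1234UL, 0x5UL };  /* constructed */
    const unsigned p_nlimbs = 4;   /* modulus wider than the coordinate */
    toy_point pt, snapshot;
    toy_mpi out;
    int ok;

    toy_init(&pt.x, limbs, 2);
    toy_init(&snapshot.x, limbs, 2);
    toy_init(&out, limbs, 0);
    getter(&out, &pt, p_nlimbs);
    ok = toy_equal(&pt.x, &snapshot.x);
    free(pt.x.d);
    free(snapshot.x.d);
    free(out.d);
    return ok;
}
```

The check compares limb count as well as contents, because the report is about a coordinate whose limb count was changed under the caller, not about its numeric value; `input_preserved(affine_x_before)` returns 0 and `input_preserved(affine_x_after)` returns 1.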