[gnutls-devel] GnuTLS | lib/nettle: fix carry flag in Streebog code (!992)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Tue May 7 15:21:42 CEST 2019
Dmitry Eremin-Solenikov commented on a discussion on lib/nettle/gost/streebog.c: https://gitlab.com/gnutls/gnutls/merge_requests/992#note_167534005
> }
> }
>
> + cf = 0;
> ctx->sigma[0] += M[0];
> for (i = 1; i < 8; i++)
> - if (ctx->sigma[i-1] < M[i-1])
> - ctx->sigma[i] += M[i] + 1;
> - else
> - ctx->sigma[i] += M[i];
> + {
> + if (ctx->sigma[i-1] != M[i-1])
> + cf = (ctx->sigma[i-1] < M[i-1]);
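Review bot: The equal case at `if (ctx->sigma[i-1] != M[i-1])` silently keeps the previous `cf`, and nothing in the hunk explains why that is correct. After adding `M[i-1]` and a carry-in, the limb can equal `M[i-1]` only when the old limb was 0 with no carry-in or all-ones with a carry-in, so the carry-out equals the carry-in. A one-line comment above the `if` saying so would stop a later cleanup from collapsing this back into the plain `<` test that the removed lines used. The quoted hunk ends before the statement that consumes `cf`, so also confirm that `cf` is added to `ctx->sigma[i]` together with `M[i]` and that its type matches the limb type.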
No, it will be reset once there is no carried overflow.
In your example (if we use bytes instead of u64, lsb arrays):
sigma = 01 00 00 00
M = ff 00 00 00
0. sigma = **00** 00 00 00
1. i = 1, cf = 1, sigma = 00 **01** 00 00
2. i = 2, cf = 0, sigma = 00 01 **00** 00
3. i = 3, cf = 0, sigma = 00 01 00 **00**
A failing example:
sigma = ff ff ff 00 00
M = ff ff ff 00 00
then:
0. sigma = **fe** ff ff 00 00
1. i = 1, cf = 1 (overflow), sigma = fe **ff** ff 00 00
2. i = 2, cf = 1 (carried), sigma = fe ff **ff** 00 00 (with current code this would be fe ff **fe** 00 00)
3. i = 3, cf = 1 (carried), sigma = fe ff ff **01** 00
4. i = 4, cf = 0 (reset, no overflow), sigma = fe ff ff 01 **00**
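The traces in the comment above, generalised into a check (an added example, not code from the merge request or from GnuTLS). Byte limbs stand in for the u64 words; `add_old` mirrors the removed lines, `add_new` mirrors the added lines with the final `+ cf` statement assumed because the quoted hunk ends before it, and `add_ref` and `count_mismatches` are hypothetical helpers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMBS 5 /* byte limbs, least significant first, as in the email */
/* Removed lines: carry inferred from sigma[i-1] < M[i-1] alone. */
static void add_old(uint8_t *sigma, const uint8_t *M) {
    sigma[0] = (uint8_t)(sigma[0] + M[0]);
    for (int i = 1; i < LIMBS; i++)
        sigma[i] = (uint8_t)(sigma[i] + M[i] + (sigma[i-1] < M[i-1]));
}

/* Added lines: cf survives an equal limb. The "+ cf" line is assumed, not shown in the hunk. */
static void add_new(uint8_t *sigma, const uint8_t *M) {
    unsigned cf = 0;
    sigma[0] = (uint8_t)(sigma[0] + M[0]);
    for (int i = 1; i < LIMBS; i++) {
        if (sigma[i-1] != M[i-1])
            cf = (sigma[i-1] < M[i-1]);
        sigma[i] = (uint8_t)(sigma[i] + M[i] + cf);
    }
}

/* Reference: wide accumulator, carry is whatever sits above bit 7. */
static void add_ref(uint8_t *sigma, const uint8_t *M) {
    for (unsigned i = 0, acc = 0; i < LIMBS; i++, acc >>= 8)
        sigma[i] = (uint8_t)(acc += (unsigned)sigma[i] + M[i]);
}

/* Count constructed edge-valued input pairs where add disagrees with add_ref. */
static long count_mismatches(void (*add)(uint8_t *, const uint8_t *)) {
    static const uint8_t edge[4] = { 0x00, 0x01, 0xfe, 0xff };
    long bad = 0;
    for (unsigned a = 0; a < 1u << (2 * LIMBS); a++)
        for (unsigned b = 0; b < 1u << (2 * LIMBS); b++) {
            uint8_t s[LIMBS], r[LIMBS], m[LIMBS];
            for (int i = 0; i < LIMBS; i++) {
                s[i] = r[i] = edge[(a >> (2 * i)) & 3];
                m[i] = edge[(b >> (2 * i)) & 3];
            }
            add(s, m);
            add_ref(r, m);
            bad += memcmp(s, r, LIMBS) != 0;
        }
    return bad;
}

int main(void) {
    printf("mismatches: old=%ld new=%ld\n", count_mismatches(add_old), count_mismatches(add_new));
}
```

The failing input from the email, ff ff ff 00 00 added to itself, is one of the pairs on which `add_old` diverges from the reference.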