Page MenuHome GnuPG
Create Task
Maniphest T4964

ecc: Discrepancy of handling MPI for the interpretation of signed and unsigned
Closed, ResolvedPublic
Actions

Description

In the code of ECC with SEXP, some parts are handled as signed, other parts are handled as unsigned.
While having this inconsistency, it works.
Because it (computation result) never emits negative value (writing is handled as signed data with leading zero octet,
and reading is done by signed or unsigned).

In the code for curve Ed25519, we use negative constants unfortunately in its domain parameters, and it affects the computation of keygrip.
<-- only this part should be kept for the use of negative value.
Except this part of Ed25519, other parts are all unsigned.

Revisions and Commits

rC libgcrypt
rC00d7c1c63201 sexp: Raise an error when an integer is negative with USG.
rC6f8b1d4cb798 ecc: Consistently handle parameters as unsigned value.

Related Objects
Search...

Event Timeline

gniibe created this task.Jun 1 2020, 7:23 AM
gniibe added a commit: rC6f8b1d4cb798: ecc: Consistently handle parameters as unsigned value..Jun 1 2020, 8:00 AM
gniibe renamed this task from ecc: Disrepancy of handling MPI for the interpretation of signed and unsigned to ecc: Discrepancy of handling MPI for the interpretation of signed and unsigned.Nov 16 2020, 8:09 AM
werner added a subscriber: werner.Jan 7 2021, 11:33 AM

Do we really need this for 1.9?

gniibe updated the task description. (Show Details)Jan 8 2021, 2:16 AM
gniibe added a comment.Jan 8 2021, 3:13 AM

I describe about rC6f8b1d4cb798: ecc: Consistently handle parameters as unsigned value..

rC6f8b1d4cb798 is important (for me), as it is the removal of the last place which (somehow explicitly) allows use of negative value.

After this change, the ECC computation can assume that integers are all non-negative.

My intention of this task directly relates to:

  • curve specific optimization
  • introduce of redundant representation of integer (in future version of libgcrypt), for internal computation of modern ECC

which uses fixed number of limbs, assuming non-negative.

gniibe added a comment.EditedJan 8 2021, 6:58 AM

For printing SEXP, it would be good to have this change:

diff --git a/src/sexp.c b/src/sexp.c
index de28aedc..864916be 100644
--- a/src/sexp.c
+++ b/src/sexp.c
@@ -1483,6 +1483,12 @@ do_vsexp_sscan (gcry_sexp_t *retsexp, size_t *erroff,
                 }
               else
                 {
+                  if (mpifmt == GCRYMPI_FMT_USG && mpi_cmp_ui (m, 0) < 0)
+                    {
+                      err = GPG_ERR_INV_ARG;
+                      goto leave;
+                    }
+
                   err = _gcry_mpi_print (mpifmt, NULL, 0, &nm, m);
                   if (err)
                     goto leave;

This change makes sure not to write wrong value, but to raise an error.

werner added a comment.Jan 8 2021, 9:43 AM

I agree to the sexp change - but it should not be backported to 1.8

gniibe added a commit: rC00d7c1c63201: sexp: Raise an error when an integer is negative with USG..Jan 13 2021, 3:18 AM
gniibe closed this task as Resolved.Jan 26 2021, 4:48 AM
werner mentioned this in T5259: Release Libgcrypt 1.9.1.Jan 29 2021, 11:24 AM