mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
Clear an extra low bit in EdDSA exponent calculation.
The source paper, and OpenSSH, agree that the lowest bit index used from the hash of the private key is bit 3, i.e. bits 0,1,2 at the bottom are all zero. We were only clearing bits 0 and 1, which would have worked for about half of keys. I must have got lucky during testing!
This commit is contained in:
parent
90af5bed04
commit
cc420507a9
14
sshecc.c
14
sshecc.c
@ -2204,9 +2204,10 @@ struct ec_point *ec_public(const Bignum privateKey, const struct ec_curve *curve
|
||||
}
|
||||
SHA512_Final(&s, hash);
|
||||
|
||||
/* The second part is simply turning the hash into a Bignum, however
|
||||
* the 2^(b-2) bit *must* be set, and the bottom 2 bits *must* not be */
|
||||
hash[0] &= 0xfc; /* Unset bottom two bits (if set) */
|
||||
/* The second part is simply turning the hash into a Bignum,
|
||||
* however the 2^(b-2) bit *must* be set, and the bottom 3
|
||||
* bits *must* not be */
|
||||
hash[0] &= 0xf8; /* Unset bottom 3 bits (if set) */
|
||||
hash[31] &= 0x7f; /* Unset above (b-2) */
|
||||
hash[31] |= 0x40; /* Set 2^(b-2) */
|
||||
/* Chop off the top part and convert to int */
|
||||
@ -3364,9 +3365,10 @@ static unsigned char *ecdsa_sign(void *key, const char *data, int datalen,
|
||||
|
||||
SHA512_Final(&hs, hash);
|
||||
|
||||
/* The second part is simply turning the hash into a Bignum, however
|
||||
* the 2^(b-2) bit *must* be set, and the bottom 2 bits *must* not be */
|
||||
hash[0] &= 0xfc; /* Unset bottom two bits (if set) */
|
||||
/* The second part is simply turning the hash into a
|
||||
* Bignum, however the 2^(b-2) bit *must* be set, and the
|
||||
* bottom 3 bits *must* not be */
|
||||
hash[0] &= 0xf8; /* Unset bottom 3 bits (if set) */
|
||||
hash[31] &= 0x7f; /* Unset above (b-2) */
|
||||
hash[31] |= 0x40; /* Set 2^(b-2) */
|
||||
/* Chop off the top part and convert to int */
|
||||
|
Loading…
Reference in New Issue
Block a user