projects / BearSSL / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 15b3af7)
Fixed carry propagation bug in P-256 'm62' implementation (found by Auke Zeilstra...
authorThomas Pornin <pornin@bolet.org>
Sat, 14 Dec 2019 15:53:30 +0000 (16:53 +0100)
committerThomas Pornin <pornin@bolet.org>
Sat, 14 Dec 2019 15:53:30 +0000 (16:53 +0100)
src/ec/ec_p256_m62.c patch | blob | history

diff --git a/src/ec/ec_p256_m62.c b/src/ec/ec_p256_m62.c
index 3bcb95b..a431790 100644 (file)
--- a/src/ec/ec_p256_m62.c
+++ b/src/ec/ec_p256_m62.c
@@ -580,7 +580,7 @@ f256_final_reduce(uint64_t *a)
        w = t[2] - cc;
        t[2] = w & MASK52;
        cc = w >> 63;
        w = t[2] - cc;
        t[2] = w & MASK52;
        cc = w >> 63;
-       w = t[3] - BIT(36);
+       w = t[3] - BIT(36) - cc;
        t[3] = w & MASK52;
        cc = w >> 63;
        t[4] -= cc;
        t[3] = w & MASK52;
        cc = w >> 63;
        t[4] -= cc;
The BearSSL library and tools.