From: Thomas Pornin Date: Sat, 14 Dec 2019 15:53:30 +0000 (+0100) Subject: Fixed carry propagation bug in P-256 'm62' implementation (found by Auke Zeilstra... X-Git-Url: https://bearssl.org/gitweb//home/git/?p=BearSSL;a=commitdiff_plain;h=252dba914912e694d0e69754f0167060fc4d2ba6;ds=sidebyside Fixed carry propagation bug in P-256 'm62' implementation (found by Auke Zeilstra; consequences unclear, possibly some invalid curve attacks in static ECDH contexts). --- diff --git a/src/ec/ec_p256_m62.c b/src/ec/ec_p256_m62.c index 3bcb95b..a431790 100644 --- a/src/ec/ec_p256_m62.c +++ b/src/ec/ec_p256_m62.c @@ -580,7 +580,7 @@ f256_final_reduce(uint64_t *a) w = t[2] - cc; t[2] = w & MASK52; cc = w >> 63; - w = t[3] - BIT(36); + w = t[3] - BIT(36) - cc; t[3] = w & MASK52; cc = w >> 63; t[4] -= cc;
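Review bot: the `- cc` added to `w = t[3] - BIT(36)` is the right fix; the old line dropped the borrow out of limb 2 (the `cc = w >> 63` on the preceding line) even though the neighbouring limbs do consume it (`t[2] = w & MASK52` after `w = t[2] - cc`, and `t[4] -= cc` at the end), so the final reduction computed a wrong limb 3 whenever the limb-2 subtraction borrowed. Two additions would strengthen the patch: a regression test that feeds f256_final_reduce a value whose limb-2 subtraction borrows, so the old and new code visibly diverge and the "consequences unclear" in the commit message can be pinned down to a concrete wrong output; and a one-line comment explaining the constant, since with 52-bit limbs (as MASK52 suggests) bit 36 of limb 3 is bit 192 overall, i.e. the 2^192 term of p = 2^256 - 2^224 + 2^192 + 2^96 - 1, which lets a reader check each limb's subtracted constant against the modulus. The subtraction lines for t[0] and t[1] sit above the hunk context and are not shown; confirm they propagate cc the same way.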