On Thu, May 17, 2007 at 08:43:47AM -0700, [EMAIL PROTECTED] wrote:

> This is not a problem with the algorithm or the protocol.  It is a
> bug in the implementation.  Digest values that are zero are allowed
> by the ANSI X9.62 (and there is no special case for them) and they
> work fine in other implementations.
[...]

> compute_wNAF is at ec_mult.c:188 and is called with scalar pointing
> to a zero BIGNUM.  But compute_wNAF, either by design or by
> accident, can't deal with a scalar that is zero.

Let's say that by accident compute_wNAF was designed such that it
cannot deal with a scalar that is zero:  At least it will cleanly
signal an internal error in this special case rather than going
completely mad.

This clearly is a bug in crypto/ec/ec_mult.c; and here is a patch that
should fix it.  (This will be in the next daily snapshots.)


--- crypto/ec/ec_mult.c 14 Mar 2006 22:48:31 -0000      1.32.2.1
+++ crypto/ec/ec_mult.c 22 May 2007 09:03:47 -0000
@@ -194,6 +194,19 @@
        int bit, next_bit, mask;
        size_t len = 0, j;
        
+       if (BN_is_zero(scalar))
+               {
+               r = OPENSSL_malloc(1);
+               if (!r)
+                       {
+                       ECerr(EC_F_COMPUTE_WNAF, ERR_R_MALLOC_FAILURE);
+                       goto err;
+                       }
+               r[0] = 0;
+               *ret_len = 1;
+               return r;
+               }
+               
        if (w <= 0 || w > 7) /* 'signed char' can represent integers with 
absolute values less than 2^7 */
                {
                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
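
Review bot: The new BN_is_zero(scalar) early return sits ahead of the "w <= 0 || w > 7" range check, so a call with a zero scalar and an out-of-range w now returns a one-digit result without ever reaching the ERR_R_INTERNAL_ERROR path. Consider moving the zero-scalar block below the w check so that argument validation does not depend on the scalar's value. A short comment above "r[0] = 0;" saying that a single zero digit with *ret_len = 1 is the intended encoding of a zero scalar would also help. The allocation-failure branch jumps to err while the success branch returns directly, so it is worth confirming that the err path is safe when r is still NULL at that point.
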
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
