mirror of
https://github.com/yuzu-mirror/mbedtls.git
synced 2026-01-09 10:10:14 +01:00
f29857ca0a
We were already rejecting them at the end, due to the fact that with the usual (x, z) formulas they lead to the result (0, 0) so when we want to normalize at the end, trying to compute the modular inverse of z will give an error. If we wanted to support those points, we'd a special case in ecp_normalize_mxz(). But it's actually permitted by all sources (RFC 7748 say we MAY reject 0 as a result) and recommended by some to reject those points (either to ensure contributory behaviour, or to protect against timing attack when the underlying field arithmetic is not constant-time). Since our field arithmetic is indeed not constant-time, let's reject those points before they get mixed with sensitive data (in ecp_mul_mxz()), in order to avoid exploitable leaks caused by the special cases they would trigger. (See the "May the Fourth" paper https://eprint.iacr.org/2017/806.pdf) Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> |
||
|---|---|---|
| .. | ||
| .jenkins | ||
| configs | ||
| data_files | ||
| docker/bionic | ||
| git-scripts | ||
| include | ||
| scripts | ||
| src | ||
| suites | ||
| .gitignore | ||
| CMakeLists.txt | ||
| compat-in-docker.sh | ||
| compat.sh | ||
| context-info.sh | ||
| Descriptions.txt | ||
| make-in-docker.sh | ||
| Makefile | ||
| ssl-opt-in-docker.sh | ||
| ssl-opt.sh | ||