diff -up ./doc/doxygen/Doxyfile.orig ./doc/doxygen/Doxyfile
|
|
|
05700f |
diff -up ./lib/nettle/ecc/ecc-gostdsa-verify.c.orig ./lib/nettle/ecc/ecc-gostdsa-verify.c
|
|
|
05700f |
--- ./lib/nettle/ecc/ecc-gostdsa-verify.c.orig 2020-06-03 15:05:27.000000000 +0200
|
|
|
05700f |
+++ ./lib/nettle/ecc/ecc-gostdsa-verify.c 2021-04-01 11:24:42.820992320 +0200
|
|
|
05700f |
@@ -63,6 +63,8 @@ ecc_gostdsa_verify (const struct ecc_cur
|
|
|
05700f |
const mp_limb_t *rp, const mp_limb_t *sp,
|
|
|
05700f |
mp_limb_t *scratch)
|
|
|
05700f |
{
|
|
|
05700f |
+ mp_limb_t cy;
|
|
|
05700f |
+
|
|
|
05700f |
/* Procedure, according to GOST R 34.10. q denotes the group
|
|
|
05700f |
order.
|
|
|
05700f |
|
|
|
05700f |
@@ -101,11 +103,17 @@ ecc_gostdsa_verify (const struct ecc_cur
|
|
|
05700f |
ecc->q.invert (&ecc->q, vp, hp, vp + 2*ecc->p.size);
|
|
|
05700f |
|
|
|
05700f |
/* z1 = s / h, P1 = z1 * G */
|
|
|
05700f |
- ecc_mod_mul (&ecc->q, z1, sp, vp);
|
|
|
05700f |
+ ecc_mod_mul (&ecc->q, z1 + ecc->q.size, sp, vp);
|
|
|
05700f |
+ /* Ensure canonical reduction */
|
|
|
05700f |
+ cy = mpn_sub_n (z1, z1 + ecc->q.size, ecc->q.m, ecc->q.size);
|
|
|
05700f |
+ cnd_copy (cy, z1, z1 + ecc->q.size, ecc->q.size);
|
|
|
05700f |
|
|
|
05700f |
/* z2 = - r / h, P2 = z2 * Y */
|
|
|
05700f |
- ecc_mod_mul (&ecc->q, z2, rp, vp);
|
|
|
05700f |
- mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size);
|
|
|
05700f |
+ mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size);
|
|
|
05700f |
+ ecc_mod_mul (&ecc->q, z2 + ecc->q.size, hp, vp);
|
|
|
05700f |
+ /* Ensure canonical reduction */
|
|
|
05700f |
+ cy = mpn_sub_n (z2, z2 + ecc->q.size, ecc->q.m, ecc->q.size);
|
|
|
05700f |
+ cnd_copy (cy, z2, z2 + ecc->q.size, ecc->q.size);
|
|
|
05700f |
|
|
|
05700f |
/* Total storage: 5*ecc->p.size + ecc->mul_itch */
|
|
|
05700f |
ecc->mul (ecc, P2, z2, pp, z2 + ecc->p.size);
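Review bot: `mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size)` computes q - r over `ecc->p.size` limbs while every other new line in this hunk works on `ecc->q.size`; the two are presumably equal on every supported curve, but the line should use the same size as its neighbours, `mpn_sub_n (hp, ecc->q.m, rp, ecc->q.size);`, and it is only correct if r < q was verified earlier in ecc_gostdsa_verify, which starts before this hunk. Forming the product at `z1 + ecc->q.size` and `z2 + ecc->q.size` also moves the double-width output of ecc_mod_mul (if it still needs 2*size limbs at its rp, as I believe it does) up by one block, so the z1/z2/P1/P2 defines outside the hunk should be re-checked against the unchanged `/* Total storage: 5*ecc->p.size + ecc->mul_itch */` comment. Reusing hp as scratch for q - r is fine since vp already holds 1/h, but it deserves a one-line comment such as `/* hp is free now, use it for q - r */`. The subtract-then-cnd_copy sequence is the right, branch-free way to finish the reduction; it appears twice here and again in gostdsa-vko.c, so a shared helper (declared alongside ecc_mod_mul in ecc-internal.h) would keep the sites identical:
```c
/* rp = ap * bp mod m, reduced to the canonical range [0, m).
   The double-width product is formed at rp + m->size and the
   canonical result is left in the low m->size limbs, so rp needs
   m->size limbs more than ecc_mod_mul does. */
void
ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
                       const mp_limb_t *ap, const mp_limb_t *bp)
{
  mp_limb_t cy;

  ecc_mod_mul (m, rp + m->size, ap, bp);
  cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
  cnd_copy (cy, rp, rp + m->size, m->size);
}
```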
|
|
|
05700f |
diff -up ./lib/nettle/ecc/eddsa-hash.c.orig ./lib/nettle/ecc/eddsa-hash.c
|
|
|
05700f |
--- ./lib/nettle/ecc/eddsa-hash.c.orig 2020-06-03 15:05:28.000000000 +0200
|
|
|
05700f |
+++ ./lib/nettle/ecc/eddsa-hash.c 2021-04-01 11:24:42.821992314 +0200
|
|
|
05700f |
@@ -43,13 +43,14 @@
|
|
|
05700f |
#include <nettle/ecc.h>
|
|
|
05700f |
#include "ecc-internal.h"
|
|
|
05700f |
|
|
|
05700f |
-/* Convert hash digest to integer, and reduce modulo q, to m->size
|
|
|
05700f |
- limbs. Needs space for 2*m->size + 1 at rp. */
|
|
|
05700f |
+/* Convert hash digest to integer, and reduce canonically modulo q.
|
|
|
05700f |
+ Needs space for 2*m->size + 1 at rp. */
|
|
|
05700f |
void
|
|
|
05700f |
_eddsa_hash (const struct ecc_modulo *m,
|
|
|
05700f |
mp_limb_t *rp, size_t digest_size, const uint8_t *digest)
|
|
|
05700f |
{
|
|
|
05700f |
mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
|
|
|
05700f |
+ mp_limb_t cy;
|
|
|
05700f |
|
|
|
05700f |
mpn_set_base256_le (rp, nlimbs, digest, digest_size);
|
|
|
05700f |
|
|
|
05700f |
@@ -74,4 +75,8 @@ _eddsa_hash (const struct ecc_modulo *m,
|
|
|
05700f |
assert (hi == 0);
|
|
|
05700f |
}
|
|
|
05700f |
m->mod (m, rp);
|
|
|
05700f |
+ /* Ensure canonical reduction. */
|
|
|
05700f |
+ cy = mpn_sub_n (rp + m->size, rp, m->m, m->size);
|
|
|
05700f |
+ cnd_copy (cy, rp + m->size, rp, m->size);
|
|
|
05700f |
+ mpn_copyi (rp, rp + m->size, m->size);
|
|
|
05700f |
}
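Review bot: The canonical step subtracts into the upper half, conditionally restores the original there, and then copies the whole half back with `mpn_copyi`, which is one pass more than needed; subtracting into the scratch half and copying down only when no borrow occurred gives the same canonical value in place: `cy = mpn_sub_n (rp + m->size, rp, m->m, m->size);` followed by `cnd_copy (1 - cy, rp, rp + m->size, m->size);`. Both forms stay branch-free, since mpn_sub_n's borrow is 0 or 1 and cnd_copy masks on it, so this is a style point rather than a correctness one. Either way the comment should state what range `m->mod` leaves rp in, since that is what justifies a single subtraction, e.g. `/* m->mod leaves rp below 2*m (assumed); one subtraction of m makes it canonical. */` — hedged because m->mod's post-condition is not visible in this file. The opening lines of _eddsa_hash are in the preceding hunk.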
|
|
|
05700f |
diff -up ./lib/nettle/ecc/gostdsa-vko.c.orig ./lib/nettle/ecc/gostdsa-vko.c
|
|
|
05700f |
--- ./lib/nettle/ecc/gostdsa-vko.c.orig 2020-06-03 15:05:28.000000000 +0200
|
|
|
05700f |
+++ ./lib/nettle/ecc/gostdsa-vko.c 2021-04-01 11:24:42.821992314 +0200
|
|
|
05700f |
@@ -64,6 +64,7 @@ gostdsa_vko (const struct ecc_scalar *pr
|
|
|
05700f |
mp_size_t size = ecc->p.size;
|
|
|
05700f |
mp_size_t itch = 4*size + ecc->mul_itch;
|
|
|
05700f |
mp_limb_t *scratch;
|
|
|
05700f |
+ mp_limb_t cy;
|
|
|
05700f |
|
|
|
05700f |
if (itch < 5*size + ecc->h_to_a_itch)
|
|
|
05700f |
itch = 5*size + ecc->h_to_a_itch;
|
|
|
05700f |
@@ -87,7 +88,11 @@ gostdsa_vko (const struct ecc_scalar *pr
|
|
|
05700f |
if (mpn_zero_p (UKM, size))
|
|
|
05700f |
UKM[0] = 1;
|
|
|
05700f |
|
|
|
05700f |
- ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM); /* TEMP = UKM * priv */
|
|
|
05700f |
+ ecc_mod_mul (&ecc->q, TEMP + ecc->q.size, priv->p, UKM); /* TEMP = UKM * priv */
|
|
|
05700f |
+ /* Ensure canonical reduction */
|
|
|
05700f |
+ cy = mpn_sub_n (TEMP, TEMP + ecc->q.size, ecc->q.m, ecc->q.size);
|
|
|
05700f |
+ cnd_copy (cy, TEMP, TEMP + ecc->q.size, ecc->q.size);
|
|
|
05700f |
+
|
|
|
05700f |
ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */
|
|
|
05700f |
ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */
|
|
|
05700f |
mpn_get_base256_le (out, bsize, TEMP, size);
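Review bot: `ecc_mod_mul (&ecc->q, TEMP + ecc->q.size, priv->p, UKM)` now writes the double-width product one block higher than before, so TEMP must reach 3*ecc->q.size limbs without running into XYZ or the mul scratch at `scratch + 4*size`; the defines of TEMP and XYZ are outside the hunk and the itch computation in the earlier hunk (`4*size + ecc->mul_itch`) is unchanged, so the layout should be re-derived. The operand here is the private scalar, so it matters that the final selection is the masked `cnd_copy` on the borrow rather than an `if (cy)`; keep it that way if this is later refactored into a helper. The trailing comment `/* TEMP = UKM * priv */` now describes the upper half only; a line after the cnd_copy such as `/* low q.size limbs of TEMP = UKM * priv mod q, canonical */` would say what ecc->mul consumes on the next line. gostdsa_vko starts before this hunk.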
|