Diffstat (limited to 'src/lib/libcrypto/ec/ec_lib.c')
-rw-r--r-- | src/lib/libcrypto/ec/ec_lib.c | 15 |
1 files changed, 7 insertions, 8 deletions
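--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.89 2024/11/30 21:09:59 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.90 2024/12/12 10:00:15 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -275,8 +275,7 @@ ec_set_cofactor(EC_GROUP *group, const BIGNUM *in_cofactor)
 * If the cofactor is too large, we cannot guess it and default to zero.
 * The RHS of below is a strict overestimate of log(4 * sqrt(q)).
 */
-if (BN_num_bits(&group->order) <=
-(BN_num_bits(&group->field) + 1) / 2 + 3)
+if (BN_num_bits(&group->order) <= (BN_num_bits(&group->p) + 1) / 2 + 3)
 goto done;
 
 /*
@@ -291,7 +290,7 @@ ec_set_cofactor(EC_GROUP *group, const BIGNUM *in_cofactor)
 if (!BN_add_word(cofactor, 1))
 goto err;
 /* h = q + 1 + n/2 */
-if (!BN_add(cofactor, cofactor, &group->field))
+if (!BN_add(cofactor, cofactor, &group->p))
 goto err;
 /* h = (q + 1 + n/2) / n */
 if (!BN_div_ct(cofactor, NULL, cofactor, &group->order, ctx))
@@ -299,7 +298,7 @@ ec_set_cofactor(EC_GROUP *group, const BIGNUM *in_cofactor)
 
 done:
 /* Use Hasse's theorem to bound the cofactor. */
-if (BN_num_bits(cofactor) > BN_num_bits(&group->field) + 1) {
+if (BN_num_bits(cofactor) > BN_num_bits(&group->p) + 1) {
 ECerror(EC_R_INVALID_GROUP_ORDER);
 goto err;
 }
@@ -325,8 +324,8 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
 return 0;
 }
 
-/* Require group->field >= 1. */
-if (BN_is_zero(&group->field) || BN_is_negative(&group->field)) {
+/* Require p >= 1. */
+if (BN_is_zero(&group->p) || BN_is_negative(&group->p)) {
 ECerror(EC_R_INVALID_FIELD);
 return 0;
 }
@@ -336,7 +335,7 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
 * than the field cardinality due to Hasse's theorem.
 */
 if (order == NULL || BN_cmp(order, BN_value_one()) <= 0 ||
-BN_num_bits(order) > BN_num_bits(&group->field) + 1) {
+BN_num_bits(order) > BN_num_bits(&group->p) + 1) {
 ECerror(EC_R_INVALID_GROUP_ORDER);
 return 0;
 }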