crypto/elliptic: tolerate zero-padded scalars in generic P-256
Fixes #52075
Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
Reviewed-on: https://go-review.googlesource.com/c/go/+/397135
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go
index e1c6ff4..99c39ea 100644
--- a/src/crypto/elliptic/p256.go
+++ b/src/crypto/elliptic/p256.go
@@ -51,7 +51,7 @@
n := new(big.Int).SetBytes(in)
var scalarBytes []byte
- if n.Cmp(p256Params.N) >= 0 {
+ if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) {
n.Mod(n, p256Params.N)
scalarBytes = n.Bytes()
} else {
diff --git a/src/crypto/elliptic/p256_test.go b/src/crypto/elliptic/p256_test.go
index c6862d9..a607766 100644
--- a/src/crypto/elliptic/p256_test.go
+++ b/src/crypto/elliptic/p256_test.go
@@ -136,3 +136,17 @@
t.Errorf("1×G + (-1)×G = (%d, %d), should be ∞", x, y)
}
}
+
+func TestIssue52075(t *testing.T) {
+ Gx, Gy := P256().Params().Gx, P256().Params().Gy
+ scalar := make([]byte, 33)
+ scalar[32] = 1
+ x, y := P256().ScalarBaseMult(scalar)
+ if x.Cmp(Gx) != 0 || y.Cmp(Gy) != 0 {
+ t.Errorf("unexpected output (%v,%v)", x, y)
+ }
+ x, y = P256().ScalarMult(Gx, Gy, scalar)
+ if x.Cmp(Gx) != 0 || y.Cmp(Gy) != 0 {
+ t.Errorf("unexpected output (%v,%v)", x, y)
+ }
+}
