Fixed typo in comment.
diff --git
a/src/ec/ec_c25519_i31.c
b/src/ec/ec_c25519_i31.c
index
d030c50
..
f8ffc2c
100644
(file)
--- a/
src/ec/ec_c25519_i31.c
+++ b/
src/ec/ec_c25519_i31.c
@@
-230,11
+230,14
@@
api_mul(unsigned char *G, size_t Glen,
x2[1] = 0x13000000;
memcpy(z3, x2, sizeof x2);
x2[1] = 0x13000000;
memcpy(z3, x2, sizeof x2);
- memcpy(k, kb, kblen);
- memset(k + kblen, 0, (sizeof k) - kblen);
- k[0] &= 0xF8;
- k[31] &= 0x7F;
- k[31] |= 0x40;
+ /*
+ * kb[] is in big-endian notation, but possibly shorter than k[].
+ */
+ memset(k, 0, (sizeof k) - kblen);
+ memcpy(k + (sizeof k) - kblen, kb, kblen);
+ k[31] &= 0xF8;
+ k[0] &= 0x7F;
+ k[0] |= 0x40;
/* obsolete
print_int_mont("x1", x1);
/* obsolete
print_int_mont("x1", x1);
@@
-244,7
+247,7
@@
api_mul(unsigned char *G, size_t Glen,
for (i = 254; i >= 0; i --) {
uint32_t kt;
for (i = 254; i >= 0; i --) {
uint32_t kt;
- kt = (k[
i >> 3
] >> (i & 7)) & 1;
+ kt = (k[
31 - (i >> 3)
] >> (i & 7)) & 1;
swap ^= kt;
cswap(x2, x3, swap);
cswap(z2, z3, swap);
swap ^= kt;
cswap(x2, x3, swap);
cswap(z2, z3, swap);
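Review bot: The new `memset(k, 0, (sizeof k) - kblen)` and `memcpy(k + (sizeof k) - kblen, kb, kblen)` in the first hunk are only safe when `kblen <= sizeof k`; api_mul's prologue is outside the hunk, so I cannot see whether `kblen` is bounded there, and if it is not, a multiplier longer than 32 bytes makes `(sizeof k) - kblen` wrap as `size_t` and the memset runs far past `k` on the stack. The removed code had the same latent dependency in its own `memset(k + kblen, 0, (sizeof k) - kblen)`, so this is not a regression, but the rewrite is the right place to make the bound explicit with a guard such as `if (kblen > sizeof k) { return 0; }` (or whatever error form the function's other early exits use) immediately before the memset, or at least a comment stating that callers guarantee the bound. The big-endian placement of `kb` at the tail of `k` is consistent with the clamping now applied to `k[31]`/`k[0]` and with the `31 - (i >> 3)` index in the second hunk, so the bit order looks right; `api_mul` starts before the first hunk and continues after the second.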