Harmonized behaviour when point length is invalid.

[BearSSL] / src / ec / ec_prime_i15.c

diff --git a/src/ec/ec_prime_i15.c b/src/ec/ec_prime_i15.c
index bf1d002..f86dbe6 100644 (file)
--- a/src/ec/ec_prime_i15.c
+++ b/src/ec/ec_prime_i15.c
@@ -716,6 +716,14 @@ api_order(int curve, size_t *len)
        return cd->order;
 }
 
+static size_t
+api_xoff(int curve, size_t *len)
+{
+       api_generator(curve, len);
+       *len >>= 1;
+       return 1;
+}
+
 static uint32_t
 api_mul(unsigned char *G, size_t Glen,
        const unsigned char *x, size_t xlen, int curve)
@@ -725,11 +733,12 @@ api_mul(unsigned char *G, size_t Glen,
        jacobian P;
 
        cc = id_to_curve(curve);
+       if (Glen != cc->point_len) {
+               return 0;
+       }
        r = point_decode(&P, G, Glen, cc);
        point_mul(&P, x, xlen, cc);
-       if (Glen == cc->point_len) {
-               point_encode(G, &P, cc);
-       }
+       point_encode(G, &P, cc);
        return r;
 }
 
@@ -757,11 +766,14 @@ api_muladd(unsigned char *A, const unsigned char *B, size_t len,
 
        /*
         * TODO: see about merging the two ladders. Right now, we do
-        * two independant point multiplications, which is a bit
+        * two independent point multiplications, which is a bit
         * wasteful of CPU resources (but yields short code).
         */
 
        cc = id_to_curve(curve);
+       if (len != cc->point_len) {
+               return 0;
+       }
        r = point_decode(&P, A, len, cc);
        if (B == NULL) {
                size_t Glen;
@@ -805,6 +817,7 @@ const br_ec_impl br_ec_prime_i15 = {
        (uint32_t)0x03800000,
        &api_generator,
        &api_order,
+       &api_xoff,
        &api_mul,
        &api_mulgen,
        &api_muladd