author | Jack Lloyd <[email protected]> | 2018-05-31 17:18:20 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-05-31 17:18:20 -0400 |
commit | ec6afeece0894aee67b4ff1b7ac88403d15219bf (patch) | |
tree | 266e487395345d174276630fc43a348c6f4e115b /src/lib/math | |
parent | b3e4f1421b432e239ce76d72869a0e28089748f5 (diff) |
Correct error in P-224 computation
If x was very small to start with, x.size() might have been under the
limb count, which would cause the final addition to throw because
the destination array was smaller than the P-224 p being added to it.
Caught by Wycheproof ECDSA tests
Diffstat (limited to 'src/lib/math')
-rw-r--r-- | src/lib/math/numbertheory/nistp_redc.cpp | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/math/numbertheory/nistp_redc.cpp b/src/lib/math/numbertheory/nistp_redc.cpp
index 33e77562e..b74a2f9c6 100644
--- a/src/lib/math/numbertheory/nistp_redc.cpp
+++ b/src/lib/math/numbertheory/nistp_redc.cpp
@@ -221,6 +221,8 @@ const BigInt& prime_p224()
 void redc_p224(BigInt& x, secure_vector<word>& ws)
 {
+ static const size_t p224_limbs = (BOTAN_MP_WORD_BITS == 32) ? 7 : 4;
+
 BOTAN_UNUSED(ws);
 const int64_t X00 = get_uint32_t(x, 0);
@@ -249,6 +251,7 @@ void redc_p224(BigInt& x, secure_vector<word>& ws)
 const int64_t S6 = 0xFFFFFFFF + X06 + X10 - X13;
 x.mask_bits(224);
+ x.shrink_to_fit(p224_limbs + 1);
 int64_t S = 0;
 uint32_t R0 = 0, R1 = 0;
@@ -291,8 +294,6 @@ void redc_p224(BigInt& x, secure_vector<word>& ws)
 BOTAN_ASSERT(S >= 0 && S <= 2, "Expected overflow in P-224 reduce");
- static const size_t p224_limbs = (BOTAN_MP_WORD_BITS == 32) ? 7 : 4;
-
 static const word p224_mults[3][p224_limbs] = {
 #if (BOTAN_MP_WORD_BITS == 64)
 {0x0000000000000001, 0xFFFFFFFF00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF}, |
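Review bot: The added `x.shrink_to_fit(p224_limbs + 1)` in the second hunk is being used to *grow* the register, and nothing at the call site says so; a reader who sees `shrink_to_fit` directly after `x.mask_bits(224)` will assume it only trims. I would put `// ensure x holds p224_limbs+1 words so the in-place addition of p224_mults[S] below cannot overflow the destination (the old size depended on the input and could be too small)` above the call. Because this reduction sits on the ECDSA path (the commit message says Wycheproof's ECDSA tests caught the bug), it is also worth stating in that comment that the resulting size is meant to be independent of the value of x: if shrink_to_fit keeps max(min_size, significant words), then after the 224-bit mask the significant word count can never exceed p224_limbs and the register always ends at exactly p224_limbs+1 words, but that argument should live in the source rather than in the reviewer's head, and if the significant-word scan is itself value-dependent that small timing variation deserves a note too. redc_p224's body starts in the first hunk and continues outside the hunks on both sides.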