chiark / gitweb /
dh: Fix mpz padding bug in use of write_mpbin
If the BN needs less than buflen bytes, write_mpbin would write only
the first len bytes. dh_makeshared wouldn't notice. The remaining
bytes will be left uninitialised.
In current code this is only called from site.c, where it so happens
right now that this buffer is always zero on entry. So the effect is
that we pad the bignum with zeroes at the LS end, which is wrong.
We can't just change this because it's baked into the protocol.
So actually implement it properly.
We do this in the write_mpbin function, renaming it, because the old
API for write_mpbin invites precisely this error.
I don't think this is of any significant consequence
cryptographically. Perhaps we should introduce a non-anomalous
version of DH over prime fields. Or perhaps we should just leave it
as is and expect to switch to X448 or something.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
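The three behaviours the commit message contrasts, as an added example that is not secnet's code and does not use its real write_mpbin or its renamed successor: the old call that writes only the first len bytes and leaves the tail untouched, the zero-at-the-LS-end encoding that the message says is now baked into the protocol, and the ordinary fixed-width big-endian encoding. The struct mp_min standing in for the BN, the function names, the 4-byte buffer and the sample value 0x0102 are all constructed here for illustration; decode_be exists only to show what a peer reading the buffer as a big-endian integer would get.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for "the BN": its minimal big-endian magnitude,
 * as BN_bn2bin would produce it (no leading zero bytes).  Not secnet's
 * type; constructed for this example. */
struct mp_min {
    const uint8_t *bytes;
    size_t len;
};

/* The old write_mpbin behaviour described in the commit message: copy only
 * the first len bytes and say nothing about the rest of the buffer.  The
 * trailing buflen-len bytes keep whatever they held on entry, and the
 * caller cannot tell from the return value that they were not written. */
static int write_mpbin_old(const struct mp_min *v, uint8_t *buf, size_t buflen)
{
    if (v->len > buflen)
        return -1;                      /* does not fit */
    memcpy(buf, v->bytes, v->len);
    return (int)v->len;                 /* bytes written, not buflen */
}

/* The encoding the protocol actually carries according to the commit
 * message: the value at the start of the buffer and zeros at the
 * least-significant end.  Decoded as a big-endian integer this is
 * v * 256^(buflen - len), so the wire value depends on buflen.  Making the
 * zero fill explicit removes the dependence on the buffer being zero on
 * entry without changing the bytes sent. */
static int write_mpbin_ls_zero_pad(const struct mp_min *v, uint8_t *buf, size_t buflen)
{
    if (v->len > buflen)
        return -1;
    memcpy(buf, v->bytes, v->len);
    memset(buf + v->len, 0, buflen - v->len);
    return (int)buflen;
}

/* The non-anomalous fixed-width encoding: zero bytes at the most-significant
 * end, so the integer value is the same whatever buflen is. */
static int write_mpbin_ms_zero_pad(const struct mp_min *v, uint8_t *buf, size_t buflen)
{
    if (v->len > buflen)
        return -1;
    memset(buf, 0, buflen - v->len);
    memcpy(buf + (buflen - v->len), v->bytes, v->len);
    return (int)buflen;
}

/* Read a fixed-width buffer back as a big-endian integer.  Limited to 8
 * bytes because it exists only to show what a peer would decode. */
static uint64_t decode_be(const uint8_t *buf, size_t buflen)
{
    uint64_t x = 0;
    for (size_t i = 0; i < buflen && i < 8; i++)
        x = (x << 8) | buf[i];
    return x;
}

/* Constructed sample: the value 0x0102 needs 2 bytes; the buffer holds 4. */
static const uint8_t SAMPLE_BYTES[] = { 0x01, 0x02 };
static const struct mp_min SAMPLE = { SAMPLE_BYTES, sizeof SAMPLE_BYTES };

/* Old function with a buffer that is zero on entry (the site.c case):
 * bytes 01 02 00 00, i.e. the value shifted up by two bytes. */
uint64_t demo_old_zeroed_buffer(void)
{
    uint8_t buf[4] = { 0 };
    if (write_mpbin_old(&SAMPLE, buf, sizeof buf) < 0) return 0;
    return decode_be(buf, sizeof buf);      /* 0x01020000 */
}

/* Old function with a buffer that is not zero on entry: whatever was
 * there leaks into the encoded value. */
uint64_t demo_old_dirty_buffer(void)
{
    uint8_t buf[4];
    memset(buf, 0xAA, sizeof buf);
    if (write_mpbin_old(&SAMPLE, buf, sizeof buf) < 0) return 0;
    return decode_be(buf, sizeof buf);      /* 0x0102AAAA */
}

/* Explicit LS-end zero padding gives the same bytes as the zeroed case
 * regardless of the buffer's prior contents. */
uint64_t demo_ls_zero_pad(void)
{
    uint8_t buf[4];
    memset(buf, 0xAA, sizeof buf);
    if (write_mpbin_ls_zero_pad(&SAMPLE, buf, sizeof buf) < 0) return 0;
    return decode_be(buf, sizeof buf);      /* 0x01020000 */
}

/* MS-end zero padding preserves the integer value. */
uint64_t demo_ms_zero_pad(void)
{
    uint8_t buf[4];
    memset(buf, 0xAA, sizeof buf);
    if (write_mpbin_ms_zero_pad(&SAMPLE, buf, sizeof buf) < 0) return 0;
    return decode_be(buf, sizeof buf);      /* 0x0102 */
}

/* A value that does not fit is rejected before anything is written. */
int demo_does_not_fit(void)
{
    uint8_t buf[1];
    return write_mpbin_ms_zero_pad(&SAMPLE, buf, sizeof buf);   /* -1 */
}
```

The two padded writers agree only when len equals buflen; for every shorter value the LS-end version sends v multiplied by a power of 256, which is the protocol anomaly the message describes. Whichever encoding a caller uses, the fixed-width writer should fill the whole buffer and return buflen, so that a length check like the one in demo_does_not_fit is the only way a short write can go unnoticed.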