crypto.pcurves: don't assume that points with X=0 are at infinity (#16017)

There's also a valid point with X=0 on each curves. Fixes #16015
author: Frank Denis <124872+jedisct1@users.noreply.github.com> 2023-06-13 20:20:24 +0200
committer: GitHub <noreply@github.com> 2023-06-13 18:20:24 +0000
commit: cc708b4a880e0077c3fb0a077a8a39104701dc9c (patch)
tree: 833750ae7ff4cd1fba4ab99f647d6538943762f1 /lib
parent: 137b115681c1ca205df27c70422c42460b5aa6ec (diff)
download: zig-cc708b4a880e0077c3fb0a077a8a39104701dc9c.tar.gz
zig-cc708b4a880e0077c3fb0a077a8a39104701dc9c.zip
3 files changed, 18 insertions, 6 deletions
diff --git a/lib/std/crypto/pcurves/p256.zig b/lib/std/crypto/pcurves/p256.zig
index 0460515511..efda420284 100644
--- a/lib/std/crypto/pcurves/p256.zig
+++ b/lib/std/crypto/pcurves/p256.zig
@@ -36,7 +36,9 @@ pub const P256 = struct {
 
     /// Reject the neutral element.
     pub fn rejectIdentity(p: P256) IdentityElementError!void {
-        if (p.x.isZero()) {
+        const affine_0 = @boolToInt(p.x.equivalent(AffineCoordinates.identityElement.x)) & (@boolToInt(p.y.isZero()) | @boolToInt(p.y.equivalent(AffineCoordinates.identityElement.y)));
+        const is_identity = @boolToInt(p.z.isZero()) | affine_0;
+        if (is_identity != 0) {
             return error.IdentityElement;
         }
     }
@@ -286,12 +288,14 @@ pub const P256 = struct {
 
     /// Return affine coordinates.
     pub fn affineCoordinates(p: P256) AffineCoordinates {
+        const affine_0 = @boolToInt(p.x.equivalent(AffineCoordinates.identityElement.x)) & (@boolToInt(p.y.isZero()) | @boolToInt(p.y.equivalent(AffineCoordinates.identityElement.y)));
+        const is_identity = @boolToInt(p.z.isZero()) | affine_0;
         const zinv = p.z.invert();
         var ret = AffineCoordinates{
             .x = p.x.mul(zinv),
             .y = p.y.mul(zinv),
         };
-        ret.cMov(AffineCoordinates.identityElement, @boolToInt(p.x.isZero()));
+        ret.cMov(AffineCoordinates.identityElement, is_identity);
         return ret;
     }
 
diff --git a/lib/std/crypto/pcurves/p384.zig b/lib/std/crypto/pcurves/p384.zig
index 6662fc0011..958543084e 100644
--- a/lib/std/crypto/pcurves/p384.zig
+++ b/lib/std/crypto/pcurves/p384.zig
@@ -36,7 +36,9 @@ pub const P384 = struct {
 
     /// Reject the neutral element.
     pub fn rejectIdentity(p: P384) IdentityElementError!void {
-        if (p.x.isZero()) {
+        const affine_0 = @boolToInt(p.x.equivalent(AffineCoordinates.identityElement.x)) & (@boolToInt(p.y.isZero()) | @boolToInt(p.y.equivalent(AffineCoordinates.identityElement.y)));
+        const is_identity = @boolToInt(p.z.isZero()) | affine_0;
+        if (is_identity != 0) {
             return error.IdentityElement;
         }
     }
@@ -286,12 +288,14 @@ pub const P384 = struct {
 
     /// Return affine coordinates.
     pub fn affineCoordinates(p: P384) AffineCoordinates {
+        const affine_0 = @boolToInt(p.x.equivalent(AffineCoordinates.identityElement.x)) & (@boolToInt(p.y.isZero()) | @boolToInt(p.y.equivalent(AffineCoordinates.identityElement.y)));
+        const is_identity = @boolToInt(p.z.isZero()) | affine_0;
         const zinv = p.z.invert();
         var ret = AffineCoordinates{
             .x = p.x.mul(zinv),
             .y = p.y.mul(zinv),
         };
-        ret.cMov(AffineCoordinates.identityElement, @boolToInt(p.x.isZero()));
+        ret.cMov(AffineCoordinates.identityElement, is_identity);
         return ret;
     }
 
diff --git a/lib/std/crypto/pcurves/secp256k1.zig b/lib/std/crypto/pcurves/secp256k1.zig
index 753f929f44..2d94594f61 100644
--- a/lib/std/crypto/pcurves/secp256k1.zig
+++ b/lib/std/crypto/pcurves/secp256k1.zig
@@ -89,7 +89,9 @@ pub const Secp256k1 = struct {
 
     /// Reject the neutral element.
     pub fn rejectIdentity(p: Secp256k1) IdentityElementError!void {
-        if (p.x.isZero()) {
+        const affine_0 = @boolToInt(p.x.equivalent(AffineCoordinates.identityElement.x)) & (@boolToInt(p.y.isZero()) | @boolToInt(p.y.equivalent(AffineCoordinates.identityElement.y)));
+        const is_identity = @boolToInt(p.z.isZero()) | affine_0;
+        if (is_identity != 0) {
             return error.IdentityElement;
         }
     }
@@ -314,12 +316,14 @@ pub const Secp256k1 = struct {
 
     /// Return affine coordinates.
     pub fn affineCoordinates(p: Secp256k1) AffineCoordinates {
+        const affine_0 = @boolToInt(p.x.equivalent(AffineCoordinates.identityElement.x)) & (@boolToInt(p.y.isZero()) | @boolToInt(p.y.equivalent(AffineCoordinates.identityElement.y)));
+        const is_identity = @boolToInt(p.z.isZero()) | affine_0;
         const zinv = p.z.invert();
         var ret = AffineCoordinates{
             .x = p.x.mul(zinv),
             .y = p.y.mul(zinv),
         };
-        ret.cMov(AffineCoordinates.identityElement, @boolToInt(p.x.isZero()));
+        ret.cMov(AffineCoordinates.identityElement, is_identity);
         return ret;
     }
author	Frank Denis <124872+jedisct1@users.noreply.github.com>	2023-06-13 20:20:24 +0200
committer	GitHub <noreply@github.com>	2023-06-13 18:20:24 +0000
commit	cc708b4a880e0077c3fb0a077a8a39104701dc9c (patch)
tree	833750ae7ff4cd1fba4ab99f647d6538943762f1 /lib
parent	137b115681c1ca205df27c70422c42460b5aa6ec (diff)
download	zig-cc708b4a880e0077c3fb0a077a8a39104701dc9c.tar.gz zig-cc708b4a880e0077c3fb0a077a8a39104701dc9c.zip