crypto/elliptic: resample private keys if out of range.

author Adam Langley <agl@golang.org>

Fri, 4 Dec 2015 22:17:03 +0000 (14:17 -0800)

committer Russ Cox <rsc@golang.org>

Tue, 8 Dec 2015 17:39:09 +0000 (17:39 +0000)
author Adam Langley <agl@golang.org>
Fri, 4 Dec 2015 22:17:03 +0000 (14:17 -0800)
committer Russ Cox <rsc@golang.org>
Tue, 8 Dec 2015 17:39:09 +0000 (17:39 +0000)
diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go

index e6b59c5f436b9d24a8a61e093bd2adcc079e72ba..c02df45d10502d129bf3bf48406593492d8d85c9 100644 (file)
--- a/src/crypto/elliptic/elliptic.go
+++ b/src/crypto/elliptic/elliptic.go
@@ -274,7 +274,8 @@ var mask = []byte{0xff, 0x1, 0x3, 0x7, 0xf, 0x1f, 0x3f, 0x7f}
  // GenerateKey returns a public/private key pair. The private key is
  // generated using the given reader, which must return random data.
  func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err error) {
-       bitSize := curve.Params().BitSize
+       N := curve.Params().N
+       bitSize := N.BitLen()
         byteLen := (bitSize + 7) >> 3
         priv = make([]byte, byteLen)
  
@@ -289,6 +290,12 @@ func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err e
                 // This is because, in tests, rand will return all zeros and we don't
                 // want to get the point at infinity and loop forever.
                 priv[1] ^= 0x42
+
+               // If the scalar is out of range, sample another random number.
+               if new(big.Int).SetBytes(priv).Cmp(N) >= 0 {
+                       continue
+               }
+
                 x, y = curve.ScalarBaseMult(priv)
         }
         return
author	Adam Langley <agl@golang.org>
	Fri, 4 Dec 2015 22:17:03 +0000 (14:17 -0800)
committer	Russ Cox <rsc@golang.org>
	Tue, 8 Dec 2015 17:39:09 +0000 (17:39 +0000)