Commit
Avoid curve25519 "left shift of negative value"
Cast to unsigned before performing the left shift. The shifted result is then sign extended back before subtraction, giving the same output. Generated assembly is unaltered with this change, checking gcc 14.2.0 and clang 19.1.1 (x86-64).

The same unsigned cast fix is present in crypto++'s tweetnacl version:
weidai11/cryptopp@5be0c0a#diff-067e6f20b212f32eb7fcdec3395fb1d145612f5d44736d041c1dfc9bc44a9d5b
Jeffrey Walton's modification to modL() is also applied here.

Running with -fsanitize=undefined could report a left shift of a negative value from car25519:

    o[i]-=c<<16;

This is valid for gcc (and presumably clang), but the sanitizer report is a problem.
https://gcc.gnu.org/onlinedocs/gcc-14.2.0/gcc/Integers-implementation.html

Fixes #312 on github
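The pattern the commit describes, as an added example rather than the project's own code: a 16-limb carry pass written in the style of tweetnacl's car25519 (reimplemented here, not copied from the patched file), with the `c<<16` on a possibly negative carry replaced by a shift on the unsigned-cast value and converted back. The function names `shl16_signed`, `shl16_unsigned`, `carry_pass` and `demo_limb`, and the sample limb values, are constructed for this illustration. The signed variant is kept only so the two can be compared side by side; `demo_limb` never calls it.

```c
#include <stdint.h>
#include <stdio.h>

typedef int64_t i64;
typedef uint64_t u64;

/* Original form: shifting a negative i64 left is undefined behaviour in the
 * C standard (GCC documents it as defined, but -fsanitize=undefined reports it).
 * Kept only for comparison; nothing below calls it on a negative value. */
static i64 shl16_signed(i64 c)
{
    return c << 16;
}

/* Fixed form: shift the unsigned bit pattern, then convert back. On a
 * two's-complement target the result equals c * 65536 for negative c as well,
 * and no sanitizer report is produced. */
static i64 shl16_unsigned(i64 c)
{
    return (i64)((u64)c << 16);
}

/* Carry propagation over 16 limbs of 16 bits each, in the car25519 style:
 * the top limb's carry wraps to limb 0 with weight 38 (2^256 = 38 mod 2^255-19).
 * This is a constructed reimplementation for illustration, not the library's code. */
static void carry_pass(i64 o[16])
{
    for (int i = 0; i < 16; i++) {
        o[i] += (1LL << 16);
        i64 c = o[i] >> 16;              /* arithmetic shift: c may be negative */
        o[(i + 1) * (i < 15)] += c - 1 + 37 * (c - 1) * (i == 15);
        o[i] -= shl16_unsigned(c);       /* instead of o[i] -= c << 16 */
    }
}

/* Runs one carry pass on a constructed input whose limb 0 is far enough below
 * zero that the carry c becomes negative (here c = -3 at i = 0), and returns
 * the requested output limb so the result can be checked. */
static i64 demo_limb(int idx)
{
    i64 o[16] = { -200000, 0 };          /* constructed sample, limbs 1..15 zero */
    carry_pass(o);
    return o[idx];
}

int main(void)
{
    printf("shl16_unsigned(-3) = %lld\n", (long long)shl16_unsigned(-3));
    printf("shl16_signed(5)    = %lld\n", (long long)shl16_signed(5));
    for (int i = 0; i < 16; i++)
        printf("o[%2d] = %lld\n", i, (long long)demo_limb(i));
    return 0;
}
```

Compiling this with `-fsanitize=undefined` and running it produces no report, because the only left shift applied to a negative carry goes through `shl16_unsigned`; substituting `shl16_signed` in `carry_pass` reproduces the "left shift of negative value" diagnostic on the same input.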