commit 1ea73060bbed6a3153e123c224f3eee67f0373d5 (tree)
parent 99c2792b5e52996c72f7689c347a394bb4a827f3
Author: Frank Denis <github@pureftpd.org>
Date: Fri, 29 May 2026 11:03:57 +0200
crypto.ff: fix operator priority
Exponentiation with short, public exponents doesn't use a
precomputation table. Building the table would take more time
than it would eventually save.
However, without explicit parentheses the test for that parsed as
"(public and e.len < 3) or (e.len == 3 and top_byte <= 0x0f)"
and not "public and (e.len < 3 or...)" as intended.
Not a practical issue since a secret exponent is never going to be
short, but we're still supposed to use the constant-time path for
non-public exponents.
Diffstat:
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/std/crypto/ff.zig b/lib/std/crypto/ff.zig
@@ -702,7 +702,9 @@ pub fn Modulus(comptime max_bits: comptime_int) type {
var out = self.one();
self.toMontgomery(&out) catch unreachable;
- if (public and e.len < 3 or (e.len == 3 and e[if (endian == .big) 0 else 2] <= 0b1111)) {
+ if (public and
+ (e.len < 3 or (e.len == 3 and e[if (endian == .big) 0 else 2] <= 0b1111)))
+ {
// Do not use a precomputation table for short, public exponents
var x_m = x;
if (!x.montgomery) {
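Review bot: The corrected test at `if (public and` still folds the secrecy gate and the exponent-length heuristic into one boolean expression, which is the shape that let the precedence slip through. Naming the heuristic would keep the gate visibly separate: `const short_exp = e.len < 3 or (e.len == 3 and e[if (endian == .big) 0 else 2] <= 0b1111);` followed by `if (public and short_exp) {`. The branch comment could also record why the gate matters, for example `// Not constant-time in e: taken only when public is set; secret exponents must use the table path.` The commit message implies this, but the branch body continues past the end of the hunk, so the timing behaviour cannot be confirmed from the visible lines. A test that runs a short exponent with `public` false and checks that the result matches the public path would pin functional equivalence of the two paths, though it cannot check timing.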