> I would expect that correct results would be provided for all valid
> inputs (including those inputs that are not otherwise constrained).
> As such, I would class this as a bug in OpenSSL.

These functions are not part of the public OpenSSL API so that's just not how it works. There is a ton of internal code across the library that makes assumptions about the inputs, e.g. in this case the internal caller using some non-trivial representation that somehow bounds limbs.

In this instance, I suspect Patrick's statement is valid -- hopefully it's just a documentation typo and the bounds are tighter.

In any case, this (and any other might-be arithmetic bug) is potentially a security issue so it shouldn't be discussed on a public mailing list.

BBB

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users