[openssl-users] possible C bugs in ecp_nistp521
Billy Brumley
bbrumley at gmail.com
Wed Jan 9 20:29:21 UTC 2019
> I would expect that correct results would be provided for all valid
> inputs (including those inputs that are not otherwise constrained).
> As such, I would class this as a bug in OpenSSL.

These functions are not part of the public OpenSSL API so that's just
not how it works. There is a ton of internal code across the library
that makes assumptions about the inputs, e.g. in this case the
internal caller using some non-trivial representation that somehow
bounds limbs.

In this instance, I suspect Patrick's statement is valid -- hopefully
it's just a documentation typo and the bounds are tighter.

In any case, this (and any other might-be arithmetic bug) is
potentially a security issue so it shouldn't be discussed on a public
mailing list.

BBB