From 6b18ad2f184709bccc0de975c9318f2fd93ee9cd Mon Sep 17 00:00:00 2001 From: Andres Erbsen Date: Wed, 19 Oct 2016 14:03:23 -0400 Subject: Update crypto-defects.md --- crypto-defects.md | 1 + 1 file changed, 1 insertion(+) (limited to 'crypto-defects.md') diff --git a/crypto-defects.md b/crypto-defects.md index 33d0a7c95..49c65a254 100644 --- a/crypto-defects.md +++ b/crypto-defects.md @@ -18,4 +18,5 @@ appearing in our code. | [CVE-2014-3570](https://www.openssl.org/news/secadv/20150108.txt) | Bignum squaring | | | | [ref/sc25519.c:84](https://github.com/floodyberry/supercop/blob/master/crypto_sign/ed25519/ref/sc25519.c#L84) | x mod (order of Curve25519) | Barrett reduction (code is likely correct) | "XXX" comment | | [ic#237002094](https://github.com/mit-plv/fiat-crypto/pull/42#issuecomment-237002094) | Barrett reduction for p256 | 1 conditional subtraction instead of 2 | unkown if ok | +| [openssl#1593](https://rt.openssl.org/Ticket/Display.html?id=1593&user=guest&pass=guest) | P384 modular reduction | carry handling | [exploitable](https://eprint.iacr.org/2011/633.pdf) | Not covered in the above list: memory mismanagement (buffer overrun, use-after-free, uninitialized read, null dereference), timing attacks (branch, cache, instruction). While these issues are very important, there are good programming disciplines for avoiding them without verifying intricate details of the computation. -- cgit v1.2.3
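Review bot: the context line directly above the added row still reads "unkown if ok"; since this commit already edits the table, fix that to "unknown if ok" in the same change. On the new row itself, "carry handling" is terser than the neighbouring descriptions (compare "1 conditional subtraction instead of 2" and "x mod (order of Curve25519)"), so a few words on where in the P384 reduction the carry was mishandled would make the "exploitable" link in the last column easier to act on. Also note that the ticket URL embeds guest credentials in its query string (user=guest&pass=guest); if the intent is that the ticket is publicly readable, that is fine, but a plain ticket URL would be cleaner in a document others will copy from.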