Fix side channel vulnerability in ECDSA

This commit is contained in:
Janos Follath 2019-09-16 14:27:39 +01:00
parent e9ae6305ea
commit 4c3408b140

View file

@ -2724,6 +2724,7 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
{ {
/* SEC1 3.2.1: Generate d such that 1 <= n < N */ /* SEC1 3.2.1: Generate d such that 1 <= n < N */
int count = 0; int count = 0;
int cmp = 0;
/* /*
* Match the procedure given in RFC 6979 (deterministic ECDSA): * Match the procedure given in RFC 6979 (deterministic ECDSA):
@ -2734,6 +2735,7 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
*/ */
do do
{ {
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
@ -2748,9 +2750,14 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
*/ */
if( ++count > 30 ) if( ++count > 30 )
return( MBEDTLS_ERR_ECP_RANDOM_FAILED ); return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
ret = mbedtls_mpi_cmp_mpi_ct( d, &grp->N, &cmp );
if( ret != 0 )
{
goto cleanup;
}
} }
while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp >= 0 );
mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 );
} }
#endif /* ECP_SHORTWEIERSTRASS */ #endif /* ECP_SHORTWEIERSTRASS */