mbedtls_ecp_gen_privkey_mx: remove the exception for all-zero

The library rejected an RNG input of all-bits-zero, which led to the
key 2^{254} (for Curve25519) having a 31/32 chance of being generated
compared to other keys. This had no practical impact because the
probability of non-compliance was 2^{-256}, but needlessly
complicated the code.

The exception was added in 98e28a74e3 to
avoid the case where b - 1 wraps because b is 0. Instead, change the
comparison code to avoid calculating b - 1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2021-03-24 12:04:43 +01:00
parent 188828525d
commit 6acfc9cb4c
2 changed files with 8 additions and 12 deletions

View file

@ -3052,14 +3052,12 @@ int mbedtls_ecp_gen_privkey_mx( size_t high_bit,
size_t n_bytes = ( high_bit + 7 ) / 8;
/* [Curve25519] page 5 */
do {
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_bytes, f_rng, p_rng ) );
} while( mbedtls_mpi_bitlen( d ) == 0);
/* Make sure the most significant bit is high_bit */
b = mbedtls_mpi_bitlen( d ) - 1; /* position of the highest bit in d */
if( b > high_bit )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - high_bit ) );
b = mbedtls_mpi_bitlen( d ); /* mbedtls_mpi_bitlen is one-based */
if( b > high_bit + 1 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - 1 - high_bit ) );
else
MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, high_bit, 1 ) );

View file

@ -289,10 +289,8 @@ genkey_mx_known_answer:254:"ff0102030405060708090a0b0c0d0e0f10111213141516171819
ECP generate Montgomery key: Curve25519, clear low bits
genkey_mx_known_answer:254:"4f0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1eff":"4f0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1ef8"
# ECP generate Montgomery key: Curve25519, random = all-bits-zero
## Currently explicitly rejected in the library, but the specification
## says it shouldn't be.
# genkey_mx_known_answer:254:"0000000000000000000000000000000000000000000000000000000000000000":"4000000000000000000000000000000000000000000000000000000000000000"
ECP generate Montgomery key: Curve25519, random = all-bits-zero
genkey_mx_known_answer:254:"0000000000000000000000000000000000000000000000000000000000000000":"4000000000000000000000000000000000000000000000000000000000000000"
ECP generate Montgomery key: Curve25519, random = all-bits-one
genkey_mx_known_answer:254:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":"7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8"
@ -309,8 +307,8 @@ genkey_mx_known_answer:447:"0f0102030405060708090a0b0c0d0e0f10111213141516171819
ECP generate Montgomery key: Curve448, clear low bits
genkey_mx_known_answer:447:"cf0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536ff":"cf0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536fc"
# ECP generate Montgomery key: Curve448, random = all-bits-zero
# genkey_mx_known_answer:447:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ECP generate Montgomery key: Curve448, random = all-bits-zero
genkey_mx_known_answer:447:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
ECP generate Montgomery key: Curve448, random = all-bits-one
genkey_mx_known_answer:447:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc"