Fix side channel vulnerability in ECDSA

This commit is contained in:
Janos Follath 2019-09-16 14:27:39 +01:00
parent 385d5b8682
commit a779b4601e

View file

@ -2803,6 +2803,7 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
{
/* SEC1 3.2.1: Generate d such that 1 <= n < N */
int count = 0;
int cmp = 0;
/*
* Match the procedure given in RFC 6979 (deterministic ECDSA):
@ -2813,6 +2814,7 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
*/
do
{
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
@ -2827,9 +2829,14 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
*/
if( ++count > 30 )
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
ret = mbedtls_mpi_cmp_mpi_ct( d, &grp->N, &cmp );
if( ret != 0 )
{
goto cleanup;
}
}
while( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 );
while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp >= 0 );
}
#endif /* ECP_SHORTWEIERSTRASS */