From a779b4601e0cf706f8b2992e783e6a7edc9700ed Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Mon, 16 Sep 2019 14:27:39 +0100
Subject: [PATCH] Fix side channel vulnerability in ECDSA

---
 library/ecp.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/library/ecp.c b/library/ecp.c
index c281d8419..596800a67 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -2803,6 +2803,7 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
     {
         /* SEC1 3.2.1: Generate d such that 1 <= n < N */
         int count = 0;
+        int cmp = 0;
 
         /*
          * Match the procedure given in RFC 6979 (deterministic ECDSA):
@@ -2813,6 +2814,7 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
          */
         do
         {
+
             MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
             MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
 
@@ -2827,9 +2829,14 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
              */
             if( ++count > 30 )
                 return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+            ret = mbedtls_mpi_cmp_mpi_ct( d, &grp->N, &cmp );
+            if( ret != 0 )
+            {
+                goto cleanup;
+            }
         }
-        while( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
-               mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 );
+        while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp >= 0 );
     }
 #endif /* ECP_SHORTWEIERSTRASS */
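Review bot: The lower-bound test `mbedtls_mpi_cmp_int( d, 1 ) < 0` on the rewritten `while` line still goes through the ordinary comparison, so only the upper-bound compare against `grp->N` gains the constant-time property the subject line promises; if `mbedtls_mpi_cmp_int` follows the same early-exit limb scan as `mbedtls_mpi_cmp_mpi`, its timing presumably still depends on the leading limbs of the candidate `d`. A second `mbedtls_mpi_cmp_mpi_ct` call against a one-valued MPI (initialised and freed alongside the other locals, its result folded into the loop condition) would make every comparison involving the candidate key constant time; whether that is worth the extra MPI depends on how much the 1-bound leaks, which the hunk does not show. Separately, the new error path `ret = mbedtls_mpi_cmp_mpi_ct( d, &grp->N, &cmp ); if( ret != 0 ) { goto cleanup; }` departs from the `MBEDTLS_MPI_CHK` wrapper used on the neighbouring fill_random/shift_r lines; `MBEDTLS_MPI_CHK( mbedtls_mpi_cmp_mpi_ct( d, &grp->N, &cmp ) );` keeps the style uniform. The do/while body begins before this hunk and the `cleanup` label lies after it.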