From e6d6f17738b46a73bbf255073a96899b1667840d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 6 Nov 2019 11:14:38 +0100
Subject: [PATCH] Add double-checking of critical value in uECC_verify()
This hardens against attacks that glitch the conditional branch by making it necessary for the attacker to inject two consecutive faults instead of one. If desired, we could insert a random delay in order to further protect against double-glitch attacks. Also, when a single glitch is detected we report it.
---
 tinycrypt/ecc_dsa.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c
index 5cf58f31f..687ea9880 100644
--- a/tinycrypt/ecc_dsa.c
+++ b/tinycrypt/ecc_dsa.c
@@ -214,6 +214,7 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
 const uECC_word_t *point;
 bitcount_t num_bits;
 bitcount_t i;
+ volatile uECC_word_t diff;
 uECC_word_t _public[NUM_ECC_WORDS * 2];
 uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS];
@@ -301,8 +302,15 @@ int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash,
 }
 /* Accept only if v == r. */
- if (uECC_vli_equal(rx, r) == 0)
- return UECC_SUCCESS;
+ diff = uECC_vli_equal(rx, r);
+ if (diff == 0) {
+ if (diff == 0) {
+ return UECC_SUCCESS;
+ }
+ else {
+ return UECC_ATTACK_DETECTED;
+ }
+ }
 return UECC_FAILURE;
 }
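Review bot: `diff` is declared without an initializer in the first hunk, and the only store to it is `diff = uECC_vli_equal(rx, r);` in the second hunk, so the accepting value 0 is not ruled out until that store has actually executed. If that single store is skipped or corrupted, both `diff == 0` reads see an indeterminate stack value, and the double check adds nothing for that case. A failing default at the declaration, `volatile uECC_word_t diff = (uECC_word_t) -1;`, keeps the function fail-closed there. The commit message only mentions faults on the conditional branch, so treat this as additional hardening rather than a confirmed gap. The body of uECC_verify() extends beyond both hunks.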
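Review bot: The inner `else` returning `UECC_ATTACK_DETECTED` adds a third outcome to uECC_verify(), and nothing in this patch documents it; the diffstat shows only ecc_dsa.c being touched. A comment on that branch, for example `/* second read of volatile diff disagreed with the first: treat as fault injection */`, would explain why a branch that looks unreachable is deliberate and must not be simplified away. The function's header comment should also list the new return code. Callers that test `== UECC_FAILURE` instead of `!= UECC_SUCCESS` would not treat this value as a rejection; those call sites are not visible here and are worth checking.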