Fix low-probability arithmetic error in ECC
Fix the subtraction in fix_negative, which was incorrectly not looking
for a carry. This caused the result to be wrong when the least
significant limb of N was 0. Fix #4296.
The bug was introduced by d10e8fae9e
"Optimize fix_negative". Thanks to Philippe Antoine (catenacyber) for
reporting the bug which was found by his EC differential fuzzer.
Credit to OSS-Fuzz.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
parent
349b37273e
commit
ff6a32d79c
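--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1041,12 +1041,20 @@ void mbedtls_ecp_fix_negative( mbedtls_mpi *N, signed char c, size_t bits )
 {
     size_t i;
 
-    /* Set N := N - 2^bits */
-    --N->p[0];
+    /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so
+     * set the absolute value to 0xfff...fff - N. There is no carry
+     * since we're subtracting from all-bits-one. */
     for( i = 0; i <= bits / 8 / sizeof( mbedtls_mpi_uint ); i++ )
     {
         N->p[i] = ~(mbedtls_mpi_uint)0 - N->p[i];
     }
+    /* Add 1, taking care of the carry. */
+    i = 0;
+    do
+        ++N->p[i];
+    while( N->p[i++] == 0 && i <= bits / 8 / sizeof( mbedtls_mpi_uint ) );
+    /* Invert the sign.
+     * Now N = N0 - 2^bits where N0 is the initial value of N. */
     N->s = -1;
 
     /* Add |c| * 2^bits to the absolute value. Since c and N are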
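Review bot: The carry loop `do ++N->p[i]; while( N->p[i++] == 0 && i <= bits / 8 / sizeof( mbedtls_mpi_uint ) );` is correct (the post-increment makes the bound check see the next index, so the loop stops after the top limb wraps without touching limb limit+1), but a condition that both reads the limb and advances the index is easy to misread in code whose whole point is the carry, and the limb bound `bits / 8 / sizeof( mbedtls_mpi_uint )` is now spelled out three times in the hunk. A plain loop makes the termination explicit and removes the duplication: `const size_t last = bits / 8 / sizeof( mbedtls_mpi_uint );` once at the top, then `for( i = 0; i <= last; i++ ) { if( ++N->p[i] != 0 ) break; }` in place of the do/while, with the same `last` reused in the complement loop. The new comment states the precondition 0 <= N < 2^bits and both loops index limb `last`, so N->n must exceed that index; that is presumably guaranteed by the callers, and a one-line note to that effect next to the precondition would help the next reader. The body of mbedtls_ecp_fix_negative continues past the end of the hunk, so the top-limb addition that relies on the wrap of the all-ones limb is not visible here.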