Commit graph

33 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 4d8777cbb6 Move p from curve structure to its own constant
This removes an indirection, which both makes the code smaller and decreases
the number of glitching opportunities for an attacker.
2019-11-26 12:51:58 +01:00
Manuel Pégourié-Gonnard 30833f2a07 Remove num_n_bits member from curve structure 2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard 72c1764c00 Remove num_bytes member from curve structure
Reduces code size and size of the structure.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard 1765933ab2 Remove num_words member from curve structure
Saves code size, and makes the curve structure simpler.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard 1c6f7eae2d Remove function pointers from curve structure
They're not needed in practice, and removing them decreases the code size
slightly and provides less opportunities for an attacker.
2019-11-21 15:37:22 +01:00
Manuel Pégourié-Gonnard 72a8c9e7dc Force some compilers to respect volatile reads
Inspection of the generated assembly showed that before this commit, armcc 5
was optimizing away the successive reads to the volatile local variable that's
used for double-checks. Inspection also reveals that inserting a call to an
external function is enough to prevent it from doing that.

The tested versions of ARM-GCC, Clang and Armcc 6 (aka armclang) all keep the
double read, with our without a call to an external function in the middle.

The inserted function can also be changed to insert a random delay if
desired in the future, as it is appropriately places between the reads.
2019-11-21 15:14:59 +01:00
Manuel Pégourié-Gonnard e6d6f17738 Add double-checking of critical value in uECC_verify()
This hardens against attacks that glitch the conditional branch by making it
necessary for the attacker to inject two consecutive faults instead of one. If
desired, we could insert a random delay in order to further protect against
double-glitch attacks.

Also, when a single glitch is detected we report it.
2019-11-21 15:14:59 +01:00
Manuel Pégourié-Gonnard 10d8e8ed64 Use safer return values in uECC_verify()
This is a first step in protecting against fault injection attacks: the
attacker can no longer change failure into success by flipping a single bit.
Additional steps are needed to prevent other attacks (instruction skip etc)
and will be the object of future commits.

The return value of uECC_vli_equal() should be protected as well, which will
be done in a future commit as well.
2019-11-21 15:12:44 +01:00
Manuel Pégourié-Gonnard ad166d8db7 Also check curve in verify()
This is the only function that performs computations without calling
EccPoint_mult_safer() and that didn't have that guard yet.
2019-11-04 15:53:24 +01:00
Manuel Pégourié-Gonnard 913534837a Hardcode numwords in vli_modInv 2019-11-04 15:53:22 +01:00
Manuel Pégourié-Gonnard 3e20adf533 Hardcode numwords in vli_modMult 2019-11-04 15:53:20 +01:00
Manuel Pégourié-Gonnard 10349e4912 Hardcode numwords in vli_mmod 2019-11-04 15:53:19 +01:00
Manuel Pégourié-Gonnard 1b0875d863 Hardcode numwords in vli_modSub 2019-11-04 15:53:17 +01:00
Manuel Pégourié-Gonnard 0779be7f31 Hardcode numwords in vli_modAdd 2019-11-04 15:53:14 +01:00
Manuel Pégourié-Gonnard 2cb3eea922 Hardcode numwords in vli_cmp 2019-11-04 15:53:10 +01:00
Manuel Pégourié-Gonnard 129b42ea2e Hardcode numwords in vli_sub 2019-11-04 15:53:09 +01:00
Manuel Pégourié-Gonnard 2eca3d367b Hardcode numwords in vli_equal 2019-11-04 15:53:07 +01:00
Manuel Pégourié-Gonnard a752191191 Hardcode numwords in vli_cpm_unsafe 2019-11-04 15:53:03 +01:00
Manuel Pégourié-Gonnard cbbb0f034b Hardcode numwords in vli_set() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard 2bf5a129cf Hardcode numwords in semi-internal vli_numBits() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard 94e48498ef Hardcode numwords in semi-internal vli_clear() 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard f3899fc0ea hardcode numwords in semi-internal vli_isZero 2019-11-04 15:52:43 +01:00
Manuel Pégourié-Gonnard c3ec14c87f Harcode curve in semi-internal modMult function
Saves 80 bytes of code size.
2019-11-04 12:23:11 +01:00
Manuel Pégourié-Gonnard ef238283d5 Add ECCPoint_mult_safer() function
This avoids the need for each calling site to manually regularize the scalar
and randomize coordinates, which makes for simpler safe use and saves 50 bytes
of code size in the library.
2019-11-04 11:19:30 +01:00
Manuel Pégourié-Gonnard 4a658a01c6 Add projective coordinates randomization in ECDSA
Why: this protects against potential side-channels attacks. This
counter-measure is for example effective against Template SPA. Also, the
bignum arithmetic as implemented in TinyCrypt isn't entirely regular, which
could in principle be exploited by an attacker; randomizing the coordinates
makes this less likely to happen.

Randomizing projective coordinates is also a well-known countermeasure to DPA.
In the context of the scalar multiplication in ECDSA, DPA isn't a concern
since it requires multiple measurements with various base points and the same
scalar, and the scalar mult in ECDSA is the opposite: the base point's always
the same and the scalar is always unique. But we want protection against the
other attacks as well.

How: we use the same code fragment as in uECC_shared_secret in ecc_dh.c,
adapted as follows: (1) replace p2 with k2 as that's how it's called in this
function; (2) adjust how errors are handled.

The code might not be immediately clear so here are a few more details:
regularize_k() takes two arrays as outputs, and the return value says which one
should be passed to ECCPoint_mult(). The other one is free for us to re-use to
generate a random number to be used as the initial Z value for randomizing
coordinates (otherwise the initial Z value is 1), thus avoiding the use of an
extra stack buffer.
2019-10-31 13:07:52 +01:00
Simon Butcher 92c3d1f4f4 Addition of copyright statements to tinycrypt files
Each of the tinycrypt files have had some very minor changes, so need a
copyright statement.
2019-09-09 17:37:08 +01:00
Simon Butcher cffedb548f Add SPDX lines to each imported TinyCrypt file
Out of the 6 tinycrypt files included in Mbed TLS, this commit adds SPDX lines
to each for the BSD 3 Clause licence.
2019-09-09 17:34:51 +01:00
Hanno Becker 36ae758798 Include Mbed TLS config in tinycrypt compilation units 2019-08-12 17:05:38 +01:00
Manuel Pégourié-Gonnard afdc1b5cbd Consistently use the name tinycrypt over uecc
We called in tinycrypt in the file names, but uecc in config.h, all.sh and
other places, which could be confusing. Just use tinycrypt everywhere because
that's the name of the project and repo where we took the files.

The changes were made using the following commands (with GNU sed and zsh):

sed -i 's/uecc/tinycrypt/g' **/*.[ch] tests/scripts/all.sh
sed -i 's/MBEDTLS_USE_UECC/MBEDTLS_USE_TINYCRYPT/g' **/*.[ch] tests/scripts/all.sh scripts/config.pl
2019-05-09 11:24:11 +02:00
Jarno Lamsa 46132207f8 Make compiler happy when MBEDTLS_USE_UECC disabled 2019-04-29 14:29:52 +03:00
Jarno Lamsa 55427964b1 Guard tinycrypt files with MBEDTLS_USE_UECC 2019-04-29 10:25:23 +03:00
Jarno Lamsa d50fd6b373 Remove unused headers from uecc sources 2019-04-24 16:19:50 +03:00
Jarno Lamsa 18987a420b Add micro-ecc based ecc-files to mbedtls
The files are from https://github.com/intel/tinycrypt
Using commit 6e0eb53fc8403988f97345e94081b0453f47231d as a base.
2019-04-24 15:40:43 +03:00