Use safer return values in uECC_verify()
This is a first step in protecting against fault injection attacks: the
attacker can no longer change failure into success by flipping a single bit.
Additional steps are needed to prevent other attacks (instruction skip etc)
and will be the object of future commits.
The return value of uECC_vli_equal() should be protected too; that will
also be done in a future commit.
diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c
index 04b1bfa..5cf58f3 100644
--- a/tinycrypt/ecc_dsa.c
+++ b/tinycrypt/ecc_dsa.c
@@ -235,13 +235,13 @@
/* r, s must not be 0. */
if (uECC_vli_isZero(r) || uECC_vli_isZero(s)) {
- return 0;
+ return UECC_FAILURE;
}
/* r, s must be < n. */
if (uECC_vli_cmp_unsafe(curve->n, r) != 1 ||
uECC_vli_cmp_unsafe(curve->n, s) != 1) {
- return 0;
+ return UECC_FAILURE;
}
/* Calculate u1 and u2. */
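Review bot: Both early returns in this hunk switch from the old 0/1 convention to UECC_FAILURE, and the second hunk returns UECC_SUCCESS on the success path, so unless UECC_SUCCESS evaluates to 1 and UECC_FAILURE to 0 any caller written as `if (uECC_verify(...))` or `if (!uECC_verify(...))` now takes the opposite branch; the diff shows no caller or header update, which may simply be outside this excerpt but belongs in the same commit. uECC_verify() begins before this hunk, so its declaration comment is not visible here; it should state the new contract explicitly, e.g. `@return UECC_SUCCESS if the signature is valid, UECC_FAILURE otherwise.` Any other early return in the function body between the two hunks would need the same treatment, since a remaining literal `return 0;` would become a success value if UECC_SUCCESS is 0.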
@@ -301,7 +301,10 @@
}
/* Accept only if v == r. */
- return (int)(uECC_vli_equal(rx, r) == 0);
+ if (uECC_vli_equal(rx, r) == 0)
+ return UECC_SUCCESS;
+
+ return UECC_FAILURE;
}
#else
typedef int mbedtls_dummy_tinycrypt_def;
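Review bot: The new `if` that returns UECC_SUCCESS omits the braces that every other early return in this file uses (compare the `if (...) { return UECC_FAILURE; }` blocks in the previous hunk); keeping the body braced makes the hardening easier to extend later, which the commit message says is planned. Write it as `if (uECC_vli_equal(rx, r) == 0) {` / `return UECC_SUCCESS;` / `}`. uECC_verify() starts before this hunk.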