Fix side channel vulnerability in ECDSA
diff --git a/library/ecp.c b/library/ecp.c
index cb8e947..5b8f103 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1957,6 +1957,7 @@
{
/* SEC1 3.2.1: Generate d such that 1 <= n < N */
int count = 0;
+ int cmp = 0;
/*
* Match the procedure given in RFC 6979 (deterministic ECDSA):
@@ -1967,6 +1968,7 @@
*/
do
{
+
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
@@ -1981,9 +1983,14 @@
*/
if( ++count > 30 )
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+ ret = mbedtls_mpi_cmp_mpi_ct( d, &grp->N, &cmp );
+ if( ret != 0 )
+ {
+ goto cleanup;
+ }
}
- while( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
- mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 );
+ while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp >= 0 );
}
#endif /* ECP_SHORTWEIERSTRASS */
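Review bot: The new error path at L25–L29 hand-expands what `MBEDTLS_MPI_CHK` already does, while the two calls a few lines above (L18, L19) use the macro; for consistency the five added lines can be a single `MBEDTLS_MPI_CHK( mbedtls_mpi_cmp_mpi_ct( d, &grp->N, &cmp ) );`, which also keeps the convention that `cmp` is only read when the call succeeded. The rewritten condition at L33 still evaluates `mbedtls_mpi_cmp_int( d, 1 ) < 0` with the non-constant-time comparison, so the rejection decision is only partly constant-time; since the loop merely repeats when that branch is taken, what it reveals appears limited to whether the candidate was zero, but that reasoning is not stated anywhere and a comment such as `/* cmp_int() is not constant-time; it only exposes whether the rejected candidate was 0 */` would record it for the next reader. The pre-existing `return( MBEDTLS_ERR_ECP_RANDOM_FAILED )` at L23 leaves the loop without passing through `cleanup`, whereas the newly added failure path does `goto cleanup`; the two exits should probably follow the same convention. The enclosing function starts before this hunk (and its closing brace is the `}` at L34), and the added blank `+` lines at L17 and L24 are whitespace-only noise in the patch.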