Add double-checking of critical value in uECC_verify() This hardens against attacks that glitch the conditional branch by making it necessary for the attacker to inject two consecutive faults instead of one. If desired, we could insert a random delay in order to further protect against double-glitch attacks. Also, when a single glitch is detected we report it.

commit: e6d6f17738b46a73bbf255073a96899b1667840d [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Wed Nov 06 11:14:38 2019 +0100
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Nov 21 15:14:59 2019 +0100
tree: 8d3384be9e80d61300c2bd1ed7811ec99f7a3391
parent: 2b6312b7d90cbcb97f3f53d92d124422af3cb60b [diff]
diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c
index 5cf58f3..687ea98 100644
--- a/tinycrypt/ecc_dsa.c
+++ b/tinycrypt/ecc_dsa.c

@@ -214,6 +214,7 @@
 	const uECC_word_t *point;
 	bitcount_t num_bits;
 	bitcount_t i;
+	volatile uECC_word_t diff;
 
 	uECC_word_t _public[NUM_ECC_WORDS * 2];
 	uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS];
@@ -301,8 +302,15 @@
 	}
 
 	/* Accept only if v == r. */
-	if (uECC_vli_equal(rx, r) == 0)
-		return UECC_SUCCESS;
+	diff = uECC_vli_equal(rx, r);
+	if (diff == 0) {
+		if (diff == 0) {
+			return UECC_SUCCESS;
+		}
+		else {
+			return UECC_ATTACK_DETECTED;
+		}
+	}
 
 	return UECC_FAILURE;
 }
commit	e6d6f17738b46a73bbf255073a96899b1667840d	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Wed Nov 06 11:14:38 2019 +0100
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Thu Nov 21 15:14:59 2019 +0100
tree	8d3384be9e80d61300c2bd1ed7811ec99f7a3391
parent	2b6312b7d90cbcb97f3f53d92d124422af3cb60b [diff]