Add pre- and post-validation to mult_safer()
Validating the input is always a good idea. Validating the output protects
against some fault injections that would make the result invalid.
Note: valid_point() implies that the point is not zero.
Adding validation to mult_safer() makes it redundant in
compute_shared_secret().
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index c69d422..b480832 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -936,6 +936,11 @@
if (curve != uECC_secp256r1())
return 0;
+ /* Protects against invalid curves attacks */
+ if (uECC_valid_point(point, curve) != 0 ) {
+ return 0;
+ }
+
/* Regularize the bitcount for the private key so that attackers cannot use a
* side channel attack to learn the number of leading zeros. */
carry = regularize_k(scalar, tmp, s);
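Review bot: The new check at `if (uECC_valid_point(point, curve) != 0 ) {` relies on the convention that uECC_valid_point() returns 0 only for a point that lies on the curve and is non-zero (the commit message states the non-zero part); the comment above it should say so, since a reader seeing `!= 0` on a function named "valid" may assume the opposite polarity. Suggest rewording the comment to "Protects against invalid-curve attacks: uECC_valid_point() returns 0 only for a non-zero point on the curve" and dropping the stray space in `0 )` to match the surrounding style. Placing the check before regularize_k() is the right order, since the scalar multiplication never runs on an unchecked input point.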
@@ -952,7 +957,9 @@
EccPoint_mult(result, point, k2[!carry], initial_Z);
- if (EccPoint_isZero(result, curve)) {
+ /* Protect against fault injections that would make the resulting
+ * point not lie on the intended curve */
+ if (uECC_valid_point(result, curve) != 0 ) {
r = 0;
goto clear_and_out;
}
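Review bot: Replacing `if (EccPoint_isZero(result, curve)) {` with `if (uECC_valid_point(result, curve) != 0 ) {` widens the check rather than swapping it, because a valid point is by definition non-zero (as the commit message notes), so the original zero-result behaviour (r = 0, goto clear_and_out) is preserved; the new comment should state that the zero case is still covered, so that no one later re-adds the isZero() test. Worth noting in the comment as well that this only detects faults whose result is not on the curve or is the zero point; a fault that lands on a different valid point is not caught by this check, so it is a partial mitigation. Same style nit as the first hunk: `0 )` has a stray space before the closing parenthesis.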