Add ECCPoint_mult_safer() function
This avoids the need for each calling site to manually regularize the scalar
and randomize coordinates, which makes safe use simpler and saves 50 bytes
of code size in the library.
diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c
index 853c50d..52208ad 100644
--- a/tinycrypt/ecc_dh.c
+++ b/tinycrypt/ecc_dh.c
@@ -72,12 +72,6 @@
#include <string.h>
#include "mbedtls/platform_util.h"
-#if default_RNG_defined
-static uECC_RNG_Function g_rng_function = &default_CSPRNG;
-#else
-static uECC_RNG_Function g_rng_function = 0;
-#endif
-
int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key,
unsigned int *d, uECC_Curve curve)
{
@@ -160,11 +154,6 @@
uECC_word_t _public[NUM_ECC_WORDS * 2];
uECC_word_t _private[NUM_ECC_WORDS];
-
- uECC_word_t tmp[NUM_ECC_WORDS];
- uECC_word_t *p2[2] = {_private, tmp};
- uECC_word_t *initial_Z = 0;
- uECC_word_t carry;
wordcount_t num_words = curve->num_words;
wordcount_t num_bytes = curve->num_bytes;
int r;
@@ -186,30 +175,15 @@
public_key + num_bytes,
num_bytes);
- /* Regularize the bitcount for the private key so that attackers cannot use a
- * side channel attack to learn the number of leading zeros. */
- carry = regularize_k(_private, _private, tmp, curve);
-
- /* If an RNG function was specified, try to get a random initial Z value to
- * improve protection against side-channel attacks. */
- if (g_rng_function) {
- if (!uECC_generate_random_int(p2[carry], curve->p, num_words)) {
- r = 0;
- goto clear_and_out;
- }
- initial_Z = p2[carry];
- }
-
- EccPoint_mult(_public, _public, p2[!carry], initial_Z, curve->num_n_bits + 1,
- curve);
+ r = EccPoint_mult_safer(_public, _public, _private, curve);
+ if (r == 0)
+ goto clear_and_out;
uECC_vli_nativeToBytes(secret, num_bytes, _public);
r = !EccPoint_isZero(_public, curve);
clear_and_out:
/* erasing temporary buffer used to store secret: */
- mbedtls_platform_zeroize(p2, sizeof(p2));
- mbedtls_platform_zeroize(tmp, sizeof(tmp));
mbedtls_platform_zeroize(_private, sizeof(_private));
return r;
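Review bot: The cleanup at `clear_and_out` still wipes only `_private`, while `_public` — the multiplied point whose x coordinate was just copied out as the shared secret by `uECC_vli_nativeToBytes` — is left in place on the stack; unless it is zeroized further down (the enclosing function starts before this hunk and its closing brace is not shown), add `mbedtls_platform_zeroize(_public, sizeof(_public));` next to the existing zeroize. The new early exit leaves `r` at the value EccPoint_mult_safer returned, which matches the `r = 0; goto clear_and_out;` path it replaces only if that function returns 0 on failure and non-zero on success; its definition is not in this chunk, so confirm the convention. Minor style point: the removed code braced single-statement `if` bodies, so `if (r == 0) {` / `goto clear_and_out;` / `}` would match the surrounding file.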