TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls.git / 9d6a535ba113ebf839f551c1bdaff7d3df50df68^! / . / tinycrypt / ecc_dsa.c
commit9d6a535ba113ebf839f551c1bdaff7d3df50df68[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Mon Nov 25 13:06:05 2019 +0100
committerManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Tue Nov 26 12:54:06 2019 +0100
tree17625fedd962dcbf8a0a81d705e0cc0e597fafed
parent4d6186beb0bca06096be6424daa2c618fb787c30 [diff] [blame]
Return and propagate UECC_FAULT_DETECTED

This commit first changes the return convention of EccPoint_mult_safer() so
that it properly reports when faults are detected. Then all functions that
call it need to be changed to (1) follow the same return convention and (2)
properly propagate UECC_FAULT_DETECTED when it occurs.

Here's the reverse call graph from EccPoint_mult_safer() to the rest of the
library (where return values are translated to the MBEDTLS_ERR_ space) and test
functions (where expected return values are asserted explicitly).

EccPoint_mult_safer()
    EccPoint_compute_public_key()
        uECC_compute_public_key()
            pkparse.c
            tests/suites/test_suite_pkparse.function
        uECC_make_key_with_d()
        uECC_make_key()
            ssl_cli.c
            ssl_srv.c
            tests/suites/test_suite_pk.function
            tests/suites/test_suite_tinycrypt.function
    uECC_shared_secret()
        ssl_tls.c
        tests/suites/test_suite_tinycrypt.function
    uECC_sign_with_k()
        uECC_sign()
            pk.c
            tests/suites/test_suite_tinycrypt.function

Note: in uECC_sign_with_k() a test for uECC_vli_isZero(p) is suppressed
because it is redundant with a more thorough test (point validity) done at the
end of EccPoint_mult_safer(). This redundancy was introduced in a previous
commit but not noticed earlier.

diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c
index 0d6683b..9ed6941 100644
--- a/tinycrypt/ecc_dsa.c
+++ b/tinycrypt/ecc_dsa.c

@@ -122,12 +122,12 @@
 	/* Make sure 0 < k < curve_n */
   	if (uECC_vli_isZero(k) ||
 	    uECC_vli_cmp(curve_n, k) != 1) {
-		return 0;
+		return UECC_FAILURE;
 	}
 
 	r = EccPoint_mult_safer(p, curve_G, k);
-	if (r == 0 || uECC_vli_isZero(p)) {
-		return 0;
+        if (r != UECC_SUCCESS) {
+		return r;
 	}
 
 	/* If an RNG function was specified, get a random number
@@ -137,7 +137,7 @@
 		tmp[0] = 1;
 	}
 	else if (!uECC_generate_random_int(tmp, curve_n, num_n_words)) {
-		return 0;
+		return UECC_FAILURE;
 	}
 
 	/* Prevent side channel analysis of uECC_vli_modInv() to determine
@@ -159,16 +159,17 @@
 	uECC_vli_modAdd(s, tmp, s, curve_n); /* s = e + r*d */
 	uECC_vli_modMult(s, s, k, curve_n);  /* s = (e + r*d) / k */
 	if (uECC_vli_numBits(s) > (bitcount_t)NUM_ECC_BYTES * 8) {
-		return 0;
+		return UECC_FAILURE;
 	}
 
 	uECC_vli_nativeToBytes(signature + NUM_ECC_BYTES, NUM_ECC_BYTES, s);
-	return 1;
+	return UECC_SUCCESS;
 }
 
 int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash,
 	      unsigned hash_size, uint8_t *signature)
 {
+	int r;
 	      uECC_word_t _random[2*NUM_ECC_WORDS];
 	      uECC_word_t k[NUM_ECC_WORDS];
 	      uECC_word_t tries;
@@ -178,17 +179,23 @@
 		uECC_RNG_Function rng_function = uECC_get_rng();
 		if (!rng_function ||
 		    !rng_function((uint8_t *)_random, 2*NUM_ECC_WORDS*uECC_WORD_SIZE)) {
-			return 0;
+			return UECC_FAILURE;
 		}
 
 		// computing k as modular reduction of _random (see FIPS 186.4 B.5.1):
 		uECC_vli_mmod(k, _random, curve_n);
 
-		if (uECC_sign_with_k(private_key, message_hash, hash_size, k, signature)) {
-			return 1;
+		r = uECC_sign_with_k(private_key, message_hash, hash_size, k, signature);
+		/* don't keep trying if a fault was detected */
+		if (r == UECC_FAULT_DETECTED) {
+			return r;
 		}
+		if (r == UECC_SUCCESS) {
+			return UECC_SUCCESS;
+		}
+		/* else keep trying */
 	}
-	return 0;
+	return UECC_FAILURE;
 }
 
 static bitcount_t smax(bitcount_t a, bitcount_t b)