TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 10d8e8ed64158e12fe4279ea59d5b383433ab24f^! / .
commit10d8e8ed64158e12fe4279ea59d5b383433ab24f[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Wed Nov 06 10:30:26 2019 +0100
committerManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Thu Nov 21 15:12:44 2019 +0100
tree037215d166929c2db745a3498c1932913708b99e
parentc05f1506f41ef548680f4898245f693632a78152 [diff]
Use safer return values in uECC_verify()

This is a first step in protecting against fault injection attacks: the
attacker can no longer change failure into success by flipping a single bit.
Additional steps are needed to prevent other attacks (instruction skip etc)
and will be the object of future commits.

The return value of uECC_vli_equal() should be protected as well, which will
be done in a future commit as well.

diff --git a/include/tinycrypt/ecc_dsa.h b/include/tinycrypt/ecc_dsa.h
index e54a77e..55b9d43 100644
--- a/include/tinycrypt/ecc_dsa.h
+++ b/include/tinycrypt/ecc_dsa.h

@@ -123,8 +123,8 @@
 
 /**
  * @brief Verify an ECDSA signature.
- * @return returns TC_SUCCESS (1) if the signature is valid
- * 	   returns TC_FAIL (0) if the signature is invalid.
+ * @return returns UECC_SUCCESS if the signature is valid
+ * 	   returns UECC_FAILURE if the signature is invalid.
  *
  * @param p_public_key IN -- The signer's public key.
  * @param p_message_hash IN -- The hash of the signed data.

diff --git a/library/pk.c b/library/pk.c
index 29123eb..857bafc 100644
--- a/library/pk.c
+++ b/library/pk.c

@@ -591,7 +591,7 @@
 
     ret = uECC_verify( keypair->public_key, hash,
                        (unsigned) hash_len, signature, uecc_curve );
-    if( ret == 0 )
+    if( ret != UECC_SUCCESS )
         return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
 
     return( 0 );

diff --git a/tests/suites/test_suite_tinycrypt.data b/tests/suites/test_suite_tinycrypt.data
index ac2a8e2..2c4d54b 100644
--- a/tests/suites/test_suite_tinycrypt.data
+++ b/tests/suites/test_suite_tinycrypt.data

@@ -8,4 +8,4 @@
 ecdh_primitive_testvec:"C88F01F510D9AC3F70A292DAA2316DE544E9AAB8AFE84049C62A9C57862D1433":"DAD0B65394221CF9B051E1FECA5787D098DFE637FC90B9EF945D0C3772581180":"5271A0461CDB8252D61F1C456FA3E59AB1F45B33ACCF5F58389E0577B8990BB3":"C6EF9C5D78AE012A011164ACB397CE2088685D8F06BF9BE0B283AB46476BEE53":"D12DFB5289C8D4F81208B70270398C342296970A0BCCB74C736FC7554494BF63":"56FBF3CA366CC23E8157854C13C58D6AAC23F046ADA30F8353E74F33039872AB":"D6840F6B42F6EDAFD13116E0E12565202FEF8E9ECE7DCE03812464D04B9442DE"
 
 ECDSA primitive rfc 4754 p256
-ecdsa_primitive_testvec:"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315":1
+ecdsa_primitive_testvec:"2442A5CC0ECD015FA3CA31DC8E2BBC70BF42D60CBCA20085E0822CB04235E970":"6FC98BD7E50211A4A27102FA3549DF79EBCB4BF246B80945CDDFE7D509BBFD7D":"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD":"CB28E0999B9C7715FD0A80D8E47A77079716CBBF917DD72E97566EA1C066957C":"86FA3BB4E26CAD5BF90B7F81899256CE7594BB1EA0C89212748BFF3B3D5B0315"

diff --git a/tests/suites/test_suite_tinycrypt.function b/tests/suites/test_suite_tinycrypt.function
index 24b331d..664cd08 100644
--- a/tests/suites/test_suite_tinycrypt.function
+++ b/tests/suites/test_suite_tinycrypt.function

@@ -55,7 +55,7 @@
 
     TEST_ASSERT( uECC_sign( private, hash, sizeof( hash ), sig, curve ) != 0 );
 
-    TEST_ASSERT( uECC_verify( public, hash, sizeof( hash ), sig, curve ) != 0 );
+    TEST_ASSERT( uECC_verify( public, hash, sizeof( hash ), sig, curve ) == UECC_SUCCESS );
 }
 /* END_CASE */
 
@@ -88,8 +88,7 @@
 
 /* BEGIN_CASE depends_on:MBEDTLS_USE_TINYCRYPT */
 void ecdsa_primitive_testvec( data_t * xQ_str, data_t * yQ_str,
-                              data_t * hash, data_t * r_str, data_t * s_str,
-                              int result )
+                              data_t * hash, data_t * r_str, data_t * s_str )
 {
     const struct uECC_Curve_t * curve = uECC_secp256r1();
     uint8_t pub_bytes[2*NUM_ECC_BYTES] = {0};
@@ -101,7 +100,7 @@
     memcpy( sig_bytes + NUM_ECC_BYTES, s_str->x, r_str->len );
 
     TEST_ASSERT( uECC_verify( pub_bytes, hash->x, hash->len,
-                              sig_bytes, curve ) == result );
+                              sig_bytes, curve ) == UECC_SUCCESS );
 
     // Alter the signature and check the verification fails
     for( int i = 0; i < 2*NUM_ECC_BYTES; i++ )
@@ -109,7 +108,7 @@
         uint8_t temp = sig_bytes[i];
         sig_bytes[i] = ( sig_bytes[i] + 1 ) % 256;
         TEST_ASSERT( uECC_verify( pub_bytes, hash->x, hash->len,
-                                  sig_bytes, curve ) == 0 );
+                                  sig_bytes, curve ) == UECC_FAILURE );
         sig_bytes[i] = temp;
     }
 

diff --git a/tinycrypt/ecc_dsa.c b/tinycrypt/ecc_dsa.c
index 04b1bfa..5cf58f3 100644
--- a/tinycrypt/ecc_dsa.c
+++ b/tinycrypt/ecc_dsa.c

@@ -235,13 +235,13 @@
 
 	/* r, s must not be 0. */
 	if (uECC_vli_isZero(r) || uECC_vli_isZero(s)) {
-		return 0;
+		return UECC_FAILURE;
 	}
 
 	/* r, s must be < n. */
 	if (uECC_vli_cmp_unsafe(curve->n, r) != 1 ||
 	    uECC_vli_cmp_unsafe(curve->n, s) != 1) {
-		return 0;
+		return UECC_FAILURE;
 	}
 
 	/* Calculate u1 and u2. */
@@ -301,7 +301,10 @@
 	}
 
 	/* Accept only if v == r. */
-	return (int)(uECC_vli_equal(rx, r) == 0);
+	if (uECC_vli_equal(rx, r) == 0)
+		return UECC_SUCCESS;
+
+	return UECC_FAILURE;
 }
 #else
 typedef int mbedtls_dummy_tinycrypt_def;