Start the comparison from a random word offset in uECC_vli_equal.
This improves resistance to side-channel leakage.
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index c6c722a..8f2cf0e 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -286,20 +286,30 @@
{
uECC_word_t diff = 0;
+ uECC_word_t flow_monitor = 0;
uECC_word_t tmp1, tmp2;
volatile int i;
- for (i = NUM_ECC_WORDS - 1; i >= 0; --i) {
+ int start_offset = mbedtls_platform_random_in_range(NUM_ECC_WORDS);
+
+ for (i = start_offset; i < NUM_ECC_WORDS; ++i) {
tmp1 = left[i];
tmp2 = right[i];
+ flow_monitor++;
diff |= (tmp1 ^ tmp2);
}
- /* i should be -1 now */
- mbedtls_platform_random_delay();
- diff |= i ^ -1;
+ for (i = 0; i < start_offset; ++i) {
+ tmp1 = left[i];
+ tmp2 = right[i];
+ flow_monitor++;
+ diff |= (tmp1 ^ tmp2);
+ }
- return diff;
+ mbedtls_platform_random_delay();
+
+ /* Return 0 only when diff is 0 and flow_counter is equal to NUM_ECC_WORDS */
+ return (diff | (flow_monitor ^ NUM_ECC_WORDS));
}
uECC_word_t cond_set(uECC_word_t p_true, uECC_word_t p_false, unsigned int cond)
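Review bot: The two loops at L17 and L26 index left[] and right[] straight from start_offset, so any value outside [0, NUM_ECC_WORDS) returned by mbedtls_platform_random_in_range — a negative value or an error sentinel, if that function has one — turns into an out-of-bounds read before the flow_monitor mismatch at L36 can reject the result. Its contract is not visible in this hunk; if it can fail, validate the offset immediately after the call, e.g. `if (start_offset < 0 || start_offset >= NUM_ECC_WORDS) { return (uECC_word_t)-1; }`, which returns the non-zero "not equal" result and so fails closed. Separately, the comment at L35 refers to `flow_counter` while the variable is `flow_monitor`; suggest `/* Return 0 only when diff is 0 and flow_monitor equals NUM_ECC_WORDS */`. The function's signature and the start of its body lie outside the hunk.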
@@ -848,7 +858,7 @@
}
while (carry < 0);
} else {
- while (carry ||
+ while (carry ||
uECC_vli_cmp_unsafe(curve_p, result) != 1) {
carry -= uECC_vli_sub(result, result, curve_p);
}