Add pre and post-validation to mult_safer()
Validating the input is always a good idea. Validating the output protects
against some fault injections that would make the result invalid.
Note: valid_point() implies that the point is not zero.
Adding validation to mult_safer() makes it redundant in
compute_shared_secret().
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index c69d422..b480832 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -936,6 +936,11 @@
if (curve != uECC_secp256r1())
return 0;
+ /* Protects against invalid curves attacks */
+ if (uECC_valid_point(point, curve) != 0 ) {
+ return 0;
+ }
+
/* Regularize the bitcount for the private key so that attackers cannot use a
* side channel attack to learn the number of leading zeros. */
carry = regularize_k(scalar, tmp, s);
@@ -952,7 +957,9 @@
EccPoint_mult(result, point, k2[!carry], initial_Z);
- if (EccPoint_isZero(result, curve)) {
+ /* Protect against fault injections that would make the resulting
+ * point not lie on the intended curve */
+ if (uECC_valid_point(result, curve) != 0 ) {
r = 0;
goto clear_and_out;
}
diff --git a/tinycrypt/ecc_dh.c b/tinycrypt/ecc_dh.c
index f9c0a5e..e2f5655 100644
--- a/tinycrypt/ecc_dh.c
+++ b/tinycrypt/ecc_dh.c
@@ -158,12 +158,6 @@
wordcount_t num_bytes = curve->num_bytes;
int r;
- /* Protect against invalid curve attacks */
- if (uECC_valid_public_key(public_key, curve) != 0) {
- r = 0;
- goto clear_and_out;
- }
-
/* Converting buffers to correct bit order: */
uECC_vli_bytesToNative(_private,
private_key,
@@ -176,13 +170,8 @@
num_bytes);
r = EccPoint_mult_safer(_public, _public, _private, curve);
- if (r == 0)
- goto clear_and_out;
-
uECC_vli_nativeToBytes(secret, num_bytes, _public);
- r = !EccPoint_isZero(_public, curve);
-clear_and_out:
/* erasing temporary buffer used to store secret: */
mbedtls_platform_zeroize(_private, sizeof(_private));