mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Handle when k is 1 or order + 1 for timing resistant ECC

Browse Source
This commit is contained in:
Sean Parkinson 2020-08-19 10:21:53 +10:00 committed by John Safranek
parent 362e328180
commit 549c47de65
No known key found for this signature in database
GPG Key ID: 8CE817DE0D3CCB4A
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
wolfcrypt/src/ecc.c
View File

@ -3105,6 +3105,23 @@ int wc_ecc_mulmod_ex2(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
if (err == MP_OKAY)
err = ecc_mulmod(&t, tG, R, M, a, modulus, mp, rng);
/* Check for k == 1 or k == order+1. Result will be 0 point which is not
* correct. Calculates 2 * order and get 0 point then adds base point
* which results in 0 point with constant time implementation)
*/
if (err == MP_OKAY)
err = mp_add_d(order, 1, &t);
if (err == MP_OKAY) {
int kIsOne = (mp_cmp_d(k, 1) == MP_EQ) | (mp_cmp(k, &t) == MP_EQ);
err = mp_cond_copy(tG->x, kIsOne, R->x);
if (err == 0) {
err = mp_cond_copy(tG->y, kIsOne, R->y);
}
if (err == 0) {
err = mp_cond_copy(tG->z, kIsOne, R->z);
}
}
mp_forcezero(&t);
mp_free(&t);
#else