arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-18 12:28:09 +00:00
Code Issues Releases Wiki Activity

ecdsa: fix out-of-bounds read in point_multiply (#71)

Browse Source 
Fixes #70.
This commit is contained in:
Jochen Hoenicke 2016-10-06 16:54:25 +02:00 committed by Pavol Rusnak
parent 133c068f37
commit 157caf3763
1 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
ecdsa.c
View File

@ -424,8 +424,10 @@ void point_multiply(const ecdsa_curve *curve, const bignum256 *k, const curve_po
assert (bn_is_less(k, &curve->order)); assert (bn_is_less(k, &curve->order));
int i, j; int i, j;
int pos, shift;
bignum256 a; bignum256 a;
uint32_t *aptr;
uint32_t abits;
int ashift;
uint32_t is_even = (k->val[0] & 1) - 1; uint32_t is_even = (k->val[0] & 1) - 1;
uint32_t bits, sign, nsign; uint32_t bits, sign, nsign;
jacobian_curve_point jres; jacobian_curve_point jres;
@ -485,7 +487,10 @@ void point_multiply(const ecdsa_curve *curve, const bignum256 *k, const curve_po
// and - (16 - (a>>(4*i) & 0xf)) otherwise. We can compute this as // and - (16 - (a>>(4*i) & 0xf)) otherwise. We can compute this as
// ((a ^ (((a >> 4) & 1) - 1)) & 0xf) >> 1 // ((a ^ (((a >> 4) & 1) - 1)) & 0xf) >> 1
// since a is odd. // since a is odd.
bits = a.val[8] >> 12; aptr = &a.val[8];
abits = *aptr;
ashift = 12;
bits = abits >> ashift;
sign = (bits >> 4) - 1; sign = (bits >> 4) - 1;
bits ^= sign; bits ^= sign;
bits &= 15; bits &= 15;
@ -493,6 +498,7 @@ void point_multiply(const ecdsa_curve *curve, const bignum256 *k, const curve_po
for (i = 62; i >= 0; i--) { for (i = 62; i >= 0; i--) {
// sign = sign(a[i+1]) (0xffffffff for negative, 0 for positive) // sign = sign(a[i+1]) (0xffffffff for negative, 0 for positive)
// invariant jres = (-1)^sign sum_{j=i+1..63} (a[j] * 16^{j-i-1} * p) // invariant jres = (-1)^sign sum_{j=i+1..63} (a[j] * 16^{j-i-1} * p)
// abits >> (ashift - 4) = lowbits(a >> (i*4))
point_jacobian_double(&jres, curve); point_jacobian_double(&jres, curve);
point_jacobian_double(&jres, curve); point_jacobian_double(&jres, curve);
@ -500,8 +506,18 @@ void point_multiply(const ecdsa_curve *curve, const bignum256 *k, const curve_po
point_jacobian_double(&jres, curve); point_jacobian_double(&jres, curve);
// get lowest 5 bits of a >> (i*4). // get lowest 5 bits of a >> (i*4).
pos = i*4/30; shift = i*4 % 30; ashift -= 4;
bits = (a.val[pos+1]<<(30-shift) | a.val[pos] >> shift) & 31; if (ashift < 0) {
// the condition only depends on the iteration number and
// leaks no private information to a side-channel.
bits = abits << (-ashift);
abits = *(--aptr);
ashift += 30;
bits |= abits >> ashift;
} else {
bits = abits >> ashift;
}
bits &= 31;
nsign = (bits >> 4) - 1; nsign = (bits >> 4) - 1;
bits ^= nsign; bits ^= nsign;
bits &= 15; bits &= 15;