crypto/shamir: Fix edge case when shamir_interpolate() is called with duplicate share indices which are equal to the result index.

5 years ago · 223868f552
parent 0a99ad3f13
commit 223868f552
2 changed files with 22 additions and 11 deletions
--- a/crypto/shamir.c
+++ b/crypto/shamir.c
@ -69,7 +69,7 @@ static void unbitslice(uint8_t *r, const uint32_t x[8], size_t len) {
 static void bitslice_setall(uint32_t r[8], const uint8_t x) {
  size_t idx;
  for (idx = 0; idx < 8; idx++) {
-    r[idx] = ((int32_t)((x & (1 << idx)) << (31 - idx))) >> 31;
+    r[idx] = -((x >> idx) & 1);
  }
 }

@ -271,14 +271,6 @@ bool shamir_interpolate(uint8_t *result, uint8_t result_index,

  if (len > SHAMIR_MAX_LEN) return false;

-  /* The code below assumes that none of the share_indices are equal to
-   * result_index. We need to treat that as a special case. */
-  for (i = 0; i < share_count; i++)
-    if (share_indices[i] == result_index) {
-      memcpy(result, share_values[i], len);
-      return true;
-    }
-
  /* Collect the x and y values */
  for (i = 0; i < share_count; i++) {
    bitslice_setall(xs[i], share_indices[i]);
@ -294,8 +286,15 @@ bool shamir_interpolate(uint8_t *result, uint8_t result_index,

  /* Use Lagrange basis polynomials to calculate the secret coefficient */
  for (i = 0; i < share_count; i++) {
-    memcpy(denom, x, sizeof(denom));
-    gf256_add(denom, xs[i]);
+    /* The code below assumes that none of the share_indices are equal to
+     * result_index. We need to treat that as a special case. */
+    if (share_indices[i] != result_index) {
+      memcpy(denom, x, sizeof(denom));
+      gf256_add(denom, xs[i]);
+    } else {
+      bitslice_setall(denom, 1);
+      gf256_add(secret, ys[i]);
+    }
    for (j = 0; j < share_count; j++) {
      if (i == j) continue;
      memcpy(tmp, xs[i], sizeof(uint32_t[8]));
--- a/crypto/tests/test_check.c
+++ b/crypto/tests/test_check.c
@ -5120,6 +5120,18 @@ START_TEST(test_shamir) {
                  7,
                  true},

+                 {{0},
+                  1,
+                  {5, 1, 1},
+                  {
+                      {129, 18, 104, 86, 236, 73, 176},
+                      {91, 188, 226, 91, 254, 197, 225},
+                      {69, 53, 151, 204, 224, 37, 19},
+                  },
+                  3,
+                  7,
+                  false},
+
                 {{0},
                  255,
                  {3, 12, 3},