1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-22 06:18:07 +00:00

add check that pub.y != res.y

This commit is contained in:
Pavol Rusnak 2014-01-04 17:39:37 +01:00
parent 3589cf5cbf
commit 8423c7abfd
3 changed files with 19 additions and 2 deletions

View File

@ -93,6 +93,14 @@ int bn_is_less(const bignum256 *a, const bignum256 *b)
return 0;
}
int bn_is_equal(const bignum256 *a, const bignum256 *b) {
int i;
for (i = 0; i < 9; i++) {
if (a->val[i] != b->val[i]) return 0;
}
return 1;
}
int bn_bitlen(const bignum256 *a) {
int i = 8, j;
while (i >= 0 && a->val[i] == 0) i--;

View File

@ -63,6 +63,8 @@ int bn_is_zero(const bignum256 *a);
int bn_is_less(const bignum256 *a, const bignum256 *b);
int bn_is_equal(const bignum256 *a, const bignum256 *b);
int bn_bitlen(const bignum256 *a);
void bn_lshift(bignum256 *a);

11
ecdsa.c
View File

@ -396,11 +396,18 @@ int ecdsa_verify(const uint8_t *pub_key, const uint8_t *sig, const uint8_t *msg,
scalar_multiply(&z, &res);
}
// TODO both pub and res can be infinity, can have y = 0 OR can be equal
// both pub and res can be infinity, can have y = 0 OR can be equal -> false negative
for (i = 0; i < 9; i++) {
for (j = 0; j < 30; j++) {
if (i == 8 && (s.val[i] >> j) == 0) break;
if (s.val[i] & (1u << j)) {
bn_mod(&(pub.y), &prime256k1);
bn_mod(&(res.y), &prime256k1);
if (bn_is_equal(&(pub.y), &(res.y))) {
// this is not a failure, but a very inprobable case
// that we don't handle because of its inprobability
return 4;
}
point_add(&pub, &res);
}
point_double(&pub);
@ -413,7 +420,7 @@ int ecdsa_verify(const uint8_t *pub_key, const uint8_t *sig, const uint8_t *msg,
// signature does not match
for (i = 0; i < 9; i++) {
if (res.x.val[i] != r.val[i]) {
return 4;
return 5;
}
}