add check that pub.y != res.y

2024-11-12 18:49:07 +00:00 · 2014-01-04 17:39:37 +01:00 · 2014-01-04 17:39:37 +01:00 · 8423c7abfd
commit 8423c7abfd
parent 3589cf5cbf
3 changed files with 19 additions and 2 deletions
--- a/bignum.c
+++ b/bignum.c
@ -93,6 +93,14 @@ int bn_is_less(const bignum256 *a, const bignum256 *b)
 	return 0;
 }

+int bn_is_equal(const bignum256 *a, const bignum256 *b) {
+	int i;
+	for (i = 0; i < 9; i++) {
+		if (a->val[i] != b->val[i]) return 0;
+	}
+	return 1;
+}
+
 int bn_bitlen(const bignum256 *a) {
 	int i = 8, j;
 	while (i >= 0 && a->val[i] == 0) i--;
--- a/bignum.h
+++ b/bignum.h
@ -63,6 +63,8 @@ int bn_is_zero(const bignum256 *a);

 int bn_is_less(const bignum256 *a, const bignum256 *b);

+int bn_is_equal(const bignum256 *a, const bignum256 *b);
+
 int bn_bitlen(const bignum256 *a);

 void bn_lshift(bignum256 *a);
--- a/ecdsa.c
+++ b/ecdsa.c
@ -396,11 +396,18 @@ int ecdsa_verify(const uint8_t *pub_key, const uint8_t *sig, const uint8_t *msg,
 		scalar_multiply(&z, &res);
 	}

-	// TODO both pub and res can be infinity, can have y = 0 OR can be equal
+	// both pub and res can be infinity, can have y = 0 OR can be equal -> false negative
 	for (i = 0; i < 9; i++) {
 		for (j = 0; j < 30; j++) {
 			if (i == 8 && (s.val[i] >> j) == 0) break;
 			if (s.val[i] & (1u << j)) {
+				bn_mod(&(pub.y), &prime256k1);
+				bn_mod(&(res.y), &prime256k1);
+				if (bn_is_equal(&(pub.y), &(res.y))) {
+					// this is not a failure, but a very inprobable case
+					// that we don't handle because of its inprobability
+					return 4;
+				}
 				point_add(&pub, &res);
 			}
 			point_double(&pub);
@ -413,7 +420,7 @@ int ecdsa_verify(const uint8_t *pub_key, const uint8_t *sig, const uint8_t *msg,
 	// signature does not match
 	for (i = 0; i < 9; i++) {
 		if (res.x.val[i] != r.val[i]) {
-			return 4;
+			return 5;
 		}
 	}