Skip to content
Permalink
Browse files

ecc_sign_hash blinding CVE-2018-12437

This originates from the LibTomCrypt upstream mitigation patch:
 f0a51bbdbd ("ecc_sign_hash blinding CVE-2018-12437") [1]

but with modifications to fit into the current LibTomCrypt version used
by OP-TEE (use the old function name rand_bn_range(..) instead of the
new name rand_bn_upto(..)).

Link: [1] libtom/libtomcrypt@f0a51bb

Fixes: OP-TEE-2019-0018

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU-v7)
Reported-by: Santos Merino del Pozo <santos.research@gmail.com>
Suggested-by: Santos Merino del Pozo <santos.research@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
  • Loading branch information...
jbech-linaro authored and jforissier committed Jul 1, 2019
1 parent 0f4b02e commit 8bbd9b374a51a1b8617796aae8a70c271543357f
Showing with 11 additions and 8 deletions.
  1. +11 −8 core/lib/libtomcrypt/src/pk/ecc/ecc_sign_hash.c
@@ -67,7 +67,7 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
prng_state *prng, int wprng, ecc_key *key)
{
ecc_key pubkey;
void *e, *p;
void *e, *p, *b;
int err;

LTC_ARGCHK(in != NULL);
@@ -91,7 +91,7 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,

/* get the hash and load it as a bignum into 'e' */
/* init the bignums */
if ((err = mp_init_multi(&p, &e, NULL)) != CRYPT_OK) {
if ((err = mp_init_multi(&p, &e, &b, NULL)) != CRYPT_OK) {
return err;
}
if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK) { goto errnokey; }
@@ -109,12 +109,15 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
if (mp_iszero(r) == LTC_MP_YES) {
ecc_free(&pubkey);
} else {
if ((err = rand_bn_range(b, p, prng, wprng)) != CRYPT_OK) { goto error; } /* b = blinding value */
/* find s = (e + xr)/k */
if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/k */
if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK) { goto error; } /* s = xr */
if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e + xr */
if ((err = mp_mod(s, p, s)) != CRYPT_OK) { goto error; } /* s = e + xr */
if ((err = mp_mulmod(s, pubkey.k, p, s)) != CRYPT_OK) { goto error; } /* s = (e + xr)/k */
if ((err = mp_mulmod(pubkey.k, b, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = kb */
if ((err = mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK) { goto error; } /* k = 1/kb */
if ((err = mp_mulmod(key->k, r, p, s)) != CRYPT_OK) { goto error; } /* s = xr */
if ((err = mp_mulmod(pubkey.k, s, p, s)) != CRYPT_OK) { goto error; } /* s = xr/kb */
if ((err = mp_mulmod(pubkey.k, e, p, e)) != CRYPT_OK) { goto error; } /* e = e/kb */
if ((err = mp_add(e, s, s)) != CRYPT_OK) { goto error; } /* s = e/kb + xr/kb */
if ((err = mp_mulmod(s, b, p, s)) != CRYPT_OK) { goto error; } /* s = b(e/kb + xr/kb) = (e + xr)/k */
ecc_free(&pubkey);
if (mp_iszero(s) == LTC_MP_NO) {
break;
@@ -128,7 +131,7 @@ int ecc_sign_hash_raw(const unsigned char *in, unsigned long inlen,
error:
ecc_free(&pubkey);
errnokey:
mp_clear_multi(p, e, NULL);
mp_clear_multi(p, e, b, NULL);
return err;
}

0 comments on commit 8bbd9b3

Please sign in to comment.
You can’t perform that action at this time.