From 932ea29845da1ae350d9c056cb2cb0379a66d642 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 30 Mar 2021 09:22:47 +0200
Subject: [PATCH] Port upstream hardening of EC scaler multiplication

Some internal functions used in point multiplications are known to
misbehave if the scaler is out-of-range.  This performs canonical
reduction on scalers, before point multiplication.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 ecc-ecdsa-sign.c   |  7 +++++--
 ecc-ecdsa-verify.c | 14 ++++++++++++--
 eddsa-hash.c       |  9 +++++++--
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c
index 3b9e9cc1..45062528 100644
--- a/ecc-ecdsa-sign.c
+++ b/ecc-ecdsa-sign.c
@@ -62,6 +62,8 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc,
 		mp_limb_t *rp, mp_limb_t *sp,
 		mp_limb_t *scratch)
 {
+  mp_limb_t cy;
+
 #define P	    scratch
 #define kinv	    scratch                /* Needs 5*ecc->p.size for computation */
 #define hp	    (scratch  + ecc->p.size) /* NOTE: ecc->p.size + 1 limbs! */
@@ -91,8 +93,9 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc,
   ecc_modq_mul (ecc, tp, zp, rp);
   ecc_modq_add (ecc, hp, hp, tp);
   ecc_modq_mul (ecc, tp, hp, kinv);
-
-  mpn_copyi (sp, tp, ecc->p.size);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (sp, tp, ecc->q.m, ecc->q.size);
+  cnd_copy (cy, sp, tp, ecc->q.size);
 #undef P
 #undef hp
 #undef kinv
diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c
index d7f5b684..6b8acb07 100644
--- a/ecc-ecdsa-verify.c
+++ b/ecc-ecdsa-verify.c
@@ -75,6 +75,8 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
 		  const mp_limb_t *rp, const mp_limb_t *sp,
 		  mp_limb_t *scratch)
 {
+  mp_limb_t cy;
+
   /* Procedure, according to RFC 6090, "KT-I". q denotes the group
      order.
 
@@ -98,6 +100,7 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
 #define P1 (scratch + 4*ecc->p.size)
 #define sinv (scratch)
 #define hp (scratch + ecc->p.size)
+#define tp (scratch + 4*ecc->p.size)
 
   if (! (ecdsa_in_range (ecc, rp)
 	 && ecdsa_in_range (ecc, sp)))
@@ -112,10 +115,16 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
 
   /* u1 = h / s, P1 = u1 * G */
   ecc_hash (&ecc->q, hp, length, digest);
-  ecc_modq_mul (ecc, u1, hp, sinv);
+  ecc_modq_mul (ecc, tp, hp, sinv);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (u1, tp, ecc->q.m, ecc->q.size);
+  cnd_copy (cy, u1, tp, ecc->q.size);
 
   /* u2 = r / s, P2 = u2 * Y */
-  ecc_modq_mul (ecc, u2, rp, sinv);
+  ecc_modq_mul (ecc, hp, rp, sinv);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (u2, hp, ecc->q.m, ecc->q.size);
+  cnd_copy (cy, u2, hp, ecc->q.size);
 
    /* Total storage: 5*ecc->p.size + ecc->mul_itch */
   ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
@@ -154,4 +163,5 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc,
 #undef u2
 #undef hp
 #undef u1
+#undef tp
 }
diff --git a/eddsa-hash.c b/eddsa-hash.c
index 4fb79f1b..53c6fc49 100644
--- a/eddsa-hash.c
+++ b/eddsa-hash.c
@@ -45,7 +45,12 @@ void
 _eddsa_hash (const struct ecc_modulo *m,
 	     mp_limb_t *rp, const uint8_t *digest)
 {
+  mp_limb_t cy;
+
   size_t nbytes = 1 + m->bit_size / 8;
-  mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes);
-  m->mod (m, rp);
+  mpn_set_base256_le (rp + m->size, 2*m->size, digest, 2*nbytes);
+  m->mod (m, rp + m->size);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, rp + m->size, m->size);
 }
-- 
2.30.2