Fix EC J-PAKE failing when the payload is all-bits-zero
Fix function mbedtls_ecp_mul_shortcuts() to skip multiplication when m
is 0 and simply assignt 0 to R. Additionally fix ecjpake_zkp_read() to
return MBEDTLS_ERR_ECP_INVALID_KEY when the above condintion is met.
Fix #1792
Signed-off-by: TRodziewicz <rodziewicz@gmail.com>
diff --git a/ChangeLog.d/issue1792.txt b/ChangeLog.d/issue1792.txt
new file mode 100644
index 0000000..e82c80e
--- /dev/null
+++ b/ChangeLog.d/issue1792.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix a bug in EC J-PAKE that would cause it fail when the payload is all-
+ bits-zero.
+ Found by Gilles Peskine, reported in #1792.
diff --git a/library/ecjpake.c b/library/ecjpake.c
index bd47169..b835ac1 100644
--- a/library/ecjpake.c
+++ b/library/ecjpake.c
@@ -286,6 +286,13 @@
* Verification
*/
MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) );
+
+ if( mbedtls_mpi_cmp_int( &r,0 ) == 0 )
+ {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( (mbedtls_ecp_group *) grp,
&VV, &h, X, &r, G ) );
diff --git a/library/ecp.c b/library/ecp.c
index 3b68e8e..6e866fa 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -2795,7 +2795,7 @@
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
/*
- * R = m * P with shortcuts for m == 1 and m == -1
+ * R = m * P with shortcuts for m == 0, m == 1 and m == -1
* NOT constant-time - ONLY for short Weierstrass!
*/
static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
@@ -2806,7 +2806,11 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
+ if ( mbedtls_mpi_cmp_int( m, 0 ) == 0 )
+ {
+ MBEDTLS_MPI_CHK( mbedtls_ecp_set_zero( R ) );
+ }
+ else if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
{
MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
}
