From 1a9d33e8c89aaf9016dc0a16e122cafbe8027d1d Mon Sep 17 00:00:00 2001
From: Piotr Nowicki
Date: Wed, 20 May 2020 22:10:14 +0200
Subject: [PATCH] Start comparison from a random location in the uECC_vli_equal.
This increases security and increases resistance to the side channel leakage.
Signed-off-by: Piotr Nowicki
---
 tinycrypt/ecc.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index c6c722a95..8f2cf0e55 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -286,20 +286,30 @@ uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right)
 {
 uECC_word_t diff = 0;
+ uECC_word_t flow_monitor = 0;
 uECC_word_t tmp1, tmp2;
 volatile int i;
- for (i = NUM_ECC_WORDS - 1; i >= 0; --i) {
+ int start_offset = mbedtls_platform_random_in_range(NUM_ECC_WORDS);
+
+ for (i = start_offset; i < NUM_ECC_WORDS; ++i) {
 tmp1 = left[i];
 tmp2 = right[i];
+ flow_monitor++;
 diff |= (tmp1 ^ tmp2);
 }
- /* i should be -1 now */
- mbedtls_platform_random_delay();
- diff |= i ^ -1;
+ for (i = 0; i < start_offset; ++i) {
+ tmp1 = left[i];
+ tmp2 = right[i];
+ flow_monitor++;
+ diff |= (tmp1 ^ tmp2);
+ }
- return diff;
+ mbedtls_platform_random_delay();
+
+ /* Return 0 only when diff is 0 and flow_counter is equal to NUM_ECC_WORDS */
+ return (diff | (flow_monitor ^ NUM_ECC_WORDS));
 }
 uECC_word_t cond_set(uECC_word_t p_true, uECC_word_t p_false, unsigned int cond)
@@ -848,7 +858,7 @@ void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product)
 } while (carry < 0);
 } else {
- while (carry ||
+ while (carry ||
 uECC_vli_cmp_unsafe(curve_p, result) != 1) {
 carry -= uECC_vli_sub(result, result, curve_p);
 }
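Review bot: The comment on the new return line names `flow_counter` while the variable it describes is `flow_monitor`; change it to `/* Return 0 only when diff is 0 and flow_monitor equals NUM_ECC_WORDS, i.e. every word was visited exactly once */`. Both loops index `left[i]`/`right[i]` using `start_offset` as a bound, so staying in bounds rests on `mbedtls_platform_random_in_range(NUM_ECC_WORDS)` returning a value in [0, NUM_ECC_WORDS] (presumably [0, NUM_ECC_WORDS), which the argument suggests but the hunk cannot show); a one-line comment at the `start_offset` declaration stating that range would make the dependency explicit. The `flow_monitor` check appears to rely on `i` being `volatile` so the compiler cannot fold the two trip counts to the constant NUM_ECC_WORDS and drop the check, which is worth noting on the `volatile int i;` line since removing the qualifier would silently weaken the fault-detection intent. The function's signature is only visible in the hunk header, so its documented return contract (0 on equality) is outside this view.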