Merge remote-tracking branch 'upstream-restricted/pr/423' into mbedtls-1.3-restricted

Resolved simple conflicts caused by the independent addition of calls to polarssl_zeroize with sometimes whitespace or comment differences.
2025-03-18 13:07:31 +00:00 · 2017-11-28 16:23:28 +01:00 · 2017-11-28 16:23:28 +01:00 · 6f941d6c89
parent b087a88300 825c3db149
commit 6f941d6c89
3 changed files with 18 additions and 10 deletions
--- a/7
+++ b/7
@ -17,6 +17,13 @@ Security
     being leaked to memory after release.
   * Fix dhm_check_range() failing to detect trivial subgroups and potentially
     leaking 1 bit of the private key. Reported by prashantkspatil.
+   * Make mpi_read_binary constant-time with respect to
+     the input data. Previously, trailing zero bytes were detected
+     and omitted for the sake of saving memory, but potentially
+     leading to slight timing differences.
+     Reported by Marco Macchetti, Kudelski Group.
+   * Wipe stack buffer temporarily holding EC private exponent
+     after keypair generation.

 Bugfix
   * Fix memory leak in ssl_set_hostname() when called multiple times.
--- a/library/bignum.c
+++ b/library/bignum.c
@ -678,16 +678,20 @@ cleanup:
 int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen )
 {
    int ret;
-    size_t i, j, n;
+    size_t i, j;
+    size_t const limbs = CHARS_TO_LIMBS( buflen );

-    for( n = 0; n < buflen; n++ )
-        if( buf[n] != 0 )
-            break;
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if( X->n != limbs )
+    {
+        mpi_free( X );
+        mpi_init( X );
+        MPI_CHK( mpi_grow( X, limbs ) );
+    }

-    MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
    MPI_CHK( mpi_lset( X, 0 ) );

-    for( i = buflen, j = 0; i > n; i--, j++ )
+    for( i = buflen, j = 0; i > 0; i--, j++ )
        X->p[j / ciL] |= ((t_uint) buf[i - 1]) << ((j % ciL) << 3);

 cleanup:
@ -1881,7 +1885,6 @@ int mpi_fill_random( mpi *X, size_t size,

 cleanup:
    polarssl_zeroize( buf, sizeof( buf ) );
-
    return( ret );
 }

--- a/library/ecp.c
+++ b/library/ecp.c
@ -1854,7 +1854,6 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
    {
        /* SEC1 3.2.1: Generate d such that 1 <= n < N */
        int count = 0;
-        unsigned char rnd[POLARSSL_ECP_MAX_BYTES];

        /*
         * Match the procedure given in RFC 6979 (deterministic ECDSA):
@ -1865,8 +1864,7 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
         */
        do
        {
-            MPI_CHK( f_rng( p_rng, rnd, n_size ) );
-            MPI_CHK( mpi_read_binary( d, rnd, n_size ) );
+            MPI_CHK( mpi_fill_random( d, n_size, f_rng, p_rng ) );
            MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );

            /*