yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-21 10:57:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream-restricted/pr/423' into mbedtls-1.3-restricted

Browse source 
Resolved simple conflicts caused by the independent addition of
calls to polarssl_zeroize with sometimes whitespace or comment
differences.
This commit is contained in:
Gilles Peskine 2017-11-28 16:23:28 +01:00
parent b087a88300 825c3db149
commit 6f941d6c89
3 changed files with 18 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
ChangeLog
View file

@ -17,6 +17,13 @@ Security
being leaked to memory after release. being leaked to memory after release.
* Fix dhm_check_range() failing to detect trivial subgroups and potentially * Fix dhm_check_range() failing to detect trivial subgroups and potentially
leaking 1 bit of the private key. Reported by prashantkspatil. leaking 1 bit of the private key. Reported by prashantkspatil.
* Make mpi_read_binary constant-time with respect to
the input data. Previously, trailing zero bytes were detected
and omitted for the sake of saving memory, but potentially
leading to slight timing differences.
Reported by Marco Macchetti, Kudelski Group.
* Wipe stack buffer temporarily holding EC private exponent
after keypair generation.
Bugfix Bugfix
* Fix memory leak in ssl_set_hostname() when called multiple times. * Fix memory leak in ssl_set_hostname() when called multiple times.

17
library/bignum.c
View file

@ -678,16 +678,20 @@ cleanup:
int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen ) int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen )
{ {
int ret; int ret;
size_t i, j, n; size_t i, j;
size_t const limbs = CHARS_TO_LIMBS( buflen );
for( n = 0; n < buflen; n++ ) /* Ensure that target MPI has exactly the necessary number of limbs */
if( buf[n] != 0 ) if( X->n != limbs )
break; {
mpi_free( X );
mpi_init( X );
MPI_CHK( mpi_grow( X, limbs ) );
}
MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
MPI_CHK( mpi_lset( X, 0 ) ); MPI_CHK( mpi_lset( X, 0 ) );
for( i = buflen, j = 0; i > n; i--, j++ ) for( i = buflen, j = 0; i > 0; i--, j++ )
X->p[j / ciL] |= ((t_uint) buf[i - 1]) << ((j % ciL) << 3); X->p[j / ciL] |= ((t_uint) buf[i - 1]) << ((j % ciL) << 3);
cleanup: cleanup:
@ -1881,7 +1885,6 @@ int mpi_fill_random( mpi *X, size_t size,
cleanup: cleanup:
polarssl_zeroize( buf, sizeof( buf ) ); polarssl_zeroize( buf, sizeof( buf ) );
return( ret ); return( ret );
} }

4
library/ecp.c
View file

@ -1854,7 +1854,6 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
{ {
/* SEC1 3.2.1: Generate d such that 1 <= n < N */ /* SEC1 3.2.1: Generate d such that 1 <= n < N */
int count = 0; int count = 0;
unsigned char rnd[POLARSSL_ECP_MAX_BYTES];
/* /*
* Match the procedure given in RFC 6979 (deterministic ECDSA): * Match the procedure given in RFC 6979 (deterministic ECDSA):
@ -1865,8 +1864,7 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
*/ */
do do
{ {
MPI_CHK( f_rng( p_rng, rnd, n_size ) ); MPI_CHK( mpi_fill_random( d, n_size, f_rng, p_rng ) );
MPI_CHK( mpi_read_binary( d, rnd, n_size ) );
MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) ); MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );
/* /*