Fix multiplication producing a negative zero

Fix mbedtls_mpi_mul_mpi() when one of the operands is zero and the
other is negative. The sign of the result must be 1, since some
library functions do not treat {-1, 0, NULL} or {-1, n, {0}} as
representing the value 0.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

ChangeLog.d/mpi_read_negative_zero.txt

@@ -1,3 +1,7 @@
 Bugfix
-   * mbedtls_mpi_read_string on "-0" produced an MPI object that was not treated
+   * Fix some cases in the bignum module where the library constructed an
-     as equal to 0 in all cases. Fix it to produce the same object as "0".
+     unintended representation of the value 0 which was not processed
+     correctly by some bignum operations. This could happen when
+     mbedtls_mpi_read_string() was called on "-0", or when
+     mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
+     the arguments being negative and the other being 0. Fixes #4643.

library/bignum.c

@@ -1658,7 +1658,17 @@ int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
     for( ; j > 0; j-- )
         mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
 
-    X->s = A->s * B->s;
+    /* If the result is 0, we don't shortcut the operation, which reduces
+     * but does not eliminate side channels leaking the zero-ness. We do
+     * need to take care to set the sign bit properly since the library does
+     * not fully support an MPI object with a value of 0 and s == -1. */
+    if( ( i == 0 && ( A->n == 0 || A->p[0] == 0 ) ) ||
+        ( j == 0 && ( B->n == 0 || B->p[0] == 0 ) ) )
+    {
+        X->s = 1;
+    }
+    else
+        X->s = A->s * B->s;
 
 cleanup:
 

tests/suites/test_suite_mpi.data

@@ -910,6 +910,9 @@ mbedtls_mpi_mul_mpi:16:"":16:"01":16:""
 Test mbedtls_mpi_mul_mpi: 0 (null) * -1
 mbedtls_mpi_mul_mpi:16:"":16:"-01":16:""
 
+Test mbedtls_mpi_mul_mpi: 0 (1 limb) * -1
+mbedtls_mpi_mul_mpi:16:"00":16:"-01":16:""
+
 Test mbedtls_mpi_mul_mpi: 0 (1 limb) * 0 (null)
 mbedtls_mpi_mul_mpi:16:"":16:"00":16:""
 
@@ -919,6 +922,9 @@ mbedtls_mpi_mul_mpi:16:"01":16:"":16:""
 Test mbedtls_mpi_mul_mpi: -1 * 0 (null)
 mbedtls_mpi_mul_mpi:16:"-01":16:"":16:""
 
+Test mbedtls_mpi_mul_mpi: -1 * 0 (1 limb)
+mbedtls_mpi_mul_mpi:16:"-01":16:"00":16:""
+
 Test mbedtls_mpi_mul_mpi #1
 mbedtls_mpi_mul_mpi:10:"28911710017320205966167820725313234361535259163045867986277478145081076845846493521348693253530011243988160148063424837895971948244167867236923919506962312185829914482993478947657472351461336729641485069323635424692930278888923450060546465883490944265147851036817433970984747733020522259537":10:"16471581891701794764704009719057349996270239948993452268812975037240586099924712715366967486587417803753916334331355573776945238871512026832810626226164346328807407669366029926221415383560814338828449642265377822759768011406757061063524768140567867350208554439342320410551341675119078050953":10:"476221599179424887669515829231223263939342135681791605842540429321038144633323941248706405375723482912535192363845116154236465184147599697841273424891410002781967962186252583311115708128167171262206919514587899883547279647025952837516324649656913580411611297312678955801899536937577476819667861053063432906071315727948826276092545739432005962781562403795455162483159362585281248265005441715080197800335757871588045959754547836825977169125866324128449699877076762316768127816074587766799018626179199776188490087103869164122906791440101822594139648973454716256383294690817576188761"