Merge remote-tracking branch 'restricted/mbedtls-2.1' into mbedtls-2.1

* restricted/mbedtls-2.1:
  Remove obsolete macros from compat-1.3.h
  Add fix for #667 to ChangeLog
  Fix bug in threading sample implementation #667
  Fix check-doxy-blocks.pl to run from root dir
  RSA: wipe more stack buffers
  RSA: wipe stack buffers
Manuel Pégourié-Gonnard 2017-06-06 18:23:05 +02:00
commit cd6e4d5bcc
2 changed files with 42 additions and 9 deletions


@ -8,6 +8,9 @@ Security
https://arxiv.org/abs/1702.08719v2. https://arxiv.org/abs/1702.08719v2.
Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss, Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
Clémentine Maurice and Stefan Mangard. Clémentine Maurice and Stefan Mangard.
* Wipe stack buffers in RSA private key operations
(rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
Found by Laurent Simon.
Bugfix Bugfix
* Remove macros from compat-1.3.h that correspond to deleted items from most * Remove macros from compat-1.3.h that correspond to deleted items from most


@ -60,6 +60,11 @@
#define mbedtls_free free #define mbedtls_free free
#endif #endif
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
/* /*
* Initialize an RSA context * Initialize an RSA context
*/ */
@ -591,6 +596,8 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
dlen -= use_len; dlen -= use_len;
} }
mbedtls_zeroize( mask, sizeof( mask ) );
} }
#endif /* MBEDTLS_PKCS1_V21 */ #endif /* MBEDTLS_PKCS1_V21 */
@ -824,7 +831,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 ) if( ret != 0 )
return( ret ); goto cleanup;
/* /*
* Unmask data and generate lHash * Unmask data and generate lHash
@ -833,7 +840,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{ {
mbedtls_md_free( &md_ctx ); mbedtls_md_free( &md_ctx );
return( ret ); goto cleanup;
} }
@ -884,15 +891,26 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
* the different error conditions. * the different error conditions.
*/ */
if( bad != 0 ) if( bad != 0 )
return( MBEDTLS_ERR_RSA_INVALID_PADDING ); {
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto cleanup;
}
if( ilen - ( p - buf ) > output_max_len ) if( ilen - ( p - buf ) > output_max_len )
return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); {
ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
goto cleanup;
}
*olen = ilen - (p - buf); *olen = ilen - (p - buf);
memcpy( output, p, *olen ); memcpy( output, p, *olen );
ret = 0;
return( 0 ); cleanup:
mbedtls_zeroize( buf, sizeof( buf ) );
mbedtls_zeroize( lhash, sizeof( lhash ) );
return( ret );
} }
#endif /* MBEDTLS_PKCS1_V21 */ #endif /* MBEDTLS_PKCS1_V21 */
@ -926,7 +944,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 ) if( ret != 0 )
return( ret ); goto cleanup;
p = buf; p = buf;
bad = 0; bad = 0;
@ -971,15 +989,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
bad |= ( pad_count < 8 ); bad |= ( pad_count < 8 );
if( bad ) if( bad )
return( MBEDTLS_ERR_RSA_INVALID_PADDING ); {
ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto cleanup;
}
if( ilen - ( p - buf ) > output_max_len ) if( ilen - ( p - buf ) > output_max_len )
return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); {
ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
goto cleanup;
}
*olen = ilen - (p - buf); *olen = ilen - (p - buf);
memcpy( output, p, *olen ); memcpy( output, p, *olen );
ret = 0;
return( 0 ); cleanup:
mbedtls_zeroize( buf, sizeof( buf ) );
return( ret );
} }
#endif /* MBEDTLS_PKCS1_V15 */ #endif /* MBEDTLS_PKCS1_V15 */
@ -1084,6 +1112,7 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
{ {
mbedtls_md_free( &md_ctx ); mbedtls_md_free( &md_ctx );
/* No need to zeroize salt: we didn't use it. */
return( ret ); return( ret );
} }
@ -1094,6 +1123,7 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
mbedtls_md_update( &md_ctx, hash, hashlen ); mbedtls_md_update( &md_ctx, hash, hashlen );
mbedtls_md_update( &md_ctx, salt, slen ); mbedtls_md_update( &md_ctx, salt, slen );
mbedtls_md_finish( &md_ctx, p ); mbedtls_md_finish( &md_ctx, p );
mbedtls_zeroize( salt, sizeof( salt ) );
// Compensate for boundary condition when applying mask // Compensate for boundary condition when applying mask
// //
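Review bot: The comment added in the `mbedtls_md_setup` failure branch of `mbedtls_rsa_rsassa_pss_sign`, `/* No need to zeroize salt: we didn't use it. */`, looks inaccurate: if `salt` has already been filled by the RNG (and copied into the signature buffer) before the digest context is set up — the start of that function is outside this hunk, so this is inferred — the early return leaves salt bytes on the stack that the success path now wipes with `mbedtls_zeroize( salt, sizeof( salt ) )` after `mbedtls_md_finish`. For consistency either wipe it in that branch too, replacing the comment with `mbedtls_zeroize( salt, sizeof( salt ) );`, or reword the comment to give the actual reason the wipe is skipped there. Separately, the new `mbedtls_zeroize` helper depends on stores through a `volatile unsigned char *` to survive dead-store elimination, which is the established idiom in this tree, but its single-line body (`volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;`) departs from the one-statement-per-line layout used in the rest of this file and would be easier to audit split over two lines.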