Don't use DH blinding for ephemeral DH

include/polarssl/dhm.h

@@ -228,7 +228,12 @@ int dhm_make_public( dhm_context *ctx, int x_size,
  * \return         0 if successful, or an POLARSSL_ERR_DHM_XXX error code
  *
  * \note           If f_rng is not NULL, it is used to blind the input as
- *                 countermeasure against timing attacks.
+ *                 countermeasure against timing attacks. This is only useful
+ *                 when this function is called repeatedly with the same
+ *                 secret value (X field), eg when using DH key exchange as
+ *                 opposed to DHE. It is recommended to use a non-NULL f_rng
+ *                 only when needed, since otherwise this countermeasure has
+ *                 high overhead.
  */
 int dhm_calc_secret( dhm_context *ctx,
                      unsigned char *output, size_t *olen,

library/ssl_cli.c

@@ -1711,10 +1711,11 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
 
         ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
 
+        /* No blinding needed for DHE, but will be needed for fixed DH! */
         if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
                                       ssl->handshake->premaster,
                                      &ssl->handshake->pmslen,
-                                     ssl->f_rng, ssl->p_rng ) ) != 0 )
+                                     NULL, NULL ) ) != 0 )
         {
             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
             return( ret );
@@ -1842,8 +1843,9 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
 
         *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len >> 8 );
         *(p++) = (unsigned char)( ssl->handshake->dhm_ctx.len      );
+        /* No blinding needed since this is ephemeral DHM */
         if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
-                                      p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
+                                      p, &n, NULL, NULL ) ) != 0 )
         {
             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
             return( ret );

library/ssl_srv.c

@@ -2384,10 +2384,11 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
 
         ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
 
+        /* No blinding needed for DHE, but will be needed for fixed DH! */
         if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
                                       ssl->handshake->premaster,
                                      &ssl->handshake->pmslen,
-                                      ssl->f_rng, ssl->p_rng ) ) != 0 )
+                                      NULL, NULL ) ) != 0 )
         {
             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
@@ -2472,8 +2473,9 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
 
         n = ssl->handshake->dhm_ctx.len;
 
+        /* No blinding needed since this is ephemeral DHM */
         if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
-                                      p, &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
+                                      p, &n, NULL, NULL ) ) != 0 )
         {
             SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
             return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );